>> Cisco Nexus with NXOS Version older than 4.2 (4.0 and 4.1) don't like 
>> the entry "Vendor-Specific = 9".
>
>  What does that mean?
>
>> It seems that freeradius adds this automatically if it's not within the 
>> config.
>
>  No.  FreeRADIUS adds almost nothing automatically.
>
>> But, when i put it in the config, the dump shows "bad udp checksum", 
>> wireshark "AVP too long". When i remove this line from the config, 
>> "vendor-specific=9" is also transmitted, but without checksum/avp too 
>> long error.
>>  
>> Is this behavior documented anywhere?
>> I didn't find this.
>
>  See the FAQ for "it doesn't work".
>
>  You haven't shown us the wireshark output.  You haven't shown us the 
> configuration you added.
>
>  Short summaries are *not* enough.  We need the *exact* information.
>
>  Alan DeKok.

Hi Alan,

Please find the dumps attached.

==========================
dump_ok.cap

test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := 
"098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
#        Vendor-Specific = Cisco,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
==========================
dump_notok.cap

test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := 
"098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
        Vendor-Specific = Cisco,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
==========================
dump_notok_2.cap

test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := 
"098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
        Vendor-Specific = 9,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
==========================

On Cisco Nexus older than NXOS version 4.2, login is possible with the last 
config (dump_notok_2.cap), but the roles within the av-pairs are ignored. 
Newer devices (NXOS 4.2 and up) ignore the "AVP too short" and take over the 
roles from the RADIUS packet. It seems there was an update in the RADIUS 
implementation to make it more robust.

And as you can see in dump_ok.cap, "Vendor-Specific=9" was sent, even though it 
was not in the config. But there is another Cisco av-pair in the config; is this 
the reason why the vendor-id was added to the reply?

Jan

Attachment: dump_ok.cap
Description: dump_ok.cap

Attachment: dump_notok.cap
Description: dump_notok.cap

Attachment: dump_notok_2.cap
Description: dump_notok_2.cap

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

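The wire format behind this thread, as an added example that is not part of the original messages or of FreeRADIUS itself: Cisco-AVPair is not a separate RADIUS attribute but a vendor attribute (vendor-type 1) carried inside the RFC 2865 Vendor-Specific attribute (type 26) with Vendor-Id 9, which is why a dump of an Access-Accept containing only Cisco-AVPair already shows Vendor-Id 9. The script below encodes the attribute list that the `dump_ok.cap` users entry produces (Login-Service = Telnet is type 15, value 0; the Access-Accept header and the rest of the packet are omitted), walks the attributes, validates the Vendor-Specific layout, and reports the two error classes a dissector complains about: a payload shorter than the mandatory 4-byte Vendor-Id plus one vendor attribute header, and a vendor-length that claims more bytes than the outer attribute carries. The malformed inputs are constructed for illustration; they are not taken from the attached captures.

```python
"""RFC 2865 Vendor-Specific (type 26) encoding and validation for a Cisco-AVPair.

Added example for the FreeRADIUS list thread above; constructed data, not the
attached captures.
"""
import struct

RADIUS_VSA = 26          # Vendor-Specific attribute type (RFC 2865 s5.26)
LOGIN_SERVICE = 15       # Login-Service attribute type; value 0 = Telnet
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # Cisco vendor-type for Cisco-AVPair

ROLES = 'shell:roles*"network-admin" "vdc-admin"'


def encode_cisco_avpair(text):
    """Return Cisco-AVPair as one Vendor-Specific attribute: T L VendorId VT VL value."""
    value = text.encode("utf-8")
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    payload = struct.pack("!I", CISCO_VENDOR_ID) + inner
    if 2 + len(payload) > 255:
        raise ValueError("attribute exceeds 255 bytes")
    return struct.pack("!BB", RADIUS_VSA, 2 + len(payload)) + payload


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, checking outer lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d for type %d" % (alen, atype))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value):
    """Validate a Vendor-Specific payload; return (vendor_id, [(vendor_type, value), ...])."""
    # 4-byte Vendor-Id followed by at least one 2-byte vendor attribute header
    if len(value) < 6:
        raise ValueError("Vendor-Specific too short: %d byte payload" % len(value))
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("vendor attribute too long: vendor-length %d exceeds "
                             "remaining %d" % (vlen, len(value) - pos))
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def cisco_avpairs(data):
    """Return the decoded Cisco-AVPair strings found in an attribute list."""
    out = []
    for atype, value in parse_attributes(data):
        if atype != RADIUS_VSA:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id != CISCO_VENDOR_ID:
            continue
        out.extend(vval.decode("utf-8") for vtype, vval in subs if vtype == CISCO_AVPAIR)
    return out


def vsa_error(attr):
    """Return the validation error for one encoded attribute, or None if it is well-formed."""
    try:
        (atype, value), = parse_attributes(attr)
        if atype == RADIUS_VSA:
            parse_vsa(value)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed attribute list matching the dump_ok.cap users entry above.
GOOD_ATTRS = struct.pack("!BBI", LOGIN_SERVICE, 6, 0) + encode_cisco_avpair(ROLES)


def bad_vendor_specific_examples():
    """Constructed malformed attributes: a bare Vendor-Specific holding only the
    byte '9', and a Cisco-AVPair whose vendor-length byte (offset 7) is one too large."""
    too_short = bytes([RADIUS_VSA, 3]) + b"9"
    good = encode_cisco_avpair(ROLES)
    too_long = good[:7] + bytes([good[7] + 1]) + good[8:]
    return too_short, too_long


if __name__ == "__main__":
    print("Cisco-AVPairs in reply:", cisco_avpairs(GOOD_ATTRS))
    for sample in bad_vendor_specific_examples():
        print(sample.hex(), "->", vsa_error(sample))
```

Run against a real capture, feed the attribute bytes that follow the 20-byte RADIUS header into `cisco_avpairs`; the well-formed encoding from the users file above decodes without the Vendor-Specific attribute ever being named in the configuration, while either malformed shape is rejected before the roles are read.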