I wrote previously on how to integrate Cisco IPS modules with Microsoft 2008 NPS server, for Radius authentication. Now we are going to cover how to integrate Cisco Nexus with radius. The format is very similar to the IPS setup, so it may be worth having a read of the first post to get an idea.
We start with some basic assumptions, and one caveat:
1: Your basic Nexus switch configuration is already in place and can ping your NPS server (via the management vrf)
2: You already have an NPS server in place, serving clients.
I am using the Cisco Titanium Nexus 7000 emulator (but the same process should apply to the NX5000 series, I need to do this on real Nexus 5000’s so if there are any differences I will update this post).
Nexus client and profile settings on Microsoft 2008 NPS
We start by adding a client onto the NPS, we give it a friendly name, specify the IP address and set the radius secret (here I am using nxnps123). I have also set the vendor name to Cisco.
And now we have a client set up:
Now we create a policy to map access to the client. I have called this “TestNexus Admin”, and the plan will be to have a read-only policy added later on.
In the next window I start to specify the conditions, and will use the security group “sec-FW-admin”, so click on Add to add a condition and select “Windows Groups”
Now you can add your specific groups.
Next, I add the Client Friendly Name, and use the same name I called the client:
We keep the default of Access granted and move on till we see the “Configure Authentication Methods”, here we select just PAP and SPAP:
We can skip the “Configure Restraints” window and move on to “Configure Settings”. Here we remove the two options under “Standard”:
We can add a Vendor Specific entry:
For this entry, we will use “shell-roles=*admin” (before anyone says this is wrong, please read the rest of the post to see why I haven’t corrected this yet…)
And that’s all the configuration on the Microsoft side (for the moment at least).
Nexus Radius setup and AAA Authentication
Just in case you haven’t set up the basics on the Nexus the screenshots below show how to set the management vrf IP, and default routing, as well as confirming reachability to the NPS server:
Notice here that we have to specify vrf management in the ping command for it to work
Now we know that we can “talk” to the NPS box we can start setting up the radius parts.
We start by setting the radius key, it should match the key used to set up the client under NPS (again here we are using “nxnps123”). The 0 next to “key” means that it is unencrypted.
Then we set the host (which we should have at least two of for redundancy), and create an aaa group and add the server to this. the last command tells the Nexus to use the management vrf to communicate with the server.
Now we can tell the Nexus to use radius for authentication, and we also tell it to keep track of errors:
Finally, just in case our Radius server is down for any reason, the Nexus should use its local database for login:
Now we can test login!
But we can’t stop here. Like I pointed out earlier there was an issue with the shell:roles command within the NPS setup.
With the existing configuration we try saving the config:
So let’s look at the privilege levels:
Well, -1 was never a good thing in my book. So I changed the AV-pair to “shell:roles=*”network-admin vdc-admin””, logged out, and back in again:
Now although the displayed privilege level is still showing -1, we can save the config.
Lastly, I copied the profile in NPS, changed the Windows Group to one that has people we want to give read-only access to, and changed the role to network operator:
https://www.802101.com/wp-content/uploads/https://img2.802101.com/2013/08/nexus-ro.jpg” alt=”Cisco Nexus radius read-only network-operator” width=”307″ height=”320″ border=”0″ />
And again we test, this time we are expecting the copy run start to fail
Which it does, but they can still issue show commands, so the achieves exactly what is required.
Fallback on Nexus
Lastly, we need to make sure that if the radius server is down, we can still get in. I stopped the NPS service and tried logging in. Login failed. I reconnected and tried logging in with the admin username and password, and got in:
As you can see, Cisco Nexus plays very nicely with Microsoft’s NPS. Better than ASAs do, anyway.
Thanks for your doc, I was looking exactly for this config, but unfortunately doesn’t work for me on my Nexus 5k
I configured the NPS policy exactly as same as your post and here below the config from my Nexus
radius-server key 7 "xxxx"
radius-server timeout 1
radius-server retransmit 2
radius-server host y.y.y.y key 7 "xxxx" authentication accounting
aaa group server radius MY-RAD
aaa authentication login default group MY-RAD local
aaa authentication login console group MY-RAD local
and here the message every time I get from NPS log
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Enabling debug on Nexus
packet from RADIUS server y.y.y.y fails verification: The shared secret is probably incorrect.
But the shared key is correct I put it on the NPS client side and on the Nexus almost 10 time to be sur..
Thanks for your feedback
This was a useful doc. Thanks for putting this together.
To validate the aaa without changing the authentication settings, you can use following command
"test aaa group groupname username password"
"test aaa server radius X.X.X.X username password"
Note: I was unable to add multiple client IPs to same Network Policy while setting this up. So i have to use discrete client with discrete network policy. Also while adding vendor attributes, you dont need to mention "" . You could simple use shell:roles=network-admin. The other point use you can use any VRF (wherever your Radius server is) to configure the AD group.
radius-server key [email protected]
radius-server host 10.0.0.1 authentication accounting
aaa group server radius AD03
aaa authentication login default group my-rad local
aaa authentication login console local
aaa authentication login error-enable
Great stuff, thanks!
I have a question, when the nps server is up i can’t use the local username and password ?
It will fallback to local auth when the NPS server is unavailable, but if the NPS server is up, the device will try to use that first.
Can you fix screenshots please
oh, wow. All the pictures are screwed.
Thanks for letting me know.
I have the same question as Robin:
“When the NPS is up I can’t use the local username and password?”
I’d like to be able to use both RADIUS and LOCAL logins simultaneously. I am able to do this on Catalyst 9300 but not Nexus it seems.
My use case is:-
RADIUS – login for network engineer use
LOCAL – local account for Solarwinds NCM config backup
its either/or. Cant use both methods at the same time as far as I know.