Cisco Secure Access Control System

ACS Limited User Access with RADIUS on Nexus Configuration Example

Document ID: 116236

Updated: Jul 11, 2013

Contributed by Minakshi Kumar, Cisco TAC Engineer.

Introduction

This document describes how to provide restricted access to Nexus users so that they can only enter limited commands with Cisco Secure Access Control Server (ACS) as a RADIUS server. For example, you might want a user to be able to log in to a privileged or a configuration mode and only be allowed to enter interface commands. In order to achieve this, you must create a custom role for the user on the RADIUS server that is used.

Prerequisites

Requirements

The RADIUS server (ACS in this example) and Nexus must be able to contact each other and perform authentications.

Components Used

The information in this document is based on these software and hardware versions:

  • ACS Version 5.x
  • Nexus 7000 Switches

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Configuration of Custom Roles on the Nexus

In order to create a role that only provides read/write access for the interface command, enter:

switch(config)# role name Limited_Access
switch(config-role)# rule 1 permit read-write feature interface

Additional permit access rules are defined with this syntax:

switch(config-role)# rule 2 permit read-write feature snmp
switch(config-role)# rule 3 permit read-write feature snmpTargetParamsEntry
switch(config-role)# rule 4 permit read-write feature snmpTargetAddrEntry

Configure the Nexus for Authentication and Authorization

  1. In order to create a local user on the switch with full privileges for fallback, enter the username command:
    switch(config)# username admin privilege 15 password 0 cisco123!
  2. In order to provide the IP address of the RADIUS server (ACS), enter:
    switch# conf terminal
    switch(config)# radius-server host 10.10.1.1 key cisco123 authentication accounting

    switch(config)# aaa group server radius RadServer
    switch(config-radius)# server 10.10.1.1
    switch(config-radius)# use-vrf management

    Note: The key must match the Shared Secret configured on the RADIUS server for this Nexus device.

  3. In order to test the RADIUS server availability, enter the test aaa command:
    switch# test aaa server radius 10.10.1.1 user1 Ur2Gd2BH
    Test authentication should fail with a rejection from the server, since the ACS is not yet configured. However, it confirms that the server is reachable.
  4. In order to configure login authentication, enter:
    switch(config)# aaa authentication login default group RadServer
    switch(config)# aaa accounting default group RadServer
    switch(config)# aaa authentication login error-enable
    You do not have to worry about a local fallback method here, because Nexus falls back to local authentication on its own if the RADIUS server is unavailable.

Configuration of ACS

  1. Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles in order to create an Authorization Profile.
  2. Enter a name for the profile.
  3. Under the Custom Attributes tab, enter these values:
    • Dictionary Type: Radius-Cisco
    • Attribute: cisco-av-pair
    • Requirement: Mandatory
    • Value: shell:roles=Limited_Access
  4. Submit the changes in order to create an attribute-based role for the Nexus switch.
  5. Create a new authorization rule or edit a current rule in the correct access policy. RADIUS requests are processed by the Network Access Policy by default.
  6. In the Conditions area, choose the appropriate conditions. In the Results area, choose the Limited_Access profile.
  7. Click OK.
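The Value entered in step 3 reaches the switch inside the RADIUS Access-Accept as a Cisco Vendor-Specific attribute (vendor 9, vendor-type 1, cisco-av-pair), and the Nexus only accepts that reply if its Response Authenticator checks out against the shared key from the switch configuration. The following Python example is added here and is not part of the Cisco document or of ACS: it encodes such a reply and then decodes it the way the switch does; the packet identifier, the Request Authenticator and the sample packet are constructed for illustration.

```python
import hashlib
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of cisco-av-pair
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator (random in a real Access-Request)

def cisco_avpair(value):
    """Encode one cisco-av-pair string as a Cisco Vendor-Specific attribute."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept; the Response Authenticator binds it to the request and the shared key."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_and_extract_roles(packet, request_auth, secret):
    """Return the roles named in shell:roles=... if the reply authenticates, else None."""
    if len(packet) < 20 or packet[0] != CODE_ACCESS_ACCEPT or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:     # key mismatch: the NAS silently drops this reply
        return None
    roles, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs): return None   # malformed attribute
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 6 \
                and struct.unpack("!I", attrs[i + 2:i + 6])[0] == CISCO_VENDOR_ID:
            j = i + 6
            while j + 2 <= i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2: return None                    # malformed sub-attribute
                text = attrs[j + 2:j + vlen].decode(errors="replace")
                if vtype == CISCO_AVPAIR and text.startswith("shell:roles="):
                    roles += text[len("shell:roles="):].strip('"').split()
                j += vlen
        i += alen
    return roles

def build_sample():
    """Constructed Access-Accept as ACS would send it for the Limited_Access profile (key from the switch config)."""
    return access_accept(7, REQ_AUTH, b"cisco123", cisco_avpair("shell:roles=Limited_Access"))
```

A reply built with any other key, or with a single attribute byte altered, fails the authenticator check and yields no roles, which is exactly the symptom of a Shared Secret mismatch between ACS and the switch.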

Verify

Use this section in order to confirm that your configuration works properly.

Nexus Role Verification

Enter the show role command on Nexus in order to display the defined roles and configured access rules.

switch# show role

Role: network-admin
Description: Predefined network admin role has access to all
commands on the switch.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write

Role: Limited_Access
Description: Predefined Limited_Access role has access to these commands.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write feature Interface
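Reading the show role output by eye is fine for one role, but a restricted role is only useful if nothing beyond the intended feature slipped into it. The following Python example is added here and is not from the Cisco document: it parses show role output in the layout shown above and lists every permit rule of a role that grants more than an allowed feature list. The sample output is constructed and deliberately carries an extra snmp rule so the check has something to flag.

```python
import re

# Constructed 'show role' output in the layout the Nexus prints (not captured from a real switch).
SHOW_ROLE = """\
Role: network-admin
Description: Predefined network admin role has access to all
commands on the switch.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write

Role: Limited_Access
Description: Limited_Access role has access to these commands.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write feature interface
2 permit read-write feature snmp
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(read-write|read)(?:\s+(feature|command|feature-group)\s+(.+))?\s*$")

def parse_show_role(text):
    """Map each role name to its list of (perm, type, scope, entity) rules."""
    roles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Role:\s*(\S+)", line)
        if m:
            current = m.group(1)
            roles[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current:
            _, perm, typ, scope, entity = m.groups()
            roles[current].append((perm, typ, scope, entity))   # scope/entity None = whole switch
    return roles

def excess_grants(roles, role, allowed_features):
    """Return the rules of `role` that permit anything beyond the allowed feature names."""
    excess = []
    for perm, typ, scope, entity in roles.get(role, []):
        if perm != "permit":
            continue
        if scope != "feature" or entity.lower() not in {f.lower() for f in allowed_features}:
            excess.append((perm, typ, scope, entity))
    return excess
```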

Nexus User-Role Assignment Verification

Log in to Nexus with the username and password configured on the ACS. After login, enter the show user-account command in order to verify that the test user has the Limited_Access role:

switch# show user-account
user:admin
this user account has no expiry date
roles:network-admin

user:Test
this user account has no expiry date
roles:Limited_Access
Once the user access role is confirmed, switch into configuration mode and attempt to enter a command other than an interface command. The user should be denied access.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

  • show role - Displays the role definition and configured access rules.
  • show user-account - Displays the user account details and includes role assignment.

Troubleshoot

This section provides information you can use in order to troubleshoot your switch configuration.

Complete these steps on the switch in order to troubleshoot role assignment:

  1. Verify which AAA group is used for authentication with the show running-config aaa and show aaa authentication commands.
  2. For RADIUS, verify the Virtual Routing and Forwarding (VRF) association with the AAA group with the show aaa authentication and show running-config radius commands.
  3. If these commands verify that the association is correct, enter the debug radius all command in order to enable trace logging.
  4. Verify that the correct attributes are being pushed from the ACS.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • show running-config aaa
  • show aaa authentication
  • show running-config radius
  • debug radius all