ACS Limited User Access with RADIUS on Nexus Configuration Example

Available Languages

Download Options

  • PDF     (787.1 KB)
    View with Adobe Reader on a variety of devices
Updated:July 11, 2013
Document ID:116236

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to provide restricted access to Nexus users so that they can only enter limited commands with Cisco Secure Access Control Server (ACS) as a RADIUS server. For example, you might want a user to be able to log in to a privileged or a configuration mode and only be allowed to enter interface commands. In order to achieve this, you must create a custom role for the user on the RADIUS server that is used.

Prerequisites

Requirements

The RADIUS server (ACS in this example) and Nexus must be able to contact each other and perform authentications.

Components Used

The information in this document is based on these software and hardware versions:

  • ACS Version 5.x
  • Nexus 7000 Switches

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Configuration of Custom Roles on the Nexus

In order to create a role that only provides read/write access for the interface command, enter:

switch(config)# role name Limited-Access
switch(config-role)# rule 1 permit read-write feature interface

Additional permit access rules are defined with this syntax:

switch(config-role)# rule 1 permit read-write feature snmp
switch(config-role)# rule 2 permit read-write feature snmp
TargetParamsEntry
switch(config-role)# rule 3 permit read-write feature snmp
TargetAddrEntry

Configure the Nexus for Authentication and Authorization

  1. In order to create a local user on the switch with full privileges for fallback, enter the username command:
    Switch(config)#username admin privilege 15 password 0 cisco123!
  2. In order to provide the IP address of the RADIUS server (ACS), enter:
    switch# conf terminal
    switch(config)# Radius-server host 10.10.1.1 key cisco123
    authenticationaccounting
    switch(config)# aaa group server radius RadServer
    switch(config-radius)#server 10.10.1.1
    switch(config-radius)# use-vrf Management

    Note: The key must match the Shared Secret configured on the RADIUS server for this Nexus device.

  3. In order to test the RADIUS server availability, enter the test aaa command: 
    switch# test aaa server Radius 10.10.1.1 user1 Ur2Gd2BH
    Test authentication should fail with a Rejection from the server since it is not yet configured. However, it confirms that the server is reachable.
  4. In order to configure login authentications, enter:
    Switch(config)#aaa authentication login default group Radserver
    Switch(config)#aaa accounting default group Radserver
    Switch(config)#aaa authentication login error-enable
    You do not have to worry about the local fallback method here, because Nexus fallbacks to local on its own if the RADIUS server is unavailable.

Configuration of ACS

  1. Navigate to Policy Elements > Authentication and Permissions > Network Access > Authorization Profile in order to create an Authorization Profile.

  2. Enter a name for the profile.
  3. Under the Custom Attributes tab, enter these values:
    • Dictionary Type: Radius-Cisco
    • Attribute: cisco-av-pair
    • Requirement: Mandatory
    • Value: shell:roles=Limited_Access

  4. Submit the changes in order to create an attribute-based role for the Nexus switch.

  5. Create a new authorization rule or edit a current rule in the correct access policy. RADIUS requests are processed by the Network Access Policy by default.
  6. In the Conditions area, choose the appropriate conditions. In the Results area, choose the Limited_Access profile.


  7. Click OK.

Verify

Use this section in order to confirm that your configuration works properly.

Nexus Role Verification

Enter the show role command on Nexus in order to display the defined roles and configured access rules.

switch# show role  (Displays all the roles and includes
custom roles that you have created and their permissions.)

Role: network-admin

  Description: Predefined network admin role has access to all
  commands on the switch.
  -------------------------------------------------------------------
   Rule    Perm    Type        Scope               Entity
  ----------------------------------------------------------------
    1       permit  read-write

Role:Limited_Access
  Description: Predefined Limited_Access role has access to these commands.
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write  feature             Interface

Nexus User-Role Assignment Verification

Log in to Nexus with the username and password configured on the ACS. After login, enter the show user-account command in order to verify that the test user has the Limited_Access role:

switch# show user-account
        user:admin
        this user account has no expiry date
        roles:network-admin

user:Test
      this user account has no expiry date
      roles:Limited_Access


Once the user access role is confirmed, switch into configuration mode and attempt to enter a command other than an interface command. The user should be denied access.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

  • show role - Displays the role definition and configured access rules.
  • show user-account - Displays the user account details and includes role assignment.

Troubleshoot

This section provides information you can use in order to troubleshoot your switch configuration.

Complete these steps on the switch for role assignment:

  1. Verify which AAA group is used for authentication with the show running-config aaa and show aaa authentication commands.
  2. For RADIUS, verify the Virtual Routing and Forwarding (VRF) association with the AAA group with the show aaa authentication and show running-config radius commands.
  3. If these commands verify that the association is correct, enter the debug radius all command in order to enable trace logging.
  4. Verify that the correct attributes are being pushed from the ACS.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • show running-config aaa-
  • show aaa authentication-
  • show running-config radius
  • debug radius all

Revision History

Revision Publish Date Comments
1.0
11-Jul-2013
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Minakshi Kumar
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products