User manager 7 Authorization into Cisco Nexus switches.

mkamenjak · May 24, 2022, 6:31pm

Hello, I have user manager v.7.2.3.
And I want to use it purely as a RADIUS authentication server to manage my network devices. Nothing fancy like hotspot or CRM etc…
And I have a lot of Cisco Nexus switches in my core. Excellent switches I must admit.
Also I like so far how user-manager works. Much better than our previous freeradius/LDAP contraption that we have previously experimented with. How do I get Mikrotik User-manager to work nicely together with Cisco NXOS?

However I am having trouble using user-manager with our Nexus switches. I can authenticate to the switch, but it is hard coded to give me write only ‘network-operator’ privileges instead of ‘network-admin’ privileges by default. And I need ‘network-admin’ privileges(or ‘full’ privileges in Mikrotik terms). As far as I know there is no way to chenge this default. However it is possible to get those privileges by pushing a RADIUS attribute. The RADIUS attribute is supposed to be called ‘Cisco-AVPair’, I think?

So far I have configured it like this(attachment picture 1). I don’t know if this is correct, can you help? Code:

/user-manager attribute
add name=Cisco-AVPair type-id=26 value-type=string vendor-id=Cisco

Screenshot 2022-05-24 201921.png
And I have configured the RADIUS user like this, obviously redacted:

/user-manager user
add attributes="Cisco-AVPair:= \"shell:roles*\\\"network-admin vdc-admin\\\"\"" name=XYZ shared-users=unlimited

Picture 2 in the attachemnt is this… Also I don’t know if this part is correct either.
Screenshot 2022-05-24 203102.png
EDIT, My radius configuration on my test Nexus switch:

radius-server host 1.1.1.1 key 7 "somekey" authentication accounting timeout 1
radius-server host 8.8.8.8 key 7 "somekey" authentication accounting
radius-server directed-request
aaa group server radius RADIUS
    server 1.1.1.1
    server 8.8.8.8
aaa authentication login default fallback error local
aaa authentication login default group RADIUS

sktop · September 27, 2022, 12:44pm

mkamenjak:

Hello, I have user manager v.7.2.3.
And I want to use it purely as a RADIUS authentication server to manage my network devices. Nothing fancy like hotspot or CRM etc…
And I have a lot of Cisco Nexus switches in my core. Excellent switches I must admit.
Also I like so far how user-manager works. Much better than our previous freeradius/LDAP contraption that we have previously experimented with. How do I get Mikrotik User-manager to work nicely together with Cisco NXOS?

However I am having trouble using user-manager with our Nexus switches. I can authenticate to the switch, but it is hard coded to give me write only ‘network-operator’ privileges instead of ‘network-admin’ privileges by default. And I need ‘network-admin’ privileges(or ‘full’ privileges in Mikrotik terms). As far as I know there is no way to chenge this default. However it is possible to get those privileges by pushing a RADIUS attribute. The RADIUS attribute is supposed to be called ‘Cisco-AVPair’, I think?

So far I have configured it like this(attachment picture 1). I don’t know if this is correct, can you help? Code:
/user-manager attribute
add name=Cisco-AVPair type-id=26 value-type=string vendor-id=Cisco
And I have configured the RADIUS user like this, obviously redacted:
/user-manager user
add attributes="Cisco-AVPair:= \"shell:roles*\\\"network-admin vdc-admin\\\"\"" name=XYZ shared-users=unlimited
Picture 2 in the attachemnt is this… Also I don’t know if this part is correct either.
EDIT, My radius configuration on my test Nexus switch:
radius-server host 1.1.1.1 key 7 "somekey" authentication accounting timeout 1
radius-server host 8.8.8.8 key 7 "somekey" authentication accounting
radius-server directed-request
aaa group server radius RADIUS
    server 1.1.1.1
    server 8.8.8.8
aaa authentication login default fallback error local
aaa authentication login default group RADIUS

Hi,
Did You manage to get it working, could You please share final config?

Is this issue related only to the Nexus switches?

I am thinking to use User Manager as Radius authentication server for CISCO switches (I do not have Nexus, just 2960, 1100 Catalyst series).
I thought it will work when I set up User Manager with ROS7 and just add some users.