mkamenjak
newbie
Topic Author
Posts: 41
Joined: Tue Jul 13, 2021 12:49 pm

User manager 7 Authorization into Cisco Nexus switches.

Tue May 24, 2022 9:31 pm

Hello, I have user manager v.7.2.3.
And I want to use it purely as a RADIUS authentication server to manage my network devices. Nothing fancy like hotspot or CRM etc...
And I have a lot of Cisco Nexus switches in my core. Excellent switches I must admit.
Also I like so far how user-manager works. Much better than our previous freeradius/LDAP contraption that we have previously experimented with. How do I get Mikrotik User-manager to work nicely together with Cisco NXOS?

However I am having trouble using user-manager with our Nexus switches. I can authenticate to the switch, but it is hard coded to give me write only 'network-operator' privileges instead of 'network-admin' privileges by default. And I need 'network-admin' privileges (or 'full' privileges in Mikrotik terms). As far as I know there is no way to change this default. However it is possible to get those privileges by pushing a RADIUS attribute. The RADIUS attribute is supposed to be called 'Cisco-AVPair', I think?

So far I have configured it like this (attachment picture 1). I don't know if this is correct, can you help?
Code:
/user-manager attribute
add name=Cisco-AVPair type-id=26 value-type=string vendor-id=Cisco
And I have configured the RADIUS user like this, obviously redacted:
/user-manager user
add attributes="Cisco-AVPair:= \"shell:roles*\\\"network-admin vdc-admin\\\"\"" name=XYZ shared-users=unlimited
Picture 2 in the attachment is this... Also I don't know if this part is correct either.
EDIT, My radius configuration on my test Nexus switch:
radius-server host 1.1.1.1 key 7 "somekey" authentication accounting timeout 1
radius-server host 8.8.8.8 key 7 "somekey" authentication accounting
radius-server directed-request
aaa group server radius RADIUS
    server 1.1.1.1
    server 8.8.8.8
aaa authentication login default fallback error local
aaa authentication login default group RADIUS
 
sktop
just joined
Posts: 5
Joined: Wed May 22, 2013 9:19 am

Re: User manager 7 Authorization into Cisco Nexus switches.

Tue Sep 27, 2022 3:44 pm

Hi,
Did You manage to get it working, could You please share final config?

Is this issue related only to the Nexus switches?

I am thinking of using User Manager as Radius authentication server for CISCO switches (I do not have Nexus, just 2960, 1100 Catalyst series).
I thought it would work when I set up User Manager with ROS7 and just add some users.
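
For checking a packet capture of the Access-Accept, here is an added example (not part of the thread, and not MikroTik or Cisco code) of how the role string from the first post travels on the wire: Cisco-AVPair is vendor sub-type 1 inside a Vendor-Specific attribute (RADIUS type 26, RFC 2865) with Cisco's vendor ID 9. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Added example; function names are illustrative, not from any product.
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type used for every vendor attribute
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # Cisco vendor sub-type carrying "attr=value" strings

def encode_cisco_avpair(value: str) -> bytes:
    """Build one Vendor-Specific attribute holding a Cisco-AVPair string."""
    data = value.encode("ascii")
    if len(data) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (sub header)
        raise ValueError("AVPair too long for a single attribute")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, CISCO_VENDOR_ID) + sub

def decode_cisco_avpairs(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list and return every Cisco-AVPair string."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, = struct.unpack("!I", body[:4])
            stype, slen = body[4], body[5]
            if vendor == CISCO_VENDOR_ID and stype == CISCO_AVPAIR and 2 <= slen <= len(body) - 4:
                found.append(body[6:4 + slen].decode("ascii", "replace"))
        pos += alen
    return found

def nxos_roles(avpair: str) -> list[str]:
    """Extract role names from shell:roles="..." or shell:roles*"..."."""
    for sep in ("=", "*"):
        prefix = "shell:roles" + sep
        if avpair.startswith(prefix):
            return avpair[len(prefix):].strip('"').split()
    return []

# Constructed sample: a Service-Type attribute followed by the role AVPair
# from the first post, laid out as attributes of an Access-Accept.
SAMPLE = bytes([6, 6, 0, 0, 0, 6]) + encode_cisco_avpair(
    'shell:roles*"network-admin vdc-admin"')

if __name__ == "__main__":
    for pair in decode_cisco_avpairs(SAMPLE):
        print(pair, "->", nxos_roles(pair))
```

If a capture of the reply shows no attribute with these header bytes (26, length, 00 00 00 09, 01, sub-length), the switch never received the role string, whatever the server-side user entry says.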
