Cisco WAN :: Radius Configuration On Nexus 7k
Jun 5, 2012Configuring radius authentication on Nexus 7k?I have heard once you have configured the radius you are only able to run show commands on it.
View 1 RepliesConfiguring radius authentication on Nexus 7k?I have heard once you have configured the radius you are only able to run show commands on it.
View 1 Repliesi am trying to assign a right role for a user who authenticates to nexus 7k switch via radius. i am using cisco ISE version 1.1.1.268 and the nexus version is 5.0.2,I have created a role on nexus.
View 1 Replies View RelatedI have setup my radius server access on the Nexus but am unable to authenticate through putty. If I do a radius-server test on the Nexus it says I authenticate. Here is the log I am getting.
2012 Mar 14 16:03:21 switch-a %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth): check
pass; user unknown - aaad
[Code].....
I can authenticate between our MDS 9216i switch and RSA radius server but my role does not come across. The logged in user is a network-operator not admin. In the AV Pair i have defined shell:role*network-admin but it doesnt seem to come across
View 4 Replies View RelatedI am facing issue with nexus 7010 login authentication by radius server. I have two nexus 7010, one of them is working perfectly. Other taking long time to authenticate. If i use local database to login it works perfectly. It works fine also if i login from console using radius for authentication.
View 1 Replies View Relatedmy customer has FreeRadius, and I'm trying to get the server to assign a network admin role to a 5K running 5.0.3 code.This is based on the example given in this document: url...The server authenticates the user name, but will only put the user into the network operator role. This is confirmed by checking the output of show user-account and debug security user-db.The Radius test using the same credentials passes the authentication test. I'm sure the problem is that the N5K dosent understand the VSA format of the attribute, and that this is a simple syntax problem.
View 2 Replies View RelatedI need to configure RADIUS VSA configuration for a my alvarion device. Following are the attributes that need to be configured.
- Packet Data Flow ID (ID 1, integer16)
- Direction (ID 4, integer8)
- Transport Type (ID 6, integer8)
- UplinkQoSID (ID 7, integer8)
- DownlinkQoSID (ID 8, integer8)
[code]....
I was able to configure the first 6 attributes, how can I add the Sub - TLV's ClassifiedID, Priority, VLAN-ID and Classifier Direction which come under Classifier. Don't see any option for that in ACS 5.x
I have been given a new project at work, to configure a 881W for wireless capebilities. how to get it to work using local database for the users to authenticate against, but our goal is to authenticate against a radius server that we have in place for existing Juniper AP's.
I have looked at some documentation out there and I cant seem to find what Im looking for. What I need to find out is an example of how to setup a radius server so that the wireless user can authenticate against. I have found some docs on google but those go over radius server setups for logons to the router etc.
here is what I got so far
Building configuration...
Current configuration : 2005 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname 881W_AP!logging rate-limit console 9enable secret 5
[Code].....
I am currently trying to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me coming up trumps with success so far.
My steps for radius:- (i think this part ive actually got ok) [URL]
Steps for the wireless profile on a win 7 client:- this has me confused all over the place [URL]
My 1130 Config:-
[code]
Current configuration : 3805 bytes
!
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
[Code].....
I can't seem to get the SSID RadiusTest to work properly.
Windows PC's show "Windows was unable to find a certificate to log you into the network". Macs don't authenticate either. Radius server isn't seeing any requests at all. Radius server is working because we are authenticating other things to it.
On my test 1231, IOS is 12.3(8) JEB1.
version 12.3
no service pad
service timestamps debug datetime msec
[Code].....
Is it possible to deploy the CSS11501 in one arm design to loadbalance the authentication traffic Radius across CSACS servers which is on UDP 1645 or 1812 port, is it required to configure the NAT or not, if yes how can define the shared secret in the CSS. also tell me how to configure the keepalive for udp traffic in this scenario other then default icmp keep alive
View 2 Replies View RelatedI have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
I came across an interesting issue and thought I would see if anyone else has encountered it before contacting TAC.I have two Cisco Catalyst WS-4510R-E switches with a single Supervisor V module in each chassis. Both Sup cards are now running 12.2(54) SG1; ipbasek9 firmware; yes, I plan to move both switches to 15 code but that's another story. Anyways, prior to the upgrade the one switch was running 12.2 (33) code; I suspect the code was never upgraded; running ipbase non - K9 code. The other switch was running 12.2(44) with K9 prior to upgrade to 12.2(54).
View 2 Replies View RelatedI have two Cisco Catalyst WS-4510R-E switches with a single Supervisor V module in each chassis. Both Sup cards are now running 12.2(54) SG1; ipbasek9 firmware; yes, I plan to move both switches to 15 code but that's another story. Anyways, prior to the upgrade the one switch was running 12.2 (33) code; I suspect the code was never upgraded; running ipbase non - K9 code. The other switch was running 12.2(44) with K9 prior to upgrade to 12.2(54). With the background set, one switch reports the following:SwitchA (config)#r?radius-server redundancy regexp represourc rmon route-map router.
View 4 Replies View RelatedI am looking to configure PBR in Nexus. The current setup in IOS is :
interface Vlan10
ip address 172.27.206.1 255.255.255.0
ip address 172.27.208.1 255.255.254.0 secondary
ip policy route-map Vlan_10_to_Corp
route-map Vlan_10_to_Corp permit 10match ip address Vlan_10_to_Corp
set ip next-hop 172.27.209.250!route-map Vlan_305_to_EFH permit 30
[code]....
But, Nexus PBR will not work with deny statements init. Now, what options do I have ?
I'm busy on configuring the backup of the configuration from Nexus switches 5K and 7K.I have installed COPSSH on my windows server and try to confiugre the sftp credentials. [code] I have tested from the CLI from the switch and i have the issue but if i use the default vrf 'default' it works fine.How can i change the command sent by DCNM to the Nexus in order to specify vrf default and not vrf management ?
View 1 Replies View Relatedi have a use-case in which we need to firewall some of the security-sensitive-vlans to the ASA. In other words, there are few vlans that have their SVIs on the N5k (Layer-3 enabled) which talk to each other and there are some which have the layer-3 on the ASA. The ASA has sub-interfaces for those vlans. The N5k-sw and the ASA are interconnected on the same 1 physical link with a sub-interface on both ( /30) and the ASA is injecting default route to it in OSPF. They are advertising all of their networks in OSPF. I see all the routes in them. (Attached pic),My issue is: I am unable to ping the other sub-interface on the ASA from the N5k. (If you check the attached diagram, i cannot ping 20.1.1.1 from the N5k, although i can reach my next-hop 10.1.1.2) I have made the security-level to 100 for the subinterfaces and the physical interface on the ASA, also have allowed ip,icmps in the ACLs on the sub-interfaces of vlan 10 and 20 in both directions.
View 5 Replies View RelatedI have followed every piece of cisco documentation I could find on this and I still can't get vPC configured to actually work. The VLANs stay in a suspended state so no traffic flows across. Below is my configuration:vrf context management ip route 0.0.0.0/0 10.86.0.1vlan 1,vlan 86 name I.S_Infrastructure,vpc domain 1 role priority 1000 peer-keepalive destination 10.86.0.4,interface Vlan1,interface Vlan86 no shutdown description I.S._Infrastructure ip address 10.86.0.1/24,interface port-channel1 switchport mode trunk vpc peer-link spanning-tree port type normal,interface Ethernet1/1 switchport mode trunk channel-group 1 mode active,interface Ethernet1/2 switchport mode trunk channel-group 1 mode active ,interface Ethernet1/3,escription Connection to Mgmt0 switchport access vlan 86 speed 1000.
View 8 Replies View RelatedI am seeing an issue that after deleting/recreating one of the VDC in Nexus 7K, VLAN is not been able to be configured within the VDC although it is not actually a reserved VLAN. Could it be anything missing in the license installation? the version of the image is NX-OS 6.1.2
StorageVDC(config)# vlan 100
^
invalid vlans (reserved values) at '^' marker.
I would like to know if the power the Nexus 7K allocates per module is configurable?For example, we are only using the 8 didicated ports on our N7K-M132XP-12 card. The Nexus budgets 750W for the module, but given that we will only ever use 8 of the 32 ports we would like to allocate the remaining power elsewhere.
View 2 Replies View RelatedI want to know how to retrieve the complete configuration for a Nexus via the snmpwalk or snmpget commands...
View 6 Replies View RelatedWe have two Nexus switches in our network, one of them is Nexus5020 other Nexus5596UP. System image is identical on both switches 5.2(1)N1(4). When we try to setup VPC between these switches we see that all configured vlans on VPC peer link between Nexus switches are blocked by spanning tree protocol with message "Bridge Assurance Inconsistent, VPC Peer-link Inconsistent". We still can't solve this problem.
Topology:
NEXUS_5020---Peer_link(Po2)---NEXUS_5596UP
/
/
Member_link (Po100) Member_link (Po100)
/
/
SERVER
Configuration:
NEXUS_5020:
speed 1000
interface Vlan2000
no shutdown
description VPC_keepalive_link
vrf member VPC_kepalive
ip address 10.55.55.2/30
I am looking to implement a QoS policy on a pair of Nexus 5548 UPs. FCoE is a factor here. I have created the following configuration and would like to get a few pairs of eyes to take a look at this for a quick sanity check.
How to make sure this config is valid. Also, I realize I'm applying an MTU of 9216 to all classes right now, this will be phased out incrementally.
class-map type qos match-all class-platinum
match cos 5
class-map type qos match-all class-gold
match cos 4
class-map type qos class-fcoe
match cos 3
[code]....
We have Nexus 7009 switch and want to configure the span session
We are using F2 and M2 card both are in seperate differeent VDC.And out server is connected to M2 card on eth 4/6 and want to monitor the traffic from vlan 161Which is made on F2 card.
Connectivity is like this.
Nexus 1 Nexus2
Slot 3: F2 card Slot 3 : F2 card
Slot 3: M2 card Slot 3 : M2 card
[Code]......
I have a Cisco Nexus 3064 that I am using as part of a flat network for the Lab. I have 30 Virtualization Servers(MS HyperV and VMware vSphere) connected to this switch and I want to enable jumbo frames. The Virtualization Servers are able to ping the local VM's using 8K bytes. However I am unable to ping from server to server using 8K bytes. I have configuration (in abbreviation). All the servers are in the same network which I configured as L2 ports with the "switchport" command. However, the interface "MTU" command is unavailable in L2 mode. I am only able to get the interface "MTU" command only in L3 mode with the "no switchport" command on the interface.
# int eth1/2-45
# no switchport
# mtu 9216
# no shut
I can ping the servers with less than 1500 bytes, but anything larger fails.
What is the purpose of these default configuration lines? What do they mean? I can't find an explanation of them anywhere. I believe some are written to the config when FCoE is enabled..
I would like to know exactly what they are doing.
class-map type qos class-fcoe
class-map type queuing class-fcoe
match qos-group 1
[Code].....
I have two 5548s as core. 8 FEXs are multihomed (advanced vPC topology?) to both the cores.Suppose, I have to configure a bunch of ports on the FEXs, say Eth101/1/10 - 20. I would login to the first core and apply the configs.
My question is - do I have to do the same on the second core also? Or would the first core replicate the stuff to the second core? I know about port-profiles/CFS and such. But, without that would it automatically sync to second core?
For testing purpose, I went to Core 1 Eth101/1/10 and put a description "TEST". Wrote the config. After 5 minutes logged into second core and did show run Eth101/1/10. But, the description "TEST" didn't show up there.
Also, doing sh run on any FEX port is faster on one of the cores and very slow on second core... all the FEXs have 20 GB uplink to core 1 & 2 (so total 40GB in vPC, max pinning 1)
I found this reference DCNM-L-NXACCK9 in the configuration generated by a dynamic Tools for a nexus bundle N5K-C5548UP-B-S32. This reference is not reflected in the price list. Has it been replaced? no datasheet on Cisco portal.
View 2 Replies View RelatedThis is regarding CISCO logging configuration.We palnned to implement enable logging on all the cisco nexus switchs.we are running HP arc sight in our DC this device monitor all the CISCO devices.We want to enable logging with this Arc sight device.Just I would like to know about config commands for Nexus device, what is the command to enable logs which is include "who is login & logout?, interface down information?,who was did conf t ? & every logs"
View 8 Replies View Relatedwe've been using IOS for a long time, but are relatively new to NX-OS. We've got a central syslog server that all our devices log to. No matter what we do, we can't get our Nexus switches to log there. Here's my current attempt:
Nexus 7009, NX-OS 6.0(1)
# sh logging server
Logging server: enabled
{redacted}
server severity: debugging
server facility: local7
server VRF: default
[code].....
The default VRF is working. I see log entries in the logfile, but nothing arrives at the syslog server. It's not a config issue on the server, because tcpdump shows that no packets arrive from the IP for loopback 0.
What is the exact command in restoring the running-config on a Nexus 7010. Is it the same command / procedure as the Cisco IOS?
View 3 Replies View RelatedWe are facing issue of continous packet discards On nexus4001L link (int po2) to Nexus5020 switch. Nexus4001L is installed in IBM blade center server and we have FCOE enabled in this setup. [code]
View 2 Replies View RelatedI have been tasked to replace the existing Cat 6500 and 3750 switches by Nexus 7000 and Nexus 2000.I was told initially my boss plans to get 2 x Nexus 7000 and then eventually blow up to 4 x Nexus 7000s.For Nexus, is there a list of tasks / points that i need to consider for building the initial design?
Can i just link the Nexus 7000 like the following?
N7k-A ========= N7k-B
| |
lots of N2ks lots of N2ks