This section describes how to integrate RSA Cloud Authentication Service with Cisco Nexus using a RADIUS client.
Procedure
- Access your Cloud Administration Console and go to Authentication Clients > RADIUS.
- Choose your Authentication Details according to your needs and environment.
Click the "Cloud Authentication Service validates password and applies access policy for additional authentication" option for the LDAP + RSA authentication method, or the "Cloud Authentication Service only applies access policy for additional authentication" option for the RSA-only authentication method.
- Add a new RADIUS profile with Cisco AVPAIR and set it according to the required role configured on the Nexus, for example, network-admin.
If you want to add multiple roles, separate them with a space inside the quotation marks (" ").
Note: You can change network-admin to any role configured on the Nexus. By default, the network-admin role gives full read-write privileges on the switch.
Nexus Configuration with RSA Cloud Authentication Service
Procedure
- Configure the RADIUS servers with the shared secret and the port. You can configure more than one, as shown below, if you have more than one identity router in your environment. The IP addresses below should refer to the management interfaces of the identity routers. You must use port 1812 here.
KAPACNEXUS001# configure terminal
KAPACNEXUS001(config)# radius-server host 192.168.10.57 key 0 support1! auth-port 1812
KAPACNEXUS001(config)# radius-server host 10.50.100.57 key 0 support1! auth-port 1812
- Configure a new AAA server group for RADIUS.
KAPACNEXUS001(config)# aaa group server radius RSA
KAPACNEXUS001(config-radius)# server 192.168.10.57
KAPACNEXUS001(config-radius)# server 10.50.100.57
- Configure AAA authentication to use the RADIUS group for remote access or console.
KAPACNEXUS001(config)# aaa authentication login default group RSA local
KAPACNEXUS001(config)# aaa authentication login console group RSA local
Note: You must add a fallback method, as done above by adding local, in case the switch marks the RADIUS server as dead. This prevents you from being locked out of the switch.
- You can also configure a timeout value for the configured RADIUS servers. The timeout interval determines how long the Cisco NX-OS device waits for responses from RADIUS servers before declaring a timeout failure. It is advisable to increase it, especially in flows that use biometrics and approve.
KAPACNEXUS001(config)# radius-server host 192.168.100.50 timeout 60 retransmit 1
Configuration is complete.
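The following Python check is an added example, not part of the RSA guide or any Cisco tooling. It reads a saved running-config or pasted CLI session and verifies the settings this procedure depends on: auth-port 1812, group members that have a radius-server host entry and a per-host timeout, and local as the last login method. The function name, sample addresses and keys are constructed, and the check assumes a host line without an auth-port keyword already uses 1812.

```python
import re

# Constructed sample (documentation addresses, placeholder keys), not from a real switch.
SAMPLE = """\
radius-server host 192.0.2.10 key 7 "PLACEHOLDER" auth-port 1812
radius-server host 192.0.2.10 timeout 60 retransmit 1
radius-server host 192.0.2.11 key 7 "PLACEHOLDER" auth-port 1645
aaa group server radius RSA
    server 192.0.2.10
    server 192.0.2.11
    server 192.0.2.12
aaa authentication login default group RSA local
aaa authentication login console group RSA
"""

def audit_nexus_radius(config):
    """Return a list of findings for the RADIUS/AAA lines this guide sets."""
    hosts, groups, logins, group = {}, {}, {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\S+#\s*", "", raw.strip())  # drop a pasted "switch(config)# " prompt
        if re.match(r"(aaa|radius-server) ", line):
            group = None  # a new top-level command ends any group block
        if m := re.match(r"radius-server host (\S+)(.*)", line):
            hosts.setdefault(m[1], {}).update(
                (k, int(v)) for k, v in re.findall(r"\b(auth-port|timeout) (\d+)", m[2]))
        elif m := re.match(r"aaa group server radius (\S+)", line):
            group = groups.setdefault(m[1], [])
        elif (m := re.match(r"server (\S+)", line)) and group is not None:
            group.append(m[1])
        elif m := re.match(r"aaa authentication login (default|console) (.*)", line):
            logins[m[1]] = m[2].split()
    findings = []
    for ip, opts in hosts.items():
        if opts.get("auth-port", 1812) != 1812:  # assumes an omitted auth-port means 1812
            findings.append(f"{ip}: auth-port {opts['auth-port']} is not 1812")
    for name, servers in groups.items():
        for ip in servers:
            if ip not in hosts:
                findings.append(f"group {name}: {ip} has no radius-server host entry")
            elif "timeout" not in hosts[ip]:
                findings.append(f"group {name}: {ip} has no per-host timeout")
    for where in ("default", "console"):
        methods = logins.get(where, [])
        used = [methods[i + 1] for i, t in enumerate(methods[:-1]) if t == "group"]
        if not any(g in groups for g in used):
            findings.append(f"login {where}: no configured RADIUS group in use")
        elif methods[-1] != "local":
            findings.append(f"login {where}: no local fallback after the RADIUS group")
    return findings
```

Call audit_nexus_radius() on the text of the saved configuration. An empty list means every check passed.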