Cisco Nexus 9000v - RADIUS Configuration - RSA Ready Implementation Guide
Originally Published: 2023-03-21

This section describes how to integrate RSA Authentication Manager with Cisco Nexus using a RADIUS client.

Configure RSA SecurID Authentication Manager On-Premises RADIUS Authentication

Procedure

  1. In the Security Console, go to RADIUS and click Add New. Set Model to “Cisco” so that the Cisco profile attributes are available later under RADIUS Profiles, then choose Save & Create Associated Agent.

  2. Go to RADIUS Profiles and click Add New. Select Cisco-AVPAIR and set the value to shell:roles="network-admin". You can assign multiple roles by separating them with a space.

Note: you can replace network-admin with any role configured on the Nexus; by default, the network-admin role grants full read-write privileges on the switch.

  3. You can apply this profile per user or per RADIUS client. If you assign the profile to the RADIUS client, anyone who authenticates with RSA SecurID receives that profile's privileges; if you assign it per user instead, you control which users receive which profile, for more granular control.
  4. Go to Identity > Users, click the name of each admin who should have this privilege, open Authentication Settings, and set the RADIUS profile there.


Configuration is complete.


Nexus Configuration with RSA Authentication Manager

  1. Configure the RADIUS servers with the shared secret and the authentication port. You can configure more than one server, as below, if you have replicas in your environment. Port 1645 can also be used.

KAPACNEXUS001# configure terminal
KAPACNEXUS001(config)# radius-server host 192.168.100.50 key 0 support1! auth-port 1812
KAPACNEXUS001(config)# radius-server host 10.50.100.50 key 0 support1! auth-port 1812

  2. Configure a new AAA server group of type RADIUS and add the servers to it.

KAPACNEXUS001(config)# aaa group server radius RSA
KAPACNEXUS001(config-radius)# server 192.168.100.50
KAPACNEXUS001(config-radius)# server 10.50.100.50

  3. Configure AAA authentication to use the RADIUS group for remote (default) and console logins.

KAPACNEXUS001(config)# aaa authentication login default group RSA local
KAPACNEXUS001(config)# aaa authentication login console group RSA local

Note: you must include a fallback method, as done above with local, so that you are not locked out of the switch if the RADIUS servers are marked as dead.

  4. You can also configure a timeout value for each configured RADIUS server. The timeout interval determines how long the Cisco NX-OS device waits for a response from a RADIUS server before declaring a timeout failure; it is advisable to increase it, especially in authentication flows that involve biometrics or an approval step.

KAPACNEXUS001(config)# radius-server host 192.168.100.50 timeout 60 retransmit 1
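As an added example (not part of this guide, nor Cisco's or RSA's own tooling), the script below audits a saved NX-OS running-config for the pitfalls the steps above call out: a login method without the local fallback, a server group member with no radius-server host entry, and a host with no explicit timeout. The sample configuration is constructed from the commands in this section, with the console fallback and the second host's timeout deliberately left out.

```python
import re

# Constructed sample modelled on this guide's commands: console login lacks "local", second host lacks a timeout.
SAMPLE_CONFIG = """\
radius-server host 192.168.100.50 key 0 support1! auth-port 1812
radius-server host 10.50.100.50 key 0 support1! auth-port 1812
radius-server host 192.168.100.50 timeout 60 retransmit 1
aaa group server radius RSA
  server 192.168.100.50
  server 10.50.100.50
aaa authentication login default group RSA local
aaa authentication login console group RSA
"""

def audit_radius_aaa(config: str) -> list:
    """Audit NX-OS RADIUS/AAA lines; returns a list of findings (empty list means all checks pass)."""
    hosts, with_timeout, groups, findings, current_group = set(), set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        # "server <ip>" lines belong to the aaa group block opened just above them
        if current_group and line.startswith("server "):
            groups[current_group].append(line.split()[1])
            continue
        current_group = None
        m = re.match(r"radius-server host (\S+)(.*)", line)
        if m:
            hosts.add(m.group(1))
            if "timeout" in m.group(2).split():
                with_timeout.add(m.group(1))
            continue
        m = re.match(r"aaa group server radius (\S+)", line)
        if m:
            current_group = m.group(1)
            groups.setdefault(current_group, [])
            continue
        m = re.match(r"aaa authentication login (\S+) group (\S+)(.*)", line)
        if m:
            login, group, rest = m.groups()
            if group not in groups:
                findings.append(f"login {login}: server group {group} is not defined")
            if "local" not in rest.split():
                findings.append(f"login {login}: no local fallback; a dead RADIUS server locks out admins")
    for group, members in groups.items():
        for member in members:
            if member not in hosts:
                findings.append(f"group {group}: server {member} has no radius-server host entry")
    for host in sorted(hosts - with_timeout):
        findings.append(f"host {host}: no explicit timeout, so the NX-OS default applies")
    return findings
```

Run it against `show running-config aaa` and `show running-config radius` output saved to a file; an empty result means every login method has its local fallback, every group member is defined, and every host has a timeout.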

Return to the main page.