I’ve recently decided to roll out RADIUS to all shared-login devices that support it (mostly network devices). When dealing with basic Cisco and Juniper switches, it’s pretty trivial and well documented. NX-OS is a bit more difficult due to the fact that authentication methods are mutually exclusive. That means that you cannot simultaneously authenticate with a local account and a RADIUS account. RADIUS needs to be completely down for a Nexus switch to revert to local authentication.
The biggest annoyance in that “RADIUS everything” project was in fact UCS. Cisco are big proponents of their in-house RADIUS server, ACS. That makes things a bit difficult when you’re using Windows as your RADIUS server.
There is very little detailed documentation that exists for setting up RADIUS on the UCS platform.
Cisco’s documentation is very sparse and doesn’t mention authentication methods (spoiler alert: it’s unencrypted).
The most helpful resource is this Tumblr (!!) blog post about Windows 2003 Server and IAS. While it’s more detailed, it really doesn’t look like NPS in Windows Server 2008 and above.
So, without further ado, here’s how I did it.
I’ll skip the NPS installation and initial configuration because it’s really not the point of this post.
In NPS, create a new Network Policy (under Policies):
- Type of network access server: Unspecified
- Conditions: Add the Windows Group you’ll be using to grant admin access to UCS. You can also add a “Client Friendly Name” to filter out the authentication requests. Please remember that in order to use friendly names, you need to add your UCS Fabric Interconnects as RADIUS Clients. You will need to add the main IP as well as the A and B Fabric Interconnects in order for authentication to work. The “Device Manufacturer” or “Vendor Name” must be set to “RADIUS Standard” for UCS equipment.
- Access permission: Access granted (obviously)
- Authentication methods: simply select “Unencrypted (PAP, SPAP)” as the authentication method and nothing else.
- Constraints: none, unless you want to configure timeouts.
- Settings: RADIUS Attributes > Standard > remove everything, then add Service-Type (Attribute number 6) with the value Login.
- RADIUS Attributes > Vendor Specific > add Vendor-Specific (Attribute number 26) > add network access server vendor Cisco, then “Yes, it conforms”, then click “Configure Attribute…” > Vendor-assigned attribute 1, Attribute format String, Attribute value shell:roles*"admin networkadmin"
It should look like this:
Once you are done, simply add a RADIUS provider to your UCS system by doing the following:
- Login to UCS.
- Go to Admin > All > User Management > RADIUS
- Under RADIUS Providers, add your RADIUS server(s) along with a key you defined in NPS.
- Then, create a RADIUS Provider Group into which you add the RADIUS Providers you just created.
- Under Admin > All > User Management > Authentication, create a new domain, name it whatever you’d like, then select the Radius radio button. Select the Provider Group you created for RADIUS. Click OK.
- Create another domain called local with local as the realm (this is very important and will save you from being locked out if something goes wrong).
- Under Admin > All > User Management > Authentication > Native Authentication, select Realm: Radius and the Provider Group you created.
Please note that you can use any authentication method for the GUI as long as it’s configured properly. However, the CLI will only work with RADIUS. Local authentication will not work unless your RADIUS infrastructure is completely down.
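To make concrete what the NPS policy above actually hands back to the Fabric Interconnects, here is an added example (my own code, not Cisco’s or Microsoft’s) that builds a RADIUS Access-Accept carrying the two attributes from the policy, Service-Type (6) = Login and the Cisco Vendor-Specific (26, vendor 9, vendor-type 1) AV-pair shell:roles*"admin networkadmin", and then verifies and decodes it the way the UCS side has to. The verification step is the only integrity check in this exchange: the Response Authenticator is an MD5 over the packet plus the shared key you entered under RADIUS Providers, so a weak or leaked key lets anyone on the path mint an “admin” Accept. The shared secret, the request authenticator and the identifier below are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constants from RFC 2865 and Cisco's vendor-specific attribute space
CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6        # Standard attribute 6, set to Login in the NPS policy
ATTR_VENDOR_SPECIFIC = 26    # Standard attribute 26, wraps the Cisco AV-pair
SERVICE_TYPE_LOGIN = 1       # Enumerated value for "Login"
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Vendor-assigned attribute 1 (cisco-avpair)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco AV-pair inside a Vendor-Specific attribute (vendor 9, vendor-type 1)."""
    data = text.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_part)


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes, attributes: bytes) -> bytes:
    """Build an Access-Accept; the Response Authenticator is MD5(header|RequestAuth|attrs|secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def parse_attributes(payload: bytes) -> dict:
    """Walk the attribute list and pull out Service-Type and any Cisco AV-pairs."""
    service_type = None
    avpairs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        value = payload[i + 2:i + length]
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            j = 4
            while j < len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed vendor attribute")
                if vtype == CISCO_AVPAIR:
                    avpairs.append(value[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += length
    return {"service_type": service_type, "cisco_avpairs": avpairs}


def verify_and_parse(packet: bytes, request_authenticator: bytes, secret: bytes) -> dict:
    """Check the Response Authenticator as the RADIUS client (UCS) must, then decode the attributes."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared key or tampered packet")
    return parse_attributes(attributes)


def ucs_roles(avpairs: list) -> list:
    """Extract role names from a shell:roles AV-pair; '=' marks it mandatory, '*' optional."""
    for pair in avpairs:
        for sep in ("=", "*"):
            key, _, rest = pair.partition(sep)
            if key == "shell:roles" and rest:
                return rest.strip('"').replace(",", " ").split()
    return []


def make_sample_accept(secret: bytes, request_authenticator: bytes) -> bytes:
    """Constructed sample: the Accept an NPS policy with the attributes above would produce."""
    attrs = attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    attrs += cisco_avpair('shell:roles*"admin networkadmin"')
    return build_access_accept(7, request_authenticator, secret, attrs)


if __name__ == "__main__":
    secret = b"constructed-shared-key"   # sample value, not a real key
    req_auth = bytes(range(16))          # sample Request Authenticator from the Access-Request
    packet = make_sample_accept(secret, req_auth)
    parsed = verify_and_parse(packet, req_auth, secret)
    print("Service-Type:", parsed["service_type"], "roles:", ucs_roles(parsed["cisco_avpairs"]))
```

Running it decodes Service-Type 1 (Login) and the roles admin and networkadmin; swapping in a different key makes verify_and_parse raise, which is exactly the failure you see in the UCS logs when the key under RADIUS Providers does not match the one in NPS. The parser accepts both the `shell:roles*"..."` form used in this post and the comma-separated `shell:roles="..."` form, so it is slightly more general than the single value configured above.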
I have raised a bug with Cisco: https://tools.cisco.com/
Save and exit.