Hello,
I am beating my head on the wall trying to get a Cisco switch to authenticate admins via CPPM instead of NPS, and I have looked at multiple guides and canned solutions, but nothing seems to work.
Basically, our Cisco switches would work fine when using NPS, but now that I point them at CPPM, I am not able to log on.
I have done the following config on the Cisco, and attached are my CPPM configs:
aaa new-model
aaa group server radius NAP
server 10.X.X.X auth-port 1812 acct-port 1813
!
aaa authentication login userAuthentication local group NAP
aaa authorization exec userAuthorization local group NAP if-authenticated
aaa authorization network userAuthorization local group NAP
aaa accounting exec default start-stop group NAP
aaa accounting system default start-stop group NAP
!
ip radius source-interface Vlan140
!
radius-server host 10.X.X.X auth-port 1812 acct-port 1813 key XXXXX
radius-server attribute 32 include-in-access-req format %h {SwitchName}
When I attempt to log in, CPPM shows an ACCEPT for the request, but the Cisco switch says Authorization Failed and kicks me out. I know it is hitting on the correct Enforcement Profile because it passes the following attribute back to the Cisco:
Radius:Cisco | Cisco-AVPair | = | shell:priv-lvl=15 |
I got this attribute from our NPS server, and verified it against a couple of guides, so I am thinking that this is the correct attribute to pass back to the Cisco, but it is not working.
The switch in question is a Cisco 6509 switch.
On the CPPM, we are looking to make sure the switch is in the proper device group and that is how it hits on the Enforcement Profile. Attached is a sample request that comes back.
Any ideas on how I can get this to work? I really need to get this up and running before we decom our NPS servers. Thanks.
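One way to confirm what the switch actually receives, independent of the CPPM log, is to decode the Access-Accept on the wire. The following is an added Python example (not part of the original post) that pulls the Cisco vendor-specific attribute (vendor 9, type 1, Cisco-AVPair) out of a raw RADIUS packet; the sample packet is constructed inline with a zeroed authenticator, and the authenticator is not validated.

```python
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco-AVPair inside the Cisco VSA

def parse_attributes(payload):
    """Yield (type, value) pairs from a run of RADIUS attribute TLVs."""
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 2 or offset + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[offset + 2:offset + alen]
        offset += alen

def cisco_avpairs(packet):
    """Return (RADIUS code, [Cisco-AVPair strings]) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    pairs = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(vvalue.decode("ascii", "replace"))
    return code, pairs

def build_accept(avpairs, ident=1):
    """Constructed sample Access-Accept (zero authenticator) carrying Cisco-AVPairs."""
    body = b""
    for s in avpairs:
        inner = bytes([CISCO_AVPAIR, 2 + len(s)]) + s.encode("ascii")
        vsa = struct.pack("!I", VENDOR_CISCO) + inner
        body += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    return header + b"\x00" * 16 + body

def grants_priv15(packet):
    """True only if the reply is an Access-Accept that carries shell:priv-lvl=15."""
    code, pairs = cisco_avpairs(packet)
    return code == CODE_ACCESS_ACCEPT and "shell:priv-lvl=15" in pairs
```

Feed a captured Access-Accept to grants_priv15() to see whether the priv-lvl attribute reached the switch as expected.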