APIC-EM Cisco-AVPair AAA Attribute and AD

mgomez
Level 4

I am encountering an issue where I am trying to set up AAA for login to the APIC-EM web console. I have added the APIC-EM to my freeradius server and I see an authorization request come through from APIC-EM to the server. My radius server does an LDAP check to see if the user belongs to a group (_netops in this case); the user matches and is granted access.

When attempting to log in from the web, the response I get on the web is "Invalid Login Credentials".

I have noticed on the configuration page of External Authentication there is an AAA Attribute defined as Cisco-AVPair with the following value: "cisco-av-pair= Scope=group-1,group-2:Role=ROLE_OBSERVER&Scope=group-3,group-4:Role=ROLE_ADMIN".

Is it the recommendation to add Cisco-AVPair to the AD schema with the definitions? If so, what would that look like, as I have seen many different Cisco-AVPair definitions online.

One example is:

Property                  Value
Common Name               CiscoAVPair
LDAP Display Name         CiscoAVPair
Unique X500 Object ID     1.3.6.1.4.1.9.287247.1
Description               CiscoAVPair
Syntax                    Case Sensitive String

Also in freeradius I am assuming I would add the following to my ldap.attrmap:

checkItem       Cisco-AVPair             Cisco-AVPair
replyItem       Cisco-AVPair             Cisco-AVPair


Attached is an example of a login attempt as seen from the freeradius server.

1 Reply

ngoldwat
Level 4

Have you tried: cisco-av-pair Scope=ALL:Role=ROLE_ADMIN
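The two attribute formats that appear in this thread (the scoped value on the External Authentication page and the Scope=ALL value in the reply) parsed into a scope-to-role map, as an added example; this is not APIC-EM or freeradius code, and treating ALL as a wildcard scope is an assumption taken from the reply. A strict parser like this is useful on the RADIUS side to confirm the value you send back is well-formed before blaming the login failure on the AD side.

```python
import re
from typing import Dict, Optional

# One entry of the form Scope=<scope>[,<scope>...]:Role=ROLE_<NAME>,
# as shown on the APIC-EM configuration page quoted in the question.
_ENTRY = re.compile(r"^Scope=(?P<scopes>[^:]+):Role=(?P<role>ROLE_[A-Z_]+)$")
_PREFIX = "cisco-av-pair="


def parse_cisco_av_pair(value: str) -> Dict[str, str]:
    """Return {scope: role} for a cisco-av-pair value.

    Accepts the bare value or the "cisco-av-pair= ..." form from the
    configuration page. Entries are separated by "&", scopes within an
    entry by ",". Any entry that does not match the format raises
    ValueError so a malformed attribute is rejected, not silently ignored.
    """
    value = value.strip()
    if value.lower().startswith(_PREFIX):
        value = value[len(_PREFIX):].strip()
    mapping: Dict[str, str] = {}
    for entry in value.split("&"):
        match = _ENTRY.match(entry.strip())
        if not match:
            raise ValueError(f"malformed cisco-av-pair entry: {entry!r}")
        role = match.group("role")
        for scope in match.group("scopes").split(","):
            scope = scope.strip()
            if not scope:
                raise ValueError(f"empty scope in entry: {entry!r}")
            # The same scope mapped to two different roles is ambiguous.
            if mapping.get(scope, role) != role:
                raise ValueError(f"scope {scope!r} mapped to conflicting roles")
            mapping[scope] = role
    return mapping


def is_valid_cisco_av_pair(value: str) -> bool:
    """True if the value parses cleanly, False otherwise."""
    try:
        parse_cisco_av_pair(value)
        return True
    except ValueError:
        return False


def role_for_scope(mapping: Dict[str, str], scope: str) -> Optional[str]:
    """Resolve the role for one scope; ALL (assumed wildcard) covers any scope."""
    return mapping.get(scope) or mapping.get("ALL")
```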
