在我们的 CISCO 上通过 ssh 连接时,我在配置 LDAP 身份验证(通过 Windows AD)时遇到了一些问题。我替换了开关中的一些信息,你会在这里看到大写。
目前我们只有一个共享用户,目标是让用户使用自己的 AD 帐户和密码登录。
我已经使用 telnet 和端口 389 上的 IP 验证了与 AD 域控制器的连接。
这是我查看运行配置时的相关(aaa、ldap、用户)信息:
username admin password 5 PASSWORD role network-admin
feature ldap
ldap-server host NAMEOFSERVER rootDN "cn=USERACCT,DC=EXAMPLE,DC=COM" password
7 PASSWORD timeout 60
aaa group server ldap GROUPNAME
server NAMEOFSERVER
no ldap-search-map
aaa authentication login default group GROUPNAME
aaa authentication login console local
aaa authorization ssh-publickey default group GROUPNAME
aaa accounting default group GROUPNAME
这里有一些额外的信息:
version 7.0(3)I6(1)
我登录的用户在不同的 ou 中,但是这个 rootDN 用户应该可以看到所有帐户。此设置适用于其他非 Cisco 设备。
显示 aaa 授权所有 pki-ssh-cert:本地 pki-ssh-pubkey:组 GROUPNAME AAA 命令授权:config-commands 的默认授权:命令的本地默认授权:config-commands 的本地控制台授权:命令的本地控制台授权:当地的
以下是一些调试信息:
2020 Jan 29 14:14:25.830685 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830697 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830708 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830718 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830728 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830743 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830757 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830770 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830784 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830797 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830810 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830820 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830831 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830844 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830857 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830870 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830884 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830897 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830910 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830924 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830937 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830950 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830967 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830980 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830993 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.831009 ldap: mts_ldap_aaa_request_handler: entering for aaa session id 0
2020 Jan 29 14:14:25.831029 ldap: mts_ldap_aaa_request_handler: user :MYACCOUNT@EXAMPLE.COM:, user_len 30, user_data_len 13
2020 Jan 29 14:14:25.831043 ldap: ldap_authenticate: user MYACCOUNT@EXAMPLE.COM servergroup GROUPNAME
2020 Jan 29 14:14:25.831059 ldap: ldap_global_config: entering ...
2020 Jan 29 14:14:25.831103 ldap: ldap_global_config: GET_REQ...
2020 Jan 29 14:14:25.831115 ldap: ldap_global_config: got back the return value of global configuration operation: SUCCESS
2020 Jan 29 14:14:25.831124 ldap: ldap_global_config: REQ - num server 1 num group 2 timeout 5 deadtime 0
2020 Jan 29 14:14:25.831134 ldap: ldap_global_config: returning retval 0
2020 Jan 29 14:14:25.831143 ldap: ldap_servergroup_config: GET_REQ for LDAP servergroup index 0 name GROUPNAME
2020 Jan 29 14:14:25.831162 ldap: ldap_pss_move2key: rcode = 0 syserr2str = SUCCESS
2020 Jan 29 14:14:25.831183 ldap: ldap_servergroup_config: GET_REQ got protocol server group index 2 name GROUPNAME
2020 Jan 29 14:14:25.831193 ldap: ldap_servergroup_config: returning retval 0 for server group GROUPNAME
2020 Jan 29 14:14:25.831205 ldap: IN FUNCTION ldap_search_map.... for name
2020 Jan 29 14:14:25.831214 ldap: ldap_search_map: entering for search_map , index 0
2020 Jan 29 14:14:25.831222 ldap: ldap_search_map: key size 532, value size 2200
2020 Jan 29 14:14:25.831230 ldap: ldap_search_map: GET_REQ: search_index: 0, search_map:
2020 Jan 29 14:14:25.831237 ldap: find_search_map: entering for search map
2020 Jan 29 14:14:25.831258 ldap: ldap_pss_move2key: rcode = 40480003 syserr2str = no such pss key
2020 Jan 29 14:14:25.831269 ldap: ldap_pss_move2key: calling pss2_getkey
2020 Jan 29 14:14:25.831276 ldap: find_search_map: search map not in PSS
2020 Jan 29 14:14:25.831284 ldap: ldap_search_map: no search map with Protocol search map:
2020 Jan 29 14:14:25.831294 ldap: ldap_search_map: got back the return value of Protocol server operation: can not find the LDAP server, desc: can not find the LDAP server
2020 Jan 29 14:14:25.831307 ldap: ldap_authenticate: ldap_read_config failed for server group GROUPNAME
2020 Jan 29 14:14:25.831320 ldap: ldap_send_response_to_aaa: entering for user MYACCOUNT@EXAMPLE.COM auth_result 7
2020 Jan 29 14:14:25.831349 ldap: ldap_send_response_to_aaa: (user MYACCOUNT@EXAMPLE.COM) - mts_send_response success
2020 Jan 29 14:14:27 NAMEOFSWITCH %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from IPOFSWITCH - dcos_sshd[6734]
它接受以下命令:
aaa authorization ssh-publickey default group GROUPNAME
但无论何时我尝试这样做:
aaa authorization commands default group GROUPNAME
Command failed to apply
我确定我只是不太了解这些角色,我在文档中遗漏了一些东西,或者我不知道 Cisco 在默认情况下为角色访问寻找哪个属性。我将尝试使用不同的 rootDN 用户,该用户的密码中没有逗号。
使用的资源:
AAA 部分https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Htmlp_Series_NX-OS_100_Series_NX-OS_Html 7- x/security/ configuration/ guide/b_Cisco_Nexus_9000_Series_NX- OS_Security_Configuration_Guide_7x