From e897e5e5b848ffe58feb2ab14c5645f611be97d0 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Jan 2025 16:12:52 -0800 Subject: [PATCH 1/2] update PIC --- .../Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-512/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-512/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md index 8a38f8b150..7282d71829 100644 --- a/content/cumulus-linux-512/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md +++ b/content/cumulus-linux-512/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md @@ -1391,7 +1391,7 @@ When you configure BGP PIC, Cumulus Linux assigns one next hop group for each so - Cumulus Linux does not support BGP PIC with EVPN, MLAG, or VRF route leaking. - Do not configure PIC if you have configured EVPN. - You can configure PIC on the default VRF only. -- BGP PIC only redistributes the switch loopback address in addition to the host prefixes from the leaf. NVIDIA does not recommend redistributing interface addresses into BGP when you enable PIC. +- NVIDIA recommends that you do not redistribute interface addresses into BGP when you enable PIC. - Do not configure the router ID and network address with the same value. - The BGP router ID and the aggregate address must not be in the same subnet. - Do not use martian addresses as the BGP router ID when you enable PIC. From e64248c5438c7fc333fb6ae322fb83b948c7cf60 Mon Sep 17 00:00:00 2001 From: Stu Clark Date: Thu, 30 Jan 2025 10:18:10 -0500 Subject: [PATCH 2/2] Rewrite RADIUS local fallback authentication - CL511 --- .../RADIUS-AAA.md | 67 +++++++++++-------- 1 file changed, 40 insertions(+), 27 deletions(-) 
diff --git a/content/cumulus-linux-511/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-511/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d69ec7310b..41979794ba 100644 --- a/content/cumulus-linux-511/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-511/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
@@ -196,44 +196,57 @@ A flat file mapping derives from the session number assigned during login, which ## Local Fallback Authentication -{{%notice note%}} -NVUE does not provide commands to configure local fallback authentication. -{{%/notice%}} +If a site wants to allow local fallback authentication for a user when none of the RADIUS servers are reachable, you can add a privileged user account as a local account on the switch. -If a site wants to allow local fallback authentication for a user when none of the RADIUS servers are reachable, you can add a privileged user account as a local account on the switch. The local account must have the same unique identifier as the privileged user and the shell must be the same. +To configure an account for local fallback authentication: -To configure local fallback authentication: +1. Add a local user account with the desired role and permissions as described in {{}}. -1. Add a local privileged user account. For example, if the `radius_priv_user` account in the `/etc/passwd` file is `radius_priv_user:x:1002:1001::/home/radius_priv_user:/sbin/radius_shell`, run the following command to add a local privileged user account named `johnadmin`: +2. To ensure the local user account password will authenticate the user only when none of the RADIUS servers are reachable, configure the {{}} such that RADIUS has a preferred priority over local authentication: - ``` - cumulus@switch:~$ sudo useradd -u 1002 -g 1001 -o -s /sbin/radius_shell johnadmin - ``` +{{< tabs "TabID211 ">}} +{{< tab "NVUE Commands ">}} +``` +cumulus@switch:~$ nv set system aaa authentication-order 10 radius +cumulus@switch:~$ nv set system aaa authentication-order 20 local +``` -2. 
To enable the local privileged user to run `sudo` and NVUE commands, run the following commands: +{{< /tab >}} +{{< tab "Linux Commands ">}} - ``` - cumulus@switch:~$ sudo adduser johnadmin nvset - cumulus@switch:~$ sudo adduser johnadmin nvapply - cumulus@switch:~$ sudo adduser johnadmin sudo - cumulus@switch:~$ sudo systemctl restart nvued - ``` +Configure the `passwd` line in the `/etc/nsswitch.conf` file to place `files` after `mapuid` in the authentication order: -3. Edit the `/etc/passwd` file to move the local user line before to the `radius_priv_user` line: +``` +cumulus@switch:~$ vi /etc/nsswitch.conf - ``` - cumulus@switch:~$ sudo vi /etc/passwd - ... - johnadmin:x:1002:1001::/home/johnadmin:/sbin/radius_shell - radius_priv_user:x:1002:1001::/home/radius_priv_user:/sbin/radius_shell - ``` +# /etc/nsswitch.conf +# +# Example configuration of GNU Name Service Switch functionality. +# If you have the `glibc-doc-reference' and `info' packages installed, try: +# `info libc "Name Service Switch"' for information about this file. + +passwd: mapuid files mapname +group: mapname files +shadow: files +gshadow: files -4. To set the local password for the local user, run the following command: +hosts: files dns +networks: files - ``` - cumulus@switch:~$ sudo passwd johnadmin - ``` +protocols: db files +services: db files +ethers: db files +rpc: db files +netgroup: nis +``` + +{{< /tab >}} +{{< /tabs >}} + +{{%notice note%}} +If you configure the authentication order to prefer local authentication before RADIUS, both the local user account password and the password configured on the RADIUS server can be used to authenticate the user when the RADIUS servers are reachable. +{{%/notice%}} ## RADIUS User Command Accounting RADIUS user command accounting lets you log every command that a user runs and send the commands to the primary RADIUS server for auditing. Audit logs are a requirement for compliance standards, such as PCI and HIPPA.
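Review bot: the rewritten bullet in the PIC limitations list (patch 1/2) drops the statement that BGP PIC only redistributes the switch loopback address in addition to the host prefixes from the leaf, and keeps only the recommendation not to redistribute interface addresses. If that redistribution behaviour is no longer accurate, the commit message ("update PIC") should say so; otherwise keep the first sentence and reword only the recommendation, for example `- BGP PIC only redistributes the switch loopback address in addition to the host prefixes from the leaf. NVIDIA recommends that you do not redistribute interface addresses into BGP when you enable PIC.`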
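Review bot: in the Linux Commands tab of the RADIUS hunk (patch 2/2), `cumulus@switch:~$ vi /etc/nsswitch.conf` is run without `sudo`, while every other privileged edit on this page (for example the removed `sudo vi /etc/passwd`) uses it; the file is root-owned, so this should read `cumulus@switch:~$ sudo vi /etc/nsswitch.conf`. In the same tab, "place `files` after `mapuid` in the authentication order" describes the NSS lookup order (`passwd: mapuid files mapname`), not the PAM authentication order that the NVUE tab sets with `nv set system aaa authentication-order 10 radius` / `20 local`, so the two tabs are not equivalent as written; state which setting actually gates local fallback, or show the matching authentication-order change on the Linux side as well. Step 1 refers to "{{}}", an empty shortcode whose link target needs restoring. Finally, the text promises that the local password authenticates the user "only when none of the RADIUS servers are reachable" but does not say what happens when a server is reachable and returns a reject; spell that out, and since the removed steps (matching `radius_priv_user`'s UID 1002/GID 1001 and `/sbin/radius_shell`, reordering `/etc/passwd`) were the previous mechanism, tell readers upgrading from them whether those entries should now be removed.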