[c-nsp] TACACS/RADUIS/AD
Phil Mayers
p.mayers at imperial.ac.uk
Sun Aug 9 08:07:33 EDT 2009
Ziv Leyes wrote:
> Hi all,
>
> I'm in need to implement an AAA method other than local for our Cisco
> devices (routers/switches)
>
> I was thinking of using the already existing Active Directory,
> because all people has an account there and a strict secure password
> policy.
>
> Also when someone quits, their user is always removed from there but
> I don't always get notifications about personnel changes so to manage
> another independent user DB is not good for me.
>
> At the beginning I was thinking to directly connect the AD servers,
> but this doesn't give me too much flexibility, I don't manage those
> servers and I don't want to depend on others regarding the
> authorizations.
>
> I was thinking about a server like radius or tacacs that will check
> only the user authentication against the AD server and perhaps
> retrieve a value of which group the user belongs to, let's say I only
> need two or three degrees of authorization, (read-only, operator, and
> admins). All the rest of the commands authorization granularity will
> be performed by the radius/tacacs server, based on the user's groups.
Beware: Cisco does not support per-command authorisation via Radius -
only TACACS.
>
>
> Is this possible to implement? If yes, do you have some ideas, tips,
> howtos?
It's certainly possible to run a Radius server authenticating against
Active Directory, and extract groups (subject to one minor caveat - see
below).
You'll have to write the config to map those groups to authz levels, but
that's not usually hard.
FreeRadius can do this trivially.
I don't know much about TACACS but I can't imagine it's that hard to
make a TACACS server talk to LDAP.
N.B. Active Directory groups have one slightly funny aspect, which is
that the "primary" group for a user object is *not* stored as a memberOf
attribute - it's stored as the numerical RID of the group on the LDAP
attribute, and can be difficult to match via LDAP.
Also, nested groups are difficult to match via LDAP.
More information about the cisco-nsp
mailing list