[c-nsp] TACACS/RADUIS/AD

Phil Mayers p.mayers at imperial.ac.uk
Sun Aug 9 08:07:33 EDT 2009


Ziv Leyes wrote:
> Hi all,
> 
> I'm in need to implement an AAA method other than local for our Cisco
> devices (routers/switches)
> 
> I was thinking of using the already existing Active Directory,
> because all people have an account there and a strict secure password
> policy.
> 
> Also when someone quits, their user is always removed from there but
> I don't always get notifications about personnel changes so to manage
> another independent user DB is not good for me.
> 
> At the beginning I was thinking of connecting directly to the AD servers,
> but this doesn't give me too much flexibility, I don't manage those
> servers and I don't want to depend on others regarding the
> authorizations.
> 
> I was thinking about a server like radius or tacacs that will check
> only the user authentication against the AD server and perhaps
> retrieve a value of which group the user belongs to, let's say I only
> need two or three degrees of authorization, (read-only, operator, and
> admins). All the rest of the commands authorization granularity will
> be performed by the radius/tacacs server, based on the user's groups.

Beware: Cisco does not support per-command authorisation via Radius - 
only TACACS.

> Is this possible to implement? If yes, do you have some ideas, tips,
> howtos?

It's certainly possible to run a Radius server authenticating against 
Active Directory, and extract groups (subject to one minor caveat - see 
below).

You'll have to write the config to map those groups to authz levels, but 
that's not usually hard.

FreeRadius can do this trivially.

I don't know much about TACACS but I can't imagine it's that hard to 
make a TACACS server talk to LDAP.

N.B. Active Directory groups have one slightly funny aspect, which is 
that the "primary" group for a user object is *not* stored as a memberOf 
attribute - it's stored as the numerical RID of the group on the LDAP 
attribute, and can be difficult to match via LDAP.

Also, nested groups are difficult to match via LDAP.
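A worked illustration of the two caveats above (the primary group is only a RID in primaryGroupID, and nested membership is not visible from one memberOf lookup), added here as example code that is not from this thread or from FreeRADIUS. The in-memory directory, DNs, SIDs and the group-to-level mapping are all constructed stand-ins for what an LDAP search against AD would return.

```python
from collections import deque

# Constructed sample directory: group DN -> attributes an LDAP search returns.
# Domain Users (RID 513) is the user's primary group; NetOps is nested in
# Network Admins, so one memberOf lookup on the user would miss both.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com":
        {"objectSid": "S-1-5-21-1111-2222-3333-513", "memberOf": []},
    "CN=NetOps,OU=Groups,DC=example,DC=com":
        {"objectSid": "S-1-5-21-1111-2222-3333-1105",
         "memberOf": ["CN=Network Admins,OU=Groups,DC=example,DC=com"]},
    "CN=Network Admins,OU=Groups,DC=example,DC=com":
        {"objectSid": "S-1-5-21-1111-2222-3333-1106", "memberOf": []},
}
USER = {  # constructed sample user
    "objectSid": "S-1-5-21-1111-2222-3333-2001",
    "primaryGroupID": 513,
    "memberOf": ["CN=NetOps,OU=Groups,DC=example,DC=com"],
}
# Hypothetical group -> authorisation level mapping (the three levels in the thread).
LEVEL_BY_GROUP = {
    "CN=Network Admins,OU=Groups,DC=example,DC=com": "admin",
    "CN=NetOps,OU=Groups,DC=example,DC=com": "operator",
}
RANK = {"read-only": 0, "operator": 1, "admin": 2}

def primary_group_dn(user, groups):
    """primaryGroupID is only an RID: prepend the user's domain SID and match objectSid."""
    domain_sid = user["objectSid"].rsplit("-", 1)[0]
    wanted = f"{domain_sid}-{user['primaryGroupID']}"
    return next((dn for dn, a in groups.items() if a["objectSid"] == wanted), None)

def effective_groups(user, groups):
    """Direct, primary and nested groups, walked breadth-first over each group's memberOf."""
    queue = deque(user["memberOf"])
    primary = primary_group_dn(user, groups)
    if primary is not None:
        queue.append(primary)
    seen = set()
    while queue:
        dn = queue.popleft()
        if dn not in seen:
            seen.add(dn)
            queue.extend(groups.get(dn, {}).get("memberOf", []))
    return seen

def authz_level(user, groups):
    """Highest level granted by any effective group; anything else is read-only."""
    levels = [LEVEL_BY_GROUP.get(dn, "read-only") for dn in effective_groups(user, groups)]
    return max(levels, key=RANK.__getitem__, default="read-only")
```

In a real deployment the same resolution is done by the RADIUS/TACACS server's LDAP module rather than hand-written, but the RID-to-SID step and the nested walk are what that module has to do for the result to be complete.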