[c-nsp] TACACS/RADIUS/AD

Ziv Leyes zivl at gilat.net
Sun Aug 9 08:46:20 EDT 2009


Ok, guys, thanks for the answers, I'm now more confused than before ;-)

Let's simplify it,
I have Cisco devices we authenticate locally on each device. We want to centralize the AAA on a server, so I thought to install a tac-plus or a FreeRADIUS on a Linux box; so far not a problem. The problem is I don't want to make another user management, because that won't be much different from managing local users on the devices, so I thought to make the TACACS or RADIUS server interact with the AD/LDAP (whatever Windows server) that already exists and has by default a managed users list that is dynamically updated as new users come or old users leave.
This is the user and password used by everyone to log in to their workstations, so they all remember their password and it's a "secure" one (upper and lower case, numbers, special characters) which users are also required to change every once in a while.
All I need is to see that the user exists and that the password is correct. I was thinking also to retrieve some kind of attribute that will allow me to match it against the TACACS/RADIUS group and then set a sort of permission for the user; it could be per-command based (better) or per general permission (have enable 15 or not).

Is this possible or too complicated?
Thanks,
Ziv



-----Original Message-----
From: David Barak [mailto:thegameiam at yahoo.com]
Sent: Sunday, August 09, 2009 3:07 PM
To: Ziv Leyes
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] TACACS/RADIUS/AD

A Cisco ACS can perform pass-through authentication against AD servers.  There is a client which should be installed on the AD servers to do so.  The only real gotcha with this is making sure your groups match.  Other than that, it works like a champ.  I have not tried to do this with any of the non-Cisco implementations of TACACS+.

-David Barak


-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Sunday, August 09, 2009 3:08 PM
To: Ziv Leyes
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] TACACS/RADIUS/AD

Ziv Leyes wrote:
> Hi all,
>
> I'm in need to implement an AAA method other than local for our Cisco
> devices (routers/switches)
>
> I was thinking of using the already existing Active Directory,
> because all people have an account there and a strict secure password
> policy.
>
> Also when someone quits, their user is always removed from there but
> I don't always get notifications about personnel changes so to manage
> another independent user DB is not good for me.
>
> At the beginning I was thinking to directly connect the AD servers,
> but this doesn't give me too much flexibility, I don't manage those
> servers and I don't want to depend on others regarding the
> authorizations.
>
> I was thinking about a server like radius or tacacs that will check
> only the user authentication against the AD server and perhaps
> retrieve a value of which group the user belongs to, let's say I only
> need two or three degrees of authorization, (read-only, operator, and
> admins). All the rest of the commands authorization granularity will
> be performed by the radius/tacacs server, based on the user's groups.

Beware: Cisco does not support per-command authorisation via Radius -
only TACACS.

>
>
> Is this possible to implement? If yes, do you have some ideas, tips,
> howtos?

It's certainly possible to run a Radius server authenticating against
Active Directory, and extract groups (subject to one minor caveat - see
below).

You'll have to write the config to map those groups to authz levels, but
that's not usually hard.

FreeRadius can do this trivially.

I don't know much about TACACS but I can't imagine it's that hard to
make a TACACS server talk to LDAP.

N.B. Active Directory groups have one slightly funny aspect, which is
that the "primary" group for a user object is *not* stored as a memberOf
attribute - it's stored as the numerical RID of the group on the LDAP
attribute, and can be difficult to match via LDAP.

Also, nested groups are difficult to match via LDAP.
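The two caveats Phil raises (the primary group is held only as a RID in primaryGroupID, not in memberOf, and nested groups need a transitive walk) are demonstrated below in an added example that is not part of the thread or of any RADIUS/TACACS server. The directory entries, domain SID, group names and privilege mapping are all constructed sample data standing in for LDAP search results.

```python
# Added example: resolve an AD user's effective groups and map them to a
# Cisco privilege level. All directory data below is constructed, not real.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID

# Constructed LDAP entries keyed by DN. Note that alice's memberOf does NOT
# list "Domain Users": that is her primary group, visible only as RID 513.
DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=com": {
        "memberOf": ["CN=netops,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": "513"},
    "CN=netops,OU=Groups,DC=example,DC=com": {
        "objectSid": DOMAIN_SID + "-1105",
        "memberOf": ["CN=netadmins,OU=Groups,DC=example,DC=com"]},
    "CN=netadmins,OU=Groups,DC=example,DC=com": {
        "objectSid": DOMAIN_SID + "-1106", "memberOf": []},
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": DOMAIN_SID + "-513", "memberOf": []},
}
# Constructed group-to-privilege mapping; the highest matching level wins.
GROUP_PRIV = {"netadmins": 15, "netops": 7, "Domain Users": 1}


def group_by_sid(sid):
    """Locate a group by objectSid; this is how the primary group is found."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectSid") == sid:
            return dn
    return None


def effective_groups(user_dn):
    """Return every group DN the user belongs to, directly or transitively,
    including the primary group that memberOf omits."""
    user = DIRECTORY[user_dn]
    todo = list(user.get("memberOf", []))
    # primaryGroupID is a bare RID: rebuild the full SID from the domain SID.
    primary = group_by_sid(f"{DOMAIN_SID}-{user['primaryGroupID']}")
    if primary:
        todo.append(primary)
    seen = set()
    while todo:  # walk nested memberships; 'seen' guards against cycles
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        todo.extend(DIRECTORY.get(dn, {}).get("memberOf", []))
    return seen


def priv_level(user_dn):
    """Map the user's effective groups to the highest configured privilege."""
    cns = {dn.split(",")[0][3:] for dn in effective_groups(user_dn)}
    return max((GROUP_PRIV.get(cn, 0) for cn in cns), default=0)
```

Against a real directory the same walk is done with LDAP searches on objectSid and memberOf (or the server's own nested-group support); a plain memberOf filter alone would miss both the primary group and the netadmins membership shown here.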
