Anyway time to try something else : Tacacs+ or Radius. Radius does authentication pretty well but does not have any way to restrict commands except setting predefined privilege levels during authentication.
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
...
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
Source Cisco
Tacacs+ on the other hand allows you to give someone privilege level 15 but denying some commands (switchport trunk allow vlan anyone ;-)??). At the moment I have a request of a 3rd party supplier to give them rights at a customer site to shut/no shut ports to reboot POE-devices, nothing more, nothing less.
I've dabbled a bit with Centos but ended up with Debian because it has a binary package ready in its repository (Raspbian also BTW).
Read this for installation. Do not forget to add the admin users to your linux system.
Tried PAM authentication but failed and did not spend that much time on it (had some examples using PAM). Changed it to local authentication based on /etc/passwd and that worked. For testing I created 2 groups: admins and operators.
For this test setup I used my old trusty Cisco 2940 switch but any other Cisco device will do.
This is a part of my /etc/tacacs/tac_plus.conf file
# admin group
group = admins {
default service = permit
# login = PAM
service = exec {
priv-lvl = 15
}
}
group = operators {
default service = deny
service = exec {
priv-lvl = 15
}
cmd=show {
permit .*
}
cmd=enable {
permit .*
}
cmd=exit {
permit .*
}
cmd = configure {
permit terminal
}
cmd = interface {
permit FastEthernet.*
permit GigabitEthernet.*
}
cmd = shutdown {
permit .*
}
cmd = no {
permit shutdown
}
}
# Create a block for every admin user you have
user = tempelman {
member = operators
login = file /etc/passwd
}
user = marcel {
member = admins
login = file /etc/passwd
}
The operators are only allowed to (no) shutdown Fa and Gi interfaces. The rest is restricted.
In most examples the necessary command to get this working on the Cisco side, is omitted:
aaa authentication login default group tacacs+ local none
aaa authorization config-commands
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Without this command the operators had access to all commands in configure mode.
Now this is working I'm going to try a config for HP Procurve switches and get Rancid authenticating with Tacacs+.
All in all setting up a Tacacs+ server is not hard and when you Google around there is enough documentation to be found.
To be continued....
Interesting links:
http://www.pro-bono-publico.de/projects/tac_plus.html#AEN68
http://www.routingloops.co.uk/cisco/tacacs-on-ubuntu-14-04-lts/
https://networklessons.com/linux/how-to-install-tacacs-on-linux-centos/
No comments:
Post a Comment