Ziv Leyes wrote:
Hi all,
I'm in need to implement an AAA method other than local for our Cisco
devices (routers/switches)
I was thinking of using the already existing Active Directory,
because all people has an account there and a strict secure password
policy.
Also when someone quits, their user is always removed from there but
I don't always get notifications about personnel changes so to manage
another independent user DB is not good for me.
At the beginning I was thinking to directly connect the AD servers,
but this doesn't give me too much flexibility, I don't manage those
servers and I don't want to depend on others regarding the
authorizations.
I was thinking about a server like radius or tacacs that will check
only the user authentication against the AD server and perhaps
retrieve a value of which group the user belongs to, let's say I only
need two or three degrees of authorization, (read-only, operator, and
admins). All the rest of the commands authorization granularity will
be performed by the radius/tacacs server, based on the user's groups.
Beware: Cisco does not support per-command authorisation via Radius -
only TACACS.
Is this possible to implement? If yes, do you have some ideas, tips,
howtos?
It's certainly possible to run a Radius server authenticating against
Active Directory, and extract groups (subject to one minor caveat - see
below).
You'll have to write the config to map those groups to authz levels, but
that's not usually hard.
FreeRadius can do this trivially.
I don't know much about TACACS but I can't imagine it's that hard to
make a TACACS server talk to LDAP.
N.B. Active Directory groups have one slightly funny aspect, which is
that the "primary" group for a user object is *not* stored as a memberOf
attribute - it's stored as the numerical RID of the group on the LDAP
attribute, and can be difficult to match via LDAP.
Also, nested groups are difficult to match via LDAP.
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/