Ok, guys, thanks for the answers, I'm now more confused than before ;-)

Let's simplify it,
I have cisco devices we authenticate locally on each device. We want to 
centralize the AAA on a server, so I though to install a tac-plus or a 
freeradius on a linux box, so far not a problem, the problem is I don't want to 
make another user management because that won't be much different from managing 
local users on the devices, so I thought to make the tacacs or radius server 
interact with the AD/LDAP whatever Windows server that already exist and have 
by default a managed users list that is dynamically updated as new users come 
or old users leave.
This is the user and password used by everyone to log in to their workstations, 
so they all remember their password and it's a "secure" one (up and low case, 
numbers, special charaters) which is also requested from users to change every 
once in a while.
All I need is to see that the user exist and that the password is correct, I 
was thinking also to retrieve some kind of attribute that will allow me to 
match it against the tacacs/radius group and then setting a sort of permission 
for the user, it could be per command based (better) or per general permission 
(have enable 15 or not)

Is this possible or too complicated?
Thanks,
Ziv



-----Original Message-----
From: David Barak [mailto:[email protected]]
Sent: Sunday, August 09, 2009 3:07 PM
To: Ziv Leyes
Cc: [email protected]
Subject: RE: [c-nsp] TACACS/RADUIS/AD

A Cisco ACS can perform pass-through authentication against AD servers.  There 
is a client which should be installed on the AD servers to do so.  The only 
real gotcha with this is making sure your groups match.  Other than that, it 
works like a champ.  I have not tried to do this with any of the non-Cisco 
implementations of TACACS+.

-David Barak


-----Original Message-----
From: Phil Mayers [mailto:[email protected]]
Sent: Sunday, August 09, 2009 3:08 PM
To: Ziv Leyes
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] TACACS/RADUIS/AD

Ziv Leyes wrote:
> Hi all,
>
> I'm in need to implement an AAA method other than local for our Cisco
> devices (routers/switches)
>
> I was thinking of using the already existing Active Directory,
> because all people has an account there and a strict secure password
> policy.
>
> Also when someone quits, their user is always removed from there but
> I don't always get notifications about personnel changes so to manage
> another independent user DB is not good for me.
>
> At the beginning I was thinking to directly connect the AD servers,
> but this doesn't give me too much flexibility, I don't manage those
> servers and I don't want to depend on others regarding the
> authorizations.
>
> I was thinking about a server like radius or tacacs that will check
> only the user authentication against the AD server and perhaps
> retrieve a value of which group the user belongs to, let's say I only
> need two or three degrees of authorization, (read-only, operator, and
> admins). All the rest of the commands authorization granularity will
> be performed by the radius/tacacs server, based on the user's groups.

Beware: Cisco does not support per-command authorisation via Radius -
only TACACS.

>
>
> Is this possible to implement? If yes, do you have some ideas, tips,
> howtos?

It's certainly possible to run a Radius server authenticating against
Active Directory, and extract groups (subject to one minor caveat - see
below).

You'll have to write the config to map those groups to authz levels, but
that's not usually hard.

FreeRadius can do this trivially.

I don't know much about TACACS but I can't imagine it's that hard to
make a TACACS server talk to LDAP.

N.B. Active Directory groups have one slightly funny aspect, which is
that the "primary" group for a user object is *not* stored as a memberOf
attribute - it's stored as the numerical RID of the group on the LDAP
attribute, and can be difficult to match via LDAP.

Also, nested groups are difficult to match via LDAP.



************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer 
viruses.
************************************************************************************





__________ Information from ESET NOD32 Antivirus, version of virus signature 
database 4319 (20090809) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



__________ Information from ESET NOD32 Antivirus, version of virus signature 
database 4319 (20090809) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


 
 
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer 
viruses.
************************************************************************************



_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to