Ok, guys, thanks for the answers, I'm now more confused than before ;-) Let's simplify it, I have cisco devices we authenticate locally on each device. We want to centralize the AAA on a server, so I though to install a tac-plus or a freeradius on a linux box, so far not a problem, the problem is I don't want to make another user management because that won't be much different from managing local users on the devices, so I thought to make the tacacs or radius server interact with the AD/LDAP whatever Windows server that already exist and have by default a managed users list that is dynamically updated as new users come or old users leave. This is the user and password used by everyone to log in to their workstations, so they all remember their password and it's a "secure" one (up and low case, numbers, special charaters) which is also requested from users to change every once in a while. All I need is to see that the user exist and that the password is correct, I was thinking also to retrieve some kind of attribute that will allow me to match it against the tacacs/radius group and then setting a sort of permission for the user, it could be per command based (better) or per general permission (have enable 15 or not)
Is this possible or too complicated? Thanks, Ziv -----Original Message----- From: David Barak [mailto:[email protected]] Sent: Sunday, August 09, 2009 3:07 PM To: Ziv Leyes Cc: [email protected] Subject: RE: [c-nsp] TACACS/RADUIS/AD A Cisco ACS can perform pass-through authentication against AD servers. There is a client which should be installed on the AD servers to do so. The only real gotcha with this is making sure your groups match. Other than that, it works like a champ. I have not tried to do this with any of the non-Cisco implementations of TACACS+. -David Barak -----Original Message----- From: Phil Mayers [mailto:[email protected]] Sent: Sunday, August 09, 2009 3:08 PM To: Ziv Leyes Cc: 'Cisco-nsp' Subject: Re: [c-nsp] TACACS/RADUIS/AD Ziv Leyes wrote: > Hi all, > > I'm in need to implement an AAA method other than local for our Cisco > devices (routers/switches) > > I was thinking of using the already existing Active Directory, > because all people has an account there and a strict secure password > policy. > > Also when someone quits, their user is always removed from there but > I don't always get notifications about personnel changes so to manage > another independent user DB is not good for me. > > At the beginning I was thinking to directly connect the AD servers, > but this doesn't give me too much flexibility, I don't manage those > servers and I don't want to depend on others regarding the > authorizations. > > I was thinking about a server like radius or tacacs that will check > only the user authentication against the AD server and perhaps > retrieve a value of which group the user belongs to, let's say I only > need two or three degrees of authorization, (read-only, operator, and > admins). All the rest of the commands authorization granularity will > be performed by the radius/tacacs server, based on the user's groups. Beware: Cisco does not support per-command authorisation via Radius - only TACACS. > > > Is this possible to implement? If yes, do you have some ideas, tips, > howtos? It's certainly possible to run a Radius server authenticating against Active Directory, and extract groups (subject to one minor caveat - see below). You'll have to write the config to map those groups to authz levels, but that's not usually hard. FreeRadius can do this trivially. I don't know much about TACACS but I can't imagine it's that hard to make a TACACS server talk to LDAP. N.B. Active Directory groups have one slightly funny aspect, which is that the "primary" group for a user object is *not* stored as a memberOf attribute - it's stored as the numerical RID of the group on the LDAP attribute, and can be difficult to match via LDAP. Also, nested groups are difficult to match via LDAP. ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ __________ Information from ESET NOD32 Antivirus, version of virus signature database 4319 (20090809) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 4319 (20090809) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
