Stefan Winter wrote:
Hi all,
there are inquiries every once in a while here about how to enable command
authorization for Cisco devices in a Cisco-AVPair. The usual answer is: find
out if the NAS has an attribute for it.
Now I'm myself trying to get rid of a haunting daemon, the tac_plus daemon,
and so I investigated. Cisco claims that there is a complete mapping scheme
to translate TACACS+ expressions into Cisco-AVPair Vendor-Specific. This
works for example with the priv-lvl attribute:
cisco-avpair = "shell:priv-lvl=15"
There is a web page for Cisco IOS at
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fe2d8.html
detailing which TACACS+ commands exist, and it suggests that
cisco-avpair = "shell:cmd=show"
would do the trick to authorize the "show" command. EXCEPT that there is a
tiny note for the commands "cmd" and "cmd-arg" saying that they cannot be
used for encapsulation in the Vendor-Specific space.
These two are the ONLY ones. Since it's just about parsing the string content
of cisco-avpair at the router side, there is absolutely no technical reason
why these two wouldn't go through. The only explanation then is that this is
a deliberate step by Cisco to make sure that TACACS+ is "superior" to RADIUS
by arbitrarily cutting down functionality. Probably the code in IOS is larger
with an exception handling to make sure that it doesn't work.
I must say: I'm pissed. But I hope I could at least clarify this topic.
My next-best approach to circumvent this would be to define an intermediate
privilege level that only has the permission to do the commands in question,
and only assign the users in question to that lower priv-level. Scales
poorly, but enough for us. Maybe that approach serves some others as well.
Stefan Winter
------------------------------------------------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
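The workaround from the end of the post, written out as IOS configuration. This is an added illustration, not configuration from the original message; the privilege level (5), the command list, the RADIUS server address and the secrets are assumed values.

```text
! Added illustration, not taken from the original post. Assumed values:
! privilege level 5, RADIUS server 192.0.2.10, and "show ip interface brief",
! "show logging" and "clear counters" as the only commands to permit.
aaa new-model
radius-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group radius local
! Without exec authorization the shell:priv-lvl reply is ignored and the
! user lands at level 1 regardless of what RADIUS sends.
aaa authorization exec default group radius local
!
! Move only the wanted commands down to level 5. IOS also makes the parent
! keywords ("show", "clear") visible at level 5 as a side effect, but every
! other sub-command stays at level 15.
privilege exec level 5 show ip interface brief
privilege exec level 5 show logging
privilege exec level 5 clear counters
!
! Optional local fallback so level 5 stays reachable when RADIUS is down.
enable secret level 5 REPLACE-WITH-LEVEL5-SECRET
```

On the FreeRADIUS side the matching reply is the `Cisco-AVPair = "shell:priv-lvl=5"` form already shown above, sent together with `Service-Type = NAS-Prompt-User` so the session starts as an exec shell at the lower level.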
Could you add this to the wiki?
http://wiki.freeradius.org/Cisco
I myself don't use any Cisco kit, but the situation is much the same
with HP ProCurve switches.
On all but the most expensive switches TACACS+ is the only way to define
command lists; on all the others you're either a manager or an operator.
HP claim to support a few VSAs for setting command lists and priv
levels, but on most of their switches they don't actually work!
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900