Migration from TACACS+ to RADIUS

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri Feb 13 19:42:39 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nicholas R. Cappelletti wrote:
> In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.
> 

I can answer some of these for HP.

Though there is already a page in the wiki for HP kit:
http://wiki.freeradius.org/HP

> I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities.  With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.
> 
> 1. How granular can I get with command authorization?  Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices).  Eventually I would like to use the RADIUS setup for wireless authentication too.
> 

It's an HP VSA (Vendor Specific Attribute), but it's currently a little
broken.

Use:

# aaa authorization commands radius

To enable and test.


Then the VSAs are:
HP-Command-String
HP-Command-Exception-Flag


Use Command-String to specify a list of commands, and
HP-Command-Exception-Flag to set whether it's an 'allow' list or a
'deny' list.

That is only allow the commands in HP-Command-String, or deny all
commands in HP-Command-String.

I've forgotten specific values, have a look in the 5400 series manuals.

Once you enable aaa authorization commands radius, you must include the
HP-Command-Exception-Flag with a valid value.

> From what I've read, setting "Service-Type = NAS-Prompt-User" will give the user the ability to login to the device, but how do I restrict them from enabling themselves?

HP switches let you specify different authentication mechanisms for
login and enable. So you can use local authentication for one and RADIUS
for the other, or RADIUS for both.

With the initial login the switch sets Service-Type in the
Access-Request to 'NAS-Prompt-User'.

When the user attempts to enable themselves, the switch will prompt them
again for a User-Name and password, but this time set the Service-Type
to 'Administrative-User'.

So either send an Access-Reject for requests with a Service-Type of
'Administrative-User', or just set Service-Type = NAS-Prompt-User in the
reply when the request was Service-Type 'Administrative-User'.

Alternatively if you're lazy like me and have *newish* (>2500 series
switches) you can turn on 'login privilege-mode'.

# aaa authentication login privilege-mode

In this mode if you return Service-Type = 'NAS-Prompt-User', the user
will have operator access, and if you return Service-Type =
'Administrative-User', the user will be pre-enabled.

> With the RADIUS setup I have currently, it's using Kerberos for authentication, and LDAP for authorization.
> 
> 2. Can I set, for a user, a separate enable password?
> 

Yes. Use Service-Type as a check item and create two entries for the
user in the users file.

> 3. With TACACS+ I have the ability to set a MOTD per device in the configuration, and modify that if need be from the TACACS+ configuration.  Is there similar functionality in RADIUS?
> 

No but you can configure a static MOTD on the HP switches.

# banner motd ~
My MOTD banner
~

I believe I've seen this whilst walking the SNMP MIB, so it may be
scriptable via SNMP :)

HP switches don't respect the Reply-Message.

> 4. Am I able to do any command accounting with Cisco equipment?  I understand it is not possible with the ASA firewall line, but I haven't found a definitive answer about the router IOS images.

Don't know about Cisco, but you can with HP. It sends them in the
'HP-Command-String' VSA attribute with Acct-Status-Type set to 'update'.

Use:
# aaa accounting exec start-stop radius
# aaa accounting commands stop-only

To enable.

There's currently a bug in the K series firmware that stops it reporting
commands for service modules.

I've got a case open about it (might be a no fix though).
> 
> If any one of these questions are answered, it will be greatly appreciated.  Thank you for your time and any help you can offer me in advance. :)
> 

No problem :)

Best Regards,
Arran

- --
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmVvx8ACgkQcaklux5oVKLrFwCfVKz33COPZkYPNl8uO8umnvrN
/qQAnj3U3rEz4bOxwXoyjWqZw0IXAmJ+
=msI6
-----END PGP SIGNATURE-----
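The two mechanisms Arran describes for the login/enable split (rejecting or demoting requests whose Service-Type is 'Administrative-User', and giving one user two users-file entries keyed on Service-Type so the enable password differs from the login password) can be seen end to end in the following added example. It is not code from the original post or from FreeRADIUS itself: it parses a constructed users file written in a simplified subset of the FreeRADIUS users-file syntax and simulates the authorize step for a few Access-Requests. The usernames and passwords are invented sample data, and comparing Cleartext-Password here in the authorize step is a simplification (a real FreeRADIUS server stores it as a control attribute and lets the PAP module do the comparison).

```python
import re
from hmac import compare_digest

# Constructed sample users file (simplified FreeRADIUS 'users' syntax).
# First line of an entry: "<name>  <check items>"; following indented lines
# carry reply items. Using Service-Type as a check item lets the same user
# get a different password and a different reply at the login prompt
# (NAS-Prompt-User) and at the enable prompt (Administrative-User).
SAMPLE_USERS_FILE = '''
# alice: separate login and enable passwords, enable allowed
alice   Cleartext-Password := "login-secret", Service-Type == NAS-Prompt-User
        Service-Type = NAS-Prompt-User

alice   Cleartext-Password := "enable-secret", Service-Type == Administrative-User
        Service-Type = Administrative-User

# bob: may log in; an enable attempt matches no entry and gets Access-Reject
bob     Cleartext-Password := "bob-secret", Service-Type == NAS-Prompt-User
        Service-Type = NAS-Prompt-User

# carol: enable attempt is accepted but the reply demotes it to operator level
carol   Cleartext-Password := "carol-secret", Service-Type == NAS-Prompt-User
        Service-Type = NAS-Prompt-User

carol   Cleartext-Password := "carol-secret", Service-Type == Administrative-User
        Service-Type = NAS-Prompt-User
'''

# attribute, operator (:=, == or =), value (quoted string or bare token)
ITEM_RE = re.compile(r'([A-Za-z][\w-]*)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def _unquote(value):
    return value[1:-1] if value.startswith('"') and value.endswith('"') else value


def parse_users_file(text):
    """Parse the simplified users-file syntax into a list of entries.

    Each entry is (name, check_items, reply_items): check_items is a list of
    (attribute, operator, value) tuples from the entry's first line, and
    reply_items a dict built from the indented continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank line or comment
        if line[0] not in ' \t':
            # New entry: name, then the check items.
            parts = line.split(None, 1)
            name, rest = parts[0], (parts[1] if len(parts) > 1 else '')
            checks = [(a, op, _unquote(v)) for a, op, v in ITEM_RE.findall(rest)]
            entries.append((name, checks, {}))
        elif entries:
            # Continuation line: reply items for the most recent entry.
            _, _, reply = entries[-1]
            for attr, _op, value in ITEM_RE.findall(line):
                reply[attr] = _unquote(value)
    return entries


def _check_matches(attr, value, request):
    """Cleartext-Password is compared against the request's User-Password
    (constant-time); any other check item must equal the same-named
    request attribute, which is how Service-Type selects the entry."""
    if attr == 'Cleartext-Password':
        supplied = request.get('User-Password', '')
        return compare_digest(supplied.encode(), value.encode())
    return request.get(attr) == value


def authorize(entries, request):
    """Return ('Access-Accept', reply_attrs) for the first entry whose name
    (or DEFAULT) and every check item match the request, otherwise
    ('Access-Reject', {}). First match wins, as in the users file."""
    for name, checks, reply in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if all(_check_matches(a, v, request) for a, _op, v in checks):
            return 'Access-Accept', dict(reply)
    return 'Access-Reject', {}


if __name__ == '__main__':
    entries = parse_users_file(SAMPLE_USERS_FILE)
    # Constructed Access-Requests: a login and an enable attempt per user.
    for user, password, service_type in [
        ('alice', 'login-secret', 'NAS-Prompt-User'),
        ('alice', 'enable-secret', 'Administrative-User'),
        ('alice', 'login-secret', 'Administrative-User'),
        ('bob', 'bob-secret', 'Administrative-User'),
        ('carol', 'carol-secret', 'Administrative-User'),
    ]:
        req = {'User-Name': user, 'User-Password': password,
               'Service-Type': service_type}
        print(user, service_type, '->', authorize(entries, req))
```

Run it as a script to see the five decisions: alice enables only with her enable password, bob's enable attempt is rejected outright, and carol's enable attempt is accepted but answered with Service-Type = NAS-Prompt-User, which is the "demote in the reply" option from the post.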
