Migration from TACACS+ to RADIUS
In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP. I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS. 1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
From what I've read, setting "Service-Type = NAS-Prompt-User" will give the user the ability to login to the device, but how do I restrict them from enabling themselves?
With the RADIUS setup I have currently, it's using Kerberos for authentication, and LDAP for authorization. 2. Can I set, for a user, a separate enable password? 3. With TACACS+ I have the ability to set a MOTD per device in the configuration, and modify that if need be from the TACACS+ configuration. Is there similar functionality in RADIUS? 4. Am I able to do any command accounting with Cisco equipment? I understand it is not possible with the ASA firewall line, but I haven't found a definitive answer about the router IOS images. If any one of these questions are answered, it will be greatly appreciated. Thank you for your time and any help you can offer me in advance. :) --- Nick nick@switchtower.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nicholas R. Cappelletti wrote:
In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.
I can answer some of these for HP. Though there is aready a page in the wiki for HP kit: http://wiki.freeradius.org/HP
I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.
1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
It's a HP VSA (Vendor specific attribute), but it's currently a little broken. Use: # aaa authorization commands radius To enable and test. Then the VSAs are: HP-Command-String HP-Command-Exception-Flag Use Command-String to specify a list of commands, and HP-Command-Exception-Flag to set whether it's an 'allow' list or a 'deny' list. That is only allow the commands in HP-Command-String, or deny all commands in HP-Command-String. I've forgotten specific values, have a look in the 5400 series manuals. One you enable aaa authorization commands radius, you must include the HP-Command-Exception-Flag with a valid value.
From what I've read, setting "Service-Type = NAS-Prompt-User" will give the user the ability to login to the device, but how do I restrict them from enabling themselves?
HP switches let you specify different authentication mechanisms for login and enable. So you can use local authentication for one and RADIUS for the other, or RADIUS for both. With the initial login the switch sets Service-Type in the Access-Request to 'NAS-Prompt-User' When the user attempts to enable themselves, the switch will prompt them again for a User-Name and password, but this time set the Service-Type to 'Administrative-User'. So either send an Access-Reject for requests with a Service-Type of Administrative user. Or just set Service-Type = NAS-Prompt-User in the reply, when the request was Service-Type 'Administrative-User'. Alternatively if you're lazy like me and have *newish* (>2500 series switches) you can turn on 'login privilege-mode'. # aaa authentication login privilege-mode In this mode if you return Service-Type = 'NAS-Prompt-User', the user will have operator access, and if you return Service-Type = 'Administrative-User', the user will be pre-enabled.
With the RADIUS setup I have currently, it's using Kerberos for authentication, and LDAP for authorization.
2. Can I set, for a user, a separate enable password?
Yes. Use Service-Type as a check item and create two entries for the user in the users file.
3. With TACACS+ I have the ability to set a MOTD per device in the configuration, and modify that if need be from the TACACS+ configuration. Is there similar functionality in RADIUS?
No but you can configure a static MOTD on the HP switches. # banner motd ~ My MOTD banner ~ I believe i've seen this whilst walking the SNMP mib, so it maybe scriptable via SNMP :) HP switches don't respect the Reply-Message.
4. Am I able to do any command accounting with Cisco equipment? I understand it is not possible with the ASA firewall line, but I haven't found a definitive answer about the router IOS images.
Don't know about cisco, but you can with HP. It sends them in the 'HP-Command-String' VSA attribute with Acct-Status-Type set to 'update'. use: # aaa accounting exec start-stop radius # aaa accounting commands stop-only To enable. There's currently a bug in the K series firmware that stops it reporting commands for service modules. I've got a case open about it (might be a no fix though).
If any one of these questions are answered, it will be greatly appreciated. Thank you for your time and any help you can offer me in advance. :)
No problem :) Best Regards, Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmVvx8ACgkQcaklux5oVKLrFwCfVKz33COPZkYPNl8uO8umnvrN /qQAnj3U3rEz4bOxwXoyjWqZw0IXAmJ+ =msI6 -----END PGP SIGNATURE-----
Nicholas R. Cappelletti wrote:
In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.
I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.
1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
The hope is that we can add TACACS+ support to FreeRADIUS in a future version. That will help with migration. Alan DeKok.
Alan DeKok schrieb:
Nicholas R. Cappelletti wrote:
In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.
I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.
1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
The hope is that we can add TACACS+ support to FreeRADIUS in a future version. That will help with migration.
Can this be expected in the foreseeable future? Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
The hope is that we can add TACACS+ support to FreeRADIUS in a future version. That will help with migration.
Can this be expected in the foreseeable future?
Maybe within 6 months? We've been involved with the RadSec documents (RADIUS over TLS over TCP). Once TCP support is in the server, basic TACACS+ is probably only another 1K LoC. Alan DeKok.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Nicholas R. Cappelletti -
Norbert Wegener