Cisco command authorization
Stefan Winter
stefan.winter at restena.lu
Fri Jan 4 16:52:51 CET 2008
Hi all,
there are inquiries every once in a while here about how to enable command
authorization for Cisco devices in a Cisco-AVPair. The usual answer is: find
out if the NAS has an attribute for it.
Now I'm myself trying to get rid of a haunting daemon, the tac_plus daemon,
and so I investigated. Cisco claims that there is a complete mapping scheme
to translate TACACS+ expressions into Cisco-AVPair Vendor-Specific. This
works for example with the priv-lvl attribute:
cisco-avpair = "shell:priv-lvl=15"
There is a web page for Cisco IOS at
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fe2d8.html
detailing which TACACS+ commands exist, and it suggests that
cisco-avpair = "shell:cmd=show"
would do the trick to authorize the "show" command. EXCEPT that there is a
tiny note for the commands "cmd" and "cmd-arg" saying that they cannot be
used for encapsulation in the Vendor-Specific space.
These two are the ONLY ones. Since it's just about parsing the string content
of cisco-avpair at the router side, there is absolutely no technical reason
why these two wouldn't go through. The only explanation then is that this is
a deliberate step by Cisco to make sure that TACACS+ is "superior" to RADIUS
by arbitrarily cutting down functionality. Probably the code in IOS is larger
with exception handling to make sure that it doesn't work.
I must say: I'm pissed. But I hope I could at least clarify this topic.
My next-best approach to circumvent this would be to define an intermediate
privilege level that only has the permission to do the commands in question,
and only assign the users in question to that lower priv-level. Scales
poorly, but enough for us. Maybe that approach serves some others as well.
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
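The intermediate-privilege-level workaround described in the post, written out as an added configuration example (it is not from the post, nor from Cisco or FreeRADIUS documentation). The RADIUS server address, shared secret, user names and passwords are placeholders, and the command list for level 7 is an illustrative choice.

```text
! --- Cisco IOS side (added example) ---
aaa new-model
! placeholder server address and shared secret
radius-server host 192.0.2.10 key RADIUS-SHARED-SECRET
aaa authentication login default group radius local
! exec authorization is what makes IOS honour shell:priv-lvl from the reply
aaa authorization exec default group radius local
! Intermediate level 7: only the commands these operators may run.
! Commands not moved here stay at their default level (1 or 15).
privilege exec level 7 show running-config
privilege exec level 7 show ip route
privilege exec level 7 show interfaces
privilege exec level 7 clear counters

# --- FreeRADIUS side, raddb/users (added example) ---
# Operator restricted to the intermediate level
alice   Cleartext-Password := "CHANGE-ME"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=7"

# Full administrator
bob     Cleartext-Password := "CHANGE-ME"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Per the post above, per-command authorization in the VSA form, e.g.
#   Cisco-AVPair = "shell:cmd=show"
# is not honoured by IOS, which is why the level-based split is used instead.
```

Every user who needs the same command subset is assigned to level 7; a different subset means defining another level, which is the poor scaling the post mentions.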