Recently in Cisco Category

Two virgin Ironport Email Security Appliances

Two virgin IronPort appliances just arrived to replace our C300 ones. The front changed a little bit, and there is the Cisco logo on them, making clear who is the new boss in the house.

The software is the same: they come with AsyncOS 6.5 preloaded, and a software upgrade takes them to version 6.5.2-101.

I will just be able to load the existing XML config files onto the new ones; only the automatically retrieved license codes changed (as the serial numbers are different).

Shrubbery Networks offers a free TACACS+ daemon (tac_plus) for download as C source code. If you have a small network and want to offer TACACS+ services without buying the Cisco ACS software, this could be the right thing for you (it does NOT offer RADIUS services, but there are quite a few free RADIUS servers available).

For IOS-based devices, the tac_plus configuration is quite trivial. Example (tac_plus.conf):

# shared secret; must match the key configured on the devices
key = XXXXXXXXX

user = ciscoadm {
        default service = permit
        service = exec {
                # exec authorization: start the shell at privilege level 15
                priv-lvl = 15
        }
        # password for ASCII "login" authentication (the type IOS sends)
        login = cleartext XXXXXXXX
}

This defines a user "ciscoadm" who gets privilege level 15 right after login (so there is no need to "enable"). In this trivial example I've used a cleartext password, as I am the only one with access to this server in the management LAN and it is not in production at the moment.
Configure your IOS as usual with

aaa new-model
aaa authentication login default group tacacs+ local
! without exec authorization the priv-lvl sent by the server is not applied
aaa authorization exec default group tacacs+ local
tacacs-server host 192.168.10.10 key 7 .......
tacacs-server directed-request

But then we got new Cisco MDS SAN Fibre Channel switches to replace our Inrange ones.
So I thought it was as easy as with IOS, because SAN-OS claims to be somewhat the same...
Eh, no.

It begins with the fact that you have to explicitly enable TACACS+ and ends with the issue that the default server group "tacacs+" is not available. You HAVE to declare a TACACS+ server group.

Example (SAN-OS 3.x):

tacacs+ enable
tacacs-server host 192.168.10.10 key 7 "XXXXXXXX"
tacacs-server host 192.168.10.11 key 7 "XXXXXXXX"
aaa group server tacacs+ MYTACACS
   server 192.168.10.10
   server 192.168.10.11
aaa authentication login default group MYTACACS local


But then again - no TACACS+ login. You cannot log in, and the tac_plus daemon logs "Authentication failed". And then - how to assign roles? SAN-OS on Cisco MDS switches has roles for access levels; predefined are "network-admin" and "network-operator". So how to assign them via TACACS+?

The solution is simple but not obvious. The login problem is solved by using "global" instead of "login": SAN-OS does not send an ASCII "login" authentication request but a different TACACS+ authentication type (PAP rather than ASCII login), so a password defined only for "login" never matches. "global" sets the password for every authentication type tac_plus handles, regardless of which type the switch transmits.
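To make the "login" versus "global" difference concrete, here is an added example (not from the original post and not tac_plus code) that builds the TACACS+ authentication START packet a device sends, once as an ASCII login request and once as a PAP request, obfuscates the body with the shared key as RFC 8907 describes, and decodes it again the way a server would. The user name, password, key and session id are made-up values. The point it shows: the two requests differ only in the authen_type byte (and the minor version byte that goes with it), and a tac_plus password entry is matched by that type: "login" only answers ASCII requests, "pap" only PAP ones, and "global" answers any of them.

```python
# Added example: TACACS+ authentication START for ASCII login vs. PAP.
# Constants and the obfuscation keystream follow RFC 8907; everything else
# (user, password, key, session id) is constructed for the demonstration.
import hashlib
import struct

# RFC 8907 constants
MAJOR_VER = 0xC
MINOR_VER_DEFAULT = 0x0      # used with ASCII login
MINOR_VER_ONE = 0x1          # must be used with PAP/CHAP
TYPE_AUTHEN = 0x01           # packet type: authentication
AUTHEN_LOGIN = 0x01          # action
AUTHEN_TYPE_ASCII = 0x01     # "login = ..." in tac_plus.conf answers this
AUTHEN_TYPE_PAP = 0x02       # "pap = ..." answers this; "global = ..." answers both
AUTHEN_SVC_LOGIN = 0x01
PRIV_LVL_USER = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call reverses it (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user: str, password: str, key: bytes, session_id: int, use_pap: bool,
                 port: bytes = b"tty0", rem_addr: bytes = b"") -> bytes:
    """Build the complete packet (header + obfuscated body) of an authentication START."""
    user_b = user.encode()
    if use_pap:
        version = (MAJOR_VER << 4) | MINOR_VER_ONE
        authen_type = AUTHEN_TYPE_PAP
        data = password.encode()      # PAP carries the password in START
    else:
        version = (MAJOR_VER << 4) | MINOR_VER_DEFAULT
        authen_type = AUTHEN_TYPE_ASCII
        data = b""                    # ASCII login: the server asks for the password in a later exchange
    body = struct.pack("!BBBBBBBB", AUTHEN_LOGIN, PRIV_LVL_USER, authen_type, AUTHEN_SVC_LOGIN,
                       len(user_b), len(port), len(rem_addr), len(data))
    body += user_b + port + rem_addr + data
    seq_no = 1                        # START is always the first packet of a session
    flags = 0                         # 0 = body is obfuscated (TAC_PLUS_UNENCRYPTED_FLAG not set)
    header = struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: read the header, reverse the obfuscation, and pull out the fields
    that decide which password entry applies (authen_type) plus user and PAP data."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = obfuscate(packet[HEADER_LEN:HEADER_LEN + length], session_id, key, version, seq_no)
    action, priv, authen_type, svc, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    data = body[off:off + dlen]
    return {"version": version, "type": ptype, "authen_type": authen_type,
            "user": user.decode(), "port": port.decode(), "data": data.decode()}


if __name__ == "__main__":
    key, sid = b"XXXXXXXX", 0x12345678            # constructed values
    for pap in (False, True):
        pkt = authen_start("user1", "secret", key, sid, use_pap=pap)
        print("PAP" if pap else "ASCII", parse_authen_start(pkt, key))
```

The same tac_plus.conf user with only a "login" password fails the PAP variant and succeeds with the ASCII one; "global" succeeds with both, which is exactly the behaviour observed on the MDS switch.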

Roles are finally defined via cisco-av-pairs. Don't wonder about the asterisk: in TACACS+ authorization, "attr=value" is a mandatory attribute and "attr*value" an optional one, and the asterisk is the correct syntax here.
Our SAN admin user can be defined like that:

user = user1 {
        default service = permit
        service = exec {
                # optional (asterisk) attribute carrying the SAN-OS role
                cisco-av-pair*shell:roles="network-admin"
        }
        # "global": one password for every authentication type, not only ASCII login
        global = cleartext XXXXXXXX
}


And - bingo - it works. "user1" can log in and is "network-admin".
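Why the asterisk matters is easiest to see from the client's side. The following is an added example (not from the original post, not SAN-OS or tac_plus code) that parses the attribute-value pairs of a TACACS+ authorization reply as RFC 8907 defines them, separating mandatory ("=") from optional ("*") attributes, extracts priv-lvl and the shell:roles list, and applies the rule that a client which cannot honor a mandatory attribute has to treat the authorization as failed while it may simply ignore an unsupported optional one. The sample replies are constructed strings in the form the tac_plus.conf lines above produce; the "shell:roles" form without the cisco-av-pair prefix is handled as well, as a generalisation beyond this page.

```python
# Added example: parsing TACACS+ authorization attribute-value pairs.
# Separator rules are from RFC 8907; sample inputs are constructed.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class AVPair:
    attr: str
    value: str
    mandatory: bool      # True for "attr=value", False for "attr*value"


_PAIR_RE = re.compile(r"([^=*]+)([=*])(.*)", re.S)


def parse_av_pair(pair: str) -> AVPair:
    """Split on the first '=' or '*'; that character is the separator and decides
    whether the attribute is mandatory (=) or optional (*)."""
    m = _PAIR_RE.match(pair)
    if not m:
        raise ValueError(f"not a TACACS+ attribute-value pair: {pair!r}")
    return AVPair(m.group(1), m.group(3), m.group(2) == "=")


def _roles(value: str) -> List[str]:
    # roles are space separated and usually quoted: "network-admin vdc-admin"
    return value.strip('"').split()


def roles_and_priv(pairs: Iterable[str]) -> Tuple[List[str], Optional[int]]:
    """Collect SAN-OS/NX-OS roles and the IOS privilege level from a reply."""
    roles: List[str] = []
    priv: Optional[int] = None
    for p in map(parse_av_pair, pairs):
        if p.attr == "priv-lvl":
            priv = int(p.value)
        elif p.attr == "cisco-av-pair" and p.value.startswith("shell:roles="):
            roles += _roles(p.value[len("shell:roles="):])   # the form used on this page
        elif p.attr == "shell:roles":
            roles += _roles(p.value)                          # attribute sent directly
    return roles, priv


def client_accepts(pairs: Iterable[str], supported_attrs: set) -> bool:
    """RFC 8907: an unsupported mandatory attribute makes the authorization fail;
    an unsupported optional attribute is ignored."""
    return all(p.attr in supported_attrs or not p.mandatory
               for p in map(parse_av_pair, pairs))


if __name__ == "__main__":
    reply = ['priv-lvl=15', 'cisco-av-pair*shell:roles="network-admin"']   # constructed
    print(roles_and_priv(reply))
    # a client that knows only priv-lvl still accepts the reply because the role is optional
    print(client_accepts(reply, {"priv-lvl"}))
```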

You may test it by typing on your SAN switch:

sanswitch# show user-account


August 2009: Monthly Archives


About

This blog is owned by:

Pascal Gienger
Jägerstrasse 77
8406 Winterthur
Switzerland
