topic Re: excluding tacacs section in show run using AV pairs in ISE? in Network Access Control

excluding tacacs section in show run using AV pairs in ISE?

holger2meyer — Wed, 06 Oct 2021 06:10:22 GMT

Hello,

Maybe a silly question but I think it's not possible but it would be nice if we could deny users with RO access to IOS devices to read the tacacs config section, correct? In particular the tacacs-server key. I'm not sure how ISE would process a command request for "show run" when we also define "DENY_ALWAYS tacacs-server" or even "DENY_ALWAYS *tacacs-server"? I take it that the "show run" output will still contian the tacacs-server section, right? Despide that "DENY_ALWAYS tacacs-server" was specified, too. Such that we could achieve something like "show run | exclude tacacs-server"?

Thanks and regards,

Holger

Re: excluding tacacs section in show run using AV pairs in ISE?

Rob Ingram — Wed, 06 Oct 2021 10:40:27 GMT

Hi @holger2meyer

AFAIK you cannot configure TACACS+ to not display certain sections of the running-configuration. You've given me an idea though, perhaps you could create an alias for "show run | exclude tacacs-server" and permit the user to run the alias command and deny "show run"? I've not tried it myself though.

I believe the "tacacs-server" command is depreciated in newer versions and you have to use the syntax "tacacs server <name>". If you were running the new syntax (which you aren't) and used "tacacs server XXXX" which has multiple lines of configuration, that would not work as "exclude" only excludes the line with "tacacs" and not the rest of the configuration.

Re: excluding tacacs section in show run using AV pairs in ISE?

holger2meyer — Wed, 06 Oct 2021 11:44:43 GMT

Hello Rob,

many thanks for your answer, quite helpful. Might be an idea to use an alias. See, it would be nice to have a way to prevent a given read-only user group from seeing type 7 keys/password hashes when issuing a "show run" like they are still in use once in a while for tacacs or NTP keys in older ISO versions. Not to mention the BGP neighbor password.

Regards,

Holger

Re: excluding tacacs section in show run using AV pairs in ISE?

Rob Ingram — Wed, 06 Oct 2021 11:56:54 GMT

@holger2meyer if it's preventing seeing the Type 7 keys in the configuration, how about using Type 6 which is encrypted. I think it's supported for radius and tacacs.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst1000/software/releases/15_2_7_e/configuration_guides/sec/b_1527e_security_c1000_cg/configuring_radius.html

https://community.cisco.com/t5/networking-documents/configuring-type-6-passwords-in-ios-xe/ta-p/4438495

Re: excluding tacacs section in show run using AV pairs in ISE?

holger2meyer — Wed, 06 Oct 2021 12:08:43 GMT

Hi Rob,

that's the plan but the installation spans several thousand devices... it'll take the team some time to migrate. Would be nice to have a fix for the time being. And, to my knowledge BGP still only supports md5 😞 (correct me if I'm wrong).

Regards,

Holger

Re: excluding tacacs section in show run using AV pairs in ISE?

Rob Ingram — Wed, 06 Oct 2021 12:23:09 GMT

Hi @holger2meyer

Ok I understand. According to the second link provided above, BGP MD5 authentication passwords will not be converted to Type 6, but recommends to use BGP TCP Authentication Option. Or just try the alias workaround for TACACS.

HTH