Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6988
Views
0
Helpful
8
Replies

ISE and CentOS users authentication

Go to solution
gugonza2
Cisco Employee
Cisco Employee

‎11-18-2018 06:15 AM

Hi, 

 

I'm testing some features of ISE.  We would like to configure some CentOS servers to use RADIUS or TACACS authentication/authorization in ISE.   We know that we don't have TACACS support in Linux, we found some customs libraries but we prefer to use RADIUS.  We found some PAM libraries for that but I would like to know if anyone has an examples or configuration to check it.

 

The objective is to use ISE as central authentication and authorization server for all systems in a customer infrastructure.  The customer has network devices that use TACACS and other important services installed on CentOS.

 

Any suggestion, comment or configuration example ?

 

Thanks in advance

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎11-19-2018 06:32 AM

Hi,

 

I know there are some who have successfully used RADIUS instead of TACACS+ for authentication.  Unfortunately, we don't have a guide specific to CentOS.  I would search around and see if there is an example for user authentication using RADIUS for linux operating systems.

 

Regards,

-Tim

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎11-19-2018 06:32 AM

Hi,

 

I know there are some who have successfully used RADIUS instead of TACACS+ for authentication.  Unfortunately, we don't have a guide specific to CentOS.  I would search around and see if there is an example for user authentication using RADIUS for linux operating systems.

 

Regards,

-Tim

0 Helpful

Go to solution
gugonza2
Cisco Employee
Cisco Employee
In response to Timothy Abbott

‎11-19-2018 07:13 AM

Thx a lot Timothy, let me know if you find any document, example or test, it would be great.
Thx again.
0 Helpful

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to gugonza2

‎11-19-2018 07:18 AM

You’re welcome. If we create one, it will be posted here in the communities. I would give google a try to see if there is a guide somewhere else.

Regards,
-Tim
0 Helpful

Go to solution
marce1000
VIP
VIP
In response to gugonza2

‎11-19-2018 07:28 AM

 

 https://mikedixson.com/2014/09/configuring-radius-authentication-on-linux/

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
gugonza2
Cisco Employee
Cisco Employee
In response to marce1000

‎11-19-2018 08:17 AM

Thx marce1000, Just a note, in this procedure (I´ve seen this note in others links with PAM modules for RADIUS), you need to create the user in Linux.
Is there any PAM module for RADIUS which don´t need to create the user locally ?
0 Helpful

Go to solution
Eric101
Level 1
Level 1
In response to gugonza2

‎01-24-2020 10:44 AM

Hello
I had a similar desire and found the jeroennijhof/pam_script to create local users and home drive automatically. This has met our requirements for tying our Linux servers to our ISE RADIUS.

-Install the package from the epel-release repo:
sudo yum install pam_script

-Add these lines to this file /etc/pam.d/sshd:
auth optional /usr/lib64/security/pam_script.so # Script to create local user if not existing
auth sufficient /usr/lib64/security/pam_radius_auth.so #pam RADIUS Authentication Client

Create the script file pam_script_auth in /etc/pam-script.d/
sudo touch /etc/pam-script.d/pam_script_auth

Add these lines to this file /etc/pam-script.d/pam_script_auth:
#add user
logger Adding New User $PAM_USER
useradd $PAM_USER
echo $PAM_USER:U6aMy0wojraho | sudo chpasswd -e
0 Helpful

Go to solution
don.click1
Level 4
Level 4
In response to Eric101

‎12-04-2020 12:34 PM

I would be very interested in how you got this setup on Debian. 

 

Did you have to change/create any new policies or policy elements?

0 Helpful

Go to solution
alextomko
Level 1
Level 1

‎10-01-2020 09:42 AM

I have used pam_tacplus to use Tacacs instead which is better in my opinion. You can then use your ACS/ISE policy sets, the same ones you use for your Cisco network devices will work fine.

 

Here is the setup for CentOS7 or Redhat with pam_tacplus for ssh. You can add the "auth include tacacs" to any other pam files as you want to so you can have tacacs for serial console, sudo and other login functions defined in /etc/pam.d/*. 

 

I have Debian setup to if interested, but here is my CentOS7/Redhat setup:

 

# CentOS7 - Clean Installation.

*Install sudo from root.*

~~~
$ yum install sudo
~~~

*Install autoconf, automake, git, openssl-dev & gcc*

~~~
$ sudo yum install git autoconf automake openssl-dev gcc
~~~

*add test user `netadmin` with no password - do not clear the passwd with -d or it lets you login via consol with no password - or do passwd -l user for existing user - or the user could login with no pass on consol*

~~~
$ sudo useradd netadmin
~~~

*Install pam_tacplus*
~~~
$ git clone https://github.com/jeroennijhof/pam_tacplus/
$ cd pam_tacplus
$ ./auto.sh

$ ./configure

$  sed -i 's/\<AM_CFLAGS = -Wall -Wextra -Werror\>/AM_CFLAGS = -Wall -Wextra/g' Makefile
$ make && sudo make install
~~~

*run command: `setsebool -P nis_enabled 1` to get rid of the permission issue seen in `/var/log/messages` of `failed srv 0: Permission denied`*
~~~
$ sudo setsebool -P nis_enabled 1
~~~

*add `auth include tacacs` at top of `/etc/pam.d/sshd`:*
*add file `/etc/pam.d/tacacs` with:*

~~~
#%PAM-1.0
auth sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret
account sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret service=shell protocol=ssh
session sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret service=shell protocol=ssh
~~~

*check libraries in CentOS:*

~~~
$ ldd /usr/local/lib/security/pam_tacplus.so
linux-vdso.so.1 => (0x00007ffde29f8000)
libtac.so.2 => /usr/local/lib/libtac.so.2 (0x00007ff546824000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007ff546619000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ff5461b8000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007ff545fa9000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff545be5000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007ff5459e1000)
libz.so.1 => /lib64/libz.so.1 (0x00007ff5457cb000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007ff5455a2000)
/lib64/ld-linux-x86-64.so.2 (0x000055b4b688c000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007ff54539c000)
~~~

*run an ssh with username that has no password:*

~~~
$ ssh netadmin@2.2.2.2
netadmin@2.2.2.2s password:
Last login: Thu Dec 28 13:24:42 2017 from 1.1.1.1
[netadmin@rhel7-centos ~]$
~~~

*SeLinux Stuff:*
~~~
*temporary resolve if se-linux issue - reboot if working - does not persist*
setenforce Permissive

*Install semanage:*sed -i 's/\<AM_CFLAGS = -Wall -Wextra -Werror\>/AM_CFLAGS = -Wall -Wextra/g' Makefile
sudo yum install policycoreutils-python

*permanently sets permissive or disables se-linux on sshd*
semanage permissive -a sshd_t

*collect avc info related to se-linux:*
sudo ausearch -m avc -ts today | sudo audit2why -m pam_tacplus-policy
~~~

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents