ISE TACACS profile for Vyatta tacplus-admin

BeardRedMachine
Level 1

I'm looking to add some Vyatta devices to our ISE environment for TACACS+ authentication.  I'm running into issues getting the correct attributes sent to the device.  By default, the Vyatta dumps you into the "tacplus-operator" role when authenticating with a TACACS+ server.  On our old deployment (Linux using tac_plus), we have the following options listed for our Vyattas, which tell it to use "tacplus-admin" for our users:


group = ADMINS {
    default service = permit
    service = vyatta-exec {
        set level = "admin"
    }
}


On our ISE deployment, I'm trying:

[Image: ISE_Attributes_Vyatta.png]


I can login to the device, it assigns the correct Shell Profile (in my Device Admin Policy Set) and it shows it sending the attributes:

[Image: ISE_Attributes_Response_Vyatta.png]

but I get dumped into tacplus-operator and can't do any administrative tasks. Any ideas?


6 Replies

paul
Level 10

Try using the Raw attributes instead of custom attributes.  In your TACACS profile click on the Raw tab and you can try different combinations.  Just paste in:


default service = permit
service = vyatta-exec {
    set level = "admin"
}

or try just

level = "admin"


I use RAW attributes for almost everything when doing custom AV pairs.

Paul,

Thanks for the response.  I am actually pasting all that into the "raw" section. I've tried different combinations with curly brackets, without, with quotes, without, etc.  I even tried "level = admin", same result.  It seems as if anything I put in there isn't actually being used on the Vyatta side, or more likely, I'm not putting it in there the way it expects it.

Thanks again for the suggestion.

https://ecl.ntt.com/files/firewall/5.2/vyatta-network-os-5.2r1-basic-system.pdf says,

...
Specifying authentication level in TACACS+

By default, TACACS+ authorized users on the Brocade vRouter are given operator-level access. However, you can specify the authentication level for individual TACACS+ authorized users on the local Brocade vRouter. Like the mapping of user IDs, this configuration is specified on the TACACS+ server, as shown in the following example:

    user = administrator {
         default service = permit
         login = cleartext "vyatta"
         service = vyatta-exec {
              level = "admin"
         }
    }

Logging in to the local Brocade vRouter as the administrator user in this instance provides administrative-level access. You can also configure an additional level on the TACACS+ server as superuser to provide superuser-level access.

...


Thanks for the response.  I've been trying the recommended settings in my TACACS+ profiles.  Please see the "raw view" as well as the default view and the results when authentication happens.

[Image: Custom_Attr_View.jpg]
[Image: Raw_View.jpg]
[Image: Author_Attributes.jpg]

I get the same result when logging in to the Vyatta.  I also tried breaking them up into individual attributes, same result.

After working for many moons with AT&T support and development teams, we were able to get the Vyatta to accept the correct permissions by:


Upgrading the Vyatta 5600 to version 1801R

Setting the TACACS+ Profile Policy Element to (under "Raw View", no spaces, no quotes): level=superuser

The task view will look like:

[Image: Vyatta_Task_View.jpg]

The configuration on the Vyatta will be similar to:


set system login tacplus-server A.B.C.D port '49'
set system login tacplus-server A.B.C.D secret 'suchsecretpassword'
set system login tacplus-server A.B.C.D source-address 'W.X.Y.Z'
set system login tacplus-server A.B.C.D timeout '3'
set system tacplus-options 'command-accounting'
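Added example, not from this thread and not Vyatta or ISE code: a small encoder/decoder for the TACACS+ authorization REPLY body (RFC 8907 layout) showing how the `level=superuser` attribute travels to the device as an AV pair, and what the spaced, quoted form `level = "admin"` becomes once it is split on the first `=`: an attribute named `level ` (trailing space) with value ` "admin"`, which a byte-for-byte match on `level` does not find. The helper names and the strict-match behaviour of `effective_level` are assumptions for illustration.

```python
import struct

# RFC 8907 authorization REPLY status values (only the two needed here)
AUTHOR_STATUS_PASS_ADD = 0x01   # NAS merges the server's args with its own
AUTHOR_STATUS_PASS_REPL = 0x02  # NAS replaces its args with the server's

def build_author_reply(args, status=AUTHOR_STATUS_PASS_ADD, server_msg=b""):
    """Encode an authorization REPLY body (12-byte header and obfuscation omitted)."""
    encoded = [a.encode() for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("too many args or an arg over 255 bytes")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), 0)
    body += bytes(len(a) for a in encoded)   # one length byte per arg
    body += server_msg                       # data field is empty (len 0)
    return body + b"".join(encoded)

def parse_author_reply(body):
    """Decode a REPLY body back into (status, server_msg, [arg strings])."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len                # skip the (empty) data field
    args = []
    for n in lens:
        args.append(body[off:off + n].decode())
        off += n
    return status, server_msg, args

def split_avpair(arg):
    """Split at the first '=' (mandatory) or '*' (optional) separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "*"
    raise ValueError("not an AV pair: %r" % arg)

def effective_level(args):
    """Value of a mandatory 'level' attribute, matched byte-for-byte (assumed strict)."""
    for arg in args:
        attr, value, optional = split_avpair(arg)
        if attr == "level" and not optional:
            return value
    return None
```

Feeding `["service=vyatta-exec", "level=superuser"]` through `build_author_reply` and `parse_author_reply` round-trips cleanly and `effective_level` returns `superuser`; the quoted, spaced variant returns nothing.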

Many thanks for sharing.
