cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

364
Views
0
Helpful
6
Replies

ISE TACACS profile for Vyatta tacplus-admin

I'm looking to add some vyatta devices to our ISE environment for TACACS+ authentication.  I'm running in to issues getting the correct Attributes sent to the device.  By default, the vyatta dumps you in to "tacplus-operator" role when authenticating with a tacacs server.  On our old deployment (linux using tac_plus), we have the following options listed for our vyattas, which tell it to use "tacplus-admin" for our users:

 

group = ADMINS {
default service = permit
service = vyatta-exec {
set level = "admin"
}

 

On our ISE deployment, I'm trying:
ISE_Attributes_Vyatta.png

 

I can login to the device, it assigns the correct Shell Profile (in my Device Admin Policy Set) and it shows it sending the attributes:

ISE_Attributes_Response_Vyatta.png

but I get dumped in the tacplus-operators and can't do any administrative tasks, any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: ISE TACACS profile for Vyatta tacplus-admin

After working for many moons with AT&T support and development teams, we were able to get the Vyatta to accept the correct permissions by:

 

Upgrading the Vyatta 5600 to version 1801R

Setting the TACACS+ Profile Policy Element to (under "Raw View", no spaces, no quotes): level=superuser

The task view will look like:

 

Vyatta_Task_View.jpg

 

 

 

 

 

 

 

 

 

The configuration on the Vyatta will be similar to:

 

set system login tacplus-server A.B.C.D port '49'
set system login tacplus-server A.B.C.D secret 'suchsecretpassword'
set system login tacplus-server A.B.C.D source-address 'W.X.Y.Z'
set system login tacplus-server A.B.C.D timeout '3'
set system tacplus-options 'command-accounting'
Everyone's tags (5)
6 REPLIES 6
VIP Engager

Re: ISE TACACS profile for Vyatta tacplus-admin

Trying using the Raw attributes instead of custom attributes.  In your TACACS profile click on the Raw tab and you can try different combinations.  Just paste in:

 

default service = permit
service = vyatta-exec {
set level = "admin"

 

or try just

 

level = "admin"

 

I use RAW attributes for almost everything when doing custom AV pairs.

Re: ISE TACACS profile for Vyatta tacplus-admin

Paul,

Thanks for the response.  I am actually pasting all that in to the "raw" section. I've tried different combinations with curly brackets, without, with quotes, without etc.  I even tried the "level = admin", same result.  It seems as if anything I put in there isn't actually being used on the vyatta side, or more likely, I'm not putting it in there the way it expects it.

 

Thanks again for the suggestion.

Cisco Employee

Re: ISE TACACS profile for Vyatta tacplus-admin

https://ecl.ntt.com/files/firewall/5.2/vyatta-network-os-5.2r1-basic-system.pdf says,

...
Specifying authentication level in TACACS+

By default, TACACS+ authorized users on the Brocade vRouter are given operator-level access. However, you can specify the authentication level for individual TACACS+ authorized users on the local Brocade vRouter. Like the mapping of user IDs, thiscon guration is speci ed on the TACACS+ server, as shown in the following example:

    user = administrator {
         default service = permit
         login = cleartext "vyatta"
         service = vyatta-exec {

} }

level = "admin"

Logging in to the local Brocade vRouter as the administrator user in this instance provides administrative-level access. You can alsocon gure an additional level on the TACACS+ server as superuser to provide superuser-level access.

...


 

Re: ISE TACACS profile for Vyatta tacplus-admin

Thanks for the response.  I've been trying the recommended settings in my Tacacs+ profiles.  Please see the "raw view" as well as the default view and the results when authentication happens.

Custom_Attr_View.jpgRaw_View.jpgAuthor_Attributes.jpg

 

I get the same result when logging in to the vyatta.  I also tried breaking them up in to individual attributes, same result.

Highlighted

Re: ISE TACACS profile for Vyatta tacplus-admin

After working for many moons with AT&T support and development teams, we were able to get the Vyatta to accept the correct permissions by:

 

Upgrading the Vyatta 5600 to version 1801R

Setting the TACACS+ Profile Policy Element to (under "Raw View", no spaces, no quotes): level=superuser

The task view will look like:

 

Vyatta_Task_View.jpg

 

 

 

 

 

 

 

 

 

The configuration on the Vyatta will be similar to:

 

set system login tacplus-server A.B.C.D port '49'
set system login tacplus-server A.B.C.D secret 'suchsecretpassword'
set system login tacplus-server A.B.C.D source-address 'W.X.Y.Z'
set system login tacplus-server A.B.C.D timeout '3'
set system tacplus-options 'command-accounting'
Everyone's tags (5)
Cisco Employee

Re: ISE TACACS profile for Vyatta tacplus-admin

Many thanks for sharing.