12-03-2024 10:22 AM
Hi,
I'm trying to create an AAA deployment for Cisco switch/router access for users and a service account for DNA Center, and I'm not sure where to start. Basically, I want users to be able to log in to Cisco devices using TACACS+ auth (via ClearPass querying AD); users can then "enable" using our enable password (currently hardcoded in the Cisco devices using enable secret, not sure if there is a better way for this).
If the TACACS+ server is unreachable, access should fall back to local, as we have an admin account hardcoded locally in the devices.
However, our DNA service account should login to Cisco devices in enabled mode already.
Currently this is what is in the config:
aaa new-model
!
!
aaa authentication login default group tacacs+ local enable
!
!
line vty 0 15
session-timeout 15
exec-timeout 15 0
logging synchronous
transport input telnet ssh
Aruba TACACS+ is passing privilege level 15 in the service profile, and I am not sure if I should create a separate service profile for users without priv level 15 and a service profile for service accounts with priv level 15.
Any help is appreciated
12-03-2024 01:50 PM
When onboarding Network Devices into the DNAC Inventory, I find it's best to create an Authentication credential in DNAC (Design / Network Settings / Device Credentials / CLI) - I call it a DNAC Service Account - and then create that account on all network devices as a local account, with priv 15. That is what I do to onboard a device into DNAC (before the switch even has TACACS+ configured). In addition, your TACACS+ server should be able to authenticate Network Devices with this same username/password (either via local server account, or AD etc.) - once the Network Device is onboarded, DNAC will log into these devices with the same username/password, and then your TACACS+ server will handle that Auth. Also, if you nuke the aaa config on your Network Devices, you can still log into them using the DNAC service account.
On a fresh IOS-XE device, I always add the username and get SSH set up. Routers/switches can vary in how this is done, but some of the common steps are:
conf t
ip domain name my.domain.local
! create a SSH key pair
crypto key generate rsa modulus 2048
! create local account
username SVC_DNAC privilege 15 password MySecret123
!
ip ssh version 2
! Sometimes this is needed too
line vty 0 15
login local
Here is what DNAC would provision (plus my own additions, which are the per-command accounting and command authorization):
aaa group server tacacs+ dnac-network-tacacs-group
server name dnac-tacacs_172.22.131.174
server name dnac-tacacs_172.22.131.175
timeout 1
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 0 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization configuration VTY_author group dnac-network-tacacs-group
aaa accounting exec default start-stop group dnac-network-tacacs-group
aaa accounting commands 0 default start-stop group dnac-network-tacacs-group
aaa accounting commands 1 default start-stop group dnac-network-tacacs-group
aaa accounting commands 15 default start-stop group dnac-network-tacacs-group
ip tacacs source-interface GigabitEthernet1
!
tacacs server dnac-tacacs_172.22.131.174
address ipv4 172.22.131.174
key 0 <TACACS_shared_Secret>
timeout 1
single-connection
!
tacacs server dnac-tacacs_172.22.131.175
address ipv4 172.22.131.175
key 0 <TACACS_shared_Secret>
timeout 1
single-connection
DNAC will also modify the line vty:
line vty 0 4
authorization commands 0 VTY_author
authorization commands 1 VTY_author
authorization commands 15 VTY_author
authorization exec VTY_author
login authentication VTY_authen
transport input ssh
12-03-2024 11:29 PM
You mean onboard via a day 0 template? The network devices are already in the network hierarchy, so I am not onboarding new devices to DNAC.
12-04-2024 12:01 AM
12-04-2024 08:38 AM
Devices were added via discovery without device controllability or telemetry turned on. I can provision commands using template hubs, so there is no problem there.
I noticed you use aaa authentication login VTY_authen group dnac-network-tacacs-group local vs aaa authentication login default group tacacs+ local enable. Looks like they do the same thing? Authorizes EXEC sessions on VTY lines using the TACACS+ server group, with local fallback if authenticated. Does this directly put the user into priv 15, or just allow the user to issue the enable command? Same with aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated and aaa authorization exec default local commands.
What are you trying to do with these commands below?
aaa authorization commands 0 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization configuration VTY_author group dnac-network-tacacs-group
Maybe for now I'll just focus on setting up TACACS+ for our network engineers to log in to the vty lines using TACACS+, be able to issue the enable command, and fall back to local auth if the TACACS+ server is unavailable. Would I be able to accomplish that if I took snippets from your config? Thanks so much.
12-04-2024 06:43 PM
I'll tackle each question below:
"I noticed you use aaa authentication login VTY_authen group dnac-network-tacacs-group local vs aaa authentication login default group tacacs+ local enable.. looks like they do the same thing"
DNAC makes use of 'method lists' (VTY_authen is a method list). It's like a tag that links the "line vty/con/aux" configs to individual aaa statements. It can be hard to read, and by default IOS doesn't use them: the "line vty/con/aux" implicitly use no method lists, hence in the aaa statements you refer to that as 'default'. DNAC doesn't give you a choice when you provision devices, and if those devices are in a Network Hierarchy that contains RADIUS/TACACS+ settings, those are pushed to the device being provisioned, along with anything else that applies at that Hierarchy (such as DNS, NTP, Timezone, MOTD, etc.).
The very last argument in the aaa command (either 'local' or 'enable') tells the IOS what happens when the aaa servers are not responding:
The aaa authorization exec tells you what happens AFTER authentication step, and takes the PrivLvl from the AAA server response. If ISE returns '1' then you end up on the '>' prompt and need to elevate using the enable X command. I don't recall what happens next, because I don't use the enable mode of working - but I think the IOS will request aaa authentication to the server to request the elevation. Like I said, I issue Priv15 to everyone, and then just lock down the commands that each role (SuperAdmin, JuniorAdmin, ReadOnly) can perform.
aaa authorization commands X tells IOS that while you are in the exec shell, EVERY command you issue (that is associated with a priv level ... 0,1,15 etc) will cause an aaa request to the server - that is how ISE can control what command each user can, and cannot issue. But some commands don't relate to a priv level - I have never seen this list, but I think commands like "who" don't cause a aaa event.
My recommendation is to do some testing in a lab. If you have a lab ... Cisco CML or GNS3/Eve-NG and an ISE node then you can test all these scenarios. If not, then take one IOS device that you can always reach physically (console cable) and have a play with all of these options.
12-04-2024 11:13 PM
Hi Arne
Makes perfect sense. I don't have ISE; I have Aruba ClearPass TACACS+. It can pass any privilege level, but I'm not sure how I can replicate locking down commands on a per-role basis, or whether copying your command auth statements will work.
12-04-2024 11:20 PM
line vty 0 15
privilege 15 <<- this makes it use only authc by ClearPass, and if authc succeeds it will get level 15
session-timeout 15
exec-timeout 15 0
logging synchronous
transport input telnet ssh
12-05-2024 07:56 AM
That doesn't matter, I think, as Aruba ClearPass can pass priv 15 under Enforcement Profiles -> Priv Level -> Selected Services = shell.
12-05-2024 08:03 AM
But you don't configure authz exec under the vty, so the vty doesn't use the priv level sent by TACACS+.
MHM
12-05-2024 11:59 AM
AAA is a client/server protocol. That means the server (ISE/ClearPass) does nothing until a client (e.g. IOS) sends a request to it. Therefore, the client needs certain config (I have provided you what DNAC pushes to Catalysts, plus some additional commands), and the server needs config. But we have not discussed the server config. Since this is a Cisco forum, I won't go into how ClearPass is configured; you can research that on Airheads. I have configured both and I find the Aruba more complex to configure than ISE. But they do the same thing.
TACACS+ happens in three distinct AAA stages - Authentication, Authorization, Accounting.
When a user logs into IOS and presses enter on the username+password, IOS sends an Authentication request to the server. The server checks only the username and password and sends back a simple 'Yes' / 'No'.
Once that is done, if it was a 'Yes', IOS will have authenticated the user. But the user is not on the CLI yet: IOS performs authorization for the exec (CLI shell). IOS will ask the server to authorize that user. Because I have an ISE Authorization Rule that says what a SuperAdmin priv level is, when I log in, ISE returns this (there are many different attributes, but these are the basic ones I return). And by the way, I return this for other users too, like Read-Only users. More on that later ...
Now the user is on the '#' prompt.
What happens next depends on how you have configured your IOS. Do you want EVERY command to be authorized as well? If yes (e.g. for RBAC reasons), the IOS "aaa authorization commands" statements do just that, but it must be done for every possible priv level. In my experience, even though you are authorized to priv 15, some commands you enter are lower priv; therefore, to catch those, cater for priv 0, 1 and 15 commands.
Going back to ISE config, in the TACACS+ Policy Set I made two Authorization scenarios - super admins, and readonly admin - here is what it looks like in ISE (Clearpass does the same thing, but looks different)
The Command Set configs in ISE show what my Read-Only user gets
When I login as the user 'arne', my experience is as follows
And you can see ISE is authorizing every command I type
To prove my point about priv 0 and priv 1 being required to make this work, I removed the following commands from the IOS:
Remember that I am still in Priv 15
But since I am no longer authorizing the priv 0/1 commands, I can suddenly issue them as user 'arne', even though my TACACS+ server has rules to not allow this. The reason is simple: IOS no longer makes those requests to the server. The command 'who' is not allowed in my TACACS+ server, but the user can now execute it:
Command authorization has less to do with what priv level I gave the user; it's more concerned with what priv level the command is that I have just entered into the shell. I have yet to see a complete listing (or a command in IOS) that shows what priv level is needed for which command.
test, test, and then test again!
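Added example, not code from the thread or from either product: a small Python lint that checks an IOS/IOS-XE config for the pitfalls discussed above (command authorization that skips priv 0/1, a login method list with no local fallback, a vty with no exec authorization so the server's priv level is never applied, and telnet left enabled). The sample config, the method-list names and the finding texts are constructed for the example.

```python
import re

# Constructed sample: the OP's vty block combined with the DNAC-style aaa lines,
# with the priv 0/1 command-authorization statements deliberately left out.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
line vty 0 15
 login authentication VTY_authen
 transport input telnet ssh
"""

def lint_aaa(config: str) -> list[str]:
    """Return a list of findings; an empty list means none of the checked pitfalls apply."""
    findings = []
    cmd_levels, exec_lists, login_lists = set(), {}, {}
    vty_blocks = {}   # "line vty 0 15" -> its indented sub-lines
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := re.match(r"aaa authorization commands (\d+) (\S+) (.+)", line):
            cmd_levels.add(int(m.group(1)))
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            exec_lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            login_lists[m.group(1)] = m.group(2).split()
        elif line.startswith("line vty"):
            current = line
            vty_blocks[current] = []
        elif line.startswith(" ") and current:
            vty_blocks[current].append(line.strip())
        else:
            current = None
    # Commands carry their own priv level, so authorizing only level 15 lets
    # level 0/1 commands (e.g. "who") reach the shell without asking the server.
    missing = sorted({0, 1, 15} - cmd_levels)
    if cmd_levels and missing:
        findings.append(f"command authorization missing for priv levels {missing}")
    # Without a trailing local/enable method, an unreachable server locks everyone out
    # (IOS only falls through when the server does not answer, not when it rejects).
    for name, methods in login_lists.items():
        if methods[-1] not in ("local", "enable"):
            findings.append(f"login list {name} has no local fallback")
    # The priv-lvl attribute from TACACS+ is only applied if exec authorization runs on the line.
    for vty, sub in vty_blocks.items():
        if "default" not in exec_lists and not any(s.startswith("authorization exec") for s in sub):
            findings.append(f"{vty}: no exec authorization, TACACS+ priv level is ignored")
        if any(s.startswith("transport input") and "telnet" in s for s in sub):
            findings.append(f"{vty}: telnet allows cleartext credentials")
    return findings
```

Run it against a copy of `show running-config` to see which of the thread's issues apply before changing anything on a production device.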
12-05-2024 02:18 PM
Hi Arne,
Thank you for the detailed explanation. You mentioned you did something similar with ClearPass? We don't have a test lab to do these tests; we only have prod. Anyway, do you have a template, or probably a guide/documentation that you can share, that I could start with to integrate this with ClearPass, copying the behaviour you have implemented in ISE? Thanks.
12-05-2024 02:55 PM
I don't have a ClearPass system. You can build all this in a lab environment: ClearPass doesn't need much in terms of RAM and CPU, and the IOS stuff can be emulated in Cisco CML (highly recommend that!) or GNS3/Eve-NG. In fact, if you can download CSR1000v or 8000v from software.cisco.com, then you can load that into your hypervisor (e.g. ESXi) and have that talk to your ClearPass lab VM.
Failing that ... the first Google search hit for "clearpass tacacs" came up with this.