944 Views | 1 Helpful | 2 Replies

Integrating Cisco AAA + Microsoft AD + Role-Based access control

Patrik Grexa (Level 1)

Hello Cisco community.

 

A little bit of a background:

I would like my users/groups that are created in Microsoft Server 2019 AD to be able to log in to several Cisco routers and switches with different levels of privileges using AAA. My first idea was to use NPS RADIUS and assign users and groups different levels of privileges. This unfortunately didn't work as expected, as I stumbled upon two different issues. In my virtual environment I wasn't able to successfully change privilege levels for my authenticated users using shell:priv-lvl=5 (NPS), but my main issue is that privilege levels are not sufficient for me, and I was thinking about using role-based access control.

Question:

Is there any way to integrate Cisco ASA with Microsoft AD with the option of using role-based access control? 

Any links, recommendations and tips are welcome.

Thank you.

1 Accepted Solution

Accepted Solutions

Arne Bier (VIP)

Hi @Patrik Grexa 

I am interested to know what didn't work with NPS, because NPS is a fully functioning RADIUS server, and if you want to enable your Cisco switches/routers with AAA using RADIUS, then NPS will do just as good a job as ISE. Of course, I am an ISE fanatic, but that doesn't mean that other RADIUS servers can't do the job. RADIUS is an ancient open standard and IOS/IOS-XE AAA commands are quite simple. 

I am using ISE as an example, but you can do this with NPS as well. Here are the RADIUS attributes that you must match on when processing RADIUS AAA requests from Cisco IOS and AireOS:

[image: ArneBier_0-1697487586283.png, the RADIUS attribute conditions matched in the ISE policy]

The RADIUS Access-Accept for IOS devices must then contain the priv level. I didn't keep the screenshot of that attribute, but it's a Cisco AVPair. 

cisco-avpair = "shell:priv-lvl=15"

 

One thing I will note when implementing IOS AAA using RADIUS is that you can't get per-command authorization; that requires TACACS+. But if you simply want to log users into your IOS devices, then RADIUS is just fine. I have an issue understanding IOS priv levels, and as such I always assign priv 15 to all users and then limit their access using command authorization. The command "show running-config" requires priv 15. But if I want to allow a junior engineer access to see all configs, but have no conf t access, then I still give them priv 15. But that requires TACACS+.

If this is the wrong approach, I would like to know how to do it better.

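An added example, not code from this thread, from Cisco or from Microsoft: a Python model of the RADIUS exchange the accepted solution describes, with both sides. The server-side function builds the Access-Accept that carries cisco-avpair "shell:priv-lvl=15" as a Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor-type 1), and the NAS-side function checks the Response Authenticator and pulls the privilege level back out. The constants follow RFC 2865; the identifier, Request Authenticator and shared secret are constructed placeholders, and the default exec level of 1 is IOS's behaviour when no priv-lvl is returned.

```python
import hashlib
import hmac
import re
import struct

# RADIUS constants (RFC 2865) and Cisco's encoding of cisco-avpair as a VSA.
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR_VTYPE = 1     # vendor-type of cisco-avpair inside the Cisco VSA
DEFAULT_EXEC_PRIV = 1      # IOS exec level applied when no shell:priv-lvl is returned


def cisco_avpair_vsa(value: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific attribute (type 26).

    Wire layout: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value.
    Both length bytes count their own two-byte header, as RFC 2865 requires.
    """
    data = value.encode("ascii")
    if len(data) > 247:  # 255 - 2 (attr hdr) - 4 (vendor id) - 2 (vendor hdr)
        raise ValueError("cisco-avpair value too long for a single VSA")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_VTYPE, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, avpairs) -> bytes:
    """Server side (NPS/ISE): build the Access-Accept answering an Access-Request.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    attrs = b"".join(cisco_avpair_vsa(a) for a in avpairs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> list:
    """NAS side (IOS): verify the Response Authenticator, then collect cisco-avpair values.

    Raises ValueError on a malformed packet or a bad authenticator (wrong shared
    secret, or a reply forged or altered in transit); the NAS discards such replies.
    """
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch")

    avpairs = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos < len(value):  # one VSA may carry several vendor sub-attributes
            if vpos + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_VTYPE:
                avpairs.append(value[vpos + 2:vpos + vlen].decode("ascii", "replace"))
            vpos += vlen
    return avpairs


def accept_is_valid(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """True if the NAS would accept the reply at all (framing and authenticator OK)."""
    try:
        parse_access_accept(packet, request_authenticator, secret)
        return True
    except ValueError:
        return False


def exec_priv_level(avpairs) -> int:
    """Exec privilege level the NAS applies: first valid shell:priv-lvl=N, else the default."""
    for pair in avpairs:
        m = re.fullmatch(r"shell:priv-lvl=(\d{1,2})", pair)
        if m and int(m.group(1)) <= 15:
            return int(m.group(1))
    return DEFAULT_EXEC_PRIV
```

On the NPS side this is the same attribute entered as Vendor-Specific, vendor code 9, vendor-assigned attribute number 1, format String, value "shell:priv-lvl=15". Two things the IOS side needs before a returned priv-lvl has any effect: `aaa new-model` with `aaa authorization exec default group radius` (or a named exec method list applied to the vty lines), because IOS applies the returned level only through exec authorization, and a matching `aaa authentication login` method list that uses the same RADIUS group. A reply whose authenticator does not verify, as in the tampered and wrong-secret cases the test exercises, is discarded outright rather than applied with a different level.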

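A second added example, again not the thread's or Cisco's code: a Python model of the per-command authorization that the accepted solution says needs TACACS+. The NAS encodes the RFC 8907 authorization REQUEST body that IOS sends for each command line (service=shell, cmd=, one cmd-arg= per word, ending in cmd-arg=<cr>), the server evaluates it against an ISE-style command set (ordered permit/deny rules, first match wins, unmatched commands denied) and answers PASS_ADD or FAIL, which the NAS decodes. The users junior and netadmin, their command sets, the tty and the address are constructed; the 12-byte TACACS+ header and body obfuscation are left out.

```python
import re
import struct

# TACACS+ authorization constants (RFC 8907, sections 6.1 and 6.2).
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def encode_author_request(user, port, rem_addr, priv_lvl, args):
    """NAS side: serialize one authorization REQUEST body (header and obfuscation omitted).

    IOS sends one of these per command line once command authorization is enabled.
    """
    enc = [a.encode("ascii") for a in args]
    if len(enc) > 255 or any(len(a) > 255 for a in enc):
        raise ValueError("too many or too long args")
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(enc))
    return (fixed + bytes(len(a) for a in enc) + user.encode("ascii")
            + port.encode("ascii") + rem_addr.encode("ascii") + b"".join(enc))


def decode_author_request(body):
    """Server side: parse the REQUEST body back into its fields, checking every length."""
    if len(body) < 8:
        raise ValueError("truncated authorization request")
    _meth, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens = body[8:8 + argc]
    if len(arg_lens) != argc:
        raise ValueError("truncated arg length table")
    pos, fields = 8 + argc, []
    for n in (ulen, plen, rlen, *arg_lens):
        fields.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):
        raise ValueError("body length does not match declared fields")
    user, port, rem_addr, *args = fields
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "priv_lvl": priv_lvl, "args": args}


def command_line(args):
    """Rebuild 'cmd=show', 'cmd-arg=running-config', 'cmd-arg=<cr>' into 'show running-config'."""
    cmd, cmd_args = None, []
    for a in args:
        key, _, value = a.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            cmd_args.append(value)
    if cmd is None:
        raise ValueError("no cmd= attribute in authorization request")
    return " ".join([cmd, *cmd_args])


# Constructed command sets in the style of ISE device-admin policy: ordered
# (action, command regex, arguments regex) rules, first match wins, default deny.
# Both users log in at priv 15; the command set is what actually limits them.
JUNIOR_READ_ONLY = [
    ("deny", r"show", r"tech-support.*"),   # a deny placed before the broad permit
    ("permit", r"show", r".*"),             # sees every config, per the reply above
    ("permit", r"ping|traceroute", r".*"),
    ("permit", r"exit|logout", r""),
]
NETADMIN = [("permit", r".*", r".*")]
POLICY = {"junior": JUNIOR_READ_ONLY, "netadmin": NETADMIN}  # constructed user -> set


def authorize(command_set, args, permit_unmatched=False):
    cmd, _, rest = command_line(args).partition(" ")
    for action, cmd_re, args_re in command_set:
        if re.fullmatch(cmd_re, cmd) and re.fullmatch(args_re, rest):
            return action == "permit"
    return permit_unmatched


def encode_author_response(permitted, server_msg=""):
    """Server side: RESPONSE body. PASS_ADD lets the NAS run the command, FAIL blocks it."""
    status = TAC_PLUS_AUTHOR_STATUS_PASS_ADD if permitted else TAC_PLUS_AUTHOR_STATUS_FAIL
    msg = server_msg.encode("ascii")
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg


def decode_author_response(body):
    """NAS side: read the verdict and the optional server message."""
    status, argc, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + argc  # skip the arg length table (empty in these responses)
    return status, body[pos:pos + msg_len].decode("ascii")


def server_handle(body, policy):
    req = decode_author_request(body)
    ok = authorize(policy.get(req["user"], []), req["args"])
    return encode_author_response(ok, "" if ok else "command not permitted by command set")


def run_exchange(user, command, policy=POLICY):
    """Drive a full round trip: NAS encodes, server decides, NAS decodes the verdict."""
    cmd, *cmd_args = command.split()
    args = ["service=shell", f"cmd={cmd}", *[f"cmd-arg={a}" for a in cmd_args], "cmd-arg=<cr>"]
    return decode_author_response(server_handle(
        encode_author_request(user, "tty2", "10.0.0.5", 15, args), policy))
```

This is the model the reply describes: junior and netadmin both authenticate and land at priv 15, and only the command set separates `show running-config` (permitted) from `configure terminal` (denied). On IOS the corresponding switch is `aaa authorization commands 15 default group tacacs+`, and `aaa authorization config-commands`, enabled by default, is what extends that to commands typed in configuration mode.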
2 Replies

ammahend (VIP Alumni)

If you are asking whether you can configure ASA as a RADIUS or TACACS server to manage remote login to your network devices with different priv levels based on the AD group they belong to, then ASA is not typically used as a dedicated RADIUS server.

Ideally, you need Cisco Identity Services Engine, preferably with a device administration license; you can get a VM with a 90-day full-feature free trial and test it out.

https://www.cisco.com/c/en/us/support/docs/licensing/cloud-systems-management/smart-care-service/lic217143-how-to-generate-a-demo-or-evaluation-lic.html

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_device_admin.html#concept_9B1DD5A7AD9C445AAC764722E6E7D32A

-hope this helps-
