11-18-2018 06:15 AM
Hi,
I'm testing some features of ISE. We would like to configure some CentOS servers to use RADIUS or TACACS authentication/authorization in ISE. We know that we don't have TACACS support in Linux; we found some custom libraries, but we prefer to use RADIUS. We found some PAM libraries for that, but I would like to know if anyone has an example or configuration to check it.
The objective is to use ISE as central authentication and authorization server for all systems in a customer infrastructure. The customer has network devices that use TACACS and other important services installed on CentOS.
Any suggestion, comment or configuration example?
Thanks in advance
11-19-2018 06:32 AM
Hi,
I know there are some who have successfully used RADIUS instead of TACACS+ for authentication. Unfortunately, we don't have a guide specific to CentOS. I would search around and see if there is an example for user authentication using RADIUS for Linux operating systems.
Regards,
-Tim
11-19-2018 07:28 AM
https://mikedixson.com/2014/09/configuring-radius-authentication-on-linux/
M.
12-04-2020 12:34 PM
I would be very interested in how you got this set up on Debian.
Did you have to change/create any new policies or policy elements?
10-01-2020 09:42 AM
I have used pam_tacplus to use TACACS instead, which is better in my opinion. You can then use your ACS/ISE policy sets; the same ones you use for your Cisco network devices will work fine.
Here is the setup for CentOS7 or Redhat with pam_tacplus for ssh. You can add "auth include tacacs" to any other PAM files as you like, so you can have TACACS for serial console, sudo and other login functions defined in /etc/pam.d/*.
I have a Debian setup too, if interested, but here is my CentOS7/Redhat setup:
# CentOS7 - Clean Installation.
*Install sudo from root.*
~~~
$ yum install sudo
~~~
*Install autoconf, automake, libtool, git, openssl-devel, pam-devel & gcc*
~~~
# openssl-devel is the CentOS/RHEL package name; pam-devel supplies the PAM headers and libtool is needed by auto.sh
$ sudo yum install git autoconf automake libtool openssl-devel pam-devel gcc
~~~
*add test user `netadmin` with no password - do not clear the passwd with -d, or it lets you log in via console with no password - or do `passwd -l user` for an existing user, or the user could log in with no password on the console*
~~~
$ sudo useradd netadmin
~~~
*Install pam_tacplus*
~~~
$ git clone https://github.com/jeroennijhof/pam_tacplus/
$ cd pam_tacplus
$ ./auto.sh
$ ./configure
$ sed -i 's/\<AM_CFLAGS = -Wall -Wextra -Werror\>/AM_CFLAGS = -Wall -Wextra/g' Makefile
$ make && sudo make install
~~~
*run command: `setsebool -P nis_enabled 1` to get rid of the permission issue seen in `/var/log/messages` of `failed srv 0: Permission denied`*
~~~
$ sudo setsebool -P nis_enabled 1
~~~
*add `auth include tacacs` at top of `/etc/pam.d/sshd`:*
~~~
auth include tacacs
~~~
*add file `/etc/pam.d/tacacs` with:*
~~~
#%PAM-1.0
auth sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret
account sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret service=shell protocol=ssh
session sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret service=shell protocol=ssh
~~~
*check libraries in CentOS:*
~~~
$ ldd /usr/local/lib/security/pam_tacplus.so
linux-vdso.so.1 => (0x00007ffde29f8000)
libtac.so.2 => /usr/local/lib/libtac.so.2 (0x00007ff546824000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007ff546619000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ff5461b8000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007ff545fa9000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff545be5000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007ff5459e1000)
libz.so.1 => /lib64/libz.so.1 (0x00007ff5457cb000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007ff5455a2000)
/lib64/ld-linux-x86-64.so.2 (0x000055b4b688c000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007ff54539c000)
~~~
*run an ssh with username that has no password:*
~~~
$ ssh netadmin@2.2.2.2
netadmin@2.2.2.2's password:
Last login: Thu Dec 28 13:24:42 2017 from 1.1.1.1
[netadmin@rhel7-centos ~]$
~~~
*SELinux stuff:*
*temporary fix if it is an SELinux issue - reboot if it is working - does not persist*
~~~
$ sudo setenforce Permissive
~~~
*install semanage:*
~~~
$ sudo yum install policycoreutils-python
~~~
*permanently sets permissive, i.e. disables SELinux enforcement, for the sshd domain (sshd_t) only*
~~~
$ sudo semanage permissive -a sshd_t
~~~
*collect AVC denials related to SELinux:*
~~~
$ sudo ausearch -m avc -ts today | sudo audit2why -m pam_tacplus-policy
~~~
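Added example, not from the thread or the pam_tacplus project: three pre-flight checks a defender would run before relying on the stack above. It assumes the same file layout (`/etc/pam.d/sshd` including a `/etc/pam.d/tacacs` file); the sample files, the `PLACEHOLDER` secret and the `auth substack password-auth` stand-in for the rest of the stock sshd stack are constructed here.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight checks for the pam_tacplus
# stack above. Functions take file paths, so they run here on constructed
# copies and, on a real host, on /etc/pam.d/sshd and /etc/pam.d/tacacs.

# 0 if the first 'auth' rule in the sshd stack is 'auth include tacacs',
# i.e. TACACS+ is consulted before the local password modules.
tacacs_first_in_sshd() {
  awk 'BEGIN { rc = 1 }
       $1 == "auth" { if ($2 == "include" && $3 == "tacacs") rc = 0; exit }
       END { exit rc }' "$1"
}

# 0 if every pam_tacplus.so rule names both a server= and a secret=;
# a rule missing either cannot reach the TACACS+ server and will simply fail.
tacplus_rules_complete() {
  awk 'BEGIN { bad = 0 }
       /pam_tacplus\.so/ && !(/server=/ && /secret=/) { bad = 1 }
       END { exit bad }' "$1"
}

# 0 if the file holding the plaintext shared secret is not world-readable
# (files in /etc/pam.d are 0644 by default, which exposes secret= to any local user).
secret_file_private() {
  [ -z "$(find "$1" -perm -004)" ]
}

# Constructed sample files mirroring the thread's layout (secret is a placeholder).
make_samples() {
  local d; d=$(mktemp -d)
  printf '%s\n' '#%PAM-1.0' 'auth include tacacs' 'auth substack password-auth' > "$d/sshd"
  printf '%s\n' '#%PAM-1.0' \
    'auth sufficient /usr/local/lib/security/pam_tacplus.so server=172.16.1.115 secret=PLACEHOLDER' \
    'account sufficient /usr/local/lib/security/pam_tacplus.so server=172.16.1.115 secret=PLACEHOLDER service=shell protocol=ssh' \
    > "$d/tacacs"
  chmod 600 "$d/tacacs"
  echo "$d"
}

# Run all three checks against a directory holding sshd and tacacs; 0 only if all pass.
check_stack() {
  local ok=0
  tacacs_first_in_sshd "$1/sshd"     || { echo "FAIL: 'auth include tacacs' is not the first auth rule in sshd"; ok=1; }
  tacplus_rules_complete "$1/tacacs" || { echo "FAIL: a pam_tacplus rule lacks server= or secret="; ok=1; }
  secret_file_private "$1/tacacs"    || { echo "FAIL: $1/tacacs is world-readable; chmod 600 it"; ok=1; }
  return $ok
}

dir=$(make_samples) && check_stack "$dir" && echo "all checks passed for $dir"
```

On a real host, replace `make_samples` with the directory `/etc/pam.d` and run `check_stack /etc/pam.d` as root.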