
ISE and CentOS users authentication

gugonza2
Cisco Employee

Hi,

I'm testing some features of ISE. We would like to configure some CentOS servers to use RADIUS or TACACS authentication/authorization in ISE. We know that we don't have TACACS support in Linux; we found some custom libraries, but we prefer to use RADIUS. We found some PAM libraries for that, but I would like to know if anyone has examples or a configuration to check.

The objective is to use ISE as the central authentication and authorization server for all systems in a customer infrastructure. The customer has network devices that use TACACS and other important services installed on CentOS.

Any suggestion, comment or configuration example?

Thanks in advance

Accepted Solution

Timothy Abbott
Cisco Employee

Hi,

I know there are some who have successfully used RADIUS instead of TACACS+ for authentication. Unfortunately, we don't have a guide specific to CentOS. I would search around and see if there is an example for user authentication using RADIUS for Linux operating systems.

Regards,

-Tim

8 Replies

Thx a lot Timothy, let me know if you find any document, example or test, it would be great.
Thx again.

You’re welcome. If we create one, it will be posted here in the communities. I would give google a try to see if there is a guide somewhere else.

Regards,
-Tim

Thx marce1000. Just a note: in this procedure (I've seen this note in other links with PAM modules for RADIUS), you need to create the user in Linux.
Is there any PAM module for RADIUS which doesn't need to create the user locally?

Hello
I had a similar desire and found the jeroennijhof/pam_script to create local users and home drive automatically. This has met our requirements for tying our Linux servers to our ISE RADIUS.

-Install the package from the epel-release repo:

~~~
sudo yum install pam_script
~~~

-Add these lines to this file /etc/pam.d/sshd:

~~~
auth optional /usr/lib64/security/pam_script.so # Script to create local user if not existing
auth sufficient /usr/lib64/security/pam_radius_auth.so # pam RADIUS Authentication Client
~~~

Create the script file pam_script_auth in /etc/pam-script.d/:

~~~
sudo touch /etc/pam-script.d/pam_script_auth
sudo chmod 700 /etc/pam-script.d/pam_script_auth   # pam_script execs the hook, so it must be executable
~~~

Add these lines to this file /etc/pam-script.d/pam_script_auth:

~~~
#!/bin/sh
# pam_script exports the login name as PAM_USER; only add the account if it does not exist yet
if ! id "$PAM_USER" >/dev/null 2>&1; then
    logger "Adding New User $PAM_USER"
    useradd "$PAM_USER"
    # U6aMy0wojraho is the DES crypt(3) hash of an empty string, i.e. this sets an empty password
    echo "$PAM_USER:U6aMy0wojraho" | sudo chpasswd -e
fi
~~~
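A hardened variant of that hook, written as an added example rather than taken from the post above. With the `auth optional pam_script.so` line placed before pam_radius_auth, the script runs for every SSH login attempt before any RADIUS result is known, so PAM_USER is attacker-controlled input and is validated before it reaches useradd. The example also leaves the new account without a password instead of setting the empty-password hash (U6aMy0wojraho is the DES crypt of an empty string, which a `nullok` pam_unix line, the CentOS 7 system-auth default, can accept at the console); this matches the plain `useradd` step in alextomko's TACACS+ setup in this thread. The pam_script package, the auth-phase placement and the PAM_USER variable come from the post; the validation rules, the useradd options, the logging fallback and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Hardened pam_script_auth hook. Added example, not code from the thread.
# Assumptions: wired into /etc/pam.d/sshd as in the post (auth phase, before
# pam_radius_auth) and invoked by pam_script with PAM_USER in the environment,
# which means it runs for unauthenticated attempts as well.

# Log via syslog when logger is available, otherwise to stderr.
log() { logger -t pam_script_auth -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2; }

# valid_username NAME: POSIX-style account name, at most 32 characters.
# Rejects an empty name, a leading '-' (would be parsed as a useradd option),
# path separators and shell metacharacters.
valid_username() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# ensure_local_user NAME: create the account if it does not exist.
# Returns 0 if it exists or was created, 1 if the name was rejected,
# 2 if useradd failed. No password is set, so only the RADIUS path can
# authenticate the account.
ensure_local_user() {
    name="$1"
    if ! valid_username "$name"; then
        log "refusing to create an account for an invalid username"
        return 1
    fi
    if id -- "$name" >/dev/null 2>&1; then
        return 0
    fi
    log "creating local account for $name"
    useradd -m -s /bin/bash -- "$name" || return 2
}

# pam_script invokes this file with PAM_USER set; the module is 'optional',
# and the hook's own status must not block the rest of the stack either.
if [ -n "${PAM_USER:-}" ]; then
    ensure_local_user "$PAM_USER" || true
fi
```

Keep the file mode 0700 and owned by root, as the post's `touch` step implies; the hook runs with root privileges under sshd, so anyone who can edit it owns the host.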

I would be very interested in how you got this setup on Debian. 

 

Did you have to change/create any new policies or policy elements?

alextomko
Beginner

I have used pam_tacplus to use TACACS instead, which is better in my opinion. You can then use your ACS/ISE policy sets; the same ones you use for your Cisco network devices will work fine.

Here is the setup for CentOS 7 or Red Hat with pam_tacplus for ssh. You can add the "auth include tacacs" line to any other PAM files you want, so you can have TACACS for serial console, sudo and other login functions defined in /etc/pam.d/*.

I have a Debian setup too if interested, but here is my CentOS 7/Red Hat setup:

# CentOS7 - Clean Installation.

*Install sudo from root.*

~~~
$ yum install sudo
~~~

*Install autoconf, automake, libtool, git, openssl-devel, pam-devel & gcc*

~~~
# openssl-devel (not openssl-dev) is the CentOS package name; pam-devel supplies
# the PAM headers and libtool is needed by auto.sh to regenerate the build files
$ sudo yum install git autoconf automake libtool openssl-devel pam-devel gcc
~~~

*add test user `netadmin` with no password. Do not clear the password with -d, or it lets you log in via the console with no password; for an existing user run `passwd -l user`, or the user could log in with no password on the console.*

~~~
$ sudo useradd netadmin
~~~

*Install pam_tacplus*
~~~
$ git clone https://github.com/jeroennijhof/pam_tacplus/
$ cd pam_tacplus
$ ./auto.sh

$ ./configure

$  sed -i 's/\<AM_CFLAGS = -Wall -Wextra -Werror\>/AM_CFLAGS = -Wall -Wextra/g' Makefile
$ make && sudo make install
~~~

*run command: `setsebool -P nis_enabled 1` to get rid of the permission issue seen in `/var/log/messages` of `failed srv 0: Permission denied`*
~~~
$ sudo setsebool -P nis_enabled 1
~~~

*add `auth include tacacs` at top of `/etc/pam.d/sshd`:*
*add file `/etc/pam.d/tacacs` with:*

~~~
#%PAM-1.0
auth sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret
account sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret service=shell protocol=ssh
session sufficient /usr/local/lib/security/pam_tacplus.so debug server=172.16.1.115 secret=reallysecret service=shell protocol=ssh
~~~

*check libraries in CentOS:*

~~~
$ ldd /usr/local/lib/security/pam_tacplus.so
linux-vdso.so.1 => (0x00007ffde29f8000)
libtac.so.2 => /usr/local/lib/libtac.so.2 (0x00007ff546824000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007ff546619000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ff5461b8000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007ff545fa9000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff545be5000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007ff5459e1000)
libz.so.1 => /lib64/libz.so.1 (0x00007ff5457cb000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007ff5455a2000)
/lib64/ld-linux-x86-64.so.2 (0x000055b4b688c000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007ff54539c000)
~~~

*run an ssh with username that has no password:*

~~~
$ ssh netadmin@2.2.2.2
netadmin@2.2.2.2's password:
Last login: Thu Dec 28 13:24:42 2017 from 1.1.1.1
[netadmin@rhel7-centos ~]$
~~~

*SELinux stuff:*
~~~
# temporary fix if it is an SELinux issue - reboot if it works - does not persist
setenforce Permissive

# install semanage
sudo yum install policycoreutils-python

# permanently sets the sshd domain permissive (SELinux stays enforcing elsewhere)
semanage permissive -a sshd_t

# collect AVC info related to SELinux
sudo ausearch -m avc -ts today | sudo audit2why -m pam_tacplus-policy
~~~
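Before relying on that stack for SSH, a practitioner would want a quick check of the fragment it reads. The following is an added example, not code from alextomko's post. It assumes the post's layout (the pam_tacplus lines in /etc/pam.d/tacacs, included as the first active line of /etc/pam.d/sshd) and flags the two things in the configuration above that should not survive into production: the `debug` option, which turns on verbose pam_tacplus logging to syslog, and a world-readable fragment, since `secret=reallysecret` is the key that obfuscates every TACACS+ packet between the host and ISE. Paths are parameters so the checks can be run against staged copies; the function names and the finding texts are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the pam_tacplus wiring described above. Added example,
# not from the thread. Assumes the post's layout: TACACS+ fragment at
# /etc/pam.d/tacacs, included as the first active line of /etc/pam.d/sshd.

# Non-comment, non-blank lines of a PAM file.
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1" || true; }

# audit_tacacs_fragment FILE
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_tacacs_fragment() {
    f="$1"; bad=0
    [ -f "$f" ] || { echo "missing fragment: $f"; return 1; }

    # The fragment carries the shared secret in clear text; an editor's
    # default mode of 0644 hands it to every local user.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        *0) ;;
        *)  echo "$f is world-readable (mode $perms); chmod 600 it"; bad=1 ;;
    esac

    # 'debug' makes pam_tacplus log each exchange to syslog: useful while
    # bringing the server up, noisy and revealing afterwards.
    if active_lines "$f" | grep -Eq '(^|[[:space:]])debug([[:space:]]|$)'; then
        echo "debug flag still set on a module line; remove it once logins work"; bad=1
    fi

    # Each pam_tacplus line needs server= and secret= or it cannot reach ISE.
    total=$(active_lines "$f" | grep -c 'pam_tacplus\.so' || true)
    complete=$(active_lines "$f" | grep 'pam_tacplus\.so' | grep 'server=' | grep -c 'secret=' || true)
    [ "$total" -gt 0 ] || { echo "no pam_tacplus.so lines in $f"; bad=1; }
    [ "$total" -eq "$complete" ] || { echo "$((total - complete)) pam_tacplus line(s) lack server= or secret="; bad=1; }

    return "$bad"
}

# check_sshd_include SSHD_FILE
# The include must be the first active line so pam_tacplus is consulted
# before the distribution's pam_unix entries.
check_sshd_include() {
    first=$(awk '!/^[[:space:]]*(#|$)/ { print $1, $2, $3; exit }' "$1")
    [ "$first" = "auth include tacacs" ] && return 0
    echo "first active line of $1 is '$first'; expected 'auth include tacacs'"
    return 1
}

# Usage against the live files (as root), after sourcing this file:
#   audit_tacacs_fragment /etc/pam.d/tacacs; check_sshd_include /etc/pam.d/sshd
```

Run against the fragment exactly as posted, the audit reports the `debug` flag and, if the file was saved with default permissions, the readable secret; with `debug` removed and the file at mode 0600 it returns clean.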
