07-18-2012 01:08 PM - edited 03-10-2019 07:18 PM
Hi Guys/Girls
We have a number of production Cisco gears, all of which are configured with TACACS+, and all of them are working just fine. But now I have a requirement to implement SSH version 2 across the whole network, comprising about 8000 Cisco gears.
I need to develop a proof of concept (POC) that enabling SSH on production gears will not affect existing TACACS+ user authentication and authorization.
Our lab Cisco gears have already been configured with the production TACACS+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears, but without disrupting other users who are using the same lab-gears.
So I want to enable SSH version 2 on these lab-gears; however, when a user comes from a certain specific subnet, this particular user must be authenticated and authorized by the LAB TACACS+ server and not by the production TACACS+ server. Please note that the lab-gears I am testing with are also already configured for the production TACACS+ server. These lab-gears must be able to authenticate and authorize against two different TACACS+ servers based on the subnet the user is coming from.
Is this a doable plan? I have been looking for documentation to implement and test this method, without success.
Your feedback will be appreciated and rated.
Thanks
Rizwan Rafeek
07-23-2012 09:32 PM
Rizwan,
This will not work. TACACS+ authentication starts once the SSH connection is established: the NAD (switch or router) will open a TACACS+ connection and send the START packet to the TACACS+ server, in which the message "getusername" is sent from the TACACS+ server to the device and to the user terminal. You cannot create an ACL in order to pick which TACACS+ servers you authenticate to either. So when it comes to authenticating users from a specific subnet to a specific TACACS+ server, that is not the intended design of TACACS+; when you configure multiple servers in a group it is to ensure high availability, such that when one TACACS+ server goes down you have a secondary to continue with the authentication requests.
Here is an example of how the tacacs authentication is performed.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts*
07-18-2012 04:42 PM
I think I can get half of your request done, but maybe someone else has a better idea.
It's very simple, but it is not an "automated subnet-based process"; it lets users choose the TACACS+ server they are authenticated/authorized by.
tacacs-server directed-request
Please look into the Usage Guidelines for config details:
http://www.cisco.com/en/US/partner/docs/ios/12_2/security/command/reference/srftacs.html#wp1017941
The above would allow you to test/choose on your LAB Tacacs+ Server instead of sending requests to the Production Server.
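As an added illustration of the directed-request approach described in the post above (this is not configuration from the thread or from Cisco's documentation), here is a Cisco IOS configuration fragment in the classic `tacacs-server host` syntax that enables SSH version 2, keeps both TACACS+ servers in the default list, and turns on directed requests. The hostname, IP addresses and key strings are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses and keys are placeholders.
hostname lab-sw1
ip domain-name lab.example.com
!
aaa new-model
! Both servers stay in the default list; the production server remains first,
! so a plain username still goes to production and existing users are unaffected.
tacacs-server host 192.0.2.10 key PROD-KEY-PLACEHOLDER
tacacs-server host 198.51.100.20 key LAB-KEY-PLACEHOLDER
! Let a user pick a server by logging in as user@<server-ip>. Without the
! "restricted" keyword, a username with no @ suffix follows the default order.
tacacs-server directed-request
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Generate the host key (prompts interactively), then require SSH v2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 transport input ssh
 login authentication default
```

A tester would then log in with the server suffix in the SSH username, for example `ssh -l rizwan@198.51.100.20 lab-sw1`; the device strips the `@198.51.100.20` part and sends the request to that server only. Two caveats a practitioner should note: the selection is made by the user's login string, not by the subnet they connect from, so it does not give the subnet-based split asked for in the question; and adding `restricted` makes every login a directed request, which would change behaviour for the other users sharing the lab gear.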
07-18-2012 04:50 PM
The URL is dead, cannot be open.
07-19-2012 08:11 AM
Can you please post the documentation as an attachment, as I couldn't open the URL you posted.
thanks
07-19-2012 12:23 PM
07-20-2012 11:08 AM
Hi Ansalaza,
Thanks for the info. But I am not so sure how "tacacs-server directed-request" could resolve my problem when I have two TACACS+ server hosts configured on our lab devices?
07-23-2012 06:58 AM
Anybody else have any thoughts to share?
thanks.