Discussion:
Migration from TACACS+ to RADIUS
Nicholas R. Cappelletti
16 years ago
In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.

I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.

1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
From what I've read, setting "Service-Type = NAS-Prompt-User" will give the user the ability to login to the device, but how do I restrict them from enabling themselves?
With the RADIUS setup I have currently, it's using Kerberos for authentication, and LDAP for authorization.

2. Can I set, for a user, a separate enable password?

3. With TACACS+ I have the ability to set a MOTD per device in the configuration, and modify that if need be from the TACACS+ configuration. Is there similar functionality in RADIUS?

4. Am I able to do any command accounting with Cisco equipment? I understand it is not possible with the ASA firewall line, but I haven't found a definitive answer about the router IOS images.

If any one of these questions is answered, it will be greatly appreciated. Thank you for your time and any help you can offer me in advance. :)

---

Nick
***@switchtower.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell
16 years ago
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Nicholas R. Cappelletti
In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.
I can answer some of these for HP.

Though there is already a page in the wiki for HP kit:
http://wiki.freeradius.org/HP
...
It's a HP VSA (Vendor specific attribute), but it's currently a little
broken.

Use:

# aaa authorization commands radius

To enable and test.


Then the VSAs are:
HP-Command-String
HP-Command-Exception-Flag


Use Command-String to specify a list of commands, and
HP-Command-Exception-Flag to set whether it's an 'allow' list or a
'deny' list.

That is, only allow the commands in HP-Command-String, or deny all
commands in HP-Command-String.

I've forgotten specific values, have a look in the 5400 series manuals.

Once you enable aaa authorization commands radius, you must include the
HP-Command-Exception-Flag with a valid value.
Post by Nicholas R. Cappelletti
From what I've read, setting "Service-Type = NAS-Prompt-User" will give the user the ability to login to the device, but how do I restrict them from enabling themselves?
HP switches let you specify different authentication mechanisms for
login and enable. So you can use local authentication for one and RADIUS
for the other, or RADIUS for both.

With the initial login the switch sets Service-Type in the
Access-Request to 'NAS-Prompt-User'

When the user attempts to enable themselves, the switch will prompt them
again for a User-Name and password, but this time set the Service-Type
to 'Administrative-User'.

So either send an Access-Reject for requests with a Service-Type of
Administrative user. Or just set Service-Type = NAS-Prompt-User in the
reply, when the request was Service-Type 'Administrative-User'.

Alternatively if you're lazy like me and have *newish* (>2500 series
switches) you can turn on 'login privilege-mode'.

# aaa authentication login privilege-mode

In this mode if you return Service-Type = 'NAS-Prompt-User', the user
will have operator access, and if you return Service-Type =
'Administrative-User', the user will be pre-enabled.
Post by Nicholas R. Cappelletti
With the RADIUS setup I have currently, it's using Kerberos for authentication, and LDAP for authorization.
2. Can I set, for a user, a separate enable password?
Yes. Use Service-Type as a check item and create two entries for the
user in the users file.
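A worked users-file fragment for the two behaviours described above (a per-user enable password, and an Access-Reject for anyone else who answers the enable prompt). This is an added example, not configuration from the thread; the user name "nick", both passwords, and the FreeRADIUS 2.x users-file syntax are assumptions.

```text
#
# raddb/users (FreeRADIUS 2.x syntax; added example, not from the thread).
# Entries are matched top to bottom and the first matching non-DEFAULT entry
# wins, so the per-user entries must come before the DEFAULT catch-all.
#

# Initial login: the HP switch sends Service-Type = NAS-Prompt-User.
# "nick" and both passwords are assumed values.
nick    Service-Type == NAS-Prompt-User, Cleartext-Password := "login-secret"
        Service-Type = NAS-Prompt-User

# Enable prompt: the switch re-prompts for credentials and this time sends
# Service-Type = Administrative-User. Using Service-Type as a check item gives
# this user an enable password that is distinct from the login password.
nick    Service-Type == Administrative-User, Cleartext-Password := "enable-secret"
        Service-Type = Administrative-User

# Anyone else who answers the enable prompt gets an Access-Reject, so accounts
# that only need login access cannot enable themselves. HP switches ignore
# Reply-Message (see the thread), but other NAS types may display it.
DEFAULT Service-Type == Administrative-User, Auth-Type := Reject
        Reply-Message = "Enable access is not permitted for this account"
```

The alternative mentioned in the reply (downgrading instead of rejecting) is the same DEFAULT entry with `Auth-Type := Reject` removed and `Service-Type = NAS-Prompt-User` as its reply item. Whichever variant is used, it is worth confirming with `radtest` or a real enable attempt that the switch really does send Service-Type = Administrative-User at the enable prompt, since the whole scheme relies on that distinction.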
Post by Nicholas R. Cappelletti
3. With TACACS+ I have the ability to set a MOTD per device in the configuration, and modify that if need be from the TACACS+ configuration. Is there similar functionality in RADIUS?
No but you can configure a static MOTD on the HP switches.

# banner motd ~
My MOTD banner
~

I believe I've seen this whilst walking the SNMP MIB, so it may be
scriptable via SNMP :)

HP switches don't respect the Reply-Message.
Post by Nicholas R. Cappelletti
4. Am I able to do any command accounting with Cisco equipment? I understand it is not possible with the ASA firewall line, but I haven't found a definitive answer about the router IOS images.
Don't know about Cisco, but you can with HP. It sends them in the
'HP-Command-String' VSA attribute with Acct-Status-Type set to 'update'.

use:
# aaa accounting exec start-stop radius
# aaa accounting commands stop-only

To enable.

There's currently a bug in the K series firmware that stops it reporting
commands for service modules.

I've got a case open about it (might be a no fix though).
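To turn the command accounting just described into a usable audit trail, the server side has to pick the HP-Command-String out of the interim accounting packets and write it somewhere separate from the general accounting detail. The following is an added example of FreeRADIUS 2.x configuration, not anything from the thread: the linelog instance name "hp_commands", the log path and the log line format are assumptions, and the attribute name HP-Command-String is taken from the thread and should be checked against the dictionary.hp shipped with the server.

```text
# raddb/modules/linelog -- an extra linelog instance (added example, not from the thread).
linelog hp_commands {
        filename = ${logdir}/hp-commands.log
        permissions = 0600
        # %t is the request timestamp. One line per reported command, with who ran it
        # and on which switch, which is what a reviewer of the log actually needs.
        format = "%t %{User-Name} %{NAS-IP-Address} %{HP-Command-String}"
}

# raddb/sites-enabled/default -- accounting section.
accounting {
        # Keep the normal per-packet detail log as well.
        detail
        # The switch reports commands in interim ('update') accounting packets,
        # which FreeRADIUS calls Interim-Update. Only log packets that carry a command.
        if (Acct-Status-Type == Interim-Update && HP-Command-String) {
                hp_commands
        }
}
```

Because the switch sends these records with `aaa accounting commands stop-only`, a command that the switch never reports (such as the service-module case mentioned above) simply produces no line, so an empty log is not by itself evidence that nothing was run; the accounting detail file should be cross-checked when the log looks too quiet.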
Post by Nicholas R. Cappelletti
If any one of these questions are answered, it will be greatly appreciated. Thank you for your time and any help you can offer me in advance. :)
No problem :)

Best Regards,
Arran

- --
Arran Cudbard-Bell (A.Cudbard-***@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmVvx8ACgkQcaklux5oVKLrFwCfVKz33COPZkYPNl8uO8umnvrN
/qQAnj3U3rEz4bOxwXoyjWqZw0IXAmJ+
=msI6
-----END PGP SIGNATURE-----
Alan DeKok
16 years ago
...
The hope is that we can add TACACS+ support to FreeRADIUS in a future
version. That will help with migration.

Alan DeKok.
Norbert Wegener
16 years ago
...
Can this be expected in the foreseeable future?

Norbert Wegener
Post by Alan DeKok
Alan DeKok.
Alan DeKok
16 years ago
Post by Norbert Wegener
Post by Alan DeKok
The hope is that we can add TACACS+ support to FreeRADIUS in a future
version. That will help with migration.
Can this be expected in the foreseeable future?
Maybe within 6 months? We've been involved with the RadSec documents
(RADIUS over TLS over TCP). Once TCP support is in the server, basic
TACACS+ is probably only another 1K LoC.

Alan DeKok.