Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part II)
This is a continuation from my pervious blog post. This time we will do again AAA with Arista switches with TACACS protocol. Last time, we used locally defined user-roles in the switch to authorize what cli commands a user is allowed to run. Now we will use ISE's "TACACS Command Sets" instead of sending user-roles by using "AV-Pairs".
Advantage of "TACACS Command Sets" is that we will define different sets of cli commands which different users are allowed to run according to their access level. All of this will be done centrally in ISE/TACACS server. No need of defining network-roles in each device locally. The pitfall is that for every typed command by a user; the network device (router/switch) will ask the ISE server to authorize that command according to "Command Sets". If "Command Sets" permits, it sends a positive acknowledgement to the device and in turn the device executes the user cli command. The opposite happens when a cli command is not allowed by the "Command Sets".
We will again continue with our same old topology. The topology is shown below -
01 - Network Topology
We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at .49 IP address. We are running the latest version of ISE - version 3.0.
The switch configuration is exactly same as previous blog. For explanation, read that blog.
interface Management1
ip address 192.168.199.134/24
!
management ssh
idle-timeout 30
authentication mode password
!
!!! Tacacs server IP address and secret key
tacacs-server host 192.168.199.49 key test123
!
!!! Tacacs server is assigned to a group. We will reference this group later.
aaa group server tacacs+ tac-grp-01
server 192.168.199.49
!
!!! Packets destined for tacacs server, will be sourced from MGMT interface IP address.
ip tacacs source-interface Management1
!
!!! Create a local admin user for console authentication.
username admin role network-admin privilege 15 secret admin
!!! Console authentication is done by switch's local user database.
aaa authentication login console local
!!! SSH authentication will be tried against local database, if failed will go to tacacs server.
aaa authentication login default local group tac-grp-01
!!! Upon successful authentication; the user is logged into the enable (exec) mode directly. No need of typing the command - "enable".
aaa authorization exec default local group tac-grp-01
!!! How the switch will do command authorization; locally first then authorize against tacacs server
aaa authorization commands all default local group tac-grp-01
!!! We will log console accounting data locally in the switch's logbuffer.
aaa accounting exec console start-stop logging
aaa accounting commands all console start-stop logging
!!! We will log ssh/telnet accounting data in the ISE server's tacacs accounting. We will use switch's logbuffer as a failsafe when ISE server is not available.
aaa accounting exec default start-stop group tac-grp-01 logging
aaa accounting commands all default start-stop group tac-grp-01 logging
In above configuration, the most important one is - "aaa authorization commands all default local group tac-grp-01". This setting tells the switch to activate authorization of commands. The switch will authorize a cli command typed by a user if the user belongs to one of the user-roles defined locally in the switch or permitted by the centrally defined command sets in the tacacs server.
Cisco ISE configuration is mostly the same as previous blog. The only difference is that - we will remove assignment of user-roles through AV-Pair in ISE's "TACACS profile". Instead we will use "Tacacs Command Sets" for that purpose. Then again bind everything together with a "Device Admin Policy Set".
I am just uploading the pictures for the steps which remain the same without any explanations. Only changed/new steps will be explained.
02 - Enable TACACS in ISE
03 - Creating User Identity Groups
04 - Creating Network Access User
05 - Creating Network Device Profile
06 - Creating Network Device Groups
07 - Creating Network Devices
08 - Allowed Protocol PAP
Now comes the part where we will create "TACACS Profiles". This time we will create a single profile named - "TAC_Profile_Arista_Alt"; whose sole purpose is to assign only "shell-privilege 15" for successfully authenticated users. There will be no roles assigned by the means of AV-Pairs. The roles is replaced by "Tacacs Command Sets".
09 - Tacacs Profile
Our AV-Pair roles is replaced by "Tacacs Command Sets". We are creating two command sets. One is named "TAC_CS_Arista_Network_Admin" which will allow execution of any cli commands if the user belongs to "AristaNetAdminGroup". And the other is named "TAC_CS_Arista_Network_Operator" which restricts execution of certain cli commands if the user belongs to "AristaNetOperatorGroup". A Tacacs Command Set is like an access control list for cli commands - where we define what commands are permitted/denied. It also supports regular expressions.
Let's have a look at our "TAC_CS_Arista_Network_Admin", command set where we are allowing all commands using wildcard operator '*'.
10 - Tacacs Admin Command Set
And the "TAC_CS_Arista_Network_Operator", command set where we are restricting some commands.
11 - Tacacs Operator Command Set
Now we will bind together everything with a "Device Admin Policy Set" and the logic is that if the device is a Arista Switch and allowed protocol is PAP; then -
- User belongs to "AristaNetAdminGroup"; authorize Tacacs Profile - "TAC_Profile_Arista_Alt" and Command Sets - "TAC_CS_Arista_Network_Admin".
- User belongs to "AristaNetOperatorGroup"; authorize Tacacs Profile - "TAC_Profile_Arista_Alt" and Command Sets - "TAC_CS_Arista_Network_Operator".
12 - Device Admin Policy Set
Let's enable tacacs debugging in the switch first -
Arista-Sw-01#show agent names | egrep -i aaa
Aaa
Arista-Sw-01#show trace Aaa | egrep -i tacacs
AaaPlugin::TacacsAaa enabled ...........
Tacacs enabled ...........
TacacsLib enabled ...........
Arista-Sw-01(config)#trace Aaa enable AaaPlugin::TacacsAaa all
Arista-Sw-01(config)#trace Aaa enable Tacacs all
Arista-Sw-01(config)#trace Aaa filename flash:tacacs.txt
Arista-Sw-01#show trace Aaa | egrep -i tacacs
Tracing sent to flash:/tacacs.txt
AaaPlugin::TacacsAaa enabled 0123456789f
Tacacs enabled 0123456789f
TacacsLib enabled ...........
Now we have logged into (ssh) the switch using user named "netopt01". Let's see what the switch shows about the user -
Session Username Roles TTY State Duration Auth Remote Host
------------- -------------- ------------------- ----------- ----------- -------------- ---------------------- -------------
5 netopt01 <unknown> vty3 E 0:00:07 group tac-grp-01 192.168.199.1
From the above output we can see that this time the user has not been assigned any roles - "unknown".
The same thing is observed from the Tacacs debugging - only "shell-privileges 15 " is assigned when the user is successfully authenticated.
Arista-Sw-01#bash tail -f /mnt/flash/tacacs.txt
1989 AaaPlugin::TacacsAaa 4 acctShell for method group tac-grp-01 user netopt01 action session
1989 Tacacs 4 tac_send_acct returned 1
1989 AaaPlugin::TacacsAaa 2 releaseSession keepConnection= True
3492 AaaPlugin::TacacsAaa 3 authorizeShell for method group tac-grp-01 user netopt01
3492 Tacacs 3 tac_create_author: authenMethod: 6 authenType: 1 authenService: 1
3492 Tacacs 3 tac_send_author returned 257 , status: 1 av_count: 1
3492 Tacacs 6 av pair 0 : priv-lvl=15
3492 AaaPlugin::TacacsAaa 3 authorizeShellCommand: status 1 m_av {'priv-lvl': '15'} o_av {}
3492 AaaPlugin::TacacsAaa 2 releaseSession keepConnection= True
Now we will try to do "configure" - from the operator user. The switch asks the ISE server for authorization of this command. And ISE server denies it as per the "Command Set" defined for operator users.
% Authorization denied for command 'configure terminal'
And the debugging output -
Arista-Sw-01#bash tail -f /mnt/flash/tacacs.txt
3555 AaaPlugin::TacacsAaa 3 authorizeShellCommand for method group tac-grp-01 user netopt01 mode ('Exec', None, None) privlevel 15 tokens ['configure', 'terminal']
3555 Tacacs 3 tac_create_author: authenMethod: 6 authenType: 1 authenService: 1
3555 Tacacs 3 tac_send_author returned 16 , status: 16 av_count: 0
3555 AaaPlugin::TacacsAaa 0 TACACS authz: status 16 message
3555 AaaPlugin::TacacsAaa 2 releaseSession keepConnection= True
3555 Log 0 %AAA-4-CMD_AUTHZ_FAILED: User netopt01 failed authorization to execute command 'configure terminal'
Now we will look at TACACS logs from Cisco ISE. I will shows logs from ISE's "Reports" section as all three AAA modules are easily accessible from there. Otherwise, ISE also supports TACACS "Live Logs".
13 - TACACS Authentication Report
Now we will look at authorization report. We are expecting in the log it should display "configure" was denied for the user named - netopt01.
14 - TACACS Authorization Report
And also for every allowed/permitted command through Tacacs server; there is command accounting.
15 - TACACS Accounting Report
And that's it for today. Stay tuned for upcoming blogs.
Comments
Post a Comment