I recently rebuilt my ISE lab to play with 2.2 and figured I may as well do some security posts while I’m at it. Today we’ll briefly dip our toes in the water by playing with TACACS+’s Command Authorization.
For this lab I have created two groups in my Active Directory: NetAdmin, which will have full access to everything, and JuniorAdmin, which will be much more limited.
On the ISE server it is important that you point the DNS to the Active Directory server and you set the domain name.
ISE01/admin# show run | include name
hostname ISE01
ip domain-name testlab.com
ip name-server 10.10.13.5
Next the ISE server should be joined to AD so we can match on AD groups: under External Identity Sources, go to Active Directory, add your AD domain, then join it with your Domain Admin user/pass. You can also choose to store the credentials if you have a distributed lab, but it doesn’t really matter in a standalone node.
Once ISE is joined, go over to the Groups tab and add the AD groups we want to match for TACACS+.
Under Advanced Settings, I like to check “Search in the Whitelisted Domains section”. This setting allows you to log into a router without specifying the FQDN.
We can also set up local users and groups to play with.
To make a group, we simply create a group and give it a name.
We can create local users under Identity Management -> Identities
For our purposes we can give the account a name, password, and assign it to the Local_NetAdmin group.
Identity Source Sequence
Once we have our authentication sources in place we need to set up an Identity Source Sequence that tells ISE to search the local database first and then Active Directory if it doesn’t find a match.
ISE Policy Sets
ISE by default has separate policy configuration pages for authentication and authorization but we can combine the pages by enabling a policy set.
First things first, to use TACACS we need to enable the Device Admin service if it is not already under Administration -> Deployment.
Now that TACACS is enabled we need to add some routers into ISE. We could do this on a device by device basis, by subnet, or simply set up a default device profile to match all devices. I’ll add CSR01 into the mix by giving it a name and IP address and providing the TACACS key.
TACACS Command Sets
Command Sets control exactly what commands are allowed to be used by a user.
We’ll make two command sets: a limited one that is only allowed to run a few commands, and one that permits everything.
For the “Limited Commands” set we tell ISE what command can run and what arguments.
The first entry is the show command with the arguments ip and route. This does not mean that only show ip route is allowed to run; rather it means show commands that use either “ip” or “route” as the next word are allowed, so show ip interface brief would be allowed but not show run. show route would also work (were the command to exist in common IOS 🙂).
Next we allow configure terminal so they can enter configuration mode.
Then we allow the user to enter any loopback interface; the * is a wildcard for any match.
Finally we are only allowing IP addresses that start with 192.168 and have a subnet mask of at least 255.255. The \ is used to tell ISE that the “.” is not a wildcard but an actual period.
We’ll also make a “Permit All” set that is empty but tells ISE to permit any commands not listed.
When we are done we will have 3 command sets: the 2 we made and the standard DenyAll one.
The TACACS policy is configured under Work Centers -> Device Admin Policy Sets, this area is specifically for TACACS so it is not necessary to tell ISE to match TACACS connections as you would have to in the main Policy Set for RADIUS. This makes the authentication policy pretty easy since we can just point it to the Identity Source Sequence we created and call it a day.
Lastly we make the authorization policy where we will say that the local NetAdmin group will get the “Permit All” command set.
The NetAdmin group in AD will also get the same command set, and those pesky juniors will get the limited one. We won’t concern ourselves with Shell Profiles just yet.
At this point our ISE server is setup enough to act as a simple TACACS server but we need to tell our routers to use it if we want our work to affect anything.
First things first, we need to enable AAA on the router with aaa new-model.
Then we define the TACACS server by specifying the ISE IP and the TACACS key.
CSR01(config)#tacacs server TAC
CSR01(config-server-tacacs)# address ipv4 10.20.2.31
CSR01(config-server-tacacs)# key meowcat
Next we tell the router to use TACACS for authentication, and we’ll use the local database as a fallback. This has the router ask ISE whether the user is allowed to log in, but the router can authenticate locally if ISE is down.
CSR01(config)#aaa authentication login default group tacacs+ local
Finally we tell the router to check with ISE to see if a command is authorized or not. Today we are interested in exec authorization, which is the exec terminal session. We will also want command level authorization so that ISE can process exec level commands like
We will also need aaa authorization config-commands to enable configuration level commands.
The if-authenticated fallback option tells the router to authorize all commands if the ISE server is down and the user successfully authenticated.
CSR01(config)#aaa authorization exec default group tacacs+ if-authenticated
CSR01(config)#aaa authorization commands 15 default group tacacs+ if-authenticated
It is also worth noting that, as a failsafe, command authorization does not apply to a console session unless you use the aaa authorization console command.
Testing it out
Now that everything is in place, let’s have our junior Homer Simpson log into the router.
We can verify Homer is on the router with exec level commands since those are restricted by ISE. While we are here we can verify that this account has privilege level 15, so it should be able to do anything.
CSR01#show user
    Line       User       Host(s)              Idle       Location
*  2 vty 1     hsimpson   idle                 00:00:00   10.10.13.13

  Interface    User               Mode         Idle     Peer Address

CSR01#show privilege
Current privilege level is 15
If we try to do a
Command authorization failed.
show ip route works fine
CSR01#show ip route | b Gateway
Gateway of last resort is 10.10.13.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.13.1
      10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C        10.0.123.0/24 is directly connected, GigabitEthernet2
L        10.0.123.1/32 is directly connected, GigabitEthernet2
O        10.1.2.0/24 [110/2] via 10.10.13.160, 21:14:01, GigabitEthernet1
O        10.10.2.0/24 [110/2] via 10.10.13.254, 21:14:01, GigabitEthernet1
O        10.10.11.0/24 [110/2] via 10.10.13.254, 21:14:01, GigabitEthernet1
C        10.10.13.0/24 is directly connected, GigabitEthernet1
L        10.10.13.171/32 is directly connected, GigabitEthernet1
O        10.10.14.0/24 [110/2] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2     10.10.100.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2     10.10.101.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2     10.10.102.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2     10.10.103.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O        10.10.255.254/32 [110/2] via 10.10.13.160, 21:14:01, GigabitEthernet1
S        10.20.2.0/24 [1/0] via 10.10.13.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B        172.16.0.0/22 [20/0] via 10.10.13.111, 21:13:23
B        172.16.4.0/24 [20/0] via 10.10.13.111, 21:13:23
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Loopback0
L        192.168.0.1/32 is directly connected, Loopback0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback1
L        192.168.1.1/32 is directly connected, Loopback1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, Loopback2
L        192.168.2.1/32 is directly connected, Loopback2
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, Loopback3
L        192.168.3.1/32 is directly connected, Loopback3
      192.168.111.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.111.0/24 is directly connected, Loopback111
L        192.168.111.1/32 is directly connected, Loopback111
      220.127.116.11/24 is variably subnetted, 2 subnets, 2 masks
C        18.104.22.168/24 is directly connected, GigabitEthernet3
L        22.214.171.124/32 is directly connected, GigabitEthernet3
O E2     126.96.36.199/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2     188.8.131.52/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2     184.108.40.206/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
Homer is only allowed to add a particular IP range on a loopback interface. No nuclear meltdowns today Homer!
CSR01(config)#router rip
Command authorization failed.
CSR01(config)#interface g1
Command authorization failed.
CSR01(config)#interface l111
CSR01(config-if)#description test
Command authorization failed.
CSR01(config-if)#ip address 172.16.1.1 255.255.255.0
Command authorization failed.
CSR01(config-if)#ip address 192.168.111.1 255.255.255.0
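Before pushing a command set to ISE it helps to dry-run it against the commands a junior is expected to type. The Python below is an added example, not ISE's code or anything from the original post: it models the “Limited Commands” set as (command, argument regex, action) rules and assumes argument matching is a case-insensitive full regex match on everything after the command word (the show rule is written as (ip|route)( .*)? to reproduce the “ip or route as the next word” behaviour described above). IOS sends the fully expanded command to the TACACS+ server, which is why the session below uses interface Loopback111 rather than interface l111.

```python
import re

# Constructed rules mirroring the post's "Limited Commands" set: each entry is
# (command, argument regex, action). Argument matching is modelled as a
# case-insensitive Python fullmatch on everything after the command word;
# that is an assumption about how ISE evaluates the Arguments column.
LIMITED_COMMANDS = [
    ("show", r"(ip|route)( .*)?", "PERMIT"),          # show ip ..., show route
    ("configure", r"terminal", "PERMIT"),
    ("interface", r"loopback.*", "PERMIT"),            # ISE's * becomes .* here
    ("ip", r"address 192\.168\..* 255\.255\..*", "PERMIT"),  # \. = literal dot
]
PERMIT_ALL = []   # empty set; relies on unmatched="PERMIT" below


def evaluate(rules, command_line, unmatched="DENY"):
    """Decide one CLI line. First matching rule wins; `unmatched` models the
    "permit any command that is not listed" checkbox, and the DENY default is
    what DenyAll, or a set without that box ticked, gives."""
    words = command_line.split()
    if not words:
        return "DENY"
    cmd, args = words[0], " ".join(words[1:])
    for rule_cmd, arg_pattern, action in rules:
        if cmd.lower() == rule_cmd and re.fullmatch(arg_pattern, args, re.IGNORECASE):
            return action
    return unmatched


def check_session(rules, commands, unmatched="DENY"):
    """Map every command of a session to its decision."""
    return {c: evaluate(rules, c, unmatched) for c in commands}


# Homer's session from the post, in the expanded form IOS sends to ISE (constructed).
JUNIOR_SESSION = [
    "show ip route", "show running-config", "configure terminal", "router rip",
    "interface GigabitEthernet1", "interface Loopback111", "description test",
    "ip address 172.16.1.1 255.255.255.0", "ip address 192.168.111.1 255.255.255.0",
]


def escaping_matters(candidate="ip address 192x168y111.1 255.255.255.0"):
    """Why the post escapes the dots: unescaped, '.' is a wildcard and a
    malformed address slips through. Returns (unescaped verdict, escaped verdict)."""
    unescaped = [("ip", r"address 192.168..* 255.255..*", "PERMIT")]
    return evaluate(unescaped, candidate), evaluate(LIMITED_COMMANDS, candidate)


if __name__ == "__main__":
    for line, verdict in check_session(LIMITED_COMMANDS, JUNIOR_SESSION).items():
        print(f"{verdict:6} {line}")
    print("unescaped vs escaped:", escaping_matters())
```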
If that packet thrower guy logs in he can do whatever he needs to do!
CSR01(config)#router rip
CSR01(config-router)#
If we want to look at how ISE sees things we can open the TACACS Live Logs. Each command is sent to the ISE server, and it gives a detailed log of what command was received and the logic it used to reach its pass/fail decision.