You Shall Not Pass – ISE TACACS+

Standard

I recently rebuilt my ISE lab to play with 2.2 and figured I may as well do some security posts while I’m at it.  Today we’ll briefly dip our toes in the water by playing with TACACS+’s Command Authorization.

Active Directory

For this lab I have created two groups in my Active Directory NetAdmin which will have full access to everything and JuniorAdmin that will be much more limited.

ise-tac-ad-004

On the ISE server it is important that you point the DNS to the Active Directory server and you set the domain name.

ISE01/admin# show run | include name
hostname ISE01
--
ip domain-name testlab.com
--
ip name-server 10.10.13.5

Next the ISE server should be joined to AD so we can match on AD groups, under External Identity Sources, go to Active Directory and add your AD domain then join it with your Domain Admin user/pass. You can also choose to store the credentials if you have a distributed lab but it doesn’t really matter in a standalone node.

ise-tac-ad-001

Once ISE is joined, go over to the Groups tab and add the AD groups we want to match for TACACS+

ise-tac-ad-002

Under Advanced Settings, I like to check “Search in the Whitelisted Domains section”. This setting allows you to log into a router without specifying the FQDN.

ise-tac-ad-003

Local Authentication

We can also setup local users and groups to play with as well.

Local Groups

To make a group, we simply create a group and give a name.

ise-tac-group-001.png

Local Users

We can create local users under Identity Management -> Identities

For our purposes we can give the account a name, password, and assign it to the Local_NetAdmin group.

ise-tac-002

ise-tac-003

Identity Source Sequence

Once we have our authentication in place we need to setup a Identity Source Sequence List that tells ISE to search the local database and then active directory if it doesn’t find a match.

ise-tac-010

ISE Policy Sets

ISE by default has separate policy configuration pages for authentication and authorization but we can combine the pages by enabling a policy set.

ise-tac-policy-set-001

TACACS Setup

First things first, to use TACACS we need to enable the Device Admin service if it is not already under Administration -> Deployment.

ise-tac-001

Network Resources

Now that TACACS is enabled we need to add some routers into ISE, we could do this on a device by device basis, by subnet, or simply setup a default device profile to match all devices. I’ll add CSR01 into the mix by giving it a name, IP address, and providing the TACACS key.

ise-tac-005

TACACS Command Sets

Command Sets control exactly what commands are allowed to be used by a user.
We’ll make two policies, a limited command set that is just allowed to run a few commands and one that permits everything.

For the “Limited Commands” set we tell ISE what command can run and what arguments.

The first entry is the show command with the argument’s IP and Route. This does not mean that only show ip route is allowed to run, rather it means that show commands that use either “ip” or “route” as the next word so show ip interface brief would be allowed but not show run ,  show route would also work (were the command to exist in common IOS 🙂

Next we use configure and terminal so they can enter configuration mode.

Then allow the user to go to any loopback address, the * is a wildcard for any match.

Finally we are only allowing ip addresses that start with 192.168 and have a subnet mask of at least 255.255. The \ is used to tell ISE that the “.” is not a wildcard but a actual period.

ise-tac-007

We’ll also make a “Permit All” set that is empty but tells ISE to permit any commands not listed.

ise-tac-008

When we are done we will have 3 policies, the 2 we made and the standard DenyAll one.

ise-tac-006

Authentication Policy

The TACACS policy is configured under Work Centers -> Device Admin Policy Sets, this area is specifically for TACACS so it is not necessary to tell ISE to match TACACS connections as you would have to in the main Policy Set for RADIUS. This makes the authentication policy pretty easy since we can just point it to the Identity Source Sequence we created and call it a day.

ise-tac-009

Lastly we make the authorization policy where we will say that the local NetAdmin group will get the “Permit All” command set.

The NetAdmin group in AD will also get the same command set, and those pesky juniors will get the limited one. We won’t concern ourshelves with Shell Profiles just yet.

ise-tac-authorization

Router Config

At this point our ISE server is setup enough to act as a simple TACACS server but we need to tell our routers to use it if we want our work to affect anything.

First things first we need to enable AAA on the router.

CSR01(config)#aaa new-model

Then we define the tacacs server by specifying the ISE IP and the tacacs key.

CSR01(config)#tacacs server TAC
CSR01(config-server-tacacs)# address ipv4 10.20.2.31
CSR01(config-server-tacacs)# key meowcat

Next we tell the router to use TACACS for authentication and we’ll use local database as a fallback. This will have the router ask ISE if the user is allowed to login in but the router can locally authenticate if ISE is down.

CSR01(config)#aaa authentication login default group tacacs+ local

Finally we tell the router to check with ISE to see if a command is authorized or not. Today we are interested in exec authorization with is the exec terminal session . We also will want commands level authorization so that ISE can process exec level commands like show commands.   

We will also need aaa authorization config-commands to enable configuration level commands. 

The if-authenticated fallback option tells the router to authorize all commands if the ISE server is down and the user successfully authenticated.

CSR01(config)#aaa authorization exec default group tacacs+ if-authenticated 
CSR01(config)#aaa authorization commands 15 default group tacacs+ if-authenticated

It is also worth noting that as a failsafe command authorization does not apply to a console session unless you  use the aaa authorization console command.

Testing it out

Now everything is place let’s have our junior Homer Simpson log into the router.

We can verify Homer is on the router with exec level commands since those are restricted by ISE. While we are here can verify that this account should have privilege level 15 so it should be able to do anything.

CSR01#show user
 Line User Host(s) Idle Location
* 2 vty 1 hsimpson idle 00:00:00 10.10.13.13

Interface User Mode Idle Peer Address

CSR01#show privilege 
Current privilege level is 15

If we try to do a show run

CSR01#show run
Command authorization failed.

But running show ip route works fine

CSR01#show ip route | b Gateway
Gateway of last resort is 10.10.13.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.13.1
 10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C 10.0.123.0/24 is directly connected, GigabitEthernet2
L 10.0.123.1/32 is directly connected, GigabitEthernet2
O 10.1.2.0/24 [110/2] via 10.10.13.160, 21:14:01, GigabitEthernet1
O 10.10.2.0/24 [110/2] via 10.10.13.254, 21:14:01, GigabitEthernet1
O 10.10.11.0/24 [110/2] via 10.10.13.254, 21:14:01, GigabitEthernet1
C 10.10.13.0/24 is directly connected, GigabitEthernet1
L 10.10.13.171/32 is directly connected, GigabitEthernet1
O 10.10.14.0/24 [110/2] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2 10.10.100.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2 10.10.101.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2 10.10.102.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2 10.10.103.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O 10.10.255.254/32 [110/2] via 10.10.13.160, 21:14:01, GigabitEthernet1
S 10.20.2.0/24 [1/0] via 10.10.13.1
 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B 172.16.0.0/22 [20/0] via 10.10.13.111, 21:13:23
B 172.16.4.0/24 [20/0] via 10.10.13.111, 21:13:23
 192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, Loopback0
L 192.168.0.1/32 is directly connected, Loopback0
 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Loopback1
L 192.168.1.1/32 is directly connected, Loopback1
 192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Loopback2
L 192.168.2.1/32 is directly connected, Loopback2
 192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, Loopback3
L 192.168.3.1/32 is directly connected, Loopback3
 192.168.111.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.111.0/24 is directly connected, Loopback111
L 192.168.111.1/32 is directly connected, Loopback111
 200.0.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.0.1.0/24 is directly connected, GigabitEthernet3
L 200.0.1.1/32 is directly connected, GigabitEthernet3
O E2 200.1.1.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2 200.11.11.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1
O E2 200.111.111.0/24 [110/15] via 10.10.13.254, 21:14:01, GigabitEthernet1

Homer is only allowed to add a particular IP range on a loopback interface. No nuclear meltdowns today Homer!

CSR01(config)#router rip
Command authorization failed.

CSR01(config)#interface g1
Command authorization failed.

CSR01(config)#interface l111
CSR01(config-if)#description test
Command authorization failed.

CSR01(config-if)#ip address 172.16.1.1 255.255.255.0
Command authorization failed.

CSR01(config-if)#ip address 192.168.111.1 255.255.255.0

If that packet thrower guy logs in he can do whatever he needs to do!

CSR01(config)#router rip 
CSR01(config-router)#

If we want to look at how ISE sees things we can open the TACACS Live Logs, each command is sent to the ISE server and it gives a detailed log of what command was received and the logic it used to make its pass/fail condition.

ise-tac-ops-002.png

ise-tac-ops-001.png

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.