Wednesday, June 30, 2010

Role based authorization for IOS using TACACS+

Role-based authorization simplifies the enforcement of security controls on IOS devices: each role is mapped to a CLI view, so a user only sees the commands that view permits.

The first step is to configure the IOS device with a parser view that lists the commands the role is allowed to run:

parser view ccie
secret 5 $1$pcY4$eqZ1i/dKMOS8cPigSQZbm0
commands configure include all router
commands configure include all interface
commands configure include shutdown
commands configure include all no router
commands configure include all no interface
commands configure include no shutdown
commands configure include no
commands exec include all configure terminal
commands exec include all configure
commands exec exclude show ip route
commands exec include show ip interface
commands exec include show ip
commands exec include show privilege
commands exec include show parser view
commands exec include show parser
commands exec include show
commands exec include logout
!

Then we configure AAA so that login authentication and exec authorization for the vty lines go to the TACACS+ server:

aaa new-model
aaa authentication login default local
aaa authentication login iosvpn local
aaa authentication login RAD group radius
aaa authentication login TACA group tacacs+
aaa authentication login EZvpn local
aaa authorization exec RAD group radius
aaa authorization exec TACA group tacacs+
aaa authorization network iosvpn local
aaa authorization network ezVPN local
aaa session-id common
!
ip tacacs source-interface FastEthernet0/0
!
tacacs-server host 172.30.3.53
tacacs-server key 7 1511080501
!
line vty 0 3
session-timeout 30
exec-timeout 30 0
authorization exec TACA
login authentication TACA

Finally, we configure the ACS server:

Enable "Display window for each service..." under the advanced TACACS+ interface configuration.

Next, for the desired user(s) or group(s) check "Shell (exec)" and under "Custom Attributes" type:
shell:cli-view-name=ccie

When you log in as a user (or as a member of a group) with this attribute set, you are placed in the appropriate CLI view.
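The attribute typed into ACS above travels to the router as an argument of the TACACS+ authorization REPLY (RFC 8907, section 6.2). The following Python, added here as an illustration and not taken from the post or from Cisco, parses the de-obfuscated body of such a reply and extracts the view name; the sample reply is constructed, and its extra priv-lvl=15 argument is an assumption used only to show that other arguments are skipped.

```python
import re, struct

# Authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

def parse_author_reply(body: bytes) -> dict:
    """Parse a de-obfuscated authorization REPLY body.
    Layout: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
            arg_len[arg_cnt] server_msg data arg_1 ... arg_N"""
    if len(body) < 6:
        raise ValueError("body too short for a REPLY header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg_len table")
    pos = 6 + arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    data, pos = body[pos:pos + data_len], pos + data_len
    args = []
    for n in arg_lens:  # each arg is "attr=value" (mandatory) or "attr*value"
        if len(body) < pos + n:
            raise ValueError("truncated argument")
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos != len(body):
        raise ValueError("trailing bytes after the last argument")
    return {"status": AUTHOR_STATUS.get(status, "UNKNOWN"),
            "server_msg": server_msg.decode("ascii", "replace"),
            "data": data, "args": args}

def cli_view_from_reply(body: bytes):
    """View the reply assigns, or None if authorization failed or no view set."""
    reply = parse_author_reply(body)
    if reply["status"] not in ("PASS_ADD", "PASS_REPL"):
        return None
    for arg in reply["args"]:
        m = re.match(r"([^=*]*)([=*])(.*)", arg)  # '=' mandatory, '*' optional
        if m and m.group(1) == "cli-view-name":
            return m.group(3)
    return None

def build_author_reply(status, args, server_msg=b"", data=b""):
    """Build a REPLY body from its fields; used to construct the sample below."""
    enc = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    return head + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc)

# Constructed sample, not a capture: a PASS_ADD reply carrying the ccie view.
SAMPLE_REPLY = build_author_reply(0x01, ["priv-lvl=15", "cli-view-name=ccie"])
```

Only the router enforces the view; the parser just shows what the device receives, which is useful when checking a TACACS+ debug or a decrypted capture against the intended policy.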
