topic RE: Radius vs TACACS - CLI Authorization in ExtremeWireless (General)

Radius vs TACACS - CLI Authorization

vobelic — Sat, 10 Oct 2015 05:07:00 GMT

I'm looking to setup authorization based on CLI command with either TACACS or RADIUS.
Apparently RADIUS seems to be a no-go according to this post: https://community.extremenetworks.com/extreme/topics/configuring-command-authorization-using-windows...

TACACS on the other hand has the option in XOS
#enable tacacs-authorizationCan someone confirm this is currently only possible with TACACS and explain why such support is missing from RADIUS with XOS 15.1 onwards?
Afterall, TACACS is Cisco while RADIUS should be open and the preferred way.

RE: Radius vs TACACS - CLI Authorization

Ronald_Dvorak — Sat, 10 Oct 2015 14:11:00 GMT

https://en.wikipedia.org/wiki/TACACS

https://community.extremenetworks.com/extreme/topics/configuring-command-authorization-using-windows...

From the above post...
"These VSA's were used and supporting in older firmware (with limited commands) in FreeRadius server & Merit Radius servers.

As this was supported with limited commands and only with few Radius servers, we have removed this from EXOS 15.1.3.1 onwards."

-Ron

RE: Radius vs TACACS - CLI Authorization

vobelic — Sat, 10 Oct 2015 17:26:00 GMT

Yes, thank you for quoting what I already know about RADIUS.

What about TACACS, does CLI authorization actually work?

RE: Radius vs TACACS - CLI Authorization

Stephane_Grosj1 — Sat, 10 Oct 2015 23:19:00 GMT

Hi,

yes, you can deny some commands with TACACS+ on EXOS.
It was possible with Radius using the old VSA and some tweaking. Apparently, the VSA has been removed.

RE: Radius vs TACACS - CLI Authorization

Kunlin_Lu — Wed, 22 Jun 2016 16:08:00 GMT

How to deny some commands with TACACS+ on EXOS ?
How to assign admin right to account with TACACS+ ?

RE: Radius vs TACACS - CLI Authorization

Drew_C — Wed, 22 Jun 2016 16:08:00 GMT

What TACACS+ server are you using?

If it helps, one of the labs I built some time back used a variation of Cisco's TACACS+ server. The user config looked like this:
# Configure User
user = drew {
login = cleartext "mypassword"
service = exec {
priv-lvl = 15
}
cmd = show {
permit .*
}
cmd = download {
permit .*
}
}
user = admin {
default service = permit
login = cleartext ""
}This gave "drew" an admin level account that could only run show and download commands, and denied everything else. You can also explicitly deny certain commands. The admin account was configured as it normally is on the switch by default.

RE: Radius vs TACACS - CLI Authorization

Kunlin_Lu — Wed, 22 Jun 2016 16:08:00 GMT

Hi Drew

It is work, thanks a lot.

I have one more question
If priv-lvl is not 15 and the user need to exec "show configuration"
How to ?

RE: Radius vs TACACS - CLI Authorization

Drew_C — Wed, 22 Jun 2016 16:08:00 GMT

Hi Kunlin,
I don't recall how EXOS will handle that since that command requires an admin-level account. If you're able to do some testing, I'd be curious to see what you find out.

RE: Radius vs TACACS - CLI Authorization

dflouret — Thu, 23 Jun 2016 03:19:00 GMT

EXOS per-command authorization works OK if you're willing to use and modify FreeRADIUS.

I did some investigations on a personal basis some time ago. This is very informally documented in this file:
https://www.dropbox.com/s/m4ukvkrl3wyt2qq/EXOS%20Per-Command%20Authentication.docx?dl=0

The document mentions several files that have to be installed in FreeRADIUS and that can be found here:
https://www.dropbox.com/s/e944v2o73404f57/EXOS_PCA_files.zip?dl=0

Be warned, this will work but with no guarantee. Also, Extreme Networks is not involved in any way in this development.

Haven't played with it in a long time, so no guarantees it will work with the latest FreeRADIUS releases.

Feel free to experiment.