Wednesday, June 27, 2018

Read-Only with TACACS+

I have recently spun up a TACACS+ server and got it configured in a test environment before we go live. I have been able to get mostly everything configured, with the exception of a Read-Only user. I am using TacacsGUI with MAVIS LDAP. The LDAP is working perfectly and the groups are working as they are supposed to. I am just unable to have any AAA-authenticated user actually show up as a Read-Only user. If I set an AD group in TACACS+ to privilege level 15, its members get SU privileges, and any other level, including 5, shows as Port-Config when doing a #show who command to check SSH connections. If I change the Read-Only group to use privilege level 15, it will then log in as a SU, so I know the groups are working and using the config in TACACS+. Below is a small snippet of my configs; maybe I am missing something obvious.

I have 3 AD groups: Admins, Read-Only, and Ports-Only.

Snippet from a test switch config (let me know if you need to see more):

Current configuration:
!
ver 08.0.30mbT311
!
stack unit 1
  module 1 icx6430c-12-port-management-module
  module 2 icx6430c-copper-2port-2g-module
  module 3 icx6430c-fiber-2port-2g-module

aaa authentication login default local tacacs+
aaa authentication login privilege-mode
aaa authorization exec default tacacs+ none
aaa accounting commands 0 default start-stop tacacs+
hostname Tacacs_Test
ip address 0.0.0.0 255.255.255.0

This is a snippet from my TACACS+ config as well:

group = Admins {
    default service = permit
    service = shell {
        default cmd = permit
        set priv-lvl = 15
    }
} #END OF Admins

group = Read-Only {
    default service = permit
    service = shell {
        default cmd = permit
        set priv-lvl = 5
    }
} #END OF Read-Only

group = Ports-Only {
    default service = permit
    service = shell {
        default cmd = permit
        set priv-lvl = 4
    }
} #END OF Ports-Only

This is the #show who output while all 3 users (one in each group) are logged in:

 1      established, client ip address 0.0.0.0, server hostkey DSA, user is test13784, privilege port-config
        using vrf default-vrf.
        32 second(s) in idle
 2      established, client ip address 0.0.0.0, server hostkey DSA, user is curtinr, privilege super-user
        using vrf default-vrf.
        you are connecting to this session
        56 second(s) in idle
 3      established, client ip address 0.0.0.0, server hostkey DSA, user is test12689, privilege port-config
        using vrf default-vrf.
        5 second(s) in idle

So, as you can see, even though Read-Only is set to 5 and Ports-Only is set to 4, both users appear to have Port-Config privileges. I have tested level 5 on a local user and it shows as having true level 5 Read-Only privileges, but that is not using AAA. My account curtinr is in the Admins group, test13784 is in the Read-Only group, and test12689 is in the Ports-Only group.
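The mismatch described in the post can be checked mechanically rather than by eye: parse the priv-lvl each tac_plus group sets, parse the privilege the switch reports per session in show who, and flag every session whose observed privilege differs from what the group's priv-lvl was meant to produce. The script below is an added example written for this page; it is not the poster's code and not part of TacacsGUI or tac_plus. The tac_plus stanzas and the show who output are constructed copies of what the post shows, the user-to-group table is the one the post states, and the EXPECTED_PRIVILEGE table is an assumption expressing what the poster expected each priv-lvl to map to (15 = super-user, 5 = read-only, 4 = port-config), not a statement of how the ICX platform actually maps the attribute.

```python
"""Cross-check tac_plus group priv-lvl settings against a Brocade/Ruckus ICX
'show who' session table.  Added example, not code from the original post."""
import re

# Constructed copy of the tac_plus group stanzas from the post.
TACACS_CONFIG = """
group = Admins {
    default service = permit
    service = shell {
        default cmd = permit
        set priv-lvl = 15
    }
}
group = Read-Only {
    default service = permit
    service = shell {
        default cmd = permit
        set priv-lvl = 5
    }
}
group = Ports-Only {
    default service = permit
    service = shell {
        default cmd = permit
        set priv-lvl = 4
    }
}
"""

# Constructed copy of the 'show who' output from the post (addresses redacted as in the post).
SHOW_WHO = """
 1      established, client ip address 0.0.0.0, server hostkey DSA, user is test13784, privilege port-config
        using vrf default-vrf.
        32 second(s) in idle
 2      established, client ip address 0.0.0.0, server hostkey DSA, user is curtinr, privilege super-user
        using vrf default-vrf.
        you are connecting to this session
        56 second(s) in idle
 3      established, client ip address 0.0.0.0, server hostkey DSA, user is test12689, privilege port-config
        using vrf default-vrf.
        5 second(s) in idle
"""

# Assumption: the privilege name the poster expects the switch to show for each priv-lvl.
# This is the intended mapping, not a claim about the platform's real attribute handling.
EXPECTED_PRIVILEGE = {15: "super-user", 5: "read-only", 4: "port-config"}

# From the post: the AD group each test account belongs to.
USER_GROUPS = {"curtinr": "Admins", "test13784": "Read-Only", "test12689": "Ports-Only"}

# A group stanza runs from 'group = NAME {' to the first closing brace at column 0;
# the nested 'service = shell { ... }' block is indented, so its brace does not end the match.
GROUP_RE = re.compile(r"group\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)
PRIV_RE = re.compile(r"set\s+priv-lvl\s*=\s*(\d+)")
SESSION_RE = re.compile(r"user is (\S+), privilege (\S+)")


def parse_group_privs(config):
    """Return {group_name: priv-lvl} for each tac_plus group that sets priv-lvl."""
    privs = {}
    for name, body in GROUP_RE.findall(config):
        m = PRIV_RE.search(body)
        if m:
            privs[name] = int(m.group(1))
    return privs


def parse_sessions(show_who):
    """Return {username: privilege-name} for each session line in 'show who' output."""
    return {user: priv for user, priv in SESSION_RE.findall(show_who)}


def find_mismatches(config, show_who, user_groups, expected):
    """Return (user, group, priv-lvl, expected-name, observed-name) for every session
    whose observed privilege differs from the one its group's priv-lvl should produce.
    Users with no known group, or whose group sets no priv-lvl, are reported with None."""
    group_privs = parse_group_privs(config)
    mismatches = []
    for user, observed in parse_sessions(show_who).items():
        group = user_groups.get(user)
        if group is None or group not in group_privs:
            mismatches.append((user, group, None, None, observed))
            continue
        lvl = group_privs[group]
        want = expected.get(lvl)
        if want != observed:
            mismatches.append((user, group, lvl, want, observed))
    return mismatches


if __name__ == "__main__":
    for user, group, lvl, want, got in find_mismatches(
        TACACS_CONFIG, SHOW_WHO, USER_GROUPS, EXPECTED_PRIVILEGE
    ):
        print(f"{user}: group {group} priv-lvl {lvl} expected {want}, switch shows {got}")
```

Run against the post's data, the only session reported is test13784: the Read-Only group sets priv-lvl 5, the expected table says that should appear as read-only, and the switch shows port-config. Because EXPECTED_PRIVILEGE is an explicit input, the same check can be rerun with whatever mapping the platform's AAA documentation actually specifies for the priv-lvl attribute versus a local user's level, which is the first thing to confirm before changing the tac_plus groups.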


