Tacacs+ authentication/authorization based on user's subnet

Answered Question
Jul 18th, 2012

Hi Guys/Girls

We have a number of production Cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH version 2 across the whole network, comprising about 8000 Cisco gears.

I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.

In our lab Cisco gears, it has already been configured with the production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears, but without disrupting other users who are using the same lab-gears.

So, I want to enable SSH version 2 on these lab-gears; however, when a user is coming from a certain specific subnet, this particular user must be authenticated and authorized by the LAB Tacacs+ and not by the production Tacacs+. Please note that the lab-gears I am testing with are also already configured for the production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization against two different Tacacs+ servers based on the subnet that the user is coming from.

Is this a doable plan? I have been looking for documentation to implement and test this method, without success.

Your feedback will be appreciated and rated.

Thanks

Rizwan Rafeek

Correct Answer by Tarik Admani about 1 year 9 months ago

Riswan,

This will not work. Tacacs authentication starts once the SSH connection is established: the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server, in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You cannot create an ACL in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server, that is not the intended design of tacacs; when you configure multiple servers in a group it is to ensure high availability, such that when one tacacs server goes down you have a secondary to continue with the authentication requests.

Here is an example of how the tacacs authentication is performed.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic

thanks and I hope that helps,

Tarik Admani
*Please rate helpful posts*

ansalaza Wed, 07/18/2012 - 16:42

I think I can get half of your request done, but maybe someone else has a better idea.

It’s a very simple, but not an "automated subnet-based process" for enabling users to choose the TACACS+ Server where to be authenticated/authorized from.

tacacs-server directed-request

Please look into the Usage Guidelines for config details:

http://www.cisco.com/en/US/partner/docs/ios/12_2/security/command/reference/srftacs.html#wp1017941

The above would allow you to test/choose on your LAB Tacacs+ Server instead of sending requests to the Production Server.
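As an added illustration of the directed-request approach (example configuration, not ansalaza's own, and not from the Cisco document linked above), here is an IOS config for a lab device that keeps the production server as the default while letting a tester steer a single login to the lab server by logging in as `user@<lab-server-ip>`. The server addresses, keys and domain name are placeholders; the RSA key for SSH must still be generated from exec mode with `crypto key generate rsa`.

```cisco
! Added example: two TACACS+ hosts on a lab device with directed requests.
! 10.1.1.10 = production TACACS+ (placeholder), 10.2.2.20 = lab TACACS+ (placeholder).
aaa new-model
!
tacacs-server host 10.1.1.10 key PROD-KEY-PLACEHOLDER
tacacs-server host 10.2.2.20 key LAB-KEY-PLACEHOLDER
!
! A login name of the form  user@10.2.2.20  is sent only to 10.2.2.20.
! "restricted" refuses directed requests to any host not listed above,
! so a user cannot point the device at an arbitrary TACACS+ server.
tacacs-server directed-request restricted
!
! Plain logins (no @server suffix) still use the normal server list,
! i.e. production first, with local fallback only if no server answers.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! SSH version 2 only; domain name is required for the RSA key pair.
ip domain-name lab.example.invalid
ip ssh version 2
!
line vty 0 4
 transport input ssh
 login authentication default
```

Because the server choice rides on the username the tester types rather than on the source subnet, production users on the same lab device are unaffected, which is the "not automated subnet-based" limitation ansalaza describes.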

rizwanr74 Thu, 07/19/2012 - 08:11

Can you please post the documentation as an attachment, as I couldn't open the URL you posted.

thanks

rizwanr74 Fri, 07/20/2012 - 11:08

Hi Ansalaza,

thanks for the info. But I am not so sure how the "tacacs-server directed-request" could resolve my problem, when I have two tacacs+ server hosts configured on our lab-devices?



Posted July 18, 2012 at 1:08 PM
Tags: tacacs+