cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2289
Views
5
Helpful
7
Replies

Tacacs+ authentication/authorization based on user's subnet

rizwanr74
Level 7
Level 7

Hi Guys/Girls

We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.

I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.

In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.

So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for  production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.

Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.

Your feedback will be appreciated and rated.

Thanks

Rizwan Rafeek

1 Accepted Solution

Accepted Solutions

Riswan,

This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.

Here is an example of how the tacacs authentication is performed.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic

thanks and I hope that helps,

Tarik Admani
*Please rate helpful posts*

View solution in original post

7 Replies 7

ansalaza
Level 1
Level 1

I think I can get half of your request done, but maybe someone else has a better idea.

It’s a very simple, but not an "automated subnet-based process" for enabling users to choose the TACACS+ Server where to be authenticated/authorized from.

tacacs-server directed-request

Please look into the Usage Guidelines for config details:

http://www.cisco.com/en/US/partner/docs/ios/12_2/security/command/reference/srftacs.html#wp1017941

The above would allow you to test/choose on your LAB Tacacs+ Server instead of sending requests to the Production Server.

The URL is dead, cannot be open.

Can you please post the documentation as an attachment, as I couldn't open the URL you posted.

thanks

Hi Ansalaza,

thanks for the info.  But I am not so sure, how the "tacacs-server directed-request" could resolve my problem, when I have two tacacs+ server hosts configured on the our lab-devices ?


Anybody eles have any thoughts to share with?

thanks.

Riswan,

This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.

Here is an example of how the tacacs authentication is performed.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic

thanks and I hope that helps,

Tarik Admani
*Please rate helpful posts*

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: