08-21-2018 11:05 AM
I'm looking to add some Vyatta devices to our ISE environment for TACACS+ authentication. I'm running into issues getting the correct attributes sent to the device. By default, the Vyatta dumps you into the "tacplus-operator" role when authenticating with a TACACS+ server. On our old deployment (Linux using tac_plus), we have the following options listed for our Vyattas, which tell it to use "tacplus-admin" for our users:
group = ADMINS {
    default service = permit
    service = vyatta-exec {
        set level = "admin"
    }
}
On our ISE deployment, I'm trying:
I can login to the device, it assigns the correct Shell Profile (in my Device Admin Policy Set) and it shows it sending the attributes:
but I get dumped into tacplus-operator and can't do any administrative tasks, any ideas?
10-26-2018 04:58 AM
After working for many moons with AT&T support and development teams, we were able to get the Vyatta to accept the correct permissions by:
Upgrading the Vyatta 5600 to version 1801R
Setting the TACACS+ Profile Policy Element to (under "Raw View", no spaces, no quotes): level=superuser
The task view will look like:
The configuration on the Vyatta will be similar to:
set system login tacplus-server A.B.C.D port '49'
set system login tacplus-server A.B.C.D secret 'suchsecretpassword'
set system login tacplus-server A.B.C.D source-address 'W.X.Y.Z'
set system login tacplus-server A.B.C.D timeout '3'
set system tacplus-options 'command-accounting'
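The solution hinges on the exact byte string the device receives as an authorization argument: "level=superuser" with no spaces and no quotes. The following is an added example (not code from Cisco ISE, Vyatta, or any poster in this thread) that encodes and decodes the body of a TACACS+ authorization REPLY as laid out in RFC 8907 section 6.2 and splits each argument on its first "=" (mandatory) or "*" (optional) separator. It shows why the padded or quoted variants tried earlier in the thread do not match: the attribute name that reaches the device is "level " (with a trailing space), not "level". The 12-byte TACACS+ header and the body obfuscation are left out, and modelling the device as a plain lookup of an attribute named "level" is an assumption, not documented vRouter behaviour.

```python
"""Encode/decode a TACACS+ authorization REPLY body (RFC 8907, section 6.2)
and parse its attribute-value pairs.

Added example, not code from Cisco ISE, Vyatta or the original thread.
Only the body is handled (no 12-byte header, no MD5 body obfuscation), and
the "device" side is an assumed lookup of an argument named exactly "level".
"""
import struct

# Authorization REPLY status values (RFC 8907, section 6.2)
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11


def encode_authz_reply(status, args, server_msg=b"", data=b""):
    """Build the body: status, arg_cnt, server_msg_len, data_len,
    one length byte per arg, then server_msg, data and the args in order."""
    raw_args = [a.encode() if isinstance(a, str) else a for a in args]
    if len(raw_args) > 255 or any(len(a) > 255 for a in raw_args):
        raise ValueError("arg_cnt and every arg_N_len are single bytes")
    body = struct.pack("!BBHH", status, len(raw_args), len(server_msg), len(data))
    body += bytes(len(a) for a in raw_args)
    body += server_msg + data + b"".join(raw_args)
    return body


def decode_authz_reply(body):
    """Inverse of encode_authz_reply; returns (status, server_msg, data, args)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    offset = 6
    arg_lens = list(body[offset:offset + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    offset += arg_cnt
    server_msg = body[offset:offset + msg_len]
    offset += msg_len
    data = body[offset:offset + data_len]
    offset += data_len
    args = []
    for n in arg_lens:
        chunk = body[offset:offset + n]
        if len(chunk) != n:
            raise ValueError("truncated argument")
        args.append(chunk.decode())
        offset += n
    if offset != len(body):
        raise ValueError("trailing bytes after last argument")
    return status, server_msg, data, args


def parse_avpair(arg):
    """Split an AV pair at its first '=' (mandatory) or '*' (optional).
    Nothing is trimmed: spaces and quotes stay part of the name or value."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("no separator in %r" % arg)


def privilege_from_reply(body, attribute="level"):
    """Assumed device behaviour: take the value of the arg whose name is
    exactly `attribute` on a PASS reply, else None."""
    status, _, _, args = decode_authz_reply(body)
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in args:
        name, value, _mandatory = parse_avpair(arg)
        if name == attribute:
            return value
    return None


if __name__ == "__main__":
    # Constructed replies: what the working ISE profile sends, and a variant
    # with the spaces and quotes that tac_plus config syntax tolerates.
    good = encode_authz_reply(AUTHOR_STATUS_PASS_ADD, ["level=superuser"])
    bad = encode_authz_reply(AUTHOR_STATUS_PASS_ADD, ['level = "superuser"'])
    print(good.hex())
    print(privilege_from_reply(good))  # superuser
    print(privilege_from_reply(bad))   # None: the arg name is 'level ', not 'level'
```

The tac_plus syntax quoted elsewhere in this thread (braces, "set", quoted values) is that server's configuration grammar; what goes on the wire is the bare "attribute=value" string, which is what ISE's Raw View passes through verbatim.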
08-21-2018 11:39 AM
Try using the Raw attributes instead of custom attributes. In your TACACS+ profile click on the Raw tab and you can try different combinations. Just paste in:
default service = permit
service = vyatta-exec {
    set level = "admin"
}
or try just
level = "admin"
I use RAW attributes for almost everything when doing custom AV pairs.
08-21-2018 12:35 PM
Paul,
Thanks for the response. I am actually pasting all that into the "raw" section. I've tried different combinations with curly brackets, without, with quotes, without, etc. I even tried the "level = admin", same result. It seems as if anything I put in there isn't actually being used on the Vyatta side, or more likely, I'm not putting it in there the way it expects it.
Thanks again for the suggestion.
09-01-2018 05:40 PM
https://ecl.ntt.com/files/firewall/5.2/vyatta-network-os-5.2r1-basic-system.pdf says,
...
Specifying authentication level in TACACS+
By default, TACACS+ authorized users on the Brocade vRouter are given operator-level access. However, you can specify the authentication level for individual TACACS+ authorized users on the local Brocade vRouter. Like the mapping of user IDs, this configuration is specified on the TACACS+ server, as shown in the following example:
user = administrator {
    default service = permit
    login = cleartext "vyatta"
    service = vyatta-exec {
        level = "admin"
    }
}
Logging in to the local Brocade vRouter as the administrator user in this instance provides administrative-level access. You can also configure an additional level on the TACACS+ server as superuser to provide superuser-level access.
...
09-04-2018 07:35 AM
Thanks for the response. I've been trying the recommended settings in my Tacacs+ profiles. Please see the "raw view" as well as the default view and the results when authentication happens.
I get the same result when logging in to the Vyatta. I also tried breaking them up into individual attributes, same result.
10-26-2018 07:21 PM
Many thanks for sharing.