ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

Transcription

1 ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices Secure Access How-to User Series Author: Technical Marketing, Policy and Access, Security Business Group, Cisco Systems Date: January 2016

2 Table of Contents Table of Contents... 2 About This Guide... 3 Overview... 3 Using This Guide... 3 Components Used... 3 ISE Configuration for Device Administration... 4 Licensing Device Administration on ISE... 4 Enabling Device Administration on ISE... 4 Device Administration Work Center... 5 Network Device and Network Device Groups... 5 Identity Stores... 7 TACACS Profiles... 8 NX-OS Operator... 8 NX-OS Admin... 9 NX-OS Security... 9 TACACS Command Sets... 9 HelpDesk Commands... 9 Permit All Commands NX-OS Security Commands Device Admin Policy Sets NX-OS Configuration for TACACS TACACS+ Authentication and Fallback TACACS+ Command Authorization TACACS+ Command Accounting What s Next? Cisco Systems 2016 Page 2

3 About This Guide Overview Terminal Access Controller Access Control System Plus (TACACS+) is a client-server protocol that provides centralized security control for management access to routers and many types of network access devices. TACACS+ provides these AAA services: Authentication Who the users are Authorization What they are allowed to do Accounting Who did what and when This document provides configuration examples for TACACS+ with the Cisco Identity Services Engine (ISE) as the TACACS+ server and a Cisco NX-OS network device as the TACACS+ client. Using This Guide This guide divides the activities into two parts to enable ISE to manage administrative access for Cisco NX-OS based network devices. Part 1 Configure ISE for Device Administration Part 2 Configure Cisco NX-OS for TACACS+ Components Used The information in this document is based on the following software and hardware version: ISE VMware virtual appliance, Release 2.0 Cisco Nexus1000V (N1Kv) for VMware vsphere, Cisco NX-OS 5.2(1)SV3(1.10) It works on most of Cisco NX-OS devices. The materials in this document are created from the devices in a lab environment. All of the devices are started with a cleared (default) configuration. Cisco Systems 2016 Page 3

4 ISE Configuration for Device Administration Licensing Device Administration on ISE Device Administration (TACACS+) is licensed per deployment, but requires existing and valid ISE base or mobility licenses. Enabling Device Administration on ISE The Device Administration service (TACACS+) is not enabled by default in an ISE node. The first step is to enable it. Step 1 Step 2 Log in to the ISE admin web portal using one of the supported browsers. Navigate to Administration > System > Deployment. Select the check box next to the ISE node and click Edit. Step 3 Figure 1. ISE Deployment Page Under General Settings, scroll down and select the check box next to Enable Device Admin Service. Figure 2. ISE Deployment General Settings Cisco Systems 2016 Page 4

5 Step 4 Save the configuration. Device Administration Service is now enabled on ISE. Device Administration Work Center ISE 2.0 introduces Work Centers, each of which encompasses all the elements for a particular feature. Step 1 Go to Work Centers > Device Administration > Overview Figure 3. Device Administration Overview The Device Administration Overview provides the high-level steps for the Use Case. Network Device and Network Device Groups ISE provides powerful device grouping with multiple device group hierarchies. Each hierarchy represents a distinct and independent classification of network devices. Step 1 Navigate to Work Centers > Device Administration > Network Device Groups Figure 4. Network Device Groups Cisco Systems 2016 Page 5

6 Step 2 All Device Types and All Locations are default hierarchies provided by ISE. You may add your own hierarchies and define the various components in identifying a Network Device which can be used later in the Policy Conditions. After defining hierarchies, the Network Device Groups will look similar to the following: Figure 5. Network Device Group Tree View Step 3 Now, add an N1Kv as a Network Device. Go to Work Centers > Device Administration > Network Resources. Click Add to add a new Network Device DMZ_BLDO_N1Kv. Figure 6. Adding Network Device Enter the IP address of the Device and make sure to map the Location and Device Type for the Device. Finally, Enable the TACACS+ Authentication Settings and specify the Shared Secret. Cisco Systems 2016 Page 6

7 Identity Stores This section defines an Identity Store for the Device Administrators, which can be the ISE Internal Users and any supported External Identity Sources. Here uses Active Directory (AD), an External Identity Source. Step 1 Go to Administration > Identity Management > External Identity Stores > Active Directory. Click Add to define a new AD Joint Point. Specify the Join Point name and the AD domain name and click Submit. Figure 3. Adding AD Join Point Step 2 Click Yes when prompted Would you like to Join all ISE Nodes to this Active Directory Domain? Input the credentials with AD join privileges, and Join ISE to AD. Check the Status to verify it operational. Figure 4. Joining ISE to AD Step 3 Go to the Groups tab, and click Add to get all the groups needed based on which the users are authorized for the device access. The following example shows the groups used in the Authorization Policy in this guide Figure 5. AD Groups Cisco Systems 2016 Page 7

8 TACACS Profiles The Cisco TACACS+ implements cisco-av-pair, a vendor-specific attribute (VSA) option in the Internet Engineering Task Force (IEFT) specification, in the format protocol : attribute separator value * When Cisco NX-OS devices use TACACS+ for authentication, the TACACS+ server returns user attributes along with authentication results, in Cisco VSAs. For TACACS+ authentications, the Cisco NX-OS software supports: Shell as the protocol in access-accept packets to provide user profile information. Roles as the attribute in access-accept packets to list all the roles to which the user belongs. The role names are delimited by white spaces. Each user role contains one or more rules that define the operations allowed for the users assigned to the role. Each user can have multiple roles so to execute a combination of all commands permitted by the roles. The predefined roles on NX-OS devices differ among NX-OS platforms. Two common ones are: network-admin predefined network admin role has complete read-and-write access to all commands on the switch; available in the default virtual device context (VDC) only if the devices (e.g. Nexus 7000) have multiple VDCs. Use NX-OS CLI command show cli syntax roles network-admin to see the full command list available for this role. network-operator predefined network admin role has complete read access to all commands on the switch; available in the default VDC only if the devices (e.g. Nexus 7000) have multiple VDCs. Use NX-OS CLI command show cli syntax roles network-operator to see the full command list available for this role. The recent NX-OS releases allow to create up to 64 user-defined roles in a VDC. User-defined user roles, by default, permit access to the commands show, exit, end, and configure terminal only, so we need to add rules and role features to grand additional access. To see the list of commands allowed by each role feature, issue NX-OS CLI show role feature name <feature-name>. To see that for all role features, issue NX-OS CLI show role feature detail. The following example shows what available for the feature interface: N1Kv# show role feature name interface interface (Interface configuration commands) show interface * config t ; interface * If TACACS+ users have the same user names defined locally on the Cisco NX-OS device, the Cisco NX-OS software applies the user roles for the local user accounts but not those configured on the TACACS+ server. We will define three TACACS Profiles NX-OS Operator, NX-OS Admin, and NX-OS Security. NX-OS Operator Step 4 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Profiles. Add a new TACACS Profile and name it NX-OS Operator. Step 5 Scroll down to the Custom Attributes section to add the attribute as: Cisco Systems 2016 Page 8

9 Step 6 Step 7 Step 8 Type Name Value Mandatory shell:roles network-operator Click the check mark at the end of the entry to keep the line. Click the tab [ Raw View ], and it shows: Profile Attributes shell:roles=network-operator Click Submit to save the profile. NX-OS Admin Step 9 Step 10 Step 11 Step 12 Step 13 Add another profile and name it NX-OS Admin. Scroll down to the Custom Attributes section to add the attribute as: Type Name Value Mandatory shell:roles network-admin Click the check mark at the end of the entry to keep the line. Click the tab [ Raw View ], and it shows: Profile Attributes shell:roles=network-admin Click Submit to save the profile. NX-OS Security Step 14 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Profiles. Add a new TACACS Profile and name it NX-OS Operator. Step 15 Scroll down to the Custom Attributes section to add the attribute as: Type Name Value Mandatory shell:roles network-operator demo-security We enclose the value with double quotes because it has two role names, which are separated by a space character. The role demo-security is a user-defined role and will be configured later on the NX-OS device. Step 16 Click the check mark at the end of the entry to keep the line. Step 17 Click the tab [ Raw View ], and it shows: Profile Attributes shell:roles= network-operator demo-security Step 18 Click Submit to save the profile. TACACS Command Sets NX-OS command authorization queries the configured TACACS+ server to verify whether the Device Administrators are authorized to issue the commands. NX-OS normally authorizes on user roles. To fine tune available commands, ISE can provide a list of commands granted to the users. We define three commands sets -- HelpDesk_Commands, Permit_All_Commands, and NX-OS_Security_Commands. HelpDesk Commands This is the same as that in the guide for IOS devices. Please skip this section if it already defined. Cisco Systems 2016 Page 9

10 Step 19 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Command Sets. Add a new set and name it HelpDesk_Commands. Step 20 Click +Add to configure entries to the set: Grant Command Argument PERMIT debug PERMIT undebug PERMIT traceroute DENY ping ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.255$ PERMIT ping PERMIT show We allow helpdesk analysts to perform debug, undebug, traceroute, and show. For ping, they are restricted from broadcast pings, assuming the network subnets with broadcast addresses ending with.255, as shown in the regular expression in the argument column. Step 21 Step 22 Click the check mark at the end of each entry to keep the line. Click Save to persist the command set. Permit All Commands This is the same as that in the guide for IOS devices. Please skip this section if it already defined. Step 23 Step 24 Step 25 Add a new set and name it Permit_All_Commands. Tick the checkbox next to Permit any command that is not listed below, and leave the command list empty. Grant Command Argument Click Save to persist the command set. NX-OS Security Commands Step 26 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Command Sets. Add a new set and name it NX-OS_Security_Commands. Step 27 Tick the checkbox next to Permit any command that is not listed below. Step 28 Click +Add to configure entries to the set: Grant Command Argument DENY interface mgmt0 DENY interface control0 We allow security analysts to execute any commands other than to configure interfaces mgmt0 and control0. Step 29 Click the check mark at the end of each entry to keep the line. Step 30 Click Save to persist the command set. Cisco Systems 2016 Page 10

11 Device Admin Policy Sets Policy Sets are enabled by default for Device Administration. Policy Sets can divide polices based on the Device Types so to ease application of TACACS profiles. For example, Cisco IOS devices use Privilege Levels and/or Command Sets whereas Cisco NX-OS devices use Custom Attributes. Step 1 Navigate to Work Centers > Device Administration > Device Admin Policy Sets. Add a new Policy Set NX-OS Devices: S Name Description Conditions NX-OS Devices DEVICE:Device Type EQUALS Device Type#All Device Types#Network Devices#NX-OS Devices Figure 6. Policy Set Condition Step 2 Create the Authentication Policy. For Authentication, we use the AD as the ID Store. Authentication Policy Default Rule (if no match) : Allow Protocols : Default Device Administration and use: demoad Figure 7. Authentication Policy Step 3 Define the Authorization Policy. Here we define the authorization policy based on the user groups in AD and the location of the device. For example, the users in AD group West Coast can access only the devices located in West Coast. S Rule Name Conditions Command Sets Shell Profiles HelpDesk DEVICE:Location CONTAINS All West Locations#West_Coast securitydemo.net/demogroups/west_coast HelpDesk_Commands NX-OS Operator HelpDesk East Security West securitydemo.net/demogroups/helpdesk DEVICE:Location CONTAINS All Locations#East_Coast securitydemo.net/demogroups/east_coast securitydemo.net/demogroups/helpdesk DEVICE:Location CONTAINS All Locations#West_Coast securitydemo.net/demogroups/west_coast securitydemo.net/demogroups/security_operators HelpDesk_Commands NX-OS_Security_Commands NX-OS Operator NX-OS Admin Cisco Systems 2016 Page 11

12 S Rule Name Conditions Command Sets Shell Profiles Security DEVICE:Location CONTAINS All East Locations#East_Coast securitydemo.net/demogroups/east_coast NX-OS_Security_Commands NX-OS Admin Admin West Admin East securitydemo.net/demogroups/security_operators DEVICE:Location CONTAINS All Locations#West_Coast securitydemo.net/demogroups/west_coast securitydemo.net/demogroups/network_operators DEVICE:Location CONTAINS All Locations#East_Coast securitydemo.net/demogroups/east_coast securitydemo.net/demogroups/network_operators Default if no matches, then DenyAllCommands Figure 8. Authorization Policy Permit_All_Commands Permit_All_Commands NX-OS Admin NX-OS Admin We are now done with the ISE configuration for Device Administration for NX-OS devices. Cisco Systems 2016 Page 12

13 NX-OS Configuration for TACACS+ SSH is enabled by default on Cisco NX-OS devices so we need only to ensure proper IP addressing for the management interface, before configuring TACACS+. ip domain-name securitydemo.net switchname N1Kv interface mgmt0 ip address /24 no shutdown vrf context management ip route / !!! disable DNS lookup!!! no ip domain-lookup!!! VLANs!!!! vlan 100 name mgt!!! Define VTY access!!! ip access-list vtyaccess 10 permit tcp / /32 eq deny ip any any line console exec-timeout 0 line vty access-class vtyaccess in Since we have a valid IP address for the above sample network device at this stage, we can SSH to this NX-OS device from a client in /24. Note that we disable EXEC timeout for CONSOLE so to avoid possible access issue during AAA configuration. TACACS+ AAA on a Cisco NX-OS device can be configured in the following sequence: 1. Enable TACACS+ Authentication and Fallback 2. Enable TACACS+ Command Authorization 3. Enable TACACS+ Command Accounting Cisco Systems 2016 Page 13

14 TACACS+ Authentication and Fallback TACACS+ authentication can be enabled with a configuration similar to the following: tacacs+ enable role name demo-security description A user-defined role example for demo purposes rule 10 permit read-write feature interface interface policy deny permit interface Vethernet1 tacacs-server host key ISEisC00L timeout 10 tacacs-server host test username tp-test password tp-test idle-time 60 aaa group server tacacs+ demotg server deadtime 10 use-vrf management source-interface mgmt 0 aaa authentication login ascii-authentication aaa authentication login default group demotg aaa authentication login console local We have thus switched to TACACS+ to authenticate the VTY lines. Since no TACACS+ command authorization yet, the TACACS+ users are currently authorized based on their user roles. In the events that the configured TACSACS+ server becomes unavailable, the login authentication falls back to use the local user database. TACACS+ Command Authorization This is optional, as users can be authorized on their roles. TACACS+ Command Authorization for the configuration mode and for the EXEC mode can be enabled by adding the following: aaa authorization config-commands default group demotg local aaa authorization commands default group demotg local TACACS+ Command Accounting Command accounting sends info about each command executed, which includes the command, the date, and the username. The following adds to the previous configuration example to enable this accounting feature: aaa accounting default group demotg We are done with the NX-OS configuration for TACACS+. Cisco Systems 2016 Page 14

15 What s Next? Configuration for Device Administration for Cisco NX-OS is completed. We will need to validate the configuration. Step 1 Step 2 Step 3 SSH and log into the NX-OS devices as various roles. Once on the device command-line interface (CLI), verify that the user has access to the right commands. For example, a Helpdesk user should be able to ping a regular IP address (e.g ) but denied to ping a broadcast address (e.g ). To show the user connections and role(s), issue show users show user-account [<user-name>] A sample output is shown below: N1Kv# show users NAME LINE TIME IDLE PID COMMENT admin ttys0 Jan 11 02: hellen pts/0 Jan 11 02: ( ) session=ssh * N1Kv# show user-account hellen user:hellen roles:network-operator account created through REMOTE authentication Credentials such as ssh server key will be cached temporarily only for this user account Local login not possible... Step 4 The following debugs are useful in troubleshooting TACACS+: debug tacacs+ aaa-request Here is a sample debug output: 2016 Jan 11 03:03: tacacs[6288]: process_aaa_tplus_request:checking for state of mgmt0 port with servergroup demotg 2016 Jan 11 03:03: tacacs[6288]: process_aaa_tplus_request: Group demotg found. corresponding vrf is management 2016 Jan 11 03:03: tacacs[6288]: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:management of requested group 2016 Jan 11 03:03: tacacs[6288]: process_aaa_tplus_request:port_check will be done 2016 Jan 11 03:03: tacacs[6288]: state machine count Jan 11 03:03: tacacs[6288]: is_intf_up_with_valid_ip(1258):proper IOD is found Jan 11 03:03: tacacs[6288]: is_intf_up_with_valid_ip(1261):port is up Jan 11 03:03: tacacs[6288]: debug_av_list(797):printing list 2016 Jan 11 03:03: tacacs[6288]: 35 : 4 : ping 2016 Jan 11 03:03: tacacs[6288]: 36 : 12 : Jan 11 03:03: tacacs[6288]: 36 : 4 : <cr> 2016 Jan 11 03:03: tacacs[6288]: debug_av_list(807):done printing list, exiting function 2016 Jan 11 03:03: tacacs[6288]: tplus_encrypt(659):key is configured for this aaa sessin Jan 11 03:03: tacacs[6288]: num_inet_addrs: 1 first s_addr: s6_addr : 0a01:64b4:: 2016 Jan 11 03:03: tacacs[6288]: non_blocking_connect(259):interface ip_type: IPV Jan 11 03:03: tacacs[6288]: non_blocking_connect(369): Proceeding with bind 2016 Jan 11 03:03: tacacs[6288]: non_blocking_connect(388): setsockopt success error:22 Cisco Systems 2016 Page 15

16 2016 Jan 11 03:03: tacacs[6288]: non_blocking_connect(489): connect() is in-progress for server Jan 11 03:03: tacacs[6288]: tplus_decode_authen_response: copying hostname into context Step 5 From the ISE GUI, navigate to Operations > TACACS Livelog. All the TACACS authentication and authorization requests are captured here, and the details button provides detailed information about why a particular transaction passed/failed. Figure 9. TACACS Livelogs Step 6 For historic reports: Go to Work Centers > Device Administration > Reports > Device Administration to get the authentication, authorization, and accounting reports. Cisco Systems 2016 Page 16