Sunday, November 8, 2015

Finally TACACS on ISE


Cisco has been persuading people migrate ACS to ISE.  However one of the hold-backs is ISE's lack of TACACS support.  ISE 2.0 finally supports TACACS.  This article is to demonstrate a "barebone" configuration of TACACS with ISE 2.0.

One of the important features of TACACS is "per command authorization", which means you can customize which commands users are allowed to execute.  For example, you'd like to allow HelpDesk users use most of the "show" commands.  So they can show interface status, show routing table, etc.  However, you don't want them be able to "show running-config" as the configuration file contains sensitive information (such as SNMP RW community string).  This is the most popular use case of TACACS.  This article will show you how to do it with ISE 2.0.

Before diving into configuration, let's review the AAA authorization flow chart.

As seen from the flow chart above, "priv_level" takes precedence over "User Profile"(in ISE it is called "Command Set").  Let say, if the logged in user was put into priv_level 1, it doesn't matter if the "Command Set" allows "show run" or not.  Because "show run" is not available in priv_level 1.

In our example, we'll put the user in priv_level 15.  Then we'll restrict the commands with "Command Set".

ISE Configuration

 ISE configuration is as simple as 1, 2, 3 as shown below:











1. Enable Device Admin Service

Go to "Administration > System > Deployment > Your ISE node (server)".  Check the "Enable Device Admin Service" check box and Save.

2. Enable TACACS for Network Devices

Go to "Administration > Network Resource > Network Devices".  Please note that you may create specific network devices here so they can have different settings.  For simplicity, I choose "Default Device".  Check the "TACACS+ Authentication Settings" checkbox and enter a "Shared Secret".  You will configure the same "shared secret" phrase in router config later on.  (a.k.a. TACACS key)

3. Configure "Device Admin Policy Set"

"Device Admin Policy Set" is a set of rules to customize the user access.  Before you can configure "Device Admin Policy Set", you'll have to configure the following first:
  • Identity/Identity Group (user/user group)
  • TACACS Command Set
  • TACACS Profile

3.1 Configure Identity/Identity Group

It is the best practice to put users into groups.  Then assign permissions to groups.

To create an identity group (user group), go to "Administration > Identity Management > Groups > User Identity Groups".  Click the "Add" button to add a group called "HelpDesk_Group".
To create an identity (user), go to "Administration > Identity Management > Identities > Users".  Click the "Add" button to add an identity (user) called "jdoe".  Put the user into "HelpDesk_Group".

3.2 Configure "Command Set"

"Command Set" define which command the user can or cannot execute.
Go to "Work Centers > Policy Results > TACACS Command Sets".  Add a new command set called "HelpDesk_CommandSet".  As show in the picture above, we'll add three command rules:
1) PERMIT, show, .*
This rule allow all the commands begin with "show", such as "show interface", "show ip route", etc.
However, we don't want the HelpDesk users to be able to see the full configuration (either running-config or startup-config").  Thus we'll have to exclude the "show running-config" and "show startup-config" commands.
2) DENY_ALWAYS, show, running-config
3) DENY_ALWAYS, show, startup-config
Rule #2 and #3 above exclude the corresponding commands.
You might wonder what's the difference between "DENY" and "DENY_ALWAYS".  ISE examines the rules from top to bottom.  Once it found a matching rule, it'll stop examining the remaining rules.  Thus the order of the rules is very important.  "DENY_ALWAYS" rules are always examined first regardless of their position on the list.  This is to make sure the ones you want to deny will definitely be denied.  Of course, you may use "DENY" instead.  Just to make sure the DENY rules are on top of the PERMIT rules.

3.3 Configure TACACS Profile

Go to "Work Centers > Policy Results > TACACS Profiles".  Add a new profile called "HelpDesk_Profile".  Set the default priviledge and maximum privilege to 15.
Depending on the use case, you may set different privilege levels.  But in our example, we want to control the access with Command Set instead of Privilege Level.  That's why we set the privilege level to 15 (highest).

3.4 Configure Device Admin Policy Set

Now with all prerequisite ready, go to "Work Centers > Device Administration > Device Admin Policy Sets".  Click "Add" button to add a policy set called "IOS" above the "Default" policy set.

Three attributes need to be configured:
1) Name
2) Condition - in our example, condition doesn't matter but it cannot be blank.  Thus we add a condition "Device Type=All", which is a "always true" condition.
3) Authorization Rule - in our example, we want to control what the user can do.  This is called "per command authorization".  The rule says:
IF the logged in user is within "HelpDesk_Group" do the following:
A) Apply shell profile "HelpDesk_Profile" (in our example, the whole purpose of the profile is to set priv_level to 15).
B) For each command user entered, check against "HelpDesk_CommandSet" to permit or deny.


 IOS Configuration

! -- Have to enter this first, otherwise some commands are not available
aaa new-model
! -- Define TACACS server
tacacs server ISE
 address ipv4 192.168.21.10
 key Cisco123
!
! -- Define TACACS server group 'ISE_GROUP'
aaa group server tacacs+ ISE_GROUP
 server name ISE
!
! -- Define a local user in case TACACS is not available
username cisco privilege 15 password 0 cisco
! -- Default method is no authentication or authorization
aaa authentication login default none
aaa authorization exec default none
!
! -- Define method 'ABC' for authentication and authorization
aaa authentication login ABC group ISE_GROUP local
aaa authorization exec ABC group ISE_GROUP local
aaa authorization commands 15 ABC group ISE_GROUP local
aaa authorization config-commands
!
! -- Use method ABC on VTY authentication and authorization
line vty 0 4
 login authentication ABC
 authorization exec ABC
 authorization commands 15 ABC
 transport input all

Test

Telnet to the router.  Log in with user 'jdoe'.  Try some commands.  We see that the user can run all the show commands except for "show run" and "show start".  The user cannot run any other commands (such as "conf t").

Troubleshooting

On ISE there is a "Operation > TACACS Livelog" screen.  We may see realtime authentication and authorization events.
Click on the "Details" icon to view detailed TACACS authorization report.


Another Example of Command Set


The above command set will do the following:
1) Allow all "show" commands except for "show running-config" and "show startup-config" (to view the full configuration file)
2) However, it allows "show running-config interface" to view the configuration of a specific interface.
3) Allow "clear counters" command.

Please note the order of the rules.  With the same command, more specific arguments should be on the top.  Less specific arguments should be at the bottom.

Thursday, June 18, 2015

Cisco IOS AAA Configuration with ISE

I was trying to set up a POC (Proof Of Concept) lab to use Cisco ISE as AAA server.

IMHO, a good configuration example should meet the following:

1) Minimal
No one wants to read a 300-line example.  A minimal configuration is easy to understand.  If needed, we may add features on top of the minimal configuration.

2) Typical
The example should represent the most popular use case.

3) No Ambiguity
Though not affecting functionality, names should be picked carefully to avoid any potential confusion for readers (especially beginners).

My goal was to set up AAA on a Cisco router with Cisco ISE for IOS CLI.  Based on the username, IOS privilege level 7 or level 15 will be assigned after login.

This is a typical use case as RBAC (Role Based Access Control) is widely used.  Users with privilege 7 can run most of the "show" commands but not the "conf t" command.  Users with privilege 15 can run all commands.

I have ISE 1.4 and UNL 0.9.0-40 running on VMware Workstation.  The topology is like below:

ISE IP = 192.168.21.131
Router IP = 192.168.21.201



Router configuration:

! -- encrypt passwords in config file
service password-encryption
!
! -- fallback user account in the event of RADIUS failing
username admin password cisco
enable password cisco
!
! -- define RADIUS server
radius server RADIUS-ISE
 address ipv4 192.168.21.131
 key secret123
!
! -- create AAA server group
aaa group server radius RADIUS-ISE-GROUP
 server name RADIUS-ISE
!
! -- creaate new AAA model
aaa new-model
!
! -- Configure the default login method to 'none' (no authentication)
! -- This method applies to the console by default
aaa authentication login default none
aaa authorization exec default none
!
! -- Configure Authentication and Authorization methods for VTY lines
aaa authentication login VTY_authen group RADIUS-ISE-GROUP local
aaa authorization exec VTY_author group RADIUS-ISE-GROUP local
!
! -- Configure default Accounting method, which applies to both console and VTY lines
aaa accounting exec default start-stop group RADIUS-ISE-GROUP
!
! -- Apply Authentication and Authorization methods to VTY lines
line vty 0 4
 authorization exec VTY_author
 login authentication VTY_authen
 transport input all



ISE configuration:


1.     Administration > Network Resources > Network Devices > Default Device


For simplicity, we use “Default Device” here.  You may create device group to have more granular control.

Enable “Default Network Device Status”.
Enter “secret123” into “Shared Secret” field.

2.     Policy > Policy Elements - Results > Authorization > Authorization Profiles

 Create two authorization profiles:
  • Shell_priv_15
  • Shell_priv_7

Attribute settings for profile “Shell_priv_15”:
Cisco:cisco-av-pair
Shell:priv-lvl=15
Radius:Service-Type
Login

Attribute settings for profile “Shell_priv_7”:
Cisco:cisco-av-pair
Shell:priv-lvl=7
Radius:Service-Type
Login


3.     Administration > Identity Management > Groups

Create two User Identify groups:
  • CLI-users-15
  • CLI-users-7

4.     Administration > Identity Management - Identities > Users

Create users and put into desired group

 

5.     Policy > Authorization

 Create two authorization policies on the top:
  • CLI-access-15
  • CLI-access-7

Associate corresponding user group to “Conditions” column.
Associate corresponding authorization (standard) profile to “Permissions” column.





Monday, May 25, 2015

New book - Deploying Cisco Unified Contact Center Express

Back in 2006 I was a Cisco TAC engineer supporting Contact Center Express (a.k.a. IPCC Express, CRA, CRS, IPIVR, now known as CCX).  Information is so scarce that even TAC engineers joked it was "tribal knowledge".

To make things more interesting (instead of saying "worse"), CCX components were developed by different companies - CCX Engine was developed by Cisco while Desktop Suite was developed by Spanlink (now Calabrio).

Cisco's documentation is "menu driven" instead of "task driven".  i.e. the documentation explains what each menu does but doesn't tell you what menus you need to navigate to achieve a specific goal.

Training partner classes are more focusing on scripting other than system integration.

Since then I was hoping to write a book on CCX.  Not a "CCX For Dummies" but a book for engineers.  For engineers that are smart enough to grasp any new products or technologies with a lab and a good book.

Different people have different definitions of "good book".  My definition is:

1) KISS - Keep It Simple Stupid.
2) Tell me something new - Something that the manufacturer manual didn't tell me.

I've been procrastinating due to work and family.  Now it's 2015.  I finally had the chance to finish something I wanted to do nine years ago.  For the time being, the book is only available from LuLu.com (http://www.lulu.com/shop/michael-houtong-luo/deploying-cisco-unified-contact-center-express/paperback/product-22186750.html).  It will be available on other retailers (such as Amazon, Barnes & Noble, etc.) later on.  Table of content can be viewed from here.

Same as my other book "Deploying Cisco Unified Presence", I did this with limited time and resource.  I'm pretty sure there will be typos and mistakes in the book.  I'd appreciate it if you can send me your feedback and suggestions to houtong@gmail.com.

By the way, I'm setting up a charitable foundation (Luo's Foundation) to support  students from low-income families.  All proceeds from this book will go to the foundation.  I will publish the details when the foundation is fully set up.

Thank you very much for your support.

http://www.lulu.com/shop/michael-houtong-luo/deploying-cisco-unified-contact-center-express/paperback/product-22186750.html


Tuesday, May 5, 2015

ESXi 6.0 on HP DL380 G5

Just upgraded ESXi from 5.5 to 6.0 on my HP DL380 G5 with the "HP Custom Image".  Thought it'd work better than the "vanilla" (generic) image.

The install went well.  But from time to time, it kept giving me the purple screen (system crash), usually 10 - 20 minutes after the VMs boot up.

A search led me to the URL http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2085921

But it didn't fix my problem.

Finally, I decided to "upgrade" with a generic image - overwrite the HP custom version with a generic version.

The installer gave me warning on the RAID controller.  P400 controller was "not supported" by 6.0 any more.  I ignored and continue.  The install completed successfully.

Now I'm living happily ever after.  :)

Saturday, April 4, 2015

IOU, GNS3, Cisco VIRL/CML

GNS3 is a well known network emulator software.  Many people compare it with IOU, which is not quite an apple-to-apple compare.

GNS3 is actually a front end add-on to DynamIP - which is the real emulator. I'm not going to compare DynamIP and IOU here as this has been done many times.  You may search Internet for those articles.

DynamIP and IOU requires quite some command line effort to get them running.  Thus some "front end" add-ons were built to make them easier to use.  GNS3 is the most popular front end of DynamIP.  On IOU side, it's probably IOU Web.  These add-ons allow you crate network topologies, save/restore configurations, etc.



From easy-of-use perspective, GNS3 is no doubt a winner.  You may drag-and-drop routers/switches in GNS3.  However, I prefer IOU because it uses much less resource (CPU/memory) and I'm not afraid of writing up the NETMAP file.

IOU Web doesn't have drag-and-drop.  But it has quite a few neat features.  For example, you may use any existing network diagram and map the elements on it to any virtual devices.  It also has a very powerful configuration/lab management interface.

Things become interesting now when GNS3 can act as IOU front-end.


I tested GNS3 version 1.3 with IOU back end and it works pretty well.  I think here's how I would choose between GNS3 and IOU Web:

If I need to create a lab in a very short time (say 20 routers in 15 minutes), I'd use GNS3.  Otherwise I'd probably use IOU Web as it gives me more flexibility on documentation and network drawings.  Also, as a "minimalist", IOU Web doesn't require any front end software (as it has a http server built-in and uses web interface).

How about Cisco VIRL/CML?

Sigh...  when I first heard about the idea two years ago, I was so excited.  Finally, an official / vendor-supported network emulator!  With the progress lagging on, we're getting more and more frustrated and disappointed.

Yes, Cisco VIRL/CML does have some unique features such as auto-generated configuration, TAC support, etc.  But aren't those features more "novice facing"?  The most disappointing part was - Cisco didn't (and has no plan) to invest more on the L2 features.

I had a conversation with the CML product manager lately.  He admitted that the NX-OS feature on CML was "70% done" because quite a few developers in the Nexus team were laid off.  Thus the most interested features such as VDC, VPC are not available on CML.  I asked if there's ANY possibility that Cisco continues the development and complete the rest 30% in the future, his answer was a very definite "No".  Then I asked him what's the selling point of CML?  He just kept repeating "more than 15 nodes" and "TAC supported".

VIRL (personal edition) is selling for $200.  CML (enterprise edition)'s price structure is unknown.  But price is not the point here.  Even if they are free, what's the advantage they have over GNS3 and IOU?