AD Groups x TACACS+ Groups


Paulo Roberto Tomasi

Feb 3, 2021, 12:08:43 PM
to event-driv...@googlegroups.com
Hi everyone,

I would like some help with a few questions about TACACS+ integration with Windows Active Directory.

I have done integration already, now I'm trying to understand the relation of user+groups configured in TACACS+ vs user+groups configured in AD.

Here are some questions about the role of user/groups in each component:

1 - Is it possible to assign permissions to users based on AD groups? Do I need to create the same groups in tac_plus.conf?

2 - Is it possible to use the same group/permissions to different vendors? In my example, apply groups Engineer, Tech and Read to Cisco/Huawei/Juniper vendors

3 - Is it mandatory to configure priv-lvl in each group?

4 - Can the groups be based only on attributes (not to use priv-lvl)? How to correctly set "default command" and "default attribute" options?

This image shows a base to the questions: [image attachment: 2021-02-03 11_33_09.png]

The idea here is to create only three groups and (if possible) assign them to users and devices this way:

* give all possible commands to John (engineer) to all devices;
* give some config commands to Peter (technician) to all devices;
* give only read commands to Paul (read) to all devices.

Thanks!

Marc Huber

Feb 3, 2021, 1:30:31 PM
to event-driv...@googlegroups.com
Hi Paulo,

On 03.02.21 18:08, Paulo Roberto Tomasi wrote:
> 1 - Is it possible to assign permissions to users based on AD groups?
> Do I need to create the same groups in tac_plus.conf?

Yes and yes. AD groups are mapped to tac_plus groups (with
$AD_GROUP_PREFIX removed). Multi-group memberships (with unlimited
scope) aren't permitted.

> 2 - Is it possible to use the same group/permissions to different
> vendors? In my example, apply groups Engineer, Tech and Read to
> Cisco/Huawei/Juniper vendors

Yes, if the service used is compatible enough. The daemon doesn't
know/care about device types. Juniper shouldn't be an issue at all
(service is junos-exec).

> 3 - Is it mandatory to configure priv-lvl in each group?

Groups are hierarchic. priv-level can be configured at any group level
or at user level.

> 4 - Can the groups be based only on attributes (not to use priv-lvl)?
> How to correctly set "default command" and "default attribute" options?

priv-lvl is actually an attribute, too ...

> The idea here is to create only three groups and (if possible) assign them
> to users and devices this way:
>
> * give all possible commands to John (engineer) to all devices;
> * give some config commands to Peter (technician) to all devices;
> * give only read commands to Paul (read) to all devices.

setenv AD_GROUP_PREFIX = "tac_"

John: AD-Membership: tac_full_access
Peter: AD-Membership: tac_limited_access
Paul: AD-Membership: tac_read_access

group = full_access {
    service = shell {
        add priv-lvl = 15
        default cmd = permit
    }
    service = junos-exec {
        ...
    }
}

group = limited_access {
    service = shell {
        add priv-lvl = 15
        default cmd = deny
        cmd = show { permit . }
        cmd = configure { permit . }
        cmd = ...
    }
    service = junos-exec {
        ...
    }
}

group = read_access {
    service = shell {
        add priv-lvl = 15
        default cmd = deny
        cmd = show { permit . }
        cmd = exit { permit . }
        cmd = ...
    }
    service = junos-exec {
        ...
    }
}

I don't think the "default attribute" is of any relevance in this
context, but I may be wrong on that (regarding junos-exec).

Cheers,

Marc
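
An added example, not part of the thread or of tac_plus itself, that models the mapping Marc describes (AD_GROUP_PREFIX stripped to pick the tac_plus group, a single prefixed membership only, then per-service "default cmd" plus per-command regexes). The POLICY table and the `.*` argument regex are constructed simplifications of the three groups above.

```python
import re

AD_GROUP_PREFIX = "tac_"  # mirrors the setenv in the thread

# Constructed model of the three groups from the thread: per service,
# a default verdict plus per-command argument regexes. ".*" is used
# here instead of "." so that an argument-less "show" also matches
# (a simplifying assumption of this model, not tac_plus semantics).
POLICY = {
    "full_access":    {"shell": {"default": "permit", "cmds": {}}},
    "limited_access": {"shell": {"default": "deny",
                                 "cmds": {"show": ".*", "configure": ".*"}}},
    "read_access":    {"shell": {"default": "deny",
                                 "cmds": {"show": ".*", "exit": ".*"}}},
}


def map_ad_groups(ad_groups):
    """Strip AD_GROUP_PREFIX from AD memberships to get the tac_plus group.

    Returns None if no membership carries the prefix; raises if more than
    one does, since the thread states multi-group memberships are not
    permitted and an ambiguous mapping must not silently pick a group.
    """
    matches = [g[len(AD_GROUP_PREFIX):]
               for g in ad_groups if g.startswith(AD_GROUP_PREFIX)]
    if len(matches) > 1:
        raise ValueError(f"ambiguous tac_plus group membership: {matches}")
    return matches[0] if matches else None


def authorize_cmd(ad_groups, service, command):
    """Return 'permit' or 'deny' for one command line under the mapped group."""
    group = map_ad_groups(ad_groups)
    if group is None or group not in POLICY:
        return "deny"                 # no mapped group: fail closed
    svc = POLICY[group].get(service)
    if svc is None:
        return "deny"                 # service not configured: fail closed
    verb, _, args = command.strip().partition(" ")
    pattern = svc["cmds"].get(verb)
    if pattern is None:
        return svc["default"]         # no cmd clause: fall through to default cmd
    return "permit" if re.fullmatch(pattern, args) else "deny"
```

Running the same command set through each group is a cheap way to review a policy change before it reaches the daemon.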

Paulo Roberto Tomasi

Feb 3, 2021, 2:16:16 PM
to event-driv...@googlegroups.com
Thank you very much for this precious information.

Very well explained

Thanks, Marc

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/ef1b93c2-5612-bbbc-5f43-7ee0658a32ba%40googlemail.com.