20110504

Configuring privileges for RANCID access to Cisco devices


This is a workaround for older IOS versions (12.4x) where Role-Based CLI cannot be used for the rancid user: clogin(1) expects the # symbol as the prompt, while older IOS sends > when Role-Based CLI is in use.

1. Configure AAA:

aaa new-model
aaa authentication login default local
aaa authorization exec default local

2. Create the rancid user on the Cisco device:

username test privilege 5 secret SomeTrueSecret

3. Set privilege level for appropriate commands:

privilege exec level 5 dir
privilege exec level 5 show vlan-switch
privilege exec level 5 show vtp status
privilege exec level 5 show vtp
privilege exec level 1 show inventory raw
privilege exec level 1 show inventory
privilege exec level 5 show vlans
privilege exec level 5 show diag
privilege exec level 5 show version
privilege exec level 5 show debugging
privilege exec level 5 show controllers
privilege exec level 5 show running-config view full
privilege exec level 5 show running-config view
privilege exec level 5 show running-config
privilege exec level 5 show

The list of commands varies per Cisco platform. It can be determined by extracting the commands from the @commandtable hash in rancid(1) and adding them to the Cisco config; the device will accept those it supports.
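As an added illustration of that extraction step (not rancid's own code; the @commandtable excerpt and the running-config fragment are constructed), the Python below pulls the command keys out of a rancid @commandtable, expands each to the prefix keywords IOS also needs granted, emits the matching privilege lines, and reports which ones a running-config still lacks:

```python
import re

# Constructed excerpt shaped like the @commandtable hash in rancid(1);
# the real table is longer and differs per platform.
RANCID_COMMANDTABLE = """
@commandtable = (
    {'show version'                  => 'ShowVersion'},
    {'show inventory raw'            => 'ShowInventory'},
    {'show vtp status'               => 'ShowVTP'},
    {'show running-config view full' => 'WriteTerm'},
);
"""
# Constructed running-config fragment: privilege lines already on a router.
SAMPLE_RUNNING_CONFIG = """
privilege exec level 5 show vtp status
privilege exec level 5 show vtp
privilege exec level 1 show inventory raw
privilege exec level 1 show inventory
privilege exec level 5 show version
privilege exec level 5 show
"""
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+?)\s*$")

def commands_from_commandtable(text):
    """CLI commands that appear as hash keys in a rancid @commandtable."""
    return re.findall(r"\{\s*'([^']+)'\s*=>", text)

def needed_prefixes(commands):
    """Each command plus every leading keyword prefix: IOS only reaches
    'show vtp status' at level 5 if 'show vtp' and 'show' are granted too."""
    prefixes = set()
    for cmd in commands:
        words = cmd.split()
        for n in range(1, len(words) + 1):
            prefixes.add(" ".join(words[:n]))
    return prefixes

def privilege_lines(commands, level=5):
    """'privilege exec level N ...' lines for every command and prefix, longest first."""
    ordered = sorted(needed_prefixes(commands), key=lambda c: (-len(c.split()), c))
    return ["privilege exec level %d %s" % (level, c) for c in ordered]

def missing_privileges(running_config, commands, level=5):
    """Commands the rancid account cannot reach: each needed command or prefix must
    have a privilege line at or below `level`; ungranted ones are assumed level 15."""
    granted = {m.group(2): int(m.group(1)) for m in
               (PRIV_RE.match(l.strip()) for l in running_config.splitlines()) if m}
    return sorted(c for c in needed_prefixes(commands) if granted.get(c, 15) > level)
```

Run missing_privileges() against a freshly pulled running-config after every IOS upgrade; a command rancid needs that drops back to level 15 shows up as a missing line rather than as a silent gap in the next diff.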

Using a RADIUS server gives more granular access control, for example with Microsoft NPAS:

1. (PowerShell) Add NPS Server Role

Import-Module ServerManager
Add-WindowsFeature NPAS-Policy-Server
wuauclt.exe /detectnow

2. (PowerShell) Create group and user accounts

Import-Module ActiveDirectory

New-ADGroup "Cisco-lvl5" Global `
    -Path 'OU=Admin_Groups,OU=10_Admin,DC=company,DC=test' `
    -Description "Membership grants level 5 exec access on Cisco equipment" `
    -OtherAttributes @{mail="noc@company.test"}

New-ADUser _rancid -UserPrincipalName "_rancid@company.test" `
    -CannotChangePassword $true -PasswordNeverExpires $true -Enabled $true `
    -Path 'OU=Service Accounts,OU=RANCID,OU=09_Corporate_Apps,DC=company,DC=test' `
    -DisplayName "_rancid" -Description "Really Awesome New Cisco confIg Differ" `
    -Company "Company" -Department "IS&T" -Division "NOC" -Country "US" -City "Portland" `
    -AccountPassword (ConvertTo-SecureString -String "SomeTrueSecret" -AsPlainText -Force) `
    -PassThru | Add-ADPrincipalGroupMembership -MemberOf "Cisco-lvl5"


3. (NPAS) Add the Cisco devices as RADIUS clients:

Advanced -> Vendor name: RADIUS Standard

4. (NPAS) Create Network Policy:

Conditions:

Service-Type: Login
Client Friendly Name: cisco
NAS Port Type: Virtual (VPN)
User Groups: COMPANY\Cisco-lvl5
Calling Station ID: 192\.168\.*|2001:DB8:DEAD:BEEF::.*

Settings:

Cisco-AV-Pair: shell:priv-lvl=5
Access Permission: Grant Access
NAS Port Type: Virtual (VPN)
Authentication Method: Unencrypted Authentication (PAP, SPAP)

5. (IOS) Configure the Cisco device for RADIUS authentication:

aaa new-model
aaa authentication login default group radius local-case
aaa authorization exec default group radius local

ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server host 192.168.1.x retransmit 0 key mykey1
radius-server host 192.168.2.x retransmit 0 key mykey2
