TACACS and RADIUS Support on NFVIS

About RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its AAA security paradigm. RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

RADIUS Operation

When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:

  1. The user is prompted to enter the username and password.

  2. The username and encrypted password are sent over the network to the RADIUS server.

  3. The user receives one of the following responses from the RADIUS server:

    1. ACCEPT—The user is authenticated.

    2. CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

    3. CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.

    4. REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:
  • Services that the user can access, including connections such as Telnet, rlogin, or local-area transport (LAT), and services such as PPP, Serial Line Protocol (SLIP), or EXEC services.

  • Connection parameters, including the host or client IP address, access list, and user timeouts.

Configuring a TACACS+ Server

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.

On the TACACS+ server, ensure you configure Cisco attribute-value (AV) pair privilege level (priv-lvl) for Cisco Enterprise NFVIS service for the minimum privilege level of administrators and operators.

For more details on TACACS+ configuration, see the Configuring TACACS module in TACACS+ Configuration Guide, Cisco IOS XE Release 3S.


Note

In NFVIS 3.11.1 or earlier release, users with no privilege level or users with a privilege level that is less than the operator's privilege level are considered as auditors with read-only permission.

After NFVIS 3.12.1 release, users with privilege level zero won't be able to login to NFVIS anymore.


To configure TACACS+:


configure terminal
tacacs-server host 209.165.201.20 shared-secret test1
key 0 
admin-priv 14
oper-priv 9
commit

In this configuration, privilege level 14 is assigned to the administrator role, and privilege level 9 is assigned to the operator role. This means a user with privilge level 14 or higher will have all admin privileges when the user logs into the system, and a user with privilege level 9 or higher will have all privileges of an operator at the time of login.

Starting from NFVIS 3.9.2 release, TACACS+ secret encryption is supported. You can only configure either secret key or encrypted secret key at a given time. Encrypted secret key can contain special characters but secret key cannot. For NFVIS 3.12.1 release, the following pattern is supported for encryped-shared-key: [-_a-zA-Z0-9./\\<>%!*$€#{}()+].

To configure encrypted TACACS+ key:


configure terminal
tacacs-server host 209.165.201.20 encrypted-shared-secret test1
key 0 
admin-priv 14
oper-priv 9
commit

Verifying the TACAC+ configuration

Use the show running-config tacacs-server command to verify the configuration if encrypted TACACS+ key is configured:


nfvis# show running-config tacacs-server 

tacacs-server host 209.165.201.20
 encrypted-shared-secret $8$mRTnL9TKZCFi1BUP7Mwbm3JVIo4Z7QvJ
 admin-priv              15
 oper-priv               11
!

TACACS+ APIs and Commands

TACACS+ APIs

TACACS+ Commands

  • /api/config/security_servers/tacacs-server

  • /api/config/security_servers/tacacs-server?deep

  • /api/config/security_servers/tacacs-server

    /host/<ip-address/domain-name>

  • tacacs-server host

  • key

  • admin-priv

  • oper-priv

Configuring RADIUS

To configure RADIUS support:


radius-server host 103.1.4.3
key 0 
shared-secret cisco123
admin-priv 2
oper-priv  1
commit

Starting from NFVIS 3.9.2 release, TACACS+ secret encryption is supported. You can only configure either secret key or encrypted secret key at a given time. To configure encrypted RADIUS key:


radius-server host 103.1.4.3
key 0 
encrypted-shared-secret cisco123
admin-priv 2
oper-priv  1
commit

Verifying the RADIUS configuration

Use the show running-config radius-server command to verify the interface configuration for a RADIUS session:


nfvis# show running-config radius-server 

radius-server host 103.1.4.3
 key           0
 shared-secret cisco123
 admin-priv    2
 oper-priv     1

RADIUS Support APIs and Commands

APIs

Commands

  • /api/config/security_servers/radius-server

  • host

Specifying TACACS and RADIUS Authentication

NFVIS supports both TACACS+ and RADIUS but only one authentication method can be enable at a time. After you have identified the TACACS+ and RADIUS server and defined an associated TACACS+ and RADIUS authentication key, you must define method lists for TACACS+ and RADIUS authentication. Because TACACS+ and RADIUS authentication is operated through AAA, you need to issue the aaa authentication command, specifying TACACS+ or RADIUS as the authentication method.


nfvis(config)# aaa authentication ?
Possible completions:
  radius   Use RADIUS for AAA
  tacacs   Use TACACS+ for AAA
  users    List of local users

Note

  • Only when TACACS+ or RADIUS is enabled, it can be used for authentication.

  • When TACACS+ or RADIUS is not accessible, local authentication is used. Local authentication is disabled if the connection between TACACS+ or RADIUS and NFVIS is restored.

  • If same username exists on both local and TACACS+ or RADIUS, then TACACS+ or RADIUS user is chosen for authentication.

  • It is recommended to configure Syslog Support so that it is easier to debug if TACACS+ or RADIUS does not work as expected.


All login attempts will be logged in syslogs in the local /var/log/nfvis_syslog.log file and in remote syslog servers. It is important to configure a remote syslog server when configuring TACACS+/RADIUS in order to be able to view logs regarding login attempts when TACACS+/RADIUS is configured.