TACACS and RADIUS Support on NFVIS

About RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its AAA security paradigm. RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.


Note


You can configure upto four RADIUS servers. When multiple RADIUS servers are configured, if the first server is unreachable, NFVIS tries the next server in the order it is configured.


RADIUS Operation

When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:

  1. The user is prompted to enter the username and password.

  2. The username and encrypted password are sent over the network to the RADIUS server.

  3. The user receives one of the following responses from the RADIUS server:

    1. ACCEPT—The user is authenticated.

    2. CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

    3. CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.

    4. REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:
  • Services that the user can access, including connections such as Telnet, rlogin, or local-area transport (LAT), and services such as PPP, Serial Line Protocol (SLIP), or EXEC services.

  • Connection parameters, including the host or client IP address, access list, and user timeouts.

Configuring a TACACS+ Server

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.

On the TACACS+ server, ensure you configure Cisco attribute-value (AV) pair privilege level (priv-lvl) for Cisco Enterprise NFVIS service for the minimum privilege level of administrators and operators.

For more details on TACACS+ configuration, see the Configuring TACACS module in TACACS+ Configuration Guide, Cisco IOS XE Release 3S.


Note


In NFVIS 3.11.1 or earlier release, users with no privilege level or users with a privilege level that is less than the operator's privilege level are considered as auditors with read-only permission.

After NFVIS 3.12.1 release, users with privilege level zero won't be able to login to NFVIS anymore.


To configure TACACS+:


configure terminal
tacacs-server host 209.165.201.20 shared-secret test1
key 0 
admin-priv 14
oper-priv 9
commit

In this configuration, privilege level 14 is assigned to the administrator role, and privilege level 9 is assigned to the operator role. This means a user with privilge level 14 or higher will have all admin privileges when the user logs into the system, and a user with privilege level 9 or higher will have all privileges of an operator at the time of login.

Starting from NFVIS 3.9.2 release, TACACS+ secret encryption is supported. You can only configure either secret key or encrypted secret key at a given time. Encrypted secret key can contain special characters but secret key cannot. For NFVIS 3.12.1 release, the following pattern is supported for encryped-shared-key: [-_a-zA-Z0-9./\\<>%!*$€#{}()+].

To configure encrypted TACACS+ key:


configure terminal
tacacs-server host 209.165.201.20 encrypted-shared-secret test1
key 0 
admin-priv 14
oper-priv 9
commit

Verifying the TACAC+ configuration

Use the show running-config tacacs-server command to verify the configuration if encrypted TACACS+ key is configured:


nfvis# show running-config tacacs-server 

tacacs-server host 209.165.201.20
 encrypted-shared-secret $8$mRTnL9TKZCFi1BUP7Mwbm3JVIo4Z7QvJ
 admin-priv              15
 oper-priv               11
!

TACACS+ APIs and Commands

TACACS+ APIs

TACACS+ Commands

  • /api/config/security_servers/tacacs-server

  • /api/config/security_servers/tacacs-server?deep

  • /api/config/security_servers/tacacs-server

    /host/<ip-address/domain-name>

  • tacacs-server host

  • key

  • admin-priv

  • oper-priv

Configuring RADIUS

To configure RADIUS support:


configure terminal
radius-server host 103.1.4.3
shared-secret cisco123
admin-priv 15
oper-priv  11
commit

Starting from NFVIS 3.9.2 release, RADIUS secret encryption is supported. You can only configure either secret key or encrypted secret key at a given time. Use encrypted secret if special characters are used in secret. To configure encrypted RADIUS secret:


configure terminal
radius-server host 103.1.4.3
encrypted-shared-secret cisco123
admin-priv 15
oper-priv  11
commit

Verifying the RADIUS configuration

Use the show running-config radius-server command to verify the interface configuration for a RADIUS session:


nfvis# show running-config radius-server 

radius-server host 103.1.4.3
 key           0
 shared-secret cisco123
 admin-priv    15
 oper-priv     11

RADIUS Support APIs and Commands

APIs

Commands

  • /api/config/security_servers/radius-server

  • radius-server host

  • key

  • admin-priv

  • oper-priv

  • encrypted-shared-secret or shared-secret

Default Authentication Order

NFVIS supports both TACACS+ and RADIUS but only one authentication method can be enabled at a time. After you have identified the TACACS+ and RADIUS server and defined an associated TACACS+ and RADIUS authentication key, you must define method lists for TACACS+ and RADIUS authentication. Because TACACS+ and RADIUS authentication is operated through AAA, you need to issue the aaa authentication command, specifying TACACS+ or RADIUS as the authentication method.


nfvis(config)# aaa authentication ?
Possible completions:
  radius   Use RADIUS for AAA
  tacacs   Use TACACS+ for AAA
  users    List of local users

Note


  • Only when TACACS+ or RADIUS is enabled, it can be used for authentication.

  • When TACACS+ or RADIUS is not accessible, local authentication is used. It is recommended to use aaa authentication TACACS local command to authenticate using local database. Local authentication is disabled if the connection between TACACS+ or RADIUS and NFVIS is restored.

  • If the same username is registered for both local authentication and authentication through RADIUS or TACACS+, RADIUS or TACACS+ is chosen as the authentication method.

  • It is recommended to configure Syslog so that it is easier to debug if TACACS+ or RADIUS does not work as expected.


All login attempts will be logged in syslogs in the local nfvis_syslog.log, nfvis-ext-auth.log files and in remote syslog servers.

Enchancements for NFVIS 3.12.3, User Specific Authentication Order

Starting from NFVIS 3.12.3 release, the supported aaa authentication order is local authentication followed by TACACS+.

  • If the user is part of the local database, local authentication is executed and the user is permitted or denied access.

  • If the user is not part of the local database, TACACS+ is used for authentication.

  • If the same user is part of both the databases (local and TACACS+), the user can login with either the local password or the TACACS+ password. However, registering the same user in both the databases is not recommended.

In NFVIS 3.12.3 release, the only supported combination for authentication order is aaa auth-order local tacacs . Any other combinations are not supported. aaa auth-order configuration is mutually exclusive to aaa authentication and if one is configured, the other is automatically replaced.


nfvis(config)# aaa ?
Possible completions:
auth-order Configure authentication order; Mutually exclusive to authentication method configuration
authentication Configure external authentication method; Mutually exclusive to auth-order configuration
ios Specific IOS settings

nfvis(config)# aaa auth-order ?
Description: Configure authentication order; Mutually exclusive to authentication method configuration
Possible completions:local radius tacacs
nfvis(config)# aaa auth-order local ?
Possible completions:
radius tacacs <cr>
nfvis(config)# aaa auth-order local tacacs ?
Possible completions:radius <cr>
nfvis(config)# aaa auth-order local tacacs
nfvis(config)#