[tac_plus] Per Device Command Authorization
alan.mckinnon at gmail.com
Thu Nov 18 01:14:50 UTC 2010
Apparently, though unproven, at 00:57 on Thursday 18 November 2010, Ben
Wiechman did opine thusly:
> Is it possible to configure a list of commands a user is authorized to
> execute that differs by device?
Well, not easily, and not without mangling the config in insane ways.
A workaround is at the end, after I describe the problem :-)
> In our case we'd like to allow certain users read only type access on most
> devices, but give more access on certain devices to do things like
> configure static NAT, etc. Firewall administrators need more permissions
> on the firewalls, but not on backbone routers as another example.
I have exactly the same issue.
The problem is that the list of commands allowed for a user (or group) is
applied universally. What you and I want is to be able to create groups of
*devices* and then tie that to the allow/deny command list for the user. This
will instantly explode the length and complexity of your config
> I don't see any way to do this with the stock configuration, but I may be
> missing something.
> It looks like it might be possible with the multiple groups patch here
> (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely clear
> on that either.
I doubt that will work out well. The idea of multiple groups will work if each
group has a config that does not conflict in any way with any other group,
i.e. no two groups attempt to configure the same directive. Then the total
config for a user is the union of all the groups. In real life, what you get
is conflicts, and lots of them. How do you resolve that? Mathematics tells us
it must involve some arbitrary priority process, and that is very hard to
define. If you know C++ it's exactly the same thing as multiple inheritance
and you know how insane that can get. There's more info on this in the list
archives accessible through the web front-end - the question comes up a lot.
The workaround is to use separate tacacs servers for each class of device you
have, and configure each one separately with the access you want for each
user/group on those devices. Configure your devices to use the appropriate
server and port.
You can run multiple tac_plus daemons on one host using different ports and
devices can be configured as to the port to use. So there's no need to arrange
for more machines to do this.
alan dot mckinnon at gmail dot com
More information about the tac_plus