AnsweredAssumed Answered

Permissions based on device groups

Question asked by Robert Davis on Sep 6, 2018
Latest reply on Sep 7, 2018 by Robert Davis

Like • Show 0 Likes0
Comment • 2

Is it possible to setup RSA SecurID token access to allow permissions to the same user to different device groups? For instance if I want a user to have token access to Cisco Wireless LAN Controllers with read/write permissions but read-only permissions on Cisco Routers, would this be possible?

More in depth, would I be able to make permissions even more granular for instance in Cisco prime, setting user permissions to apply beyond read/write or read/only and actually limit users down to certain virtual domains using various strings?

Edward Davis

Sep 6, 2018 4:11 PM

Correct Answer

You can do this with radius authentication and setting up a radius profile for the user with 'Cisco specific' radius return attributes that tell the Cisco (a) this user is authenticated [access-accept] and (b) here are additional settings for the user. This depends on the Cisco device being able to use radius (most or all can) and also understand incoming attributes (most Cisco devices that can do radius auth can handle attributes). So seek Cisco documentation on which attributes can do [what you want] and after that it is somewhat trivial to make the RSA server send those attributes for a user. You can pile on the attributes and send many of them, up to the maximum size limit of a radius packet payload (depending on the payload this can be 50 to 100 attributes or more) and per radius RFC, if radius device sees an attribute it doesn't need or want it should ignore it and just process the ones it needs. So, essentially yes, you can do a lot with radius attributes and instruct the Cisco that 'this user needs exec-level privileges and needs these IP networks and ....' whatever the Cisco device is capable of doing with attributes.

Very common is the cisco-avpair attribute with multiple things it can do...a few examples

cisco-avpair= ”ip:addr-pool=first“

cisco-avpair= ”shell:priv-lvl=15“

The first example causes Cisco’s Multiple Named ip address Pools” feature to be activated during IP authorization (during PPP’s IPCP address assignment).

The second example causes a user logging in from a network access server to have immediate access to EXEC commands.

NOTE: RSA radius does not handle any form of CHAP, so avoid configuring radius CHAP options on the Cisco side.

See the reply in context

No one else had this question

Outcomes

Edward Davis

Sep 6, 2018 4:11 PM

Very common is the cisco-avpair attribute with multiple things it can do...a few examples

cisco-avpair= ”ip:addr-pool=first“

cisco-avpair= ”shell:priv-lvl=15“

The first example causes Cisco’s Multiple Named ip address Pools” feature to be activated during IP authorization (during PPP’s IPCP address assignment).

The second example causes a user logging in from a network access server to have immediate access to EXEC commands.

NOTE: RSA radius does not handle any form of CHAP, so avoid configuring radius CHAP options on the Cisco side.

Actions

Robert Davis Sep 7, 2018 8:41 AM

Thank you Edward! To confirm, you can setup the profile so that a single user token ID has read only access to Device Group A and read/write access to Device Group B?

I think your answer states that but I'm not sure I am 100% confident you stated a single user can have different access levels to different device groups. I have setup radius return attributes on cisco ACS however I do not have access to our RSA server.

The administrator of that server stated specifically "As has been previously explained. There is no way to grant a user read-only access to some network devices and read-write to others." Since I can't login and check myself, I wanted to ask here before going back to them.

We have LAN engineers and WAN engineers and want to grant read write for LAN on the layer 2 environment and read only on the WAN environment. Everything is token based auth.

Respectfully,

Rob

Actions

2 Replies

Edward Davis Sep 6, 2018 4:11 PM
Unmark Correct
Correct Answer
You can do this with radius authentication and setting up a radius profile for the user with 'Cisco specific' radius return attributes that tell the Cisco (a) this user is authenticated [access-accept] and (b) here are additional settings for the user. This depends on the Cisco device being able to use radius (most or all can) and also understand incoming attributes (most Cisco devices that can do radius auth can handle attributes). So seek Cisco documentation on which attributes can do [what you want] and after that it is somewhat trivial to make the RSA server send those attributes for a user. You can pile on the attributes and send many of them, up to the maximum size limit of a radius packet payload (depending on the payload this can be 50 to 100 attributes or more) and per radius RFC, if radius device sees an attribute it doesn't need or want it should ignore it and just process the ones it needs. So, essentially yes, you can do a lot with radius attributes and instruct the Cisco that 'this user needs exec-level privileges and needs these IP networks and ....' whatever the Cisco device is capable of doing with attributes.

Very common is the cisco-avpair attribute with multiple things it can do...a few examples
cisco-avpair= ”ip:addr-pool=first“
cisco-avpair= ”shell:priv-lvl=15“

The first example causes Cisco’s Multiple Named ip address Pools” feature to be activated during IP authorization (during PPP’s IPCP address assignment).
The second example causes a user logging in from a network access server to have immediate access to EXEC commands.

NOTE: RSA radius does not handle any form of CHAP, so avoid configuring radius CHAP options on the Cisco side.
Like • Show 1 Like1
Actions
Robert Davis Sep 7, 2018 8:41 AM
Mark Correct
Correct Answer
Thank you Edward! To confirm, you can setup the profile so that a single user token ID has read only access to Device Group A and read/write access to Device Group B?

I think your answer states that but I'm not sure I am 100% confident you stated a single user can have different access levels to different device groups. I have setup radius return attributes on cisco ACS however I do not have access to our RSA server.

The administrator of that server stated specifically "As has been previously explained. There is no way to grant a user read-only access to some network devices and read-write to others." Since I can't login and check myself, I wanted to ask here before going back to them.

We have LAN engineers and WAN engineers and want to grant read write for LAN on the layer 2 environment and read only on the WAN environment. Everything is token based auth.

Respectfully,

Rob
Like • Show 0 Likes0
Actions

Permissions based on device groups

cisco-avpair= ”ip:addr-pool=first“

cisco-avpair= ”shell:priv-lvl=15“

Outcomes

cisco-avpair= ”ip:addr-pool=first“

cisco-avpair= ”shell:priv-lvl=15“

Related Content

Recommended Content