Tuesday, September 27, 2016

Cisco ACS 5.x and BIG-IQ 5.0 Radius Attributes

In this post I will show the relevant RADIUS configuration on the Cisco ACS for the F5 vendor-specific attributes, and the matching configuration on the F5 BIG-IQ.


1st, I downloaded the VSA template that we will use for inserting the F5 vendor-specific attributes.








I found it's much easier to export the Cisco ACS template, modify and edit it, and re-import it. The time spent trying to download the F5-supported template and getting a flawless import is very time consuming.





2nd, after a successful import it is wise to click "Show Vendor Attributes" and check things over.







I kept my RADIUS attribute list small, with only the attribute that I required, so the full VSA dictionary was not included.






Now we can define the attribute in our network authorization profiles, mapping the attribute value that's required for a specific role.


Here's a sample of my F5 authorization profiles. They were defined generically to match an F5 "role". Notice the attributes are defined along with a generic Reply-Message, which will help in further diagnostics & analysis.



Applying a unique Reply-Message per ACS authorization_profile, and then using just that profile in a policy, can help you narrow down which policy and authorization_profile are being used & matched.


So here are the final policies.


On the BIG-IQ you will need to define the RADIUS settings and the remote-role. It's a good idea to define a default role of guest. If no default role is defined and no role-info entry matches, "no-access" becomes your default role, by the way.

(CLI configuration on BIG-IQ 5.0)

Sys::Version
Main Package
  Product     BIG-IQ
  Version     5.0.0
  Build       0.0.3026
  Edition     Final

  Date        Tue Jun  7 00:17:51 PDT 2016



admin@(BIGIQCALITECH01)(Active)(/Common)(tmos)# list auth 
auth password-policy { }
auth radius system-auth {
    debug enabled
    servers {
        RAD01
        RAD02
        RAD03
    }
    service-type default
}
auth radius-server RAD01  {
    secret test1234567890
    server 10.3.1.11
    timeout 30
}
auth radius-server RAD02 {
    secret test1234567890
    server 10.4.1.11
    timeout 30
}
auth radius-server RAD03 {
    secret test1234567890 
    server 10.5.1.11
    timeout 30
}
auth remote-role {
    role-info {
        operator {
            attribute F5-LTM-User-Info-1=operator
            console tmsh
            line-order 2
            role 400
            user-partition All
        }
        resource-admin {
            attribute F5-LTM-User-Info-1=resource
            console tmsh
            line-order 3
            role 20
            user-partition All
        }
    }
}
auth remote-user {
    default-role guest
    remote-console-access tmsh
}
auth source {
    type radius
}
auth user admin {
    description "Predefined Admin User"
    encrypted-password  myencpsssword_admin_user
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}

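The exchange the two halves of this post describe, as an added example that is not part of the original post and not F5's or Cisco's code: the Access-Accept that an ACS authorization profile like the ones above would emit (the F5 VSA plus the per-profile Reply-Message used for diagnostics), decoded and its Response Authenticator checked on the client side, then the role lookup that the "auth remote-role" stanza performs (role-info entries walked by line-order, first match wins, default-role otherwise). The shared secret is the placeholder from the listing, the request authenticator and attribute strings are constructed, the role numbers 400 and 20 come from the listing, and the numeric guest role is left unset because the post's role-number table is in an image.

```python
"""
Added example (not from the post, F5 or Cisco): encode/decode a RADIUS
Access-Accept carrying the F5 VSA (attr 26, vendor 3375, vendor-type 12 =
F5-LTM-User-Info-1) plus a Reply-Message, verify it, and resolve the role the
way the post's "auth remote-role" stanza does. Secret, request authenticator
and attribute strings are constructed placeholders.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18       # RFC 2865 Reply-Message
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific
F5_VENDOR_ID = 3375           # F5's IANA enterprise number
F5_LTM_USER_INFO_1 = 12       # F5 dictionary: F5-LTM-User-Info-1

SHARED_SECRET = b"test1234567890"                                  # placeholder secret from the listing
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Request Authenticator


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Standard attribute layout: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: Type 26, Length, Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept(identifier: int, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + REQUEST_AUTH + attrs + SHARED_SECRET).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, secret: bytes) -> bool:
    """A RADIUS client must check this before trusting any attribute in the reply."""
    expected = hashlib.md5(packet[:4] + REQUEST_AUTH + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Dict]:
    """Decode the attribute list; VSAs are split into their vendor sub-attributes."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        val = packet[pos + 2:pos + l]
        if t == ATTR_VENDOR_SPECIFIC and len(val) >= 6:
            vendor_id = struct.unpack("!I", val[:4])[0]
            sub = val[4:]
            while len(sub) >= 2:
                vt, vl = sub[0], sub[1]
                if vl < 2 or vl > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                out.append({"type": t, "vendor_id": vendor_id, "vendor_type": vt, "value": sub[2:vl]})
                sub = sub[vl:]
        else:
            out.append({"type": t, "vendor_id": None, "vendor_type": None, "value": val})
        pos += l
    return out


def f5_user_info(attrs: List[Dict]) -> Optional[str]:
    for a in attrs:
        if a["vendor_id"] == F5_VENDOR_ID and a["vendor_type"] == F5_LTM_USER_INFO_1:
            return a["value"].decode("utf-8", "replace")
    return None


def reply_message(attrs: List[Dict]) -> Optional[str]:
    for a in attrs:
        if a["type"] == ATTR_REPLY_MESSAGE:
            return a["value"].decode("utf-8", "replace")
    return None


# Mirrors the post's "auth remote-role { role-info { ... } }"; entries are evaluated in line-order.
REMOTE_ROLE_INFO = [
    {"name": "operator",       "line_order": 2, "match": "operator", "role": 400},
    {"name": "resource-admin", "line_order": 3, "match": "resource", "role": 20},
]
DEFAULT_ROLE = "guest"   # "auth remote-user { default-role guest }"; its numeric ID is not in the listing


def resolve_role(attrs: List[Dict]) -> Tuple[str, Optional[int]]:
    """First role-info entry (by line-order) whose F5-LTM-User-Info-1 value matches wins."""
    info = f5_user_info(attrs)
    for entry in sorted(REMOTE_ROLE_INFO, key=lambda e: e["line_order"]):
        if info is not None and info == entry["match"]:
            return entry["name"], entry["role"]
    return DEFAULT_ROLE, None


def demo_accept(role_value: bytes = b"operator", reply: bytes = b"ACS-profile-F5-operator") -> bytes:
    """An Access-Accept as an ACS authorization profile like the post's would send it."""
    attrs = encode_vsa(F5_VENDOR_ID, F5_LTM_USER_INFO_1, role_value) + encode_attr(ATTR_REPLY_MESSAGE, reply)
    return build_access_accept(7, attrs)


if __name__ == "__main__":
    pkt = demo_accept()
    print("authenticator ok:", verify_response(pkt, SHARED_SECRET))
    attrs = parse_attributes(pkt)
    print("Reply-Message:", reply_message(attrs), "| F5-LTM-User-Info-1:", f5_user_info(attrs))
    print("resolved role:", resolve_role(attrs))
    # The post's failure mode: ACS accepts but omits the VSA, so the user lands on default-role.
    bare = build_access_accept(8, encode_attr(ATTR_REPLY_MESSAGE, b"ACS-profile-without-vsa"))
    print("resolved role without VSA:", resolve_role(parse_attributes(bare)))
```

Reading the decoded Reply-Message next to the F5 VSA is exactly the check the unique per-profile reply text makes possible: if the reply string identifies the expected ACS profile but no vendor 3375 / type 12 sub-attribute is present, the profile matched but the attribute was not sent, which is the symptom described later in the post.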


While debugging my lack of attributes being sent via Cisco ACS, I found out that depending on how you access the BIG-IQ, the RADIUS request is quite different.

Check out this WebGUI access and then SSHd access, and notice the attributes sent by the RADIUS client (BIG-IQ).




Also, another finding: the security and audit logs viewed via the CLI never show WebGUI access successes or failures, nor do we have audit logging of command executions that are done via the WebGUI.

(audit logging via CLI)


(security logging via CLI)



TIP: The F5 security logs typically display either RAW: sshd(pam_audit): for SSH access or RAW: httpd(mod_auth_pam): for WebGUI access.


BTW:

In the WebGUI, it was unclear to me whether you need to define user-groups, but if you do, the groups need to match the F5 attributes that are being sent via Cisco ACS (see the above Vendor-3375-Attr-12, aka F5-LTM-User-Info-1, attribute #12 in the F5 VSA dictionary; 3375 is F5's vendor ID).


(example RADIUS server configuration and user-group via the WebGUI)



(user-group and the specific RADIUS VSA attribute that's expected for this role)



(BIG-IQ role numbers to names)







And lastly, I used the wrong browser initially (Safari) and then later Firefox release 48, and the same bug would corrupt our ACS policies database. So even though the WebGUI of the Cisco ACS showed the authorization_profile and policy as correctly configured, the Cisco ACS instance did not send the RADIUS attribute.


So we will look at the next patch (#5) and see what the release notes show.


Tip: if you are trying SSH access and cannot get a shell, the log will show the following



Tip: use the ACS reports if you're experiencing authentication issues





Ken Felix

NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \
