Network Device Authentication

A lot of people outside of the network space are quite surprised to find out that network devices don't always support LDAP. There are convenient reasons for this.

Doing Authentication

Most devices will support RADIUS with varied levels of "support". For others, they will support TACACS+ as well as RADIUS. Finally, a subset of devices will support LDAP.

RADIUS

You have to map in the dictionary for the appropriate attributes. Example, Juniper, Cisco, etc have their own special attributes. FreeRadius keeps a good list, but it may require occasional additions for other vendors

TACACS+

Is a pile of shit, but a convenient pile of shit for cisco environments. Most people use shrubbery.net's tac_plus or Cisco ACS. ACS is well known for being horrible at the worst times. Also, building your own TACACS+ box means it will last until the apocalypse unlike ACS.

Why not just LDAP everywhere?

Three easy reasons: 

  1. LDAP is usually maintained by someone else (often the Windows admins)
  2. LDAP cannot express per command authorization
  3. LDAP cannot do proper accounting
On #1, consider group membership. It is mostly easier to maintain a separate mapping of group membership in network space versus in AD space. This means network admins don't have to talk to systems admins to get people onboarded. With backend LDAP auth, they get the benefit of whatever LDAP can be used for (maybe revoking access).

On #2, this is pretty basic. I want to let the NOC guys do show commands. Admins can do whatever they need to. Okay, so how does someone go about sorting this? LDAP won't do it unless something like group membership sorts it out on the device. This is a pain in the ass.

On #3, I can look at exact commands run with TACACS+. Why wouldn't I want this? Sometimes it helps to know who did type "reload".


Doing authentication for automation

An optimal setup will allow for ephemeral passwords tied to specific users. Example, consider a scripting engine running a script for user "bob". What I want is that a backend will allocate a temporary username and password mirroring bob's privileges, but only for the hosts to be run on. Then, the script engine will possess a time and space limited credential tied to bob's actions for accounting. It will also note that the script engine received this limited credential for additional traceability.

Comments

Post a Comment

Popular posts from this blog

Linux unnumbered interface source IP behavior

In certain cases, (looking at you, Fortinet), interfaces make more sense without IP addresses. But the kernel must determine which source IP to use for sockets that don't specify one. Linux maintains a scoping of IP addresses. Those exposed directly with iproute2 are host, link, and global. When you intend on taking an unnumbered path, one of two things may happen: 1) A route exists for the unnumbered path. This route is populated with a src address when fib_create_info() is called  (such as in routing table update) (occurs via  fib_info_update_nh_saddr) or; 2) No route exists, but an interface is specified for the connection and the source is derived in ip_route_output_key_hash_rcu(). In both cases, inet_select_addr() is called to determine the source IP, but with slightly different parameters. In the first case, the scope of the FIB table is taken into account. As an example, sources used for link-local routes will permit link-local or global scope. In the seco...
Read more

FortiManager TCL scripts

I had a request sent to me the other day to make a script push some config with the hostname of the node included. Pretty basic thing to do. I was further constrained to use the FortiManager script runner to make this work. As usual, CLI-like scripting sucks and the magic behind the scenes made things more difficult. FortiManager's Role Big HA pile of shit to sync configs with templates. Also has a script runner (used by the config pushes). The scripts are handled through a component called "deployment manager". Relevant debugs: diagnose debug application depmanager -1 -> Not so useful for TCL, good under-the-hood look diagnose debug dpm conf-trace enable -> Will show you SSH connection stuff. More useful IMO. FortiManager holds SSH credentials for the device. It isn't like, even though FortiManager is trusted to play with config, FortiManager can magically login via SSH. This seems like quite a stupid design, but that is the situation we'...
Read more

But Ansible does it all!!

Most people running networks have a decent fleet of Cisco IOS devices (or devices that feature "industry-standard" *cough* ripoff *cough* CLI). Often times, the discussion of Ansible as a framework comes up as the solution. What does Ansible do? Ansible is designed to express desired state, compare against existing state and then calculate whether a change is needed. A great example is that we'll generate a config file with a template, push this to a server, and then signal the relevant service (perhaps with a restart). Cool! Easy! But what if the config file is already the same as what we generated from template? No problem, we'll calculate that the files are the same and do nothing. No restart, no problem.. its already good. This technique is highly effective for things like webservers where the service supports a consistent and suitable approach (in context, of course) for loading the new config. kk.. cool but what is wrong with IOS? IOS-like CLIs ar...
Read more