Back to work
So... last I had written, several months ago, I had managed to add my CentOS server to my domain and was going to work on getting FreeRADIUS running there, so I could have my Cisco virtual devices authenticate against it.
Turns out, this was WAY more complicated then I thought it would be.
I'll spare the gory details, but long story short, I don't like the way FreeRADIUS tries to do... a lot of things.
Luckily, I complained about this on IRC, and someone else asked why I wasn't just using TACACS+. The reason I hadn't is because I don't have access to Cisco's TACACS+ server software - and I assumed there wasn't a free implementation of it out there.
As it turns out, when you assume, you may waste several months on a wild and unnecessary goose chase.
TACACS.net
There is indeed a free TACACS+ implementation, available from tacacs.net.
It's also ridiculously easy to set up. In addition to the normal configuration options (IP to bind to, mainly), all I had to do was specify:
authentication.xml
<UserGroup>
<Name>Router Access</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>outpost-hub.outpost.amateria:636</LDAPServer>
<LDAPUseSSL>1</LDAPUseSSL>
<LDAPUserDirectorySubtree>OU=Accounts,DC=outpost,DC=amateria</LDAPUserDirectorySubtree>
<LDAPGroupName>Router Access</LDAPGroupName>
</UserGroup>
clients.xml
<ClientGroup Name="INTERNAL">
<Secret ClearText="hidden" DES=""></Secret>
<Clients>
<Client>172.*</Client>
<Client>10.*</Client>
</Clients>
</ClientGroup>
authorization.xml
<Authorization>
<UserGroups>
<UserGroup>Router Access</UserGroup>
</UserGroups>
<ClientGroups>
<ClientGroup>INTERNAL</ClientGroup>
</ClientGroups>
<Shell>
<Permit>.*</Permit>
</Shell>
</Authorization>
And... that's it. In a nutshell, it takes requests from TACACS+ clients in the 172.* and 10.* ranges, looks up user accounts in the "OU=Accounts" DN, and confirms they belong to the "Router Access" LDAP group, and grants them permission to all commands on the router. (I could've made it more granular, but didn't see a need at this point.)
As a bonus, since it runs on a Windows host inside the domain, it can use the host's Kerberos credentials to access ActiveDirectory!
Bringing it online... jk
At this point, I went to configure one of my virtual Cisco routers to use TACACS for login, and... it didn't work.
After some digging, I found that for some reason, my CentOS and Windows Server machines couldn't route to the GNS3 LAN any more.
At this point, though, I decided that the original mesh design I had come up with, was probably overkill for what I was learning at the time. And also that it would probably need redesigning in the future when I learned new stuff.
So I killed the whole setup and went to a single router for now.
Also, I configured the input VTY lines for SSH.
At this point, I found something unusual - which is that trying to actually login to the router in question would hang for about 30-60 seconds, and then fail.
Coincidentally, at the same time, the CPU usage on the GNS3 VM would shoot up to about 100% and stay there. Nothing I seemed to do (switching from SSH to Telnet authentication) seemed to make a difference...
So for now, I'm just assuming that TACACS+/LDAP authentication would be working in a real environment, and moving on - because I've wasted more time on this than I'd like to admit.
I'm not really what I'll be moving on to next, but, we'll see.
