[tac_plus] Examples of RBAC in do_auth.py?

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Nov 17 16:25:13 UTC 2011 

Um.... the short answer would be probably/do what now?

Are you talking about plain vanilla cisco router/switches/no nexus?  If
this is the case, even if you were using nexus, I'd say you are trying to
over-complicate your problem.  Do you not use privilege levels - you only
need to do that for Radius, it's much easier to manage if you forget they
exist. (Managing levels requires touching every device each time you
change something - the only way to match a privilege level to commands is
locally on the router.)

First, make a set of different rules on paper.  Operator, admin,
super-admin and the commands you want them to do.  Then, devices: core,
CPE, PE, ect.  From those, you will have to make "groups"  Then, you pair
them together into groups.  Use as many or as few as you want, just
remember - one group cannot take away what another group grants.

[admin_group]
host_allow =
	<ip's of PE>
command_permit =
	<list of commands>

[operator_group]
host_allow =
	<ip's of CPE devices>
host_deny =
	<couple ip's you never want the operators to touch>
command_permit =
	<a few show commands you can trust the operators with>

>From there, you can assign a user to as many or as few of the groups that
he needs.  And, it can be changed on the fly very easily.  (Good luck
doing that on the Cisco ACS)

[users]
Homer =
	operator_group
lisa =
	super_admin
bart =
	operator_group
	admin
	another_operator_group

NOW -- if you are bound and determined to use privilege levels, you CAN do
that as well by replacing the priv-lvl tac_key, but I am loathe to show
you how, as it is seems rather bass ackward and explaining it would
certainly entail bribing me with free beer.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Brandon Ewing
Sent: Thursday, November 17, 2011 7:45 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Examples of RBAC in do_auth.py?

Does anyone have any examples of do_auth.py config files that could be
adapted for Role-based Access control?

I want to break it up so I have groups of commands (l2-only, l3-only,
routing protocols, etc), and groups of network devices (core, CPE, PE,
etc), and assign groups of commands on groups of network devices to
specific users.

I don't know if do_auth.py is setup to provide something like this, but if
anyone has any examples or pointers on how to approach the above, it would
be appreciated.

-- 
Brandon Ewing
(nicotine at warningg.com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL:
<http://www.shrubbery.net/pipermail/tac_plus/attachments/20111117/8de20bbd
/attachment.bin>
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction 
of public business,is subject to the Wyoming Public Records 
Act, and may be disclosed to third parties.

More information about the tac_plus mailing list