Commands authorization

The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information from the user's profile to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user's session. Changes in the user's authorization profile during this time will not be effective until after the next authentication occurs.

You can limit the services for a user by enabling AAA RADIUS authorization. The NAS uses the information set up on the RADIUS server to control the user's access to CLI commands.

The authorization type implemented on the switches is the "commands" method. This method explicitly specifies on the RADIUS server which commands are allowed on the client device for authenticated users. This is done on a per-user or per-group basis.


[NOTE: ]

NOTE: The commands authorization will only be executed for commands entered from Telnet, SSH, or console sessions. The Web management interface is not supported.


By default, all users may execute a minimal set of commands regardless of their authorization status, for example, "exit" and "logout". This minimal set of commands can prevent deadlock on the switch due to an error in the user's authorization profile on the RADIUS server.

Enabling authorization

To control access to the CLI commands, enter this command at the CLI.

Syntax:

[no] aaa authorization <commands> <radius|none>

Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.

radius: The NAS requests authorization information from the RADIUS server. Authorization rights are assigned by user or group.

none: The NAS does not request authorization information.

For example, to enable the RADIUS protocol as the authorization method:

HP Switch(config)# aaa authorization commands radius

When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes the command list and the command exception flag. When an authenticated user enters a command on the switch, the switch examines the list of commands delivered in the RADIUS Access-Accept packet as well as the command exception flag, which indicates whether the user has permission to execute the commands in the list. See Configuring commands authorization on a RADIUS server.

After the Access-Accept packet is delivered, the command list resides on the switch. Any changes to the user's command list on the RADIUS server are not seen until the user is authenticated again.

Viewing authorization information

Syntax:

show authorization

Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.

The show authorization command

HP Switch(config)# show authorization

 Status and Counters - Authorization Information

  Type     | Method
  -------- + ------
  Commands | RADIUS

Configuring commands authorization on a RADIUS server

Using vendor specific attributes (VSAs)

Some RADIUS-based features implemented on HP switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendor-specific information.

The attributes supported with commands authorization are:

  • HP-Command-String: List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters in length. Multiple instances of this attribute may be present in Access-Accept packets. (A single instance may be present in Accounting-Request packets.)

  • HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others.

The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below.

HP command string and exception

HP-command-string HP-command-exception Description
Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server. This message appears: "Access denied: no user's authorization info supplied by the RADIUS server."
Not present DenyList-PermitOthers(1) Authenticated user is allowed to execute all commands available on the switch.
Not present PermitList-DenyOthers(0) Authenticated user can only execute a minimal set of commands (those that are available by default to any user).
Commands List DenyList-PermitOthers(1) Authenticated user may execute all commands except those in the Commands list.
Commands List PermitList-DenyOthers(0) Authenticated user can execute only those commands provided in the Commands List, plus the default commands.
Commands List Not present Authenticated user can only execute commands from the Commands List, plus the default commands.
Empty Commands List Not present Authenticate user can only execute a minimal set of commands (those that are available by default to any user).
Empty Commands List DenyList-PermitOthers(1) Authenticated user is allowed to execute all commands available on the switch.
Empty Commands List PermitList-DenyOthers(0) Authenticate user can only execute a minimal set of commands (those that are available by default to any user).

You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.

Example configuration on Cisco secure ACS for MS Windows

It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attributes that can be configured in the application.

The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps.

  1. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below.

    ;[User Defined Vendor]
    ;
    ; The Name and IETF vendor code and any VSAs MUST be unique.
    ;
    ; One or more VSAs named (max 255)
    ;
    ; Each named VSA requires a definition section...
    ;
    ; Types are STRING, INTEGER, IPADDR
    ;
    ; The profile specifies usage, IN for accounting, OUT for
    authorization,
    ; MULTI if more than a single instance is allowed per
    RADIUS message.
    ; Combinations are allowed, e.g. "IN", "MULTI OUT",
    "MULT IN OUT"
    ;
    ; Enumerations are optional for INTEGER attribute types
    
    [User Defined Vendor]
    
    Name=HP
    IETF Code=11
    VSA 2=Hp-Command-String
    VSA 3=Hp-Command-Exception
    
    [Hp-Command-String]
    
    Type=STRING
    Profile=IN OUT
    
    [Hp-Command-Exception]
    
    Type=INTEGER
    
    Profile=IN OUT
    
    Enums=Hp-Command-Exception-Types
    
    [Hp-Command-Exception-Types]
    
    0=PermitList
    1=DenyList
    
  2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed).

  3. From the command prompt execute the following command:

    c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini
    

    The zero (0) is the slot number. You will see some processing messages:

    Adding or removing vendors requires ACS services to be
    re-started. Please make sure regedit is not running as
    it can prevent registry backup/restore operations.
    
    Are you sure you want to proceed? (Y or N) y
    
    Parsing [.\hp.ini] for addition at UDV slot [0]
    Stopping any running services
    Creating backup of current config
    
    Adding Vendor [HP} added as [RADIUS (HP)]
    
    Done
    Checking new configuration...
    New configuration OK 
    Re-starting stopped services
    
  4. Start the registry editor (regedit) and browse to HKEY_LOCAL_MACHINE\software\cisco\CiscoAAA v3.2\NAS Vendors tree.

    Cisco adds the entry into this tree for each custom vendor. The id is 100 + the slot number used in the previous command (100 + 0, as it was added in slot 0). Look in the key to verify the vendor name and id.

  5. Go to:

    HKEY_LOCAL_MACHINE\software\cisco\CiscoAAAv3.2\CSRadius\ExtensionPoints
    \002\AssociatedWithVendors
    
  6. Right-click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example).

  7. Restart all Cisco services.

  8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.

  9. Select Submit + Restart to effect the change. The HP RADIUS VSA attributes will appear in Cisco ACS configurations, for example, "Interface Configuration", "Group Setup", "User Setup".

To enable the processing of the HP-Command-String VSA for RADIUS accounting:

  1. Select System Configuration.

  2. Select Logging.

  3. Select CSV RADIUS Accounting. In the Select Columns to Log section, add the HP-Command-String attribute to the Logged Attributes list.

  4. Select Submit.

  5. Select Network Configuration. In the AAA Clients section, select an entry in the AAA Client Hostname column. You will go to the AAA Client Setup screen.

  6. Check the box for Log Update/Watchdog Packets from this AAA Client.

  7. Click Submit + Restart. You should be able to see the HP-Command-String attribute in the RADIUS accounting reports.

  8. Enter the commands you wish to allow or deny with the special characters used in standard regular expressions (c, ., \, list], ^list], *, ^, $). Commands must be between 1-249 characters in length.

Example configuration using FreeRADIUS

  1. Create a dictionary file (for example, dictionary.hp) containing HP VSA definitions. An example file is:

    Example dictionary file

    Example dictionary file
  2. Find the location of the dictionary files used by FreeRADIUS (try /usr/local/share/freeradius).

  3. Copy dictionary.hp to that location. Open the existing dictionary file and add this entry:

    $ INCLUDE dictionary.hp

  4. You can now use HP VSAs with other attributes when configuring user entries.