ACS Configuration Examples

navigation
Hauptseite
StefanDuernberger
MediaWiki-Portal
AktuelleEreignisse
Letztenderungen
ZuflligeSeite
Hilfe
werkzeuge
Links auf dieseSeite
nderungenan
verlinktenSeiten
Spezialseiten
Druckversion
Permanentlink
diskussion quelltext betrachten versionen/autoren
Anmelden
ACS 5.2 Configuration Examples
Sduernberger 20:55, 5. Jul. 2011 (UTC)
Inhaltsverzeichnis [Verbergen]
1 ACS5.2 VMWare Basic Post-Installation Settings
1.1 Patching ACS5.2
1.2 Root Patch
1.3 Forward Syslog Messages to external Server
1.4 Role-Based Access Control
1.5 Backups
2 RADIUSProxy
2.1 Set up FreeRADIUSfor RADIUSProxy
2.2 Configure ACSfor RADIUSProxy
3 Active DirectoryAuthzwith Device Administration
3.1 Active DirectoryIntegration
3.2 ACSSetup for Device Administration
3.3 ACSSetup for Command Authorization
4 Think about
ACS 5.2 VMWare Basic Post-Installation Settings
Read the VMWare Installation Guide for all necessary VMWare Settings:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_vmware.html
After installation use VMConsole to access your ACS. You have to type setup for the very first settings.
Now, you are able to use your preferred Terminal (putty/SecureCRT...) to connect via SSHto your ACS.
Now, you are able to login with the credentials you specified during initial installation process. Next step is to finish basic
configuration for e.g. joining Microsoft Active Directory, FTP/SFTP Repositories, etc. Be sure your clock and Timezone is in Sync
with the Active Directory Server clock. Otherwise you are not able to join the Active Directory. My recommendation is to use a NTP
Server in your network.
seite
suche
Seite Suchen
ACS 5.2 Configuration Examples Stefan Duernberger MediaWiki 5/23/2014
http://sduernberger.de/mediawiki/index.php?title=ACS_5.2_Configuration_Examples 1 / 21
Patching ACS 5.2
Specify a Repository (FTP/SFTP) for ACS Software Updates, etc.
Update your ACS to the latest and greatest image.
Root Patch
Install Root Patch to access underlying Linux. This is only for deep dive troubleshooting for Cisco TAConly!
Then you have to leave the session. Shell must be refreshed. Use the command root_enable to get shell access. Please note the
highlighted error message. Root access is only possible with console not with SSH.
To make sure switch to VMWare Console and try again.
Nowyou can use Linux commands like TCPDump, etc.
Forward Syslog Messages to external Server
Nowyou can use the WebGUI to access ACS
Default User/PW is ACSAdmin and you have to change the password./default
Then you have to specify your license file.
Specify which messages should be forwarded to the newcreated Syslog Server.
Then move the available External Syslog Server to the Selected Targets and click submit.
Role-Based Access Control
There are multiple Roles already pre-defined. Specify a newAccount and assign a role to it.
Backups
Related commands
myACS/admin#acs backup YOURNAME repository YOURREPOSITORY
myACS/admin#backup-logs YOURNAME repository YOURREPOSITORY
RADIUS Proxy
ACS5.2 is able to forward RADIUS Requests to external RADIUS Server. First set up e.g. FreeRADIUS on a different
VM/Hardware.
Set up FreeRADIUS for RADIUS Proxy
Edit clients.conf and users for a locally stored username.
Configure ACS for RADIUS Proxy
Create a Location based on where your devices (Routers/Switches...) are located.
Create Device Types to build groups like Nexus7000, Cat6K, EdgeSwitches, WLANAP,....
Create Network Devices and AAA Clients
Specify external RADIUS Server
Create a newAccess Service
Note: You can strip off before or after special characters. See Advanced Option Section on the right hand side.
You will be prompted to modify Service Selection. Click on Yes.
First you have to customize the conditions, because per default only the protocol is enabled as a condition. Because per default 2
rules (one for protocol TACACS+ and one for protocol RAIDUS) pointing to 2 predefined services, you will be never authenticated by
your remote RADIUS. In this example I added a 2nd Condition (Device Type) to differentiate between Rule 1 and our newRule 3.
Use Customize Button.
Create newService Selection Rule
NowRule #1 and Rule #3 are identical. Lets remove Nexus7000 Devices fromRule1.
Thats all. Testing, testing, testing.
Active Directory Authz with Device Administration
Make sure that ACS and ADtime is in sync as well as ACS can use DNS to resolve the domain. Use the clock
command or much better use NTP. And dont forget to set the timezone.
Active Directory Integration
Use your ADS Credentials to join your Domain, then click the Test Connection Button
If successfull you can save changes and you should be joined and conntected to your domain.
Nowyou can browse by using the Select Button or manually add ADgroups.
Your ACS should be automatically be assigned to the computer container in ADS.
ACS Setup for Device Administration
Device Administration is done by using the TACACS+ Protocol
Per Default Internal Users Database is the Identity Store. We have 2 options and the answer for Pro and Con is: it depends. You
can easily adjust the DB Lookup within the single result selection or for more granular lookups you should use the rule-based
result selection. We use the single result selection and by pressing the Select Button a newwindowpops up where you can select
your Ident Sources. We select AD1
The testing, testing, testing. Successful eventvwr Message in ADS with user domainadmin
ACS Setup for Command Authorization
We configure 2 groups in total. Group #1 has unlimited access to the Cisco gear and Group #2 has limited access like only show
commands, etc. So lets start with the Shell Profiles.
Add Privilege Level to the newassigned Profiles.
Nowwe create command sets for the 2 Profiles. One Profile will get ROaccess for specific commands and the other one will get
RW access.
Create 2 newIdentity Groups. They are for binding ADor internal Users to specific ACS Groups.
Then assign a newcondition (Group Mapping) to the Default Device Admin and change it afterwards to Rule based result selection.
Create the 2 Group Mappings. Group#1 is for DomainAdmins with RW Access and Group#2 is for DomainUsers with ROAccess.
Finally assign 2 Authorization Policies.
First of all, customize the Policy.
Then create the 2 Policies.
DieseSeitewurdezuletzt am7. Juli 2011um22:47Uhr gendert. DieseSeitewurdebisher 5.070-mal abgerufen. Datenschutz ber Stefan
Duernberger MediaWiki Impressum
Thats all. Testint, testing, testing.
Think about
freeuser Cleartext-Password := "Cisco123"
Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:prv-lvl=15",
cisco-avpair = "shell:cmd=show"

ACS Configuration Examples

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACS Configuration Examples

Uploaded by

Copyright:

Available Formats

navigation

You might also like