ACS 5.2 Configuration Examples
Sduernberger 20:55, 5. Jul. 2011 (UTC)

Contents
1 ACS 5.2 VMWare Basic Post-Installation Settings
1.1 Patching ACS 5.2
1.2 Root Patch
1.3 Forward Syslog Messages to external Server
1.4 Role-Based Access Control
1.5 Backups
2 RADIUS Proxy
2.1 Set up FreeRADIUS for RADIUS Proxy
2.2 Configure ACS for RADIUS Proxy
3 Active Directory Authz with Device Administration
3.1 Active Directory Integration
3.2 ACS Setup for Device Administration
3.3 ACS Setup for Command Authorization
4 Think about

ACS 5.2 VMWare Basic Post-Installation Settings

Read the VMWare Installation Guide for all necessary VMWare settings:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_vmware.html

After installation use the VM console to access your ACS. You have to type setup for the very first settings.

Now you are able to use your preferred terminal (PuTTY/SecureCRT...) to connect via SSH to your ACS.

Now you are able to log in with the credentials you specified during the initial installation process. The next step is to finish the basic configuration, e.g. joining Microsoft Active Directory, FTP/SFTP repositories, etc. Be sure your clock and timezone are in sync with the Active Directory server clock. Otherwise you are not able to join the Active Directory. My recommendation is to use an NTP server in your network.

ACS 5.2 Configuration Examples – Stefan Duernberger MediaWiki 5/23/2014
http://sduernberger.de/mediawiki/index.php?title=ACS_5.2_Configuration_Examples

Patching ACS 5.2

Specify a Repository (FTP/SFTP) for ACS software updates, etc.

Update your ACS to the latest and greatest image.

Root Patch

Install the Root Patch to access the underlying Linux. This is for deep-dive troubleshooting by Cisco TAC only!

Then you have to leave the session, because the shell must be refreshed. Use the command root_enable to get shell access. Please note the highlighted error message: root access is only possible via the console, not via SSH.

To make sure, switch to the VMWare console and try again.


Now you can use Linux commands like tcpdump, etc.

Forward Syslog Messages to external Server

Now you can use the WebGUI to access ACS. The default user/password is ACSAdmin/default and you have to change the password.

Then you have to specify your license file.


Specify which messages should be forwarded to the newly created Syslog Server.


Then move the available External Syslog Server to the Selected Targets and click Submit.

Role-Based Access Control

There are multiple roles already pre-defined. Specify a new account and assign a role to it.


Backups

Related commands:

    myACS/admin# acs backup YOURNAME repository YOURREPOSITORY
    myACS/admin# backup-logs YOURNAME repository YOURREPOSITORY

RADIUS Proxy

ACS 5.2 is able to forward RADIUS requests to an external RADIUS server. First set up e.g. FreeRADIUS on a different VM/hardware.

Set up FreeRADIUS for RADIUS Proxy

Edit clients.conf and users for a locally stored username.
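To make clear what actually travels between the NAS, the ACS proxy and FreeRADIUS, and why the shared secret in clients.conf has to match what ACS is configured with, here is an added example (not code from the wiki page or from Cisco/FreeRADIUS) of the RFC 2865 Access-Request/Access-Accept exchange in Python. The secrets, the user name and the password are constructed sample values; the user matches the freeuser entry from the users file.

```python
"""Added example: RFC 2865 Access-Request / Access-Accept through a RADIUS proxy.
Secrets, user name and password below are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
NAS_PROMPT_USER = 7  # Service-Type value that the users entry returns


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a party holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    return code, ident, packet[4:20], decode_attrs(packet[20:length])


def build_request(ident, secret, username, password):
    authenticator = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_accept(request, secret, reply_attrs):
    _, ident, request_auth, _ = parse(request)
    attrs = encode_attrs(reply_attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret):
    """The proxy accepts a reply only if its authenticator proves knowledge of the shared secret."""
    code, ident, auth, _ = parse(response)
    _, req_ident, request_auth, _ = parse(request)
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return ident == req_ident and hmac.compare_digest(auth, expected)


def proxy_forward(request, nas_secret, home_secret, ident):
    """Proxy step: recover the password with the NAS secret, re-hide it with the external server's secret."""
    _, _, request_auth, attrs = parse(request)
    fields = dict(attrs)
    password = reveal_password(fields[ATTR_USER_PASSWORD], nas_secret, request_auth)
    return build_request(ident, home_secret, fields[ATTR_USER_NAME], password)


def run_exchange(nas_secret=b"nas-secret", home_secret=b"freeradius-secret", server_secret=None,
                 username=b"freeuser", password=b"Cisco123"):
    """True on Access-Accept, None where FreeRADIUS would send Access-Reject.
    server_secret is what FreeRADIUS holds in clients.conf for the ACS; it must equal home_secret."""
    server_secret = home_secret if server_secret is None else server_secret
    req_nas = build_request(1, nas_secret, username, password)       # NAS -> ACS
    req_home = proxy_forward(req_nas, nas_secret, home_secret, 77)   # ACS -> FreeRADIUS
    _, _, auth, attrs = parse(req_home)                              # FreeRADIUS checks the local user
    fields = dict(attrs)
    if fields[ATTR_USER_NAME] != b"freeuser" or \
            reveal_password(fields[ATTR_USER_PASSWORD], server_secret, auth) != b"Cisco123":
        return None
    accept = build_accept(req_home, server_secret,
                          [(ATTR_SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))])
    return verify_response(accept, req_home, home_secret)            # FreeRADIUS -> ACS
```

Running run_exchange() with a server_secret that differs from home_secret ends in a reject: the password recovered with the wrong secret is garbage, which is exactly the symptom of a clients.conf mismatch. The Response Authenticator check shows why the secret also protects the reply: an Access-Accept from a host that does not know the secret is dropped by the proxy.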


Configure ACS for RADIUS Proxy

Create a Location based on where your devices (routers/switches...) are located.

Create Device Types to build groups like Nexus7000, Cat6K, EdgeSwitches, WLAN AP, ....

Create Network Devices and AAA Clients.


Specify the external RADIUS server.

Create a new Access Service.

Note: you can strip off the part of the username before or after a special character. See the Advanced Options section on the right-hand side.


You will be prompted to modify the Service Selection. Click Yes.

First you have to customize the conditions, because by default only the protocol is enabled as a condition. Because by default 2 rules (one for protocol TACACS+ and one for protocol RADIUS) point to 2 predefined services, you will never be authenticated by your remote RADIUS. In this example I added a 2nd condition (Device Type) to differentiate between Rule 1 and our new Rule 3. Use the Customize button.

Create the new Service Selection Rule.


Now Rule #1 and Rule #3 are identical. Let's remove the Nexus7000 devices from Rule 1.

That's all. Testing, testing, testing.
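The rule-shadowing problem described above (a new rule that can never match because an earlier, broader rule wins first) is easy to reproduce outside the GUI. The following is an added example, not code from the wiki page or from Cisco: it models the service selection policy as an ordered first-match list, which is how ACS evaluates it, and adds a small check that reports rules that can never fire. The service names "Default Network Access" and "Default Device Admin" are the ACS defaults; "RADIUS Proxy Service" and the device type list are constructed for the example, and rule 1 "all types except Nexus7000" stands in for however the exclusion is expressed in the GUI.

```python
"""Added example: first-match evaluation of ACS service selection rules."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    service: str
    protocol: str                                   # the only condition enabled by default
    device_types: set = field(default_factory=set)  # customised 2nd condition; empty = any

    def matches(self, request):
        if request["protocol"] != self.protocol:
            return False
        return not self.device_types or request["device_type"] in self.device_types


def select_service(rules, request):
    """ACS walks the rule table top-down and the first matching rule wins."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.service
    return None, "DenyAccess"   # default rule when nothing matches


# Constructed device types, as created under "Create Device Types"
ALL_TYPES = {"Nexus7000", "Cat6K", "EdgeSwitches", "WLAN AP"}

# Policy right after adding rule 3: rules 1 and 2 still match on protocol only
BEFORE = [
    Rule("Rule 1", "Default Network Access", "RADIUS"),
    Rule("Rule 2", "Default Device Admin", "TACACS+"),
    Rule("Rule 3", "RADIUS Proxy Service", "RADIUS", {"Nexus7000"}),
]

# Policy after removing Nexus7000 from rule 1
AFTER = [
    Rule("Rule 1", "Default Network Access", "RADIUS", ALL_TYPES - {"Nexus7000"}),
    Rule("Rule 2", "Default Device Admin", "TACACS+"),
    Rule("Rule 3", "RADIUS Proxy Service", "RADIUS", {"Nexus7000"}),
]


def shadowed_rules(rules, device_types=ALL_TYPES, protocols=("RADIUS", "TACACS+")):
    """Rules that no combination of protocol and device type can ever reach."""
    reached = set()
    for protocol in protocols:
        for device_type in device_types:
            name, _ = select_service(rules, {"protocol": protocol, "device_type": device_type})
            reached.add(name)
    return [rule.name for rule in rules if rule.name not in reached]


if __name__ == "__main__":
    request = {"protocol": "RADIUS", "device_type": "Nexus7000"}
    print("before:", select_service(BEFORE, request), "shadowed:", shadowed_rules(BEFORE))
    print("after: ", select_service(AFTER, request), "shadowed:", shadowed_rules(AFTER))
```

The shadowed_rules check is the part worth keeping: after every edit of a first-match policy, a rule that is reported as unreachable is either dead configuration or, as here, a sign that an earlier rule still silently sends the traffic to the wrong service.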

Active Directory Authz with Device Administration

Make sure that the ACS and AD time is in sync and that the ACS can use DNS to resolve the domain. Use the clock command or, much better, use NTP. And don't forget to set the timezone.

Active Directory Integration

Use your ADS credentials to join your domain, then click the Test Connection button.


If successful you can save the changes, and you should be joined and connected to your domain.

Now you can browse by using the Select button or manually add AD groups.


Your ACS should automatically be assigned to the computer container in ADS.

ACS Setup for Device Administration

Device Administration is done by using the TACACS+ protocol.


By default the Internal Users database is the Identity Store. We have 2 options, and the answer to pro and con is: it depends. You can easily adjust the DB lookup within the single result selection, or for more granular lookups you should use the rule-based result selection. We use the single result selection, and by pressing the Select button a new window pops up where you can select your identity sources. We select AD1.

Then testing, testing, testing. Successful Event Viewer message in ADS with user domainadmin.


ACS Setup for Command Authorization

We configure 2 groups in total. Group #1 has unlimited access to the Cisco gear and Group #2 has limited access, like only show commands, etc. So let's start with the Shell Profiles.


Add a Privilege Level to the newly assigned Profiles.


Now we create command sets for the 2 Profiles. One Profile will get RO access for specific commands and the other one will get RW access.


Create 2 new Identity Groups. They are for binding AD or internal users to specific ACS groups.


Then assign a new condition (Group Mapping) to the Default Device Admin and change it afterwards to rule-based result selection.

Create the 2 Group Mappings. Group #1 is for DomainAdmins with RW access and Group #2 is for DomainUsers with RO access.


Finally assign 2 Authorization Policies.

First of all, customize the Policy.


Then create the 2 Policies.
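The whole chain built in this section (AD group, identity group, shell profile with privilege level, command set) can be checked offline before a single router is pointed at the ACS. The following is an added example, not code from the wiki page or from Cisco: it models the two command sets and the two group mappings in Python and evaluates TACACS+ command authorization requests against them. The command set names, the identity group names and the rule that denies "show running-config" to the RO group are constructed for the example (the page only says RO gets "specific commands"); the first-match row evaluation is a simplification, so check it against the ACS user guide before copying the layout.

```python
"""Added example: command-set evaluation for the RO and RW TACACS+ groups."""
import re

# Command set rows: (grant, command, argument regex). Constructed for the example.
RO_COMMANDS = [
    ("Deny",   "show", r"^running-config"),  # keeps the config (and its secrets) out of RO hands
    ("Permit", "show", r".*"),
    ("Permit", "exit", r".*"),
]
RW_COMMANDS = []  # empty table plus "permit any command not in the table" = unlimited access

COMMAND_SETS = {
    "RO_CommandSet": {"rows": RO_COMMANDS, "permit_unmatched": False},
    "RW_CommandSet": {"rows": RW_COMMANDS, "permit_unmatched": True},
}

# Group mapping: AD group -> (identity group, shell profile privilege level, command set)
GROUP_MAPPING = {
    "Domain Admins": ("Group1", 15, "RW_CommandSet"),
    "Domain Users":  ("Group2", 1,  "RO_CommandSet"),
}
MAPPING_ORDER = ("Domain Admins", "Domain Users")  # rule order; first matching mapping wins


def authorize(command_set, cmdline):
    """Return True if the command line is permitted by the named command set."""
    cs = COMMAND_SETS[command_set]
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return False
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for grant, command, arg_re in cs["rows"]:   # first matching row decides (simplification)
        if command == cmd and re.search(arg_re, args):
            return grant == "Permit"
    return cs["permit_unmatched"]


def authorize_user(ad_groups, cmdline):
    """Resolve the user's AD groups to an identity group and evaluate the command."""
    for ad_group in MAPPING_ORDER:
        if ad_group in ad_groups:
            identity_group, priv_lvl, command_set = GROUP_MAPPING[ad_group]
            return {"identity_group": identity_group, "priv_lvl": priv_lvl,
                    "command_set": command_set, "permit": authorize(command_set, cmdline)}
    return {"identity_group": None, "priv_lvl": 0, "command_set": None, "permit": False}


if __name__ == "__main__":
    for groups, cmd in ((set(["Domain Users"]), "show interfaces"),
                        (set(["Domain Users"]), "show running-config"),
                        (set(["Domain Users"]), "configure terminal"),
                        (set(["Domain Admins"]), "configure terminal")):
        print(sorted(groups), repr(cmd), "->", authorize_user(groups, cmd))
```

Testing it this way surfaces the two questions the GUI does not answer for you: what happens to a user who is in neither group (here: no identity group, nothing permitted), and which mapping wins for a user who is in both (here: the admin mapping, because it is listed first).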


That's all. Testing, testing, testing.

Think about

    # FreeRADIUS "users" entry for the locally stored test user
    # (shell:priv-lvl sets the exec privilege level returned to the device)
    freeuser  Cleartext-Password := "Cisco123"
              Service-Type = NAS-Prompt-User,
              cisco-avpair = "shell:priv-lvl=15",
              cisco-avpair = "shell:cmd=show"

This page was last modified on 7 July 2011 at 22:47. This page has been accessed 5,070 times so far.
