ACS 5.2 Configuration Examples
Sduernberger 20:55, 5 Jul 2011 (UTC)

Contents
1 ACS 5.2 VMWare Basic Post-Installation Settings
1.1 Patching ACS 5.2
1.2 Root Patch
1.3 Forward Syslog Messages to external Server
1.4 Role-Based Access Control
1.5 Backups
2 RADIUS Proxy
2.1 Set up FreeRADIUS for RADIUS Proxy
2.2 Configure ACS for RADIUS Proxy
3 Active Directory Authz with Device Administration
3.1 Active Directory Integration
3.2 ACS Setup for Device Administration
3.3 ACS Setup for Command Authorization
4 Think about
ACS 5.2 VMWare Basic Post-Installation Settings
Read the VMWare Installation Guide for all necessary VMWare settings:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_vmware.html
After installation, use the VM Console to access your ACS. You have to type setup for the very first settings.
Now you are able to use your preferred terminal (putty/SecureCRT...) to connect via SSH to your ACS.
Now you are able to log in with the credentials you specified during the initial installation process. The next step is to finish the basic configuration, e.g. joining Microsoft Active Directory, FTP/SFTP repositories, etc. Be sure your clock and timezone are in sync with the Active Directory server clock. Otherwise you are not able to join the Active Directory. My recommendation is to use an NTP server in your network.
ACS 5.2 Configuration Examples Stefan Duernberger MediaWiki 5/23/2014
http://sduernberger.de/mediawiki/index.php?title=ACS_5.2_Configuration_Examples 1 / 21
Patching ACS 5.2
Specify a repository (FTP/SFTP) for ACS software updates, etc.
Update your ACS to the latest and greatest image.
Root Patch
Install the Root Patch to access the underlying Linux. This is intended only for deep-dive troubleshooting together with Cisco TAC!
Then you have to leave the session, because the shell must be refreshed. Use the command root_enable to get shell access. Please note the highlighted error message: root access is only possible via the console, not via SSH.
To verify this, switch to the VMWare Console and try again.
Now you can use Linux commands like TCPDump, etc.
Forward Syslog Messages to external Server
Now you can use the WebGUI to access ACS.
The default user/password is ACSAdmin/default and you have to change the password.
Then you have to specify your license file.
Specify which messages should be forwarded to the newly created Syslog Server.
Then move the available External Syslog Server to the Selected Targets and click submit.
Role-Based Access Control
There are multiple roles already pre-defined. Specify a new account and assign a role to it.
Backups
Related commands:
    myACS/admin# acs backup YOURNAME repository YOURREPOSITORY
    myACS/admin# backup-logs YOURNAME repository YOURREPOSITORY
RADIUS Proxy
ACS 5.2 is able to forward RADIUS requests to an external RADIUS server. First set up e.g. FreeRADIUS on a different VM/hardware.
Set up FreeRADIUS for RADIUS Proxy
Edit clients.conf and users for a locally stored username.
Configure ACS for RADIUS Proxy
Create a Location based on where your devices (routers/switches...) are located.
Create Device Types to build groups like Nexus7000, Cat6K, EdgeSwitches, WLAN AP,....
Create Network Devices and AAA Clients
Specify external RADIUS Server
Create a new Access Service
Note: You can strip the username before or after a separator character. See the Advanced Options section on the right-hand side.
You will be prompted to modify Service Selection. Click on Yes.
First you have to customize the conditions, because by default only the protocol is enabled as a condition. Since by default there are 2 rules (one for protocol TACACS+ and one for protocol RADIUS) pointing to 2 predefined services, and the RADIUS rule matches first, you will never be authenticated by your remote RADIUS. In this example I added a 2nd condition (Device Type) to differentiate between Rule 1 and our new Rule 3. Use the Customize button.
Create new Service Selection Rule
Now Rule #1 and Rule #3 are identical. Let's remove Nexus7000 devices from Rule 1.
That's all. Testing, testing, testing.
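The Service Selection problem described above, as an added example that is not part of the original page: a simplified first-match model of the ACS rule table. It shows why a proxy rule that only checks the protocol is shadowed by the default RADIUS rule, and how the Device Type condition plus removing Nexus7000 from Rule 1 fixes it. The service name "RADIUS Proxy" and the device-type list are assumptions taken from the page's own examples.

```python
# Added example (not the page's or Cisco's code): simplified first-match model
# of the ACS 5.2 Service Selection table. Service name "RADIUS Proxy" and the
# device-type list are assumptions based on the page's examples.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    protocol: str                          # "RADIUS" or "TACACS+"
    device_types: frozenset = frozenset()  # empty = "-ANY-" device type
    service: str = ""

    def matches(self, protocol, device_type):
        return self.protocol == protocol and (
            not self.device_types or device_type in self.device_types)

def first_match(rules, protocol, device_type):
    """Top-down first match, as ACS evaluates the rule table."""
    return next((r for r in rules if r.matches(protocol, device_type)), None)

def select_service(rules, protocol, device_type):
    r = first_match(rules, protocol, device_type)
    return r.service if r else None

def find_shadowed(rules, protocols, device_types):
    """Names of rules that no (protocol, device type) request can ever reach."""
    reached = set()
    for p in protocols:
        for d in device_types:
            r = first_match(rules, p, d)
            if r:
                reached.add(r.name)
    return [r.name for r in rules if r.name not in reached]

PROTOCOLS = ("RADIUS", "TACACS+")
DEVICE_TYPES = frozenset({"Nexus7000", "Cat6K", "EdgeSwitches", "WLAN AP"})

# Step 1: default table plus a new Rule 3 that still only checks the protocol.
# Rule 1 matches every RADIUS request first, so Rule 3 never fires.
shadowed_rules = [
    Rule("Rule 1", "RADIUS", service="Default Network Access"),
    Rule("Rule 2", "TACACS+", service="Default Device Admin"),
    Rule("Rule 3", "RADIUS", service="RADIUS Proxy"),
]

# Step 2: Device Type added as a condition and Nexus7000 removed from Rule 1,
# so only Nexus7000 RADIUS requests are proxied to the external RADIUS server.
fixed_rules = [
    Rule("Rule 1", "RADIUS", DEVICE_TYPES - {"Nexus7000"}, "Default Network Access"),
    Rule("Rule 2", "TACACS+", service="Default Device Admin"),
    Rule("Rule 3", "RADIUS", frozenset({"Nexus7000"}), "RADIUS Proxy"),
]
```

Running find_shadowed over a planned rule table before saving it in the GUI is a quick way to catch a rule that can never be selected.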
Active Directory Authz with Device Administration
Make sure that the ACS and AD time is in sync and that ACS can use DNS to resolve the domain. Use the clock command or, much better, use NTP. And don't forget to set the timezone.
Active Directory Integration
Use your ADS credentials to join your domain, then click the Test Connection button.
If successful, you can save the changes and you should be joined and connected to your domain.
Now you can browse AD groups by using the Select button or add them manually.
Your ACS should automatically be assigned to the Computers container in ADS.
ACS Setup for Device Administration
Device Administration is done by using the TACACS+ protocol.
By default the Internal Users database is the Identity Store. We have 2 options, and the answer to pro and con is: it depends. You can easily adjust the DB lookup within the single result selection, or for more granular lookups you should use the rule-based result selection. We use the single result selection, and by pressing the Select button a new window pops up where you can select your identity sources. We select AD1.
Then testing, testing, testing. Successful eventvwr message in ADS for user domainadmin.
ACS Setup for Command Authorization
We configure 2 groups in total. Group #1 has unlimited access to the Cisco gear and Group #2 has limited access, like only show commands, etc. So let's start with the Shell Profiles.
Add a Privilege Level to the newly assigned Profiles.
Now we create command sets for the 2 Profiles. One Profile will get RO access for specific commands and the other one will get RW access.
Create 2 new Identity Groups. They are for binding AD or internal Users to specific ACS Groups.
Then assign a new condition (Group Mapping) to the Default Device Admin and change it afterwards to Rule based result selection.
Create the 2 Group Mappings. Group#1 is for DomainAdmins with RW Access and Group#2 is for DomainUsers with RO Access.
Finally, assign 2 Authorization Policies. First of all, customize the Policy.
Then create the 2 Policies.
This page was last modified on 7 July 2011 at 22:47. This page has been accessed 5,070 times.
That's all. Testing, testing, testing.
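The command-authorization chain built in this section, as an added example that is not part of the original page: AD group to Identity Group mapping, then Identity Group to shell profile and command set, evaluated in rule order. The Group#1/Group#2, DomainAdmins/DomainUsers names are the page's; the privilege levels, the command-set rows and the running-config carve-out are assumed values.

```python
# Added example (not the page's or Cisco's code): simplified model of the
# ACS 5.2 device-administration chain. Privilege levels and command-set rows
# are assumptions; group names come from the page.
from dataclasses import dataclass
import re

@dataclass
class CommandSet:
    name: str
    entries: list           # ordered (action, command, argument regex) rows
    permit_unmatched: bool  # "permit any command that is not in the table"

    def allows(self, command, args=""):
        # First matching row decides; the checkbox decides for unmatched commands.
        for action, cmd, arg_re in self.entries:
            if cmd == command and re.fullmatch(arg_re, args):
                return action == "permit"
        return self.permit_unmatched

# Group #1 (RW): empty table and everything unmatched permitted.
RW_SET = CommandSet("RW", [], permit_unmatched=True)
# Group #2 (RO): only "show"; the running config is carved out (assumption),
# so its deny row must come before the broad permit row.
RO_SET = CommandSet("RO", [
    ("deny", "show", r"running-config.*"),
    ("permit", "show", r".*"),
], permit_unmatched=False)

# Group Mappings in rule order: AD group -> ACS Identity Group.
GROUP_MAPPING = {"DomainAdmins": "Group#1", "DomainUsers": "Group#2"}
# Authorization Policy: Identity Group -> (shell profile priv level, command set).
AUTHZ_POLICY = {"Group#1": (15, RW_SET), "Group#2": (1, RO_SET)}

def authorize(ad_groups, command, args=""):
    """Return (privilege level, permitted) for a user's AD group memberships.

    Mapping rules are tried in table order, so a domain admin who is also a
    domain user lands in Group#1. Users in no mapped group get (None, False),
    i.e. the policy's default deny.
    """
    for ad_group, ident in GROUP_MAPPING.items():
        if ad_group in ad_groups and ident in AUTHZ_POLICY:
            priv, cmdset = AUTHZ_POLICY[ident]
            return priv, cmdset.allows(command, args)
    return None, False
```

The per-command result is what the switch receives in the TACACS+ authorization reply; the privilege level only sets the exec mode, so the command set is what actually restricts Group#2.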
Think about
FreeRADIUS users entry for the locally stored test user (the page's original had the typo prv-lvl, corrected here to priv-lvl):
    freeuser Cleartext-Password := "Cisco123"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15",
        cisco-avpair = "shell:cmd=show"