Cisco ACS with Nokia IP Firewalls

Unanswered Question
Sep 4th, 2008

Hi,

We have a mixed environment of Cisco and Nokia firewalls. We are trying to implement Cisco ACS and have got TACACS+ to work with the PIXs/ASAs. The problem is with implementing TACACS+ with the Nokias. There is no way I can see to enrol non-Cisco devices. Any help would be appreciated.

Cheers

cisco24x7 Thu, 09/04/2008 - 10:21

What issue are you having with Nokia firewalls and Cisco ACS? I am assuming that you're also running Checkpoint firewalls on top of the Nokia IPSO operating system?

Globix_LHR Thu, 09/04/2008 - 23:43

I'm not sure of the procedure involved in enrolling the Nokia into the ACS. I've not been able to find any articles on the internet that show how the ACS should be configured using TACACS+ for the Nokias to be enrolled, and am also unsure what additional configuration needs to be done on the Nokia. The Nokias are running Checkpoint NGX. I also intend to have the ACS server authenticate for Alteon and Citrix load balancers.

plewenz Fri, 09/05/2008 - 02:26

We have basic TACACS+ authentication working with the Nokia IPSO boxes. The users must, however, be defined locally on Nokia IPSO to provide authorisation.

The trick is to allow non-local users to authenticate and authorise against the ACS database, which needs vendor-specific attributes to be sent. The following is good for a RADIUS approach:

http://www.linickx.com/archives/317/how-to-import-vendor-specific-attributes-into-cisco-secure-acs-se-applience

I am not sure whether this can be done with TACACS+ though. As for the checkpoint S/W I cannot comment.

Please post any progress on this.

Globix_LHR Tue, 09/09/2008 - 00:05

I've tried this, but the instructions are for the ACS appliance. I'm running ACS on top of Windows and there is no option to import the config file.

Using RADIUS is out of the question. The preferred option is to use TACACS+.

plewenz Tue, 09/09/2008 - 02:19

The DB update procedure is different for the ACS windows than the ACS SE.

However, it sounds like RADIUS is not an option for you. I am still experimenting with TACACS+; I will let you know if I make some progress.

Some specific documentation would be useful for this, but I haven't found any.

cisco24x7 Tue, 09/09/2008 - 07:02

This was an issue in IPSO 4.2 and lower. I remember this because I explicitly opened a TAC case with Nokia TAC 2.5 years ago. They told me that you will not have to define the users locally on Nokia IPSO starting with IPSO 6.x and higher, if my memory serves me correctly.

plewenz Tue, 09/09/2008 - 08:23

OK, had some success. In ACS Interface Configuration - TACACS+ - New Services, I checked the button and added the service nokia-ipso; lower down I also checked the button to display customised TACACS+ attributes.

Now in Group Setup for the firewall group there is a TACACS+ section for nokia-ipso; check this button and the button for custom attributes.

In the window here enter;

Nokia-IPSO-User-Role=adminRole

Nokia-IPSO-SuperUser-Access=1

Set up TACACS+ on Voyager and the user role as per the manuals, and bingo! Non-local access for the ACS-authenticated users. The superuser switch does not seem to do anything yet, but still experimenting.

Globix_LHR Wed, 09/17/2008 - 00:13

Hi,

I've configured this on the ACS server and it seems fine; however, I am having issues trying to configure Voyager. I have defined an auth. profile called TACPLUS_sshd_authprofile which is using the ACS server. It does not seem to be working. Have I missed a step or am I doing something wrong?

Thanks

plewenz Mon, 09/22/2008 - 23:49

I have to confess I did not do the work on the Nokias; I only support the ACS side of this. I will ask our Nokia expert to post the changes he made.

plewenz Tue, 09/23/2008 - 04:05

This is from our Nokia expert. Hope it makes sense.

Instructions on how to add TACACS+ authentication into Nokia IPSO

1. On your Nokia system, create the roles that are to be assigned to the non-local users.

2. Create an authentication profile of type TACACS+ and set the control level to sufficient.

3. Add the new authentication profile to each appropriate service profile.

4. Make the TACACS+ authentication profile the first authentication mechanism for each appropriate service by deleting the other authentication profiles for each service and then adding them back again. The other profiles are then added after the TACACS+ authentication profile.

5. Ensure that the User based Management Roles are correct.

CLISH command set:

1) Add the Authentication Profile

a. Use the following command to create a TACACS+ LOGIN authentication profile.

add aaa authprofile tacacs_login_authprofile authtype TACPLUS authcontrol nokia-server-auth-sufficient

b. Use the following command to create a TACACS+ SSH authentication profile.

add aaa authprofile tacacs_sshd_authprofile authtype TACPLUS authcontrol nokia-server-auth-sufficient

c. Use the following command to create a TACACS+ HTTP authentication profile.

add aaa authprofile tacacs_httpd_authprofile authtype TACPLUS authcontrol nokia-server-auth-sufficient

2) Add TACACS+ Server

a. Use the following command to configure TACPLUS for use in the LOGIN profile.

add aaa tacplus-servers authprofile tacacs_login_authprofile priority 1 host x.x.x.x port 49 secret secret timeout 3

b. Use the following command to configure TACPLUS for use in the SSH profile.

add aaa tacplus-servers authprofile tacacs_sshd_authprofile priority 1 host x.x.x.x port 49 secret secret timeout 3

c. Use the following command to configure TACPLUS for use in the HTTP profile.

add aaa tacplus-servers authprofile tacacs_httpd_authprofile priority 1 host x.x.x.x port 49 secret secret timeout 3

3) Add Service Profile

a. Use the following command to configure TACPLUS for use in the LOGIN profile.

add aaa profile tacacs_prof_login authprofile tacacs_login_authprofile acctprofile base_login_acctprofile sessprofile base_login_sessprofile

Then run:

add aaa profile tacacs_prof_login authprofile base_login_authprofile

b. Use the following command to configure TACPLUS for use in the SSH profile.

add aaa profile tacacs_prof_sshd authprofile tacacs_sshd_authprofile acctprofile base_sshd_acctprofile sessprofile base_sshd_sessprofile

Then run:

add aaa profile tacacs_prof_sshd authprofile base_sshd_authprofile

c. Use the following command to configure TACPLUS for use in the HTTP profile.

add aaa profile tacacs_prof_httpd authprofile tacacs_httpd_authprofile acctprofile base_httpd_acctprofile sessprofile base_httpd_sessprofile

Then run:

add aaa profile tacacs_prof_httpd authprofile base_httpd_authprofile

4) Service Module

a. Use the following command to configure the service module to use the TACACS+ based LOGIN profile.

set aaa service login profile tacacs_prof_login

b. Use the following command to configure the service module to use the TACACS+ based SSH profile.

set aaa service sshd profile tacacs_prof_sshd

c. Use the following command to configure the service module to use the TACACS+ based HTTP profile.

set aaa service httpd profile tacacs_prof_httpd
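
The exchange that the two halves of this thread set up, the ACS group with service nokia-ipso and its custom attributes (plewenz, 09/09/2008) and the IPSO authprofile pointing at the ACS with a shared secret (the CLISH commands above), shown on the wire as an added example. This is not code from the thread, from Cisco ACS or from Nokia IPSO; it follows the TACACS+ packet layout in RFC 8907 and builds both the authorization REQUEST the device sends and the REPLY the server returns, then decodes the REPLY the way the device would. The user name, port, address, secrets and session id are constructed values, and that IPSO asks for `service=nokia-ipso` in its request is an assumption (it is the service name the ACS side is told to match).

```python
"""TACACS+ authorization exchange for a custom service (RFC 8907 framing).

Added example for this thread, not code from Cisco ACS or Nokia IPSO. It
shows what the ACS group settings (service "nokia-ipso" with the two
Nokia-IPSO-* attributes) look like on the wire and how decoding depends on
the shared secret given to the IPSO box ("secret ..." in the CLISH commands).
That IPSO sends a "service=nokia-ipso" argument is an assumption.
"""
import hashlib
import struct

VERSION = 0xC0                     # major 0xc, minor 0
TYPE_AUTHOR = 0x02
FLAG_UNENCRYPTED = 0x01
STATUS_PASS_ADD = 0x01             # server adds the returned attributes
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def _pad(session_id, key, seq_no, length):
    """MD5 chain over (session_id, key, version, seq_no), RFC 8907 section 4.5."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def _xor_body(body, session_id, key, seq_no):
    """Body obfuscation is a plain XOR with the pad, so the same call decodes."""
    return bytes(b ^ p for b, p in zip(body, _pad(session_id, key, seq_no, len(body))))

def _packet(seq_no, session_id, key, body):
    hdr = HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + _xor_body(body, session_id, key, seq_no)

def build_author_request(session_id, key, user, args):
    """Client side (IPSO): authen_method TACACSPLUS(6), priv_lvl 1, authen_type
    ASCII(1), authen_service LOGIN(1); port and rem_addr are constructed values."""
    u, port, rem = user.encode(), b"ssh", b"192.0.2.10"
    a = [x.encode() for x in args]
    body = struct.pack("!8B", 6, 1, 1, 1, len(u), len(port), len(rem), len(a))
    body += bytes(len(x) for x in a) + u + port + rem + b"".join(a)
    return _packet(1, session_id, key, body)

def build_author_reply(session_id, key, status, args, server_msg=b""):
    """Server side (ACS): REPLY carrying the group's custom attributes."""
    a = [x.encode() for x in args]
    body = struct.pack("!BBHH", status, len(a), len(server_msg), 0)
    body += bytes(len(x) for x in a) + server_msg + b"".join(a)
    return _packet(2, session_id, key, body)

def parse_author_reply(packet, key):
    """Decode a REPLY into (status, {attr: value}); raise ValueError on junk."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    ver, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ver != VERSION or ptype != TYPE_AUTHOR or len(packet) != HEADER.size + length:
        raise ValueError("bad header")
    body = packet[HEADER.size:]
    if not flags & FLAG_UNENCRYPTED:
        body = _xor_body(body, session_id, key, seq_no)
    if len(body) < 6:
        raise ValueError("short body")
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt + msg_len + data_len        # skip server_msg and data
    if len(lens) != arg_cnt or off + sum(lens) != len(body):
        raise ValueError("length mismatch: wrong secret or truncated packet")
    attrs = {}
    for n in lens:
        text = body[off:off + n].decode("ascii")  # UnicodeDecodeError is a ValueError
        off += n
        i = min((text.find(c) for c in "=*" if c in text), default=-1)
        if i < 0:                                  # '=' mandatory, '*' optional attr
            raise ValueError("argument without separator")
        attrs[text[:i]] = text[i + 1:]
    return status, attrs

def authorize(ipso_secret, acs_secret, session_id=0x5EC0DE01):
    """One exchange; returns (role, attrs) or (None, reason) like the device would."""
    build_author_request(session_id, ipso_secret, "fwadmin", ["service=nokia-ipso"])
    reply = build_author_reply(session_id, acs_secret, STATUS_PASS_ADD,
                               ["Nokia-IPSO-User-Role=adminRole",
                                "Nokia-IPSO-SuperUser-Access=1"])
    try:
        status, attrs = parse_author_reply(reply, ipso_secret)
    except ValueError as exc:
        return None, str(exc)
    if status != STATUS_PASS_ADD:
        return None, "authorization failed"
    return attrs.get("Nokia-IPSO-User-Role"), attrs

if __name__ == "__main__":
    print(authorize(b"s3cret", b"s3cret"))
    print(authorize(b"s3cret", b"wrong"))
```

With matching secrets the device gets back `Nokia-IPSO-User-Role=adminRole`, which is the attribute the role mapping on the IPSO side keys on; with a mismatched secret the body XORs to junk and the length check fails, so a working authprofile that still refuses logins is worth checking against the `secret` value in the `add aaa tacplus-servers` command before anything else. Note also that the TACACS+ body "encryption" is only this MD5 pad XOR and the header is sent in clear, so the port 49 traffic between the firewalls and the ACS belongs on a dedicated management network, not a path shared with user traffic.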
