I am in the process of working through my first ACS 5.1 install and am missing something somewhere. My plan is to get basic functionality working with an internal user before tackling interfacing with AD or LDAP. I want to use ACS for the following...
AAA access for admins and others that support switches and routers
802.1x for users connecting to ports on switches
I am working through the User Guide and sample configs that I can find on CCO and don't think I am doing to bad with the learning curve. I hope I can explaine how far I have gotten so far and where I seem to be stuck. I am sure there is somethig simple I am mising.
I have created locations 1st floor and 2nd floor under the Network Resources: Network Device Groups. I have created two device types of switches and routers under Network Resources: Network Device Groups. I have added devices under the Network Resources: Network Devices and AAA Clients. I have created two groups Admin and ReadOnly under Users and Identity Stores: Identity Groups. I have a user created under Users and Identity Store: Internal Identity Store: Users and made it a member of All Groups:Admin.
Under Policy Elements: Authorization and Permissions > Device Administration >Shell Profiles I have created two profiles. Priv15 with default and change priviledge both enabled and both set to maximum of 15. Priv1 only has the default priviledge enabled with a level of 1. I created ReadWrite, ReadOnly and Restricted under Policy Elements: Authorization and Permissions > Device Administration > Command Sets. I enabled Permit any command not in the table for the ReadWrite and left disabled for the others. I placed permit sh* as a starter command for the ReadOnly set.
I am having trouble figuring out how to associate all these with an access policy. I gather that that is the next step? I think I need to add a policy under Access Policies: Access Services > Default Device Admin Authorization to tie these pieces together. Is there a correlation between what is placed here and the AAA commands placed in the switch? i.e. simply go with default name of Rule-1, Rule-2, etc. or specilfy somethng more descriptive?
I think once I get a bacic up and running I can add something more complex. Most of the samples I have pulled off CCO have been earlier versions and all the screen shots are completely different. I also have not found anything that is a complete sample. I am using the following on the switch and seem to be having some success. At least I am prompted for the user name and password.
tacacs host 172.16.5.250
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default wait-start group tacacs+
aaa accounting commands 15 default wait-start group tacacs+
Any assistance would be appreciated.
The rule names can be whatever you want. They will appear on the list in the order in which they were created, but you can change that by highlighting a rule and then moving it up or down using the controls at the bottom of the window showing the rules. The rules are evaluated top to bottom and first match wins, so keep this in mind when deciding on the criteria for each rule and its position on the list.
Note the "Customize" button on the bottom right of the rule list window, click on it to add more items to the list of available criteria.