IOS: Role-based Access Control with ACS

Mar 20, 2011 10:54 AM

This configuration example is meant to be read alongside the official IOS configuration guide for role-based CLI access, located here:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli.html#wp1056582

Prerequisites

Before you create a view, you must perform the following tasks:

Enable AAA via the aaa new-model command.

Ensure that your system is in root view, not merely privilege level 15 (enter it with the "enable view" command, supplying the enable password or enable secret).

Goal

The goal is to enable per-user access restrictions based on each person's role and function within the organization. This feature is very useful when you want to delegate different responsibilities to different user groups within the organization.

We will create two roles:

a. network operator (netop)

b. security operator (secop)

For example, managing and configuring routing protocols and infrastructure configuration should be assigned to the network operations team. Managing the VPN, IOS firewall, and AAA functionality should be assigned to the security operations team. We will be configuring R2 and the ACS server in order to accomplish this.

Topology

[Figure: topology.jpg]

Assumption

This exercise assumes that all routing is in place and that there is a proper route between the 192.168.2.0/24 and 192.168.4.0/24 networks. Make sure you can ping end to end. We also assume that the firewall has been configured with the translation and permissions needed to allow all necessary traffic between the users, the routers and the ACS server.

Step by Step Configuration (R2)

Configure AAA on the router

conf t
aaa new-model
aaa authentication login FREE none
aaa authentication login TACACS-GRP group tacacs+
aaa authorization exec TACACS-GRP group tacacs+
line vty 0 4
login authentication TACACS-GRP
authorization exec TACACS-GRP
enable password cisco

Configure the TACACS+ server

tacacs-server host 192.168.2.14
tacacs-server key cisco

Enable view and configure the netop and secop views; also protect the console

If you are configuring this from the console, exit and reconnect to the console after setting the enable password and before entering root view. If the console has no authentication method configured, "enable view" fails with the error message below.

%AAA-6-USER_BLOCKED: Enable view requires to be authenticated by non-none methods,Please use the appropriate method with the login authentication.

R2>en
Password:
R2#
R2#enab view
Password:

After entering root view with the password, we can apply the FREE method list to the console:

R2(config)#line con 0
R2(config-line)#login authentication FREE

parser view netop
secret cisco
commands configure include all ip route
commands configure include all router
commands configure include all interface
commands configure include ip
commands exec include configure terminal
commands exec include configure
commands exec include all show

netop will be able to configure the following:

1. dynamic routing protocol

2. static routes

3. apply interface specific commands

4. execute any show commands

parser view secop
secret 5 $1$BLsw$UjHivthLFLACo9ClKXi46/
commands configure include all radius-server
commands configure include all tacacs-server
commands configure include all interface
commands configure include all zone-pair
commands configure include all zone
commands configure include all policy-map
commands configure include all class-map
commands configure include ip inspect
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands exec include configure terminal
commands exec include configure
commands exec include all show

secop will be able to configure the following:

1. all VPN related configuration (crypto)

2. all AAA, CBAC and ZBF configuration

3. all TACACS or RADIUS parameters configuration

4. apply interface specific commands

5. execute any show commands

Configure the ACS server

Create R2 as an AAA client on the ACS server.

[Figure: R2-aaa-client.jpg]

Enable per-user TACACS+/RADIUS attributes under Interface Configuration (advanced options).

[Figure: Interface-config-advance-option-enable-per-user-attrib.jpg]

Enable "shell exec" for users under Interface Configuration >> TACACS+ (Cisco IOS).

Make sure to select "Display a window for each service selected..." or you will not see the "custom attributes" box on the User Setup screen shown further below.

[Figure: interface-config-per-user-tacacs.jpg]

Create the two users, netop and secop.

We can add them to a separate group called Role-Based CLI (this is optional).

[Figure: users-in-RBAC.jpg]

Configure each user separately and tie it to the respective view configured on the router.

netop - tie it to the view (netop) that we created on the router
[Figure: netop-setup-acs.jpg]

secop - tie it to the view (secop) that we created on the router
[Figure: secop-setup-acs.jpg]

Apply authentication and authorization to the vty lines

line vty 0 4
authorization exec TACACS-GRP
login authentication TACACS-GRP

Test from the Router R2

R2#  test aaa group tacacs+ netop netop leg
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

R2#  test aaa group tacacs+ secop secop leg
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.

Final Configuration Section:

enable password cisco
!
aaa new-model
!
!
aaa authentication login TACACS-GRP group tacacs+
aaa authentication login FREE none
aaa authorization exec TACACS-GRP group tacacs+
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login authentication FREE
!
line vty 0 3
exec-timeout 0 0
password cisco
authorization exec TACACS-GRP
logging synchronous
login authentication TACACS-GRP
transport input telnet
line vty 4
exec-timeout 0 0
password cisco
authorization exec TACACS-GRP
logging synchronous
login authentication TACACS-GRP
transport input telnet
!
parser view netop
secret 5 $1$VN8q$A4X5YI35YsGxdKOMihLBN/
commands configure include all ip route
commands configure include all router
commands configure include all interface
commands configure include ip
commands exec include configure terminal
commands exec include configure
commands exec include all show
!
parser view secop
secret 5 $1$BLsw$UjHivthLFLACo9ClKXi46/
commands configure include all radius-server
commands configure include all tacacs-server
commands configure include all interface
commands configure include all zone-pair
commands configure include all zone
commands configure include all policy-map
commands configure include all class-map
commands configure include ip inspect
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands exec include configure terminal
commands exec include configure
commands exec include all show
!
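Before this configuration leaves the lab, a defender would want a quick check on the settings the walkthrough chose for convenience. The following Python audit is an added example, not part of the original document or of any Cisco tool. It reads an excerpt of the final configuration above (re-indented the way IOS prints line sub-commands, which is a constructed detail) and reports three things: a method list containing none that is applied to a line (that line then requires no login), an enable password without an enable secret, and vty lines that accept telnet. The finding texts and severities are my own.

```python
"""Audit AAA and line settings in an IOS configuration.

Added example, not from the original document. Flags lab-only settings
that are worth revisiting before a role-based CLI deployment goes live.
"""
import re

# Constructed excerpt of the document's final R2 configuration, indented
# the way IOS prints line-mode sub-commands.
FINAL_CONFIG = """\
enable password cisco
!
aaa new-model
!
aaa authentication login TACACS-GRP group tacacs+
aaa authentication login FREE none
aaa authorization exec TACACS-GRP group tacacs+
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication FREE
!
line vty 0 3
 exec-timeout 0 0
 password cisco
 authorization exec TACACS-GRP
 logging synchronous
 login authentication TACACS-GRP
 transport input telnet
line vty 4
 exec-timeout 0 0
 password cisco
 authorization exec TACACS-GRP
 logging synchronous
 login authentication TACACS-GRP
 transport input telnet
!
"""


def parse_method_lists(config):
    """Map each 'aaa authentication login' list name to its method tokens."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"^aaa authentication login (\S+) (.+)$", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def parse_lines(config):
    """Group indented line-mode commands under their 'line ...' header."""
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):]
            lines[current] = []
        elif current is not None and raw.startswith(" "):
            lines[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the line block
    return lines


def audit(config):
    """Return a list of (severity, finding) tuples for the configuration."""
    findings = []
    lists = parse_method_lists(config)
    if re.search(r"^enable password ", config, re.M) and \
            not re.search(r"^enable secret ", config, re.M):
        findings.append(("medium", "enable password is reversible; prefer enable secret"))
    for name, cmds in parse_lines(config).items():
        for cmd in cmds:
            m = re.match(r"login authentication (\S+)", cmd)
            if m and "none" in lists.get(m.group(1), []):
                findings.append(("high", f"line {name}: method list {m.group(1)} "
                                         "contains 'none', so no login is required"))
            if name.startswith("vty") and cmd.startswith("transport input") \
                    and "telnet" in cmd.split():
                findings.append(("medium", f"line {name}: telnet accepted; "
                                           "credentials cross the network in cleartext"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(FINAL_CONFIG):
        print(f"[{severity}] {text}")
```

Running the script prints one line per finding; on the excerpt above it reports the console method list, the enable password and the two telnet vty ranges. The same audit can be pointed at any saved running-config text.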

Test from R1:

R1#telnet 192.168.4.11
Trying 192.168.4.11 ... Open

Username: netop
Password:

R2>conf t ------> (notice that you are not at the # prompt, yet you can still make configuration changes)
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)>int f0/1
R2(config-if)>shut
R2(config-if)>no shut
R2(config-if)>ip addre ?
  A.B.C.D  IP address
  dhcp     IP Address negotiated via DHCP
  pool     IP Address autoconfigured from a local DHCP pool

R2(config-if)>exit
R2(config)>polic-m
R2(config)>polic-m ? ---> (unable to configure a policy-map when logged in as netop)
% Unrecognized command

R1#telnet 192.168.4.11
Trying 192.168.4.11 ... Open


User Access Verification

Username: secop
Password:

R2>conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)>class-map type inspect in-out-class  ---------> (notice that you are able to create a class-map when logged in as secop)
R2(config-cmap)>
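To check what the netop and secop views actually allow without logging in from R1 for each command, here is an added Python example (not from the original document or from Cisco). It parses the parser view blocks of R2's configuration and evaluates sample commands against them, reproducing the outcomes of the telnet tests above. The model treats include with the all keyword as a prefix match on whole keywords and plain include as an exact match; it is a simplification that ignores command abbreviation (so polic-m is written out as policy-map), exclude and include-exclusive statements, and superviews. The USER_VIEW table is a constructed stand-in for the per-user view name the TACACS+ server returns (the cli-view-name attribute the ACS custom-attributes box carries), and the overlap check is my own addition for spotting privilege both roles hold.

```python
"""Evaluate what each IOS parser view permits.

Added example, not from the original document. Models
'commands <mode> include [all] <command>' as:
  - with 'all': any command starting with those keywords is allowed
  - without 'all': only that exact command is allowed
Assumptions: no abbreviation matching, no exclude/include-exclusive, no superviews.
"""
import re
from collections import defaultdict

# Constructed excerpt of the R2 running-config shown in the document.
RUNNING_CONFIG = """\
parser view netop
 secret 5 $1$VN8q$A4X5YI35YsGxdKOMihLBN/
 commands configure include all ip route
 commands configure include all router
 commands configure include all interface
 commands configure include ip
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
!
parser view secop
 secret 5 $1$BLsw$UjHivthLFLACo9ClKXi46/
 commands configure include all radius-server
 commands configure include all tacacs-server
 commands configure include all interface
 commands configure include all zone-pair
 commands configure include all zone
 commands configure include all policy-map
 commands configure include all class-map
 commands configure include ip inspect
 commands configure include ip
 commands configure include all crypto
 commands configure include all aaa
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
!
"""

# Constructed stand-in for the per-user view name returned by the TACACS+
# server (the cli-view-name attribute configured on ACS).
USER_VIEW = {"netop": "netop", "secop": "secop"}

VIEW_RE = re.compile(r"^parser view (\S+)")
RULE_RE = re.compile(r"^\s*commands\s+(\S+)\s+include\s+(all\s+)?(.+?)\s*$")


def parse_views(config):
    """Return {view_name: {parser_mode: [(keyword_tuple, wildcard), ...]}}."""
    views, current = {}, None
    for line in config.splitlines():
        if line.strip() == "!":
            current = None
            continue
        m = VIEW_RE.match(line)
        if m:
            current = m.group(1)
            views[current] = defaultdict(list)
            continue
        m = RULE_RE.match(line)
        if current and m:
            mode, wildcard, cmd = m.group(1), bool(m.group(2)), m.group(3)
            views[current][mode].append((tuple(cmd.split()), wildcard))
    return views


def permitted(views, view, mode, command):
    """True if the full CLI line `command` is allowed in `view` for `mode`."""
    tokens = tuple(command.split())
    for rule, wildcard in views.get(view, {}).get(mode, []):
        if wildcard and tokens[:len(rule)] == rule:
            return True
        if not wildcard and tokens == rule:
            return True
    return False


def authorize(views, user, mode, command):
    """Fail closed: no view binding, or a binding to a view the router
    does not define, grants nothing."""
    view = USER_VIEW.get(user)
    if view is None or view not in views:
        return False
    return permitted(views, view, mode, command)


def overlap(views, mode):
    """Wildcard rules present in more than one view (privilege both roles hold)."""
    holders = defaultdict(set)
    for name, modes in views.items():
        for rule, wildcard in modes.get(mode, []):
            if wildcard:
                holders[rule].add(name)
    return {" ".join(r): sorted(v) for r, v in holders.items() if len(v) > 1}


if __name__ == "__main__":
    v = parse_views(RUNNING_CONFIG)
    checks = [("netop", "ip route 0.0.0.0 0.0.0.0 192.168.4.1"),
              ("netop", "policy-map type inspect in-out"),
              ("secop", "class-map type inspect in-out-class"),
              ("secop", "router ospf 1")]
    for user, cmd in checks:
        verdict = "permit" if authorize(v, user, "configure", cmd) else "deny"
        print(f"{user:6} {cmd:40} {verdict}")
    print("wildcard rules shared by both views:", overlap(v, "configure"))
```

The overlap report shows that both roles can enter interface configuration, which matches the two view definitions; whether that sharing is intended is a policy decision for the team that owns the views.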


Comments

mubashir.sultan Mon, 01/09/2012 - 04:43

Hi,

Very informative and useful...

Could you please upload the same for the ACS 5.X? It would be great...

BR,

Mubasher Sultan
