I'm evaluating ACS 5.1 for a future deployment. I'm trying to get authentication working for IOS devices using AD groups. Ideally I would like to be able to say this AD group has access to level 15 when logging into IOS devices and another group has show command access only. I can't seem to get it to give access based on the groups. Is this even possible? Using internal users I can get this to work fine. Any help would be appreciated.
To grant privilege level based on AD group membership create a new authorization rule matching on AD group.
By default you will not see AD group membership as an available criteria when creating an authorization rule, click on "Customize" (bottom right corner) while viewing the authorization rules and add AD group membership (as well as any other criteria as needed).
Thanks for the prompt reply. I still can't quite get it to work right. I can log in with my network account but I'm only presented with the unprivaleged prompt. When I try and go into enable mode I get an authentication error. I'll describe my setup below.
Under Network Resources > Network Devices and AAA clients, I have a test switch setup to authenticate.
Under Users and Identity Store > External Identity Stores > AD, I have a connection to our AD and under Directory Groups I have a few AD paths to some different OU's. One of which I'm a member of and I'd like to use for IOS device management.
Under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, I have a profile setup called Cisco Device Mgmt with the Common Tasks > Privilege Levels > Default Privilege set to static level 15.
Under Access Policies > Default Device Admin > Authorization, I have a rule called IOS Admin that has conditions of ANY Identity Group, ANY NDG Location, ANY NDG Type, ANY Date & Time, and AD1:memberof equals IS Data Comm Group which I'm a member with a Result of Cisco Device Mgmt.
I've never used any of the previous ACS versions so it's new to me. I've been using the user guide as well as the help from the web GUI. Do you know of any better resources for 5.1?
What does the AAA configuration look like on the router/switch?
If you want to be granted upon login the privilege level assigned to you by the TACACS+ server you need to have exec authorization, for example:
aaa authorization exec default group tacacs+
Here are the commands on the switch. We are also testing machine authentication and voip phones.
aaa authentication login default group tacacs+ none
aaa authentication login none none
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting commands 15 default start-stop group tacacs+
I thought I would add that I think the problem is with how I'm mapping to AD. I added an AD attribute for memberof. Now when doing an access policy rule I can choose member of and put a network group in. When I log into my switch I get the same prompts whether I use a user in the group or a user not in the group. If I use local users I can get it to work fine. I can log in with a local user in the Cisco IOS Admin Identity group and get level 15 access and log in with a user just in the users and only get non priviledged access.
I was able to get this working. What I did was first setup the connection to AD. You will need to add a Directory Group to the group you want to have access. I ended up not needing to add the memberof attribute. You will need to create your AAA device that you will be authenticating against. This could be a switch or router. I created a Shell Profile under Policy Elements >Device Administration for Cisco IOS management. Give level 15 default and level 15 for max under common tasks. I then added under Device Policies > Default Device Admin > Group Mapping. CLick the customize button on bottom right and you can add AD as an option. I created a rule mapping the Policy Element group to my AD group. I then added an authorization rule under Default Device Admin allowing the access to the Policy Element identity group I created to the Shell profile I created. Hope this helps.
Thanks for the feedback...this seems to work now....However, I wondering if you could help with another query?
I have configured a shell profile called "Test Shell Profile" in the following as per your instructions above i.e.
Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profile , is configured with the privilege levels as outlined above.
This shell profile is then referenced in a rule configured under "Access Policies -> Access Services -> Default Device Admin -> Authorization".
This seems to work a treat...
Further to the above I am trying to get some commands authorised by the ACS. I have added a few permit/deny statements by creating a new command set called "TestSet" under
Policy Elements -> Authorization and Permission -> Device Administration -> Command Sets.
This is set to permit "show version", "show running-config", but to deny "show interface". I have also added the following commands on the cisco IOS: -
aaa authorization commands 15 default group tacacs+ none
When I try and login as a user and enter a command that I have allowed via a permit statement within the command set I get the following output:
Command authorization failed.
Adding debug I can see the following: -
Oct 29 13:43:20: tty2 AAA/AUTHOR/CMD (1789043126): Port='tty2' list='' service=CMD
Oct 29 13:43:20: AAA/AUTHOR/CMD: tty2 (1789043126) user='getmein'
Oct 29 13:43:20: tty2 AAA/AUTHOR/CMD (1789043126): send AV service=shell
Oct 29 13:43:20: tty2 AAA/AUTHOR/CMD (1789043126): send AV cmd=show
Oct 29 13:43:20: tty2 AAA/AUTHOR/CMD (1789043126): send AV cmd-arg=running-config
Oct 29 13:43:20: tty2 AAA/AUTHOR/CMD (1789043126): send AV cmd-arg=
Oct 29 13:43:20: tty2 AAA/AUTHOR/CMD (1789043126): found list "default"
Oct 29 13:43:20: tty2 AAA/AUTHOR/CMD (1789043126): Method=tacacs+ (tacacs+)
Oct 29 13:43:20: AAA/AUTHOR/TAC+: (1789043126): user=getmein
Oct 29 13:43:20: AAA/AUTHOR/TAC+: (1789043126): send AV service=shell
Oct 29 13:43:20: AAA/AUTHOR/TAC+: (1789043126): send AV cmd=show
Oct 29 13:43:20: AAA/AUTHOR/TAC+: (1789043126): send AV cmd-arg=running-config
Oct 29 13:43:20: AAA/AUTHOR/TAC+: (1789043126): send AV cmd-arg=
Oct 29 13:43:20: TAC+: (1789043126): received author response status = FAIL
Oct 29 13:43:20: AAA/AUTHOR (1789043126): Post authorization status = FAIL
This seems to indicate that the ACS is not picking up the command set (TestSet) created in the ACS, I have looked further at the ACS and cannot see anywhere within the Access Policy' where I am supposed to tell the ACS to use the new command set. Also, I am not completely sure I have all the required commands required on the Cisco IOS for authenticating these commands.
Note: - further to the above command not working I am also not able to get into configuration mode.
Where I am going wrong with this?