We have a mixed environment of Cisco and Nokia firewalls. We are trying to implement Cisco ACS and have got TACACS+ to work with the PIXs/ASAs. The problem is with implementing TACACS+ with the Nokias. There is no way I can see to enrol non-Cisco devices. Any help would be appreciated.
What issue are you having with Nokia firewalls and Cisco ACS? I am assuming that you're also running Checkpoint firewalls on top of the Nokia IPSO operating system?
I'm not sure of the procedure involved in enrolling the Nokia into the ACS. I've not been able to find any articles on the internet that show how the ACS should be configured using TACACS+ for the Nokias to be enrolled, and I am also unsure what additional configuration needs to be done on the Nokia. The Nokias are running Checkpoint NGX. I also intend to have the ACS server authenticate for Alteon and Citrix load balancers.
We have basic TACACS+ authentication working with the Nokia IPSO boxes. The users must, however, be defined locally on Nokia IPSO to provide authorisation.
The trick is to allow non-local users to authenticate and authorise with the ACS database, which needs vendor-specific attributes to be sent. The following is good for a RADIUS approach:
I am not sure whether this can be done with TACACS+ though. As for the checkpoint S/W I cannot comment.
Please post any progress on this.
I've tried this but the instructions are for the ACS appliance. I'm running ACS on top of Windows and there is not an option to import the config file.
Using RADIUS is out of the question. The preferred option is to use TACACS+.
The DB update procedure is different for the ACS windows than the ACS SE.
However, it sounds like RADIUS is not an option for you. I am still experimenting with TACACS+; I will let you know if I make some progress.
Some specific documentation would be useful for this, but I haven't found any.
This was an issue in IPSO 4.2 and lower. I remembered this because I explicitly opened a TAC case with Nokia TAC 2.5 years ago. They told me that you will not have to define the users locally on Nokia IPSO starting with IPSO 6.x and higher, if my memory serves me.
OK, had some success. In ACS, under Interface Configuration - TACACS+ - New Services, I checked the button and added the service nokia-ipso, and also, lower down, checked the button to display customised TACACS+ attributes.
Now in Group Setup for the firewall group there is a TACACS+ section for nokia-ipso; check this button and the button for custom attributes.
In the window here enter:
Set up TACACS+ on Voyager and the user role as per the manuals, and bingo! Non-local access for the ACS-authenticated users. The superuser switch does not seem to do anything yet, but I am still experimenting.
I've configured this on the ACS server and it seems fine; however, I am having issues trying to configure Voyager. I have defined an auth profile called TACPLUS_sshd_authprofile that is using the ACS server. It does not seem to be working. Have I missed a step, or am I doing something wrong?
I have to confess I did not do the work on the Nokias; I only support the ACS side of this. I will ask our Nokia expert to post the changes he made.
This is from our Nokia expert. Hope it makes sense.
Instructions on how to add TACACS+ authentication to a Nokia:
1. On your Nokia system, create the roles that are to be assigned to the non-local users.
2. Create an authentication profile of type TACACS+ and set the control level to sufficient.
3. Add the new authentication profile to each appropriate service profile.
4. Make the TACACS+ authentication profile the first authentication mechanism for each appropriate service by deleting the other authentication profiles for each service and then adding them back again. The other profiles are then added after the TACACS+ authentication profile.
5. Ensure that the user-based management roles are correct.
CLISH command set:
1) Add the Authentication Profile
a. Use the following command to create a TACACS+ LOGIN authentication profile.
add aaa authprofile tacacs_login_authprofile authtype TACPLUS authcontrol nokia-server-auth-sufficient
b. Use the following command to create a TACACS+ SSH authentication profile.
add aaa authprofile tacacs_sshd_authprofile authtype TACPLUS authcontrol nokia-server-auth-sufficient
c. Use the following command to create a TACACS+ HTTP authentication profile.
add aaa authprofile tacacs_httpd_authprofile authtype TACPLUS authcontrol nokia-server-auth-sufficient
2) Add the TACACS+ Server
a. Use the following command to configure TACPLUS for use in the LOGIN profile.
add aaa tacplus-servers authprofile tacacs_login_authprofile priority 1 host x.x.x.x port 49 secret secret timeout 3
b. Use the following command to configure TACPLUS for use in the SSH profile.
add aaa tacplus-servers authprofile tacacs_sshd_authprofile priority 1 host x.x.x.x port 49 secret secret timeout 3
c. Use the following command to configure TACPLUS for use in the HTTP profile.
add aaa tacplus-servers authprofile tacacs_httpd_authprofile priority 1 host x.x.x.x port 49 secret secret timeout 3
3) Add the Service Profile
a. Use the following command to configure TACPLUS for use in the LOGIN profile.
add aaa profile tacacs_prof_login authprofile tacacs_login_authprofile acctprofile base_login_acctprofile sessprofile base_login_sessprofile
add aaa profile tacacs_prof_login authprofile base_login_authprofile
b. Use the following command to configure TACPLUS for use in the SSH profile.
add aaa profile tacacs_prof_sshd authprofile tacacs_sshd_authprofile acctprofile base_sshd_acctprofile sessprofile base_sshd_sessprofile
add aaa profile tacacs_prof_sshd authprofile base_sshd_authprofile
c. Use the following command to configure TACPLUS for use in the HTTP profile.
add aaa profile tacacs_prof_httpd authprofile tacacs_httpd_authprofile acctprofile base_httpd_acctprofile sessprofile base_httpd_sessprofile
add aaa profile tacacs_prof_httpd authprofile base_httpd_authprofile
4) Service Module
a. Use the following command to configure the service module to use the TACACS+ LOGIN profile:
set aaa service login profile tacacs_prof_login
b. Use the following command to configure the service module to use the TACACS+ SSH profile:
set aaa service sshd profile tacacs_prof_sshd
c. Use the following command to configure the service module to use the TACACS+ HTTP profile:
set aaa service httpd profile tacacs_prof_httpd
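The CLISH lines above give the ACS address, TCP port 49 and a shared secret, but nothing in the thread shows what actually crosses the wire, which is what you need when, as in the earlier post, the profile "does not seem to be working". The following Python is an added example, not Nokia, Check Point or Cisco code and not from any poster: it builds a TACACS+ PAP authentication START packet the way the IPSO client would, de-obfuscates and checks it in a toy server, and hands the REPLY back, entirely offline (RFC 8907 layouts). The user name fwadmin, the password, the port name ssh, the session id and the secret are constructed values. Two practitioner points it makes concrete: the "secret" is only the key for an MD5 pseudo-pad XORed over the body (RFC 8907 calls this obfuscation, not encryption), so a mismatched secret yields a garbage body rather than a clean error; and TACACS+ carries no integrity protection of its own, so keep port 49 on a management network.

```python
"""TACACS+ (RFC 8907) PAP login exchange built and parsed offline: what the
CLISH 'add aaa tacplus-servers ... port 49 secret ...' lines set up between the
IPSO box (client) and ACS (server). Added example, not Nokia, Check Point or
Cisco code; user, password, port name and shared secret are constructed values."""
import hashlib
import os
import struct

HEADER_FMT = "!BBBBII"   # RFC 8907 4.1: version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_VERSION_PAP = 0xC1       # major 0xC, minor 1 as required for PAP (5.4.2.2)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body in the clear; lab captures only
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER = 0x01, 0x01             # START (5.1)
TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x02, 0x01
TAC_PLUS_AUTHEN_STATUS_PASS, TAC_PLUS_AUTHEN_STATUS_FAIL = 0x01, 0x02  # REPLY (5.2)

def pseudo_pad(session_id, key, version, seq_no, length):
    """4.5: MD5(session_id + key + version + seq_no), each further block chained
    with the previous digest, concatenated up to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """Body XOR pseudo-pad; symmetric, so the same call de-obfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def build_packet(ptype, seq_no, session_id, key, body):
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION_PAP, seq_no) if key else body
    return struct.pack(HEADER_FMT, TAC_PLUS_VERSION_PAP, ptype, seq_no, flags, session_id, len(body)) + payload

def parse_packet(raw, key):
    """Split header and body, de-obfuscating with the shared secret. A wrong secret
    does not raise: it yields a garbage body, which is why a secret mismatch shows
    up as 'nothing works' rather than a clean error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    body = raw[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return dict(version=version, type=ptype, seq_no=seq_no, flags=flags, session_id=session_id), body

def build_authen_start(user, password, port="ssh", rem_addr=""):
    """5.1: action, priv_lvl, authen_type, authen_service, four lengths, then the strings."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d

def parse_authen_start(body):
    action, priv, atype, svc, *lens = struct.unpack("!8B", body[:8])
    strings, off = [], 8
    for n in lens:
        strings.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = strings
    return dict(action=action, priv_lvl=priv, authen_type=atype, service=svc, data=data,
                user=user.decode(errors="replace"), port=port.decode(errors="replace"),
                rem_addr=rem_addr.decode(errors="replace"))

def build_authen_reply(status, server_msg=b"", data=b""):
    """5.2: status, flags, server_msg_len, data_len, then the two strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data

def parse_authen_reply(body):
    status, _flags, ml, dl = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + ml], body[6 + ml:6 + ml + dl]

def simulate_login(user, password, key, expected_password, session_id=None):
    """Client sends START (seq 1); a toy server checks the PAP password and answers
    REPLY (seq 2). Returns (passed, reply_seq_no, server_msg)."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")  # 4.1: must be random per session
    start = build_packet(TAC_PLUS_AUTHEN, 1, session_id, key, build_authen_start(user, password))
    hdr, body = parse_packet(start, key)                     # server side
    req = parse_authen_start(body)
    ok = req["data"] == expected_password.encode()
    status = TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL
    reply_body = build_authen_reply(status, b"" if ok else b"Authentication failed")
    reply = build_packet(TAC_PLUS_AUTHEN, hdr["seq_no"] + 1, hdr["session_id"], key, reply_body)
    hdr2, body2 = parse_packet(reply, key)                   # client side
    status2, msg, _ = parse_authen_reply(body2)
    return status2 == TAC_PLUS_AUTHEN_STATUS_PASS, hdr2["seq_no"], msg.decode()

if __name__ == "__main__":
    KEY = b"secret"  # the 'secret' argument of add aaa tacplus-servers (constructed value)
    print(simulate_login("fwadmin", "pa55w0rd", KEY, "pa55w0rd"))   # (True, 2, '')
    print(simulate_login("fwadmin", "wrong", KEY, "pa55w0rd"))      # (False, 2, 'Authentication failed')
```

To use this against a real server you would replace the toy server half of simulate_login with a TCP connection to the ACS host on port 49 and read the REPLY from the socket; the packet builders and parsers stay the same. Feeding a captured START packet to parse_packet with the secret from the tacplus-servers line is a quick way to confirm that the secret on the Nokia and the key in the ACS AAA client entry match before digging into Voyager profiles and roles.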