New ACS 5.1 install - missing something

I am in the process of working through my first ACS 5.1 install and am missing something somewhere. My plan is to get basic functionality working with an internal user before tackling interfacing with AD or LDAP. I want to use ACS for the following...

     AAA access for admins and others that support switches and routers

     802.1x for users connecting to ports on switches

I am working through the User Guide and sample configs that I can find on CCO and don't think I am doing too bad with the learning curve. I hope I can explain how far I have gotten so far and where I seem to be stuck. I am sure there is something simple I am missing.

I have created locations 1st floor and 2nd floor under the Network Resources: Network Device Groups. I have created two device types of switches and routers under Network Resources: Network Device Groups. I have added devices under the Network Resources: Network Devices and AAA Clients. I have created two groups Admin and ReadOnly under Users and Identity Stores: Identity Groups. I have a user created under Users and Identity Store: Internal Identity Store: Users and made it a member of All Groups:Admin.

Under Policy Elements: Authorization and Permissions > Device Administration > Shell Profiles I have created two profiles. Priv15 with default and change privilege both enabled and both set to a maximum of 15. Priv1 only has the default privilege enabled with a level of 1. I created ReadWrite, ReadOnly and Restricted under Policy Elements: Authorization and Permissions > Device Administration > Command Sets. I enabled "Permit any command not in the table" for the ReadWrite set and left it disabled for the others. I placed "permit sh*" as a starter command for the ReadOnly set.

I am having trouble figuring out how to associate all of these with an access policy. I gather that is the next step? I think I need to add a policy under Access Policies: Access Services > Default Device Admin > Authorization to tie these pieces together. Is there a correlation between what is placed here and the AAA commands placed in the switch? i.e. simply go with the default names of Rule-1, Rule-2, etc. or specify something more descriptive?

I think once I get a basic setup up and running I can add something more complex. Most of the samples I have pulled off CCO have been for earlier versions and all the screen shots are completely different. I also have not found anything that is a complete sample. I am using the following on the switch and seem to be having some success. At least I am prompted for the user name and password.

aaa new-model
! classic IOS syntax is "tacacs-server host"; a shared key is also needed
! on both the switch and the ACS network device entry
tacacs-server host 172.16.5.250
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
! "none" at the end means command authorization is skipped if TACACS+ is unreachable
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default wait-start group tacacs+
aaa accounting commands 15 default wait-start group tacacs+

Any assistance would be appreciated.

Brent

Accepted Solutions

Re: New ACS 5.1 install - missing something

The rule names can be whatever you want. They will appear on the list in the order in which they were created, but you can change that by highlighting a rule and then moving it up or down using the controls at the bottom of the window showing the rules. The rules are evaluated top to bottom and first match wins, so keep this in mind when deciding on the criteria for each rule and its position on the list.

Note the "Customize" button on the bottom right of the rule list window, click on it to add more items to the list of available criteria.
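The first-match-wins evaluation described above, as an added illustration that is not ACS code or part of this thread: a constructed model of a device-admin authorization rule table using the shell profile, identity group and command set names from the original post (the rule data, the catch-all "Default" rule and the matching logic are assumptions, not the product's implementation).

```python
# Added illustration (not ACS code): first-match-wins evaluation of a
# device-admin authorization rule table, plus the command-set check a
# matched result implies. Names follow the thread; the data and the
# matching logic are a constructed model, not the product's implementation.
import fnmatch

COMMAND_SETS = {
    # "Permit any command not in the table" enabled -> default permit
    "ReadWrite": {"default_permit": True, "permit": []},
    # only "sh*" permitted; everything else denied
    "ReadOnly": {"default_permit": False, "permit": ["sh*"]},
    "Restricted": {"default_permit": False, "permit": []},
}

def evaluate(rules, request):
    """Return (rule_name, result) of the first rule whose conditions all
    match the request, or (None, None) if nothing matches. A rule with
    no conditions matches everything, so its position decides a lot."""
    for rule in rules:
        if all(request.get(k) == v for k, v in rule["conditions"].items()):
            return rule["name"], rule["result"]
    return None, None

def command_permitted(command_set, command):
    """Whole-line wildcard match (simplified model of a command set)."""
    cs = COMMAND_SETS[command_set]
    if any(fnmatch.fnmatch(command, pat) for pat in cs["permit"]):
        return True
    return cs["default_permit"]

# Constructed rule table in creation order; the catch-all sits last.
RULES = [
    {"name": "Rule-1", "conditions": {"identity_group": "Admin"},
     "result": {"shell_profile": "Priv15", "command_set": "ReadWrite"}},
    {"name": "Rule-2", "conditions": {"identity_group": "ReadOnly"},
     "result": {"shell_profile": "Priv1", "command_set": "ReadOnly"}},
    {"name": "Default", "conditions": {},
     "result": {"shell_profile": "Priv1", "command_set": "Restricted"}},
]

def authorize(rules, request, command):
    """(matched rule name, whether the command is permitted)."""
    name, result = evaluate(rules, request)
    if result is None:
        return name, False
    return name, command_permitted(result["command_set"], command)
```

Moving the catch-all rule to the top of the list makes every request match it first, which is the ordering mistake the answer warns about.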

Re: New ACS 5.1 install - missing something

Thanks, it was the Customize button that I was missing. Internal users seem to be working fine now.

Any tips or suggestions for setting things up to use AD as an external store? It has been recommended that I get an HTML type browser such as JExplorer to assist with groups and other options within AD. This would be an easier way to get the exact groups and other items together for authentication.
