planing to implement the ACS

adriatikb (Level 1)

hi!

We are planning to implement Cisco Secure ACS for authentication, authorization and accounting for the devices on our network. First I did a search of the Cisco documentation and I found a lot of information about installation and configuration of ACS on Windows, but I did not find any example of configuring the Cisco devices themselves to implement AAA on those devices.

Can you help me?

Thanks

7 Replies

rochopra (Cisco Employee)

Hi

Following are the AAA commands which can be implemented on IOS devices:

aaa new-model

# tacacs+/Radius below means: pick one, either "group tacacs+" or "group radius"

#Authentication
aaa authentication login default group tacacs+/Radius local
aaa authentication enable default group tacacs+/Radius enable
aaa authentication ppp default group tacacs+/Radius local

#Authorization
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa authorization config-commands

#Accounting
aaa accounting network default start-stop group tacacs+/Radius
aaa accounting system default start-stop group tacacs+/Radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+/Radius
aaa accounting commands 1 default start-stop group tacacs+/Radius
aaa accounting commands 15 default start-stop group tacacs+/Radius

# the host command needs the ACS address; <ip-of-ACS> is a placeholder
tacacs-server host <ip-of-ACS> key cisco

For details on the commands check the command reference for devices.

~Rohit

Thank you Rohit,

This is very helpful, but we also need some more details about the configuration and the protocols to be used for communication between the ACS and the clients (the Cisco devices).

ADI

The following configuration will be required on the ACS:

For Authentication:

1. Configure the AAA client on the ACS

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/netcfg.htm#wp394848

2. Configure the user in the ACS

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrmgt.htm

For Authorization:

1. Configure attributes per user or per group in the ACS

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/a_radatr.htm

For Accounting:

Both the AAA server and the AAA client should be configured.

~Rohit

Thank you guys

Something else: can we also control the VTY, console and AUX lines so that they authenticate through AAA?

ADI

Yes, yes, and yes. Controlling through VTY will be your Telnet sessions, which is the access method you will most likely use to authenticate to your devices. If you want strong security I would recommend using SSH, but Telnet will be just fine. Once you set this all up the first time it will all seem clear.

mbroberson1 (Level 3)

First, what you need to do is go to your domain controller where Active Directory is installed and create a new group. Put the users who will be able to access the network devices in that group. After you have installed ACS, what you do is use an external database: the Windows Server Active Directory group you created. You will need to install the remote agent on the domain controller or the server where your Active Directory is installed. There is a bit more configuration of the ACS server for the network devices. Check out this link: http://www.cisco.com/application/pdf/en/us/guest/products/ps407/c1629/ccmigration_09186a00801085d0.pdf

On the routers and switches you will need to use the configuration below. This is for TACACS+ authentication. If you have an ACS this is probably the way you want to go.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

You could always hire me for a small fee to help you with the configuration. ;-)

Hope this all helps.

mbroberson1 (Level 3)

I forgot: you will also need to put this on your network devices.

tacacs-server host x.x.x.x (IP of the ACS server)
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxxxxxx (TACACS+ server key)

Thanks,

Brandon
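Added example, written for this thread and not code from Cisco or from any of the posters: a small Python auditor that parses the kind of IOS AAA commands rochopra and mbroberson1 posted, plus the console, AUX and VTY line sections adriatikb asked about, and reports the points a reviewer would raise before rolling the configuration out: a login list with no local fallback, the `if-authenticated` fallback on authorization lists (which authorizes every authenticated user whenever the ACS does not answer), missing privilege-15 command accounting, a type-7 TACACS+ key (reversible obfuscation, not encryption), an AUX line with an exec, and VTYs that still admit Telnet. The sample configuration, the address 192.0.2.10 and the type-7 key string are all constructed for the example.

```python
"""Audit the AAA / TACACS+ / line section of a Cisco IOS running-config.

Added example for the thread above (not Cisco's or the posters' code).
All addresses and key strings in it are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: the thread's commands plus line sections, with the
# weak spots left in (if-authenticated fallback, type-7 key, Telnet on vty).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key 7 0822455D0A16
line con 0
 login authentication default
line aux 0
 no exec
line vty 0 4
 login authentication default
 transport input telnet ssh
"""

AAA_RE = re.compile(r"aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.*)$")
RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}


def parse_method_lists(config):
    """Map (kind, subtype, list-name) -> ordered methods, e.g.
    ("authentication", "login", "default") -> ["group tacacs+", "local"]."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue  # aaa new-model, config-commands, etc. carry no method list
        kind, subtype, level, name, rest = m.groups()
        tokens = rest.split()
        if kind == "accounting" and tokens and tokens[0] in RECORD_TYPES:
            tokens = tokens[1:]  # drop the record type, keep only the methods
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])  # "group" takes one argument
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, f"{subtype} {level}" if level else subtype, name)] = methods
    return lists


def parse_lines(config):
    """Map each 'line ...' section to its indented sub-commands."""
    sections, current = defaultdict(list), None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the section
    return dict(sections)


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cmds = [c.strip() for c in config.splitlines()]
    if "aaa new-model" not in cmds:
        findings.append("aaa new-model missing: the aaa method lists are not in effect")
    lists = parse_method_lists(config)
    login = lists.get(("authentication", "login", "default"))
    if login is None:
        findings.append("no default login authentication list")
    else:
        if "none" in login:
            findings.append("login default list contains 'none': unauthenticated access when earlier methods error")
        if login[-1] not in ("local", "local-case"):
            findings.append("login default list has no local fallback: lockout when the ACS is unreachable")
    for (kind, subtype, name), methods in lists.items():
        if kind == "authorization" and "if-authenticated" in methods:
            findings.append(f"authorization {subtype} {name}: if-authenticated fallback authorizes every "
                            "authenticated user when the ACS is unreachable; prefer 'local'")
    if ("accounting", "commands 15", "default") not in lists:
        findings.append("no accounting for privilege-15 commands: configuration changes are not logged to the ACS")
    hosts = [c for c in cmds if c.startswith("tacacs-server host")]
    global_key = any(c.startswith("tacacs-server key") for c in cmds)
    if not hosts:
        findings.append("no tacacs-server host configured")
    for h in hosts:
        if " key " not in h and not global_key:
            findings.append(f"'{h}' has no shared key: the ACS will reject the device")
    if any(c.startswith("tacacs-server") and " key 7 " in c for c in cmds):
        findings.append("tacacs key stored as type 7: reversible obfuscation, not encryption; treat the config as a secret")
    for name, sub in parse_lines(config).items():
        if name.startswith("vty"):
            transport = next((c for c in sub if c.startswith("transport input")), "")
            if transport != "transport input ssh":
                findings.append(f"line {name}: '{transport or 'no transport input'}' admits Telnet or is implicit; set 'transport input ssh'")
        if name.startswith("aux") and "no exec" not in sub:
            findings.append(f"line {name} still has an exec: disable it unless out-of-band access is required")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a saved `show running-config` to get the findings list; on the constructed sample it reports the two `if-authenticated` lists, the type-7 key and the Telnet-capable VTY, and reports nothing once those are replaced with `local`, a per-host key and `transport input ssh`. The method-list parser is the part worth keeping: `group tacacs+ local` means "try the ACS, fall back to the local database only if the ACS does not answer", which is why the console still works during an ACS outage, while `group tacacs+ if-authenticated` on an authorization list means "when the ACS does not answer, authorize anything the user asks for".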
