Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Motorola WINGS 5.X (AP) integration with ACS 5.4

Introduction

The following provides example for configuring a Cisco Secure ACS 5.X server to support TACACS+

authentication, authorization and accounting on Motorola Wireless Controllers and Access Points. In this

configuration example Motorola vendor specific attributes and values will be assigned to groups on the

Cisco Secure ACS server to determine each user’s role and access permissions. The attributes and

values are assigned to the group using user defined services and protocols enabled on each group.

Prerequisites

ACS 5.x should be connected to Wings 5.x box.

Components Used

ACS 5.4

Wings 5.2

Configuration on ACS:

Device Types

The following provides an example of how to define WiNG 5 devices as  device types on a Cisco Secure ACS 5.x server. Device types allow  devices to be grouped in Cisco Secure ACS 5.x which will be used when  defining device authorization policies.

Step1: Go to Cisco Secure ACS select Network Resources > Network Device Groups> Device Type >Create:

devicetyp1.jpg

Enter a Name and Description and select a Parent. Click Submit:

devicetyp2.jpg

A Network Device Group for Motorola Solutions devices has now been created:

devicetyp3.jpg

Network Devices and AAA Clients

The following provides an example of how to add a WiNG 5 device as an AAA Client on the Cisco Secure  ACS 5.x server

Within Cisco Secure ACS select Network Resources > Network Devices and AAA Clients >Create:

devicetyp4.jpg

Enter any Name for the Wireless Controller(s) then select a Location.  Assign the Device Type created in the previous step then enable the  TACACS+ checkbox. Enter a Shared Secret then select an IP Address  option. In this example IP Rang(s) By Mask has been selected and the  IPv4 subnet the Wireless Controllers are connected to 192.168.20.0/24  defined. Click Submit:

devtyp6.jpg

The Wireless Controller(s) have now been defined as Network Devices and AAA Clients:

devtyp8.jpg

Step4:Identity Groups

The following provides an example of how to define identity groups on  a Cisco Secure ACS 5.x server. In  this example two groups named  MotorolaRO and Motorola RW will be defined. Users assigned to the   MotorolaRO group will be assigned to the Monitor role and Web access  permissions while users assigned to the MotorolaRW group will be  assigned to the Superuser role and All access permissions.

1 .Within Cisco Secure ACS select Users and Identity Stores . Identity Groups . Create:

devtyp9.jpg

2.Enter a Name and Description for the Read Only access group then click Submit:

devtyp10.jpg

3.Create a second group. Enter a Name and Description for the Read Write access group then

click Submit:

devtyp11.jpg

Two Identity Groups have now been created:

devtyp13.jpg

Shell Profiles

The following provides an example of how to define shell profiles on a  Cisco Secure ACS 5.x server. In this example two shell profiles named  MOTO RO and MOTO RW will be defined with attributes that determines the  role and access permissions each management user is assigned. The name  of each shell profile must match the name of the TACACS authentication  service defined in the TACACS AAA policy.

devtyp14.jpg

In the General tab define the required TACACS+ services and protocols  to add. You can use existing services and protocols or create your own.  The following example defines services and protocol named MOTO RO will  be used to provide Read Only access into WiNG 5 devices:

devtyp15.jpg

In the Common Tasks tab set the Maximum Privilege to Static and select a value of 1:

devtyp16.jpg

In the Custom Attributes tab in the Attribute and Attribute Value  fields, define the attributes to be assigned to the user. In this  example Read Only users will be assigned to the Monitor role and Web  access permissions. Click Submit:

devtyp17.jpg

Create a new Shell Profile. In the General tab define the required  TACACS+ services and protocols to add. You can use existing services and  protocols or create your own. The following example defines services  and protocol named MOTO RW will be used to provide Read Write access  into WiNG 5 devices:

devtyp18.jpg

In the Common Tasks tab set the Maximum Privilege to Static and select a value of 1:

devtyp19.jpg

In the Custom Attributes tab in the Attribute and Attribute Value  fields, define the attributes to be assigned to the user. In this  example Read Write users will be assigned to the Superuser role and All  access permissions. Click Submit:

devtyp20.jpg

Shell Profiles named MOTO RO and MOTO RW have now been created:

Device Authorization Policies

The following provides an example of how to define device  authorization policies on a Cisco Secure ACS 5.x server. Device  authorization policies determine the shell profile each management user  is assigned based on the device type requesting authentication, location  and identity group membership. In this example two device authorization  policies named MotorolaRO and MotorolaRW will be defined.

1 Within Cisco Secure ACS select Access Policies> Default Device Admin >Authorization>Customize:

devtyp21.jpg

Add the Customize Conditions named Identity Group.NDG:Location, NDG:  Device Type and Protocol. Under Customize Results add Shell Profile then  click OK:

devtyp22.jpg

Click Create. In the Name field enter MotorolaRO then select the  Identity Group, NDG:Location and NDG:Device Type. Set the Protocol to  Tacacs and select the Shell Profile named MOTO RO. Click OK:

devtyp23.jpg

Click Create>In the Name field enter MotorolaRW then select the  Identity Group>NDG:Location and NDG:Device Type. Set the Protocol to  Tacacs and select the Shell Profile named MOTO RO> Click OK:

devtyp24.jpg

Device Authorization Policies named MotorolaRO and MotorolaRW have now been created:

devtyp25.jpg

Motorola Solutions WiNG 5.2

AAA TACACS Policies

The AAA TACACS policy defines the TACACS+ client configuration on a  WiNG 5 device. Each AAA TACACS policy can contain up to 2 TACACS+  authentication, authorization and accounting server entries in addition  to the names of the TACACS+ authentication service and protocols defined  on the Cisco Secure ACS server. The TACACS+ AAA policy also determines  the information forwarded to the accounting server.

The following AAA TACACS policy example defines a Cisco Secure ACS  server for TACACS+ authentication, accounting and authorization, defines  the TACACS+ services and protocols named MOTO RO and MOTO RW and  enables CLI command and session accounting:

AAA TACACS Policy Example:

aaa-tacacs-policy CISCO-ACS-SERVER

authentication server 1 host 192.168.10.21 secret 0 hellomoto

authorization server 1 host 192.168.10.21 secret 0 hellomoto

accounting server 1 host 192.168.10.21 secret 0 hellomoto

authentication service MOTO protocol RO

authentication service MOTO protocol RW

accounting commands

accounting session

!

Management Polices

Once an AAA TACACS policy has been defined, it must be assigned to one or more Management

policies before TACACS+ can be utilized. Management policies determine the management interfaces

that are enabled on each WiNG 5 device, local administrative users, roles and access permissions and

external RADIUS or TACACS+ servers used to authenticate administrative users.

By default each WiNG 5 device is assigned to a Management policy named default which is assigned

using profiles. TACACS+ can be enabled on the default Management policy or any user defined Management policy.

Most typical deployments will include separate Management policies  for Wireless Controllers and Access Points. Separate Management policies  are recommended as the management requirements and interfaces for each  device differ. In this case to enable TACACS+ on both Wireless  Controllers and Access Points, TACACS+ will need to be enabled on each  Management policy.

The following Management policy examples enable TACACS+  authentication, authorization and accounting on user defined Management  policies assigned to Wireless Controllers and Access Points. TACACS+  fallback to local authentication is also enabled in the event of a WiNG 5  device cannot reach any defined TACACS+ servers for authentication:

Management Policy Examples:

!

management-policy CONTROLLER-MANAGEMENT

no http server

https server

ssh

user admin password 0 hellomoto role superuser access all

snmp-server user snmptrap v3 encrypted des auth md5 0 hellomoto

snmp-server user snmpoperator v3 encrypted des auth md5 0 hellomoto

snmp-server user snmpmanager v3 encrypted des auth md5 0 hellomoto

aaa-login tacacs fallback

aaa-login tacacs authorization

aaa-login tacacs accounting

aaa-login tacacs policy CISCO-ACS-SERVER

!

!

management-policy AP-MANAGEMENT

ssh

user admin password 0 hellomoto role superuser access all

aaa-login tacacs fallback

aaa-login tacacs authorization

aaa-login tacacs accounting

aaa-login tacacs policy CISCO-ACS-SERVER

!

Verify

The following provides the necessary steps required to validate  TACACS+ authentication, authorization and accounting. In this example  two user accounts have been defined on each Cisco Secure ACS server and  assigned to the appropriate groups. The users group membership  determines the role and access permissions assigned to the management  user.

Username           Role                 Access Permissions

monitor              Monitor           Web

super user        Superuser         all

Role Assignment

The following provides the verification steps required to verify authentication and role assignments:

Using the Web UI, login to the Wireless Controller using the monitor username and password:

devtyp26.jpg

The user will be authenticated, authorized and assigned to the  Monitor role which provides read-only access on the Wireless Controller.  Select Configuration . Devices and attempt to edit a device. Notice no  edit functionality is available as the user is only permitted read-only

access on the device: (Only view is available, Delete option is greyed out)

devtyp27.jpg

Using the Web UI, login to the Wireless Controller using the superuser username and Password

devtyp28.jpg

The user will be authenticated, authorized and assigned to the  Superuser role which provides full access on the Wireless Controller.  Select Configuration . Devices and attempt to edit a device. Notice the  edit functionality is now available as the user is only permitted full  access on the device:

devtyp29.jpg

Troubleshoot:

Cisco Secure ACS 5.X

Within Cisco Secure ACS 5.X select Monitoring and Reports >Launch Monitoring & Report

Viewer> Select Reports > Catalog >AAA Protocol . TACACS Aauthentication>Run.

You would see the result for passed and failed authentication of the  user with the failure reason. For further details, Click on the  Magnifying details.

1278
Views
0
Helpful
0
Comments