AAA Authentication of VPN3k for Mgmt Accounts

thethmon
Level 1

I see that I can set up CS-ACS to authenticate the administration accounts for my VPN3k (ver 4.x). A couple of questions, if anyone knows:

1. What is the behavior if no AAA servers are available? Is console access the only option, or will it revert back to the locally configured accounts on the concentrator?

2. Is there any other way other than restricting access in CS-ACS to limit admin? That is, it appears that anyone configured in CS-ACS with the privilege level at the right level and shell permissions will be able to administer the VPN concentrators.


5 Replies

gfullage
Cisco Employee

1. If ACS isn't available then the only access to the device is via the console port, using the old locally configured accounts and passwords.

2. You can set up Network Access Restrictions in ACS so that only specific users can authenticate against the 3000. For those users you don't want to authenticate against it, you can add the 3000 NAS as a "Denied Calling/Point of Access location" under the CLI/DNIS Based access restriction section. (Note: VPN3000 NASs have to be placed under this section, not the IP-based access restriction.)

Thanks for the reply. Another question: how is the privilege level handled? That is to say, suppose I set up the 'admin' account on the VPN3k to, say, level 12. Now if I have a user that is allowed to talk to the VPN3k in ACS and has a "Max Privilege level of 15 for any NAS" set in ACS, will that user be an admin of the NAS?

The privilege level assigned to the ACS user has to match the privilege level of the VPN3000 user; then that user gets whatever privileges are assigned in the 3000 GUI.

The sample config is a bit misleading for this; I've been after them to change it for a while. Basically, as soon as you add an AAA Admin server into the 3000 config, the 3000 is going to use that external server. The usernames on the 3000 (admin, config, isp, mis, user) at this point now mean nothing. The only thing that is checked is the privilege level assigned under each of these users, and it is compared against the privilege level assigned on the TACACS server. So basically, you go under the "admin" 3000 user and set the privilege level to, say, 15, and the "config" user gets, say, 11, and the "mis" user gets, say, 9. Then on the TACACS server you set up your users with Exec (shell) permissions and set the privilege level to, say, 15. When this user logs into the 3000 he gets the rights that the "admin" user has, because his privilege level is the same. If on the TACACS server you set the privilege level to 9, then he would get the rights that the "mis" user has. The username on the 3000 is meaningless; the only things that are matched are the privilege levels, and from there the permissions are assigned accordingly.

Hope that makes sense. The sample config shows a user "admin" being added to the ACS server, but this is misleading because it makes people think the TACACS username has to be equal to the 3000 username; this is NOT the case. The TACACS username can be anything, and that user will get the permissions assigned via the concentrator based on which 3000 user has the EXACT same privilege level set up.
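As an added illustration of the exact-match rule described in the reply above (this is not code from the thread or from Cisco), a small Python model that maps ACS users to the local concentrator account whose rights they would inherit; the local account levels and ACS users are constructed, and the no-match and AAA-unreachable cases are handled as the thread describes them.

```python
from dataclasses import dataclass

# Local administrator accounts on the concentrator and the privilege level set
# for each in the 3000 GUI (constructed values; the thread uses 15/11/9).
LOCAL_ADMINS = {"admin": 15, "config": 11, "isp": 10, "mis": 9, "user": 2}


@dataclass
class AcsUser:
    name: str             # TACACS username: ignored by the concentrator
    shell_allowed: bool   # Exec (shell) permission granted in ACS
    priv_lvl: int         # privilege level returned by the TACACS server


def resolve_rights(acs_user, local_admins=LOCAL_ADMINS, aaa_reachable=True):
    """Return the local account whose rights the ACS user inherits, or None.

    Model of the rule in the reply: once an AAA Admin server is configured,
    the username is ignored and only an EXACT privilege-level match against
    a local account grants that account's rights. If no AAA server answers,
    remote logins get nothing; only console access with local credentials
    remains (per the first reply in the thread).
    """
    if not aaa_reachable:
        return None  # console-only fallback; nothing granted remotely
    if not acs_user.shell_allowed:
        return None  # no Exec permission in ACS, so no admin session
    for account, level in local_admins.items():
        if level == acs_user.priv_lvl:
            return account
    return None  # e.g. priv-lvl 12 when no local account is set to 12


def audit(acs_users, local_admins=LOCAL_ADMINS):
    """Map each ACS user to the local account it inherits (None = locked out)."""
    return {u.name: resolve_rights(u, local_admins) for u in acs_users}


def duplicate_levels(local_admins=LOCAL_ADMINS):
    """Privilege levels shared by more than one local account. The thread does
    not say which account wins in that case, so flag it as a config to avoid."""
    by_level = {}
    for account, level in local_admins.items():
        by_level.setdefault(level, []).append(account)
    return {lvl: names for lvl, names in by_level.items() if len(names) > 1}
```

Running `audit` against your real account levels before pointing the concentrator at ACS shows which administrators would end up with no matching level and therefore no access.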

Thanks for your help. I was able to configure it. It's still annoying that it won't fail back to the internal admins if the TACACS servers aren't available, but I'll trade that off for being able to have more than 5 admins by name.

dlac455
Level 1

One problem I ran into was a limit on the number of admins. As I recall, there was a limit of 5 admins. Is that still true?
