topic Ask the Expert: Installing and Configuring Cisco Access Control in Network Access Control

Ask the Expert: Installing and Configuring Cisco Access Control System

ciscomoderator — Mon, 11 Mar 2019 03:57:49 GMT

With Javier Henderson

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to install and configure the Cisco Secure Access Control System (ACS) with expert Javier Henderson.

The Cisco Secure ACS is a centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control in a centralized identity networking solution.

Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications.

Remember to use the rating system to let Javier know if you've received an adequate response.

Because of the volume expected during this event, Javier might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity, AAA, Identity and NAC, shortly after the event. This event lasts through October 18, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

Ask the Expert: Installing and Configuring Cisco Access Control

Eric R. Jones — Fri, 04 Oct 2013 21:11:41 GMT

CSACS 1121 V5.4.0.46.4

Good morning, I'm Eric Jones and I'm a CISCO equipment user.

I have some questions on the 1121 AAA server.

We have 2, one is configured to work with our Active Directory.

It access the AD data and will pull the username from the AD group; however, when you attempt to enter the AD group users password it fails to login into the IOS device chosen.

What it wants is the enable password created for the local admin account on the IOS device.

The Shell profiles and Command Sets have been created.

The binding has been completed.

The IOS device has its configuration completed.

Part II of this issue.

When I first began configuring the device there were now Default Device Admin or Default Network Admin Access Policies configured.

I had to create these myself.

After that surprise everything went smoothly as mentioned above with the Shell Profiles and Command Sets.

Has anyone seen this issue before.

Part III of this issue.

When entering the Monitoring and Reports section and enabling Support Bundle I get an error when trying to start it.

I get a red warning banner at the top stating the server isn't running. Well Clearly it's running but it doesn't think so.

Also when trying to view the reports to see any accounting, authorization, authentication information in the logs there's nothing there.

I have configured the logs to write to a Server but nothing ever gets written.

And since nothing is being done locally on the ACS I can't tell why it's not writting to the server.

Any thoughts?

Ask the Expert: Installing and Configuring Cisco Access Control

aducey01 — Sun, 06 Oct 2013 05:11:49 GMT

I'm implementing a Cisco ACS in a multi tenant private cloud. Has anyone else done this using multiple LDAP identity stores? I need to research other work done in this area by universities, government and individuals. Can you help me with any examples?

Thank you,

-anne

Ask the Expert: Installing and Configuring Cisco Access Control

Eric R. Jones — Tue, 08 Oct 2013 01:32:28 GMT

I found my answer, the IP address format I was using was incorrect.

I had been using 10.*.*.* or a combination of this when I should have been a bit more detailed.

I have used 10.#-#.*.* or 10.0.#-#.#-# and now that issue has been resolved.

The next issue deals with AD and some users not being able to use their passwords to access the Priv Exec portion.

Should be an easy thing to track down.

Ask the Expert: Installing and Configuring Cisco Access Control

Javier Henderson — Tue, 08 Oct 2013 05:12:27 GMT

Anne,

ACS supports having multiple LDAP servers as identity stores.

Do you have specific configuration scenarios in mind that you'd care to discuss?

Javier Henderson

Cisco Systems

Ask the Expert: Installing and Configuring Cisco Access Control

Javier Henderson — Tue, 08 Oct 2013 05:17:08 GMT

Eric,

Regarding your questions:

1) Can you post the AAA configuration that you're using on the router? Please redact any passwords and IP addresses.

2) By default, ACS has a RADIUS default access policy called Default Network Access, and a TACACS+ access policy called Default Device Admin. You can create additional policies, as needed.

3) Please log into the CLI and run the following command:

# show application status acs

Then post the results.

Also, what version of ACS are you running? Include patch level, please. You can get this information from the "About..." link on the GUI, or "show version" on the CLI.

Ask the Expert: Installing and Configuring Cisco Access Control

TM13 — Wed, 09 Oct 2013 15:07:14 GMT

Hi Javier,

We configured AAA on the switch on the group, and we added 2 ACS on that group, and on the row we added Enable last.

So first i can see deny message on our ACS but 2 time i can go switch by my Enable password, but on second ACS on the group at the moment shut down, is that affected or ? that Enable command is allowing us to access switch any idea?

Re: Ask the Expert: Installing and Configuring Cisco Access Con

Javier Henderson — Wed, 09 Oct 2013 15:17:53 GMT

Tulgabat,

Could I see the current switch configuration, please?

In general, authentication methods are tried in the order in which they appear, until a valid response is received.

Note: access-reject is a valid response, so if the user enters an invalid username/password combination and ACS returns access-reject then no subsequent methods will be tried.

For example, consider the following configuration on a router:

aaa authentication login default group tacacs+ local

In the above case, access-reject by ACS will cause the router to reject the login. if ACS returns an error condition, or is unreachable, then the local user account configuration on the router will be used.

Javier Henderson

Cisco Systems

Ask the Expert: Installing and Configuring Cisco Access Control

John Ventura — Wed, 09 Oct 2013 23:33:40 GMT

Hi Javier,

For the purpose of ACS database replication - what ports need to be open on any firewalls between primary and secondary nodes? appreciate your help on this.

thanks,

John

Ask the Expert: Installing and Configuring Cisco Access Control

jacksonseow — Thu, 10 Oct 2013 00:54:13 GMT

Hi Javier,

How are you? I'm Jackson from Westrac Australia, we use AIRONET 1300 series WIFI radios.

Quick question,

Logging in via hyperterminal, we are normally present with "AP>" , we've seen a couple of "Bridge:".

Could you point out to me how to go from Bridge prompt to AP prompt pls, thank you

regards

Ask the Expert: Installing and Configuring Cisco Access Control

Javier Henderson — Thu, 10 Oct 2013 10:47:01 GMT

The following table lists what ports are used by ACS, and for what purpose:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_operations.html#wp1093548

Javier Henderson

Cisco Systems

Ask the Expert: Installing and Configuring Cisco Access Control

TM13 — Thu, 10 Oct 2013 14:22:55 GMT

Javier,

That error condition making some confusions ... i've tried both Drop,Reject actions on it.

vty lin

line vty 0 4

session-timeout 10

password 7 121A0C041104

authorization commands 1 COMMANDS-1-AUTH

authorization commands 15 COMMANDS-15-AUTH

authorization exec EXEC-AUTH

accounting commands 1 COMMANDS-1-ACCT

accounting commands 15 COMMANDS-15-ACCT

accounting exec EXEC-ACCOUNTING

logging synchronous

transport input ssh

transport output telnet ssh

and AAA config

aaa group server tacacs+ TEST

server **.11

server **.12

aaa authentication login VTY-LOGIN group TEST enable

aaa authentication login CONSOLE group TEST enable

and i can see deny message in ACS on our primary ACS, and second time it is allowing to access it by Enable password, so i am guessing that is why because our Secondary ACS is shutdown ... so wondering procedure is it should access both ACS in the group?

Ask the Expert: Installing and Configuring Cisco Access Control

Javier Henderson — Thu, 10 Oct 2013 14:39:59 GMT

Tulgabat,

The router should try to contact both ACS serves listed in the TEST server group. If neither respods, or both respond with an error condition, then the router should try the next method on the list, which in your configuration is "enable" (ie, the enable password configured on the router).

Keep in mind that if either of the ACS servers returns a deny then the authentication process will stop at that point and reject the login attempt.

Javier Henderson

Cisco Systems

Ask the Expert: Installing and Configuring Cisco Access Control

Javier Henderson — Thu, 10 Oct 2013 16:06:40 GMT

Jackson,

The Bridge: prompt is from the bootloader, rather than IOS. Please refer to the wireless area of this support forum for further assistance, since this event is centered around ACS.

Regards,

Javier Henderson

Cisco Systems

Ask the Expert: Installing and Configuring Cisco Access Control

John Ventura — Fri, 11 Oct 2013 01:18:15 GMT

Hi Javier,

Another quick question, how do I configure ACS to use Windows AD credentials for administrative access to the ACS GUI?

thanks,

John

Ask the Expert: Installing and Configuring Cisco Access Control

Javier Henderson — Fri, 11 Oct 2013 11:36:00 GMT

To configure ACS to use Windows AD credentials for administrative access to the GUI once ACS has been joined to an AD domain:

1) Go to System Administration -> Administrators -> Administrative Access Control

2) Click on Identity, then for Identity Source select "AD1"

3) Click on Save Changes

4) Click on Authorization

5) Create an authorization policy with the desired criteria to grant access and grant the desired role

Complete, step by step instructions are available in the following document:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_admin.html

Javier Henderson

Cisco Systems

Ask the Expert: Installing and Configuring Cisco Access Control

RAJMOHAN RAMAMOORTHY — Mon, 14 Oct 2013 15:07:58 GMT

Hi Javier,

How can we integrate ACS with RSA Authentication Manager for two factor authentication.

How does the two factor authentication work in this integration scenario?

Is there any other App other than RSA, we can integrate with ACS for two factor authentication.

Rajmohan R

Ask the Expert: Installing and Configuring Cisco Access Control

Javier Henderson — Mon, 14 Oct 2013 15:19:53 GMT

Rajmohan,

ACS supports the RSA product, in addition to other third party products as external user databases to provide two-factor authentication.

Details on the configuration steps can be found int he following document:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html

Please let me know if you have specific questions regarding ACS configuration once you had a chance to read that document.

Javier Henderson

Cisco Systems

Ask the Expert: Installing and Configuring Cisco Access Control

TM13 — Wed, 16 Oct 2013 04:55:31 GMT

Thanks Javier,

Looks like 5.2 version bug ...

Ask the Expert: Installing and Configuring Cisco Access Control

Jessica Deaken — Thu, 17 Oct 2013 17:19:26 GMT

Hello Javier,

Thank you for covering this topic. Have a question for you. What are the requirements for the AD account used to join ACS to AD?

Regards,

Jessica