04-12-2013 12:28 PM - edited 03-10-2019 08:18 PM
I'm new to ACS 5.4 and have very limited knowledge of the previous versions. I am trying to get users in the external identity store (AD) to be dropped directly into enable mode after being authenticated, since I don't know of a way to set an enable password for users in an external identity store. I think it has something to do with shell attributes but I'm not really sure.
So here's what I tried.
Linking the identity group to the external group and providing full command privileges - enable still didn't work.
Creating duplicate users in the internal identity store and setting the password type field to AD1 - That gives me the ability to get to the enable password prompt; I hit enter on the blank prompt, then it prompts for old and new passwords but fails every time with an Error in Authentication.
04-18-2013 12:25 AM
Hi Jeremy,
Please share the configuration you are using on Cisco Device.
Regards,
Gurpreet S Puri
****************************
Keep Smiling, Peace :)
****************************
(Please Rate Helpful Post)
04-19-2013 10:45 PM
Jeremy: I am really interested to know the answer to this question.
I am eagerly waiting if someone can answer this.
Rating useful replies is more useful than saying "Thank you"
04-21-2013 08:56 PM
From the ACS 5.x doc I found: "You can configure an additional password, stored as part of the internal user record that defines the user's TACACS+ enable password which sets the access level to device. If you do not select this option, the standard user password is also used for TACACS+ enable. If the system is not being used for TACACS+ enable operations, you should not select this option."
04-21-2013 09:01 PM
All,
I have found the solution to this problem. I will post the screen shots and configs from my equipment in the morning.
04-21-2013 11:20 PM
Eagerly waiting
04-22-2013 10:02 AM
To all those eagerly awaiting the answer to this question:
This step-by-step guide assumes that you are using an external identity store (or not requiring your internal users to have a separate enable password), and that these have already been configured. ACS is laid out in a way that guides you through the configuration if you know what you are doing. In any implementation you should configure ACS in this order: add in your devices (Network Resources), add your users (Users and Identity Stores), configure policy conditions (Policy Elements), and finally configure your policies (Access Policies).
Step 1.
Policy Elements > ... > Authorization and Permissions > Device Administration > Shell Profiles
Click the check box for the Permit Access shell profile, then click Duplicate.
In the General tab, name the profile whatever you want; I chose "enable". In the Common Tasks tab, change the drop-down menu to Static and the value to 15 for both Default Privilege and Maximum Privilege. Hit Submit.
Step 2
Policy Elements > ... > Authorization and Permissions > Device Administration > Command Sets
Hit Create.
I named my command set AllowAllCommands.
Step 3.
Access Policies > ... > Access Services > Default Device Admin > Authorization
In the lower right-hand corner of the screen, click Customize.
Make sure the customized conditions and results contain Shell Profile, Command Sets and AD:ExternalGroups (see the image below). This allows you to control under which conditions you authenticate users. Click OK.
Now we need to create a rule to match authentication requests against. On the same page, click Create in the lower left-hand corner.
Now you are almost done.
The only thing that needs to be updated on the device config is the AAA/TACACS+ and vty line config.
Here's what I use:
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local    <- drops users into enable
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host 10.125.1.4
tacacs-server host 192.168.36.4    <- high availability backup ACS
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxxxxx
line vty 0 15
 login authentication default
username user1 privilege 15 secret sUp3rs3cr3t    <- fallback local authentication
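The device-side half of the procedure above is easy to get subtly wrong: the exec authorization line is what lets the priv-15 shell profile take effect, and a missing fallback method or a mistyped keyword (the router silently rejects an unknown command at paste time) leaves you either stuck at user mode or locked out when ACS is unreachable. The following audit script is an added example, not code from the post or from Cisco. It parses an IOS-style AAA snippet, reports whether exec authorization goes through TACACS+ with a non-TACACS fallback, whether login and enable authentication are wired the same way, and flags lines that do not match its (deliberately tiny, assumed) vocabulary. The sample config is constructed from the snippet in the post with two typos deliberately introduced ("tacacs-sefver" and "privilge") so the checker has something to catch.

```python
import re

# Constructed sample: the AAA/TACACS+ snippet from the post, with two typos
# deliberately introduced ("tacacs-sefver", "privilge") for the audit to flag.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.125.1.4
tacacs-server host 192.168.36.4
tacacs-sefver key 7 xxxxxxxxxxxxxxx
line vty 0 15
 login authentication default
username user1 privilge 15 secret sUp3rs3cr3t
"""

# The same snippet with the two typos corrected.
FIXED_CONFIG = (SAMPLE_CONFIG.replace("tacacs-sefver", "tacacs-server")
                .replace("privilge", "privilege"))

# Assumption: only the command families used in this snippet are "known";
# this is not a full IOS grammar, just enough to catch mistyped keywords.
KNOWN_PREFIXES = ("aaa ", "tacacs-server ", "line ", "login ", "username ", "!")
USERNAME_RE = re.compile(r"^username \S+ (?:privilege (\d+) )?(?:secret|password) ")
TACACS = "group tacacs+"


def parse_methods(tokens):
    """Fold ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config):
    """Return {(kind, list_name): [methods]} for authentication/authorization lines."""
    lists = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "aaa" or t[1] not in ("authentication", "authorization"):
            continue
        if t[1] == "authorization" and t[2] == "commands":
            # aaa authorization commands <level> <list> <methods...>
            if len(t) < 6:
                continue
            kind, name, methods = f"authorization commands {t[3]}", t[4], t[5:]
        else:
            # aaa authentication login|enable <list> <methods...>, aaa authorization exec <list> ...
            kind, name, methods = f"{t[1]} {t[2]}", t[3], t[4:]
        lists[(kind, name)] = parse_methods(methods)
    return lists


def audit(config):
    """Summarise the properties a defender cares about in this AAA snippet."""
    lists = parse_aaa(config)
    exec_authz = lists.get(("authorization exec", "default"), [])
    login = lists.get(("authentication login", "default"), [])
    enable = lists.get(("authentication enable", "default"), [])
    findings = {
        # TACACS+ exec authorization is what applies the priv-15 shell profile
        "exec_authz_tacacs": TACACS in exec_authz,
        # a non-TACACS method after tacacs+ avoids lockout when ACS is unreachable
        "exec_authz_fallback": any(m != TACACS for m in exec_authz),
        "login_fallback": any(m != TACACS for m in login),
        "enable_authn_tacacs": TACACS in enable,
        "tacacs_key_configured": False,
        "local_priv15_user": False,
        "unknown_commands": [],
    }
    for raw in config.splitlines():
        s = raw.strip()
        if not s:
            continue
        if not s.startswith(KNOWN_PREFIXES):
            findings["unknown_commands"].append(s)   # mistyped keyword: IOS would reject it
            continue
        if s.startswith("tacacs-server key "):
            findings["tacacs_key_configured"] = True
        elif s.startswith("username "):
            m = USERNAME_RE.match(s)
            if m is None:
                findings["unknown_commands"].append(s)
            elif m.group(1) == "15":
                findings["local_priv15_user"] = True
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted (with typos)", SAMPLE_CONFIG), ("typos fixed", FIXED_CONFIG)):
        print(label)
        for key, value in audit(cfg).items():
            print(f"  {key}: {value}")
```

Run it as-is and the first report shows every AAA check passing but two unknown lines and no TACACS+ key or priv-15 local user, because the typos stop those lines from being recognised; the second report, on the corrected snippet, is clean. Pasting the snippet onto a router would have produced the same outcome with far less explanation.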
04-27-2013 10:03 PM
Jeremy:
Thank you very much.
To be honest, I thought you wanted to enforce using a separate enable password from the user password when using an external identity store. That's why I was interested to see how that is being done.
But as long as you solved your issue, the +5s are really deserved.
Thank you for sharing back the knowledge. I would appreciate it if you mark this discussion as "Resolved" so that people find the way easily if they have the same issue.
Greetings,
Amjad
04-25-2013 12:05 PM
That was my config, but I found one from Cisco as well.
http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml