TACACS Device administration on ACS 5.1

sidcracker
Level 1

Hello,

I am quite unfamiliar with the ACS (all models). I have configured the Network Device Groups, Users (Internal Store) and now I am trying to configure the device administration for the network devices to get authorized to the Cisco appliances.

Should I be defining both the Shell Profiles and Command Sets for this to work? How is the Access Control List (under Shell Profiles) different from the commands to be entered under the command sets?

Could someone please tell me the format that is to be entered on the ACS if I need to enter any access lists or command sets?

Thanks


Jatin Katyal
Cisco Employee


Let me try to explain all three options:

>>> Downloadable ACLs—Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs

You can configure a RADIUS server to download an access list to the security appliance or an access list name at the time of authentication. The user is authorized to do only what is permitted in the user-specific access list.

>>> Command Set—Policy Elements > Authorization and Permissions > Device Administration > Command Sets

In the command set we can define the "set of commands" a user should have access to. For example, if you want two departments with their respective access, such as engineer and admin, the engineer should have access to show commands and the admin can run any command once successfully logged in to the devices.

>>> Policy Elements > Authorization and Permissions  > Device Administration > Shell Profiles

It should be worth noting that under the common task tab within the shell profile, I can successfully log in as the user that I have added with the default privilege being set to "not in use" (if this is set to 15, when the user logs in they will be taken directly into exec privilege mode without having to enter the "enable" command) and the maximum privilege set to 15. If maximum privilege is set to anything less than 15, I cannot get into exec privilege mode (enable mode).
We also use the custom attribute tab under the shell profile for other attributes.

So all the three options can be used in one access-policy.

HTH
Regards,

Jatin

Do rate helpful posts~

~Jatin

Hello Jatin,

Thanks for your reply. It was very helpful in understanding. I am performing a demo tomorrow to the customer and I just need the appropriate steps for the ACS 5.1 configuration with AD integration. Could you please help me with the steps? Let me outline the steps which I know and you could fill in the gaps where I am wrong or missing.

Create Network Device Groups - Location and Device types

Create Identity Store - Identity Groups and Users (Internals) :

Create Identity Store (External AD)

     a) Join ACS to AD domain

     b) Select the Directory Groups required for the policy

Create Shell Profile and Command Sets

     a) Under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Click Create

          Default Privilege Level : 15

          Maximum Privilege Level : 15

     b) Under Policy Elements > Authorization and Permissions > Device Administration > Command Sets > Click Create

         (Could you please help with the format of the Commands here such as "show interfaces" or "Show route" etc)

Create Access Service Policy

     a) Under Access Policies > Access Services > Default Device Admin > Edit the fields

         Name : Cisco Device Administration

         Service Type: Device Administration

         Group Mapping : Active Directory (AD1)

          Authorization : Previously mentioned shell profiles and command sets

Create a Service Selection Policy

     a) Under Access Policies > Service Selection Policies > Select Access Service Policy (above)

Am I missing anything for making this work? I don't have a machine to make this work and hence rely on your judgement.


If possible please also provide an example of rule based policies

Thanks

Joining ACS to an AD Domain
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140906

ACS 5.1 has to be configured with a valid NTP server for time synchronization, preferably from where the domain controller is syncing its time. Another one is a valid DNS server which can resolve internal names.

Both of them will be configured from the CLI:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003

ip name-server
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1729536

ntp server
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1013780



Required ports to be open between ACS and DCs:

    ldap:             389/tcp
    ldap:             389/udp
    smb:              445/tcp
    kdc:               88/tcp
    kpasswd:          464/tcp
    ntp:              123/udp
    Global catalogue: 3268/tcp


So far you are on the right track; answering your question >> for permitting only show route // show interface and their sub-commands, please check the below mentioned screenshot.


Under create access-policy, I don't think that you need group mapping. Since you want to use AD (external user database), just go to identity and select AD1.


As far as rule-based policy is concerned, in ACS 5.x you can create rules based on various conditions apart from identity. The user group no longer contains all of the information. For example, if you want to grant an employee full access while working on campus, and restricted access while working remotely, you can do so using the rule-based policies in ACS 5.1. You can base permissions on various conditions besides identity, and permissions are no longer associated with user groups. You can use session and environment attributes, such as access location, access type, health of the end station, date, time, and so on, to determine the type of access to be granted.


For example, if the user is a part of a different database, then we can go for this.


Hope this helps.

Regards,

Jatin



Do rate helpful posts-



~Jatin

Hello Jatin,

Thanks for the solution. It worked like a charm. However, I have gotten into a bit of difficulty when configuring command sets on the ACS. I have put commands on the ACS and configured aaa authorization commands on the Cisco device. It does work, but the "access-list" command and other commands appear to be working even when I have not permitted them in the command set.

This is my configuration on both the router and the ACS

ACS

PERMIT/DENY   COMMANDS    ARGUMENT
PERMIT        CONFIGURE   terminal
PERMIT        SHOW        *
PERMIT        ping
PERMIT        interface   gigabit*

Now I have made a command set called "restrictive" and applied these commands. But still, when I create an access-list on the device, it works. I have applied the correct policies and am mapping the correct device groups and Active Directory. I am able to get hit counts whenever an AD user logs into the Cisco device. This command set is the only issue I am facing now.

ROUTER

aaa new-model
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+ local
aaa authorization commands default tacacs+ local
tacacs-server host 1.1.1.1 key 12345


I have looked at the user guide example on the command set and it is really vague.

Please help

Thanks

Glad I could help when needed. You should have all the below listed commands on the IOS device to make it fully operational, and I don't see those commands in your current configuration. Every command has a default privilege level and most of them fall into the below listed four categories. If you are running a command whose level is not defined/configured on the IOS, then the network access device will never check/validate that command against the TACACS server.



aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local



HTH


Regds,

Jatin



Do rate helpful posts~

~Jatin
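To make the interplay between the posted router config, the "restrictive" command set and the per-level lines in the answer concrete, here is an added simulation (example code, not from the thread or from Cisco). It models the two decisions separately: whether the IOS network access device sends a command to TACACS+ at all, and what the ACS command set would answer if asked. The command-to-privilege-level table and the treatment of the arguments column as a glob are assumptions for illustration.

```python
import fnmatch

# Constructed from the thread: the "restrictive" ACS command set as
# (action, command, argument glob) rows; ACS denies anything matching no row.
RESTRICTIVE_SET = [
    ("permit", "configure", "terminal"),
    ("permit", "show", "*"),
    ("permit", "ping", ""),
    ("permit", "interface", "gigabit*"),
]

# Hypothetical privilege levels for a few IOS commands (real IOS assigns
# these per command; 15 is enable/config mode, which is where access-list lives).
CMD_LEVEL = {"show": 1, "ping": 1, "configure": 15, "interface": 15, "access-list": 15}

def acs_decision(command_set, cmd_line):
    """Evaluate one command line against an ACS 5.x command set; first match wins."""
    parts = cmd_line.lower().split(None, 1)
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for action, name, arg_glob in command_set:
        if cmd == name.lower() and (arg_glob == "" or fnmatch.fnmatchcase(args, arg_glob.lower())):
            return action
    return "deny"  # unmatched command: ACS default is deny

def nad_queries_server(ios_lines, cmd_line, in_config_mode):
    """Model of the IOS side: a command is sent to TACACS+ only if
    'aaa authorization commands <level> ...' exists for that command's level.
    Config-mode commands also need config-commands authorization (on by default
    once command authorization exists; the answer's explicit line pins it)."""
    levels = {int(l.split()[3]) for l in ios_lines
              if l.startswith("aaa authorization commands ") and l.split()[3].isdigit()}
    config_cmds = not any(l.strip() == "no aaa authorization config-commands" for l in ios_lines)
    level = CMD_LEVEL.get(cmd_line.split()[0].lower(), 15)
    return level in levels and (config_cmds or not in_config_mode)

def effective_outcome(ios_lines, command_set, cmd_line, in_config_mode=False):
    """What the operator sees: if the NAD never asks, the command simply runs."""
    if not nad_queries_server(ios_lines, cmd_line, in_config_mode):
        return "executed (never sent to TACACS+)"
    return acs_decision(command_set, cmd_line)

# Router config as posted: the 'commands' line carries no privilege level.
POSTED = ["aaa new-model", "aaa authentication login default tacacs+ local",
          "aaa authorization exec default tacacs+ local",
          "aaa authorization commands default tacacs+ local",
          "tacacs-server host 1.1.1.1 key 12345"]
# The same config with the four lines from the answer added.
FIXED = POSTED + ["aaa authorization config-commands",
                  "aaa authorization commands 0 default group tacacs+ local",
                  "aaa authorization commands 1 default group tacacs+ local",
                  "aaa authorization commands 15 default group tacacs+ local"]
```

Running `effective_outcome(POSTED, RESTRICTIVE_SET, "access-list 10 permit any", True)` reproduces the symptom from the question (the command executes because no level is configured), while the same call against `FIXED` returns "deny".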

Thanks again Jatin

I made a new discussion in case you didn't see the reply in my time frame.

Thanks again

Sent from my iPhone

I did see and replied the same on the as well.


If you start a discussion on that, then I'd appreciate it if you mark this query resolved so that others can take benefit out of it and proceed with the new one.


Good luck:)


Rgds,

Jatin



Do rate helpful posts~

~Jatin