This document describes how to integrate Cisco Wide Area Application Services (WAAS) with Cisco Secure ACS 5.x so that users authenticate to WAAS with TACACS+ credentials and receive administrative access.
- ACS 5.x
Example from Datasheet:
Configuration on ACS
Step 1: Define the WAAS Central Manager as a AAA client (network device) on ACS 5.x, using the same TACACS+ shared secret that will be configured on WAAS.
Step 2: Define a shell profile under ACS GUI > Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
Step 3: Define a command set that permits all commands.
Step 4: Because this example uses TACACS+, the access service selected is "Default Device Admin". Point its Identity policy at the correct identity source (Internal Users, AD, or an identity store sequence).
Step 5: Create an authorization rule that matches requests from WAAS (this document uses the device IP address as the condition, but any condition that fits your deployment can be used) and applies the shell profile and command set created in steps 2 and 3.
Configuration on WAAS
Define a TACACS+ server by selecting your Central Manager device in the device list and configuring TACACS+: Devices > [Central Manager System name] > Configure > Security > AAA > TACACS+
You will also need to change the authentication and authorization methods on this screen so that TACACS+ is used for login.
Browse to the following location and add a WAAS user group whose name matches the custom attribute value configured in the ACS shell profile:
Home > Admin > AAA > User Groups
Then assign this group (Test_Group) "admin" level rights in Role Management. The "admin" role on the Central Manager is pre-configured.
After this, when a user logs in to WAAS with TACACS+ credentials, ACS authenticates the login and the user is granted admin rights on WAAS.
Configuring a User
The first step in setting up your WAAS Express device and Central Manager to communicate is to configure the same user on both the WAAS Express device and the Central Manager.
To configure an external TACACS+ user on the WAAS Express device, use the following configuration commands on the WAAS Express device:
waas-express#config t
Enter configuration commands, one per line.  End with CNTL/Z.
waas-express(config)#aaa new-model
waas-express(config)#aaa authentication login default group tacacs+
waas-express(config)#aaa authorization exec default group tacacs+
waas-express(config)#tacacs-server host host-ip
waas-express(config)#tacacs-server key keyword
To configure an external RADIUS user on the WAAS Express device, use the following configuration commands on the WAAS Express device:
waas-express#config t
Enter configuration commands, one per line.  End with CNTL/Z.
waas-express(config)#aaa new-model
waas-express(config)#aaa authentication login default group radius
waas-express(config)#aaa authorization exec default group radius
waas-express(config)#radius-server host host-ip
waas-express(config)#radius-server key keyword
The external authentication server for TACACS+ or RADIUS must be Cisco ACS 4.x or 5.x. For detailed information on Configuring a User section of
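The TACACS+ fragment above makes every login depend on ACS: if the server is unreachable, nobody, including the Central Manager, can log in to the WAAS Express router. The configuration below is an added example, not from the original document or from Cisco; it repeats the integration with a local fallback account and a named server group. The server address 192.0.2.10, the key S3cr3tK3y, the user name waas-admin and the group name ACS are assumed values and must be replaced with your own.

```ios
! Added example; not from the original page. Assumed values:
!   TACACS+ server 192.0.2.10, shared key S3cr3tK3y,
!   local fallback account waas-admin, server group ACS.
aaa new-model
!
! Local account consulted only when no TACACS+ server answers.
! Give it a strong secret; it is the last line of defense.
username waas-admin privilege 15 secret <strong-password>
!
! Named server definition and group instead of the legacy
! global "tacacs-server host"/"tacacs-server key" pair shown above.
tacacs server ACS5
 address ipv4 192.0.2.10
 key S3cr3tK3y
!
aaa group server tacacs+ ACS
 server name ACS5
!
! "local" is tried only if every server in the group times out.
! A reject from ACS is final and does NOT fall through to local.
aaa authentication login default group ACS local
aaa authorization exec default group ACS local
!
! Keep console access independent of the remote server.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```

Before switching the default login method to TACACS+, keep an existing privileged session open and test a fresh login from a second session; if ACS rejects the user or the shell profile does not return the expected privilege, the open session lets you revert the change without the local fallback.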