This document describes how to integrate Cisco Wide Area Application Services (WAAS) with ACS 5.x so that users can authenticate to WAAS with TACACS+ credentials and receive administrative access.
- ACS 5.x
Example from Datasheet:
Configuration on ACS
Step 1: Define an AAA client (network device) on ACS 5 for the WAAS Central Manager, with TACACS+ enabled and a shared secret. The same secret is later entered as the TACACS+ key on the WAAS side; if the two differ, ACS cannot decode the requests and every login fails.
Step 2: Define a shell profile under ACS GUI > Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. The WAAS user group is carried in this profile's custom attributes (attribute waas_rbac_groups, with the group name as its value); WAAS matches that value against its own user groups.
Step 3: Define a command set that permits all commands.
Step 4: Because this example uses TACACS+, the access service selected is "Default Device Admin". Point its identity policy to the correct identity source (Internal Users, AD, or an identity store sequence).
Step 5: Create an authorization rule that matches requests from WAAS (this document uses the device IP address as the condition, but any condition that fits the deployment works) and applies the shell profile and command set created in steps 2 and 3.
Configuration on WAAS
Define a TACACS+ server by selecting the Central Manager device in the device list and configuring TACACS+: Devices > [Central Manager System name] > Configure > Security > AAA > TACACS+. The key entered here must match the shared secret of the AAA client defined on ACS.
On the same screen, change the authentication and authorization methods to allow TACACS+ access.
Browse to the following location and add a user group whose name matches the custom attribute value configured in the ACS shell profile:
Home > Admin > AAA > User Groups
Then assign this group (Test_Group) "admin" level rights in Role Management. The "admin" role on the Central Manager is pre-configured.
After this, when a user logs in to WAAS, they authenticate with TACACS+ credentials and receive admin rights on WAAS.
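The steps above rest on two things the GUI hides: the shell profile's custom attribute travels to WAAS as a name=value pair inside a TACACS+ authorization REPLY, and that reply body is obfuscated with the shared secret, so a mismatched key turns the attribute list into unparseable bytes rather than producing an explicit error. The following is an added example in Python, not code from the original document or from Cisco ACS or WAAS: a minimal encoder and decoder for the TACACS+ (RFC 8907) authorization REPLY, used here to show the attribute waas_rbac_groups=Test_Group arriving intact with the key "keyword" from the text and failing to decode with a different key. The session id, sequence number and group name are constructed sample values; waas_rbac_groups is the custom attribute name WAAS uses for group mapping. The same key-matching rule applies to the WAAS Express configuration described below.

```python
"""TACACS+ (RFC 8907) authorization REPLY encoder/decoder.

Added example, not code from the original document or from Cisco ACS/WAAS.
Assumptions: the attribute name waas_rbac_groups and the shared secret
"keyword" come from the text; the session id, sequence number and group
name used in demo() are constructed sample values."""
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0   # major version 12, minor version 0
TAC_PLUS_AUTHOR = 0x02                # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in the clear (never in production)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")
# authorization REPLY body prefix: status, arg_cnt, server_msg_len, data_len
REPLY_PREFIX = struct.Struct("!BBHH")


def pseudo_pad(session_id, key, version, seq_no, length):
    """Obfuscation pad (RFC 8907 section 4.5): chained MD5 over
    session_id || key || version || seq_no || previous digest."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authz_reply(session_id, seq_no, key, attrs,
                      status=TAC_PLUS_AUTHOR_STATUS_PASS_ADD, server_msg=b""):
    """Encode what the ACS side sends: the shell-profile attributes as
    name=value AVPs ('=' marks a mandatory attribute, '*' an optional one)."""
    args = [f"{name}={value}".encode("ascii") for name, value in attrs]
    body = REPLY_PREFIX.pack(status, len(args), len(server_msg), 0)
    body += bytes(len(a) for a in args) + server_msg + b"".join(args)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_authz_reply(packet, key):
    """Decode what the WAAS side receives. Raises ValueError when the body does
    not parse, which is what a wrong shared secret looks like on the wire."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHOR or len(packet) != HEADER.size + length:
        raise ValueError("not a complete TACACS+ authorization packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < REPLY_PREFIX.size:
        raise ValueError("body too short")
    status, arg_cnt, msg_len, data_len = REPLY_PREFIX.unpack_from(body)
    off = REPLY_PREFIX.size
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    if len(arg_lens) != arg_cnt or off + msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("length fields do not add up: wrong shared secret or corrupt packet")
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len            # skip server_msg and administrative data
    attrs = []
    for n in arg_lens:
        try:
            text = body[off:off + n].decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("non-ASCII attribute: wrong shared secret or corrupt packet")
        off += n
        sep = next((i for i, ch in enumerate(text) if ch in "=*"), None)
        if sep is None:
            raise ValueError("attribute without separator")
        attrs.append((text[:sep], text[sep + 1:], text[sep] == "="))
    return {"status": status, "server_msg": server_msg.decode("ascii", "replace"),
            "attrs": attrs}


def rbac_groups(packet, key, attr_name="waas_rbac_groups"):
    """Group names WAAS would map to its User Groups, or None if the reply does
    not decode to a passing authorization under this key."""
    try:
        reply = decode_authz_reply(packet, key)
    except ValueError:
        return None
    if reply["status"] not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                               TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    return [value for name, value, _ in reply["attrs"] if name == attr_name]


def demo():
    # Constructed sample session: server reply (seq 2) to a client request (seq 1).
    packet = build_authz_reply(0x1A2B3C4D, 2, b"keyword",
                               [("waas_rbac_groups", "Test_Group")])
    return rbac_groups(packet, b"keyword"), rbac_groups(packet, b"wrongkey")


if __name__ == "__main__":
    good, bad = demo()
    print("matching key   ->", good)
    print("mismatched key ->", bad)
```

Running the block shows ["Test_Group"] for the matching key and None for the mismatched one: the decoder only learns the key was wrong because the length fields no longer add up, which is why a key mismatch between ACS and WAAS surfaces as a generic authentication or authorization failure rather than a descriptive error. The obfuscation is XOR with an MD5-derived pad, not encryption, so the shared secret is the only thing protecting the attribute values on the wire; keep the ACS-to-WAAS path on a management network.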
Configuring a User
The first step in setting up your WAAS Express device and Central Manager to communicate is to configure the same user on the WAAS Express device and the Central Manager.
To configure an external TACACS+ user on the WAAS Express device, enter the following configuration commands on it:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#aaa new-model
waas-express(config)#aaa authentication login default group tacacs+
waas-express(config)#aaa authorization exec default group tacacs+
waas-express(config)#tacacs-server host host-ip
waas-express(config)#tacacs-server key keyword
To configure an external RADIUS user on the WAAS Express device, enter the following configuration commands on it:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#aaa new-model
waas-express(config)#aaa authentication login default group radius
waas-express(config)#aaa authorization exec default group radius
waas-express(config)#radius-server host host-ip
waas-express(config)#radius-server key keyword
The external authentication server for TACACS+ or RADIUS must be Cisco ACS 4.x or 5.x. Note that the method lists above name only the AAA server group, with no fallback: if the server is unreachable, nobody can log in. Appending the local keyword to both the login authentication and exec authorization method lists lets a locally configured user get in when the server is down. For detailed information on Configuring a User section of