minkumar
Level 1

Introduction

The following provides an example of configuring a Cisco Secure ACS 5.x server to support TACACS+ authentication, authorization and accounting on Motorola Wireless Controllers and Access Points. In this configuration example, Motorola vendor-specific attributes and values are assigned to groups on the Cisco Secure ACS server to determine each user's role and access permissions. The attributes and values are assigned to each group through user-defined TACACS+ services and protocols enabled in the group's shell profile.

Prerequisites

The ACS 5.x server must have IP connectivity to the WiNG 5.x device(s); TACACS+ uses TCP port 49, so that port must be permitted between the devices and the server.

Components Used

ACS 5.4

WiNG 5.2

Configuration on ACS:

Device Types

The following provides an example of how to define WiNG 5 devices as device types on a Cisco Secure ACS 5.x server. Device types allow devices to be grouped in Cisco Secure ACS 5.x; the group is then referenced as a condition when defining device authorization policies.

Within Cisco Secure ACS select Network Resources > Network Device Groups > Device Type > Create:

devicetyp1.jpg

Enter a Name and Description and select a Parent. Click Submit:

devicetyp2.jpg

A Network Device Group for Motorola Solutions devices has now been created:

devicetyp3.jpg

Network Devices and AAA Clients

The following provides an example of how to add a WiNG 5 device as an AAA Client on the Cisco Secure ACS 5.x server.

Within Cisco Secure ACS select Network Resources > Network Devices and AAA Clients > Create:

devicetyp4.jpg

Enter any Name for the Wireless Controller(s), then select a Location. Assign the Device Type created in the previous step, then enable the TACACS+ checkbox. Enter a Shared Secret, then select an IP Address option. In this example IP Range(s) By Mask has been selected and the IPv4 subnet the Wireless Controllers are connected to, 192.168.20.0/24, has been defined. Click Submit. The Shared Secret must match the secret configured in the WiNG AAA TACACS policy; choose a long, random value, because the TACACS+ body obfuscation is derived from this secret and is only as strong as it is. A subnet-wide entry means any host in 192.168.20.0/24 that knows the secret can talk to the server as an AAA client, so use individual addresses or the narrowest range that covers the controllers where practical:

devtyp6.jpg

The Wireless Controller(s) have now been defined as Network Devices and AAA Clients:

devtyp8.jpg

Identity Groups

The following provides an example of how to define identity groups on a Cisco Secure ACS 5.x server. In this example two groups named MotorolaRO and MotorolaRW will be defined. Users assigned to the MotorolaRO group will be assigned the Monitor role and Web access permissions, while users assigned to the MotorolaRW group will be assigned the Superuser role and All access permissions.

1. Within Cisco Secure ACS select Users and Identity Stores > Identity Groups > Create:

devtyp9.jpg

2. Enter a Name and Description for the Read Only access group, then click Submit:

devtyp10.jpg

3. Create a second group. Enter a Name and Description for the Read Write access group, then click Submit:

devtyp11.jpg

Two Identity Groups have now been created:

devtyp13.jpg

Shell Profiles

The following provides an example of how to define shell profiles on a Cisco Secure ACS 5.x server. In this example two shell profiles named MOTO RO and MOTO RW will be defined, each carrying the attributes that determine the role and access permissions a management user is assigned. The TACACS+ service and protocol names configured in each shell profile (service MOTO with protocols RO and RW below) must match the "authentication service ... protocol ..." entries in the WiNG AAA TACACS policy; otherwise the device's authorization request will not match the profile and no role attributes are returned.

devtyp14.jpg

In the General tab define the required TACACS+ services and protocols to add. You can use existing services and protocols or create your own. The following example defines a service named MOTO with a protocol named RO, which will be used to provide Read Only access to WiNG 5 devices:

devtyp15.jpg

In the Common Tasks tab set Maximum Privilege to Static and select a value of 1:

devtyp16.jpg

In the Custom Attributes tab, in the Attribute and Attribute Value fields, define the attributes to be assigned to the user. In this example Read Only users will be assigned the Monitor role and Web access permissions. Click Submit:

devtyp17.jpg

Create a new Shell Profile. In the General tab define the required TACACS+ services and protocols to add. You can use existing services and protocols or create your own. The following example defines a service named MOTO with a protocol named RW, which will be used to provide Read Write access to WiNG 5 devices:

devtyp18.jpg

In the Common Tasks tab set Maximum Privilege to Static and select a value of 1:

devtyp19.jpg

In the Custom Attributes tab, in the Attribute and Attribute Value fields, define the attributes to be assigned to the user. In this example Read Write users will be assigned the Superuser role and All access permissions. Click Submit:

devtyp20.jpg

Shell Profiles named MOTO RO and MOTO RW have now been created:

Device Authorization Policies

The following provides an example of how to define device authorization policies on a Cisco Secure ACS 5.x server. Device authorization policies determine the shell profile each management user is assigned based on the device type requesting authentication, the location and the identity group membership. In this example two device authorization policies named MotorolaRO and MotorolaRW will be defined.

1. Within Cisco Secure ACS select Access Policies > Default Device Admin > Authorization > Customize:

devtyp21.jpg

Add the Customize Conditions named Identity Group, NDG:Location, NDG:Device Type and Protocol. Under Customize Results add Shell Profile, then click OK:

devtyp22.jpg

Click Create. In the Name field enter MotorolaRO, then select the Identity Group, NDG:Location and NDG:Device Type. Set the Protocol to Tacacs and select the Shell Profile named MOTO RO. Click OK:

devtyp23.jpg

Click Create. In the Name field enter MotorolaRW, then select the Identity Group, NDG:Location and NDG:Device Type. Set the Protocol to Tacacs and select the Shell Profile named MOTO RW (not MOTO RO, or Read Write users would receive the Read Only attributes). Click OK:

devtyp24.jpg

Device Authorization Policies named MotorolaRO and MotorolaRW have now been created:

devtyp25.jpg

Motorola Solutions WiNG 5.2

AAA TACACS Policies

The AAA TACACS policy defines the TACACS+ client configuration on a WiNG 5 device. Each AAA TACACS policy can contain up to 2 TACACS+ authentication, authorization and accounting server entries, in addition to the names of the TACACS+ authentication service and protocols defined on the Cisco Secure ACS server. The AAA TACACS policy also determines the information forwarded to the accounting server.

The following AAA TACACS policy example defines a Cisco Secure ACS server for TACACS+ authentication, authorization and accounting, defines the TACACS+ service MOTO with protocols RO and RW, and enables CLI command and session accounting. The 0 after "secret" indicates the shared secret is entered in clear text, so it also appears in the running configuration; use a strong secret (the same one entered on the ACS server) and restrict who can view the configuration:

AAA TACACS Policy Example:

aaa-tacacs-policy CISCO-ACS-SERVER
 authentication server 1 host 192.168.10.21 secret 0 hellomoto
 authorization server 1 host 192.168.10.21 secret 0 hellomoto
 accounting server 1 host 192.168.10.21 secret 0 hellomoto
 authentication service MOTO protocol RO
 authentication service MOTO protocol RW
 accounting commands
 accounting session
!
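The shared secret in the policy above is the only thing that protects the TACACS+ exchange between the controller and the ACS server: RFC 8907 derives the packet-body keystream from the secret with chained MD5 and XORs it over the body, so anyone holding the secret (or a cleartext copy of this configuration) can decode captured sessions. The following is an added example written for this page, not code from the original post or from Motorola or Cisco, that builds and decodes a TACACS+ authorization REQUEST carrying the service=MOTO, protocol=RO pair the policy references. The server address 192.168.10.21 and the secret "hellomoto" come from the page's example; the session id, client port "ssh" and remote address 192.168.20.5 are constructed for the demo.

```python
# Added example (not from the original post, Motorola or Cisco): a minimal
# TACACS+ (RFC 8907) authorization REQUEST encoder/decoder showing what the
# shared secret protects. Values marked "constructed" are demo assumptions.
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02                # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # set when no secret is configured
HEADER_FMT = "!BBBBII"                # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over the session id,
    the shared secret, version and sequence number. Nothing else enters the
    hash, so whoever knows the secret can regenerate the pad for any capture."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user, args, session_id, key, seq_no=1, priv_lvl=1,
                         port="ssh", rem_addr="192.168.20.5"):
    """Authorization REQUEST as a WiNG client would send after a login.
    port and rem_addr defaults are constructed demo values."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(a))
    body += bytes(len(x) for x in a) + u + p + r + b"".join(a)
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG   # empty secret -> cleartext body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no,
                         flags, session_id, len(body))
    if key:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return header + body


def parse_header(packet):
    """The header is never obfuscated: a sniffer without the secret still sees this."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def decode_author_request(packet, key):
    """Recover user, privilege level and AV-pairs from an authorization REQUEST.
    Returns None when the body does not parse, which is what a wrong secret yields."""
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if h["type"] != TAC_PLUS_AUTHOR or len(body) != h["length"]:
        return None
    if not h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])
    try:
        _m, priv_lvl, _t, _s, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
        off = 8
        arg_lens = list(body[off:off + argc])
        off += argc
        if len(arg_lens) != argc or off + ulen + plen + rlen + sum(arg_lens) != len(body):
            return None                     # lengths inconsistent: garbage pad or corrupt packet
        user = body[off:off + ulen].decode("ascii")
        off += ulen + plen + rlen           # skip port and rem_addr
        args = []
        for n in arg_lens:
            args.append(body[off:off + n].decode("ascii"))
            off += n
        return {"user": user, "priv_lvl": priv_lvl, "args": args}
    except (struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Session id 0x1A2B3C4D is a constructed value; the secret is the page's example.
    pkt = build_author_request("monitor", ["service=MOTO", "protocol=RO"], 0x1A2B3C4D, b"hellomoto")
    print(parse_header(pkt))                                   # visible to anyone on the path
    print(decode_author_request(pkt, b"hellomoto"))            # correct secret recovers the AV-pairs
    print(decode_author_request(pkt, b"wrong-secret"))         # wrong secret: None
```

With the secret, the request decodes to user "monitor" and the pair service=MOTO, protocol=RO, which is exactly the service/protocol combination the ACS shell profile must be defined under; with any other secret the length fields decode to garbage and parsing fails. The header (type, sequence number, session id) is always in the clear, and a policy with no secret sends the whole body in cleartext with the unencrypted flag set.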

Management Policies

Once an AAA TACACS policy has been defined, it must be assigned to one or more Management policies before TACACS+ can be utilized. Management policies determine the management interfaces that are enabled on each WiNG 5 device, the local administrative users, roles and access permissions, and the external RADIUS or TACACS+ servers used to authenticate administrative users.

By default each WiNG 5 device is assigned to a Management policy named default, which is assigned using profiles. TACACS+ can be enabled on the default Management policy or on any user-defined Management policy.

Most typical deployments will include separate Management policies for Wireless Controllers and Access Points. Separate Management policies are recommended, as the management requirements and interfaces for each device differ. In this case, to enable TACACS+ on both Wireless Controllers and Access Points, TACACS+ will need to be enabled on each Management policy.

The following Management policy examples enable TACACS+ authentication, authorization and accounting on user-defined Management policies assigned to Wireless Controllers and Access Points. TACACS+ fallback to local authentication is also enabled, so that a WiNG 5 device that cannot reach any defined TACACS+ server can still be administered. Because fallback lets the local admin account log in whenever the TACACS+ servers are unreachable (or are blocked), the local admin password must be managed as carefully as the TACACS+ credentials, and the "password 0" form below stores it in clear text in the configuration:

Management Policy Examples:

!
management-policy CONTROLLER-MANAGEMENT
 no http server
 https server
 ssh
 user admin password 0 hellomoto role superuser access all
 snmp-server user snmptrap v3 encrypted des auth md5 0 hellomoto
 snmp-server user snmpoperator v3 encrypted des auth md5 0 hellomoto
 snmp-server user snmpmanager v3 encrypted des auth md5 0 hellomoto
 aaa-login tacacs fallback
 aaa-login tacacs authorization
 aaa-login tacacs accounting
 aaa-login tacacs policy CISCO-ACS-SERVER
!
!
management-policy AP-MANAGEMENT
 ssh
 user admin password 0 hellomoto role superuser access all
 aaa-login tacacs fallback
 aaa-login tacacs authorization
 aaa-login tacacs accounting
 aaa-login tacacs policy CISCO-ACS-SERVER
!

The controller policy disables plain HTTP and leaves only HTTPS and SSH as management interfaces, so TACACS+ credentials are never sent over an unencrypted session. The SNMPv3 users shown use MD5 authentication and DES privacy, the weakest SNMPv3 options; prefer SHA and AES where the platform supports them.

Verify

The following provides the steps required to validate TACACS+ authentication, authorization and accounting. In this example two user accounts have been defined on the Cisco Secure ACS server and assigned to the appropriate identity groups. Each user's group membership determines the role and access permissions assigned to the management user.

Username     Identity Group   Role        Access Permissions
monitor      MotorolaRO       Monitor     Web
superuser    MotorolaRW       Superuser   All

Role Assignment

The following provides the verification steps required to verify authentication and role assignments:

Using the Web UI, login to the Wireless Controller using the monitor username and password:

devtyp26.jpg

The user will be authenticated, authorized and assigned the Monitor role, which provides read-only access on the Wireless Controller. Select Configuration > Devices and attempt to edit a device. Notice that no edit functionality is available, as the user is only permitted read-only access on the device (only View is available; the Delete option is greyed out):

devtyp27.jpg

Using the Web UI, login to the Wireless Controller using the superuser username and password:

devtyp28.jpg

The user will be authenticated, authorized and assigned the Superuser role, which provides full access on the Wireless Controller. Select Configuration > Devices and attempt to edit a device. Notice that the edit functionality is now available, as the user is permitted full access on the device:

devtyp29.jpg

Troubleshoot:

Cisco Secure ACS 5.X

Within Cisco Secure ACS 5.X select Monitoring and Reports > Launch Monitoring & Report Viewer > Reports > Catalog > AAA Protocol > TACACS Authentication > Run.

The report lists the passed and failed authentications for each user together with the failure reason (for example a shared-secret mismatch or an unknown AAA client address). For further details on an entry, click its magnifying-glass icon.

Comments
Mustafa9046
Level 1

Hi MinKumar,

I am trying to enable TACACS+ on an Extreme VX9000 controller, which is just another version of the WiNG controller.

I am running code 5.9.2.4-004R. We have Cisco ISE 2.6 as the TACACS+ server.

The above configuration is a good reference, but the pictures (JPG files) attached to it are broken and not visible.

Can you please share the details?


Mustafa9046
Level 1

Hi MinKumar,

This has been helpful.

Thanks for your support.

Do you also have any reference document for Extreme integration with Cisco ISE guest?

mythdhr
Level 1

This is great information, thanks for sharing.
