In this part we configure a user in Secure ACS who can log in to a router.
To configure user accounts for administering network devices you need to do the following steps. Because of the role-based architecture of Secure ACS 5.3, the configuration differs a little from the old 3.x and 4.x servers.
What we are going to do is configure…
…an AAA login with full administrator rights (enable mode)
…AAA authorization (commands are checked against the ACS before they are accepted by the router)
Step 1: location
First we need to configure a location. The location describes where the network device is or to which group it belongs. This value is user-specific.
Step 2: device type
With the device type we define which kind of machine is used (router, switch or whatever).
Step 3: AAA client
The AAA client defines the attributes of the machine, i.e. which exact machine we want to configure. Attributes in this configuration step are, for example, the IP address of the device and its name (which has to match the hostname of the Cisco device).
The AAA configuration of my test router looks like this:
aaa new-model
! aaa new-model must be enabled before the aaa commands below are accepted
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization commands 15 VTY group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface FastEthernet1/0
tacacs-server host 10.245.213.15
tacacs-server key tacacstest
line con 0
 exec-timeout 300 0
 login authentication CONSOLE
 transport input none
line aux 0
line vty 0 4
 login authentication VTY
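To check a configuration like this before applying it, here is an added Python script (mine, not from the post) that parses the aaa authentication login method lists and the login authentication statements under each line, and flags the cases a defender cares about: a list that contains none (fail-open), a list with a server group but no local fallback (nobody can log in when the TACACS+ server is unreachable), and a line that relies on a default list the config never defines. The sample config is the one above with aaa new-model added; the finding texts are my own wording.

```python
import re

# Constructed sample: the tutorial's router configuration, with aaa new-model added
# (IOS requires it before any aaa ... command is accepted).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization commands 15 VTY group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface FastEthernet1/0
tacacs-server host 10.245.213.15
tacacs-server key tacacstest
line con 0
 exec-timeout 300 0
 login authentication CONSOLE
 transport input none
line aux 0
line vty 0 4
 login authentication VTY
"""


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(config):
    """Return (aaa new-model enabled?, login method lists, line -> login list name)."""
    login_lists, line_login, has_new_model = {}, {}, False
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if text == "aaa new-model":
            has_new_model = True
        elif m := re.fullmatch(r"aaa authentication login (\S+) (.+)", text):
            login_lists[m.group(1)] = parse_methods(m.group(2).split())
        elif text.startswith("line "):
            current = text
            line_login[current] = "default"   # no explicit list -> the default list applies
        elif current and (m := re.fullmatch(r"login authentication (\S+)", text)):
            line_login[current] = m.group(1)
    return has_new_model, login_lists, line_login


def audit(config):
    """Return a list of human-readable findings about the login method lists."""
    has_new_model, login_lists, line_login = parse_config(config)
    findings = []
    if not has_new_model:
        findings.append("aaa new-model is not enabled: AAA method lists require it")
    for line, list_name in line_login.items():
        methods = login_lists.get(list_name)
        if methods is None:
            findings.append(f"{line}: login list '{list_name}' is not defined explicitly")
            continue
        if "none" in methods:
            findings.append(f"{line}: list '{list_name}' contains 'none' (fail-open)")
        uses_server = any(m.startswith("group ") for m in methods)
        has_local = any(m in ("local", "local-case", "enable") for m in methods)
        if uses_server and not has_local:
            findings.append(f"{line}: list '{list_name}' has no local fallback; "
                            "login is impossible if the TACACS+ server is unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the only finding is line aux 0, which has no login authentication statement and therefore falls back to a default list that the config does not define; the VTY list passes because local follows group tacacs+, and the console list is local only, so a TACACS+ outage can never lock you out of the console.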
Step 4: identity group
The identity group is the user database. You can also refer to an LDAP (Active Directory) server to perform authentication, but in my example I am only using the local database.
Step 5: user database
Here you actually configure the values within the user database.
Step 6: shell profile
The shell profile connects a user to the rights that user has during a telnet/ssh session. In this example we enable the user to be at “privilege level 15” when he successfully logs in.
Step 7: command set
This step attaches a set of commands to a specific user. This means, for example, that you can configure a user who is able to do everything on a router except a reload, by denying the command “reload”.
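As an added example (mine, not from the post and not ACS code), here is a simplified model of how a command set like the one in this step is evaluated: the router sends the command and its arguments in a TACACS+ authorization request, and the server walks the rules in order, first match wins, with an explicit default for commands that match no rule. The rule format, the ordering semantics and the permit_unmatched flag are my assumptions for illustration, not a description of ACS internals; the command sets below are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    grant: str               # "permit" or "deny"
    command: str             # command keyword as the device sends it, e.g. "reload"
    arguments: str = ".*"    # regex that must fully match the rest of the command line


@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)
    permit_unmatched: bool = False   # "permit any command that is not in the table"


def evaluate(cmd_set, command_line):
    """Return (decision, reason) for one command line.

    The device sends the command keyword and its arguments separately; we split the
    same way, then apply the first rule whose keyword and argument regex both match.
    """
    parts = command_line.strip().split(maxsplit=1)
    if not parts:
        return ("deny", "empty command")
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for rule in cmd_set.rules:
        if rule.command == cmd and re.fullmatch(rule.arguments, args):
            return (rule.grant, f"matched rule: {rule.grant} {rule.command} {rule.arguments}")
    default = "permit" if cmd_set.permit_unmatched else "deny"
    return (default, f"no rule matched, default {default}")


# Constructed set 1: the tutorial's case, everything allowed except reload (any arguments).
ALL_BUT_RELOAD = CommandSet("all-but-reload", [Rule("deny", "reload")], permit_unmatched=True)

# Constructed set 2: a read-only operator; deny-by-default, so anything not listed is refused.
# Rule order matters: the deny for the running config must come before the broad show permit.
READ_ONLY = CommandSet("read-only", [
    Rule("deny", "show", r"running-config.*"),
    Rule("permit", "show"),
    Rule("permit", "exit"),
])


if __name__ == "__main__":
    for cs, line in [(ALL_BUT_RELOAD, "reload in 5"), (ALL_BUT_RELOAD, "configure terminal"),
                     (READ_ONLY, "show ip route"), (READ_ONLY, "show running-config"),
                     (READ_ONLY, "configure terminal")]:
        print(f"{cs.name:15} {line:25} -> {evaluate(cs, line)}")
```

The two sets show the two ways to write a policy: a permissive set with a short deny list (the post's reload example) and a deny-by-default set where only listed commands pass. The second is the safer shape for non-administrators, because a command nobody thought of is refused rather than allowed.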
Step 8: access service
The access service is a profile name for the configuration of a user with its authorization commands and its administrative rights.
One needs to generate a service selection rule and put it at the top of the list. The selection rule is processed when a user connects to a device and tries to authenticate.
Step 9: The test!
Now we can test whether everything we have configured is working.
I try to telnet into my test router and the prompt shows up (take a look at “username” and “Password”… the first letters of the words are not capital letters like they were before I configured TACACS authentication. That shows us that the ACS server shows us the login prompt, not the router itself).
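To make the exchange behind that prompt concrete, here is an added example (mine, not from the post and not ACS code) of the TACACS+ authentication START packet the router sends and the REPLY the server answers with, laid out as in RFC 8907 and obfuscated with the shared key tacacstest from the configuration above. The username, port, remote address, session id and prompt text are constructed values; a real server's prompt strings will differ.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+ header and authentication packets)
TAC_PLUS_VERSION = (0xC << 4) | 0x0          # major 0xc, minor 0
TAC_PLUS_AUTHEN = 0x01                        # packet type
TAC_PLUS_AUTHEN_LOGIN = 0x01                  # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05         # server asks the client to collect a password

SHARED_KEY = b"tacacstest"                    # the tacacs-server key from the router config


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    return ptype, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)


def authen_start_body(user, port="tty1", rem_addr="10.0.0.5", priv_lvl=1):
    """START body (RFC 8907 5.1): 8 fixed bytes, then user, port, rem_addr, data (constructed values)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r


def parse_authen_start(body):
    action, priv_lvl, _atype, _svc, ul, pl, rl, _dl = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user = body[off:off + ul].decode(); off += ul
    port = body[off:off + pl].decode(); off += pl
    rem_addr = body[off:off + rl].decode()
    return {"action": action, "priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr}


def authen_reply_body(status, server_msg=""):
    """REPLY body (RFC 8907 5.2): status, flags, server_msg_len, data_len, server_msg, data."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg


def parse_authen_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len].decode()


def simulate_login(user, key=SHARED_KEY, session_id=0x1234ABCD):
    """Router sends START (seq 1); server decodes it and answers GETPASS (seq 2) with the prompt."""
    start = build_packet(TAC_PLUS_AUTHEN, 1, session_id, authen_start_body(user), key)
    _ptype, _seq, sid, body = parse_packet(start, key)              # server side
    decoded = parse_authen_start(body)
    reply = build_packet(TAC_PLUS_AUTHEN, 2, sid,
                         authen_reply_body(TAC_PLUS_AUTHEN_STATUS_GETPASS, "Password: "), key)
    _, _, _, reply_body = parse_packet(reply, key)                  # router side
    status, prompt = parse_authen_reply(reply_body)
    return decoded["user"], status, prompt


def wrong_key_garbles(user):
    """True if decoding with a different shared key yields a different body (key mismatch)."""
    start = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, authen_start_body(user), SHARED_KEY)
    _, _, _, body = parse_packet(start, b"not-the-key")
    return body[:8] != authen_start_body(user)[:8]


if __name__ == "__main__":
    print(simulate_login("admin"))
```

Two things worth noticing. A key mismatch between router and ACS does not produce an error on the wire; the decoded body is simply garbage, which is why a wrong tacacs-server key shows up as a failed or hung login rather than a clear message. And RFC 8907 calls this XOR with an MD5 keystream obfuscation, not encryption: anyone who holds the key can decode every packet, and the RFC itself recommends running TACACS+ only over a secured (management) network, which the ip tacacs source-interface line in the config above helps to pin down.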
I hope you are having fun with this little tutorial.
Feel free to comment!