installation and configuration of cisco secure acs 5.3 (vmware) – part 5

Hi again!
In this part we configure a user within Secure ACS who can log in to a router.

To configure user accounts for administering network devices you need to do the following steps. Because of the role-based architecture of Secure ACS 5.3, the configuration differs a little from the old 3.x and 4.x servers.

What we are going to do is to configure…

…an AAA login with full administrator rights (enable mode)
…AAA authorization (commands are checked against the ACS before the router accepts them)

Step 1: location

First we need to configure a location. The location describes where the network device is or to which group it belongs. This value is user-specific.

Step 2: device type

With the device type we can define which type of machine is used (router, switch or whatever).

Step 3: AAA client

The AAA client defines the attributes of the machine, i.e. which exact machine we want to configure. Attributes in this configuration step are, for example, the IP address of the device and its name (which has to match the hostname of the Cisco device).

The AAA configuration of my test router looks like this:

! AAA configuration of the test router: TACACS+ against Secure ACS, local database as fallback
aaa new-model
! Login (authentication) method lists: VTY tries TACACS+ first, then the local database;
! the console uses only the local database so it still works when the ACS is unreachable
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE local
! Authorization: exec (shell / privilege level) and level-15 command authorization via TACACS+
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization commands 15 VTY group tacacs+ if-authenticated
! Note: the VTY-named exec/commands lists are not applied under "line vty 0 4" below,
! so the vty lines use the default authorization lists
aaa accounting commands 15 default start-stop group tacacs+
! TACACS+ server settings (the server address is not shown in the post)
ip tacacs source-interface FastEthernet1/0
tacacs-server host
tacacs-server key tacacstest
line con 0
 session-timeout 300
 exec-timeout 300 0
 password cisco
 logging synchronous
 login authentication CONSOLE
 transport input none
line aux 0
line vty 0 4
 password cisco
 logging synchronous
 login authentication VTY
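As an added example (not part of the original post), here is a small Python linter for an IOS AAA configuration like the one above. It parses the named method lists from the global `aaa` commands and the per-line sub-commands, then reports lists that are defined but never applied to a line, lines that reference an undefined list, and lines without a `login authentication` statement. The config text is a constructed copy of the post's router config, embedded as sample input; the function and pattern names are mine.

```python
import re
from collections import defaultdict

# Constructed copy of the router configuration from the post (sub-commands indented
# IOS-style; the tacacs-server host line has no address, as in the post).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization commands 15 VTY group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface FastEthernet1/0
tacacs-server host
tacacs-server key tacacstest
line con 0
 session-timeout 300
 exec-timeout 300 0
 password cisco
 logging synchronous
 login authentication CONSOLE
 transport input none
line aux 0
line vty 0 4
 password cisco
 logging synchronous
 login authentication VTY
"""

# Global method-list definitions. Key = (kind, list name); kind is "login", "exec" or "commands <level>".
DEF_PATTERNS = [
    (re.compile(r"^aaa authentication login (\S+) (.+)$"), lambda m: ("login", m.group(1))),
    (re.compile(r"^aaa authorization exec (\S+) (.+)$"), lambda m: ("exec", m.group(1))),
    (re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$"),
     lambda m: (f"commands {m.group(1)}", m.group(2))),
]
# Per-line applications of those lists (sub-commands under "line ...").
APPLY_PATTERNS = [
    (re.compile(r"^login authentication (\S+)$"), lambda m: ("login", m.group(1))),
    (re.compile(r"^authorization exec (\S+)$"), lambda m: ("exec", m.group(1))),
    (re.compile(r"^authorization commands (\d+) (\S+)$"),
     lambda m: (f"commands {m.group(1)}", m.group(2))),
]


def parse_aaa(config):
    """Return (defined, applied).

    defined: (kind, list name) -> method string, from the global aaa commands
    applied: line name -> {kind: list name}, from the line sub-commands
    """
    defined = {}
    applied = defaultdict(dict)
    current_line = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            current_line = None  # any top-level command ends a line section
            if stripped.startswith("line "):
                current_line = stripped[len("line "):]
                applied[current_line]  # register the line even if it has no sub-commands
                continue
            for pat, key in DEF_PATTERNS:
                m = pat.match(stripped)
                if m:
                    defined[key(m)] = m.group(m.lastindex)
            continue
        if current_line is not None:
            for pat, key in APPLY_PATTERNS:
                m = pat.match(stripped)
                if m:
                    kind, name = key(m)
                    applied[current_line][kind] = name
    return defined, dict(applied)


def lint_aaa(config):
    """Return a list of human-readable findings about unused or missing method lists."""
    defined, applied = parse_aaa(config)
    findings = []
    used = {(kind, name) for lists in applied.values() for kind, name in lists.items()}
    for (kind, name), methods in sorted(defined.items()):
        if name != "default" and (kind, name) not in used:
            findings.append(f"{kind} list '{name}' ({methods}) is defined but not applied to any line; "
                            f"lines fall back to the default {kind} list")
    for line, lists in applied.items():
        for kind, name in lists.items():
            if (kind, name) not in defined:
                findings.append(f"line {line} references undefined {kind} list '{name}'")
        if "login" not in lists:
            findings.append(f"line {line} has no 'login authentication' statement; the default login list applies")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the post's config it reports that the `exec VTY` and `commands 15 VTY` lists are never applied (so vty sessions are authorized by the default lists, which here behave the same apart from the `local` fallback) and that `line aux 0` has no login list. Applying the named lists would mean adding `authorization exec VTY` and `authorization commands 15 VTY` under `line vty 0 4`.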

Step 4: identity group

The identity group is the user database. You can also refer to an LDAP (Active Directory) server to perform authentication, but in my example I am only using the local database.

Step 5: user database

Here you can actually configure the values within the user database.

Step 6: shell profile

The shell profile connects a user to the rights that the user shall have during a telnet/SSH session. In this example we enable the user to be at “privilege level 15” when he successfully logs in.

Step 7: command set

This step allows connecting a set of commands to a specific user. This means, for example, that you can configure a user who is able to do everything on a router except a reload, as you deny the command “reload”.

Step 8: access-service

The access service is a profile name for the configuration of a user with its authorization commands and its administrative rights.

One needs to generate a service selection rule and put it at the top of the list. The selection rule is processed when a user connects to a device and tries to authenticate.
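To make the relation between identity group, access service, shell profile and command set (steps 4 to 8) concrete, here is an added Python model of the evaluation. It is my own simplification for this tutorial, not ACS code or its API: a service selection rule picks the access service by protocol, the service's authorization rules are matched top-down against the user's identity group, the matching rule returns a shell profile (privilege level) and command sets, and each command set permits or denies a command line. The users, groups, profile and command-set names are made up, and the command-set semantics (first matching table row wins, a “permit any command not in the table” option, and “deny always” overriding a permit from another set) are my approximation of ACS 5.x behaviour, stated here as an assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandRule:
    grant: str           # "permit", "deny" or "deny_always"
    command: str         # command keyword, e.g. "reload"
    arguments: str = ""  # regex over the argument string; "" matches any arguments


@dataclass
class CommandSet:
    name: str
    rules: list                    # CommandRule entries, checked in table order (assumed: first match wins)
    permit_unlisted: bool = False  # "Permit any command that is not in the table below"

    def evaluate(self, line):
        """Return 'permit', 'deny' or 'deny_always' for one command line."""
        parts = line.strip().split(None, 1)
        if not parts:
            return "deny"
        cmd, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        for rule in self.rules:
            if rule.command.lower() == cmd and re.fullmatch(rule.arguments or ".*", args):
                return rule.grant
        return "permit" if self.permit_unlisted else "deny"


@dataclass(frozen=True)
class ShellProfile:
    name: str
    priv_lvl: int  # privilege level returned in the exec authorization reply


@dataclass
class AuthorizationRule:
    identity_group: str
    shell_profile: ShellProfile
    command_sets: list


@dataclass
class AccessService:
    name: str
    rules: list  # AuthorizationRule entries, matched top-down; no match means the default DenyAccess


class AcsPolicy:
    """Identity store + service selection rules + access services, evaluated like the steps above."""

    def __init__(self, users, services, selection_rules):
        self.users = users                      # username -> identity group
        self.services = services                # service name -> AccessService
        self.selection_rules = selection_rules  # [(protocol, service name)], top-down

    def _match_rule(self, username, protocol):
        group = self.users.get(username)
        service = next((self.services[s] for p, s in self.selection_rules if p == protocol), None)
        if group is None or service is None:
            return None
        return next((r for r in service.rules if r.identity_group == group), None)

    def exec_authorization(self, username, protocol="tacacs+"):
        """Privilege level for the shell, or None when no rule matches (access denied)."""
        rule = self._match_rule(username, protocol)
        return rule.shell_profile.priv_lvl if rule else None

    def command_authorization(self, username, line, protocol="tacacs+"):
        """True if the command line is permitted for this user (a 'deny_always' in any set wins)."""
        rule = self._match_rule(username, protocol)
        if rule is None:
            return False
        verdicts = [cs.evaluate(line) for cs in rule.command_sets]
        if "deny_always" in verdicts:
            return False
        return "permit" in verdicts


# Constructed sample policy; all names are made up for this example.
PRIV15 = ShellProfile("PRIV15", 15)
PRIV1 = ShellProfile("PRIV1", 1)
NO_RELOAD = CommandSet("NoReload", [CommandRule("deny", "reload")], permit_unlisted=True)
SHOW_ONLY = CommandSet("ShowOnly", [CommandRule("permit", "show"), CommandRule("permit", "exit")])

POLICY = AcsPolicy(
    users={"testuser": "NetworkAdmins", "helpdesk": "Support"},
    services={"DeviceAdmin": AccessService("DeviceAdmin", [
        AuthorizationRule("NetworkAdmins", PRIV15, [NO_RELOAD]),
        AuthorizationRule("Support", PRIV1, [SHOW_ONLY]),
    ])},
    selection_rules=[("tacacs+", "DeviceAdmin")],
)

if __name__ == "__main__":
    for user in ("testuser", "helpdesk", "outsider"):
        print(user, POLICY.exec_authorization(user),
              POLICY.command_authorization(user, "show running-config"),
              POLICY.command_authorization(user, "reload"))
```

The `testuser` case mirrors the post: privilege level 15 from the shell profile and every command permitted except `reload`. The second group shows the opposite style of command set (explicit permits only), and a user in no identity group matches no rule and is denied both the shell and every command.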

Step 9: The test!

Now we can test whether everything we have configured is working.

I try to telnet into my test router and the prompt shows up (take a look at “username” and “Password”: the first letters of the words are not capitals like they were before I configured TACACS authentication. That shows us that the ACS server presents the login prompt, not the router itself).

username: testuser

Looks good!
I hope you are having fun with that little tutorial.

Feel free to comment!


About markus.wirth

Living near Limburg in Germany, working as a Network Engineer around Frankfurt am Main.

16 Responses to installation and configuration of cisco secure acs 5.3 (vmware) – part 5

  1. Jhon says:

    Markus, excellent, thanks. Good post!
    If it's not much trouble, would you teach us to use 802.1x RADIUS.


  2. Hi, I hope you don't forget about part 6: Cisco Secure ACS as a cluster

  3. Indeed… I forgot it 🙂 Will do it later when I've got time… regards!

  4. Al Monte says:

    Hi Markus,

    I'm new in the world of ACS 5.3, but with your posts I can tell you that I'm learning a lot, and I'm also sharing this site with the rest of my friends.
    Now I'm finding a problem that only you or another person can explain to me better. I have created a security group with users from AD to access all devices with the highest privilege, and it's working, but I can see other people that belong to the same AD connecting to devices like routers and switches; of course they can only log in to the devices but cannot do anything, but I would like to find a solution so that only people that belong to the security group can log in to the devices, and the rest of the AD users must be denied.
    Please, what can I do?

    Best Regards
    Al Monte

  5. markus.wirth says:

    That's an interesting scenario. I am almost on vacation but I will take a look into it today or tomorrow if my time allows it. I will keep in touch!

    • Al Monte says:

      Hi Markus,

      Thanks for answering me, I hope that we can solve this issue because it can be a good scenario to secure our company.

      B. Regards
      Al Monte

    • Al Monte says:

      Hi Markus,

      Sorry, but I have one more question to ask you, please.
      Talking about security, ACS 5.3 is one solution for centralization of authentication, but I found one more problem that only you with your expertise can explain to me better.
      For a situation of integrating ACS 5.3 with AD we can have a big problem, I mean a big problem, because when I decided to create a security group to connect or add to ACS 5.3, we can put our LAN in danger, because if I give privilege 15 to this group it can be a serious problem in the future, because the AD is normally administered by another person; it means, if this administrator decides to add one more user to this security group without our permission, it can happen, and our LAN can be attacked by someone that belongs to our company.
      Please, tell me how I can avoid this problem?

      Best Regards
      Al Monte

      • markus.wirth says:

        Sorry, I did not have the time to test it out until now. I am on vacation and I don't have access to an ESX where I can do it in VMware for testing purposes. I will return on Monday!

      • You can add user-specific command sets for each user if I am not wrong. But I think the problem is in your design. You have admins, some of whom are not allowed to configure the network devices?? Because if that's the case you need to differentiate between network admins and server admins. If some of them shall use both, then they are super-admins, for example. Shall the user authentication go via ACS which refers to AD, or ACS only?


  6. Al Monte says:

    Hi Markus,

    Thanks friend, I will wait until you are back; from now until the day you come back, I wish you good holidays.
    My questions are very important to get an answer, because I'm developing a project with ACS 5.3, but I started this development because of your site; it means that your expertise helped me a lot to develop my skills and the project.
    Thanks friend

    Best Regards
    Al Monte

  7. m1979 says:

    Mate, thanks, that is the best guide online. Helped me A LOT!

  8. Jose Ramon says:

    Hi, Markus:
    Congratulations on the article. I've followed it perfectly until the final part of point 8. When I am at the definition of the AUTHORITATION-RULE15, I select status enabled, but in the definition of Compound Condition, after I select Dictionary: Internal Users and Attribute: Useridentitygroup, I click on Operator, but no option appears, so I can't select, and so I finally can't add any condition, so I can't define the rule. Can you help me? Why does it happen to me? The rest of the points, no problem.

    • ww70866 says:

      Hi Markus,

      Thanks a lot for these articles. Yes, I am also having the same issue at the exact step as Jose. Not sure if I missed any steps above; I checked a few times but couldn't find anything I could have missed. Could you please help?

  9. Emmanu71 says:

    So many thanks for these great guidelines!
    I followed step by step and it works for the Admin group.
    In my production environment, I have 2 groups: Admin with full rights (priv. 15) and Support with limited rights (priv 5). When I log in as a support user:
    – it prompts me to exec mode
    – only the local user secret is allowed
    – the privilege is 15 rather than 5
    Could you update this post with those two scenarios?
