This article walks through configuring AAA in Cisco ACS 5.3, using a demo, for an internal user group and for external users integrated with Microsoft Active Directory.
Demo Environment
After an authorized user logs in to the router through ACS, the user can execute “configure terminal” and only the command set under “router”.
Router 1, IP: 1.1.1.1 (uses an internal group)
Router 2, IP: 2.2.2.2 (uses an AD group)
ACS Server, IP: 142.100.64.53
AD domain name: ccievoice.com
Router 1 configuration with AAA:
enable password cisco
!
aaa new-model
!
!
aaa group server tacacs+ 15lab
 server 142.100.64.53
!
aaa authentication login noacs line none
aaa authentication login 15lab-vty group 15lab
aaa authorization config-commands
aaa authorization exec vty group tacacs+
aaa authorization commands 5 15lab-command group 15lab
aaa accounting exec 15lab-acc start-stop group 15lab
aaa accounting commands 0 15lab-acc-cmd start-stop group 15lab
aaa accounting commands 1 15lab-acc-cmd start-stop group 15lab
aaa accounting commands 5 15lab-acc-cmd start-stop group 15lab
!
ip tacacs source-interface Loopback0
!
privilege configure all level 5 router
!
tacacs-server host 142.100.64.53 key cisco
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication noacs
line aux 0
 login authentication noacs
line vty 0
 exec-timeout 0 0
 authorization commands 5 15lab-command
 authorization exec vty
 accounting commands 0 15lab-acc-cmd
 accounting commands 1 15lab-acc-cmd
 accounting commands 5 15lab-acc-cmd
 accounting exec 15lab-acc
 logging synchronous
 login authentication 15lab-vty
line vty 1 4
 authorization commands 5 15lab-command
 authorization exec vty
 accounting commands 0 15lab-acc-cmd
 accounting commands 1 15lab-acc-cmd
 accounting commands 5 15lab-acc-cmd
 accounting exec 15lab-acc
 login authentication 15lab-vty
line vty 5 15
 authorization commands 5 15lab-command
 authorization exec vty
 accounting commands 0 15lab-acc-cmd
 accounting commands 1 15lab-acc-cmd
 accounting commands 5 15lab-acc-cmd
 accounting exec 15lab-acc
 login authentication 15lab-vty
Router 2 configuration with AAA:
NOTE: No accounting is configured yet.
aaa new-model
!
!
aaa group server tacacs+ 15lab
 server 142.100.64.53
aaa authentication login noacs line none
aaa authentication login vty group 15lab
aaa authorization exec vty group 15lab
!
ip tacacs source-interface Loopback0
!
!
tacacs-server host 142.100.64.53 key cisco
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication noacs
line aux 0
 exec-timeout 3600 0
 logging synchronous
 login authentication noacs
line vty 0 4
 authorization exec vty
 login authentication vty
line vty 5 14
 authorization exec vty
 login authentication vty
line vty 15
 authorization exec vty
 login authentication vty
parser view fifteenlab
 secret 5 cisco.
 commands configure include all router
 commands exec include configure terminal
 commands exec include configure
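Both router configs above apply the `noacs` list (`line none`) to the console and aux ports, which falls through to no authentication when no line password is set, and rely on the vty lines carrying `authorization exec`. As an added check that is not part of the original post, this Python audit parses IOS-style AAA config, resolves each line's login method list, and reports those two conditions; the sample config is a constructed excerpt of Router 2's.

```python
import re
# Constructed sample: excerpt of the Router 2 AAA config above, sub-commands indented as IOS prints them.
SAMPLE_CONFIG = """\
aaa group server tacacs+ 15lab
 server 142.100.64.53
aaa authentication login noacs line none
aaa authentication login vty group 15lab
line con 0
 login authentication noacs
line aux 0
 login authentication noacs
line vty 0 4
 authorization exec vty
 login authentication vty
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login <name>' list to its ordered methods."""
    pattern = r"^aaa authentication login (\S+) (.+)$"
    return {m.group(1): m.group(2).split() for m in re.finditer(pattern, config, re.M)}

def parse_lines(config):
    """Return {'con 0': [sub-commands], ...} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Flag lines whose login list can fall through to 'none' and vtys without exec authorization."""
    login_lists = parse_login_lists(config)
    findings = []
    for name, cmds in parse_lines(config).items():
        # A line with no explicit list uses the 'default' login list.
        applied = next((c.split()[-1] for c in cmds
                        if c.startswith("login authentication ")), "default")
        methods = login_lists.get(applied, [])
        if "none" in methods:
            findings.append(f"{name}: login list '{applied}' falls back to none "
                            f"({' '.join(methods)})")
        if name.startswith("vty") and not any(c.startswith("authorization exec") for c in cmds):
            findings.append(f"{name}: no exec authorization applied")
    return findings
```

Run `audit()` over a `show running-config` capture to list the console, aux and vty lines that need attention before the lab configuration is reused anywhere else.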
NDG in ACS:
Router1 and Router2 associations with NDGs
Add an internal user group
Add internal users to the internal group
Create a user in Microsoft Active Directory as an external user of ACS
Integrate AD into ACS
Add the correct group to Directory Groups
Select a sample subject to pick the “sAMAccountName” attribute in the Directory Attributes tab
Sample user for “aduser1”
Define filters for Router1 and Router2
Create the R1 filter
Create the R2 filter
Define Shell Profiles for authorization
The name “aduser1-view” is used for AD users
Set Custom Attributes to select the correct view on the router
“fifteenlab” matches the view name configured in the CLI of Router2:
parser view fifteenlab
 secret 5 cisco.
 commands configure include all router
 commands exec include configure terminal
 commands exec include configure
Add another profile, “level-5”, for internal users:
Set Default Privilege to “5”
Define Command Sets to control which commands internal users are allowed to execute
Define Access Services
Go to Identity of the defined Access Service and configure separate rules for Router1 and Router2
Customize “Device Filter” to provide the option of selecting different devices
Rule-R1 grants the login user access by using Internal Users:
Rule-R2 grants the login user access by using AD:
Define Authorization
“Rule-1” is used for internal users’ authorization
“Rule-2” is used for AD users’ authorization. Note: DenyAllCommands in the Command Sets does not affect anything here.
Create Service Selection Rules
Customize “Protocol” and “NDG:Department” to match Router1 and Router2
Add a rule and select the correct service for it
Test
Proof of concept in Router1
r1#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
(15Lab) username: acsuser1
r1#show privi
r1#show privilege
Current privilege level is 5
r1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#?
Configure commands:
call Configure Call parameters
default Set a command to its defaults
dss Configure dss parameters
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
no Negate a command or set its defaults
router Enable a routing process
r1(config)#router ?
bgp Border Gateway Protocol (BGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
iso-igrp IGRP for OSI networks
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
Proof of concept in Router2
bb#telnet 2.2.2.2
Trying 2.2.2.2 ... Open
(15Lab) username: aduser1
(15Lab) password:
bb>show parser view
Current view is 'fifteenlab'