Cisco Secure Access Control System 5.2 Configuration Example


Table of Contents

1.1.       Cisco ACS 5.2 Appliance Introduction
1.2.       Getting Started Important Notes
1.3.       Initial Configuration
1.4.       Terminal emulation communication software
1.5.       Command Line initial Configuration
1.6.       Accessing the appliance via the GUI
1.7.       Configuring a location for network resources
1.8.       Creating a Test TACACS+ host server
1.9.       Creating External Database of users
1.10.     Creating Cisco ACS 5.2 Access Policy
1.11.     Creating Authorization (Shell) Profiles for different levels of TACACS+ access
1.12.     Service Selection Evaluation Sequence
1.13.     Identity rule evaluation


Cisco ACS 5.2 Appliance Introduction



The Cisco Secure ACS 1121 appliance (Solution Engine) is a robust and scalable solution, and Cisco has taken a completely different approach to designing it. ACS 5.x no longer runs on Windows: the ACS software sits on a hardened Linux base (Cisco ADE-OS), which is what delivers the stability and performance of the solution. The policy model is new as well, so the policy elements required to make the system do anything useful have to be built from scratch, as described in more detail below.

Getting Started Important Notes


Cisco ACS 5.2 comes in two flavours: a VMware virtual machine and an appliance. To read more about that, visit this page.

If your aim is to upgrade or install Cisco ACS 5.2 in VMware you will need to download the Cisco ACS 5.2 image over here. As with most good things from Cisco, this requires a CCO login. An installation and configuration guide for installing Cisco ACS 5.x in VMware can be found here.

After successfully downloading the Cisco ACS 5.2 image you will need a trial or demo licence to start up your appliance or VM. You can find that trial licence on this page and, you guessed it, that also requires a CCO login.

After successfully completing the above steps, proceed with the guide below. If you feel you are lost you can always give us a shout over here.



Initial Configuration



Firstly you will need an RS-232 null modem serial cable, as shown below.




You will also need a computer or laptop with a serial port (or a USB-to-serial adapter) to connect to the Cisco ACS 1121 appliance in order to manage it.



Before you can perform the initial configuration of the ACS appliance you must establish a serial console connection to it, using terminal emulation software (HyperTerminal or equivalent).


Terminal emulation communication software



To establish a serial console connection, set your terminal emulation software to the console port settings of the 1121 appliance: 9600 baud, 8 data bits, no parity, 1 stop bit and no flow control.






Command Line initial Configuration



The initial configuration of the appliance has to be done on the command line interface; the first-boot setup prompt collects the hostname, IP address, netmask, gateway, DNS and admin user, and the resulting running configuration looks like the example below. Values the example leaves blank (domain name, IP address, name server, default gateway) are site specific and must be supplied. Two things deserve attention before the appliance goes onto a production network: the admin user line carries an MD5-crypt password hash, so set your own password rather than reusing one from any published example, and a minimum password length of 6 is weak by current standards, so raise it. CDP on the management interface is convenient for discovery but also advertises the appliance to anything on that segment; remove it if the management network is shared.



! management identity; ip domain-name needs the site DNS domain
hostname ACS-SERVER
ip domain-name
! management interface; ip address takes the address followed by the netmask
interface GigabitEthernet 0
ip address
! the name server must be able to resolve the AD domain for the join later in this guide
ip name-server
ip default-gateway
clock timezone UTC
! MD5-crypt hash taken from this example: set your own admin password instead
! (username cisco password plain <your-password> role admin) and never reuse a published hash
username cisco password hash $1$BHnpbkaB$hqithhU2AhP6f0SIgOYng0 role admin
service sshd

! 6 is weak; raise the minimum password length for CLI admin accounts
min-password-length 6
logging localhost
logging loglevel 6
! CDP advertises the appliance on the management segment; drop these lines if not needed
cdp timer 60
cdp holdtime 180
cdp run GigabitEthernet 0



Accessing the appliance via the GUI


Once that is complete, a GUI connection to the Cisco ACS appliance can be established at https://<acs-ip-address>/. The first login uses the built-in administrator account (acsadmin, initial password "default"), which you are prompted to change. The appliance presents a self-signed certificate until you install one from your own CA, so expect a browser warning until then.








Configuring a location for network resources


Upon login, configure a network device group for the ACS server's network, typically a Location (a geographic site) and/or a Device Type. The test device created in the next step is assigned to this group, and the group can later be matched as a condition in the access policy rules.







Creating a Test TACACS+ host server


The section below creates a test TACACS+ client (a network device) that will use the ACS 5.2 server, for the purpose of testing your installation. The shared secret entered here must match the one configured on the device; treat it like a password, since it is the only thing protecting the TACACS+ exchange on the wire.





The screen below expands on the details of the test TACACS+ device. It can be any device that supports TACACS+.




If you are struggling to complete the device side of the installation, please look at our TACACS+ templates over here.
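If no network device is to hand, the installation can be tested from a workstation instead. The script below is an added example written for this page (it is not code from the original article or from Cisco): it builds a TACACS+ (RFC 8907) authentication START packet for a PAP login, applies the MD5 pseudo-pad obfuscation with the shared secret, and decodes the server's REPLY. The shared secret, session id, user, port and remote address are constructed placeholders; supply your own. The offline checks exercise packet building and the pad; the network call at the bottom needs a reachable ACS, whose address you pass on the command line.

```python
"""Minimal TACACS+ (RFC 8907) PAP login tester for checking an ACS installation.
Added example for this page; the secret, session id and addresses are constructed."""
import hashlib
import os
import socket
import struct

# Constructed sample values: replace with your ACS address, shared secret and a test user.
SAMPLE_KEY = b"testing123"
SAMPLE_SESSION_ID = 0x1234ABCD

TAC_PLUS_AUTHEN = 1          # packet type
VERSION_PAP = 0xC1           # major 0xC, minor 1 (minor version 1 is required for PAP)
ACTION_LOGIN = 1
AUTHEN_TYPE_PAP = 2
SERVICE_LOGIN = 1
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1), concatenated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call de-obfuscates a reply."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, port="tty0", rem_addr="192.0.2.10", priv_lvl=1):
    """Authentication START body for a PAP login (the password travels in the data field)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, SERVICE_LOGIN,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body, session_id, key, version=VERSION_PAP, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """12-byte header (flags=0 means the body is obfuscated) followed by the obfuscated body."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_header(packet):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def parse_authen_reply(packet, key):
    """Return (status name, server_msg). A wrong shared secret does not raise an
    error: the body just decodes to garbage, which is why the status is inspected."""
    h = parse_header(packet)
    body = packet[12:12 + h["length"]]
    if not h["flags"] & 0x01:                     # TAC_PLUS_UNENCRYPTED_FLAG not set
        body = obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode("ascii", "replace")
    return STATUS_NAMES.get(status, "UNKNOWN(%d)" % status), server_msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TACACS+ server closed the connection")
        buf += chunk
    return buf


def tacacs_pap_login(host, key, user, password, timeout=5.0):
    """Send one PAP login to the ACS on TCP/49 and return (status, server_msg).
    Network call against a real server; not exercised by the offline checks."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, 49), timeout=timeout) as sock:
        sock.sendall(build_packet(build_authen_start(user, password), session_id, key))
        header = _recv_exact(sock, 12)
        body = _recv_exact(sock, parse_header(header)["length"])
    return parse_authen_reply(header + body, key)


if __name__ == "__main__":
    import sys
    acs_host, secret, login_user, login_password = sys.argv[1:5]
    print(tacacs_pap_login(acs_host, secret.encode(), login_user, login_password))
```

A PASS with the correct secret and a garbage status with a wrong one is the expected behaviour: TACACS+ obfuscation has no integrity check, so a secret mismatch shows up as nonsense rather than as an error, which is also why the shared secret deserves the same handling as a password.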



Creating External Database of users


Once the above steps are done, an external identity store can be created in order to plug in to an existing user directory, typically a Microsoft Active Directory domain.


A few important notes when connecting to Microsoft Active Directory:

Cisco dropped the agent that plugged into the Microsoft directory in previous releases (the ACS 4.x remote agent) in favour of a more direct and robust method: the ACS joins the domain itself.

The DNS server configured on the ACS must be one used by the AD domain, since the join relies on the domain's DNS records. Make sure you can ping the domain name (local.domain) from the CLI before you proceed.

Don't forget that the username used to join the domain must have domain administrator privileges. Use a dedicated account for the join rather than a personal administrator account, so the credential can be retired afterwards.

Bear in mind that NTP must be used, or the two clocks must otherwise be kept within the Kerberos clock-skew tolerance (5 minutes by default on Windows domains); otherwise you will get a clock skew error between the ACS server and the domain controller being queried.

When the changes are saved the ACS is added as a computer account in AD. That is normal, as it needs the machine account to authenticate its own queries.


The commands below will help you configure the correct time zone, clock and NTP server. Remember that you need to configure the time zone correctly for the clocks of the ACS server and the AD to line up. For a full listing of the available time zones consult the Cisco documentation or issue the command show timezones on the CLI of the Cisco ACS appliance; show timezone (singular) displays the one currently set. Note that clock set is an EXEC command for setting the time by hand, whereas clock timezone and ntp server are entered in configuration mode. Set the time zone first, then point the appliance at an NTP server (ideally the same source the domain controllers use), and only set the clock manually when no NTP server is reachable.

clock set Jan 4 05:05:05 2011
clock timezone Africa/Johannesburg
ntp server




Creating Cisco ACS 5.2 Access Policy


Once the ACS has successfully joined the domain, retrieve the existing domain groups and add the appropriate ones to the list (the Directory Groups tab of the AD identity store), so that you can refer to them later when building the access policy.




Creating Authorization (Shell) Profiles for different levels of TACACS+ access


After that, a shell profile (the authorization profile used for device administration) is needed in order to differentiate the level of access for system administrators and normal users. Below is a maximum-privilege profile (privilege level 15) that will be used later on in the TACACS+ device administration policy. The profile itself grants nothing until an authorization rule assigns it, so keep a separate read-only profile (privilege level 1) for everyone who does not need full control.







Service Selection Evaluation Sequence



As mentioned previously, the Cisco ACS approach to providing services has been thoroughly redesigned. It now resembles a firewall rule set: a request is evaluated top-down against ordered rules, the first rule that matches wins, and the result of that rule decides what happens next, with matching done on the protocol type as well as on identity and the device-administration privilege profile.

In the page above, service selection is evaluated according to the protocol type, RADIUS or TACACS+. According to the result a specific access service is selected, and that service's identity and authorization policies determine the profile assigned to the user.

So in the example above, TACACS+ (the protocol generally used on Cisco devices to deliver authentication with different privilege levels and shell profiles) is evaluated first, and as a result of that rule the Default Device Admin access service is used to grant that specific access. If the requesting device is not using TACACS+, the next rule is tried, in this case the RADIUS rule. A request that matches no rule falls through to the default rule, so check what that default does before exposing the server to production devices.



Identity rule evaluation



The screenshot below shows the identity rules being evaluated in order of appearance, before the type of access and privilege level assigned to the user is selected.







The screenshot below is an expansion of the identity policy, identifying who the users are (which identity store, here Active Directory, authenticates them) and what these users will be able to access using the TACACS+ protocol.






The rule below identifies a couple of user groups belonging to the Active Directory external identity store and assigns them the full-privilege shell profile, so that they are able to administer the TACACS+ devices. Because rules are evaluated top-down, the rules for the most privileged groups must sit above any broader rule (for example one that gives all domain users a read-only profile), or the broader rule will shadow them.
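To make the first-match semantics of the service selection and authorization policies concrete, the following is an added example written for this page (not code from the original article or from ACS itself). It models the two layers the screenshots describe: service selection on protocol, then the selected service's authorization rules on AD group membership and device location, ending in a shell profile or a deny. The group names (ACS-NetAdmins, ACS-Helpdesk), the Johannesburg location and the profile names are constructed; the misordered rule set at the end shows how a broad catch-all placed above the admin rule silently downgrades administrators.

```python
"""First-match policy evaluation as ACS 5.x does it: service selection, then the
selected service's authorization rules, with the ordering pitfall shown.
Added example; the group names, locations and profiles are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed shell profiles; the priv_lvl maps to the shell profile's maximum privilege.
SHELL_FULL = {"name": "Full-Privilege", "priv_lvl": 15}
SHELL_READONLY = {"name": "ReadOnly", "priv_lvl": 1}
DENY = {"name": "DenyAccess", "priv_lvl": None}


@dataclass(frozen=True)
class Request:
    protocol: str            # "TACACS+" or "RADIUS": what service selection matches on
    device_location: str     # network device group (Location) of the requesting device
    user: str
    ad_groups: frozenset     # groups returned for the user by the AD identity store


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: object


def first_match(rules: List[Rule], req: Request, default):
    """Top-down evaluation: the first rule whose condition holds wins, else the default."""
    for rule in rules:
        if rule.condition(req):
            return rule.name, rule.result
    return "Default", default


# Service selection as on the page: TACACS+ -> device admin, RADIUS -> network access.
SERVICE_SELECTION = [
    Rule("Match TACACS+", lambda r: r.protocol == "TACACS+", "Default Device Admin"),
    Rule("Match RADIUS", lambda r: r.protocol == "RADIUS", "Default Network Access"),
]

# Authorization rules of the device-admin service, most privileged first. The admin
# rule is a compound condition: group membership AND the device's location group.
DEVICE_ADMIN_AUTHZ = [
    Rule("Network admins",
         lambda r: "ACS-NetAdmins" in r.ad_groups and r.device_location == "Johannesburg",
         SHELL_FULL),
    Rule("Helpdesk read-only", lambda r: "ACS-Helpdesk" in r.ad_groups, SHELL_READONLY),
]

# The same rules with a broad catch-all placed first: it shadows the admin rule.
MISORDERED_AUTHZ = [
    Rule("Any domain user", lambda r: "Domain Users" in r.ad_groups, SHELL_READONLY),
] + DEVICE_ADMIN_AUTHZ

SERVICES: Dict[str, List[Rule]] = {"Default Device Admin": DEVICE_ADMIN_AUTHZ}


def evaluate(req: Request, services: Dict[str, List[Rule]] = SERVICES) -> dict:
    """Run service selection, then the selected service's authorization policy.
    Only the device-admin service is modelled; any other service denies here."""
    sel_rule, service = first_match(SERVICE_SELECTION, req, None)
    if service not in services:
        return {"service": service, "service_rule": sel_rule, "authz_rule": None, "profile": DENY}
    az_rule, profile = first_match(services[service], req, DENY)
    return {"service": service, "service_rule": sel_rule, "authz_rule": az_rule, "profile": profile}


def make_request(user, groups, protocol="TACACS+", location="Johannesburg"):
    """Constructed request; "Domain Users" is always present, as for any AD account."""
    return Request(protocol, location, user, frozenset(groups) | {"Domain Users"})


if __name__ == "__main__":
    for name, groups in [("alice", ["ACS-NetAdmins"]), ("bob", ["ACS-Helpdesk"]), ("carol", [])]:
        res = evaluate(make_request(name, groups))
        print(name, res["service"], res["authz_rule"], res["profile"]["name"])
    shadowed = evaluate(make_request("alice", ["ACS-NetAdmins"]),
                        {"Default Device Admin": MISORDERED_AUTHZ})
    print("alice with misordered rules:", shadowed["authz_rule"], shadowed["profile"]["name"])
```

The default result of the authorization policy is a deny, which is the safe choice; a user in both groups gets the admin profile only because that rule is listed first, and an admin connecting to a device outside the Johannesburg location group falls through to the deny, which is the behaviour you want to see when you review rule order after adding a new rule.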




And that completes the basic setup of the Cisco ACS appliance.







Similar documents for configuring different parameters of the ACS 5.2 appliance can be found below.


  1. Cisco ACS 5.2 Virtual Machine VMware Workstation Installation Guide
  2. Cisco ACS 5.2 Role-Based Authentication and Authorization for Different Privilege Levels Configuration Example
  3. Cisco ACS 5.2 Interesting Configurations
  4. Cisco ACS 5.2 802.1X Authentication and Multi-Domain Authentication Configuration Example
  5. Cisco TACACS+ switch template configuration example
  6. Cisco TACACS+ firewall template configuration example


