Cisco ACS 4.2 Solution Engine Configuration Example

Cisco Secure Access Control System


Cisco Secure ACS Solution Engine (ACS SE) is a highly scalable, rack-mounted, dedicated platform that serves as a high-performance access control server supporting centralized Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+). ACS SE controls the authentication, authorization, and accounting (AAA) of users accessing resources through the network. You use ACS SE to control who can access the network, to authorize what types of network services are available for particular users or groups of users, and to keep an accounting record of all user actions in the network. In addition, you can use the same AAA framework, via TACACS+, to manage administrative roles and groups and to control how network administrators change, access, and configure the network internally.

Initial Configuration


 

First you will need an RS232 null modem cable, as shown below.

[Image: RS232 null modem cable]

 

You will need a computer or laptop with a serial port in order to connect to and manage the Cisco ACS 1113 appliance.

[Image: serial connection to the ACS 1113 appliance]

Before you can perform the initial configuration of ACS SE, you must establish a serial console connection to it using terminal emulation software (HyperTerminal or equivalent).

 

Terminal Emulation Settings


To establish a serial console connection, set your terminal emulation software to operate with the following settings:

[Image: terminal emulation settings]

 

Initial Configuration


The screenshots below show the inputs the system prompts for, namely hostname, IP address, administrator passwords, etc.

Power on the appliance. After the startup messages appear, the following is displayed:

Result: The login: prompt appears.

1.  At the login: prompt, type Administrator and then press Enter.

2. At the password: prompt, type setup and press Enter.

3. At the ACS Appliance name [deliverance1]: prompt, type the name that you intend to use for your ACS SE, and then press Enter.

           acsse_adm

4. At the DNS domain [ ]: prompt, type the domain name. Then press Enter.

           test.co.za

5. At the Enter new account name: prompt, type the ACS SE administrator account name, and then press Enter.

           acsse_adm

6. At the Enter new password: prompt, type the new ACS SE password and press Enter.

           xxxxxxxxxxxxxxxxxxxxx

Note: The new password must contain a minimum of 6 characters and include a mix of at least three character types (uppercase letters, lowercase letters, digits, and special characters). Failure to follow this standard results in a ‘password not set’ prompt.

7.  The following prompt appears for the new database password:

xxxxxxxxxxxxxxxxx

8. At the Enter new password again: prompt, type the new database password, and then press Enter.

           xxxxxxxxxxxxxxxxx

9. At the Use Static IP Address [Yes]: prompt, type Y for yes or N for No, and then press Enter.

The following prompts appear only if you set a static IP address manually.

a. To specify the ACS SE IP address, at the IP Address [xx.xx.xx.xx]: prompt, type the IP address,  and then press Enter.

           IP Address: 172.20.12.68

b. At the Subnet Mask [xx.xx.xx.xx]: prompt, type the subnet mask value, and then press Enter.

           Subnet Mask: 255.255.255.240

c. At the Default Gateway [xx.xx.xx.xx]: prompt, type the default gateway value, and then press Enter.

           Default Gateway: 172.20.12.65

d. At the DNS Servers [xx.xx.xx.xx]: prompt, type the address of any DNS servers that you intend to use (separate each by a single space), and then press Enter.

           DNS Server: 10.33.0.5

10. At the Confirm the changes? [Yes]: prompt, type Y, and then press Enter.

11. The appliance then prompts the administrator for network testing; type Y to enable network testing, and then press Enter.

12. At the next prompt, Enter hostname or IP address (destination address to test connectivity to):, type the IP address or hostname of a device connected to the ACS SE, and then press Enter.

           IP Address: 172.20.12.68

If network connectivity is validated in the previous two steps, at the Test network connectivity [Yes]: prompt, type N, and then press Enter. If the settings appear correctly, at the Accept network setting [Yes]: prompt, type Y, and then press Enter.

13. To set the time and date of the ACS SE, at the Change Date & Time Setting [N]: prompt, type Y, and then press Enter.

14. At the Enter desired time zone index (0 for more choices): prompt, type the index number of the time zone that you want, and then press Enter.

           GMT (+2)

15. At the Synchronize with NTP server? [N]: prompt, press Enter to select the default value.

16. At the Enter date [mm/dd/yyyy]: prompt, type the date in the given format, and then press Enter.

           10/10/2008

17. At the Enter time [hh:mm:ss]: prompt, type the current time in the given format, and then press Enter.

           15:48:02

Result: The system displays the following message on the console:

Initial configuration is successful. Appliance will now reboot.

The system then reboots.
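As an added example (not Cisco's code and not part of the original walkthrough), the following Python script checks the values you are about to type at the setup prompts: the password rule from the note under step 6, and whether the static IP address, subnet mask and default gateway from step 9 are consistent with each other. The sample values are the ones used above; the password is a constructed stand-in.

```python
"""Pre-flight checks for the values typed during ACS SE initial setup.

Added example; not Cisco's code. It encodes two rules from the procedure:
the password policy from the note in step 6 (at least 6 characters and at
least three of the four character classes) and sanity checks on the static
IP settings from step 9 (valid contiguous mask, gateway inside the
appliance's subnet and distinct from the appliance address).
"""
import ipaddress
import string


def password_meets_policy(pw: str) -> bool:
    """True if pw satisfies the ACS SE rule: >= 6 chars and at least three
    of uppercase, lowercase, digit and special character."""
    if len(pw) < 6:
        return False
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(classes) >= 3


def check_static_ip(ip: str, mask: str, gateway: str) -> list:
    """Return a list of problems with the static IP settings; empty means OK."""
    try:
        # IPv4Interface accepts a dotted mask and rejects non-contiguous ones.
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid address, mask or gateway: {exc}"]
    net = iface.network
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside the appliance subnet {net}")
    if gw == iface.ip:
        problems.append("gateway is the same as the appliance address")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    return problems


if __name__ == "__main__":
    # Values from the walkthrough; the password is a constructed stand-in.
    print(password_meets_policy("Acs-Se2008"))                              # True
    print(password_meets_policy("acssetup"))                                # False
    print(check_static_ip("172.20.12.68", "255.255.255.240", "172.20.12.65"))  # []
    print(check_static_ip("172.20.12.68", "255.255.255.240", "172.20.12.81"))
```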

Administration of the appliance can now be done from a browser by connecting to the ACS SE web interface, as shown here: http://172.20.12.68:2002

 

 

 

Network Configuration


 

The Network Configuration tab allows you to add devices that require AAA authentication via TACACS+. The appearance of the page that you see when you click Network Configuration differs according to the Network Configuration selections that you made in the Interface Configuration section. The tables that might appear in this section are:

  • AAA Clients—This table lists each AAA client that is configured on the network, together with its IP address and associated protocol. If you are using NDGs, this table does not appear on the initial page, but is accessed through the Network Device Groups table.

  • AAA Servers—This table lists each AAA server that is configured on the network, together with its IP address and associated type. If you are using NDGs, this table does not appear on the initial page, but is accessed through the Network Device Groups table.

  • Network Device Groups—This table lists the name of each NDG that has been configured, and the number of AAA clients and AAA servers that are assigned to each NDG. If you are using NDGs, the AAA Clients table and AAA Servers table do not appear on the opening page.

The term “AAA client” is used comprehensively to signify the device through which service access is attempted. This is the RADIUS or TACACS+ client device, and may comprise Network Access Servers (NASs), PIX Firewalls, routers, or any other RADIUS or TACACS+ hardware or software client.

AAA client configurations enable ACS to interact with the network devices that the configuration represents. A network device that does not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, does not receive AAA services from ACS.

The Add AAA Client and AAA Client Setup pages include:

  • AAA Client Hostname—The name that you assign to the AAA client configuration. Each AAA client configuration can represent multiple network devices; thus, the AAA client hostname configured in ACS is not required to match the hostname configured on a network device.

  • AAA Client IP Address—At a minimum, a single IP address of the AAA client. In each IP address that you specify, you have three options for each octet in the address: the full octet value, a numeric range, or a wildcard mask.

  • Key—The shared secret of the AAA client. The maximum length for the AAA client key is 32 characters. For correct operation, the key must be identical on the AAA client and ACS. Keys are case sensitive. If the shared secret does not match, ACS discards all packets from the network device.

  • Network Device Group—The name of the NDG to which this AAA client should belong. To make the AAA client independent of NDGs, use the Not Assigned selection.

  • Authenticate Using—The AAA protocol to use for communications with the AAA client. The Authenticate Using list includes Cisco IOS TACACS+ and several vendor-specific implementations of RADIUS. For this example, select TACACS+ (Cisco IOS).
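The per-octet address patterns described under AAA Client IP Address, as an added Python example that is not Cisco's code. It assumes the ACS 4.x pattern syntax of a literal octet, a `lo-hi` range, or a `*` wildcard per octet (confirm against your version), and uses it to list which existing AAA client entries already cover a device before you add another one, since a device matched by an entry with a different shared key simply has its packets discarded. The client table is constructed for the example.

```python
"""Match a device address against ACS AAA client address patterns.

Added example; not Cisco's code. Pattern syntax assumed from the ACS 4.x
AAA client setup: each octet is a literal value, a numeric range such as
1-15, or the * wildcard. Used here to find entries that already cover a
device, which is worth knowing before adding one with a different key.
"""


def _octet_matches(pattern: str, value: int) -> bool:
    """Match one pattern octet (literal, lo-hi range or *) against a value."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(part) for part in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value


def client_matches(pattern: str, address: str) -> bool:
    """True if the dotted-quad address is covered by the AAA client pattern."""
    pattern_octets = pattern.split(".")
    address_octets = [int(o) for o in address.split(".")]
    if len(pattern_octets) != 4 or len(address_octets) != 4:
        raise ValueError("pattern and address must both have four octets")
    return all(_octet_matches(p, v) for p, v in zip(pattern_octets, address_octets))


def overlapping_clients(entries: dict, address: str) -> list:
    """Names of AAA client entries (hostname -> pattern) whose pattern covers
    the address. More than one name means the device is already represented
    by an entry, possibly with a different shared key."""
    return [name for name, pat in entries.items() if client_matches(pat, address)]


# Constructed sample AAA client table: AAA Client Hostname -> IP address pattern.
SAMPLE_CLIENTS = {
    "core-switches": "172.20.12.1-15",
    "branch-routers": "10.33.*.*",
    "edge-fw": "172.20.12.14",
}

if __name__ == "__main__":
    print(overlapping_clients(SAMPLE_CLIENTS, "172.20.12.14"))  # ['core-switches', 'edge-fw']
    print(overlapping_clients(SAMPLE_CLIENTS, "172.20.12.68"))  # []
```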

Group Setup


 

A user can only belong to one group in ACS. The user inherits the attributes and operations that are assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings that you configure at the group level. By default, users are assigned to the Default Group. Users who authenticate via the Unknown User method and who are not mapped to an existing ACS group are also assigned to the Default Group. Alternatively, you can choose not to map a user to a particular group, but instead to have the group mapped by an external authenticator.

To Create a new Group:

1. Select Group Setup

2. Add new group – specify new group name, namely Security

3. Use the default settings except for the Enable option: select Max Privilege for any AAA Client.

User Setup


 

1. Select User Setup

2. Add new user – specify new username, Submit

 

And that completes the basic setup of the Cisco ACS appliance.

 

Recommended Reading


 

  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens

 
