Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Transcription

1 LiveAction Application Note Using LiveAction with Cisco Secure ACS (TACACS+ Server) September

2 Table of Contents 1. Introduction Cisco Router Configuration Cisco ACS TACACS+ Configuration... 3 Cisco Secure ACS Network Device Configuration... 3 Define User Privileges for Administration and Monitor Level Access... 5 Create Admin and Monitor User Group... 7 Create Users Verify LiveAction Connectivity and Operation Appendix... 10

3 1. Introduction As networks begin to grow in size, the issue of maintaining user credentials on every device in the network can become a very overwhelming problem. Network designers and administrators quickly recognized the need for a centralized user management system for these network devices. Two primary protocols are used in Cisco networking devices to enable this capability: Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller Access-Control System Plus (TACACS+) RADIUS and TACACS+ both have unique capabilities and benefits as authentication protocols. TACACS+ runs over TCP and tends to be more reliable while RADIUS runs over UDP and is less chatty. Refer to the Cisco document TACACS+ and RADIUS Comparison for more details on the differences between these two protocols. Discussed below are the procedures and methods required for setting up the Cisco Secure ACS TACACS+ feature to interoperate with network devices being controlled or monitored with LiveAction. The LiveAction software logs into Cisco devices using username and password credentials provided by the user. As these credentials can relate to different permission levels in on the TACACS+ server, it is important to understand what is and is not required. Both administration-level and monitor-only authorization setups are covered below. This application note will cover the following topics: Cisco router configuration to support authentication with a Cisco Secure ACS TACACS+ server. Cisco Secure ACS TACACS+ configuration Verify operation in LiveAction 1

4 2. Cisco Router Configuration Cisco devices require individual configuration to support TACACS+ for user authentication. While this configuration is required on each device in the network, it only needs to be setup once for all users that will be logging into the device in the future. In the configuration, the aaa command-set is used. AAA refers to Authentication, Authorization and Accounting. A sample configuration is shown below to allow the following functions: 1. Default authentication is set to use the TACACS+ server for all forms of connection (console, telnet/ssh, and terminal lines). 2. If the TACACS+ server is unavailable for any reason, use the local account setting on the router to allow login. This can be useful if the network connection to the TACACS+ server is lost or the server itself goes down. Cisco IOS Command Description aaa new-model aaa authentication login vtymethod group tacacs+ enable aaa authentication login conmethod group tacacs+ enable aaa authorization commands 1 default group tacacs+ none aaa authorization commands 15 default group tacacs+ none! aaa session-id common Instructs the router to use the newer AAA command-set. Specifies that TACACS+ should be used for Console and Telnet/SSH connections Allows access using the locally configured accounts if a TACACS+ server is not available tacacs-server host tacacs-server directed-request tacacs-server key <shared secret key> line con 0 exec-timeout 0 0 password <console password> logging synchronous login authentication conmethod line vty 0 4 exec-timeout 0 0 privilege level 15 password <telnet/ssh password> login authentication vtymethod terminal-type monitor transport input telnet ssh! End Specify TACACS+ server IP and shared secret key. The key must match the value configured in Cisco ACS. Assigns conmethod and vtymethod authentication to console connections and vty (remote) sessions respectively. 2

5 3. Cisco ACS TACACS+ Configuration: There are many TACACS+ servers available to allow authentication from the router. The most commonly used server and the one that will be covered in this document is the Cisco Secure ACS server. This server can perform many additional tasks related to user management such as Active Directory and LDAP synchronization. This server can also be used for wireless authentication or in conjunction with Cisco s Network Admission Control (NAC) architecture. There are also several free TACACS+ servers available via the open source community. The setup process will be very similar on those platforms as well. Cisco Secure ACS Network Device Configuration Configure the TACACS+ server to operate with a properly configured router on the network. In Cisco Secure ACS, this can be performed by adding a network device as shown in Figure 1. Figure 1 Add Network Device to Cisco Secure ACS 3

6 Clicking the Add Entry button shown in Figure 1 will allow a new network device to be added to the Cisco Secure ACS system. Configuring this device is shown in Figure 2. Figure 2 Adding Network Devices to Cisco Secure ACS The IP address of the device as well as the TACACS+ shared secret key are configured on this device and must match the configuration on the router. In general, it is a good idea to use a loopback address on the router as the management interface. The loopback address is always up and will be accessible given a stable network path to the device. Some routers may have multiple connections for redundancy or load balancing that might not always be in an operational state. 4

7 Define user privileges for administration and monitor level access Two separate user roles need to be configured to allow for separate administrative and monitor access. Cisco Secure ACS provides a highly flexible authorization mechanism that can define exactly which commands are allowed and disallowed per user. The first role to be configured is the administrator user. Figure 3 Shared Profile Components Click the Shared Profile Components button on the left side of the screen, followed by clicking the Shell Command Authorization Sets link. On the window that displays, add a new Authorization set for the admin user. On the screen that follows, configure rules to permit all level 15 commands as shown in Figure 4. Figure 4 Administrator User Configuration 5

8 Repeat this task to configure Monitor-Only access. For this level of access, a customized list of allowed commands will be entered. Below is a table of the configuration that is required for Monitor-Only level access on Cisco Secure ACS Server. Appendix 1 details how each command is used by LiveAction: Command List Textbox: Argument List Textbox (right of command list) login show <none> permit running-config permit privilege permit startup-config permit policy-map interface permit interface permit ip nbar port-map permit ip sla permit ip route permit ip flow export permit ip flow top-talkers terminal permit length 0 permit width 0 Table 1 Allowed Commands for Monitor-Only Level Access Figure 5 displays an example configuration of the shell authorization commands configuration for monitor-only access. Figure 5 Monitor-Only Shell Command Configuration 6

9 Create Admin and Monitor User Group Once the shell command settings are configured, a user group is needed to associate the access rights to the users. A group is needed for the administrator user as well as the monitor-only users. Click Group Setup on the left side of the screen and select a group from the pull-down. For this example, the group Group2 has been renamed to Admin1. Rename one of the other groups to be used for monitoring. Once this is selected, click Edit Settings as shown in Figure 6. Figure 6 Admin Group Setup In the screen that appears, select the button for Assign a Shell Command Authorization Set for any network device. From the pull-down, select the Admin authorization set. Click Submit, and then perform this task again for the monitor-only group, selecting the Monitor Authorization set. Once you have finished selecting the authorization set, click Submit + Restart at the bottom of the page. Figure 7 - Admin Group Setup Details 7

10 Creating Users Once the Authorization sets and groups are creating, the actual user accounts can be created as well. Cisco Secure ACS has the capability to synchronize users from Active Directory and LDAP sources. For this example, we will create an individual account locally. For more information on LDAP configuration, reference the Cisco configuration guide on the topic. These links can be found in the end of this document. To create a new user, click the User Setup tab on the left, then type in the name of the user that will have administrative privileges. For this example, the username Admin will be used as shown in Figure 8: Figure 8 Admin User Setup In the screen that follows, select the admin1 group created in step 3.3 for this user in the group pull-down at the bottom of the page. If you are using external authentication, that can be entered as well. For this example, the local database will be used for authentication. The details of this configuration are shown in Figure 9. Figure 9 User Configuration Details Perform this task again for the monitor-only user. After both users have been configured, the system is now configured to authenticate users on the router with 2 levels of access. This will allow LiveAction to send the commands required for monitoring or full administrative capabilities. 8

11 4. Verify LiveAction Connectivity and Operation To verify the configuration of the Cisco router and Cisco Secure ACS, simply add the router of interest to LiveAction by going to File Discover Devices shown in Figure 10. Figure 10 Add a New Device in LiveAction Follow the wizard that appears using the administrator user for full configuration or the monitor user for monitor-only. Note that CISCO ASA devices cannot be configured using Add Device. The device must be discovered instead. Enter the IP address and settings for the device in the Device Discovery dialog to add it to LiveAction. Figure 11 Device Discovery Using TACACS+ for authentication with Cisco Secure ACS allows organizations to centralize user management for routers. As LiveAction requires level 15 user access to perform its functions, ensuring the correct authorizations is critical to LiveAction s functionality. For more information on Cisco Secure ACS, visit the documentation shown in the appendix. 9

12 5. Appendix 5.1 LiveAction Commands Required for Monitor-only access Cisco Command terminal length 0 terminal width 0 enable show privilege show running-config show ip sla show ip nbar port-map show ip flow top-talkers show ip flow export show interface Reason for use with LiveAction Outputs the full response of the show commands at one time. Doesn t require the need to press the spacebar to continue. Prevents Line wraps. Switch to privileged mode (Note: TACACS+ typically logs the user in as Level15 at the privilege prompt.) Determine what privilege mode the application is in. Retrieves the running configuration. Determines if the device supports IPSLA and which configuration mode it uses (i.e. ip sla or ip sla monitor). Retrieves the list of port mappings. Checks if NetFlow MIB is supported. Checks if NetFlow collector is supported. Used to gather detailed interface information and statistics. The switchport option is used to determine which ports belong to which Vlan and what mode the ports are in (i.e. access or trunk). show ip route begin Gateway show policy-map interface Retrieve the route table without the code legend. Used to associate QoS policies to interfaces and get statistics. Documentation Links: Cisco Secure ACS Configuration Guide: Configure a Cisco Router with TACACS+ Authentication: User Guide for Cisco Secure ACS: Copyright 2012 ActionPacked! Networks. All rights reserved. ActionPacked!, the ActionPacked! logo and LiveAction are trademarks of ActionPacked! Networks. Other company and product names are the trademarks of their respective companies. ActionPacked! Networks 155 Kapalulu Place, Suite 222 Honolulu, HI