LiveAction Application Note
Using LiveAction with Cisco Secure ACS (TACACS+ Server)
September 2012
http://www.actionpacked.com
Table of Contents
1. Introduction ... 1
2. Cisco Router Configuration ... 2
3. Cisco ACS TACACS+ Configuration ... 3
   Cisco Secure ACS Network Device Configuration ... 3
   Define User Privileges for Administration and Monitor Level Access ... 5
   Create Admin and Monitor User Group ... 7
   Create Users ... 8
4. Verify LiveAction Connectivity and Operation ... 9
5. Appendix ... 10
1. Introduction

As networks begin to grow in size, the issue of maintaining user credentials on every device in the network can become a very overwhelming problem. Network designers and administrators quickly recognized the need for a centralized user management system for these network devices. Two primary protocols are used in Cisco networking devices to enable this capability:
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access-Control System Plus (TACACS+)

RADIUS and TACACS+ both have unique capabilities and benefits as authentication protocols. TACACS+ runs over TCP and tends to be more reliable, while RADIUS runs over UDP and is less chatty. Refer to the Cisco document TACACS+ and RADIUS Comparison for more details on the differences between these two protocols.

Discussed below are the procedures and methods required for setting up the Cisco Secure ACS TACACS+ feature to interoperate with network devices being controlled or monitored with LiveAction. The LiveAction software logs into Cisco devices using username and password credentials provided by the user. As these credentials can relate to different permission levels on the TACACS+ server, it is important to understand what is and is not required. Both administration-level and monitor-only authorization setups are covered below.

This application note will cover the following topics:
- Cisco router configuration to support authentication with a Cisco Secure ACS TACACS+ server
- Cisco Secure ACS TACACS+ configuration
- Verify operation in LiveAction

http://www.actionpacked.com 1
2. Cisco Router Configuration

Cisco devices require individual configuration to support TACACS+ for user authentication. While this configuration is required on each device in the network, it only needs to be set up once for all users that will be logging into the device in the future. In the configuration, the aaa command-set is used. AAA refers to Authentication, Authorization and Accounting.

A sample configuration is shown below to allow the following functions:
1. Default authentication is set to use the TACACS+ server for all forms of connection (console, telnet/ssh, and terminal lines).
2. If the TACACS+ server is unavailable for any reason, use the local account setting on the router to allow login. This can be useful if the network connection to the TACACS+ server is lost or the server itself goes down.

Instructs the router to use the newer AAA command-set:
    aaa new-model

Specifies that TACACS+ should be used for Console and Telnet/SSH connections, and allows access using the locally configured accounts if a TACACS+ server is not available:
    aaa authentication login vtymethod group tacacs+ enable
    aaa authentication login conmethod group tacacs+ enable
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    !
    aaa session-id common

Specify the TACACS+ server IP and shared secret key. The key must match the value configured in Cisco ACS:
    tacacs-server host 192.168.1.78
    tacacs-server directed-request
    tacacs-server key <shared secret key>

Assigns conmethod and vtymethod authentication to console connections and vty (remote) sessions respectively:
    line con 0
     exec-timeout 0 0
     password <console password>
     logging synchronous
     login authentication conmethod
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     password <telnet/ssh password>
     login authentication vtymethod
     terminal-type monitor
     transport input telnet ssh
    !
    end
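The method keyword at the end of each aaa list is what decides how the router behaves while the TACACS+ server is unreachable, so it is worth checking on every device rather than reading by eye. The following is an added example, not code from this note or from ActionPacked: a small Python audit that parses the AAA lines of an IOS configuration, reports which method each authentication list falls back to, and flags any command authorization list that ends in "none" (commands are then authorized without a server answer). The embedded SAMPLE_CONFIG is the fragment above with its placeholders kept; the finding wording and the FALLBACK_AUTHENTICATION set are this example's own choices.

```python
# Constructed sample input: the IOS AAA fragment from this note, with the
# page's placeholders left in place so the audit runs offline.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login vtymethod group tacacs+ enable
aaa authentication login conmethod group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
aaa session-id common
tacacs-server host 192.168.1.78
tacacs-server directed-request
tacacs-server key <shared secret key>
line con 0
 exec-timeout 0 0
 password <console password>
 logging synchronous
 login authentication conmethod
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password <telnet/ssh password>
 login authentication vtymethod
 terminal-type monitor
 transport input telnet ssh
!
end
"""

# Authentication method keywords that still let an operator in when no
# TACACS+ server answers (this example's own list of what counts as a fallback).
FALLBACK_AUTHENTICATION = {"enable", "local", "local-case", "line"}


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'enable'] into ['group tacacs+', 'enable']."""
    methods = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config_text):
    """Collect the named login authentication lists, the per-level command
    authorization lists, and the list each 'line' section binds to."""
    auth_lists = {}      # list name -> ordered methods
    authz_lists = {}     # (privilege level, list name) -> ordered methods
    line_bindings = {}   # "con 0" / "vty 0 4" -> authentication list name
    has_new_model = False
    current_line = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok == ["aaa", "new-model"]:
            has_new_model = True
        elif tok[:3] == ["aaa", "authentication", "login"]:
            auth_lists[tok[3]] = parse_methods(tok[4:])
        elif tok[:3] == ["aaa", "authorization", "commands"]:
            authz_lists[(int(tok[3]), tok[4])] = parse_methods(tok[5:])
        elif tok[0] == "line":
            current_line = " ".join(tok[1:])
        elif tok[:2] == ["login", "authentication"] and current_line:
            line_bindings[current_line] = tok[2]
    return has_new_model, auth_lists, authz_lists, line_bindings


def audit(config_text):
    """Return human-readable findings about lockout risk and fail-open authorization."""
    has_new_model, auth_lists, authz_lists, line_bindings = parse_aaa(config_text)
    findings = []
    if not has_new_model:
        findings.append("aaa new-model is missing; the AAA lists below are not in effect")
    for name, methods in auth_lists.items():
        if methods and methods[-1] in FALLBACK_AUTHENTICATION:
            findings.append(f"authentication list {name}: falls back to '{methods[-1]}' "
                            "when no TACACS+ server is reachable")
        else:
            findings.append(f"authentication list {name}: no fallback method, "
                            "administrators are locked out if TACACS+ is down")
    for (level, name), methods in authz_lists.items():
        if methods and methods[-1] == "none":
            findings.append(f"authorization level {level} list {name}: ends in 'none' "
                            "(fail-open: every command is authorized while TACACS+ is unreachable)")
    for line_name, list_name in line_bindings.items():
        if list_name not in auth_lists:
            findings.append(f"line {line_name}: references undefined authentication list '{list_name}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports that both login lists fall back to the enable password and that both command authorization lists are fail-open, which is exactly the trade-off function 2 above describes: reachability of the device is preserved at the cost of command authorization while the server is down.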
3. Cisco ACS TACACS+ Configuration

There are many TACACS+ servers available to allow authentication from the router. The most commonly used server and the one that will be covered in this document is the Cisco Secure ACS server. This server can perform many additional tasks related to user management such as Active Directory and LDAP synchronization. This server can also be used for wireless authentication or in conjunction with Cisco's Network Admission Control (NAC) architecture. There are also several free TACACS+ servers available via the open source community. The setup process will be very similar on those platforms as well.

Cisco Secure ACS Network Device Configuration

Configure the TACACS+ server to operate with a properly configured router on the network. In Cisco Secure ACS, this can be performed by adding a network device as shown in Figure 1.

Figure 1 Add Network Device to Cisco Secure ACS
Clicking the Add Entry button shown in Figure 1 will allow a new network device to be added to the Cisco Secure ACS system. Configuring this device is shown in Figure 2.

Figure 2 Adding Network Devices to Cisco Secure ACS

The IP address of the device as well as the TACACS+ shared secret key are configured on this device and must match the configuration on the router. In general, it is a good idea to use a loopback address on the router as the management interface. The loopback address is always up and will be accessible given a stable network path to the device. Some routers may have multiple connections for redundancy or load balancing that might not always be in an operational state.
Define User Privileges for Administration and Monitor Level Access

Two separate user roles need to be configured to allow for separate administrative and monitor access. Cisco Secure ACS provides a highly flexible authorization mechanism that can define exactly which commands are allowed and disallowed per user. The first role to be configured is the administrator user.

Figure 3 Shared Profile Components

Click the Shared Profile Components button on the left side of the screen, followed by clicking the Shell Command Authorization Sets link. On the window that displays, add a new Authorization set for the admin user. On the screen that follows, configure rules to permit all level 15 commands as shown in Figure 4.

Figure 4 Administrator User Configuration
Repeat this task to configure Monitor-Only access. For this level of access, a customized list of allowed commands will be entered. Below is a table of the configuration that is required for Monitor-Only level access on the Cisco Secure ACS server. Appendix 5.1 details how each command is used by LiveAction.

Command List Textbox    Argument List Textbox (right of command list)
login                   <none>
show                    permit running-config
                        permit privilege
                        permit startup-config
                        permit policy-map interface
                        permit interface
                        permit ip nbar port-map
                        permit ip sla
                        permit ip route
                        permit ip flow export
                        permit ip flow top-talkers
terminal                permit length 0
                        permit width 0

Table 1 Allowed Commands for Monitor-Only Level Access

Figure 5 displays an example configuration of the shell authorization commands configuration for monitor-only access.

Figure 5 Monitor-Only Shell Command Configuration
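Before committing a command set like Table 1 it helps to check, offline, that every command LiveAction actually issues (the list in Appendix 5.1) is covered, and that unrelated commands are still refused. The following is an added example, not code from this note or from Cisco ACS: a Python model of one shell command authorization set that decides permit or deny for a command line. Its matching semantics are this example's assumption about how ACS evaluates a set: the first word selects the command entry, the remaining words are matched in order against the argument entries as unanchored regular expressions, the first match wins, and anything unmatched follows the "unmatched args" and "unmatched commands" defaults (both deny, as when those checkboxes are left unchecked). MONITOR_ONLY_SET is Table 1 and LIVEACTION_MONITOR_COMMANDS is taken from the Appendix; both are constructed here for the example.

```python
import re

# Constructed from Table 1 of this note: one ACS shell command authorization set.
# Each command maps to an ordered list of (action, argument regex) rules; an empty
# list stands for the "<none>" argument textbox.
MONITOR_ONLY_SET = {
    "login": [],
    "show": [
        ("permit", "running-config"),
        ("permit", "privilege"),
        ("permit", "startup-config"),
        ("permit", "policy-map interface"),
        ("permit", "interface"),
        ("permit", "ip nbar port-map"),
        ("permit", "ip sla"),
        ("permit", "ip route"),
        ("permit", "ip flow export"),
        ("permit", "ip flow top-talkers"),
    ],
    "terminal": [
        ("permit", "length 0"),
        ("permit", "width 0"),
    ],
}

# The administrator set from Figure 4 lists no commands of its own; it permits
# everything through the unmatched-commands setting (see authorize()).
ADMIN_SET = {}

# Commands the Appendix lists for monitor-only operation, as this example's
# test input. 'enable' is left out because Table 1 has no entry for it.
LIVEACTION_MONITOR_COMMANDS = [
    "terminal length 0",
    "terminal width 0",
    "show privilege",
    "show running-config",
    "show ip sla",
    "show ip nbar port-map",
    "show ip flow top-talkers",
    "show ip flow export",
    "show interface",
    "show ip route | begin Gateway",
    "show policy-map interface",
]


def authorize(command_line, auth_set, unmatched_args="deny", unmatched_commands="deny"):
    """Return 'permit' or 'deny' for one command line under the assumed ACS
    semantics: first word selects the command entry, the rest is matched in
    order against unanchored regexes, first match wins, and the unmatched_*
    policies cover everything else."""
    tokens = command_line.split()
    if not tokens:
        return "deny"
    command, args = tokens[0], " ".join(tokens[1:])
    if command not in auth_set:
        return unmatched_commands
    for action, pattern in auth_set[command]:
        if re.search(pattern, args):
            return action
    if not args:
        return "permit"      # bare command, nothing in the argument box to evaluate
    return unmatched_args


def evaluate(commands, auth_set, **policy):
    """Map each command line to its decision under the given set."""
    return {cmd: authorize(cmd, auth_set, **policy) for cmd in commands}


if __name__ == "__main__":
    for cmd, decision in evaluate(LIVEACTION_MONITOR_COMMANDS, MONITOR_ONLY_SET).items():
        print(f"{decision:6s} {cmd}")
    for cmd in ("show version", "terminal monitor", "configure terminal"):
        print(f"{authorize(cmd, MONITOR_ONLY_SET):6s} {cmd}")
```

Because the argument entries are unanchored, "permit interface" also covers "show interfaces switchport" and "permit ip route" covers the piped "show ip route | begin Gateway" form from the Appendix, while "show version", "terminal monitor" and "configure terminal" all fall through to the deny default. The administrator set is the same function with unmatched_commands set to "permit".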
Create Admin and Monitor User Group

Once the shell command settings are configured, a user group is needed to associate the access rights to the users. A group is needed for the administrator user as well as the monitor-only users. Click Group Setup on the left side of the screen and select a group from the pull-down. For this example, the group Group2 has been renamed to Admin1. Rename one of the other groups to be used for monitoring. Once this is selected, click Edit Settings as shown in Figure 6.

Figure 6 Admin Group Setup

In the screen that appears, select the button for Assign a Shell Command Authorization Set for any network device. From the pull-down, select the Admin authorization set. Click Submit, and then perform this task again for the monitor-only group, selecting the Monitor Authorization set. Once you have finished selecting the authorization set, click Submit + Restart at the bottom of the page.

Figure 7 Admin Group Setup Details
Create Users

Once the Authorization sets and groups are created, the actual user accounts can be created as well. Cisco Secure ACS has the capability to synchronize users from Active Directory and LDAP sources. For this example, we will create an individual account locally. For more information on LDAP configuration, reference the Cisco configuration guide on the topic. These links can be found at the end of this document.

To create a new user, click the User Setup tab on the left, then type in the name of the user that will have administrative privileges. For this example, the username Admin will be used as shown in Figure 8.

Figure 8 Admin User Setup

In the screen that follows, select the admin1 group created in step 3.3 for this user in the group pull-down at the bottom of the page. If you are using external authentication, that can be entered as well. For this example, the local database will be used for authentication. The details of this configuration are shown in Figure 9.

Figure 9 User Configuration Details

Perform this task again for the monitor-only user. After both users have been configured, the system is now configured to authenticate users on the router with 2 levels of access. This will allow LiveAction to send the commands required for monitoring or full administrative capabilities.
4. Verify LiveAction Connectivity and Operation

To verify the configuration of the Cisco router and Cisco Secure ACS, simply add the router of interest to LiveAction by going to File > Discover Devices as shown in Figure 10.

Figure 10 Add a New Device in LiveAction

Follow the wizard that appears using the administrator user for full configuration or the monitor user for monitor-only. Note that Cisco ASA devices cannot be configured using Add Device. The device must be discovered instead. Enter the IP address and settings for the device in the Device Discovery dialog to add it to LiveAction.

Figure 11 Device Discovery

Using TACACS+ for authentication with Cisco Secure ACS allows organizations to centralize user management for routers. As LiveAction requires level 15 user access to perform its functions, ensuring the correct authorizations is critical to LiveAction's functionality. For more information on Cisco Secure ACS, visit the documentation shown in the appendix.
5. Appendix

5.1 LiveAction Commands Required for Monitor-only Access

Cisco Command                    Reason for use with LiveAction
terminal length 0                Outputs the full response of the show commands at one time. Doesn't require pressing the spacebar to continue.
terminal width 0                 Prevents line wraps.
enable                           Switch to privileged mode (Note: TACACS+ typically logs the user in as Level 15 at the privilege prompt.)
show privilege                   Determine what privilege mode the application is in.
show running-config              Retrieves the running configuration.
show ip sla                      Determines if the device supports IPSLA and which configuration mode it uses (i.e. ip sla or ip sla monitor).
show ip nbar port-map            Retrieves the list of port mappings.
show ip flow top-talkers         Checks if NetFlow MIB is supported.
show ip flow export              Checks if NetFlow collector is supported.
show interface                   Used to gather detailed interface information and statistics. The switchport option is used to determine which ports belong to which VLAN and what mode the ports are in (i.e. access or trunk).
show ip route | begin Gateway    Retrieve the route table without the code legend.
show policy-map interface        Used to associate QoS policies to interfaces and get statistics.

Documentation Links:
Cisco Secure ACS Configuration Guide:
Configure a Cisco Router with TACACS+ Authentication: http://www.cisco.com/en/us/tech/tk59/technologies_tech_note09186a00800946a3.shtml
User Guide for Cisco Secure ACS: http://www.cisco.com/en/us/products/sw/secursw/ps5338/products_user_guide_book09186a0080204be1.html

Copyright 2012 ActionPacked! Networks. All rights reserved. ActionPacked!, the ActionPacked! logo and LiveAction are trademarks of ActionPacked! Networks. Other company and product names are the trademarks of their respective companies.
ActionPacked! Networks, 155 Kapalulu Place, Suite 222, Honolulu, HI 96819