
Nexus

ACS 5.0 Device Admin Lab Guide

Developers and Lab Proctors

This lab was created by: Aruna Yerragudi

Lab proctors:

Lab Overview

In this lab, you will configure the Cisco Access Control Server v5.0 for Device Administration using TACACS+ protocol. You’ll be configuring access control via privilege levels and command authorization sets. Lab participants should be able to complete the lab within the allotted lab time of (2) hour(s).

Lab Exercises

This lab guide includes the following exercises:

Lab Exercise 1: Configure Network Device and AAA Client

Lab Exercise 2: Configure Users and Identity Stores

Lab Exercise 3: Configure Policy Elements - Shell Profiles

Lab Exercise 4: Configure Access Services and Service Selection

Lab Exercise 5: Switch Configuration

Lab Exercise 6: Test and View Reports

Lab Exercise 7: Switch Configuration Cleanup

Lab Exercise 8: Configure Policy Elements – Command Authorization Sets

Lab Exercise 9: Modification of the Authorization Profiles

Lab Exercise 10: Test and View Reports

Product Overview: ACS 5.0

Cisco Secure Access Control System (ACS) 5.0 is a next-generation platform for centralized network identity and access control. ACS 5.0 features a simple yet powerful, rule-based policy model and a new, intuitive management interface designed for optimum control and visibility.

The rule-based policy model provides the flexibility and manageability needed to meet evolving access policy needs. Its integrated monitoring, reporting, and troubleshooting features simplify management and increase compliance. ACS 5.0 integration capabilities and distributed deployment support make it the ideal network identity and access policy solution.

Lab Topology and Access

Every one or two students will share one POD. Each POD includes one Cat6K switch, an ACS Server v5.0 and a Win2K3 server.

Lab Topology

The following is the topology used for this lab.



Internal IP addresses

The table that follows lists the internal IP addresses used by the devices in this setup.

Device        IP Address
Cat Switch    10.10.30.1
ACS 5.0       10.10.30.20
Win2K3/AD     10.10.30.21

Accounts and Passwords

The table that follows lists the accounts and passwords used in this lab.

Access To                Account (username/password)
Win2K3/AD                Administration/Cisco123
Switch telnet password   cisco
Switch enable secret     cisco
ACS 5.0 GUI              acsadmin/cisco123
ACS 5.0 CLI              Admin/csACS123



Lab Exercise 1: Configure Network Device and AAA Client

Exercise Objective

In this exercise, your goal is to add the AAA client (Catalyst Switch) to ACS.


Lab Exercise Steps

Step 1

Logon to the ACS. (RDP to the Win2K3 server with the credentials Administrator/Cisco123 and click on the IE shortcut Cisco Secure ACS Login. Ignore the certificate error and provide the ACS credentials acsadmin/cisco123 to login.)

Step 2

Go to Network Resources -> Network Devices and AAA Clients and click on Create to create a new entry

Step 3

Enter the device details as per the diagram below

You should have now successfully added the Cat switch as an AAA client.

End of Exercise: You have successfully completed this exercise. Proceed to next section.



Lab Exercise 2: Configure User and Identity Stores

Exercise Objective

In this exercise, your goal is to create Identity Groups and Internal Users. This lab uses the ACS Internal Database for user authentication.


Lab Exercise Steps

Step 1

Go to Users and Identity Stores -> Identity Groups and click on Create

Step 2

Create a group with the following information: Name – Admin, Description – Administrators, Parent – All Groups

Step 3

Create another group with the following information: Name – Operator, Description – Operators, Parent – All Groups

Step 4

Go to Users and Identity Stores -> Internal Identity Stores -> Users and click on Create

Step 5

Create a user with the following information: Name – devadmin, Identity Group - All Groups:Admin, Password - cisco123, Confirm Password – cisco123



Step 6

Create another user with the following information: Name – devop, Identity Group - All Groups:Operator, Password - cisco123, Confirm Password – cisco123

You should now have two Identity Groups, Admin and Operator, and two users, devadmin and devop, assigned to the respective groups.

End of Exercise: You have successfully completed this exercise. Proceed to next section.



Lab Exercise 3: Configure Policy Elements – Shell Profiles

Exercise Objective

In this exercise, your goal is to configure the shell profiles under Policy Elements, which will later be used in the Authorization Rules. Shell profile authorization decides which privilege level and which other shell attributes to assign to the user requesting authorization; the result is enforced for the duration of the user's session.


Lab Exercise Steps

Step 1

Go to Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles and click on Create

Step 2

Create a Shell Profile with the name Priv-level-7. Go to the Privilege Level tab and set the properties as per the screenshot below

Step 3

Create another Shell Profile with the name Priv-level-15. Go to the Privilege Level tab and Enable Default Privilege and set the Default Privilege level to 15

End of Exercise: You have successfully completed this exercise. Proceed to next section.



Lab Exercise 4: Configure Access Service and Service Selection

Exercise Objective

In this exercise, your goal is to create a new Access Service and set the Service Selection rules. In ACS 5.0, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. Access services are created to define authentication and authorization policies for requests. A global service selection policy contains rules that determine which access service processes an incoming request.


Lab Exercise Steps

Step 1

Go to Access Policies -> Access Services and Create a new Access Service

Step 2

Create an Access Service with the Name – Device Admin. Select the check box against the option – Based on service template and choose Device Admin - Simple from the list.

Step 3

Go to Next and in Allowed Protocols, select Allow PAP/ASCII and click on Finish

Step 4

Click on Yes when asked “Would you like to modify the Service Selection Policy to activate this service?”

Step 5

Select Rule-2 and click on Edit and edit as below







Step 6

Click on Save Changes and then go to Access Policies -> Access Services -> Device Admin -> Identity. Leave the Identity option at the default Internal Users

Step 7

Select Authorization to create the Authorization rules. Click on Create and create a new rule as per the config below






Step 8

Create a second Authorization rule as below


Step 9

Click on Save Changes. You should now have created a new Access Service, set the Service Selection rules and created the two Authorization rules for Device access.


End of Exercise: You have successfully completed this exercise. Proceed to next section.
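The policy chain built in Lab Exercises 2 to 4 (service selection -> identity store -> authorization rule -> shell profile) as a small model in Python. This is an added example, not code from the lab guide or from Cisco; it assumes first-match rule evaluation with a default rule, that the Lab 4 authorization rules map Identity Group Admin to Priv-level-15 and Operator to Priv-level-7 (consistent with the show privilege results expected in Lab Exercise 6), and that RADIUS requests would be handled by the Default Network Access service.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    protocol: str      # "TACACS+" or "RADIUS"
    username: str
    password: str

# Lab 2: internal users and their identity groups (constructed from the lab text;
# the real ACS internal store does not keep passwords in the clear).
INTERNAL_USERS = {
    "devadmin": ("cisco123", "All Groups:Admin"),
    "devop":    ("cisco123", "All Groups:Operator"),
}

# Lab 3: shell profiles, named as in the lab, carrying the default privilege level.
SHELL_PROFILES = {"Priv-level-15": 15, "Priv-level-7": 7}

# Lab 4, Rule-2: TACACS+ requests go to the "Device Admin" access service.
# The RADIUS entry is an assumption standing in for the other default service.
SERVICE_SELECTION = [("TACACS+", "Device Admin"), ("RADIUS", "Default Network Access")]

# Lab 4, steps 7-8: authorization rules keyed on the identity group (assumed mapping).
AUTHZ_RULES = [("All Groups:Admin", "Priv-level-15"),
               ("All Groups:Operator", "Priv-level-7")]

def select_service(req):
    """First matching service selection rule wins; None means no service."""
    for protocol, service in SERVICE_SELECTION:
        if protocol == req.protocol:
            return service
    return None

def authorize(req):
    """Return the privilege level granted, or None if any stage rejects."""
    if select_service(req) != "Device Admin":
        return None
    # Identity policy: Internal Users store (Lab 4, step 6), password check.
    record = INTERNAL_USERS.get(req.username)
    if record is None or not hmac.compare_digest(record[0], req.password):
        return None
    group = record[1]
    for rule_group, profile in AUTHZ_RULES:
        # A rule on a parent group also matches its child groups (hierarchical groups).
        if group == rule_group or group.startswith(rule_group + ":"):
            return SHELL_PROFILES[profile]
    return None  # default rule: no shell profile, so no shell access

if __name__ == "__main__":
    for user in INTERNAL_USERS:
        print(user, authorize(Request("TACACS+", user, "cisco123")))
```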

Lab Exercise 5: Switch Configuration

Exercise Objective

In this exercise, your goal is to add the required CLI commands on the switch for Device Administration.
 


Lab Exercise Steps

Step 1

Telnet to the switch and log in. Enter the enable mode. Enter the password cisco

Step 2

Enter configure terminal mode and enter the commands shown below. The following lines protect console port access by assigning the console its own no_aaa method lists.

aaa new-model
aaa authentication login no_aaa none
aaa authorization exec no_aaa none
aaa authorization commands 15 no_aaa none
aaa authorization console
line con 0
login authentication no_aaa
authorization exec no_aaa
authorization commands 15 no_aaa
exit

Step 3

In the configure terminal mode, enter the following commands for setting the aaa settings and the privilege level commands.

aaa authentication login default group tacacs+ none
aaa authorization exec default group tacacs+ none
tacacs-server host 10.10.30.20 key cisco
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable traps alarms critical
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

The first command defines TACACS+ as the authentication method for shell logins. The second command defines TACACS+ as the source of the exec (shell) authorization profiles for those logins. The third command specifies the TACACS+ server and its shared key. In both method lists the trailing none is a fallback method: if no TACACS+ server responds, the switch lets the login and the exec session proceed without any check.

The commands with the privilege prefix define the commands that are available at the specified privilege level, level 7 in our example.

Note:

If you are using copy paste for entering the commands on CLI, ensure that there are no extra spaces copied.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 6: Test and View Report

Exercise Objective

In this exercise, your goal is to test the configuration and view the authentication reports from the Monitoring and Reports Viewer.


Lab Exercise Steps

Step 1

From the Win2K3 server, open a command prompt and telnet to the switch. Login with the credentials “devadmin/cisco123”.

Step 2

Verify the privilege level by typing the command show privilege at the CLI. The privilege level should be set to 15

Step 3

Go to the configure terminal mode and try to execute the commands

interface GigabitEthernet3/2

Step 4

Telnet to the switch and login with the credentials “devop/cisco123”.

Step 5

Verify the privilege level by typing the command show privilege at the CLI. The privilege level should be set to 7

Step 6

Go to the configure terminal mode and try to execute the commands

snmp-server enable traps alarms critical

snmp-server host 10.10.30.10 test

interface GigabitEthernet3/2

The first two commands should be executed successfully and the third command should fail.

Note:

To verify and/or troubleshoot any issues, use the Monitoring and Reports viewer to see the detailed logs of the authentication request. You can also enable debugging on the switch for troubleshooting. The commands for enabling debugging are debug aaa authentication, debug aaa authorization, debug tacacs authentication, debug tacacs authorization

Step 7

On the ACS GUI, go to Monitoring and Reports -> Launch Monitoring & Report Viewer

Note:

If there are any “DB unavailable” errors when launching Monitoring and Reports, check to see if all the processes are up and running. SSH to the ACS CLI (refer to the Lab Exercise 2 Note for steps to SSH to ACS) and execute the “show application status acs” command.

Step 8

The Monitoring and Reports viewer opens in a new window. Go to Monitoring and Reports -> Reports -> Catalog -> AAA Protocol and click on TACACS Authentication to generate the authentication report. A report similar to the below is shown with all the passed and failed authentications.

Step 9

Click on the icon under the Details column. That brings up the detailed report. The detailed report looks similar to the screenshot below. It shows the information on which Identity Store, Access Service and Authorization Rules were matched and used.




End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 7: Switch Configuration Cleanup

Exercise Objective

In this exercise, your goal is to clean the switch configuration and add additional commands for Command Authorization Sets testing.


Lab Exercise Steps

Step 1

Telnet to the switch using the credentials of devadmin/cisco123

Step 2

Go to configure terminal mode and execute the commands below:

no privilege configure level 7 snmp-server host
no privilege configure level 7 snmp-server enable
no privilege configure level 7 snmp-server
no privilege exec level 7 ping
no privilege exec level 7 configure terminal
no privilege exec level 7 configure

By executing the above commands, we are removing the commands from the privilege level 7. Do a show running-configuration and verify that no privilege related commands exist.

Step 2

In the configure terminal mode execute the below command

aaa authorization commands 15 default group tacacs+ none

The above command defines TACACS+ as the command authorization method for shell logins. A privilege level must be specified so that the switch (the TACACS+ client) knows for which commands to request permission. In our lab, we select privilege level 15: only commands that are accessible at privilege level 15 will be checked.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 8: Configure Policy Elements – Command Authorization Sets

Exercise Objective

In this exercise, your goal is to configure the Policy Elements - Command Authorization Sets which will be used in the following task.


Lab Exercise Steps

Step 1

Go to Policy Elements -> Authorization and Permissions -> Device Administration -> Command Sets and click on Create

Step 2

Create a Command Authorization set with the name Permit All and enable Permit any command that is not in the table below, as shown below

Step 3

Create a Command Authorization set with the name Permit Show and add the show command as shown below


End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 9: Modify Authorization Profiles

Exercise Objective

In this exercise, your goal is to modify the authorization profiles to include Command Authorization Sets in the Authorization Rules.


Lab Exercise Steps

Step 1

Go to Access Policies -> Access Services -> Device Admin -> Authorization and click on the Customize button at the bottom right hand corner. Select the Command Sets under Customize Results - Available and add to the Selected

Step 2

Next, edit the existing authorization rules.

Step 3

Select the Admin Rule and Edit it as shown below:

Step 4

Select the Operator Rule and Edit it as shown below:

Step 4

Click on Save Changes

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 10: Test and View Reports

Exercise Objective

In this exercise, your goal is to test that command authorization sets take effect based on the user that logs in.


Lab Exercise Steps

Step 1

Telnet to the switch and login with the credentials “devop/cisco123”. Go to the enable mode.

Step 2

Try to execute the following commands

show running-configuration
ping 10.10.30.20
configure terminal

Only the first command should successfully execute. The remaining commands fail with a Command Authorization failed error.

Step 3

Telnet to the switch and login with the credentials “devadmin/cisco123”.

Step 4

Try to execute the following commands

show running-configuration
ping 10.10.30.20
configure terminal

All commands should execute successfully.
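How the switch-side command authorization from Lab Exercise 7 and the two command sets from Lab Exercise 8 produce the results expected above, as an added Python model that is not code from the lab guide or from Cisco. It assumes that command set entries are checked in table order with the first match deciding, that a Deny Always entry overrides a permit from any other set, and that the Lab 9 rules map the Admin rule to Permit All and the Operator rule to Permit Show (inferred from the expected results, since the screenshots are not in the text); the tacacs_reachable flag models the none fallback in aaa authorization commands 15 default group tacacs+ none.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CommandSet:
    name: str
    permit_unlisted: bool   # the "Permit any command that is not in the table below" check box
    entries: list = field(default_factory=list)  # (grant, command, argument regex)

def evaluate(cmd_set, line):
    """Return 'permit', 'deny' or 'deny_always' for one command line."""
    words = line.split()
    if not words:
        return "deny"
    command, args = words[0].lower(), " ".join(words[1:])
    for grant, name, arg_pattern in cmd_set.entries:
        # Assumption: an empty argument pattern matches any arguments.
        if name.lower() == command and re.fullmatch(arg_pattern or ".*", args):
            return grant   # first matching entry decides (assumption)
    return "permit" if cmd_set.permit_unlisted else "deny"

def switch_authorize(user_sets, line, tacacs_reachable=True):
    """Model 'aaa authorization commands 15 default group tacacs+ none'."""
    if not tacacs_reachable:
        # The trailing 'none' method permits every command when no server answers.
        return True
    results = [evaluate(s, line) for s in user_sets]
    if "deny_always" in results:
        return False   # Deny Always overrides a permit from any other set
    return "permit" in results

# Command sets from Lab Exercise 8, constructed from the lab text.
PERMIT_ALL = CommandSet("Permit All", permit_unlisted=True)
PERMIT_SHOW = CommandSet("Permit Show", permit_unlisted=False,
                         entries=[("permit", "show", "")])

# Assumed Lab 9 mapping: Admin rule -> Permit All, Operator rule -> Permit Show.
USER_SETS = {"devadmin": [PERMIT_ALL], "devop": [PERMIT_SHOW]}

LAB10_COMMANDS = ["show running-configuration", "ping 10.10.30.20", "configure terminal"]

def lab10_results(user, tacacs_reachable=True):
    """Map each Lab 10 test command to True (permitted) or False (denied)."""
    return {c: switch_authorize(USER_SETS[user], c, tacacs_reachable)
            for c in LAB10_COMMANDS}

if __name__ == "__main__":
    for user in USER_SETS:
        print(user, lab10_results(user))
```

Running lab10_results("devop", tacacs_reachable=False) shows the none fallback: every command is permitted while the ACS server is unreachable.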

Step 5

On the ACS GUI, go to Monitoring and Reports -> Launch Monitoring & Report Viewer

Step 6

The Monitoring and Reports viewer opens in a new window and in that go to Monitoring and Reports -> Reports -> Catalog -> AAA Protocol and click on TACACS Authentication/Authorization reports. The Authentication report will be similar to the report in Lab Exercise 6. The Authorization report will look similar to the below report

Step 6

Click on the icon under the detail column in the above report. A detailed report will be shown similar to the report below.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Appendix: Additional Resources

You can find other useful information related to the topics covered in this lab at the following URLs:

http://cisco.com/en/US/products/ps9911/index.html

http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/common_scenarios.html#wp1052519

End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.


 

