ACS 5.8 DEPLOYMENT (INSTALLATION & CONFIGURATION)
AGENDA:
OVERVIEW
INSTALLATION
MIGRATION FROM ACS 4.2 TO ACS 5.8
DOMAIN JOINING OF ACS MACHINE
REMOTE ACCESS VPN INTEGRATION WITH ACS
INTEGRATION OF CSM
INTEGRATION OF FIRESIGHT
OVERVIEW:
ACS IS A POLICY-BASED SECURITY SERVER THAT PROVIDES STANDARDS-COMPLIANT AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING (AAA) SERVICES TO YOUR NETWORK. ACS FACILITATES THE ADMINISTRATIVE MANAGEMENT OF CISCO AND NON-CISCO DEVICES AND APPLICATIONS.

ACS 5.8 PROVIDES A RULE-BASED POLICY MODEL THAT ALLOWS YOU TO CONTROL NETWORK ACCESS BASED ON DYNAMIC CONDITIONS AND ATTRIBUTES. THE RULE-BASED POLICY IS DESIGNED TO MEET COMPLEX ACCESS POLICY NEEDS. FOR MORE INFORMATION ON THE RULE-BASED POLICY MODEL IN ACS,

ACS IS THE POINT IN YOUR NETWORK THAT IDENTIFIES USERS AND DEVICES THAT TRY TO CONNECT TO YOUR NETWORK. THIS IDENTITY ESTABLISHMENT CAN OCCUR DIRECTLY BY USING THE ACS INTERNAL IDENTITY REPOSITORY FOR LOCAL USER AUTHENTICATION OR BY USING EXTERNAL IDENTITY REPOSITORIES. FOR EXAMPLE, ACS CAN USE ACTIVE DIRECTORY AS AN EXTERNAL IDENTITY REPOSITORY TO AUTHENTICATE A USER AND GRANT THE USER ACCESS TO THE NETWORK.
CPU: 2 CPUS
HARD DISK: 500GB
NIC: 1GB NIC
HYPERVISOR:
CONFIGURATION TO BE CONT.
5. ENTER THE NAME AND CLICK NEXT.
7. SELECT THE STORAGE AND CLICK NEXT.
8. CLICK THE LINUX RADIO BUTTON, AND FROM THE VERSION DROPDOWN LIST, CHOOSE RED HAT ENTERPRISE LINUX 6 (64-BIT) AND CLICK NEXT.
8. SELECT THE NUMBER OF NICS THAT YOU WANT TO USE IN THE NETWORK WINDOW, AND CLICK NEXT. YOU CAN USE UP TO FOUR NICS.
NOTE: ACS DOES NOT SUPPORT VMXNET2 (ENHANCED) AND VMXNET3 ADAPTERS.
9. SELECT THE DISK SIZE AS 500 GB IN THE VIRTUAL DISK CAPACITY WINDOW, AND CLICK NEXT. (THE SIZE SHOWN BELOW IS FOR TESTING ONLY.)
Check the "Edit the virtual machine settings before completion" check box if you want to change parameters, and click Next.
Enter 4096 MB, and click Next.
CONFIGURING THE VM USING THE DVD DRIVE:
To configure the VM using the DVD drive:
1. In the VMware vSphere Client, highlight the newly created VM, and choose Edit Virtual Machine Settings.
ACS 5.8 CONFIGURATION CONT.
Create Command Set:
Policy Element -> Device Administration -> Command Sets -> Create
ACS 5.8 CONFIGURATION CONT.
Apply Authorization Policy:
We apply the authorization policy here to enforce a different access level for different users. In the example below we have created a policy named "local" which allows local users; for it the already defined FullPrivilege shell profile and the allow-all command set are selected.
Access Policy -> Access Services -> Create
CONFIGURATION CONT.
Domain Joining
In order to achieve single sign-on, the ACS has been synchronized with Active Directory so that existing domain credentials, instead of local ACS credentials, are used to access network devices.
Users and ID store -> Active Directory -> Join
After joining the domain we need to make some configuration changes so that only specific users may access the network.
ACS 5.8 CONFIGURATION CONT.
ADD Domain Identity Store:
First of all, change the identity store to accommodate the domain. As per the diagram below, both the local and the domain identity store can be used; by default the Internal Users store is selected.
ACS 5.8 CONFIGURATION CONT.
Authentication Domain Users:
In order to restrict authentication to specific users rather than all domain users, we need to configure the identity policy.
Go to Access Policy -> Network Devices Access -> Identity and list all network engineers' domain IDs one by one.
ACS 5.8 CONFIGURATION CONT.
Authorization Domain Users:
In a similar fashion we also need to apply a specific shell profile and command set for domain users.
Access Policy -> Network Devices Access -> Authorization
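The slides above describe the rule-based device-administration policy as a chain: an identity store sequence (Internal Users first, then Active Directory), an identity rule that accepts only the listed domain IDs, authorization rules that map the authenticating store to a shell profile and a command set, and the command set that is consulted for each command the user enters on the device. The following Python is an added, simplified model of that chain written for this page; it is not ACS code. The user names, passwords, the "CORP\" domain, the "NoReload" command set and the "ReadOnly" profile are constructed; the "local" rule, the FullPrivilege profile and the allow-all command set come from the slides.

```python
"""Simplified model of an ACS 5.8-style rule-based policy for device
administration (identity store sequence -> identity rule -> authorization
rule -> command set). Constructed example; not ACS code."""
import re
from dataclasses import dataclass, field
from secrets import compare_digest


@dataclass
class CommandSet:
    """A command set: explicit rows evaluated first (first match wins),
    then the 'permit any command not listed' default."""
    name: str
    permit_any: bool = False
    # rows of (action, command, argument-regex), e.g. ("deny", "reload", ".*")
    rules: list[tuple[str, str, str]] = field(default_factory=list)

    def authorizes(self, command_line: str) -> bool:
        parts = command_line.split(maxsplit=1)
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        for action, rule_cmd, arg_re in self.rules:
            if rule_cmd == cmd and re.fullmatch(arg_re, args):
                return action == "permit"
        return self.permit_any


# Constructed identity stores (plain-text passwords only for the model).
INTERNAL_USERS = {"netadmin": "local-pass"}
AD_USERS = {"CORP\\alice": "ad-pass", "CORP\\bob": "ad-pass2", "CORP\\carol": "x"}

# Identity rule from the slides: only the listed network engineers' domain IDs
# may authenticate; any other domain account is rejected.
ALLOWED_DOMAIN_ENGINEERS = {"CORP\\alice", "CORP\\bob"}

SHELL_PROFILES = {"FullPrivilege": 15, "ReadOnly": 1}  # profile -> privilege level
COMMAND_SETS = {
    "allow-all": CommandSet("allow-all", permit_any=True),
    # Constructed: permit everything except 'reload' (first matching row wins).
    "NoReload": CommandSet("NoReload", permit_any=True, rules=[("deny", "reload", r".*")]),
}

# Authorization rules: (name, condition on (store, user), shell profile, command set).
AUTHZ_RULES = [
    ("local", lambda store, user: store == "Internal Users", "FullPrivilege", "allow-all"),
    ("domain-engineers", lambda store, user: store == "AD1", "FullPrivilege", "NoReload"),
]


def authenticate(user: str, password: str):
    """Identity store sequence: Internal Users first, then Active Directory (AD1).
    Returns the name of the store that authenticated the user, or None."""
    if user in INTERNAL_USERS:
        return "Internal Users" if compare_digest(INTERNAL_USERS[user], password) else None
    if user in AD_USERS and compare_digest(AD_USERS[user], password):
        return "AD1" if user in ALLOWED_DOMAIN_ENGINEERS else None  # identity rule
    return None


def authorize(user: str, password: str):
    """Run authentication, then the first matching authorization rule.
    No matching rule means the implicit default rule: deny access."""
    store = authenticate(user, password)
    if store is None:
        return None
    for name, cond, profile, cmdset in AUTHZ_RULES:
        if cond(store, user):
            return {"rule": name, "store": store,
                    "privilege": SHELL_PROFILES[profile], "command_set": cmdset}
    return None


def command_authorized(user: str, password: str, command_line: str) -> bool:
    """Per-command authorization: the session's command set decides."""
    session = authorize(user, password)
    return session is not None and COMMAND_SETS[session["command_set"]].authorizes(command_line)


if __name__ == "__main__":
    for who, pw, cmd in [("netadmin", "local-pass", "reload"),
                         ("CORP\\alice", "ad-pass", "show running-config"),
                         ("CORP\\alice", "ad-pass", "reload"),
                         ("CORP\\carol", "x", "show version")]:
        print(who, cmd, "->", "permit" if command_authorized(who, pw, cmd) else "deny")
```

The model makes the two restriction points on the slides explicit: a domain account that is not in the engineers list never reaches authorization even with a valid password, and a user who is authorized still has each command checked against the command set selected by the matching rule.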
We already had ACS 4.2 running in production; after installing ACS 5.8 we migrated the device data from 4.2 to 5.8.
Migration of the data is achieved with the help of the migration utility tool, which runs on the ACS 4.2 Windows machine. An independent machine called the migration machine is deployed, which migrates the data from the source machine to the ACS 5.8 target machine.
Deploy a new independent Windows Server machine running ACS 4.2, the same as in production, called the migration machine.
Copy the configuration backup file of the existing ACS to the migration machine.
Download the Migration Utility from 5.8 and copy it to the migration machine.
System administration -> Downloads -> Migration utility
Using the Cisco ACS reports, you can review the performance and status of Cisco ACS functionality across specified time periods.
Monitoring and Reports -> Launch Monitoring and Report Viewer -> Reports -> AAA Reports
INTEGRATING CSM:
AT CSM:
ADDITIONALLY WE NEED TO ADD USERS LOCALLY FOR AUTHORIZATION WITH THE SAME CREDENTIALS; OTHERWISE THE USER WILL NOT BE ABLE TO LOG IN USING THE CSM APP.
INTEGRATING FIRESIGHT:
CREATE THE RULE SO THAT ONLY SPECIFIC USERS CAN LOG IN TO FIRESIGHT.
AT FIRESIGHT: