
CISCO SECURE ACS 5.8 DEPLOYMENT
(INSTALLATION & CONFIGURATION)

AGENDA:
OVERVIEW
INSTALLATION
MIGRATION FROM ACS 4.2 TO ACS 5.8
DOMAIN JOINING OF ACS MACHINE
REMOTE ACCESS VPN INTEGRATION WITH ACS
INTEGRATION OF CSM
INTEGRATION OF FIRESIGHT

OVERVIEW:
ACS IS A POLICY-BASED SECURITY SERVER THAT PROVIDES STANDARDS-COMPLIANT
AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING (AAA) SERVICES TO YOUR NETWORK. ACS
FACILITATES THE ADMINISTRATIVE MANAGEMENT OF CISCO AND NON-CISCO DEVICES AND
APPLICATIONS.

ACS 5.8 PROVIDES A RULE-BASED POLICY MODEL THAT ALLOWS YOU TO CONTROL NETWORK
ACCESS BASED ON DYNAMIC CONDITIONS AND ATTRIBUTES. THE RULE-BASED POLICY IS
DESIGNED TO MEET COMPLEX ACCESS POLICY NEEDS. FOR MORE INFORMATION ON THE RULE-BASED POLICY MODEL IN ACS,

ACS IS THE POINT IN YOUR NETWORK THAT IDENTIFIES USERS AND DEVICES THAT TRY TO
CONNECT TO YOUR NETWORK. THIS IDENTITY ESTABLISHMENT CAN OCCUR DIRECTLY BY USING
THE ACS INTERNAL IDENTITY REPOSITORY FOR LOCAL USER AUTHENTICATION OR BY USING
EXTERNAL IDENTITY REPOSITORIES.
FOR EXAMPLE, ACS CAN USE ACTIVE DIRECTORY AS AN EXTERNAL IDENTITY REPOSITORY TO
AUTHENTICATE A USER AND THEN GRANT THAT USER ACCESS TO THE NETWORK.

ACS PROVIDES ADVANCED MONITORING, REPORTING, AND TROUBLESHOOTING TOOLS THAT
HELP YOU ADMINISTER AND MANAGE YOUR ACS DEPLOYMENTS.

CISCO ACS 5.8 INSTALLATION

VIRTUAL MACHINE REQUIREMENTS
THE MINIMUM SYSTEM REQUIREMENTS FOR THE VMWARE VIRTUAL MACHINE
(VM) MUST BE SIMILAR TO THE CSACS-1121 APPLIANCE HARDWARE
CONFIGURATION.
CPU: 2 CPUs
MEMORY: 4 GB (4096 MB, the value entered in the wizard below)
HARD DISK: 500 GB
NIC: 1 Gbps NIC
HYPERVISOR: ESXi 5.5, ESXi 6.0

NOTE: AN ESXi HOST AND THE VSPHERE CLIENT MUST BE AVAILABLE TO CREATE THE VIRTUAL MACHINE.

CONFIGURING THE VM FOR ESXi 5.5 AND 6.0
1. Log in to the ESXi server with the vSphere Client.
2. Click Inventory.
3. Choose New Virtual Machine. The Create New Virtual Machine wizard appears.
4. In the Configuration Type dialog box, choose Typical as the VM configuration, and click Next.
5. Enter the name and click Next.
6. Choose a datastore (storage) and click Next.
7. Click the Linux radio button, choose Red Hat Enterprise Linux 6 (64-bit) from the Version drop-down list, and click Next.
8. Select the number of NICs that you want to use in the Network window, and click Next. You can use up to four NICs.
Note: ACS does not support VMXNET2 (Enhanced) and VMXNET3 adapters.
9. Select the disk size as 500 GB in the Virtual Disk Capacity window, and click Next. (The value shown in the lab screenshot was used for testing only.)
Note: ACS supports only thick provisioning on all supported VMware servers.
10. Check the Edit the virtual machine settings before completion check box if you want to change parameters, and click Next.
11. Enter 4096 MB of memory, and click Next.

CONFIGURING THE VM USING THE DVD DRIVE:
To configure the VM using the DVD drive:
1. In the VMware vSphere Client, highlight the newly created VM, and choose Edit Virtual Machine Settings.
2. In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1. The CD/DVD Drive 1 properties dialog box appears.
3. Browse and locate the ACS 5.8 ISO image and attach it to the drive.
4. When you complete the configuration, click the Console tab, right-click the VM in the left pane, and choose Guest > Send Ctrl+Alt+Del to restart the VM.
Move to the Console tab. You will lose cursor control as soon as you enter the Console tab.
The machine restarts with the ACS 5.8 recovery ISO image loaded and prompts for the install option. When the ACS 5.8 Install Disk boots, the console displays:
Welcome to Cisco Secure ACS 5.8 Recovery
To boot from the hard disk press <Enter>
Available boot options:
[1] Cisco Secure ACS 5.8 Installation (Monitor/Keyboard)
[2] Cisco Secure ACS 5.8 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
5. Type 1 (installation with monitor and keyboard) and press Enter. Pressing Enter alone boots from the hard disk instead of starting the installation.
Note: options [3] and [4] on this menu reset the ACS administrator password for anyone who can reach this console with the ISO attached. Restrict vSphere console access to the ACS VM and the permission to attach ISO images to it, and disconnect the ISO once the installation is finished.
When the installation finishes and the VM reboots, the console displays the login prompt.
6. At the system prompt, type setup, press Enter, and answer the prompts (the values below are the ones used in this deployment):
localhost login: setup
Enter hostname[]: ABLACS
Enter IP address[]: 10.133.251.3
Enter IP default netmask[]: 255.255.255.240
Enter IP default gateway[]: 10.133.251.1
Enter default DNS domain[]: abl.com.pk
Enter primary nameserver[]: 10.133.10.21
Add secondary nameserver? Y/N : n
Add primary NTP server : 10.133.50.1
Add secondary NTP server? Y/N : n
Enter system timezone[UTC]:
Enable SSH service? Y/N [N] : y
Enter username [admin]: admin
Enter password: ******
Enter password again: ******
ACS 5.8 CONFIGURATION

LOADING LICENSE FILE:
After completing the installation, first install the base license provided by Cisco through the GUI. An additional feature license file is also provided by Cisco when more than 500 network devices are managed.
Log in to the GUI with the admin credentials created during setup.
System Administration -> Licensing -> Base License (load the license file)
System Administration -> Licensing -> Feature Options (load the feature license file)

CREATE INTERNAL USER:
TACACS+ users can be created locally on ACS to access the network devices; different policy options are available to control what each user may do once logged in.
Users and Identity Stores -> Internal Identity Stores -> Users -> Create

ADDING NETWORK DEVICE:
To add a network device to ACS we need the device name, IP address and shared secret key; the key must be the same as the one configured on the device. Use a separate, long, random secret for each device: for TACACS+ this key is the only thing protecting the traffic between the device and ACS, and a secret shared across many devices is compromised everywhere as soon as one device is.
Network Resources -> Network Devices and AAA Clients -> Create
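The following added example (not from the slides and not Cisco's code) shows concretely what the shared secret does on the wire. It builds a TACACS+ authentication START packet as a device would send it to ACS, obfuscates the body exactly as RFC 8907 specifies (an MD5-derived pad XORed over the body), and parses it back. The key, username, session ID, port and addresses are constructed demo values and no ACS server is contacted. It also shows that a packet carrying the "unencrypted" flag, which is what a device with no key configured produces, is readable with no key at all, and that a mismatched key yields unreadable output, which is how a key mismatch between the device and ACS shows up.

```python
"""TACACS+ (RFC 8907) packet builder/parser illustrating the role of the ACS shared secret.

Added example, not from the original slides or from Cisco. All values (key, user,
session ID, port, addresses) are constructed for the demo; it runs fully offline.
"""
import hashlib
import struct

# Packet header (RFC 8907 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
VERSION = (0xC << 4) | 0x0          # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01             # set by devices that have no shared secret: body goes in clear

# Fixed part of an authentication START body (RFC 8907 5.1):
# action, priv_lvl, authen_type, authen_service, user_len, port_len, rem_addr_len, data_len
START = struct.Struct("!BBBBBBBB")
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 4.5: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_(n-1)); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR. This is not authenticated
    encryption: the only secret input is the shared key, so the key is the whole defence."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, key: bytes, session_id: int, port: str = "tty1",
                       rem_addr: str = "10.0.0.10", priv_lvl: int = 1,
                       unencrypted: bool = False) -> bytes:
    """First packet a NAS sends for an ASCII login (seq_no 1). With unencrypted=True the
    body is sent in clear and flagged as such, as a device without a key would do."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = START.pack(ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                      len(u), len(p), len(r), 0) + u + p + r
    seq_no = 1
    flags = FLAG_UNENCRYPTED if unencrypted else 0x00
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body))
    payload = body if unencrypted else xor_body(body, session_id, key, VERSION, seq_no)
    return header + payload


def deobfuscate_body(packet: bytes, key: bytes) -> bytes:
    """Return the cleartext body of a packet, honouring the unencrypted flag."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & FLAG_UNENCRYPTED:
        return body                       # no key needed: anyone on the path can read it
    return xor_body(body, session_id, key, version, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode an authentication START. A wrong key scrambles the length fields, so the
    consistency check below is what a server sees as 'key mismatch' for the device."""
    body = deobfuscate_body(packet, key)
    action, priv, atype, svc, ul, pl, rl, dl = START.unpack(body[:START.size])
    if START.size + ul + pl + rl + dl != len(body):
        raise ValueError("length fields inconsistent: wrong shared secret or corrupt packet")
    off, fields = START.size, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": fields["user"].decode(errors="replace"),
            "port": fields["port"].decode(errors="replace"),
            "rem_addr": fields["rem_addr"].decode(errors="replace"),
            "data": fields["data"]}


if __name__ == "__main__":
    key = b"constructed-demo-secret"          # constructed value, not a real ACS secret
    pkt = build_authen_start("netadmin", key, session_id=0x1A2B3C4D)
    print("correct key:", parse_authen_start(pkt, key))
    print("wrong key body:", deobfuscate_body(pkt, b"wrong-secret").hex())
    clear = build_authen_start("netadmin", key, session_id=0x1A2B3C4D, unencrypted=True)
    print("unencrypted flag, no key:", parse_authen_start(clear, b"")["user"])
```

Because the pad depends only on the session ID, sequence number and the secret, anyone who captures the ACS-to-device traffic and can guess the secret recovers usernames and passwords offline; that is the reason for long random per-device secrets and for keeping the AAA path on a management network.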

AUTHORIZATION POLICY:
There are two phases to enforcing an authorization policy: in the first phase we define the policy elements (shell profiles and command sets), and in the second phase we apply them in the access service.

DEFINE AUTHORIZATION POLICY ELEMENTS:

CREATE SHELL PROFILE:
A shell profile sets the privilege level the user is placed in after login.
Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles -> Create

CREATE COMMAND SET:
A command set lists the commands (with their arguments) a user is permitted or denied to run.
Policy Elements -> Authorization and Permissions -> Device Administration -> Command Sets -> Create

APPLY AUTHORIZATION POLICY:
We apply the authorization policy here to enforce different access levels for different users. In the example below we created a rule named "local" that matches local users and assigns the already defined FullPrivilege shell profile together with the allow-all command set. Reserve this combination for administrators; other roles get a restricted command set.
Access Policies -> Access Services -> Create

DOMAIN JOINING:
To achieve single sign-on, ACS is joined to Active Directory so that the existing domain credentials, instead of local ACS credentials, are used to access the network devices.
Users and Identity Stores -> External Identity Stores -> Active Directory -> Join
After joining the domain we need to make some configuration changes so that only specific domain users may access the network devices.

ADD DOMAIN IDENTITY STORE:
First change the identity store used by the access service so that it includes the domain. As the diagram below shows, both the local and the domain identity store can be used (an identity store sequence tries them in order); by default only the Internal Users store is selected.

AUTHENTICATION OF DOMAIN USERS:
To restrict authentication to specific users rather than all domain users, we need to configure the identity policy.
Go to Access Policies -> Network Devices Access -> Identity and list the domain IDs of all network engineers one by one.
A more maintainable alternative is to put the engineers in a dedicated AD group, select that group under the Active Directory store's Directory Groups tab, and match it in the policy conditions, so that joiners and leavers are handled in AD instead of by editing ACS.

AUTHORIZATION OF DOMAIN USERS:
In the same way we also need to apply a specific shell profile and command set to the domain users.
Access Policies -> Network Devices Access -> Authorization

MIGRATION ACS 4.2 TO 5.8

We already had ACS 4.2 running in production; after installing ACS 5.8 we migrated the device data from 4.2 to 5.8. Migration is done with the migration utility, which runs on an ACS 4.2 Windows machine. An independent machine, the migration machine, is deployed; it reads the data from the source machine and writes it to the ACS 5.8 target machine.

Follow the procedure below to perform the migration.

1. Deploy a new independent Windows server running the same ACS 4.2 version as production; this is the migration machine.
2. Copy the configuration backup file of the existing ACS to the migration machine.
3. Download the migration utility from ACS 5.8 and copy it to the migration machine:
System Administration -> Downloads -> Migration Utility
4. Enable the migration interface on the ACS 5.8 CLI:
acs config-web-interface migration enable
5. On the Windows migration machine open a command prompt and change to the directory where the migration utility is placed:
C:\Documents and Settings\Administrator\migration\bin>
then run:
migration.bat
A script runs and asks for the different options.
- Enter the web admin username/password and follow the procedure.
6. When the migration is complete, disable the migration interface again, since it is an extra administrative entry point on ACS 5.8:
acs config-web-interface migration disable

REPORTS:
Using the Cisco ACS reports, you can review the performance and status of Cisco ACS functionality across specified time periods.

You can choose reports from these areas:
- AAA Protocol: reports about authentication, authorization, and accounting (the AAA services). These reports focus on tracking the transactions between users and Cisco ACS.
- Access Service: reports with an authentication summary per access service.
- ACS Instance: reports about the health of the Cisco ACS deployment. These reports focus on the Cisco ACS infrastructure and administration.
- Network Device: summary reports of network device authentications and of the messages sent by the device.
- User: summary reports per user.

For AAA reports follow the path below.
Monitoring and Reports -> Launch Monitoring and Report Viewer -> Reports -> AAA Reports

INTEGRATING CSM:

Add the CSM server to ACS just like a normal network device (AAA client).

At CSM:
Log in to CSM through the web interface.
Server -> AAA Mode Setup

Additionally we need to add the users locally in CSM, for authorization, with the same credentials; otherwise the user will not be able to log in using the CSM application.
Server -> Single Server Management -> Local User Setup


INTEGRATING FIRESIGHT:

Add the FireSIGHT server to ACS as a network device.
Create a rule so that only specific users can log in to FireSIGHT.

At FireSIGHT:
Configure the external authentication parameters as follows.
System -> Local -> External Authentication -> Create
The user can be associated with a specific profile as shown below.

REMOTE ACCESS VPN

The Internet-facing ASA must be added in ACS as a network device.
Create a rule to allow access to specific users only.

We need to configure an authorization profile for each user to assign the IP address and push the ACL.
Policy Elements -> Authorization Profiles

The downloadable ACL referenced by the authorization profile must be defined first.
Policy Elements -> Downloadable ACLs

After configuring the authorization profile we apply it in the authorization rules of the access service, so that this profile is associated with the particular user after successful authentication.
