Cisco ACS 5.x Use Case: Authenticating Users Against Internal Database

This is the simplest use case. We will use the topology shown below for this and some future use cases:

[Figure ucase1-1: lab topology]

Our internal network comprises the domain controller, the AAA server and the RSA SecurID AM server. On the outside network, we have two PCs for testing purposes. The whole lab is virtual, running on VMware Workstation, GNS3 and Debian Wheezy.

The requirements for this use case are simple: authenticate users against the AAA internal database when they telnet to the router.

First, we need to register R1 as an AAA client in the ACS server. Under Network Resources->Network Devices and AAA Clients click Create and fill in the basic data about our router:

[Figure ucase1-2: creating the R1 AAA client entry]

We also need to create a user. This is done under User and Identity Stores->Users->Create:

[Figure ucase1-3: creating a user in the ACS internal identity store]

That’s all for ACS. Now for the router:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$BmMz$gxszzdLeOtPwCAKmWJiCw1
!
aaa new-model
!
!
! Default login list: every line without its own list authenticates against the
! TACACS+ server group only (no local fallback in this lab)
aaa authentication login default group tacacs+
! Named list used by the console: no authentication
aaa authentication login CONSOLE_NONE none
!
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 5
!
!
interface FastEthernet0/0
ip address 11.11.11.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.168.10 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
! ACS server address and shared TACACS+ key; must match the AAA client entry in ACS
tacacs-server host 192.168.168.12 key spop123
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
! Console uses the CONSOLE_NONE list instead of the default list
login authentication CONSOLE_NONE
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
! No login authentication command here, so the default list (TACACS+) applies to telnet
line vty 0 4
!
!
end
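As an added check that is not part of the original post, the following Python script parses an IOS configuration like the one above and reports which login method list each line (con, aux, vty) actually applies, together with two things a reviewer looks for: a list containing none (no authentication at all) and a list that relies only on a server group with no local fallback, which locks administrators out if the ACS is unreachable. The embedded configuration is a constructed excerpt of R1's config, written without sub-command indentation exactly as the post shows it; the function names and finding codes are my own.

```python
import re

# Constructed sample input: the AAA-relevant lines of the R1 configuration
# shown above (sub-commands are unindented, as the post shows them).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CONSOLE_NONE none
tacacs-server host 192.168.168.12 key spop123
line con 0
exec-timeout 0 0
login authentication CONSOLE_NONE
line aux 0
exec-timeout 0 0
line vty 0 4
!
end
"""

# Methods that still work when every AAA server is unreachable.
FALLBACK_METHODS = {"local", "local-case", "enable", "line"}


def parse_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        words = m.group(2).split()
        methods, i = [], 0
        while i < len(words):
            if words[i] == "group" and i + 1 < len(words):
                methods.append("group " + words[i + 1])  # e.g. 'group tacacs+'
                i += 2
            else:
                methods.append(words[i])  # local, enable, none, ...
                i += 1
        lists[m.group(1)] = methods
    return lists


def parse_line_stanzas(config):
    """Map each 'line ...' stanza to the login method list it applies."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text[5:]
            stanzas[current] = "default"  # IOS applies the default list when none is named
        elif text in ("!", "end"):
            current = None  # stanza separator
        elif current and text.startswith("login authentication "):
            stanzas[current] = text.split()[2]
    return stanzas


def audit_login_auth(config):
    """Return (scope, issue, detail) findings about login authentication."""
    if not re.search(r"^aaa new-model$", config, re.M):
        return [("global", "no-aaa-new-model", "method lists are not in effect")]
    lists = parse_method_lists(config)
    has_tacacs_host = re.search(r"^tacacs-server host ", config, re.M) is not None
    findings = []
    for line_name, list_name in parse_line_stanzas(config).items():
        methods = lists.get(list_name)
        if methods is None:
            findings.append((line_name, "undefined-list", list_name))
            continue
        shown = f"list {list_name} = {' '.join(methods)}"
        if "none" in methods:
            findings.append((line_name, "no-authentication", shown))
        uses_group = any(m.startswith("group ") for m in methods)
        if uses_group and not (FALLBACK_METHODS & set(methods)):
            findings.append((line_name, "no-fallback",
                             shown + "; lockout if the server is unreachable"))
        if "group tacacs+" in methods and not has_tacacs_host:
            findings.append((line_name, "no-tacacs-host",
                             shown + "; no tacacs-server host configured"))
    return findings


if __name__ == "__main__":
    for scope, issue, detail in audit_login_auth(SAMPLE_CONFIG):
        print(f"{scope:8} {issue:18} {detail}")
```

For the lab configuration above the script reports that con 0 uses a none list and that both aux 0 and vty 0 4 fall through to the default list with TACACS+ only; adding local after group tacacs+ on the default list clears the second finding on a production device.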

Let’s now try to telnet to R1:

[Figure ucase1-5: telnet session to R1 authenticated by ACS]

If we recall the previous blog post and how ACS works internally, we can see which access service was chosen and why. Because R1 talks to the ACS over TACACS+, the Hit Count column under Service Selection Rules shows that Rule-2 was triggered, since it matches the protocol used (TACACS+). The Default Device Admin service is therefore selected. Under the Authorization link of the Default Device Admin service, the hit count shows that the default shell profile Permit Access was applied:

[Figure ucase1-6: Service Selection Rules hit counts]

[Figure ucase1-7: Default Device Admin authorization hit counts]

So, this is the simplest use case. In the following blog posts, we will expand this example with authorization and external user data stores.

Thanks for reading!

This entry was posted in AAA, ACS 5.x, ACS/RADIUS/TACACS, Cisco, Security.

2 Responses to Cisco ACS 5.x Use Case: Authenticating Users Against Internal Database

  1. gbories2014 says:

    Reblogged this on dnslookupfr.

  2. Pingback: Cisco ACS 5.x Use Case: Authenticating Enable Access Against AAA Server | popravak
