
ACE Remote Authentication TACACS+ and RADIUS using ACS

Sean Merrow, Application Networking Services CSE, February 2009

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Example Scenario
In this document, we will create a user called aceadmin. This user account will only have access to a context on the ACE called Cnt1. The user will be given the Admin role and put in the default-domain of the Cnt1 context. This user will not be configured as a local user on the ACE, although the ACE will check its local user database if it cannot reach the ACS (TACACS+/RADIUS server).

Topology diagram: ACS servers 130.10.0.55 and 130.10.0.56; ACE module/appliance 150.10.40.21.


ACE Remote Authentication - Agenda

1. ACE with TACACS+ using ACS
2. ACE with RADIUS using ACS
3. Network Capture Screenshots


Create the TACACS+ User on ACS


Notes on ACS User Settings

A common problem customers report after adding the shell command in the TACACS+ Settings is that although authentication works fine with the ACE, those users can no longer access their other network devices.

These customers should enter the shell command as follows:

    shell:<Context>*<Role> <Domain>
    shell:Cnt1*Admin default-domain

When the * is used, it means the attribute is optional. The = used in the previous slide means the attribute is mandatory.

The TACACS+ Settings can also be entered into the Groups on the ACS in which the user is a member. The Group settings will apply to all members, although settings entered directly in the user configuration will override the Group settings.
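The following Python is an added illustration, not part of the original deck and not Cisco code. It models the shell attribute-value pair described above: how the context, role and domain are parsed out, why the separator matters (a device that does not understand a mandatory "=" pair fails the authorization, which is the symptom customers report on their other devices, while an optional "*" pair is simply ignored), and how a user-level setting overrides the group setting for the same context. The role name Network-Monitor in the usage comments and the other sample values are constructed.

```python
import re
from dataclasses import dataclass

# Added example (not from the deck or from Cisco): a model of the "shell:" AV pair
# the ACS returns to the ACE during authorization.
#   shell:<Context><sep><Role> <Domain>
# <sep> is '=' for a mandatory AV pair or '*' for an optional one (TACACS+ AV pair
# semantics). A device that does not understand a mandatory pair treats the
# authorization as failed; it ignores an optional pair it does not understand.
_SHELL_RE = re.compile(
    r"^shell:(?P<context>[^=*\s]+)(?P<sep>[=*])(?P<role>\S+)\s+(?P<domain>\S+)$"
)


@dataclass(frozen=True)
class ShellAuth:
    context: str
    role: str
    domain: str
    mandatory: bool


def parse_shell_av(av: str) -> ShellAuth:
    """Parse one shell AV pair; raise ValueError if it is not in the expected form."""
    m = _SHELL_RE.match(av.strip())
    if m is None:
        raise ValueError(f"malformed shell attribute: {av!r}")
    return ShellAuth(m["context"], m["role"], m["domain"], mandatory=(m["sep"] == "="))


def effective_shell_avs(group_avs: list[str], user_avs: list[str]) -> dict[str, ShellAuth]:
    """Merge ACS group settings with user settings, per context.

    Group settings apply to every member; a pair entered directly on the user
    overrides the group's pair for the same context.
    """
    merged: dict[str, ShellAuth] = {}
    for av in group_avs + user_avs:  # user pairs come last, so they win
        parsed = parse_shell_av(av)
        merged[parsed.context] = parsed
    return merged


def device_outcome(av: ShellAuth, device_understands_shell: bool) -> str:
    """What a device does with the pair.

    The ACE understands 'shell:<Context>...' and applies it. A device that does
    not understand the attribute fails the authorization if the pair is
    mandatory ('=') and ignores it if the pair is optional ('*').
    """
    if device_understands_shell:
        return "apply"
    return "fail" if av.mandatory else "ignore"


if __name__ == "__main__":
    # Constructed sample values.
    for raw in ("shell:Cnt1=Admin default-domain", "shell:Cnt1*Admin default-domain"):
        av = parse_shell_av(raw)
        print(raw, "-> ACE:", device_outcome(av, True),
              "| other device:", device_outcome(av, False))
    merged = effective_shell_avs(["shell:Cnt1=Network-Monitor default-domain"],
                                 ["shell:Cnt1*Admin default-domain"])
    print("effective role in Cnt1:", merged["Cnt1"].role)
```

Running the block shows the "=" form producing "fail" on a device that does not know the attribute and the "*" form producing "ignore", while the ACE applies both; the merge call shows the user-level Admin entry replacing the group-level entry for Cnt1.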

Create the ACE TACACS+ Client on ACS

1. Source IP Address of ACE AAA Traffic. Be sure to create a second client for the Redundant ACE if necessary.
2. Key entered will also be used in the ACE configuration.
3. Specify TACACS+ Authentication.
4. Each AAA transaction will occur using a separate TCP connection. Check this box if you would like them to use a single TCP connection.


Configure TACACS+ on the ACE(s)

The global TACACS+ key is used with all servers that do not have a key of their own, such as .55 and .56. Note that .57 has a unique key defined, which will be used for that server.

    ACE-1/Cnt1# config
    ACE-1/Cnt1(config)# tacacs-server key cisco123
    ACE-1/Cnt1(config)# tacacs-server host 130.10.0.55
    ACE-1/Cnt1(config)# tacacs-server host 130.10.0.56
    ACE-1/Cnt1(config)# tacacs-server host 130.10.0.57 key password123

Create a group for the TACACS+ servers and add the member servers.

    ACE-1/Cnt1(config)# aaa group server tacacs+ acs-servers
    ACE-1/Cnt1(config-tacacs+)# server 130.10.0.55
    ACE-1/Cnt1(config-tacacs+)# server 130.10.0.56
    ACE-1/Cnt1(config-tacacs+)# exit

Configure the ACE to use the servers in this TACACS+ server group for AAA, then save the configuration.

    ACE-1/Cnt1(config)# aaa authentication login default group acs-servers local
    ACE-1/Cnt1(config)# aaa accounting default group acs-servers local
    ACE-1/Cnt1(config)# exit
    ACE-1/Cnt1# copy run start

Note that the local keyword at the end means that the local user database on the ACE is used for authentication ONLY if neither TACACS+ server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.


TACACS+ Config on the ACE(s)

Although keys are entered in clear-text, they are encrypted in the config.

    tacacs-server key 7 "fewhg123"
    tacacs-server host 130.10.0.55
    tacacs-server host 130.10.0.56
    tacacs-server host 130.10.0.57 key 7 "swwxoomi123"
    aaa group server tacacs+ acs-servers
      server 130.10.0.55
      server 130.10.0.56
    aaa authentication login default group acs-servers local
    aaa accounting default group acs-servers local


ACE with RADIUS using ACS


Create the RADIUS User on ACS Server


Create the ACE RADIUS Client on ACS

1. Source IP Address of ACE AAA Traffic. Be sure to create a second client for the Redundant ACE if necessary.
2. Key entered will also be used in the ACE configuration.
3. Specify RADIUS Authentication.


Configure RADIUS on the ACE(s)

RADIUS servers configured with per-server keys. Alternatively, a global key could be configured as shown in the TACACS+ configuration example.

    ACE-1/Cnt1# config
    ACE-1/Cnt1(config)# radius-server host 130.10.0.55 key cisco123
    ACE-1/Cnt1(config)# radius-server host 130.10.0.56 key cisco123

Create a group for the RADIUS servers and add the member servers.

    ACE-1/Cnt1(config)# aaa group server radius radius-farm
    ACE-1/Cnt1(config-radius)# server 130.10.0.55
    ACE-1/Cnt1(config-radius)# server 130.10.0.56
    ACE-1/Cnt1(config-radius)# exit

Configure the ACE to use the servers in this RADIUS server group for AAA, then save the configuration.

    ACE-1/Cnt1(config)# aaa authentication login default group radius-farm local
    ACE-1/Cnt1(config)# aaa accounting default group radius-farm
    ACE-1/Cnt1(config)# exit
    ACE-1/Cnt1# copy run start

Note that the optional local keyword at the end means that the local user database on the ACE is used for authentication ONLY if neither RADIUS server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.
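The note about the local keyword applies to both the TACACS+ method list (group acs-servers local) and the RADIUS one (group radius-farm local). The Python below is an added model of that fallback order, not ACE code: it walks the method list, hands off to the next method only when every server in the group is unreachable, and treats an explicit reject from a live server as final, so the local password is never tried after a rejection. The server addresses mirror the deck; the users, passwords and the make_groups helper are constructed.

```python
from enum import Enum

# Added example, not ACE code: a model of the method-list semantics the deck
# describes for "aaa authentication login default group <group> local".


class Answer(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"


def query_server(server: dict, username: str, password: str) -> Answer:
    """Stand-in for one TACACS+/RADIUS request. 'server' is a constructed dict:
    {"host": str, "reachable": bool, "users": {username: password}}."""
    if not server["reachable"]:
        return Answer.UNREACHABLE        # timeout: no reply at all
    if server["users"].get(username) == password:
        return Answer.ACCEPT
    return Answer.REJECT                 # explicit reject from a live server


def aaa_login(methods: list[str], groups: dict[str, list[dict]],
              local_users: dict[str, str], username: str, password: str) -> tuple[str, str]:
    """Walk the method list in order. Returns (decision, who_decided).

    A group hands off to the next method only when every server in it is
    unreachable. An explicit ACCEPT or REJECT from any reachable server is
    final, so the local database is never consulted after a rejection.
    """
    for method in methods:
        if method.startswith("group "):
            group = method.split(" ", 1)[1]
            for server in groups[group]:
                answer = query_server(server, username, password)
                if answer is Answer.UNREACHABLE:
                    continue             # try the next server in the group
                return answer.value, f"{group}:{server['host']}"
            # every server in the group timed out: fall through to the next method
        elif method == "local":
            ok = local_users.get(username) == password
            return ("accept" if ok else "reject"), "local"
        else:
            raise ValueError(f"unknown method {method!r}")
    return "reject", "no method answered"


def make_groups(acs55_up: bool, acs56_up: bool, name: str = "acs-servers") -> dict[str, list[dict]]:
    """Constructed server group using the deck's ACS addresses and a made-up ACS password."""
    acs_users = {"aceadmin": "acs-password"}
    return {name: [
        {"host": "130.10.0.55", "reachable": acs55_up, "users": acs_users},
        {"host": "130.10.0.56", "reachable": acs56_up, "users": acs_users},
    ]}


LOCAL_USERS = {"aceadmin": "local-password"}   # constructed; differs from the ACS password
METHODS = ["group acs-servers", "local"]

if __name__ == "__main__":
    for up55, up56, pw in [(True, True, "acs-password"), (True, True, "local-password"),
                           (False, True, "acs-password"), (False, False, "local-password")]:
        print(f".55 up={up55} .56 up={up56} password={pw}:",
              aaa_login(METHODS, make_groups(up55, up56), LOCAL_USERS, "aceadmin", pw))
```

The second case in the usage loop is the one operators are surprised by: both ACS servers are reachable, the user presents the password that is valid only in the local database, and the result is a reject from 130.10.0.55 rather than a local accept. The last case, both servers down, is the only path on which the local password works.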


RADIUS Config on the ACE(s)

Although keys are entered in clear-text, they are encrypted in the config.

    radius-server host 130.10.0.55 key 7 "fewhg123" authentication accounting
    radius-server host 130.10.0.56 key 7 "fewhg123" authentication accounting
    aaa group server radius radius-farm
      server 130.10.0.55
      server 130.10.0.56
    aaa authentication login default group radius-farm local
    aaa accounting default group radius-farm


Network Capture Screenshots


Configure Wireshark to Decrypt TACACS+

Edit > Preferences > TACACS+: enter the TACACS+ key.
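Wireshark can only show the request and response bodies in the following slides because it has been given the key. As an added illustration (not from the deck and not Wireshark's code), the Python below implements the TACACS+ body obfuscation from RFC 8907 section 4.5: the 12-byte header is sent in the clear, and the body is XORed with an MD5-derived pad built from the session id, the shared key, the version and the sequence number. The same operation recovers the body, which is why the capture plus the key is enough to read every packet, and why the key deserves the same handling as a password. The session id, body text and the use of the deck's key cisco123 are constructed sample values.

```python
import hashlib
import struct

# Added example, not from the deck or from Wireshark: TACACS+ body obfuscation
# (RFC 8907 section 4.5), the transform a dissector reverses once it has the key.

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body is sent in the clear
TAC_PLUS_AUTHEN = 0x01              # packet type used for the sample packet below


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad = MD5(sid|key|ver|seq) | MD5(sid|key|ver|seq|MD5_1) | ... truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so this obfuscates and recovers."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 version: int = 0xC0, ptype: int = TAC_PLUS_AUTHEN, flags: int = 0) -> bytes:
    """Assemble header + body as the ACE or the ACS would put it on the wire."""
    header = HEADER.pack(version, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + transform_body(body, session_id, key, version, seq_no)


def decode_packet(packet: bytes, key: bytes) -> dict:
    """Parse the header and recover the body, as a dissector holding the key does."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("body length does not match header")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = transform_body(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    # Constructed sample: the key from the deck's config, a made-up session id and body.
    key = b"cisco123"
    pkt = build_packet(b"constructed authentication body for aceadmin", key, session_id=0x1A2B3C4D)
    print("on the wire :", pkt[HEADER.size:HEADER.size + 16].hex(), "...")
    print("with key    :", decode_packet(pkt, key)["body"])
    print("wrong key   :", decode_packet(pkt, b"wrong-key")["body"][:16])
```

Decoding with the wrong key does not fail; it silently yields garbage, because there is no integrity check on the body. That is the behaviour you see in Wireshark when the preference holds a stale key, and it is also why a capture of AAA traffic must be protected as carefully as the key itself.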


TACACS+ Authentication Request


TACACS+ Authentication Response


TACACS+ Authorization Request

The ACE tells the ACS what context the user has logged into so it can now find out what permissions this user has in the context.


TACACS+ Authorization Response

The ACS tells the ACE what role and domain the user has for this context.


TACACS+ Accounting Update

The ACE tells the ACS the time of user login.


TACACS+ Accounting Update

The ACE tells the ACS that the aceadmin user has entered the show user- command.


TACACS+ Accounting Update

The ACE tells the ACS the exact time that the aceadmin user logged out.


RADIUS Authentication Request


RADIUS Authentication Response


RADIUS Accounting Update

The ACE tells the ACS the exact time that the aceadmin user logged in.


RADIUS Accounting Update

The ACE tells the ACS the exact time that the aceadmin user entered the show user-acc command.


RADIUS Accounting Update

The ACE tells the ACS the exact time that the aceadmin user logged out.


Helpful Resources

BU Escalation Alias
    cse-dev-ace@cisco.com
    cse-dev-aceappliance@cisco.com

Emergency S1/S2 After Hours Escalation E-page
    adbu-esc-ace@epage.cisco.com

Design and Feature Questions
    cs-ans-dc@cisco.com

ADBU
    http://wwwin.cisco.com/dss/adbu/

ANS Samples
    http://www-tac.cisco.com/~smerrow/Samples/main.html

