Cisco ACS User accounts.
I rolled out a Cisco ACS server last year when I took over as Engineer on my side of the company. It has been set up for close to a year and I have around 500 sites on it. I'm now trying to implement a NOC user account that is going to be a parser view for checking basic commands such as the VPN being up. Has anyone set this up yet? All the tutorials I have seen each do it differently and I have not gotten it to work correctly. TACACS is working fine for login authentication but I really want to start tweaking it now.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
Comments
-
EdTheLad: Yup, I've done it before.
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
-
Hondabuff: This is on my lab in GNS3. Figured I would screw it up here before I get back on my production one at work.
I will start with the router commands. This is what I have always used; do I need to add anything to my method list?
CORP-R1#sho run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa accounting exec default start-stop group tacacs+
aaa session-id common
-
EdTheLad: You need to add authorization.
-
Hondabuff: OK, added.
CORP-R1#show run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
and
CORP-R1(config-line)#authorization exec default   (under the vty lines)
-
Hondabuff: These commands got me into exec mode and skipped user mode. I'm going to document how to set this up so I can use it tomorrow.
CORP-R1#sho run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
and under the vty lines: authorization exec default
-
SteveO86: Definitely doable with authorization and maybe defining some additional privilege levels for future growth.
Stumbled upon this article some time ago
Cisco Secure ACS Shell Profiles and Command sets, How to configure Shell Profiles and Command sets in ACS
Also the logging in ACS is great; if you review some of the Authentication and Authorization logs you see what profile and command sets ACS is issuing to the users.
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
-
EdTheLad: How about you post your final config along with the ACS config image snaps and we can work from there. It's been a while since I played with TACACS; if I can't see anything glaringly obvious I can fire up my ACS and play with it later on tonight.
-
Hondabuff: Working like a champ now.
CORP-R1#telnet 10.2.76.1
Trying 10.2.76.1 ... Open
#################################################
authorized users only
#################################################
username: bbuilder
password:
CORP-R1#sho priv
CORP-R1#sho privilege
Current privilege level is 15
CORP-R1#exit
[Connection to 10.2.76.1 closed by foreign host]
CORP-R1#
CORP-R1#
CORP-R1#
CORP-R1#telnet 10.2.76.1
Trying 10.2.76.1 ... Open
#################################################
authorized users only
#################################################
username: nocuser
password:
CORP-R1#show priv
CORP-R1#show privilege
Current privilege level is 7
CORP-R1#conf t
^
% Invalid input detected at '^' marker.
CORP-R1#
-
Hondabuff: I changed my TACACS setup at work and used Solarwinds Config Mgr to push a config change for the authorize statement to 500 routers this morning, and it looks like everything was a success! Now our NOC can log into the routers and do basic show commands without bugging me. A million thanks to EdTheLad! Just made me look like a superstar to my boss!
-
d4nz1g: Check the output for show run with this account later, and make sure you are able to see every line of it.
I had to set "noc" profiles with priv 15 in order to be able to see the full output for show run, and limited this profile to have access only to show * commands, denying everything else.
Ah, using tac_plus on Linux.
-
Hondabuff: I ended up doing priv 7 for the NOC employees. I didn't want them to do a show run and see the hashes for the passwords and try to crack them.
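
The priv 7 versus "priv 15 plus a show-only command set" trade-off above comes down to what the command set actually lets through. The following is an added Python example, not code from this thread, from ACS or from tac_plus: it models first-match permit/deny evaluation of a command set (ACS command sets and tac_plus `cmd` blocks are evaluated top to bottom with a default action, here deny) and contrasts a naive `show .*` set with one that denies the configuration-revealing commands first. The two rule sets and the sample commands are constructed for the example; IOS sends the authorization request with the command already expanded, so `sh run` arrives as `show running-config` and the matcher only normalises whitespace.

```python
import re
from typing import Iterable, List, Tuple

# A rule is (action, regex). The regex must match the whole command line.
Rule = Tuple[str, str]


def authorize(command: str, rules: Iterable[Rule], default: str = "deny") -> str:
    """Return 'permit' or 'deny' for one command.

    Rules are evaluated top to bottom and the first match wins; a command
    that matches no rule gets the default action (deny, as d4nz1g describes).
    IOS sends the command fully expanded, so only whitespace is normalised.
    """
    normalized = " ".join(command.split())
    for action, pattern in rules:
        if re.fullmatch(pattern, normalized):
            return action
    return default


# Constructed "show-only" set as one might first write it: permits every show
# command, including the ones that print the configuration and its password hashes.
WEAK_NOC: List[Rule] = [
    ("permit", r"show .*"),
    ("permit", r"exit"),
]

# Constructed hardened set: same intent, configuration-revealing commands denied first.
HARDENED_NOC: List[Rule] = [
    ("deny", r"show (running|startup)-config.*"),
    ("deny", r"show tech-support.*"),      # includes the running configuration
    ("deny", r"more .*"),                  # more system:running-config and friends
    ("permit", r"show .*"),
    ("permit", r"terminal length \d+"),
    ("permit", r"exit"),
]


def evaluate(rules: Iterable[Rule], commands: Iterable[str]) -> dict:
    """Map each command to the decision a given rule set would return."""
    rules = list(rules)
    return {cmd: authorize(cmd, rules) for cmd in commands}


if __name__ == "__main__":
    # Constructed list of commands a NOC operator might type on a monitored router.
    SAMPLE = [
        "show ip interface brief",
        "show crypto session",
        "show running-config",
        "show running-config | include username",
        "show tech-support",
        "configure terminal",
        "terminal length 0",
    ]
    for name, rules in (("weak", WEAK_NOC), ("hardened", HARDENED_NOC)):
        print(f"--- {name} ---")
        for cmd, decision in evaluate(rules, SAMPLE).items():
            print(f"{decision:6} {cmd}")
```

The point of the deny-before-permit ordering is that a priv 15 shell profile with only `permit show .*` hands the NOC the very hashes the priv 7 approach was chosen to hide; with the deny rules in front, `show running-config | include username` is still refused while `show crypto session` and the other VPN checks go through.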
-
Hondabuff: So I had to go back and fix my AAA method list. The problem was that when my field techs were installing a new site and I tried to SSH into the router via the public IP, I would get a %access denied% message if the VPN tunnel was not up yet. Not a huge deal, but it means you have no access to the router until the settings are applied on the firewall. I also added an authentication banner to notify you that TACACS is not reachable and to use the local database. So now the expected behavior of the routers is: if the VPN is down and they cannot reach the ACS server, they default to the local user account on the router. If the ACS server is reachable then you get the standard MOTD and login banners. Also worth mentioning: when the router asks for a username and "username" is lowercase, TACACS is working. If it is capitalized, such as "Username", TACACS is not reachable.
CORP-R1#show run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
Also added this banner. This will display when you SSH/Telnet into the device and it can't reach the ACS server. Just a reminder to use the local username and PW.
aaa authentication banner ^C
#######################################################################
CISCO ACS SERVER OFFLINE, DEFAULTING TO LOCAL AUTHENTICATION!
#######################################################################^C
Also worth mentioning, I use Solarwinds Config Manager to change my routers. I can take a basic script like you would write in Notepad and push it out to all 500 routers that I manage. It takes about 5 minutes and it will paste the config and save to NVRAM. A great time saver, but you can also take down your whole network with a click of a mouse and there is no getting it back. I give it two thumbs up!
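
Since the method list went through three revisions across 500 routers, a check that reads `show run | sec aaa` output and flags what is missing is worth running before the next mass push. This is an added Python example, not the poster's code and not a Solarwinds feature; the finding names are its own, the first three input stanzas are the ones posted in this thread, and the fourth (with `aaa authorization commands` and `aaa accounting commands` for priv 7 and 15) is constructed to show a stanza that passes every check. The command-authorization check is there because ACS command sets are only consulted when `aaa authorization commands <level>` is configured; `aaa authorization exec` alone just assigns the privilege level from the shell profile.

```python
from typing import Dict, List


def parse_methods(tokens: List[str]) -> List[str]:
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(text: str) -> Dict:
    """Parse the 'aaa ...' lines of a 'show run | sec aaa' dump into method lists."""
    cfg = {"new_model": False, "authentication": {}, "authorization": {}, "accounting": {}}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 2 or t[0] != "aaa":
            continue
        if t[1] == "new-model":
            cfg["new_model"] = True
        elif t[1] in ("authentication", "authorization", "accounting") and len(t) >= 4:
            if t[2] == "commands" and len(t) >= 5:
                key, rest = (t[2], t[3], t[4]), t[5:]   # commands <level> <list-name>
            else:
                key, rest = (t[2], t[3]), t[4:]         # login <list-name> / exec <list-name>
            if t[1] == "accounting" and rest and rest[0] in ("start-stop", "stop-only", "wait-start", "none"):
                rest = rest[1:]                         # drop the accounting record type
            cfg[t[1]][key] = parse_methods(rest)
    return cfg


def audit_aaa(text: str) -> List[str]:
    """Return the findings for one router's AAA stanza (empty list = passes)."""
    cfg = parse_aaa(text)
    findings: List[str] = []
    if not cfg["new_model"]:
        findings.append("NO_NEW_MODEL")
    login = cfg["authentication"].get(("login", "default"), [])
    if "group tacacs+" not in login:
        findings.append("LOGIN_NOT_TACACS")
    if login and login[-1].startswith("group "):
        findings.append("LOGIN_NO_FALLBACK")               # ACS unreachable: nobody can log in
    elif "line" in login:
        findings.append("LOGIN_FALLBACK_IS_LINE_PASSWORD")  # shared vty password, not a named user
    exec_authz = cfg["authorization"].get(("exec", "default"))
    if exec_authz is None:
        findings.append("NO_EXEC_AUTHORIZATION")           # shell profile / priv level never applied
    elif exec_authz[-1].startswith("group "):
        findings.append("EXEC_AUTHZ_NO_FALLBACK")          # ACS unreachable: exec authorization fails
    if not any(k[0] == "commands" for k in cfg["authorization"]):
        findings.append("NO_COMMAND_AUTHORIZATION")        # ACS command sets are never consulted
    if not any(k[0] == "commands" for k in cfg["accounting"]):
        findings.append("NO_COMMAND_ACCOUNTING")           # only session start/stop is logged
    return findings


# The three stanzas posted in this thread, in the order they were posted.
FIRST = """
aaa new-model
aaa authentication login default group tacacs+ line
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

WITH_EXEC_AUTHZ = """
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

WITH_LOCAL_FALLBACK = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

# Constructed for this example: the final stanza plus per-command authorization and
# accounting for the privilege levels in use (7 for the NOC, 15 for the admins).
WITH_COMMAND_AUTHZ = WITH_LOCAL_FALLBACK + """
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

if __name__ == "__main__":
    for name, stanza in (("first", FIRST), ("with exec authz", WITH_EXEC_AUTHZ),
                         ("with local fallback", WITH_LOCAL_FALLBACK),
                         ("with command authz", WITH_COMMAND_AUTHZ)):
        print(f"{name:20} {audit_aaa(stanza) or 'OK'}")
```

Run against the thread's own stanzas, the checker reports the line-password fallback and the missing exec authorization on the first one, the exec authorization with no local fallback on the second (the state in which an unreachable ACS refuses the session even after a local login), and only the missing per-command authorization and accounting on the third. Feed it the text a config-management tool pulls back from each router and any box whose findings are not empty is the one that did not take the push.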