Cisco ACS User accounts.
I rolled out a Cisco ACS server last year when I took over as Engineer on my side of the company. It has been set up for close to a year and I have around 500 sites on it. I'm now trying to implement a NOC user account that is going to be a parser view for checking basic commands such as VPN being up. Has anyone set this up yet? All the tutorials I have seen each do it differently and I have not gotten it to work correctly. TACACS is working fine for login authentication but I really want to start tweaking it now.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
Comments
I will start with the router commands. This is what I have always used and do I need to add anything to my method list?
CORP-R1#sho run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa accounting exec default start-stop group tacacs+
aaa session-id common
CORP-R1#show run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
and
CORP-R1(config-line)#authorization exec default *under vty lines*
CORP-R1#sho run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
and under vty lines authorization exec default
Stumbled upon this article some time ago
Cisco Secure ACS Shell Profiles and Command sets, How to configure Shell Profiles and Command sets in ACS
Also the logging in ACS is great; if you review some of the Authentication and Authorization logs you see what profile and command sets ACS is issuing to the users.
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
CORP-R1#telnet 10.2.76.1
Trying 10.2.76.1 ... Open
#################################################
authorized users only
#################################################
username: bbuilder
password:
CORP-R1#sho priv
CORP-R1#sho privilege
Current privilege level is 15
CORP-R1#exit
[Connection to 10.2.76.1 closed by foreign host]
CORP-R1#
CORP-R1#
CORP-R1#
CORP-R1#telnet 10.2.76.1
Trying 10.2.76.1 ... Open
#################################################
authorized users only
#################################################
username: nocuser
password:
CORP-R1#show priv
CORP-R1#show privilege
Current privilege level is 7
CORP-R1#conf t
^
% Invalid input detected at '^' marker.
CORP-R1#
I had to set "noc" profiles with priv 15 in order to be able to see the full output for show run, and limited this profile to have access only to show * commands, denying everything else.
Ah, using tac_plus on linux.
CORP-R1#show run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
Also added this banner. This will display when you SSH/Telnet into the device and it can't reach the ACS server. Just a reminder to use the local username and PW.
aaa authentication banner ^C
#######################################################################
CISCO ACS SERVER OFFLINE, DEFAULTING TO LOCAL AUTHENTICATION!
#######################################################################^C
Also worth mentioning, I use SolarWinds config manager to change my routers. I can take a basic script like you would do in Notepad and push it out to all 500 routers that I manage. It takes about 5 minutes and it will paste the config and save to NVRAM. A great time saver, but you can also take down your whole network with a click of a mouse and there is no getting it back. I give it two thumbs up!
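Two things in this thread are worth pinning down with a runnable check, as an added example that is not code from any poster or from Cisco. First, every AAA section pasted above carries only "aaa authorization exec", which is what sets the privilege level you see in the "show privilege" outputs (7 for nocuser, 15 for bbuilder); IOS only consults a TACACS+ command set when an "aaa authorization commands <level>" line is also present, so a "show * only" profile built in ACS or tac_plus does nothing until that line is pushed to the routers. Second, the NOC command set itself is an ordered permit/deny list evaluated first-match with an implicit deny, in the style tac_plus and ACS use. The Python below audits a constructed copy of the posted AAA section (and the same section with command authorization added) and then evaluates a constructed NOC command set against sample commands; the config strings, rule list and command samples are all constructed for this illustration, and the rule patterns assume the router sends full command keywords in the authorization request.

```python
import re

# Constructed sample: the AAA section as posted in this thread (exec
# authorization only) and the same section with per-command authorization
# and command accounting added. Only the second one makes IOS ask the
# TACACS+ server before running each command.
EXEC_ONLY_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

COMMAND_AUTHZ_AAA = EXEC_ONLY_AAA + """\
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
"""

CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) default ", re.M)


def audit_aaa(config: str) -> dict:
    """Report which AAA pieces a config has, so a NOC-restriction rollout can
    be checked across many routers before the command set is trusted."""
    return {
        "exec_authorization": "aaa authorization exec default" in config,
        "command_authorization_levels": sorted(
            int(level) for level in CMD_AUTHZ_RE.findall(config)
        ),
        "config_commands": "aaa authorization config-commands" in config,
        "command_accounting": "aaa accounting commands" in config,
    }


def command_set_enforced(config: str) -> bool:
    """True only if the config has at least one command-authorization level."""
    return bool(audit_aaa(config)["command_authorization_levels"])


# Constructed NOC command set: ordered rules, first match wins, and anything
# that matches no rule is denied (implicit deny), as in tac_plus/ACS.
# Patterns are full-line regexes, so "show( .*)?" permits "show" and any
# "show ..." line but not a command that merely starts with the letters
# s-h-o-w (e.g. a hypothetical "showme").
NOC_COMMAND_SET = [
    ("permit", r"show( .*)?"),
    ("permit", r"exit"),
    ("deny", r".*"),
]


def authorize(command_set, command: str) -> bool:
    """Evaluate one command line against the ordered permit/deny rules."""
    cmd = " ".join(command.split())  # collapse repeated whitespace
    for action, pattern in command_set:
        if re.fullmatch(pattern, cmd):
            return action == "permit"
    return False  # implicit deny


def evaluate_session(command_set, commands) -> dict:
    """Map each command of a session to its permit/deny decision."""
    return {c: authorize(command_set, c) for c in commands}


if __name__ == "__main__":
    for name, cfg in (("exec-only", EXEC_ONLY_AAA), ("with-commands", COMMAND_AUTHZ_AAA)):
        print(name, audit_aaa(cfg), "enforced:", command_set_enforced(cfg))
    sample = [
        "show running-config | section aaa",
        "show privilege",
        "show",
        "configure terminal",
        "showme",
        "exit",
    ]
    for cmd, ok in evaluate_session(NOC_COMMAND_SET, sample).items():
        print(f"{'permit' if ok else 'deny  '} {cmd}")
```

Running the audit over a directory of pulled configs is the quick way to find which of the 500 routers still only have exec authorization; the command-set evaluator is a bench check for the rule order before it goes into the ACS profile, since a "deny .*" placed above the show rule silently blocks everything.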