Cisco ACS User accounts.

Hondabuff

I rolled out a Cisco ACS server last year when I took over as Engineer on my side of the company. It has been setup for close to a year and I have around 500 sites on it. I'm now trying to implement a NOC user account that is going to be a parser view for checking basic commands such as vpn being up. Has any one set this up yet? All the tutorials I have seen each do it different and I have not gotten it to work correctly. Tacacs is working fine for login authentication but I really want to start tweaking it now.

EdTheLad

Yup, i've done it before.

Hondabuff

This is on my lab in GNS3. Figure I would screw it up here before get back on my production one at work.

I will start with the router commands. This is what I have always used and do I need to add anything to my method list?

CORP-R1#sho run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa accounting exec default start-stop group tacacs+
aaa session-id common

EdTheLad

You need to add authorization.

Hondabuff

Ok Added.

CORP-R1#show run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common


and

CORP-R1(config-line)#authorization exec default *under vty lines*

Hondabuff

These commands got me into to exe mode and skipped user mode. I'm going to document how to set this up so I can use it tomorrow.
CORP-R1#sho run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common

and under vty lines authorization exec default

SteveO86

Definitely do-able with authorization and maybe defining some additional privilege levels for future growth.

Stumbled upon this article some time ago

Cisco Secure ACS Shell Profiles and Command sets, How to configure Shell Profiles and Command sets in ACS

Also the logging in ACS is great, if you review some of the Authentication and Authorization logs you see what profile and commands sets ACS is issues the users.

EdTheLad

How about you posting your final config along with the ACS config image snaps and we can work from there. It's been a while since i played with tacacs, if i cant see anything glaringly obvious i can fire up my ACS and play with it later on tonight.

Hondabuff

Working like a champ now.

CORP-R1#telnet 10.2.76.1
Trying 10.2.76.1 ... Open
#################################################
authorized users only
#################################################
username: bbuilder
password:
CORP-R1#sho priv
CORP-R1#sho privilege
Current privilege level is 15
CORP-R1#exit
[Connection to 10.2.76.1 closed by foreign host]
CORP-R1#
CORP-R1#
CORP-R1#
CORP-R1#telnet 10.2.76.1
Trying 10.2.76.1 ... Open
#################################################
authorized users only
#################################################
username: nocuser
password:
CORP-R1#show priv
CORP-R1#show privilege
Current privilege level is 7
CORP-R1#conf t
^
% Invalid input detected at '^' marker.
CORP-R1#

Hondabuff

I changed my Tacacs setup at work and used Solarwinds Config Mgr to push a config change for the authorize statement to 500 Routers this morning and looks like everything was a success! Now our NOC can log into the routers and do basic show commands with out bugging me. A million thanks to EdTheLad! Just made me look like a superstar to my boss!

d4nz1g

Check the output for show run with this account later, and make sure if you are able to see every line of it.

I had to set "noc" profiles with priv 15 in order to be able to see the full output for show run, and limited this profile to have access only to show * commands, denying everything else.

Ah, using tac_plus on linux.

Hondabuff

I ended up doing Priv 7 for the NOC employees. I didn't want them to do a show run and see the hash for the passwords and try and crack them.

Hondabuff

So I had to go back and fix my AAA method list. Problem was that when my field techs were installing a new site and I try to SSH into the router with the public IP, I would get a %access denied% message if the VPN tunnel was not up yet. Not a huge deal but it makes you not have access to the router until I applied the settings on the fire wall. Also added a authentication banner to notify you that Tacacs is not reachable and to use the Local database. So now the expected behavior of the routers are if the VPN is down and they cannot reach the ACS server it will default to the local user account on the router. If the ACS server is reachable then you get the Standard motd and login banners. Also worth mentioning is when the router asks for username and username is lowercase, Tacacs is working. If username is capital such as Username, Tacacs is not reachable.

CORP-R1#show run | sec aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common

Also added this banner. This will display when you SSH/Telnet into the device and it can't reach the ACS server. Just a reminder to use the local username and PW.

aaa authentication banner ^C
#######################################################################
CISCO ACS SERVER OFFLINE, DEFAULTING TO LOCAL AUTHENTICATION!
#######################################################################^C

Also worth mentioning, I use Solarwinds config manager to change my routers. I can take a basic script like you would do in notepad and Push it out to all 500 routers that I mange. Takes about 5 minutes and it will paste the config and save to nvram. A great time saver but you can also take down your whole network with a click of a mouse and there is no getting it back. I give it two thumbs up!