Cisco ACS User accounts.

Hondabuff Posts: 667, Member
I rolled out a Cisco ACS server last year when I took over as Engineer on my side of the company. It has been set up for close to a year and I have around 500 sites on it. I'm now trying to implement a NOC user account that is going to be a parser view for checking basic commands such as the VPN being up. Has anyone set this up yet? All the tutorials I have seen each do it differently and I have not gotten it to work correctly. Tacacs is working fine for login authentication but I really want to start tweaking it now.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln

Comments

  • EdTheLad Posts: 2,112, Member
    Yup, I've done it before.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • Hondabuff Posts: 667, Member
    This is on my lab in GNS3. Figure I would screw it up here before I get back on my production one at work.

    I will start with the router commands. This is what I have always used and do I need to add anything to my method list?

    CORP-R1#sho run | sec aaa
    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa accounting exec default start-stop group tacacs+
    aaa session-id common
  • EdTheLad Posts: 2,112, Member
    You need to add authorization.
  • Hondabuff Posts: 667, Member
    Ok Added.

    CORP-R1#show run | sec aaa
    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authorization exec default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa session-id common


    and

    CORP-R1(config-line)#authorization exec default *under vty lines*
  • Hondabuff Posts: 667, Member
    These commands got me into exec mode and skipped user mode. I'm going to document how to set this up so I can use it tomorrow.
    CORP-R1#sho run | sec aaa
    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authorization exec default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa session-id common

    and under vty lines authorization exec default
  • SteveO86 Posts: 1,423, Member
    Definitely do-able with authorization and maybe defining some additional privilege levels for future growth.

    Stumbled upon this article some time ago

    Cisco Secure ACS Shell Profiles and Command sets, How to configure Shell Profiles and Command sets in ACS

    Also the logging in ACS is great; if you review some of the Authentication and Authorization logs you see what profile and command sets ACS is issuing the users.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • EdTheLad Posts: 2,112, Member
    How about you posting your final config along with the ACS config image snaps and we can work from there. It's been a while since I played with tacacs; if I can't see anything glaringly obvious I can fire up my ACS and play with it later on tonight.
  • Hondabuff Posts: 667, Member
    Working like a champ now.

    CORP-R1#telnet 10.2.76.1
    Trying 10.2.76.1 ... Open
    #################################################
    authorized users only
    #################################################
    username: bbuilder
    password:
    CORP-R1#sho priv
    CORP-R1#sho privilege
    Current privilege level is 15
    CORP-R1#exit
    [Connection to 10.2.76.1 closed by foreign host]
    CORP-R1#
    CORP-R1#
    CORP-R1#
    CORP-R1#telnet 10.2.76.1
    Trying 10.2.76.1 ... Open
    #################################################
    authorized users only
    #################################################
    username: nocuser
    password:
    CORP-R1#show priv
    CORP-R1#show privilege
    Current privilege level is 7
    CORP-R1#conf t
    ^
    % Invalid input detected at '^' marker.
    CORP-R1#
  • Hondabuff Posts: 667, Member
    I changed my Tacacs setup at work and used Solarwinds Config Mgr to push a config change for the authorize statement to 500 Routers this morning and looks like everything was a success! Now our NOC can log into the routers and do basic show commands without bugging me. A million thanks to EdTheLad! Just made me look like a superstar to my boss!
  • d4nz1g Posts: 464, Member
    Check the output for show run with this account later, and make sure you are able to see every line of it.

    I had to set "noc" profiles with priv 15 in order to be able to see the full output for show run, and limited this profile to have access only to show * commands, denying everything else.

    Ah, using tac_plus on linux.
  • Hondabuff Posts: 667, Member
    I ended up doing Priv 7 for the NOC employees. I didn't want them to do a show run and see the hash for the passwords and try and crack them.
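    The two layouts discussed in the last few posts (d4nz1g's priv 15 plus show-only command set, and Hondabuff's worry that a show-only account can still read the password hashes out of the configuration) can be compared with a small model of an ordered permit/deny command set. This is an added example, not code from the thread, from Cisco ACS or from tac_plus: the `Rule` type, the regex patterns and the first-match, default-deny evaluation are my own simplification of how command sets are usually described, and the probe commands are constructed. It assumes the device asks the AAA server about the fully expanded command (`show running-config`, not `sho run`).

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    pattern: str  # regex tested against the expanded command line


def evaluate(command: str, rules: list[Rule], default: str = "deny") -> str:
    """First matching rule wins; if nothing matches, the default applies.

    The command is assumed to arrive fully expanded (IOS expands
    abbreviations before it asks the AAA server), so patterns match whole
    keywords. Whitespace is collapsed so 'show  ip  route' and
    'show ip route' are judged alike.
    """
    normalized = " ".join(command.strip().split())
    for rule in rules:
        if re.search(rule.pattern, normalized):
            return rule.action
    return default


# d4nz1g's layout: the shell profile grants privilege 15 so 'show' output is
# complete, and the command set permits only 'show ...'. Everything else
# (configure, more, copy, debug, ...) falls to the default deny.
NOC_SHOW_ONLY = [
    Rule("permit", r"^show\b"),
]

# Hondabuff's concern: a show-only account can still read the configuration
# and the password hashes in it. This variant refuses the commands that dump
# the configuration before permitting the rest of 'show'. 'show tech-support'
# is refused because its output embeds the running configuration.
NOC_SHOW_NO_CONFIG = [
    Rule("deny", r"^show\s+(running-config|startup-config|configuration)\b"),
    Rule("deny", r"^show\s+tech-support\b"),
    Rule("deny", r"^show\s+archive\s+config\b"),
    Rule("permit", r"^show\b"),
]

# Constructed probes: commands a NOC operator might type, after expansion.
PROBES = [
    "show ip interface brief",
    "show crypto session",
    "show running-config",
    "show tech-support",
    "configure terminal",
    "more system:running-config",
]


def decisions(rules: list[Rule]) -> dict[str, str]:
    """Evaluate every probe under one rule set, as a quick profile review."""
    return {cmd: evaluate(cmd, rules) for cmd in PROBES}


if __name__ == "__main__":
    for name, rules in (("show-only", NOC_SHOW_ONLY),
                        ("show-only, no config dump", NOC_SHOW_NO_CONFIG)):
        print(f"== {name}")
        for cmd, verdict in decisions(rules).items():
            print(f"  {verdict:6}  {cmd}")
```

    Run it and the two tables differ only on the configuration-dumping commands; `more system:running-config` is refused under both because nothing permits `more`, which is the point of keeping the default at deny rather than permitting "anything not listed".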
  • Hondabuff Posts: 667, Member
    So I had to go back and fix my AAA method list. Problem was that when my field techs were installing a new site and I tried to SSH into the router with the public IP, I would get a %access denied% message if the VPN tunnel was not up yet. Not a huge deal but it makes you not have access to the router until I applied the settings on the firewall. Also added an authentication banner to notify you that Tacacs is not reachable and to use the Local database. So now the expected behavior of the routers is: if the VPN is down and they cannot reach the ACS server it will default to the local user account on the router. If the ACS server is reachable then you get the standard motd and login banners. Also worth mentioning is when the router asks for username and username is lowercase, Tacacs is working. If username is capital such as Username, Tacacs is not reachable.

    CORP-R1#show run | sec aaa
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa session-id common

    Also added this banner. This will display when you SSH/Telnet into the device and it can't reach the ACS server. Just a reminder to use the local username and PW.

    aaa authentication banner ^C
    #######################################################################
    CISCO ACS SERVER OFFLINE, DEFAULTING TO LOCAL AUTHENTICATION!
    #######################################################################^C

    Also worth mentioning, I use Solarwinds config manager to change my routers. I can take a basic script like you would do in notepad and push it out to all 500 routers that I manage. Takes about 5 minutes and it will paste the config and save to nvram. A great time saver but you can also take down your whole network with a click of a mouse and there is no getting it back. I give it two thumbs up!
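    Before pushing a method list to 500 routers, it is worth checking the `show run | sec aaa` text for the three things this thread ran into: no exec authorization (so the ACS shell profile is never applied), no `local` fallback (lockout when the VPN is down and ACS is unreachable), and `line` as the fallback (the shared vty password rather than a named account). The following audit is an added example, not from the thread or from Solarwinds; the two sample configs are the ones posted above, copied verbatim, and the parsing rules and finding text are my own.

```python
from __future__ import annotations

import re

# Constructed sample: the method list as first posted in the thread (no exec
# authorization, 'line' as the fallback method).
ORIGINAL_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

# Constructed sample: the method list the thread ended with.
FINAL_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

# Non-'group' method keywords this audit recognises.
KNOWN_METHODS = {"local", "local-case", "line", "enable", "none", "if-authenticated"}

LIST_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+|accounting exec)"
    r" (\S+) (.*)$"
)


def parse_method_lists(config: str) -> dict[str, list[str]]:
    """Map e.g. 'authentication login default' to its ordered method list.

    IOS tries methods in the order written, so the order is preserved.
    Record types such as 'start-stop' on accounting lines are skipped.
    """
    lists: dict[str, list[str]] = {}
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens = rest.split()
        methods: list[str] = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            elif tokens[i] in KNOWN_METHODS:
                methods.append(tokens[i])
                i += 1
            else:
                i += 1
        lists[f"{kind} {name}"] = methods
    return lists


def audit(config: str) -> list[str]:
    """Return findings for the 'show run | sec aaa' text, worst first."""
    findings: list[str] = []
    lists = parse_method_lists(config)

    login = lists.get("authentication login default")
    if login is None:
        findings.append("no 'aaa authentication login default' list found")
    else:
        if "none" in login:
            findings.append("login can fall through to 'none' (no authentication)")
        if "line" in login:
            findings.append("login falls back to the shared line password; prefer 'local' "
                            "so the fallback is a named account")
        if not ({"local", "local-case"} & set(login)):
            findings.append("no local fallback: lockout when no TACACS+ server is reachable")

    exec_authz = lists.get("authorization exec default")
    if exec_authz is None:
        findings.append("no exec authorization: the ACS shell profile (privilege level) "
                        "is never applied")
    elif "none" in exec_authz:
        findings.append("exec authorization can fall through to 'none'")

    if not any(k.startswith("authorization commands") for k in lists):
        findings.append("no command authorization: ACS command sets are not enforced, "
                        "restriction relies on privilege levels alone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_AAA), ("final", FINAL_AAA)):
        print(f"== {label}")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

    Against the first config it reports the `line` fallback, the missing local fallback and the missing exec authorization; against the final one only the absence of command authorization remains, which is a note rather than a defect here since the NOC restriction in this thread is done with the privilege 7 shell profile rather than ACS command sets.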