How to lab ACS
zrockstar
Member Posts: 378
How are you guys doing your ACS labs? I couldn't find any way to get the Windows client from Cisco other than buying an ACS server. Any ideas?
Comments
-
spiderjericho Registered Users, Member Posts: 896
Good question. I ran into the same problem when I was studying CCNA Security (and doing the labs, I stopped after the fourth chapter). Cisco doesn't, to my limited knowledge, offer ACS evaluations. The only other way to get exposed to it is through wandering the ethereal.
I can say, based on my experience, focus on the concepts of AAA, the two types of offerings, the Cisco products, etc. I'd definitely try to see if you can set up a RADIUS server (I didn't do the lab, so beats me on free offerings).
-
dover Member Posts: 184
Cisco does offer a downloadable evaluation version of ACS for Windows but you have to have a valid service contract in order to download. So not much help there unless you know someone that has one or want to buy a qualifying Cisco product and throw in SmartNET. I had one from buying a 5505 ASA that I was able to use for labbing for the CCNA Sec.
From Cisco:
Q. Are evaluation copies of Cisco Secure ACS for Windows available?
A. Yes. You can download a 90-day trial version of Cisco Secure ACS from Cisco Secure Access Control System - Products & Services - Cisco Systems. Customers are encouraged to work with a Cisco sales representative if they would like to order a copy of the evaluation.
-
zrockstar Member Posts: 378
Thanks for your replies guys. Yeah Jericho, I definitely understand. I am on chapter 7 right now and am getting a little discouraged since building a security lab looks like it is going to cost thousands of dollars which I don't have right now.
Dover, do you know if you buy used gear if that still gets you in the system? Sorry, I did run across that option on the web when I was searching, but not having an account I just passed it by.
-
spiderjericho Registered Users, Member Posts: 896
It would require a Smartnet contract. Normally if you're buying a new piece of gear, you'll get it, as it's your warranty and service contract with Cisco.
I'm thinking of CCNP Security and contemplating buying two ASA 5505 (hopefully, they come with 8.4 OS).
And it really isn't hard. I passed the test (now take this with a grain of salt...as I passed barely) without really labbing like I said. And the stuff I got hung up on were the Zone Based firewall questions.
Now, they've obviously revised the curriculum/certificate recently, but just do all the labs you can do. GNS3 will get you most of the way. Packet Tracer works for some. And don't worry about ACS. Just look for screen shots or commit them to memory. But I would recommend setting up a RADIUS server so the concept and the commands to set it up are familiar to you.
It really isn't a bad exam when compared to CCDA or CCNA Voice (I have no experience with Service Provider or Wireless).
-
btowntech Member Posts: 198
If you really need to know more about Cisco ACS try looking at Cisco Access Control Security: AAA Administration Services. It walks you through setting it up and has plenty of screenshots. Came in handy for configuring our ACS at work.
BS - Information Technology; AAS - Electro-Mechanical Engineering
-
zrockstar Member Posts: 378
Thanks guys. I am new to server operations (I start those classes next month), but can I achieve the same AAA authentication through the RADIUS role on Server 2008? I do have a student copy of that I can run in GNS3.
-
dover Member Posts: 184
Z,
Nah, used gear doesn't get you any warranty/smartnet access.
You can definitely use 2008's NPS (Network Policy Server) for your RADIUS-based AAA. It actually works great! The only thing you'll really want to have ACS for is practice setting up TACACS+ server groups and configuring authentication and doing things like setting CLI command authorization. I prefer RADIUS and the ACS interface is very clunky and not very intuitive. If you really dig into RADIUS you can do just about everything you can do with ACS like configuring downloadable per-user ACLs and things - it's just a little more challenging.
Spiderjericho, I bought an ASA 5505 thinking that would be my main tool to study for the 642-618 Firewall exam....I was disappointed. There is so much that is not available with the 5505 and the configs are going to be much different.
Don't get me wrong, I love the 5505 and I'm using it as my router/firewall at home but to really do most of the firewall configs and labs you need to have a 5510 or higher (and preferably two). Definitely look into GNS3 and getting an ASA up and running in QEMU - that way you can actually configure active/active failover and multiple-context firewalls without having to spend thousands of dollars on lab equipment.