Chapter 4: Getting Familiar with ACS 5.1
Excerpt from AAA Identity Management Security.By Vivek Santuka, Premdeep Banga, and Brandon J. Carroll Published by Cisco Press ISBN-10: 1-58714-144-2 ISBN-13: 978-1-58714-144-7 |
This chapter covers the following subjects:
Navigating the ACS 5.1 Graphical User Interface
Adding Network Groups and Devices
Adding Users to Internal Repositories
Policy Elements and Access Services
Monitoring and Reports
Using the ACS Command-Line Interface
ACS 5.1 has a completely different user interface from ACS 4.2. Throughout the course of this chapter you will become familiar with the GUI and know where different functions are located. If this is your first time using ACS 5.1, it is important to take the time to learn how to navigate the interface.
The GUI is broken into two frames. You access different menu items on the left side frame (Navigation Pane) and perform configuration in the right side frame (Content Area). The Monitoring and Reports section is the only exception to this. After you launch the Monitoring and Reports Viewer, a new browser window opens. This new window has a layout similar to the original window but contains menu items related to monitoring and reporting. The left side menu is divided further into drop-down menus or drawers. Click on a drawer to expand it and see a list of options. The available drawers are as follows:
My Workspace
Network Resources
Users and Identity Stores
Policy Elements
Access Policies
Monitoring and Reports
System Administration
My Workspace
The My Workspace drawer contains:
Welcome Page
Task Guide
My Account
Welcome Page
The Welcome Page appears when you log in to ACS and provides links to information and shortcuts to some common tasks. Figure 4-1 shows the Welcome Page.
Welcome Page
Clicking on the links below the Getting Started section on the Welcome Page creates a new frame in the Content Area. This new frame provides help on how to get started with ACS and contains shortcuts to the initial tasks.
Clicking on any other link in the Welcome Page will open a new window containing the help section. ACS 5.1 has a comprehensive help section and can be accessed using the Help link in the top-right corner of the ACS GUI.
Task Guide
The Task Guide has three menu items:
Quick Start
Initial System Setup
Policy Setup Steps
These items are shortcuts for the links under the Getting Started section on the Welcome Page.
My Account
My Account provides general information regarding the ACS GUI account and assigned roles, and enables you to change the password of your ACS administrator account. No other changes to the account can be made from this section. See Chapter 15, “ACS 5.1 Advanced Configuration,” for information on editing and adding GUI administrator accounts. Figure 4-2 shows the My Account pane.
My Account
Network Resources
AAA clients and external RADIUS servers are defined within this drawer. When ACS receives an AAA request from a network device, it searches the network device repository to find an entry with a matching IP address. If a match is not found, the request will be rejected.
This drawer has four menu items:
Network Device Groups
Network Devices and AAA Clients
Default Network Device
External RADIUS Servers
Network Device Groups
AAA clients in the ACS repository can be assigned to Network Device Groups (NDGs). NDGs are logical grouping of devices—for example, by Location or Type—which can be used in policy conditions. For example, all routers in the San Jose location can be assigned a single policy. NDGs simplify creating policies and managing device repository.
NDGs are defined under a hierarchical structure called a Device Group Hierarchy. Each device group hierarchy has a root node under which NDGs are defined. For example, Location and Device Type groups are predefined. The root node of the Location group is All Locations. New NDGs can be created under All Locations. These NDGs can further have other NDGs as child nodes. Figure 4-3 shows a sample hierarchy created under the Locations group. Notice how the NDGs are created countrywise, statewise, or citywise.
Hierarchical Structure of NDGs
A maximum of 12 hierarchical groups can be created and each group can have a maximum of six nodes including the root node.
Note - The two hierarchical groups provided—Location and Device Types—cannot be deleted or modified. This leaves 10 groups that can be added.
Clicking on the Network Device Groups menu item will display the existing groups in the Content Area as shown in Figure 4-4. The groups also appear as individual submenu items in the Navigation Pane under Network Device Groups. Click on a group name in the Content Area to edit it. New groups can be created by clicking on the Create button or the Duplicate button.
Network Device Groups
To create a group, follow these steps:
Step 1. | Select Network Resources > Network Device Groups. The Network Device Groups page appears as shown in Figure 4-4. |
Step 2. | Click Create. The Hierarchy - General Page appears in the Content Area. Figure 4-5 shows this page. |
Step 3. | Enter a name; for this example, use Routers. |
Step 4. | (Optional) Enter a description. |
Step 5. | Enter a root node name. For this example, use All Routers. Remember that this is any name that refers to all the NDGs and devices in this group. |
Step 6. | Click Submit to create the group. The group Routers now appears in the Navigation Pane as a submenu item under the Network Device Group menu item. |
Creating a Network Device Group
Clicking on the group name, Routers, in the Navigation Page will open the Network Device Groups page in the Content Area. Because the group is new, only the root node All Routers will be displayed. This page is similar to the one shown in Figure 4-3. You can add NDGs to the Routers group from this page. To do so, follow these steps:
Step 1. | Click Create. |
Step 2. | Enter a name for the group; for our example, use Core Routers. |
Step 3. | (Optional) Enter a description. |
Step 4. | The root node, All Routers, is already selected in the Parent field. If other NDGs existed in the Routers group, you could have clicked on Select to see them and select a different parent node. |
Step 5. | Click Submit to create the NDG. Core Routers is now visible under the root node in the Network Device Groups page. |
Network Devices and AAA Clients
It is important to remember that a device should be in the ACS repository before AAA requests from that device will be accepted. The Network Devices and AAA Clients menu item shows the repository and enables you to manage the devices. Along with the name and address, the page displays the NDG that the device belongs to. You can use the filter option to search for devices. This page is shown is Figure 4-6. To add an AAA client to the ACS database and enable communications using the TACACS+ or RADIUS protocols, you use the following steps:
Step 1. | Select Network Resources > Network Devices and AAA Clients. |
Step 2. | Click Create. Figure 4-6 shows the Create Network Device page. |
Step 3. | Enter the hostname of the AAA client, or if this is going to be a group of devices, enter a name that makes it easily recognizable. For this example, use Router1. |
Step 4. | (Optional) Enter a description. |
Step 5. | All device groups configured in ACS are shown and their root nodes are selected. Click Select next to the group you want to change to display the Network Device Groups selection box. Click the radio button next to the desired Network Device Group and click OK. For this example, select the San Jose and Core Routers from the Location and Routers groups. |
Step 6. | A device definition can represent a single or multiple devices. Select Single IP Address or IP Range as required. Selecting IP Range will display options for configuring a mask with the IP address. You can add multiple entries for the range. For this example, use a 192.168.1.0 address with a mask of 24. |
Step 7. | Select TACACS+ and/or RADIUS and enter the shared secret. You have the option of selecting both protocols for a device. For this example, select TACACS+ and enter Cisco as the shared secret. |
Step 8. | Click Submit The device is now listed in the Network Devices and AAA Clients page as shown in Figure 4-7. |
Adding a New AAA Device
Network Devices and AAA Clients
Note - The number of devices that you can add in ACS depends on the license type. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
Default Network Device
As mentioned previously, a device needs to be in the ACS repository before AAA requests will be accepted from it. There is an exception to this rule. You can configure a default network device. If a request comes from a device that does not specifically exist in the repository, ACS will use the default device profile. In the default network device definition, you provide a shared secret key, network device group, and the protocol(s) to be used. To configure the default network device, follow these steps:
Step 1. | Select Network Resources > Default Network Device. The Default Network Device page appears. Figure 4-8 shows this page. |
Step 2. | Select Enabled from the drop-down list next to Default Network Device Status. |
Step 3. | Click Select next to the device groups that you want to modify. For our example, select San Jose NDG from the Locations Group. |
Step 4. | Select TACACS+ or RADIUS and enter the shared secret for the protocols. You can select one or both the protocols. For this example, select both the protocols and use Cisco as the shared secret. |
Step 5. | Click Submit. |
Default Network Device
External RADIUS Servers
ACS 5.1 can function both as a RADIUS server and a RADIUS proxy server. When it acts as a proxy server, ACS receives authentication and accounting requests from the AAA client and forwards them to the external RADIUS server. ACS accepts the results of the requests and returns them to the client. You must configure the external RADIUS servers in ACS to enable ACS to forward requests to them. You can configure multiple external RADIUS servers. To add a server, follow these steps:
Step 1. | Select Network Resources > External RADIUS Servers. The External RADIUS Servers page appears with a list of configured servers. |
Step 2. | Click Create. The Create Server page appears as shown in Figure 4-9. |
Step 3. | Enter a name for the server. For this example, use External1. |
Step 4. | (Optional) Enter a description. |
Step 5. | Enter the server IP address. For this example, use 192.168.1.40. |
Step 6. | Enter the shared secret. This secret is used to encrypt the RADIUS request between ACS and the external server. For this example, use Cisco. |
Step 7. | Click Advanced Options. |
Step 8. | Verify the authentication and accounting ports. By default, ports 1812 and 1813 are used. If the external server uses other ports, enter them in the respective fields. This example leaves the ports set to the default values. |
Step 9. | Verify the server timeout value. By default, five seconds timeout period is used. If the server fails to respond in that period, the server will resend the request as many times as specified in the Connection Attempts field. You can specify a timeout value of 1 to 120 seconds. For this example, specify 10 seconds. |
Step 10. | Verify the connection attempts value. By default, ACS will attempt to connect to the external server three times. You can configure ACS to attempt up to 10 times to connect to the external server. For this example, specify five attempts. |
Step 11. | Click Submit. |
Adding an External RADIUS Server
Users and Identity Stores
To authenticate and authorize a user or host, ACS uses the user definitions stored in identity stores. There are two types of identity stores:
Internal Identity Stores: Identity stores that ACS maintains locally are called internal identity stores. ACS maintains two different internal identity stores for user and host records. These stores are accessible from the Internal Identity Stores menu item in the Users and Identity Stores drawer.
External Identity Stores: Identity stores that reside outside of ACS are called external identity stores (or external user databases in earlier versions of ACS). Each external identity store requires certain configuration before ACS can obtain information from it. The External Identity Stores menu item under the Users and Identity Stores drawer can be used to configure these stores.
In this chapter, you add a user and a host to the internal identity stores. External identity stores are discussed in Chapter 5, “Configuring External Databases with ACS.”
Before adding a user or host, you should know about identity groups and how to add them.
Identity Groups
Identity groups, as the name suggests, are groups of users or hosts. As in ACS 4.2, users and hosts can be put in a group to apply a uniform policy on them.
Note - A key point to remember is that ACS 4.2 is a group-based server, whereas ACS 5.1 is a policy-based server. This means that users and groups in ACS 5.1 do not have reply attributes configured in their profile. Reply attributes are derived from policy evaluation.
Identity groups are defined in a hierarchical structure like the NDGs. All Groups is the root of this hierarchy.
To create an identity group, follow these steps: