Cisco ACS – Basic Setup

Start to Finish Setup of Cisco ACS (version 5.5 was used). Including n00b-status group and MAC Auth Bypass (MAB). Active Directory look-up will be added later. 😉

Initial Setup

1. Load VM image or ISO to appliance
2. Follow setup prompts – document the password!

Upgrading Cisco ACS

1. Login to the CLI with acsadmin
2. Create a repository

   repository temp
   url ftp://192.168.1.100/
   user admin password plain (FTP PASSWORD)

3. Start the upgrade

   acs patch install 5-5-0-46-11.tar.gpg repository temp

TACACS Setup

1. Log into ACS with acsadmin
2. Set Login Banner under “My Workspace > Login Banner”
3. Set Login Prompts under “System Administration > Configuration > Global System Options > TACACS+ Settings”
   1. Change Username / Password Prompts to “ACS Username” and “ACS Password”
4. Create Locations under “Network Resources > Network Device Groups > Location”
5. Create Device Types under “Network Resources > Network Device Groups > Device Type”
   1. Create a “Switch” device type.
6. Create Device under “Network Resources > Network Device Groups > Network Devices and AAA Clients”
   1. Select proper location and device type
   2. Input TACACS info
7. Create Identity Group under “Users and Identity Stores > Identity Group”
   1. Create one named “Local Device Admin”
   2. Create one named “Noob Status” for optional future use in restricting commands
8. Create Users under “Users and Identity Stores > Internal Identity Stores > Users”
   1. Assign to identity group
9. Create Shell Profile under “Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles”
   1. For name, be descriptive (PRIV15_MAX15)
   2. Under common tasks tab
      1. Default privilege – static, value – 15
      2. Max privilege – static, value – 15
10. Create Access Service under “Access Policies > Access Services”
    1. Create one for device admin called “DEVICE-ADMIN”
    2. Choose “User Selected Service Type” and “Device Administration” from the drop-down
    3. Only Check “Identity” and “Authorization”
    4. Click Next
    5. Uncheck Process Host Lookup
    6. Check only PAP/ASCII
    7. Choose Yes to modify Service Selection Policy – This takes you to the Service Selection rule page
    8. Click Create
    9. Check Protocol and match TACACS
    10. Choose “DEVICE-ADMIN” for the Service
11. Modify Authorization Policy Under “Access Policies > Access Services > DEVICE-ADMIN > Authorization”
    1. Click “Customize”
    2. Remove “Compound Condition”
    3. Add “Protocol” and “Identity Group”
    4. Remove “Command Sets”
    5. Click OK
    6. Click Create
    7. Choose TACACS for “Protocol”
    8. Choose “Local Device Admin” for “Identity Group”
    9. Click “Default” and modify the default rule to “DenyAccess”

Switch Configuration

1. TACACS Config
   1. 3750/3850 etc.

      ip tacacs source-interface [SOURCE INTERFACE]
      tacacs-server host [ACS SERVER IP]
      tacacs-server key [TACACS SHARED KEY]
      no tacacs-server directed-request
      aaa new-model
      !aaa group server tacacs+ ACS1
      ! server [ACS SERVER IP]aaa authentication login default group tacacs+ local
      aaa authentication enable default group tacacs+ enable
      aaa authorization exec default group tacacs+ if-authenticated
      aaa accounting update newinfo
      aaa accounting exec default start-stop broadcast group tacacs+
      aaa accounting commands 1 default start-stop broadcast group tacacs+
      aaa accounting commands 15 default start-stop broadcast group tacacs+

   2. ASA

      aaa-server TACACS protocol tacacs+
      accounting-mode simultaneous
      exit
      aaa-server TACACS (INSIDE) host [TACACS SERVER IP] timeout 2
      key [TACACS SHARED KEY]aaa authentication enable console TACACS LOCAL
      !aaa authentication http console TACACS LOCAL
      aaa authentication ssh console TACACS LOCAL
      aaa authorization exec authentication-server
      aaa accounting command privilege 15 TACACS
      aaa accounting enable console TACACS
      aaa accounting ssh console TACACS
      !http server enable
      ssh [MGMT IP] [MGMT MASK] INSIDE

2. Test TACACS from CLI

   test aaa group ACS1 [USERNAME] [PASSWORD] legacy

3. Test TACACS with SSH

   ssh [SSH SOURCE INTERFACE]

Setup Command Authorization

1. Create Shell Profile under “Policy Elements > Authorization and Permissions > Device Administration > Command Sets”
   1. Create a Permit All set
      1. Click “Create”
      2. Enter “PERMIT_ALL” for Name
      3. Check “Permit any command that is not in the table below”
      4. Click “Submit”
   2. Create a command set for “show” commands only
      1. Click “Create”
      2. Enter “SHOW_ONLY” for Name
      3. Enter “show” into “Command:” field
      4. Click the “Add^” button
      5. OPTIONALLY: deny “show running-config”
         1. Change “Grant” to “Deny”
         2. Enter “show” into “Command:” field and “running-config” in the “Arguments:” field
         3. Click the “Add^” button
         4. Move it to the top with the up arrow beside the list of commands
      6. Click “Submit”
   3. Create a command set for “show and shut/no shut” commands only
      1. Click “Create”
      2. Enter “SHOW_SHUT_ONLY” for Name
      3. Enter “show” into “Command:” field and click the “Add^” button
      4. Enter “configure” into “Command:” field and “terminal” in the “Arguments:” field
      5. Click the “Add^” button
      6. Enter “interface” into “Command:” field
      7. Click the “Add^” button
      8. Enter “shutdown” into “Command:” field
      9. Click the “Add^” button
      10. Enter “no” into “Command:” field and “shutdown” in the “Arguments:” field
      11. Click the “Add^” button
      12. Enter “end” into “Command:” field
      13. Click the “Add^” button
      14. Enter “exit” into “Command:” field
      15. Click the “Add^” button
      16. Click “Submit”
2. Modify Command Sets Under “Access Policies > Access Services > DEVICE-ADMIN > Authorization”
   1. Click “Customize”
   2. Below “Customize Results”, add “Command Sets” to “Selected:”
   3. Click OK
   4. Click “Rule-1” (the rule for Privilege 15 Admins)
   5. Under “Command Sets:”, click “Deselect” to remove “DenyAllCommands”
   6. Click “Select”
   7. Check “PERMIT_ALL”
   8. Click “OK”
   9. Do steps “a.” thru “h.” for any other Privilege 15 Admin rules
3. Modify Rule Authorizations Under “Access Policies > Access Services > DEVICE-ADMIN > Authorization”
   1. Check the box next to the Local Admin Rule (Rule-1)
   2. Click “Duplicate” and click “Duplicate Below”
   3. Name the rule “Noob Status Rule”
   4. Change the Identity group to “Noob Status”
   5. Under “Command Sets:”, click “Deselect” to remove “PERMIT_ALL”
   6. Click “Select”
   7. Check the Command Set you want to apply.
   8. Click “OK”
4. Switch Setup
   1. 3750

      aaa authorization config-commands
      aaa authorization commands 1 default group tacacs+ if-authenticated
      aaa authorization commands 15 default group tacacs+ if-authenticated

   2. ASA

      aaa authorization command TACACS LOCAL

5. Test it
   1. SSH into the switch with a Noob Status account
   2. Try commands that should and should not be allowed.

Wired MAB (MAC Authentication Bypass)

1. Gather all MAC addresses that will need to be added
   1. Categorize by type (workstation, VoIP, Printer, VTC, Thin Client, Taclane, etc.)
   2. Create Identity Group under “Users and Identity Stores > Identity Group”
      1. Create one named “Network Access Group”
      2. Create one for each device type and for “Parent:” choose “Network Access Group”
   3. Create Hosts under “Users and Identity Stores > Internal Identity Stores > Hosts”
      1. Click “Create”
      2. Enter the MAC (Format doesn’t matter, it will convert it)
      3. Enter an accurate description (Building/Rm/Location, Unit, Model, etc)
      4. Select the appropriate Identity Group
      5. Click “Submit”
   4. Create DACLs under “Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs”
      1. Create one for each device type
         1. Click “Create”
         2. Enter a descriptive name, Example: “PRINTER_DACL” or “VTC_DACL”
         3. Paste a copied ACL from a switch (to prevent errors) in the “DACL Content” field
            1. OR: To permit all, just enter “permit ip any any”
         4. Click “Submit”
   5. Create Authz Profiles under “Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles”
      1. Create one for each device type
         1. Click “Create”
         2. Enter a descriptive name, Example: “PRINTER_AUTH” or “VTC_AUTH”
         3. Go to the “Common Tasks” tab
         4. Under ACLS, for “Downloadable ACL Name:” select “Static”
         5. For “Value” select the appropriate ACL for the device type.
         6. Click “Submit”
   6. Create the Access Service under “Access Policies > Access Services”
      1. Click “Create”
      2. Enter “NETWORK-ACCESS-WIRED” for Name
      3. Choose “User Selected Service Type” and “Network Access” from the drop-down
      4. Only Check “Identity” and “Authorization”
      5. Click Next
      6. Keep “Process Host Lookup” checked
      7. OPTIONAL: for dot1x, check “EAP-TLS” and “PEAP”.
         1. Additionally check “EAP-MSCHAPv2” under “PEAP”
         2. Check preferred EAP protocol and select “EAP-TLS”
      1. Choose Yes to modify Service Selection Policy – This takes you to the Service Selection rule page
      2. Click “Customize”
      3. Move “NDG:Device Type” to the “Selected:” box
      4. Click “OK”
      5. Click “Create”
      6. Name the Rule “NETWORK-ACCESS-WIRED-RULE”
      7. For “Protocol:” select “Radius”
      8. For “NDG:Device Type” select “Switch”
      9. For “Service:” select “NETWORK-ACCESS-WIRED”
   7. Create identity rules under “Access Policies > Access Services > NETWORK-ACCESS-WIRED > Identity”
      1. For “Identity Source:” choose “Internal Hosts”
      2. OPTIONAL: for dot1x, select “Rule based result selection”
         1. Click “Create”
         2. Name the rule “WIRED-MAB-ID-RULE”
         3. Select “Compound Condition:”
         4. For “Dictionary:” select “RADIUS-IETF”
         5. For “Attribute:” select “Service-Type”
         6. For “Value:” select “Call Check”
         7. Click “Add”
         8. For “Identity Source:” select “Internal Hosts”
         9. Click “OK”
         10. Click “Save Changes”
   8. Create authorization rules under “Access Policies > Access Services > NETWORK-ACCESS-WIRED > Authorization”
      1. Create a rule for each device type
         1. Click “Create”
         2. Name the rule “”
         3. For “Dictionary:” select “RADIUS-IETF”
         4. For “Attribute:” select “Service-Type”
         5. For “Value:” select “Call Check”
         6. Click “Add”
         7. OPTIONAL: if Wireless MAB is to be implemented:
            1. Change “Attribute:” to “NAS-Port-Type”
            2. For “Value:” select “Ethernet”
            3. Click “Add” and select “Add to selected with And”
         8. For “Authorization Profiles:” select the appropriate profile.
         9. Click “OK”
         10. Click the “Default” rule
         11. Click “Select” and choose “DenyAccess”
         12. Click “OK”
         13. Click “Save Changes”

Switch Configuration

1. AAA and Radius Switch Config

   !--- AAA
   aaa authentication dot1x default group radius
   aaa authorization network default group radius
   aaa accounting dot1x default start-stop group radius
   aaa accounting update periodic 5
   !
   !--- RADIUS SERVER
   radius-server host [ACS SERVER IP]
   radius-server key [SHARED RADIUS KEY]
   radius-server dead-criteria time 30 tries 3
   !--- SEND RADIUS VSA
   radius-server vsa send accounting
   radius-server vsa send authentication
   !--- OTHER RADIUS
   radius-server attribute 6 on-for-login-auth
   radius-server attribute 8 include-in-access-req
   radius-server attribute 25 access-request include
   ip radius source-interface [SOURCE INTERFACE]
   !--- CHANGE OF AUTHORIZATION
   aaa server radius dynamic-author
   client [ACS SERVER IP] server-key [SHARED RADIUS KEY]
   !
   !--- ACL
   ip access-list extende
   
   ip device tracking
   !
   !--- INTERFACE COMMANDS
   interface range [INTERFACE RANGE]
   switchport mode host
   switchport mode access
   switchport access vlan [ACCESS VLAN]
   spanning-tree portfast
   spanning-tree bpduguard enable
   !
   authentication priority mab dot1x
   authentication order mab dot1x
   authentication event fail action next-method
   authentication host-mode multi-auth
   authentication violation restrict
   dot1x pae authenticator
   mab
   dot1x timeout tx-period 10
   authentication port-control auto
   !
   ip access-group ACL-DEFAULT in
   d ACL-DEFAULT
   permit udp any eq bootpc any eq bootps
   permit udp any any eq domain
   deny ip any any log
   ip access-list extended ACL-ALLOW
   permit ip any any
   !
   !--- ENABLE DOT1X
   dot1x system-auth-control

Verifying and Monitoring MAB

1. Check port on the switch
   1. On old switches: show authentication session [INTERFACE]
   2. On newer switches: show authentication session [INTERFACE] detail
2. Check DACL on switch
   1. show ip access-list
3. Check the logs in ACS
   1. Go to “Monitoring and Reports”
   2. Go to “Reports > Catalog > AAA Protocol”
   3. Click “Radius Authentication”
   4. “Username” will be the MAC of the device
   5. Click the Magnifying Glass under “Detail” next to the MAC