Start-to-finish setup of Cisco ACS (version 5.5 was used), including a n00b-status group and MAC Authentication Bypass (MAB). Active Directory look-up will be added later.
Initial Setup
- Load VM image or ISO to appliance
- Follow setup prompts - document the password!
Upgrading Cisco ACS
- Login to the CLI with acsadmin
- Create a repository
repository temp
 url ftp://192.168.1.100/
 user admin password plain [FTP PASSWORD]
- Start the upgrade
acs patch install 5-5-0-46-11.tar.gpg repository temp
TACACS Setup
- Log into ACS with acsadmin
- Set Login Banner under "My Workspace > Login Banner"
- Set Login Prompts under "System Administration > Configuration > Global System Options > TACACS+ Settings"
- Change Username / Password Prompts to "ACS Username" and "ACS Password"
- Create Locations under "Network Resources > Network Device Groups > Location"
- Create Device Types under "Network Resources > Network Device Groups > Device Type"
- Create a "Switch" device type.
- Create Device under "Network Resources > Network Device Groups > Network Devices and AAA Clients"
- Select proper location and device type
- Input TACACS info
- Create Identity Group under "Users and Identity Stores > Identity Group"
- Create one named "Local Device Admin"
- Create one named "Noob Status" for optional future use in restricting commands
- Create Users under "Users and Identity Stores > Internal Identity Stores > Users"
- Assign to identity group
- Create Shell Profile under "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles"
- For name, be descriptive (PRIV15_MAX15)
- Under common tasks tab
- Default privilege: static, value: 15
- Max privilege: static, value: 15
- Create Access Service under "Access Policies > Access Services"
- Create one for device admin called "DEVICE-ADMIN"
- Choose "User Selected Service Type" and "Device Administration" from the drop-down
- Only check "Identity" and "Authorization"
- Click Next
- Uncheck Process Host Lookup
- Check only PAP/ASCII
- Choose Yes to modify Service Selection Policy; this takes you to the Service Selection rule page
- Click Create
- Check Protocol and match TACACS
- Choose "DEVICE-ADMIN" for the Service
- Modify Authorization Policy under "Access Policies > Access Services > DEVICE-ADMIN > Authorization"
- Click "Customize"
- Remove "Compound Condition"
- Add "Protocol" and "Identity Group"
- Remove "Command Sets"
- Click OK
- Click Create
- Choose TACACS for "Protocol"
- Choose "Local Device Admin" for "Identity Group"
- Click "Default" and modify the default rule to "DenyAccess"
Switch Configuration
- TACACS Config
- 3750/3850 etc.
ip tacacs source-interface [SOURCE INTERFACE]
tacacs-server host [ACS SERVER IP]
tacacs-server key [TACACS SHARED KEY]
no tacacs-server directed-request
aaa new-model
!
aaa group server tacacs+ ACS1
 server [ACS SERVER IP]
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop broadcast group tacacs+
aaa accounting commands 1 default start-stop broadcast group tacacs+
aaa accounting commands 15 default start-stop broadcast group tacacs+
- ASA
aaa-server TACACS protocol tacacs+
 accounting-mode simultaneous
 exit
aaa-server TACACS (INSIDE) host [TACACS SERVER IP]
 timeout 2
 key [TACACS SHARED KEY]
aaa authentication enable console TACACS LOCAL
!
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization exec authentication-server
aaa accounting command privilege 15 TACACS
aaa accounting enable console TACACS
aaa accounting ssh console TACACS
!
http server enable
ssh [MGMT IP] [MGMT MASK] INSIDE
- 3750/3850 etc.
- Test TACACS from CLI
test aaa group ACS1 [USERNAME] [PASSWORD] legacy
- Test TACACS with SSH
ssh [SSH SOURCE INTERFACE]
Setup Command Authorization
- Create Command Sets under "Policy Elements > Authorization and Permissions > Device Administration > Command Sets"
- Create a Permit All set
- Click "Create"
- Enter "PERMIT_ALL" for Name
- Check "Permit any command that is not in the table below"
- Click "Submit"
- Create a command set for "show" commands only
- Click "Create"
- Enter "SHOW_ONLY" for Name
- Enter "show" into "Command:" field
- Click the "Add^" button
- OPTIONALLY: deny "show running-config"
- Change "Grant" to "Deny"
- Enter "show" into "Command:" field and "running-config" in the "Arguments:" field
- Click the "Add^" button
- Move it to the top with the up arrow beside the list of commands (rows are evaluated top to bottom, so the deny row must sit above the row that permits all "show" commands)
- Click "Submit"
- Create a command set for "show and shut/no shut" commands only
- Click "Create"
- Enter "SHOW_SHUT_ONLY" for Name
- Enter "show" into "Command:" field and click the "Add^" button
- Enter "configure" into "Command:" field and "terminal" in the "Arguments:" field
- Click the "Add^" button
- Enter "interface" into "Command:" field
- Click the "Add^" button
- Enter "shutdown" into "Command:" field
- Click the "Add^" button
- Enter "no" into "Command:" field and "shutdown" in the "Arguments:" field
- Click the "Add^" button
- Enter "end" into "Command:" field
- Click the "Add^" button
- Enter "exit" into "Command:" field
- Click the "Add^" button
- Click "Submit"
- Modify Command Sets under "Access Policies > Access Services > DEVICE-ADMIN > Authorization"
- Click "Customize"
- Below "Customize Results", add "Command Sets" to "Selected:"
- Click OK
- Click "Rule-1" (the rule for Privilege 15 Admins)
- Under "Command Sets:", click "Deselect" to remove "DenyAllCommands"
- Click "Select"
- Check "PERMIT_ALL"
- Click "OK"
- Repeat the steps above (from "Click Customize" through "Click OK") for any other Privilege 15 Admin rules
- Modify Rule Authorizations under "Access Policies > Access Services > DEVICE-ADMIN > Authorization"
- Check the box next to the Local Admin Rule (Rule-1)
- Click "Duplicate" and click "Duplicate Below"
- Name the rule "Noob Status Rule"
- Change the Identity Group to "Noob Status"
- Under "Command Sets:", click "Deselect" to remove "PERMIT_ALL"
- Click "Select"
- Check the Command Set you want to apply.
- Click "OK"
- Switch Setup
- 3750
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
- ASA
aaa authorization command TACACS LOCAL
- 3750
- Test it
- SSH into the switch with a Noob Status account
- Try commands that should and should not be allowed.
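As an added example (not from the original notes), the following Python model of ACS 5 command-set evaluation shows why the notes move the "show running-config" deny row to the top: rows are evaluated top to bottom and the first matching row decides, so a "Permit show" row placed above it shadows the deny. The command sets are the PERMIT_ALL, SHOW_ONLY and SHOW_SHUT_ONLY sets built above. The matching rules used here (exact match on the command keyword, the Arguments field treated as a regular expression over the rest of the line, and the switch sending the fully expanded command) are simplifying assumptions, not a description of ACS internals.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class CommandRule:
    grant: str            # the Grant column in the ACS table: "Permit" or "Deny"
    command: str          # the Command field, matched against the first word of the line
    arguments: str = ""   # the Arguments field; modelled here as a regex over the rest of the
                          # line (assumption), empty means "any arguments"


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule]         # evaluated top to bottom; the first matching row decides
    permit_unlisted: bool = False    # the "Permit any command that is not in the table below" box


def authorize(command_set: CommandSet, line: str) -> bool:
    """Return True if the command line is permitted by the command set.

    Assumes the NAS sends the expanded command (e.g. "show running-config", not "sh run").
    """
    tokens = line.split()
    if not tokens:
        return False
    command, args = tokens[0].lower(), " ".join(tokens[1:])
    for rule in command_set.rules:
        if rule.command.lower() != command:
            continue
        if rule.arguments and not re.search(rule.arguments, args, re.IGNORECASE):
            continue
        return rule.grant == "Permit"
    return command_set.permit_unlisted


PERMIT_ALL = CommandSet("PERMIT_ALL", [], permit_unlisted=True)

# Deny row moved to the top with the up arrow, as the notes instruct
SHOW_ONLY = CommandSet("SHOW_ONLY", [
    CommandRule("Deny", "show", "running-config"),
    CommandRule("Permit", "show"),
])

# Same two rows in the wrong order: the Permit row matches first and the Deny row never fires
SHOW_ONLY_MISORDERED = CommandSet("SHOW_ONLY (misordered)", [
    CommandRule("Permit", "show"),
    CommandRule("Deny", "show", "running-config"),
])

SHOW_SHUT_ONLY = CommandSet("SHOW_SHUT_ONLY", [
    CommandRule("Permit", "show"),
    CommandRule("Permit", "configure", "terminal"),
    CommandRule("Permit", "interface"),
    CommandRule("Permit", "shutdown"),
    CommandRule("Permit", "no", "shutdown"),
    CommandRule("Permit", "end"),
    CommandRule("Permit", "exit"),
])


def check_all(command_set: CommandSet, lines: List[str]) -> dict:
    """Evaluate a whole list of commands, mirroring the 'test it' step with a Noob Status account."""
    return {line: authorize(command_set, line) for line in lines}


if __name__ == "__main__":
    # Constructed session: what a Noob Status user might type after SSHing to the switch
    session = ["show ip interface brief", "show running-config", "configure terminal",
               "interface GigabitEthernet1/0/1", "no shutdown", "no ip address", "reload"]
    for cs in (PERMIT_ALL, SHOW_ONLY, SHOW_ONLY_MISORDERED, SHOW_SHUT_ONLY):
        print(cs.name)
        for line, ok in check_all(cs, session).items():
            print(f"  {'permit' if ok else 'DENY  '}  {line}")
```

Running it prints one permit/deny verdict per command for each set; the misordered set is the only one that lets "show running-config" through, which is exactly the case the "move it to the top" step guards against.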
Wired MAB (MAC Authentication Bypass)
- Gather all MAC addresses that will need to be added
- Categorize by type (workstation, VoIP, Printer, VTC, Thin Client, Taclane, etc.)
- Create Identity Group under "Users and Identity Stores > Identity Group"
- Create one named "Network Access Group"
- Create one for each device type and for "Parent:" choose "Network Access Group"
- Create Hosts under "Users and Identity Stores > Internal Identity Stores > Hosts"
- Click "Create"
- Enter the MAC (format doesn't matter, it will convert it)
- Enter an accurate description (Building/Rm/Location, Unit, Model, etc.)
- Select the appropriate Identity Group
- Click "Submit"
- Create DACLs under "Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs"
- Create one for each device type
- Click "Create"
- Enter a descriptive name, example: "PRINTER_DACL" or "VTC_DACL"
- Paste a copied ACL from a switch (to prevent errors) in the "DACL Content" field
- OR: to permit all, just enter "permit ip any any"
- Click "Submit"
- Repeat for each device type
- Create Authz Profiles under "Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles"
- Create one for each device type
- Click "Create"
- Enter a descriptive name, example: "PRINTER_AUTH" or "VTC_AUTH"
- Go to the "Common Tasks" tab
- Under ACLS, for "Downloadable ACL Name:" select "Static"
- For "Value" select the appropriate ACL for the device type.
- Click "Submit"
- Repeat for each device type
- Create the Access Service under "Access Policies > Access Services"
- Click "Create"
- Enter "NETWORK-ACCESS-WIRED" for Name
- Choose "User Selected Service Type" and "Network Access" from the drop-down
- Only check "Identity" and "Authorization"
- Click Next
- Keep "Process Host Lookup" checked
- OPTIONAL: for dot1x, check "EAP-TLS" and "PEAP".
- Additionally check "EAP-MSCHAPv2" under "PEAP"
- Check preferred EAP protocol and select "EAP-TLS"
- Choose Yes to modify Service Selection Policy; this takes you to the Service Selection rule page
- Click "Customize"
- Move "NDG:Device Type" to the "Selected:" box
- Click "OK"
- Click "Create"
- Name the Rule "NETWORK-ACCESS-WIRED-RULE"
- For "Protocol:" select "Radius"
- For "NDG:Device Type" select "Switch"
- For "Service:" select "NETWORK-ACCESS-WIRED"
- Create identity rules under "Access Policies > Access Services > NETWORK-ACCESS-WIRED > Identity"
- For "Identity Source:" choose "Internal Hosts"
- OPTIONAL: for dot1x, select "Rule based result selection"
- Click "Create"
- Name the rule "WIRED-MAB-ID-RULE"
- Select "Compound Condition:"
- For "Dictionary:" select "RADIUS-IETF"
- For "Attribute:" select "Service-Type"
- For "Value:" select "Call Check"
- Click "Add"
- For "Identity Source:" select "Internal Hosts"
- Click "OK"
- Click "Save Changes"
- Create authorization rules under "Access Policies > Access Services > NETWORK-ACCESS-WIRED > Authorization"
- Create a rule for each device type
- Click "Create"
- Name the rule ""
- For "Dictionary:" select "RADIUS-IETF"
- For "Attribute:" select "Service-Type"
- For "Value:" select "Call Check"
- Click "Add"
- OPTIONAL: if Wireless MAB is to be implemented:
- Change "Attribute:" to "NAS-Port-Type"
- For "Value:" select "Ethernet"
- Click "Add" and select "Add to selected with And"
- For "Authorization Profiles:" select the appropriate profile.
- Click "OK"
- Click the "Default" rule
- Click "Select" and choose "DenyAccess"
- Click "OK"
- Click "Save Changes"
- Repeat for each device type
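Added example, not part of the original notes: a Python model of the wired MAB flow configured above, from MAC normalisation (the "format doesn't matter" step under Hosts) through the WIRED-MAB-ID-RULE identity check and the per-device-type authorization rules, ending at the DenyAccess default. It also shows why the NAS-Port-Type = Ethernet condition keeps a wireless MAB request from matching a wired rule. The inventory rows and RADIUS requests are constructed; the hyphenated upper-case MAC form, the VOIP_*/WORKSTATION_* profile and DACL names, and the first-match rule model are assumptions made for the example.

```python
import re


def normalize_mac(raw: str) -> str:
    """Canonical XX-XX-XX-XX-XX-XX form (assumed here to match what ACS stores for Internal Hosts)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


# Constructed inventory from the "gather all MAC addresses" step: (MAC as collected, identity group, description)
HOST_INVENTORY = [
    ("0011.2233.4455", "Printer", "Bldg 1 / Rm 101 / HP LaserJet"),
    ("00:11:22:33:44:56", "VoIP", "Bldg 1 / Rm 102 / desk phone"),
    ("001122334457", "Workstation", "Bldg 1 / Rm 103 / desktop"),
    ("00-11-22-33-44-55", "Printer", "same printer, entered twice in another format"),
]


def build_host_store(inventory):
    """Mimic the Internal Hosts store: one entry per canonical MAC, duplicates reported rather than overwritten."""
    hosts, duplicates = {}, []
    for raw, group, description in inventory:
        mac = normalize_mac(raw)
        if mac in hosts:
            duplicates.append(mac)
            continue
        hosts[mac] = {"group": group, "description": description}
    return hosts, duplicates


def wired_mab_rule(group, profile, dacl):
    """One authorization rule as built in the GUI: Service-Type = Call Check AND NAS-Port-Type = Ethernet AND Identity Group."""
    return {
        "conditions": {"Service-Type": "Call Check", "NAS-Port-Type": "Ethernet", "Identity Group": group},
        "profile": profile,
        "dacl": dacl,
    }


# PRINTER_AUTH / PRINTER_DACL follow the naming in the notes; the VoIP and Workstation names are assumed
AUTHZ_RULES = [
    wired_mab_rule("Printer", "PRINTER_AUTH", "PRINTER_DACL"),
    wired_mab_rule("VoIP", "VOIP_AUTH", "VOIP_DACL"),
    wired_mab_rule("Workstation", "WORKSTATION_AUTH", "WORKSTATION_DACL"),
]


def deny(reason: str) -> dict:
    return {"result": "DenyAccess", "reason": reason}


def evaluate_mab(request: dict, hosts: dict, rules=AUTHZ_RULES) -> dict:
    """Evaluate one RADIUS request the way the NETWORK-ACCESS-WIRED service above is configured."""
    # Identity policy: WIRED-MAB-ID-RULE fires only for Service-Type = Call Check and looks the
    # calling MAC up in Internal Hosts; an unknown host fails authentication.
    if request.get("Service-Type") != "Call Check":
        return deny("not a MAB request (Service-Type is not Call Check)")
    mac = normalize_mac(request["Calling-Station-Id"])
    host = hosts.get(mac)
    if host is None:
        return deny(f"{mac} is not in Internal Hosts")
    # Authorization policy: rules are tried in order, first match wins, Default is DenyAccess.
    attrs = dict(request, **{"Identity Group": host["group"]})
    for rule in rules:
        if all(attrs.get(k) == v for k, v in rule["conditions"].items()):
            return {"result": "Access-Accept", "mac": mac, "profile": rule["profile"], "dacl": rule["dacl"]}
    return deny("no rule matched, Default rule is DenyAccess")


# Constructed requests resembling what a switch running the MAB interface config sends
PRINTER_REQUEST = {"Service-Type": "Call Check", "NAS-Port-Type": "Ethernet",
                   "Calling-Station-Id": "00-11-22-33-44-55", "User-Name": "001122334455"}
UNKNOWN_REQUEST = dict(PRINTER_REQUEST, **{"Calling-Station-Id": "00-de-ad-be-ef-01"})
WIRELESS_REQUEST = {"Service-Type": "Call Check", "NAS-Port-Type": "Wireless-802.11",
                    "Calling-Station-Id": "0011.2233.4456"}
DOT1X_REQUEST = {"Service-Type": "Framed", "NAS-Port-Type": "Ethernet",
                 "Calling-Station-Id": "0011.2233.4457"}

if __name__ == "__main__":
    hosts, dupes = build_host_store(HOST_INVENTORY)
    print("duplicate inventory entries:", dupes)
    for name, req in [("printer", PRINTER_REQUEST), ("unknown", UNKNOWN_REQUEST),
                      ("wireless", WIRELESS_REQUEST), ("dot1x", DOT1X_REQUEST)]:
        print(name, evaluate_mab(req, hosts))
```

The duplicate check is worth running over a real inventory before bulk-loading hosts: two spellings of the same MAC in different groups would otherwise silently pick whichever ACS kept. The dot1x request is denied only because this model covers the MAB identity rule; with the optional dot1x identity rule from the notes it would take a different path.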
Switch Configuration
- AAA and Radius Switch Config
!--- AAA
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
!
!--- RADIUS SERVER
radius-server host [ACS SERVER IP]
radius-server key [SHARED RADIUS KEY]
radius-server dead-criteria time 30 tries 3
!--- SEND RADIUS VSA
radius-server vsa send accounting
radius-server vsa send authentication
!--- OTHER RADIUS
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
ip radius source-interface [SOURCE INTERFACE]
!--- CHANGE OF AUTHORIZATION
aaa server radius dynamic-author
 client [ACS SERVER IP] server-key [SHARED RADIUS KEY]
!
!--- ACL (ACL-DEFAULT is the pre-authentication port ACL; the DACL from ACS is applied for the host once it authorizes)
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any log
ip access-list extended ACL-ALLOW
 permit ip any any
!
ip device tracking
!
!--- INTERFACE COMMANDS
interface range [INTERFACE RANGE]
 ! "switchport host" is the IOS macro (access mode, portfast, no channel); "switchport mode host" is not a valid command
 switchport host
 switchport mode access
 switchport access vlan [ACCESS VLAN]
 spanning-tree portfast
 spanning-tree bpduguard enable
 !
 authentication priority mab dot1x
 authentication order mab dot1x
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication violation restrict
 dot1x pae authenticator
 mab
 dot1x timeout tx-period 10
 authentication port-control auto
 !
 ip access-group ACL-DEFAULT in
!
!--- ENABLE DOT1X
dot1x system-auth-control
Verifying and Monitoring MAB
- Check port on the switch
- On old switches: show authentication sessions interface [INTERFACE]
- On newer switches: show authentication sessions interface [INTERFACE] detail
- Check DACL on switch
- show ip access-list
- Check the logs in ACS
- Go to "Monitoring and Reports"
- Go to "Reports > Catalog > AAA Protocol"
- Click "Radius Authentication"
- "Username" will be the MAC of the device
- Click the Magnifying Glass under "Detail" next to the MAC
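Added example (not part of the original notes): a small Python checker for the "check port on the switch" and "check DACL on switch" steps. It parses the output of show authentication sessions interface ... detail, pulls out the status, the MAB method state and the ACS ACL line, and flags ports where the host did not authorize or did not receive the DACL its inventory group calls for. The sample output below is constructed to resemble what a 3750 running the MAB config above prints; the field labels, the xACSACLx-IP-<name>-<hash> DACL naming and the expected-DACL table are assumptions for the example.

```python
import re

# Constructed sample, modelled on "show authentication sessions interface ... detail" output.
# Field layout is an assumption; adjust the parser if your platform prints different labels.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
           IP Address:  10.1.1.50
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PRINTER_DACL-5f1e2d3c
      Session timeout:  N/A
    Common Session ID:  0A0101010000000A0001B2C4
               Handle:  0x9A000007

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

----------------------------------------
            Interface:  GigabitEthernet1/0/2
          MAC Address:  0011.2233.4499
           IP Address:  Unknown
            User-Name:  00-11-22-33-44-99
               Status:  Authz Failed
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A0101010000000B0001B2C5
               Handle:  0x1B000008

Runnable methods list:
       Method   State
       mab      Authc Failed
       dot1x    Failed over
"""

# Constructed: the DACL each known MAC should receive, keyed by bare hex MAC (from the ACS host inventory)
EXPECTED_DACL = {"001122334455": "PRINTER_DACL", "001122334499": "VOIP_DACL"}


def parse_sessions(text: str) -> list:
    """Split the output into one dict per session; 'methods' holds the runnable-methods table."""
    sessions, current, in_methods = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Interface:"):          # each session block starts with Interface:
            current = {"methods": {}}
            sessions.append(current)
            in_methods = False
        if current is None or not stripped:
            continue
        if stripped.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:                                  # "mab      Authc Success" style rows
            parts = stripped.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":
                current["methods"][parts[0]] = parts[1]
            continue
        key, sep, value = stripped.partition(":")       # "Label:  value" rows
        if sep:
            current[key.strip()] = value.strip()
    return sessions


def dacl_name(acs_acl: str) -> str:
    """Strip the xACSACLx-IP-<name>-<hash> wrapper the switch shows for a downloaded ACL (assumed format)."""
    match = re.match(r"xACSACLx-IP-(.+)-[0-9A-Fa-f]+$", acs_acl)
    return match.group(1) if match else acs_acl


def audit_session(session: dict, expected_dacl=None) -> list:
    """Return a list of findings; an empty list means the port looks the way the notes intend."""
    findings = []
    if session.get("Status") != "Authz Success":
        findings.append(f"status is {session.get('Status')}")
    mab_state = session["methods"].get("mab")
    if mab_state != "Authc Success":
        findings.append(f"mab state is {mab_state}")
    acl = session.get("ACS ACL")
    if not acl or acl == "N/A":
        findings.append("no downloadable ACL applied")
    elif expected_dacl and dacl_name(acl) != expected_dacl:
        findings.append(f"DACL {dacl_name(acl)} applied, expected {expected_dacl}")
    return findings


def audit(text: str, expected_by_mac=EXPECTED_DACL) -> dict:
    """Map each interface in the output to its findings."""
    report = {}
    for session in parse_sessions(text):
        key = re.sub(r"[^0-9a-f]", "", session.get("MAC Address", "").lower())
        report[session["Interface"]] = audit_session(session, expected_by_mac.get(key))
    return report


if __name__ == "__main__":
    for interface, findings in audit(SAMPLE_OUTPUT).items():
        print(interface, "OK" if not findings else "; ".join(findings))
```

A port that shows Authz Success but no ACS ACL line usually means the authorization profile matched without a DACL attached, or the switch rejected the DACL content; the ACS "Radius Authentication" report detail view above shows which profile was returned.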