CSACSGuide-SAMPLE

CISCO SECURE ACS 5.X PRODUCT DEPLOYMENT GUIDE PacketWisdom.Com
Version : 1.1 | Author : Tariq Ahmad Email: support@packetwisdom.com
1
Cisco Secure Access Control Server (CS-ACS) 5.2
Deployment/Detailed Lab Guide
Authored by :
Tariq Ahmad
CCIE # 26141

2
 Scenario Info:
Server Role Server IP Info
Cisco Secure ACS Primary Server 192.168.2.30/24
Cisco Secure ACS Backup Server 192.168.2.31/24
Active Directory/LDAP/Certificate Authority/DNS 192.168.2.100/24
 Scenarios :
o Basic Installation & configuration of Cisco Secure ACS 5.2 as a Virtualized Appliance (VMware)
o Installing/Activating a Backup Server for High Availability (HA)
o Integrating Cisco Secure ACS with Active Directory Domain
o Integrating Cisco Secure ACS with Lightweight Directory Access Protocol (LDAP)
o Assigning Privilege Levels in IOS to Users for Device Administration via LOCAL database authentication
o Assigning Privilege Levels in IOS to Users Device Administration via AAA Server
AAA Server : Shell Profiles : TACACS
o Understanding & Enabling Logging Passed/Failed Authentications & Viewing Logs using Logs Collector
o Authenticating & Authorizing Users for Command Authorization in IOS via AAA
AAA Server : Command Sets : TACACS
o Authenticating Users for HTTP & SDM Access to a Cisco Router via LOCAL database
o Authenticating Users for HTTP & SDM Access to a Cisco Router via AAA Server

3
o Using IOS Authentication Proxy to restrict access based on User Profiles via Authorization Profile
AAA Server : Authorization Profile : RADIUS
o Using IOS Authentication Proxy to restrict access based on User Profiles via Shell Profiles
o Using IOS EzVPN Server(legacy method) with Cisco VPN Client for user authentication & group policy assignment
LOCAL for XAuth , LOCAL for group
RADIUS for XAuth , LOCAL for group
RADIUS for XAuth , RADIUS for group
o Using IOS EzVPN Server(new method – VTI) with Cisco VPN Client for user authentication & group policy
assignment
assignment
assignment

4
o Authenticating IOS based SSL VPN (WebVPN) Sessions using LOCAL database
o Authenticating IOS based SSL VPN (WebVPN) Sessions using ACS Server (RADIUS)
AAA Server : Authorization Profille : RADIUS
o Authenticating IOS based SSL VPN (AnyConnect VPN) Sessions using LOCAL database
o Authenticating IOS based SSL VPN (AnyConnect VPN) Sessions using ACS Server (RADIUS)
AAA Server : Authorization Profille : RADIUS
o Assigning Privilege Levels to Users on ASA
o Authenticating & Authorizing Users for Command Authorization in ASA via AAA
o Using Cut-through Proxy on ASA for Authentication Only
o Using Cut-through Proxy on ASA for Authentication/Authorization via AAA
AAA Server : Command Sets : TACACS
o Using Cut-through Proxy on ASA for Authentication/Authorization via AAA
AAA Server : Downloadable ACL/Authorization Profile : RADIUS
o Using IEEE 802.1X to provide Port-Based Access Control Using Authentication
o Configuring IEEE 802.1X Authentication on a Catalyst Switch & Cisco Secure ACS 5.X using EAP-MD5 for
authentication (dynamic VLAN assignment )
o Configuring IEEE 802.1X Authentication on a Catalyst Switch & Cisco Secure ACS 5.X using Protected EAP (PEAP)
for authentication (dynamic VLAN assignment )

5
o Configuring MAC Authentication Bypass (MAB) for Clientless Devices i.e. IP Phones / Printers / Peripheral Devices
o Triggering Change Of Authorization (CoA) from Cisco Secure ACS 5.X
o Configuring IPSec Remote Access VPN on ASA with Cisco VPN Client for user authentication & group policy
assignment
assignment
assignment
o Enrolling Cisco Secure ACS with an Enterprise CA
o Enterprise Certificate Authority Installation in Windows 2008 R2 Server
o Certificate Installation on Cisco Secure ACS (using CA Server )

6
Basic Installation & Configuration of Cisco Secure ACS 5.2 as a Virtualized Appliance
(VMware)
 Setup Info:
o Cisco Secure ACS Primary Server IP address: 192.168.2.30/24
 Cisco Official Installation Requirements:
Reference: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/data_sheet_c78-614584.html
NOTE: We would install using VMware Workstation 7.x & later version using 2 GB RAM. It would work perfectly for lab purpose.

7
After you power on the VM, a welcome screen will display.
At the <Welcome To Cisco Secure ACS 5.2 Recovery screen>, choose the following option:
[1] Cisco Secure ACS Installation (Keyboard/Monitor)

8
At the login prompt, enter your username/password chosen in above step and issue the following
command:
‘show application status acs’

9
& you are all set. You have successfully installed & setup ACS Server.

10
Installing/Activating a Backup Server for High Availability
 Setup Info:
o Cisco Secure ACS Backup Server IP address: 192.168.2.31/24
 Setup Description:
o In a deployment, you can have multiple ACS Servers with one server designated as Primary & all other servers as
Secondary Servers
o Installation for backup server will be same. You would only need to change hostname & server ip address for
secondary server to reflect that it’s a secondary/backup server.
 Secondary Server Activation
o In order to add a secondary server to the ACS deployment, follow the steps documented below :

11
 [Primary ACS Server ] You can check status that secondary instance has been registered successfully
by navigating to :
System Administration > Operations > Distributed System Management

12
Request Local Mode :
You can configure ACS Server in Local Mode if you desire to make changes to a single ACS instance ONLY.
These changes DO NOT replicate to any other server in the deployment

13
Integrating Cisco Secure ACS with Active Directory Domain
 Setup Info:
o Windows 2008 Server R2 (64-bit) IP address : 192.168.2.100/24
 AD Setup Info:
o Windows 2008 Server
Machine Name : Win2008AD
Domain Name : tariqccie.com
Domain Admin : Administrator
Domain Admin Password : cciesec123
 Steps to Setup Active Directory:
o Step1 : Active Directory Setup
 ‘dcpromo.exe’
o Step2 : ACS Basic Setup for DNS lookup
 ‘ip name-server’
o Step3 : Joining Cisco Secure ACS to AD domain

14
Step1 : Active Directory Setup
 It would take you to Active Directory installation Wizard

15
 ‘Forward Lookup Zone’

16
 Check Connectivity Status which should show as ‘Connected’.

17
 Add IT , Finance & Contractor group names to the Directory Groups list as well.

18
 Now, all users for Network Access will be authenticated against Active Directory (AD1)

19
 Once added, click OK

20
Integrating Cisco Secure ACS with Lightweight Directory Access Protocol (LDAP)
 Setup Info:
o Cisco Secure ACS Primary Server: 192.168.2.30/24
o LDAP Server : 192.168.2.100/24
 LDAP Setup Info:
o Windows 2008 Server
IP address : 192.168.2.100
Domain Name : tariqccie.com i.e. [DC=tariqccie,DC=com]
Admin DN : Administrator i.e. [CN=Administrator,CN=Users,DC=tariqccie,DC=com]
Password : cciesec123
 Steps to Setup LDAP on ACS Server:
o Step1 : General
o Step2 : Server Connection
o Step3 : Directory Organization
Step1 : General

21
 Structure as illustrated here :
 Test Configuration . If you configured correctly so far, you would see Number of Users/Groups listed

22
 Ensure that LDAP Identity Store was created successfully under 'External identity Store'
 Select Directory Groups tab & select all 3 Groups defined earlier

23

24
 Selected Groups are listed under Directory Groups list

25
 Under Authorization tab , ensure that LDAP1:External Groups is selected as a matching Condition

26
 Verify that rule creation was successful

27
Assigning Privilege Levels to Users via AAA using Shell Profiles (TACACS)
 Setup Info:
o Cisco Secure ACS Primary Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
 Scenario Diagram:
 Scenario Requirement:
Configure Level 2 Privilege Level on IOS
Level2 user should ONLY be able to configure hostname & change interface duplex / speed . It should NOT have
ability to shut down any interfaces

28
Authenticate user using LOCAL database
Create a user 'tariq' for testing purposes ( username : tariq , password : tariqccie )
Enable secret for Level 2 should be 'ciscoexpert'
Console line should NOT be required to authenticate users i.e. exempt Console from AAA
 Steps:
o Setup IOS router for Customized privilege level '2' & aaa authentication / authorization
o ACS Server Configuration
Step 1: Add R1 as AAA Client
Step 2: Create Identity Group ‘Admin’
Step 3: Create User ‘tariq’ in ACS database
Step 4: Create Shell Profile ‘PrivilegeLevel2’
Step 5: Create Authorization Policy ‘AllowAccess’ & assign it Shell Profile defined above
o Authenticate user & verify privilege level is set correctly

29
 Another way to test is in IOS , you can use following command to verify ACS is able to authenticate users
successfully.
test aaa group tacacs+ tariq tariqccie legacy
[Syntax : test aaa group group-name username password {legacy | new-code} ]
!
You can run various debugs as illustrated here :
 debug aaa authentication
 debug aaa authorization
 debug tacacs
 debug tacacs packet
R1#debug tacacs
R1#debug aaa authorization
*Mar 1 02:29:18.251: TPLUS(00000015)/0/66A278EC: Processing the reply packet
*Mar 1 02:29:18.251: TPLUS: Processed AV priv-lvl=2
*Mar 1 02:29:18.251: TPLUS: received authorization response for 21: PASS
*Mar 1 02:29:18.259: AAA/AUTHOR/EXEC(00000015): processing AV cmd=

30
Enabling Logging for Passed / Failed Authentication :

31
Login to R1 (using putty as done before ) & verify that you can see Logs for Passed Authentication under Monitoring
& Reports Viewer tab

32
Authenticating & Authorizing Users for Command Authorization via AAA using Command
Sets (TACACS)
 Setup Info:
o Cisco Secure ACS Primary Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
 Steps:
o Setup IOS router for Command Authorization via AAA
 Only commands for 'show version' , 'show interfaces' & 'ping' should be allowed
Step 1: Add R1 as AAA Client
 Explanation :
 Previously we used privilege levels in IOS to limit the commands available to a user during an administrative session.
Configuring and maintaining privilege levels on few devices might be useful but applying it on a corporate scale
(hundreds of devices) is not very convenient & manageable.
 To make this easier to manage, IOS allows using TACACS+ to control which commands a user can execute on the
device.

33
R1 Configuration :
username backup password backup : Create a local User for backup
!
aaa new-model : Enable AAA
tacacs-server host 192.168.2.30 key CiscoKey : Define TACACS-SERVER for authentication/authorization
!
aaa authentication login default none : Normally defined to exempt Console from accidental logout
aaa authentication login telnet group tacacs+ local : Authentication via TACACS+
aaa authorization exec telnet group tacacs+ none : Authorization via TACACS+
aaa authorization commands 0 telnet group tacacs+ none : Define Authorization Commands Level 0 , 1 & 15
aaa authorization commands 1 telnet group tacacs+ none
aaa authorization commands 15 telnet group tacacs+ none
!
aaa authorization config-commands
!
!
line vty 0 4 : Use Terminal Lines (vty) for authentication/authorization tests
login authentication telnet
authorization exec telnet
authorization commands 0 telnet
!

34
Using IOS Auth-Proxy for Authorization using RADIUS (Authorization Profile)
 Setup Info:
o Cisco Secure ACS Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
o HTTP Server : 192.168.3.22/24
 Setup Diagram:

35
Verification :
 Before authentication , ACL would look like :
 Initiate an HTTP Session to Web Server . IOS Auth-proxy feature would intercept the connection & you would be re-
directed to an authentication page.

36
 After authentication, the Authentication Proxy cache and the interface ACL will look like :

37
Debugs :
You can use following command for debugging/troubleshooting purpose :
o debug ip auth-proxy detailed
o debug tacacs

38
Using IOS Auth-Proxy for Authorization using TACACS+ (Shell Profile)
 Setup Info:
o Router (R1) : 192.168.2.11/24
o HTTP Server : 192.168.3.22/24
 Scenario Requirement:
Restrict access to HR Departments Web Server (192.168.3.22) to only HR Team
Configure router (R1) to authenticate all HTTP sessions and then download ACL from ACS to permit access to Web
Server
 Steps:
o Setup R1 for IOS Auth-proxy configuration
Step 1: Add R1 as AAA Client (TACACS+)
Step 2 :Create Identity Group named ‘HR Team'
Step 3: Create User ‘hrmanager’ in ACS database ( password : cisco )
Step 4: Create Shell Profile named 'Auth-Proxy'

39
Solution :
From the requirements given, the resulting IKE Phase 1 & Phase 2 should look like :
 ISAKMP POLICY:
Authentication : Pre-shared Key
Encryption : 3DES
Hash : MD5
DH Group : 2
PSK : c1sc0s3c
 IPSEC POLICY:
Encryption : ESP-3DES
Hash/Authentication : ESP-MD5
R1 Configuration :
aaa new-model : Enabling AAA
!
aaa authentication login NOAUTH none : Exempting Console from “accidental” authentication
aaa authentication login XAUTH local : User authentication via XAUTH (local database)
aaa authorization network GROUPAUTH local : Group authorization via GROUPAUTH (local database)
!
radius-server host 192.168.2.30 key CiscoKey :Define ACS Server & it's shared secret
!

40
username EZUser password 0 EZPassword :Local usernames defined for XAUTH
 Verification :
Step 1: Create a new EzVPN connection entry in Windows XP Client machine using the configured group name i.e.
EZ_GROUP
Step 2: Initiate connection from XP Client machine & when prompted for username/password (during XAUTH phase),
enter the user credentials ( Username : EZUser )
Step 3: After the connection is established, check to make sure that proper IP address , Split-tunnelling ACL etc. was
assigned to the client

41

42
 Step 6: Create an Authorization Profile with respective “cisco-av-pair” attribute [For GROUP User]

43
Group Attributes : ( Authorization Profile )
ipsec:default-domain=cisco
ipsec:inacl=101
ipsec:access-restrict=fastethernet 0/0
ipsec:group-lock=1
ipsec:browser-proxy=bproxy_profile_A
ipsec:xauth-banner=Xauth banner text here
XAuth User Attributes : ( Authorization Profile ) – (Non-overlapping)
Framed-IP-Address
ipsec:user-savepassword
ipsec:user-includelocal-lan
ipsec:user-vpngroup

44
Authenticating IOS SSL VPN (WebVPN) Sessions using LOCAL database
Verification :
 Access WebVPN portal by logging into following URL :
https://192.168.2.11/webvpn.html

45
 You could also browse via WebVPN portal since your access is NOT restricted. Although , you could be more
granular and restrict access if need be.
 'Show Flash' depicts contents of Flash when Bookmark is created (as an XML file)

46
Authenticating IOS SSL VPN (AnyConnect VPN) Sessions
 Setup Info:
o Router (R1) : 192.168.2.11/24
 Scenario Requirements :
Use ACS Server for IOS SSL VPN (AnyConnect VPN) Sessions
End user credentials : anyconnectvpnuser / cisco
User should connect via URL https://192.168.2.11
Users should download AnyConnect SVC Installer upon successful login
IP address Pool for allocation 'VPNPOOL' : 10.5.5.0/24
Split Tunnel traffic to : 1.1.1.0/24
 Steps:
o Setup IOS SSL VPN on R1
Step 1: Add R1 as AAA Client (RADIUS)
Step 2 :Create Identity Group ’VPNGroup'
Step 3: Create User ‘anyconnectvpn’ in ACS Internal User database

47
 Make sure image is present in Flash

48
 As soon as your login is successful, you would see AnyConnect client would download & install automatically

49
 And Boom ! AnyConnect Client established VPN session successfully.
 Check AnyConnect VPN Client statistics to verify

50
 Step 4 : Create an Authorization Profile with respective “cisco-av-pair” attribute
The authorization profile has the following cisco-av-pair attribute:
webvpn:addr-pool=VPNPOOL
webvpn:keep-svc-installed=1
webvpn:svc-enabled=1
webvpn:svc-required=1
webvpn:split-include="1.1.1.0 255.255.255.0"

51
 Explanation :
 Using Cut-through Proxy feature, you can make authentication and authorization mandatory for certain types of
sessions.
 ASA supports direct authentication with :
FTP (TCP port 21),
Telnet (TCP port 23),
HTTP (TCP port 80), &
HTTPS (TCP port 443)
 In order to verify the solution , you will need to access Web Service on Application Server (130.10.10.100) from a
host in the outside network i.e. 130.10.10.50 & verify AAA credentials

52
 Authentication as well as Authorization can be verified using 'show uauth' on ASA

53
 Step 4: Create Downloadable ACL in ACS
 Authentication as well as Authorization can be verified using 'show uauth' & 'show access-list' on ASA
 Here you can verify that Downloadable ACL has been successfully downloaded & you can verify that access was
granted as per the ACL

54

55
IEEE 802.1X Provides Port-Based Access Control Using Authentication
 Basic Info:
The basic idea behind the standard is to authenticate and authorize before a user can connect to the
physical or logical port of a Layer 2 device in order to gain access to VLAN or WLAN infrastructure
 EAP Types :
Various EAP types can be used , each has its own requirements . Major types are :
EAP-MD5
LEAP
PEAP

56
Configuring IEEE 802.1X Authentication on a Catalyst Switch & Cisco Secure ACS 5.X using
EAP-MD5 for authentication
 Setup Info:
o IOS Catalyst Switch : 192.168.2.20/24
o EAP-type used : EAP-MD5
o Client Workstations
 HR Department Users : 192.168.50.X/24
 ACCT Department Users : 192.168.51.X/24
 Scenario Diagram:

57
 Explanation :
In order to assign a VLAN to a client upon successful authentication i.e. via dynamic VLAN assignment
, following RADIUS attributes need to be pushed to Catalyst Switch:
■[064] Tunnel-Type
■[065] Tunnel-Medium-Type
■[081] Tunnel-Private-Group-ID
First 2 attributes i.e. Tunnel-Type & Tunnel-Medium-Type will be same in an Authorization Profile.
Last attribute Tunnel-Medium-Group-ID will be assigned appropriately for each dynamic VLAN
assignment i.e.
 For HR Authorization Profile, Tunnel-Medium-Group-ID will be 50
 For ACCT Authorization Profile, Tunnel-Medium-Group-ID will be 51
For HR Authorization Profile , you would configure RADIUS attributes as :
NOTE : Since we are not sending multiple attributes for RADIUS IETF attributes , so Tag value is set to 1
Dictionary Type: RADIUS-IETF
RADIUS Attribute: Tunnel-Type
Attribute Type: Tagged Enum
Attribute Value: Static: VLAN
Tag: 1

58

59
Understanding PEAP

60
Cisco Secure ACS Configuration :
Refer to Section "Enrolling Cisco Secure ACS with an Enterprise CA"
Step 1: install the CA Certificate (Certificate Authority) and ACS Server certificate (the identity certificate for ACS
For Protected EAP i.e. PEAP , The ACS 5.X configuration requirement is to install the CA Certificate (CA that
issued ACS server identity certificate) and ACS server certificate (the identity certificate for ACS) on Cisco
Secure ACS .
Before proceeding any further, make sure that you have CA Certificate & ACS Certificate Installed properly using the
following steps :
 Navigate to Users and Identity Stores > Certificate Authorities & verify that the CA Certificate was installed
successfully

61
Configuring MAC Authentication Bypass (MAB) for Clientless Devices
 Setup Info:
o SwitchA : 192.168.2.12/24
o Printer : Use it's MAC address
Use ACS Server for allow clientless devices i.e. Printers / IP Phones to be granted access to network
ACS will process MAB as 'Host Lookup' based on Calling-Station-ID (31) i.e. MAC address of device
 Scenario Diagram :

62
 802.1X + MAB :
If 802.1x was configured on port in addition to MAB , authentication process would be like :

63
Triggering Change Of Authorization (CoA) from Cisco Secure ACS 5.X
 Setup Info:
If ACS Administrator wishes to change an authenticated user/device status for some reason, he/she can issue
CoA from within ACS
 Steps :
 Launch Monitoring & Reports Viewer

64
Solution :
From the requirements given, the resulting IKE Phase 1 & Phase 2 should look like :
 ISAKMP POLICY:
Authentication : Pre-shared Key
Encryption : 3DES
Hash : SHA
DH Group : 2
PSK : c1sc0s3c
 IPSEC POLICY:
Encryption : ESP-3DES
Hash/Authentication : ESP-SHA
ASA Configuration : (Using RADIUS)
interface Ethernet0/0 :Basic Configuration for OUTSIDE interface
nameif outside
security-level 0
ip address 130.10.10.10 255.255.255.0
!
interface Ethernet0/1 :Basic Configuration for INSIDE interface
nameif inside
security-level 100
ip address 192.168.2.10 255.255.255.0
!

65
Enrolling Cisco Secure ACS with an Enterprise CA
A CA assigned Digital Certificate on ACS can be used for following purposes :
 Use for administrative sessions
 EAP-TLS or PEAP related authentication mechanisms
The self-signed certificate cannot be used for EAP-TLS authentication
Process :
 Let's Create a digital certificate for Cisco Secure ACS from your trusted public or enterprise certificate authority
 Here, you can see existing Certificate (Self-Signed Certificate) issued itself by ACS52 which was being used for
managing ACS Server (for HTTPS sessions etc.)
 Select ADD

CSACSGuide-SAMPLE

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to CSACSGuide-SAMPLE

Similar to CSACSGuide-SAMPLE (20)

CSACSGuide-SAMPLE