Configuring Cisco Access Control Server for User Authentication and Authorization

SAMPLE CONFIG ON ROUTER TO BE AUTHENTICATED

Step One: Create a local username and password (the fallback account used when the TACACS+ server cannot be reached)

username cisco privilege 15 password 0 cisco123

NB: "password 0" stores the password in clear text in the configuration; "username cisco privilege 15 secret ..." stores a hash instead and is the better choice for this account.

Step Two: Configure the Authentication, Authorization, and Accounting (AAA) parameters

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec EXMODE group tacacs+
aaa session-id common

The "default" login list is tried in order: the TACACS+ server group first, the local username database if no server answers, and finally the enable password. The named list "EXMODE" sends exec (shell) authorization to the TACACS+ group only, so if the ACS is unreachable a user can still log in through the local fallback but will be denied an exec shell; adding "local" or "if-authenticated" as a further method on that list prevents locking yourself out.

Step Three: Configure your TACACS+ server name, address and key (the shared secret configured for this device on the ACS)

tacacs server acs101
address ipv4 192.168.137.50
key cisco123

NB: The key string must match the shared secret entered for this device (AAA client) on the ACS exactly; if it does not, the ACS cannot decode the request body and rejects every authentication attempt.

Step Four: Attach the authorization method list "EXMODE" that was defined in the aaa
authorization configuration to "line vty" for SSH and Telnet.

line vty 0 4
password cisco123
authorization exec EXMODE
transport input all

NB: With "aaa new-model" enabled, login on the vty lines is governed by the default login method list, so the line password above is not consulted for login. A named authorization list only takes effect on the lines it is attached to, so apply it to every vty line the platform has (many have 0 through 15, not just 0 through 4). "transport input all" also accepts Telnet, which carries the login in clear text; change it to "transport input ssh" once SSH is confirmed working.
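To check a router against the four steps above without reading the configuration by eye, here is an added Python example (not from the original post and not a Cisco tool): it parses running-config text and flags the settings a practitioner would want changed before this goes into production. SAMPLE_CONFIG is assembled from the page's own commands; HARDENED_CONFIG, the finding messages and the choice of checks are this example's own assumptions about what "good" looks like.

```python
"""Added example, not part of the original post: audit an IOS running-config for the AAA and
TACACS+ settings the router-side steps depend on. SAMPLE_CONFIG is assembled from the page's
own commands; HARDENED_CONFIG and all finding messages are this example's assumptions."""
import re

SAMPLE_CONFIG = """\
username cisco privilege 15 password 0 cisco123
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec EXMODE group tacacs+
aaa session-id common
tacacs server acs101
 address ipv4 192.168.137.50
 key cisco123
line vty 0 4
 password cisco123
 authorization exec EXMODE
 transport input all
"""

# Same design with the usual fixes applied (hypothetical hardened variant).
HARDENED_CONFIG = """\
username cisco privilege 15 secret cisco123
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec EXMODE group tacacs+ local
aaa session-id common
tacacs server acs101
 address ipv4 192.168.137.50
 key cisco123
line vty 0 15
 authorization exec EXMODE
 transport input ssh
"""

BLOCK_HEADERS = re.compile(r"^(tacacs server |line |interface )")


def parse_blocks(config):
    """Split a running-config into top-level commands and the indented children of
    tacacs server / line / interface blocks. Returns (top_level_lines, {header: [children]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if BLOCK_HEADERS.match(line) else None
        if current is not None:
            blocks.setdefault(current, [])
    return top, blocks


def audit_aaa(config):
    """Return a list of findings; an empty list means every check here passed."""
    top, blocks = parse_blocks(config)
    findings = []
    if "aaa new-model" not in top:
        findings.append("'aaa new-model' missing: AAA method lists are not in effect")
    # Exec authorization lists: TACACS+ with no fallback locks you out when the ACS is down.
    authz_lists = {}
    for line in top:
        m = re.match(r"aaa authorization exec (\S+) (.+)$", line)
        if m:
            authz_lists[m.group(1)] = m.group(2).split()
    for name, methods in authz_lists.items():
        if "local" not in methods and "if-authenticated" not in methods:
            findings.append(f"authorization list {name} has no fallback after 'group tacacs+': "
                            "exec access is lost if the ACS is unreachable")
    # TACACS+ server definitions: a missing key is what the ACS logs as a mismatched shared secret.
    servers = [h for h in blocks if h.startswith("tacacs server ")]
    if not servers:
        findings.append("no 'tacacs server' block defined")
    for h in servers:
        if not any(k.startswith("key ") for k in blocks[h]):
            findings.append(f"{h}: no shared key set; ACS will reject requests as a mismatched shared secret")
        if not any(k.startswith("address ipv") for k in blocks[h]):
            findings.append(f"{h}: no address configured")
    # Local fallback account: 'password' is clear text or reversible type 7; 'secret' is hashed.
    for line in top:
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(f"username {m.group(1)} uses 'password'; use 'secret' for the local fallback account")
    # VTY lines: a named list must be attached by hand, and Telnet exposes the login in clear text.
    for h, kids in blocks.items():
        if not h.startswith("line vty"):
            continue
        attached = [k.split()[-1] for k in kids if k.startswith("authorization exec ")]
        if not attached:
            findings.append(f"{h}: no 'authorization exec' list attached; a named list is not applied automatically")
        for name in attached:
            if name != "default" and name not in authz_lists:
                findings.append(f"{h}: authorization list {name} is attached but never defined")
        if any(re.search(r"\b(all|telnet)\b", k) for k in kids if k.startswith("transport input ")):
            findings.append(f"{h}: 'transport input' permits Telnet; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_aaa(cfg) or ["no findings"])
```

Feed it the text of "show running-config". On the page's configuration it reports three findings (the EXMODE list has no fallback, the local account uses "password" rather than "secret", and the vty lines permit Telnet) and none on the hardened variant; removing the "key" line reproduces the condition the troubleshooting section below ran into.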

The configuration below specifies the steps in configuring the ACS Server.

a. Create a Network Device Group so that devices under the same administration are grouped together

Network Resources > Network Device Groups > Device Type

  • Screenshot: Creating the Network Device Group

b. Now we will put devices under the network device group we created above

Network Resources > Network Devices and AAA Clients > Create

Under "Device Type" we select the network device group (Dublin Network) that we created
earlier. The TACACS+ shared secret entered here for the device is the value the router's "key" command must match.

  • Screenshot: Adding a router to the Network Device Group

c. Now we will create the Identity Group whose members will be authenticated by the ACS Server

Users and Identity Stores > Identity Groups > Create

  • Screenshot: Creating the identity group (a user group)

d. We then create the users to be authenticated by the ACS Server, placing each one in the identity group created above

Users and Identity Stores > Internal Identity Stores > Users > Create

  • Screenshot: Creating users that will be authenticated on the ACS Server

e. Creating Access Policies (how users will be connected)

Access Policies > Access Services > Default Device Admin > Authorization

When creating an Access Policy we have to set the conditions that a user must meet
before they are granted access.

In the example below, we set two conditions that a session must satisfy: the "Identity Group"
(who they are) and the "Device Type" (what they are trying to connect to). Only when both
match is access granted, and the rule's result (the Shell Profile) sets the privilege level
the user receives.

  • Screenshot: Creating Access Policies

Now we can test whether our user can be authenticated by the ACS Server, using the command below:

R1#test aaa group tacacs+ cisco cisco123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated

The ACS Server has authenticated the username cisco with the password cisco123. Note that this command exercises authentication only; it does not test exec authorization (the EXMODE list and the Shell Profile returned by the ACS). To verify that end to end, open an SSH session as the user and check the privilege level you land in with "show privilege". If the test fails, "debug tacacs" together with "debug aaa authentication" shows the exchange from the router side.

Troubleshooting Authentication Failure

For easy troubleshooting, go to Monitoring and Reports and click on "Launch Monitoring
and Report Viewer". After I completed this lab I could not authenticate, so I set out to find out
what the problem was; these are the steps I took:

1. Go to Monitoring and Reports

  • Screenshot: Accessing Monitoring and Reports on ACS

2. Click on "Launch Monitoring and Report Viewer" (this takes you to Cisco Secure ACS
View).
3. On the sidebar on the left, click on "Reports" (this opens a new window).

  • Screenshot: Accessing Detailed Reports for troubleshooting

4. Under AAA Protocols, click on "TACACS Authentication" (or "RADIUS Authentication", depending on
which protocol you are authenticating with). Specify the time range the report should cover and click "Run".

  • Screenshot: Accessing TACACS Authentication Logs

5. The report is displayed and you can see the reason why you are not able to authenticate.

  • Screenshot: Viewing TACACS Authentication Logs

6. Click on a log entry for a detailed description.

From the log detail I was able to deduce the reason behind the authentication failure:

  • Mismatched Shared Secret (I had not set the shared key under the tacacs server configuration on the router)

Viewing the log detail helped me to rectify the problem.

  • Screenshot: the "Other Attributes", "Authentication Result" and "Steps" fields helped to troubleshoot the problem
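The failure above comes from the way TACACS+ protects the packet body. As an added example (not part of the original post and not ACS or IOS code), the following Python script builds an Authentication START packet the way a router would, obfuscates the body with the shared key as RFC 8907 specifies, and then decodes it as a server once with the right key and once with a wrong one. The session ID, port and remote address are constructed values, and the server-side check is this example's own: a wrong key turns the body into noise whose length fields no longer add up, which is the kind of inconsistency that makes the server reject the request before it ever sees a username.

```python
"""Added example, not from the original post: TACACS+ body obfuscation (RFC 8907 section 4.5)
and what a server sees when the shared key does not match. Session ID, port and remote
address below are constructed values."""
import hashlib
import struct

HEADER_FMT = "!BBBB4sI"                    # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes; the header is never obfuscated
TAC_PLUS_AUTHEN = 0x01                     # packet type: authentication
VERSION_PAP = 0xC1                         # major version 0xC, minor version 1 (minor 1 is required for PAP)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream per RFC 8907: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated to `length`."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. Applying it twice with the same inputs restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, key, session_id, port="tty0", rem_addr="192.168.137.1"):
    """Build an Authentication START packet the way the router (the TACACS+ client) would.
    PAP (authen_type 2) carries the password inside START; the ASCII login used by
    'test aaa ... legacy' sends it in a later CONTINUE instead, but the obfuscation is identical."""
    action, priv_lvl, authen_type, service = 0x01, 0x0F, 0x02, 0x01   # LOGIN, priv 15, PAP, LOGIN
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), len(d)]) + u + p + r + d
    seq_no, flags = 1, 0x00                # flags 0x00: body is obfuscated (UNENCRYPTED flag clear)
    header = struct.pack(HEADER_FMT, VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, seq_no)


def parse_authen_start(packet, key):
    """Act as the server: de-obfuscate with *our* copy of the key, then sanity-check the body.
    Because the header is sent in clear, a wrong key only shows up when the decoded length
    fields no longer account for the body length (this check is the example's own)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    raw = packet[HEADER_LEN:HEADER_LEN + length]
    if ptype != TAC_PLUS_AUTHEN or len(raw) != length or length < 8:
        return {"ok": False, "reason": "malformed header"}
    body = obfuscate(raw, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != length:
        return {"ok": False, "reason": "mismatched shared secret: decoded length fields do not match body length"}
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    user, port, rem, data = fields
    return {"ok": True, "user": user, "password": data, "priv_lvl": priv_lvl,
            "port": port, "rem_addr": rem, "authen_type": authen_type}


def demo(key_on_router=b"cisco123", key_on_acs=b"cisco123"):
    """Round trip with the key configured on each side; returns the server's view of the request."""
    session_id = bytes.fromhex("7a1b3c4d")   # constructed; a real client picks this at random
    pkt = build_authen_start("cisco", "cisco123", key_on_router, session_id)
    return parse_authen_start(pkt, key_on_acs)


if __name__ == "__main__":
    print("keys match:  ", demo())
    print("keys differ: ", demo(key_on_acs=b"cisco124"))
```

The important property is that nothing in the packet tells the server which key the client used: the header is plain, the body is an XOR against an MD5 keystream seeded with the key, and the only signal of a mismatch is that the decoded body is inconsistent. That is why the ACS report can name the problem (it found a body it could not parse) but cannot tell you which of the two keys was wrong.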
