
Cisco ACS 5 Integration with Microsoft Active Directory


shadowmac

Steps to integrate ACS with AD

  • Windows Server 2008 configuration
    • Synchronize with time server using NTP
    • Create Cisco Administrators security group
    • Assign users to created security group
  • Cisco ACS configuration
    • Synchronize with time server using NTP
    • Define correct DNS
    • Define AD connection and Security Group mapping
    • Define Shell Profile
    • Define Access Policy – Edit Default Device Admin
    • Identity
    • Authorization
    • Define Access Policy – Define Service Selection Rule
  • Cisco router configuration for AAA support
  • Windows Server 2008 configuration - Synchronize with time server using NTP
    • Log into your PDC Server and open the command prompt
    • Stop the W32Time service: (C:\net stop w32time)
    • Configure the external time sources: (c:\w32tm /config /syncfromflags:manual /manualpeerlist:"192.168.1.5")
    • Make your PDC a reliable time source for the clients: (c:\w32tm /config /reliable:yes)
    • Start the W32Time Service: (C:\net start w32time)
    • The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: c:\w32tm /query /configuration
    • Check the Event Viewer for any errors
  • Windows Server 2008 configuration - Create Cisco Administrators security group
  • Windows Server 2008 configuration - Assign users to created security group
    • Click on user and then click on Member of Tab
    • Click Add
    • Type in the created security group
    • Click on Check Names to verify, then click OK and OK again to close user.
  • Cisco ACS configuration - Synchronize with time server using NTP
    • enter on ACS CLI: clock timezone US/Eastern (verify by typing: show clock)
      Available US time zone values: US/Indiana-Starke, US/Pacific, US/Michigan, US/Mountain, US/Central, US/Samoa, US/Arizona, US/Eastern, US/Alaska, US/East-Indiana, US/Hawaii, US/Aleutian
    • enter on ACS CLI: ntp server 192.168.1.5 (verify by typing: show ntp)
  • Cisco ACS configuration - Define correct DNS
    • enter on ACS CLI: ip name-server 192.168.2.6 (verify by typing: ping dc.mywiseguys.com)
  • Cisco ACS configuration - Define AD connection and Security Group mapping
  • browse to Users and Identity Stores - External Identity Stores - Active Directory
  • Enter:
    • General Tab: Active Directory Domain Name
    • General Tab: Credentials used to join this machine to the AD domain (username and password) - Click Test Connection to verify.
      NOTE1: The password must not contain certain special characters such as #, $ or ", which do not work on Cisco devices.
      NOTE2: Predefined user in AD. The AD account required for domain access in ACS should have either the "Add workstations to domain" user right in the corresponding domain, OR the "Create Computer Objects" or "Delete Computer Objects" permission on the corresponding computers container where the ACS machine's account is pre-created (created before joining the ACS machine to the domain). We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account, because if you enter a wrong password, ACS will not create or modify its machine account when necessary and may therefore deny all authentications.
    • General Tab: Click Save
    • General Tab: Look at bottom under Connection Status and verify it says CONNECTED
    • Directory Groups: click Select and place checkmark in created security group and click OK
    • Directory Groups: click Save
  • Cisco ACS configuration - Define Shell Profile
  • browse to Policy Elements - Authorization & Permissions - Device Administration - Shell Profiles
  • click Create
    • General Tab: Name = ENABLE
    • Common Tasks Tab: Default Privilege = Static Value = 15
    • Click Submit
  • browse to Access Policies - Default Device Admin - Identity
    • Click Select and choose AD1 (gets created automatically once the connection to AD was established)
    • Click OK
    • Click Save Changes
  • browse to Access Policies - Default Device Admin - Authorization
    • Click on Customize
    • Select Compound Condition and click on arrow to move to the right (Compound Condition allows us to select AD group during policy/rule creation)
    • Click OK
    • Place a checkmark next to a rule and click Edit
    • Uncheck any checkmarks and place a checkmark next to Compound Condition
    • Now you can select AD-AD1 from the Dictionary
    • Select attribute: External Groups
    • Select Value: your security group you created earlier and click OK
    • Under Current Condition Set click on Add V
    • Under Results click Select and choose the Shell Policy you created earlier (ENABLE) and click OK and click OK again to close
    • Click Save Changes
  • browse to Access Policies - Service Selection Rules
    • Select Rule based result selection and click OK to warning if it pops up
    • Click Create (notice you only have Compound Condition) click Cancel
    • Click Customize
    • Click Protocol and click on the arrow to move it to the right then click OK
    • Click Create
    • Place a checkmark next to Protocol, match, and click Select; choose TACACS and click OK
    • Change Results to Default Device Admin and Click OK
    • Click Save Changes
  • browse to Network Resources - Network Devices and AAA Clients
    • Click Create
    • Enter a Name
    • Place a checkmark next to TACACS and enter shared secret
    • Enter IP Address
    • Click Submit
  • Configure Cisco IOS to connect
    • enter: aaa new-model
    • enter: aaa authentication login default group tacacs+ local
    • enter: aaa authorization exec default group tacacs+ local
    • enter: aaa authorization console
    • enter: tacacs-server host 192.168.2.201
    • enter: tacacs-server key cisco
    • enter: debug aaa authentication
    • enter: debug tacacs
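As an added example (not part of the original post): a small Python linter that checks an IOS running-config excerpt for the AAA/TACACS+ lines entered in the last section above, and flags a cleartext or well-known placeholder shared secret and a method list without the "local" fallback. The sample configs are constructed, and the placeholder-key list is an assumption of this example.

```python
import re

# Config-mode AAA commands the guide enters (the two "debug" lines are exec-mode, not config).
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "login authentication via TACACS+": r"^aaa authentication login default group tacacs\+",
    "exec authorization via TACACS+": r"^aaa authorization exec default group tacacs\+",
    "console authorization": r"^aaa authorization console$",
    "tacacs-server host": r"^tacacs-server host \S+",
    "tacacs-server key": r"^tacacs-server key .+",
}
# Well-known placeholder secrets (illustrative list, an assumption of this example).
PLACEHOLDER_KEYS = {"cisco", "tacacs", "secret", "password", "key"}

def lint_aaa_config(config_text):
    """Return (missing_steps, warnings) for an IOS running-config excerpt."""
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    missing = [step for step, pat in REQUIRED.items()
               if not any(re.match(pat, ln) for ln in lines)]
    warnings = []
    for ln in lines:
        key = re.match(r"^tacacs-server key (?:([07]) )?(.+)$", ln)
        if key and key.group(1) != "7":  # type 7 = obfuscated by service password-encryption
            warnings.append("tacacs-server key is stored in cleartext (type 0)")
            if key.group(2).lower() in PLACEHOLDER_KEYS:
                warnings.append(f"tacacs-server key '{key.group(2)}' is a well-known placeholder")
        # Both default method lists should end in "local" so a TACACS+ outage
        # (or TCP/49 blocked by a firewall) does not lock every administrator out.
        if (re.match(r"^aaa (authentication login|authorization exec) default group tacacs\+", ln)
                and ln.split()[-1] != "local"):
            warnings.append(f"no local fallback on: {ln}")
    return missing, warnings

# Constructed samples: the guide's commands verbatim, and a weakened variant.
GUIDE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization console
tacacs-server host 192.168.2.201
tacacs-server key cisco
"""
WEAK_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 192.168.2.201
tacacs-server key 7 0822455D0A16
"""
```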



Cisco ACS requires the following ports to function:

  Service Name                                                  UDP     TCP
  DHCP                                                          68      -
  RADIUS Authentication and Authorization (original draft RFC)  1645    -
  RADIUS Accounting (original draft RFC)                        1646    -
  RADIUS Authentication and Authorization (revised draft RFC)   1812    -
  RADIUS Accounting (revised draft RFC)                         1813    -
  TACACS+ AAA                                                   -       49
  Replication and RDBMS Synchronization                         -       2000
  Cisco Secure ACS Remote Logging                               -       2001
  Cisco Secure ACS Distributed Logging (appliance only)         -       2003
  HTTP Administrative Access (at login)                         -       2002
  Administrative Access (after login) Port Range                -       Configurable (default 1024-65535)*

