Thursday, October 7, 2010

Cisco ACS 4.2:: Quick and easy way to admin devices via TACACS+

A quick template for Cisco ACS 4.2 TACACS+ administration for IOS devices.

On the IOS device (taken from a switch):

enable secret <SECRET>
no enable password
no username <ANY CURRENT USERS>
username panicuser secret 0 <PANIC USER PASSWORD>

ip tacacs source-interface <MANAGEMENT INT>

tacacs-server directed-request
tacacs-server key <SECRET>
tacacs-server host <ACS IP>

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization console

Log out of the IOS device and log back in with an ACS username, then add accounting:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
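As an added example (not part of the original post), the script below audits a running-config against the template above: it checks that the default login and enable method lists try TACACS+ first and keep a local fallback, that `enable password` is gone and a local `secret`-based user exists, that command authorization and accounting for level 15 go to TACACS+, and that no line applies a method list whose only method is `none` (the template defines `no-tacacs none` but does not bind it to any line; bound to a vty or console line it would skip authentication there). The two configs are constructed samples: the hashes, the key and the 192.0.2.10 server address are placeholders. One caveat worth remembering when reading the results: with `group tacacs+ local`, IOS only falls through to `local` when the TACACS+ server is unreachable, not when it rejects the credentials, so the panicuser is a reachability fallback and not a second password.

```python
"""Audit an IOS running-config for the TACACS+ AAA baseline (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample that follows the template (values are placeholders).
GOOD_CONFIG = """\
enable secret 5 $1$abcd$PLACEHOLDERHASH
username panicuser secret 5 $1$efgh$PLACEHOLDERHASH
ip tacacs source-interface Vlan100
tacacs-server directed-request
tacacs-server key 7 PLACEHOLDERKEY
tacacs-server host 192.0.2.10
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization console
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
line con 0
line vty 0 4
 login authentication default
"""

# Constructed sample that has drifted from the template in several ways.
DRIFTED_CONFIG = """\
enable password cleartextpw
enable secret 5 $1$abcd$PLACEHOLDERHASH
username olduser password 0 legacy123
tacacs-server host 192.0.2.10
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
line con 0
 login authentication no-tacacs
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and the sub-commands of each 'line ...' section."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented: belongs to the open section, if any
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        top.append(cmd)
        if cmd.startswith("line "):
            current = cmd
            sections[cmd] = []
    return top, sections


def _methods(tokens: List[str]) -> List[str]:
    """Join 'group <server-group>' token pairs so each AAA method is one string."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def auth_lists(top: List[str], kind: str) -> Dict[str, List[str]]:
    """Return {list_name: methods} for every 'aaa authentication <kind> ...' command."""
    lists = {}
    for cmd in top:
        parts = cmd.split()
        if parts[:3] == ["aaa", "authentication", kind] and len(parts) > 4:
            lists[parts[3]] = _methods(parts[4:])
    return lists


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config matches the template."""
    top, sections = parse_config(text)
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(c == prefix or c.startswith(prefix + " ") for c in top)

    if not has("aaa new-model"):
        findings.append("aaa new-model missing: method lists are not in effect")
    login = auth_lists(top, "login")
    default = login.get("default", [])
    if default[:1] != ["group tacacs+"]:
        findings.append("login default list does not try TACACS+ first")
    elif "local" not in default:
        findings.append("login default list has no local fallback for an unreachable ACS")
    enable = auth_lists(top, "enable").get("default", [])
    if enable[:1] != ["group tacacs+"] or "enable" not in enable:
        findings.append("enable default list should be 'group tacacs+ enable'")
    for required in ("tacacs-server host", "tacacs-server key", "enable secret"):
        if not has(required):
            findings.append(f"{required} missing")
    if has("enable password"):
        findings.append("enable password present: template requires 'no enable password'")
    secret_users = [m.group(1) for c in top if (m := re.match(r"username (\S+) .*\bsecret\b", c))]
    plain_users = [m.group(1) for c in top if (m := re.match(r"username (\S+) .*\bpassword\b", c))]
    if not secret_users:
        findings.append("no local fallback user configured with 'secret'")
    for user in plain_users:
        findings.append(f"user {user} uses 'password' (reversible or plaintext) instead of 'secret'")
    for needed in ("aaa authorization commands 15 default group tacacs+ local",
                   "aaa accounting exec default start-stop group tacacs+",
                   "aaa accounting commands 15 default start-stop group tacacs+"):
        if needed not in top:
            findings.append(f"missing: {needed}")
    # A list whose only method is 'none' performs no authentication; flag any line bound to one.
    open_lists = {name for name, methods in login.items() if methods == ["none"]}
    for section, subs in sections.items():
        for sub in subs:
            parts = sub.split()
            if parts[:2] == ["login", "authentication"] and len(parts) > 2 and parts[2] in open_lists:
                findings.append(f"{section} uses list '{parts[2]}' (method none): no authentication on that line")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Feed it the output of `show running-config` from a device to compare against the template; anything it reports for the good sample above is a bug in the checker, not in the device.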


Cisco ACS:

Interface Configuration -> TACACS+ (Cisco IOS) -> tick "Advanced TACACS+ Features" and "Display enable default (Undefined) service configuration"

Network Configuration -> AAA Clients -> Add Entry -> IOS device IP address / secret / TACACS+ (Cisco IOS)

Group Setup -> the group you want to use -> Rename Group -> a meaningful name (e.g. Networking Admins)

Group Setup -> Networking Admins -> Edit Settings:

-> Enable Options -> Level 15
-> TACACS+ Settings -> Shell (exec)
-> TACACS+ Settings -> Privilege level -> 15
-> TACACS+ Settings -> Shell Command Authorization Set -> Per Group Command Authorization -> Permit
-> Submit + Restart

User Setup -> name of the user to create -> Add/Edit

-> User Setup -> Password
-> User Setup -> Group to which the user is assigned: -> Networking Admins
-> Advanced TACACS+ Settings -> TACACS+ Enable Control: -> Use Group Level Setting
-> Advanced TACACS+ Settings -> TACACS+ Enable Password -> Use CiscoSecure PAP password
-> Submit

That's it. Now everything AAA-related goes to the TACACS+ server, and if the IOS device can't reach it, the panicuser account gives you local access to the device.
