Differences

This shows you the differences between two versions of the page.

--- network_stuff:cisco:acs [2016/02/05 20:45] – external edit 127.0.0.1
+++ network_stuff:cisco:acs [2023/11/02 14:38] (current) – external edit 127.0.0.1
@@ Line 5: / Line 5: @@
+ ACS
+Skip to end of metadata
+    Created by JAIME SANTOS , last modified on Mar 08, 2017
+Go to start of metadata
+Use IE from Orion server to access ACS
+To see logging..
+Monitoring and reports > Launch Monitoring and Report Viewer > Catalog > Access Service > Access_Service_Authentication_Summary
+Reports > Favorite
+Launch Monitoring and Rep. View > Monitoring and Reports > Reports > (report manager, you can export reports to kiwi ftp folder)
+Authentications - RADIUS - Today
+Access Policies
+Use Chrome(even if half of the menues are black) and always https://10.30.100.200/acsadmin/ (otherwise you won't be able to edit certains fields)
+    Check user groups in AD
+    Check the corresponing policy in: Access Policies >  CLIENT-AUTH-RADIUS-ACCESS > Authorization ... Here we can find the profile.
+    If the group is in the 'any of these' ldap groups, then we need to add it:
+        External Identity Stores > LDAP > Directory groups
+        To get the whole directory group string for a certain group, we can use PALO cli
+    Then we go back to Access Policies >  CLIENT-AUTH-RADIUS-ACCESS > Authorization and we add the group.
+Users and Identity Stores >  ... >  External Identity Stores >  LDAP >  Edit: "MKTX-LDAP" > Directory Attributes
+# Search for the user name. Find new group name:
+CN=RolePerm-ProdSupport - EU - Trax,OU=Role Permissions,OU=Groups,OU=Resources,DC=CORPORATE,DC=LOCAL
+Go to "Directory Attributes". Type it and add it.
+#Client AAA on the Cisco ASA
+#Authentication ACL to the Cisco ASA
+access-list CLIENT-AUTH-ACL extended permit tcp object-group CLIENT-AUTH-NETWORKS object CLIENT-AUTH-IP eq telnet
+object-group network CLIENT-AUTH-NETWORKS
+ network-object 10.8.19.0 255.255.255.0
+ network-object 10.8.20.0 255.255.254.0
+ network-object 10.8.26.0 255.255.255.0
+object network CLIENT-AUTH-IP
+ host 10.8.1.14
+ description CLIENT-AUTHENTICATION-IP-ADDRESS
+#AAA Configuration
+aaa authentication match CLIENT-AUTH-ACL corp MKTX_RADIUS
+aaa authentication match CLIENT-AUTH-ACL qa MKTX_RADIUS
+aaa authentication match CLIENT-AUTH-ACL guest MKTX_RADIUS
+**aaa-server MKTX_RADIUS protocol radius**
+**aaa-server MKTX_RADIUS (security) host 10.40.100.200**
+ timeout 15
+ key *****
+ **authentication-port 1812**
+ **accounting-port 1813**
+ proxy-auth_map sdi next-code ""
+aaa-server MKTX_RADIUS (corp) host 10.8.254.200
+ timeout 15
+ key *****
+#Authorisation has been configured on the Cisco ACS server
+Access services -> CLIENT-AUTH-RADIUS-ACCESS -> Authorisation
+There should be authorisation profiles for various teams and selecting one of the profiles reveal the Authorisation profile
+policy elements -> authorisation and permissions -> network access -> authorisation profiles -> select one of the authorisation profile -> where you can find the ACL uner Filter-ID ACL which correlates to the ACL on the ASA.
+----
+__RADIUS NAS ATTRIBUTES__
+\\
+[[http://deployingradius.com/book/concepts/nas.html]]
+\\
+This is normallly a file that needs to be placed in the radius servers (eg: ISE) so it accepts authentication messages from the client.

dokucama

User Tools

Site Tools

Differences

Page Tools