**Cisco ACS 5.x**

Check the video list here (all available on YouTube):\\
http://www.labminutes.com/store/cisco-acs-5x-video-bundle \\

**ACS**

Created by JAIME SANTOS, last modified on Mar 08, 2017

Use IE from the Orion server to access ACS.

To see logging:\\
Monitoring and Reports > Launch Monitoring and Report Viewer > Catalog > Access Service > Access_Service_Authentication_Summary\\
Reports > Favorite\\
Launch Monitoring and Report Viewer > Monitoring and Reports > Reports > (report manager; from here you can export reports to the Kiwi FTP folder) > Authentications - RADIUS - Today

**Access Policies**

Use Chrome (even if half of the menus render black) and always https://10.30.100.200/acsadmin/ (otherwise you won't be able to edit certain fields).

  - Check the user's groups in AD.
  - Check the corresponding policy in Access Policies > CLIENT-AUTH-RADIUS-ACCESS > Authorization ... Here we can find the profile.
  - If the group belongs in the 'any of these' LDAP groups of that rule, then we need to add it under External Identity Stores > LDAP > Directory Groups.
  - To get the whole directory group string (the group's distinguished name) for a certain group, we can use the PALO CLI.
  - Then we go back to Access Policies > CLIENT-AUTH-RADIUS-ACCESS > Authorization and add the group to the rule.

Users and Identity Stores > ... > External Identity Stores > LDAP > Edit: "MKTX-LDAP" > Directory Attributes\\
# Search for the user name. Find the new group name:\\
CN=RolePerm-ProdSupport - EU - Trax,OU=Role Permissions,OU=Groups,OU=Resources,DC=CORPORATE,DC=LOCAL\\
Go to "Directory Attributes", type it in and add it.
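The 'any of these' group rule above compares the user's AD group DNs against the directory groups configured in ACS, and a DN that was typed in with slightly different spacing or case is the usual reason a user lands in the wrong authorisation profile. The following is an added example (not from this wiki page and not ACS code) that shows how such a comparison has to normalise RFC 4514 distinguished names: unescaped commas separate RDNs, attribute types and (AD-style) values compare case-insensitively, whitespace around commas is ignored, but whitespace inside a value such as "ProdSupport - EU - Trax" is significant. The group DN is the one from the page; the other groups and the function names are constructed for the example.

```python
"""Added example: normalise LDAP group DNs and evaluate an ACS-style
"any of these" directory-group rule. Not part of the original page or of ACS.
All group lists below are constructed sample data (one DN copied from the page).
"""


def split_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs.

    Only an unescaped comma ends an RDN; a backslash escapes the next
    character (so 'Smith\\, John' keeps its comma). Leading/trailing
    whitespace of each RDN is dropped, internal whitespace is kept.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        # Attribute types are case-insensitive by definition.
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalise_dn(dn):
    """Canonical form for comparison. Assumption: AD-style matching, i.e.
    values are compared case-insensitively as well."""
    return ",".join("%s=%s" % (a, v.lower()) for a, v in split_dn(dn))


def matches_any_group(user_groups, policy_groups):
    """ACS 'any of these' rule: true if at least one of the user's groups
    is one of the directory groups selected in the policy rule."""
    policy = {normalise_dn(g) for g in policy_groups}
    return any(normalise_dn(g) in policy for g in user_groups)


# Constructed sample data: a user's memberOf list and the rule's group list.
USER_MEMBEROF = [
    "CN=RolePerm-ProdSupport - EU - Trax,OU=Role Permissions,OU=Groups,"
    "OU=Resources,DC=CORPORATE,DC=LOCAL",
    "CN=Domain Users,CN=Users,DC=CORPORATE,DC=LOCAL",
]
POLICY_GROUPS = [
    # Same group as typed into ACS with different case and extra spaces.
    "cn=RolePerm-ProdSupport - EU - Trax, ou=Role Permissions, ou=Groups, "
    "ou=Resources, dc=corporate, dc=local",
]

if __name__ == "__main__":
    print("user matches rule:", matches_any_group(USER_MEMBEROF, POLICY_GROUPS))
    print("escaped comma kept:", split_dn("CN=Smith\\, John,DC=x")[0])
```

Note that "RolePerm-ProdSupport-EU-Trax" (hyphens without spaces) does not match the page's group name; when a user unexpectedly fails the rule, compare the DN character by character rather than by eye.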
# Client AAA on the Cisco ASA

# Authentication ACL on the Cisco ASA (the objects have to exist before the ACL can reference them)
<code>
object-group network CLIENT-AUTH-NETWORKS
 network-object 10.8.19.0 255.255.255.0
 network-object 10.8.20.0 255.255.254.0
 network-object 10.8.26.0 255.255.255.0
object network CLIENT-AUTH-IP
 host 10.8.1.14
 description CLIENT-AUTHENTICATION-IP-ADDRESS
access-list CLIENT-AUTH-ACL extended permit tcp object-group CLIENT-AUTH-NETWORKS object CLIENT-AUTH-IP eq telnet
</code>

# AAA Configuration
<code>
aaa authentication match CLIENT-AUTH-ACL corp MKTX_RADIUS
aaa authentication match CLIENT-AUTH-ACL qa MKTX_RADIUS
aaa authentication match CLIENT-AUTH-ACL guest MKTX_RADIUS
aaa-server MKTX_RADIUS protocol radius
aaa-server MKTX_RADIUS (security) host 10.40.100.200
 timeout 15
 key *****
 authentication-port 1812
 accounting-port 1813
 proxy-auth_map sdi next-code ""
aaa-server MKTX_RADIUS (corp) host 10.8.254.200
 timeout 15
 key *****
</code>

# Authorisation has been configured on the Cisco ACS server

Access Services -> CLIENT-AUTH-RADIUS-ACCESS -> Authorisation: there are authorisation profiles for the various teams, and selecting one of them reveals the authorisation profile that the rule assigns.

Policy Elements -> Authorisation and Permissions -> Network Access -> Authorisation Profiles -> select one of the authorisation profiles. Here you can find the ACL name under Filter-ID ACL; it corresponds to the ACL configured on the ASA.

----

__RADIUS NAS ATTRIBUTES__ \\
[[http://deployingradius.com/book/concepts/nas.html]] \\
The NAS definition (the client's address and its shared secret) is normally a file or configuration entry on the RADIUS server (e.g. ISE); without it the server will not accept authentication messages from that client.
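Two things in the configuration above decide whether a user gets the right ACL: the shared "key" on the aaa-server host entry, and the Filter-Id value in the ACS authorisation profile. The following is an added example (not from this wiki page, and not ASA or ACS code) that shows the RADIUS side of that: an Access-Accept carries the ACL name as Filter-Id (RADIUS attribute type 11), and the NAS only trusts the reply if the Response Authenticator, an MD5 over the packet plus the shared secret, verifies. The shared secret, request authenticator, packet identifier and ACL name used below are constructed test values (the page's real key is redacted as *****), and the function names are this example's own.

```python
"""Added example: build and verify a RADIUS Access-Accept that carries a
Filter-Id (ACL name) for the NAS. Not part of the original page, ASA or ACS.
Follows RFC 2865: Response Authenticator =
MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
All values below are constructed test data.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11          # RFC 2865 attribute type for Filter-Id


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS AVPs: Type, Length, Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value does not fit in one AVP")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_accept(ident, request_auth, secret, attrs):
    """What the RADIUS server sends back for a successful authentication."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data):
    """Walk the AVP list defensively; reject truncated or zero-length AVPs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_and_extract_acl(packet, request_auth, secret):
    """NAS-side check: return the Filter-Id ACL name only if the reply is an
    Access-Accept whose Response Authenticator verifies under our secret.
    Returns None for anything that should be dropped."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                      # wrong key or tampered reply
    for attr_type, value in parse_attrs(body):
        if attr_type == ATTR_FILTER_ID:
            return value.decode("ascii", errors="replace")
    return None                          # authentic, but no ACL assigned


# Constructed test values (not the page's real key or a real ACL name).
SECRET = b"constructed-shared-key"
REQUEST_AUTH = bytes(range(16))          # the NAS picked this for its request
ACL_NAME = b"PRODSUPPORT-EU-ACL"

if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTH, SECRET, [(ATTR_FILTER_ID, ACL_NAME)])
    print("ACL with correct key :", verify_and_extract_acl(reply, REQUEST_AUTH, SECRET))
    print("ACL with wrong key   :", verify_and_extract_acl(reply, REQUEST_AUTH, b"other"))
```

A key mismatch between the aaa-server entry and the NAS definition on the server therefore does not produce a "wrong ACL"; the reply simply fails verification and the user sees a timeout or denial, which is the first thing to check when cut-through proxy stops working after a server-side change.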