Cisco ACS 5.x
Check video list here (all available in youtube):
http://www.labminutes.com/store/cisco-acs-5x-video-bundle
ACS
Created by JAIME SANTOS, last modified on Mar 08, 2017
Use IE from the Orion server to access ACS. To see logging:
Monitoring and reports > Launch Monitoring and Report Viewer > Catalog > Access Service > Access_Service_Authentication_Summary
Reports > Favorite
Launch Monitoring and Rep. View > Monitoring and Reports > Reports > (report manager, you can export reports to kiwi ftp folder)
Authentications - RADIUS - Today Access Policies
Use Chrome (even if half of the menus are black) and always https://10.30.100.200/acsadmin/ (otherwise you won't be able to edit certain fields).
Check user groups in AD
Check the corresponding policy in: Access Policies > CLIENT-AUTH-RADIUS-ACCESS > Authorization. Here we can find the profile.
If the group is matched under the 'any of these' LDAP groups condition, then we need to add it:
External Identity Stores > LDAP > Directory groups
To get the full directory group string for a given group, we can use the PALO CLI.
Then we go back to Access Policies > CLIENT-AUTH-RADIUS-ACCESS > Authorization and we add the group.
Users and Identity Stores > … > External Identity Stores > LDAP > Edit: “MKTX-LDAP” > Directory Attributes
# Search for the user name and find the new group name:
CN=RolePerm-ProdSupport - EU - Trax,OU=Role Permissions,OU=Groups,OU=Resources,DC=CORPORATE,DC=LOCAL
Go to “Directory Attributes”. Type it and add it.
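As an added example (not from the original page, and not Cisco's code), the following Python models the check the notes above describe: it compares a user's AD group DNs against the ACS Directory groups list and the 'any of these' authorization rules, resolves the matching profile to its Filter-ID ACL, and reports any rule group ACS has not been told about. All group names and profiles other than the one quoted above are constructed.

```python
import re

# Constructed sample data (hypothetical values, not the page's ACS export).
# Groups ACS has been told about: External Identity Stores > LDAP > Directory groups.
ACS_DIRECTORY_GROUPS = [
    "CN=RolePerm-ProdSupport - EU - Trax,OU=Role Permissions,OU=Groups,"
    "OU=Resources,DC=CORPORATE,DC=LOCAL",
    "CN=NetOps,OU=Groups,OU=Resources,DC=CORPORATE,DC=LOCAL",
]
# Authorization rules under CLIENT-AUTH-RADIUS-ACCESS: 'any of these' LDAP
# groups -> authorization profile; ACS applies the first rule that matches.
ACS_AUTHZ_RULES = [
    ({"CN=NetOps,OU=Groups,OU=Resources,DC=CORPORATE,DC=LOCAL"}, "NETOPS-PROFILE"),
    ({"CN=RolePerm-ProdSupport - EU - Trax,OU=Role Permissions,OU=Groups,"
      "OU=Resources,DC=CORPORATE,DC=LOCAL"}, "PRODSUPPORT-PROFILE"),
    ({"CN=QA-Team,OU=Groups,OU=Resources,DC=CORPORATE,DC=LOCAL"}, "QA-PROFILE"),
]
# Authorization profile -> Filter-ID, i.e. the name of the ACL the ASA applies.
ACS_PROFILES = {"NETOPS-PROFILE": "NETOPS-ACL",
                "PRODSUPPORT-PROFILE": "PRODSUPPORT-ACL", "QA-PROFILE": "QA-ACL"}


def normalize_dn(dn):
    """Canonical form for comparing AD DNs: split on unescaped commas, then
    lowercase attribute types and values and trim blanks around each RDN.
    Group strings copied from different tools often differ only in this."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def missing_directory_groups():
    """Groups referenced by a rule but absent from Directory groups: a user in
    one of these never matches, which is the case the notes above fix."""
    known = {normalize_dn(g) for g in ACS_DIRECTORY_GROUPS}
    return [g for groups, _ in ACS_AUTHZ_RULES
            for g in sorted(groups) if normalize_dn(g) not in known]


def evaluate(user_groups):
    """Return (profile, Filter-ID ACL) the first matching rule assigns to a
    user with these memberOf DNs, or (None, None) when no rule matches."""
    known = {normalize_dn(g) for g in ACS_DIRECTORY_GROUPS}
    member = {normalize_dn(g) for g in user_groups} & known  # ACS sees only known groups
    for groups, profile in ACS_AUTHZ_RULES:
        if any(normalize_dn(g) in member for g in groups):
            return profile, ACS_PROFILES[profile]
    return None, None
```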
#Client AAA on the Cisco ASA
#Authentication ACL to the Cisco ASA
access-list CLIENT-AUTH-ACL extended permit tcp object-group CLIENT-AUTH-NETWORKS object CLIENT-AUTH-IP eq telnet
object-group network CLIENT-AUTH-NETWORKS
network-object 10.8.19.0 255.255.255.0
network-object 10.8.20.0 255.255.254.0
network-object 10.8.26.0 255.255.255.0
object network CLIENT-AUTH-IP
host 10.8.1.14
description CLIENT-AUTHENTICATION-IP-ADDRESS
#AAA Configuration
aaa authentication match CLIENT-AUTH-ACL corp MKTX_RADIUS
aaa authentication match CLIENT-AUTH-ACL qa MKTX_RADIUS
aaa authentication match CLIENT-AUTH-ACL guest MKTX_RADIUS
aaa-server MKTX_RADIUS protocol radius
aaa-server MKTX_RADIUS (security) host 10.40.100.200
timeout 15
key *
authentication-port 1812
accounting-port 1813
proxy-auth_map sdi next-code ""
aaa-server MKTX_RADIUS (corp) host 10.8.254.200
timeout 15
key *
authentication-port 1812
accounting-port 1813
proxy-auth_map sdi next-code ""
aaa-server MKTX_RADIUS (security) host 10.30.100.200
timeout 15
key *
#Authorisation has been configured on the Cisco ACS server
Access services → CLIENT-AUTH-RADIUS-ACCESS → Authorisation
There should be authorisation profiles for the various teams; selecting one of the profiles reveals the authorisation profile:
Policy Elements → Authorisation and Permissions → Network Access → Authorisation Profiles → select one of the authorisation profiles. There you can find the ACL under Filter-ID ACL, which corresponds to the ACL on the ASA.
RADIUS NAS ATTRIBUTES
http://deployingradius.com/book/concepts/nas.html
This is normally a file that needs to be placed on the RADIUS servers (e.g. ISE) so they accept authentication messages from the client.