Cisco ACS – Basic Setup

A start-to-finish setup of Cisco ACS (version 5.5 was used), including a "n00b-status" identity group with restricted command sets and MAC Authentication Bypass (MAB). Active Directory look-up will be added later. 😉

Initial Setup

  1. Load VM image or ISO to appliance
  2. Follow setup prompts – document the password!

Upgrading Cisco ACS

  1. Login to the CLI with acsadmin
  2. Create a repository
  3. Start the upgrade

TACACS Setup

  1. Log into ACS with acsadmin
  2. Set Login Banner under “My Workspace > Login Banner”
  3. Set Login Prompts under “System Administration > Configuration > Global System Options > TACACS+ Settings”
    1. Change Username / Password Prompts to “ACS Username” and “ACS Password”
  4. Create Locations under “Network Resources > Network Device Groups > Location”
  5. Create Device Types under “Network Resources > Network Device Groups > Device Type”
    1. Create a “Switch” device type.
  6. Create Device under “Network Resources > Network Device Groups > Network Devices and AAA Clients”
    1. Select proper location and device type
    2. Input TACACS info
  7. Create Identity Group under “Users and Identity Stores > Identity Group”
    1. Create one named “Local Device Admin”
    2. Create one named “Noob Status” for optional future use in restricting commands
  8. Create Users under “Users and Identity Stores > Internal Identity Stores > Users”
    1. Assign to identity group
  9. Create Shell Profile under “Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles”
    1. For name, be descriptive (PRIV15_MAX15)
    2. Under common tasks tab
      1. Default privilege – static, value – 15
      2. Max privilege – static, value – 15
  10. Create Access Service under “Access Policies > Access Services”
    1. Create one for device admin called “DEVICE-ADMIN”
    2. Choose “User Selected Service Type” and “Device Administration” from the drop-down
    3. Only Check “Identity” and “Authorization”
    4. Click Next
    5. Uncheck Process Host Lookup
    6. Check only PAP/ASCII
    7. Choose Yes to modify Service Selection Policy – This takes you to the Service Selection rule page
    8. Click Create
    9. Check Protocol and match TACACS
    10. Choose “DEVICE-ADMIN” for the Service
  11. Modify Authorization Policy Under “Access Policies > Access Services > DEVICE-ADMIN > Authorization”
    1. Click “Customize”
    2. Remove “Compound Condition”
    3. Add “Protocol” and “Identity Group”
    4. Remove “Command Sets”
    5. Click OK
    6. Click Create
    7. Choose TACACS for “Protocol”
    8. Choose “Local Device Admin” for “Identity Group”
    9. Click “Default” and modify the default rule to “DenyAccess”

Switch Configuration

  1. TACACS Config
    1. 3750/3850 etc.
    2. ASA
  2. Test TACACS from CLI
  3. Test TACACS with SSH
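The switch-side configuration the three items above refer to, as an added example that is not the post's own config. It assumes a constructed ACS address of 192.0.2.10, a placeholder shared secret (TACACS-SECRET), Vlan1 as the management interface, and a 3750/3850 IOS image that supports the `tacacs server` block syntax (older images use `tacacs-server host <ip> key <secret>` instead). The `local` fallback at the end of each method list keeps a dead or unreachable ACS from locking you out; ACS is always tried first while it answers.

```cisco
! ===== IOS (3750/3850): TACACS+ login, exec authorization, accounting =====
! Constructed values: 192.0.2.10 is the ACS server, TACACS-SECRET is a placeholder.
! Keep a local privilege-15 user so an unreachable ACS cannot lock you out.
username localadmin privilege 15 secret <strong-local-password>
aaa new-model
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key TACACS-SECRET
!
aaa group server tacacs+ ACS-TACACS
 server name ACS-PRIMARY
!
! Try ACS first; fall back to the local database only when no ACS server answers.
aaa authentication login default group ACS-TACACS local
aaa authentication enable default group ACS-TACACS enable
! Exec authorization is what delivers the PRIV15_MAX15 shell profile (privilege level 15).
aaa authorization exec default group ACS-TACACS local
aaa accounting exec default start-stop group ACS-TACACS
! Source TACACS+ packets from the address registered in ACS as the AAA client
! (Vlan1 is an assumption; use whatever address you entered under Network Devices).
ip tacacs source-interface Vlan1
!
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
!
! --- Step 2: test TACACS from the switch CLI ---
! 'legacy' sends a plain ASCII login, which matches the PAP/ASCII setting in the
! DEVICE-ADMIN access service; a working setup answers "User successfully authenticated".
! test aaa group ACS-TACACS <acs-user> <acs-password> legacy
! show tacacs      -> socket state and per-server request/failure counters
!
! ===== ASA: the same design in ASA syntax =====
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key TACACS-SECRET
! LOCAL after the server tag = fall back to local users only if ACS is unreachable.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
aaa authentication http console ACS-TACACS LOCAL
! Apply the privilege level returned by the ACS shell profile to the session.
aaa authorization exec authentication-server
aaa accounting ssh console ACS-TACACS
! Test from the ASA CLI before relying on it for your own SSH session:
! test aaa-server authentication ACS-TACACS host 192.0.2.10 username <acs-user> password <acs-password>
```

Do the step 3 SSH test from a second session while your existing session stays open; if the login fails, check `show tacacs` on the switch and the ACS "Monitoring and Reports" log for a key mismatch or an AAA client address that does not match the source interface.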

Setup Command Authorization

  1. Create Command Sets under “Policy Elements > Authorization and Permissions > Device Administration > Command Sets”
    1. Create a Permit All set
      1. Click “Create”
      2. Enter “PERMIT_ALL” for Name
      3. Check “Permit any command that is not in the table below”
      4. Click “Submit”
    2. Create a command set for “show” commands only
      1. Click “Create”
      2. Enter “SHOW_ONLY” for Name
      3. Enter “show” into “Command:” field
      4. Click the “Add^” button
      5. OPTIONALLY: deny “show running-config”
        1. Change “Grant” to “Deny”
        2. Enter “show” into “Command:” field and “running-config” in the “Arguments:” field
        3. Click the “Add^” button
        4. Move it to the top with the up arrow beside the list of commands
      6. Click “Submit”
    3. Create a command set for “show and shut/no shut” commands only
      1. Click “Create”
      2. Enter “SHOW_SHUT_ONLY” for Name
      3. Enter “show” into “Command:” field and click the “Add^” button
      4. Enter “configure” into “Command:” field and “terminal” in the “Arguments:” field
      5. Click the “Add^” button
      6. Enter “interface” into “Command:” field
      7. Click the “Add^” button
      8. Enter “shutdown” into “Command:” field
      9. Click the “Add^” button
      10. Enter “no” into “Command:” field and “shutdown” in the “Arguments:” field
      11. Click the “Add^” button
      12. Enter “end” into “Command:” field
      13. Click the “Add^” button
      14. Enter “exit” into “Command:” field
      15. Click the “Add^” button
      16. Click “Submit”
  2. Modify Command Sets Under “Access Policies > Access Services > DEVICE-ADMIN > Authorization”
    1. Click “Customize”
    2. Below “Customize Results”, add “Command Sets” to “Selected:”
    3. Click OK
    4. Click “Rule-1” (the rule for Privilege 15 Admins)
    5. Under “Command Sets:”, click “Deselect” to remove “DenyAllCommands”
    6. Click “Select”
    7. Check “PERMIT_ALL”
    8. Click “OK”
    9. Repeat steps 1 through 8 for any other Privilege 15 Admin rules
  3. Modify Rule Authorizations Under “Access Policies > Access Services > DEVICE-ADMIN > Authorization”
    1. Check the box next to the Local Admin Rule (Rule-1)
    2. Click “Duplicate” and click “Duplicate Below”
    3. Name the rule “Noob Status Rule”
    4. Change the Identity group to “Noob Status”
    5. Under “Command Sets:”, click “Deselect” to remove “PERMIT_ALL”
    6. Click “Select”
    7. Check the Command Set you want to apply.
    8. Click “OK”
  4. Switch Setup
    1. 3750
    2. ASA
  5. Test it
    1. SSH into the switch with a Noob Status account
    2. Try commands that should and should not be allowed.
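The switch-side half of command authorization, as an added example rather than the post's own config. It assumes the TACACS+ base config already exists with a server group named ACS-TACACS and a `local` fallback, and that the interface and address values are constructed. One caveat worth keeping in mind: the "Noob Status Rule" was duplicated from Rule-1, so it still hands out the PRIV15_MAX15 shell profile and the user lands at privilege 15. The restriction comes entirely from the command set, and the command set is only consulted if the switch actually sends each command to ACS, which is what the lines below turn on.

```cisco
! ===== IOS: command authorization on top of the TACACS+ base config =====
! Every command typed at privilege 1 or 15 is sent to ACS for a permit/deny decision
! before it runs; ACS answers from the command set attached to the Authorization
! rule that matched the user's identity group (PERMIT_ALL, SHOW_ONLY, ...).
aaa authorization commands 1 default group ACS-TACACS local
aaa authorization commands 15 default group ACS-TACACS local
! Without this line, commands entered inside configure mode are NOT authorized,
! so a SHOW_ONLY user who reached config mode could still change things.
aaa authorization config-commands
! Account every privilege-15 command so the ACS reports show what each admin ran.
aaa accounting commands 15 default start-stop group ACS-TACACS
!
line vty 0 15
 authorization commands 1 default
 authorization commands 15 default
!
! --- Step 5: expected behaviour when testing over SSH ---
! SHOW_ONLY user (ACS evaluates command-set rows top down, first match wins):
!   show interfaces status   -> allowed (matches "show" with any arguments)
!   show running-config      -> "Command authorization failed." only when the
!                               Deny row was moved above the Permit "show" row
!   configure terminal       -> "Command authorization failed."
! SHOW_SHUT_ONLY user:
!   configure terminal / interface GigabitEthernet1/0/5 / shutdown / no shutdown / end
!                            -> allowed, each as a separate authorization request
!   ip address 10.0.0.1 255.255.255.0 (inside interface mode)
!                            -> denied: it is not in the set and config-commands
!                               are authorized too
!
! ===== ASA: command authorization =====
! Keep the LOCAL fallback here as well, or a lost ACS session leaves you unable
! to run anything at all.
aaa authorization command ACS-TACACS LOCAL
aaa accounting command ACS-TACACS
```

Apply the `aaa authorization commands` lines from a session you have already verified can run commands under the PERMIT_ALL set; if ACS rejects everything after the change, the ACS-side symptom is usually that the matched rule still carries "DenyAllCommands" (step 2 above was skipped for that rule).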

Wired MAB (MAC Authentication Bypass)

  1. Gather all MAC addresses that will need to be added
    1. Categorize by type (workstation, VoIP, Printer, VTC, Thin Client, Taclane, etc.)
    2. Create Identity Group under “Users and Identity Stores > Identity Group”
      1. Create one named “Network Access Group”
      2. Create one for each device type and for “Parent:” choose “Network Access Group”
    3. Create Hosts under “Users and Identity Stores > Internal Identity Stores > Hosts”
      1. Click “Create”
      2. Enter the MAC (Format doesn’t matter, it will convert it)
      3. Enter an accurate description (Building/Rm/Location, Unit, Model, etc)
      4. Select the appropriate Identity Group
      5. Click “Submit”
    4. Create DACLs under “Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs”
      1. Create one for each device type
        1. Click “Create”
        2. Enter a descriptive name, Example: “PRINTER_DACL” or “VTC_DACL”
        3. Paste a copied ACL from a switch (to prevent errors) in the “DACL Content” field
          1. OR: To permit all, just enter “permit ip any any”
        4. Click “Submit”
    5. Create Authz Profiles under “Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles”
      1. Create one for each device type
        1. Click “Create”
        2. Enter a descriptive name, Example: “PRINTER_AUTH” or “VTC_AUTH”
        3. Go to the “Common Tasks” tab
        4. Under ACLS, for “Downloadable ACL Name:” select “Static”
        5. For “Value” select the appropriate ACL for the device type.
        6. Click “Submit”
    6. Create the Access Service under “Access Policies > Access Services”
      1. Click “Create”
      2. Enter “NETWORK-ACCESS-WIRED” for Name
      3. Choose “User Selected Service Type” and “Network Access” from the drop-down
      4. Only Check “Identity” and “Authorization”
      5. Click Next
      6. Keep “Process Host Lookup” checked
      7. OPTIONAL: for dot1x, check “EAP-TLS” and “PEAP”.
        1. Additionally check “EAP-MSCHAPv2” under “PEAP”
        2. Check preferred EAP protocol and select “EAP-TLS”
      8. Choose Yes to modify Service Selection Policy – This takes you to the Service Selection rule page
      9. Click “Customize”
      10. Move “NDG:Device Type” to the “Selected:” box
      11. Click “OK”
      12. Click “Create”
      13. Name the Rule “NETWORK-ACCESS-WIRED-RULE”
      14. For “Protocol:” select “Radius”
      15. For “NDG:Device Type” select “Switch”
      16. For “Service:” select “NETWORK-ACCESS-WIRED”
    7. Create identity rules under “Access Policies > Access Services > NETWORK-ACCESS-WIRED > Identity”
      1. For “Identity Source:” choose “Internal Hosts”
      2. OPTIONAL: for dot1x, select “Rule based result selection”
        1. Click “Create”
        2. Name the rule “WIRED-MAB-ID-RULE”
        3. Select “Compound Condition:”
        4. For “Dictionary:” select “RADIUS-IETF”
        5. For “Attribute:” select “Service-Type”
        6. For “Value:” select “Call Check”
        7. Click “Add”
        8. For “Identity Source:” select “Internal Hosts”
        9. Click “OK”
        10. Click “Save Changes”
    8. Create authorization rules under “Access Policies > Access Services > NETWORK-ACCESS-WIRED > Authorization”
      1. Create a rule for each device type
        1. Click “Create”
        2. Name the rule “”
        3. For “Dictionary:” select “RADIUS-IETF”
        4. For “Attribute:” select “Service-Type”
        5. For “Value:” select “Call Check”
        6. Click “Add”
        7. OPTIONAL: if Wireless MAB is to be implemented:
          1. Change “Attribute:” to “NAS-Port-Type”
          2. For “Value:” select “Ethernet”
          3. Click “Add” and select “Add to selected with And”
        8. For “Authorization Profiles:” select the appropriate profile.
        9. Click “OK”
        10. Click the “Default” rule
        11. Click “Select” and choose “DenyAccess”
        12. Click “OK”
        13. Click “Save Changes”

Switch Configuration

  1. AAA and Radius Switch Config
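The AAA and RADIUS switch configuration the item above refers to, as an added example that is not the post's own config. It assumes a constructed ACS address of 192.0.2.10, a placeholder shared secret (RADIUS-SECRET), Vlan1 as the source interface, GigabitEthernet1/0/10 as a printer port in VLAN 20, and an IOS 15.x image with the `radius server` block syntax (older images use `radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <secret>`). The switch must also be entered in ACS under Network Devices with the same RADIUS secret and the "Switch" device type, because the NETWORK-ACCESS-WIRED-RULE matches on NDG:Device Type.

```cisco
! ===== IOS (3750/3850): RADIUS + MAB with downloadable ACLs =====
! Constructed values: 192.0.2.10 = ACS, RADIUS-SECRET = placeholder shared secret,
! Gi1/0/10 = an access port for a printer in VLAN 20.
aaa new-model
!
radius server ACS-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SECRET
!
aaa group server radius ACS-RAD
 server name ACS-RADIUS
!
! MAB requests use the dot1x authentication list even when 802.1X itself is not deployed.
aaa authentication dot1x default group ACS-RAD
! 'network' authorization is what lets the switch accept the DACL returned by the
! NETWORK-ACCESS-WIRED authorization profile; without it MAB succeeds but
! PRINTER_DACL is never applied and the port is open to any traffic.
aaa authorization network default group ACS-RAD
aaa accounting dot1x default start-stop group ACS-RAD
!
! The dACL name arrives in a Cisco VSA, and device tracking learns the host's IP so the
! switch can substitute it into the downloaded ACL.
radius-server vsa send authentication
radius-server vsa send accounting
ip device tracking
! Global switch: required before any port will run MAB or 802.1X.
dot1x system-auth-control
! Source RADIUS from the address registered in ACS as the AAA client (Vlan1 assumed).
ip radius source-interface Vlan1
!
interface GigabitEthernet1/0/10
 description Printer - Bldg A Rm 101 (constructed)
 switchport mode access
 switchport access vlan 20
 ! Ask ACS before opening the port; try MAB first, prefer 802.1X if the host speaks it.
 authentication port-control auto
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication host-mode single-host
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Verify (the commands from the Verifying and Monitoring MAB section) ---
! show authentication sessions interface GigabitEthernet1/0/10 detail
!   -> look for the mab method with a successful status and an ACS ACL line naming
!      the downloaded ACL (ACS names them xACSACLx-IP-PRINTER_DACL-<hash>)
! show ip access-lists
!   -> the same xACSACLx-IP-PRINTER_DACL-... entry; if it is missing while the session
!      shows success, check 'aaa authorization network' and 'ip device tracking'
```

Roll the interface configuration out to one port first and confirm the session and dACL on the switch before templating it across the stack; a MAC that is not yet in Internal Hosts will hit the "DenyAccess" default rule and the port stays closed, which is the intended fail-closed behaviour.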

Verifying and Monitoring MAB

  1. Check port on the switch
    1. On old switches: show authentication session [INTERFACE]
    2. On newer switches: show authentication session [INTERFACE] detail
  2. Check DACL on switch
    1. show ip access-list
  3. Check the logs in ACS
    1. Go to “Monitoring and Reports”
    2. Go to “Reports > Catalog > AAA Protocol”
    3. Click “Radius Authentication”
    4. “Username” will be the MAC of the device
    5. Click the Magnifying Glass under “Detail” next to the MAC
