Home > Articles > Cisco Network Technology > General Networking > Cisco AAA Identity Management Security: Getting Familiar with ACS 5.1

Cisco AAA Identity Management Security: Getting Familiar with ACS 5.1

Chapter Description

ACS 5.1 has a completely different user interface from ACS 4.2. Throughout the course of this chapter you will become familiar with the GUI and know where different functions are located.

From the Book

AAA Identity Management Security

AAA Identity Management Security

$59.99 (Save 20%)

Network Resources

AAA clients and external RADIUS servers are defined within this drawer. When ACS receives an AAA request from a network device, it searches the network device repository to find an entry with a matching IP address. If a match is not found, the request will be rejected.

This drawer has four menu items:

  • Network Device Groups
  • Network Devices and AAA Clients
  • Default Network Device
  • External RADIUS Servers

Network Device Groups

AAA clients in the ACS repository can be assigned to Network Device Groups (NDGs). NDGs are logical grouping of devices—for example, by Location or Type—which can be used in policy conditions. For example, all routers in the San Jose location can be assigned a single policy. NDGs simplify creating policies and managing device repository.

NDGs are defined under a hierarchical structure called a Device Group Hierarchy. Each device group hierarchy has a root node under which NDGs are defined. For example, Location and Device Type groups are predefined. The root node of the Location group is All Locations. New NDGs can be created under All Locations. These NDGs can further have other NDGs as child nodes. Figure 4-3 shows a sample hierarchy created under the Locations group. Notice how the NDGs are created countrywise, statewise, or citywise.

Figure 4-3

Figure 4-3 Hierarchical Structure of NDGs

A maximum of 12 hierarchical groups can be created and each group can have a maximum of six nodes including the root node.

Clicking on the Network Device Groups menu item will display the existing groups in the Content Area as shown in Figure 4-4. The groups also appear as individual submenu items in the Navigation Pane under Network Device Groups. Click on a group name in the Content Area to edit it. New groups can be created by clicking on the Create button or the Duplicate button.

Figure 4-4

Figure 4-4 Network Device Groups

To create a group, follow these steps:

  • Step 1. Select Network Resources > Network Device Groups.
  • The Network Device Groups page appears as shown in Figure 4-4.
  • Step 2. Click Create.
  • The Hierarchy - General Page appears in the Content Area. Figure 4-5 shows this page.
    Figure 4-5

    Figure 4-5 Creating a Network Device Group

  • Step 3. Enter a name; for this example, use Routers.
  • Step 4. (Optional) Enter a description.
  • Step 5. Enter a root node name. For this example, use All Routers.

    Remember that this is any name that refers to all the NDGs and devices in this group.

  • Step 6. Click Submit to create the group. The group Routers now appears in the Navigation Pane as a submenu item under the Network Device Group menu item.

Clicking on the group name, Routers, in the Navigation Page will open the Network Device Groups page in the Content Area. Because the group is new, only the root node All Routers will be displayed. This page is similar to the one shown in Figure 4-3. You can add NDGs to the Routers group from this page. To do so, follow these steps:

  • Step 1. Click Create.
  • Step 2. Enter a name for the group; for our example, use Core Routers.
  • Step 3. (Optional) Enter a description.
  • Step 4. The root node, All Routers, is already selected in the Parent field. If other NDGs existed in the Routers group, you could have clicked on Select to see them and select a different parent node.
  • Step 5. Click Submit to create the NDG. Core Routers is now visible under the root node in the Network Device Groups page.

Network Devices and AAA Clients

It is important to remember that a device should be in the ACS repository before AAA requests from that device will be accepted. The Network Devices and AAA Clients menu item shows the repository and enables you to manage the devices. Along with the name and address, the page displays the NDG that the device belongs to. You can use the filter option to search for devices. This page is shown is Figure 4-6. To add an AAA client to the ACS database and enable communications using the TACACS+ or RADIUS protocols, you use the following steps:

  • Step 1. Select Network Resources > Network Devices and AAA Clients.
  • Step 2. Click Create. Figure 4-6 shows the Create Network Device page.
  • Step 3. Enter the hostname of the AAA client, or if this is going to be a group of devices, enter a name that makes it easily recognizable. For this example, use Router1.
  • Step 4. (Optional) Enter a description.
  • Step 5. All device groups configured in ACS are shown and their root nodes are selected. Click Select next to the group you want to change to display the Network Device Groups selection box. Click the radio button next to the desired Network Device Group and click OK. For this example, select the San Jose and Core Routers from the Location and Routers groups.
  • Step 6. A device definition can represent a single or multiple devices. Select Single IP Address or IP Range as required. Selecting IP Range will display options for configuring a mask with the IP address. You can add multiple entries for the range. For this example, use a 192.168.1.0 address with a mask of 24.
  • Step 7. Select TACACS+ and/or RADIUS and enter the shared secret. You have the option of selecting both protocols for a device. For this example, select TACACS+ and enter Cisco as the shared secret.
  • Step 8. Click Submit

    The device is now listed in the Network Devices and AAA Clients page as shown in Figure 4-7.

Figure 4-6

Figure 4-6 Adding a New AAA Device

Figure 4-7

Figure 4-7 Network Devices and AAA Clients

Default Network Device

As mentioned previously, a device needs to be in the ACS repository before AAA requests will be accepted from it. There is an exception to this rule. You can configure a default network device. If a request comes from a device that does not specifically exist in the repository, ACS will use the default device profile. In the default network device definition, you provide a shared secret key, network device group, and the protocol(s) to be used. To configure the default network device, follow these steps:

  • Step 1. Select Network Resources > Default Network Device.
  • The Default Network Device page appears. Figure 4-8 shows this page.
    Figure 4-8

    Figure 4-8 Default Network Device

  • Step 2. Select Enabled from the drop-down list next to Default Network Device Status.
  • Step 3. Click Select next to the device groups that you want to modify. For our example, select San Jose NDG from the Locations Group.
  • Step 4. Select TACACS+ or RADIUS and enter the shared secret for the protocols. You can select one or both the protocols. For this example, select both the protocols and use Cisco as the shared secret.
  • Step 5. Click Submit.

External RADIUS Servers

ACS 5.1 can function both as a RADIUS server and a RADIUS proxy server. When it acts as a proxy server, ACS receives authentication and accounting requests from the AAA client and forwards them to the external RADIUS server. ACS accepts the results of the requests and returns them to the client. You must configure the external RADIUS servers in ACS to enable ACS to forward requests to them. You can configure multiple external RADIUS servers. To add a server, follow these steps:

  • Step 1. Select Network Resources > External RADIUS Servers. The External RADIUS Servers page appears with a list of configured servers.
  • Step 2. Click Create.

    The Create Server page appears as shown in Figure 4-9.

    Figure 4-9

    Figure 4-9 Adding an External RADIUS Server

  • Step 3. Enter a name for the server. For this example, use External1.
  • Step 4. (Optional) Enter a description.
  • Step 5. Enter the server IP address. For this example, use 192.168.1.40.
  • Step 6. Enter the shared secret. This secret is used to encrypt the RADIUS request between ACS and the external server. For this example, use Cisco.
  • Step 7. Click Advanced Options.
  • Step 8. Verify the authentication and accounting ports.

    By default, ports 1812 and 1813 are used. If the external server uses other ports, enter them in the respective fields. This example leaves the ports set to the default values.

  • Step 9. Verify the server timeout value.

    By default, five seconds timeout period is used. If the server fails to respond in that period, the server will resend the request as many times as specified in the Connection Attempts field. You can specify a timeout value of 1 to 120 seconds. For this example, specify 10 seconds.

  • Step 10. Verify the connection attempts value.

    By default, ACS will attempt to connect to the external server three times. You can configure ACS to attempt up to 10 times to connect to the external server. For this example, specify five attempts.

  • Step 11. Click Submit.
3. Users and Identity Stores | Next Section Previous Section