Ace Tacacs and Radius

Cisco ACE - TACACS+ and RADIUS


Page 1: Ace Tacacs and Radius

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

ACE Remote Authentication: TACACS+ and RADIUS using ACS

Sean Merrow, Application Networking Services CSE

February 2009

Page 2: Ace Tacacs and Radius


Example Scenario

In this document, we will create a user called ‘aceadmin’.

This user account will only have access to a context on the ACE called ‘Cnt1’.

The user will be given the Admin role and put in the default-domain of the Cnt1 context.

This user will not be configured as a local user on the ACE. The ACE falls back to its local user database only if it cannot reach any of the ACS (TACACS+/RADIUS) servers; a rejection from a reachable server is final and does not trigger the fallback.

(Diagram: two ACS servers, 130.10.0.55 and 130.10.0.56, and the ACE module/appliance at 150.10.40.21.)

Page 3: Ace Tacacs and Radius


ACE Remote Authentication - Agenda

ACE with TACACS+ using ACS

ACE with RADIUS using ACS

Network Capture Screenshots

Page 4: Ace Tacacs and Radius


Create the TACACS+ User on ACS

(Screenshot with callouts 1-3; the callout text is not recoverable from the extracted slide. The aceadmin user is created on the ACS with a custom shell attribute in its TACACS+ Settings, in the mandatory "=" form discussed on the next slide, i.e. shell:Cnt1=Admin default-domain.)

Page 5: Ace Tacacs and Radius


Notes on ACS User Settings

A common problem customers report after adding the shell attribute in the user's TACACS+ Settings is that, although authentication works fine with the ACE, those users can no longer log in to their other network devices. The cause is the separator: with "=" the attribute is mandatory, and a device that does not understand it (anything that is not an ACE) must fail the authorization; with "*" it is optional and such devices simply ignore it.

These customers should enter the shell attribute as follows:

shell:<Context>*<Role> <Domain>

shell:Cnt1*Admin default-domain

When the * is used, the attribute is optional. The = used in the previous slide means the attribute is mandatory.

The TACACS+ Settings can also be entered into the Groups on the ACS in which the user is a member. The Group settings will apply to all members, although settings entered directly in the user configuration will override the Group settings.
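To make the mandatory/optional distinction concrete, here is an added Python example (not part of the Cisco deck and not ACE code) that parses TACACS+ authorization attribute-value pairs the way the protocol defines the two separators, and contrasts a generic device, which fails on an unknown mandatory attribute, with the ACE, which extracts the per-context role and domains from shell:<Context>. The function names and the sample attribute lists are the example's own.

```python
"""Mandatory (=) vs optional (*) TACACS+ authorization attributes.

Added example, not code from the Cisco deck or the ACE. The separator
semantics follow the TACACS+ specification: a client that does not
understand a *mandatory* attribute must treat authorization as failed,
while an unknown *optional* attribute is simply ignored.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split on the first '=' (mandatory) or '*' (optional) separator."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AVPair(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"no TACACS+ separator in attribute {raw!r}")


def generic_device_authorize(attrs: list[str],
                             known: frozenset[str] = frozenset({"priv-lvl"})) -> bool:
    """A client with no notion of ACE contexts (a router, a switch).

    It fails authorization only for an attribute it does not know *and*
    that the server marked mandatory; optional unknowns are ignored.
    """
    for raw in attrs:
        av = parse_av_pair(raw)
        if av.mandatory and av.name not in known:
            return False
    return True


def ace_roles_from_attrs(attrs: list[str]) -> dict[str, tuple[str, list[str]]]:
    """What the ACE extracts: context -> (role, [domains]) from
    shell:<Context>{=,*}<Role> <Domain> [<Domain> ...]."""
    roles: dict[str, tuple[str, list[str]]] = {}
    for raw in attrs:
        av = parse_av_pair(raw)
        if not av.name.startswith("shell:"):
            continue  # unrelated attribute (priv-lvl etc.)
        context = av.name[len("shell:"):]
        role, *domains = av.value.split()
        roles[context] = (role, domains)
    return roles


def ace_login(context: str, attrs: list[str]) -> tuple[str, list[str]] | None:
    """Role/domains the user gets in the context they logged into, or None
    when the server returned nothing for that context (no access)."""
    return ace_roles_from_attrs(attrs).get(context)


# Constructed samples: the two forms from the slide above.
MANDATORY_FORM = ["shell:Cnt1=Admin default-domain"]
OPTIONAL_FORM = ["shell:Cnt1*Admin default-domain"]
```

Run generic_device_authorize() on both lists to see the failure the customers report: the mandatory form is rejected by the generic client, the optional form passes, and the ACE reads the same role and domain from either.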

Page 6: Ace Tacacs and Radius


Create the ACE TACACS+ Client on ACS

(Screenshot: the AAA client entry for the ACE on the ACS, callouts 1-4.)

1. Source IP address of the ACE AAA traffic.

2. Be sure to create a second client for the redundant ACE if necessary.

3. The key entered will also be used in the ACE configuration.

4. Specify TACACS+ authentication.

• By default each AAA transaction occurs over a separate TCP connection. Check this box if you want them to use a single TCP connection.

Page 7: Ace Tacacs and Radius


Configure TACACS+ on the ACE(s)

ACE-1/Cnt1# config

ACE-1/Cnt1(config)# tacacs-server key cisco123

ACE-1/Cnt1(config)# tacacs-server host 130.10.0.55

ACE-1/Cnt1(config)# tacacs-server host 130.10.0.56

ACE-1/Cnt1(config)# tacacs-server host 130.10.0.57 key password123

ACE-1/Cnt1(config)# aaa group server tacacs+ acs-servers

ACE-1/Cnt1(config-tacacs+)# server 130.10.0.55

ACE-1/Cnt1(config-tacacs+)# server 130.10.0.56

ACE-1/Cnt1(config-tacacs+)# exit

ACE-1/Cnt1(config)# aaa authentication login default group acs-servers local

ACE-1/Cnt1(config)# aaa accounting default group acs-servers local

ACE-1/Cnt1(config)# exit

ACE-1/Cnt1# copy run start

Global TACACS+ key used with all servers that do not have a key configured, such as .55 and .56 above. Note that .57 has a unique key defined, which will be used for that server.

Create a group for the TACACS+ servers and add the member servers.

Configure the ACE to use the servers in this TACACS+ server group for AAA. Note that the 'local' keyword at the end means that the local user database on the ACE is used for authentication ONLY if neither TACACS+ server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.

Page 8: Ace Tacacs and Radius


TACACS+ Config on the ACE(s)

tacacs-server key 7 "fewhg123"

tacacs-server host 130.10.0.55

tacacs-server host 130.10.0.56

tacacs-server host 130.10.0.57 key 7 "swwxoomi123"

aaa group server tacacs+ acs-servers

server 130.10.0.55

server 130.10.0.56

aaa authentication login default group acs-servers local

aaa accounting default group acs-servers local

Although keys are entered in clear text, they are stored in the configuration in obfuscated form (key 7). Treat the configuration as sensitive anyway: the ACE must be able to recover the clear-text key to build its TACACS+ packets, so the stored form is reversible by design, and 'show running-config' output and configuration backups need the same protection as the key entry on the ACS.

Page 9: Ace Tacacs and Radius


ACE Remote Authentication - Agenda

ACE with TACACS+ using ACS

ACE with RADIUS using ACS

Network Capture Screenshots

Page 10: Ace Tacacs and Radius


Create the RADIUS User on ACS Server

(Screenshot with callouts 1-3; the callout text is not recoverable from the extracted slide.)

Page 11: Ace Tacacs and Radius


Create the ACE RADIUS Client on ACS

(Screenshot: the AAA client entry for the ACE on the ACS, callouts 1-4.)

1. Source IP address of the ACE AAA traffic.

2. Be sure to create a second client for the redundant ACE if necessary.

3. The key entered will also be used in the ACE configuration.

4. Specify RADIUS authentication.

Page 12: Ace Tacacs and Radius


Configure RADIUS on the ACE(s)

ACE-1/Cnt1# config

ACE-1/Cnt1(config)# radius-server host 130.10.0.55 key cisco123

ACE-1/Cnt1(config)# radius-server host 130.10.0.56 key cisco123

ACE-1/Cnt1(config)# aaa group server radius radius-farm

ACE-1/Cnt1(config-radius)# server 130.10.0.55

ACE-1/Cnt1(config-radius)# server 130.10.0.56

ACE-1/Cnt1(config-radius)# exit

ACE-1/Cnt1(config)# aaa authentication login default group radius-farm local

ACE-1/Cnt1(config)# aaa accounting default group radius-farm

ACE-1/Cnt1(config)# exit

ACE-1/Cnt1# copy run start

RADIUS servers configured with per-server keys. Alternatively, a global key could be configured as shown in the TACACS+ configuration example.

Create a group for the RADIUS servers and add the member servers.

Configure the ACE to use the servers in this RADIUS server group for AAA. Note that the optional 'local' keyword at the end means that the local user database on the ACE is used for authentication ONLY if neither RADIUS server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.
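The fallback rule stated in the notes for both the TACACS+ and the RADIUS method lists is easy to get backwards, so here is an added Python model (not ACE code; the "servers" are constructed stand-ins that return a verdict instead of speaking TACACS+ or RADIUS) of `aaa authentication login default group <group> [local]`, together with the global-versus-per-server key resolution from the tacacs-server lines earlier: servers are tried in group order, a reject from a reachable server ends the attempt, and the local database is consulted only when every server in the group is unreachable.

```python
"""Model of the ACE login method list
    aaa authentication login default group <group> [local]
and of shared-key resolution for the servers in the group.

Added example, not ACE code: the 'servers' below are constructed stand-ins
that return a verdict instead of talking TACACS+/RADIUS.
"""
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered: do NOT fall through
    UNREACHABLE = "unreachable"  # timeout / no route: try the next server


def resolve_key(host, per_server_keys, global_key):
    """A 'key' on the server line wins; otherwise the global key applies.
    A server with neither has no way to talk to the ACS at all."""
    key = per_server_keys.get(host, global_key)
    if key is None:
        raise ValueError(f"no shared key configured for {host}")
    return key


def authenticate(user, password, group, servers, local_db, local_fallback=True):
    """Return (verdict, source) following the fallback rule from the slide."""
    for host in group:                      # group member order
        verdict = servers[host](user, password)
        if verdict is Verdict.UNREACHABLE:
            continue                        # only an unreachable server is skipped
        return verdict, host                # ACCEPT or REJECT is final
    if not local_fallback:                  # no 'local' keyword: the login fails
        return Verdict.REJECT, "no-method"
    if local_db.get(user) == password:      # every server unreachable: local db
        return Verdict.ACCEPT, "local"
    return Verdict.REJECT, "local"


# Constructed server behaviours for the demo.
def acs_up(valid):
    def check(user, password):
        return Verdict.ACCEPT if valid.get(user) == password else Verdict.REJECT
    return check


def acs_down(user, password):
    return Verdict.UNREACHABLE


ACS_USERS = {"aceadmin": "Acs-Pass-1"}     # constructed ACS user database
LOCAL_USERS = {"admin": "Local-Pass-1"}    # constructed local database on the ACE
ACS_SERVERS = ["130.10.0.55", "130.10.0.56"]

# Keys as in the TACACS+ slides: global cisco123, .57 overrides with its own.
PER_SERVER_KEYS = {"130.10.0.57": "password123"}
GLOBAL_KEY = "cisco123"
```

The case worth noticing is the second one in the checks: a user who exists only in the local database is rejected while the ACS is up, even with the right local password, because the reachable server's reject is final. Only when both servers are down does that local account work, which is the whole point of 'local' being a reachability fallback rather than a second chance.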

Page 13: Ace Tacacs and Radius


RADIUS Config on the ACE(s)

radius-server host 130.10.0.55 key 7 "fewhg123" authentication accounting

radius-server host 130.10.0.56 key 7 "fewhg123" authentication accounting

aaa group server radius radius-farm

server 130.10.0.55

server 130.10.0.56

aaa authentication login default group radius-farm local

aaa accounting default group radius-farm

Although keys are entered in clear text, they are stored in the configuration in obfuscated form (key 7). The same caveat as for the TACACS+ key applies: the ACE must be able to recover the clear-text key, so the stored form is reversible, and the configuration and its backups must be protected accordingly.

Page 14: Ace Tacacs and Radius


ACE Remote Authentication - Agenda

ACE with TACACS+ using ACS

ACE with RADIUS using ACS

Network Capture Screenshots

Page 15: Ace Tacacs and Radius


Configure Wireshark to Decrypt TACACS+

• Edit > Preferences > Protocols > TACACS+

• Enter the TACACS+ key
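What Wireshark does with that key, as an added Python example (not from the deck, and not Wireshark or ACE code): the TACACS+ body is not encrypted in any modern sense but XORed with an MD5 keystream derived from the session ID, the shared key, the version byte and the sequence number, so anyone holding the key, or anyone who can guess a weak one offline against a capture, reads every packet including the password. The authentication START packet below is constructed for the demo (session ID, port and remote address are made up); the constants are the protocol's.

```python
"""TACACS+ body obfuscation (the "encryption" Wireshark undoes with the key).

Added example, not ACE or Wireshark code. Per the TACACS+ specification the
pad is MD5(session_id|key|version|seq_no), then
MD5(session_id|key|version|seq_no|previous_digest), ... concatenated up to
the body length and XORed over the body; de-obfuscation is the same step.
"""
import hashlib
import struct

VERSION = 0xC0                      # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # spec reserves clear bodies for testing
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def tacacs_pad(session_id, key, version, seq_no, length):
    """Keystream: chained MD5 over the clear header fields plus the key."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad. Applying it twice with the same key restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1):
    """Authentication START (ASCII login) as a client sends it, seq_no 1."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl, authen_type=ASCII(1), service=LOGIN(1),
    # user_len, port_len, rem_addr_len, data_len
    body = struct.pack("!8B", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, 1)


def parse_packet(pkt, key):
    """The header is always clear; the body is de-obfuscated unless the
    UNENCRYPTED flag is set."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:12])
    body = pkt[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def parse_authen_start(body):
    """Decode the fixed fields and the four length-prefixed variable fields."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


# Constructed sample in the deck's scenario (session ID and addresses made up).
SESSION_ID = 0x1234ABCD
KEY = b"cisco123"
SAMPLE = build_authen_start(SESSION_ID, KEY, "aceadmin", "vty", "192.0.2.10")
```

Feed SAMPLE to parse_packet() with the right key and the user name comes back; with a wrong key the body is noise, which is exactly what an undecoded Wireshark capture looks like. Because nothing in the pad depends on anything secret except the key, a capture plus a password-guessing loop over obfuscate() is all an attacker needs to test key candidates.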

Page 16: Ace Tacacs and Radius


TACACS+ Authentication Request

Page 17: Ace Tacacs and Radius


TACACS+ Authentication Response

Page 18: Ace Tacacs and Radius


TACACS+ Authorization Request

The ACE tells the ACS what context the user has logged into, so it can now find out what permissions this user has in that context.

Page 19: Ace Tacacs and Radius


TACACS+ Authorization Response

The ACS tells the ACE what role and domain the user has for this context.

Page 20: Ace Tacacs and Radius


TACACS+ Accounting Update

The ACE tells the ACS the time of user login.

Page 21: Ace Tacacs and Radius


TACACS+ Accounting Update

The ACE tells the ACS that the aceadmin user has entered the 'show user-' command.

Page 22: Ace Tacacs and Radius


TACACS+ Accounting Update

The ACE tells the ACS the exact time that the aceadmin user logged out.

Page 23: Ace Tacacs and Radius


RADIUS Authentication Request

Page 24: Ace Tacacs and Radius


RADIUS Authentication Response
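The request/response pair on these two slides, as an added Python example (not ACE or ACS code; the packets are constructed, with a fixed Request Authenticator so the result is reproducible, whereas a real client draws 16 fresh random bytes). It shows the two places the ACS key from the earlier slides is used: hiding User-Password in the Access-Request, and the Response Authenticator on the Access-Accept/Reject, which the client must verify before trusting the answer. Both rest on MD5 with the shared key, so a weak key exposes the password to anyone holding a capture, and a missing verification lets anyone on the path forge an Accept.

```python
"""RADIUS Access-Request / Access-Accept with the ACS shared key (RFC 2865).

Added example, not ACE or ACS code. User-Password is hidden with an MD5
keystream chained from the Request Authenticator; the server's reply is
authenticated by MD5(Code|ID|Length|RequestAuth|Attributes|Secret).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, req_auth):
    """Pad to a 16-byte multiple; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = RequestAuth."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, req_auth):
    """Server side: same keystream, chained on the received ciphertext."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(pkt):
    _, _, length = struct.unpack("!BBH", pkt[:4])
    attrs, off = {}, 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = pkt[off + 2:off + alen]
        off += alen
    return attrs


def build_access_request(ident, secret, user, password, nas_ip, req_auth=None):
    req_auth = req_auth or os.urandom(16)        # real clients: fresh random bytes
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: the Response Authenticator binds the reply to the request."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request, secret):
    """Client side: drop replies whose ID or Response Authenticator do not check out."""
    if response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample in the deck's scenario; fixed authenticator for reproducibility.
SECRET = b"cisco123"
REQ = build_access_request(7, SECRET, "aceadmin", "Acs-Pass-1", "150.10.40.21",
                           req_auth=bytes(range(16)))
```

The last two checks are the ones that matter operationally: an Accept built with the wrong key fails verification, and so does a genuine Accept checked against the wrong key, which is how a key mismatch between the ACS client entry and the radius-server line shows up on the wire.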

Page 25: Ace Tacacs and Radius


RADIUS Accounting Update

The ACE tells the ACS the exact time that the aceadmin user logged in.

Page 26: Ace Tacacs and Radius


RADIUS Accounting Update

The ACE tells the ACS the exact time that the aceadmin user entered the 'show user-acc' command.

Page 27: Ace Tacacs and Radius


RADIUS Accounting Update

The ACE tells the ACS the exact time that the aceadmin user logged out.