Access Control System (ACS)
ACS servers exist to centrally manage users and to control what those users are authorized to do. The server can use an external database that already exists and holds usernames and passwords (e.g. Microsoft Active Directory).
The ACS server can be installed on several platforms, e.g. a Windows server, a dedicated physical Cisco appliance, a VMware ESXi server, etc.
Identity Services Engine (ISE)
This is an identity and access control policy platform that can validate that a computer meets the company's policy requirements (virus definition files, service pack levels and so on) before the device is allowed onto the network.
ACS and ISE can be used together.
Protocols between ACS and the router
- TACACS+ – Cisco proprietary
Encrypts the entire body of every packet exchanged between the router and the ACS server; only the header is sent in cleartext.
- RADIUS – open standard
Encrypts (obfuscates) only the password attribute; the rest of the packet between the router and the ACS, including the username, is sent in cleartext.
Configuring Routers to Interoperate with an ACS
# aaa new-model
# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
# username admin privilege 15 secret cisco
# tacacs-server host 192.168.1.252 key cisco123
# line vty 0 4
(line)# authorization exec Author-Exec_via_TACACS
(line)# login authentication AUTHEN_via_TACACS
aaa new-model
This is required on every device.
# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
# username admin privilege 15 secret cisco
# tacacs-server host 192.168.1.252 key cisco123
# line vty 0 4
(line)# login authentication AUTHEN_via_TACACS
When a user tries to log in to the device, the TACACS+ server at 192.168.1.252 checks the credentials and replies with a pass or fail message. The "group tacacs+ local" part means that TACACS+ is the primary login method and that the local database (admin/cisco) takes its place only when the server is unreachable; a rejection from the server does not fall through to the local accounts.
# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
# line vty 0 4
(line)# authorization exec Author-Exec_via_TACACS
The AAA server verifies whether the user is authorized to gain access to the CLI (the EXEC shell) and at which privilege level the user is placed. As with authentication, if the TACACS+ server is unreachable, the router checks the local database to decide whether the user is authorized for EXEC access.
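As an added example (not part of the original notes), a small Python audit that parses a constructed running-config in the shape of the commands above and flags the pitfalls the notes describe: missing aaa new-model, a method list without the local fallback, a tacacs-server host without a shared key, and vty lines that apply an undefined list. The address and key are placeholders.

```python
import re
from typing import Dict, List
# Constructed sample running-config modelled on the notes' TACACS+ example (address and key are placeholders).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login AUTHEN_via_TACACS group tacacs+ local
aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
username admin privilege 15 secret cisco
tacacs-server host 192.168.1.252 key cisco123
line vty 0 4
 authorization exec Author-Exec_via_TACACS
 login authentication AUTHEN_via_TACACS
"""

def parse_method_lists(config: str, kind: str) -> Dict[str, List[str]]:
    """Map list name -> ordered methods for 'authentication login' or 'authorization exec'."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(rf"^aaa {kind} (\S+) (.+)$", config, re.M)}

def audit_aaa(config: str) -> List[str]:
    """Return findings for the AAA/TACACS+ setup; an empty list means it is consistent."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing, so the method lists are never applied")
    login = parse_method_lists(config, "authentication login")
    execl = parse_method_lists(config, "authorization exec")
    has_local_user = any(ln.startswith("username ") for ln in lines)
    for name, methods in {**login, **execl}.items():
        if "local" not in methods:
            findings.append(f"{name}: no local fallback, lockout if the TACACS+ server is down")
        elif not has_local_user:
            findings.append(f"{name}: 'local' fallback but no username is configured")
    for m in re.finditer(r"^tacacs-server host (\S+)(.*)$", config, re.M):
        if " key " not in m.group(2):
            findings.append(f"tacacs-server {m.group(1)}: no shared key, so nothing is encrypted")
    # The vty lines must apply lists that are actually defined
    vty = re.search(r"^line vty.*\n((?:[ ].*\n?)*)", config, re.M)
    vty_body = vty.group(1) if vty else ""
    for kind, lists in (("login authentication", login), ("authorization exec", execl)):
        m = re.search(rf"^\s+{kind} (\S+)", vty_body, re.M)
        if not m:
            findings.append(f"line vty: no '{kind}' applied")
        elif m.group(1) not in lists:
            findings.append(f"line vty: '{kind} {m.group(1)}' references an undefined list")
    return findings

if __name__ == "__main__":
    print(audit_aaa(SAMPLE_CONFIG) or "no findings")
    print(audit_aaa(SAMPLE_CONFIG.replace(" local", "").replace("aaa new-model\n", "")))
```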
CCP (Cisco Configuration Professional)
Configure > Router > AAA > AAA Servers and Groups > Servers > Add
Configure > Router > AAA > Authentication Policies > Login > click Add
Configure > Router > AAA > Authorization Policies > EXEC Command Mode > click Add
Add local user
Configure > Router > Router Access > User Accounts/View > click Add