Hey Pete -- I think I'll wait for your website!
Need some help to use Cisco ACS server to provide login authentication to Cisco devices on the network....
Not sure of the best way to set up ACS to act as a RADIUS server; if anyone with any experience can point me in the right direction, that will be great....
For the devices on the network, I have configured it as follows....
aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local enable
radius-server host (IP address of ACS) auth-port 8812 acct-port 8813 key secretkey
I would recommend TACACS+ as a preferred protocol for Cisco device AAA setup. Take time to read the difference between TACACS+ and RADIUS protocols to make an informed decision on what you would like to implement. Here is a pretty good article on it from Cisco: http://www.cisco.com/en/US
If you have already decided on RADIUS, then here is what is required.
1. AAA setup on the router:
****Define the AAA parameters****
aaa new-model
aaa authentication login default group radius local enable
!
****Define the ACS Server RADIUS setup****
radius-server host <IP_Addr_of_ACS> auth-port 1645 acct-port 1646
radius-server retransmit 30
radius-server key <shared_secret>
****Apply the AAA configuration to the access method****
****Here I am saying that anyone accessing the router on "line vty 0 4" needs to be AAA authenticated****
line vty 0 4
login authentication default
2. ACS Server setup
- Under "Network Configuration", you can create a new group for network devices. I group mine based on location of device or type of device (routers, firewalls, VPN, etc.).
- Once your group is created, you can start adding devices under it. Click the group name you just created under Network Configuration and then click Add Entry.
- In the "Add AAA Client" page, enter the fields.
i. Hostname of Cisco device
ii. IP address of Cisco device
iii. The <shared_secret>, which you have set up on the device as well
iv. Drop-down and select the group to which you want to add this device. The groups listed in the drop-downs are those that you configured in the first step.
v. For "Authenticate Using" select the appropriate RADIUS "version". Typically for routers and PIX firewalls, you would use the "RADIUS (Cisco IOS/PIX)" protocol. These "versions" are pretty obvious in their description.
vi. Click "Submit + Apply"
Now you can test and see whether your authentication works or not.
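As an added illustration (not code from this thread, from Cisco or from ACS), here is the RFC 2865 exchange that the router and ACS configuration above sets up: the shared secret configured on both sides is what hides User-Password in the Access-Request and what authenticates the server's reply. The server side is a constructed stand-in for the ACS, the usernames and passwords are made up, and the reply carries the same Cisco AV pair (vendor 9, `shell:priv-lvl=15`) and Reply-Message that appear later in this thread's debug output.

```python
import hashlib, os, struct

# Added example of the RFC 2865 packet flow behind IOS "debug radius" output: the client hides
# User-Password with the shared secret, the server checks it and answers, and the client only
# trusts the answer if its Response Authenticator was computed with the same secret.
def _attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v

def _crypt_password(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous cipher block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def build_access_request(ident: int, user: str, password: str, secret: bytes, req_auth: bytes) -> bytes:
    attrs = _attr(1, user.encode()) + _attr(2, _crypt_password(password.encode(), secret, req_auth, True))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs  # code 1 = Access-Request

def _reply(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()  # Response Authenticator, RFC 2865 3
    return head + resp_auth + attrs

def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed stand-in for the ACS: Access-Accept (2) with shell:priv-lvl=15, else Access-Reject (3)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, pos, got = packet[4:20], 20, {}
    while pos < length:  # walk the type/length/value attribute list
        t, l = packet[pos], packet[pos + 1]
        got[t] = packet[pos + 2:pos + l]
        pos += l
    pw = _crypt_password(got[2], secret, req_auth, False).rstrip(b"\x00")
    if users.get(got[1].decode()) == pw.decode("ascii", "replace"):
        vsa = struct.pack("!I", 9) + _attr(1, b"shell:priv-lvl=15")  # Cisco vendor id 9, AVpair subtype 1
        return _reply(2, ident, _attr(26, vsa), req_auth, secret)
    return _reply(3, ident, _attr(18, b"Rejected"), req_auth, secret)

def client_verify(reply: bytes, req_auth: bytes, secret: bytes) -> str:
    """Name the reply only if its Response Authenticator matches our secret, else flag it."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expect = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if expect != reply[4:20]:
        return "bad-authenticator"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(code, f"code-{code}")
```

A reply that fails the authenticator check is what a shared-secret mismatch between the router and the ACS client entry looks like on the wire, so that check is the first thing to rule out when the debug shows requests going out but nothing usable coming back.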
I'm up and working, here you go: http://www.petenetlive.com
Hey Pete -- thanks for the guide -- but I was after ACS configuration, not ASA. pkapoor, your guide looks great -- but in 'Network Configuration' I can't seem to add a network device group -- the only options I have are to add either an AAA client, an AAA server or a proxy distribution table... any reason why this is?
Many thanks
Seem to be getting somewhere.... The device is communicating with RADIUS, but access is rejected. Can I build a local database of users I want to be able to access the devices? I would like anyone who has access to have privilege level 15.
5d02h: RADIUS: Pick NAS IP for u=0x1818C30 tableid=0 cfg_addr=0.0.0.0
5d02h: RADIUS: ustruct sharecount=1
5d02h: Radius: radius_port_info() success=1 radius_nas_port=1
5d02h: RADIUS(00000000): Send Access-Request to 10.99.1.12:1645 id 1645/1, len 72
5d02h: RADIUS: authenticator 70 A0 E0 8D 3D 8A C0 8B - 4A 9A F7 07 DF 0C 53 02
5d02h: RADIUS: NAS-IP-Address [4] 6 10.87.162.109
5d02h: RADIUS: NAS-Port [5] 6 2
5d02h: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
5d02h: RADIUS: User-Name [1] 4 "ra"
5d02h: RADIUS: Calling-Station-Id [31] 12 "10.0.0.117"
5d02h: RADIUS: User-Password [2] 18 *
5d02h: RADIUS: Received from id 1645/1 10.99.1.12:1645, Access-Reject, len 32
5d02h: RADIUS: authenticator 3B 13 38 1A 38 48 F7 86 - 1D 06 BB C0 85 49 E2 87
5d02h: RADIUS: Reply-Message [18] 12
5d02h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
5d02h: RADIUS: saved authorization data for user 1818C30 at 0
5d02h: RADIUS: Pick NAS IP for u=0x1818C30 tableid=0 cfg_addr=0.0.0.0
5d02h: RADIUS: ustruct sharecount=1
5d02h: Radius: radius_port_info() success=1 radius_nas_port=1
In Network Configuration, you can add an AAA client (without creating groups). This could be because of the version of ACS you are running. However, if you just add the AAA client, that will suffice.
Once that is done, let's talk about integrating the AD authentication. Note that for assigning privilege levels, you need to do it with the ACS itself. Active Directory does not have attributes that will assign out privilege levels with RADIUS authentication. However, you can create a group in AD which has all users you want to give access to as its member.
To have the ACS refer to the AD for user credentials, do the following:
1. External User Database > Database Configuration > Windows Database > Configure
2. I usually check the Dialin Permission (for this, in the AD account of the user, you must grant Dial-in permissions).
3. I do not enable Windows callback.
4. In "Configure Domain List", you will see your domain in the "Available Domains" list. Select and add it to the right side.
5. Submit
Sometimes the ACS prompts you to restart the service control. For this, go to System Configuration > Service Control and then click the Restart button at the bottom.
Let us know how it goes.
FYI, if you refer to an external database, the ACS builds a local cache of the credentials once a user authenticates successfully for the first time. Therefore, if any user leaves and you disable his AD account, don't forget to check the ACS local database to make sure that you delete the cached account as well.
In the ACS I have created a local group of 7 members; they can all log in to the Cisco.
In the ACS group I made, I edited in the Settings > Cisco IOS/PIX 6.x RADIUS Attributes
I added: priv-lvl=15
But I don't actually get privilege level 15; maybe I need to adjust this?
5d03h: RADIUS: NAS-Port [5] 6 2
5d03h: RADIUS: NAS-Port-Type [61] 6 Virtual [
5d03h: RADIUS: User-Name [1] 5 "rob"
5d03h: RADIUS: Calling-Station-Id [31] 12 "10.0.0.117"
5d03h: RADIUS: User-Password [2] 18 *
5d03h: RADIUS: Received from id 1645/16 10.99.1.12:1645, Access-Accept, l
5d03h: RADIUS: authenticator 80 88 38 88 14 70 57 87 - 23 00 05 DB F6 17
5d03h: RADIUS: Vendor, Cisco [26] 25
5d03h: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
5d03h: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
5d03h: RADIUS: Class [25] 24
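An added helper (not from this thread): it turns `debug radius` output like the two captures above into one record per request, decodes the Reply-Message hex dump IOS prints on an Access-Reject, and pulls the privilege level out of the Cisco AV pair on an Access-Accept. The embedded sample is constructed to mirror the two exchanges posted above.

```python
import re

# Constructed sample modelled on the "debug radius" output in this thread (not its exact lines).
SAMPLE_DEBUG = """\
5d02h: RADIUS(00000000): Send Access-Request to 10.99.1.12:1645 id 1645/1, len 72
5d02h: RADIUS:  User-Name           [1]   4   "ra"
5d02h: RADIUS: Received from id 1645/1 10.99.1.12:1645, Access-Reject, len 32
5d02h: RADIUS:  Reply-Message       [18]  12
5d02h: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [Rejected??]
5d03h: RADIUS(00000000): Send Access-Request to 10.99.1.12:1645 id 1645/16, len 73
5d03h: RADIUS:  User-Name           [1]   5   "rob"
5d03h: RADIUS: Received from id 1645/16 10.99.1.12:1645, Access-Accept, len 90
5d03h: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
"""

RE_SEND = re.compile(r'Send Access-Request to (\S+) id (\S+), len')
RE_RECV = re.compile(r'Received from id (\S+) \S+, (Access-\w+), len')
RE_ATTR = re.compile(r'(User-Name|Cisco AVpair)\s+\[\d+\]\s+\d+\s+"([^"]*)"')
RE_HEX = re.compile(r'RADIUS:\s+((?:[0-9A-Fa-f]{2}\s+)+)')  # hex dump IOS prints under Reply-Message

def parse_debug_radius(text):
    """One record per Access-Request, matched to its reply by packet id (e.g. 1645/16)."""
    exchanges, cur, reply_pending = [], None, False
    for line in text.splitlines():
        if m := RE_SEND.search(line):
            cur = {"server": m.group(1), "id": m.group(2), "result": None,
                   "reply_message": None, "attrs": []}
            exchanges.append(cur)
        elif cur is None:
            continue
        elif reply_pending:  # Reply-Message text follows as raw bytes on the next line
            if m := RE_HEX.search(line):
                raw = bytes.fromhex(m.group(1).replace(" ", ""))
                cur["reply_message"] = raw.decode("ascii", "replace").strip()
            reply_pending = False
        elif (m := RE_RECV.search(line)) and m.group(1) == cur["id"]:
            cur["result"] = m.group(2)  # Access-Accept / Access-Reject
        elif m := RE_ATTR.search(line):
            cur["attrs"].append((m.group(1), m.group(2)))
        elif "Reply-Message" in line:
            reply_pending = True
    return exchanges

def priv_level(exchange):
    """Privilege level from a shell:priv-lvl AV pair, or None when the ACS sent none."""
    for name, value in exchange["attrs"]:
        if name == "Cisco AVpair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None
```

Seeing shell:priv-lvl=15 arrive confirms the ACS group attribute is being sent; if the session still lands at level 1, the router is receiving the level without applying it, which is an IOS exec-authorization setting rather than an ACS one.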
Old link above; see http://petenetlive.com/KB/
by: PeteLong, posted on 2007-10-15 at 02:54:03, ID: 20076772
Typical - I've got a full walkthrough on my website - and my broadband is down :(
Here's the official link you need to read: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthemicrosoftserverwithias
If my site gets back up this evening, go to www.petenetlive.com > Tech Info - Cisco and there's a full walkthrough :)