Solved

Cisco ACS Radius configuration

Posted on 2007-10-15
13,603 Views
Last Modified: 2009-05-27
Need some help using a Cisco ACS server to provide login authentication to Cisco devices on the network....



Not sure of the best way to set up ACS to act as a RADIUS server. If anyone with any experience can point me in the right direction, that will be great....


For the devices on the network, I have configured the following:



aaa new-model

aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local enable

radius-server host (IP address of ACS) auth-port 8812 acct-port 8813 key secretkey

Question by:peterelvidge
18 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 20076772
Typical - I've got a full walkthrough on my website - and my broadband is down :(

Heres the official link you need to read  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthemicrosoftserverwithias

If my site gets back up this evening, go to www.petenetlive.com > tech info - cisco and there's a full walkthrough :)
 
LVL 4

Author Comment

by:peterelvidge
ID: 20077125
Hey Pete -- I think I'll wait for your website!
 
LVL 1

Expert Comment

by:pkapoor
ID: 20078909
I would recommend TACACS+ as a preferred protocol for Cisco device AAA setup. Take time to read the difference between TACACS+ and RADIUS protocols to make an informed decision on what you would like to implement. Here is a pretty good article on it from Cisco: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml.

If you have already decided on RADIUS, then here is what is required.
1. AAA setup on the router:

****Define the AAA parameters****
aaa new-model
aaa authentication login default group radius local enable
!
****Define the ACS Server RADIUS setup****
radius-server host <IP_Addr_of_ACS> auth-port 1645 acct-port 1646
radius-server retransmit 30
radius-server key <shared_secret>

****Apply the AAA configuration to the access method****
****Here I am saying that anyone accessing the router on "line vty 0 4" needs to be AAA authenticated****

line vty 0 4
 login authentication default

2.  ACS Server setup
- Under "Network Configuration", you can create a new group for network devices. I group mine based on location of device or type of device (routers, firewalls, vpn, etc.).
- Once your group is created, you can start adding devices under it. Click the group name you just created under Network Configuration and then click Add Entry.
-  In the "Add AAA Client" page, enter the fields.
i.  Hostname of Cisco device
ii. IP address of Cisco device
iii. The <shared_secret>, which you have setup on the device as well
iv. Drop-down and select the group to which you want to add this device. The groups listed in the drop-downs are those that you configured in the first step.
v.  For "Authenticate Using" select the appropriate RADIUS "version".  Typically for routers and PIX firewalls, you would use the "RADIUS (Cisco IOS/PIX)" protocol. These "versions" are pretty obvious in their description.
vi. Click "Submit + Apply"

Now you can test and see whether your authentication works or not.
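The exchange that the router configuration above sets up, written out as an added example (not code from the thread, from Cisco or from ACS): the NAS builds an Access-Request with the User-Password hidden under the shared secret (RFC 2865 section 5.2), a toy ACS checks it and answers with an Access-Accept that carries the Cisco AV pair shell:priv-lvl in a Vendor-Specific attribute (the same attribute that shows up later in the debug output), and the NAS verifies the Response Authenticator before trusting the reply. The shared secret, user names, passwords and privilege levels are assumptions for the example, as is the in-process "ACS" stand-in.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865); Cisco AV pairs travel in
# Vendor-Specific (26) with vendor id 9 and sub-attribute 1.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, VENDOR_SPECIFIC = 1, 2, 18, 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1

# Constructed stand-in for the ACS side. Secret, user, password and privilege
# level are assumptions for this example, not values from the thread.
ACS_SECRET = b"secretkey"
ACS_USERS = {"rob": (b"robs-password", 15)}

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password. A wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def tlv(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_tlvs(data):
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def cisco_avpair(text):
    """Build the Vendor-Specific attribute that carries e.g. shell:priv-lvl=15."""
    sub = tlv(CISCO_AVPAIR, text.encode())
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def cisco_avpairs(packet):
    """Extract every Cisco AV pair string from a RADIUS packet."""
    pairs = []
    for attr_type, value in parse_tlvs(packet[20:]):
        if attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            pairs += [v.decode() for t, v in parse_tlvs(value[4:]) if t == CISCO_AVPAIR]
    return pairs

def build_access_request(ident, user, password, nas_secret, req_auth):
    body = tlv(USER_NAME, user.encode())
    body += tlv(USER_PASSWORD, hide_password(password, nas_secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, ident, req_auth, secret, body):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def response_is_authentic(packet, req_auth, secret):
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def acs_handle(request):
    """Toy ACS: check the password and answer with the user's shell:priv-lvl."""
    ident, req_auth = request[1], request[4:20]
    attrs = dict(parse_tlvs(request[20:]))
    user = attrs[USER_NAME].decode(errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], ACS_SECRET, req_auth)
    if user in ACS_USERS and hmac.compare_digest(password, ACS_USERS[user][0]):
        avpair = cisco_avpair(f"shell:priv-lvl={ACS_USERS[user][1]}")
        return build_response(ACCESS_ACCEPT, ident, req_auth, ACS_SECRET, avpair)
    reject_body = tlv(REPLY_MESSAGE, b"Rejected\n\r")
    return build_response(ACCESS_REJECT, ident, req_auth, ACS_SECRET, reject_body)

def nas_login(user, password, nas_secret=ACS_SECRET, ident=1):
    """NAS side: send the request, verify the reply's authenticator, read priv-lvl.
    Returns (accepted, privilege_level); an unauthentic reply counts as a reject."""
    req_auth = os.urandom(16)
    reply = acs_handle(build_access_request(ident, user, password, nas_secret, req_auth))
    if reply[0] != ACCESS_ACCEPT or not response_is_authentic(reply, req_auth, nas_secret):
        return False, None
    levels = [p.split("=", 1)[1] for p in cisco_avpairs(reply) if p.startswith("shell:priv-lvl=")]
    return True, (int(levels[0]) if levels else 1)
```

Two things worth noticing when you run it: a shared secret that differs between the router and the ACS does not raise an error anywhere, the ACS simply unhides a wrong password and rejects, and the router then discards the reply because its authenticator does not verify; and only the User-Password field is hidden at all, everything else in the packet (user name, NAS address, the returned privilege level) crosses the network in clear text, so keep the ACS on a management network rather than relying on RADIUS itself for confidentiality.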
 
LVL 57

Expert Comment

by:Pete Long
ID: 20080684
 
LVL 4

Author Comment

by:peterelvidge
ID: 20084825
Hey Pete -- thanks for the guide -- but I was after ACS configuration, not ASA. pkapoor, your guide looks great -- but in 'Network Configuration' I can't seem to add a network device group -- the only options I have are to add either an AAA client, an AAA server or a proxy distribution table... any reason why this is?

many thanks
 
LVL 4

Author Comment

by:peterelvidge
ID: 20084899
Seem to be getting somewhere... the device is communicating with RADIUS -- but access is rejected -- can I build a local database of users I want to be able to access the devices? I would like anyone who has access to have privilege level 15.



5d02h: RADIUS: Pick NAS IP for u=0x1818C30 tableid=0 cfg_addr=0.0.0.0
5d02h: RADIUS: ustruct sharecount=1
5d02h: Radius: radius_port_info() success=1 radius_nas_port=1
5d02h: RADIUS(00000000): Send Access-Request to 10.99.1.12:1645 id 1645/1, len 72
5d02h: RADIUS:  authenticator 70 A0 E0 8D 3D 8A C0 8B - 4A 9A F7 07 DF 0C 53 02
5d02h: RADIUS:  NAS-IP-Address      [4]   6   10.87.162.109
5d02h: RADIUS:  NAS-Port            [5]   6   2
5d02h: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
5d02h: RADIUS:  User-Name           [1]   4   "ra"
5d02h: RADIUS:  Calling-Station-Id  [31]  12  "10.0.0.117"
5d02h: RADIUS:  User-Password       [2]   18  *
5d02h: RADIUS: Received from id 1645/1 10.99.1.12:1645, Access-Reject, len 32
5d02h: RADIUS:  authenticator 3B 13 38 1A 38 48 F7 86 - 1D 06 BB C0 85 49 E2 87
5d02h: RADIUS:  Reply-Message       [18]  12
5d02h: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
5d02h: RADIUS: saved authorization data for user 1818C30 at 0
5d02h: RADIUS: Pick NAS IP for u=0x1818C30 tableid=0 cfg_addr=0.0.0.0
5d02h: RADIUS: ustruct sharecount=1
5d02h: Radius: radius_port_info() success=1 radius_nas_port=1
 
LVL 4

Author Comment

by:peterelvidge
ID: 20084972
Can I just add that I would like to use the Windows AD database to allow the users privilege level 15...

I have made this work by making a new user in a new group.
 
LVL 1

Expert Comment

by:pkapoor
ID: 20086099
In Network Configuration, you can add AAA client (without creating groups). This could be because of the version of ACS you are running. However, if you just add the AAA client, that will suffice.

Once that is done, let's talk about integrating the AD authentication. Note that for assigning privilege levels, you need to do it with the ACS itself. Active Directory does not have attributes that will assign out privilege levels with RADIUS authentication. However, you can create a group in AD which has all users you want to give access to as its member.

To have the ACS refer to the AD for user credentials, do the following:
1.  External User Database > Database Configuration > Windows Database > Configure
2.  I usually check the Dialin Permission (for this, in the AD account of the user, you must grant Dial-in permissions).
3.  I do not enable Windows callback.
4.  In "Configure Domain List", you will see your domain in the "Available Domains" list. Select and add it to the right side.
5.  Submit

Sometimes the ACS prompts you to restart the service control. For this, go to System Configuration > Service Control and then click the Restart button at the bottom.

Let us know how it goes.
 
LVL 1

Expert Comment

by:pkapoor
ID: 20086140
FYI, if you refer to an external database, the ACS builds a local cache of the credentials once a user authenticates successfully for the first time. Therefore, if any user leaves and you disable his AD account, don't forget to check the ACS local database to make sure that you delete the cached account as well.
 
LVL 4

Author Comment

by:peterelvidge
ID: 20086458
Thanks for this -- however I still can't seem to get a user to be able to get privilege level 15 straight away.
 
LVL 4

Author Comment

by:peterelvidge
ID: 20086535
In the ACS I have created a local group of 7 members; they can all login to the Cisco.

In the ACS group I made, I edited in the settings > Cisco IOS/PIX 6.x RADIUS Attributes

I added: priv-lvl=15

but I don't actually get privilege level 15. Maybe I need to adjust this?

5d03h: RADIUS:  NAS-Port            [5]   6   2
5d03h: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [
5d03h: RADIUS:  User-Name           [1]   5   "rob"
5d03h: RADIUS:  Calling-Station-Id  [31]  12  "10.0.0.117"
5d03h: RADIUS:  User-Password       [2]   18  *
5d03h: RADIUS: Received from id 1645/16 10.99.1.12:1645, Access-Accept, l
5d03h: RADIUS:  authenticator 80 88 38 88 14 70 57 87 - 23 00 05 DB F6 17
5d03h: RADIUS:  Vendor, Cisco       [26]  25
5d03h: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
5d03h: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
5d03h: RADIUS:  Class               [25]  24
 
LVL 1

Expert Comment

by:pkapoor
ID: 20086811
What version of ACS do you have?
 
LVL 4

Author Comment

by:peterelvidge
ID: 20092090
v 4.0
 
LVL 1

Expert Comment

by:pkapoor
ID: 20095835
So what is it that you get when the users log in? Have you made sure that you have enabled Shell (exec) access?
 
LVL 4

Author Comment

by:peterelvidge
ID: 20099371
I get the normal exec prompt... >

I need the privileged exec prompt #

I think the problem is that the Cisco does not understand... priv-lvl=15. Is there a different way this should be written?


6d22h: RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
 
LVL 4

Author Comment

by:peterelvidge
ID: 20100105
Think I've just worked this out...


You need...

the aaa authorisation login .... default radius etc. command to authorise priv level 15
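What the thread arrives at is that authentication alone is not enough: IOS only applies a shell:priv-lvl AV pair returned by RADIUS when exec authorization is also sent to the RADIUS group, and the standard IOS command for that is aaa authorization exec default group radius (this is IOS behaviour and documentation, not a command quoted anywhere in the thread). The check below is an added example, not code from the thread or from Cisco: it audits a pasted running-config for the lines that decide whether a RADIUS-returned level takes effect, flags two settings a reviewer would want to know about (the enable password as the last login fallback, and a static privilege level 15 on the vty lines, which would hand every authenticated user level 15 regardless of what ACS returns), and compares the poster's original config against a corrected one. The configs are constructed strings; 10.99.1.12 is the ACS address from the debug output, and the standard port pairs are the ACS defaults quoted earlier plus the RFC 2865 pair.

```python
import re

# The poster's router configuration from the top of the thread, as a constructed
# string; 10.99.1.12 is the ACS address that appears in the debug output.
ORIGINAL_CONFIG = """
aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local enable
radius-server host 10.99.1.12 auth-port 8812 acct-port 8813 key secretkey
line vty 0 4
 login authentication default
"""

# The same configuration with exec authorization added so IOS applies the
# shell:priv-lvl AV pair, and the ports set to the ACS defaults quoted earlier in
# the thread. The authorization line is standard IOS, not taken from the thread.
CORRECTED_CONFIG = """
aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local enable
aaa authorization exec default group radius local
radius-server host 10.99.1.12 auth-port 1645 acct-port 1646 key secretkey
line vty 0 4
 login authentication default
"""

STANDARD_PORTS = {(1645, 1646), (1812, 1813)}  # legacy and RFC 2865 port pairs


def audit_aaa(config):
    """Check the AAA lines that decide whether a RADIUS-returned privilege level takes effect."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]

    def has(pattern):
        return any(re.match(pattern, l) for l in lines)

    findings = {
        "aaa_new_model": has(r"aaa new-model$"),
        "login_authentication_radius": has(r"aaa authentication login default group radius\b"),
        "exec_authorization_radius": has(r"aaa authorization exec default group radius\b"),
        # 'enable' as the last method makes the enable password a login password
        # whenever RADIUS is unreachable and no local user matches.
        "login_falls_back_to_enable": has(r"aaa authentication login default .*\benable$"),
        "radius_server_defined": has(r"radius-server host \S+"),
        "radius_ports_standard": True,   # no explicit ports means the IOS default 1645/1646
        "vty_static_privilege_15": False,
    }
    for l in lines:
        m = re.match(r"radius-server host \S+.*?auth-port (\d+) acct-port (\d+)", l)
        if m and (int(m.group(1)), int(m.group(2))) not in STANDARD_PORTS:
            findings["radius_ports_standard"] = False
    in_vty = False
    for l in lines:
        if not l.startswith(" "):
            in_vty = l.startswith("line vty")
        elif in_vty and l.strip() == "privilege level 15":
            findings["vty_static_privilege_15"] = True  # bypasses per-user levels from ACS
    return findings


def predicted_exec_level(config, acs_level=15):
    """Level a user lands at after an Access-Accept carrying shell:priv-lvl=<acs_level>.
    None if RADIUS login is not wired up at all; 1 (the vty default) when IOS has no
    exec authorization and therefore ignores the AV pair; acs_level otherwise."""
    f = audit_aaa(config)
    if not (f["aaa_new_model"] and f["login_authentication_radius"] and f["radius_server_defined"]):
        return None
    if f["vty_static_privilege_15"]:
        return 15
    return acs_level if f["exec_authorization_radius"] else 1
```

Run audit_aaa on the two configs and the difference is exactly one finding, exec_authorization_radius, which is what moves predicted_exec_level from 1 to 15; the port finding on the original config is informational (ACS has to be listening on whatever ports the router sends to), and login_falls_back_to_enable is true for both, so decide deliberately whether you want the enable secret to double as a login password when the ACS is down.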
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 20962260
PAQed with points refunded (500)

Computer101
Community Support Moderator
 
LVL 57

Expert Comment

by:Pete Long
ID: 32644522
Old Link above see http://petenetlive.com/KB/Article/0000071.htm instead
