Set up TACACS+ authentication to Director on Cisco ACS server

Article ID: 166898

Products

Director

Issue/Introduction

To set up TACACS+ authentication to Director, you must configure the TACACS+ server and the Director appliance. Refer to "Administering Director" in the Director Configuration and Management Guide for instructions on configuring the appliance.

This document contains instructions for configuring TACACS+ authentication in Cisco ACS 4.x and 5.4.

Cisco ACS 4.x

  1. Create a Network Device group.
    1. Click the Network Configuration button.
      A list of existing Network Device groups displays.
    2. Click Add Entry and enter a name for the group and the key (shared secret).
  2. Create one AAA client for each Director appliance that uses the TACACS+ protocol.
    1. Select the Network Device group you created in step 1.
    2. Click Add Entry.
    3. For AAA Client hostname, specify a name. You can use the IP address for the name.
    4. For AAA Client IP address, specify the IP address of the Director appliance.
    5. Select the Network Device group you created in step 1.
    6. Select TACACS+ (Cisco IOS) as the protocol.
    7. Click Submit.
      You might be prompted to restart the ACS server; restart the server (select System Configuration > Service Control).
  3. Create a group.
    1. Click Group Setup and select an unused group.
    2. Click Rename and enter a name such as "Director users".
    3. Select the group you created and click Edit Settings.
    4. Scroll down to Advanced TACACS+ settings and click Max Privilege for any AAA client. Set it to level 15.
    5. On the drop down window, select the Device group you created in step 1 and click Add Association to add it to the group.
    6. Select Use separate password and enter the enable password.
    7. Click Submit.
  4. Create a user.
    1. Click User Setup.
    2. In the window, specify a username and click Add/Edit.
    3. Enter details for the user, including the following:
      • Real name
      • Description
      • Password - This should contain only alphanumeric characters and cannot exceed 16 bytes in length. (You do not need a separate CHAP/MS-CHAP/ARAP password.)
    4. Assign the user to the group you created in step 3.
      Tip: You can add users to a group created for a specific purpose or to a generic group. In either case, the User Group must be associated with the Device Group for this AAA client.
    5. Click Submit.

Cisco ACS 5.4

Support for Cisco ACS 5.4 was introduced in SGME 6.1.15.1.
ACS Version Tested: 5.4.0.46.0a

  1. Create a Network Device group.
    1. Select Network Resources > Network Device Groups.
      A list of existing Network Device groups displays.
    2. Click Create and enter a name and description.
    3. Click Submit.
  2. Add Director as a client.
    1. Select Network Resources > Network Device Groups > Device Type and select the group you created.
    2. Select Network Resources > Network Devices and AAA Clients.
    3. Click Create.
    4. For the Name, specify a name. You can use the IP address for the name.
    5. For IP Address, select Single IP Address and specify the IP address of the Director appliance in the field.
    6. For Authentication Options, select TACACS+ and enter the key (shared secret).
    7. Click Submit.
  3. Create a group.
    1. Select Users and Identity Stores > Identity Groups.
    2. Click Create.
    3. Enter a name and description for the group.
    4. Click Submit.
  4. Create a user.
    1. Select Users and Identity Stores > Internal Identity Stores > Users.
    2. In the window, specify a username and click Create.
    3. Enter details for the user, including the following:
      • Real name
      • Description
      • Password - This should contain only alphanumeric characters and cannot exceed 16 bytes in length. (You do not need a separate CHAP/MS-CHAP/ARAP or enable password.)
    4. Assign the user to the group you created in step 3.
      Tip: You can add users to a group created for a specific purpose or to a generic group. In either case, the User Group must be associated with the Device Group for this AAA client.
    5. Click Submit.
  5. Create a shell profile.
    1. Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
    2. Click Create and enter a Name and Description for the profile.
    3. Click the Common Tasks tab and set the DEFAULT Privilege level. Director supports only four levels (1, 7, 10, and 15).
  6. Create the access policy.
    1. Select Access Policies > Access Services.
    2. Click Create.
    3. For Name, enter "Tacacs access policy".
    4. Select User Selected Service Type, and then select Device Administration.
    5. Click Next.
    6. In Step 2 - Allowed Protocols, select "Allow PAP/ASCII".
    7. Click Finish.
    8. Select Access Policies > Access Services > the service you created above > Identity.
    9. Select Single result selection.
    10. For Identity source, select Internal Users.
    11. Click Submit.
    12. For Authorization, create a rule with valid conditions.
    13. Select Access Policies > Access Services (which is created above) > Authorization.
    14. Select the shell profile that you created in step 5.
    15. Click Submit.
  7. Enable the access policy.
    1. Select Access Policies > Service Selection Rules.
    2. Select Rule based result selection and click Create.
    3. Enter a name for the policy.
    4. For Status, select Enabled.
    5. Under Conditions, select Protocol and select TACACS.
    6. For Service, select Tacacs access policy.
    7. Click OK.
      When the rule is enabled, the rules list displays it with a green icon.
  8. Reload the server or restart the ACS service.
    Note: Make sure the rule under Access Policies > Service Selection Rules has valid conditions and that the access service you created is selected for it.
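As an added illustration (not part of this article, nor code from Director or ACS), the following Python builds and parses the TACACS+ PAP authentication START packet that both procedures above enable, following RFC 8907: it shows why the key entered on the AAA client entry must match the key configured on Director (a mismatched key turns the body into garbage), and where the privilege level and the article's 16-byte alphanumeric password rule appear on the wire. The session id, username, key and addresses are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC          # RFC 8907 wire constants
TAC_PLUS_MINOR_VER_ONE = 1        # minor version 1 is required for PAP
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # the "Allow PAP/ASCII" choice in the access service
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
DIRECTOR_PRIV_LEVELS = {1, 7, 10, 15}   # the four levels the article says Director supports

def password_ok(password: str) -> bool:
    """The article's rule for ACS user passwords: alphanumeric only, at most 16 bytes."""
    return password.isascii() and password.isalnum() and len(password.encode()) <= 16

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream (RFC 8907 section 4.5); both ends need the same shared key to derive it."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_pap_start(user: str, password: str, priv_lvl: int, session_id: bytes, key: bytes,
                    port: str = "tty0", rem_addr: str = "192.0.2.10") -> bytes:
    """Authentication START packet as the Director (AAA client) side would send it."""
    if priv_lvl not in DIRECTOR_PRIV_LEVELS or not password_ok(password):
        raise ValueError("privilege level or password outside what the article allows")
    user_b, port_b, rem_b, data = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(data))
    body += user_b + port_b + rem_b + data
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    seq_no = 1                                      # first packet of the session
    header = struct.pack("!BBBB4sI", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def decode_start(packet: bytes, key: bytes) -> dict:
    """Parse a START packet as the ACS side would; a mismatched key yields garbage fields."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    _action, priv, atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ul, pl, rl, dl):                      # user, port, rem_addr, data (password)
        fields.append(body[off:off + n]); off += n
    return {"priv_lvl": priv, "authen_type": atype, "user": fields[0], "password": fields[3]}
```

Decoding the same packet with a different key is what an ACS "key mismatch" failure looks like at the byte level, which is why the AAA client key and the Director key must be entered identically.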