Configure Users & Add AAA Clients to TACACS Server
To configure the network devices themselves as TACACS clients, please refer to the following posts:
Configuring AAA on Cisco Routers / Switches for TACACS Users
Configuring AAA on Cisco ASA for TACACS Users
Evolution of the ACS
The oldest method was based on configuring Shared Profile Components and binding them to User Profiles/Groups. Later this was developed to the point where Policy Elements could be configured and bound to User Profiles/Groups.
Now ISE is here to replace the old ACS servers, and it is more flexible because ISE uses a rich set of policy elements to implement policies that permit or deny authorization based on conditions.
Let's get started with a typical practical example.
Let's say there are 2 types of users who access the network devices of a company: Admin users and Help Desk users. Both Admin and Help Desk users must be able to issue any command on L2 devices. Admin users should be allowed to issue any command on L3 devices too, while Help Desk users must not be able to configure Layer 3 devices.
To fulfil this requirement, the following tasks should be performed on ISE.
1. Create 2 User Groups (Admin_Users, Helpdesk_Users)
2. Create 2 Users and assign them to 2 User Groups (Bob, Sally)
3. Create a Shell Profile (CiscoHigh)
4. Create 2 Command Sets (ALL Commands, Deny Some Config)
5. Create 2 Device Groups (LAN,WAN)
6. Create 2 Network Devices (L2-Switch, L3-Router)
7. Create a Device Admin Policy Set with 2 Authorization Policies
Prerequisites
First of all, the following 2 requirements must be fulfilled.
1. Have a Device Admin License
Administration > System > Licensing
A quantity of 1 license is enough per ISE, which means you only need 1 Device Admin license to run the ACS service on ISE.
2. Enable Device Admin Service
Administration > System > Deployment
Configuration
1. Create 2 User Groups
Go to Work Centers > Device Administration > User Identity Groups > +Add
2. Create 2 Users and assign them to 2 User Groups
Go to Work Centers > Device Administration > Identities > +Add
Bob is the Admin User & Sally is the HelpDesk User.
3. Create a Shell Profile
Go to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles > +Add
I am creating one Shell Profile for both user types because the command restriction is done in the Command Sets configuration. Since all users should generally have access to privilege level 15 commands, this is the approach.
I name this Shell Profile CiscoHigh.
4. Create 2 Command Sets
Go to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets > +Add
The first Command Set is to permit all commands, so I just need to tick the "Permit any command that is not listed below" check box and leave the commands table empty.
I named the 1st one ALL Commands and the second one Deny Some Config.
5. Create 2 Device Groups
Go to Work Centers > Device Administration > Network Resources > Network Device Groups > +Add
6. Create 2 Network Devices
Go to Work Centers > Device Administration > Network Resources > Network Devices > +Add
Both devices are added in the same way.
7. Create a Device Admin Policy Set with 2 Authorization Policies
Go to Work Centers > Device Administration > Device Admin Policy Sets > +Add
Let's create a Policy Set named TACACS.
Click on the + mark under Conditions. I am configuring this main Policy Set condition as the Network Access UserName attribute being equal to TACACS User, so that the Policy Set will only be consulted for that username in the Network Access section.
After hitting Use, the Policy Set will be shown like the following. I am selecting Default Device Admin as the allowed protocols, which permits TACACS, RADIUS etc. by default.
Now click on the > to go inside the Policy Set for further configuration.
The 1st thing to configure is the Authentication Policy. When you expand it, you can see a Default Policy is there, and truly there is nothing much to do here. So I am just selecting Internal Users as the Identity Store and moving on to the Authorization Policy.
The Authorization Policy is the one that does the real work. According to the requirement, we can use granular logic with AND, OR etc. to implement the policy. The following snap shows how I addressed the requirement.
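To make the logic of the Authorization Policy and the two Command Sets concrete, here is an added example (not code from the original post or from Cisco ISE) that models how the rules above decide whether a given user may run a given command on a given device. The group, device group, shell profile and command set names are the ones used in this post; the contents of the "Deny Some Config" command set, the exact rule conditions and the simplified command-set evaluation order (deny_always, then permit, then deny, then the "permit unlisted" tick box) are assumptions, since the post shows them only as screenshots.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CommandRule:
    """One row of an ISE TACACS Command Set table."""
    grant: str            # "permit", "deny" or "deny_always"
    command: str          # TACACS+ command word, e.g. "configure"
    arguments: str = ""   # regex over the full argument string; "" matches anything


@dataclass
class CommandSet:
    name: str
    permit_unlisted: bool                      # "Permit any command that is not listed below"
    rules: list = field(default_factory=list)

    def authorize(self, cmd_line: str) -> bool:
        """Simplified evaluation (assumption): deny_always beats everything,
        then permit, then deny; a command no rule matches falls back to the tick box."""
        word, _, args = cmd_line.strip().partition(" ")
        matched = [
            r.grant for r in self.rules
            if r.command == word and (not r.arguments or re.fullmatch(r.arguments, args))
        ]
        if "deny_always" in matched:
            return False
        if "permit" in matched:
            return True
        if "deny" in matched:
            return False
        return self.permit_unlisted


# Command Sets from the post. The rows of "Deny Some Config" are assumed.
ALL_COMMANDS = CommandSet("ALL Commands", permit_unlisted=True)
DENY_SOME_CONFIG = CommandSet("Deny Some Config", permit_unlisted=True, rules=[
    CommandRule("deny", "configure"),                      # assumed: blocks "configure terminal"
    CommandRule("deny", "write"),                          # assumed: blocks "write memory"
    CommandRule("deny", "copy", r".*startup-config.*"),    # assumed: blocks saving the config
])


@dataclass
class AuthzRule:
    """One row of the Device Admin Authorization Policy (conditions + results)."""
    name: str
    user_group: str
    device_group: Optional[str]   # None: the condition does not look at the device group
    shell_profile: str
    command_set: CommandSet


# Constructed identity and device data mirroring the post's objects.
USERS = {"Bob": "Admin_Users", "Sally": "Helpdesk_Users"}
DEVICES = {"L2-Switch": "LAN", "L3-Router": "WAN"}

# Rules are evaluated top-down, first match wins; no match hits ISE's default "deny access".
POLICY = [
    AuthzRule("Admins on any device", "Admin_Users", None, "CiscoHigh", ALL_COMMANDS),
    AuthzRule("Helpdesk on L2 (LAN)", "Helpdesk_Users", "LAN", "CiscoHigh", ALL_COMMANDS),
    AuthzRule("Helpdesk on L3 (WAN)", "Helpdesk_Users", "WAN", "CiscoHigh", DENY_SOME_CONFIG),
]


def match_rule(username: str, device: str) -> Optional[AuthzRule]:
    """Return the first Authorization Policy row whose conditions match the session."""
    group = USERS.get(username)
    dev_group = DEVICES.get(device)
    if group is None or dev_group is None:
        return None
    for rule in POLICY:
        if rule.user_group == group and rule.device_group in (None, dev_group):
            return rule
    return None


def authorize_command(username: str, device: str, cmd_line: str) -> bool:
    """Session authorization picks the command set; the command set then decides."""
    rule = match_rule(username, device)
    if rule is None:
        return False
    return rule.command_set.authorize(cmd_line)


if __name__ == "__main__":
    for user in ("Bob", "Sally"):
        for dev in DEVICES:
            for cmd in ("show ip route", "configure terminal", "write memory"):
                verdict = "permit" if authorize_command(user, dev, cmd) else "deny"
                print(f"{user:6} {dev:10} {cmd:20} -> {verdict}")
```

Running the block prints a permit/deny matrix: Bob is permitted everything, Sally is permitted everything on L2-Switch, and on L3-Router she keeps show commands but loses configure, write and config-saving copy commands, which is exactly the requirement stated at the top of the post.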
You can go to Work Centers > Device Administration > Reports to view reports. Here is a snapshot of Command Accounting.
Note:-
The main thing to keep in mind is the distinction between the Authentication Policy and the Authorization Policy inside a Policy Set.
Authentication Policies
Authentication policies define the protocols that Cisco ISE uses to communicate with the network devices, and the identity sources that it uses for authentication.
An Authentication Policy consists of the following:
1. Network Access Service
An allowed protocols service that chooses the protocols to handle the initial request and protocol negotiation, or a proxy service that will proxy requests to an external RADIUS server for processing.
2. Identity Source
An identity source or an identity source sequence to be used for authentication.
Authorization Policies
Network authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy, and network access is authorized accordingly.