This chapter contains instructions on setting up an initial group profile and user account to test authentication. The topics covered in this chapter include:
After completing and verifying initial configuration of your CiscoSecure ACS software in this chapter, you can expand and customize your access control system following directions in the chapters, "Simple User and ACS Management," "Advanced Group and User Management," and "ACS and NAS Management."
To achieve the fastest installation and configuration of the CiscoSecure ACS, Cisco recommends the following steps (described in detail in the next sections):
1) Run the web-based CiscoSecure Administrator to set up an initial group and user profile. This task varies according to whether you are setting up your group and user with TACACS+ protocol support, RADIUS protocol support, or combined TACACS+ and RADIUS protocol support.
2) Log in to the network access server (NAS) that you want the CiscoSecure ACS to manage and input the relevant NAS configuration commands. The NAS configuration commands will vary according to whether your NAS is enabled for TACACS+ protocol support or RADIUS protocol support.
3) Log in to one of the supported NASes under the initial user profile to test network operation.
After installing and verifying your initial configuration, you can expand and customize your access control system following directions in the chapters, "Simple User and ACS Management," and "Advanced Group and User Management."
If you are installing CiscoSecure ACS for the first time, and have no user or group profiles already configured, your next step, after installing and starting the ACS software, is to set up an initial test user profile and configure your NAS to support this profile. The procedures to carry this out vary according to whether you are assigning TACACS+ protocol attributes or RADIUS protocol attributes to the user profile.
In this section, you will use the Java-based CiscoSecure Administrator advanced configuration program and the CiscoSecure ACS Add a User web page and configure a NAS to set up and support an initial test group profile and user profile with TACACS+ protocol attributes.
For testing purposes, locate the CiscoSecure ACS, the host NAS, and a login workstation on the same Ethernet segment.

Using the CiscoSecure Administrator, you will create an initial test group profile. Using TACACS+ protocol attributes, you will name the profile "T_Shell_Group," and enable Telnet login by enabling all commands and attributes associated with shell service.
Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL address:
http://your_server/cs
where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.
Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:
superuser
changeme
Step 3 In the CiscoSecure ACS Main window, click Advanced and then click Advanced again to continue.
The CiscoSecure Administrator advanced configuration program may require several minutes to load.
Step 4 Create and name a test group profile:
(a) When the advanced CiscoSecure Administrator window appears, click the Members tab.
(b) Locate and deselect the Browse option in the Navigator pane. This displays the Create New Profile icon.
(c) In the Navigator pane, locate and click the root folder icon.
(d) Click the Create New Profile button to display the New Profile dialog box, select the Group option, and enter T_Shell_Group. This names the group profile "T_Shell_Group."
(e) Click OK. The T_Shell_Group profile icon appears on the tree underneath the Root icon.

Step 5 Specify shell service for the group profile.
(a) Click the T_Shell_Group profile icon in the Navigator pane and click Profile in the Profile pane. This displays the "T_Shell_Group" profile's Options menu in the lower right corner Attributes pane.
(b) In the Options menu, select Service-shell, then click Apply. The Service-shell attribute icons appear under the Profile icon in the Profile pane.

Step 6 Click Submit.
Step 7 Click Logoff to exit and terminate the CiscoSecure Administrator session. Your web browser may require several minutes to terminate.
Using the CiscoSecure ACS Add a User web page, you will now create an initial test user profile. Using TACACS+ protocol attributes, you will name the profile "T_User," assign it a clear text password, "Cisco," and enable Telnet login by assigning it to the T_Shell_Group profile.
Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL address:
http://your_server/cs
where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.
Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:
superuser
changeme
Step 3 In the CiscoSecure ACS Main window, click Member, then click Add.
The Add a User web page appears.

Step 4 In the Group field, enter T_Shell_Group. This assigns the new user to the test group you just created and, by inheritance, also grants the user the shell privileges assigned to that group.
Step 5 In the User Name field, enter T_User.
Step 6 In the Password field and in the Confirm field underneath, enter Cisco.
Step 7 In the Web Page privilege field, select 1 to grant T_User access to the CSUser web page for changing personal passwords.
Step 8 Select Clear to indicate the method of password transmission.
Step 9 Click Add.
From a network workstation, log in to the host NAS. Bring up the configuration window and input the following configuration commands:
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs line
aaa authorization exec tacacs+ if-authenticated
enable password cisco
!
tacacs-server host acs_ip_address
tacacs-server key secret_key
!
line con 0
login authentication no_tacacs
password cisco
where:
acs_ip_address is the IP address of the CiscoSecure ACS.
secret_key is the secret TACACS+ NAS key that you entered for the NAS during the CiscoSecure ACS installation.
In this section, you will use the CiscoSecure Administrator advanced configuration program and the CiscoSecure ACS Add a User web page and configure a NAS to set up an initial test group profile and test user profile with RADIUS protocol attributes.
For testing purposes, locate the CiscoSecure ACS, the host NAS, and a login workstation on the same Ethernet segment.

Using the CiscoSecure Administrator, you will create an initial group profile. Using RADIUS protocol attributes, you will name the profile "R_Shell_Group," and enable Telnet login.
Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL:
http://your_server/cs
where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.
Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:
superuser
changeme
Step 3 In the CiscoSecure ACS Main window, click Advanced then click Advanced again to continue.
The advanced configuration program may require a few minutes to load.
Step 4 Specify the host NAS, its shared secret key, and supported version of RADIUS protocol:
(a) When the advanced CiscoSecure Administrator window appears, locate and click the NAS page tab.
(b) Click New, enter the IP address of the host NAS, and click OK. The IP address appears in the NAS list in the Navigator pane.
(c) Select the host NAS IP address, then click Edit.
(d) Click the Shared Secret field, type a secret key for the NAS, and note the key for later reference.
(e) Make sure the "RADIUS Vendor" states "Cisco" to indicate that you are using a NAS that supports Cisco RADIUS.
(f) Verify that the "Dictionary" drop-down box states "Cisco" as well.
(g) Click Done.

Step 5 Create a test group profile:
(a) Click the Members tab.
(b) Deselect the Browse check box in the Navigator pane. This displays the Create New Profile icon (Figure 2-7).
(c) In the Navigator pane, locate and click the [Root] folder icon.
(d) Click the Create New Profile icon to display the New Profile dialog box.
(e) Select the Group Profile checkbox and enter R_Shell_Group. This specifies the profile as a group profile and names the group profile "R_Shell_Group."
(f) Click OK. The R_Shell_Group profile icon appears on the tree underneath the "Root" folder icon.

Step 6 Specify the RADIUS-Cisco dictionary for this group profile:
(a) Click the R_Shell_Group profile icon in the Navigator pane and click the Profile icon in the Profile pane. This displays the "R_Shell_Group" profile's Options menu in the lower right Attributes pane.
(b) In the Options menu, select RADIUS-Cisco and click Apply. The RADIUS-Cisco attribute icon appears under the Profile icon in the Profile pane.

Step 7 Specify RADIUS-Cisco Check Item and Reply attributes:
(a) Click the RADIUS-Cisco attribute icon in the Profile pane. This displays the RADIUS-Cisco Options menu in the Attributes pane.
(b) Select Reply Attributes and Check Items in the Options menu and click Apply.

Step 8 Click the plus/minus symbol by the RADIUS-Cisco icon to display the Reply Attributes and Check Items icons in the Profile pane.
Step 9 Specify the Reply Attributes values:
(a) Select the Reply Attributes icon to display its options in the Attributes pane.
(b) Select 6=User-Service-Type, enumeration in the Options menu and click Apply.
(c) Click the plus/minus sign by the Reply Attributes icon to display the Reply Attribute icons.
(d) Select the User-Service-Type icon in the Profile pane to display the Enumeration dialog box in the lower-right pane.
(e) Select 6=Shell-User from the Enumeration dialog box and click Apply. This will authorize a command shell on the NAS.
Step 10 Click Submit.
Step 11 When you are finished click Logoff. The CiscoSecure Administrator advanced configuration program may require several minutes to terminate.
Using the CiscoSecure ACS Add a User web page, you will now create an initial test user profile. You will name the profile "R_User," assign it a clear text password, "Cisco," and enable Telnet login by assigning it to the R_Shell_Group profile.
Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL address:
http://your_server/cs
where your_server is the host name (or the fully qualified domain name, FQDN, if host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.
Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:
superuser
changeme
Step 3 In the CiscoSecure ACS Main window, click Member, and then click Add.
The Add a User web page appears.

Step 4 In the Group field, enter R_Shell_Group. This assigns the new user to the test group you just created and, by inheritance, also grants the user the shell privileges assigned to that group.
Step 5 In the User Name field, enter R_User.
Step 6 In the Password field and in the Confirm field underneath, enter Cisco.
Step 7 In the Web Page privilege field, select 1 to grant R_User access to the CSUser web page for changing personal passwords.
Step 8 Select Clear to indicate the method of password transmission.
Step 9 Click Add.
From a network workstation, log in to the host NAS. Bring up the configuration window and enter the following configuration commands:
aaa new-model
aaa authentication login default radius enable
aaa authentication login no_radius local
aaa authorization exec radius if-authenticated
enable password cisco
!
username root password cisco
!
radius-server host acs_ip_address
radius-server key secret_key
!
line con 0
login authentication no_radius
where:
acs_ip_address is the IP address of the CiscoSecure ACS.
secret_key is the shared secret key that you entered for the host NAS in Step 4 of the group profile procedure above.
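The exchange that the radius-server commands above set up, as an added example that is not part of the Cisco documentation: a minimal NAS/ACS simulation in Python showing how the NAS hides the User-Password under the shared secret, how the ACS answers with the Service-Type reply attribute (the page's 6=Shell-User value), and why a key that differs between the NAS and the ACS makes the reply fail verification. The function names, the sample credentials R_User/Cisco and the key value are constructed for illustration; only the Shell-User value 6 comes from the page.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6        # RADIUS attribute types
SHELL_USER = 6  # the page's "6=Shell-User" Service-Type enumeration value

def xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def hide_password(password, secret, authenticator):
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)

def unhide_password(hidden, secret, authenticator):
    return xor_chain(hidden, secret, authenticator, True).rstrip(b"\x00")

def attrs(pairs):  # encode (type, value) pairs as RADIUS type/length/value triples
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        out[data[i]], i = data[i + 2:i + data[i + 1]], i + data[i + 1]
    return out

def nas_access_request(user, password, secret, ident=1):
    ra = os.urandom(16)  # NAS side: random Request Authenticator; the password is hidden under it and the key
    body = attrs([(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def acs_respond(request, secret, users):  # ACS side: check the password, then Accept with Service-Type or Reject
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra, a = request[4:20], parse_attrs(request[20:length])
    ok = users.get(a.get(USER_NAME)) == unhide_password(a.get(USER_PASSWORD, b""), secret, ra)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = attrs([(SERVICE_TYPE, struct.pack("!I", SHELL_USER))]) if ok else b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) binds the reply to the key
    return header + hashlib.md5(header + ra + body + secret).digest() + body

def nas_verify(request, response, secret):
    # NAS side: drop any reply whose Response Authenticator was not computed with the same shared secret
    length = struct.unpack("!BBH", response[:4])[2]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return None if expected != response[4:20] else (response[0], parse_attrs(response[20:length]))
```

An Access-Accept that passes nas_verify is what lets the Telnet login in the next section succeed; a mistyped key on either side shows up here as a reject or a discarded reply rather than as an obvious error message.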
In this last section, you will verify your test user's login and authorization:
Step 1 Open a Telnet window on your PC or SPARCstation using the Start/Run command.
Step 2 Telnet to the IP address of the NAS.
Step 3 Enter the username T_User or R_User, whichever one you configured, and the password Cisco at the appropriate prompts.
Step 4 If the NAS lets you in, then this username and password have been properly set up and authenticated.