Using Authentication Proxy with TACACS

Cisco Secure ACS provides both TACACS+ and RADIUS functionality. Cisco Secure ACS was discussed in detail in Chapter 9, "Cisco Secure Access Control Server." This section discusses configuring TACACS+ using the CSACS. If the CSACS is already configured, you only need to make a few configuration changes to run TACACS+. You must complete three steps for this configuration:

Step 1. Complete the network configuration.

Step 2. Complete the interface configuration.

Step 3. Complete the group setup.

Step 1: Complete the Network Configuration

To complete the network configuration, connect to the Cisco Secure ACS using your browser and click the Network Configuration icon on the left border. Figure 16-7 depicts the Network Configuration page of the Cisco Secure ACS.

Figure 16-7. Cisco Secure ACS Network Configuration Page

[Figure 16-7 is a screenshot of the Network Configuration page: the AAA Clients table (columns AAA Client Hostname, AAA Client IP Address, Authenticate Using, with the firewall listed as TACACS+ (Cisco IOS)), the AAA Servers table (AAA Server Name, AAA Server IP Address, AAA Server Type), each with an Add Entry button, and the Proxy Distribution Table below them.]

Ensure that the Cisco IOS Firewall is listed as a AAA client. The IP address should be the address of the interface that faces the AAA server, and the Authenticate Using field should match the authentication protocol being used; in this case, TACACS+ (Cisco IOS). To change any parameters for the AAA client, just click the client (link), and the Edit window will appear. Figure 16-8 depicts the Edit window for the AAA client.

Figure 16-8. AAA Client Edit Window

[Figure 16-8 is a screenshot of the AAA Client Edit window, showing the AAA client IP address and key fields and the Authenticate Using drop-down list.]

In Figure 16-8, you can see that it is possible to change the AAA client IP address and key. The authentication protocols are selected from a drop-down list.

Note

Ensure that you click Submit-Restart after making any changes to the AAA client configuration.

Step 2: Complete the Interface Configuration

The next step is to complete the interface configuration. Select the Interface Configuration icon on the left border and scroll down in the Edit window until you get to the TACACS+ Services configuration box. Figure 16-9 depicts this area.

In Figure 16-9, you can see that TACACS+ services can be assigned to either users or groups. In the New Services block, check the Group box and list the service as auth-proxy.

Figure 16-9. Interface Configuration Window

[Figure 16-9 is a screenshot of the Interface Configuration window for TACACS+ (Cisco IOS): the TACACS+ Services table with User and Group checkboxes for each service (the PPP services, ARAP, and Shell (exec) among them), the New Services block beneath it, and the Advanced Configuration Options section.]

Step 3: Complete the Group Setup

The next step is to configure the parameters of the dynamic ACLs. You do this in the Group Setup window, which you access by clicking the Group Setup icon on the left border and scrolling down to the auth-proxy window. Figure 16-10 depicts the Group Setup window.

Figure 16-10. Group Setup Configuration Window

[Figure 16-10 is a screenshot of the Group Setup window, TACACS+ Settings section: the Shell (exec) settings, the auth-proxy service box with its Custom attributes field containing priv-lvl=15 and the three proxyacl entries, and the Group Settings help text.]

In Figure 16-10, four lines are added to the auth-proxy attributes. This is a very open policy and allows anyone who successfully authenticates to have open access to internal resources. Obviously, you want to use a more restrictive policy when configuring your authentication proxy in a production environment:

priv-lvl=15
proxyacl#1=permit icmp any any
proxyacl#2=permit tcp any any
proxyacl#3=permit udp any any
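As an added example (not code from the book), a small Python audit of the auth-proxy attribute block: it parses the priv-lvl and proxyacl#n pairs, flags the wide-open "any any" entries of the policy above, and is run beside a constructed tighter policy for comparison. The checks beyond what the page states (priv-lvl must be 15, entries must be permit, source must be any, numbering contiguous from 1) are assumptions taken from Cisco's authentication proxy documentation, and the hosts and ports in the tighter policy are placeholders.

```python
# Constructed sample: the open auth-proxy policy shown in the book's Group Setup window.
OPEN_POLICY = """priv-lvl=15
proxyacl#1=permit icmp any any
proxyacl#2=permit tcp any any
proxyacl#3=permit udp any any"""
# Constructed sample: a tighter policy for the same group (hosts and ports are placeholders).
RESTRICTIVE_POLICY = """priv-lvl=15
proxyacl#1=permit tcp any host 10.1.1.20 eq 443
proxyacl#2=permit tcp any host 10.1.1.21 eq 22"""

def _take_address(tokens):
    """Consume one IOS address term: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]

def parse_policy(text):
    """Return (priv_lvl, acls); each acl is (number, action, protocol, src, dst)."""
    priv, acls = None, []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "priv-lvl":
            priv = value
        elif key.startswith("proxyacl#"):
            tokens = value.split()  # action protocol src dst [eq port]
            src, rest = _take_address(tokens[2:])
            dst, _ = _take_address(rest)
            acls.append((int(key[len("proxyacl#"):]), tokens[0], tokens[1], src, dst))
    return priv, acls

def audit_policy(text):
    """Return findings (empty = clean). Rules beyond the page are assumptions taken from
    Cisco's auth-proxy docs: priv-lvl 15, permit only, source 'any', numbering from 1."""
    priv, acls = parse_policy(text)
    findings = []
    if priv != "15":
        findings.append("priv-lvl must be 15")
    if [a[0] for a in acls] != list(range(1, len(acls) + 1)):
        findings.append("proxyacl#n entries must be numbered contiguously from 1")
    for number, action, proto, src, dst in acls:
        if action != "permit":
            findings.append(f"proxyacl#{number}: only permit entries are allowed")
        if src != "any":
            findings.append(f"proxyacl#{number}: source must be 'any'")
        if dst == "any":
            findings.append(f"proxyacl#{number}: {proto} to any destination is too open")
    return findings
```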
