Configuring Initial Test Group and User Profiles


This chapter contains instructions on using the graphical CiscoSecure ACS 2.3 Administrator web pages and the Java-based CiscoSecure Administrator advanced configuration program to set up an initial group profile and user account to test authentication. The topics covered in this chapter include:

Overview of Initial Test Configuration

Setting Up an Initial Group and User Profile

Setting Up a Test Group and User Profile with TACACS+ Attributes

Setting Up a Test Group and User Profile with RADIUS Attributes

Testing the User Login and Authentication

After completing and verifying initial configuration of your CiscoSecure ACS software in this chapter, you can expand and customize your access control system following directions in "Basic User and ACS Management," "Advanced Group and User Management," and "Configuring Initial Test Group and User Profiles."


Note Many of the operations described in this chapter can also be carried out through the CiscoSecure command-line interface. For a description of the command-line interface, see Chapter 17, "Using the Command-Line Administrator Interface."


Overview of Initial Test Configuration

To achieve the fastest installation and configuration of the CiscoSecure ACS, Cisco recommends the following steps (described in detail in the next sections):

1. Run the web-based CiscoSecure Administrator to set up an initial group and user profile. This task varies according to whether you are setting up your group and user with TACACS+ protocol support, RADIUS protocol support, or combined TACACS+ and RADIUS protocol support.

2. Log in to the network access server (NAS) that you want the CiscoSecure ACS to manage and input the relevant NAS configuration commands. The NAS configuration commands will vary according to whether your NAS is enabled for TACACS+ protocol support or RADIUS protocol support.

3. Log in to one of the supported NASes under the initial user profile to test network operation.

After installing and verifying your initial configuration, you can expand and customize your access control system following directions in "Basic User and ACS Management," and "Configuring Initial Test Group and User Profiles."

Setting Up an Initial Group and User Profile

If you are installing CiscoSecure ACS for the first time, and have no user or group profiles already configured, your next step, after installing and starting the ACS software, is to set up an initial test user profile and configure your NAS to support this profile. The procedures to carry this out vary according to whether you are assigning TACACS+ protocol attributes or RADIUS protocol attributes to the user profile.

Setting Up a Test Group and User Profile with TACACS+ Attributes

In this section, you will use the Java-based CiscoSecure Administrator advanced configuration program and the CiscoSecure ACS Add a User web page to set up an initial test group profile and user profile with TACACS+ protocol attributes, and then configure a NAS to support them.

Physical Testing Setup

For testing purposes, locate the CiscoSecure ACS, the host NAS, and a login workstation on the same Ethernet segment. (See Figure 3-1.)

Figure 3-1 CiscoSecure Recommended Test Setup


Note The GUI client and the CiscoSecure ACS both need to have name resolution enabled.


Set Up a TACACS+ Group Profile through the CiscoSecure Administrator

Using the CiscoSecure Administrator, you will create an initial test group profile. Using TACACS+ protocol attributes, you will name the profile "T_Shell_Group," and enable Telnet login by enabling all commands and attributes associated with shell service.


Step 1 From a Windows 95 or Windows NT workstation, start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL address:

http://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if the host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.

Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:

username: superuser
password: changeme

Step 3 In the CiscoSecure ACS Main window, click Advanced and then click Advanced again to continue.

The CiscoSecure Administrator advanced configuration program might require several minutes to load.

Step 4 Create and name a test group profile:

a. When the advanced CiscoSecure Administrator window appears, click the Members tab.

b. Locate and deselect the Browse option in the Navigator pane. This displays the Create New Profile icon.

c. In the Navigator pane, locate and click the [Root] folder icon.

d. Click the Create New Profile button to display the New Profile dialog box, select the Group option, and enter T_Shell_Group. This names the group profile "T_Shell_Group."

e. Click OK. The T_Shell_Group profile icon appears on the tree underneath the [Root] folder icon.

Figure 3-2 Creating a Test GROUP Profile

Step 5 Specify shell service for the group profile:

a. Click the T_Shell_Group profile icon in the Navigator pane and click Profile in the Profile pane. This displays the "T_Shell_Group" profile's Options menu in the lower right corner Attributes pane.

b. In the Options menu, select Service-shell, then click Apply. The Service-shell attribute icons appear under the Profile icon in the Profile pane.

Figure 3-3 Specifying Shell Service

Step 6 Click Submit.

Step 7 Click Logoff to exit and terminate the CiscoSecure Administrator session. Your web browser might require several minutes to terminate.


Set Up a TACACS+ User Profile through the CiscoSecure Administrator

Using the CiscoSecure ACS Add a User web page, you will now create an initial test user profile. Using TACACS+ protocol attributes, you will name the profile "T_User," assign it a clear text password, "Cisco" and enable Telnet login by assigning it to the T_Shell_Group profile.


Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL address:

http://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if the host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.

Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:

username: superuser
password: changeme

Step 3 In the CiscoSecure ACS Main window, click Member, then click Add.

The Add a User web page appears.

Figure 3-4 Add a User Page

Step 4 In the Group field, enter T_Shell_Group. This assigns the new user to the test group you just created and, by inheritance, also grants the user the shell privileges assigned to that group.

Step 5 In the User Name field, enter T_User.

Step 6 In the Password field and in the Confirm field underneath, enter Cisco.

Step 7 In the Web Page Privilege field, select 1 to grant T_User access to the CSUser web page for changing personal passwords.

Step 8 Select Clear to indicate the method of password transmission.

Step 9 Click Add.


Enter NAS Commands for the TACACS+ User Profile

From a network workstation, log in to the host NAS. Bring up the configuration window and input the following configuration commands:

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs line
aaa authorization exec tacacs+ if-authenticated
enable password cisco
!
tacacs-server host acs_ip_address
tacacs-server key secret_key
!
line con 0
login authentication no_tacacs
password cisco


where:

acs_ip_address is the IP address of the CiscoSecure ACS.

secret_key is the secret TACACS+ NAS key that you entered for the NAS during the CiscoSecure ACS installation.


Note The "no_tacacs" authentication method list in the above NAS configuration is a precautionary measure, included so that an administrator can still log in to the console port of the NAS even if the CiscoSecure ACS is unavailable. To log in to the NAS console port with this configuration, enter an arbitrary username with the line password of "cisco."


Specifying an Enable Password

An enable password will allow a user to carry out expanded system administrator-level EXEC operations. To specify an enable password for a given user:


Step 1 In the CiscoSecure Administrator advanced configuration program, click the icon for the user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.

Step 2 Click the Profile icon to expand it.

Step 3 Click the Privilege - Clear icon.

Step 4 In the Attribute window, enter the privilege level (1-15) and the enable password.

Step 5 Click Apply.

Step 6 Click Submit.

Step 7 On the NAS, enter the following command:

aaa authentication enable default tacacs+ enable

Setting Up a Test Group and User Profile with RADIUS Attributes

In this section, you will use the CiscoSecure Administrator advanced configuration program and the CiscoSecure ACS Add a User web page to set up an initial test group profile and test user profile with RADIUS protocol attributes, and then configure a NAS to support them.

Physical Testing Setup

For testing purposes, locate the CiscoSecure ACS, the host NAS, and a login workstation on the same Ethernet segment.

Figure 3-5 CiscoSecure Recommended Test Setup

Set Up a RADIUS Group Profile through the CiscoSecure Administrator

Using the CiscoSecure Administrator, you will create an initial group profile. Using RADIUS protocol attributes, you will name the profile "R_Shell_Group," and enable Telnet login.


Step 1 From a Windows 95 or Windows NT workstation, start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL:

http://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if the host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.

Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:

username: superuser
password: changeme

Step 3 In the CiscoSecure ACS Main window, click Advanced then click Advanced again to continue.

The advanced configuration program might require a few minutes to load.

Step 4 Specify the host NAS, its shared secret key, and supported version of RADIUS protocol:

a. When the advanced CiscoSecure Administrator window appears, locate and click the NAS page tab.

b. Click New, enter the IP address of the host NAS, and click OK. The IP address appears in the NAS list in the Navigator pane.

c. Select the host NAS IP address, then click Edit.

d. Click in the Shared Secret field, type a secret key for the NAS, and note the key for later reference.

e. Make sure the "RADIUS Vendor" states "Cisco" to indicate that you are using a NAS that supports Cisco RADIUS.

f. Verify that the "Dictionary" drop-down box states "Cisco" as well.

g. Click Done.

Figure 3-6 Specifying the Host NAS and RADIUS Version

Step 5 Create a test group profile:

a. Click the Members tab.

b. Deselect the Browse check box in the Navigator pane. This displays the Create Profile icon (Figure 2-7).

c. In the Navigator pane, locate and click the [Root] folder icon.

d. Click the Create Profile icon to display the New Profile dialog box.

e. Select the Group Profile check box and enter R_Shell_Group. This specifies the profile as a group profile and names the group profile "R_Shell_Group."

f. Click OK. The R_Shell_Group profile icon appears on the tree underneath the [Root] folder icon.

Figure 3-7 Creating a Test Group Profile

Step 6 Specify the RADIUS-Cisco dictionary for this group profile:

a. Click the R_Shell_Group profile icon in the Navigator pane and click the Profile icon in the Profile pane. This displays the "R_Shell_Group" profile's Options menu in the lower right Attributes pane.

b. In the Options menu, select RADIUS-Cisco and click Apply. The RADIUS-Cisco attribute icon appears under the Profile icon in the Profile pane.

Figure 3-8 Specifying RADIUS-Cisco Dictionary

Step 7 Specify RADIUS-Cisco Check Item and Reply attributes:

a. Click the RADIUS-Cisco attribute icon in the Profile pane. This displays the RADIUS-Cisco Options menu in the Attributes pane.

b. Select Reply Attributes and Check Items in the Options menu and click Apply.

Figure 3-9 Specifying the Reply Attributes

Step 8 Click the plus/minus symbol by the RADIUS-Cisco icon to display the Reply Attributes and Check Items icons in the Profile pane.

Step 9 Specify the Reply Attributes values:

a. Select the Reply Attributes icon to display its options in the Attributes pane.

b. Select 6=User-Service-Type, enumeration in the Options menu and click Apply.

c. Click the plus/minus sign by the Reply Attributes icon to display the Reply Attribute icons.

d. Select the User-Service-Type icon in the Profile pane to display the Enumeration dialog box in the lower-right pane.

e. Select 6=Shell-User from the Enumeration dialog box and click Apply. This will authorize a command shell on the NAS.

Step 10 Click Submit.

Step 11 When you are finished click Logoff. The CiscoSecure Administrator advanced configuration program might require several minutes to terminate.


Set Up a RADIUS User Profile through the CiscoSecure ACS

Using the CiscoSecure ACS Add a User web page, you will now create an initial test user profile. You will name the profile "R_User," assign it a clear text password, "Cisco" and enable Telnet login by assigning it to the R_Shell_Group profile.


Step 1 From a Windows 95 or Windows NT workstation start your Netscape Navigator or Microsoft Internet Explorer web browser and enter the following URL address:

http://your_server/cs

where your_server is the host name (or the fully qualified domain name, FQDN, if the host name and FQDN differ) of the SPARCstation where you installed the CiscoSecure ACS. You can also substitute the SPARCstation's IP address for your_server.

Step 2 When the CiscoSecure Logon window appears, enter the following default values for username and password and click Submit:

username: superuser
password: changeme

Step 3 In the CiscoSecure ACS Main window, click Member, and then click Add.

The Add a User web page appears.

Figure 3-10 Add a User Page

Step 4 In the Group field, enter R_Shell_Group. This assigns the new user to the test group you just created and, by inheritance, also grants the user the shell privileges assigned to that group.

Step 5 In the User Name field, enter R_User.

Step 6 In the Password field and in the Confirm field underneath, enter Cisco.

Step 7 In the Web Page Privilege field, select 1 to grant R_User access to the CSUser web page for changing personal passwords.

Step 8 Select Clear to indicate the method of password transmission.

Step 9 Click Add.
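As an added example (not code from the CiscoSecure ACS product or its documentation), the following Python reproduces the RADIUS exchange that the R_Shell_Group and R_User profiles above produce: the NAS sends an Access-Request carrying User-Name and an RFC 2865 obfuscated User-Password, and the ACS answers with an Access-Accept carrying Service-Type = 6 (Shell-User) that the NAS accepts only after checking the Response Authenticator. The shared secret, the request authenticator and the user table are constructed sample values.

```python
import hashlib
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2            # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6  # RFC 2865 attribute types
SHELL_USER = 6  # Service-Type value set by the R_Shell_Group reply attribute
SECRET = b"secret_key"       # constructed sample shared secret (not from the page)
REQ_AUTH = bytes(range(16))  # constructed; a real NAS uses 16 random bytes per request
USERS = {"R_User": "Cisco"}  # the test user profile created in this chapter

def hide_password(password, secret, req_auth, unhide=False):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)
    data = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = data[i:i + 16] if unhide else block  # chain on the hidden block
        out += block
    return out.rstrip(b"\x00") if unhide else out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        kind, ln = body[i], body[i + 1]
        attrs[kind] = body[i + 2:i + ln]
        i += ln
    return attrs

def nas_access_request(user, password, ident=1):
    # NAS side: User-Name plus the obfuscated User-Password ("Clear" transmission)
    hidden = hide_password(password.encode(), SECRET, REQ_AUTH)
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + REQ_AUTH + attrs

def acs_reply(request):
    # ACS side: recover the password, answer Access-Accept with Service-Type=Shell-User
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    pw = hide_password(attrs[USER_PASSWORD], SECRET, req_auth, unhide=True)
    if code != ACCESS_REQUEST or USERS.get(attrs[USER_NAME].decode()) != pw.decode(errors="replace"):
        return None  # an Access-Reject would be sent here
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", SHELL_USER))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + reply_attrs + SECRET).digest() + reply_attrs

def nas_check_reply(reply):
    # NAS side: trust the reply only if the Response Authenticator verifies
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    if hashlib.md5(head + REQ_AUTH + attrs + SECRET).digest() != resp_auth:
        return None
    return struct.unpack("!I", parse_attrs(attrs)[SERVICE_TYPE])[0]
```

A mismatched shared secret on either side makes the recovered password garbage or the Response Authenticator fail, which is why the key typed in step 4 of the group profile procedure must match the radius-server key on the NAS exactly.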


Enter NAS Commands for the RADIUS User Profile

From a network workstation, log in to the host NAS. Bring up the configuration window and enter the following configuration commands:

aaa new-model
aaa authentication login default radius enable
aaa authentication login no_radius local
aaa authorization exec radius if-authenticated
enable password cisco
!
username root password cisco
!
radius-server host acs_ip_address
radius-server key secret_key
!
line con 0
login authentication no_radius

where:

acs_ip_address is the IP address of the CiscoSecure ACS.

secret_key is the secret key that you entered when you were specifying the host NAS in the CiscoSecure Administrator.


Note The "no_radius" authentication method in the above NAS command description is a precautionary measure, included so that an administrator will be able to log in to the console port of the NAS even if the CiscoSecure ACS is unavailable. To log in to the NAS console port with this configuration, enter an arbitrary username with the line password of "cisco."


Testing the User Login and Authentication

In this last section, you will verify your test user's login and authorization:


Step 1 Open a Telnet window on your PC or SPARCstation using the Start/Run command.

Step 2 Telnet to the IP address of the NAS.

Step 3 Enter the username T_User or R_User, whichever one you configured, and the password Cisco at the appropriate prompts.

Step 4 If the NAS lets you in, then this username and password have been properly set up and authenticated.




Posted: Wed Feb 16 10:16:58 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.