
Configuring the CiscoWorks Hosting Solution Engine 1.8.1 TACACS+/RADIUS Authentication Using Cisco Secure ACS


This document describes how to configure the CiscoWorks Hosting Solution Engine 1.8.1 (HSE) to use Cisco Secure ACS as a TACACS+ or RADIUS authentication module.

ACS TACACS+ Setup for HSE

ACS RADIUS Setup for HSE

On Cisco.com, see also the Administration chapter of the User Guide for the CiscoWorks Hosting Solution Engine 1.8.1.

Required for Use

Cisco Secure ACS 3.2

CiscoWorks Hosting Solution Engine 1.8.1

ACS TACACS+ Setup for HSE

Procedure


Step 1 Log in to ACS with the user ID Admin.

Step 2 Click Interface Configuration on the left panel.

Step 3 Select the TACACS+ (Cisco IOS) link. The Interface Configuration window appears.

Step 4 Under New Services, create a new service called HSE, with protocol IP. This is case sensitive. Click Submit. See Figure 1.

Figure 1 Create New Services for HSE

Step 5 Click Network Configuration on the left panel.

Step 6 Click Add Entry, then add HSE as AAA client.

Step 7 Enter the AAA Client Hostname, IP Address, and Key, and set Authenticate Using to TACACS+. Use your HSE IP address. You must either record or remember the key to configure HSE. See Figure 2. Click Submit.

Figure 2 Add HSE as AAA Client

Step 8 Set up ACS group for HSE. Click Group Setup on the left panel. Optional: select a group ID and rename the group.

Step 9 Click Edit Settings. Check HSE Custom IP and Custom Attributes. In Custom Attributes, enter the following parameters, then click Submit+Restart.

cmd=groups

cmd-arg=HSEAdmin


Note: HSE supports multiple user groups for a given user. In this case, the user will have combined privileges. The format to configure multiple group privileges for a given user is cmd-arg=GroupA,GroupB,GroupC.


Figure 3 Set Up Group with HSE IP Custom Attributes

In the example shown in Figure 3, cmd-arg=HSEAdmin gives any member of the HSEAdmin group the System Admin role. If you want to create limited access roles for a specific group, then you must log in to HSE and create a specific group with given roles and domains. Enter the group name in TACACS+ using cmd-arg. For example, HSE has monitor-grp with only monitoring capabilities. Setting cmd-arg=monitorgrp will give this group of users monitoring-only privileges.

Step 10 Click User Setup on the left panel. Click Add/Edit to allow users to access HSE.

Step 11 Add or edit Real Name, Description, and Password. Assign the user to the group that you just created for HSE. Click Submit to complete the ACS Configuration.

Figure 4 Set Up User for HSE

Step 12 Log in to HSE as admin. Click on Administration > Setup > Authentication Modules, then select TACACS+ as the module. Enter the shared secret key you entered when you defined the AAA client, then enter the ACS server IP address as the primary server. Click Apply. See Figure 5.

Figure 5 Set Up HSE Using TACACS+

Step 13 To verify that the setup was successful, log out of HSE and log back in again as the ACS user you just created or modified.


ACS RADIUS Setup for HSE

Procedure


Step 1 Log in to ACS with the user ID Admin.

Step 2 Click Interface Configuration on the left panel.

Step 3 Select the RADIUS (CiscoIOS/PIX) link. The Interface Configuration window appears.

Step 4 Enable cisco-av-pair and click Submit. See Figure 6.

Figure 6 Enable RADIUS cisco-av-pair group

Step 5 Add HSE as RADIUS AAA Client. Click Network Configuration on the left panel. Add an entry for AAA Client.

Step 6 Enter the AAA Client Hostname, IP Address, and Key, and set Authenticate Using to RADIUS (CiscoIOS/PIX). You must either record or remember the key to configure HSE. Click Submit+Restart. See Figure 7.

Figure 7 Add HSE as RADIUS AAA Client

Step 7 Click Add/Edit Group Settings. Edit Cisco IOS/PIX RADIUS Attributes for cisco-av-pair to be HSE:groups=HSEAdmin and then click Submit+Restart. See Figure 8.


Note: HSE supports multiple user groups for a given user. In this case, the user will have combined privileges. The format to configure multiple group privileges for a given user is HSE:groups=GroupA,GroupB,GroupC.


Figure 8 Edit RADIUS Attributes with HSE Group Setup

In the example shown in Figure 8, HSE:groups=HSEAdmin gives any member of the HSEAdmin group the System Admin role. If you want to create limited access roles for a specific group, then you must log in to HSE and create a specific group with given roles and domains. Enter the group name in RADIUS using HSE:groups. For example, HSE has monitor-grp with only monitoring capabilities. Setting HSE:groups=monitorgrp will give this group of users monitoring-only privileges.

Step 8 Click User Setup on the left panel. Click Add/Edit to allow users to access HSE. RADIUS setup for HSE is now complete.

Step 9 Log in to HSE as admin. Click on Administration > Setup > Authentication Modules, then select RADIUS as the module. Enter the shared secret key you entered when you defined the AAA client, then enter the ACS server IP address as the primary server. Click Apply. See Figure 9.

Figure 9 Set Up HSE Using RADIUS

Step 10 To verify that the setup was successful, log out of HSE and log back in again as the ACS user you just created or modified.
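The group attributes entered in both procedures (cmd=groups with cmd-arg=... for TACACS+, HSE:groups=... in the cisco-av-pair for RADIUS) are free-text fields, so a mistyped key or group name is easy to miss. The following pre-check is an added example, not Cisco code: it parses each format, compares the groups against an inventory of groups defined on HSE, and flags lists where HSEAdmin makes the combined result System Admin. It assumes the attribute names are exact, case-sensitive literals and that a single cmd-arg line is intended; the group inventory is constructed sample data.

```python
# Added example, not Cisco code. Attribute names are copied from the page;
# treating them as exact, case-sensitive literals is an assumption.
TACACS_CMD = "cmd=groups"
TACACS_ARG = "cmd-arg="
RADIUS_KEY = "HSE:groups="
ADMIN_GROUP = "HSEAdmin"  # page: members receive the System Admin role


def parse_tacacs(text):
    """Group list from the TACACS+ custom-attributes box; raises on typos."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if TACACS_CMD not in lines:
        raise ValueError("missing 'cmd=groups' line")
    args = [ln for ln in lines if ln.startswith(TACACS_ARG)]
    if len(args) != 1:  # assumption: exactly one cmd-arg line is intended
        raise ValueError("expected exactly one 'cmd-arg=' line")
    return args[0][len(TACACS_ARG):].split(",")


def parse_radius(avpair):
    """Group list from the RADIUS cisco-av-pair value; raises on typos."""
    if not avpair.startswith(RADIUS_KEY):
        raise ValueError("cisco-av-pair must start with 'HSE:groups='")
    return avpair[len(RADIUS_KEY):].split(",")


def lint_groups(groups, defined_on_hse):
    """Return findings for a parsed group list (empty list means clean)."""
    findings = []
    for g in groups:
        if not g or g != g.strip():
            findings.append(f"empty or space-padded group name {g!r}")
        elif g not in defined_on_hse:
            findings.append(f"group {g!r} is not defined on HSE")
    if ADMIN_GROUP in groups and len(groups) > 1:
        findings.append(f"{ADMIN_GROUP} combined with other groups still "
                        "yields System Admin")
    return findings


if __name__ == "__main__":
    hse_groups = {"HSEAdmin", "monitor-grp"}  # constructed sample inventory
    for value in ("HSE:groups=monitor-grp", "HSE:groups=monitorgrp",
                  "HSE:groups=HSEAdmin,monitor-grp"):
        print(value, "->", lint_groups(parse_radius(value), hse_groups))
```

Running the check on the values before clicking Submit+Restart catches a group name that does not exist on HSE, which would otherwise only show up at the login verification step.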



Posted: Mon Aug 30 18:19:57 PDT 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.