Configuring the CiscoWorks Hosting Solution Engine 1.8.1 TACACS+/RADIUS Authentication Using Cisco Secure ACS
This document describes the procedure to configure the CiscoWorks Hosting Solution Engine 1.8.1 (HSE) using ACS as a TACACS+/RADIUS authentication module.
On Cisco.com, see also the Administration chapter of the User Guide for the CiscoWorks Hosting Solution Engine 1.8.1.
Required for Use
• Cisco Secure ACS 3.2
• CiscoWorks Hosting Solution Engine 1.8.1
ACS TACACS+ Setup for HSE
Procedure
Step 1 Log in to ACS with the user ID Admin.
Step 2 Click Interface Configuration on the left panel.
Step 3 Select the TACACS+ (Cisco IOS) link. The Interface Configuration window appears.
Step 4 Under New Services, create a new service called HSE, with protocol IP. This is case sensitive. Click Submit. See Figure 1.
Figure 1 Create New Services for HSE
Step 5 Click Network Configuration on the left panel.
Step 6 Click Add Entry, then add HSE as AAA client.
Step 7 Enter AAA Client Hostname, IP Address, Key and Authenticate Using TACACS+. Use your HSE IP address. You must either record or remember the key to configure HSE. See Figure 2. Click Submit.
Figure 2 Add HSE as AAA Client
Step 8 Set up ACS group for HSE. Click Group Setup on the left panel. Optional: select a group ID and rename the group.
Step 9 Click Edit Settings. Check HSE Custom IP and Custom Attributes. In Custom Attributes, enter the following parameters, then click Submit+Restart.
cmd=groups
cmd-arg=HSEAdmin
Note HSE supports multiple user groups for a given user. In this case, the user will have combined privileges. The format to configure multiple group privileges for a given user is:
cmd-arg=GroupA,GroupB,GroupC
Figure 3 Set Up Group with HSE IP Custom Attributes
In the example shown in Figure 3, cmd-arg=HSEAdmin gives any member of the HSEAdmin group the System Admin role. If you want to create limited access roles for a specific group, then you must log in to HSE and create a specific group with given roles and domains. Enter the group name in TACACS+ using cmd-arg. For example, HSE has monitor-grp with only monitoring capabilities. Setting cmd-arg=monitorgrp will give this group of users monitoring-only privileges.
Step 10 Click User Setup on the left panel. Click Add/Edit to allow users to access HSE.
Step 11 Add or edit Real Name, Description, and Password. Assign the user to the group that you just created for HSE. Click Submit to complete the ACS Configuration.
Figure 4 Set Up User for HSE
Step 12 Log in to HSE as admin. Click on Administration > Setup > Authentication Modules, then select TACACS+ as the module. Enter the shared secret key you entered when you defined the AAA client, then enter the ACS server IP address as the primary server. Click Apply. See Figure 5.
Figure 5 Set Up HSE Using TACACS+
Step 13 To verify that the setup was successful, log out of HSE and log back in again as the ACS user you just created or modified.
ACS RADIUS Setup for HSE
Procedure
Step 1 Log in to ACS with the user ID Admin.
Step 2 Click Interface Configuration on the left panel.
Step 3 Select the RADIUS (CiscoIOS/PIX) link. The Interface Configuration window appears.
Step 4 Enable cisco-av-pair and click Submit. See Figure 6.
Figure 6 Enable RADIUS cisco-av-pair group
Step 5 Add HSE as RADIUS AAA Client. Click Network Configuration on the left panel. Add an entry for AAA Client.
Step 6 Enter AAA Client Hostname, IP Address, Key and Authenticate Using RADIUS (CiscoIOS/PIX). You must either record or remember the key to configure HSE. Click Submit+Restart. See Figure 7.
Figure 7 Add HSE as RADIUS AAA Client
Step 7 Click Add/Edit Group Settings. Edit Cisco IOS/PIX RADIUS Attributes for cisco-av-pair to be HSE:groups=HSEAdmin, and then click Submit+Restart. See Figure 8.
Note HSE supports multiple user groups for a given user. In this case, the user will have combined privileges. The format to configure multiple group privileges for a given user is:
HSE:groups=GroupA,GroupB,GroupC
Figure 8 Edit RADIUS Attributes with HSE Group Setup
In the example shown in Figure 8, HSE:groups=HSEAdmin gives any member of the HSEAdmin group the System Admin role. If you want to create limited access roles for a specific group, then you must log in to HSE and create a specific group with given roles and domains. Enter the group name in RADIUS using HSE:groups. For example, HSE has monitor-grp with only monitoring capabilities. Setting HSE:groups=monitorgrp will give this group of users monitoring-only privileges.
Step 8 Click User Setup on the left panel. Click Add/Edit to allow users to access HSE. RADIUS setup for HSE is now complete.
Step 9 Log in to HSE as admin. Click on Administration > Setup > Authentication Modules, then select RADIUS as the module. Enter the shared secret key you entered when you defined the AAA client, then enter the ACS server IP address as the primary server. Click Apply. See Figure 9.
Figure 9 Set Up HSE Using RADIUS
Step 10 To verify that the setup was successful, log out of HSE and log back in again as the ACS user you just created or modified.
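The group attributes in both procedures (cmd=groups / cmd-arg=... for TACACS+, and the cisco-av-pair HSE:groups=... for RADIUS) are typed by hand, and a misspelled key or group name is easy to miss. The following is an added example, not Cisco code, that checks a value against the formats documented above before it is entered in ACS. The function names, the allowed characters in a group name, and the set of groups defined in HSE are assumptions supplied by the operator.

```python
import re

# Attribute formats are the ones documented on this page; the character set
# allowed in a group name is an assumption made for this example.
GROUP_NAME = re.compile(r"[A-Za-z0-9_-]+")
ADMIN_GROUP = "HSEAdmin"  # grants the System Admin role, per the page


def _split_groups(value):
    """Split 'GroupA,GroupB' and reject empty or malformed names."""
    groups = value.split(",")
    bad = [g for g in groups if not GROUP_NAME.fullmatch(g)]
    if bad:
        raise ValueError(f"malformed group name(s): {bad!r}")
    return groups


def parse_radius_avpair(avpair):
    """Parse a cisco-av-pair of the form HSE:groups=GroupA,GroupB (case sensitive)."""
    key, sep, value = avpair.partition("=")
    if not sep or key != "HSE:groups":
        raise ValueError(f"expected 'HSE:groups=...', got {avpair!r}")
    return _split_groups(value)


def parse_tacacs_attrs(lines):
    """Parse the two TACACS+ custom attribute lines: cmd=groups and cmd-arg=..."""
    attrs = dict(line.strip().split("=", 1) for line in lines if line.strip())
    if attrs.get("cmd") != "groups" or "cmd-arg" not in attrs or len(attrs) != 2:
        raise ValueError(f"expected cmd=groups and cmd-arg=..., got {sorted(attrs)}")
    return _split_groups(attrs["cmd-arg"])


def review(groups, hse_groups):
    """Return findings: groups not defined in HSE, and any grant of System Admin."""
    findings = [f"group not defined in HSE: {g}" for g in groups if g not in hse_groups]
    if ADMIN_GROUP in groups:
        findings.append(f"{ADMIN_GROUP} grants System Admin; combined privileges apply")
    return findings


if __name__ == "__main__":
    # Constructed sample: group names an operator has confirmed exist in HSE.
    defined = {"HSEAdmin", "monitor-grp"}
    groups = parse_radius_avpair("HSE:groups=HSEAdmin,monitor-grp")
    print(groups, review(groups, defined))
```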
Copyright © 2004 Cisco Systems, Inc.
All rights reserved.
Posted: Mon Aug 30 18:19:57 PDT 2004