
ACS 5.1 Basic Setup And Familiarization Lab Guide 1





ACS 5.1 Basic Setup And Familiarization
Developers and Lab Proctors
This lab was created by: Aruna Yerragudi
Lab proctors:
Lab Overview
In this lab, you will go over the initial setup of Cisco Secure Access Control System (ACS) 5.1. By
the end of it, you will:
Have configured two ACS servers in a primary/secondary configuration
Confirmed that the ACS servers can receive RADIUS and TACACS+ requests
Tested simple authentication for a user configured in the ACS internal store and Active
Directory
Gained familiarity with the ACS View monitoring, reporting and troubleshooting tool
Lab participants should be able to complete the lab within the allotted lab time of two hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Initialization Verification
Lab Exercise 2: Configure A Distributed Deployment



Lab Exercise 3: Configure A Network Device And Verify AAA Communications
Lab Exercise 4: Confirm Basic Authentication
Product Overview: ACS 5.1
Cisco Secure Access Control System 5.1 is a platform for centralized network identity and access
control. ACS 5.1 features a simple yet powerful, rule-based policy model and a new, intuitive
management interface designed for optimum control and visibility.
The rule-based policy model provides the flexibility and manageability needed to meet evolving
access policy needs. Its integrated monitoring, reporting, and troubleshooting features simplify
management and increase compliance. ACS 5.1 integration capabilities and distributed
deployment support make it the ideal network identity and access policy solution.
Lab Topology and Access
Each pod includes two Cisco Catalyst switches, two ACS v5.1 Servers, a Windows 2003 Server
for Active Directory, and a management Windows XP PC.



Lab Topology
This is the topology used for this lab.







Internal IP Addresses and Accounts
The table that follows lists the internal IP addresses used by the devices in this setup.
Device                      IP Address      Account (username/password/domain)
Management PC (Mgmt)        192.168.3.50    cisco/cisco123/CISCOSEC
Windows 2003/AD (DC)        192.168.3.10    cisco/cisco123/CISCOSEC
ACS 5.1 Primary (acs-1)     192.168.3.11    CLI: admin/C!scoLAB123!   GUI: acsadmin/cisco123
ACS 5.1 Secondary (acs-2)   192.168.3.12    CLI: admin/C!scoLAB123!   GUI: acsadmin/cisco123
Distribution Switch         192.168.250.1   admin/cisco123
Access Switch               192.168.250.2   admin/cisco123   enable: cisco123



Lab Exercise 0: Initial Setup Steps (For Reference Only, Do Not Complete)
This section is for reference only. It has already been completed for you, but it is included
so that you can see the steps necessary to initialize the ACS for the network.
Exercise Objective
In this exercise, the goal is to walk through the initial setup steps that are necessary after a fresh
installation.
Step 1 Power on the ACS 5.1 instance. The following setup prompt appears.
**********************************************
Please type setup to configure the appliance
**********************************************
localhost login: setup_
Step 2 At the login prompt, type in setup and press Enter. The setup takes you through a series of
steps where various parameters need to be entered. An example of all the parameters is
shown below:
Press Ctrl-C to abort setup
Enter hostname[]: acs-1
Enter IP address []: 192.168.3.11
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 192.168.3.1
Enter default DNS domain[]: ciscosec.com
Enter Primary nameserver[]: 192.168.3.10
Add/Edit another nameserver? Y/N : n
Enter username[admin]:
Enter password:
Enter password again:
Bringing up network interface...
Pinging the gateway...
Pinging the primary nameserver ...
Do not use Ctrl-C from this point on...
Appliance is configured
Installing applications...
Installing acs ...
Generating configuration...
Rebooting...
_

Step 3 After the ACS is installed, the system reboots automatically and comes to the ACS login
prompt. You may now log in to the ACS either via the console or SSH using the credentials
configured during the setup.
acs-1 login: _


Step 4 The next step is to install the license. Log in to the primary ACS (ACS-Pri) via the GUI
(https://<ACS_hostname>). Enter the default credentials: acsadmin/default. You will be
prompted to change the password.

Step 5 After changing the default password, you will need to install the license. Browse to the license
file and click on Install to install the license.

Step 6 This completes the basic setup and installation. The system is now ready for use.

End of Exercise: You have successfully completed this exercise.
Proceed to next section.


Lab Exercise 1: Initialization Verification
Exercise Objective
Verify ACS has the basic required configuration.
Lab Exercise Steps: Setup Verification

Step 1 From the Topology tab, click on the Management PC > RDP Client and log in to the
Management PC (Mgmt) using the credentials: cisco/cisco123.
Step 2 From the Management PC, open a command prompt (Start > Run ... > cmd).
Step 3 In the command prompt window, verify that you can ping the following devices required for the
lab to ensure that all the devices are up and accessible.
> ping 192.168.3.10 (AD server)
> ping 192.168.3.11 (ACS Primary)
> ping 192.168.3.12 (ACS Secondary)
> ping 192.168.250.2 (Access Switch)
Step 4 On the Management PC desktop, double click on the putty shortcut. Connect to the Primary
ACS (acs-1.ciscosec.com, 192.168.3.11) via SSH and log in using the credentials:
admin/C!scoLAB123!
login as: admin
Using keyboard-interactive authentication.
Password:
acs-1/admin#
Step 5 From the ACS CLI, ping the following devices: 192.168.3.1 (Default gateway),
192.168.3.10 (AD Server), 192.168.3.12 (ACS Secondary) and 192.168.250.2 (Access
Switch). All the devices should be pingable.
acs-1/admin# ping 192.168.3.1 (Default Gateway)
acs-1/admin# ping 192.168.3.10 (AD server)
acs-1/admin# ping 192.168.3.12 (ACS Secondary)
acs-1/admin# ping 192.168.250.2 (Access Switch)
Step 6 Run the command show application status acs and verify you see a similar status.
acs-1/admin# show application status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running


If any of the processes are not in the running state, wait for a few minutes and re-execute the
command. Alternatively, you can stop and restart the application using the CLI commands
application stop acs and application start acs. The system is ready for use when all the
processes are in the running state.
Step 7 Run the command show ntp to verify synchronization with the NTP server (AD). Note the
offset and the delay values. These should not be too high.
acs-1/admin# show ntp
Primary NTP : 192.168.3.10
synchronised to local net at stratum 11
time correct to within 12 ms
polling server every 1024 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
 192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812
Warning: Output results may conflict during periods of changing synchronization.
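As an added readiness check for Steps 6 and 7 (and for the NTP troubleshooting in Exercise 4), this Python example parses the two outputs shown above and decides whether the appliance is ready; it is not part of the original lab guide or of the ACS product, its sample text is constructed to match the output shown here, and the 100 ms threshold is an assumption, since the guide only says the values should not be too high.

```python
import re

# Constructed sample output, shaped like the CLI output shown in this lab guide
# (not captured from a live appliance).
APP_STATUS = """ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running"""

SHOW_NTP = """Primary NTP : 192.168.3.10
synchronised to local net at stratum 11
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
 192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812"""

# One peer row: tally, remote, refid, st, t, when, poll, reach, delay, offset, jitter
PEER_RE = re.compile(r"^(?P<tally>[-*+#x. ])(?P<remote>\S+)\s+\S+\s+\d+\s+\S\s+\S+\s+\d+\s+"
                     r"(?P<reach>\d+)\s+(?P<delay>[\d.]+)\s+(?P<offset>-?[\d.]+)\s+[\d.]+")

def acs_ready(text):
    """True only when 'show application status acs' lists processes and all are running."""
    states = re.findall(r"^Process '[^']+'\s+(\S+)", text, re.M)
    return bool(states) and all(s == "running" for s in states)

def parse_ntp(text):
    """Map each peer in the 'show ntp' table to its selection flag and metrics (ms)."""
    peers = {}
    for m in (PEER_RE.match(line) for line in text.splitlines()):
        if m:
            peers[m["remote"]] = {
                "selected": m["tally"] == "*",  # '*' marks the peer the clock follows
                "reach": int(m["reach"], 8),    # octal register of the last 8 polls
                "delay": float(m["delay"]),
                "offset": float(m["offset"]),
            }
    return peers

def ntp_ok(text, server, max_ms=100.0):
    """Return (ok, reason) for the configured NTP server. max_ms is an assumed
    threshold: the lab only says offset and delay should not be too high."""
    peer = parse_ntp(text).get(server)
    if peer is None:
        return False, "server %s absent from peer table" % server
    if peer["reach"] != 0o377:
        return False, "server missed some of the last 8 polls"
    if max(peer["delay"], abs(peer["offset"])) > max_ms:
        return False, "offset/delay exceed %.0f ms" % max_ms
    if not peer["selected"]:
        return True, "reachable, but the clock currently follows another peer"
    return True, "synchronised to %s" % server
```

The '*' tally marks the peer the appliance clock actually follows; in the sample output that is the local clock (127.127.1.0), not 192.168.3.10, which is worth noticing before relying on time-sensitive AD operations.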

End of Exercise: You have successfully completed this exercise.
Proceed to next section.


Lab Exercise 2: Configure A Distributed ACS Deployment
Exercise Objective
In this exercise, your goal is to configure two ACS servers in a distributed deployment scenario.
Lab Exercise Steps
Step 1 From the management PC (Mgmt), open Internet Explorer and log on to the secondary ACS
(https://acs-2.ciscosec.com, 192.168.3.12; credentials: acsadmin/cisco123). ACS comes
preconfigured with a self-signed certificate for HTTPS web access, which causes a security
alert in web browsers. Choose to ignore the warning and continue when the browser presents
this certificate security exception.
Note: At this point, acs-2 is a standalone ACS server and, by default, it is a primary server.
Step 2 Go to System Administration > Operations > Local Operations > Deployment
Operations and enter the primary server information as shown below:
Primary Instance: 192.168.3.11
Admin Username: acsadmin
Admin Password: cisco123

Step 3 Click on Register to Primary. The following prompt is shown to confirm the action. Click on
OK to continue registering with the primary.



Step 4 You will be automatically logged out of the secondary ACS GUI and it will reboot.


Close this browser window.

Step 5 Login to the primary ACS server GUI (https://acs-1.ciscosec.com, 192.168.3.11) and go to
System Administration > Operations > Distributed System Management. Verify the
Online Status and Replication Status.




While the secondary is rebooting, the Online Status will be red and the Replication Status will be
PENDING. After the secondary is up, the status changes as shown below. Wait for the secondary to
come back up; you can SSH to the secondary ACS and run the command show application status acs
to establish when the secondary is back up.

Step 6 All configurations are now performed on the primary ACS server. All configuration updates will
automatically be sent to any secondary servers. Full Replication can also be initiated from the
Primary ACS server for selected secondary servers. On the primary ACS server, go to
System Administration > Operations > Distributed System Management. Select the
secondary instance and click on Full Replication.



You will be asked to reconfirm the action.

Click on OK to continue with the full replication. Wait for the secondary ACS server to restart.
Click on Refresh to get the updated status. Wait for the Online Status to become green and the
Replication Status to become UPDATED.

End of Exercise: You have successfully completed this exercise.
Proceed to next section.


Lab Exercise 3: Configure A Network Device And Verify AAA Communications
Exercise Objective
In this exercise, you will:
Confirm that the ACS servers can receive RADIUS and TACACS+ requests
Confirm ACS View log collection and use it as a troubleshooting tool
Configure a network device in ACS
Confirm that replication is working
Lab Exercise Steps
Step 1 Launch ACS View by navigating as follows: Monitoring and Reports > Launch Monitoring
& Report Viewer. ACS View opens in a new browser window.
Step 2 In this step, we'll add a new tab called TACACS to the ACS View Dashboard. To do so, from
the top right hand corner, click on Configure > Add New Page. Type TACACS and click on
Add Page. Go to the TACACS tab and click again on Configure > Add Application and add the
Live Authentications application.

Edit the Live Authentications panel by clicking on the icon shown in the above diagram which
is located on the top right hand corner of the newly created page. Change the protocol to
TACACS and Save the changes. Now from the new TACACS tab, you can monitor TACACS
authentications in real time. When done, the new dashboard tab should look like this:



Step 3 Click on the Troubleshooting tab. We will use this tab to monitor RADIUS authentications, as
it already has a Live Authentications panel configured for RADIUS authentications.
Step 4 From the topology, telnet to the access switch. Enter the enable mode.
Step 5 The goal of this step is to ensure that both ACS boxes are receiving the requests. acs-1 and
acs-2 have been pre-configured in the switch as RADIUS and TACACS+ servers. Send test
requests to the ACS servers:
test aaa group radius bob bobspwd new-code
test aaa group tacacs+ bob bobspwd new-code

Note: Use the show running-configuration command on the access switch to verify the aaa configuration
that is already configured on the device.

Step 6 Check the RADIUS and TACACS Live Authentications. If you see entries in these panels,
then you have confirmed that the ACS servers are capable of receiving RADIUS and
TACACS+ requests. Hover over the failure reason to understand why the authentications
failed.

For more information on these requests, go to the General tab on the Dashboard, and look at
today's authentications for RADIUS and TACACS, under My Favorite Reports. Confirm that
requests are being received by both acs-1 and acs-2.
Step 7 The first set of requests failed due to an Unknown Device error. Let's now add the device into
ACS. From the ACS home page, go to Network Resources > Network Devices and AAA
Clients and click on Create to create a new entry.
Step 8 Enter the device details as per the diagram below.




Step 9 Click on Submit to create the Network Device on ACS.
Step 10 Send the RADIUS and TACACS requests again. Check that the failure message is different
this time. The failures should not be related to an unknown device. This confirms that the
access switch is configured in ACS.
Step 11 Next, let's test that the replication was successful between the two ACS servers. Since the
configuration was done on acs-1, let us direct the requests to acs-2 using the following switch
command.
test aaa group ACS joe@acs-2 joepwd new-code

Notice that the error message you receive with the above command is the same as in Step 10.
This confirms that the configuration was replicated to acs-2.
End of Exercise: You have successfully completed this exercise.
Proceed to next section.


Lab Exercise 4: Confirm Basic Authentication
Exercise Objective
In this exercise, your goal is to authenticate users to both Active Directory and also the ACS
internal store. You will learn the process for establishing connectivity to Active Directory (AD),
increase your familiarity with ACS View, and gain your first exposure to ACS Access Services
that define how requests are processed for authentication and authorization.
Lab Exercise Steps
Step 1 Create a user in ACS with credentials joe-internal/cisco123. Go to Users and Identity Stores
> Internal Identity Stores > Users.

Step 2 From the access switch, send a test RADIUS authentication for the user created in the
previous step. Use ACS View to confirm the authentication status. Examine the user's detailed
authentication report to try to understand how ACS processed the authentication request.
When ACS is installed, it comes preconfigured with two Access Services, Default Device Admin
and Default Network Access, for TACACS+ and RADIUS authentications respectively. The
Service Selection Policy, under Access Policies > Service Selection Rules, shows this default
configuration:



Look at the Default Network Access Access Service identity policy, Access Policies >
Default Network Access > Identity.

You can see that the Identity Source is set to Internal Users. This is how ACS knew where to
locate the user you authenticated in this step.
In the next steps, you will authenticate a user to AD.
Step 3 Create an AD identity store. Go to Users and Identity Stores > External Identity Stores >
Active Directory.
Step 4 Configure the properties of Active Directory as follows:
Active Directory Domain Name: ciscosec.com
Username: administrator
Password: C!scoLAB123!
Click on Save Changes to save the configuration.



Ensure that the Connectivity Status is CONNECTED. You may need to scroll down to see the status.
If there are any errors during connectivity, check the NTP status via the ACS CLI by running the show
ntp command. Note the offset and the delay values. These should not be too high. If they are, reload
the ACS box by typing in the command reload.
acs-1/admin# show ntp
Primary NTP : 192.168.3.10
synchronised to local net at stratum 11
time correct to within 12 ms
polling server every 1024 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
 192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812
Warning: Output results may conflict during periods of changing synchronization.
After the ACS box comes back up, again check the NTP status and ensure that the offset/delay
values are small. Now try to connect to the AD server again.



Step 5 After connecting to the AD, confirm that ACS can query AD groups. Go to the Directory
Groups tab and click on Select. The pop-up window should list the various AD groups.


Step 6 Similarly, confirm that ACS can query AD user attributes. Go to the Directory Attributes tab,
enter user1 in the Name of example Subject to Select Attributes field, and click on Select.




If you can see the pop-ups as shown above, this means that ACS can successfully query AD for
group and user attribute information.
Step 7 Edit the Default Network Access Access Service to use the configured AD as the Identity
Store. Send an authentication request from the switch for the user user1 with password
cisco123.
Confirm in ACS View that the user was authenticated to AD.

End of Exercise: You have successfully completed this exercise.
Proceed to next section.



Appendix: Additional Resources
You can find other useful information related to the topics covered in this lab at the following
URLs:
http://cisco.com/en/US/products/ps9911/index.html
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/common_scenarios.html
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.