ACS 5.1 Basic Setup And Familiarization

Developers and Lab Proctors
This lab was created by: Aruna Yerragudi
Lab proctors:

Lab Overview
In this lab, you will go over the initial setup of Cisco Secure Access Control System (ACS) 5.1. By the end of it, you will have:
- Configured two ACS servers in a primary/secondary configuration
- Confirmed that the ACS servers can receive RADIUS and TACACS+ requests
- Tested simple authentication for a user configured in the ACS internal store and in Active Directory
- Gained familiarity with the ACS View monitoring, reporting and troubleshooting tool
Lab participants should be able to complete the lab within the allotted lab time of two hours.

Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Initialization Verification
Lab Exercise 2: Configure A Distributed Deployment
Lab Exercise 3: Configure A Network Device And Verify AAA Communications
Lab Exercise 4: Confirm Basic Authentication

Product Overview: ACS 5.1
Cisco Secure Access Control System 5.1 is a platform for centralized network identity and access control. ACS 5.1 features a rule-based policy model and a management interface designed for control and visibility. The rule-based policy model provides the flexibility and manageability needed to meet evolving access policy needs. Its integrated monitoring, reporting, and troubleshooting features simplify management and support compliance. ACS 5.1 integration capabilities and distributed deployment support make it suited to centralized network identity and access policy.

Lab Topology and Access
Each pod includes two Cisco Catalyst switches, two ACS v5.1 servers, a Windows 2003 Server for Active Directory, and a management Windows XP PC.

ACS 5.1 Basic Setup And Familiarization Lab Guide 2
Lab Topology This is the topology used for this lab.
Internal IP Addresses and Accounts
The table that follows lists the internal IP addresses and accounts used by the devices in this setup.

Device                      IP Address       Account (username/password/domain)
Management PC (Mgmt)        192.168.3.50     cisco/cisco123/CISCOSEC
Windows 2003/AD (DC)        192.168.3.10     cisco/cisco123/CISCOSEC
ACS 5.1 Primary (acs-1)     192.168.3.11     CLI: admin/C!scoLAB123!   GUI: acsadmin/cisco123
ACS 5.1 Secondary (acs-2)   192.168.3.12     CLI: admin/C!scoLAB123!   GUI: acsadmin/cisco123
Distribution Switch         192.168.250.1    admin/cisco123
Access Switch               192.168.250.2    admin/cisco123, enable: cisco123
Lab Exercise 0: Initial Setup Steps (For Reference Only; Do Not Complete)
This section is for reference only. It should already have been completed for you, but it is included so that you can see the steps necessary to initialize the ACS for the network.

Exercise Objective
In this exercise, the goal is to walk through the initial setup steps that are necessary after a fresh installation.

Step 1
Power on the ACS 5.1 instance. The following setup prompt appears.

**********************************************
Please type setup to configure the appliance
**********************************************
localhost login: setup_

Step 2
At the login prompt, type setup and press Enter. The setup takes you through a series of steps where various parameters need to be entered. An example of all the parameters is shown below:

Press Ctrl-C to abort setup
Enter hostname[]: acs-1
Enter IP address []: 192.168.3.11
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 192.168.3.1
Enter default DNS domain[]: ciscosec.com
Enter Primary nameserver[]: 192.168.3.10
Add/Edit another nameserver? Y/N : n
Enter username[admin]:
Enter password:
Enter password again:
Bringing up network interface...
Pinging the gateway...
Pinging the primary nameserver ...
Do not use Ctrl-C from this point on...
Appliance is configured
Installing applications...
Installing acs ...
Generating configuration...
Rebooting...
_
Step 3
After the ACS is installed, the system reboots automatically and comes to the ACS login prompt. You may now log in to the ACS either via the console or via SSH, using the credentials configured during setup.

acs-1 login: _
Step 4
The next step is to install the license. Log in to the primary ACS (acs-1) via the GUI (https://<ACS_hostname>). Enter the default credentials: acsadmin/default. You will be prompted to change the password. Do not skip this: the default password is the same on every fresh ACS installation.
Step 5
After changing the default password, you will need to install the license. Browse to the license file and click on Install to install the license.
Step 6
This completes the basic setup and installation. The system is now ready for use.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 1: Initialization Verification

Exercise Objective
Verify that ACS has the basic required configuration.

Lab Exercise Steps: Setup Verification
Step 1
From the Topology tab, click on the Management PC > RDP Client and log in to the Management PC (Mgmt) using the credentials: cisco/cisco123.

Step 2
From the Management PC, open a command prompt (Start > Run ... > cmd).

Step 3
In the command prompt window, verify that you can ping the following devices required for the lab, to ensure that all the devices are up and accessible.
> ping 192.168.3.10      (AD server)
> ping 192.168.3.11      (ACS Primary)
> ping 192.168.3.12      (ACS Secondary)
> ping 192.168.250.2     (Access Switch)

Step 4
On the Management PC desktop, double-click the putty shortcut. Connect to the primary ACS (acs-1.ciscosec.com, 192.168.3.11) via SSH and log in using the credentials: admin/C!scoLAB123!

login as: admin
Using keyboard-interactive authentication.
Password:
acs-1/admin#

Step 5
From the ACS CLI, ping the following devices: 192.168.3.1 (default gateway), 192.168.3.10 (AD server), 192.168.3.12 (ACS Secondary) and 192.168.250.2 (Access Switch). All the devices should be pingable.
acs-1/admin# ping 192.168.3.1       (Default Gateway)
acs-1/admin# ping 192.168.3.10      (AD server)
acs-1/admin# ping 192.168.3.12      (ACS Secondary)
acs-1/admin# ping 192.168.250.2     (Access Switch)

Step 6
Run the command show application status acs and verify that you see a similar status.

acs-1/admin# show application status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
If any of the processes are not in the running state, wait a few minutes and re-run the command, or stop and restart the application with the CLI commands application stop acs and application start acs. The system is ready for use when all the processes are in the running state.

Step 7
Run the command show ntp to verify synchronization with the NTP server (the AD server). Note the offset and delay values; these should not be too high.

acs-1/admin# show ntp
Primary NTP : 192.168.3.10
synchronised to local net at stratum 11
   time correct to within 12 ms
   polling server every 1024 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
 192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812
Warning: Output results may conflict during periods of changing synchronization.

In this table the * marks the peer the daemon is actually disciplined by; here that is the local clock driver (127.127.1.0), while the AD server appears as a reachable candidate (reach 377) with an offset of about 11 ms, which is acceptable for this lab.
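The wait-and-retry loop in Step 6 is easy to script over an SSH session. The following Python is an added example, not code from the lab guide or from Cisco: it parses the output of show application status acs and reports which processes block readiness. The sample output is constructed from the expected output above, with one process altered to 'not running' so that the check has something to find.

```python
"""Readiness check for the ACS 'show application status acs' output.

Added example (not part of the lab guide). Parses the CLI output and
returns the ACS role plus every process that is not in the 'running'
state, which is the condition the guide tells you to wait on or to fix
with 'application stop acs' / 'application start acs'.
"""
import re

# Constructed sample: the guide's expected output with one process
# deliberately altered to 'not running' to exercise the check.
SAMPLE_STATUS = """\
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' not running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
"""

# Every process the guide lists; a process missing from the output is
# treated as blocking, not as fine.
EXPECTED_PROCESSES = (
    "database", "management", "runtime", "view-database",
    "view-jobmanager", "view-alertmanager", "view-collector",
    "view-logprocessor",
)

_ROLE_RE = re.compile(r"^ACS role:\s*(\S+)", re.M)
_PROC_RE = re.compile(r"^Process '([^']+)'\s+(.+?)\s*$", re.M)


def parse_status(output):
    """Return (role, {process_name: state}) from the command output."""
    m = _ROLE_RE.search(output)
    role = m.group(1) if m else None
    states = {name: state for name, state in _PROC_RE.findall(output)}
    return role, states


def not_ready(output, expected=EXPECTED_PROCESSES):
    """List the processes that block readiness (empty list means ready).

    A process blocks if it is absent from the output or its state is
    anything other than the literal word 'running'.
    """
    _, states = parse_status(output)
    return [p for p in expected if states.get(p) != "running"]


def is_ready(output, expected_role=None, expected=EXPECTED_PROCESSES):
    """True when all processes run and, if given, the role matches."""
    role, _ = parse_status(output)
    if expected_role is not None and role != expected_role:
        return False
    return not not_ready(output, expected)


if __name__ == "__main__":
    role, _ = parse_status(SAMPLE_STATUS)
    print("role:", role)
    print("blocking:", not_ready(SAMPLE_STATUS))
```

Feed it the text captured from the SSH session and loop until is_ready() returns True; passing expected_role="SECONDARY" makes the same check usable for acs-2 after the registration in Exercise 2.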
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 2: Configure A Distributed ACS Deployment

Exercise Objective
In this exercise, your goal is to configure two ACS servers in a distributed deployment scenario.

Lab Exercise Steps
Step 1
From the management PC (Mgmt), open Internet Explorer and log on to the secondary ACS (https://acs-2.ciscosec.com, 192.168.3.12; credentials: acsadmin/cisco123). ACS ships with a self-signed certificate for HTTPS web access, which causes a security alert in web browsers. Accept the certificate exception and continue. This is acceptable only in an isolated lab: in a production deployment, install a certificate issued by a CA your administrators' browsers trust, or at least verify the self-signed certificate's fingerprint out of band before accepting it, because clicking through the warning is exactly what an attacker impersonating the management interface relies on.
Note: At this point, acs-2 is a standalone ACS server and, by default, it is a primary server.

Step 2
Go to System Administration > Operations > Local Operations > Deployment Operations and enter the primary server information as shown below:
Primary Instance: 192.168.3.11
Admin Username: acsadmin
Admin Password: cisco123
Step 3
Click on Register to Primary. The following prompt is shown to confirm the action. Click on OK to continue registering with the primary.
Step 4
You will be automatically logged out of the secondary ACS GUI and it will reboot. Close this browser window.
Step 5
Log in to the primary ACS server GUI (https://acs-1.ciscosec.com, 192.168.3.11) and go to System Administration > Operations > Distributed System Management. Verify the Online Status and Replication Status.
While the secondary is rebooting, the Online Status is red and the Replication Status is PENDING. After the secondary is up, the status changes as shown below. Wait for the secondary to come back up. You can SSH to the secondary ACS and run the command show application status acs to establish when the secondary is back up.
Step 6
All configuration is now performed on the primary ACS server. All configuration updates are automatically sent to any secondary servers. A full replication can also be initiated from the primary ACS server for selected secondary servers. On the primary ACS server, go to System Administration > Operations > Distributed System Management. Select the secondary instance and click on Full Replication.
You will be asked to reconfirm the action. Click on OK to continue with the full replication. Wait for the secondary ACS server to restart. Click on Refresh to get the updated status. Wait for the Online Status to become green and the Replication Status to show UPDATED.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 3: Configure A Network Device And Verify AAA Communications

Exercise Objective
In this exercise, you will:
- Confirm that the ACS servers can receive RADIUS and TACACS+ requests
- Confirm ACS View log collection and use it as a troubleshooting tool
- Configure a network device in ACS
- Confirm that replication is working

Lab Exercise Steps
Step 1
Launch ACS View by navigating as follows: Monitoring and Reports > Launch Monitoring & Report Viewer. ACS View opens in a new browser window.

Step 2
In this step, we'll add a new tab called TACACS to the ACS View Dashboard. From the top right-hand corner, click on Configure > Add New Page. Type TACACS and click on Add Page. Go to the TACACS tab, click again on Configure > Add Application, and add the Live Authentications application.
Edit the Live Authentications panel by clicking on the icon shown in the diagram above, located in the top right-hand corner of the newly created page. Change the protocol to TACACS and save the changes. From the new TACACS tab you can now monitor TACACS+ authentications in real time. When done, the new dashboard tab should look like this:
Step 3
Click on the Troubleshooting tab. We will use this tab to monitor RADIUS authentications, as it already has a Live Authentications panel configured for RADIUS.

Step 4
From the topology, telnet to the access switch. Enter enable mode.

Step 5
The goal of this step is to ensure that both ACS servers are receiving the requests. acs-1 and acs-2 have been pre-configured on the switch as RADIUS and TACACS+ servers. Send test requests to the ACS servers:
test aaa group radius bob bobspwd new-code
test aaa group tacacs+ bob bobspwd new-code
Note: Use show running-config on the access switch to verify the AAA configuration that is already present on the device; show running-config | include aaa|radius|tacacs narrows the output to the relevant lines, including the server addresses and the (obfuscated) shared secrets.
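What the switch actually sends when you run test aaa group radius bob bobspwd new-code is a RADIUS Access-Request, and the reason ACS must already know the device is that it looks up the shared secret by the request's source IP address. Without that secret the server can neither recover the User-Password attribute nor produce a reply with a valid Response Authenticator. The following Python is an added example, not code from the lab guide or from Cisco: it builds a minimal PAP Access-Request as RFC 2865 describes, hides the password with the shared secret (section 5.2), and verifies the Response Authenticator on the reply (section 3). The shared secret, identifier and fixed Request Authenticator are constructed values; a real NAS picks a random authenticator per request and includes more attributes than the three shown here.

```python
"""The RADIUS exchange behind 'test aaa group radius bob bobspwd new-code'.

Added example; not code from the lab guide or from Cisco. Builds a PAP
Access-Request as RFC 2865 describes, hides the password with the shared
secret (section 5.2), and checks the Response Authenticator on the reply
(section 3). The secret, identifier, NAS address and the fixed Request
Authenticator used in __main__ are constructed values for the example.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. Reversible by anyone who holds the secret."""
    pw = password.encode()
    pw += b"\x00" * ((-len(pw) % 16) if pw else 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, i.e. what the server does with its secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def attribute(atype, value):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(username, password, secret, nas_ip, ident=0,
                         request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)   # random per request on a real NAS
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_packet(packet):
    """Return (code, ident, authenticator, {type: value}); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request_packet, secret, attrs=b""):
    """The reply a server such as ACS sends for request_packet under its secret."""
    _, ident, request_auth, _ = parse_packet(request_packet)
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """True only if the reply was built with the same secret for this request."""
    code, ident, auth, _ = parse_packet(response)
    return auth == response_authenticator(code, ident, response[20:], request_auth, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt, ra = build_access_request("bob", "bobspwd", secret, "192.168.250.2", ident=1)
    hidden = parse_packet(pkt)[3][USER_PASSWORD]
    print("Access-Request length:", len(pkt))
    print("server with the secret recovers:", reveal_password(hidden, secret, ra))
    print("Access-Reject verifies:",
          verify_response(build_response(ACCESS_REJECT, pkt, secret), ra, secret))
```

Two points the code makes concrete: the User-Password hiding is an MD5 keystream keyed only by the shared secret, so anyone who can sniff the RADIUS traffic and knows or guesses the secret recovers the cleartext password (choose long random secrets and keep RADIUS on the management network), and a reply built with a different secret fails verification, which is the mechanism that protects the switch from a forged Access-Accept. A Message-Authenticator attribute (RFC 2869) is not included here.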
Step 6
Check the RADIUS and TACACS Live Authentications panels. If you see entries in these panels, you have confirmed that the ACS servers can receive RADIUS and TACACS+ requests. Hover over the failure reason to understand why the authentications failed.
For more information on these requests, go to the General tab on the Dashboard and look at today's authentications for RADIUS and TACACS under My Favorite Reports. Confirm that requests are being received by both acs-1 and acs-2.

Step 7
The first set of requests failed with an Unknown Device error: ACS identifies a AAA client by its source IP address, and the access switch has no entry yet. Let's now add the device to ACS. From the ACS home page, go to Network Resources > Network Devices and AAA Clients and click on Create to create a new entry.

Step 8
Enter the device details as per the diagram below.
Step 9
Click on Submit to create the Network Device on ACS.

Step 10
Send the RADIUS and TACACS+ requests again. Check that the failure message is different this time. The failures should no longer be related to an unknown device; they are now authentication failures for a user ACS does not know. This confirms that the access switch is configured in ACS.

Step 11
Next, let's test that replication between the two ACS servers was successful. Since the configuration was done on acs-1, direct the requests to acs-2 using the following switch command:
test aaa group ACS joe@acs-2 joepwd new-code

Notice that the error message you receive with the above command is the same as in Step 10. This confirms that the configuration was replicated to acs-2.

End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 4: Confirm Basic Authentication

Exercise Objective
In this exercise, your goal is to authenticate users against both Active Directory and the ACS internal store. You will learn the process for establishing connectivity to Active Directory (AD), increase your familiarity with ACS View, and gain your first exposure to ACS Access Services, which define how requests are processed for authentication and authorization.

Lab Exercise Steps
Step 1
Create a user in ACS with the credentials joe-internal/cisco123. Go to Users and Identity Stores > Internal Identity Stores > Users.

Step 2
From the access switch, send a test RADIUS authentication for the user created in the previous step. Use ACS View to confirm the authentication status. Examine the user's detailed authentication report to understand how ACS processed the authentication request. When ACS is installed, it comes preconfigured with two Access Services, Default Device Admin and Default Network Access, for TACACS+ and RADIUS authentications respectively. The Service Selection Policy, under Access Policies > Service Selection Rules, shows this default configuration:
Look at the identity policy of the Default Network Access Access Service, under Access Policies > Default Network Access > Identity.

You can see that the Identity Source is set to Internal Users. This is how ACS knew where to locate the user you authenticated in this step. In the next steps, you will authenticate a user against AD.

Step 3
Create an AD identity store. Go to Users and Identity Stores > External Identity Stores > Active Directory.

Step 4
Configure the properties of Active Directory as follows:
Active Directory Domain Name: ciscosec.com
Username: administrator
Password: C!scoLAB123!
Click on Save Changes to save the configuration.
The lab uses the domain Administrator account for convenience. In a production deployment, use a dedicated account with only the rights needed to join the domain and read the directory objects ACS queries, because this credential is stored on the ACS appliance and replicated to every secondary.
Ensure that the Connectivity Status is CONNECTED. You may need to scroll down to see the status. If there are errors during connectivity, check the NTP status from the ACS CLI with the show ntp command and note the offset and delay values. The AD connection relies on Kerberos, which by default rejects a client whose clock differs from the domain controller's by more than five minutes, so a large offset shows up as a connectivity failure rather than as a time error. If the values are high, reload the ACS appliance with the command reload.

acs-1/admin# show ntp
Primary NTP : 192.168.3.10
synchronised to local net at stratum 11
   time correct to within 12 ms
   polling server every 1024 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
 192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812
Warning: Output results may conflict during periods of changing synchronization.

After the ACS appliance comes back up, check the NTP status again and ensure that the offset and delay values are small. Now try to connect to the AD server again.
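The guide says the offset "should not be too high" both here and in Exercise 1 Step 7 without giving a number. The following Python is an added example, not from the lab guide, that serves both passages: it parses the ntpq-style peer table shown above, finds the server named on the Primary NTP line, and returns a verdict. The thresholds are assumptions for this check: 500 ms as "healthy", and 300000 ms because the default Kerberos clock-skew tolerance is five minutes. The sample output is constructed from the table above; note that in it the daemon is disciplined by its own local clock (the * is on 127.127.1.0), which the check reports as a warning even though the 11 ms offset to the AD server is fine.

```python
"""Judge the clock from the ACS 'show ntp' output.

Added example, not from the lab guide. Parses the ntpq-style peer table
the guide shows, finds the server named on the 'Primary NTP' line, and
returns a verdict on its offset. Thresholds are assumptions for this
check: 500 ms as 'healthy', and 300000 ms because Kerberos, which the AD
connection depends on, rejects clients skewed by more than five minutes.
"""
import re

# Constructed sample modelled on the output in the guide: the daemon is
# locked to its own local clock ('*' on 127.127.1.0) and the AD server is
# only a candidate peer, about 11 ms away.
SAMPLE_SHOW_NTP = """\
Primary NTP : 192.168.3.10
synchronised to local net at stratum 11
   time correct to within 12 ms
   polling server every 1024 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
 192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812
Warning: Output results may conflict during periods of changing synchronization.
"""

KERBEROS_MAX_SKEW_MS = 5 * 60 * 1000   # default AD/Kerberos tolerance
HEALTHY_OFFSET_MS = 500.0              # assumed 'not too high' for this check

# One peer row: the tally mark, then the ntpq columns. 'reach' is octal.
_PEER_RE = re.compile(
    r"^(?P<tally>[ *+#o.x-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S)"
    r"\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)"
    r"\s+(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$",
    re.M,
)


def parse_peers(output):
    """Return one dict per peer row; 'selected' is True for the '*' peer."""
    peers = []
    for m in _PEER_RE.finditer(output):
        d = m.groupdict()
        peers.append({
            "remote": d["remote"], "refid": d["refid"], "stratum": int(d["st"]),
            "reach": int(d["reach"], 8), "delay": float(d["delay"]),
            "offset": float(d["offset"]), "jitter": float(d["jitter"]),
            "selected": d["tally"] == "*",
        })
    return peers


def assess(output, healthy_ms=HEALTHY_OFFSET_MS, hard_ms=KERBEROS_MAX_SKEW_MS):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'fail'."""
    m = re.search(r"^Primary NTP\s*:\s*(\S+)", output, re.M)
    if not m:
        return "fail", "no 'Primary NTP' line in output"
    server = m.group(1)
    row = next((p for p in parse_peers(output) if p["remote"] == server), None)
    if row is None:
        return "fail", "%s is not in the peer table" % server
    if row["reach"] == 0:
        return "fail", "%s has not answered any recent poll (reach 0)" % server
    if abs(row["offset"]) >= hard_ms:
        return "fail", "offset %.1f ms exceeds the Kerberos skew limit" % row["offset"]
    if abs(row["offset"]) > healthy_ms:
        return "warn", "offset %.1f ms is above %.0f ms" % (row["offset"], healthy_ms)
    if not row["selected"]:
        return "warn", "offset is fine, but the clock is not disciplined by %s" % server
    return "ok", "synchronised to %s, offset %.3f ms" % (server, row["offset"])


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_NTP))
```

A "fail" verdict is the case the guide tells you to fix with reload; a "warn" for the local-clock case means the appliance will drift freely if the AD server ever becomes unreachable, so it is worth investigating even when the AD join succeeds.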
Step 5
After connecting to AD, confirm that ACS can query AD groups. Go to the Directory Groups tab and click on Select. The pop-up window should list the various AD groups.
Step 6
Similarly, confirm that ACS can query AD user attributes. Go to the Directory Attributes tab, enter user1 in the Name of example Subject to Select Attributes field, and click on Select.
If you can see the pop-ups as shown above, ACS can successfully query AD for group and user attribute information.

Step 7
Edit the Default Network Access Access Service to use the configured AD as the Identity Source. Send an authentication request from the switch for the user user1 with password cisco123. Confirm in ACS View that the user was authenticated against AD.
End of Exercise: You have successfully completed this exercise. Proceed to next section.
Appendix: Additional Resources
You can find other useful information related to the topics covered in this lab at the following URLs:
http://cisco.com/en/US/products/ps9911/index.html
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/common_scenarios.html

End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you have finished and provide any feedback to help improve the lab experience.