
ISE TACACS+ Configuration Guide for

Wireless LAN Controllers

Secure Access How-to User Series

Author: Aruna Yerragudi (Edited by Hsing-Tsu Lai)


Date: December 2015
SECURE ACCESS HOW-TO GUIDES

Table of Contents
About this Guide ............................................................................................................................................................. 3
Overview .................................................................................................................................................... 3
Using this Guide ......................................................................................................................................... 3
Components Used ..................................................................................................................................... 3
ISE Configuration for Device Admin ............................................................................................................................. 4
Enabling Device Admin on ISE .................................................................................................................. 4
Device Admin Work Center ........................................................................................................................ 5
Configuring Network Device and Network Device Groups ......................................................................... 5
Defining Identity Stores .............................................................................................................................. 7
Configuring TACACS Profiles .................................................................................................................... 8
Device Admin Policy Sets .......................................................................................................................... 9
WLC Configuration for TACACS+ ................................................................................................................................ 12
Add a TACACS+ Authentication Server ................................................................................................... 12
Add a TACACS+ Authorization Server ..................................................................................................... 13
Add a TACACS+ Accounting Server ........................................................................................................ 13
Configure the Order of Authentication ...................................................................................................... 14
What’s Next? ................................................................................................................................................................. 15

Cisco Systems © 2015 Page 2



About this Guide


Overview
Terminal Access Controller Access Control System Plus (TACACS+) is a client-server protocol that provides
centralized security control for users to gain management access to a router or any network access device. TACACS+
provides these AAA services:

• Authentication – Who the users are
• Authorization – What they are allowed to do
• Accounting – Who did what and when

This document provides configuration examples for TACACS+ with the Cisco Identity Services Engine (ISE) as the
TACACS+ server and a Cisco Wireless LAN Controller (WLC) as the TACACS+ client.

Using this Guide


This guide is divided into two parts, covering the activities needed to enable ISE to manage administrator access to the WLC.

• Part 1 – Configuring ISE for Device Admin
• Part 2 – Configuring WLC for TACACS+

Components Used
The information in this document is based on the software and hardware versions below:

• ISE Release 2.0
• WLC with AireOS Software Versions 7.6 and 8.0

The materials in this document were created from devices in a lab environment. All of the devices started with a
cleared (default) configuration.


ISE Configuration for Device Admin


Licensing Device Admin on ISE
Device Admin is licensed per deployment, but requires existing and valid ISE base or mobility licenses.

Enabling Device Admin on ISE


The Device Admin service (TACACS+) is not enabled by default in an ISE node. The first step is to enable it.
Step 1 Log in to the ISE admin web portal using one of the supported browsers.
Step 2 Navigate to Administration > System > Deployment. Select the check box against the ISE node and click
on Edit.

Figure 1. ISE Deployment Page


Step 3 Under General Settings, scroll down and select the check box against Enable Device Admin Service.

Figure 2. ISE Deployment General Settings

Step 4 Save the configuration. Device Admin Service is now enabled on ISE.


Device Admin Work Center


ISE 2.0 introduces Work Centers for TrustSec and Device Administration. A work center contains all the elements for a
particular feature.
Step 1 Go to Work Centers > Device Administration > Overview

Figure 3. Device Admin Overview

The Device Administration Overview provides the high-level steps needed for the Device Admin Use Case.

Configuring Network Device and Network Device Groups


Let us now explore Network Devices and Network Device Groupings.
ISE provides powerful device grouping in the form of multiple device group hierarchies. Each hierarchy represents a
distinct and independent classification of network devices.
Step 1 Navigate to Work Centers > Device Administration > Network Device Groups

Figure 4. Network Device Groups


All Device Types and All Locations are the default hierarchies provided by ISE. You may add your own
hierarchies or define the various components used to identify a Network Device, which will be referenced later in
the Policy Conditions.
Step 2 After defining various hierarchies, the Network Device Groups will look similar to the following:

Figure 5. Network Device Group Tree View

Here we added the various device types and also locations.


Step 3 Now, add a WLC as a Network Device. Go to Work Centers > Device Administration > Network
Resources. Click on Add to add a new Network Device named DMZ_BLDO_vWLC.

Figure 6. Adding Network Device


Enter the IP address of the Device and make sure to map the Location and Device Type for the Device.
Finally, Enable the TACACS+ Authentication Settings and specify the Shared Secret.

Defining Identity Stores


This section defines an Identity Store for the Device Administrators. The Identity Store can be ISE Internal Users
and/or any supported External Identity Source. For this configuration, we will use Active Directory (AD), an External
Identity Source.
Step 1 Go to Administration > Identity Management > External Identity Stores > Active Directory. Click on
Add to define a new Active Directory Join Point. Specify the Join Point name and the AD domain name
and click on Submit.

Figure 3. Adding AD Join Point

Step 2 Click Yes when prompted “Would you like to Join all ISE Nodes to this Active Directory Domain?”
Input the credentials with AD join privileges, and join ISE to AD. Check the Status to verify that it is operational.

Figure 4. Joining ISE to AD

Step 3 Go to the Groups tab, and click on Add to retrieve all the groups on which device-access authorization for
the users will be based. The groups used in the Authorization Policy in this guide are shown below.


Figure 5. AD Groups

Configuring TACACS Profiles


We will define three TACACS Profiles to be used in the Authorization Policies:

• WLC_Monitor_Only: Helpdesk with access to the Monitor tab
• WLC_Security_Access: Security Operators with access to the Security and Commands tabs
• WLC_Admin: Administrators with full access

The WLC uses TACACS+ Custom Attributes, which need to be defined as role1, role2, etc. The available roles are
MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and
LOBBY. The first seven correspond to the menu options on the WLC admin web UI. You may enter one or more roles
to allow read and write access to the particular features; the rest are read-only.
To grant read and write access to WLAN, SECURITY and CONTROLLER, enter the following text:
role1=WLAN
role2=SECURITY
role3=CONTROLLER

Step 1 On the ISE GUI, go to Work Centers > Device Administration > Policy Results > TACACS Profiles.
Add a new TACACS Profile called WLC_Monitor_Only. Scroll down to the Custom Attributes section
to define access to the MONITOR tab only.


Figure 6. TACACS Profile for WLC_Monitor_Only

Click on Save to save the profile.


Step 2 Add another profile called WLC_Security_Access to provide access to the SECURITY and
COMMANDS tabs.

Figure 7. TACACS Profile for WLC_Security_Access

Click on Save to save the profile.


Step 3 Add a third profile called WLC_Admin which provides access to all the tabs with role1=ALL as the
attribute.

Figure 8. TACACS Profile for WLC_Admin

Device Admin Policy Sets


Policy Sets are enabled by default for Device Admin. Policy Sets can split policies by Device Type, which eases the
application of TACACS profiles. For example, Cisco IOS devices use Privilege Levels and/or Command Sets,
whereas WLC devices use Custom Attributes.
Step 1 Navigate to Work Centers > Device Administration > Device Admin Policy Sets. Add a new Policy Set
called WirelessLanControllers with the condition
DEVICE:Device Type EQUALS Device Type#All Device Types#Network Device#Wireless Devices

Figure 9. Policy Set Condition

Step 2 Create the Authentication Policy. For Authentication, we will use Active Directory as the ID Store.


Figure 10. Authentication Policy

Step 3 Define the Authorization Policy. Here we define the authorization policy based on the user's Group in
Active Directory and the location of the device. For example, users in the Active Directory group West Coast can
access only the devices located on the West Coast, whereas users in the Active Directory group East Coast can
access only the devices located on the East Coast.

Rule Name / Conditions / Shell Profiles

Rule Name: WLC HelpDesk West
Conditions: demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/HelpDesk
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/West_Coast
            AND DEVICE:Location CONTAINS All Locations#West_Coast
Shell Profile: WLC_Monitor_Only

Rule Name: WLC HelpDesk East
Conditions: demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/HelpDesk
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/East_Coast
            AND DEVICE:Location CONTAINS All Locations#East_Coast
Shell Profile: WLC_Monitor_Only

Rule Name: WLC Security West
Conditions: demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/Security_Operators
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/West_Coast
            AND DEVICE:Location CONTAINS All Locations#West_Coast
Shell Profile: WLC_Security_Access

Rule Name: WLC Security East
Conditions: demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/Security_Operators
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/East_Coast
            AND DEVICE:Location CONTAINS All Locations#East_Coast
Shell Profile: WLC_Security_Access

Rule Name: WLC Admin E and W
Conditions: demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/Network_Operators
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/West_Coast
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/West_Coast
Shell Profile: WLC_Admin

Rule Name: WLC Admin West
Conditions: demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/Network_Operators
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/West_Coast
            AND DEVICE:Location CONTAINS All Locations#West_Coast
Shell Profile: WLC_Admin

Rule Name: WLC Admin East
Conditions: demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/Network_Operators
            AND demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/East_Coast
            AND DEVICE:Location CONTAINS All Locations#East_Coast
Shell Profile: WLC_Admin

Rule Name: Default
Conditions: none (default rule)
Shell Profile: DenyAllCommands

Figure 11. Authorization Policy
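The following is an added example, not code from the Cisco guide: it models the location-scoped rules of the authorization policy above (first match wins, every condition ANDed, Default denies) together with the roleN custom-attribute semantics from the TACACS Profiles section, so the effect of a profile on each WLC tab can be checked before a user logs in. The group and location strings are those shown in the guide; the evaluation functions themselves are an assumption.

```python
# Added example (not the Cisco guide's own code): models the WLC policy set's
# authorization rules (first match wins) and the roleN custom-attribute
# semantics described in this guide; the evaluation logic is an assumption.
WLC_ROLES = {"MONITOR", "WLAN", "CONTROLLER", "WIRELESS", "SECURITY",
             "MANAGEMENT", "COMMAND", "ALL", "LOBBY"}
WLC_TABS = WLC_ROLES - {"ALL", "LOBBY"}  # the seven admin web UI menu tabs

# The three TACACS profiles from the guide, as roleN=VALUE custom attributes.
PROFILES = {
    "WLC_Monitor_Only": {"role1": "MONITOR"},
    "WLC_Security_Access": {"role1": "SECURITY", "role2": "COMMAND"},
    "WLC_Admin": {"role1": "ALL"},
}

G = "securitydemo.net/DemoGroups/"
# Location-scoped rules from the authorization policy table, in policy order:
# (rule name, AD groups the user must hold, DEVICE:Location substring, profile)
RULES = [
    ("WLC HelpDesk West", {G + "HelpDesk", G + "West_Coast"}, "West_Coast", "WLC_Monitor_Only"),
    ("WLC HelpDesk East", {G + "HelpDesk", G + "East_Coast"}, "East_Coast", "WLC_Monitor_Only"),
    ("WLC Security West", {G + "Security_Operators", G + "West_Coast"}, "West_Coast", "WLC_Security_Access"),
    ("WLC Security East", {G + "Security_Operators", G + "East_Coast"}, "East_Coast", "WLC_Security_Access"),
    ("WLC Admin West", {G + "Network_Operators", G + "West_Coast"}, "West_Coast", "WLC_Admin"),
    ("WLC Admin East", {G + "Network_Operators", G + "East_Coast"}, "East_Coast", "WLC_Admin"),
]

def authorize(user_groups, device_location):
    """Return (rule name, shell profile) of the first rule whose conditions all
    hold: every ExternalGroups EQUALS condition and the Location CONTAINS one."""
    for name, groups, region, profile in RULES:
        if groups <= set(user_groups) and region in device_location:
            return name, profile
    return "Default", "DenyAllCommands"  # no rule matched: deny

def wlc_access(attrs):
    """Expand roleN attributes into per-tab access: listed roles are read-write,
    the remaining tabs read-only, and ALL makes every tab read-write."""
    roles = set()
    for key, value in attrs.items():
        if not key.startswith("role") or value not in WLC_ROLES:
            raise ValueError(f"invalid WLC custom attribute {key}={value}")
        roles.add(value)
    return {tab: ("rw" if "ALL" in roles or tab in roles else "ro")
            for tab in sorted(WLC_TABS)}

def effective_access(user_groups, device_location):
    """End to end: the tabs a user may change on a given WLC, or None if denied."""
    _, profile = authorize(user_groups, device_location)
    return wlc_access(PROFILES[profile]) if profile in PROFILES else None
```

Running effective_access for a Helpdesk West user against an East Coast device returns None, which is the behaviour Step 3 of "What's Next?" expects to see on the WLC.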

We are now done with the ISE configuration for Device Admin for WLC devices.


WLC Configuration for TACACS+

In order to configure TACACS+ in the WLC controller, you need to complete these steps:
1. Add a TACACS+ Authentication Server
2. Add a TACACS+ Authorization Server
3. Add a TACACS+ Accounting Server
4. Configure the Priority Order of Management User Authentication

Add a TACACS+ Authentication Server


Complete these steps in order to add a TACACS+ Authentication Server.
Step 1 From the WLC GUI, navigate to Security > AAA > TACACS+ > Authentication, and click New...

Figure 12. TACACS+ Authentication Server

Step 2 Enter the IP address of the ISE server as the TACACS+ server and the shared secret key.

Figure 13. Adding TACACS+ Authentication Server

Step 3 Click Apply.


Add a TACACS+ Authorization Server


Complete these steps in order to add a TACACS+ Authorization Server.
Step 1 From the WLC GUI, navigate to Security > AAA > TACACS+ > Authorization, and click New...

Step 2 Add the IP address of the ISE server as the server IP address and the shared secret key.

Figure 14. Adding TACACS+ Authorization Server

Step 3 Click Apply.

Add a TACACS+ Accounting Server


Complete these steps in order to add a TACACS+ Accounting Server.
Step 1 From the WLC GUI, navigate to Security > AAA > TACACS+ > Accounting, and click New...

Step 2 Enter the IP address of the ISE server as the server IP address and the shared secret key.

Figure 15. Adding TACACS+ Accounting Server

Step 3 Click Apply.


Configure the Priority Order of Management User Authentication


This step explains how to configure the priority order for management user authentication. The default controller
configuration is local and RADIUS. With TACACS+, the order of authentication can be TACACS+ and local, or
local and TACACS+.
Step 1 From the GUI, go to Security > Priority Order > Management User. Using the arrows and the Up and Down
buttons, select and order the authentication methods so that TACACS+ is followed by LOCAL.

Figure 16. Configuring the Order of Authentication

Step 2 Click Apply.


We are done with the WLC configuration for TACACS+.


What’s Next?
At this point, all the configuration needed for Device Admin for WLC is complete. You will need to validate the
configuration.
Step 1 Log in to the WLC as various users belonging to the different groups, accessing different devices.
Step 2 When you log in, verify that the user has access to the right tabs.
Step 3 For a Helpdesk user, navigate to the different tabs and try to add/modify/delete. For example,
go to WLANs and try to delete one of the WLANs. As this user has only MONITOR access, the operation
should be denied with the following error:

Figure 17. Error message for Authorization Failure on WLC

Step 4 From the ISE GUI, navigate to Operations > TACACS Livelog. All the TACACS authentication and
authorization requests are captured here and the details button will give detailed information of why a
particular transaction passed/failed.

Figure 18. TACACS Livelogs

Step 5 For historic reports, on ISE go to Work Centers > Device Administration > Reports > Device
Administration to get the authentication, authorization and accounting reports.
