Presentation_ID
Cisco Confidential
Example Scenario
In this document, we will create a user called aceadmin. This user account will only have access to a context on the ACE called Cnt1. The user will be given the Admin role and put in the default-domain of the Cnt1 context. This user will not be configured as a local user on the ACE, although the ACE will check its local user database if it cannot reach the ACS (TACACS+/RADIUS server).
(Scenario diagram; address shown: 150.10.40.21)
1. Source IP Address of ACE AAA Traffic.
2. Be sure to create a second client for the Redundant ACE if necessary.
3. Key entered will also be used in the ACE configuration.
4. Specify TACACS+ Authentication.
Each AAA transaction will occur using a separate TCP connection. Check this box if you would like them to use a single TCP connection.
ACE-1/Cnt1(config)# aaa authentication login default group acs-servers local
ACE-1/Cnt1(config)# aaa accounting default group acs-servers local
Configure the ACE to use the servers in this TACACS+ server group for AAA. Note that the local keyword at the end means that a local user database on the ACE should be used for authentication ONLY if neither TACACS+ server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.
aaa group server tacacs+ acs-servers
  server 130.10.0.55
  server 130.10.0.56
aaa authentication login default group acs-servers local
aaa accounting default group acs-servers local
1. Source IP Address of ACE AAA Traffic.
2. Be sure to create a second client for the Redundant ACE if necessary.
3. Key entered will also be used in the ACE configuration.
4. Specify RADIUS Authentication.
ACE-1/Cnt1# config
ACE-1/Cnt1(config)# radius-server host 130.10.0.55 key cisco123
ACE-1/Cnt1(config)# radius-server host 130.10.0.56 key cisco123
ACE-1/Cnt1(config)# aaa group server radius radius-farm
ACE-1/Cnt1(config-radius)# server 130.10.0.55
ACE-1/Cnt1(config-radius)# server 130.10.0.56
ACE-1/Cnt1(config-radius)# exit
Create a group for the RADIUS servers and add the member servers.
ACE-1/Cnt1(config)# aaa authentication login default group radius-farm local
ACE-1/Cnt1(config)# aaa accounting default group radius-farm
Configure the ACE to use the servers in this RADIUS server group for AAA. Note that the optional local keyword at the end means that a local user database on the ACE should be used for authentication ONLY if neither RADIUS server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.
radius-server host 130.10.0.55 key 7 "fewhg123" authentication accounting
radius-server host 130.10.0.56 key 7 "fewhg123" authentication accounting
aaa group server radius radius-farm
  server 130.10.0.55
  server 130.10.0.56
aaa authentication login default group radius-farm local
aaa accounting default group radius-farm
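The TACACS+ and RADIUS running-config fragments above share one shape: a server group, a login policy that names the group, and (for the reasons given in the notes) a local fallback and accounting. The following added example, not Cisco code or tooling, parses such a fragment offline and lists what a reviewer would flag before trusting it for admin access: an undefined or single-member group, a missing local fallback, missing accounting, and shared keys stored in "key 7" form. The sample configs are the RADIUS fragment from the slides plus a constructed weak one; the regexes assume the two-space indentation of group members shown above.

```python
import re

GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
MEMBER_RE = re.compile(r"^\s+server (\S+)$")
POLICY_RE = re.compile(r"^aaa (authentication login|accounting) default group (\S+)( local)?$")
HOST_RE = re.compile(r"^(?:tacacs|radius)-server host (\S+) key 7 ")

def parse_config(text):
    groups, policies, key7_hosts, current = {}, {}, [], None
    for line in map(str.rstrip, text.splitlines()):
        if m := GROUP_RE.match(line):        # 'aaa group server' opens a sub-mode
            current = m.group(1)
            groups[current] = []
        elif m := MEMBER_RE.match(line):     # indented 'server <ip>' inside that sub-mode
            if current:
                groups[current].append(m.group(1))
        else:
            current = None                   # any other top-level line ends the sub-mode
            if m := POLICY_RE.match(line):   # value: (group name, has 'local' fallback)
                policies[m.group(1)] = (m.group(2), m.group(3) is not None)
            elif m := HOST_RE.match(line):   # shared key kept in 'key 7' form
                key7_hosts.append(m.group(1))
    return groups, policies, key7_hosts

def audit(text):
    groups, policies, key7_hosts = parse_config(text)
    findings = []
    if "authentication login" not in policies:
        findings.append("no 'aaa authentication login default': only the local database is used")
    else:
        group, has_local = policies["authentication login"]
        if group not in groups:
            findings.append(f"authentication references undefined server group '{group}'")
        elif len(groups[group]) < 2:
            findings.append(f"server group '{group}' has one member: no AAA server redundancy")
        if not has_local:
            findings.append("no 'local' fallback: admins are locked out if every server is unreachable")
    if "accounting" not in policies:
        findings.append("no 'aaa accounting default': logins and commands are not sent to the ACS")
    findings += [f"key for {h} is stored in 'key 7' form; treat config exports as secrets" for h in key7_hosts]
    return findings

# Constructed samples: the RADIUS fragment from the slides and a deliberately weak one.
RADIUS_CONFIG = """radius-server host 130.10.0.55 key 7 "fewhg123" authentication accounting
radius-server host 130.10.0.56 key 7 "fewhg123" authentication accounting
aaa group server radius radius-farm
  server 130.10.0.55
  server 130.10.0.56
aaa authentication login default group radius-farm local
aaa accounting default group radius-farm"""
WEAK_CONFIG = "aaa group server tacacs+ lone\n  server 130.10.0.55\naaa authentication login default group lone"
```

Running `audit(RADIUS_CONFIG)` reports only the two "key 7" entries, while `audit(WEAK_CONFIG)` reports the single-member group, the missing local fallback and the missing accounting policy.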
The ACE tells the ACS what context the user has logged into so it can now find out what permissions this user has in the context.
The ACS tells the ACE what role and domain the user has for this context.
The ACE tells the ACS that the aceadmin user has entered the show user- command.
The ACE tells the ACS the exact time that the aceadmin user logged out.
The ACE tells the ACS the exact time that the aceadmin user logged in.
The ACE tells the ACS the exact time that the aceadmin user entered the show user-acc command.
The ACE tells the ACS the exact time that the aceadmin user logged out.
Helpful Resources
BU Escalation Alias
cse-dev-ace@cisco.com
cse-dev-aceappliance@cisco.com
ADBU
http://wwwin.cisco.com/dss/adbu/
ANS Samples
http://www-tac.cisco.com/~smerrow/Samples/main.html