
Cisco Secure Access Control System

ACS Version 5.4 Integration with Motorola WiNGS 5.X (AP) Configuration Example


Document ID: 116510

Updated: Oct 03, 2013

Contributed by Minakshi Kumar, Cisco TAC Engineer.


Introduction

This document provides a configuration example with Cisco Secure Access Control System (ACS) Version 5.4 to support TACACS+ Authentication, Authorization, and Accounting (AAA) for administrative access to Motorola Wireless Controllers and Access Points. In this example, Motorola vendor-specific attributes and values are placed in shell profiles on the ACS, and authorization rules map each user's identity group to a shell profile, which determines the role and access permissions that each management user receives. The shell profiles use user-defined TACACS+ services and protocols that must match the names configured on the WiNG 5 devices.

Prerequisites

Requirements

The ACS Version 5.x must have IP connectivity to the Motorola WiNG 5.x devices (TACACS+ uses TCP port 49), and the same shared secret must be configured on both sides.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Secure ACS Version 5.4
  • Motorola WiNG 5.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

ACS Configuration

Device Types

This section shows how to define WiNG 5 devices as a device type on Cisco Secure ACS Version 5.x. Device types group network devices, and the groups are then referenced as conditions in the device authorization policies.

On the ACS GUI, navigate to Network Resources > Network Device Groups > Device Type, and click Create.

Enter a Name and Description, and select a Parent. Click Submit.

This creates a Network Device Group for Motorola Solutions devices.

Network Devices and AAA Clients

Here is an example of how to add a WiNG 5 device as an AAA Client on the Cisco Secure ACS Version 5.x.

On the Cisco Secure ACS, navigate to Network Resources > Network Devices and AAA Clients, and click Create:

Enter a Name for the Wireless Controller(s), and select a Location. Assign the Device Type created in the previous section, and check the TACACS+ checkbox. Enter a Shared Secret, and click the radio button next to the appropriate IP Address option. In this example, IP Range(s) By Mask is selected, and the IPv4 subnet that the Wireless Controllers are connected to (192.168.20.0/24) is defined. Click Submit once you enter all the information. Note that a range defined by mask accepts TACACS+ requests from any host in that subnet that presents the correct shared secret; where the deployment allows, define the individual controller addresses or the narrowest range possible.

This defines the Wireless Controller(s) as Network Devices and AAA Clients:

Identity Groups

In this example, two groups, named MotorolaRO and MotorolaRW, are defined. Users assigned to the MotorolaRO group are assigned to the Monitor role and granted Web Access permissions, while users assigned to the MotorolaRW group are assigned to the Superuser role and granted All Access permissions.

Navigate to Users and Identity Stores > Identity Groups > Create:

Enter a Name and Description for the Read Only Access group, and click Submit.

Create a second group. Enter a Name and Description for the Read Write Access group, and click Submit.

You have now created two Identity Groups.

Shell Profiles

This section shows how to define shell profiles on Cisco Secure ACS Version 5.x. In this example, two shell profiles, named MOTO RO and MOTO RW, are defined with attributes that determine the role and access permissions assigned to each management user. The service and protocol names used by each shell profile (MOTO RO and MOTO RW) must match the authentication service and protocol entries defined in the AAA TACACS policy on the WiNG 5 devices (authentication service MOTO protocol RO, and authentication service MOTO protocol RW, in the configuration later in this document).

Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. Click Create.

On the General tab, define the required TACACS+ services and protocols to add. You can use the current services and protocols or create your own. This example defines services and protocols under the name MOTO RO in order to provide Read Only Access to WiNG 5 devices:

On the Common Tasks tab, set the Maximum Privilege to Static, and select a value of 1.

On the Custom Attributes tab, in the Attribute and Attribute Value fields, define the attributes to be assigned to the user. In this example, Read Only users are assigned to the Monitor role and granted Web Access permissions. Click Submit.

Create a new Shell Profile. On the General tab, define the required TACACS+ services and protocols to add. You can use the current services and protocols or create your own. This example defines services and protocols, named MOTO RW, that provide Read Write Access for WiNG 5 devices:

On the Common Tasks tab, set the Maximum Privilege to Static, and select a value of 1.

On the Custom Attributes tab, in the Attribute and Attribute Value fields, define the attributes to be assigned to the user. In this example, Read Write users are assigned to the Superuser role and granted All Access permissions. Click Submit.

You have now created Shell Profiles named MOTO RO and MOTO RW.

Device Authorization Policies

This section shows how to define device authorization policies on Cisco Secure ACS Version 5.x. Device authorization policies determine which shell profile each management user receives, based on the user's identity group membership and on the device type, location, and protocol of the request. In this example, two authorization rules, named MotorolaRO and MotorolaRW, are defined.

On Cisco Secure ACS, navigate to Access Policies > Default Device Admin > Authorization > Customize.

Under Customize Conditions, add Identity Group, NDG:Location, NDG:Device Type, and Protocol. Under Customize Results, add Shell Profile, and click OK.

Click Create. In the Name field, enter MotorolaRO, and select the Identity Group (MotorolaRO), NDG:Location, and NDG:Device Type. Set the Protocol to Tacacs, and select the Shell Profile named MOTO RO. Click OK.

Click Create. In the Name field, enter MotorolaRW, and select the Identity Group (MotorolaRW), NDG:Location, and NDG:Device Type. Set the Protocol to Tacacs, and select the Shell Profile named MOTO RW. Click OK.

You have now created Device Authorization Policies named MotorolaRO and MotorolaRW.

Motorola Solutions WiNG 5.2 Configuration

AAA TACACS Policies

The AAA TACACS policy defines the TACACS+ client configuration on a WiNG 5 device. Each AAA TACACS policy can contain up to two TACACS+ AAA server entries, in addition to the names of the TACACS+ authentication services and protocols defined on the Cisco Secure ACS. The AAA TACACS policy also determines what information is forwarded to the accounting server.

This AAA TACACS policy example points authentication, authorization, and accounting at a Cisco Secure ACS, defines the TACACS+ services and protocols MOTO RO and MOTO RW, and enables CLI command and session accounting. The 0 keyword after secret means the shared secret is entered in cleartext; hellomoto is a lab placeholder and must be replaced with a strong, unique secret that matches the Shared Secret configured for the AAA client on the ACS.

AAA TACACS Policy Example

aaa-tacacs-policy CISCO-ACS-SERVER
 authentication server 1 host 192.168.10.21 secret 0 hellomoto
 authorization server 1 host 192.168.10.21 secret 0 hellomoto
 accounting server 1 host 192.168.10.21 secret 0 hellomoto
 authentication service MOTO protocol RO
 authentication service MOTO protocol RW
 accounting commands
 accounting session
!
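The shared secret in the policy above is the only thing that protects the TACACS+ packet bodies on the wire: TACACS+ does not encrypt, it XORs each body with an MD5-derived pad built from the session ID, the secret, the version, and the sequence number, all of which except the secret travel in the cleartext header (RFC 8907 section 4.5). The following added example (not code from Cisco or Motorola) builds an authorization REPLY carrying two constructed, hypothetical attribute pairs, obfuscates it with the lab secret, and shows that only a party with the secret recovers the attributes; the attribute names and the session ID are assumptions for illustration.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907. The protocol runs over TCP port 49.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01  # authorization REPLY status
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag: body sent in the clear


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_i = MD5(session_id, key, version, seq_no, MD5_{i-1}), concatenated and
    truncated to the body length. Everything except the key is in the header."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. XOR is an involution, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Encode an authorization REPLY body (RFC 8907 section 6.2)."""
    encoded = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded)
    return body + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Decode an authorization REPLY body into (status, server_msg, data, args)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return status, server_msg, data, args


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHOR):
    """Prepend the 12-byte header (RFC 8907 section 4.1) and obfuscate the body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode_body(packet, key):
    """Recover the body of a captured packet with a candidate shared secret."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def recovered_args(packet, key):
    """Attribute pairs an observer recovers with a candidate key; None if the body does not parse."""
    try:
        return parse_author_reply(decode_body(packet, key))[3]
    except (struct.error, UnicodeDecodeError):
        return None


# Constructed example. The attribute names are hypothetical placeholders; the real Motorola
# attributes are whatever is entered on the ACS shell profile's Custom Attributes tab.
EXAMPLE_ARGS = ["role=monitor", "access=web"]
EXAMPLE_KEY = b"hellomoto"      # the lab secret from the aaa-tacacs-policy above

if __name__ == "__main__":
    reply = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, EXAMPLE_ARGS)
    pkt = build_packet(reply, session_id=0x1234ABCD, key=EXAMPLE_KEY, seq_no=2)
    print("with the secret   :", recovered_args(pkt, EXAMPLE_KEY))
    print("with a wrong secret:", recovered_args(pkt, b"not-the-secret"))
```

Because the pad depends only on header fields plus the secret, anyone who reads the secret out of a configuration backup (it is stored as entered when the 0 keyword is used) can decode every captured exchange, including the role and access attributes returned by the ACS. Treat the secret like a password, and prefer a dedicated management VLAN or an IPsec tunnel between the controllers and the ACS where the traffic crosses untrusted segments.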

Management Policies

Once an AAA TACACS policy is defined, it must be assigned to one or more Management policies before TACACS+ is used. Management policies determine the management interfaces that are enabled on each WiNG 5 device, the local administrative users, their roles and access permissions, and the external RADIUS or TACACS+ servers used in order to authenticate administrative users.

By default, each WiNG 5 device is assigned the Management policy named default through its device profile. TACACS+ can be enabled on the default Management policy or on any user-defined Management policy.

Typical deployments use separate Management policies for Wireless Controllers and Access Points, because the management requirements and interfaces of each device type differ. In that case, TACACS+ must be enabled on each Management policy in order to enable TACACS+ on both Wireless Controllers and Access Points.

The Management policy examples in the next section enable TACACS+ AAA on user-defined Management policies that are assigned to Wireless Controllers and Access Points. TACACS+ fallback to local authentication is also enabled, so that an administrator can still log in if a WiNG 5 device cannot reach any of the defined TACACS+ servers. With fallback enabled, the local admin account becomes the backstop whenever the ACS is unreachable, so its password (entered in cleartext with password 0 in the examples) must be strong and unique, and local logins should be watched for in the device logs.

Management Policy Examples

!
management-policy CONTROLLER-MANAGEMENT
 no http server
 https server
 ssh
 user admin password 0 hellomoto role superuser access all
 snmp-server user snmptrap v3 encrypted des auth md5 0 hellomoto
 snmp-server user snmpoperator v3 encrypted des auth md5 0 hellomoto
 snmp-server user snmpmanager v3 encrypted des auth md5 0 hellomoto
 aaa-login tacacs fallback
 aaa-login tacacs authorization
 aaa-login tacacs accounting
 aaa-login tacacs policy CISCO-ACS-SERVER
!
!
management-policy AP-MANAGEMENT
 ssh
 user admin password 0 hellomoto role superuser access all
 aaa-login tacacs fallback
 aaa-login tacacs authorization
 aaa-login tacacs accounting
 aaa-login tacacs policy CISCO-ACS-SERVER
!
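Before rolling out policies like the ones above, it is worth checking a running-config export for the settings this section depends on: every management policy references an AAA TACACS policy that actually exists, TACACS+ authorization and accounting are enabled alongside authentication, cleartext HTTP is disabled, and cleartext-entered secrets are noted for follow-up. The following added example (not code from Cisco or Motorola) is a small lint script that parses the two block types shown on this page; it embeds the page's own example configuration as a constructed sample, and the block-termination rule (a block ends at the next "!" line) and the default-HTTP warning are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: the WiNG policies from this page, as one running-config excerpt.
SAMPLE_CONFIG = """\
aaa-tacacs-policy CISCO-ACS-SERVER
 authentication server 1 host 192.168.10.21 secret 0 hellomoto
 authorization server 1 host 192.168.10.21 secret 0 hellomoto
 accounting server 1 host 192.168.10.21 secret 0 hellomoto
 authentication service MOTO protocol RO
 authentication service MOTO protocol RW
 accounting commands
 accounting session
!
management-policy CONTROLLER-MANAGEMENT
 no http server
 https server
 ssh
 user admin password 0 hellomoto role superuser access all
 snmp-server user snmptrap v3 encrypted des auth md5 0 hellomoto
 snmp-server user snmpoperator v3 encrypted des auth md5 0 hellomoto
 snmp-server user snmpmanager v3 encrypted des auth md5 0 hellomoto
 aaa-login tacacs fallback
 aaa-login tacacs authorization
 aaa-login tacacs accounting
 aaa-login tacacs policy CISCO-ACS-SERVER
!
management-policy AP-MANAGEMENT
 ssh
 user admin password 0 hellomoto role superuser access all
 aaa-login tacacs fallback
 aaa-login tacacs authorization
 aaa-login tacacs accounting
 aaa-login tacacs policy CISCO-ACS-SERVER
!
"""

BLOCKS = ("aaa-tacacs-policy", "management-policy")


def parse_blocks(config):
    """Map (kind, name) -> sub-command lines; a block runs from its header to the next '!'."""
    blocks, current = OrderedDict(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        if not line:
            continue
        parts = line.split()
        if parts[0] in BLOCKS and len(parts) > 1:
            current = (parts[0], parts[1])
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def lint(config):
    """Return human-readable findings about the TACACS+ and management settings."""
    blocks = parse_blocks(config)
    tacacs = {name for kind, name in blocks if kind == "aaa-tacacs-policy"}
    out = []
    for (kind, name), lines in blocks.items():
        where = f"{kind} {name}"
        has = lambda prefix: any(ln.startswith(prefix) for ln in lines)
        if kind == "aaa-tacacs-policy":
            out += [f"{where}: cleartext shared secret ('secret 0') in '{ln}'"
                    for ln in lines if re.search(r"\bsecret 0\b", ln)]
            out += [f"{where}: no {r} server defined" for r in
                    ("authentication", "authorization", "accounting") if not has(f"{r} server")]
            if not has("accounting commands"):
                out.append(f"{where}: command accounting not enabled")
            continue
        if has("http server"):
            out.append(f"{where}: HTTP management enabled in cleartext")
        elif not has("no http server"):
            out.append(f"{where}: HTTP management not explicitly disabled; verify the device default")
        policy = next((ln.split()[3] for ln in lines if ln.startswith("aaa-login tacacs policy ")), None)
        if policy is None:
            out.append(f"{where}: TACACS+ login not enabled (no 'aaa-login tacacs policy')")
        elif policy not in tacacs:
            out.append(f"{where}: references undefined aaa-tacacs-policy {policy}")
        out += [f"{where}: TACACS+ {f} not enabled" for f in ("authorization", "accounting")
                if not has(f"aaa-login tacacs {f}")]
        if has("aaa-login tacacs fallback"):
            for m in (re.match(r"user (\S+) password 0 ", ln) for ln in lines):
                if m:
                    out.append(f"{where}: local fallback enabled; user {m.group(1)} password entered "
                               "in cleartext ('password 0') and is the backstop when the ACS is unreachable")
        out += [f"{where}: SNMPv3 user {ln.split()[2]} uses DES/MD5" for ln in lines
                if ln.startswith("snmp-server user") and ("encrypted des" in ln or "auth md5" in ln)]
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's own configuration, the script reports the three cleartext shared secrets, the cleartext-entered admin password behind local fallback in both policies, the DES/MD5 SNMPv3 users, and that AP-MANAGEMENT does not explicitly disable HTTP; it reports no missing TACACS+ authorization or accounting, which is the state you want before handing the policies to a controller.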

Verify

This section provides the steps required in order to validate TACACS+ AAA. In this example, two user accounts are defined on the Cisco Secure ACS and assigned to the appropriate identity groups. The user's group membership determines the role and access permissions assigned to the management user.

Username     Identity Group   Role        Access Permissions
-------------------------------------------------------------
monitor      MotorolaRO       Monitor     Web
superuser    MotorolaRW       Superuser   All

Role Assignment

This section provides the verification steps required in order to verify authentication and role assignments.

On the Web UI, log in to the Wireless Controller with the monitor username and password.

The user is authenticated, authorized, and assigned to the Monitor role, which provides read only access on the Wireless Controller. Select Configuration > Devices, and attempt to edit a device.

Note: No edit functionality is available, because the user is permitted read only access. On the device page, only the View button is available; the Delete button is greyed out.

On the Web UI, log in to the Wireless Controller with the superuser username and password.

The user is authenticated, authorized, and assigned to the Superuser role, which provides full access on the Wireless Controller. Select Configuration > Devices, and attempt to edit a device.

Note: The Edit button is now available, because the user is permitted full access on the device.

Troubleshoot

On the Cisco Secure ACS Version 5.x, navigate to Monitoring and Reports > Launch Monitoring & Report Viewer > Select Reports > Catalog > AAA Protocol > TACACS Authentication > Run.

This presents the results for all passed and failed authentications for users and includes the failure reason. Click the magnifying glass (Details) button for further details.
