Document ID: 116504
Updated: Oct 01, 2013
Contributed by Ashish Varghese, Cisco TAC Engineer.
This document describes how to configure Cisco Wide Area Application Services (WAAS) to authenticate users against Cisco Access Control Server (ACS) Version 5.x over TACACS+. When configured per the steps in this document, users log in to the WAAS Central Manager with their ACS credentials, and ACS returns a custom attribute that the WAAS maps to a local user group and its role.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
- Cisco Secure ACS Version 5.x
- Cisco WAAS
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configuration on the ACS

1. In order to define an AAA client on ACS Version 5.x, navigate to Network Resources > Network Devices and AAA Clients. Configure the AAA client with a descriptive name, the single IP address of the WAAS Central Manager (the device that sends the TACACS+ requests), and a shared secret key for TACACS+. The same secret is entered on the WAAS in the next section.
2. In order to define a Shell Profile, navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. In this example, a new shell profile called WAAS_Attribute is configured. ACS returns the custom attribute in the TACACS+ authorization reply; the WAAS compares its value with its locally defined user groups and gives the user the roles of the matching group. Configure this custom attribute:
   - The Attribute is waas_rbac_groups.
   - The Requirement is Optional, so that a device which receives the attribute but does not understand it ignores it instead of failing the authorization.
   - The Value is the name of the WAAS user group that is to receive administrative access (Test_Group in this example). It must match the group name configured on the WAAS character for character.
3. In order to define a command set to allow all commands, navigate to Policy Elements > Authorization and Permissions > Device Administration > Command Sets.
   - Edit the Permit_All command set.
   - If you check the Permit any command that is not in the table below check box, the user is granted full privileges. This is convenient in a lab; in production, build a command set that permits only the commands the group needs.
4. In order to select the identity source, navigate to Access Policies > Access Services > Default Device Admin > Identity. If the user exists in the local ACS database, select Internal Users. If the user exists in Active Directory, select the configured AD identity store (AD1 in this example).
5. In order to create an authorization rule, navigate to Access Policies > Access Services > Default Device Admin > Authorization. Create a new rule called WAAS Authorization that matches requests from the WAAS. In this example, the device IP address is used as the condition; a Network Device Group can be used instead, depending on the deployment. Whichever condition you use, it should match only the WAAS so that the WAAS shell profile is not returned to other devices. Apply the shell profile and command set configured in Steps 2 and 3 in this section.
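As an added illustration of why the Requirement is set to Optional in Step 2 (this is example code, not part of the Cisco document): in TACACS+ (RFC 8907, section 6.1) an authorization argument written name=value is mandatory and name*value is optional, and a client that receives a mandatory argument it does not understand must treat the authorization as failed. The Python below models a client's handling of the reply arguments. The set of attributes the client understands, the user group table, and the assumption that several groups may be listed separated by commas are constructed for the demo.

```python
"""Client-side handling of TACACS+ authorization reply arguments (RFC 8907 section 6.1)."""
from dataclasses import dataclass

# Attributes this client understands. waas_rbac_groups is the attribute from the
# document; priv-lvl is a standard TACACS+ attribute included for contrast.
DEFAULT_KNOWN_ATTRIBUTES = frozenset({"waas_rbac_groups", "priv-lvl"})

# WAAS user groups and the roles assigned to them. The document assigns the admin
# role to Test_Group; the second group is constructed for the example.
WAAS_USER_GROUPS = {
    "Test_Group": ("admin",),
    "Readonly_Group": ("readonly",),
}


@dataclass(frozen=True)
class Argument:
    name: str
    value: str
    mandatory: bool     # "name=value" is mandatory, "name*value" is optional


def parse_argument(raw: str) -> Argument:
    """Split on the first '=' or '*'; argument names may not contain either separator."""
    positions = [i for i in (raw.find("="), raw.find("*")) if i != -1]
    if not positions:
        raise ValueError(f"malformed TACACS+ argument: {raw!r}")
    i = min(positions)
    return Argument(raw[:i], raw[i + 1:], mandatory=(raw[i] == "="))


def authorize(reply_args, known=DEFAULT_KNOWN_ATTRIBUTES, groups=WAAS_USER_GROUPS):
    """Apply the reply arguments. Returns ("PASS", sorted roles) or ("FAIL", [])."""
    roles = set()
    for raw in reply_args:
        arg = parse_argument(raw)
        if arg.name not in known:
            if arg.mandatory:
                # RFC 8907: an unrecognised mandatory argument fails the authorization.
                return "FAIL", []
            continue  # an unrecognised optional argument is simply ignored
        if arg.name == "waas_rbac_groups":
            # Assumed here: several groups may be listed, separated by commas.
            for group in (g.strip() for g in arg.value.split(",")):
                # The match is exact: "Test Group" does not match "Test_Group".
                roles.update(groups.get(group, ()))
    return "PASS", sorted(roles)


if __name__ == "__main__":
    waas_attr = "waas_rbac_groups*Test_Group"          # what the Optional shell profile sends
    print(authorize([waas_attr]))                      # the WAAS: ('PASS', ['admin'])
    print(authorize([waas_attr], known={"priv-lvl"}))  # another device: ignores it, ('PASS', [])
    print(authorize(["waas_rbac_groups=Test_Group"], known={"priv-lvl"}))  # Mandatory: ('FAIL', [])
    print(authorize(["waas_rbac_groups*Test Group"]))  # name mismatch: ('PASS', [])
```

The third call is the case the Optional setting avoids: a device that shares the authorization rule but does not know waas_rbac_groups would reject the login if the attribute were Mandatory. The last call shows the other common mistake, a group name on ACS that differs from the one on the WAAS, which authorizes the user but leaves them without any role.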
Configuration on the WAAS
1. In order to define a TACACS+ server, navigate to Devices > <Central Manager System Name> > Configure > Security > AAA > TACACS+. Configure the ACS server IP address and the shared secret. The secret must be identical to the one entered for the AAA client on ACS; otherwise the two sides cannot decode each other's packets.
2. In order to modify the authentication and authorization methods, navigate to Devices > <Central Manager System Name> > Configure > Security > AAA > Authentication Methods. In this example, the primary login method is local and the secondary is TACACS+. Keeping local as one of the methods means a local administrator can still log in if the ACS is unreachable.
3. Navigate to Home > Admin > AAA > User Groups and add a user group whose name matches, character for character, the Value of the custom attribute configured on ACS (see Step 2 in the Configure ACS section).
4. Assign this group (Test_Group) admin-level rights on the Role Management tab of Home > Admin > AAA > User Groups. The admin role on the Central Manager is pre-configured.
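The shared secret configured above is not a password that either side verifies. It keys the MD5-derived pseudo-pad with which TACACS+ obfuscates every packet body (RFC 8907, section 4.5), and there is no integrity check, so a key mismatch is not reported as such: the receiver decodes nonsense and the exchange fails without an explicit "bad key" error. The Python below is an added example, not code from the Cisco document or from WAAS or ACS. It builds an authorization REPLY carrying the waas_rbac_groups attribute, obfuscates it, and decodes it with the correct key and with a wrong one; it also refuses a body sent with the unencrypted flag, which is what a client with a secret configured should do. The session id, the secret, and the attribute value are constructed for the demo.

```python
"""TACACS+ body obfuscation, RFC 8907 section 4.5 (added example, not Cisco code)."""
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0        # major version 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02                      # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01            # body sent in cleartext
HEADER_FMT = "!BBBBII"                      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id: int, key: bytes, seq_no: int, args, status: int = 0x01,
                       unencrypted: bool = False) -> bytes:
    """Authorization REPLY: status, arg_cnt, server_msg_len, data_len, arg lengths, args."""
    arg_bytes = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), 0, 0)
    body += bytes(len(a) for a in arg_bytes) + b"".join(arg_bytes)
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    return header + (body if unencrypted else xor_body(body, session_id, key, seq_no))


def decode_author_reply(packet: bytes, key: bytes):
    """Return (status_name, [args]) or None when the packet does not parse with this key."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_AUTHOR:
        return None
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return None     # a secret is configured, so a cleartext body is refused
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or length < 6:
        return None
    body = xor_body(body, session_id, key, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    if len(arg_lens) != arg_cnt or status not in AUTHOR_STATUS:
        return None     # with the wrong key these fields are pseudo-random
    off = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in arg_lens:
        try:
            args.append(body[off:off + n].decode("ascii"))
        except UnicodeDecodeError:
            return None
        off += n
    if off != length:
        return None
    return AUTHOR_STATUS[status], args


if __name__ == "__main__":
    # Constructed values: session id, shared secret, and the attribute from the document.
    pkt = build_author_reply(0x0BADCAFE, b"acs-shared-secret", 2, ["waas_rbac_groups*Test_Group"])
    print(decode_author_reply(pkt, b"acs-shared-secret"))  # the attribute comes back intact
    print(decode_author_reply(pkt, b"wrong-secret"))       # None or nonsense: no "bad key" error exists
```

Two practical consequences follow. First, because the pad is MD5-based and the header (including the session id) travels in the clear, this scheme gives obfuscation rather than confidentiality, so the TACACS+ traffic between the WAAS and ACS belongs on a management network rather than a user-reachable segment. Second, when a login fails with no useful error after a key change on one side only, the silent decode failure shown above is the first thing to rule out.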
Log in to the WAAS Central Manager with a TACACS+ user that is not defined locally on the WAAS. If everything is configured correctly, the login succeeds and the user holds the admin role assigned to Test_Group. On ACS, the TACACS+ authentication and authorization reports under Monitoring and Reports show whether the request matched the WAAS Authorization rule and which shell profile was returned.
No specific troubleshooting information is available for this configuration beyond two checks that follow from the steps above. If the login fails outright, confirm that the shared secret on the WAAS matches the one on ACS and that the WAAS IP address matches the AAA client definition. If the login succeeds but the user lacks administrative rights, compare the value returned in waas_rbac_groups with the WAAS user group name; they must match exactly.