This document describes how to configure TACACS+ authentication and authorization for the Firepower eXtensible Operating System (FXOS) chassis with Cisco Access Control Server (ACS) as the TACACS+ server.
The FXOS chassis includes the following user roles: aaa, admin, operations, and read-only.
Via the CLI they can be listed as follows:
fpr4120-TAC-A /security* # show role
Role:
    Role Name  Priv
    ---------- ----
    aaa        aaa
    admin      admin
    operations operations
    read-only  read-only
Contributed by Tony Remirez, Jose Soto, Cisco TAC Engineers.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The goal of the configuration is to:
Creating a TACACS Provider using Chassis Manager
Step 1. Navigate to Platform Settings > AAA.
Step 2. Click the TACACS tab.
Step 3. For each TACACS+ provider that you want to add (up to 16 providers):
3.1. In the TACACS Providers area, click Add.
3.2. In the Add TACACS Provider dialog box, enter the required values: the server hostname, FQDN or IP address, the order in which the server is tried, the shared key (the same key is entered on ACS for this chassis), and, if they differ from the defaults, the port (49) and timeout (5 seconds).
3.3. Click OK to close the Add TACACS Provider dialog box.
3.3. Click OK to close the Add TACACS Provider dialog box.
Step 4. Click Save.
Step 5. Navigate to System > User Management > Settings.
Step 6. Under Default Authentication choose TACACS.
Creating a TACACS+ Provider using CLI
Step 1. In order to enable TACACS+ authentication, run the following commands. Configure and verify the TACACS+ server (Step 3) before you switch the default realm away from local, and keep a console session open until a TACACS+ login has been tested, so that a wrong key or an unreachable server does not lock you out. Changes in the FXOS CLI take effect only after commit-buffer; the asterisk in the prompt marks an uncommitted transaction.
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # scope default-auth
fpr4120-TAC-A /security/default-auth # set realm tacacs
Step 2. Use the show detail command to display the results.
fpr4120-TAC-A /security/default-auth # show detail
Default authentication:
Admin Realm: Tacacs
Operational Realm: Tacacs
Web session refresh period(in secs): 600
Session timeout(in secs) for web, ssh, telnet sessions: 600
Absolute Session timeout(in secs) for web, ssh, telnet sessions: 3600
Serial Console Session timeout(in secs): 600
Serial Console Absolute Session timeout(in secs): 3600
Admin Authentication server group:
Operational Authentication server group:
Use of 2nd factor: No
Step 3. In order to configure the TACACS+ server parameters, run the following commands and commit them with commit-buffer. The key must match the one entered for this chassis on the ACS server.
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # scope tacacs
fpr4120-TAC-A /security/tacacs # enter server 10.88.244.50
fpr4120-TAC-A /security/tacacs/server # set descr "ACS Server"
fpr4120-TAC-A /security/tacacs/server* # set key
Enter the key: ******
Confirm the key: ******
Step 4. Use the show detail command to display the results.
fpr4120-TAC-A /security/tacacs/server* # show detail
TACACS+ server:
Hostname, FQDN or IP address: 10.88.244.50
Descr:
Order: 1
Port: 49
Key: ****
Timeout: 5
Adding the FXOS as a network resource
Step 1. Navigate to Network Resources > Network Devices and AAA Clients.
Step 2. Click Create.
Step 3. Enter the required values (Name, IP Address and Device Type), enable TACACS+ and enter the shared key; it must match the key configured on the FXOS chassis for this provider.
Step 4. Click Submit.
Creating the Identity groups and Users
Step 1. Navigate to Users and Identity Stores > Identity Groups.
Step 2. Click Create.
Step 3. Enter the value for Name and click Submit.
Step 4. Repeat steps 2 and 3 for all the required User Roles.
Step 5. Navigate to Users and Identity Stores > Internal Identity Stores > Users.
Step 6. Click Create.
Step 7. Enter the required values (Name, Identity Group, Password).
Step 8. Repeat steps 6 and 7 for all required users.
Creating the Shell Profile for each User Role
Step 1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles and click Create.
Step 2. Fill in the attributes of the shell profile.
2.1. Configure the profile Name in the General tab.
2.2. In the Custom Attributes tab, configure the following cisco-av-pair:
cisco-av-pair=shell:roles="aaa"
2.3. Click Add and then Submit.
Step 3. Repeat steps 1 and 2 for the remaining user roles using the following cisco-av-pairs:
cisco-av-pair=shell:roles="admin"
cisco-av-pair=shell:roles="operations"
cisco-av-pair=shell:roles="read-only"
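The shell profile attribute above is what ACS hands back to the chassis inside the TACACS+ authorization REPLY. The following Python script is an added example, not Cisco or ACS code: it builds such a reply with the RFC 8907 packet layout and the MD5-based body obfuscation keyed by the shared secret from the provider configuration, decodes it again, and maps the shell:roles value onto the four chassis roles. The key, session ID, sequence number and role strings are constructed values; the script also assumes the attribute arrives on the wire exactly as typed in ACS (cisco-av-pair=shell:roles="...") and that multiple roles are separated by spaces or commas.

```python
"""Added example (not Cisco/ACS code): encode and decode a TACACS+ authorization
REPLY carrying cisco-av-pair=shell:roles=..., then map it to FXOS roles.
Packet layout follows RFC 8907; key, session id and role strings are constructed."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02            # header type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear (not used here)
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_FAIL = 0x10
VERSION = 0xC0                    # major version 0xC, minor version 0
FXOS_ROLES = {"aaa", "admin", "operations", "read-only"}  # as listed by `show role`


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session_id | key | version | seq_no | previous digest."""
    fixed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the original."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id, key, seq_no, status, args, server_msg=""):
    """Authorization REPLY body (RFC 8907 section 6.2) behind the 12-byte header."""
    sm = server_msg.encode()
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), len(sm), 0)  # data_len is 0
    body += bytes(len(a) for a in arg_bytes) + sm + b"".join(arg_bytes)
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_author_reply(packet, key):
    """Decode the header, strip the obfuscation and return status, server_msg and args."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, sm_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, off = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg = body[off:off + sm_len].decode(errors="replace")
    off += sm_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode(errors="replace"))
        off += n
    if off != len(body):  # lengths disagree: malformed packet or wrong shared key
        raise ValueError("inconsistent body; check the shared key on both sides")
    return {"status": status, "server_msg": server_msg, "args": args}


def safe_parse(packet, key):
    """parse_author_reply that returns None instead of raising, for comparisons."""
    try:
        return parse_author_reply(packet, key)
    except ValueError:
        return None


def roles_from_args(args):
    """Read shell:roles from cisco-av-pair args and check each name against FXOS_ROLES.
    Assumption: the attribute reaches the chassis exactly as typed in ACS and role
    names are separated by spaces or commas."""
    roles, unknown = [], []
    for arg in args:
        sep = min((arg.find(c) for c in "=*" if c in arg), default=-1)  # mandatory '=' / optional '*'
        if sep < 0:
            continue
        attr, value = arg[:sep], arg[sep + 1:]
        if attr != "cisco-av-pair" or not value.startswith("shell:roles="):
            continue
        for name in value[len("shell:roles="):].strip('"').replace(",", " ").split():
            (roles if name in FXOS_ROLES else unknown).append(name)
    return {"roles": roles, "unknown": unknown}


def demo():
    """Round trip for the admin shell profile with constructed key and session values."""
    key, session_id = b"constructed-shared-secret", 0x3A7F1C02
    pkt = build_author_reply(session_id, key, 2, AUTHOR_STATUS_PASS_ADD,
                             ['cisco-av-pair=shell:roles="admin"'])
    reply = parse_author_reply(pkt, key)
    return reply, roles_from_args(reply["args"])


if __name__ == "__main__":
    print(demo())
```

Decoding with a different key yields an inconsistent body, which is what the chassis sees when the key set in the CLI section does not match the one entered for the network device on ACS. A misspelled role name in the attribute is reported as unknown rather than silently mapped. Note that the body is obfuscated, not encrypted: RFC 8907 describes the MD5 pad as obfuscation only, so the shared key should be long and random and TACACS+ traffic should stay on an isolated management network.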
Creating the Device Admin Access Policy
Step 1. Navigate to Access Policies > Access Services > Default Device Admin > Authorization > Click Create.
Step 2. Fill the required parameters (Identity Group, Device Type and Shell Profile) and click OK.
Step 3. Repeat steps 1 and 2 for all User Roles.
Step 4. Click Save Changes at the bottom of the page.
You may now test each user and verify it was assigned the correct user role.
Username: fxosadmin
Password:
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # show remote-user detail
Remote User fxosaaa:
Description:
User Roles:
Name: aaa
Name: read-only
Remote User fxosadmin:
Description:
User Roles:
Name: admin
Name: read-only
Remote User fxosoper:
Description:
User Roles:
Name: operations
Name: read-only
Remote User fxosro:
Description:
User Roles:
Name: read-only
Depending on the username entered, the FXOS chassis CLI displays only the commands authorized for the assigned user role. Note in the output above that every remote user is also listed with the read-only role alongside the role granted by ACS.
Admin User
fpr4120-TAC-A /security # ?
acknowledge Acknowledge
clear-user-sessions Clear User Sessions
create Create managed objects
delete Delete managed objects
disable Disables services
enable Enables services
enter Enters a managed object
scope Changes the current mode
set Set property values
show Show system information
terminate Active cimc sessions
fpr4120-TAC-A# connect fxos
fpr4120-TAC-A (fxos)# debug aaa aaa-requests
fpr4120-TAC-A (fxos)#
Read-Only User
fpr4120-TAC-A /security # ?
scope Changes the current mode
set Set property values
show Show system information
fpr4120-TAC-A# connect fxos
fpr4120-TAC-A (fxos)# debug aaa aaa-requests
% Permission denied for the role
Admin User Role (Chassis Manager):
Read-Only User (Chassis Manager):
Note: Notice that the Add button is greyed out for the read-only user.
In order to debug AAA authentication and authorization, run the following commands in the FXOS CLI (term mon directs the debug output to the current terminal session):
fpr4120-TAC-A# connect fxos
fpr4120-TAC-A (fxos)# debug aaa aaa-requests
fpr4120-TAC-A (fxos)# debug aaa event
fpr4120-TAC-A (fxos)# debug aaa errors
fpr4120-TAC-A (fxos)# term mon
After a successful authentication attempt, output similar to the following is displayed. Note the sequence: the authentication request is sent to the tacacs server group, authorization follows, and local accounting then records the role assigned to the user (here fxosro to read-only).
2018 Feb 5 14:31:29.192410 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:31:29.192439 aaa: aaa_req_process: General AAA request from appln: login appln_subtype: default
2018 Feb 5 14:31:29.192462 aaa: try_next_aaa_method
2018 Feb 5 14:31:29.192488 aaa: total methods configured is 1, current index to be tried is 0
2018 Feb 5 14:31:29.192509 aaa: handle_req_using_method
2018 Feb 5 14:31:29.192527 aaa: AAA_METHOD_SERVER_GROUP
2018 Feb 5 14:31:29.192552 aaa: aaa_sg_method_handler group = tacacs
2018 Feb 5 14:31:29.192572 aaa: Using sg_protocol which is passed to this function
2018 Feb 5 14:31:29.192592 aaa: Sending request to TACACS service
2018 Feb 5 14:31:29.192654 aaa: mts_send_msg_to_prot_daemon: Payload Length = 374
2018 Feb 5 14:31:29.192694 aaa: session: 0x856b4cc added to the session table 1
2018 Feb 5 14:31:29.192717 aaa: Configured method group Succeeded
2018 Feb 5 14:31:29.366388 aaa: aaa_process_fd_set
2018 Feb 5 14:31:29.366423 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:31:29.366467 aaa: mts_message_response_handler: an mts response
2018 Feb 5 14:31:29.366496 aaa: prot_daemon_reponse_handler
2018 Feb 5 14:31:29.366524 aaa: session: 0x856b4cc removed from the session table 0
2018 Feb 5 14:31:29.366554 aaa: is_aaa_resp_status_success status = 1
2018 Feb 5 14:31:29.366581 aaa: is_aaa_resp_status_success is TRUE
2018 Feb 5 14:31:29.366608 aaa: aaa_send_client_response for authentication. session->flags=21. aaa_resp->flags=0.
2018 Feb 5 14:31:29.366642 aaa: AAA_REQ_FLAG_NORMAL
2018 Feb 5 14:31:29.367462 aaa: aaa_req_process for authorization. session no 0
2018 Feb 5 14:31:29.367496 aaa: aaa_req_process called with context from appln: login appln_subtype: default authen_type:2, authen_method: 0
2018 Feb 5 14:31:29.367525 aaa: aaa_send_req_using_context
2018 Feb 5 14:31:29.367552 aaa: aaa_sg_method_handler group = (null)
2018 Feb 5 14:31:29.367579 aaa: Using sg_protocol which is passed to this function
2018 Feb 5 14:31:29.367607 aaa: context based or directed AAA req(exception: not a relay request). Will not take copy of aaa request
2018 Feb 5 14:31:29.367634 aaa: Sending request to TACACS service
2018 Feb 5 14:31:29.369679 aaa: mts_send_msg_to_prot_daemon: Payload Length = 660
2018 Feb 5 14:31:29.369739 aaa: session: 0x856b4cc added to the session table 1
2018 Feb 5 14:31:29.539392 aaa: aaa_process_fd_set
2018 Feb 5 14:31:29.539420 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:31:29.539449 aaa: mts_message_response_handler: an mts response
2018 Feb 5 14:31:29.539470 aaa: prot_daemon_reponse_handler
2018 Feb 5 14:31:29.539496 aaa: session: 0x856b4cc removed from the session table 0
2018 Feb 5 14:31:29.539525 aaa: is_aaa_resp_status_success status = 2
2018 Feb 5 14:31:29.539550 aaa: is_aaa_resp_status_success is TRUE
2018 Feb 5 14:31:29.539578 aaa: aaa_send_client_response for authorization. session->flags=9. aaa_resp->flags=0.
2018 Feb 5 14:31:29.539606 aaa: AAA_REQ_FLAG_NORMAL
2018 Feb 5 14:31:29.539683 aaa: mts_send_response Successful
2018 Feb 5 14:31:29.539723 aaa: aaa_cleanup_session
2018 Feb 5 14:31:29.602013 aaa: OLD OPCODE: accounting_interim_update
2018 Feb 5 14:31:29.602041 aaa: aaa_create_local_acct_req: user=, session_id=, log=added user fxosro
2018 Feb 5 14:31:29.602076 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:31:29.602109 aaa: MTS request reference is NULL. LOCAL request
2018 Feb 5 14:31:29.602135 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2018 Feb 5 14:31:29.602162 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2018 Feb 5 14:31:29.602190 aaa: try_next_aaa_method
2018 Feb 5 14:31:29.602228 aaa: no methods configured for default default
2018 Feb 5 14:31:29.602249 aaa: no configuration available for this request
2018 Feb 5 14:31:29.602357 aaa: aaa_local_accounting_msg
2018 Feb 5 14:31:29.602386 aaa: update:::added user fxosro
2018 Feb 5 14:31:29.602414 aaa: av list is null. No vsan id
2018 Feb 5 14:31:29.602541 aaa: aaa_send_client_response for accounting. session->flags=254. aaa_resp->flags=0.
2018 Feb 5 14:31:29.602569 aaa: response for accounting request of old library will be sent as SUCCESS
2018 Feb 5 14:31:29.602594 aaa: response not needed for this request
2018 Feb 5 14:31:29.602619 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 Feb 5 14:31:29.602643 aaa: aaa_cleanup_session
2018 Feb 5 14:31:29.602671 aaa: aaa_req should be freed.
2018 Feb 5 14:31:29.602698 aaa: Fall back method local succeeded
2018 Feb 5 14:31:29.603544 aaa: aaa_process_fd_set
2018 Feb 5 14:31:29.603565 aaa: aaa_process_fd_set: mtscallback on aaa_accounting_q
2018 Feb 5 14:31:29.603588 aaa: OLD OPCODE: accounting_interim_update
2018 Feb 5 14:31:29.603613 aaa: aaa_create_local_acct_req: user=, session_id=, log=added user:fxosro to the role:read-only
2018 Feb 5 14:31:29.603643 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:31:29.603669 aaa: MTS request reference is NULL. LOCAL request
2018 Feb 5 14:31:29.603695 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2018 Feb 5 14:31:29.603721 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2018 Feb 5 14:31:29.603747 aaa: try_next_aaa_method
2018 Feb 5 14:31:29.603779 aaa: no methods configured for default default
2018 Feb 5 14:31:29.603807 aaa: no configuration available for this request
2018 Feb 5 14:31:29.603834 aaa: try_fallback_method
2018 Feb 5 14:31:29.603856 aaa: handle_req_using_method
2018 Feb 5 14:31:29.603874 aaa: local_method_handler
2018 Feb 5 14:31:29.603891 aaa: aaa_local_accounting_msg
2018 Feb 5 14:31:29.603911 aaa: update:::added user:fxosro to the role:read-only
2018 Feb 5 14:31:29.603934 aaa: av list is null. No vsan id
2018 Feb 5 14:31:29.604040 aaa: aaa_send_client_response for accounting. session->flags=254. aaa_resp->flags=0.
2018 Feb 5 14:31:29.604058 aaa: response for accounting request of old library will be sent as SUCCESS
2018 Feb 5 14:31:29.604074 aaa: response not needed for this request
2018 Feb 5 14:31:29.604089 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 Feb 5 14:31:29.604104 aaa: aaa_cleanup_session
2018 Feb 5 14:31:29.604119 aaa: aaa_req should be freed.
2018 Feb 5 14:31:29.604135 aaa: Fall back method local succeeded
2018 Feb 5 14:31:31.084252 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:31:31.084280 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2018 Feb 5 14:31:31.084309 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2018 Feb 5 14:31:31.084336 aaa: try_next_aaa_method
2018 Feb 5 14:31:31.084375 aaa: no methods configured for default default
2018 Feb 5 14:31:31.084403 aaa: no configuration available for this request
2018 Feb 5 14:31:31.084430 aaa: try_fallback_method
2018 Feb 5 14:31:31.084457 aaa: handle_req_using_method
2018 Feb 5 14:31:31.084484 aaa: local_method_handler
2018 Feb 5 14:31:31.084511 aaa: aaa_local_accounting_msg
2018 Feb 5 14:31:31.084540 aaa: update:::enabled (null)
2018 Feb 5 14:31:31.084568 aaa: av list is null. No vsan id
2018 Feb 5 14:31:31.084693 aaa: aaa_send_client_response for accounting. session->flags=211. aaa_resp->flags=0.
2018 Feb 5 14:31:31.084721 aaa: response not needed for this request
2018 Feb 5 14:31:31.084746 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 Feb 5 14:31:31.084769 aaa: aaa_cleanup_session
2018 Feb 5 14:31:31.084792 aaa: mts_drop of request msg
2018 Feb 5 14:31:31.084833 aaa: Fall back method local succeeded
2018 Feb 5 14:31:31.384309 aaa: mts_aaa_req_process
2018 Feb 5 14:31:31.384340 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:31:31.384368 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2018 Feb 5 14:31:31.384395 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2018 Feb 5 14:31:31.384423 aaa: try_next_aaa_method
2018 Feb 5 14:31:31.384462 aaa: no methods configured for default default
2018 Feb 5 14:31:31.384490 aaa: no configuration available for this request
2018 Feb 5 14:31:31.384517 aaa: try_fallback_method
2018 Feb 5 14:31:31.384545 aaa: handle_req_using_method
2018 Feb 5 14:31:31.384570 aaa: local_method_handler
2018 Feb 5 14:31:31.384595 aaa: aaa_local_accounting_msg
2018 Feb 5 14:31:31.384620 aaa: update:::enabled (null)
2018 Feb 5 14:31:31.384645 aaa: av list is null. No vsan id
2018 Feb 5 14:31:31.384769 aaa: aaa_send_client_response for accounting. session->flags=211. aaa_resp->flags=0.
2018 Feb 5 14:31:31.384796 aaa: response not needed for this request
2018 Feb 5 14:31:31.384820 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 Feb 5 14:31:31.384846 aaa: aaa_cleanup_session
2018 Feb 5 14:31:31.384869 aaa: mts_drop of request msg
2018 Feb 5 14:31:31.384911 aaa: Fall back method local succeeded
After a failed authentication attempt, output similar to the following is displayed. No authorization or accounting phase follows; instead the chassis fetches the AAA login error message.
2018 Feb 5 14:29:18.702123 aaa: mts_aaa_req_process
2018 Feb 5 14:29:18.702144 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:29:18.702169 aaa: aaa_req_process: General AAA request from appln: login appln_subtype: default
2018 Feb 5 14:29:18.702188 aaa: try_next_aaa_method
2018 Feb 5 14:29:18.702212 aaa: total methods configured is 1, current index to be tried is 0
2018 Feb 5 14:29:18.702232 aaa: handle_req_using_method
2018 Feb 5 14:29:18.702251 aaa: AAA_METHOD_SERVER_GROUP
2018 Feb 5 14:29:18.702276 aaa: aaa_sg_method_handler group = tacacs
2018 Feb 5 14:29:18.702295 aaa: Using sg_protocol which is passed to this function
2018 Feb 5 14:29:18.702315 aaa: Sending request to TACACS service
2018 Feb 5 14:29:18.702378 aaa: mts_send_msg_to_prot_daemon: Payload Length = 372
2018 Feb 5 14:29:18.702427 aaa: session: 0x856b4cc added to the session table 1
2018 Feb 5 14:29:18.702459 aaa: Configured method group Succeeded
2018 Feb 5 14:29:18.876839 aaa: aaa_process_fd_set
2018 Feb 5 14:29:18.876870 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:29:18.876908 aaa: mts_message_response_handler: an mts response
2018 Feb 5 14:29:18.876938 aaa: prot_daemon_reponse_handler
2018 Feb 5 14:29:18.876966 aaa: session: 0x856b4cc removed from the session table 0
2018 Feb 5 14:29:18.877003 aaa: is_aaa_resp_status_success status = 2
2018 Feb 5 14:29:18.877030 aaa: is_aaa_resp_status_success is TRUE
2018 Feb 5 14:29:18.877058 aaa: aaa_send_client_response for authentication. session->flags=21. aaa_resp->flags=0.
2018 Feb 5 14:29:18.877086 aaa: AAA_REQ_FLAG_NORMAL
2018 Feb 5 14:29:18.877171 aaa: mts_send_response Successful
2018 Feb 5 14:29:18.877224 aaa: aaa_cleanup_session
2018 Feb 5 14:29:18.877253 aaa: mts_drop of request msg
2018 Feb 5 14:29:18.877299 aaa: aaa_req should be freed.
2018 Feb 5 14:29:18.877364 aaa: aaa_process_fd_set
2018 Feb 5 14:29:18.877391 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:29:18.877410 aaa: aaa_enable_info_config: GET_REQ for aaa login error message
2018 Feb 5 14:29:18.877415 aaa: got back the return value of configuration operation:unknown security item
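The two transcripts differ in structure rather than in a single status line, so a small parser that tracks the AAA phase, the server group, the status values and the accounting record of the assigned role is a faster way to triage a debug capture than reading it top to bottom. The following Python script is an added example, not Cisco tooling; its sample input consists of trimmed copies of the lines shown above, and its verdict mirrors only what those two transcripts show (the status code values are reported, not interpreted, because the page does not document their meaning).

```python
"""Added example (not Cisco tooling): triage FXOS `debug aaa` output.
Sample lines are trimmed copies of the transcripts on this page."""
import re

LINE_RE = re.compile(r"^\d{4} \w{3} +\d+ [\d:.]+ aaa: (?P<msg>.*)$")
PHASE_RE = re.compile(r"aaa_req_process for (authentication|authorization|accounting)\.")
STATUS_RE = re.compile(r"is_aaa_resp_status_success status = (\d+)")
GROUP_RE = re.compile(r"aaa_sg_method_handler group = (\S+)")
ROLE_RE = re.compile(r"log=added user:(\S+) to the role:(\S+)")
LOGIN_ERROR = "GET_REQ for aaa login error message"

SUCCESS_SAMPLE = """\
2018 Feb 5 14:31:29.192410 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:31:29.192552 aaa: aaa_sg_method_handler group = tacacs
2018 Feb 5 14:31:29.366554 aaa: is_aaa_resp_status_success status = 1
2018 Feb 5 14:31:29.367462 aaa: aaa_req_process for authorization. session no 0
2018 Feb 5 14:31:29.367552 aaa: aaa_sg_method_handler group = (null)
2018 Feb 5 14:31:29.539525 aaa: is_aaa_resp_status_success status = 2
2018 Feb 5 14:31:29.602076 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:31:29.603613 aaa: aaa_create_local_acct_req: user=, session_id=, log=added user:fxosro to the role:read-only
"""

FAIL_SAMPLE = """\
2018 Feb 5 14:29:18.702144 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:29:18.702276 aaa: aaa_sg_method_handler group = tacacs
2018 Feb 5 14:29:18.877003 aaa: is_aaa_resp_status_success status = 2
2018 Feb 5 14:29:18.877410 aaa: aaa_enable_info_config: GET_REQ for aaa login error message
"""


def triage(debug_text):
    """Walk the lines in order and collect per-phase facts."""
    r = {"phases": [], "status": {}, "group": None, "roles": {}, "login_error_fetched": False}
    phase = None
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts and other non-debug lines
        msg = m.group("msg")
        pm = PHASE_RE.search(msg)
        if pm:
            phase = pm.group(1)
            if phase not in r["phases"]:
                r["phases"].append(phase)
            continue
        sm = STATUS_RE.search(msg)
        if sm and phase:
            r["status"].setdefault(phase, int(sm.group(1)))  # first status seen per phase
            continue
        gm = GROUP_RE.search(msg)
        if gm and gm.group(1) != "(null)":
            r["group"] = gm.group(1)
            continue
        rm = ROLE_RE.search(msg)
        if rm:
            r["roles"].setdefault(rm.group(1), []).append(rm.group(2))
            continue
        if LOGIN_ERROR in msg:
            r["login_error_fetched"] = True
    return r


def verdict(r):
    """Accepted logins proceed to authorization and record a role through accounting;
    rejected ones stop after authentication and fetch the login error message."""
    if r["roles"] and "authorization" in r["phases"]:
        users = ", ".join(f"{u} -> {'/'.join(roles)}" for u, roles in r["roles"].items())
        return f"accepted via {r['group']}: {users}"
    if "authentication" in r["phases"] and r["login_error_fetched"]:
        return f"rejected by {r['group']} (authentication status {r['status'].get('authentication')})"
    return "incomplete: phases seen " + ", ".join(r["phases"])


if __name__ == "__main__":
    for sample in (SUCCESS_SAMPLE, FAIL_SAMPLE):
        print(verdict(triage(sample)))
```

Run it against a capture taken with the debug commands above; a result of "incomplete" with only the authentication phase and no login error message usually means the server never answered, which points at reachability, the port, or the timeout rather than at the credentials or the shell profile.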
The ethanalyzer command in the FXOS CLI prompts for a password when TACACS+ or RADIUS authentication is enabled. This behavior is caused by a bug, tracked as Cisco bug ID CSCvg87518.
Revision | Publish Date | Comments
---|---|---
1.0 | 05-Feb-2018 | Initial Release