This document describes how to configure Cisco Wide Area Application Services (WAAS) integration with Cisco Access Control Server (ACS) Version 5.x . When configured per the steps in this document, users are able to authenticate to WAAS with TACACS+ credentials via ACS.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
- Cisco Secure ACS Version 5.x
- Cisco WAAS
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
- In order to define an AAA client on ACS Version 5.x, navigate to Network Resources > Network Devices and AAA Clients. Configure the AAA client with a descriptive name, a single IP address, and a shared secret key for TACACS+.
- In order to define a Shell Profile, navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. In this example, a new shell profile called WAAS_Attribute is configured. This custom attribute is sent to the WAAS, which allows it to infer which user group is the administrator group. Configure these custom attributes:
- The Attribute is waas_rbac_groups.
- The Requirement is Optional so that it does not disturb any other device.
- The Value is the name of the group that must be assigned administrative access (Test Group).
- In order to define a command set to allow all commands, navigate to Policy Elements > Authorization and Permissions > Device Administration > Command Sets.
- Edit the Permit_All command set.
- If you check the Permit any command that is not in the table below check box, the user is granted full privileges.
Note: Since this example uses TACACS, the default service selected is default device admin.
- In order to point the identity to the correct identity source, navigate to Access Policies > Access Services > Default Device Admin > Identity. If the user exists in the local ACS database, select Internal Users. If the user exists in the Active Directory, select the configured identity store (AD1 in this example).
- In order to create an authorization rule, navigate to Access Policies >Access Services > Default Device Admin > Authorization. Create a new authorization policy called WAAS Authorization. This checks for requests from WAAS. In this example, the device IP is used as a condition. However, this can be changed based on the deployment requirements. Apply the shell profile and command sets configured in Steps 2 and 3 in this section.
Configuration on the WAAS
- In order to define a TACACS+ server, navigate to Devices > <Central Manager System Name> > Configure > Security > AAA > TACACS+. Configure the ACS server IP address and pre-shared key.
- In order to modify the authentication and authorization methods, navigate to Devices > <Central Manager System Name> > Configure > Security > AAA > Authentication Methods. In this screenshot, the primary login method is configured for local with the secondary configured for TACACS+.
- Navigate to Home > Admin > AAA > User Groups in order to add the group name that matches the custom attribute Value (see Step 2 in the Configure ACS section) in WAAS.
- Assign this group (Test_Group) admin-level rights on the Home > Admin > AAA > User Groups Role Management tab. The admin role on the Central Manager is pre-configured.
Attempt to log in to WAAS with TACACS+ credentials. If everything is configured correctly, you are granted access.
There is currently no specific troubleshooting information available for this configuration.