Thursday, May 10, 2012

TACACS+, Active Directory, and Cisco Secure ACS

I have now transitioned to another team at my employer and I have already had the opportunity to work on some very fun projects. One of my first projects dealt with configuring our Cisco IOS switches to authenticate logins against our Active Directory accounts. This allows us to manage our network devices much more easily, and it helps secure our devices by locking them down to actual user logins instead of relying on the local user databases for each device. Needless to say, it was NOT easy figuring out how to set up everything due to our infrastructure setup. Online documentation was incredibly confusing and led me in the wrong direction several times, but I was able to get everything working.

This article should really be titled “How to set up TACACS+ for Active Directory authentication with a Cisco Secure ACS 4.2 server” but hey, I only have so much to work with. Please keep in mind that this article assumes you already have knowledge about how to work with the Cisco IOS CLI, how to manage and handle user accounts in Windows Active Directory, that you have an ACS appliance connected to the network, and your IOS device is able to communicate with the ACS server.

One special thing about our infrastructure is that we are using a Cisco Secure ACS server as our TACACS+ authentication server. We could have used a basic Windows Server 2008 RADIUS server (or even changed the ACS server mode to RADIUS), but since we already had the ACS server up and running and we are not using it for anything else, it made sense for us to only set it up for TACACS+. If you don’t have an ACS server and want to use a Windows RADIUS server instead, see Brian Desmond’s Blog for instructions.

So, in starting this journey I had several pieces of equipment available:
  • 1x Cisco Secure ACS v4.2 appliance (hereby referred to as the ACS server)
  • 1x Windows Server 2003 Server that is a member of a domain (a.k.a. member server)
  • 1x Cisco Catalyst 3750X-48P Switch with IOS 12.2
If you have the same type of hardware or infrastructure setup as me, here is an extremely high level overview of exactly what I did to set up Active Directory authentication on the ACS server, the TACACS+ configuration on the Cisco IOS switch, and the Cisco Secure ACS Remote Agent software on the domain member server:
  1. Install and configure the Cisco Secure ACS Remote Agent software on the domain member server. Information on how to do this is located on Cisco’s website here.
  2. Add the Remote Agent under Network Configuration in the ACS server.
  3. Set up Active Directory as an External User Database in the ACS server.
  4. Add the Cisco IOS device as an authorized AAA client under Network Configuration in the ACS server. Read Jose Leitao’s blog on how to do this here.
  5. Set up user accounts in the ACS server for access to log into Cisco IOS devices.
  6. Configure TACACS and AAA authentication on the Cisco IOS device. Again, read Jose Leitao’s blog on how to do this here. I recommend testing logging into your IOS device before you decide to save this configuration (WRITE MEM / COPY RUN START) because if there is a problem, you can just restart the device without keeping the changes. Here is a sample configuration for your device from #:

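    config t
    ! TACACS+ server settings; the key must match the one set for this AAA client in ACS
    tacacs-server directed-request
    tacacs-server key <KEY FROM TACACS SERVER>
    tacacs-server host <IP ADDRESS OF TACACS SERVER>
    ! Enable AAA
    aaa new-model
    ! Default login list: local database first, then TACACS+
    aaa authentication login default local group tacacs+
    ! Named list "no-tacacs": local database only
    aaa authentication login no-tacacs local
    ! Enable access: TACACS+ first, then the local enable password
    aaa authentication enable default group tacacs+ enable
    ! Apply authorization to the console line and to configuration-mode commands
    aaa authorization console
    aaa authorization config-commands
    ! EXEC shell and per-level command authorization
    aaa authorization exec default group tacacs+ if-authenticated local
    aaa authorization commands 1 default if-authenticated
    aaa authorization commands 15 default local group tacacs+
    ! Use the same session ID for every AAA service type within a session
    aaa session-id common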
There are some caveats, or ‘gotchas’, with using a TACACS server to process login requests:
  • At logon, the IOS device will first check its local database for the user ID and password. If the user ID is not in the local database then IOS will then attempt to authenticate against the TACACS server.
  • If the TACACS server is unavailable, the local account database on the network device will be used.
  • You will need to create a ‘failsafe’ local user account on the ACS server in case there is a problem with Active Directory. See the next bullet point for the reason…
  • If the ACS server is up and running but Active Directory is not working, a local ACS user account is the only thing that can be used. This is because IOS can still communicate with the ACS server. Just know that you need to use a local ACS user account if there is an Active Directory problem. And no, there is no workaround for this.
  • ACS supports two different types of user accounts – “Local” and “External User Database”. When you create a user account in ACS, you must define if it is going to be local to the ACS server, or if the user account needs to authenticate against an external user database (in this case our external user database is MS Active Directory).
  • With this configuration, when a user account successfully logs in they are automatically placed into ENABLE mode immediately. This reduces the need to retype passwords over and over again. This type of configuration is very close to a “single-sign-on” user experience for network devices.
  • As long as the network device is able to communicate with the ACS server, authentication will ALWAYS occur with the ACS server.
  • TACACS server authentication is a two way street. You need to add the network device as an AAA client in the ACS server, as well as configure the network device’s TACACS configuration.
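
The fallback behaviour in the caveats above can be checked with a small model. This is an added example, not part of the original post or Cisco's code: it is a simplified Python model of the `local group tacacs+` method list, and the account names, passwords and the assumption that ACS answers with a rejection while Active Directory is down are constructed for illustration.

```python
# Simplified model (added example) of how the login method list
# "aaa authentication login default local group tacacs+" resolves a login.
# All account names and passwords below are constructed sample data.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def local_method(switch_users):
    def check(user, password):
        if user not in switch_users:
            return ERROR  # unknown locally: IOS moves on to the next method
        return PASS if switch_users[user] == password else FAIL
    return check

def tacacs_method(acs_up, ad_up, acs_local_users, ad_users):
    def check(user, password):
        if not acs_up:
            return ERROR  # no reply from the ACS server: try the next method
        if user in acs_local_users:  # ACS "Local" account, AD is not consulted
            return PASS if acs_local_users[user] == password else FAIL
        if not ad_up:
            return FAIL  # ACS still answers, so the device sees a rejection
        return PASS if ad_users.get(user) == password else FAIL
    return check

def authenticate(methods, user, password):
    """Walk the method list; only ERROR falls through to the next method."""
    for name, method in methods:
        result = method(user, password)
        if result != ERROR:
            return name, result
    return None, FAIL  # every method errored: login denied

def login(user, password, acs_up=True, ad_up=True):
    switch_users = {"netadmin": "sw-local-pw"}  # local database on the switch
    acs_local = {"failsafe": "acs-local-pw"}    # 'failsafe' ACS Local account
    ad_users = {"jdoe": "ad-pw"}                # External User Database (AD)
    methods = [("local", local_method(switch_users)),
               ("tacacs+", tacacs_method(acs_up, ad_up, acs_local, ad_users))]
    return authenticate(methods, user, password)

if __name__ == "__main__":
    print(login("jdoe", "ad-pw"))                          # everything up
    print(login("jdoe", "ad-pw", ad_up=False))             # AD outage
    print(login("failsafe", "acs-local-pw", ad_up=False))  # failsafe account
    print(login("netadmin", "sw-local-pw", acs_up=False))  # ACS unreachable
    print(login("jdoe", "ad-pw", acs_up=False))            # no method can answer
```

The second and third calls show why the failsafe account has to live on the ACS server: while ACS keeps answering, an AD account is rejected outright rather than retried against another method.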
Utilize the resources from the embedded links in the steps above. That’s right. I am going to force you to learn how to do most of this on your own! But I hope that I did answer some of your questions about using a Cisco Secure ACS server and TACACS. As always, feel free to send me an email if you need clarification on any of these points.