    ACS 5.1 Basic Setup And Familiarization Lab Guide

    ACS 5.1 Basic Setup And Familiarization

    Developers and Lab Proctors
    This lab was created by: Aruna Yerragudi
    Lab proctors:

    Lab Overview
    In this lab, you will go over the initial setup of Cisco Secure Access Control System (ACS) 5.1. By the end of it, you will:

    Have configured two ACS servers in a primary/secondary configuration
    Have confirmed that the ACS servers can receive RADIUS and TACACS+ requests
    Have tested simple authentication for a user configured in the ACS internal store and for a user in Active Directory
    Have gained familiarity with the ACS View monitoring, reporting and troubleshooting tool

    Lab participants should be able to complete the lab within the allotted lab time of two hours.

    Lab Exercises
    This lab guide includes the following exercises:

    Lab Exercise 1: Initialization Verification
    Lab Exercise 2: Configure A Distributed Deployment
    Lab Exercise 3: Configure A Network Device And Verify AAA Communications
    Lab Exercise 4: Confirm Basic Authentication

    Product Overview: ACS 5.1
    Cisco Secure Access Control System 5.1 is a platform for centralized network identity and access control. ACS 5.1 features a simple yet powerful, rule-based policy model and a new, intuitive management interface designed for optimum control and visibility.

    The rule-based policy model provides the flexibility and manageability needed to meet evolving access policy needs. Its integrated monitoring, reporting, and troubleshooting features simplify management and increase compliance. ACS 5.1 integration capabilities and distributed deployment support make it the ideal network identity and access policy solution.

    Lab Topology and Access
    Each pod includes two Cisco Catalyst switches, two ACS v5.1 servers, a Windows 2003 Server for Active Directory, and a management Windows XP PC.

    Lab Topology
    This is the topology used for this lab.

    Internal IP Addresses and Accounts
    The table that follows lists the internal IP addresses used by the devices in this setup.

    Device                      IP Address       Account (username/password/domain)
    --------------------------  ---------------  ----------------------------------
    Management PC (Mgmt)        192.168.3.50     cisco/cisco123/CISCOSEC
    Windows 2003/AD (DC)        192.168.3.10     cisco/cisco123/CISCOSEC
    ACS 5.1 Primary (acs-1)     192.168.3.11     CLI: admin/C!scoLAB123!
                                                 GUI: acsadmin/cisco123
    ACS 5.1 Secondary (acs-2)   192.168.3.12     CLI: admin/C!scoLAB123!
                                                 GUI: acsadmin/cisco123
    Distribution Switch         192.168.250.1    admin/cisco123
    Access Switch               192.168.250.2    admin/cisco123
                                                 enable: cisco123

    Lab Exercise 0: Initial Setup Steps (For Reference Only, Do Not Complete)

    This section is for reference only. It should have already been completed for you, but it is made available so that you can see the steps necessary to initialize the ACS for the network.

    Exercise Objective
    In this exercise, the goal is to walk through the initial setup steps that are necessary after a fresh installation.

    Step 1 Power on the ACS 5.1 instance. The following setup prompt appears.

    **********************************************
    Please type setup to configure the appliance
    **********************************************

    localhost login: setup

    Step 2 At the login prompt, type setup and press Enter. The setup takes you through a series of steps where various parameters need to be entered. An example of all the parameters is shown below:

    Press Ctrl-C to abort setup
    Enter hostname[]: acs-1
    Enter IP address []: 192.168.3.11
    Enter IP default netmask[]: 255.255.255.0
    Enter IP default gateway[]: 192.168.3.1
    Enter default DNS domain[]: ciscosec.com
    Enter Primary nameserver[]: 192.168.3.10
    Add/Edit another nameserver? Y/N : n
    Enter username[admin]:
    Enter password:
    Enter password again:
    Bringing up network interface...
    Pinging the gateway...
    Pinging the primary nameserver ...
    Do not use Ctrl-C from this point on...
    Appliance is configured
    Installing applications...
    Installing acs ...
    Generating configuration...
    Rebooting...

    Step 3 After the ACS is installed, the system reboots automatically and comes to the ACS login prompt. You may now log in to the ACS either via the console or via SSH using the CLI credentials configured during the setup.

    acs-1 login:

    Step 4 The next step is to install the license. Log in to the primary ACS (ACS-Pri) via the GUI (https://). Enter the default credentials: acsadmin/default. You will be prompted to change the password. Note that this GUI administrator account is separate from the CLI admin account created during setup; each has its own password.

    Step 5 After changing the default password, you will need to install the license. Browse to the license file and click on Install to install the license.

    Step 6 This completes the basic setup and installation. The system is now ready for use.

    End of Exercise: You have successfully completed this exercise. Proceed to the next section.

    Lab Exercise 1: Initialization Verification

    Exercise Objective
    Verify that ACS has the basic required configuration.

    Lab Exercise Steps: Setup Verification

    Step 1 From the Topology tab, click on Management PC > RDP Client and log in to the Management PC (Mgmt) using the credentials: cisco/cisco123.

    Step 2 From the Management PC, open a command prompt (Start > Run ... > cmd).

    Step 3 In the command prompt window, verify that you can ping the following devices required for the lab, to ensure that all the devices are up and accessible.

    > ping 192.168.3.10 (AD server)
    > ping 192.168.3.11 (ACS Primary)
    > ping 192.168.3.12 (ACS Secondary)
    > ping 192.168.250.2 (Access Switch)

    Step 4 On the Management PC desktop, double-click the PuTTY shortcut. Connect to the primary ACS (acs-1.ciscosec.com, 192.168.3.11) via SSH and log in using the credentials: admin/C!scoLAB123!

    login as: admin
    Using keyboard-interactive authentication.
    Password:
    acs-1/admin#

    Step 5 From the ACS CLI, ping the following devices: 192.168.3.1 (default gateway), 192.168.3.10 (AD server), 192.168.3.12 (ACS Secondary) and 192.168.250.2 (Access Switch). All the devices should respond.

    acs-1/admin# ping 192.168.3.1 (Default Gateway)
    acs-1/admin# ping 192.168.3.10 (AD server)
    acs-1/admin# ping 192.168.3.12 (ACS Secondary)
    acs-1/admin# ping 192.168.250.2 (Access Switch)

    Step 6 Run the command show application status acs and verify that you see a similar status.

    acs-1/admin# show application status acs
    ACS role: PRIMARY
    Process 'database' running
    Process 'management' running
    Process 'runtime' running
    Process 'view-database' running
    Process 'view-jobmanager' running
    Process 'view-alertmanager' running
    Process 'view-collector' running
    Process 'view-logprocessor' running

    If any of the processes are not in the running state, wait a few minutes and re-execute the command. Alternatively, stop and restart ACS using the CLI commands application stop acs and application start acs. The system is ready for use only when all the processes are in the running state; in particular, no RADIUS or TACACS+ request is answered until 'runtime' is running, and nothing appears in ACS View until the 'view-*' processes are running.

    Step 7 Run the command show ntp to verify synchronization with the NTP server (the AD server). Note the offset and delay values; they should be small.

    acs-1/admin# show ntp
    Primary NTP : 192.168.3.10
    synchronised to local net at stratum 11
       time correct to within 12 ms
       polling server every 1024 s

         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
     192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812

    Warning: Output results may conflict during periods of changing synchronization.

    Read the peer table carefully rather than just the first line. The asterisk marks the system peer, which is the source the ACS clock is actually disciplined by. In the output above that is the local clock (127.127.1.0, LOCAL(0)), so the ACS is free-running at stratum 11 and has not selected the AD server as its time source, even though 192.168.3.10 is reachable (reach 377, meaning all of the last eight polls were answered) and reports an offset of about 11 ms. What matters for the Active Directory integration in Lab Exercise 4 is that offset: Kerberos tolerates up to 5 minutes of clock skew by default, so a few tens of milliseconds is fine, but an offset of minutes, or a reach of 0, means that joining and authenticating to AD will fail. Also note that the AD server itself advertises refid .LOCL. at stratum 1, meaning it is serving its own undisciplined local clock; the offset therefore measures agreement with the domain controller, not absolute accuracy, and agreement with the domain controller is exactly what AD authentication needs.

    End of Exercise: You have successfully completed this exercise. Proceed to the next section.

    Lab Exercise 2: Configure A Distributed ACS Deployment

    Exercise Objective
    In this exercise, your goal is to configure two ACS servers in a distributed deployment scenario.

    Lab Exercise Steps

    Step 1 From the management PC (Mgmt), open Internet Explorer and log on to the secondary ACS (https://acs-2.ciscosec.com, 192.168.3.12; credentials: acsadmin/cisco123). ACS comes preconfigured with a self-signed certificate for HTTPS web access. This causes a security alert in web browsers. Select to ignore and continue when the browser presents this certificate security exception. Accepting an unverified certificate is acceptable in this isolated lab only; in a production deployment, replace the self-signed certificate with one issued by your own CA, or at least verify the certificate fingerprint out of band before accepting it, because the administrator credentials you are about to type are protected only by this TLS session.

    Note: At this point, acs-2 is a standalone ACS server, and by default it is a primary server.

    Step 2 Go to System Administration > Operations > Local Operations > Deployment Operations and enter the primary server information as follows:

    Primary Instance: 192.168.3.11
    Admin Username: acsadmin
    Admin Password: cisco123

    Step 3 Click on Register to Primary. A prompt is shown to confirm the action. Click on OK to continue registering with the primary.

    Step 4 You will be automatically logged out of the secondary ACS GUI and it will reboot. Close this browser window.

    Step 5 Log in to the primary ACS server GUI (https://acs-1.ciscosec.com, 192.168.3.11) and go to System Administration > Operations > Distributed System Management. Verify the Online Status and the Replication Status.

    While the secondary is rebooting, the online status will be red and the replication status PENDING. After the secondary is up, the online status turns green and the replication status changes to UPDATED. Wait for the secondary to come back up. You can SSH to the secondary ACS and run the command show application status acs to establish when the secondary is back up.

    Step 6 All configuration is now performed on the primary ACS server, and all configuration updates are automatically sent to any secondary servers. A full replication can also be initiated from the primary ACS server for selected secondary servers. On the primary ACS server, go to System Administration > Operations > Distributed System Management. Select the secondary instance and click on Full Replication.

    You will be asked to reconfirm the action. Click on OK to continue with the full replication. Wait for the secondary ACS server to restart. Click on Refresh to get the updated status. Wait for the Online Status to become green and the Replication Status to become UPDATED.

    End of Exercise: You have successfully completed this exercise. Proceed to the next section.

    Lab Exercise 3: Configure A Network Device And Verify AAA Communications

    Exercise Objective
    In this exercise, you will:

    Confirm that the ACS servers can receive RADIUS and TACACS+ requests
    Confirm ACS View log collection and use it as a troubleshooting tool
    Configure a network device in ACS
    Confirm that replication is working

    Lab Exercise Steps

    Step 1 Launch ACS View by navigating as follows: Monitoring and Reports > Launch Monitoring & Report Viewer. ACS View opens in a new browser window.

    Step 2 In this step, we'll add a new tab called TACACS to the ACS View Dashboard. From the top right-hand corner, click on Configure > Add New Page. Type TACACS and click on Add Page. Go to the TACACS tab and click again on Configure > Add Application, and add the Live Authentications application.

    Edit the Live Authentications panel by clicking on the edit icon located in the top right-hand corner of the newly created page. Change the protocol to TACACS and save the changes. From the new TACACS tab, you can now monitor TACACS+ authentications in real time: the tab shows a Live Authentications panel filtered to TACACS.

    Step 3 Click on the Troubleshooting tab. We will use this tab to monitor RADIUS authentications, as it already has a Live Authentications panel configured for RADIUS authentications.

    Step 4 From the topology, telnet to the access switch. Enter enable mode.

    Step 5 The goal of this step is to ensure that both ACS boxes are receiving the requests. acs-1 and acs-2 have been pre-configured in the switch as RADIUS and TACACS+ servers. Send test requests to the ACS servers (the user bob does not need to exist anywhere; the point is only to generate requests):

    test aaa group radius bob bobspwd new-code
    test aaa group tacacs+ bob bobspwd new-code

    Note: Use the show running-config command on the access switch to verify the aaa configuration that is already configured on the device, including the server addresses and the shared secrets.

    Step 6 Check the RADIUS and TACACS Live Authentications panels. If you see entries in these panels, then you have confirmed that the ACS servers are capable of receiving RADIUS and TACACS+ requests. Hover over the failure reason to understand why the authentications failed.

    For more information on these requests, go to the General tab on the Dashboard and look at today's authentications for RADIUS and TACACS under My Favorite Reports. Confirm that requests are being received by both acs-1 and acs-2.

    Step 7 The first set of requests failed due to an Unknown Device error: ACS does not process requests from a NAS whose IP address is not defined as a network device, since without that definition it has no shared secret for the device. Let's now add the device into ACS. From the ACS home page, go to Network Resources > Network Devices and AAA Clients and click on Create to create a new entry.

    Step 8 Enter the device details: a name for the access switch, its IP address (192.168.250.2), and the RADIUS and TACACS+ shared secrets. The shared secrets must match the keys in the switch's aaa configuration that you verified in Step 5; a mismatch is not reported as an unknown device but shows up later as an authentication failure.

    Step 9 Click on Submit to create the network device on ACS.

    Step 10 Send the RADIUS and TACACS+ requests again. Check that the failure message is different this time. The failures should no longer be related to an unknown device. This confirms that the access switch is configured in ACS.

    Step 11 Next, let's test that the replication between the two ACS servers was successful. Since the configuration was done on acs-1, direct the requests to acs-2 using the following switch command.

    test aaa group ACS joe@acs-2 joepwd new-code

    Notice that the error message you receive with the above command is the same as in Step 10. This confirms that the configuration was replicated to acs-2.
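    The failure sequence in Steps 5 to 11 follows directly from how a RADIUS Access-Request is processed on the server side. The block below is an added example, not code from this lab guide or from Cisco: it builds the PAP Access-Request that the switch sends for test aaa group radius, hides the password the way RFC 2865 requires, and mocks the ACS-side decision so you can see why a NAS that is absent from Network Devices and AAA Clients cannot be processed at all, while a registered NAS gets an Access-Reject for an unknown user or a bad password. The shared secret, the device and user tables, and the reason strings are assumptions of this example; ACS's own failure-reason texts differ.

```python
"""Added example (not from the lab guide or Cisco): a minimal RFC 2865
Access-Request encoder plus a mock of the ACS-side decision, showing why
`test aaa group radius ...` fails with an unknown device until the NAS is
defined, and only then fails on the user instead.

Constructed values: the shared secret, the NAS table and the user table are
assumptions of this example, not values taken from the lab."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Assumed ACS "Network Devices and AAA Clients" table: NAS IP -> RADIUS shared secret.
NETWORK_DEVICES = {"192.168.250.2": b"lab-radius-key"}
# Assumed ACS internal identity store (the user created in Lab Exercise 4).
INTERNAL_USERS = {b"joe-internal": b"cisco123"}


def _xor_stream(data: bytes, secret: bytes, authenticator: bytes, encrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block is chained to the
    Request Authenticator. Decryption differs only in which block is chained."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        prev = result if encrypt else block
        out += result
    return out


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    return _xor_stream(padded, secret, authenticator, encrypt=True)


def decrypt_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_stream(blob, secret, authenticator, encrypt=False).rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: bytes,
                         password: bytes, nas_ip: str) -> bytes:
    """The PAP Access-Request a switch sends for `test aaa group radius <user> <pass>`."""
    authenticator = os.urandom(16)                      # Request Authenticator
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    hidden = encrypt_password(password, secret, authenticator)
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    attrs += bytes([NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    """Type/Length/Value walk over the attribute area; length includes the 2-byte head."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20)       # no attributes in this mock
    resp_auth = hashlib.md5(header + request_authenticator + secret).digest()
    return header + resp_auth


def acs_decide(packet: bytes, src_ip: str, devices=NETWORK_DEVICES, users=INTERNAL_USERS):
    """Mock of the ACS runtime. Returns (response packet or None, reason).
    The NAS must be known by source IP before anything else can be checked:
    without its shared secret the password cannot even be unhidden, so the
    request is dropped (no response) and logged as an unknown device."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return None, "malformed request"
    secret = devices.get(src_ip)
    if secret is None:
        return None, "unknown device"
    authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None, "malformed request"
    user = attrs[USER_NAME]
    if user not in users:
        return build_response(ACCESS_REJECT, ident, authenticator, secret), "user not found"
    presented = decrypt_password(attrs[USER_PASSWORD], secret, authenticator)
    if presented != users[user]:
        # A mismatched shared secret lands here too: the unhidden password is garbage.
        return build_response(ACCESS_REJECT, ident, authenticator, secret), "wrong password"
    return build_response(ACCESS_ACCEPT, ident, authenticator, secret), "accepted"
```

    Run acs_decide with an empty device table to reproduce Step 7, and with the populated table to reproduce Step 10. Two points worth keeping in mind when you read ACS View: an unknown device gets no response at all, so the switch only sees a timeout, and a wrong shared secret is indistinguishable from a wrong password at the server, which is why the failure reason is the first thing to read after adding a device. TACACS+ uses a different wire format but the same rule applies: ACS only answers AAA clients it knows.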

    End of Exercise: You have successfully completed this exercise. Proceed to next section.

    Lab Exercise 4: Confirm Basic Authentication

    Exercise Objective
    In this exercise, your goal is to authenticate users against both Active Directory and the ACS internal store. You will learn the process for establishing connectivity to Active Directory (AD), increase your familiarity with ACS View, and gain your first exposure to ACS Access Services, which define how requests are processed for authentication and authorization.

    Lab Exercise Steps

    Step 1 Create a user in ACS with the credentials joe-internal/cisco123. Go to Users and Identity Stores > Internal Identity Stores > Users.

    Step 2 From the access switch, send a test RADIUS authentication for the user created in the previous step. Use ACS View to confirm the authentication status. Examine the user's detailed authentication report to understand how ACS processed the authentication request.

    When ACS is installed, it comes preconfigured with two Access Services, Default Device Admin and Default Network Access, for TACACS+ and RADIUS authentications respectively. The Service Selection Policy, under Access Policies > Service Selection Rules, shows this default configuration.

    Look at the identity policy of the Default Network Access access service, under Access Policies > Default Network Access > Identity. You can see that the Identity Source is set to Internal Users. This is how ACS knew where to locate the user you authenticated in this step.

    In the next steps, you will authenticate a user against AD.

    Step 3 Create an AD identity store. Go to Users and Identity Stores > External Identity Stores > Active Directory.

    Step 4 Configure the properties of Active Directory as follows:

    Active Directory Domain Name: ciscosec.com
    Username: administrator
    Password: C!scoLAB123!

    Click on Save Changes to save the configuration. The domain Administrator account is used here for lab convenience only; in production, join ACS to the domain with a dedicated account that has only the rights needed to join the domain and read directory objects, since this password is stored in the ACS configuration and replicated to every secondary.

    Ensure that the Connectivity Status is CONNECTED. You may need to scroll down to see the status.

    If there are any errors during connectivity, check the NTP status via the ACS CLI by running the show ntp command. Note the offset and delay values for the AD server; they should be small. Kerberos, which ACS uses to join and authenticate against AD, rejects requests when the clocks differ by more than 5 minutes (the default tolerance), so an offset of minutes, or a reach value of 0 for the AD server, explains a connectivity failure. If the values are high, reload the ACS box by typing the command reload.

    acs-1/admin# show ntp
    Primary NTP : 192.168.3.10
    synchronised to local net at stratum 11
       time correct to within 12 ms
       polling server every 1024 s

         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
     192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812

    Warning: Output results may conflict during periods of changing synchronization.

    In this output the AD server (192.168.3.10) is reachable (reach 377) with an offset of about 11 ms, which is well within tolerance. The asterisk marks the peer the clock is actually disciplined by, here the local clock rather than the AD server, so what you are verifying is agreement with the domain controller, not absolute accuracy.

    After the ACS box comes back up, check the NTP status again and ensure that the offset and delay values are small. Now try to connect to the AD server again.
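    The same two CLI outputs are what you inspect in Lab Exercise 1 (Steps 6 and 7) and again here when the AD join fails, so it is worth being able to read them mechanically. The block below is an added example, not part of the lab guide or of ACS: it parses show application status acs and show ntp into a readiness checklist, flags any process that is not running, and reads the NTP peer table the way the text above describes (the system peer is marked with an asterisk, reach is an octal bitmap of the last eight polls, and offset is what matters for Kerberos). The sample outputs are the ones printed in this guide; the offset threshold and the wording ACS uses for a stopped process are assumptions of the example.

```python
"""Added example (not part of the lab guide): parse `show application status acs`
and `show ntp` from the ACS CLI into a pass/fail readiness check.
The offset threshold and the 'not running' wording are assumptions."""
import re

# Output as printed in the lab guide (Lab Exercise 1, Step 6).
STATUS_OUTPUT = """\
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
"""

# Output as printed in the lab guide (Lab Exercise 1, Step 7 / Lab Exercise 4).
NTP_OUTPUT = """\
Primary NTP : 192.168.3.10
synchronised to local net at stratum 11
   time correct to within 12 ms
   polling server every 1024 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     LOCAL(0)        10 l   14   64  377    0.000    0.000   0.001
 192.168.3.10    .LOCL.           1 u   79  256  377    0.001   11.443   6.812
"""

# Assumption: a stopped process is reported as anything other than "running".
PROCESS_RE = re.compile(r"^Process '(?P<name>[\w-]+)'\s+(?P<state>.+?)\s*$", re.M)
# ntpq-style peer row: optional tally character, then the ten columns.
PEER_RE = re.compile(
    r"^(?P<tally>[*+#o\-x.])?\s*(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>-?[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<jitter>[\d.]+)\s*$", re.M)


def parse_application_status(text: str) -> dict:
    """{process name: state} from `show application status acs`."""
    return {m["name"]: m["state"] for m in PROCESS_RE.finditer(text)}


def parse_ntp_peers(text: str) -> list:
    """One dict per peer row. reach is octal in ntpq output, so 377 -> 255 (8/8 polls)."""
    peers = []
    for m in PEER_RE.finditer(text):
        d = m.groupdict()
        d["tally"] = d["tally"] or " "          # a blank tally means "not selected"
        d["st"], d["reach"] = int(d["st"]), int(d["reach"], 8)
        for key in ("delay", "offset", "jitter"):
            d[key] = float(d[key])
        peers.append(d)
    return peers


def readiness_findings(status_text: str, ntp_text: str, max_offset_ms: float = 1000.0) -> list:
    """Empty list means ready. max_offset_ms is a conservative lab threshold
    (assumption); Kerberos itself tolerates 5 minutes of skew by default."""
    findings = []
    procs = parse_application_status(status_text)
    if not procs:
        findings.append("no ACS processes reported; is the application installed?")
    for name, state in procs.items():
        if state != "running":
            findings.append(f"process {name} is {state}; "
                            "run 'application stop acs' then 'application start acs'")
    peers = parse_ntp_peers(ntp_text)
    system = next((p for p in peers if p["tally"] == "*"), None)
    if system is None:
        findings.append("no system peer selected (clock unsynchronised)")
    elif system["remote"].startswith("127.127."):
        findings.append("system peer is the local clock, not an external server; "
                        "the ACS clock is free-running")
    for p in peers:
        if p["remote"].startswith("127.127."):
            continue                              # local clock driver, nothing to reach
        if p["reach"] == 0:
            findings.append(f"{p['remote']} unreachable (reach 0)")
        elif abs(p["offset"]) > max_offset_ms:
            findings.append(f"{p['remote']} offset {p['offset']} ms exceeds {max_offset_ms} ms")
    return findings


if __name__ == "__main__":
    for line in readiness_findings(STATUS_OUTPUT, NTP_OUTPUT) or ["ready"]:
        print(line)
```

    On the guide's own output the only finding is that the system peer is the local clock; the AD server is reachable with an 11 ms offset, so the AD join is not blocked by time. Capture the two outputs over SSH (for example with PuTTY's logging, or with a script that runs the commands non-interactively) and feed them to readiness_findings to get the same verdict for every ACS instance in a deployment.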

    Step 5 After connecting to AD, confirm that ACS can query AD groups. Go to the Directory Groups tab and click on Select. The pop-up window should list the various AD groups.

    Step 6 Similarly, confirm that ACS can query AD user attributes. Go to the Directory Attributes tab, enter user1 in the Name of example Subject to Select Attributes field, and click on Select.

    If both pop-ups list results, ACS can successfully query AD for group and user attribute information.

    Step 7 Edit the Default Network Access access service to use the configured AD as the Identity Source (Access Policies > Default Network Access > Identity). Send an authentication request from the switch for the user user1 with the password cisco123.

    Confirm in ACS View that the user was authenticated against AD.

    End of Exercise: You have successfully completed this exercise. Proceed to the next section.

    Appendix: Additional Resources
    You can find other useful information related to the topics covered in this lab at the following URLs:

    http://cisco.com/en/US/products/ps9911/index.html
    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/common_scenarios.html

    End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you have finished and provide any feedback to help improve the lab experience.