Previous lab: Cisco ACS Lab 1: Installing and Configuring ACS 5.6 in ESXi and GNS3
This Lab 2 uses a Cisco router as the TACACS+ client of ACS 5.6 and uses the TACACS+ protocol to complete authentication and authorization tasks.
Step 1: Join the ACS to the Active Directory server and test the connection
Step 2: Choose the proper Active Directory group to use for authentication and authorization
In the Windows AD server, add the users test1, test2 and test3 and put them into testgroup, as shown in the following screenshot.
Choose test1.com/Users/testgroup in the Directory Groups tab.
Step 3: Make sure there is a service selection rule that matches TACACS+ and assigns the service Default Device Admin
Step 4: Choose AD1 as the authentication method (Identity) for Default Device Admin
Step 5: For Authorization, create a rule that uses AD1:ExternalGroups as the condition
Step 6: Customize a Shell Profile for privilege level 15 users
Step 7: Cisco router configuration:
! enable AAA; IOS rejects every other aaa command until this is present
aaa new-model
! create a local admin user for fallback; "local" is consulted only when no
! TACACS+ server answers, not when ACS rejects the login
! (password 0 stores the password in clear text in the configuration;
! "username admin privilege 15 secret ..." would store a hash instead)
username admin privilege 15 password 0 cisco123!
tacacs-server host 192.168.2.42
! shared secret; must match the key configured for this device in ACS
! (placeholder: the lab does not give the key)
tacacs-server key <SHARED_SECRET>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
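To make concrete what the router and ACS actually exchange once the configuration above is in place, here is an added example that builds and parses a TACACS+ authentication START packet as defined in RFC 8907. It is not code from the lab or from Cisco; the session id, the shared key "lab-shared-secret", the port string and the router address are constructed values, while the username test1 is the lab's test account. It shows the 12-byte header, the MD5-derived pseudo-pad that XORs the body (obfuscation, not strong encryption, which is why the shared key must stay secret and why the standard recommends a protected transport), and two things worth checking on the ACS side: a packet with the unencrypted flag set, and a shared-key mismatch, which shows up as a body whose field lengths no longer add up.

```python
"""Added example: TACACS+ (RFC 8907) authentication START, built and parsed.
Session id, key, port and addresses are constructed lab values."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01           # START action: login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01      # interactive ASCII login
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # service: login (exec shell)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # body is sent in clear text

HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
START_FMT = "!BBBBBBBB"                # action, priv_lvl, authen_type, service, 4 field lengths


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(...|pad_n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate (same operation) a body with the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: bytes, port: bytes = b"tty0",
                       rem_addr: bytes = b"", data: bytes = b"", priv_lvl: int = 1,
                       unencrypted: bool = False) -> bytes:
    """Client (router) -> server: authentication START; the first packet is always seq_no 1."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    seq_no = 1
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    if not unencrypted:
        body = xor_body(body, session_id, key, version, seq_no)
    return header + body


def parse_header(packet: bytes) -> dict:
    """Split the fixed 12-byte header; the unencrypted flag is what a defender should alert on."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "major": version >> 4, "minor": version & 0xF, "type": ptype,
            "seq_no": seq_no, "flags": flags, "session_id": session_id, "length": length,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}


def decode_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: recover the START fields; raise if the body does not parse."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"] or len(body) < 8:
        raise ValueError("truncated body")
    if hdr["major"] != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported TACACS+ major version")
    if not hdr["unencrypted"]:
        body = xor_body(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack(START_FMT, body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        # A wrong shared key turns the body into random bytes; ACS logs this as a key mismatch.
        raise ValueError("field lengths do not match body length (wrong key or malformed packet)")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def key_mismatch(packet: bytes, key: bytes, expected_user: bytes) -> bool:
    """True when decoding with `key` fails or yields a different user than expected."""
    try:
        return decode_authen_start(packet, key)["user"] != expected_user
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"lab-shared-secret"   # constructed; would have to match "tacacs-server key" on the router
    pkt = build_authen_start(0x12345678, key, b"test1", rem_addr=b"192.168.2.1")  # constructed router address
    print(parse_header(pkt))
    print(decode_authen_start(pkt, key))
    print("wrong key detected:", key_mismatch(pkt, b"other-key", b"test1"))
    print("unencrypted flag:", parse_header(build_authen_start(1, key, b"test1", unencrypted=True))["unencrypted"])
```

Run it as a script to see the header fields, the recovered username and the two checks. Because the body is only XORed with a key-derived pad, anyone holding the shared key can read every TACACS+ exchange, so the key deserves the same handling as the admin credentials it protects, and a packet arriving with the unencrypted flag set on a production ACS is a misconfiguration worth an alert.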
Step 8: Test with the AD user account test1
- ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example