ACS 5.0 Device Admin Lab Guide
Developers and Lab Proctors
This lab was created by: Aruna Yerragudi
Lab proctors:
Lab Overview
In this lab, you will configure the Cisco Access Control Server v5.0 for Device Administration
using the TACACS+ protocol. You'll be configuring access control via privilege levels and command
authorization sets. Lab participants should be able to complete the lab within the allotted lab time
of two hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Configure Network Device and AAA Client
Lab Exercise 2: Configure Users and Identity Stores
Lab Exercise 3: Configure Policy Elements - Shell Profiles
Lab Exercise 4: Configure Access Services and Service Selection
Lab Exercise 5: Switch Configuration
Lab Exercise 6: Test and View Reports
Lab Exercise 7: Switch Configuration Cleanup
Lab Exercise 8: Configure Policy Elements - Command Authorization Sets
Lab Exercise 9: Modify Authorization Profiles
Lab Exercise 10: Test and View Reports

Product Overview: ACS 5.0
Cisco Secure Access Control System (ACS) 5.0 is a next-generation platform for centralized
network identity and access control. ACS 5.0 features a simple yet powerful, rule-based policy
model and a new, intuitive management interface designed for optimum control and visibility.
The rule-based policy model provides the flexibility and manageability needed to meet evolving
access policy needs. Its integrated monitoring, reporting, and troubleshooting features simplify
management and increase compliance. ACS 5.0 integration capabilities and distributed
deployment support make it the ideal network identity and access policy solution.
Lab Topology and Access
Every one or two students will share one POD. Each POD includes one Cat6K switch, an ACS
Server v5.0 and a Win2K3 server.
Lab Topology
The following is the topology used for this lab.



Internal IP addresses
The table that follows lists the internal IP addresses used by the devices in this setup.
Device IP Address
Cat Switch 10.10.30.1
ACS 5.0 10.10.30.20
Win2K3/AD 10.10.30.21

Accounts and Passwords
The table that follows lists the accounts and passwords used in this lab.
Access To Account (username/password)
Win2K3/AD Administrator/Cisco123
Switch telnet password cisco
Switch enable secret cisco
ACS 5.0 GUI acsadmin/cisco123
ACS 5.0 CLI Admin/csACS123

Lab Exercise 1: Configure Network Device and
AAA Client
Exercise Objective
In this exercise, your goal is to add the AAA client (Catalyst switch) to ACS.
Lab Exercise Steps
Step 1 Log on to the ACS. (RDP to the Win2K3 server with the credentials Administrator/Cisco123 and
click on the IE shortcut Cisco Secure ACS Login. Ignore the certificate error and provide the
ACS credentials acsadmin/cisco123 to log in.)
Step 2 Go to Network Resources -> Network Devices and AAA Clients and click on Create to
create a new entry
Step 3 Enter the device details as per the diagram below

You should have now successfully added the Cat switch as an AAA client.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.

Lab Exercise 2: Configure Users and Identity Stores
Exercise Objective
In this exercise, your goal is to create Identity Groups and internal users. This lab uses the ACS
internal database for user authentication.
Lab Exercise Steps
Step 1 Go to Users and Identity Stores -> Identity Groups and click on Create
Step 2 Create a group with the following information: Name Admin, Description
Administrators, Parent All Groups

Step 3 Create another group with the following information: Name Operator, Description
Operators, Parent All Groups
Step 4 Go to Users and Identity Stores -> Internal Identity Stores -> Users and click on Create
Step 5 Create a user with the following information: Name devadmin, Identity Group - All
Groups:Admin, Password - cisco123, Confirm Password cisco123

Step 6 Create another user with the following information: Name devop, Identity Group - All
Groups:Operator, Password - cisco123, Confirm Password cisco123

You should now have two Identity Groups, Admin and Operator, and two users, devadmin and devop,
assigned to the respective groups.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 3: Configure Policy Elements
Shell Profiles
Exercise Objective
In this exercise, your goal is to configure the shell profiles under Policy Elements, which will
later be used in the Authorization Rules. Shell profile authorization decides which privilege
level to assign, along with other shell attributes, to the user requesting authorization, and the
decision is enforced for the duration of the user's session.
Lab Exercise Steps
Step 1 Go to Policy Elements -> Authorization and Permissions -> Device Administration ->
Shell Profiles and click on Create
Step 2 Create a Shell Profile with the name Priv-level-7. Go to the Privilege Level tab and set the
properties as per the screenshot below

Step 3 Create another Shell Profile with the name Priv-level-15. Go to the Privilege Level tab and
Enable Default Privilege and set the Default Privilege level to 15

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 4: Configure Access Service and
Service Selection
Exercise Objective
In this exercise, your goal is to create a new Access Service and set the Service Selection rules. In
ACS 5.0, policy drives all activities. Policies consist mainly of rules that determine the action of
the policy. Access services are created to define authentication and authorization policies for
requests. A global service selection policy contains rules that determine which access service
processes an incoming request.
Lab Exercise Steps
Step 1 Go to Access Policies -> Access Services and create a new Access Service
Step 2 Create an Access Service with the name Device Admin. Select the check box against the
option Based on service template and choose Device Admin-Simple from the list.

Step 3 Go to Next and in Allowed Protocols, select Allow PAP/ASCII and click on Finish
Step 4 Click on Yes when asked "Would you like to modify the Service Selection Policy to activate
this service?"
Step 5 Select Rule-2 and click on Edit and edit as below

Step 6 Click on Save Changes and then go to Access Policies -> Access Services -> Device Admin
-> Identity. Leave the identity option at the default, Internal Users
Step 7 Select Authorization to create the Authorization rules. Click on Create and create a
new rule as per the config below

Step 8 Create a second Authorization rule as below


Step 9 Click on Save Changes. You should now have created a new Access Service, set the Service
Selection rules and created the two Authorization rules for Device access.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 5: Switch Configuration
Exercise Objective
In this exercise, your goal is to add the required CLI commands on the switch for Device
Administration.
Lab Exercise Steps
Step 1 Telnet to the switch and log in. Enter the enable mode. Enter the password cisco
Step 2 Enter configure terminal mode and enter the commands shown below. These lines protect
console port access: they bind the console to method lists that use none, so a console login never
depends on the TACACS+ server and you cannot lock yourself out of the switch while testing.
aaa new-model
aaa authentication login no_aaa none
aaa authorization exec no_aaa none
aaa authorization commands 15 no_aaa none
aaa authorization console
line con 0
login authentication no_aaa
authorization exec no_aaa
authorization commands 15 no_aaa
exit
Step 3 In the configure terminal mode, enter the following commands for setting the aaa settings
and the privilege level commands.
aaa authentication login default group tacacs+ none
aaa authorization exec default group tacacs+ none
tacacs-server host 10.10.30.20 key cisco
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable traps alarms critical
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
The first command defines TACACS+ as the authentication method for shell logins. The second
command defines TACACS+ as the source of exec authorization (the shell profile) for those logins.
The third command specifies the TACACS+ server and the shared key (cisco) that both sides use to
obfuscate the packet bodies.
In both method lists, none is the fallback method: it is used only when the switch gets no answer
from any TACACS+ server, in which case the login or authorization is simply allowed. That is
convenient in a lab but unsafe on a production device, where the fallback should be local (with a
locally configured username) rather than none.
The commands with the privilege prefix define the commands that are available at the specified
privilege level, level 7 in our example.
Note: If you use copy and paste to enter the commands on the CLI, ensure that no extra spaces are
copied.
! End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 6: Test and View Reports
Exercise Objective
In this exercise, your goal is to test the configuration and view the authentication reports from
the Monitoring and Reports viewer.
Lab Exercise Steps
Step 1 From the Win2K3 server, open a command prompt and telnet to the switch. Login with the
credentials devadmin/cisco123
Step 2 Verify the privilege level by typing the command show privilege at the CLI. The privilege
level should be set to 15
Step 3 Go to the configure terminal mode and try to execute the commands
interface GigabitEthernet3/2
Step 4 Telnet to the switch and login with the credentials devop/cisco123
Step 5 Verify the privilege level by typing the command show privilege at the CLI. The privilege
level should be set to 7
Step 6 Go to the configure terminal mode and try to execute the commands
snmp-server enable traps alarms critical
snmp-server host 10.10.30.10 test
interface GigabitEthernet3/2
The first two commands should execute successfully and the third command should fail.
Note: To verify and/or troubleshoot any issues, use the Monitoring and Reports viewer to see the detailed logs of
the authentication request. You can also enable debugging on the switch for troubleshooting with
debug aaa authentication, debug aaa authorization, debug tacacs authentication and
debug tacacs authorization.
Step 7 On the ACS GUI, go to Monitoring and Reports -> Launch Monitoring & Report Viewer
Note: If there are any DB unavailable errors when launching Monitoring and Reports, check that all the
processes are up and running: SSH to the ACS CLI with the ACS CLI credentials from the Accounts and
Passwords table and execute the show application status acs command.
Step 8 The Monitoring and Reports viewer opens in a new window. Go to Monitoring and Reports
-> Reports -> Catalog -> AAA Protocol and click on TACACS Authentication to generate
the authentication report. A report similar to the below is shown with all the passed and
failed authentications.


Step 9 Click on the icon under the Details column. That brings up the detailed report, which
looks similar to the screenshot below. It shows which Identity Store, Access Service and
Authorization Rules were matched and used.



! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 7: Switch Configuration Cleanup
Exercise Objective
In this exercise, your goal is to clean up the switch configuration and add the additional commands
needed for Command Authorization Sets testing.
Lab Exercise Steps
Step 1 Telnet to the switch using the credentials of devadmin/cisco123
Step 2 Go to configure terminal mode and execute the commands below:
no privilege configure level 7 snmp-server host
no privilege configure level 7 snmp-server enable
no privilege configure level 7 snmp-server
no privilege exec level 7 ping
no privilege exec level 7 configure terminal
no privilege exec level 7 configure
By executing the above commands, we remove the commands from privilege level 7. Do a show
running-config and verify that no privilege related commands remain.
Step 3 In the configure terminal mode execute the below command
aaa authorization commands 15 default group tacacs+ none
The above command defines TACACS+ as the command authorization method for shell sessions. The
privilege level in the command tells the TACACS+ client which commands it must request
permission for: in this lab we use privilege level 15, so only commands executed at privilege
level 15 are sent to ACS, each as a separate authorization request before the switch runs it.
As in Lab Exercise 5, none is only the fallback when no TACACS+ server answers; a rejection from
ACS is final and the command is not executed.
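To make the exchange behind this command concrete, the following Python program is an added example (not code from this lab, from Cisco IOS or from ACS) that builds the TACACS+ authorization REQUEST a switch sends for a shell command, obfuscates it with the shared key from Lab Exercise 5 (cisco) using the MD5 pseudo-pad defined in RFC 8907, decides it with a policy table constructed to mirror this lab's users and command sets (Permit All for devadmin, Permit Show for devop), and returns the REPLY the same way. It reproduces the results expected in Lab Exercise 10: devop may run show, but ping and configure are refused, while devadmin may run anything. The packet layouts and constants come from the RFC; the port and remote-address values, the policy tables and the failure message text are constructed for the example and are not how ACS 5.0 itself stores or evaluates policy.

```python
"""TACACS+ (RFC 8907) command authorization exchange: IOS-style client and a minimal policy server.
Added example, not code from the lab, Cisco IOS or ACS; packet layout follows the RFC, the policy
tables are constructed to mirror this lab's users and command sets, not ACS's own engine."""
import hashlib
import os
import struct

# Constants from RFC 8907 (header, authorization request and reply).
VERSION = 0xC0                  # major version 0xC, minor version 0, as one wire byte
TYPE_AUTHOR = 0x02              # TAC_PLUS_AUTHOR
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
STATUS_PASS_ADD = 0x01          # TAC_PLUS_AUTHOR_STATUS_PASS_ADD
STATUS_FAIL = 0x10              # TAC_PLUS_AUTHOR_STATUS_FAIL
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain keyed with the shared secret (RFC 8907 section 4.5), truncated to the body length.
    Obfuscation, not authenticated encryption: the key (or one known plaintext) recovers the pad."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def seal(body, key, session_id, seq_no):
    """XOR the body with the pad and prepend the clear-text 12-byte header."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    obfuscated = bytes(a ^ b for a, b in zip(body, pad))
    return HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(obfuscated)) + obfuscated

def unseal(packet, key):
    """Parse the header and XOR the body back; returns (seq_no, session_id, body)."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TYPE_AUTHOR or length != len(packet) - HEADER.size:
        raise ValueError("not a well-formed authorization packet")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return seq_no, session_id, bytes(a ^ b for a, b in zip(packet[HEADER.size:], pad))

def author_request(user, priv_lvl, args, port=b"tty1", rem_addr=b"10.10.30.21"):
    """Authorization REQUEST body (RFC 8907 section 6.1); args are 'name=value' strings.
    port and rem_addr are constructed stand-ins for what the switch would send."""
    user_b, arg_b = user.encode(), [a.encode() for a in args]
    fixed = struct.pack("!BBBBBBBB", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user_b), len(port), len(rem_addr), len(arg_b))
    return fixed + bytes(len(a) for a in arg_b) + user_b + port + rem_addr + b"".join(arg_b)

def parse_request(body):
    """Inverse of author_request: (user, priv_lvl, [(name, value), ...]); 'cmd-arg' may repeat."""
    _meth, priv_lvl, _type, _svc, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    arg_lens, pos = body[8:8 + argc], 8 + argc
    user = body[pos:pos + ulen].decode()
    pos += ulen + plen + rlen                  # skip port and rem_addr
    pairs = []
    for ln in arg_lens:
        name, _sep, value = body[pos:pos + ln].decode().partition("=")
        pairs.append((name, value))
        pos += ln
    return user, priv_lvl, pairs

def author_reply(status, server_msg=""):
    """Authorization REPLY body (RFC 8907 section 6.2) carrying no returned attributes."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg

# Constructed policy mirroring the lab: a command set is (permit unlisted commands, listed
# commands) and each user maps to the command set its authorization rule returns.
COMMAND_SETS = {"Permit All": (True, []), "Permit Show": (False, ["show"])}
USER_COMMAND_SET = {"devadmin": "Permit All", "devop": "Permit Show"}

def evaluate(user, pairs):
    """The server's decision for one REQUEST, in the spirit of the lab's authorization rules."""
    args = dict(pairs)
    if user not in USER_COMMAND_SET or args.get("service") != "shell":
        return STATUS_FAIL
    permit_unlisted, listed = COMMAND_SETS[USER_COMMAND_SET[user]]
    return STATUS_PASS_ADD if permit_unlisted or args.get("cmd") in listed else STATUS_FAIL

def authorize_command(user, cmd, cmd_arg, key=b"cisco", priv_lvl=15):
    """One complete client/server round trip over the wire format; returns the reply status."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    args = ["service=shell", "cmd=" + cmd, "cmd-arg=" + cmd_arg, "cmd-arg=<cr>"]
    request = seal(author_request(user, priv_lvl, args), key, session_id, 1)
    # Server side: strip the pad, parse, decide, answer with the next sequence number.
    seq_no, sid, body = unseal(request, key)
    req_user, _priv, pairs = parse_request(body)
    status = evaluate(req_user, pairs)
    message = "" if status == STATUS_PASS_ADD else "Command authorization failed."
    reply = seal(author_reply(status, message), key, sid, seq_no + 1)
    # Client side: decode the reply; the first body byte is the status.
    return unseal(reply, key)[2][0]

if __name__ == "__main__":
    for who, command, argument in [("devop", "show", "running-config"), ("devop", "ping", "10.10.30.20")]:
        print(who, command, argument, "->", authorize_command(who, command, argument) == STATUS_PASS_ADD)
```

Calling authorize_command("devop", "ping", "10.10.30.20") returns STATUS_FAIL (0x10), which is what the switch turns into the Command Authorization failed message seen in Lab Exercise 10. Two points worth noticing in the code: the header travels in clear text and only the body is XORed with a pad derived from the session ID and the key, so a wrong key on either side produces garbage rather than an error, which is the usual cause of an unexplained fallback to none; and the same pad can be recovered from one known plaintext, so the shared key protects confidentiality only against a passive observer who does not already know the format of the traffic.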

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 8: Configure Policy Elements
Command Authorization Sets
Exercise Objective
In this exercise, your goal is to configure the Policy Elements - Command Authorization Sets
which will be used in the following task.
Lab Exercise Steps
Step 1 Go to Policy Elements -> Authorization and Permissions -> Device Administration ->
Command Sets and click on Create
Step 2 Create a Command Authorization set with the name Permit All and enable Permit any
command that is not in the table below as shown below

Step 3 Create a Command Authorization set with the name Permit Show and add the show
command as shown below


! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 9: Modify Authorization Profiles
Exercise Objective
In this exercise, your goal is to modify the authorization profiles to include Command
Authorization Sets in the Authorization Rules.
Lab Exercise Steps
Step 1 Go to Access Policies -> Access Services -> Device Admin -> Authorization and click
on the Customize button at the bottom right hand corner. Select the Command Sets under
Customize Results - Available and add to the Selected

Step 2 Next, edit the existing authorization rules.
Step 3 Select the Admin Rule and Edit it as shown below:

Step 4 Select the Operator Rule and Edit it as shown below:

Step 5 Click on Save Changes

! End of Exercise: You have successfully completed this exercise. Proceed to next section.
Lab Exercise 10: Test and View Reports
Exercise Objective
In this exercise, your goal is to test that the command authorization sets take effect based on the
user that logs in.
Lab Exercise Steps
Step 1 Telnet to the switch and login with the credentials devop/cisco123. Go to the enable
mode.
Step 2 Try to execute the following commands
show running-configuration
ping 10.10.30.20
configure terminal
Only the first command should execute successfully. The remaining commands fail with a
Command authorization failed error.
Step 3 Telnet to the switch and login with the credentials devadmin/cisco123
Step 4 Try to execute the following commands
show running-configuration
ping 10.10.30.20
configure terminal
All commands should execute successfully.
Step 5 On the ACS GUI, go to Monitoring and Reports -> Launch Monitoring & Report Viewer
Step 6 The Monitoring and Reports viewer opens in a new window. In it, go to Monitoring
and Reports -> Reports -> Catalog -> AAA Protocol and click on the TACACS
Authentication and TACACS Authorization reports. The Authentication report will be similar to the
report in Lab Exercise 6. The Authorization report will look similar to the below report

Step 7 Click on the icon under the Details column in the above report. A detailed report will be
shown similar to the report below.


! End of Exercise: You have successfully completed this exercise. Proceed to next section.
Appendix: Additional Resources
You can find other useful information related to the topics covered in this lab at the following
URLs:
http://cisco.com/en/US/products/ps9911/index.html
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/common_scenarios.html#wp1052519

! End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
