The CCIE Security syllabus lists both ACS and ISE for the lab. There is a huge overlap between the two, so why would you choose one over the other, and, more importantly (for me at least), which will I need to use for what in the exam?
ACS is actually at the end of its life: the last day to order 5.7 was earlier this year, so going forward the focus will be on ISE. But where does that leave CCIE Security lab exam takers?
ISE 1.1, the version on the blueprint, does not support TACACS+ (device administration over TACACS+ only arrived with ISE 2.0), so this is the one thing we can concentrate on.
Apart from this there really isn't anything where ACS trumps ISE. ISE is far better prepared for the BYOD (Bring Your Own Device) world than ACS ever was; it is a true NAC (Network Access Control) system, offering posture, profiling, guest access and AAA. Comparing the two is really just a game of numbers: ACS 5.7 and ISE are very closely matched, supporting much the same things, with one usually supporting a bit more than the other. ISE 2.0 supports 250,000 concurrent endpoints as opposed to ACS's 150,000, but ACS can support 100,000 network devices whereas ISE supports 30,000, and so on in this fashion. You can see Cisco's comparison between ACS and ISE here.
This kind of sizing is way beyond our interests for the CCIE lab though; we will only have a (large) handful of devices to configure. So, let's concentrate on TACACS+ for device access, and hope we don't get any curve balls from the proctor. This forum post does help us out a bit:
Occasionally, you may see more recent software versions installed in the lab. Listed above are the base versions used. Only the features in these versions will be tested. We may change software revisions to accommodate fixes etc, but we will not test features outside of those in the exam blueprints and checklist.
So, even if we see ISE 2.0 running in the lab, TACACS+ access to devices will not be tested on it, because the blueprint version (1.1) has no TACACS+ at all; for that we are back to ACS.
With all this said, and fingers crossed, let’s start going with ACS!
Cisco ACS Initial setup:
First of all, let's get ACS talking to our network. The syntax is fairly similar to IOS, and it's pretty quick to get the services started:
ACS57/admin# conf t
ACS57/admin(config)# int gigabitEthernet 0
ACS57/admin(config-GigabitEthernet)# ip add 10.1.4.151 255.255.255.0
Changing the IP may result in undesired side effects on any installed application(s).
Are you sure you want to proceed? Y/N [N]: Y
Shutting down ntpd: [ OK ]
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]
IP Address was modified. ACS is restarting and a new HTTP certificate will be generated.
Stopping ACS.
Stopping Management and View...............................................................
Stopping Runtime................
Stopping Database.....
Stopping Ntpd...
Cleanup...
Starting ACS ....
To verify that ACS processes are running, use the 'show application status acs' command.
% Warning: Could not find outgoing interface for gateway 192.168.20.1 while trying to add the route.
ACS57/admin(config-GigabitEthernet)# exi
ACS57/admin(config)# ip default-gateway 10.1.4.254
ACS57/admin(config)# ip name-server 10.1.4.100
% Name-server 10.1.4.100 ; added
Name Server was modified. You must restart ACS.
Do you want to restart ACS now? (yes/no) yes
ACS is not running. To start ACS type 'application start acs'.
Starting ACS .....................
To verify that ACS processes are running, use the 'show application status acs' command.
ACS57/admin(config)#
Two things in that output are worth noting: the IP change regenerated the HTTPS certificate, so the browser will present a new self-signed certificate to accept, and the old default gateway (192.168.20.1) could no longer be reached from the new subnet, which is why we set 10.1.4.254 straight afterwards. We can check the status:
ACS57/admin(config)# do sh app stat acs
ACS role: PRIMARY
Process 'database' running
Process 'management' Changed
Process 'runtime' running
Process 'ntpd' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
ACS57/admin(config)#
Once it's all running we access it through the browser, but, as a word of warning, Internet Explorer works better here. So far Firefox has worked much better than IE or Chrome for the rest of the lab, but IE wins with ACS, which is yet another good reason to switch to ISE 2.0.
Anyway, let's add the AP-DNS router into ACS and set up TACACS+ access.
Adding TACACS+ clients to ACS
We head over to Network Resources > Network Devices and AAA Clients.
To keep things neat, we’ll create a device type for “Routers”:
Click on “Create”:
Click on Submit. I then created another group for "Firewalls", because I'll need that later:
All that’s left is to fill in the rest of the details:
Fill in the IP address and the TACACS+ shared secret, then click on Submit. The same secret has to be configured on the router with the key command, and it deserves a long, random value per device or device group: TACACS+ only XORs the packet body with an MD5-derived pad keyed by this secret, with no integrity check, so anyone who captures the traffic and knows (or guesses) the key can read usernames, passwords and every command that was authorised.
Now we have our first device:
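To see what that shared secret actually protects on the wire, here is an added example (my own code, not from the post or from Cisco) that builds a TACACS+ authentication START packet the way a router sends it to ACS, then decodes it with the right and with a wrong key. The packet layout and the pseudo-pad follow RFC 8907. The username stuart and the key cisco123 are the ones used later in this lab; the session ID, the tty port and the remote address are made up.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants used here.
TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # header flag: body in clear text (debugging only, never in production)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"                # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
START_FMT = "!BBBBBBBB"               # action, priv_lvl, authen_type, service, user/port/rem_addr/data lengths


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it a second time restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port="tty1", rem_addr="10.1.4.200", priv_lvl=1):
    """Authentication START as the NAS sends it (seq_no 1), body obfuscated with the shared secret."""
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    body += user.encode() + port.encode() + rem_addr.encode()
    seq_no = 1
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_header(packet):
    """The 12-byte header is never obfuscated, so session_id and seq_no are always readable."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def decode_authen_start(packet, key):
    """What ACS, or anyone holding the key and a capture, recovers from the packet."""
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if not h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack(START_FMT, body[:8])
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr = body[off:off + rlen]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace")}


if __name__ == "__main__":
    pkt = build_authen_start(0x5EC0DE01, b"cisco123", "stuart")   # session ID is made up
    print(pkt.hex())
    print("right key:", decode_authen_start(pkt, b"cisco123"))
    print("wrong key:", decode_authen_start(pkt, b"not-the-key"))
</test>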
Let’s get ACS hooked up to AD.
Active Directory integration with ACS
For this to work we need to make sure our clocks are in sync and that DNS can resolve the domain. While we are here we also set the domain name, remove the time.nist.gov NTP server that ships as the default, and set the timezone:
ACS57/admin(config)# ntp server 10.1.4.100
The NTP server was modified. If this action resulted in a clock modification, you must restart ACS.
ACS57/admin(config)# end
ACS57/admin# sh clock
Sun Jun 12 09:36:40 UTC 2016
ACS57/admin# nslookup ccielab.local
Trying "ccielab.local"
ccielab.local. IN ANY
ccielab.local. 600 IN A 10.1.4.100
ccielab.local. 600 IN A 192.168.90.100
ccielab.local. 3600 IN NS ad.ccielab.local.
ccielab.local. 3600 IN SOA ad.ccielab.local. hostmaster.ccielab.local. 184 900 600 86400 3600
ad.ccielab.local. 3600 IN A 10.1.4.100
ad.ccielab.local. 3600 IN A 192.168.90.100
Received 159 bytes from 10.1.4.100#53 in 195 ms
ACS57/admin# conf t
ACS57/admin(config)# ip domain-name ccielab.local
ACS57/admin(config)# no ntp server time.nist.gov
ACS57/admin(config)# clock timezone GMT
Changing the system timezone may result in undesired side effects on any installed application(s).
Are you sure you want to proceed? Y/N [N]: Y
Time zone was modified. You must restart ACS.
Do you want to restart ACS now? (yes/no) yes
Stopping ACS.
Stopping Management and View...............................................................
Stopping Runtime......
Stopping Database.....
Stopping Ntpd...
Cleanup...
Starting ACS ....
To verify that ACS processes are running, use the 'show application status acs' command.
ACS57/admin(config)#
Without a working NTP server, ACS will not join AD: the join uses Kerberos, and the domain controller rejects requests whose timestamps are more than five minutes (the default tolerance) away from its own clock. Once NTP is supplying the time and everyone agrees what the correct time is, ACS should be able to join AD:
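As a pre-flight check before attempting the join, here is an added example (my code, not from the post or from Cisco) that asks the domain controller's NTP service for the time and reports whether the local clock is inside Kerberos tolerance. It assumes the DC at 10.1.4.100 answers SNTP on UDP/123, which the ntp server command above already relies on, and it uses AD's default five-minute skew limit; the server reply used for the offline check is constructed, not captured.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300         # Active Directory's default clock tolerance in seconds (assumed default)
NTP_FMT = "!BBbb11I"            # 48-byte SNTP packet: LI/VN/mode, stratum, poll, precision, 11 words


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (integer seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def parse_ntp_response(data, t1, t4):
    """Return (offset, round_trip_delay) per RFC 4330 from a server reply.

    t1 is the client's send time and t4 its receive time (Unix time);
    t2 and t3, the server's receive and transmit times, come from the packet.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FMT, data[:48])
    leap, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0 or leap == 3:
        # Kiss-o'-Death or "clock not synchronized": the server's time is not to be trusted.
        raise ValueError("server is not synchronized; do not trust its time")
    t2 = ntp_to_unix(f[11], f[12])   # receive timestamp
    t3 = ntp_to_unix(f[13], f[14])   # transmit timestamp
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def skew_ok(offset, max_skew=KERBEROS_MAX_SKEW):
    """True if the clock difference is inside what a Kerberos KDC will accept."""
    return abs(offset) < max_skew


def query_ntp(server, timeout=3.0):
    """Send one SNTP client request and return (offset, delay) against this host's clock."""
    request = bytearray(48)
    request[0] = 0x23              # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_ntp_response(data, t1, t4)


def make_server_reply(t2_unix, t3_unix, stratum=2, leap=0):
    """Constructed server reply for offline testing; not a real capture."""
    def to_ntp(u):
        whole = int(u)
        return whole + NTP_EPOCH_OFFSET, int((u - whole) * 2 ** 32)
    s2, f2 = to_ntp(t2_unix)
    s3, f3 = to_ntp(t3_unix)
    li_vn_mode = (leap << 6) | (4 << 3) | 4          # VN=4, mode=4 (server)
    return struct.pack(NTP_FMT, li_vn_mode, stratum, 6, -20,
                       0, 0, 0x4C4F434C,             # root delay, root dispersion, reference id "LOCL"
                       0, 0, 0, 0,                   # reference and originate timestamps (unused here)
                       s2, f2, s3, f3)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "10.1.4.100"   # the DC/NTP server from this lab
    off, rtt = query_ntp(server)
    verdict = "OK" if skew_ok(off) else "TOO FAR OUT FOR KERBEROS"
    print("offset %+.3fs, delay %.3fs -> %s" % (off, rtt, verdict))
```

Run it from a host on the same segment as ACS (the appliance shell does not give you Python); an offset in the hundreds of seconds, or a ValueError because the DC's own clock is unsynchronised, is the thing to fix before touching the AD join page.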
Now, we can leverage AD, and permit/limit/deny access as we see fit.
We have two users, so let's create two security groups: network-admin and network-support:
We can then pull these groups into ACS by clicking on the Directory Groups tab (see above):
We can also expose the group membership as a Directory Attribute (memberOf), which is what we will be using:
Once we have saved this, we can create a set of policies, which will use the different AD groups.
Cisco ACS Policies
As we have two distinct AD groups, we will have two distinct policies, each built from a shell profile and an authorization rule: one for level-15 access, another for level-3. First the LVL-15 shell profile:
We do the same again, creating a LVL-3 shell profile with the default privilege set to static 3:
Click on Save at the bottom.
Next, switch to the Authorization menu beneath it.
Click on Customize and add the Compound Condition entry:
Click on OK, then click on Create. The first rule I have called Rule-LVL-15:
Here we have selected a compound condition tying the memberOf attribute from AD to the shell profile LVL-15. We do the same for the other AD group, and end up with something like this (leave the default rule at Deny Access, so a user who is in neither group gets no shell at all):
Make sure you save your changes.
Let's set up the AP-DNS router.
Configuring IOS routers for TACACS+
We only need a few commands, and these are pretty similar to the ones we saw with ISE. Keep a console session open while you do this: once aaa new-model is in place, a typo in the method list or a key that doesn't match ACS can lock you out of the vty lines, and the trailing local method only saves you if a local username actually exists:
AP-DNS(config)#aaa new-model
AP-DNS(config)#aaa authentication login default group tacacs+ local
AP-DNS(config)#aaa authorization exec def group tacacs+ local
AP-DNS(config)#aaa authorization console
AP-DNS(config)#
AP-DNS(config)#tacacs-server host 10.1.4.151
Warning: The cli will be deprecated soon
 'tacacs-server host 10.1.4.151'
 Please move to 'tacacs server ' CLI
AP-DNS(config)#tacacs server TAC-Servers
AP-DNS(config-server-tacacs)#address ipv4 10.1.4.151
AP-DNS(config-server-tacacs)#
Jun 12 19:25:51.975: %TAC-3-SERVCONF: Server config failure: A server already exists with the same address.
AP-DNS(config-server-tacacs)#exit
Warning: Address not yet configured.
AP-DNS(config)#no tacacs-server host 10.1.4.151
AP-DNS(config)#tacacs server TAC-Servers
AP-DNS(config-server-tacacs)#address ipv4 10.1.4.151
AP-DNS(config-server-tacacs)#key cisco123
AP-DNS(config-server-tacacs)#exit
AP-DNS(config)#
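Before relying on a configuration like this outside a lab, it is worth checking the AAA block for the things that lock you out or leak credentials. The script below is an added example (mine, not from the post or from Cisco); it walks a saved IOS configuration and flags a local fallback with no local user, a TACACS+ server without a key, the deprecated tacacs-server host form, a short shared secret, and vty lines that still allow telnet. Both configurations embedded in it are constructed: the first is modelled on the AP-DNS commands above plus the vty line the post does not show, the second is the same box with the gaps closed. The 16-character key floor is a local policy choice, not an IOS rule, and the placeholder secrets are not real.

```python
# Constructed: the AP-DNS configuration from the post, plus a vty line it did not show.
LAB_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization console
tacacs server TAC-Servers
 address ipv4 10.1.4.151
 key cisco123
line vty 0 4
 transport input telnet
"""

# Constructed: the same box with the gaps closed (placeholder values, not real secrets).
HARDENED_CONFIG = """\
aaa new-model
username netadmin privilege 15 secret Local-Fallback-Only-2016
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization console
tacacs server TAC-Servers
 address ipv4 10.1.4.151
 key Lab-TACACS-Shared-Secret-2016
line vty 0 4
 transport input ssh
"""

MIN_KEY_LEN = 16   # local policy assumption, not an IOS requirement


def parse_config(text):
    """Split an IOS config into top-level lines and {section header: [indented child lines]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def method_list(top, prefix):
    """Return the method names after e.g. 'aaa authentication login default', or None if absent."""
    for line in top:
        if line.startswith(prefix + " "):
            return line[len(prefix):].split()
    return None


def audit_aaa(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings = []
    if "aaa new-model" not in top:
        return ["aaa new-model missing: the TACACS+ method lists are not in effect"]

    for name in ("aaa authentication login default", "aaa authorization exec default"):
        methods = method_list(top, name)
        if methods is None:
            findings.append(f"{name}: no method list defined")
            continue
        if "tacacs+" not in methods:
            findings.append(f"{name}: TACACS+ is not used")
        if "local" not in methods:
            findings.append(f"{name}: no local fallback, a TACACS+ outage locks you out")
    login = method_list(top, "aaa authentication login default") or []
    if "local" in login and not any(line.startswith("username ") for line in top):
        findings.append("local fallback configured but no local username exists")

    if any(line.startswith("tacacs-server host") for line in top):
        findings.append("tacacs-server host is deprecated; use the tacacs server block")
    servers = [h for h in sections if h.startswith("tacacs server ")]
    if not servers:
        findings.append("no tacacs server defined")
    for hdr in servers:
        body = sections[hdr]
        if not any(l.startswith("address ipv4 ") or l.startswith("address ipv6 ") for l in body):
            findings.append(f"{hdr}: no address configured")
        keys = [l.split(None, 1)[1] for l in body if l.startswith("key ")]
        if not keys:
            findings.append(f"{hdr}: no key, authentication against ACS will fail")
        elif len(keys[0].split()[-1]) < MIN_KEY_LEN:   # tolerates the 'key 0 <text>' / 'key 7 <hash>' forms
            findings.append(f"{hdr}: shared secret shorter than {MIN_KEY_LEN} characters")

    for hdr in sections:
        if hdr.startswith("line vty"):
            transports = [l for l in sections[hdr] if l.startswith("transport input")]
            if not transports:
                findings.append(f"{hdr}: transport input not restricted")
            elif any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"{hdr}: telnet allowed, AD credentials cross the wire in clear text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_aaa(cfg) or ['no findings']}")
```

Feed it the output of show running-config (copied to a file) rather than typing a config in by hand; the parser only relies on IOS's one-space indentation for sub-mode lines, which survives a copy from a terminal.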
Now let's test, from SW1 over telnet (fine for the lab, but it does mean the AD credentials cross the wire in clear text; anywhere real, use SSH):
SW1#telnet 10.1.4.101
Trying 10.1.4.101... Connected to 10.1.4.101.
Escape character is 'off'.

username: stuart
password:
AP-DNS#sh privilege
Current privilege level is 15
AP-DNS#
Now let’s try Bob:
SW1#telnet 10.1.4.101
Trying 10.1.4.101... Connected to 10.1.4.101.
Escape character is 'off'.

username: dodgybob
password:
AP-DNS#sh priv
Current privilege level is 3
AP-DNS#
In the next post we’ll look at how we can set up the ASAs for similar access, and why TACACS+ is the best solution for them (when compared with Microsoft NPS).