CCIE Security Lab: ACS vs ISE, and ACS initial setup

The CCIE Security syllabus lists both the ACS and the ISE for the lab. There is a huge overlap between the two though, so why would you choose one over the other, and more importantly (for me at least), which will I need to use for what in the exam?

ACS is actually at the end of its life, the last day to order 5.7 was earlier this year, so going forward the focus will be on ISE.  But where does that leave the CCIE Security lab exam takers?

Well, there are clearly a few places where ISE wins, such as guest access through portals, which is not an option with ACS, but ACS has traditionally been more concerned with device access, such as TACACS+, and without actually doing the research, ISE does not seem as fully kitted-out in this particular field (https://learningnetwork.cisco.com/message/282658#282658). However, TACACS+ was fully supported, as of ISE 2.0. But the ISE version in the lab is listed as 1.1x, pre ISE 2.0 we are limited to RADIUS. So, let’s use that version as our guiding point for ideas.

ISE 1.1 does not support TACACS+, so this is (the) one thing we can concentrate on.

Apart from this there really is not anything more where ACS trumps ISE. ISE is far more prepared for the BYOD world (Bring Your Own Device) than ACS ever was, it’s a true NAC (Network Access Control) system, offering posturing, profiling, guest access and AAA. Comparing the two, it’s really just a game of numbers, ACS 5.7 and ISE are very closely match, supporting much the same stuff, just one usually supports more than the other, such as ISE 2.0 supporting 250,000 endpoints (concurrent), as opposed to ACS’s 150,000. But then ACS can support 100,000 network devices, whereas ISE supports 30,000, and so on and so forth in this fashion. You can see a comparison between ACS and ISE here.

This kind of sizing is way beyond our interests in terms of the CCIE lab though, we will only have a (large) handful of devices to configure. So, let’s concentrate on TACACS+ for device access, and hope we don’t get any curve balls from the proctor. This forum post does help us out a bit:

Occasionally, you may see more recent software versions installed in the lab. Listed above are the base versions used. Only the features in these versions will be tested. We may change software revisions to accommodate fixes etc, but we will not test features outside of those in the exam blueprints and checklist.

So, while we might see ISE 2.0 running in the lab, TACACS+ access to devices would not be running on this version, so we would be back to ACS to that.

With all this said, and fingers crossed, let’s start going with ACS!

Cisco ACS Initial setup:

First of all, let’s get ACS talking to our network. The syntax is all fairly similar to the IOS, and it’s pretty quick to get the services started:

ACS57/admin# conf t
ACS57/admin(config)# int gigabitEthernet 0
ACS57/admin(config-GigabitEthernet)# ip add 10.1.4.151 255.255.255.0

Changing the IP may result in undesired side effects on
any installed application(s).
Are you sure you want to proceed? Y/N [N]: Y
Shutting down ntpd: [  OK  ]
ntpd: Synchronizing with time server: [  OK  ]
Starting ntpd: [  OK  ]
IP Address was modified. 
ACS is restarting and a new HTTP certificate will be generated.
Stopping ACS.
Stopping Management and View...............................................................
Stopping Runtime................
Stopping Database.....
Stopping Ntpd...
Cleanup...
Starting ACS ....

To verify that ACS processes are running, use the 
'show application status acs' command.
% Warning: Could not find outgoing interface for gateway 192.168.20.1 while trying to add the route.

ACS57/admin(config-GigabitEthernet)# exi
ACS57/admin(config)# ip default-gateway 10.1.4.254
ACS57/admin(config)# ip name-server 10.1.4.100
% Name-server 10.1.4.100 ; added
Name Server was modified. You must restart ACS.
Do you want to restart ACS now? (yes/no) yes
ACS is not running.
To start ACS type 'application start acs'.
Starting ACS .....................

To verify that ACS processes are running, use the 
'show application status acs' command.
ACS57/admin(config)#

We can check the status:

ACS57/admin(config)# do sh app stat acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                Changed
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

ACS57/admin(config)#

Once it’s all running we access it through the browser, but, just as a word of warning, Internet Explorer does work better here. So far, Firefox has been working much better than IE or Chrome, but IE wins with ACS, which again is another good reason to switch to ISE 2.0.

Anyway, let’s add the AP-DNS router into ACS, and setup TACACS+ access.

Adding TACACS+ clients to ACS

We head over to Network Resources > Network Devices and AAA Clients

To keep things neat, we’ll create a device type for “Routers”:

Click on “Create”:

Click on Submit, I then created another group for “Firewalls” because I’ll need that later:

We now have two groups:

 

All that’s left is to fill in the rest of the details:

Fill in the IP address, and the TACACS+ shared secret. Click on Submit.

Now we have our first device:

Let’s get ACS hooked up to AD.

Active Directory integration with ACS

For this to work we need to make sure our clocks are synced, and that DNS is going to work:

ACS57/admin(config)# ntp server 10.1.4.100
The NTP server was modified.
If this action resulted in a clock modification, you must restart ACS.
ACS57/admin(config)# end
ACS57/admin# sh clock
Sun Jun 12 09:36:40 UTC 2016
ACS57/admin# nslookup ccielab.local
Trying "ccielab.local"
ccielab.local.                 IN      ANY

ccielab.local.          600     IN      A       10.1.4.100
ccielab.local.          600     IN      A       192.168.90.100
ccielab.local.          3600    IN      NS      ad.ccielab.local.
ccielab.local.          3600    IN      SOA     ad.ccielab.local. hostmaster.ccielab.local. 184 900 600 86400 3600

ad.ccielab.local.       3600    IN      A       10.1.4.100
ad.ccielab.local.       3600    IN      A       192.168.90.100

Received 159 bytes from 10.1.4.100#53 in 195 ms

ACS57/admin# conf t
ACS57/admin(config)# ip domain-name ccielab.local
ACS57/admin(config)# no ntp server time.nist.gov
ACS57/admin(config)# clock timezone GMT
Changing the system timezone may result in undesired side effects on
any installed application(s).
Are you sure you want to proceed? Y/N [N]: Y
Time zone was modified. You must restart ACS.
Do you want to restart ACS now? (yes/no) yes
Stopping ACS.
Stopping Management and View...............................................................
Stopping Runtime......
Stopping Database.....
Stopping Ntpd...
Cleanup...
Starting ACS ....

To verify that ACS processes are running, use the 
'show application status acs' command.
ACS57/admin(config)#

Without a decent NTP server running, ACS will not join AD. Once NTP is supplying the time, and everyone agrees what the correct time is, ACS should be able to join AD:

 

 

Now, we can leverage AD, and permit/limit/deny access as we see fit.

We have two users, so let’s create two security groups; network-admin, and network-support:

We can then pull these groups into ACS, by clicking on the Directory Groups tab (see above):

We can also use this as a Directory Attribute (which is what we will be using):

Once we have saved this, we can create a set of policies, which will use the different AD groups.

Cisco ACS Policies

As we have two distinct AD groups, we will have two distinct policies; one for level-15 access, another for level-3:

 

We do the same again, creating a LVL-3 group with a default privilege set to static 3:

Now let’s link the AD groups to these policies. Head over to Access Policies > Default Device Admin > Identity:
Change this to AD1:

Click on Save at the bottom.

Next switch to the Authorization menu beneath it.

Click on Customize, and add the Compound Condition entry:

Click on OK, then click on Create. The first one I have called Rule-LVL-15:

Here we have selected a compound condition, tying the memberOf attribute in AD, to the shell profile LVL-15. We do the same for the other AD group, and end up getting something like this:

Make sure you save your changes.

Let’s set up the AP-DNS server.

Configuring IOS routers for TACACS+

We only need a few commands, and these are pretty similar to the ones we saw with ISE:

AP-DNS(config)#aaa new-model 
AP-DNS(config)#aaa authentication login default group tacacs+ local
AP-DNS(config)#aaa authorization exec def group tacacs+ local
AP-DNS(config)#aaa authorization console
AP-DNS(config)#
AP-DNS(config)#tacacs-server host 10.1.4.151
 Warning: The cli will be deprecated soon
 'tacacs-server host 10.1.4.151'
 Please move to 'tacacs server ' CLI
AP-DNS(config)#tacacs server TAC-Servers
AP-DNS(config-server-tacacs)#address ipv4 10.1.4.151
AP-DNS(config-server-tacacs)#
Jun 12 19:25:51.975: %TAC-3-SERVCONF: Server config failure: A server already exists with the same address.
AP-DNS(config-server-tacacs)#exit
Warning: Address not yet configured.
AP-DNS(config)#no tacacs-server host 10.1.4.151
AP-DNS(config)#tacacs server TAC-Servers       
AP-DNS(config-server-tacacs)#address ipv4 10.1.4.151         
AP-DNS(config-server-tacacs)#key cisco123
AP-DNS(config-server-tacacs)#exit
AP-DNS(config)#

Now let’s test:

SW1#telnet 10.1.4.101
Trying 10.1.4.101...
Connected to 10.1.4.101.
Escape character is 'off'.

username: stuart
password: 

AP-DNS#sh privilege 
Current privilege level is 15
AP-DNS#

Now let’s try Bob:

SW1#telnet 10.1.4.101
Trying 10.1.4.101...
Connected to 10.1.4.101.
Escape character is 'off'.

username: dodgybob
password: 

AP-DNS#sh priv
Current privilege level is 3
AP-DNS#

Perfect!

In the next post we’ll look at how we can set up the ASAs for similar access, and why TACACS+ is the best solution for them (when compared with Microsoft NPS).

3 Comments

  1. Marcus V Morais June 13, 2016
  2. Ryan Milton (@1860rm) May 9, 2017

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.