[c-nsp] Cisco ACS question

Bielawa, Daniel W. (NS) dwbielawa at liberty.edu
Thu Feb 4 09:07:22 EST 2010


The setup you are looking for is two parts. The first part is on the network device that you want to authenticate using TACACS. The second part is in the ACS server itself.

In our network we use TACACS for authentication, authorization, and accounting for network logins. Below is a link to the Cisco TACACS configuration guide for a 3750.


In ACS we have our devices configured using TACACS. I would recommend setting up a separate group in ACS for your admin accounts. Then add those devices to that group, with the enable option set to the maximum privilege level of 15. Do not allow your general user group access to the devices configured for TACACS and they will not be able to login to them.

Thank You

Daniel Bielawa 
Network Engineer
Liberty University Network Services
Email: dwbielawa at liberty.edu
Phone: 434-592-7987

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Gabriel
Sent: Thursday, February 04, 2010 8:48 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ACS question

I don't have a lot of experience with Cisco ACS boxes and the Cisco
documentation doesn't explain this clearly so am hoping somebody could share
their experience or provide some ideas.

We have 2 Cisco ACS boxes (4.2) that are currently used for providing Radius
authentication to wireless users (Cisco WLC). At the back end it is linked
to our Microsoft Active Directory and the ACS doesn't have any user
accounts, it just interfaces between the Active Directory servers and the
wireless clients.

My question is, how do I use the existing ACS servers to run Radius and
TACACS for AAA for various network devices on the network. In other words,
how do I run a separate set of authentication for the network engineers to
manage their devices, using the existing ACS infrastructure, without:

   1. Disrupting or changing the existing authentication for Wireless
   2. Allowing any general wireless user to authenticate to our network
   devices (I don't mind having a separate AD group for the network admins so
   the rest of the users can be filtered, or even manually setting up local
   accounts for the few network engineers on the ACS boxes).

Would appreciate any suggestions or ideas.
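The device-side half of the setup Daniel describes in his reply above, as an added example that is not part of either message. It is an IOS configuration for a switch such as the 3750 mentioned; the server addresses, Loopback0 source interface, shared secret and local fallback account are placeholders. The ACS side (an admin group containing the devices, enable privilege level 15, and no access for the general wireless group) is done in the ACS GUI and is not shown.

```cisco
! Enable the AAA framework. Note: this immediately changes how all
! lines authenticate, so keep an existing session open while you apply it.
aaa new-model
!
! TACACS+ servers (placeholder addresses) and shared secret (placeholder)
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
tacacs-server key REPLACE_WITH_SHARED_SECRET
ip tacacs source-interface Loopback0
!
! Local fallback used only when no TACACS+ server answers (placeholder names)
username localadmin privilege 15 secret REPLACE_WITH_LOCAL_PASSWORD
enable secret REPLACE_WITH_ENABLE_SECRET
!
! Named method lists: try TACACS+ first, fall back to the local database.
! With the ACS admin group returning privilege 15, engineers land in enable
! mode directly; anyone not in that group is rejected by ACS.
aaa authentication login ADMIN-LOGIN group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec ADMIN-EXEC group tacacs+ local
aaa authorization commands 15 ADMIN-CMDS group tacacs+ local
aaa accounting exec ADMIN-ACCT start-stop group tacacs+
aaa accounting commands 15 ADMIN-ACCT start-stop group tacacs+
!
! Apply the lists to the console and VTY lines; SSH only on the VTYs
line con 0
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
line vty 0 15
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 authorization commands 15 ADMIN-CMDS
 accounting exec ADMIN-ACCT
 accounting commands 15 ADMIN-ACCT
 transport input ssh
```

Because these are named lists rather than `default`, the existing RADIUS configuration used for the wireless controllers is untouched; check the result with `test aaa group tacacs+ <user> <password> legacy` and `show tacacs` before closing your original session.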
