| This section goes through the configuration steps required to integrate Router MC with Cisco Secure ACS Server for authentication and authorization. Understanding User Permissions To log into Router MC, your username and password must be authenticated. After authentication, Router MC establishes what your role is within the application. This role defines the set of Router MC Tasks or operations that you are authorized to perform. If you are not authorized for certain Router MC tasks or for certain devices, the related Router MC Menu items, TOC items, and buttons will be hidden or disabled. Either the CiscoWorks server or Cisco Secure Access Control Server (ACS) manages authentication and authorization for Router MC. By default, authentication and authorization is managed by CiscoWorks. You can change to ACS using CiscoWorks Common Services. See the documentation for CiscoWorks Common Services for details on how to specify ACS for authentication and authorization. The sections that follow cover user permissions for Router MC. CiscoWorks Server Roles and Router MC Permissions CiscoWorks has five role types that correspond to likely functions within your organization: Help desk User has read-only access for viewing devices, device groups, and the entire scope of a VPN. Approver User can review policy changes, and either approve or reject them. User can also approve or reject deployment jobs. Network operator User can make policy changes (but not device inventory changes) and create and deploy jobs. Note that a network operator's activities and jobs must be approved by an Approver. System administrator User can perform CiscoWorks server tasks and can make changes to the device hierarchy (such as move or delete devices). The system administrator can also change administrative settings. Network administrator User can perform all CiscoWorks server and Router MC Tasks. A network administrator can also add users to the system with CiscoWorks or ACS, set user passwords and assign user roles and privileges. Table 20-1 shows how Router MC Permissions are mapped to these roles in ACS. Table 20-1. Router MC Permissions and Associated RolesRouter MC Permission in ACS | Permitted Router MC Tasks | Help Desk | Approver | Network Operator | System Admin | Network Admin |
|---|
View Config | Activity and Job Workflow: VPN and Firewall Settings and Policies: | Yes | Yes | Yes | Yes | Yes | View Admin | | Yes | Yes | Yes | Yes | Yes | View CLI | View CLI commands for policy definitions, per activity, in the Configuration tab. View the CLI commands generated for the devices in a deployment job, in the Deployment tab.
| No | Yes | Yes | Yes | Yes | Modify Config | Device Management: Specify device credentials. Import devices (also need Modify Device-List permission). Reimport devices. Edit devices. Move and delete devices (also need Modify Device-List permission). Create device groups (also need Modify Device-List permission). Delete device groups (also need Modify Device-List permission).
Activity and Job Workflow: VPN and Firewall Settings and Policies: Define/modify general, hub, and spoke settings. Create/modify IKE and VPN tunnel policies. Create/modify access rules. Create/modify transform sets. Create/modify translation rules. Create/modify network groups. Upload policies to target device.
| No | No | Yes | No | Yes | Modify Device-List | Device Management: Import devices (also need Modify Config permission). Move and delete devices (also need Modify Config permission). Create device groups (also need Modify Config permission). Delete device groups (also need Modify Config permission). Add unmanaged spoke.
Activity Workflow: Create activity. Submit activity. Delete activity.
| No | No | No | Yes | Yes | Modify Admin | Administration: Activity Workflow: | No | No | No | Yes | Yes | Approve Activity | Approve a submitted activity, thereby committing its policy configurations to the database. Reject a submitted activity.
| No | Yes | No | No | Yes | Approve Job | Approve a job so that it can be deployed. | No | Yes | No | No | Yes | Deploy | | No | No | Yes | No | Yes |
ACS Roles and Router MC Permissions Cisco Secure Access Control Server (ACS) supports application-specific roles. Each role is made up of a set of permissions that determine the role's level of access to Router MC Tasks. Each user group is assigned a role and each user in the group can perform Router MC Actions based on the permissions in the role. Furthermore, these roles can be assigned to ACS device groups, which allow permissions to be differentiated on different sets of devices. ACS device groups are completely independent of Router MC Device groups. Router MC provides default roles and permissions in ACS. Some permissions must be configured on the managed devices and others on the Router MC Management Station, as specified in the list that follows. The available Router MC permissions in ACS are as follows: View Config Users can view settings and policies but cannot make changes. View Admin Users can view Router MC Application settings. This permission must be configured on the Router MC Management Station. View CLI Users can view the current and previous configurations on managed devices and can preview the CLI commands to be generated for or deployed to the devices by Router MC. Modify Config Users can define and modify policies. Modify Device-List Users can make changes to the Router MC Device inventory. This permission must be configured on the Router MC Management Station. Modify Admin Users can modify Router MC Application settings. This permission must be configured on the Router MC Management Station. Approve Activity Users can approve activities. This permission must be configured on the Router MC Management Station. Approve Job Users can approve jobs. This permission must be configured on the Router MC Management Station. Deploy Users can deploy VPN and firewall policy configurations to devices or files. These permissions are mapped to roles in ACS. These roles are the same as the CiscoWorks roles.
Setting up Router MC to Work with ACS You need Cisco Access Control Server (ACS) 3.2 to use ACS device groups and permissions with Router MC. To work with ACS device groups and user permissions, you must define your username in ACS and in CiscoWorks, and follow the setup procedure as follows: Step 1. | Define the Router MC server in ACS.
| Step 2. | Define the Login Module in CiscoWorks as TACACS+.
| Step 3. | Synchronize CiscoWorks Common Services with the ACS server configuration.
| Step 4. | Define usernames, device groups, and user groups in ACS.
|
The sections that follow provide details about the preceding steps. Step 1: Define the Router MC Server in ACS Work through the steps that follow to define Router MC in ACS: Step 1. | In ACS, select Network Configuration.
| Step 2. | Add the Router MC server to a device group, or add it as an individual device, depending on the ACS setup.
| Step 3. | Enter the ACS shared key in the Key field.
| Step 4. | Click on Submit + Restart button.
|
Step 2: Define the Login Module in CiscoWorks as TACACS+ Work through the steps that follow to define the login module in CiscoWorks as TACACS+: Step 1. | In the CiscoWorks desktop, select Server Configuration > Setup > Security > Select Login Module.
| Step 2. | If it is not already selected, select TACACS+.
| Step 3. | In the Login Module Options window, enter the ACS server name, change the default port if necessary, and enter the ACS shared key that you defined in ACS for the Router MC server.
| Step 4. | Click Finish.
|
Step 3: Synchronize CiscoWorks Common Services with the ACS Server Configuration Work through the steps that follow for the synchronization: Step 1. | In the CiscoWorks desktop, select VPN/Security Management Solution > Administration > Configuration > AAA Server.
| Step 2. | In the AAA Server Information window, click Synchronize.
| Step 3. | Add login details. Enter the ACS shared key that you defined in ACS for the Router MC server.
| Step 4. | Click Register.
| Step 5. | Select iosmdc, and then click Add to add the Router MC Permission roles in ACS.
| Step 6. | Click OK.
| Step 7. | Click Finish.
|
Step 4: Define Usernames, Device Groups, And User Groups in ACS Work through the steps that follow to configure user and group information: Step 1. | In ACS, select User Setup to define usernames. You must define the same username and password for both CiscoWorks authentication and ACS authentication.
| Step 2. | Select Group Setup to define permissions for device groups.
|
Note To remove the CiscoWorks permission roles from ACS, click Unregister in the AAA Server Information window. To restore CiscoWorks permission roles in ACS after you have deleted them with the Unregister button, click Register in the AAA Server Information window.
|
