Adding Users to the Database


To add a local user to the ACS database, use the following step sequence. It adds the user to the ACS database and places that user in the default group.

When you add a user to a group, that user inherits the settings of the group. As discussed previously in the book, you can configure user-specific settings that override the group settings; user settings always take precedence over group settings.

Step 1.

Select the User Setup button from the left frame menu.

Step 2.

In the form field, enter the new username and select Add/Edit. For our examples, we use aaauser as the username and cisco as the password.

Step 3.

Enter the password that is to be assigned to this user in the field labeled "CiscoSecure PAP" (this is also used for CHAP/MS-CHAP/ARAP, if the Separate field is not checked).

Step 4.

Confirm the password by entering it again in the field below.

Step 5.

Select Submit.

In this example, the password authentication database in the drop-down list is the CiscoSecure database. This does not use a Windows database or other external user database. Rather, this entry is contained in the ACS database. Also, the "Separate (CHAP/MS-CHAP/ARAP)" option is not selected. In this situation, the same password would be used for PAP, CHAP, MS-CHAP, and ARAP authentications.

Authenticating a User

The preceding step sequence has now added a single user to the ACS database. The defaults are to use the local database to authenticate and to add the user to the default group. For example purposes, you can use a PIX Firewall to authenticate a user when that user makes an outbound connection to an Internet web page or any TCP connection. Figure 7-1 shows this topology.

Figure 7-1. PIX Firewall AAA Topology


The way that PIX Firewalls work for AAA is a little tricky to understand. While you can perform AAA on any type of traffic, you can deliver an authentication prompt to a user only via Telnet, HTTP, or FTP. Therefore, if you want to authenticate a user that makes a connection to a device outside of the firewall and the protocol in use is NOT Telnet, HTTP, or FTP, the user must authenticate first with one of those three protocols. After users open a Telnet session and authenticate, they can then use other protocols. Of course, this assumes that the other protocol traffic is permitted through the PIX Firewall. Example 7-1 demonstrates a basic PIX Firewall configuration with AAA authentication taking place.

Example 7-1. PIX Firewall Configuration with AAA

 timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity
 aaa-server TACACS+ protocol tacacs+
 aaa-server RADIUS protocol radius
 aaa-server LOCAL protocol local
 aaa-server MYTACACS protocol tacacs+
 aaa-server MYTACACS (inside) host 10.1.1.50 secretkey timeout 10
 aaa authentication match AAA inside MYTACACS
     This tells the PIX to authenticate all outbound TCP connections.
 aaa authentication telnet console MYTACACS
     This tells the PIX to authenticate administrators that telnet to the PIX Firewall.
     This is not the recommended method of management for a firewall; rather, you should
     use ssh. This is here for example purposes.
 aaa authorization match AAA inside MYTACACS
     This tells the PIX to authorize all TCP traffic making connections from the inside interface.
 aaa accounting match AAA inside MYTACACS
     This tells the PIX to perform accounting for all TCP traffic originating on the inside interface.

The most important part of this configuration is defining the ACS device as the server for authentication. This is done by entering the aaa-server command. With the aaa-server command, you define the protocol that the AAA client (in this case the PIX Firewall) uses to communicate with ACS; the options are TACACS+ or RADIUS. In Figure 7-1, we use the TACACS+ protocol.

Another key element of the AAA configuration is the secret key that is defined. In this example, we use secretkey as the secret key. This key must match the key defined for this AAA client on the ACS device. Figure 7-2 demonstrates the configuration of the PIX Firewall as an AAA client in the ACS device.

Figure 7-2. Editing the AAA Client in ACS


Adding a New AAA Client

To add a new AAA client, follow these steps:

Step 1.

Select Network Configuration.

Step 2.

Select Add Entry.

Step 3.

Enter the information for the new AAA client. For our example, we use the following information:

- Name: pixfirewall

- AAA Client IP Address: 192.168.1.1

- Key: secretkey

- Authenticate Using: TACACS+ (Cisco IOS)

- All other options deselected

Step 4.

Select Submit + Restart.

This sequence adds a new AAA client to the ACS database. Figure 7-1 also illustrates the parameters that you need to include when you enter an AAA client. These parameters include the IP address of the AAA client, secret key, and AAA client name. To edit an existing entry, simply select the name of the entry you want to edit.
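As an added check (not part of the book or of Cisco's tooling), the following Python script cross-checks the PIX AAA commands of Example 7-1 against the AAA client entry created in the steps above: each aaa command must reference a defined server group that has a host and a known interface, the shared key and protocol on the PIX must match what ACS holds for the PIX's address, and Telnet console authentication is flagged because the example itself recommends ssh. It assumes the PIX inside interface address is 192.168.1.1 (the AAA Client IP entered in ACS) and includes one mistyped interface name in the constructed sample so the check has something to report.

```python
import re

# Constructed sample: the AAA lines of Example 7-1 plus the ACS AAA client entry from
# the steps above; interface "insode" is mistyped on purpose so the check flags it.
PIX_CONFIG = """\
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.1.1.50 secretkey timeout 10
aaa authentication match AAA inside MYTACACS
aaa authentication telnet console MYTACACS
aaa authorization match AAA insode MYTACACS
aaa accounting match AAA inside MYTACACS
"""
ACS_CLIENTS = {"192.168.1.1": {"name": "pixfirewall", "key": "secretkey", "protocol": "tacacs+"}}
PIX_INTERFACES = {"inside": "192.168.1.1"}  # assumed: inside address = AAA Client IP in ACS

def check_pix_aaa(config, acs_clients, interfaces):
    """Return a list of findings; an empty list means PIX and ACS agree."""
    findings, protocols, hosts = [], {}, {}   # group -> protocol, group -> [(ifc, host, key)]
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            protocols[m[1]] = m[2]
        elif m := re.match(r"aaa-server (\S+) \((\S+)\) host (\S+) (\S+)", line):
            hosts.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"aaa (\w+) (match \S+|telnet|ssh|http|serial) (\S+) (\S+)$", line):
            kind, ifc, group = m[1], m[3], m[4]
            if group not in protocols:
                findings.append(f"{kind}: server group {group} is not defined")
            elif group not in hosts:
                findings.append(f"{kind}: server group {group} has no host")
            if ifc != "console" and ifc not in interfaces:
                findings.append(f"{kind}: unknown interface '{ifc}'")
            if m[2] == "telnet":   # the book itself recommends ssh over telnet for management
                findings.append("telnet console authentication; prefer ssh for management")
    for group, entries in hosts.items():         # compare each server entry with ACS's view
        for ifc, host, key in entries:
            client = acs_clients.get(interfaces.get(ifc))
            if client is None:
                findings.append(f"ACS has no AAA client entry for the {ifc} address")
            elif client["key"] != key:
                findings.append(f"shared key mismatch for {host} (group {group})")
            elif client["protocol"] != protocols.get(group):
                findings.append(f"protocol mismatch for {host} (group {group})")
    return findings

if __name__ == "__main__":
    for finding in check_pix_aaa(PIX_CONFIG, ACS_CLIENTS, PIX_INTERFACES):
        print("WARN:", finding)
```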

For the configured parameters to take effect, you must submit and restart. Also, you can see in Figure 7-3 that after you select the option to submit and restart, the page refreshes to Network Configuration.

Figure 7-3. Network Configuration

Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
