Creating a Complete Distributed Network


You can now tie the configurations discussed in this chapter together and create a complete distributed network. You started out with a network that you wanted to make a distributed system and added a Proxy Distribution Table to forward authentication requests to other ACSs. After your Proxy Distribution Table was created, you were able to configure remote accounting. You also enabled NDGs along the way and discovered how to search them. The following is a recap of all the steps that you performed in this chapter in an order that keeps your ACS configuration clean and easily readable.

The steps required to perform this task include enabling the necessary options in Interface Configuration, configuring an NDG, moving and manipulating AAA servers and clients, and configuring the Proxy Distribution Table. Finally, you search the NDGs for specific devices for configuration and troubleshooting purposes.

To create a complete distributed network, perform the following tasks:

Step 1.

Select Interface Configuration.

Step 2.

Select Advanced Options.

Step 3.

Place a check mark next to Distributed System Settings and Network Device Groups.

Step 4.

Select Submit.

Step 5.

Select the Network Configuration button on the left menu bar of ACS.

Step 6.

Under the Network Device Groups table, click Add Entry.

Step 7.

Select Add.

Step 8.

Next, enter a name for the NDG, in this case Firewalls.

Step 9.

Click Submit.

Step 10.

Click Network Configuration.

Step 11.

Select the (Not Assigned) group.

Step 12.

Select the AAA client you want to move, in this case the pixCA Firewall.

Step 13.

Using the drop-down list, select the NDG you want this AAA client to be placed into, in this case Firewalls.

Step 14.

Select Submit + Restart.

Step 15.

Click Network Configuration.

Step 16.

Select the (Not Assigned) group.

Step 17.

Select the AAA server you want to move, in this case the SERVER Firewall.

Step 18.

Using the drop-down list, select the NDG you want this AAA server to be placed into, in this case Firewalls.

Step 19.

Select Submit + Restart.

Step 20.

Next, configure the PIX Firewall. The configuration on the PIX Firewall should resemble the following. Note that only traffic matched by the access list named ACS (HTTP from host 10.0.1.100) triggers authentication; everything else is governed by the INSIDE access list alone. The shared key on the aaa-server line (acskey here) must match the key entered for this AAA client in ACS, or every authentication request will fail.


pixfirewall(config)# sh aaa-server
aaa-server TACACS+ protocol tacacs+                                <-- default config
aaa-server RADIUS protocol radius                                  <-- default config
aaa-server LOCAL protocol local                                    <-- default config
aaa-server MYTACACS protocol tacacs+                               <-- Defines the protocol
aaa-server MYTACACS (outside) host 192.168.1.100 acskey timeout 10 <-- Defines the location of the server and the key
pixfirewall(config)# show access-list                              <-- View the ACLs in place
access-list ACS; 1 elements                                        <-- This ACL is used in AAA to define what to authenticate
access-list ACS line 1 permit tcp host 10.0.1.100 any eq www (hitcnt=7)
access-list INSIDE; 3 elements                                     <-- This ACL defines what traffic is allowed to pass through the PIX Firewall
access-list INSIDE permit tcp any any eq www
access-list INSIDE permit tcp any any eq 443
access-list INSIDE deny ip any any
pixfirewall(config)# sh access-group                               <-- This displays where the ACL is applied
access-group INSIDE in interface inside
pixfirewall(config)#
pixfirewall(config)# show aaa                                      <-- This shows the ACL named ACS applied in the authentication statement
aaa authentication match ACS inside MYTACACS
pixfirewall(config)#

Step 21.

Now add ACS New York as an AAA server so that it can be used in the Proxy Distribution Table. Select the NDG that you want to work with.

Step 22.

Select the Firewalls NDG.

Step 23.

Select the Add Entry button underneath the AAA servers table. Enter the name of the AAA server in New York.

Step 24.

Enter the IP address of the AAA server.

Step 25.

Enter the key to be used.

Step 26.

Select Submit + Restart.

Step 27.

Next, you use that server in the Proxy Distribution Table to forward authentication requests. For this example, you use the @ symbol as the delimiting character, and you strip the matched string before forwarding. Start by selecting Network Configuration.

Step 28.

Select the Add Entry button underneath the Proxy Distribution Table.

Step 29.

Enter the character string to match, in this example the @-delimited suffix that identifies New York users.

Step 30.

Using the drop-down, select the position. In this example, you use suffix.

Step 31.

Select Yes in the Strip drop-down list.

Step 32.

Select the ACS that you want to forward to, in this case ACS_NY, and click the right arrow button to move this server from the AAA server box on the left to the Forward To box on the right.

Step 33.

Using the drop-down menu, choose local, remote, or local/remote to control where accounting records are sent. Only remote and local/remote perform remote accounting; if local is chosen, accounting is logged on this ACS only and no remote accounting takes place.

Step 34.

Select Submit + Restart.

Step 35.

To search for network devices, select the Search button under the Network Device Groups table.

Step 36.

Enter the host name of the device you are trying to locate. Leave the asterisk in place to match any name, or enter a partial name followed by an asterisk to match everything that starts with it.

Step 37.

Enter the IP address in dotted decimal notation. You can also enter an asterisk here in place of any octet.

Step 38.

Using the drop-down menu, select the type of network device you are searching for. The options are any, TACACS+ (Cisco IOS), RADIUS (IETF), Cisco Secure AAA server, TACACS+ AAA server, or RADIUS AAA server.

Step 39.

Using the drop-down menu, select the device group you want to search. The default is any.

Step 40.

Select Search.

This completes the configuration built up section by section in this chapter. Figure 9-15 shows the end result.

Figure 9-15. Final Network Topology


As you can see in the figure, the AAA user from New York attempts to access the Internet. The username, including its suffix, is carried in the authentication request. ACS_CA sees the suffix and consults the Proxy Distribution Table to determine where to send the request. The table has an entry that maps that suffix to ACS New York, so the request is forwarded there; because Strip is set to Yes, ACS_CA removes the suffix first, and ACS New York authenticates the bare username. Authentication succeeds, and the user is off and surfing the Internet.
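The following Python model is an added example, not code from the book or from Cisco Secure ACS. It shows the decision logic behind the Proxy Distribution Table entry created in Steps 27 through 34 (string, prefix/suffix position, strip, ordered Forward To list, accounting mode) and the wildcard device search of Steps 35 through 40, so that the behaviour narrated for Figure 9-15 can be traced for a given username. The entry string "@ny", the server names, the addresses and the rule that the longest matching string wins are assumptions made for the example.

```python
"""Model of two ACS features from this procedure: the Proxy Distribution
Table (Steps 27-34) and the NDG device search (Steps 35-40). Added
illustration, not ACS code; the "@ny" entry, server names, addresses and
the longest-match rule are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List


@dataclass
class ProxyEntry:
    char_string: str       # delimiting string from Step 29, e.g. "@ny"
    position: str          # "prefix" or "suffix" (Step 30)
    strip: bool            # Step 31: remove the string before forwarding
    forward_to: List[str]  # ordered Forward To list of AAA servers (Step 32)
    accounting: str        # "local", "remote" or "local/remote" (Step 33)


@dataclass(frozen=True)
class ProxyDecision:
    server: str            # AAA server that authenticates the request
    username: str          # username as forwarded (stripped if configured)
    account_local: bool    # accounting logged on the forwarding ACS
    account_remote: bool   # accounting sent to the remote ACS


class ProxyDistributionTable:
    """Usernames that match no entry stay on the local ACS, which is what
    the automatically created (Default) entry does."""

    def __init__(self, local_server: str) -> None:
        self.local_server = local_server
        self.entries: List[ProxyEntry] = []

    def add(self, entry: ProxyEntry) -> None:
        if (entry.position not in ("prefix", "suffix")
                or entry.accounting not in ("local", "remote", "local/remote")
                or not entry.char_string or not entry.forward_to):
            raise ValueError("invalid Proxy Distribution Table entry")
        self.entries.append(entry)

    @staticmethod
    def _matches(entry: ProxyEntry, username: str) -> bool:
        if entry.position == "prefix":
            return username.startswith(entry.char_string)
        return username.endswith(entry.char_string)

    def lookup(self, username: str,
               unreachable: Iterable[str] = ()) -> ProxyDecision:
        matches = [e for e in self.entries if self._matches(e, username)]
        if not matches:
            return ProxyDecision(self.local_server, username, True, False)
        # Assumption: the longest matching string wins ("@ny.corp" over "@corp").
        entry = max(matches, key=lambda e: len(e.char_string))
        # Walk the Forward To list in order, skipping servers known to be down.
        down = set(unreachable)
        server = next((s for s in entry.forward_to if s not in down), None)
        if server is None:
            raise RuntimeError("no reachable server in the Forward To list")
        forwarded = username
        if entry.strip:
            n = len(entry.char_string)
            forwarded = username[n:] if entry.position == "prefix" else username[:-n]
        return ProxyDecision(server, forwarded,
                             entry.accounting in ("local", "local/remote"),
                             entry.accounting in ("remote", "local/remote"))


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    kind: str   # one of the device types listed in Step 38
    ndg: str


def _ip_matches(pattern: str, ip: str) -> bool:
    """Step 37: '*' may stand in for any octet, e.g. '192.168.2.*'."""
    p, a = pattern.split("."), ip.split(".")
    return len(p) == 4 and len(a) == 4 and all(x in ("*", y) for x, y in zip(p, a))


def search_devices(devices: Iterable[Device], name: str = "*", ip: str = "*.*.*.*",
                   kind: str = "any", ndg: str = "any") -> List[Device]:
    """Steps 36-40: host name with '*' wildcard (assumed case-insensitive),
    IP with per-octet '*', device type and NDG filters."""
    return [d for d in devices
            if fnmatchcase(d.name.lower(), name.lower())
            and _ip_matches(ip, d.ip)
            and kind in ("any", d.kind)
            and ndg in ("any", d.ndg)]


# Constructed sample data loosely following the chapter's topology (assumed).
DEVICES = [
    Device("pixCA", "10.0.1.1", "TACACS+ (Cisco IOS)", "Firewalls"),
    Device("ACS_CA", "192.168.1.100", "Cisco Secure AAA server", "Firewalls"),
    Device("ACS_NY", "192.168.2.100", "Cisco Secure AAA server", "Firewalls"),
    Device("rtr-ny-1", "192.168.2.1", "RADIUS (IETF)", "(Not Assigned)"),
]

if __name__ == "__main__":
    pdt = ProxyDistributionTable(local_server="ACS_CA")
    pdt.add(ProxyEntry("@ny", "suffix", True, ["ACS_NY", "ACS_CA"], "local/remote"))
    print(pdt.lookup("bob@ny"))   # forwarded to ACS_NY as "bob", accounted both sides
    print(pdt.lookup("alice"))    # no suffix, stays on ACS_CA
    print(search_devices(DEVICES, ip="192.168.2.*"))
```

The `unreachable` argument lets you see why the Forward To list is ordered: if ACS_NY is down, the same New York user falls back to the next server in the list rather than being rejected outright, which is the behaviour to plan for when you decide whether the local ACS should also hold New York accounts.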




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173