Cisco ACS Lab2: Use Tacacs+ to do Authentication and Authorization with ACS 5.6

Previous Lab1: Cisco ACS Lab1: Installing and Configuring ACS 5.6 in ESXi and GNS3
This Lab2 will use cisco router to connect with ACS 5.6 and use Tacacs+ protocol to complete authentication and authorization tasks.

Step1: Join/Test connection to Active Directory Server

Step2: Choose Proper Active Directory Group to do authentication and authorization

In windows AD server, add test1, test2 and test3 users and put them into testgroup as shown in the following screenshot.

Choose test1.com/Users/testgroup in the Directory Groups tab.

Step3: Make sure there is a rule to use Tacacs and Service is Default Device Admin

Step 4: Choose AD1 as the authtication method for Identity of Default Device Admin

Step5: For Authorization, Create a rule to use AD1:ExternalGroups as conditions

Step6: Customize a Shell Profile for level 15 user

Step 7: Cisco Router Configuration:

! create local admin user for failback
username admin privilege 15 password 0 cisco123!

aaa new-model
tacacs-server host 192.168.2.42
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands

Step 8: Test with AD user account test1

Reference:

• ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example