Setup TACACS+ between LANTECH switch and Cisco ACS

cisco_acs.md

References

All are from Cisco official documents:

• How to Assign Privilege Levels with TACACS+ and RADIUS
• Migration Guide for the Cisco Secure Access Control System 5.3

Basics

• The security model of Lantech switches is rather simple. Each user falls into either one of the following of permissions.
  • read-only: allow to view current settings but changing settings is disallowed.
  • read-write: both viewing/changing settings are allowed.
• How permission mapped into TACACS+ privilege level?
  • privilege level 1~8 --> read-only permission
  • privilege level 9~15 --> read-write permission

Cisco ACS configuration

• Image we're going split users into two groups with different permissions like the following table

group name	permission	privelege level	members
admin-group	read-write	15	alex, amy
user-group	read-only	1	ufo, upup

Create groups: admin-group and user-group

Create users under correspondent groups

Create Shell Profiles:

• roaccess: privilege level = 1

• rwaccess: privilege level =15
  
  

In Access-Services -> Service Selection Rules, create a rule to route all tacas+ access into Default Device Admin service

In Access Policies > ... > Access Services > Default Device Admin > Authorization
Create rules to map groups into correspondent shell profiles

When things not work. Let's diagnosis

• Check how many times the rule has been hit
  
  
• Open monitoring and resports and check the TACACS+ AAA reports
  
  
• Click the Refresh button and check the detail by clicking details
  
• In side the report, the sections Access Policy and Evaluating Identity Policy provide valuable clues on why ACS allows/denys a login.