Configuring ACS for TACACS+ via AD User Groups

This assumes that ACS has already been configured for authentication via Active Directory.

Creating a Shell Profile

>> Policy Elements >> Authorization and Permissions >> Device Administration >> Shell Profile

  • Click on Create
  • Under General Tab
    • Enter name and Description
  • Under Common Tasks Tab
    • Default Privilege = Static, Value = 15
    • Maximum Privilege = Static, Value = 15
  • Submit

Creating a Command Set – Command Permissions

>> Policy Elements >> Authorization and Permissions >> Device Administration >> Command Sets

  • Click on Create
  • Enter Name and Description
  • List the commands users in this group may run, or check the option to permit all commands except those listed below
  • Click Submit

Creating Access Service

You may use the two default Access Services, but these instructions cover adding a new Access Service.
>> Access Policy >> Access Services

  • Click on Create
  • Enter Name and Description
  • Select a built-in template, or base the service on an existing service
  • If not using a template, select Service Type – Device Administration
  • Check Identity
  • Check Authorization
  • Click Next
  • Check Process Host Lookup
  • Check “Allow PAP/ASCII”
  • Click Finish

Enabling Service created above

>> Access Policy >> Access Services >> Service Selection Rules

  • Click on Create
  • Enter Name
  • Status = Enable
  • Check Protocol = Match
  • Click on Select, Choose TACACS and Click OK
  • Under Result > Service, select the above Service created
  • Click OK
  • Save Changes
  • The service status should show green

Note: I normally delete all default Access Services and create my own.

Associating an Identity for this Service

>> Access Policy >> Access Services >> Service Selection Rules >> Service >> Identity

  • Choose “Single result Selection”
  • Change Identity Source to AD1
  • Save Changes

>> Access Policy >> Access Services >> Service Selection Rules >> Service >> Authorization

  • Click on Customize – Lower right
  • I normally add the following Conditions and Results:
    • AD1:External Groups
    • NDG:Device Type
    • NDG:Location
    • Shell Profile
    • Command Sets
  • Click OK
  • Save Changes
  • Click on Create – Lower Left
  • Enter name
  • Check AD1:ExternalGroups and select AD group
  • Check NDG:Device Type and select the types of devices this group can access
  • Check NDG:Location and select the location this group can manage
  • If a condition is not checked, it has no effect on the rule. Ideally you can leave ALL
  • Select Shell Profile
  • Select Command Set
  • Click on OK
  • Save Changes

Equipment/Devices added as an AAA Client can then be managed by members of this AD group.
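The ACS side only takes effect if the AAA Client itself sends TACACS+ authentication, exec authorization and per-command authorization requests to ACS; otherwise the Shell Profile privilege level and the Command Set above are never consulted. The following Cisco IOS configuration is an added example of such a client, not part of the original write-up: the server address 192.0.2.10, the shared secret placeholder, the server/list names (ACS1, ACS-GROUP, VTY-AUTH, VTY-AUTHZ) and the local fallback account are all assumed values to be replaced.

```text
! Added example: IOS AAA client pointing at ACS for TACACS+ device administration.
! 192.0.2.10, the secret and all list names are assumed placeholders.
aaa new-model

tacacs server ACS1
 address ipv4 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>

aaa group server tacacs+ ACS-GROUP
 server name ACS1

! Login (ASCII/PAP) is checked against ACS first; the local database is only a fallback
! for when no ACS server is reachable, so the local account below should be a break-glass account.
aaa authentication login VTY-AUTH group ACS-GROUP local

! Exec authorization is what applies the Shell Profile (Default/Maximum Privilege 15).
aaa authorization exec VTY-AUTHZ group ACS-GROUP local

! Per-command authorization is what enforces the Command Set; without these two lines
! a user with privilege 15 can run every command regardless of the Command Set.
aaa authorization commands 15 VTY-AUTHZ group ACS-GROUP local
aaa authorization config-commands

! Accounting gives ACS a record of each command a user ran.
aaa accounting commands 15 default start-stop group ACS-GROUP

! Local break-glass account, used only when ACS is unreachable.
username localadmin privilege 15 secret <LOCAL-FALLBACK-SECRET-PLACEHOLDER>

line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
```

Apply the `aaa authorization commands 15` line and the matching `authorization commands 15` line on the VTYs together; applying only one leaves the Command Set unenforced on those sessions. Before saving, test from a second session with a member of the AD group to confirm the expected privilege level and that a command outside the Command Set is rejected, so a mistake in the rule does not lock out the active session.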