CSM: Authentication by TACACS+ and Authorization by CSM

This post covers the case where you want CSM users to be authenticated by Cisco ACS (TACACS+) but authorized by CSM itself. Since CSM version 4.3, CSM has a Role Management Setup feature, and this setup controls user rights.

The Cisco Security Manager web portal is where the CSM server itself is managed: the backend database, user credentials, email settings and so on are set up here.

Login to the web portal

Select Server Administration

CSM home screen

Cisco Security Manager home screen.


The default authentication mode is CiscoWorks Local. CSM supports several authentication modules; the CiscoWorks Local module holds the local user database. We want to change this to TACACS+.

Change authentication module
There are two ways to change the authentication module. The first is to click AAA Mode Setup in the home screen.

The other method is from the menu click Server > AAA Mode Setup.

Keep the type as Local RBAC so that CSM manages the user rights, and change the Login Module to TACACS+.

Click on change button.


CSM supports up to three ACS servers for redundancy. If all configured ACS servers are uncontactable, CSM falls back to CiscoWorks Local (the local user database) and only allows the user admin to log in.

Successful notification.


Back to the home screen, you will see the Authentication Mode has changed to TACACS+.

Authentication test

testuser is an account on the ACS server.

testuser has logged in successfully.

After a successful TACACS+ authentication, the authentication mode displays TACACS+.

If you use the CSM local database account or if the ACS server is uncontactable, then you will see TACACS+ (Fallback Mode).

For the sake of verification, I have enabled logging for passed authentication.

If you log on using the CSM local database account, your ACS server will log this as a failed authentication.
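The two observations above (a local-database login shows "Fallback Mode" in CSM, and ACS records it as a failed authentication) give a defender a simple way to spot sessions that did not go through TACACS+. The following is an added example, not code from the post or from Cisco; the ACS and CSM log line formats are constructed for this example and are not the real products' formats, so the regex would need to be adapted to whatever your own export looks like.

```python
"""Flag CSM logins that bypassed TACACS+ by correlating constructed ACS and CSM log lines.

A login is flagged when CSM itself reports fallback mode, or when an ACS FAILED
record for the same user precedes the CSM login within a short window (the
pattern produced when someone uses the CiscoWorks Local account while ACS is up).
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines; the "<ts> <source> <result> user=<name> ..." layout is
# invented for this example and is not the real ACS or CSM log format.
ACS_LOG = """\
2013-05-01T03:10:02 acs PASSED user=testuser
2013-05-01T03:12:40 acs FAILED user=admin
2013-05-01T03:15:11 acs PASSED user=admin
"""
CSM_LOG = """\
2013-05-01T03:10:03 csm LOGIN user=testuser mode=TACACS+
2013-05-01T03:12:41 csm LOGIN user=admin mode=TACACS+ (Fallback Mode)
2013-05-01T03:15:12 csm LOGIN user=admin mode=TACACS+
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\w+) (?P<result>\w+) user=(?P<user>\S+)(?P<rest>.*)$")


def parse(text):
    """Turn the constructed log text into a list of event dicts; skips unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "result": m["result"],
            "user": m["user"],
            "rest": m["rest"].strip(),
        })
    return events


def find_local_logins(acs_text, csm_text, window=timedelta(seconds=30)):
    """Return (user, iso_timestamp) pairs for CSM logins granted by the local database.

    Either signal is enough: CSM reporting "(Fallback Mode)", or an ACS FAILED entry
    for the same user at most `window` before the CSM login.
    """
    acs_failed = [e for e in parse(acs_text) if e["result"] == "FAILED"]
    flagged = []
    for login in parse(csm_text):
        if login["result"] != "LOGIN":
            continue
        fallback = "Fallback Mode" in login["rest"]
        preceded_by_failure = any(
            f["user"] == login["user"]
            and timedelta(0) <= login["ts"] - f["ts"] <= window
            for f in acs_failed
        )
        if fallback or preceded_by_failure:
            flagged.append((login["user"], login["ts"].isoformat()))
    return flagged


if __name__ == "__main__":
    for user, ts in find_local_logins(ACS_LOG, CSM_LOG):
        print(f"local-database login for {user} at {ts}")
```

On the sample data only the admin session at 03:12:41 is flagged: CSM tagged it as fallback mode and ACS logged a failure one second earlier. The later admin login at 03:15:12 is not flagged because ACS passed it and the earlier failure is outside the 30-second window.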

This setup is not yet complete! This configuration only allows you to log in to the Cisco Security Manager server management portal. You cannot yet log in with the TACACS+ account to all of the CSM client applications.

Login to CSM client applications with TACACS+ account
Login to Configuration Manager with the local admin account. From the menu click on Tools > Security Manager Administration…

Check the box under Native RBAC Parameters.

Click the Save button, then from the menu click File > Submit to submit the change. Remember that whatever you change, you must submit the changes; if they are configuration changes, you need to submit and deploy.

Read-only access.

Authenticated by TACACS+ and granted read-only access.

Default Local RBAC modification
Login to Cisco Security Manager server, from the menu click on Server > Single-Server Management.
1. Select Role Management Setup.
2. Select the desired pre-configured roles.
3. Click Set as default button.

The default is the Help Desk role. Whenever a user is authenticated successfully by the ACS server, the default role is applied.

The role management setup is very configurable: you can modify the pre-configured roles or create your own roles, but I am really tired now :p I need to sleep.. haha…so perhaps next time I can post a new blog on configuring and modifying roles.

Create admin account
To create an admin account that is authenticated by the ACS server:
1. Create a user on the ACS server, then create the same user on the Cisco Security Manager server.

2. Choose an arbitrary password for the CSM local database user you have just created. It does not matter which password you choose, because when the ACS server is reachable it is the TACACS+ credential that is checked.

Make this password as complicated as possible (for example 24 characters long with a complex mix of character classes), because if it is too easy, a hacker can bypass ACS server authentication and log in as the local admin account you created. You do not need to use the password you configured on the CSM server anyway, right? 😉

3. Assign full authorization to this account; however, you can choose not to 🙂
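The long random local password from step 2 is what keeps the fallback path from becoming a bypass of ACS. As an added example (not from the post or from Cisco), the script below generates such a password from the OS CSPRNG and checks it against the post's recommendation of at least 24 characters with a mix of character classes; the 24-character threshold and the four-class rule are this example's own policy, not a CSM setting.

```python
"""Generate and check a long random password for the CSM local shadow admin account.

The policy constants below follow the post's advice (24+ characters, complex mix)
and are assumptions of this example, not CSM defaults.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_LENGTH = 24
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def meets_policy(password):
    """True when the password is long enough and uses every character class."""
    return (len(password) >= MIN_LENGTH
            and all(any(ch in cls for ch in password) for cls in CLASSES))


def generate_local_password(length=MIN_LENGTH):
    """Draw characters with `secrets` (CSPRNG) and retry until the policy holds."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length=MIN_LENGTH, alphabet=ALPHABET):
    """Upper bound on guessing entropy for a uniformly random password of this shape."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_local_password()
    print(f"local password ({len(pw)} chars, ~{entropy_bits():.0f} bits): {pw}")
```

Store the generated value in your password safe only; it is never typed during normal operation because the TACACS+ credential is the one that is checked while ACS is reachable.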


Assign full rights to the admin account.


The admin username must be the same on the ACS server and in the CSM server local database account.

Passed authentication verification.


OMG! It is morning 3.40am now! Gotta sleep! See ya on my next post!
