This post covers the case where you want CSM users to be authenticated by Cisco ACS but authorized by CSM itself. Since CSM version 4.3 there is a Role Management Setup feature, and this setup controls user rights.
CSM home screen
Keep the type as Local RBAC so that CSM manages the user rights, and change the Login Module to TACACS+.
CSM supports up to three TACACS+ servers for redundancy. If all configured ACS servers are unreachable, CSM falls back to the CiscoWorks Local login module (the local user database) and then only allows the admin user to log in.
After a successful TACACS+ login, the authentication mode displays TACACS+.
This setup is not complete yet! This configuration only lets you log in to the Cisco Security Manager server management page. You cannot yet log in with the TACACS+ account to the CSM client applications.
Click the Save button, then choose File > Submit from the menu to submit the change. Remember that whatever you change, you must submit it; if it is a device configuration change, you need to submit and deploy.
The default role is Help Desk. Whenever a user is authenticated successfully by the ACS server, the default role applies unless you have assigned other roles to that user in CSM.
The role management setup is very configurable: you can modify the pre-configured roles or create your own roles, but I am really tired now :p I need to sleep.. haha… so perhaps next time I can post a new blog on configuring and modifying roles.
Create admin account
To create an admin account that is authenticated by the ACS server:
1. Create a user in the ACS server, then create a user with the same username in the Cisco Security Manager server.
2. Choose an arbitrary password for the CSM local database user you have just created. With the Login Module set to TACACS+, the password typed at login is checked by ACS, not against the local database; the local entry exists so that CSM can assign roles to the user, and its password is only used if local authentication is in effect.
Make this local password as complicated as possible (for example 24 characters long with a complicated mix of character types). If it is too easy, an attacker who reaches local authentication can bypass the ACS server and log in to the local admin account you created. You do not need to use the password you configured in the CSM server anyway, right? 😉
3. Assign full authorization to this account (you can of course choose to assign less 🙂).
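As an added example (not code from the original post or from Cisco), the following Python generates the throwaway local password from step 2 and models the login behaviour described above: the ACS servers are tried in order, and the local database only matters once all of them are unreachable. The `authenticate` function is a simplified model; the server names, the fallback policy names (`only-admin`, `all-local`, `none`), the four-character-class complexity rule and all user data are constructed assumptions, not CSM's actual implementation.

```python
import secrets
import string
from dataclasses import dataclass

# Character classes the throwaway local password must cover.
# Assumption: the post only says "complicated combination"; requiring all
# four classes is one common reading of that.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!#$%&()*+,-./:;<=>?@[]^_{|}~"),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))


def is_complex(password: str, min_len: int = 24) -> bool:
    """True when the password is at least min_len long and uses every class."""
    if len(password) < min_len:
        return False
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_local_password(length: int = 24) -> str:
    """CSPRNG-generated password for the CSM local user entry (step 2).

    Nobody types this password during normal operation; it exists only so
    the local entry cannot be guessed if local authentication is ever used
    (fallback, or the login module switched back to Local).
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_complex(candidate, length):
            return candidate


@dataclass
class TacacsServer:
    """One of the up-to-three ACS servers. `users` maps username -> password
    (constructed sample data; a real ACS never exposes passwords like this)."""
    name: str
    reachable: bool
    users: dict


def authenticate(username, password, servers, local_users, fallback="only-admin"):
    """Simplified model (assumption, not CSM code) of the post's login flow.

    Returns (decision, source). Servers are tried in order and the first
    reachable one decides. Only when all are unreachable does the local
    database come into play, governed by the fallback policy:
      "only-admin" - only the admin user may log in locally (the post's case)
      "all-local"  - any local user may log in locally
      "none"       - no local fallback at all
    """
    for srv in servers:
        if srv.reachable:
            ok = srv.users.get(username) == password
            return ("allow" if ok else "deny"), srv.name
    if fallback == "none":
        return "deny", "fallback-disabled"
    if fallback == "only-admin" and username != "admin":
        return "deny", "local-fallback-admin-only"
    ok = local_users.get(username) == password
    return ("allow" if ok else "deny"), "local"


# Constructed sample data: two ACS servers down, the third up.
ACS = [
    TacacsServer("acs1", False, {}),
    TacacsServer("acs2", False, {}),
    TacacsServer("acs3", True, {"csmadmin": "acs-side-secret"}),
]
ACS_ALL_DOWN = [TacacsServer(s.name, False, s.users) for s in ACS]
# "csmadmin" deliberately has a weak local password to show when it bites.
LOCAL = {"csmadmin": "weak", "admin": generate_local_password()}

if __name__ == "__main__":
    print(generate_local_password())
    print(authenticate("csmadmin", "acs-side-secret", ACS, LOCAL))
    print(authenticate("csmadmin", "weak", ACS, LOCAL))
    print(authenticate("csmadmin", "weak", ACS_ALL_DOWN, LOCAL))
    print(authenticate("csmadmin", "weak", ACS_ALL_DOWN, LOCAL, "all-local"))
```

While any ACS server answers, the weak local password is never consulted, which is why the post says its value does not matter day to day. The last two calls show the caveat: under the admin-only fallback the weak entry is still unusable, but with an all-local fallback it lets someone log in without touching ACS at all, which is exactly why the local password should be generated rather than chosen.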
OMG! It is 3.40am in the morning now! Gotta sleep! See ya on my next post!