When you want CSM users to be authenticated by Cisco ACS but want the authorization by CSM. Since CSM version 4.3, it has a feature of role management setup, this setup controls user rights.
CSM home screen
The default authentication mode is CiscoWorks Local. CSM supports several authentication module, CiscoWorks Local module holds the local user database. We want to change this to TACACS+.
Change authentication module
There are two ways to change the authentication module. The first is to click AAA Mode Setup in the home screen.
The other method is from the menu click Server > AAA Mode Setup.
Maintain the type as Local RBAC, this is to let CSM to manage the user rights. Change the Login Modules to TACACS+.
CSM can support up to three servers for redundancy, if all configured ACS servers are uncontactable, CSM will fallback to the CiscoWorks Local (local user database) and only allows user admin to login.
Back to the home screen, you will see the Authentication Mode has changed to TACACS+.
Successfully authenticated by TACACS+ the authentication mode will display TACACS+.
If you use the CSM local database account or if the ACS server is uncontactable, then you will see TACACS+ (Fallback Mode).
For the sake of verification, I have enabled logging for passed authentication.
If you logon using the CSM local database account, your ACS server will log this as failed authentication.
This setup is not yet completed! This configuration only allows you to login to the Cisco Security Manager server management. You cannot login with the TACACS+ account to all CSM client applications.
Login to CSM client applications with TACACS+ account
Login to Configuration Manager with the local admin account. From the menu click on Tools > Security Manager Administration…
Check the box under Native RBAC Parameters.
Click on save button then from the menu click on File > Submit to submit the change. Remember whichever you have changed you must submit the changes. If it is configuration changes you need to submit and deploy.
Default Local RBAC modification
Login to Cisco Security Manager server, from the menu click on Server > Single-Server Management.
1. Select Role Management Setup.
2. Select the desired pre-configured roles.
3. Click Set as default button.
the default is Help Desk role. Whenever a user is authenticated successfully by ACS server, the default roles will be used.
The role management setup is very configurable, you can modified the pre-configured roles or create your own roles, but I am really tired now :p I need to sleep.. haha…so perhaps next time I can post a new blog for configuring and modifying roles.
Create admin account
To create an admin account that is authenticated by ACS server,
1. Create an user in ACS server, then create the same user in Cisco Security Manager server.
2. Choose an arbitrary password for the CSM local database user which you have created. It does not matter what password you choose, because the TACACS+ credential will be taken into account if the password matches TACACS+.
You must take note to make this password the most complicated (like 24 characters long with complicated combination), this is because if it is too easy, hacker can bypass ACS server authentication and login as a local admin account which you created. You do not need to use the password you configured in CSM server anyway right? 😉
3. Assigned full authorizations to this account, however you can choose not to 🙂
OMG! It is morning 3.40am now! Gotta sleep! See ya on my next post!