CSM: Integrating CSM with ACS version 4.2

Summarized Steps

On ACS:
1. Create an ACS server administrator account with full ACS privileges. This admin credential is required for CSM AAA Mode Setup.

2. Enable Network Device Group.

3. Rename User groups.

4. Create users and associate the users to appropriate groups.

5. Create the system identity user and assign it to a group. The same system identity user credential must also be created on the CSM server.

6. Add AAA clients and assign the AAA clients to the appropriate network device group. The AAA client hostname must be exactly the same as the hostname of your devices.

On CSM:
1. Create the system identity user account and grant it full authorization.

2. Set up System Identity Setup with the system identity user account credential.

3. Go to AAA Mode Setup, select ACS, enter the ACS administrator account (this is not the system identity user account!) and key in the shared secret.

4. In the AAA mode setup, check the box “Register all installed applications with ACS”. These applications are cwhp (CiscoWorks Home Page), csm (Cisco Security Manager clients) and AutoUpdate (AutoUpdate Server).

5. Restart Cisco Security Manager Daemon Manager (crmdmgtd) service.

On ACS: Create Administrator account with full ACS privileges
Click on Administration Control.

Add an administrator account and grant all privileges.

On the same page, scroll down to Administrator Privileges, click the Grant All button, then click Submit.

On ACS: Enable Network Device Group
Click on Interface Configuration.

Click on Advanced Options.

Check the box “Network Device Groups” (NDG), then click the Submit button.

On ACS: Rename User Groups
For this lab I will create four groups:
a. System Administrators

b. Security Administrators

c. Network Operators

d. Help Desk

Click on Group Setup.

Select a group and click on Rename Group button.

Change the name and click the Submit button.

On ACS: Create users and associate users to appropriate groups
Click on User Setup.

Type in the username and click the Add/Edit button.

Set the password, assign the user to the appropriate group, leave the rest at the defaults, and click the Submit button.

These are the user accounts I have created.

On ACS: Create system identity user and group this user
The system identity user is a special user account created to be shared by ACS and CSM.

I chose “sysid” as the system identity username, chose a password, and placed this user in the System Administrators group.

This user account is not for anyone to log in with; it is used only for communication between ACS and CSM.

On ACS: Add AAA clients and assign to appropriate NDG
Click on Network Configuration.

Click on the Add Entry button to create a device group.

Give a name to the device group and choose a shared secret.

Click on the Network Device Group, and add the AAA client.

1. Click on Add Entry to add an AAA client.
2. Click on Add Entry to add a remote AAA server, if any.

The AAA client hostname must be the same as the hostname of the CSM server and of the Cisco devices you want to manage.

CSMLAB is the hostname of my CSM server.

This is the NDG I have created.

On CSM: Create System Identity User and grant all access
To create the system identity user account, from the menu click on Server > Single-Server Management.

1. Click on Local User Setup.
2. Click on the Add button to add a user.

I have created a system identity user account (sysid) in ACS 4.2; the same username and password have to be created here. Select Full Authorization.

sysid is the same user credential created on the ACS 4.2 server.

From the menu, click on Server > Multi-Server Trust Management > System Identity Setup. Type in the system identity user credential here.
System Identity Setup completed successfully.

On CSM: AAA Mode Setup
From the menu, click on Server > AAA Mode Setup.

Select ACS, then enter the ACS administrator account and the shared secret.
Do not confuse the administrator account with the system identity user account!
Check the box “Register all installed applications with ACS”. These installed applications are cwhp (CiscoWorks Home Page), csm (Cisco Security Manager clients) and AutoUpdate (AutoUpdate Server).

This popup warning appears as soon as you check the box “Register all installed applications with ACS”.

After you have entered all the information, click the Apply button.

A Verification Status popup appears; click its Apply button.

The change summary documents that you have chosen to register all applications with the ACS server.

Log out from the CiscoWorks Home Page. Then restart the Cisco Security Manager Daemon Manager service; you can do this by launching services.msc or from the command line.

Only restart the service I have boxed in red.

To use the command line, open a command prompt with “Run as Administrator”, then type net stop crmdmgtd followed by net start crmdmgtd.
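A PowerShell equivalent of that restart, added here as an example and not part of the original post: it checks that the prompt is elevated, restarts only crmdmgtd (no dependent services are forced down) and waits until the service reports Running again.

```powershell
# Added example: restart only the Cisco Security Manager Daemon Manager (crmdmgtd)
# from an elevated PowerShell prompt and confirm it comes back up.
$svcName = 'crmdmgtd'

# The restart must run as Administrator, the same requirement as net stop / net start.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as Administrator) PowerShell prompt.'
}

$svc = Get-Service -Name $svcName -ErrorAction Stop
Write-Host "Current state of $svcName : $($svc.Status)"

# Stop without -Force so only this service is touched; Daemon Manager can take
# a while to shut down its child processes, so allow a generous wait.
Stop-Service -Name $svcName -ErrorAction Stop
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

Start-Service -Name $svcName -ErrorAction Stop
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
$svc.Refresh()
Write-Host "$svcName is now $($svc.Status)"
```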

Items added in ACS 4.2
On the ACS server, click on Shared Profile Components; you will see additional items.

Click on these new items to assign roles.

From Group Setup you can change the group settings, where you will also see the additional items.

You can assign pre-defined user roles here.

Assign roles
I will assign pre-defined roles to my groups.

I chose System Administrators group.

Assign the System Administrator role for cwhp.

Assign the pre-defined System Administrator role for csm.

Assign the pre-defined System Administrator role for the AutoUpdate server.

Click on the Submit + Restart button once finished.

I have selected Event Viewer to launch, using my csmadmin account.

Log in to CiscoWorks (cwhp).
