Summarized Steps
On ACS:
1. Create an ACS server administrator account with full ACS privileges. This admin credential is required for CSM AAA Mode Setup.
2. Enable Network Device Group.
3. Rename User groups.
4. Create users and associate the users to appropriate groups.
5. Create a system identity user and assign this user to a group. The same system identity user credential must also be created on the CSM server.
6. Add AAA clients and assign the AAA clients to the appropriate network device group. The AAA client hostname must be exactly the same as the hostname of your devices.
On CSM:
1. Create a system identity user account, and grant all authorization to this account.
2. Set up the system identity user with the system identity user account credential.
3. Go to AAA Mode Setup, select ACS, enter the ACS administrator account (this is not the system identity user account!), and key in the shared key.
4. In the AAA mode setup, check the box “Register all installed applications with ACS”. These applications are cwhp (CiscoWorks Home Page), csm (Cisco Security Manager clients) and AutoUpdate (AutoUpdate Server).
5. Restart the Cisco Security Manager Daemon Manager (crmdmgtd) service.
On ACS: Create Administrator account with full ACS privileges
Click on Administration Control.
Add an administrator account and grant all privileges.
On the same page, scroll down to Administrator Privileges and click on the Grant All button. Then click on the Submit button.
On ACS: Enable Network Device Group
Click on Interface Configuration.
Check the box “Network Device Groups” (NDG) then click on Submit button.
On ACS: Rename User Groups
For this lab I will create four groups:
a. System Administrators
b. Security Administrators
c. Network Operators
d. Help Desk
Select a group and click on Rename Group button.
Change the name and click Submit button.
On ACS: Create users and associate users to appropriate groups
Click on User Setup.
Type in the username and click Add/Edit button.
Create the password, assign the user to the appropriate group, leave the rest as default, and click the Submit button.
These are the user accounts I have created.
On ACS: Create system identity user and group this user
System identity user is a special user account created to be shared by ACS and CSM.
I chose “sysid” for the system identity username, chose a password, then grouped this user in the System Administrators group.

On ACS: Add AAA clients and assign to appropriate NDG
Click on Network Configuration.
Click on Add Entry button to create device group.
Give a name to the device group and choose a shared secret.
Click on the Network Device Group, and add the AAA client.
1. Click on Add Entry to add AAA client.
2. Click on Add Entry to add remote AAA server if any.
The AAA client hostname must be the same as the hostname of the CSM server and the Cisco device you want to manage.


On CSM: Create System Identity User and grant all access
To create a system identity user account, click on Server > Single-Server Management from the menu.
1. Click on Local User Setup.
2. Click on Add button to add a user.
I have created a system identity user account (sysid) in ACS 4.2; the same user account and password have to be created here. Select Full Authorization.

From the menu, click on Server > Multi-Server Trust Management > System Identity Setup. Type in the system identity user credential here.

On CSM: AAA Mode Setup
From the menu, click on Server > AAA Mode Setup.
Select ACS, then put in the ACS administrator account, and the shared secret.
Do not confuse the administrator account with system identity user account!
Check the box “Register all installed applications with ACS”. These installed applications are cwhp (CiscoWorks Home Page), csm (Cisco Security Manager clients) and AutoUpdate (AutoUpdate Server).

After you have put in all information click on Apply button.

Log out from the CiscoWorks Home Page. Then restart the Cisco Security Manager Daemon Manager service. You can do this by launching services.msc or by using the command line.

To use the command line, open the command prompt with “Run as Administrator”, then type in:
net stop crmdmgtd
then type in:
net start crmdmgtd
Items added in ACS 4.2
On the ACS server, click on Shared Profile Components; you will see additional items.
From Group Setup, you can change the group settings, where you will also see additional items.
Assign roles
I will assign pre-defined roles to my groups.
I chose System Administrators group.


Click on Submit + Restart button once finished.
I have selected Event Viewer to launch using my csmadmin account.