This deck provides an overview of Cisco AAA products, including NAC, Cisco Clean Access, NAC Profiler, Guest Server, and ACS. It also covers AAA configuration on IOS/FW/ASA and includes information on logs and debugs.
E N D
AAA Introduction Chalk Talk Foundation Concepts ABHISHEK NEELAKANATA
CONTENTS • Product Overview • Product License • Logs and Debugs • IOS/ASA AAA
Product Overview
• NAC
  • Cisco Clean Access (CCA)
  • NAC Profiler
  • NAC Collector
  • Guest Server
• ACS
  • Cisco Secure ACS on Windows
  • ACS SE
  • ACS Unix
  • ACS Express
• IOS/FW/ASA AAA
  • Auth Proxy
  • 802.1x on SW
• WLSE AAA
• User Registration Tool (URT) (EOL: HW - March 31, 2011, App SW - March 31, 2009)
• Cisco Access Registrar (CAR)
• Cisco Security Manager ACS Integration
• Windows OS:
  • Windows Supplicant
  • CSSC
  • CCA agent
Product License
• Cisco Clean Access (CCA)
  • For CAM, CAS, or CAS Failover (HA) licenses: the CAM's eth0 MAC address.
  • For the CAM Failover (HA) license only: the eth0 MAC address of the secondary CAM.
  • Both licenses are installed via the CAM GUI (/perfigo/control/tomcat/normal-webapps/upload/).
• Cisco NAC Profiler Server/Collector
  • For a standalone Profiler and Collector: the eth0 MAC address of the NAC Profiler Server.
  • HA Profiler: submit the eth0 MAC of both the primary and the secondary Profiler.
  • HA Collector: the Collector license installed on the primary carries the eth0 MAC of the primary Profiler server; the Collector license installed on the secondary carries the eth0 MAC of the secondary Profiler server.
  • Both licenses are installed via the Profiler Web GUI (/user/beacon/working/flexlm/).
• NAC Guest Server
  • The eth0 MAC address of the Cisco NAC Guest Server.
• For all devices: the eth0 MAC address entered must be in UPPER CASE (hexadecimal letters capitalized). Do not enter colons (":") between characters.
ACS
• ACS: purchase contract
• ACS Express: the appliance comes with a preinstalled license
• CSSC license: 90-day trial license for both wired and wireless functions
• Evaluation license: http://www.cisco.com/go/license/public
• WW-LICENSING
Logs and Debugs
• CCA:
  • CAM
    • GUI: Administration > CCA Manager > Support Logs
    • SSH: tail -f /perfigo/logs/perfigo-log0.log.0
  • CAS
    • GUI: https://<CAS_eth0_IP_address>/admin, then Monitoring > Support Logs
    • SSH: tail -f /perfigo/logs/perfigo-redirect-log0.log.0
  • CCA 4.5
    • CAM logs have moved to /perfigo/control/tomcat/logs/nac_manager.log
    • CAS logs: /perfigo/access/tomcat/logs/nac_server.log
  • For normal operation, the log level should always remain at the default setting: Severe (CCA 4.1 or earlier) or Info (CCA 4.5).
NAC Profiler
• In the Profiler GUI, navigate to the Utilities tab and select System Summary. At the bottom of the System Summary, select Collect technical logs.
ACS
• ACS for Windows 4.1.3 and earlier:
  • Choose System Configuration > Service Control.
  • Choose Full for the Level of Detail in the Service Log File Configuration pane.
  • Run a few tests that you are certain will fail.
  • Run cssupport.exe from C:\Program Files\CiscoSecure ACS v4.1\bin\cssupport.exe. The default location for the package.cab file is \<ACS_install_dir>\Utils\Support.
• ACS SE and ACS for Windows (4.1.4 and later):
  • In the web interface, choose System Configuration > Support > Run Support Now.
CSSC
• LogPackager utility:
  • Download Cisco_logpackager-win.x86_1.5.0.1.zip. It captures the following information:
    • current end-user technical log contents
    • current internal application activity log
    • information on the machine's hardware and software environment
IOS debugs
• debug aaa authentication
• debug aaa authorization
• debug aaa accounting
• debug radius
• debug tacacs
• R1#test aaa group radius test test123 new-code
• ASA# test aaa-server authentication A-RAD host 10.22.22.5 username test password test123
IOS/ASA AAA
R1 (10.22.22.1) ------------------- (10.22.22.11) ASA (192.1.41.11) -------------- (192.1.41.2) R2
ACS: 10.22.22.5 (on the R1 / ASA inside segment)
• Telnet from R2 to R1
• Telnet from R2 to ASA
• HTTP from R1 to R2
IOS
• R1(config)#aaa new-model
• R1(config)#radius-server host 10.22.22.5 key cisco
• Telnet authentication:
  • R1(config)#username cisco123 password cisco123
  • R1(config)#aaa authentication login R-Telnet group radius local
  • R1(config)#line vty 0 4
  • R1(config-line)#login authentication R-Telnet
ASA
• ASA(config)#aaa-server A-RAD protocol radius
• ASA(config)#aaa-server A-RAD host 10.22.22.5
• ASA(config-aaa-server-host)#key cisco
• Telnet authentication:
  • ASA(config)#username admin password admin
  • ASA(config)#aaa authentication telnet console A-RAD LOCAL
• Auth Proxy:
  • ASA(config)#access-list A-AUTH-PROXY extended permit tcp any host 192.1.41.2 eq www
  • ASA(config)#access-group A-AUTH-PROXY in interface inside
  • ASA(config)#aaa authentication match A-AUTH-PROXY inside A-RAD