Lenovo RackSwitch G8332 TACACS+ with Cisco ACS

Overview

I needed to configure a couple of Lenovo RackSwitch G8332’s for TACACS+ authentication & authorisation against Cisco ACS 5.4 (it’s quite an old version).

This post details the necessary Cisco ACS and Lenovo RackSwitch configuration. 

ACS Configuration

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles

Create a new Shell Profile.

Name: Lenovo Rackswitch

(Screenshot: ACSShellProfile1)

Click on the Common Tasks tab.

Privilege Level

  • Default Privilege: Static | Value: 15
  • Maximum Privilege: Static | Value: 15

(Screenshot: ACSShellProfile2)

Note: setting Default Privilege to 15 is essential for authorisation to work. Without it you will still authenticate successfully, but on entering privileged mode you will get this error: “Enable access using (user) credentials restricted to admin accounts only)”.

Click on the Custom Attributes tab.

Click Submit.

(Screenshot: ACSShellProfile3)

Access Policies > Access Services > Device Admin > Authorization

Create a new Device Administration Authorization Policy.

Name: Lenovo Rackswitch

Conditions

  • External Groups: add relevant groups (here it’s my ‘Cisco ACS Administrators’ AD security group).
  • NDG:Device Type: operator “in”, value All Device Types:Lenovo Rackswitch

Results

  • Set the Shell Profile to what was created above: Lenovo Rackswitch.
  • Add a relevant Command Set.

Click OK.

Device

Network Resources > Network Devices and AAA Clients

Add a new network device.

Name: enter a relevant name.

Network Device Groups

  • Location: select a relevant location.
  • Device Type: All Device Types:Lenovo Rackswitch

IP Address

  • Check Single IP Address, specify the IP address of the RackSwitch (e.g. 10.99.1.100).

Authentication Options

  • Check TACACS+
  • Shared Secret: specify the shared secret (e.g. my5ecretK3y).

Click Submit.

(Screenshot: NetDeviceClient)

Switch Configuration

I performed the configuration remotely (via telnet). By default the switch drops telnet sessions after ten minutes of inactivity, so to avoid being locked out while configuring TACACS+ I set the system idle timeout to 60 minutes (valid values are 1 to 60 minutes; 0 disables the timeout).

system idle 60

Command Authorisation & Logging

Enable TACACS+ Command Authorisation:

tacacs-server command-authorization

Enable TACACS+ Command Logging:

tacacs-server command-logging

TACACS+ Authentication

Specify the TACACS+ server and secret:

tacacs-server primary-host 10.99.1.100 key my5ecretK3y

Set the primary interface port to the management port (this is optional):

tacacs-server primary-host mgt-port

Optionally enable the TACACS+ backdoor, which allows TACACS+ checking to be bypassed if the TACACS+ server does not respond. It is disabled by default, so leave it off unless you need the fallback.

tacacs-server backdoor

Use alternate TACACS+ authorisation levels (this is optional):

tacacs-server privilege-mapping

Enable TACACS+:

tacacs-server enable
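As a post-configuration check (an added example, not part of the original post), the following Python script audits a “show running-config” excerpt for the settings above and flags the items worth reviewing afterwards (backdoor left on, idle timeout still at 60, short shared secret). The sample config and the 16-character secret threshold are assumptions.

```python
"""Audit a Lenovo RackSwitch running-config excerpt for the TACACS+ settings
described in this post. Added example; not the switch's or ACS's own tooling."""
import re

# Constructed sample of the relevant 'show running-config' lines, using the
# host, key and idle value from the post.
SAMPLE_CONFIG = """\
system idle 60
tacacs-server command-authorization
tacacs-server command-logging
tacacs-server primary-host 10.99.1.100 key my5ecretK3y
tacacs-server primary-host mgt-port
tacacs-server backdoor
tacacs-server enable
"""

# Settings that must be present for authentication, authorisation and logging.
REQUIRED = {
    "tacacs-server enable": "TACACS+ is not enabled",
    "tacacs-server command-authorization": "command authorisation is off",
    "tacacs-server command-logging": "command logging is off",
}
MIN_SECRET_LEN = 16  # assumed policy threshold, not a switch requirement


def audit_tacacs_config(config: str) -> dict:
    """Return missing required settings, items to review, and the server host."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    present = set(lines)
    findings = {"missing": [], "review": [], "server": None}
    for cmd, msg in REQUIRED.items():
        if cmd not in present:
            findings["missing"].append(msg)
    for line in lines:
        m = re.match(r"tacacs-server primary-host (\S+) key (\S+)$", line)
        if m:  # the 'mgt-port' variant has no key and is skipped here
            findings["server"] = m.group(1)
            if len(m.group(2)) < MIN_SECRET_LEN:
                findings["review"].append("shared secret shorter than %d characters" % MIN_SECRET_LEN)
        m = re.match(r"system idle (\d+)$", line)
        if m:
            idle = int(m.group(1))
            if idle == 0 or idle > 10:  # post raised it from the 10-minute default for setup
                findings["review"].append("idle timeout is %d (0 = disabled); restore it after setup" % idle)
    if "tacacs-server backdoor" in present:
        findings["review"].append("backdoor enabled: TACACS+ is bypassed when the server is unreachable")
    if findings["server"] is None:
        findings["missing"].append("no TACACS+ primary-host with key configured")
    return findings
```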
