How to integrate Cisco ACS 5.X and Cisco Prime. [TESTED]

Here is a quick guide to configuring Cisco ACS for Cisco Prime Infrastructure (tested on ACS 5.X and Prime Infrastructure 2.X). First of all, you need to know that ACS and CPI can be integrated in more than one way:

• ACS for user authentication during login to CPI Web GUI.
• ACS for user authentication during login to CPI CLI.
• ACS as an ACS View server (not covered in this post).

ACS and CPI WebGUI

Cisco Prime Infrastructure 2.2 Administrator Guide > Controlling User Access > Configuring ACS 5.x says nothing about how to configure the ACS 5.X side.
Cisco Prime Infrastructure 2.2 Administrator Guide > Best Practices: Server Security Hardening > Authenticating With External AAA provides instructions that are incomplete (CPI side only):

Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.
Step 2 Select Administration > Users, Roles & AAA > TACACS+ or Administration > Users, Roles & AAA > RADIUS.
Step 3 Enter the TACACS+ or RADIUS server IP address and shared secret in the appropriate fields.
Step 4 Select Administration > Users, Roles & AAA > AAA Mode Settings.
Step 5 Set the AAA mode as appropriate.

So if you configure only that, you get the following error during login:

No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server.

You can find the solution HERE.

Solution

• Log in to https://_CPI_IP_/ as root with your root password.
• Administration > Users, Roles & AAA > TACACS+ Servers > “– Select a command –” > Add TACACS+ server > …
• AAA Mode Settings > TACACS+ > Enable fallback to Local > on authentication failure or no server response > Save. Note that “Install time root user is going to be always authenticated locally irrespective of the AAA Mode Settings“. So if root is the only local user and everybody else comes from AAA, the fallback setting changes little in practice. Keep in mind that “on authentication failure” means a user that ACS rejects can still log in with a valid local password; once TACACS+ is known to work, falling back only when no server responds is the safer choice.
• User Groups > press the “Task List” button for Group Name “Root”.
• Copy the left column (TACACS+ Custom Attributes) to Notepad.
• Add virtual-domain0=ROOT-DOMAIN to the list.
• In ACS go to Shell Profiles (Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles) > Custom Attributes > Bulk Edit, paste all entries and click OK.
• Test the login.

Note that I used the following list of attributes for CPI 2.1; the list is different for CPI 2.2, so take it from the Task List of your own CPI version:

role0=Root
task0=View Alerts and Events
task1=Run Job
task2=Device Reports
task3=Alarm Stat Panel Access
task4=WAN Optimization Multisegment Access
task5=RADIUS Servers
task6=Raw NetFlow Reports
task7=Network Summary Reports
task8=Edit Audit Logs Purge Settings Access
task9=Discovery View Privilege
task10=Configure ACS View Servers
task11=Run Reports List
task12=View Audit Logs Purge Settings Access
task13=View CAS Notifications Only
task14=Administration Menu Access
task15=Monitor Clients
task16=Configure Guest Users
task17=Monitor Media Streams
task18=Configure Lightweight Access Point Templates
task19=Monitor Chokepoints
task20=Maps Read Write
task21=Configure Access Points
task22=Virtual Domains List
task23=All
task24=Users and Groups
task25=View Group Members
task26=Edit Device Access
task27=Saved Reports List
task28=Migration Templates
task29=Monitor Spectrum Experts
task30=Configure Autonomous Access Point Templates
task31=Audit Trails
task32=Swim Collection
task33=Client Location
task34=Delete Device Access
task35=Device WorkCenter
task36=TrustSec Readiness Assessment
task37=PnP Profile Deploy Read-Write Access
task38=Monitor Access Points
task39=Data Collection Management Access
task40=CleanAir Reports
task41=Configure Ethernet Switches
task42=Configure Ethernet Switch Ports
task43=TACACS+ Servers
task44=Edit Job
task45=Mobility Service Management
task46=Autonomous AP Reports
task47=Swim Upgrade Analysis
task48=Delete Groups
task49=Performance Reports
task50=Configure Controllers
task51=Help Menu Access
task52=Packet Capture Access
task53=WorkflowsReadWriteAccess
task54=MSAP Reports
task55=Scheduled Tasks and Data Collection
task56=Monitor Tags
task57=Details Dashboard Access
task58=Search Access
task59=Scheduled Configuration Tasks
task60=View Groups
task61=Configure WIPS Profiles
task62=Delete Job
task63=Client Reports
task64=Troubleshoot
task65=Services Menu Access
task66=Configure Templates
task67=System Jobs Tab Access
task68=System Settings
task69=Report Launch Pad
task70=Remove Clients
task71=Performance Dashboard Access
task72=Alarm Browser Access
task73=Configure Config Groups
task74=Application and Services Access
task75=Export Device Access
task76=Mesh Reports
task77=Swim Info Update
task78=High Availability Configuration
task79=License Center
task80=View Audit Logs Access
task81=Lobby Ambassador Defaults Configuration
task82=Design Monitoring Template Access
task83=Add Group Members
task84=Monitor Controllers
task85=Deploy Configuring Access
task86=View Job
task87=Monitor Security
task88=Track Clients
task89=Monitor Menu Access
task90=Export Audit Logs Access
task91=Design Configuration Template Access
task92=Schedule Job
task93=SSO Servers
task94=Monitor Interferers
task95=Configure Switch Location Configuration Templates
task96=Configure WiFi TDOA Receivers
task97=Add Groups
task98=Cancel Job
task99=Swim Distribution
task100=PnP Preferences Read-Write Access
task101=Discovery CRUD Privilege
task102=WAN Optimization Dashboard Access
task103=nbiAccessPrivilege
task104=Voice Audit Report
task105=Admin Dashboard Access
task106=PnP Deploy History Read-Write Access
task107=Global SSID Groups
task108=Modify Groups
task109=Report Run History
task110=Maps Read Only
task111=Compliance Reports
task112=Disable Clients
task113=Custom NetFlow Reports
task114=WIPS Service
task115=Security Reports
task116=Application Server Management Access
task117=Configure Spectrum Experts
task118=Appliance
task119=View Security Index Issues
task120=Swim Access Privilege
task121=Configure Mobility Devices
task122=Device Bulk Import Access
task123=Home Menu Access
task124=Health Monitor Details
task125=Monitor WiFi TDOA Receivers
task126=Add Device Access
task127=Approve Job
task128=View Alert Condition
task129=User Preferences
task130=Guest Reports
task131=Config Archive Read-Write Task
task132=Logging
task133=Device View configuration Access
task134=Swim Preference Save
task135=Automated Feedback
task136=Delete and Clear Alerts
task137=Identity Search Engine
task138=Configure Third Party Controllers and Access Point
task139=Email Notification
task140=License Check
task141=SSO Server AAA Mode
task142=Rogue Location
task143=Swim Recommondation
task144=Identify Unknown Users
task145=Delete Group Members
task146=Reports Menu Access
task147=PnP Profile Read-Write Access
task148=Configure ISE Servers
task149=Tools Menu Access
task150=Config Audit Dashboard
task151=Incidents Alarms Events Access
task152=Virtual Domain Management
task153=Monitor Ethernet Switches
task154=TAC Case Management Tool
task155=Pause Job
task156=Discovery Schedule Privilege
task157=Monitor Mobility Devices
task158=Context Aware Reports
task159=Voice Diagnostics
task160=Configure Choke Points
task161=MSE Analytics
task162=RRM Dashboard
task163=Swim Delete
task164=Theme Changer Access
task165=Import Policy Update
task166=Design Endpoint Site Association Access
task167=Diagnostic Information
task168=Planning Mode
task169=Pick and Unpick Alerts
task170=Configure Menu Access
task171=Ack and Unack Security Index Issues
task172=Deploy Monitoring Template Access
task173=Ack and Unack Alerts
task174=Auto Provisioning
virtual-domain0=ROOT-DOMAIN

If you add only role0 and virtual-domain0, it does not work (tested).
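The copy-and-paste step above is easy to get wrong: a stray header line from the CPI page, a task dropped while copying, or just role0 plus virtual-domain0. The following script is an added example (not from the original post, not a Cisco tool) that takes the Task List text, appends virtual-domain0 and produces the text for the ACS Bulk Edit box, refusing the combinations that lead to the “No authorization information found for Remote Authenticated User” error. SAMPLE_TASK_LIST is a constructed excerpt of the CPI 2.1 Root list; the contiguous-index check is my own sanity check for copy errors, not a documented CPI rule.

```python
"""
Build the ACS 5.x Shell Profile custom attributes for a Prime Infrastructure
(CPI) user group from the CPI "Task List" text, and reject attribute sets
that CPI will not accept at login.
"""
import re
from typing import List, Tuple

Attr = Tuple[str, int, str]  # (name, index, value), e.g. ("task", 3, "Run Job")

# Constructed sample: a short excerpt of the "TACACS+ Custom Attributes"
# column of User Groups > Task List for the Root group (CPI 2.1 has 175 tasks).
SAMPLE_TASK_LIST = """\
role0=Root
task0=View Alerts and Events
task1=Run Job
task2=Device Reports
task3=Alarm Stat Panel Access
"""

ATTR_RE = re.compile(r"^(role|task|virtual-domain)(\d+)=(.+)$")


def parse_attributes(text: str) -> List[Attr]:
    """Parse 'name<index>=value' lines. Blank lines are skipped; anything
    else (a pasted table header, an ACS prompt) raises, so it never ends up
    in the profile."""
    attrs: List[Attr] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a CPI attribute: {line!r}")
        attrs.append((m.group(1), int(m.group(2)), m.group(3).strip()))
    return attrs


def validate(attrs: List[Attr]) -> List[str]:
    """Return a list of problems; an empty list means the set is usable."""
    problems: List[str] = []
    seen: dict = {}
    for name, idx, _value in attrs:
        bucket = seen.setdefault(name, set())
        if idx in bucket:
            problems.append(f"duplicate {name}{idx}")
        bucket.add(idx)
    for required in ("role", "virtual-domain"):
        if 0 not in seen.get(required, set()):
            problems.append(f"missing {required}0")
    tasks = seen.get("task", set())
    if not tasks:
        # The case tested in the post: role0 + virtual-domain0 alone fails.
        problems.append("no taskN entries (role0 and virtual-domain0 alone are rejected by CPI)")
    elif tasks != set(range(len(tasks))):
        # Assumption: a gap in task0..taskN means a line was lost while copying.
        problems.append("task indices are not contiguous from task0")
    return problems


def build_shell_profile(task_list_text: str, virtual_domain: str = "ROOT-DOMAIN") -> str:
    """Return the text to paste into ACS Shell Profile > Custom Attributes >
    Bulk Edit: the CPI task list plus virtual-domain0, validated."""
    attrs = parse_attributes(task_list_text)
    if not any(name == "virtual-domain" for name, _, _ in attrs):
        attrs.append(("virtual-domain", 0, virtual_domain))
    problems = validate(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    # Same order CPI displays: role, tasks, then the virtual domain.
    order = {"role": 0, "task": 1, "virtual-domain": 2}
    attrs.sort(key=lambda a: (order[a[0]], a[1]))
    return "\n".join(f"{name}{idx}={value}" for name, idx, value in attrs) + "\n"


if __name__ == "__main__":
    print(build_shell_profile(SAMPLE_TASK_LIST), end="")
    print(validate(parse_attributes("role0=Root\nvirtual-domain0=ROOT-DOMAIN\n")))
```

Paste the real Task List into SAMPLE_TASK_LIST (or read it from a file) and paste the output into the Bulk Edit box; if the script raises, fix the list before touching ACS rather than debugging a failed login afterwards.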

ACS and CPI CLI

Cisco Prime Infrastructure 2.2 Administrator Guide > Best Practices: Server Security Hardening > Authenticating With External AAA > To set up remote user authentication via the CLI provides complete steps:

aaa authentication tacacs+ server 192.168.1.1 key plain TACACS_SHARED_KEY
username USERNAME password remote role admin email ADMIN.EXAMPLE.COM

Note:

• The second command is required. Without it you will see requests in ACS with the correct TACACS+ shared key and the correct username, but WRONG PASSWORD (tested with CPI 2.2). It works as soon as you add the username statement.
• If you configured “ACS for WebGUI” as described above, no further action is required on the ACS side.
• If you configure ACS for both WebGUI and CLI, you can easily tell which is which by looking at the “Remote Address” field of the request: for WebGUI it contains the CPI's IP address, for CLI it contains the client's IP address.

How to configure Cisco Nexus 7K for Cisco ACS (TACACS). [SOLVED]

So I needed to configure a Cisco Nexus 7K running NX-OS 6.x to use a TACACS+ server on Cisco ACS 5.X. I decided to build a minimal lab to test it before deploying on real hardware: NX-OS and Cisco ACS. I already had Cisco ACS but needed an NX-OS virtual device. Cisco Nexus 1000v was not an option because I had VMware Workstation only and no time to install Nexus 1000v in a nested ESXi on Workstation. So I tried Cisco Titanium 5.1.2.

Installing Cisco Nexus Titanium on VMware Workstation

* Prepare your VMware Workstation.
* Download the .RAR with “Titanium-VM” (use Google to find the file).
* Import the VM into VMware Workstation: Open > ….vmx > “I Copied”.
* Add a serial port to the VM.
* Connect to the serial port with PuTTY (you will see nothing until the VM has booted).
* Start the VM. You will see the following, but it is OK. By the way, you get the CLI prompt only after the VM has booted (just wait a while) and there are no messages at all in the VM console.

Loader Loading stage1.5.

Loader loading, please wait...
WARNING: Ancient bootloader, some functionality may be limited!

* After the VM has booted you will see the following:

.
*****************
 Username: admin
 Password: cisco
*****************
.N7K login:

* Then you will probably want to reconfigure the management interface so the VM can reach your network:

N7K(config)# int mgmt 0
N7K(config-if)# ip address 10.0.0.200/24
N7K(config-if)# no sh
N7K(config-if)# this config

interface mgmt0
  vrf member management
  ip address 10.0.0.200/24

N7K(config-if)# end
N7K# ping 10.0.0.1 vrf management
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=63 time=94.748 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=2.842 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=4.994 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=3.653 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=7.946 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.842/22.836/94.748 ms
N7K# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...
N7K#

* The TACACS+ feature is disabled by default:

N7K# show feature | i Feature|tacacs
Feature Name          Instance  State
tacacs                1         disabled
N7K#
N7K# conf t
N7K(config)# feature tacacs+
N7K(config)# exit
N7K# show feature | i Feature|tacacs
Feature Name          Instance  State
tacacs                1         enabled
N7K#

* Template:

! Before you start, make sure that your username, password and role are configured locally.
! Then configure local authentication for console connections, so you keep console
! access if the TACACS+ server is unreachable or the AAA configuration is wrong.
aaa authentication login console local

! TACACS+ server and shared key; the per-host timeout keeps login from hanging for long
! when ACS does not answer.
tacacs-server host 10.0.0.100 key $SECRET$
tacacs-server host 10.0.0.100 timeout 3

! Server group reached through the management VRF from mgmt0 (the source address must match
! the network device entry in ACS).
aaa group server tacacs+ AAA
 server 10.0.0.100
 use-vrf management
 source-interface mgmt0
 exit

! Test the authentication procedure against the group before switching login over to it:
test aaa group AAA USERNAME PASSWORD
user has been authenticated

...
aaa accounting default group AAA
...

! Some optional timeouts.
line console
 exec-timeout 15
 exit
line vty
 exec-timeout 15
 exit

! Save configuration.
copy run start
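Before cutting a production N7K over to ACS I want to know that the running-config really contains every piece of the template, in particular the local console fallback and the VRF/source-interface settings that decide whether ACS ever sees the request. The following is an added example (not from the original post, not a Cisco tool): it parses an NX-OS running-config text and reports what is missing. SAMPLE_RUNNING_CONFIG is a constructed config modelled on the template, deliberately missing the accounting line and the vty exec-timeout; the findings wording and the check list are my own.

```python
"""
Audit an NX-OS running-config for the TACACS+ settings of the template above.
Run it on the output of 'show running-config' before relying on ACS for login.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the template in this post (not captured
# from a real N7K). It omits the accounting line and the vty exec-timeout.
SAMPLE_RUNNING_CONFIG = """\
feature tacacs+
aaa authentication login console local
tacacs-server host 10.0.0.100 key 7 "xxxxxxxxxxxxxxxx"
tacacs-server host 10.0.0.100 timeout 3
aaa group server tacacs+ AAA
  server 10.0.0.100
  use-vrf management
  source-interface mgmt0
line console
  exec-timeout 15
line vty
"""


def _blocks(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their top-level parent command."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.rstrip()
            blocks.setdefault(current, [])
    return blocks


def audit_tacacs(config: str) -> List[str]:
    """Return the list of findings; an empty list means every check passed."""
    findings: List[str] = []
    blocks = _blocks(config)
    top = set(blocks)

    if "feature tacacs+" not in top:
        findings.append("feature tacacs+ is not enabled")
    if "aaa authentication login console local" not in top:
        findings.append("console is not pinned to local authentication (lockout risk when ACS is unreachable)")

    hosts = set()
    for cmd in top:
        m = re.match(r"tacacs-server host (\S+) key\b", cmd)
        if m:
            hosts.add(m.group(1))
    if not hosts:
        findings.append("no tacacs-server host with a key configured")
    if not any(re.match(r"tacacs-server (host \S+ )?timeout \d+$", cmd) for cmd in top):
        findings.append("no tacacs-server timeout set (the NX-OS default applies)")

    groups = {name.split()[-1]: body for name, body in blocks.items()
              if name.startswith("aaa group server tacacs+ ")}
    if not groups:
        findings.append("no aaa group server tacacs+ defined")
    for gname, body in groups.items():
        members = {item.split()[1] for item in body if item.startswith("server ")}
        if not members:
            findings.append(f"group {gname} has no servers")
        for srv in sorted(members - hosts):
            findings.append(f"group {gname} references {srv}, which has no tacacs-server host entry")
        if not any(item.startswith("use-vrf ") for item in body):
            findings.append(f"group {gname} has no use-vrf (requests would use the default VRF, not management)")
        if not any(item.startswith("source-interface ") for item in body):
            findings.append(f"group {gname} has no source-interface")
        if f"aaa accounting default group {gname}" not in top:
            findings.append(f"no aaa accounting default group {gname}")

    for line_name in ("line console", "line vty"):
        if not any(item.startswith("exec-timeout ") for item in blocks.get(line_name, [])):
            findings.append(f"{line_name} has no exec-timeout")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs(SAMPLE_RUNNING_CONFIG):
        print("FINDING:", finding)
```

The script does not look at the "..." parts of the template (the login and authorization method lists), so an empty result only means the plumbing towards ACS is in place, not that login has been switched over.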

Some useful links:
* Cisco Secure Access Control System > Nexus Integration with ACS 5.2 Configuration Example.
* Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x > Configuring TACACS+.
* TACACS+ configuration on Nexus 7000.

* http://roadtocciedc.blogspot.com/2014/01/cisco-titanium-nx-os-emulator.html
* http://routing-bits.com/2011/05/24/nexus-user-roles/
* http://networkhobo.com/2014/01/23/configure-tacacs-access-on-nexus-7k/
