TACACS Hard Token Authentication

Category:Cisco Systems -> Security

User Authentication Against External RSA Server

User Based Internal TACACS Authorization with External RSA Authentication

Steps:

0. Go to “Network Resources”. Under “Network Device Groups” create the categories “Location” and “Device Type”. Then go to “Network Devices and AAA Clients” and add the device, either by its IP address or by a subnet range, and assign it to the groups just created. Only devices on this list are served: ACS ignores any TACACS+ request from an IP address that is not defined here, so a missing entry shows up on the device as an unanswered request rather than as a rejection.
1. Go to “Users and Identity Stores” - “External Identity Stores” - “RSA SecurID Token Servers”. Create an RSA instance and upload the agent configuration file generated on the RSA Authentication Manager (normally sdconf.rec). Then go to “Advanced” and tick “Passcode caching”. A cache of 60 seconds is enough to let the same passcode be accepted again on the same device within that window. Be aware of the trade-off: the RSA server normally refuses a passcode that has already been used, and caching relaxes that one-time property for the lifetime of the cache, so keep the window as short as the workflow allows.
2. Go to “Users and Identity Stores” - “Identity Groups” and create a group for the users, e.g. “Network Services”. Then go to “Internal Identity Stores” - “Users” and create a user with the same username as registered on the RSA server, assigning it to the group just created. Under “Password Type:” select the RSA SecurID store from Step 1 so that the user is authenticated against the RSA server instead of against an internal password.
3. Go to “Policy Elements” - “Authorization and Permissions” - “Device Administration” - “Command Sets”. Create a command set, e.g. “ShowOnly”, and populate it with the permitted commands, such as “show” and “ping”. Leave “Permit any command that is not in the table below” unticked so that every command not listed is denied.
4. Go to “Access Policies” - “Access Services” and create a new service, e.g. “RSA Device Admin”. Under “RSA Device Admin” - “Identity” select “Internal Users” as the identity source. Under “Authorization” create the following rule: Dictionary “Internal Users”; Attribute “UserIdentityGroup”; Operator “in”; Value “Static” “All Groups:Network Services”. Click “Add”. As the result of the rule, choose a shell profile for this group of users and the command set from Step 3 (“ShowOnly”). Click “OK”.
5. Go to “Service Selection Rules” and create a rule with the conditions Protocol “match” “Tacacs” and “NDG:Device Type” “in” (the device group that contains the device from Step 0), and with the access service from Step 4 (“RSA Device Admin”) as its result. Save the changes.
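
The device side of the same setup, as an added example that is not part of the original post: the Cisco IOS configuration that sends VTY logins to ACS for TACACS+ authentication and per-command authorization, so that the “ShowOnly” command set from Step 3 is actually enforced. The ACS address 192.0.2.10, the shared key, the server and group names, the loopback source interface and the local fallback account are assumptions for the example and must be replaced with your own values.

```cisco
! Added example (not from the original post). Assumed values:
! ACS at 192.0.2.10, shared key "tacacs-key", source interface Loopback0.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key tacacs-key
 timeout 5
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Authentication: ask ACS first (which forwards to RSA), fall back to the
! local database only if no ACS server answers (not if ACS rejects).
aaa authentication login VTY group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
!
! Authorization: EXEC shell and every typed command are checked against
! the command set returned by ACS; "config-commands" extends this to
! configuration mode.
aaa authorization exec VTY group ACS-GROUP local
aaa authorization commands 1 VTY group ACS-GROUP local
aaa authorization commands 15 VTY group ACS-GROUP local
aaa authorization config-commands
!
! Accounting gives ACS a per-command audit trail for the session.
aaa accounting exec VTY start-stop group ACS-GROUP
aaa accounting commands 15 VTY start-stop group ACS-GROUP
!
! Local emergency account, used only when ACS is unreachable (hypothetical).
username admin privilege 15 secret REPLACE-ME
!
! The address ACS sees as the AAA client (must match Step 0).
ip tacacs source-interface Loopback0
!
line vty 0 4
 login authentication VTY
 authorization exec VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 accounting exec VTY
 accounting commands 15 VTY
 transport input ssh
```

Before handing the device over, check the path from the console rather than from a VTY session: `test aaa group ACS-GROUP <username> <passcode> new-code` authenticates one token code through ACS to RSA and reports the result, and `debug tacacs` together with `debug aaa authorization` shows each command being sent to ACS and the permit or deny it returns. Keep the console on local authentication until both checks pass, because with the `local` fallback a configured but rejecting ACS still locks out every TACACS-only user.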

By privilege15