Cisco Secure Contral Access System (ACS) has been around in the market for a long time and widely been used as the software to do network device administration with Tacacs+ protocol and network secure access with Radius protocol.

This lab is presenting how to use ACS 5.6 in a GNS3 environment. 

Network Topology:

network%2Btopology.png?resize=400%2C246network%2Btopology.png?resize=400%2C246

GNS3 Topology:

11-30-2014%2B7-58-26%2BPM.png?resize=400%2C24511-30-2014%2B7-58-26%2BPM.png?resize=400%2C245
GNS3 is running inside of ESXi Win7 virtual machine. R1 is using cisco 2691 ios with int f0/0 connecting cloud LAN interface. F0/0 has configured a LAN ip 192.168.2.38/24. One thing I found interesting is I have to set Win7 network interface to promiscuous mode to make GNS3 to communicate with other machines in the same LAN

1. ACS 5.6 VM Configuration:

acs.png?resize=400%2C366acs.png?resize=400%2C366
ESXi 5.5 is used to create a vm for ACS5.6. Hard drive has to be at least 60G, also 2 CPUs and 4G memory also is prerequisite based on Cisco installation guide. (In my lab, 2G memory is running well).. 

2. Installation and Basic Configuration of ACS 5.6

Following the Cisco installation guide, it is quite straightforward to do a fresh installation. After rebooted, you will get into console setup steps. Please make sure your Domain Control server is alive. Cisco has a article (Installing and Configuring Cisco Secure Access Control System with CSACS-1121) to describe the whole procedures
Please type ‘setup’ to configure the appliance

localhost login: setup
Enter hostname[]: ACS56
Enter IP address[]: 192.168.2.42
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 192.168.2.1
Enter default DNS domain[]: test1.com
Enter primary nameserver[]: 192.168.2.69
Add secondary nameserver? Y/N : n
Add primary NTP server [time.nist.gov]: 192.168.2.69
Add secondary NTP server? Y/N : n
Enter system timezone[UTC]:
Enable SSH service? Y/N [N] : y
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway…
Pinging the primary nameserver…
Do not use `Ctrl-C’ from this point on…
Appliance is configured
Installing applications…
Installing acs…
Generating configuration…
Rebooting…
Wait until reboot completed, you should be able to log into ACS through SSH and Web browser.
cmd.png?resize=400%2C318cmd.png?resize=400%2C318
11-23-2014%2B7-51-55%2BPM.png?resize=400%2C28611-23-2014%2B7-51-55%2BPM.png?resize=400%2C286
In browser window, first time log in username is ACSADMIN, and password is default. You will have to change it after first time logged in. 

3. Authentication with ACS Internal User

Step1 – create a new entry at Network Devices and AAA Clients

step1.png?resize=400%2C225step1.png?resize=400%2C225

Step2 – create Internal users (acstest1 and acstest2)

step2.png?resize=400%2C233step2.png?resize=400%2C233

Step3 – make sure Default Device Admin – Identity is using Internal Users 

step3.png?resize=400%2C206step3.png?resize=400%2C206

Step 4 – Router’s configuration

aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host 192.168.2.42

4. Test and Debug

Test log in with both users acstest1 and acstest2 are successful. 
R1#
*Mar  2 00:21:47.249: AAA/BIND(0000000C): Bind i/f
*Mar  2 00:21:47.253: AAA/AUTHEN/LOGIN (0000000C): Pick method list ‘default’
*Mar  2 00:21:48.013: AAA/LOCAL: exec
R1#
*Mar  2 00:21:58.757: AAA: parse name=tty66 idb type=-1 tty=-1
*Mar  2 00:21:58.757: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Mar  2 00:21:58.761: AAA/MEMORY: create_user (0x6440FE70) user=’acstest1′ ruser=’NULL’ ds0=0 port=’tty66′ rem_addr=’192.168.2.106′ authen_type=ASCII service=ENABLE priv=15 initial_task_id=’0′, vrf= (id=0)
*Mar  2 00:21:58.761: AAA/AUTHEN/START (3875444769): port=’tty66′ list=” action=LOGIN service=ENABLE
*Mar  2 00:21:58.761: AAA/AUTHEN/START (3875444769): non-console enable – default to enable password
*Mar  2 00:21:58.765: AAA/AUTHEN/START (3875444769): Method=ENABLE
R1#
*Mar  2 00:21:58.765: AAA/AUTHEN(3875444769): Status=GETPASS
R1#
*Mar  2 00:22:01.013: AAA/AUTHEN/CONT (3875444769): continue_login (user='(undef)’)
*Mar  2 00:22:01.013: AAA/AUTHEN(3875444769): Status=GETPASS
*Mar  2 00:22:01.013: AAA/AUTHEN/CONT (3875444769): Method=ENABLE
*Mar  2 00:22:01.017: AAA/AUTHEN(3875444769): Status=PASS
*Mar  2 00:22:01.017: AAA/MEMORY: free_user (0x6440FE70) user=’NULL’ ruser=’NULL’ port=’tty66′ rem_addr=’192.168.2.106′ authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
R1#

Reference: