Use Cisco ACS to manage Logins and Permissions by Group

From MikroTik Wiki
Revision as of 04:36, 28 October 2010 by Dgerdes (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This document assumes you already have Cisco ACS managing multiple users and groups with various levels of administrative access to network devices and you wish to have it control access to your Mikrotik devices as well.

If you want all your users to have the same group level access (e.g. full, write or read) you don't need this information. You can use the Default Group option under /system user aaa

If on the other hand you want to place different users into different access level groups, this document might be just what you are looking for.

The first place I would start is the quick start document for User Manager and "RouterOS User"

This will get you a working implementation using User Manager instead of ACS. If you like creating and testing small steps when building a complex system, this is a great intermediate step. And I'm not going to repeat the information in that link for configuring Radius Login Authentication for ROS Users.

You can do something similar with Cisco ACS, except that by default ACS does not know how to send Mikrotik-Group information and thus the only option available to you is to use the Default Group setting for all Radius authenticated users and override this default only with locally configured users which is far from optimal.

The remainder of this document discusses changes you will need to make to the Cisco ACS server and user interface.

Now we head to the final step to get ACS to recognize the Mikrotik-Group option. To do this, you need to create a text file on the ACS Windows server containing the following text:

[User Defined Vendor]
IETF Code=14988
VSA 3=Mikrotik-Group


Run the following command to insert the Mikrotik Dictionary into Slot 0 of the VSA Table

CSUtil.exe -addUDV 0 Mikrotik.txt

Where 0 is the slot # and Mikrotik.txt is the name of the file you just created. (You might need to use absolute paths to the command and the file name)

CSUtil.exe can be found in directory:

C:\Program Files\CiscoSecure ACS v4.2\bin

This will restart ACS and if there are no errors Radius-Mikrotik will now be available. But there are a few more steps to get it available to user and group configurations.

First under "Network Configuration" edit a Network AAA Client entry and change the "Authenticate Using" field to "RADIUS (Mikotik)", Submit and Apply. This will cause the Radius (Mikrotik) Option to become available under "Interface Configuration"

So go to Interface Configuration and click on "Radius (Mikrotik)"

Under there, Check the Mikrotik-Group option and click Submit. This will Enable the Radius (Mikrotik) section under User and Group Setup.

Go to whatever Users or Groups you wish to configure, Scroll down to the Radius IETF section and enable "Service-Type Authenticate Only" and down farther in the Mikrotik section enable Mikrotik-Group and fill out the mikrotik Group name. The default groups available to you are "full" "write" and "read", but you can of course configure other custom groups in the ROS configuration dialogs to suit your needs.