Welcome to the extraxi blog...

If you found this page accidentally and don't know what extraxi is about... we specialise in reporting solutions for the Cisco Secure ACS and Funk SBR access control servers (aka AAA servers).

The servers are predominantly used to secure network services such as dial, wireless LAN, VPN, firewall and network device management.

Typically these servers just chuck out MBs of raw CSV log data about network activity. What we do is help collect this data, then import it and turn it into usable information.

Friday 12 October 2007

What Can Extraxi Get From The ACS Database?

aaa-reports! support for importing (and reporting against) data from the Cisco ACS database has grown over time. In v1.x we could import users and group assignments from a CSV file.

In v2.0 we added the csutil "dump.txt" and also included account expiry, password aging, user defined fields (eg Real Name, Description etc) and a whole lot more.

In v2.1 we started to look at TACACS+ Device Admin (TDA) policy to pull in Shared Device Command Sets (DCS) for Shell and PIX, IP based Network Access Restrictions (Group & Shared) and Network Device Group (NDG) memberships. Finally, aaa-reports! is able to look into each ACS group to pull in the Shell & PIX service authorizations:
  • Service enabled (y/n)
  • Service attributes (returned after authentication)
  • Group level access restrictions
  • Shared access restrictions
  • Group level shell/pix command authorisations
  • Shared shell/pix command authorisations (via NDG->DCS mappings)

With all this data imported we can offer reports to both document the config (eg our group/user detail report that has a layout similar to the ACS UI) and explore the config (eg who has access to what devices AND what commands they can execute). The Query Builder can see the same data too - so you can create custom reports about the users in the ACS db!

Cool huh?

Of course, the next question is how to get the data OUT of ACS and then IN to aaa-reports!

If you have ACS v4.x on either software or appliances it's easy. You just create a support "package.cab" using either the command line cssupport.exe (s/w version) or the Support admin page (appliance version). Make sure you tick the check boxes to include the user & group db + config.

If you have ACS v3.x then unfortunately the appliance is not supported. On the s/w version we have a script you can download to suck the data out - available on our download page.

Once you have a .cab file (from either of the methods above) you just click on Import ACS Database on the aaa-reports Import page.
