Welcome to the extraxi blog...

If you found this page by accident and don't know what extraxi is about... we specialise in reporting solutions for the Cisco Secure ACS and Funk SBR access control servers (aka AAA servers).

These servers are predominantly used to control access to network services such as dial-up, wireless LAN, VPN and firewall access, and to administrative logins on network devices.

Typically these servers just chuck out megabytes of raw CSV log data about network activity. What we do is help collect that data, import it and turn it into usable information.

Wednesday, 17 June 2009

RBAC Style Device Management using Cisco Secure ACS and TACACS+

A few years back, when we all worked on ACS at Cisco, a good friend wrote a really clear guide to using ACS (with TACACS+) to implement an RBAC-style system for managing administrative authentication and authorization on IOS devices.

The Cisco web site isn't always easy to search and I'm sure one day the guide will get deleted, so here is a link to a local copy:

Missing user names in the ACS package.cab

aaa-reports! can import the ACS cab file to get an up-to-date list of usernames, group assignments and even much of the policy. However, it's possible that dynamic users (e.g. users authenticated externally via Windows, RSA, LDAP etc.) will not be included in the cab file.

This is because ACS now has an extra setting to disable the caching of dynamic (externally authenticated) users. When that setting is enabled, those users get no record in the ACS user database and so do not appear in the package.cab file. The setting is in the Configure Caching Unknown Users section on the External Authenticators ACS Admin page.
Also worth a mention: on the User Setup page there is a Remove Dynamic Users button that does exactly that!
TIP: If you wish to purge stale records, first export the cab into aaa-reports! and run the inactivity reports to see which user records can go. Only then should you remove the dynamic users, because the button removes every dynamic user, not just the stale ones.
SHAMELESS PLUG: csvsync v3.0 can trigger the creation of the package.cab and download it ready for automated import into aaa-reports! enterprise v1.1.
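The inactivity check behind the TIP above, as an added example that is not extraxi's or Cisco's code: it reads an ACS-style passed-authentications CSV export, records the last successful login per user, and splits a user list (as the cab export would give it) into accounts idle longer than a threshold and accounts never seen in the log at all. The column names, date format and every sample row are constructed assumptions, so map them to your own export before use.

```python
"""Stale-account check over ACS-style CSV authentication logs.

Added example, not extraxi's or Cisco's code. The CSV layout (column
names, date format) and the sample rows below are constructed
assumptions; map the column names to your own ACS export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a passed-authentications export (not real data).
# A non-OK row is included to show that only successful logins count:
# a failed attempt against an account must not keep it looking active.
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Group-Name,NAS-IP-Address
03/01/2009,08:12:44,Authen OK,alice,NetAdmins,10.0.0.1
04/20/2009,17:03:10,Authen OK,CORP\\bob,HelpDesk,10.0.0.2
06/15/2009,09:30:02,Authen OK,alice,NetAdmins,10.0.0.3
06/16/2009,11:45:59,Authen OK,carol,NetAdmins,10.0.0.1
06/16/2009,12:00:00,Authen failed,dave,,10.0.0.1
"""

# Constructed list of accounts as the user export would list them.
KNOWN_USERS = ["alice", "bob", "carol", "dave"]


def normalise(name):
    """Lower-case and drop a DOMAIN\\ prefix so log names match the user list."""
    return name.split("\\")[-1].lower()


def last_seen(log_text):
    """Map each user to the time of their most recent successful authentication."""
    seen = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Message-Type"] != "Authen OK":
            continue
        when = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        user = normalise(row["User-Name"])
        if user not in seen or when > seen[user]:
            seen[user] = when
    return seen


def stale_users(users, seen, as_of, max_idle_days):
    """Split users into (idle longer than max_idle_days, never seen at all)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    stale, never = [], []
    for user in users:
        key = normalise(user)
        if key not in seen:
            never.append(user)
        elif seen[key] < cutoff:
            stale.append(user)
    return stale, never


def check(as_of=datetime(2009, 6, 17), max_idle_days=30):
    """Run the check over the constructed sample as of a fixed reference date."""
    return stale_users(KNOWN_USERS, last_seen(SAMPLE_LOG), as_of, max_idle_days)


if __name__ == "__main__":
    stale, never = check()
    print("idle longer than 30 days:", stale)
    print("never seen in the log window:", never)
```

One caveat before acting on the "never seen" list: it is only meaningful if the exported log covers the whole inactivity window. A user whose last login predates the first line of the export looks identical to one who never logged in, so export at least max_idle_days of logs (the reference date here is fixed to 17 June 2009 to match the sample) before removing dynamic users.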