USD ($)
United States Dollar
India Rupee

Control Plane Security Using Cisco ACS

Created by Pankaj Sharma in Articles 6 Jan 2024


 Configure the IP address of R1:

 Configure the IP address of R2:

 Configure the Switch: Vlan 10 and put following ports in Vlan 10: eth0/1, eth0/2, eth0/0, and eth3/0. Also Configure Interface Vlan 10 on SW with IP address

✓ Configure the ACS with IP address with username admin and password Uninets@123.

 Configure the R4 with Enable Secret Uninets@123

 Configure R4 line Vty 0-4 with transport Input all

 Configure R4 with username Uninets and password Uninets@123 with Privilege level 15

 Configure R4 so that if telnet it from R3 It will go to ACS and then Local password.

Configure the R4 to allow Users who are going to login via AAA with username admin and password Uninets@123 will have full    authorization.

 Use TACACS Server Key Uninets@123


Cisco Secure ACCESS CONTROL SERVER (ACS) offers authentication, accounting, and accounting to arrange network devices. It incorporates switches, Cisco firewalls like ASA and Firepower, and system get to servers. Cisco Secure Access Control Server underpins two noteworthy AAA conventions: to be specific, TACACS+ and RADIUS.

Cisco ACS unifies authentication (your identity) as well as authorization (what you can access) and accounting (the logging of what when you signed in and out, and also what you were conceded access to). Customarily, this was simply required for dial-up clients over modem telephone lines; later, for Internet VPN clients. Be that as it may, starting with ACS variant 4.0, Cisco ACS is playing out a similar verification, approval, and bookkeeping capacities for systems that are NAC-empowered.


Here is the switch configuration wherein assigning interfaces to their respective VLANs and configuring IP address on SVI VLAN 10

Routers Configuration

Here are the configurations on the routers, only IP addresses are assigned on the directly connected interfaces and verifying their connectivity between each other. 


interface Ethernet 0/0

ip address

No shutdown




interface Ethernet0/0

ip address

No shutdown



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


PC Configuration

Access the WIN PC via VNC and apply the IP Address:

Configure the ACS:

To access CLI: Username: admin, password: Uninets@123 Once done Try access to ACS via Window machine. It will ask for Username and password: Username: ACSadmin Password: default. Once done it will ask to change password: Uninets@123 and install the License to get started.

Configure the following configuration on R2:

Here we are enabling the aaa new model for authentication and authorization via TACACS server, in case tacacs is not reachable then fall back to local username which is also configured. The credentials for the tacacs server is provided and then finally allow incoming connections to get authenticated and authorized via TACACS server on VTY line.


aaa new-model

aaa authentication login UNINETS_TACACS group tacacs+ local

aaa authorization exec UNINETS_Exec_via_TACACS group tacacs+ local


username admin privilege 15 secret Uninets@123


tacacs-server host key Uninets@123


line vty 0 4

 authorization exec UNINETS_Exec_via_TACACS

 login authentication UNINETS_TACACS

 transport input all


enable secret Uninets@123


Now we have to start configuration on ACS The first step is to create a device group. You do so by navigating to Network Resources > Network Device Groups > Device Type and clicking Create

Configure the device and add it to Device Group.

Configure users Group: So, we have created a network device group, and added router R02 as the first network device (ACS client) in this group. The next step is to create a user group, and then create some users in those groups. The group we are going to create are an Admin group. To create these groups, navigate to Users and Identity Stores > Identity Groups and Click Create,

Configure users with username and password and put that user in user group: These new group have no users in them by default and have no special permissions by Default. The first step to fixing that is to create a couple user accounts and place at least one user account into each group. To create individual users, navigate to Users and IdentityStores> Internal Identity Stores > Users and click Create.

Configure the authorization policies for the user. The next step is to configure authorization policies that give full access to users in the Admin group who are trying to access routers in the network device group we created. To create and assign the reservation policies, first navigate to Access Policies > Access Services > Default Device Admin >Authorization and click Create,

In the dialog box, indicate the name of this policy, called in this example AdminRole, and check the box next to the conditions next to identity group, and click the Select button to choose the Admin group created earlier. Use the same process, checking that box next to NDG Device Type (NDG stands for network device group) and then using the Select button, to indicate the device belongs to the group of routers device group that was created earlier.

This is setting up a condition so that if a user who is a member of the Admin group is attempting to access a device that is a member of the specific router group, then as a result we can provide specific access based on a custom shell profile that we can create. To do that, click the Select button next to the Shell Profile option, and you are presented with the Screen shown,

Verification: - Now for testing login to R01 and telnet, it will ask for username and password, Supply it with username admin and password Uninets@123


Trying … Open

Username: admin





Wrap-up Time, Friends, we hope this post will help you to get best answer for your topic related queries.

Pankaj Sharma

Pankaj Sharma is a senior network security engineer. He is working since past 14 years in IT networking field and have excellent experience in training industry also. His working experience in top companies in India makes him most valuable professional in IT industry. Pankaj Sharma has done CCNA security, Palo Alto and Checkpoint ...

More... | Author`s Bog | Book a Meeting

Comments (0)

Pankaj Sharma

Pankaj Sharma

Ex Security Engineer & Instructor @UniNets Instructor role
★★★★★ 5.00
Faithful User
Expert Vendor
Golden Classes
King Seller
Fantastic Support

Upcoming batches

+91 84484 40748

Enquire Now

Share to your friends


Share this post with others

Contact learning advisor

New Cisco ACI Training Live Batch Starts June 15th!
New Cisco ACI Training Live Batch Starts June 15th!
Advance your career? Don't miss out on our Cisco Application Centric Infrastructure (ACI) training ...
Enroll Now