Cisco Systems 3750 Switch User Manual
Contents
1. Configure MAB To configure MAB Step1 In the Edit Network Access Profiles page click Authentication The Authentication page for the selected NAP opens Figure 6 12 shows the Authentication Settings page Figure 6 12 Authentication Settings Page Authentication for my_mac_auth_bypass 2 Credential Validation Databases Available Databases Selected Databases Windows Database Winde Generic LDAP Generic LI BI Bl gt Up Down Populate from Global Authenticate MAC with LDAP Server Not Selected MAC Addresses User Group Internal ACS DB No MAC Group Mappings Add Delete Default Action If Agentless request was not assigned a user group o Default Group gt a Step 2 In the Credential Validation Databases section choose the database s that ACS will use to authenticate agentless hosts amp Note If you clicked Generic LDAP or another LDAP database choose External User Databases gt External User Database Configuration and configure an LDAP database Configuration Guide for Cisco Secure ACS 4 2 I OL 14390 02 EN Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Step 3 Step 4 Step 5 Step 6 Step7 Step 8 If you specified an LDAP database in the Credential Validation Databases section click LDAP Server and then select a LDAP database that yo2. Session idle timeout minutes 60 M Allow automatic local login M Respond to invalid IP address connections 158387 Step2 On the Session Policy Setup page set session options as required You can specify e Session idle timeout minutes Specifies the time in minutes that an administrative session must remain idle before ACS terminates the connection 4 character maximum When an administrative session terminates ACS displays a dialog box asking whether the administrator wants to continue If the administrator chooses to continue ACS starts a new administrative session This parameter only applies to the ACS administrative session in the browser It does not apply to an administrative dial up session e Allow Automatic Local Login ACS for Windows Only Enables administrators to start an administrative session without logging in if they are using a browser on the computer that runs ACS ACS uses a default administrator account named Jocal_login to conduct these sessions When unchecked disabled administrators must log in by using administrator names and passwords s Note To prevent accidental lockout when there are no defined administrator accounts ACS does not require an administrator name and password for local access to ACS The local_login administrator account requires the Administration Control privilege ACS records administrative sessions that use the local_login account in the Administrative A
3. Add Edit Attribute 2 RAC Vendor IETF Attribute Session Timeout 27 Type integer Value 3600 3 s b Inthe Value field for the attribute enter an appropriate value Each attribute has specific value types based on how the attribute is defined For example for the Session Timeout 27 attribute enter a timeout value in seconds c Click Submit Step6 When you are finished adding attributes click Submit Step7 To enable the RAC from the navigation bar choose System Configuration gt Service Control and then click Restart Figure 9 18 shows attribute selection for the Cisco_FullAccess RAC and Figure 9 19 shows attribute selection for the Cisco_Restricted RAC Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 9 27 Chapter9 NAC Configuration Scenario Hi Step 5 Set Up Shared Profile Components Figure 9 18 Attribute Selection for the Cisco_FullAccess RAC RADIUS Authorization Name Cisco_FullAccess ngs Provides full access to the Cisc Description network Add New Attribute Cisco IOS PIX cisco ay pair 1 v Add 6 0 IETF Service Type 6 v Add Ascend Ascend Remote Addr 154 Y Add Assigned Attributes Yendor Attribute Yalue IETF Session Timeout 27 3600 i r RADIUS Request IETF Termination Action 29 a IETF Tunnel Type 64 Ti VLAN 13 IETF Tunnel Medium Type 711802 6 65 2 IETF Tunnel Private Group ID T1 Quarantine g 81 ra Conf
4. In ACS 4 2 you can download access lists to specific devices or device groups You can define an access list that contains one or more dACLs and later download the list to network devices based on their assignments to user groups Before you define dACLs enable dACLs Each Assessment Result system posture token according to its definition should have its own ACL which contains one or more Access Control Entries ACEs that will instruct the NAC network device router to block packets from going to a specific destination or allow packets to reach a specific destination OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario Hi Step 5 Set Up Shared Profile Components To enable dACLs and NAFs which are required to create NAPs e Add a new posture ACL e Add ACE entries for the ACL e Save the posture ACL Note These ACLs are referred to as posture ACLs because they are a component of a NAP that is used in posture validation Adding an ACL To add a new ACL Step1 Choose Shared Profile Components gt Downloadable IP ACLs A list of dACLs appears as shown in Figure 9 12 Figure 9 12 Downloadable IP ACL List Shared Profile Components Downloadable IP ACLs 2 Name Description call ACL to permit all traffic because token is En Healthy NAC ACL Test ACL for NAC 158417 Step2 Click Add The Edit Downloadable IP ACLs page opens as shown i
5. 158426 e Inthe Use These Audit Servers section enter the Audit Validation Server information Audit Server vendor URL and password Figure 9 30 shows the Audit Flow Settings and the GAME Group Feedback section Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario Step 7 Configure Posture Validation for NAC W Figure 9 30 Audit Flow Settings and GAME Group Feedback Sections Audit Flow Settings Use this Posture Token while Audit Server does not A Quarantine yet have a posture validation jresult f Polling Intervals Use timeouts sent by Audit Server for Polling Intervals and Session Timeout x land Session IT Timeout Polling Interval seconds Maximum amount lof times the Audit Bo Server should be 38 polled Policy string to be sent to the Audit Server GAME Group Feedback I Request Device Type from Audit Server Assign This Group if Audit Server Did not Return a Device of Type User Group Device Type lAssign User Group No Device Type Policies Aaa Delete up Down Submit Delete Cancel f If required in the Audit Flow Setting section set the audit flow parameters 158425 g Ifyou are configuring GAME group feedback to support agentless host configuration in the NAC environment configure the settings in the GAME Group Feedback sectio
6. Condition Sets No Condition Sets Match OR inside Condition and AND between Condition Sets Match AND inside Condition and OR between Condition Sets Add Condition Set Posture Token Cisco PA Healthy Notification String Submit Cancel 158421 b Click Add Condition Set c The Add Edit Condition page appears as shown in Figure 9 25 Figure 9 25 Add Edit Condition Page Posture Validation Add Edit Condition Condition Elements Table Cisco Host HotFixes contains KB12345 oo Cisco PA 05 Type Windows NT Attribute Cisco PA OS Type E Entit O Operator v Value l Submit Cancel 158406 d From the Attribute drop down list choose an Attribute value e From the Operator drop down list choose a condition f In the Value text box enter a value for the condition Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 E Chapter9 NAC Configuration Scenario HI Step 7 Configure Posture Validation for NAC g Click Enter The specified rule appears in Add Edit Condition page as shown in Figure 9 25 h Enter additional conditions as required i Click Submit j Click Apply and Restart to apply the new posture validation rule s Configure External Posture Validation Policies Step 1 Step 2 Step 3 An external posture validation policy uses an external server that returns a posture assessment token to ACS accordi
7. Figure 2 1 ACS Server in a Small LAN Environment Catalyst 2900 3500 Switch Firewall ae _ Sj Cisco Secure ACS 158316 Campus LAN You can use ACS for wired access in a campus LAN A campus LAN is typically divided into subnets Figure 2 2 shows an ACS deployment in a wired campus LAN I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter2 Deploy the Access Control Servers W Determining the Deployment Architecture Figure 2 2 ACS in a Campus LAN Segment 1 Jo ano Remote office 158308 Figure 2 2 shows a possible distribution of ACS in a wired campus LAN In this campus LAN buildings are grouped into three segments Each segment consists of 1 to 3 buildings and all the buildings in the segment are on a common LAN All interbuilding and intersegment network connections use one gigabyte fiber optic technology Primary network access is through switch ports over wired Ethernet You use ACS to provide RADIUS authentication for the network access servers and you configure it to use an external database One ACS is deployed for each segment of 5 to 10 buildings A Cisco LocalDirector content switch is placed before each ACS for load balancing and failover Geographically Dispersed Wired LAN In a larger network that is geographically dispersed speed redundancy and reliability are important in determining whether to use a centralized ACS service or a number of geographic
8. If you want to set up Domain Filtering refer to the Configuring a Generic LDAP External User Database section in Chapter 12 of the User Guide for Cisco Secure Access Server 4 2 Specify the common LDAP configuration Figure 6 6 shows the Common LDAP Configuration section Figure 6 6 Common LDAP Configuration Section Common LDAP Configuration 2 eit hetitabec ou MAC Addresses ou MAB Segment Subtree Group Directory EENE Subtree ou MAC Groups ou MAB Segment o UserObjectType macAddress UserObjectClass jieee802Device GroupObjectType cn GroupObjectClass jieee802Device Group Attribute uniqueMember Name Server Timeout 30 seconds On Timeout Use o Secondary Failback Retry Delay D minutes Max Admin a0 Connections 20 158378 You must specify e User Directory Subtree Enter the distinguished name DN of the user directory subtree that contains all users In MAB configuration the users are in effect host devices In the LDAP schema shown in Example 6 1 the DN of the User Directory Subtree is ou mac Addresses ou MAB Segment o mycorp e Group Directory Subtree Enter the DN for the group directory subtree that contains all user groups as defined in your LDAP schema In MAB configuration the members of user groups are actually groups of MAC addresses In the LDAP schema shown in Example 6 1 the DN of the group directory subtree is ou mac Groups ou MAB Segment o cisco e Use
9. b Inthe Which Hosts Are Audited section choose what hosts you want to audit You can enter the host IP or MAC addresses for the hosts that you want to audit or for a host that you do not want to audit For the hosts that will not be audited choose a posture token from the drop down list d Scroll down to the Use These Audit Servers section Figure 9 57 shows the Use These Audit Servers section of the External Posture Validation Server Setup page wi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 11 Optional Configure GAME Group Feedback W Figure 9 57 Use These Audit Servers Section Use These Audit Servers Audit Server Unix vendor Smig URL Username Password M Primary Server Ti A E Configuration imeout sec Trusted Root CA none selected 7 Validate Certificate Vv Common Name URL Username Password M Secondary Server Timeout sec s Configuration Trusted Root CA none selected validate Certificate Vv Common Name 158426 e Inthe Use These Audit Servers section enter the Audit Validation Server information Audit Server vendor URL and password Figure 9 58 shows the Audit Flow Settings and the GAME Group Feedback section Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 Um Chapter9 NAC Configuration Scenario HZ Step 11 Optio
10. in Chapter 2 of the User Guide for Cisco Secure ACS 4 2 Using the Web Interface TACACS Configuration Options For detailed information see Displaying TACACS Configuration Options in Chapter 2 of the User Guide for Cisco Secure ACS 4 2 Using the Web Interface Advanced Options For detailed information see Displaying RADIUS Configuration Options in Chapter 2 of the User Guide for Cisco Secure ACS 4 2 Using the Web Interface Customized User Options For detailed information see Displaying RADIUS Configuration Options in Chapter 2 of the User Guide for Cisco Secure ACS 4 2 Using the Web Interface Step5 Configure Basic ACS System Settings a Click System Configuration b Configure Service Control Logging Date Format Control Local Password Management ACS Backup ACS Restore ACS Service Management optional IP Pools Server optional IP Pools Address Recovery For detailed instructions see Displaying RADIUS Configuration Options in Chapter 2 of the User Guide for Cisco Secure ACS 4 2 Using the Web Interface Step6 Configure Users a As required for your network security setup configure users You can configure users Manually by using the ACS web interface By using the CSUtil utility to import users from an external database Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 _ Chapter 1 Overview of ACS Configuration S
11. Certificate Database Path check box and download a cert7 db file Note pP To download a cert7 db certificate database file to ACS now complete the steps in Downloading a Certificate Database Solution Engine Only in Chapter 12 of the User Guide for Cisco Secure ACS 4 2 and then continue with Step f You can download a certificate database later Until a certificate database is downloaded for the current LDAP server secure authentication to this LDAP server fails ACS for Windows only If you checked the Use Secure authentication check box perform one of the following procedures Click the Trusted Root CA radio button and in the adjacent drop down list choose a Trusted Root CA Certificate Database Path radio button and in the adjacent box type the path to the Netscape cert7 db file which contains the certificates for the server to be queried and the trusted CA The Admin DN box requires the fully qualified Distinguished Name DN of the administrator that is the LDAP account which if bound to permits searches for all required users under the User Directory subtree In the Admin DN box type the following information from your LDAP server uid user id ou organizational unit ou next organizational unit o organization where user id is the username organizational unit is the last level of the tree next organizational unit is the next level up the tree For example uid joesmith ou members
12. New RDBMS Synchronization Features in ACS Release 4 2 Using RDBMS Synchronization to Configure ACLs 4 2 Step 1 Enable dACLs 4 2 Step 2 Create a Text File to Define the dACLs 4 2 4 1 Step 3 Code an accountActions File to Create the dACL and Associate a User or Group with the dACL 4 4 Sample accountActions CSV File 4 4 Step 4 Configure RDBMS Synchronization to Use a Local CSV File 4 5 Step 5 Perform RDBMS Synchronization 4 8 Running RDBMS Synchronization from the ACS GUI Running CSDBSync Manually to Create the dACLs Performing RDBM Synchronization Using a Script 4 8 4 8 4 9 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Contents W Step 6 View the dACLs 4 9 Error Messages 4 11 Reading Updating and Deleting dACLs 4 12 Updating or Deleting dACL Associations with Users or Groups 4 14 Using RDBMS Synchronization to Specify Network Configuration 4 14 Creating Reading Updating and Deleting AAA clients 4 15 CHAPTER 5 Password Policy Configuration Scenario 5 1 Limitation on Ability of the Administrator to Change Passwords 5 1 Summary of Configuration Steps 5 2 Step 1 Add and Edit a New Administrator Account 5 2 Step 2 Configure Password Policy 5 4 Specify Password Validation Options 5 6 Specify Password Lifetime Options 5 6 Specify Password Inactivity Options 5 7 Specify Incorrect Password Attempt Options 5 7 Step 3 Configure Session Policy 5 7 Step 4 Configure Access Policy 5 9 View
13. certs where selected_drive is the currently selected drive Step3 Copy the following files to the Certs directory e server cer server certificate e server pvk server certificate private key e ca cer CA certificate Run the Windows Certificate Import Wizard to Install the Certificate To run the Windows Certificate Import wizard to install the certificate on the server Step 1 Start Windows Explorer Step 2 Go to lt selected_drive gt Certs where selected_drive is the currently selected drive Step3 Double click the Certs ca cer file The Certificate dialog appears Configuration Guide for Cisco Secure ACS 4 2 72 E OL 14390 02 Chapter7 PEAP EAP TLS Configuration Scenario Step 4 Step 5 Step 6 Step 1 Configure Security Certificates Select Install Certificate The Windows Certificate Import wizard starts To install the certificate follow the instructions that the wizard displays Accept the default options for the wizard amp Note Only perform this process once on a Windows 2000 Server Enable Security Certificates on the ACS Installation To enable security certificates Step1 In the navigation bar click System Configuration The System Configuration page opens Step2 Click ACS Certificate Setup Step3 Click Install ACS Certificate Step4 The Install ACS Certificate page opens shown in Figure 7 1 Figure 7 1 Install ACS Certificate Page Install ACS Certificate In
14. Figure 3 2 shows the new options on the NAP Protocols page Table 3 2 New Options on the NAP Protocols Page Option Description Use PACs Click the Use PACs radio button if you want ACS to authenticate clients to which this NAP is applied by using EAP FAST with PACs enabled If you click the Use PACs radio button then the same EAP FAST configuration options that are available in the global EAP FAST configuration are available Do Not Use PACs Click the Do Not Use PACs radio button if you want ACS to authenticate clients to which this NAP is applied by using EAP FAST without PACs enabled Require Client Certificate If you click the Do Not Use PACs radio button the Require Client Certificate option is available Choose this option to require a client certification for EAP FAST tunnel establishment Disable Client Certificate Lookup If you click the Do Not Use PACs radio button you can check and Comparisons the Disable Client Certificate Lookup and Comparisons check box to disable client certificate lookup and to enable EAP FAST PKI Authorization Bypass If you check the Disable Client Certificate Lookup and Comparisons check box ACS establishes an EAP FAST tunnel without authorizing the user based on user group data or a public key infrastructure PKI certificate in a user database instead ACS maps the user to a preconfigured user group Assign Group If you check the Disable Client Certificate Lookup and Compariso
15. Index W wireless NAC L2 802 1x template 9 60 NAC NAP components defined 2 15 deploying ACS with 2 15 network architecture illustrated 2 16 NAC attribute value pairs importing using CSUtil 9 73 NAC L2 802 1x 9 25 9 56 NAC L2 IP 9 25 NAC L3 IP template 9 44 NAF enabling 9 22 selecting fora NAP 6 19 NAP configuring group filtering by LDAP user group 3 6 creating 6 18 enabling agentless request processing for 6 20 NAP agent 2 15 NAP client 2 15 NETBIOS disabling 3 4 net start csdbsync command 4 9 net stop csdbsync command 4 9 Network Access Filter See MAB See NAF medium sized LAN Network Access Filtering defined 2 2 See NAF multi forest support 3 7 network access profile See NAP N network access servers number supported by ACS 2 12 NAC network configuration configuring posture validation for 9 35 specifying using RDBMS Synchronization sample profile templates 9 44 RDBMS Synchronization Agentless Host for L2 802 1x fallback specifying network configuration 4 14 template 9 65 Network Policy Server NAC Layer 2 9 49 See NPS NAC Layer 2 802 1x 9 55 networks NAC Layer 3 9 44 latency 2 19 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 am W index reliability 2 19 P PAC disabling PAC processing in NAPs 3 3 Passed Authentication report enabling 9 15 password configuration Account Locked 5 4 Account Never Expires 5 4 password inactivity options 5 7 password lifetime options 5 6 pa
16. Number Attribute Name Description x 1 User Name Copied from EAP Identity Response in Access Request x xX 8 Framed IP Address IP address of host xX xX 26 Vendor Specific ACL name Cisco 9 1 ACS automatically sends this to the NAD as CiscoSecure Defined Pe of the RADIUS packet ACL x 26 Vendor Specific Policy based ACL assignment Only applies to Cisco 9 1 Catalyst 6000 sec pg lt group name gt sec pg x xX 26 Vendor Specific Redirection URL Cisco 9 1 url redirect lt URL gt url redirect x xX 26 Vendor Specific Apply the named ACL for the redirect URL ACL must be defined locally on the NAD Cisco 9 1 Only works on switches with IOS url redirect acl url redirect acl lt ACL Name gt x x xX 26 Vendor Specific Posture token state name Cisco 9 1 Automatically sent by ACS posture token x xX 26 Vendor Specific Sets Status Query timer Cisco 9 1 status query timeout x x 26 Vendor Specific Session identifier used for auditing Cisco 9 1 Automatically sent by ACS host session id E Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 _ Chapter 9 NAC Configuration Scenario Step 6 Configure an External Posture Validation Audit Server Hi Table 9 1 Attributes That Can Be Sent in the RADIUS Accept Response continued xX X xX 26 Vendor Specific Key for Status Query MS MPPE Recv Key Microsoft 311 Automatically sent by ACS x x x 27 Session Timeo
17. Step 6 Step7 Step 8 If you are using ACS in a NAC environment with agentless hosts then you must configure Generic Authorization Message Exchange GAME group feedback To configure GAME group feedback Import an audit vendor file by using CSUtil See Import an Audit Vendor File by Using CSUtil page 9 73 for details Import a device type attribute file by using CSUtil See Import a Device Type Attribute File by Using CSUtil page 9 73 for details Import NAC attribute value pairs See Import NAC Attribute Value Pairs page 9 73 for details Configure database support for agentless host processing The database that you use can be an external LDAP database preferred or the ACS internal database See Configure Database Support for Agentless Host Processing page 9 74 for details Enable Posture Validation See Enable Posture Validation page 9 74 for details Configure an external audit server See Configure an External Audit Server page 9 74 for details Enable GAME group feedback To enable GAME group feedback in the external audit server posture validation setup section configure e Which hosts are audited e GAME group feedback e Device type retrieval and mapping for vendors who have a device attribute in the RADIUS dictionary See Enable GAME Group Feedback page 9 79 for details Set up a device group policy See Enable GAME Group Feedback page 9 79 for details Configuration Guide for Cisco Secure A
18. and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or Website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0804R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental Configuration Guide for Cisco Secure ACS 4 2 2008 Cisco Systems Inc All rights reserved CONTENTS Preface ix Audience ix Organization ix Conventions x Product Documentation x Related Documentation xii Obtaining Documentation and Submitting a Service Request xii Notices iii xii OpenSSL Open SSL Project _ iii xiii License Issues __ iii xiii CHAPTER 1 Overview of ACS Configuration 1 1 Summary of Configuration Steps 1 1 Configuration Flowchart 1 5 CHAPTER 2 Deploy the Access Control Servers 2 1 Determining the Deployment Architecture 2 1 Access Types 2 2 Wired LAN Access 2 2 Wireless Access Topology 2 5 Dial up Access Topology 2 9 Placement of the RADIUS Server 2 11 Determining How Many ACSs to Deploy Scalability 2 11 Number of Users 2 11 Number of Network Access
19. your vendor id vendor name The name of you company application id 6 application name Audit attribute id 00003 attribute name Dummy attr attribute profile out attribute type unsigned integer I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario HH Step 6 Configure an External Posture Validation Audit Server Your vendor ID should be the Internet Assigned Numbers Authority ANA assigned number that is the first section of the posture token attribute name vendor 6 Step2 To install the attributes specified in the text file a Open a DOS command window b Enter the following command lt ACS_Install_Dir gt bin CSUtil addAVP file_name where ACS_Install_Dir is the name of the ACS installation directory and file_name is the name of the text file that contains vendor attributes Step 3 Restart the CSAdmin CSLog and CSAuth services Configure the External Posture Validation Audit Server You can configure an audit server once and then use it for other profiles To configure an audit server Step1 In the Posture Validation Components Setup page click External Posture Validation Audit Setup Step2 Click Add Server The External Posture Validation Audit Server Setup page appears as shown in Figure 9 20 Configuration Guide for Cisco Secure ACS 4 2 P93 OL 14390 02 Chapter9 NAC Configuration Scenario Step 3 Figure 9 20 Step 6 Conf
20. 009 001 Cisco av pair aaa service ip admission 006 Service Type mi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Protocols Policy These rules specify that the associated profile policies authenticate and authorize each RADIUS Step 8 Set Up Templates to Create NAPs request that matches the attribute s rules You can change the advanced filter and add remove or edit any RADIUS attribute that the RADIUS client sends Figure 9 47 shows the Protocols settings for the Wireless NAC L2 802 1x template Figure 9 47 Network Access Profiles Protocols Setting for Wireless NAC 802 1x Template Authentication Protocols nnoaada Allow PAP Allow CHAP Allow MS CHAPV1 Allow MS CHAPv2 Allow Agentless Request Processing EAP Configuration ii m 7 PEAP Allow EAP MSCHAPv2 Allow EAP GTC Allow Pasture Validation Allow EAP TLS Vv m Vv r EAP FAST Allow E amp 4P FAST Allow anonymous in band PAC provisioning Allow authenticated in band PAC provisioning M Accept client on authenticated provisioning I Require client certificate for provisioning Allow Stateless session resume Authorization PAC TTL ft hours gt Allowed inner methods M EAP GTC M E amp P MSCHAPv2 F EAP TLS Posture Validation C None Required Submit Cancel In the EAP Configuration section Posture Validation i
21. 02 Chapter3 Configuring New Features in ACS 4 2 Disabling of EAP FAST PAC Processing in Network Access Profiles W Disabling of EAP FAST PAC Processing in Network Access Profiles In the Protocols section for Network Access Profile NAP configuration you can now set up a NAP that causes ACS to use EAP FAST but not issue or accept tunnel or machine PACs Figure 3 2 shows the EAP FAST section of the NAP Protocols page for ACS 4 2 Figure 3 2 Use PAC and Do Not Use PAC Options EAP FAST O Allow EAP FAST Use PACs O Allow full TLS renegotiation in case of Invalid PAC Allow anonymous in band PAC provisioning Enable anonymous TLS renegotiation O Allow authenticated in band PAC provisioning O Accept client on authenticated provisioning CO Require client certificate for provisioning O Allow Stateless session resume Authorization PAC TTL p hours b Do Not Use PACs Require client certificate Disable Client Certificate Lookup and Comparisons Assign Group When receiving client certificate select one of the following lookup methods O Certificate SAN lookup O Certificate CN lookup Allowed inner methods CIEAP GTC C EAP MSCHAP v2 C EAP TLS Posture Validation None O Required Optional Client may not supply posture data Use token Unknown i O Posture only 270295 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 a 33 Chapter3 Configuring New Features inACS4 2 W Disabling NetBIOS
22. 02 Configuration Guide for Cisco Secure ACS 4 2 Hl Chapter8 Syslog Logging Configuration Scenario W Format of Syslog Messages in ACS Reports Step6 Click Submit Step7 Repeat the process for any additional reports for which you want to enable syslog reporting Format of Syslog Messages in ACS Reports Syslog messages included in ACS reports have the following format lt n gt mmm dd hh mm ss XX XX XX XX TAG msg_id total_seg seg A1 V1 The elements of the message are e n tThe Priority value of the message it is a combination of facility and severity of the syslog message which is calculated according to RFC 3164 by first multiplying the facility value by 8 and then adding the severity value mmm dd hh mm ss Date and time of the message XX Xx xXx xx IP Address of the machine generating this syslog message e tac One of the following values depending on the application name CisACS_01_PassedAuth Cisco ACS passed authentications CisACS_02_FailedAuth Cisco ACS failed attempts CisACS_03_RADIUSAcc Cisco ACS RADIUS accounting CisACS_04_TACACSAcc Cisco ACS TACACS accounting CisACS_05_TACACSAdmin Cisco ACS TACACS administration CisACS_06_VoIPAcc Cisco ACS VoIP accounting CisACS_11_BackRestore ACS backup and restore log messages CisACS_12_Replication ACS database replication log messages CisACS_13_AdminAudit ACS administration audit log messages CisACS_14 Pa
23. 4 2 OL 14390 02 purging Node Secret file purging 3 10 S Sarbanes Oxley See SOX security certificate installing and setting up 9 5 security certificates adding a trusted certificate 7 4 copying to the ACS host 6 7 7 2 9 6 enabling 6 8 7 3 9 8 installing 6 6 7 2 9 6 using Windows Certificate Import Wizard 6 7 7 2 installing the CA certificate 6 9 7 4 9 7 security policies 2 17 security protocols EAP 2 2 EAP TLS 2 3 PEAP 2 3 RADIUS 2 2 session policy configuring 5 7 Shared Profile Components configuring for NAC NAP 9 20 shared secret configuring 9 4 simple WLAN 2 5 small LAN defined 2 2 small LAN environment 2 3 SOX compliance administrator entitlement reports 5 12 SSL secure sockets layer 6 16 Syslog configuring ACS to generate messages 8 1 Syslog messages Index W facility codes 8 4 format in ACS reports 8 4 Syslog server specifying which Syslog server ACS sends messages to 8 3 Syslog time format configuring 3 7 system logging See Syslog T templates samples for NAC 9 44 tokens See posture assesments trusted certificate adding 7 4 U UPDATE_DACL 4 13 UPDATE_NAS 4 15 UPDATE_USER_DACL 4 14 updating AAA clients 4 15 updating dACLs 4 12 user groups configuring for MAB segments 6 17 users number allowed 2 19 V vendor attributes adding to the ACS dictionary 9 31 9 40 9 74 very large LAN or WLAN defined 2 2 viewing dACLs 4 9 I OL 143
24. 4 2 P28 W OL 14390 02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture W Figure 2 7 shows ACS installations in a geographically dispersed network that contains many WLANs Figure 2 7 ACS in a Geographically Dispersed WLAN 63491 For the model in Figure 2 7 the location of ACS depends on whether all users need access on any AP or require only regional or local network access Along with database type these factors control whether local or regional ACSs are required and how database continuity is maintained In this very large deployment model over 50 000 users security becomes a more complicated issue too Additional Considerations for Deploying ACS in a WLAN Environment You should also consider the following when deploying ACS in a WLAN environment consider if e Wireless is secondary to wired access using a remote ACS as a secondary system is acceptable e Wireless is the primary means of access put a primary ACS in each LAN e The customer uses ACS for user configuration data replication is critical Dial up Access Topology Until recently dial up access was the most prevalent method for providing remote access to network resources However DSL access and access through VPNs have largely replaced dial up access through modems ACS is still used in some LAN environments to provide security for dial up access You can provide dial up access for a small LAN or for a large
25. 7 Step 8 Step 9 Step 10 In the Shared Secret box type a shared secret key for the AAA client The shared secret is a string that you determine for example mynet123 The shared secret must be identical on the AAA client and ACS Keys are case sensitive If the shared secrets do not match ACS discards all packets from the network device If you are using NDGs from the Network Device Group list choose the name of the NDG to which this AAA client should belong or click Not Assigned to set this AAA client to be independent of NDGs Type the shared secret keys for RADIUS Key Wrap in EAP TLS authentications Each key must be unique and must also be distinct from the RADIUS shared key You can configure these shared keys for each AAA client as well as for each NDG The NDG key configuration overrides the AAA client configuration If the key entry is null ACS uses the AAA client key You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP TLS authentication a Key Encryption Key KEK Used for encryption of the Pairwise Master Key PMK The maximum length is 20 characters b Message Authenticator Code Key MACK Used for the keyed hashed message authentication code HMAC calculation over the RADIUS message The maximum length is 16 characters c Key Input Format Click the format of the key ASCII or hexadecimal strings the default is ASCII From the Authenticat
26. ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W c From the If Agentless request was not assigned a user group drop down list choose a user group to which ACS assigns a host that is not matched to a user group Sample Posture Validation Rule Figure 9 39 shows the sample posture validation rule provided with the NAC Layer 2 template Figure 9 39 Sample Posture Validation Policy for NAC Layer 2 Template Posture Validation for Test_NAC_L2_ service EF Posture Yalidation Rules Condition Action Rule Name i i Required Credential Associate With Types le INAC EXAMPLE POSTURE Gienmine NAC SAMPLE CTA POLICY EXAMPLE f Internal Add Rule up Down The Up Down buttons submit and save the sort order to the database Determine Posture Validation for NAH No Audit Server was selected Select Audit Done 158432 Sample NAC Layer 2 802 1x Template This template creates a profile for Layer 2 NAC 802 1x requests Before you use this template you should choose System Configuration gt Global Authentication Setup and check the Enable Posture Validation check box To create a Layer 2 NAC 802 1x profile template Step1 In the navigation bar click Network Access Profiles The Network Access Profiles page opens Step2 Click Add Template Profile The Create Profile from Template page opens as shown in Figure 9 40 Configuration Guide for
27. Add new CA certificate to local certificate storage CA certificate file C Certs ca cer 158374 2 Back to Help Step3 In the CA certificate file box type the CA certificate location path and name For example c Certs ca cer Step4 Click Submit Add a Trusted Certificate After you add a server certificate and set up the certificate authority install a trusted certificate To add a trusted certificate Step1 Choose System Configuration gt ACS Certificate Setup gt Edit Certificate Trust List The Edit Certificate Trust List appears Step2 Locate the trusted certificate that you want to install and check the check box next to the certificate name For example find the Stress certificate and check the check box next to it Configuration Guide for Cisco Secure ACS 4 2 ra g OL 14390 02 Chapter7 PEAP EAP TLS Configuration Scenario Step 2 Configure Global Authentication Settings Hi Step3 Click Submit Step4 To restart ACS choose System Configuration gt Service Control and then click and then click Restart Step 2 Configure Global Authentication Settings To configure global authentication settings Step1 In the navigation bar click System Configuration The System Configuration page opens Step2 Click Global Authentication Setup The Global Authentication Setup page opens as shown in Figure 7 3 Figure 7 3 Global Authentication Setup Page Global Authentication Setup EAP Configuration
28. Cisco Secure ACS 4 2 oL 14390 02 EN Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Figure 9 40 Create Profile From Template Page Create Profile from Template 2 Name Test_NAC_L2_802 1x Sample Nac L2 602 1x template Description Template Nac L2 802 1 gt Active Vv Submit Cancel Step3 Enter a Name and Description optional Step4 From the Template drop down list choose NAC L2 802 1x Step5 Check the Active check box Step6 Click Submit 158412 If no error appears then you have created a Profile that can authenticate Layer 2 NAC hosts The Edit Network Access Profile page opens and the new profile appears in the Name column The predefined values for the Layer 2 NAC 802 1x template include e Profile Setup e Protocols e A sample posture validation policy e Authentication policy Step7 To select a predefined set of values click on one of the configuration options e The profile name to select the profile setup page for the profile e Protocols e Authentication Policy e Sample Posture Validation Rules Profile Setup To use the Profile Setup settings from the template Step1 In the navigation bar click Network Access Profiles Step2 Choose the profile that you created Step3 The Profile Setup page appears as shown in Figure 9 41 Configuration Guide for Cisco Secure ACS 4 2 Pose OL 14390 02 _ Chapter 9 NAC Configuration S
29. Configuration page opens Click Logging The Logging Configuration page opens The CSV Passed Authentications File Configuration page opens as shown in Figure 9 9 Figure 9 9 CSV Passed Authentications File Configuration Page Enable Logging M Log to CSV Passed Authentications report If the selected log is disabled ACS will not implement critical logging for that report Select Columns To Log Attributes bound Class ass Info it Device Type 0 Host HotFixes o Host HostF ODN o HIP CSAOperatior o HIP CSAMCName o HIP CSAStates o HIP DaysSinceLas esterAudit Device 1 Application Posture Logged Attributes PEAP EAP FAST CI Access Device Network Device Grot cisco av pair Cisco PA 0S Versior Cisco PA OS Type Cisco PA Kernel Ver Cisco PA 0S Releas Log File Management ic C C C Generate New File Every day Every week Every month when size is greater than 2048 KB 158413 Check the Log to CSV Passed Authentications Report check box I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gy Chapter 9 NAC Configuration Scenario Hi Step 3 Set Up System Configuration Step 4 Step 5 Step 6 Step 7 Move the attributes that you want to log from the Attributes list to Logged Attributes list Some useful attributes to log are Message Type User Name Caller ID NAS Port NAS IP Address AAA
30. Deploy Scalability W Placement of the RADIUS Server From a practical standpoint the RADIUS server should be inside the general network preferably within a secure subnet designated for servers such as DHCP Domain Name System DNS and so on You should avoid requiring RADIUS requests to travel over WAN connections because of possible network delays and loss of connectivity Due to various reasons this type of configuration is not always possible for example with small remote subnets that require authentication support from the enterprise You must also consider backup authentication You may use a system that is dedicated as the RADIUS secondary Or you may have two synchronized systems that each support a different network segment but provide mutual backup if one fails Refer to the documentation for your RADIUS server for information on database replication and the use of external databases Determining How Many ACSs to Deploy Scalability A number of factors affect the scalability of an ACS installation that is how effectively each ACS can process user access requests and how many ACS servers you should deploy in the network For detailed information on scalability considerations see the following white papers on ACS deployment which are available on Cisco com at http www cisco com en US products sw secursw ps2086 prod_white_papers_list html e Building a Scalable TACACS Device Management Framework e Catalyst Switching an
31. Description NAP client A computer running Windows Vista or Windows Server 2008 NAP clients send their health credentials as Statements of Health SoHs or as a health certificate NAP agent A process running on a NAP client that sends SoHs or health certificates to ACS Network access devices Cisco devices through which you can access the network such as routers switches wireless access points and VPN concentrators ACS Cisco AAA server product Network Policy Server NPS A Microsoft server that validates health certificates from NAP clients and provides remediation instructions if needed Health Registration Authority A Microsoft certificate server that obtains health certificates on behalf of NAP clients from a public key infrastructure PKI Policy Servers Servers that provide current system health state for Microsoft NPSs When a NAP client connects it uses a NAP agent to send ACS one of the following e A list of SoHs e A certificate that the client has received from a Microsoft Health Registration Authority HRA The ACS host validates the client credentials If the NAP agent sends a e List of SoHs the ACS sends the list to a Microsoft NPS by using the Cisco Host Credentials Authorization Protocol HCAP The NPS evaluates the SoHs The ACS then sends an appropriate NAP to the network access device switch router VPN and so on to grant the authorized level of access to the client e Hea
32. Select the certification authority that issued the server certificate that is installed on the LDAP server Certificate DB Path For ACS for Windows this is the path to the Netscape cert7 db file For the ACS SE this option provides a link to the Download Certificate Database page Configuration Guide for Cisco Secure ACS 4 2 Peis OL 14390 02 _ Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W For detailed information on this field refer to the LDAP Configuration Options section in Chapter 12 of the User Guide for Cisco Secure Access Control Server User Databases Admin DN The DN of the administrator that is the LDAP account which if bound to permits searches for all required users under the User Directory Subtree It must contain the following information about your LDAP server uid user id ou organizational unit ou next organizational unit o organization where user id is the username organizational unit is the last level of the tree and next organizational unit is the next level up the tree For example uid joesmith ou members ou administrators o cisco You can use anonymous credentials for the administrator username if the LDAP server is configured to make the group name attribute visible in searches by anonymous credentials Otherwise you must specify an administrator username that permits the group name attribute t
33. Server Filter Information Network Device Group Access Device PEAP EAP FAST Clear Name Logged Remotely EAP Type EAP Type Name Network Access Profile Name Outbound Class Shared RAC Downloadable ACL System Posture Token Application Posture Token Reason Profile Name Reason System posture token Application posture token Click Submit In the ACS Reports table click the Configure link for the CSV RADIUS Accounting report The CSV RADIUS Accounting File Configuration page appears Check the Log to CSV RADIUS Accounting Report check box Move the attributes that you want to log from the Attributes list to the Logged Attributes list Some useful attributes to log are User Name Group Name Calling Station Id Acct Status Type Acct Session Id Acct Session Time Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter 9 NAC Configuration Scenario Step 8 Acct Input Octets Acct Output Octets Acct Input Packets Acct Output Packets Framed IP Address NAS Port NAS IP Address Class Termination Action Called Station Id Acct Delay Time Acct Authentic Acct Terminate Cause Event Timestamp NAS Port Type Port Limit NAS Port Id AAA Server ExtDB Info Network Access Profile Name cisco av pair Access Device Logged Remotely Click Submit Step 4 Set Up Administration Control This section describes how to add remote administrator access Add Remote Administrator Access Step 1
34. Servers 2 12 LAN Versus WAN Deployment Number of LANs in the Network 2 12 WAN Latency and Dependability 2 12 Determining How Many ACS Servers to Deploy in Wireless Networks 2 13 Deploying ACS Servers to Support Server Failover 2 13 Load Balancing and Failover 2 13 Database Replication Considerations 2 13 Replication Design 2 14 Database Synchronization Considerations 2 14 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 E E Contents Deploying ACS ina NAC NAP Environment 2 15 Additional Topics 2 16 Remote Access Policy 2 16 Security Policy 2 17 Administrative Access Policy 2 17 Separation of Administrative and General Users 2 18 Database Considerations 2 19 Number of Users 2 19 Type of Database 2 19 Network Latency and Reliability 2 19 CHAPTER 3 Configuring New Features in ACS 4 2 3 1 New Global EAP FAST Configuration Options 3 1 Disabling of EAP FAST PAC Processing in Network Access Profiles 3 3 Disabling NetBIOS 3 4 Configuring ACS 4 2 Enhanced Logging Features 3 5 Configuring Group Filtering at the NAP Level 3 6 Option to Not Log or Store Dynamic Users 3 7 Active Directory Multi Forest Support 3 7 Configuring Syslog Time Format in ACS 4 2 3 7 RSA Support on the ACS SE 3 8 Purging the RSA Node Secret File 3 10 Configuring RSA SecurlD Token and LDAP Group Mapping 3 11 Turning Ping On and Off 3 16 CHAPTER 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration 4 1
35. Step 2 To prepare ACS for remote administration In the navigation bar click Administration Control The System Configuration page opens Click Add Administrator The Add Administrator page opens as shown in Figure 9 10 Step 4 Set Up Administration Control I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter 9 NAC Configuration Scenario Hi Step 4 Set Up Administration Control Figure 9 10 Add Administrator Page Add Administrator Administrator Details Administrator Name Password Confirm Password Account Never Expires Account Locked m m Password Requirements e Password must be at least 4 character s long r r Administrator Privileges z Grant All Revoke All User amp Group Setup Available groups 4 Group 41 2 Group 2 3 Groups 4 Group 4 5 Group 5 6 Group 6 7 Group 8 Groups 9 Group 9 10 Group 10 I Add Edit users in these groups I Setup of these groups I Read access to users in these groups I Read access of these groups Editable groups gt gt gt ge ae 158405 wi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter 9 NAC Configuration Scenario Step 3 Step 4 Step 4 Set Up Administration Control In the Administrator Details area specify the following information Option Description Administrator Name Enter the
36. Steps for Agentless Host Support W Figure 6 9 Profile Setup Page Profile Setup Name Description A Active Network Access Filter Any Protocol types Allow any Protocol type Allow Selected Protocol types Protocol type RADIUS Nortel RADIUS Juniper RADIUS Ascend RADIUS IETF RADIUS Cisco VPN 500 RADIUS Cisco VPN 300C RADIUS Cisco IOS PIXE RADIUS Cisco BBSM RADIUS Cisco Aironet RADIUS Cisco Airespace lee Selected 158449 Step3 In the Name text box enter the name of the NAP Step4 If you have set up network access filters NAFs and want to apply one then from the drop down list of NAFs choose the appropriate NAF Step5 In the Protocol types section select at least one RADIUS protocol type Step6 Configure additional NAP settings as required Step7 Click Submit The Edit Network Access Protocols page for the new profile appears as shown in Figure 6 10 I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Hl Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Figure 6 10 Edit Network Access Protocols Page Network Access Profiles Name Policies Description Active Protocols Authentication C my mac auth bypass posture validation Authorization Add Profile Add Template Profile Up Down The
37. The System Configuration page opens Click ACS Certificate Setup Click Install ACS Certificate The Install ACS Certificate page opens as shown in Figure 9 5 Figure 9 5 Install ACS Certificate Page Install ACS Certificate Install new certificate Read certificate from file Certificate file C Certs server cer Use certificate from storage Certificate CN Private key file C Certs server pvk Private key password Q Back to Help Click the Read certificate from file radio button 158430 In the Certificate file text box enter the server certificate location path and name for example c Certs server cer In the Private key file text box type the server certificate private key location path and name for example c Certs server pvk In the Private Key password text box type the private key password for example cisco123 Click Submit ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services Restart ACS To restart ACS choose System Configuration gt Service Control and then click Restart Set Up Global Configuration This section describes the following tasks e Set Up Global Authentication page 9 9 e Set Up EAP FAST Configuration page 9 12 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 3 Set Up System Configuration W Set Up Global
38. Validation The Posture Validation Components Setup page opens Click Internal Posture Validation Setup The Posture Validation page opens which lists any existing posture validation policies Choose Add Policy The Edit Posture Validation page opens Enter a name for the policy Enter a Description optional Click Submit A new internal policy is created with a default rule Figure 9 23 shows an example policy Figure 9 23 Creating a New Posture Validation Policy Posture Validation Edit Posture Validation Rules for My_test_policy 2 Description Test policy for NAC posture validation Action Condition i Posture Token ID TE 7 m Notification String 1 Default Cisco PA Unknown Add Rule up Down The Up Down buttons submit and save the sort order to the database Rename Clone Delete Done 158420 To edit the default rule a Click on the Default link b Choose a new Posture Assessment and Notification String for the default rule To add a new rule a Click Add Rule The Edit Posture Rule page appears as shown in Figure 9 24 Initially no conditions are available for the rule Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 7 Configure Posture Validation for NAC W Figure 9 24 Edit Posture Validation Rule Page Posture Validation Edit Posture Yalidation Rule My_test_policy 2
39. ValueName DateTime MessageNo ComputerNames A ppId Status 1 1 Troy Group 5 100 ipassword 7 8 2008 15 00 0 0 2 1 385 C dACL_folder dACL_create txt 7 8 2008 15 00 0 0 3 1 Troy 380 DACL_For_Troy 7 8 2008 15 00 0 0 Configuration Guide for Cisco Secure ACS 4 2 Maa g OL 14390 02 Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs W Table 4 2 describes the accountActions codes used in Example 4 2 to add a User create a dACL and associate the dACL with a specified User or Group Table 4 2 Account Action Codes to Create dACLs and Assign Them to Specified Users or Groups Action Code Name Required Description 100 ADD_USER UNIGN V1 _ Creates a User 32 characters maximum The variable VZ is used as the initial password Optionally you can assign the User to a Group 385 CREATE_DACL VN Use this action code to create a ACL VN lt input_file_name gt where input_file_name is a text file that contains definitions for dACLs On ACS for Windows this file resides in a directory on the Windows machine that is running ACS On the ACS SE this file resides on an FTP server used with the ACS SE You can specify the absolute file path for example C DACL create_DACL_for_User_1 txt for ACS for Windows The dACL definition is ignored if it is already present or contains an invalid definition content name content defini
40. You can set up network device groups to simplify configuration of common devices For detailed information see the User Guide for Cisco Secure ACS 4 2 Add AAA clients You can add RADIUS clients or TACACS clients For detailed instructions see Step 2 Configure a RADIUS AAA Client page 6 5 Set Up User Groups Set up user groups to apply common configuration settings to groups of users For detailed instructions see Chapter 2 of the User Guide for Cisco Secure ACS 4 2 User Group Management Configure Posture Validation If you are using ACS with NAC configure posture validation I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter1 Overview of ACS Configuration W Summary of Configuration Steps Step 14 Set Up Network Access Profiles If required set up Network Access Profiles Step15 Configure Logs and Reports Configure reports to specify how ACS logs data You can also view the logs in HTML reports For detailed instructions see Chapter 9 of the User Guide for Cisco Secure ACS 4 2 Logs and Reports Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter1 Overview of ACS Configuration Configuration Flowchart Figure 1 1 is a configuration flowchart that shows the main steps in ACS configuration Figure 1 1 gt Step 1 Plan the Deployment Step 2 Install ACS Servers Step 3 Configure Additional Administrators Step 4 C
41. by username under Domain Filtering choose Process all usernames Configuration Guide for Cisco Secure ACS 4 2 Ea 0L 14390 02 _ Chapter 3 Configuring New Features in ACS 4 2 Step 8 Step 9 RSA Support onthe ACS SE W If you want to limit authentications processed by this LDAP configuration to usernames with a specific domain qualification S Note For information about domain filtering see Domain Filtering in chapter 12 of the User Guide for Cisco Secure ACS 4 2 a Under Domain Filtering click the Only process usernames that are domain qualified radio button b From the Qualified by list choose the applicable type of domain qualification Suffix or Prefix Only one type of domain qualification is supported per LDAP configuration For example if you want this LDAP configuration to authenticate usernames that begin with a specific domain name select Prefix If you want this LDAP configuration to authenticate usernames that end with a specific domain name select Suffix c In the Domain Qualifier box type the name of the domain for which you this LDAP configuration should authenticate usernames Include the delimiting character that separates the user ID from the domain name Ensure that the delimiting character appears in the applicable position at the end of the domain name if Prefix is selected on the Qualified by list at the beginning of the domain name if Suffix is selected on the Qualified by
42. can use RDBMS Synchronization to perform network configuration tasks such as e Add AAA clients e Delete AAA clients e Set AAA client configuration details e Add AAA servers e Delete AAA servers e Set AAA server configuration details e Add and configure Proxy Distribution Table entries D Note For specific information about all actions that RDBMS Synchronization can perform see Appendix E RDBMS Synchronization Import Definition in the User Guide for Cisco Secure ACS 4 2 Configuration Guide for Cisco Secure ACS 4 2 Sana OL 14390 02 _ Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Specify Network Configuration W Creating Reading Updating and Deleting AAA clients The RDBMS Synchronization feature supports creation and deletion of single or multiple AAA clients In addition accountActions codes 224 and 225 enable reading and updating AAA client information This section describes the various RDBMS Synchronization tasks that you can perform on single or multiple AAA clients Table 4 6 lists the account action codes that are used to read and update single or multiple AAA clients Table 4 6 Account Action Codes for Create Read Update Delete for AAA Clients Action Code Name Required Description sti its lt S S S 224 UPDATE_NAS VN V1 V2 V3 _ Use this action code to update AAA clients VN AAA Client Name V1 I
43. connectivity needs against the reliability and throughput to the central ACS Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 EN Chapter2 Deploy the Access Control Servers W Determining the Deployment Architecture Figure 2 6 shows a regional WLAN Figure 2 6 ACS in a Regional WLAN Corporate Headquarters am Cisco Aironet 0000004 eal Small Remote Office Small 00000 Remote Ca Office Regional Office 158314 Corporate Region Large Enterprise WLAN Setting In a very large geographically dispersed network over 50 000 users access servers might be located in different parts of a city in different cities or on different continents If network latency is not an issue a central ACS might work but connection reliability over long distances might cause problems In this case local ACSs may be preferable to a central ACS If the need for a globally coherent user database is most important database replication or synchronization from a central ACS may be necessary For information on database replication considerations see Database Replication Considerations page 2 13 and Database Synchronization Considerations page 2 14 Authentication by using external databases such as a Windows user database or the Lightweight Directory Access Protocol LDAP can further complicate the deployment of distributed localized ACSs Configuration Guide for Cisco Secure ACS
44. login name for the ACS administrator account Administrator names can contain to 32 characters but cannot contain the left angle bracket lt the right angle bracket gt or the backslash An ACS administrator name does not have to match a network user name Password Enter the password for the administrator to access the ACS web interface The password can match the password that the administrator uses for dial in authentication or it can be a different password ACS enforces the options in the Password Validation Options section on the Administrator Password Policy page Passwords must be at least 4 characters long and contain at least 1 numeric character The password cannot include the username or the reverse username must not match any of the previous 4 passwords and must be in ASCII characters If you make a password error ACS displays the password criteria If the password policy changes and the password does not change the administrator remains logged in ACS enforces the new password policy at the next login Confirm Password Reenter the password that you entered in the password field Account Never Expires If you want to override the lockout options set up on the Administrator Password Policy page with the exception of manual lockout check the check box next to Account Never Expires If you check this option the account never expires but the password change policy remains in effect The defau
45. method that ACS uses to process authentication requests from hosts that do not have an authentication agent installed such as Cisco Trust Agent Access Control List Each ACL consists of a set of ACL entries Access Control Entry An ACL Entry contains a type a qualifier for the user or group to which the entry refers and a set of permissions For some entry types the qualifier for the group or users is undefined Application Posture Token The result of a posture validation check for a given vendor s application A server that can determine the posture credentials of a host without relying on the presence of a PA on the host The server must be able to determine the posture credentials of a host and act as a posture validation server In network management security the verification of the identity of a person or a process Attribute value pair Encoding that the RADIUS protocol uses to specify an action that the host performs when a condition represented by the attribute value is met Cisco Trust Agent The Cisco implementation of the PA I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gg Glossary E EAP Extensible Authentication Protocol Provides the ability to deploy RADIUS into Ethernet network environments EAP is defined by Internet Engineering Task Force IETF RFC 2284 and the IEEE 802 1x standards EAP TLS Extensible Authentication Protocol Transport Layer Security Uses the TLS protocol RFC 224
46. might look in an ACS generated syslog message lt 110 gt Oct 16 08 58 07 64 103 114 149 CisACS_13_AdminAudit 18729fp11 1 0 AAA Server tfurman w2k admin username local_login browser ip 127 0 0 1 text message Administra tion session finished In this example lt 110 gt represents the calculated value when the facility code is 13 the log audit facility code Message Length Restrictions When an ACS message exceeds the syslog standard length limitation or target length limitation the message content is split into several segments e If all attribute value elements fit into one segment then no segmentation is performed e Ifthe message does not fit into one segment the message is split between attribute value pairs keeping an attribute value pair complete within the segment That is the first segment ends with a semicolon while the next segment s content starts with the next attribute value pair e Inrare cases when one attribute value pair is too long to fit in one segment all by itself the value is segmented between sequenced segments of the message Such segmentation might happen if attribute value contains several hundreds of characters In general ACS attribute values are designed to avoid such length All segments of one message have exactly the same header The lt msg_id gt and lt total_seg gt values are shared between all segments The lt seg gt is set according to number of segments and the relative part of t
47. name and number is the version number such as 3f 783768 ACS uses the Auth Proxy posture code to check if the switch has downloaded access control entries ACEs for the specified downloadable ACL If the switch has not downloaded the ACES ACS sends an AAA request with the downloadable ACL name as the username so that the switch downloads the ACEs The downloadable ACL is then created as a named ACL on the switch This ACL has ACEs with a source address of Any and does not have an implicit Deny statement at the end When the downloadable ACL is applied to an interface after posture validation is complete the source address is changed from any to the host source IP address The ACEs are prepended to the downloadable ACL that is applied to the switch interface to which the endpoint device is connected If traffic matches the Cisco Secure Defined ACL ACEs ACS takes appropriate actions required by NAC e url redirect and url redirect acl Specifies the local URL policy on the switch The switches use these cisco av pair VSAs url redirect lt HTTP or HTTPS URL gt url redirect acl switch ACL name These AV pairs enable the switch to intercept an HTTP or Secure HTTP HTTPS request from the endpoint device and forward the client web browser to the specified redirect address from which the latest antivirus files can be downloaded The url redirect AV pair on the ACS contains the URL to which the web browser will be redirected The ur1 r
48. not found in the LDAP Server or the ACS Internal Database or if the LDAP Server is not reachable If you enabled the EAP protocol and posture validation set up posture validation rules in the Posture Validation section As required specify additional authorization rules in the Authorization section Click Submit Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 _ Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W Step 7 Configure Logging and Reports amp By default the following information about MAB processing is logged to the CSAuth log file e The start of MAB request handling and what trigger is used to initiate MAB The format of this message is Performing Mac Authentication Bypass on lt MAC_address gt where MAC_address is the MAC address that triggered the processing e User group mapping actions that indicate which MAC address in the authentication database was mapped to what user group The format of this message is lt MAC_address gt was not found in lt DB_name gt and mapped to lt user_group gt user group where MAC_address is the MAC address that was mapped DB_name is the name of the database that was used to match the MAC_address and user_group is the name of the user group to which the MAC address was mapped Note Because the results of MAC address lookup can influence the response that ACS returns to the
49. page 9 5 e Set Up Global Configuration page 9 8 Install and Set Up an ACS Security Certificate You must configure ACS with a digital certificate for establishing client trust when ACS challenges the client for its credentials Note these points e For authenticated in band Protected Access Credential PAC provisioning for EAP FAST the client must have a certificate that matches the one installed in ACS e For the most scalable NAC environments Cisco recommends a production public key infrastructure PKI that the production certificate authority CA or registration authorities RAs sign This section describes a simplified procedure for the ACS for Windows platform For detailed information on installing certificates and for information on how to install certificates on the Cisco Secure ACS Solution Engine platform see Chapter 9 of the User Guide for Cisco Secure ACS 4 2 Advanced Configuration Authentication and Certificates Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 g oos Chapter 9 NAC Configuration Scenario HZ Step 3 Set Up System Configuration Obtain Certificates and Copy Them to the ACS Host Step 1 Step 2 Step 3 To copy a certificate to the ACS host Obtain a security certificate Create a certs directory on the ACS server a Open a DOS command window b To create a certificates directory enter mkdir lt selected_drive gt certs where selected_drive is the currently s
50. the internal database Enter a password that is at least 8 characters long and contains letters and numbers The ACS installation process for ACS for Windows automatically creates a shortcut to the ACS administrative GUI on your desktop Double click the icon to open a browser window to the ACS administrative GUI If you do not see the icon on the desktop open your browser from the machine on which you installed ACS and go to one of these addresses e http IP_address 2002 e http hostname 2002 where P_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS Step 2 Perform Network Configuration Tasks This section describes e Configure a RADIUS AAA Client page 9 2 e Configure the AAA Server page 9 4 Configure a RADIUS AAA Client Step 1 Before you can configure NAC support you must configure a RADIUS AAA client To configure a RADIUS AAA client In the navigation bar click Network Configuration The Network Configuration page opens Configuration Guide for Cisco Secure ACS 4 2 P32 E OL 14390 02 Chapter 9 NAC Configuration Scenario Step 2 Step 3 Step 4 Step 2 Perform Network Configuration Tasks Do one of the following e If you are using Network Device Groups NDGs click the name of the NDG to which you want to assign the AAA client Then click Add Entry below the AAA Clients table e To add AAA clients when y
51. the creation of dynamic users while using an external database for authentication O Disable dynamic users 270291 Step3 Check the Disable Dynamic users check box Step4 Click Submit Active Directory Multi Forest Support ACS supports machine authentication in a multi forest environment Machine authentications succeed as long as an appropriate trust relation exists between the primary ACS forest and the requested domain s forest When a requested user s or machine s domain is part of a trusted forest machine authentication will succeed ACS supports user authentication between multiple forests for EAP FAST versionla with PEAP MSPEAP and for EAP TLS amp Note The multi forest feature works only where the username contains the domain information Configuring Syslog Time Format in ACS 4 2 ACS SE 4 2 provides a new option for configuring the time format that ACS uses to send messages to syslog servers Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 a 37 Chapter3 Configuring New Features in ACS 4 2 WE RSA Support on the ACS SE Step 1 Step 2 Step 3 In previous releases ACS SE devices could only send syslog messages using the local time that is set on the ACS device With release 4 2 you can configure the ACS SE to send syslog messages by using the local time setting or Greenwich Mean Time GMT To configure the time format used for events sent to a syslog server In the navigati
52. this attribute is set to RADIUS Request 1 This ensures that the switch maintains the current VLAN assignment and network connectivity while reauthentication is in progress Tunnel Type attribute 64 Specifies the type of tunnel that is set up for the user to connect In the sample RACs this value is set to type 10 VLAN which indicates that the user is granted access to a VLAN that is configured on the switch I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario Hi Step 5 Set Up Shared Profile Components Tunnel Medium Type attribute 65 Indicates which protocol to use over the tunnel In the sample RACs this is set to type 6 which specifies an 802 protocol In the NAC NAP environment this is the 802 1x protocol Tunnel Private Group ID attribute 81 Indicates the group ID for the VLAN tunnel In the sample RAC this is set to Quarantine which denotes a quarantine VLAN to which devices are assigned In actual practice you should set this value to a value that is configured on the switch For reference Table 9 1 lists all of the possible attributes that ACS can send An X in the NAC L2 802 1x NAC L2 IP or NAC L3 IP column indicates that ACS can send the specified attribute in a RADIUS Accept Response used with this technology Table 9 1 Attributes That Can Be Sent in the RADIUS Accept Response Attribute NAC L2 802 1x NAC L2 IP NAC L3 IP
53. to clients that do not qualify as healthy To define RACs Step 1 In the navigation bar click Shared Profile Components The Shared Profile Components page opens Step2 Click RADIUS Authorization Components The RADIUS Authorization Components table appears Initially this table does not contain any RACs Step3 Click Add The RADIUS Authorization Components Page opens as shown in Figure 9 16 Figure 9 16 RADIUS Authorization Components Page Shared Profile Components Edit RADIUS Authorization Components Name Description H Add New Attribute 2 Cisco IOS PIX 6 0 cisco av pair 1 S Add IETF Service Type 6 z Add Ascend Ascend Remote Addr 154 aj Add 158451 2 Back to Help Step4 Enter a Name and Description in the RADIUS Authorization Components page Step5 Inthe Add New Attribute section add the RADIUS attributes for the RAC a To add an attribute from the drop down lists for Cisco IOS PIX 6 0 IETF and Ascend choose the attribute that you want to add and then click Add For example from the IETF drop down list choose Session Timeout 27 and click Add The RAC Attribute Add Edit page opens Figure 9 17 shows the RAC Attribute Add Edit page for Session Timeout 27 Configuration Guide for Cisco Secure ACS 4 2 P9268 i OL 14390 02 Chapter9 NAC Configuration Scenario Step 5 Set Up Shared Profile Components Hi Figure 9 17 RAC Attribute Add Edit Page RAC Attribute Add Edit
54. to that device This does require that the AAA client have two separate configurations on ACS one for RADIUS and one for TACACS An example of a AAA client configuration under IOS that effectively separates PPP and shell logins is aaa new model tacacs server host ip address tacacs server key secret key radius server host ip address radius server key secret key aaa authentication ppp default group radius aaa authentication login default group tacacs local aaa authentication login console none aaa authorization network default group radius aaa authorization exec default group tacacs none aaa authorization command 15 default group tacacs none username user password password line con 0 login authentication console Configuration Guide for Cisco Secure ACS 4 2 P2418 E OL 14390 02 Chapter2 Deploy the Access Control Servers Additional Topics W Conversely if a general user attempts to use his or her remote access to log in to a network device ACS checks and approves the username and password but the authorization process would fail because that user would not have credentials that allow shell or exec access to the device Database Considerations Number of Users Type of Database Aside from topological considerations the user database is one of the most influential factors in deployment decisions for ACS The size of the user base distribution of users throughout the network access requirements and type
55. up to 32 alphanumeric characters 158375 In the AAA Client IP Address box type the AAA client IP address or addresses If you are using NDGs from the Network Device Group list select the name of the NDG to which this AAA client should belong or select Not Assigned to set this AAA client to be independent of NDGs From the Authenticate Using list select RADIUS IOS PIX Specify additional AAA client settings as required Click Submit Apply Step 3 Install and Set Up an ACS Security Certificate This section describes a simplified procedure for the ACS for Windows platform For detailed information on installing certificates and also for information on how to install certificates on the Cisco Secure ACS SE platform see Chapter 9 of the User Guide for Cisco Secure ACS 4 2 Advanced Configuration Authentication and Certificates Configuration Guide for Cisco Secure ACS 4 2 lt OL 14390 02 Chapter6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W The steps in this section are required to enable posture validation which is used in Network Access Profiles Obtain Certificates and Copy Them to the ACS Host To copy a certificate to the ACS host Step 1 Obtain a security certificate Step2 Create a Certs directory on the ACS server a Open a DOS command window b To create a certificates directory enter mkdir lt selected_drive gt certs wh
56. 1 In the navigation bar click System Configuration The System Configuration page opens Step2 Choose ACS Certificate Setup gt Edit Certificate Trust List The Edit Certificate Trust List page opens Step3 In the list of certificates locate the CA certificate that you installed and check the check box next to it Step4 Click Submit Step5 Restart ACS To restart ACS choose System Configuration gt Service Control and then click Restart Install the CA Certificate To install the CA Certificate Step1 Choose System Configuration gt ACS Certificate Setup gt ACS Certification Authority Setup Step2 The ACS Certification Authority Setup page appears as shown in Figure 9 4 Figure 9 4 ACS Certification Authority Setup Page ACS Certification Authority Setup CA Operations 2 Add new CA certificate to local certificate storage CA certificate file C Certs ca cer 158374 2 Back to Help Step3 In the CA certificate file box type the CA certificate location path and name for example e Certs ca cer Step4 Click Submit Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 a 37 Chapter9 NAC Configuration Scenario HZ Step 3 Set Up System Configuration Install the ACS Certificate Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 To enable security certificates on the ACS installation In the navigation bar click System Configuration
57. 2 Step 3 Step 4 To enable GAME group feedback On the External Posture Validation Audit Server Setup page in the GAME Group Feedback section check the Request Device Type from Audit Server check box If this check box is not available define an audit device type attribute for the vendor in the internal ACS dictionary ACS for Windows With ACS for Windows you use the CSUtil command For detailed information see Posture Validation Attributes in Appendix D of the User Guide for Cisco Secure ACS ACS Solution Engine With ACS Solution Engine you use the NAC Attributes Management page in the web interface See NAC Attribute Management ACS Solution Engine Only in Chapter 8 of the User Guide for Cisco Secure ACS for more information If you want to configure a default destination group that ACS uses if the audit server does not return a device type check the Assign This Group if Audit Server Did not Return a Device Type check box You should now add entries to the group assignment table The group assignment table is a list of rules that set conditions that determine the user group to which to assign a particular device type that the audit server returns Click Add to display the group assignment table and add a device type feedback rule The group assignment table appears as shown in Figure 9 59 Figure 9 59 GAME Group Feedback Section with Group Assignment Table GAME Group Feedback M Request Devic
58. 2 PEAP I Allow EAP MSCHAPv2 I Allow EAP GTC M Allow Posture Validation I Allow EAP TLS Select one or more of the following options Certificate SAN comparison Certificate CN comparison Certificate Binary comparison EAP TLS session timeout minutes 120 Cisco client initial message PEAP session timeout minutes 120 Enable Fast Reconnect Vv EAP FAST EAP FAST Configuration EAP TLS M Allow EAP TLS Select one or more of the following options M Certificate SAN comparison M Certificate CN comparison M Certificate Binary comparison EAP TLS session timeout minutes 120 158448 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 gos Chapter7 PEAP EAP TLS Configuration Scenario HI Step 3 Specify EAP TLS Options Step3 Specify the protocols to use with the PEAP protocol They are e EAP _MSCHAP2 e EAP GTC Step4 If you want to enable posture validation on this ACS installation check the Enable Posture Validation check box Step 3 Specify EAP TLS Options Specify one or more of the certificate comparison options for EAP TLS e Certificate SAN Comparison Based on the name in the Subject Alternative Name SAN field in the user certificate e Certificate CN Comparison Based on the name in the Subject Common Name CN field in the user certificate e Certificate Binary Comparison Based on a binary comparison between the user certificate in the use
59. 2 Import the file by using CSUtil Then a Start a DOS command window b Enter CsUtil addAVP lt NAC AV pair filename gt where NAC AV pair filename is the name of the text file that contains the device type attribute I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 E Chapter9 NAC Configuration Scenario HI Step 11 Optional Configure GAME Group Feedback Step3 Restart ACS a In the navigation bar click System Configuration b Click Service Control c Click Restart Configure Database Support for Agentless Host Processing The database that you use can be an external LDAP database preferred or the ACS internal database For information on configuring database support for agentless host processing see Step 4 Configure LDAP Support for MAB page 6 10 Enable Posture Validation You must enable posture validation in two places The e Global Authentication Page as part of the configuration for PEAP EAP configuration section of the Protocols page for the NAP that enables agentless host support Configure an External Audit Server For detailed instructions on configuring an external audit server see Configure an External Posture Validation Audit Server page 7 31 Configure an External Posture Validation Audit Server A NAC enabled network might include agentless hosts that do not have the NAC client software ACS can defer the posture validation of the agentless hosts to an audit server The a
60. 21 Use These Audit Servers Section Use These Audit Servers Audit Server Unix vendor a URL Username Password M Primary Server Ti tj Configuration imeout sec Trusted Root CA none selected Validate Certificate Vv Common Name URL Username Password M Secondary Server Timeout sec s Configuration Trusted Root CA none selected validate Certificate Vv Common Name 158426 e Inthe Use These Audit Servers section enter the Audit Validation Server information Audit Server vendor URL and password Figure 9 22 shows the Audit Flow Settings and the GAME Group Feedback section Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario Step 7 Configure Posture Validation for NAC W Figure 9 22 Audit Flow Settings and GAME Group Feedback Sections Audit Flow Settings Use this Posture Token while Audit Server does not ouarantine il yet have a Quarantine posture validation result Polling Intervals Use timeouts sent by Audit Server for Polling Intervals and Session Timeout x and Session Timeout Polling Interval seconds Maximum amount of times the Audit a Server should be 3 polled Policy string to be sent to the Audit Server GAME Group Feedback F Request Device Type from Audit Server Assign This Group if Audit Server Did not Return a Devi
61. 6 which is the latest version of the Secure Socket Layer SSL protocol from the IETF TLS provides a way to use certificates for user and server authentication and for dynamic session key generation Endpoint Device Any machine that attempts to connect to or use the resources of a network Also referred to as a host External Posture A Cisco or third party server used to perform posture validation A posture validation server acts as Validation Server an application specific policy decision point in NAC for authorizing a set of posture credentials against a set of policy rules G GAME group Generic Authorization Message Exchange A Cisco protocol that is used in the Cisco Network feedback Admission Control NAC environment GAME group feedback provides an added security check for MAC address authentication by checking the device type categorization that ACS determines by associating a MAC address with a user group against information stored in a database on an audit server H Health Registration A Microsoft certificate server that obtains health certificates on behalf of NAP clients from a public Authority key infrastructure PKI HCAP Cisco Host Credentials Authorization Protocol A protocol that ACS uses to communicate with a Microsoft NPS Host Another name for an endpoint device L LDAP Lightweight Directory Access Protocol A set of protocols for accessing information directories LDAP is based on the standards contained within t
62. 8 In the navigation bar click External User Databases Click Database Configuration ACS lists all possible external user database types Click RSA SecurID Token and LDAP Group Mapping The External Database Configuration page appears Click Configure The LDAP Native RSA Configuration page opens Click Configure LDAP The RSA SecurID Token and LDAP Group Mapping Configuration page opens as shown in Figure 3 8 I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter3 Configuring New Features in ACS 4 2 WE RSA Support on the ACS SE Figure 3 8 RSA SecurlD Token and LDAP Group Mapping Configuration Page User Setup erod RSA SecurID Token and LDAP Group Mapping Configuration Setup ii Sa Dae Domain Filtering Network Configuration Process all usernames Only process usernames that are domain qualified Enf iaurati onfiguration ps E Qualified by Suffix 3 Interface Configuration Domain Qualifier ay Administration Strip domain before submitting username to LDAP server Control gt Process all usernames after stripping domain name and delimiter JE External User nk Databases Strip starting characters through the last character mann Posture 3 punaj iyalidation Strip ending characters from the first character aay Administration Control A BIE Perera aser Common LDAP Configurati
63. 90 02 Chapter 9 NAC Configuration Scenario Step 4 Step 5 Step 6 Step 7 Figure 9 8 EAP FAST Configuration Page EAP FAST Settings EAP FAST El Allow EAP FAST Active master key TTL 1 months Retired master key TTL 3 months Tunnel PAC TTL 1 weeks Client initial message Hello Wor d Authority ID Info ACS NAC Server Ml Allow full TLS renegotiation in case of Invalid PAC M Allow anonymous in band PAC provisioning Enable anonymous TLS renegotiation Ml Allow authenticated in band PAC provisioning Ml Accept client on authenticated provisioning Ml Require client certificate for provisioning When receiving client certificate select one of the following lookup methods Certificate SAN lookup O Certificate CN lookup M Allow Machine Authentication Machine PAC TTL 1 weeks M Allow Stateless session resume Authorization PAC TTL 1 hours x Allowed inner methods EAP GTC EAP MSCHAP V2 EAP TLS Select one or more of the following EAP TLS comparison methods Ml Certificate SAN comparison O certificate CN comparison M Certificate Binary comparison EAP TLS session timeout minutes 120 MIEAP FAST master server Actual EAP FAST server status Master Check the Allow EAP FAST check box 240962 Step 3 Set Up System Configuration In the Client Initial Message text box enter a message for example welcome In th
64. 90 02 Configuration Guide for Cisco Secure ACS 4 2 gg W index wW warnings significance of x Windows Certificate Import Wizard 6 7 7 2 wired LAN geographically dispersed 2 4 wired LAN access 2 2 wireless NAC L2 802 1x template 9 60 wireless access campus WLAN 2 6 large enterprise LAN 2 8 regional WLAN 2 7 simple WLAN 2 5 topology 2 5 wireless access point 2 5 E Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02
65. AA server 9 4 access policy 5 9 ACS for EAP FAST 9 12 ACS for LDAP 6 13 ACS for remote web access 9 17 audit servers 9 32 9 41 9 76 dACLs 4 2 external posture validation audit server 9 31 9 40 9 74 external posture validation policy 9 38 GAME group feedback 6 24 9 72 9 79 global authentication settings 7 5 group filtering at the NAP level 3 6 incorrect password attempt options 5 7 internal posture validation policy 9 35 LDAP server 6 16 logging and reports 9 14 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 logging level 9 14 logs and reports 9 14 MAB 6 21 multiforest support for Active Directory 3 7 password lifetime options 5 6 password policy 5 4 RADIUS AAA client 6 5 9 2 RSA Token Server support 3 8 session policy 5 7 shared secret for RADIUS key wrap 9 4 Syslog time format 3 7 conventions x CREATE_DACL 4 5 CREATE_USER_DACL 4 5 creating AAA clients 4 15 NAP 6 18 RACs 39 26 CSA Uninstall Patch 3 16 CSDBSync 4 8 csdbsync runcommand 4 8 csdbsync syncnow command 4 8 CSUtil using to import a device type attribute file 9 73 using to import an audit vendor file 9 73 using to import NAC attribute value pairs 9 73 CSV file 4 5 CSV Passed Authentications report 9 15 reading 4 12 updating 4 12 viewing 4 9 database replication 2 13 design 2 14 databases deployment considerations 2 19 default ACLs 9 52 defining RACs 39 26 DELETE_DACL 4 13 DELETE_USER_DACL 4 14 deleting AAA clients 4 15
66. ACS 4 2 User Group Management Step 6 Enable Agentless Request Processing To enable agentless request processing you must set up a Network Access Profile that enables the feature To create a NAP to enable agentless request processing Step 1 Create a new NAP See Create a New NAP page 6 18 for details Step2 In the Protocols page check the Allow Agentless Request Processing check box Step 3 In the Authentication section configure MAB See Configure MAB page 6 21 for details Step4 Ifyou are using agentless request processing in a NAC environment configure posture validation for the NAP See Enable Agentless Request Processing for a NAP page 6 20 for details Create a New NAP To create a new NAP Step1 In the navigation bar click Network Access Profiles The Network Access Profiles page opens as shown in Figure 6 8 Figure 6 8 Network Access Profiles Page Network Access Profiles 9 Name Policies Description Active Add Profile Add Template Profile Up Down The Up Down buttons submit and save the sort order to the database C Deny access when no profile matches Grant access using global configuration when no profile matches Apply and Restart 158383 Step2 Click Add Profile Configuration Guide for Cisco Secure ACS 4 2 ca OL 14390 02 _ Chapter 6 Agentless Host Support Configuration Scenario The Profile Setup page opens shown in Figure 6 9 Basic Configuration
67. Ajali CISCO Configuration Guide for Cisco Secure ACS 4 2 February 2008 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Text Part Number OL 14390 02 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS INFORMATION AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California Berkeley UCB as part of UCB s public domain version of the UNIX operating system All rights reserved Copyright 1981 Regents of the University of California NOTWITHSTANDING ANY OTHER WARRANTY HEREIN ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITA
68. Authentication In the global authentication setup you specify the protocols that ACS uses to transfer credentials from the host for authentication and authorization Unless you have a limited deployment environment or specific security concerns you should globally enable all protocols If you do not enable the protocols in the global authorization setup then they will not be available later in the Network Access Profiles configuration interface To set up global authentication Step1 In the navigation bar click System Configuration The System Configuration page opens Step2 Click Global Authentication Setup The Global Authentication Setup Page appears as shown in Figure 9 6 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 Chapter9 NAC Configuration Scenario HZ Step 3 Set Up System Configuration Figure 9 6 Global Authentication Setup Page EAP Configuration PEAP M Allow EAP MSCHAPV2 M Allow EAP GTC Ml Allow Posture Validation Mallow EAP TLS Select one or more of the following options M Certificate SAN comparison O certificate CN comparison M Certificate Binary comparison EAP TLS session timeout minutes 120 Cisco client initial message Hello World PEAP session timeout minutes 120 Enable Fast Reconnect EAP FAST EAP FAST Configuration EAP TLS M Allow EAP TLS Select one or more of the following options M Certificate SAN com
69. BMS Synchronization and dACLs Create a text file to define the dACLs Code an accountActions CSV file to create the dACL and associate a User or Group with the dACL Configure RDBMS Synchronization to use a local CSV file Perform RDBMS Synchronization in one of two ways e From the ACS GUI e By running the csdbsync syncnow command from the Windows command shell or in an SSH connection with a remote ACS SE View the dACL Step 1 Enable dACLs Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 To enable dACLs In the Navigation Bar click Interface Configuration Click Advanced Options The Advanced Options page opens Check the User Level Downloadable ACLs check box Check the Group Level Downloadable ACLs check box This enables assigning a dACL to a Group Name Check the RDBMS Synchronization check box Click Submit Step 2 Create a Text File to Define the dACLs Step 1 To create a text file to define dACLs Use a text editor of your choice to create a text file for example Notepad Configuration Guide for Cisco Secure ACS 4 2 P42 E OL 14390 02 Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs W Example 4 1 shows a sample text file Example 4 1 Sample Text File for Creating a dACL DACL 1 Name DACL_For_Troy Description Test_DACL_For_ACS_42 Content 1 content1 Definition Definition Definition Def
70. C L3 IP e NAC Layer 2 profile template NAC L2 IP e NAC Layer 2 802 1x template NAC L2 802 1x e Wireless NAC L2 802 1x template In addition to these templates ACS 4 1 provides two templates for agentless host processing that you can use in NAC installations e Agentless Host for Layer 3 profile template e Agentless Host for Layer 2 802 1x profile template Sample NAC Layer 3 Profile Template This template creates a profile for Layer 3 NAC requests Before you use this template you should choose System Configuration gt Global Authentication Setup and check the Enable Posture Validation check box To create a Layer 3 NAC profile template Step 1 Check the check boxes for the following options in the Global Authentication Setup page e Allow Posture Validation e EAP FAST e EAP FAST MS CHAPv2 e EAP FAST GTC Step2 In the navigation bar click Network Access Profiles The Network Access Profiles page opens Step3 Click Add Template Profile The Create Profile from Template page opens as shown in Figure 9 31 Configuration Guide for Cisco Secure ACS 4 2 Peas OL 14390 02 Chapter9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W Figure 9 31 Create Profile From Template Page Create Profile from Template 2 Name Test_NAC_L2_802 1x Sample NAC L2 602 1x template Description Template Nac L2 802 1 gt Active Vv Submit Cancel 158412 Step4 Enter a Nam
71. CP server that can selectively enable and disable NetBIOS configurations through DHCP option types you can choose the Use NetBIOS setting from the DHCP server NetBIOS over TCP IP can also be disabled for computers that are running Windows 2000 2003 by using the advanced DHCP option types that are supported by the Windows 2000 2003 DHCP Server service Note Computers that are running an operating system prior to Windows 2000 will be unable to browse locate or create file and print share connections to a Windows 2000 XP 2003 computer with NetBIOS disabled Configuring ACS 4 2 Enhanced Logging Features Step 1 Step 2 Step 3 Step 4 Step 5 ACS 4 2 provides several new logging features When you configure the CSV Failed Attempts and Passed Authentications reports you can add several new fields e Response Time Indicates how long it takes ACS to respond to a client after receiving an authentication request e Framed IP address lIf ACS is configured to assign IP addresses when it receives Access Request messages or if an incoming Access Request contains an IP address indicates the framed IP address e Session ID Indicates the session ID of a user session To add a field to the CSV Failed Attempts or Passed Authentications report In the navigation bar click System Configuration Click Logging The Logging Configuration page opens In the CSV column click Configure next to the name of the report you want to confi
72. CS 4 2 Po OL 14390 02 Chapter 9 NAC Configuration Scenario Step 11 Optional Configure GAME Group Feedback W Import an Audit Vendor File by Using CSUtil For information on importing an audit vendor file by using CSUtil see the Adding a Custom RADIUS Vendor and VSA Set section in Appendix D of the User Guide for Cisco Secure Access Control Server 4 2 CSUtil Database Utility Import a Device Type Attribute File by Using CSUtil Before you can configure GAME group feedback you must import an attribute file that contains a device type attribute The format of a text file to set up a device type attributes is attr 0 vendor id lt the vendor identifier number gt vendor name lt the name of the vendor gt application id 6 application name Audit attribute id 00012 attribute name Device Type attribute profile in out atribute type string To import the file Step 1 Save the text file that sets up the device type attribute in an appropriate directory Step2 Open a DOS command window Step3 Enter csutil addavp lt device type filename gt where device type filename is the name of the text file that contains the device type attribute Step4 Restart ACS a In the navigation bar click System Configuration b Click Service Control c Click Restart Import NAC Attribute Value Pairs To import NAC attribute value pairs Step 1 Use a text editor to create a NAC attribute value pairs file Step
73. Figure 9 33 shows the Protocols settings for the NAC Layer 3 template Figure 9 33 Protocols Setting for NAC Layer 3 Template Network Access Profiles Edit Protocols Settings for Sample_NAC_L3_PROFILE Populate from Global Authentication Protocols Allow PAP Allow CHAP Allow MS CHAPw1 Allow MS CHAPyv2 fFHoovaadqd Allow Agentless Request Processing EAP Configuration PEAP F Allow EAP MSCHAPv2 F Allow EAP GTC M Allow Posture Validation F Allow EAP TLS EAP FAST I Allow EAP FAST I Allow anonymous in band PAC provisioning I Allow authenticated in band PAC provisioning I Accept client on authenticated provisioning I Require client certificate for provisioning I Allow Stateless session resume Authorization PAC TTL fi hours gt Allowed inner methods Submit Cancel 158445 In the EAP Configuration section Posture Validation is enabled Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 E oar Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Authentication Policy To configure authentication policy Step1 In the navigation bar select Network Access Profiles Step2 Choose the Authentication link from the Policies column The Authentication page for the profile opens as shown in Figure 9 34 Figure 9 34 Authentication Page for Layer 3 NAC Profile Template Authentication for NAC3_Template Credential Validation Databas
74. HZ Step 2 Configure Password Policy Step2 On the Password Policy Setup Page specify Password Validation Options See Specify Password Validation Options page 5 6 Password Lifetime Options See Specify Password Lifetime Options page 5 6 Password Inactivity Options See Specify Password Inactivity Options page 5 7 Incorrect Password Attempt Option See Specify Incorrect Password Attempt Options page 5 7 Specify Password Validation Options In the Password Validation Options section configure Password may not contain the username lIf enabled the password cannot contain the username or the reverse username Minimum length n characters n specifies the minimum length of the password default 4 range 4 to 20 Uppercase alphabetic characters If enabled the password must contain uppercase alphabetic characters Lowercase alphabetic characters lIf enabled the password must contain lowercase alphabetic characters Numeric characters If enabled the password must contain numeric characters Non alphanumeric characters If enabled the password must contain nonalphanumeric characters for example the at symbol Password must be different from the previous n versions If enabled the password must be different from the previous n versions default 10 range 0 to 99 Specify Password Lifetime Options In the Password Lifetime Options section configure The password will require change after n
75. NAD the success or failure of the MAC address lookup has an effect on the user group that is mapped to an access request Therefore the MAC address lookup result might be listed in the Passed Authentications or Failed attempts report Configuring Reports for MAB Processing Step 1 Step 2 Step 3 When you configure reports you can add a new attribute called Bypass info to the Passed Authentications and Failed Attempts reports To add this attribute In the navigation bar click System Configuration The System Configuration page opens Click Logging The Logging Configuration page opens The Logging Configuration page shows three columns of ACS reports CSV ODBC and syslog To add the Bypass attribute to a specified report a Click Configure under the report type for one of the reports that you want to modify for example click the CSV report for the Passed Authentications report The Enable Logging page for the specified report opens b Check the check box in the Enable Logging section c In the Attributes column of the Select Columns to Log section select the Bypass Info attribute d Click the right arrow icon to move this attributed to the Logged Attributes column e Select any other attributes that you want to log f Set the other values on the Logging Configuration page as required g Click Submit I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter6 Agentless Host Support Configu
76. NAF to specify a downloadable IP ACL or Network Access Restriction based on the AAA clients by whom the user may access the network saves you the effort of listing each AAA client explicitly NAP agent A process running on a NAP client that sends SoHs or health certificates to ACS NAP client A computer running Windows Vista or Windows Server 2008 NAP clients send their health credentials as Statements of Health SoHs or a health certificate NDG Network Device Group A collection of network devices that act as a single logical group NPS Network Policy Server A Microsoft server that validates health certificates from NAP clients and provides remediation instructions if needed P PA Posture Agent An application that serves as the single point of contact on the host for aggregating posture credentials from potentially multiple posture plug ins and communicating with the network PAC Protected Access Credential A security credential that is used with EAP FAST Flexible Authentication via Secure Tunneling With EAP FAST instead of using a certificate mutual authentication is achieved by using a PAC which can be managed dynamically by the authentication server The PAC can be provisioned distributed one time to the client either manually or automatically Manual provisioning is delivery to the client via disk or a secured network distribution method Automatic provisioning is an in band over the air distribution PDP Policy Decision Point Provi
77. Nac L2 602 1x template Description Template Nac L2 802 1 gt Active Vv Submit Cancel Step3 Enter a Name and Description optional 158412 Step4 From the Template drop down list choose Agentless Host for L3 Step5 Check the Active check box Step6 Click Submit If no error appears then you have created a profile that can authenticate Layer 3 NAC hosts The Edit Network Access Profile page opens and the new profile is listed in the Name column The predefined values for the Agentless Host for Layer 3 template include e Profile Setup e Protocols e A sample posture validation policy e Authentication policy Step7 To select a predefined set of values click on one of the configuration options e The profile name to select the profile setup page for the profile e Protocols e Authentication Policy e Sample Posture Validation Rules Configuration Guide for Cisco Secure ACS 4 2 oce I OL 14390 02 Chapter9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs i Profile Setup To use the Profile Setup settings from the template Step 1 Go to Network Access Profiles Step2 Choose the profile that you created Step3 The Profile Setup page appears as shown in Figure 9 51 Figure 9 51 Profile Setup Page for Agentless Host for Layer 3 Template Profile Setup Name Agentless_host Test template for age
78. New Global EAP FAST Configuration Options page 3 1 e Disabling of EAP FAST PAC Processing in Network Access Profiles page 3 3 e Disabling NetBIOS page 3 4 e Configuring ACS 4 2 Enhanced Logging Features page 3 5 e Configuring Group Filtering at the NAP Level page 3 6 e Option to Not Log or Store Dynamic Users page 3 7 e Active Directory Multi Forest Support page 3 7 For information on new features that accompany ACS SE only see e Configuring Syslog Time Format in ACS 4 2 page 3 7 e RSA Support on the ACS SE page 3 8 e Turning Ping On and Off page 3 16 New Global EAP FAST Configuration Options The EAP FAST Configuration page in the Global Authentication Setup section contains several new options Figure 3 1 shows the new options on the EAP FAST Configuration page Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 Chapter3 Configuring New Features in ACS 4 2 HI New Global EAP FAST Configuration Options Figure 3 1 EAP FAST Settings EAP FAST Callow EAP FAST New Global EAP FAST Configuration Options Ed Active master key TTL 1 months na Retired master key TTL 3 months Tunnel PAC TTL 1 weeks M Client initial message Authority ID Info cisco O Allow full TLS renegotiation in case of Invalid PAC O Allow anonymous in band PAC provisioning Cl Enable anonymous TLS renegotiation O Allow authenticated in band PAC provisioning O accept client on authenticated pro
79. P Address V2 Shared Secret Key V3 Vendor 225 READ_NAS VN V1 Use this action code to export an AAA client list optional to an output file that can be used to associate the list with members of a particular NDG or with all AAA clients You can use this output file as input for CSUtil to import NASs VN lt output_file_name gt where output_file_name specifies the filename for the FTP server used with the ACS SE If nothing is specified the default name DumpNAS txt is used For the ACS for Windows platform you can specify the absolute file path for example C MyNAS dump txt If no value is specified the AAA client lists is written to the ACS bin DumpNAS txt file V1 NDG name optional V1 should contain a valid NDG name I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration HZ Using RDBMS Synchronization to Specify Network Configuration Configuration Guide for Cisco Secure ACS 4 2 Ca OL 14390 02 CHAPTER Password Policy Configuration Scenario Cisco Secure ACS hereafter referred to as ACS provides new password features to support corporate requirements mandated by the Sarbanes Oxley Act of 2002 Sarbanes Oxley SOX requires stricter enforcement of password restrictions ACS provides SOX support which includes e Enforcement of password lifetime policy e Enforcement of inactiv
80. Protocol type appears in the Protocol types list which means that no protocol type filter exists for this profile You can select the Allow Selected Protocol types option to specify a protocol type for filtering Two rules are configured in Advanced Filtering 026 009 001 Cisco av pair aaa service ip admission 006 Service Type 10 These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute s rules You can change the advanced filter and add remove or edit any RADIUS attribute that the RADIUS client sends I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gy Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs This template automatically sets Advanced Filtering and Authentication properties with NAC Layer 2 IP Configuration ACS and Attribute Value Pairs When you enable NAC Layer 2 IP validation ACS provides NAC AAA services by using RADIUS ACS gets information about the antivirus credentials of the endpoint system and validates the antivirus condition of the endpoint You can set these Attribute Value AV pairs on ACS by using the RADIUS cisco av pair vendor specific attributes VSAs e Cisco Secure Defined ACL Specifies the names of the downloadable ACLs on the ACS The switch gets the ACL name from the Cisco Secure Defined ACL AV pair in this format ACL IP name number where name is the ACL
81. Reject connections from listed IP addresses Restricts remote access to the web interface to IP addresses outside of the specified IP Address Ranges IP filtering operates on the IP address received in an HTTP request from a remote administrator s web browser If the browser is configured to use an HTTP proxy server or the browser runs on a workstation behind a network device performing network address translation IP filtering applies only to the IP address of the HTTP proxy server or the NAT device IP Address Ranges The IP Address Ranges table contains ten rows for configuring IP address ranges The ranges are always inclusive that is the range includes the Start and End IP addresses Use dotted decimal format The IP addresses that define a range must differ only in the last octet Class C format Start IP Address Defines the lowest included IP address in the specified range up to 16 characters End IP Address Defines the highest included IP address in the specified range up to 16 characters HTTP Configuration HTTP Port Allocation Allow any TCP ports to be used for Administration HTTP Access Enables ACS to use any valid TCP port for remote access to the web interface Restrict Administration Sessions to the following port range From Port n to Port n Restricts the ports that ACS can use for remote access to the web interface Use the boxes to specify the port range up to five dig
82. S Ascend RADIUS IETF EJ RADIUS Cisco VPN 5004 RADIUS Cisco VPN 300 lt RADIUS Cisco IOS PIXE RADIUS Cisco BBSM RADIUS Cisco Aironet RADIUS Cisco Airespace gt I Advanced Filtering Rule Elements Table 006 Service Type 10 Submit Delete Cancel The default settings for the profile are 026 009 001 cisco av pair aaa service ip_admission 158444 e Any appears in the Network Access Filter field which means that this profile has no IP filter You can choose NAFs from the drop down list so that only specific host IPs match this profile e In the Protocol types list Allow any Protocol type appears in the Protocol types list which means that no protocol type filter exists for this profile e You can click the Allow Selected Protocol types option to specify a protocol type for filtering e Two rules are configured in Advanced Filtering 026 009 001 Cisco av pair 006 Service Type 10 aaa service ip admission mi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute s rules You can change the advanced filter and add remove or edit any RADIUS attribute that the RADIUS client sends Protocols Policy for the NAC Layer 3 Template
83. TION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCENT Cisco Eos Cisco Lumin Cisco StadiumVision the Cisco logo DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn is a service mark and Access Registrar Aironet AsyncOS Bringing the Meeting To You Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP CCVP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx
84. Up Down buttons submit and save the sort order to the database Test profile to enable MAC autentication bypass for agentless host support YES Deny access when no profile matches Grant access using global configuration when no profile matches Apply and Restart You are now ready to enable agentless request processing 158385 Enable Agentless Request Processing for a NAP To enable agentless request processing for a NAP Step 1 In the Edit Network Access Profiles page click Protocols The Protocols Settings page for the selected NAP opens Figure 6 11 shows the top portion of the Protocols Settings page Figure 6 11 Protocols Settings Page Protocols Settings for my_mac_auth_bypass Populate from Global Authentication Protocols I Allow PAP IM Allow CHAP I Allow MS CHAPy1 T Allow MS CHAPy2 M Allow Agentless Request Processing 158386 Step2 Check the check box for Allow Agentless Request Processing Step3 Configure additional protocol configuration options as required Step4 Ifyou are using ACS in a NAC environment check the Allow Posture Validation check box in the EAP Configuration area Step5 Click Submit Configuration Guide for Cisco Secure ACS 4 2 _ Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W You are now ready to configure MAB settings
85. ables ACS to use the secure socket layer SSL protocol to Administration Access encrypt HTTP traffic between the CSAdmin service and the web browser that accesses the web interface This option enables encryption of all HTTP traffic between the browser and ACS as reflected by the URLs that begin with HTTPS Most browsers include an indicator for SSL encrypted connections To enable SSL first install an a server certificate and a certification authority certificate Choose System Configuration gt ACS Certificate Setup to access the installation process With SSL enabled ACS begins using HTTPS at the next administrator login Current administrator sessions are unaffected In the absence of a certificate ACS displays an error Step4 Type the appropriate IP address ranges in accordance with the IP Address Filtering option Step5 Click the appropriate HTTP Port Allocation option to allow all ports or restrict access to certain ports If you restrict access type the range of the restricted ports Step6 Check this option if you want ACS to use the SSL Step7 Click Submit ACS saves and begins enforcing the access policy settings Viewing Administrator Entitlement Reports To assist in SOX compliance ACS produces entitlement report which contain data extracted from the ACS configuration and formatted into text based files ACS produces entitlement reports for administrators and users The reports that you can generate are e Privi
86. age Create a new External Database Configuration Enter a name for the new configuration for RSA SecurID Token Server RSA SecurID Token Server 270292 Step5 Enter the name for the RSA SecureID Token Server and then click Submit You are prompted to choose what to do with the Token Sever Step6 Click Configure You are prompted to upload the sdconf rec file Step7 Click Upload scconf rec Step8 The Cisco Secure ACS to RSA SecurID Configuration page appears as shown in Figure 3 7 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 Chapter3 Configuring New Features in ACS 4 2 E RSA Support on the ACS SE Figure 3 7 Cisco Secure ACS to RSA SecurID Configuration Page Cisco Secure ACS to RSA SecurID Configuration FTP Setup FTP Server Login Password Directory Decryption Password 270289 Step9 On the Cisco Secure ACS to RSA SecurID Configuration page enter the information shown in Table 3 3 Table 3 3 RSA SecurelD Server Configuration Field Description FTP Server The IP address of the FTP server that contains the sdconf rec file This the configuration file for your RSA TokenID installation Login The login name for the FTP server Password The password for the FTP server Directory The directory on the FTP server where the sdconf rec file is located Step10 Click Submit Purging the RSA Node Secret File When you change the RSA Token Server
87. age 9 71 e Step 11 Optional Configure GAME Group Feedback page 9 72 Step 1 Install ACS This section describes the installation process that you perform to run ACS which runs on a Windows 2003 server or on a Cisco Secure ACS Solution Engine ACS SE For detailed information on ACS installation refer to the e Installation Guide for Cisco Secure ACS for Windows Release 4 2 e Installation Guide for Cisco Secure ACS Solution Engine Release 4 2 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 Chapter9 NAC Configuration Scenario Hi Step 2 Perform Network Configuration Tasks Step 1 Step 2 Step 3 Step 4 To install ACS Start the ACS installation If you are installing ACS for Windows a Using a local administrator account log in to the computer on which you want to install ACS b Insert the ACS CD into a CD ROM drive on the computer c Ifthe CD ROM drive supports the Windows autorun feature the ACS for Windows dialog box appears otherwise run setup exe located in the root directory of the ACS CD d In the Cisco Secure ACS for Windows dialog box click Install If you are installing ACS SE follow the instructions in the Installation Guide for Cisco Secure ACS Solution Engine 4 2 Chapter 2 Installing and Configuring Cisco Secure ACS Solution Engine 4 2 provides detailed installation instructions During the installation process you are prompted to enter a password for encrypting
88. ally dispersed ACS units As with many applications AAA clients rely on timely and accurate responses to their queries Network speed is an important factor in deciding how to deploy ACS because delays in authentication that the network causes can result in timeouts at the client side or the switch A useful approach in large extended networks such as for a globally dispersed corporation is to have at least one ACS deployed in each major geographical region Depending on the quality of the WAN links these servers may act as backup partners to servers in other regions to protect against failure of the ACS in any particular region Figure 2 3 shows ACS deployed in a geographically dispersed wired LAN In the illustration Switch 1 is configured with ACS 1 as its primary AAA server but with ACS 2 of Region 2 as its secondary Switch 2 is configured with ACS 2 as its primary but with ACS 3 as its secondary Likewise Switch 3 uses ACS 3 as its primary but ACS 1 as its secondary Using a local ACS as the primary AAA server minimizes AAA WAN traffic When necessary using the primary ACS from another region as the secondary further minimizes the number of ACS units Configuration Guide for Cisco Secure ACS 4 2 P24 E OL 14390 02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture W Figure 2 3 ACS in a Geographically Dispersed LAN Region 1 Region 2 FA T Switch 1 fS BS tl aw S a ala at i
89. ame for the rule OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 E Chapter 9 NAC Configuration Scenario HI Step 9 Map Posture Validation Components to Profiles The Add Edit Posture Validation Rule page for the specified rule appears as shown in Figure 9 54 Figure 9 54 Add Edit Posture Validation Rule Page Posture Validation Rule for Sample_NAC_L2_8021x Name Add_rule_example Condition Required Credential Types Available Credentials Selected Credentials Cisco HIP Action Select Internal Posture Validation Policies Select Name Description Policy Details _ Action ID Condition PNT j m Checks for device against with audit Posture Token Notification String my_device_policy server database 1 Cisco HIP CSAMCN pri i i isco HIP ame printer Cisco Host Healthy 2 Default Cisco Host Healthy Action ID Condition Posture Token Notification d NAC SAMPLE CTA String POLICY Cisco PA PA Name contains Cisco 1 Trust Agent AND Cisco PA Healthy Cisco PA PA Version gt 1 0 0 0 2 Default Cisco PA Quarantine Select External Posture Validation Server Forward Failure Select Name Description Credential Server Details 2 Failure Posture Token Action Types i A So K test_posture_server Test posture Primary https hostname 2002 resource y Reject ccor E PA E Unknown E nown D amp server Secondary User Step5 Choose the Required Cr
90. atabase Step2 Enter a password that is at least 8 characters long and contains letters and numbers The ACS installation process for ACS for Windows automatically creates a shortcut to the ACS administrative GUI on your desktop D Note If you are installing ACS on the ACS SE you must manually create an administrative GUI user by using the use the add guiadmin command to create a GUI account For information on this command see Appendix A of the Installation Guide for Cisco Secure ACS Solution Engine 4 2 Command Reference You can then access the administrative GUI through a supported browser For a list of supported browsers see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Release 4 1 Step3 Double click the ACS Admin icon to open a browser window to the ACS administrative GUI Step4 If you do not see the ACS Admin icon on the desktop open your browser from the machine on which you installed ACS and go to one of the following locations e http IP_address 2002 e http hostname 2002 Configuration Guide for Cisco Secure ACS 4 2 lt OL 14390 02 Chapter6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W where P_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS Step 2 Configure a RADIUS AAA Client Before you can configure agentless
91. ate dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs W e Password The password for the username provided in the Login box The ACS SE has the information necessary to get the accountActions file from the FTP server Step5 ACS for Windows and ACS SE Set the Synchronization Scheduling and Synchronization Partners options as required Figure 4 3 shows the Synchronization Scheduling and Synchronization Partners sections of the RDBMS Synchronization Setup page Figure 4 3 Synchronization Scheduling and Synchronization Partners Options Synchronization Scheduling Z Manually O Every 60 minutes At specific times m n Set All Clear All Synchronization Partners Edl AAA Servers Synchronize E 2 Back to Help Step6 Specify the following Synchronization Scheduling information IK 203257 e Manually lIf you want to disable automatic RDBMS Synchronization check the Manually check box e Every X minutes ACS performs synchronization on a set frequency The unit of measurement is minutes with a default update frequency of 60 minutes e At specific times ACS performs synchronization at the time that is specified in the day and hour graph The minimum interval is one hour and the synchronization occurs on the hour that you chose Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 E Chapter4 Using RDBMS Synchronization to Create dACLs and Sp
92. ates and Copy Them to the ACS Host 7 2 Run the Windows Certificate Import Wizard to Install the Certificate Enable Security Certificates on the ACS Installation 7 3 Install the CA Certificate 7 4 Add a Trusted Certificate 7 4 Step 2 Configure Global Authentication Settings 7 5 Step 3 Specify EAP TLS Options 7 6 Step 4 Optional Configure Authentication Policy 7 6 CHAPTER 8 Syslog Logging Configuration Scenario 8 1 Overview 8 1 Configuring Syslog Logging 8 1 Format of Syslog Messages in ACS Reports 8 4 Facility Codes 8 4 Message Length Restrictions 8 5 CHAPTER 9 NAC Configuration Scenario 9 1 Step 1 Install ACS 9 1 Step 2 Perform Network Configuration Tasks 9 2 Configure a RADIUS AAA Client 9 2 Configure the AAA Server 9 4 Step 3 Set Up System Configuration 9 5 Install and Set Up an ACS Security Certificate 9 5 Obtain Certificates and Copy Them to the ACS Host 9 6 Set Up the ACS Certification Authority 9 6 Edit the Certificate Trust List 9 7 7 2 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Install the CA Certificate 9 7 Install the ACS Certificate 9 8 Set Up Global Configuration 9 8 Set Up Global Authentication 9 9 Set Up EAP FAST Configuration 9 12 Configure the Logging Level 9 14 Configure Logs and Reports 9 14 Step 4 Set Up Administration Control 9 17 Add Remote Administrator Access 9 17 Step 5 Set Up Shared Profile Components 9 20 Configure Network Access Filtering Optional 9 20 Con
93. ates to Create NAPs W Authorization Policy To configure an authorization policy for the NAC Layer 2 802 1x template Step 1 Go to Network Access Profiles Step2 Choose the Authorization link from the Policies column The Authentication page for the NAC Layer 2 802 1x template profile appears as shown in Figure 9 43 Figure 9 43 Authentication Page for NAC Layer 2 802 1x Profile Template Authorization Rules for Sample_NAC_L2_8021x Condition Action System an User Group Posture Y Shared RAC Downloadable ACL Access Token e Any x Healthy Sits NAC SAMPLE HEALTHY L2 RAC gt e Any Quarantine Cr NAC SAMPLE QUARANTINE L2 RAC x If a condition is not defined or there is 0O NAC SAMPLE QUARANTINE L2 RAC D jno matched condition I Include RADIUS attributes from user s group I Include RADIUS attributes from user record Add Rule Delete up Down The Up Down buttons submit and save the sort order to the database Submit Done 158437 On this page you can see the Layer 2 NAC 802 1x template configuration for authorization Step3 Specify the external database that ACS uses to perform authentication a To keep the default setting ACS uses its internal database click the Internal ACS DB radio button b To specify a LDAP server click the LDAP Server radio button and then from the drop down list choose an LDAP server c From the If Agen
94. ault ACL that is already configured on the switch port The default ACL also takes precedence over the policy that is already configured on the host If the default port ACL is not configured on the switch the switch can still apply the downloadable ACL from ACS You use this template for access requests from Layer 2 devices that do not have the 802 1x client installed The Authentication Bypass 802 1x fallback template is used for access requests to bypass the nonclient authentication process Users are mapped to a User Group based on their identity Note Do not click the Populate from Global button otherwise the settings for this authentication field will be inherited from the settings in the Global Authentication Setup in System Configuration Protocols Settings Figure 9 37 shows the Protocols settings for the NAC Layer 2 template Figure 9 37 Protocols Setting for NAC Layer 2 Template Edit Protocols Settings for Test_NAC_L2_service 2 Populate from Global Authentication Protocols I Allow PAP I Allow CHAP T Allow MS CHAPy1 M Allow MS CHAPy2 I Allow Agentless Request Processing EAP Configuration PEAP F Allow EAP MSCHAPV2 M Allow EAP GTC M Allow Posture Validation a M Allow EAP TLS z wo On this page you can see the Layer 2 NAC template configuration for protocols The default settings are e Inthe EAP Configuration area posture validation is enabled e Allow EAP Fast Configuration is checked w
95. bracket lt the right angle bracket gt and the backslash An ACS administrator name does not have to match a network user name Password Enter the password for the administrator to access the ACS web interface The password can match the password that the administrator uses for dial in authentication or it can be a different password ACS enforces the options in the Password Validation Options section on the Administrator Password Policy page Passwords must be at least 4 characters long and contain at least 1 numeric character The password cannot include the username or the reverse username must not match any of the previous 4 passwords and must be in ASCII characters For errors in passwords ACS displays the password criteria If the password policy changes and the password does not change the administrator remains logged in ACS enforces the new password policy at the next login Confirm Password Reenter the password that you entered in the password field OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter5 Password Policy Configuration Scenario HZ Step 2 Configure Password Policy Option Description Account Never If you want to override the lockout options set up on the Administrator Expires Password Policy page with the exception of manual lockout check the check box next to Account Never Expires If you check this option the account never expires but passw
96. cate DB Path FO Admin DN CT Password FCO 158381 a For the primary LDAP server specify Hostname tThe name or IP address of the server that is running the LDAP software If you are using DNS on your network you can type the hostname instead of the IP address Port The TCP IP port number on which the LDAP server is listening The default is 389 as stated in the LDAP specification If you do not know the port number you can find this information by viewing those properties on the LDAP server If you want to use secure authentication port 636 is the default LDAP Version ACS uses LDAP version 3 or version 2 to communicate with your LDAP database If you check this check box ACS uses LDAP version 3 If it is unchecked ACS uses LDAP version 2 Security ACS uses SSL to encrypt communication between ACS and the LDAP server If you do not enable SSL user credentials are passed to the LDAP server in clear text If you select this option then you must select Trusted Root CA or Certificate Database Path ACS supports only server side authentication for SSL communication with the LDAP server ACS SE Only You must ensure that the Port box contains the port number used for SSL on the LDAP server Trusted Root CA LDAP over SSL includes the option to authenticate by using the certificate database files other than the Netscape cert7 db file This option uses the same mechanism as other SSL installations in the ACS environment
97. ccess to all clients e Set up a NAF to limit access to specified clients To set up a NAF In the navigation bar click Shared Profile Components The Shared Profile Components page opens Click Network Access Filtering The Network Access Filtering table appears Initially this table does not contain shared profile components Click Add The Edit Network Access Filtering page opens as shown in Figure 9 11 Configuration Guide for Cisco Secure ACS 4 2 P920 U OL 14390 02 Chapter9 NAC Configuration Scenario Step 4 Step 5 Step 6 Step 5 Set Up Shared Profile Components W Figure 9 11 Edit Network Access Filtering Page Network Access Filtering Name lios routers Description Network Device Groups Selected Items Network Devices az IP Address CO a Be 158419 Q Back to Heip In the Name text box enter a name for the network access filter Move any devices or device groups to the Selected Items list To move a device or device group select the item to move and then click the right arrow button to move it to the Selected Items list Click Submit Configure Downloadable IP ACLs Downloadable IP Access Control Lists dACLs are access lists that can be downloaded to enforce the network authorization of a host Downloadable ACLs dynamically download Layer 3 and Layer 4 access control entries ACEs to a router or to a VPN concentrator and merge them with the default interface ACL
98. ce Tr gf Type User Group Device Type Assign User Group No Device Type Policies Up Down Submit Delete Cancel f If required in the Audit Flow Setting section set the audit flow parameters 158425 g If you are configuring GAME group feedback to support agentless host configuration in the NAC environment configure the settings in the GAME Group Feedback section For information on configuring GAME Group Feedback settings see Enable GAME Group Feedback page 9 79 h Click Submit Step 7 Configure Posture Validation for NAC This section describes how to set up simple posture validation for a NAC enabled network You can create internal policies that ACS uses to validate the posture data or you can configure ACS to send the posture data to an external posture validation server Configure Internal Posture Validation Policies An internal posture validation policy is an internal attribute policy that you can use in more then one profile The result of an internal posture validation policy returns a Posture Assessment token according to rules that you set Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 EEN Chapter9 NAC Configuration Scenario HI Step 7 Configure Posture Validation for NAC Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 To create an internal posture validation policy In the navigation bar click Posture
99. cenario Step 8 Set Up Templates to Create NAPs Ti Figure 9 41 Profile Setup Page for NAC Layer 2 802 1x Template Profile Setup Name Sample_NAC_L2_8021x Sample template for Nac L2 8021x Description Active M Network Access Filter Any vy Protocol types Allow any Protocol type Allow Selected Protocol types Protocol type Selected RADIUS Nortel RADIUS Juniper RADIUS Ascend RADIUS IETF RADIUS Cisco VPN 500 RADIUS Cisco VPN 300 RADIUS Cisco IOS PIX RADIUS Cisco BBSM RADIUS Cisco Aironet RADIUS Cisco Airespace gt i ae Advanced Filtering Rule Elements Table 026 009 001 cisco av pair not exist aaa service 006 Service Type 10 158440 Submit The default settings for the profile are Any appears in the Network Access Filter field which means that this profile has no IP filter You can choose NAFs from the drop down list so that only specific host IPs match this profile Allow any Protocol type appears in the Protocol types list which means that no protocol type filter exists for this profile You can select the Allow Selected Protocol types option to specify a protocol type for filtering Two rules are configured in Advanced Filtering 026 009 001 Cisco av pair aaa service ip admission 006 Service Type 10 These rules specify that the associated profile policies authent
100. cess Control Servers W Determining the Deployment Architecture Figure 2 4 Simple WLAN Segment 1 Segment 3 158308 Remote office Campus WLAN In a WLAN where a number of APs are deployed as in a large building or a campus environment your decisions on how to deploy ACS become more complex Depending on the processing needs of the installation all of the APs might be on the same LAN Figure 2 5 shows all APs on the same LAN however the APs might also be distributed throughout the LAN and connected via routers switches and so on Configuration Guide for Cisco Secure ACS 4 2 P26 E OL 14390 02 Chapter2 Deploy the Access Control Servers Determining the Deployment Architecture W Figure 2 5 Campus WLAN Cisco Aironet APs day Dial up connection Sf a UNIX server Novell server al Windows NT Server p Cisco Secure O gt Access Control Server Macintosh server 63490 Regional WLAN Setting In a given geographical or organizational region the total number of users might or might not reach a critical level for a single ACS Small offices would not qualify for separate installations of ACSs and a regional office might have sufficient reserve capacity In this case the small offices can authenticate users across the WAN to the larger regional office Once again you should determine that this does not pose arisk to the users in the remote offices Assess critical
101. character check box and then type the domain qualifier delimiting character in the X box I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter3 Configuring New Features in ACS 4 2 HZ RSA Support on the ACS SE Step 10 Step 11 Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Step 18 Step 19 Step 20 Step 21 Note The X box cannot contain the following special characters the pound sign the question mark the quote the asterisk the right angle bracket gt and the left angle bracket lt ACS does not allow these characters in usernames If the X box contains any of these characters stripping fails Under Common LDAP Configuration in the User Directory Subtree box type the DN of the tree containing all your users In the Group Directory Subtree box type the DN of the subtree containing all your groups In the User Object Type box type the name of the attribute in the user record that contains the username You can obtain this attribute name from your Directory Server For more information refer to your LDAP database documentation amp Note The default values in the UserObjectType and following fields reflect the default configuration of the Netscape Directory Server Confirm all values for these fields with your LDAP server configuration and documentation In the User Object Class box type the value of the LDAP objectType attribute that id
102. cient security for the network devices Separation of Administrative and General Users You should prevent the general network user from accessing network devices Even though the general user may not intend to gain unauthorized access inadvertent access could accidentally disrupt network access AAA and ACS provide the means to separate the general user from the administrative user The easiest and recommended method to perform such separation is to use RADIUS for the general remote access user and TACACS for the administrative user One issue is that an administrator may also require remote network access like the general user If you use ACS this issue poses no problem The administrator can have RADIUS and TACACS configurations in ACS By using authorization RADIUS users can set PPP or other network access protocols as the permitted protocol Under TACACS only the administrator would be configured to have shell exec access For example if the administrator is dialing in to the network as a general user a AAA client would use RADIUS as the authenticating and authorizing protocol and the PPP protocol would be authorized In turn if the same administrator remotely connects to a AAA client to make configuration changes the AAA client would use the TACACS protocol for authentication and authorization Because this administrator is configured on ACS with permission for shell under TACACS the administrator would be authorized to log in
103. co Secure ACS 4 2 oL 14390 02 EN Chapter 9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Figure 9 46 Profile Setup Page for Wireless NAC L2 802 1x Template Name Sample_wireless_NAC_l Sample wireless Nac L2 802 1x template Description Active Vv Network Access Filter Any bd Protocol types Allow any Protocol type Allow Selected Protocol types Protocol type Selected RADIUS Nortel RADIUS WJunipen RADIUS Ascend RADIUS IETF gt RADIUS Cisco VPN SO0 RADIUS Cisco VPN 300f RADIUS Cisco IOS PIXE RADIUS Cisco BBSM RADIUS Cisco Aironet RADIUS Cisco Airespace gt I Advanced Filtering Rule Elements Table 0267 009 001 cisco av pair not exist aaa service 006 Service Type 10 remove Submit Clone Delete Cancel The default settings for the profile are 158446 e Any appears in the Network Access Filter field which means that this profile has no IP filter You can choose NAFs from the drop down list so that only specific host IPs match this profile e In the Protocol types list Allow any Protocol type appears in the Protocol types list which means that no protocol type filter exists for this profile e You can click the Allow Selected Protocol types option to specify a protocol type for filtering e Two rules are configured in Advanced Filtering 026
104. condary Determines whether ACS performs failover of LDAP authentication attempts Failback Retry Delay The number of minutes after the primary LDAP server fails to authenticate a user that ACS resumes sending authentication requests to the primary LDAP server first A value of zero 0 causes ACS to always use the primary LDAP server first Max Admin Connections The maximum number of concurrent connections greater than zero 0 with LDAP administrator account permissions that can run for a specific LDAP configuration These connections are used to search the directory for users and groups under the User Directory Subtree and Group Directory Subtree Specify LDAP server configuration information Figure 6 7 shows the Primary LDAP Server and Secondary LDAP Server configuration sections I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Figure 6 7 LDAP Server Configuration Sections Primary LDAP Server Hostname Port 389 Default is 389 LDAP Yersion M Use LDAP Y3 Security I Use Secure Authentication C Trusted Root CA none selected sits Certificate DB Path FO Admin DN o Password a Secondary LDAP Server Hostname Port 389 Default is 389 LDAP Yersion M Use LDAP Y3 Security I Use Secure Authentication C Trusted Root CA none selected Certifi
105. configuration you must purge the existing Node Secret file To purge the Node Secret file Step1 In the navigation bar click External User Databases The External User Databases page opens Step2 Click Database Configuration The External User Databases Configuration page opens Step3 Click RSA SecurID Token Server Configuration Guide for Cisco Secure ACS 4 2 P30 Es OL 14390 02 _ Chapter 3 Configuring New Features in ACS 4 2 Step 4 Step 5 RSA Support onthe ACS SE W The External User Database Configuration page opens Click Configure The Cisco Secure ACS to RSA SecurID Configuration page opens Click Purge Node Secret Configuring RSA SecurlD Token and LDAP Group Mapping You can perform authentication with RSA in native mode and also by using LDAP group mapping with RSA If you use RSA with LDAP group mapping then the user s LDAP group membership controls authorization When RSA native mode authentication succeeds group mapping occurs with LDAP The user s group is applied based on the group mapping configuration Note Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Before you configure RSA authentication with LDAP Group Mapping ensure that you have the correct installation or configuration of the third party DLLs required to support this type of external database To configure RSA authentication with LDAP Group Mapping Enable RSA support as described in RSA Support on the ACS SE page 3
106. curity user database extensibility and support for one time token authentication and password change or aging PEAP is based on an Internet Draft that Cisco Systems Microsoft and RSA Security submitted to the IETF Small LAN Environment In a small LAN environment a LAN containing up to 3 000 users see Figure 2 1 a single ACS is usually located close to the switch and behind a firewall In this environment the user database is usually small because few switches require access to ACS for AAA and the workload is small enough to require only a single ACS However you should still deploy a second ACS server for redundancy and set up the second ACS server as a replication partner to the primary server because losing the ACS would prevent users from gaining access to the network In Figure 2 1 an Internet connection via firewall and router are included because these are likely to be features of such a network but they are not strictly related to the Cisco Catalyst AAA setup or required as part of it You should also limit access to the system hosting the ACS to as small a number of users and devices as necessary As shown in Figure 2 1 you set access by connecting the ACS host to a private LAN segment on the firewall Access to this segment is limited only to the Cisco Catalyst Switch client and those user machines that require HTTP access to the ACS for administrative purposes Users should not be aware that the ACS is part of the network
107. d i e this code cannot simply be copied and put under another distribution license including the GNU Public License Configuration Guide for Cisco Secure ACS 4 2 Pv OL 14390 02 S CHAPTER 1 Overview of ACS Configuration This chapter describes the general steps for configuring Cisco Secure Access Control Server hereafter referred to as ACS and presents a flowchart showing the sequence of steps Note If you are configuring ACS to work with Microsoft clients in a Cisco Network Access Control Microsoft Network Access Protection NAC NAP network refer to Chapter 9 NAC Configuration Scenario This chapter contains e Summary of Configuration Steps page 1 1 e Configuration Flowchart page 1 5 Summary of Configuration Steps Step 1 Step 2 Step 3 To configure ACS Plan the ACS Deployment Determine how many ACS servers you need and their placement in the network For detailed information see Chapter 2 Deploy the Access Control Servers Install the ACS Servers Install the ACS servers as required For detailed installation instructions refer to e Installation Guide for Cisco Secure ACS for Windows Release 4 2 available on Cisco com at http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 installation guide windows IGwn42 html e Installation Guide for Cisco Secure ACS Solution Engine Release 4 2 available on Cisco com at http www ci
108. d ACS Deployment Guide e Deploying Cisco Secure ACS for Windows in Cisco Aironet Environment e EAP TLS Deployment Guide for Wireless LAN Networks e Guidelines for Placing ACS in the Network This section contains e Number of Users page 2 11 e Number of Network Access Servers page 2 12 e LAN Versus WAN Deployment Number of LANs in the Network page 2 12 e WAN Latency and Dependability page 2 12 e Determining How Many ACS Servers to Deploy in Wireless Networks page 2 13 Number of Users In all topologies the number of users is an important consideration For example assuming that an ACS can support 21 000 users if an wireless access point can support 10 users then a given ACS could support 2 100 wireless access points in a WLAN environment I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter2 Deploy the Access Control Servers HZ Determining How Many ACSs to Deploy Scalability The size of the LAN or WLAN is determined by the number of users who use the LAN or WLAN Size Users Small LAN 1 to 3 000 Medium sized LAN 3 000 to 25 000 Large LAN 25 000 to 50 000 Very large LAN or WLAN Over 50 000 For a detailed formula see the white paper Deploying Cisco Secure ACS for Windows in Cisco Aironet Environment which is available on Cisco com at this location http www cisco com en US products sw secursw ps2086 prod_white_papers_list html Number of Network Access Servers An ACS can
109. d be on adjacent subnets with reliable WAN connections ACSs on adjacent subnets could then be used as secondary systems for backup If the WAN connections between buildings in this subnet are short reliable and pose no issue of network latency two ACSs can service all of these buildings and all the users At 40 percent load one ACS would take half of the access points as the primary server and the other ACS would take the remaining APs Each ACS would provide backup for the other Again at 40 percent load a failure of one ACS would Configuration Guide for Cisco Secure ACS 4 2 Ea OL 14390 02 Chapter2 Deploy the Access Control Servers Deploying ACS Servers to Support Server Failover W only create an 80 percent load on the other ACS for the duration of the outage If the WAN is not suitable for authentication connections we recommend using two or more ACSs on the LAN in a primary or secondary mode or load balanced Determining How Many ACS Servers to Deploy in Wireless Networks In planning how many ACS servers to deploy in a wireless network consider e The location and number of access points For example with 4 200 APs One ACS could handle half of the APs as primary server Other ACSs could handle the remaining APs e The number of EAP TLS clients together with EAP TLS authentications per second e The number of clients e Scalability with different protocols For example if you use EAP TLS you will need more ACS s
110. databases choose the LDAP database that you want to use to filter user access d From the list of LDAP user groups in the Available Groups list choose the groups for which to allow access Choose a group in the Available Groups list and click the right arrow gt button to move the group to the list of Selected Groups e If you want to sort the lists click the Up and Down buttons to move a group up or down in a list Step3 Click Submit Configuration Guide for Cisco Secure ACS 4 2 E OL 14390 02 Chapter3 Configuring New Features in ACS 4 2 Option to Not Log or Store Dynamic Users W Option to Not Log or Store Dynamic Users When ACS authenticates users by using external databases such as Active Directory or LDAP and a user is successfully authenticated with the external database then by default ACS stores the information for the user in the ACS internal database The users that ACS creates in this manner are called dynamic users With ACS 4 2 you can configure ACS not to not create or store data on dynamic users To disable creation of dynamic users in the ACS internal database Step1 In the navigation bar choose External User Databases gt Unknown User Policy The Configure Unknown User Policy page opens Step2 Scroll down to the Configure Caching Unknown Users section shown in Figure 3 4 Figure 3 4 Disabling Creation of Dynamic Users Configure Caching Unknown Users Ej Use this option to disable
111. days Following a change of password if this option is enabled n specifies the number of days before ACS requires a change of password due to password age the default value is 30 days The range is 1 to 365 When checked enabled the Administrator will be locked after n days option causes ACS to compare the two password lifetime Options and use the greater value of the two The Administrator will be locked out after n days Following a change of password if this option is enabled n specifies the number of days before ACS locks out the associated administrator account due to password age The default value is 30 days the range is to 365 days Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter5 Password Policy Configuration Scenario Step 3 Configure Session Policy W Specify Password Inactivity Options In the Password Inactivity Options section configure e The password will require change after n days Following the last account activity if enabled n specifies the number of days before ACS requires a change of password due to password inactivity The default value is 30 days the range is 1 to 365 days When checked enabled the Administrator will be locked after n days option causes ACS to compare the two Password Inactivity Options and use the greater value of the two Note For additional security ACS does not warn users who are approaching the limit for password inactivity e The Adminis
112. deleting dACLs 4 12 deployment architecture 2 1 considerations database replication 2 13 number of access servers 2 12 RDBMS Synchronization 2 14 device type attribute file importing using CSUtil 9 73 device types for GAME group feedback 9 80 disabling NETBIOS 3 4 documentation conventions x objectives ix Index W related xii a downloadable ACLs dACLs See dACLs accountActions file for creating 4 4 configuring E using RDBMS Synchronization 4 2 configuring for NAC NAP 39 21 EAP 2 2 creating a text file to configuring 4 2 EAP FAST deleting 4 12 configuring ACS for 9 12 errors creating 4 11 configuring for NAC NAP 9 12 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 ZN W index configuring new features in ACS 4 2 3 2 EAP TLS 2 3 specifying Certificate Binary Comparison for 7 6 specifying Certificate CN Comparison for 7 6 specifying certificate SAN comparison for 7 6 Edit Network Access Protocols page 6 19 enabling agentless request processing 6 18 agentless request processing fora NAP _ 6 20 NAFs 9 22 Passed Authentication report 9 15 security certificates 6 8 7 3 9 8 EoU 39 25 errors creating dACLs 4 11 Extensible Authentication Protocol See EAP Extensible Authentication Protocol Transport Layer Security See EAP TLS external posture validation policy adding toa profile 9 69 configuring 9 38 F facility codes for Syslog messages 8 4 G GAME group feedback 6 2 6 24 c
113. des facilities for policy management and conditional filters PEP Policy Enforcement Point ACS acts as the policy enforcement point for policy management Configuration Guide for Cisco Secure ACS 4 2 I 0L 14390 02 E GLS WE Glossary PEAP Protected Extensible Authentication Protocol An 802 1x authentication type for wireless LANs WLANs PEAP provides strong security user database extensibility and support for one time token authentication and password change or aging PEAP is based on an Internet Draft that Cisco Systems Microsoft and RSA Security submitted to the IETF Posture credentials State information of a network endpoint at a given point in time that represents hardware and software OS and application information Posture plug in A third party DLL that provides host posture credentials to a posture agent on the same endpoint for endpoint posture validation and network authorization PV Posture Validation Posture validation validates the collection of attributes that describe the general state and health of the user s machine the host PVS Posture Validation Server A posture validation server acts as an application specific policy decision point in NAC for authorizing a set of posture credentials against a set of policy rules R RAC RADIUS Attribute Component RADIUS A widely deployed protocol enabling centralized authentication authorization and accounting for network access S SoH Statement
114. dial in LAN Small Dial Up Network Access In the small LAN environment see Figure 2 8 network architects typically place a single ACS internal to the AAA client which a firewall and the AAA client protect from outside access In this environment the user database is usually small because few devices require access to the ACS for authentication authorization and accounting AAA and any database replication is limited to a secondary ACS as a backup I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter2 Deploy the Access Control Servers W Determining the Deployment Architecture Figure 2 8 Small Dial up Network Server based dial access Cisco Secure Access Control Server Large Dial Up Network Access ron E Modem 63486 In a larger dial in environment a single ACS with a backup may be suitable too The suitability of this configuration depends on network and server access latency Figure 2 9 shows an example of a large dial in network In this scenario the addition of a backup ACS is recommended Figure 2 9 Large Dial up Network Cisco AS5300 Cisco AS5300 s A iy Cisco Secure Access Control Server 1 m UNIX server Novell server Windows NT on erver T 2 Macintosh server 63487 E Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 _ Chapter 2 Deploy the Access Control Servers Determining How Many ACSs to
115. e Authority ID Info field enter the name of the certificate authority server In the example shown in Figure 9 8 this is acs Nac Server However this can be any string Check the Allow anonymous in band PAC provisioning and authenticated in band PAC provisioning check boxes I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 jg Chapter9 NAC Configuration Scenario Hi Step 3 Set Up System Configuration Step 8 Step 9 Step 10 Check the Accept client on authenticated provisioning and Require client certificate for provisioning check boxes Check the check boxes for the EAP GTC EAP MSCHAPv2 and EAP TLS inner methods The EAP FAST Master Server check box is automatically checked enabled Check the Certificate SAN and Certificate Binary comparison check boxes to enable these EAP TLS comparison methods Click Submit Restart Configure the Logging Level Step 1 Step 2 Step 3 Step 4 Step 5 To set ACS to full logging capabilities In the navigation bar click System Configuration The System Configuration page opens Click Service Control Under Level of Detail click the Full radio button Note Setting the logging level to Full might affect system performance Therefore you should set the logging level to Full for an initial deployment when detailed troubleshooting is required After the network has become stable set the logging level to Normal Check the Manage Direc
116. e CSV file from the database reads the action codes in the file and performs the RDBMS Synchronization operations that file specifies Performing RDBM Synchronization Using a Script On the ACS SE you can change ACS configuration from a remote system by using a command line utility for RDBMS Synchronization that includes SSH support You can use the mechanism that starts the SSH server to add Administrator privileges and invoke the csdbsync syncnow command The csdbsync syncnow and csdbsync run commands work the same without stopping or starting the CSDBSync service You can include the commands to perform these actions in a script that you run remotely on a specified ACS SE Step 6 View the dACLs Step 1 Step 2 Step 3 After you have run RDBMS Synchronization to create the dACLs view the dACLs to ensure that they are correct To view the dACLs In the Navigation Bar click Shared Profile Components Click Downloadable IP ACLs The Downloadable IP ACLs page opens In the Name column of the Downloadable IP ACLs table you should see the dACL that was specified in the text file that you coded in Step 2 Create a Text File to Define the dACLs page 4 2 Click the name of the dACL I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration HI Using RDBMS Synchronization to Configure dACLs The Downloadable IP ACLs page dis
117. e Description objectClass The value in the example indicates that this is a group of unique names The value that you specify here must match the name that you specify in the Group Object Class text box when you specify the Common LDAP configuration during ACS LDAP configuration For information on configuring LDAP see Configure an External LDAP Database for MAB Support page 6 10 uniqueMember The value in the example is uniqueMember One or more uniqueMember entries are used to specify one or more device type records that have been set up in the LDAP schema to define agentless hosts with specified MAC addresses The objectClass field in the LDAP user group shown in the previous code sample includes user00 user77a and user88 The name that you give to this field in your LDAP schema must match the value that you enter in the Group Attribute Name text box when you specify the common LDAP configuration during ACS LD configuration For information on configuring LDAP see Configure an External LDAP Database for MAB Support page 6 10 Create One or More LDAP Database Configurations in ACS After you have configured one or more LDAP databases to support MAB configure ACS to query the LDAP databases The settings in the following procedure are based on the LDAP schema described in the previous section Configure an External LDAP Database for MAB Support page 6 10 For your ACS installation configure ACS based on the schema that yo
118. e Type from Audit Server K Assign This Group if Audit Server Did not Return a Device 10 Group 10 Type User Group Device Type Assign User Group P 2 Group 2 contains gt Printer gt s Group 5 gt o Add Delete Up Down Submit Delete Cancel In the group assignment table specify 158428 e User Group Lists all user groups including Any The device type that the MAC authentication returns is initially compared with this list of device types e Match Condition Valid values for the operator are match all OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 E Chapter9 NAC Configuration Scenario HZ Step 11 Optional Configure GAME Group Feedback Step 5 Step 6 Step 7 Step 8 Step 9 contains starts with regular expression e Device Type Defines the comparison criteria for the User Group by using an operator and device type Valid values for the device type drop down list include wy Printer IP Phone Network Infrastructure Wireless Access Point Windows UNIX Mac Integrated Device PDA Unknown Note Type a device type in the text box if the device type drop down does list not contain a particular device e Assign User Group A drop down list of administrator defined user groups If the comparison of the initial User Group with the Device Type succeeds ACS will assign this user group To add addit
119. e Using list choose RADIUS IOS PIX Specify additional AAA client settings as required Click Submit Apply Configure the AAA Server Step 1 Your AAA server is automatically populated during the installation of ACS using the hostname assigned to Windows 2003 system You must specify some additional configuration information to enable the server to communicate with AAA clients To configure the AAA server In the navigation bar click Network Configuration The Network Configuration page opens Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 3 Set Up System Configuration W Step2 In the AAA Servers table click the name of the AAA server in the AAA Server Name column The AAA Server Setup page opens shown in Figure 9 2 Figure 9 2 AAA Server Setup Page AAA Server Setup for nmdoc win2k6 AAA Server IP Address 172 20 98 85 Key secret_value Network Device Group Not Assigned xj o Log Update Watchdog Packets from this remote AAA Server AAA Server Type CiscoSecure ACS i Traffic Type inbound outbound b Authentication Port 1545 444 Server RADIUS Accounting 1646 Port 240951 Step3 In the Key field enter the shared secret that you used to set up the AAA clients Step4 Click Submit and Apply Step 3 Set Up System Configuration This section describes the following tasks e Install and Set Up an ACS Security Certificate
120. e and Description optional Step5 From the Template drop down list choose NAC L3 IP Step6 Check the Active check box Step7 Click Submit If no error appears then you have created a profile that can authenticate Layer 3 NAC hosts The Edit Network Access Profile page opens and the new profile appears in the Name column The predefined values for the Layer 3 NAC template include e Profile Setup options e Protocols e A sample posture validation policy e Authentication policy Step8 To select a predefined set of values click on one of the configuration options e The profile name to select the profile setup page for the profile e Protocols e Authentication Policy e Sample Posture Validation Rules Profile Setup To use the Profile Setup settings from the template Step1 In the navigation bar click Network Access Profiles Step2 Choose the profile that you created Step3 The Profile Setup page appears as shown in Figure 9 32 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 g oas Chapter 9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Figure 9 32 Profile Setup Page for Layer 3 NAC Template Profile Setup Name Sample_NAC_L3_PROFI Description Active E Network Access Filter Any x Protocol types Allow any Protocol type Allow Selected Protocol types Protocol type Selected RADIUS Nortel RADIUS WJunipen RADIU
121. e appears as shown in Figure 5 4 I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter5 Password Policy Configuration Scenario HI Step 4 Configure Access Policy Figure 5 4 Access Policy Setup Page IP Address Filtering Allow all IP addresses to connect Allow only listed IP addresses to connect Reject connections from listed IP addresses IP Address Ranges 2 Start IP Address End IP Address oO OO u Oo oO fF WY N E ooo HTTP Configuration HTTP Port Allocation Allow any TCP ports to be used for Administration HTTP Access Restrict Administration Sessions to the following port range From Port 1024 to Port 65535 Secure Socket Layer Setup I Use HTTPS Transport for Administration Access 210086 Step3 Click the appropriate IP Address Filtering option Table 5 1 Access Policy Options Option Description IP Address Filtering Allow all IP addresses to connect Enables remote access to the web interface from any IP address Allow only listed IP addresses to Restricts remote access to the web interface to IP addresses connect within the specified IP Address Ranges wi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter 5 Password Policy Configuration Scenario Table 5 1 Option Step 4 Configure Access Policy W Access Policy Options continued Description
122. e attribute s rules You can change the advanced filter and add remove or edit any RADIUS attribute that the RADIUS client sends Protocols Policy 9 68 Figure 9 52 shows the Protocols settings for the Agentless Host for Layer 3 template Figure 9 52 Protocols Setting for Agentless Host for Layer 3 Template Protocols Settings for Agentless_host Populate from Global Authentication Protocols Allow PAP Allow CHAP Allow MS CHAP 1 Allow MS CHAPv2 nnoadq xI Allow Agentless Request Processing EAP Configuration PEAP F Allow EAP MSCHAPV2 F Allow EAP GTC I Allow Posture Validation Allow EAP TLS EAP FAST I Allow EAP FAST I Allow anonymous in band PAC provisioning I Allow authenticated in band PAC provisioning I Accept client on authenticated provisioning I Require client certificate for provisioning In the Authentication Protocols section check Agentless Host processing Configuration Guide for Cisco Secure ACS 4 2 158410 OL 14390 02 Chapter 9 NAC Configuration Scenario Step 9 Map Posture Validation Components to Profiles Authentication Policy Step 1 Step 2 Step 3 To configure an authentication policy for the Agentless Host for Layer 3 template Go to Network Access Profiles Choose the Authentication link from the Policies column The Authentication page for the profile appears as shown in Figure 9 53 Figure 9 53 Authentication Page fo
123. e host s MAC address to identify it The NAD sends ACS a RADIUS authorization request with servicetype 10 and the MAC address of the host contained in the calling station id attribute I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 jg Chapter6 Agentless Host Support Configuration Scenario HZ Overview of Agentless Host Support 3 If you configure ACS for MAB it searches the authentication database for the host s MAC address The database can be ACS internal LDAP if you configure LDAP 4 During the database lookup ACS looks up the MAC address in an identity store the internal ACS database or an LDAP database ACS maps the MAC address to an ACS user group If ACS finds the MAC address ACS associates the access request to an ACS user group If ACS does not find the MAC address ACS assigns the access request to a default group that has been configured for failed MAB At this stage ACS proceeds with authorization as for all other access requests The expected value in the calling station id attribute is a MAC address however if the attribute contains a different value IP address ACS looks for the IP address in the access database ACS applies authorization rules based on the user group and associated policies that a Network Access Profile contains Figure 6 1 shows the flow of MAB information Figure 6 1 MAB Flow LDAP w Request MAC address lookup Response MAC address
124. e of the accountActions CSV file that you created in Step 3 Code an accountActions File to Create the dACL and Associate a User or Group with the dACL page 4 4 In the Directory field enter the directory path to the accountActions CSV file ACS has the information with which to access the accountActions table If you are using ACS SE a Complete the required fields on the RDBMS Synchronization Setup page Figure 4 2 Figure 4 2 RDBMS Synchronization Setup Page ACS SE RDBMS Synchronization Setup Service is Running FTP Setup For Account Actions Download 2 Actions File accountactions cs FTP Server Directory Login Password esessesseseses 206252 Enter the following information Actions File The name of the accountActions file The default name is accountactions csv The filename provided must match the name of the accountActions file on the FTP server FTP Server The IP address or hostname of the FTP server from which ACS obtains the accountActions file If you specify a hostname DNS must be enabled on your network Directory The relative path from the FTP server root directory to the directory where the accountActions file resides To specify the FTP root directory enter a single dot Username A valid username to enable ACS to access the FTP server Configuration Guide for Cisco Secure ACS 4 2 mae W OL 14390 02 Chapter4 Using RDBMS Synchronization to Cre
125. eate txt code the following statement 2 1 385 C dACL_folder dACL_create txt 7 8 2008 15 00 0 0 Action code 385 creates a ACL The value directly after the action code specifies the directory path and filename of the text file that specifies the dACL In the sample code shown in Example 4 1 and Example 4 2 this is the dACL_create txt file The value after the directory path and filename must specify a timestamp for the file for example 7 8 2008 15 00 Step4 Code a statement to associate the dACL with a specified User For example to associate the dACL DACL_for_Troy with the User Troy code 3 1 Troy 380 DACL_For_Troy 7 8 2008 15 00 0 0 The third value in this statement specifies the User Troy to associate the dACL with Action code 380 associates dACL with the User and the value immediately after the action code specifies the dACL name dACL_for_Troy The value after the dACL name must specify a timestamp for the action for example 7 8 2008 15 00 Step5 Save the file e ACS for Windows Save the file to a directory on the Windows machine that is running ACS e ACS SE Save the file to a directory on an FTP server used with the ACS SE Sample accountActions CSV File Example 4 2 shows a sample accountActions CSV file Note The default filename for the CSV is accountactions csv However you can rename it Example 4 2 Sample accountActions CSV File Sequenceld Priority UserName GroupName Action
126. ecify Network Configuration HZ Using RDBMS Synchronization to Configure dACLs Step7 For each ACS that you want this ACS to update with data from the accountActions table click the ACS in the AAA Servers list and then click the right arrow button gt on the interface The ACS that you chose appears in the Synchronize list Step8 To remove ACSs from the Synchronize list click the ACS in the Synchronize list and then click the left arrow button lt The ACS that you chose is removed from the Synchronize list Step 9 At the bottom of the browser window click Synchronize Now ACS immediately begins a synchronization event To check the status of the synchronization view the RDBMS Synchronization report in Reports and Activity Step 5 Perform RDBMS Synchronization You can perform the RDBMS Synchronization and create the dACLs in two ways By running e RDBMS Synchronization from the ACS GUI e CSDBSync manually to create the dACLs Running RDBMS Synchronization from the ACS GUI When you click Synchronize Now on the RDBMS Synchronization page for ACS for Windows or for the ACS SE ACS begins a synchronization event and creates the dACLs specified in the accountActions CSV file Running CSDBSync Manually to Create the dACLs You can run CSDBSync manually to create the dACLs ACS for Windows In Windows use the command line interface to invoke the csdbsync run command The CSDBSync service reads each statement
127. ecify password restrictions Step 2 Configure Password Policy To configure password policy Step 1 On the Administration Control page click Password Policy The Administrator Password Policy Setup page appears shown in Figure 5 2 Configuration Guide for Cisco Secure ACS 4 2 a OL 14390 02 Chapter 5 Password Policy Configuration Scenario Figure 5 2 The Administrator Password Policy Setup Page Administrator Password Policy Setup Password Validation Options l Password may not contain the username Minimum length 4 characters Password must contain I lower case alphabetic characters I upper case alphabetic characters M numeric characters I non alphanumeric characters l Password must be different from the previous 10 versions Password Lifetime Options 2 Following a change of password I The password will require change after 30 days l The Administrator will be locked out after eo days Password Inactivity Options 2 Following last account activity l The password will require change after 30 days I The Administrator will be locked out after eo days Incorrect Password Attempt Options 2 I Lock out Administrator after 3 successive failed attempts Submit Cancel 158377 Step 2 Configure Password Policy W I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gy Chapter5 Password Policy Configuration Scenario
128. edential Types Step6 In the Select External Posture Validation Sever section select the policies or server that you want to map to this profile To select a e Posture Server check the check box next to the server name e Policy check the check box next to a policy in the Failure Action column Step7 Click Submit Step8 Click Back to return to the Posture Validation policy Step9 Click Apply Restart _ Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter 9 NAC Configuration Scenario Step 10 Map an Audit Server to a Profile Step 10 Map an Audit Server to a Profile Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 To add an external posture validation audit server to a Choose Network Access Profiles Click the Protocols link for the relevant Posture Valid profile ation Policy The Protocols Settings page for the policy that you choose opens Check the Allow Agentless Request Processing check box Click Submit Click the Posture Validation link for the relevant profile Posture Validation policy Click Select Audit The Select External Posture Validation Audit Server page opens as shown in Figure 9 55 Figure 9 55 Select External Validation Audit Server Page Select External Posture Validation Audit for Sample_NAC_L2_8021x 2 Select Audit Server Select Name Description Server Details Server URL ang al ia lo ame test one External audi
129. edirect ac1 AV pair contains the name of an ACL which specifies the HTTP or HTTPS traffic to be redirected The ACL must be defined on the switch Traffic which matches a permit entry in the redirect ACL will be redirected If the host s posture is not healthy ACS might send these AV pairs For more information about AV pairs that Cisco IOS software supports see the documentation about the software releases that run on the AAA clients Default ACLs If you configure NAC Layer 2 IP validation on a switch port you must also configure a default port ACL on a switch port You should also apply the default ACL to IP traffic for hosts that have not completed posture validation Configuration Guide for Cisco Secure ACS 4 2 Pos OL 14390 02 Chapter 9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W If you configure the default ACL on the switch and the ACS sends a host access policy to the switch the switch applies the policy to traffic from the host that is connected to a switch port If the policy applies to the traffic the switch forwards the traffic If the policy does not apply the switch applies the default ACL However if the switch gets a host access policy from the ACS but the default ACL is not configured the NAC Layer 2 IP configuration does not take effect When ACS sends the switch a downloadable ACL that specifies a redirect URL as a policy map action this ACL takes precedence over the def
130. elease 4 2 Shipped with product PDF on the product CD ROM On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_solution_engine 4 2 regulatory compliance RCSI_42 html Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4 2 On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_solution_engine 4 2 installation guide remote_agent rmag42 html Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Release 4 2 On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 device guide sdt42 html I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gg Preface E Notices Table 1 ACS 4 2 Documentation continued Document Title Available Formats Installation and User Guide for Cisco On Cisco com Beane AC User Changeable http www cisco com en US docs net_mgmt Passwords i cisco_secure_access_control_server_for_windows 4 2 installation guide user_passwords ucp42 html Troubleshooting Guide for Cisco e On Cisco com ACUTE ACCESS COMTO SEINER http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 trouble guide ACS_Troubleshooting html Online Documentation In the ACS HTML interface click Online Documentation Online Help I
131. elected drive For example copy the following files to the certs directory e ACS I nac cisco com cer server certificate e ACS 1 PrivateKey txt server certificate private key e ca nac cisco com cer CA certificate You are now ready to set up the ACS certification authority Set Up the ACS Certification Authority Step 1 Step 2 Step 3 Step 4 Step 5 To set up the ACS certification authority In the navigation bar click System Configuration The System Configuration page opens Click ACS Certificate Setup The ACS Certificate Setup page opens Click ACS Certification Authority Setup The ACS Certificate Authority page opens as shown in Figure 9 3 Figure 9 3 ACS Certificate Authority Setup Page ACS Certification Authority Setup CA Operations 2 Add new CA certificate to local certificate storage CA certificate file s ca nac cisco com cer 240952 Enter the path and filename for the certificate authority certificate and then click Submit Restart ACS To restart ACS choose System Configuration gt Service Control and then click Restart Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 3 Set Up System Configuration W Edit the Certificate Trust List After you set up the ACS certification authority you must add the CA certificate to the ACS Certificate Trust list To add the certificate to the Certificate Trust list Step
132. ented in Example 6 1 Figure 6 5 Tree Structure for a MAB Support LDAP Schema MAB segment MAC addresses MAC groups LDAP user group 11 LDAP user group 00 802 1x device n 802 1x device n 1 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 N Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support How the Subtrees Work The sample LDAP schema in Example 6 1 contains code to define two subtrees dn ou MAC Addresses ou MAB Segment o mycorp ou MAC Addresses objectClass top objectClass organizationalUnit dn ou MAC Groups ou MAB Segment o mycorp ou MAC Groups objectClass top objectClass organizationalUnit The LDAP subtrees are e MAC Addresses A user directory subtree that contains device records that specify MAC addresses for agentless hosts IEEE 802 1x devices that require agentless host authentication by ACS When you specify a user directory subtree during LDAP configuration in the ACS user interface you enter the name assigned to the user directory subtree in your LDAP schema in the User Directory Subtree text box e MAC Groups A group directory subtree that contains LDAP user groups of users who connect from specified MAC devices that are identified in the device records When you specify a group directory subtree during LDAP configuration in the ACS user interface you enter the name assig
133. entifies the record as a user Often user records have several values for the objectType attribute some of which are unique to the user while others are shared with other object types Choose a value that is not shared In the GroupObjectType box type the name of the attribute in the group record that contains the group name In the GroupObjectClass box type a value for the LDAP objectType attribute in the group record that identifies the record as a group In the GroupAttributeName box type the name of the attribute of the group record that contains the list of user records who are a member of that group In the Server Timeout box type the number of seconds that ACS waits for a response from an LDAP server before determining that the connection with that server has failed To enable failover of LDAP authentication attempts check the On Timeout Use Secondary check box In the Failback Retry Delay box type the number of minutes after the primary LDAP server fails to authenticate a user that ACS resumes sending authentication requests to the primary LDAP server first D Note To specify that ACS should always use the primary LDAP server first type zero 0 in the Failback Retry Delay box In the Max Admin Connection box enter the number of maximum concurrent connections with LDAP administrator account permissions For the Primary LDAP Server and Secondary LDAP Server tables amp Note If you did not check the On Tim
134. eout Use Secondary check box you do not need to complete the options in the Secondary LDAP Server table a In the Hostname box type the name or IP address of the server that is running the LDAP software If you are using DNS on your network you can type the hostname instead of the IP address Configuration Guide for Cisco Secure ACS 4 2 31a OL 14390 02 _ Chapter 3 Configuring New Features in ACS 4 2 RSA Support on the ACS SE W In the Port box type the TCP IP port number on which the LDAP server is listening The default is 389 as stated in the LDAP specification If you do not know the port number you can find this information by viewing those properties on the LDAP server If you want to use secure authentication port 636 is usually used To specify that ACS should use LDAP version 3 to communicate with your LDAP database check the LDAP Version check box If the LDAP Version check box is not checked ACS uses LDAP version 2 If you want ACS to use SSL to connect to the LDAP server check the Use secure authentication check box and complete the next three steps If you do not use SSL the username and password credentials are normally passed over the network to the LDAP directory in clear text ACS SE only If you checked the Use Secure Authentication check box perform one of the following procedures Check the Trusted Root CA check box and in the adjacent drop down list choose a Trusted Root CA
135. ere selected_drive is the currently selected drive Step3 Copy the following files to the Certs directory e server cer server certificate e server pvk server certificate private key e ca cer CA certificate Run the Windows Certificate Import Wizard to Install the Certificate ACS for Windows To run the Windows Certificate Import wizard to install the certificate on the server Step 1 Start Windows Explorer Step 2 Go to lt selected_drive gt Certs where selected_drive is the currently selected drive Step3 Double click the Certs ca cer file The Certificate dialog appears Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 a 67 Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Step 4 Step 5 Step 6 Select Install Certificate The Windows Certificate Import wizard starts To install the certificate follow the instructions that the wizard displays Accept the default options for the wizard amp Note Only perform this process once on a Windows 2000 Server Enable Security Certificates on the ACS Installation Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 To enable security certificates In the navigation bar click System Configuration The System Configuration page opens Click ACS Certificate Setup Click Install ACS Certificate The Install ACS Certificate page opens s
136. ervers but if you use PEAP you will need fewer EAP TLS is slower than PEAP due to public key infrastructure PKI processing time For a detailed formula that you can be use to calculate the number of ACS servers required in a wireless network see the white paper titled Deploying Cisco Secure ACS for Windows in an Aironet Environment available on Cisco com at http www cisco com en US products sw secursw ps2086 prod_white_papers_list html Deploying ACS Servers to Support Server Failover This section discusses deployment topologies for implementing server failover This section contains e Load Balancing and Failover page 2 13 e Database Replication Considerations page 2 13 e Database Synchronization Considerations page 2 14 Load Balancing and Failover To implement load balancing you can set up user groups and then assign groups to a specific RADIUS server usually the nearest RADIUS server Database Replication Considerations Database replication replicates selected database information such as user and group information from a primary ACS to one or more ACS backups or clients The following aspects of replication are configurable with ACS e Configuration components for replication What is replicated e Replication scheduling When replication occurs e Replication frequency How often systems are replicated e Replication partners Which systems are replicated Configuration Guide for Cisco Secure ACS 4 2
137. es Available Databases Selected Databases Windows Database Wind Generic LDAP Generic LI Populate from Global Authenticate MAC with LDAP Server Not Selected gt MAC Addresses User Group Internal ACS DB No MAC Group Mappings Add Delete Default Action If Agentless request was not assigned a user group o Default Group Submit Cancel On this page you can see the Layer 3 NAC template configuration for authentication Step3 Specify the external database that ACS uses to perform authentication 158443 a To keep the default setting ACS uses its internal database click the Internal ACS DB radio button b To specify a LDAP server click the LDAP Server radio button and then from the drop down list choose an LDAP server Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W c From the If Agentless request was not assigned a user group drop down list choose a user group to which ACS assigns a host that is not matched to a user group Sample Posture Validation Rule Figure 9 35 shows the sample posture validation policy provided with the NAC Layer 3 template Figure 9 35 Sample Posture Validation Policy for NAC Layer 3 Template Posture Validation for Sample_NAC_L3_PROFILE 2 Posture Validation Ru
138. es for Creating Reading Updating or Deleting dACLs Action Code Name Required Description 386 READ_DACL VN V1 optional Use this action code to read dACL attributes and save them in a file for later use VN contains dACL name or for all dACLs V1 lt output_file_name gt where output_file_name contains the exported dACLs definition On the ACS SE output_file_name specifies the file in the FTP server for the ACS SE If not is specified the default filename DumpDACL txt is used On ACS for Windows you can specify the absolute file path for example C temp DACL txt for ACS for Windows If you do not specify the file path and filename ACS writes the data to a file in the ACS bin directory 387 UPDATE_DACL VN V1 optional Use this action code to update dACL attributes VN lt input_file_name gt where input_file_name specifies the file that contains the definition for the dACL to be updated On the ACS SE platform input_file_name specifies the file name present in the FTP server for ACS SE You can specify the absolute file path for example C DACL dump txt for ACS for Windows V1 DACL_REPLACE or DACL_APPEND The default option is DACL_REPLACE The DACL_REPLACE option replaces the existing dACL with the new one DACL_APPEND appends the new dACL content and its definition to the existing dACL If the dACL has not been defined the new dACL is added to the existing list The dACL definition is ign
139. es the link Although this option saves time and money it does not provide the speed and reliability of a dedicated frame relay or T1 link If a reliable authentication service is critical to business functionality such as a WLAN of retail outlets with cash registers that are linked by a WLAN the loss of WAN connection to a remote ACS could be catastrophic The same issue can be applied to an external database that ACS uses You should deploy the database close enough to ACS to ensure reliable and timely access Using a local ACS with a remote database can result in the same problems as using a remote ACS Another possible problem in this scenario is that a user may experience timeout problems The AAA client would be able to contact ACS but ACS would wait for a reply that might be delayed or never arrive from the external user database If the ACS were remote the AAA client would time out and try an alternate method to authenticate the user but in the latter case it is likely the end user client would time out first I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter2 Deploy the Access Control Servers W Additional Topics Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 CHAPTER Configuring New Features in ACS 4 2 This chapter describes how to configure several new features provided with ACS 4 2 For information on new features that accompany both ACS for Windows and the ACS SE see e
140. exists user group fo a E 4 MAC address MAC address Agentless host NAD Service type 10 ACS 158372 Using Audit Servers and GAME Group Feedback You can configure ACS to use audit servers An audit server is a device that checks the information that the NAD provides against a list of predetermined device types The audit server can categorize an end device and provide additional information to ACS ACS can then make a group assignment decision based on the categorization of the device For example if the device is a printer ACS can assign the device to a user group that includes printers In a Cisco Network Admission Control NAC environment ACS supports audit server authentication by enabling Generic Authorization Message Exchange GAME group feedback Configuration Guide for Cisco Secure ACS 4 2 E OL 14390 02 _ Chapter 6 Agentless Host Support Configuration Scenario Summary of Configuration Steps W GAME group feedback provides an added security check for MAC address authentication by checking the device type categorization that ACS determines by associating a MAC address with a user group against information stored in a database on an audit server To use the GAME group feedback feature you must add a NAC attribute value pair to the ACS RADIUS dictionary before configuring a posture validation policy that uses GAME group feedback You then configure a posture validation policy in a NAP that req
141. figure Downloadable IP ACLs 9 21 Adding an ACL 9 22 Adding an ACE 9 23 Saving the dACL 9 25 Configure Radius Authorization Components 9 25 Step 6 Configure an External Posture Validation Audit Server 9 31 Add the Posture Attribute to the ACS Dictionary 9 31 Configure the External Posture Validation Audit Server 9 32 Step 7 Configure Posture Validation for NAC 9 35 Configure Internal Posture Validation Policies 9 35 Configure External Posture Validation Policies 9 38 Configure an External Posture Validation Audit Server 9 40 Add the Posture Attribute to the ACS Dictionary 9 40 Configure the External Posture Validation Audit Server 9 41 Authorization Policy and NAC Audit 9 43 Step 8 Set Up Templates to Create NAPs 9 44 Sample NAC Profile Templates 9 44 Sample NAC Layer 3 Profile Template 9 44 Profile Setup 9 45 Protocols Policy for the NAC Layer 3 Template 9 47 Authentication Policy 9 48 Sample Posture Validation Rule 9 49 Sample NAC Layer 2 Template 9 49 Profile Setup 9 50 Protocols Settings 9 53 Authentication Policy 9 54 Sample Posture Validation Rule 9 55 Sample NAC Layer 2 802 1x Template 9 55 Contents W Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 govi E Contents Profile Setup 9 56 Protocols Policy 9 58 Authorization Policy 9 59 Sample Posture Validation Rule 9 60 Sample Wireless NAC L2 802 1x Template 9 60 Profile Setup 9 61 Protocols Policy 9 63 Authorization Policy 9 64 Sample Posture Validation R
142. for Cisco Secure ACS 4 2 gg Preface HI Notices Original SSLeay License Copyright 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are adhered to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in t
143. from the accountActions CSV file and updates the ACS internal database as the action codes in the file specify In a distributed environment a single ACS known as the senior synchronization partner accesses the accountActions table and sends synchronization commands to its synchronization partners Step 1 Open a command prompt window Step2 Enter the following commands a To stop the CSDBSync service enter net stop csdbsync b Enter net start csdbsync c Enter one of the following commands csdbsync run csdbsync syncnow Configuration Guide for Cisco Secure ACS 4 2 mae E OL 14390 02 _ Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Step 1 Step 2 Step 3 Using RDBMS Synchronization to Configure dACLs W ACS fetches the CSV file from the database reads the action codes in the file and performs the RDBMS Synchronization operations that the file specifies ACS SE On the ACS SE you can run the csdbsync syncnow command to invoke RDBMS Synchronization To run CSDBSync manually on the ACS SE Check connectivity between the ACS SE and the FTP server and be certain that you have write permissions to the FTP server directory Start a SSH command shell Enter the following commands a To stop the CSDBSync service enter net stop csdbsync b Enter net start csdbsync c Enter one of the following commands csdbsync run csdbsync syncnow ACS SE fetches th
144. gure The configuration page for the selected report opens To add a field to the report click the field name in the Attributes column and then click the right arrow button to move it to the Logged Attributes column Click Submit to save the report configuration I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter3 Configuring New Features in ACS 4 2 WE Configuring Group Filtering at the NAP Level Configuring Group Filtering at the NAP Level You can use ACS 4 2 to grant and deny access to users who are authenticated through a LDAP database based on the LDAP group to which the users belong This feature is called group filtering at the NAP level To configure group filtering at the NAP level Step 1 Configure LDAP on the ACS server Step2 Set up a Network Access Profile a In the navigation bar click Network Access Profiles The Network Access Profile page opens b Click the Authentication link for the profile The Authentication page for the selected profile appears The top of the Authentication page contains the Group Filtering for LDAP database section as shown in Figure 3 3 Figure 3 3 Group Filtering for LDAP Database Configuration Group Filtering For LDAP Database Available Groups Selected Groups SivaSakthi James Accounting Managers HR Managers PO Managers QA Managers gt Generic LDAP Generic LDAP T Ve oon 270293 c From the drop down list for LDAP
145. he X 500 standard but is significantly simpler MAB MAC authentication bypass An authentication method that uses the MAC address of a device to authenticate the device instead of using an IP address Configuration Guide for Cisco Secure ACS 4 2 ca OL 14390 02 NAC NAC NAP NAC compliant applications Glossary W Network Admission Control NAC is a Cisco sponsored industry initiative that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources thereby limiting damage from viruses and worms NAC is part of the Cisco Self Defending Network an initiative to increase network intelligence in order to enable the network to automatically identify prevent and adapt to security threats Cisco Network Access Control Microsoft Network Access Protection Applications that integrate with the NAC client Examples of such applications are Cisco Security Agent and antivirus programs that provide the NAC client with attributes about themselves such as the version number of a virus definition file NAD Network Access Device A network access device acts as a policy enforcement point for the authorized network access privileges that are granted to a host NAF Network Access Filter A NAF is a named group of any combination of one or more of the following network elements IP addresses AAA clients network devices and network device groups NDGs Using a
146. he content follows Use the following message length restrictions e For sending messages to a standard syslog server the maximum message length should be 1024 bytes e For sending messages to Cisco Security Monitoring Analysis and Response System MARS the maximum message length should be 500 bytes e Message segmentation should be used when the original message including header and data exceeds length limitations I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter8 Syslog Logging Configuration Scenario HZ Format of Syslog Messages in ACS Reports Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 CHAPTER NAC Configuration Scenario This chapter describes how to set up Cisco Secure Access Control Server 4 2 hereafter referred to as ACS to work in a Cisco Network Admission Control environment This chapter contains the following sections e Step 1 Install ACS page 9 1 e Step 2 Perform Network Configuration Tasks page 9 2 e Step 3 Set Up System Configuration page 9 5 e Step 4 Set Up Administration Control page 9 17 e Step 5 Set Up Shared Profile Components page 9 20 e Step 6 Configure an External Posture Validation Audit Server page 9 31 e Step 7 Configure Posture Validation for NAC page 9 35 e Step 8 Set Up Templates to Create NAPs page 9 44 e Step 9 Map Posture Validation Components to Profiles page 9 69 e Step 10 Map an Audit Server to a Profile p
147. he documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes cryptographic software written by Eric Young eay cryptsoft com The word cryptographic can be left out if the routines from the library being used are not cryptography related 4 If you include any Windows specific code or a derivative thereof from the apps directory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The license and distribution terms for any publicly available version or derivative of this code cannot be change
148. he name of the ACS installation directory and file_name is the name of the text file that contains vendor attributes Restart the CSAdmin CSLog and CSAuth services I oL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter 9 NAC Configuration Scenario HI Step 11 Optional Configure GAME Group Feedback Configure the External Posture Validation Audit Server You can configure an audit server once and then use it for other profiles To configure an audit server 158424 Step1 In the Posture Validation Components Setup page click External Posture Validation Audit Setup Step2 Click Add Server The External Posture Validation Audit Server Setup page appears as shown in Figure 9 56 Figure 9 56 External Posture Validation Audit Server Setup Page External Posture Yalidation Audit Server Setup 2 Name Description Which Hosts Are Audited Audit all user groups Available Groups Selected Groups 1 Group 1 2 Group 2 3 Group 3 4 Group 4 gt 5 Group 5 E E 6 Group 6 g lt lt 7 Group 7 8 Group 8 9 Group 9 10 Group 10 11 Group 11 Hi adina El Audit all hosts gt Host IP Addresses and Ranges IP MASK comma separated values f Host MAC Addresses comma separated values E Select a Posture Token for the Healthy E hosts that will not be audited ov Step3 To configure the audit server a Enter a Name and Description optional
149. hentication policy e A sample posture validation rule The name of this policy is NAC EXAMPLE POSTURE EXAMPLE Step7 To select a configuration option click the option name Profile Setup To enable the profile setup Step1 Go to Network Access Profiles Step2 Choose the Profile that you created The Profile Setup page appears as shown in Figure 9 36 Configuration Guide for Cisco Secure ACS 4 2 Po50 i OL 14390 02 Chapter 9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W Figure 9 36 Profile Setup Page for NAC Layer 2 Template Profile Setup 2 Name Test_NAC_L2_ service Description Active O Network Access Filter Any Ne Protocol types Allow any Protocol type allow Selected Protocol types Protocol type Selected RADIUS Nortel RADIUS Juniper RADIUS Ascend RADIUS IETF gt RADIUS Cisco VPN 500 RADIUS Cisco VPN 3001 lt RADIUS Cisco IOS PIX RADIUS Cisco BBSM RADIUS Cisco Aironet RADIUS Cisco Airespace 2l Advanced Filtering Rule Elements Table 026 009 00l1 cisco av pair aaa service ip_admission 006 Service Type 10 158441 The default settings for the profile are Any appears in the Network Access Filter field which means that this profile has no IP filter You can choose NAFs from the drop down list so that only specific host IPs match this profile Allow any
150. hich means that this profile allows EAP FAST authentication I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter 9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Authentication Policy To set the authentication policy Step1 In the navigation bar click Network Access Profiles Step2 Choose the Authentication link from the Policies column The Authentication Settings page for the NAC Layer 2 template opens as shown in Figure 9 38 Figure 9 38 Authentication Settings for NAC Layer 2 Template Authentication for L2_NAC 2 Credential Validation Databases Available Databases Selected Databases Windows Database Winde Generic LDAP Generic LI E E gt Up Down Populate from Global Authenticate MAC with LDAP Server Not Selected gt MAG Addresses User Group Internal ACS DB No MAC Group Mappings Add Delete Default Action If Agentless request was not assigned a user group o Default Group gt 3 bn Submit Cancel Step3 Specify the external database that ACS uses to perform authentication a To keep the default setting ACS uses its internal database click the Internal ACS DB radio button b To specify a LDAP server click the LDAP Server radio button and then from the drop down list choose an LDAP server wi Configuration Guide for Cisco Secure
151. hich you supply values and new or important italic font terminology Displayed session and system information paths and file names screen font Information you enter boldface screen font Variables you enter italic screen font Menu items and button names boldface font Indicates menu items to select in the order you select them Option gt Network Preferences je Tip Identifies information to help you get the most benefit from your product Note Means reader take note Notes identify important information that you should reflect upon before continuing contain helpful suggestions or provide references to materials not contained in the document A Caution Means reader be careful In this situation you might do something that could result in equipment damage loss of data or a potential breach in your network security A Warning Identifies information that you must heed to prevent damaging yourself the state of software or equipment Warnings identify definite security breaches that will result if the information presented is not followed carefully Product Documentation Note We sometimes update the printed and electronic documentation after original publication Therefore you should also review the documentation on Cisco com for any updates Table 1 describes the product documentation that is available Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Preface Table 1 Docu
152. host support you must configure a RADIUS AAA client To configure a RADIUS AAA client Step1 In the navigation bar click Network Configuration The Network Configuration page opens Step2 Do one of the following e If you are using Network Device Groups NDGs click the name of the NDG to which you want to assign the AAA client Then click Add Entry below the AAA Clients table e To add AAA clients when you have not enabled NDGs click Add Entry below the AAA Clients table The Add AAA Client page opens shown in Figure 6 2 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 a es Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Figure 6 2 Add AAA Client Page Add AAA Client AAA Client Hostname AAA Client IP Address Shared Secret Network Device Group Not Assigned gt RADIUS Key Wrap Key Encryption Key Message Authenticator Code Key Key Input Format ASCII Hexadecimal Authenticate Using RADIUS IETF x I Single Connect TACACS AAA Client Record stop in accounting on failure Log Update Watchdog Packets from this A amp A Client M Log RADIUS Tunneling Packets from this AAA Client I Replace RADIUS Port info with Username from this AAA Client Submit Apply Cancel 2 Back to Help In the AAA Client Hostname box type the name assigned to this AAA client
153. hough the actual ACE that is downloaded is different Click Submit The new ACL appears on the list of downloadable ACLs When you finish adding ACEs to the dACL click Submit to save the dACL and submit it Configure Radius Authorization Components Shared RADIUS Authorization Components RACs are sets of RADIUS attributes that ACS applies to Network Access Devices NADs during network authorization Each RAC can contain one or more vendor RADIUS attributes including Cisco IOS PIX 6 0 IETF and Ascend attributes By setting up RACs you can dynamically assign RADIUS attributes to user sessions based on a policy For example you can create a RAC that gathers RADIUS attributes to define a VLAN Users who access the network through a switch for example are then given access to specified VLANs based on how they are authorized and authenticated The sample RACs in this section provide RADIUS configurations to handle the most important services in the NAC environment EoU NAC L2 IP e NAC L2 802 1x I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario Hi Step 5 Set Up Shared Profile Components The sample RACs are e Cisco_FullAccess Provides full access to the Cisco network You use this RAC to grant access to clients that qualify as healthy e Cisco_Restricted Provides restricted access to the Cisco network You uses this RAC to grant partial quarantined access
154. hown in Figure 6 3 Figure 6 3 Install ACS Certificate Page Install ACS Certificate Install new certificate 2 Read certificate from file Certificate file c Certs server cer C Use certificate from storage Certificate CN Private key file Ic Certs server pvk Private key password E 2 Back to Help Ensure that you click the Read certificate from file radio button 158380 In the Certificate file text box enter the server certificate location path and name for example c Certs server cer In the Private Key File text box type the server certificate private key location path and name for example c Certs server pvk In the Private Key password text box type 1111 Click Submit ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services Configuration Guide for Cisco Secure ACS 4 2 lt OL 14390 02 Chapter6 Agentless Host Support Configuration Scenario Step 11 Basic Configuration Steps for Agentless Host Support W Do not restart the services at this time Restart the services later after you have completed the steps for adding a trusted certificate See Add a Trusted Certificate page 6 9 Install the CA Certificate Step 1 Step 2 Step 3 Step 4 To install the CA Certificate Choose System Configuration gt ACS Certificate Setup gt ACS Certification Authority Setup The ACS Certification Au
155. icate and authorize each RADIUS request that matches the attribute s rules You can change the advanced filter and add remove or edit any RADIUS attribute that the RADIUS client sends I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 g Chapter 9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Protocols Policy Figure 9 42 shows the Protocols settings for the NAC Layer 2 802 1x template Figure 9 42 Network Access Profiles Protocols Setting for NAC Layer 802 1x Template fnooadq Authentication Protocols Allow PAP Allow CHAP Allow MS CHAPv1 Allow MS CHAPv2 Allow Agentless Request Processing EAP Configuration r e z PEAP Allow EAP MSCHAPv2 Allow EAP GTC Allow Posture Validation Allow EAP TLS Vv o Vv A Submit Cancel In the EAP Configuration section Posture Validation is enabled EAP FAST Allow E amp P FAST Allow anonymous in band PAC provisioning Allow authenticated in band PAC provisioning M Accept client on authenticated provisioning I Require client certificate for provisioning Allow Stateless session resume Authorization PAC TTL 1 hours Allowed inner methods M EAP GTC M EAP MSCHAPV2 I EAP TLS Posture Validation None Required 158439 wi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 8 Set Up Templ
156. iguration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Step 5 Set Up Shared Profile Components W Figure 9 19 Attribute Selection for the Cisco_Restricted RAC Name Cisco_Restricted Description RADIUS Authorization Components Provides restricted access to the Cisco network Add New Attribute 2 Cisco IOS PIX cisco av pair 1 x 6 0 i IETF Service Type 6 x Ascend Ascend Remote Addr 154 Assigned Attributes endor Attribute alue IETF Session Timeout 27 3600 7 i RADIUS Request IETF Termination Action 29 1 IETF Tunnel Type 64 T1 VLAN 13 Tunnel Medium Type T1 802 6 IETF 65 Ti 802 6 t Tunnel Private Group ID w T1 Quarantine IETF 81 a uarantine g N To enable VLAN assignment the sample RACs include the following RADIUS attributes Session Timeout attribute 27 Enables a session timeout In the sample RACs the timeout value is set to 3600 seconds six hours Because session timeouts and revalidations use considerable network resources you might want to set the timeout value to allow a longer timeout period for example 8 to 24 hours Termination Action attribute 29 Determines how the switch port responds to a session timeout This attribute is only used in Access Accept packets When a session timeout occurs the port drops all traffic on the switch until reauthentication is complete In the sample RACs
157. igure an External Posture Validation Audit Server External Posture Validation Audit Server Setup Page External Posture Yalidation Audit Server Setup Name Description Which Hosts Are Audited Audit all user groups gt Available Groups Group 1 13 2 Group 2 3 Group 3 4 Group 4 5 Group 5 6 Group 6 7 Group 7 8 Group 8 9 Group 9 10 Group 10 11 Group 11 142 Graun 1 hd Selected Groups Audit all hosts gt Host IP Addresses and Ranges IP MASK comma separated values Host MAC Addresses comma separated values a EI a H Select a Posture Token for the hosts that will not be audited Healthy z 158424 To configure the audit server a Enter a Name and Description optional b Inthe Which Hosts Are Audited section choose what hosts you want to audit You can enter the host IP or MAC addresses for the hosts that you want to audit or for a host that you do not want to audit c For the hosts that will not be audited choose a posture token from the drop down list d Scroll down to the Use These Audit Servers section Figure 9 21 shows the Use These Audit Servers section of the External Posture Validation Server Setup page OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario HH Step 6 Configure an External Posture Validation Audit Server Figure 9
158. ing Administrator Entitlement Reports 5 12 View Privilege Reports 5 13 CHAPTER 6 Agentless Host Support Configuration Scenario 6 1 Overview of Agentless Host Support 6 1 Using Audit Servers and GAME Group Feedback 6 2 Summary of Configuration Steps 6 3 Basic Configuration Steps for Agentless Host Support 6 4 Step 1 Install ACS 6 4 Step 2 Configure a RADIUS AAA Client 6 5 Step 3 Install and Set Up an ACS Security Certificate 6 6 Obtain Certificates and Copy Them to the ACS Host 6 7 Run the Windows Certificate Import Wizard to Install the Certificate ACS for Windows 6 7 Enable Security Certificates on the ACS Installation 6 8 Install the CA Certificate 6 9 Add a Trusted Certificate 6 9 Step 4 Configure LDAP Support for MAB 6 10 Configure an External LDAP Database for MAB Support 6 10 Create One or More LDAP Database Configurations in ACS 6 13 Step 5 Configure User Groups for MAB Segments 6 17 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 E E Contents Step 6 Enable Agentless Request Processing 6 18 Create a New NAP 6 18 Enable Agentless Request Processing for a NAP 6 20 Configure MAB 6 21 Step 7 Configure Logging and Reports 6 23 Configuring Reports for MAB Processing 6 23 Configuration Steps for Audit Server Support 6 24 Configure GAME Group Feedback 6 24 CHAPTER 7 PEAP EAP TLS Configuration Scenario 7 1 Summary of Configuration Steps 7 1 Step 1 Configure Security Certificates 7 1 Obtain Certific
159. inition Definition Definition Definition Definition Definition Definition Definition Definition Definition PRPPPPRPRPRPRPERP HEB EB I Definition 1 permit ip any host 192 168 1 152 permit ip any host 192 168 5 152 3 permit ip any host 192 168 29 33 4 permit ip any host 192 168 29 34 5 permit ip any host 192 168 9 50 6 permit ip any host 192 168 9 20 7 permit ip any host 192 168 7 20 permit ip any host 192 168 128 1 9 permit ip any 192 168 24 0 0 0 0 255 10 permit ip any 192 168 0 0 0 0 255 11 permit ip any 192 0 0 0 0 255 255 255 12 deny ip any 192 168 0 0 0 3 255 255 13 deny ip any 192 168 0 0 0 1 255 255 14 permit ip any any Step2 Code the information in the file as described in Table 4 1 Table 4 1 Keywords for Creating a dACL By Coding a Text File Value Keyword dACL number The first line of the text file must specify the dACL number enclosed in square brackets for example DACL n where n is the number of the dACL In Example 4 1 the first line specifies pacL 1 because the file specifies only one dACL Name Specifies the name of the dACL that is created when you run CSDBSync Description Specifies a short description of the dACL Content Specifies the number of a content block that consists of definitions for access privileges associated with the dACL This keyword has the format content n where n specifies the number of the c
160. ional policies click Add To delete a policy highlight the policy and click Delete To move the policies up and down in the group assignment table click the Up and Down buttons When you finish setting up policies for group assignment click Submit Click Apply and Restart Configuration Guide for Cisco Secure ACS 4 2 NET aT AAA Access Accept Access Challenge Access Request Accounting Agentless host processing ACL ACE APT Audit server Authentication AV pair Cc Cisco Trust Agent GLOSSARY Authentication Authorization and Accounting server Authentication authorization and accounting is pronounced triple A An AAA server is the central server that aggregates one or more authentication authorization or both decisions into a single system authorization decision and maps this decision to a network access profile for enforcement on the NAD Response packet from the RADIUS server notifying the access server that the user is authenticated This packet contains the user profile which defines the specific AAA functions assigned to the user Response packet from the RADIUS server requesting that the user supply additional information before being authenticated Request packet that the access server sends to the RADIUS server requesting authentication of the user Accounting in network management subsystems is responsible for collecting network data relating to resource usage A
161. isco Secure ACS 4 2 OL 14390 02 E Na W index separation from general users 2 18 Agentless Host for L2 802 1x fallback template 9 65 agentless host for L2 802 1x fallback template 9 65 agentless host support overview 6 1 summary of configuration steps 6 3 agentless request processing enabling 6 18 enabling fora NAP _ 6 20 AP See wireless access point architecture campus LAN 2 3 for ACS deployment 2 1 small LAN environment 2 3 wired LAN geographically dispersed 2 4 audit flow settings configuring for an audit server 9 35 9 43 9 78 audit servers 6 2 configuring 9 32 9 41 9 76 configuring audit flow settings for 9 35 9 43 9 78 configuring for MAB support 6 24 external posture validation audit servers 9 31 9 40 9 74 in NAC networks 6 2 mapping toa profile 9 71 audit vendor file importing 9 73 AV pairs 9 52 Bypass info attribute in Passed Authentications and Failed Attempts reports 6 23 Cc CA certificate installing 6 9 7 4 9 7 campus LAN 2 3 campus WLAN 2 6 cautions significance of x Certificate Binary Comparison specifying for EAP TLS 7 6 Certificate CN Comparison specifying for EAP TLS 7 6 certificate database for LDAP servers trusted root CA 6 16 Certificate SAN Comparison specifying for EAP TLS 7 6 Cisco Network Admission Control See NAC Common LDAP Configuration 6 14 configuration flowchart 1 5 configuration steps for password policy configuration 5 2 configuring A
162. its per box The range is always inclusive that is the range includes the start and end port numbers The size of the specified range determines the maximum number of concurrent administrative sessions ACS uses port 2002 to start all administrative sessions Port 2002 does not need to be in the port range Also ACS does not allow definition of an HTTP port range that consists only of port 2002 The port range must consist of at least one port other than port 2002 A firewall configured to permit HTTP traffic over the ACS administrative port range must also permit HTTP traffic through port 2002 because this is the port that a web browser must address to initiate an administrative session We do not recommend allowing administration of ACS from outside a firewall If access to the web interface from outside a firewall is necessary keep the HTTP port range as narrow as possible A narrow range can help to prevent accidental discovery of an active administrative port by unauthorized users An unauthorized user would have to impersonate or spoof the IP address of a legitimate host to make use of the active administrative session HTTP port I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter5 Password Policy Configuration Scenario W Viewing Administrator Entitlement Reports Table 5 1 Access Policy Options continued Option Description Secure Socket Layer Setup Use HTTPS Transport for En
163. ity limits e Improved password constraints To enable password configuration that includes these new features ACS provides a new password policy page All administrator logins are subject to the policy that you configure for passwords and accounts unless you check the Account Never Expires check box For example ACS provides configurable limits on password lifetime and activity and incorrect password attempts These options can force password change and can result in automatic account lockout Privileged administrators can also lock out an account In addition you can monitor the last password change and last account activity for each administrator Limitation on Ability of the Administrator to Change Passwords If an administrator is not granted full administrative access the only action the administrator can take is to change his or her own password I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 jg Chapter5 Password Policy Configuration Scenario W Summary of Configuration Steps Summary of Configuration Steps Step 1 Step 2 Step 3 Step 4 To configure password policy in ACS Add a new administrator account Add a new administrator account specify the administrator name and password and grant access privileges See Step 1 Add and Edit a New Administrator Account page 5 2 for details Configure password policy Configure restrictions on the admin user password See Step 2 Configure Passwo
164. lege The privileges granted to a selected administrator e Combined Privilege The privileges granted to all administrators e Users to Groups Mapping The group membership of every user Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter5 Password Policy Configuration Scenario Viewing Administrator Entitlement Reports W View Privilege Reports To view privilege reports Step1 In the navigation bar click Reports and Activity The Reports page opens Step2 Click Entitlement Reports A list of the available entitlement reports appears Figure 5 5 shows an example list Figure 5 5 List of Entitlement Reports User Entitlement Reports Download Report for mapping of Users to Groups Administrator Entitlement Reports Download Privilege Report for All Administrators Privilege Report for admin 77 Privilege Report for test one 158379 Step3 To view a report click the report name Each report is downloaded to the local computer in the form of an Excel spreadsheet Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 SEE Chapter5 Password Policy Configuration Scenario W Viewing Administrator Entitlement Reports Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 CHAPTER Agentless Host Support Configuration Scenario This chapter describes how to configure the agentless host feature in Cisco Secure Access Control Server hereafter refer
165. les Condition Action Rule Name i ial Required Credential Associate With Types NAC EXAMPLE POSTURE Cisco PA NAC SAMPLE CTA POLICY EXAMPLE Internal Add Rule up Down The Up Down buttons submit and save the sort order to the database Determine Posture Validation for NAH No Audit Server was selected Select Audit Done 158435 Sample NAC Layer 2 Template This template creates a profile for Layer 2 NAC requests Before you use the Layer 2 NAC profile template 1 Select EAP FAST Configuration in Global Authentication Settings 2 Check enable the Allow authenticated in band PAC provisioning 3 Check enable EAP GTC and EAP MSCHAPv2 To create a Layer 2 NAC profile template Step1 In the navigation bar click Network Access Profiles The Network Access Profiles page opens Step2 Click Add Template Profile Step3 Enter a Name and Description optional Step4 From the Template drop down list choose NAC L2 IP Step5 Check the Active check box Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 g oao Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Step6 Click Submit If no error appears then you have created a Profile that can authenticate Layer 2 NAC hosts and the Profile Setup page for the NAC Layer 2 template appears The predefined values for the Layer 2 NAC template include e Profile Setup e Protocols settings e Aut
166. list Only one domain name is supported per LDAP configuration You can type up to 512 characters d If you want ACS to remove the domain qualifier before submitting it to the LDAP database check the Strip domain before submitting username to LDAP server check box e Ifyou want ACS to pass the username to the LDAP database without removing the domain qualifier uncheck the Strip domain before submitting username to LDAP server check box If you want to enable ACS to strip domain qualifiers from usernames before submitting them to an LDAP server amp Note For information about domain filtering see Domain Filtering in chapter 12 of the User Guide for Cisco Secure ACS 4 2 a Under Domain Filtering click the Process all usernames after stripping domain name and delimiter radio button b Ifyou want ACS to strip prefixed domain qualifiers check the Strip starting characters through the last X character check box and then type the domain qualifier delimiting character in the X box amp Note The X box cannot contain the following special characters the pound sign the question mark the quote the asterisk the right angle bracket gt and the left angle bracket lt ACS does not allow these characters in usernames If the X box contains any of these characters stripping fails c If you want ACS to strip suffixed domain qualifiers check the Strip ending characters from the first X
167. llation Guide for Cisco Secure ACS Solution Engine 4 2 Installing and Configuring Cisco Secure ACS Solution Engine 4 2 Configuration Guide for Cisco Secure ACS 4 2 P36 OL 14390 02 CHAPTER i Using RDBMS Synchronization to Create dACLs and Specify Network Configuration This chapter describes how to configure ACS 4 2 to enable new RDBMS Synchronization features introduced with ACS 4 2 For detailed information on RDBMS Synchronization see RDBMS Synchronization in Chapter 8 of the User Guide for Cisco Secure ACS 4 2 System Configuration Advanced For detailed information on the accountActions codes to use with RDBMS Synchronization see Appendix E of the User Guide for Cisco Secure ACS 4 2 RDBMS Synchronization Import Definitions This chapter contains New RDBMS Synchronization Features in ACS Release 4 2 page 4 1 Using RDBMS Synchronization to Configure dACLs page 4 2 Reading Updating and Deleting dACLs page 4 12 Updating or Deleting dACL Associations with Users or Groups page 4 14 Using RDBMS Synchronization to Specify Network Configuration page 4 14 New RDBMS Synchronization Features in ACS Release 4 2 ACS 4 2 provides enhanced support for RDBMS Synchronization Configuration of Downloadable ACLs dACLs for Specified Users and Groups You can specify dACLs by entering permit ip and deny ip commands in a comma separated value CSV accountActions file By using new account actio
168. lt value is unchecked disabled Account Locked If you want to lock out an administrator who is denied access due to the account policy options specified on the Password Policy page check the Account Locked check box When unchecked disabled this option unlocks an administrator who was locked out Administrators who have the Administration Control privilege can use this option to manually lock out an account or reset locked accounts The system displays a message that explains the reason for a lockout When an administrator unlocks an account ACS resets the Last Password Change and the Last Activity fields to the day on which the administrator unlocks the account The reset of a locked account does not affect the configuration of the lockout and unlock mechanisms for failed attempts Click Grant All This grants all privileges to the new administrator or specifies to which groups or actions this administrator is granted access amp Note For more information on administrative privileges see the Add Administrator and Edit Administrator Pages section in Chapter 11 of the User Guide for Cisco Secure Access Control Server 4 2 Administrators and Administrative Policy I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario Hi Step 5 Set Up Shared Profile Components Step 5 Click Submit After performing these steps from a remote host yo
169. lth certificate rather than a list of SoHs then ACS validates the certificate as the EAP FAST session is established to determine the overall health of the client The ACS then sends the appropriate NAP to the network to grant the authorized level of access to the client I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter2 Deploy the Access Control Servers W Additional Topics Figure 2 11 illustrates the architecture of a NAC NAP network Figure 2 11 NAP client System Health Agents NAP agent EAP Host EAP Host NAP Enforcement Other Client EAP types EAP over 802 1X UDP Supplicant Supplicant lt tc amy lt EAP FAST over Gap RADIUS Additional Topics NAC NAP Deployment Architecture Cisco ACS Cisco switches and routers Network Access 802 1X or UDP carrying the list of SoHs ora health certificate Microsoft NPS System Health Health Registration Authority HRA HCAP RADIUS Policy Servers 270297 This section describes additional topics to consider when deploying ACS This section contains e Remote Access Policy page 2 16 e Security Policy page 2 17 e Administrative Access Policy page 2 17 e Database Considerations page 2 19 e Network Latency and Reliability page 2 19 Remote Access Policy Remote access is a broad concept In general it defines ho
170. ment Title ACS 4 2 Documentation Available Formats Documentation Guide for Cisco Secure ACS Release 4 2 Shipped with product PDF on the product CD ROM On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 roadmap DGuide42 html Release Notes for Cisco Secure ACS Release 4 2 On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 release notes ACS42_RN html Configuration Guide for Cisco Secure ACS Release 4 2 On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 configuration guide acs42_config_guide html Installation Guide for Cisco Secure ACS for Windows Release 4 2 On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 installation guide windows IGwn42 html Installation Guide for Cisco Secure ACS Solution Engine Release 4 2 On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_solution_engine 4 2 installation guide solution_engine SE42 html Configuration Guide for Cisco Secure ACS 4 2 On Cisco com http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 user guide ACS4_2UG html Regulatory Compliance and Safety Information for the Cisco Secure ACS Solution Engine R
171. n For information on configuring GAME Group Feedback settings see Enable GAME Group Feedback page 9 79 h Click Submit Authorization Policy and NAC Audit Audit servers define two types of posture assessments tokens A e Temporary posture assessment is used as the in progress assessment ACS grants the in progress posture assessment to the agentless host while the audit server is processing the auditing on the host and does not have a final result e Final posture assessment is the posture assessment that the audit server returns after it completes the auditing process To configure the authorization policy to work with the audit server at least two RACs or downloadable ACLs are required one for the in progress posture assessment and one for the final posture assessment You should use a separate RAC or downloadable ACL for each token Configuration Guide for Cisco Secure ACS 4 2 I OL 14390 02 g oa Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Step 8 Set Up Templates to Create NAPs ACS 4 1 provides several profile templates that you can use to configure common usable profiles In NAC enabled networks you can use these predefined profile templates to configure commonly used profiles This section describes the templates provided in ACS 4 1 Sample NAC Profile Templates ACS 4 1 provides the following sample profile templates for NAC A e NAC Layer 3 profile template NA
172. n Figure 9 13 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario Hi Step 5 Set Up Shared Profile Components Step 3 Adding an ACE Step 1 Figure 9 13 Downloadable IP ACLs Page Shared Profile Components Edit Downloadable IP ACLs Name Healthy SS Sg ACL to permit all traffic because Description token is Healthy zi ACL Contents Network Access Filtering No ACLs ada Up Down 2 Back to Help On the Downloadable IP ACLs page enter a Name and optional Description for the ACL as shown in Figure 9 13 D Note Do not use spaces in the name of the ACL IOS does not accept ACL names that include spaces 158415 To add an ACE On the Downloadable IP ACLs page Click Add below the ACL table of contents to add a new ACE to the ACL and assign it to a NAF The Downloadable IP ACL Content page opens as shown in Figure 9 14 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter9 NAC Configuration Scenario W Step 5 Set Up Shared Profile Components Figure 9 14 Downloadable IP ACL Content Page Edit Downloadable IP ACL Content nanai eme ACL Definitions permit ip any any B 158416 Step2 In the Name text box type the ACL name Step3 In the ACL Definitions input box type definitions for the ACL ACL definitions consist of a series of permit and deny statements that permit or deny acces
173. n codes that you include in the accountActions file you can create a dACL that contains the commands that the text file specifies On ACS for Windows you can perform dACL configuration from the RDBMS Synchronization page in the ACS GUI or by running the CSDBSynec command On the ACS SE you can perform dACL configuration from the RDBMS Synchronization page in the ACS SE GUI or connect to the ACS SE by using an SSH client and then running the esdbsyne syncnow command from the SSH shell Support for Creation Reading Updating and Deleting of Single or Multiple AAA Clients Through RDBMS Synchronization With the capability to read AAA client data you can export the AAA client list for a particular NDG an AAA client list with a specified IP range or the list of all AAA clients I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gy Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration HZ Using RDBMS Synchronization to Configure dACLs e Remote Invocation of the CSDBSync Service on the ACS Solution Engine With ACS 4 2 you can run the CSDBSync service on a remote ACS SE over an SSH connection Using RDBMS Synchronization to Configure dACLs Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 With ACS 4 2 you can use RDBMS Synchronization to set up downloadable dACLs and associate dACLs with specified Users or Groups To configure dACLs by using RDBMS Synchronization Enable RD
174. n the ACS HTML interface online help appears in the right hand frame when you are configuring a feature Related Documentation Note We sometimes update the printed and electronic documentation after original publication Therefore you should also review the documentation on Cisco com for any updates A set of white papers about ACS are available on Cisco com at http www cisco com warp public cc pd sqsw sq tech index shtml For information on Network Admission Control various NAC components and ACS see http www cisco com go NAC Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free service and Cisco currently supports RSS version 2 0 Notices The following notices pertain to this software license Configuration Guide for Cisco Secure ACS 4 2 Px OL 14390 02 Preface Notices W OpenSSL Open SSL Project License Issues This product includes software developed by the OpenSSL Projec
175. nal Step 5 Enter the server details URL User Password Timeout and certificate if required by the antivirus server Step6 Click Submit Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 EN Chapter9 NAC Configuration Scenario HI Step 7 Configure Posture Validation for NAC Configure an External Posture Validation Audit Server A NAC enabled network might include agentless hosts that do not have the NAC client software ACS can defer the posture validation of the agentless hosts to an audit server The audit server determines the posture credentials of a host without relying on the presence of a PA Configuring an external audit server involves two stages e Adding the posture attribute to the ACS internal dictionary e Configuring an external posture validation server audit server Add the Posture Attribute to the ACS Dictionary Step 1 Step 2 Step 3 Before you can create an external posture validation server you must add one or more vendor attributes to the ACS internal data dictionary To do this you use the bin CSUtil tool which is located in the ACS installation directory To add the posture attributes Create a text file in the Utils directory with the following format attr 0 vendor id your vendor id vendor name The name of you company application id 6 application name Audit attribute id 00003 attribute name Dummy attr attribute profile out attribute type unsigned in
176. nal Configure GAME Group Feedback Figure 9 58 Audit Flow Settings and GAME Group Feedback Sections Audit Flow Settings Use this Posture Token while Audit Server does not Quarantine gt yet have a posture validation result Polling Intervals Use timeouts sent by Audit Server for Polling Intervals and Session Timeout gt and Session Timeout Polling Interval seconds Maximum amount of times the Audit Bo Server should be 32 polled Policy string to be sent to the Audit Server GAME Group Feedback F Request Device Type from Audit Server E Assign This Group if Audit Server Did not Return a Device Tr of Type User Group Device Type lAssign User Group No Device Type Policies E Delete i Down Submit Delete Cancel f If required in the Audit Flow Setting section set the audit flow parameters 158425 g Ifyou are configuring GAME group feedback to support agentless host configuration in the NAC environment configure the settings in the GAME Group Feedback section For information on configuring GAME Group Feedback settings see Enable GAME Group Feedback page 9 79 h Click Submit Configuration Guide for Cisco Secure ACS 4 2 P78 OL 14390 02 Chapter9 NAC Configuration Scenario Step 11 Optional Configure GAME Group Feedback W Enable GAME Group Feedback Step 1 Step
177. ned to the group directory subtree in your LDAP schema in the Group Directory Subtree text box How the LDAP User Groups Work Each LDAP user group record sets up an LDAP user group that maps users connecting through one or more devices to the specified group For example the LDAP user group identified as cn Group_1_colon sets up an LDAP user group that will map users connecting from the host at 10 56 60 100 as well as from two other hosts dn cn Group_1_colon ou MAC Groups ou MAB Segment o mycorp objectClass top objectClass groupofuniquenames description group of delimited MAC Addresses uniqueMember cn user00 wxp emea mycorp com ou MAC Addresses ou MAB Segment o mycorp uniqueMember cn user77a wxp emea mycorp com ou MAC Addresses ou MAB Segment O mMycorp uniqueMember cn user88 wxp emea mycorp com ou MAC Addresses ou MAB Segment o mycorp cn Group_1_colon ACS queries the LDAP database to determine to which user groups to assign users who connect from a host with a specified MAC address ACS then assign users in the LDAP user group to a specified ACS user group that you configure Configuration Guide for Cisco Secure ACS 4 2 Pei OL 14390 02 Chapter6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W Table 6 1 describes the attributes of the sample LDAP groups Table 6 1 Attributes in LDAP User Groups for Agentless Host Support Attribute Nam
178. ng to data that the ACS forwards to this server To set up an external posture validation server In the Posture Validation Components Setup page click External Posture Validation Setup The Edit External Posture Validation Servers page opens as shown in Figure 9 26 Figure 9 26 Edit External Posture Validation Servers Page Posture Validation Edit External Posture Yalidation Servers 2 Name Description Forward Credential Type Server Details Add Server Apply and Restart Cancel Initially the list of external posture validation servers is empty Click Add Server 158427 The Add Edit External Posture Validation Server page appears as shown in Figure 9 27 Configuration Guide for Cisco Secure ACS 4 2 a38 OL 14390 02 Chapter9 NAC Configuration Scenario Step 7 Configure Posture Validation for NAC W Figure 9 27 Add Edit External Posture Validation Server Page Posture Validation Edit Add Edit External Posture Validation Server 2 Name Description URL Username M Primary Server Password configuration Timeout fot 10 Sec Trusted hone selected O oOo ooo o y F Root CA URL o Username M Secondary Server Password configuration Timeout kooo Sec Trusted Z hone selected Root CA Forwarding Credential Types Available Credentials Selected Credentials 158364 Submit Cancel Step4 Enter a Name and Description optio
179. nization and replication are required Chapter 3 Configuring New Features in ACS 4 2 Describes how to configure the most important new features in ACS 4 2 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Describes how to configure new RDBMS synchronization features in ACS 4 2 and run RDBMS Sync remotely on the ACS Solution Engine Chapter 5 Password Policy Configuration Scenario Describes how to configure Sarbanes Oxley SOX support when adding administrators Chapter 6 Agentless Host Support Configuration Scenario Describes how to configure ACS for agentless host support MAC authentication bypass Chapter 7 PEAP EAP TLS Configuration Scenario Describes how to configure ACS for PEAP EAP TLS support Chapter 8 Syslog Logging Configuration Scenario Describes how to configure ACS to log syslog messages Chapter 9 NAC Configuration Scenario Describes how to configure ACS in a Cisco Network Admission Control NAC and Microsoft Network Access Protection NAP environment Glossary Lists common terms used in ACS I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gg Preface Conventions This document uses the following conventions Item Convention Commands keywords special terminology and options that should boldface font be selected during procedures Variables for w
180. ns check box then from the drop down list of user groups in the Assign Group field select a user group to apply to the client Disabling NetBIOS Because disabling NetBIOS might be desirable in some cases you can run ACS 4 2 with NetBIOS disabled ACS SE 4 2 runs on a customized version of Windows 2003 that includes some but not all Windows 2003 services S Note Although you can use Windows 2000 Windows XP and Windows Server 2003 to disable NetBIOS over TCP IP NetBT many corporate networks do not since most of them still have legacy Windows 9 x or Windows NT machines on their network These machines need NetBIOS to function properly on a network since they use NetBIOS to log in to domains find one another and establish sessions for accessing shared resources Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 _ Chapter 3 Configuring New Features in ACS 4 2 Step 1 Step 2 Step 3 Step 4 Step 5 Configuring ACS 4 2 Enhanced Logging Features W To disable NetBIOS over TCP IP in Windows 2000 XP or 2003 Right click My Network Places and choose Properties Right click the appropriate Local Area Connection icon and click Properties Click Internet Protocol TCP IP and choose Properties Click Advanced and click the WINS tab On the WINS tab enable or disable NetBIOS over TCP IP The changes take effect immediately without rebooting the system Optionally if you are using a DH
181. ntless host processing Description E Active Vv Network Access Filter Any ha Protocol types Allow any Protocol type Allow Selected Protocol types Protocol type Selected RADIUS Nortel RADIUS Juniper RADIUS Ascend RADIUS IETF 5 RADIUS Cisco VPN 5000 E RADIUS Cisco VPN 3000 lt RADIUS Cisco IOS PIXE RADIUS Cisco BBSM RADIUS Cisco Aironet RADIUS Cisco Airespace Advanced Filtering Rule Elements Table 026 009 001 cisco av pair aaa service ip_admission 006 Service Type 10 si Submit Delete Cancel g na The default settings for the profile are Any appears in the Network Access Filter field which means that this profile has no IP filter You can choose NAFs from the drop down list so that only specific host IPs match this profile that no protocol type filter exists for this profile I OL 14390 02 In the Protocol types list Allow any Protocol type appears in the Protocol types list which means Configuration Guide for Cisco Secure ACS 4 2 g Chapter 9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs e You can click the Allow Selected Protocol types option to specify a protocol type for filtering e Two rules are configured in Advanced Filtering 026 009 001 Cisco av pair aaa service ip admission 006 Service Type 10 These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches th
182. o be visible to searches Note If the administrator username that you specify does not have permission to see the group name attribute in searches group mapping fails for users whom LDAP authenticates Password tThe password for the administrator account that you specified in the Admin DN box The LDAP server determines case sensitivity If you want to set up LDAP server failback then in the Secondary LDAP server section specify information to identify the failback LDAP server The options and text input boxes in the Secondary LDAP Server section are the same as the ones in the Primary LDAP Server section Step9 Click Submit Step 5 Configure User Groups for MAB Segments During configuration of Network Access Profiles to enable agentless request processing you will be required to map devices that have specified MAC addresses to one of the default user groups that ACS provides I oL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Before you assign the user groups plan how to configure the user groups For example users associated with the user group can e Be denied access to the network e Be limited by network access restrictions NARs e Have specified password settings For detailed information on how to set up user groups refer to chapter 5 of the User Guide for Cisco Secure
183. o individuals to administer it Local authentication on the device is usually sufficient If you require more granular control than what authentication can provide some means of authorization is necessary As discussed earlier controlling access by using privilege levels can be cumbersome ACS reduces this problem In large enterprise networks with many devices to administer the use of ACS practically becomes a necessity Because administration of many devices requires a larger number of network administrators with varying levels of access the use of local control is simply not a viable way to track network device configuration changes that are required when changing administrators or devices The use of network management tools such as CiscoWorks helps to ease this burden but maintaining security is still an issue Because ACS can comfortably handle up to 300 000 users the number of network administrators that ACS supports is rarely an issue If a large remote access population is using RADIUS for AAA support the corporate IT team should consider separate TACACS authentication by using ACS for the administrative team Separate TACACS authentication would isolate the general user population from the administrative team and reduce the likelihood of inadvertent access to network devices If the use of TACACS is not a suitable solution using TACACS for administrative shell or exec logins and RADIUS for remote network access provides suffi
184. oL 14390 02 Chapter2 Deploy the Access Control Servers HZ Deploying ACS Servers to Support Server Failover e Client configuration How to configure the client e Reports and event error handling What information to include in the logs Replication Design Because database replication in a ACS is a top down approach using the cascade method minimizes replication induced downtime on the master server If the primary server is not used for authentication services but for database maintenance only the cascade method may not be as critical However when traveling across time zones particularly international time zones it may be necessary to use the cascade method going to remote secondaries In this case when you configure database replication on the Database replication setup page click At specific times instead of Automatically triggered cascade Use the automatically triggered cascade method so that local replication occurs during a time that will minimize the impact on user authentication During these long distance replications replicating to the backup or secondary server first also helps reduce this impact Figure 2 10 shows a hypothetical deployment for replication where each region has a primary and a secondary ACS deployed In this scenario replication is made to the secondary servers to avoid replication downtime to the primary but may not be needed if the primary is used mainly for database maintenance but n
185. ode Priv lvl Proxy IP Address ExtDB Info Source NAS Network Device Gro Access Device Device Command PEAP EAP FAST Cl gt Global Message Id Logged Remotely l EAP Type EAP Type Name Network Access Profi Outbound Class Shared RAC Downloadable ACL System P osture T ok Anplieati reae gt Author Data Group Name Filter Information ve oon Syslog Servers IP Port Max message length Bytes Server 1 Server 2 m Submit Reset Columns Check the check box for logging the specified information to syslog 158423 Configuring Syslog Logging W For example in Figure 8 2 check the Log to Syslog Failed Attempts Report check box In the Select Columns to Log section a list of the fields available for the specified syslog report appears To move an attribute to the list of the attributes shown in the report select the field in the Available column and then click the right arrow icon to move it to the Logged Attributes column In the Syslog Servers section specify the following information for the syslog servers to which ACS will send logging information e IP Enter the IP address of the syslog server e Port Enter the syslog port number on the specified server e Max message length Bytes Enter the maximum syslog message length that ACS will accept You can enter information for up to two syslog servers I OL 14390
186. of Health A message that a NAP client sends to an NPS indicating the health of the client V VSA Vendor Specific Attribute Most vendors use the VSA to support value added features Configuration Guide for Cisco Secure ACS 4 2 Pca i OL 14390 02 INDEX UPDATE_NAS 4 15 UPDATE_USER_DACL 4 14 802 1x 2 2 accountActions file for creating dACLs 4 4 Account Locked 5 4 Numerics i Account Never Expires 5 4 AAA clients 4 14 ACE configuring RADIUS client 9 2 adding 9 23 creating 4 15 ACLs deleting 4 15 default 9 52 updating 4 15 ACS AAA server installing 6 4 9 2 configuring 9 4 ACS configuration Access Control Entries configuration flowchart 1 5 See ACEs overview 1 1 accessing Cisco Secure ACS summary of steps 1 1 how to 6 4 9 2 ACS dictionary URL 6 4 9 2 adding vendor attributes to 9 31 9 40 9 74 access policy ACS internal database configuring 5 9 using to validate MAC addresses 6 22 HTTP port allocation 5 11 Active Directory IP address filtering 5 10 multi forest support 3 7 access types 2 2 ADD_USER 4 5 wired LAN access 2 2 administration control accountActions codes configuring for NAC NAP 39 17 ADD_USER 4 5 administrative access policies CREATE_DACL 4 5 overview 2 17 CREATE _USER_ DACL 4 5 administrator account DELETE_USER_DACL 4 14 adding 5 2 deleting 4 13 editing 5 2 READ_DACL 4 13 administrator entitlement reports 5 12 READ_NAS 4 15 administrators UPDATE_DACL 4 13 locking out 5 7 Configuration Guide for C
187. of user database are all factors to consider when you decide how to deploy ACS ACS is designed for the enterprise environment and can handle 300 000 users This capacity is usually more than adequate for a corporation In an environment that exceeds these numbers the user base would typically be geographically dispersed which requires the use of more than one ACS configuration A WAN failure could render a local network inaccessible because of the loss of the authentication server In addition reducing the number of users that a single ACS handles improves performance by lowering the number of logins occurring at any given time and reducing the load on the database ACS supports several database options including the ACS internal database or by using remote authentication with any of the external databases that ACS supports Each database option has its own advantages and limitations in scalability and performance Network Latency and Reliability Network latency and reliability are also important factors in how you deploy ACS Delays in authentication can result in timeouts for the end user client or the AAA client The general rule for large extended networks such as those in a globally dispersed corporation is to have at least one ACS deployed in each region This configuration may not be adequate without a reliable high speed connection between sites Many corporations use secure VPN connections between sites so that the Internet provid
188. on Validation User Directory Subtree AEAN Group Directory Subtree E Control A gt UserObjectType uid External User Databases UserObjectClass Person penal GroupObjectType cn GroupObjectClass GroupOfUniqueNames aay Administration laien eed Group Attribute Name UniqueMember Be External User Databases Server Timeout 30 seconds ouaa Posture i saaal yy alidati Validation On Timeout Use Secondary ay EEL EET Failback Retry Delay 0 minutes 4g external Wer Max Admin Connections 40 Databases Validation Primary LDAP Server ay Administration Control Hostname External User 7 JG patabases Port 389 Default is 389 manal Post i ESE LDAP Version Muse LDAP v3 Security Ouse Secure Authentication Administration vy Control OTrusted Root CA none selected bij JE External User Certificate DB Path Download Certificate database Databases No File Downloaded giin Admin on 4 Network Acces Password Profiles Reports and Activity Secondary LDAP Server EA Online r Documentation Hostname Port 389 Default is 389 LDAP Version MUse LDAP v3 Security Ouse Secure Authentication OTrusted Root CA none selected b Certificate DB Path Download Certificate database No File Downloaded Admin DN Password 270296 Step7 If you do not want ACS to filter LDAP authentication requests
189. on bar choose System Configuration gt Date Format Control The Date Format Control page opens In the Time Zone Selection for syslog section specify the date format for events sent to syslog servers To specify e Local time click the Use Local Time radio button e GMT time click the Use GMT Time radio button Click Submit and Restart RSA Support on the ACS SE Step 1 Step 2 ACS 4 2 adds support for RSA Token Server on the ACS SE To add this support In the navigation bar click External User Databases The External User Databases page opens Click Database Configuration The External User Databases Configuration page opens as shown in Figure 3 5 Configuration Guide for Cisco Secure ACS 4 2 EN OL 14390 02 Chapter3 Configuring New Features in ACS 4 2 RSA Support onthe ACS SE W Figure 3 5 External User Databases Page ACS SE External User Database Configuration Choose which external user database type to configure Windows Database Generic LDAP LEAP Proxy RADIUS Server RADIUS Token Server RSA SecurID Token Server RSA SecurID Token and LDAP Group Mapping List all database configurations Cancel Step3 Click RSA SecureID Token Server 270290 The Database Configuration Creation page appears Step4 Click Create New Configuration The Create a New External Database Configuration page appears as shown in Figure 3 6 Figure 3 6 Create a New External Database Configuration P
190. onfigure the Web Interface Step 5 Configure Basic ACS System Settings ACS Configuration Flowchart Step 6 Configure Users Is there a Database Configure Database Synchronization Is there a Large User Database Use CSUtil for Bulk User Data Import Are you using EAP TLS SSL or NAC Step 7 Configure Certificates Step 8 Configure Global Authentication Settings y 3 Step 9 Configure Shared Profile Components Step 10 Set Up Network Device Groups A y Step 11 Add AAA Clients i Step 12 Set Up User Groups Are you using NAC Step 13 Configure Posture Validation p 7 Step 14 Set Up Network Access Profiles y Step 15 Configure Logs and Reports 158309 Configuration Flowchart W Refer to the list of steps in Summary of Configuration Steps page 1 1 for information on where to find detailed descriptions of each step Configuration Guide for Cisco Secure ACS 4 2 I OL 14390 02 Chapter1 Overview of ACS Configuration WE Configuration Flowchart Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 CHAPTER Deploy the Access Control Servers This chapter discusses topics that you should consider before deploying Cisco Secure Access C
191. onfiguring 6 24 9 72 9 79 defined 6 3 selecting device types 9 80 Global Authentication configuring for NAC NAP 39 9 setting up 9 9 global authentication settings configuring 7 5 group filtering configuring at the NAP level 3 6 Health Registration Authority 2 15 Host Credentials Authorization Protocol 2 15 HTTP port allocation 5 11 incorrect password attempt options 5 7 installation related documentation xii installing ACS 6 4 9 2 security certificate 9 5 security certificates 6 6 7 2 9 6 internal posture validation policy adding toa profile 9 69 configuring 9 35 IP address filtering 5 10 L large enterprise WLAN 2 8 large LAN defined 2 2 latency in networks 2 19 Layer 2 NAC 802 1x template 9 55 LDAP 3 6 ACS configuration for 6 13 configuring for MAB support 6 10 sample schema for MAB support 6 10 LDAP server configuring 6 16 LDAP user groups Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 for MAB support 6 12 Lightweight Directory Access Protocol See LDAP logging configuring 9 14 enhanced features with ACS 4 2 3 5 logging level configuring 9 14 logs and reports configuring 9 14 MAB configuring 6 21 configuring ACS user groups for MAB segments 6 17 configuring audit server to support 6 24 configuring LDAP support for 6 10 defined sample LDAP schema for MAB support 6 10 MAC addresses format for entering in ACS 6 22 MAC authentication bypass
192. ontent block The file shown in Example 4 1 has only one content block Definition keywords Specify a series of permit IP or deny ip commands that ACS applies to Users or Groups to which you associate the dACL Each Definition keyword has the format Definition n n1 where n is the number of the content block of definition keywords and n is the number of each definition Step3 Save the file e ACS for Windows Save the file to a directory on the Windows machine that is running ACS e ACS SE Save the file to a directory on an FTP server used with the ACS SE I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration HZ Using RDBMS Synchronization to Configure dACLs Step 3 Code an accountActions File to Create the dACL and Associate a User or Group with the dACL To create a an AccountActions CSV file to create a dACL and assign it to a User or Group Step 1 Create a text file by using a text editor of your choice for example Notepad Step2 Code a statement to create a User or Group For example to create a User named Troy who belongs to a Group named Group and has an initial password of ipassword code the following statement 1 1 Troy Group 5 100 ipassword 7 8 2008 15 00 0 0 Step3 Code a statement to create a dACL For example to create a dACL called DACL_for_Troy that is specified in a text file called dACL_cr
193. ontrol Server hereafter referred to as ACS This document does not describe the software installation procedure for ACS or the hardware installation procedure for the ACS SE For detailed installation information refer to Installation Guide for Cisco Secure ACS for Windows Release 4 2 available on Cisco com at http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 installation guide windows IGwn42 html Installation Guide for Cisco Secure ACS Solution Engine Release 4 2 available on Cisco com at http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_solution_engine 4 2 installation guide solution_engine ACS_42_SE_install html Note For more detailed information on deploying ACS see the Cisco Secure Access Control Server Deployment Guide at http www cisco com application pdf en us guest products ps2086 c1244 cdccont_0900aecd80737943 pdf This chapter contains Determining the Deployment Architecture page 2 1 Determining How Many ACSs to Deploy Scalability page 2 11 Deploying ACS Servers to Support Server Failover page 2 13 Deploying ACS in a NAC NAP Environment page 2 15 Additional Topics page 2 16 Determining the Deployment Architecture How your enterprise network is configured and the network topology are likely to be the most important factors in deploying ACS I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gy Chap
194. or MAB Segments page 6 17 for details Enable agentless request processing a Create a new Network Access Profile b Enable agentless host processing for the profile c Configure MAB See Step 6 Enable Agentless Request Processing page 6 18 for details OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 E Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Step7 Configure logging and reports Add the Bypass Info attribute to the Passed Authentications and Failed Attempts reports See Step 7 Configure Logging and Reports page 6 23 Note If you are using ACS with NAC configure audit server support and optionally configure GAME group feedback See Configure GAME Group Feedback page 6 24 for details Basic Configuration Steps for Agentless Host Support This section describes the basic configuration steps for agentless host support Step 1 Install ACS This section describes the installation process that you perform to run ACS which runs on a Windows 2000 Server a Windows 2003 system or a Cisco Secure ACS SE To install ACS Step 1 Start ACS installation For detailed information on ACS installation refer to the e Installation Guide for Cisco Secure ACS for Windows 4 2 e Installation Guide for Cisco Secure ACS Solution Engine 4 2 During the installation process you are prompted to enter a password for encrypting the internal d
195. ord change policy remains in effect The default value is unchecked disabled Account Locked If you want to lock out an administrator who is denied access due to the account policy options specified on the Password Policy page check the check box for Account Locked When unchecked disabled this option unlocks an administrator who was locked out Administrators who have the Administration Control privilege can use this option to manually lock out an account or reset locked accounts The system displays a message that explains the reason for a lockout When an administrator unlocks an account ACS resets the Last Password Change and the Last Activity fields to the day on which the administrator unlocks the account The reset of a locked account does not affect the configuration of the lockout and unlock mechanisms for failed attempts Step4 Click Grant All or Revoke All to globally add or remove all privileges Step5 If you want to grant specific privileges to the administrator check the check boxes that correspond to the privileges that you want to grant S Note For more information on administrative privileges see the Add Administrator and Edit Administrator Pages section in Chapter 11 of the User Guide for Cisco Secure Access Control Server 4 2 Administrators and Administrative Policy Step6 Goto Step 2 Configure Password Policy page 5 4 the next section of this chapter and follow the steps to sp
196. ored if it contains an invalid definition content name content definition or NAF name 388 DELETE_DACL VN Use this action code to delete a dACL VN The name of the dACL to delete To delete all dACLs code an asterisk By default all the dACLs are deleted Users and Groups associated with this dACL will be dereferenced after deleting the dACL Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 EEN Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration W Updating or Deleting dACL Associations with Users or Groups Updating or Deleting dACL Associations with Users or Groups Table 4 5 lists the account action codes to update the dACL or remove the association of the dACL and the User or Group Table 4 5 Account Action Codes to Create or Remove dACL Associations With Users and User Groups Action Code Name Required Description 381 UPDATE_USER_DACL UNIGN VN This action code updates the dACL for a specified User or Group The dACL name specified should be valid and should be present in ACS UN Valid Username GN Valid Group name optional VN dACL name This dACL must be defined in Shared Profile Component 382 DELETE_USER_DACL UNIGN This action code disassociates a dACL from a specified User or Group UN valid Username GN Valid Group name optional Using RDBMS Synchronization to Specify Network Configuration You
197. ot for authentication Figure 2 10 ACS Database Replication Scenario ee A al EN China Master a Secondary secondary r mot system system 2 Secondary ga A system 2 California ej 158371 Database Synchronization Considerations An alternative to database replication is the use of Relational Database Management System RDBMS synchronization You use the RDBMS synchronization feature to update the ACS user database with information from an Open Database Connectivity ODBC compliant data source The ODBC compliant data source can be the RDBMS database of a third party application It can also be an intermediate file or database that a third party system updates Regardless of where the file or database resides ACS reads the file or database via the ODBC connection RDBMS synchronization supports addition modification and deletion for all data items it can access Configuration Guide for Cisco Secure ACS 4 2 P24 E OL 14390 02 _ Chapter 2 Deploy the Access Control Servers Deploying ACS ina NAC NAP Environment W Deploying ACS in a NAC NAP Environment You can deploy ACS in a Cisco Network Admission Control and Microsoft Network Access Protection NAC NAP environment In the NAC NAP environment NAP client computers authorize with ACS by using EAP over UDP EoU or EAP over 802 1x Table 2 1 describes the components of a NAC NAP deployment Table 2 1 Components of a NAC NAP Deployment Component
198. ou administrators o cisco Tip h If you are using Netscape DS as your LDAP software you can copy this information from the Netscape console In the Password box type the password for the administrator account that is specified in the Admin DN box The server determines password case sensitivity Step 22 Click Submit I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter3 Configuring New Features in ACS 4 2 W Turning Ping On and Off Note ACS saves the generic LDAP configuration that you created You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication Turning Ping On and Off With ACS 4 2 you can enable and disable pinging of the ACS SE device Prior to release 4 2 when remote devices sent a ping request to an SE device the ping was always rejected because by default the Cisco Security Agent CSA runs on the ACS SE device CSA automatically rejects remote ping requests ACS 4 2 provides software patches for you to turn ping on and off by updating the policies in the CSA e Ping Turn On Patch This patch turns on the ping option in the CSA which makes it possible to ping the ACS SE e Ping Turn Off Patch This patch turns off the ping option in the CSA which causes the ACS SE to reject pings For detailed information on installing these patches see Turning Ping On and Off in Chapter 3 of the the Insta
199. ou have not enabled NDGs click Not Assigned and then click Add Entry below the AAA Clients table The Add AAA Client page opens shown in Figure 9 1 Figure 9 1 Add AAA Client Page Add AAA Client AAA Client Hostname Shared Secret Network Device Group Not Assigned gt RADIUS Key Wrap Key Encryption Key Key Input Format ASCII Hexadecimal AAA Client IP Address Message Authenticator Code Key Authenticate Using RADIUS IETF o l I Single Connect TACACS AAA Client Record stop in accounting on failure I Log Update Watchdog Packets from this AAA Client M Log RADIUS Tunneling Packets from this AAA Client Replace RADIUS Port info with Username from this AAA Client Submit Apply Cancel In the AAA Client Hostname box type the name assigned to this AAA client up to 32 alphanumeric characters In the AAA Client IP Address box type the AAA client IP address or addresses D 158375 Note You can define all network access devices NADs as a single AAA client by entering IP address wildcards for example Note however that AAA client definitions with wildcards cannot overlap with other AAA client definitions regardless of the authentication type configured for the AAA clients I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 gy Chapter9 NAC Configuration Scenario HH Step 2 Perform Network Configuration Tasks Step 5 Step 6 Step
200. parison C certificate CN comparison M Certificate Binary comparison EAP TLS session timeout minutes 120 LEAP Callow LEAP For Aironet only EAP MD5 Allow EAP MDS AP EAP request timeout seconds 20 MS CHAP Configuration M Allow MS CHAP Version 1 Authentication M Allow MS CHAP Version 2 Authentication 203260 Configuration Guide for Cisco Secure ACS 4 2 Pot OL 14390 02 Chapter9 NAC Configuration Scenario Step 3 Set Up System Configuration W Step3 To make the PEAP global authentication parameters available in the NAP configuration check the check boxes for e Allow EAP MSCHAPv2 EAP MSCHAP is a variation of the Microsoft Challenge and Response Protocol that is used with the Protected Extensible Access Protocol PEAP For a description of the EAP MSCHAPv2 protocol see the Authentication section in Chapter 1 of the User Guide for Cisco Secure ACS 4 2 Overview e Allow EAP GTC For a description of the EAP Generic Token Card EAP GTC protocol see EAP FAST Authentication in Chapter 9 of the User Guide for Cisco Secure ACS 4 2 System Configuration Authentication and Certificates e Allow Posture Validation For a description of Posture Validation see the What Is Posture Validation section in Chapter 13 of the User Guide for Cisco Secure ACS 4 2 Posture Validation Step4 In the EAP TLS section a Check the Allow EAP TLS check bo
201. part of the overall Cisco corporate security policy Security Policy Every organization that maintains a network should develop a security policy for the organization The sophistication nature and scope of your security policy directly affect how you deploy ACS For more information about developing and maintaining a comprehensive security policy refer to these documents e Network Security Policy Best Practices White Paper e Cisco IOS Security Configuration Guide Administrative Access Policy Managing a network is a matter of scale Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network A network device can be authenticated locally but this ability is not scalable The use of network management tools can help in large networks 25 000 to 50 000 users but if local authentication is used on each network device the policy usually entails a single login on the network device A single login on the network device does not provide adequate network device security ACS provides a centralized administrator database and you can add or delete administrators at one location TACACS is the recommended AAA protocol for controlling AAA client administrative access because of its ability to provide per command control command authorization of AAA client administrator access to the device RADIUS is not well suited for this pu
202. plate page opens as shown in Figure 9 45 Configuration Guide for Cisco Secure ACS 4 2 960 I OL 14390 02 Chapter9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W Figure 9 45 Create Profile From Template Page Create Profile from Template 2 Name Test_NAC_L2_802 1x Sample NAC L2 602 1x template Description Template Nac L2 802 1 gt Active Vv Submit Cancel Step3 Enter a Name and Description optional Step4 From the Template drop down list choose Wireless NAC L2 802 1x Step5 Check the Active check box Step6 Click Submit 158412 If no error appears then you have created a Profile that can authenticate wireless NAC Layer 2 802 1x hosts The Edit Network Access Profile page opens and the new profile is listed in the Name column The predefined values for the NAC Layer 2 802 1x template include e Profile Setup e Protocols e A sample posture validation policy e Authentication policy Step7 To select a predefined set of values click on one of the configuration options e The profile name to select the profile setup page for the profile e Protocols e Authentication Policy e Sample Posture Validation Rules Profile Setup To use the Profile Setup settings from the template Step 1 Go to Network Access Profiles Step2 Choose the profile that you created Step3 The Profile Setup page appears as shown in Figure 9 46 Configuration Guide for Cis
203. plays the selected dACL as shown in Figure 4 4 Figure 4 4 Entry for the Sample dACL Downloadable IP ACLs Name DACL_For_Troy Description Test DACL For ACS 42 ACL Contents W Network Access Filtering content ealraaa clientsy z add uo Down 203258 In the ACL Contents column you should see the content name specified in the Content 1 block that you coded in the text file in Step 2 Create a Text File to Define the dACLs page 4 2 Step 4 Click the content name The Downloadable IP ACL Content page appears The Content Name and ACL Definitions appear on the page as shown in Figure 4 5 Figure 4 5 Downloadable IP ACL Content Page Downloadable IP ACL Content Name contenti ACL Definitions deny ip any 192 168 permit ip any any permit ip any host 192 168 1 152 permit ip any host 192 168 5 152 permit ip any host 192 168 29 33 permit ip any host 192 168 29 34 permit ip any host 192 168 9 50 permit ip any host 192 168 9 20 permit ip any host 192 168 7 20 permit ip any host 192 168 128 1 permit ip any 192 168 24 0 0 0 0 255 permit ip any 192 168 0 0 permit ip any 192 0 0 0 0 0 0 6 0 00 deny ip any 192 168 0 0 0 0 255 5 255 255 255 255 255 255 0 2 5 3 1 203265 wi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 _ Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configura
204. r Agentless Host for Layer 3 Profile Template Authorization Rules for agentless_host_fallback joss Condition Action System Den User Group Posture Y Shared RAC Downloadable ACL Token Access e o Default Group gt Any jm NAC SAMPLE QUARANTINE L2 RAC gt If a condition is not defined or there is no matched condition cd a I Include RADIUS attributes from user s group I Include RADIUS attributes from user record Add Rule Delete up Down The Up Down buttons submit and save the sort order to the database Submit Done 158409 On this page you can see the Agentless Host for Layer 3 template configuration for authentication Specify the external database that ACS uses to perform authentication a To keep the default setting ACS uses its internal database click the Internal ACS DB radio button b To specify a LDAP server click the LDAP Server radio button and then from the drop down list choose an LDAP server c From the If Agentless request was not assigned a user group drop down list choose a user group to which ACS assigns a host that is not matched to a user group Step 9 Map Posture Validation Components to Profiles Step 1 Step 2 Step 3 Step 4 To add an internal posture validation policy external posture validation server or both to a profile Choose Network Access Profiles Choose the relevant profile Posture Validation policy Click Add Rule Enter a N
205. r object in the LDAP server or Active Directory and the certificate that the user presents during EAP TLS authentication You cannot use this comparison method to authenticate users in an ODBC external user database Step 4 Optional Configure Authentication Policy You can enable EAP TLS when you set up an authentication policy in the protocols section of Network Access Profile configuration Figure 7 4 shows the modified EAP configuration section on the NAP Protocols page Figure 7 4 EAP Configuration Section of NAP Protocols Page EAP Configuration PEAP F Allow EAP MSCHAPv2 Allow EAP GTC M Allow Posture Validation Allow EAP TLS 158447 Configuration Guide for Cisco Secure ACS 4 2 re E OL 14390 02 cuartenO Syslog Logging Configuration Scenario Overview ACS provides a system logging syslog feature With the addition of this feature all AAA reports and audit report messages can be sent to up to two syslog servers Configuring Syslog Logging To configure ACS to generate syslog messages Step1 In the navigation bar click System Configuration The System Configuration page opens Step2 Click Logging The Logging page opens shown in Figure 8 1 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 EN Chapter 8 Syslog Logging Configuration Scenario W Configuring Syslog Logging Step 3 Figure 8 1 Logging Configuration Page Logging Configuration Critical Logger
206. rObjectType Enter the name of the user object type that is defined in your LDAP schema In the LDAP schema shown in Example 6 1 the user object type is specified as macAddress Configuration Guide for Cisco Secure ACS 4 2 Peis E OL 14390 02 _ Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W UserObjectClass The value of the LDAP object Type attribute that identifies the record as a user Often user records have several values for the objectType attribute some of which are unique to the user some of which are shared with other object types In the LDAP schema shown in Example 6 1 the user object class is specified as ieee802Device GroupObjectType tThe name of the attribute in the group record that contains the group name In tIn the LDAP schema shown in Example 6 1 this is cn GroupObjectClass For MAB configuration specify the name of a device record that you have set up in your LDAP schema For example in Example 6 1 the group object class is ieee802Device GroupAttributeName For MAB configuration specify the name of the LDAP attribute that specifies a LDAP user group For example in Example 6 1 each member of a LDAP user group is specified in a uniqueMember attribute Server Timeout The number of seconds that ACS waits for a response from an LDAP server before determining that the connection with that server failed On Timeout Use Se
207. ration Scenario WE Configuration Steps for Audit Server Support Step 4 Step 5 Repeat Step 3 for additional report types as required Repeat Steps 3 and 4 for the Failed Attempts report Configuration Steps for Audit Server Support If you are using ACS with the NAC solution or with other applications that support the use of audit servers you can set up agentless host support that uses an audit server An audit server runs a database that can enable further authentication of the information that is used to assign agentless host devices to user groups For example the categorization of devices in the LDAP schema might set up device categories such as printer PC or FAX machine The database on the audit server can check whether a device with a specified MAC address or IP address is the type of device associated in the database with the specified MAC address or IP address If it is not the correct device type a specified authentication policy can be executed The mechanism that ACS 4 2 uses to communicate with audit servers in a NAC environment is called GAME group feedback The GAME protocol defines the GAME groups When you configure GAME group feedback for an audit server that is used in a NAP you can enable the Request Device Type from Audit Server feature If this feature is enabled the audit feature can request a device type from the audit server and then check the device type against the device type that MAC authentication return
208. rd Policy page 5 4 for details Configure session policy Configure restrictions on the admin user s session See Step 3 Configure Session Policy page 5 7 for details Configure access policy Configure restrictions on admin access such as the IP addresses from which administrators can log in See Step 4 Configure Access Policy page 5 9 for details Step 1 Add and Edit a New Administrator Account Step 1 To add a new administrator account In the navigation bar click Administration Control The Administration Control page appears as shown in Figure 5 1 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter5 Password Policy Configuration Scenario Step 1 Add and Edit a New Administrator Account Figure 5 1 Administration Control Page Administration Control Administration Control Administrators 2 admin777 test one Add Administrator Access Policy Session Policy Password Policy 158376 The Administration Control page initially lists no administrators If administrators have been configured the page lists the configured administrators Step2 To add an administrator click Add Administrator The Add Administrator page opens Step3 In the Administrator Details area enter Option Description Administrator Name Enter the login name for the ACS administrator account Administrator names can contain 1 to 32 characters excluding the left angle
209. re efficient to use an external LDAP database than to configure the MAC address mappings manually through the ACS GUI To configure LDAP support for MAB Step 1 Configure an External LDAP database for MAB support See Configure an External LDAP Database for MAB Support page 6 10for details Step2 Create one or more LDAP database configurations in ACS See Create One or More LDAP Database Configurations in ACS page 6 13 for details Configure an External LDAP Database for MAB Support Configure one or more external LDAP databases for MAB support In each LDAP database create e Device records that describe the agentless hosts that ACS will authenticate e LDAP groups that define an LDAP schema to enable MAB for agentless host support Example 6 1 shows portions of a sample Lightweight Directory Interchange Format LDIF file that defines an LDAP database for agentless host support Example 6 1 Sample LDAP Schema for MAB Support dn ou MAB Segment o mycorp ou MAB Segment objectClass top objectClass organizationalUnit description MAC Authentication Bypass Sub Tree dn ou MAC Addresses ou MAB Segment o mycorp ou MAC Addresses objectClass top objectClass organizationalUnit dn ou MAC Groups ou MAB Segment o mycorp ou MAC Groups objectClass top objectClass organizationalUnit dn cn user00 wxp emea mycorp com ou MAC Addresses ou MAB Segment o mycorp ipHostNumber 10 56 60 100 objectClass top objectClas
210. red to as ACS S Note The procedure in this chapter describes how to configure agentless host support by using ACS with a Lightweight Directory Access Protocol LDAP database You can also configure agentless host support by using the ACS internal database but using an LDAP database is generally more efficient This chapter contains the following sections Overview of Agentless Host Support page 6 1 Summary of Configuration Steps page 6 3 Basic Configuration Steps for Agentless Host Support page 6 4 Configuration Steps for Audit Server Support page 6 24 Overview of Agentless Host Support Many hosts that ACS authenticates run agent software that requests access to network resources and receives authorization from ACS However some hosts do not run agent software For example Many 802 1x port security deployments authenticate hosts that do not have appropriate security agent software such as Cisco Trust Agent When an agentless host is connected to a Layer 2 device and an Extensible Authentication Protocol over User Datagram Protocol timeout EoU timeout occurs in band posture validation cannot occur ACS solves this problem by using the MAC address of the host device to identify and authenticate the host This technique is called MAC authentication bypass MAB 1 When an agentless host connects to a network access device NAD the NAD detects that the host does not have an appropriate software agent and uses th
211. roducts derived from this software without prior written permission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IC AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com I OL 14390 02 Configuration Guide
212. rpose because of the one time transfer of authorization information at the time of initial authentication The type of access is also an important consideration In the case of different administrative access levels to the AAA clients or if a subset of administrators is to be limited to certain systems you can use ACS with command authorization per network device to restrict network administrators as necessary Using local authentication restricts the administrative access policy to no login on a device or by using privilege levels to control access Controlling access by means of privilege levels is cumbersome and not very scalable Such control requires altering the privilege levels of specific commands on the AAA client device and defining specific privilege levels for the user login You can easily create more problems by editing command privilege levels Using command authorization on ACS does not require that you alter the privilege level of controlled commands The AAA client sends the command to ACS to be parsed and ACS determines whether the administrator has permission to use the command The use of AAA allows authentication on any AAA client for any user on ACS and limits access to these devices on a per AAA client basis I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter2 Deploy the Access Control Servers W Additional Topics A small network with a small number of network devices may require only one or tw
213. s Configure GAME Group Feedback Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 To configure GAME group feedback Import an audit vendor file by using CSUtil Import a device type attribute file by using CSUtil Import NAC attribute value pairs Enable Posture Validation In the External Posture Validation Audit Server Setup page configure an external audit server Enable GAME group feedback In the external audit server posture validation setup section configure e Which hosts are audited section e GAME group feedback e Device type retrieval and mapping for vendors who have a device attribute in the RADIUS dictionary Set up a device group policy The detailed steps for configuring GAME group feedback are described in Enable GAME Group Feedback page 7 46 in Chapter 9 NAC Configuration Scenario Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 CHAPTER PEAP EAP TLS Configuration Scenario You can select EAP TLS as an inner method that is used within the tunnel that ACS establishes for PEAP authentication If you select EAP TLS ACS can use it not only to encrypt the initial data sent through the PEAP protocol but once a secure tunnel is established between ACS and the NAD to encrypt for a second time the data that is transmitted within the secure tunnel This enhanced encryption method greatly enhances the security of communications between ACS and the NAD Most customer
214. s EAP is defined by Internet Engineering Task Force IETF RFC 2284 and the IEEE 802 1x standards The 802 1x standard also known as EAP over LAN EAPOoL concerns the part of the wider EAP standard that relates to broadcast media networks Upon connection EAPoL provides a communications channel between an end user on a client LAN device to the AAA server through the LAN switch The functionality is similar to what Point to Point Protocol PPP servers on point to point links provide By supporting complex challenge response dialogues EAP facilitates the user based authentication demands of both conventional one way hashed password authentication schemes such as Challenge Handshake Authentication Protocol CHAP and of more advanced authentication schemes such as Transport Layer Security TLS or digital certificates Configuration Guide for Cisco Secure ACS 4 2 22 E OL 14390 02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture W e EAP TLS Extensible Authentication Protocol Transport Layer Security EAP TLS EAP TLS uses the TLS protocol RFC 2246 which is the latest version of the Secure Socket Layer SSL protocol from the IETF TLS provides a way to use certificates for user and server authentication and for dynamic session key generation e PEAP Protected Extensible Authentication Protocol PEAP is an 802 1x authentication type for wireless LANs WLANs PEAP provides strong se
215. s ipHost objectClass ieee802Device macAddress 00 11 22 33 44 55 cn user00 wxp emea mycorp com dn cn userll wxp emea mycorp com ou MAC Addresses ou MAB Segment o mycorp ipHostNumber 10 56 60 111 objectClass top objectClass ipHost objectClass ieee802Device Configuration Guide for Cisco Secure ACS 4 2 Cu OL 14390 02 Chapter6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support W macAddress 11 22 33 44 55 66 cn userll wxp emea mycorp com dn cn Group_1_colon ou MAC Groups ou MAB Segment o mycorp objectClass top objectClass groupofuniquenames description group of delimited MAC Addresses uniqueMember cn user00 wxp emea mycorp com ou MAC Addresses ou MAB Segment o mycorp uniqueMember cn user77a wxp emea mycorp com ou MAC Addresses ou MAB Segment O mMycorp uniqueMember cn user88 wxp emea mycorp com ou MAC Addresses ou MAB Segment o mycorp cn Group_1_colon dn cn Group_2_dash ou MAC Groups ou MAB Segment o mycorp objectClass top objectClass groupofuniquenames description group of delimited MAC Addresses uniqueMember cn userll wxp emea mycorp com ou MAC Addresses ou MAB Segment o mycorp uniqueMember cn user77b wxp emea mycorp com ou MAC Addresses ou MAB Segment O mMycorp cn Group_2_dash Description of the Settings in the Sample LDAP Schema Figure 6 5 shows the tree structure of the LDAP schema that is pres
216. s Configuration Remote Logging Servers Configuration ACS Reports v Indicates Logging Enabled X Indicates Logging Disabled Report Name csS ODBC Syslog Failed Attempts pa cas aan aides Passed Authentication iii ae dace RADIUS Accounting penis ea ae TACACS Accounting Sais Oe aie aes ER TACACS Administration ae a aaa VoIP Accounting pe ie ae ae ae Backup and Restore etwas ee ie Database Replication am is i ea oe Administration Audit Pa ice es oe aise sis User Password Changes che e Ri i ae e ACS Service Monitoring a ita ne iii eS ia RDBMS Synchronization A TA bau iri a ee Cancel 158436 To enable a syslog report on the Logging Configuration page click the Configure link in the syslog column in the row for each report that you want to generate The Enable Login window for the specified report opens as shown in Figure 8 2 wi Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 _ Chapter 8 Syslog Logging Configuration Scenario Step 4 Step 5 Figure 8 2 Enable Logging Page Syslog Failed Attempts File Configuration Enable Logging I Log to Syslog Failed Attempts report logging for that report If the selected log is disabled ACS will not implement critical Select Columns To Log Attributes Logged Attributes UserName NAS IP Address Authen Failure Code Author F ailure C
217. s enabled OL 14390 02 158442 Configuration Guide for Cisco Secure ACS 4 2 g Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Authorization Policy To configure an authorization policy for the Wireless NAC Layer 2 802 1x template Step 1 Go to Network Access Profiles Step2 Choose the Authorization link from the Policies column The Authorization page for the profile appears as shown in Figure 9 48 Figure 9 48 Authorization Page for Wireless NAC L2 802 1x Profile Template Authorization Rules for Sample_NAC_L2_8021x Condition Action System Den User Group Posture Y Shared RAC Downloadable ACL Access Token e Any Ri Healthy O NAC SAMPLE HEALTHY L2 RAC gt x e Any he Quarantine O NAC SAMPLE QUARANTINE L2 RAC z if a conuition is not defnediorthersiis Ir NAC SAMPLE QUARANTINE L2 RAC 3 e y jno matched condition I Include RADIUS attributes from user s group I Include RADIUS attributes from user record Add Rule Delete up Down The Up Down buttons submit and save the sort order to the database Submit Done 158437 On this page you can see the Wireless NAC L2 802 1x template configuration for authentication Step3 Specify the external database that ACS uses to perform authentication a To keep the default setting ACS uses its internal database click the Internal ACS DB radio b
218. s for specified hosts For information on the syntax for ACL definitions see the Downloadable ACLs section of Chapter 4 of the User Guide for Cisco Secure Access Control Server 4 2 Shared Profile Components Step4 Click Submit amp Note Before configuring the ACL on ACS you should test the syntax on the device to ensure that each ACE is valid The Downloadable ACL page appears with the new ACL in the ACL Contents list as shown in Figure 9 15 Configuration Guide for Cisco Secure ACS 4 2 Po24 OL 14390 02 Chapter 9 NAC Configuration Scenario Saving the dACL Step 5 Step 6 Step 5 Set Up Shared Profile Components Hi Figure 9 15 Downloadable ACL Contents List with New Content Shared Profile Components Edit Downloadable IP ACLs Name Healthy ACL to permit all traffic because Description token is Healthy ha ACL Contents Network Access Filtering C permit 158414 2 Back to Help From the drop down list in the Network Access Filtering column of the ACL Contents table choose the correct NAF for this ACL You can choose the default NAF All AAA Clients or you can specify a NAF that you have configured to control how access is set up for different devices or groups of devices For example the syntax of an ACE on routers differs from the syntax on a Project Information Exchange PIX firewall By using a NAF you can assign the same ACL to a PIX and a router even t
219. s section documents the steps for using the Agentless Host for Layer 3 template D Note You can use the Agentless Host for L2 802 1x Fallback profile template to create a profile that matches a RADIUS request a switch sends Once the profile is created an analysis of the RADIUS packet that comes from the Catalyst 6500 must be done to create an accurate match for the profile The RADIUS request from the switch has a Service Type value of 10 just like NAC L2 IP but does not have a Cisco Attribute Value Pair AV pair that contains the keyword service Therefore the template enables two entries in the Advanced Filtering section The Agentless Host for Layer 3 template creates a profile for Layer 3 requests that involve agentless host processing Before you use this template you should choose System Configuration gt Global Authentication Setup and check the Enable Posture Validation check box Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 965 Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs To create an agentless host for Layer 3 profile template Step1 In the navigation bar click Network Access Profiles The Network Access Profiles page opens Step2 Click Add Template Profile The Create Profile from Template page opens as shown in Figure 9 50 Figure 9 50 Create Profile From Template Page Create Profile from Template 2 Name Test_NAC_L2_802 1x Sample
220. s who will use this feature are customers who use Microsoft supplicants Summary of Configuration Steps Step 1 Step 2 Step 3 To configure PEAP TLS Configure security certificates See Step 1 Configure Security Certificates page 7 1 for details Configure global authentication settings See Step 2 Configure Global Authentication Settings page 7 5 for details Specify EAP TLS options See Step 3 Specify EAP TLS Options page 7 6 for details The following sections provide more details about the previous steps Step 1 Configure Security Certificates This section describes a simplified procedure for the ACS for Windows platform For detailed information on installing certificates and for information on how to install certificates on the Cisco Secure ACS Solution Engine platform see Chapter 9 of the User Guide for Cisco Secure ACS 4 2 Advanced Configuration Authentication and Certificates I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 jg Chapter7 PEAP EAP TLS Configuration Scenario HZ Step 1 Configure Security Certificates Obtain Certificates and Copy Them to the ACS Host To use EAP TLS you must obtain and install security certificates To copy a certificate to the ACS host Step 1 Obtain a security certificate Step2 Create a Certs directory on the ACS server a Open a DOS command window b To create a certificates directory enter mkdir lt selected_drive gt
221. sco com en US docs net_mgmt cisco_secure_access_control_server_for_solution_en gine 4 2 installation guide solution_engine ACS_42_SE_install html Configure Additional Administrators When you install the Windows version of ACS there are initially no administrative users When you install Cisco Secure ACS Solution Engine ACS SE there is initially one administrator To set up additional administrative accounts a Add Administrators I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 jg Chapter1 Overview of ACS Configuration W Summary of Configuration Steps b For each administrator specify administrator privileges c As needed configure the following optional administrative policies Access Policy Specify IP address limitations HTTP port restrictions and secure socket layer SSL setup Session Policy Specify timeouts automatic local logins and response to invalid IP address connections Password Policy Configure the password policy for administrators For detailed information see Chapter 5 Password Policy Configuration Scenario Step4 Configure the Web Interface a Add AAA clients and specify the authorization protocols that the clients will use b Click Interface Configuration c On the Interface Configuration page configure the interface to include one or more of RADIUS Configuration Options For detailed information see Displaying RADIUS Configuration Options
222. ssChanges ACS user password changes log messages CisACS_15_ServiceMon ACS service monitoring log messages CisACS_16_ApplAdmin ACS appliance administration audit log messages e msg_id Unique message id All segments of one message share the same message ID e total_seg Total number of segments in this message e seg Segment sequence number within this message segmentation e ai vi Attribute value pairs delimited by a comma for Cisco ACS log messages and the message itself Facility Codes ACS syslog messages use the following facility values e 4 Security and authorization messages This value is used for all AAA related messages failed attempts passed attempts accounting and so on e 13 Log audit This value is used for all other ACS report messages Configuration Guide for Cisco Secure ACS 4 2 lt OL 14390 02 Chapter 8 Syslog Logging Configuration Scenario Format of Syslog Messages in ACS Reports W All ACS syslog messages use a severity value of 6 informational For example if the facility value is 13 and the severity value is 6 the Priority value is 110 8 x 13 6 The Priority value appears according to the syslog server setup and might appear as one of System3 Info lt 110 gt amp Note You cannot configure the format of the syslog facility and severity on ACS The following sample syslog message shows how the facility code and other information
223. ssword policy configuring 5 1 5 4 incorrect password attempt options 5 7 password inactivity options 5 7 password lifetime options 5 6 password validation options 5 6 PEAP 2 3 ping turning off 3 16 turning on 3 16 Policy Servers 2 15 Populate from Global 9 53 port 2002 in HTTP port ranges 5 11 posture assessments final 9 43 in progress 9 43 posture validation configuring for NAC 9 35 profile adding an external validation policy to 9 69 adding an internal validation policy to 9 69 mapping audit servers to 9 71 protected access certificate See PAC Protected Extensible Authentication Protocol See PEAP purging RSA Node Secret file 3 10 RACs configuring for NAC NAP 9 25 creating 9 26 sample RACs for NAC NAP 9 26 RADIUS 2 2 RADIUS AAA client configuring 6 5 RADIUS AAA clients configuring 9 2 RADIUS access control entry See ACE RADIUS Authorization Components See RACs RDBMS Synchronization 2 14 configuring to use a local CSV file 4 5 network configuration 4 14 running from the ACS GUI 4 8 using CSDBSync 4 8 using to configuring dACLs 4 2 READ_DACL 4 13 READ_NAS 4 15 reading dACLs 4 12 regional WLAN 2 7 related documentation xii reliability of network 2 19 remote access policies 2 16 remote web access configuring ACS for 9 17 reports administrator entitlement report 5 12 RSA configuring LDAP group mapping for 3 11 configuring Token Server support on the ACS SE 3 8 Configuration Guide for Cisco Secure ACS
224. stall new certificate 2 Read certificate from file Certificate file C Certs server cer C Use certificate from storage Certificate CN Private key file c Certs server pvk Private key password f swej Step5 Ensure that you click the Read certificate from file radio button Step6 In the Certificate file text box enter the server certificate location path and name for example c Certs server cer Step7 In the Private Key File text box type the server certificate private key location path and name for example c Certs server pvk Step8 In the Private Key password text box type 1111 Step9 Click Submit Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 EN Chapter7 PEAP EAP TLS Configuration Scenario HZ Step 1 Configure Security Certificates Step 10 ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services Step 11 Do not restart the services at this time Restart the services later after you have completed the steps for adding a trusted certificate See Add a Trusted Certificate page 7 4 Install the CA Certificate To install the CA Certificate Step1 Choose System Configuration gt ACS Certificate Setup gt ACS Certification Authority Setup Step2 The ACS Certification Authority Setup page appears shown in Figure 7 2 Figure 7 2 ACS Certification Authority Setup Page ACS Certification Authority Setup CA Operations 2
225. support up 5 000 discrete network access servers NASs You can use the multi NAS capability of ACS to increase this number LAN Versus WAN Deployment Number of LANs in the Network In general you should provide one ACS server per LAN If a backup ACS is required the backup ACS may reside on the same LAN or can be an ACS on another LAN WAN Latency and Dependability The distance between LANs in a large network 25 000 to 50 000 users is also a consideration If the network is centralized one primary ACS and one secondary ACS might be sufficient If the network is geographically dispersed the number of ACS servers required varies with the needs of the regions For example e Some regions may not need a dedicated ACS e Larger regions regions with over 10 000 users such as corporate headquarters might need several ACSs The distance between subnets is also a consideration If subnets are close together the connections will be more reliable and fewer ACS servers will be needed Adjacent subnets could serve other buildings with reliable connections If the subnets are farther apart more ACS servers might be needed The number of subnets and the number of users on each subnet is also a factor For example ina WLAN a building may have 400 potential users and the same subnet might comprise four buildings One ACS assigned to this subnet will service 1 600 users about one tenth of the number of current users Other buildings coul
226. t for use in the OpenSSL Toolkit http www openssl org This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit See below for the actual license texts Actually both licenses are BSD style Open Source licenses In case of any license issues related to OpenSSL please contact openssl core openssl org OpenSSL License Copyright 1998 2007 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote p
227. t is correct Ensure that the ACLs defined in the file are correct Failed to upload file into FTP server Possible Cause The FTP server was not reachable or a network error occurred Recommended Action Ensure that the IP address for the FTP server in the RDBMS configuration is correct and that the network is functioning correctly I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration HZ Reading Updating and Deleting dACLs Table 4 3 dACL Creation Errors continued Error Message Explanation Failed to import DACL file Possible Cause The user ID specified in the RDBMS Synchronization configuration does not have write access to the ACS Recommended Action Ensure that the specified user has write access to the ACS Failed to access Host DB Possible Cause The CSDBSync service could not access the database on the host ACS Recommended Action Ensure that the database on the ACS is configured correctly and enabled correctly in the ACS GUI Reading Updating and Deleting dACLs Table 4 4 lists the account action codes that you can use to read update or delete a dACL Configuration Guide for Cisco Secure ACS 4 2 Ca OL 14390 02 Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Reading Updating and Deleting dACLs W Table 4 4 Account Action Cod
228. t server for Token Token g GAME group feedback Primary https test 2002 resource Healthy Unknown Secondary a Server URL ae a sie data le osture test Test posture validation Token Token P server Primary https test 2002 resource Healthy Healthy Secondary e Do Not Use Audit Server Use this Posture Token Fail Open Configuration when unable to retrieve Quarantine x V Do Not reject when Audit posture data failed M Assign a User Group EHME Timeout sec roup 3 Submit Cancel Choose the audit server to use To specify a Fail Open configuration to use if the audit fails a Check the Do not reject when Audit failed check box b From the Use this Posture Token when unable to retrieve posture data drop down list choose a posture token to apply if the audit fails c Enter a timeout value in seconds OL 14390 02 158453 Configuration Guide for Cisco Secure ACS 4 2 jg Chapter9 NAC Configuration Scenario HI Step 11 Optional Configure GAME Group Feedback Step 9 Step 10 Step 11 d If you want to specify a user group to which to assign the supplicant if the audit fails check the Assign a User Group check box and then from the Assign a User Group drop down list choose a user group Click Submit Click Done Click Apply and Restart Step 11 Optional Configure GAME Group Feedback Step 1 Step 2 Step 3 Step 4 Step 5
229. teger Your vendor ID should be the Internet Assigned Numbers Authority IANA assigned number that is the first section of the posture token attribute name vendor 6 To install the attributes specified in the text file a Open a DOS command window b Enter the following command lt ACS_Install_Dir gt bin CSUtil addAVP file_name where ACS_Install_Dir is the name of the ACS installation directory and file_name is the name of the text file that contains vendor attributes Restart the CSAdmin CSLog and CSAuth services Configuration Guide for Cisco Secure ACS 4 2 Po40 OL 14390 02 Chapter 9 NAC Configuration Scenario Configure the External Posture Validation Audit Server Step 7 Configure Posture Validation for NAC W You can configure an audit server once and then use it for other profiles To configure an audit server Step1 In the Posture Validation Components Setup page click External Posture Validation Audit Setup Step2 Click Add Server The External Posture Validation Audit Server Setup page appears as shown in Figure 9 28 Figure 9 28 External Posture Validation Audit Server Setup Page External Posture Yalidation Audit Server Setup Name Description Which Hosts Are Audited E Audit all user groups x Available Groups Selected Groups 1 Group 1 2 Group 2 3 Group 3 4 Group 4 2 5 Group 5 6 Group 6 g lt lt 7 Gro
230. tep7 Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 Summary of Configuration Steps W By using database synchronization By using database replication For detailed instructions see Displaying RADIUS Configuration Options in Chapter 2 of the User Guide for Cisco Secure ACS 4 2 Using the Web Interface Configure Certificates This step is required if you are using EAP TLS Secure Sockets Layer SSL or Cisco Network Admission Control NAC For detailed instructions see Step 3 Install and Set Up an ACS Security Certificate page 6 6 Configure Global Authentication Settings Configure the security protocols that ACS uses to authenticate users You can configure the following global authentication methods e PEAP e EAP FAST e EAP TLS e LEAP e EAP MD5 e Legacy authentication protocols such as MS CHAP Version 1 and Version 2 For detailed instructions see Global Authentication Setup in Chapter 8 of the User Guide for Cisco Secure ACS 4 2 System Configuration Authentication and Certificates Configure Shared Profile Components You can configure the following shared profile components e Downloadable IP ACLs e Network Access Filtering e RADIUS Authorization Components e Network Access Restrictions e Command Authorization Sets For detailed instructions see Chapter 3 of the User Guide for Cisco Secure ACS 4 2 Shared Profile Components Set Up Network Device Groups
231. ter2 Deploy the Access Control Servers W Determining the Deployment Architecture This section discusses e Access types How users will access the network through wireless access LAN access through switches and so on and the security protocols used to control user access for example RADIUS EAP TLS Microsoft Active Directory and so on e Network architecture How the network is organized centrally through campus LANs regional LANs WLANs and so on This section contains e Access Types page 2 2 e Placement of the RADIUS Server page 2 11 Access Types This section contains e Wired LAN Access page 2 2 e Wireless Access Topology page 2 5 e Dial up Access Topology page 2 9 Wired LAN Access You can use wired LAN access in a small LAN environment a campus LAN environment or a regionally or globally dispersed network The number of users determines the size of the LAN or WLAN Size Users small LAN 1 to 3 000 medium sized LAN 3 000 to 25 000 large LAN 25 000 to 50 000 very large LAN or WLAN over 50 000 The wired LAN environment uses the following security protocols e RADIUS RADIUS is used to control user access to wired LANs In broadcast or switch based Ethernet networks you can use RADIUS to provide virtual LAN identification information for each authorized user e EAP Extensible Authentication Protocol EAP provides the ability to deploy RADIUS into Ethernet network environment
232. thority Setup page appears shown in Figure 6 4 Figure 6 4 ACS Certification Authority Setup Page ACS Certification Authority Setup CA Operations 2 Add new CA certificate to local certificate storage CA certificate file C Certs ca cer 2 Back to Help In the CA certificate file box type the CA certificate location path and name For example c Certs ca cer Click Submit 158374 Add a Trusted Certificate After you add a server certificate and set up the certificate authority install a trusted certificate To add a trusted certificate Step1 Choose System Configuration gt ACS Certificate Setup gt Edit Certificate Trust List The Edit Certificate Trust List appears Step2 Locate the trusted certificate that you want to install and check the corresponding check box by the certificate name For example find the Stress certificate and check the corresponding check box Step3 Click Submit Step4 To restart ACS choose System Configuration gt Service Control and then click Restart Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 g 69 Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Step 4 Configure LDAP Support for MAB You can configure the ACS internal database to manage MAB used with the agentless host feature however if you have a large number of MAC addresses to process for example several thousand it is mo
233. tion Using RDBMS Synchronization to Configure dACLs W If the dACL was not created correctly review the steps in Using RDBMS Synchronization to Configure dACLs page 4 2 and check for errors For a list of error messages see Error Messages page 4 11 Error Messages Table 4 3 lists the error messages associated with dACL creation using CSDBSync Table 4 3 dACL Creation Errors Error Message Explanation Failed to process DACL DACL not defined Possible Cause The dACL was not specified correctly in the text file used to define the dACLs Recommended Action Review the text file that you coded to specify the dACLs and ensure that the syntax is correct Failed to process DACL Could not find NAF Possible Cause The text file provided to define the dACL did not correctly define a NAF Recommended Action Review the text file that you coded to specify the dACLs and ensure that the syntax is correct Failed to process DACL Failed to get UserID Possible Cause On the ACS SE the user ID specified for the FTP server in the RDBMS Synchronization configuration was incorrect Recommended Action Check to ensure that the specified user ID exists on the FTP server used with the ACS SE Failed to process DACL DACL content not found Possible Cause The text file used to specify the dACL did not correctly specify the dACL content Recommended Action Check the syntax in the text file and ensure that i
234. tion or NAF name 380 CREATE_USER_DACL UNIGN VN This action code associates a specified dACL with a User or Group The dACL name specified should be valid and present in ACS The codes are UN valid Username GN Valid Group name optional VN dACL name This dACL must be defined in Shared Profile Components Step 4 Configure RDBMS Synchronization to Use a Local CSV File To configure RDBMS Synchronization to use a local CSV file Step1 In the navigation bar click System Configuration Step2 Click RDBMS Synchronization S Note If this feature does not appear choose Interface Configuration gt Advanced Options then check the RDBMS Synchronization check box The RDBMS Synchronization Setup page appears Step3 If you are using ACS for Windows complete these steps a Complete the required fields on the RDBMS Synchronization Setup page Figure 4 1 Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 EN Chapter4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration HZ Using RDBMS Synchronization to Configure dACLs Step 4 Figure 4 1 RDBMS Synchronization Setup Page ACS for Windows d RDBMS Synchronization Setup Service is Running RDBMS Synchronization using local CSV a Use local CSV file AccountActions File Directory 203266 Check the Use local CSV file check box In the AccountActions file field enter the filenam
235. tless request was not assigned a user group drop down list choose a user group to which ACS assigns a host that is not matched to a user group Configuration Guide for Cisco Secure ACS 4 2 I OL 14390 02 EE Chapter9 NAC Configuration Scenario HI Step 8 Set Up Templates to Create NAPs Sample Posture Validation Rule Figure 9 44 shows the sample posture validation policy provided with the NAC Layer 2 802 1x template Figure 9 44 Sample Posture Validation Policy for NAC Layer 2 802 1x Template Posture Validation for Sample_NAC_L28021x 2 Posture Yalidation Rules Condition Action Rule Name Required Credential Types Associate With e NAC EXAMPLE POSTURE EXAMPLE cisco Pa NAC SAMPLE CTA POLICY Internal Add Rule up Down The Up Down buttons submit and save the sort order to the database Determine Posture Validation for NAH No Audit Server was selected Select Audit Done 158438 Sample Wireless NAC L2 802 1x Template This template creates a profile for Layer 2 NAC 802 1x requests in wireless networks Before you use this template you should choose System Configuration gt Global Authentication Setup and check the Enable Posture Validation check box To create a wireless NAC L2 802 1x NAC profile template Step1 In the navigation bar click Network Access Profiles The Network Access Profiles page opens Step2 Click Add Template Profile The Create Profile from Tem
236. tory check box and choose how many days of logging to keep Enter the number of days based on how much space you have on your hard drive Cisco recommends that you specify seven days Click Restart to restart ACS Wait until the browser s progress bar shows that the page has reloaded completely Configure Logs and Reports ACS logs records of users who gain or are refused network access as well as records of other actions You can output the information in the logs to reports that you view in the ACS GUI which you can then save or print out and review These reports summarize the logs and provide useful information for debugging and tracking problems For detailed information on ACS logs and reports see Chapter 10 of the User Guide for Cisco Secure ACS 4 2 Logs and Reports The Failed Attempts report and the RADIUS Accounting report are useful tools for monitoring the performance of the NAC NAP network And the Passed Authentications report is particularly useful in NAC enabled networks because it shows the group mapping for each posture validation request By default the Passed Authentication report is unchecked disabled Configuration Guide for Cisco Secure ACS 4 2 Poi DE OL 14390 02 _ Chapter 9 NAC Configuration Scenario Step 1 Step 2 Step 3 To enable the Passed Authentications report Step 3 Set Up System Configuration W In the navigation bar click System Configuration The System
237. trator will be locked out after n days Following the last account activity if enabled n specifies the number of days before ACS locks out the associated administrator account due to password inactivity default 30 range 1 to 365 amp Note For additional security ACS does not warn users who are approaching the limit for account inactivity Specify Incorrect Password Attempt Options In the Incorrect Password Attempt Options section configure Lock out Administrator after n successive failed attempts If checked enabled n specifies the allowable number of incorrect password attempts When checked n cannot be set to zero 0 If not checked disabled ACS allows unlimited successive failed login attempts The default value is 3 days the range 1 to 98 days Note For additional security ACS does not warn users who are approaching the limit for failed attempts If the Account Never Expires option is checked enabled for a specific administrator this option is ignored Step 3 Configure Session Policy To configure session policy Step1 On the Administration Control page click Session Policy The Session Policy Setup page opens as shown in Figure 5 3 Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 E57 Chapter5 Password Policy Configuration Scenario HI Step 3 Configure Session Policy Figure 5 3 The Session Policy Setup Page Session Policy Setup Session Configuration
238. u can open a browser in which to administer ACS The URLs for remote access are e http IP_address 2002 e http hostname 2002 Step 5 Set Up Shared Profile Components Before you can set up NAPs you must set up Shared Profile Components Shared Profile Components are configurations that can be reused across many different NAPs to set up filtering within ACS or to control network authorizations within RADIUS A NAP is a classification of network access requests for applying a common policy You can use NAPs to aggregate all policies that should be activated for a certain location in the network or for users who connect to the network by using specified protocols such as EAP over UDP EoU or 802 1x For detailed information on NAPs see Chapter 14 of the User Guide for Cisco Secure ACS 4 2 Network Access Profiles This section describes the following tasks e Configure Network Access Filtering Optional page 9 20 e Configure Downloadable IP ACLs page 9 21 e Configure Radius Authorization Components page 9 25 Configure Network Access Filtering Optional Step 1 Step 2 Step 3 NAF is an ACS feature that groups several devices into one group The devices can be ACS clients ACS servers ACS network device groups NDGs or a specific IP address NAFs are particularly useful for defining NAPs When you set up Downloadable IP ACLs you can e Assign the default NAF which is All AAA Clients This default allows a
239. u configured on the External User Databases gt External User Database Configuration page If you will validate MAC addresses by using the ACS internal database a Click Internal ACS DB b Click Add A text box for entering MAC addresses and associated user group mappings appears as shown in Figure 6 13 Figure 6 13 MAC Address Input Area MAC Addresses User Group Internal 0 Default Group gt ACS DB a Delete 9 8 c In the MAC addresses input area enter one or more MAC addresses to use in authenticating agentless hosts You can enter the MAC address in the following formats for representing MAC 48 addresses in human readable form Six groups of two hexadecimal digits separated by hyphens in transmission order for example 01 23 45 67 89 ab Six groups of two separated by colons for example 01 23 45 67 89 ab Three groups of four hexadecimal digits separated by dots for example 0123 4567 89ab d From the drop down list of user groups in the User Group area choose a user group to which devices having one of the specified MAC address are mapped e To add additional groups of MAC addresses click Add and enter additional groups and associated user groups as required In the Default Action If Agentless request was not assigned to a user group area from the drop down list of user groups choose a group to which to assign the MAC addresses if the MAC addresses are
240. u set up for your network To create a LDAP configuration in ACS Step1 In the navigation bar click External User Databases The External User Databases page opens Step2 Click Database Configuration The External User Database Configuration page opens Step3 Click Generic LDAP The Database Configuration Creation table appears If an LDAP configuration exists the External User Database Configuration table also appears Step4 Do one of the following If e There are no existing LDAP database configurations click Create New Configuration e The External User Database table appears click Configure Step5 Ifyou are creating anew LDAP configuration enter the name of the new configuration for generic LDAP and then click Submit Step6 Click Configure The Generic LDAP Configuration page appears and contains four sections e Domain Filtering Use to configure domain filtering which is an optional configuration setting Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 SE Chapter6 Agentless Host Support Configuration Scenario WE Basic Configuration Steps for Agentless Host Support Step 7 Step 8 e Common LDAP Configuration Configure the settings in this section to specify how ACS queries the LDAP database e Primary LDAP Server Configure the settings in this section to specify the primary LDAP server e Secondary LDAP Server Configure the settings in this section if you are setting up LDAP failback
241. udit report under the local_login administrator name e Respond to invalid IP address connections Enables ACS to send an error message in response to attempts to start a remote administrative session by using an IP address that is invalid according to the IP address range settings in the Access Policy If this check box is unchecked ACS does not display an error message when a user makes an invalid remote connection attempt This option is checked enabled by default Disabling this option can help to prevent unauthorized users from discovering ACS Configuration Guide for Cisco Secure ACS 4 2 a OL 14390 02 Chapter 5 Password Policy Configuration Scenario Step 4 Configure Access Policy Hi Step 4 Configure Access Policy Step 1 Step 2 This section describes how to configure administrative access policy Before You Begin If you want to enable the SSL for administrator access you must have completed the steps in Install the CA Certificate page 7 4 and Add a Trusted Certificate page 7 4 After you have enabled SSL ACS begins using the SSL at the next administrator login This change does not affect current administrator sessions In the absence of a certificate ACS displays an error message when you attempt to configure SSL To set up an ACS access policy In the navigation bar click Administration Control ACS displays the Administration Control page Click Access Policy The Access Policy Setup pag
242. udit server determines the posture credentials of a host without relying on the presence of a PA Configuring an external audit server involves two stages e Adding the posture attribute to the ACS internal dictionary e Configuring an external posture validation server audit server Add the Posture Attribute to the ACS Dictionary Before you can create an external posture validation server you must add one or more vendor attributes to the ACS internal data dictionary To do this you use the bin CSUtil tool which is located in the ACS installation directory Configuration Guide for Cisco Secure ACS 4 2 Po74 OL 14390 02 Chapter 9 NAC Configuration Scenario Step 1 Step 2 Step 3 Step 11 Optional Configure GAME Group Feedback W To add the posture attributes Create a text file in the Utils directory with the following format attr 0 vendor id your vendor id vendor name The name of you company application id 6 application name Audit attribute id 00003 attribute name Dummy attr attribute profile out attribute type unsigned integer Your vendor ID should be the Internet Assigned Numbers Authority IANA assigned number that is the first section of the posture token attribute name vendor 6 To install the attributes specified in the text file a Open a DOS command window b Enter the following command lt ACS_Install_Dir gt bin CSUtil addAVP file_name where ACS_Install_Dir is t
243. uests device type authentication from the audit server For details on configuring posture validation see Enable Posture Validation page 7 46 The detailed steps for configuring GAME group feedback are described in Enable GAME Group Feedback page 7 46 in Chapter 9 NAC Configuration Scenario Summary of Configuration Steps Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 To configure agentless host support in ACS Install ACS for Windows or ACS Solution Engine ACS SE See Step 1 Install ACS page 6 4 for details Configure a RADIUS AAA client See Step 2 Configure a RADIUS AAA Client page 6 5 for details Configure restrictions on the admin user password Install and set up an ACS security certificate Note This step is required to enable posture validation and Network Access Profiles a Obtain certificates and copy them to the ACS host b Run the Windows certificate import wizard to install the certificate c Enable security certificates on the ACS installation d Install the CA certificate e Add a trusted certificate See Step 3 Install and Set Up an ACS Security Certificate page 6 6 for details Configure LDAP support for MAB a Configure an external LDAP database for MAB support b Create One or More LDAP Database Configurations in ACS See Step 4 Configure LDAP Support for MAB page 6 10 for details Configure user groups for MAB segments See Step 5 Configure User Groups f
244. ule 9 65 Using a Sample Agentless Host Template 9 65 Profile Setup 9 67 Protocols Policy 9 68 Authentication Policy 9 69 Step 9 Map Posture Validation Components to Profiles 9 69 Step 10 Map an Audit Server to a Profile 9 71 Step 11 Optional Configure GAME Group Feedback 9 72 Import an Audit Vendor File by Using CSUtil 9 73 Import a Device Type Attribute File by Using CSUtil 9 73 Import NAC Attribute Value Pairs 9 73 Configure Database Support for Agentless Host Processing 9 74 Enable Posture Validation 9 74 Configure an External Audit Server 9 74 Configure an External Posture Validation Audit Server 9 74 Add the Posture Attribute to the ACS Dictionary 9 74 Configure the External Posture Validation Audit Server 9 76 Enable GAME Group Feedback 9 79 GLOSSARY INDEX Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Audience Organization Preface This guide is for security administrators who use Cisco Secure Access Control Server ACS and who set up and maintain network and application security This document contains Chapter 1 Overview of ACS Configuration Provides an overview of ACS configuration including a summary of configuration steps and configuration flowchart that show the sequence of configuration steps Chapter 2 Deploy the Access Control Servers Describes factors to consider when deploying ACS including the access type network topology and whether database synchro
245. up 7 8 Group 8 9 Group 9 10 Group 10 11 Gr 11 42 piss 1 audit all hosts gt Host IP Addresses and Ranges IP MASK comma separated values f Host MAC Addresses comma separated values f Select a Posture Token for the Healthy E hosts that will not be audited _ B Step3 To configure the audit server a Enter a Name and Description optional b Inthe Which Hosts Are Audited section choose what hosts you want to audit You can enter the host IP or MAC addresses for the hosts that you want to audit or for a host that you do not want to audit c For the hosts that will not be audited choose a posture token from the drop down list d Scroll down to the Use These Audit Servers section Figure 9 29 shows the Use These Audit Servers section of the External Posture Validation Server Setup page Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 Chapter9 NAC Configuration Scenario HI Step 7 Configure Posture Validation for NAC Figure 9 29 Use These Audit Servers Section Use These Audit Servers Audit Server Unix vendor a URL Username Password M Primary Server Ti tj Configuration imeout sec Trusted Root CA none selected Validate Certificate Vv Common Name URL Username Password M Secondary Server Timeout sec s Configuration Trusted Root CA none selected validate Certificate Vv Common Name
246. ut Sets Revalidation Timer in seconds xX xX X 29 Termination Action on Session Timeout Action 0 Default Terminate session 1 Radius Request Re authenticate x 64 Tunnel Type 13 VLAN x 65 Tunnel Medium Type 6 802 x x x 79 EAP Message EAP Request Response Packet in Access Request and Access Challenge EAP Success in Access Accept EAP Failure in Access Reject X xX X 80 Message Authenticator HMAC MDS to ensure integrity of packet x 81 Tunnel Pri VLAN name vate Group ID Step 6 Configure an External Posture Validation Audit Server A NAC enabled network might include agentless hosts that do not have the NAC client software ACS can defer the posture validation of the agentless hosts to an audit server The audit server determines the posture credentials of a host without relying on the presence of a PA Configuring an external audit server involves two stages e Adding the posture attribute to the ACS internal dictionary e Configuring an external posture validation server audit server Add the Posture Attribute to the ACS Dictionary Step 1 Before you can create an external posture validation server you must add one or more vendor attributes to the ACS internal data dictionary To do this you use the bin CSUtil tool which is located in the ACS installation directory To add the posture attributes Create a text file in the Utils directory with the following format attr 0 vendor id
247. utton b To specify a LDAP server click the LDAP Server radio button and then from the drop down list choose an LDAP server c From the If Agentless request was not assigned a user group drop down list choose a user group to which ACS assigns a host that is not matched to a user group Configuration Guide for Cisco Secure ACS 4 2 Chapter9 NAC Configuration Scenario Step 8 Set Up Templates to Create NAPs W Sample Posture Validation Rule Figure 9 49 shows the sample posture validation policy provided with the Wireless NAC L2 802 1x template Figure 9 49 Sample Posture Validation Policy for Wireless NAC L2 802 1x Template Posture Validation for Sample_NAC_L28021x 2 Posture Yalidation Rules Condition Action Rule Name Required Credential Types Associate With C NAC EXAMPLE POSTURE EXAMPLE cisco Pa NAC SAMPLE CTA POLICY Internal Add Rule up Down The Up Down buttons submit and save the sort order to the database Determine Posture Validation for NAH No Audit Server was selected Select Audit Done 158438 amp Note The posture validation policy for the wireless NAC L2 802 1x template is the same as for the NAC L2 802 1x template Using a Sample Agentless Host Template ACS 4 1 provides two sample templates for agentless host processing e Agentless Host for L3 e Agentless Host for L2 802 1x fallback These two templates are almost identical Thi
248. visioning C Require client certificate for provisioning When receiving client certificate select one of the following lookup methods Certificate SAN lookup O Certificate CN lookup Table 3 1 describes the new EAP FAST settings Table 3 1 Option 270294 New EAP FAST Global Configuration Settings with Release 4 2 Description Allow Full TLS Renegotiation in Case of Invalid PAC This option handles cases of an invalid or expired PAC In this situation the EAP server can select a different cipher than the one normally used with the invalid PAC to start the full TLS handshake and authentication Check the Allow Full TLS Renegotiation in Case of Invalid PAC check box if you have clients that might attempt to authenticate by using certificates that are unusually old Allow Anonymous In band PAC Provisioning ACS provisions an end user client with a PAC using EAP FAST phase zero If you check this check box ACS establishes a secured connection with the end user client to provide the client with a new PAC Enable anonymous TLS renegotiation If you check the Allow Anonymous in band PAC Provisioning check box you can also check the Enable anonymous TLS renegotiation check box Check the Enable anonymous TLS renegotiation check box if your network contains Vista clients to prevent Vista users from being prompted twice for their password wi Configuration Guide for Cisco Secure ACS 4 2 OL 14390
249. w the user can connect to the LAN or from the LAN to outside resources that is the Internet Connectivity is possible in many ways dial in ISDN wireless bridges and secure Internet connections Each method incurs its own advantages and disadvantages and provides a unique challenge to providing AAA services In addition to the method of Configuration Guide for Cisco Secure ACS 4 2 OL 14390 02 Chapter 2 Deploy the Access Control Servers Additional Topics Hil access other decisions can also affect how ACS is deployed these include specific network routing access lists time of day access individual restrictions on AAA client access access control lists ACLs and so on You can implement remote access policies for employees who telecommute or mobile users who dial in over ISDN or a public switched telephone network PSTN Such policies are enforced at the corporate campus with ACS and the AAA client Inside the enterprise network remote access policies can control wireless access by individual employees ACS remote access policies provide control by using central authentication and authorization of remote users The Cisco user database maintains all user IDs passwords and privileges You can download ACS policies in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server or by allowing access during specific periods or on specific access servers Remote access policies are
250. x b Check the Certificate SAN comparison and Certificate Binary comparison check boxes c Leave the EAP TLS timeout field set to the default 120 minutes Step 5 In the EAP MD5 section check the Allow EAP MD5 check box Step6 Scroll down to the MS CHAP configuration section and check the Allow MS CHAP Version 1 Authentication and Allow MS CHAP Version 2 Authentication check boxes as shown in Figure 9 7 Figure 9 7 MS CHAP Authentication Selection LEAP M Allow LEAP For Aironet only EAP MDS M Allow EAP MDS AP EAP request timeout seconds 20 MS CHAP Configuration 2 M Allow MS CHAP Version 1 Authentication M Allow MS CHAP Version 2 Authentication 240963 Step7 Click Submit Restart Step8 Go to Set Up EAP FAST Configuration page 9 12 and configure EAP FAST authentication Configuration Guide for Cisco Secure ACS 4 2 oL 14390 02 lt Chapter9 NAC Configuration Scenario HZ Step 3 Set Up System Configuration Set Up EAP FAST Configuration To configure ACS to work with NAC and use EAP FAST with posture validation Step1 In the navigation bar click System Configuration The System Configuration page opens Step2 Click Global Authentication Setup The Global Authentication Setup Page appears as shown in Figure 9 6 Step3 Click EAP FAST Configuration The EAP FAST Configuration page appears as shown in Figure 9 8 Configuration Guide for Cisco Secure ACS 4 2 Ca OL 143
251. z i Sj Sj pad Switch 3 Region 3 158313 Wireless Access Topology A wireless access point AP such as the Cisco Aironet series provides a bridged connection for mobile end user clients into the LAN Authentication is absolutely necessary due to the ease of access to the AP Encryption is also necessary because of the ease of eavesdropping on communications Scaling can be a serious issue in the wireless network The mobility factor of the WLAN requires considerations similar to those given to the dial up network Unlike the wired LAN however you can more readily expand the WLAN Though WLAN technology does have physical limits as to the number of users who can connect via an AP the number of APs can grow quickly As with the dial up network you can structure your WLAN to allow full access for all users or provide restricted access to different subnets among sites buildings floors or rooms This capability raises a unique issue with the WLAN the ability of a user to roam among APs Simple WLAN A single AP might be installed in a simple WLAN Figure 2 4 Because only one AP is present the primary issue is security An environment such as this generally contains a small user base and few network devices Providing AAA services to the other devices on the network does not cause any significant additional load on the ACS I OL 14390 02 Configuration Guide for Cisco Secure ACS 4 2 Chapter2 Deploy the Ac
Download Pdf Manuals
Related Search