Configuration Guide for Cisco Secure ACS 4.2 February 2008 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface ix Audience ix Organization ix Conventions x Product Documentation x Related Documentation xii Obtaining Documentation and Submitting a Service Request xii Notices iii-xii OpenSSL/Open SSL Project iii-xiii License Issues iii-xiii CHAPTER 1 Overview of ACS Configuration 1-1 Summary of Configuration Steps Configuration Flowchart CHAPTER 2 1-1 1-5 Deploy the Access Control Servers 2-1 Determining the Deployment Architecture 2-1 Access Types 2-2 Wired LAN Access 2-2 Wi
Contents Deploying ACS in a NAC/NAP Environment 2-15 Additional Topics 2-16 Remote Access Policy 2-16 Security Policy 2-17 Administrative Access Policy 2-17 Separation of Administrative and General Users Database Considerations 2-19 Number of Users 2-19 Type of Database 2-19 Network Latency and Reliability 2-19 CHAPTER 3 Configuring New Features in ACS 4.
Contents Step 6: View the dACLs Error Messages 4-11 4-9 Reading, Updating, and Deleting dACLs 4-12 Updating or Deleting dACL Associations with Users or Groups 4-14 Using RDBMS Synchronization to Specify Network Configuration 4-14 Creating, Reading, Updating and Deleting AAA clients 4-15 CHAPTER 5 Password Policy Configuration Scenario 5-1 Limitation on Ability of the Administrator to Change Passwords Summary of Configuration Steps 5-2 Step 1: Add and Edit a New Administrator Account Step 2: Conf
Contents Step 6: Enable Agentless Request Processing 6-18 Create a New NAP 6-18 Enable Agentless Request Processing for a NAP Configure MAB 6-21 Step 7: Configure Logging and Reports 6-23 Configuring Reports for MAB Processing 6-23 Configuration Steps for Audit Server Support Configure GAME Group Feedback 6-24 CHAPTER 7 PEAP/EAP-TLS Configuration Scenario Summary of Configuration Steps 6-20 6-24 7-1 7-1 Step 1: Configure Security Certificates 7-1 Obtain Certificates and Copy Them to the ACS Host 7-
Contents Install the CA Certificate 9-7 Install the ACS Certificate 9-8 Set Up Global Configuration 9-8 Set Up Global Authentication 9-9 Set Up EAP-FAST Configuration 9-12 Configure the Logging Level 9-14 Configure Logs and Reports 9-14 Step 4: Set Up Administration Control 9-17 Add Remote Administrator Access 9-17 Step 5: Set Up Shared Profile Components 9-20 Configure Network Access Filtering (Optional) 9-20 Configure Downloadable IP ACLs 9-21 Adding an ACL 9-22 Adding an ACE 9-23 Saving the dACL 9-25 Co
Contents Profile Setup 9-56 Protocols Policy 9-58 Authorization Policy 9-59 Sample Posture Validation Rule 9-60 Sample Wireless (NAC L2 802.
Preface Audience This guide is for security administrators who use Cisco Secure Access Control Server (ACS), and who set up and maintain network and application security. Organization This document contains: • Chapter 1, “Overview of ACS Configuration”—Provides an overview of ACS configuration, including a summary of configuration steps and configuration flowchart that show the sequence of configuration steps.
Preface Conventions This document uses the following conventions: Item Convention Commands, keywords, special terminology, and options that should boldface font be selected during procedures Variables for which you supply values and new or important terminology italic font Displayed session and system information, paths and file names screen Information you enter boldface screen Variables you enter italic screen font Menu items and button names boldface font Indicates menu items to select, in t
Preface Table 1 ACS 4.2 Documentation Document Title Documentation Guide for Cisco Secure ACS Release 4.2 Available Formats • Shipped with product. • PDF on the product CD-ROM. • On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/ 4.2/roadmap/DGuide42.html Release Notes for Cisco Secure ACS Release 4.2 On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/ 4.2/release/notes/ACS42_RN.
Preface Notices Table 1 ACS 4.2 Documentation (continued) Document Title Available Formats Installation and User Guide for Cisco Secure ACS User-Changeable Passwords • Troubleshooting Guide for Cisco Secure Access Control Server • On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/ 4.2/installation/guide/user_passwords/ucp42.html On Cisco.com http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/4.
Preface Notices OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). License Issues The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit.
Preface Notices Original SSLeay License: Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc.
CH A P T E R 1 Overview of ACS Configuration This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps. Note If you are configuring ACS to work with Microsoft clients in a Cisco Network Access Control/Microsoft Network Access Protection (NAC/NAP) network, refer to Chapter 9, “NAC Configuration Scenario.
Chapter 1 Overview of ACS Configuration Summary of Configuration Steps b. For each administrator, specify administrator privileges. c. As needed, configure the following optional administrative policies: – Access Policy—Specify IP address limitations, HTTP port restrictions, and secure socket layer (SSL) setup. – Session Policy—Specify timeouts, automatic local logins, and response to invalid IP address connections. – Password Policy—Configure the password policy for administrators.
Chapter 1 Overview of ACS Configuration Summary of Configuration Steps – By using database synchronization – By using database replication For detailed instructions, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.” Step 7 Configure Certificates. This step is required if you are using EAP-TLS, Secure Sockets Layer (SSL), or Cisco Network Admission Control (NAC).
Chapter 1 Overview of ACS Configuration Summary of Configuration Steps Step 14 Set Up Network Access Profiles. If required, set up Network Access Profiles. Step 15 Configure Logs and Reports. Configure reports to specify how ACS logs data. You can also view the logs in HTML reports. For detailed instructions, see Chapter 9 of the User Guide for Cisco Secure ACS 4.2, “Logs and Reports. Configuration Guide for Cisco Secure ACS 4.
Chapter 1 Overview of ACS Configuration Configuration Flowchart Configuration Flowchart Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration.
Chapter 1 Overview of ACS Configuration Configuration Flowchart Configuration Guide for Cisco Secure ACS 4.
CH A P T E R 2 Deploy the Access Control Servers This chapter discusses topics that you should consider before deploying Cisco Secure Access Control Server, hereafter referred to as ACS. This document does not describe the software installation procedure for ACS or the hardware installation procedure for the ACS SE. For detailed installation information, refer to: • Installation Guide for Cisco Secure ACS for Windows Release 4.2, available on Cisco.com at: http://www.cisco.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture This section discusses: • Access types—How users will access the network (through wireless access, LAN access through switches, and so on) and the security protocols used to control user access; for example, RADIUS, EAP- TLS, Microsoft Active Directory, and so on. • Network architecture—How the network is organized (centrally through campus LANs, regional LANs, WLANs, and so on.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture • EAP-TLS—Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS uses the TLS protocol (RFC 2246), which is the latest version of the Secure Socket Layer (SSL) protocol from the IETF. TLS provides a way to use certificates for user and server authentication and for dynamic session key generation. • PEAP— Protected Extensible Authentication Protocol (PEAP) is an 802.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-2 ACS in a Campus LAN Segment 1 A Segment 3 A Segment 2 A Remote office 158308 Internet Figure 2-2 shows a possible distribution of ACS in a wired campus LAN. In this campus LAN, buildings are grouped into three segments. Each segment consists of 1 to 3 buildings and all the buildings in the segment are on a common LAN.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-3 ACS in a Geographically Dispersed LAN Region 1 Region 2 Switch 1 Switch 1 T1 Firewall Firewall T1 T1 ACS 1 ACS 2 ACS 3 Firewall 158313 Switch 3 Region 3 Wireless Access Topology A wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN. Authentication is absolutely necessary, due to the ease of access to the AP.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-4 Simple WLAN Segment 1 A Segment 3 A Segment 2 A Remote office 158308 Internet Campus WLAN In a WLAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy ACS become more complex. Depending on the processing needs of the installation, all of the APs might be on the same LAN.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-5 Campus WLAN Regional WLAN Setting In a given geographical or organizational region, the total number of users might or might not reach a critical level for a single ACS. Small offices would not qualify for separate installations of ACSs and a regional office might have sufficient reserve capacity. In this case, the small offices can authenticate users across the WAN to the larger regional office.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-6 shows a regional WLAN.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-7 shows ACS installations in a geographically dispersed network that contains many WLANs. Figure 2-7 ACS in a Geographically Dispersed WLAN 63491 I For the model in Figure 2-7, the location of ACS depends on whether all users need access on any AP, or require only regional or local network access.
Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-8 Small Dial-up Network Large Dial-Up Network Access In a larger dial-in environment, a single ACS with a backup may be suitable, too. The suitability of this configuration depends on network and server access latency. Figure 2-9 shows an example of a large dial-in network. In this scenario, the addition of a backup ACS is recommended.
Chapter 2 Deploy the Access Control Servers Determining How Many ACSs to Deploy (Scalability) Placement of the RADIUS Server From a practical standpoint, the RADIUS server should be inside the general network, preferably within a secure subnet designated for servers, such as DHCP, Domain Name System (DNS), and so on. You should avoid requiring RADIUS requests to travel over WAN connections because of possible network delays and loss of connectivity.
Chapter 2 Deploy the Access Control Servers Determining How Many ACSs to Deploy (Scalability) The size of the LAN or WLAN is determined by the number of users who use the LAN or WLAN: Size Users Small LAN 1 to 3,000 Medium-sized LAN 3,000 to 25,000 Large LAN 25,000 to 50,000 Very large LAN or WLAN Over 50,000 For a detailed formula, see the white paper Deploying Cisco Secure ACS for Windows in Cisco Aironet Environment, which is available on Cisco.com at this location: http://www.cisco.
Chapter 2 Deploy the Access Control Servers Deploying ACS Servers to Support Server Failover only create an 80-percent load on the other ACS for the duration of the outage. If the WAN is not suitable for authentication connections, we recommend using two or more ACSs on the LAN in a primary or secondary mode or load balanced.
Chapter 2 Deploy the Access Control Servers Deploying ACS Servers to Support Server Failover • Client configuration—How to configure the client. • Reports and event (error) handling—What information to include in the logs. Replication Design Because database replication in a ACS is a top-down approach, using the cascade method minimizes replication-induced downtime on the master server.
Chapter 2 Deploy the Access Control Servers Deploying ACS in a NAC/NAP Environment Deploying ACS in a NAC/NAP Environment You can deploy ACS in a Cisco Network Admission Control and Microsoft Network Access Protection (NAC/NAP) environment. In the NAC/NAP environment, NAP client computers authorize with ACS by using EAP over UDP (EoU) or EAP over 802.1x. Table 2-1 describes the components of a NAC/NAP deployment.
Chapter 2 Deploy the Access Control Servers Additional Topics Figure 2-11 illustrates the architecture of a NAC/NAP network. Figure 2-11 NAC/NAP Deployment Architecture Cisco switches and routers Cisco ACS (Network Access) NAP client System Health Agents NAP agent EAP-FAST over 802.1X or UDP carrying the list of SoHs or a health certificate RADIUS EAP Host EAP-Host NAP Enforcement Client 802.
Chapter 2 Deploy the Access Control Servers Additional Topics access, other decisions can also affect how ACS is deployed; these include specific network routing (access lists), time-of-day access, individual restrictions on AAA client access, access control lists (ACLs), and so on. You can implement remote-access policies for employees who telecommute, or mobile users who dial in over ISDN or a public switched telephone network (PSTN).
Chapter 2 Deploy the Access Control Servers Additional Topics A small network with a small number of network devices may require only one or two individuals to administer it. Local authentication on the device is usually sufficient. If you require more granular control than what authentication can provide, some means of authorization is necessary. As discussed earlier, controlling access by using privilege levels can be cumbersome. ACS reduces this problem.
Chapter 2 Deploy the Access Control Servers Additional Topics Conversely, if a general user attempts to use his or her remote access to log in to a network device, ACS checks and approves the username and password; but, the authorization process would fail because that user would not have credentials that allow shell or exec access to the device. Database Considerations Aside from topological considerations, the user database is one of the most influential factors in deployment decisions for ACS.
Chapter 2 Deploy the Access Control Servers Additional Topics Configuration Guide for Cisco Secure ACS 4.
CH A P T E R 3 Configuring New Features in ACS 4.2 This chapter describes how to configure several new features provided with ACS 4.2. For information on new features that accompany both ACS for Windows and the ACS SE, see: • New Global EAP-FAST Configuration Options, page 3-1 • Disabling of EAP-FAST PAC Processing in Network Access Profiles, page 3-3 • Disabling NetBIOS, page 3-4 • Configuring ACS 4.
Chapter 3 Configuring New Features in ACS 4.2 New Global EAP-FAST Configuration Options Figure 3-1 New Global EAP-FAST Configuration Options Table 3-1 describes the new EAP-FAST settings. Table 3-1 New EAP-FAST Global Configuration Settings with Release 4.2 Option Description Allow Full TLS Renegotiation in Case of Invalid This option handles cases of an invalid or expired PAC PAC.
Chapter 3 Configuring New Features in ACS 4.2 Disabling of EAP-FAST PAC Processing in Network Access Profiles Disabling of EAP-FAST PAC Processing in Network Access Profiles In the Protocols section for Network Access Profile (NAP) configuration, you can now set up a NAP that causes ACS to use EAP-FAST but not issue or accept tunnel or machine PACs. Figure 3-2 shows the EAP-FAST section of the NAP Protocols page for ACS 4.2.
Chapter 3 Configuring New Features in ACS 4.2 Disabling NetBIOS Figure 3-2 shows the new options on the NAP Protocols page. Table 3-2 New Options on the NAP Protocols Page Option Description: Use PACs Click the Use PACs radio button if you want ACS to authenticate clients to which this NAP is applied by using EAP-FAST with PACs enabled. If you click the Use PACs radio button, then the same EAP-FAST configuration options that are available in the global EAP-FAST configuration are available.
Chapter 3 Configuring New Features in ACS 4.2 Configuring ACS 4.2 Enhanced Logging Features To disable NetBIOS over TCP/ IP in Windows 2000, XP, or 2003: Step 1 Right-click My Network Places and choose Properties. Step 2 Right-click the appropriate Local Area Connection icon, and click Properties. Step 3 Click Internet Protocol (TCP/IP) and choose Properties. Step 4 Click Advanced, and click the WINS tab. Step 5 On the WINS tab, enable or disable NetBIOS over TCP/IP.
Chapter 3 Configuring New Features in ACS 4.2 Configuring Group Filtering at the NAP Level Configuring Group Filtering at the NAP Level You can use ACS 4.2 to grant and deny access to users who are authenticated through a LDAP database based on the LDAP group to which the users belong. This feature is called group filtering at the NAP level. To configure group filtering at the NAP level: Step 1 Configure LDAP on the ACS server. Step 2 Set up a Network Access Profile. a.
Chapter 3 Configuring New Features in ACS 4.2 Option to Not Log or Store Dynamic Users Option to Not Log or Store Dynamic Users When ACS authenticates users by using external databases, such as Active Directory or LDAP, and a user is successfully authenticated with the external database, then, by default, ACS stores the information for the user in the ACS internal database. The users that ACS creates in this manner are called dynamic users. With ACS 4.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE In previous releases, ACS SE devices could only send syslog messages using the local time that is set on the ACS device. With release 4.2, you can configure the ACS SE to send syslog messages by using the local time setting or Greenwich Mean Time (GMT). To configure the time format used for events sent to a syslog server: Step 1 In the navigation bar, choose System Configuration > Date Format Control.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-5 Step 3 External User Databases Page (ACS SE) Click RSA SecureID Token Server. The Database Configuration Creation page appears. Step 4 Click Create New Configuration. The Create a New External Database Configuration page appears, as shown in Figure 3-6. Figure 3-6 Step 5 Create a New External Database Configuration Page. Enter the name for the RSA SecureID Token Server and then click Submit.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-7 Step 9 On the Cisco Secure ACS to RSA SecurID Configuration page, enter the information shown in Table 3-3 Table 3-3 Step 10 Cisco Secure ACS to RSA SecurID Configuration Page RSA SecureID Server Configuration Field Description FTP Server: The IP address of the FTP server that contains the sdconf.rec file. This the configuration file for your RSA TokenID installation. Login: The login name for the FTP server.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE The External User Database Configuration page opens. Step 4 Click Configure. The Cisco Secure ACS to RSA SecurID Configuration page opens. Step 5 Click Purge Node Secret. Configuring RSA SecurID Token and LDAP Group Mapping You can perform authentication with RSA in native mode and also by using LDAP group mapping, with RSA. If you use RSA with LDAP group mapping, then the user's LDAP group membership controls authorization.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-8 Step 7 RSA SecurID Token and LDAP Group Mapping Configuration Page If you do not want ACS to filter LDAP authentication requests by username, under Domain Filtering, choose Process all usernames. Configuration Guide for Cisco Secure ACS 4.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Step 8 If you want to limit authentications processed by this LDAP configuration to usernames with a specific domain qualification: Note For information about domain filtering, see “Domain Filtering” in chapter 12 of the User Guide for Cisco Secure ACS, 4.2. a. Under Domain Filtering, click the Only process usernames that are domain qualified radio button. b.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote (“), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the X box contains any of these characters, stripping fails.
Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE b. In the Port box, type the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing those properties on the LDAP server. If you want to use secure authentication, port 636 is usually used. c.
Chapter 3 Configuring New Features in ACS 4.2 Turning Ping On and Off Note ACS saves the generic LDAP configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. Turning Ping On and Off With ACS 4.2, you can enable and disable pinging of the ACS SE device. Prior to release 4.
CH A P T E R 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration This chapter describes how to configure ACS 4.2 to enable new RDBMS Synchronization features introduced with ACS 4.2. For detailed information on RDBMS Synchronization, see “RDBMS Synchronization” in Chapter 8 of the User Guide for Cisco Secure ACS, 4.2, “System Configuration: Advanced.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs • Remote Invocation of the CSDBSync Service on the ACS Solution Engine—With ACS 4.2, you can run the CSDBSync service on a remote ACS SE, over an SSH connection. Using RDBMS Synchronization to Configure dACLs With ACS 4.2, you can use RDBMS Synchronization to set up downloadable dACLs and associate dACLs with specified Users or Groups.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Example 4-1 shows a sample text file. Example 4-1 Sample Text File for Creating a dACL [DACL#1] Name = DACL_For_Troy Description = Test_DACL_For_ACS_42 Content#1= content1 Definition#1#1= permit ip any host 192.168.1.152 Definition#1#2= permit ip any host 192.168.5.152 Definition#1#3= permit ip any host 192.168.29.33 Definition#1#4= permit ip any host 192.168.29.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL To create a an AccountActions CSV file to create a dACL and assign it to a User or Group: Step 1 Create a text file by using a text editor of your choice; for example, Notepad. Step 2 Code a statement to create a User or Group.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Table 4-2 describes the accountActions codes used in Example 4-2 to add a User, create a dACL, and associate the dACL with a specified User or Group. Table 4-2 Account Action Codes to Create dACLs and Assign Them to Specified Users or Groups Action Code Name Required Description 100 ADD_USER UN|GN, V1 Creates a User (32 characters maximum).
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Figure 4-1 RDBMS Synchronization Setup Page (ACS for Windows) b. Check the Use local CSV file check box. c. In the AccountActions file field, enter the filename of the accountActions CSV file that you created in Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL, page 4-4. d.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs • Password—The password for the username provided in the Login box. The ACS SE has the information necessary to get the accountActions file from the FTP server. Step 5 (ACS for Windows and ACS SE) Set the Synchronization Scheduling and Synchronization Partners options as required.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 7 For each ACS that you want this ACS to update with data from the accountActions table, click the ACS in the AAA Servers list, and then click the right arrow button (-->) on the interface. The ACS that you chose appears in the Synchronize list.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs ACS fetches the CSV file from the database, reads the action codes in the file, and performs the RDBMS Synchronization operations that the file specifies.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs The Downloadable IP ACLs page displays the selected dACL, as shown in Figure 4-4. Figure 4-4 Entry for the Sample dACL In the ACL Contents column, you should see the content name specified in the Content#1 block that you coded in the text file in Step 2: Create a Text File to Define the dACLs, page 4-2. Step 4 Click the content name.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 5 If the dACL was not created correctly, review the steps in Using RDBMS Synchronization to Configure dACLs, page 4-2 and check for errors. For a list of error messages, see Error Messages, page 4-11. Error Messages Table 4-3 lists the error messages associated with dACL creation using CSDBSync. .
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Reading, Updating, and Deleting dACLs Table 4-3 dACL Creation Errors (continued) Error Message Explanation Failed to import DACL file. Failed to access Host DB. Possible Cause The user ID specified in the RDBMS Synchronization configuration does not have write access to the ACS. Recommended Action Ensure that the specified user has write access to the ACS.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Reading, Updating, and Deleting dACLs . Table 4-4 Account Action Codes for Creating, Reading, Updating, or Deleting dACLs Action Code Name Required Description 386 READ_DACL VN, V1 (optional) Use this action code to read dACL attributes and save them in a file for later use. VN = contains dACL name or * for all dACLs. V1 = where output_file_name contains the exported dACLs definition.
Chapter 4 Updating or Deleting dACL Associations with Users or Groups Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Updating or Deleting dACL Associations with Users or Groups Table 4-5 lists the account action codes to update the dACL or remove the association of the dACL and the User or Group.
Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Specify Network Configuration Creating, Reading, Updating and Deleting AAA clients The RDBMS Synchronization feature supports creation and deletion of single or multiple AAA clients. In addition, accountActions codes 224 and 225 enable reading and updating AAA client information.
Chapter 4 Using RDBMS Synchronization to Specify Network Configuration Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Configuration Guide for Cisco Secure ACS 4.
CH A P T E R 5 Password Policy Configuration Scenario Cisco Secure ACS, hereafter referred to as ACS, provides new password features to support corporate requirements mandated by the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley (SOX) requires stricter enforcement of password restrictions.
Chapter 5 Password Policy Configuration Scenario Summary of Configuration Steps Summary of Configuration Steps To configure password policy in ACS: Step 1 Add a new administrator account. Add a new administrator account, specify the administrator name and password, and grant access privileges. See Step 1: Add and Edit a New Administrator Account, page 5-2 for details. Step 2 Configure password policy. Configure restrictions on the admin user password.
Chapter 5 Password Policy Configuration Scenario Step 1: Add and Edit a New Administrator Account Figure 5-1 Administration Control Page The Administration Control page initially lists no administrators. If administrators have been configured, the page lists the configured administrators. Step 2 To add an administrator, click Add Administrator. The Add Administrator page opens.
Chapter 5 Password Policy Configuration Scenario Step 2: Configure Password Policy Option Description Account Never Expires If you want to override the lockout options set up on the Administrator Password Policy page (with the exception of manual lockout), check the check box next to Account Never Expires. If you check this option, the account never expires but password change policy remains in effect. The default value is unchecked (disabled).
Chapter 5 Password Policy Configuration Scenario Step 2: Configure Password Policy Figure 5-2 The Administrator Password Policy Setup Page Configuration Guide for Cisco Secure ACS 4.
Chapter 5 Password Policy Configuration Scenario Step 2: Configure Password Policy Step 2 On the Password Policy Setup Page, specify: • Password Validation Options See Specify Password Validation Options, page 5-6. • Password Lifetime Options See Specify Password Lifetime Options, page 5-6. • Password Inactivity Options See Specify Password Inactivity Options, page 5-7. • Incorrect Password Attempt Option See Specify Incorrect Password Attempt Options, page 5-7.
Chapter 5 Password Policy Configuration Scenario Step 3: Configure Session Policy Specify Password Inactivity Options In the Password Inactivity Options section, configure: • Note For additional security, ACS does not warn users who are approaching the limit for password inactivity.
Chapter 5 Password Policy Configuration Scenario Step 3: Configure Session Policy Figure 5-3 Step 2 The Session Policy Setup Page On the Session Policy Setup page, set session options as required. You can specify: • Session idle timeout (minutes)—Specifies the time, in minutes, that an administrative session must remain idle before ACS terminates the connection (4-character maximum).
Chapter 5 Password Policy Configuration Scenario Step 4: Configure Access Policy Step 4: Configure Access Policy This section describes how to configure administrative access policy. Before You Begin If you want to enable the SSL for administrator access, you must have completed the steps in Install the CA Certificate, page 7-4, and Add a Trusted Certificate, page 7-4. After you have enabled SSL, ACS begins using the SSL at the next administrator login.
Chapter 5 Password Policy Configuration Scenario Step 4: Configure Access Policy Figure 5-4 Step 3 Access Policy Setup Page Click the appropriate IP Address Filtering option Table 5-1 Access Policy Options Option Description IP Address Filtering Allow all IP addresses to connect Enables remote access to the web interface from any IP address. Allow only listed IP addresses to connect Restricts remote access to the web interface to IP addresses within the specified IP Address Ranges.
Chapter 5 Password Policy Configuration Scenario Step 4: Configure Access Policy Table 5-1 Access Policy Options (continued) Option Description Reject connections from listed IP addresses Restricts remote access to the web interface to IP addresses outside of the specified IP Address Ranges. IP filtering operates on the IP address received in an HTTP request from a remote administrator's web browser.
Chapter 5 Password Policy Configuration Scenario Viewing Administrator Entitlement Reports Table 5-1 Access Policy Options (continued) Option Description Secure Socket Layer Setup Use HTTPS Transport for Administration Access Enables ACS to use the secure socket layer (SSL) protocol to encrypt HTTP traffic between the CSAdmin service and the web browser that accesses the web interface.
Chapter 5 Password Policy Configuration Scenario Viewing Administrator Entitlement Reports View Privilege Reports To view privilege reports: Step 1 In the navigation bar, click Reports and Activity. The Reports page opens. Step 2 Click Entitlement Reports. A list of the available entitlement reports appears. Figure 5-5 shows an example list. Figure 5-5 Step 3 List of Entitlement Reports To view a report, click the report name.
Chapter 5 Password Policy Configuration Scenario Viewing Administrator Entitlement Reports Configuration Guide for Cisco Secure ACS 4.
CH A P T E R 6 Agentless Host Support Configuration Scenario This chapter describes how to configure the agentless host feature in Cisco Secure Access Control Server, hereafter referred to as ACS. Note The procedure in this chapter describes how to configure agentless host support by using ACS with a Lightweight Directory Access Protocol (LDAP) database. You can also configure agentless host support by using the ACS internal database: but, using an LDAP database is generally more efficient.
Chapter 6 Agentless Host Support Configuration Scenario Overview of Agentless Host Support 3. If you configure ACS for MAB, it searches the authentication database for the host’s MAC address The database can be: – ACS internal – LDAP (if you configure LDAP) 4. During the database lookup: – ACS looks up the MAC address in an identity store (the internal ACS database or an LDAP database). – ACS maps the MAC address to an ACS user group.
Chapter 6 Agentless Host Support Configuration Scenario Summary of Configuration Steps GAME group feedback provides an added security check for MAC address authentication by checking the device type categorization that ACS determines by associating a MAC address with a user group against information stored in a database on an audit server.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Step 7 Configure logging and reports. Add the Bypass Info attribute to the Passed Authentications and Failed Attempts reports. See Step 7: Configure Logging and Reports, page 6-23. Note If you are using ACS with NAC, configure audit server support and, optionally, configure GAME group feedback. See Configure GAME Group Feedback, page 6-24 for details.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support where IP_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS. Step 2: Configure a RADIUS AAA Client Before you can configure agentless host support, you must configure a RADIUS AAA client. To configure a RADIUS AAA client: Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Figure 6-2 Add AAA Client Page Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 alphanumeric characters). Step 4 In the AAA Client IP Address box, type the AAA client IP address or addresses.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support The steps in this section are required to enable posture validation, which is used in Network Access Profiles. Obtain Certificates and Copy Them to the ACS Host To copy a certificate to the ACS host: Step 1 Obtain a security certificate. Step 2 Create a \Certs directory on the ACS server. a. Open a DOS command window. b.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Step 4 Select Install Certificate. The Windows Certificate Import wizard starts. Step 5 To install the certificate, follow the instructions that the wizard displays. Step 6 Accept the default options for the wizard. Note Only perform this process once on a Windows 2000 Server.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Step 11 Do not restart the services at this time. Restart the services later, after you have completed the steps for adding a trusted certificate. See Add a Trusted Certificate, page 6-9. Install the CA Certificate To install the CA Certificate: Step 1 Choose System Configuration > ACS Certificate Setup > ACS Certification Authority Setup.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Step 4: Configure LDAP Support for MAB You can configure the ACS internal database to manage MAB used with the agentless host feature; however, if you have a large number of MAC addresses to process (for example, several thousand), it is more efficient to use an external LDAP database than to configure the MAC address mappings manually through the ACS GUI.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support macAddress: 11-22-33-44-55-66 cn: user11-wxp.emea.mycorp.com dn: cn=Group_1_colon,ou=MAC Groups, ou=MAB Segment, o=mycorp objectClass: top objectClass: groupofuniquenames description: group of delimited MAC Addresses uniqueMember: cn=user00-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp uniqueMember: cn=user77a-wxp.emea.mycorp.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support How the Subtrees Work The sample LDAP schema in Example 6-1 contains code to define two subtrees: dn: ou=MAC Addresses, ou=MAB Segment, o=mycorp ou: MAC Addresses objectClass: top objectClass: organizationalUnit dn: ou=MAC Groups, ou=MAB Segment, o=mycorp ou: MAC Groups objectClass: top objectClass: organizationalUnit The LDAP subtrees are: • MAC Addresses—A user directory subtree that contains
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Table 6-1 describes the attributes of the sample LDAP groups. Table 6-1 Attributes in LDAP User Groups for Agentless Host Support Attribute Name Description objectClass The value in the example indicates that this is a “group of unique names.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support • Common LDAP Configuration—Configure the settings in this section to specify how ACS queries the LDAP database. • Primary LDAP Server—Configure the settings in this section to specify the primary LDAP server. • Secondary LDAP Server—Configure the settings in this section if you are setting up LDAP failback.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support • UserObjectClass—The value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user, some of which are shared with other object types. In the LDAP schema shown in Example 6-1, the user object class is specified as ieee802Device.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Figure 6-7 a. LDAP Server Configuration Sections For the primary LDAP server specify: – Hostname—The name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address. – Port—The TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support For detailed information on this field, refer to the “LDAP Configuration Options” section in Chapter 12 of the User Guide for Cisco Secure Access Control Server, “User Databases.” – Admin DN—The DN of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Before you assign the user groups, plan how to configure the user groups. For example, users associated with the user group can: • Be denied access to the network • Be limited by network access restrictions (NARs) • Have specified password settings For detailed information on how to set up user groups, refer to chapter 5 of the User Guide for Cisco Secure ACS 4.2, “User Group Management.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support The Profile Setup page opens, shown in Figure 6-9. Figure 6-9 Profile Setup Page Step 3 In the Name text box, enter the name of the NAP. Step 4 If you have set up network access filters (NAFs) and want to apply one, then from the drop-down list of NAFs, choose the appropriate NAF. Step 5 In the Protocol types section, select at least one RADIUS protocol type.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Figure 6-10 Edit Network Access Protocols Page You are now ready to enable agentless request processing. Enable Agentless Request Processing for a NAP To enable agentless request processing for a NAP: Step 1 In the Edit Network Access Profiles page, click Protocols. The Protocols Settings page for the selected NAP opens. Figure 6-11 shows the top portion of the Protocols Settings page.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support You are now ready to configure MAB settings. Configure MAB To configure MAB: Step 1 In the Edit Network Access Profiles page, click Authentication. The Authentication page for the selected NAP opens. Figure 6-12 shows the Authentication Settings page.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Step 3 If you specified an LDAP database in the Credential Validation Databases section, click LDAP Server and then select a LDAP database that you configured on the External User Databases > External User Database Configuration page. Step 4 If you will validate MAC addresses by using the ACS internal database: a. Click Internal ACS DB. b. Click Add.
Chapter 6 Agentless Host Support Configuration Scenario Basic Configuration Steps for Agentless Host Support Step 7: Configure Logging and Reports By default, the following information about MAB processing is logged to the CSAuth log file: • The start of MAB request handling and what trigger is used to initiate MAB. The format of this message is: Performing Mac Authentication Bypass on where MAC_address is the MAC address that triggered the processing.
Chapter 6 Agentless Host Support Configuration Scenario Configuration Steps for Audit Server Support Step 4 Repeat Step 3 for additional report types as required. Step 5 Repeat Steps 3 and 4 for the Failed Attempts report. Configuration Steps for Audit Server Support If you are using ACS with the NAC solution or with other applications that support the use of audit servers, you can set up agentless host support that uses an audit server.
CH A P T E R 7 PEAP/EAP-TLS Configuration Scenario You can select EAP-TLS as an inner method that is used within the tunnel that ACS establishes for PEAP authentication. If you select EAP-TLS, ACS can use it not only to encrypt the initial data sent through the PEAP protocol; but, once a secure tunnel is established between ACS and the NAD, to encrypt (for a second time) the data that is transmitted within the secure tunnel.
Chapter 7 PEAP/EAP-TLS Configuration Scenario Step 1: Configure Security Certificates Obtain Certificates and Copy Them to the ACS Host To use EAP-TLS, you must obtain and install security certificates. To copy a certificate to the ACS host: Step 1 Obtain a security certificate. Step 2 Create a \Certs directory on the ACS server. a. Open a DOS command window. b. To create a certificates directory, enter: mkdir :\Certs where selected_drive is the currently selected drive.
Chapter 7 PEAP/EAP-TLS Configuration Scenario Step 1: Configure Security Certificates Step 4 Select Install Certificate. The Windows Certificate Import wizard starts. Step 5 To install the certificate, follow the instructions that the wizard displays. Step 6 Accept the default options for the wizard. Note Only perform this process once on a Windows 2000 Server.
Chapter 7 PEAP/EAP-TLS Configuration Scenario Step 1: Configure Security Certificates Step 10 ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services. Step 11 Do not restart the services at this time. Restart the services later, after you have completed the steps for adding a trusted certificate. See Add a Trusted Certificate, page 7-4.
Chapter 7 PEAP/EAP-TLS Configuration Scenario Step 2: Configure Global Authentication Settings Step 3 Click Submit. Step 4 To restart ACS, choose System Configuration > Service Control, and then click and then click Restart. Step 2: Configure Global Authentication Settings To configure global authentication settings: Step 1 In the navigation bar, click System Configuration. The System Configuration page opens. Step 2 Click Global Authentication Setup.
Chapter 7 PEAP/EAP-TLS Configuration Scenario Step 3: Specify EAP-TLS Options Step 3 Step 4 Specify the protocols to use with the PEAP protocol. They are: • EAP_MSCHAP2 • EAP-GTC If you want to enable posture validation on this ACS installation, check the Enable Posture Validation check box.
CH A P T E R 8 Syslog Logging Configuration Scenario Overview ACS provides a system logging (syslog) feature. With the addition of this feature, all AAA reports and audit report messages can be sent to up to two syslog servers. Configuring Syslog Logging To configure ACS to generate syslog messages: Step 1 In the navigation bar, click System Configuration. The System Configuration page opens. Step 2 Click Logging. The Logging page opens, shown in Figure 8-1.
Chapter 8 Syslog Logging Configuration Scenario Configuring Syslog Logging Figure 8-1 Step 3 Logging Configuration Page To enable a syslog report, on the Logging Configuration page, click the Configure link in the syslog column, in the row for each report that you want to generate. The Enable Login window for the specified report opens, as shown in Figure 8-2. Configuration Guide for Cisco Secure ACS 4.
Chapter 8 Syslog Logging Configuration Scenario Configuring Syslog Logging Figure 8-2 Step 4 Enable Logging Page Check the check box for logging the specified information to syslog. For example, in Figure 8-2, check the Log to Syslog Failed Attempts Report check box. In the Select Columns to Log section, a list of the fields available for the specified syslog report appears.
Chapter 8 Syslog Logging Configuration Scenario Format of Syslog Messages in ACS Reports Step 6 Click Submit. Step 7 Repeat the process for any additional reports for which you want to enable syslog reporting.
Chapter 8 Syslog Logging Configuration Scenario Format of Syslog Messages in ACS Reports All ACS syslog messages use a severity value of 6 (informational). For example, if the facility value is 13 and the severity value is 6, the Priority value is 110 ((8 x 13) + 6). The Priority value appears according to the syslog server setup, and might appear as one of: – System3.Info – <110> Note You cannot configure the format of the syslog facility and severity on ACS.
Chapter 8 Syslog Logging Configuration Scenario Format of Syslog Messages in ACS Reports Configuration Guide for Cisco Secure ACS 4.
CH A P T E R 9 NAC Configuration Scenario This chapter describes how to set up Cisco Secure Access Control Server 4.2, hereafter referred to as ACS, to work in a Cisco Network Admission Control environment.
Chapter 9 NAC Configuration Scenario Step 2: Perform Network Configuration Tasks To install ACS: Step 1 Start the ACS installation: If you are installing ACS for Windows: a. Using a local administrator account, log in to the computer on which you want to install ACS. b. Insert the ACS CD into a CD-ROM drive on the computer. c. If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears; otherwise, run setup.exe, located in the root directory of the ACS CD. d.
Chapter 9 NAC Configuration Scenario Step 2: Perform Network Configuration Tasks Step 2 Do one of the following: • If you are using Network Device Groups (NDGs), click the name of the NDG to which you want to assign the AAA client. Then, click Add Entry below the AAA Clients table. • To add AAA clients when you have not enabled NDGs, click Not Assigned and then click Add Entry below the AAA Clients table. The Add AAA Client page opens, shown in Figure 9-1.
Chapter 9 NAC Configuration Scenario Step 2: Perform Network Configuration Tasks Step 5 In the Shared Secret box, type a shared secret key for the AAA client. The shared secret is a string that you determine; for example, mynet123. The shared secret must be identical on the AAA client and ACS. Keys are case sensitive. If the shared secrets do not match, ACS discards all packets from the network device.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Step 2 In the AAA Servers table, click the name of the AAA server in the AAA Server Name column. The AAA Server Setup page opens, shown in Figure 9-2. Figure 9-2 AAA Server Setup Page Step 3 In the Key field, enter the shared secret that you used to set up the AAA clients. Step 4 Click Submit and Apply.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Obtain Certificates and Copy Them to the ACS Host To copy a certificate to the ACS host: Step 1 Obtain a security certificate. Step 2 Create a \certs directory on the ACS server. a. Open a DOS command window. b. To create a certificates directory, enter: mkdir :\certs where selected_drive is the currently selected drive. Step 3 For example, copy the following files to the \certs directory: • ACS-1.nac.cisco.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Edit the Certificate Trust List After you set up the ACS certification authority, you must add the CA certificate to the ACS Certificate Trust list. To add the certificate to the Certificate Trust list: Step 1 In the navigation bar, click System Configuration. The System Configuration page opens. Step 2 Choose ACS Certificate Setup > Edit Certificate Trust List. The Edit Certificate Trust List page opens.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Install the ACS Certificate To enable security certificates on the ACS installation: Step 1 In the navigation bar, click System Configuration. The System Configuration page opens. Step 2 Click ACS Certificate Setup. Step 3 Click Install ACS Certificate. Step 4 The Install ACS Certificate page opens, as shown in Figure 9-5. Figure 9-5 Install ACS Certificate Page Step 5 Click the Read certificate from file radio button.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Set Up Global Authentication In the global authentication setup, you specify the protocols that ACS uses to transfer credentials from the host for authentication and authorization. Unless you have a limited deployment environment or specific security concerns, you should globally enable all protocols.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Figure 9-6 Global Authentication Setup Page Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Step 3 To make the PEAP global authentication parameters available in the NAP configuration, check the check boxes for: • Allow EAP-MSCHAPv2. EAP-MSCHAP is a variation of the Microsoft Challenge and Response Protocol that is used with the Protected Extensible Access Protocol (PEAP). For a description of the EAP-MSCHAPv2 protocol, see the “Authentication” section in Chapter 1 of the User Guide for Cisco Secure ACS, 4.2, “Overview.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Set Up EAP-FAST Configuration To configure ACS to work with NAC and use EAP-FAST with posture validation: Step 1 In the navigation bar, click System Configuration. The System Configuration page opens. Step 2 Click Global Authentication Setup. The Global Authentication Setup Page appears, as shown in Figure 9-6. Step 3 Click EAP-FAST Configuration. The EAP FAST Configuration page appears, as shown in Figure 9-8.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Figure 9-8 EAP-FAST Configuration Page Step 4 Check the Allow EAP-FAST check box. Step 5 In the Client Initial Message text box, enter a message; for example, Welcome. Step 6 In the Authority ID Info field, enter the name of the certificate authority server. In the example shown in Figure 9-8, this is ACS NAC Server. However, this can be any string.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Step 8 Check the Accept client on authenticated provisioning and Require client certificate for provisioning check boxes. Step 9 Check the check boxes for the EAP-GTC, EAP-MSCHAPv2, and EAP-TLS inner methods. The EAP-FAST Master Server check box is automatically checked (enabled). Check the Certificate SAN and Certificate Binary comparison check boxes to enable these EAP-TLS comparison methods. Step 10 Click Submit + Restart.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration To enable the Passed Authentications report: Step 1 In the navigation bar, click System Configuration. The System Configuration page opens. Step 2 Click Logging. The Logging Configuration page opens. The CSV Passed Authentications File Configuration page opens, as shown in Figure 9-9. Figure 9-9 Step 3 CSV Passed Authentications File Configuration Page Check the Log to CSV Passed Authentications Report check box.
Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Step 4 Move the attributes that you want to log from the Attributes list to Logged Attributes list.
Chapter 9 NAC Configuration Scenario Step 4: Set Up Administration Control Step 8 • Acct-Input-Octets • Acct-Output-Octets • Acct-Input-Packets • Acct-Output-Packets • Framed-IP-Address • NAS-Port • NAS-IP-Address • Class • Termination-Action • Called-Station-Id • Acct-Delay-Time • Acct-Authentic • Acct-Terminate-Cause • Event-Timestamp • NAS-Port-Type • Port-Limit • NAS-Port-Id • AAA Server • ExtDB Info • Network Access Profile Name • cisco-av-pair • Access Dev
Chapter 9 NAC Configuration Scenario Step 4: Set Up Administration Control Figure 9-10 Add Administrator Page Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 4: Set Up Administration Control Step 3 In the Administrator Details area, specify the following information: Option Description Administrator Name Enter the login name for the ACS administrator account. Administrator names can contain 1 to 32 characters, but cannot contain the left angle bracket (<), the right angle bracket (>), or the backslash (\). An ACS administrator name does not have to match a network user name.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Step 5 Click Submit. After performing these steps, from a remote host, you can open a browser in which to administer ACS. The URLs for remote access are: • http://IP_address:2002 • http://hostname:2002 Step 5: Set Up Shared Profile Components Before you can set up NAPs, you must set up Shared Profile Components.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figure 9-11 Edit Network Access Filtering Page Step 4 In the Name text box, enter a name for the network access filter. Step 5 Move any devices or device groups to the Selected Items list. To move a device or device group, select the item to move and then click the right arrow button to move it to the Selected Items list. Step 6 Click Submit.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components To enable dACLs and NAFs, which are required to create NAPs: Note • Add a new posture ACL. • Add ACE entries for the ACL. • Save the posture ACL. These ACLs are referred to as posture ACLs because they are a component of a NAP that is used in posture validation. Adding an ACL To add a new ACL: Step 1 Choose Shared Profile Components > Downloadable IP ACLs.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figure 9-13 Step 3 Downloadable IP ACLs Page On the Downloadable IP ACLs page, enter a Name and optional Description for the ACL, as shown in Figure 9-13. Note Do not use spaces in the name of the ACL. IOS does not accept ACL names that include spaces. Adding an ACE To add an ACE: Step 1 On the Downloadable IP ACLs page, Click Add (below the ACL table of contents) to add a new ACE to the ACL and assign it to a NAF.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figure 9-14 Downloadable IP ACL Content Page Step 2 In the Name text box, type the ACL name. Step 3 In the ACL Definitions input box, type definitions for the ACL. ACL definitions consist of a series of permit and deny statements that permit or deny access for specified hosts.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figure 9-15 Step 5 Downloadable ACL Contents List with New Content From the drop-down list in the Network Access Filtering column of the ACL Contents table, choose the correct NAF for this ACL. You can choose the default NAF (All AAA Clients), or you can specify a NAF that you have configured to control how access is set up for different devices or groups of devices.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components The sample RACs are: • Cisco_FullAccess—Provides full access to the Cisco network. You use this RAC to grant access to clients that qualify as healthy. • Cisco_Restricted—Provides restricted access to the Cisco network. You uses this RAC to grant partial (quarantined) access to clients that do not qualify as healthy. To define RACs: Step 1 In the navigation bar, click Shared Profile Components.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figure 9-17 b. RAC Attribute Add/Edit Page In the Value field for the attribute, enter an appropriate value. Each attribute has specific value types based on how the attribute is defined. For example, for the Session-Timeout (27) attribute, enter a timeout value in seconds. c. Click Submit. Step 6 When you are finished adding attributes, click Submit.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figure 9-18 Attribute Selection for the Cisco_FullAccess RAC Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figure 9-19 Attribute Selection for the Cisco_Restricted RAC To enable VLAN assignment, the sample RACs include the following RADIUS attributes: • Session-Timeout (attribute 27)—Enables a session timeout. In the sample RACs, the timeout value is set to 3600 seconds (six hours).
Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components • Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an 802 protocol. In the NAC/NAP environment, this is the 802.1x protocol. • Tunnel-Private-Group-ID (attribute 81)—Indicates the group ID for the VLAN tunnel. In the sample RAC, this is set to Quarantine, which denotes a quarantine VLAN to which devices are assigned.
Chapter 9 NAC Configuration Scenario Step 6: Configure an External Posture Validation Audit Server Table 9-1 Attributes That Can Be Sent in the RADIUS-Accept Response (continued) x x x 26 Vendor-Specific Microsoft = 311 Key for Status Query: MS-MPPE-Recv-Key Automatically sent by ACS.
Chapter 9 NAC Configuration Scenario Step 6: Configure an External Posture Validation Audit Server Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned number that is the first section of the posture token attribute name, [vendor]:6: Step 2 To install the attributes specified in the text file: a. Open a DOS command window. b.
Chapter 9 NAC Configuration Scenario Step 6: Configure an External Posture Validation Audit Server Figure 9-20 Step 3 External Posture Validation Audit Server Setup Page To configure the audit server: a. Enter a Name and Description (optional). b. In the Which Hosts Are Audited section, choose what hosts you want to audit. You can enter the host IP or MAC addresses for the hosts that you want to audit or for a host that you do not want to audit. c.
Chapter 9 NAC Configuration Scenario Step 6: Configure an External Posture Validation Audit Server Figure 9-21 e. Use These Audit Servers Section In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password. Figure 9-22 shows the Audit Flow Settings and the GAME Group Feedback section. Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC Figure 9-22 Audit Flow Settings and GAME Group Feedback Sections f. If required, in the Audit Flow Setting section, set the audit-flow parameters. g. If you are configuring GAME group feedback to support agentless host configuration in the NAC environment, configure the settings in the GAME Group Feedback section. For information on configuring GAME Group Feedback settings, see Enable GAME Group Feedback, page 9-79. h.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC To create an internal posture validation policy: Step 1 In the navigation bar, click Posture Validation. The Posture Validation Components Setup page opens. Step 2 Click Internal Posture Validation Setup. The Posture Validation page opens, which lists any existing posture validation policies. Step 3 Choose Add Policy. The Edit Posture Validation page opens. Step 4 Enter a name for the policy.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC Figure 9-24 Edit Posture Validation Rule Page b. Click Add Condition Set. c. The Add/Edit Condition page appears, as shown in Figure 9-25. Figure 9-25 Add/Edit Condition Page d. From the Attribute drop-down list, choose an Attribute value. e. From the Operator drop-down list, choose a condition. f. In the Value text box, enter a value for the condition. Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC g. Click Enter. The specified rule appears in Add/Edit Condition page, as shown in Figure 9-25. h. Enter additional conditions as required. i. Click Submit. j. Click Apply and Restart to apply the new posture validation rule(s).
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC Figure 9-27 Add/Edit External Posture Validation Server Page Step 4 Enter a Name and Description (optional). Step 5 Enter the server details, URL, User, Password, Timeout, and certificate (if required by the antivirus server). Step 6 Click Submit. Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC Configure an External Posture Validation Audit Server A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture validation of the agentless hosts to an audit server. The audit server determines the posture credentials of a host without relying on the presence of a PA.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC Configure the External Posture Validation Audit Server You can configure an audit server once, and then use it for other profiles. To configure an audit server: Step 1 In the Posture Validation Components Setup page, click External Posture Validation Audit Setup. Step 2 Click Add Server. The External Posture Validation Audit Server Setup page appears, as shown in Figure 9-28.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC Figure 9-29 e. Use These Audit Servers Section In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password. Figure 9-30 shows the Audit Flow Settings and the GAME Group Feedback section. Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 7: Configure Posture Validation for NAC Figure 9-30 Audit Flow Settings and GAME Group Feedback Sections f. If required, in the Audit Flow Setting section, set the audit-flow parameters. g. If you are configuring GAME group feedback to support agentless host configuration in the NAC environment, configure the settings in the GAME Group Feedback section. For information on configuring GAME Group Feedback settings, see Enable GAME Group Feedback, page 9-79. h.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Step 8: Set Up Templates to Create NAPs ACS 4.1 provides several profile templates that you can use to configure common usable profiles. In NAC-enabled networks, you can use these predefined profile templates to configure commonly used profiles. This section describes the templates provided in ACS 4.1. Sample NAC Profile Templates ACS 4.1 provides the following sample profile templates for NAC.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Figure 9-31 Create Profile From Template Page Step 4 Enter a Name and Description (optional). Step 5 From the Template drop-down list, choose NAC L3 IP. Step 6 Check the Active check box. Step 7 Click Submit. If no error appears, then you have created a profile that can authenticate Layer 3 NAC hosts. The Edit Network Access Profile page opens, and the new profile appears in the Name column.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Figure 9-32 Profile Setup Page for Layer 3 NAC Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter. You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute’s rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends. Protocols Policy for the NAC Layer 3 Template Figure 9-33 shows the Protocols settings for the NAC Layer 3 template.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Authentication Policy To configure authentication policy: Step 1 In the navigation bar, select Network Access Profiles. Step 2 Choose the Authentication link from the Policies column. The Authentication page for the profile opens, as shown in Figure 9-34.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group. Sample Posture Validation Rule Figure 9-35 shows the sample posture validation policy provided with the NAC Layer 3 template.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Step 6 Click Submit. If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts and the Profile Setup page for the NAC Layer 2 template appears. The predefined values for the Layer 2 NAC template include: • Profile Setup • Protocols settings • Authentication policy • A sample posture validation rule The name of this policy is NAC-EXAMPLE-POSTURE-EXAMPLE.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Figure 9-36 Profile Setup Page for NAC Layer 2 Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter. You can choose NAFs from the drop-down list, so that only specific host IPs match this profile. • Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs This template automatically sets Advanced Filtering and Authentication properties with NAC Layer 2 IP Configuration. ACS and Attribute-Value Pairs When you enable NAC Layer 2 IP validation, ACS provides NAC AAA services by using RADIUS. ACS gets information about the antivirus credentials of the endpoint system and validates the antivirus condition of the endpoint.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs If you configure the default ACL on the switch and the ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host that is connected to a switch port. If the policy applies to the traffic, the switch forwards the traffic. If the policy does not apply, the switch applies the default ACL.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Authentication Policy To set the authentication policy: Step 1 In the navigation bar, click Network Access Profiles. Step 2 Choose the Authentication link from the Policies column. The Authentication Settings page for the NAC Layer 2 template opens, as shown in Figure 9-38. Figure 9-38 Step 3 Authentication Settings for NAC Layer 2 Template Specify the external database that ACS uses to perform authentication: a.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group. Sample Posture Validation Rule Figure 9-39 shows the sample posture validation rule provided with the NAC Layer 2 template. Figure 9-39 Sample Posture Validation Policy for NAC Layer 2 Template Sample NAC Layer 2 802.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Figure 9-40 Create Profile From Template Page Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose NAC L2 802.1x. Step 5 Check the Active check box. Step 6 Click Submit. If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts. The Edit Network Access Profile page opens, and the new profile appears in the Name column.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Figure 9-41 Profile Setup Page for NAC Layer 2 802.1x Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter. You can choose NAFs from the drop-down list, so that only specific host IPs match this profile. • Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Protocols Policy Figure 9-42 shows the Protocols settings for the NAC Layer 2 802.1x template. Figure 9-42 Protocols Setting for NAC Layer 802.1x Template In the EAP Configuration section, Posture Validation is enabled. Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Authorization Policy To configure an authorization policy for the NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authorization link from the Policies column. The Authentication page for the NAC Layer 2 802.1x template profile appears, as shown in Figure 9-43. Figure 9-43 Authentication Page for NAC Layer 2 802.1x Profile Template On this page, you can see the Layer 2 NAC 802.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Sample Posture Validation Rule Figure 9-44 shows the sample posture validation policy provided with the NAC Layer 2 802.1x template. Figure 9-44 Sample Posture Validation Policy for NAC Layer 2 802.1x Template Sample Wireless (NAC L2 802.1x) Template This template creates a profile for Layer 2 NAC 802.1x requests in wireless networks.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Figure 9-45 Create Profile From Template Page Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose Wireless (NAC L2 802.1x). Step 5 Check the Active check box. Step 6 Click Submit. If no error appears, then you have created a Profile that can authenticate wireless NAC Layer 2 802.1x hosts.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Figure 9-46 Profile Setup Page for Wireless (NAC L2 802.1x)Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter. You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute’s rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends. Protocols Policy Figure 9-47 shows the Protocols settings for the Wireless (NAC L2 802.1x) template. Figure 9-47 Protocols Setting for Wireless NAC 802.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Authorization Policy To configure an authorization policy for the Wireless NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authorization link from the Policies column. The Authorization page for the profile appears, as shown in Figure 9-48. Figure 9-48 Authorization Page for Wireless (NAC L2 802.1x) Profile Template On this page, you can see the Wireless (NAC L2 802.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Sample Posture Validation Rule Figure 9-49 shows the sample posture validation policy provided with the Wireless (NAC L2 802.1x) template. Figure 9-49 Note Sample Posture Validation Policy for Wireless (NAC L2 802.1x) Template The posture validation policy for the wireless NAC L2 802.1x template is the same as for the NAC L2 802.1x template. Using a Sample Agentless Host Template ACS 4.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs To create an agentless host for Layer 3 profile template: Step 1 In the navigation bar, click Network Access Profiles. The Network Access Profiles page opens. Step 2 Click Add Template Profile. The Create Profile from Template page opens, as shown in Figure 9-50. Figure 9-50 Create Profile From Template Page Step 3 Enter a Name and Description (optional).
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs Profile Setup To use the Profile Setup settings from the template: Step 1 Go to Network Access Profiles. Step 2 Choose the profile that you created. Step 3 The Profile Setup page appears, as shown in Figure 9-51. Figure 9-51 Profile Setup Page for Agentless Host for Layer 3 Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter.
Chapter 9 NAC Configuration Scenario Step 8: Set Up Templates to Create NAPs • You can click the Allow Selected Protocol types option to specify a protocol type for filtering. • Two rules are configured in Advanced Filtering: [026/009/001]Cisco-av-pair = aaa:service=ip admission [006]Service-Type != 10 These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute’s rules.
Chapter 9 NAC Configuration Scenario Step 9: Map Posture Validation Components to Profiles Authentication Policy To configure an authentication policy for the Agentless Host for Layer 3 template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authentication link from the Policies column. The Authentication page for the profile appears, as shown in Figure 9-53.
Chapter 9 NAC Configuration Scenario Step 9: Map Posture Validation Components to Profiles The Add/Edit Posture Validation Rule page for the specified rule appears, as shown in Figure 9-54. Figure 9-54 Add/Edit Posture Validation Rule Page Step 5 Choose the Required Credential Types. Step 6 In the Select External Posture Validation Sever section, select the policies or server that you want to map to this profile. To select a: • Posture Server, check the check box next to the server name.
Chapter 9 NAC Configuration Scenario Step 10: Map an Audit Server to a Profile Step 10: Map an Audit Server to a Profile To add an external posture validation audit server to a profile: Step 1 Choose Network Access Profiles. Step 2 Click the Protocols link for the relevant Posture Validation Policy. The Protocols Settings page for the policy that you choose opens. Step 3 Check the Allow Agentless Request Processing check box. Step 4 Click Submit.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback d. If you want to specify a user group to which to assign the supplicant if the audit fails, check the Assign a User Group check box and then from the Assign a User Group drop-down list, choose a user group. Step 9 Click Submit. Step 10 Click Done. Step 11 Click Apply and Restart.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback Import an Audit Vendor File by Using CSUtil For information on importing an audit vendor file by using CSUtil, see the “Adding a Custom RADIUS Vendor and VSA Set” section in Appendix D of the User Guide for Cisco Secure Access Control Server 4.2, “CSUtil Database Utility.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback Step 3 Restart ACS: a. In the navigation bar, click System Configuration. b. Click Service Control. c. Click Restart. Configure Database Support for Agentless Host Processing The database that you use can be an external LDAP database (preferred) or the ACS internal database. For information on configuring database support for agentless host processing, see Step 4: Configure LDAP Support for MAB, page 6-10.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback To add the posture attributes: Step 1 Create a text file in the \Utils directory with the following format: [attr#0] vendor-id=[your vendor id] vendor-name=[The name of you company] application-id=6 application-name=Audit attribute-id=00003 attribute-name=Dummy-attr attribute-profile=out attribute-type=unsigned integer Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned number that is the
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback Configure the External Posture Validation Audit Server You can configure an audit server once, and then use it for other profiles. To configure an audit server: Step 1 In the Posture Validation Components Setup page, click External Posture Validation Audit Setup. Step 2 Click Add Server. The External Posture Validation Audit Server Setup page appears, as shown in Figure 9-56.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback Figure 9-57 e. Use These Audit Servers Section In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password. Figure 9-58 shows the Audit Flow Settings and the GAME Group Feedback section. Configuration Guide for Cisco Secure ACS 4.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback Figure 9-58 Audit Flow Settings and GAME Group Feedback Sections f. If required, in the Audit Flow Setting section, set the audit-flow parameters. g. If you are configuring GAME group feedback to support agentless host configuration in the NAC environment, configure the settings in the GAME Group Feedback section.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback Enable GAME Group Feedback To enable GAME group feedback: Step 1 On the External Posture Validation Audit Server Setup page, in the GAME Group Feedback section, check the Request Device Type from Audit Server check box. If this check box is not available, define an audit-device type attribute for the vendor in the internal ACS dictionary. ACS for Windows: With ACS for Windows, you use the CSUtil command.
Chapter 9 NAC Configuration Scenario Step 11 (Optional): Configure GAME Group Feedback – contains – starts-with – regular-expression • Device Type—Defines the comparison criteria for the User Group by using an operator and device type.
GLOSSARY A AAA Authentication, Authorization, and Accounting server.-(Authentication, authorization, and accounting is pronounced “triple-A.” An AAA server is the central server that aggregates one or more authentication, authorization, or both decisions into a single system-authorization decision, and maps this decision to a network-access profile for enforcement on the NAD. Access -Accept Response packet from the RADIUS server notifying the access server that the user is authenticated.
Glossary E EAP Extensible Authentication Protocol-Provides the ability to deploy RADIUS into Ethernet network environments. EAP is defined by Internet Engineering Task Force (IETF) RFC 2284 and the IEEE 802.1x standards. EAP-TLS Extensible Authentication Protocol-Transport Layer Security-Uses the TLS protocol (RFC 2246), which is the latest version of the Secure Socket Layer (SSL) protocol from the IETF.
Glossary N NAC Network Admission Control-NAC is a Cisco-sponsored industry initiative that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources; thereby limiting damage from viruses and worms. NAC is part of the Cisco Self-Defending Network, an initiative to increase network intelligence in order to enable the network to automatically identify, prevent, and adapt to security threats.
Glossary PEAP Protected Extensible Authentication Protocol-An 802.1x authentication type for wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on an Internet Draft that Cisco Systems, Microsoft, and RSA Security submitted to the IETF.
INDEX UPDATE_NAS Numerics 4-15 UPDATE_USER_DACL 802.
Index separation from general users 2-18 C Agentless Host for L2 (802.1x fallback) template agentless host for L2 (802.
Index logging level logs and reports MAB reading 9-14 updating 9-14 multiforest support for Active Directory password lifetime options password policy database replication design 5-6 2-14 default ACLs 3-8 RACs 9-4 9-52 9-26 DELETE_DACL 3-7 AAA clients 4-5 deleting dACLs architecture 6-18 4-12 2-1 considerations 9-26 CSDBSync 4-15 deployment 4-15 CSA Uninstall Patch 4-14 deleting 4-5 creating RACs 4-13 DELETE_USER_DACL x CREATE_USER_DACL NAP database replication 3-1
Index configuring new features in ACS 4.
Index for MAB support wireless (NAC L2 802.1x) template 6-12 Lightweight Directory Access Protocol NAC/NAP See LDAP logging configuring components defined 2-15 deploying ACS with 2-15 network architecture illustrated 9-14 enhanced features with ACS 4.2 importing using CSUtil NAC L2 802.
Index reliability See PEAP 2-19 purging RSA Node Secret file P PAC disabling PAC processing in NAPs R 3-3 Passed Authentication report enabling RACs configuring for NAC/NAP 9-15 password configuration Account Locked creating sample RACs for NAC/NAP 5-4 5-4 RADIUS password inactivity options 5-7 RADIUS AAA client password lifetime options password policy 9-26 2-2 configuring 5-6 9-25 9-26 Account Never Expires 6-5 RADIUS AAA clients configuring configuring 5-1, 5-4 incorrect p
Index purging Node Secret file purging facility codes 8-4 format in ACS reports 3-10 8-4 Syslog server specifying which Syslog server ACS sends messages to 8-3 S Syslog time format Sarbanes-Oxley configuring See SOX 3-7 system logging security certificate installing and setting up See Syslog 9-5 security certificates adding a trusted certificate copying to the ACS host enabling 7-4 T 6-7, 7-2, 9-6 templates 6-8, 7-3, 9-8 installing samples for NAC 6-6, 7-2, 9-6 using Windows Certi
Index W warnings significance of x Windows Certificate Import Wizard 6-7, 7-2 wired LAN geographically dispersed wired LAN access 2-4 2-2 wireless (NAC L2 802.1x) template 9-60 wireless access campus WLAN 2-6 large enterprise LAN regional WLAN simple WLAN topology 2-8 2-7 2-5 2-5 wireless access point 2-5 Configuration Guide for Cisco Secure ACS 4.
