Page 100
Chapter 6 Agentless Host Support Configuration Scenario
Basic Configuration Steps for Agentless Host Support
•Common LDAP Configuration—Configure the settings in this section to specify how ACS queries the LDAP database.
•Primary LDAP Server—Configure the settings in this section to specify the primary LDAP server.
•Secondary LDAP Server—Configure the settings in this section if you are setting up LDAP failback.
Step 7 If you want to set up Domain Filtering, refer to the “Configuring a Generic LDAP External User
Database” section in Chapter 12 of the User Guide for Cisco Secure Access Server 4.2.
Step 8 Specify the common LDAP configuration
Figure 6-6shows the Common LDAP Configuration section.
Figure 6-6 Common LDAP Configuration Section
You must specify:
•User Directory Subtree—Enter the distinguished name (DN) of the user directory subtree that contains all users. In MAB configuration, the users are, in effect, host devices.
In the LDAP schema shown in Example 6-1, the DN of the User Directory Subtree is ou=MAC
Addresses, ou=MAB Segment, o=mycorp.
•Group Directory Subtree—Enter the DN for the group directory subtree that contains all user groups as defined in your LDAP schema. In MAB configuration, the members of user groups are actually groups of MAC addresses.
In the LDAP schema shown in Example 6-1, the DN of the group directory subtree is ou=MAC
Groups, ou=MAB Segment, o=cisco.
•UserObjectType— Enter the name of the user object type that is defined in your LDAP schema. In the LDAP schema shown in Example 6-1, the user object type is specified as macAddress.
| Configuration Guide for Cisco Secure ACS 4.2 |
6-14 | OL-14390-02 |
Contents
Configuration Guide for Cisco Secure ACS
Americas Headquarters
Page
N T E N T S
Deploying ACS in a NAC/NAP Environment
Error Messages
Overview
Profile Setup
Profile Setup
Audience
Organization
Conventions
Product Documentation
Convention
Boldface font
Available Formats
ACSTroubleshooting.html
Related Documentation
OpenSSL/Open SSL Project
License Issues
OpenSSL License
Original SSLeay License
Overview of ACS Configuration
Summary of Configuration Steps
Click Interface Configuration
Click System Configuration
Peap EAP-FAST EAP-TLS Leap EAP-MD5
Overview of ACS Configuration Summary of Configuration Steps
Configuration Flowchart
EAP-TLS, SSL
OL-14390-02
Deploy the Access Control Servers
Determining the Deployment Architecture
Wired LAN Access
Access Types
Size Users
Small LAN Environment
Campus LAN
Geographically Dispersed Wired LAN
ACS in a Campus LAN
Wireless Access Topology
Simple Wlan
Campus Wlan
Regional Wlan Setting
Large Enterprise Wlan Setting
6shows a regional Wlan
Dial-up Access Topology
Small Dial-Up Network Access
Large Dial-Up Network Access
Small Dial-up Network
Determining How Many ACSs to Deploy Scalability
Placement of the Radius Server
Number of Users
LAN Versus WAN Deployment Number of LANs in the Network
Number of Network Access Servers
WAN Latency and Dependability
Configuration components for replication-What is replicated
Deploying ACS Servers to Support Server Failover
Load Balancing and Failover
Database Replication Considerations
Database Synchronization Considerations
Replication Design
Deploying ACS in a NAC/NAP Environment
Component Description
ACS
Cisco AAA server product
Remote Access Policy
Additional Topics
Administrative Access Policy
Security Policy
Separation of Administrative and General Users
Database Considerations
Network Latency and Reliability
Number of Users
Type of Database
OL-14390-02
Configuring New Features in ACS
New Global EAP-FAST Configuration Options
Option Description
PAC
Use PAC and Do Not Use PAC Options
Disabling NetBIOS
2shows the new options on the NAP Protocols
Configuring ACS 4.2 Enhanced Logging Features
To disable NetBIOS over TCP/ IP in Windows 2000, XP, or
Right-clickMy Network Places and choose Properties
Click Internet Protocol TCP/IP and choose Properties
Configuring Group Filtering at the NAP Level
Click Submit
Configuring Syslog Time Format in ACS
Check the Disable Dynamic users check box
Option to Not Log or Store Dynamic Users
Active Directory Multi-Forest Support
RSA Support on the ACS SE
Click Database Configuration
Click Submit and Restart
Click Create New Configuration
Click Configure
Click RSA SecureID Token Server
Click Upload scconf.rec
FTP Server Login Password Directory
External User Databases Configuration page opens
Purging the RSA Node Secret File
Field
Configuring RSA SecurID Token and Ldap Group Mapping
Click Configure Ldap
Click Purge Node Secret
Click RSA SecurID Token and Ldap Group Mapping
RSA SecurID Token and Ldap Group Mapping Configuration
Choose Process all usernames
Configuring New Features in ACS RSA Support on the ACS SE
Configuring New Features in ACS RSA Support on the ACS SE
Uid=joesmith,ou=members,ou=administrators,o=cisco
Turning Ping On and Off
New Rdbms Synchronization Features in ACS Release
ACS 4.2 provides enhanced support for Rdbms Synchronization
Using Rdbms Synchronization to Configure dACLs
Enable dACLs
Create a Text File to Define the dACLs
Check the Rdbms Synchronization check box
Code the information in the file as described in Table
Example 4-1shows a sample text file
Keyword Value
Sample accountActions CSV File
Example 4-2shows a sample accountActions CSV file
Action Code Name Required Description
Configure Rdbms Synchronization to Use a Local CSV File
Click Rdbms Synchronization
Rdbms Synchronization Setup Page ACS for Windows
Configuration Guide for Cisco Secure ACS OL-14390-02
Perform Rdbms Synchronization
Running Rdbms Synchronization from the ACS GUI
Running CSDBSync Manually to Create the dACLs
ACS for Windows
Performing Rdbm Synchronization Using a Script
View the dACLs
Entry for the Sample dACL
Explanation
Error Messages
NAF
User has write access to the ACS
On the ACS is configured correctly
Enabled correctly in the ACS GUI
Reading, Updating, and Deleting dACLs
Updatedacl
Readdacl
Daclreplace
Deletedacl
Updateuserdacl UNGN, VN
Deleteuserdacl Ungn
Creating, Reading, Updating and Deleting AAA clients
Updatenas
Readnas
OL-14390-02
Password Policy Configuration Scenario
Add and Edit a New Administrator Account
Administration Control
Configure Password Policy
Server 4.2, Administrators and Administrative Policy
To specify password restrictions
Privileges that you want to grant
Administrator Password Policy Setup
Specify Password Validation Options
Specify Password Lifetime Options
Password Lifetime Options
Password Inactivity Options
Configure Session Policy
Specify Password Inactivity Options
Specify Incorrect Password Attempt Options
Incorrect Password Attempt Options section, configure
Session Policy Setup
Configure Access Policy
Click Access Policy
Access Policy Setup page appears, as shown in Figure
Before You Begin
Access Policy Setup
Click the appropriate IP Address Filtering option
IP Address Ranges table contains ten rows for configuring
IP address ranges. The ranges are always inclusive that is,
Range includes the Start and End IP addresses
Must differ only in the last octet Class C format
Viewing Administrator Entitlement Reports
Configuration ACS Certificate Setup to access
Installation process. With SSL enabled, ACS begins using
Displays an error
View Privilege Reports
Click Entitlement Reports
OL-14390-02
Agentless Host Support Configuration Scenario
Overview of Agentless Host Support
Using Audit Servers and Game Group Feedback
1shows the flow of MAB information
Configure a Radius AAA client
See Configure a Radius AAA Client, page 6-5for details
Basic Configuration Steps for Agentless Host Support
Install ACS
Configure a Radius AAA Client
Install and Set Up an ACS Security Certificate
Click Submit + Apply
Obtain Certificates and Copy Them to the ACS Host
Go to selecteddrive\Certs
Enable Security Certificates on the ACS Installation
Select Install Certificate
Click ACS Certificate Setup Click Install ACS Certificate
Click Submit
To install the CA Certificate
Install the CA Certificate
Add a Trusted Certificate
Configure an External Ldap Database for MAB Support
Configure Ldap Support for MAB
Create one or more Ldap database configurations in ACS
Description of the Settings in the Sample Ldap Schema
802.1x device n 802.1x device n+1
How the Subtrees Work
How the Ldap User Groups Work
1describes the attributes of the sample Ldap groups
Create One or More Ldap Database Configurations in ACS
Click Generic Ldap
Specify the common Ldap configuration
6shows the Common Ldap Configuration section
OL-14390-02
Ldap Server Configuration Sections
ACS SE Only
Configure User Groups for MAB Segments
Create a New NAP
Enable Agentless Request Processing
Click Add Profile
Profile Setup page opens, shown in Figure
Profile Setup
You are now ready to enable agentless request processing
Enable Agentless Request Processing for a NAP
Check the check box for Allow Agentless Request Processing
Configure MAB
You are now ready to configure MAB settings
Click Internal ACS DB
13 MAC Address Input Area
Configure Logging and Reports
Configuring Reports for MAB Processing
Configuration Steps for Audit Server Support
Configure Game Group Feedback
Configure Security Certificates
To configure PEAP-TLS Configure security certificates
Configure global authentication settings
Specify EAP-TLS options
Obtain Certificates and Copy Them to the ACS Host
Enable Security Certificates on the ACS Installation
Install the CA Certificate
Add a Trusted Certificate
Click Global Authentication Setup
Configure Global Authentication Settings
Global Authentication Setup page opens, as shown in Figure
Specify EAP-TLS Options
Optional Configure Authentication Policy
EAPMSCHAP2 EAP-GTC
Configuring Syslog Logging
Overview
Click Logging
Logging page opens, shown in Figure
Logging Configuration
Enable Logging
Format of Syslog Messages in ACS Reports
Facility Codes
Message Length Restrictions
OL-14390-02
NAC Configuration Scenario
Install ACS
Perform Network Configuration Tasks
This section describes
Add AAA Client
Configure the AAA Server
Click Submit and Apply
Set Up System Configuration
This section describes the following tasks
Click ACS Certificate Setup
Set Up the ACS Certification Authority
Click ACS Certification Authority Setup
Choose ACS Certificate Setup Edit Certificate Trust List
Edit the Certificate Trust List
Set Up Global Configuration
Install the ACS Certificate
Install ACS Certificate page opens, as shown in Figure
Click the Read certificate from file radio button
Set Up Global Authentication
Global Authentication Setup Page appears, as shown in Figure
Global Authentication Setup
Allow EAP-MSCHAPv2
Allow EAP-GTC
Allow Posture Validation
Click Submit + Restart
Click EAP-FAST Configuration
Set Up EAP-FAST Configuration
EAP Fast Configuration page appears, as shown in Figure
-8, this is ACS NAC Server. However, this can be any string
Check the Allow EAP-FASTcheck box
Provisioning check boxes
Configure Logs and Reports
Configure the Logging Level
Click Service Control
Check the Log to CSV Passed Authentications Report check box
Check the Log to CSV Radius Accounting Report check box
Set Up Administration Control
Add Remote Administrator Access
Click Add Administrator
Add Administrator page opens, as shown in Figure
10 Add Administrator
Click Grant All
Configure Network Access Filtering Optional
Set Up Shared Profile Components
Click Network Access Filtering
Configure Downloadable IP ACLs
11 Edit Network Access Filtering
Adding an ACL
To add a new ACL
Choose Shared Profile Components Downloadable IP ACLs
List of dACLs appears, as shown in Figure
Adding an ACE
13 Downloadable IP ACLs
14 Downloadable IP ACL Content
Saving the dACL
Configure Radius Authorization Components
New ACL appears on the list of downloadable ACLs
Click Radius Authorization Components
16 Radius Authorization Components
17 RAC Attribute Add/Edit
18 Attribute Selection for the CiscoFullAccess RAC
19 Attribute Selection for the CiscoRestricted RAC
Number Attribute Name Description
Attribute
ACL
Configure an External Posture Validation Audit Server
Add the Posture Attribute to the ACS Dictionary
Configure the External Posture Validation Audit Server
Click Add Server
20 External Posture Validation Audit Server Setup
21 Use These Audit Servers Section
Configure Posture Validation for NAC
Configure Internal Posture Validation Policies
Click Internal Posture Validation Setup
Click Add Rule
Click Add Condition Set
Add/Edit Condition page appears, as shown in Figure
Configure External Posture Validation Policies
26 Edit External Posture Validation Servers
27 Add/Edit External Posture Validation Server
Configure an External Posture Validation Audit Server
28 External Posture Validation Audit Server Setup
29 Use These Audit Servers Section
Authorization Policy and NAC Audit
30 Audit Flow Settings and Game Group Feedback Sections
Set Up Templates to Create NAPs
Sample NAC Profile Templates
Sample NAC Layer 3 Profile Template
EAP-FAST GTC
Profile Setup
31 Create Profile From Template
32 Profile Setup Page for Layer 3 NAC Template
EAP Configuration section, Posture Validation is enabled
Protocols Policy for the NAC Layer 3 Template
Authentication Policy
34 Authentication Page for Layer 3 NAC Profile Template
Sample Posture Validation Rule
Sample NAC Layer 2 Template
From the Template drop-down list, choose NAC L2 IP
To enable the profile setup
Go to Network Access Profiles
36 Profile Setup Page for NAC Layer 2 Template
Default ACLs
ACS and Attribute-Value Pairs
Protocols Settings
37shows the Protocols settings for the NAC Layer 2 template
38 Authentication Settings for NAC Layer 2 Template
Sample NAC Layer 2 802.1x Template
39 Sample Posture Validation Policy for NAC Layer 2 Template
40 Create Profile From Template
41 Profile Setup Page for NAC Layer 2 802.1x Template
42 Protocols Setting for NAC Layer 802.1x Template
Protocols Policy
Authorization Policy
Sample Wireless NAC L2 802.1x Template
45 Create Profile From Template
46 Profile Setup Page for Wireless NAC L2 802.1xTemplate
47 Protocols Setting for Wireless NAC 802.1x Template
Authorization Policy
Using a Sample Agentless Host Template
50 Create Profile From Template
Profile Setup
52 Protocols Setting for Agentless Host for Layer 3 Template
Choose Network Access Profiles
Map Posture Validation Components to Profiles
Choose the relevant profile Posture Validation policy
Enter a Name for the rule
Click Back to return to the Posture Validation policy
Click Apply + Restart
Check the Do not reject when Audit failed check box
Map an Audit Server to a Profile
Check the Allow Agentless Request Processing check box
Click Select Audit
Configure an external audit server
Optional Configure Game Group Feedback
Click Apply and Restart
Import a Device-Type Attribute File by Using CSUtil
Import an Audit Vendor File by Using CSUtil
Import NAC Attribute-Value Pairs
Configure Database Support for Agentless Host Processing
Enable Posture Validation
Configure an External Audit Server
Restart ACS Navigation bar, click System Configuration
\ACSInstallDir\bin\CSUtil -addAVP filename
56 External Posture Validation Audit Server Setup
57 Use These Audit Servers Section
58 Audit Flow Settings and Game Group Feedback Sections
Enable Game Group Feedback
ACS Solution Engine
Mac Integrated Device
Unix
PDA
Being authenticated
Authentication agent installed, such as Cisco Trust Agent
Resource usage
Posture-validation server
Authenticate the device, instead of using an IP address
GL-2
GL-3
Microsoft, and RSA Security submitted to the Ietf
Network access
Radius Attribute Component
Adduser
Updatenas Updateuserdacl
ACE
Configuring audit flow settings for 9-35,9-43,9-78
Audit servers Configuring
CA certificate Installing
Createuserdacl
Deleteuserdacl
NAP
Configuring new features in ACS 4.2
ACS configuration for
Specifying Certificate Binary Comparison for
Layer 2 NAC 802.1x template
Netbios
NAC
NAC/NAP
NAC L2 IP
Reliability
Readdacl Readnas
Reading dACLs Regional Wlan Related documentation
RSA
Using Windows Certificate Import Wizard
Installing the CA certificate
Purging Node Secret file purging Sarbanes-Oxley
Security policies Security protocols
Significance Windows Certificate Import Wizard