Page 103
Chapter 6 Agentless Host Support Configuration Scenario
Basic Configuration Steps for Agentless Host Support
For detailed information on this field, refer to the “LDAP Configuration Options” section in Chapter 12 of the User Guide for Cisco Secure Access Control Server, “User Databases.”
–Admin DN—The DN of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree. It must contain the following information about your LDAP server:
uid=user id,[ou=organizational unit,][ou=next organizational unit,]o=organization
where user id is the username, organizational unit is the last level of the tree, and next organizational unit is the next level up the tree.
For example:
uid=joesmith,ou=members,ou=administrators,o=cisco
You can use anonymous credentials for the administrator username if the LDAP server is configured to make the group name attribute visible in searches by anonymous credentials. Otherwise, you must specify an administrator username that permits the group name attribute to be visible to searches.
Note If the administrator username that you specify does not have permission to see the group name attribute in searches, group mapping fails for users whom LDAP authenticates.
–Password—The password for the administrator account that you specified in the Admin DN box. The LDAP server determines case sensitivity.
b. If you want to set up LDAP server failback, then in the Secondary LDAP Server section, specify information to identify the failback LDAP server.
The options and text input boxes in the Secondary LDAP Server section are the same as the ones in the Primary LDAP Server section.
Step 9 Click Submit.
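As an added example that is not part of the Cisco guide, the Python below checks that an Admin DN you intend to enter in the Generic LDAP page follows the uid=...,[ou=...,]o=... layout described above (handling RFC 4514 backslash escapes so a comma inside a value is not mistaken for a separator); it does not contact the LDAP server, so the bind and group-name-attribute visibility still have to be confirmed against the directory itself.

```python
# Added example (not Cisco code): structural check of an ACS LDAP "Admin DN".
# parse_dn() splits a DN into (attribute, value) pairs; check_admin_dn()
# enforces the uid= / ou=* / o= ordering the configuration guide specifies.

def parse_dn(dn):
    """Split a DN into lowercase-attribute/value pairs, honouring '\' escapes."""
    rdns = []
    buf = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # escaped character is kept literally
            i += 2
            continue
        if ch == ",":               # unescaped comma separates RDNs
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr, value = rdn.split("=", 1)
        if not attr.strip() or not value.strip():
            raise ValueError("empty attribute or value in %r" % rdn)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_admin_dn(dn):
    """Return (ok, reason); ok is True only for uid=...,[ou=...,]*o=... in that order."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return False, str(exc)
    attrs = [attr for attr, _ in pairs]
    if not attrs or attrs[0] != "uid":
        return False, "Admin DN must start with the uid= RDN"
    if attrs[-1] != "o":
        return False, "Admin DN must end with the o= organization RDN"
    if any(attr != "ou" for attr in attrs[1:-1]):
        return False, "only ou= RDNs are allowed between uid= and o="
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the guide's example DN and a DN missing a comma.
    print(check_admin_dn("uid=joesmith,ou=members,ou=administrators,o=cisco"))
    print(check_admin_dn("uid=joesmith,ou=members,ou=administratorso=cisco"))
```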
Step 5: Configure User Groups for MAB Segments
During configuration of Network Access Profiles to enable agentless request processing, you will be required to map devices that have specified MAC addresses to one of the default user groups that ACS provides.
Configuration Guide for Cisco Secure ACS 4.2, OL-14390-02, page 6-17