Cisco Systems 4.2 manual Original SSLeay License

Page 14

Preface

Notices

Original SSLeay License:

Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1.Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3.All advertising materials mentioning features or use of this software must display the following acknowledgement:

“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.

The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.

4.If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Configuration Guide for Cisco Secure ACS 4.2

 

xiv

OL-14390-02

 

 

 

Image 14
Contents Configuration Guide for Cisco Secure ACS Americas HeadquartersPage N T E N T S Deploying ACS in a NAC/NAP Environment Error Messages Overview Profile Setup Profile Setup Audience OrganizationConvention ConventionsProduct Documentation Boldface fontAvailable Formats ACSTroubleshooting.html Related DocumentationOpenSSL License License IssuesOpenSSL/Open SSL Project Original SSLeay License Overview of ACS Configuration Summary of Configuration StepsClick Interface Configuration Click System ConfigurationPeap EAP-FAST EAP-TLS Leap EAP-MD5 Overview of ACS Configuration Summary of Configuration Steps Configuration Flowchart EAP-TLS, SSLOL-14390-02 Deploy the Access Control Servers Determining the Deployment ArchitectureSize Users Access TypesWired LAN Access Small LAN Environment Campus LANGeographically Dispersed Wired LAN ACS in a Campus LANWireless Access Topology Simple WlanCampus Wlan Regional Wlan Setting Large Enterprise Wlan Setting 6shows a regional WlanDial-up Access Topology Small Dial-Up Network AccessLarge Dial-Up Network Access Small Dial-up NetworkNumber of Users Placement of the Radius ServerDetermining How Many ACSs to Deploy Scalability WAN Latency and Dependability Number of Network Access ServersLAN Versus WAN Deployment Number of LANs in the Network Load Balancing and Failover Configuration components for replication-What is replicatedDeploying ACS Servers to Support Server Failover Database Replication ConsiderationsDatabase Synchronization Considerations Replication DesignACS Deploying ACS in a NAC/NAP EnvironmentComponent Description Cisco AAA server productRemote Access Policy Additional TopicsAdministrative Access Policy Security PolicySeparation of Administrative and General Users Number of Users Database ConsiderationsNetwork Latency and Reliability Type of DatabaseOL-14390-02 Configuring New Features in ACS New Global EAP-FAST Configuration OptionsOption Description PACUse PAC and Do Not Use PAC Options Disabling NetBIOS 2shows the new options on the NAP ProtocolsRight-clickMy Network Places and choose Properties Configuring ACS 4.2 Enhanced Logging FeaturesTo disable NetBIOS over TCP/ IP in Windows 2000, XP, or Click Internet Protocol TCP/IP and choose PropertiesConfiguring Group Filtering at the NAP Level Click SubmitOption to Not Log or Store Dynamic Users Configuring Syslog Time Format in ACSCheck the Disable Dynamic users check box Active Directory Multi-Forest SupportClick Submit and Restart Click Database ConfigurationRSA Support on the ACS SE Click RSA SecureID Token Server Click Create New ConfigurationClick Configure Click Upload scconf.recPurging the RSA Node Secret File FTP Server Login Password DirectoryExternal User Databases Configuration page opens FieldClick Purge Node Secret Configuring RSA SecurID Token and Ldap Group MappingClick Configure Ldap Click RSA SecurID Token and Ldap Group MappingRSA SecurID Token and Ldap Group Mapping Configuration Choose Process all usernamesConfiguring New Features in ACS RSA Support on the ACS SE Configuring New Features in ACS RSA Support on the ACS SE Uid=joesmith,ou=members,ou=administrators,o=cisco Turning Ping On and Off New Rdbms Synchronization Features in ACS Release ACS 4.2 provides enhanced support for Rdbms SynchronizationCreate a Text File to Define the dACLs Using Rdbms Synchronization to Configure dACLsEnable dACLs Check the Rdbms Synchronization check boxKeyword Value Example 4-1shows a sample text fileCode the information in the file as described in Table Sample accountActions CSV File Example 4-2shows a sample accountActions CSV fileClick Rdbms Synchronization Configure Rdbms Synchronization to Use a Local CSV FileAction Code Name Required Description Rdbms Synchronization Setup Page ACS for Windows Configuration Guide for Cisco Secure ACS OL-14390-02 Running CSDBSync Manually to Create the dACLs Perform Rdbms SynchronizationRunning Rdbms Synchronization from the ACS GUI ACS for WindowsPerforming Rdbm Synchronization Using a Script View the dACLsEntry for the Sample dACL NAF Error MessagesExplanation Enabled correctly in the ACS GUI User has write access to the ACSOn the ACS is configured correctly Reading, Updating, and Deleting dACLsDaclreplace UpdatedaclReaddacl DeletedaclUpdateuserdacl UNGN, VN Deleteuserdacl UngnReadnas UpdatenasCreating, Reading, Updating and Deleting AAA clients OL-14390-02 Password Policy Configuration Scenario Add and Edit a New Administrator Account Administration Control To specify password restrictions Configure Password PolicyServer 4.2, Administrators and Administrative Policy Privileges that you want to grantAdministrator Password Policy Setup Password Lifetime Options Specify Password Validation OptionsSpecify Password Lifetime Options Password Inactivity OptionsSpecify Incorrect Password Attempt Options Configure Session PolicySpecify Password Inactivity Options Incorrect Password Attempt Options section, configureSession Policy Setup Access Policy Setup page appears, as shown in Figure Configure Access PolicyClick Access Policy Before You BeginAccess Policy Setup Click the appropriate IP Address Filtering optionRange includes the Start and End IP addresses IP Address Ranges table contains ten rows for configuringIP address ranges. The ranges are always inclusive that is, Must differ only in the last octet Class C formatInstallation process. With SSL enabled, ACS begins using Viewing Administrator Entitlement ReportsConfiguration ACS Certificate Setup to access Displays an errorView Privilege Reports Click Entitlement ReportsOL-14390-02 Agentless Host Support Configuration Scenario Overview of Agentless Host SupportUsing Audit Servers and Game Group Feedback 1shows the flow of MAB informationConfigure a Radius AAA client See Configure a Radius AAA Client, page 6-5for detailsBasic Configuration Steps for Agentless Host Support Install ACSConfigure a Radius AAA Client Install and Set Up an ACS Security Certificate Click Submit + ApplyObtain Certificates and Copy Them to the ACS Host Go to selecteddrive\CertsClick ACS Certificate Setup Click Install ACS Certificate Enable Security Certificates on the ACS InstallationSelect Install Certificate Click SubmitAdd a Trusted Certificate Install the CA CertificateTo install the CA Certificate Create one or more Ldap database configurations in ACS Configure Ldap Support for MABConfigure an External Ldap Database for MAB Support Description of the Settings in the Sample Ldap Schema 802.1x device n 802.1x device n+1How the Subtrees Work How the Ldap User Groups WorkClick Generic Ldap Create One or More Ldap Database Configurations in ACS1describes the attributes of the sample Ldap groups Specify the common Ldap configuration 6shows the Common Ldap Configuration sectionOL-14390-02 Ldap Server Configuration Sections ACS SE OnlyConfigure User Groups for MAB Segments Click Add Profile Enable Agentless Request ProcessingCreate a New NAP Profile Setup page opens, shown in Figure Profile SetupCheck the check box for Allow Agentless Request Processing Enable Agentless Request Processing for a NAPYou are now ready to enable agentless request processing Configure MAB You are now ready to configure MAB settingsClick Internal ACS DB 13 MAC Address Input AreaConfigure Logging and Reports Configuring Reports for MAB ProcessingConfiguration Steps for Audit Server Support Configure Game Group FeedbackConfigure global authentication settings Configure Security CertificatesTo configure PEAP-TLS Configure security certificates Specify EAP-TLS optionsObtain Certificates and Copy Them to the ACS Host Enable Security Certificates on the ACS Installation Install the CA Certificate Add a Trusted CertificateGlobal Authentication Setup page opens, as shown in Figure Configure Global Authentication SettingsClick Global Authentication Setup EAPMSCHAP2 EAP-GTC Optional Configure Authentication PolicySpecify EAP-TLS Options Click Logging Configuring Syslog LoggingOverview Logging page opens, shown in FigureLogging Configuration Enable Logging Format of Syslog Messages in ACS Reports Facility CodesMessage Length Restrictions OL-14390-02 NAC Configuration Scenario Install ACSPerform Network Configuration Tasks This section describesAdd AAA Client Configure the AAA Server This section describes the following tasks Set Up System ConfigurationClick Submit and Apply Click ACS Certification Authority Setup Set Up the ACS Certification AuthorityClick ACS Certificate Setup Choose ACS Certificate Setup Edit Certificate Trust List Edit the Certificate Trust ListInstall ACS Certificate page opens, as shown in Figure Set Up Global ConfigurationInstall the ACS Certificate Click the Read certificate from file radio buttonSet Up Global Authentication Global Authentication Setup Page appears, as shown in FigureGlobal Authentication Setup Allow Posture Validation Allow EAP-MSCHAPv2Allow EAP-GTC Click Submit + RestartEAP Fast Configuration page appears, as shown in Figure Set Up EAP-FAST ConfigurationClick EAP-FAST Configuration Provisioning check boxes Check the Allow EAP-FASTcheck box-8, this is ACS NAC Server. However, this can be any string Click Service Control Configure the Logging LevelConfigure Logs and Reports Check the Log to CSV Passed Authentications Report check box Check the Log to CSV Radius Accounting Report check box Click Add Administrator Set Up Administration ControlAdd Remote Administrator Access Add Administrator page opens, as shown in Figure10 Add Administrator Click Grant All Click Network Access Filtering Set Up Shared Profile ComponentsConfigure Network Access Filtering Optional Configure Downloadable IP ACLs 11 Edit Network Access FilteringChoose Shared Profile Components Downloadable IP ACLs Adding an ACLTo add a new ACL List of dACLs appears, as shown in FigureAdding an ACE 13 Downloadable IP ACLs14 Downloadable IP ACL Content New ACL appears on the list of downloadable ACLs Configure Radius Authorization ComponentsSaving the dACL Click Radius Authorization Components 16 Radius Authorization Components17 RAC Attribute Add/Edit 18 Attribute Selection for the CiscoFullAccess RAC 19 Attribute Selection for the CiscoRestricted RAC ACL AttributeNumber Attribute Name Description Configure an External Posture Validation Audit Server Add the Posture Attribute to the ACS DictionaryConfigure the External Posture Validation Audit Server Click Add Server20 External Posture Validation Audit Server Setup 21 Use These Audit Servers Section Configure Posture Validation for NAC Configure Internal Posture Validation PoliciesClick Internal Posture Validation Setup Click Add RuleClick Add Condition Set Add/Edit Condition page appears, as shown in FigureConfigure External Posture Validation Policies 26 Edit External Posture Validation Servers27 Add/Edit External Posture Validation Server Configure an External Posture Validation Audit Server 28 External Posture Validation Audit Server Setup 29 Use These Audit Servers Section Authorization Policy and NAC Audit 30 Audit Flow Settings and Game Group Feedback SectionsSample NAC Layer 3 Profile Template Set Up Templates to Create NAPsSample NAC Profile Templates EAP-FAST GTCProfile Setup 31 Create Profile From Template32 Profile Setup Page for Layer 3 NAC Template EAP Configuration section, Posture Validation is enabled Protocols Policy for the NAC Layer 3 TemplateAuthentication Policy 34 Authentication Page for Layer 3 NAC Profile TemplateFrom the Template drop-down list, choose NAC L2 IP Sample NAC Layer 2 TemplateSample Posture Validation Rule To enable the profile setup Go to Network Access Profiles36 Profile Setup Page for NAC Layer 2 Template Default ACLs ACS and Attribute-Value PairsProtocols Settings 37shows the Protocols settings for the NAC Layer 2 template38 Authentication Settings for NAC Layer 2 Template Sample NAC Layer 2 802.1x Template 39 Sample Posture Validation Policy for NAC Layer 2 Template40 Create Profile From Template 41 Profile Setup Page for NAC Layer 2 802.1x Template 42 Protocols Setting for NAC Layer 802.1x Template Protocols PolicyAuthorization Policy Sample Wireless NAC L2 802.1x Template 45 Create Profile From Template 46 Profile Setup Page for Wireless NAC L2 802.1xTemplate 47 Protocols Setting for Wireless NAC 802.1x Template Authorization Policy Using a Sample Agentless Host Template 50 Create Profile From Template Profile Setup 52 Protocols Setting for Agentless Host for Layer 3 Template Choose the relevant profile Posture Validation policy Choose Network Access ProfilesMap Posture Validation Components to Profiles Enter a Name for the ruleClick Back to return to the Posture Validation policy Click Apply + RestartCheck the Allow Agentless Request Processing check box Check the Do not reject when Audit failed check boxMap an Audit Server to a Profile Click Select AuditClick Apply and Restart Optional Configure Game Group FeedbackConfigure an external audit server Import NAC Attribute-Value Pairs Import an Audit Vendor File by Using CSUtilImport a Device-Type Attribute File by Using CSUtil Configure an External Audit Server Configure Database Support for Agentless Host ProcessingEnable Posture Validation Restart ACS Navigation bar, click System Configuration\ACSInstallDir\bin\CSUtil -addAVP filename 56 External Posture Validation Audit Server Setup 57 Use These Audit Servers Section 58 Audit Flow Settings and Game Group Feedback Sections Enable Game Group Feedback ACS Solution EnginePDA UnixMac Integrated Device Resource usage Being authenticatedAuthentication agent installed, such as Cisco Trust Agent Posture-validation serverAuthenticate the device, instead of using an IP address GL-2GL-3 Radius Attribute Component Network accessMicrosoft, and RSA Security submitted to the Ietf ACE Updatenas UpdateuserdaclAdduser CA certificate Installing Audit servers ConfiguringConfiguring audit flow settings for 9-35,9-43,9-78 NAP DeleteuserdaclCreateuserdacl Specifying Certificate Binary Comparison for Configuring new features in ACS 4.2ACS configuration for Layer 2 NAC 802.1x templateNAC/NAP NetbiosNAC NAC L2 IPReading dACLs Regional Wlan Related documentation ReliabilityReaddacl Readnas RSAPurging Node Secret file purging Sarbanes-Oxley Using Windows Certificate Import WizardInstalling the CA certificate Security policies Security protocolsSignificance Windows Certificate Import Wizard
Related manuals
Manual 94 pages 10.59 Kb Manual 34 pages 46.13 Kb

4.2 specifications

Cisco Systems, a global leader in IT and networking solutions, has consistently evolved to meet the demands of modern enterprises. One of its noteworthy offerings is Cisco Systems 4.2, a version that embodies a significant leap in networking technology and capability. With its rich set of features, Cisco Systems 4.2 caters to a wide range of industries, facilitating enhanced performance and security.

One of the main features of Cisco Systems 4.2 is its improved scalability. The architecture has been designed to support an ever-increasing number of devices and users, making it ideal for growing enterprises. The enhanced scalability allows organizations to expand their network capacities without compromising performance, ensuring seamless integration of new technologies and devices.

Another critical aspect of Cisco Systems 4.2 is its advanced security protocols. With cyber threats constantly evolving, Cisco prioritizes security in this version by offering robust features such as end-to-end encryption, improved firewall capabilities, and enhanced intrusion detection systems. These security enhancements provide organizations with peace of mind, knowing that their sensitive data and networks are well-protected from unauthorized access and potential threats.

Cisco Systems 4.2 also introduces intelligent automation features, which significantly streamline network management. Through the use of artificial intelligence and machine learning, Cisco enables organizations to automate routine tasks, reduce human error, and optimize performance. This automation not only enhances efficiency but also allows IT teams to focus on strategic initiatives rather than day-to-day maintenance.

Moreover, Cisco Systems 4.2 emphasizes infrastructure flexibility. The new architecture supports various deployment models, including on-premises, cloud, and hybrid environments. This flexibility enables organizations to adapt their networking strategies according to their specific needs and operational requirements, facilitating a more tailored approach to IT infrastructure.

Collaboration tools have also been enhanced in this version. Cisco Systems 4.2 integrates advanced communication solutions that empower teams to collaborate in real time, regardless of their geographical location. Features such as high-definition video conferencing, secure messaging, and file sharing enhance productivity and foster innovation across teams.

In summary, Cisco Systems 4.2 stands out as a forward-thinking networking solution with key features such as scalability, advanced security, intelligent automation, flexible infrastructure, and enhanced collaboration tools. These characteristics position Cisco Systems 4.2 as an invaluable asset for enterprises striving for digital transformation in an increasingly interconnected world. The ongoing innovation reflects Cisco's commitment to delivering cutting-edge technology solutions that drive business success and resilience.