Chapter 3 Configuring New Features in ACS 4.2
RSA Support on the ACS SE
Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the X box contains any of these characters, stripping fails.
Step 10 Under Common LDAP Configuration, in the User Directory Subtree box, type the DN of the tree containing all your users.
Step 11 In the Group Directory Subtree box, type the DN of the subtree containing all your groups.
Step 12 In the User Object Type box, type the name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation.
Note The default values in the UserObjectType and following fields reflect the default configuration of the Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation.
Step 13 In the User Object Class box, type the value of the LDAP objectClass attribute (the ACS field calls it the object type) that identifies the record as a user. User records often carry several objectClass values, some unique to users and others shared with other object types (for example, top). Choose a value that is not shared, so that the user search cannot match entries that are not users.
Step 14 In the GroupObjectType box, type the name of the attribute in the group record that contains the group name.
Step 15 In the GroupObjectClass box, type the value of the LDAP objectClass attribute in the group record that identifies the record as a group.
Step 16 In the GroupAttributeName box, type the name of the attribute of the group record that contains the list of user records that are members of that group.
Step 17 In the Server Timeout box, type the number of seconds that ACS waits for a response from an LDAP server before determining that the connection with that server has failed.
Step 18 To enable failover of LDAP authentication attempts, check the On Timeout Use Secondary check box.
Step 19 In the Failback Retry Delay box, type the number of minutes that ACS waits, after a request to the primary LDAP server has timed out, before it resumes sending authentication requests to the primary LDAP server first.
Note To specify that ACS should always use the primary LDAP server first, type zero (0) in the Failback Retry Delay box.
Step 20 In the Max. Admin Connection box, type the maximum number of concurrent connections that ACS opens to the LDAP server with the LDAP administrator account permissions.
Step 21 For the Primary LDAP Server and Secondary LDAP Server tables:
Note If you did not check the On Timeout Use Secondary check box, you do not need to complete the options in the Secondary LDAP Server table.
a. In the Hostname box, type the hostname or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address.
Configuration Guide for Cisco Secure ACS 4.2 | 3-14 | OL-14390-02
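As an added illustration (example code written for this edit, not taken from the Cisco guide or from ACS itself), the following Python models what the Common LDAP Configuration values in Steps 10 through 21 mean in practice: the searches ACS has to issue under the user and group subtrees with the chosen object classes and attributes, the username check behind the Note at the top of this page, and the order in which the primary and secondary servers are tried under the Server Timeout, On Timeout Use Secondary and Failback Retry Delay settings. The attribute names, object classes, DNs and timings are assumptions in the style of a Netscape/iPlanet directory, and the failover model is a simplification of the behaviour the steps describe, not ACS code.

```python
"""Added example (not from the ACS guide or ACS itself): models the Common
LDAP Configuration values of Steps 10-21. Every DN, attribute name, object
class and timing below is an assumption chosen to resemble a Netscape-style
directory; substitute the values from your own LDAP server."""
from dataclasses import dataclass
from typing import List, Optional

# Characters ACS refuses in usernames (see the Note on stripping). If the
# stripped username still contains one of these, ACS treats stripping as failed.
ACS_FORBIDDEN_CHARS = set('#?"*<>')


def username_is_acceptable(username: str) -> bool:
    """True if a (stripped) username contains none of the characters ACS rejects."""
    return bool(username) and not (set(username) & ACS_FORBIDDEN_CHARS)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 filter escaping. ACS already rejects '*', '<' and '>', but
    '(' ')' '\\' and NUL remain legal in usernames, so anything you build
    into a search filter yourself must still be escaped to stop filter injection."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\0' else ch for ch in value)


@dataclass
class CommonLdapConfig:
    """One field per step of the Common LDAP Configuration (assumed sample values)."""
    user_directory_subtree: str = 'ou=members,o=example'    # Step 10
    group_directory_subtree: str = 'ou=groups,o=example'    # Step 11
    user_object_type: str = 'uid'                           # Step 12: attribute holding the username
    user_object_class: str = 'inetOrgPerson'                # Step 13: objectClass unique to users
    group_object_type: str = 'cn'                           # Step 14: attribute holding the group name
    group_object_class: str = 'groupOfUniqueNames'          # Step 15: objectClass identifying a group
    group_attribute_name: str = 'uniqueMember'              # Step 16: member list on the group record
    server_timeout_s: int = 10                              # Step 17
    on_timeout_use_secondary: bool = True                   # Step 18
    failback_retry_delay_min: int = 5                       # Step 19 (0 = always try primary first)
    max_admin_connections: int = 10                         # Step 20


def user_search(cfg: CommonLdapConfig, username: str):
    """(base DN, filter) for locating the user record under the user subtree."""
    flt = '(&(objectClass=%s)(%s=%s))' % (
        cfg.user_object_class, cfg.user_object_type, ldap_filter_escape(username))
    return cfg.user_directory_subtree, flt


def group_search(cfg: CommonLdapConfig, user_dn: str):
    """(base DN, filter) for every group whose member attribute names the user's DN."""
    flt = '(&(objectClass=%s)(%s=%s))' % (
        cfg.group_object_class, cfg.group_attribute_name, ldap_filter_escape(user_dn))
    return cfg.group_directory_subtree, flt


@dataclass
class FailoverState:
    """When (seconds on a monotonic clock) the primary last timed out, if at all."""
    primary_failed_at: Optional[float] = None


def record_primary_timeout(state: FailoverState, now: float) -> None:
    """Call when a request to the primary exceeded Server Timeout (Step 17)."""
    state.primary_failed_at = now


def server_order(cfg: CommonLdapConfig, state: FailoverState, now: float) -> List[str]:
    """Order in which the servers are tried at time `now`, modelling Steps 18-19:
    with no secondary configured only the primary is used; after a primary timeout
    the secondary is tried first until the failback delay has elapsed; a delay of 0
    means the primary is always tried first."""
    if not cfg.on_timeout_use_secondary:
        return ['primary']
    if state.primary_failed_at is None or cfg.failback_retry_delay_min == 0:
        return ['primary', 'secondary']
    if now - state.primary_failed_at >= cfg.failback_retry_delay_min * 60:
        state.primary_failed_at = None   # failback: primary is healthy again as far as the model knows
        return ['primary', 'secondary']
    return ['secondary', 'primary']


if __name__ == '__main__':
    cfg = CommonLdapConfig()
    base, flt = user_search(cfg, 'joesmith')        # constructed sample username
    print('user lookup  :', base, flt)
    print('group lookup :', *group_search(cfg, 'uid=joesmith,ou=members,o=example'))
    st = FailoverState()
    record_primary_timeout(st, now=100.0)
    print('2 min after timeout :', server_order(cfg, st, now=220.0))
    print('5 min after timeout :', server_order(cfg, st, now=400.0))
```

The point of `ldap_filter_escape` is that the characters ACS bans in usernames are not the full set that can change the meaning of an LDAP filter: parentheses and the backslash pass the ACS check but must be escaped by anything (a synchronization script, a test harness) that assembles filters from the same usernames.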