Cisco Systems 4.2 manual Uid=joesmith,ou=members,ou=administrators,o=cisco

Page 55

Chapter 3 Configuring New Features in ACS 4.2

RSA Support on the ACS SE

b.In the Port box, type the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing those properties on the LDAP server. If you want to use secure authentication, port 636 is usually used.

c.To specify that ACS should use LDAP version 3 to communicate with your LDAP database, check the LDAP Version check box. If the LDAP Version check box is not checked, ACS uses LDAP version 2.

d.If you want ACS to use SSL to connect to the LDAP server, check the Use secure authentication check box and complete the next three steps. If you do not use SSL, the username and password credentials are normally passed over the network to the LDAP directory in clear text.

e.ACS SE only: If you checked the Use Secure Authentication check box, perform one of the following procedures:. Check the:

Trusted Root CA check box, and in the adjacent drop-down list, choose a Trusted Root CA.

Certificate Database Path check box, and download a cert7.db file.

Note To download a cert7.db certificate database file to ACS now, complete the steps in “Downloading a Certificate Database (Solution Engine Only)” in Chapter 12 of the User Guide for Cisco Secure ACS, 4.2, and then continue with Step f. You can download a certificate database later. Until a certificate database is downloaded for the current LDAP server, secure authentication to this LDAP server fails.

f.ACS for Windows only: If you checked the Use Secure authentication check box, perform one of the following procedures. Click the:

Trusted Root CA radio button, and in the adjacent drop-down list, choose a Trusted Root CA.

Certificate Database Path radio button, and in the adjacent box, type the path to the Netscape cert7.db file, which contains the certificates for the server to be queried and the trusted CA.

g.The Admin DN box requires the fully qualified Distinguished Name (DN) of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory subtree.

In the Admin DN box, type the following information from your LDAP server:

uid=user id,[ou=organizational unit,]

[ou=next organizational unit]o=organization where user id is the username organizational unit is the last level of the tree

next organizational unit is the next level up the tree.

For example:

uid=joesmith,ou=members,ou=administrators,o=cisco

Tip If you are using Netscape DS as your LDAP software, you can copy this information from the Netscape console.

h.In the Password box, type the password for the administrator account that is specified in the Admin DN box. The server determines password case sensitivity.

Step 22 Click Submit.

 

 

Configuration Guide for Cisco Secure ACS 4.2

 

 

 

 

 

 

OL-14390-02

 

 

3-15

 

 

 

 

 

Page 54 Page 56
Image 55
Page 54 Page 56
Contents Americas Headquarters Configuration Guide for Cisco Secure ACSPage N T E N T S Deploying ACS in a NAC/NAP Environment Error Messages Overview Profile Setup Profile Setup Organization AudienceBoldface font ConventionsProduct Documentation ConventionAvailable Formats Related Documentation ACSTroubleshooting.htmlOpenSSL/Open SSL Project License IssuesOpenSSL License Original SSLeay License Summary of Configuration Steps Overview of ACS ConfigurationClick System Configuration Click Interface ConfigurationPeap EAP-FAST EAP-TLS Leap EAP-MD5 Overview of ACS Configuration Summary of Configuration Steps EAP-TLS, SSL Configuration FlowchartOL-14390-02 Determining the Deployment Architecture Deploy the Access Control ServersWired LAN Access Access TypesSize Users Campus LAN Small LAN EnvironmentACS in a Campus LAN Geographically Dispersed Wired LANSimple Wlan Wireless Access TopologyCampus Wlan Regional Wlan Setting 6shows a regional Wlan Large Enterprise Wlan SettingSmall Dial-Up Network Access Dial-up Access TopologySmall Dial-up Network Large Dial-Up Network AccessDetermining How Many ACSs to Deploy Scalability Placement of the Radius ServerNumber of Users LAN Versus WAN Deployment Number of LANs in the Network Number of Network Access ServersWAN Latency and Dependability Database Replication Considerations Configuration components for replication-What is replicatedDeploying ACS Servers to Support Server Failover Load Balancing and FailoverReplication Design Database Synchronization ConsiderationsCisco AAA server product Deploying ACS in a NAC/NAP EnvironmentComponent Description ACSAdditional Topics Remote Access PolicySecurity Policy Administrative Access PolicySeparation of Administrative and General Users Type of Database Database ConsiderationsNetwork Latency and Reliability Number of UsersOL-14390-02 New Global EAP-FAST Configuration Options Configuring New Features in ACSPAC Option DescriptionUse PAC and Do Not Use PAC Options 2shows the new options on the NAP Protocols Disabling NetBIOSClick Internet Protocol TCP/IP and choose Properties Configuring ACS 4.2 Enhanced Logging FeaturesTo disable NetBIOS over TCP/ IP in Windows 2000, XP, or Right-clickMy Network Places and choose PropertiesClick Submit Configuring Group Filtering at the NAP LevelActive Directory Multi-Forest Support Configuring Syslog Time Format in ACSCheck the Disable Dynamic users check box Option to Not Log or Store Dynamic UsersRSA Support on the ACS SE Click Database ConfigurationClick Submit and Restart Click Upload scconf.rec Click Create New ConfigurationClick Configure Click RSA SecureID Token ServerField FTP Server Login Password DirectoryExternal User Databases Configuration page opens Purging the RSA Node Secret FileClick RSA SecurID Token and Ldap Group Mapping Configuring RSA SecurID Token and Ldap Group MappingClick Configure Ldap Click Purge Node SecretChoose Process all usernames RSA SecurID Token and Ldap Group Mapping ConfigurationConfiguring New Features in ACS RSA Support on the ACS SE Configuring New Features in ACS RSA Support on the ACS SE Uid=joesmith,ou=members,ou=administrators,o=cisco Turning Ping On and Off ACS 4.2 provides enhanced support for Rdbms Synchronization New Rdbms Synchronization Features in ACS ReleaseCheck the Rdbms Synchronization check box Using Rdbms Synchronization to Configure dACLsEnable dACLs Create a Text File to Define the dACLsCode the information in the file as described in Table Example 4-1shows a sample text fileKeyword Value Example 4-2shows a sample accountActions CSV file Sample accountActions CSV FileAction Code Name Required Description Configure Rdbms Synchronization to Use a Local CSV FileClick Rdbms Synchronization Rdbms Synchronization Setup Page ACS for Windows Configuration Guide for Cisco Secure ACS OL-14390-02 ACS for Windows Perform Rdbms SynchronizationRunning Rdbms Synchronization from the ACS GUI Running CSDBSync Manually to Create the dACLsView the dACLs Performing Rdbm Synchronization Using a ScriptEntry for the Sample dACL Explanation Error MessagesNAF Reading, Updating, and Deleting dACLs User has write access to the ACSOn the ACS is configured correctly Enabled correctly in the ACS GUIDeletedacl UpdatedaclReaddacl DaclreplaceDeleteuserdacl Ungn Updateuserdacl UNGN, VNCreating, Reading, Updating and Deleting AAA clients UpdatenasReadnas OL-14390-02 Password Policy Configuration Scenario Add and Edit a New Administrator Account Administration Control Privileges that you want to grant Configure Password PolicyServer 4.2, Administrators and Administrative Policy To specify password restrictionsAdministrator Password Policy Setup Password Inactivity Options Specify Password Validation OptionsSpecify Password Lifetime Options Password Lifetime OptionsIncorrect Password Attempt Options section, configure Configure Session PolicySpecify Password Inactivity Options Specify Incorrect Password Attempt OptionsSession Policy Setup Before You Begin Configure Access PolicyClick Access Policy Access Policy Setup page appears, as shown in FigureClick the appropriate IP Address Filtering option Access Policy SetupMust differ only in the last octet Class C format IP Address Ranges table contains ten rows for configuringIP address ranges. The ranges are always inclusive that is, Range includes the Start and End IP addressesDisplays an error Viewing Administrator Entitlement ReportsConfiguration ACS Certificate Setup to access Installation process. With SSL enabled, ACS begins usingClick Entitlement Reports View Privilege ReportsOL-14390-02 Overview of Agentless Host Support Agentless Host Support Configuration Scenario1shows the flow of MAB information Using Audit Servers and Game Group FeedbackSee Configure a Radius AAA Client, page 6-5for details Configure a Radius AAA clientInstall ACS Basic Configuration Steps for Agentless Host SupportConfigure a Radius AAA Client Click Submit + Apply Install and Set Up an ACS Security CertificateGo to selecteddrive\Certs Obtain Certificates and Copy Them to the ACS HostClick Submit Enable Security Certificates on the ACS InstallationSelect Install Certificate Click ACS Certificate Setup Click Install ACS CertificateTo install the CA Certificate Install the CA CertificateAdd a Trusted Certificate Configure an External Ldap Database for MAB Support Configure Ldap Support for MABCreate one or more Ldap database configurations in ACS 802.1x device n 802.1x device n+1 Description of the Settings in the Sample Ldap SchemaHow the Ldap User Groups Work How the Subtrees Work1describes the attributes of the sample Ldap groups Create One or More Ldap Database Configurations in ACSClick Generic Ldap 6shows the Common Ldap Configuration section Specify the common Ldap configurationOL-14390-02 ACS SE Only Ldap Server Configuration SectionsConfigure User Groups for MAB Segments Create a New NAP Enable Agentless Request ProcessingClick Add Profile Profile Setup Profile Setup page opens, shown in FigureYou are now ready to enable agentless request processing Enable Agentless Request Processing for a NAPCheck the check box for Allow Agentless Request Processing You are now ready to configure MAB settings Configure MAB13 MAC Address Input Area Click Internal ACS DBConfiguring Reports for MAB Processing Configure Logging and ReportsConfigure Game Group Feedback Configuration Steps for Audit Server SupportSpecify EAP-TLS options Configure Security CertificatesTo configure PEAP-TLS Configure security certificates Configure global authentication settingsObtain Certificates and Copy Them to the ACS Host Enable Security Certificates on the ACS Installation Add a Trusted Certificate Install the CA CertificateClick Global Authentication Setup Configure Global Authentication SettingsGlobal Authentication Setup page opens, as shown in Figure Specify EAP-TLS Options Optional Configure Authentication PolicyEAPMSCHAP2 EAP-GTC Logging page opens, shown in Figure Configuring Syslog LoggingOverview Click LoggingLogging Configuration Enable Logging Facility Codes Format of Syslog Messages in ACS ReportsMessage Length Restrictions OL-14390-02 Install ACS NAC Configuration ScenarioThis section describes Perform Network Configuration TasksAdd AAA Client Configure the AAA Server Click Submit and Apply Set Up System ConfigurationThis section describes the following tasks Click ACS Certificate Setup Set Up the ACS Certification AuthorityClick ACS Certification Authority Setup Edit the Certificate Trust List Choose ACS Certificate Setup Edit Certificate Trust ListClick the Read certificate from file radio button Set Up Global ConfigurationInstall the ACS Certificate Install ACS Certificate page opens, as shown in FigureGlobal Authentication Setup Page appears, as shown in Figure Set Up Global AuthenticationGlobal Authentication Setup Click Submit + Restart Allow EAP-MSCHAPv2Allow EAP-GTC Allow Posture ValidationClick EAP-FAST Configuration Set Up EAP-FAST ConfigurationEAP Fast Configuration page appears, as shown in Figure -8, this is ACS NAC Server. However, this can be any string Check the Allow EAP-FASTcheck boxProvisioning check boxes Configure Logs and Reports Configure the Logging LevelClick Service Control Check the Log to CSV Passed Authentications Report check box Check the Log to CSV Radius Accounting Report check box Add Administrator page opens, as shown in Figure Set Up Administration ControlAdd Remote Administrator Access Click Add Administrator10 Add Administrator Click Grant All Configure Network Access Filtering Optional Set Up Shared Profile ComponentsClick Network Access Filtering 11 Edit Network Access Filtering Configure Downloadable IP ACLsList of dACLs appears, as shown in Figure Adding an ACLTo add a new ACL Choose Shared Profile Components Downloadable IP ACLs13 Downloadable IP ACLs Adding an ACE14 Downloadable IP ACL Content Saving the dACL Configure Radius Authorization ComponentsNew ACL appears on the list of downloadable ACLs 16 Radius Authorization Components Click Radius Authorization Components17 RAC Attribute Add/Edit 18 Attribute Selection for the CiscoFullAccess RAC 19 Attribute Selection for the CiscoRestricted RAC Number Attribute Name Description AttributeACL Add the Posture Attribute to the ACS Dictionary Configure an External Posture Validation Audit ServerClick Add Server Configure the External Posture Validation Audit Server20 External Posture Validation Audit Server Setup 21 Use These Audit Servers Section Configure Internal Posture Validation Policies Configure Posture Validation for NACClick Add Rule Click Internal Posture Validation SetupAdd/Edit Condition page appears, as shown in Figure Click Add Condition Set26 Edit External Posture Validation Servers Configure External Posture Validation Policies27 Add/Edit External Posture Validation Server Configure an External Posture Validation Audit Server 28 External Posture Validation Audit Server Setup 29 Use These Audit Servers Section 30 Audit Flow Settings and Game Group Feedback Sections Authorization Policy and NAC AuditEAP-FAST GTC Set Up Templates to Create NAPsSample NAC Profile Templates Sample NAC Layer 3 Profile Template31 Create Profile From Template Profile Setup32 Profile Setup Page for Layer 3 NAC Template Protocols Policy for the NAC Layer 3 Template EAP Configuration section, Posture Validation is enabled34 Authentication Page for Layer 3 NAC Profile Template Authentication PolicySample Posture Validation Rule Sample NAC Layer 2 TemplateFrom the Template drop-down list, choose NAC L2 IP Go to Network Access Profiles To enable the profile setup36 Profile Setup Page for NAC Layer 2 Template ACS and Attribute-Value Pairs Default ACLs37shows the Protocols settings for the NAC Layer 2 template Protocols Settings38 Authentication Settings for NAC Layer 2 Template 39 Sample Posture Validation Policy for NAC Layer 2 Template Sample NAC Layer 2 802.1x Template40 Create Profile From Template 41 Profile Setup Page for NAC Layer 2 802.1x Template Protocols Policy 42 Protocols Setting for NAC Layer 802.1x TemplateAuthorization Policy Sample Wireless NAC L2 802.1x Template 45 Create Profile From Template 46 Profile Setup Page for Wireless NAC L2 802.1xTemplate 47 Protocols Setting for Wireless NAC 802.1x Template Authorization Policy Using a Sample Agentless Host Template 50 Create Profile From Template Profile Setup 52 Protocols Setting for Agentless Host for Layer 3 Template Enter a Name for the rule Choose Network Access ProfilesMap Posture Validation Components to Profiles Choose the relevant profile Posture Validation policyClick Apply + Restart Click Back to return to the Posture Validation policyClick Select Audit Check the Do not reject when Audit failed check boxMap an Audit Server to a Profile Check the Allow Agentless Request Processing check boxConfigure an external audit server Optional Configure Game Group FeedbackClick Apply and Restart Import a Device-Type Attribute File by Using CSUtil Import an Audit Vendor File by Using CSUtilImport NAC Attribute-Value Pairs Restart ACS Navigation bar, click System Configuration Configure Database Support for Agentless Host ProcessingEnable Posture Validation Configure an External Audit Server\ACSInstallDir\bin\CSUtil -addAVP filename 56 External Posture Validation Audit Server Setup 57 Use These Audit Servers Section 58 Audit Flow Settings and Game Group Feedback Sections ACS Solution Engine Enable Game Group FeedbackMac Integrated Device UnixPDA Posture-validation server Being authenticatedAuthentication agent installed, such as Cisco Trust Agent Resource usageGL-2 Authenticate the device, instead of using an IP addressGL-3 Microsoft, and RSA Security submitted to the Ietf Network accessRadius Attribute Component Adduser Updatenas UpdateuserdaclACE Configuring audit flow settings for 9-35,9-43,9-78 Audit servers ConfiguringCA certificate Installing Createuserdacl DeleteuserdaclNAP Layer 2 NAC 802.1x template Configuring new features in ACS 4.2ACS configuration for Specifying Certificate Binary Comparison forNAC L2 IP NetbiosNAC NAC/NAPRSA ReliabilityReaddacl Readnas Reading dACLs Regional Wlan Related documentationSecurity policies Security protocols Using Windows Certificate Import WizardInstalling the CA certificate Purging Node Secret file purging Sarbanes-OxleySignificance Windows Certificate Import Wizard
Related manuals
Manual 94 pages 10.59 Kb Manual 34 pages 46.13 Kb

4.2 specifications

Cisco Systems, a global leader in IT and networking solutions, has consistently evolved to meet the demands of modern enterprises. One of its noteworthy offerings is Cisco Systems 4.2, a version that embodies a significant leap in networking technology and capability. With its rich set of features, Cisco Systems 4.2 caters to a wide range of industries, facilitating enhanced performance and security.

One of the main features of Cisco Systems 4.2 is its improved scalability. The architecture has been designed to support an ever-increasing number of devices and users, making it ideal for growing enterprises. The enhanced scalability allows organizations to expand their network capacities without compromising performance, ensuring seamless integration of new technologies and devices.

Another critical aspect of Cisco Systems 4.2 is its advanced security protocols. With cyber threats constantly evolving, Cisco prioritizes security in this version by offering robust features such as end-to-end encryption, improved firewall capabilities, and enhanced intrusion detection systems. These security enhancements provide organizations with peace of mind, knowing that their sensitive data and networks are well-protected from unauthorized access and potential threats.

Cisco Systems 4.2 also introduces intelligent automation features, which significantly streamline network management. Through the use of artificial intelligence and machine learning, Cisco enables organizations to automate routine tasks, reduce human error, and optimize performance. This automation not only enhances efficiency but also allows IT teams to focus on strategic initiatives rather than day-to-day maintenance.

Moreover, Cisco Systems 4.2 emphasizes infrastructure flexibility. The new architecture supports various deployment models, including on-premises, cloud, and hybrid environments. This flexibility enables organizations to adapt their networking strategies according to their specific needs and operational requirements, facilitating a more tailored approach to IT infrastructure.

Collaboration tools have also been enhanced in this version. Cisco Systems 4.2 integrates advanced communication solutions that empower teams to collaborate in real time, regardless of their geographical location. Features such as high-definition video conferencing, secure messaging, and file sharing enhance productivity and foster innovation across teams.

In summary, Cisco Systems 4.2 stands out as a forward-thinking networking solution with key features such as scalability, advanced security, intelligent automation, flexible infrastructure, and enhanced collaboration tools. These characteristics position Cisco Systems 4.2 as an invaluable asset for enterprises striving for digital transformation in an increasingly interconnected world. The ongoing innovation reflects Cisco's commitment to delivering cutting-edge technology solutions that drive business success and resilience.
Top Page Image Contents