
Chapter 6 Agentless Host Support Configuration Scenario


GAME group feedback adds a second check to MAC address authentication: ACS assigns a device-type categorization to the device by mapping its MAC address to a user group, and that categorization is then compared against the device information stored in a database on an audit server.

To use the GAME group feedback feature, you must add a NAC attribute-value pair to the ACS RADIUS dictionary before configuring a posture validation policy that uses GAME group feedback.

You then configure a posture validation policy in a NAP that requests device type authentication from the audit server. For details on configuring posture validation, see Enable Posture Validation, page 7-46.

The detailed steps for configuring GAME group feedback are described in Enable GAME Group Feedback, page 7-46 in Chapter 9, “NAC Configuration Scenario.”

Summary of Configuration Steps

To configure agentless host support in ACS:

Step 1 Install ACS for Windows or ACS Solution Engine (ACS SE).

See Step 1: Install ACS, page 6-4 for details.

Step 2 Configure a RADIUS AAA client.

See Step 2: Configure a RADIUS AAA Client, page 6-5 for details.

Configure restrictions on the admin user password.

Step 3 Install and set up an ACS security certificate:

Note This step is required to enable posture validation and Network Access Profiles.

a. Obtain certificates and copy them to the ACS host.

b. Run the Windows certificate import wizard to install the certificate.

c. Enable security certificates on the ACS installation.

d. Install the CA certificate.

e. Add a trusted certificate.

See Step 3: Install and Set Up an ACS Security Certificate, page 6-6 for details.

Step 4 Configure LDAP support for MAB:

a. Configure an external LDAP database for MAB support.

b. Create one or more LDAP database configurations in ACS.

See Step 4: Configure LDAP Support for MAB, page 6-10 for details.

Step 5 Configure user groups for MAB segments.

See Step 5: Configure User Groups for MAB Segments, page 6-17 for details.

Step 6 Enable agentless request processing:

a. Create a new Network Access Profile.

b. Enable agentless host processing for the profile.

c. Configure MAB.

See Step 6: Enable Agentless Request Processing, page 6-18 for details.

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

6-3
