Cisco Systems 4.2 manual (214 pages, 3 MB)
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Configuration Guide for Cisco Secure ACS 4.2
February 2008
Text Part Number: OL-14390-02
Contents
Preface
Audience
Organization
Conventions
Product Documentation
Related Documentation
Obtaining Documentation and Submitting a Service Request
Notices
OpenSSL/Open SSL Project
License Issues
Overview of ACS Configuration
Configuration Flowchart
Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration.
Deploy the Access Control Servers
Determining the Deployment Architecture
Access Types
Wired LAN Access
Wireless Access Topology
Dial-up Access Topology
Placement of the RADIUS Server
Determining How Many ACSs to Deploy (Scalability)
Number of Users
Number of Network Access Servers
LAN Versus WAN Deployment (Number of LANs in the Network)
WAN Latency and Dependability
Determining How Many ACS Servers to Deploy in Wireless Networks
Deploying ACS Servers to Support Server Failover
Load Balancing and Failover
Database Replication Considerations
Replication Design
Database Synchronization Considerations
Deploying ACS in a NAC/NAP Environment
Additional Topics
Remote Access Policy
Security Policy
Administrative Access Policy
Separation of Administrative and General Users
Database Considerations
Number of Users
Type of Database
Network Latency and Reliability
Configuring New Features in ACS 4.2
New Global EAP-FAST Configuration Options
Disabling NetBIOS
Configuring ACS 4.2 Enhanced Logging Features
Configuring Group Filtering at the NAP Level
Option to Not Log or Store Dynamic Users
Active Directory Multi-Forest Support
Configuring Syslog Time Format in ACS 4.2
RSA Support on the ACS SE
Purging the RSA Node Secret File
Configuring RSA SecurID Token and LDAP Group Mapping
Turning Ping On and Off
Using RDBMS Synchronization to Create dACLs and Specify Network Configuration
New RDBMS Synchronization Features in ACS Release 4.2
Using RDBMS Synchronization to Configure dACLs
Step 1: Enable dACLs
Step 2: Create a Text File to Define the dACLs
Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL
Sample accountActions CSV File
Step 4: Configure RDBMS Synchronization to Use a Local CSV File
Step 5: Perform RDBMS Synchronization
Running RDBMS Synchronization from the ACS GUI
Running CSDBSync Manually to Create the dACLs
Performing RDBMS Synchronization Using a Script
Step 6: View the dACLs
Error Messages
Reading, Updating, and Deleting dACLs
Updating or Deleting dACL Associations with Users or Groups
Using RDBMS Synchronization to Specify Network Configuration
Creating, Reading, Updating and Deleting AAA clients
Password Policy Configuration Scenario
Limitation on Ability of the Administrator to Change Passwords
Step 1: Add and Edit a New Administrator Account
Step 2: Configure Password Policy
Specify Password Validation Options
Specify Password Lifetime Options
Specify Password Inactivity Options
Specify Incorrect Password Attempt Options
Step 3: Configure Session Policy
Step 4: Configure Access Policy
Viewing Administrator Entitlement Reports
View Privilege Reports
Agentless Host Support Configuration Scenario
Overview of Agentless Host Support
Using Audit Servers and GAME Group Feedback
Basic Configuration Steps for Agentless Host Support
Step 1: Install ACS
Step 2: Configure a RADIUS AAA Client
Step 3: Install and Set Up an ACS Security Certificate
Obtain Certificates and Copy Them to the ACS Host
Run the Windows Certificate Import Wizard to Install the Certificate (ACS for Windows)
Enable Security Certificates on the ACS Installation
Install the CA Certificate
Add a Trusted Certificate
Step 4: Configure LDAP Support for MAB
Configure an External LDAP Database for MAB Support
Description of the Settings in the Sample LDAP Schema
Figure 6-5 shows the tree structure of the LDAP schema that is presented in Example 6-1.
Figure 6-5 Tree Structure for a MAB Support LDAP Schema
Create One or More LDAP Database Configurations in ACS
Step 5: Configure User Groups for MAB Segments
Step 6: Enable Agentless Request Processing
Create a New NAP
Enable Agentless Request Processing for a NAP
Configure MAB
Step 7: Configure Logging and Reports
Configuring Reports for MAB Processing
Configuration Steps for Audit Server Support
Configure GAME Group Feedback
PEAP/EAP-TLS Configuration Scenario
Step 1: Configure Security Certificates
Obtain Certificates and Copy Them to the ACS Host
Run the Windows Certificate Import Wizard to Install the Certificate
Enable Security Certificates on the ACS Installation
Install the CA Certificate
Add a Trusted Certificate
Step 2: Configure Global Authentication Settings
Step 3: Specify EAP-TLS Options
Step 4: (Optional) Configure Authentication Policy
Syslog Logging Configuration Scenario
Overview
Configuring Syslog Logging
Format of Syslog Messages in ACS Reports
Facility Codes
Message Length Restrictions
NAC Configuration Scenario
Step 1: Install ACS
Step 2: Perform Network Configuration Tasks
Configure a RADIUS AAA Client
Configure the AAA Server
Step 3: Set Up System Configuration
Install and Set Up an ACS Security Certificate
Obtain Certificates and Copy Them to the ACS Host
Set Up the ACS Certification Authority
Edit the Certificate Trust List
Install the CA Certificate
Install the ACS Certificate
Set Up Global Configuration
Set Up Global Authentication
Set Up EAP-FAST Configuration
Configure the Logging Level
Configure Logs and Reports
Step 4: Set Up Administration Control
Add Remote Administrator Access
Step 5: Set Up Shared Profile Components
Configure Network Access Filtering (Optional)
Configure Downloadable IP ACLs
Adding an ACL
Adding an ACE
Saving the dACL
Configure RADIUS Authorization Components
Step 6: Configure an External Posture Validation Audit Server
Step 7: Configure Posture Validation for NAC
Configure Internal Posture Validation Policies
Configure External Posture Validation Policies
Configure an External Posture Validation Audit Server
Authorization Policy and NAC Audit
Step 8: Set Up Templates to Create NAPs
Sample NAC Profile Templates
Sample NAC Layer 3 Profile Template
Protocols Policy for the NAC Layer 3 Template
Sample NAC Layer 2 Template
Protocols Settings
Sample NAC Layer 2 802.1x Template
Authorization Policy
Sample Wireless (NAC L2 802.1x) Template
Authorization Policy
Using a Sample Agentless Host Template
Step 9: Map Posture Validation Components to Profiles
Step 10: Map an Audit Server to a Profile
Step 11 (Optional): Configure GAME Group Feedback
Import an Audit Vendor File by Using CSUtil
Import a Device-Type Attribute File by Using CSUtil
Import NAC Attribute-Value Pairs
Configure Database Support for Agentless Host Processing
Enable Posture Validation
Configure an External Audit Server
Configure an External Posture Validation Audit Server
Enable GAME Group Feedback
GLOSSARY
INDEX