Americas Headquarters
Configuration Guide for Cisco Secure ACS
CONTENTS
Deploying ACS in a NAC/NAP Environment
Error Messages
Overview
Profile Setup
Organization
Audience
Product Documentation
Conventions
Convention
Boldface font
Available Formats
Related Documentation
ACSTroubleshooting.html
OpenSSL License
License Issues
OpenSSL/Open SSL Project
Original SSLeay License
Summary of Configuration Steps
Overview of ACS Configuration
Click System Configuration
Click Interface Configuration
PEAP EAP-FAST EAP-TLS LEAP EAP-MD5
EAP-TLS, SSL
Configuration Flowchart
OL-14390-02
Determining the Deployment Architecture
Deploy the Access Control Servers
Size Users
Access Types
Wired LAN Access
Campus LAN
Small LAN Environment
ACS in a Campus LAN
Geographically Dispersed Wired LAN
Simple WLAN
Wireless Access Topology
Campus WLAN
Regional WLAN Setting
6 shows a regional WLAN
Large Enterprise WLAN Setting
Small Dial-Up Network Access
Dial-up Access Topology
Small Dial-up Network
Large Dial-Up Network Access
Number of Users
Placement of the RADIUS Server
Determining How Many ACSs to Deploy Scalability
WAN Latency and Dependability
Number of Network Access Servers
LAN Versus WAN Deployment Number of LANs in the Network
Deploying ACS Servers to Support Server Failover
Configuration components for replication-What is replicated
Load Balancing and Failover
Database Replication Considerations
Replication Design
Database Synchronization Considerations
Component Description
Deploying ACS in a NAC/NAP Environment
ACS
Cisco AAA server product
Additional Topics
Remote Access Policy
Security Policy
Administrative Access Policy
Separation of Administrative and General Users
Network Latency and Reliability
Database Considerations
Number of Users
Type of Database
New Global EAP-FAST Configuration Options
Configuring New Features in ACS
PAC
Option Description
Use PAC and Do Not Use PAC Options
2 shows the new options on the NAP Protocols
Disabling NetBIOS
To disable NetBIOS over TCP/IP in Windows 2000, XP, or
Configuring ACS 4.2 Enhanced Logging Features
Right-click My Network Places and choose Properties
Click Internet Protocol TCP/IP and choose Properties
Click Submit
Configuring Group Filtering at the NAP Level
Check the Disable Dynamic users check box
Configuring Syslog Time Format in ACS
Option to Not Log or Store Dynamic Users
Active Directory Multi-Forest Support
Click Submit and Restart
Click Database Configuration
RSA Support on the ACS SE
Click Configure
Click Create New Configuration
Click RSA SecurID Token Server
Click Upload scconf.rec
External User Databases Configuration page opens
FTP Server Login Password Directory
Purging the RSA Node Secret File
Field
Click Configure LDAP
Configuring RSA SecurID Token and LDAP Group Mapping
Click Purge Node Secret
Click RSA SecurID Token and LDAP Group Mapping
Choose Process all usernames
RSA SecurID Token and LDAP Group Mapping Configuration
Uid=joesmith,ou=members,ou=administrators,o=cisco
Turning Ping On and Off
ACS 4.2 provides enhanced support for RDBMS Synchronization
New RDBMS Synchronization Features in ACS Release
Enable dACLs
Using RDBMS Synchronization to Configure dACLs
Create a Text File to Define the dACLs
Check the RDBMS Synchronization check box
Keyword Value
Example 4-1 shows a sample text file
Code the information in the file as described in Table
Example 4-2 shows a sample accountActions CSV file
Sample accountActions CSV File
Click RDBMS Synchronization
Configure RDBMS Synchronization to Use a Local CSV File
Action Code Name Required Description
RDBMS Synchronization Setup Page (ACS for Windows)
Running RDBMS Synchronization from the ACS GUI
Perform RDBMS Synchronization
Running CSDBSync Manually to Create the dACLs
ACS for Windows
View the dACLs
Performing RDBMS Synchronization Using a Script
Entry for the Sample dACL
NAF
Error Messages
Explanation
On the ACS is configured correctly
User has write access to the ACS
Enabled correctly in the ACS GUI
Reading, Updating, and Deleting dACLs
Readdacl
Updatedacl
Daclreplace
Deletedacl
Deleteuserdacl UNGN
Updateuserdacl UNGN, VN
Readnas
Updatenas
Creating, Reading, Updating and Deleting AAA clients
Password Policy Configuration Scenario
Add and Edit a New Administrator Account
Administration Control
Server 4.2, Administrators and Administrative Policy
Configure Password Policy
To specify password restrictions
Privileges that you want to grant
Administrator Password Policy Setup
Specify Password Lifetime Options
Specify Password Validation Options
Password Lifetime Options
Password Inactivity Options
Specify Password Inactivity Options
Configure Session Policy
Specify Incorrect Password Attempt Options
Incorrect Password Attempt Options section, configure
Session Policy Setup
Click Access Policy
Configure Access Policy
Access Policy Setup page appears, as shown in Figure
Before You Begin
Click the appropriate IP Address Filtering option
Access Policy Setup
IP address ranges. The ranges are always inclusive, that is,
IP Address Ranges table contains ten rows for configuring
Range includes the Start and End IP addresses
Must differ only in the last octet (Class C format)
Configuration ACS Certificate Setup to access
Viewing Administrator Entitlement Reports
Installation process. With SSL enabled, ACS begins using
Displays an error
Click Entitlement Reports
View Privilege Reports
Overview of Agentless Host Support
Agentless Host Support Configuration Scenario
1 shows the flow of MAB information
Using Audit Servers and GAME Group Feedback
See Configure a RADIUS AAA Client, page 6-5 for details
Configure a RADIUS AAA client
Install ACS
Basic Configuration Steps for Agentless Host Support
Configure a RADIUS AAA Client
Click Submit + Apply
Install and Set Up an ACS Security Certificate
Go to selected drive\Certs
Obtain Certificates and Copy Them to the ACS Host
Select Install Certificate
Enable Security Certificates on the ACS Installation
Click ACS Certificate Setup
Click Install ACS Certificate
Click Submit
Add a Trusted Certificate
Install the CA Certificate
To install the CA Certificate
Create one or more LDAP database configurations in ACS
Configure LDAP Support for MAB
Configure an External LDAP Database for MAB Support
Description of the Settings in the Sample LDAP Schema
How the LDAP User Groups Work
How the Subtrees Work
Click Generic LDAP
Create One or More LDAP Database Configurations in ACS
1 describes the attributes of the sample LDAP groups
6 shows the Common LDAP Configuration section
Specify the common LDAP configuration
ACS SE Only
LDAP Server Configuration Sections
Configure User Groups for MAB Segments
Click Add Profile
Enable Agentless Request Processing
Create a New NAP
Profile Setup
Profile Setup page opens, shown in Figure
Check the check box for Allow Agentless Request Processing
Enable Agentless Request Processing for a NAP
You are now ready to enable agentless request processing
You are now ready to configure MAB settings
Configure MAB
13 MAC Address Input Area
Click Internal ACS DB
Configuring Reports for MAB Processing
Configure Logging and Reports
Configure GAME Group Feedback
Configuration Steps for Audit Server Support
To configure PEAP-TLS Configure security certificates
Configure Security Certificates
Configure global authentication settings
Specify EAP-TLS options
Obtain Certificates and Copy Them to the ACS Host
Enable Security Certificates on the ACS Installation
Add a Trusted Certificate
Install the CA Certificate
Global Authentication Setup page opens, as shown in Figure
Configure Global Authentication Settings
Click Global Authentication Setup
EAP-MSCHAPv2 EAP-GTC
Optional Configure Authentication Policy
Specify EAP-TLS Options
Overview
Configuring Syslog Logging
Click Logging
Logging page opens, shown in Figure
Logging Configuration
Enable Logging
Facility Codes
Format of Syslog Messages in ACS Reports
Message Length Restrictions
Install ACS
NAC Configuration Scenario
This section describes
Perform Network Configuration Tasks
Add AAA Client
Configure the AAA Server
This section describes the following tasks
Set Up System Configuration
Click Submit and Apply
Click ACS Certification Authority Setup
Set Up the ACS Certification Authority
Click ACS Certificate Setup
Edit the Certificate Trust List
Choose ACS Certificate Setup > Edit Certificate Trust List
Install the ACS Certificate
Set Up Global Configuration
Install ACS Certificate page opens, as shown in Figure
Click the Read certificate from file radio button
Global Authentication Setup Page appears, as shown in Figure
Set Up Global Authentication
Global Authentication Setup
Allow EAP-GTC
Allow EAP-MSCHAPv2
Allow Posture Validation
Click Submit + Restart
EAP Fast Configuration page appears, as shown in Figure
Set Up EAP-FAST Configuration
Click EAP-FAST Configuration
Provisioning check boxes
Check the Allow EAP-FAST check box
-8, this is ACS NAC Server. However, this can be any string
Click Service Control
Configure the Logging Level
Configure Logs and Reports
Check the Log to CSV Passed Authentications Report check box
Check the Log to CSV RADIUS Accounting Report check box
Add Remote Administrator Access
Set Up Administration Control
Click Add Administrator
Add Administrator page opens, as shown in Figure
10 Add Administrator
Click Grant All
Click Network Access Filtering
Set Up Shared Profile Components
Configure Network Access Filtering Optional
11 Edit Network Access Filtering
Configure Downloadable IP ACLs
To add a new ACL
Adding an ACL
Choose Shared Profile Components > Downloadable IP ACLs
List of dACLs appears, as shown in Figure
13 Downloadable IP ACLs
Adding an ACE
14 Downloadable IP ACL Content
New ACL appears on the list of downloadable ACLs
Configure RADIUS Authorization Components
Saving the dACL
16 RADIUS Authorization Components
Click RADIUS Authorization Components
17 RAC Attribute Add/Edit
18 Attribute Selection for the CiscoFullAccess RAC
19 Attribute Selection for the CiscoRestricted RAC
ACL
Attribute
Number Attribute Name Description
Add the Posture Attribute to the ACS Dictionary
Configure an External Posture Validation Audit Server
Click Add Server
Configure the External Posture Validation Audit Server
20 External Posture Validation Audit Server Setup
21 Use These Audit Servers Section
Configure Internal Posture Validation Policies
Configure Posture Validation for NAC
Click Add Rule
Click Internal Posture Validation Setup
Add/Edit Condition page appears, as shown in Figure
Click Add Condition Set
26 Edit External Posture Validation Servers
Configure External Posture Validation Policies
27 Add/Edit External Posture Validation Server
Configure an External Posture Validation Audit Server
28 External Posture Validation Audit Server Setup
29 Use These Audit Servers Section
30 Audit Flow Settings and GAME Group Feedback Sections
Authorization Policy and NAC Audit
Sample NAC Profile Templates
Set Up Templates to Create NAPs
Sample NAC Layer 3 Profile Template
EAP-FAST GTC
31 Create Profile From Template
Profile Setup
32 Profile Setup Page for Layer 3 NAC Template
Protocols Policy for the NAC Layer 3 Template
EAP Configuration section, Posture Validation is enabled
34 Authentication Page for Layer 3 NAC Profile Template
Authentication Policy
From the Template drop-down list, choose NAC L2 IP
Sample NAC Layer 2 Template
Sample Posture Validation Rule
Go to Network Access Profiles
To enable the profile setup
36 Profile Setup Page for NAC Layer 2 Template
ACS and Attribute-Value Pairs
Default ACLs
37 shows the Protocols settings for the NAC Layer 2 template
Protocols Settings
38 Authentication Settings for NAC Layer 2 Template
39 Sample Posture Validation Policy for NAC Layer 2 Template
Sample NAC Layer 2 802.1x Template
40 Create Profile From Template
41 Profile Setup Page for NAC Layer 2 802.1x Template
Protocols Policy
42 Protocols Setting for NAC Layer 802.1x Template
Authorization Policy
Sample Wireless NAC L2 802.1x Template
45 Create Profile From Template
46 Profile Setup Page for Wireless NAC L2 802.1x Template
47 Protocols Setting for Wireless NAC 802.1x Template
Authorization Policy
Using a Sample Agentless Host Template
50 Create Profile From Template
Profile Setup
52 Protocols Setting for Agentless Host for Layer 3 Template
Map Posture Validation Components to Profiles
Choose Network Access Profiles
Choose the relevant profile Posture Validation policy
Enter a Name for the rule
Click Apply + Restart
Click Back to return to the Posture Validation policy
Map an Audit Server to a Profile
Check the Do not reject when Audit failed check box
Check the Allow Agentless Request Processing check box
Click Select Audit
Click Apply and Restart
Optional Configure GAME Group Feedback
Configure an external audit server
Import NAC Attribute-Value Pairs
Import an Audit Vendor File by Using CSUtil
Import a Device-Type Attribute File by Using CSUtil
Enable Posture Validation
Configure Database Support for Agentless Host Processing
Configure an External Audit Server
Restart ACS
In the navigation bar, click System Configuration
\ACSInstallDir\bin\CSUtil -addAVP filename
56 External Posture Validation Audit Server Setup
57 Use These Audit Servers Section
58 Audit Flow Settings and GAME Group Feedback Sections
ACS Solution Engine
Enable GAME Group Feedback
PDA
Unix
Mac Integrated Device
Authentication agent installed, such as Cisco Trust Agent
Being authenticated
Resource usage
Posture-validation server
Authenticate the device, instead of using an IP address
RADIUS Attribute Component
Network access
Microsoft, and RSA Security submitted to the IETF
ACE
Updatenas
Updateuserdacl
Adduser
CA certificate Installing
Audit servers Configuring
Configuring audit flow settings for 9-35, 9-43, 9-78
NAP
Deleteuserdacl
Createuserdacl
ACS configuration for
Configuring new features in ACS 4.2
Specifying Certificate Binary Comparison for
Layer 2 NAC 802.1x template
NAC
NetBIOS
NAC/NAP
NAC L2 IP
Readdacl
Readnas
Reliability
Reading dACLs
Regional WLAN
Related documentation
RSA
Installing the CA certificate
Using Windows Certificate Import Wizard
Purging Node Secret file
Sarbanes-Oxley
Security policies
Security protocols
Significance
Windows Certificate Import Wizard