Manuals / Cisco Systems / Computer Equipment / Network Card

Cisco Systems 4.2 manual Turning Ping On and Off

Models: 4.2

1 214

Download 214 pages 55.15 Kb

Page 56

Chapter 3 Configuring New Features in ACS 4.2

Turning Ping On and Off

Note ACS saves the generic LDAP configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication.

Turning Ping On and Off

With ACS 4.2, you can enable and disable pinging of the ACS SE device. Prior to release 4.2, when remote devices sent a ping request to an SE device, the ping was always rejected because, by default, the Cisco Security Agent (CSA) runs on the ACS SE device. CSA automatically rejects remote ping requests.

ACS 4.2 provides software patches for you to turn ping on and off by updating the policies in the CSA:

•Ping Turn On Patch—This patch turns on the ping option in the CSA, which makes it possible to ping the ACS SE.

•Ping Turn Off Patch—This patch turns off the ping option in the CSA, which causes the ACS SE to reject pings.

For detailed information on installing these patches, see “Turning Ping On and Off” in Chapter 3 of the the Installation Guide for Cisco Secure ACS Solution Engine, 4.2, “Installing and Configuring Cisco Secure ACS Solution Engine 4.2.”

	Configuration Guide for Cisco Secure ACS 4.2
3-16	OL-14390-02

Image 56

Cisco Systems 4.2 manual Turning Ping On and Off

Contents

Configuration Guide for Cisco Secure ACS Americas HeadquartersPage N T E N T S Deploying ACS in a NAC/NAP Environment Error Messages Overview Profile Setup Profile Setup Audience OrganizationConventions Product DocumentationConvention Boldface fontAvailable Formats ACSTroubleshooting.html Related DocumentationOpenSSL License License IssuesOpenSSL/Open SSL Project Original SSLeay License Overview of ACS Configuration Summary of Configuration StepsClick Interface Configuration Click System ConfigurationPeap EAP-FAST EAP-TLS Leap EAP-MD5 Overview of ACS Configuration Summary of Configuration Steps Configuration Flowchart EAP-TLS, SSLOL-14390-02 Deploy the Access Control Servers Determining the Deployment ArchitectureSize Users Access TypesWired LAN Access Small LAN Environment Campus LANGeographically Dispersed Wired LAN ACS in a Campus LANWireless Access Topology Simple WlanCampus Wlan Regional Wlan Setting Large Enterprise Wlan Setting 6shows a regional WlanDial-up Access Topology Small Dial-Up Network AccessLarge Dial-Up Network Access Small Dial-up NetworkNumber of Users Placement of the Radius ServerDetermining How Many ACSs to Deploy Scalability WAN Latency and Dependability Number of Network Access ServersLAN Versus WAN Deployment Number of LANs in the Network Configuration components for replication-What is replicated Deploying ACS Servers to Support Server FailoverLoad Balancing and Failover Database Replication ConsiderationsDatabase Synchronization Considerations Replication DesignDeploying ACS in a NAC/NAP Environment Component DescriptionACS Cisco AAA server productRemote Access Policy Additional TopicsAdministrative Access Policy Security PolicySeparation of Administrative and General Users Database Considerations Network Latency and ReliabilityNumber of Users Type of DatabaseOL-14390-02 Configuring New Features in ACS New Global EAP-FAST Configuration OptionsOption Description PACUse PAC and Do Not Use PAC Options Disabling NetBIOS 2shows the new options on the NAP ProtocolsConfiguring ACS 4.2 Enhanced Logging Features To disable NetBIOS over TCP/ IP in Windows 2000, XP, orRight-clickMy Network Places and choose Properties Click Internet Protocol TCP/IP and choose PropertiesConfiguring Group Filtering at the NAP Level Click SubmitConfiguring Syslog Time Format in ACS Check the Disable Dynamic users check boxOption to Not Log or Store Dynamic Users Active Directory Multi-Forest SupportClick Submit and Restart Click Database ConfigurationRSA Support on the ACS SE Click Create New Configuration Click ConfigureClick RSA SecureID Token Server Click Upload scconf.recFTP Server Login Password Directory External User Databases Configuration page opensPurging the RSA Node Secret File FieldConfiguring RSA SecurID Token and Ldap Group Mapping Click Configure LdapClick Purge Node Secret Click RSA SecurID Token and Ldap Group MappingRSA SecurID Token and Ldap Group Mapping Configuration Choose Process all usernamesConfiguring New Features in ACS RSA Support on the ACS SE Configuring New Features in ACS RSA Support on the ACS SE Uid=joesmith,ou=members,ou=administrators,o=cisco Turning Ping On and Off New Rdbms Synchronization Features in ACS Release ACS 4.2 provides enhanced support for Rdbms SynchronizationUsing Rdbms Synchronization to Configure dACLs Enable dACLsCreate a Text File to Define the dACLs Check the Rdbms Synchronization check boxKeyword Value Example 4-1shows a sample text fileCode the information in the file as described in Table Sample accountActions CSV File Example 4-2shows a sample accountActions CSV fileClick Rdbms Synchronization Configure Rdbms Synchronization to Use a Local CSV FileAction Code Name Required Description Rdbms Synchronization Setup Page ACS for Windows Configuration Guide for Cisco Secure ACS OL-14390-02 Perform Rdbms Synchronization Running Rdbms Synchronization from the ACS GUIRunning CSDBSync Manually to Create the dACLs ACS for WindowsPerforming Rdbm Synchronization Using a Script View the dACLsEntry for the Sample dACL NAF Error MessagesExplanation User has write access to the ACS On the ACS is configured correctlyEnabled correctly in the ACS GUI Reading, Updating, and Deleting dACLsUpdatedacl ReaddaclDaclreplace DeletedaclUpdateuserdacl UNGN, VN Deleteuserdacl UngnReadnas UpdatenasCreating, Reading, Updating and Deleting AAA clients OL-14390-02 Password Policy Configuration Scenario Summary of Configuration Steps Add and Edit a New Administrator AccountAdministration Control Configure Password Policy Server 4.2, Administrators and Administrative PolicyTo specify password restrictions Privileges that you want to grantAdministrator Password Policy Setup Specify Password Validation Options Specify Password Lifetime OptionsPassword Lifetime Options Password Inactivity OptionsConfigure Session Policy Specify Password Inactivity OptionsSpecify Incorrect Password Attempt Options Incorrect Password Attempt Options section, configureSession Policy Setup Configure Access Policy Click Access PolicyAccess Policy Setup page appears, as shown in Figure Before You BeginAccess Policy Setup Click the appropriate IP Address Filtering optionIP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive that is,Range includes the Start and End IP addresses Must differ only in the last octet Class C formatViewing Administrator Entitlement Reports Configuration ACS Certificate Setup to accessInstallation process. With SSL enabled, ACS begins using Displays an errorView Privilege Reports Click Entitlement ReportsOL-14390-02 Agentless Host Support Configuration Scenario Overview of Agentless Host SupportUsing Audit Servers and Game Group Feedback 1shows the flow of MAB informationConfigure a Radius AAA client See Configure a Radius AAA Client, page 6-5for detailsBasic Configuration Steps for Agentless Host Support Install ACSConfigure a Radius AAA Client Install and Set Up an ACS Security Certificate Click Submit + ApplyObtain Certificates and Copy Them to the ACS Host Go to selecteddrive\CertsEnable Security Certificates on the ACS Installation Select Install CertificateClick ACS Certificate Setup Click Install ACS Certificate Click SubmitAdd a Trusted Certificate Install the CA CertificateTo install the CA Certificate Create one or more Ldap database configurations in ACS Configure Ldap Support for MABConfigure an External Ldap Database for MAB Support Description of the Settings in the Sample Ldap Schema 802.1x device n 802.1x device n+1How the Subtrees Work How the Ldap User Groups WorkClick Generic Ldap Create One or More Ldap Database Configurations in ACS1describes the attributes of the sample Ldap groups Specify the common Ldap configuration 6shows the Common Ldap Configuration sectionOL-14390-02 Ldap Server Configuration Sections ACS SE OnlyConfigure User Groups for MAB Segments Click Add Profile Enable Agentless Request ProcessingCreate a New NAP Profile Setup page opens, shown in Figure Profile SetupCheck the check box for Allow Agentless Request Processing Enable Agentless Request Processing for a NAPYou are now ready to enable agentless request processing Configure MAB You are now ready to configure MAB settingsClick Internal ACS DB 13 MAC Address Input AreaConfigure Logging and Reports Configuring Reports for MAB ProcessingConfiguration Steps for Audit Server Support Configure Game Group FeedbackConfigure Security Certificates To configure PEAP-TLS Configure security certificatesConfigure global authentication settings Specify EAP-TLS optionsObtain Certificates and Copy Them to the ACS Host Enable Security Certificates on the ACS Installation Select Install CertificateInstall the CA Certificate Add a Trusted CertificateGlobal Authentication Setup page opens, as shown in Figure Configure Global Authentication SettingsClick Global Authentication Setup EAPMSCHAP2 EAP-GTC Optional Configure Authentication PolicySpecify EAP-TLS Options Configuring Syslog Logging OverviewClick Logging Logging page opens, shown in FigureLogging Configuration Enable Logging Format of Syslog Messages in ACS Reports Facility CodesMessage Length Restrictions OL-14390-02 NAC Configuration Scenario Install ACSPerform Network Configuration Tasks This section describesAdd AAA Client Configure the AAA Server Click Submit + ApplyThis section describes the following tasks Set Up System ConfigurationClick Submit and Apply Click ACS Certification Authority Setup Set Up the ACS Certification AuthorityClick ACS Certificate Setup Choose ACS Certificate Setup Edit Certificate Trust List Edit the Certificate Trust ListSet Up Global Configuration Install the ACS CertificateInstall ACS Certificate page opens, as shown in Figure Click the Read certificate from file radio buttonSet Up Global Authentication Global Authentication Setup Page appears, as shown in FigureGlobal Authentication Setup Allow EAP-MSCHAPv2 Allow EAP-GTCAllow Posture Validation Click Submit + RestartEAP Fast Configuration page appears, as shown in Figure Set Up EAP-FAST ConfigurationClick EAP-FAST Configuration Provisioning check boxes Check the Allow EAP-FASTcheck box-8, this is ACS NAC Server. However, this can be any string Click Service Control Configure the Logging LevelConfigure Logs and Reports Check the Log to CSV Passed Authentications Report check box Check the Log to CSV Radius Accounting Report check box Set Up Administration Control Add Remote Administrator AccessClick Add Administrator Add Administrator page opens, as shown in Figure10 Add Administrator Option Description Click Grant AllClick Network Access Filtering Set Up Shared Profile ComponentsConfigure Network Access Filtering Optional Configure Downloadable IP ACLs 11 Edit Network Access FilteringAdding an ACL To add a new ACLChoose Shared Profile Components Downloadable IP ACLs List of dACLs appears, as shown in FigureAdding an ACE 13 Downloadable IP ACLs14 Downloadable IP ACL Content New ACL appears on the list of downloadable ACLs Configure Radius Authorization ComponentsSaving the dACL Click Radius Authorization Components 16 Radius Authorization Components17 RAC Attribute Add/Edit 18 Attribute Selection for the CiscoFullAccess RAC 19 Attribute Selection for the CiscoRestricted RAC ACL AttributeNumber Attribute Name Description Configure an External Posture Validation Audit Server Add the Posture Attribute to the ACS DictionaryConfigure the External Posture Validation Audit Server Click Add Server20 External Posture Validation Audit Server Setup 21 Use These Audit Servers Section Configure Posture Validation for NAC Configure Internal Posture Validation PoliciesClick Internal Posture Validation Setup Click Add RuleClick Add Condition Set Add/Edit Condition page appears, as shown in FigureConfigure External Posture Validation Policies 26 Edit External Posture Validation Servers27 Add/Edit External Posture Validation Server Configure an External Posture Validation Audit Server Add the Posture Attribute to the ACS Dictionary28 External Posture Validation Audit Server Setup 29 Use These Audit Servers Section Authorization Policy and NAC Audit 30 Audit Flow Settings and Game Group Feedback SectionsSet Up Templates to Create NAPs Sample NAC Profile TemplatesSample NAC Layer 3 Profile Template EAP-FAST GTCProfile Setup 31 Create Profile From Template32 Profile Setup Page for Layer 3 NAC Template EAP Configuration section, Posture Validation is enabled Protocols Policy for the NAC Layer 3 TemplateAuthentication Policy 34 Authentication Page for Layer 3 NAC Profile TemplateFrom the Template drop-down list, choose NAC L2 IP Sample NAC Layer 2 TemplateSample Posture Validation Rule To enable the profile setup Go to Network Access Profiles36 Profile Setup Page for NAC Layer 2 Template Default ACLs ACS and Attribute-Value PairsProtocols Settings 37shows the Protocols settings for the NAC Layer 2 template38 Authentication Settings for NAC Layer 2 Template Sample NAC Layer 2 802.1x Template 39 Sample Posture Validation Policy for NAC Layer 2 Template40 Create Profile From Template 41 Profile Setup Page for NAC Layer 2 802.1x Template 42 Protocols Setting for NAC Layer 802.1x Template Protocols PolicyAuthorization Policy Go to Network Access ProfilesSample Wireless NAC L2 802.1x Template Sample Posture Validation Rule45 Create Profile From Template 46 Profile Setup Page for Wireless NAC L2 802.1xTemplate 47 Protocols Setting for Wireless NAC 802.1x Template Authorization Policy Using a Sample Agentless Host Template Sample Posture Validation Rule50 Create Profile From Template Profile Setup 52 Protocols Setting for Agentless Host for Layer 3 Template Choose Network Access Profiles Map Posture Validation Components to ProfilesChoose the relevant profile Posture Validation policy Enter a Name for the ruleClick Back to return to the Posture Validation policy Click Apply + RestartCheck the Do not reject when Audit failed check box Map an Audit Server to a ProfileCheck the Allow Agentless Request Processing check box Click Select AuditClick Apply and Restart Optional Configure Game Group FeedbackConfigure an external audit server Import NAC Attribute-Value Pairs Import an Audit Vendor File by Using CSUtilImport a Device-Type Attribute File by Using CSUtil Configure Database Support for Agentless Host Processing Enable Posture ValidationConfigure an External Audit Server Restart ACS Navigation bar, click System Configuration\ACSInstallDir\bin\CSUtil -addAVP filename 56 External Posture Validation Audit Server Setup 57 Use These Audit Servers Section 58 Audit Flow Settings and Game Group Feedback Sections Enable Game Group Feedback ACS Solution EnginePDA UnixMac Integrated Device Being authenticated Authentication agent installed, such as Cisco Trust AgentResource usage Posture-validation serverAuthenticate the device, instead of using an IP address GL-2GL-3 Radius Attribute Component Network accessMicrosoft, and RSA Security submitted to the Ietf ACE Updatenas UpdateuserdaclAdduser CA certificate Installing Audit servers ConfiguringConfiguring audit flow settings for 9-35,9-43,9-78 NAP DeleteuserdaclCreateuserdacl Configuring new features in ACS 4.2 ACS configuration forSpecifying Certificate Binary Comparison for Layer 2 NAC 802.1x templateNetbios NACNAC/NAP NAC L2 IPReliability Readdacl ReadnasReading dACLs Regional Wlan Related documentation RSAUsing Windows Certificate Import Wizard Installing the CA certificatePurging Node Secret file purging Sarbanes-Oxley Security policies Security protocolsSignificance Windows Certificate Import Wizard