Chapter 4 Common Scenarios Using ACS

Agentless Network Access

Agentless Network Access Flow

This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters.

Perform these tasks in the order listed to configure agentless network access in ACS:

Step 1 Configure network devices and AAA clients.

This is the general task to configure network devices and AAA clients in ACS and is not specific to agentless network access. Select Network Resources > Network Devices and AAA Clients and click Create. See Network Devices and AAA Clients, page 7-5.

Step 2 Configure an identity store for internal hosts.

Configure an internal identity store. See Adding a Host to an Internal Identity Store, page 4-17, or

Configure an external identity store. See Configuring an LDAP External Identity Store for Host Lookup, page 4-17.

For more information, see Chapter 8, “Managing Users and Identity Stores.”

Step 3 Configure the identity group. See Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18.

For more information, see Chapter 8, “Managing Users and Identity Stores.”

Step 4 Define policy elements and authorization profiles for Host Lookup requests.

For more information, see Chapter 9, “Managing Policy Elements.”

Step 5 Create an empty service by defining an access service for Host Lookup. For more information, see Creating an Access Service for Host Lookup, page 4-18.

Step 6 Return to the service that you created:

a. Define an identity policy. For more information, see Configuring an Identity Policy for Host Lookup Requests, page 4-19.

ACS has the option to look for host MAC addresses in multiple identity stores.

For example, MAC addresses can be in the Internal Hosts identity store, in one of the configured LDAP identity stores, or in the Internal Users identity store.

The MAC address lookup may be in one of the configured identity stores, and the MAC attributes may be fetched from a different identity store that you configured in the identity sequence.

You can configure ACS to continue processing a Host Lookup request even if the MAC address was not found in the identity store. An administrator can define an authorization policy based on the event, regardless of whether or not the MAC address was found.

The ACS::UseCase attribute is available for selection in the Authentication Policy, but is not mandatory for Host Lookup support.

b. Return to the service that you created.

c. Define an authorization policy. For more information, see Configuring an Authorization Policy for Host Lookup Requests, page 4-20.
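The identity-sequence behaviour described under Step 6 (MAC looked up in one store, attributes fetched from another, and the request optionally continuing when the MAC is not found so that the authorization policy can branch on the outcome) is modelled below. This is an added, constructed example and not Cisco ACS code; the store names, MAC addresses, attributes and authorization profile names are assumptions.

```python
"""Constructed model of ACS Host Lookup over an identity-store sequence (not ACS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 0011.22aa.bbcc; return upper-case dashed form."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed identity stores: store name -> {MAC: attributes}. Names are assumptions.
STORES: Dict[str, Dict[str, dict]] = {
    "Internal Hosts": {"00-11-22-AA-BB-CC": {"Description": "printer-3f"}},
    "LDAP-Corp": {"00-11-22-AA-BB-CC": {"Department": "Finance"},
                  "AA-BB-CC-00-11-22": {"Department": "Guest"}},
    "Internal Users": {},
}

@dataclass
class LookupResult:
    mac: str
    found_in: Optional[str]            # store that held the MAC, or None if not found
    attributes: dict = field(default_factory=dict)

def host_lookup(mac: str, authn_stores: List[str], attribute_stores: List[str],
                continue_if_not_found: bool) -> Optional[LookupResult]:
    """Identity sequence: locate the MAC in authn_stores in order, then pull attributes
    from attribute_stores (which may differ). Returns None when the identity policy
    rejects the request because the MAC was not found and continuation is disabled."""
    mac = normalize_mac(mac)
    found_in = next((s for s in authn_stores if mac in STORES[s]), None)
    if found_in is None and not continue_if_not_found:
        return None
    attrs: dict = {}
    for store in attribute_stores:
        attrs.update(STORES[store].get(mac, {}))
    return LookupResult(mac, found_in, attrs)

def authorize(result: Optional[LookupResult]) -> str:
    """Authorization policy keyed on the lookup event, not only on the MAC being known.
    Profile names are assumed placeholders."""
    if result is None:
        return "Reject"
    if result.found_in is None:
        return "Guest-VLAN"            # unknown host still receives a restricted profile
    if result.attributes.get("Department") == "Finance":
        return "Finance-VLAN"
    return "Default-Access"
```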


User Guide for Cisco Secure Access Control System 5.3

4-16

OL-24201-01
