Cisco Systems 4.2 manual

A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for Cisco Systems 4.2 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unambiguous and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for Cisco Systems 4.2 one can find a process description. An instruction's purpose is to teach, to ease the start-up and use of an item, or the performance of certain activities. An instruction is a compilation of information about an item or service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for Cisco Systems 4.2. A good user manual introduces us to a number of additional functionalities of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for Cisco Systems 4.2 should contain:
- information concerning the technical data of Cisco Systems 4.2
- the name of the manufacturer and the year of construction of the Cisco Systems 4.2 item
- rules of operation, control and maintenance of the Cisco Systems 4.2 item
- safety signs and certification marks which confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and certainty about the functionalities of purchased items. Unfortunately, networking and start-up of Cisco Systems 4.2 alone are not enough. An instruction contains a number of clues concerning the respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of Cisco Systems 4.2, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Cisco Systems service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and won't skip complicated, technical information about Cisco Systems 4.2.

Why should one read the manuals?

It is mostly in the manuals that we will find the details concerning the construction and capabilities of the Cisco Systems 4.2 item, its use of the respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instruction. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Configuration Guide for Cisco Secure ACS 4.2 February 2008 Text Part Number: OL-14390-02[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY P[...]

  • Page 3

    iii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 CONTENTS Preface ix Audience ix Organization ix Conventions x Product Documentation x Related Documentation xii Obtaining Documentation and Submitting a Service Request xii Notices iii-xii OpenSSL/Open SSL Project iii-xiii License Issues iii-xiii CHAPTER 1 Overview of ACS Configurati[...]

  • Page 4

    Contents iv Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Deploying ACS in a NAC/NAP Environment 2-15 Additional Topics 2-16 Remote Access Policy 2-16 Security Policy 2-17 Administrative Access Policy 2-17 Separation of Administrative and General Users 2-18 Database Considerations 2-19 Number of Users 2-19 Type of Database 2-19 Networ[...]

  • Page 5

    Contents v Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Step 6: View the dACLs 4-9 Error Messages 4-11 Reading, Updating, and Deleting dACLs 4-12 Updating or Deleting dACL Associations with Users or Groups 4-14 Using RDBMS Synchronization to Specify Network Configuration 4-14 Creating, Reading, Updating and Deleting AAA clients 4-1[...]

  • Page 6

    Contents vi Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Step 6: Enable Agentless Request Processing 6-18 Create a New NAP 6-18 Enable Agentless Request Processing for a NAP 6-20 Configure MAB 6-21 Step 7: Configure Logging and Reports 6-23 Configuring Reports for MAB Processing 6-23 Configuration Steps for Audit Server Support 6-24 [...]

  • Page 7

    Contents vii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Install the CA Certificate 9-7 Install the ACS Certificate 9-8 Set Up Global Configuration 9-8 Set Up Global Authentication 9-9 Set Up EAP-FAST Configuration 9-12 Configure the Logging Level 9-14 Configure Logs and Reports 9-14 Step 4: Set Up Administration Control 9-17 Add Remo[...]

  • Page 8

    Contents viii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Profile Setup 9-56 Protocols Policy 9-58 Authorization Policy 9-59 Sample Posture Validation Rule 9-60 Sample Wireless (NAC L2 802.1x) Template 9-60 Profile Setup 9-61 Protocols Policy 9-63 Authorization Policy 9-64 Sample Posture Validation Rule 9-65 Using a Sample Agentless H[...]

  • Page 9

    ix Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Audience This guide is for security administrators who use Cisco Secure Access Control Server (ACS), and who set up and maintain network and application security. Organization This document contains: • Chapter 1, “Overview of ACS Configuration” —Provides an overvi[...]

  • Page 10

    x Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Conventions This document uses the following conventions: Tip Identifies information to help you get the most benefit from your product. Note Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful sugg[...]

  • Page 11

    xi Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Table 1 ACS 4.2 Documentation Document Title Available Formats Documentation Guide for Cisco Secure ACS Release 4.2 • Shipped with product. • PDF on the product CD-ROM. • On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_fo[...]

  • Page 12

    xii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Notices Related Documentation Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates. A set of white papers about ACS are available on Cisco.com at: [...]

  • Page 13

    xiii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Notices OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes so[...]

  • Page 14

    xiv Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Notices Original SSLeay License: Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is[...]

  • Page 15

    CHAPTER 1-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 1 Overview of ACS Configuration This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps. Note If you are configuring ACS to work with Microso[...]

  • Page 16

    1-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Summary of Configuration Steps b. For each administrator, specify administrator privileges. c. As needed, configure the following optional administrative policies: – Access Policy —Specify IP address limitations, HTTP port restrictions, [...]

  • Page 17

    1-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Summary of Configuration Steps – By using database synchronization – By using database replication For detailed instructions, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using[...]

  • Page 18

    1-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Summary of Configuration Steps Step 14 Set Up Network Access Profiles. If required, set up Network Access Profiles. Step 15 Configure Logs and Reports. Configure reports to specify how ACS logs data. You can also view the logs in HTML re[...]

  • Page 19

    1-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Configuration Flowchart Configuration Flowchart Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration. Figure 1-1 ACS Configuration Flowchart Refer to the list of steps in Summary of Configuration Steps, p[...]

  • Page 20

    1-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Configuration Flowchart[...]

  • Page 21

    CHAPTER 2-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 2 Deploy the Access Control Servers This chapter discusses topics that you should consider before deploying Cisco Secure Access Control Server, hereafter referred to as ACS. This document does not describe the software installation procedure for ACS or the hardware[...]

  • Page 22

    2-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture This section discusses: • Access types —How users will access the network (through wireless access, LAN access through switches, and so on) and the security protocols used to control user access; [...]

  • Page 23

    2-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture • EAP-TLS —Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS uses the TLS protocol (RFC 2246), which is the latest version of the Secure Socket Layer (SSL) protocol fr[...]

  • Page 24

    2-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-2 ACS in a Campus LAN Figure 2-2 shows a possible distribution of ACS in a wired campus LAN. In this campus LAN, buildings are grouped into three segments. Each segment consists of 1 to[...]

  • Page 25

    2-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-3 ACS in a Geographically Dispersed LAN Wireless Access Topology A wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into[...]

  • Page 26

    2-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-4 Simple WLAN Campus WLAN In a WLAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy ACS become more complex. Depending on[...]

  • Page 27

    2-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-5 Campus WLAN Regional WLAN Setting In a given geographical or organizational region, the total number of users might or might not reach a critical level for a single ACS. Small offices[...]

  • Page 28

    2-8 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-6 shows a regional WLAN. Figure 2-6 ACS in a Regional WLAN Large Enterprise WLAN Setting In a very large geographically dispersed network (over 50,000 users), access servers might be locate[...]

  • Page 29

    2-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-7 shows ACS installations in a geographically dispersed network that contains many WLANs. Figure 2-7 ACS in a Geographically Dispersed WLAN For the model in Figure 2-7, the location of A[...]

  • Page 30

    2-10 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-8 Small Dial-up Network Large Dial-Up Network Access In a larger dial-in environment, a single ACS with a backup may be suitable, too. The suitability of this configuration depends on ne[...]

  • Page 31

    2-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining How Many ACSs to Deploy (Scalability) Placement of the RADIUS Server From a practical standpoint, the RADIUS server should be inside the general network, preferably within a secure subnet designated for servers, such as DHCP, Do[...]

  • Page 32

    2-12 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining How Many ACSs to Deploy (Scalability) The size of the LAN or WLAN is determined by the number of users who use the LAN or WLAN: For a detailed formula, see the white paper Deploying Cisco Secure ACS for Windows in Cisco Air[...]

  • Page 33

    2-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Deploying ACS Servers to Support Server Failover only create an 80-percent load on the other ACS for the duration of the outage. If the WAN is not suitable for authentication connections, we recommend using two or more ACSs on the LAN i[...]

  • Page 34

    2-14 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Deploying ACS Servers to Support Server Failover • Client configuration —How to configure the client. • Reports and event (error) handling —What information to include in the logs. Replication Design Because database replicatio[...]

  • Page 35

    2-15 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Deploying ACS in a NAC/NAP Environment Deploying ACS in a NAC/NAP Environment You can deploy ACS in a Cisco Network Admission Control and Microsoft Network Access Protection (NAC/NAP) environment. In the NAC/NAP environment, NAP [...]

  • Page 36

    2-16 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics Figure 2-11 illustrates the architecture of a NAC/NAP network. Figure 2-11 NAC/NAP Deployment Architecture Additional Topics This section describes additional topics to consider when deploying ACS. This section co[...]

  • Page 37

    2-17 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics access, other decisions can also affect how ACS is deployed; these include specific network routing (access lists), time-of-day access, individual restrictions on AAA client access, access control lists (ACLs), and so [...]

  • Page 38

    2-18 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics A small network with a small number of network devices may require only one or two individuals to administer it. Local authentication on the device is usually sufficient. If you require more granular control than wh[...]

  • Page 39

    2-19 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics Conversely, if a general user attempts to use his or her remote access to log in to a network device, ACS checks and approves the username and password; but, the authorization process would fail because that user would [...]

  • Page 40

    2-20 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics[...]

  • Page 41

    CHAPTER 3-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 3 Configuring New Features in ACS 4.2 This chapter describes how to configure several new features provided with ACS 4.2. For information on new features that accompany both ACS for Windows and the ACS SE, see: • New Global EAP-FAST Configuration Options, page 3-[...]

  • Page 42

    3-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 New Global EAP-FAST Configuration Options Figure 3-1 New Global EAP-FAST Configuration Options Table 3-1 describes the new EAP-FAST settings. Table 3-1 New EAP-FAST Global Configuration Settings with Release 4.2 Option Desc[...]

  • Page 43

    3-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Disabling of EAP-FAST PAC Processing in Network Access Profiles Disabling of EAP-FAST PAC Processing in Network Access Profiles In the Protocols section for Network Access Profile (NAP) configuration, you can now set up a NAP that causes [...]

  • Page 44

    3-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Disabling NetBIOS Figure 3-2 shows the new options on the NAP Protocols page. Disabling NetBIOS Because disabling NetBIOS might be desirable in some cases, you can run ACS 4.2 with NetBIOS disabled. ACS SE 4.2 runs on a customized versi[...]

  • Page 45

    3-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Configuring ACS 4.2 Enhanced Logging Features To disable NetBIOS over TCP/IP in Windows 2000, XP, or 2003: Step 1 Right-click My Network Places and choose Properties. Step 2 Right-click the appropriate Local Area Connection icon, a[...]

  • Page 46

    3-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Configuring Group Filtering at the NAP Level Configuring Group Filtering at the NAP Level You can use ACS 4.2 to grant and deny access to users who are authenticated through a LDAP database based on the LDAP group to which the users b[...]

  • Page 47

    3-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Option to Not Log or Store Dynamic Users Option to Not Log or Store Dynamic Users When ACS authenticates users by using external databases, such as Active Directory or LDAP, and a user is successfully authenticated with the external [...]

  • Page 48

    3-8 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE In previous releases, ACS SE devices could only send syslog messages using the local time that is set on the ACS device. With release 4.2, you can configure the ACS SE to send syslog messages by using the lo[...]

  • Page 49

    3-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-5 External User Databases Page (ACS SE) Step 3 Click RSA SecureID Token Server. The Database Configuration Creation page appears. Step 4 Click Create New Configuration. The Create a New External Da[...]

  • Page 50

    3-10 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-7 Cisco Secure ACS to RSA SecurID Configuration Page Step 9 On the Cisco Secure ACS to RSA SecurID Configuration page, enter the information shown in Table 3-3 Step 10 Click Submit. Purging the [...]

  • Page 51

    3-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE The External User Database Configuration page opens. Step 4 Click Configure. The Cisco Secure ACS to RSA SecurID Configuration page opens. Step 5 Click Purge Node Secret. Configuring RSA SecurID Token and LDAP[...]

  • Page 52

    3-12 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-8 RSA SecurID Token and LDAP Group Mapping Configuration Page Step 7 If you do not want ACS to filter LDAP authentication requests by username, under Domain Filtering, choose Process all user n[...]

  • Page 53

    3-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Step 8 If you want to limit authentications processed by this LDAP configuration to usernames with a specific domain qualification: Note For information about domain filtering, see “Domain Filtering” in ch[...]

  • Page 54

    3-14 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote (“), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). A[...]

  • Page 55

    3-15 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE b. In the Port box, type the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information b[...]

  • Page 56

    3-16 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Turning Ping On and Off Note ACS saves the generic LDAP configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. Turning Ping On and O[...]

  • Page 57

    CHAPTER 4-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration This chapter describes how to configure ACS 4.2 to enable new RDBMS Synchronization features introduced with ACS 4.2. For detailed information on RDBMS Synchronization, see “RDBMS Synchro[...]

  • Page 58

    4-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs • Remote Invocation of the CSDBSync Service on the ACS Solution Engine —With ACS 4.2, you can run the CSDBSync service on a remote ACS SE, [...]

  • Page 59

    4-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Example 4-1 shows a sample text file. Example 4-1 Sample Text File for Creating a dACL [DACL#1] Name = DACL_For_Troy Description = Test_DACL_For_A[...]

  • Page 60

    4-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL To create an AccountActions CSV file to crea[...]

  • Page 61

    4-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Table 4-2 describes the accountActions codes used in Example 4-2 to add a User, create a dACL, and associate the dACL with a specified User or [...]

  • Page 62

    4-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Figure 4-1 RDBMS Synchronization Setup Page (ACS for Windows) b. Check the Use local CSV file check box. c. In the AccountActions file field, [...]

  • Page 63

    4-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs • Password —The password for the username provided in the Login box. The ACS SE has the information necessary to get the accountActions file f[...]

  • Page 64

    4-8 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 7 For each ACS that you want this ACS to update with data from the accountActions table, click the ACS in the AAA Servers list, and then cli[...]

  • Page 65

    4-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs ACS fetches the CSV file from the database, reads the action codes in the file, and performs the RDBMS Synchronization operations that the file spe[...]

  • Page 66

    4-10 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs The Downloadable IP ACLs page displays the selected dACL, as shown in Figure 4-4. Figure 4-4 Entry for the Sample dACL In the ACL Contents col[...]

  • Page 67

    4-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 5 If the dACL was not created correctly, review the steps in Using RDBMS Synchronization to Configure dACLs, page 4-2 and check for errors. [...]

  • Page 68

    4-12 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Reading, Updating, and Deleting dACLs Reading, Updating, and Deleting dACLs Table 4-4 lists the account action codes that you can use to read, update, or delete a dACL. Failed to import DACL [...]

  • Page 69

    4-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Reading, Updating, and Deleting dACLs. Table 4-4 Account Action Codes for Creating, Reading, Updating, or Deleting dACLs Action Code Name Required Description 386 READ_DACL VN, V1 (optio[...]

  • Page 70

    4-14 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Updating or Deleting dACL Associations with Users or Groups Updating or Deleting dACL Associations with Users or Groups Table 4-5 lists the account action codes to update the dACL or remove t[...]

  • Page 71

    4-15 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Specify Network Configuration Creating, Reading, Updating and Deleting AAA clients The RDBMS Synchronization feature supports creation and deletion of single or [...]

  • Page 72

    4-16 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Specify Network Configuration[...]

  • Page 73

    CHAPTER 5-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 5 Password Policy Configuration Scenario Cisco Secure ACS, hereafter referred to as ACS, provides new password features to support corporate requirements mandated by the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley (SOX) requires stricter enforcement of password res[...]

  • Page 74

    5-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Summary of Configuration Steps Summary of Configuration Steps To configure password policy in ACS: Step 1 Add a new administrator account. Add a new administrator account, specify the administrator name and password, and grant access[...]

  • Page 75

    5-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 1: Add and Edit a New Administrator Account Figure 5-1 Administration Control Page The Administration Control page initially lists no administrators. If administrators have been configured, the page lists the configured admin[...]

  • Page 76

    5-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 2: Configure Password Policy Step 4 Click Grant All or Revoke All to globally add or remove all privileges, Step 5 If you want to grant specific privileges to the administrator, check the check boxes that correspond to the pr[...]

  • Page 77

    5-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 2: Configure Password Policy Figure 5-2 The Administrator Password Policy Setup Page[...]

  • Page 78

    5-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 2: Configure Password Policy Step 2 On the Password Policy Setup Page, specify: • Password Validation Options See Specify Password Validation Options, page 5-6. • Password Lifetime Options See Specify Password Lifetime [...]

  • Page 79

    5-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 3: Configure Session Polic y Specify Password Inactivity Options In the Passw ord Inacti vity Options secti on, conf igure: • The password will r e quir e change after n days —Foll owing th e last account acti vity , if enabled, n [...]

  • Page 80

    5-8 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 3: Configur e Session Policy Figur e 5-3 The Session P olic y Setup P age Step 2 On the Session Polic y Setup page, set session option s as required. Y ou can specify: • Session idle timeout (minutes) —Speci fies the time, in minu[...]

  • Page 81

    5-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 4: Configure Access Policy Step 4: Configure Access Policy This section descri bes how to conf igure administrati ve access p olicy . Before You Begin If you want to enabl e the SSL for administrator access, you must ha ve completed th[...]

  • Page 82

    5-10 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 4: Configure Ac cess Policy Figur e 5-4 Access P olicy Setup P age Step 3 Click the appropriate IP Addr ess Filtering option Ta b l e 5-1 A ccess P o lic y Options Option Description IP Address Filtering Allow all IP addresses to con[...]

  • Page 83

    5-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 4: Configure Access Policy Reject connections from listed IP addresses Restricts remote access to the web in terface to IP addresses outside of the specified IP Address Ranges. IP filtering operates on the IP address recei ved in an H[...]

  • Page 84

    5-12 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Viewing Administrator Entitlement Reports Step 4 T ype the appropriate IP addres s ranges in accordance with th e IP Address Fi ltering option. Step 5 Click the appropriate HTTP Port Al location option to allo w all ports or restrict acce[...]

  • Page 85

    5-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Viewing Administrator Entitle ment Reports View Privilege Reports T o vi ew pri vilege report s: Step 1 In the na vigation bar , click Reports and Activity . The Reports page opens. Step 2 Click Entitlement Reports . A list of the a vailab[...]

  • Page 86

    5-14 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Viewing Administrator Entitlement Reports[...]

  • Page 87

6-1 Chapter 6 Agentless Host Support Configuration Scenario
This chapter describes how to configure the agentless host feature in Cisco Secure Access Control Server, hereafter referred to as ACS.
Note The procedure in this chapter describes how to configure agentless host suppo[...]

6-2 3. If you configure ACS for MAB, it searches the authentication database for the host's MAC address. The database can be:
– ACS internal
– LDAP (if you configure LDAP)
4. During t[...]

6-3 GAME group feedback provides an added security check for MAC address authentication by checking the device type categorization that ACS determines by associating a MAC address with a user group ag[...]

6-4 Step 7 Configure logging and reports. Add the Bypass Info attribute to the Passed Authentications and Failed Attempts reports. See Step 7: Configure Logging and Reports, [...]

6-5 where IP_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS.
Step 2: Configure a RADIUS AAA Client
Before y[...]

6-6 Figure 6-2 Add AAA Client Page
Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 alphanumeric characters).
Step 4 In the AAA Clien[...]

6-7 The steps in this section are required to enable posture validation, which is used in Network Access Profiles.
Obtain Certificates and Copy Them to the ACS Host
To copy a cer[...]

6-8 Step 4 Select Install Certificate. The Windows Certificate Import wizard starts.
Step 5 To install the certificate, follow the instructions that the wizard displays.
Ste[...]

6-9 Step 11 Do not restart the services at this time. Restart the services later, after you have completed the steps for adding a trusted certificate. See Add a Trusted Certific[...]

6-10 Step 4: Configure LDAP Support for MAB
You can configure the ACS internal database to manage MAB used with the agentless host feature; however, if you have a large num[...]

6-11
macAddress: 11-22-33-44-55-66
cn: user11-wxp.emea.mycorp.com
dn: cn=Group_1_colon,ou=MAC Groups, ou=MAB Segment, o=mycorp
objectClass: top
objectClass: groupofuniquenames
descrip[...]

6-12 How the Subtrees Work
The sample LDAP schema in Example 6-1 contains code to define two subtrees:
dn: ou=MAC Addresses, ou=MAB Segment, o=mycorp
ou: MAC Addresses
objectClas[...]

6-13 Table 6-1 describes the attributes of the sample LDAP groups.
Create One or More LDAP Database Configurations in ACS
After you have configured one or more LDAP databases[...]

6-14 • Common LDAP Configuration—Configure the settings in this section to specify how ACS queries the LDAP database.
• Primary LDAP Server—Configure the settings [...]

6-15 • UserObjectClass—The value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribu[...]

6-16 Figure 6-7 LDAP Server Configuration Sections
a. For the primary LDAP server specify:
– Hostname—The name or IP address of the server that is running the LDAP soft[...]

6-17 For detailed information on this field, refer to the “LDAP Configuration Options” section in Chapter 12 of the User Guide for Cisco Secure Access Control Server, ?[...]

6-18 Before you assign the user groups, plan how to configure the user groups. For example, users associated with the user group can:
• Be denied access to the network
• B[...]

6-19 The Profile Setup page opens, shown in Figure 6-9.
Figure 6-9 Profile Setup Page
Step 3 In the Name text box, enter the name of the NAP.
Step 4 If you have set up net[...]

6-20 Figure 6-10 Edit Network Access Protocols Page
You are now ready to enable agentless request processing.
Enable Agentless Request Processing for a NAP
To enable agen[...]

6-21 You are now ready to configure MAB settings.
Configure MAB
To configure MAB:
Step 1 In the Edit Network Access Profiles page, click Authentication. The Authentica[...]

6-22 Step 3 If you specified an LDAP database in the Credential Validation Databases section, click LDAP Server and then select an LDAP database that you configured on the[...]

6-23 Step 7: Configure Logging and Reports
By default, the following information about MAB processing is logged to the CSAuth log file:
• The start of MAB request handling and w[...]

6-24 Step 4 Repeat Step 3 for additional report types as required.
Step 5 Repeat Steps 3 and 4 for the Failed Attempts report.
Configuration Steps for Audit Server Support
If you are us[...]

7-1 Chapter 7 PEAP/EAP-TLS Configuration Scenario
You can select EAP-TLS as an inner method that is used within the tunnel that ACS establishes for PEAP authentication. If you select EAP-TLS, ACS can use it not only to encrypt the initial data sent through the PEAP protocol; but,[...]

7-2 Obtain Certificates and Copy Them to the ACS Host
To use EAP-TLS, you must obtain and install security certificates.
To copy a certificate to the ACS host:
Step 1 Obtain a security certificat[...]

7-3 Step 4 Select Install Certificate. The Windows Certificate Import wizard starts.
Step 5 To install the certificate, follow the instructions that the wizard displays.
Step 6 Accept the default o[...]

7-4 Step 10 ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services.
Step 11 Do not restart the services at this time. Restart the se[...]

7-5 Step 3 Click Submit.
Step 4 To restart ACS, choose System Configuration > Service Control, and then click Restart.
Step 2: Configure Global Authentication Settings
T[...]

7-6 Step 3 Specify the protocols to use with the PEAP protocol. They are:
• EAP_MSCHAP2
• EAP-GTC
Step 4 If you want to enable posture validation on this ACS installation, check the Enable Posture Validat[...]

8-1 Chapter 8 Syslog Logging Configuration Scenario
Overview
ACS provides a system logging (syslog) feature. With the addition of this feature, all AAA reports and audit report messages can be sent to up to two syslog servers.
Configuring Syslog Logging
To configure ACS to gener[...]

8-2 Figure 8-1 Logging Configuration Page
Step 3 To enable a syslog report, on the Logging Configuration page, click the Configure link in the syslog column, in the row for each report that you want to gener[...]

8-3 Figure 8-2 Enable Logging Page
Step 4 Check the check box for logging the specified information to syslog. For example, in Figure 8-2, check the Log to Syslog Failed Attempts Report check box. In the Select[...]

8-4 Step 6 Click Submit.
Step 7 Repeat the process for any additional reports for which you want to enable syslog reporting.
Format of Syslog Messages in ACS Reports
Syslog messages included in ACS[...]

8-5 All ACS syslog messages use a severity value of 6 (informational). For example, if the facility value is 13 and the severity value is 6, the Priority value is 110 ((8 x 13) + 6). The Prior[...]

8-6 Format of Syslog Messages in ACS Reports[...]

    CH A P T E R 9-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 9 NAC Configuration Scenario This chapter describes how to set up Cisco Secure A ccess Control Se rver 4.2, hereafte r referred t o as A CS, to work in a Cisco Network Admission Contro l en vironment. This chapter contai ns the follo wing sections: • Step 1: Install A CS, p[...]

  • Page 124

    9-2 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 2: Perfo rm Network Configuration Tasks T o in stall A CS: Step 1 Start the A CS installation: If you are i nstalling A CS for Wi ndo ws: a. Using a local administrat or account, log in to the compu ter on which you want to install A CS. b. Inser[...]

  • Page 125

    9-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 2: Perform Network Configuration Tasks Step 2 Do one of the foll ow ing: • If you are usin g Network Device Groups (NDGs), c lick the name of the NDG to which you w ant to assign the AAA client. Then , click Add Entry belo w the AAA Clients tab[...]

  • Page 126

    9-4 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 2: Perfo rm Network Configuration Tasks Step 5 In the Shared Secret box, type a sh ared secret key fo r the AAA cli ent. The shared secret is a string th at you determine; for example, m ynet123 . The shar ed secret must be identical on the AAA c[...]

  • Page 127

    9-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 3: Set Up System Configuration Step 2 In the AAA Servers tabl e, click the name of th e AAA ser ver in the AAA Server Na me column. The AAA Server Setup page o pens, shown in Fi gure 9-2 . Figur e 9-2 AAA Server Setup P age Step 3 In the K ey f i[...]

  • Page 128

    9-6 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Obtain Certificates and Copy Them to the ACS Host T o copy a certif icate to the A CS host: Step 1 Obtain a security certif icate. Step 2 Create a certs directory on t he A CS server . a. Open a DOS command windo [...]

  • Page 129

    9-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 3: Set Up System Configuration Edit the Certificate Trust List After you set up the A CS certification author ity , you mu st add the CA certificate to the A CS Certificate Tr u s t list. T o add the certificate to the Certificate Trust list: Ste[...]

  • Page 130

    9-8 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Install the ACS Certificate T o enable security certif icates on the A C S installation: Step 1 In the na vigation bar , click System Configurat ion . The System Conf iguration page o pens. Step 2 Click AC S C e r t[...]

  • Page 131

    9-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 3: Set Up System Configuration Set Up Global Authentication In the global authentication setup, you specify the protocols that A CS uses to transfer creden tials from the host for authentication and au thorization. Unless you ha ve a limited depl[...]

  • Page 132

    9-10 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Figur e 9-6 Global A uthentica tion Setup P age[...]

  • Page 133

    9-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 3: Set Up System Configuration Step 3 T o mak e the PEAP global authen tication parameters a v ailable in the N AP configuration , check the check boxes for: • Allow EAP-MSCHAPv2 . EAP-MSCHAP is a v ariation of the Micr osoft Challenge and Res[...]

  • Page 134

    9-12 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Set Up EAP-FAST Configuration T o conf igure A CS to work with N A C and use EAP-F AST with posture v alidation: Step 1 In the na vigation bar , click System Configurat ion . The System Conf iguration page o pens. [...]

  • Page 135

    9-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 3: Set Up System Configuration Figur e 9-8 EAP -F AS T Configur ation P age Step 4 Check the Allow EAP-F AST check box. Step 5 In the Client Initial Messag e text box, enter a messag e; for example, Welcome . Step 6 In the Authority ID Info f ie[...]

  • Page 136

    9-14 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Step 8 Check the Accept client on authenticated pr ovisioning and Requir e client certificate f or pro visioning check boxes. Step 9 Check the check boxes for the EAP-GTC , EAP-MSCHAPv2 , and EAP-TLS inner methods.[...]

  • Page 137

    9-15 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 3: Set Up System Configuration T o enable the P assed Authentications report: Step 1 In the na vigation bar , click System Conf iguration . The System Conf iguration page o pens. Step 2 Click Logging . The Logging Conf iguration page opens. The [...]

  • Page 138

    9-16 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 3: Set Up System Configuration Step 4 Mov e the attrib utes that you want t o log from the Attributes list to Logged Attributes list. Some useful attrib utes to log are: • Message-T ype • User-Name • Caller-ID • N AS-Port • N AS-IP-Add[...]

  • Page 139

    9-17 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 4: Set Up Administration Control • Acct-Input-Octets • Acct-Output-Octets • Acct-Input-Packets • Acct-Output-Packets • Framed-IP-Address • N AS-Port • N AS-IP-Address • Class • T ermination-Acti on • Called-Station-Id • Acc[...]

  • Page 140

    9-18 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 4: Set Up Ad ministration Contr ol Figur e 9- 1 0 Ad d Ad mi ni s tra tor Page[...]

  • Page 141

    9-19 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 4: Set Up Administration Control Step 3 In the Administrator Det ails area, specify the follo wing information: Step 4 Click Grant All . This grants all pr ivile ges to the ne w administrator; or , specifies to which groups o r actions this admi[...]

  • Page 142

    9-20 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Step 5 Click Submit . After performing these steps, from a remote host, you can open a browser in which to administer A CS. The URLs for remote access are: • http:// IP_addr ess :2002 • http:// hostnam e :[...]

  • Page 143

    9-21 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 5: Set Up Shared Profile Compone nts Figur e 9-1 1 Edit Networ k Access Filter ing Pag e Step 4 In the Name text b ox, enter a name for the network access f ilter . Step 5 Move any de vices or device groups to the Selected Items list. T o mo ve [...]

  • Page 144

    9-22 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components T o enable dA CLs and N AFs, whic h are required to create N APs: • Add a ne w posture A CL. • Add A CE entries fo r the A CL. • Sav e the posture A CL. Note These A CLs are referred to as posture A CLs [...]

  • Page 145

    9-23 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figur e 9-13 Downloadable IP ACLs P age Step 3 On the Do wnloadable IP A CLs page, enter a Name and optional Descr iption for the A CL, as shown in Figure 9-13 . Note Do not use spaces in the name of the A CL.[...]

  • Page 146

    9-24 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figur e 9-14 Downloadable IP ACL Cont ent P age Step 2 In the Name te xt box, type the A CL name. Step 3 In the A CL Definitions input box, ty pe definit ions for the A CL. A CL def initions consist of a serie[...]

  • Page 147

    9-25 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 5: Set Up Shared Profile Compone nts Figur e 9-15 Downloadable A CL Contents List with New Cont ent Step 5 From the drop-do wn list in the Netw ork Access Filtering column of the A CL Contents table, choose the correct N AF for this ACL. Y ou ca[...]

  • Page 148

    9-26 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components The sample RA Cs are: • Cisco_FullAccess— Provides full access to the Cisco netw ork. Y ou use this RAC to g rant access to clients tha t qualify as heal thy . • Cisco_Restricted —Provides restricted a[...]

  • Page 149

    9-27 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 5: Set Up Shared Profile Compone nts Figur e 9-1 7 RAC At tribute A dd/Edit Pag e b. In the V alue field for the attrib ute, enter an appropriate va lue. Each attribute has spec ific v a lue types based on how the attribute is de f ined. For e x[...]

  • Page 150

    9-28 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components Figur e 9-18 Attr ibute Selection f o r the Cisco_FullAccess RAC[...]

  • Page 151

    9-29 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 5: Set Up Shared Profile Compone nts Figur e 9-19 Attr ibute Selection f or the Cisco_Restr icted RAC T o enable VLAN assign ment, the sample RA Cs include the follow ing RADIUS attrib utes: • Session-Timeout (attrib ute 27) —Enables a sessi[...]

  • Page 152

    9-30 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 5: Set Up Shared Profile Components • T unnel-Medium-T ype (attribute 65) —Indicat es which protocol to use o ve r the tunnel. In the sample RA Cs, this is set to type 6, which specif ies an 802 protocol. In the N A C/N AP en vironment, this[...]

  • Page 153

    9-31 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 6: Configure an Extern al Posture Validation Audit Server Step 6: Configure an External Posture Validation Audit Server A N A C-enabled network might i nclude agentless hosts that do not ha ve the N AC client software. A CS can defer the posture[...]

  • Page 154

    9-32 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 6: Configure an External Posture Valida tion Audit Server Y our vendor ID sho uld be the Internet Assigned Numbers Authority (IAN A)-assigned number that is the first sectio n of the posture tok en attrib ute name, [ven dor]:6: Step 2 T o inst a[...]

  • Page 155

    9-33 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 6: Configure an Extern al Posture Validation Audit Server Figur e 9-20 Exter nal Post ure V alidation A udit Ser v er Setup P a g e Step 3 T o conf igure the audit server: a. Enter a Name and Descr iption (optional) . b. In the Which Hosts Are A[...]

  • Page 156

    9-34 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 6: Configure an External Posture Valida tion Audit Server Figur e 9-21 Use Th ese A udit Servers S ection e. In the Use These Audit Servers section, enter the Au dit V alidation Server info rmation, Audit Serv er vendor , URL, and passwor d. Fig[...]

  • Page 157

    9-35 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 7: Configure Posture Validation for NAC Figur e 9-22 A udit Flow Settings and GAME Group F eedback Sections f. If required, in the Audi t Flo w Setting section, set the audit- flow parameters. g. If you are conf iguring GAME group feedback to su[...]

  • Page 158

    9-36 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 7: Configure Po st ure Validation for NAC T o cr eate an internal posture v alidation policy: Step 1 In the na vigation bar , click P osture V alidation . The Posture V alidation Components Setup page opens. Step 2 Click Internal P osture V alid[...]

  • Page 159

    9-37 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 7: Configure Posture Validation for NAC Figur e 9-24 Edit P osture V alidation Rule P age b. Click Add Condition Set . c. The Add/Edit Condi tion page appears, as sho wn in Figure 9-25 . Figur e 9-25 Add/Edit Condit ion P age d. From the Attrib [...]

  • Page 160

    9-38 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 7: Configure Po st ure Validation for NAC g. Click Enter . The specified rule appears in Add/ Edit Condition page, as shown in Figure 9-25 . h. Enter additional con ditions as required. i. Click Submit . j. Click Appl y and Restart to apply the [...]

  • Page 161

    9-39 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 7: Configure Posture Validation for NAC Figur e 9-27 Add/Edit Exter nal P ostur e V al idation Server P age Step 4 Enter a Name and Descr iption (optional) . Step 5 Enter the server detail s, URL, User , Password, T imeout, and certificat e (if [...]

  • Page 162

    9-40 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 7: Configure Po st ure Validation for NAC Configure an External Posture Validation Audit Server A N A C-enabled network might i nclude agentless hosts that do not ha ve the N AC client software. A CS can defer the posture v alidation of the agen[...]

  • Page 163

    9-41 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 7: Configure Posture Validation for NAC Configure the External Posture Validation Audit Server Y ou can configure an audit server once, and then use it for other prof iles. T o conf igure an audit server: Step 1 In the Posture V alidation Compon[...]

  • Page 164

    9-42 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 7: Configure Po st ure Validation for NAC Figur e 9-29 Use Th ese A udit Servers S ection e. In the Use These Audit Servers section, enter the Au dit V alidation Server info rmation, Audit Serv er vendor , URL, and passwor d. Figure 9-30 sho ws [...]

  • Page 165

    9-43 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 7: Configure Posture Validation for NAC Figur e 9-30 A udit Flow Settings and GAME Group F eedback Sections f. If required, in the Audi t Flo w Setting section, set the audit- flow parameters. g. If you are conf iguring GAME group feedback to su[...]

  • Page 166

    9-44 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 8: Set Up Temp lates to Create NAPs Step 8: Set Up Templates to Create NAPs A CS 4.1 provides se veral prof ile templates that you can use to conf igure common usab le profiles. In N A C-enabled networks, you can use these predefined profile tem[...]

  • Page 167

    9-45 Figure 9-31 Create Profile From Template Page Step 4 Enter a Name and Description (optional). Step 5 From the Template drop-down list, choose NAC L3 IP. Step 6 Check the Active check box. Step 7 [...]

  • Page 168

    9-46 Figure 9-32 Profile Setup Page for Layer 3 NAC Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter.[...]

  • Page 169

    9-47 These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edi[...]

  • Page 170

    9-48 Authentication Policy To configure authentication policy: Step 1 In the navigation bar, select Network Access Profiles. Step 2 Choose the Authentication link from the Policies column. The Authenticati[...]

  • Page 171

    9-49 c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group. Sample Posture Validation Rule Figure 9-3[...]

  • Page 172

    9-50 Step 6 Click Submit. If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts and the Profile Setup page for the NAC Layer 2 template appears. The predefined values[...]

  • Page 173

    9-51 Figure 9-36 Profile Setup Page for NAC Layer 2 Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter.[...]

  • Page 174

    9-52 This template automatically sets Advanced Filtering and Authentication properties with NAC Layer 2 IP Configuration. ACS and Attribute-Value Pairs When you enable NAC Layer 2 IP validation, ACS provides[...]

  • Page 175

    9-53 If you configure the default ACL on the switch and the ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host that is connected to a switch port. If the po[...]

  • Page 176

    9-54 Authentication Policy To set the authentication policy: Step 1 In the navigation bar, click Network Access Profiles. Step 2 Choose the Authentication link from the Policies column. The Authentication Set[...]

  • Page 177

    9-55 c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group. Sample Posture Validation Rule Figure 9-3[...]

  • Page 178

    9-56 Figure 9-40 Create Profile From Template Page Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose NAC L2 802.1x. Step 5 Check the Active check box. Step[...]

  • Page 179

    9-57 Figure 9-41 Profile Setup Page for NAC Layer 2 802.1x Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP fil[...]

  • Page 180

    9-58 Protocols Policy Figure 9-42 shows the Protocols settings for the NAC Layer 2 802.1x template. Figure 9-42 Protocols Setting for NAC Layer 802.1x Template In the EAP Configuration section, Posture V[...]

  • Page 181

    9-59 Authorization Policy To configure an authorization policy for the NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authorization link from the Policies column. The [...]

  • Page 182

    9-60 Sample Posture Validation Rule Figure 9-44 shows the sample posture validation policy provided with the NAC Layer 2 802.1x template. Figure 9-44 Sample Posture Validation Policy for NAC Layer 2 8[...]

  • Page 183

    9-61 Figure 9-45 Create Profile From Template Page Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose Wireless (NAC L2 802.1x). Step 5 Check the Active che[...]

  • Page 184

    9-62 Figure 9-46 Profile Setup Page for Wireless (NAC L2 802.1x) Template The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no [...]

  • Page 185

    9-63 These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edi[...]

  • Page 186

    9-64 Authorization Policy To configure an authorization policy for the Wireless NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authorization link from the Policies co[...]

  • Page 187

    9-65 Sample Posture Validation Rule Figure 9-49 shows the sample posture validation policy provided with the Wireless (NAC L2 802.1x) template. Figure 9-49 Sample Posture Validation Policy for Wireless [...]

  • Page 188

    9-66 To create an agentless host for Layer 3 profile template: Step 1 In the navigation bar, click Network Access Profiles. The Network Access Profiles page opens. Step 2 Click Add Template Profile. The [...]

  • Page 189

    9-67 Profile Setup To use the Profile Setup settings from the template: Step 1 Go to Network Access Profiles. Step 2 Choose the profile that you created. Step 3 The Profile Setup page appears, as shown in Figu[...]

  • Page 190

    9-68 • You can click the Allow Selected Protocol types option to specify a protocol type for filtering. • Two rules are configured in Advanced Filtering: [026/009/001]Cisco-av-pair = aaa:service=ip adm[...]

  • Page 191

    9-69 Step 9: Map Posture Validation Components to Profiles Authentication Policy To configure an authentication policy for the Agentless Host for Layer 3 template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authentication link from[...]

  • Page 192

    9-70 The Add/Edit Posture Validation Rule page for the specified rule appears, as shown in Figure 9-54. Figure 9-54 Add/Edit Posture Validation Rule Page Step 5 Choose the Required Credenti[...]

  • Page 193

    9-71 Step 10: Map an Audit Server to a Profile To add an external posture validation audit server to a profile: Step 1 Choose Network Access Profiles. Step 2 Click the Protocols link for the relevant Post[...]

  • Page 194

    9-72 Step 11 (Optional): Configure GAME Group Feedback d. If you want to specify a user group to which to assign the supplicant if the audit fails, check the Assign a User Group check box and then from the Assign a User Group drop-down list, choose [...]

  • Page 195

    9-73 Import an Audit Vendor File by Using CSUtil For information on importing an audit vendor file by using CSUtil, see the "Adding a Custom RADIUS Vendor and VSA Set" section in Appendix D of[...]

  • Page 196

    9-74 Step 3 Restart ACS: a. In the navigation bar, click System Configuration. b. Click Service Control. c. Click Restart. Configure Database Support for Agentless Host Processing The database tha[...]

  • Page 197

    9-75 To add the posture attributes: Step 1 Create a text file in the Utils directory with the following format: [attr#0] vendor-id=[your vendor id] vendor-name=[The name of your company] application-[...]

  • Page 198

    9-76 Configure the External Posture Validation Audit Server You can configure an audit server once, and then use it for other profiles. To configure an audit server: Step 1 In the Posture Validation[...]

  • Page 199

    9-77 Figure 9-57 Use These Audit Servers Section e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password. Figure 9-58 show[...]

  • Page 200

    9-78 Figure 9-58 Audit Flow Settings and GAME Group Feedback Sections f. If required, in the Audit Flow Setting section, set the audit-flow parameters. g. If you are configuring GAME group feedback[...]

  • Page 201

    9-79 Enable GAME Group Feedback To enable GAME group feedback: Step 1 On the External Posture Validation Audit Server Setup page, in the GAME Group Feedback section, check the Request Device Type fr[...]

  • Page 202

    9-80 – contains – starts-with – regular-expression • Device Type—Defines the comparison criteria for the User Group by using an operator and device type. Valid values for the device t[...]

  • Page 203

    GL-1 GLOSSARY A AAA Authentication, Authorization, and Accounting server. (Authentication, authorization, and accounting is pronounced "triple-A.") An AAA server is the central server that aggregates one or more authentication, authorization, or both decisions into a single system-[...]

  • Page 204

    GL-2 E EAP Extensible Authentication Protocol. Provides the ability to deploy RADIUS into Ethernet network environments. EAP is defined by Internet Engineering Task Force (IETF) RFC 2284 and the IEEE 802.1x standards. EAP-TLS Extensible Authentication Protocol-Transport La[...]

  • Page 205

    GL-3 N NAC Network Admission Control. NAC is a Cisco-sponsored industry initiative that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms. N [...]

  • Page 206

    GL-4 PEAP Protected Extensible Authentication Protocol. An 802.1x authentication type for wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on an Interne[...]

  • Page 207

    IN-1 INDEX Numerics 802.1x 2-2 A AAA clients 4-14 configuring RADIUS client 9-2 creating 4-15 deleting 4-15 updating 4-15 AAA server configuring 9-4 Access Control Entries See ACEs accessing Cisco Secure ACS how to 6-4, 9-2 URL 6-4, 9-2 access policy configuring 5-9 HTTP port allocation 5[...]

  • Page 208

    IN-2 separation from general users 2-18 Agentless Host for L2 (802.1x fallback) template 9-65 agentless host for L2 (802.1x fallback) template 9-65 agentless host support overview 6-1 summary of configuration steps 6-3 agentless request processing enabling 6-18 enabling for a NAP 6-20 [...]

  • Page 209

    IN-3 logging level 9-14 logs and reports 9-14 MAB 6-21 multiforest support for Active Directory 3-7 password lifetime options 5-6 password policy 5-4 RADIUS AAA client 6-5, 9-2 RSA Token Server support 3-8 session policy 5-7 shared secret for RADIUS key wrap 9-4 Syslog time format 3[...]

  • Page 210

    IN-4 configuring new features in ACS 4.2 3-2 EAP-TLS 2-3 specifying Certificate Binary Comparison for 7-6 specifying Certificate CN Comparison for 7-6 specifying certificate SAN comparison for 7-6 Edit Network Access Protocols page 6-19 enabling agentless request processing 6-18 agent[...]

  • Page 211

    IN-5 for MAB support 6-12 Lightweight Directory Access Protocol See LDAP logging configuring 9-14 enhanced features with ACS 4.2 3-5 logging level configuring 9-14 logs and reports configuring 9-14 M MAB configuring 6-21 configuring ACS user groups for MAB segments 6-17 configuring[...]

  • Page 212

    IN-6 reliability 2-19 P PAC disabling PAC processing in NAPs 3-3 Passed Authentication report enabling 9-15 password configuration Account Locked 5-4 Account Never Expires 5-4 password inactivity options 5-7 password lifetime options 5-6 password policy configuring 5-1, 5-4 incorr[...]

  • Page 213

    IN-7 purging Node Secret file purging 3-10 S Sarbanes-Oxley See SOX security certificate installing and setting up 9-5 security certificates adding a trusted certificate 7-4 copying to the ACS host 6-7, 7-2, 9-6 enabling 6-8, 7-3, 9-8 installing 6-6, 7-2, 9-6 using Windows Certifica[...]

  • Page 214

    IN-8 W warnings significance of x Windows Certificate Import Wizard 6-7, 7-2 wired LAN geographically dispersed 2-4 wired LAN access 2-2 wireless (NAC L2 802.1x) template 9-60 wireless access campus WLAN 2-6 large enterprise LAN 2-8 regional WLAN 2-7 simple WLAN 2-5 topology 2-5 wirele[...]