Cisco Acs 57 User Guide
Page 171
4 Managing Users and Identity Stores Managing External Identity Stores ACS introduces a new tab called Deployment Configuration to configure different LDAP server hostnames for every ACS instance. After saving the configuration in Deployment Configuration page, the LDAP server hostnames are auto-populated in the Server Connection page. This configuration can be performed only from the primary ACS instance in a deployment. From the secondary ACS instance, you can only view the details of the LDAP...
Page 172
To delete an external LDAP identity store: 1. Choose Users and Identity Stores > External Identity Stores > LDAP. The LDAP Identity Stores page appears, with a list of your configured external identity stores. 2. Check one or more check boxes next to the external identity stores you want to delete. 3. Click Delete. The following error message appears: Are you sure you want to delete the selected item/items? 4. Click OK. The External...
Page 173
For example, the object can be a user and the name of the object could either be the username or the user’s DN. 4. Complete the fields as described in Table 45 on page 43. 5. Click Add and the information you entered is added to the fields on the screen. The attributes listed here are available for policy conditions. 6. Click Submit to save your changes. Configuring LDAP Deployments Use this page to view the external LDAP...
Page 174
5. Click Add and the information you entered is added to the fields on the screen. The attributes listed here are available for policy conditions. 6. Click Submit to save your changes. Leveraging Cisco NAC Profiler as an External MAB Database ACS communicates with Cisco NAC Profiler to enable non-802.1X-capable devices to authenticate in 802.1X-enabled networks. Endpoints that are unable to authenticate through 802.1X use the MAC...
Page 175
Configure NAC Profiler in ACS. See Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy, page 46. Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS Note: Before you can enable the LDAP interface on the NAC Profiler, ensure that you have set up your NAC Profiler with the NAC Profiler Collector. For more information on configuring Cisco NAC Profiler, refer to the Cisco NAC Profiler...
Page 176
You must enable the endpoint profiles that you want to authenticate against the Cisco NAC Profiler. For information on how to do this, see Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication, page 46. For proper Active Response Events you need to configure Active Response Delay time from your Cisco NAC Profiler UI. For this, choose Configuration > NAC Profiler Modules >...
Page 177
The steps below describe how to configure the host information, verify the connection, and use the profile database in policies. Note: Make sure that ACS NAC Profiler is chosen under Access Policies > Access Services > Default Network Access > Identity. Note: The NAC Profiler template in ACS, available under the LDAP external identity store, works with Cisco NAC Profiler version 2.1.8 and later. To edit the NAC Profiler template...
Page 178
4. In the Primary Server Hostname field, enter the IP address or fully qualified domain name of the Profiler Server, or the Service IP of the Profiler pair if Profiler is configured for High Availability. 5. Click Test Bind to Server to test the connection and verify ACS can communicate with Profiler through LDAP. A small popup dialog, similar to the one shown in Figure 21 on page 48, appears. Figure 21 Test Bind to Server Dialog...
Page 179
Figure 23 Test Configuration Dialog Box Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for Profiler). After the Profiler receives initial SNMP trap information from the switch, Profiler can poll the switch using SNMP to gather MIB (Management Information Base) information about the switch as well as the connecting endpoint. After the Profiler...
Page 180
Troubleshooting MAB Authentication with Profiler Integration To troubleshoot MAB authentication while integrating with NAC Profiler and to verify that the endpoint is successfully authenticated, complete the following steps: 1. Run the following command on the switch that is connected to the endpoint devices: ACCESS-Switch# show authentication sessions The following output is displayed: Interface MAC Address Method Domain...