
Cisco Acs 57 User Guide


Page 61

21
Common Scenarios Using ACS
ACS and Cisco Security Group Access
Cisco AnyConnect VPN client 2.3 Series
MS VPN client
Related Topics
VPN Remote Network Access, page 19
Supported Authentication Protocols, page 19
Supported Identity Stores, page 20
Supported VPN Network Access Servers, page 20
Configuring VPN Remote Access Service, page 21
Configuring VPN Remote Access Service
To configure a VPN remote access service:
1. Configure the VPN protocols in the Allowed Protocols page of the default...

Page 62

Security is improved and device management is simplified since devices can be identified by their name rather than IP address.
Note: The Cisco Catalyst 6500 running Cisco IOS 12.2(33) SXI and DataCenter 3.0 (Nexus 7000) NX-OS 4.0.3 devices support Security Group Access. The Cisco Catalyst 6500 supports Security Group Tags (SGTs); however, it does not support Security Group Access Control Lists (SGACLs) in this release.
To configure...

Page 63

The location or device type can be used as a condition to configure an NDAC policy rule.
3. Click Submit.
Creating Security Groups
Security Group Access uses security groups for tagging packets at ingress to allow filtering later on at egress. The product of the security group is the security group tag, a 4-byte string ID that is sent to the network device. The web interface displays the decimal and hexadecimal representation. The SGT...

Page 64

The NDAC policy is a single service, and it contains a single policy with one or more rules. Since the same policy is used for setting responses for authentication, peer authorization, and environment requests, the same SGT is returned for all request types when they apply to the same device.
Note: You cannot add the NDAC policy as a service in the service selection policy; however, the NDAC policy is automatically applied to Security...

Page 65

6. In the Authentication Protocols area, check the relevant protocols for your access service.
7. Click Finish.
Creating an Endpoint Admission Control Policy
After you create a service, you configure the endpoint admission control policy. The endpoint admission control policy returns an SGT to the endpoint and an authorization profile. You can create multiple policies and configure the Default Rule policy. The defaults are Deny Access...

Page 66

RADIUS and TACACS+ Proxy Requests
To add an Egress policy and populate the Egress matrix:
1. Choose Access Policies > Security Group Access Control > Egress Policy.
The Egress matrix is visible. The security groups appear in the order in which you defined them.
2. Click on a cell and then click Edit.
3. Fill in the fields as required.
4. Select the set of SGACLs to apply to the cell and move the selected set to the Selected column.
The ACLs are used at the Egress point of the...

Page 67

ACS uses the service selection policy to differentiate between incoming authentication and accounting requests that must be handled locally and those that must be forwarded to a remote RADIUS or TACACS+ server.
When ACS receives a proxy request from the NAS, it forwards the request to the first remote RADIUS or TACACS+ server in its list. ACS processes the first valid or invalid response from the remote RADIUS server and does the...

Page 68

ACS waits about timeout * number of retries seconds on an unresponsive external RADIUS server before failing over to the next server in the list.
There could be several unresponsive servers in the list before the first responsive server is reached. In such cases, each request that is forwarded to a responsive external RADIUS server is delayed by number of previous unresponsive servers * timeout * number of retries seconds.
This delay can sometimes be...

Page 69

Called-Station-Id – Attribute Multiple NOT allowed:
On the access request:
Called-Station-Id NOT on the request
Attribute operation statement: 
Called-Station-Id ADD 1223
Result of the add attribute operation on the request forwarded to the server:
Called-Station-Id =1223
If the Called-Station-Id is on the original request, ACS does not perform the add operation in this example.
If multiple attributes are allowed, the add operation...

Page 70

Login-IP-Host=10.12.12.12
If the attribute is a cisco-avpair (pair of key=value), the update is done according to the key.
Example:
On the access request:
cisco-avpair = url-redirect=www.cisco.com
cisco-avpair = url-redirect=www.yahoo.com
cisco-avpair = cmd=show
Attribute operation statement:
cisco-avpair UPDATE new value:[url-redirect=www.google.com]
Result of the attribute operation on the request forwarded to the server:
cisco-avpair =...