    Cisco Systems, Inc. www.cisco.com
    User Guide for Cisco Secure Access Control System 5.7
    Last Updated: 11/1/16
    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE 
    WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE 
    ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL 
    RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE 
    INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU 
    ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR 
    A COPY.
    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, 
    Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, 
    Regents of the University of California. 
    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE 
    PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED 
    OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
    NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL 
    DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR 
    INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH 
    DAMAGES.
    Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
    www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship
    between Cisco and any other company. (1110R) 
    Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command 
    display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in 
    illustrative content is unintentional and coincidental.
    © 2015 Cisco Systems, Inc. All rights reserved. 
    Preface
    Revised: November 1, 2016
    This guide describes how to use Cisco Secure Access Control System (ACS) 5.7.
    Audience
    This guide is for security administrators who use ACS, and who set up and maintain network and application security.
    Document Conventions
    This guide uses the convention whereby the symbol ^ represents the key labeled Control. For example, the key 
    combination ^z means hold down the Control key while you press the z key. 
    Command descriptions use these conventions:
    Examples that contain system prompts denote interactive sessions, indicating the commands that you should enter 
    at the prompt. The system prompt indicates the current level of the EXEC command interpreter. For example, the 
    prompt Router> indicates that you should be at the user level, and the prompt Router# indicates that you should be 
    at the privileged level. Access to the privileged level usually requires a password.
    Commands and keywords are in boldface font.
    Arguments for which you supply values are in italic font.
    Elements in square brackets ([ ]) are optional.
    Alternative keywords of which you must choose one are grouped in braces ({}) and separated by vertical bars (|).
    Examples use these conventions:
    Terminal sessions and sample console screen displays are in screen font.
    Information you enter is in boldface screen font.
    Nonprinting characters, such as passwords, are in angle brackets (< >).
    Default responses to system prompts are in square brackets ([]).
    An exclamation point (!) at the beginning of a line indicates a comment line.
    Caution: Means reader be careful. You are capable of doing something that might result in equipment damage or 
    loss of data.
    Note: Means the described action saves time. You can save time by performing the action described in the paragraph.
    Note: Means reader take note. Notes identify important information that you should reflect upon before continuing, 
    contain helpful suggestions, or provide references to materials not contained in the document. 
    Documentation Updates
    Table 1 on page 2 lists the updates to the User Guide for Cisco Secure Access Control System 5.7.
    Related Documentation
    Table 2 on page 2 lists a set of related technical documentation available on Cisco.com. To find end-user documentation 
    for all products on Cisco.com, go to: http://www.cisco.com/go/techdocs.
    Select Products > Security > Access Control and Policy > Policy and Access Management > Cisco Secure Access 
    Control System.
    Note: It is possible for the printed and electronic documentation to be updated after original publication. Therefore, you 
    should also review the documentation on http://www.cisco.com for any updates.
    Obtaining Documentation and Submitting a Service Request
    For information on obtaining documentation, submitting a service request, and gathering additional information, see the 
    monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical 
    documentation, at:
    http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
    Table 1 Updates to the User Guide for Cisco Secure Access Control System 5.7
    Date | Description
    05/12/2015 | Cisco Secure Access Control System, Release 5.7.
    Table 2 Product Documentation
    Document Title | Available Formats
    Cisco Secure Access Control System In-Box Documentation and China RoHS Pointer Card | http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-documentation-roadmaps-list.html
    Migration Guide for Cisco Secure Access Control System 5.7 | http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-installation-guides-list.html
    CLI Reference Guide for Cisco Secure Access Control System 5.7 | http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-command-reference-list.html
    Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.7 | http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-device-support-tables-list.html
    Installation and Upgrade Guide for Cisco Secure Access Control System 5.7 | http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-installation-guides-list.html
    Release Notes for Cisco Secure Access Control System 5.7 | http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-release-notes-list.html
    Software Developer’s Guide for Cisco Secure Access Control System 5.7 | http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-programming-reference-guides-list.html
    Regulatory Compliance and Safety Information for Cisco Secure Access Control System | http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/regulatory/compliance/csacsrcsi.html
    Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content 
    to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently 
    supports RSS version 2.0.  
    Introducing ACS 5.7
    This section contains the following topics:
    Overview of ACS, page 1
    ACS Distributed Deployment, page 2
    ACS Management Interfaces, page 3
    Overview of ACS
    ACS is a policy-based security server that provides standards-compliant Authentication, Authorization, and Accounting 
    (AAA) services to your network. ACS facilitates the administrative management of Cisco and non-Cisco devices and 
    applications. 
    As a dominant enterprise network access control platform, ACS serves as an integration point for network access control 
    and identity management.
    ACS 5.x provides a rule-based policy model that allows you to control network access based on dynamic conditions and 
    attributes. The rule-based policy is designed to meet complex access policy needs. For more information on the 
    rule-based policy model in ACS, see ACS 5.x Policy Model, page 1.
    Within the greater context of two major AAA protocols—RADIUS and TACACS+—ACS provides the following basic areas 
    of functionality:
    Under the framework of the RADIUS protocol, ACS controls the wired and wireless access by users and host 
    machines to the network and manages the accounting of the network resources used. 
    ACS supports multiple RADIUS-based authentication methods, including PAP, CHAP, MSCHAPv1, and MSCHAPv2. It 
    also supports many members of the EAP family of protocols, such as EAP-MD5, LEAP, PEAP, EAP-FAST, and 
    EAP-TLS. 
    In association with PEAP or EAP-FAST, ACS also supports EAP-MSCHAPv2, EAP-GTC, and EAP-TLS. For more 
    information on authentication methods, see Authentication in ACS 5.7. 
    Under the framework of the TACACS+ protocol, ACS helps to manage Cisco and non-Cisco network devices such 
    as switches, wireless access points, routers, and gateways. It also helps to manage services and entities such as 
    dialup, Virtual Private Network (VPN), and firewall.
    ACS is the point in your network that identifies users and devices that try to connect to your network. This identity 
    establishment can occur directly by using the ACS internal identity repository for local user authentication or by using 
    external identity repositories. 
    For example, ACS can use Active Directory as an external identity repository to authenticate a user before granting the 
    user access to the network. For more information about creating identities and supported identity services, see Managing 
    Users and Identity Stores, page 1.
    ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS 
    deployments. For more information on the monitoring, reporting, and troubleshooting capabilities of ACS, see Monitoring 
    and Reporting in ACS, page 1. 
    For more information about using ACS for device administration and network access scenarios, see Common Scenarios 
    Using ACS, page 1.
    Cisco Secure ACS:
    Enforces access policies for VPN and wireless users.
    Provides simplified device administration.
    Provides advanced monitoring, reporting, and troubleshooting tools.
    There are several changes and enhancements in ACS 5.7 compared to ACS 5.6. For a complete list of new and changed 
    features, see Release Notes for Cisco Secure Access Control System 5.7.
    Related Topics
    ACS Distributed Deployment, page 2
    ACS Management Interfaces, page 3
    ACS Distributed Deployment
    ACS 5.7 is delivered preinstalled on a standard Cisco Linux-based appliance, and supports a fully distributed 
    deployment.
    An ACS deployment can consist of a single instance, or multiple instances deployed in a distributed manner, where all 
    instances in a system are managed centrally. One ACS instance becomes the primary instance and you can register 
    additional ACS instances to the primary instance as secondary instances. All instances have the configuration for the 
    entire deployment, which provides redundancy for configuration data. 
    The primary instance centralizes the configuration of the instances in the deployment. Configuration changes made in 
    the primary instance are automatically replicated to the secondary instance. 
    You can force a full replication to the secondary instance. Full replication is used when a new secondary instance is 
    registered and in other cases when the replication gap between the secondary instance and the primary instance is 
    significant.
    Related Topic
    ACS 4.x and 5.7 Replication, page 2
    ACS 4.x and 5.7 Replication
    In ACS 4.x, you must select the database object types (or classes) you wish to replicate from primary instance to the 
    secondary instance. When you replicate an object, a complete configuration copy is made on the secondary instance. 
    In ACS 5.7, any configuration changes made in the primary instance are immediately replicated to the secondary 
    instance. Only the configuration changes made since the last replication are propagated to the secondary instance. 
    ACS 4.x did not provide incremental replication, only full replication, and there was service downtime for replication. ACS 
    5.7 provides incremental replications with no service downtime. 
    You can also force a full replication to the secondary instance if configuration changes are not being replicated. Full 
    replication is used when a new secondary instance is registered and in other cases when the replication gap between the 
    secondary instance and the primary instance is significant.
    Table 1 on page 3 lists some of the differences between ACS 4.x and 5.7 replication. 
    For more information about setting up a distributed deployment, see Configuring System Operations, page 1.
    Note: Replication does not work in ACS servers if you use the Cisco Overlay Transport Virtualization technology in your 
    Virtual Local Area Network.
    Note: Network Address Translation (NAT) is not supported in an ACS distributed deployment environment. That is, if the 
    network address of a primary or secondary instance is translated, then the database replication may not work properly, 
    and it may display a shared secret mismatch error. 
    ACS Licensing Model
    You must have a valid license to operate ACS; ACS prompts you to install a valid base license when you first access the 
    web interface. Each server requires a unique base license in a distributed deployment.
    For information about the types of licenses you can install, see Types of Licenses, page 37. For more information about 
    licenses, see Licensing Overview, page 36.
    Related Topic
    ACS Distributed Deployment, page 2
    ACS Management Interfaces
    This section contains the following topics:
    ACS Web-Based Interface, page 3
    ACS Command-Line Interface, page 4
    ACS Programmatic Interfaces, page 5
    ACS Web-Based Interface
    You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting 
    operations. The web interface provides a consistent user experience, regardless of the particular area that you are 
    configuring. 
    The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer and Mozilla Firefox browsers. For 
    more information on supported browser versions, see Release Notes for Cisco Secure Access Control System 5.7.
    Table 1 Differences Between ACS 4.x and 5.6 Replication
    ACS 4.x | ACS 5.7
    You can choose the data items to be replicated. | You cannot choose the data items to be replicated. All data items, by default, are replicated.
    Supports multi-level or cascading replication. | Supports only a fixed flat replication. Cascading replication is not supported.
    Some data items, such as the external database configurations, are not replicated. | All data items are replicated except the database key, database certificate, and master keys. The server certificates, Certificate Signing Requests (CSRs), and private keys are replicated, but they are not shown in the interface.
    The new web interface design and organization:
    Reflects the new policy model, which is organized around the user’s view of policy administration. The new policy 
    model is easier to use, as it separates the complex interrelationships that previously existed among policy elements. 
    For example, user groups, network device groups (NDGs), network access filters, network access profiles, and so 
    on.
    Presents the configuration tasks in a logical order that you can follow for many common scenarios.
    For example, first you configure conditions and authorizations for policies in the Policy Elements drawer, and then 
    you move on to the Policies drawer to configure the policies with the defined policy elements. 
    Provides new page functionality, such as sorting and filtering lists of items.
    See Using the Web Interface, page 3 for more information.
    Note: ACS does not support the forward, back, and refresh options that are available in the browser. The ACS web interface 
    does not return any data when you click any of these three options. You need to log out and log in again to resume working in 
    ACS.
    Note: The ACS web interface does not support a few special characters, which you cannot enter manually in the web interface. 
    Therefore, it is not recommended to copy and paste special characters that are not supported by the ACS web interface 
    into certain fields.
    Related Topics
    ACS Command-Line Interface, page 4
    ACS Command-Line Interface
    You can use the ACS command-line interface (CLI), a text-based interface, to perform some configuration and 
    operational tasks and monitoring. Access to the ACS-specific CLI requires administrator authentication by ACS 5.7. 
    You do not need to be an ACS administrator or log in to ACS 5.7 to use the non-ACS configuration mode. ACS 
    configuration mode command sessions are logged to the diagnostics logs.
    ACS 5.7 is shipped on the Cisco 1121 Secure Access Control System (CSACS-1121) or on the Cisco SNS 3415 
    appliance. The ADE-OS software supports the following command modes:
    EXEC—Use EXEC mode commands to perform system-level operation tasks. For example, install, start, and stop an 
    application; copy files and installations; restore backups; and display information. 
    In addition, certain EXEC mode commands have ACS-specific abilities. For example, start an ACS instance (acs 
    start), display and export ACS logs, and reset an ACS configuration to factory default settings (application 
    reset-config acs). Such commands are specifically mentioned in the documentation. 
    ACS configuration—Use these commands to set the debug log level (enable or disable) for the ACS management 
    and runtime components and to show system settings. 
    Configuration—Use these commands to perform additional configuration tasks for the appliance server in an ADE-OS 
    environment.
    Note: The CLI includes an option to reset the configuration, which, when issued, resets all ACS configuration information, 
    but retains the appliance settings such as network configuration. 
    For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control 
    System 5.7.
    Related Topic
    ACS Web-Based Interface, page 3 