Cisco ACS 5.7 User Guide
Post-Installation Configuration Tasks

Cisco Systems, Inc. www.cisco.com

This chapter provides a set of configuration tasks that you must perform to work with ACS. This chapter contains the following sections:

Configuring Minimal System Setup, page 1
Configuring ACS to Perform System Administration Tasks, page 1
Configuring ACS to Manage Access Policies, page 3
Configuring ACS to Monitor and Troubleshoot Problems in the Network, page 4

Configuring Minimal System Setup

Table 25 on page 1 lists the steps that you must follow for a minimal system setup to get ACS up and running quickly in a lab, evaluation, or demonstration environment.

Table 25 Minimal System Setup

Step 1: Add network devices.
  Drawer: Network Resources > Network Devices and AAA Clients
  Refer to: Creating, Duplicating, and Editing Network Devices, page 9.

Step 2: Add users.
  Drawer: Users and Identity Stores > Internal Identity Stores > Users
  Refer to: Creating Internal Users, page 13.

Step 3: Create authorization rules to permit or deny access.
  Drawer: Policy Elements > Authorization and Permissions
  Refer to: Managing Authorizations and Permissions, page 16.

Configuring ACS to Perform System Administration Tasks

Table 26 on page 2 lists the set of system administration tasks that you must perform to administer ACS.

Table 26 System Administration Tasks

Step 1: Install ACS license.
  Drawer: System Administration > Configuration > Licensing
  Refer to: Licensing Overview, page 36.

Step 2: Install system certificates.
  Drawer: System Administration > Configuration > Local Server Certificates > Local Certificates
  Refer to: Configuring Local Server Certificates, page 16.

Step 3: Configure password policy rules for administrators and users.
  Drawer:
    For administrators: System Administration > Administrators > Settings > Authentication
    For administrator access settings: System Administration > Administrators > Settings > Access
    For users: System Administration > Users > Authentication Settings
    For hosts: System Administration > Hosts > Authentication Settings
  Refer to:
    For administrators: Configuring Authentication Settings for Administrators, page 11.
    For administrator access settings: Configuring Administrator Access Settings, page 14.
    For users: Configuring Authentication Settings for Users, page 9.

Step 4: Add ACS administrators.
  Drawer: System Administration > Administrators > Accounts
  Refer to: Configuring System Administrators and Accounts, page 3.

Step 5: Configure primary and secondary ACS instances.
  Drawer: System Administration > Operations > Distributed System Management
  Refer to: Understanding Distributed Deployment, page 2.

Step 6: Configure logging.
  Drawer: System Administration > Configuration > Log Configuration
  Refer to: Configuring Local and Remote Log Storage, page 23.

Step 7: Add network devices.
  Drawer: Network Resources > Network Devices and AAA Clients
  Refer to: Creating, Duplicating, and Editing Network Devices, page 9.

Step 8: Add users or hosts to the internal identity store, or define external identity stores, or both.
  Drawer:
    For internal identity stores: Users and Identity Stores > Internal Identity Stores
    For external identity stores: Users and Identity Stores > External Identity Stores
  Refer to:
    For internal identity stores:
      Creating Internal Users, page 13.
      Creating Hosts in Identity Stores, page 22.
    For external identity stores:
      Creating External LDAP Identity Stores, page 33.
      Joining ACS to an AD Domain, page 62.
      Creating and Editing RSA SecurID Token Servers, page 71.
      Creating, Duplicating, and Editing RADIUS Identity Servers, page 78.

Step 9: Add end user certificates.
  Drawer: Users and Identity Stores > Certificate Authorities
  Refer to: Adding a Certificate Authority, page 84.

Step 10: Configure identity sequence.
  Drawer: Users and Identity Stores > Identity Store Sequences
  Refer to: Creating, Duplicating, and Editing Identity Store Sequences, page 91.

Configuring ACS to Manage Access Policies

Table 27 on page 4 lists the set of tasks that you must perform to manage access restrictions and permissions.

Table 27 Managing Access Policies

Step 1: Define policy conditions.
  Drawer: Policy Elements > Session Conditions
  Refer to: Managing Policy Conditions, page 1.

Step 2: Define authorization and permissions.
  Drawer: Policy Elements > Authorization and Permissions
  Refer to: Managing Authorizations and Permissions, page 16.

Step 3: Define access services and service selection policies.
  Drawer: Access Policies > Access Services
  Refer to:
    To configure access services: Configuring Access Services, page 10.
    To configure access service policies: Configuring Access Service Policies, page 22.
    To configure compound conditions: Configuring Compound Conditions, page 40.

Configuring ACS to Monitor and Troubleshoot Problems in the Network

Table 28 on page 4 lists a set of configuration tasks that you must perform to troubleshoot the Monitoring and Report Viewer.

Table 28 Monitoring and Troubleshooting Configuration

Step 1: Configure data purge and backup.
  Drawer: Monitoring Configuration > System Operations > Data Management > Removal and Backup
  Refer to: Configuring Data Purging and Incremental Backup, page 3.

Step 2: Specify e-mail settings.
  Drawer: Monitoring Configuration > System Configuration > Email Settings
  Refer to: Specifying E-Mail Settings, page 14.

Step 3: Configure collection filters.
  Drawer: Monitoring Configuration > System Configuration > Collection Filters
  Refer to: Understanding Collection Filters, page 17.

Step 4: Enable system alarms and specify how you would like to receive notification.
  Drawer: Monitoring Configuration > System Configuration > System Alarm Settings
  Refer to: Configuring System Alarm Settings, page 19.

Step 5: Define schedules and create threshold alarms.
  Drawer: Monitoring and Reports > Alarms
  Refer to:
    To configure schedules: Understanding Alarm Schedules, page 8.
    To create threshold alarms: Creating, Editing, and Duplicating Alarm Thresholds, page 10.

Step 6: Configure alarm syslog targets.
  Drawer: Monitoring Configuration > System Configuration > Alarm Syslog Targets
  Refer to: Configuring Alarm Syslog Targets, page 19.

Step 7: Configure remote database to export the Monitoring and Report Viewer data.
  Drawer: Monitoring Configuration > System Configuration > Remote Database Settings
  Refer to: Configuring Remote Database Settings, page 19.
Managing Network Resources

The Network Resources drawer defines elements within the network that issue requests to ACS or those that ACS interacts with as part of processing a request. This includes the network devices that issue the requests and external servers, such as a RADIUS server that is used as a RADIUS proxy. This drawer allows you to configure:

Network device groups—Logically groups the network devices, which you can then use in policy conditions.
Network devices—Definitions of all the network devices in the ACS device repository that access the ACS network.
Default network device—A default network device definition that ACS can use for RADIUS or TACACS+ requests when it does not find the device definition for a particular IP address.
External proxy servers—RADIUS servers that can be used as a RADIUS proxy.
OCSP services—Online Certificate Status Protocol (OCSP) services are used to check the status of X.509 digital certificates and can be used as an alternative to the certificate revocation list (CRL).

When ACS receives a request from a network device to access the network, it searches the network device repository to find an entry with a matching IP address. ACS then compares the shared secret with the secret retrieved from the network device definition. If they match, the network device groups that are associated with the network device are retrieved and can be used in policy decisions. See ACS 5.x Policy Model, page 1 for more information on policy decisions.

The Network Resources drawer contains:

Network Device Groups, page 1
Network Devices and AAA Clients, page 5
Configuring a Default Network Device, page 17
Working with External Proxy Servers, page 18
Working with OCSP Services, page 20

Network Device Groups

In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide a logical grouping of devices, for example, by Device Location or Type, which you can use in policy conditions. When ACS receives a request from a device, the network device groups associated with that device are retrieved and compared against those in the policy table. With this method, you can group multiple devices and assign them the same policies. For example, you can group all devices in a specific location together and assign the same policy to them.

The Device Group Hierarchy is the hierarchical structure that contains the network device groups. Two of these, Location and Device Type, are predefined; you can edit their names but you cannot delete them. You can add up to 6 additional hierarchies including the root.
An NDG relates to any node in the hierarchy and is the entity to which devices are associated. These nodes can be any node within the hierarchy, not just leaf nodes.

Note: You can have a maximum of six nodes in the NDG hierarchy, including the root node.

Related Topics
Creating, Duplicating, and Editing Network Device Groups, page 2
Deleting Network Device Groups, page 3

Creating, Duplicating, and Editing Network Device Groups

To create, duplicate, or edit a network device group:

1. Choose Network Resources > Network Device Groups. The Network Device Groups page appears. If you have defined additional network device groups, they appear in the left navigation pane, beneath the Network Device Groups option.
2. Do any of the following:
   Click Create.
   Check the check box next to the network device group that you want to duplicate, then click Duplicate.
   Click the network device group name that you want to modify, or check the check box next to the name and click Edit.
   The Hierarchy - General page appears.
3. Modify the fields in the Hierarchy - General page as described in Table 29 on page 2.
4. Click Submit. The network device group configuration is saved. The Network Device Groups page appears with the new network device group configuration.

Related Topics
Network Device Groups, page 1
Deleting Network Device Groups, page 3
Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy, page 3
Performing Bulk Operations for Network Resources and Users, page 7

Table 29 Device Groups - General Page Field Descriptions

Name: Enter a name for the network device group (NDG).
Description: (Optional) Enter a description for the NDG.
Root Node Name/Parent: Enter the name of the root node associated with the NDG. The NDG is structured as an inverted tree, and the root node is at the top of the tree. The root node name can be the same as the NDG name. The NDG name is displayed when you click an NDG in the Network Resources drawer.
Deleting Network Device Groups

To delete a network device group:

1. Choose Network Resources > Network Device Groups. The Network Device Groups page appears.
2. Check one or more check boxes next to the network device groups that you want to delete, and click Delete. The following error message appears:
   You have requested to delete a network device group. If this group is referenced from a Policy or a Policy Element then the delete will be prohibited. If this group is referenced from a network device definition, the network device will be modified to reference the root node name group.
3. Click OK. The Network Device Groups page appears without the deleted network device groups.

Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy

You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships for new, duplicated, or edited network device group nodes. You can also delete network device group nodes from a hierarchy.

To create, duplicate, or edit a network device group node within a hierarchy:

1. Choose Network Resources > Network Device Groups. The Network Device Groups page appears.
2. Click Location, Device Type, or another previously defined network device group in which you want to create a new network device group, and add it to the hierarchy of that group. The Network Device Group hierarchy page appears.
3. Do one of the following:
   Click Create. If you click Create when you have a group selected, the new group becomes a child of the parent group you selected. You can move a parent and all its children around in the hierarchy by clicking Select from the Create screen.
   Check the check box next to the network device group name that you want to duplicate, then click Duplicate.
   Click the network device group name that you want to modify, or check the check box next to the name and click Edit.
   The Device Group - General page appears.
4. Modify fields in the Device Groups - General page as shown in Table 30 on page 3.
5. Click Submit. The new configuration for the network device group is saved. The Network Device Groups hierarchy page appears with the new network device group configuration.

Table 30 Device Groups - General Page Field Descriptions

Name: Enter a name for the NDG.
Description: (Optional) Enter a description for the NDG.
Parent: Enter the name of the parent associated with the NDG. The NDG is structured as an inverted tree, and the parent name is the name of the top of the tree. Click Select to open the Groups dialog box from which you can select the appropriate parent for the group.

Related Topics
Network Device Groups, page 1
Deleting Network Device Groups, page 3
Creating, Duplicating, and Editing Network Device Groups, page 2
Performing Bulk Operations for Network Resources and Users, page 7

Deleting Network Device Groups from a Hierarchy

To delete a network device group from within a hierarchy:

1. Choose Network Resources > Network Device Groups. The Network Device Groups page appears.
2. Click Location, Device Type, or another previously defined network device group in which you want to edit a network device group node. The Network Device Groups node hierarchy page appears.
3. Select the nodes that you want to delete and click Delete. The following message appears:
   You have requested to delete a network device group. If this group is referenced from a Policy or a Policy Element then the delete will be prohibited. If this group is referenced from a network device definition, the network device will be modified to reference the root node name group.
4. Click OK. The network device group node is removed from the configuration. The Network Device Groups hierarchy page appears without the device group node that you deleted.

Note: The root node of a group cannot be deleted from the NDG hierarchy. If you try to do so, the following error message appears: Selected node can be removed only with a root group.
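As an added illustration of two behaviours this chapter describes, the request processing under Managing Network Resources (look up the device by IP address, compare the shared secret, then retrieve its NDGs) and the group-deletion rules under Deleting Network Device Groups (a policy reference blocks the delete, a root node cannot be deleted, and devices that referenced the group fall back to the root node group), here is a constructed Python model. It is not ACS code; the class, node names, IP address and secret are assumptions made up for the example, and how child nodes are treated on deletion is a stated assumption because the page does not say.

```python
import hmac

# Constructed model of the NDG repository behaviour this chapter describes; it is
# not ACS code, and every name and value used with it is made up for illustration.
class GroupReferencedByPolicy(Exception):
    """Deleting a group that a policy or policy element references is prohibited."""

class NdgRepository:
    def __init__(self, hierarchies=("Location", "Device Type")):
        self.parent = {h: None for h in hierarchies}  # node -> parent node (root: None)
        self.devices = {}          # IP address -> {"secret": str, "groups": {hierarchy: node}}
        self.policy_refs = set()   # nodes referenced from a policy or policy element

    def add_node(self, name, parent):
        self.parent[name] = parent  # any existing node can be a parent, not just a leaf

    def add_device(self, ip, secret, groups):
        self.devices[ip] = {"secret": secret, "groups": dict(groups)}

    def lookup(self, ip, presented_secret):
        """Return the device's NDGs if the IP is known and the shared secret matches, else None."""
        dev = self.devices.get(ip)
        if dev is None:
            return None
        # Constant-time comparison so a mismatch does not leak how many bytes matched.
        if not hmac.compare_digest(dev["secret"].encode(), presented_secret.encode()):
            return None
        return dict(dev["groups"])

    def delete_node(self, name):
        """Policy references block the delete, a root node cannot be deleted, and devices
        that referenced the deleted group fall back to the root node group."""
        if name in self.policy_refs:
            raise GroupReferencedByPolicy(name)
        if self.parent[name] is None:
            raise ValueError("Selected node can be removed only with a root group")
        root = name
        while self.parent[root] is not None:
            root = self.parent[root]
        # Model assumption (the page does not say): child nodes go with their parent.
        doomed = {name}
        while (more := {n for n, p in self.parent.items() if p in doomed} - doomed):
            doomed |= more
        for dev in self.devices.values():
            for hier, node in dev["groups"].items():
                if node in doomed:
                    dev["groups"][hier] = root
        for n in doomed:
            del self.parent[n]
```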