Cisco ACS 5.7 User Guide
3 Managing Users and Identity Stores
Managing External Identity Stores

If you set failover settings and the first LDAP server that ACS attempts to contact cannot be reached, ACS always attempts to contact the other LDAP server. The first server ACS attempts to contact might not always be the primary LDAP server. Instead, the first LDAP server that ACS attempts to contact depends on the previous LDAP authentication attempts and on the value that you enter in the Failback Retry Delay box.

LDAP Connection Management

ACS 5.7 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.

ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened. If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory and tries to renew the connection. After the authentication process is complete, the connection manager releases the connection back to the pool.

Authenticating a User Using a Bind Connection

ACS sends a bind request to authenticate the user against an LDAP server. The bind request contains the user's DN and user password in clear text. A user is authenticated when the user's DN and password match the username and password in the LDAP directory.
Authentication Errors—ACS logs authentication errors in the ACS log files.

Initialization Errors—Use the LDAP server timeout settings to configure the number of seconds that ACS waits for a response from an LDAP server before determining that the connection or authentication on that server has failed. Possible reasons for an LDAP server to return an initialization error are:
—LDAP is not supported.
—The server is down.
—The server is out of memory.
—The user has no privileges.
—Incorrect administrator credentials are configured.

Bind Errors—Possible reasons for an LDAP server to return bind (authentication) errors are:
—Filtering errors—A search using filter criteria fails.
—Parameter errors—Invalid parameters were entered.
—User account is restricted (disabled, locked out, expired, password expired, and so on).

The following errors are logged as external resource errors, indicating a possible problem with the LDAP server:
—A connection error occurred.
—The timeout expired.
—The server is down.
—The server is out of memory.

The following error is logged as an Unknown User error:
—A user does not exist in the database.

The following error is logged as an Invalid Password error, where the user exists but the password sent is invalid:
—An invalid password was entered.

Group Membership Information Retrieval

For user authentication, user lookup, and MAC address lookup, ACS must retrieve the group membership information from LDAP databases. LDAP servers represent the association between a subject (a user or a host) and a group in one of the following two ways:

Groups Refer to Subjects—The group objects contain an attribute that specifies the subject. Identifiers for subjects can be stored in the group as:
—Distinguished Names (DNs)
—Plain usernames

Subjects Refer to Groups—The subject objects contain an attribute that specifies the group they belong to.

LDAP identity stores contain the following parameters for group membership information retrieval:

Reference Direction—Specifies the method to use when determining group membership (either Groups to Subjects or Subjects to Groups).
Group Map Attribute—Indicates which attribute contains the group membership information.
Group Name Attribute—Indicates which attribute contains the group name information.
Group Object Class—Determines which objects are recognized as groups.
Group Search Subtree—Indicates the search base for group searches.
Member Type Option—Specifies how members are stored in the group member attribute (either as DNs or plain usernames).

Attributes Retrieval

For user authentication, user lookup, and MAC address lookup, ACS must retrieve the subject attributes from LDAP databases. For each instance of an LDAP identity store, an identity store dictionary is created.
These dictionaries support attributes of the following data types:
—String
—Integer 64
—IP Address (This can be either an IP version 4 [IPv4] or IP version 6 [IPv6] address.)
—Unsigned Integer 32
—Boolean
For unsigned integers and IP address attributes, ACS converts the strings that it has retrieved to the corresponding data types. If conversion fails, or if no values are retrieved for the attributes, ACS logs a debug message but does not fail the authentication or the lookup process. You can optionally configure default values for the attributes that ACS can use when the conversion fails or when ACS does not retrieve any values for the attributes.

Certificate Retrieval

If you have configured certificate retrieval as part of user lookup, then ACS must retrieve the value of the certificate attribute from LDAP. To do this, you must have configured the certificate attribute in the List of attributes to fetch while configuring an LDAP identity store.

LDAP Server Identity Check

Background

This feature prevents spoofing attacks when Cisco ACS performs user authentication or authorization against an LDAP server (in IPv4). An LDAP server can be spoofed if an attacker establishes a rogue LDAP server using a real LDAP server IP address (which can be achieved by another attack on the network) and can get a valid LDAP server certificate issued by the same CA. ACS is required to perform identity verification on the LDAP server's certificate according to RFC 4513—Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms.

Feature Overview

ACS matches the data retrieved from the LDAP server’s certificate (usually found in the X.509 SAN section; otherwise it is in the CN section) against the data configured by the ACS administrator about that server. Once this authentication check succeeds, the LDAP connection is established; otherwise ACS discontinues the connection.

The hostname data in the LDAP server’s certificate may be in one of the following formats:
—IP address
—DNS
—DNS using the wildcard character “*”

In the first two cases, the matching is straightforward. If the wildcard character is detected, ACS performs two sanity checks to verify that:
—The reconstructed address is of the correct length.
—The reconstructed address has a “.” immediately after the wildcard character.

Creating External LDAP Identity Stores

Note: Configuring an LDAP identity store for ACS has no effect on the configuration of the LDAP database. ACS recognizes the LDAP database, enabling the database to be authenticated against. To manage your LDAP database, see your LDAP database documentation.

When you create an LDAP identity store, ACS also creates:
—A new dictionary for that store with two attributes, ExternalGroups and IdentityDn.
—A custom condition for group mapping from the ExternalGroup attribute; the condition name has the format LDAP:ID-store-name ExternalGroups.
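The certificate-name matching described under LDAP Server Identity Check above, worked through as an added Python example (not ACS code and not taken from this guide): it compares the administrator-configured server name with the certificate's SAN entries, falls back to the CN when no SAN is present, and applies the two wildcard sanity checks the guide names. The SAN values and server names are constructed samples, and treating the wildcard as standing for exactly one DNS label is this example's assumption about how the "correct length" check is meant.

```python
import ipaddress

def _normalize(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()

def _match_wildcard(pattern, hostname):
    """Match a certificate name that begins with the wildcard character "*".

    Applies the two sanity checks the guide lists: a "." must immediately
    follow the wildcard, and substituting the real label for the "*" must
    reconstruct a name of exactly the configured hostname's length.  The
    wildcard therefore stands for one non-empty label, never several
    (assumption of this example).
    """
    if not pattern.startswith("*"):
        return False
    if len(pattern) < 2 or pattern[1] != ".":
        return False                      # sanity check: "." right after "*"
    suffix = pattern[1:]                  # e.g. ".ldap.example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: len(hostname) - len(suffix)]
    if not label or "." in label:
        return False                      # "*" must cover exactly one label
    reconstructed = label + suffix        # sanity check: correct length
    return len(reconstructed) == len(hostname) and reconstructed == hostname

def hostname_matches(configured_server, san_entries, cn):
    """Return True when the certificate identifies the configured LDAP server.

    configured_server: hostname or IP address entered by the ACS administrator.
    san_entries: list of (type, value) pairs from the X.509 SAN extension,
        type being "DNS" or "IP".
    cn: subject CN, consulted only when the certificate carries no SAN.
    """
    try:
        target_ip = ipaddress.ip_address(configured_server)
    except ValueError:
        target_ip = None
    target = _normalize(configured_server)
    candidates = san_entries if san_entries else [("CN", cn)]
    for kind, value in candidates:
        if target_ip is not None:
            # Server configured by address: only an identical address matches,
            # whether it came from an iPAddress SAN or was written in the CN.
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                pass
            continue
        if kind == "IP":
            continue                      # an address never matches a DNS name
        pattern = _normalize(value)
        if pattern == target or _match_wildcard(pattern, target):
            return True
    return False

# Constructed sample certificate identity, not taken from any real server.
SAMPLE_SAN = [("DNS", "*.ldap.example.com"), ("IP", "192.0.2.10")]

if __name__ == "__main__":
    for server in ("dc1.ldap.example.com", "a.b.ldap.example.com", "192.0.2.10"):
        print(server, hostname_matches(server, SAMPLE_SAN, cn="ignored"))
```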
You can edit the predefined condition name, and you can create a custom condition from the IdentityDn attribute in the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 5.

To create, duplicate, or edit an external LDAP identity store:

1. Choose Users and Identity Stores > External Identity Stores > LDAP.
   The LDAP Identity Stores page appears.

2. Click Create. You can also:
   —Check the check box next to the identity store that you want to duplicate, and then click Duplicate.
   —Click the identity store name that you want to modify, or check the box next to the name and click Edit.

   If you are creating an identity store, the first page of a wizard appears: General.
   If you are duplicating an identity store, the External Identity Stores > Duplicate: id-store page General tab appears, where id-store is the name of the external identity store that you chose.
   If you are editing an identity store, the External Identity Stores > Edit: id-store page General tab appears, where id-store is the name of the external identity store that you chose.

3. Complete the Name and Description fields as required.

4. Check the Enable Password Change check box to modify the password, to detect the password expiration, and to reset the password.

5. Click Next.

6. Continue with Configuring an External LDAP Server Connection, page 34.

Note: A NAC guest server can also be used as an external LDAP server. For the procedure to use a NAC guest server as an external LDAP server, see: http://www.cisco.com/c/en/us/td/docs/security/nac/guestserver/configuration_guide/20/nacguestserver/g_guestpol.html

Related Topic

Deleting External LDAP Identity Stores, page 41

Configuring an External LDAP Server Connection

Use the LDAP page to configure an external LDAP identity store.

1. Choose Users and Identity Stores > External Identity Stores > LDAP, and then click any of the following:
   —Create and follow the wizard.
   —Duplicate and then Next. The Server Connection page appears.
   —Edit, and then Next. The Server Connection page appears.
Table 43 LDAP: Server Connection Page

Option: Description

Server Connection

Enable Secondary Server
   Check to enable the secondary LDAP server, which is used as a backup in the event that the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.

Always Access Primary Server First
   Click to ensure that the primary LDAP server is accessed first, before the secondary LDAP server is accessed.

Failback to Primary Server After min. Minutes
   Click to set the number of minutes that ACS authenticates using the secondary LDAP server if the primary server cannot be reached, where min. is the number of minutes. After this time period, ACS reattempts authentication using the primary LDAP server. (Default is 5.)

Enable Deployment Configuration
   Check to enable the deployment configuration tab. The primary and secondary hostname fields in the server connection page become read-only fields when you enable the deployment configuration. You need to configure the primary and secondary LDAP server hostname details in the deployment configuration page; the hostname details of the current ACS will appear in the server connection page after saving it. If you check the Enable Secondary Server check box after configuring the primary LDAP server hostname in the deployment configuration page, the mandatory fields such as port number, server timeout, and maximum admin connections are set to zero. You need to fill in these fields with an appropriate value.

Primary Server

Hostname
   Enter the IP address or DNS name of the machine that is running the primary LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).

Port
   Enter the TCP/IP port number on which the primary LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by referring to the administrator of the LDAP server.

Anonymous Access
   Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured accessible to any unauthenticated client. In the absence of specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.

Authenticated Access
   Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.

Admin DN
   Enter the distinguished name of the administrator; that is, the LDAP account which, if bound to, permits searching all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users that LDAP authenticates.

Password
   Enter the LDAP administrator account password.

Use Secure Authentication
   Click to use Secure Sockets Layer (SSL) to encrypt communication between ACS and the primary LDAP server. Verify the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must select a root CA.

Check Server Identity
   Check this check box to allow ACS to perform the server identity check while establishing connection with the LDAP server.

Root CA
   Select a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate.

Server Timeout Seconds
   Enter the number of seconds that ACS waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 300. (Default = 10.)

Max Admin Connections
   Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and Group Directory Subtree. Valid values are 1 to 99. (Default = 8.)

Test Bind To Server
   Click to test and ensure that the primary LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

Secondary Server

Hostname
   Enter the IP address or DNS name of the machine that is running the secondary LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).

Port
   Enter the TCP/IP port number on which the secondary LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing DS Properties on the LDAP machine.

Anonymous Access
   Click to verify that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client to access (read and update) any data that is configured to be accessible to any unauthenticated client. In the absence of specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.

Authenticated Access
   Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.

Admin DN
   Enter the distinguished name of the administrator; that is, the LDAP account which, if bound to, permits searching for all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users that LDAP authenticates.

Password
   Type the LDAP administrator account password.

Use Secure Authentication
   Click to use Secure Sockets Layer (SSL) to encrypt communication between ACS and the secondary LDAP server. Verify the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must select a root CA.

Check Server Identity
   Check this check box to allow ACS to perform the server identity check while establishing connection with the LDAP server.

Root CA
   Select a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate.

Server Timeout Seconds
   Type the number of seconds that ACS waits for a response from the secondary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 300. (Default = 10.)

Max Admin Connections
   Type the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and Group Directory Subtree. Valid values are 1 to 99. (Default = 8.)

Test Bind To Server
   Click to test and ensure that the secondary LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

2. Click Next.

3. Continue with Configuring External LDAP Directory Organization, page 37.

Configuring External LDAP Directory Organization

Use this page to configure an external LDAP identity store.

1. Choose Users and Identity Stores > External Identity Stores > LDAP, then click any of the following:
   —Create and follow the wizard until you reach the Directory Organization page.
   —Duplicate, then click Next until the Directory Organization page appears.
   —Edit, then click Next until the Directory Organization page appears.
Table 44 LDAP: Directory Organization Page

Option: Description

Schema

Subject Object class
   Value of the LDAP objectClass attribute that identifies the subject. Often, subject records have several values for the objectClass attribute, some of which are unique to the subject, some of which are shared with other object types. This box should contain a value that is not shared. Valid values are from 1 to 20 characters and must be a valid LDAP object type. This parameter can contain any UTF-8 characters. (Default = Person.)

Group Object class
   Enter the group object class that you want to use in searches that identify objects as groups. (Default = GroupOfUniqueNames.)

Subject Name Attribute
   Name of the attribute in the subject record that contains the subject name. You can obtain this attribute name from your directory server. This attribute specifies the subject name in the LDAP schema. You use this attribute to construct queries to search for subject objects. For more information, refer to the LDAP database documentation. Valid values are from 1 to 20 characters and must be a valid LDAP attribute. This parameter can contain any UTF-8 characters. Common values are uid and CN. (Default = uid.)

Group Map Attribute
   For user authentication, user lookup, and MAC address lookup, ACS must retrieve group membership information from LDAP databases. LDAP servers represent an association between a subject (a user or a host) and a group in one of the following two ways:
   —Groups refer to subjects
   —Subjects refer to groups
   The Group Map Attribute contains the mapping information. You must enter the attribute that contains the mapping information: an attribute in either the subject or the group, depending on the reference direction:
   —If you select the Subject Objects Contain Reference To Groups radio button, enter a subject attribute.
   —If you select the Group Objects Contain Reference To Subjects radio button, enter a group attribute.

Group Name Attribute
   Name of the attribute in the group record that contains the group name. You can obtain this attribute name from your directory server. This attribute specifies the group name in the LDAP schema. You use this attribute to construct queries to search for group objects. For more information, refer to the LDAP database documentation. Common values are DN and CN. (Default = DN.)

Certificate Attribute
   Enter the attribute that contains certificate definitions. These definitions can optionally be used to validate certificates presented by clients when defined as part of a certificate authentication profile. In such cases, a binary comparison is performed between the client certificate and the certificate retrieved from the LDAP identity store.

Subject Objects Contain Reference To Groups
   Click if the subject objects contain a reference to groups.

Group Objects Contain Reference To Subjects
   Click if the group objects contain a reference to subjects.
Subjects In Groups Are Stored In Member Attribute As
   Use the drop-down list box to indicate if the subjects in groups are stored in member attributes as either:
   —Username
   —Distinguished name

Directory Structure

Subject Search Base
   Enter the distinguished name (DN) for the subtree that contains all subjects. For example:
   o=corporation.com
   If the tree containing subjects is the base DN, enter:
   o=corporation.com
   or
   dc=corporation,dc=com
   as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Group Search Base
   Enter the distinguished name (DN) for the subtree that contains all groups. For example:
   ou=organizational unit[,ou=next organizational unit]o=corporation.com
   If the tree containing groups is the base DN, type:
   o=corporation.com
   or
   dc=corporation,dc=com
   as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Test Configuration
   Click to obtain the expected connection and schema results by counting the number of users and groups that may result from your configuration.

Username Prefix\Suffix Stripping

Strip start of subject name up to the last occurrence of the separator
   Enter the appropriate text to remove domain prefixes from usernames. If, in the username, ACS finds the delimiter character that is specified in the start_string box, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the start_string box, ACS strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\echamberlain, ACS submits echamberlain to an LDAP server.
   The start_string box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote (“), the asterisk (*), the right angle bracket (>), and the left angle bracket (<).
Strip end of subject name from the first occurrence of the separator
   Enter the appropriate text to remove domain suffixes from usernames. If, in the username, ACS finds the delimiter character that is specified in the end_string box, it strips all characters from the delimiter character through the end of the username. If the username contains more than one of the characters specified in the end_string box, ACS strips characters starting with the first occurrence of the delimiter character. For example, if the delimiter character is the at symbol (@) and the username is jwiedman@domain, then ACS submits jwiedman to an LDAP server.
   The end_string box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<).

2. Click Next. Continue with Configuring LDAP Hostnames in Deployment Configuration, page 40.

Related Topics

Configuring LDAP Groups, page 42
Deleting External LDAP Identity Stores, page 41

Configuring LDAP Hostnames in Deployment Configuration

ACS 5.7 supports configuring different LDAP hostnames for different ACS instances in your deployment. Configuring all ACS instances in your deployment to communicate with a single LDAP server may affect the performance of that LDAP server. Also, if your LDAP servers are deployed in different locations, you can configure each ACS instance with the LDAP server that is deployed geographically closer to it. This type of configuration results in better response time. Therefore, to manage the load and increase the performance level, configure the deployment so that different ACS instances communicate with different LDAP servers, preferably with the LDAP server deployed in your local geographical location.
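How the Directory Organization options in Table 44 and the Username Prefix\Suffix Stripping rules fit together with the two reference directions described under Group Membership Information Retrieval, as an added Python example (not ACS code and not part of this guide): it applies the stripping rules to a login name, builds the subject search, and shows the group lookup each reference direction produces. Object classes, attribute names, DNs and separators are constructed sample settings, and the RFC 4515 escaping of filter values is this example's own defensive addition so that a login name cannot change the filter structure.

```python
from dataclasses import dataclass

DISALLOWED_SEPARATOR_CHARS = set('#?"*<>')   # characters the guide forbids

def strip_subject_name(username, start_string="", end_string=""):
    """Apply the Username Prefix\\Suffix Stripping rules.

    The start separator strips everything up to and including its LAST
    occurrence; the end separator strips from its FIRST occurrence onward.
    """
    for sep in (start_string, end_string):
        if set(sep) & DISALLOWED_SEPARATOR_CHARS:
            raise ValueError("separator contains a disallowed character: %r" % sep)
    if start_string and start_string in username:
        username = username.rpartition(start_string)[2]
    if end_string and end_string in username:
        username = username.partition(end_string)[0]
    return username

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so a
    login name such as *)(uid=* cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

@dataclass
class DirectoryOrganization:
    """Constructed sample of the Table 44 options (not a real directory)."""
    subject_object_class: str = "Person"
    subject_name_attribute: str = "uid"
    group_object_class: str = "GroupOfUniqueNames"
    group_name_attribute: str = "cn"
    group_map_attribute: str = "uniqueMember"
    groups_refer_to_subjects: bool = True    # False: subjects refer to groups
    members_stored_as_dn: bool = True        # False: plain usernames
    subject_search_base: str = "dc=corporation,dc=com"
    group_search_base: str = "ou=groups,dc=corporation,dc=com"
    start_string: str = "\\"                 # strips DOMAIN\ prefixes
    end_string: str = "@"                    # strips @domain suffixes

    def subject_search(self, raw_username):
        """(base DN, filter) that locates the subject record for a login name."""
        name = strip_subject_name(raw_username, self.start_string, self.end_string)
        flt = "(&(objectClass=%s)(%s=%s))" % (
            self.subject_object_class, self.subject_name_attribute,
            escape_filter_value(name))
        return self.subject_search_base, flt

    def group_search(self, subject_dn, subject_name):
        """How group membership is resolved once the subject entry is known.

        Groups refer to subjects: search the group subtree for group objects
        whose map attribute holds the subject's DN or plain name.  Subjects
        refer to groups: read the map attribute from the subject entry; each
        value identifies a group whose name attribute supplies the group name.
        """
        if self.groups_refer_to_subjects:
            member = subject_dn if self.members_stored_as_dn else subject_name
            flt = "(&(objectClass=%s)(%s=%s))" % (
                self.group_object_class, self.group_map_attribute,
                escape_filter_value(member))
            return ("search", self.group_search_base, flt, self.group_name_attribute)
        return ("read", subject_dn, self.group_map_attribute, self.group_name_attribute)

if __name__ == "__main__":
    org = DirectoryOrganization()
    print(org.subject_search("CORP\\jdoe@corporation.com"))
    print(org.subject_search("*)(uid=*"))            # metacharacters are escaped
    print(org.group_search("uid=jdoe,dc=corporation,dc=com", "jdoe"))
```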