Home > Cisco > Control System > Cisco Acs 57 User Guide

Cisco Acs 57 User Guide

Download as PDF Print this page Share this page

Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

View all the pages

Add page 201 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores
Managing External Identity Stores
ACS 5.7 stores users with passcode in a cache. User and passcode are entered into the cache after successful authentication
with the RSA SecurID server. Upon authentication with the RSA SecurID server, ACS tries first to search for the authenticating
user and passcode in the cache. If not found, ACS authenticates with the RSA SecurID server.
The passcode cache in ACS is available for a configurable amount of time from 1 to 300 seconds. The RSA SecurID server
passcode entry in the cache is available for the amount of time that you configure. Within this period of time, the user can access
the internet with the same passcode.
Creating and Editing RSA SecurID Token Servers
ACS 5.7 supports RSA SecurID Token Servers for authenticating users for the increased security that one-time passwords
provide. RSA SecurID token servers provide two-factor authentication to ensure the authenticity of users.
To authenticate users against an RSA identity store, you must first create an RSA SecurID Token Server in ACS and configure
the realm, ACS instance, and advanced settings.
ACS 5.7 supports only one RSA realm. You can configure the settings for the RSA realm. A single realm can contain many ACS
instances.
Note: You must obtain the sdconf.rec file from the RSA SecurID server administrator and store it in ACS.
To create or edit an RSA SecurID token server:
1.Choose Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers.
The RSA SecurID Token Servers page appears.
2.Click Create.
You can also click the identity store name that you want to modify, or check the box next to the name and click Edit.
3.Complete the fields in the RSA Realm Settings tab as described in Table 55 on page 71.
4.Click the ACS Instance Settings tab. See Configuring ACS Instance Settings, page 72 for more information.
5.Click the Advanced tab. See Configuring Advanced Options, page 74 for more information.
6.Click Submit to create an RSA SecurID store.
Ta b l e 5 5 R S A R e a l m S e t t i n g s Ta b
Option Description
General
Name Name of the RSA realm.
Description (Optional) The description of the RSA realm.
Server Connection
Server Timeout n seconds ACS waits for n seconds to connect to the RSA SecurID token server before timing out.
Reauthenticate on Change
PINCheck this check box to reauthenticate on change PIN.
Realm Configuration File
Import new ‘sdconf.rec’ file Click Browse to select the sdconf.rec file from your machine.
Node Secret Status Once the user is first authenticated against RSA SecurID Token Server, the Node Secret Status
is shown as Created.

Add page 202 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores

Managing External Identity Stores
The RSA SecurID Token Server page appears with the configured servers.
Related Topics:
RSA SecurID Server, page 69
Configuring ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Configuring ACS Instance Settings
The ACS Instance Settings tab appears with the current list of ACS instances that are active in the system. You cannot add or
delete these entries. However, you can edit the available RSA Realm settings for each of these ACS instances.
Table 56 on page 72 describes the fields in the ACS Instance Settings tab.
You can edit the settings of the ACS instances that are listed on this page. To do this:
1.Check the check box next to the ACS instance that you want to edit and click Edit.
The ACS instance settings dialog box appears. This dialog box contains the following tabs:
RSA Options File—See Editing ACS Instance Settings, page 72 for more information.
Reset Agents Files—See Editing ACS Instance Settings, page 72 for more information.
2.Click OK.
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Editing ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Editing ACS Instance Settings
You can edit the ACS instance settings to:
Enable the RSA Options File, page 73
Reset Agent Files, page 73
Table 56 ACS Instance Settings Tab
Option Description
ACS Instance Name of the ACS instance.
Options File Name of the options file.
Node Secret Status Status of Node Secret. This can be one of the following:
Created
Not created

Add page 203 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores
Managing External Identity Stores
Enable the RSA Options File
You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the
RSA agent and the RSA servers in the realm.
Table 57 on page 73 describes the fields in the RSA Options File tab.
Do one of the following:
Click OK to save the configuration.
Click the Reset Agent Files tab to reset the secret key information or the status of active and inactive servers in the realm.
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Configuring ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Reset Agent Files
Use this page to reset the following:
Node Secret key file, to ensure that communication with the RSA servers is encrypted.
Status of the servers in the realm.
1.Choose either of the following options:
To reset node secret on the agent host, check the Remove secure id file on submit check box.
If you reset the node secret on the agent host, you must reset the agent host’s node secret in the RSA server.
To reset the status of servers in the realm, check the Remove sdstatus.12 file on submit check box.
Ta b l e 5 7 R S A O p t i o n s F i l e Ta b
Option Description
The RSA options file (sdopts.rec) may be enabled on each ACS instance to control the routing priorities for connections
between the RSA agent and the RSA servers in the realm. For detailed description of the format of the sdopts.rec, please
refer to the RSA Documentation.
Use the Automatic Load Balancing status maintained by
the RSA AgentChoose this option to use the automatic load balancing status
that the RSA agent maintains.
Override the Automatic Load Balancing status with the
sdopts.rec file selected belowChoose this option to use the automatic load balancing status
that is specified in the sdopts.rec file.
Current File Lists the sdopts.rec file that is chosen currently.
Time stamp Time when sdopts.rec file was last modified.
File Size Size of the sdopts.rec file.
Import new ‘sdopts.rec’ file Click Browse to import the new sdopts.rec file from your hard
drive.
Note: Changes will not take effect until the page which launched this popup is submitted.

Add page 204 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores

Managing External Identity Stores
2.Click OK.
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Configuring ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
Configuring Advanced Options
Use this page to do the following:
Define what an access reject from an RSA SecurID token server means to you.
Enable identity caching—Caching users in RSA is similar to caching users in RADIUS token with the logic and the purpose
of the caching being the same. The only difference is that in RSA there is no attribute retrieval for users and therefore no
caching of attributes. The user who is authenticated is cached, but without any attributes.
Enable passcode caching—This option stores the passcodes after the first successful authentication with an RSA secure ID
token server and uses the cached user credentials for the subsequent authentications if they happens within the configured
time period.
To configure advanced options for the RSA realm:
1.Do one of the following:
Click the Treat Rejects as Authentication failed radio button—ACS interprets this as an authentication reject from an RSA
SecurdID store and consider this as an authentication failure.
Click the Treat Rejects as User not found radio button—ACS interprets this as an authentication reject from an RSA SecurID
store and consider this as “user not found.”
2.Check the Enable identity caching check box.
Enable identity caching to allow ACS to process requests that are not authenticated through the RSA server.
The results obtained from the last successful authentication are available in the cache for the specified time period.
3.Enter the aging time in minutes.
The identity cache stores the results of a successful login only for the time period specified here. The default value is 120
minutes. The valid range is from 1 to 1440 minutes.
4.Check the Enable passcode caching check box.
Enable passcode caching to allow ACS to cache the passcodes and allow users to access the network with the same
passcode for the specified time period.
5.Enter the aging time in seconds.
The passcode cache stores the results of a successful login only for the time period specified here. The default value is 30
seconds. The valid range is from 1 to 300 seconds.
6.Click Submit.

Add page 205 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores
Managing External Identity Stores
Related Topics
RSA SecurID Server, page 69
Creating and Editing RSA SecurID Token Servers, page 71
Configuring ACS Instance Settings, page 72
Editing ACS Instance Settings, page 72
Configuring Advanced Options, page 74
RADIUS Identity Stores
RADIUS server is a third-party server that supports the RADIUS interface. RADIUS identity store, which is part of ACS, connects
to the RADIUS server.
RADIUS servers are servers that come with a standard RADIUS interface built into them and other servers that support the
RADUIS interface. ACS 5.7 supports any RADIUS RFC 2865-compliant server as an external identity store. ACS 5.7 supports
multiple RADIUS token server identities.
For example, the RSA SecurID server and SafeWord server. RADIUS identity stores can work with any RADIUS Token server that
is used to authenticate the user. RADIUS identity stores use the UDP port for authentication sessions. The same UDP port is
used for all RADIUS communication.
Note: For ACS to successfully send RADIUS messages to a RADIUS-enabled server, you must ensure that the gateway devices
between the RADIUS-enabled server and ACS allow communication over the UDP port. You can configure the UDP port through
the ACS web interface.
This section contains the following topics:
Supported Authentication Protocols, page 75
Failover, page 76
Password Prompt, page 76
User Group Mapping, page 76
Groups and Attributes Mapping, page 76
RADIUS Identity Store in Identity Sequence, page 76
Authentication Failure Messages, page 77
Username Special Format with Safeword Server, page 77
User Attribute Cache, page 77
Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
Supported Authentication Protocols
ACS supports the following authentication protocols for RADIUS identity stores:
RADIUS PAP
TACACS+ ASCII/PAP
PEAP with inner EAP-GTC

Add page 206 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores

Managing External Identity Stores
EAP-FAST with inner EAP-GTC
Failover
ACS 5.7 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary
RADIUS servers. When ACS is unable to connect to the primary server, it uses the secondary server.
Password Prompt
RADIUS identity stores allow you to configure the password prompt. You can configure the password prompt through the ACS
web interface.
User Group Mapping
To provide the per-user group mapping feature available in ACS 4.x, ACS 5.7 uses the attribute retrieval and authorization
mechanism for users that are authenticated with a RADIUS identity store.
For this, you must configure the RADIUS identity store to return authentication responses that contain the [009\]
cisco-av-pair attribute with the following value:
ACS:CiscoSecure-Group-Id=N, where N can be any ACS group number from 0 through 499 that ACS assigns to the user.
Then, this attribute is available in the policy configuration pages of the ACS web interface while creating authorization and group
mapping rules.
Groups and Attributes Mapping
You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions
for authorization and group mapping. You can select the attributes that you want to use in policy conditions while configuring
the RADIUS identity store. These attributes are kept in the RADIUS identity store dedicated dictionary and can be used to define
policy conditions.
Note: You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to
return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list.
You can use the attribute subscription feature of ACS 5.7 to receive RADIUS identity store attributes can on the ACS response
to the device. The following RADIUS attributes are returned:
Attributes that are listed in the RADIUS RFS
Vendor-specific attributes
The following attribute types are supported:
String
Unsigned Integer
IP Address
Enumeration
If an attribute with multiple values is returned, the value is ignored, and if a default value has been configured, that value is
returned. However, this attribute is reported in the customer log as a problematic attribute.
RADIUS Identity Store in Identity Sequence
You can add the RADIUS identity store for authentication sequence in an identity sequence. However, you cannot add the
RADIUS identity store for attribute retrieval sequence because you cannot query the RADIUS identity store without
authentication. ACS cannot distinguish between different error cases while authenticating with a RADIUS server.

Add page 207 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores
Managing External Identity Stores
RADIUS servers return an Access-Reject message for all error cases. For example, when a user is not found in the RADIUS
server, instead of returning a User Unknown status, the RADIUS server returns an Access-Reject message.
You can, however, enable the Treat Rejects as Authentication Failure or User Not Found option available in the RADIUS identity
store pages of the ACS web interface.
Authentication Failure Messages
When a user is not found in the RADIUS server, the RADIUS server returns an Access-Reject message. ACS provides you the
option to configure this message through the ACS web interface as either Authentication Failed or Unknown User.
However, this option returns an Unknown User message not only for cases where the user is not known, but for all failure cases.
Table 58 on page 77 lists the different failure cases that are possible with RADIUS identity servers.
Username Special Format with Safeword Server
Safeword token server supports authentication with the following username format:
Username—Username, OTP
ACS parses the username and converts this to:
Username—Username
Safeword token servers support both the formats. ACS works with various token servers. While configuring a Safeword server,
you must check the Safeword Server check box for ACS to parse the username and convert it to the specified format.
This conversion is done in the RADIUS token server identity store before the request is sent to the RADIUS token server.
User Attribute Cache
RADIUS token servers, by default, do not support user lookups. However, the user lookup functionality is essential for the
following ACS features:
Table 58 Error Handling
Cause of Authentication Failure Failure Cases
Authentication FailedUser is unknown.
User attempts to login with wrong passcode.
User logon hours expired.
Process FailedRADIUS server is configured incorrectly in
ACS.
RADIUS server is unavailable.
RADIUS packet is detected as malformed.
Problem during sending or receiving a packet
from the RADIUS server.
Ti m e o u t .
Unknown User Authentication failed and the 'Fail on Reject'
option is set to false.

Add page 208 to Favourites

image text

Enable zoom

7
Managing Users and Identity Stores

Managing External Identity Stores
PEAP session resume—Happens after successful authentication during EAP session establishment
EAP/FAST fast reconnect—Happens after successful authentication during EAP session establishment
T+ Authorization—Happens after successful T+ Authentication
ACS caches the results of successful authentications to process user lookup requests for these features. For every successful
authentication, the name of the authenticated user and the retrieved attributes are cached. Failed authentications are not written
to the cache.
The cache is available in the memory at runtime and is not replicated between ACS nodes in a distributed deployment. You can
configure the time to live (TTL) limit for the cache through the ACS web interface. You must enable the identity caching option
and set the aging time in minutes. The cache is available in the memory for the specified amount of time.
Passcode Caching
Passcode caching enables the user to perform more than one authentication with an RADIUS identity server using the same
passcode.
ACS 5.7 stores users with passcode in a cache. User and passcode are entered into the cache after successful authentication
with the RADIUS Identity Server. Upon authentication with the RADIUS identity server, ACS tries first to search for the
authenticating user and passcode in the cache. If not found, ACS authenticates with the RADIUS identity server.
The passcode cache in ACS is available for a configurable amount of time from 1 to 300 seconds. The RADIUS identity server
passcode entry in the cache is available for the amount of time that you configure. Within this period of time, the user can access
the internet with the same passcode.
Creating, Duplicating, and Editing RADIUS Identity Servers
ACS 5.7 supports the RADIUS identity server as an external identity store for the increased security that one-time passwords
provide. RADIUS identity servers provide two-factor authentication to ensure the authenticity of the users.
To authenticate users against a RADIUS identity store, you must first create the RADIUS identity server in ACS and configure
the settings for the RADIUS identity store. ACS 5.7 supports the following authentication protocols:
RADIUS PAP
TACACS+ ASCII\PAP
PEAP with inner EAP-GTC
EAP-FAST with inner EAP-GTC
For a successful authentication with a RADIUS identity server, ensure that:
The gateway devices between the RADIUS identity server and ACS allow communication over the UDP port.
The shared secret that you configure for the RADIUS identity server on the ACS web interface is identical to the shared
secret configured on the RADIUS identity server.
To create, duplicate, or edit a RADIUS Identity Server:
1.Choose Users and Identity Stores > External Identity Stores > RADIUS Identity Servers.
The RADIUS Identity Servers page appears with a list of RADIUS external identity servers.
2.Click Create. You can also:
Check the check box next to the identity store you want to duplicate, then click Duplicate.
Click the identity store name that you want to modify, or check the box next to the name and click Edit.

Add page 209 to Favourites

image text

Enable zoom

							7   
Managing Users and Identity Stores
Managing External Identity Stores
3.Complete the fields in the General tab. See Configuring General Settings, page 79 for a description of the fields in the 
General tab.
4.Yo u  c a n :
Click Submit to save the RADIUS Identity Server.
Click the Shell Prompts tab. See Configuring Shell Prompts, page 81 for a description of the fields in the Shell Prompts tab.
Click the Directory Attributes tab. See Configuring Directory Attributes, page 82 for a description of the fields in the 
Directory Attributes tab.
Click the Advanced tab. See Configuring Advanced Options, page 83 for a description of the fields in the Advanced tab.
5.Click Submit to save the changes.
Related Topics
RADIUS Identity Stores, page 75
Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
Configuring General Settings
Table 59 on page 80 describes the fields in the General tab of the RADIUS Identity Servers page.

Add page 210 to Favourites

image text

Enable zoom

8
Managing Users and Identity Stores

Managing External Identity Stores
Table 59 RADIUS Identity Server - General Tab
Option Description
Name Name of the external RADIUS identity server.
Description (Optional) A brief description of the RADIUS identity server.
SafeWord Server Check this check box to enable a two-factor authentication using a
SafeWord server.
Server Connection
Enable Secondary Server Check this check box to use a secondary RADIUS identity server as a
backup server in case the primary RADIUS identity server fails.
If you enable the secondary server, you must configure the parameters for
the secondary RADIUS identity server and must choose one of the
following options:
Always Access Primary Server First—Select this option to ensure that
ACS always accesses the primary RADIUS identity server first before
the secondary server is accessed.
Failback To Primary Server After n Minutes—Select this option to set
the number of minutes ACS can use the secondary server for
authentication.
After this time expires, ACS should again attempt to authenticate
using the primary server. The default value is 5 minutes.
Primary Server
Server IP Address IP address of the primary RADIUS identity server.
Shared Secret Shared secret between ACS and the primary RADIUS identity server.
A shared secret is an expected string of text, which a user must provide
before the network device authenticates a username and password. The
connection is rejected until the user supplies the shared secret.
Authentication Port Port number on which the RADIUS primary server listens. Valid options are
from 1 to 65,535. The default value is 1812.
Server Timeout n Seconds Number of seconds, n, that ACS waits for a response from the primary
RADIUS identity server before it determines that the connection to the
primary server has failed. Valid options are from 1 to 300. The default
value is 5.
Connection Attempts Specifies the number of times that ACS should attempt to reconnect
before contacting the secondary RADIUS identity server or dropping the
connection if no secondary server is configured. Valid options are from 1
to 10. The default value is 3.
Secondary Server
Server IP Address IP address of the secondary RADIUS identity server.
Shared Secret Shared secret between ACS and the secondary RADIUS identity server.
The shared secret must be identical to the shared secret that is configured
on the RADIUS identity server.
A shared secret is an expected string of text, which a user must provide
before the network device authenticates a username and password. The
connection is rejected until the user supplies the shared secret.

All Cisco manuals Comments (0)

Related Manuals for Cisco Acs 57 User Guide

Cisco Acs 5x User Guide
650 pages | Cisco Control System