
Cisco Acs 57 User Guide


    8 Managing Users and Identity Stores
    Managing External Identity Stores
    Related Topics
    RADIUS Identity Stores, page 75
    Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
    Configuring Shell Prompts, page 81
    Configuring Directory Attributes, page 82
    Configuring Advanced Options, page 83
    Configuring Shell Prompts
    For TACACS+ ASCII authentication, ACS must return the password prompt to the user. The RADIUS identity server supports this functionality through the password prompt option. ACS can use the prompt that you configure in the Shell Prompts page on the ACS web interface. If the prompt is empty, the user receives the default prompt that is configured under the TACACS+ global settings.
    When establishing a connection with a RADIUS identity server, the initial request packets may not carry the password, so ACS must request it. You can use this page to define the prompt that is used to request the password. To do this:
    1. Enter the text for the prompt in the Prompt field.
    2. Do one of the following:
       - Click Submit to configure the prompt for requesting the password.
       - Click the Directory Attributes tab to define a list of attributes that you want to use in policy rule conditions. See Configuring Directory Attributes, page 82 for more information.
    Related Topics
    RADIUS Identity Stores, page 75
    Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
    Configuring General Settings, page 79
    Configuring Directory Attributes, page 82
    Configuring Advanced Options, page 83
    Table 59 RADIUS Identity Server - General Tab (continued)
    Authentication Port: Port number on which the RADIUS secondary server listens. Valid options are from 1 to 65,535. The default value is 1812.
    Server Timeout n Seconds: Number of seconds, n, that ACS waits for a response from the secondary RADIUS identity server before it determines that the connection to the secondary server has failed. Valid options are from 1 to 300. The default value is 5.
    Connection Attempts: Specifies the number of times that ACS should attempt to reconnect before dropping the request. Valid options are from 1 to 10. The default value is 3.
    						
    							8
    Managing Users and Identity Stores
     
    Managing External Identity Stores
    Configuring Directory Attributes
    When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make 
    use of these RADIUS attributes in policy rules. 
    In the Directory Attributes tab, you can specify the RADIUS attributes that you use in policy rule conditions. ACS maintains a 
    separate list of these attributes.
    1. Modify the fields in the Directory Attributes tab as described in Table 60 on page 82.
    2. Do either of the following:
       - Click Submit to save your changes and return to the RADIUS Identity Servers page.
       - Click the Advanced tab to configure failure message handling and to enable identity caching. See Configuring Advanced Options, page 83 for more information.
    Related Topics
    RADIUS Identity Stores, page 75
    Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
    Configuring General Settings, page 79
    Configuring Shell Prompts, page 81
    Table 60 RADIUS Identity Servers - Directory Attributes Tab
    Attribute List: Use this section to create the attribute list to include in policy conditions. As you include each attribute, its name, type, default value, and policy condition name appear in the table. To:
       - Add a RADIUS attribute, fill in the fields below the table and click Add.
       - Edit a RADIUS attribute, select the appropriate row in the table and click Edit. The RADIUS attribute parameters appear in the fields below the table. Edit as required, then click Replace.
    Dictionary Type: RADIUS dictionary type. Click the drop-down list box to select a RADIUS dictionary type.
    RADIUS Attribute: Name of the RADIUS attribute. Click Select to choose the RADIUS attribute. This name is composed of two parts: the attribute name and an extension to support AV-pairs if the attribute selected is a Cisco AV-Pair. For example, for an attribute cisco-av-pair with an AV-pair name some-avpair, ACS displays cisco-av-pair.some-avpair. IETF and vendor VSA attribute names contain an optional suffix, -nnn, where nnn is the ID of the attribute.
    Type: RADIUS attribute type. Valid options are:
       - String
       - Unsigned Integer 32
       - IPv4 address
    Default: (Optional) A default value that can be used if the attribute is not available in the response from the RADIUS identity server. This value must be of the specified RADIUS attribute type.
    Policy Condition Name: Specify the name of the custom policy condition that uses this attribute.
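The following is an added example, not ACS code, that models the Directory Attributes tab above in working form: the cisco-av-pair.<av-pair name> display name, the optional -nnn ID suffix on IETF and VSA attribute names, the three attribute types, and the Default value that is used when the reply lacks the attribute. The sample reply, the attribute definitions and the policy condition names are constructed; that ACS matches a suffixed name such as Session-Timeout-27 against the plain attribute name in the reply is an assumption of this model.

```python
"""ACS-style directory attributes built from a RADIUS identity server reply (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TYPES = ("String", "Unsigned Integer 32", "IPv4 address")   # the three types in Table 60


@dataclass
class DirectoryAttribute:
    dictionary: str                 # RADIUS dictionary type, e.g. "IETF" or "Cisco"
    name: str                       # RADIUS attribute name, optional -nnn ID suffix
    type: str                       # one of TYPES
    policy_condition: str           # name used in policy rule conditions
    avpair: Optional[str] = None    # AV-pair name when the attribute is cisco-av-pair
    default: Optional[str] = None   # Default value used when the reply lacks the attribute


def split_id_suffix(name: str) -> Tuple[str, Optional[int]]:
    """'Session-Timeout-27' -> ('Session-Timeout', 27); names without a suffix keep id None."""
    base, sep, tail = name.rpartition("-")
    if sep and tail.isdigit():
        return base, int(tail)
    return name, None


def display_name(attr: DirectoryAttribute) -> str:
    """Name ACS shows in the attribute table, e.g. cisco-av-pair.some-avpair."""
    return f"{attr.name}.{attr.avpair}" if attr.avpair else attr.name


def parse_value(attr_type: str, raw: str):
    """Convert raw text to the configured type; raise ValueError if it does not fit."""
    if attr_type == "String":
        return raw
    if attr_type == "Unsigned Integer 32":
        value = int(raw)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{raw} is outside the unsigned 32-bit range")
        return value
    if attr_type == "IPv4 address":
        return str(ipaddress.IPv4Address(raw))      # AddressValueError (a ValueError) if malformed
    raise ValueError(f"unsupported attribute type {attr_type!r}")


def validate_definition(attr: DirectoryAttribute) -> None:
    """Reject a definition whose Default value is not of the declared type."""
    if attr.type not in TYPES:
        raise ValueError(f"{attr.name}: unknown type {attr.type!r}")
    if attr.default is not None:
        parse_value(attr.type, attr.default)


def definition_is_valid(attr: DirectoryAttribute) -> bool:
    try:
        validate_definition(attr)
        return True
    except ValueError:
        return False


def extract(reply: List[Tuple[str, str]],
            attrs: List[DirectoryAttribute]) -> Dict[str, object]:
    """Map each policy condition name to its typed value (or Default) taken from a reply."""
    plain: Dict[str, str] = {}
    avpairs: Dict[str, str] = {}
    for name, value in reply:
        if name == "cisco-av-pair" and "=" in value:   # 'key=value' AV-pairs are indexed by key
            key, _, val = value.partition("=")
            avpairs[key] = val
        else:
            plain[name] = value
    result: Dict[str, object] = {}
    for attr in attrs:
        validate_definition(attr)
        base, _ = split_id_suffix(attr.name)
        raw = avpairs.get(attr.avpair) if attr.avpair else plain.get(base)
        if raw is None:
            raw = attr.default
        if raw is None:
            continue                 # absent and no Default: the condition stays unset
        result[attr.policy_condition] = parse_value(attr.type, raw)
    return result


# Constructed sample reply (attribute name, value) and attribute list
SAMPLE_REPLY = [
    ("Framed-IP-Address", "10.1.2.3"),
    ("Session-Timeout", "3600"),
    ("cisco-av-pair", "shell:priv-lvl=15"),
    ("Class", "staff"),
]
SAMPLE_ATTRS = [
    DirectoryAttribute("IETF", "Framed-IP-Address-8", "IPv4 address", "UserIP"),
    DirectoryAttribute("IETF", "Session-Timeout-27", "Unsigned Integer 32", "SessionTimeout"),
    DirectoryAttribute("IETF", "Idle-Timeout-28", "Unsigned Integer 32", "IdleTimeout", default="600"),
    DirectoryAttribute("IETF", "Class-25", "String", "ClassAttr"),
    DirectoryAttribute("Cisco", "cisco-av-pair", "Unsigned Integer 32", "PrivLevel", avpair="shell:priv-lvl"),
]

if __name__ == "__main__":
    for attr in SAMPLE_ATTRS:
        print(display_name(attr), "->", attr.policy_condition)
    print(extract(SAMPLE_REPLY, SAMPLE_ATTRS))
```

Idle-Timeout is absent from the sample reply, so its policy condition is filled from the Default; a Default that does not parse as the declared type (for example an IPv4 attribute with a non-address Default) is rejected when the definition is validated, which is the check the Default row of Table 60 asks for.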
    						
    							8   
    Managing Users and Identity Stores
    Configuring CA Certificates
    Configuring Advanced Options, page 83
    Configuring Advanced Options
    In the Advanced tab, you can do the following:
       - Define what an access reject from a RADIUS identity server means to you.
       - Enable identity caching.
       - Enable passcode caching.
    Table 61 on page 83 describes the fields in the Advanced tab of the RADIUS Identity Servers page.
    Click Submit to save the RADIUS Identity Server.
    Related Topics
    RADIUS Identity Stores, page 75
    Creating, Duplicating, and Editing RADIUS Identity Servers, page 78
    Table 61 RADIUS Identity Servers - Advanced Tab
    This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting.
    Treat Rejects as 'authentication failed': Click this option to consider all ambiguous access reject attempts as failed authentications.
    Treat Rejects as 'user not found': Click this option to consider all ambiguous access reject attempts as unknown users.
    Identity caching is used to allow processing of requests that do not perform authentication against the server. The cache retains the results and attributes retrieved from the last successful authentication for the subject.
    Enable identity caching: Check this check box to enable identity caching. If you enable identity caching, you must enter the time in minutes for which you want ACS to retain the identity cache.
    Aging Time n Minutes: Enter the time in minutes for which you want ACS to retain the identity cache. Valid options are from 1 to 1440.
    Enable passcode caching: Check this check box to enable passcode caching. If you enable passcode caching, you must enter the time in seconds for which you want ACS to retain the passcode cache.
    Aging Time n Seconds: Enter the time in seconds for which you want ACS to retain the passcode cache. Valid options are from 1 to 300. The default value is 30 seconds.
    Configuring CA Certificates
    When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate.
    If ACS does not trust the client’s CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.
    						
    							8
    Managing Users and Identity Stores
     
    Configuring CA Certificates
    You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate 
    standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) 
    and certificate revocation lists (CRLs).
    Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over 
    large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than 
    shared secret systems. 
    Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may 
    be issued from a CA or, if you choose, may be a self-signed certificate. For more information, see Configuring Local Server 
    Certificates, page 16.
    Note: ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You 
    must add the certificate that signed the server certificate to the CA. You must ensure that the chain is signed correctly and that 
    all the certificates are valid.
    If the server certificate and the CA that signed the server certificate are installed on ACS, ACS sends the full certificate chain to 
    the client. 
    Note: ACS does not support wildcard certificates. 
    Related Topics
    Adding a Certificate Authority, page 84
    Editing a Certificate Authority and Configuring Certificate Revocation Lists, page 85
    Deleting a Certificate Authority, page 87
    Renewing or Deleting a CA Certificate that is part of a Certificate Chain, page 87
    Exporting a Certificate Authority, page 88
    Adding a Certificate Authority
    The supported certificate formats are DER, PEM, or CER.
    To add a trusted CA (Certificate Authority) certificate:
    1. Choose Users and Identity Stores > Certificate Authorities.
       The Trust Certificate page appears.
    2. Click Add.
    3. Complete the fields in the Certificate File to Import page as described in Table 62 on page 85:
    Table 62 Certificate Authority Properties Page
    Certificate File to Import
    Certificate File: Enter the name of the certificate file. Click Browse to navigate to the location on the client machine where the trust certificate is located.
    Trust for client with EAP-TLS: Check this box so that ACS will use the certificate trust list for the EAP protocol.
    Allow Duplicate Certificates: Allows you to add certificates with the same CN and SKI with different Valid From, Valid To, and Serial numbers.
    Description: Enter a description of the CA certificate.
    4. Click Submit.
       The new certificate is saved. The Trust Certificate List page appears with the new certificate.
    Related Topics
    User Certificate Authentication, page 6
    Overview of EAP-TLS, page 5
    Editing a Certificate Authority and Configuring Certificate Revocation Lists
    Use this page to edit a trusted CA (Certificate Authority) certificate.
    1. Choose Users and Identity Stores > Certificate Authorities.
       The Trust Certificate page appears with a list of configured certificates.
    2. Click the name that you want to modify, or check the check box for the Name, and click Edit.
       Complete the fields in the Edit Trust Certificate List Properties page as described in Table 63 on page 86:
    When ACS delays the CA CRL, the CA is retained on the local file system. The CA is not refreshed until you resubmit it.
    By default, ACS will fail all user certificates of a CA for which the CRL has expired.
    If the CA certificate is resubmitted, the following error is shown:
    12514 EAP-TLS failed SSL/TLS handshake. This is because of the unknown CA.
    If the CA certificate is not resubmitted, the following error is shown:
    12515 EAP-TLS failed SSL/TLS handshake. This is because of the expired CRL.
    If you choose Ignore CRL Expiration, ACS fails authentication for the revoked certificates and passes the authentication for non-revoked certificates.
    						
    							8
    Managing Users and Identity Stores
     
    Configuring CA Certificates
    Table 63 Edit Certificate Authority Properties Page
    Issuer
    Friendly Name: The name that is associated with the certificate.
    Description: (Optional) A brief description of the CA certificate.
    Issued To: Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject.
    Issued By: Display only. The certification authority that issued the certificate.
    Valid From: Display only. The start date of the certificate’s validity. An X509 certificate is valid only from the start date to the end date (inclusive).
    Valid To (Expiration): Display only. The last date of the certificate’s validity.
    Serial Number: Display only. The serial number of the certificate.
    Description: Description of the certificate.
    Usage
    Trust for client with EAP-TLS: Check this box so that ACS will use the trust list for the TLS-related EAP protocols.
    Certificate Status Validation
    OCSP Configuration: Use this section to configure the OCSP service.
    Validate against OCSP service: Check this box and select the OCSP service from the drop-down list to validate the requests against the selected OCSP service.
    Reject the request if certificate status could not be determined by OCSP: Check this box to reject the request if the certificate status could not be determined by the OCSP service.
    Certificate Revocation List Configuration: Use this section to configure the CRL.
    Download CRL: Check this box to download the CRL.
    CRL Distribution URL: Enter the CRL distribution URL. You can specify a URL that uses an HTTP or secure HTTPS connection. When you use an HTTPS URL, you must install the corresponding HTTPS server’s CA certificate in ACS. You can configure a proxy server in ACS for CRL download so that ACS communicates with the CRL distribution server through the configured proxy server. For more information, see Configuring HTTP Proxy Settings for CRL Requests, page 3.
    Retrieve CRL: ACS attempts to download a CRL from the CA. Toggle the time settings for ACS to retrieve a new CRL from the CA.
       - Automatically: Obtain the next update time from the CRL file. If unsuccessful, ACS tries to retrieve the CRL periodically after the first failure until it succeeds.
       - Every: Determines the frequency between retrieval attempts. Enter the amount in units of time.
    						
    							8   
    Managing Users and Identity Stores
    Configuring CA Certificates
    3. Click Submit.
       The Trust Certificate page appears with the edited certificate.
    The administrator has the rights to configure CRL and OCSP verification. If both CRL and OCSP verification are configured at 
    the same time, then ACS performs OCSP verification first. If it detects any communication problems with either the primary or 
    secondary servers, or if the verification returns the status of a given certificate as unknown, then ACS moves on to perform the 
    CRL validation. 
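The order described above (OCSP first, CRL only when the responder cannot be reached or returns an unknown status), combined with the Download CRL, Bypass CRL Verification if CRL is not Received and Ignore CRL Expiration check boxes of Table 63, is easier to reason about as a decision function. The block below is an added example, not Cisco code; the OCSP replies and CRL states are constructed stand-ins rather than real responses, and it assumes that the "Reject the request if certificate status could not be determined by OCSP" option takes effect before any CRL fallback, which the page does not state either way.

```python
"""Decision model for the CRL and OCSP settings on the Edit Certificate Authority page (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass
class RevocationConfig:
    # The Table 63 check boxes; all unchecked by default
    validate_against_ocsp: bool = False
    reject_if_ocsp_undetermined: bool = False
    download_crl: bool = False
    bypass_crl_if_not_received: bool = False
    ignore_crl_expiration: bool = False


@dataclass
class OcspReply:
    status: str   # "good", "revoked", "unknown", or "error" (responder unreachable)


@dataclass
class CrlState:
    received: bool
    next_update: Optional[datetime] = None                    # the CRL's Next Update field
    revoked_serials: FrozenSet[str] = field(default_factory=frozenset)


def revocation_decision(serial: str, cfg: RevocationConfig, ocsp: Optional[OcspReply],
                        crl: Optional[CrlState], now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for one client certificate serial number."""
    if cfg.validate_against_ocsp:
        status = ocsp.status if ocsp is not None else "error"
        if status == "good":
            return True, "ocsp good"
        if status == "revoked":
            return False, "ocsp revoked"
        # 'unknown' or no usable answer: the status could not be determined by OCSP
        if cfg.reject_if_ocsp_undetermined:      # assumed to win over the CRL fallback
            return False, "ocsp undetermined"
        # otherwise ACS moves on to the CRL validation
    if cfg.download_crl:
        if crl is None or not crl.received:
            if cfg.bypass_crl_if_not_received:
                return True, "crl not received, bypassed"
            return False, "crl not received"
        expired = crl.next_update is not None and now > crl.next_update
        if expired and not cfg.ignore_crl_expiration:
            return False, "crl expired"           # the 12515 'expired CRL' case on this page
        if serial in crl.revoked_serials:
            return False, "crl revoked"
        return True, ("crl not revoked (expired crl ignored)" if expired else "crl not revoked")
    return True, "no revocation check configured"


# Constructed states shared by the demo below
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FRESH_CRL = CrlState(True, NOW + timedelta(days=1), frozenset({"1A2B"}))
EXPIRED_CRL = CrlState(True, NOW - timedelta(days=1), frozenset({"1A2B"}))
MISSING_CRL = CrlState(False)
OCSP_AND_CRL = RevocationConfig(validate_against_ocsp=True, download_crl=True)

if __name__ == "__main__":
    for label, reply in (("good", OcspReply("good")), ("unknown", OcspReply("unknown")), ("down", None)):
        print(f"serial 1A2B, OCSP {label}:", revocation_decision("1A2B", OCSP_AND_CRL, reply, FRESH_CRL, NOW))
```

Two settings in the model deserve attention when reviewing a configuration: with Bypass CRL Verification if CRL is not Received checked, a certificate signed by the CA is accepted before any CRL has been downloaded, and with Ignore CRL Expiration checked an outdated CRL keeps being consulted, so a certificate revoked after that CRL's Next Update is still accepted.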
    Related Topics
    User Certificate Authentication, page 6
    Overview of EAP-TLS, page 5
    Configuring HTTP Proxy Settings for CRL Requests, page 3
    Deleting a Certificate Authority
    Use this page to delete a trusted CA (Certificate Authority) certificate:
    1. Choose Users and Identity Stores > Certificate Authorities.
       The Trust Certificate List page appears with a list of configured certificates.
    2. Check one or more check boxes next to the certificates that you want to delete.
    3. Click Delete.
    4. Click Yes to confirm.
       The Trust Certificate page appears without the deleted certificate(s).
    Related Topic
    Overview of EAP-TLS, page 5
    Table 63 Edit Certificate Authority Properties Page (continued)
       - If Download Failed Wait: Enter the amount of time to attempt to retrieve the CRL, if the retrieval initially failed.
    Bypass CRL Verification if CRL is not Received: If unchecked, all the client requests that use the certificate that is signed by the selected CA will be rejected until ACS receives the CRL file. When checked, the client request may be accepted before the CRL is received.
    Ignore CRL Expiration: Check this box to check a certificate against an outdated CRL. When checked, ACS continues to use the expired CRL and permits or rejects EAP-TLS authentications according to the contents of the CRL. When unchecked, ACS examines the expiration date of the CRL in the Next Update field in the CRL file. If the CRL has expired, all authentications that use the certificate that is signed by the selected CA are rejected.
    Renewing or Deleting a CA Certificate that is part of a Certificate Chain
    When you try to delete a CA certificate which is part of a Certificate Chain, ACS displays the following error:
    This System Failure occurred: Certificate Authority is in use by one of the ACS nodes certificates. Your changes have not been saved. Click OK to return to the list page.
    If you want to delete or renew a CA certificate which is part of an EAP or management certificate chain, you must map or unbind the EAP or management protocols to another server certificate that is not issued by the CA certificate and then renew or delete it.
    To renew or delete a CA certificate from ACS:
    1. Choose System Administration > Configuration > Local Server Certificates > Local Certificates.
    2. Check for the following conditions:
       - If any of the server certificates listed are issued by the CA certificate that you want to renew or delete, you must check whether an EAP or management protocol is applied to those server certificates.
       - If any server certificate issued by the CA certificate is mapped to an EAP or management protocol, you must unbind the EAP or management protocol from that server certificate and map it to another server certificate that is not issued by the same CA certificate. For more information on unbinding EAP or management protocols from a server certificate, see Unbinding EAP or Management Protocols from Server Certificate, page 88.
    3. You can renew or delete the CA certificate once none of the server certificates issued by this CA certificate is mapped to an EAP or management protocol.
    Unbinding EAP or Management Protocols from Server Certificate
    To unbind an EAP or management protocol from a server certificate:
    1. Install a new server certificate that is issued by a CA certificate other than the one that you want to delete, or use the default server certificate. For more information, see Adding Local Server Certificates, page 17.
    2. Perform one of the following actions:
       - Check the EAP: Used for EAP protocols that use SSL/TLS tunneling and Management Interface: Used to authenticate the web server (GUI) check boxes while adding the new server certificate.
       - After adding the new server certificate, edit the certificate and check the EAP: Used for EAP protocols that use SSL/TLS tunneling and Management Interface: Used to authenticate the web server (GUI) check boxes.
    This operation unbinds the EAP or management protocols from the old server certificate and binds them to the new server certificate.
    Exporting a Certificate Authority
    To export a trust certificate:
    1. Choose Users and Identity Stores > Certificate Authorities.
       The Trust Certificate List page appears with a list of configured certificates.
    2. Check the box next to the certificates that you want to export.
    3. Click Export.
       This operation exports the trusted certificate to the client machine.
    4. Click Yes to confirm.
       You are prompted to install the exported certificate on your client machine.
    						
    							8   
    Managing Users and Identity Stores
    Configuring Certificate Authentication Profiles
    Related Topics
    User Certificate Authentication, page 6
    Overview of EAP-TLS, page 5
    Configuring Certificate Authentication Profiles
    The certificate authentication profile defines the X509 certificate information to be used for a certificate-based access request. You can select an attribute from the certificate to be used as the username.
    You can select a subset of the certificate attributes to populate the username field for the context of the request. The username 
    is then used to identify the user for the remainder of the request, including the identification used in the logs.
    You can use the certificate authentication profile to retrieve certificate data to further validate a certificate presented by an LDAP 
    or AD client. The username from the certificate authentication profile is used to query the LDAP or AD identity store. 
    ACS compares the client certificate against all certificates retrieved from the LDAP or AD identity store, one after another, to 
    see if one of them matches. ACS either accepts or rejects the request.
    Note: For ACS to accept a request, only one certificate from either the LDAP or the AD identity store must match the client 
    certificate.
    When ACS processes a certificate-based request for authentication, one of two things happens: the username from the 
    certificate is compared to the username in ACS that is processing the request, or ACS uses the information that is defined in 
    the selected LDAP or AD identity store to validate the certificate information.
    You can duplicate a certificate authentication profile to create a new profile that is the same, or similar to, an existing certificate 
    authentication profile. After duplication is complete, you access each profile (original and duplicated) separately, to edit or 
    delete them.
    ACS 5.7 now supports the certificate name constraints extension. It accepts client certificates whose issuers contain the name constraints extension, and it checks the CA and sub-CA certificates in the client certificate's path. This extension defines a name space for all subject names in the subsequent certificates in a certificate path. It applies to both the subject distinguished name and the subject alternative name. These restrictions are applicable only when the specified name form is present in the client certificate. The ACS authentication fails if the client certificate is excluded or not permitted by the name space.
    Supported Name Constraints:
       - Directory name
       - DNS
       - Email
       - URL
    Unsupported Name Constraints:
       - IP address
       - Other name
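The two behaviours described on this page, ACS assembling a chain from the CA certificates added to it (Configuring CA Certificates above) and ACS 5.7 rejecting a client certificate that is excluded or not permitted by the name constraints of a CA or sub-CA in that path, are shown together in the added example below. It is not Cisco code: certificates are plain records with no signature checking, the matching rules for the four supported name forms follow RFC 5280 section 4.2.1.10, IP address and otherName constraints are skipped because the page lists them as unsupported, and the whole PKI (root, issuing sub-CA, client certificates, DNs) is constructed for the example.

```python
"""Chain assembly and name-constraint enforcement for an EAP-TLS client certificate (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

SUPPORTED_FORMS = ("directory", "dns", "email", "url")   # the page's supported list


@dataclass
class Cert:
    subject: str                 # DN written root-first, e.g. "DC=com,DC=example,CN=alice"
    issuer: str
    is_ca: bool = False
    san_dns: List[str] = field(default_factory=list)
    san_email: List[str] = field(default_factory=list)
    san_uri: List[str] = field(default_factory=list)
    permitted: Dict[str, List[str]] = field(default_factory=dict)   # name form -> subtrees
    excluded: Dict[str, List[str]] = field(default_factory=dict)


def build_chain(leaf: Cert, trust_store: Dict[str, Cert], max_depth: int = 8) -> List[Cert]:
    """Follow issuer links from the leaf to a self-signed CA present in the trust store."""
    chain, current = [leaf], leaf
    while current.subject != current.issuer:
        issuer = trust_store.get(current.issuer)
        if issuer is None or not issuer.is_ca:
            raise ValueError(f"unknown CA: {current.issuer}")   # cf. error 12514 on this page
        chain.append(issuer)
        current = issuer
        if len(chain) > max_depth:
            raise ValueError("certificate path too long")
    return chain


def name_in_subtree(form: str, name: str, subtree: str) -> bool:
    """Does one name of the given form fall inside one constraint subtree?"""
    name, subtree = name.lower(), subtree.lower()
    if form == "directory":            # DN prefix: the constraint's RDNs must lead the subject
        rdns = [r.strip() for r in name.split(",")]
        base = [r.strip() for r in subtree.split(",")]
        return rdns[:len(base)] == base
    if form == "dns":                  # example.com covers itself and every subdomain
        return name == subtree or name.endswith("." + subtree)
    if form == "email":
        if "@" in subtree:             # a single mailbox
            return name == subtree
        domain = name.rpartition("@")[2]
        return domain.endswith(subtree) if subtree.startswith(".") else domain == subtree
    if form == "url":                  # the constraint applies to the URI host only
        host = urlsplit(name).hostname or ""
        return host.endswith(subtree) if subtree.startswith(".") else host == subtree
    return False


def check_name_constraints(chain: List[Cert]) -> Tuple[bool, str]:
    """Apply the constraints of every CA in the path to the client certificate's names."""
    leaf = chain[0]
    names = {"directory": [leaf.subject], "dns": leaf.san_dns,
             "email": leaf.san_email, "url": leaf.san_uri}
    for ca in chain[1:]:
        for form, subtrees in ca.excluded.items():
            if form not in SUPPORTED_FORMS:       # IP address / otherName: not enforced here
                continue
            for n in names[form]:
                if any(name_in_subtree(form, n, s) for s in subtrees):
                    return False, f"{form} name {n!r} excluded by {ca.subject}"
        for form, subtrees in ca.permitted.items():
            if form not in SUPPORTED_FORMS:
                continue
            for n in names[form]:                 # only enforced when the leaf carries that form
                if not any(name_in_subtree(form, n, s) for s in subtrees):
                    return False, f"{form} name {n!r} not permitted by {ca.subject}"
    return True, "name constraints satisfied"


def authenticate(leaf: Cert, trust_store: Dict[str, Cert]) -> Tuple[bool, str]:
    try:
        chain = build_chain(leaf, trust_store)
    except ValueError as err:
        return False, str(err)
    return check_name_constraints(chain)


# Constructed PKI: root -> issuing sub-CA constrained to example.com -> client certificates
ROOT = Cert("DC=com,DC=example,CN=Example Root CA", "DC=com,DC=example,CN=Example Root CA", is_ca=True)
SUB_CA = Cert("DC=com,DC=example,CN=Staff Issuing CA", ROOT.subject, is_ca=True,
              permitted={"dns": ["example.com"], "email": ["example.com", ".example.com"],
                         "url": [".example.com"], "directory": ["DC=com,DC=example"]},
              excluded={"dns": ["guest.example.com"]})
TRUST_STORE = {ROOT.subject: ROOT, SUB_CA.subject: SUB_CA}
ALICE = Cert("DC=com,DC=example,OU=Staff,CN=alice", SUB_CA.subject,
             san_dns=["alice.pc.example.com"], san_email=["alice@corp.example.com"])
MALLORY = Cert("DC=com,DC=example,CN=mallory", SUB_CA.subject, san_email=["mallory@evil.test"])
KIOSK = Cert("DC=com,DC=example,CN=kiosk", SUB_CA.subject, san_dns=["kiosk.guest.example.com"])
ORPHAN = Cert("DC=com,DC=other,CN=bob", "DC=com,DC=other,CN=Unknown CA")

if __name__ == "__main__":
    for cert in (ALICE, MALLORY, KIOSK, ORPHAN):
        print(cert.subject, "->", authenticate(cert, TRUST_STORE))
```

The constraints are taken from every CA above the leaf, not only its direct issuer, which is why a sub-CA's exclusion of guest.example.com rejects the kiosk certificate even though the root imposes nothing; a leaf that carries no name of a constrained form (here, no URI) passes that form's permitted list untouched, matching the "only when the specified name form is present" rule above.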
    To create, duplicate, or edit a certificate authentication profile, complete the following steps:
    1. Choose Users and Identity Stores > Certificate Authentication Profile.
       The Certificate Authentication Profile page appears.
    2. Do one of the following:
    						
    							9
    Managing Users and Identity Stores
     
    Configuring Identity Store Sequences
       - Click Create.
       - Check the check box next to the certificate authentication profile that you want to duplicate, then click Duplicate.
       - Click the certificate authentication profile that you want to modify, or check the check box next to the name and click Edit.
       The Certificate Authentication Profile Properties page appears.
    3. Complete the fields in the Certificate Authentication Profile Properties page as described in Table 64 on page 90:
    Table 64 Certificate Authentication Profile Properties Page
    General
    Name: Enter the name of the certificate authentication profile.
    Description: Enter a description of the certificate authentication profile.
    Certificate Definition
    Principal Username X509 Attribute: Available set of principal username attributes for x509 authentication. The selection includes:
       - Common Name
       - Subject Alternative Name
       - Subject Serial Number
       - Subject
       - Subject Alternative Name - Other Name
       - Subject Alternative Name - EMail
       - Subject Alternative Name - DNS
    Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory: Check this check box if you want to validate certificate information for authentication against a selected LDAP or AD identity store. If you select this option, you must enter the name of the LDAP or AD identity store, or click Select to select the LDAP or AD identity store from the available list.
    4. Click Submit.
       The Certificate Authentication Profile page reappears.
    Related Topics
    Viewing Identity Policies, page 23
    Configuring Identity Store Sequences, page 90
    Creating External LDAP Identity Stores, page 33
    Configuring Identity Store Sequences
    An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists of a single identity store or multiple identity methods. When you use multiple identity methods, you must first define them in an identity store sequence, and then specify the identity store sequence in the identity policy.
    An identity store sequence defines the sequence that is used for authentication and attribute retrieval and an optional additional sequence to retrieve additional attributes.