Cisco ACS 5.7 User Guide
Managing Access Policies: Configuring Access Services

Table 85 Access Service Properties—General Page (continued)

Operation
  You can perform the following three operations:
  Choose ADD to add a new attribute value for the selected RADIUS attribute:
    —If Multiple not allowed—adds the new value for the selected attribute only if this attribute does not exist on the request.
    —If Multiple allowed—always adds the attribute with a new value.
  Choose UPDATE to update the existing value of a selected RADIUS attribute:
    —If Multiple not allowed—updates the attribute value with the new value if the attribute exists on the request.
    —If Multiple allowed—removes all occurrences of this attribute and adds one attribute with the new value.
    —If the attribute is a cisco-avpair (a key=value pair), the update is done according to the key.
  Choose DELETE to delete the value of the selected RADIUS attribute.
  The attribute operation statements are ordered. The administrator can change the order of the statements at configuration time, and ACS performs the operations on the attributes in the configured order. For more information, see RADIUS Attribute Rewrite Operation, page 28.

Attribute New Value
  Enter a new value for the selected RADIUS incoming attribute. This option is not available if you choose the Delete operation.

RADIUS OUTBOUND Attributes Injection
  The RADIUS OUTBOUND attributes section is used to manipulate the outgoing attributes before the proxy server sends them.

Add
  After you define a RADIUS outgoing attribute, click Add to add it to the RADIUS attributes list.

Edit
  To edit a listed RADIUS outgoing attribute, select the attribute in the list and click Edit. The attribute properties appear in the fields. Modify the properties as required, then click Replace.

Replace
  Click Replace to replace the selected RADIUS attribute with the value that is currently defined in this field.

Delete
  Click Delete to delete the selected RADIUS outgoing attribute from the list.

Dictionary Type
  Choose the dictionary that contains the RADIUS outgoing attribute you want to use.

RADIUS Attribute
  Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary.
Table 85 Access Service Properties—General Page (continued)

Attribute Type
  Type of the selected RADIUS attribute. Client vendor type of the attribute, from which ACS allows access requests. For a description of the attribute types, refer to the Cisco IOS documentation for the Cisco IOS Software release that is running on your AAA clients.

Operation
  You can perform the following three operations:
  Choose ADD to add a new attribute value for the selected RADIUS attribute:
    —If Multiple not allowed—adds the new value for the selected attribute only if this attribute does not exist on the request.
    —If Multiple allowed—always adds the attribute with a new value.
  Choose UPDATE to update the existing value of a selected RADIUS attribute:
    —If Multiple not allowed—updates the attribute value with the new value if the attribute exists on the request.
    —If Multiple allowed—removes all occurrences of this attribute and adds one attribute with the new value.
    —If the attribute is a cisco-avpair (a key=value pair), the update is done according to the key.
  Choose DELETE to delete the value of the selected RADIUS attribute.
  The attribute operation statements are ordered. The administrator can change the order of the statements at configuration time, and ACS performs the operations on the attributes in the configured order. For more information, see RADIUS Attribute Rewrite Operation, page 28.

Attribute New Value
  Enter a new value for the selected RADIUS outgoing attribute. This option is not available if you choose the Delete operation.

3. Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 16.

Related Topics
  Configuring Access Service Allowed Protocols, page 16
  Configuring Access Services Templates, page 21

Configuring Access Service Allowed Protocols

The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.

1. Select Access Policies > Access Services, and then click:
   Create to create a new access service, and then click Next to go to the Allowed Protocols screen.
   Duplicate to duplicate an access service, then click Next to go to the Allowed Protocols screen.
   Edit to edit an access service, then click Next to go to the Allowed Protocols screen.
2. Complete the fields as shown in Table 86 on page 17.
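The ADD / UPDATE / DELETE semantics and the ordering rule described for both the inbound and the outbound attribute sections above, as an added Python model; this is example code, not ACS code. It assumes the request is a list of (name, value) pairs, uses a constructed set of attribute names standing in for the dictionary's "Multiple allowed" flag, and interprets the cisco-avpair keyed update as matching on the text before "=" (an UPDATE whose target is absent is treated as a no-op).

```python
# Ordered RADIUS attribute rewrite with the ADD / UPDATE / DELETE semantics
# described above.  Added example, not ACS code.
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for the dictionary's "Multiple allowed" flag.
MULTI_ALLOWED = {"cisco-avpair", "Class", "Reply-Message"}
Attr = Tuple[str, str]  # (attribute name, value); request order is preserved

@dataclass(frozen=True)
class RewriteOp:
    operation: str       # "ADD", "UPDATE" or "DELETE"
    attribute: str       # RADIUS attribute name
    new_value: str = ""  # not used by DELETE

def avpair_key(value: str) -> str:
    """Key part of a cisco-avpair 'key=value' string (whole string if no '=')."""
    return value.split("=", 1)[0].strip()

def _matches(op: RewriteOp, attr: Attr) -> bool:
    """Is attr an occurrence the statement acts on?  A cisco-avpair UPDATE
    identifies the occurrence by its key, as the table describes."""
    name, value = attr
    if name != op.attribute:
        return False
    if op.operation == "UPDATE" and name == "cisco-avpair":
        return avpair_key(value) == avpair_key(op.new_value)
    return True

def apply_op(attrs: List[Attr], op: RewriteOp) -> List[Attr]:
    """Apply one rewrite statement and return the new attribute list."""
    exists = any(_matches(op, a) for a in attrs)
    multi = op.attribute in MULTI_ALLOWED
    if op.operation == "ADD":  # multiple allowed: always add; else only when absent
        return attrs + [(op.attribute, op.new_value)] if multi or not exists else list(attrs)
    if op.operation == "UPDATE":
        if not exists:
            return list(attrs)  # interpretation: nothing to update, leave as is
        if multi:  # remove every occurrence, then add exactly one with the new value
            return [a for a in attrs if not _matches(op, a)] + [(op.attribute, op.new_value)]
        return [(op.attribute, op.new_value) if _matches(op, a) else a for a in attrs]
    if op.operation == "DELETE":
        return [a for a in attrs if a[0] != op.attribute]
    raise ValueError(f"unknown operation {op.operation!r}")

def rewrite(attrs: List[Attr], ops: List[RewriteOp]) -> List[Attr]:
    """Statements are ordered: apply them in the configured order."""
    for op in ops:
        attrs = apply_op(attrs, op)
    return attrs

# Constructed sample Access-Request attributes and rewrite statements.
SAMPLE_REQUEST: List[Attr] = [
    ("User-Name", "alice"), ("Calling-Station-ID", "00-11-22-33-44-55"),
    ("cisco-avpair", "priv-lvl=7"), ("cisco-avpair", "shell:roles=helpdesk"),
    ("Class", "group-a"),
]
SAMPLE_OPS = [
    RewriteOp("UPDATE", "User-Name", "alice@corp.example"),  # single-valued: in place
    RewriteOp("UPDATE", "cisco-avpair", "priv-lvl=15"),      # keyed: replaces priv-lvl only
    RewriteOp("ADD", "Class", "group-b"),                    # multiple allowed: always added
    RewriteOp("ADD", "User-Name", "bob"),                    # already present: ignored
    RewriteOp("DELETE", "Calling-Station-ID"),               # removed entirely
]
```

Running rewrite(SAMPLE_REQUEST, SAMPLE_OPS) shows why statement order matters: swapping a DELETE and an ADD for the same attribute changes whether the attribute survives.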
Table 86 Access Service Properties—Allowed Protocols Page

Process Host Lookup
  Check to configure ACS to process the Host Lookup field (for example, when the RADIUS Service-Type equals 10) and use the System UserName attribute from the RADIUS Calling-Station-ID attribute.
  Uncheck for ACS to ignore the Host Lookup request and use the original value of the system UserName attribute for authentication and authorization. When unchecked, message processing is according to the protocol (for example, PAP).

Authentication Protocols

Allow PAP/ASCII
  Enables PAP/ASCII. PAP uses clear-text passwords (that is, unencrypted passwords) and is the least secure authentication protocol. When you check Allow PAP/ASCII, you can check Detect PAP as Host Lookup to configure ACS to detect this type of request as a Host Lookup (instead of PAP) request in the network access service.

Allow CHAP
  Enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Windows Active Directory.

Allow MS-CHAPv1
  Enables MS-CHAPv1.

Allow MSCHAPv2
  Enables MSCHAPv2.

Allow EAP-MD5
  Enables EAP-based Message Digest 5 hashed authentication. When you check Allow EAP-MD5, you can check Detect EAP-MD5 as Host Lookup to configure ACS to detect this type of request as a Host Lookup (instead of EAP-MD5) request in the network access service.

Allow EAP-TLS
  Enables the EAP-TLS authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies the user identity presented in the EAP Identity response from the end-user client. The user identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between ACS and the end-user client.
  If you choose Allow EAP-TLS, you can configure the following:
    Enable Stateless Session Resume—Check this check box to enable the Stateless Session Resume feature for the access service. This feature enables you to configure the following options:
      —Proactive Session Ticket update—Enter a percentage to indicate how much of the Time to Live must elapse before the session ticket is updated. For example, if you enter 10, the session ticket update occurs after 10 percent of the Time to Live has expired.
      —Session ticket Time to Live—Enter the maximum value as a positive integer in days, weeks, months, or years.
  EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates. See Configuring Local Server Certificates, page 16 for more information.

Allow LEAP
  Enables LEAP authentication.
Table 86 Access Service Properties—Allowed Protocols Page (continued)

Allow PEAP
  Enables the PEAP authentication protocol and PEAP settings. The default inner method is MSCHAPv2. When you check Allow PEAP, you can configure the following PEAP inner methods:
    Allow EAP-TLS—Check to use EAP-TLS as the inner method.
    Allow EAP-MSCHAPv2—Check to use EAP-MSCHAPv2 as the inner method.
      —Allow Password Change—Check for ACS to support password changes.
      —Retry Attempts—Specifies how many times ACS requests user credentials before returning a login failure. Valid values are 1 to 3.
    Allow EAP-GTC—Check to use EAP-GTC as the inner method.
      —Allow Password Change—Check for ACS to support password changes.
      —Retry Attempts—Specifies how many times ACS requests user credentials before returning a login failure. Valid values are 1 to 3.
    Allow PEAP Cryptobinding TLV—Check to use PEAP cryptobinding TLV support.
    Allow PEAPv0 only for legacy clients—Check this option to allow PEAP supplicants to negotiate PEAPv0 only.
    Note: A few legacy clients do not conform to the PEAPv1 protocol standard. As a result, their EAP conversations are dropped with an Invalid EAP payload error message.
Table 86 Access Service Properties—Allowed Protocols Page (continued)

Allow EAP-FAST
  Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2. When you check Allow EAP-FAST, you can configure the EAP-FAST inner methods:
    Allow EAP-MSCHAPv2
      —Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
      —Retry Attempts—Specifies how many times ACS requests user credentials before returning a login failure. Valid values are 1 to 3.
    Allow EAP-GTC
      —Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
      —Retry Attempts—Specifies how many times ACS requests user credentials before returning a login failure. Valid values are 1 to 3.
    Allow TLS-Renegotiation—Check for ACS to support TLS renegotiation. This option allows an anonymous TLS handshake between the end-user client and ACS. EAP-MS-CHAP is used as the only inner method in phase zero.
    Use PACs—Choose to configure ACS to provision authorization PACs for EAP-FAST clients. The additional PAC Options, page 20, appear.
    Don't use PACs—Choose to configure ACS to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and ACS responds with a Success-TLV without a PAC. When you choose this option, you can configure ACS to perform machine authentication.
Table 86 Access Service Properties—Allowed Protocols Page (continued)

Allow EAP-FAST (continued)
  PAC Options
    Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one (1) day.
    Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. ACS initiates the update after the first successful authentication but before the expiration time that is set by the TTL. The Update value is a percentage of the remaining time in the TTL. (Default: 10%)
    Allow Anonymous In-band PAC Provisioning—Check for ACS to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2.
    Note: To enable Anonymous PAC Provisioning, you must choose both inner methods, EAP-MSCHAPv2 and EAP-GTC.
    Allow Authenticated In-band PAC Provisioning—ACS uses Secure Socket Layer (SSL) server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on ACS. When you check this option, you can configure ACS to return an Access-Accept message to the client after successful authenticated PAC provisioning.
    Allow Machine Authentication—Check for ACS to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients that do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When ACS receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the ACS external identity store. After these details are correctly verified, no further authentication is performed.
    Note: ACS 5.7 supports only Active Directory as an external identity store for machine authentication.
    When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When ACS receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
    Enable Stateless Session Resume—Check for ACS to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled). Uncheck this option:
      —If you do not want ACS to provision authorization PACs for EAP-FAST clients.
      —To always perform phase two of EAP-FAST.
    When you check this option, you can enter the authorization period of the user authorization PAC. After this period the PAC expires. When ACS receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
Table 86 Access Service Properties—Allowed Protocols Page (continued)

Preferred EAP protocol
  Select the preferred EAP protocol from the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, EAP-MD5.
  This option helps ACS work with old supplicants (end devices) that are not capable of sending a No-Acknowledgment when a particular protocol is not implemented. You can use this option to place a particular protocol first in the list of protocols that is negotiated with the device, so that the negotiation succeeds.

EAP-TLS L-bit
  Enables the L (length included) flag in access policies. When you perform EAP-TLS authentication against a Terminal Wireless Local Area Network Unit (TWLU) client in ACS 5.x, the TWLU expects an L flag (length included flag) to be set in the change cipher specification and the encrypted handshake message. If you are using the Honeywell TWLU unit, it is recommended to create a group of all TWLU units, create an access policy with the L flag included in it, and use that access policy for all the TWLU units so that other clients are not disturbed. The EAP-TLS L-bit is available at Access Policies > Access Services > Default Network Access > Edit: "Default Network Access" page in the ACS web interface.

Send as User-Name in RADIUS Access-Accept
  RADIUS Access-Request User-Name: Select this option if you want ACS to send the user name that was received in the RADIUS Access-Request in the RADIUS Access-Accept response.
  Principal User Name: Select this option if you want ACS to send the principal name of the certificate that is used to authenticate the user in the RADIUS Access-Accept response.

3. Click Finish to save your changes to the access service.

To enable an access service, you must add it to the service selection policy.

Configuring Access Services Templates

Use a service template to define an access service with policies that are customized to use specific condition types.

1. In Configuring General Access Service Properties, page 13, choose Based on service template and click Select.
2. Complete the fields as described in Table 87 on page 22.
Managing Access Policies: Configuring Access Service Policies

Table 87 Access Services Templates

Device Admin - Simple
  Access Service Type: Device Administration
  Protocols: PAP/ASCII
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions Identity group, NDG:Location, NDG:Device Type, Time and Date; result Shell profile

Device Admin - Command Auth
  Access Service Type: Device Administration
  Protocols: PAP/ASCII
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions Identity group, NDG:Location, NDG: Time and Date; result Command sets

Network Access - Simple
  Access Service Type: Network Access
  Protocols: PEAP, EAP-FAST
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions NDG:Location, Time and date; result Authorization profiles

Network Access - MAC Authentication Bypass
  Access Service Type: Network Access
  Protocols: Process Host Lookup, PAP/ASCII (detect PAP as host lookup) and EAP-MD5 (detect EAP-MD5 as host lookup)
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions Use case; result Authorization profiles

Deleting an Access Service

To delete an access service:

1. Select Access Policies > Access Services. The Access Services page appears with a list of configured services.
2. Check the check boxes of one or more access services that you want to delete.
3. Click Delete; then click OK in the confirmation message. The Access Policies page appears without the deleted access service(s).

Related Topic
  Creating, Duplicating, and Editing Access Services, page 11

Configuring Access Service Policies

You configure access service policies after you create the access service:
  Viewing Identity Policies, page 23
  Configuring Identity Policy Rule Properties, page 26
  Configuring a Group Mapping Policy, page 27
  Configuring a Session Authorization Policy for Network Access, page 30
  Configuring Shell/Command Authorization Policies for Device Administration, page 35

You can configure simple policies that apply the same result to all incoming requests, or you can create rule-based policies.

Note: If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you lose all your rules except for the default rule. ACS automatically uses the default rule as the simple policy.

Before you begin to configure policy rules, you must:
  Configure the policy conditions and results. See Managing Policy Conditions, page 1.
  Select the types of conditions and results that the policy rules apply. See Customizing a Policy, page 4.

For information about configuring policy rules, see:
  Creating Policy Rules, page 37
  Duplicating a Rule, page 38
  Editing Policy Rules, page 39
  Deleting Policy Rules, page 39

Viewing Identity Policies

The identity policy in an access service defines the identity source that ACS uses for authentication and attribute retrieval. ACS can use the retrieved attributes in subsequent policies.

The identity source for:
  Password-based authentication can be a single identity store or an identity store sequence.
  Certificate-based authentication can be a certificate authentication profile or an identity store sequence.

An identity store sequence defines the sequence that is used for authentication and an optional additional sequence to retrieve attributes. See Configuring Identity Store Sequences, page 90.

If you created an access service that includes an identity policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity source for authentication of all requests, or you can configure a rule-based identity policy. In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the identity policy, and you can enable and disable them.

Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple identity policy:

1. Select Access Policies > Access Services > service > Identity, where service is the name of the access service. By default, the Simple Identity Policy page appears with the fields described in Table 88 on page 24.
2. Select an identity source for authentication, or choose Deny Access. You can configure additional advanced options. See Configuring Identity Policy Rule Properties, page 26.
3. Click Save Changes to save the policy.

Viewing Rules-Based Identity Policies

Select Access Policies > Access Services > service > Identity, where service is the name of the access service. By default, the Simple Identity Policy page appears with the fields described in Table 88 on page 24. If configured, the Rules-Based Identity Policy page appears with the fields described in Table 89 on page 25.

Table 88 Simple Identity Policy Page

Policy type
  Defines the type of policy to configure:
    Simple—Specifies the result to apply to all requests.
    Rule-based—Configure rules to apply different results, depending on the request.
  If you switch between policy types, you will lose your previously saved policy configuration.

Identity Source
  Identity source to apply to all requests. The default is Deny Access. For:
    Password-based authentication, choose a single identity store or an identity store sequence.
    Certificate-based authentication, choose a certificate authentication profile or an identity store sequence.
  The identity store sequence defines the sequence that is used for authentication and an optional additional sequence to retrieve attributes. See Configuring Identity Store Sequences, page 90.

Advanced options
  Specifies whether to reject or drop the request, or continue with authentication, for these outcomes:
    If authentication failed—Default is reject.
    If user not found—Default is reject.
    If process failed—Default is drop.
  Owing to restrictions on the underlying protocol, ACS cannot always continue processing when the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS, or Host Lookup. For all other authentication protocols, the request is dropped even if you choose the Continue option.