Home > Cisco > Control System > Cisco Acs 57 User Guide

Cisco Acs 57 User Guide

    Download as PDF Print this page Share this page

    Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    Page
    of 584
    							1
    Cisco Systems, Inc.www.cisco.com
     
    Common Scenarios Using ACS
    Network control refers to the process of controlling access to a network. Traditionally a username and password was 
    used to authenticate a user to a network. Now a days with the rapid technological advancements, the traditional method 
    of managing network access with a username and a password is no longer sufficient.
    The ways in which the users can access the network and what they can access have changed considerably. Hence, you 
    must define complex and dynamic policies to control access to your network.
    For example, earlier, a user was granted access to a network and authorized to perform certain actions based on the 
    group that the user belonged to. Now, in addition to the group that the user belongs to, you must also consider other 
    factors, such as whether:
    The user is trying to gain access within or outside of work hours.
    The user is attempting to gain access remotely.
    The user has full or restricted access to the services and resources.
    Apart from users, you also have devices that attempt to connect to your network.
    When users and devices try to connect to your network through network access servers, such as wireless access points, 
    802.1x switches, and VPN servers, ACS authenticates and authorizes the request before a connection is established.
    Authentication is the process of verifying the identity of the user or device that attempts to connect to a network. ACS 
    receives identity proof from the user or device in the form of credentials. There are two different authentication methods:
    Password-based authentication—A simpler and easier way of authenticating users. The user enters a username and 
    password. The server checks for the username and password in its internal or external databases and if found, grants 
    access to the user. The level of access (authorization) is defined by the rules and conditions that you have created.
    Certificate-based authentication—ACS supports certificate-based authentication with the use of the Extensible 
    Authentication Protocol-Transport Level Security (EAP-TLS) and Protected Extensible Authentication 
    Protocol-Transport Level Security (PEAP-TLS), which uses certificates for server authentication by the client and for 
    client authentication by the server.
    Certificate-based authentication methods provide stronger security and are recommended when compared to 
    password-based authentication methods.
    Authorization determines the level of access that is granted to the user or device. The rule-based policy model in ACS 
    5.x allows you to define complex conditions in rules. ACS uses a set of rules (policy) to evaluate an access request and 
    to return a decision.
    ACS organizes a sequence of independent policies into an access service, which is used to process an access request. 
    You can create multiple access services to process different kinds of access requests; for example, for device 
    administration or network access.
    Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network services and 
    resources (including devices, such as IP phones, printers, and so on). ACS 5.7 is a policy-based access control system 
    that allows you to create complex policy conditions and helps you to comply with the various Governmental regulations.
    When you deploy ACS in your network, you must choose an appropriate authentication method that determines access 
    to your network. 
    						
    							2
    Common Scenarios Using ACS
     
    Overview of Device Administration
    This chapter provides guidelines for some of the common scenarios. This chapter contains:
    Overview of Device Administration, page 2
    Password-Based Network Access, page 5 
    Certificate-Based Network Access, page 8 
    Agentless Network Access, page 11
    VPN Remote Network Access, page 19
    ACS and Cisco Security Group Access, page 21
    RADIUS and TACACS+ Proxy Requests, page 26
    Enabling and Disabling IPv6 for Network Interfaces, page 34
    Overview of Device Administration
    Device administration allows ACS to control and audit the administration operations performed on network devices, by 
    using these methods:
    Session administration—A session authorization request to a network device elicits an ACS response. The response 
    includes a token that is interpreted by the network device which limits the commands that may be executed for the 
    duration of a session. See Session Administration, page 3.
    Command authorization—When an administrator issues operational commands on a network device, ACS is queried 
    to determine whether the administrator is authorized to issue the command. See Command Authorization, page 3.
    Device administration results can be shell profiles or command sets.
    Shell profiles allow a selection of attributes to be returned in the response to the authorization request for a session, with 
    privilege level as the most commonly used attribute. Shell profiles contain common attributes that are used for shell 
    access sessions and user-defined attributes that are used for other types of sessions.
    ACS 5.7 allows you to create custom TACACS+ authorization services and attributes. You can define:
    Any A-V pairs for these attributes.
    The attributes as either optional or mandatory.
    Multiple A-V pairs with the same name (multi-part attributes).
    ACS also supports task-specific predefined shell attributes. Using the TACACS+ shell profile, you can specify custom 
    attributes to be returned in the shell authorization response. See TACACS+ Custom Services and Attributes, page 4.
    Command sets define the set of commands, and command arguments, that are permitted or denied. The received 
    command, for which authorization is requested, is compared against commands in the available command sets that are 
    contained in the authorization results.
    If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If 
    multiple results are found in the rules that are matched, they are consolidated and a single permit or deny result for the 
    command is returned, as described in these conditions:
    If an explicit deny-always setting exists in any command set, the command is denied.
    If no explicit deny-always setting exists in a command set, and any command set returns a permit result, the 
    command is permitted.
    If either of the previous two conditions are not met, the command is denied. 
    						
    							3   
    Common Scenarios Using ACS
    Overview of Device Administration
    You configure the permit and deny settings in the device administration rule table. You configure policy elements within 
    a device administration rule table as conditions that are or not met. The rule table maps specific request conditions to 
    device administration results through a matching process. The result of rule table processing is a shell profile or a 
    command set, dependent on the type of request.
    Session administration requests have a shell profile result, which contains values of attributes that are used in session 
    provisioning. Command authorization requests have a command authorization result, which contains a list of command 
    sets that are used to validate commands and arguments.
    This model allows you to configure the administrator levels to have specific device administration capabilities. For 
    example, you can assign a user the Network Device Administrator role which provides full access to device administration 
    functions, while a Read Only Admin cannot perform administrative functions.
    Session Administration
    The following steps describe the flow for an administrator to establish a session (the ability to communicate) with a 
    network device:
    1.An administrator accesses a network device.
    2.The network device sends a RADIUS or TACACS+ access request to ACS.
    3.ACS uses an identity store (external LDAP, Active Directory, RSA, RADIUS Identity Server, or internal ACS identity 
    store) to validate the administrator’s credentials.
    4.The RADIUS or TACACS+ response (accept or reject) is sent to the network device. The accept response also 
    contains the administrator’s maximum privilege level, which determines the level of administrator access for the 
    duration of the session.
    To configure a session administration policy (device administration rule table) to permit communication:
    1.Configure the TACACS+ protocol global settings and user authentication option. See Configuring TACACS+ 
    Settings, page 1.
    2.Configure network resources. See Network Devices and AAA Clients, page 5.
    3.Configure the users and identity stores. See Managing Internal Identity Stores, page 4 or Managing External Identity 
    Stores, page 29.
    4.Configure shell profiles according to your needs. See Creating, Duplicating, and Editing a Shell Profile for Device 
    Administration, page 22.
    5.Configure an access service policy. See Access Service Policy Creation, page 4.
    6.Configure a service selection policy. See Service Selection Policy Creation, page 4.
    7.Configure an authorization policy (rule table). See Configuring a Session Authorization Policy for Network Access, 
    page 30.
    Command Authorization
    This topic describes the flow for an administrator to issue a command to a network device.
    Note: The device administration command flow is available for the TACACS+ protocol only.
    1.An administrator issues a command to a network device.
    2.The network device sends an access request to ACS. 
    						
    							4
    Common Scenarios Using ACS
     
    Overview of Device Administration
    3.ACS optionally uses an identity store (external Lightweight Directory Access Protocol [LDAP], Active Directory, 
    RADIUS Identity Server, or internal ACS identity store) to retrieve user attributes which are included in policy 
    processing.
    4.The response indicates whether the administrator is authorized to issue the command.
    To configure a command authorization policy (device administration rule table) to allow an administrator to issue 
    commands to a network device:
    1.Configure the TACACS+ protocol global settings and user authentication option. See Configuring TACACS+ 
    Settings, page 1.
    2.Configure network resources. See Network Devices and AAA Clients, page 5.
    3.Configure the users and identity stores. See Managing Internal Identity Stores, page 4 or Managing External Identity 
    Stores, page 29.
    4.Configure command sets accor d i n g  t o  yo u r  n e e d s .  S e e  Creating, Duplicating, and Editing Command Sets for Device 
    Administration, page 27.
    5.Configure an access service policy. See Access Service Policy Creation, page 4.
    6.Configure a service selection policy. See Service Selection Policy Creation, page 4.
    7.Configure an authorization policy (rule table). See Configuring Shell/Command Authorization Policies for Device 
    Administration, page 35.
    Related Topics
    Network Devices and AAA Clients, page 5
    Configuring System Administrators and Accounts, page 3
    Managing Users and Identity Stores, page 1
    Managing External Identity Stores, page 29
    Managing Policy Conditions, page 1
    Managing Access Policies, page 1
    TACACS+ Custom Services and Attributes
    This topic describes the configuration flow to define TACACS+ custom attributes and services.
    1.Create a custom TACACS+ condition to move to TACACS+ service on request. To do this:
    a.Go to Policy Elements > Session Conditions > Custom and click Create.
    b.Create a custom TACACS+ condition. See Creating, Duplicating, and Editing a Custom Session Condition, 
    page 5.
    2.Create an access service for Device Administration with the TACACS+ shell profile as the result. See Configuring 
    Shell/Command Authorization Policies for Device Administration, page 35.
    3.Create custom TACACS+ attributes. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, 
    page 22. 
    						
    							5   
    Common Scenarios Using ACS
    Password-Based Network Access
    Password-Based Network Access
    This section contains the following topics:
    Overview of Password-Based Network Access, page 5
    Password-Based Network Access Configuration Flow, page 6
    For more information about password-based protocols, see Authentication in ACS 5.7, page 1
    Overview of Password-Based Network Access
    The use of a simple, unencrypted username and password is not considered a strong authentication mechanism but can 
    be sufficient for low authorization or privilege levels such as Internet access.
    Encryption reduces the risk of password capture on the network. Client and server access-control protocols, such as 
    RADIUS encrypt passwords to prevent them from being captured within a network. However, RADIUS operates only 
    between the AAA client and ACS. Before this point in the authentication process, unauthorized persons can obtain 
    clear-text passwords, in these scenarios:
    The communication between an end-user client dialing up over a phone line
    An ISDN line terminating at a network-access server
    Over a Telnet session between an end-user client and the hosting device
    ACS supports various authentication methods for authentication against the various identity stores that ACS supports. 
    For more information about authentication protocol identity store compatibility, see Authentication Protocol and Identity 
    Store Compatibility, page 32.
    Passwords can be processed by using these password-authentication protocols based on the version and type of 
    security-control protocol used (for example, RADIUS), and the configuration of the AAA client and end-user client.
    You can use different levels of security with ACS concurrently, for different requirements. Password Authentication 
    Protocol (PAP) provides a basic security level. PAP provides a very basic level of security, but is simple and convenient 
    for the client. MSCHAPv2 allows a higher level of security for encrypting passwords when communicating from an 
    end-user client to the AAA client. 
    Note: During password-based access (or certificate-based access), the user is not only authenticated but also 
    authorized according to the ACS configuration. And if NAS sends accounting requests, the user is also accounted.
    ACS supports the following password-based authentication methods:
    Plain RADIUS password authentication methods
    —RADIUS-PAP
    —RADIUS-CHAP
    —RADIUS-MSCHAPv1
    —RADIUS-MSCHAPv2
    RADIUS EAP-based password authentication methods
    —PEAP-MSCHAPv2
    —PEAP-GTC
    —EAP-FAST-MSCHAPv2 
    						
    							6
    Common Scenarios Using ACS
     
    Password-Based Network Access
    —EAP-FAST-GTC
    —EAP-MD5
    —LEAP
    You must choose the authentication method based on the following factors:
    The network access server—Wireless access points, 802.1X authenticating switches, VPN servers, and so on.
    The client computer and software—EAP supplicant, VPN client, and so on.
    The identity store that is used to authenticate the user—Internal or External (AD, LDAP, RSA token server, or RADIUS 
    identity server).
    Related Topics
    Authentication in ACS 5.7, page 1
    Password-Based Network Access Configuration Flow, page 6
    Network Devices and AAA Clients, page 5
    Managing Access Policies, page 1
    Password-Based Network Access Configuration Flow
    This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. 
    The information about how to configure the tasks is located in the relevant task chapters. 
    To configure password-based network access:
    1.Configure network devices and AAA clients. 
    a.In the Network Devices and AAA Clients, page 5, configure the Authentication Setting as RADIUS.
    b.Enter the Shared Secret.
    See Network Devices and AAA Clients, page 5, for more information. 
    2.Configure the users and identity stores. For more information, see Managing Users and Identity Stores, page 1
    3.Define policy conditions and authorization profiles. For more information, see Managing Policy Elements, page 1
    4.Define an access service. For more information, see Creating, Duplicating, and Editing Access Services, page 11. 
    a.Set the Access Service Type to Network Access.
    b.Select one of the ACS-supported protocols in the Allowed Protocols Page and follow the steps in the Action 
    column in Table 11 on page 7.
    5.Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing 
    Service Selection Rules, page 7.
    6.Return to the service that you created and in the Authorization Policy Page, define authorization rules. For more 
    information, see Configuring Access Service Policies, page 22. 
    						
    							7   
    Common Scenarios Using ACS
    Password-Based Network Access
    For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, 
    RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you need to configure only the protocol in the 
    Allowed Protocols page as defined in Table 11 on page 7.
    Some of the complex EAP protocols require additional configuration:
    For EAP-TLS, you must also configure:
    —The EAP-TLS settings under System Administration > Configuration > EAP-TLS Settings.
    —A local server certificate under System Administration > Configuration > Local Server Certificates > Local 
    Certificates.
    —A CA certificate under Users and Identity Stores > Certificate Authorities.
    For PEAP, you must also configure:
    Table 11 Network Access Authentication Protocols
    Protocol Action
    Process Host Lookup 
    (MAB)In the Allowed Protocols Page, choose Process Host Lookup.
    RADIUS PAP In the Allowed Protocols Page, choose Allow PAP/ASCII.
    RADIUS CHAP In the Allowed Protocols Page, choose Allow CHAP.
    RADIUS MSCHAPv1 In the Allowed Protocols Page, choose Allow MS-CHAPv1.
    RADIUS MSCHAPv2 In the Allowed Protocols Page, choose Allow MS-CHAPv2.
    EAP-MD5 In the Allowed Protocols Page, choose Allow EAP-MD5.
    LEAP In the Allowed Protocols Page, choose Allow LEAP.
    PEAP In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-MSCHAPv2 
    or EAP-GTC or both.
    EAP-FAST1.In the Allowed Protocols Page, choose Allow EAP-FAST to enable the EAP-FAST settings.
    2.For the EAP-FAST inner method, choose EAP-MSCHAPv2 or EAP-GTC or both.
    3.Select Allow Anonymous In-Band PAC Provisioning or Allow Authenticated In-Band PAC 
    Provisioning or both.
    For Windows machine authentication against Microsoft AD and for the change password 
    feature:
    1.Click the Use PACS radio button. For details about PACs, see About PACs, page 20.
    2.Check Allow Authenticated In-Band PAC Provisioning.
    3.Check Allow Machine Authentication. 
    4.Enter the Machine PAC Time to Live.
    5.Check Enable Stateless Session Resume. 
    6.Enter the Authorization PAC Time to Live.
    7.Check Preferred EAP Protocol to set the preferred protocol from the list.
    8.Check EAP-TLS L-bit to set the Length included flag in the access policies. 
    						
    							8
    Common Scenarios Using ACS
     
    Certificate-Based Network Access
    —The inner method in the Allowed Protocols page and specify whether password change is allowed.
    —The PEAP settings under System Administration > Configuration > PEAP Settings.
    —Local server certificates under System Administration > Configuration > Local Server Certificates > Local 
    Certificates.
    For EAP-FAST, you must also configure:
    —The inner method in the Allowed Protocols page and specify whether password change is allowed.
    —Whether or not to use PACs and if you choose to use PACs, you must also specify how to allow in-band PAC 
    provisioning.
    —The EAP-FAST settings under System Administration > Configuration > EAP-FAST > Settings.
    —A local server certificate under System Administration > Configuration > Local Server Certificates > Local 
    Certificates (Only if you enable authenticated PAC provisioning).
    Related Topics
    Authentication in ACS 5.7, page 1
    Network Devices and AAA Clients, page 5
    Managing Access Policies, page 1
    Creating, Duplicating, and Editing Access Services, page 11
    About PACs, page 20
    Certificate-Based Network Access
    This section contains the following topics:
    Overview of Certificate-Based Network Access, page 8
    Using Certificates in ACS, page 9
    Certificate-Based Network Access, page 9
    For more information about certificate-based protocols, see Authentication in ACS 5.7, page 1
    Overview of Certificate-Based Network Access
    Before using EAP-TLS, you must install a computer certificate on ACS. The installed computer certificate must be issued 
    from a CA that can follow a certificate chain to a root CA that the access client trusts. 
    Additionally, in order for ACS to validate the user or computer certificate of the access client, you must install the 
    certificate of the root CA that issued the user or computer certificate to the access clients.
    ACS supports certificate-based network access through the EAP-TLS protocol, which uses certificates for server 
    authentication by the client and for client authentication by the server. 
    Other protocols, such as PEAP or the authenticated-provisioning mode of EAP-FAST also make use of certificates for 
    server authentication by the client, but they cannot be considered certificate-based network access because the server 
    does not use the certificates for client authentication.
    ACS Public Key Infrastructure (PKI) certificate-based authentication is based on X509 certificate identification. The entity 
    which identifies itself with a certificate holds a private-key that correlates to the public key stored in the certificate.  
    						
    							9   
    Common Scenarios Using ACS
    Certificate-Based Network Access
    A certificate can be self-signed or signed by another CA. A hierarchy of certificates can be made to form trust relations 
    of each entity to its CA. The trusted root CA is the entity that signs the certificate of all other CAs and eventually signs 
    each certificate in its hierarchy.
    ACS identifies itself with its own certificate. ACS supports a certificate trust list (CTL) for authorizing connection 
    certificates. ACS also supports complex hierarchies that authorize an identity certificate when all of the chain certificates 
    are presented to it. 
    ACS supports several RSA key sizes used in the certificate that are 512, 1024, 2048, or 4096 bits. Other key sizes may 
    be used. ACS 5.7 supports RSA. ACS does not support the Digital Signature Algorithm (DSA). However, in some use 
    cases, ACS will not prevent DSA cipher suites from being used for certificate-based authentication.
    All certificates that are used for network access authentication must meet the requirements for X.509 certificates and 
    work for connections that use SSL/TLS. After this minimum requirement is met, the client and server certificates have 
    additional requirements.
    You can configure two types of certificates in ACS:
    Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates.
    Local certificate—Also known as local server certificate. The client uses the local certificate with various protocols to 
    authenticate the ACS server. This certificate is maintained in association with its private key, which is used to prove 
    possession of the certificate.
    During certificate-based access (or password-based access), the user is not only authenticated but also authorized 
    according to the ACS configuration. And if NAS sends accounting requests, the user is also accounted.
    Note: ACS does not support wild card certificates.
    Related Topics
    Configuring CA Certificates, page 83
    Configuring Local Server Certificates, page 16
    Using Certificates in ACS, page 9
    Using Certificates in ACS
    The three use cases for certificates in ACS 5.7 are:
    Certificate-Based Network Access, page 9
    Authorizing the ACS Web Interface from Your Browser Using a Certificate, page 11
    Validating an LDAP Secure Authentication Connection, page 11
    Certificate-Based Network Access 
    For TLS- related EAP and PEAP protocols, you must set up a server certificate from the local certificate store and a trust 
    list certificate to authenticate the client. You can choose the trust certificate from any of the certificates in the local 
    certificate store.
    To use EAP-TLS or PEAP (EAP-TLS), you must obtain and install trust certificates. The information about how to perform 
    the tasks is located in the relevant task chapters.
    Before you Begin:
    Set up the server by configuring: 
    						
    							10
    Common Scenarios Using ACS
     
    Certificate-Based Network Access
    EAP-TLS or PEAP (EAP-TLS)
    The local certificate. See Configuring Local Server Certificates, page 16.
    To configure certificate-based network access for EAP-TLS or PEAP (EAP-TLS):
    1.Configure the trust certificate list. See Configuring CA Certificates, page 83, for more information.
    2.Configure the LDAP external identity store. You might want to do this to verify the certificate against a certificate 
    stored in LDAP. See Creating External LDAP Identity Stores, page 33, for details.
    3.Set up the Certificate Authentication Profile. See Configuring Certificate Authentication Profiles, page 89, for details.
    4.Configure policy elements. See Managing Policy Conditions, page 1, for more information.
    You can create custom conditions to use the certificate’s attributes as a policy condition. See Creating, Duplicating, 
    and Editing a Custom Session Condition, page 5, for details.
    5.Create an access service. See Configuring Access Services, page 10, for more information.
    6.In the Allowed Protocols Page, choose EAP-TLS or PEAP (EAP-TLS) as inner method.
    7.Configure identity and authorization policies for the access service. See Configuring Access Service Policies, 
    page 22, for details.
    Note: When you create rules for the identity policy, the result may be the Certificate Authentication Profile or an 
    Identity Sequence. See Viewing Identity Policies, page 23, for more information.
    8.Configure the Authorization Policies. See Configuring a Session Authorization Policy for Network Access, page 30.
    9.Configure the Service Selection Policy. See Configuring the Service Selection Policy, page 5.
    Related Topics
    Configuring Local Server Certificates, page 16
    Configuring CA Certificates, page 83
    Authentication in ACS 5.7, page 1
    Table 12 Network Access Authentication Protocols
    Protocol Action
    EAP-TLS In the Allowed Protocols Page, choose Allow EAP-TLS to enable the EAP-TLS settings.
    Enable Stateless Session resume—Check this check box to enable the Stateless Session 
    Resume feature per Access service. This feature enables you to configure the following 
    options:
    —Proactive Session Ticket update—Enter the value as a percentage to indicate how much 
    of the Time to Live must elapse before the session ticket is updated. For example, the 
    session ticket update occurs after 10 percent of the Time to Live has expired, if you enter 
    the value 10.
    —S e ss i o n  t i c ke t  Ti m e  to  Li ve—Enter the equivalent maximum value in days, weeks, months, 
    and years, using a positive integer. 
    PEAP In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-TLS or 
    PEAP Cryptobinding TLV.  
    						
    All Cisco manuals Comments (0)