Cisco ACS 5.7 User Guide
11 Common Scenarios Using ACS Agentless Network Access

Overview of EAP-TLS, page 5

Authorizing the ACS Web Interface from Your Browser Using a Certificate

You use HTTPS certificate-based authentication to connect to ACS with your browser. The Local Server Certificate in ACS is used to authorize the ACS web interface from your browser. ACS does not support browser authentication (mutual authentication is not supported).

A default Local Server Certificate is installed on ACS so that you can connect to ACS with your browser. The default certificate is a self-signed certificate and cannot be modified during installation.

Related Topics
Using Certificates in ACS, page 9
Configuring Local Server Certificates, page 16

Validating an LDAP Secure Authentication Connection

You can define a secure authentication connection for the LDAP external identity store by using a CA certificate to validate the connection.

To validate an LDAP secure authentication connection using a certificate:

1. Configure an LDAP external identity store. See Creating External LDAP Identity Stores, page 33.
2. In the LDAP Server Connection page, check Use Secure Authentication.
3. Select Root CA from the drop-down menu and continue with the LDAP configuration for ACS.

Related Topics
Using Certificates in ACS, page 9
Configuring Local Server Certificates, page 16
Managing External Identity Stores, page 29

Agentless Network Access

This section contains the following topics:
Overview of Agentless Network Access, page 11
Host Lookup, page 12
Agentless Network Access Flow, page 15

For more information about protocols used for network access, see Authentication in ACS 5.7, page 1.

Overview of Agentless Network Access

Agentless network access refers to the mechanisms used to perform port-based authentication and authorization in cases where the host device does not have the appropriate agent software, for example a host device that has no 802.1x supplicant, or one on which the supplicant is disabled.
802.1x must be enabled on the host device and on the switch to which the device connects. If a host or device without an 802.1x supplicant attempts to connect to a port that is enabled for 802.1x, it is subjected to the default security policy. The default security policy says that 802.1x authentication must succeed before access to the network is granted. Therefore, by default, non-802.1x-capable devices cannot get access to an 802.1x-protected network.

Although many devices increasingly support 802.1x, there will always be devices that require network connectivity but do not, or cannot, support 802.1x. Examples of such devices include network printers, badge readers, and legacy servers. You must make some provision for these devices.

Cisco provides two features to accommodate non-802.1x devices: MAC Authentication Bypass (Host Lookup) and Guest VLAN access by using web authentication.

ACS 5.7 supports the Host Lookup fallback mechanism when there is no 802.1x supplicant. After 802.1x times out on a port, the port can move to an open state if Host Lookup is configured and succeeds.

Related Topics
Host Lookup, page 12
Agentless Network Access Flow, page 15

Host Lookup

ACS uses Host Lookup as the validation method when an identity cannot be authenticated according to credentials (for example, a password or certificate) and ACS needs to validate the identity by doing a lookup in the identity stores.

An example of using Host Lookup is when a network device is configured to request MAC Authentication Bypass (MAB). This can happen after 802.1x times out on a port or if the port is explicitly configured to perform authentication bypass. When MAB is implemented, the host connects to the network access device. The device detects the absence of the appropriate software agent on the host and determines that it must identify the host according to its MAC address. The device sends a RADIUS request with service-type=10 and the MAC address of the host to ACS in the calling-station-id attribute.

Some devices might be configured to implement the MAB request by sending PAP or EAP-MD5 authentication with the MAC address of the host in the user name, user password, and CallingStationID attributes, but without the service-type=10 attribute.

While most use cases for Host Lookup are to obtain a MAC address, there are other scenarios where a device requests to validate a different parameter, and the calling-station-id attribute contains this value instead of the MAC address (for example, an IP address in Layer 3 use cases). Table 13 on page 13 describes the RADIUS parameters required for Host Lookup use cases.
ACS supports Host Lookup for the following identity stores:
Internal hosts
External LDAP
Internal users
Active Directory

You can access Active Directory via the LDAP API.

You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in the Internal Users identity store and you prefer not to move the data to the Internal Hosts identity store. ACS uses the MAC format (XX-XX-XX-XX-XX-XX) and no other conversions are possible. To search the Internal Users identity store using the User-Name attribute (for example, xx:xx:xx:xx:xx:xx), leave the Process Host Lookup option unchecked; ACS then handles the request as a PAP request.

When MAC address authentication over PAP or EAP-MD5 is not detected according to the Host Lookup configuration, authentication and authorization occur like regular user authentication over PAP or EAP-MD5. You can use any identity store that supports these authentication protocols. ACS uses the MAC address format as presented in the RADIUS User-Name attribute.

Related Topics
Creating an Access Service for Host Lookup, page 17
Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 25
Managing Users and Identity Stores, page 1
Authentication with Call Check, page 13

Authentication with Call Check

When ACS identifies a network access request with the call check attribute as Host Lookup (RADIUS::ServiceType = 10), ACS authenticates (validates) and authorizes the host by looking up the value in the Calling-Station-ID attribute (for example, the MAC address) in the configured identity store, according to the authentication policy.

When ACS receives a RADIUS message, it performs basic parsing and validation, and then checks whether the Call Check attribute, RADIUS ServiceType (6), is equal to the value 10. If the RADIUS ServiceType is equal to 10, ACS sets the system dictionary attribute UseCase to the value Host Lookup.

Table 13   RADIUS Attributes for Host Lookup Use Cases

Attribute                 PAP          802.1x                               EAP-MD5
RADIUS::ServiceType       —            Call check (with PAP or EAP-MD5)     —
RADIUS::UserName          MAC address  Any value (usually the MAC address)  MAC address
RADIUS::UserPassword      MAC address  Any value (usually the MAC address)  MAC address
RADIUS::CallingStationID  MAC address  MAC address                          MAC address
In the ACS packet processing flow, the detection of Host Lookup according to the Call Check service-type is done before the service selection policy. It is possible to use the condition UseCase equals Host Lookup in the service selection policy.

Initially, when RADIUS requests are processed, the RADIUS User-Name attribute is copied to the System UserName attribute. When the RADIUS Service-Type equals 10, the RADIUS Calling-Station-ID attribute is copied to the System UserName attribute, and it overrides the RADIUS User-Name attribute value.

ACS supports four MAC address formats:
Six groups of two hexadecimal digits, separated by hyphens: 01-23-45-67-89-AB
Six groups of two hexadecimal digits, separated by colons: 01:23:45:67:89:AB
Three groups of four hexadecimal digits, separated by dots: 0123.4567.89AB
Twelve consecutive hexadecimal digits without any separators: 0123456789AB

If the Calling-Station-ID attribute is in one of the four supported MAC address formats above, ACS copies it to the User-Name attribute in the format XX-XX-XX-XX-XX-XX. If the MAC address is in a format other than one of the four above, ACS copies the string as is.

Process Service-Type Call Check

You may not want to copy the CallingStationID attribute value to the System UserName attribute value. When the Process Host Lookup option is checked, ACS uses the System UserName attribute that was copied from the RADIUS User-Name attribute. When the Process Host Lookup option is not checked, ACS ignores the HostLookup field and uses the original value of the System UserName attribute for authentication and authorization. The request processing continues according to the message protocol, for example according to the RADIUS User-Name and User-Password attributes for PAP. For setting the Process Host Lookup option, see Creating an Access Service for Host Lookup, page 17.
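The detection and normalization steps described in this section, together with the PAP/EAP-MD5 detection that the next section covers, modelled in Python as an added example. This is not code from Cisco ACS or from its documentation: the attribute names follow the RADIUS names used in the text, the `protocol` field and the two access-service option keys are this model's own, and treating a PAP/EAP-MD5 request as MAC authentication when User-Name and Calling-Station-ID carry the same MAC address is an assumption (the text says only that the MAC is carried in both).

```python
"""Model of the ACS Host Lookup detection flow described in this chapter.

Added example; not code from Cisco ACS or its documentation. It models:
  * before service selection: RADIUS Service-Type (attribute 6) == 10, the
    Call Check value, sets the System attribute UseCase to "Host Lookup" and
    copies Calling-Station-ID over the System UserName;
  * the four accepted MAC formats are rewritten to XX-XX-XX-XX-XX-XX and any
    other Calling-Station-ID string is copied as is;
  * after service selection: an access service with "Detect PAP/EAP-MD5 as
    Host Lookup" checked re-classifies a PAP or EAP-MD5 request carrying the
    MAC address as a Host Lookup request; User-Password is not consulted.
Assumption (not stated in the text): a PAP/EAP-MD5 request counts as MAC
authentication when User-Name and Calling-Station-ID are the same MAC.
"""
import re

SERVICE_TYPE_CALL_CHECK = 10   # RADIUS Service-Type value for Call Check
HOST_LOOKUP = "Host Lookup"

_HEX2 = "[0-9A-Fa-f]{2}"
_HEX4 = "[0-9A-Fa-f]{4}"
# The four MAC address formats ACS accepts.
_MAC_FORMATS = (
    re.compile(rf"^{_HEX2}(?:-{_HEX2}){{5}}$"),   # 01-23-45-67-89-AB
    re.compile(rf"^{_HEX2}(?::{_HEX2}){{5}}$"),   # 01:23:45:67:89:AB
    re.compile(rf"^{_HEX4}(?:\.{_HEX4}){{2}}$"),  # 0123.4567.89AB
    re.compile(r"^[0-9A-Fa-f]{12}$"),             # 0123456789AB
)


def is_supported_mac(value):
    """True if value is written in one of the four supported MAC formats."""
    return any(p.match(value) for p in _MAC_FORMATS)


def normalize_mac(value):
    """Rewrite a supported MAC format to XX-XX-XX-XX-XX-XX; copy anything else as is."""
    if not is_supported_mac(value):
        return value
    digits = re.sub(r"[-:.]", "", value).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def preprocess(request):
    """Stage 1, before service selection: build the System attributes.

    User-Name is copied to System UserName first; a Call Check request then
    overrides it with the normalized Calling-Station-ID.
    """
    system = {"UserName": request.get("User-Name", ""), "UseCase": None}
    if request.get("Service-Type") == SERVICE_TYPE_CALL_CHECK:
        system["UseCase"] = HOST_LOOKUP
        system["UserName"] = normalize_mac(request.get("Calling-Station-Id", ""))
    return system


def detect_pap_eapmd5(request, system, service):
    """Stage 2, after service selection: the access service's
    "Detect PAP/EAP-MD5 as Host Lookup" option.  A request already classified
    by Call Check is left alone.
    """
    if system["UseCase"] == HOST_LOOKUP or not service["detect_pap_eapmd5_as_host_lookup"]:
        return system
    if request.get("protocol") not in service["allowed_protocols"]:
        return system
    user_name = request.get("User-Name", "")
    csid = request.get("Calling-Station-Id", "")
    # User-Password is deliberately ignored by the detection algorithm.
    if is_supported_mac(user_name) and normalize_mac(user_name) == normalize_mac(csid):
        system = dict(system, UseCase=HOST_LOOKUP, UserName=normalize_mac(csid))
    return system


def classify(request, service):
    """Run both stages and return the resulting System attributes."""
    return detect_pap_eapmd5(request, preprocess(request), service)


# Constructed access-service settings and RADIUS requests; not captured traffic.
MAB_SERVICE = {"detect_pap_eapmd5_as_host_lookup": True, "allowed_protocols": {"PAP", "EAP-MD5"}}
PLAIN_SERVICE = {"detect_pap_eapmd5_as_host_lookup": False, "allowed_protocols": {"PAP", "EAP-MD5"}}

SAMPLE_REQUESTS = {
    # Switch sends Call Check; the MAC is in dotted form, User-Name is arbitrary.
    "call_check": {"Service-Type": 10, "User-Name": "switch-port-7",
                   "Calling-Station-Id": "0123.4567.89ab", "protocol": "PAP"},
    # Call Check carrying a Layer 3 address: not a MAC, so copied as is.
    "call_check_ip": {"Service-Type": 10, "User-Name": "host",
                      "Calling-Station-Id": "192.0.2.10"},
    # MAB implemented as PAP: MAC in User-Name, User-Password and
    # Calling-Station-ID, without Service-Type 10.
    "pap_mab": {"User-Name": "0123456789ab", "User-Password": "0123456789ab",
                "Calling-Station-Id": "01:23:45:67:89:ab", "protocol": "PAP"},
    # Ordinary PAP user login; must stay a regular authentication.
    "pap_user": {"User-Name": "alice", "User-Password": "s3cret",
                 "Calling-Station-Id": "01-23-45-67-89-AB", "protocol": "PAP"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:14s} {classify(req, MAB_SERVICE)}")
```

Running the module prints the System attributes produced for each constructed request. The ordering is the point to keep in mind when writing policy: the Call Check classification happens before service selection and is therefore available as a condition there, while the PAP/EAP-MD5 re-classification happens inside the access service after service selection, so the model applies it only once the service has been chosen.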
PAP/EAP-MD5 Authentication

When a device is configured to use PAP or EAP-MD5 for MAC address authentication, you can configure ACS to detect the request as a Host Lookup request within the network access service. The device sends the request with the host's MAC address in the User-Name, User-Password, and Calling-Station-ID attributes. If you do not configure ACS to detect Host Lookup, the access request is handled as a regular PAP or EAP-MD5 authentication request.

If you check the Process HostLookup field and select PAP or EAP-MD5, ACS places the HostLookup value in the ACS::UseCase attribute. The User-Password attribute is ignored for the detection algorithm. ACS follows the authentication process as if the request were using the call check attribute, and processes it as a Host Lookup (Service-Type=10) request. The RADIUS dictionary attribute ACS::UseCase is set to the value HostLookup.

The Detect Host Lookup option for PAP and EAP-MD5 MAC authentication is applied after the service selection policy. If a service selection rule is configured to match ACS::UseCase = Host Lookup, the request falls into the Host Lookup category.

If ACS is not configured to detect PAP or EAP-MD5 authentications as MAC authentication flows, ACS does not consider the Detect Host Lookup option. These requests are handled like a regular user request for authentication, and ACS looks for the username and password in the selected identity store.

Related Topics
Creating an Access Service for Host Lookup, page 17
Managing Access Policies, page 1
Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 25
Managing Users and Identity Stores, page 1

Agentless Network Access Flow

This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters.

Perform these tasks in the order listed to configure agentless network access in ACS:

1. Configure network devices and AAA clients. This is the general task to configure network devices and AAA clients in ACS and is not specific to agentless network access. Select Network Resources > Network Devices and AAA Clients and click Create. See Network Devices and AAA Clients, page 5.
2. Configure an identity store for internal hosts. Configure an internal identity store (see Adding a Host to an Internal Identity Store, page 16) or configure an external identity store (see Configuring an LDAP External Identity Store for Host Lookup, page 16). For more information, see Managing Users and Identity Stores, page 1.
3. Configure the identity group. See Configuring an Identity Group for Host Lookup Network Access Requests, page 17. For more information, see Managing Users and Identity Stores, page 1.
4. Define policy elements and authorization profiles for Host Lookup requests. For more information, see Managing Policy Elements, page 1.
5. Create an empty service by defining an access service for Host Lookup. For more information, see Creating an Access Service for Host Lookup, page 17.
6. Return to the service that you created:
   a. Define an identity policy. For more information, see Configuring an Identity Policy for Host Lookup Requests, page 18.
      ACS has the option to look for host MAC addresses in multiple identity stores. For example, MAC addresses can be in the Internal Hosts identity store, in one of the configured LDAP identity stores, or in the Internal Users identity store. The MAC address lookup may be in one of the configured identity stores, and the MAC attributes may be fetched from a different identity store that you configured in the identity sequence.
      You can configure ACS to continue processing a Host Lookup request even if the MAC address was not found in the identity store. An administrator can define an authorization policy based on this event, regardless of whether or not the MAC address was found.
      The ACS::UseCase attribute is available for selection in the Authentication Policy, but is not mandatory for Host Lookup support.
   b. Return to the service that you created.
   c. Define an authorization policy. For more information, see Configuring an Authorization Policy for Host Lookup Requests, page 18.
7. Define the service selection.
8. Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 7.

Related Topics
Managing Users and Identity Stores, page 1
Managing Access Policies, page 1

Adding a Host to an Internal Identity Store

To configure an internal identity store for Host Lookup:

1. Choose Users and Identity Store > Internal Identity Stores > Hosts and click Create. See Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 25, for more information.
2. Fill in the fields as described in the Users and Identity Stores > Internal Identity Store > Hosts > Create Page.
3. Click Submit.

Previous Step: Network Devices and AAA Clients, page 5
Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 17

Configuring an LDAP External Identity Store for Host Lookup

To configure an LDAP external identity store for Host Lookup:

1. Choose Users and Identity Stores > External Identity Stores > LDAP and click Create. See Creating External LDAP Identity Stores, page 33, for more information.
2. Follow the steps for creating an LDAP database. In the LDAP: Directory Organization page, choose the MAC address format. The format you choose represents the way MAC addresses are stored in the LDAP external identity store.
3. Click Finish.

Previous Step: Network Devices and AAA Clients, page 5
Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 17

Related Topics
Creating External LDAP Identity Stores, page 33
Deleting External LDAP Identity Stores, page 41

Configuring an Identity Group for Host Lookup Network Access Requests

To configure an identity group for Host Lookup network access requests:

1. Choose Users and Identity Store > Identity Groups and click Create. See Managing Identity Attributes, page 7, for more information.
2. Fill in the fields as required. The identity group may be any agentless device, such as a printer or phone.
3. Click Submit.

Previous Steps:
Adding a Host to an Internal Identity Store, page 16
Configuring an LDAP External Identity Store for Host Lookup, page 16
Next Step: Creating an Access Service for Host Lookup, page 17

Related Topic
Managing Identity Attributes, page 7

Creating an Access Service for Host Lookup

You create an access service and then enable agentless host processing.

To create an access service for Host Lookup:

1. Choose Access Policies > Access Service, and click Create. See Configuring Access Services, page 10, for more information.
2. Fill in the fields as described in the Access Service Properties—General page:
   a. In the Service Structure section, choose User Selected Policy Structure.
   b. Set the Access Service Type to Network Access and define the policy structure.
   c. Select Network Access, and check Identity and Authorization. The group mapping and External Policy options are optional.
   d. Make sure you select Process Host Lookup.
   If you want ACS to detect PAP or EAP-MD5 authentications for MAC addresses (see PAP/EAP-MD5 Authentication, page 14) and process them as Host Lookup requests (for example, MAB requests), complete the following steps:
   e. Select one of the ACS-supported protocols for MAB in the Allowed Protocols page (EAP-MD5 or PAP).
   f. Check Detect PAP/EAP-MD5 as Host Lookup.
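What the access service created above does with a Host Lookup request once its identity and authorization policies are in place (steps 6a and 6c of the Agentless Network Access Flow), modelled in Python as an added example. This is not code from Cisco ACS or its documentation: the store contents, identity-group names and authorization-profile names are constructed sample data, and the rule representation (a dict of conditions, with the `continue_if_host_not_found` flag standing for the option to continue processing when the MAC address is not found) is this model's own.

```python
"""Model of the identity and authorization policies of a Host Lookup access
service: the identity sequence over several stores, the option to continue
when the MAC address is not found, and authorization rules that match on the
Use Case condition and on whether the host was found.

Added example; not code from Cisco ACS or its documentation. Store contents,
identity-group and authorization-profile names are constructed sample data;
the rule representation (a dict of conditions, None meaning "any value") and
the continue_if_host_not_found flag are this model's own.
"""
from dataclasses import dataclass

HOST_LOOKUP = "Host Lookup"


@dataclass
class IdentityStore:
    name: str
    hosts: dict   # MAC in XX-XX-XX-XX-XX-XX form -> attribute dict


def run_identity_sequence(mac, lookup_stores, attribute_stores):
    """Look the MAC up in lookup_stores in order; once found, also fetch
    attributes from attribute_stores (the text allows the MAC attributes to
    come from a different store than the one that matched)."""
    for store in lookup_stores:
        if mac in store.hosts:
            attrs = dict(store.hosts[mac])
            for extra in attribute_stores:
                attrs.update(extra.hosts.get(mac, {}))
            return {"found": True, "store": store.name, "attributes": attrs}
    return {"found": False, "store": None, "attributes": {}}


def _rule_matches(rule, context):
    """Every condition must equal the context value; None means 'any'."""
    return all(v is None or context.get(k) == v for k, v in rule["conditions"].items())


def evaluate(system, identity_rules, authz_rules):
    """Identity policy, then authorization policy, for one request.

    system is the System attribute set after Host Lookup detection: UserName
    holds the normalized MAC, UseCase is "Host Lookup" or None.
    """
    context = {"UseCase": system["UseCase"]}
    ident_rule = next((r for r in identity_rules if _rule_matches(r, context)), None)
    if ident_rule is None:
        return {"result": "reject", "reason": "no identity rule matched"}
    ident = run_identity_sequence(system["UserName"], ident_rule["lookup_stores"],
                                  ident_rule["attribute_stores"])
    if not ident["found"] and not ident_rule["continue_if_host_not_found"]:
        return {"result": "reject", "reason": "host not found"}
    # The authorization policy can see whether the host was found and act on it.
    context.update(host_found=ident["found"],
                   identity_group=ident["attributes"].get("identity_group"))
    authz = next((r for r in authz_rules if _rule_matches(r, context)), None)
    if authz is None:
        return {"result": "reject", "reason": "no authorization rule matched"}
    return {"result": "accept", "profile": authz["profile"], "store": ident["store"]}


# Constructed sample stores; not a real inventory.
INTERNAL_HOSTS = IdentityStore("Internal Hosts", {
    "00-11-22-33-44-55": {"identity_group": "Printers"},
})
LDAP_HOSTS = IdentityStore("Corp LDAP", {
    "66-77-88-99-AA-BB": {"identity_group": "Badge Readers"},
    "00-11-22-33-44-55": {"location": "Floor 2"},   # extra attribute for the printer
})

IDENTITY_RULES = [{
    "conditions": {"UseCase": HOST_LOOKUP},          # the Use Case = Host Lookup condition
    "lookup_stores": [INTERNAL_HOSTS, LDAP_HOSTS],
    "attribute_stores": [LDAP_HOSTS],
    "continue_if_host_not_found": True,
}]

AUTHZ_RULES = [
    {"conditions": {"UseCase": HOST_LOOKUP, "host_found": True, "identity_group": "Printers"},
     "profile": "Printer-VLAN"},
    {"conditions": {"UseCase": HOST_LOOKUP, "host_found": True, "identity_group": "Badge Readers"},
     "profile": "Badge-Reader-VLAN"},
    {"conditions": {"UseCase": HOST_LOOKUP, "host_found": False}, "profile": "Guest-VLAN"},
]


def decide(mac, use_case=HOST_LOOKUP, continue_if_not_found=True):
    """Run one request through both policies with the sample rules."""
    rules = [dict(IDENTITY_RULES[0], continue_if_host_not_found=continue_if_not_found)]
    return evaluate({"UserName": mac, "UseCase": use_case}, rules, AUTHZ_RULES)


if __name__ == "__main__":
    for mac in ("00-11-22-33-44-55", "66-77-88-99-AA-BB", "DE-AD-BE-EF-00-01"):
        print(mac, decide(mac))
    print("unknown, no continue:", decide("DE-AD-BE-EF-00-01", continue_if_not_found=False))
```

The last authorization rule together with the continue flag is where the access decision for unknown hosts lives: with `continue_if_host_not_found` on, an unknown MAC reaches the authorization policy and the rule on `host_found` = False decides what it receives (here a restricted profile); with it off, the request is rejected before authorization runs, and an unknown MAC that matches no authorization rule is rejected as well.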
Related Topics
Managing Access Policies, page 1
Authentication in ACS 5.7, page 1
Authentication with Call Check, page 13
Process Service-Type Call Check, page 14

Configuring an Identity Policy for Host Lookup Requests

To configure an identity policy for Host Lookup requests:

1. Choose Access Policies > Access Services > Identity. See Viewing Identity Policies, page 23, for details.
2. Select Customize to customize the authorization policy conditions. A list of conditions appears. This list includes identity attributes, system conditions, and custom conditions. See Customizing a Policy, page 4, for more information.
3. Select Use Case from the Available customized conditions and move it to the Selected conditions.
4. In the Identity Policy Page, click Create.
   a. Enter a Name for the rule.
   b. In the Conditions area, check Use Case, then check whether the value should or should not match.
   c. Select Host Lookup and click OK. This attribute selection ensures that while processing the access request, ACS will look for the host and not for an IP address.
   d. Select any of the identity stores that support host lookup as your Identity Source.
   e. Click OK.
5. Click Save Changes.

Related Topic
Managing Access Policies, page 1

Configuring an Authorization Policy for Host Lookup Requests

To configure an authorization policy for Host Lookup requests:

1. Choose Access Policies > Access Services > Authorization. See Configuring a Session Authorization Policy for Network Access, page 30, for details.
2. Select Customize to customize the authorization policy conditions. A list of conditions appears. This list includes identity attributes, system conditions, and custom conditions. See Customizing a Policy, page 4, for more information.
3. Select Use Case from the Available customized conditions and move it to the Selected conditions.
4. Select Authorization Profiles from the customized results, move it to the Selected conditions, and click OK.
5. In the Authorization Policy Page, click Create.
   a. Enter a Name for the rule.
   b. In the Conditions area, check Use Case, then check whether the value should or should not match.
   c. Select Host Lookup and click OK. This attribute selection ensures that while processing the access request, ACS will look for the host and not for an IP address.
   d. Select an Authorization Profile from the authorization profiles and move it to the Selected results column.
   e. Click OK.
6. Click Save Changes.

Related Topic
Managing Access Policies, page 1

VPN Remote Network Access

A remote access Virtual Private Network (VPN) allows you to connect securely to a private company network from the public Internet. You could be accessing your company's network from home or elsewhere. The VPN is connected to your company's perimeter network (DMZ). A VPN gateway can manage simultaneous VPN connections.

Related Topics
Supported Authentication Protocols, page 19
Supported Identity Stores, page 20
Supported VPN Network Access Servers, page 20
Supported VPN Clients, page 20
Configuring VPN Remote Access Service, page 21

Supported Authentication Protocols

ACS 5.7 supports the following protocols for inner authentication inside the VPN tunnel:
RADIUS/PAP
RADIUS/CHAP
RADIUS/MS-CHAPv1
RADIUS/MS-CHAPv2

With the use of the MS-CHAPv1 or MS-CHAPv2 protocols, ACS can generate MPPE keys that are used for encryption of the tunnel that is created.

Related Topics
VPN Remote Network Access, page 19
Supported Identity Stores, page 20
Supported VPN Network Access Servers, page 20
Supported VPN Clients, page 20
Configuring VPN Remote Access Service, page 21

Supported Identity Stores

ACS can perform VPN authentication against the following identity stores:
ACS internal identity store: RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAP-v1, and RADIUS/MS-CHAP-v2
Active Directory: RADIUS/PAP, RADIUS/MS-CHAP-v1, and RADIUS/MS-CHAP-v2
LDAP: RADIUS/PAP
RSA SecurID Server: RADIUS/PAP
RADIUS Token Server: RADIUS/PAP (dynamic OTP)

Related Topics
VPN Remote Network Access, page 19
Supported Authentication Protocols, page 19
Supported VPN Network Access Servers, page 20
Supported VPN Clients, page 20
Configuring VPN Remote Access Service, page 21

Supported VPN Network Access Servers

ACS 5.7 supports the following VPN network access servers:
Cisco ASA 5500 Series
Cisco VPN 3000 Series

Related Topics
VPN Remote Network Access, page 19
Supported Authentication Protocols, page 19
Supported Identity Stores, page 20
Supported VPN Clients, page 20
Configuring VPN Remote Access Service, page 21

Supported VPN Clients

ACS 5.7 supports the following VPN clients:
Cisco VPN Client 5.0 Series
Cisco Clientless SSL VPN (WEBVPN)