Cisco ACS 5.7 User Guide
Common Scenarios Using ACS
RADIUS and TACACS+ Proxy Requests

Example: Callback-ID (attribute Multiple NOT allowed)

On the access accept response from the RADIUS server:
    Callback-ID NOT on the access accept response
Attribute operation statement:
    Callback-ID ADD 1223
Result of the add attribute operation on the response sent to the client device:
    Callback-ID=1223

If the Callback-ID is on the original access accept response, ACS does not perform the add operation in this example. If multiple attributes are allowed, the add operation always adds the attribute with a new value.

Example: Login-IP-Host (attribute Multiple allowed)

On the access accept response from the RADIUS server:
    Login-IP-Host=10.58.23.192
Attribute operation statement:
    Login-IP-Host ADD 10.58.1.1
Result of the attribute operation on the response sent to the client device:
    Login-IP-Host=10.58.23.192
    Login-IP-Host=10.58.1.1

Updating Attributes in Outbound RADIUS Responses

This option is used to update the existing value of a selected RADIUS attribute. If multiple attributes are not allowed, the update operation updates the existing attribute with a new value only if the attribute exists in the access accept response. If multiple attributes are allowed, the update operation removes all occurrences of this attribute and adds one attribute with the new value.

Example: Login-IP-Host (attribute Multiple allowed)

On the access accept response from the RADIUS server:
    Login-IP-Host=10.58.23.192
    Login-IP-Host=10.58.1.1
Attribute operation statement:
    Login-IP-Host UPDATE 10.11.11.11
Result of the attribute operation on the response sent to the client device:
    Login-IP-Host=10.11.11.11

If the attribute is cisco-avpair (a key=value pair), the update is done according to the key.

Example: cisco-avpair

On the access accept response from the RADIUS server:
    cisco-avpair = url-redirect=www.cisco.com
    cisco-avpair = url-redirect=www.yahoo.com
    cisco-avpair = cmd=show
Attribute operation statement:
    cisco-avpair UPDATE new value:[url-redirect=www.google.com]
Result of the attribute operation on the response sent to the client device:
    cisco-avpair = url-redirect=www.google.com
    cisco-avpair = cmd=show

Deleting Attributes from Outbound RADIUS Responses

This option is used to delete the value of RADIUS outbound attributes.

Example: Login-IP-Host (attribute Multiple allowed)

On the access accept response from the RADIUS server:
    Login-IP-Host=10.56.21.190
Attribute operation statement:
    Login-IP-Host DELETE
Result of the attribute operation on the response sent to the client device:
    Attribute Login-IP-Host is not in the access accept response.

Related Topics
- Supported Protocols, page 32
- Supported RADIUS Attributes, page 33
- Configuring Proxy Service, page 34

Supported Protocols

The RADIUS proxy feature in ACS supports the following protocols:
- Forwarding for all RADIUS protocols
- All EAP protocols
- Protocols not supported by ACS itself (the ACS proxy does not take part in the protocol conversation; it only forwards the requests)
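The ADD, UPDATE and DELETE semantics described above, as an added example that is not ACS code: the "multiple allowed" flags, the rule that an UPDATE of an absent multi-valued attribute is a no-op, and the sample responses are assumptions constructed for illustration.

```python
# Added example, not ACS code: models the outbound RADIUS attribute operations
# (ADD, UPDATE, DELETE) as the section describes them. MULTIPLE_ALLOWED, the
# "absent attribute -> UPDATE is a no-op" rule and the samples are assumptions.
from typing import List, Tuple

Attr = Tuple[str, str]  # (attribute name, value) as it appears in an Access-Accept

# Whether an attribute may occur more than once (values taken from the examples).
MULTIPLE_ALLOWED = {"Callback-ID": False, "Login-IP-Host": True, "cisco-avpair": True}


def _avpair_key(value: str) -> str:
    # cisco-avpair values have the form key=value; UPDATE matches on the key.
    return value.split("=", 1)[0]


def add_attr(resp: List[Attr], name: str, value: str) -> List[Attr]:
    present = any(n == name for n, _ in resp)
    if present and not MULTIPLE_ALLOWED.get(name, False):
        return list(resp)           # single-valued attribute already present: no-op
    return resp + [(name, value)]   # absent, or multi-valued: append a new instance


def update_attr(resp: List[Attr], name: str, value: str) -> List[Attr]:
    if name == "cisco-avpair":      # key-based update: only pairs with the same key
        key = _avpair_key(value)
        match = lambda n, v: n == name and _avpair_key(v) == key
    else:
        match = lambda n, v: n == name
    if not any(match(n, v) for n, v in resp):
        return list(resp)           # attribute (or avpair key) absent: no-op (assumption)
    out: List[Attr] = []
    replaced = False
    for n, v in resp:
        if not match(n, v):
            out.append((n, v))
        elif not replaced:          # first occurrence takes the new value ...
            out.append((name, value))
            replaced = True         # ... every further occurrence is removed


    return out


def delete_attr(resp: List[Attr], name: str) -> List[Attr]:
    # DELETE removes every instance of the attribute from the response.
    return [(n, v) for n, v in resp if n != name]


def apply_ops(resp: List[Attr], ops: List[Tuple[str, str, str]]) -> List[Attr]:
    # ops are (operation, attribute, value) statements, e.g. ("ADD", "Callback-ID", "1223").
    for op, name, value in ops:
        if op == "DELETE":
            resp = delete_attr(resp, name)
        else:
            resp = (add_attr if op == "ADD" else update_attr)(resp, name, value)
    return resp
```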
Note: The ACS proxy cannot support protocols that use encrypted RADIUS attributes.

The TACACS+ proxy feature in ACS supports the following authentication types:
- PAP
- ASCII
- CHAP
- MSCHAP

Related Topics
- RADIUS and TACACS+ Proxy Requests, page 26
- Supported RADIUS Attributes, page 33
- Configuring Proxy Service, page 34

Supported RADIUS Attributes

The following supported RADIUS attributes are encrypted:
- User-Password
- CHAP-Password
- Message-Authenticator
- MPPE-Send-Key and MPPE-Recv-Key
- Tunnel-Password
- LEAP Session Key
- Cisco AV-Pair

TACACS+ Body Encryption

When ACS receives a packet from a NAS with an encrypted body (the TAC_PLUS_UNENCRYPTED_FLAG header flag is 0x0), ACS decrypts the body using the data shared between the NAS and ACS (the shared secret and the session ID) and then encrypts the body using the data shared between ACS and the TACACS+ proxy server. If the packet body is in cleartext, ACS resends it to the TACACS+ server in cleartext.

Connection to TACACS+ Server

ACS supports a single connection to another TACACS+ server (the TAC_PLUS_SINGLE_CONNECT_FLAG is 1). If the remote TACACS+ server does not support multiplexing TACACS+ sessions over a single TCP connection, ACS opens and closes a connection for each session.

Related Topics
- RADIUS and TACACS+ Proxy Requests, page 26
- Supported Protocols, page 32
- Configuring Proxy Service, page 34
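The re-encryption step from the TACACS+ Body Encryption section above, as an added example that is not ACS code: it removes the body obfuscation applied with the NAS-side secret and reapplies it with the secret shared with the upstream server, using the pad derivation of the TACACS+ specification (RFC 8907); the secrets, session IDs and sample body are constructed, and the idea that the proxy may use its own session ID upstream is an assumption.

```python
# Added example, not ACS code: a proxy re-keying a TACACS+ packet body as the
# section describes. Pad derivation per RFC 8907; secrets, session IDs and the
# sample body are constructed, and a separate upstream session ID is assumed.
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is cleartext when set


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    # pad_1 = MD5(session_id, key, version, seq_no); pad_n = MD5(same prefix, pad_n-1)
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    # XOR with the pad is its own inverse: the same call obfuscates and de-obfuscates.
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def proxy_rekey(flags: int, body: bytes, version: int, seq_no: int,
                nas_session_id: int, nas_secret: bytes,
                srv_session_id: int, srv_secret: bytes) -> bytes:
    # Cleartext bodies (flag set) are forwarded unchanged, as the text states.
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    clear = xor_body(body, nas_session_id, nas_secret, version, seq_no)
    # At this point the proxy holds the plaintext body (possibly a password):
    # it has both secrets and full visibility, so it sits inside the trust boundary.
    return xor_body(clear, srv_session_id, srv_secret, version, seq_no)


# Constructed sample values standing in for a real authentication body.
SAMPLE_BODY = b"constructed TACACS+ body: user=alice pw=[placeholder]"
NAS_SID, NAS_KEY = 0x1234ABCD, b"nas-shared-secret"
SRV_SID, SRV_KEY = 0x00C0FFEE, b"server-shared-secret"
VERSION, SEQ = 0xC0, 1


def demo() -> bytes:
    # What the upstream server recovers after the proxy re-keys the NAS's packet.
    from_nas = xor_body(SAMPLE_BODY, NAS_SID, NAS_KEY, VERSION, SEQ)
    to_server = proxy_rekey(0x00, from_nas, VERSION, SEQ, NAS_SID, NAS_KEY, SRV_SID, SRV_KEY)
    return xor_body(to_server, SRV_SID, SRV_KEY, VERSION, SEQ)
```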
Configuring Proxy Service

To configure proxy services:
1. Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplicating, and Editing External Proxy Servers, page 19.
2. Configure an External proxy service. For information on how to configure an External proxy service, see Configuring General Access Service Properties, page 13. You must select the User Selected Service Type option and choose External proxy as the Access Service Policy Structure in the Access Service Properties - General page.
3. After you configure the allowed protocols, click Finish to complete your External proxy service configuration.

Related Topics
- RADIUS and TACACS+ Proxy Requests, page 26
- Supported Protocols, page 32
- Supported RADIUS Attributes, page 33

Enabling and Disabling IPv6 for Network Interfaces

ACS 5.7 provides the capability to disable the IPv6 stack for all interfaces or for a specific interface. By default, IPv6 is enabled on all interfaces. You can enable or disable the IPv6 stack from the ACS CLI in configuration mode. You should restart the ACS services for the IPv6 change to take effect, even though the CLI only prompts for a confirmation. When you disable IPv6 at the global level, you cannot enable it at the interface level. Even when IPv6 is disabled, ACS still allows IPv6 static address configuration, which is shown in the running configuration; however, it is not used. For more information on the ipv6 enable command and its usage, see the CLI Reference Guide for Cisco Secure Access Control System 5.7.
Cisco Systems, Inc. www.cisco.com

Understanding My Workspace

The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer and Mozilla Firefox browsers. For more information on supported browser versions, see Release Notes for Cisco Secure Access Control System 5.7.

The web interface not only makes viewing and administering ACS possible, but it also allows you to monitor and report on any event in the network. These reports track connection activity, show which users are currently logged in, list the failed authentication and authorization attempts, and so on.

The My Workspace drawer contains:
- Welcome Page, page 1
- Task Guides, page 2
- My Account Page, page 2
- Login Banner, page 3
- Using the Web Interface, page 3
- Importing and Exporting ACS Objects Through the Web Interface, page 18
- Common Errors, page 24
- Accessibility, page 26

Welcome Page

The Welcome page appears when you start ACS, and it provides shortcuts to common ACS tasks and links to information. You can return to the Welcome page at any time during your ACS session. To return to this page, choose My Workspace > Welcome.

Table 14 Welcome Page (Field: Description)
- Before You Begin: Contains a link to a section that describes the ACS policy model and associated terminology.
- Getting Started: Links in this section launch the ACS Task Guides, which provide step-by-step instructions on how to accomplish ACS tasks.
- Quick Start: Opens the Task Guide for the Quick Start scenario. These steps guide you through a minimal system setup to get ACS going quickly in a lab, evaluation, or demonstration environment.
- Initial System Setup: Opens the Task Guide for initial system setup. This scenario guides you through the steps that are required to set up ACS for operation as needed; many steps are optional.
- Policy Setup Steps: Opens the Task Guide for policy setup. This scenario guides you through the steps that are required to set up ACS policies.
- New in ACS 5: Options in this section link to topics in the ACS online help. Click an option to open the online help window, which displays information for the selected topic. Use the links in the online help topics and in the Contents pane of the online help to view more information about ACS features and tasks.
- Tutorials & Other Resources: Provides links to an Introduction Overview video and to a configuration guide that provides step-by-step instructions for common ACS scenarios.

In ACS 5.7, you can also see a banner on the Welcome page. You can customize this After Login banner text from the Login Banner page.

Task Guides

From the My Workspace drawer, you can access Task Guides. When you click any of the tasks, a frame opens on the right side of the web interface. This frame contains step-by-step instructions, as well as links to additional information.

ACS provides the following task guides:
- Quick Start—Lists the minimal steps that are required to get ACS up and running quickly.
- Initial System Setup—Lists the required steps to set up ACS for basic operations, including information about optional steps.
- Policy Setup Steps—Lists the required steps to define ACS access control policies.

My Account Page

Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in certain procedures. See Configuring System Administrators and Accounts, page 3 to configure the appropriate administrator privileges.

Use the My Account page to update and change the administrator password for the administrator that is currently logged in to ACS. To display this page, choose My Workspace > My Account.
Table 15 My Account Page (Field: Description)
- General: Read-only fields that display information about the currently logged-in administrator: administrator name, description, and e-mail address (if available).
- Change Password: Displays the rules for password definition according to the password policy. To change your password:
    1. In the Password field, enter your current password.
    2. In the New Password field, enter a new password.
    3. In the Confirm Password field, enter your new password again.
- Assigned Roles: Displays the roles that are assigned to the currently logged-in administrator.

Related Topics
- Configuring Authentication Settings for Administrators, page 11
- Changing the Administrator Password, page 25

Login Banner

ACS 5.7 supports customizing the login banner text. You can set two banner texts: one displayed before login and another displayed after login. You configure them from the Login Banner page. The copyright statement is the default for both banners. ACS 5.7 displays the role of the ACS instance in the login banners; the role can be primary, primary log collector, secondary, or secondary log collector.

You can also configure login banners for the ACS CLI. To display a banner text before and after logging in to the ACS CLI, use the banner command in EXEC mode. Banners configured using the banner command from the ACS CLI are not reflected in the ACS web interface, whereas banners configured in the ACS web interface do affect the ACS CLI banner. For more information on the banner command, see the CLI Reference Guide for Cisco Secure Access Control System.

Note: ACS does not support the ' and " symbols in login banner text.

To customize the login banner, choose My Workspace > Login Banner.

Table 16 Login Banner Page (Field: Description)
- Before Login: Enter the text that you want to display in the banner before login.
- After Login: Enter the text that you want to display in the banner after login.

Using the Web Interface

You can configure and administer ACS through the ACS web interface, in which you can access pages, perform configuration tasks, and view interface configuration errors. This section describes:
- Accessing the Web Interface, page 4
- Understanding the Web Interface, page 5
- Common Errors, page 24
- Accessibility, page 26

Accessing the Web Interface

The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer and Mozilla Firefox browsers. For more information on supported browser versions, see Release Notes for Cisco Secure Access Control System 5.7.

This section contains:
- Logging In, page 4
- Logging Out, page 5

Logging In

To log in to the ACS web interface for the first time after installation:
1. Enter the ACS URL in your browser, for example, https://acs_host/acsadmin, https://[IPv6 address]/acsadmin, or https://ipv4 address/acsadmin, where acs_host is the IP address or Domain Name System (DNS) hostname. The DNS hostname works for IPv6 when the given IP address is resolvable to both IPv4 and IPv6 formats.
    Note: Launching the ACS web interface using IPv6 addresses is not supported in Mozilla Firefox versions 4.x or later.
    The login page appears.
2. Enter ACSAdmin in the Username field; the value is not case-sensitive.
3. Enter default in the Password field; the value is case-sensitive. This password (default) is valid only when you log in for the first time after installation. Click Reset to clear the Username and Password fields and start over, if needed.
4. Click Login or press Enter. The login page reappears, prompting you to change your password. ACS prompts you to change your password the first time you log in to the web interface after installation, and in other situations depending on the authentication settings configured in ACS.
5. Enter default in the Old Password field, and enter a new password in the New Password and Confirm Password fields. If you forget your password, use the acs reset-password command to reset your password to default. See the CLI Reference Guide for Cisco Secure Access Control System 5.7 for more information.
6. Click Login or press Enter. You are prompted to install a valid license.
    Note: The license page appears only the first time that you log in to ACS.
7. See Installing a License File, page 38 to install a valid license.
    If your login is successful, the main page of the ACS web interface appears. If your login is unsuccessful, the following error message appears: Access Denied. Please contact your Security Administrator for assistance. The Username and Password fields are cleared.
8. Re-enter the valid username and password, and click Login.

Note: When you use Internet Explorer to view the ACS web interface with the Enhanced Security Configuration (ESC) enabled, pages and pop-ups of the ACS web interface may not display correctly. To overcome this issue, disable the ESC in the Internet Explorer settings.

Logging Out

Click Logout in the ACS web interface header to end your administrative session. A dialog box appears asking if you are sure you want to log out of ACS. Click OK.

Caution: For security reasons, Cisco recommends that you log out of ACS when you complete your administrative session. If you do not log out, the ACS web interface logs you out if your session remains inactive for a configurable period of time, and does not save any unsubmitted configuration data. See Configuring Session Idle Timeout, page 13 for configuring the session idle timeout.

Understanding the Web Interface

The following sections explain the ACS web interface:
- Web Interface Design, page 6
- Header, page 6
- Navigation Pane, page 7
- Content Area, page 8
Web Interface Design

Figure 3 on page 6 shows the overall design of the ACS web interface.

Figure 3 ACS Web Interface

The interface contains:
- Header, page 6
- Navigation Pane, page 7
- Content Area, page 8

Header

Use the header to:
- Identify the current user (your username)
- Access the online help
- Log out
- Access the About information, where you can find which ACS web interface version is installed

These items appear on the right side of the header (see Figure 4 on page 6).

Figure 4 Header

Related Topics
- Navigation Pane, page 7
- Content Area, page 8