Cisco Acs 5x User Guide
Page 171
8-19 User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, Chapter 8 Managing Users and Identity Stores, Managing Internal Identity Stores. Policies and Identity Attributes, page 3-17. Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18. Management Hierarchy: Management Hierarchy enables the administrator to give access permission to internal users or internal hosts according to their level in the organization's management hierarchy. A...
Page 172
8-20 The administrator can configure any level of hierarchy while defining management centers or AAA client locations. The syntax for the ManagementHierarchy attribute is: : : Examples: 1. Location:All Locations:ManagementCenter1 2. Location:All Locations:ManagementCenter1:Customer 1 The administrator can configure multiple values for management hierarchy....
Page 173
8-21 Related Topics: Configuring and Using HostIsInManagementHierarchy Attributes, page 8-21. Configuring and Using HostIsInManagementHierarchy Attributes: To configure and use the HostIsInManagementHierarchy attribute, complete the following steps: Step 1: Create ManagementHierarchy and HostIsInManagementHierarchy attributes for internal hosts. See...
Page 174
8-22 Managing External Identity Stores: ACS 5.3 integrates with external identity systems in a number of ways. You can leverage an external authentication service, or use an external system to obtain the attributes needed to authenticate a principal, as well as to integrate those attributes into an ACS policy. For example, ACS can leverage Microsoft AD to...
Page 175
8-23 Configuring LDAP Groups, page 8-33. Viewing LDAP Attributes, page 8-34. Directory Service: The directory service is a software application, or a set of applications, for storing and organizing information about a computer network's users and network resources. You can use the directory service to manage user access to these resources. The LDAP...
Page 176
8-24 Failover: ACS 5.3 supports failover between a primary LDAP server and a secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication request fails because ACS could not connect to an LDAP server, for example when the server is down or is otherwise unreachable by ACS. To use this feature, you must...
Page 177
8-25 Possible reasons for an LDAP server to return bind (authentication) errors are: Filtering errors: a search using filter criteria fails. Parameter errors: invalid parameters were entered. User account is restricted (disabled, locked out, expired, password expired, and so on). The following errors are logged as external resource errors, indicating a...
Page 178
8-26 Unsigned Integer 32; IPv4 Address. For unsigned integer and IPv4 attributes, ACS converts the strings it has retrieved to the corresponding data types. If conversion fails, or if no values are retrieved for the attributes, ACS logs a debug message but does not fail the authentication or the lookup process. You can optionally configure default...
Page 179
8-27 Step 5: Continue with Configuring an External LDAP Server Connection, page 8-27. Note: NAC Guest Server can also be used as an external LDAP server. For the procedure to use NAC Guest Server as an external LDAP server, see: http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_sponsor.html#wp1070105. Related Topic: Deleting External...
Page 180
8-28 Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and allows the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a...