
Cisco Acs 5x User Guide


Page 71

4-7
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4      Common Scenarios Using ACS
  Password-Based Network Access
Password-Based Network Access Configuration Flow
This topic describes the end-to-end flow for password-based network access and lists the tasks that you 
must perform. The information about how to configure the tasks is located in the relevant task chapters. 
To configure password-based network access:
Step 1 Configure network devices and AAA clients. 
a. In the...

Page 72

For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, 
RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you 
need to configure only the protocol in the Allowed Protocols page as defined in Table 4-1.
Some of the complex EAP protocols require additional configuration:
For EAP-TLS, you must also configure:
–The...

Page 73

Related Topics
Authentication in ACS 5.3, page B-1
Network Devices and AAA Clients, page 7-5
Managing Access Policies, page 10-1
Creating, Duplicating, and Editing Access Services, page 10-12
About PACs, page B-21
Certificate-Based Network Access
This section contains the following topics:
Overview of Certificate-Based Network Access, page 4-9
Using...

Page 74

You can configure two types of certificates in ACS:
Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification 
of remote certificates.
Local certificate—Also known as local server certificate. The client uses the local certificate with 
various protocols to authenticate the ACS server. This certificate is maintained in...

Page 75

Step 4 Configure policy elements. See Managing Policy Conditions, page 9-1, for more information.
You can create custom conditions to use the certificate’s attributes as a policy condition. See Creating, 
Duplicating, and Editing a Custom Session Condition, page 9-5, for details.
Step 5 Create an access service. See Configuring Access Services, page 10-11, for...

Page 76

Validating an LDAP Secure Authentication Connection 
You can define a secure authentication connection for the LDAP external identity store, by using a CA 
certificate to validate the connection.
To validate an LDAP secure authentication connection using a certificate:
Step 1 Configure an LDAP external identity store. See Creating External LDAP Identity Stores, page...

Page 77

  Agentless Network Access
Cisco provides two features to accommodate devices that lack an 802.1X supplicant: MAC Authentication 
Bypass (Host Lookup) and Guest VLAN access by using web authentication. 
ACS 5.3 supports the Host Lookup fallback mechanism when there is no 802.1X supplicant. After 802.1X 
times out on a port, the port can move to an open state if Host Lookup is configured and...

Page 78

Internal users 
Active Directory
You can access the Active Directory via the LDAP API. 
You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already 
listed in the Internal Users identity store, and you prefer not to move the data to the Internal Hosts 
identity store. 
ACS uses the MAC format (XX-XX-XX-XX-XX-XX) and no...

Page 79

Process Service-Type Call Check
You may not want to copy the CallingStationID attribute value to the System UserName attribute value. 
When the Process Host Lookup option is checked, ACS uses the System UserName attribute that was 
copied from the RADIUS User-Name attribute. 
When the Process Host Lookup option is not checked, ACS ignores the HostLookup field and...
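The two passages above (Host Lookup against an identity store keyed by MAC in XX-XX-XX-XX-XX-XX form, and the Process Host Lookup / Service-Type Call Check handling) are easier to reason about with a small model of the decision. The following is an added example, not code from the Cisco guide or from ACS itself: the internal host table, the RADIUS attribute names, and the rule that a request counts as Host Lookup only when Service-Type is Call-Check and User-Name matches Calling-Station-Id are all assumptions for illustration, not ACS's exact logic.

```python
"""Host Lookup (MAC Authentication Bypass) decision model.

Added example; not code from the Cisco ACS 5.3 guide. The host table, the
attribute names and the decision rule are assumptions for illustration.
"""
import re

# Constructed sample Internal Hosts store, keyed by MAC in the
# XX-XX-XX-XX-XX-XX form the guide says ACS uses.
INTERNAL_HOSTS = {
    "00-1B-21-3C-4D-5E": {"description": "IP phone, floor 2", "enabled": True},
    "AC-DE-48-00-11-22": {"description": "printer", "enabled": False},
}

# RADIUS Service-Type value 10 = Call-Check (RFC 2865), the value a NAS
# doing MAB sends for a host lookup.
SERVICE_TYPE_CALL_CHECK = 10

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Return the MAC in XX-XX-XX-XX-XX-XX form, or None if it is not a MAC.

    Accepts the forms different NAS types put in Calling-Station-Id or
    User-Name: 00:1b:21:3c:4d:5e, 00-1B-21-3C-4D-5E, 001b.213c.4d5e,
    001B213C4D5E. Anything that is not exactly 12 hex digits is rejected.
    """
    if raw is None:
        return None
    hexdigits = re.sub(r"[:.\-\s]", "", raw.strip()).upper()
    if not _HEX12.match(hexdigits):
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_host_lookup_request(attrs, process_host_lookup=True):
    """Decide whether a RADIUS request should be treated as Host Lookup.

    Assumed rule for this example: Host Lookup processing is enabled,
    Service-Type is Call-Check, and User-Name is a MAC that equals
    Calling-Station-Id. Requiring the two to match stops a client from
    presenting an arbitrary User-Name while the NAS reports its real MAC.
    """
    if not process_host_lookup:
        return False
    if attrs.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return False
    user_mac = normalize_mac(attrs.get("User-Name"))
    calling_mac = normalize_mac(attrs.get("Calling-Station-Id"))
    return user_mac is not None and user_mac == calling_mac


def host_lookup(attrs, hosts=INTERNAL_HOSTS, process_host_lookup=True):
    """Return (decision, normalized_mac) for a RADIUS request dict.

    The identity used for the lookup is the normalized User-Name, which
    is what the guide describes as the System UserName when Process Host
    Lookup is checked.
    """
    if not is_host_lookup_request(attrs, process_host_lookup):
        return ("not-host-lookup", None)
    mac = normalize_mac(attrs["User-Name"])
    entry = hosts.get(mac)
    if entry is None:
        return ("reject-unknown-host", mac)
    if not entry["enabled"]:
        return ("reject-disabled-host", mac)
    return ("accept", mac)


if __name__ == "__main__":
    # Constructed request, shaped like what a switch sends for MAB.
    req = {"Service-Type": SERVICE_TYPE_CALL_CHECK,
           "User-Name": "001b213c4d5e",
           "Calling-Station-Id": "00:1b:21:3c:4d:5e"}
    print(host_lookup(req))  # → ('accept', '00-1B-21-3C-4D-5E')
```

Two points worth keeping in mind when wiring this up for real: normalization has to happen before the store lookup, otherwise the same device is missed or duplicated depending on which NAS model formatted the MAC; and MAC-based host lookup is identification, not authentication, since a MAC is trivially spoofed, so the authorization a matched host receives should be the minimum that device class needs.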

Page 80

Agentless Network Access Flow
This topic describes the end-to-end flow for agentless network access and lists the tasks that you must 
perform. The information about how to configure the tasks is located in the relevant task chapters. 
Perform these tasks in the order listed to configure agentless network access in ACS:
Step 1 Configure network devices and AAA...
