Cisco Acs 5x User Guide
4-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 4 Common Scenarios Using ACS ACS and Cisco Security Group Access

Step 5 Click Next. The Access Services Properties page appears.
Step 6 In the Authentication Protocols area, check the relevant protocols for your access service.
Step 7 Click Finish.

Creating an Endpoint Admission Control Policy

After you create a service, you configure the endpoint admission control policy. The endpoint admission control policy returns an SGT to the endpoint and an authorization profile. You can create multiple policies and configure the Default Rule policy. The defaults are Deny Access and the Unknown security group.

To add a session authorization policy for an access service:

Step 1 Choose Access Policies > Access Services > service > Authorization.
Step 2 Configure an Authorization Policy. See Configuring a Session Authorization Policy for Network Access, page 10-29.
Step 3 Fill in the fields in the Network Access Authorization Rule Properties page. The Default Rule applies when no rules match or when no rules are defined. The default result of the Default Rule is Deny Access, which denies access to the network, and the security group tag is Unknown. You can modify the security group when creating the session authorization policy for Security Group Access.
Step 4 Click OK.
Step 5 Choose Access Policies > Service Selection Policy to choose which services to include in the endpoint policy. See Configuring the Service Selection Policy, page 10-5, for more information.
Step 6 Fill in the fields in the Service Selection Policy pages.
Step 7 Click Save Changes.

Creating an Egress Policy

The Egress policy (sometimes called SGACL policy) determines which SGACL to apply at the Egress points of the network, based on the source and destination SGT.
The Egress policy is represented in a matrix, where the X and Y axis represent the destination and source SGT, respectively, and each cell contains the set of SGACLs to apply at the intersection of these two SGTs. Any security group can take the role of a source SGT, if an endpoint (or Security Group Access device) that carries this SGT sends the packet. Any security group can take the role of a destination SGT, if the packet is targeting an endpoint (or Security Group Access device) that carries this SGT. Therefore, the Egress matrix lists all of the existing security groups on both axes, making it a Cartesian product of the SGT set with itself (SGT x SGT).
The first row (topmost) of the matrix contains the column headers, which display the destination SGT. The first column (far left) contains the row titles, which display the source SG. At the intersection of these axes lies the origin cell (top left), which contains the titles of the axes, namely Destination and Source. All other cells are internal matrix cells that contain the defined SGACLs. The rows and columns are ordered alphabetically according to the SGT names. Each SGACL can contain 200 ACEs.

Initially, the matrix contains only the cell for the Unknown source and Unknown destination SG. Unknown refers to the preconfigured SG, which is not modifiable. When you add an SG, ACS adds a new row and a new column to the matrix, with empty content for the newly added cells.

To add an Egress policy and populate the Egress matrix:

Step 1 Choose Access Policies > Security Group Access Control > Egress Policy. The Egress matrix is displayed. The security groups appear in the order in which you defined them.
Step 2 Click a cell and then click Edit.
Step 3 Fill in the fields as required.
Step 4 Select the set of SGACLs to apply to the cell and move the selected set to the Selected column. The ACLs are applied at the Egress point for the source and destination SGTs that match the coordinates of the cell. The SGACLs are applied in the order in which they appear.
Step 5 Use the Up and Down arrows to change the order. The device applies the policies in the order in which they are configured. The SGACLs are applied to packets for the selected security groups.
Step 6 Click Submit.

Creating a Default Policy

After you configure the Egress policies for the source and destination SGs in the Egress matrix, Cisco recommends that you configure the Default Egress Policy. The default policy applies to devices that have not been assigned an SGT.
The default policy is appended by the network devices to the specific policies defined in the cells. The initial setting for the default policy is Permit All. The term default policy refers to the ANY security group to ANY security group policy. Security Group Access network devices concatenate the default policy to the end of the specific cell policy. If the cell is blank, only the default policy is applied. If the cell contains a policy, the resultant policy is the cell-specific policy followed by the default policy. How the cell-specific policy and the default policy are combined depends on the algorithm running on the device, but the result is the same as concatenating the two policies: the packet is first checked against the ACEs defined by the SGACLs of the cell, and if there is no match, it falls through to be matched against the ACEs of the default policy. Combining the cell-specific policy and the default policy is done not by ACS, but by the Security Group Access network device. From the ACS perspective, the cell-specific policy and the default policy are two separate sets of SGACLs, which are sent to devices in response to two separate policy queries.
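The matrix layout and the cell-then-default evaluation described above, modelled as an added example; this is not Cisco's code and not part of the ACS product, and the security group names, the ACE tuple format (action, protocol, destination port) and the sample packets are constructed assumptions made for the illustration.

```python
# Added illustration, not code from Cisco or the ACS product: a model of the
# Egress matrix and of how a Security Group Access device combines a cell's
# SGACLs with the default (ANY-to-ANY) policy at an egress point.
# Security group names, ACEs and packets are constructed sample data; the
# ACE tuple format (action, protocol, destination port) is an assumption.
from itertools import product

UNKNOWN = "Unknown"   # preconfigured security group, cannot be modified
MAX_ACES = 200        # each SGACL can contain at most 200 ACEs

def build_matrix(security_groups=()):
    """SGT x SGT Cartesian product, rows/columns sorted by name, cells empty."""
    groups = sorted(set(security_groups) | {UNKNOWN})
    return {(src, dst): [] for src, dst in product(groups, groups)}

def add_security_group(matrix, name):
    """Adding an SG adds a new row and a new column, all with empty cells."""
    groups = sorted({src for src, _ in matrix} | {name})
    for src, dst in product(groups, groups):
        matrix.setdefault((src, dst), [])

def add_sgacl(matrix, src_sgt, dst_sgt, sgacl):
    """Append an SGACL to a cell; SGACLs are applied in the order added."""
    if (src_sgt, dst_sgt) not in matrix:
        raise KeyError(f"no cell for ({src_sgt}, {dst_sgt}); add the SG first")
    if len(sgacl) > MAX_ACES:
        raise ValueError(f"SGACL has {len(sgacl)} ACEs, limit is {MAX_ACES}")
    matrix[(src_sgt, dst_sgt)].append(sgacl)

def ace_matches(ace, packet):
    _action, proto, port = ace
    return proto == "ip" or (proto == packet["proto"]
                             and (port is None or port == packet["port"]))

def evaluate(matrix, default_policy, src_sgt, dst_sgt, packet):
    """Return the action of the first matching ACE. The device concatenates
    the cell-specific SGACLs (first) with the default policy (last): the packet
    falls through to the default policy only if no cell ACE matches. Returns
    None when no ACE matches at all (assumption: the guide describes only the
    matching cases, so no decision is modelled for that situation)."""
    cell_policy = matrix.get((src_sgt, dst_sgt), [])   # blank cell -> default only
    for sgacl in cell_policy + default_policy:
        for ace in sgacl:
            if ace_matches(ace, packet):
                return ace[0]
    return None

# Constructed sample: two SGs plus Unknown, one populated cell, Permit All default.
PERMIT_ALL = [[("permit", "ip", None)]]
DENY_ALL = [[("deny", "ip", None)]]
matrix = build_matrix(["Employees", "Servers"])
add_sgacl(matrix, "Employees", "Servers",
          [("permit", "tcp", 443), ("deny", "tcp", 23)])

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "port": 443}, {"proto": "tcp", "port": 23}):
        print(pkt, "->", evaluate(matrix, PERMIT_ALL, "Employees", "Servers", pkt))
```

Swapping PERMIT_ALL for DENY_ALL shows why the default policy matters: traffic the cell does not mention is then denied instead of permitted.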
To create a default policy:

Step 1 Choose Access Policies > Security Group Access Control > Egress Policy, then choose Default Policy.
Step 2 Fill in the fields in the Default Policy for Egress Policy page.
Step 3 Click Submit.

RADIUS and TACACS+ Proxy Requests

You can use ACS as a proxy server that receives authentication and accounting RADIUS requests, and authentication, authorization and accounting TACACS+ requests, from a Network Access Server (NAS) and forwards them to a remote server. ACS then receives the reply for each forwarded request from the remote RADIUS or TACACS+ server and sends it back to the client. ACS uses the service selection policy to differentiate between incoming authentication and accounting requests that must be handled locally and those that must be forwarded to a remote RADIUS or TACACS+ server.

When ACS receives a proxy request from the NAS, it forwards the request to the first remote RADIUS or TACACS+ server in its list. ACS processes the first valid or invalid response from the remote RADIUS server and does the following:

- If the response is valid for RADIUS, such as an Access-Challenge, Access-Accept, Access-Reject, or Accounting-Response, ACS returns the response to the NAS.
- If ACS does not receive a response within the specified time period, after the specified number of retries, or after the specified network timeout, it forwards the request to the next remote RADIUS server in the list.
- If the response is invalid, the ACS proxy fails over to the next remote RADIUS server.
- When the last failover remote RADIUS server in the list is reached without getting a reply, ACS drops the request and does not send any response to the NAS.
ACS processes the first valid or invalid response from the remote TACACS+ server and does the following:

- If the response is valid for TACACS+, such as TAC_PLUS_AUTHEN (REPLY), TAC_PLUS_AUTHOR (RESPONSE) or TAC_PLUS_ACCT (REPLY), ACS returns the response to the NAS.
- If ACS does not receive a response within the specified time period, after the specified number of retries, or after the specified network timeout, it forwards the request to the next remote TACACS+ server in the list.
- If the response is invalid, the ACS proxy fails over to the next remote TACACS+ server.
- When the last failover remote TACACS+ server in the list is reached without getting a reply, ACS drops the request and does not send any response to the NAS.

You can configure ACS to strip the prefix, the suffix, or both from a username (RADIUS) or user (TACACS+). For example, from a username of the form acme\smith@[domain], you can configure ACS to extract only the name of the user, smith, by specifying \ and @ as the prefix and suffix separators respectively.

ACS can perform local accounting, remote accounting, or both. If you choose both, ACS performs local accounting and then moves on to remote accounting. If there are any errors in local accounting, ACS ignores them and moves on to remote accounting.
During proxying, ACS:

1. Receives the following packets from the NAS and forwards them to the remote RADIUS server:
   - Access-Request
   - Accounting-Request
2. Receives the following packets from the remote RADIUS server and returns them to the NAS:
   - Access-Accept
   - Access-Reject
   - Access-Challenge
   - Accounting-Response
3. Receives the following packets from the NAS and forwards them to the remote TACACS+ server:
   - TAC_PLUS_AUTHOR
   - TAC_PLUS_AUTHEN
4. Receives the following packets from the remote TACACS+ server and returns them to the NAS:
   - TAC_PLUS_ACCT
   This behavior is configurable.

An unresponsive external RADIUS server causes ACS to wait about timeout * number of retries seconds before failing over to the next server. There can be several unresponsive servers in the list before the first responsive server is reached. In such cases, each request that is forwarded to a responsive external RADIUS server is delayed by (number of previous unresponsive servers) * timeout * (number of retries). This delay can sometimes be longer than the external RADIUS server's timeout between two messages of an EAP or RADIUS conversation; in that situation, the external RADIUS server drops the request. You can configure the number of seconds that ACS waits for an unresponsive external TACACS+ server before failing over to the next server.

Related Topics
- Supported Protocols, page 4-30
- Supported RADIUS Attributes, page 4-31
- Configuring Proxy Service, page 4-32

Supported Protocols

The RADIUS proxy feature in ACS supports the following protocols:
- Forwarding for all RADIUS protocols
- All EAP protocols
- Protocols not supported by ACS itself (because the ACS proxy does not take part in the protocol conversation and simply forwards requests)

Note: The ACS proxy cannot support protocols that use encrypted RADIUS attributes.
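The username stripping, the failover walk over the remote server list and the delay accumulated behind unresponsive servers, all described above, modelled in one added example; this is not Cisco's code and not part of the ACS product, and the server names, timeouts, responses and the dict-based server representation are constructed assumptions made for the illustration.

```python
# Added illustration, not code from Cisco or the ACS product: a model of the
# proxy behaviour described above. It strips the configured prefix/suffix from
# a username, walks the remote server list with failover, and accounts for the
# delay a request accumulates behind unresponsive servers. Server names,
# timeouts and responses are constructed sample data, and the dict-based
# server/response representation is an assumption made for this example.

VALID_RADIUS = {"Access-Challenge", "Access-Accept", "Access-Reject",
                "Accounting-Response"}
VALID_TACACS = {"TAC_PLUS_AUTHEN(REPLY)", "TAC_PLUS_AUTHOR(RESPONSE)",
                "TAC_PLUS_ACCT(REPLY)"}

def strip_username(username, prefix_sep=None, suffix_sep=None):
    """Extract the user name, e.g. 'acme\\smith@example.com' -> 'smith' with
    '\\' as the prefix separator and '@' as the suffix separator. Either
    separator may be omitted; a separator absent from the input is ignored."""
    name = username
    if prefix_sep and prefix_sep in name:
        name = name.split(prefix_sep, 1)[1]   # drop the prefix (e.g. domain)
    if suffix_sep and suffix_sep in name:
        name = name.rsplit(suffix_sep, 1)[0]  # drop the suffix (e.g. realm)
    return name

def proxy_request(servers, timeout, retries, valid=VALID_RADIUS, eap_timeout=None):
    """Forward a request along the remote server list.
    - response None   : server unresponsive; ACS waits timeout * retries
                        seconds, then fails over to the next server
    - invalid response: fail over immediately
    - valid response  : returned to the NAS, unless the accumulated delay
                        exceeds the remote server's conversation timeout
                        (eap_timeout), in which case that server drops it
    Exhausting the list drops the request; nothing is sent to the NAS."""
    delay = 0
    for srv in servers:
        resp = srv["response"]
        if resp is None:
            delay += timeout * retries
            continue
        if resp in valid:
            if eap_timeout is not None and delay > eap_timeout:
                return {"result": "dropped", "reason": "delay exceeded EAP timeout",
                        "server": srv["name"], "delay": delay}
            return {"result": resp, "server": srv["name"], "delay": delay}
    return {"result": "dropped", "reason": "no remote server replied",
            "server": None, "delay": delay}

# Constructed sample: two unresponsive servers ahead of a responsive one.
SAMPLE_SERVERS = [{"name": "radius-1", "response": None},
                  {"name": "radius-2", "response": None},
                  {"name": "radius-3", "response": "Access-Accept"}]

if __name__ == "__main__":
    print(strip_username("acme\\smith@example.com", "\\", "@"))
    print(proxy_request(SAMPLE_SERVERS, timeout=5, retries=3))
    print(proxy_request(SAMPLE_SERVERS, timeout=5, retries=3, eap_timeout=20))
```

With timeout 5 and 3 retries, the third server only sees the request after 30 seconds, so an EAP peer that gives up after 20 seconds has already abandoned the conversation; that is the failure mode the delay formula warns about.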
The TACACS+ proxy feature in ACS supports the following authentication types:
- PAP
- ASCII
- CHAP
- MSCHAP

Related Topics
- RADIUS and TACACS+ Proxy Requests, page 4-29
- Supported RADIUS Attributes, page 4-31
- Configuring Proxy Service, page 4-32

Supported RADIUS Attributes

The following supported RADIUS attributes are encrypted:
- User-Password
- CHAP-Password
- Message-Authenticator
- MPPE-Send-Key and MPPE-Recv-Key
- Tunnel-Password
- LEAP Session Key
- Cisco AV-Pair

TACACS+ Body Encryption

When ACS receives a packet from the NAS with an encrypted body (the TAC_PLUS_UNENCRYPTED_FLAG flag is 0x0), ACS decrypts the body using the data shared between the NAS and ACS, such as the shared secret and session ID, and then re-encrypts the body using the data shared between ACS and the TACACS+ proxy server. If the packet body is in cleartext, ACS resends it to the TACACS+ server in cleartext.

Connection to TACACS+ Server

ACS supports a single connection to another TACACS+ server (the TAC_PLUS_SINGLE_CONNECT_FLAG flag is 1). If the remote TACACS+ server does not support multiplexing TACACS+ sessions over a single TCP connection, ACS opens and closes a connection for each session.

Related Topics
- RADIUS and TACACS+ Proxy Requests, page 4-29
- Supported Protocols, page 4-30
- Configuring Proxy Service, page 4-32
Configuring Proxy Service

To configure proxy services:

Step 1 Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplicating, and Editing External Proxy Servers, page 7-19.
Step 2 Configure an External proxy service. For information on how to configure an External proxy service, see Configuring General Access Service Properties, page 10-13. You must select the User Selected Service Type option and choose External proxy as the Access Service Policy Structure in the Access Service Properties - General page.
Step 3 After you configure the allowed protocols, click Finish to complete your External proxy service configuration.

Related Topics
- RADIUS and TACACS+ Proxy Requests, page 4-29
- Supported Protocols, page 4-30
- Supported RADIUS Attributes, page 4-31
Chapter 5 Understanding My Workspace

The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer 7.x, 8.x, and 9.x and Mozilla Firefox 3.x and 4.x. The web interface not only makes viewing and administering ACS possible, but also allows you to monitor and report on any event in the network. These reports track connection activity, show which users are currently logged in, list the failed authentication and authorization attempts, and so on.

The My Workspace drawer contains:
- Welcome Page, page 5-1
- Task Guides, page 5-2
- My Account Page, page 5-2
- Using the Web Interface, page 5-3
- Importing and Exporting ACS Objects through the Web Interface, page 5-18
- Common Errors, page 5-25
- Accessibility, page 5-27

Welcome Page

The Welcome page appears when you start ACS, and provides shortcuts to common ACS tasks and links to information. You can return to the Welcome page at any time during your ACS session. To return to this page, choose My Workspace > Welcome.

Table 5-1 Welcome Page

Field: Description
Before You Begin: Contains a link to a section that describes the ACS policy model and associated terminology.
Getting Started: Links in this section launch the ACS Task Guides, which provide step-by-step instructions on how to accomplish ACS tasks.
Quick Start: Opens the Task Guide for the Quick Start scenario. These steps guide you through a minimal system setup to get ACS going quickly in a lab, evaluation, or demonstration environment.
Initial System Setup: Opens the Task Guide for initial system setup. This scenario guides you through the steps that are required to set up ACS for operation as needed; many steps are optional.
Policy Setup Steps: Opens the Task Guide for policy setup. This scenario guides you through the steps that are required to set up ACS policies.
New in ACS 5: Options in this section link to topics in the ACS online help. Click an option to open the online help window, which displays information for the selected topic. Use the links in the online help topics and in the Contents pane of the online help to view more information about ACS features and tasks.
Tutorials & Other Resources: Provides links to an Introduction Overview video and to a configuration guide that provides step-by-step instructions for common ACS scenarios.

Task Guides

From the My Workspace drawer, you can access Task Guides. When you click any of the tasks, it opens a frame on the right side of the web interface. This frame contains step-by-step instructions as well as links to additional information. ACS provides the following task guides:
- Quick Start—Lists the minimal steps required to get ACS up and running quickly.
- Initial System Setup—Lists the required steps to set up ACS for basic operations, including information about optional steps.
- Policy Setup Steps—Lists the required steps to define ACS access control policies.

My Account Page

Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in certain procedures. See Configuring System Administrators and Accounts, page 16-3, to configure the appropriate administrator privileges.

Use the My Account page to update and change the administrator password for the administrator that is currently logged in to ACS. To display this page, select My Workspace > My Account.

Table 5-2 My Account Page

Field: Description
General: Read-only fields that display information about the currently logged-in administrator: administrator name, description, and e-mail address (if available).
Change Password: Displays the rules for password definition according to the password policy. To change your password:
  1. In the Password field, enter your current password.
  2. In the New Password field, enter a new password.
  3. In the Confirm Password field, enter your new password again.
Assigned Roles: Displays the roles that are assigned to the currently logged-in administrator.

Related Topics
- Configuring Authentication Settings for Administrators, page 16-9
- Changing the Administrator Password, page 16-13

Using the Web Interface

You can configure and administer ACS through the ACS web interface, in which you can access pages, perform configuration tasks, and view interface configuration errors. This section describes:
- Accessing the Web Interface, page 5-3
- Understanding the Web Interface, page 5-5
- Common Errors, page 5-25
- Accessibility, page 5-27

Accessing the Web Interface

The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer versions 7.x, 8.x, and 9.x and Firefox versions 3.x and 4.x. This section contains:
- Logging In, page 5-4
- Logging Out, page 5-5
Logging In

To log in to the ACS web interface for the first time after installation:

Step 1 Enter the ACS URL in your browser, for example https://acs_host/acsadmin, where acs_host is the IP address or Domain Name System (DNS) hostname. The login page appears.
Step 2 Enter ACSAdmin in the Username field; the value is not case-sensitive.
Step 3 Enter default in the Password field; the value is case-sensitive. This password (default) is valid only when you log in for the first time after installation. Click Reset to clear the Username and Password fields and start over, if needed.
Step 4 Click Login or press Enter. The login page reappears, prompting you to change your password. ACS prompts you to change your password the first time you log in to the web interface after installation, and in other situations based on the authentication settings that are configured in ACS.
Step 5 Enter default in the Old Password field, then enter a new password in the New Password and Confirm Password fields. If you forget your username or password, use the acs reset-password command to reset your username to ACSAdmin and your password to default. You are prompted to change your password after a reset. See the Command Line Reference for ACS 5.3 for more information.
Step 6 Click Login or press Enter. You are prompted to install a valid license:

Note: The license page only appears the first time that you log in to ACS.