Cisco Acs 5x User Guide
Have a look at the manual Cisco Acs 5x User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
7-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Working with External Proxy Servers NoteIf you want ACS to forward unknown RADIUS attributes you have to define VSAs for proxy. Related Topics RADIUS and TACACS+ Proxy Services, page 3-7 RADIUS and TACACS+ Proxy Requests, page 4-29 Configuring General Access Service Properties, page 10-13 Deleting External Proxy Servers, page 7-21 Deleting External Proxy Servers To delete an external proxy server: Step 1Choose Network Resources > External Proxy Servers. The External Proxy Servers page appears with a list of configured servers. Step 2Check one or more check boxes next to the external RADIUS or TACACS+ servers you want to delete, and click Delete. The following message appears: Are you sure you want to delete the selected item/items? Step 3Click OK. The External Proxy Servers page appears without the deleted server(s).
7-22 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 7 Managing Network Resources Working with External Proxy Servers
CH A P T E R 8-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 8 Managing Users and Identity Stores Overview ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting access to a particular network resource, ACS authenticates the host and decides whether the host can communicate with the network resource. To authenticate and authorize a user or host, ACS uses the user definitions in identity stores. There are two types of identity stores: Internal—Identity stores that ACS maintains locally (also called local stores) are called internal identity stores. For internal identity stores, ACS provides interfaces for you to configure and maintain user records. External—Identity stores that reside outside of ACS are called external identity stores. ACS requires configuration information to connect to these external identity stores to perform authentication and obtain user information. In addition to authenticating users and hosts, most identity stores return attributes that are associated with the users and hosts. You can use these attributes in policy conditions while processing a request and can also populate the values returned for RADIUS attributes in authorization profiles. Internal Identity Stores ACS maintains different internal identity stores to maintain user and host records. For each identity store, you can define identity attributes associated with that particular store for which values are defined while creating the user or host records. You can define these identity attributes as part of identity dictionaries under the System Administration section of the ACS application (System Administration > Configuration > Dictionaries > Identity). Each internal user record includes a password, and you can define a second password as a TACACS+ enable password. You can configure the password stored within the internal user identity store to expire after a particular time period and thus force users to change their own passwords periodically. Users can change their passwords over the RADIUS or TACACS+ protocols or use the UCP web service. Passwords must conform to the password complexity criteria that you define in ACS. Internal user records consist of two component types: fixed and configurable.
8-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Overview Fixed components are: Name Description Password Enabled or disabled status Identity group to which users belong Configurable components are: Enable password for TACACS+ authentication Sets of identity attributes that determine how the user definition is displayed and entered Cisco recommends that you configure identity attributes before you create users. When identity attributes are configured: You can enter the corresponding values as part of a user definition. They are available for use in policy decisions when the user authenticates. They can be used to populate the values returned for RADIUS attributes in an authorization profile. Internal user identity attributes are applied to the user for the duration of the user’s session. Internal identity stores contain the internal user attributes and credential information used to authenticate internal users. Internal host records are similar to internal user records, except that they do not contain any password information. Hosts are identified by their MAC addresses. For information on managing internal identity stores, see Managing Internal Identity Stores, page 8-4. External Identity Stores External identity stores are external databases on which ACS performs authentications for internal and external users. ACS 5.3 supports the following external identity stores: LDAP Active Directory RSA SecurID Token Server RADIUS Identity Server External identity store user records include configuration parameters that are required to access the specific store. You can define attributes for user records in all the external identity stores except the RSA SecurID Token Server. External identity stores also include certificate information for the ACS server certificate and certificate authentication profiles. For more information on how to manage external identity stores, see Managing External Identity Stores, page 8-22.
8-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Overview Identity Stores with Two-Factor Authentication You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use an OTP that provides greater security. The following additional configuration options are available for these external identity stores: Identity caching—You can enable identity caching for ACS to use the identity store while processing a request in cases where authentication is not performed. Unlike LDAP and AD, for which you can perform a user lookup without user authentication, the RSA SecurID Token Server and RADIUS Identity Server does not support user lookup. For example, in order to authorize a TACACS+ request separately from the authentication request, taking into account that it is not possible for the identity store to retrieve the data because authentication is not performed, you can enable identity caching to cache results and attributes retrieved from the last successful authentication for the user. You can use this cache to authorize the request. Treat authentication rejects as—The RSA and RADIUS identity stores do not differentiate between the following results when an authentication attempt is rejected: –Authentication Failed –User Not Found This classification is very important when you determine the fail-open operation. A configuration option is available, allowing you to define which result must be used. Identity Groups Identity groups are logical entities that are defined within a hierarchy and are associated with users and hosts. These identity groups are used to make policy decisions. For internal users and hosts, the identity group is defined as part of the user or host definition. When external identity stores are used, the group mapping policy is used to map attributes and groups retrieved from the external identity store to an ACS identity group. Identity groups are similar in concept to Active Directory groups but are more basic in nature. Certificate-Based Authentication Users and hosts can identify themselves with a certificate-based access request. To process this request, you must define a certificate authentication profile in the identity policy. The certificate authentication profile includes the attribute from the certificate that is used to identify the user or host. It can also optionally include an LDAP or AD identity store that can be used to validate the certificate present in the request. For more information on certificates and certificate-based authentication, see: Configuring CA Certificates, page 8-68 Configuring Certificate Authentication Profiles, page 8-73
8-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Identity Sequences You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Identity Sequence object. The identity methods within a sequence can be of any type. The identity sequence is made up of two components, one for authentication and the other for retrieving attributes. If you choose to perform authentication based on a certificate, a single certificate authentication profile is used. If you choose to perform authentication on an identity database, you can define a list of identity databases to be accessed in sequence until the authentication succeeds. If the authentication succeeds, the attributes within the database are retrieved. In addition, you can configure an optional list of databases from which additional attributes can be retrieved. These additional databases can be configured irrespective of whether you use password-based or certificate-based authentication. If a certificate-based authentication is performed, the username is populated from a certificate attribute and this username is used to retrieve attributes from all the databases in the list. For more information on certificate attributes, see Configuring CA Certificates, page 8-68. When a matching record is found for the user, the corresponding attributes are retrieved. ACS retrieves attributes even for users whose accounts are disabled or whose passwords are marked for change. NoteAn internal user account that is disabled is available as a source for attributes, but not for authentication. For more information on identity sequences, see Configuring Identity Store Sequences, page 8-75. This chapter contains the following sections: Managing Internal Identity Stores, page 8-4 Managing External Identity Stores, page 8-22 Configuring CA Certificates, page 8-68 Configuring Certificate Authentication Profiles, page 8-73 Configuring Identity Store Sequences, page 8-75 Managing Internal Identity Stores ACS contains an identity store for users and an identity store for hosts: The internal identity store for users is a repository of users, user attributes, and user authentication options. The internal identity store for hosts contains information about hosts for MAC Authentication Bypass (Host Lookup). You can define each user and host in the identity stores, and you can import files of users and hosts. The identity store for users is shared across all ACS instances in a deployment and includes for each user: Standard attributes User attributes
8-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Authentication information NoteACS 5.3 supports authentication for internal users against the internal identity store only. This section contains the following topics: Authentication Information, page 8-5 Identity Groups, page 8-6 Managing Identity Attributes, page 8-7 Configuring Authentication Settings for Users, page 8-9 Creating Internal Users, page 8-11 Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15 Creating Hosts in Identity Stores, page 8-16 Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18 Authentication Information You can configure an additional password, stored as part of the internal user record that defines the user’s TACACS+ enable password which sets the access level to device. If you do not select this option, the standard user password is also used for TACACS+ enable. If the system is not being used for TACACS+ enable operations, you should not select this option. To use the identity store sequence feature, you define the list of identity stores to be accessed in a sequence. You can include the same identity store in authentication and attribute retrieval sequence lists; however, if an identity store is used for authentication, it is not accessed for additional attribute retrieval. For certificate-based authentication, the username is populated from the certificate attribute and is used for attribute retrieval. During the authentication process, authentication fails if more than one instance of a user or host exists in internal identity stores. Attributes are retrieved (but authentication is denied) for users who have disabled accounts or passwords that must be changed. These types of failures can occur while processing the identity policy: Authentication failure; possible causes include bad credentials, disabled user, and so on. User or host does not exist in any of the authentication databases. Failure occurred while accessing the defined databases. You can define fail-open options to determine what actions to take when each of these failures occurs: Reject—Send a reject reply. Drop—Do not send a reply. Continue—Continue processing to the next defined policy in the service. The system attribute, AuthenticationStatus, retains the result of the identity policy processing. If you choose to continue policy processing when a failure occurs, you can use this attribute in a condition in subsequent policy processing to distinguish cases where identity policy processing did not succeed. You can continue processing when authentication fails for PAP/ASCII, EAP-TLS, or EAP-MD5. For all other authentication protocols, the request is rejected and a message to this effect is logged.
8-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Identity Groups You can assign each internal user to one identity group. Identity groups are defined within a hierarchical structure. They are logical entities that are associated with users, but do not contain data or attributes other than the name you give to them. You use identity groups within policy conditions to create logical groups of users to which the same policy results are applied. You can associate each user in the internal identity store with a single identity group. When ACS processes a request for a user, the identity group for the user is retrieved and can then be used in conditions in the rule table. Identity groups are hierarchical in structure. You can map identity groups and users in external identity stores to ACS identity groups by using a group mapping policy. Creating Identity Groups To create an identity group: Step 1Select Users and Identity Stores > Identity Groups. The Identity Groups page appears. Step 2Click Create. You can also: Check the check box next to the identity group that you want to duplicate, then click Duplicate. Click the identity group name that you want to modify, or check the check box next to the name and click Edit. Click File Operations to: –Add—Adds identity groups from the import to ACS. –Update—Overwrites the existing identity groups in ACS with the list from the import. –Delete—Removes the identity groups listed in the import from ACS. Click Export to export a list of identity groups to your local hard disk. For more information on the File Operations option, see Performing Bulk Operations for Network Resources and Users, page 7-8. The Create page or the Edit page appears when you choose the Create, Duplicate, or Edit option. Step 3Enter information in the following fields: Name—Enter a name for the identity group. If you are duplicating an identity group, you must enter a unique name; all other fields are optional. Description—Enter a description for the identity group. Parent—Click Select to select a network device group parent for the identity group. Step 4Click Submit to save changes. The identity group configuration is saved. The Identity Groups page appears with the new configuration. If you created a new identity group, it is located within the hierarchy of the page beneath your parent identity group selection.
8-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Related Topics Managing Users and Identity Stores, page 8-1 Managing Internal Identity Stores, page 8-4 Performing Bulk Operations for Network Resources and Users, page 7-8 Identity Groups, page 8-3 Creating Identity Groups, page 8-6 Deleting an Identity Group, page 8-7 Deleting an Identity Group To delete an identity group: Step 1Select Users and Identity Stores > Identity Groups. The Identity Groups page appears. Step 2Check one or more check boxes next to the identity groups you want to delete and click Delete. The following error message appears: Are you sure you want to delete the selected item/items? Step 3Click OK. The Identity Groups page appears without the deleted identity groups. Related Topic Managing Identity Attributes, page 8-7 Managing Identity Attributes Administrators can define sets of identity attributes that become elements in policy conditions. For information about the ACS 5.3 policy model, see Chapter 3, “ACS 5.x Policy Model.” During authentication, identity attributes are taken from the internal data store when they are part of a policy condition. ACS 5.3 interacts with identity elements to authenticate users and obtain attributes for input to an ACS policy. Attribute definitions include the associated data type and valid values. The set of values depends on the type. For example, if the type is integer, the definition includes the valid range. ACS 5.3 provides a default value definition that can be used in the absence of an attribute value. The default value ensures that all attributes have at least one value. Related Topics Standard Attributes, page 8-8 User Attributes, page 8-8 Host Attributes, page 8-9
8-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing Internal Identity Stores Standard Attributes Ta b l e 8 - 1 describes the standard attributes in the internal user record. User Attributes Administrators can create and add user-defined attributes from the set of identity attributes. You can then assign default values for these attributes for each user in the internal identity store and define whether the default values are required or optional. You need to define users in ACS, which includes associating each internal user with an identity group, a description (optional), a password, an enable password (optional), and internal and external user attributes. Internal users are defined by two components: fixed and configurable. Fixed components consist of these attributes: Name Description Password Enabled or disabled status Identity group to which they belong Configurable components consist of these attributes: Enable password for TACACS+ authentication Sets of identity attributes that determine how the user definition is displayed and entered Cisco recommends that you configure identity attributes before you create users. When identity attributes are configured: You can enter the corresponding values as part of a user definition. They are available for use in policy decisions when the user authenticates. Internal user identity attributes are applied to the user for the duration of the user’s session. Internal identity stores contain the internal user attributes and credential information used to authenticate internal users (as defined by you within a policy). External identity stores are external databases on which to perform credential and authentication validations for internal and external users (as defined by you within a policy). Table 8-1 Standard Attributes Attribute Description Username ACS compares the username against the username in the authentication request. The comparison is case-insensitive. Status Enabled status indicates that the account is active. Disabled status indicates that authentications for the username will fail. Description Text description of the attribute. Identity Group ACS associates each user to an identity group. See Managing Identity Attributes, page 8-7 for information.