Cisco Acs 5x User Guide
8-29 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores Managing External Identity Stores

Table 8-7 LDAP: Server Connection Page (continued)

Admin DN
  Enter the domain name of the administrator; that is, the LDAP account which, if bound to, permits searching for all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users that LDAP authenticates.

Password
  Type the LDAP administrator account password.

Use Secure Authentication
  Click to use Secure Sockets Layer (SSL) to encrypt communication between ACS and the secondary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must select a root CA.

Root CA
  Select a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate.

Server Timeout Seconds
  Type the number of seconds that ACS waits for a response from the secondary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 300. (Default = 10.)

Max Admin Connections
  Type the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and Group Directory Subtree. Valid values are 1 to 99. (Default = 8.)

Test Bind To Server
  Click to test and ensure that the secondary LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

Step 2 Click Next.
Step 3 Continue with Configuring External LDAP Directory Organization, page 8-29.

Configuring External LDAP Directory Organization

Use this page to configure an external LDAP identity store.

Step 1 Select Users and Identity Stores > External Identity Stores > LDAP, then click any of the following:
  - Create, and follow the wizard until you reach the Directory Organization page.
  - Duplicate, then click Next until the Directory Organization page appears.
  - Edit, then click Next until the Directory Organization page appears.
Table 8-8 LDAP: Directory Organization Page

Schema

Subject Object class
  Value of the LDAP objectClass attribute that identifies the subject. Often, subject records have several values for the objectClass attribute, some unique to the subject and some shared with other object types. This box should contain a value that is not shared. Valid values are from 1 to 20 characters and must be a valid LDAP object type. This parameter can contain any UTF-8 characters. (Default = Person.)

Group Object class
  Enter the group object class that you want to use in searches that identify objects as groups. (Default = GroupOfUniqueNames.)

Subject Name Attribute
  Name of the attribute in the subject record that contains the subject name. You can obtain this attribute name from your directory server. This attribute specifies the subject name in the LDAP schema; ACS uses it to construct the queries that search for subject objects. For more information, refer to the LDAP database documentation. Valid values are from 1 to 20 characters and must be a valid LDAP attribute. This parameter can contain any UTF-8 characters. Common values are uid and CN. (Default = uid.)

Group Map Attribute
  For user authentication, user lookup, and MAC address lookup, ACS must retrieve group membership information from LDAP databases. LDAP servers represent an association between a subject (a user or a host) and a group in one of two ways:
  - Groups refer to subjects
  - Subjects refer to groups
  The Group Map Attribute contains the mapping information. Enter the attribute that holds it; this is an attribute of either the subject or the group, depending on the radio button you select:
  - If you select Subject Objects Contain Reference To Groups, enter a subject attribute.
  - If you select Group Objects Contain Reference To Subjects, enter a group attribute.

Certificate Attribute
  Enter the attribute that contains certificate definitions. These definitions can optionally be used to validate certificates presented by clients when defined as part of a certificate authentication profile. In such cases, a binary comparison is performed between the client certificate and the certificate retrieved from the LDAP identity store.

Subject Objects Contain Reference To Groups
  Click if the subject objects contain a reference to groups.

Group Objects Contain Reference To Subjects
  Click if the group objects contain a reference to subjects.

Subjects In Groups Are Stored In Member Attribute As
  Use the drop-down list box to indicate whether the subjects in groups are stored in the member attribute as either:
  - Username
  - Distinguished name

Directory Structure

Subject Search Base
  Enter the distinguished name (DN) for the subtree that contains all subjects. For example: o=corporation.com
  If the tree containing subjects is the base DN, enter o=corporation.com or dc=corporation,dc=com, as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Group Search Base
  Enter the distinguished name (DN) for the subtree that contains all groups. For example: ou=organizational unit[,ou=next organizational unit],o=corporation.com
  If the tree containing groups is the base DN, type o=corporation.com or dc=corporation,dc=com, as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Test Configuration
  Click to obtain the expected connection and schema results by counting the number of users and groups that may result from your configuration.
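The following added example (not code from the Cisco guide or from ACS) shows how the Directory Organization settings in Table 8-8 combine into the subject lookup and the two group-mapping directions. It assumes a constructed in-memory directory under dc=corporation,dc=com in place of a real LDAP server, and a hypothetical DirectoryOrganization class whose fields mirror the page's option names.

```python
# Added example, not ACS code: how the Directory Organization settings combine
# into LDAP lookups. A tiny in-memory directory (constructed data) stands in.
from dataclasses import dataclass
@dataclass
class DirectoryOrganization:
    subject_object_class: str = "Person"            # Subject Object class
    subject_name_attribute: str = "uid"             # Subject Name Attribute
    group_object_class: str = "GroupOfUniqueNames"  # Group Object class
    group_map_attribute: str = "uniqueMember"       # Group Map Attribute
    groups_refer_to_subjects: bool = True  # False: subjects refer to groups
    member_stored_as: str = "dn"           # "dn" or "username"
    subject_search_base: str = "ou=people,dc=corporation,dc=com"
    group_search_base: str = "ou=groups,dc=corporation,dc=com"

# Constructed sample directory: (dn, {attribute: [values]})
DIRECTORY = [
    ("uid=echamberlain,ou=people,dc=corporation,dc=com",
     {"objectClass": ["top", "Person"], "uid": ["echamberlain"],
      "memberOf": ["cn=netadmins,ou=groups,dc=corporation,dc=com"]}),
    ("cn=netadmins,ou=groups,dc=corporation,dc=com",
     {"objectClass": ["GroupOfUniqueNames"], "cn": ["netadmins"],
      "uniqueMember": ["uid=echamberlain,ou=people,dc=corporation,dc=com"]}),
]

def in_subtree(dn: str, base: str) -> bool:
    return dn.lower().endswith(base.lower())

def subject_filter(cfg, name):
    """The search filter ACS would send under the Subject Search Base."""
    return f"(&(objectClass={cfg.subject_object_class})({cfg.subject_name_attribute}={name}))"

def find_subject(cfg, name):
    for dn, attrs in DIRECTORY:
        if (in_subtree(dn, cfg.subject_search_base)
                and cfg.subject_object_class in attrs.get("objectClass", [])
                and name in attrs.get(cfg.subject_name_attribute, [])):
            return dn, attrs
    return None

def groups_for(cfg, name):
    """Group names (cn) the subject maps to, following the configured direction."""
    found = find_subject(cfg, name)
    if found is None:
        return []
    dn, attrs = found
    if not cfg.groups_refer_to_subjects:
        # Subject Objects Contain Reference To Groups: read the subject attribute
        return sorted(g.split(",")[0].split("=", 1)[1]
                      for g in attrs.get(cfg.group_map_attribute, []))
    # Group Objects Contain Reference To Subjects: search the group subtree
    member = dn if cfg.member_stored_as == "dn" else name
    return sorted(a["cn"][0] for d, a in DIRECTORY
                  if in_subtree(d, cfg.group_search_base)
                  and cfg.group_object_class in a.get("objectClass", [])
                  and member in a.get(cfg.group_map_attribute, []))
```

The last case in the test below shows the mismatch the page warns about: when the group's member attribute stores DNs but the store is configured for Username, group mapping silently returns no groups.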
Table 8-8 LDAP: Directory Organization Page (continued)

Username Prefix\Suffix Stripping

Strip start of subject name up to the last occurrence of the separator
  Enter the appropriate text to remove domain prefixes from usernames. If, in the username, ACS finds the delimiter character specified in the start_string box, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one occurrence of the character specified in the start_string box, ACS strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\echamberlain, ACS submits echamberlain to the LDAP server. The start_string cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<).

Step 2 Click Finish.
The external identity store you created is saved.
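The prefix-stripping rule above, as an added example that is not code from the guide or from ACS: it strips through the last occurrence of the delimiter and rejects a start_string containing any of the characters the page lists as not allowed. The function names are hypothetical.

```python
# Added example, not ACS code: username prefix stripping as described for the
# "Strip start of subject name up to the last occurrence of the separator" box.
FORBIDDEN_IN_START_STRING = set('#?"*<>')  # characters the page says are not allowed

def validate_start_string(start_string: str) -> None:
    """Reject a delimiter ACS would not accept."""
    if not start_string:
        raise ValueError("start_string must not be empty")
    bad = sorted(set(start_string) & FORBIDDEN_IN_START_STRING)
    if bad:
        raise ValueError(f"start_string may not contain: {''.join(bad)}")

def strip_prefix(username: str, start_string: str) -> str:
    """Remove everything from the start of username through the LAST occurrence
    of start_string; the username is returned unchanged if it is absent."""
    validate_start_string(start_string)
    last = username.rfind(start_string)
    if last == -1:
        return username
    return username[last + len(start_string):]
```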
Related Topics
- Configuring LDAP Groups, page 8-33
- Deleting External LDAP Identity Stores, page 8-33

Deleting External LDAP Identity Stores

You can delete one or more external LDAP identity stores simultaneously. To delete an external LDAP identity store:

Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
The LDAP Identity Stores page appears, with a list of your configured external identity stores.
Step 2 Check one or more check boxes next to the external identity stores you want to delete.
Step 3 Click Delete.
The following message appears: Are you sure you want to delete the selected item/items?
Step 4 Click OK.
The External Identity Stores page appears, without the deleted identity stores in the list.

Related Topic
- Creating External LDAP Identity Stores, page 8-26

Configuring LDAP Groups

Use this page to configure an external LDAP group.

Step 1 Select Users and Identity Stores > External Identity Stores > LDAP, then click any of the following:
  - Create, and follow the wizard.
  - Duplicate, then click the Directory Groups tab.
  - Edit, then click the Directory Groups tab.
The Selected Directory Groups field displays a list of groups that are available as options in rule-table group-mapping conditions.
Step 2 Do one of the following:
  - Click Select to open the Groups secondary window, from which you can select groups and add them to the Selected Directory Groups list.
  - Alternatively, enter the LDAP groups in the Group Name field and click Add.
  - To remove a selected group from the Selected Directory Groups list, select that group in the list and click Deselect.
Step 3 Click Submit to save your changes.
Viewing LDAP Attributes

Use this page to view the external LDAP attributes.

Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Check the check box next to the LDAP identity store whose attributes you want to view, click Edit, and then click the Directory Attributes tab.
Step 3 In the Name of example Subject to Select Attributes field, enter the name of an example object from which to retrieve attributes, then click Select. For example, the object can be a user, and the name of the object can be either the username or the user's DN.
Step 4 Complete the fields as described in Table 8-9.
Step 5 Click Add. The information you entered is added to the fields on the screen. The attributes listed here are available for policy conditions.
Step 6 Click Submit to save your changes.

Table 8-9 LDAP: Attributes Page

Attribute Name
  Type an attribute name that you want included in the list of available attributes for policy conditions.

Type
  Select the type you want associated with the attribute name you entered in the Attribute Name field.

Default
  Specify the default value you want associated with the attribute name you entered in the Attribute Name field. If you do not specify a default value, no default is used. When attributes are imported to the Attribute Name/Type/Default box via the Select button, these default values are used:
  - String—Name of the attribute
  - Unsigned Integer 32
  - IPv4 Address

Policy Condition Name
  (Optional) Specify the name of the custom condition for this attribute. This condition will be available for selection when customizing conditions in a policy.

Leveraging Cisco NAC Profiler as an External MAB Database

ACS communicates with Cisco NAC Profiler to enable non-802.1X-capable devices to authenticate in 802.1X-enabled networks. Endpoints that are unable to authenticate through 802.1X use the MAC Authentication Bypass (MAB) feature in switches to connect to an 802.1X-enabled network. Typically, non-user-attached devices such as printers, fax machines, IP phones, and Uninterruptible Power Supplies (UPSs) are not equipped with an 802.1X supplicant.
This means the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials and must revert to an authentication mechanism other than port-based authentication (typically endpoint MAC address-based) in order for them to connect to the network. Cisco NAC Profiler provides a solution for identifying and locating the endpoints that are unable to interact with the authentication component of these systems, so that these endpoints can be provided an alternative mechanism for admission to the network.

NAC Profiler consists of an LDAP-enabled directory, which can be used for MAC Authentication Bypass (MAB). Thus, the NAC Profiler acts as an external LDAP database for ACS to authenticate non-802.1X-capable devices.

Note: You can use the ACS internal host database to define the MAC addresses for non-802.1X-capable devices. However, if you already have a NAC Profiler in your network, you can use it to act as an external MAB database.

To leverage Cisco NAC Profiler as an external MAB database, you must:
- Enable the LDAP Interface on Cisco NAC Profiler. See Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS, page 8-35.
- Configure NAC Profiler in ACS. See Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy, page 8-37.

Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS

Note: Before you can enable the LDAP interface on the NAC Profiler, ensure that you have set up your NAC Profiler with the NAC Profiler Collector. For more information on configuring Cisco NAC Profiler, refer to the Cisco NAC Profiler Installation and Configuration Guide, available under http://www.cisco.com/en/US/products/ps8464/products_installation_and_configuration_guides_list.html.

To enable the LDAP interface on the NAC Profiler to communicate with ACS:

Step 1 Log into your Cisco NAC Profiler.
Step 2 Choose Configuration > NAC Profiler Modules > List NAC Profiler Modules.
Step 3 Click Server. The Configure Server page appears.
Step 4 In the LDAP Configuration area, check the Enable LDAP check box, as shown in Figure 8-1.
Figure 8-1 LDAP Interface Configuration in NAC Profiler

Step 5 Click Update Server.
Step 6 Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page appears.
Step 7 Click Update Modules to enable LDAP to be used by ACS.

You must enable the endpoint profiles that you want to authenticate against the Cisco NAC Profiler. For information on how to do this, see Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication, page 8-36.

For proper Active Response Events, you need to configure the Active Response Delay time from your Cisco NAC Profiler UI. To do so, choose Configuration > NAC Profiler Modules > Configure Server > Advanced Options > Active Response Delay.

Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication

For the non-802.1X endpoints that you want to authenticate successfully, you must enable the corresponding endpoint profiles in NAC Profiler for LDAP authentication.

Note: If the profile is not enabled for LDAP, the endpoints in the profile will not be authenticated by the Cisco NAC Profiler.

To enable the endpoint profiles for LDAP authentication:

Step 1 Log into your NAC Profiler.
Step 2 Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A table listing the profiles appears.
Step 3 Click the name of a profile to edit it.
Step 4 In the Save Profile page, ensure that the LDAP option is enabled by clicking the Yes radio button next to it, if it is not already selected, as shown in Figure 8-2.

Figure 8-2 Configuring Endpoint Profiles in NAC Profiler

Step 5 Click Save Profile.

Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy

After you install ACS, there is a predefined LDAP database definition for NAC Profiler. This predefined database definition contains all the data required to establish an initial connection. The only exception is the host information, which depends on your specific deployment configuration. The steps below describe how to configure the host information, verify the connection, and use the profile database in policies.

Note: Make sure that ACS NAC Profiler is chosen under Access Policies > Access Services > Default Network Access > Identity.

Note: The NAC Profiler template in ACS, available under the LDAP external identity store, works with Cisco NAC Profiler version 2.1.8 and later.
To edit the NAC Profiler template in ACS:

Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP.
Step 2 Click the name of the NAC Profiler template, or check the check box next to the NAC Profiler template and click Edit. The Edit NAC Profiler definition page appears, as shown in Figure 8-3.

Figure 8-3 Edit NAC Profiler Definition - General Page

Step 3 Click the Server Connection tab. The Edit page appears, as shown in Figure 8-4.

Figure 8-4 Edit NAC Profiler Definition - Server Connection Page

Step 4 In the Primary Server Hostname field, enter the IP address or fully qualified domain name of the Profiler Server, or the Service IP of the Profiler pair if Profiler is configured for High Availability.
Step 5 Click Test Bind to Server to test the connection and verify that ACS can communicate with Profiler through LDAP. A small popup dialog, similar to the one shown in Figure 8-5, appears.