Cisco ACS 5.x User Guide
8-39 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores

Figure 8-5 Test Bind to Server Dialog Box

For more information, see Creating External LDAP Identity Stores, page 8-26.

Note: The default password for LDAP is GBSbeacon. If you want to change this password, refer to the Cisco NAC Profiler Installation and Configuration Guide at the following location: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_ldap31.html#wp1057155.

Step 6 If successful, go to the Directory Organization tab. The Edit page appears as shown in Figure 8-6.

Figure 8-6 Edit NAC Profiler Definition - Directory Organization Page

Step 7 Click Test Configuration. A dialog box as shown in Figure 8-7 appears that lists data corresponding to the Profiler. For example:

Primary Server
Number of Subjects: 100
Number of Directory Groups: 6

Figure 8-7 Test Configuration Dialog Box

Number of Subjects: This value maps to the subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for Profiler). After the Profiler receives initial SNMP trap information from the switch, the Profiler can poll the switch using SNMP to gather MIB (Management Information Base) information about the switch as well as the connecting endpoint. After the Profiler has learned about the endpoint (for example, its MAC address and switch port), it adds the endpoint to its database. An endpoint added to the Profiler's database is counted as one subject.

Number of Directory Groups: This value maps to the profiles enabled for LDAP on the Profiler. When the Profiler is already running on your network, default profiles for endpoints are pre-configured. However, not all profiles are enabled for LDAP; they must be configured as described in Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication, page 8-36. If you are setting up the Profiler for the first time, you will see zero groups initially once the Profiler is up and running.

Note: The subjects and directory groups are listed only if they number fewer than 100. If the number of subjects or directory groups exceeds 100, they are not listed; instead, you get a message similar to the following: More than 100 subjects are found.

Step 8 Click the Directory Attributes tab if you want to use the directory attributes of subject records as policy conditions in policy rules. See Viewing LDAP Attributes, page 8-34 for more information.

Step 9 Choose NAC Profiler as the result (Identity Source) of the identity policy. For more information, see Viewing Identity Policies, page 10-21.
As soon as the endpoint is successfully authenticated by the ACS server, ACS issues a CoA (Change of Authorization) and changes the VLAN. For this, you can configure static VLAN mapping in the ACS server. For more information, see Specifying Common Attributes in Authorization Profiles, page 9-19.

When the endpoint is successfully authenticated, the following output is displayed on the switch:

ACCESS-Switch# show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15
For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1 at the following location: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/310/p_prof_events31.html

Troubleshooting MAB Authentication with Profiler Integration

To troubleshoot MAB authentication while integrating with NAC Profiler and to verify that the endpoint is successfully authenticated, complete the following steps:

Step 1 Run the following command on the switch that is connected to the endpoint devices:

ACCESS-Switch# show authentication sessions

The following output is displayed:

Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15

Step 2 Enable debugging for SNMP, AAA, and 802.1X on the switch.

Step 3 Verify the MAB authentication logs in Monitoring and Reports Viewer > Troubleshooting, for failed and successful authentications.

Microsoft AD

ACS uses Microsoft Active Directory (AD) as an external identity store to store resources such as users, machines, groups, and attributes. ACS authenticates these resources against AD.

Supported Authentication Protocols

EAP-FAST and PEAP: ACS 5.3 supports user and machine authentication and password change against AD using EAP-FAST and PEAP with an inner method of MSCHAPv2 and EAP-GTC.

PAP: ACS 5.3 supports authenticating against AD using PAP and also allows you to change AD users' passwords.

MSCHAPv1: ACS 5.3 supports user and machine authentication against AD using MSCHAPv1. You can change AD users' passwords using MSCHAPv1 version 2. ACS does not support MS-CHAP MPPE-Keys of a user, but does support MPPE-Send-Key and MPPE-Recv-Key.

Note: ACS 5.3 does not support changing a user's password against AD using MSCHAP version 1.
MSCHAPv2: ACS 5.3 supports user and machine authentication against AD using MSCHAPv2. ACS does not support MS-CHAP MPPE-Keys of a user, but does support MPPE-Send-Key and MPPE-Recv-Key.

EAP-GTC: ACS 5.3 supports user and machine authentication against AD using EAP-GTC.

EAP-TLS: ACS uses the certificate retrieval option introduced in 5.3 to support user and machine authentication against AD using EAP-TLS.

ACS 5.x supports changing the password for users who are authenticated against Active Directory in TACACS+ PAP/ASCII, EAP-MSCHAP, and EAP-GTC methods. Changing the password for EAP-FAST and PEAP with inner MSCHAPv2 is also supported.
The AD user password change using the above methods must follow the AD password policy. Check with your AD administrator for the complete AD password policy rules. The important AD password policy rules are:

Enforce password history: N passwords remembered
Maximum password age: N days
Minimum password age: N days
Minimum password length: N characters
Password must meet complexity requirements

AD uses the Maximum password age N days rule to detect password expiry. All other rules are used during a password change attempt.

ACS supports these AD domains:

Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2

The ACS machine access restriction (MAR) feature uses AD to map machine authentication to user authentication and authorization, and sets the maximum time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine does not successfully authenticate, or if the time between machine and user authentication is greater than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required.

While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli.html for more information.
Note: ACS fully supports two-way trust between Active Directory domains.

The ACS appliance uses different levels of cache for AD groups to optimize performance. AD groups are identified by a unique identifier, the SID. ACS retrieves the SIDs that belong to the user and uses the cached mapping of the SIDs to the full name and path of the group. The AD client component caches the mapping for 24 hours. The run-time component of ACS queries the AD client and caches the results for as long as it is running. To prevent ACS from using outdated mappings, create new AD groups instead of changing or moving the existing ones. If you change or move the existing ones, you have to wait for 24 hours and restart the ACS services to refresh all the cached data.

ACS 5.3 supports certificate authorization.
If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened:

Protocol         Port number
LDAP             389/udp
SMB              445/tcp
KDC              88/(tcp/udp)
Global catalog   3268/tcp
KPASS            464/tcp
NTP              123/udp

Note: Dial-in users are not supported by AD in ACS.

This section contains the following topics:

Machine Authentication, page 8-43
Attribute Retrieval for Authorization, page 8-44
Group Retrieval for Authorization, page 8-44
Certificate Retrieval for EAP-TLS Authentication, page 8-44
Concurrent Connection Management, page 8-44
User and Machine Account Restrictions, page 8-44
Machine Access Restrictions, page 8-45
Dial-in Permissions, page 8-46
Callback Options for Dial-in users, page 8-46
Joining ACS to an AD Domain, page 8-48
Configuring an AD Identity Store, page 8-48
Selecting an AD Group, page 8-50
Configuring AD Attributes, page 8-51

Machine Authentication

Machine authentication provides access to network services only to those computers that are listed in Active Directory. This becomes very important for wireless networks because unauthorized users can try to access your wireless access points from outside your office building. Machine authentication happens while a computer is starting up or while a user is logging in to a computer. Supplicants such as Funk Odyssey perform machine authentication periodically while the supplicant is running. If you enable machine authentication, ACS authenticates the computer before a user authentication request comes in. ACS checks the credentials provided by the computer against the Windows user database. If the credentials match, the computer is given access to the network.
Attribute Retrieval for Authorization

You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group mapping rules. The attributes are mapped to the ACS policy results and determine the authorization level for the user or machine. ACS retrieves user and machine AD attributes after a successful user or machine authentication, and can also retrieve the attributes for authorization and group mapping purposes independent of authentication.

Group Retrieval for Authorization

ACS can retrieve user or machine groups from Active Directory after a successful authentication, and can also retrieve the user or machine groups independent of authentication for authorization and group mapping purposes. You can use the AD group data in the authorization and group mapping tables and introduce special conditions to match them against the retrieved groups.

Certificate Retrieval for EAP-TLS Authentication

ACS 5.3 supports certificate retrieval for user or machine authentication that uses the EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type, which can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for it. ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares each of them to check whether one matches. When a match is found, ACS grants the user or machine access to the network.
Concurrent Connection Management

After ACS connects to the AD domain at startup, ACS creates a number of threads to be used by the AD identity store for improved performance. Each thread has its own connection.

User and Machine Account Restrictions

While authenticating or querying a user or a machine, ACS checks whether:

The user account is disabled
The user is locked out
The user's account has expired
The query is run outside of the specified logon hours

If the user has one of these limitations, the AD1::IdentityAccessRestricted attribute in the AD dedicated dictionary is set to indicate that the user has restricted access. You can use this attribute in group mapping and authorization rules.
Machine Access Restrictions

MAR helps tie the results of machine authentication to the user authentication and authorization process. The most common usage of MAR is to fail authentication of users whose host machine does not successfully authenticate. MAR is effective for all authentication protocols.

MAR functionality is based on the following points:

As a result of machine authentication, the machine's RADIUS Calling-Station-ID attribute (31) is cached as evidence for later reference.

The administrator can configure the time to live (TTL) of the above cache entries in the AD settings page.

The administrator can configure whether or not MAR is enabled in the AD settings page. However, for MAR to work the following limitations must be taken into account:
– Machine authentication must be enabled in the authenticating protocol settings.
– The AAA client must send a value in the Internet Engineering Task Force (IETF) RADIUS Calling-Station-Id attribute (31).
– ACS does not replicate the cache of Calling-Station-Id attribute values from successful machine authentications.
– ACS does not preserve the cache of Calling-Station-Id attribute values, so the content is lost if you restart ACS or if it crashes. The content is not verified for consistency if the administrator performs configuration changes that may affect machine authentication.

When the user authenticates with either PEAP or EAP-FAST against the AD external ID store, ACS performs an additional action: it searches the cache for the user's Calling-Station-Id. If it is found, the Was-Machine-Authenticated attribute is set to true in the session context; otherwise it is set to false. For this to function correctly, the user authentication request must contain the Calling-Station-Id. If it does not, the Was-Machine-Authenticated attribute is set to false.
The administrator can add rules to authorization policies that are based on the AD GM attribute and on the Machine Authentication Required attribute. Any rule that contains these two attributes will only apply if the following conditions are met:
– The MAR feature is enabled
– Machine authentication in the authenticating protocol settings is enabled
– The external ID store is AD

When such a rule is evaluated, the AD GM and Was-Machine-Authenticated attributes are fetched from the session context and checked against the rule's conditions. According to the results of this evaluation, an authorization result is set.

Exemption list functionality is supported implicitly (in contrast to ACS 4.x). To exempt a given user group from MAR, the administrator can set a rule in which the AD Group column contains the group to exempt and the Machine Authentication Required column contains No. See the second rule in the table below for an example.

For example, the administrator can add rules to the authorization policy as follows:
AD Group    Machine Authentication Required    …    ATZ profile
Engineers   Yes                                …    VLAN X
Managers    No                                 …    VLAN B
…           …                                  …    DENY ACCESS

The Engineers rule is an example of a MAR rule that only allows engineers access if their machine was successfully authenticated against the Windows DB. The Managers rule is an example of an exemption from MAR.

Dial-in Permissions

The dial-in permissions of a user are checked during authentications or queries from Active Directory. The dial-in check is supported only for user authentications and not for machines, in the following authentication protocols:

PAP
MSCHAPv2
EAP-FAST
PEAP
EAP-TLS

The following results are possible:

Allow Access
Deny Access
Control Access through Remote Access Policy. This option is only available for Windows 2000 native domains and Windows Server 2003 domains.
Control Access through NPS Network Policy. This is the default result. This option is only available for Windows Server 2008 and Windows Server 2008 R2 domains.

Callback Options for Dial-in Users

If the callback option is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set either by the caller or by the network administrator. The possible callback options are:

No callback
Set by Caller (Routing and Remote Access service only). This option can be used to define a series of static IP routes that are added to the routing table of the server running the Routing and Remote Access service when a connection is made.
Always callback to (with an option to set a number). This option can be used to assign a specific IP address to a user when a connection is made.

The callback attributes should be returned in the RADIUS response to the device.
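The MAR behaviour described in the preceding points and the two rules in the table above, modelled as an added example (this is not ACS code; the class and function names, the TTL value and the Calling-Station-Id values are constructed for illustration). It shows the in-memory Calling-Station-Id cache with its TTL, the false result when the user request carries no Calling-Station-Id, and how the Engineers and Managers rows yield VLAN X, VLAN B or DENY ACCESS.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class MarCache:
    """Calling-Station-Id values (RADIUS attribute 31) seen in successful
    machine authentications, each with an expiry computed from the TTL.
    As in ACS, this cache is memory only: it is neither replicated nor
    persisted, so a restart empties it."""
    ttl_seconds: int
    entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, calling_station_id: str, now: float) -> None:
        self.entries[calling_station_id] = now + self.ttl_seconds

    def was_machine_authenticated(self, calling_station_id: Optional[str], now: float) -> bool:
        # A user request without Calling-Station-Id can never be matched.
        if calling_station_id is None:
            return False
        expiry = self.entries.get(calling_station_id)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[calling_station_id]  # TTL elapsed: not authenticated
            return False
        return True


@dataclass
class Rule:
    """One row of the authorization table: AD group, whether machine
    authentication is required, and the authorization profile."""
    ad_group: str
    machine_auth_required: bool
    result: str


# Constructed from the table above: Engineers are subject to MAR, Managers
# are exempted by the "No" in the Machine Authentication Required column.
RULES: List[Rule] = [
    Rule("Engineers", True, "VLAN X"),
    Rule("Managers", False, "VLAN B"),
]
DEFAULT_RESULT = "DENY ACCESS"


def authorize(user_groups: Iterable[str], calling_station_id: Optional[str],
              cache: MarCache, now: float, mar_rules_active: bool = True) -> str:
    """Evaluate the rule table for a user authenticating with PEAP or EAP-FAST.

    mar_rules_active stands for the three preconditions in the text (MAR
    enabled, machine authentication enabled in the protocol settings, external
    ID store is AD); when any is false, rules using these attributes do not apply.
    """
    groups = set(user_groups)
    was_machine_authenticated = cache.was_machine_authenticated(calling_station_id, now)
    for rule in RULES:
        if not mar_rules_active:
            continue  # rule carries AD GM / Machine Authentication Required: skipped
        if rule.ad_group not in groups:
            continue
        if rule.machine_auth_required and not was_machine_authenticated:
            continue  # Engineers without a cached machine auth fall through
        return rule.result
    return DEFAULT_RESULT
```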
Dial-in Support Attributes

The user attributes on Active Directory are supported on the following servers:

Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2

ACS does not support dial-in users on Windows 2000.

ACS Response

If you enable the dial-in check on ACS Active Directory and the user's dial-in option is Deny Access on Active Directory, the authentication request is rejected with a message in the log indicating that dial-in access is denied. If a user fails an MSCHAP v1/v2 authentication because dial-in is not enabled, ACS should set a proper error code (NT error = 649) in the EAP response.

If the callback options are enabled, the ACS RADIUS response contains the returned Service-Type and Callback-Number attributes as follows:

If the callback option is Set by Caller or Always Callback To, the service-type attribute should be queried on Active Directory during the user authentication. The service-type can be one of the following:
– 3 = Callback Login
– 4 = Callback Framed
– 9 = Callback NAS Prompt

This attribute should be returned to the device in the Service-Type RADIUS attribute. If ACS is already configured to return a service-type attribute in the RADIUS response, the service-type value queried for the user on Active Directory replaces it.

If the callback option is Always Callback To, the callback number should also be queried on the Active Directory user.
This value is set in the RADIUS response on the Cisco-AV-Pair attribute with the following values:
– cisco-av-pair=lcp:callback-dialstring=[callback number value]
– cisco-av-pair=Shell:callback-dialstring=[callback number value]
– cisco-av-pair=Slip:callback-dialstring=[callback number value]
– cisco-av-pair=Arap:callback-dialstring=[callback number value]

The callback number value is also returned in the RADIUS response, using the RADIUS attribute CallbackNumber (#19).

If the callback option is Set by Caller, the RADIUS response contains the following attributes with no value:
– cisco-av-pair=lcp:callback-dialstring=
– cisco-av-pair=Shell:callback-dialstring=
– cisco-av-pair=Slip:callback-dialstring=
– cisco-av-pair=Arap:callback-dialstring=
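The callback part of the ACS response described above, as an added example rather than ACS code: given the AD dial-in callback option, the Service-Type and callback number read from the AD user, and any Service-Type already configured in the authorization profile, it assembles the attribute list for the Access-Accept. The function name, the Service-Type value 2 used for the configured profile, and the phone number are constructed for illustration; attribute 19 is written here as Callback-Number, its standard RADIUS name.

```python
from enum import Enum
from typing import List, Optional, Tuple


class CallbackOption(Enum):
    NO_CALLBACK = "No callback"
    SET_BY_CALLER = "Set by Caller"
    ALWAYS_CALLBACK_TO = "Always Callback To"


# Service-Type values the text says ACS reads from the AD user for callback.
CALLBACK_SERVICE_TYPES = {3: "Callback Login", 4: "Callback Framed", 9: "Callback NAS Prompt"}
# Prefixes of the four Cisco-AV-Pair values that carry the dialstring.
DIALSTRING_PREFIXES = ("lcp", "Shell", "Slip", "Arap")

Attribute = Tuple[str, object]


def build_callback_attributes(option: CallbackOption,
                              ad_service_type: Optional[int] = None,
                              ad_callback_number: Optional[str] = None,
                              configured_service_type: Optional[int] = None) -> List[Attribute]:
    """Return the (attribute, value) pairs for the Access-Accept.

    configured_service_type is a Service-Type already set in the ACS
    authorization profile; it survives only when no callback is involved.
    """
    attrs: List[Attribute] = []
    if option is CallbackOption.NO_CALLBACK:
        if configured_service_type is not None:
            attrs.append(("Service-Type", configured_service_type))
        return attrs
    # Set by Caller / Always Callback To: Service-Type comes from AD and
    # replaces whatever the profile configured.
    if ad_service_type not in CALLBACK_SERVICE_TYPES:
        raise ValueError(f"unexpected callback Service-Type from AD: {ad_service_type!r}")
    attrs.append(("Service-Type", ad_service_type))
    if option is CallbackOption.ALWAYS_CALLBACK_TO:
        if not ad_callback_number:
            raise ValueError("Always Callback To requires a callback number on the AD user")
        dialstring = ad_callback_number
        attrs.append(("Callback-Number", dialstring))  # RADIUS attribute 19
    else:
        dialstring = ""  # Set by Caller: the dialstring attributes carry no value
    for prefix in DIALSTRING_PREFIXES:
        attrs.append(("cisco-av-pair", f"{prefix}:callback-dialstring={dialstring}"))
    return attrs
```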
Joining ACS to an AD Domain

After you configure the AD identity store in ACS through the ACS web interface, you must submit the configuration to join ACS to the AD domain. For more information on how to configure an AD identity store, see Configuring an AD Identity Store, page 8-48.

Note: The Windows AD account that joins ACS to the AD domain can be placed in its own organizational unit (OU). It can reside in its own OU either when the account is created or later on, with the restriction that the appliance name must match the name of the AD account.

Note: ACS does not support user authentication in AD when a user name is supplied with an alternative UPN suffix configured at the OU level. Authentication works if the UPN suffix is configured at the domain level.

Related Topic
Machine Authentication, page B-34

Configuring an AD Identity Store

When you configure an AD identity store, ACS also creates:

A new dictionary for that store with two attributes: ExternalGroups and another attribute for any attribute retrieved from the Directory Attributes page.
A new attribute, IdentityAccessRestricted. You can manually create a custom condition for this attribute.
A custom condition for group mapping from the ExternalGroup attribute; the custom condition name is AD1:ExternalGroups, and another custom condition for each attribute selected in the Directory Attributes page (for example, AD1:cn). You can edit the predefined condition name, and you can create a custom condition from the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.

To authenticate users and join ACS with an AD domain:

Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory. The Active Directory page appears.

Step 2 Modify the fields in the General tab as described in Table 8-10.
Table 8-10 Active Directory: General Page

Option                          Description
Connection Details
Active Directory Domain Name    Name of the AD domain to join ACS to.