Cisco ACS 5.x User Guide
8-49 User Guide for Cisco Secure Access Control System 5.3 (OL-24201-01)
Chapter 8: Managing Users and Identity Stores, Managing External Identity Stores

Table 8-10 Active Directory: General Page (continued)

Option / Description

Username
  Predefined user in AD. The AD account that ACS requires for domain access should have either of the following:
  – The "Add workstations to domain" user right in the corresponding domain.
  – Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine account is precreated (created before joining the ACS machine to the domain).
  We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when necessary and may therefore deny all authentications.

Password
  Enter the user password. The password should have a minimum of 8 characters with a combination of at least one lowercase letter, one uppercase letter, one numeral, and one special character. All special characters are supported.

Test Connection
  Click to test the ACS connection with the AD domain for the user, domain, and password identified in the previous fields. A message appears informing you whether the AD server is routable within the network and also authenticates the given AD username and password. To join the AD domain, ACS first attempts to create a secure connection. If this is unsuccessful, it then attempts to create an insecure connection.

End User Authentication Settings

Enable password change
  Click to allow the password to be changed.

Enable machine authentication
  Click to allow machine authentication.

Enable Machine Access Restrictions
  Click to ensure that machine authentication results are tied to user authentication and authorization. If you enable this feature, you must set the Aging time.

Aging time (hours)
  Time after a machine was authenticated during which a user can be authenticated from that machine. If this time elapses, user authentication fails. You must set this time if you checked the Enable Machine Access Restrictions check box.

Enable dial-in check
  Click to examine the user's dial-in permissions during authentication or query. The result of the check can cause the authentication to be rejected if the dial-in permission is denied. The result is not stored in the AD dictionary.

Enable callback support for dial-up clients
  Click to examine the user's callback option during authentication or query. The result of the check is returned to the device in the RADIUS response. The result is not stored in the AD dictionary.

Connectivity Status

Joined to Domain
  (Display only.) After you save the configuration (by clicking Save Changes), shows the domain name with which ACS is joined.

Connectivity Status
  (Display only.) After you save the configuration (by clicking Save Changes), shows the connection status of the domain name with which ACS is joined.
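Two of the rules in Table 8-10 are easy to get wrong in practice: the password policy for the AD join account, and the Machine Access Restrictions (MAR) aging window. The following Python is an added example, not code from the Cisco ACS user guide; it models the documented behaviour so that both rules can be exercised offline. The machine-authentication history, the machine names and the timestamps are constructed, and treating any non-alphanumeric character as "special" is an assumption of the example (the guide only says all special characters are supported).

```python
"""Checks modelled on two options of the Active Directory: General Page.

Added example, not Cisco code. ACS keeps the machine-authentication state
internally; here it is a plain dictionary constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta, timezone

# Password rule for the AD join account: at least 8 characters with at least
# one lowercase letter, one uppercase letter, one digit and one special
# character. "Special" = any non-alphanumeric character (assumption).
_PASSWORD_RULES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


def join_account_password_ok(password: str) -> bool:
    """Return True if the password satisfies the documented policy."""
    if len(password) < 8:
        return False
    return all(rule.search(password) for rule in _PASSWORD_RULES)


def mar_allows_user_auth(machine_auth_times, machine, now, aging_hours,
                         mar_enabled=True):
    """Machine Access Restrictions decision for one user authentication.

    machine_auth_times: {machine name: datetime of its last successful machine
    authentication}. Returns True when a user authenticating from `machine`
    at `now` is allowed by MAR, False when MAR rejects the authentication.
    """
    if not mar_enabled:
        return True                 # feature off: MAR imposes no restriction
    if aging_hours is None or aging_hours <= 0:
        raise ValueError("Aging time must be set when MAR is enabled")
    last = machine_auth_times.get(machine)
    if last is None:
        return False                # no machine authentication on record
    # User authentication from this machine is allowed only until the aging
    # time has elapsed since the machine itself authenticated.
    return now - last < timedelta(hours=aging_hours)


def run_sample():
    """Constructed scenario: LAPTOP01$ authenticated at 08:00 UTC, aging 6 h."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    auths = {"LAPTOP01$": t0}
    return {
        "same_machine_5h": mar_allows_user_auth(auths, "LAPTOP01$", t0 + timedelta(hours=5), 6),
        "same_machine_7h": mar_allows_user_auth(auths, "LAPTOP01$", t0 + timedelta(hours=7), 6),
        "unknown_machine": mar_allows_user_auth(auths, "LAPTOP02$", t0, 6),
        "mar_disabled": mar_allows_user_auth(auths, "LAPTOP02$", t0, 6, mar_enabled=False),
    }


if __name__ == "__main__":
    print(join_account_password_ok("Acs-Join1x"))
    print(run_sample())
```

The `unknown_machine` case is the one that surprises people after enabling MAR: a user on a machine that has never performed machine authentication is rejected even with a correct password, which is the expected tie between machine and user authentication rather than a fault.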
Step 3  Click:
  – Save Changes to save the configuration, join ACS to the specified AD domain with the configured credentials, and start the AD agent.
  – Discard Changes to discard all changes.
  – If AD is already configured and you want to delete it, click Clear Configuration after you verify that:
    – There are no policy rules that use custom conditions based on the AD dictionary.
    – AD is not chosen as the identity source in any of the available access services.
    – There are no identity store sequences that include AD.

The Active Directory configuration is saved. The Active Directory page appears with the new configuration.

Note: The Windows AD account that joins ACS to the AD domain can be placed in its own Organizational Unit (OU). It resides in its own OU either when the account is created or later on, with the restriction that the appliance name must match the name of the AD account.

Note: The AD connector is affected (and sometimes disconnected) when the server responds slowly while you test the ACS connection with the AD domain. It works fine with other applications.

Note: Due to NetBIOS limitations, ACS hostnames must contain 15 characters or fewer.

Related Topics
  Selecting an AD Group, page 8-50
  Configuring AD Attributes, page 8-51

Selecting an AD Group

Use this page to select groups that can then be available for policy conditions.

Note: To select groups and attributes from an AD, ACS must be connected to that AD.

Step 1  Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.

The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and can be available as options in group mapping conditions in rule tables.
If you have more groups in other trusted domains or forests that are not displayed, you can use the search filter to narrow down your search results.

Step 2  Click Select to see the available AD groups in the domain (and in other trusted domains in the same forest).
The External User Groups dialog box appears, displaying a list of AD groups in the domain as well as in other trusted domains in the same forest. If you have more groups that are not displayed, use the search filter to refine your search and click Go.

Step 3  Enter the AD groups or select them from the list, then click OK. To remove an AD group from the list, click the AD group, then click Deselect.

Step 4  Click:
  – Save Changes to save the configuration.
  – Discard Changes to discard all changes.
  – If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

Note: It is not recommended to use domain local groups in ACS policies, because membership evaluation in domain local groups can be time consuming. By default, domain local groups are therefore not evaluated, and if you install patch 3 or later, ACS 5.3 does not retrieve domain local groups.

Note: When configuring the AD Identity Store on ACS 5.x, the security groups defined in Active Directory are enumerated and can be used, but distribution groups are not shown. Active Directory distribution groups are not security-enabled and can only be used with e-mail applications to send e-mail to collections of users. Refer to the Microsoft documentation for more information on distribution groups.

Note: Logon authentication may fail on Active Directory when ACS tries to authenticate users who belong to more than 1015 groups in external identity stores. This is due to Local Security Authentication (LSA) limitations in Active Directory.

Configuring AD Attributes

Use this page to select attributes that can then be available for policy conditions.
Step 1  Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Attributes tab.

Step 2  Complete the fields in the Active Directory: Attributes page as described in Table 8-11:
Table 8-11 Active Directory: Attributes Page

Option / Description

Name of example Subject to Select Attributes
  Enter the name of a user or computer found in the joined domain. You can enter the user's or the computer's CN or distinguished name. The set of attributes that is displayed belongs to the subject that you specify. The set of attributes is different for a user and for a computer.

Select
  Click to access the Attributes secondary window, which displays the attributes of the name you entered in the previous field.

Attribute Name List
  Displays the attributes you selected in the secondary Selected Attributes window.

Attribute Name
  Do one of the following:
  – Enter the name of the attribute.
  – Select an attribute from the list, then click Edit to edit the attribute.
  Click Add to add an attribute to the Attribute Name list.

Type
  Attribute type associated with the attribute name. Valid options are:
  – String
  – Unsigned Integer 32
  – IPv4 Address

Default
  Default value for the selected attribute:
  – String: name of the attribute.
  – Unsigned Integer 32: 0.
  – IPv4 Address: no default set.

Policy Condition Name
  Enter the custom condition name for this attribute. For example, if the custom condition name is AAA, enter AAA in this field and not AD1:att_name.

Select Attributes Secondary Window
  Available from the Attributes secondary window only.

Search Filter
  Specify a user or machine name. For user names, you can specify distinguished name, SAM, NetBIOS, or UPN format. For machine names, you can specify one of the following formats: MACHINE$, NETBiosDomain\MACHINE$, host/MACHINE, or host/machine.domain. You can specify non-English letters for user and machine names.

Attribute Name
  The name of an attribute of the user or machine name you entered in the previous field.

Attribute Type
  The type of the attribute.

Attribute Value
  The value of the attribute for the specified user or machine.

Step 3  Click:
  – Save Changes to save the configuration.
  – Discard Changes to discard all changes.
  – If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

AD Deployments with Users Belonging to a Large Number of Groups

In ACS 5.3, when you move between AD domains, user authentications show a timeout error if the user belongs to a large number of groups (more than 50 groups). However, subsequent authentications of the same user, or of another user belonging to the same group, work properly. This is due to the adclient.get.builtin.membership parameter in the ACS AD agent configuration. When this parameter is set to true, the agent performs many additional requests and takes a long time for users who belong to a large number of groups. You can observe that the AD built-in groups are not available for use in ACS policies after the adclient.get.builtin.membership parameter is set to true. To overcome this issue, set the adclient.get.builtin.membership parameter to false. To set the adclient.get.builtin.membership parameter, perform the following steps in the ACS CLI:

Step 1  Log into the ACS CLI in configuration mode.

Step 2  Enter the following commands:

  acs-config
  ad-agent-configuration adclient.get.builtin.membership false

Note: The first authentication of a user belonging to a large number of groups may fail with a timeout error. However, subsequent authentications of the same user, or of another user belonging to the same group, work properly.

Joining ACS to Domain Controllers

When ACS needs to connect to a domain controller or a global catalog, it sends SRV requests to the configured DNS servers to find the available list of domain controllers for a domain and the global catalogs for a forest.
If the Active Directory configuration on the ACS machine is assigned to a subnet, which in turn is assigned to a site, then ACS sends DNS queries scoped to that site; that is, the DNS server is expected to return the domain controllers and global catalogs serving the particular site to which the subnet is assigned. If the ACS machine is not assigned to a site, then ACS does not scope the DNS queries to a site; that is, the DNS server is expected to return all available domain controllers and global catalogs regardless of site. ACS iterates through the available list of domain controllers or global catalogs and tries to establish a connection in the order in which the domain controllers or global catalogs appear in the DNS response received from the DNS server.
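The notes under Selecting an AD Group (distribution groups are not shown, domain local groups are not retrieved by default) and the 1015-group LSA limit above describe which of a user's groups ACS can actually act on. The following Python is an added example, not code from the Cisco ACS user guide: it applies those rules to a list of groups as an LDAP search would return them, using the groupType flag values that Microsoft documents for the ADS_GROUP_TYPE enumeration, and flags accounts whose group count exceeds the documented limit. The group names and groupType values are constructed.

```python
"""Which AD groups ACS 5.3 exposes for policy conditions, per the notes
under "Selecting an AD Group". Added example, not Cisco code.

Group scope and security enablement come from the AD groupType attribute.
The flag values below are Microsoft's ADS_GROUP_TYPE_* values.
"""
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # bit clear => distribution group

LSA_GROUP_LIMIT = 1015   # from the note: logon may fail above this many groups


def _scope(group_type: int) -> str:
    if group_type & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain local"
    if group_type & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if group_type & GROUP_TYPE_GLOBAL:
        return "global"
    return "unknown"


def acs_visible_groups(groups, evaluate_domain_local=False):
    """Return the names of the groups ACS would expose for policy conditions.

    groups: iterable of (name, groupType) pairs as returned by an LDAP search
    (LDAP stores groupType as a signed 32-bit integer, so security groups
    appear as negative numbers). Distribution groups are never shown; domain
    local groups are skipped unless evaluate_domain_local is True, which
    mirrors the ACS 5.3 patch 3 default of not retrieving them.
    """
    visible = []
    for name, gtype in groups:
        gtype &= 0xFFFFFFFF                      # signed -> unsigned view
        if not gtype & GROUP_TYPE_SECURITY_ENABLED:
            continue                             # distribution group
        if _scope(gtype) == "domain local" and not evaluate_domain_local:
            continue
        visible.append(name)
    return visible


def exceeds_lsa_group_limit(group_count: int) -> bool:
    """True if a user with this many groups is at risk of the LSA logon failure."""
    return group_count > LSA_GROUP_LIMIT


# Constructed sample, in the form an LDAP search for (objectClass=group)
# returning sAMAccountName and groupType might produce.
SAMPLE_GROUPS = [
    ("Domain Users", -2147483646),     # 0x80000002: global, security-enabled
    ("VPN-Users", -2147483640),        # 0x80000008: universal, security-enabled
    ("Local-Admins-DL", -2147483644),  # 0x80000004: domain local, security-enabled
    ("All-Staff-Mail", 2),             # 0x00000002: global distribution list
]


if __name__ == "__main__":
    print(acs_visible_groups(SAMPLE_GROUPS))
    print(acs_visible_groups(SAMPLE_GROUPS, evaluate_domain_local=True))
    print(exceeds_lsa_group_limit(1200))
```

Running the same filter over a real group export before writing ACS policy rules tells you in advance which groups will be absent (distribution lists and, by default, domain local groups), which avoids rules that can never match.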
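The site-scoped versus unscoped DNS lookup and the in-order connection attempts described above, as an added example that is not code from the Cisco ACS user guide. It builds the SRV names using the standard Windows DNS locator layout (`_ldap._tcp.dc._msdcs.<domain>`, `_gc._tcp.<forest>` and their `_sites` variants); the guide does not state which record names ACS queries, so the exact names are an assumption. The DNS answers, the `example.com` domain, the `HQ` site and the set of unreachable hosts are all constructed, and the connect callback stands in for a real network connection.

```python
"""Domain controller / global catalog discovery as the guide describes it:
SRV lookups, scoped to a site when one is assigned, then connection attempts
in the order the DNS response listed the targets. Added example, not Cisco
code; SRV names follow the standard Windows locator layout (assumption).
"""


def srv_names(domain, forest, site=None):
    """Return (dc_srv_name, gc_srv_name) to query for `domain` and `forest`.

    With a site the queries are scoped to that site; without one the unscoped
    names return every DC/GC regardless of site.
    """
    if site:
        dc = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        gc = f"_gc._tcp.{site}._sites.{forest}"
    else:
        dc = f"_ldap._tcp.dc._msdcs.{domain}"
        gc = f"_gc._tcp.{forest}"
    return dc, gc


def first_reachable(srv_answers, try_connect):
    """Try each (host, port) in DNS-response order; return the first host that
    accepts a connection, or None when every target fails."""
    for host, port in srv_answers:
        if try_connect(host, port):
            return host
    return None


# Constructed DNS answers keyed by SRV name (domain and forest: example.com).
FAKE_DNS = {
    "_ldap._tcp.HQ._sites.dc._msdcs.example.com": [("dc1.example.com", 389), ("dc2.example.com", 389)],
    "_ldap._tcp.dc._msdcs.example.com": [("dc1.example.com", 389), ("dc2.example.com", 389), ("dc3.example.com", 389)],
    "_gc._tcp.HQ._sites.example.com": [("dc1.example.com", 3268)],
    "_gc._tcp.example.com": [("dc1.example.com", 3268), ("dc3.example.com", 3268)],
}
DOWN_HOSTS = {"dc1.example.com"}   # constructed: dc1 is unreachable in the sample


def run_sample(site=None):
    """Resolve and connect for example.com, optionally scoped to `site`."""
    dc_name, gc_name = srv_names("example.com", "example.com", site)

    def connect(host, port):          # stand-in for a real LDAP connection
        return host not in DOWN_HOSTS

    return {
        "dc": first_reachable(FAKE_DNS.get(dc_name, []), connect),
        "gc": first_reachable(FAKE_DNS.get(gc_name, []), connect),
    }


if __name__ == "__main__":
    print(run_sample("HQ"))   # site-scoped: only dc1 serves the GC for HQ
    print(run_sample())       # unscoped: dc3 picks up the GC role
```

The two runs show the operational trade-off behind the site assignment: scoping keeps ACS on nearby controllers, but if the site's only global catalog is down the scoped lookup has nothing else to fall back to, whereas the unscoped lookup finds a catalog in another site.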
RSA SecurID Server

ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user's personal identification number (PIN) and an individually registered RSA SecurID token that generates single-use token codes based on a time code algorithm. A different token code is generated at fixed intervals (usually every 30 or 60 seconds). The RSA SecurID server validates this dynamic authentication code.

Each RSA SecurID token is unique, and it is not possible to predict the value of a future token code based on past token codes. Thus, when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication mechanism than conventional reusable passwords.

You can integrate with RSA SecurID authentication technology in either of the following ways:
  – Using the RSA SecurID agent: users are authenticated with username and passcode through RSA's native protocol.
  – Using the RADIUS protocol: users are authenticated with username and passcode through the RADIUS protocol.

The RSA SecurID token server in ACS 5.3 integrates with the RSA SecurID authentication technology by using the RSA SecurID Agent.

Configuring RSA SecurID Agents

The RSA SecurID server administrator can do the following:
  – Create an Agent Record (sdconf.rec), page 8-54
  – Reset the Node Secret (securid), page 8-54
  – Override Automatic Load Balancing, page 8-55
  – Manually Intervene to Remove a Down RSA SecurID Server, page 8-55

Create an Agent Record (sdconf.rec)

To configure an RSA SecurID token server in ACS 5.3, the ACS administrator requires the sdconf.rec file. The sdconf.rec file is a configuration record file that specifies how the RSA agent communicates with the RSA SecurID server realm.
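The properties the RSA SecurID section above relies on (a new code every fixed interval, codes that cannot be derived from earlier ones without the token's secret, and single use of each code together with the PIN) are illustrated by the following Python, which is an added example and not code from the Cisco ACS user guide or from RSA. It does not implement RSA's proprietary token algorithm: the code derivation is an HMAC-SHA1 time-based scheme in the style of RFC 6238, chosen only to show the same behaviour. The token seed, PIN, username and timestamps are constructed.

```python
"""Single-use, time-based token codes with PIN + tokencode passcodes.

Added example, not Cisco or RSA code, and not RSA's algorithm: an HMAC-based
time code (RFC 6238 style) stands in for the token to illustrate the
properties the guide describes.
"""
import hashlib
import hmac
import struct

INTERVAL_SECONDS = 60   # the guide: a new code every 30 or 60 seconds


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code a token with secret `seed` shows during the interval containing unix_time."""
    counter = unix_time // INTERVAL_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenServer:
    """Validates username + passcode, where passcode = PIN followed by tokencode."""

    def __init__(self, users):
        # users: {username: (pin, token_seed)} - constructed registration data
        self._users = users
        self._used = set()        # (username, interval) pairs already accepted

    def authenticate(self, username: str, passcode: str, unix_time: int) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        pin, seed = record
        interval = unix_time // INTERVAL_SECONDS
        expected = pin + token_code(seed, unix_time)
        # Constant-time comparison of the whole passcode, so neither the PIN
        # nor the code is confirmed digit by digit through timing.
        if not hmac.compare_digest(passcode.encode(), expected.encode()):
            return False
        # Single use: a code accepted once is refused for the rest of its interval.
        key = (username, interval)
        if key in self._used:
            return False
        self._used.add(key)
        return True


def run_sample():
    """Constructed scenario for user alice with PIN 1234."""
    seed = b"constructed-token-seed-0001"
    server = TokenServer({"alice": ("1234", seed)})
    t = 1_700_000_000
    good = "1234" + token_code(seed, t)
    return {
        "first_use": server.authenticate("alice", good, t),
        "replay_same_interval": server.authenticate("alice", good, t + 10),
        "old_code_next_interval": server.authenticate("alice", good, t + INTERVAL_SECONDS),
        "wrong_pin": server.authenticate("alice", "0000" + token_code(seed, t), t),
        "new_code_next_interval": server.authenticate(
            "alice", "1234" + token_code(seed, t + INTERVAL_SECONDS), t + INTERVAL_SECONDS),
    }


if __name__ == "__main__":
    print(run_sample())
```

The replay case is the one worth checking in any deployment: a passcode captured from a RADIUS exchange is useless after its first acceptance, which is what makes the scheme stronger than a reusable password even though the code itself travels in the request.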
To create the sdconf.rec file, the RSA SecurID server administrator should add the ACS host as an Agent Host on the RSA SecurID server and generate a configuration file for this agent host.

Note: The sdconf.rec file is unique in a deployment. However, Cisco Secure ACS replicates the sdconf.rec file from the primary server to the secondary server while joining the secondary server to the primary server.

Reset the Node Secret (securid)

After the agent initially communicates with the RSA SecurID server, the server provides the agent with a node secret file called securid. Subsequent communication between the server and the agent relies on exchanging the node secret to verify the other's authenticity. At times, you might have to reset the node secret. To reset the node secret:
  – The RSA SecurID server administrator must uncheck the Node Secret Created check box on the Agent Host record in the RSA SecurID server.
  – The ACS administrator must remove the securid file from ACS.

Override Automatic Load Balancing

The RSA SecurID Agent automatically balances the requested loads across the RSA SecurID servers in the realm. However, you have the option to balance the load manually. You can specify which server each of the agent hosts must use and assign a priority to each server so that the agent host directs authentication requests to some servers more frequently than others. You must specify the priority settings in a text file and save it as sdopts.rec, which you can then upload to ACS.

Manually Intervene to Remove a Down RSA SecurID Server

When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, you can remove the sdstatus.12 file from ACS.

Creating and Editing RSA SecurID Token Servers

ACS 5.3 supports RSA SecurID Token Servers for authenticating users, for the increased security that one-time passwords provide. RSA SecurID token servers provide two-factor authentication to ensure the authenticity of users.

To authenticate users against an RSA identity store, you must first create an RSA SecurID Token Server in ACS and configure the realm, ACS instance, and advanced settings. ACS 5.3 supports only one RSA realm. You can configure the settings for the RSA realm. A single realm can contain many ACS instances.

Note: You must obtain the sdconf.rec file from the RSA SecurID server administrator and store it in ACS.

To create or edit an RSA SecurID token server:

Step 1  Select Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers.

The RSA SecurID Token Servers page appears.

Step 2  Click Create.
You can also click the name of the identity store that you want to modify, or check the box next to the name and click Edit.

Step 3  Complete the fields in the RSA Realm Settings tab as described in Table 8-12.

Table 8-12 RSA Realm Settings Tab

Option / Description

General

Name
  Name of the RSA realm.

Description
  (Optional) The description of the RSA realm.

Server Connection

Server Timeout n seconds
  ACS waits for n seconds to connect to the RSA SecurID token server before timing out.

Reauthenticate on Change PIN
  Check this check box to reauthenticate on change PIN.

Realm Configuration File

Import new ‘sdconf.rec’ file
  Click Browse to select the sdconf.rec file from your machine.

Node Secret Status
  Once the user is first authenticated against the RSA SecurID Token Server, the Node Secret Status is shown as Created.

Step 4  Click the ACS Instance Settings tab. See Configuring ACS Instance Settings, page 8-57 for more information.

Step 5  Click the Advanced tab. See Configuring Advanced Options, page 8-59 for more information.

Step 6  Click Submit to create an RSA SecurID store.

The RSA SecurID Token Server page appears with the configured servers.
Related Topics
  RSA SecurID Server, page 8-54
  Configuring ACS Instance Settings, page 8-57
  Configuring Advanced Options, page 8-59

Configuring ACS Instance Settings

The ACS Instance Settings tab appears with the current list of ACS instances that are active in the system. You cannot add or delete these entries. However, you can edit the available RSA Realm settings for each of these ACS instances. Table 8-13 describes the fields in the ACS Instance Settings tab.

Table 8-13 ACS Instance Settings Tab

Option / Description

ACS Instance
  Name of the ACS instance.

Options File
  Name of the options file.

Node Secret Status
  Status of the Node Secret. This can be one of the following:
  – Created
  – Not created

You can edit the settings of the ACS instances that are listed on this page. To do this:

Step 1  Check the check box next to the ACS instance that you want to edit and click Edit.

The ACS instance settings dialog box appears. This dialog box contains the following tabs:
  – RSA Options File: see Editing ACS Instance Settings, page 8-57 for more information.
  – Reset Agents Files: see Editing ACS Instance Settings, page 8-57 for more information.

Step 2  Click OK.

Related Topics
  RSA SecurID Server, page 8-54
  Creating and Editing RSA SecurID Token Servers, page 8-55
  Editing ACS Instance Settings, page 8-57
  Configuring Advanced Options, page 8-59

Editing ACS Instance Settings

You can edit the ACS instance settings to:
  – Enable the RSA options file, page 8-58
  – Reset Agent Files, page 8-58
Enable the RSA options file

You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the realm. Table 8-14 describes the fields in the RSA Options File tab.

Table 8-14 RSA Options File Tab

Option / Description

The RSA options file (sdopts.rec) may be enabled on each ACS instance to control the routing priorities for connections between the RSA agent and the RSA servers in the realm. For a detailed description of the format of sdopts.rec, refer to the RSA documentation.

Use the Automatic Load Balancing status maintained by the RSA Agent
  Choose this option to use the automatic load balancing status that the RSA agent maintains.

Override the Automatic Load Balancing status with the sdopts.rec file selected below
  Choose this option to use the load balancing status that is specified in the sdopts.rec file.

Current File
  Lists the sdopts.rec file that is currently chosen.

Timestamp
  Time when the sdopts.rec file was last modified.

File Size
  Size of the sdopts.rec file.

Import new ‘sdopts.rec’ file
  Click Browse to import the new sdopts.rec file from your hard drive.

Note: Changes will not take effect until the page that launched this popup is submitted.

Do one of the following:
  – Click OK to save the configuration.
  – Click the Reset Agent Files tab to reset the secret key information or the status of active and inactive servers in the realm.

Related Topics
  RSA SecurID Server, page 8-54
  Creating and Editing RSA SecurID Token Servers, page 8-55
  Configuring ACS Instance Settings, page 8-57
  Editing ACS Instance Settings, page 8-57
  Configuring Advanced Options, page 8-59

Reset Agent Files

Use this page to reset the following:
  – Node Secret key file, to ensure that communication with the RSA servers is encrypted.
  – Status of the servers in the realm.