Cisco Acs 5x User Guide
8-59 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores

Step 1 Choose either of the following options:
- To reset the node secret on the agent host, check the Remove securid file on submit check box. If you reset the node secret on the agent host, you must also reset the agent host's node secret in the RSA server.
- To reset the status of servers in the realm, check the Remove sdstatus.12 file on submit check box.
Step 2 Click OK.

Related Topics
- RSA SecurID Server, page 8-54
- Creating and Editing RSA SecurID Token Servers, page 8-55
- Configuring ACS Instance Settings, page 8-57
- Editing ACS Instance Settings, page 8-57
- Configuring Advanced Options, page 8-59

Configuring Advanced Options

Use this page to do the following:
- Define what an access reject from an RSA SecurID token server means to you.
- Enable identity caching—Caching users in RSA is similar to caching users in RADIUS Token, with the logic and the purpose of the caching being the same. The only difference is that in RSA there is no attribute retrieval for users and therefore no caching of attributes. The authenticated user is cached, but without any attributes.

To configure advanced options for the RSA realm:
Step 1 Do one of the following:
- Click the Treat Rejects as Authentication failed radio button—ACS interprets an authentication reject from an RSA SecurID store as an authentication failure.
- Click the Treat Rejects as User not found radio button—ACS interprets an authentication reject from an RSA SecurID store as "user not found."
Step 2 Enable identity caching to allow ACS to process requests that are not authenticated through the RSA server. The results obtained from the last successful authentication are available in the cache for the specified time period.
Step 3 Check the Enable identity caching check box.
Step 4 Enter the aging time in minutes. The identity cache stores the results of a successful login only for the time period specified here.
Step 5 Click Submit.
Page 8-60

Related Topics
- RSA SecurID Server, page 8-54
- Creating and Editing RSA SecurID Token Servers, page 8-55
- Configuring ACS Instance Settings, page 8-57
- Editing ACS Instance Settings, page 8-57

RADIUS Identity Stores

A RADIUS server is a third-party server that supports the RADIUS interface. The RADIUS identity store, which is part of ACS, connects to the RADIUS server. RADIUS servers include servers that come with a standard RADIUS interface built into them and other servers that support the RADIUS interface. ACS 5.3 supports any RADIUS RFC 2865-compliant server as an external identity store.

ACS 5.3 supports multiple RADIUS token server identities, for example, the RSA SecurID server and the SafeWord server. RADIUS identity stores can work with any RADIUS token server that is used to authenticate the user. RADIUS identity stores use a UDP port for authentication sessions; the same UDP port is used for all RADIUS communication.

Note For ACS to successfully send RADIUS messages to a RADIUS-enabled server, you must ensure that the gateway devices between the RADIUS-enabled server and ACS allow communication over the UDP port. You can configure the UDP port through the ACS web interface.

This section contains the following topics:
- Supported Authentication Protocols, page 8-60
- Failover, page 8-61
- Password Prompt, page 8-61
- User Group Mapping, page 8-61
- Groups and Attributes Mapping, page 8-61
- RADIUS Identity Store in Identity Sequence, page 8-62
- Authentication Failure Messages, page 8-62
- Username Special Format with Safeword Server, page 8-62
- User Attribute Cache, page 8-63
- Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63

Supported Authentication Protocols

ACS supports the following authentication protocols for RADIUS identity stores:
- RADIUS PAP
- TACACS+ ASCII/PAP
- PEAP with inner EAP-GTC
- EAP-FAST with inner EAP-GTC
Page 8-61

Failover

ACS 5.3 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to connect to the primary server, it uses the secondary server.

Password Prompt

RADIUS identity stores allow you to configure the password prompt. You can configure the password prompt through the ACS web interface.

User Group Mapping

To provide the per-user group mapping feature available in ACS 4.x, ACS 5.3 uses the attribute retrieval and authorization mechanism for users that are authenticated with a RADIUS identity store. For this, you must configure the RADIUS identity store to return authentication responses that contain the [009\001] cisco-av-pair attribute with the following value: ACS:CiscoSecure-Group-Id=N, where N can be any ACS group number from 0 through 499 that ACS assigns to the user. This attribute is then available in the policy configuration pages of the ACS web interface while creating authorization and group mapping rules.

Groups and Attributes Mapping

You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions for authorization and group mapping. You select the attributes that you want to use in policy conditions while configuring the RADIUS identity store. These attributes are kept in the RADIUS identity store's dedicated dictionary and can be used to define policy conditions.

Note You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list. You can use the attribute subscription feature of ACS 5.3 to include RADIUS identity store attributes in the ACS response to the device.

The following RADIUS attributes are returned:
- Attributes that are listed in the RADIUS RFCs
- Vendor-specific attributes

The following attribute types are supported:
- String
- Unsigned Integer
- IPv4 Address
- Enumeration

If an attribute with multiple values is returned, the value is ignored, and if a default value has been configured, that value is returned. However, this attribute is reported in the customer log as a problematic attribute.
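The attribute retrieval rules above (supported types, the cisco-av-pair group id, the default value, and the multi-valued attribute that is ignored and logged) modelled as an added Python example; this is not Cisco's code or the ACS implementation. DirectoryAttribute, retrieve_attributes, select_values and the sample Access-Accept list are this example's own constructions, and treating a value of the wrong type like a missing value is this example's choice, not something the guide states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GROUP_ID_PREFIX = "ACS:CiscoSecure-Group-Id="   # value format from User Group Mapping


@dataclass
class DirectoryAttribute:
    """One entry of the store's attribute list (this example's own shape)."""
    name: str                      # "Class" or "cisco-av-pair.some-avpair"
    attr_type: str                 # "String", "Unsigned Integer" or "IPv4 Address"
    default: Optional[str] = None  # used when the attribute is absent or multi-valued

def coerce(value: str, attr_type: str):
    """Validate a raw RADIUS value against the configured type; ValueError on mismatch."""
    if attr_type == "String":
        return value
    if attr_type == "Unsigned Integer" and 0 <= int(value) <= 0xFFFFFFFF:
        return int(value)
    if attr_type == "IPv4 Address":
        return str(ipaddress.IPv4Address(value))
    raise ValueError(f"{value!r} is not a valid {attr_type}")

def parse_group_id(av_pairs) -> Optional[int]:
    """Return N from ACS:CiscoSecure-Group-Id=N when it is an ACS group number 0..499."""
    for pair in av_pairs:
        if pair.startswith(GROUP_ID_PREFIX):
            n = int(pair[len(GROUP_ID_PREFIX):])
            return n if 0 <= n <= 499 else None
    return None

def select_values(name: str, by_name: dict) -> list:
    """'cisco-av-pair.x' resolves to the values of AV-pairs named x; otherwise plain lookup."""
    if name.startswith("cisco-av-pair."):
        key = name.split(".", 1)[1] + "="
        return [p[len(key):] for p in by_name.get("cisco-av-pair", []) if p.startswith(key)]
    return by_name.get(name, [])

def retrieve_attributes(accept_attrs, configured) -> dict:
    """accept_attrs: (name, value) pairs of an Access-Accept; configured: DirectoryAttribute list.
    Returns the policy-condition values, the names to report as problematic, and the group id."""
    by_name: dict = {}
    for name, value in accept_attrs:
        by_name.setdefault(name, []).append(value)
    attributes, problematic = {}, []
    for cfg in configured:
        values = select_values(cfg.name, by_name)
        if len(values) == 1:
            try:
                attributes[cfg.name] = coerce(values[0], cfg.attr_type)
                continue
            except ValueError:
                problematic.append(cfg.name)   # wrong type: handled like a bad value (assumption)
        elif len(values) > 1:
            problematic.append(cfg.name)       # multi-valued: value ignored, logged as problematic
        if cfg.default is not None:            # absent or ignored value: configured default applies
            attributes[cfg.name] = coerce(cfg.default, cfg.attr_type)
    return {"attributes": attributes, "problematic": problematic,
            "group_id": parse_group_id(by_name.get("cisco-av-pair", []))}

# Constructed sample: one Access-Accept attribute list and one store's attribute list.
SAMPLE_ACCEPT = [("Class", "contractors"), ("Framed-IP-Address", "10.1.2.3"), ("Session-Timeout", "3600"),
                 ("Filter-Id", "acl-a"), ("Filter-Id", "acl-b"),
                 ("cisco-av-pair", "ACS:CiscoSecure-Group-Id=42"), ("cisco-av-pair", "shell:priv-lvl=15")]
SAMPLE_CONFIG = [DirectoryAttribute("Class", "String"), DirectoryAttribute("Framed-IP-Address", "IPv4 Address"),
                 DirectoryAttribute("Session-Timeout", "Unsigned Integer"),
                 DirectoryAttribute("Filter-Id", "String", default="acl-default"),
                 DirectoryAttribute("cisco-av-pair.shell:priv-lvl", "Unsigned Integer"),
                 DirectoryAttribute("Login-IP-Host", "IPv4 Address", default="192.0.2.1")]
```

Running retrieve_attributes(SAMPLE_ACCEPT, SAMPLE_CONFIG) yields group id 42, the two-valued Filter-Id replaced by its default and listed as problematic, and the absent Login-IP-Host filled from its default.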
Page 8-62

RADIUS Identity Store in Identity Sequence

You can add the RADIUS identity store to the authentication sequence in an identity sequence. However, you cannot add the RADIUS identity store to the attribute retrieval sequence, because you cannot query the RADIUS identity store without authentication.

ACS cannot distinguish between different error cases while authenticating with a RADIUS server. RADIUS servers return an Access-Reject message for all error cases. For example, when a user is not found in the RADIUS server, instead of returning a User Unknown status, the RADIUS server returns an Access-Reject message. You can, however, enable the Treat Rejects as Authentication Failure or User Not Found option available in the RADIUS identity store pages of the ACS web interface.

Authentication Failure Messages

When a user is not found in the RADIUS server, the RADIUS server returns an Access-Reject message. ACS provides you the option to configure this message through the ACS web interface as either Authentication Failed or Unknown User. However, this option returns an Unknown User message not only for cases where the user is not known, but for all failure cases. Table 8-15 lists the different failure cases that are possible with RADIUS identity servers.

Table 8-15 Error Handling
Cause of Authentication Failure | Failure Cases
Authentication Failed | User is unknown. User attempts to log in with a wrong passcode. User logon hours expired.
Process Failed | RADIUS server is configured incorrectly in ACS. RADIUS server is unavailable. RADIUS packet is detected as malformed. Problem during sending or receiving a packet from the RADIUS server. Timeout.
Unknown User | Authentication failed and the Fail on Reject option is set to false.

Username Special Format with Safeword Server

The Safeword token server supports authentication with the following username format:
Username—Username, OTP
ACS parses the username and converts this to:
Username—Username
Page 8-63

Safeword token servers support both formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse the username and convert it to the specified format. This conversion is done in the RADIUS token server identity store before the request is sent to the RADIUS token server.

User Attribute Cache

RADIUS token servers, by default, do not support user lookups. However, the user lookup functionality is essential for the following ACS features:
- PEAP session resume—Happens after successful authentication during EAP session establishment
- EAP-FAST fast reconnect—Happens after successful authentication during EAP session establishment
- T+ Authorization—Happens after successful T+ Authentication

ACS caches the results of successful authentications to process user lookup requests for these features. For every successful authentication, the name of the authenticated user and the retrieved attributes are cached. Failed authentications are not written to the cache.

The cache is held in memory at runtime and is not replicated between ACS nodes in a distributed deployment. You can configure the time to live (TTL) limit for the cache through the ACS web interface: you must enable the identity caching option and set the aging time in minutes. The cache is available in memory for the specified amount of time.

Creating, Duplicating, and Editing RADIUS Identity Servers

ACS 5.3 supports the RADIUS identity server as an external identity store for the increased security that one-time passwords provide. RADIUS identity servers provide two-factor authentication to ensure the authenticity of the users.

To authenticate users against a RADIUS identity store, you must first create the RADIUS identity server in ACS and configure the settings for the RADIUS identity store. ACS 5.3 supports the following authentication protocols:
- RADIUS PAP
- TACACS+ ASCII/PAP
- PEAP with inner EAP-GTC
- EAP-FAST with inner EAP-GTC

For a successful authentication with a RADIUS identity server, ensure that:
- The gateway devices between the RADIUS identity server and ACS allow communication over the UDP port.
- The shared secret that you configure for the RADIUS identity server on the ACS web interface is identical to the shared secret configured on the RADIUS identity server.

To create, duplicate, or edit a RADIUS Identity Server:
Step 1 Choose Users and Identity Stores > External Identity Stores > RADIUS Identity Servers.
The RADIUS Identity Servers page appears with a list of RADIUS external identity servers.
Page 8-64

Step 2 Click Create. You can also:
- Check the check box next to the identity store you want to duplicate, then click Duplicate.
- Click the identity store name that you want to modify, or check the box next to the name and click Edit.
Step 3 Complete the fields in the General tab. See Configuring General Settings, page 8-64 for a description of the fields in the General tab.
Step 4 You can:
- Click Submit to save the RADIUS Identity Server.
- Click the Shell Prompts tab. See Configuring Shell Prompts, page 8-66 for a description of the fields in the Shell Prompts tab.
- Click the Directory Attributes tab. See Configuring Directory Attributes, page 8-67 for a description of the fields in the Directory Attributes tab.
- Click the Advanced tab. See Configuring Advanced Options, page 8-68 for a description of the fields in the Advanced tab.
Step 5 Click Submit to save the changes.

Related Topics
- RADIUS Identity Stores, page 8-60
- Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63

Configuring General Settings

Table 8-16 describes the fields in the General tab of the RADIUS Identity Servers page.

Table 8-16 RADIUS Identity Server - General Tab
Option | Description
Name | Name of the external RADIUS identity server.
Description | (Optional) A brief description of the RADIUS identity server.
SafeWord Server | Check this check box to enable two-factor authentication using a SafeWord server.
Page 8-65

Table 8-16 RADIUS Identity Server - General Tab (continued)
Option | Description
Server Connection |
Enable Secondary Server | Check this check box to use a secondary RADIUS identity server as a backup server in case the primary RADIUS identity server fails. If you enable the secondary server, you must configure the parameters for the secondary RADIUS identity server and must choose one of the following options: Always Access Primary Server First—Select this option to ensure that ACS always accesses the primary RADIUS identity server first before the secondary server is accessed. Failback To Primary Server After n Minutes—Select this option to set the number of minutes ACS can use the secondary server for authentication. After this time expires, ACS should again attempt to authenticate using the primary server. The default value is 5 minutes.
Primary Server |
Server IP Address | IP address of the primary RADIUS identity server.
Shared Secret | Shared secret between ACS and the primary RADIUS identity server. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
Authentication Port | Port number on which the primary RADIUS server listens. Valid options are from 1 to 65,535. The default value is 1812.
Server Timeout n Seconds | Number of seconds, n, that ACS waits for a response from the primary RADIUS identity server before it determines that the connection to the primary server has failed. Valid options are from 1 to 300. The default value is 5.
Connection Attempts | Number of times that ACS should attempt to reconnect before contacting the secondary RADIUS identity server, or dropping the connection if no secondary server is configured. Valid options are from 1 to 10. The default value is 3.
Secondary Server |
Server IP Address | IP address of the secondary RADIUS identity server.
Shared Secret | Shared secret between ACS and the secondary RADIUS identity server. The shared secret must be identical to the shared secret that is configured on the RADIUS identity server. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
Authentication Port | Port number on which the secondary RADIUS server listens. Valid options are from 1 to 65,535. The default value is 1812.

Page 8-66

Table 8-16 RADIUS Identity Server - General Tab (continued)
Option | Description
Server Timeout n Seconds | Number of seconds, n, that ACS waits for a response from the secondary RADIUS identity server before it determines that the connection to the secondary server has failed. Valid options are from 1 to 300. The default value is 5.
Connection Attempts | Number of times that ACS should attempt to reconnect before dropping the request. Valid options are from 1 to 10. The default value is 3.

Related Topics
- RADIUS Identity Stores, page 8-60
- Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63
- Configuring Shell Prompts, page 8-66
- Configuring Directory Attributes, page 8-67
- Configuring Advanced Options, page 8-68

Configuring Shell Prompts

For TACACS+ ASCII authentication, ACS must return the password prompt to the user. The RADIUS identity server supports this functionality through the password prompt option. ACS can use the prompt that you configure in the Shell Prompts page on the ACS web interface. If the prompt is empty, the user receives the default prompt that is configured under TACACS+ global settings.

When establishing a connection with a RADIUS identity server, the initial request packets may not have the password. You must request a password. You can use this page to define the prompt that is used to request the password. To do this:
Step 1 Enter the text for the prompt in the Prompt field.
Step 2 Do one of the following:
- Click Submit to configure the prompt for requesting the password.
- Click the Directory Attributes tab to define a list of attributes that you want to use in policy rule conditions. See Configuring Directory Attributes, page 8-67 for more information.

Related Topics
- RADIUS Identity Stores, page 8-60
- Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63
- Configuring General Settings, page 8-64
- Configuring Directory Attributes, page 8-67
- Configuring Advanced Options, page 8-68
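The server connection behaviour of Table 8-16 (Server Timeout, Connection Attempts, the two secondary-server options and their defaults), combined with the Access-Reject interpretation of Table 8-15 and the Advanced tab, as an added Python model; this is not Cisco's code or how ACS is implemented internally. RadiusServer, RadiusIdentityStore, authenticate and make_send are this example's own names, make_send is a constructed stand-in that sends no packets, and trying the primary as a fallback while the failback timer is running is an assumption the guide does not state.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

ALWAYS_PRIMARY_FIRST = "Always Access Primary Server First"
FAILBACK_AFTER_N_MINUTES = "Failback To Primary Server After n Minutes"


@dataclass
class RadiusServer:
    """Primary or secondary server block of Table 8-16 (defaults and ranges from the table)."""
    ip: str
    shared_secret: str
    auth_port: int = 1812
    timeout_seconds: int = 5
    connection_attempts: int = 3

    def __post_init__(self):
        if not (1 <= self.auth_port <= 65535 and 1 <= self.timeout_seconds <= 300
                and 1 <= self.connection_attempts <= 10):
            raise ValueError("value outside the ranges given in Table 8-16")


@dataclass
class RadiusIdentityStore:
    primary: RadiusServer
    secondary: Optional[RadiusServer] = None
    mode: str = ALWAYS_PRIMARY_FIRST                # only meaningful when a secondary is enabled
    failback_minutes: int = 5                       # default for Failback To Primary Server After n Minutes
    treat_rejects_as_user_not_found: bool = False   # Advanced tab radio button
    secondary_until: Optional[float] = field(default=None, repr=False)  # runtime state, not configuration


def authenticate(store: RadiusIdentityStore, send: Callable[[RadiusServer, int], str], now: float) -> str:
    """One authentication request. Returns the Table 8-15 outcome: 'Passed', 'Authentication Failed',
    'Unknown User' or 'Process Failed'. send(server, timeout) returns 'Access-Accept' or
    'Access-Reject', or raises TimeoutError when the server does not answer in time."""
    order = [store.primary] + ([store.secondary] if store.secondary else [])
    in_failback_window = (store.mode == FAILBACK_AFTER_N_MINUTES
                          and store.secondary_until is not None and now < store.secondary_until)
    if in_failback_window:
        order.reverse()   # secondary first until n minutes elapse (primary kept as fallback: assumption)
    for server in order:
        for _ in range(server.connection_attempts):   # Connection Attempts before giving up on a server
            try:
                code = send(server, server.timeout_seconds)
            except TimeoutError:
                continue
            if code == "Access-Accept":
                return "Passed"
            # Access-Reject covers every failure case; the Advanced tab decides how ACS reports it
            return "Unknown User" if store.treat_rejects_as_user_not_found else "Authentication Failed"
        if server is store.primary and store.secondary and store.mode == FAILBACK_AFTER_N_MINUTES:
            store.secondary_until = now + store.failback_minutes * 60   # start the failback timer
    return "Process Failed"   # server unavailable or timeout (Table 8-15)


def make_send(unreachable: set, rejecting: set = frozenset()) -> Callable:
    """Constructed stand-in for the RADIUS transport: sends nothing, scripts each server's answer."""
    def send(server: RadiusServer, timeout: int) -> str:
        if server.ip in unreachable:
            raise TimeoutError(f"{server.ip}:{server.auth_port} gave no reply within {timeout}s")
        return "Access-Reject" if server.ip in rejecting else "Access-Accept"
    return send
```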
Page 8-67

Configuring Directory Attributes

When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make use of these RADIUS attributes in policy rules. In the Directory Attributes tab, you can specify the RADIUS attributes that you use in policy rule conditions. ACS maintains a separate list of these attributes.

Step 1 Modify the fields in the Directory Attributes tab as described in Table 8-17.
Step 2 Do either of the following:
- Click Submit to save your changes and return to the RADIUS Identity Servers page.
- Click the Advanced tab to configure failure message handling and to enable identity caching. See Configuring Advanced Options, page 8-68 for more information.

Related Topics
- RADIUS Identity Stores, page 8-60
- Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63
- Configuring General Settings, page 8-64
- Configuring Shell Prompts, page 8-66
- Configuring Advanced Options, page 8-68

Table 8-17 RADIUS Identity Servers - Directory Attributes Tab
Option | Description
Attribute List | Use this section to create the attribute list to include in policy conditions. As you include each attribute, its name, type, default value, and policy condition name appear in the table. To add a RADIUS attribute, fill in the fields below the table and click Add. To edit a RADIUS attribute, select the appropriate row in the table and click Edit; the RADIUS attribute parameters appear in the fields below the table. Edit as required, then click Replace.
Dictionary Type | RADIUS dictionary type. Click the drop-down list box to select a RADIUS dictionary type.
RADIUS Attribute | Name of the RADIUS attribute. Click Select to choose the RADIUS attribute. This name is composed of two parts: the attribute name and an extension to support AV-pairs if the attribute selected is a Cisco AV-Pair. For example, for an attribute cisco-av-pair with an AV-pair name some-avpair, ACS displays cisco-av-pair.some-avpair. IETF and vendor VSA attribute names contain an optional suffix, -nnn, where nnn is the ID of the attribute.
Type | RADIUS attribute type. Valid options are: String, Unsigned Integer 32, IPv4 Address.
Default | (Optional) A default value that can be used if the attribute is not available in the response from the RADIUS identity server. This value must be of the specified RADIUS attribute type.
Policy Condition Name | Specify the name of the custom policy condition that uses this attribute.

Page 8-68

Configuring Advanced Options

In the Advanced tab, you can do the following:
- Define what an access reject from a RADIUS identity server means to you.
- Enable identity caching.

Table 8-18 describes the fields in the Advanced tab of the RADIUS Identity Servers page. Click Submit to save the RADIUS Identity Server.

Table 8-18 RADIUS Identity Server - Advanced Tab
Option | Description
This Identity Store does not differentiate between authentication failed and user not found when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting. |
Treat Rejects as authentication failed | Click this option to consider all ambiguous access reject attempts as failed authentications.
Treat Rejects as user not found | Click this option to consider all ambiguous access reject attempts as unknown users.
Identity caching is used to allow processing of requests that do not perform authentication against the server. The cache retains the results and attributes retrieved from the last successful authentication for the subject. |
Enable identity caching | Check this check box to enable identity caching. If you enable identity caching, you must enter the time in minutes for which you want ACS to retain the identity cache.
Aging Time n Minutes | Enter the time in minutes for which you want ACS to retain the identity cache. Valid options are from 1 to 1440.

Related Topics
- RADIUS Identity Stores, page 8-60
- Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63

Configuring CA Certificates

When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.
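The identity cache described under User Attribute Cache (page 8-63) and in Table 8-18, as an added Python model rather than Cisco's code: only successful authentications are written, entries carry the user's retrieved attributes (or none, for the RSA realm), lookups for PEAP session resume, EAP-FAST fast reconnect and T+ authorization are answered only within the aging time, and the aging time is limited to 1 through 1440 minutes. IdentityCache and its method names are this example's own; that a later failed authentication leaves an existing entry untouched is this example's reading of "not written to the cache".

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IdentityCache:
    """Per-node, in-memory identity cache (not replicated between ACS nodes)."""
    enabled: bool = False             # Enable identity caching check box
    aging_minutes: int = 5            # Aging Time n Minutes, valid 1..1440
    caches_attributes: bool = True    # False models the RSA realm: user cached without attributes
    _entries: dict = field(default_factory=dict, repr=False)   # username -> (stored_at, attributes)

    def __post_init__(self):
        if not 1 <= self.aging_minutes <= 1440:
            raise ValueError("aging time must be between 1 and 1440 minutes")

    def record(self, username: str, outcome: str, attributes: dict, now: float) -> bool:
        """Called after every authentication against the token server; only successes are written.
        Returns True when an entry was stored."""
        if not self.enabled or outcome != "Passed":
            return False   # failed authentications are not written; an older entry is left as is
        self._entries[username] = (now, dict(attributes) if self.caches_attributes else {})
        return True

    def lookup(self, username: str, now: float) -> Optional[dict]:
        """User lookup for PEAP session resume, EAP-FAST fast reconnect or T+ authorization.
        Returns the cached attributes, or None when caching is off, the user is unknown,
        or the entry is older than the aging time."""
        if not self.enabled or username not in self._entries:
            return None
        stored_at, attributes = self._entries[username]
        if now - stored_at > self.aging_minutes * 60:
            del self._entries[username]   # aged out: the token server must authenticate the user again
            return None
        return attributes

    def entries(self) -> int:
        """Number of entries currently held (aged entries are dropped lazily on lookup)."""
        return len(self._entries)
```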