Cisco Acs 5x User Guide
8-69 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 8 Managing Users and Identity Stores

Configuring CA Certificates

You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).

Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate. For more information, see Configuring Local Server Certificates, page 18-14.

Note: ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You must add the certificate that signed the server certificate to the CA. You must ensure that the chain is signed correctly and that all the certificates are valid. If the server certificate and the CA that signed the server certificate are installed on ACS, ACS sends the full certificate chain to the client.

Note: ACS does not support wildcard certificates.

Related Topics
- Adding a Certificate Authority, page 8-69
- Editing a Certificate Authority and Configuring Certificate Revocation Lists, page 8-71
- Deleting a Certificate Authority, page 8-72
- Exporting a Certificate Authority, page 8-73

Adding a Certificate Authority

The supported certificate formats are DER, PEM, or CER.

To add a trusted CA (Certificate Authority) certificate:

Step 1  Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate page appears.
Step 2  Click Add.
Step 3  Complete the fields in the Certificate File to Import page as described in Table 8-19.

Table 8-19 Certificate Authority Properties Page

Certificate File to Import
  Certificate File: Enter the name of the certificate file. Click Browse to navigate to the location on the client machine where the trust certificate is located.
  Trust for client with EAP-TLS: Check this box so that ACS will use the certificate trust list for the EAP protocol.
  Allow Duplicate Certificates: Allows you to add certificates with the same CN and SKI but different Valid From, Valid To, and Serial numbers.
  Description: Enter a description of the CA certificate.
Step 4  Click Submit.
The new certificate is saved. The Trust Certificate List page appears with the new certificate.

Related Topics
- User Certificate Authentication, page B-6
- Overview of EAP-TLS, page B-6

Editing a Certificate Authority and Configuring Certificate Revocation Lists

Use this page to edit a trusted CA (Certificate Authority) certificate.

Step 1  Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate page appears with a list of configured certificates.
Step 2  Click the name that you want to modify, or check the check box for the Name, and click Edit.
Complete the fields in the Edit Trust Certificate List Properties page as described in Table 8-20.

When ACS delays the CA CRL, the CA is retained on the local file system. The CA is not refreshed until you resubmit it. By default, ACS fails all user certificates of a CA for which the CRL has expired. If the CA is resubmitted, the following error is shown: 12514 EAP-TLS failed SSL/TLS handshake. This is because of the unknown CA. If the CA is not resubmitted, the following error is shown: 12515 EAP-TLS failed SSL/TLS handshake. This is because of the expired CRL. If you choose Ignore CRL Expiration, authentication fails for revoked certificates and succeeds for non-revoked certificates.

Table 8-20 Edit Certificate Authority Properties Page

Issuer
  Friendly Name: The name that is associated with the certificate.
  Description: (Optional) A brief description of the CA certificate.
  Issued To: Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject.
  Issued By: Display only. The certification authority that issued the certificate.
  Valid From: Display only. The start date of the certificate's validity. An X.509 certificate is valid only from the start date to the end date (inclusive).
  Valid To (Expiration): Display only. The last date of the certificate's validity.
  Serial Number: Display only. The serial number of the certificate.
  Description: Description of the certificate.

Usage
  Trust for client with EAP-TLS: Check this box so that ACS will use the trust list for the TLS-related EAP protocols.

Certificate Revocation List Configuration
  Use this section to configure the CRL.
  Download CRL: Check this box to download the CRL.
  CRL Distribution URL: Enter the CRL distribution URL. You can specify a URL that uses HTTP.
  Retrieve CRL: ACS attempts to download a CRL from the CA. Toggle the time settings for ACS to retrieve a new CRL from the CA.
    Automatically: Obtain the next update time from the CRL file. If unsuccessful, ACS tries to retrieve the CRL periodically after the first failure until it succeeds.
    Every: Determines the frequency between retrieval attempts. Enter the amount in units of time.
  If Download Failed Wait: Enter the amount of time to wait before attempting to retrieve the CRL again, if the retrieval initially failed.
  Bypass CRL Verification if CRL is not Received: If unchecked, all client requests that use a certificate signed by the selected CA are rejected until ACS receives the CRL file. When checked, the client request may be accepted before the CRL is received.
  Ignore CRL Expiration: Check this box to check a certificate against an outdated CRL. When checked, ACS continues to use the expired CRL and permits or rejects EAP-TLS authentications according to the contents of the CRL. When unchecked, ACS examines the expiration date of the CRL in the Next Update field in the CRL file. If the CRL has expired, all authentications that use a certificate signed by the selected CA are rejected.

Step 3  Click Submit.
The Trust Certificate page appears with the edited certificate.

Related Topics
- User Certificate Authentication, page B-6
- Overview of EAP-TLS, page B-6

Deleting a Certificate Authority

Use this page to delete a trusted CA (Certificate Authority) certificate:

Step 1  Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate List page appears with a list of configured certificates.
Step 2  Check one or more check boxes next to the certificates that you want to delete.
Step 3  Click Delete.
Step 4  Click Yes to confirm.
The Trust Certificate page appears without the deleted certificate(s).
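The following is an added example, not code from the ACS product or this guide: a small Python model of how the three CRL options in Table 8-20 (Bypass CRL Verification if CRL is not Received, Ignore CRL Expiration, and the Retrieve CRL / If Download Failed Wait timers) combine to accept or reject a client certificate. The class and function names, the reason strings and the sample serial numbers are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass
class CrlPolicy:
    """Constructed model of the CRL options in Table 8-20 (not ACS code)."""
    bypass_if_not_received: bool = False            # "Bypass CRL Verification if CRL is not Received"
    ignore_crl_expiration: bool = False             # "Ignore CRL Expiration"
    retrieve: str = "automatically"                 # "Retrieve CRL": "automatically" or "every"
    every: timedelta = timedelta(hours=24)          # interval used when retrieve == "every"
    retry_wait: timedelta = timedelta(minutes=30)   # "If Download Failed Wait"


@dataclass
class CrlState:
    """What ACS currently holds for one CA; a constructed stand-in for the CRL file."""
    received: bool = False
    next_update: Optional[datetime] = None          # Next Update field of the CRL
    revoked_serials: Set[int] = field(default_factory=set)


def check_client_cert(policy: CrlPolicy, crl: CrlState, serial: int,
                      now: datetime) -> Tuple[bool, str]:
    """Decide whether a client certificate issued by this CA passes the CRL check.

    Returns (accepted, reason). The order follows the table text: CRL presence
    first, then CRL freshness, then the revocation list itself.
    """
    if not crl.received:
        if policy.bypass_if_not_received:
            return True, "crl not received, bypassed"   # request accepted before the CRL arrives
        return False, "crl not received"                # rejected until ACS receives the CRL file
    expired = crl.next_update is not None and now > crl.next_update
    if expired and not policy.ignore_crl_expiration:
        # Expired CRL with the option unchecked: every cert signed by this CA is rejected,
        # which the guide reports as "12515 EAP-TLS failed SSL/TLS handshake" (expired CRL).
        return False, "12515 expired CRL"
    # The CRL is current, or "Ignore CRL Expiration" keeps the stale one in use:
    # revoked certificates still fail, non-revoked ones succeed.
    if serial in crl.revoked_serials:
        return False, "revoked"
    return True, "ok"


def next_retrieval(policy: CrlPolicy, crl: CrlState, now: datetime,
                   last_download_ok: bool) -> Optional[datetime]:
    """When ACS should next try to fetch the CRL, per the Retrieve CRL settings."""
    if not last_download_ok:
        return now + policy.retry_wait      # retry after the "If Download Failed Wait" period
    if policy.retrieve == "automatically":
        return crl.next_update              # next update time taken from the CRL file
    return now + policy.every               # fixed "Every" interval
```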
Related Topic
- Overview of EAP-TLS, page B-6

Exporting a Certificate Authority

To export a trust certificate:

Step 1  Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate List page appears with a list of configured certificates.
Step 2  Check the box next to the certificates that you want to export.
Step 3  Click Export.
This operation exports the trusted certificate to the client machine.
Step 4  Click Yes to confirm.
You are prompted to install the exported certificate on your client machine.

Related Topics
- User Certificate Authentication, page B-6
- Overview of EAP-TLS, page B-6

Configuring Certificate Authentication Profiles

The certificate authentication profile defines the X.509 certificate information to be used for a certificate-based access request. You can select an attribute from the certificate to be used as the username. You can select a subset of the certificate attributes to populate the username field for the context of the request. The username is then used to identify the user for the remainder of the request, including the identification used in the logs.

You can use the certificate authentication profile to retrieve certificate data to further validate a certificate presented by an LDAP or AD client. The username from the certificate authentication profile is used to query the LDAP or AD identity store. ACS compares the client certificate against all certificates retrieved from the LDAP or AD identity store, one after another, to see if one of them matches. ACS either accepts or rejects the request.

Note: For ACS to accept a request, only one certificate from either the LDAP or the AD identity store must match the client certificate.

When ACS processes a certificate-based request for authentication, one of two things happens: the username from the certificate is compared to the username in ACS that is processing the request, or ACS uses the information that is defined in the selected LDAP or AD identity store to validate the certificate information.

You can duplicate a certificate authentication profile to create a new profile that is the same as, or similar to, an existing certificate authentication profile. After duplication is complete, you access each profile (original and duplicate) separately, to edit or delete them.

To create, duplicate, or edit a certificate authentication profile:

Step 1  Select Users and Identity Stores > Certificate Authentication Profile.
The Certificate Authentication Profile page appears.
Step 2  Do one of the following:
- Click Create.
- Check the check box next to the certificate authentication profile that you want to duplicate, then click Duplicate.
- Click the certificate authentication profile that you want to modify, or check the check box next to the name and click Edit.
The Certificate Authentication Profile Properties page appears.
Step 3  Complete the fields in the Certificate Authentication Profile Properties page as described in Table 8-21.
Step 4  Click Submit.
The Certificate Authentication Profile page reappears.

Related Topics
- Viewing Identity Policies, page 10-21
- Configuring Identity Store Sequences, page 8-75
- Creating External LDAP Identity Stores, page 8-26

Table 8-21 Certificate Authentication Profile Properties Page

General
  Name: Enter the name of the certificate authentication profile.
  Description: Enter a description of the certificate authentication profile.

Certificate Definition
  Principal Username X509 Attribute: Available set of principal username attributes for X.509 authentication. The selection includes:
    - Common Name
    - Subject Alternative Name
    - Subject Serial Number
    - Subject
    - Subject Alternative Name - Other Name
    - Subject Alternative Name - EMail
    - Subject Alternative Name - DNS
  Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory: Check this check box if you want to validate certificate information for authentication against a selected LDAP or AD identity store. If you select this option, you must enter the name of the LDAP or AD identity store, or click Select to select the LDAP or AD identity store from the available list.
Configuring Identity Store Sequences

An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists of a single identity store or multiple identity methods. When you use multiple identity methods, you must first define them in an identity store sequence, and then specify the identity store sequence in the identity policy.

An identity store sequence defines the sequence that is used for authentication and attribute retrieval and an optional additional sequence to retrieve additional attributes.

Authentication Sequence

An identity store sequence can contain a definition for certificate-based authentication or password-based authentication or both.

If you select to perform authentication based on a certificate, you specify a single Certificate Authentication Profile, which you have already defined in ACS.

If you select to perform authentication based on a password, you can define a list of databases to be accessed in sequence. When authentication succeeds, any defined attributes within the database are retrieved. You must have defined the databases in ACS.

Attribute Retrieval Sequence

You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether you use password or certificate-based authentication. When you use certificate-based authentication, ACS populates the username field from a certificate attribute and then uses the username to retrieve attributes.

ACS can retrieve attributes for a user, even when:
- The user's password is flagged for a mandatory change.
- The user's account is disabled.

When you perform password-based authentication, you can define the same identity database in the authentication list and the attribute retrieval list. However, if the database is used for authentication, it will not be accessed again as part of the attribute retrieval flow.

ACS authenticates a user or host in an identity store only when there is a single match for that user or host. If an external database contains multiple instances of the same user, authentication fails. Similarly, ACS retrieves attributes only when a single match for the user or host exists; otherwise, ACS skips attribute retrieval from that database.

This section contains the following topics:
- Creating, Duplicating, and Editing Identity Store Sequences, page 8-75
- Deleting Identity Store Sequences, page 8-77

Creating, Duplicating, and Editing Identity Store Sequences

To create, duplicate, or edit an identity store sequence:

Step 1  Select Users and Identity Stores > Identity Store Sequences.
The Identity Store Sequences page appears.
Step 2  Do one of the following:
- Click Create.
- Check the check box next to the sequence that you want to duplicate, then click Duplicate.
- Click the sequence name that you want to modify, or check the check box next to the name and click Edit.
The Identity Store Sequence Properties page appears, as described in Table 8-22.

Table 8-22 Identity Store Sequence Properties Page

General
  Name: Enter the name of the identity store sequence.
  Description: Enter a description of the identity store sequence.

Authentication Method List
  Certificate Based: Check this check box to use the certificate-based authentication method. If you choose this option, you must enter the certificate authentication profile. Click Select to choose the profile from a list of available profiles.
  Password Based: Check this check box to use the password-based authentication method. If you choose this option, you must select a list of identity stores in the Authentication and Attribute Retrieval Search List area; ACS accesses those identity stores one after another until a match is found.

Authentication and Attribute Retrieval Search List
  Note: This section appears only when you check the Password Based option.
  Available: Available set of identity stores to access.
  Selected: Selected set of identity stores to access in sequence until the first authentication succeeds. Use the Up and Down arrows at the right of the list to define the order of access. ACS automatically retrieves attributes from identity stores that you selected for authentication. You do not need to select the same identity stores for attribute retrieval.

Additional Attribute Retrieval Search List
  Available: Available set of additional identity stores for attribute retrieval.
  Selected: (Optional) The selected set of additional identity stores for attribute retrieval. Use the Up and Down arrows at the right of the list to define the order of access. ACS automatically retrieves attributes from identity stores that you selected for authentication. You do not need to select the same identity stores for attribute retrieval.

Internal User/Host
  If internal user/host is not found or disabled then exit the sequence and treat as User Not Found: This option applies to the attribute phase and only when the Internal Identity Store is in the attribute retrieval list. If this option is selected and the user is not found or is disabled, ACS exits the sequence and treats the result as User Not Found.

Advanced Options
  Break sequence: If this option is selected and an authentication attempt against the current Identity Store results in a process error, the flow breaks the Identity Store sequence. The flow then continues to the Fail-Open option configured in the Identity Policy. The same applies to attribute retrieval.
  Continue to next identity store in the sequence: If this is checked and authentication with the current Identity Store results in a process error, the flow tries to authenticate with the next Identity Store in the authentication list. The same applies to the attribute retrieval phase.

Step 3  Click Submit.
The Identity Store Sequences page reappears.

Related Topics
- Performing Bulk Operations for Network Resources and Users, page 7-8
- Viewing Identity Policies, page 10-21
- Managing Internal Identity Stores, page 8-4
- Managing External Identity Stores, page 8-22
- Configuring Certificate Authentication Profiles, page 8-73
- Deleting Identity Store Sequences, page 8-77

Deleting Identity Store Sequences

To delete an identity store sequence:

Step 1  Select Users and Identity Stores > Identity Store Sequences.
The Identity Store Sequences page appears with a list of your configured identity store sequences.
Step 2  Check one or more check boxes next to the identity store sequences that you want to delete.
Step 3  Click Delete.
The following confirmation message appears: Are you sure you want to delete the selected item/items?
Step 4  Click OK.
The Identity Store Sequences page appears, without the deleted identity store sequence(s) listed.

Related Topics
- Performing Bulk Operations for Network Resources and Users, page 7-8
- Viewing Identity Policies, page 10-21
- Managing Internal Identity Stores, page 8-4
- Managing External Identity Stores, page 8-22
- Configuring Certificate Authentication Profiles, page 8-73
- Creating, Duplicating, and Editing Identity Store Sequences, page 8-75
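The following is an added example, not ACS code or anything from this guide: a Python model of the identity store sequence rules described above (single-match authentication, multiple instances failing, the Break sequence / Continue to next identity store options, the authenticating store not being queried again for attributes, and the Internal User/Host "treat as User Not Found" option). The Store class, the outcome strings and the sample users are constructed for the illustration; how ACS treats a disabled account during the authentication phase is not stated on the page and is assumed here to behave like "not found".

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed outcome of querying one identity store for a user (not ACS code):
#   "match"      exactly one instance found; attrs carries its attributes
#   "disabled"   found but the account is disabled (attributes still retrievable)
#   "not_found"  no instance
#   "multiple"   more than one instance of the same user (authentication fails)
#   "error"      process error while talking to the store
Result = Tuple[str, Dict[str, str]]


@dataclass
class Store:
    name: str
    lookup: Callable[[str], Result]


def authenticate(auth_list: List[Store], user: str,
                 on_error: str = "break") -> Tuple[Optional[str], str]:
    """Password-based Authentication list: stores are tried in order until a single match.

    on_error models the Advanced Options: "break" leaves the sequence (the identity
    policy's Fail-Open option then applies); "continue" tries the next store.
    Returns (name of the store that authenticated the user or None, outcome).
    """
    for store in auth_list:
        outcome, _ = store.lookup(user)
        if outcome == "match":
            return store.name, "authenticated"
        if outcome == "multiple":
            return store.name, "failed: multiple matches"
        if outcome == "error":
            if on_error == "break":
                return store.name, "process error: break sequence"
            continue  # "Continue to next identity store in the sequence"
        # "not_found" (and, by assumption, "disabled"): try the next store
    return None, "user not found"


def retrieve_attributes(attr_list: List[Store], user: str, authenticated_in: Optional[str],
                        on_error: str = "break", internal_name: str = "Internal",
                        exit_if_internal_missing: bool = False) -> Tuple[str, Dict[str, str]]:
    """Additional Attribute Retrieval Search List phase. Returns (status, merged attributes)."""
    attrs: Dict[str, str] = {}
    for store in attr_list:
        if store.name == authenticated_in:
            continue  # already accessed during authentication; not accessed again
        outcome, found = store.lookup(user)
        if (store.name == internal_name and exit_if_internal_missing
                and outcome in ("not_found", "disabled")):
            return "user not found", {}   # "exit the sequence and treat as User Not Found"
        if outcome == "error" and on_error == "break":
            return "process error: break sequence", attrs
        if outcome in ("match", "disabled"):
            attrs.update(found)           # single match: attributes retrieved even if disabled
        # "multiple", "not_found", or "error" with continue: skip this store
    return "ok", attrs
```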