Cisco Acs 5x User Guide
10-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01, Chapter 10 Managing Access Policies, Configuring Access Services

Table 10-7 Access Service Properties—Allowed Protocols Page (continued)

Option: Allow EAP-FAST
Description: Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple inner protocols on the same server. The default inner method is MSCHAPv2. When you check Allow EAP-FAST, you can configure the EAP-FAST inner methods:

  Allow EAP-MSCHAPv2
    – Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
    – Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.

  Allow EAP-GTC
    – Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
    – Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.

  Allow TLS-Renegotiation—Check for ACS to support TLS renegotiation. This option allows an anonymous TLS handshake between the end-user client and ACS; EAP-MSCHAPv2 is then the only inner method used in phase zero.

  Use PACs—Choose to configure ACS to provision authorization PACs for EAP-FAST clients. Additional PAC Options appear (see below).

  Don’t use PACs—Choose to configure ACS to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and ACS responds with a Success-TLV without a PAC. When you choose this option, you can still configure ACS to perform machine authentication.
Allow EAP-FAST (continued): PAC Options

  Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the tunnel PAC. Specify the lifetime value and units. The default is one (1) day.

  Proactive PAC Update When N% of PAC TTL is Left—The Update value ensures that the client always holds a valid PAC. ACS initiates the update after the first successful authentication that occurs once the remaining lifetime has dropped to the configured percentage of the TTL, and before the PAC expires. (Default: 10%)

  Allow Anonymous In-band PAC Provisioning—Check for ACS to establish an anonymous TLS handshake with the client and provision it with a PAC in phase zero of EAP-FAST, using EAP-MSCHAPv2 inside the tunnel. An anonymous handshake does not authenticate ACS to the client, so a server that impersonates ACS can complete phase zero with the client and obtain its MSCHAPv2 response; use authenticated provisioning wherever the supplicants support it.
  Note: To enable Anonymous PAC Provisioning, you must choose both inner methods, EAP-MSCHAPv2 and EAP-GTC.

  Allow Authenticated In-band PAC Provisioning—ACS uses Secure Socket Layer (SSL) server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on ACS. When you check this option, you can configure ACS to return an Access-Accept message to the client after successful authenticated PAC provisioning.

  Allow Machine Authentication—Check for ACS to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients that do not have machine credentials). The machine PAC can be provisioned to the client on request (in-band) or by an administrator (out-of-band). When ACS receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the ACS external identity store. After these details are correctly verified, no further authentication is performed.
  Note: ACS 5.3 only supports Active Directory as an external identity store for machine authentication.
  When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When ACS receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).

  Enable Stateless Session Resume—Check for ACS to provision authorization PACs for EAP-FAST clients; a client that presents a valid authorization PAC is authorized without repeating phase two of EAP-FAST (default = enabled). Uncheck this option:
    – If you do not want ACS to provision authorization PACs for EAP-FAST clients.
    – To always perform phase two of EAP-FAST.
  When you check this option, you can enter the authorization period of the user authorization PAC. After this period the PAC expires. When ACS receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
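The following Python function is added here as an illustration; it is not part of the Cisco guide and not ACS code. It works through the PAC decisions the rows above describe: the tunnel PAC TTL and the proactive update threshold, automatic reprovisioning of an expired machine PAC, and whether an authorization PAC lets ACS skip phase two when Stateless Session Resume is enabled. The dataclasses, the Decision names, the treatment of an expired tunnel PAC (as requiring fresh provisioning, which the page does not state) and the sample timestamps are assumptions made for the example.

```python
"""EAP-FAST PAC lifecycle decisions (added example, not ACS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class PacType(Enum):
    TUNNEL = "tunnel"
    MACHINE = "machine"
    AUTHORIZATION = "authorization"


class Decision(Enum):
    NO_PACS = "Don't use PACs: ignore the PAC, respond with Success-TLV and no PAC"
    ACCEPT = "PAC valid: accept"
    ACCEPT_AND_UPDATE = "PAC valid but inside the update window: accept, send a new PAC after successful authentication"
    PROVISION = "tunnel PAC expired: fresh provisioning in phase zero (assumption, not stated by the guide)"
    REPROVISION_MACHINE = "machine PAC expired: reprovision without waiting for a request"
    SKIP_PHASE_TWO = "authorization PAC valid: skip phase two"
    RUN_PHASE_TWO = "run phase two inner authentication"


@dataclass(frozen=True)
class EapFastSettings:
    use_pacs: bool = True                   # Use PACs / Don't use PACs
    proactive_update_pct: int = 10          # "Proactive PAC Update When N% of PAC TTL is Left"
    stateless_session_resume: bool = True   # authorization PACs issued (default enabled)


@dataclass(frozen=True)
class Pac:
    kind: PacType
    issued: datetime
    ttl: timedelta   # tunnel PAC TTL (default one day), machine PAC period, or authorization period

    def remaining_fraction(self, now: datetime) -> float:
        """Fraction of the TTL still left; 0.0 once the PAC has expired."""
        left = (self.issued + self.ttl - now).total_seconds()
        return max(0.0, left) / self.ttl.total_seconds()


def evaluate_pac(pac: Pac, settings: EapFastSettings, now: datetime) -> Decision:
    """Decide how ACS treats a PAC the client presents at time `now`."""
    if not settings.use_pacs:
        return Decision.NO_PACS
    remaining = pac.remaining_fraction(now)
    expired = remaining == 0.0

    if pac.kind is PacType.AUTHORIZATION:
        # Phase two always runs when Stateless Session Resume is off or the PAC has expired.
        if not settings.stateless_session_resume or expired:
            return Decision.RUN_PHASE_TWO
        return Decision.SKIP_PHASE_TWO

    if pac.kind is PacType.MACHINE:
        # An expired machine PAC is replaced immediately; a valid one is verified
        # against the external store and no further authentication is performed.
        return Decision.REPROVISION_MACHINE if expired else Decision.ACCEPT

    # Tunnel PAC: the TTL bounds its life; once the remaining lifetime falls to the
    # configured percentage of the TTL, ACS sends a new PAC after the next success.
    if expired:
        return Decision.PROVISION
    if remaining * 100 <= settings.proactive_update_pct:
        return Decision.ACCEPT_AND_UPDATE
    return Decision.ACCEPT


# Constructed reference time and sample PACs for the example.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLES = {
    "tunnel, 12h of 24h left": Pac(PacType.TUNNEL, NOW - timedelta(hours=12), timedelta(days=1)),
    "tunnel, 2h of 24h left": Pac(PacType.TUNNEL, NOW - timedelta(hours=22), timedelta(days=1)),
    "tunnel, expired": Pac(PacType.TUNNEL, NOW - timedelta(days=2), timedelta(days=1)),
    "machine, valid": Pac(PacType.MACHINE, NOW - timedelta(days=1), timedelta(days=7)),
    "machine, expired": Pac(PacType.MACHINE, NOW - timedelta(days=8), timedelta(days=7)),
    "authorization, valid": Pac(PacType.AUTHORIZATION, NOW - timedelta(minutes=30), timedelta(hours=1)),
    "authorization, expired": Pac(PacType.AUTHORIZATION, NOW - timedelta(hours=2), timedelta(hours=1)),
}


def sample_decisions(settings: EapFastSettings = EapFastSettings()) -> dict:
    """Evaluate every sample PAC at NOW and return {label: Decision name}."""
    return {label: evaluate_pac(pac, settings, NOW).name for label, pac in SAMPLES.items()}


if __name__ == "__main__":
    for label, name in sample_decisions().items():
        print(f"{label}: {Decision[name].value}")
```

Running the block with the default settings shows the 2h-of-24h tunnel PAC landing inside the 10% update window while the 12h one is simply accepted; lowering the threshold to 5% or turning off Stateless Session Resume changes only the decisions the corresponding rows describe.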
  Preferred EAP protocol—Select the preferred EAP protocol from the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, EAP-MD5. This option lets ACS work with old supplicants (end devices) that cannot send a NAK (No-Acknowledgement) when a proposed protocol is not implemented. Use it to place a particular protocol first in the list of protocols negotiated with the device so that the negotiation succeeds.

Step 3: Click Finish to save your changes to the access service.

To enable an access service, you must add it to the service selection policy.

Configuring Access Services Templates

Use a service template to define an access service with policies that are customized to use specific condition types.

Step 1: In the General page (see Configuring General Access Service Properties, page 10-13), choose Based on service template and click Select.
Step 2: Complete the fields as described in Table 10-8.
Table 10-8 Access Services Templates

Device Admin - Simple
  Access Service Type: Device Administration
  Protocols: PAP/ASCII
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions Identity group, NDG:Location, NDG:Device Type, Time and Date; result Shell profile

Device Admin - Command Auth
  Access Service Type: Device Administration
  Protocols: PAP/ASCII
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions Identity group, NDG:Location, NDG: Time and Date; result Command sets

Network Access - Simple
  Access Service Type: Network Access
  Protocols: PEAP, EAP-FAST
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions NDG:Location, Time and Date; result Authorization profiles

Network Access - MAC Authentication Bypass
  Access Service Type: Network Access
  Protocols: Process Host Lookup; PAP/ASCII (detect PAP as host lookup); EAP-MD5 (detect EAP-MD5 as host lookup)
  Identity policy: conditions None (simple); result Internal users
  Authorization policy: conditions Use case; result Authorization profiles

Deleting an Access Service

To delete an access service:

Step 1: Select Access Policies > Access Services. The Access Services page appears with a list of configured services.
Step 2: Check one or more check boxes next to the access services that you want to delete.
Step 3: Click Delete; then click OK in the confirmation message. The Access Policies page appears without the deleted access service(s).

Related Topic
  Creating, Duplicating, and Editing Access Services, page 10-12
Configuring Access Service Policies

You configure access service policies after you create the access service:
  Viewing Identity Policies, page 10-21
  Configuring Identity Policy Rule Properties, page 10-24
  Configuring a Group Mapping Policy, page 10-26
  Configuring a Session Authorization Policy for Network Access, page 10-29
  Configuring Shell/Command Authorization Policies for Device Administration, page 10-34

You can configure simple policies, which apply the same result to all incoming requests, or you can create rule-based policies.

Note: If you create and save a simple policy and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you lose all your rules except the default rule; ACS uses the default rule as the simple policy.

Before you begin to configure policy rules, you must:
  Configure the policy conditions and results. See Managing Policy Conditions, page 9-1.
  Select the types of conditions and results that the policy rules apply. See Customizing a Policy, page 10-4.

For information about configuring policy rules, see:
  Creating Policy Rules, page 10-37
  Duplicating a Rule, page 10-38
  Editing Policy Rules, page 10-38
  Deleting Policy Rules, page 10-39

Viewing Identity Policies

The identity policy in an access service defines the identity source that ACS uses for authentication and attribute retrieval. ACS can use the retrieved attributes in subsequent policies. The identity source for:
  Password-based authentication can be a single identity store, or an identity store sequence.
  Certificate-based authentication can be a certificate authentication profile, or an identity store sequence.
An identity store sequence defines the sequence that is used for authentication and an optional additional sequence to retrieve attributes. See Configuring Identity Store Sequences, page 8-75. If you created an access service that includes an identity policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity source for authentication of all requests; or, you can configure a rule-based identity policy.
In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the identity policy, and you can enable and disable them.

Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple identity policy:

Step 1: Select Access Policies > Access Services > service > Identity, where service is the name of the access service. By default, the Simple Identity Policy page appears with the fields described in Table 10-9.
Step 2: Select an identity source for authentication, or choose Deny Access. You can configure additional advanced options. See Configuring Identity Policy Rule Properties, page 10-24.
Step 3: Click Save Changes to save the policy.

Table 10-9 Simple Identity Policy Page

Policy type—Defines the type of policy to configure:
  Simple—Specifies the result to apply to all requests.
  Rule-based—Configure rules to apply different results, depending on the request.
  If you switch between policy types, you will lose your previously saved policy configuration.

Identity Source—Identity source to apply to all requests. The default is Deny Access. For:
  Password-based authentication, choose a single identity store or an identity store sequence.
  Certificate-based authentication, choose a certificate authentication profile or an identity store sequence.
  The identity store sequence defines the sequence that is used for authentication and an optional additional sequence to retrieve attributes. See Configuring Identity Store Sequences, page 8-75.

Advanced options—Specifies whether to reject or drop the request, or continue with authentication, for each of these outcomes:
  If authentication failed—Default is reject.
  If user not found—Default is reject.
  If process failed—Default is drop.
  Owing to restrictions on the underlying protocol, ACS cannot always continue processing when the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS, or Host Lookup. For all other authentication protocols, the request is dropped even if you choose Continue.
Viewing Rule-Based Identity Policies

Select Access Policies > Access Services > service > Identity, where service is the name of the access service. By default, the Simple Identity Policy page appears with the fields described in Table 10-9. If a rule-based policy is configured, the Rule-Based Identity Policy page appears with the fields described in Table 10-10.

Table 10-10 Rule-based Identity Policy Page

Policy type—Defines the type of policy to configure:
  Simple—Specifies the results to apply to all requests.
  Rule-based—Configure rules to apply different results depending on the request.
  Caution: If you switch between policy types, you will lose your previously saved policy configuration.

Status—The current status of the rule. The rule statuses are:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Name—Rule name.

Conditions—Conditions that determine the scope of the policy. This column displays all current conditions in subcolumns.

Results—Identity source that is used for authentication as a result of the evaluation of the rule.

Hit Count—Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule—ACS applies the Default Rule when:
  Enabled rules are not matched.
  No other rules are defined.
  Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button—Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.
  Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button—Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.

To configure a rule-based policy, see these topics:
  Creating Policy Rules, page 10-37
  Duplicating a Rule, page 10-38
  Editing Policy Rules, page 10-38
  Deleting Policy Rules, page 10-39

For information about configuring an identity policy for Host Lookup requests, see Configuring an Authorization Policy for Host Lookup Requests, page 4-20.

Related Topics
  Configuring a Group Mapping Policy, page 10-26
  Configuring a Session Authorization Policy for Network Access, page 10-29
  Configuring Shell/Command Authorization Policies for Device Administration, page 10-34

Configuring Identity Policy Rule Properties

You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the client and retrieve attributes for the client.

To display this page:

Step 1: Choose Access Policies > Access Services > service > Identity, then do one of the following:
  Click Create.
  Check a rule check box, and click Duplicate.
  Click a rule name or check a rule check box, then click Edit.
Step 2: Complete the fields in the Identity Rule Properties page as described in Table 10-11.
Table 10-11 Identity Rule Properties Page

General

Rule Name—Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status—Rule statuses are:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

conditions—Conditions that you can configure for the rule. By default the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 10-40.

Results

Identity Source—Identity source to apply to requests. The default is Deny Access. For:
  Password-based authentication, choose a single identity store or an identity store sequence.
  Certificate-based authentication, choose a certificate authentication profile or an identity store sequence.
  The identity store sequence defines the sequence that is used for authentication and attribute retrieval and an optional sequence to retrieve additional attributes. See Configuring Identity Store Sequences, page 8-75.

Advanced options—Specifies whether to reject or drop the request, or continue with authentication, for each of these outcomes:
  If authentication failed—Default is reject.
  If user not found—Default is reject.
  If process failed—Default is drop.
  Owing to restrictions on the underlying protocol, ACS cannot always continue processing when the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS or Host Lookup. For all other authentication protocols, the request is dropped even if you choose Continue.
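The following Python model is added as an illustration and is not ACS code or part of the Cisco guide. It evaluates a rule-based identity policy the way Tables 10-10 and 10-11 describe: rules are tried top-down, the first matching Enabled rule supplies the identity source, a Monitor rule counts its hit and records its would-be result in the log but is not applied, Disabled rules are skipped, the Default Rule catches everything else, and the advanced options decide what happens when the chosen identity store reports a failure, with Continue downgraded to drop for any protocol other than PAP/ASCII, EAP-TLS and Host Lookup. The identity stores are simulated callables; the rule names, store names, request attributes and the single-attribute condition format are constructed for the example (real ACS conditions can be compound expressions).

```python
"""Rule-based identity policy evaluation (added example, not ACS code)."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    MONITOR = "Monitor"


# Values the advanced options can take, plus the success result.
REJECT, DROP, CONTINUE, ACCEPT = "reject", "drop", "continue", "accept"

# Protocols for which ACS can honour Continue; any other protocol is dropped
# even when Continue is configured.
CONTINUE_CAPABLE = {"PAP/ASCII", "EAP-TLS", "Host Lookup"}

DENY_ACCESS = "Deny Access"


@dataclass
class Rule:
    name: str
    conditions: dict        # attribute -> required value; an absent attribute means ANY
    identity_source: str    # store, sequence or certificate profile name, or DENY_ACCESS
    status: Status = Status.ENABLED
    hit_count: int = 0

    def matches(self, request: dict) -> bool:
        return all(request.get(k) == v for k, v in self.conditions.items())


@dataclass
class AdvancedOptions:
    # Defaults as listed in Table 10-11.
    if_authentication_failed: str = REJECT
    if_user_not_found: str = REJECT
    if_process_failed: str = DROP


@dataclass
class IdentityPolicy:
    rules: list
    default_source: str = DENY_ACCESS   # result of the Default Rule
    advanced: AdvancedOptions = field(default_factory=AdvancedOptions)
    log: list = field(default_factory=list)

    def select_source(self, request: dict) -> str:
        """First matching Enabled rule wins; Monitor rules only log; Default Rule otherwise."""
        for rule in self.rules:
            if rule.status is Status.DISABLED or not rule.matches(request):
                continue
            rule.hit_count += 1
            if rule.status is Status.MONITOR:
                self.log.append(f"{rule.name}: monitor only, would use {rule.identity_source}")
                continue
            self.log.append(f"{rule.name}: matched, using {rule.identity_source}")
            return rule.identity_source
        self.log.append(f"Default Rule: using {self.default_source}")
        return self.default_source

    def authenticate(self, request: dict, stores: dict) -> str:
        """Return the fate of the request: accept, reject, drop or continue."""
        source = self.select_source(request)
        if source == DENY_ACCESS:
            return REJECT
        outcome = stores[source](request)   # "ok", "auth_failed", "not_found" or "process_failed"
        if outcome == "ok":
            return ACCEPT
        option = {"auth_failed": self.advanced.if_authentication_failed,
                  "not_found": self.advanced.if_user_not_found,
                  "process_failed": self.advanced.if_process_failed}[outcome]
        if option == CONTINUE and request.get("protocol") not in CONTINUE_CAPABLE:
            self.log.append(f"Continue not possible for {request.get('protocol')}, dropping")
            return DROP
        return option


# Constructed identity stores and policy used by the example.
KNOWN_USERS = {"alice", "carol"}


def simulated_stores() -> dict:
    return {
        "CertProfile": lambda req: "ok",   # certificate authentication profile
        "AD1": lambda req: "ok" if req.get("user") in KNOWN_USERS else "not_found",
        "LabLDAP": lambda req: "process_failed",   # store that is unreachable
    }


def example_policy(advanced: AdvancedOptions = None) -> IdentityPolicy:
    return IdentityPolicy(rules=[
        Rule("lab-ldap-trial", {"ndg_location": "Lab"}, "LabLDAP", Status.MONITOR),
        Rule("legacy-store", {}, "LegacyStore", Status.DISABLED),
        Rule("cert-users", {"protocol": "EAP-TLS"}, "CertProfile"),
        Rule("domain-users", {"protocol": "PEAP"}, "AD1"),
        Rule("cli-users", {"protocol": "PAP/ASCII"}, "AD1"),
    ], advanced=advanced or AdvancedOptions())
```

With the constructed policy, an EAP-TLS request from the Lab location increments the Monitor rule's hit count and leaves a monitor-only log line, then falls through to the certificate rule; a PEAP request for an unknown user reaches AD1 and is rejected by the default "If user not found" option, and switching that option to Continue drops the PEAP request but lets an equivalent PAP/ASCII request continue. The same first-match evaluation order applies to the rule-based group mapping policy described next, with conditions limited to attributes retrieved from external stores and an identity group as the result.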
Configuring a Group Mapping Policy

Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a request for a user or host, this policy retrieves the relevant identity group, which can then be used in authorization policy rules.

If you created an access service that includes a group mapping policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity group to all requests, or you can configure a rule-based policy. In the rule-based policy, each rule contains one or more conditions and a result. The conditions can be based only on attributes or groups retrieved from external attribute stores, and the result is an identity group within the identity group hierarchy. You can create, duplicate, edit, and delete rules within the policy, and you can enable and disable them.

Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple group mapping policy:

Step 1: Select Access Policies > Access Services > service > Group Mapping, where service is the name of the access service. By default, the Simple Group Mapping Policy page appears. See Table 10-12 for field descriptions, and Table 10-13 for the Rule-Based Group Mapping Policy page field descriptions.

Table 10-12 Simple Group Mapping Policy Page

Policy type—Defines the type of policy to configure:
  Simple—Specifies the results to apply to all requests.
  Rule-based—Configure rules to apply different results depending on the request.
  Caution: If you switch between policy types, you will lose your previously saved policy configuration.

Identity Group—Identity group to which attributes and groups from all requests are mapped.