Cisco Acs 5x User Guide
User Guide for Cisco Secure Access Control System 5.3 OL-24201-01, Chapter 17 Configuring System Operations
Replicating a Secondary Instance from a Primary Instance

Failover

ACS 5.3 allows you to configure multiple ACS instances for a deployment scenario. Each deployment can have one primary and multiple secondary ACS servers.

Scenario 1: Primary ACS goes down in a distributed deployment

Consider three ACS instances: ACS1, ACS2, and ACS3. ACS1 is the primary, and ACS2 and ACS3 are secondaries. You cannot make any configuration changes on the secondary servers while the primary server ACS1 is down. If all other secondary ACS servers are active, you can make any secondary server the primary server.

Step 1 Promote ACS2 to primary for the time being and use it to make configuration changes. See Promoting a Secondary Instance from the Distributed System Management Page, page 17-17, and Promoting a Secondary Instance from the Deployment Operations Page, page 17-18, to promote a secondary ACS server to primary. ACS2 is now the primary instance, so configuration changes made on ACS2 are replicated instantly to ACS3 and to all other secondary servers.

Now consider that ACS1 is back online. If you need to retain the changes made on ACS2 and the rest of the deployment, so that ACS1 is left standalone, do not replicate the changes any more.

Step 2 Delete ACS2 and ACS3 from the secondary server list of ACS1.

Step 3 Delete ACS1 from ACS2, the current primary server, to register ACS1 as a secondary. ACS2 is now the primary server. The deployment is now fully back online, operational, and has the original structure.

Scenario 2: Restoring a database backup on the primary server

In this scenario, you restore a database backup on the primary server and then make all secondary servers also have the restored database.
To restore a database backup on the primary server:

Step 1 Use the acs backup command to take a database backup while the deployment is working fine.

Step 2 Restore, on the primary, the older database backup file taken when the deployment was working fine. The following warning message is displayed:

    restore AAA-110907-2140.tar.gpg rep chftp
    Restore requires restart of ACS services. Continue? (yes/no) yes
    Restoring the database affects the distributed setup.
    Restoring the data base will affect the distributed setup. For example, replication between primary and secondary will be broken.
    It is recommended to schedule a downtime to carry out the restore operation.
    After restore, you will have to configure each secondary to local mode and then re-connect with primary.
    Do you want to continue with restore operation?. :yes
    Continuing restore…..
    Stopping ACS.
    Stopping Management and View...............
    Stopping Runtime.......
    Stopping Database........
    Cleanup.......
    Starting ACS....

The database on the primary server is restored successfully. You can now observe that all secondary servers in the distributed deployment are disconnected.

Step 3 Log in to the secondary web interface, choose System Administration > Operations > Local Operations > Deployment Operations, and click Request Local Mode. You can observe the changes in the menu after local mode is activated.

Step 4 Enter the Admin Username and Admin Password and click Reconnect. The secondary ACS server restarts. From the primary server, you can observe that the secondary server is up. You can also observe that the database contains only the backed-up data taken when the deployment was working well, so the replication of the restored database is successful.

Step 5 Follow the same procedure for the other secondary servers to reconnect them.

Using the Deployment Operations Page to Create a Local Mode Instance

When a secondary instance is in local mode, it does not receive any configuration changes from the primary instance. The configuration changes you make to the secondary instance are local and do not propagate to the primary instance.

To use the Deployment Operations page to create a local mode instance:

Step 1 Choose System Operations > Operations > Local Operations > Deployment Operations. The Deployment Operations page appears. See Table 17-4 for valid field options.

Step 2 Specify the appropriate values in the Registration section for the secondary instance you want to register.

Step 3 Click Register to Primary. The system displays the following warning message:

    This operation will register this ACS Instance as a secondary to the specified Primary Instance. ACS will be restarted. You will be required to login again. Do you wish to continue?

Step 4 Click OK.

Step 5 Log in to the ACS local machine.

Step 6 Choose System Administration > Operations > Local Operations > Deployment Operations. The Deployment Operations page appears.

Step 7 Click Request Local Mode. The secondary instance is now in local mode.

After you reconnect the secondary instance to a primary instance, you will lose the configuration changes you made to the local secondary instance. You must manually restore the configuration information for the primary instance.
You can use the configuration information on the ACS Configuration Audit report to manually restore the configuration information for this instance.

Creating, Duplicating, Editing, and Deleting Software Repositories

To create, duplicate, edit, or delete a software repository:

Step 1 Choose System Administration > Operations > Software Repositories. The Software Repositories page appears with the information described in Table 17-7.

Step 2 Perform one of these actions:
- Click Create.
- Check the check box next to the software repository that you want to duplicate and click Duplicate.
- Click the software repository that you want to modify; or, check the check box for the name and click Edit.
- Check one or more check boxes next to the software repositories that you want to delete and click Delete.
The Software Update Repositories Properties Page appears.

Step 3 Complete the fields in the Software Update Repositories Properties Page as described in Table 17-8.

Step 4 Click Submit. The new software repository is saved. The Software Repositories page appears, with the new software repository that you created, duplicated, or edited.

Related Topics
Managing Software Repositories from the Web Interface and CLI, page 17-24

Table 17-7 Software Repositories Page
Name: Name of the software repository. Note: In the ACS web interface, you cannot configure UTF-8 characters for a backup filename or a repository name.
Protocol: Name of the protocol (DISK, FTP, SFTP, TFTP, NFS) that you want to use to transfer the upgrade file.
Server Name: Name of the server.
Path: Name of the path for the directory containing the upgrade file. You must specify the protocol and the location of the upgrade file; for example, ftp://acs-home/updates.
Description: Description of the software repository.

Table 17-8 Software Update Repositories Properties Page
General
Name: Name of the software repository. Note: In the ACS web interface, you cannot configure UTF-8 characters for a backup filename or a repository name.
Description: Description of the software repository.
Repository Information
Protocol: The name of the protocol that you want to use to transfer the upgrade file. Valid options are:
- DISK: If you choose this protocol, you must provide the path.
- FTP: If you choose this protocol, you must provide the server name, path, and credentials.
- SFTP: If you choose this protocol, you must provide the server name, path, and credentials.
- TFTP: If you choose this protocol, you must enter the name of the TFTP server. You can optionally provide the path.
- NFS: If you choose this protocol, you must provide the server name and path. You can optionally provide the credentials. If you choose this protocol, make sure that ACS has full access to the NFS file system. You must have read-write and allow-root-access permission on the NFS file system.
Server Name: Name of the FTP, SFTP, TFTP, or NFS server. Note: The actual location that the repository points to is /localdisk/pathname.
Path: Name of the path for the upgrade file. You must specify the protocol and the location of the upgrade file; for example, ftp://acs-home/updates.
User Credentials
Username: Administrator name.
Password: Administrator password.

Managing Software Repositories from the Web Interface and CLI

You can manage repositories from the web interface or the CLI. Keep in mind these rules for creating or deleting repositories from the web interface or the CLI:
- If you create a repository from the CLI, that repository is not visible from the web interface, and it can only be deleted from the CLI.
- If you create a repository from the web interface, it can be deleted from the CLI; however, that repository still exists in the web interface.
- If you use the web interface to create a repository for a software update, the repository is automatically created again in the CLI.
- If you delete a repository using the web interface, it is also deleted in the CLI.

Related Topics
Creating, Duplicating, Editing, and Deleting Software Repositories, page 17-23
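As an added example (not part of the Cisco guide and not ACS code), the following Python pre-check applies the per-protocol field rules of Table 17-8 to a repository definition before it is entered in the web interface, so that a missing server name or stray credential is caught before the upgrade fails. The Repository class, the rule that the path's URL scheme must match the chosen protocol, and the disk_location helper are assumptions made for this example; the note that a repository resolves to /localdisk/pathname comes from the table itself.

```python
"""Pre-check an ACS software repository definition against the Table 17-8 rules.

Added example, not Cisco code. The Repository shape and the scheme-matches-protocol
rule are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Fields each protocol requires / optionally accepts, per Table 17-8.
REQUIRED = {
    "DISK": {"path"},
    "FTP": {"server", "path", "username", "password"},
    "SFTP": {"server", "path", "username", "password"},
    "TFTP": {"server"},
    "NFS": {"server", "path"},
}
OPTIONAL = {
    "DISK": set(),
    "FTP": set(),
    "SFTP": set(),
    "TFTP": {"path"},
    "NFS": {"username", "password"},
}
FIELDS = ("server", "path", "username", "password")


@dataclass
class Repository:
    """One row of the Software Update Repositories Properties page (assumed shape)."""
    name: str
    protocol: str
    server: Optional[str] = None
    path: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None
    description: str = ""


def validate_repository(repo: Repository) -> List[str]:
    """Return a list of problems; an empty list means the definition is consistent."""
    problems: List[str] = []
    proto = repo.protocol.upper()
    if proto not in REQUIRED:
        return [f"unknown protocol {repo.protocol!r}; valid options are {', '.join(REQUIRED)}"]
    # Table 17-7 / 17-8 note: UTF-8 (non-ASCII) characters are not accepted in a repository name.
    if not repo.name or not repo.name.isascii():
        problems.append("repository name must be non-empty and ASCII-only")
    present = {f for f in FIELDS if getattr(repo, f)}
    for missing in sorted(REQUIRED[proto] - present):
        problems.append(f"{proto} requires {missing}")
    for extra in sorted(present - REQUIRED[proto] - OPTIONAL[proto]):
        problems.append(f"{proto} does not use {extra}")
    # Table 17-8: the path must carry the protocol, e.g. ftp://acs-home/updates.
    # Assumption of this example: the scheme has to agree with the Protocol field.
    if repo.path and urlparse(repo.path).scheme.upper() != proto:
        problems.append(f"path {repo.path!r} does not start with {proto.lower()}://")
    return problems


def disk_location(path: str) -> str:
    """For DISK repositories the table notes the repository points to /localdisk/pathname."""
    rel = urlparse(path).path.lstrip("/")
    return "/localdisk/" + rel


if __name__ == "__main__":
    # Constructed sample definitions.
    good = Repository("updates", "FTP", server="acs-home", path="ftp://acs-home/updates",
                      username="admin", password="placeholder")
    bad = Repository("tftp-updates", "TFTP", path="tftp://acs-home/updates")
    print("good:", validate_repository(good))
    print("bad:", validate_repository(bad))
    print("disk:", disk_location("disk:/updates"))
```

The check is purely local: it never contacts the server, so it complements rather than replaces the connectivity test ACS performs when the repository is used.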
User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
Chapter 18 Managing System Administration Configurations

After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS web interface allows you to easily configure ACS to perform various operations. For a list of post-installation configuration tasks to get started with ACS, see Chapter 6, “Post-Installation Configuration Tasks”.

When you select System Administration > Configuration, you can access pages that allow you to do the following:
- Configure global system options, including settings for TACACS+, EAP-TTLS, PEAP, and EAP-FAST. See Configuring Global System Options, page 18-1.
- Configure protocol dictionaries. See Managing Dictionaries, page 18-5.
- Manage local server certificates. See Configuring Local Server Certificates, page 18-14.
- Manage log configurations. See Configuring Logs, page 18-21.
- Manage licensing. See Licensing Overview, page 18-34.

Configuring Global System Options

From the System Administration > Configuration > Global System Options pages, you can view these options:
- Configuring TACACS+ Settings, page 18-1
- Configuring EAP-TLS Settings, page 18-2
- Configuring PEAP Settings, page 18-3
- Configuring EAP-FAST Settings
- Generating EAP-FAST PAC

Configuring TACACS+ Settings

Use the TACACS+ Settings page to configure TACACS+ runtime characteristics. Select System Administration > Configuration > Global System Options > TACACS+ Settings. The TACACS+ Settings page appears as described in Table 18-1:
Table 18-1 TACACS+ Settings
Port to Listen: Port number on which to listen. By default, the port number is displayed as 49 and you cannot edit this field.
Connection Timeout: Number of minutes before the connection times out.
Session Timeout: Number of minutes before the session times out.
Maximum Packet Size: Maximum packet size (in bytes).
Single Connect Support: Check to enable single connect support.
Login Prompts
Username Prompt: Text string to use as the username prompt.
Password Prompt: Text string to use as the password prompt.
Password Change Control
Enable TELNET Change Password: Choose this option if you want to provide an option to change the password during a TELNET session.
- Prompt for Old Password: Text string to use as the old password prompt.
- Prompt for New Password: Text string to use as the new password prompt.
- Prompt for Confirm Password: Text string to use as the confirm password prompt.
Disable TELNET Change Password: Choose this option if you do not want to allow password changes during a TELNET session.
- Message when Disabled: Message that is displayed when you choose the Disable TELNET Change Password option.

Configuring EAP-TLS Settings

Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics. Select System Administration > Configuration > Global System Options > EAP-TLS Settings. The EAP-TLS Settings page appears as described in Table 18-2:

Table 18-2 EAP-TLS Settings
Enable EAP-TLS Session Resume: Check this box to support abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature provides reauthentication of the user with only an SSL handshake and without the application of certificates. EAP-TLS session resume works only within the EAP-TLS session timeout value.
EAP-TLS Session Timeout: Enter the number of seconds before the EAP-TLS session times out.
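Added example, not from the Cisco guide: a Python decoder for the fixed 12-byte TACACS+ packet header (RFC 8907), used to show what two of the Table 18-1 settings act on. Maximum Packet Size bounds the header plus the body length carried in the header, and Single Connect Support governs whether a client's request to multiplex sessions over one TCP connection (the TAC_PLUS_SINGLE_CONNECT_FLAG bit, 0x04, in the flags byte) is honoured. The check_against_settings function and the sample header bytes are constructed for this example; ACS exposes no such interface, and the unobfuscated-body finding is simply the TAC_PLUS_UNENCRYPTED_FLAG bit (0x01) from the RFC.

```python
"""Decode a TACACS+ header (RFC 8907) and compare it with Table 18-1 style settings.

Added example, not Cisco code. Sample bytes below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List

TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body is sent without the MD5 pad obfuscation
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # client asks to reuse one TCP connection
HEADER_LEN = 12
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}


@dataclass
class TacacsHeader:
    major_version: int
    minor_version: int
    packet_type: str
    seq_no: int
    flags: int
    session_id: int
    body_length: int

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)

    @property
    def unencrypted(self) -> bool:
        return bool(self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def parse_header(data: bytes) -> TacacsHeader:
    """Unpack version, type, seq_no, flags, session_id and body length (all big-endian)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:HEADER_LEN])
    return TacacsHeader(version >> 4, version & 0x0F,
                        PACKET_TYPES.get(ptype, f"unknown({ptype})"),
                        seq_no, flags, session_id, length)


def check_against_settings(data: bytes, max_packet_size: int, single_connect_enabled: bool) -> List[str]:
    """Report mismatches between a header and the Maximum Packet Size / Single Connect settings."""
    hdr = parse_header(data)
    findings: List[str] = []
    if hdr.major_version != 0xC:
        findings.append(f"unexpected major version {hdr.major_version}")
    total = HEADER_LEN + hdr.body_length
    if total > max_packet_size:
        findings.append(f"packet length {total} exceeds maximum packet size {max_packet_size}")
    if hdr.single_connect and not single_connect_enabled:
        findings.append("client requested single-connect but the server setting is disabled")
    if hdr.unencrypted:
        findings.append("body is sent unobfuscated (TAC_PLUS_UNENCRYPTED_FLAG set)")
    return findings


# Constructed sample: authentication packet, seq 1, single-connect flag, 40-byte body.
SAMPLE_HEADER = struct.pack("!BBBBII", 0xC0, 1, 1, TAC_PLUS_SINGLE_CONNECT_FLAG, 0x1234ABCD, 40)

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))
    print("1024 bytes, single-connect on :", check_against_settings(SAMPLE_HEADER, 1024, True))
    print("32 bytes, single-connect off  :", check_against_settings(SAMPLE_HEADER, 32, False))
```

A header whose length field exceeds the configured maximum is worth logging rather than silently dropping, since the body is obfuscated with the shared secret and a bad length is usually the first visible sign of a mis-keyed device.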
Configuring PEAP Settings

Use the PEAP Settings page to configure PEAP runtime characteristics. Select System Administration > Configuration > Global System Options > PEAP Settings. The PEAP Settings page appears as described in Table 18-3:

Table 18-3 PEAP Settings
Enable PEAP Session Resume: When checked, ACS caches the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, ACS uses the cached TLS session, resulting in faster PEAP performance and a lessened AAA server load. You must specify a PEAP session timeout value for the PEAP session resume feature to work.
PEAP Session Timeout: Enter the number of seconds before the PEAP session times out. The default value is 7200 seconds.
Enable Fast Reconnect: Check to allow a PEAP session to resume in ACS without checking user credentials when the session resume feature is enabled.

Related Topic
Generating EAP-FAST PAC, page 18-4

Configuring EAP-FAST Settings

Use the EAP-FAST Settings page to configure EAP-FAST runtime characteristics. Select System Administration > Configuration > Global System Options > EAP-FAST > Settings. The EAP-FAST Settings page appears as described in Table 18-4:

Table 18-4 EAP-FAST Settings
General
Authority Identity Info Description: User-friendly string that describes the ACS server that sends credentials to a client. The client can discover this string in the Protected Access Credentials Information (PAC-Info) Type-Length-Value (TLV). The default value is Cisco Secure ACS.
Master Key Generation Period: The value is used to encrypt or decrypt and sign or authenticate PACs. The default is one week.
Revoke
Revoke: Click Revoke to revoke all previous master keys and PACs. This operation should be used with caution. If the ACS node is a secondary node, the Revoke option is disabled.
Generating EAP-FAST PAC

Use the EAP-FAST Generate PAC page to generate a user or machine PAC.

Step 1 Select System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC. The Generate PAC page appears as described in Table 18-5:

Step 2 Click Generate PAC.

Table 18-5 Generate PAC
Tunnel PAC: Select to generate a tunnel PAC.
Machine PAC: Select to generate a machine PAC.
Identity: Specifies the username or machine name presented as the “inner username” by the EAP-FAST protocol. If the Identity string does not match that username, authentication will fail.
PAC Time To Live: Enter a positive integer for the maximum PAC lifetime, in days, weeks, months, or years.
Password: Enter the password.

Configuring RSA SecurID Prompts

You can configure RSA prompts for an ACS deployment. The set of RSA prompts that you configure is used for all RSA realms and ACS instances in a deployment.

To configure RSA SecurID Prompts:

Step 1 Choose System Administration > Configuration > Global System Options > RSA SecurID Prompts. The RSA SecurID Prompts page appears.

Step 2 Modify the fields described in Table 18-6.

Step 3 Click Submit to configure the RSA SecurID Prompts.

Table 18-6 RSA SecurID Prompts Page
Next Token Prompt: Text string to request the next token. The default value is “Enter Next TOKENCODE:”.
Choose PIN Type Prompt: Text string to request the PIN type. The default value is “Do you want to enter your own pin?”.
Accept System PIN Prompt: Text string to accept the system-generated PIN. The default value is “ARE YOU PREPARED TO ACCEPT A SYSTEM-GENERATED PIN?”.
For the two PIN entry prompts below, if the prompt contains the following strings, they are substituted as follows:
- {MIN_LENGTH} is replaced by the minimum PIN length configured for the RSA Realm.
- {MAX_LENGTH} is replaced by the maximum PIN length configured for the RSA Realm.
Alphanumeric PIN Prompt: Text string for requesting an alphanumeric PIN.
Numeric PIN Prompt: Text string for requesting a numeric PIN.
Re-Enter PIN Prompt: Text string to request the user to re-enter the PIN. The default value is “Reenter PIN:”.

Managing Dictionaries

The following tasks are available when you select System Administration > Configuration > Dictionaries:
- Viewing RADIUS and TACACS+ Attributes, page 18-5
- Configuring Identity Dictionaries, page 18-10

Viewing RADIUS and TACACS+ Attributes

The RADIUS and TACACS+ Dictionary pages display the available protocol attributes in these dictionaries:
- RADIUS (IETF)
- RADIUS (Cisco)
- RADIUS (Microsoft)
- RADIUS (Ascend)
- RADIUS (Cisco Airespace)
- RADIUS (Cisco Aironet)
- RADIUS (Cisco BBSM)
- RADIUS (Cisco VPN 3000)
- RADIUS (Cisco VPN 5000)
- RADIUS (Juniper)
- RADIUS (Nortel [Bay Networks])
- RADIUS (RedCreek)
- RADIUS (US Robotics)
- TACACS+

To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries > Protocols; then choose a dictionary. The Dictionary page appears with a list of available attributes as shown in Table 18-7. Use the arrows to scroll through the attribute list.

Table 18-7 Protocols Dictionary Page
Attribute: Name of the attribute.
ID (RADIUS only): The VSA ID.
Type: Data type of the attribute.
Direction (RADIUS only): Specifies where the attribute is in use: in the request, in the response, or both. Single or bidirectional authentication.
Multiple Allowed (RADIUS only): Multiple attributes are allowed. Attributes that specify multiple allowed can be used more than once in one request or response.

ACS 5.3 also supports RADIUS vendor-specific attributes (VSAs). A set of predefined RADIUS VSAs is available. You can define additional vendors and attributes from the ACS web interface. You can create, edit, or delete RADIUS VSAs. After you have defined new VSAs, you can use them in policies, authorization profiles, and RADIUS token servers in the same way as predefined VSAs. For more information, see:
- RADIUS VSAs, page A-6
- Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6

Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes

Vendor-Specific Attributes (VSAs) allow vendors to create extensions to the RADIUS attributes. Each vendor has a specific vendor number assigned to it. VSAs are attributes that contain subattributes. ACS 5.3 allows you to create, duplicate, or edit RADIUS VSAs.

Some of the internally used attributes cannot be modified. You cannot modify an attribute’s type if the attribute is used by any policy or policy element.

To create, duplicate, or edit a RADIUS VSA:

Step 1 Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS VSA.

Step 2 Do one of the following:
- Click Create.
- Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate.
- Check the check box next to the RADIUS VSA that you want to edit, then click Edit.
The Create RADIUS VSA page appears. Modify the fields as described in Table 18-8.
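Added example (not ACS code and not from the Cisco guide): a Python decoder for RADIUS Vendor-Specific Attributes (attribute type 26, RFC 2865) that splits each one into its Vendor-Id and vendor sub-attributes, which is the vendor number / subattribute structure described above, and then applies the Direction and Multiple Allowed columns of Table 18-7 from a small dictionary. Cisco's vendor ID 9 and its sub-type 1 (cisco-avpair) are the real registered values; the example-session-tag entry, the dictionary shape and the packet bytes are constructed for illustration. It goes slightly beyond the page by enforcing the dictionary columns on a decoded attribute list, which is the kind of check a RADIUS server performs when it validates a request against its dictionary.

```python
"""Decode RADIUS VSAs (type 26) and check them against a Table 18-7 style dictionary.

Added example, not Cisco code. Dictionary entries other than cisco-avpair and the
sample packet are constructed.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type


@dataclass(frozen=True)
class DictEntry:
    name: str
    vsa_type: str          # Type column: "string", "integer", ...
    direction: str         # Direction column: "request", "response" or "both"
    multiple_allowed: bool  # Multiple Allowed column


# Constructed dictionary keyed by (vendor_id, vendor_type). Cisco = 9, cisco-avpair = 1 (real);
# example-session-tag is hypothetical.
DICTIONARY: Dict[Tuple[int, int], DictEntry] = {
    (9, 1): DictEntry("cisco-avpair", "string", "both", True),
    (9, 250): DictEntry("example-session-tag", "string", "response", False),
}


def iter_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list: Type(1) Length(1) Value(Length-2)."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split a type-26 Value into Vendor-Id(4) and (vendor-type, vendor-data) pairs."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs: List[Tuple[int, bytes]] = []
    pos = 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def decode_and_check(attrs: bytes, direction: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(name, value)], [findings]) after applying Direction and Multiple Allowed."""
    decoded: List[Tuple[str, str]] = []
    findings: List[str] = []
    seen: Counter = Counter()
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        for vtype, data in subs:
            entry = DICTIONARY.get((vendor_id, vtype))
            if entry is None:
                findings.append(f"unknown VSA vendor {vendor_id} type {vtype}")
                continue
            seen[entry.name] += 1
            if entry.direction not in ("both", direction):
                findings.append(f"{entry.name} is not valid in the {direction} direction")
            if not entry.multiple_allowed and seen[entry.name] > 1:
                findings.append(f"{entry.name} appears more than once but is not Multiple Allowed")
            decoded.append((entry.name, data.decode("utf-8", "replace")))
    return decoded, findings


def build_vsa(vendor_id: int, subs: List[Tuple[int, bytes]]) -> bytes:
    """Encode one type-26 attribute; used here only to construct sample input."""
    body = b"".join(bytes([t, len(d) + 2]) + d for t, d in subs)
    value = struct.pack("!I", vendor_id) + body
    return bytes([VENDOR_SPECIFIC, len(value) + 2]) + value


# Constructed sample: two cisco-avpairs plus a single-use sub-attribute sent twice.
SAMPLE = (build_vsa(9, [(1, b"shell:priv-lvl=15")])
          + build_vsa(9, [(1, b"ip:addr-pool=vpn-pool"), (250, b"tagA"), (250, b"tagB")]))

if __name__ == "__main__":
    for direction in ("response", "request"):
        values, problems = decode_and_check(SAMPLE, direction)
        print(direction, values, problems)
```

Rejecting, or at least logging, a sub-attribute that violates its Direction or Multiple Allowed flag matters because authorization profiles built on VSAs assume one value per attribute; a duplicated single-use attribute is ambiguous and should not silently take the last value.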