Cisco ACS 5.x User Guide
18-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
Chapter 18 Managing System Administration Configurations
Managing Dictionaries

Step 3 Click Submit to save the changes.

Table 18-8 RADIUS VSA - Create, Duplicate, Edit Page

  Attribute: Name of the RADIUS VSA.
  Description: (Optional) A brief description of the RADIUS VSA.
  Vendor ID: ID of the RADIUS vendor (the IANA enterprise number carried in the Vendor-Id field of every VSA from that vendor).
  Attribute Prefix: (Optional) Prefix prepended to every attribute of this vendor so that all of the vendor's attributes start with the same prefix.
  Use Advanced Vendor Options:
    Vendor Length Field Size: Size, in bytes, of the vendor-length field inside the VSA. Valid options are 0 (the vendor sends no length field) and 1 (an 8-bit length field). The default value is 1.
    Vendor Type Field Size: Size, in bytes, of the vendor-type field inside the VSA. Valid options are 1 (an 8-bit type field), 2, and 4. The default value is 1.
  Leave both sizes at their defaults (the RFC 2865 layout) unless the vendor's own dictionary documents a different layout; if the sizes do not match what the device actually sends, ACS mis-parses every subattribute from that vendor.

Related Topics
  Viewing RADIUS and TACACS+ Attributes, page 18-5

Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes

To create, duplicate, and edit RADIUS vendor-specific subattributes:

Step 1 Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA. You can alternatively choose the RADIUS VSA from the navigation pane.
Step 2 Do one of the following:
  Click Create to create a subattribute for this RADIUS VSA.
  Check the check box next to the RADIUS VSA that you want to duplicate, then click Duplicate.
  Check the check box next to the RADIUS VSA that you want to edit, then click Edit.
  The RADIUS VSA subattribute create page appears.
Step 3 Complete the fields described in Table 18-9.

Table 18-9 Creating, Duplicating, and Editing RADIUS Subattributes

  General
    Attribute: Name of the subattribute. The name must be unique.
    Description: (Optional) A brief description of the subattribute.
  RADIUS Configuration
    Vendor Attribute ID: Enter the vendor attribute ID (the value of the vendor-type field) for the subattribute. This value must be unique for this vendor.
    Direction: Specifies where the attribute is used: in the request, in the response, or in both directions.
    Multiple Allowed: Check to allow the subattribute to appear more than once in one request or response.
    Include attribute in the log: Check this check box to include the subattribute in the log. For sensitive attributes (for example, passwords or session tokens carried in a VSA), uncheck it so that the values are not written to the logs.
  Attribute Type
    Attribute Type: Type of the attribute. Valid options are String, Unsigned Integer 32, IPv4 Address, HEX String, and Enumeration. If you choose Enumeration, you must enter the ID-Value pairs. You cannot use attributes of type HEX String in policy conditions.
    ID-Value: (Optional) For the Enumeration attribute type only. ID: enter a number from 0 to 999. Value: enter a value for the ID. Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, or delete ID-Value pairs, select the pair in the ID-Value table; click Edit to load the ID and Value fields and edit them as required, then click Add to add a new entry with the modified values or Replace to overwrite the selected entry; click Delete to delete the entry from the ID-Value table.
  Attribute Configuration
    Add Policy Condition: Check this check box to create a policy condition in which this subattribute will be used.
    Policy Condition Display Name: Enter the name of the policy condition that will use this subattribute.

Step 4 Click Submit to save the subattribute.

Viewing RADIUS Vendor-Specific Subattributes

To view the attributes that are supported by a particular RADIUS vendor:

Step 1 Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA. The RADIUS VSA page appears.
Step 2 Check the check box next to the vendor whose attributes you want to view, then click Show Vendor Attributes. The vendor-specific attributes and the fields listed in Table 18-7 are displayed. You can create additional VSAs, and duplicate or edit these attributes. For more information, see Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes, page 18-7.
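The following Python encoder/decoder is an added example and is not part of this guide or of ACS. It shows what the dictionary fields above mean on the wire: the Vendor ID lands in the four-octet Vendor-Id field of RADIUS attribute 26, the Vendor Type Field Size and Vendor Length Field Size decide how each subattribute header is laid out, the Attribute Type decides how the value bytes are interpreted, and Multiple Allowed is enforced when a VSA is parsed. The Cisco vendor ID (9) and its cisco-avpair (ID 1) and Cisco-NAS-Port (ID 2) subattributes are real; the second vendor, its ID 65000 and its subattribute are constructed for the example, as are the sample values.

```python
"""RADIUS Vendor-Specific Attribute (type 26) encoder/decoder driven by a dictionary
shaped like the ACS RADIUS VSA and subattribute pages. Added example, not ACS code."""
import ipaddress
import struct
from dataclasses import dataclass, field

RADIUS_VSA = 26  # "Vendor-Specific" attribute type, RFC 2865 section 5.26


@dataclass(frozen=True)
class SubAttr:
    """One row of the subattribute page (Table 18-9), reduced to what the wire needs."""
    name: str
    attr_type: str              # "String", "Unsigned Integer 32", "IPv4 Address" or "HEX String"
    multiple_allowed: bool = False


@dataclass
class Vendor:
    """One row of the RADIUS VSA page (Table 18-8)."""
    name: str
    vendor_id: int
    type_size: int = 1          # Vendor Type Field Size: 1, 2 or 4 bytes
    length_size: int = 1        # Vendor Length Field Size: 0 (absent) or 1 byte
    subattrs: dict = field(default_factory=dict)  # Vendor Attribute ID -> SubAttr

    def __post_init__(self):
        if self.type_size not in (1, 2, 4) or self.length_size not in (0, 1):
            raise ValueError("vendor field sizes must be type 1/2/4 and length 0/1")
        if not 0 < self.vendor_id < 1 << 24:
            raise ValueError("Vendor-Id must fit in 3 octets; the high octet is always 0")


def encode_value(attr_type, value):
    if attr_type == "String":
        return value.encode("utf-8")
    if attr_type == "Unsigned Integer 32":
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("integer out of 32-bit range")
        return struct.pack("!I", value)
    if attr_type == "IPv4 Address":
        return ipaddress.IPv4Address(value).packed
    if attr_type == "HEX String":
        return bytes.fromhex(value)
    raise ValueError(f"unknown attribute type {attr_type!r}")


def decode_value(attr_type, data):
    if attr_type == "String":
        return data.decode("utf-8")
    if attr_type in ("Unsigned Integer 32", "IPv4 Address"):
        if len(data) != 4:
            raise ValueError(f"{attr_type} subattribute must be exactly 4 bytes")
        return str(ipaddress.IPv4Address(data)) if attr_type == "IPv4 Address" else struct.unpack("!I", data)[0]
    if attr_type == "HEX String":
        return data.hex()
    raise ValueError(f"unknown attribute type {attr_type!r}")


def encode_vsa(vendor, values):
    """values: list of (vendor attribute ID, value). Returns one complete attribute 26."""
    body = b""
    for vid, value in values:
        data = encode_value(vendor.subattrs[vid].attr_type, value)
        hdr = vid.to_bytes(vendor.type_size, "big")          # vendor-type field
        if vendor.length_size:                               # vendor-length field covers type+len+data
            sub_len = vendor.type_size + 1 + len(data)
            if sub_len > 255:
                raise ValueError("subattribute too long for a 1-byte vendor length")
            hdr += bytes([sub_len])
        elif len(values) > 1:
            raise ValueError("without a vendor length field only one subattribute fits per VSA")
        body += hdr + data
    payload = struct.pack("!I", vendor.vendor_id) + body     # 4-octet Vendor-Id, then subattributes
    if 2 + len(payload) > 255:
        raise ValueError("attribute exceeds 255 bytes; split the values across several VSAs")
    return bytes([RADIUS_VSA, 2 + len(payload)]) + payload


def decode_vsa(attr, vendors):
    """Parse one attribute 26 using the vendor's field sizes. Returns (vendor, [(name, value), ...])
    and rejects bad lengths, unknown vendors/IDs, and repeats of a subattribute not Multiple Allowed."""
    if len(attr) < 7 or attr[0] != RADIUS_VSA or attr[1] != len(attr):
        raise ValueError("malformed VSA header")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id not in vendors:
        raise ValueError(f"unknown vendor id {vendor_id}")
    vendor, body, pos, out, seen = vendors[vendor_id], attr[6:], 0, [], set()
    while pos < len(body):
        if pos + vendor.type_size > len(body):
            raise ValueError("truncated vendor type field")
        vid = int.from_bytes(body[pos:pos + vendor.type_size], "big")
        pos += vendor.type_size
        if vendor.length_size:
            if pos >= len(body):
                raise ValueError("truncated vendor length field")
            data_len = body[pos] - vendor.type_size - 1
            if data_len < 0 or pos + 1 + data_len > len(body):
                raise ValueError("vendor length inconsistent with attribute length")
            data, pos = body[pos + 1:pos + 1 + data_len], pos + 1 + data_len
        else:                                                # no length field: value is the rest
            data, pos = body[pos:], len(body)
        sub = vendor.subattrs.get(vid)
        if sub is None:
            raise ValueError(f"{vendor.name}: unknown vendor attribute id {vid}")
        if vid in seen and not sub.multiple_allowed:
            raise ValueError(f"{sub.name} appears more than once but is not Multiple Allowed")
        seen.add(vid)
        out.append((sub.name, decode_value(sub.attr_type, data)))
    return vendor, out


# Cisco: real vendor ID 9, RFC 2865 default layout; only two of its subattributes are listed here.
CISCO = Vendor("Cisco", 9, subattrs={
    1: SubAttr("cisco-avpair", "String", multiple_allowed=True),
    2: SubAttr("Cisco-NAS-Port", "String"),
})
# Constructed vendor (ID 65000 is an assumption) using a 4-byte vendor type and no length field.
ACME = Vendor("acme-example", 65000, type_size=4, length_size=0, subattrs={
    0x00010005: SubAttr("acme-Framed-IP", "IPv4 Address"),
})
VENDORS = {v.vendor_id: v for v in (CISCO, ACME)}

if __name__ == "__main__":
    pkt = encode_vsa(CISCO, [(1, "shell:priv-lvl=15"), (1, "ip:inacl#1=permit ip any any")])
    print(pkt.hex(), decode_vsa(pkt, VENDORS)[1])
    print(encode_vsa(ACME, [(0x00010005, "10.1.2.3")]).hex())
```

Run it to see why the two advanced vendor options matter: with the Cisco layout every subattribute is self-delimiting, so several fit in one attribute 26 and a wrong length byte is caught; with the constructed 4/0 layout the value simply runs to the end of the attribute, so a device sending that layout to a dictionary configured as 1/1 would be parsed as garbage rather than rejected.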
Related Topic
  Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6

Configuring Identity Dictionaries

This section contains the following topics:
  Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10
  Deleting an Internal User Identity Attribute, page 18-12
  Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13
  Deleting an Internal Host Identity Attribute, page 18-13

Creating, Duplicating, and Editing an Internal User Identity Attribute

To create, duplicate, and edit an internal user identity attribute:

Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Users. The Attributes list for the Internal Users page appears.
Step 2 Perform one of these actions:
  Click Create.
  Check the check box next to the attribute that you want to duplicate and click Duplicate.
  Click the attribute name that you want to modify; or, check the check box for the name and click Edit.
  The Identity Attribute Properties page appears.
Step 3 Modify the fields in the Identity Attribute Properties page as required. See Configuring Internal Identity Attributes, page 18-11 for field descriptions.
Step 4 Click Submit. The internal user attribute configuration is saved. The Attributes list for the Internal Users page appears with the new attribute configuration.

Related Topics
  Deleting an Internal User Identity Attribute, page 18-12
  Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13
  Policies and Identity Attributes, page 3-17
Configuring Internal Identity Attributes

Table 18-10 describes the fields in the internal identity attributes.

Table 18-10 Identity Attribute Properties Page

  General
    Attribute: Name of the attribute.
    Description: Description of the attribute.
  Attribute Type
    Attribute Type: (Optional) Use the drop-down list box to choose an attribute type. Valid options are:
      String: Populates the Maximum Length and Default Value fields in the page. For the reserved attribute ACS-RESERVED-Authen-ID-Store, entering a non-null string value for a user makes ACS authenticate that user against the identity store whose name matches the value.
      Unsigned Integer 32: Populates the Valid Range From and To fields in the page.
      IPv4 Address: Populates the Default Value field in the page.
      Boolean: Populates the Default Value check box in the page. For the reserved attribute ACS-RESERVED-Never-Expired, setting the value to true overrides the global password expiration policy and disables password expiration for that user.
      Date: Populates the Default Value field and calendar icon in the page.
      Enumeration: Populates the ID and Value fields and the Add, Edit, Replace, and Delete buttons.
    Maximum Length: (Optional) For the String attribute type only. Enter the maximum length of your attribute. The valid range is from 1 to 256. (Default = 32)
    Value Range: (Optional) For the Unsigned Integer 32 attribute type only.
      From: Enter the lowest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be smaller than the Valid Range To value.
      To: Enter the highest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be larger than the Valid Range From value.
      Although the type is named Unsigned Integer 32, the accepted range is that of a signed 32-bit integer; values of 2^31 and above are not accepted.
    Default Value: Enter the default value for the appropriate attribute:
      String: Up to the maximum length, following the UTF-8 standard. You can use the letters a to z, A to Z, and the digits 0 to 9.
      Unsigned Integer 32: An integer in the range from 0 to 2^31-1 (2147483647).
      IPv4 Address: The IP address that you want to associate with this attribute, in the format x.x.x.x (no subnet mask).
      Date: Click the calendar icon to display the calendar popup and select a date.
      Boolean: Select True or False.
    ID-Value: (Optional) For the Enumeration attribute type only. ID: enter a number from 0 to 999. Value: enter a value for the ID. Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, or delete ID-Value pairs, select the pair in the ID-Value table; click Edit to load the ID and Value fields and edit them as required, then click Add to add a new entry with the modified values or Replace to overwrite the selected entry; click Delete to delete the entry from the ID-Value table.
  Attribute Configuration
    Mandatory Fields: Check the check box to make this attribute a requirement in the User Properties page.
    Add Policy Condition: Check the check box to create a custom condition from this attribute. When you check this option, you must enter a name in the Policy Condition Display Name field.
    Policy Condition Display Name: Enter a name for the policy condition. After you submit this page, the condition appears in the Policy Elements > Session Conditions > Custom page.

Deleting an Internal User Identity Attribute

To delete an internal user identity attribute:

Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Users. The Attributes list for the Internal Users page appears.
Step 2 Check the check box next to the attribute you want to delete. Because deleting an identity attribute can take a long time to process, you can delete only one attribute at a time.
Step 3 Click Delete.
Step 4 For confirmation, click OK or Cancel. The Attributes list for the Internal Users page appears without the deleted attribute.

Related Topics
  Creating, Duplicating, and Editing an Internal User Identity Attribute, page 18-10
  Policies and Identity Attributes, page 3-17
Creating, Duplicating, and Editing an Internal Host Identity Attribute

To create, duplicate, and edit an internal host identity attribute:

Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Hosts. The Attributes list for the Internal Hosts page appears.
Step 2 Do one of the following:
  Click Create.
  Check the check box next to the attribute that you want to duplicate and click Duplicate.
  Click the attribute name that you want to modify; or, check the check box for the name and click Edit.
  The Identity Attribute Properties page appears.
Step 3 Modify the fields in the Identity Attribute Properties page as required. See Table 18-10 for field descriptions.
Step 4 Click Submit. The internal host attribute configuration is saved. The Attributes list for the Internal Hosts page appears with the new attribute configuration.

Related Topics
  Deleting an Internal Host Identity Attribute, page 18-13
  Policies and Identity Attributes, page 3-17

Deleting an Internal Host Identity Attribute

To delete an internal host identity attribute:

Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Hosts. The Attributes list for the Internal Hosts page appears.
Step 2 Check the check box next to the attribute you want to delete. Because deleting an attribute can take a long time to process, you can delete only one attribute at a time.
Step 3 Click Delete.
Step 4 For confirmation, click OK or Cancel. The Attributes list for the Internal Hosts page appears without the deleted attribute.

Related Topics
  Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13
  Policies and Identity Attributes, page 3-17
Adding Static IP address to Users in Internal Identity Store

To add a static IP address to a user in the internal identity store:

Step 1 Add a static IP attribute to the internal user attribute dictionary:
Step 2   Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3   Click Create.
Step 4   Add the static IP attribute (for example, an attribute of type IPv4 Address; see Table 18-10).
Step 5 Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6 Click Create.
Step 7 Edit the static IP attribute of the user.

Configuring Local Server Certificates

Local server certificates are also known as ACS server certificates. ACS uses the local server certificates to identify itself to clients. The local server certificates are used by:
  EAP protocols that use SSL/TLS tunneling.
  The management interface, to authenticate the web interface (GUI).

This section contains the following topics:
  Adding Local Server Certificates, page 18-14
  Importing Server Certificates and Associating Certificates to Protocols, page 18-15
  Generating Self-Signed Certificates, page 18-16
  Generating a Certificate Signing Request, page 18-17
  Binding CA Signed Certificates, page 18-17
  Editing and Renewing Certificates, page 18-18
  Deleting Certificates, page 18-19
  Exporting Certificates, page 18-20
  Viewing Outstanding Signing Requests, page 18-20

Adding Local Server Certificates

You can add a local server certificate, also known as an ACS server certificate, to identify the ACS server to clients.

Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates. The Local Certificates page appears, displaying the information in Table 18-11.

Table 18-11 Local Certificates Page
  Friendly Name: Name that is associated with the certificate.
  Issued To: Entity to which the certificate is issued. The name that appears is taken from the certificate subject.
  Issued By: Trusted party that issued the certificate.
  Valid From: Date from which the certificate is valid.
  Valid To (Expiration): Date until which the certificate is valid.
  Protocol: Protocol associated with the certificate.

Step 2 Click Add.
Step 3 Enter the information in the Local Certificate Store Properties page as described in Table 18-12.

Table 18-12 Local Certificate Store Properties Page
  Import Server Certificate: Select to browse the client machine for the local certificate file and import the private key and private key password. See Importing Server Certificates and Associating Certificates to Protocols, page 18-15. Supported certificate formats are DER, PEM, and the Microsoft proprietary private key format.
  Generate Self Signed Certificate: Select to generate a self-signed certificate. See Generating Self-Signed Certificates, page 18-16.
  Generate Certificate Signing Request: Select to generate a certificate signing request. See Generating a Certificate Signing Request, page 18-17.
  Bind CA Signed Certificate: Select to bind a CA-signed certificate. After the CA signs the request, you can install the returned signed certificate on ACS and bind the certificate with its corresponding private key. See Binding CA Signed Certificates, page 18-17.

Importing Server Certificates and Associating Certificates to Protocols

The supported certificate formats are DER and PEM.

Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates > Add.
Step 2 Select Import Server Certificate > Next.
Step 3 Enter the information in the ACS Import Server Certificate page as described in Table 18-13.

Table 18-13 Import Server Certificate Page
  Certificate File: Select to browse the client machine for the local certificate file.
  Private Key File: Select to browse to the location of the private key.
  Private Key Password: Enter the private key password. The value may be empty; the maximum length is 256 characters.
  Protocol
    EAP: Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
    Management Interface: Check to associate the certificate with the management interface.
  Allow Duplicate Certificates: Check to allow adding a certificate that has the same CN and the same Subject Key Identifier (SKI) as an existing certificate but different Valid From, Valid To, and serial number values (for example, a renewed certificate issued for the same key pair).
  Override Policy
    Replace Certificate: Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.

Step 4 Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate.

Generating Self-Signed Certificates

Step 1 Select System Administration > Configuration > Local Server Certificates > Local Certificates > Add.
Step 2 Select Generate Self Signed Certificate > Next.
Step 3 Enter the information in the Generate Self Signed Certificate page as described in Table 18-14.

Table 18-14 Generate Self Signed Certificate Step 2
  Certificate Subject: Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is prefixed with "cn=".
  Key Length: Key length, in bits, of the key pair generated for this certificate. Values may be 512, 1024, 2048, or 4096. Choose 2048 or 4096 for new certificates; 512- and 1024-bit RSA keys no longer provide adequate security.
  Digest to Sign with: Select SHA1 or SHA256 from the drop-down list as the digest used to sign the certificate. Choose SHA256; SHA1 certificate signatures are deprecated, and current browsers reject SHA1-signed certificates on the management interface.
  Expiration TTL: Enter a positive integer and select the unit (days, weeks, months, or years).
  Protocol
    EAP: Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
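The following Python example is added here and is not ACS code or part of this guide. It uses the third-party cryptography package to walk the same lifecycle the pages above describe (generate a key and a CSR with a cn= subject, self-sign with SHA256, export and re-import the certificate as PEM or DER, protect the private key file with a password, and check a certificate before binding it to its private key) so that the checks a practitioner wants at each step are explicit. The host name acs.example.com, the password s3cret, the 365-day TTL and the 2048-bit minimum are assumptions for the example.

```python
"""Local server certificate lifecycle: key, CSR, self-signed cert, PEM/DER, pre-bind checks.
Added example using the third-party `cryptography` package; not ACS code."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_key(bits=2048):
    """Key Length field: use 2048 or 4096 for new certificates (512/1024 are too weak)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def subject(cn):
    """The GUI prefixes the Certificate Subject field with 'cn='."""
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_csr(key, cn):
    """'Generate Certificate Signing Request': the CSR goes to the CA, the private key stays local."""
    return x509.CertificateSigningRequestBuilder().subject_name(subject(cn)).sign(key, hashes.SHA256())


def self_sign(key, cn, days=365, digest=None):
    """'Generate Self Signed Certificate'; Digest to Sign with defaults to SHA256."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = subject(cn)
    return (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)                                     # self-signed: Issued By == Issued To
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)                                 # Valid From
            .not_valid_after(now + datetime.timedelta(days=days))  # Valid To (Expiration TTL)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, digest or hashes.SHA256()))


def export_certificate(cert, fmt="PEM"):
    """Both formats the Import page accepts."""
    enc = serialization.Encoding.PEM if fmt.upper() == "PEM" else serialization.Encoding.DER
    return cert.public_bytes(enc)


def load_certificate(data):
    """Detect PEM vs DER the way an import routine must; anything else raises ValueError."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_certificate(data)
    return x509.load_der_x509_certificate(data)


def export_private_key(key, password):
    """Private Key File for the Import page, encrypted with the Private Key Password (must be non-empty)."""
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.BestAvailableEncryption(password))


def load_private_key(data, password):
    return serialization.load_pem_private_key(data, password)


def check_before_bind(cert, key, min_bits=2048):
    """Checks to run before 'Bind CA Signed Certificate': the returned certificate must carry the
    public half of the key that signed the CSR and must not be weak. Returns a list of problems."""
    problems = []
    if cert.public_key().public_numbers() != key.public_key().public_numbers():
        problems.append("certificate public key does not match the private key")
    if cert.public_key().key_size < min_bits:
        problems.append(f"RSA key is {cert.public_key().key_size} bits, below {min_bits}")
    if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
        problems.append("certificate is signed with SHA1")
    return problems


def is_duplicate(cert_a, cert_b):
    """The condition behind 'Allow Duplicate Certificates': same CN and same Subject Key
    Identifier, which is what a renewal for the same key pair looks like."""
    def cn(c):
        return c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

    def ski(c):
        return c.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest

    return cn(cert_a) == cn(cert_b) and ski(cert_a) == ski(cert_b)


if __name__ == "__main__":
    key = make_key()
    cert = self_sign(key, "acs.example.com")
    reloaded = load_certificate(export_certificate(cert, "DER"))
    print("problems before bind:", check_before_bind(reloaded, key))
    print("renewal counts as duplicate:", is_duplicate(cert, self_sign(key, "acs.example.com", days=730)))
```

The key/certificate match in check_before_bind is the check that matters most when binding: a CA that returns a certificate for a different CSR, or an operator who picks the wrong private key file on the Import page, produces a certificate ACS accepts into the store but cannot use, and the failure surfaces only when EAP or the GUI handshake fails.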