Cisco ACS 5.x User Guide
4-17 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
Chapter 4 Common Scenarios Using ACS
Agentless Network Access

Step 7 Define the service selection.
Step 8 Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 10-8.

Related Topics
Managing Users and Identity Stores, page 8-1
Managing Access Policies, page 10-1

Adding a Host to an Internal Identity Store

To configure an internal identity store for Host Lookup:

Step 1 Choose Users and Identity Store > Internal Identity Stores > Hosts and click Create. See Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18, for more information.
Step 2 Fill in the fields as described in the Users and Identity Stores > Internal Identity Store > Hosts > Create page.
Step 3 Click Submit.

Previous Step: Network Devices and AAA Clients, page 7-5
Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18

Configuring an LDAP External Identity Store for Host Lookup

To configure an LDAP external identity store for Host Lookup:

Step 1 Choose Users and Identity Stores > External Identity Stores > LDAP and click Create. See Creating External LDAP Identity Stores, page 8-26, for more information.
Step 2 Follow the steps for creating an LDAP database. In the LDAP: Directory Organization page, choose the MAC address format. The format you choose represents the way MAC addresses are stored in the LDAP external identity store, so the lookup key ACS builds only matches if that format is the one the directory actually uses.
Step 3 Click Finish.
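The MAC address format chosen in Step 2 matters because a Host Lookup only succeeds when the key is spelled exactly the way the directory stores it. The following Python is an added example, not part of this guide and not ACS code: it normalizes a MAC address that arrives in any common notation to the notation a constructed LDAP host table uses, and shows that a lookup with the raw request string misses. The format names, the sample directory entries and the MAC values are assumptions made for the example.

```python
import re

# Constructed sample directory: hosts keyed the way this hypothetical LDAP
# store writes MAC addresses, namely upper-case with hyphens.
DIRECTORY = {
    "00-1A-2B-3C-4D-5E": {"cn": "printer-3f", "group": "printers"},
    "AA-BB-CC-00-11-22": {"cn": "ipphone-12", "group": "phones"},
}

# Separators seen in switch logs, RADIUS Calling-Station-Id values and
# directory entries: whitespace, colon, dot and hyphen.
_SEPARATORS = re.compile(r"[\s:.\-]")


def canonical_mac(mac: str) -> str:
    """Strip separators and return the 12 hex digits in lower case.
    Anything that is not exactly 12 hex digits afterwards is rejected."""
    digits = _SEPARATORS.sub("", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


# Output conventions. The names are illustrative, not ACS's own option labels.
FORMATS = {
    "colon":  lambda d: ":".join(d[i:i + 2] for i in range(0, 12, 2)),  # 00:1a:2b:3c:4d:5e
    "hyphen": lambda d: "-".join(d[i:i + 2] for i in range(0, 12, 2)),  # 00-1a-2b-3c-4d-5e
    "dotted": lambda d: ".".join(d[i:i + 4] for i in range(0, 12, 4)),  # 001a.2b3c.4d5e
    "plain":  lambda d: d,                                              # 001a2b3c4d5e
}


def format_mac(mac: str, style: str, upper: bool = False) -> str:
    """Render a MAC in the given style, the way the identity store expects it."""
    rendered = FORMATS[style](canonical_mac(mac))
    return rendered.upper() if upper else rendered


def host_lookup(mac: str, style: str, upper: bool = False):
    """Find the host entry for a MAC sent in any common notation."""
    return DIRECTORY.get(format_mac(mac, style, upper))


def naive_lookup(mac: str):
    """What happens when the request's own notation is used as the key."""
    return DIRECTORY.get(mac)


if __name__ == "__main__":
    for raw in ("00:1a:2b:3c:4d:5e", "001a.2b3c.4d5e", "AABBCC001122"):
        print(raw, "naive:", naive_lookup(raw),
              "normalized:", host_lookup(raw, "hyphen", upper=True))
```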
Previous Step: Network Devices and AAA Clients, page 7-5
Next Step: Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18

Related Topics
Creating External LDAP Identity Stores, page 8-26
Deleting External LDAP Identity Stores, page 8-33

Configuring an Identity Group for Host Lookup Network Access Requests

To configure an identity group for Host Lookup network access requests:

Step 1 Choose Users and Identity Store > Identity Groups and click Create. See Managing Identity Attributes, page 8-7, for more information.
Step 2 Fill in the fields as required. The identity group may be any agentless device, such as a printer or phone.
Step 3 Click Submit.

Previous Steps:
Adding a Host to an Internal Identity Store, page 4-17
Configuring an LDAP External Identity Store for Host Lookup, page 4-17
Next Step: Creating an Access Service for Host Lookup, page 4-18

Related Topic
Managing Identity Attributes, page 8-7

Creating an Access Service for Host Lookup

You create an access service and then enable agentless host processing.

To create an access service for Host Lookup:

Step 1 Choose Access Policies > Access Service, and click Create. See Configuring Access Services, page 10-11, for more information.
Step 2 Fill in the fields as described in the Access Service Properties—General page:
  a. In the Service Structure section, choose User Selected Policy Structure.
  b. Set the Access Service Type to Network Access and define the policy structure.
  c. Select Network Access, and check Identity and Authorization. The group mapping and External Policy options are optional.
  d. Make sure you select Process Host Lookup.
If you want ACS to detect PAP or EAP-MD5 authentications for MAC addresses (see PAP/EAP-MD5 Authentication, page 4-15) and process them as Host Lookup requests (for example, MAB requests), complete the following steps:
  e. Select one of the ACS supported protocols for MAB in the Allowed Protocols page (EAP-MD5 or PAP).
  f. Check Detect PAP/EAP-MD5 as Host Lookup.

Related Topics
Managing Access Policies, page 10-1
Authentication in ACS 5.3, page B-1
Authentication with Call Check, page 4-14
Process Service-Type Call Check, page 4-15

Configuring an Identity Policy for Host Lookup Requests

To configure an identity policy for Host Lookup requests:

Step 1 Choose Access Policies > Access Services > Identity. See Viewing Identity Policies, page 10-21, for details.
Step 2 Select Customize to customize the authorization policy conditions. A list of conditions appears. This list includes identity attributes, system conditions, and custom conditions. See Customizing a Policy, page 10-4, for more information.
Step 3 Select Use Case from the Available customized conditions and move it to the Selected conditions.
Step 4 In the Identity Policy page, click Create.
  a. Enter a Name for the rule.
  b. In the Conditions area, check Use Case, then check whether the value should or should not match.
  c. Select Host Lookup and click OK. This attribute selection ensures that while processing the access request, ACS looks for the host and not for an IP address.
  d. Select any of the identity stores that support host lookup as your Identity Source.
  e. Click OK.
Step 5 Click Save Changes.

Related Topic
Managing Access Policies, page 10-1
Configuring an Authorization Policy for Host Lookup Requests

To configure an authorization policy for Host Lookup requests:

Step 1 Choose Access Policies > Access Services > Authorization. See Configuring a Session Authorization Policy for Network Access, page 10-29, for details.
Step 2 Select Customize to customize the authorization policy conditions. A list of conditions appears. This list includes identity attributes, system conditions, and custom conditions. See Customizing a Policy, page 10-4, for more information.
Step 3 Select Use Case from the Available customized conditions and move it to the Selected conditions.
Step 4 Select Authorization Profiles from the customized results, move it to the Selected conditions, and click OK.
Step 5 In the Authorization Policy page, click Create.
  a. Enter a Name for the rule.
  b. In the Conditions area, check Use Case, then check whether the value should or should not match.
  c. Select Host Lookup and click OK. This attribute selection ensures that while processing the access request, ACS looks for the host and not for an IP address.
  d. Select an Authorization Profile from the authorization profiles and move it to the Selected results column.
  e. Click OK.
Step 6 Click Save Changes.

Related Topic
Managing Access Policies, page 10-1

VPN Remote Network Access

A remote access Virtual Private Network (VPN) allows you to connect securely to a private company network from the public Internet. You could be accessing your company's network from home or elsewhere. The VPN is connected to your company's perimeter network (DMZ). A VPN gateway can manage simultaneous VPN connections.

Related Topics
Supported Authentication Protocols, page 4-21
Supported Identity Stores, page 4-21
Supported VPN Network Access Servers, page 4-22
Supported VPN Clients, page 4-22
Configuring VPN Remote Access Service, page 4-22
Supported Authentication Protocols

ACS 5.3 supports the following protocols for inner authentication inside the VPN tunnel:
RADIUS/PAP
RADIUS/CHAP
RADIUS/MS-CHAPv1
RADIUS/MS-CHAPv2

With MS-CHAPv1 or MS-CHAPv2, ACS can generate the MPPE keys that are used to encrypt the tunnel that is created.

Related Topics
VPN Remote Network Access, page 4-20
Supported Identity Stores, page 4-21
Supported VPN Network Access Servers, page 4-22
Supported VPN Clients, page 4-22
Configuring VPN Remote Access Service, page 4-22

Supported Identity Stores

ACS can perform VPN authentication against the following identity stores:
ACS internal identity store—RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAP-v1, and RADIUS/MS-CHAP-v2
Active Directory—RADIUS/PAP, RADIUS/MS-CHAP-v1, and RADIUS/MS-CHAP-v2
LDAP—RADIUS/PAP
RSA SecurID Server—RADIUS/PAP
RADIUS Token Server—RADIUS/PAP (dynamic OTP)

Related Topics
VPN Remote Network Access, page 4-20
Supported Authentication Protocols, page 4-21
Supported VPN Network Access Servers, page 4-22
Supported VPN Clients, page 4-22
Configuring VPN Remote Access Service, page 4-22
Supported VPN Network Access Servers

ACS 5.3 supports the following VPN network access servers:
Cisco ASA 5500 Series
Cisco VPN 3000 Series

Related Topics
VPN Remote Network Access, page 4-20
Supported Authentication Protocols, page 4-21
Supported Identity Stores, page 4-21
Supported VPN Clients, page 4-22
Configuring VPN Remote Access Service, page 4-22

Supported VPN Clients

ACS 5.3 supports the following VPN clients:
Cisco VPN Client 5.0 Series
Cisco Clientless SSL VPN (WEBVPN)
Cisco AnyConnect VPN client 2.3 Series
MS VPN client

Related Topics
VPN Remote Network Access, page 4-20
Supported Authentication Protocols, page 4-21
Supported Identity Stores, page 4-21
Supported VPN Network Access Servers, page 4-22
Configuring VPN Remote Access Service, page 4-22

Configuring VPN Remote Access Service

To configure a VPN remote access service:

Step 1 Configure the VPN protocols in the Allowed Protocols page of the default network access service. For more information, see Configuring Access Service Allowed Protocols, page 10-15.
Step 2 Create an authorization profile for VPN by selecting the dictionary type, and the Tunneling-Protocols attribute type and value. For more information, see Specifying RADIUS Attributes in Authorization Profiles, page 9-21.
Step 3 Click Submit to create the VPN authorization profile.
Related Topics
VPN Remote Network Access, page 4-20
Supported Authentication Protocols, page 4-21
Supported Identity Stores, page 4-21
Supported VPN Network Access Servers, page 4-22
Supported VPN Clients, page 4-22
Configuring VPN Remote Access Service, page 4-22

ACS and Cisco Security Group Access

Note: ACS requires an additional feature license to enable Security Group Access capabilities.

Cisco Security Group Access, hereafter referred to as Security Group Access, is a new security architecture for Cisco products. You can use Security Group Access to create a trustworthy network fabric that provides confidentiality, message authentication, integrity, and anti-replay protection on network traffic. Security Group Access requires that all network devices have an established identity and be authenticated and authorized before they start operating in the network. This precaution prevents rogue network devices from attaching to a secure network.

Until now, ACS authenticated only users and hosts to grant them access to the network. With Security Group Access, ACS also authenticates devices such as routers and switches by using a name and password. Any device with a Network Interface Card (NIC) must authenticate itself or stay out of the trusted network. Security is improved and device management is simplified, since devices can be identified by their name rather than by IP address.

Note: The Cisco Catalyst 6500 running Cisco IOS 12.2(33) SXI and DataCenter 3.0 (Nexus 7000) NX-OS 4.0.3 devices support Security Group Access. The Cisco Catalyst 6500 supports Security Group Tags (SGTs); however, it does not support Security Group Access Control Lists (SGACLs) in this release.

To configure ACS for Security Group Access:

1. Add users. This is the general task to add users in ACS and is not specific to Security Group Access.
   Choose Users and Identity Stores > Internal Identity Store > Users and click Create. See Creating Internal Users, page 8-11, for more information.
2. Adding Devices for Security Group Access.
3. Creating Security Groups.
4. Creating SGACLs.
5. Configuring an NDAC Policy.
6. Configuring EAP-FAST Settings for Security Group Access.
7. Creating an Access Service for Security Group Access.
8. Creating an Endpoint Admission Control Policy.
9. Creating an Egress Policy.
10. Creating a Default Policy.

Adding Devices for Security Group Access

The RADIUS protocol requires a shared secret between the AAA client and the server. In ACS, RADIUS requests are processed only if they arrive from a known AAA client, so you must configure the AAA client in ACS with a shared secret, and the Security Group Access device should be configured with the same shared secret. In Security Group Access, every device must be able to act as a AAA client for new devices that join the secured network. All Security Group Access devices possess a Protected Access Credential (PAC) as part of the EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol. The PAC is used to identify the AAA client, and the RADIUS shared secret can be derived from the PAC.

To add a network device:

Step 1 Choose Network Resources > Network Devices and AAA Clients and click Create. See Network Devices and AAA Clients, page 7-5, for more information.
Step 2 Fill in the fields in the Network Devices and AAA Clients pages:
  - To add a device as a seed Security Group Access device, check RADIUS and Security Group Access; to add a device as a Security Group Access client, check Security Group Access only.
  - If you add the device as a RADIUS client, enter the IP Address and the RADIUS/Shared Secret.
  - If you add the device as a Security Group Access device, fill in the fields in the Security Group Access section. You can check Advanced Settings to display advanced settings for the Security Group Access device configuration and modify the default settings. The location or device type can be used as a condition to configure an NDAC policy rule.
Step 3 Click Submit.
Creating Security Groups

Security Group Access uses security groups to tag packets at ingress so that they can be filtered later at egress. A security group yields a security group tag (SGT), a 4-byte string ID that is sent to the network device. The web interface displays the decimal and hexadecimal representation. The SGT is unique. When you edit a security group you can modify the name, but you cannot modify the SGT ID. The security group names Unknown and Any are reserved and are used in the Egress policy matrix. The generation ID changes when the Egress policy is modified.
Devices consider only the SGT value; the name and description of a security group are a management convenience and are not conveyed to the devices. Therefore, changing the name or description of a security group does not affect the generation ID of an SGT.

To create a security group:

Step 1 Choose Policy Elements > Authorizations and Permissions > Network Access > Security Groups and click Create.
Step 2 Fill in the fields as described in Configuring Security Group Access Control Lists, page 9-33.
Tip: When you edit a security group, the security group tag and the generation ID are visible.
Step 3 Click Submit.

Creating SGACLs

Security Group Access Control Lists (SGACLs) are similar to standard IP-based ACLs in that you can specify whether to allow or deny communications down to the transport protocol (for example, TCP or User Datagram Protocol (UDP)) and port (for example, FTP or Secure Shell Protocol (SSH)). You create SGACLs that apply to communications between security groups. In ACS, you administer Security Group Access policy by assigning these SGACLs to the intersection of source and destination security groups, either through a customizable Egress matrix view or for individual source and destination security group pairs.

To create an SGACL:

Step 1 Choose Policy Elements > Authorizations and Permissions > Named Permissions Objects > Security Group ACLs, then click Create.
Step 2 Fill in the fields as described in Configuring Security Group Access Control Lists, page 9-33.
Step 3 Click Submit.

Configuring an NDAC Policy

The Network Device Admission Control (NDAC) policy defines which security group is sent to the device. When you configure the NDAC policy, you create rules with previously defined conditions, for example, NDGs.
The NDAC policy is a single service, and it contains a single policy with one or more rules. Since the same policy is used for setting responses for authentication, peer authorization, and environment requests, the same SGT is returned for all request types when they apply to the same device.

Note: You cannot add the NDAC policy as a service in the service selection policy; however, the NDAC policy is automatically applied to Security Group Access devices.
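To make the relationships in Creating Security Groups, Creating SGACLs and Configuring an NDAC Policy concrete, here is an added Python model (not ACS code and not from this guide) of an NDAC policy whose Default Rule returns Unknown, a small egress matrix keyed by source and destination SGT, and SGACL evaluation for one flow. The tag values, the rule contents, the implicit deny at the end of an SGACL and the cell-precedence order are assumptions made for the example, not documented ACS behaviour.

```python
# Security groups: name -> SGT value. Unknown and Any are the reserved names
# used by the egress matrix; the numeric tags here are constructed.
SECURITY_GROUPS = {"Unknown": 0, "Any": 65535, "Printers": 10,
                   "Employees": 20, "Servers": 30}
UNKNOWN, ANY = SECURITY_GROUPS["Unknown"], SECURITY_GROUPS["Any"]


def sgt_display(tag: int) -> str:
    """Decimal and hexadecimal representation, as the web interface shows both."""
    return f"{tag} (0x{tag:X})"


# NDAC policy: ordered rules on device attributes (the guide names location and
# device type as usable conditions). First match wins; the Default Rule returns
# Unknown when no rule matches, as the guide states.
NDAC_RULES = [
    ({"device_type": "switch", "location": "campus"}, SECURITY_GROUPS["Employees"]),
    ({"device_type": "switch", "location": "datacenter"}, SECURITY_GROUPS["Servers"]),
]


def ndac_sgt(device: dict) -> int:
    for conditions, sgt in NDAC_RULES:
        if all(device.get(k) == v for k, v in conditions.items()):
            return sgt
    return UNKNOWN  # Default Rule


# SGACLs: ordered (action, protocol, destination port) entries. "ip" matches any
# protocol and None matches any port; falling off the end denies (assumption).
SGACLS = {
    "web-and-ssh":  [("permit", "tcp", 443), ("permit", "tcp", 22), ("deny", "ip", None)],
    "print-only":   [("permit", "tcp", 9100), ("deny", "ip", None)],
    "quarantine":   [("deny", "ip", None)],
    "default-deny": [("deny", "ip", None)],
}

# Egress matrix cells keyed by (source SGT, destination SGT); the reserved group
# Any stands for a whole row or column. Constructed policy.
EGRESS_MATRIX = {
    (SECURITY_GROUPS["Employees"], SECURITY_GROUPS["Servers"]): "web-and-ssh",
    (ANY, SECURITY_GROUPS["Printers"]): "print-only",
    (UNKNOWN, ANY): "quarantine",
}


def resolve_sgacl(src: int, dst: int, default: str = "default-deny") -> str:
    """Precedence assumed for this model: exact cell, then the source row's Any
    column, then the Any row for that destination, then the matrix default."""
    for key in ((src, dst), (src, ANY), (ANY, dst), (ANY, ANY)):
        if key in EGRESS_MATRIX:
            return EGRESS_MATRIX[key]
    return default


def sgacl_permits(name: str, proto: str, port: int) -> bool:
    for action, p, prt in SGACLS[name]:
        if p in ("ip", proto) and prt in (None, port):
            return action == "permit"
    return False


def check_flow(src: int, dst: int, proto: str, port: int):
    """Egress decision for one flow: (SGACL applied, permitted?)."""
    name = resolve_sgacl(src, dst)
    return name, sgacl_permits(name, proto, port)
```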
To configure an NDAC policy for a device:

Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy.
Step 2 Click Customize to select which conditions to use in the NDAC policy rules. The Default Rule applies when no rules match or no rules are defined. The default security group tag for the Default Rule result is Unknown.
Step 3 Click Create to create a new rule.
Step 4 Fill in the fields in the NDAC Policy Properties page.
Step 5 Click Save Changes.

Configuring EAP-FAST Settings for Security Group Access

Since RADIUS information is retrieved from the PAC, you must define how long the EAP-FAST tunnel PAC lives. You can also refresh the time to live for an active PAC.

To configure the EAP-FAST settings for the tunnel PAC:

Step 1 Choose Access Policies > Security Group Access Control > > Network Device Access.
Step 2 Fill in the fields in the Network Device Access EAP-FAST Settings page.
Step 3 Click Submit.

Creating an Access Service for Security Group Access

You create an access service for endpoint admission control policies for endpoint devices, and then you add the service to the service selection policy.

Note: The NDAC policy is a service that is automatically applied to Security Group Access devices. You do not need to create an access service for Security Group Access devices.

To create an access service:

Step 1 Choose Access Policies > Access Service, and click Create. See Configuring Access Services, page 10-11, for more information.
Step 2 Fill in the fields in the Access Service Properties—General page as required.
Step 3 In the Service Structure section, choose User selected policy structure.
Step 4 Select Network Access, and check Identity and Authorization.