
Cisco Acs 57 User Guide


Page 41

Cisco Systems, Inc. www.cisco.com
Common Scenarios Using ACS
Network control refers to the process of controlling access to a network. Traditionally, a username and password were 
used to authenticate a user to a network. Nowadays, with rapid technological advancements, the traditional method 
of managing network access with a username and a password is no longer sufficient.
The ways in which users can access the network, and what they can access, have changed considerably. Hence, you 
must...

Page 42

This chapter provides guidelines for some of the common scenarios. This chapter contains:
Overview of Device Administration, page 2
Password-Based Network Access, page 5 
Certificate-Based Network Access, page 8 
Agentless Network Access, page 11
VPN Remote Network Access, page 19
ACS and Cisco Security Group Access, page 21
RADIUS and TACACS+ Proxy Requests, page 26
Enabling and Disabling IPv6 for Network Interfaces, page 34...

Page 43

Overview of Device Administration
You configure the permit and deny settings in the device administration rule table. You configure policy elements within 
a device administration rule table as conditions that are either met or not met. The rule table maps specific request 
conditions to device administration results through a matching process. The result of rule table processing is a shell 
profile or a command set, depending on the type of request.
Session administration requests...

Page 44

3. ACS optionally uses an identity store (external Lightweight Directory Access Protocol [LDAP], Active Directory, 
RADIUS Identity Server, or internal ACS identity store) to retrieve user attributes, which are included in policy 
processing.
4. The response indicates whether the administrator is authorized to issue the command.
To configure a command authorization policy (device administration rule table) to allow an administrator to issue...
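The request-to-result matching that the two preceding pages describe (conditions in a rule table resolving to a shell profile for session requests or a command set for command requests, with the identity-store attributes of step 3 feeding the match and step 4 being the permit/deny answer), modeled in Python as an added example. This is not ACS code: the first-match and default-deny semantics, the command-set argument handling, the attribute names and the sample policy are this example's own assumptions; only the TACACS+ shell authorization attribute names (service=shell, cmd, cmd-arg) follow RFC 8907.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed model of a device administration rule table. The matching
# semantics (first match wins, nothing matched means deny) are assumptions
# made for this example, not a description of the ACS 5.7 implementation.


@dataclass
class CommandRule:
    grant: str             # "permit" or "deny"
    command: str           # first token of the command, e.g. "show"
    arguments: str = ".*"  # regex that the remaining tokens must fully match


@dataclass
class CommandSet:
    """Result type for command authorization requests."""
    name: str
    rules: List[CommandRule]
    permit_unmatched: bool = False  # verdict when no CommandRule matches

    def permits(self, command: str, arguments: str) -> bool:
        for rule in self.rules:
            if rule.command.lower() == command.lower() and re.fullmatch(rule.arguments, arguments):
                return rule.grant == "permit"
        return self.permit_unmatched


@dataclass
class ShellProfile:
    """Result type for session (exec) authorization requests."""
    name: str
    privilege_level: int


@dataclass
class PolicyRule:
    conditions: Dict[str, str]  # every condition must hold for the rule to match
    result: Union[CommandSet, ShellProfile]


def first_match(table: List[PolicyRule], request: Dict[str, str]):
    """Walk the rule table top to bottom; the first rule whose conditions all hold wins."""
    for rule in table:
        if all(request.get(attr) == value for attr, value in rule.conditions.items()):
            return rule.result
    return None


# Constructed sample policy: NetAdmins get everything, NetOps get read-only
# access on switches only, and everyone else falls through to the default deny.
FULL_ACCESS = CommandSet("FullAccess", [], permit_unmatched=True)
READ_ONLY = CommandSet("ReadOnly", [
    CommandRule("permit", "show"),
    CommandRule("permit", "ping"),
    CommandRule("deny", "configure"),  # explicit, although the default already denies it
])

COMMAND_TABLE = [
    PolicyRule({"identity_group": "NetAdmins"}, FULL_ACCESS),
    PolicyRule({"identity_group": "NetOps", "device_type": "Switch"}, READ_ONLY),
]
SESSION_TABLE = [
    PolicyRule({"identity_group": "NetAdmins"}, ShellProfile("PrivLevel15", 15)),
    PolicyRule({"identity_group": "NetOps"}, ShellProfile("PrivLevel1", 1)),
]


def request_from_tacacs(identity_group: str, device_type: str, av_pairs: List[str]) -> Dict[str, str]:
    """Combine identity-store attributes (step 3) with the TACACS+ shell authorization
    AV pairs the device sent (service=shell, cmd=..., cmd-arg=...; the trailing
    cmd-arg=<cr> marks the end of the command line)."""
    cmd, args = "", []
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return {"identity_group": identity_group, "device_type": device_type,
            "cmd": cmd, "cmd_arg": " ".join(args)}


def authorize_command(request: Dict[str, str]) -> bool:
    """Step 4: the response says whether the administrator may issue the command."""
    result = first_match(COMMAND_TABLE, request)
    if not isinstance(result, CommandSet):
        return False  # no rule matched (or wrong result type): deny rather than fail open
    return result.permits(request.get("cmd", ""), request.get("cmd_arg", ""))


def session_privilege(request: Dict[str, str]) -> Optional[int]:
    """Session requests resolve to a shell profile instead of a command set."""
    result = first_match(SESSION_TABLE, request)
    return result.privilege_level if isinstance(result, ShellProfile) else None


if __name__ == "__main__":
    req = request_from_tacacs("NetOps", "Switch",
                              ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"])
    print(req["cmd"], req["cmd_arg"], "->", "permit" if authorize_command(req) else "deny")
    req["cmd"], req["cmd_arg"] = "configure", "terminal"
    print(req["cmd"], req["cmd_arg"], "->", "permit" if authorize_command(req) else "deny")
```

The point worth noticing is the fall-through: a request that matches no rule in the table, such as a NetOps user on a router, gets no command set at all, and `authorize_command` treats that as a deny instead of defaulting to permit.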

Page 45

Password-Based Network Access
This section contains the following topics:
Overview of Password-Based Network Access, page 5
Password-Based Network Access Configuration Flow, page 6
For more information about password-based protocols, see Authentication in ACS 5.7, page 1
Overview of Password-Based Network Access
The use of a simple, unencrypted username and password is not considered a strong authentication mechanism but can 
be sufficient...

Page 46

—EAP-FAST-GTC
—EAP-MD5
—LEAP
You must choose the authentication method based on the following factors:
The network access server—Wireless access points, 802.1X authenticating switches, VPN servers, and so on.
The client computer and software—EAP supplicant, VPN client, and so on.
The identity store that is used to authenticate the user—Internal or External (AD, LDAP, RSA token server, or RADIUS 
identity server).
Related Topics...

Page 47

For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, 
RADIUS/MS-CHAPv2) and simple EAP methods (EAP-MD5 and LEAP), you need to configure only the protocol in the 
Allowed Protocols page, as defined in Table 11 on page 7.
Some of the complex EAP protocols require additional configuration:
For EAP-TLS, you must also configure:
—The EAP-TLS settings under System Administration > Configuration > EAP-TLS Settings....
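The page lists RADIUS/PAP and RADIUS/CHAP among the methods that need only the Allowed Protocols setting. As an added example that is not part of the guide, the following Python shows how each of the two carries the credential inside RADIUS: RFC 2865 section 5.2 User-Password hiding for PAP, and the RFC 1994 response computation for CHAP. The shared secret, passwords, authenticator and challenge values are constructed for the example. It also makes concrete the page's earlier caveat that a simple username and password is not a strong mechanism: with PAP, anyone who holds the RADIUS shared secret can recover the password from a captured request.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration of how two of the listed non-EAP methods carry the
# credential inside RADIUS. Shared secret, authenticator, challenge and passwords
# are made up for the example.


def radius_user_password_encode(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RADIUS/PAP: RFC 2865 section 5.2 User-Password hiding.
    The password is NUL-padded to a multiple of 16 octets; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_user_password_decode(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of the above. The NAS, the server, and anyone who copied the shared
    secret out of a device configuration can all run this on a captured packet,
    which is why the hiding is obfuscation rather than encryption."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    # Strip the NUL padding; a password that itself ends in NUL is ambiguous here.
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS/CHAP: RFC 1994 response = MD5(Identifier || secret || Challenge).
    The cleartext password never crosses the wire, but the server must hold a
    cleartext (or reversibly stored) copy to recompute the response."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison of the expected and received CHAP responses."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


def demo() -> bool:
    """Round-trip a PAP password and run one CHAP exchange; True when both behave as expected."""
    secret = b"constructed-shared-secret"
    authenticator = secrets.token_bytes(16)  # the NAS picks a fresh random authenticator per request
    password = b"Sup3rS3cret!"

    hidden = radius_user_password_encode(password, secret, authenticator)
    recovered = radius_user_password_decode(hidden, secret, authenticator)

    challenge = secrets.token_bytes(16)
    response = chap_response(0x01, password, challenge)
    return recovered == password and chap_verify(0x01, password, challenge, response)
```

Neither method protects the credential against someone who holds the RADIUS shared secret (PAP) or who can run an offline guess against a captured challenge/response pair (CHAP); that is the trade-off the section's protocol choice is about.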

Page 48

8
Common Scenarios Using ACS
 
Certificate-Based Network Access
—The inner method in the Allowed Protocols page and specify whether password change is allowed.
—The PEAP settings under System Administration > Configuration > PEAP Settings.
—Local server certificates under System Administration > Configuration > Local Server Certificates > Local 
Certificates.
For EAP-FAST, you must also configure:
—The inner method in the Allowed Protocols page and specify whether password change is allowed.
—Whether or...

Page 49

Certificate-Based Network Access
A certificate can be self-signed or signed by another CA. Certificates can be arranged in a hierarchy that expresses the 
trust relationship between each entity and its CA. The trusted root CA is the entity that signs the certificates of all 
other CAs and, through them, every certificate in its hierarchy.
ACS identifies itself with its own certificate. ACS supports a certificate trust list (CTL) for authorizing connection 
certificates. ACS also supports complex...

Page 50

10
Common Scenarios Using ACS
 
Certificate-Based Network Access
EAP-TLS or PEAP (EAP-TLS)
The local certificate. See Configuring Local Server Certificates, page 16.
To configure certificate-based network access for EAP-TLS or PEAP (EAP-TLS):
1. Configure the trust certificate list. See Configuring CA Certificates, page 83, for more information.
2. Configure the LDAP external identity store. You might want to do this to verify the certificate against a certificate 
stored in LDAP. See Creating External...