Cisco ACS 5.7 User Guide

Page 51

11   
Common Scenarios Using ACS
Agentless Network Access
Overview of EAP-TLS, page 5
Authorizing the ACS Web Interface from Your Browser Using a Certificate
You use HTTPS certificate-based authentication to connect to ACS with your browser. The Local Server Certificate in ACS is used to authorize the ACS web interface from your browser. ACS does not support browser authentication (mutual authentication is not supported).
A default Local Server Certificate is installed on ACS so that you can...

Page 52

802.1x must be enabled on the host device and on the switch to which the device connects. If a host/device without an 802.1x supplicant attempts to connect to a port that is enabled for 802.1x, it will be subjected to the default security policy.
The default security policy says that 802.1x authentication must succeed before access to the network is granted. Therefore, by default, non-802.1x-capable devices cannot get access to an...

Page 53

ACS supports host lookup for the following identity stores:
Internal hosts
External LDAP
Internal users 
Active Directory
You can access the Active Directory via the LDAP API. 
You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in the Internal Users identity store, and you prefer not to move the data to the Internal Hosts identity store.
ACS uses the MAC format (XX-XX-XX-XX-XX-XX)...

Page 54

In the ACS packet processing flow, the detection of Host Lookup according to Call Check service-type is done before the service selection policy. It is possible to use the condition UseCase equals Host Lookup in the service selection policy.
Initially, when RADIUS requests are processed, the RADIUS User-Name attribute is copied to the System UserName attribute. When the RADIUS Service-Type equals 10, the RADIUS Calling-Station-ID attribute is...

Page 55

Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 25
Managing Users and Identity Stores, page 1
Agentless Network Access Flow
This topic describes the end-to-end flow for agentless network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters.
Perform these tasks in the order listed to configure agentless network access in ACS:...

Page 56

c. Define an authorization policy. For more information, see Configuring an Authorization Policy for Host Lookup Requests, page 18.
7. Define the service selection.
8. Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 7.
Related Topics
Managing Users and Identity Stores, page 1
Managing Access Policies, page 1
Adding a Host to an Internal Identity...

Page 57

Deleting External LDAP Identity Stores, page 41
Configuring an Identity Group for Host Lookup Network Access Requests
To configure an identity group for Host Lookup network access requests:
1. Choose Users and Identity Stores > Identity Groups and click Create.
See Managing Identity Attributes, page 7, for more information.
2. Fill in the fields as required.
The identity group may be any agentless device, such as a printer or phone.
3. Click...

Page 58

Related Topics
Managing Access Policies, page 1
Authentication in ACS 5.7, page 1
Authentication with Call Check, page 13
Process Service-Type Call Check, page 14
Configuring an Identity Policy for Host Lookup Requests
To configure an identity policy for Host Lookup requests:
1. Choose Access Policies > Access Services > Identity.
See Viewing Identity Policies, page 23, for details.
2. Select Customize to customize the authorization policy...

Page 59

VPN Remote Network Access
4. Select Authorization Profiles from the customized results and move it to the Selected conditions and click OK.
5. In the Authorization Policy Page, click Create.
a. Enter a Name for the rule.
b. In the Conditions area, check Use Case, then check whether the value should or should not match.
c. Select Host Lookup and click OK.
This attribute selection ensures that while processing the access request, ACS will look for the host and not for an IP...

Page 60

Supported Identity Stores, page 20
Supported VPN Network Access Servers, page 20
Supported VPN Clients, page 20
Configuring VPN Remote Access Service, page 21
Supported Identity Stores
ACS can perform VPN authentication against the following identity stores:
ACS internal identity store—RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAP-v1, and RADIUS/MS-CHAP-v2
Active Directory—RADIUS/PAP, RADIUS/MS-CHAP-v1, and RADIUS/MS-CHAP-v2
LDAP—RADIUS/PAP
RSA...