Cisco ACS 5.7 User Guide

    5
    Managing Network Resources
    Network Devices and AAA Clients
    You must define in the ACS device repository every device that accesses the network. A network device definition can be
    associated with a specific IP address or with a subnet mask, in which case all IP addresses within the subnet can access
    the network. The device definition includes the association of the device to network device groups (NDGs). You also
    configure whether the device uses TACACS+ or RADIUS, and whether it is a Security Group Access device.
    Note: When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses available
    through the subnet mask. For example, a subnet mask of 255.255.255.0 means you have 256 unique IP addresses.
    You can import devices with their configurations into the network devices repository.
    When ACS receives a request, it searches the network device repository for a device with a matching IP address; ACS
    then compares the shared secret or password information in the request against the value stored in that network device
    definition. If the information matches, the NDGs associated with the device are retrieved and can be used in policy
    decisions.
    You must install the Security Group Access license to enable the Security Group Access options; these options appear
    only after the license is installed. For more information on Security Group Access licenses, see Licensing Overview,
    page 36.
    Viewing and Performing Bulk Operations for Network Devices
    You can view the network devices and AAA clients. These are the devices that send access requests to ACS. The access
    requests are sent via TACACS+ or RADIUS.
    To view and import network devices:
    1. Choose Network Resources > Network Devices and AAA Clients.
    The Network Device page appears, with any configured network devices listed. Table 31 on page 5 describes the fields
    in the Network Device page:
    Table 31 Network Device Page Field Descriptions
    Option Description
    Name
        User-specified name of the network device in ACS. Click a name to edit the associated network device (see
        Displaying Network Device Properties, page 13).
    IP Address
        Display only. The IP address or subnet mask of each network device. The first three IP addresses of type IPv4
        or IPv6 appear in the field, separated by commas (,).
        If this field contains a subnet mask, all IP addresses within the specified subnet mask are permitted to access
        the network and are associated with the network device definition.
        When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses that are
        available through the subnet mask. For example:
        IPv4: A subnet mask of 255.255.255.0 means you have 256 unique IPv4 addresses. By default, the subnet mask
        value for IPv4 is 32.
        IPv6: A subnet mask of 2001:0DB8:0:CD30::/127 means you have 2 unique IPv6 addresses. By default, the subnet
        mask value for IPv6 is 128.
        The IP addresses excluded from the specified IP address or range, if any, are also shown.
    NDG: string
        Network device group. The two predefined NDGs are Location and Device Type. If you have defined additional
        network device groups, they are listed here as well.
    Description
        Display only. Descriptions of the network devices.
    2. Do any one of the following:
    - Click Create to create a new network device. See Creating, Duplicating, and Editing Network Devices, page 9.
    - Check the check box next to the network device that you want to edit and click Edit. See Creating, Duplicating, and
      Editing Network Devices, page 9.
    - Check the check box next to the network device that you want to duplicate and click Duplicate. See Creating,
      Duplicating, and Editing Network Devices, page 9.
    You can search for network devices based on the following categories:
    - Name
    - IP Address
    - Description
    - NDG Location
    - Device Type
    In the IP address search field you can specify a full IP address, an IP address containing the wildcard "*", or an IP
    address containing a range such as [15-20]. The wildcard "*" and a range such as [15-20] can be used in any of the four
    octets of the IP address. Equals is the only search condition listed when you search by IP address.
    When you search for an IP address or an IP range, the result lists all records that match the search criteria, even if
    the searched IP address or range falls within a device's excluded IP address or range.
    Click File Operations to perform any of the following functions:
    - Add: adds the list of network devices in the import file in a single operation.
    - Update: replaces the list of network devices in ACS with the network devices in the import file.
    - Delete: deletes from ACS the network devices listed in the import file.
    See Performing Bulk Operations for Network Resources and Users, page 7 for more information.
    For information on how to create the import files, refer to the Software Developer's Guide for Cisco Secure Access
    Control System.
    Note: To perform a bulk add, edit, or delete operation on any of the ACS objects, you can use the export file of that
    object, retain the header row, and create the .csv import file.
    However, to add an updated name or MAC address to the ACS objects, you must download and use the particular update
    template. Also, for the NDGs, the export template contains only the NDG name, so in order to update any other property,
    you must download and use the NDG update template.
    Related Topics:
    Network Devices and AAA Clients, page 5
    Performing Bulk Operations for Network Resources and Users, page 7
    Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy, page 3
    Exporting Network Devices and AAA Clients
    Note: You must turn off the popup blockers in your browser to ensure that the export process completes successfully. 
    To export a list of network devices:
    1. Choose Network Resources > Network Devices and AAA Clients.
    The Network Device page appears.
    2. Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the
    text box.
    3. Click Go.
    A list of records that match your filter criterion appears. You can export this list to a .csv file.
    4. Click Export to export the records to a .csv file.
    A system message box appears, prompting you for an encryption password to encrypt the .csv file during file transfer.
    To encrypt the exported .csv file, check the Password check box and enter the encryption password. You can also choose
    not to encrypt the file during transfer.
    5. Click Start Export to begin the export process.
    The Export Progress window appears, displaying the progress of the export process. Any errors encountered during the
    export are displayed in the Export Progress window.
    You can terminate the export process at any time. All records exported before you abort are kept in the export file.
    To resume, you have to start the export process over again.
    6. After the export process is complete, click Save File to save the export file to your local disk.
    The export file is a .csv file that is compressed as export.zip.
    Performing Bulk Operations for Network Resources and Users
    You can use the file operation function to perform bulk operations (add, update, and delete) on the following objects
    in your database:
    - Internal users
    - Internal hosts
    - Network devices
    For bulk operations, you must download the .csv file template from ACS, add the records that you want to add, update,
    or delete to the .csv file, and save it to your local disk. Use the Download Template function to ensure that your .csv
    file adheres to the requirements.
    The .csv templates for users, internal hosts, and network devices are specific to their type; for example, you cannot
    use a template downloaded from the Users page to add internal hosts or network devices. Within the .csv file, you must
    adhere to these requirements:
    - Do not alter the contents of the first record (the first line, or row, of the .csv file).
    - Use only one line for each record.
    - Do not embed new-line characters in any field.
    - For non-English languages, encode the .csv file in UTF-8 encoding, or save it with a font that supports Unicode.
    Before you begin the bulk operation, ensure that your browser's popup blocker is disabled.
    1. Click File Operations on the Users, Network Devices, or MAC Address page of the web interface.
    The Operation dialog box appears.
    2. Click Next to download the .csv file template if you do not have it.
    3. Click any one of the following operations if you have previously created a template-based .csv file on your local
    disk:
    - Add: adds the records in the .csv file to the records currently available in ACS.
    - Update: overwrites the records in ACS with the records from the .csv file.
    - Delete: removes the records in the .csv file from the list in ACS.
    4. Click Next to move to the next page.
    5. Click Browse to navigate to your .csv file.
    6. Choose the option that you want ACS to follow if an error occurs during the import process:
    - Continue processing the remaining records; successful records will be imported.
    - Stop processing the remaining records; only the records that were successfully imported before the error will be
      imported.
    7. Check the Password check box and enter the password to decrypt the .csv file if it is encrypted in GPG format.
    8. Click Finish to start the bulk operation.
    The Import Progress window appears. Use this window to monitor the progress of the bulk operation. Data transfer
    failures of any records within your .csv file are displayed.
    You can click the Abort button to stop an import that is under way; however, the data that was already successfully
    transferred is not removed from your database.
    When the operation completes, the Save Log button is enabled.
    9. Click Save Log to save the log file to your local disk.
    10. Click OK to close the Import Progress window.
    You can submit only one .csv file to the system at a time. If an operation is under way, an additional operation cannot
    succeed until the original operation is complete.
    Note: Internal users whose password type is NAC Profiler can also be imported when NAC Profiler is not installed in ACS.
    For information on how to create the import files, refer to the Software Developer's Guide for Cisco Secure Access
    Control System.
    Note: To perform a bulk add, edit, or delete operation on any of the ACS objects, you can use the export file of that
    object, retain the header row, and create the .csv import file. However, to add an updated name or MAC address to the
    ACS objects, you must download and use the particular update template. Also, for the NDGs, the export template contains
    only the NDG name, so in order to update any other property, you must download and use the NDG update template.
    Exporting Network Resources and Users
    To export a list of network resources or users:
    1. Click Export on the Users, Network Devices, or MAC Address page of the web interface.
    The Network Device page appears.
    2. Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking for in the
    text box.
    3. Click Go.
    A list of records that match your filter criterion appears. You can export these to a .csv file.
    4. Click Export to export the records to a .csv file.
    A system message box appears, prompting you for an encryption password to encrypt the .csv file during file transfer.
    To encrypt the exported .csv file, check the Password check box and enter the encryption password. You can also choose
    not to encrypt the file during transfer.
    5. Click Start Export to begin the export process.
    The Export Progress window appears, displaying the progress of the export process. Any errors encountered during the
    export are displayed in the Export Progress window.
    You can terminate the export process at any time. If you terminate the export process, all records exported up to the
    termination are kept in the export file. If you want to resume, you have to start the export process over again.
    6. After the export process is complete, click Save File to save the export file to your local disk.
    The export file is a .csv file that is compressed as export.zip.
    Creating, Duplicating, and Editing Network Devices
    You can use the bulk import feature to import a large number of network devices in a single operation; see Performing
    Bulk Operations for Network Resources and Users, page 7 for more information. Alternatively, you can use the procedure
    described in this topic to create network devices.
    To create, duplicate, or edit a network device:
    1. Choose Network Resources > Network Devices and AAA Clients.
    The Network Devices page appears, with a list of your configured network devices, if any.
    2. Do one of the following:
    - Click Create.
    - Check the check box next to the network device name that you want to duplicate, then click Duplicate.
    - Click the network device name that you want to modify, or check the check box next to the name and click Edit.
    The first page of the Create Network Device process appears if you are creating a new network device. The Network
    Device Properties page for the selected device appears if you are duplicating or editing a network device.
    3. Modify the fields as required. For field descriptions, see Configuring Network Device and AAA Clients, page 10.
    4. Click Submit.
    Your new network device configuration is saved. The Network Devices page appears, with your new network device 
    configuration listed.
    Related Topics
    Viewing and Performing Bulk Operations for Network Devices, page 5
    Configuring Network Device and AAA Clients, page 10
    Configuring Network Device and AAA Clients
    To display this page, choose Network Resources > Network Devices and AAA Clients, then click Create.
    Table 32 Creating Network Devices and AAA Clients
    Option Description
    General
    Name
        Name of the network device. If you are duplicating a network device, you must enter a unique name as a minimum
        configuration; all other fields are optional.
    Description
        Description of the network device.
    Network Device Groups (1)
    Location
        Click Select to display the Network Device Groups selection box. Click the radio button next to the Location
        network device group you want to associate with the network device.
        See Creating, Duplicating, and Editing Network Device Groups, page 2 for information about creating network
        device groups.
    Device Type
        Click Select to display the Network Device Groups selection box. Click the radio button next to the Device Type
        network device group you want to associate with the network device.
        See Creating, Duplicating, and Editing Network Device Groups, page 2 for information about creating network
        device groups.
    IP Address
        The IP addresses and subnet masks that are associated with the network device. Select whether to enter a single
        IP address or to define a range.
    Single IP Address
        Choose to enter a single IP address. The IP address can be either IPv4 or IPv6. ACS 5.7 validates the IP address
        if it is entered in a supported format, and displays an error message if the entered format is not correct.
        In ACS 5.7, you can configure a network device with a single static IP address that is part of an IP subnet or
        range configured on another network device. For more information, see Using Single Static IP Addresses That Are
        Part of IP Subnets and IP Ranges, page 16.
        Note: IPv6 addresses are supported only with the TACACS+ protocol.
    IP Subnets
        Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network
        device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted
        to access the network and are associated with the network device definition.
        When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses available
        through the subnet mask. For example, a subnet mask of 255.255.255.0 means you have 256 unique IP addresses. By
        default, the subnet mask value for IPv4 is 32, and the IPv6 value is 128.
        The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses.
        A mask is needed only for wildcards, that is, if you want an IP address range. You cannot use an asterisk (*) as
        a wildcard in this field.
    IP Range(s)
        Choose to enter one or more ranges of IP addresses. You can configure up to 40 IP addresses or subnet masks for
        each network device. You can also exclude a subset of an IP address range from the configured range in a scenario
        where that subset has already been added.
        You can use a hyphen (-) to specify a range of IP addresses. A maximum of 40 IP addresses are allowed in a single
        IP range.
        You can also add IP addresses with wildcards, using an asterisk (*) as the wildcard.
        Some examples of entering IP address ranges are:
        - A single range: 10.77.10.1-10, or 192.120.10-12.10
        - Multiple ranges: 10.*.1-20.10, 192.1-23.*.100-150
        - Exclusions from a range: 10.10.1-255.* exclude 10.10.10-200.100-150
        Using dynamic device IP address ranges (for example, 1-5.*.7.9) can have performance implications for both the
        run-time and the management. Therefore, we recommend using an IP address and subnet mask whenever possible, and
        dynamic IP address ranges only when the range cannot be described with an IP address and subnet mask.
        Note: AAA clients with wildcards are migrated from 4.x to 5.x.
    Authentication Options
    TACACS+
        Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device.
        You must use this option if the network device is a Cisco device-management application, such as Management
        Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or
        firewall.
        Check TACACS+ if you use IPv4 or IPv6 addresses.
    TACACS+ Shared Secret
        Shared secret of the network device, if you enabled the TACACS+ protocol.
        A shared secret is an expected string of text, which a user must provide before the network device authenticates
        a username and password. The connection is rejected until the user supplies the shared secret.
    Single Connect Device
        Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
        - Legacy TACACS+ Single Connect Support
        - TACACS+ Draft Compliant Single Connect Support
        If you disable this option, a new TCP connection is used for every TACACS+ request.
    RADIUS
        Check to use the RADIUS protocol to authenticate communication to and from the network device.
        Uncheck this option if you use an IPv6 address.
    RADIUS Shared Secret
        Shared secret of the network device, if you have enabled the RADIUS protocol.
        A shared secret is an expected string of text, which a user must provide before the network device authenticates
        a username and password. The connection is rejected until the user supplies the shared secret.
    CoA Port
        Used to set up the RADIUS CoA (Change of Authorization) port for the session directory, for user authentication.
        The session directory can be launched from the Monitoring and Troubleshooting Viewer page. By default, the CoA
        port value is 1700.
    Enable KeyWrap
        Check to enable the shared secret keys for RADIUS KeyWrap in PEAP, EAP-FAST, and EAP-TLS authentications. Each
        key must be unique, and must also be distinct from the RADIUS shared secret. These shared keys are configurable
        for each AAA client. The default key input format for KeyWrap is hexadecimal string.
    Key Encryption Key (KEK)
        Used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key of exactly 16 characters; in
        hexadecimal mode, enter a key of 32 characters.
    Message Authentication Code Key (MACK)
        Used to calculate the keyed-hash message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter
        a key of 20 characters; in hexadecimal mode, enter a key of 40 characters.
    Key Input Format
        Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.
    Security Group Access
        Appears only when you enable the Cisco Security Group Access feature. Check to use Security Group Access
        functionality on the network device. If the network device is the seed device (the first device in the Security
        Group Access network), you must also check the RADIUS check box.
    Use Device ID for Security Group Access Identification
        Check this check box to use the device ID for Security Group Access identification. When you check this check box,
        the following field, Device ID, is disabled.
    Device ID
        Name that will be used for Security Group Access identification of this device. By default, you can use the
        configured device name. If you want to use another name, clear the Use device name for Security Group Access
        identification check box and enter the name in the Identification field.
    Password
        Security Group Access authentication password.
    Security Group Access Advanced Settings
        Check to display additional Security Group Access fields.
    Other Security Group Access devices to trust this device (SGA trusted)
        Specifies whether all of the device's peer devices trust this device. The default is checked, which means that
        the peer devices trust this device and do not change the SGTs on packets arriving from it.
        If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT.
    Download peer authorization policy every: Weeks Days Hours Minutes Seconds
        Specifies the expiry time for the peer authorization policy. ACS returns this information to the device in the
        response to a peer policy request. The default is 1 day.
    Download SGACL lists every: Weeks Days Hours Minutes Seconds
        Specifies the expiry time for SGACL lists. ACS returns this information to the device in the response to a
        request for SGACL lists. The default is 1 day.
    Download environment data every: Weeks Days Hours Minutes Seconds
        Specifies the expiry time for environment data. ACS returns this information to the device in the response to a
        request for environment data. The default is 1 day.
    Re-authentication every: Weeks Days Hours Minutes Seconds
        Specifies the dot1x (802.1X) reauthentication period. ACS configures this for the supplicant and returns this
        information to the authenticator. The default is 1 day.
    (1) The Device Type and Location network device groups are predefined at installation. You can define an additional
    10 network device groups. See Creating, Duplicating, and Editing Network Device Groups, page 2 for information on how
    to define network device groups. If you have defined additional network device groups, they appear in alphabetical
    order in the Network Device Groups page and in the Network Resources drawer in the left navigation pane.
    Displaying Network Device Properties
    Choose Network Resources > Network Devices and AAA Clients, then click a device name, or check the check box next to a
    device name and click Edit or Duplicate.
    The Network Devices and AAA Clients Properties page appears, displaying the information described in Table 33 on
    page 13:
    Table 33 Network Devices and AAA Clients Properties Page
    Option Description
    Name
        Name of the network device. If you are duplicating a network device, you must enter a unique name as a minimum
        configuration; all other fields are optional.
    Description
        Description of the network device.
    Network Device Groups (1)
    Location: Select
        Click Select to display the Network Device Groups selection box. Click the radio button next to the network
        device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device
        Groups, page 2 for information about creating network device groups.
    Device Type: Select
        Click Select to display the Network Device Groups selection box. Click the radio button next to the device type
        network device group that you want to associate with the network device. See Creating, Duplicating, and Editing
        Network Device Groups, page 2 for information about creating network device groups.
    IP Address
        The IP addresses and subnet masks associated with the network device. Select whether to enter a single IP address
        or to define a range.
    Single IP Address
        Choose to enter a single IP address.
        In ACS 5.7, you can configure a network device with a single static IP address that is part of an IP subnet or
        range configured on another network device. For more information, see Using Single Static IP Addresses That Are
        Part of IP Subnets and IP Ranges, page 16.
    IP Subnets
        Choose to enter an IP address range. You can configure up to 40 IP addresses or subnet masks for each network
        device. If you use a subnet mask in this field, all IP addresses within the specified subnet mask are permitted
        to access the network and are associated with the network device definition.
        When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses available
        through the subnet mask. For example, a subnet mask of 255.255.255.0 means you have 256 unique IP addresses.
        The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses.
        A mask is needed only for wildcards, that is, if you want an IP address range. You cannot use an asterisk (*) as
        a wildcard in this field.
    IP Range(s)
        Choose to enter one or more ranges of IP addresses. You can configure up to 40 IP addresses or subnet masks for
        each network device. You can also exclude a subset of an IP address range from the configured range in a scenario
        where that subset has already been added.
        You can use a hyphen (-) to specify a range of IP addresses. You can also add IP addresses with wildcards, using
        an asterisk (*) as the wildcard.
        Some examples of entering IP address ranges are:
        - A single range: 10.77.10.1-10, or 192.120.10-12.10
        - Multiple ranges: 10.*.1-20.10, 192.1-23.*.100-150
        - Exclusions from a range: 10.10.1-255.* exclude 10.10.10-200.100-150
        Using dynamic device IP address ranges (for example, 1-5.*.7.9) can have performance implications for both the
        run-time and the management. Therefore, we recommend using an IP address and subnet mask whenever possible, and
        dynamic IP address ranges only when the range cannot be described with an IP address and subnet mask.
    Authentication Options
    TACACS+
        Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device.
        You must use this option if the network device is a Cisco device-management application, such as Management
        Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or
        firewall.
    TACACS+ Shared Secret
        Shared secret of the network device, if you enabled the TACACS+ protocol.
        A shared secret is an expected string of text, which a user must provide before the network device authenticates
        a username and password. The connection is rejected until the user supplies the shared secret.
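As an added example (not Cisco's code), the following Python models the address forms a device definition can carry and the lookup the guide describes: the Single IP Address, IP Subnets and IP Range(s) rows of Tables 32 and 33 with their hyphen, wildcard and exclude syntax, the subnet address counts quoted in Table 31, and the note that the IP address search lists a device even when the address lies in its excluded range. Device names and addresses are constructed, and the rule that an exact single-IP definition takes precedence over a subnet or range that contains the same address is an assumption drawn from the page's reference to single static IPs that are part of other devices' subnets, not something the page states.

```python
"""Model of how an ACS-style network device repository resolves the AAA client
for a request source address. Added example, not Cisco code; data is constructed."""
import ipaddress
from typing import List, Optional, Tuple

Octet = Tuple[int, int]      # inclusive low/high bound for one octet
OctetRange = List[Octet]     # four bounds, one per dotted-decimal octet


def parse_octet(token: str) -> Octet:
    """'10' -> (10, 10); '1-20' -> (1, 20); '*' -> (0, 255)."""
    if token == "*":
        return 0, 255
    lo, _, hi = token.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet {token!r}")
    return lo_i, hi_i


def parse_range(expr: str) -> OctetRange:
    """One dotted range in the guide's syntax, e.g. '192.1-23.*.100-150'."""
    octets = expr.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {expr!r}")
    return [parse_octet(o) for o in octets]


def parse_range_field(field: str) -> Tuple[List[OctetRange], List[OctetRange]]:
    """Whole IP Range(s) field: comma-separated ranges plus optional ' exclude ' clause."""
    inc, _, exc = field.partition(" exclude ")
    return ([parse_range(r) for r in inc.split(",") if r.strip()],
            [parse_range(r) for r in exc.split(",") if r.strip()])


def in_range(rng: OctetRange, addr: ipaddress.IPv4Address) -> bool:
    """Per-octet comparison: wildcard ranges cannot use a plain prefix lookup."""
    return all(lo <= b <= hi for (lo, hi), b in zip(rng, addr.packed))


class NetworkDevice:
    """One entry of the Network Devices repository (constructed example)."""

    def __init__(self, name: str, single_ips=(), subnets=(), ranges: str = ""):
        self.name = name
        self.single_ips = {ipaddress.ip_address(a) for a in single_ips}
        # Accepts CIDR or dotted-mask form, e.g. '10.20.0.0/255.255.255.0'.
        self.subnets = [ipaddress.ip_network(s, strict=False) for s in subnets]
        self.included, self.excluded = parse_range_field(ranges)

    def covers(self, ip: str, honour_exclusions: bool = True) -> bool:
        """True if this definition matches ip. honour_exclusions=False mirrors the
        IP address search, which still lists a device for an excluded address."""
        addr = ipaddress.ip_address(ip)
        if addr in self.single_ips or any(addr in n for n in self.subnets):
            return True
        if addr.version != 4:        # wildcard ranges are IPv4 only here
            return False
        if honour_exclusions and any(in_range(x, addr) for x in self.excluded):
            return False
        return any(in_range(r, addr) for r in self.included)


def find_device(devices: List[NetworkDevice], ip: str) -> Optional[NetworkDevice]:
    """Resolve the AAA client for a request source address. Assumption (not on this
    page): an exact single-IP definition wins over a containing subnet or range."""
    addr = ipaddress.ip_address(ip)
    for dev in devices:
        if addr in dev.single_ips:
            return dev
    for dev in devices:
        if dev.covers(ip):
            return dev
    return None


def unique_addresses(subnet: str) -> int:
    """Address count as the guide quotes it: 255.255.255.0 -> 256, /127 -> 2."""
    return ipaddress.ip_network(subnet, strict=False).num_addresses


# Constructed repository reusing the guide's own range examples.
DEVICES = [
    NetworkDevice("core-switch", single_ips=["10.10.50.100"]),
    NetworkDevice("branch-lan", subnets=["10.20.0.0/255.255.255.0"]),
    NetworkDevice("wildcard-site", ranges="10.10.1-255.* exclude 10.10.10-200.100-150"),
    NetworkDevice("multi-range", ranges="10.*.1-20.10, 192.1-23.*.100-150"),
]

if __name__ == "__main__":
    for ip in ["10.10.50.100", "10.10.50.101", "10.10.50.200", "192.5.9.120", "172.16.0.1"]:
        hit = find_device(DEVICES, ip)
        print(f"{ip:>14} -> {hit.name if hit else 'no matching AAA client'}")
```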