    Managing Network Resources
    Network Devices and AAA Clients
    Table 33 Network Devices and AAA Clients Properties Page (continued)
    Option: Description
    Single Connect Device: Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
        Legacy TACACS+ Single Connect Support
        TACACS+ Draft Compliant Single Connect Support
    If you disable this option, a new TCP connection is used for every TACACS+ request.
    RADIUS: Check to use the RADIUS protocol to authenticate communication to and from the network device.
    RADIUS Shared Secret: Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
    CoA Port: Used to set up the RADIUS CoA port for session directory, for user authentication. This session directory can be launched from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is 1700.
    Enable KeyWrap: Check to enable the shared secret keys for RADIUS Key Wrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique and distinct from the RADIUS shared key. You can configure these shared keys for each AAA Client.
    Key Encryption Key (KEK): Used to encrypt the Pairwise Master Key (PMK). In ASCII mode, enter a key of 16 characters. In hexadecimal mode, enter a key of 32 characters.
    Message Authentication Code Key (MACK): Used to calculate the keyed hashed message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key of 20 characters. In hexadecimal mode, enter a key of 40 characters.
    Key Input Format: Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.
    Security Group Access: Appears only when you enable the Cisco Security Group Access feature. Check to use Security Group Access functionality on the network device. If the network device is the seed device (the first device in the Security Group Access network), you must also check the RADIUS check box.
    Identification: Name that will be used for Security Group Access identification of this device. By default, you can use the configured device name. If you want to use another name, clear the Use device name for Security Group Access identification check box, and enter the name in the Identification field.
    Password: Security Group Access authentication password.
    Security Group Access Advanced Settings: Check to display additional Security Group Access fields.
    Other Security Group Access devices to trust this device: Specifies whether all the device’s peer devices trust this device. The default is checked, which means that the peer devices trust this device and do not change the SGTs on packets arriving from this device. If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT.
    Download peer authorization policy every (Weeks/Days/Hours/Minutes/Seconds): Specifies the expiry time for the peer authorization policy. ACS returns this information to the device in the response to a peer policy request. The default is 1 day.
    Download SGACL lists every (Weeks/Days/Hours/Minutes/Seconds): Specifies the expiry time for SGACL lists. ACS returns this information to the device in the response to a request for SGACL lists. The default is 1 day.
    Download environment data every (Weeks/Days/Hours/Minutes/Seconds): Specifies the expiry time for environment data. ACS returns this information to the device in the response to a request for environment data. The default is 1 day.
    Re-authentication every (Weeks/Days/Hours/Minutes/Seconds): Specifies the dot1x (.1x) reauthentication period. ACS configures this for the supplicant and returns this information to the authenticator. The default is 1 day.
    Table 33 footnote 1: The Device Type and Location network device groups are predefined at installation. You can define an additional 10 network device groups. See Creating, Duplicating, and Editing Network Device Groups, page 2, for information on how to define network device groups. If you have defined additional network device groups, they appear in the Network Device Groups page and in the Network Resources drawer in the left navigation pane, in alphabetical order.
    Related Topics:
    Viewing and Performing Bulk Operations for Network Devices, page 5
    Creating, Duplicating, and Editing Network Device Groups, page 2
    Deleting Network Devices
    To delete a network device:
    1. Choose Network Resources > Network Devices and AAA Clients.
    The Network Devices page appears, with a list of your configured network devices.
    2. Check one or more check boxes next to the network devices you want to delete.
    3. Click Delete.
    The following message appears:
    Are you sure you want to delete the selected item/items?
    4. Click OK.
    The Network Devices page appears, without the deleted network devices listed. The network device is removed from the device repository.
    Using Single Static IP Addresses That Are Part of IP Subnets and IP Ranges
    ACS 5.7 allows you to configure a network device with a single static IP address that can be part of an IP subnet or range configured on another network device.
    For example, when you have network devices with the IP range 1.0-10.0-10.1 in ACS, the administrator can configure another network device with the IP address 1.1.1.1.
    ACS allows you to use single static IPv4 or IPv6 addresses that are also a part of IP subnets and single static IPv4 addresses that are a part of IP ranges.
    When ACS receives an access request, it searches the single static IP addresses first. If a match is not found, ACS 
    searches the IP subnets and IP ranges for the network device. An IP address with a subnet mask of 32 resolves to the 
    IP address itself. Therefore, ACS does not allow you to configure a single static IP address on a network device if the 
    same IP address with a subnet mask of 32 is configured on another network device.
    ACS displays all the occurrences of an IP address (Single IP address, IP subnet, and IP ranges) when you filter network 
    devices on the Network Device and AAA Clients page.
    Configuring a Default Network Device
    While processing requests, ACS searches the network device repository for a network device whose IP address matches 
    the IP address presented in the request. If the search does not yield a match, ACS uses the default network device 
    definition for RADIUS or TACACS+ requests.
    The default network device defines the shared secret to be used and also provides NDG definitions for RADIUS or 
    TACACS+ requests that use the default network device definition.
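The lookup order described in this section and the one before it, as an added Python example (not Cisco's code and not the ACS implementation): single static addresses are searched first, then IP subnets and IP ranges, then the default network device, and a single static IP that another definition already holds as a /32 subnet is refused. Device names, addresses and shared secrets are constructed placeholders; treating an IPv6 /128 subnet the same way as an IPv4 /32 is an assumption the page does not state.

```python
"""Network device lookup for an incoming RADIUS/TACACS+ request, modelled on the
ACS 5.7 description above. Added example, not Cisco's code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkDevice:
    name: str
    shared_secret: str                                  # placeholder values only
    static_ips: list = field(default_factory=list)      # single IPv4/IPv6 addresses
    subnets: list = field(default_factory=list)         # CIDR strings, e.g. "10.1.1.0/24"
    ranges: list = field(default_factory=list)          # (first, last) IPv4 address pairs


def _matches_static(dev, addr):
    return any(addr == ipaddress.ip_address(s) for s in dev.static_ips)


def _matches_subnet(dev, addr):
    return any(addr in ipaddress.ip_network(c, strict=False) for c in dev.subnets)


def _matches_range(dev, addr):
    # The page only allows IPv4 addresses to be part of IP ranges.
    return addr.version == 4 and any(
        ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in dev.ranges)


def _host_addresses(dev):
    """Addresses written as a host-mask subnet (/32), which the page says resolve to the
    address itself. Treating an IPv6 /128 the same way is an assumption, not page text."""
    nets = (ipaddress.ip_network(c, strict=False) for c in dev.subnets)
    return {n.network_address for n in nets if n.prefixlen == n.max_prefixlen}


class DeviceRepository:
    def __init__(self, default_device=None):
        self.devices = []
        self.default_device = default_device  # used only when no definition matches

    def add(self, dev):
        """Refuse a single static IP that another device already defines as a /32
        subnet, or the reverse. A static IP inside a wider subnet or a range is allowed."""
        statics = {ipaddress.ip_address(s) for s in dev.static_ips}
        hosts = _host_addresses(dev)
        for other in self.devices:
            other_statics = {ipaddress.ip_address(s) for s in other.static_ips}
            clash = (statics & _host_addresses(other)) | (hosts & other_statics) | (statics & other_statics)
            if clash:
                raise ValueError(
                    f"{dev.name}: {sorted(str(a) for a in clash)} already defined on {other.name}")
        self.devices.append(dev)

    def resolve(self, client_ip):
        """Single static addresses are searched first; only if none matches are the
        subnets and ranges searched; the default network device is the last resort."""
        addr = ipaddress.ip_address(client_ip)
        for dev in self.devices:
            if _matches_static(dev, addr):
                return dev
        for dev in self.devices:
            if _matches_subnet(dev, addr) or _matches_range(dev, addr):
                return dev
        return self.default_device

    def occurrences(self, client_ip):
        """Every definition that covers the address in any form, the way the page filter
        shows all occurrences of an address (single IP, IP subnet, IP range)."""
        addr = ipaddress.ip_address(client_ip)
        found = []
        for dev in self.devices:
            for label, test in (("single IP", _matches_static), ("IP subnet", _matches_subnet),
                                ("IP range", _matches_range)):
                if test(dev, addr):
                    found.append((dev.name, label))
        return found


def build_sample_repository():
    """Constructed sample data; names, addresses and secrets are placeholders."""
    repo = DeviceRepository(default_device=NetworkDevice("default-network-device", "default-secret"))
    repo.add(NetworkDevice("branch-routers", "secret-a",
                           subnets=["10.1.1.0/24"], ranges=[("192.0.2.10", "192.0.2.20")]))
    # A single static IP inside branch-routers' subnet is allowed and wins the lookup.
    repo.add(NetworkDevice("core-switch", "secret-b", static_ips=["10.1.1.5", "2001:db8::5"]))
    return repo


def conflict_message(repo):
    """Adding a /32 subnet for an address another device lists as a single static IP is refused."""
    try:
        repo.add(NetworkDevice("duplicate-host", "secret-c", subnets=["10.1.1.5/32"]))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    repo = build_sample_repository()
    for ip in ("10.1.1.5", "10.1.1.9", "192.0.2.15", "2001:db8::5", "198.51.100.7"):
        print(ip, "->", repo.resolve(ip).name)
    print(conflict_message(repo))
```

resolve() returns the definition whose shared secret and network device group assignments would apply to the request, and occurrences() lists every definition that covers an address in any form, which is the view the Network Devices page filter gives.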
    Choose Network Resources > Default Network Device to configure the default network device. The Default Network 
    Device page appears, displaying the information described in Table 34 on page 17.
    Table 34 Default Network Device Page
    Option: Description
    Default Network Device
    The default device definition can optionally be used in cases where no specific device definition is found that matches a device IP address.
    Default Network Device Status: Choose Enabled from the drop-down list box to move the default network device to the active state.
    Network Device Groups
    Location: Click Select to display the Network Device Groups selection box. Click the radio button next to the Location network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 2 for information about creating network device groups.
    Device Type: Click Select to display the Network Device Groups selection box. Click the radio button next to the Device Type network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups, page 2 for information about creating network device groups.
    Authentication Options
    TACACS+: Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device. You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.
    Shared Secret: Shared secret of the network device, if you enabled the TACACS+ protocol. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
    Single Connect Device: Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:
        Legacy TACACS+ Single Connect Support
        TACACS+ Draft Compliant Single Connect Support
    If you disable this option, ACS uses a new TCP connection for every TACACS+ request.
    RADIUS: Check to use the RADIUS protocol to authenticate communication to and from the network device.
    Shared Secret: Shared secret of the network device, if you have enabled the RADIUS protocol. A shared secret is an expected string of text, which a user must provide before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret.
    CoA Port: Used to set up the RADIUS CoA port for session directory, for user authentication. This session directory can be launched from the Monitoring and Troubleshooting Viewer page. By default, the CoA port value is 1700.
    Enable KeyWrap: Check to enable the shared secret keys for RADIUS Key Wrap in PEAP, EAP-FAST and EAP-TLS authentications. Each key must be unique and distinct from the RADIUS shared key. You can configure these shared keys for each AAA Client.
    Key Encryption Key (KEK): Used to encrypt the Pairwise Master Key (PMK). In ASCII mode, enter a key of 16 characters. In hexadecimal mode, enter a key of 32 characters.
    Message Authentication Code Key (MACK): Used to calculate the keyed hashed message authentication code (HMAC) over the RADIUS message. In ASCII mode, enter a key of 20 characters. In hexadecimal mode, enter a key of 40 characters.
    Key Input Format: Enter the keys as ASCII or hexadecimal strings. The default is hexadecimal.
    Related Topics
    Network Device Groups, page 1
    Network Devices and AAA Clients, page 5
    Creating, Duplicating, and Editing Network Device Groups, page 2
    Working with External Proxy Servers
    ACS 5.7 can function both as a RADIUS and TACACS+ server and as a RADIUS and TACACS+ proxy server. When it acts as a proxy server, ACS receives authentication and accounting requests from the NAS and forwards them to the external RADIUS or TACACS+ server.
    ACS accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS or TACACS+ servers in ACS to enable ACS to forward requests to them. You can define the timeout period and the number of connection attempts.
    ACS can simultaneously act as a proxy server to multiple external RADIUS or TACACS+ servers.
    The RADIUS proxy server can handle the looping scenario, whereas the TACACS+ proxy server cannot.
    Note: You can use the external RADIUS or TACACS+ servers that you configure here in access services of the RADIUS or TACACS+ proxy service type.
    This section contains the following topics:
    Creating, Duplicating, and Editing External Proxy Servers, page 19
    Deleting External Proxy Servers, page 20
    Creating, Duplicating, and Editing External Proxy Servers
    To create, duplicate, or edit an external proxy server:
    1. Choose Network Resources > External Proxy Servers.
    The External Proxy Servers page appears with a list of configured servers.
    2. Do one of the following:
    Click Create.
    Check the check box next to the external proxy server that you want to duplicate, then click Duplicate.
    Click the external proxy server name that you want to edit, or check the check box next to the name and click Edit.
    The External Proxy Servers page appears.
    3. Edit fields in the External Proxy Servers page as shown in Table 35 on page 19.
    Table 35 External Policy Servers Page
    Option: Description
    General
    Name: Name of the external RADIUS or TACACS+ server.
    Description: (Optional) The description of the external RADIUS or TACACS+ server.
    Server Connection
    Server IP Address: IP address of the external RADIUS or TACACS+ server. It can be either an IPv4 or IPv6 address. ACS 5.7 validates the IP address if the address is entered in the supported format. It displays an error message if the entered format is not correct.
    Shared Secret: Shared secret between ACS and the external RADIUS or TACACS+ server that is used for authenticating the external RADIUS or TACACS+ server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. A Show/Hide button is available to view the shared secret in plain text or hidden format.
    Advanced Options
    RADIUS: Choose to create a RADIUS proxy server. RADIUS supports only IPv4 addresses.
    TACACS+: Choose to create a TACACS+ proxy server. TACACS+ supports IPv4 and IPv6 addresses.
    Cisco Secure ACS: Default choice. Supports both RADIUS and TACACS+. You can choose Cisco Secure ACS if you use an IPv4 or IPv6 address.
    Authentication Port: RADIUS authentication port number. The default is 1812.
    Accounting Port: RADIUS accounting port number. The default is 1813.
    Server Timeout: Number of seconds ACS waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 1 to 300.
    Connection Attempts: Number of times ACS attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 99.
    Connection Port: TACACS+ connection port. The default is 49.
    Network Timeout: Number of seconds ACS waits for a response from the external TACACS+ server. The default is 20 seconds.
    4. Click Submit to save the changes.
    The external proxy server configuration is saved. The External Proxy Server page appears with the new configuration.
    Note: If you want ACS to forward unknown RADIUS attributes, you have to define VSAs for proxy.
    Related Topics
    RADIUS and TACACS+ Proxy Services, page 7
    RADIUS and TACACS+ Proxy Requests, page 26
    Configuring General Access Service Properties, page 13
    Deleting External Proxy Servers, page 20
    Deleting External Proxy Servers
    To delete an external proxy server:
    1. Choose Network Resources > External Proxy Servers.
    The External Proxy Servers page appears with a list of configured servers.
    2. Check one or more check boxes next to the external RADIUS or TACACS+ servers you want to delete, and click Delete.
    The following message appears:
    Are you sure you want to delete the selected item/items?
    3. Click OK.
    The External Proxy Servers page appears without the deleted server(s).
    Working with OCSP Services
    ACS 5.7 introduces a new protocol, Online Certificate Status Protocol (OCSP), which is used to check the status of X.509 digital certificates. This protocol can be used as an alternative to the certificate revocation list (CRL). It can also address the issues that result when handling CRLs.
    ACS 5.7 communicates with OCSP services over HTTP to validate the status of the certificates in authentications. OCSP is configured in a reusable configuration object, and OCSP can be referenced from any certificate authority (CA) certificate that is configured in ACS. Multiple CA objects can reference the same OCSP service.
    You can configure up to two OCSP servers in ACS, which are called the primary and secondary OCSP servers. ACS communicates with the secondary OCSP server when a timeout occurs while it is communicating with the primary OCSP server.
    OCSP can return the following three values for a given certificate request:
    Good—The certificate is good for usage.
    Revoked—The certificate is revoked. 
    Unknown —The certificate status is unknown. 
    The status of the certificate is unknown if the OCSP is not configured to handle the given certificate CA. In this case, 
    the certificate is handled as an unknown certificate; that is, the validation process checks the Reject the request if 
    no status flag. If the flag is set in such a way that the request should not be rejected, then OCSP continues to CRL 
    to check whether the certificate is configured in ACS. 
    ACS caches all OCSP responses. This is to maximize the performance and reduce the load in the OCSP servers. At the 
    time of OCSP verification, ACS looks for the relevant information in the cache first. If the relevant information is not found, 
    then ACS establishes a connection to the OCSP server. ACS defines a lifetime for all OCSP records in each OCSP service. 
    In addition, each OCSP response has a Time to Live that defines the interval after which a new request should be made. 
    Each cache entry is retained for either the Time to Live or the cache lifetime, whichever is shorter. Click Clear Cache to 
    clear all the cached records that are associated with this OCSP service. Clear Cache also clears the records in the 
    secondary ACS servers in a distributed system. 
    ACS does not support replicating the cached responses database. The caches are not persistent; therefore, the cached 
    responses are cleared after you restart the ACS application. 
    ACS verifies the user certificates and the CA certificates and creates a set of logs for both certificates in the RADIUS Authentication reports page. Therefore, OCSP logs appear twice in the RADIUS Authentication reports page for passed authentications, whereas for failed authentications they appear only once.
    The following logs are displayed twice when ACS communicates with the OCSP server for the first time:
    12568 Lookup user certificate status in OCSP cache.
    12569 User certificate status was not found in OCSP cache.
    12550 Sent an OCSP request to the primary OCSP server for the CA.
    12553 Received OCSP response.
    12554 OCSP status of user certificate is good.
    The following logs are displayed twice when ACS searches the cached OCSP responses for subsequent verifications, based on either the cache Time to Live or the cache Lifetime options:
    12568 Lookup user certificate status in OCSP cache.
    12570 Lookup user certificate status in OCSP cache succeeded.
    12554 OCSP status of user certificate is good.
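The verification flow described above, as an added Python example (not Cisco's code): the three status values, the Reject the request if no status flag with fallback to the CRL, the response cache that keeps each entry for the shorter of the response Time to Live and the service cache lifetime, failover to the secondary server when the primary times out, and the log codes listed above. The responders are stubs standing in for OCSP over HTTP, the CA names and serial numbers are constructed, the secondary-path log text is constructed because the page gives no code for it, and treating a request that neither responder answers as an unknown status is an assumption.

```python
"""OCSP verification flow as the page describes it: Good/Revoked/Unknown handling, the
"Reject the request if no status" flag with CRL fallback, the per-service response cache,
primary-to-secondary failover on timeout, and the listed log codes. Added example, not Cisco's code."""
from collections import namedtuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"            # the three OCSP status values
OcspResponse = namedtuple("OcspResponse", "status ttl_minutes")  # ttl: Time to Live of the response
VerifyResult = namedtuple("VerifyResult", "decision status source logs")  # decision: accept/reject


class OcspTimeout(Exception):
    """A responder stub raises this when no answer arrives within the network timeout."""


class OcspService:
    """Responders are callables (ca, serial) -> OcspResponse that raise OcspTimeout on timeout;
    real ones would speak OCSP over HTTP. clock() returns minutes and is injected for determinism."""
    def __init__(self, primary, secondary=None, cache_lifetime_minutes=300,
                 reject_if_no_status=True, handled_cas=(), clock=lambda: 0.0):
        self.primary, self.secondary, self.clock = primary, secondary, clock
        self.cache_lifetime = cache_lifetime_minutes   # lifetime of all records in this service
        self.reject_if_no_status = reject_if_no_status
        self.handled_cas = set(handled_cas)            # CA objects that reference this service
        self._cache = {}                               # (ca, serial) -> (response, expires_at)

    def _fetch(self, ca, serial, logs):
        logs.append("12550 Sent an OCSP request to the primary OCSP server for the CA.")
        try:
            return self.primary(ca, serial), "primary"
        except OcspTimeout:
            if self.secondary is None:
                raise
            # Constructed message: the page gives no log code for the secondary path.
            logs.append("Primary OCSP server timed out; request sent to the secondary OCSP server.")
            return self.secondary(ca, serial), "secondary"

    def verify(self, ca, serial, crl_is_revoked):
        """crl_is_revoked(ca, serial) stands in for the CRL configured in ACS.
        source is "cache", "primary", "secondary", "crl" or "none"."""
        logs, source = [], "none"
        response = OcspResponse(UNKNOWN, 0)   # status is unknown when this service does not handle the CA
        if ca in self.handled_cas:
            logs.append("12568 Lookup user certificate status in OCSP cache.")
            now, key = self.clock(), (ca, serial)
            cached = self._cache.get(key)
            if cached and cached[1] > now:
                logs.append("12570 Lookup user certificate status in OCSP cache succeeded.")
                response, source = cached[0], "cache"
            else:
                logs.append("12569 User certificate status was not found in OCSP cache.")
                try:
                    response, source = self._fetch(ca, serial, logs)
                except OcspTimeout:
                    pass   # assumption: no answer from any responder is treated as unknown status
                else:
                    logs.append("12553 Received OCSP response.")
                    # The entry is kept for the shorter of the response TTL and the cache lifetime.
                    self._cache[key] = (response, now + min(response.ttl_minutes, self.cache_lifetime))
        if response.status == GOOD:
            logs.append("12554 OCSP status of user certificate is good.")
            return VerifyResult("accept", GOOD, source, logs)
        if response.status == REVOKED:
            return VerifyResult("reject", REVOKED, source, logs)
        if self.reject_if_no_status:          # "Reject the request if no status" is set
            return VerifyResult("reject", UNKNOWN, source, logs)
        if crl_is_revoked(ca, serial):        # flag cleared: OCSP continues to the CRL
            return VerifyResult("reject", REVOKED, "crl", logs)
        return VerifyResult("accept", UNKNOWN, "crl", logs)


def run_scenario():
    """Constructed scenario: one issuing CA, good and revoked serials, a primary that times out on
    its third request, and a CA this service is not configured for."""
    ca, clock, calls = "Example Issuing CA", [0.0], {"primary": 0, "secondary": 0}

    def primary(issuer, serial):
        calls["primary"] += 1
        if calls["primary"] == 3:
            raise OcspTimeout()
        return OcspResponse(REVOKED if serial == "0x2b" else GOOD, ttl_minutes=10)

    def secondary(issuer, serial):
        calls["secondary"] += 1
        return OcspResponse(GOOD, ttl_minutes=10)

    svc = OcspService(primary, secondary, cache_lifetime_minutes=5, reject_if_no_status=False,
                      handled_cas=[ca], clock=lambda: clock[0])
    crl_is_revoked = lambda issuer, serial: serial == "0x3c"     # stand-in for the CRL in ACS
    out = {"first": svc.verify(ca, "0x1a", crl_is_revoked)}      # primary answers: good
    clock[0] = 1.0
    out["cached"] = svc.verify(ca, "0x1a", crl_is_revoked)       # served from the cache
    out["revoked"] = svc.verify(ca, "0x2b", crl_is_revoked)      # primary answers: revoked
    clock[0] = 6.0                                                # lifetime 5 < TTL 10: entry expired
    out["expired"] = svc.verify(ca, "0x1a", crl_is_revoked)      # primary times out -> secondary
    out["other_ca"] = svc.verify("Other CA", "0x3c", crl_is_revoked)   # unknown -> CRL says revoked
    strict = OcspService(primary, reject_if_no_status=True)
    out["strict"] = strict.verify("Other CA", "0x1a", crl_is_revoked)  # unknown and flag set -> reject
    out["calls"] = dict(calls)
    return out
```

With the service cache lifetime at 5 minutes and the responses carrying a 10 minute Time to Live, the second lookup for the same serial is answered from the cache with the 12568/12570/12554 sequence, while the lookup at minute 6 misses the cache again and, because the primary responder times out, is answered by the secondary server.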
    This section contains the following topics:
    Creating, Duplicating, and Editing OCSP Servers, page 22
    Deleting OCSP Servers, page 23 
    						
    Creating, Duplicating, and Editing OCSP Servers
    To create, duplicate, or edit an OCSP server:
    1. Choose Network Resources > OCSP Services.
    The OCSP Services page appears with a list of configured OCSP servers.
    2. Do one of the following:
    Click Create.
    Check the check box next to the OCSP server that you want to duplicate, then click Duplicate.
    Click the OCSP server name that you want to edit, or check the check box next to the name and click Edit.
    The OCSP Servers page appears.
    3. Edit fields in the OCSP Servers page as shown in Table 36 on page 22.
    Table 36 OCSP Servers Page
    Option: Description
    Name: Name of the OCSP server.
    Description: (Optional) The description of the OCSP server.
    Server Connection
    Enable Secondary Server: Check this check box to enable the secondary server configuration, such as the Always Access Primary Server First and Failback options.
    Always Access Primary Server First: Enable this option to check the primary server first before moving on to the secondary server, even if there was no previous response from the primary server.
    Failback To Primary Server: Enable this option to use the secondary server for the given amount of time when the primary is completely down. The time range is 1 to 1440 minutes.
    Primary Server
    URL: Enter the URL or the IP address of the primary server.
    Enable Nonce Extension Support: Check this check box to use a nonce in the OCSP request. This option includes a random number in the OCSP request. When you select this option, ACS compares the number that is received in the response with the number that is included in the request. This method ensures that old communications are not reused. You can configure a nonce in Windows 2008 and 2012 servers. If the nonce from the ACS server does not match on the Windows server, Windows returns an unauthorized response. As a result, ACS fails the request and considers this to be an unknown certificate.
    Validate Response Signature: Check this check box to instruct the OCSP responder to include one of the following signatures in the response:
        The CA certificate
        A different certificate from the CA certificate
    ACS validates the response certificate based on the OCSP response signature. If there is no OCSP response signature, then ACS fails the response, and the status of the certificate cannot be determined.
    Network Timeout: Enter the number of seconds that ACS should wait for a response from the primary OCSP server. The default is 5 seconds. Valid values are from 1 to 300 seconds.
    Secondary Server
    URL: Enter the URL or the IP address of the secondary server.
    Enable Nonce Extension Support: Check this check box to use a nonce in the OCSP request. This option includes a random number in the OCSP request. When you select this option, ACS compares the number that is received in the response with the number that is included in the request. This method ensures that old communications are not reused. You can configure a nonce in Windows 2008 and 2012 servers. If the nonce from the ACS server does not match on the Windows server, Windows returns an unauthorized response. As a result, ACS fails the request and considers this to be an unknown certificate.
    Validate Response Signature: Check this check box to instruct the OCSP responder to include one of the following signatures in the response:
        The CA certificate
        A different certificate from the CA certificate
    ACS validates the response certificate based on the OCSP response signature. If there is no OCSP response signature, then ACS fails the response, and the status of the certificate cannot be determined.
    Network Timeout: Enter the number of seconds that ACS should wait for a response from the primary OCSP server. The default is 5 seconds. Valid values are from 1 to 300.
    Response Cache
    Cache Entry Time To Live: Defines the interval after which a new OCSP request should be made. Enter the value in number of minutes. The default value is 300 minutes.
    Clear Cache: Clears the cache of the selected OCSP service for all the associated Certificate Authorities. The Clear Cache option can interact with all the nodes that are associated with this OCSP service within a deployment. This option also shows the updated status when you select it.
    4. Click Submit to save your changes.
    The OCSP Server configuration is saved. The OCSP Server page appears with the new configuration.
    Related Topics
    Deleting OCSP Servers, page 23
    Deleting OCSP Servers
    To delete an OCSP server, complete the following steps:
    1. Choose Network Resources > OCSP Services.
    The OCSP Services page appears with a list of configured OCSP servers.
    2. Check one or more check boxes next to the OCSP servers you want to delete, and click Delete.
    The following message appears:
    Are you sure you want to delete the selected item/items?
    3. Click OK.
    The OCSP Servers page appears without the deleted server(s).