Cisco ACS 5.7 User Guide
4 Managing Users and Identity Stores
Managing External Identity Stores

ACS introduces a new tab, Deployment Configuration, for configuring different LDAP server hostnames for every ACS instance. After you save the configuration on the Deployment Configuration page, the LDAP server hostnames are auto-populated on the Server Connection page. This configuration can be performed only from the primary ACS instance in a deployment; from a secondary ACS instance you can only view the details of the LDAP configuration.

If you enable LDAP Deployment Configuration in your deployment, then when a request arrives at one of the ACS instances, that instance looks up the primary LDAP server configured for it, communicates with that LDAP server, and fetches the required details.

Before You Begin

Check the Enable Deployment Configuration check box on the Server Connection page. When you check this check box, the primary and secondary LDAP server hostname fields on that page become read-only, because the hostnames are then taken from the Deployment Configuration page.

Use this page to configure different primary and secondary LDAP hostnames for different ACS instances in your deployment:

1. Choose Users and Identity Stores > External Identity Stores > LDAP and then click any of the following:
   Create, and follow the wizard until you reach the Deployment Configuration page.
   Duplicate, and then click Next until the Deployment Configuration page appears.
   Edit, and then click Next until the Deployment Configuration page appears.

Note: Check the Enable Deployment Configuration check box to enable the Deployment Configuration tab operations. The Deployment Configuration tab is visible even when the check box is unchecked, but while it is unchecked you cannot configure different primary and secondary LDAP server hostnames for the ACS instances in your deployment.
The Deployment Configuration page appears, displaying the current list of ACS instances that are active in your deployment.

2. Check the check box next to the ACS instance name and click Edit. The LDAP hostname setting dialog box appears, with the following two fields:
   Primary Hostname: Enter the hostname of the primary LDAP server with which the selected ACS instance communicates.
   Secondary Hostname: Enter the hostname of the secondary LDAP server with which the selected ACS instance communicates when the primary LDAP server is down.
3. Click OK. The LDAP hostname configuration is saved.
4. Click Finish. The external identity store that you have created is saved.

Related Topics
Creating External LDAP Identity Stores, page 33
Deleting External LDAP Identity Stores, page 41

Deleting External LDAP Identity Stores

You can delete one or more external LDAP identity stores simultaneously.
To delete an external LDAP identity store:

1. Choose Users and Identity Stores > External Identity Stores > LDAP. The LDAP Identity Stores page appears, with a list of your configured external identity stores.
2. Check one or more check boxes next to the external identity stores you want to delete.
3. Click Delete. The following confirmation message appears: Are you sure you want to delete the selected item/items?
4. Click OK. The External Identity Stores page appears, without the deleted identity stores in the list.

Related Topic
Creating External LDAP Identity Stores, page 33

Configuring LDAP Groups

Use this page to configure an external LDAP group.

1. Choose Users and Identity Stores > External Identity Stores > LDAP, then click any of the following:
   Create, and follow the wizard.
   Duplicate, then click the Directory Groups tab.
   Edit, then click the Directory Groups tab.
   The Selected Directory Groups field displays the list of groups that are available as options in rule-table group-mapping conditions; a group that is not in this list cannot be referenced by a policy rule.
2. Do one of the following:
   Click Select to open the Groups secondary window, from which you can select groups and add them to the Selected Directory Groups list.
   Alternatively, enter the LDAP group name in the Group Name field and click Add.
   To remove a group from the Selected Directory Groups list, select it in the list and click Deselect.
3. Click Submit to save your changes.

Viewing LDAP Attributes

Use this page to view the external LDAP attributes.

1. Choose Users and Identity Stores > External Identity Stores > LDAP.
2. Check the check box next to the LDAP identity store whose attributes you want to view, click Edit, and then click the Directory Attributes tab.
3. In the Name of example Subject to Select Attributes field, enter the name of an example object from which to retrieve attributes, then click Select.
For example, the object can be a user, and the name of the object can be either the username or the user's DN.
4. Complete the fields as described in Table 45 on page 43.
5. Click Add. The information you entered is added to the fields on the screen. The attributes listed here are available for policy conditions.
6. Click Submit to save your changes.

Table 45 LDAP: Attributes Page

Option                  Description
Attribute Name          Type an attribute name that you want included in the list of available attributes for policy conditions.
Type                    Select the type you want associated with the attribute name you entered in the Attribute Name field.
Default                 Specify the default value you want associated with the attribute name you entered in the Attribute Name field. If you do not specify a default value, no default is used. When attributes are imported to the Attribute Name/Type/Default box via the Select button, these default values are used:
                        String: the name of the attribute
                        Integer 64
                        IP Address: either an IP version 4 (IPv4) or an IP version 6 (IPv6) address
                        Unsigned Integer 32
                        Boolean
Policy Condition Name   (Optional) Specify the name of the custom condition for this attribute. This condition will be available for selection when customizing conditions in a policy.

Leveraging Cisco NAC Profiler as an External MAB Database

ACS communicates with Cisco NAC Profiler to enable non-802.1X-capable devices to authenticate in 802.1X-enabled networks. Endpoints that cannot authenticate through 802.1X use the MAC Authentication Bypass (MAB) feature of the switch to connect to an 802.1X-enabled network. Typically, non-user-attached devices such as printers, fax machines, IP phones, and uninterruptible power supplies (UPSs) are not equipped with an 802.1X supplicant. This means that the switch port to which these devices attach cannot authenticate them using the 802.1X exchange of device or user credentials, and must fall back to a mechanism other than port-based authentication (typically one based on the endpoint MAC address) for them to connect to the network. Because the MAC address is the only credential in that exchange and can be set freely on most devices, treat MAB-admitted endpoints as lower assurance than 802.1X-authenticated ones and constrain what they can reach through authorization (for example, the VLAN assigned to them).

Cisco NAC Profiler provides a solution for identifying and locating the endpoints that are unable to interact with the authentication component of these systems, so that these endpoints can be given an alternative mechanism for admission to the network. NAC Profiler contains an LDAP-enabled directory that can be used for MAB. Thus, NAC Profiler acts as an external LDAP database that ACS queries to authenticate non-802.1X-capable devices.

Note: You can use the ACS internal host database to define the MAC addresses of non-802.1X-capable devices. However, if you already have a NAC Profiler in your network, you can use it as an external MAB database.

To leverage Cisco NAC Profiler as an external MAB database, you must:
Enable the LDAP interface on Cisco NAC Profiler. See Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS, page 45.
Configure NAC Profiler in ACS. See Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy, page 46.

Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS

Note: Before you can enable the LDAP interface on the NAC Profiler, ensure that you have set up your NAC Profiler with the NAC Profiler Collector. For more information on configuring Cisco NAC Profiler, refer to the Cisco NAC Profiler Installation and Configuration Guide, available at http://www.cisco.com/c/en/us/support/security/nac-profiler/products-installation-and-configuration-guides-list.html.

To enable the LDAP interface on the NAC Profiler to communicate with ACS:
1. Log into your Cisco NAC Profiler.
2. Choose Configuration > NAC Profiler Modules > List NAC Profiler Modules.
3. Click Server. The Configure Server page appears.
4. In the LDAP Configuration area, check the Enable LDAP check box, as shown in Figure 17 on page 45.
Figure 17 LDAP Interface Configuration in NAC Profiler
5. Click Update Server.
6. Click the Configuration tab and click Apply Changes. The Update NAC Profiler Modules page appears.
7. Click Update Modules to enable LDAP to be used by ACS.
You must enable the endpoint profiles that you want to authenticate against the Cisco NAC Profiler. For information on how to do this, see Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication, page 46.

For proper Active Response Events you need to configure the Active Response Delay time from your Cisco NAC Profiler UI. To do so, choose Configuration > NAC Profiler Modules > Configure Server > Advanced Options > Active Response Delay.

Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication

For the non-802.1X endpoints that you want to authenticate successfully, you must enable the corresponding endpoint profiles in NAC Profiler for LDAP authentication.

Note: If a profile is not enabled for LDAP, the endpoints in that profile will not be authenticated by the Cisco NAC Profiler. Conversely, every endpoint that Profiler places in an LDAP-enabled profile becomes authenticatable through MAB, so enable only the profiles whose members you intend to admit.

To enable the endpoint profiles for LDAP authentication:
1. Log into your NAC Profiler.
2. Choose Configuration > Endpoint Profiles > View/Edit Profiles List. A table listing the profiles appears.
3. Click the name of a profile to edit it.
4. On the Save Profile page, ensure that the LDAP option is enabled by clicking the Yes radio button, if it is not already enabled, as shown in Figure 18 on page 46.
Figure 18 Configuring Endpoint Profiles in NAC Profiler
5. Click Save Profile.

Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy

After you install ACS, there is a predefined LDAP database definition for NAC Profiler. This predefined definition contains all the data required to establish an initial connection, except the host information, which depends on your specific deployment configuration.
The steps below describe how to configure the host information, verify the connection, and use the profile database in policies.

Note: Make sure that ACS NAC Profiler is chosen under Access Policies > Access Services > Default Network Access > Identity.

Note: The NAC Profiler template in ACS, available under the LDAP external identity store, works with Cisco NAC Profiler version 2.1.8 and later.

To edit the NAC Profiler template in ACS:
1. Choose Users and Identity Stores > External Identity Stores > LDAP.
2. Click the name of the NAC Profiler template, or check the check box next to it and click Edit. The Edit NAC Profiler definition page appears, as shown in Figure 19 on page 47.
Figure 19 Edit NAC Profiler Definition — General Page
3. Click the Server Connection tab. The Edit page appears, as shown in Figure 20 on page 47.
Figure 20 Edit NAC Profiler Definition — Server Connection Page
4. In the Primary Server Hostname field, enter the IP address or fully qualified domain name of the Profiler Server, or the Service IP of the Profiler pair if Profiler is configured for High Availability.
5. Click Test Bind to Server to test the connection and verify that ACS can communicate with Profiler through LDAP. A small popup dialog, similar to the one shown in Figure 21 on page 48, appears.
Figure 21 Test Bind to Server Dialog Box
For more information, see Creating External LDAP Identity Stores, page 33.

Note: The default password for LDAP is GBSbeacon. Because this default is published, assume that anyone who can reach the Profiler's LDAP interface knows it, and change it before the Profiler is connected to a production ACS; to change the password, refer to the Cisco NAC Profiler Installation and Configuration Guide.

6. If the test succeeds, go to the Directory Organization tab. The Edit page appears, as shown in Figure 22 on page 48.
Figure 22 Edit NAC Profiler Definition — Directory Organization Page
7. Click Test Configuration. A dialog box, as shown in Figure 23 on page 49, appears and lists data corresponding to the Profiler. For example:
Primary Server
Number of Subjects: 100
Number of Directory Groups: 6
Figure 23 Test Configuration Dialog Box

Number of Subjects: This value maps to the subject devices already profiled by the Cisco NAC Profiler (the devices enabled for Profiler). After the Profiler receives the initial SNMP trap information from the switch, it can poll the switch using SNMP to gather MIB (Management Information Base) information about the switch and the connecting endpoint. After the Profiler has learned about the endpoint (for example, its MAC address and switch port), it adds the endpoint to its database. Each endpoint added to the Profiler's database counts as one subject.

Number of Directory Groups: This value maps to the profiles enabled for LDAP on Profiler. When Profiler is already running on your network, default profiles for endpoints are preconfigured. However, not all profiles are enabled for LDAP; they must be enabled as described in Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication, page 46. Note that if you are setting up Profiler for the first time, you will initially see zero groups once the Profiler is up and running.

The subjects and directory groups are listed only if there are fewer than 100 of them. If the number of subjects or directory groups exceeds 100, they are not listed; instead, you get a message similar to the following: More than 100 subjects are found.

8. Click the Directory Attributes tab if you want to use the directory attributes of subject records as policy conditions in policy rules. See Viewing LDAP Attributes, page 42, for more information.
9. Choose NAC Profiler as the result (Identity Source) of the identity policy. For more information, see Viewing Identity Policies, page 23.

As soon as an endpoint is successfully authenticated by the ACS server, ACS sends a CoA (Change of Authorization) to change its VLAN. For this, you can configure static VLAN mapping in the ACS server.
For more information, see Specifying Common Attributes in Authorization Profiles, page 19.

When the endpoint is successfully authenticated, the following output is displayed on the switch:

ACCESS-Switch# show authentication sessions
Interface  MAC Address     Method   Domain   Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab      DATA     Authz Success  505050010000004A0B41FD15

For more information on features like Event Delivery Method and Active Response, see the Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.

Note: You can use Microsoft Active Directory as an LDAP server and authenticate against ACS.
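The switch output above is what you read to confirm that an endpoint's MAB session reached Authz Success. On a switch with many ports that is tedious to do by eye, so the following added example (written for this page; it is not code from the Cisco guide, from ACS, or from IOS) parses that column layout, converts the Cisco dotted MAC address to the colon-separated form used when searching other tools, and lists the MAB sessions that did not reach Authz Success, which are the ones to look up in the ACS Monitoring and Reports Viewer. The sample output is constructed: the first row is the one shown on this page, and the second and third rows are invented to exercise the failed-MAB and non-MAB cases.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the column layout of IOS "show authentication sessions"
# (not captured from a real switch): one MAB session that reached Authz Success,
# one MAB session that failed authorization, and one 802.1X session.
SAMPLE_OUTPUT = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab      DATA     Authz Success  505050010000004A0B41FD15
Fa1/0/2    001b.2134.7c90  mab      DATA     Authz Failed   505050010000004B0B41FE22
Fa1/0/3    0021.5c5d.1a2f  dot1x    DATA     Authz Success  505050010000004C0B41FF31
"""


@dataclass
class AuthSession:
    interface: str
    mac: str          # Cisco dotted form, e.g. 0014.d11b.aa36
    method: str       # mab, dot1x, ...
    domain: str
    status: str       # e.g. "Authz Success", "Authz Failed", "Running"
    session_id: str


# One data row. The dotted MAC anchors the line (so the header row and the
# command prompt never match), the status may contain a space, and the
# session ID is the trailing run of hex digits.
ROW_RE = re.compile(
    r"^(?P<interface>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+"
    r"(?P<session_id>[0-9A-Fa-f]+)\s*$",
    re.IGNORECASE,
)


def parse_sessions(text: str) -> List[AuthSession]:
    """Parse the data rows of "show authentication sessions"; header, prompt and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sessions.append(AuthSession(**m.groupdict()))
    return sessions


def cisco_mac_to_colon(mac: str) -> str:
    """0014.d11b.aa36 -> 00:14:d1:1b:aa:36 (colon form for searching other tools)."""
    hexdigits = mac.replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a Cisco dotted MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def failed_mab_sessions(sessions: List[AuthSession]) -> List[AuthSession]:
    """MAB sessions that did not reach Authz Success: the ones to check in the ACS reports."""
    return [s for s in sessions if s.method.lower() == "mab" and s.status != "Authz Success"]


if __name__ == "__main__":
    for s in failed_mab_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{s.interface}: MAB for {cisco_mac_to_colon(s.mac)} is '{s.status}' (session {s.session_id})")
```

Paste the real command output in place of SAMPLE_OUTPUT; because the regex anchors on the dotted MAC address, the prompt line and the column header are ignored without special handling.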
Troubleshooting MAB Authentication with Profiler Integration

To troubleshoot MAB authentication while integrating with NAC Profiler, and to verify that the endpoint is successfully authenticated, complete the following steps:

1. Run the following command on the switch that is connected to the endpoint devices:
ACCESS-Switch# show authentication sessions
The following output is displayed:
Interface  MAC Address     Method   Domain   Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab      DATA     Authz Success  505050010000004A0B41FD15
2. Enable debugging for SNMP, AAA, and 802.1X on the switch.
3. Verify the MAB authentication logs in Monitoring and Reports Viewer > Troubleshooting for failed and successful authentications.

Microsoft AD

ACS uses Microsoft Active Directory (AD) as an external identity store for resources such as users, machines, groups, and attributes. ACS authenticates these resources against AD.

Supported Authentication Protocols

EAP-FAST and PEAP: ACS 5.7 supports user and machine authentication, and password change, against AD using EAP-FAST and PEAP with an inner method of MSCHAPv2 or EAP-GTC.
PAP: ACS 5.7 supports authentication against AD using PAP and also allows you to change the AD user's password. Note that PAP carries the password itself in the RADIUS request, protected only by the RADIUS shared secret, so prefer an EAP method wherever the client supports one.
MSCHAPv1: ACS 5.7 supports user and machine authentication against AD using MSCHAPv1. Password change is not supported over MSCHAPv1; use MSCHAPv2 to change an AD user's password. ACS does not support the MS-CHAP MPPE-Keys attribute of a user, but does support MPPE-Send-Key and MPPE-Recv-Key.
Note: ACS 5.7 does not support changing a user's password against AD using MSCHAP version 1.
MSCHAPv2: ACS 5.7 supports user and machine authentication against AD using MSCHAPv2. ACS does not support the MS-CHAP MPPE-Keys attribute of a user, but does support MPPE-Send-Key and MPPE-Recv-Key.
EAP-GTC: ACS 5.7 supports user and machine authentication against AD using EAP-GTC.
EAP-TLS: ACS uses the certificate retrieval option introduced in 5.7 to support user and machine authentication against AD using EAP-TLS.

ACS 5.x supports changing the password of users who are authenticated against Active Directory with the TACACS+ PAP/ASCII, EAP-MSCHAP, and EAP-GTC methods. Changing the password with EAP-FAST and PEAP with inner MSCHAPv2 is also supported.

A password change made through any of these methods must comply with the AD password policies, which AD enforces at the domain controller; ACS cannot relax them, and a non-compliant change is simply rejected by AD. Check with your AD administrator for the complete set of AD password policy rules. The most important AD password policies are:
Enforce password history: N passwords are remembered.
Maximum password age: N days.
Minimum password age: N days.
Minimum password length: N characters.
Password must meet complexity requirements.
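When AD rejects a change, the client behind ACS usually sees only a generic failure, so it helps to know exactly which of the five policies above a proposed password would trip. The following added example (written for this page; it is not ACS code and is not how AD itself implements the checks) models each listed policy as a function you can run against a proposed password before submitting the change. The policy values, the user jdoe / John Doe, the dates and the password history are all constructed for the example; the complexity rule follows the published Windows definition (no account-name or 3+ character display-name token inside the password, at least six characters, and at least three of the five character categories). AD keeps hashes of previous passwords rather than plaintext, so the history here holds SHA-256 digests as a stand-in.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class AdPasswordPolicy:
    """The five AD settings listed above; the default values are assumptions for this example."""
    history_length: int = 24   # Enforce password history: N passwords remembered
    max_age_days: int = 42     # Maximum password age is N days
    min_age_days: int = 1      # Minimum password age is N days
    min_length: int = 7        # Minimum password length is N characters
    complexity: bool = True    # Password must meet complexity requirements


def _pw_digest(password: str) -> str:
    # AD stores hashes of previous passwords, never plaintext; SHA-256 is a
    # stand-in here so the example history is not a reusable cleartext list.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, sam_account_name: str, display_name: str) -> bool:
    """Windows 'complexity requirements': no sAMAccountName or display-name token of
    3+ characters inside the password, at least 6 characters, and characters from
    at least 3 of 5 categories (upper, lower, digit, non-alphanumeric, other letters)."""
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        return False
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    if len(password) < 6:
        return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(categories) >= 3


def password_expired(last_set: date, today: date, policy: AdPasswordPolicy) -> bool:
    """Maximum password age: when true, AD will demand a change at the next authentication."""
    return (today - last_set).days > policy.max_age_days


def check_password_change(new_password: str, sam_account_name: str, display_name: str,
                          history_digests: List[str], last_set: date, today: date,
                          policy: AdPasswordPolicy) -> List[str]:
    """Names of the policies the proposed password violates; [] means AD should accept it.
    history_digests is ordered newest first, so only the first N entries count."""
    failures = []
    if len(new_password) < policy.min_length:
        failures.append("min_length")
    if _pw_digest(new_password) in history_digests[:policy.history_length]:
        failures.append("history")
    if (today - last_set).days < policy.min_age_days:
        failures.append("min_age")
    if policy.complexity and not meets_complexity(new_password, sam_account_name, display_name):
        failures.append("complexity")
    return failures


def run_demo() -> dict:
    """Exercise each policy once against the constructed user jdoe / John Doe."""
    policy = AdPasswordPolicy()
    today = date(2024, 6, 1)
    last_set = date(2024, 5, 1)
    history = [_pw_digest("Winter2023!")]          # constructed previous password
    user = ("jdoe", "John Doe")
    return {
        "good": check_password_change("Summer2024!", *user, history, last_set, today, policy),
        "reused": check_password_change("Winter2023!", *user, history, last_set, today, policy),
        "too_soon": check_password_change("Summer2024!", *user, history, today, today, policy),
        "contains_name": check_password_change("jdoe1234", *user, history, last_set, today, policy),
        "too_short": check_password_change("Ab1!", *user, history, last_set, today, policy),
        "expired": password_expired(date(2024, 4, 1), today, policy),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Treat the result as a pre-check only: the domain's actual policy (including any fine-grained password policy applied to the user) is what AD enforces, so read the values for AdPasswordPolicy from the domain rather than relying on the defaults above.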