Cisco ACS 5.7 User Guide
6 Managing Users and Identity Stores
Managing External Identity Stores

Dial-In Support Attributes

The user attributes on Active Directory are supported on the following servers:

- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2

ACS does not support dial-in users on Windows 2000.

ACS Response

If you enable the dial-in check on ACS Active Directory and the user's dial-in option is 'Deny Access' on Active Directory, the authentication request is rejected with a message in the log indicating that dial-in access is denied. If an MSCHAP v1/v2 authentication fails because dial-in is not enabled, ACS sets the proper error code (NT error = 649) in the EAP response.

If the callback options are enabled, the ACS RADIUS response contains the returned Service-Type and Callback-Number attributes as follows:

- If the callback option is Set by Caller or Always Callback To, the service-type attribute is queried on Active Directory during the user authentication. The service-type can be one of the following:
  —3 = Callback Login
  —4 = Callback Framed
  —9 = Callback NAS Prompt
  This attribute is returned to the device in the Service-Type RADIUS attribute. If ACS is already configured to return a service-type attribute in the RADIUS response, the service-type value queried for the user on Active Directory replaces it.
- If the callback option is Always Callback To, the callback number is also queried on the Active Directory user. This value is set in the RADIUS response on the Cisco-AV-Pair attribute with the following values:
  —cisco-av-pair=lcp:callback-dialstring=[callback number value]
  —cisco-av-pair=Shell:callback-dialstring=[callback number value]
  —cisco-av-pair=Slip:callback-dialstring=[callback number value]
  —cisco-av-pair=Arap:callback-dialstring=[callback number value]
  The callback number value is also returned in the RADIUS response, using the RADIUS attribute Callback-Number (#19).
- If the callback option is Set by Caller, the RADIUS response contains the following attributes with no value:
  —cisco-av-pair=lcp:callback-dialstring=
  —cisco-av-pair=Shell:callback-dialstring=
  —cisco-av-pair=Slip:callback-dialstring=
  —cisco-av-pair=Arap:callback-dialstring=
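The mapping described above, from the AD dial-in and callback settings to what ACS places in the RADIUS Access-Accept, as an added Python model. This is not code from the ACS product or the user guide. The class and function names, the CallbackOption values and the sample profiles are assumptions made for the example; the attribute names and values (Service-Type 3/4/9, Callback-Number #19, the four cisco-av-pair dialstrings) are the ones this section lists. It is useful when checking a captured Access-Accept against what the dial-in and callback checks are expected to produce.

```python
"""Model of how AD dial-in/callback settings map onto the ACS RADIUS reply.

Added example, not code from the ACS product or the user guide. It encodes the
rules stated in the section above. The enum names, the AdDialInProfile layout
and the sample profiles are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum


class DialIn(Enum):
    ALLOW = "allow"
    DENY = "deny"


class CallbackOption(Enum):
    NONE = "none"
    SET_BY_CALLER = "set_by_caller"
    ALWAYS_CALLBACK_TO = "always_callback_to"


# Service-Type values the section lists for callback users.
SERVICE_TYPE_CALLBACK = {3: "Callback Login", 4: "Callback Framed", 9: "Callback NAS Prompt"}
CALLBACK_NUMBER_ATTR = 19   # RADIUS Callback-Number (#19)
CISCO_AV_PAIR_PROTOCOLS = ("lcp", "Shell", "Slip", "Arap")


@dataclass
class AdDialInProfile:
    """Subset of an AD user's dial-in settings as seen by the ACS checks (constructed)."""
    dial_in: DialIn
    callback: CallbackOption = CallbackOption.NONE
    callback_number: str = ""
    service_type: int = 0   # value queried from AD; 3, 4 or 9 for callback users


def build_radius_response(profile, configured_service_type=None,
                          dial_in_check=True, callback_check=True):
    """Return (accept, attrs, log_message) following the rules in this section.

    attrs is a list of (attribute-name, value) pairs for the Access-Accept.
    configured_service_type is a Service-Type ACS is already configured to
    return; for callback users the AD-queried value replaces it.
    """
    if dial_in_check and profile.dial_in is DialIn.DENY:
        return False, [], "dial-in access is denied"

    attrs = []
    if configured_service_type is not None:
        attrs.append(("Service-Type", configured_service_type))
    if not callback_check or profile.callback is CallbackOption.NONE:
        return True, attrs, ""

    # Callback user: the Service-Type queried from AD replaces any configured one.
    if profile.service_type not in SERVICE_TYPE_CALLBACK:
        raise ValueError("unexpected callback Service-Type %r" % profile.service_type)
    attrs = [a for a in attrs if a[0] != "Service-Type"]
    attrs.append(("Service-Type", profile.service_type))

    if profile.callback is CallbackOption.ALWAYS_CALLBACK_TO:
        number = profile.callback_number
        attrs.append(("Callback-Number", number))   # RADIUS attribute #19
    else:
        number = ""   # Set by Caller: dialstrings are present but empty
    for proto in CISCO_AV_PAIR_PROTOCOLS:
        attrs.append(("cisco-av-pair", "%s:callback-dialstring=%s" % (proto, number)))
    return True, attrs, ""


if __name__ == "__main__":
    # Constructed profile: callback always to a fixed number, Service-Type 4.
    profile = AdDialInProfile(DialIn.ALLOW, CallbackOption.ALWAYS_CALLBACK_TO, "+15551230000", 4)
    for attr in build_radius_response(profile, configured_service_type=2)[1]:
        print("%s = %s" % attr)
```

Running the module with a profile set to Always Callback To and a pre-configured Service-Type shows the AD-queried value displacing the configured one, which is the replacement rule the section states; a Deny Access profile short-circuits to a reject carrying the log text, and disabling the dial-in check lets the same profile through.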
Joining ACS to an AD Domain

In ACS 5.7, you can join the ACS nodes from the same deployment to different AD domains. However, each node can be joined to a single AD domain only. The policy definitions of those ACS nodes do not change, and they use the same AD identity store. For information on how to configure an AD identity store, see Configuring an AD Identity Store, page 62.

Note: The Windows AD account that joins ACS to the AD domain can be placed in its own organizational unit (OU). It resides in its own OU either when the account is created or later on, with the restriction that the appliance name must match the name of the AD account.

Note: ACS does not support user authentication in AD when a user name is supplied with an alternative UPN suffix configured at the OU level. The authentication works fine if the UPN suffix is configured at the domain level.

Related Topics

Machine Authentication, page 31

Configuring an AD Identity Store

The AD settings are not displayed by default, and the ACS nodes are not joined to an AD domain when you first install ACS. When you open the AD configuration page, you can see the list of all ACS nodes in the distributed deployment. When you configure an AD identity store, ACS also creates the following:

- A new dictionary for that store with two attributes: the ExternalGroup attribute and another attribute for any attribute that is retrieved from the Directory Attributes page.
- A new attribute, IdentityAccessRestricted. You can manually create a custom condition for this attribute.
- A custom condition for group mapping from the ExternalGroup attribute (the custom condition name is AD1:ExternalGroups) and another custom condition for each attribute that is selected in the Directory Attributes page (for example, AD1:cn). You can edit the predefined condition name, and you can create a custom condition from the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 5.

Note: When you upgrade to ACS 5.7 using the Reimaging and Upgrading an ACS Server method and then restore a configuration in which the AD is defined, you need to join ACS to the AD domain manually. See the Installation and Upgrade Guide for Cisco Secure Access Control System for more information on upgrade methods.

Note: When you upgrade to ACS 5.7 using the Upgrading an ACS Server Using Application Upgrade Bundle method and ACS is already joined to AD, ACS remains connected to AD after the application upgrade.

To authenticate users and join ACS with an AD domain:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory.
   The Active Directory page appears. The AD configuration page acts as a central AD management tool for all ACS nodes. You can perform the join and test connection operations against a single ACS node or multiple ACS nodes on this page. You can also view the join results of all ACS nodes in the deployment at a single glance.
2. Modify the fields in the General tab as described in Table 50 on page 63.
3. Click:
   - Save Changes to save the configuration.
   - Discard Changes to discard all changes.
   If AD is already configured and you want to delete it, click Clear Configuration after you verify the following:
   —There are no policy rules that use custom conditions based on the AD dictionary.
   —The AD is not chosen as the identity source in any of the available access services.
   —There are no identity store sequences with the AD.
   The Active Directory configuration is saved. The Active Directory page appears with the new configuration.

Note: The Centrify configuration is affected (and sometimes gets disconnected) when there is a slow response from the server while you test the ACS connection with the AD domain. However, the configuration works fine with the other applications.

Note: Due to NetBIOS limitations, ACS hostnames must contain 15 characters or fewer.

Table 50  Active Directory: General Page

Connection Details
  Join/Test Connection: Click to join or test the ACS connection with the AD domain for the given user, domain, and password entered. See Joining Nodes to an AD Domain, page 63.
  Leave: Click to disconnect a single node or multiple nodes from the AD domain for the given user, domain, and password entered. See Disconnecting Nodes from the AD Domain, page 64.

End User Authentication Settings
  Enable password change: Click to allow the password to be changed.
  Enable machine authentication: Click to allow machine authentication.
  Enable dial-in check: Click to examine the user's dial-in permissions during authentication or query. The result of the check can cause the authentication to be rejected if the dial-in permission is denied. The result is not stored in the AD dictionary.
  Enable callback check for dial-in clients: Click to examine the user's callback option during authentication or query. The result of the check is returned to the device in the RADIUS response. The result is not stored in the AD dictionary.

Connectivity Status
  Joined to Domain: (Display only.) Displays the domain name with which ACS is joined.
  Connectivity Status: (Display only.) Displays the connection status of the domain name with which ACS is joined.

Joining Nodes to an AD Domain

To join a single node or multiple nodes to an AD domain, complete the following steps:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory.
   The Active Directory page appears.
2. Select a single node or multiple nodes and click Join/Test Connection.
   The Join/Test Connection page appears.
3. Complete the fields in the Join/Test Connection page as described in Table 51 on page 64.
4. Click:
   - Join to join the selected nodes to the AD domain. The status of the nodes changes according to the join results.
   - Test Connection to test the connection and ensure that the entered credentials are correct and the AD domain is reachable. A message appears informing you whether the AD server is routable within the network and whether the given AD username and password are authenticated. The Test Connection results are displayed in a separate dialog box as a table.
   - Cancel to cancel the connection.

Table 51  Join/Test Connection Page

Active Directory Domain Name: Name of the AD domain to which you want to join ACS.

Username: Enter the username of a predefined AD user. The AD account that is required for domain access in ACS should have either of the following:
  - The Add workstations to the domain user right in the corresponding domain.
  - The Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine account is precreated (created before joining the ACS machine to the domain).
  Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when necessary and may therefore deny all authentications.

Password: Enter the user password. The password should have a minimum of 8 characters, using a combination of at least one lower case letter, one upper case letter, one numeral, and one special character. All special characters are supported.

Disconnecting Nodes from the AD Domain

To disconnect a single node or multiple nodes from an AD domain, complete the following steps:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory.
   The Active Directory page appears.
2. Select a single node or multiple nodes and click Leave.
   The Leave Connection page appears.
3. Complete the fields in the Leave Connection page as described in Table 52 on page 65.
4. Click:
   - Leave to disconnect the selected nodes from the AD domain.
   - Cancel to cancel the operation.

Note: Administrators can perform operations like join, leave, or test connection from the secondary server. When you perform these operations from the secondary server, they affect only the secondary server.

Table 52  Leave Connection Page

Username: Enter the username of a predefined AD user. The AD account that is required for domain access in ACS should have either of the following:
  - The Add workstations to the domain user right in the corresponding domain.
  - The Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine account is precreated (created before joining the ACS machine to the domain).
  Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when necessary and may therefore deny all authentications.

Password: Enter the user password.

Do not try to remove machine account: Check this check box to disconnect the selected nodes from the AD domain when you do not know the credentials or have DNS issues. This operation disconnects the node from the AD domain and leaves an entry for this node in the database. Only administrators can remove this node entry from the database.

Related Topics

Selecting an AD Group, page 65
Configuring AD Attributes, page 66
Configuring Machine Access Restrictions, page 68

Selecting an AD Group

Use this page to select groups that can then be available for policy conditions.

Note: To select groups and attributes from an AD, ACS must be connected to that AD.

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
   The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and can be available as options in group mapping conditions in rule tables.
   If you have more groups in other trusted domains or forests that are not displayed, you can use the search filter to narrow down your search results. You can also add a new AD group using the Add button.

   Note: ACS 5.7 does not retrieve domain local groups. It is not recommended to use domain local groups in ACS policies, because membership evaluation in domain local groups can be time consuming. So, by default, the domain local groups are not evaluated.

2. Click Select to see the available AD groups on the domain (and other trusted domains in the same forest).
   The External User Groups dialog box appears, displaying a list of AD groups in the domain, as well as in other trusted domains in the same forest. If you have more groups that are not displayed, use the search filter to refine your search and click Go.
3. Enter the AD groups or select them from the list, then click OK.
   To remove an AD group from the list, click an AD group, then click Deselect.
4. Click:
   - Save Changes to save the configuration.
   - Discard Changes to discard all changes.
   If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

Note: When configuring the AD Identity Store on ACS 5.x, the security groups defined on Active Directory are enumerated and can be used, but distribution groups are not shown. Active Directory distribution groups are not security-enabled and can only be used with e-mail applications to send e-mail to collections of users. Refer to Microsoft documentation for more information on distribution groups.

Note: Logon authentication may fail on Active Directory when ACS tries to authenticate users who belong to more than 1015 groups in external identity stores. This is due to the Local Security Authority (LSA) limitations in Active Directory.
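A pre-check for the two group-related notes above (domain local groups are not evaluated by default, distribution groups are not shown, and users in more than 1015 groups may fail to log on), added here as an example; it is not part of the guide or of ACS. It walks a constructed in-memory snapshot of group objects, following nested membership, and reports which users would exceed the limit. A real run would take the snapshot from an LDAP export. The treatment of group scope and distribution groups follows the notes above; the data layout, the sample directory and the function names are assumptions made for the example.

```python
"""Pre-check for the group limits described in the Selecting an AD Group notes.

Added example, not ACS code. The directory snapshot below is constructed.
Assumptions (mine, not the guide's): the check counts global and universal
security groups transitively, skips domain local groups (the guide says ACS
does not retrieve them by default) and ignores distribution groups (the guide
says they are not shown). MAX_GROUPS is the 1015 figure quoted by the guide.
"""
from collections import deque

MAX_GROUPS = 1015  # per the guide's LSA note

# Constructed sample directory: group -> (scope, security_enabled, members).
# Members may be user names or other group names (nested membership).
SAMPLE_GROUPS = {
    "Engineering":    ("global",      True,  {"alice", "bob", "Eng-Leads"}),
    "Eng-Leads":      ("global",      True,  {"bob"}),
    "VPN-Users":      ("universal",   True,  {"Engineering"}),
    "Printer-Admins": ("domainlocal", True,  {"alice"}),
    "All-Staff-Mail": ("universal",   False, {"alice", "bob", "carol"}),
}


def effective_groups(user, groups, include_domain_local=False):
    """Transitive group membership that would be evaluated for `user`.

    Breadth-first walk over nested membership. Distribution groups are never
    counted; domain local groups only when include_domain_local is set.
    """
    def evaluated(name):
        scope, security_enabled, _ = groups[name]
        if not security_enabled:
            return False
        return include_domain_local or scope != "domainlocal"

    # Direct memberships first, then every group that contains one we found.
    direct = {g for g, (_, _, members) in groups.items()
              if user in members and evaluated(g)}
    result, queue = set(direct), deque(direct)
    while queue:
        current = queue.popleft()
        for g, (_, _, members) in groups.items():
            if current in members and evaluated(g) and g not in result:
                result.add(g)
                queue.append(g)
    return result


def users_over_limit(users, groups, limit=MAX_GROUPS):
    """Return {user: count} for users whose evaluated group count exceeds limit."""
    counts = {u: len(effective_groups(u, groups)) for u in users}
    return {u: n for u, n in counts.items() if n > limit}


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, sorted(effective_groups(u, SAMPLE_GROUPS)))
    print("over limit:", users_over_limit(["alice", "bob", "carol"], SAMPLE_GROUPS))
```

With the sample directory, alice resolves to Engineering and (through nesting) VPN-Users, while her domain local and distribution memberships are left out; passing include_domain_local=True shows the extra cost the note warns about. The over-limit report is what you would run before a large AD deployment, or after a logon failure, to find accounts the LSA limit affects.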
Configuring AD Attributes

Use this page to select attributes that can then be available for policy conditions.

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Attributes tab.
2. Complete the fields in the Active Directory: Attributes page as described in Table 53 on page 67:
Table 53  Active Directory: Attributes Page

Name of example Subject to Select Attributes: Enter the name of a user or computer found on the joined domain. You can enter the user's or the computer's CN or distinguished name. The set of attributes that are displayed belong to the subject that you specify. The set of attributes is different for a user and for a computer.

Select: Click to access the Attributes secondary window, which displays the attributes of the name you entered in the previous field.

Attribute Name List: Displays the attributes you have selected in the secondary Selected Attributes window. You can select multiple attributes together and submit them.

Attribute Name: Do one of the following:
  —Enter the name of the attribute.
  —Select an attribute from the list, then click Edit to edit the attribute.
  Click Add to add an attribute to the Attribute Name list.

Type: Attribute types associated with the attribute names. Valid options are:
  - String
  - Integer 64
  - IP Address (either an IPv4 or IPv6 address)
  - Unsigned Integer 32
  - Boolean

Default: Specified attribute default value for the selected attribute:
  - String: Name of the attribute.
  - Integer 64: 0
  - Unsigned Integer 64: 0
  - IP Address: No default set.
  - Boolean: No default set.

Policy Condition Name: Enter the custom condition name for this attribute. For example, if the custom condition name is AAA, enter AAA in this field and not AD1:att_name.

Select Attributes Secondary Window: Available from the Attributes secondary window only.
  Search Filter: Specify a user or machine name. For user names, you can specify distinguished name, SAM, NetBIOS, or UPN format. For machine names, you can specify one of the following formats: MACHINE$, NETBiosDomain\MACHINE$, host/MACHINE, or host/machine.domain. You can specify non-English letters for user and machine names.
  Attribute Name: The name of an attribute of the user or machine name you entered in the previous field.
  Attribute Type: The type of attribute.
  Attribute Value: The value of an attribute for the specified user or machine.

3. Do one of the following:
   - Click Save Changes to save the configuration.
   - Click Discard Changes to discard all changes.
   If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

Configuring Machine Access Restrictions

To configure the Machine Access Restrictions, complete the following steps:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, then click the Machine Access Restrictions tab.
2. Complete the fields in the Active Directory: Machine Access Restrictions page as described in Table 54 on page 68.

Table 54  Active Directory: Machine Access Restrictions Page

Enable Machine Access Restrictions: Check this check box to enable the Machine Access Restrictions controls in the web interface. This ensures that the machine authentication results are tied to user authentication and authorization. If you enable this feature, you must set the Aging time.

Aging time (hours): Time after a machine was authenticated during which a user can be authenticated from that machine. If this time elapses, user authentication fails. The default value is 6 hours. The valid range is from 1 to 8760 hours.

MAR Cache Distribution
  Cache entry replication timeout: Enter the time in seconds after which the cache entry replication times out. The default value is 5 seconds. The valid range is from 1 to 10.
  Cache entry replication attempts: Enter the number of times ACS has to perform MAR cache entry replication. The default value is 2. The valid range is from 0 to 5.
  Cache entry query timeout: Enter the time in seconds after which the cache entry query times out. The default value is 2 seconds. The valid range is from 1 to 10.
  Cache entry query attempts: Enter the number of times that ACS has to perform the cache entry query. The default value is 1. The valid range is from 0 to 5.
  Node: Lists all the nodes that are connected to this AD domain.
  Cache Distribution Group: Enter the Cache Distribution Group of the selected node. This accepts any text string up to a maximum of 64 characters. The Cache Distribution Group does not allow the special characters "(" and ")".

3. Do one of the following:
   - Click Save Changes to save the configuration.
   - Click Discard Changes to discard all changes.
   If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

AD Deployment with Users Belonging to a Large Number of Groups

In ACS, when you move between AD domains, user authentications show a timeout error if the user belongs to a large number of groups (more than 50 groups). However, subsequent authentications of the same user, or of another user who belongs to the same group, work properly. This is due to the adclient.get.builtin.membership parameter in the ACS AD agent configuration. When this parameter is set to true, it performs a lot of additional requests and takes a lot of time for users who belong to a large number of groups. You can observe that the AD built-in groups are not available for use in ACS policies after the adclient.get.builtin.membership parameter is set to true. So, to overcome this issue, you should set the adclient.get.builtin.membership parameter to false.

To set the adclient.get.builtin.membership parameter, perform the following steps in the ACS CLI:

1. Log in to the ACS CLI in configuration mode.
2. Enter the following commands:

   acs-config
   ad-agent-configuration adclient.get.builtin.membership false {local/distribute}

Note: The first authentication of a user who belongs to a large number of groups may fail with a timeout error. However, subsequent authentications of the same user, or of another user who belongs to the same group, work properly.

Joining ACS to Domain Controllers

When ACS needs to connect to a domain controller or a global catalog, it sends SRV requests to the configured DNS servers to find out the available list of domain controllers for a domain and the global catalogs for a forest.
If the Active Directory configuration on the ACS machine is assigned to a subnet, which in turn is assigned to a site, then ACS sends the DNS queries scoped to the site. That is, the DNS server is expected to return the domain controllers and the global catalogs serving the particular site to which the subnet is assigned. If the ACS machine is not assigned to a site, then ACS does not send the DNS queries scoped to the site. That is, the DNS server is expected to return all available domain controllers and global catalogs without regard to the sites. ACS iterates through the available list of domain controllers or global catalogs and tries to establish the connection according to the order of the domain controllers or the global catalogs in the DNS response received from the DNS server.

RSA SecurID Server

ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user's personal identification number (PIN) and an individually registered RSA SecurID token that generates single-use token codes based on a time code algorithm. A different token code is generated at fixed intervals (usually every 30 or 60 seconds). The RSA SecurID server validates this dynamic authentication code. Each RSA SecurID token is unique, and it is not possible to predict the value of a future token code based on past token codes. Thus, when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication mechanism than conventional reusable passwords.

You can integrate with RSA SecurID authentication technology in either of the following ways:
- Using the RSA SecurID agent: Users are authenticated with username and passcode through RSA's native protocol.
- Using the RADIUS protocol: Users are authenticated with username and passcode through the RADIUS protocol.

The RSA SecurID token server in ACS 5.7 integrates with the RSA SecurID authentication technology by using the RSA SecurID Agent.

Configuring RSA SecurID Agents

The RSA SecurID Server administrator can do the following:

- Create an Agent Record (sdconf.rec), page 70
- Reset the Node Secret (SecurID), page 70
- Override Automatic Load Balancing, page 70
- Manually Intervene to Remove a Down RSA SecurID Server, page 70
- Passcode Caching, page 70

Create an Agent Record (sdconf.rec)

To configure an RSA SecurID token server in ACS 5.7, the ACS administrator requires the sdconf.rec file. The sdconf.rec file is a configuration record file that specifies how the RSA agent communicates with the RSA SecurID server realm. To create the sdconf.rec file, the RSA SecurID server administrator must add the ACS host as an Agent Host on the RSA SecurID server and generate a configuration file for this agent host.

Note: The sdconf.rec file is unique in a deployment. However, Cisco Secure ACS replicates the sdconf.rec file from the primary server to the secondary server while joining the secondary server with the primary server.

Reset the Node Secret (SecurID)

After the agent initially communicates with the RSA SecurID server, the server provides the agent with a node secret file called SecurID. Subsequent communication between the server and the agent relies on exchanging the node secret to verify the other's authenticity. At times, you might have to reset the node secret.

To reset the node secret:

- The RSA SecurID server administrator must uncheck the Node Secret Created check box on the Agent Host record in the RSA SecurID server.
- The ACS administrator must remove the SecurID file from ACS.

Override Automatic Load Balancing

The RSA SecurID Agent automatically balances the requested loads on the RSA SecurID servers in the realm. However, you have the option to balance the load manually. You can specify which server each of the agent hosts must use and assign a priority to each server so that the agent host directs authentication requests to some servers more frequently than others. You must specify the priority settings in a text file and save it as sdopts.rec, which you can then upload to ACS.

Manually Intervene to Remove a Down RSA SecurID Server

When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, you can remove the sdstatus.12 file from ACS.

Passcode Caching

Passcode caching enables the user to perform more than one authentication with an RSA SecurID server using the same passcode.
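The token-code behaviour described in the RSA SecurID Server section (a fresh single-use code every fixed interval, validated together with the PIN) and the passcode caching described just above, as an added Python illustration. This is not RSA or ACS code: RSA SecurID uses its own proprietary token algorithm, and this example substitutes an HMAC-SHA1 time-step code (the RFC 6238 TOTP construction) so the logic can run offline. The seed, PIN, clock values, step length, drift window, and the class and function names are all assumptions made for the example.

```python
"""Illustration of time-based single-use token codes and passcode caching.

Added example, not RSA or ACS code. RSA SecurID's token algorithm is
proprietary; the HMAC-SHA1 time-step code here (RFC 6238 TOTP) stands in for
it only to show the behaviour the section describes: a new code each fixed
interval, single use, and optional passcode caching that lets the same
passcode authenticate more than once within a short window. The seed, PIN,
clock values, step length and drift window are constructed for this example.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # token code changes every fixed interval (assumed)
DIGITS = 6
CLOCK_DRIFT_STEPS = 1  # accept one step either side of server time (assumed)


def token_code(seed, now, step=STEP_SECONDS, digits=DIGITS):
    """Return the token code for the interval containing `now` (Unix seconds)."""
    counter = int(now) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class TokenServer:
    """Validates PIN + token code passcodes and enforces single use.

    With passcode_cache_seconds > 0, a passcode accepted recently for the same
    user is accepted again inside that window (passcode caching); with 0 every
    token code is strictly single use.
    """

    def __init__(self, passcode_cache_seconds=0):
        self.users = {}      # user -> (pin, seed)
        self.used = {}       # user -> set of accepted interval counters
        self.cache = {}      # user -> (passcode, accepted_at)
        self.cache_ttl = passcode_cache_seconds

    def register(self, user, pin, seed):
        self.users[user] = (pin, seed)
        self.used[user] = set()

    def authenticate(self, user, passcode, now):
        if user not in self.users:
            return False
        pin, seed = self.users[user]

        # Passcode caching: the same passcode, within the cache window, passes.
        cached = self.cache.get(user)
        if cached and cached[0] == passcode and now - cached[1] <= self.cache_ttl:
            return True

        if not passcode.startswith(pin):
            return False
        code = passcode[len(pin):]
        base = int(now) // STEP_SECONDS
        for delta in range(-CLOCK_DRIFT_STEPS, CLOCK_DRIFT_STEPS + 1):
            counter = base + delta
            if hmac.compare_digest(code, token_code(seed, counter * STEP_SECONDS)):
                if counter in self.used[user]:
                    return False          # single use: a replayed code is rejected
                self.used[user].add(counter)
                if self.cache_ttl:
                    self.cache[user] = (passcode, now)
                return True
        return False


if __name__ == "__main__":
    seed, t = b"constructed-seed-0123456789", 1_700_000_000
    strict, caching = TokenServer(), TokenServer(passcode_cache_seconds=120)
    for srv in (strict, caching):
        srv.register("alice", "1234", seed)
    passcode = "1234" + token_code(seed, t)
    print("strict: first", strict.authenticate("alice", passcode, t),
          "second", strict.authenticate("alice", passcode, t + 5))
    print("cached: first", caching.authenticate("alice", passcode, t),
          "second", caching.authenticate("alice", passcode, t + 5))
```

Without caching the second submission of the same passcode is refused even though the interval has not rolled over, which is the single-use property the section relies on; with caching enabled the repeat inside the window succeeds, and once the window closes the same passcode is refused again because its interval counter is already marked used.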