Cisco Acs 57 User Guide
Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
8 Managing Users and Identity Stores Managing External Identity Stores Related Topics RADIUS Identity Stores, page 75 Creating, Duplicating, and Editing RADIUS Identity Servers, page 78 Configuring Shell Prompts, page 81 Configuring Directory Attributes, page 82 Configuring Advanced Options, page 83 Configuring Shell Prompts For TACACS+ ASCII authentication, ACS must return the password prompt to the user. RADIUS identity server supports this functionality by the password prompt option. ACS can use the prompt that you configure in the Shell Prompts page on the ACS web interface. If the prompt is empty, the user receives the default prompt that is configured under TACACS+ global settings. When establishing a connection with a RADIUS identity server, the initial request packets may not have the password. You must request a password. You can use this page to define the prompt that is used to request the password. To do this: 1.Enter the text for the prompt in the Prompt field. 2.Do one of the following: Click Submit to configure the prompt for requesting the password. Click the Directory Attributes tab to define a list of attributes that you want to use in policy rule conditions. See Configuring Directory Attributes, page 82 for more information. Related Topics RADIUS Identity Stores, page 75 Creating, Duplicating, and Editing RADIUS Identity Servers, page 78 Configuring General Settings, page 79 Configuring Directory Attributes, page 82 Configuring Advanced Options, page 83 Authentication Port Port number on which the RADIUS secondary server listens. Valid options are from 1 to 65,535. The default value is 1812. Server Timeout n Seconds Number of seconds, n, that ACS waits for a response from the secondary RADIUS identity server before it determines that the connection to the secondary server has failed. Valid options are from 1 to 300. The default value is 5. Connection Attempts Specifies the number of times that ACS should attempt to reconnect before dropping the request. Valid options are from 1 to 10. The default value is 3. Table 59 RADIUS Identity Server - General Tab (continued) Option Description
8 Managing Users and Identity Stores Managing External Identity Stores Configuring Directory Attributes When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make use of these RADIUS attributes in policy rules. In the Directory Attributes tab, you can specify the RADIUS attributes that you use in policy rule conditions. ACS maintains a separate list of these attributes. 1.Modify the fields in the Directory Attributes tab as described in Table 60 on page 82. 2.Do either of the following: Click Submit to save your changes and return to the RADIUS Identity Servers page. Click the Advanced tab to configure failure message handling and to enable identity caching. See Configuring Advanced Options, page 83 for more information. Related Topics RADIUS Identity Stores, page 75 Creating, Duplicating, and Editing RADIUS Identity Servers, page 78 Configuring General Settings, page 79 Configuring Shell Prompts, page 81 Table 60 RADIUS Identity Servers - Directory Attributes Tab Option Description Attribute List Use this section to create the attracted list to include in policy conditions. As you include each attribute, its name, type, default value, and policy condition name appear in the table. To: Add a RADIUS attribute, fill in the fields below the table and click Add. Edit a RADIUS attribute, select the appropriate row in the table and click Edit. The RADIUS attribute parameters appear in the fields below the table. Edit as required, then click Replace. Dictionary Type RADIUS dictionary type. Click the drop-down list box to select a RADIUS dictionary type. RADIUS Attribute Name of the RADIUS attribute. Click Select to choose the RADIUS attribute. This name is composed of two parts: The attribute name and an extension to support AV-pairs if the attribute selected is a Cisco AV-Pair. For example, for an attribute, cisco-av-pair with an AV-pair name some-avpair, ACS displays cisco-av-pair.some-avpair. IETF and vendor VSA attribute names contain an optional suffix, -nnn, where nnn is the ID of the attribute. Type RADIUS attribute type. Valid options are: String Unsigned Integer 32 IPv4 address Default (Optional) A default value that can be used if the attribute is not available in the response from the RADIUS identity server. This value must be of the specified RADIUS attribute type. Policy Condition Name Specify the name of the custom policy condition that uses this attribute.
8 Managing Users and Identity Stores Configuring CA Certificates Configuring Advanced Options, page 83 Configuring Advanced Options In the Advanced tab, you can do the following: Define what an access reject from a RADIUS identity server means to you. Enable identity caching. Enable passcode caching. Table 61 on page 83 describes the fields in the Advanced tab of the RADIUS Identity Servers page. Click Submit to save the RADIUS Identity Server. Related Topics RADIUS Identity Stores, page 75 Creating, Duplicating, and Editing RADIUS Identity Servers, page 78 Configuring CA Certificates When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. If ACS does not trust the client’s CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. Table 61 RADIUS Identity Servers — Advanced Tab Option Description This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting. Treat Rejects as 'authentication failed' Click this option to consider all ambiguous access reject attempts as failed authentications. Treat Rejects as 'user not found' Click this option to consider all ambiguous access reject attempts as unknown users. Identity caching is used to allow processing of requests that do not perform authentication against the server. The cache retains the results and attributes retrieved from the last successful authentication for the subject. Enable identity caching Check this check box to enable identity caching. If you enable identity caching, you must enter the time in minutes for which you want ACS to retain the identity cache. Aging Time n Minutes Enter the time in minutes for which you want ACS to retain the identity cache. Valid options are from 1 to 1440. Enable passcode caching Check this check box to enable passcode caching. If you enable passcode caching, you must enter the time in seconds for which you want ACS to retain the passcode cache. Aging Time n Seconds Enter the time in seconds for which you want ACS to retain the passcode cache. Valid options are from 1 to 300. The default value is 30 seconds.
8 Managing Users and Identity Stores Configuring CA Certificates You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate. For more information, see Configuring Local Server Certificates, page 16. Note: ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You must add the certificate that signed the server certificate to the CA. You must ensure that the chain is signed correctly and that all the certificates are valid. If the server certificate and the CA that signed the server certificate are installed on ACS, ACS sends the full certificate chain to the client. Note: ACS does not support wildcard certificates. Related Topics Adding a Certificate Authority, page 84 Editing a Certificate Authority and Configuring Certificate Revocation Lists, page 85 Deleting a Certificate Authority, page 87 Renewing or Deleting a CA Certificate that is part of a Certificate Chain, page 87 Exporting a Certificate Authority, page 88 Adding a Certificate Authority The supported certificate formats are DER, PEM, or CER. To add a trusted CA (Certificate Authority) certificate: 1.Choose Users and Identity Stores > Certificate Authorities. The Trust Certificate page appears. 2.Click Add. 3.Complete the fields in the Certificate File to Import page as described in Table 62 on page 85:
8 Managing Users and Identity Stores Configuring CA Certificates 4.Click Submit. The new certificate is saved. The Trust Certificate List page appears with the new certificate. Related Topics User Certificate Authentication, page 6 Overview of EAP-TLS, page 5 Editing a Certificate Authority and Configuring Certificate Revocation Lists Use this page to edit a trusted CA (Certificate Authority) certificate. 1.Choose Users and Identity Stores > Certificate Authorities. The Trust Certificate page appears with a list of configured certificates. 2.Click the name that you want to modify, or check the check box for the Name, and click Edit. Complete the fields in the Edit Trust Certificate List Properties Page as described in Table 63 on page 86: When ACS delays the CA CRL, the CA is retained on the local file system. The CA is not refreshed until you resubmit it. By default ACS will fail all user certificates of a CA for which the CRL has expired. If the CA certificate is resubmitted, the following error is shown: 12514 EAP-TLS failed SSL/TLS handshake. This is because of the unknown CA. If the CA certificate is not resubmitted, the following error is shown: 12515 EAP-TLS failed SSL/TLS handshake.This is because of the expired CRL. If you choose Ignore CRL Expiration, ACS fails authentication for the revoked certificates and passes the authentication for non-revoked certificates. Table 62 Certificate Authority Properties Page Option Description Certificate File to Import Certificate File Enter the name of the certificate file. Click Browse t o n a v i g a t e t o t h e l o c a t i o n o n t h e c l i e n t machine where the trust certificate is located. Trust for client with EAP-TLS Check this box so that ACS will use the certificate trust list for the EAP protocol. Allow Duplicate Certificates Allows you to add certificates with the same CN and SKI with different Valid From, Valid To, and Serial numbers. Description Enter a description of the CA certificate.
8 Managing Users and Identity Stores Configuring CA Certificates Table 63 Edit Certificate Authority Properties Page Option Description Issuer Friendly Name The name that is associated with the certificate. Description (Optional) A brief description of the CA certificate. Issued ToDisplay only. The entity to which the certificate is issued. The name that appears is from the certificate subject. Issued ByDisplay only. The certification authority that issued the certificate. Valid fromDisplay only. The start date of the certificate’s validity. An X509 certificate is valid only from the start date to the end date (inclusive). Valid To (Expiration)Display only. The last date of the certificate’s validity. Serial NumberDisplay only. The serial number of the certificate. Description Description of the certificate. Usage Trust for client with EAP-TLS Check this box so that ACS will use the trust list for the TLS-related EAP protocols. Certificate Status Validation OCSP Configuration Use this section to configure the OCSP service. Validate against OCSP service Check this box and select the OCSP service from the drop-down list to validate the requests against the selected the OCSP service. Reject the request if certificate status could not be determined by OCSPCheck this box to reject the request if the certificate status could not be determined by the OCSP service. Certificate Revocation List Configuration Use this section to configure the CRL. Download CRL Check this box to download the CRL. CRL Distribution URL Enter the CRL distribution URL. You can specify a URL that uses an HTTP or secure HTTPS connection. When you use a HTTPS URL, you must install the corresponding HTTPS server’s CA certificate in ACS. You can configure a proxy server in ACS for CRL download so that ACS communicates with the CRL distribution server through the configured proxy server. For more information, see Configuring HTTP Proxy Settings for CRL Requests, page 3. Retrieve CRLACS attempts to download a CRL from the CA. Toggle the time settings for ACS to retrieve a new CRL from the CA. Automatically—Obtain the next update time from the CRL file. If unsuccessful, ACS tries to retrieve the CRL periodically after the first failure until it succeeds. Every—Determines the frequency between retrieval attempts. Enter the amount in units of time.
8 Managing Users and Identity Stores Configuring CA Certificates 3.Click Submit. The Trust Certificate page appears with the edited certificate. The administrator has the rights to configure CRL and OCSP verification. If both CRL and OCSP verification are configured at the same time, then ACS performs OCSP verification first. If it detects any communication problems with either the primary or secondary servers, or if the verification returns the status of a given certificate as unknown, then ACS moves on to perform the CRL validation. Related Topics User Certificate Authentication, page 6 Overview of EAP-TLS, page 5 Configuring HTTP Proxy Settings for CRL Requests, page 3 Deleting a Certificate Authority Use this page to delete a trusted CA (Certificate Authority) certificate: 1.Choose Users and Identity Stores > Certificate Authorities. The Trust Certificate List page appears with a list of configured certificates. 2.Check one or more check boxes next to the certificates that you want to delete. 3.Click Delete. 4.Click Ye s to confirm. The Trust Certificate page appears without the deleted certificate(s). Related Topic Overview of EAP-TLS, page 5 Renewing or Deleting a CA Certificate that is part of a Certificate Chain When you try to delete a CA certificate which is part of a Certificate Chain, ACS displays the following error:If Download Failed Wait Enter the amount of time to attempt to retrieve the CRL, if the retrieval initially failed. Bypass CRL Verification if CRL is not ReceivedIf unchecked, all the client requests that use the certificate that is signed by the selected CA will be rejected until ACS receives the CRL file. When checked, the client request may be accepted before the CRL is received. Ignore CRL Expiration Check this box to check a certificate against an outdated CRL. When checked, ACS continues to use the expired CRL and permits or rejects EAP-TLS authentications according to the contents of the CRL. When unchecked, ACS examines the expiration date of the CRL in the Next Update field in the CRL file. If the CRL has expired, all authentications that use the certificate that is signed by the selected CA are rejected. Table 63 Edit Certificate Authority Properties Page (continued) Option Description
8 Managing Users and Identity Stores Configuring CA Certificates This System Failure occurred: Certificate Authority is in use by one of the ACS nodes certificates. Your changes have not been saved. Click OK to return to the list page. If you want to delete or renew a CA certificate which is part of EAP or management certificate chain, we must map or unbind the EAP or management protocols to another server certificate that is not issued by the CA certificate and then renew or delete it. To renew or delete a CA certificate from ACS: 1.Choose System Administration > Configuration > Local Server Certificates > Local Certificates. 2.Check for the below conditions: If any of the server certificate listed are issued by the CA certificate that you want to renew or delete, you must check if EAP or management protocol is applied to the server certificates. If any of the server certificate issued by the CA certificate is mapped with EAP or management protocol, you must unbind the EAP or management protocol from the server certificate and map it to another server certificate that is not issued by the same CA certificate. For more information on unbinding EAP or management protocols from server certificate, see Unbinding EAP or Management Protocols from Server Certificate, page 88. 3.You can renew or delete the CA certificate if none of the server certificate issued by this CA certificate is mapped with EAP or management protocol. Unbinding EAP or Management Protocols from Server Certificate To unbind EAP or management protocol from a server certificate: 1.Install a new server certificate that is issued by a CA certificate other than the certificate that you want to delete or you can consider the default server certificate. For more information, see Adding Local Server Certificates, page 17. 2.Perform one of the following actions: Check the EAP: Used for EAP protocols that use SSL/TLS tunneling and Management Interface: Used to authenticate the web server (GUI) check boxes while adding the new server certificate. After adding the new server certificate, you can edit the certificate and check the EAP: Used for EAP protocols that use SSL/TLS tunneling and Management Interface: Used to authenticate the web server (GUI) check boxes. This operation unbinds the EAP or management protocols from the old server certificate and binds it with the new server certificate. Exporting a Certificate Authority To export a trust certificate: 1.Choose Users and Identity Stores > Certificate Authorities. The Trust Certificate List page appears with a list of configured certificates. 2.Check the box next to the certificates that you want to export. 3.Click Export. This operation exports the trusted certificate to the client machine. 4.Click Ye s to confirm. You are prompted to install the exported certificate on your client machine.
8 Managing Users and Identity Stores Configuring Certificate Authentication Profiles Related Topics User Certificate Authentication, page 6 Overview of EAP-TLS, page 5 Configuring Certificate Authentication Profiles The certificate authentication profile defines the X509 certificate information to be used for a certificate- based access request. You can select an attribute from the certificate to be used as the username. You can select a subset of the certificate attributes to populate the username field for the context of the request. The username is then used to identify the user for the remainder of the request, including the identification used in the logs. You can use the certificate authentication profile to retrieve certificate data to further validate a certificate presented by an LDAP or AD client. The username from the certificate authentication profile is used to query the LDAP or AD identity store. ACS compares the client certificate against all certificates retrieved from the LDAP or AD identity store, one after another, to see if one of them matches. ACS either accepts or rejects the request. Note: For ACS to accept a request, only one certificate from either the LDAP or the AD identity store must match the client certificate. When ACS processes a certificate-based request for authentication, one of two things happens: the username from the certificate is compared to the username in ACS that is processing the request, or ACS uses the information that is defined in the selected LDAP or AD identity store to validate the certificate information. You can duplicate a certificate authentication profile to create a new profile that is the same, or similar to, an existing certificate authentication profile. After duplication is complete, you access each profile (original and duplicated) separately, to edit or delete them. ACS 5.7 now supports certificate name constraint extension. It accepts the client certificates whose issuers contain the name constraint extension. It checks the client certificates for CA and sub-CA certificates. This extension defines a name space for all subject names in the subsequent certificates in a certificate path. It applies to both the subject distinguished name and the subject alternative name. These restrictions are applicable only when the specified name form is present in the client certificate. The ACS authentication fails if the client certificate is excluded or not permitted by the namespace. Supported Name Constraints: Directory name DNS Email URL Unsupported Name Constraints: IP address Other name To create, duplicate, or edit a certificate authentication profile, complete the following steps: 1.Choose Users and Identity Stores > Certificate Authentication Profile. The Certificate Authentication Profile page appears. 2.Do one of the following:
9 Managing Users and Identity Stores Configuring Identity Store Sequences Click Create. Check the check box next to the certificate authentication profile that you want to duplicate, then click Duplicate. Click the certificate authentication profile that you want to modify, or check the check box next to the name and click Edit. The Certificate Authentication Profile Properties page appears. 3.Complete the fields in the Certificate Authentication Profile Properties page as described in Table 64 on page 90: 4.Click Submit. The Certificate Authentication Profile page reappears. Related Topics Viewing Identity Policies, page 23 Configuring Identity Store Sequences, page 90 Creating External LDAP Identity Stores, page 33 Configuring Identity Store Sequences An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists of a single identity store or multiple identity methods. When you use multiple identity methods, you must first define them in an identity store sequence, and then specify the identity store sequence in the identity policy. An identity store sequence defines the sequence that is used for authentication and attribute retrieval and an optional additional sequence to retrieve additional attributes. Table 64 Certificate Authentication Profile Properties Page Option Description General Name Enter the name of the certificate authentication profile. Description Enter a description of the certificate authentication profile. Certificate Definition Principal Username X509 AttributeAvailable set of principal username attributes for x509 authentication. The selection includes: Common Name Subject Alternative Name Subject Serial Number Subject Subject Alternative Name - Other Name Subject Alternative Name - EMail Subject Alternative Name - DNS Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active DirectoryCheck this check box if you want to validate certificate information for authentication against a selected LDAP or AD identity store. If you select this option, you must enter the name of the LDAP or AD identity store, or click Select to select the LDAP or AD identity store from the available list.