    Cisco Acs 57 User Guide

    Cisco Systems, Inc. www.cisco.com
     
    Managing System Administration Configurations
    After you install Cisco Secure ACS, you must configure and administer it to manage your network efficiently. The ACS 
    web interface allows you to easily configure ACS to perform various operations. For a list of post-installation 
    configuration tasks to get started with ACS, see Post-Installation Configuration Tasks, page 1.
    When you choose System Administration > Configuration, you can access pages that allow you to do the following:
    Configure global system options, including settings for TACACS+, EAP-TLS, PEAP, and EAP-FAST. See Configuring Global System Options, page 1.
    Configure protocol dictionaries. See Managing Dictionaries, page 6.
    Manage local server certificates. See Configuring Local Server Certificates, page 16.
    Manage log configurations. See Configuring Local and Remote Log Storage, page 23.
    Manage licensing. See Licensing Overview, page 36.
    Configuring Global System Options
    From the System Administration > Configuration > Global System Options pages, you can view these options:
    Configuring TACACS+ Settings, page 1
    Configuring EAP-TLS Settings, page 2
    Configuring PEAP Settings, page 3
    Configuring HTTP Proxy Settings for CRL Requests, page 3
    Configuring EAP-FAST Settings, page 4
    Generating EAP-FAST PAC, page 4
    Configuring TACACS+ Settings
    Use the TACACS+ Settings page to configure TACACS+ runtime characteristics. 
    Select System Administration > Configuration > Global System Options > TACACS+ Settings.
    The TACACS+ Settings page appears as described in Table 1 on page 2: 
    						
    Table 1 TACACS+ Settings
    Option: Description
    Port to Listen: Port number on which to listen. By default, the port number is displayed as 49. ACS 5.7 allows you to edit this field. You can configure the TACACS+ port with number 49 and numbers ranging from 1024 to 65535. However, ACS does not allow port numbers that are already assigned to other services. This operation restarts the ACS runtime and all registered instances.
    Connection Timeout: Number of minutes before the connection times out.
    Session Timeout: Number of minutes before the session times out.
    Maximum Packet Size: Maximum packet size (in bytes).
    Single Connect Support: Check to enable single connect support.
    Login Prompts
    Username Prompt: Text string to use as the username prompt.
    Password Prompt: Text string to use as the password prompt.
    Password Change Control
    Enable TELNET Change Password: Choose this option if you want to provide an option to change the password during a TELNET session.
    Prompt for Old Password: Text string to use as the old password prompt.
    Prompt for New Password: Text string to use as the new password prompt.
    Prompt for Confirm Password: Text string to use as the confirm password prompt.
    Disable TELNET Change Password: Choose this option if you do not want to allow a password change during a TELNET session.
    Message when Disabled: Message that is displayed when you choose the Disable TELNET Change Password option.

    Configuring EAP-TLS Settings
    Use the EAP-TLS Settings page to configure EAP-TLS runtime characteristics.
    Choose System Administration > Configuration > Global System Options > EAP-TLS Settings.
    The EAP-TLS Settings page appears as described in Table 2 on page 2:
    Table 2 EAP-TLS Settings
    Option: Description
    General
    Enable EAP-TLS Session Resume: Check this check box to support abbreviated reauthentication of a user who has passed full EAP-TLS authentication. This feature reauthenticates the user with only an SSL handshake and without the application of certificates. EAP-TLS session resume works only within the specified EAP-TLS session timeout value.
    EAP-TLS Session Timeout: Enter the number of seconds before the EAP-TLS session times out. The default value is 7200 seconds.
    Stateless Session Resume
    Master Key Generation Period: The master key is regenerated after the specified period of time. The default is one week.
    Revoke: Click Revoke to cancel all previous master keys. This operation should be used with caution. If the ACS node is a secondary node, the Revoke option is disabled.

    Configuring PEAP Settings
    Use the PEAP Settings page to configure PEAP runtime characteristics.
    Choose System Administration > Configuration > Global System Options > PEAP Settings.
    The PEAP Settings page appears as described in Table 3 on page 3:
    Table 3 PEAP Settings
    Option: Description
    Enable PEAP Session Resume: When checked, ACS caches the TLS session that is created during phase one of PEAP authentication, provided the user successfully authenticates in phase two of PEAP. If a user needs to reconnect and the original PEAP session has not timed out, ACS uses the cached TLS session, resulting in faster PEAP performance and a lessened AAA server load. You must specify a PEAP session timeout value for the PEAP session resume feature to work.
    PEAP Session Timeout: Enter the number of seconds before the PEAP session times out. The default value is 7200 seconds.
    Enable Fast Reconnect: Check to allow a PEAP session to resume in ACS without checking user credentials when the session resume feature is enabled.
    Related Topics
    Generating EAP-FAST PAC, page 4

    Configuring HTTP Proxy Settings for CRL Requests
    ACS 5.7 introduces proxy settings for CRL downloads, so that requests to and responses from the CRL distribution server pass through a proxy for greater security. ACS provides an option for administrators to enable the proxy settings on the HTTP Proxy Settings page so that ACS communicates with the CRL distribution server through the configured proxy server. The proxy server receives the request from ACS and forwards it to the CRL distribution server. The CRL distribution server, upon receiving the request from the proxy, processes it and forwards the CRLs to the proxy server. The proxy server receives the CRLs from the CRL distribution server and forwards them to ACS.
    Use the HTTP Proxy Settings page to configure the HTTP proxy for CRL requests from ACS.
    Choose System Administration > Configuration > Global System Options > HTTP Proxy Settings.
    The HTTP Proxy Settings page appears as described in Table 3 on page 3:
    						
    Table 4 HTTP Proxy Settings
    Option: Description
    General
    Enable HTTP Proxy: Check the Enable HTTP Proxy check box for ACS to communicate with the CRL distribution URL through a proxy server.
    Proxy Address: Enter the proxy IP address or DNS-resolvable hostname to be used as a proxy server for retrieving CRLs from an external CRL distribution server. ACS communicates with the configured proxy server for CRL information. The proxy server forwards the request to the CRL distribution server URL. The proxy server receives the revocation list and forwards it to ACS.
    Proxy Port: Enter the port number through which the proxy traffic travels to and from ACS.
    Related Topics
    Adding a Certificate Authority, page 84

    Configuring EAP-FAST Settings
    Use the EAP-FAST Settings page to configure EAP-FAST runtime characteristics.
    Select System Administration > Configuration > Global System Options > EAP-FAST > Settings.
    The EAP-FAST Settings page appears as described in Table 5 on page 4:
    Table 5 EAP-FAST Settings
    Option: Description
    General
    Authority Identity Info Description: User-friendly string that describes the ACS server that sends credentials to a client. The client can discover this string in the Protected Access Credentials Information (PAC-Info) Type-Length-Value (TLV). The default value is Cisco Secure ACS.
    Master Key Generation Period: Period after which the master key, which is used to encrypt or decrypt and sign or authenticate PACs, is regenerated. The default is one week.
    Revoke
    Revoke: Click Revoke to revoke all previous master keys and PACs. This operation should be used with caution. If the ACS node is a secondary node, the Revoke option is disabled.

    Generating EAP-FAST PAC
    Use the EAP-FAST Generate PAC page to generate a user or machine PAC.
    1. Select System Administration > Configuration > Global System Options > EAP-FAST > Generate PAC.
    The Generate PAC page appears as described in Table 6 on page 5:
    						
    Table 6 Generate PAC
    Option: Description
    Tunnel PAC: Select to generate a tunnel PAC.
    Machine PAC: Select to generate a machine PAC.
    Identity: Specifies the username or machine name presented as the “inner username” by the EAP-FAST protocol. If the Identity string does not match that username, authentication will fail.
    PAC Time To Live: Enter the equivalent maximum value in seconds, minutes, hours, days, weeks, months, and years. Enter a positive integer.
    Password: Enter the password.
    2. Click Generate PAC.

    Configuring RSA SecurID Prompts
    You can configure RSA prompts for an ACS deployment. The set of RSA prompts that you configure is used for all RSA realms and ACS instances in a deployment. To configure RSA SecurID Prompts:
    1. Choose System Administration > Configuration > Global System Options > RSA SecurID Prompts.
    The RSA SecurID Prompts page appears.
    2. Modify the fields described in Table 7 on page 5.
    Table 7 RSA SecurID Prompts Page
    Option: Description
    Passcode Prompt: Text string to request the passcode. The default value is “Enter PASSCODE:”.
    Next Token Prompt: Text string to request the next token. The default value is “Enter Next TOKENCODE:”.
    Choose PIN Type Prompt: Text string to request the PIN type. The default value is “Do you want to enter your own pin?”.
    Accept System PIN Prompt: Text string to accept the system-generated PIN. The default value is “ARE YOU PREPARED TO ACCEPT A SYSTEM-GENERATED PIN?”.
    For the two PIN entry prompts below, if the prompt contains the following strings, they are substituted as follows:
    {MIN_LENGTH}: replaced by the minimum PIN length configured for the RSA realm.
    {MAX_LENGTH}: replaced by the maximum PIN length configured for the RSA realm.
    /x/: cancels the new PIN procedure.
    Alphanumeric PIN Prompt: Text string for requesting an alphanumeric PIN.
    Numeric PIN Prompt: Text string for requesting a numeric PIN.
    Re-Enter PIN Prompt: Text string to request the user to re-enter the PIN. The default value is “Reenter PIN:”.
    						
    3. Click Submit to configure the RSA SecurID Prompts.
    Managing Dictionaries
    The following tasks are available when you select System Administration > Configuration > Dictionaries:
    Viewing RADIUS and TACACS+ Attributes, page 6
    Configuring Identity Dictionaries, page 12
    Viewing RADIUS and TACACS+ Attributes
    The RADIUS and TACACS+ Dictionary pages display the available protocol attributes in these dictionaries:
    RADIUS (IETF)
    RADIUS (Cisco)
    RADIUS (Microsoft)
    RADIUS (Ascend)
    RADIUS (Cisco Airespace)
    RADIUS (Cisco Aironet)
    RADIUS (Cisco BBSM)
    RADIUS (Cisco VPN 3000)
    RADIUS (Cisco VPN 5000)
    RADIUS (Juniper)
    RADIUS (Nortel [Bay Networks])
    RADIUS (RedCreek)
    RADIUS (US Robotics)
    TACACS+
    To view and choose attributes from a protocol dictionary, select System Administration > Configuration > Dictionaries 
    > Protocols; then choose a dictionary. 
    The Dictionary page appears with a list of available attributes as shown in Table 8 on page 6:
    Table 8 Protocols Dictionary Page
    Option: Description
    Attribute: Name of the attribute.
    ID (RADIUS only): The VSA ID.
    Type: Data type of the attribute.
    Direction (RADIUS only): Specifies where the attribute is in use: in the request, in the response, or both. Single or bidirectional authentication.
    Multiple Allowed (RADIUS only): Multiple attributes are allowed. Attributes that specify multiple allowed can be used more than once in one request or response.
    Use the arrows to scroll through the attribute list.
    ACS 5.7 also supports RADIUS vendor-specific attributes (VSAs). A set of predefined RADIUS VSAs is available. You can define additional vendors and attributes from the ACS web interface. You can create, edit, or delete RADIUS VSAs.
    After you have defined new VSAs, you can use them in policies, authorization profiles, and RADIUS token servers in the same way as predefined VSAs. For more information, see:
    RADIUS VSAs, page 6.
    Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 7

    Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes
    Vendor-specific attributes (VSAs) allow vendors to create extensions to the RADIUS attributes. Each vendor is assigned a specific vendor number. VSAs are attributes that contain subattributes. ACS 5.7 allows you to create, duplicate, and edit RADIUS VSAs.
    Some of the internally used attributes cannot be modified. You cannot modify an attribute’s type if the attribute is used by any policy or policy element.
    To create, edit, or duplicate RADIUS VSAs:
    1. Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS VSA.
    2. Do one of the following:
    Click Create.
    Check the check box of the RADIUS VSA that you want to duplicate, and click Duplicate.
    Check the check box of the RADIUS VSA that you want to edit, and click Edit.
    The RADIUS VSA page appears. Modify the fields as described in Table 9 on page 8.
    						
    3. Click Submit to save the changes.
    Related Topics
    Viewing RADIUS and TACACS+ Attributes, page 6
    Importing RADIUS Vendors and Vendor-Specific Attributes
    ACS 5.7 supports importing RADIUS vendors and RADIUS vendor-specific attributes (VSAs) from a text file. This text file is based on the Free RADIUS dictionary format; for more information on that format, see http://linux.die.net/man/5/dictionary. The ACS 5.7 web interface provides an option to download the Import template. You need to enter the vendor and its attributes in the same file.
    Note: ACS supports A-Z, a-z, 0-9, -, _, and / characters for use in the Import file.
    Each RADIUS vendor should have a unique vendor ID. You cannot provide different IDs for the same vendor. Therefore, when you import vendors and VSAs, if the vendor name or attribute is already present in ACS, the import operation fails with errors. In this case, you need to delete that particular vendor, or both the vendor and its attributes, and then re-import the file. ACS displays an appropriate error message and stops the import operation if the file format is wrong or any unsupported characters are present in the file.
    Table 9 RADIUS VSA - Create, Duplicate, Edit Page
    Option: Description
    Attribute: Name of the RADIUS VSA.
    Description: (Optional) A brief description of the RADIUS VSA.
    Vendor ID: ID of the RADIUS vendor.
    Attribute Prefix: (Optional) Prefix that you want to prepend to the RADIUS attribute so that all attributes for the vendor start with the same prefix.
    Use Advanced Vendor Options
    Vendor Length Field Size: Vendor length field of 8 bits for specifying the length of the VSA. Choose the vendor length of the VSA. Valid options are 0 and 1. The default value is 1.
    Vendor Type Field Size: Vendor type field of 8 bits. Choose the vendor type of the VSA. Valid options are 1, 2, and 4. The default value is 1.
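    The Vendor Type Field Size and Vendor Length Field Size options in Table 9 describe how a vendor's sub-attributes are laid out inside a RADIUS Vendor-Specific attribute (attribute type 26 in RFC 2865). The following Python encoder and length-checking decoder is an added example and not Cisco code: it assumes the usual RFC 2865 layout (4-byte vendor ID, then vendor type, optional vendor length, then value), uses Cisco's IANA enterprise number 9 with a constructed placeholder value, and rejects any buffer whose length fields disagree, which is the check a RADIUS parser needs before it acts on peer-supplied lengths.

```python
"""Encode and decode a RADIUS Vendor-Specific attribute (RFC 2865, type 26)
with the vendor type / vendor length field sizes selectable in ACS under
Use Advanced Vendor Options.  Added example, not Cisco code."""

import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type of Vendor-Specific
CISCO_ENTERPRISE = 9   # Cisco's IANA enterprise number


def encode_vsa(vendor_id, vendor_type, value, type_size=1, length_size=1):
    """Return the wire bytes of one Vendor-Specific attribute.

    type_size   -- ACS "Vendor Type Field Size": 1, 2 or 4 octets
    length_size -- ACS "Vendor Length Field Size": 0 or 1 octet
    """
    if type_size not in (1, 2, 4):
        raise ValueError("vendor type field size must be 1, 2 or 4")
    if length_size not in (0, 1):
        raise ValueError("vendor length field size must be 0 or 1")
    if not 0 <= vendor_type < (1 << (8 * type_size)):
        raise ValueError("vendor type does not fit in %d octet(s)" % type_size)

    type_field = vendor_type.to_bytes(type_size, "big")
    # Vendor-Length counts the vendor type, the length octet itself and the value.
    sub_len = type_size + length_size + len(value)
    if length_size and sub_len > 255:
        raise ValueError("sub-attribute too long for a one-octet vendor length")
    length_field = bytes([sub_len]) if length_size else b""

    body = struct.pack("!I", vendor_id) + type_field + length_field + value
    total = 2 + len(body)  # RFC 2865 Length covers the Type and Length octets too
    if total > 255:
        raise ValueError("attribute exceeds the 255-octet RADIUS limit")
    return bytes([VENDOR_SPECIFIC, total]) + body


def decode_vsa(data, type_size=1, length_size=1):
    """Parse one Vendor-Specific attribute into (vendor_id, vendor_type, value).

    Every length field is cross-checked against the real buffer; a parser that
    trusted the peer-supplied lengths instead would read past the value.
    """
    if len(data) < 2 or data[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = data[1]
    if length != len(data) or length < 2 + 4 + type_size + length_size:
        raise ValueError("bad attribute length")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    pos = 6
    vendor_type = int.from_bytes(data[pos:pos + type_size], "big")
    pos += type_size
    if length_size:
        # Vendor-Length must equal everything that follows the vendor ID.
        if data[pos] != length - 6:
            raise ValueError("vendor length does not match attribute length")
        pos += 1
    return vendor_id, vendor_type, data[pos:]


def is_well_formed(data, type_size=1, length_size=1):
    """True when decode_vsa accepts the buffer, False on any length inconsistency."""
    try:
        decode_vsa(data, type_size, length_size)
        return True
    except ValueError:
        return False


# Constructed sample: Cisco vendor, vendor type 1, a placeholder AV-pair string.
SAMPLE_VSA = encode_vsa(CISCO_ENTERPRISE, 1, b"sample-key=value")

if __name__ == "__main__":
    print(SAMPLE_VSA.hex())                 # 1a18000000090112...
    print(decode_vsa(SAMPLE_VSA))           # (9, 1, b'sample-key=value')
    damaged = bytearray(SAMPLE_VSA)
    damaged[7] += 2                         # corrupt the Vendor-Length octet
    print(is_well_formed(bytes(damaged)))   # False
```

    A vendor whose dictionary is imported with a 2-octet type field and no length field (type_size=2, length_size=0) produces a different byte layout for the same vendor ID and value, which is why the sizes chosen in Table 9 must match what the vendor's equipment actually sends; a mismatch shows up as attributes that decode to the wrong type number or fail the length check.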
    						
    Figure 1 Example for RADIUS Vendor and VSAs in Free RADIUS File
    A # character at the beginning of a line indicates that the line is a comment line. The keyword VENDOR at the beginning of a line indicates that the line defines a vendor. The keyword ATTRIBUTE at the beginning of a line indicates that the line defines a VSA. The name of a VSA should start with the vendor name. For instance, if the vendor name is Cisco, then the attribute name is cisco-fax-message-id.
    When an attribute is of the Enumeration type, you need to specify the Enumeration name and Enumeration ID in the Free RADIUS file.
    Table 10 on page 9 displays the attribute types that are supported in a Free RADIUS text file and their mapping to the attribute types in ACS.
    Table 10 Attributes Mapping Between Free RADIUS File and ACS
    Attribute Type in Free RADIUS File: Attribute Type in ACS Web Interface
    String: String
    Octets: HexString
    IP address: IPv4 address
    Integer: Integer/Enumeration
    The edit operation, delete operation, directions, and multi-value attributes are not supported when you import RADIUS vendors and RADIUS VSAs. You need to perform these operations manually after importing the vendors and VSAs.
    To import RADIUS vendors and RADIUS VSAs:
    1. Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS VSA.
    The RADIUS VSA page appears.
    2. Click Import.
    The Import dialog box appears.
    						
    3. Click Download Template to download the import file template from the ACS web interface and save it to your client machine.
    4. Enter the RADIUS vendors and RADIUS VSAs in the specified format and save the file.
    5. Click Browse to browse to the location of the Free RADIUS format file that has the RADIUS vendors and RADIUS VSAs and is ready to be imported.
    6. Click Start Import to start the import operation.
    The RADIUS vendors and RADIUS VSAs are imported. ACS displays the log messages in a pop-up window.
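    The import rules above (comment lines, the VENDOR and ATTRIBUTE keywords, vendor-name prefixes, the supported character set, unique vendor IDs, the Table 10 type mapping, and Enumeration values) can be checked on the client before the file is uploaded, so that a rejected import is caught with a line number rather than only in the ACS pop-up log. The following Python validator is an added example and not Cisco's import code or template: it assumes the standard Free RADIUS dictionary keywords (VENDOR, BEGIN-VENDOR/END-VENDOR, ATTRIBUTE, VALUE, with the Free RADIUS keyword ipaddr standing for the "IP address" row of Table 10), uses the enterprise number 32473 that is reserved for documentation, and treats any error as a reason to stop the import, as the guide says ACS does.

```python
"""Pre-import check of a Free RADIUS-style dictionary file against the rules
this guide gives for the ACS 5.7 RADIUS vendor/VSA import.  Added example;
the real ACS import template may lay the file out differently."""

import re
from dataclasses import dataclass, field

# Table 10: type keyword in the Free RADIUS file -> type shown in the ACS web
# interface.  "ipaddr" is the Free RADIUS keyword for the "IP address" row.
TYPE_MAP = {"string": "String", "octets": "HexString",
            "ipaddr": "IPv4 address", "integer": "Integer"}
# The characters the guide lists as supported in the import file.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_/-]+$")


@dataclass
class Attribute:
    attr_id: int
    acs_type: str
    values: dict = field(default_factory=dict)   # Enumeration name -> ID


@dataclass
class Vendor:
    vendor_id: int
    attributes: dict = field(default_factory=dict)   # attribute name -> Attribute


def parse_dictionary(text, existing_vendors=(), existing_attributes=()):
    """Return (vendors, errors).  A non-empty error list means the import would
    stop, as the guide says ACS does on a bad format, unsupported characters,
    or a vendor/attribute name that already exists in ACS."""
    vendors, errors, ids_seen = {}, [], {}
    current = None   # vendor opened by BEGIN-VENDOR

    def fail(lineno, msg):
        errors.append("line %d: %s" % (lineno, msg))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' at line start = comment line
            continue
        tokens = line.split()
        kw = tokens[0].upper()
        bad = [t for t in tokens[1:] if not TOKEN_RE.match(t)]
        if bad:
            fail(lineno, "unsupported characters in %s" % bad)
            continue
        if kw == "VENDOR" and len(tokens) == 3 and tokens[2].isdigit():
            name, vid = tokens[1], int(tokens[2])
            if name in vendors:
                fail(lineno, "vendor %s defined twice" % name)
                continue
            if name in existing_vendors:   # import fails, but keep checking the file
                fail(lineno, "vendor %s already present in ACS" % name)
            if vid in ids_seen:            # one vendor ID per vendor
                fail(lineno, "vendor ID %d already used by %s" % (vid, ids_seen[vid]))
                continue
            vendors[name] = Vendor(vid)
            ids_seen[vid] = name
        elif kw in ("BEGIN-VENDOR", "END-VENDOR") and len(tokens) == 2:
            if tokens[1] not in vendors:
                fail(lineno, "unknown vendor %s" % tokens[1])
            else:
                current = tokens[1] if kw == "BEGIN-VENDOR" else None
        elif kw == "ATTRIBUTE" and len(tokens) in (4, 5) and tokens[2].isdigit():
            name, ftype = tokens[1], tokens[3].lower()
            vendor = tokens[4] if len(tokens) == 5 else current
            if vendor not in vendors:
                fail(lineno, "attribute %s has no known vendor" % name)
            elif ftype not in TYPE_MAP:
                fail(lineno, "unsupported attribute type %s" % ftype)
            elif not name.lower().startswith(vendor.lower()):
                fail(lineno, "attribute %s must start with vendor name %s" % (name, vendor))
            elif name in existing_attributes or name in vendors[vendor].attributes:
                fail(lineno, "attribute %s already present" % name)
            else:
                # Imported attributes carry no direction or multi-value setting;
                # the guide says those are set by hand after the import.
                vendors[vendor].attributes[name] = Attribute(int(tokens[2]), TYPE_MAP[ftype])
        elif kw == "VALUE" and len(tokens) == 4 and tokens[3].isdigit():
            attr_name, val_name = tokens[1], tokens[2]
            owner = next((v for v in vendors.values() if attr_name in v.attributes), None)
            if owner is None or owner.attributes[attr_name].acs_type not in ("Integer", "Enumeration"):
                fail(lineno, "VALUE for unknown or non-integer attribute %s" % attr_name)
            else:
                attr = owner.attributes[attr_name]
                attr.acs_type = "Enumeration"   # integer with named values -> Enumeration
                attr.values[val_name] = int(tokens[3])
        else:
            fail(lineno, "unrecognised line: %s" % line)
    return vendors, errors


# Constructed samples in Free RADIUS dictionary style (32473 is the enterprise
# number reserved for documentation); not the ACS download template.
SAMPLE_GOOD = """\
# Example-Corp vendor and VSAs
VENDOR          Example-Corp            32473
BEGIN-VENDOR    Example-Corp
ATTRIBUTE       Example-Corp-Role       1   string
ATTRIBUTE       Example-Corp-Site-IP    2   ipaddr
ATTRIBUTE       Example-Corp-Tier       3   integer
VALUE           Example-Corp-Tier       gold    1
VALUE           Example-Corp-Tier       silver  2
ATTRIBUTE       Example-Corp-Blob       4   octets
END-VENDOR      Example-Corp
"""
SAMPLE_BAD = """\
VENDOR          Example-Corp            32473
VENDOR          Other-Corp              32473
ATTRIBUTE       Other-Thing             1   string  Example-Corp
ATTRIBUTE       Example-Corp-Bad.Name   2   string  Example-Corp
ATTRIBUTE       Example-Corp-When       3   date    Example-Corp
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        vendors, errors = parse_dictionary(sample)
        print(label, "->", "import ok" if not errors else "import stopped")
        for err in errors:
            print("  ", err)
```

    Running the block prints "import ok" for the first sample and four numbered errors for the second (duplicate vendor ID, wrong name prefix, an unsupported "." character, and a type that is not in Table 10). Passing the names already defined in ACS as existing_vendors or existing_attributes reproduces the "already present" failure the guide describes.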
    Related Topics
    Viewing RADIUS and TACACS+ Attributes, page 6
    Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes
    To create, duplicate, and edit RADIUS vendor-specific subattributes:
    1. Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA.
    You can alternatively choose the RADIUS VSA from the navigation pane.
    2. Do one of the following:
    Click Create to create a subattribute for this RADIUS VSA.
    Check the check box of the RADIUS VSA that you want to duplicate, then click Duplicate.
    Check the check box of the RADIUS VSA that you want to edit, then click Edit.
    Check the check box of a RADIUS vendor and click Show Vendor Attributes to view the VSAs of this vendor.
    The RADIUS VSA subattribute create page appears.
    3. Complete the fields described in Table 11 on page 11.
    						