Cisco Acs 57 User Guide
Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 44
4
Common Scenarios Using ACS
Overview of Device Administration
3.ACS optionally uses an identity store (external Lightweight Directory Access Protocol [LDAP], Active Directory,
RADIUS Identity Server, or internal ACS identity store) to retrieve user attributes which are included in policy
processing.
4.The response indicates whether the administrator is authorized to issue the command.
To configure a command authorization policy (device administration rule table) to allow an administrator to issue...](http://img.usermanuals.tech/thumb/17/104529/w64_acs-57-user-guide-1523997061_d-43.png "Page 44
4
Common Scenarios Using ACS
Overview of Device Administration
3.ACS optionally uses an identity store (external Lightweight Directory Access Protocol [LDAP], Active Directory,
RADIUS Identity Server, or internal ACS identity store) to retrieve user attributes which are included in policy
processing.
4.The response indicates whether the administrator is authorized to issue the command.
To configure a command authorization policy (device administration rule table) to allow an administrator to issue...")
1 Cisco Systems, Inc.www.cisco.com Common Scenarios Using ACS Network control refers to the process of controlling access to a network. Traditionally a username and password was used to authenticate a user to a network. Now a days with the rapid technological advancements, the traditional method of managing network access with a username and a password is no longer sufficient. The ways in which the users can access the network and what they can access have changed considerably. Hence, you must define complex and dynamic policies to control access to your network. For example, earlier, a user was granted access to a network and authorized to perform certain actions based on the group that the user belonged to. Now, in addition to the group that the user belongs to, you must also consider other factors, such as whether: The user is trying to gain access within or outside of work hours. The user is attempting to gain access remotely. The user has full or restricted access to the services and resources. Apart from users, you also have devices that attempt to connect to your network. When users and devices try to connect to your network through network access servers, such as wireless access points, 802.1x switches, and VPN servers, ACS authenticates and authorizes the request before a connection is established. Authentication is the process of verifying the identity of the user or device that attempts to connect to a network. ACS receives identity proof from the user or device in the form of credentials. There are two different authentication methods: Password-based authentication—A simpler and easier way of authenticating users. The user enters a username and password. The server checks for the username and password in its internal or external databases and if found, grants access to the user. The level of access (authorization) is defined by the rules and conditions that you have created. Certificate-based authentication—ACS supports certificate-based authentication with the use of the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) and Protected Extensible Authentication Protocol-Transport Level Security (PEAP-TLS), which uses certificates for server authentication by the client and for client authentication by the server. Certificate-based authentication methods provide stronger security and are recommended when compared to password-based authentication methods. Authorization determines the level of access that is granted to the user or device. The rule-based policy model in ACS 5.x allows you to define complex conditions in rules. ACS uses a set of rules (policy) to evaluate an access request and to return a decision. ACS organizes a sequence of independent policies into an access service, which is used to process an access request. You can create multiple access services to process different kinds of access requests; for example, for device administration or network access. Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network services and resources (including devices, such as IP phones, printers, and so on). ACS 5.7 is a policy-based access control system that allows you to create complex policy conditions and helps you to comply with the various Governmental regulations. When you deploy ACS in your network, you must choose an appropriate authentication method that determines access to your network.
2 Common Scenarios Using ACS Overview of Device Administration This chapter provides guidelines for some of the common scenarios. This chapter contains: Overview of Device Administration, page 2 Password-Based Network Access, page 5 Certificate-Based Network Access, page 8 Agentless Network Access, page 11 VPN Remote Network Access, page 19 ACS and Cisco Security Group Access, page 21 RADIUS and TACACS+ Proxy Requests, page 26 Enabling and Disabling IPv6 for Network Interfaces, page 34 Overview of Device Administration Device administration allows ACS to control and audit the administration operations performed on network devices, by using these methods: Session administration—A session authorization request to a network device elicits an ACS response. The response includes a token that is interpreted by the network device which limits the commands that may be executed for the duration of a session. See Session Administration, page 3. Command authorization—When an administrator issues operational commands on a network device, ACS is queried to determine whether the administrator is authorized to issue the command. See Command Authorization, page 3. Device administration results can be shell profiles or command sets. Shell profiles allow a selection of attributes to be returned in the response to the authorization request for a session, with privilege level as the most commonly used attribute. Shell profiles contain common attributes that are used for shell access sessions and user-defined attributes that are used for other types of sessions. ACS 5.7 allows you to create custom TACACS+ authorization services and attributes. You can define: Any A-V pairs for these attributes. The attributes as either optional or mandatory. Multiple A-V pairs with the same name (multi-part attributes). ACS also supports task-specific predefined shell attributes. Using the TACACS+ shell profile, you can specify custom attributes to be returned in the shell authorization response. See TACACS+ Custom Services and Attributes, page 4. Command sets define the set of commands, and command arguments, that are permitted or denied. The received command, for which authorization is requested, is compared against commands in the available command sets that are contained in the authorization results. If a command is matched to a command set, the corresponding permit or deny setting for the command is retrieved. If multiple results are found in the rules that are matched, they are consolidated and a single permit or deny result for the command is returned, as described in these conditions: If an explicit deny-always setting exists in any command set, the command is denied. If no explicit deny-always setting exists in a command set, and any command set returns a permit result, the command is permitted. If either of the previous two conditions are not met, the command is denied.
3 Common Scenarios Using ACS Overview of Device Administration You configure the permit and deny settings in the device administration rule table. You configure policy elements within a device administration rule table as conditions that are or not met. The rule table maps specific request conditions to device administration results through a matching process. The result of rule table processing is a shell profile or a command set, dependent on the type of request. Session administration requests have a shell profile result, which contains values of attributes that are used in session provisioning. Command authorization requests have a command authorization result, which contains a list of command sets that are used to validate commands and arguments. This model allows you to configure the administrator levels to have specific device administration capabilities. For example, you can assign a user the Network Device Administrator role which provides full access to device administration functions, while a Read Only Admin cannot perform administrative functions. Session Administration The following steps describe the flow for an administrator to establish a session (the ability to communicate) with a network device: 1.An administrator accesses a network device. 2.The network device sends a RADIUS or TACACS+ access request to ACS. 3.ACS uses an identity store (external LDAP, Active Directory, RSA, RADIUS Identity Server, or internal ACS identity store) to validate the administrator’s credentials. 4.The RADIUS or TACACS+ response (accept or reject) is sent to the network device. The accept response also contains the administrator’s maximum privilege level, which determines the level of administrator access for the duration of the session. To configure a session administration policy (device administration rule table) to permit communication: 1.Configure the TACACS+ protocol global settings and user authentication option. See Configuring TACACS+ Settings, page 1. 2.Configure network resources. See Network Devices and AAA Clients, page 5. 3.Configure the users and identity stores. See Managing Internal Identity Stores, page 4 or Managing External Identity Stores, page 29. 4.Configure shell profiles according to your needs. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 22. 5.Configure an access service policy. See Access Service Policy Creation, page 4. 6.Configure a service selection policy. See Service Selection Policy Creation, page 4. 7.Configure an authorization policy (rule table). See Configuring a Session Authorization Policy for Network Access, page 30. Command Authorization This topic describes the flow for an administrator to issue a command to a network device. Note: The device administration command flow is available for the TACACS+ protocol only. 1.An administrator issues a command to a network device. 2.The network device sends an access request to ACS.
4 Common Scenarios Using ACS Overview of Device Administration 3.ACS optionally uses an identity store (external Lightweight Directory Access Protocol [LDAP], Active Directory, RADIUS Identity Server, or internal ACS identity store) to retrieve user attributes which are included in policy processing. 4.The response indicates whether the administrator is authorized to issue the command. To configure a command authorization policy (device administration rule table) to allow an administrator to issue commands to a network device: 1.Configure the TACACS+ protocol global settings and user authentication option. See Configuring TACACS+ Settings, page 1. 2.Configure network resources. See Network Devices and AAA Clients, page 5. 3.Configure the users and identity stores. See Managing Internal Identity Stores, page 4 or Managing External Identity Stores, page 29. 4.Configure command sets accor d i n g t o yo u r n e e d s . S e e Creating, Duplicating, and Editing Command Sets for Device Administration, page 27. 5.Configure an access service policy. See Access Service Policy Creation, page 4. 6.Configure a service selection policy. See Service Selection Policy Creation, page 4. 7.Configure an authorization policy (rule table). See Configuring Shell/Command Authorization Policies for Device Administration, page 35. Related Topics Network Devices and AAA Clients, page 5 Configuring System Administrators and Accounts, page 3 Managing Users and Identity Stores, page 1 Managing External Identity Stores, page 29 Managing Policy Conditions, page 1 Managing Access Policies, page 1 TACACS+ Custom Services and Attributes This topic describes the configuration flow to define TACACS+ custom attributes and services. 1.Create a custom TACACS+ condition to move to TACACS+ service on request. To do this: a.Go to Policy Elements > Session Conditions > Custom and click Create. b.Create a custom TACACS+ condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 5. 2.Create an access service for Device Administration with the TACACS+ shell profile as the result. See Configuring Shell/Command Authorization Policies for Device Administration, page 35. 3.Create custom TACACS+ attributes. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 22.
5 Common Scenarios Using ACS Password-Based Network Access Password-Based Network Access This section contains the following topics: Overview of Password-Based Network Access, page 5 Password-Based Network Access Configuration Flow, page 6 For more information about password-based protocols, see Authentication in ACS 5.7, page 1 Overview of Password-Based Network Access The use of a simple, unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access. Encryption reduces the risk of password capture on the network. Client and server access-control protocols, such as RADIUS encrypt passwords to prevent them from being captured within a network. However, RADIUS operates only between the AAA client and ACS. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords, in these scenarios: The communication between an end-user client dialing up over a phone line An ISDN line terminating at a network-access server Over a Telnet session between an end-user client and the hosting device ACS supports various authentication methods for authentication against the various identity stores that ACS supports. For more information about authentication protocol identity store compatibility, see Authentication Protocol and Identity Store Compatibility, page 32. Passwords can be processed by using these password-authentication protocols based on the version and type of security-control protocol used (for example, RADIUS), and the configuration of the AAA client and end-user client. You can use different levels of security with ACS concurrently, for different requirements. Password Authentication Protocol (PAP) provides a basic security level. PAP provides a very basic level of security, but is simple and convenient for the client. MSCHAPv2 allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client. Note: During password-based access (or certificate-based access), the user is not only authenticated but also authorized according to the ACS configuration. And if NAS sends accounting requests, the user is also accounted. ACS supports the following password-based authentication methods: Plain RADIUS password authentication methods —RADIUS-PAP —RADIUS-CHAP —RADIUS-MSCHAPv1 —RADIUS-MSCHAPv2 RADIUS EAP-based password authentication methods —PEAP-MSCHAPv2 —PEAP-GTC —EAP-FAST-MSCHAPv2
6 Common Scenarios Using ACS Password-Based Network Access —EAP-FAST-GTC —EAP-MD5 —LEAP You must choose the authentication method based on the following factors: The network access server—Wireless access points, 802.1X authenticating switches, VPN servers, and so on. The client computer and software—EAP supplicant, VPN client, and so on. The identity store that is used to authenticate the user—Internal or External (AD, LDAP, RSA token server, or RADIUS identity server). Related Topics Authentication in ACS 5.7, page 1 Password-Based Network Access Configuration Flow, page 6 Network Devices and AAA Clients, page 5 Managing Access Policies, page 1 Password-Based Network Access Configuration Flow This topic describes the end-to-end flow for password-based network access and lists the tasks that you must perform. The information about how to configure the tasks is located in the relevant task chapters. To configure password-based network access: 1.Configure network devices and AAA clients. a.In the Network Devices and AAA Clients, page 5, configure the Authentication Setting as RADIUS. b.Enter the Shared Secret. See Network Devices and AAA Clients, page 5, for more information. 2.Configure the users and identity stores. For more information, see Managing Users and Identity Stores, page 1 3.Define policy conditions and authorization profiles. For more information, see Managing Policy Elements, page 1 4.Define an access service. For more information, see Creating, Duplicating, and Editing Access Services, page 11. a.Set the Access Service Type to Network Access. b.Select one of the ACS-supported protocols in the Allowed Protocols Page and follow the steps in the Action column in Table 11 on page 7. 5.Add the access service to your service selection policy. For more information, see Creating, Duplicating, and Editing Service Selection Rules, page 7. 6.Return to the service that you created and in the Authorization Policy Page, define authorization rules. For more information, see Configuring Access Service Policies, page 22.
7 Common Scenarios Using ACS Password-Based Network Access For RADIUS, non-EAP authentication methods (RADIUS/PAP, RADIUS/CHAP, RADIUS/MS-CHAPv1, RADIUS/MSCHAPv2), and simple EAP methods (EAP-MD5 and LEAP), you need to configure only the protocol in the Allowed Protocols page as defined in Table 11 on page 7. Some of the complex EAP protocols require additional configuration: For EAP-TLS, you must also configure: —The EAP-TLS settings under System Administration > Configuration > EAP-TLS Settings. —A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates. —A CA certificate under Users and Identity Stores > Certificate Authorities. For PEAP, you must also configure: Table 11 Network Access Authentication Protocols Protocol Action Process Host Lookup (MAB)In the Allowed Protocols Page, choose Process Host Lookup. RADIUS PAP In the Allowed Protocols Page, choose Allow PAP/ASCII. RADIUS CHAP In the Allowed Protocols Page, choose Allow CHAP. RADIUS MSCHAPv1 In the Allowed Protocols Page, choose Allow MS-CHAPv1. RADIUS MSCHAPv2 In the Allowed Protocols Page, choose Allow MS-CHAPv2. EAP-MD5 In the Allowed Protocols Page, choose Allow EAP-MD5. LEAP In the Allowed Protocols Page, choose Allow LEAP. PEAP In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-MSCHAPv2 or EAP-GTC or both. EAP-FAST1.In the Allowed Protocols Page, choose Allow EAP-FAST to enable the EAP-FAST settings. 2.For the EAP-FAST inner method, choose EAP-MSCHAPv2 or EAP-GTC or both. 3.Select Allow Anonymous In-Band PAC Provisioning or Allow Authenticated In-Band PAC Provisioning or both. For Windows machine authentication against Microsoft AD and for the change password feature: 1.Click the Use PACS radio button. For details about PACs, see About PACs, page 20. 2.Check Allow Authenticated In-Band PAC Provisioning. 3.Check Allow Machine Authentication. 4.Enter the Machine PAC Time to Live. 5.Check Enable Stateless Session Resume. 6.Enter the Authorization PAC Time to Live. 7.Check Preferred EAP Protocol to set the preferred protocol from the list. 8.Check EAP-TLS L-bit to set the Length included flag in the access policies.
8 Common Scenarios Using ACS Certificate-Based Network Access —The inner method in the Allowed Protocols page and specify whether password change is allowed. —The PEAP settings under System Administration > Configuration > PEAP Settings. —Local server certificates under System Administration > Configuration > Local Server Certificates > Local Certificates. For EAP-FAST, you must also configure: —The inner method in the Allowed Protocols page and specify whether password change is allowed. —Whether or not to use PACs and if you choose to use PACs, you must also specify how to allow in-band PAC provisioning. —The EAP-FAST settings under System Administration > Configuration > EAP-FAST > Settings. —A local server certificate under System Administration > Configuration > Local Server Certificates > Local Certificates (Only if you enable authenticated PAC provisioning). Related Topics Authentication in ACS 5.7, page 1 Network Devices and AAA Clients, page 5 Managing Access Policies, page 1 Creating, Duplicating, and Editing Access Services, page 11 About PACs, page 20 Certificate-Based Network Access This section contains the following topics: Overview of Certificate-Based Network Access, page 8 Using Certificates in ACS, page 9 Certificate-Based Network Access, page 9 For more information about certificate-based protocols, see Authentication in ACS 5.7, page 1 Overview of Certificate-Based Network Access Before using EAP-TLS, you must install a computer certificate on ACS. The installed computer certificate must be issued from a CA that can follow a certificate chain to a root CA that the access client trusts. Additionally, in order for ACS to validate the user or computer certificate of the access client, you must install the certificate of the root CA that issued the user or computer certificate to the access clients. ACS supports certificate-based network access through the EAP-TLS protocol, which uses certificates for server authentication by the client and for client authentication by the server. Other protocols, such as PEAP or the authenticated-provisioning mode of EAP-FAST also make use of certificates for server authentication by the client, but they cannot be considered certificate-based network access because the server does not use the certificates for client authentication. ACS Public Key Infrastructure (PKI) certificate-based authentication is based on X509 certificate identification. The entity which identifies itself with a certificate holds a private-key that correlates to the public key stored in the certificate.
9 Common Scenarios Using ACS Certificate-Based Network Access A certificate can be self-signed or signed by another CA. A hierarchy of certificates can be made to form trust relations of each entity to its CA. The trusted root CA is the entity that signs the certificate of all other CAs and eventually signs each certificate in its hierarchy. ACS identifies itself with its own certificate. ACS supports a certificate trust list (CTL) for authorizing connection certificates. ACS also supports complex hierarchies that authorize an identity certificate when all of the chain certificates are presented to it. ACS supports several RSA key sizes used in the certificate that are 512, 1024, 2048, or 4096 bits. Other key sizes may be used. ACS 5.7 supports RSA. ACS does not support the Digital Signature Algorithm (DSA). However, in some use cases, ACS will not prevent DSA cipher suites from being used for certificate-based authentication. All certificates that are used for network access authentication must meet the requirements for X.509 certificates and work for connections that use SSL/TLS. After this minimum requirement is met, the client and server certificates have additional requirements. You can configure two types of certificates in ACS: Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates. Local certificate—Also known as local server certificate. The client uses the local certificate with various protocols to authenticate the ACS server. This certificate is maintained in association with its private key, which is used to prove possession of the certificate. During certificate-based access (or password-based access), the user is not only authenticated but also authorized according to the ACS configuration. And if NAS sends accounting requests, the user is also accounted. Note: ACS does not support wild card certificates. Related Topics Configuring CA Certificates, page 83 Configuring Local Server Certificates, page 16 Using Certificates in ACS, page 9 Using Certificates in ACS The three use cases for certificates in ACS 5.7 are: Certificate-Based Network Access, page 9 Authorizing the ACS Web Interface from Your Browser Using a Certificate, page 11 Validating an LDAP Secure Authentication Connection, page 11 Certificate-Based Network Access For TLS- related EAP and PEAP protocols, you must set up a server certificate from the local certificate store and a trust list certificate to authenticate the client. You can choose the trust certificate from any of the certificates in the local certificate store. To use EAP-TLS or PEAP (EAP-TLS), you must obtain and install trust certificates. The information about how to perform the tasks is located in the relevant task chapters. Before you Begin: Set up the server by configuring:
10 Common Scenarios Using ACS Certificate-Based Network Access EAP-TLS or PEAP (EAP-TLS) The local certificate. See Configuring Local Server Certificates, page 16. To configure certificate-based network access for EAP-TLS or PEAP (EAP-TLS): 1.Configure the trust certificate list. See Configuring CA Certificates, page 83, for more information. 2.Configure the LDAP external identity store. You might want to do this to verify the certificate against a certificate stored in LDAP. See Creating External LDAP Identity Stores, page 33, for details. 3.Set up the Certificate Authentication Profile. See Configuring Certificate Authentication Profiles, page 89, for details. 4.Configure policy elements. See Managing Policy Conditions, page 1, for more information. You can create custom conditions to use the certificate’s attributes as a policy condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 5, for details. 5.Create an access service. See Configuring Access Services, page 10, for more information. 6.In the Allowed Protocols Page, choose EAP-TLS or PEAP (EAP-TLS) as inner method. 7.Configure identity and authorization policies for the access service. See Configuring Access Service Policies, page 22, for details. Note: When you create rules for the identity policy, the result may be the Certificate Authentication Profile or an Identity Sequence. See Viewing Identity Policies, page 23, for more information. 8.Configure the Authorization Policies. See Configuring a Session Authorization Policy for Network Access, page 30. 9.Configure the Service Selection Policy. See Configuring the Service Selection Policy, page 5. Related Topics Configuring Local Server Certificates, page 16 Configuring CA Certificates, page 83 Authentication in ACS 5.7, page 1 Table 12 Network Access Authentication Protocols Protocol Action EAP-TLS In the Allowed Protocols Page, choose Allow EAP-TLS to enable the EAP-TLS settings. Enable Stateless Session resume—Check this check box to enable the Stateless Session Resume feature per Access service. This feature enables you to configure the following options: —Proactive Session Ticket update—Enter the value as a percentage to indicate how much of the Time to Live must elapse before the session ticket is updated. For example, the session ticket update occurs after 10 percent of the Time to Live has expired, if you enter the value 10. —S e ss i o n t i c ke t Ti m e to Li ve—Enter the equivalent maximum value in days, weeks, months, and years, using a positive integer. PEAP In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-TLS or PEAP Cryptobinding TLV.