Cisco Acs 57 User Guide
11 Managing System Administration Configurations Managing Dictionaries

4. Click Submit to save the subattribute.

Table 11 Creating, Duplicating, and Editing RADIUS Subattributes

General
Attribute: Name of the subattribute. The name must be unique.
Description: (Optional) A brief description of the subattribute.

RADIUS Configuration
Vendor Attribute ID: Enter the vendor ID field for the subattribute. This value must be unique for this vendor.
Direction: Specifies where the attribute is in use: in the request, in the response, or both (single or bidirectional authentication).
Multiple Allowed: Multiple attributes are allowed. Attributes that specify multiple allowed can be used more than once in one request or response.
Include attribute in the log: Check this check box to include the subattribute in the log. For sensitive attributes, you can uncheck this check box so that they are not logged.

Attribute Type
Attribute Type: Type of the attribute. Valid options are: String, Unsigned Integer 32, IPv4 Address, HEX String, and Enumeration. If you choose Enumeration, you must enter the ID-Value pair. You cannot use attributes of type HEX String in policy conditions.
ID-Value: (Optional) For the Enumeration attribute type only. ID—Enter a number from 0 to 999. Value—Enter a value for the ID. Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, and delete ID-Value pairs: select the ID-Value pair from the ID-Value table; click Edit to edit the ID and Value fields and edit the fields as required; click Add to add a new entry after you modify the fields; click Replace to replace the same entry with different values; click Delete to delete the entry from the ID-Value table.

Attribute Configuration
Add Policy Condition: Check this check box to enter a policy condition in which this subattribute will be used.
Policy Condition Display Name: Enter the name of the policy condition that will use this subattribute.
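The subattribute fields in Table 11 (attribute type, direction, Multiple Allowed, include in log) describe how ACS interprets a RADIUS Vendor-Specific Attribute on the wire. The following added example, which is not ACS code and is not taken from the manual, encodes and decodes VSAs per RFC 2865 attribute 26 against a small dictionary built from those same fields; the vendor ID 9999 and the Example-* subattributes are constructed for the example, and the decoder enforces the Direction and Multiple Allowed settings, checks lengths before reading, and redacts subattributes whose log box is unchecked.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (RFC 2865 attribute 26)
against a small vendor dictionary whose fields mirror the ACS subattribute form
(attribute type, direction, Multiple Allowed, include attribute in the log).
Added example: not ACS code; the vendor ID and subattributes are constructed."""
import ipaddress
import struct

VSA_TYPE = 26          # RADIUS attribute type "Vendor-Specific" (RFC 2865, section 5.26)
VENDOR_ID = 9999       # constructed vendor ID for the example, not a real IANA assignment
MAX_ATTR_LEN = 255     # a RADIUS attribute length is a single byte

# Constructed dictionary keyed by Vendor Attribute ID (the "vendor type" byte on the wire).
# direction: "request", "response" or "both"; log=False marks a sensitive subattribute.
DICTIONARY = {
    1: {"name": "Example-Role", "type": "Enumeration", "direction": "response",
        "multiple": False, "log": True, "enum": {0: "guest", 1: "staff", 2: "admin"}},
    2: {"name": "Example-Idle-Timeout", "type": "Unsigned Integer 32", "direction": "response",
        "multiple": False, "log": True},
    3: {"name": "Example-Gateway", "type": "IPv4 Address", "direction": "both",
        "multiple": True, "log": True},
    4: {"name": "Example-Token", "type": "HEX String", "direction": "request",
        "multiple": False, "log": False},   # HEX String: opaque bytes, unusable in policy conditions
    5: {"name": "Example-Note", "type": "String", "direction": "both",
        "multiple": True, "log": True},
}

def _encode_value(attr, value):
    kind = attr["type"]
    if kind == "String":
        return value.encode("utf-8")
    if kind == "Unsigned Integer 32":
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("Unsigned Integer 32 out of range")
        return struct.pack("!I", value)
    if kind == "IPv4 Address":
        return ipaddress.IPv4Address(value).packed
    if kind == "HEX String":
        return bytes.fromhex(value)
    if kind == "Enumeration":            # value is the enumeration text; the ID (0..999) goes on the wire
        by_text = {text: eid for eid, text in attr["enum"].items()}
        return struct.pack("!I", by_text[value])
    raise ValueError(f"unsupported attribute type {kind}")

def _decode_value(attr, raw):
    kind = attr["type"]
    if kind == "String":
        return raw.decode("utf-8")
    if kind == "Unsigned Integer 32":
        return struct.unpack("!I", raw)[0]
    if kind == "IPv4 Address":
        return str(ipaddress.IPv4Address(raw))
    if kind == "HEX String":
        return raw.hex()
    if kind == "Enumeration":
        return attr["enum"][struct.unpack("!I", raw)[0]]
    raise ValueError(f"unsupported attribute type {kind}")

def encode_vsa(vendor_type, value):
    """Build one attribute: type 26, length, 4-byte vendor ID, vendor type, vendor length, value."""
    payload = _encode_value(DICTIONARY[vendor_type], value)
    body = struct.pack("!IBB", VENDOR_ID, vendor_type, 2 + len(payload)) + payload
    if 2 + len(body) > MAX_ATTR_LEN:
        raise ValueError("VSA payload too long for a single RADIUS attribute")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def decode_attributes(blob, direction):
    """Walk a RADIUS attribute list and decode this vendor's VSAs.
    Enforces the dictionary's Direction and Multiple Allowed settings and
    rejects malformed lengths instead of reading past the buffer."""
    decoded, counts, pos = [], {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute length")
        data = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE:
            continue                     # standard attribute: not handled here
        if len(data) < 6:
            raise ValueError("VSA too short for vendor header")
        vendor_id, vtype, vlen = struct.unpack("!IBB", data[:6])
        if vendor_id != VENDOR_ID:
            continue                     # another vendor's VSA: leave untouched
        if vlen != len(data) - 4:
            raise ValueError("vendor length does not match attribute length")
        attr = DICTIONARY.get(vtype)
        if attr is None:
            raise ValueError(f"unknown subattribute {vtype} for vendor {VENDOR_ID}")
        if attr["direction"] not in ("both", direction):
            raise ValueError(f"{attr['name']} is not valid in a {direction}")
        counts[vtype] = counts.get(vtype, 0) + 1
        if counts[vtype] > 1 and not attr["multiple"]:
            raise ValueError(f"{attr['name']} may appear only once per packet")
        decoded.append((attr["name"], _decode_value(attr, data[6:])))
    return decoded

def log_view(decoded):
    """Logging view: subattributes whose 'Include attribute in the log' box is unchecked are redacted."""
    by_name = {a["name"]: a for a in DICTIONARY.values()}
    return [(name, value if by_name[name]["log"] else "<redacted>") for name, value in decoded]

if __name__ == "__main__":
    response = encode_vsa(1, "staff") + encode_vsa(3, "10.1.2.3") + encode_vsa(3, "10.1.2.4")
    print(decode_attributes(response, "response"))
    request = b"\x01\x07alice" + encode_vsa(4, "deadbeef")   # User-Name (type 1) followed by a VSA
    print(log_view(decode_attributes(request, "request")))
```

The two length checks (outer attribute length and inner vendor length) are where VSA parsers usually go wrong; a dictionary entry tells the server what a value means, but the parser still has to refuse a packet whose lengths disagree before it trusts the value.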
Viewing RADIUS Vendor-Specific Subattributes

To view the attributes that are supported by a particular RADIUS vendor:

1. Choose System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA. The RADIUS VSA page appears.
2. Check the check box of the vendor whose attributes you want to view, then click Show Vendor Attributes.

The vendor-specific attributes and the fields listed in Table 8 on page 6 are displayed. You can create additional VSAs, and duplicate or edit these attributes. For more information, see Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes, page 10.

Related Topic
Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 7

Configuring Identity Dictionaries

This section contains the following topics:
Creating, Duplicating, and Editing an Internal User Identity Attribute, page 12
Deleting an Internal User Identity Attribute, page 14
Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 15
Deleting an Internal Host Identity Attribute, page 15

Creating, Duplicating, and Editing an Internal User Identity Attribute

To create, duplicate, or edit an internal user identity attribute:

1. Select System Administration > Configuration > Dictionaries > Identity > Internal Users. The Attributes list for the Internal Users page appears.
2. Perform one of these actions:
   Click Create.
   Check the check box of the attribute that you want to duplicate and click Duplicate.
   Click the attribute name that you want to modify; or, check the check box for the name and click Edit.
   The Identity Attribute Properties page appears.
3. Modify the fields in the Identity Attribute Properties page as required. See Configuring Internal Identity Attributes, page 13 for field descriptions.
4. Click Submit.
The internal user attribute configuration is saved. The Attributes list for the Internal Users page appears with the new attribute configuration.

Related Topics
Deleting an Internal User Identity Attribute, page 14
Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 15
Policies and Identity Attributes, page 16

Configuring Internal Identity Attributes

Table 12 on page 13 describes the fields in the internal identity attributes.

Table 12 Identity Attribute Properties Page

General
Attribute: Name of the attribute.
Description: Description of the attribute.

Attribute Type
Attribute Type: (Optional) Use the drop-down list box to choose an attribute type. Valid options are:
String—Populates the Maximum Length and Default Value fields in the page. When you select String as the attribute type and enter a non-null value for a user, the user is authenticated against the ID store whose name matches the value already set for the attribute shown in the user details (ACS-RESERVED-Authen-ID-Store).
Unsigned Integer 32—Populates the Valid Range From and To fields in the page.
IP Address—Populates the Default Value field in the page. This can be either an IPv4 or an IPv6 address.
Boolean—Populates the Default Value check box in the page. When you set the value of the Boolean attribute to true, it overrides the global settings for the password expiration policy and deactivates the policy (ACS-RESERVED-Never-Expired).
Date—Populates the Default Value field and calendar icon in the page.
Enumeration—Populates the ID and Value fields and the Add, Edit, Replace, and Delete buttons.
Maximum Length: (Optional) For the String attribute type only. Enter the maximum length of your attribute. The valid range is from 1 to 256. (Default = 32)
Value Range: (Optional) For the Unsigned Integer attribute type only.
From—Enter the lowest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be smaller than the Valid Range To value.
To—Enter the highest acceptable integer value. The valid range is from 0 to 2^31-1 (2147483647). This value must be larger than the Valid Range From value.
Deleting an Internal User Identity Attribute

To delete an internal user identity attribute:

1. Select System Administration > Configuration > Dictionaries > Identity > Internal Users. The Attributes list for the Internal Users page appears.
2. Check the check box of the attribute you want to delete. Because deleting an identity attribute can take a long time to process, you can delete only one attribute at a time.
3. Click Delete.
4. For confirmation, click OK or Cancel.

Table 12 Identity Attribute Properties Page (continued)

Default Value: Enter the default value for the appropriate attribute:
String—Up to the maximum length. (Follow the UTF-8 standard.) You can use the letters a to z, A to Z, and the digits 0 to 9.
Unsigned Integer 32—An integer in the range from 0 to 2^31-1 (2147483647).
IP Address—Enter the IP address you want to associate with this attribute, in this format:
   IPv4 address—x.x.x.x, where x.x.x.x is the IPv4 address (no subnet mask)
   IPv6 address—x:x:x:x:x:x:x:x, where x:x:x:x:x:x:x:x is the IPv6 address (no subnet mask)
Date—Click the calendar icon to display the calendar pop-up and select a date.
Boolean Value—Select True or False.
ID-Value: (Optional) For the Enumeration attribute type only. ID—Enter a number from 0 to 999. Value—Enter a value for the ID. Click Add to add this ID-Value pair to the ID-Value table. To edit, replace, and delete ID-Value pairs: select the ID-Value pair from the ID-Value table; click Edit to edit the ID and Value fields and edit the fields as required; click Add to add a new entry after you modify the fields; click Replace to replace the same entry with different values; click Delete to delete the entry from the ID-Value table.

Attribute Configuration
Mandatory Fields: Check the check box to make this attribute a requirement in the User Properties page.
Add Policy Condition: Check the check box to create a custom condition from this attribute. When you check this option, you must enter a name in the Policy Condition Display Name field.
Policy Condition Display Name: Enter a name for the policy condition. After you submit this page, the condition appears in the Policy Elements > Session Conditions > Custom page.
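Table 12 defines a small type system for identity attributes (string length and character set, the 0 to 2^31-1 integer range with From smaller than To, IPv4 or IPv6 without a subnet mask, enumeration IDs 0 to 999, Mandatory Fields) and one reserved Boolean, ACS-RESERVED-Never-Expired, that switches the password expiration policy off for a user. The following added example, which is not ACS code and does not come from the manual, enforces those rules for attribute definitions and for per-user values, then applies the Never-Expired override; the schema and user records in it are constructed, and the attribute names other than ACS-RESERVED-Never-Expired are hypothetical.

```python
"""Validate internal identity attribute definitions and per-user values against
the rules in Table 12 (string length and character set, Unsigned Integer 32
range, IPv4/IPv6 without subnet mask, Enumeration IDs 0..999, Mandatory Fields)
and apply the ACS-RESERVED-Never-Expired override the table describes.
Added example: not ACS code; attribute and user data are constructed."""
import datetime
import ipaddress
import re

UINT32_MAX = 2**31 - 1                          # Table 12: 0 to 2^31-1 (2147483647)
STRING_CHARS = re.compile(r"^[A-Za-z0-9]*$")    # Default Value row: a-z, A-Z, 0-9
VALID_TYPES = ("String", "Unsigned Integer 32", "IP Address", "Boolean", "Date", "Enumeration")

def define_attribute(name, attr_type, max_length=32, value_range=None,
                     enum=None, mandatory=False, default=None):
    """Return an attribute definition, rejecting settings the properties page disallows."""
    if attr_type not in VALID_TYPES:
        raise ValueError(f"{name}: unknown attribute type {attr_type}")
    if attr_type == "String" and not 1 <= max_length <= 256:
        raise ValueError(f"{name}: Maximum Length must be 1..256")
    if attr_type == "Unsigned Integer 32":
        low, high = value_range if value_range else (0, UINT32_MAX)
        if not (0 <= low <= UINT32_MAX and 0 <= high <= UINT32_MAX):
            raise ValueError(f"{name}: range bounds must lie in 0..{UINT32_MAX}")
        if low >= high:
            raise ValueError(f"{name}: Valid Range From must be smaller than Valid Range To")
        value_range = (low, high)
    if attr_type == "Enumeration":
        if not enum:
            raise ValueError(f"{name}: Enumeration needs at least one ID-Value pair")
        if any(not 0 <= eid <= 999 for eid in enum):
            raise ValueError(f"{name}: Enumeration IDs must be 0..999")
    attr = {"name": name, "type": attr_type, "max_length": max_length,
            "range": value_range, "enum": dict(enum or {}), "mandatory": mandatory,
            "default": default}
    if default is not None:
        check_value(attr, default)              # the default must satisfy the type's own rules
    return attr

def check_value(attr, value):
    """Return the normalised value, or raise ValueError, following the Default Value rules."""
    name, kind = attr["name"], attr["type"]
    if kind == "String":
        if not isinstance(value, str) or len(value) > attr["max_length"] or not STRING_CHARS.match(value):
            raise ValueError(f"{name}: up to {attr['max_length']} characters from a-z, A-Z, 0-9")
        return value
    if kind == "Unsigned Integer 32":
        low, high = attr["range"]
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{name}: integer must be in {low}..{high}")
        return value
    if kind == "IP Address":
        if not isinstance(value, str) or "/" in value:
            raise ValueError(f"{name}: x.x.x.x or x:x:x:x:x:x:x:x, no subnet mask")
        return str(ipaddress.ip_address(value))   # raises ValueError for anything else
    if kind == "Boolean":
        if not isinstance(value, bool):
            raise ValueError(f"{name}: select True or False")
        return value
    if kind == "Date":
        return datetime.date.fromisoformat(value).isoformat()
    if kind == "Enumeration":
        if value not in attr["enum"].values():
            raise ValueError(f"{name}: value must be one of {sorted(attr['enum'].values())}")
        return value
    raise ValueError(f"{name}: unknown attribute type {kind}")

def validate_user(schema, supplied):
    """Apply a schema (list of definitions) to one user's attribute values.
    A missing mandatory attribute is an error; other missing attributes take their default."""
    result = {}
    unknown = set(supplied) - {a["name"] for a in schema}
    if unknown:
        raise ValueError(f"attributes not in dictionary: {sorted(unknown)}")
    for attr in schema:
        if attr["name"] in supplied:
            result[attr["name"]] = check_value(attr, supplied[attr["name"]])
        elif attr["mandatory"] and attr["default"] is None:
            raise ValueError(f"{attr['name']} is a mandatory field")
        else:
            result[attr["name"]] = attr["default"]
    return result

def password_expiry_enforced(user):
    """Table 12: a true ACS-RESERVED-Never-Expired Boolean overrides the global
    password expiration policy and deactivates it for that user."""
    return user.get("ACS-RESERVED-Never-Expired") is not True
```

Because a true ACS-RESERVED-Never-Expired disables password expiration for that account, it is worth reviewing which users carry it (service accounts are the usual case) rather than leaving it as an unremarkable attribute in the user list.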
The Attributes list for the Internal Users page appears without the deleted attribute.

Related Topics
Creating, Duplicating, and Editing an Internal User Identity Attribute, page 12
Policies and Identity Attributes, page 16

Creating, Duplicating, and Editing an Internal Host Identity Attribute

To create, duplicate, or edit an internal host identity attribute:

1. Select System Administration > Configuration > Dictionaries > Identity > Internal Hosts. The Attributes list for the Internal Hosts page appears.
2. Do one of the following:
   Click Create.
   Check the check box of the attribute that you want to duplicate and click Duplicate.
   Click the attribute name that you want to modify; or, check the check box for the name and click Edit.
   The Identity Attribute Properties page appears.
3. Modify the fields in the Identity Attribute Properties page as required. See Table 12 on page 13 for field descriptions.
4. Click Submit.

The internal host attribute configuration is saved. The Attributes list for the Internal Hosts page appears with the new attribute configuration.

Related Topics
Deleting an Internal Host Identity Attribute, page 15
Policies and Identity Attributes, page 16

Deleting an Internal Host Identity Attribute

To delete an internal host identity attribute:

1. Select System Administration > Configuration > Dictionaries > Identity > Internal User. The Attributes list for the Internal Hosts page appears.
2. Check the check box of the attribute you want to delete. Because deleting an attribute can take a long time to process, you can delete only one attribute at a time.
3. Click Delete.
4. For confirmation, click OK or Cancel.
16 Managing System Administration Configurations Configuring Local Server Certificates

The Attributes list for the Internal Hosts page appears without the deleted attribute.

Related Topics
Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 15
Policies and Identity Attributes, page 16

Adding a Static IP Address to Users in the Internal Identity Store

To add a static IP address to a user in the Internal Identity Store:

1. Add a static IP attribute to the internal user attribute dictionary:
2. Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
3. Click Create.
4. Add the static IP attribute.
5. Select Users and Identity Stores > Internal Identity Stores > Users.
6. Click Create.
7. Edit the static IP attribute of the user.

Configuring Local Server Certificates

Local server certificates are also known as ACS server certificates. ACS uses the local server certificates to identify itself to clients. The local server certificates are used by:
EAP protocols that use SSL/TLS tunneling.
The management interface, to authenticate the web interface (GUI).

This section contains the following topics:
Adding Local Server Certificates, page 17
Importing Server Certificates and Associating Certificates to Protocols, page 17
Generating Self-Signed Certificates, page 18
Generating a Certificate Signing Request, page 19
Binding CA Signed Certificates, page 20
Editing and Renewing Certificates, page 20
Deleting Certificates, page 21
Exporting Certificates, page 22
Viewing Outstanding Signing Requests, page 22
Adding Local Server Certificates

You can add a local server certificate, also known as an ACS server certificate, to identify the ACS server to clients.

1. Select System Administration > Configuration > Local Server Certificates > Local Certificates. The Local Certificates page appears, displaying the information in Table 13 on page 17.
2. Click Add.
3. Enter the information in the Local Certificate Store Properties page as described in Table 14 on page 17.

Importing Server Certificates and Associating Certificates to Protocols

The supported certificate formats are DER and PEM.

1. Select System Administration > Configuration > Local Server Certificates > Local Certificates > Add.
2. Select Import Server Certificate > Next.
3. Enter the information in the ACS Import Server Certificate page as described in Table 15 on page 18.

Table 13 Local Certificates Page

Friendly Name: Name that is associated with the certificate.
Issued To: Entity to which the certificate is issued. The name that appears is from the certificate subject.
Issued By: Trusted party that issued the certificate.
Valid From: Date the certificate is valid from.
Valid To (Expiration): Date the certificate is valid to.
Protocol: Protocol associated with the certificate.

Table 14 Local Certificate Store Properties Page

Import Server Certificate: Select to browse the client machine for the local certificate file and import the private key and private key password. See Importing Server Certificates and Associating Certificates to Protocols, page 17. Supported certificate formats include CER, DER, PEM, or Microsoft private key proprietary format.
Generate Self Signed Certificate: Select to generate a self-signed certificate. See Generating Self-Signed Certificates, page 18.
Generate Certificate Signing Request: Select to generate a certificate signing request. See Generating a Certificate Signing Request, page 19.
Bind CA Signed Certificate: Select to bind the CA-signed certificate. After the RA signs the request, you can install the returned signed certificate on ACS and bind the certificate with its corresponding private key. See Binding CA Signed Certificates, page 20.
4. Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate.

Generating Self-Signed Certificates

1. Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add.
2. Select Generate Self Signed Certificate > Next.
3. Enter the information in the ACS Import Server Certificate page as described in Table 16 on page 19.

Table 15 Import Server Certificate Page

Certificate File: Select to browse the client machine for the local certificate file.
Private Key File: Select to browse to the location of the private key.
Private Key Password: Enter the private key password. The value may have a minimum length of 0 and a maximum length of 256.
Protocol
EAP: Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
Management Interface: Check to associate the certificate with the management interface.
Allow Duplicate Certificates: Allows adding a certificate with the same CN and same SKI but different Valid From, Valid To, and Serial number.
Override Policy
Replace Certificate: Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.
4. Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate.

Generating a Certificate Signing Request

1. Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add.
2. Select Generate Certificate Signing Request > Next.
3. Enter the information in the ACS Import Server Certificate page as described in Table 17 on page 19.
4. Click Finish. The following message is displayed: A server certificate signing request has been generated and can be viewed in the “Outstanding Signing Requests” list.

Table 16 Generate Self Signed Certificate

Certificate Subject: Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is prefixed with “cn=”.
Key Length: Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096.
Digest to Sign with: Select either SHA1 or SHA256 from the drop-down list as the digest for management certificates.
Expiration TTL: Select the unit (days, weeks, months, or years) and enter a positive integer for the maximum value.
Protocol
EAP: Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
Management Interface: Check to associate the certificate with the management interface.
Allow Duplicate Certificates: Allows adding a certificate with the same CN and same SKI but different Valid From, Valid To, and Serial number.
Override Policy
Replace Certificate: Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.

Table 17 Generate Signing Requests

Certificate Subject: Certificate subject entered during generation of this request. The Certificate Subject field may contain alphanumeric characters. The maximum number of characters is 1024. This field is prefixed with “cn=”.
Key Length: Key length entered during generation of this request. Values may be 512, 1024, 2048, or 4096.
Digest to Sign with: Select either SHA1 or SHA256 from the drop-down list as the digest for management certificates.
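Tables 13 to 17 between them fix the generation parameters (a subject that ACS prefixes with cn=, key lengths of 512 to 4096 bits, SHA1 or SHA256, an Expiration TTL) and the store rules for what counts as a duplicate (same CN and same SKI) and what Replace Certificate preserves (the protocol selections). The following added example, which is not ACS code and does not come from the manual, validates a generation request and models those store rules; it generates no real keys or certificates, the SKI is derived from a constructed key identifier rather than a public key, the TTL unit lengths are an assumed approximation, and the hostnames and friendly names are constructed. It also flags 512- and 1024-bit keys and SHA1, which the page lists as accepted values, as choices to avoid.

```python
"""Check local server certificate generation parameters (Tables 16 and 17:
cn= subject, key length, digest, Expiration TTL) and model the Local
Certificates store rules from Tables 13-15 (Allow Duplicate Certificates,
Replace Certificate retaining protocol selections, per-protocol binding).
Added example with constructed data; no real keys or certificates are made
and the SKI is a hash of a constructed key identifier, not of a public key."""
import datetime
import hashlib

KEY_LENGTHS = (512, 1024, 2048, 4096)       # values the generation pages accept
DIGESTS = ("SHA1", "SHA256")
TTL_UNIT_DAYS = {"days": 1, "weeks": 7, "months": 30, "years": 365}   # assumed approximation
PROTOCOLS = ("EAP", "Management Interface")

def generation_request(subject, key_length, digest, ttl, unit, protocols):
    """Validate the fields of a self-signed or CSR generation request and note weak choices."""
    if subject.lower().startswith("cn="):        # ACS prefixes cn= itself; do not double it
        subject = subject[3:]
    full_subject = "cn=" + subject
    if not subject or len(full_subject) > 1024:
        raise ValueError("Certificate Subject must be 1..1024 characters including the cn= prefix")
    if key_length not in KEY_LENGTHS:
        raise ValueError(f"Key Length must be one of {KEY_LENGTHS}")
    if digest not in DIGESTS:
        raise ValueError(f"Digest to Sign with must be one of {DIGESTS}")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("Expiration TTL must be a positive integer")
    if unit not in TTL_UNIT_DAYS:
        raise ValueError(f"TTL unit must be one of {tuple(TTL_UNIT_DAYS)}")
    if not protocols or any(p not in PROTOCOLS for p in protocols):
        raise ValueError(f"select at least one of {PROTOCOLS}")
    warnings = []
    if key_length < 2048:
        warnings.append(f"RSA-{key_length} is below current practice; prefer 2048 or 4096")
    if digest == "SHA1":
        warnings.append("SHA1 signatures are rejected by modern supplicants and browsers; prefer SHA256")
    return {"subject": full_subject, "key_length": key_length, "digest": digest,
            "ttl_days": ttl * TTL_UNIT_DAYS[unit], "protocols": set(protocols), "warnings": warnings}

def make_self_signed(req, friendly_name, valid_from, serial, key_id):
    """Shape a store entry with the Local Certificates page columns. key_id stands in
    for the public key: a real SKI hashes the key, this hashes the constructed id."""
    return {"friendly_name": friendly_name, "issued_to": req["subject"], "issued_by": req["subject"],
            "valid_from": valid_from,
            "valid_to": valid_from + datetime.timedelta(days=req["ttl_days"]),
            "serial": serial, "ski": hashlib.sha1(key_id.encode()).hexdigest(),
            "protocols": set(req["protocols"])}

class LocalCertificateStore:
    def __init__(self):
        self.certs = []

    def _duplicates(self, cert):
        # Duplicate = same CN (Issued To) and same SKI, whatever the validity dates or serial
        return [c for c in self.certs
                if c["issued_to"] == cert["issued_to"] and c["ski"] == cert["ski"]]

    def add(self, cert, allow_duplicate=False, replace=False):
        existing = self._duplicates(cert)
        if existing and replace:
            target = existing[0]
            kept = target["protocols"]           # Replace Certificate keeps the protocol selections
            target.update(cert)
            target["protocols"] = kept
            return target
        if existing and not allow_duplicate:
            raise ValueError("a certificate with the same CN and SKI exists; "
                             "check Allow Duplicate Certificates or Replace Certificate")
        entry = dict(cert)
        self.certs.append(entry)
        return entry

    def bound_to(self, protocol):
        """Friendly names of the certificates associated with a protocol."""
        return [c["friendly_name"] for c in self.certs if protocol in c["protocols"]]

    def expiring(self, today, within_days=30):
        """Certificates to renew before the services that use them are interrupted."""
        limit = today + datetime.timedelta(days=within_days)
        return [c["friendly_name"] for c in self.certs if c["valid_to"] <= limit]
```

The duplicate rule is the interesting one operationally: renewing with the same key pair yields the same CN and SKI, so the renewed certificate is a duplicate by the page's definition and needs either Allow Duplicate Certificates (both stay listed) or Replace Certificate (content swapped, EAP and management bindings untouched).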
The new certificate is saved. The Local Certificate Store page appears with the new certificate.

Binding CA Signed Certificates

Use this page to bind a CA-signed certificate to the request that was used to obtain the certificate from the CA.

1. Select System Administration > Configurations > Local Server Certificates > Local Certificates > Add.
2. Select Bind CA Signed Certificate > Next.
3. Enter the information in the ACS Import Server Certificate page as described in Table 18 on page 20.
4. Click Finish. The new certificate is saved. The Local Certificate Store page appears with the new certificate.

Related Topics
Configuring Local Server Certificates, page 16
Certificate-Based Network Access, page 9

Editing and Renewing Certificates

You can renew an existing self-signed certificate without having to remove it and add a new certificate. This ensures that any service that uses the local certificate continues without interruption.

To renew or extend a local server certificate:

1. Select System Administration > Configuration > Local Server Certificates > Local Certificates.
2. Click the name that you want to modify; or, check the check box for the Name, and click Edit.
3. Enter the certificate properties as described in Table 19 on page 21.

Table 18 Bind CA Signed Certificate

Certificate File: Browse to the client machine and select the certificate file to be imported.
Protocol
EAP: Check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
Management Interface: Check to associate the certificate with the management interface.
Allow Duplicate Certificates: Allows adding a certificate with the same CN and same SKI but different Valid From, Valid To, and Serial number.
Override Policy
Replace Certificate: Check to replace the content of an existing certificate with the one that you import, but retain the existing protocol selections.