Cisco Acs 57 User Guide

    							31   
    Common Scenarios Using ACS
    RADIUS and TACACS+ Proxy Requests
    Example:
    Callback-ID – Attribute Multiple NOT allowed.
    On the access accept response from the RADIUS server:
    Callback-ID NOT on the access accept response
    Attribute operation statement:
    Callback-ID ADD 1223
    Result of the add attribute operation on the response sent to the client device:
    Callback-ID=1223
    If the Callback-ID is on the original access accept response, ACS does not perform the add operation in this example.
    If multiple attributes are allowed, the add operation always adds the attribute with a new value.
    Example:
    Login-IP-Host – Attribute Multiple allowed.
    On the access accept response from the RADIUS server:
    Login-IP-Host=10.58.23.192
    Attribute operation statement:
    Login-IP-Host ADD 10.58.1.1
    Result of the attribute operation on the response sent to the client device:
    Login-IP-Host=10.58.23.192
    Login-IP-Host=10.58.1.1
    Updating Attributes in Outbound RADIUS Responses
    This option is used to update the existing value of a selected RADIUS attribute.
    If multiple attributes are not allowed, the update operation updates the existing attribute with a new value only if the attribute exists in the access accept response.
    If multiple attributes are allowed, the update operation removes all the occurrences of this attribute and adds one attribute with a new value.
    Example:
    Login-IP-Host – Attribute Multiple allowed.
    On the access accept response from the RADIUS server:
    Login-IP-Host=10.58.23.192
    Login-IP-Host=10.58.1.1
    Attribute operation statement:
    Login-IP-Host UPDATE 10.11.11.11
    						
    Result of the attribute operation on the response sent to the client device: 
    Login-IP-Host=10.11.11.11
    If the attribute is cisco-avpair (pair of key=value), the update is done according to the key.
    Example:
    On the access accept response from the RADIUS server:
    cisco-avpair = url-redirect=www.cisco.com
    cisco-avpair = url-redirect=www.yahoo.com
    cisco-avpair = cmd=show
    Attribute operation statement:
    cisco-avpair UPDATE new value:[url-redirect=www.google.com]
    Result of the attribute operation on the response sent to the client device:
    cisco-avpair = url-redirect=www.google.com
    cisco-avpair = cmd=show
    Deleting Attributes from Outbound RADIUS Responses
    This option is used to delete the value of RADIUS outbound attributes.
    Example:
    Login-IP-Host – Attribute Multiple allowed.
    On the access accept response from the RADIUS server:
    Login-IP-Host=10.56.21.190
    Attribute operation statement:
    Login-IP-Host DELETE
    Result of the attribute operation on the response sent to the client device:
    Attribute Login-IP-Host is not in the access accept response.
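The ADD, UPDATE and DELETE rules from the three sections above, worked through as an added example that is not Cisco code; the function names, the (attribute, value) list representation and the set of multiple-allowed attributes are assumptions made for the illustration.

```python
# Added example (not Cisco code): a model of the ACS outbound RADIUS attribute
# operations described above. The function names and the (attribute, value) list
# representation are assumptions made for this illustration.

# Attributes treated as "Multiple allowed" in the page's examples (assumption for the
# model; in ACS this comes from the attribute's dictionary definition).
MULTIPLE_ALLOWED = {"Login-IP-Host", "cisco-avpair"}


def avpair_key(value):
    """Return the key part of a cisco-avpair value such as 'url-redirect=...'."""
    return value.split("=", 1)[0]


def apply_operation(response, attr, op, value=None, multiple_allowed=None):
    """Apply one ADD / UPDATE / DELETE statement to an access accept response.
    response: list of (attribute, value) tuples from the remote RADIUS server.
    Returns the list that is sent on to the client device."""
    if multiple_allowed is None:
        multiple_allowed = attr in MULTIPLE_ALLOWED
    present = any(a == attr for a, _ in response)
    others = [(a, v) for a, v in response if a != attr]

    if op == "ADD":
        if present and not multiple_allowed:
            return list(response)            # single-valued and already present: no-op
        return list(response) + [(attr, value)]

    if op == "UPDATE":
        if attr == "cisco-avpair":
            # Keyed update: only pairs whose key matches the new value are replaced;
            # the first match takes the new value, later matches are dropped.
            key = avpair_key(value)
            out, replaced = [], False
            for a, v in response:
                if a == attr and avpair_key(v) == key:
                    if not replaced:
                        out.append((attr, value))
                        replaced = True
                    continue
                out.append((a, v))
            if not replaced:                 # key absent: not stated on the page,
                out.append((attr, value))    # assumed to behave like a multi-valued add
            return out
        if multiple_allowed:
            return others + [(attr, value)]  # every occurrence collapsed into one
        if not present:
            return list(response)            # single-valued and absent: no-op
        return [(a, value if a == attr else v) for a, v in response]

    if op == "DELETE":
        return others

    raise ValueError("unknown operation: " + repr(op))
```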
    Related Topics
    Supported Protocols, page 32
    Supported RADIUS Attributes, page 33
    Configuring Proxy Service, page 34
    Supported Protocols
    The RADIUS proxy feature in ACS supports the following protocols:
    Forwarding for all RADIUS protocols
    All EAP protocols
    Protocols not supported by ACS itself (because the ACS proxy does not take part in the protocol conversation and only forwards requests)
    						
    Note: ACS proxy cannot support protocols that use encrypted RADIUS attributes.
    The TACACS+ proxy feature in ACS supports the following protocols:
    PAP
    ASCII
    CHAP
    MSCHAP authentication types
    Related Topics
    RADIUS and TACACS+ Proxy Requests, page 26
    Supported RADIUS Attributes, page 33
    Configuring Proxy Service, page 34
    Supported RADIUS Attributes
    The following supported RADIUS attributes are encrypted:
    User-Password
    CHAP-Password
    Message-Authenticator
    MPPE-Send-Key and MPPE-Recv-Key
    Tunnel-Password
    LEAP Session Key Cisco AV-Pair
    TACACS+ Body Encryption
    When ACS receives a packet from a NAS with an encrypted body (the TAC_PLUS_UNENCRYPTED_FLAG flag is 0x0), ACS decrypts the body using the data shared between the NAS and ACS, such as the shared secret and session ID, and then encrypts the body using the data shared between ACS and the TACACS+ proxy server. If the packet body is in cleartext, ACS resends it to the TACACS+ server in cleartext.
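The re-keying step described above, as an added example that is not Cisco code: the pad is the public TACACS+ body obfuscation construction from RFC 8907, and the function names, the sample body and the shared secrets are constructed for this illustration. Whether ACS reuses the NAS session ID toward the next hop is not stated on the page, so both session IDs are parameters.

```python
# Added example (not Cisco code): how a TACACS+ proxy takes off the body obfuscation
# shared with the NAS and re-applies it with the secret shared with the next-hop
# server. The pad is the MD5 construction from RFC 8907; the function names and the
# sample values are assumptions for this illustration.
import hashlib

TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag bit; 0 means the body is obfuscated


def tacacs_pad(session_id, key, version, seq_no, length):
    """Build the RFC 8907 pseudo-pad: MD5(session_id, key, version, seq_no[, prev])."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def reproxy_body(body, flags, version, seq_no, nas_session_id, nas_secret,
                 proxy_session_id, proxy_secret):
    """Re-key one packet body on its way from the NAS to the next-hop server.

    A body flagged as cleartext is forwarded untouched, as the text above says.
    Otherwise it is decoded with the NAS secret and encoded with the next-hop
    secret. Version and sequence number come from the packet header; the two
    session IDs are parameters because the page does not say whether ACS reuses
    the NAS session ID toward the next hop (assumption).
    """
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    clear = obfuscate(body, nas_session_id, nas_secret, version, seq_no)
    return obfuscate(clear, proxy_session_id, proxy_secret, version, seq_no)


# Constructed sample values, not captured traffic.
SAMPLE_BODY = b"\x01\x00\x02\x01\x04\x05\x00\x0bdemo"   # arbitrary authen START body
NAS_SECRET, PROXY_SECRET = b"nas-shared-secret", b"proxy-shared-secret"
```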
    Connection to TACACS+ Server
    ACS supports a single connection to another TACACS+ server (the TAC_PLUS_SINGLE_CONNECT_FLAG flag is 1). If the remote TACACS+ server does not support multiplexing TACACS+ sessions over a single TCP connection, ACS opens and closes a connection for each session.
    Related Topics
    RADIUS and TACACS+ Proxy Requests, page 26
    Supported Protocols, page 32
    Configuring Proxy Service, page 34 
    						
    Configuring Proxy Service
    To configure proxy services:
    1. Configure a set of remote RADIUS and TACACS+ servers. For information on how to configure remote servers, see Creating, Duplicating, and Editing External Proxy Servers, page 19.
    2. Configure an External proxy service. For information on how to configure an External proxy service, see Configuring General Access Service Properties, page 13.
    You must select the User Selected Service Type option and choose External proxy as the Access Service Policy Structure in the Access Service Properties - General page.
    3. After you configure the allowed protocols, click Finish to complete your External proxy service configuration.
    Related Topics
    RADIUS and TACACS+ Proxy Requests, page 26
    Supported Protocols, page 32
    Supported RADIUS Attributes, page 33
    Enabling and Disabling IPv6 for Network Interfaces
    ACS 5.7 provides the capability to disable the IPv6 stack for all interfaces or for a specific interface. By default, IPv6 is enabled for all interfaces.
    You can enable or disable the IPv6 stack from the ACS CLI in configuration mode. Even though the CLI only prompts for a confirmation, you should restart the ACS services so that the correct IPv6 behavior takes effect.
    When you disable IPv6 at the global level, you cannot enable it at the interface level.
    Even when you disable IPv6, ACS allows IPv6 static address configuration, which is shown in the running configuration. However, it will not be used.
    For more information on the ipv6 enable command and its usage, see the CLI Reference Guide for Cisco Secure Access Control System 5.7.
    						
    Cisco Systems, Inc. www.cisco.com
    Understanding My Workspace
    The Cisco Secure ACS web interface is designed to be viewed using Microsoft Internet Explorer and Mozilla Firefox browsers. For more information on supported browser versions, see Release Notes for Cisco Secure Access Control System 5.7. The web interface not only makes viewing and administering ACS possible, but it also allows you to monitor and report on any event in the network.
    These reports track connection activity, show which users are currently logged in, list the failed authentication and authorization attempts, and so on.
    The My Workspace drawer contains:
    Welcome Page, page 1
    Task Guides, page 2
    My Account Page, page 2
    Login Banner, page 3
    Using the Web Interface, page 3
    Importing and Exporting ACS Objects Through the Web Interface, page 18
    Common Errors, page 24
    Accessibility, page 26
    Welcome Page
    The Welcome page appears when you start ACS, and it provides shortcuts to common ACS tasks and links to information.
    You can return to the Welcome page at any time during your ACS session. To return to this page, choose My Workspace > Welcome.
    Table 14 Welcome Page

    Field                         Description
    Before You Begin              Contains a link to a section that describes the ACS policy model and associated terminology.
    Getting Started               Links in this section launch the ACS Task Guides, which provide step-by-step instructions on how to accomplish ACS tasks.
    Quick Start                   Opens the Task Guide for the Quick Start scenario. These steps guide you through a minimal system setup to get ACS going quickly in a lab, evaluation, or demonstration environment.
    Initial System Setup          Opens the Task Guide for initial system setup. This scenario guides you through the steps that are required to set up ACS for operation as needed; many steps are optional.
    Policy Setup Steps            Opens the Task Guide for policy setup. This scenario guides you through the steps that are required to set up ACS policies.
    New in ACS 5                  Options in this section link to topics in the ACS online help. Click an option to open the online help window, which displays information for the selected topic. Use the links in the online help topics and in the Contents pane of the online help to view more information about ACS features and tasks.
    Tutorials & Other Resources   Provides links to:
                                  Introduction Overview video.
                                  Configuration guide that provides step-by-step instructions for common ACS scenarios.

    In ACS 5.7, you can also see a banner in the welcome page. You can customize this After Login banner text from the Login Banner page.
    Task Guides
    From the My Workspace drawer, you can access Task Guides. When you click any of the tasks, a frame opens on the right side of the web interface. This frame contains step-by-step instructions, as well as links to additional information.
    ACS provides the following task guides:
    Quick Start—Lists the minimal steps that are required to get ACS up and running quickly.
    Initial System Setup—Lists the required steps to set up ACS for basic operations, including information about optional steps.
    Policy Setup Steps—Lists the required steps to define ACS access control policies.
    My Account Page
    Note: Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in certain procedures. See Configuring System Administrators and Accounts, page 3 to configure the appropriate administrator privileges.
    Use the My Account page to update and change the administrator password for the administrator that is currently logged in to ACS.
    To display this page, choose My Workspace > My Account.
    						
    Related Topics
    Configuring Authentication Settings for Administrators, page 11
    Changing the Administrator Password, page 25
    Login Banner
    ACS 5.7 supports customizing the login banner text. You can set two sets of banner text; for instance, you can display one banner text before login and another banner text after login. You can do this customization from the Login Banner page. The copyright statement is the default for both banners. ACS 5.7 displays the role of ACS in the login banners. The role can be primary, primary log collector, secondary, or secondary log collector.
    You can also configure login banners for the ACS CLI. To display a banner text before and after logging in to the ACS CLI, use the banner command in EXEC mode. The banners that are configured using the banner command from the ACS CLI are not reflected in the ACS web interface, whereas the banners that are configured in the ACS web interface affect the ACS CLI banner. For more information on the banner command, see the CLI Reference Guide for Cisco Secure Access Control System.
    Note: ACS does not support ' and " symbols in login banner text.
    To customize the login banner, choose My Workspace > Login Banner.
    Table 15 My Account Page

    Field               Description
    General             Read-only fields that display information about the currently logged-in administrator:
                        Administrator name
                        Description
                        E-mail address, if it is available
    Change Password     Displays rules for password definition according to the password policy. To change your password:
                        1. In the Password field, enter your current password.
                        2. In the New Password field, enter a new password.
                        3. In the Confirm Password field, enter your new password again.
    Assigned Roles      Displays the roles that are assigned to the currently logged-in administrator.

    Table 16 Login Banner Page

    Field               Description
    Before Login        Enter the text that you want to display in the banner before login.
    After Login         Enter the text that you want to display in the banner after login.

    Using the Web Interface
    You can configure and administer ACS through the ACS web interface, in which you can access pages, perform configuration tasks, and view interface configuration errors. This section describes:
    Accessing the Web Interface, page 4
    Understanding the Web Interface, page 5
    Common Errors, page 24
    Accessibility, page 26
    Accessing the Web Interface
    The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer and Mozilla Firefox browsers. For more information on supported browser versions, see Release Notes for Cisco Secure Access Control System 5.7.
    This section contains:
    Logging In, page 4
    Logging Out, page 5
    Logging In
    To log in to the ACS web interface for the first time after installation:
    1. Enter the ACS URL in your browser, for example, https://acs_host/acsadmin, https://[IPv6 address]/acsadmin, or https://ipv4 address/acsadmin, where acs_host is the IP address or Domain Name System (DNS) hostname. The DNS hostname works for IPv6 when the given IP address is resolvable to both IPv4 and IPv6 formats.
    Note: Launching the ACS web interface using IPv6 addresses is not supported in Mozilla Firefox versions 4.x or later.
    The login page appears.
    2. Enter ACSAdmin in the Username field; the value is not case-sensitive.
    3. Enter default in the Password field; the value is case-sensitive.
    This password (default) is valid only when you log in for the first time after installation. Click Reset to clear the Username and Password fields and start over, if needed.
    4. Click Login or press Enter.
    The login page reappears, prompting you to change your password.
    ACS prompts you to change your password the first time you log in to the web interface after installation and in other situations, based on the authentication settings that are configured in ACS.
    5. Enter default in the Old Password field, and enter a new password in the New Password and the Confirm Password fields.
    If you forget your password, use the acs reset-password command to reset your password to default. See the CLI Reference Guide for Cisco Secure Access Control System 5.7 for more information.
    6. Click Login or press Enter.
    You are prompted to install a valid license:
    						
    Note: The license page only appears the first time that you log in to ACS.
    7. See Installing a License File, page 38 to install a valid license.
    If your login is successful, the main page of the ACS web interface appears.
    If your login is unsuccessful, the following error message appears:
    Access Denied. Please contact your Security Administrator for assistance.
    The Username and Password fields are cleared.
    8. Re-enter the valid username and password, and click Login.
    Note: When you use Internet Explorer to view the ACS web interface with the Enhanced Security Configuration (ESC) enabled, you will observe issues in displaying pages and pop-ups of the ACS web interface. To overcome this issue, you must disable the ESC in the Internet Explorer settings.
    Logging Out
    Click Logout in the ACS web interface header to end your administrative session. A dialog box appears asking if you are sure you want to log out of ACS. Click OK.
    Caution: For security reasons, Cisco recommends that you log out of ACS when you complete your administrative session. If you do not log out, the ACS web interface logs you out if your session remains inactive for a configurable period of time, and does not save any unsubmitted configuration data. See Configuring Session Idle Timeout, page 13 for configuring the session idle timeout.
    Understanding the Web Interface
    The following sections explain the ACS web interface:
    Web Interface Design, page 6
    Header, page 6
    Navigation Pane, page 7
    Content Area, page 8 
    						
    Web Interface Design
    Figure 3 on page 6 shows the overall design of the ACS web interface.
    Figure 3 ACS Web Interface
    The interface contains:
    Header, page 6
    Navigation Pane, page 7
    Content Area, page 8
    Header
    Use the header to:
    Identify the current user (your username)
    Access the online help
    Log out
    Access the About information, where you can find information about which ACS web interface version is installed.
    These items appear on the right side of the header (see Figure 4 on page 6).
    Figure 4 Header
    Related Topics
    Navigation Pane, page 7
    Content Area, page 8 
    						