
Cisco Acs 5x User Guide

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

User Guide for Cisco Secure Access Control System 5.3
September 2016
Text Part Number: OL-24201-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

User Guide for Cisco Secure Access Control System 5.3
© 2011 Cisco Systems, Inc. All rights reserved.
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01

CONTENTS
Preface ... xxiii
Audience ... xxiii
Document Conventions ... xxiii
Documentation Updates ... xxiv
Related Documentation ... xxiv
Obtaining Documentation and Submitting a Service Request ... xxv

CHAPTER 1  Introducing ACS 5.3 ... 1-1
Overview of ACS ... 1-1
ACS Distributed Deployment ... 1-2
ACS 4.x and 5.3 Replication ... 1-2
ACS Licensing Model ... 1-3
ACS Management Interfaces ... 1-3
ACS Web-based Interface ... 1-4
ACS Command Line Interface ... 1-4
ACS Programmatic Interfaces ... 1-5
Hardware Models Supported by ACS ... 1-5

CHAPTER 2  Migrating from ACS 4.x to ACS 5.3 ... 2-1
Overview of the Migration Process ... 2-2
Migration Requirements ... 2-2
Supported Migration Versions ... 2-2
Before You Begin ... 2-3
Downloading Migration Files ... 2-3
Migrating from ACS 4.x to ACS 5.3 ... 2-3
Functionality Mapping from ACS 4.x to ACS 5.3 ... 2-5
Common Scenarios in Migration ... 2-7
Migrating from ACS 4.2 on CSACS 1120 to ACS 5.3 ... 2-7
Migrating from ACS 3.x to ACS 5.3 ... 2-8
Migrating Data from Other AAA Servers to ACS 5.3 ... 2-8

CHAPTER 3  ACS 5.x Policy Model ... 3-1
Overview of the ACS 5.x Policy Model ... 3-1
Policy Terminology ... 3-3
Simple Policies ... 3-4
Rule-Based Policies ... 3-4
Types of Policies ... 3-5
Access Services ... 3-6
Identity Policy ... 3-9
Group Mapping Policy ... 3-11
Authorization Policy for Device Administration ... 3-11
Processing Rules with Multiple Command Sets ... 3-11
Exception Authorization Policy Rules ... 3-12
Service Selection Policy ... 3-12
Simple Service Selection ... 3-12
Rules-Based Service Selection ... 3-13
Access Services and Service Selection Scenarios ... 3-13
First-Match Rule Tables ... 3-14
Policy Conditions ... 3-16
Policy Results ... 3-16
Authorization Profiles for Network Access ... 3-16
Processing Rules with Multiple Authorization Profiles ... 3-17
Policies and Identity Attributes ... 3-17
Policies and Network Device Groups ... 3-18
Example of a Rule-Based Policy ... 3-18
Flows for Configuring Services and Policies ... 3-19

CHAPTER 4  Common Scenarios Using ACS ... 4-1
Overview of Device Administration ... 4-2
Session Administration ... 4-3
Command Authorization ... 4-4
TACACS+ Custom Services and Attributes ... 4-5
Password-Based Network Access ... 4-5
Overview of Password-Based Network Access ... 4-5
Password-Based Network Access Configuration Flow ... 4-7
Certificate-Based Network Access ... 4-9
Overview of Certificate-Based Network Access ... 4-9
Using Certificates in ACS ... 4-10
Certificate-Based Network Access for EAP-TLS ... 4-10
Authorizing the ACS Web Interface from Your Browser Using a Certificate ... 4-11
Validating an LDAP Secure Authentication Connection ... 4-12
Agentless Network Access ... 4-12
Overview of Agentless Network Access ... 4-12
Host Lookup ... 4-13
Authentication with Call Check ... 4-14
Process Service-Type Call Check ... 4-15
PAP/EAP-MD5 Authentication ... 4-15
Agentless Network Access Flow ... 4-16
Adding a Host to an Internal Identity Store ... 4-17
Configuring an LDAP External Identity Store for Host Lookup ... 4-17
Configuring an Identity Group for Host Lookup Network Access Requests ... 4-18
Creating an Access Service for Host Lookup ... 4-18
Configuring an Identity Policy for Host Lookup Requests ... 4-19
Configuring an Authorization Policy for Host Lookup Requests ... 4-20
VPN Remote Network Access ... 4-20
Supported Authentication Protocols ... 4-21
Supported Identity Stores ... 4-21
Supported VPN Network Access Servers ... 4-22
Supported VPN Clients ... 4-22
Configuring VPN Remote Access Service ... 4-22
ACS and Cisco Security Group Access ... 4-23
Adding Devices for Security Group Access ... 4-24
Creating Security Groups ... 4-24
Creating SGACLs ... 4-25
Configuring an NDAC Policy ... 4-25
Configuring EAP-FAST Settings for Security Group Access ... 4-26
Creating an Access Service for Security Group Access ... 4-26
Creating an Endpoint Admission Control Policy ... 4-27
Creating an Egress Policy ... 4-27
Creating a Default Policy ... 4-28
RADIUS and TACACS+ Proxy Requests ... 4-29
Supported Protocols ... 4-30
Supported RADIUS Attributes ... 4-31
TACACS+ Body Encryption ... 4-31
Connection to TACACS+ Server ... 4-31
Configuring Proxy Service ... 4-32

CHAPTER 5  Understanding My Workspace ... 5-1
Welcome Page ... 5-1
Task Guides ... 5-2
My Account Page ... 5-2
Using the Web Interface ... 5-3
Accessing the Web Interface ... 5-3
Logging In ... 5-4
Logging Out ... 5-5
Understanding the Web Interface ... 5-5
Web Interface Design ... 5-6
Navigation Pane ... 5-7
Content Area ... 5-8
Importing and Exporting ACS Objects through the Web Interface ... 5-18
Supported ACS Objects ... 5-18
Creating Import Files ... 5-20
Downloading the Template from the Web Interface ... 5-21
Understanding the CSV Templates ... 5-21
Creating the Import File ... 5-22
Common Errors ... 5-25
Concurrency Conflict Errors ... 5-25
Deletion Errors ... 5-26
System Failure Errors ... 5-27
Accessibility ... 5-27
Display and Readability Features ... 5-27
Keyboard and Mouse Features ... 5-28
Obtaining Additional Accessibility Information ... 5-28

CHAPTER 6  Post-Installation Configuration Tasks ... 6-1
Configuring Minimal System Setup ... 6-1
Configuring ACS to Perform System Administration Tasks ... 6-2
Configuring ACS to Manage Access Policies ... 6-4
Configuring ACS to Monitor and Troubleshoot Problems in the Network ... 6-4

CHAPTER 7  Managing Network Resources ... 7-1
Network Device Groups ... 7-2
Creating, Duplicating, and Editing Network Device Groups ... 7-2
Deleting Network Device Groups ... 7-3
Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy ... 7-4
Deleting Network Device Groups from a Hierarchy ... 7-5
Network Devices and AAA Clients ... 7-5
Viewing and Performing Bulk Operations for Network Devices ... 7-6
Exporting Network Devices and AAA Clients ... 7-7
Performing Bulk Operations for Network Resources and Users ... 7-8
Exporting Network Resources and Users ... 7-10
Creating, Duplicating, and Editing Network Devices ... 7-10
Configuring Network Device and AAA Clients ... 7-11
Displaying Network Device Properties ... 7-14
Deleting Network Devices ... 7-17
Configuring a Default Network Device ... 7-17
Working with External Proxy Servers ... 7-19
Creating, Duplicating, and Editing External Proxy Servers ... 7-19
Deleting External Proxy Servers ... 7-21

CHAPTER 8  Managing Users and Identity Stores ... 8-1
Overview ... 8-1
Internal Identity Stores ... 8-1
External Identity Stores ... 8-2
Identity Stores with Two-Factor Authentication ... 8-3
Identity Groups ... 8-3
Certificate-Based Authentication ... 8-3
Identity Sequences ... 8-4
Managing Internal Identity Stores ... 8-4
Authentication Information ... 8-5
Identity Groups ... 8-6
Creating Identity Groups ... 8-6
Deleting an Identity Group ... 8-7
Managing Identity Attributes ... 8-7
Standard Attributes ... 8-8
User Attributes ... 8-8
Host Attributes ... 8-9
Configuring Authentication Settings for Users ... 8-9
Creating Internal Users ... 8-11
Deleting Users from Internal Identity Stores ... 8-14
Viewing and Performing Bulk Operations for Internal Identity Store Users ... 8-15
Creating Hosts in Identity Stores ... 8-16
Deleting Internal Hosts ... 8-18
Viewing and Performing Bulk Operations for Internal Identity Store Hosts ... 8-18
Managing External Identity Stores ... 8-19
LDAP Overview ... 8-19
Directory Service ... 8-20
Authentication Using LDAP ... 8-20
Multiple LDAP Instances ... 8-20
Failover ... 8-21
LDAP Connection Management ... 8-21
Authenticating a User Using a Bind Connection ... 8-21
Group Membership Information Retrieval ... 8-22
Attributes Retrieval ... 8-23
Certificate Retrieval ... 8-23
Creating External LDAP Identity Stores ... 8-23
Configuring an External LDAP Server Connection ... 8-24
Configuring External LDAP Directory Organization ... 8-26
Deleting External LDAP Identity Stores ... 8-30
Configuring LDAP Groups ... 8-30
Viewing LDAP Attributes ... 8-31
Leveraging Cisco NAC Profiler as an External MAB Database ... 8-31
Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS ... 8-32
Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy ... 8-34
Troubleshooting MAB Authentication with Profiler Integration ... 8-38
Microsoft AD ... 8-38
Machine Authentication ... 8-40
Attribute Retrieval for Authorization ... 8-41
Group Retrieval for Authorization ... 8-41
Certificate Retrieval for EAP-TLS Authentication ... 8-41
Concurrent Connection Management ... 8-41
User and Machine Account Restrictions ... 8-41
Machine Access Restrictions ... 8-42
Dial-in Permissions ... 8-43
Callback Options for Dial-in Users ... 8-43
Joining ACS to an AD Domain ... 8-45
Configuring an AD Identity Store ... 8-45
Selecting an AD Group ... 8-47
Configuring AD Attributes ... 8-48
RSA SecurID Server ... 8-51
Configuring RSA SecurID Agents ... 8-51
Creating and Editing RSA SecurID Token Servers ... 8-52
RADIUS Identity Stores ... 8-57
Supported Authentication Protocols ... 8-57
Failover ... 8-58
Password Prompt ... 8-58
User Group Mapping ... 8-58
Groups and Attributes Mapping ... 8-58
RADIUS Identity Store in Identity Sequence ... 8-59
Authentication Failure Messages ... 8-59
Username Special Format with Safeword Server ... 8-59
User Attribute Cache ... 8-60
Creating, Duplicating, and Editing RADIUS Identity Servers ... 8-60
Configuring CA Certificates ... 8-65
Adding a Certificate Authority ... 8-66
Editing a Certificate Authority and Configuring Certificate Revocation Lists ... 8-67
Deleting a Certificate Authority ... 8-68
Exporting a Certificate Authority ... 8-69
Configuring Certificate Authentication Profiles ... 8-69
Configuring Identity Store Sequences ... 8-71
Creating, Duplicating, and Editing Identity Store Sequences ... 8-71
Deleting Identity Store Sequences ... 8-73

CHAPTER 9  Managing Policy Elements ... 9-1
Managing Policy Conditions ... 9-1
Creating, Duplicating, and Editing a Date and Time Condition ... 9-3
Creating, Duplicating, and Editing a Custom Session Condition ... 9-5
Deleting a Session Condition ... 9-6
Managing Network Conditions ... 9-6
Importing Network Conditions ... 9-8
Exporting Network Conditions ... 9-9
Creating, Duplicating, and Editing End Station Filters ... 9-9
Creating, Duplicating, and Editing Device Filters ... 9-12
Creating, Duplicating, and Editing Device Port Filters ... 9-14
Managing Authorizations and Permissions ... 9-17
Creating, Duplicating, and Editing Authorization Profiles for Network Access ... 9-18
Specifying Authorization Profiles ... 9-19
Specifying Common Attributes in Authorization Profiles ... 9-19
Specifying RADIUS Attributes in Authorization Profiles ... 9-21
Creating and Editing Security Groups ... 9-23
Creating, Duplicating, and Editing a Shell Profile for Device Administration ... 9-23
Defining General Shell Profile Properties ... 9-25
Defining Common Tasks ... 9-25
Defining Custom Attributes ... 9-28
Creating, Duplicating, and Editing Command Sets for Device Administration ... 9-28
Creating, Duplicating, and Editing Downloadable ACLs ... 9-31
Deleting an Authorizations and Permissions Policy Element ... 9-32
Configuring Security Group Access Control Lists ... 9-33

CHAPTER 10  Managing Access Policies ... 10-1
Policy Creation Flow ... 10-1
Network Definition and Policy Goals ... 10-2
Policy Elements in the Policy Creation Flow ... 10-3
Access Service Policy Creation ... 10-4
Service Selection Policy Creation ... 10-4
Customizing a Policy ... 10-4
Configuring the Service Selection Policy ... 10-5
Configuring a Simple Service Selection Policy ... 10-6
Service Selection Policy Page ... 10-6
Creating, Duplicating, and Editing Service Selection Rules ... 10-8
Displaying Hit Counts ... 10-10
Deleting Service Selection Rules ... 10-10
Configuring Access Services ... 10-11
Editing Default Access Services ... 10-11
Creating, Duplicating, and Editing Access Services ... 10-12
Configuring General Access Service Properties ... 10-13
Configuring Access Service Allowed Protocols ... 10-15
Configuring Access Services Templates ... 10-19
Deleting an Access Service ... 10-20
Configuring Access Service Policies ... 10-21
Viewing Identity Policies ... 10-21
Viewing Rules-Based Identity Policies ... 10-23
Configuring Identity Policy Rule Properties ... 10-24
Configuring a Group Mapping Policy ... 10-26
Configuring Group Mapping Policy Rule Properties ... 10-28
Configuring a Session Authorization Policy for Network Access ... 10-29
Configuring Network Access Authorization Rule Properties ... 10-31
Configuring Device Administration Authorization Policies ... 10-32
Configuring Device Administration Authorization Rule Properties ... 10-33
Configuring Device Administration Authorization Exception Policies ... 10-33
Configuring Shell/Command Authorization Policies for Device Administration ... 10-34
Configuring Authorization Exception Policies ... 10-35
Creating Policy Rules ... 10-37
Duplicating a Rule ... 10-38
Editing Policy Rules ... 10-38