A Default Authorization Rule
You can set a default authorization rule if a condition is not defined or no matched condition is found. You can deny or grant access based on Shared RACs and DACLs selections. To configure a default authorization rule Choose the relevant profile Authorization policy. The Authorization Rules for Profile Page appears. Click Add Rule. The Authorization Rules for Profile Page appears. Select Authentication Action for the line that contains the text If a condition is not defined or there is no...
AAA Client Configuration
This guide uses the term AAA client comprehensively to signify the device through which or to which service access is attempted. This is the RADIUS or TACACS+ client device, and may comprise Network Access Servers (NASs), PIX Firewalls, routers, or any other RADIUS or TACACS+ hardware or software client. This section contains the following topics AAA Client Configuration Options, page 4-8 Adding AAA Clients, page 4-11 Editing AAA Clients, page 4-13 Deleting AAA Clients, page 4-14
AAA Server Configuration
This section presents procedures for configuring AAA servers in the ACS web interface. For additional information about AAA servers, see AAA Servers in Distributed Systems, page 4-2. To configure distributed system features for a given ACS, you must first define the other AAA server(s). For example, all ACSs that are involved in replication, remote logging, authentication proxying, and RDBMS synchronization must have AAA server configurations for each other otherwise, incoming communication...
AAA Server Configuration Options
AAA server configurations enable ACS to interact with the AAA server that the configuration represents. AAA servers that do not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, does not receive AAA services from ACS, such as proxied authentication requests, database replication communication, remote logging, and RDBMS synchronization. Also, several distributed systems features require that the other ACSs included in the distributed system be represented in...
About ACS Backup
Chapter 8 System Configuration Basic For information about using a backup file to restore ACS, see ACS System Restore, page 8-11. The backup and restore features between different ACS versions are not supported. The default directory for backup files is where drive is the local drive where you installed ACS and path is the path from the root of drive to the ACS directory. For example, if you installed ACS version 4.0 in the default location, the default backup c Program Files CiscoSecure ACS...
About ACS Internal Database Replication
Database replication creates mirror systems of ACSs by duplicating parts of the primary ACS setup to one or more secondary ACSs. You can configure your AAA clients to use these secondary ACSs if the primary ACS fails or is unreachable. With a secondary ACS whose ACS internal database is a replica of the ACS internal database on the primary ACS, if the primary ACS goes out of service, incoming requests are authenticated without network downtime, provided that your AAA clients are configured to...
About Command Authorization Sets
This section contains the following topics Command Authorization Sets Description, page 5-24 Command Authorization Sets Assignment, page 5-26 Case Sensitivity and Command Authorization, page 5-26 Arguments and Command Authorization, page 5-27 About Pattern Matching, page 5-27 Command Authorization Sets Description Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the...
About External Audit Servers
Audit servers are Cisco and third-party servers that determine posture information about a host without relying on the presence of a Posture Agent (PA). The Cisco PA is also known as the Cisco Trust Agent (CTA). Audit servers are used to assess posture validation with an organization's security policy. You can also define a secondary external audit server. The presence of a secondary audit server allows the second or failover server to evaluate any policies from the primary server when the...
About Internal Policies
Internal policies comprise one or more rules that you define in ACS. When ACS applies an internal policy, it uses the policy rules to evaluate credentials that are received with the posture validation request. Each rule is associated with an APT, a credential type, and an action. The credential type determines which NAC-compliant application with which the APT and action are associated. ACS applies each rule in the order they appear on the Posture Validation Policies page (from top to bottom),...
About IP Pools Server
If you are using VPNs you may have to overlap IP address assignments that is, it may be advantageous for a PPTP tunnel client within a given tunnel to use the same IP address that another PPTP tunnel client in a different tunnel is using. You can use the IP Pools Server feature to assign the same IP address to multiple users, provided that the users are being tunnelled to different home gateways for routing beyond the boundaries of your own network. You can, therefore, conserve your IP address...
About PACs
PACs are strong shared secrets that enable ACS and an EAP-FAST end-user client to authenticate each other and establish a TLS tunnel for use in EAP-FAST phase two. ACS generates PACs by using the active master key and a username. PAC-Key Shared secret bound to a client (and client device) and server identity. PAC Opaque Opaque field that the client caches and passes to the server. The server recovers the PAC-Key and the client identity to mutually authenticate with the client. PAC-Info At a...
About Posture Credentials and Attributes
For posture validation, credentials are the sets of attributes sent from the endpoint to ACS. Also known as inbound attributes, these attributes contain data that is used during posture validation to determine the posture of the computer. ACS considers attributes from each NAC-compliant application and from CTA to be different types of credentials. With policies that ACS creates for validation, the rules that you create use the content of inbound attributes to determine the APT returned by...
About Radius Authorization Components
Shared Radius Authorization Components (RACs) contain groups of RADIUS attributes that you can dynamically assign to user sessions based on a policy. Using the Network Access Profile configuration, you can map a policy type with set conditions, such as Network Device Groups and posture, to a shared RAC. In ACS, RACs contain attributes that can be specific to a single network service (also referred to as a network-access policy). The access policy can map from various groups and postures to a...
About Radiusenabled Token Servers
ACS supports token servers by using the RADIUS server that is built into the token server. Rather than using a vendor-proprietary API, ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers. For information about configuring ACS to authenticate users with one of these token servers, see Configuring a RADIUS...
About Rdbms Synchronization
The RDBMS Synchronization feature enables you to update the ACS internal database with information from an ODBC-compliant data source. The ODBC-compliant data source can be the RDBMS database of a third-party application. It can also be an intermediate file or database that a third-party system updates. Regardless of where the file or database resides, ACS reads the file or database via the ODBC connection. You can also regard RDBMS Synchronization as an API much of what you can configure for a...
About Rules Rule Elements and Attributes
A rule is a set of one or more rule elements. A rule element is a logical statement which comprises A posture validation attribute An operator or posture token A value or notification string ACS uses the operator to compare the contents of an attribute to the value. Each rule element of a rule must be true for the whole rule to be true. In other words, all rule elements of a rule are joined with a Boolean AND. For detailed descriptions of rules, see Setting Up a Profile, page 15-3.
About Shared Profile Components
You use the Shared Profile Components section to develop and name reusable, shared sets of authorization components that may be applied to one or more users or groups of users, and referenced by name within their profiles. These include network-access filters (NAFs),.RADIUS Authorization Components (RACs), downloadable IP access control lists (IP ACLs), Network Access Restrictions (NARs), and command-authorization sets. The Shared Profile Components section addresses the scalability of...
About Unknown User Authentication
The Unknown User Policy is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. If a username does not exist in the ACS internal database, ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate. The external database must support the authentication protocol used in the authentication request. The Unknown User Policy enables ACS to use a variety of...
About User Group Mapping and Specification
You can use the Database Group Mapping feature in the External User Databases section to associate unknown users with an ACS group for the purpose of assigning authorization profiles. For external user databases from which ACS can derive group information, you can associate the group memberships, which are defined for the users in the external user database, to specific ACS groups. For Windows user databases, group mapping is further specified by domain because each domain maintains its own...
About User Setup Features and Functions
The User Setup section of the ACS web interface is the centralized location for all operations regarding user account configuration and administration. From within the User Setup section, you can View a list of all users in the ACS internal database. Assign the user to a group, including Voice-over-IP (VoIP) groups. Edit user account information. Establish or change user authentication type. Configure callback information for the user. Set network-access restrictions (NARs) for the user. Set...
Access Policy Options
You can configure the following options on the Access Policy Setup page IP Address Filtering Contains the following IP address filtering options - Allow all IP addresses to connect Allow access to the web interface from any IP address. - Allow only listed IP addresses to connect Allow access to the web interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table. - Reject connections from listed IP addresses Allow access to the web interface only from IP...
Accessing the Web Interface
Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, ACS requires a valid administrator name and password for administrative sessions accessed from a browser on the computer running ACS. Determine whether a supported web browser is installed on the computer you...
Accounting Logs
Accounting logs contain information about the use of remote access services by users. By default, these logs are available in CSV format, with the exception of the Passed Authentications log. You can also configure ACS to export the data for these logs to an ODBC-compliant relational database that you configure to store the log data. Table 11-1 describes all accounting logs. In the web interface, all accounting logs can be enabled, configured, and viewed. Table 11-2 contains information about...
ACS Authentication Process with an ODBC External User Database
ACS forwards user authentication requests to an ODBC database when the user Account in the ACS internal database lists an ODBC database configuration as the authentication method. Is unknown to the ACS internal database, and the Unknown User Policy dictates that an ODBC database is the next external user database to try. In either case, ACS forwards user credentials to the ODBC database via an ODBC connection. The relational database must have a stored procedure that queries the appropriate...
ACS Database Recovery Using the accountActions Table
Because the RDBMS Synchronization feature deletes each record in the accountActions table after processing the record, the accountActions table can be considered a transaction queue. The RDBMS Synchronization feature does not maintain a transaction log audit trail. If a log is required, the external system that adds records to the accountActions table must create it. Unless the external system can recreate the entire transaction history in the accountActions table, we recommend that you...
ACS Features Functions and Concepts
ACS incorporates many technologies to render AAA services to network-access devices, and provides a central access-control function. This section contains the following topics ACS as the AAA Server, page 1-3 AAA Protocols TACACS+ and RADIUS, page 1-3 Additional Features in ACS Version 4.0, page 1-4 From the perspective of the NAD, ACS functions as the AAA server. You must configure the device, which functions as a AAA client from the ACS perspective, to direct all end-user host access requests...
ACS System Logs
System logs are logs about the ACS system and therefore record system-related events. These logs are useful for troubleshooting or audits. They are always enabled and are only available in CSV format. Some system logs can be configured. For information about each system log, including which system logs are configurable, see Table 11-4. For instructions on viewing a CSV report in the web interface, see Viewing a CSV Report, page 11-12. Table 11-4 Accounting Log Descriptions and Related Topics...
ACS Windows Services
ACS operates as a set of Microsoft Windows services. When you install ACS, the installation adds these Windows services to the server. These services provide the core of ACS functionality. The ACS services on the computer running ACS include CSAdmin Provides the web interface for administration of ACS. CSAuth Provides authentication services. CSDBSync Provides synchronization of the ACS internal database with an external RDBMS application. CSLog Provides logging services, for accounting and...
Action Codes for Initializing and Modifying Access Filters
Table F-4 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users. Transactions using these codes affect the configuration that appears in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section, see Chapter 6, User...
Action Codes for Modifying Network Configuration
Table F-6 lists the action codes for adding AAA clients, AAA servers, network device groups, and proxy table entries. Transactions using these codes affect the configuration that appears in the Network Configuration section of the web interface. For more information about the Network Configuration section, see Chapter 4, Network Configuration. Table F-6 Action Codes for Modifying Network Configuration Table F-6 Action Codes for Modifying Network Configuration Adds a new AAA client (named in VN)...
Action Codes for Modifying Tacacs and Radius Group and User Settings
Table F-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for ACS groups and users. In the event that ACS has conflicting user and group settings, user settings always override group settings. Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section,...
Adding a Command Authorization
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page lists the command-authorization set types that are available. These always include Shell Command Authorization Sets and may include others, such as command-authorization set types that support Cisco device-management applications. Step 2 Click one of the listed command-authorization set types, as applicable. The selected Command Authorization Sets table appears. The applicable Command Authorization...
Adding a New IP Pool
You can define up to 999 IP address pools. To add an IP pool Step 1 In the navigation bar, click System Configuration. The AAA Server IP Pools table lists any IP pools that you have already configured, their address ranges, and the percentage of pooled addresses in use. Step 4 In the Name box, type the name (up to 31 characters) to assign to the new IP pool. Step 5 In the Start Address box, type the lowest IP address (up to 15 characters) of the range of addresses for the new pool. Note All...
Adding a New Proxy Distribution Table Entry
To create a Proxy Distribution Table entry Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Under the Proxy Distribution Table, click Add Entry. Note If the Proxy Distribution Table does not appear, choose Interface Configuration > Advanced Options. Then, select the Distributed System Settings check box. Step 3 In the Character String box, type the string of characters, including the delimiter to forward on when users dial in to be...
Adding a Profile
On the Profile Setup page, you can configure Activation flag (determines whether this profile is active or inactive) The Network Access Profiles Page page is initially empty. Once populated, you must set the list of profiles into an order with a priority sequence from top to bottom. Use the Profile Setup Page to configure the profile name, description, add the classification, and all other parameters that are required to set up the profile. Step 1 In the navigation bar, click Network Access...
Adding a Shared NAR
You can create a shared NAR that contains many access restrictions. Although the ACS web interface does not enforce limits to the number of access restrictions in a shared NAR or to the length of each access restriction, you must adhere to the following limits The combination of fields for each line item cannot exceed 1024 characters. The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a...
Adding AAA Servers
For descriptions of the options that are available while adding a remote AAA server configuration, see AAA Server Configuration Options, page 4-15. For ACS to provide AAA services to a remote AAA server, you must ensure that gateway devices between the remote AAA server and ACS permit communication over the ports that support the applicable AAA protocol (RADIUS or TACACS+). For information about ports that AAA protocols use, see AAA Protocols TACACS+ and RADIUS, page 1-3. In the navigation bar,...
Additional Features in ACS Version
ACS version 4.0 provides the following features that help fortify and protect networked business systems Cisco NAC support ACS 4.0 acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials received from the Cisco Trust Agent (CTA, posture), determines the state of the host, and sends a per-user authorization to the network-access device ACLs, a policy based access control list, or a private VLAN assignment. Evaluation of the host...
Administration Issues
Remote administrator cannot bring up the ACS web interface in a browser or receives a warning that access is not permitted. 1. Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows for a list of supported browsers. 2. Ping ACS to confirm connectivity. 3. Verify that the remote administrator is using a valid administrator name and password that have previously been added in Administration Control. 4. Verify that Java...
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network. Local authentication on a network device can be performed, but it is not scalable. The use of network management tools can help in large networks but if local authentication is used on each network device, the policy usually entails a single login on the network device. This does...
Administrative Sessions and HTTP Proxy
ACS does not support HTTP proxy for administrative sessions. If the browser used for an administrative session is configured to use a proxy server, ACS sees the administrative session originating from the IP address of the proxy server rather than from the actual address of the computer. Administrative session tracking assumes each browser resides on a computer with a unique IP. Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather...
Administrator Privileges
You can grant appropriate privileges to each ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options from the Administrator Privileges table on the Add Administrator or Edit Administrator pages. These options are User and Group Setup Contains the following privilege options for the User Setup and Group Setup sections of the web interface - Add Edit users in these groups Enables the administrator to add or edit users...
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges
ACS provides automated detection of overlapping pools. Note To use overlapping pools, you must be using RADIUS with VPN, and you cannot be using the Dynamic Host Configuration Protocol (DHCP). You can determine whether overlapping IP pools are allowed by checking which button appears below the AAA Server IP Pools table Allow Overlapping Pool Address Ranges Overlapping IP pool address ranges are not allowed. Clicking this button allows IP address ranges to overlap between pools. Force Unique...
An Example of accountActions
Table F-10 presents an sample instance of accountActions that contains some of the action codes described in Action Codes, page F-3. First user fred is created, along with his passwords, including a TACACS_ Enable password with privilege level 10. Fred is assigned to Group 2. His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day Day-of-Week restrictions, token caching, and some RADIUS attributes. _ Note This...
Assigning an Unassigned AAA Client or AAA Server to an NDG
You use this procedure to assign an unassigned AAA client or AAA server to an NDG. Before you begin this procedure, you should have already configured the client or server and it should appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. To assign a network device to an NDG Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 In the Network Device Groups table, click Not Assigned. Tip If the Network Device Groups table...
Authenticating with External User Databases
Authenticating users with an external user database requires more than configuring ACS to communicate with an external user database. Performing one of the configuration procedures in this chapter for an external database does not, on its own, instruct ACS to authenticate any users with that database. After you have configured ACS to communicate with an external user database, you can configure ACS to authenticate users with the external user database in one of two ways By Specific User...
Authentication Bypass
You can use the profile template that ACS provides to create a profile that matches a RADIUS request that will come from a switch. Once the profile is created an analysis of the RADIUS packet that comes from the Catalyst 6500 must be done to create an accurate match for the profile. The RADIUS request from the switch has a Service Type value of 10, just like NAC-L2-IP but does not have a Cisco Attribute Value Pair (AVP) that contains the keywords service. Therefore, two entries are created in...
Authentication Protocol Database Compatibility
The various password protocols that ACS supports for authentication are supported unevenly by the various databases that ACS supports. For more information about the password protocols that ACS supports, see Passwords, page 1-8. _ Note This release does not support Windows NT. Table 1-2 specifies non-EAP authentication protocol support. Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility H ACS...
Authorization Rules
Authorization rules allow for variation of device provisioning within the NAP based on group membership and posture token. The set of possible mappings is theoretically quite high-for each NAP-for each group and for each posture. However, in practice most users will be caught by a default case for example, normal healthy users. Exceptions to the norm would be corner cases, such as groups that require specialized access rights (for example, administrators) or users with Infected or Quarantined...
Backing Up ACS with CSUtilexe
You can use the -b option to create a system backup of all ACS internal data. The resulting backup file has the same data as the backup files that are produced by the ACS Backup feature found in the web interface. For more information about the ACS Backup feature, see ACS Backup, page 8-7. _ Note During the backup, all services are automatically stopped and restarted. No users are authenticated while the backup is occurring. On the computer that is running ACS, open an MS-DOS command prompt and...
Basic User Group Settings
This section presents the basic activities that you perform when configuring a new user group. This section contains the following topics Group Disablement, page 6-3 Enabling VoIP Support for a User Group, page 6-4 Setting Default Time-of-Day Access for a User Group, page 6-5 Setting Callback Options for a User Group, page 6-5 Setting Network Access Restrictions for a User Group, page 6-6 Setting Max Sessions for a User Group, page 6-9 Setting Usage Quotas for a User Group, page 6-10
Chapter 10System Configuration Authentication and Certificates 101
About Certification and EAP Protocols 10-1 Digital Certificates 10-1 EAP-TLS Authentication 10-2 About the EAP-TLS Protocol 10-2 EAP-TLS and ACS 10-3 EAP-TLS Limitations 10-4 Enabling EAP-TLS Authentication 10-4 PEAP Authentication 10-5 About the PEAP Protocol 10-5 PEAP and ACS 10-6 PEAP and the Unknown User Policy 10-7 Enabling PEAP Authentication 10-7 EAP-FAST Authentication 10-8 About EAP-FAST 10-8 About Master Keys 10-10 About PACs 10-11 Provisioning Modes 10-12 Types of PACs 10-12 Master...
Chapter 13User Databases 131
About the ACS Internal Database 13-2 User Import and Creation 13-2 About External User Databases 13-3 Authenticating with External User Databases 13-4 External User Database Authentication Process 13-4 Windows User Database Support 13-6 Authentication with Windows User Databases 13-6 Trust Relationships 13-7 Windows Dial-Up Networking Clients 13-7 Windows Dial-Up Networking Clients with a Domain Field 13-7 Windows Dial-Up Networking Clients without a Domain Field 13-7 Usernames and Windows...
Chapter 17User Group Mapping and Specification 171
About User Group Mapping and Specification 17-1 Group Mapping by External User Database 17-1 Creating an ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 17-2 Group Mapping by Group Set Membership 17-3 Group Mapping Order 17-3 No Access Group for Group Set Mappings 17-4 Default Group Mapping for Windows 17-4 Windows Group Mapping Limitations 17-4 Creating an ACS Group Mapping for Windows or Generic LDAP Groups 17-4 Editing a Windows or Generic LDAP Group...
Chapter 5Shared Profile Components
802.1X Example Setup 5-2 Network Access Filters 5-2 About Network Access Filters 5-3 Adding a Network Access Filter 5-3 Editing a Network Access Filter 5-5 Deleting a Network Access Filter 5-6 RADIUS Authorization Components 5-6 About RADIUS Authorization Components 5-7 Understanding RACs and Groups 5-7 Migrating Away from Groups to RACs 5-7 Vendors 5-7 Attribute Types 5-8 Before You Begin Using RADIUS Authorization Components 5-8 Enabling Use of RAC 5-9 Adding RADIUS Authorization Components...
Chapter 9System Configuration Advanced
ACS Internal Database Replication 9-1 About ACS Internal Database Replication 9-2 Replication Process 9-3 Replication Frequency 9-5 Important Implementation Considerations 9-5 Database Replication Versus Database Backup 9-6 Database Replication Logging 9-7 Replication Options 9-7 Replication Components Options 9-7 Outbound Replication Options 9-9 Inbound Replication Options 9-10 Implementing Primary and Secondary Replication Setups on ACSs 9-10 Configuring a Secondary ACS 9-11 Replicating...
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL From this site, you can perform these tasks Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL http www.cisco.com go psirt If you prefer to see advisories and notices as they are updated in real time,...
Cisco Technical Support Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL _ Note Use the Cisco Product...
Cloning a Profile
Cloning replicates all the following relevant components for a NAP Authentication references External databases. Posture references Internal or external posture validation, and external audit server. For more information about posture references, see Setting Up Posture Validation Policies, page 14-18. Authorization references RACs and DACLs. Cloning a NAP does not copy the shared-profile components, or the internal and external posture-validation policies, that the profile references. The newly...
Cloning a Radius Authorization Component
To make a copy of an existing RAC by using the clone feature Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click RADIUS Authorization Components. The RADIUS Authorization Components Table Page appears. Step 3 Select the RAC name of the component that you want to clone. The Edit RADIUS Authorization Component Page appears. Step 4 To clone an existing RAC with all of its attributes, click Clone. A clone named Copy of RACname is...
Configuring a CSV
This procedure describes how to configure the content of a CSV log. For instructions to enable or disable a CSV log, see Enabling or Disabling a CSV Log, page 11-11. The logs to which this procedure applies are You cannot configure the ACS Backup and Restore, RDBMS synchronization, and Database Replication CSV logs. You can configure several aspects of a CSV log, including Log content Select which data attributes are included in the log. Log generation frequency Determine whether a new log is...
Configuring a PIX Command Authorization Set for a User
Use this procedure to specify the PIX command-authorization set parameters for a user. The four options are None No authorization for PIX commands. Group The group-level PIX command-authorization set applies for this user. Assign a PIX Command Authorization Set for any network device One PIX command-authorization set is assigned, and it applies to all network devices. Assign a PIX Command Authorization Set on a per Network Device Group Basis Particular PIX command-authorization sets will be...
Configuring a PIX Command Authorization Set for a User Group
Use this procedure to specify the PIX command-authorization set parameters for a user group. The three options are None No authorization for PIX commands. Assign a PIX Command Authorization Set for any network device One PIX command-authorization set is assigned and it applies all network devices. Assign a PIX Command Authorization Set on a per Network Device Group Basis Particular PIX command-authorization sets are to be effective on particular NDGs. Ensure that you configure a AAA client to...
Configuring a Shell Command Authorization Set for a User
Use this procedure to specify the shell command-authorization set parameters for a user. You can choose None No authorization for shell commands. Group The group-level shell command-authorization set applies for this user. Assign a Shell Command Authorization Set for any network device One shell command-authorization set is assigned, and it applies all network devices. Assign a Shell Command Authorization Set on a per Network Device Group Basis Particular shell command-authorization sets will...
Configuring a Windows External User Database
For information about the options that are available on the Windows User Database Configuration page, see Windows User Database Configuration Options, page 13-18. To configure ACS to authenticate users against the Windows user database in the trusted domains of your network Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS displays a list of all possible external user database types. If no Windows database configuration exists, the Database...
Configuring an Authorization Rule
Step 1 Choose Network Access Profiles. Step 2 Choose the relevant profile Authorization policy. Step 3 The Authorization Rules for Profile Page appears. Step 4 Click Add Rule. The Authorization Rules for Profile Page appears. Step 5 Select a User Group from the drop-down list. Step 6 Select the System Posture Token Step 7 Select Authentication Actions You may select to deny access or one or both authorization actions to implement when the authorization rules match Deny Access Check this option...
Configuring an ODBC External User Database
Creating an ODBC database configuration provides ACS with information that it uses to pass authentication requests to an ODBC-compliant relational database. This information reflects the way that you have implemented your relational database, and does not dictate how your relational database is configured or functions. For information about your relational database, refer to your relational documentation. Note Before performing this procedure, you should have completed the steps in Preparing to...
Configuring Ascend Radius Settings for a User Group
The Ascend RADIUS parameters appear only when the following are true. You have configured A AAA client to use RADIUS (Ascend) or RADIUS (Cisco IOS PIX) in Network Configuration. Group-level RADIUS (Ascend) attributes in Interface Configuration RADIUS (Ascend). Ascend RADIUS represents only the Ascend proprietary attributes. You must configure the IETF RADIUS and Ascend RADIUS attributes. Proprietary attributes override IETF attributes. The default attribute setting for RADIUS is...
Configuring Authorization Policies
Authorization policies comprise rules that are applied to a NAP. Authorization policies are used for authorizing an authenticated user. Authorization rules can be based on group membership, posture validation, or both. Authorization actions are built from the RADIUS Authorization Components and ACLs. Credentials are used in identity and posture authorization. Each application's posture credentials are evaluated separately. Credentials are compared against the posture-validation policies. When...
Configuring Cisco Airespace Radius Settings for a User Group
The Cisco Airespace RADIUS parameters appear only when the following are true. You have configured A AAA client to use RADIUS (Cisco Airespace) in Network Configuration. Group-level RADIUS (Cisco Airespace) attributes in Interface Configuration > RADIUS (Cisco-Airespace). Cisco Airespace RADIUS represents only the Cisco VSAs. Interface Configuration will display IETF RADIUS and Cisco IOS PIX 6.x RADIUS attributes. You must configure the specific attributes manually. Note To hide or display...
Configuring Cisco Aironet Radius Settings for a User Group
The single Cisco Aironet RADIUS Vendor Specific Attribute (VSA), Cisco-Aironet-Session-Timeout, is a virtual VSA. It is a specialized implementation of the IETF RADIUS Session-Timeout attribute (27) that ACS uses only when it responds to a RADIUS request from a AAA client by using RADIUS (Cisco Aironet). You can, therefore, provide different timeout values for users accessing your network through wireless and wired access devices. By specifying a timeout value specifically for WLAN connections,...
Configuring Cisco Iospix 60 Radius Settings for a User Group
The Cisco IOS PIX 6.x RADIUS parameters appear only when the following are true. You have configured A AAA client to use RADIUS (Cisco IOS PIX 6.x) in Network Configuration. Group-level RADIUS (Cisco IOS PIX 6.x) attributes in Interface Configuration RADIUS (Cisco IOS PIX 6.x). Cisco IOS PIX 6.x RADIUS represents only the Cisco VSAs. You must configure the IETF RADIUS and Cisco IOS PIX 6.x RADIUS attributes. Note To hide or display Cisco IOS PIX 6.x RADIUS attributes, see Setting Protocol...
Configuring Cisco VPN 5000 Concentrator Radius Settings for a User Group
The Cisco VPN 5000 Concentrator RADIUS attribute configurations appear only when the following are true.You have configured A network device to use RADIUS (Cisco VPN 5000) in Network Configuration. Group-level RADIUS (Cisco VPN 5000) attributes on the RADIUS (Cisco VPN 5000) page of the Interface Configuration section. Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000 Concentrator VSA. You must configure the IETF RADIUS and Cisco VPN 5000 Concentrator RADIUS attributes. Note...
Configuring Custom Radius Vsa Settings for a User Group
User-defined, custom Radius VSA configurations appear only when all the following are true You have defined and configured the custom RADIUS VSAs. (For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 9-19.) You have configured a network device in Network Configuration that uses a RADIUS protocol that supports the custom VSA. You have configured group-level custom RADIUS attributes on the RADIUS (Name) page of the Interface Configuration section. You...
Configuring Device Management Command Authorization for a User Group
Use this procedure to specify the device-management command-authorization set parameters for a group. Device-management command-authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use ACS for authorization. The three options are None No authorization is performed for commands that are issued in the applicable Cisco device-management application. Assign a device-management application for any network device For the applicable...
Configuring Device Management Command Authorization for a User
Use this procedure to specify the device-management command-authorization set parameters for a user. Device-management command-authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use ACS for authorization. You can choose None No authorization is performed for commands that are issued in the applicable Cisco device-management application. Group For this user, the group-level command-authorization set applies for the applicable...
Configuring Fail Open
You can configure fail open for errors that can prevent the retrieval of posture token from an upstream NAC server. If fail open is not configured, the user request is rejected. You can select whether to enable fail open for Audit Server for profiles that are associated with an audit server External Posture Validation Server for profiles that are associated with an External Posture Validation Server If you enable fail open, you will need to select the posture token to be granted when an error...
Configuring NAC in ACS
This section provides an overview of the steps to configure posture validation in ACS, with references to more detailed procedures for each step. Note Design your posture policies by using the Posture Validation tab and then assign those policies to profiles by using the Posture Validation link inside the Network Access Profiles tab. Before ACS can perform posture validation, you must complete several configuration steps. An overview of the steps follows. For information on finding detailed...
Configuring Policies
If you plan to use NAC in your network, you will need to define the manner in which posture validation will be performed. Policies are sets of rules that are used to determine a posture token for a posture validation request. You can configure posture validation, also known as posture compliance, as Internally within ACS. See Setting Up Posture Validation Policies, page 14-18. Externally by using the Host Credential Authorization Protocol (HCAP) protocol to one or more Posture Validation...
Configuring Profile Based Policies
Step 1 Identify the network services that you want to control by using ACS (for example, VPN, Dial, WLAN, Step 2 Set up a profile for each network service. Setting up a profile defines how ACS will recognize or identify requests for example, device IP, NDG, NAF, advanced filtering). For more information, see Setting Up a Profile, page 15-3. Step 3 Define the authentication protocols and external databases that are required for the service. For more information, see Configuring Authentication...
Configuring Service Logs
You can configure how ACS generates and manages the service log file. The options for configuring the service log file are Level of detail You can set the service log file to contain one of three levels of detail - None No log file is generated. - Low Only start and stop actions are logged. This is the default setting. - Full All services actions are logged. Generate new file You can control how often a new service log file is created - Every Day ACS generates a new log file at 12 01 A.M. local...
Configuring Tacacs Settings for a User
You can use this procedure to configure TACACS+ settings at the user level for the following services and protocols Project Information Exchange (PIX) PIX Shell (pixShell) Serial Line Internet Protocol (SLIP) You can also enable any new TACACS+ services that you configure. Because having all service protocol settings appear within the User Setup section would be cumbersome, you choose what settings to hide or display at the user level when you configure the interface. For more information about...
Configuring the Unknown Service Setting for a User
If you want TACACS+ AAA clients to permit unknown services, you can check the Default (Undefined) Services check box. Checking this option will PERMIT all UNKNOWN Services. To configure the Unknown Service setting for a user Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3. The User Setup Edit page opens. The username that you add or edit appears at the top of the page. Step 2 Scroll down to the table under the heading PERMIT all UNKNOWN Services. Step 3 To allow...
Configuring VPN 3000ASAPIX v7x Radius Settings for a User Group
To control Microsoft Point-to-Point Encryption (MPPE) settings for users accessing the network through Cisco VPN 3000 concentrators, for example, use the CVPN3000-PPTP-Encryption (vsa 20) and CVPN3 0 0 0-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (vsa 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends...
Conventions
This document uses the following conventions This document uses the following conventions Commands, keywords, special terminology, and options that should be selected during procedures Variables for which you supply values and new or important terminology Displayed session and system information, paths and file names Indicates menu items to select, in the order you select them. Identifies information to help you get the most benefit from your product. Means reader take note. Notes identify...
Creating an ACS Group Mapping for a Token Server ODBC Database or LEAP Proxy Radius Server Database
To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Group Mappings. Step 3 Click the name of the token server, LEAP Proxy RADIUS Server, or ODBC database configuration for which you want to configure a group mapping. The Define Group Mapping table appears. Step 4 From the Select a default group for database list, click the group to which users who were authenticated with this...
Creating an ACS Group Mapping for Windows or Generic LDAP Groups
To map a Windows or generic LDAP group to an ACS group Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Group Mappings. Step 3 Click the external user database name for which you want to configure a group mapping. If you are mapping a Windows group set, the Domain Configurations table appears. The Group Mappings for database Users table appears. Step 4 If you are mapping a Windows group set for a new domain The Define New Domain Configuration page appears. b....
Creating an ACS Internal Database Dump File
You can use the -d option to dump all contents of the ACS internal database into a password-protected text file. You can provide a name for the file otherwise, it is called dump.txt. The dump file provides a thorough and compressible backup of all ACS internal data. Using the -l option, you can reload the ACS internal data from a dump file created by the -d option. For more information about the -l option, see Loading the ACS Internal Database from a Dump File, page D-7. Note Using the -d...
Creating an Internal Policy
Use internal posture validation to write your own policies for access in your network. After you have created policies, you can then profile rules to use these policies. You can select internal policies for more than one profile. To add the policy to a profile, use the Network Access Profiles page. For descriptions of the options available on the Internal Posture Validation Setup page, see Internal Policy Configuration Options, page 14-10. For details on how to set up your third-party component...
CSAdmin
CSAdmin is the service that provides the web server for the ACS web interface. After ACS is installed, you must configure it from its web interface therefore, CSAdmin must be running when you configure ACS. Because the ACS web server uses port 2002, rather than the standard port 80 that is usually associated with HTTP traffic, you can use another web server on the same machine to provide other web services. We have not performed interoperability testing with other web servers, but unless a...
CSTacacs and CSRadius
The CSTacacs and CSRadius services communicate between the CSAuth module and the access device that is requesting authentication and authorization services. For CSTacacs and CSRadius to work properly, the system must meet the following conditions CSTacacs and CSRadius services must be configured from CSAdmin. CSTacacs and CSRadius services must communicate with access devices such as access servers, routers, switches, and firewalls. The identical shared secret (key) must be configured both in...
Database Issues
RDBMS Synchronization is not operating properly. Make sure that the correct server appears in the Partners list. Database Replication not operating properly. Make sure you have set the server correctly as Send or Receive. On the sending server, ensure that the receiving server is in the Replication list. On the receiving server, ensure that the sending server is selected in the Accept Replication from list. Also, ensure that the sending server is not in the replication partner list. Make sure...
Database Search Order
You can configure the order in which ACS checks the selected databases when ACS attempts unknown authentication. The Unknown User Policy supports unknown user authentication. It will 1. Find the next user database in the Selected Databases list that supports the authentication protocol of the request. If the list contains no user databases that support the authentication protocol of the request, stop unknown user authentication and deny network access to the user. 2. Send the authentication...
Decoding Error Numbers
You can use the -e option to decode error numbers in ACS service logs. These error codes are internal to ACS. For example, the CSRadius log could contain a message similar to csRadius Logs RDs.iog RDs 05 22 2001 10 09 02 E 2152 4756 Error -1087 authenticating geddy - no NAs response sent In this example, the error code number that you could use csutii.exe to decode is -1087 c Program Fiies ciscosecure Acs vX.XXutiis csutii.exe -e -1087 csutii v3.0(1.14), copyright 1997-2001, cisco systems Inc...
Defining User Access Requests
You use the Profile Setup Page to define how ACS classifies access requests. You can use one or all of the following classification methods You use these three conditions to determine how ACS classifies an access request and maps it to a profile. The profile is selected when all the selected conditions match. For each condition, the value Any always matches the condition. For example, if you create a NAF for wireless and then select the Aironet Protocol type, only devices with the protocol...
Deleting a Command Authorization
To delete a command-authorization set Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page lists the command-authorization set types available. Step 2 Click a command-authorization set type, as applicable. The selected Command Authorization Sets table appears. Step 3 From the Name column, click the name of the command set that you want to delete. Information for the selected set appears on the applicable Command Authorization Set page. A dialog box...
Deleting a Condition Component or Condition
A condition component is the list of elements that a condition set comprises. To delete a condition component from a condition set or an entire condition set Step 1 If you have not already done so, access the Internal Policy Validation Setup page. To Access the Internal Policy Validation Setup page a. In the navigation bar, click Posture Validation. b. Click Internal Posture Validation Setup. ACS displays a list of posture validation policies. Step 2 Select a policy name from the list of...
Deleting a Network Device Group
When you delete an NDG, all AAA clients and AAA servers that belong to the deleted group appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. It might be useful to empty an NDG of AAA clients and AAA servers before you delete it. You can do this manually by performing the procedure Reassigning AAA Clients or AAA Servers to an NDG, page 4-21 or, in cases where you have a large number of devices to reassign, use the RDBMS Synchronization feature. Caution When deleting an NDG,...
Deleting a Policy or Rule
Step 1 If you have not already done so, access the Internal Policy Validation Setup page. To Access the Internal Policy Validation Setup page a. In the navigation bar, click Posture Validation. b. Click Internal Posture Validation Setup. ACS displays a list of posture validation policies. Step 2 To delete a rule or policy, select a policy name from the list of posture validation policies. The Posture Validation Rules page appears. Step 3 To delete an entire policy and all its rules, click...
Deleting a Radius Authorization Component
You should remove the association of an RAC with any network access profile before deleting the RAC. To delete an RAC Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click RADIUS Authorization Components. The RADIUS Authorization Components Table Page appears. Step 3 Select the RAC name of the component that you want to delete. The Edit RADIUS Authorization Component Page appears. Step 4 Click Delete to remove the RADIUS...
