A Default Authorization Rule
You can set a default authorization rule if a condition is not defined or no matched condition is found. You can deny or grant access based on Shared RACs and DACLs selections. To configure a default authorization rule Choose the relevant profile Authorization policy. The Authorization Rules for Profile Page appears. Click Add Rule. The Authorization Rules for Profile Page appears. Select Authentication Action for the line that contains the text If a condition is not defined or there is no...
About External Audit Servers
Audit servers are Cisco and third-party servers that determine posture information about a host without relying on the presence of a Posture Agent (PA). The Cisco PA is also known as the Cisco Trust Agent (CTA). Audit servers are used to assess posture validation with an organization's security policy. You can also define a secondary external audit server. The presence of a secondary audit server allows the second or failover server to evaluate any policies from the primary server when the...
About IP Pools Server
If you are using VPNs you may have to overlap IP address assignments that is, it may be advantageous for a PPTP tunnel client within a given tunnel to use the same IP address that another PPTP tunnel client in a different tunnel is using. You can use the IP Pools Server feature to assign the same IP address to multiple users, provided that the users are being tunnelled to different home gateways for routing beyond the boundaries of your own network. You can, therefore, conserve your IP address...
About Radius Authorization Components
Shared Radius Authorization Components (RACs) contain groups of RADIUS attributes that you can dynamically assign to user sessions based on a policy. Using the Network Access Profile configuration, you can map a policy type with set conditions, such as Network Device Groups and posture, to a shared RAC. In ACS, RACs contain attributes that can be specific to a single network service (also referred to as a network-access policy). The access policy can map from various groups and postures to a...
About Radiusenabled Token Servers
ACS supports token servers by using the RADIUS server that is built into the token server. Rather than using a vendor-proprietary API, ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers. For information about configuring ACS to authenticate users with one of these token servers, see Configuring a RADIUS...
About Shared Profile Components
You use the Shared Profile Components section to develop and name reusable, shared sets of authorization components that may be applied to one or more users or groups of users, and referenced by name within their profiles. These include network-access filters (NAFs),.RADIUS Authorization Components (RACs), downloadable IP access control lists (IP ACLs), Network Access Restrictions (NARs), and command-authorization sets. The Shared Profile Components section addresses the scalability of...
About Unknown User Authentication
The Unknown User Policy is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. If a username does not exist in the ACS internal database, ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate. The external database must support the authentication protocol used in the authentication request. The Unknown User Policy enables ACS to use a variety of...
About User Setup Features and Functions
The User Setup section of the ACS web interface is the centralized location for all operations regarding user account configuration and administration. From within the User Setup section, you can View a list of all users in the ACS internal database. Assign the user to a group, including Voice-over-IP (VoIP) groups. Edit user account information. Establish or change user authentication type. Configure callback information for the user. Set network-access restrictions (NARs) for the user. Set...
Access Policy Options
You can configure the following options on the Access Policy Setup page IP Address Filtering Contains the following IP address filtering options - Allow all IP addresses to connect Allow access to the web interface from any IP address. - Allow only listed IP addresses to connect Allow access to the web interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table. - Reject connections from listed IP addresses Allow access to the web interface only from IP...
ACS Database Recovery Using the accountActions Table
Because the RDBMS Synchronization feature deletes each record in the accountActions table after processing the record, the accountActions table can be considered a transaction queue. The RDBMS Synchronization feature does not maintain a transaction log audit trail. If a log is required, the external system that adds records to the accountActions table must create it. Unless the external system can recreate the entire transaction history in the accountActions table, we recommend that you...
ACS System Logs
System logs are logs about the ACS system and therefore record system-related events. These logs are useful for troubleshooting or audits. They are always enabled and are only available in CSV format. Some system logs can be configured. For information about each system log, including which system logs are configurable, see Table 11-4. For instructions on viewing a CSV report in the web interface, see Viewing a CSV Report, page 11-12. Table 11-4 Accounting Log Descriptions and Related Topics...
Action Codes for Initializing and Modifying Access Filters
Table F-4 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users. Transactions using these codes affect the configuration that appears in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section, see Chapter 6, User...
Action Codes for Modifying Network Configuration
Table F-6 lists the action codes for adding AAA clients, AAA servers, network device groups, and proxy table entries. Transactions using these codes affect the configuration that appears in the Network Configuration section of the web interface. For more information about the Network Configuration section, see Chapter 4, Network Configuration. Table F-6 Action Codes for Modifying Network Configuration Table F-6 Action Codes for Modifying Network Configuration Adds a new AAA client (named in VN)...
Action Codes for Modifying Tacacs and Radius Group and User Settings
Table F-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for ACS groups and users. In the event that ACS has conflicting user and group settings, user settings always override group settings. Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section,...
Adding a New IP Pool
You can define up to 999 IP address pools. To add an IP pool Step 1 In the navigation bar, click System Configuration. The AAA Server IP Pools table lists any IP pools that you have already configured, their address ranges, and the percentage of pooled addresses in use. Step 4 In the Name box, type the name (up to 31 characters) to assign to the new IP pool. Step 5 In the Start Address box, type the lowest IP address (up to 15 characters) of the range of addresses for the new pool. Note All...
Adding a Shared NAR
You can create a shared NAR that contains many access restrictions. Although the ACS web interface does not enforce limits to the number of access restrictions in a shared NAR or to the length of each access restriction, you must adhere to the following limits The combination of fields for each line item cannot exceed 1024 characters. The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a...
Administration Issues
Remote administrator cannot bring up the ACS web interface in a browser or receives a warning that access is not permitted. 1. Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows for a list of supported browsers. 2. Ping ACS to confirm connectivity. 3. Verify that the remote administrator is using a valid administrator name and password that have previously been added in Administration Control. 4. Verify that Java...
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network. Local authentication on a network device can be performed, but it is not scalable. The use of network management tools can help in large networks but if local authentication is used on each network device, the policy usually entails a single login on the network device. This does...
Backing Up ACS with CSUtilexe
You can use the -b option to create a system backup of all ACS internal data. The resulting backup file has the same data as the backup files that are produced by the ACS Backup feature found in the web interface. For more information about the ACS Backup feature, see ACS Backup, page 8-7. _ Note During the backup, all services are automatically stopped and restarted. No users are authenticated while the backup is occurring. On the computer that is running ACS, open an MS-DOS command prompt and...
Before Using Radius Attributes
You can enable different attribute-value (AV) pairs for Internet Engineering Task Force (IETF) RADIUS and any supported vendor. For outbound attributes, you can configure the attributes that are sent and their content by using the ACS web interface. The RADIUS attributes that are sent to authentication, authorization, and accounting (AAA) clients in access-accept messages are user specific. To configure a specific attribute to be sent for a user, you must ensure that 1. In the Network...
Chapter 13User Databases 131
About the ACS Internal Database 13-2 User Import and Creation 13-2 About External User Databases 13-3 Authenticating with External User Databases 13-4 External User Database Authentication Process 13-4 Windows User Database Support 13-6 Authentication with Windows User Databases 13-6 Trust Relationships 13-7 Windows Dial-Up Networking Clients 13-7 Windows Dial-Up Networking Clients with a Domain Field 13-7 Windows Dial-Up Networking Clients without a Domain Field 13-7 Usernames and Windows...
Chapter 5Shared Profile Components
802.1X Example Setup 5-2 Network Access Filters 5-2 About Network Access Filters 5-3 Adding a Network Access Filter 5-3 Editing a Network Access Filter 5-5 Deleting a Network Access Filter 5-6 RADIUS Authorization Components 5-6 About RADIUS Authorization Components 5-7 Understanding RACs and Groups 5-7 Migrating Away from Groups to RACs 5-7 Vendors 5-7 Attribute Types 5-8 Before You Begin Using RADIUS Authorization Components 5-8 Enabling Use of RAC 5-9 Adding RADIUS Authorization Components...
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL From this site, you can perform these tasks Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL http www.cisco.com go psirt If you prefer to see advisories and notices as they are updated in real time,...
Cisco Technical Support Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL _ Note Use the Cisco Product...
Configuring a CSV
This procedure describes how to configure the content of a CSV log. For instructions to enable or disable a CSV log, see Enabling or Disabling a CSV Log, page 11-11. The logs to which this procedure applies are You cannot configure the ACS Backup and Restore, RDBMS synchronization, and Database Replication CSV logs. You can configure several aspects of a CSV log, including Log content Select which data attributes are included in the log. Log generation frequency Determine whether a new log is...
Configuring Authorization Policies
Authorization policies comprise rules that are applied to a NAP. Authorization policies are used for authorizing an authenticated user. Authorization rules can be based on group membership, posture validation, or both. Authorization actions are built from the RADIUS Authorization Components and ACLs. Credentials are used in identity and posture authorization. Each application's posture credentials are evaluated separately. Credentials are compared against the posture-validation policies. When...
Configuring Cisco VPN 5000 Concentrator Radius Settings for a User Group
The Cisco VPN 5000 Concentrator RADIUS attribute configurations appear only when the following are true.You have configured A network device to use RADIUS (Cisco VPN 5000) in Network Configuration. Group-level RADIUS (Cisco VPN 5000) attributes on the RADIUS (Cisco VPN 5000) page of the Interface Configuration section. Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000 Concentrator VSA. You must configure the IETF RADIUS and Cisco VPN 5000 Concentrator RADIUS attributes. Note...
Configuring NAC in ACS
This section provides an overview of the steps to configure posture validation in ACS, with references to more detailed procedures for each step. Note Design your posture policies by using the Posture Validation tab and then assign those policies to profiles by using the Posture Validation link inside the Network Access Profiles tab. Before ACS can perform posture validation, you must complete several configuration steps. An overview of the steps follows. For information on finding detailed...
Configuring Posture Validation Policies
Use the Posture Validation Page to configure and delete posture-validation rules. Posture-validation rules define the way that ACS performs posture validation. Each rule comprises a condition and actions. The condition contains a set of required credential types while the action contains a list of internal posture-validation policies or external posture-validation servers that you can use for posture validation, or both. See Chapter 14, Network Access Control Overview, for more information. ACS...
Configuring the Unknown Service Setting for a User
If you want TACACS+ AAA clients to permit unknown services, you can check the Default (Undefined) Services check box. Checking this option will PERMIT all UNKNOWN Services. To configure the Unknown Service setting for a user Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3. The User Setup Edit page opens. The username that you add or edit appears at the top of the page. Step 2 Scroll down to the table under the heading PERMIT all UNKNOWN Services. Step 3 To allow...
Creating an ACS Group Mapping for a Token Server ODBC Database or LEAP Proxy Radius Server Database
To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Group Mappings. Step 3 Click the name of the token server, LEAP Proxy RADIUS Server, or ODBC database configuration for which you want to configure a group mapping. The Define Group Mapping table appears. Step 4 From the Select a default group for database list, click the group to which users who were authenticated with this...
Creating an ACS Group Mapping for Windows or Generic LDAP Groups
To map a Windows or generic LDAP group to an ACS group Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Group Mappings. Step 3 Click the external user database name for which you want to configure a group mapping. If you are mapping a Windows group set, the Domain Configurations table appears. The Group Mappings for database Users table appears. Step 4 If you are mapping a Windows group set for a new domain The Define New Domain Configuration page appears. b....
Creating an ACS Internal Database Dump File
You can use the -d option to dump all contents of the ACS internal database into a password-protected text file. You can provide a name for the file otherwise, it is called dump.txt. The dump file provides a thorough and compressible backup of all ACS internal data. Using the -l option, you can reload the ACS internal data from a dump file created by the -d option. For more information about the -l option, see Loading the ACS Internal Database from a Dump File, page D-7. Note Using the -d...
Creating an Internal Policy
Use internal posture validation to write your own policies for access in your network. After you have created policies, you can then profile rules to use these policies. You can select internal policies for more than one profile. To add the policy to a profile, use the Network Access Profiles page. For descriptions of the options available on the Internal Posture Validation Setup page, see Internal Policy Configuration Options, page 14-10. For details on how to set up your third-party component...
Database Search Order
You can configure the order in which ACS checks the selected databases when ACS attempts unknown authentication. The Unknown User Policy supports unknown user authentication. It will 1. Find the next user database in the Selected Databases list that supports the authentication protocol of the request. If the list contains no user databases that support the authentication protocol of the request, stop unknown user authentication and deny network access to the user. 2. Send the authentication...
Deleting a Network Device Group
When you delete an NDG, all AAA clients and AAA servers that belong to the deleted group appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. It might be useful to empty an NDG of AAA clients and AAA servers before you delete it. You can do this manually by performing the procedure Reassigning AAA Clients or AAA Servers to an NDG, page 4-21 or, in cases where you have a large number of devices to reassign, use the RDBMS Synchronization feature. Caution When deleting an NDG,...
Deleting a Radius Authorization Component
You should remove the association of an RAC with any network access profile before deleting the RAC. To delete an RAC Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click RADIUS Authorization Components. The RADIUS Authorization Components Table Page appears. Step 3 Select the RAC name of the component that you want to delete. The Edit RADIUS Authorization Component Page appears. Step 4 Click Delete to remove the RADIUS...
Dialin Connection Issues
A dial-in user cannot connect to the AAA client. No record of the attempt appears in the TACACS+ or RADIUS Accounting Report (in the Reports & Activity section, click TACACS+ Accounting or RADIUS Accounting or Failed Attempts). Examine the ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error. Confirm that The dial-in user was able to establish a connection and ping the computer before ACS was installed. If the dial-in user could not, the problem is...
Digital Certificates
You use the ACS Certificate Setup pages to install digital certificates to support EAP-TLS, EAP-FAST, and PEAP authentication, as well as to support Secure HyperText Transfer Protocol (HTTPS) protocol for secure access to the ACS web interface. ACS uses the X.509 v3 digital certificate standard. Certificate files must be in Base64-encoded X.509 format or Distinguished Encoding Rules (DER)-encoded binary X.509 format. Also, ACS supports manual certificate enrollment and provides the means for...
Downloadable ACLs
Downloadable per-user ACL support is available for Layer 3 network devices that support downloadable ACLs. These includes Cisco PIX security appliances, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that you can apply per user or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with NAFs, you can apply downloadable ACLs can differently per device, allowing you to tailor ACLs uniquely per...
Editing a Network Access Filter
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click Network Access Filtering. The Network Access Filtering table appears. Step 3 In the Name column, click the NAF that you want to edit. The Network Access Filter page appears with information visible for the selected NAF. Step 4 Edit the Name or Description of the NAF type and delete information, as applicable. The description can be up to 30,000 characters. Caution If you...
Editing a Policy
You can only edit a policy by accessing it through the Posture Validation pages. To edit a policy or posture validation rule Step 1 In the navigation bar, click Posture Validation. Step 2 Click Internal Posture Validation Setup. Step 3 Click on the policy name of the rule that you want to edit. The applicable policy rules page appears. Step 4 To edit a policy a. Click Add Rule to add more condition sets. To change a condition set that you have already added iii. Update its attribute, entity,...
Enabling PEAP Authentication
This procedure provides an overview of the detailed procedures that are required to configure ACS to support PEAP authentication. Note You must configure end-user client computers to support PEAP. This procedure is specific to configuration of ACS only. Step 1 Install a server certificate in ACS. PEAP requires a server certificate. For detailed steps, see Installing an ACS Server Certificate, page 10-25. Note If you have previously installed a certificate to support EAP-TLS or PEAP user...
Exporting User List to a Text File
You can use the -u option to export a list of all users in the ACS internal database to a text file named users.txt. The users.txt file organizes users by group. Within each group, users are listed in the order that their user accounts were created in the ACS internal database. For example, if accounts were created for Pat, Dana, and Lloyd, in that order, users.txt lists them in that order as well rather than alphabetically. Note Using the -u option requires that you stop the CSAuth service....
External Policy Configuration Options
On the External Posture Validation Setup page you can specify a NAC server (and an optional second NAC server) that ACS relies upon to apply the policy and configure the set of credential types that ACS forwards. The options for configuring an external policy are as follows Name Specifies the name by which to identify the policy. Note The name can contain up to 32 characters. Leading and trailing spaces are not allowed. Names cannot contain the left bracket ( ), the right bracket ( ), the comma...
Fallback on Failed Connection
You can configure the order in which ACS checks remote AAA servers if a failure of the network connection to the primary AAA server occurs. If an authentication request cannot be sent to the first listed server, because of a network failure for example, the next listed server is checked. This checking continues, in order, down the list, until the AAA servers handles the authentication request. (Failed connections are detected by failure of the nominated server to respond within a specified time...
Group Disablement
You perform this procedure to disable a user group and, therefore, to prevent any member of the disabled group from authenticating. Note Group Disablement is the only setting in ACS where the setting at the group level may override the setting at the user level. If group disablement is set, all users within the disabled group are denied authentication, regardless of whether the user account is disabled. However, if a user account is disabled, it remains disabled regardless of the status of the...
Group Mapping Order
ACS always maps users to a single ACS group yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned. ACS prevents conflicting group set mappings by assigning a mapping order to the group set...
HostAAA clientuser deniiy
ACS is a critical component of the Cisco Network Admission Control (NAC) framework. Cisco NAC is a Cisco Systems-sponsored industry initiative that uses the network infrastructure to enforce security-policy compliance on all machines seeking to access network computing resources, thereby limiting damage from viruses and worms. With NAC, network access to compliant and trusted PCs can be permitted, while the access of noncompliant devices can be restricted. See Figure 1-2. ACS is also an...
IETF Dictionary of Radius Ietf Av Pairs
Table C-7 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified. Table C-7 RADIUS (IETF) Attributes Name of the user being authenticated. User password or input following an access challenge. Passwords longer than 16 characters are encrypted by using IETF Draft 2 or later specifications. PPP (Point-to-Point Protocol) Challenge Handshake Authentication Protocol (CHAP) response to an Access-Challenge. IP address of the AAA...
Implementing Centralized Remote Logging
Ensure that gateway devices between remote ACSs and the central logging ACS permit the central logging ACS to receive data on TCP port 2001. To implement centralized remote logging Step 1 On a computer on which you will to store centralized logging data, install ACS. For information about installing ACS, see the Installation Guide for Cisco Secure ACS for Windows. Step 2 In the ACS that is running on the central logging server a. Configure the accounting logs as needed. All accounting data that...
Import Vendor Attribute Value Pairs AVPs
ACS does not include any non-Cisco attributes by default. Therefore, you must import a NAC Attribute Definition File (ADF) from each vendor application that you would like to validate in your NAC posture-validation policies. The attributes that are added can be used to create conditions for internal policies. NAC introduces the ability to authorize network hosts not only based upon user or machine identity but also upon a host's posture validation. The posture validation is determined by...
Importing Posture Validation Attribute Definitions
The -addAVP option imports posture-validation attribute definitions into ACS from an attribute definition file. For an explanation of the contents of a posture-validation attribute definition file, see Posture-Validation Attribute Definition File, page D-28. For an example of an attribute definition file, see Default Posture-Validation Attribute Definition File, page D-35. Because completing this procedure requires restarting the CSAuth service, which temporarily suspends authentication...
Juniper Dictionary of Radius Vsas
Table C-11 lists the Juniper RADIUS VSAs supported by ACS. The Juniper vendor ID number is 2636. Table C-11 Juniper RADIUS VSAs String (maximum length 247 characters) String (maximum length 247 characters) String (maximum length 247 characters) This appendix details the command-line utility, csutii.exe, for Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS. Among its several functions, your can use csutii .exe to add, change, and delete users from a...
LDAP Configuration Options
The LDAP Database Configuration page contains many options, presented in three tables Domain Filtering This table contains options for domain filtering. The settings in this table affect all LDAP authentication that is performed by using this configuration regardless of whether the primary or secondary LDAP server handles the authentication. For more information about domain filtering, see Domain Filtering, page 13-24 - Process all usernames When you select this option, ACS does not perform...
Log Filtering
You can use ACS to filter CSV log reports. When you select a report type from the available reports types list, a report history (log) files list of the selected report type appears. After you select a specific CSV log file, and its contents appear, you can specify the filtering criteria. The filtering criteria is applied on the original log file, and only rows that match the criteria appear. Filtering criteria includes a regular expression, a time range or both. Regular expression-based...
Master Key and Pac Ttls
The TTL values for master keys and PACs determine their states, as described in About Master Keys, page 10-10 and About PACs, page 10-11. master key and PAC states determine whether someone requesting network access with EAP-FAST requires PAC provisioning or PAC refreshing. Table 10-1 summarizes ACS behavior with respect to PAC and master key states. Table 10-1 Master Key versus PAC States Table 10-1 Master Key versus PAC States PAC is not refreshed at end of phase two. PAC is refreshed at end...
Microsoft MPPE Dictionary of Radius Vsas
ACS supports the Microsoft RADIUS VSAs used for MPPE. The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt PPP links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that ACS supports. The following ACS RADIUS protocols support the Microsoft RADIUS VSAs Cisco VPN 3000 ASA PIX 7.x+ To control Microsoft MPPE settings for users...
NAC Agentless Host
This template is used for access requests for NAC Agentless Hosts (NAH), also known as agentless hosts. These requests use EAP over UDP (EoU). Table 15-16 describes the Profile Sample in the NAH Sample Profile Template. Table 15-16 NAH Sample Profile Template Table 15-16 NAH Sample Profile Template ( 26 9 1 Cisco av-pair aaa service ip-admission) AND ( 006 Service-Type 10) Table 15-16 NAH Sample Profile Template (continued) Table 15-16 NAH Sample Profile Template (continued) Include RADIUS...
Network Access Control Overview
NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. It uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources thereby limiting damage from emerging security threats. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices. This section contains the...
Nortel Dictionary of Radius Vsas
Table C-10 lists the Nortel RADIUS VSAs supported by ACS. The Nortel vendor ID number is 1584. Table C-10 Nortel RADIUS VSAs Ipaddr (maximum length 15 characters) Ipaddr (maximum length 15 characters) Ipaddr (maximum length 15 characters) Ipaddr (maximum length 15 characters) Ipaddr (maximum length 15 characters)
Outbound Replication Options
In the Outbound Replication table on the ACS Database Replication page, you can schedule outbound replication and specify the secondary ACSs for this primary ACS. Table 9-2 Outbound Replication Options Table 9-2 Outbound Replication Options ACS does not perform automatic database replication. ACS performs database replication to the configured list of secondary ACSs when database replication from a primary ACS completes. You use this option to build a propagation hierarchy of ACS, relieving a...
P
Tip Use the Network Access Profile templates to save time. NAP templates automatically create a set of shared profile components if none are configured. For details, see Shared-profile Components, page 15-13. 1. Add devices to ACS. For ACS to interact with AAA clients and servers you must add their network information. For instructions on how to add devices by using Network Configuration, see Adding AAA Clients, page 4-11. 2. Enable the attributes (VSAs) that you want to use. Disable those...
PEAP and ACS
ACS supports PEAP authentication by using the Cisco Aironet PEAP client or the Microsoft PEAP client that is included with Microsoft Windows XP Service Pack 1. ACS can support the Cisco Aironet PEAP client with PEAP(EAP-GTC) only. For the Microsoft PEAP client in the Windows XP Service Pack 1, ACS supports only PEAP(EAP-MS-CHAPv2). For information about which user databases support PEAP protocols, see Authentication Protocol-Database Compatibility, page 1-7. When the end-user client is the...
PEAP and the Unknown User Policy
During PEAP authentication, ACS might not know the real username to be authenticated until phase two of authentication. While the Microsoft PEAP client does reveal the actual username during phase one, the Cisco PEAP client does not therefore, ACS does not attempt to look up the username that is presented during phase one and the use of the Unknown User Policy is irrelevant during phase one, regardless of the PEAP client used. When phase two of PEAP authentication occurs and the username that...
Posture Validation for Agentless Hosts
Posture-validation rules define what the returned posture token for posture validation will be. The posture-validation table includes posture-validation rules and audit configuration settings. A required credential that defines the mandatory credential types that activate the rule. The local policies and external servers that will execute to calculate the posture token. PA (posture agent) Messages that will return to the client for each posture token. A URL redirect that will be sent to the AAA...
Posture Validation Process
ACS evaluates the posture attributes received from an endpoint computer. The following overview describes the steps and systems involved in posture validation. Details about various concepts, such as posture tokens and policies, are provided in topics that follow. 1. Following a network event (for example, EoLAN Hello 802.1 or traffic captured ny the EoU ACL on the NAD), the NAD initiates an EAP conversation with the endpoint and forwards EAP messages from the endpoint to ACS. 2. ACS...
Preparing for ODBC Logging
The following procedure explains how to prepare for ODBC logging. After you have prepared for ODBC logging, you can configure individual ODBC logs. Step 1 Set up the relational database to which you want to export logging data. For more information, refer to your relational database documentation. Step 2 Set up a system data source name (DSN) on the computer that is running ACS. For instructions, see Configuring a System Data Source Name for an ODBC External User Database, page 13-43. Step 3...
Processing Unmatched User Requests
ACS global configuration settings serve two purposes Defining the fallback behavior for a request that does not match a profile. Defining the baseline for NAPs (if you want to enable a protocol in the NAP authentication page, you must first enable it in the Global Authentication Settings page). Although legacy global settings and NAPs are supported and are interoperable, we do not recommend both of them, except for the case that is described in this section. We recommend that you use the Deny...
Proxy in Distributed Systems
Proxy is a powerful feature that enables you to use ACS for authentication in a network that uses more than one AAA server. Using proxy, ACS automatically forwards an authentication requests from AAA clients to AAA servers. After the request has been successfully authenticated, the authorization privileges that you configured for the user on the remote AAA server are passed back to the original ACS, where the AAA client applies the user profile information for that session. Proxy provides a...
Replication and Eapfast
The Database Replication feature supports the replication of EAP-FAST settings, Authority ID, and master keys. Replication of EAP-FAST data occurs only if on the Database Replication Setup page of the primary ACS, under Send, you have checked the EAP-FAST master keys and policies check box. Global Authentication Setup page of the primary ACS, you have enabled EAP-FAST and checked the EAP-FAST master server check box. Database Replication Setup page of the secondary ACS, under Receive, you have...
Replication Components Options
You can specify the ACS internal database components that an ACS sends as a primary ACS and the components that it receives as a secondary ACS. For increased security, you might want to have one ACS always be the sender and the other ACSs always be the receivers. You can use this method to ensure that all your ACSs are configured identically. _ Note The ACS internal database components that a secondary ACS receives overwrite the ACS internal database components on the secondary ACS. Any...
Separation of Administrative and General Users
You should prevent the general network user from accessing network devices. Even though the general user may not intend to gain unauthorized access, inadvertent access could accidentally disrupt network access. AAA and ACS provide the means to separate the general user from the administrative user. The easiest, and recommended, method to perform such separation is to use RADIUS for the general remote-access user and TACACS+ for the administrative user. One issue is that an administrator may...
Setting a Posture Validation Policy
A posture-validation policy can have one or more posture-validation rules. When ACS uses a posture-validation policy to evaluate a posture-validation request, the first match is implemented. The selected rules determines which internal and external policies will be activated for the request. You can configure posture-validation policies that might be associated with a rule in Internal or External Posture Validation Setup, as applicable. To add an internal posture-validation policy, external...
Setting Cisco Aironet Radius Parameters for a User
The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a virtual VSA. This VSA acts as a specialized implementation (that is, a remapping) of the IETF RADIUS Session-Timeout attribute (27) to respond to a request from a Cisco Aironet Access Point.Use the Cisco-Aironet-Session-Timeout attribute to provide a different timeout value when a user must be able to connect via wireless and wired devices. This capability to provide a second timeout value specifically for WLAN connections...
Setting IP Address Assignment Method for a User Group
Perform this procedure to configure the way ACS assigns IP addresses to users in the group. The four possible methods are No IP address assignment No IP address is assigned to this group. Assigned by dialup client Use the IP address that is configured on the dialup client network settings for TCP IP. Assigned from AAA Client pool The IP address is assigned by an IP address pool that is assigned on the AAA client. Assigned from AAA server pool The IP address is assigned by an IP address pool...
Setting Juniper Radius Parameters for a User
The Juniper RADIUS parameters appear only if all the following are true AAA clients (one or more) are configured to use RADIUS (Juniper) in Network Configuration. Per-user TACACS+ RADIUS Attributes check box is selected under Interface Configuration > Advanced Options. User-level RADIUS (Juniper) attributes that you want to apply are enabled under Interface Configuration > RADIUS (Juniper). Juniper RADIUS represents only the Juniper proprietary attributes. You must configure the IETF RADIUS...
Setting Network Access Restrictions for a User
You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways Apply existing shared NARs by name. Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established. Define calling line ID Dialed Number Identification Service (CLI DNIS)-based access restrictions to permit or deny user access based on the CLI DNIS that is used. _ Note...
Suggested Deployment Sequence
While no single process for all ACS deployments is recommended, you should consider following the sequence, keyed to the high-level functions that are represented in the navigation toolbar. Also remember that many of these deployment activities are iterative in nature you may find that you repeatedly return to such tasks as interface configuration as your deployment proceeds. The recommended sequence of configuration tasks is Configure Administrators You should configure at least one...
T
TACACS+ 1-3 accounting 1-15 advanced TACACS+ settings in Group Setup 6-2, 6-3 in User Setup 7-22 AV (attribute value) pairs accounting B-3 general B-1 custom commands 3-8 enable password options for users 7-23 enable privilege options 7-22 interface configuration 3-7 interface options 3-9 outbound passwords for users 7-24 ports 1-3 SENDAUTH 1-10 settings in Group Setup 6-2, 6-3, 6-22 in User Setup 7-15, 7-16 specifications 1-3 time-of-day access 3-8 troubleshooting A-15 vs. RADIUS 1-3 TACACS+...
User Data Configuration Options
The Configure User Defined Fields page enables you to add (or edit) up to five fields for recording information on each user. The fields you define in this section subsequently appear in the Supplementary User Information section at the top of the User Setup page. For example, you could add the user's company name, telephone number, department, billing code, and so on. You can also include these fields in the accounting logs. For more information about the accounting logs, see About ACS Logs...
User Changeable Passwords with Windows User Databases
For network users who are authenticated by a Windows user database, ACS supports user-changeable passwords on password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section. The use of this feature in your network requires that Users must be present in the Windows Active Directory or SAM user database. User accounts in ACS must specify the Windows user database for...
User Defined Attributes
User-defined attributes (UDAs) are string values that can contain any data, such as social security number, department name, telephone number, and so on. You can configure ACS to include UDAs on accounting logs about user activity. For more information about configuring UDAs, see User Data Configuration Options, page 3-4. RDBMS Synchronization can set UDAs by using the SET_VALUE action (code 1) to create a value called USER_DEFINED_FIELD_0 or USER_DEFINED_FIELD_1. For accountActions rows...
User Defined Radius Vendors and VSA Sets
This section provides information and procedures about user-defined RADIUS vendors and VSAs. This section contains the following topics About User-Defined RADIUS Vendors and VSA Sets, page D-18 Adding a Custom RADIUS Vendor and VSA Set, page D-18 Deleting a Custom RADIUS Vendor and VSA Set, page D-19 Listing Custom RADIUS Vendors, page D-20 Exporting Custom RADIUS Vendor and VSA Sets, page D-21 RADIUS Vendor VSA Import File, page D-21
User Specific Attributes
Table F-7 lists the attributes that define an ACS user, including their data types, limits, and default values. It also provides the action code you can use in accountActions to affect each attribute. Although there are many actions available, adding a user requires only one transaction ADD_USER. You can safely leave other user attributes at their default values. The term NULL is not simply an empty string, but means not set that is, the value will not be processed. Some features are processed...
Using the Online User Guide
The user guide provides information about the configuration, operation, and concepts of ACS. The information in the online documentation is as current as the release date of the ACS version that you are using. For the latest documentation about ACS, click http www.cisco.com. To access online documentation Step 1 In the ACS web interface, click Online Documentation. Step 2 If you want to select a topic from the table of contents, scroll through the table of contents and click the applicable...
Using the Web Interface
Administrative Sessions and HTTP Proxy 3-2 Administrative Sessions Through Firewalls 3-2 Administrative Sessions Through a NAT Gateway 3-2 Accessing the Web Interface 3-3 Logging Off the Web Interface 3-3 Interface Design Concepts 3-4 Introduction of Network Access Profiles 3-4 User-to-Group Relationship 3-4 Per-User or Per-Group Features 3-4 User Data Configuration Options 3-4 Configuring New User Data Fields 3-5 Advanced Options 3-5 Setting Advanced Options for the ACS User Interface 3-7...
Viewing a CSV Report
When you select Logged-in Users or Disabled Accounts, a list of logged-in users or disabled accounts appears in the display area, which is the pane on the right side of the web browser. For all other types of reports, a list of applicable reports appears. Files appear in chronological order, with the most recent file at the top of the list. The reports are named and listed by the date on which they were created for example, a report ending with 2002-10-13.csv was created on October 13, 2002....
Cisco Airespace Dictionary of Radius Vsa
Table C-6 lists the supported RADIUS (Cisco Airespace) attributes. In addition to these attributes, Cisco Airespace devices support some IETF attributes for 802.1x identity networking Tunnel-Private-Group-Id (81) ACS cannot offer partial support of IETF hence, adding an Cisco Airespace device (into the Network Configuration) will automatically enable all IETF attributes. Table C-6 Cisco Airespace RADIUS Attributes Table C-6 Cisco Airespace RADIUS Attributes Name of the user being authenticated....
NAC Layer 2 8021x
Before you use this template enable 1. EAP-FAST in Global Authentication Setup 2. EAP-FAST Authenticated in-band PAC Provisioning in Global Authentication Settings 3. EAP-FAST MS-CHAPv2 in Global Authentication Setup 4. EAP-FAST GTC in Global Authentication Setup Table 15-8 describes the content of the NAC L2 802.1x Sample Profile Template. Table 15-8 NAC L2 802.1x Profile Sample Table 15-8 describes the content of the NAC L2 802.1x Sample Profile Template. Table 15-8 NAC L2 802.1x Profile...
EAP Configuration
EAP is a flexible request-response protocol for arbitrary authentication information (RFC 2284). EAP is layered on top of another protocol such as UDP, 802.1x, or RADIUS and supports multiple authentication types EAP-TLS (based on X.509 certificates) EAP-MD5 Plain Password Hash (CHAP over EAP) New extended EAP methods have been added to EAP for NAC EAP-TLV Carry posture credentials, adding posture AVPs, posture notifications. Status Query You can use this new EAP method for securely querying...
AAA Client Configuration Options
AAA client configurations enable ACS to interact with the network devices that the configuration represents. A network device that does not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, does not receive AAA services from ACS. The Add AAA Client and AAA Client Setup pages include AAA Client Hostname The name that you assign to the AAA client configuration. Each AAA client configuration can represent multiple network devices thus, the AAA client hostname...
Date Format Control
ACS supports two possible date formats in its logs, reports, and administrative interface. You can choose a month day year format or a day month year format. Tip Using a comma-separated value (CSV) file might not work well in different countries for example, when imported into programs such as Word or Excel. You might need to replace the commas(,) with semicolons ( ) if necessary. If you have reports that were generated before you changed the date format, you must move or rename them to avoid...
Ascend Dictionary of Radius Av Pairs
ACS supports the Ascend RADIUS AV pairs. Table C-9 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions comprise AV pairs. The value of each attribute is specified as Ipaddr 4 octets in network byte order. Integer 32-bit value in big endian order (high byte first). Call filter Defines a call filter for the profile. Note RADIUS filters are retrieved only when a call is placed by using a RADIUS outgoing profile or answered by using a...
About the ciscoavpair Radius Attribute
The first attribute in the Cisco IOS PIX 6.0 RADIUS implementation, cisco-av-pair, supports the inclusion of many AV pairs by using the following format where attribute and value are an AV pair supported by the releases of IOS implemented on your AAA clients, and sep is for mandatory attributes and asterisk (*) for optional attributes. You can then use the full set of Terminal Access Controller Access Control System (TACACS+) authorization features for RADIUS. Note The attribute name in an AV...
Loading the ACS Internal Database from a Dump File
You can use the -l option to overwrite all ACS internal data from a dump text file. This option replaces the existing all ACS internal data with the data in the dump text file. In effect, the -l option initializes all ACS internal data before loading it from the dump text file. Dump text files are created by using the -d option. You must use the same password used to encrypt the dump files. You can use the -p option in conjunction with the -l option to reset password-aging counters. Note Using...
Listing Custom Radius Vendors
You can use the -listUDV option to determine what custom RADIUS vendors are defined in ACS. You also use this option to determine which of the ten possible custom RADIUS vendor slots are in use and which RADIUS vendor occupies each used slot. To list all custom RADIUS vendors that are defined in ACS Step 1 On the computer that is running ACS, open an MS-DOS command prompt and change directories to the directory containing csutii .exe. For more information about the location of csutii. exe, see...
CSUtil Command Syntax
The syntax for the CSUtil command is csutil -q -b backup_filename -d -p secret_key dump_filename -e number -g group_number -i file -p secret_key -l filename -passwd secret_key -n -r all users config backup_file -u -listUDV -addUDV slot filename.ini -delUDV slot -dumpUDV database_dump_filename -t -filepath full_filepath -passwd password -machine (-a -g group_number -u user_name -f user_list_filepath) -addAVP filepath -delAVP vendor_id application_id attribute_id -dumpAVP filename -delPropHPP...
Protocol Configuration Options for RADIUS
It is unlikely that you would want to install every attribute available for every protocol. Displaying each would make setting up a user or group cumbersome. To simplify setup, use the options in this section to customize the attributes that are visible. For a list of supported RADIUS AV pairs and accounting AV pairs, see Appendix C, RADIUS Attributes. Depending on which AAA client or clients you have configured, the Interface Configuration page displays different choices of RADIUS protocol...
About Downloadable IP ACLs
You can use downloadable IP ACLs to create sets of ACL definitions that you can apply to many users or user groups. These sets of ACL definitions are called ACL contents. Also, by incorporating NAFs, you can control the ACL contents that are sent to the AAA client from which a user is seeking access. That is, a downloadable IP ACL comprises one or more ACL content definitions, each of which is associated with a NAF or (by default) associated to all AAA clients. (The NAF controls the...
