A Default Authorization Rule
You can set a default authorization rule if a condition is not defined or no matched condition is found. You can deny or grant access based on Shared RACs and DACLs selections. To configure a default authorization rule Choose the relevant profile Authorization policy. The Authorization Rules for Profile Page appears. Click Add Rule. The Authorization Rules for Profile Page appears. Select Authentication Action for the line that contains the text If a condition is not defined or there is no...
AAA Server Configuration Options
AAA server configurations enable ACS to interact with the AAA server that the configuration represents. AAA servers that do not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, does not receive AAA services from ACS, such as proxied authentication requests, database replication communication, remote logging, and RDBMS synchronization. Also, several distributed systems features require that the other ACSs included in the distributed system be represented in...
About ACS Backup
Chapter 8 System Configuration Basic For information about using a backup file to restore ACS, see ACS System Restore, page 8-11. The backup and restore features between different ACS versions are not supported. The default directory for backup files is where drive is the local drive where you installed ACS and path is the path from the root of drive to the ACS directory. For example, if you installed ACS version 4.0 in the default location, the default backup c Program Files CiscoSecure ACS...
About Command Authorization Sets
This section contains the following topics Command Authorization Sets Description, page 5-24 Command Authorization Sets Assignment, page 5-26 Case Sensitivity and Command Authorization, page 5-26 Arguments and Command Authorization, page 5-27 About Pattern Matching, page 5-27 Command Authorization Sets Description Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the...
About External Audit Servers
Audit servers are Cisco and third-party servers that determine posture information about a host without relying on the presence of a Posture Agent (PA). The Cisco PA is also known as the Cisco Trust Agent (CTA). Audit servers are used to assess posture validation with an organization's security policy. You can also define a secondary external audit server. The presence of a secondary audit server allows the second or failover server to evaluate any policies from the primary server when the...
About Radius Authorization Components
Shared Radius Authorization Components (RACs) contain groups of RADIUS attributes that you can dynamically assign to user sessions based on a policy. Using the Network Access Profile configuration, you can map a policy type with set conditions, such as Network Device Groups and posture, to a shared RAC. In ACS, RACs contain attributes that can be specific to a single network service (also referred to as a network-access policy). The access policy can map from various groups and postures to a...
About Radiusenabled Token Servers
ACS supports token servers by using the RADIUS server that is built into the token server. Rather than using a vendor-proprietary API, ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers. For information about configuring ACS to authenticate users with one of these token servers, see Configuring a RADIUS...
About Rules Rule Elements and Attributes
A rule is a set of one or more rule elements. A rule element is a logical statement that contains ACS uses the operator to compare the contents of an attribute to the value. Each rule element of a rule must be true for the whole rule to be true. In other words, all rule elements of a rule are joined with a Boolean AND. Note The 026 009 001Cisco AV-pair attribute field is unique. When it is selected, the AV-pair key and an AV-pair value are activated. Enter values for the two fields. For...
About Shared Profile Components
You use the Shared Profile Components section to develop and name reusable, shared sets of authorization components that may be applied to one or more users or groups of users, and referenced by name within their profiles. These include network-access filters (NAFs),.RADIUS Authorization Components (RACs), downloadable IP access control lists (IP ACLs), Network Access Restrictions (NARs), and command-authorization sets. The Shared Profile Components section addresses the scalability of...
About Unknown User Authentication
The Unknown User Policy is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. If a username does not exist in the ACS internal database, ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate. The external database must support the authentication protocol used in the authentication request. The Unknown User Policy enables ACS to use a variety of...
About User Setup Features and Functions
The User Setup section of the ACS web interface is the centralized location for all operations regarding user account configuration and administration. From within the User Setup section, you can View a list of all users in the ACS internal database. Assign the user to a group, including Voice-over-IP (VoIP) groups. Edit user account information. Establish or change user authentication type. Configure callback information for the user. Set network-access restrictions (NARs) for the user. Set...
Access Policy Options
You can configure the following options on the Access Policy Setup page IP Address Filtering Contains the following IP address filtering options - Allow all IP addresses to connect Allow access to the web interface from any IP address. - Allow only listed IP addresses to connect Allow access to the web interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table. - Reject connections from listed IP addresses Allow access to the web interface only from IP...
Accessing the Web Interface
Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, ACS requires a valid administrator name and password for administrative sessions accessed from a browser on the computer running ACS. Determine whether a supported web browser is installed on the computer you...
Accounting Logs
Accounting logs contain information about the use of remote access services by users. By default, these logs are available in CSV format, with the exception of the Passed Authentications log. You can also configure ACS to export the data for these logs to an ODBC-compliant relational database that you configure to store the log data. Table 11-1 describes all accounting logs. In the web interface, all accounting logs can be enabled, configured, and viewed. Table 11-2 contains information about...
ACS and AV Pairs
When you enable NAC Layer 2 IP validation, ACS provides NAC AAA services by using RADIUS. ACS gets information about the antivirus credentials of the endpoint system and validates the antivirus condition of the endpoint. You can set these Attribute-Value (AV) pairs on ACS by using the RADIUS cisco-av-pair vendor-specific attributes (VSAs). Cisco Secure-Defined-ACL Specifies the names of the downloadable ACLs on the ACS. The switch gets the ACL name through the Cisco Secure-Defined-ACL AV pair...
ACS Authentication Process with an ODBC External User Database
ACS forwards user authentication requests to an ODBC database when the user Account in the ACS internal database lists an ODBC database configuration as the authentication method. Is unknown to the ACS internal database, and the Unknown User Policy dictates that an ODBC database is the next external user database to try. In either case, ACS forwards user credentials to the ODBC database via an ODBC connection. The relational database must have a stored procedure that queries the appropriate...
ACS Database Recovery Using the accountActions Table
Because the RDBMS Synchronization feature deletes each record in the accountActions table after processing the record, the accountActions table can be considered a transaction queue. The RDBMS Synchronization feature does not maintain a transaction log audit trail. If a log is required, the external system that adds records to the accountActions table must create it. Unless the external system can recreate the entire transaction history in the accountActions table, we recommend that you...
ACS Features Functions and Concepts
ACS incorporates many technologies to render AAA services to network-access devices, and provides a central access-control function. This section contains the following topics ACS as the AAA Server, page 1-3 AAA Protocols TACACS+ and RADIUS, page 1-3 Additional Features in ACS Version 4.0, page 1-4 From the perspective of the NAD, ACS functions as the AAA server. You must configure the device, which functions as a AAA client from the ACS perspective, to direct all end-user host access requests...
ACS System Logs
System logs are logs about the ACS system and therefore record system-related events. These logs are useful for troubleshooting or audits. They are always enabled and are only available in CSV format. Some system logs can be configured. For information about each system log, including which system logs are configurable, see Table 11-4. For instructions on viewing a CSV report in the web interface, see Viewing a CSV Report, page 11-12. Table 11-4 Accounting Log Descriptions and Related Topics...
Action Codes for Initializing and Modifying Access Filters
Table F-4 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users. Transactions using these codes affect the configuration that appears in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section, see Chapter 6, User...
Action Codes for Modifying Network Configuration
Table F-6 lists the action codes for adding AAA clients, AAA servers, network device groups, and proxy table entries. Transactions using these codes affect the configuration that appears in the Network Configuration section of the web interface. For more information about the Network Configuration section, see Chapter 4, Network Configuration. Table F-6 Action Codes for Modifying Network Configuration Table F-6 Action Codes for Modifying Network Configuration Adds a new AAA client (named in VN)...
Action Codes for Modifying Tacacs and Radius Group and User Settings
Table F-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for ACS groups and users. In the event that ACS has conflicting user and group settings, user settings always override group settings. Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section,...
Adding a Command Authorization
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page lists the command-authorization set types that are available. These always include Shell Command Authorization Sets and may include others, such as command-authorization set types that support Cisco device-management applications. Step 2 Click one of the listed command-authorization set types, as applicable. The selected Command Authorization Sets table appears. The applicable Command Authorization...
Adding a New IP Pool
You can define up to 999 IP address pools. To add an IP pool Step 1 In the navigation bar, click System Configuration. The AAA Server IP Pools table lists any IP pools that you have already configured, their address ranges, and the percentage of pooled addresses in use. Step 4 In the Name box, type the name (up to 31 characters) to assign to the new IP pool. Step 5 In the Start Address box, type the lowest IP address (up to 15 characters) of the range of addresses for the new pool. Note All...
Adding a Shared NAR
You can create a shared NAR that contains many access restrictions. Although the ACS web interface does not enforce limits to the number of access restrictions in a shared NAR or to the length of each access restriction, you must adhere to the following limits The combination of fields for each line item cannot exceed 1024 characters. The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a...
Adding AAA Servers
For descriptions of the options that are available while adding a remote AAA server configuration, see AAA Server Configuration Options, page 4-15. For ACS to provide AAA services to a remote AAA server, you must ensure that gateway devices between the remote AAA server and ACS permit communication over the ports that support the applicable AAA protocol (RADIUS or TACACS+). For information about ports that AAA protocols use, see AAA Protocols TACACS+ and RADIUS, page 1-3. In the navigation bar,...
Additional Features in ACS Version
ACS version 4.0 provides the following features that help fortify and protect networked business systems Cisco NAC support ACS 4.0 acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials received from the Cisco Trust Agent (CTA, posture), determines the state of the host, and sends a per-user authorization to the network-access device ACLs, a policy based access control list, or a private VLAN assignment. Evaluation of the host...
Administration Issues
Remote administrator cannot bring up the ACS web interface in a browser or receives a warning that access is not permitted. 1. Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows for a list of supported browsers. 2. Ping ACS to confirm connectivity. 3. Verify that the remote administrator is using a valid administrator name and password that have previously been added in Administration Control. 4. Verify that Java...
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network. Local authentication on a network device can be performed, but it is not scalable. The use of network management tools can help in large networks but if local authentication is used on each network device, the policy usually entails a single login on the network device. This does...
An Example of accountActions
Table F-10 presents an sample instance of accountActions that contains some of the action codes described in Action Codes, page F-3. First user fred is created, along with his passwords, including a TACACS_ Enable password with privilege level 10. Fred is assigned to Group 2. His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day Day-of-Week restrictions, token caching, and some RADIUS attributes. _ Note This...
Assigning an Unassigned AAA Client or AAA Server to an NDG
You use this procedure to assign an unassigned AAA client or AAA server to an NDG. Before you begin this procedure, you should have already configured the client or server and it should appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. To assign a network device to an NDG Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 In the Network Device Groups table, click Not Assigned. Tip If the Network Device Groups table...
Authentication Protocol Database Compatibility
The various password protocols that ACS supports for authentication are supported unevenly by the various databases that ACS supports. For more information about the password protocols that ACS supports, see Passwords, page 1-8. _ Note This release does not support Windows NT. Table 1-2 specifies non-EAP authentication protocol support. Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility H ACS...
AV Pair Dictionary
To use the full range of the Cisco IOS AV-pair dictionary for TACACS+, the AAA client should use IOS version 11.3 or later. Cisco IOS 11.1 and 11.2 have only partial support for TACACS+ AV-pairs. If you specify a given AV pair in ACS, you must also enable the corresponding AV pair in the Cisco IOS software that is running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If ACS sends an AV pair to the AAA client that the Cisco IOS software does not...
Backing Up ACS with CSUtilexe
You can use the -b option to create a system backup of all ACS internal data. The resulting backup file has the same data as the backup files that are produced by the ACS Backup feature found in the web interface. For more information about the ACS Backup feature, see ACS Backup, page 8-7. _ Note During the backup, all services are automatically stopped and restarted. No users are authenticated while the backup is occurring. On the computer that is running ACS, open an MS-DOS command prompt and...
Before Using Radius Attributes
You can enable different attribute-value (AV) pairs for Internet Engineering Task Force (IETF) RADIUS and any supported vendor. For outbound attributes, you can configure the attributes that are sent and their content by using the ACS web interface. The RADIUS attributes that are sent to authentication, authorization, and accounting (AAA) clients in access-accept messages are user specific. To configure a specific attribute to be sent for a user, you must ensure that 1. In the Network...
Benefits of NAC
Dramatically improves any network's security NAC ensures that all endpoints conform to the latest security policy regardless of the size or complexity of the network. With NAC in place, you can focus operations on prevention, rather than on reaction. As a result, you can proactively protect against worms, viruses, spyware, and malicious software before they are introduced into your network. Extends the value of your existing investments Besides being integrated into the Cisco network...
Chapter 10System Configuration Authentication and Certificates 101
About Certification and EAP Protocols 10-1 Digital Certificates 10-1 EAP-TLS Authentication 10-2 About the EAP-TLS Protocol 10-2 EAP-TLS and ACS 10-3 EAP-TLS Limitations 10-4 Enabling EAP-TLS Authentication 10-4 PEAP Authentication 10-5 About the PEAP Protocol 10-5 PEAP and ACS 10-6 PEAP and the Unknown User Policy 10-7 Enabling PEAP Authentication 10-7 EAP-FAST Authentication 10-8 About EAP-FAST 10-8 About Master Keys 10-10 About PACs 10-11 Provisioning Modes 10-12 Types of PACs 10-12 Master...
Chapter 13User Databases 131
About the ACS Internal Database 13-2 User Import and Creation 13-2 About External User Databases 13-3 Authenticating with External User Databases 13-4 External User Database Authentication Process 13-4 Windows User Database Support 13-6 Authentication with Windows User Databases 13-6 Trust Relationships 13-7 Windows Dial-Up Networking Clients 13-7 Windows Dial-Up Networking Clients with a Domain Field 13-7 Windows Dial-Up Networking Clients without a Domain Field 13-7 Usernames and Windows...
Chapter 5Shared Profile Components
802.1X Example Setup 5-2 Network Access Filters 5-2 About Network Access Filters 5-3 Adding a Network Access Filter 5-3 Editing a Network Access Filter 5-5 Deleting a Network Access Filter 5-6 RADIUS Authorization Components 5-6 About RADIUS Authorization Components 5-7 Understanding RACs and Groups 5-7 Migrating Away from Groups to RACs 5-7 Vendors 5-7 Attribute Types 5-8 Before You Begin Using RADIUS Authorization Components 5-8 Enabling Use of RAC 5-9 Adding RADIUS Authorization Components...
Chapter 9System Configuration Advanced
ACS Internal Database Replication 9-1 About ACS Internal Database Replication 9-2 Replication Process 9-3 Replication Frequency 9-5 Important Implementation Considerations 9-5 Database Replication Versus Database Backup 9-6 Database Replication Logging 9-7 Replication Options 9-7 Replication Components Options 9-7 Outbound Replication Options 9-9 Inbound Replication Options 9-10 Implementing Primary and Secondary Replication Setups on ACSs 9-10 Configuring a Secondary ACS 9-11 Replicating...
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL From this site, you can perform these tasks Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL http www.cisco.com go psirt If you prefer to see advisories and notices as they are updated in real time,...
Cisco Technical Support Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL _ Note Use the Cisco Product...
Cloning a Radius Authorization Component
To make a copy of an existing RAC by using the clone feature Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click RADIUS Authorization Components. The RADIUS Authorization Components Table Page appears. Step 3 Select the RAC name of the component that you want to clone. The Edit RADIUS Authorization Component Page appears. Step 4 To clone an existing RAC with all of its attributes, click Clone. A clone named Copy of RACname is...
Configuring a CSV
This procedure describes how to configure the content of a CSV log. For instructions to enable or disable a CSV log, see Enabling or Disabling a CSV Log, page 11-11. The logs to which this procedure applies are You cannot configure the ACS Backup and Restore, RDBMS synchronization, and Database Replication CSV logs. You can configure several aspects of a CSV log, including Log content Select which data attributes are included in the log. Log generation frequency Determine whether a new log is...
Configuring a PIX Command Authorization Set for a User Group
Use this procedure to specify the PIX command-authorization set parameters for a user group. The three options are None No authorization for PIX commands. Assign a PIX Command Authorization Set for any network device One PIX command-authorization set is assigned and it applies all network devices. Assign a PIX Command Authorization Set on a per Network Device Group Basis Particular PIX command-authorization sets are to be effective on particular NDGs. Ensure that you configure a AAA client to...
Configuring a Windows External User Database
For information about the options that are available on the Windows User Database Configuration page, see Windows User Database Configuration Options, page 13-18. To configure ACS to authenticate users against the Windows user database in the trusted domains of your network Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS displays a list of all possible external user database types. If no Windows database configuration exists, the Database...
Configuring an Authorization Rule
Step 1 Choose Network Access Profiles. Step 2 Choose the relevant profile Authorization policy. Step 3 The Authorization Rules for Profile Page appears. Step 4 Click Add Rule. The Authorization Rules for Profile Page appears. Step 5 Select a User Group from the drop-down list. Step 6 Select the System Posture Token Step 7 Select Authentication Actions You may select to deny access or one or both authorization actions to implement when the authorization rules match Deny Access Check this option...
Configuring an ODBC External User Database
Creating an ODBC database configuration provides ACS with information that it uses to pass authentication requests to an ODBC-compliant relational database. This information reflects the way that you have implemented your relational database, and does not dictate how your relational database is configured or functions. For information about your relational database, refer to your relational documentation. Note Before performing this procedure, you should have completed the steps in Preparing to...
Configuring Authorization Policies
Authorization policies comprise rules that are applied to a NAP. Authorization policies are used for authorizing an authenticated user. Authorization rules can be based on group membership, posture validation, or both. Authorization actions are built from the RADIUS Authorization Components and ACLs. Credentials are used in identity and posture authorization. Each application's posture credentials are evaluated separately. Credentials are compared against the posture-validation policies. When...
Configuring Cisco Iospix 60 Radius Settings for a User Group
The Cisco IOS PIX 6.x RADIUS parameters appear only when the following are true. You have configured A AAA client to use RADIUS (Cisco IOS PIX 6.x) in Network Configuration. Group-level RADIUS (Cisco IOS PIX 6.x) attributes in Interface Configuration RADIUS (Cisco IOS PIX 6.x). Cisco IOS PIX 6.x RADIUS represents only the Cisco VSAs. You must configure the IETF RADIUS and Cisco IOS PIX 6.x RADIUS attributes. Note To hide or display Cisco IOS PIX 6.x RADIUS attributes, see Setting Protocol...
Configuring Cisco VPN 5000 Concentrator Radius Settings for a User Group
The Cisco VPN 5000 Concentrator RADIUS attribute configurations appear only when the following are true.You have configured A network device to use RADIUS (Cisco VPN 5000) in Network Configuration. Group-level RADIUS (Cisco VPN 5000) attributes on the RADIUS (Cisco VPN 5000) page of the Interface Configuration section. Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000 Concentrator VSA. You must configure the IETF RADIUS and Cisco VPN 5000 Concentrator RADIUS attributes. Note...
Configuring Custom Radius Vsa Settings for a User Group
User-defined, custom Radius VSA configurations appear only when all the following are true You have defined and configured the custom RADIUS VSAs. (For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 9-19.) You have configured a network device in Network Configuration that uses a RADIUS protocol that supports the custom VSA. You have configured group-level custom RADIUS attributes on the RADIUS (Name) page of the Interface Configuration section. You...
Configuring Device Management Command Authorization for a User
Use this procedure to specify the device-management command-authorization set parameters for a user. Device-management command-authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use ACS for authorization. You can choose None No authorization is performed for commands that are issued in the applicable Cisco device-management application. Group For this user, the group-level command-authorization set applies for the applicable...
Configuring Fail Open
You can configure fail open for errors that can prevent the retrieval of posture token from an upstream NAC server. If fail open is not configured, the user request is rejected. You can select whether to enable fail open for Audit Server for profiles that are associated with an audit server External Posture Validation Server for profiles that are associated with an External Posture Validation Server If you enable fail open, you will need to select the posture token to be granted when an error...
Configuring NAC in ACS
This section provides an overview of the steps to configure posture validation in ACS, with references to more detailed procedures for each step. Note Design your posture policies by using the Posture Validation tab and then assign those policies to profiles by using the Posture Validation link inside the Network Access Profiles tab. Before ACS can perform posture validation, you must complete several configuration steps. An overview of the steps follows. For information on finding detailed...
Configuring Posture Validation Policies
Use the Posture Validation Page to configure and delete posture-validation rules. Posture-validation rules define the way that ACS performs posture validation. Each rule comprises a condition and actions. The condition contains a set of required credential types while the action contains a list of internal posture-validation policies or external posture-validation servers that you can use for posture validation, or both. See Chapter 14, Network Access Control Overview, for more information. ACS...
Configuring Profile Based Policies
Step 1 Identify the network services that you want to control by using ACS (for example, VPN, Dial, WLAN, Step 2 Set up a profile for each network service. Setting up a profile defines how ACS will recognize or identify requests for example, device IP, NDG, NAF, advanced filtering). For more information, see Setting Up a Profile, page 15-3. Step 3 Define the authentication protocols and external databases that are required for the service. For more information, see Configuring Authentication...
Configuring Service Logs
You can configure how ACS generates and manages the service log file. The options for configuring the service log file are Level of detail You can set the service log file to contain one of three levels of detail - None No log file is generated. - Low Only start and stop actions are logged. This is the default setting. - Full All services actions are logged. Generate new file You can control how often a new service log file is created - Every Day ACS generates a new log file at 12 01 A.M. local...
Configuring the Unknown Service Setting for a User
If you want TACACS+ AAA clients to permit unknown services, you can check the Default (Undefined) Services check box. Checking this option will PERMIT all UNKNOWN Services. To configure the Unknown Service setting for a user Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3. The User Setup Edit page opens. The username that you add or edit appears at the top of the page. Step 2 Scroll down to the table under the heading PERMIT all UNKNOWN Services. Step 3 To allow...
Creating an ACS Group Mapping for a Token Server ODBC Database or LEAP Proxy Radius Server Database
To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Group Mappings. Step 3 Click the name of the token server, LEAP Proxy RADIUS Server, or ODBC database configuration for which you want to configure a group mapping. The Define Group Mapping table appears. Step 4 From the Select a default group for database list, click the group to which users who were authenticated with this...
Creating an ACS Group Mapping for Windows or Generic LDAP Groups
To map a Windows or generic LDAP group to an ACS group Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Group Mappings. Step 3 Click the external user database name for which you want to configure a group mapping. If you are mapping a Windows group set, the Domain Configurations table appears. The Group Mappings for database Users table appears. Step 4 If you are mapping a Windows group set for a new domain The Define New Domain Configuration page appears. b....
Creating an ACS Internal Database Dump File
You can use the -d option to dump all contents of the ACS internal database into a password-protected text file. You can provide a name for the file otherwise, it is called dump.txt. The dump file provides a thorough and compressible backup of all ACS internal data. Using the -l option, you can reload the ACS internal data from a dump file created by the -d option. For more information about the -l option, see Loading the ACS Internal Database from a Dump File, page D-7. Note Using the -d...
Creating an Internal Policy
Use internal posture validation to write your own policies for access in your network. After you have created policies, you can then profile rules to use these policies. You can select internal policies for more than one profile. To add the policy to a profile, use the Network Access Profiles page. For descriptions of the options available on the Internal Posture Validation Setup page, see Internal Policy Configuration Options, page 14-10. For details on how to set up your third-party component...
Database Issues
RDBMS Synchronization is not operating properly. Make sure that the correct server appears in the Partners list. Database Replication not operating properly. Make sure you have set the server correctly as Send or Receive. On the sending server, ensure that the receiving server is in the Replication list. On the receiving server, ensure that the sending server is selected in the Accept Replication from list. Also, ensure that the sending server is not in the replication partner list. Make sure...
Database Search Order
You can configure the order in which ACS checks the selected databases when ACS attempts unknown authentication. The Unknown User Policy supports unknown user authentication. It will 1. Find the next user database in the Selected Databases list that supports the authentication protocol of the request. If the list contains no user databases that support the authentication protocol of the request, stop unknown user authentication and deny network access to the user. 2. Send the authentication...
Decoding Error Numbers
You can use the -e option to decode error numbers in ACS service logs. These error codes are internal to ACS. For example, the CSRadius log could contain a message similar to csRadius Logs RDs.iog RDs 05 22 2001 10 09 02 E 2152 4756 Error -1087 authenticating geddy - no NAs response sent In this example, the error code number that you could use csutii.exe to decode is -1087 c Program Fiies ciscosecure Acs vX.XXutiis csutii.exe -e -1087 csutii v3.0(1.14), copyright 1997-2001, cisco systems Inc...
Deleting a Command Authorization
To delete a command-authorization set Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page lists the command-authorization set types available. Step 2 Click a command-authorization set type, as applicable. The selected Command Authorization Sets table appears. Step 3 From the Name column, click the name of the command set that you want to delete. Information for the selected set appears on the applicable Command Authorization Set page. A dialog box...
Deleting a Condition Component or Condition
A condition component is the list of elements that a condition set comprises. To delete a condition component from a condition set or an entire condition set Step 1 If you have not already done so, access the Internal Policy Validation Setup page. To Access the Internal Policy Validation Setup page a. In the navigation bar, click Posture Validation. b. Click Internal Posture Validation Setup. ACS displays a list of posture validation policies. Step 2 Select a policy name from the list of...
Deleting a Downloadable IP ACL
You should remove the association of a IP ACL with any user, user group profile, or network access profile before deleting the IP ACL. Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click Downloadable IP ACLs. Step 3 Click the name of the downloadable IP ACL that you want to delete. The Downloadable IP ACLs page appears and displays information for the selected IP ACL. Step 4 At the bottom of the page, click Delete. A dialog box...
Deleting a Network Device Group
When you delete an NDG, all AAA clients and AAA servers that belong to the deleted group appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. It might be useful to empty an NDG of AAA clients and AAA servers before you delete it. You can do this manually by performing the procedure Reassigning AAA Clients or AAA Servers to an NDG, page 4-21 or, in cases where you have a large number of devices to reassign, use the RDBMS Synchronization feature. Caution When deleting an NDG,...
Deleting a Radius Authorization Component
You should remove the association of an RAC with any network access profile before deleting the RAC. To delete an RAC Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click RADIUS Authorization Components. The RADIUS Authorization Components Table Page appears. Step 3 Select the RAC name of the component that you want to delete. The Edit RADIUS Authorization Component Page appears. Step 4 Click Delete to remove the RADIUS...
Dialin Connection Issues
A dial-in user cannot connect to the AAA client. No record of the attempt appears in the TACACS+ or RADIUS Accounting Report (in the Reports & Activity section, click TACACS+ Accounting or RADIUS Accounting or Failed Attempts). Examine the ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error. Confirm that The dial-in user was able to establish a connection and ping the computer before ACS was installed. If the dial-in user could not, the problem is...
Digital Certificates
You use the ACS Certificate Setup pages to install digital certificates to support EAP-TLS, EAP-FAST, and PEAP authentication, as well as to support Secure HyperText Transfer Protocol (HTTPS) protocol for secure access to the ACS web interface. ACS uses the X.509 v3 digital certificate standard. Certificate files must be in Base64-encoded X.509 format or Distinguished Encoding Rules (DER)-encoded binary X.509 format. Also, ACS supports manual certificate enrollment and provides the means for...
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can send comments about Cisco documentation to bug-doc cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address Attn Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
Downloadable ACLs
Downloadable per-user ACL support is available for Layer 3 network devices that support downloadable ACLs. These includes Cisco PIX security appliances, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that you can apply per user or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with NAFs, you can apply downloadable ACLs can differently per device, allowing you to tailor ACLs uniquely per...
Dynamic Administration Reports
These reports show the status of user accounts when you access them in the ACS web interface. They are available only in the web interface, are always enabled, and require no configuration. Table 11-3 contains descriptions of all dynamic administration reports and information about what you can do regarding dynamic administration reports. Table 11-3 Dynamic Administration Report Descriptions and Related Topics Table 11-3 Dynamic Administration Report Descriptions and Related Topics Lists all...
Eaptls Procedure Output
The stored procedure must return a single row that contains the nonnull fields. Table 13-4 lists the procedure results that ACS expects as output from stored procedure. Table 13-6 EAP-TLS Stored Procedure Results Table 13-6 EAP-TLS Stored Procedure Results The ACS group number for authorization. You use 0xFFFFFFFF to assign the default value. Values other than 0-499 are converted to the default. Note The group that is specified in the CSNTgroup field overrides group mapping that is configured...
Editing a Downloadable IP ACL
You should have already configured any NAFs that you intend to use in your editing of the downloadable IP ACL. Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click Downloadable IP ACLs. The Downloadable IP ACLs table appears. Step 3 In the Name column, click the IP ACL that you want to edit. The Downloadable IP ACLs page appears and displays with information for the selected ACL. Step 4 Edit the Name or Description information,...
Editing a Network Access Filter
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click Network Access Filtering. The Network Access Filtering table appears. Step 3 In the Name column, click the NAF that you want to edit. The Network Access Filter page appears with information visible for the selected NAF. Step 4 Edit the Name or Description of the NAF type and delete information, as applicable. The description can be up to 30,000 characters. Caution If you...
Editing a Policy
You can only edit a policy by accessing it through the Posture Validation pages. To edit a policy or posture validation rule Step 1 In the navigation bar, click Posture Validation. Step 2 Click Internal Posture Validation Setup. Step 3 Click on the policy name of the rule that you want to edit. The applicable policy rules page appears. Step 4 To edit a policy a. Click Add Rule to add more condition sets. To change a condition set that you have already added iii. Update its attribute, entity,...
Editing a Radius Authorization Component
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears. Step 2 Click RADIUS Authorization Components. The RADIUS Authorization Components Table Page appears. Step 3 Select the RAC name of the component that you want to edit. The Edit RADIUS Authorization Component Page appears. Step 4 To add a new attribute, select the correct vendor attribute by using the drop-down list and click the adjacent Add button. Step 5 To alter an existing attribute,...
Editing an Administrator Account
You can edit a ACS administrator account to change the privileges granted to the administrator. You can effectively disable an administrator account by revoking all privileges. _ Note You cannot change the name of an administrator account however, you can delete an administrator account and then create an account with the new name. For information about deleting an administrator account, see Deleting an Administrator Account, page 12-7. For information about creating an administrator account,...
Enabling PEAP Authentication
This procedure provides an overview of the detailed procedures that are required to configure ACS to support PEAP authentication. Note You must configure end-user client computers to support PEAP. This procedure is specific to configuration of ACS only. Step 1 Install a server certificate in ACS. PEAP requires a server certificate. For detailed steps, see Installing an ACS Server Certificate, page 10-25. Note If you have previously installed a certificate to support EAP-TLS or PEAP user...
Exporting Posture Validation Attribute Definitions
The -dumpAVP option exports the current posture-validation attributes to an attribute definition file. For an explanation of the contents of a posture-validation attribute definition file, see Posture-Validation Attribute Definition File, page D-28. For an example of an attribute-definition file, see Default Posture-Validation Attribute Definition File, page D-35. To export posture-validation attributes Step 1 On the computer that is running ACS, open an MS-DOS command prompt and change...
Exporting User List to a Text File
You can use the -u option to export a list of all users in the ACS internal database to a text file named users.txt. The users.txt file organizes users by group. Within each group, users are listed in the order that their user accounts were created in the ACS internal database. For example, if accounts were created for Pat, Dana, and Lloyd, in that order, users.txt lists them in that order as well rather than alphabetically. Note Using the -u option requires that you stop the CSAuth service....
External Audit Server Configuration Options
Table 14-3 describes the external audit server settings. Table 14-3 External Audit Server Options Table 14-3 External Audit Server Options Audit all hosts that do not contain a posture agent. Audit only the hosts for which you have provided host IP addresses and ranges (IP Mask) or MAC addresses. Exclude the hosts for which you have provided host IP addresses and ranges (IP Mask) or MAC addresses and audit all other hosts. Select a token for the hosts that will not be audited Select a token...
External Policy Configuration Options
On the External Posture Validation Setup page you can specify a NAC server (and an optional second NAC server) that ACS relies upon to apply the policy and configure the set of credential types that ACS forwards. The options for configuring an external policy are as follows Name Specifies the name by which to identify the policy. Note The name can contain up to 32 characters. Leading and trailing spaces are not allowed. Names cannot contain the left bracket ( ), the right bracket ( ), the comma...
External User Database Authentication Process
When ACS attempts user authentication with an external user database, it forwards the user credentials to the external user database. The external user database passes or fails the authentication request from ACS. On receiving the response from the external user database, ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the external user database. Figure 13-1 shows a AAA configuration with an external user database. The specifics of the...
Generating PAC Files
Note If you use the -a or -g option during PAC file generation, csutii. exe restarts the CSAuth service. No users are authenticated while CSAuth is unavailable. For more information about PACs, see About PACs, page 10-11. To generate PAC files Step 1 Use the discussion in PAC File Options and Examples, page D-25, to determine the following Which users for whom you want to generate PAC files. If you want to use a list of users, create it now. What password to use to protect the PAC files that...
Group Disablement
You perform this procedure to disable a user group and, therefore, to prevent any member of the disabled group from authenticating. Note Group Disablement is the only setting in ACS where the setting at the group level may override the setting at the user level. If group disablement is set, all users within the disabled group are denied authentication, regardless of whether the user account is disabled. However, if a user account is disabled, it remains disabled regardless of the status of the...
Group Mapping by External User Database
You can map an external database to a ACS group. Unknown users who authenticate by using the specified database automatically belong to, and inherit the authorizations of, the group. For example, you could configure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters. You could then assign a group setup that is appropriate for users who are working away from home, such as Maxsessions i. Or, you could configure restricted...
Group Mapping Order
ACS always maps users to a single ACS group yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned. ACS prevents conflicting group set mappings by assigning a mapping order to the group set...
Group Radius Settings
ACS contains a full range of settings for RADIUS at the group level. If a AAA client has been configured to use RADIUS as the security control protocol, you can configure standard services, including Internet Engineering Task Force (IETF), Microsoft, and Ascend, to apply to the authorization of each user who belongs to a particular group. You can also configure RADIUS settings at the user level. User-level settings always override group-level settings. You can also use ACS to enter and...
Groups to RACs
To set up a plan to migrate from groups to RACs Define the appropriate network access policies and define rules. Create a matrix that shows the level of authorization for each user group and posture. Group all the similar cases and create RACs for them. Remove any previously defined attributes from the users groups if desired. You can use group attributes (if the authorization policy check box is selected) so that you can apply profile-independent attributes to all users of the group without...
Group Specific Attributes
Table F-9 lists the attributes that define an ACS group, including their data types, limits, and default values. It also provides the action code that you can use in your accountActions table to affect each field. For more information about action codes, see Action Codes, page F-3. Table F-9 Group-Specific Attributes Table F-9 Group-Specific Attributes Table F-9 Group-Specific Attributes (continued) Table F-9 Group-Specific Attributes (continued)
HostAAA clientuser deniiy
ACS is a critical component of the Cisco Network Admission Control (NAC) framework. Cisco NAC is a Cisco Systems-sponsored industry initiative that uses the network infrastructure to enforce security-policy compliance on all machines seeking to access network computing resources, thereby limiting damage from viruses and worms. With NAC, network access to compliant and trusted PCs can be permitted, while the access of noncompliant devices can be restricted. See Figure 1-2. ACS is also an...
IETF Dictionary of Radius Ietf Av Pairs
Table C-7 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified. Table C-7 RADIUS (IETF) Attributes Name of the user being authenticated. User password or input following an access challenge. Passwords longer than 16 characters are encrypted by using IETF Draft 2 or later specifications. PPP (Point-to-Point Protocol) Challenge Handshake Authentication Protocol (CHAP) response to an Access-Challenge. IP address of the AAA...
Implementing Centralized Remote Logging
Ensure that gateway devices between remote ACSs and the central logging ACS permit the central logging ACS to receive data on TCP port 2001. To implement centralized remote logging Step 1 On a computer on which you will to store centralized logging data, install ACS. For information about installing ACS, see the Installation Guide for Cisco Secure ACS for Windows. Step 2 In the ACS that is running on the central logging server a. Configure the accounting logs as needed. All accounting data that...
Implementing Primary and Secondary Replication Setups on ACSs
If you implement a replication scheme that uses cascading replication, the ACS configured to replicate only when it has received replicated components from another ACS acts as a primary ACS and as a secondary ACS. First, it acts as a secondary ACS while it receives replicated components, and then it acts as a primary ACS while it replicates components to other ACSs. For an illustration of cascade replication, see Figure 9-1. To implement primary and secondary replication setups on ACSs a. In...
Import Vendor Attribute Value Pairs AVPs
ACS does not include any non-Cisco attributes by default. Therefore, you must import a NAC Attribute Definition File (ADF) from each vendor application that you would like to validate in your NAC posture-validation policies. The attributes that are added can be used to create conditions for internal policies. NAC introduces the ability to authorize network hosts not only based upon user or machine identity but also upon a host's posture validation. The posture validation is determined by...
