A
Caution ACS 4.0 introduces the concept of Network Access Profiles (NAPs) that affects how group authorization is performed. If you are not using NAPs, ACS functions similar to previous versions. If you do plan to use NAPs, you must understand how Remote Access Dial-in User Service (RADIUS) authorization can be split between group, user, and NAP (via RACs). This chapter contains the following topics About User Group Setup Features and Functions, page 6-2 Basic User Group Settings, page 6-3...
A Default Authorization Rule
You can set a default authorization rule if a condition is not defined or no matched condition is found. You can deny or grant access based on Shared RACs and DACLs selections. To configure a default authorization rule Choose the relevant profile Authorization policy. The Authorization Rules for Profile Page appears. Click Add Rule. The Authorization Rules for Profile Page appears. Select Authentication Action for the line that contains the text If a condition is not defined or there is no...
Nch
AAA 1-1 See also AAA clients See also AAA servers pools for IP address assignment 7-7 AAA clients 1-1 adding and configuring 4-11 configuring 4-7 deleting 4-14 editing 4-13 IP pools 7-7 multiple IP addresses for 4-8 number of 1-20 searching for 4-6 table 4-1 TACACS+ and RADIUS 1-3 AAA servers 1-3 adding 4-16 configuring 4-15 deleting 4-19 editing 4-18 enabling in interface (table) 3-6 functions and concepts 1-2 in distributed systems 4-2 master 9-2 overview 4-15 primary 9-2 replicating 9-2...
AAA Client Configuration
This guide uses the term AAA client comprehensively to signify the device through which or to which service access is attempted. This is the RADIUS or TACACS+ client device, and may comprise Network Access Servers (NASs), PIX Firewalls, routers, or any other RADIUS or TACACS+ hardware or software client. This section contains the following topics AAA Client Configuration Options, page 4-8 Adding AAA Clients, page 4-11 Editing AAA Clients, page 4-13 Deleting AAA Clients, page 4-14
AAA Server Configuration
This section presents procedures for configuring AAA servers in the ACS web interface. For additional information about AAA servers, see AAA Servers in Distributed Systems, page 4-2. To configure distributed system features for a given ACS, you must first define the other AAA server(s). For example, all ACSs that are involved in replication, remote logging, authentication proxying, and RDBMS synchronization must have AAA server configurations for each other otherwise, incoming communication...
AAA Server Configuration Options
AAA server configurations enable ACS to interact with the AAA server that the configuration represents. AAA servers that do not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, does not receive AAA services from ACS, such as proxied authentication requests, database replication communication, remote logging, and RDBMS synchronization. Also, several distributed systems features require that the other ACSs included in the distributed system be represented in...
About ACS Backup
Chapter 8 System Configuration Basic For information about using a backup file to restore ACS, see ACS System Restore, page 8-11. The backup and restore features between different ACS versions are not supported. The default directory for backup files is where drive is the local drive where you installed ACS and path is the path from the root of drive to the ACS directory. For example, if you installed ACS version 4.0 in the default location, the default backup c Program Files CiscoSecure ACS...
About ACS Internal Database Replication
Database replication creates mirror systems of ACSs by duplicating parts of the primary ACS setup to one or more secondary ACSs. You can configure your AAA clients to use these secondary ACSs if the primary ACS fails or is unreachable. With a secondary ACS whose ACS internal database is a replica of the ACS internal database on the primary ACS, if the primary ACS goes out of service, incoming requests are authenticated without network downtime, provided that your AAA clients are configured to...
About ACS Logs and Reports
ACS provides logs that can be divided into four types Dynamic ACS administration reports This section contains information about the items from the previous list. For information about service logs, see Service Logs, page 11-23. This section contains the following topics Dynamic Administration Reports, page 11-6 Note All reports open instantly when selected, except for the Logged-In Users report, which might take up to 20 seconds to open. Specific user information might take up to several...
About ACS System Restore
You use the ACS System Restore feature to restore your user and group databases, and your ACS system configuration information from backup files that the ACS Backup feature generates. This feature helps you to minimize downtime if ACS system information becomes corrupted or is misconfigured. The ACS System Restore feature only works with backup files that ACS generates when running an identical ACS version and patch level. If you restore onto a physically different server, it must have the same...
About Administrator Accounts
Administrators are the only users of the ACS web interface. To access the ACS web interface from a browser run elsewhere than on the ACS Windows server itself, you must log in to ACS by using an administrator account. If your ACS is so configured, you may need to log in to ACS even in a browser run on the ACS Windows server. For more information about automatic local logins, see Session Policy, page 12-11. Note ACS administrator accounts are unique to ACS. They are not related to other...
About Certificate Revocation Lists
When a digital certificate is issued, you generally expect it to remain valid throughout its predetermined period of validity. However, various circumstances may call for invalidating the certificate earlier than expected. Such circumstances might include compromise or suspected compromise of the corresponding private key, or a change in the CAs issuance program. Under such circumstances, a CRL provides the mechanism by which the CA revokes the legitimacy of a certificate and calls for its...
About Certification and EAP Protocols
ACS uses Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Extensible Authentication Protocol-Flexible Authentication via Secure Tunnelling (EAP-FAST), and Protected Extensible Authentication Protocol (PEAP) authentication protocols in combination with digital certification to ensure the protection and validity of authentication information. Digital certification, EAP-TLS, PEAP, EAP-FAST, and machine authentication are described in the topics that follow. This section...
About Command Authorization Sets
This section contains the following topics Command Authorization Sets Description, page 5-24 Command Authorization Sets Assignment, page 5-26 Case Sensitivity and Command Authorization, page 5-26 Arguments and Command Authorization, page 5-27 About Pattern Matching, page 5-27 Command Authorization Sets Description Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the...
About CSDBSync
The CSDBSync service uses an ODBC system data source name (DSN) to access the accountActions table. See Figure 9-2. This service looks specifically for a table named accountActions. Synchronization events fail if CSDBSync cannot access the accountActions table. CSDBSync reads each record from the accountActions table and updates the ACS internal database as specified by the action code in the record. For example, a record could instruct CSDBSync to add a user or change a user password. In a...
About Eapfast
The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on strong secrets that are unique to users. These secrets are called Protected Access Credentials (PACs), which ACS generates by using a master key known only to ACS. Because handshakes based on shared secrets are...
About External Audit Servers
Audit servers are Cisco and third-party servers that determine posture information about a host without relying on the presence of a Posture Agent (PA). The Cisco PA is also known as the Cisco Trust Agent (CTA). Audit servers are used to assess posture validation with an organization's security policy. You can also define a secondary external audit server. The presence of a secondary audit server allows the second or failover server to evaluate any policies from the primary server when the...
About External Policies
External policies are policies that are defined by an external NAC server, usually from an anti-virus vendor and a set of credential types to be forwarded to the external database. You also have the option of defining a secondary external NAC server. The presence of a secondary server allows The secondary or failover to evaluate any policies from the primary server. ACS does not determine the result of applying an external policy instead, it forwards the selected credentials to the external NAC...
About External User Databases
You can configure ACS to forward authentication of users to one or more external user databases. Support for external user databases means that ACS does not require that you create duplicate user entries in the user database. In organizations in which a substantial user database already exists, ACS can leverage the work already invested in building the database without any additional input. In addition to performing authentication for network access, ACS can perform authentication for TACACS+...
About Internal Policies
Internal policies comprise one or more rules that you define in ACS. When ACS applies an internal policy, it uses the policy rules to evaluate credentials that are received with the posture validation request. Each rule is associated with an APT, a credential type, and an action. The credential type determines which NAC-compliant application with which the APT and action are associated. ACS applies each rule in the order they appear on the Posture Validation Policies page (from top to bottom),...
About IP Pools Server
If you are using VPNs you may have to overlap IP address assignments that is, it may be advantageous for a PPTP tunnel client within a given tunnel to use the same IP address that another PPTP tunnel client in a different tunnel is using. You can use the IP Pools Server feature to assign the same IP address to multiple users, provided that the users are being tunnelled to different home gateways for routing beyond the boundaries of your own network. You can, therefore, conserve your IP address...
About Master Keys
EAP-FAST master keys are strong secrets that ACS automatically generates and of which only ACS is aware. Master keys are never sent to an end-user client. EAP-FAST requires master keys for two purposes PAC generation ACS generates PACs by using the active master key. For details about PACs, see About PACs, page 10-11. EAP-FAST phase one ACS determines whether the PAC that the end-user client presents was generated by one of the master keys it is aware of the active master key or a retired...
About Network Configuration
The appearance of the page that you see when you click Network Configuration differs according to the network-configuration selections that you made in the Interface Configuration section. The four tables that might appear in this section are AAA Clients This table lists each AAA client that is configured on the network, together with its IP address and associated protocol. If you are using Network Device Groups (NDGs), this table does not appear on the initial page, but is accessed through the...
About PACs
PACs are strong shared secrets that enable ACS and an EAP-FAST end-user client to authenticate each other and establish a TLS tunnel for use in EAP-FAST phase two. ACS generates PACs by using the active master key and a username. PAC-Key Shared secret bound to a client (and client device) and server identity. PAC Opaque Opaque field that the client caches and passes to the server. The server recovers the PAC-Key and the client identity to mutually authenticate with the client. PAC-Info At a...
About Posture Credentials and Attributes
For posture validation, credentials are the sets of attributes sent from the endpoint to ACS. Also known as inbound attributes, these attributes contain data that is used during posture validation to determine the posture of the computer. ACS considers attributes from each NAC-compliant application and from CTA to be different types of credentials. With policies that ACS creates for validation, the rules that you create use the content of inbound attributes to determine the APT returned by...
About Radius Authorization Components
Shared Radius Authorization Components (RACs) contain groups of RADIUS attributes that you can dynamically assign to user sessions based on a policy. Using the Network Access Profile configuration, you can map a policy type with set conditions, such as Network Device Groups and posture, to a shared RAC. In ACS, RACs contain attributes that can be specific to a single network service (also referred to as a network-access policy). The access policy can map from various groups and postures to a...
About Radiusenabled Token Servers
ACS supports token servers by using the RADIUS server that is built into the token server. Rather than using a vendor-proprietary API, ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers. For information about configuring ACS to authenticate users with one of these token servers, see Configuring a RADIUS...
About Rdbms Synchronization
The RDBMS Synchronization feature enables you to update the ACS internal database with information from an ODBC-compliant data source. The ODBC-compliant data source can be the RDBMS database of a third-party application. It can also be an intermediate file or database that a third-party system updates. Regardless of where the file or database resides, ACS reads the file or database via the ODBC connection. You can also regard RDBMS Synchronization as an API much of what you can configure for a...
About Remote Logging
You can use the Remote Logging feature to centralize accounting logs that multiple ACSs generate. You can configure each ACS to point to one ACS to use as a central logging server. The central logging ACS still performs AAA functions, but it also is the repository for accounting logs that it receives. For more information about ACS accounting logs, see Accounting Logs, page 11-4. The Remote Logging feature enables ACS to send accounting data received from AAA clients directly to the CSLog...
About Rules Rule Elements and Attributes
A rule is a set of one or more rule elements. A rule element is a logical statement which comprises A posture validation attribute An operator or posture token A value or notification string ACS uses the operator to compare the contents of an attribute to the value. Each rule element of a rule must be true for the whole rule to be true. In other words, all rule elements of a rule are joined with a Boolean AND. For detailed descriptions of rules, see Setting Up a Profile, page 15-3.
About Self Signed Certificates
ACS supports TLS SSL-related protocols, including PEAP, EAP-FAST, and HTTPS, that require the use of digital certificates. Employing self-signed certificates is a way for administrators to meet this requirement without having to interact with a CA to obtain and install the certificate for the ACS. The administrator uses the self-signed certificate feature in ACS to generate the self-signed digital certificate, and use it for the PEAP and EAP-FAST authentication protocols or for HTTPS support in...
About Shared Profile Components
You use the Shared Profile Components section to develop and name reusable, shared sets of authorization components that may be applied to one or more users or groups of users, and referenced by name within their profiles. These include network-access filters (NAFs),.RADIUS Authorization Components (RACs), downloadable IP access control lists (IP ACLs), Network Access Restrictions (NARs), and command-authorization sets. The Shared Profile Components section addresses the scalability of...
About the accountActions Table
The accountActions table contains a set of rows that define actions CSDBSync is to perform in the ACS internal database. Each row in the accountActions table holds user, user group, or AAA client information. Each row also contains an action field and several other fields. These fields provide CSDBSync with the information it needs to update the ACS internal database. For full details of the accountActions table format and available actions, see Appendix F, RDBMS Synchronization Import...
About the ACS Internal Database
For users who are authenticated by using the ACS internal database, ACS stores user passwords in a database which is protected by an administration password and encrypted by using the AES 128 algorithm. For users who are authenticated with external user databases, ACS does not store passwords in the ACS internal database. Unless you have configured ACS to authenticate users with an external user database, ACS uses usernames and passwords in the ACS internal database during authentication. For...
About Token Servers and ACS
ACS provides ASCII, PAP, and PEAP (EAP-GTC) authentication by using token servers. Other authentication protocols are not supported with token server databases. _ Note Authentication protocols that are not supported with token server databases might be supported by another type of external user database. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7. Requests from the AAA client...
About Unknown User Authentication
The Unknown User Policy is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. If a username does not exist in the ACS internal database, ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate. The external database must support the authentication protocol used in the authentication request. The Unknown User Policy enables ACS to use a variety of...
About User Group Mapping and Specification
You can use the Database Group Mapping feature in the External User Databases section to associate unknown users with an ACS group for the purpose of assigning authorization profiles. For external user databases from which ACS can derive group information, you can associate the group memberships, which are defined for the users in the external user database, to specific ACS groups. For Windows user databases, group mapping is further specified by domain because each domain maintains its own...
About User Setup Features and Functions
The User Setup section of the ACS web interface is the centralized location for all operations regarding user account configuration and administration. From within the User Setup section, you can View a list of all users in the ACS internal database. Assign the user to a group, including Voice-over-IP (VoIP) groups. Edit user account information. Establish or change user authentication type. Configure callback information for the user. Set network-access restrictions (NARs) for the user. Set...
About User Defined Radius Vendors and VSA Sets
In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), ACS supports RADIUS vendors and VSAs that you define. We recommend that you use RDBMS Synchronization to add and configure custom RADIUS vendors however, you can use csutii.exe to accomplish the same custom RADIUS vendor and VSA configurations that you can accomplish by using RDBMS Synchronization. Custom RADIUS vendor and VSA configurations that you create by using RDBMS Synchronization or...
Access Policy Options
You can configure the following options on the Access Policy Setup page IP Address Filtering Contains the following IP address filtering options - Allow all IP addresses to connect Allow access to the web interface from any IP address. - Allow only listed IP addresses to connect Allow access to the web interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table. - Reject connections from listed IP addresses Allow access to the web interface only from IP...
Accessing the Web Interface
Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, ACS requires a valid administrator name and password for administrative sessions accessed from a browser on the computer running ACS. Determine whether a supported web browser is installed on the computer you...
AccountActions Format
Each row in accountActions has 14 fields (or columns). Table F-1 lists the fields that compose accountActions. Table F-1 also reflects the order in which the fields appear in accountActions. The one-letter or two-letter abbreviations given in the Mnemonic column are a shorthand notation used to indicate required fields for each action code in Action Codes, page F-3. To see an example accountActions, see An Example of accountActions, page F-25. Table F-1 accountActions Fields Table F-1...
AccountActions Mandatory Fields
For all actions, the following fields cannot be empty and must have a valid value In addition to the previous required fields, the DateTime, UserName and GroupName fields are also often required to have a valid value If a transaction is acting upon a user account, a valid value is required in the UserName field. If a transaction is acting upon a group, a valid value is required in the GroupName field. If a transaction is acting upon a AAA client configuration, neither the UserName field nor the...
AccountActions Processing Order
ACS reads rows from accountActions and processes them in a specific order. ACS determines the order first by the values in the Priority fields (mnemonic P) and then by the values in the Sequence ID fields (mnemonic SI). ACS processes the rows with the highest Priority field. The lower the number in the Priority field, the higher the priority. For example, if row A has the value 1 in its Priority field and row B has the value 2 in its Priority field, ACS would process row A first, regardless of...
Accounting
AAA clients use the accounting functions that the RADIUS and TACACS+ protocols provide to communicate relevant data for each user session to the AAA server for recording. ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending on your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. You can also use a third-party reporting tool to manage accounting...
Accounting Logs
Accounting logs contain information about the use of remote access services by users. By default, these logs are available in CSV format, with the exception of the Passed Authentications log. You can also configure ACS to export the data for these logs to an ODBC-compliant relational database that you configure to store the log data. Table 11-1 describes all accounting logs. In the web interface, all accounting logs can be enabled, configured, and viewed. Table 11-2 contains information about...
ACS and AV Pairs
When you enable NAC Layer 2 IP validation, ACS provides NAC AAA services by using RADIUS. ACS gets information about the antivirus credentials of the endpoint system and validates the antivirus condition of the endpoint. You can set these Attribute-Value (AV) pairs on ACS by using the RADIUS cisco-av-pair vendor-specific attributes (VSAs). Cisco Secure-Defined-ACL Specifies the names of the downloadable ACLs on the ACS. The switch gets the ACL name through the Cisco Secure-Defined-ACL AV pair...
ACS Authentication Process with a Generic LDAP User Database
ACS forwards the username and password to an LDAP database by using a Transmission Control Protocol (TCP) connection on a port that you specify. The LDAP database passes or fails the authentication request from ACS. When receiving the response from the LDAP database, ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the LDAP server. ACS grants authorization based on the ACS group to which the user is assigned. While the group to which a...
ACS Authentication Process with an ODBC External User Database
ACS forwards user authentication requests to an ODBC database when the user Account in the ACS internal database lists an ODBC database configuration as the authentication method. Is unknown to the ACS internal database, and the Unknown User Policy dictates that an ODBC database is the next external user database to try. In either case, ACS forwards user credentials to the ODBC database via an ODBC connection. The relational database must have a stored procedure that queries the appropriate...
ACS Certificate Setup
This section contains the following topics Installing an ACS Server Certificate, page 10-25 Adding a Certificate Authority Certificate, page 10-27 Editing the Certificate Trust List, page 10-27 Managing Certificate Revocation Lists, page 10-28 Generating a Certificate Signing Request, page 10-31 Using Self-Signed Certificates, page 10-32 Updating or Replacing an ACS Certificate, page 10-35
ACS Database Recovery Using the accountActions Table
Because the RDBMS Synchronization feature deletes each record in the accountActions table after processing the record, the accountActions table can be considered a transaction queue. The RDBMS Synchronization feature does not maintain a transaction log audit trail. If a log is required, the external system that adds records to the accountActions table must create it. Unless the external system can recreate the entire transaction history in the accountActions table, we recommend that you...
ACS Features Functions and Concepts
ACS incorporates many technologies to render AAA services to network-access devices, and provides a central access-control function. This section contains the following topics ACS as the AAA Server, page 1-3 AAA Protocols TACACS+ and RADIUS, page 1-3 Additional Features in ACS Version 4.0, page 1-4 From the perspective of the NAD, ACS functions as the AAA server. You must configure the device, which functions as a AAA client from the ACS perspective, to direct all end-user host access requests...
ACS Internal Database Replication
This section provides information about the ACS internal database replication feature, including procedures for implementing this feature and configuring the ACSs involved. _ Note ACS does not support distributed deployments in a NAT environment. If a Primary or Secondary address is NATed, the database replication file will indicate shared secret mismatch. This section contains the following topics About ACS Internal Database Replication, page 9-2 - Replication Process, page 9-3 - Replication...
ACS Specifications
Note For the hardware, operating system, third-party software, and network requirements, see the Installation Guide for Cisco Secure ACS for Windows at This section contains the following topics System Performance Specifications, page 1-19 ACS Windows Services, page 1-20
ACS System Logs
System logs are logs about the ACS system and therefore record system-related events. These logs are useful for troubleshooting or audits. They are always enabled and are only available in CSV format. Some system logs can be configured. For information about each system log, including which system logs are configurable, see Table 11-4. For instructions on viewing a CSV report in the web interface, see Viewing a CSV Report, page 11-12. Table 11-4 Accounting Log Descriptions and Related Topics...
ACS System Restore
This section provides information about the ACS System Restore feature, including procedures for restoring your ACS from a backup file. Caution As with previous versions of ACS, you must not perform backups, restores, or replication between different versions of ACS. This section contains the following topics About ACS System Restore, page 8-11 Backup Filenames and Locations, page 8-11 Components Restored, page 8-12 Reports of ACS Restorations, page 8-12 Restoring ACS from a Backup File, page...
ACS Windows Services
ACS operates as a set of Microsoft Windows services. When you install ACS, the installation adds these Windows services to the server. These services provide the core of ACS functionality. The ACS services on the computer running ACS include CSAdmin Provides the web interface for administration of ACS. CSAuth Provides authentication services. CSDBSync Provides synchronization of the ACS internal database with an external RDBMS application. CSLog Provides logging services, for accounting and...
Action Codes for Initializing and Modifying Access Filters
Table F-4 lists the action codes for initializing and modifying AAA client access filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users. Transactions using these codes affect the configuration that appears in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section, see Chapter 6, User...
Action Codes for Modifying Network Configuration
Table F-6 lists the action codes for adding AAA clients, AAA servers, network device groups, and proxy table entries. Transactions using these codes affect the configuration that appears in the Network Configuration section of the web interface. For more information about the Network Configuration section, see Chapter 4, Network Configuration. Table F-6 Action Codes for Modifying Network Configuration Table F-6 Action Codes for Modifying Network Configuration Adds a new AAA client (named in VN)...
Action Codes for Modifying Tacacs and Radius Group and User Settings
Table F-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for ACS groups and users. In the event that ACS has conflicting user and group settings, user settings always override group settings. Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the web interface. For more information about the User Setup section, see Chapter 7, User Management. For more information about the Group Setup section,...
Added Authentication Latency
Adding external user databases against which to authenticate unknown users can significantly increase the time needed for each individual authentication. At best, the time needed for each authentication is the time taken by the external user database to authenticate, plus some time for ACS processing. In some circumstances (for example, when using a Windows user database), the extra latency introduced by an external user database can be as much as tens of seconds. If you have configured the...
Adding a Command Authorization
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page lists the command-authorization set types that are available. These always include Shell Command Authorization Sets and may include others, such as command-authorization set types that support Cisco device-management applications. Step 2 Click one of the listed command-authorization set types, as applicable. The selected Command Authorization Sets table appears. The applicable Command Authorization...
Adding a Network Device Group
You can assign users or groups of users to NDGs. For more information, see Setting TACACS+ Enable Password Options for a User, page 7-23 Setting Enable Privilege Options for a User Group, page 6-13 To add an NDG Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Under the Network Device Groups table, click Add Entry. Tip If the Network Device Groups table does not appear, choose Interface Configuration > Advanced Options. Then, choose...
Adding a New IP Pool
You can define up to 999 IP address pools. To add an IP pool Step 1 In the navigation bar, click System Configuration. The AAA Server IP Pools table lists any IP pools that you have already configured, their address ranges, and the percentage of pooled addresses in use. Step 4 In the Name box, type the name (up to 31 characters) to assign to the new IP pool. Step 5 In the Start Address box, type the lowest IP address (up to 15 characters) of the range of addresses for the new pool. Note All...
Adding a New Proxy Distribution Table Entry
To create a Proxy Distribution Table entry Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Under the Proxy Distribution Table, click Add Entry. Note If the Proxy Distribution Table does not appear, choose Interface Configuration > Advanced Options. Then, select the Distributed System Settings check box. Step 3 In the Character String box, type the string of characters, including the delimiter to forward on when users dial in to be...
Adding a Profile
On the Profile Setup page, you can configure Activation flag (determines whether this profile is active or inactive) The Network Access Profiles Page page is initially empty. Once populated, you must set the list of profiles into an order with a priority sequence from top to bottom. Use the Profile Setup Page to configure the profile name, description, add the classification, and all other parameters that are required to set up the profile. Step 1 In the navigation bar, click Network Access...
Adding a Shared NAR
You can create a shared NAR that contains many access restrictions. Although the ACS web interface does not enforce limits to the number of access restrictions in a shared NAR or to the length of each access restriction, you must adhere to the following limits The combination of fields for each line item cannot exceed 1024 characters. The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a...
Adding AAA Servers
For descriptions of the options that are available while adding a remote AAA server configuration, see AAA Server Configuration Options, page 4-15. For ACS to provide AAA services to a remote AAA server, you must ensure that gateway devices between the remote AAA server and ACS permit communication over the ports that support the applicable AAA protocol (RADIUS or TACACS+). For information about ports that AAA protocols use, see AAA Protocols TACACS+ and RADIUS, page 1-3. In the navigation bar,...
Adding an Administrator Account
For descriptions of the options available while adding an administrator account, see Administrator Step 1 In the navigation bar, click Administration Control. The Add Administrator page appears. Step 3 Complete the boxes in the Administrator Details table a. In the Administrator Name box, type the login name (up to 32 characters) for the new ACS administrator account. b. In the Password box, type the password (from 4 to 32 characters) for the new ACS administrator account. c. In the Confirm...
Additional Features in ACS Version
ACS version 4.0 provides the following features that help fortify and protect networked business systems Cisco NAC support ACS 4.0 acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials received from the Cisco Trust Agent (CTA, posture), determines the state of the host, and sends a per-user authorization to the network-access device ACLs, a policy based access control list, or a private VLAN assignment. Evaluation of the host...
Administration Issues
Remote administrator cannot bring up the ACS web interface in a browser or receives a warning that access is not permitted. 1. Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows for a list of supported browsers. 2. Ping ACS to confirm connectivity. 3. Verify that the remote administrator is using a valid administrator name and password that have previously been added in Administration Control. 4. Verify that Java...
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network. Local authentication on a network device can be performed, but it is not scalable. The use of network management tools can help in large networks but if local authentication is used on each network device, the policy usually entails a single login on the network device. This does...
Administrative Sessions and HTTP Proxy
ACS does not support HTTP proxy for administrative sessions. If the browser used for an administrative session is configured to use a proxy server, ACS sees the administrative session originating from the IP address of the proxy server rather than from the actual address of the computer. Administrative session tracking assumes each browser resides on a computer with a unique IP. Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather...
Administrative Sessions Through a NAT Gateway
We do not recommend conducting administrative sessions across a network device performing NAT. If the administrator runs a browser on a computer behind a NAT gateway, ACS receives the HTTP requests from the public IP address of the NAT device, which conflicts with the computer private IP address, included in the content of the HTTP requests. ACS does not permit this. If ACS is behind a NAT gateway and the URL used to access the web interface specifies ACS by its hostname, administrative...
Administrative Sessions Through Firewalls
In the case of firewalls that do not perform network address translation (NAT), administrative sessions conducted across the firewall can require additional configuration of ACS and the firewall. This is because ACS assigns a random HTTP port at the beginning of an administrative session. To allow administrative sessions from browsers outside a firewall that protects ACS, the firewall must permit HTTP traffic across the range of ports that ACS is configured to use. You can control the HTTP port...
Administrator Privileges
You can grant appropriate privileges to each ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options from the Administrator Privileges table on the Add Administrator or Edit Administrator pages. These options are User and Group Setup Contains the following privilege options for the User Setup and Group Setup sections of the web interface - Add Edit users in these groups Enables the administrator to add or edit users...
Advanced Filtering
You can use Advanced Filtering to create rules based on specific RADIUS attributes and values (including Cisco-AV- pairs). It is based on a Boolean AND expression of RADIUS attributes. You can enter multiple rule-elements, which are treated as an AND Boolean expression. Operators contains, start with, and regular expression only apply to string-type attribute values. _ Note ACS supports Cisco IOS RADIUS AV pairs. Before you select an AV pair, confirm that your AAA client supports it. If you...
Advanced User Authentication Settings
This section presents the activities that you perform to configure user-level TACACS+ and RADIUS enable parameters. This section contains the following topics TACACS+ Settings (User), page 7-16 - Configuring TACACS+ Settings for a User, page 7-16 - Configuring a Shell Command Authorization Set for a User, page 7-17 - Configuring a PIX Command Authorization Set for a User, page 7-19 - Configuring Device-Management Command Authorization for a User, page 7-20 - Configuring the Unknown Service...
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges
ACS provides automated detection of overlapping pools. Note To use overlapping pools, you must be using RADIUS with VPN, and you cannot be using the Dynamic Host Configuration Protocol (DHCP). You can determine whether overlapping IP pools are allowed by checking which button appears below the AAA Server IP Pools table Allow Overlapping Pool Address Ranges Overlapping IP pool address ranges are not allowed. Clicking this button allows IP address ranges to overlap between pools. Force Unique...
An Example of accountActions
Table F-10 presents an sample instance of accountActions that contains some of the action codes described in Action Codes, page F-3. First user fred is created, along with his passwords, including a TACACS_ Enable password with privilege level 10. Fred is assigned to Group 2. His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day Day-of-Week restrictions, token caching, and some RADIUS attributes. _ Note This...
Appendix Cradius Attributes C1
Cisco IOS Dictionary of RADIUS IETF C-2 Cisco IOS PIX 6.0 Dictionary of RADIUS VSAs C-4 About the cisco-av-pair RADIUS Attribute C-5 Cisco VPN 3000 Concentrator ASA PIX 7.x+ Dictionary of RADIUS VSAs C-6 Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs C-10 Cisco Building Broadband Service Manager Dictionary of RADIUS VSA C-10 Cisco Airespace Dictionary of RADIUS VSA C-10 IETF Dictionary of RADIUS IETF (AV Pairs) C-11 Microsoft MPPE Dictionary of RADIUS VSAs C-19 Ascend Dictionary of...
Appendix D CSUtil Database Utility D1
Location of CSUtil.exe and Related Files D-2 Creating an ACS Internal Database D-5 Creating an ACS Internal Database Dump File D-6 Loading the ACS Internal Database from a Dump File D-7 Compacting the ACS Internal Database D-8 User and AAA Client Import Option D-9 Importing User and AAA Client Information D-9 User and AAA Client Import File Format D-10 About User and AAA Client Import File Format D-11 ONLINE or OFFLINE Statement D-11 ADD Statements D-12 UPDATE Statements D-13 DELETE Statements...
Appendix Frdbms Synchronization Import Definitions F1
AccountActions Specification F-1 accountActions Format F-1 accountActions Mandatory Fields F-2 accountActions Processing Order F-3 Supported Versions for ODBC Datasources F-3 Action Codes F-3 Action Codes for Setting and Deleting Values F-4 Action Codes for Creating and Modifying User Accounts F-4 Action Codes for Initializing and Modifying Access Filters F-9 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings F-12 Action Codes for Modifying Network Configuration F-17 ACS...
Assigning a User to a Client IP Address
To assign a user to a client IP address Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-3. The User Setup Edit page opens. The username that you add or edit appears at the top of the page. Step 2 Under Client IP Address Assignment in the User Setup table, select the applicable option. Choices include Note The IP address assignment in User Setup overrides the IP address assignment in Group Setup. Use group settings Click this option to use the IP address group...
Assigning a User to a Group
A user can only belong to one group in ACS. The user inherits the attributes and operations that are assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings that you configure at the group level. By default, users are assigned to the Default Group. Users who authenticate via the Unknown User method and who are not mapped to an existing ACS group are also assigned to the Default Group. Alternatively, you can choose not to...
Assigning an Unassigned AAA Client or AAA Server to an NDG
You use this procedure to assign an unassigned AAA client or AAA server to an NDG. Before you begin this procedure, you should have already configured the client or server and it should appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. To assign a network device to an NDG Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 In the Network Device Groups table, click Not Assigned. Tip If the Network Device Groups table...
Audit Policy
The Audit Policy feature controls the generation of the Administrative Audit log. For more information about enabling, viewing, or configuring the Administrative Audit log, see ACS System Logs, page 11-8. Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS, authenticates users against one of several possible databases, including its internal database. You can configure ACS to authenticate users with more than one type of database. With this flexibility you...
Authenticating with External User Databases
Authenticating users with an external user database requires more than configuring ACS to communicate with an external user database. Performing one of the configuration procedures in this chapter for an external database does not, on its own, instruct ACS to authenticate any users with that database. After you have configured ACS to communicate with an external user database, you can configure ACS to authenticate users with the external user database in one of two ways By Specific User...
Authentication and Unknown Users
This section provides information about using the Unknown User Policy with authentication. The information in this section is also relevant for NAP authentication policies, unless stated otherwise. This section contains the following topics About Unknown User Authentication, page 16-3 General Authentication of Unknown Users, page 16-3 Windows Authentication of Unknown Users, page 16-4 Performance of Unknown User Authentication, page 16-6
Authentication Bypass
You can use the profile template that ACS provides to create a profile that matches a RADIUS request that will come from a switch. Once the profile is created an analysis of the RADIUS packet that comes from the Catalyst 6500 must be done to create an accurate match for the profile. The RADIUS request from the switch has a Service Type value of 10, just like NAC-L2-IP but does not have a Cisco Attribute Value Pair (AVP) that contains the keywords service. Therefore, two entries are created in...
Authentication Considerations
Username and password is the most popular, simplest, and least-expensive method of authentication. The disadvantage is that this information can be told to someone else, guessed, or captured. Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access. You should use encryption to reduce the risk of password capturing on the network. Client and server access-control protocols...
Authentication Protocol Database Compatibility
The various password protocols that ACS supports for authentication are supported unevenly by the various databases that ACS supports. For more information about the password protocols that ACS supports, see Passwords, page 1-8. _ Note This release does not support Windows NT. Table 1-2 specifies non-EAP authentication protocol support. Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility H ACS...
Authentication Protocols
You can configure all relevant parameters for authentication in the Authentication Settings Page. These parameters are applied during access request processing. The following authentication protocols can be configured in the Authentication Settings Page RADIUS Authentication protocols - An option to allow or disallow authentication by using Password Authentication Protocol (PAP) protocol. - An option to allow or disallow authentication by using CHAP password protocol. - An option to allow or...
Authentication Timeout Value on AAA clients
You must increase the AAA client timeout to accommodate the longer authentication time that is required for ACS to pass the authentication request to the external user databases that an unknown user authentication uses. If the AAA client timeout value is not set high enough to account for the delay that an unknown user authentication requires, the AAA client times out the request and every unknown user authentication fails. In Cisco IOS, the default AAA client timeout value is five seconds. If...
Authentication with Windows User Databases
ACS forwards user credentials to a Windows database by passing the user credentials to the Windows operating system of the computer that is running ACS. The Windows database passes or fails the authentication request from ACS. When receiving the response from the Windows database, ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the Windows database. ACS grants authorization based on the ACS group to which the user is assigned. While you...
Authorization of Unknown Users
Although the Unknown User Policy allows authentication requests to be processed by databases that are configured in the External User Database section, ACS is responsible for all authorizations that are sent to AAA clients and end-user clients. Unknown user authentication works with the ACS user group mapping features to assign unknown users to user groups that you have already configured and, therefore, to assign authorization to all unknown users who pass authentication. For more information,...
Authorization Rules
Authorization rules allow for variation of device provisioning within the NAP based on group membership and posture token. The set of possible mappings is theoretically quite high-for each NAP-for each group and for each posture. However, in practice most users will be caught by a default case for example, normal healthy users. Exceptions to the norm would be corner cases, such as groups that require specialized access rights (for example, administrators) or users with Infected or Quarantined...
Authorization Sets
This section describes command-authorization sets and pattern matching, and provides detailed instructions for configuring and managing them. This section contains the following topics About Command Authorization Sets, page 5-24 - Command Authorization Sets Description, page 5-24 - Command Authorization Sets Assignment, page 5-26 - Case Sensitivity and Command Authorization, page 5-26 - Arguments and Command Authorization, page 5-27 - About Pattern Matching, page 5-27 Adding a Command...
AV Pair Dictionary
To use the full range of the Cisco IOS AV-pair dictionary for TACACS+, the AAA client should use IOS version 11.3 or later. Cisco IOS 11.1 and 11.2 have only partial support for TACACS+ AV-pairs. If you specify a given AV pair in ACS, you must also enable the corresponding AV pair in the Cisco IOS software that is running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If ACS sends an AV pair to the AAA client that the Cisco IOS software does not...
Backing Up ACS with CSUtilexe
You can use the -b option to create a system backup of all ACS internal data. The resulting backup file has the same data as the backup files that are produced by the ACS Backup feature found in the web interface. For more information about the ACS Backup feature, see ACS Backup, page 8-7. _ Note During the backup, all services are automatically stopped and restarted. No users are authenticated while the backup is occurring. On the computer that is running ACS, open an MS-DOS command prompt and...
