Configuration Guide for Cisco Secure ACS 4.2 (Cisco Systems)
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Configuration Guide for Cisco Secure ACS 4.2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
iii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 CONTENTS Preface ix Audience ix Organization ix Conventions x Product Documentation x Related Documentation xii Obtaining Documentation a.
iv Deploying ACS in a NAC/NAP Environment 2-15 Additional Topics 2-16 Remote Access Policy 2-16 Security Policy 2-17 Administrative .
v Step 6: View the dACLs 4-9 Error Messages 4-11 Reading, Updating, and Deleting dACLs 4-12 Updating or Deleting dACL Associations w.
vi Step 6: Enable Agentless Request Processing 6-18 Create a New NAP 6-18 Enable Agentless Request Processing for a NAP 6-20 Configu.
vii Install the CA Certificate 9-7 Install the ACS Certificate 9-8 Set Up Global Configuration 9-8 Set Up Global Authentication 9-9 S.
viii Profile Setup 9-56 Protocols Policy 9-58 Authorization Policy 9-59 Sample Posture Validation Rule 9-60 Sample Wireless (NAC L2 802.
ix Preface Audience This guide is for security administrators who use Cisco Secure Access Control Server (ACS), and who set up and maintain network and application security.
x Conventions This document uses the following conventions: Tip Identifies information to help you get the most benefit from your product.
xi Table 1 ACS 4.2 Documentation Document Title Available Formats Documentation Guide for Cisco Secure ACS Release 4.2 • Shipped with product. • PDF on the product CD-ROM. • On Cisco .
xii Notices Related Documentation Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.
xiii OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.
xiv Original SSLeay License: Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.
1-1 CHAPTER 1 Overview of ACS Configuration This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps.
1-2 Summary of Configuration Steps b. For each administrator, specify administrator privileges.
1-3 – By using database synchronization – By using database replication For detailed instructions, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.
1-4 Step 14 Set Up Network Access Profiles. If required, set up Network Access Profiles. Step 15 Configure Logs and Reports.
1-5 Configuration Flowchart Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration.
1-6 Configuration Flowchart.
2-1 CHAPTER 2 Deploy the Access Control Servers This chapter discusses topics that you should consider before deploying Cisco Secure Access Control Server, hereafter referred to as ACS.
2-2 Determining the Deployment Architecture This section discusses: • Access types—How users.
2-3 • EAP-TLS—Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
2-4 Figure 2-2 ACS in a Campus LAN Figure 2-2 shows a possible distribution of ACS in a wired campus LAN.
2-5 Figure 2-3 ACS in a Geographically Dispersed LAN Wir.
2-6 Figure 2-4 Simple WLAN Campus WLAN In a WLAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy ACS become more complex.
2-7 Figure 2-5 Campus WLAN Regional WLAN Setting In a given geographical or organizational region, the total number of users might or might not reach a critical level for a single ACS.
2-8 Figure 2-6 shows a regional WLAN.
2-9 Figure 2-7 shows ACS installations in a geographically dispersed network that contains many WLANs.
2-10 Figure 2-8 Small Dial-up Network Large Dial-Up Network Access In a larger dial-in environment, a single ACS with a backup may be suitable, too.
2-11 Determining How Many ACSs to Deploy (Scalability) Placement of the RADIUS Server From a pract.
2-12 The size of the LAN or WLAN is determined b.
2-13 Deploying ACS Servers to Support Server Failover only create an 80-percent load on the other ACS for the duration of the outage.
2-14 • Client configuration—How to configure the client. • Reports and event (error) handling—What information to include in the logs.
2-15 Deploying ACS in a NAC/NAP Environment You can deploy ACS in a Cisco Network Admission Control and Microsoft Network Access Protection (NAC/NAP) environment.
2-16 Figure 2-11 illustrates the architecture of a NAC/NAP network. Figure 2-11 NAC/NAP Deployment Architecture Additional Topics This section describes additional topics to consider when deploying ACS.
2-17 access, other decisions can also affect how ACS is deployed; these includ.
2-18 A small network with a small number of network devices may require only one or two individuals to administer it. Local authentication on the device is usually sufficient.
2-19 Conversely, if a general user attempts to use his or her remote access to.
2-20 Additional Topics.
3-1 CHAPTER 3 Configuring New Features in ACS 4.2 This chapter describes how to configure several new features provided with ACS 4.
3-2 New Global EAP-FAST Configuration Options Figure 3-1 New Global EAP-FAST Configuration Options Table 3-1 describes the new EAP-FAST settings.
3-3 Disabling of EAP-FAST PAC Processing in Network Access Profiles Disabling of EAP-FAST PAC P.
3-4 Disabling NetBIOS Figure 3-2 shows the new options on the NAP Protocols page. Disabling NetBIOS Because disabling NetBIOS might be desirable in some cases, you can run ACS 4.
3-5 Configuring ACS 4.2 Enhanced Logging Features To disable NetBIOS over TCP/IP in Windows 2000, XP, or 2003: Step 1 Right-click My Network Places and choose Properties.
3-6 Configuring Group Filtering at the NAP Level You can use ACS 4.
3-7 Option to Not Log or Store Dynamic Users When ACS.
3-8 RSA Support on the ACS SE In previous releases, ACS SE devices could only send syslog messages using the local time that is set on the ACS device.
3-9 Figure 3-5 External User Databases Page (ACS SE) Step 3 Click RSA SecureID Token Server. The Database Configuration Creation page appears.
3-10 Figure 3-7 Cisco Secure ACS to RSA SecurID Configuration Page Step 9 On the Cisco Secure ACS to RSA SecurID Configuration page, enter the information shown in Table 3-3. Step 10 Click Submit.
3-11 The External User Database Configuration page opens. Step 4 Click Configure. The Cisco Secure ACS to RSA SecurID Configuration page opens.
3-12 Figure 3-8 RSA SecurID Token and LDAP Group Mapping Configu.
3-13 Step 8 If you want to limit authentications processed by this LD.
3-14 Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote (“), the asterisk (*), the right angle bracket (>), and the left angle bracket (<).
3-15 b. In the Port box, type the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification.
3-16 Turning Ping On and Off Note ACS saves the generic LDAP configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication.
4-1 CHAPTER 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration This chapter describes how to configure ACS 4.2 to enable new RDBMS Synchronization features introduced with ACS 4.
4-2 Using RDBMS Synchronization to Configure dACLs • Remote Invocation of the CSDBSync Service on the ACS Solution Engine—With ACS 4.
4-3 Example 4-1 shows a sample text file.
4-4 Using RDBMS Synchronization to Configure dACLs.
4-5 T.
4-6 Figure 4-1 RDBMS Synchronization Setup Page (ACS for Windows) b.
4-7 • Password—The password for the username provided in the Login box.
4-8 Using RDBMS Synchronization to Configure dACLs.
4-9 A.
4-10 The Downloadable IP ACLs page displays the selected dACL, as shown in Figure 4-4.
4-11 Step 5 If the dACL was not created correctly, review the steps in Using RDBMS Synchronization to Configure dACLs, page 4-2 and check for errors.
4-12 Reading, Updating, and Deleting dACLs Table 4-4 lists the account action codes that you can use to read, update, or delete a dACL.
4-13 Reading, Updating, and Deleting dACLs.
4-14 Updating or Deleting dACL Associations with Us.
4-15 Using RDBMS Synchronization to Specify Networ.
4-16 Using RDBMS Synchronization to Specify Network .
5-1 CHAPTER 5 Password Policy Configuration Scenario Cisco Secure ACS, hereafter referred to as ACS, provides new password features to support corporate requirements mandated by the Sarbanes-Oxley Act of 2002.
5-2 Summary of Configuration Steps To configure password policy in ACS: Step 1 Add a new administrator account.
5-3 Step 1: Add and Edit a New Administrator Account Figure 5-1 Administration Control Page The Administration Control page initially lists no administrators.
5-4 Step 2: Configure Password Policy Step 4 Click Grant All or Revoke All to globally add .
5-5 Figure 5-2 The Administrator Password Policy Setup P.
5-6 Step 2 On the Password Policy Setup Page, specify: • Password Validation Options See Specify Password Validation Options, page 5-6.
5-7 Step 3: Configure Session Policy Specify Password Inactivity Options In the Password Ina.
5-8 Figure 5-3 The Session Policy Setup Page Step 2 On the Session Policy Setup page, set session options as required.
5-9 Step 4: Configure Access Policy This section describes how to configure administrative access policy.
5-10 Figure 5-4 Access Policy Setup Page Step 3 Click the.
5-11 Reject connections from listed IP addresses Restricts remote access to the web interface to IP addresses outside of the specified IP Address Ranges.
5-12 Viewing Administrator Entitlement Reports Step 4 Type the appropriate IP address ranges in accordance with the IP Address Filtering option.
5-13 View Privilege Reports To view privilege reports: Step 1 In the navigation bar, click Reports and Activity.
5-14 Viewing Administrator Entitlement Reports.
6-1 CHAPTER 6 Agentless Host Support Configuration Scenario This chapter describes how to configure the agentless host feature in Cisco Secure Access Control Server, hereafter referred to as ACS.
6-2 Overview of Agentless Host Support 3. If you configure ACS for MAB, it searches the authentication database for the host’s MAC address. The database can be: – ACS internal – LDAP (if you configure LDAP) 4.
6-3 Summary of Configuration Steps GAME group feedback provides an added security chec.
6-4 Basic Configuration Steps for Agentless Host Support Step 7 Configure logging and reports. Add the Bypass Info attribute to the Passed Authentications and Failed Attempts reports.
6-5 where IP_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS.
6-6 Figure 6-2 Add AAA Client Page Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 alphanumeric characters).
6-7 The steps in this section are required to enable posture validation, which is used in Network Access Profiles.
6-8 Step 4 Select Install Certificate. The Windows Certificate Import wizard starts.
6-9 Step 11 Do not restart the services at this time. Restart the services later, after you have completed the steps for adding a trusted certificate.
6-10 Step 4: Configure LDAP Su.
6-11 macAddress: 11-22-33-44-55-66 cn: user11-wxp.
6-12 How the Subtrees Work The.
6-13 Table 6-1 describes the attributes of the sample LDAP groups.
6-14 • Common LDAP Configuration—Configure the settings in this section to specify how ACS queries the LDAP database.
6-15 • UserObjectClass—The value of the LDAP objectType attribute that identifies the record as a user.
6-16 Figure 6-7 LDAP Server Configuration Sections a.
6-17 For detailed information on.
6-18 Before you assign the user groups, plan how to configure the user groups.
6-19 The Profile Setup page opens, shown in Figure 6-9. Figure 6-9 Profile Setup Page Step 3 In the Name text box, enter the name of the NAP.
6-20 Figure 6-10 Edit Network Access Protocols Page You are now ready to enable agentless request processing.
6-21 You are now ready to configure MAB settings. Configure MAB To configure MAB: Step 1 In the Edit Network Access Profiles page, click Authentication.
6-22 Step 3 If you specified a.
6-23 Step 7: Configure Logging an.
6-24 Configuration Steps for Audit Server Support Step 4 Repeat Step 3 for additional report types as required. Step 5 Repeat Steps 3 and 4 for the Failed Attempts report.
7-1 CHAPTER 7 PEAP/EAP-TLS Configuration Scenario You can select EAP-TLS as an inner method that is used within the tunnel that ACS establishes for PEAP authentication.
7-2 Step 1: Configure Security Certificates Obtain Certificates and Copy Them to the ACS Host To use EAP-TLS, you must obtain and install security certificates.
7-3 Step 4 Select Install Certificate. The Windows Certificate Import wizard starts. Step 5 To install the certificate, follow the instructions that the wizard displays.
7-4 Step 10 ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services.
7-5 Step 2: Configure Global Authentication Settings Step 3 Click Submit. Step 4 To restart ACS, choose System Configuration > Service Control, and then click Restart.
7-6 Step 3: Specify EAP-TLS Options Step 3 Specify the protocols to use with the PEAP protocol.
8-1 CHAPTER 8 Syslog Logging Configuration Scenario Overview ACS provides a system logging (syslog) feature. With the addition of this feature, all AAA reports and audit report messages can be sent to up to two syslog servers.
8-2 Configuring Syslog Logging Figure 8-1 Logging Configuration Page Step 3 To enable a sy.
8-3 Figure 8-2 Enable Logging Page Step 4 Check the check box for logging the specified information to syslog. For example, in Figure 8-2, check the Log to Syslog Failed Attempts Report check box.
8-4 Format of Syslog Messages in ACS Reports Step 6 Click Submit. Step 7 Repeat the process for any additional reports for which you want to enable syslog reporting.
8-5 All ACS syslog messages use a severity value of 6 (informational). For example, if the facility value is 13 and the severity value is 6, the Priority value is 110 ((8 x 13) + 6).
8-6 Format of Syslog Messages in ACS Reports.
CH A P T E R 9-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 9 NAC Configuration Scenario This chapter describes how to set up Cisco Secure A ccess Control Se rver 4.2, hereafte r referred t o as A CS, to work in a Cisco Network Admission Contro l en vironment.
9-2 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 2: Perfo rm Network Configuration Tasks T o in stall A CS: Step 1 Start the A CS installation: If you are i nstalling A CS for Wi ndo ws: a. Using a local administrat or account, log in to the compu ter on which you want to install A CS.
9-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuratio n Scenario Step 2: Perform Network Configuration Tasks Step 2 Do one of the foll ow ing: • If you are usin g Network Device Groups (NDGs), c lick the name of the NDG to which you w ant to assign the AAA client.
9-4 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 9 NAC Configuration Scenario Step 2: Perfo rm Network Configuration Tasks Step 5 In the Shared Secret box, type a sh ared secret key fo r the AAA cli ent. The shared secret is a string th at you determine; for example, m ynet123 .
9-5 Step 3: Set Up System Configuration. Step 2 In the AAA Servers table, click the name of the AAA server in the AAA Server Name column. The AAA Server Setup page opens, shown in Figure 9-2.
9-6 Obtain Certificates and Copy Them to the ACS Host. To copy a certificate to the ACS host: Step 1 Obtain a security certificate.
9-7 Edit the Certificate Trust List. After you set up the ACS certification authority, you must add the CA certificate to the ACS Certificate Trust List. Add only the CAs that are meant to issue client certificates for your EAP-TLS, PEAP, or EAP-FAST clients: ACS accepts a client certificate that chains to any CA on this list, so every extra entry widens who can authenticate.
9-8 Install the ACS Certificate. To enable security certificates on the ACS installation: Step 1 In the navigation bar, click System Configuration.
9-9 Set Up Global Authentication. In the global authentication setup, you specify the protocols that ACS uses to transfer credentials from the host for authentication and authorization.
9-10 Figure 9-6 Global Authentication Setup Page.
9-11 Step 3 To make the PEAP global authentication parameters available in the NAP configuration, check the check boxes for: • Allow EAP-MSCHAPv2 …
9-12 Set Up EAP-FAST Configuration. To configure ACS to work with NAC and use EAP-FAST with posture validation: Step 1 In the navigation bar, click System Configuration.
9-13 Figure 9-8 EAP-FAST Configuration Page. Step 4 Check the Allow EAP-FAST check box. Step 5 In the Client Initial Message text box, enter a message; for example, Welcome.
9-14 Step 8 Check the Accept client on authenticated provisioning and Require client certificate for provisioning check boxes. Requiring a client certificate means that PACs are provisioned only inside a TLS tunnel in which both sides are authenticated; with anonymous in-band provisioning the client cannot verify who it is talking to, so a rogue server on the path could collect the inner MS-CHAPv2 exchange and attack the password offline.
9-15 To enable the Passed Authentications report: Step 1 In the navigation bar, click System Configuration. The System Configuration page opens.
9-16 Step 4 Move the attributes that you want to log from the Attributes list to the Logged Attributes list.
9-17 • Acct-Input-Octets • Acct-Output-Octets • Acct-Input-Pa…
9-18 Step 4: Set Up Administration Control. Figure 9-10 Add Administrator Page.
9-19 Step 3 In the Administrator Details area, specify the following information: Step 4 Click Grant All. Grant All gives this administrator every privilege in ACS; that is convenient for the initial setup described here, but for day-to-day accounts grant only the privileges the role needs.
9-20 Step 5 Click Submit. After performing these steps, from a remote host, you can open a browser in which to administer ACS. Restrict that remote access to your management hosts and use HTTPS for the administrative session (both are configured under Administration Control, Access Policy).
9-21 Step 5: Set Up Shared Profile Components. Figure 9-11 Edit Network Access Filtering Page. Step 4 In the Name text box, enter a name for the network access filter.
9-22 To enable dACLs and NAFs, which are required to create NAPs: • Add a new posture ACL. • Add ACE entries for the ACL.
9-23 Figure 9-13 Downloadable IP ACLs Page. Step 3 On the Downloadable IP ACLs page, enter a Name and optional Description for the ACL, as shown in Figure 9-13.
9-24 Figure 9-14 Downloadable IP ACL Content Page. Step 2 In the Name text box, type the ACL name. Step 3 In the ACL Definitions input box, type definitions for the ACL.
9-25 Figure 9-15 Downloadable ACL Contents List with New Content. Step 5 From the drop-down list in the Network Access Filtering column of the ACL Contents table, choose the correct NAF for this ACL.
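What goes into the ACL Definitions box (page 9-24) is the list of access control entries the switch will apply to the authenticated host. As an added example that is not from the Cisco guide, the Python below parses such content and flags the mistakes that matter in a NAC deployment: a permit ip any any (which is what a full-access dACL should contain, and nothing else should), a deny that shadows later lines, and a restricted ACL with no closing deny. It assumes the definitions are IOS-style extended ACEs without the access-list prefix, one per line; the "!" comment convention, the three sample dACLs and their addresses are constructed for this example.

```python
"""Parse and sanity-check downloadable ACL (dACL) content before it is pasted
into the ACS ACL Definitions box.

Added example; not from the Cisco guide. Assumes IOS-style extended ACEs
without the "access-list" prefix, one per line, pushed unchanged to the switch.
Lines starting with "!" are treated as comments by this checker only. The
sample dACLs and addresses are constructed for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str
    src: str      # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    ports: str    # destination port clause such as "eq 443", or ""

    def is_any_any(self) -> bool:
        return self.src == "any" and self.dst == "any"


def _take_addr(tokens: list[str]) -> str:
    """Consume one address specification from the front of `tokens`."""
    if not tokens:
        raise ValueError("missing address")
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        if not tokens:
            raise ValueError("host keyword without an address")
        ip = tokens.pop(0)
        ipaddress.IPv4Address(ip)            # raises ValueError on junk
        return "host " + ip
    if not tokens:
        raise ValueError("address without wildcard mask: " + t)
    wild = tokens.pop(0)
    ipaddress.IPv4Address(t)
    ipaddress.IPv4Address(wild)              # wildcard mask in dotted form
    return t + " " + wild


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError("malformed ACE: " + line)
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto not in PROTOCOLS:
        raise ValueError("unsupported protocol in: " + line)
    src = _take_addr(rest)
    dst = _take_addr(rest)
    if rest and rest[0] not in PORT_OPS:
        raise ValueError("unexpected trailing tokens in: " + line)
    if rest and (len(rest) < 2 or (rest[0] == "range" and len(rest) != 3)):
        raise ValueError("incomplete port clause in: " + line)
    return Ace(action, proto, src, dst, " ".join(rest))


def parse_dacl(text: str) -> list[Ace]:
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            aces.append(parse_ace(line))
    return aces


def audit_dacl(name: str, text: str) -> list[str]:
    """Findings a reviewer would want before assigning this dACL to a RAC.
    An empty list means nothing was flagged."""
    aces = parse_dacl(text)
    findings: list[str] = []
    if not aces:
        return [f"{name}: empty ACL"]
    for i, ace in enumerate(aces, 1):
        if ace.action == "permit" and ace.proto == "ip" and ace.is_any_any():
            findings.append(f"{name}: line {i} 'permit ip any any' grants unrestricted access; "
                            "only the full-access dACL for healthy hosts should contain it")
        if ace.action == "deny" and ace.proto == "ip" and ace.is_any_any() and i < len(aces):
            findings.append(f"{name}: line {i} 'deny ip any any' shadows {len(aces) - i} later line(s)")
    last = aces[-1]
    full_access = last.action == "permit" and last.proto == "ip" and last.is_any_any()
    closed = last.action == "deny" and last.proto == "ip" and last.is_any_any()
    if not (full_access or closed):
        findings.append(f"{name}: no explicit 'deny ip any any' at the end of a restricted ACL")
    return findings


# Constructed sample content for three dACLs.
SAMPLE_DACLS = {
    "Cisco_FullAccess": "permit ip any any\n",
    "Cisco_Quarantine": (
        "! remediation server and DNS only\n"
        "permit udp any host 10.10.10.53 eq 53\n"
        "permit tcp any host 10.10.10.20 eq 443\n"
        "deny ip any any\n"
    ),
    "Broken": (
        "deny ip any any\n"
        "permit tcp any host 10.10.10.20 eq 443\n"
    ),
}


def audit_all(dacls: dict[str, str] = SAMPLE_DACLS) -> dict[str, list[str]]:
    return {name: audit_dacl(name, text) for name, text in dacls.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```

Run it over the text you are about to paste; a quarantine or restricted dACL should come back with no findings, and the only dACL that may legitimately contain permit ip any any is the one mapped to the full-access RAC.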
9-26 The sample RACs are: • Cisco_FullAccess—Provides full access to the Cisco network. You use this RAC to grant access to clients that qualify as healthy.
9-27 Figure 9-17 RAC Attribute Add/Edit Page. b. In the Value field for the attribute, enter an appropriate value.
9-28 Figure 9-18 Attribute Selection for the Cisco_FullAcces…
9-29 Figure 9-19 Attribute Selection for the Cisco_Restrict…
9-30 • Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an 802 protocol.
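Tunnel-Medium-Type is one of the three tagged tunnel attributes (RFC 2868) that a RAC places in the Access-Accept to assign a VLAN; the switch applies the VLAN only when Tunnel-Type (64) is 13 (VLAN), Tunnel-Medium-Type (65) is 6 (IEEE-802) and a Tunnel-Private-Group-ID (81) carries the VLAN, all under the same tag (RFC 3580). The Python below is an added example, not ACS code or anything from the guide: it encodes the three attributes as they appear on the wire and decodes them back with the same consistency check a switch applies, so you can see what a sample RAC actually sends. The VLAN numbers are made up.

```python
"""Encode and decode the RFC 2868 tunnel attributes that a RAC such as
Cisco_FullAccess puts in the RADIUS Access-Accept to assign a VLAN.

Added example; not ACS code or anything from the Cisco guide. Attribute numbers
and values follow RFC 2868 and RFC 3580: Tunnel-Type (64) = 13 (VLAN),
Tunnel-Medium-Type (65) = 6 (IEEE-802), Tunnel-Private-Group-ID (81) = VLAN ID
or name. The VLAN numbers used below are made up.
"""
from __future__ import annotations

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6
TAG_MAX = 0x1F   # RFC 2868: a first byte above 0x1F means the attribute is untagged


def tagged_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """Type, Length, Tag, 3-byte big-endian value (RFC 2868 sections 3.1 and 3.2)."""
    if not (0 <= tag <= TAG_MAX and 0 <= value < (1 << 24)):
        raise ValueError("tag must be 0-31 and value must fit in 24 bits")
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def tagged_str(attr_type: int, value: str, tag: int = 1) -> bytes:
    """Type, Length, Tag, String (RFC 2868 section 3.6)."""
    data = value.encode("ascii")
    if not (0 <= tag <= TAG_MAX and 1 <= len(data) <= 250):
        raise ValueError("tag must be 0-31 and the string 1-250 bytes")
    payload = bytes([tag]) + data
    return bytes([attr_type, 2 + len(payload)]) + payload


def vlan_assignment(vlan: str, tag: int = 1) -> bytes:
    """The three attributes a switch needs to place the port in `vlan`."""
    return (tagged_int(TUNNEL_TYPE, VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def decode_attrs(blob: bytes) -> list[tuple[int, int, bytes]]:
    """Walk a RADIUS attribute list and return (type, tag, value) triples,
    rejecting malformed lengths rather than reading past the end."""
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        body = blob[i + 2:i + length]
        if body[0] <= TAG_MAX:
            out.append((attr_type, body[0], body[1:]))
        else:
            out.append((attr_type, 0, body))   # untagged attribute
        i += length
    return out


def vlan_from_accept(blob: bytes) -> str | None:
    """Apply the check a switch makes (RFC 3580): all three attributes present
    under the same tag, Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802.
    Returns the VLAN, or None if the set is incomplete or inconsistent."""
    by_tag: dict[int, dict[int, bytes]] = {}
    for attr_type, tag, value in decode_attrs(blob):
        by_tag.setdefault(tag, {})[attr_type] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None


if __name__ == "__main__":
    accept = vlan_assignment("100")           # what a full-access RAC might send
    print(accept.hex(" "))
    print("switch applies VLAN:", vlan_from_accept(accept))
    # Same attributes but with the group ID under a different tag: ignored.
    mixed = tagged_int(64, VLAN) + tagged_int(65, IEEE_802) + tagged_str(81, "100", tag=2)
    print("mismatched tags ->", vlan_from_accept(mixed))
```

When a RAC assigns the wrong VLAN or none at all, compare the three attributes in the Access-Accept (a packet capture, or the Passed Authentications report once the attributes are logged) against `vlan_assignment`: a missing attribute, a Tunnel-Type other than 13, or tags that do not match are the usual causes.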
9-31 Step 6: Configure an External Posture Validation Audit Server. A NAC-enabled network might include agentless hosts that do not have the NAC client software.
9-32 Your vendor ID should be the Intern…
9-33 Figure 9-20 External Posture Validation Audit Server Setup Page. Step 3 To configure the audit server: a. …
9-34 Figure 9-21 Use These Audit Servers Section. e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password.
9-35 Figure 9-22 Audit Flow Settings and GAME Group Feedback Sections. f. If required, in the Audit Flow Setting section, set the audit-flow parameters.
9-36 Step 7: Configure Posture Validation for NAC. To create an internal posture validation policy: Step 1 In the navigation bar, click Posture Validation.
9-37 Figure 9-24 Edit Posture Validation Rule Page. b. Click Add Condition Set. c. The Add/Edit Condition page appears, as shown in Figure 9-25.
9-38 g. Click Enter. The specified rule appears in the Add/Edit Condition page, as shown in Figure 9-25. h. Enter additional conditions as required.
9-39 Figure 9-27 Add/Edit External Posture Validation Server Page. Step 4 Enter a Name and Description (optional).
9-40 Configure an External Posture Validation Audit Server. A NAC-enabled network might include agentless hosts that do not have the NAC client software.
9-41 Configure the External Posture Validation Audit Server. You can configure an audit server once, and then use it for other profiles.
9-42 Figure 9-29 Use These Audit Servers Section. e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password.
9-43 Figure 9-30 Audit Flow Settings and GAME Group Feedback Sections. f. If required, in the Audit Flow Setting section, set the audit-flow parameters.
9-44 Step 8: Set Up Templates to Create NAPs. ACS 4.1 provides several profile templates that you can use to configure common usable profiles.
9-45 Figure 9-31 Create Profile From Template Page. Step 4 Enter a Name and Description (optional). Step 5 From the Template drop-down list, choose NAC L3 IP.
9-46 Figure 9-32 Profile Setup Page for Layer 3 NAC Template. The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter.
9-47 These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules.
9-48 Authentication Policy. To configure the authentication policy: Step 1 In the navigation bar, select Network Access Profiles.
9-49 c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group. Every agentless host that none of your rules recognizes lands in this group, so map it to a restricted authorization (the quarantine or restricted RAC and dACL), never to full access.
9-50 Step 6 Click Submit. If no error appears, you have created a profile that can authenticate Layer 2 NAC hosts, and the Profile Setup page for the NAC Layer 2 template appears.
9-51 Figure 9-36 Profile Setup Page for NAC Layer 2 Template. The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter.
9-52 This template automatically sets the Advanced Filtering and Authentication properties for the NAC Layer 2 IP configuration.
9-53 If you configure the default ACL on the switch and ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host that is connected to the switch port.
9-54 Authentication Policy. To set the authentication policy: Step 1 In the navigation bar, click Network Access Profiles.
9-55 c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.
9-56 Figure 9-40 Create Profile From Template Page. Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose NAC L2 802…
9-57 Figure 9-41 Profile Setup Page for NAC Layer 2 802…
9-58 Protocols Policy. Figure 9-42 shows the Protocols settings for the NAC Layer 2 802.1x template. Figure 9-42 Protocols Setting for NAC Layer 802…
9-59 Authorization Policy. To configure an authorization policy for the NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles.
9-60 Sample Posture Validation Rule. Figure 9-44 shows the sample posture validation policy provided with the NAC Layer 2 802…
9-61 Figure 9-45 Create Profile From Template Page. Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose Wireless (NAC L2 802…
9-62 Figure 9-46 Profile Setup Page for Wireless (NAC L2 802…
9-63 These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules.
9-64 Authorization Policy. To configure an authorization policy for the Wireless NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles.
9-65 Sample Posture Validation Rule. Figure 9-49 shows the sample posture validation policy provided with the Wireless (NAC L2 802…
9-66 To create an agentless host for the Layer 3 profile template: Step 1 In the navigation bar, click Network Access Profiles.
9-67 Profile Setup. To use the Profile Setup settings from the template: Step 1 Go to Network Access Profiles. Step 2 Choose the profile that you created.
9-68 • You can click the Allow Selected Protocol types option to specify a protocol type for filtering.
9-69 Authentication Policy. To configure an authentication policy for the Agentless Host for Layer 3 template: Step 1 Go to Network Access Profiles.
9-70 Step 9: Map Posture Validation Components to Profiles. The Add/Edit Posture Validation Rule page for the specified rule appears, as shown in Figure 9-54.
9-71 Step 10: Map an Audit Server to a Profile. To add an external posture validation audit server to a profile: Step 1 Choose Network Access Profiles.
9-72 Step 11 (Optional): Configure GAME Group Feedback.
9-73 Import an Audit Vendor File by Using CSUtil. For i…
9-74 Step 3 Restart ACS: a. In the navigation bar, click System Configuration. b. Click Service Control.
9-75 To add the posture attributes: Step 1 Create a…
9-76 Configure the External Posture Validation Audit Server. You can configure an audit server once, and then use it for other profiles.
9-77 Figure 9-57 Use These Audit Servers Section. e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password.
9-78 Figure 9-58 Audit Flow Settings and GAME Group Feedback Sections. f. If required, in the Audit Flow Setting section, set the audit-flow parameters.
9-79 Enable GAME Group Feedback. To enable GAME group …
9-80 – contains – starts-with – regular-expression • Device Type—Defines the comparison criteria for the User Group by using an operator and device type.
GL-1 GLOSSARY. A. AAA: Authentication, Authorization, and Accounting server. (Authentication, authorization, and accounting is pronounced "triple-A.")
GL-2 E. EAP: Extensible Authentication Protocol. Provides the ability to deploy RADIUS into Ethernet network environments. EAP is defined by IETF RFC 2284 (since obsoleted by RFC 3748) and the IEEE 802…
GL-3 N. NAC: Network Admission Control. NAC is a Cisco-sponsored industry initiative that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms.
GL-4 PEAP: Protected Extensible Authentication Protocol. An 802.1X authentication type used on wireless LANs (WLANs) and on wired ports; it carries an inner authentication (in ACS, for example EAP-MSCHAPv2) inside a TLS tunnel in which the server is authenticated by its certificate. PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging, provided the supplicant validates the ACS server certificate; a client configured to skip that check will hand its inner credentials to any rogue access point or switch that offers it a tunnel.
IN-1 INDEX. Numerics: 802.1x 2-2. A: AAA clients 4-14; configuring RADIUS client 9-2; creating 4-15; deleting 4-15; updating 4-15; AAA server configu…
IN-2 …separation from general users 2-18; Agentless Host for L2 (802.1x fallback) template 9-65; agentless host for L2 (802…
IN-3 …logging level 9-14; logs and reports 9-14; MAB 6-21; multiforest support for Active Directory 3-7; password lifetime options 5-6; passw…
IN-4 …configuring new features in ACS 4.2 3-2; EAP-TLS 2-3; specifying Certificate Binary Comparison for 7-6; specifying Certificate CN Comp…
IN-5 …for MAB support 6-12; Lightweight Directory Access Protocol, see LDAP; logging: configuring 9-14; enhanced features with ACS 4…
IN-6 …reliability 2-19. P: PAC, disabling PAC processing in NAPs 3-3; Passed Authentication report, enabling 9-15; password configuration, Acco…
IN-7 …purging Node Secret file 3-10. S: Sarbanes-Oxley, see SOX; security certificate, installing and setting up 9-5; security certi…
IN-8 W: warnings, significance of x; Windows Certificate Import Wizard 6-7, 7-2; wired LAN, geographically dispersed 2-4; wired LAN access 2-2; wireless (NAC L2 802…