A good user manual
The rules oblige the retailer to supply the buyer, together with the goods, with the Cisco Systems 4.2 user manual. The absence of the user manual, or incorrect information given to the consumer, is grounds for a complaint if the device does not conform to the contract. By law, the user manual may be supplied in a form other than paper, which has become common recently, including a graphic or electronic Cisco Systems 4.2 version or instructional videos for users. The condition is that it be legible and comprehensible.
What is a user manual?
The word derives from the Latin "instructio", that is, to arrange. Thus the Cisco Systems 4.2 user manual describes the stages of a procedure. The purpose of the user manual is to instruct, to make start-up and use of the equipment, or the performance of certain actions, easier. The manual is a collection of information about the object/service, a guide.
Unfortunately, few users take the time to read the user manual, and a good manual not only lets you discover a number of additional features of the purchased device, but also avoid the majority of failures.
So what should the perfect manual contain?
First of all, the Cisco Systems 4.2 user manual should contain:
- information on the technical data of the Cisco Systems 4.2 device
- the manufacturer's name and year of manufacture of the Cisco Systems 4.2
- instructions for use, adjustment and maintenance of the Cisco Systems 4.2 equipment
- safety markings and certificates confirming compliance with the relevant standards
Why don't we read user manuals?
Generally this is due to a lack of time and uncertainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting the Cisco Systems 4.2 is not enough. This manual contains a series of guidelines on specific features, safety, maintenance methods (including the products that should be used), possible Cisco Systems 4.2 defects and ways to solve the most common problems during use. Finally, the manual contains the contact details for Cisco Systems service in case the proposed solutions are ineffective. Currently, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, attract considerable interest. This type of manual allows the user to watch the entire instructional video without skipping the specific and complicated Cisco Systems 4.2 technical descriptions, as happens with the paper version.
Why read the user manual?
First of all, it contains answers about the structure and capabilities of the Cisco Systems 4.2 device, the use of various accessories, and a range of information for taking full advantage of all its features and services.
After the successful purchase of the equipment/device, take a moment to familiarize yourself with all parts of the Cisco Systems 4.2 user manual. Currently, they are carefully prepared and translated so as to be comprehensible not only to users, but also to fulfil their basic function of informing and helping.
Summary of the user manual
Page 1
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Configuration Guide for Cisco Secure ACS 4.2 February 2008 Text Part Number: OL-14390-02[...]
Page 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY P[...]
Page 3
iii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 CONTENTS Preface ix Audience ix Organization ix Conventions x Product Documentation x Related Documentation xii Obtaining Documentation and Submitting a Service Request xii Notices iii-xii OpenSSL/Open SSL Project iii-xiii License Issues iii-xiii CHAPTER 1 Overview of ACS Configurati[...]
Page 4
Contents iv Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Deploying ACS in a NAC/NAP Environment 2-15 Additional Topics 2-16 Remote Access Policy 2-16 Security Policy 2-17 Administrative Access Policy 2-17 Separation of Administrative and General Users 2-18 Database Considerations 2-19 Number of Users 2-19 Type of Database 2-19 Networ[...]
Page 5
Contents v Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Step 6: View the dACLs 4-9 Error Messages 4-11 Reading, Updating, and Deleting dACLs 4-12 Updating or Deleting dACL Associations with Users or Groups 4-14 Using RDBMS Synchronization to Specify Network Configuration 4-14 Creating, Reading, Updating and Deleting AAA clients 4-1[...]
Page 6
Contents vi Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Step 6: Enable Agentless Request Processing 6-18 Create a New NAP 6-18 Enable Agentless Request Processing for a NAP 6-20 Configure MAB 6-21 Step 7: Configure Logging and Reports 6-23 Configuring Reports for MAB Processing 6-23 Configuration Steps for Audit Server Support 6-24 [...]
Page 7
Contents vii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Install the CA Certificate 9-7 Install the ACS Certificate 9-8 Set Up Global Configuration 9-8 Set Up Global Authentication 9-9 Set Up EAP-FAST Configuration 9-12 Configure the Logging Level 9-14 Configure Logs and Reports 9-14 Step 4: Set Up Administration Control 9-17 Add Remo[...]
Page 8
Contents viii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Profile Setup 9-56 Protocols Policy 9-58 Authorization Policy 9-59 Sample Posture Validation Rule 9-60 Sample Wireless (NAC L2 802.1x) Template 9-60 Profile Setup 9-61 Protocols Policy 9-63 Authorization Policy 9-64 Sample Posture Validation Rule 9-65 Using a Sample Agentless H[...]
Page 9
ix Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Audience This guide is for security administrators who use Cisco Secure Access Control Server (ACS), and who set up and maintain network and application security. Organization This document contains: • Chapter 1, “Overview of ACS Configuration”—Provides an overvi[...]
Page 10
x Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Conventions This document uses the following conventions: Tip Identifies information to help you get the most benefit from your product. Note Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful sugg[...]
Page 11
xi Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Table 1 ACS 4.2 Documentation Document Title Available Formats Documentation Guide for Cisco Secure ACS Release 4.2 • Shipped with product. • PDF on the product CD-ROM. • On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_fo[...]
Page 12
xii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Notices Related Documentation Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates. A set of white papers about ACS are available on Cisco.com at: [...]
Page 13
xiii Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Notices OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes so[...]
Page 14
xiv Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Preface Notices Original SSLeay License: Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is[...]
Page 15
CHAPTER 1-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 1 Overview of ACS Configuration This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps. Note If you are configuring ACS to work with Microso[...]
Page 16
1-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Summary of Configuration Steps b. For each administrator, specify administrator privileges. c. As needed, configure the following optional administrative policies: – Access Policy—Specify IP address limitations, HTTP port restrictions, [...]
Page 17
1-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Summary of Configuration Steps – By using database synchronization – By using database replication For detailed instructions, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using[...]
Page 18
1-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Summary of Configuration Steps Step 14 Set Up Network Access Profiles. If required, set up Network Access Profiles. Step 15 Configure Logs and Reports. Configure reports to specify how ACS logs data. You can also view the logs in HTML re[...]
Page 19
1-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Configuration Flowchart Configuration Flowchart Figure 1-1 is a configuration flow chart that shows the main steps in ACS configuration. Figure 1-1 ACS Configuration Flowchart Refer to the list of steps in Summary of Configuration Steps, p[...]
Page 20
1-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 1 Overview of ACS Configuration Configuration Flowchart[...]
Page 21
CHAPTER 2-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 2 Deploy the Access Control Servers This chapter discusses topics that you should consider before deploying Cisco Secure Access Control Server, hereafter referred to as ACS. This document does not describe the software installation procedure for ACS or the hardware[...]
Page 22
2-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture This section discusses: • Access types—How users will access the network (through wireless access, LAN access through switches, and so on) and the security protocols used to control user access; [...]
Page 23
2-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture • EAP-TLS—Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS uses the TLS protocol (RFC 2246), which is the latest version of the Secure Socket Layer (SSL) protocol fr[...]
Page 24
2-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-2 ACS in a Campus LAN Figure 2-2 shows a possible distribution of ACS in a wired campus LAN. In this campus LAN, buildings are grouped into three segments. Each segment consists of 1 to[...]
Page 25
2-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-3 ACS in a Geographically Dispersed LAN Wireless Access Topology A wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into[...]
Page 26
2-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-4 Simple WLAN Campus WLAN In a WLAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy ACS become more complex. Depending on[...]
Page 27
2-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-5 Campus WLAN Regional WLAN Setting In a given geographical or organizational region, the total number of users might or might not reach a critical level for a single ACS. Small offices[...]
Page 28
2-8 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-6 shows a regional WLAN. Figure 2-6 ACS in a Regional WLAN Large Enterprise WLAN Setting In a very large geographically dispersed network (over 50,000 users), access servers might be locate[...]
Page 29
2-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-7 shows ACS installations in a geographically dispersed network that contains many WLANs. Figure 2-7 ACS in a Geographically Dispersed WLAN For the model in Figure 2-7, the location of A[...]
Page 30
2-10 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining the Deployment Architecture Figure 2-8 Small Dial-up Network Large Dial-Up Network Access In a larger dial-in environment, a single ACS with a backup may be suitable, too. The suitability of this configuration depends on ne[...]
Page 31
2-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining How Many ACSs to Deploy (Scalability) Placement of the RADIUS Server From a practical standpoint, the RADIUS server should be inside the general network, preferably within a secure subnet designated for servers, such as DHCP, Do[...]
Page 32
2-12 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Determining How Many ACSs to Deploy (Scalability) The size of the LAN or WLAN is determined by the number of users who use the LAN or WLAN: For a detailed formula, see the white paper Deploying Cisco Secure ACS for Windows in Cisco Air[...]
Page 33
2-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Deploying ACS Servers to Support Server Failover only create an 80-percent load on the other ACS for the duration of the outage. If the WAN is not suitable for authentication connections, we recommend using two or more ACSs on the LAN i[...]
Page 34
2-14 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Deploying ACS Servers to Support Server Failover • Client configuration—How to configure the client. • Reports and event (error) handling—What information to include in the logs. Replication Design Because database replicatio[...]
Page 35
2-15 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Deploying ACS in a NAC/NAP Environment Deploying ACS in a NAC/NAP Environment You can deploy ACS in a Cisco Network Admission Control and Microsoft Network Access Protection (NAC/NAP) environment. In the NAC/NAP environment, NAP [...]
Page 36
2-16 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics Figure 2-11 illustrates the architecture of a NAC/NAP network. Figure 2-11 NAC/NAP Deployment Architecture Additional Topics This section describes additional topics to consider when deploying ACS. This section co[...]
Page 37
2-17 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics access, other decisions can also affect how ACS is deployed; these include specific network routing (access lists), time-of-day access, individual restrictions on AAA client access, access control lists (ACLs), and so [...]
Page 38
2-18 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics A small network with a small number of network devices may require only one or two individuals to administer it. Local authentication on the device is usually sufficient. If you require more granular control than wh[...]
Page 39
2-19 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics Conversely, if a general user attempts to use his or her remote access to log in to a network device, ACS checks and approves the username and password; but, the authorization process would fail because that user would [...]
Page 40
2-20 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 2 Deploy the Access Control Servers Additional Topics[...]
Page 41
CHAPTER 3-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 3 Configuring New Features in ACS 4.2 This chapter describes how to configure several new features provided with ACS 4.2. For information on new features that accompany both ACS for Windows and the ACS SE, see: • New Global EAP-FAST Configuration Options, page 3-[...]
Page 42
3-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 New Global EAP-FAST Configuration Options Figure 3-1 New Global EAP-FAST Configuration Options Table 3-1 describes the new EAP-FAST settings. Table 3-1 New EAP-FAST Global Configuration Settings with Release 4.2 Option Desc[...]
Page 43
3-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Disabling of EAP-FAST PAC Processing in Network Access Profiles Disabling of EAP-FAST PAC Processing in Network Access Profiles In the Protocols section for Network Access Profile (NAP) configuration, you can now set up a NAP that causes [...]
Page 44
3-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Disabling NetBIOS Figure 3-2 shows the new options on the NAP Protocols page. Disabling NetBIOS Because disabling NetBIOS might be desirable in some cases, you can run ACS 4.2 with NetBIOS disabled. ACS SE 4.2 runs on a customized versi[...]
Page 45
3-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Configuring ACS 4.2 Enhanced Logging Features To disable NetBIOS over TCP/IP in Windows 2000, XP, or 2003: Step 1 Right-click My Network Places and choose Properties. Step 2 Right-click the appropriate Local Area Connection icon, a[...]
Page 46
3-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Configuring Group Filtering at the NAP Level Configuring Group Filtering at the NAP Level You can use ACS 4.2 to grant and deny access to users who are authenticated through a LDAP database based on the LDAP group to which the users b[...]
Page 47
3-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Option to Not Log or Store Dynamic Users Option to Not Log or Store Dynamic Users When ACS authenticates users by using external databases, such as Active Directory or LDAP, and a user is successfully authenticated with the external [...]
Page 48
3-8 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE In previous releases, ACS SE devices could only send syslog messages using the local time that is set on the ACS device. With release 4.2, you can configure the ACS SE to send syslog messages by using the lo[...]
Page 49
3-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-5 External User Databases Page (ACS SE) Step 3 Click RSA SecureID Token Server. The Database Configuration Creation page appears. Step 4 Click Create New Configuration. The Create a New External Da[...]
Page 50
3-10 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-7 Cisco Secure ACS to RSA SecurID Configuration Page Step 9 On the Cisco Secure ACS to RSA SecurID Configuration page, enter the information shown in Table 3-3 Step 10 Click Submit. Purging the [...]
Page 51
3-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE The External User Database Configuration page opens. Step 4 Click Configure. The Cisco Secure ACS to RSA SecurID Configuration page opens. Step 5 Click Purge Node Secret. Configuring RSA SecurID Token and LDAP[...]
Page 52
3-12 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Figure 3-8 RSA SecurID Token and LDAP Group Mapping Configuration Page Step 7 If you do not want ACS to filter LDAP authentication requests by username, under Domain Filtering, choose Process all user n[...]
Page 53
3-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Step 8 If you want to limit authentications processed by this LDAP configuration to usernames with a specific domain qualification: Note For information about domain filtering, see “Domain Filtering” in ch[...]
Page 54
3-14 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote (“), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). A[...]
Page 55
3-15 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 RSA Support on the ACS SE b. In the Port box, type the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information b[...]
Page 56
3-16 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 3 Configuring New Features in ACS 4.2 Turning Ping On and Off Note ACS saves the generic LDAP configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. Turning Ping On and O[...]
Page 57
CHAPTER 4-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration This chapter describes how to configure ACS 4.2 to enable new RDBMS Synchronization features introduced with ACS 4.2. For detailed information on RDBMS Synchronization, see “RDBMS Synchro[...]
Page 58
4-2 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs • Remote Invocation of the CSDBSync Service on the ACS Solution Engine—With ACS 4.2, you can run the CSDBSync service on a remote ACS SE, [...]
Page 59
4-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Example 4-1 shows a sample text file. Example 4-1 Sample Text File for Creating a dACL [DACL#1] Name = DACL_For_Troy Description = Test_DACL_For_A[...]
Page 60
4-4 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 3: Code an accountActions File to Create the dACL and Associate a User or Group with the dACL To create an AccountActions CSV file to crea[...]
Page 61
4-5 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Table 4-2 describes the accountActions codes used in Example 4-2 to add a User, create a dACL, and associate the dACL with a specified User or [...]
Page 62
4-6 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Figure 4-1 RDBMS Synchronization Setup Page (ACS for Windows) b. Check the Use local CSV file check box. c. In the AccountActions file field,[...]
Page 63
4-7 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs • Password—The password for the username provided in the Login box. The ACS SE has the information necessary to get the accountActions file f[...]
Page 64
4-8 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 7 For each ACS that you want this ACS to update with data from the accountActions table, click the ACS in the AAA Servers list, and then cli[...]
Page 65
4-9 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs ACS fetches the CSV file from the database, reads the action codes in the file, and performs the RDBMS Synchronization operations that the file spe[...]
Page 66
4-10 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs The Downloadable IP ACLs page displays the selected dACL, as shown in Figure 4-4. Figure 4-4 Entry for the Sample dACL In the ACL Contents col[...]
Page 67
4-11 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Configure dACLs Step 5 If the dACL was not created correctly, review the steps in Using RDBMS Synchronization to Configure dACLs, page 4-2 and check for errors. [...]
Page 68
4-12 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Reading, Updating, and Deleting dACLs Reading, Updating, and Deleting dACLs Table 4-4 lists the account action codes that you can use to read, update, or delete a dACL. Failed to import DACL [...]
Page 69
4-13 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Reading, Updating, and Deleting dACLs. Table 4-4 Account Action Codes for Creating, Reading, Updating, or Deleting dACLs Action Code Name Required Description 386 READ_DACL VN, V1 (optio[...]
Page 70
4-14 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Updating or Deleting dACL Associations with Users or Groups Updating or Deleting dACL Associations with Users or Groups Table 4-5 lists the account action codes to update the dACL or remove t[...]
Page 71
4-15 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Specify Network Configuration Creating, Reading, Updating and Deleting AAA clients The RDBMS Synchronization feature supports creation and deletion of single or [...]
Page 72
4-16 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 4 Using RDBMS Synchronization to Create dACLs and Specify Network Configuration Using RDBMS Synchronization to Specify Network Configuration[...]
-
Pagina 73
CH A P T E R 5-1 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 5 Password Policy Conf iguration Scenario Cisco Secure A CS, hereafter referred to as A CS, provides n ew passw ord features to support co rporate requirements mandated by the Sarb anes-Oxley Act of 2002. Sarbanes -Ox ley (SO X ) requires stri cter enforcement of password res[...]
-
Pagina 74
5-2 Configuration Guid e for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Summary of Configuration Steps Summary of Configuration Steps T o conf igure password policy in A CS: Step 1 Add a ne w administrator account. Add a ne w administrator account, specify the admin istrator name and password, and grant access[...]
-
Pagina 75
5-3 Configuration Guide for Cisco Secure ACS 4.2 OL-14390-02 Chapter 5 Password Policy Configuration Scenario Step 1: Add and Edit a N ew Administrator Account Figur e 5-1 Administr ation Control P age The Administration Co ntrol page initially l ists no administrators. If administrato rs hav e been confi gured, the page lists the conf igured admin[...]
Page 76
5-4 Step 2: Configure Password Policy
Step 4 Click Grant All or Revoke All to globally add or remove all privileges.
Step 5 If you want to grant specific privileges to the administrator, check the check boxes that correspond to the pr[...]
Page 77
5-5 Step 2: Configure Password Policy
Figure 5-2 The Administrator Password Policy Setup Page[...]
Page 78
5-6 Step 2: Configure Password Policy
Step 2 On the Password Policy Setup Page, specify:
• Password Validation Options. See Specify Password Validation Options, page 5-6.
• Password Lifetime Options. See Specify Password Lifetime [...]
Page 79
5-7 Step 3: Configure Session Policy
Specify Password Inactivity Options
In the Password Inactivity Options section, configure:
• The password will require change after n days—Following the last account activity, if enabled, n [...]
Page 80
5-8 Step 3: Configure Session Policy
Figure 5-3 The Session Policy Setup Page
Step 2 On the Session Policy Setup page, set session options as required. You can specify:
• Session idle timeout (minutes)—Specifies the time, in minu[...]
Page 81
5-9 Step 4: Configure Access Policy
Step 4: Configure Access Policy
This section describes how to configure administrative access policy.
Before You Begin
If you want to enable the SSL for administrator access, you must have completed th[...]
Page 82
5-10 Step 4: Configure Access Policy
Figure 5-4 Access Policy Setup Page
Step 3 Click the appropriate IP Address Filtering option.
Table 5-1 Access Policy Options
Option | Description
IP Address Filtering | Allow all IP addresses to con[...]
Page 83
5-11 Step 4: Configure Access Policy
Reject connections from listed IP addresses | Restricts remote access to the web interface to IP addresses outside of the specified IP Address Ranges. IP filtering operates on the IP address received in an H[...]
Page 84
5-12 Viewing Administrator Entitlement Reports
Step 4 Type the appropriate IP address ranges in accordance with the IP Address Filtering option.
Step 5 Click the appropriate HTTP Port Allocation option to allow all ports or restrict acce[...]
Page 85
5-13 Viewing Administrator Entitlement Reports
View Privilege Reports
To view privilege reports:
Step 1 In the navigation bar, click Reports and Activity. The Reports page opens.
Step 2 Click Entitlement Reports. A list of the availab[...]
Page 86
5-14 Viewing Administrator Entitlement Reports[...]
Page 87
6-1 Chapter 6 Agentless Host Support Configuration Scenario
This chapter describes how to configure the agentless host feature in Cisco Secure Access Control Server, hereafter referred to as ACS.
Note The procedure in this chapter describes how to configure agentless host suppo[...]
Page 88
6-2 Overview of Agentless Host Support
3. If you configure ACS for MAB, it searches the authentication database for the host's MAC address. The database can be:
– ACS internal
– LDAP (if you configure LDAP)
4. During t[...]
Page 89
6-3 Summary of Configuration Steps
GAME group feedback provides an added security check for MAC address authentication by checking the device type categorization that ACS determines by associating a MAC address with a user group ag[...]
Page 90
6-4 Basic Configuration Steps for Agentless Host Support
Step 7 Configure logging and reports. Add the Bypass Info attribute to the Passed Authentications and Failed Attempts reports. See Step 7: Configure Logging and Reports, [...]
Page 91
6-5 Basic Configuration Steps for Agentless Host Support
where IP_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS.
Step 2: Configure a RADIUS AAA Client
Before y[...]
Page 92
6-6 Basic Configuration Steps for Agentless Host Support
Figure 6-2 Add AAA Client Page
Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 alphanumeric characters).
Step 4 In the AAA Clien[...]
Page 93
6-7 Basic Configuration Steps for Agentless Host Support
The steps in this section are required to enable posture validation, which is used in Network Access Profiles.
Obtain Certificates and Copy Them to the ACS Host
To copy a cer[...]
Page 94
6-8 Basic Configuration Steps for Agentless Host Support
Step 4 Select Install Certificate. The Windows Certificate Import wizard starts.
Step 5 To install the certificate, follow the instructions that the wizard displays.
Ste[...]
Page 95
6-9 Basic Configuration Steps for Agentless Host Support
Step 11 Do not restart the services at this time. Restart the services later, after you have completed the steps for adding a trusted certificate. See Add a Trusted Certific[...]
Page 96
6-10 Basic Configuration Steps for Agentless Host Support
Step 4: Configure LDAP Support for MAB
You can configure the ACS internal database to manage MAB used with the agentless host feature; however, if you have a large num[...]
Page 97
6-11 Basic Configuration Steps for Agentless Host Support
macAddress: 11-22-33-44-55-66
cn: user11-wxp.emea.mycorp.com
dn: cn=Group_1_colon,ou=MAC Groups, ou=MAB Segment, o=mycorp
objectClass: top
objectClass: groupofuniquenames
descrip[...]
Page 98
6-12 Basic Configuration Steps for Agentless Host Support
How the Subtrees Work
The sample LDAP schema in Example 6-1 contains code to define two subtrees:
dn: ou=MAC Addresses, ou=MAB Segment, o=mycorp
ou: MAC Addresses
objectClas[...]
Page 99
6-13 Basic Configuration Steps for Agentless Host Support
Table 6-1 describes the attributes of the sample LDAP groups.
Create One or More LDAP Database Configurations in ACS
After you have configured one or more LDAP databases[...]
Page 100
6-14 Basic Configuration Steps for Agentless Host Support
• Common LDAP Configuration—Configure the settings in this section to specify how ACS queries the LDAP database.
• Primary LDAP Server—Configure the settings [...]
Page 101
6-15 Basic Configuration Steps for Agentless Host Support
• UserObjectClass—The value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribu[...]
Page 102
6-16 Basic Configuration Steps for Agentless Host Support
Figure 6-7 LDAP Server Configuration Sections
a. For the primary LDAP server specify:
– Hostname—The name or IP address of the server that is running the LDAP soft[...]
Page 103
6-17 Basic Configuration Steps for Agentless Host Support
For detailed information on this field, refer to the "LDAP Configuration Options" section in Chapter 12 of the User Guide for Cisco Secure Access Control Server, [...]
Page 104
6-18 Basic Configuration Steps for Agentless Host Support
Before you assign the user groups, plan how to configure the user groups. For example, users associated with the user group can:
• Be denied access to the network
• B[...]
Page 105
6-19 Basic Configuration Steps for Agentless Host Support
The Profile Setup page opens, shown in Figure 6-9.
Figure 6-9 Profile Setup Page
Step 3 In the Name text box, enter the name of the NAP.
Step 4 If you have set up net[...]
Page 106
6-20 Basic Configuration Steps for Agentless Host Support
Figure 6-10 Edit Network Access Protocols Page
You are now ready to enable agentless request processing.
Enable Agentless Request Processing for a NAP
To enable agen[...]
Page 107
6-21 Basic Configuration Steps for Agentless Host Support
You are now ready to configure MAB settings.
Configure MAB
To configure MAB:
Step 1 In the Edit Network Access Profiles page, click Authentication. The Authentica[...]
Page 108
6-22 Basic Configuration Steps for Agentless Host Support
Step 3 If you specified an LDAP database in the Credential Validation Databases section, click LDAP Server and then select a LDAP database that you configured on the[...]
Page 109
6-23 Basic Configuration Steps for Agentless Host Support
Step 7: Configure Logging and Reports
By default, the following information about MAB processing is logged to the CSAuth log file:
• The start of MAB request handling and w[...]
Page 110
6-24 Configuration Steps for Audit Server Support
Step 4 Repeat Step 3 for additional report types as required.
Step 5 Repeat Steps 3 and 4 for the Failed Attempts report.
Configuration Steps for Audit Server Support
If you are us[...]
Page 111
7-1 Chapter 7 PEAP/EAP-TLS Configuration Scenario
You can select EAP-TLS as an inner method that is used within the tunnel that ACS establishes for PEAP authentication. If you select EAP-TLS, ACS can use it not only to encrypt the initial data sent through the PEAP protocol; but,[...]
Page 112
7-2 Step 1: Configure Security Certificates
Obtain Certificates and Copy Them to the ACS Host
To use EAP-TLS, you must obtain and install security certificates.
To copy a certificate to the ACS host:
Step 1 Obtain a security certificat[...]
Page 113
7-3 Step 1: Configure Security Certificates
Step 4 Select Install Certificate. The Windows Certificate Import wizard starts.
Step 5 To install the certificate, follow the instructions that the wizard displays.
Step 6 Accept the default o[...]
Page 114
7-4 Step 1: Configure Security Certificates
Step 10 ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services.
Step 11 Do not restart the services at this time. Restart the se[...]
Page 115
7-5 Step 2: Configure Global Authentication Settings
Step 3 Click Submit.
Step 4 To restart ACS, choose System Configuration > Service Control, and then click Restart.
Step 2: Configure Global Authentication Settings
T[...]
Page 116
7-6 Step 3: Specify EAP-TLS Options
Step 3 Specify the protocols to use with the PEAP protocol. They are:
• EAP_MSCHAP2
• EAP-GTC
Step 4 If you want to enable posture validation on this ACS installation, check the Enable Posture Validat[...]
Page 117
8-1 Chapter 8 Syslog Logging Configuration Scenario
Overview
ACS provides a system logging (syslog) feature. With the addition of this feature, all AAA reports and audit report messages can be sent to up to two syslog servers.
Configuring Syslog Logging
To configure ACS to gener[...]
Page 118
8-2 Configuring Syslog Logging
Figure 8-1 Logging Configuration Page
Step 3 To enable a syslog report, on the Logging Configuration page, click the Configure link in the syslog column, in the row for each report that you want to gener[...]
Page 119
8-3 Configuring Syslog Logging
Figure 8-2 Enable Logging Page
Step 4 Check the check box for logging the specified information to syslog. For example, in Figure 8-2, check the Log to Syslog Failed Attempts Report check box. In the Select[...]
Page 120
8-4 Format of Syslog Messages in ACS Reports
Step 6 Click Submit.
Step 7 Repeat the process for any additional reports for which you want to enable syslog reporting.
Format of Syslog Messages in ACS Reports
Syslog messages included in ACS[...]
Page 121
8-5 Format of Syslog Messages in ACS Reports
All ACS syslog messages use a severity value of 6 (informational). For example, if the facility value is 13 and the severity value is 6, the Priority value is 110 ((8 x 13) + 6). The Prior[...]
Page 122
8-6 Format of Syslog Messages in ACS Reports[...]
Page 123
9-1 Chapter 9 NAC Configuration Scenario
This chapter describes how to set up Cisco Secure Access Control Server 4.2, hereafter referred to as ACS, to work in a Cisco Network Admission Control environment. This chapter contains the following sections:
• Step 1: Install ACS, p[...]
Page 124
9-2 Step 2: Perform Network Configuration Tasks
To install ACS:
Step 1 Start the ACS installation: If you are installing ACS for Windows:
a. Using a local administrator account, log in to the computer on which you want to install ACS.
b. Inser[...]
Page 125
9-3 Step 2: Perform Network Configuration Tasks
Step 2 Do one of the following:
• If you are using Network Device Groups (NDGs), click the name of the NDG to which you want to assign the AAA client. Then, click Add Entry below the AAA Clients tab[...]
Page 126
9-4 Step 2: Perform Network Configuration Tasks
Step 5 In the Shared Secret box, type a shared secret key for the AAA client. The shared secret is a string that you determine; for example, mynet123. The shared secret must be identical on the AAA c[...]
Page 127
9-5 Step 3: Set Up System Configuration
Step 2 In the AAA Servers table, click the name of the AAA server in the AAA Server Name column. The AAA Server Setup page opens, shown in Figure 9-2.
Figure 9-2 AAA Server Setup Page
Step 3 In the Key fi[...]
Page 128
9-6 Step 3: Set Up System Configuration
Obtain Certificates and Copy Them to the ACS Host
To copy a certificate to the ACS host:
Step 1 Obtain a security certificate.
Step 2 Create a certs directory on the ACS server.
a. Open a DOS command windo[...]
Page 129
9-7 Step 3: Set Up System Configuration
Edit the Certificate Trust List
After you set up the ACS certification authority, you must add the CA certificate to the ACS Certificate Trust list.
To add the certificate to the Certificate Trust list:
Ste[...]
Page 130
9-8 Step 3: Set Up System Configuration
Install the ACS Certificate
To enable security certificates on the ACS installation:
Step 1 In the navigation bar, click System Configuration. The System Configuration page opens.
Step 2 Click ACS Cert[...]
Page 131
9-9 Step 3: Set Up System Configuration
Set Up Global Authentication
In the global authentication setup, you specify the protocols that ACS uses to transfer credentials from the host for authentication and authorization. Unless you have a limited depl[...]
Page 132
9-10 Step 3: Set Up System Configuration
Figure 9-6 Global Authentication Setup Page[...]
Page 133
9-11 Step 3: Set Up System Configuration
Step 3 To make the PEAP global authentication parameters available in the NAP configuration, check the check boxes for:
• Allow EAP-MSCHAPv2. EAP-MSCHAP is a variation of the Microsoft Challenge and Res[...]
Page 134
9-12 Step 3: Set Up System Configuration
Set Up EAP-FAST Configuration
To configure ACS to work with NAC and use EAP-FAST with posture validation:
Step 1 In the navigation bar, click System Configuration. The System Configuration page opens. [...]
Page 135
9-13 Step 3: Set Up System Configuration
Figure 9-8 EAP-FAST Configuration Page
Step 4 Check the Allow EAP-FAST check box.
Step 5 In the Client Initial Message text box, enter a message; for example, Welcome.
Step 6 In the Authority ID Info fie[...]
Page 136
9-14 Step 3: Set Up System Configuration
Step 8 Check the Accept client on authenticated provisioning and Require client certificate for provisioning check boxes.
Step 9 Check the check boxes for the EAP-GTC, EAP-MSCHAPv2, and EAP-TLS inner methods.[...]
Page 137
9-15 Step 3: Set Up System Configuration
To enable the Passed Authentications report:
Step 1 In the navigation bar, click System Configuration. The System Configuration page opens.
Step 2 Click Logging. The Logging Configuration page opens. The [...]
Page 138
9-16 Step 3: Set Up System Configuration
Step 4 Move the attributes that you want to log from the Attributes list to the Logged Attributes list. Some useful attributes to log are:
• Message-Type
• User-Name
• Caller-ID
• NAS-Port
• NAS-IP-Add[...]
Page 139
9-17 Step 4: Set Up Administration Control
• Acct-Input-Octets
• Acct-Output-Octets
• Acct-Input-Packets
• Acct-Output-Packets
• Framed-IP-Address
• NAS-Port
• NAS-IP-Address
• Class
• Termination-Action
• Called-Station-Id
• Acc[...]
Page 140
9-18 Step 4: Set Up Administration Control
Figure 9-10 Add Administrator Page[...]
Page 141
9-19 Step 4: Set Up Administration Control
Step 3 In the Administrator Details area, specify the following information:
Step 4 Click Grant All. This grants all privileges to the new administrator; or, specifies to which groups or actions this admi[...]
Page 142
9-20 Step 5: Set Up Shared Profile Components
Step 5 Click Submit.
After performing these steps, from a remote host, you can open a browser in which to administer ACS. The URLs for remote access are:
• http://IP_address:2002
• http://hostname:[...]
Page 143
9-21 Step 5: Set Up Shared Profile Components
Figure 9-11 Edit Network Access Filtering Page
Step 4 In the Name text box, enter a name for the network access filter.
Step 5 Move any devices or device groups to the Selected Items list. To mo[...]
Page 144
9-22 Step 5: Set Up Shared Profile Components
To enable dACLs and NAFs, which are required to create NAPs:
• Add a new posture ACL.
• Add ACE entries for the ACL.
• Save the posture ACL.
Note These ACLs are referred to as posture ACLs [...]
Page 145
9-23 Step 5: Set Up Shared Profile Components
Figure 9-13 Downloadable IP ACLs Page
Step 3 On the Downloadable IP ACLs page, enter a Name and optional Description for the ACL, as shown in Figure 9-13.
Note Do not use spaces in the name of the ACL.[...]
Page 146
9-24 Step 5: Set Up Shared Profile Components
Figure 9-14 Downloadable IP ACL Content Page
Step 2 In the Name text box, type the ACL name.
Step 3 In the ACL Definitions input box, type definitions for the ACL. ACL definitions consist of a serie[...]
Page 147
9-25 Step 5: Set Up Shared Profile Components
Figure 9-15 Downloadable ACL Contents List with New Content
Step 5 From the drop-down list in the Network Access Filtering column of the ACL Contents table, choose the correct NAF for this ACL. You ca[...]
Page 148
9-26 Step 5: Set Up Shared Profile Components
The sample RACs are:
• Cisco_FullAccess—Provides full access to the Cisco network. You use this RAC to grant access to clients that qualify as healthy.
• Cisco_Restricted—Provides restricted a[...]
Page 149
9-27 Step 5: Set Up Shared Profile Components
Figure 9-17 RAC Attribute Add/Edit Page
b. In the Value field for the attribute, enter an appropriate value. Each attribute has specific value types based on how the attribute is defined. For ex[...]
Page 150
9-28 Step 5: Set Up Shared Profile Components
Figure 9-18 Attribute Selection for the Cisco_FullAccess RAC[...]
Page 151
9-29 Step 5: Set Up Shared Profile Components
Figure 9-19 Attribute Selection for the Cisco_Restricted RAC
To enable VLAN assignment, the sample RACs include the following RADIUS attributes:
• Session-Timeout (attribute 27)—Enables a sessi[...]
Page 152
9-30 Step 5: Set Up Shared Profile Components
• Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an 802 protocol. In the NAC/NAP environment, this[...]
Page 153
9-31 Step 6: Configure an External Posture Validation Audit Server
Step 6: Configure an External Posture Validation Audit Server
A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture[...]
Page 154
9-32 Step 6: Configure an External Posture Validation Audit Server
Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned number that is the first section of the posture token attribute name, [vendor]:6:
Step 2 To insta[...]
Page 155
9-33 Step 6: Configure an External Posture Validation Audit Server
Figure 9-20 External Posture Validation Audit Server Setup Page
Step 3 To configure the audit server:
a. Enter a Name and Description (optional).
b. In the Which Hosts Are A[...]
Page 156
9-34 Step 6: Configure an External Posture Validation Audit Server
Figure 9-21 Use These Audit Servers Section
e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password. Fig[...]
Page 157
9-35 Step 7: Configure Posture Validation for NAC
Figure 9-22 Audit Flow Settings and GAME Group Feedback Sections
f. If required, in the Audit Flow Setting section, set the audit-flow parameters.
g. If you are configuring GAME group feedback to su[...]
Page 158
9-36 Step 7: Configure Posture Validation for NAC
To create an internal posture validation policy:
Step 1 In the navigation bar, click Posture Validation. The Posture Validation Components Setup page opens.
Step 2 Click Internal Posture Valid[...]
Page 159
9-37 Step 7: Configure Posture Validation for NAC
Figure 9-24 Edit Posture Validation Rule Page
b. Click Add Condition Set.
c. The Add/Edit Condition page appears, as shown in Figure 9-25.
Figure 9-25 Add/Edit Condition Page
d. From the Attrib[...]
Page 160
9-38 Step 7: Configure Posture Validation for NAC
g. Click Enter. The specified rule appears in the Add/Edit Condition page, as shown in Figure 9-25.
h. Enter additional conditions as required.
i. Click Submit.
j. Click Apply and Restart to apply the [...]
Page 161
9-39 Step 7: Configure Posture Validation for NAC
Figure 9-27 Add/Edit External Posture Validation Server Page
Step 4 Enter a Name and Description (optional).
Step 5 Enter the server details, URL, User, Password, Timeout, and certificate (if [...]
Page 162
9-40 Step 7: Configure Posture Validation for NAC
Configure an External Posture Validation Audit Server
A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture validation of the agen[...]
Page 163
9-41 Step 7: Configure Posture Validation for NAC
Configure the External Posture Validation Audit Server
You can configure an audit server once, and then use it for other profiles.
To configure an audit server:
Step 1 In the Posture Validation Compon[...]
Page 164
9-42 Step 7: Configure Posture Validation for NAC
Figure 9-29 Use These Audit Servers Section
e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password. Figure 9-30 shows [...]
Page 165
9-43 Step 7: Configure Posture Validation for NAC
Figure 9-30 Audit Flow Settings and GAME Group Feedback Sections
f. If required, in the Audit Flow Setting section, set the audit-flow parameters.
g. If you are configuring GAME group feedback to su[...]
Page 166
9-44 Step 8: Set Up Templates to Create NAPs
Step 8: Set Up Templates to Create NAPs
ACS 4.1 provides several profile templates that you can use to configure common usable profiles. In NAC-enabled networks, you can use these predefined profile tem[...]
Page 167
9-45 Step 8: Set Up Templates to Create NAPs
Figure 9-31 Create Profile From Template Page
Step 4 Enter a Name and Description (optional).
Step 5 From the Template drop-down list, choose NAC L3 IP.
Step 6 Check the Active check box.
Step 7 [...]
Page 168
9-46 Step 8: Set Up Templates to Create NAPs
Figure 9-32 Profile Setup Page for Layer 3 NAC Template
The default settings for the profile are:
• Any appears in the Network Access Filter field, which means that this profile has no IP filter.[...]
Page 169
9-47 Step 8: Set Up Templates to Create NAPs
These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edi[...]
Page 170
9-48 Step 8: Set Up Templates to Create NAPs
Authentication Policy
To configure authentication policy:
Step 1 In the navigation bar, select Network Access Profiles.
Step 2 Choose the Authentication link from the Policies column. The Authenticati[...]
9-49 Step 8: Set Up Templates to Create NAPs. c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group. Sample Posture Validation Rule. Figure 9-3[...]
9-50 Step 8: Set Up Templates to Create NAPs. Step 6 Click Submit. If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts and the Profile Setup page for the NAC Layer 2 template appears. The predefined values[...]
9-51 Step 8: Set Up Templates to Create NAPs. Figure 9-36 Profile Setup Page for NAC Layer 2 Template. The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP filter.[...]
9-52 Step 8: Set Up Templates to Create NAPs. This template automatically sets Advanced Filtering and Authentication properties with NAC Layer 2 IP Configuration. ACS and Attribute-Value Pairs. When you enable NAC Layer 2 IP validation, ACS provides[...]
9-53 Step 8: Set Up Templates to Create NAPs. If you configure the default ACL on the switch and the ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host that is connected to a switch port. If the po[...]
9-54 Step 8: Set Up Templates to Create NAPs. Authentication Policy. To set the authentication policy: Step 1 In the navigation bar, click Network Access Profiles. Step 2 Choose the Authentication link from the Policies column. The Authentication Set[...]
9-55 Step 8: Set Up Templates to Create NAPs. c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group. Sample Posture Validation Rule. Figure 9-3[...]
9-56 Step 8: Set Up Templates to Create NAPs. Figure 9-40 Create Profile From Template Page. Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose NAC L2 802.1x. Step 5 Check the Active check box. Step[...]
9-57 Step 8: Set Up Templates to Create NAPs. Figure 9-41 Profile Setup Page for NAC Layer 2 802.1x Template. The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no IP fil[...]
9-58 Step 8: Set Up Templates to Create NAPs. Protocols Policy. Figure 9-42 shows the Protocols settings for the NAC Layer 2 802.1x template. Figure 9-42 Protocols Setting for NAC Layer 802.1x Template. In the EAP Configuration section, Posture V[...]
9-59 Step 8: Set Up Templates to Create NAPs. Authorization Policy. To configure an authorization policy for the NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authorization link from the Policies column. The [...]
9-60 Step 8: Set Up Templates to Create NAPs. Sample Posture Validation Rule. Figure 9-44 shows the sample posture validation policy provided with the NAC Layer 2 802.1x template. Figure 9-44 Sample Posture Validation Policy for NAC Layer 2 8[...]
9-61 Step 8: Set Up Templates to Create NAPs. Figure 9-45 Create Profile From Template Page. Step 3 Enter a Name and Description (optional). Step 4 From the Template drop-down list, choose Wireless (NAC L2 802.1x). Step 5 Check the Active che[...]
9-62 Step 8: Set Up Templates to Create NAPs. Figure 9-46 Profile Setup Page for Wireless (NAC L2 802.1x) Template. The default settings for the profile are: • Any appears in the Network Access Filter field, which means that this profile has no [...]
9-63 Step 8: Set Up Templates to Create NAPs. These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute’s rules. You can change the advanced filter, and add, remove, or edi[...]
9-64 Step 8: Set Up Templates to Create NAPs. Authorization Policy. To configure an authorization policy for the Wireless NAC Layer 2 802.1x template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authorization link from the Policies co[...]
9-65 Step 8: Set Up Templates to Create NAPs. Sample Posture Validation Rule. Figure 9-49 shows the sample posture validation policy provided with the Wireless (NAC L2 802.1x) template. Figure 9-49 Sample Posture Validation Policy for Wireless [...]
9-66 Step 8: Set Up Templates to Create NAPs. To create an agentless host for Layer 3 profile template: Step 1 In the navigation bar, click Network Access Profiles. The Network Access Profiles page opens. Step 2 Click Add Template Profile. The [...]
9-67 Step 8: Set Up Templates to Create NAPs. Profile Setup. To use the Profile Setup settings from the template: Step 1 Go to Network Access Profiles. Step 2 Choose the profile that you created. Step 3 The Profile Setup page appears, as shown in Figu[...]
9-68 Step 8: Set Up Templates to Create NAPs. • You can click the Allow Selected Protocol types option to specify a protocol type for filtering. • Two rules are configured in Advanced Filtering: [026/009/001]Cisco-av-pair = aaa:service=ip adm[...]
9-69 Step 9: Map Posture Validation Components to Profiles. Authentication Policy. To configure an authentication policy for the Agentless Host for Layer 3 template: Step 1 Go to Network Access Profiles. Step 2 Choose the Authentication link from[...]
9-70 Step 9: Map Posture Validation Components to Profiles. The Add/Edit Posture Validation Rule page for the specified rule appears, as shown in Figure 9-54. Figure 9-54 Add/Edit Posture Validation Rule Page. Step 5 Choose the Required Credenti[...]
9-71 Step 10: Map an Audit Server to a Profile. To add an external posture validation audit server to a profile: Step 1 Choose Network Access Profiles. Step 2 Click the Protocols link for the relevant Post[...]
9-72 Step 11 (Optional): Configure GAME Group Feedback. d. If you want to specify a user group to which to assign the supplicant if the audit fails, check the Assign a User Group check box and then from the Assign a User Group drop-down list, choose [...]
9-73 Step 11 (Optional): Configure GAME Group Feedback. Import an Audit Vendor File by Using CSUtil. For information on importing an audit vendor file by using CSUtil, see the “Adding a Custom RADIUS Vendor and VSA Set” section in Appendix D of[...]
9-74 Step 11 (Optional): Configure GAME Group Feedback. Step 3 Restart ACS: a. In the navigation bar, click System Configuration. b. Click Service Control. c. Click Restart. Configure Database Support for Agentless Host Processing. The database tha[...]
9-75 Step 11 (Optional): Configure GAME Group Feedback. To add the posture attributes: Step 1 Create a text file in the Utils directory with the following format: [attr#0] vendor-id=[your vendor id] vendor-name=[The name of you company] application-[...]
9-76 Step 11 (Optional): Configure GAME Group Feedback. Configure the External Posture Validation Audit Server. You can configure an audit server once, and then use it for other profiles. To configure an audit server: Step 1 In the Posture Validation[...]
9-77 Step 11 (Optional): Configure GAME Group Feedback. Figure 9-57 Use These Audit Servers Section. e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password. Figure 9-58 show[...]
9-78 Step 11 (Optional): Configure GAME Group Feedback. Figure 9-58 Audit Flow Settings and GAME Group Feedback Sections. f. If required, in the Audit Flow Setting section, set the audit-flow parameters. g. If you are configuring GAME group feedback[...]
9-79 Step 11 (Optional): Configure GAME Group Feedback. Enable GAME Group Feedback. To enable GAME group feedback: Step 1 On the External Posture Validation Audit Server Setup page, in the GAME Group Feedback section, check the Request Device Type fr[...]
9-80 Step 11 (Optional): Configure GAME Group Feedback. – contains – starts-with – regular-expression • Device Type—Defines the comparison criteria for the User Group by using an operator and device type. Valid values for the device t[...]
GL-1 Glossary. A. AAA: Authentication, Authorization, and Accounting server. (Authentication, authorization, and accounting is pronounced “triple-A.” An AAA server is the central server that aggregates one or more authentication, authorization, or both decisions into a single system[...]
GL-2 Glossary. E. EAP: Extensible Authentication Protocol. Provides the ability to deploy RADIUS into Ethernet network environments. EAP is defined by Internet Engineering Task Force (IETF) RFC 2284 and the IEEE 802.1x standards. EAP-TLS: Extensible Authentication Protocol-Transport La[...]
GL-3 Glossary. N. NAC: Network Admission Control. NAC is a Cisco-sponsored industry initiative that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms. N[...]
GL-4 Glossary. PEAP: Protected Extensible Authentication Protocol. An 802.1x authentication type for wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on an Interne[...]
IN-1 Index. Numerics: 802.1x 2-2. A: AAA clients 4-14 (configuring RADIUS client 9-2; creating 4-15; deleting 4-15; updating 4-15); AAA server (configuring 9-4); Access Control Entries, see ACEs; accessing Cisco Secure ACS (how to 6-4, 9-2; URL 6-4, 9-2); access policy (configuring 5-9; HTTP port allocation 5[...]
IN-2 Index. separation from general users 2-18; Agentless Host for L2 (802.1x fallback) template 9-65; agentless host for L2 (802.1x fallback) template 9-65; agentless host support (overview 6-1; summary of configuration steps 6-3); agentless request processing (enabling 6-18; enabling for a NAP 6-20) [...]
IN-3 Index. logging level 9-14; logs and reports 9-14; MAB 6-21; multiforest support for Active Directory 3-7; password lifetime options 5-6; password policy 5-4; RADIUS AAA client 6-5, 9-2; RSA Token Server support 3-8; session policy 5-7; shared secret for RADIUS key wrap 9-4; Syslog time format 3[...]
IN-4 Index. configuring new features in ACS 4.2 3-2; EAP-TLS 2-3 (specifying Certificate Binary Comparison for 7-6; specifying Certificate CN Comparison for 7-6; specifying certificate SAN comparison for 7-6); Edit Network Access Protocols page 6-19; enabling (agentless request processing 6-18; agent[...]
IN-5 Index. for MAB support 6-12; Lightweight Directory Access Protocol, see LDAP; logging (configuring 9-14; enhanced features with ACS 4.2 3-5); logging level (configuring 9-14); logs and reports (configuring 9-14). M: MAB (configuring 6-21; configuring ACS user groups for MAB segments 6-17; configuring[...]
IN-6 Index. reliability 2-19. P: PAC (disabling PAC processing in NAPs 3-3); Passed Authentication report (enabling 9-15); password configuration (Account Locked 5-4; Account Never Expires 5-4; password inactivity options 5-7; password lifetime options 5-6); password policy (configuring 5-1, 5-4; incorr[...]
IN-7 Index. purging Node Secret file (purging 3-10). S: Sarbanes-Oxley, see SOX; security certificate (installing and setting up 9-5); security certificates (adding a trusted certificate 7-4; copying to the ACS host 6-7, 7-2, 9-6; enabling 6-8, 7-3, 9-8; installing 6-6, 7-2, 9-6; using Windows Certifica[...]
IN-8 Index. W: warnings, significance of x; Windows Certificate Import Wizard 6-7, 7-2; wired LAN, geographically dispersed 2-4; wired LAN access 2-2; wireless (NAC L2 802.1x) template 9-60; wireless access (campus WLAN 2-6; large enterprise LAN 2-8; regional WLAN 2-7; simple WLAN 2-5; topology 2-5); wirele[...]