Summary of the content on page 1
Configuration Guide for Cisco Secure ACS
4.2
February 2008
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-14390-02
Summary of the content on page 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND AR
Summary of the content on page 3
CONTENTS
Preface ix
  Audience ix
  Organization ix
  Conventions x
  Product Documentation x
  Related Documentation xii
  Obtaining Documentation and Submitting a Service Request xii
  Notices iii-xii
    OpenSSL/Open SSL Project iii-xiii
    License Issues iii-xiii
CHAPTER 1 Overview of ACS Configuration 1-1
  Summary of Configuration Steps 1-1
  Configuration Flowchart 1-5
CHAPTER 2 Deploy the Access Control Servers 2-1
  Determining the Deployment Architectur
Summary of the content on page 4
  Deploying ACS in a NAC/NAP Environment 2-15
  Additional Topics 2-16
    Remote Access Policy 2-16
    Security Policy 2-17
    Administrative Access Policy 2-17
    Separation of Administrative and General Users 2-18
    Database Considerations 2-19
    Number of Users 2-19
    Type of Database 2-19
    Network Latency and Reliability 2-19
CHAPTER 3 Configuring New Features in ACS 4.2 3-1
  New Global EAP-FAST Configuration Options 3-1
  Disabling of EAP-FAST PAC Processi
Summary of the content on page 5
  Step 6: View the dACLs 4-9
  Error Messages 4-11
  Reading, Updating, and Deleting dACLs 4-12
  Updating or Deleting dACL Associations with Users or Groups 4-14
  Using RDBMS Synchronization to Specify Network Configuration 4-14
  Creating, Reading, Updating and Deleting AAA clients 4-15
CHAPTER 5 Password Policy Configuration Scenario 5-1
  Limitation on Ability of the Administrator to Change Passwords 5-1
  Summary of Configuration Steps 5-2
  Step 1: Add and E
Summary of the content on page 6
  Step 6: Enable Agentless Request Processing 6-18
    Create a New NAP 6-18
    Enable Agentless Request Processing for a NAP 6-20
    Configure MAB 6-21
  Step 7: Configure Logging and Reports 6-23
    Configuring Reports for MAB Processing 6-23
  Configuration Steps for Audit Server Support 6-24
    Configure GAME Group Feedback 6-24
CHAPTER 7 PEAP/EAP-TLS Configuration Scenario 7-1
  Summary of Configuration Steps 7-1
  Step 1: Configure Security Certificates 7-1
    O
Summary of the content on page 7
    Install the CA Certificate 9-7
    Install the ACS Certificate 9-8
    Set Up Global Configuration 9-8
    Set Up Global Authentication 9-9
    Set Up EAP-FAST Configuration 9-12
    Configure the Logging Level 9-14
    Configure Logs and Reports 9-14
  Step 4: Set Up Administration Control 9-17
    Add Remote Administrator Access 9-17
  Step 5: Set Up Shared Profile Components 9-20
    Configure Network Access Filtering (Optional) 9-20
    Configure Downloadable IP ACLs 9-2
Summary of the content on page 8
    Profile Setup 9-56
    Protocols Policy 9-58
    Authorization Policy 9-59
    Sample Posture Validation Rule 9-60
  Sample Wireless (NAC L2 802.1x) Template 9-60
    Profile Setup 9-61
    Protocols Policy 9-63
    Authorization Policy 9-64
    Sample Posture Validation Rule 9-65
  Using a Sample Agentless Host Template 9-65
    Profile Setup 9-67
    Protocols Policy 9-68
    Authentication Policy 9-69
  Step 9: Map Posture Validation Components to Profiles 9-69
  Step 10:
Summary of the content on page 9
Preface
Audience
This guide is for security administrators who use Cisco Secure Access Control Server (ACS), and who set up and maintain network and application security.
Organization
This document contains:
• Chapter 1, “Overview of ACS Configuration”—Provides an overview of ACS configuration, including a summary of configuration steps and a configuration flowchart that shows the sequence of configuration steps.
• Chapter 2, “Deploy the Access Control Servers”—Describes factors to conside
Summary of the content on page 10
Conventions
This document uses the following conventions (Item: Convention):
Commands, keywords, special terminology, and options that should be selected during procedures: boldface font
Variables for which you supply values and new or important terminology: italic font
Displayed session and system information, paths and file names: screen font
Information you enter: boldface screen font
Variables you enter: italic screen font
Menu items and button names: boldface font
Indicates menu items to
Summary of the content on page 11
Table 1 ACS 4.2 Documentation (Document Title: Available Formats)
Documentation Guide for Cisco Secure ACS Release 4.2: Shipped with product. PDF on the product CD-ROM. On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/roadmap/DGuide42.html
Release Notes for Cisco Secure ACS Release 4.2: On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.h
Summary of the content on page 12
Table 1 ACS 4.2 Documentation (continued) (Document Title: Available Formats)
Installation and User Guide for Cisco Secure ACS User-Changeable Passwords: On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/user_passwords/ucp42.html
Troubleshooting Guide for Cisco Secure Access Control Server: On Cisco.com http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2
Summary of the content on page 13
Preface Notices OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). License Issues The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See
Summary of the content on page 14
Preface Notices Original SSLeay License: Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not
Summary of the content on page 15
CHAPTER 1
Overview of ACS Configuration
This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps.
Note: If you are configuring ACS to work with Microsoft clients in a Cisco Network Access Control/Microsoft Network Access Protection (NAC/NAP) network, refer to Chapter 9, “NAC Configuration Scenario.”
This chapter contains:
Summary of Configuration S
Summary of the content on page 16
b. For each administrator, specify administrator privileges.
c. As needed, configure the following optional administrative policies:
  – Access Policy—Specify IP address limitations, HTTP port restrictions, and Secure Sockets Layer (SSL) setup.
  – Session Policy—Specify timeouts, automatic local logins, and the response to connections from invalid IP addresses.
  – Password Policy—Configure the password policy fo
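The three optional administrative policies above (Access, Session, Password) are enforced inside the ACS web interface, so there is nothing on this page to run. The block below is an added example, not code from the Cisco guide or from ACS itself: it models each policy as a small rule set and evaluates constructed sample connection attempts, idle times and passwords against it, so an administrator can see what each setting rejects before relying on it. The field names, default values (port range 2002-2030, 60-minute idle timeout, 8-character minimum, 90-day maximum age), the "contains the user name" rule and the sample inputs are all assumptions chosen for the illustration.

```python
"""Model of the optional ACS administrative policies named in the overview:
Access Policy (source IP limits, HTTP port range, SSL), Session Policy
(idle timeout) and Password Policy.

Added example, not code from the Cisco guide or from ACS: ACS applies these
policies inside its web interface. The rule set, field names, defaults and
the sample attempts below are assumptions chosen to show what each check
rejects.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AccessPolicy:
    allowed_cidrs: list = field(default_factory=list)  # empty list: any source allowed
    port_range: tuple = (2002, 2030)                  # assumed administrative port range
    require_ssl: bool = True


@dataclass
class SessionPolicy:
    idle_timeout_min: int = 60  # assumed default


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_mixed_case: bool = True
    require_digit: bool = True
    max_age_days: int = 90


def check_access(policy, src_ip, port, over_ssl):
    """Evaluate one administrative connection attempt.

    Returns (allowed, reason). Checks run in the order an operator would
    expect: source address first, then port, then transport protection.
    """
    src = ip_address(src_ip)
    if policy.allowed_cidrs and not any(src in ip_network(c) for c in policy.allowed_cidrs):
        return False, f"{src_ip} is not in the allowed address list"
    low, high = policy.port_range
    if not low <= port <= high:
        return False, f"port {port} is outside the administrative range {low}-{high}"
    if policy.require_ssl and not over_ssl:
        return False, "SSL is required for administrative sessions"
    return True, "ok"


def session_expired(policy, idle_minutes):
    """True when the session has been idle longer than the policy allows."""
    return idle_minutes > policy.idle_timeout_min


def password_violations(policy, password, username, age_days):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if age_days > policy.max_age_days:
        problems.append(f"older than {policy.max_age_days} days, change required")
    return problems


if __name__ == "__main__":
    # Constructed sample data: an allow-list of one management subnet and
    # four connection attempts of the form (source IP, port, over SSL).
    access = AccessPolicy(allowed_cidrs=["10.1.1.0/24"])
    for attempt in [("10.1.1.5", 2002, True), ("192.0.2.9", 2002, True),
                    ("10.1.1.5", 80, True), ("10.1.1.5", 2002, False)]:
        print(attempt, "->", check_access(access, *attempt))
    print("idle 75 min expired:", session_expired(SessionPolicy(), 75))
    pw = PasswordPolicy()
    print("admin123:", password_violations(pw, "admin123", "admin", 10))
    print("Tr0ub4dor-x:", password_violations(pw, "Tr0ub4dor-x", "admin", 10))
```

Running the block prints which of the four attempts is accepted (only the first) and why the others fail, plus the password findings; the same functions can be called from a script that checks a proposed policy against the real set of administrator workstations before the policy is committed in the GUI.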
Summary of the content on page 17
  – By using database synchronization
  – By using database replication
For detailed instructions, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.”
Step 7 Configure Certificates.
This step is required if you are using EAP-TLS, Secure Sockets Layer (SSL), or Cisco Network Admission Control (NAC). For detailed instructions,
Summary of the content on page 18
Step 14 Set Up Network Access Profiles.
If required, set up Network Access Profiles.
Step 15 Configure Logs and Reports.
Configure reports to specify how ACS logs data. You can also view the logs in HTML reports. For detailed instructions, see Chapter 9 of the User Guide for Cisco Secure ACS 4.2, “Logs and Reports.”
Configuration Guide for Cisco Secure ACS 4.2 1-4 OL-14390-02
Summary of the content on page 19
Configuration Flowchart
Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration.
Figure 1-1 ACS Configuration Flowchart
[Flowchart image; step labels recovered from the figure text: Step 1: Plan the Deployment; Step 2: Install ACS Servers; decision: Is there a Remote ODBC User Database? (Yes/No); Step 6: Configure Users; Step 8: Configure Global Authentication Settings; Step 9: Configure Shared Profile Components; Step 10: Set Up Network Device Groups; the remaining labels are cut off in the extracted text]