Summary of the content on the page No. 1
User Guide for Cisco Secure Access
Control System 5.3
April 2014
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-24201-01
Summary of the content on the page No. 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE IN
Summary of the content on the page No. 3
CONTENTS Preface xxiii Audience xxiii Document Conventions xxiii Documentation Updates xxiv Related Documentation xxiv Obtaining Documentation and Submitting a Service Request xxv CHAPTER 1 Introducing ACS 5.3 1-1 Overview of ACS 1-1 ACS Distributed Deployment 1-2 ACS 4.x and 5.3 Replication 1-2 ACS Licensing Model 1-3 ACS Management Interfaces 1-3 ACS Web-based Interface 1-4 ACS Command Line Interface 1-4 ACS Programmatic Interfaces 1-5 Hardware Models Supported by ACS 1-5 CHAPTER 2 Migrating f
Summary of the content on the page No. 4
Contents Policy Terminology 3-3 Simple Policies 3-4 Rule-Based Policies 3-4 Types of Policies 3-5 Access Services 3-6 Identity Policy 3-9 Group Mapping Policy 3-11 Authorization Policy for Device Administration 3-11 Processing Rules with Multiple Command Sets 3-11 Exception Authorization Policy Rules 3-12 Service Selection Policy 3-12 Simple Service Selection 3-12 Rules-Based Service Selection 3-13 Access Services and Service Selection Scenarios 3-13 First-Match Rule Tables 3-14 Policy Condition
Summary of the content on the page No. 5
Contents Agentless Network Access 4-12 Overview of Agentless Network Access 4-12 Host Lookup 4-13 Authentication with Call Check 4-14 Process Service-Type Call Check 4-15 PAP/EAP-MD5 Authentication 4-15 Agentless Network Access Flow 4-16 Adding a Host to an Internal Identity Store 4-17 Configuring an LDAP External Identity Store for Host Lookup 4-17 Configuring an Identity Group for Host Lookup Network Access Requests 4-18 Creating an Access Service for Host Lookup 4-18 Configuring an Identity P
Summary of the content on the page No. 6
Contents My Account Page 5-2 Using the Web Interface 5-3 Accessing the Web Interface 5-3 Logging In 5-4 Logging Out 5-5 Understanding the Web Interface 5-5 Web Interface Design 5-6 Navigation Pane 5-7 Content Area 5-8 Importing and Exporting ACS Objects through the Web Interface 5-18 Supported ACS Objects 5-18 Creating Import Files 5-20 Downloading the Template from the Web Interface 5-21 Understanding the CSV Templates 5-21 Creating the Import File 5-22 Common Errors 5-25 Concurrency Conflict E
Summary of the content on the page No. 7
Contents Exporting Network Devices and AAA Clients 7-7 Performing Bulk Operations for Network Resources and Users 7-8 Exporting Network Resources and Users 7-10 Creating, Duplicating, and Editing Network Devices 7-10 Configuring Network Device and AAA Clients 7-11 Displaying Network Device Properties 7-14 Deleting Network Devices 7-17 Configuring a Default Network Device 7-17 Working with External Proxy Servers 7-19 Creating, Duplicating, and Editing External Proxy Servers 7-19 Deleting External
Summary of the content on the page No. 8
Contents Authentication Using LDAP 8-20 Multiple LDAP Instances 8-20 Failover 8-21 LDAP Connection Management 8-21 Authenticating a User Using a Bind Connection 8-21 Group Membership Information Retrieval 8-22 Attributes Retrieval 8-23 Certificate Retrieval 8-23 Creating External LDAP Identity Stores 8-23 Configuring an External LDAP Server Connection 8-24 Configuring External LDAP Directory Organization 8-26 Deleting External LDAP Identity Stores 8-30 Configuring LDAP Groups 8-30 Viewing LDAP A
Summary of the content on the page No. 9
Contents Groups and Attributes Mapping 8-58 RADIUS Identity Store in Identity Sequence 8-59 Authentication Failure Messages 8-59 Username Special Format with Safeword Server 8-59 User Attribute Cache 8-60 Creating, Duplicating, and Editing RADIUS Identity Servers 8-60 Configuring CA Certificates 8-65 Adding a Certificate Authority 8-66 Editing a Certificate Authority and Configuring Certificate Revocation Lists 8-67 Deleting a Certificate Authority 8-68 Exporting a Certificate Authority 8-69 Con
Summary of the content on the page No. 10
Contents Deleting an Authorizations and Permissions Policy Element 9-32 Configuring Security Group Access Control Lists 9-33 CHAPTER 10 Managing Access Policies 10-1 Policy Creation Flow 10-1 Network Definition and Policy Goals 10-2 Policy Elements in the Policy Creation Flow 10-3 Access Service Policy Creation 10-4 Service Selection Policy Creation 10-4 Customizing a Policy 10-4 Configuring the Service Selection Policy 10-5 Configuring a Simple Service Selection Policy 10-6 Service Selection Po
Summary of the content on the page No. 11
Contents Deleting Policy Rules 10-39 Configuring Compound Conditions 10-40 Compound Condition Building Blocks 10-40 Types of Compound Conditions 10-41 Using the Compound Expression Builder 10-44 Security Group Access Control Pages 10-45 Egress Policy Matrix Page 10-45 Editing a Cell in the Egress Policy Matrix 10-46 Defining a Default Policy for Egress Policy Page 10-46 NDAC Policy Page 10-47 NDAC Policy Properties Page 10-48 Network Device Access EAP-FAST Settings Page 10-50 Maximum User Sessio
Summary of the content on the page No. 12
Contents Understanding Alarm Schedules 12-9 Creating and Editing Alarm Schedules 12-9 Assigning Alarm Schedules to Thresholds 12-10 Deleting Alarm Schedules 12-11 Creating, Editing, and Duplicating Alarm Thresholds 12-11 Configuring General Threshold Information 12-13 Configuring Threshold Criteria 12-14 Passed Authentications 12-14 Failed Authentications 12-16 Authentication Inactivity 12-18 TACACS Command Accounting 12-19 TACACS Command Authorization 12-20 ACS Configuration Changes 12-21 ACS S
Summary of the content on the page No. 13
Contents Running Catalog Reports 13-11 Deleting Catalog Reports 13-13 Running Named Reports 13-13 Understanding the Report_Name Page 13-15 Enabling RADIUS CoA Options on a Device 13-18 Changing Authorization and Disconnecting Active RADIUS Sessions 13-18 Customizing Reports 13-20 Restoring Reports 13-20 Viewing Reports 13-21 About Standard Viewer 13-21 About Interactive Viewer 13-21 About Interactive Viewer’s Context Menus 13-21 Navigating Reports 13-23 Using the Table of Contents 13-23 Exportin
Summary of the content on the page No. 14
Contents Organizing Report Data 13-41 Displaying and Organizing Report Data 13-41 Reordering Columns in Interactive Viewer 13-42 Removing Columns 13-43 Hiding or Displaying Report Items 13-44 Hiding Columns 13-44 Displaying Hidden Columns 13-45 Merging Columns 13-45 Selecting a Column from a Merged Column 13-46 Sorting Data 13-47 Sorting a Single Column 13-47 Sorting Multiple Columns 13-47 Grouping Data 13-48 Adding Groups 13-50 Grouping Data Based on Date or Time 13-50 Removing an Inner Group 1
Summary of the content on the page No. 15
Contents Modifying Charts 13-76 Filtering Chart Data 13-76 Changing Chart Subtype 13-77 Changing Chart Formatting 13-77 CHAPTER 14 Troubleshooting ACS with the Monitoring & Report Viewer 14-1 Available Diagnostic and Troubleshooting Tools 14-1 Connectivity Tests 14-1 ACS Support Bundle 14-1 Expert Troubleshooter 14-2 Performing Connectivity Tests 14-3 Downloading ACS Support Bundles for Diagnostic Information 14-4 Working with Expert Troubleshooter 14-5 Troubleshooting RADIUS Authentications 14-
Summary of the content on the page No. 16
Contents Configuring System Alarm Settings 15-17 Configuring Alarm Syslog Targets 15-17 Configuring Remote Database Settings 15-17 CHAPTER 16 Managing System Administrators 16-1 Understanding Administrator Roles and Accounts 16-2 Understanding Authentication 16-3 Configuring System Administrators and Accounts 16-3 Understanding Roles 16-3 Permissions 16-4 Predefined Roles 16-4 Changing Role Associations 16-5 Administrator Accounts and Role Association 16-6 Creating, Duplicating, Editing, and Del
Summary of the content on the page No. 17
Contents Viewing and Editing a Primary Instance 17-9 Viewing and Editing a Secondary Instance 17-13 Deleting a Secondary Instance 17-13 Activating a Secondary Instance 17-14 Registering a Secondary Instance to a Primary Instance 17-14 Deregistering Secondary Instances from the Distributed System Management Page 17-17 Deregistering a Secondary Instance from the Deployment Operations Page 17-17 Promoting a Secondary Instance from the Distributed System Management Page 17-18 Promoting a Secondary I
Summary of the content on the page No. 18
Contents Configuring Local Server Certificates 18-14 Adding Local Server Certificates 18-14 Importing Server Certificates and Associating Certificates to Protocols 18-15 Generating Self-Signed Certificates 18-16 Generating a Certificate Signing Request 18-17 Binding CA Signed Certificates 18-17 Editing and Renewing Certificates 18-18 Deleting Certificates 18-19 Exporting Certificates 18-20 Viewing Outstanding Signing Requests 18-20 Configuring Logs 18-21 Configuring Remote Log Targets 18-21 Dele
Summary of the content on the page No. 19
Contents Using Log Targets 19-2 Logging Categories 19-2 Global and Per-Instance Logging Categories 19-4 Log Message Severity Levels 19-4 Local Store Target 19-5 Critical Log Target 19-7 Remote Syslog Server Target 19-8 Monitoring and Reports Server Target 19-10 Viewing Log Messages 19-10 Debug Logs 19-11 ACS 4.x Versus ACS 5.3 Logging 19-12 APPENDIX A AAA Protocols A-1 Typical Use Cases A-1 Device Administration (TACACS+) A-1 Session Access Requests (Device Administration [TACACS+]) A-2 Command
Summary of the content on the page No. 20
Contents Overview of EAP-TLS B-6 User Certificate Authentication B-6 PKI Authentication B-7 PKI Credentials B-8 PKI Usage B-8 Fixed Management Certificates B-9 Importing Trust Certificates B-9 Acquiring Local Certificates B-9 Importing the ACS Server Certificate B-10 Initial Self-Signed Certificate Generation B-10 Certificate Generation B-10 Exporting Credentials B-11 Credentials Distribution B-12 Hardware Replacement and Certificates B-12 Securing the Cryptographic Sensitive Material B-12 Priva