November 2013
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive
San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: OL-26225-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
User Guide for Cisco Secure Access Control System 5.4
© 2012 Cisco Systems, Inc. All rights reserved.
|
|
|
|
|
|
C O N T E N T S |
|
|
Preface xxiii |
|
|
|
|
|
|
|
Audience xxiii |
|
|
|
|
|
|
|
Document Conventions |
xxiii |
|
|
|
|
|
|
Documentation Updates |
xxiv |
|
|
|
|
|
|
Related Documentation |
xxiv |
|
|
|
|
|
|
Obtaining Documentation and Submitting a Service Request xxv |
||||||
|
Introducing ACS 5.4 |
|
|
|
|
|
|
C H A P T E R 1 |
1-1 |
|
|
|
|
|
|
|
Overview of ACS |
1-1 |
|
|
|
|
|
|
ACS Distributed Deployment |
1-2 |
|
|
|
||
|
ACS 4.x and 5.4 Replication |
1-2 |
|
|
|||
|
ACS Licensing Model |
1-3 |
|
|
|
|
|
|
ACS Management Interfaces |
1-3 |
|
|
|
||
|
ACS Web-based Interface |
1-4 |
|
|
|||
|
ACS Command Line Interface |
1-4 |
|
|
|||
|
ACS Programmatic Interfaces |
1-5 |
|
|
|||
|
Hardware Models Supported by ACS |
1-5 |
|
||||
|
Migrating from ACS 4.x to ACS 5.4 |
|
|
|
|||
C H A P T E R 2 |
2-1 |
|
|
||||
|
Overview of the Migration Process |
2-2 |
|
||||
|
Migration Requirements |
2-2 |
|
|
|
||
|
Supported Migration Versions |
2-2 |
|
||||
|
Before You Begin |
2-3 |
|
|
|
|
|
|
Downloading Migration Files |
2-3 |
|
|
|
||
|
Migrating from ACS 4.x to ACS 5.4 |
2-3 |
|
||||
|
Functionality Mapping from ACS 4.x to ACS 5.4 2-5 |
|
|||||
|
Common Scenarios in Migration |
2-7 |
|
|
|||
|
Migrating from ACS 4.2 on CSACS 1120 to ACS 5.4 |
2-7 |
|||||
|
Migrating from ACS 3.x to ACS 5.4 |
2-8 |
|
||||
|
Migrating Data from Other AAA Servers to ACS 5.4 |
2-8 |
C H A P T E R 3 |
ACS 5.x Policy Model 3-1 |
||||
|
|
Overview of the ACS 5.x Policy Model 3-1 |
|||
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|||
|
OL-26225-01 |
|
|
iii |
|
|
|
|
|
Contents
Policy Terminology |
3-3 |
|
|
|
Simple Policies |
3-4 |
|
|
|
Rule-Based Policies |
3-4 |
|
||
Types of Policies |
|
3-5 |
|
|
Access Services 3-6 |
|
|
|
|
Identity Policy |
3-9 |
|
|
|
Group Mapping Policy |
3-11 |
|
||
Authorization Policy for Device Administration 3-11 |
||||
Processing Rules with Multiple Command Sets |
3-11 |
|||
Exception Authorization Policy Rules 3-12 |
|
|||
Service Selection Policy |
3-12 |
|
||
Simple Service Selection |
3-12 |
|
||
Rules-Based Service Selection 3-13 |
|
|||
Access Services and Service Selection Scenarios |
3-13 |
|||
First-Match Rule Tables |
3-14 |
|
||
Policy Conditions 3-16 |
|
|||
Policy Results |
3-16 |
|
|
Authorization Profiles for Network Access |
3-16 |
||
|
Processing Rules with Multiple Authorization Profiles 3-17 |
|||
|
Policies and Identity Attributes |
3-17 |
|
|
|
Policies and Network Device Groups |
3-18 |
|
|
|
Example of a Rule-Based Policy |
3-18 |
|
|
|
Flows for Configuring Services and Policies |
3-19 |
||
|
Common Scenarios Using ACS |
|
|
|
C H A P T E R 4 |
4-1 |
|
|
|
|
Overview of Device Administration |
4-2 |
|
|
|
Session Administration 4-3 |
|
|
|
|
Command Authorization |
4-4 |
|
|
|
|
|
|
|
TACACS+ Custom Services and Attributes |
4-5 |
|
|
|
|
|
|
|
|
Password-Based Network Access |
4-5 |
|
|
|
|
|
|
|
|
Overview of Password-Based Network Access |
4-5 |
|
||
|
|
|
|
|
Password-Based Network Access Configuration Flow 4-7 |
||||
|
|
|
|
|
Certificate-Based Network Access |
4-9 |
|
|
|
|
|
|
|
|
Overview of Certificate-Based Network Access |
4-9 |
|
||
|
|
|
|
|
Using Certificates in ACS 4-10 |
|
|
|
|
|
|
|
|
|
Certificate-Based Network Access |
4-10 |
|
|
|
|
|
|
|
|
Authorizing the ACS Web Interface from Your Browser Using a Certificate 4-11 |
||||
|
|
|
|
|
Validating an LDAP Secure Authentication Connection 4-12 |
||||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
iv |
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
Contents
|
|
Agentless Network Access |
4-12 |
|
|
|
|
|
|
|
|
|
||
|
|
Overview of Agentless Network Access |
4-12 |
|
|
|
|
|
||||||
|
|
Host Lookup |
4-13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Authentication with Call Check |
|
4-14 |
|
|
|
|
|
|
|
|||
|
|
Process Service-Type Call Check |
4-15 |
|
|
|
|
|
||||||
|
|
PAP/EAP-MD5 Authentication |
4-15 |
|
|
|
|
|
|
|
||||
|
|
Agentless Network Access Flow |
|
4-16 |
|
|
|
|
|
|
||||
|
|
Adding a Host to an Internal Identity Store |
4-17 |
|
|
|
|
|||||||
|
|
Configuring an LDAP External Identity Store for Host Lookup |
4-17 |
|
|
|
||||||||
|
|
Configuring an Identity Group for Host Lookup Network Access Requests 4-18 |
||||||||||||
|
|
Creating an Access Service for Host Lookup |
4-18 |
|
|
|
|
|||||||
|
|
Configuring an Identity Policy for Host Lookup Requests |
4-19 |
|
|
|
||||||||
|
|
Configuring an Authorization Policy for Host Lookup Requests 4-20 |
||||||||||||
|
|
VPN Remote Network Access |
4-20 |
|
|
|
|
|
|
|
|
|
||
|
|
Supported Authentication Protocols |
4-21 |
|
|
|
|
|
|
|||||
|
|
Supported Identity Stores |
4-21 |
|
|
|
|
|
|
|
|
|
||
|
|
Supported VPN Network Access Servers |
4-22 |
|
|
|
|
|||||||
|
|
Supported VPN Clients |
4-22 |
|
|
|
|
|
|
|
|
|
||
|
|
Configuring VPN Remote Access Service |
4-22 |
|
|
|
|
|||||||
|
|
ACS and Cisco Security Group Access |
4-23 |
|
|
|
|
|
|
|||||
|
|
Adding Devices for Security Group Access |
4-24 |
|
|
|
|
|||||||
|
|
Creating Security Groups |
4-24 |
|
|
|
|
|
|
|
|
|
||
|
|
Creating SGACLs 4-25 |
|
|
|
|
|
|
|
|
|
|
||
|
|
Configuring an NDAC Policy |
4-25 |
|
|
|
|
|
|
|
||||
|
|
Configuring EAP-FAST Settings for Security Group Access |
4-26 |
|
|
|
||||||||
|
|
Creating an Access Service for Security Group Access 4-26 |
|
|
|
|
||||||||
|
|
Creating an Endpoint Admission Control Policy |
4-27 |
|
|
|
|
|||||||
|
|
Creating an Egress Policy |
4-27 |
|
|
|
|
|
|
|
|
|
||
|
|
Creating a Default Policy |
4-28 |
|
|
|
|
|
|
|
|
|
||
|
|
RADIUS and TACACS+ Proxy Requests |
4-29 |
|
|
|
|
|
|
|||||
|
|
Supported Protocols |
4-30 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Supported RADIUS Attributes |
4-31 |
|
|
|
|
|
|
|
||||
|
|
TACACS+ Body Encryption |
4-31 |
|
|
|
|
|
|
|
|
|||
|
|
Connection to TACACS+ Server |
|
4-31 |
|
|
|
|
|
|
|
|||
|
|
Configuring Proxy Service |
4-32 |
|
|
|
|
|
|
|
|
|
||
|
Understanding My Workspace |
|
|
|
|
|
|
|
|
|
|
|||
C H A P T E R 5 |
5-1 |
|
|
|
|
|
|
|
|
|
||||
|
|
Welcome Page |
5-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Task Guides 5-2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|||
|
|
|
|
|
|
|
|
|
||||||
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
v |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
My Account Page 5-2 |
|
|
|
Login Banner 5-3 |
|
|
|
Using the Web Interface |
5-3 |
|
|
Accessing the Web Interface |
5-4 |
||
Logging In |
5-4 |
|
|
Logging Out |
5-5 |
|
|
Understanding the Web Interface 5-5 |
|||
Web Interface Design |
5-6 |
||
Navigation Pane |
5-7 |
|
|
|
|
|
|
|
Content Area |
5-8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Importing and Exporting ACS Objects through the Web Interface |
5-18 |
|
|||||||
|
|
|
|
|
|
Supported ACS Objects |
5-18 |
|
|
|
|
|
|||
|
|
|
|
|
|
Creating Import Files |
|
5-21 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Downloading the Template from the Web Interface 5-21 |
|||||||||
|
|
|
|
|
|
Understanding the CSV Templates |
5-22 |
|
|
|
|||||
|
|
|
|
|
|
Creating the Import File |
5-22 |
|
|
|
|
||||
|
|
|
|
|
|
Common Errors |
5-25 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Concurrency Conflict Errors |
5-25 |
|
|
|
|
||||
|
|
|
|
|
|
Deletion Errors 5-26 |
|
|
|
|
|
|
|
||
|
|
|
|
|
|
System Failure Errors |
5-27 |
|
|
|
|
|
|
||
|
|
|
|
|
|
Accessibility |
5-27 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Display and Readability Features |
5-27 |
|
|
|
|
||||
|
|
|
|
|
|
Keyboard and Mouse Features |
5-28 |
|
|
|
|
||||
|
|
|
|
|
|
Obtaining Additional Accessibility Information 5-28 |
|
|
|
||||||
|
|
Post-Installation Configuration Tasks |
|
|
|
|
|
||||||||
C H A P T E R 6 |
|
6-1 |
|
|
|
|
|||||||||
|
|
|
|
|
|
Configuring Minimal System Setup |
6-1 |
|
|
|
|
||||
|
|
|
|
|
|
Configuring ACS to Perform System Administration Tasks |
6-2 |
|
|
||||||
|
|
|
|
|
|
Configuring ACS to Manage Access Policies |
6-4 |
|
|
|
|||||
|
|
|
|
|
|
Configuring ACS to Monitor and Troubleshoot Problems in the Network 6-4 |
|||||||||
|
|
Managing Network Resources 7-1 |
|
|
|
|
|
||||||||
C H A P T E R 7 |
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
Network Device Groups |
7-2 |
|
|
|
|
|
|
||
|
|
|
|
|
|
Creating, Duplicating, and Editing Network Device Groups |
7-2 |
|
|||||||
|
|
|
|
|
|
Deleting Network Device Groups |
7-3 |
|
|
|
|
||||
|
|
|
|
|
|
Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy 7-4 |
|||||||||
|
|
|
|
|
|
Deleting Network Device Groups from a Hierarchy |
7-5 |
|
|
||||||
|
|
|
|
|
|
Network Devices and AAA Clients |
7-5 |
|
|
|
|
||||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|||||
|
vi |
|
|
|
|
|
|
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
Viewing and Performing Bulk Operations for Network Devices |
7-6 |
||
Exporting Network Devices and AAA Clients 7-7 |
|
|
|
Performing Bulk Operations for Network Resources and Users |
7-8 |
||
Exporting Network Resources and Users |
7-10 |
|
|
Creating, Duplicating, and Editing Network Devices |
7-10 |
|
|
Configuring Network Device and AAA Clients |
7-11 |
|
|
Displaying Network Device Properties |
7-14 |
|
|
Deleting Network Devices 7-17 |
|
|
|
|
Configuring a Default Network Device |
7-17 |
||||
|
Working with External Proxy Servers |
|
7-19 |
|||
|
Creating, Duplicating, and Editing External Proxy Servers 7-19 |
|||||
|
Deleting External Proxy Servers |
|
7-21 |
|||
|
Working with OCSP Services |
7-21 |
|
|
||
|
Creating, Duplicating, and Editing OCSP Servers 7-22 |
|||||
|
Deleting OCSP Servers |
7-24 |
|
|
||
|
Managing Users and Identity Stores |
|
|
|||
C H A P T E R 8 |
|
8-1 |
||||
|
Overview 8-1 |
|
|
|
|
|
|
Internal Identity Stores |
8-1 |
|
|
||
|
External Identity Stores |
8-2 |
|
|
||
|
Identity Stores with Two-Factor Authentication 8-3 |
|||||
|
Identity Groups |
8-3 |
|
|
|
|
|
Certificate-Based Authentication |
8-3 |
||||
|
Identity Sequences |
8-4 |
|
|
|
|
|
Managing Internal Identity Stores |
8-4 |
||||
|
Authentication Information 8-5 |
|
||||
|
Identity Groups |
8-6 |
|
|
|
|
|
Creating Identity Groups |
8-6 |
||||
|
Deleting an Identity Group |
|
8-7 |
|||
|
Managing Identity Attributes |
8-7 |
||||
|
Standard Attributes |
8-8 |
|
|
||
|
User Attributes |
8-8 |
|
|
|
|
|
Host Attributes |
8-9 |
|
|
|
|
Configuring Authentication Settings for Users |
8-9 |
|
|
|
|
|
Creating Internal Users |
8-11 |
|
|
|
|
|
Deleting Users from Internal Identity Stores |
8-15 |
|
|
|
|
|
Viewing and Performing Bulk Operations for Internal Identity Store Users 8-15 |
|||||
|
Creating Hosts in Identity Stores 8-16 |
|
|
|
|
|
|
Deleting Internal Hosts |
8-18 |
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
||||
|
OL-26225-01 |
|
|
|
vii |
|
|
|
|
|
|
Contents
Viewing and Performing Bulk Operations for Internal Identity Store Hosts 8-18
|
|
|
|
|
Management Hierarchy |
8-19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Attributes of Management Hierarchy |
8-19 |
|
|
|
|
|||||
|
|
|
|
|
Configuring AAA Devices for Management Hierarchy 8-19 |
|
|
||||||||
|
|
|
|
|
Configuring Users or Hosts for Management Hierarchy |
8-20 |
|
|
|||||||
|
|
|
|
|
Configuring and Using UserIsInManagement Hierarchy Attribute |
8-20 |
|
||||||||
|
|
|
|
|
Configuring and Using HostIsInManagement Hierarchy Attributes |
8-21 |
|
||||||||
|
|
|
|
|
Managing External Identity Stores |
8-22 |
|
|
|
|
|
|
|
||
|
|
|
|
|
LDAP Overview |
8-22 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Directory Service |
8-23 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Authentication Using LDAP |
8-23 |
|
|
|
|
|
|
|||
|
|
|
|
|
Multiple LDAP Instances |
8-23 |
|
|
|
|
|
|
|
||
|
|
|
|
|
Failover |
8-24 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
LDAP Connection Management |
8-24 |
|
|
|
|
|
||||
|
|
|
|
|
Authenticating a User Using a Bind Connection |
8-24 |
|
|
|
||||||
|
|
|
|
|
Group Membership Information Retrieval 8-25 |
|
|
|
|
||||||
|
|
|
|
|
Attributes Retrieval |
8-25 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Certificate Retrieval |
8-26 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Creating External LDAP Identity Stores |
8-26 |
|
|
|
|
|||||
|
|
|
|
|
Configuring an External LDAP Server Connection |
8-27 |
|
|
|
||||||
|
|
|
|
|
Configuring External LDAP Directory Organization |
8-29 |
|
|
|
||||||
|
|
|
|
|
Deleting External LDAP Identity Stores |
8-33 |
|
|
|
|
|||||
|
|
|
|
|
Configuring LDAP Groups |
8-33 |
|
|
|
|
|
|
|||
|
|
|
|
|
Viewing LDAP Attributes |
8-34 |
|
|
|
|
|
|
|
||
|
|
|
|
|
Leveraging Cisco NAC Profiler as an External MAB Database |
8-34 |
|
|
|||||||
|
|
|
|
|
Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS 8-35 |
||||||||||
|
|
|
|
|
Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy 8-37 |
||||||||||
|
|
|
|
|
Troubleshooting MAB Authentication with Profiler Integration 8-41 |
||||||||||
|
|
|
|
|
Microsoft AD |
8-41 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Machine Authentication |
8-43 |
|
|
|
|
|
|
|
||
|
|
|
|
|
Attribute Retrieval for Authorization |
8-44 |
|
|
|
|
|||||
|
|
|
|
|
Group Retrieval for Authorization |
8-44 |
|
|
|
|
|
||||
|
|
|
|
|
Certificate Retrieval for EAP-TLS Authentication |
8-44 |
|
|
|
||||||
|
|
|
|
|
Concurrent Connection Management |
8-44 |
|
|
|
|
|||||
|
|
|
|
|
User and Machine Account Restrictions |
8-44 |
|
|
|
|
|||||
|
|
|
|
|
Machine Access Restrictions |
8-45 |
|
|
|
|
|
|
|||
|
|
|
|
|
Distributed MAR Cache 8-46 |
|
|
|
|
|
|
|
|||
|
|
|
|
|
Dial-In Permissions |
8-47 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Callback Options for Dial-In users |
8-48 |
|
|
|
|
|||||
|
|
|
|
|
Joining ACS to an AD Domain |
8-49 |
|
|
|
|
|
||||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
viii |
|
|
|
|
|
|
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
|
|
Configuring an AD Identity Store |
8-49 |
|
|
|
|
|
|
|
||||
|
|
Selecting an AD Group |
8-53 |
|
|
|
|
|
|
|
|
|
||
|
|
Configuring AD Attributes |
8-54 |
|
|
|
|
|
|
|
|
|
||
|
|
Configuring Machine Access Restrictions |
8-56 |
|
|
|
|
|
|
|||||
|
|
RSA SecurID Server 8-57 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring RSA SecurID Agents |
8-58 |
|
|
|
|
|
|
|
||||
|
|
Creating and Editing RSA SecurID Token Servers |
8-59 |
|
|
|
|
|
||||||
|
|
RADIUS Identity Stores |
8-63 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Supported Authentication Protocols |
8-63 |
|
|
|
|
|
|
|
||||
|
|
Failover 8-64 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Password Prompt |
8-64 |
|
|
|
|
|
|
|
|
|
|
|
|
|
User Group Mapping |
8-64 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Groups and Attributes Mapping |
8-64 |
|
|
|
|
|
|
|
|
|||
|
|
RADIUS Identity Store in Identity Sequence |
8-65 |
|
|
|
|
|
|
|||||
|
|
Authentication Failure Messages 8-65 |
|
|
|
|
|
|
|
|||||
|
|
Username Special Format with Safeword Server |
8-65 |
|
|
|
|
|
||||||
|
|
User Attribute Cache |
8-66 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Creating, Duplicating, and Editing RADIUS Identity Servers |
8-66 |
|
|
|
||||||||
|
|
Configuring CA Certificates |
8-71 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Adding a Certificate Authority |
8-72 |
|
|
|
|
|
|
|
|
|
||
|
|
Editing a Certificate Authority and Configuring Certificate Revocation Lists 8-73 |
||||||||||||
|
|
Deleting a Certificate Authority |
8-74 |
|
|
|
|
|
|
|
|
|||
|
|
Exporting a Certificate Authority |
8-75 |
|
|
|
|
|
|
|
|
|||
|
|
Configuring Certificate Authentication Profiles |
8-75 |
|
|
|
|
|
|
|
||||
|
|
Configuring Identity Store Sequences |
8-77 |
|
|
|
|
|
|
|
|
|||
|
|
Creating, Duplicating, and Editing Identity Store Sequences |
8-78 |
|
|
|
||||||||
|
|
Deleting Identity Store Sequences |
8-80 |
|
|
|
|
|
|
|
|
|||
|
Managing Policy Elements |
|
|
|
|
|
|
|
|
|
|
|
|
|
C H A P T E R 9 |
9-1 |
|
|
|
|
|
|
|
|
|
|
|
||
|
|
Managing Policy Conditions |
9-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Creating, Duplicating, and Editing a Date and Time Condition |
9-3 |
|
|
|
||||||||
|
|
Creating, Duplicating, and Editing a Custom Session Condition |
9-5 |
|
|
|
||||||||
|
|
Deleting a Session Condition 9-6 |
|
|
|
|
|
|
|
|
|
|||
|
|
Managing Network Conditions |
9-6 |
|
|
|
|
|
|
|
|
|
||
|
|
Importing Network Conditions |
9-8 |
|
|
|
|
|
|
|
|
|||
|
|
Exporting Network Conditions |
9-9 |
|
|
|
|
|
|
|
|
|||
|
|
Creating, Duplicating, and Editing End Station Filters |
9-9 |
|
|
|
|
|||||||
|
|
Creating, Duplicating, and Editing Device Filters |
9-12 |
|
|
|
|
|
||||||
|
|
Creating, Duplicating, and Editing Device Port Filters |
9-15 |
|
|
|
|
|||||||
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|||||
|
|
|
|
|
|
|
||||||||
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
ix |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
Managing Authorizations and Permissions |
9-17 |
|
|
Creating, Duplicating, and Editing Authorization Profiles for Network Access |
9-18 |
||
Specifying Authorization Profiles |
9-19 |
|
|
Specifying Common Attributes in Authorization Profiles |
9-19 |
|
|
Specifying RADIUS Attributes in Authorization Profiles |
9-22 |
|
|
Creating and Editing Security Groups |
9-24 |
|
|
Creating, Duplicating, and Editing a Shell Profile for Device Administration |
9-24 |
||
Defining General Shell Profile Properties 9-26 |
|
|
|
Defining Common Tasks 9-26 |
|
|
|
|
|
|
|
|
|
Defining Custom Attributes |
9-29 |
|
|
|
|
|
||||
|
|
|
|
|
|
Creating, Duplicating, and Editing Command Sets for Device Administration 9-29 |
||||||||||
|
|
|
|
|
|
Creating, Duplicating, and Editing Downloadable ACLs 9-32 |
||||||||||
|
|
|
|
|
|
Deleting an Authorizations and Permissions Policy Element |
9-33 |
|
||||||||
|
|
|
|
|
|
Configuring Security Group Access Control Lists |
9-34 |
|
|
|||||||
|
Managing Access Policies |
|
|
|
|
|
|
|
|
|
||||||
C H A P T E R 10 |
10-1 |
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
Policy Creation Flow |
10-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Network Definition and Policy Goals |
10-2 |
|
|
|
|
|
||||
|
|
|
|
|
|
Policy Elements in the Policy Creation Flow |
10-3 |
|
|
|
||||||
|
|
|
|
|
|
Access Service Policy Creation |
10-4 |
|
|
|
|
|
|
|||
|
|
|
|
|
|
Service Selection Policy Creation |
10-4 |
|
|
|
|
|
||||
|
|
|
|
|
|
Customizing a Policy |
10-4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring the Service Selection Policy |
10-5 |
|
|
|
|
|
||||
|
|
|
|
|
|
Configuring a Simple Service Selection Policy |
10-6 |
|
|
|
||||||
|
|
|
|
|
|
Service Selection Policy Page |
10-6 |
|
|
|
|
|
|
|||
|
|
|
|
|
|
Creating, Duplicating, and Editing Service Selection Rules |
10-8 |
|
||||||||
|
|
|
|
|
|
Displaying Hit Counts |
10-10 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Deleting Service Selection Rules |
10-10 |
|
|
|
|
|
||||
|
|
|
|
|
|
Configuring Access Services |
10-11 |
|
|
|
|
|
|
|
||
|
|
|
|
|
|
Editing Default Access Services |
10-11 |
|
|
|
|
|
||||
|
|
|
|
|
|
Creating, Duplicating, and Editing Access Services |
10-12 |
|
|
|||||||
|
|
|
|
|
|
Configuring General Access Service Properties |
10-13 |
|
|
|||||||
|
|
|
|
|
|
Configuring Access Service Allowed Protocols |
10-16 |
|
|
|||||||
|
|
|
|
|
|
Configuring Access Services Templates |
10-20 |
|
|
|
||||||
|
|
|
|
|
|
Deleting an Access Service |
10-21 |
|
|
|
|
|
|
|||
|
|
|
|
|
|
Configuring Access Service Policies |
10-22 |
|
|
|
|
|
||||
|
|
|
|
|
|
Viewing Identity Policies 10-22 |
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
Viewing Rules-Based Identity Policies |
10-24 |
|
|
|
||||||
|
|
|
|
|
|
Configuring Identity Policy Rule Properties |
10-25 |
|
|
|
||||||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
x |
|
|
|
|
|
|
|
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
|
|
Configuring a Group Mapping Policy |
10-27 |
|
|
|
|
|
|
|
||||
|
|
Configuring Group Mapping Policy Rule Properties |
10-29 |
|
|
|
|
|
||||||
|
|
Configuring a Session Authorization Policy for Network Access 10-30 |
||||||||||||
|
|
Configuring Network Access Authorization Rule Properties |
10-32 |
|
|
|
|
|||||||
|
|
Configuring Device Administration Authorization Policies |
10-33 |
|
|
|
|
|||||||
|
|
Configuring Device Administration Authorization Rule Properties |
10-34 |
|
|
|
||||||||
|
|
Configuring Device Administration Authorization Exception Policies |
10-34 |
|
|
|
||||||||
|
|
Configuring Shell/Command Authorization Policies for Device Administration 10-35 |
||||||||||||
|
|
Configuring Authorization Exception Policies |
10-36 |
|
|
|
|
|
||||||
|
|
Creating Policy Rules |
10-38 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Duplicating a Rule |
10-39 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Editing Policy Rules |
10-39 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Deleting Policy Rules |
10-40 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Compound Conditions |
10-41 |
|
|
|
|
|
|
|
|
|
||
|
|
Compound Condition Building Blocks |
10-41 |
|
|
|
|
|
|
|
||||
|
|
Types of Compound Conditions |
10-42 |
|
|
|
|
|
|
|
|
|
||
|
|
Using the Compound Expression Builder |
10-45 |
|
|
|
|
|
|
|||||
|
|
Security Group Access Control Pages 10-46 |
|
|
|
|
|
|
|
|
||||
|
|
Egress Policy Matrix Page |
10-46 |
|
|
|
|
|
|
|
|
|
||
|
|
Editing a Cell in the Egress Policy Matrix |
10-47 |
|
|
|
|
|
|
|||||
|
|
Defining a Default Policy for Egress Policy Page 10-47 |
|
|
|
|
|
|||||||
|
|
NDAC Policy Page |
10-48 |
|
|
|
|
|
|
|
|
|
|
|
|
|
NDAC Policy Properties Page |
|
10-49 |
|
|
|
|
|
|
|
|
|
|
|
|
Network Device Access EAP-FAST Settings Page |
10-51 |
|
|
|
|
|
||||||
|
|
Maximum User Sessions |
10-51 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Max Session User Settings |
10-52 |
|
|
|
|
|
|
|
|
|
||
|
|
Max Session Group Settings |
|
10-52 |
|
|
|
|
|
|
|
|
|
|
|
|
Max Session Global Setting |
|
10-53 |
|
|
|
|
|
|
|
|
|
|
|
|
Purging User Sessions 10-54 |
|
|
|
|
|
|
|
|
|
|
||
|
|
Maximum User Session in Distributed Environment |
10-55 |
|
|
|
|
|
||||||
|
|
Maximum User Session in Proxy Scenario |
|
10-56 |
|
|
|
|
|
|
||||
|
Monitoring and Reporting in ACS |
|
|
|
|
|
|
|
|
|
|
|
||
C H A P T E R 11 |
|
11-1 |
|
|
|
|
|
|
|
|
|
|||
|
|
Authentication Records and Details |
11-2 |
|
|
|
|
|
|
|
|
|
||
|
|
Dashboard Pages 11-2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Working with Portlets 11-4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Working with Authentication Lookup Portlet |
11-5 |
|
|
|
|
|
|
|||||
|
|
Running Authentication Lookup Report |
11-6 |
|
|
|
|
|
|
|||||
|
|
Configuring Tabs in the Dashboard |
11-6 |
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|||||
|
|
|
|
|
|
|
||||||||
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
xi |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
|
|
|
|
|
|
Adding Tabs to the Dashboard |
11-6 |
|
|
|
||||
|
|
|
|
|
|
Adding Applications to Tabs |
11-7 |
|
|
|||||
|
|
|
|
|
|
Renaming Tabs in the Dashboard |
11-7 |
|
|
|||||
|
|
|
|
|
|
Changing the Dashboard Layout |
11-8 |
|
|
|||||
|
|
|
|
|
|
Deleting Tabs from the Dashboard |
11-8 |
|
|
|||||
|
Managing Alarms 12-1 |
|
|
|
|
|
|
|
|
|||||
C H A P T E R 12 |
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
Understanding Alarms |
12-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Evaluating Alarm Thresholds |
12-2 |
|
|
|
||||
|
|
|
|
|
|
Notifying Users of Events |
12-3 |
|
|
|
|
|||
|
|
|
|
|
|
Viewing and Editing Alarms in Your Inbox |
12-3 |
|
|
|||||
|
|
|
|
|
|
Understanding Alarm Schedules |
12-9 |
|
|
|
|
|||
|
|
|
|
|
|
Creating and Editing Alarm Schedules |
12-9 |
|
||||||
|
|
|
|
|
|
Assigning Alarm Schedules to Thresholds |
12-10 |
|
||||||
|
|
|
|
|
|
Deleting Alarm Schedules |
12-11 |
|
|
|
|
|||
|
|
|
|
|
|
Creating, Editing, and Duplicating Alarm Thresholds 12-11 |
||||||||
|
|
|
|
|
|
Configuring General Threshold Information |
12-13 |
|
||||||
|
|
|
|
|
|
Configuring Threshold Criteria |
12-14 |
|
|
|
||||
|
|
|
|
|
|
Passed Authentications |
12-14 |
|
|
|
||||
|
|
|
|
|
|
Failed Authentications |
12-16 |
|
|
|
|
|||
|
|
|
|
|
|
Authentication Inactivity |
12-18 |
|
|
|
||||
|
|
|
|
|
|
TACACS Command Accounting |
12-19 |
|
|
|||||
|
|
|
|
|
|
TACACS Command Authorization |
12-20 |
|
||||||
|
|
|
|
|
|
ACS Configuration Changes |
12-21 |
|
|
|||||
|
|
|
|
|
|
ACS System Diagnostics |
12-22 |
|
|
|
||||
|
|
|
|
|
|
ACS Process Status |
12-23 |
|
|
|
|
|||
|
|
|
|
|
|
ACS System Health |
12-24 |
|
|
|
|
|||
|
|
|
|
|
|
ACS AAA Health |
12-25 |
|
|
|
|
|
||
|
|
|
|
|
|
RADIUS Sessions |
12-26 |
|
|
|
|
|
||
|
|
|
|
|
|
Unknown NAD |
|
12-27 |
|
|
|
|
|
|
|
|
|
|
|
|
External DB Unavailable |
12-28 |
|
|
|
||||
|
|
|
|
|
|
RBACL Drops |
12-29 |
|
|
|
|
|
|
|
|
|
|
|
|
|
NAD-Reported AAA Downtime |
12-31 |
|
|
|||||
|
|
|
|
|
|
Configuring Threshold Notifications |
12-32 |
|
|
|||||
|
|
|
|
|
|
Deleting Alarm Thresholds |
12-33 |
|
|
|
|
|
||
|
|
|
|
|
|
Configuring System Alarm Settings |
12-34 |
|
|
|
||||
|
|
|
|
|
|
Understanding Alarm Syslog Targets |
12-35 |
|
|
|||||
|
|
|
|
|
|
Creating and Editing Alarm Syslog Targets |
12-35 |
|
||||||
|
|
|
|
|
|
Deleting Alarm Syslog Targets |
12-36 |
|
|
|
||||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
||||
|
xii |
|
|
|
|
|
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
C H A P T E R 13 |
Managing Reports |
13-1 |
|
|
|
|
Working with Favorite Reports |
13-3 |
|
|
|
|
Adding Reports to Your Favorites Page |
13-3 |
|||
|
Viewing Favorite-Report Parameters |
13-4 |
|||
|
Editing Favorite Reports |
13-5 |
|
|
|
|
Running Favorite Reports |
13-5 |
|
|
|
|
Deleting Reports from Favorites |
13-6 |
|
||
|
Sharing Reports |
13-6 |
|
|
|
|
Working with Catalog Reports |
13-7 |
|
|
|
|
Available Reports in the Catalog |
13-7 |
|
||
|
Running Catalog Reports |
13-11 |
|
|
|
|
Deleting Catalog Reports |
13-12 |
|
|
|
|
Running Named Reports |
13-13 |
|
|
|
Understanding the Report_Name Page |
13-14 |
|
|
|
||||
|
Enabling RADIUS CoA Options on a Device |
13-17 |
|
|
|
||||
|
Changing Authorization and Disconnecting Active RADIUS Sessions 13-18 |
||||||||
|
Customizing Reports |
13-19 |
|
|
|
|
|
||
|
Restoring Reports |
13-20 |
|
|
|
|
|
|
|
|
Viewing Reports 13-20 |
|
|
|
|
|
|
|
|
|
About Standard Viewer |
13-21 |
|
|
|
|
|
||
|
About Interactive Viewer |
13-21 |
|
|
|
|
|
||
|
About the Interactive Viewer Context Menus |
13-21 |
|
|
|
||||
|
Navigating Reports |
13-22 |
|
|
|
|
|
||
|
Using the Table of Contents 13-23 |
|
|
|
|
||||
|
Exporting Report Data 13-24 |
|
|
|
|
|
|||
|
Printing Reports |
13-26 |
|
|
|
|
|
|
|
|
Saving Report Designs in Interactive Viewer |
13-26 |
|
|
|
||||
|
Formatting Reports in Interactive Viewer |
13-27 |
|
|
|
|
|||
|
Editing Labels |
13-27 |
|
|
|
|
|
|
|
|
Formatting Labels |
13-28 |
|
|
|
|
|
||
|
Formatting Data |
13-28 |
|
|
|
|
|
|
|
|
Resizing Columns |
13-29 |
|
|
|
|
|
|
|
|
Changing Column Data Alignment |
13-29 |
|
|
|
|
|||
|
Formatting Data in Columns 13-29 |
|
|
|
|
|
|||
|
Formatting Data in Aggregate Rows |
13-30 |
|
|
|
|
|||
|
Formatting Data Types |
13-30 |
|
|
|
|
|
||
|
Formatting Numeric Data |
13-31 |
|
|
|
|
|
||
|
Formatting Fixed or Scientific Numbers or Percentages 13-32 |
||||||||
|
Formatting Custom Numeric Data |
13-33 |
|
|
|
|
|||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|
|
||||
|
OL-26225-01 |
|
|
|
|
|
|
xiii |
|
|
|
|
|
|
|
|
|
Contents
|
|
|
|
|
Formatting String Data |
13-33 |
|
|
|
|
|
|
|
|||
|
|
|
|
|
Formatting Custom String Data |
13-33 |
|
|
|
|
|
|||||
|
|
|
|
|
Formatting Date and Time |
13-35 |
|
|
|
|
|
|
||||
|
|
|
|
|
Formatting Custom Date and Time |
13-35 |
|
|
|
|
||||||
|
|
|
|
|
Formatting Boolean Data |
|
13-36 |
|
|
|
|
|
|
|||
|
|
|
|
|
Applying Conditional Formats |
13-37 |
|
|
|
|
|
|||||
|
|
|
|
|
Setting Conditional Formatting for Columns |
13-38 |
|
|
||||||||
|
|
|
|
|
Deleting Conditional Formatting |
13-40 |
|
|
|
|
|
|||||
|
|
|
|
|
Setting and Removing Page Breaks in Detail Columns |
13-40 |
|
|||||||||
|
|
|
|
|
Setting and Removing Page Breaks in a Group Column |
13-41 |
|
|||||||||
|
|
|
|
|
Organizing Report Data |
13-41 |
|
|
|
|
|
|
|
|
||
|
|
|
|
|
Displaying and Organizing Report Data |
13-42 |
|
|
|
|||||||
|
|
|
|
|
Reordering Columns in Interactive Viewer |
13-42 |
|
|
|
|||||||
|
|
|
|
|
Removing Columns |
13-44 |
|
|
|
|
|
|
|
|
||
|
|
|
|
|
Hiding or Displaying Report Items |
13-44 |
|
|
|
|
||||||
|
|
|
|
|
Hiding Columns |
13-45 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Displaying Hidden Columns |
13-45 |
|
|
|
|
|
|
||||
|
|
|
|
|
Merging Columns |
13-45 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Selecting a Column from a Merged Column |
13-47 |
|
|
||||||||
|
|
|
|
|
Sorting Data |
13-47 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sorting a Single Column |
13-47 |
|
|
|
|
|
|
|
|||
|
|
|
|
|
Sorting Multiple Columns |
|
13-47 |
|
|
|
|
|
|
|||
|
|
|
|
|
Grouping Data |
13-49 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Adding Groups |
13-50 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Grouping Data Based on Date or Time |
13-50 |
|
|
|
|||||||
|
|
|
|
|
Removing an Inner Group |
|
13-51 |
|
|
|
|
|
|
|||
|
|
|
|
|
Creating Report Calculations 13-52 |
|
|
|
|
|
||||||
|
|
|
|
|
Understanding Supported Calculation Functions |
13-53 |
|
|||||||||
|
|
|
|
|
Understanding Supported Operators |
|
13-61 |
|
|
|
||||||
|
|
|
|
|
Using Numbers and Dates in an Expression |
13-61 |
|
|||||||||
|
|
|
|
|
Using Multiply Values in Calculated Columns |
13-62 |
|
|||||||||
|
|
|
|
|
Adding Days to an Existing Date Value |
13-62 |
|
|
||||||||
|
|
|
|
|
Subtracting Date Values in a Calculated Column |
13-63 |
|
|||||||||
|
|
|
|
|
Working with Aggregate Data |
13-63 |
|
|
|
|
|
|||||
|
|
|
|
|
Creating an Aggregate Data Row |
13-65 |
|
|
|
|
|
|||||
|
|
|
|
|
Adding Additional Aggregate Rows |
13-66 |
|
|
|
|
||||||
|
|
|
|
|
Deleting Aggregate Rows |
|
13-67 |
|
|
|
|
|
|
|||
|
|
|
|
|
Hiding and Filtering Report Data |
13-67 |
|
|
|
|
|
|
||||
|
|
|
|
|
Hiding or Displaying Column Data |
13-67 |
|
|
|
|
||||||
|
|
|
|
|
Displaying Repeated Values |
13-68 |
|
|
|
|
|
|||||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
xiv |
|
|
|
|
|
|
|
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
|
|
Hiding or Displaying Detail Rows in Groups or Sections |
13-68 |
|
|
|
||||||||
|
|
Working with Filters |
13-69 |
|
|
|
|
|
|
|
|
|
||
|
|
Types of Filter Conditions |
13-70 |
|
|
|
|
|
|
|
|
|||
|
|
Setting Filter Values |
13-71 |
|
|
|
|
|
|
|
|
|
||
|
|
Creating Filters |
13-72 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Modifying or Clearing a Filter |
13-73 |
|
|
|
|
|
|
|
|
|||
|
|
Creating a Filter with Multiple Conditions |
13-73 |
|
|
|
|
|
|
|||||
|
|
Deleting One Filter Condition in a Filter that Contains Multiple Conditions 13-75 |
||||||||||||
|
|
Filtering Highest or Lowest Values in Columns |
13-75 |
|
|
|
|
|
|
|||||
|
|
Understanding Charts |
13-76 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Modifying Charts |
13-77 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Filtering Chart Data 13-77 |
|
|
|
|
|
|
|
|
||||
|
|
Changing Chart Subtype |
13-78 |
|
|
|
|
|
|
|
|
|||
|
|
Changing Chart Formatting |
13-78 |
|
|
|
|
|
|
|
|
|||
|
Troubleshooting ACS with the Monitoring and Report Viewer |
|
|
|
|
|||||||||
C H A P T E R 14 |
14-1 |
|
|
|
||||||||||
|
|
Available Diagnostic and Troubleshooting Tools |
|
14-1 |
|
|
|
|
|
|
||||
|
|
Connectivity Tests |
14-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
ACS Support Bundle |
14-1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Expert Troubleshooter |
14-2 |
|
|
|
|
|
|
|
|
|
||
|
|
Performing Connectivity Tests |
14-3 |
|
|
|
|
|
|
|
|
|||
|
|
Downloading ACS Support Bundles for Diagnostic Information |
14-4 |
|
|
|
|
|||||||
|
|
Working with Expert Troubleshooter |
14-6 |
|
|
|
|
|
|
|
|
|||
|
|
Troubleshooting RADIUS Authentications |
14-6 |
|
|
|
|
|
|
|||||
|
|
Executing the Show Command on a Network Device |
14-10 |
|
|
|
|
|
||||||
|
|
Evaluating the Configuration of a Network Device 14-10 |
|
|
|
|
|
|||||||
|
|
Comparing SGACL Policy Between a Network Device and ACS |
14-12 |
|
|
|
||||||||
|
|
Comparing the SXP-IP Mappings Between a Device and its Peers |
14-12 |
|
|
|
||||||||
|
|
Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records 14-15 |
||||||||||||
|
|
Comparing Device SGT with ACS-Assigned Device SGT |
14-16 |
|
|
|
|
|||||||
|
Managing System Operations and Configuration in the Monitoring and Report Viewer 15-1 |
|||||||||||||
C H A P T E R 15 |
||||||||||||||
|
|
Configuring Data Purging and Incremental Backup |
15-3 |
|
|
|
|
|
|
|||||
|
|
Configuring NFS Staging |
15-7 |
|
|
|
|
|
|
|
|
|
||
|
|
Restoring Data from a Backup |
15-7 |
|
|
|
|
|
|
|
|
|||
|
|
Viewing Log Collections |
15-8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Log Collection Details Page |
15-10 |
|
|
|
|
|
|
|
|
|||
|
|
Recovering Log Messages |
15-12 |
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|||||
|
|
|
|
|
|
|
||||||||
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
xv |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
Viewing Scheduled Jobs |
15-12 |
Viewing Process Status |
15-14 |
Viewing Data Upgrade Status 15-15 |
|
Viewing Failure Reasons |
15-15 |
Editing Failure Reasons |
15-15 |
Specifying E-Mail Settings |
15-16 |
|
Configuring SNMP Preferences |
15-16 |
|
||
|
Understanding Collection Filters |
|
15-17 |
|
|
|
Creating and Editing Collection Filters 15-17 |
|
|||
|
Deleting Collection Filters |
15-18 |
|
||
|
Configuring System Alarm Settings |
15-18 |
|
||
|
Configuring Alarm Syslog Targets |
15-18 |
|
||
|
Configuring Remote Database Settings 15-18 |
|
|||
|
Changing the Port Numbers for Oracle Database 15-20 |
||||
|
Managing System Administrators |
|
|
|
|
C H A P T E R 16 |
|
16-1 |
|
||
|
Understanding Administrator Roles and Accounts |
16-2 |
|||
|
Understanding Authentication |
16-3 |
|
||
|
Configuring System Administrators and Accounts |
16-3 |
|||
|
Understanding Roles |
16-3 |
|
|
|
|
Assigning Roles 16-3 |
|
|
|
|
|
Assigning Static Roles |
16-4 |
|
||
|
Assigning Dynamic Roles |
16-4 |
|
||
|
Permissions 16-4 |
|
|
|
|
|
Predefined Roles |
16-5 |
|
|
|
|
|
|
|
|
Changing Role Associations |
16-6 |
|
|
|
|
|
|
|
|
Administrator Accounts and Role Association 16-6 |
||||
|
|
|
|
|
Recovery Administrator Account |
16-7 |
|
||
|
|
|
|
|
Creating, Duplicating, Editing, and Deleting Administrator Accounts 16-7 |
||||
|
|
|
|
|
Viewing Predefined Roles |
16-9 |
|
|
|
|
|
|
|
|
Viewing Role Properties |
16-10 |
|
|
|
|
|
|
|
|
Configuring Authentication Settings for Administrators 16-10 |
||||
|
|
|
|
|
Configuring Session Idle Timeout |
16-12 |
|
|
|
|
|
|
|
|
Configuring Administrator Access Settings |
16-13 |
|
||
|
|
|
|
|
Working with Administrative Access Control |
16-14 |
|
||
|
|
|
|
|
Administrator Identity Policy |
16-15 |
|
|
|
|
|
|
|
|
Viewing Rule-Based Identity Policies 16-16 |
||||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
||
|
xvi |
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
Contents
|
Configuring Identity Policy Rule Properties |
|
16-18 |
|
|
|
|
||||
|
Administrator Authorization Policy |
16-19 |
|
|
|
|
|
|
|||
|
Configuring Administrator Authorization Policies |
16-19 |
|
|
|
||||||
|
Configuring Administrator Authorization Rule Properties |
16-20 |
|
|
|||||||
|
Administrator Login Process |
|
16-21 |
|
|
|
|
|
|
|
|
|
Resetting the Administrator Password |
16-22 |
|
|
|
|
|
|
|||
|
Changing the Administrator Password |
16-22 |
|
|
|
|
|
|
|||
|
Changing Your Own Administrator Password |
16-22 |
|
|
|
||||||
|
Resetting Another Administrator’s Password |
16-23 |
|
|
|
||||||
|
Configuring System Operations |
|
|
|
|
|
|
|
|
||
C H A P T E R 17 |
17-1 |
|
|
|
|
|
|
|
|||
|
Understanding Distributed Deployment |
17-2 |
|
|
|
|
|
|
|||
|
Activating Secondary Servers |
17-3 |
|
|
|
|
|
|
|
||
|
Removing Secondary Servers |
17-4 |
|
|
|
|
|
|
|
||
|
Promoting a Secondary Server |
17-4 |
|
|
|
|
|
|
|||
|
Understanding Local Mode |
17-4 |
|
|
|
|
|
|
|
||
|
Understanding Full Replication |
17-5 |
|
|
|
|
|
|
|||
|
Specifying a Hardware Replacement 17-5 |
|
|
|
|
|
|||||
|
Scheduled Backups |
17-6 |
|
|
|
|
|
|
|
|
|
|
Creating, Duplicating, and Editing Scheduled Backups |
17-6 |
|
|
|||||||
|
Backing Up Primary and Secondary Instances |
17-8 |
|
|
|
|
|||||
|
Synchronizing Primary and Secondary Instances After Backup and Restore |
17-9 |
|
||||||||
|
Editing Instances |
17-9 |
|
|
|
|
|
|
|
|
|
|
Viewing and Editing a Primary Instance |
17-9 |
|
|
|
|
|||||
|
Viewing and Editing a Secondary Instance |
|
17-13 |
|
|
|
|
||||
|
Deleting a Secondary Instance |
17-13 |
|
|
|
|
|
|
|||
|
Activating a Secondary Instance |
|
17-14 |
|
|
|
|
|
|
|
|
|
Registering a Secondary Instance to a Primary Instance |
17-14 |
|
|
|||||||
|
Deregistering Secondary Instances from the Distributed System Management Page |
17-17 |
|||||||||
|
Deregistering a Secondary Instance from the Deployment Operations Page |
17-17 |
|
||||||||
|
Promoting a Secondary Instance from the Distributed System Management Page |
17-18 |
|||||||||
|
Promoting a Secondary Instance from the Deployment Operations Page 17-19 |
|
|||||||||
|
Replicating a Secondary Instance from a Primary Instance |
17-19 |
|
|
Replicating a Secondary Instance from the Distributed System Management Page 17-20
Replicating a Secondary Instance from the Deployment Operations Page 17-20
|
Changing the IP address of a Primary Instance from the Primary Server |
17-21 |
|
|
|
|
Failover 17-22 |
|
|
|
|
|
Using the Deployment Operations Page to Create a Local Mode Instance |
17-23 |
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|||||
|
OL-26225-01 |
|
|
xvii |
|
|
|
|
|
Contents
|
Creating, Duplicating, Editing, and Deleting Software Repositories |
17-24 |
||
|
Managing Software Repositories from the Web Interface and CLI |
17-25 |
||
|
Managing System Administration Configurations 18-1 |
|
||
C H A P T E R 18 |
|
|||
|
Configuring Global System Options |
18-1 |
|
|
|
Configuring TACACS+ Settings |
18-1 |
|
|
|
Configuring EAP-TLS Settings |
18-2 |
|
|
|
Configuring PEAP Settings |
18-3 |
|
|
|
Configuring EAP-FAST Settings |
18-3 |
|
|
|
Generating EAP-FAST PAC |
18-4 |
|
|
|
Configuring RSA SecurID Prompts |
|
18-4 |
|
|
Managing Dictionaries 18-5 |
|
|
|
|
|
|
|
|
Viewing RADIUS and TACACS+ Attributes |
18-5 |
|
|
|||||
|
|
|
|
|
Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes |
18-6 |
|
||||||
|
|
|
|
|
Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes 18-7 |
||||||||
|
|
|
|
|
Viewing RADIUS Vendor-Specific Subattributes 18-9 |
|
|
||||||
|
|
|
|
|
Configuring Identity Dictionaries |
18-10 |
|
|
|
|
|||
|
|
|
|
|
Creating, Duplicating, and Editing an Internal User Identity Attribute |
18-10 |
|
||||||
|
|
|
|
|
Configuring Internal Identity Attributes |
18-11 |
|
|
|||||
|
|
|
|
|
Deleting an Internal User Identity Attribute |
18-12 |
|
|
|||||
|
|
|
|
|
Creating, Duplicating, and Editing an Internal Host Identity Attribute |
18-13 |
|
||||||
|
|
|
|
|
Deleting an Internal Host Identity Attribute |
18-13 |
|
|
|||||
|
|
|
|
|
Adding Static IP address to Users in Internal Identity Store 18-14 |
|
|
||||||
|
|
|
|
|
Configuring Local Server Certificates |
18-14 |
|
|
|
|
|||
|
|
|
|
|
Adding Local Server Certificates |
18-14 |
|
|
|
|
|
||
|
|
|
|
|
Importing Server Certificates and Associating Certificates to Protocols |
18-15 |
|
||||||
|
|
|
|
|
Generating Self-Signed Certificates |
18-16 |
|
|
|
||||
|
|
|
|
|
Generating a Certificate Signing Request |
|
18-17 |
|
|
||||
|
|
|
|
|
Binding CA Signed Certificates |
18-18 |
|
|
|
|
|||
|
|
|
|
|
Editing and Renewing Certificates |
18-18 |
|
|
|
||||
|
|
|
|
|
Deleting Certificates |
18-19 |
|
|
|
|
|
|
|
|
|
|
|
|
Exporting Certificates |
18-20 |
|
|
|
|
|
|
|
|
|
|
|
|
Viewing Outstanding Signing Requests |
18-20 |
|
|
|||||
|
|
|
|
|
Configuring Logs 18-21 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Configuring Remote Log Targets |
18-21 |
|
|
|
|
|||
|
|
|
|
|
Deleting a Remote Log Target |
18-23 |
|
|
|
|
|||
|
|
|
|
|
Configuring the Local Log |
18-24 |
|
|
|
|
|
||
|
|
|
|
|
Deleting Local Log Data 18-24 |
|
|
|
|
|
|
||
|
|
|
|
|
Configuring Logging Categories |
18-24 |
|
|
|
|
|||
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
||
|
xviii |
|
|
|
|
|
|
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
Configuring Global Logging Categories 18-25 |
|
Configuring Per-Instance Logging Categories 18-29 |
|
Configuring Per-Instance Security and Log Settings |
18-30 |
Configuring Per-Instance Remote Syslog Targets |
18-31 |
Displaying Logging Categories |
18-32 |
||
Configuring the Log Collector |
18-33 |
|
|
Viewing the Log Message Catalog |
18-33 |
||
Licensing Overview |
18-34 |
|
|
Types of Licenses |
18-34 |
|
|
Installing a License File 18-35 |
|
|
|
Viewing the Base License 18-36 |
|
||
Upgrading the Base Server License |
18-37 |
||
Viewing License Feature Options |
18-38 |
|
|
Adding Deployment License Files |
18-39 |
|
|
Deleting Deployment License Files |
18-40 |
||
Available Downloads |
18-40 |
|
|
|
|
Downloading Migration Utility Files |
18-41 |
|
|
|
|||||
|
|
Downloading UCP Web Service Files |
18-41 |
|
|
|
|||||
|
|
Downloading Sample Python Scripts |
18-41 |
|
|
|
|||||
|
|
Downloading Rest Services |
18-42 |
|
|
|
|
||||
|
Understanding Logging |
|
|
|
|
|
|
|
|||
C H A P T E R 19 |
19-1 |
|
|
|
|
|
|
||||
|
|
About Logging |
19-1 |
|
|
|
|
|
|
|
|
|
|
Using Log Targets |
19-2 |
|
|
|
|
|
|
||
|
|
Logging Categories |
19-2 |
|
|
|
|
|
|||
|
|
Global and Per-Instance Logging Categories 19-4 |
|||||||||
|
|
Log Message Severity Levels |
19-4 |
|
|
|
|
||||
|
|
Local Store Target |
19-5 |
|
|
|
|
|
|
||
|
|
Critical Log Target |
19-7 |
|
|
|
|
|
|||
|
|
Remote Syslog Server Target |
19-8 |
|
|
|
|
||||
|
|
Monitoring and Reports Server Target |
19-10 |
|
|
|
|||||
|
|
Viewing Log Messages |
19-10 |
|
|
|
|
||||
|
|
Debug Logs |
19-11 |
|
|
|
|
|
|
|
|
|
|
ACS 4.x Versus ACS 5.4 Logging |
19-12 |
|
|
|
|
||||
|
AAA Protocols |
|
|
|
|
|
|
|
|
|
|
A P P E N D I X A |
A-1 |
|
|
|
|
|
|
|
|
||
|
|
Typical Use Cases |
A-1 |
|
|
|
|
|
|
|
|
|
|
Device Administration (TACACS+) A-1 |
|||||||||
|
|
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
OL-26225-01 |
|
|
|
|
|
|
|
|
xix |
|
|
|
|
|
|
|
|
|
|
|
Contents
Session Access Requests (Device Administration [TACACS+]) A-2 |
|||
Command Authorization Requests |
A-2 |
|
|
Network Access (RADIUS With and Without EAP) |
A-2 |
||
RADIUS-Based Flow Without EAP Authentication A-3 |
|||
RADIUS-Based Flows with EAP Authentication |
A-3 |
||
Access Protocols—TACACS+ and RADIUS |
A-5 |
|
|
Overview of TACACS+ |
A-5 |
|
|
Overview of RADIUS |
A-6 |
|
|
|
|
RADIUS VSAs |
A-6 |
|
|
|
|
|
|
|
|
ACS 5.4 as the AAA Server |
A-7 |
|
|
|
|||
|
|
RADIUS Attribute Support in ACS 5.4 |
A-8 |
|
|||||
|
|
RADIUS Attribute Rewrite Operation |
A-9 |
||||||
|
|
RADIUS Access Requests |
A-11 |
|
|
|
|||
|
Authentication in ACS 5.4 B-1 |
|
|
|
|
||||
A P P E N D I X B |
|
|
|
|
|||||
|
Authentication Considerations |
B-1 |
|
|
|
||||
|
Authentication and User Databases |
B-1 |
|
|
|||||
|
PAP |
B-2 |
|
|
|
|
|
|
|
|
|
RADIUS PAP Authentication |
B-3 |
|
|
||||
|
EAP |
B-3 |
|
|
|
|
|
|
|
|
EAP-MD5 |
B-5 |
|
|
|
|
|
|
|
|
|
Overview of EAP-MD5 |
B-5 |
|
|
|
|
||
|
|
EAPMD5 Flow in ACS 5.4 |
B-5 |
|
|
|
|||
|
EAP-TLS |
B-5 |
|
|
|
|
|
|
|
|
|
Overview of EAP-TLS |
B-6 |
|
|
|
|
||
|
|
User Certificate Authentication |
B-6 |
|
|||||
|
|
PKI Authentication |
B-7 |
|
|
|
|||
|
|
PKI Credentials |
B-8 |
|
|
|
|
|
|
|
|
PKI Usage |
B-8 |
|
|
|
|
|
|
|
|
Fixed Management Certificates |
B-9 |
|
|||||
|
|
Importing Trust Certificates |
B-9 |
|
|
||||
|
|
Acquiring Local Certificates |
B-9 |
|
|
|
|||
|
|
Importing the ACS Server Certificate |
B-10 |
||||||
|
|
Initial Self-Signed Certificate Generation B-10 |
|||||||
|
|
Certificate Generation |
B-10 |
|
|
|
|||
|
|
Exporting Credentials |
B-11 |
|
|
|
|
||
|
|
Credentials Distribution |
B-12 |
|
|
|
|
|
|
|
|
Hardware Replacement and Certificates |
B-12 |
|
|
|
|
|
|
Securing the Cryptographic Sensitive Material |
B-12 |
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
xx |
|
|
|
|
OL-26225-01 |
|
|
|
|
|
|
|
Contents
|
|
Private Keys and Passwords Backup |
|
B-13 |
|
|
|
|
|||||
|
EAP-TLS Flow in ACS 5.4 |
B-13 |
|
|
|
|
|
|
|
||||
|
PEAPv0/1 B-14 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Overview of PEAP |
B-15 |
|
|
|
|
|
|
|
|
|
||
|
|
Supported PEAP Features |
B-15 |
|
|
|
|
|
|
||||
|
PEAP Flow in ACS 5.4 |
B-17 |
|
|
|
|
|
|
|
|
|||
|
|
Creating the TLS Tunnel |
B-18 |
|
|
|
|
|
|
|
|||
|
|
Authenticating with MSCHAPv2 B-19 |
|
|
|
|
|||||||
|
EAP-FAST B-19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Overview of EAP-FAST |
|
B-19 |
|
|
|
|
|
|
|
|
||
|
|
EAP-FAST Benefits |
B-21 |
|
|
|
|
|
|
|
|
||
|
EAP-FAST in ACS 5.4 |
B-21 |
|
|
|
|
|
|
|
|
|||
|
|
About Master-Keys |
B-22 |
|
|
|
|
|
|
|
|
||
|
|
About PACs |
B-22 |
|
|
|
|
|
|
|
|
|
|
|
|
Provisioning Modes |
B-23 |
|
|
|
|
|
|
|
|
||
|
|
Types of PACs |
B-23 |
|
|
|
|
|
|
|
|
||
|
|
ACS-Supported Features for PACs |
B-25 |
|
|
|
|
||||||
|
|
Master Key Generation and PAC TTLs |
B-27 |
|
|
|
|
||||||
|
|
EAP-FAST for Allow TLS Renegotiation |
B-27 |
|
|
|
|
||||||
|
EAP-FAST Flow in ACS 5.4. B-27 |
|
|
|
|
|
|
|
|||||
|
EAP-FAST PAC Management |
B-28 |
|
|
|
|
|
|
|||||
|
|
Key Distribution Algorithm |
B-29 |
|
|
|
|
|
|
||||
|
|
EAP-FAST PAC-Opaque Packing and Unpacking |
B-29 |
||||||||||
|
|
Revocation Method |
B-29 |
|
|
|
|
|
|
|
|
||
|
|
PAC Migration from ACS 4.x |
B-29 |
|
|
|
|
|
|
||||
|
EAP Authentication with RADIUS Key Wrap |
B-30 |
|
|
|
|
|||||||
|
EAP-MSCHAPv2 B-30 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Overview of EAP-MSCHAPv2 |
B-31 |
|
|
|
|
|
|
|||||
|
|
MSCHAPv2 for User Authentication |
B-31 |
|
|
|
|
||||||
|
|
MSCHAPv2 for Change Password |
B-31 |
|
|
|
|
||||||
|
|
Windows Machine Authentication Against AD |
B-31 |
||||||||||
|
EAPMSCHAPv2 Flow in ACS 5.4 |
B-32 |
|
|
|
|
|
|
|||||
|
CHAP |
B-32 |
|
|
|
|
|
|
|
|
|
|
|
|
LEAP |
B-32 |
|
|
|
|
|
|
|
|
|
|
|
|
Certificate Attributes |
B-32 |
|
|
|
|
|
|
|
|
|
||
|
Certificate Binary Comparison |
B-33 |
|
|
|
|
|
|
|||||
|
|
Rules Relating to Textual Attributes |
|
B-33 |
|
|
|
|
|||||
|
Certificate Revocation |
|
B-34 |
|
|
|
|
|
|
|
|
||
|
Machine Authentication |
B-35 |
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
User Guide for Cisco Secure Access Control System 5.4 |
|
|
|
|||
|
|
|
|
|
|
|
|
||||||
|
OL-26225-01 |
|
|
|
|
|
|
|
|
|
|
xxi |
|
|
|
|
|
|
|
|
|
|
|
|
|
Contents
|
Authentication Protocol and Identity Store Compatibility B-36 |
|
Open Source License Acknowledgements C-1 |
A P P E N D I X C |
|
|
Notices C-1 |
|
OpenSSL/Open SSL Project C-1 |
|
License Issues C-1 |
|
C-3 |
|
|
G L O S S A R Y |
|
|
|
I N D E X |
|
User Guide for Cisco Secure Access Control System 5.4
|
xxii |
OL-26225-01 |
|
|
|
Revised: November 13, 2013
This guide describes how to use Cisco Secure Access Control System (ACS) 5.4.
Audience
This guide is for security administrators who use ACS, and who set up and maintain network and application security.
Document Conventions
This guide uses the convention whereby the symbol ^ represents the key labeled Control. For example, the key combination ^z means hold down the Control key while you press the z key.
Command descriptions use these conventions:
•Examples that contain system prompts denote interactive sessions, indicating the commands that you should enter at the prompt. The system prompt indicates the current level of the EXEC command interpreter. For example, the prompt Router> indicates that you should be at the user level, and the prompt Router# indicates that you should be at the privileged level. Access to the privileged level usually requires a password.
•Commands and keywords are in boldface font.
•Arguments for which you supply values are in italic font.
•Elements in square brackets ([ ]) are optional.
•Alternative keywords of which you must choose one are grouped in braces ({}) and separated by vertical bars (|).
Examples use these conventions:
•Terminal sessions and sample console screen displays are in screen font.
•Information you enter is in boldface screen font.
•Nonprinting characters, such as passwords, are in angle brackets (< >).
•Default responses to system prompts are in square brackets ([]).
•An exclamation point (!) at the beginning of a line indicates a comment line.
User Guide for Cisco Secure Access Control System 5.4
|
OL-26225-01 |
xxiii |
|
Preface
Caution Means reader be careful. You are capable of doing something that might result in equipment damage or loss of data.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Note Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful suggestions, or provide references to materials not contained in the document.
Documentation Updates
Table 1 lists the updates to the User Guide for Cisco Secure Access Control System 5.4.
Table 1 |
Updates to the User Guide for Cisco Secure Access Control System 5.4 |
||
|
|
|
|
Date |
|
Description |
|
|
|
|
|
9/26/2013 |
|
Fixed the following bugs: |
|
|
|
• |
CSCuh90646 |
|
|
• |
CSCuj24445 |
|
|
|
|
10/30/2012 |
|
Updated the guide with Cisco 3415 Secure Access Control System information. |
|
|
|
|
|
10/23/2012 |
|
Cisco Secure Access Control System, Release 5.4. |
|
|
|
|
|
Related Documentation
Table 2 lists a set of related technical documentation available on Cisco.com. To find end-user documentation for all products on Cisco.com, go to: http://www.cisco.com/go/techdocs.
Select Products > Security > Access Control and Policy > Policy and Access Management > Cisco Secure Access Control System.
Note It is possible for the printed and electronic documentation to be updated after original publication. Therefore, you should also review the documentation on http://www.cisco.com for any updates.
User Guide for Cisco Secure Access Control System 5.4
|
xxiv |
OL-26225-01 |
|
|
|
Preface
Table 2 |
Product Documentation |
|
|
|
|
||
|
|
|
|
Document Title |
|
Available Formats |
|
|
|
||
Cisco Secure Access Control System In-Box |
http://www.cisco.com/en/US/products/ps9911/ |
||
Documentation and China ROHS Pointer Card |
products_licensing_information_listing.html |
||
|
|
||
License and Documentation Guide for Cisco |
http://www.cisco.com/en/US/products/ps9911/ |
||
Secure Access Control System 5.4 |
products_documentation_roadmaps_list.html |
||
|
|
||
Release Notes for Cisco Secure Access Control |
http://www.cisco.com/en/US/products/ps9911/ |
||
System 5.4 |
|
prod_release_notes_list.html |
|
|
|
||
Migration Guide for Cisco Secure Access |
http://www.cisco.com/en/US/products/ps9911/ |
||
Control System 5.4 |
prod_installation_guides_list.html |
||
|
|
||
CLI Reference Guide for Cisco Secure Access |
http://www.cisco.com/en/US/products/ps9911/ |
||
Control System 5.4 |
prod_command_reference_list.html |
||
|
|
||
Supported and Interoperable Devices and |
http://www.cisco.com/en/US/products/ps9911/ |
||
Software for Cisco Secure Access Control |
products_device_support_tables_list.html |
||
System 5.4 |
|
|
|
|
|
||
Installation and Upgrade Guide for Cisco |
http://www.cisco.com/en/US/products/ps9911/ |
||
Secure Access Control System 5.4 |
prod_installation_guides_list.html |
||
|
|
||
Software Developer’s Guide for Cisco Secure |
http://www.cisco.com/en/US/products/ps9911/ |
||
Access Control System 5.4 |
products_programming_reference_guides_list.html |
||
|
|
||
Regulatory Compliance and Safety Information |
http://www.cisco.com/en/US/docs/net_mgmt/cisco_ |
||
for Cisco Secure Access Control System 5.4 |
secure_access_control_system/5.4/regulatory/comp |
||
|
|
liance/csacsrcsi.html |
|
|
|
|
|
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
User Guide for Cisco Secure Access Control System 5.4
|
OL-26225-01 |
xxv |
|
Preface
User Guide for Cisco Secure Access Control System 5.4
|
xxvi |
OL-26225-01 |
|
|
|
C H A P T E R 1
This section contains the following topics:
•Overview of ACS, page 1-1
•ACS Distributed Deployment, page 1-2
•ACS Management Interfaces, page 1-3
ACS is a policy-based security server that provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to your network. ACS facilitates the administrative management of Cisco and non-Cisco devices and applications.
As a dominant enterprise network access control platform, ACS serves as an integration point for network access control and identity management.
ACS 5.x provides a rule-based policy model that allows you to control network access based on dynamic conditions and attributes. The rule-based policy is designed to meet complex access policy needs. For more information on the rule-based policy model in ACS, see Chapter 3, “ACS 5.x Policy Model.”
Within the greater context of two major AAA protocols—RADIUS and TACACS+—ACS provides the following basic areas of functionality:
•Under the framework of the RADIUS protocol, ACS controls the wired and wireless access by users and host machines to the network and manages the accounting of the network resources used.
ACS supports multiple RADIUS-based authentication methods that includes PAP, CHAP, MSCHAPv1, MSCHAPv2. It also supports many members of the EAP family of protocols, such as EAP-MD5, LEAP, PEAP, EAP-FAST, and EAP-TLS.
In association with PEAP or EAP-FAST, ACS also supports EAP-MSCHAPv2, EAP-GTC, and EAP-TLS. For more information on authentication methods, see Authentication in ACS 5.4.
•Under the framework of the TACACS+ protocol, ACS helps to manage Cisco and non-Cisco network devices such as switches, wireless access points, routers, and gateways. It also helps to manage services and entities such as dialup, Virtual Private Network (VPN), and firewall.
ACS is the point in your network that identifies users and devices that try to connect to your network. This identity establishment can occur directly by using the ACS internal identity repository for local user authentication or by using external identity repositories.
For example, ACS can use Active Directory as an external identity repository, to authenticate a user to grant the user access to the network. For more information about creating identities and supported identity services, see Chapter 8, “Managing Users and Identity Stores.”
User Guide for Cisco Secure Access Control System 5.4
|
OL-26225-01 |
1-1 |
|
|
|
Chapter 1 Introducing ACS 5.4
ACS provides advanced monitoring, reporting, and troubleshooting tools that help you administer and manage your ACS deployments. For more information on the monitoring, reporting, and troubleshooting capabilities of ACS, see Chapter 11, “Monitoring and Reporting in ACS.”.
For more information about using ACS for device administration and network access scenarios, see Chapter 4, “Common Scenarios Using ACS.”
Cisco Secure ACS:
•Enforces access policies for VPN and wireless users.
•Provides simplified device administration.
•Provides advanced monitoring, reporting, and troubleshooting tools.
There are several changes and enhancements in ACS 5.4 compared to ACS 5.3. For a complete list of new and changed features, see:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/ acs_54_rn.html.
Related Topics
•ACS Distributed Deployment, page 1-2
•ACS Management Interfaces, page 1-3
ACS Distributed Deployment
ACS 5.4 is delivered preinstalled on a standard Cisco Linux-based appliance, and supports a fully distributed deployment.
An ACS deployment can consist of a single instance, or multiple instances deployed in a distributed manner, where all instances in a system are managed centrally. One ACS instance becomes the primary instance and you can register additional ACS instances to the primary instance as secondary instances. All instances have the configuration for the entire deployment, which provides redundancy for configuration data.
The primary instance centralizes the configuration of the instances in the deployment. Configuration changes made in the primary instance are automatically replicated to the secondary instance.
You can force a full replication to the secondary instance. Full replication is used when a new secondary instance is registered and in other cases when the replication gap between the secondary instance and the primary instance is significant.
Related Topic
• ACS 4.x and 5.4 Replication, page 1-2
In ACS 4.x, you must select the database object types (or classes) you wish to replicate from primary instance to the secondary instance. When you replicate an object, a complete configuration copy is made on the secondary instance.
In ACS 5.4, any configuration changes made in the primary instance are immediately replicated to the secondary instance. Only the configuration changes made since the last replication are propagated to the secondary instance.
User Guide for Cisco Secure Access Control System 5.4
1-2 |
OL-26225-01 |
|
|
Chapter 1 Introducing ACS 5.4
ACS 4.x did not provide incremental replication, only full replication, and there was service downtime for replication. ACS 5.4 provides incremental replications with no service downtime.
You can also force a full replication to the secondary instance if configuration changes do not replicate it. Full replication is used when a new secondary instance is registered and other cases when the replication gap between the secondary instance and the primary instance is significant.
Table 1-1 lists some of the differences between ACS 4.x and 5.4 replication.
Table 1-1 |
Differences Between ACS 4.x and 5.4 Replication |
|
|
|
|
ACS 4.x |
|
ACS 5.4 |
|
|
|
You can choose the data items to be replicated. |
You cannot choose the data items to be replicated. |
|
|
|
All data items, by default are replicated. |
|
|
|
Supports multi-level or cascading replication. |
Supports only a fixed flat replication. Cascading |
|
|
|
replication is not supported. |
|
|
|
Some data items, such as the external database |
All data items are replicated except the database |
|
configurations, are not replicated. |
key, database certificate, and master keys. The |
|
|
|
server certificates, Certificate Signing Requests |
|
|
(CSRs), and private keys are replicated, but they |
|
|
are not shown in the interface. |
|
|
|
For more information about setting up a distributed deployment, see Configuring System Operations, page 17-1.
Note Replication does not work in ACS servers if you use the Cisco Overlay Transport Virtualization technology in your Virtual Local Area Network.
Note Network Address Translation (NAT) is not supported in an ACS distributed deployment environment. That is, if the network address of a primary or secondary instance is translated, then the database replication may not work properly, and it may display a shared secret mismatch error.
ACS Licensing Model
You must have a valid license to operate ACS; ACS prompts you to install a valid base license when you first access the web interface. Each server requires a unique base license in a distributed deployment.
For information about the types of licenses you can install, see Types of Licenses, page 18-34. For more information about licenses, see Licensing Overview, page 18-34.
Related Topic
• ACS Distributed Deployment, page 1-2
This section contains the following topics:
User Guide for Cisco Secure Access Control System 5.4
|
OL-26225-01 |
1-3 |
|
|
|
Chapter 1 Introducing ACS 5.4
ACS Management Interfaces
•ACS Web-based Interface, page 1-4
•ACS Command Line Interface, page 1-4
•ACS Programmatic Interfaces, page 1-5
You can use the ACS web-based interface to fully configure your ACS deployment, and perform monitoring and reporting operations. The web interface provides a consistent user experience, regardless of the particular area that you are configuring.
The ACS web interface is supported on HTTPS-enabled Microsoft Internet Explorer versions from 6.x to 9.x and Mozilla Firefox versions from 3.x to 10.x.
The new web interface design and organization:
•Reflects the new policy model, which is organized around the user’s view of policy administration. The new policy model is easier to use, as it separates the complex interrelationships that previously existed among policy elements.
For example, user groups, network device groups (NDGs), network access filters, network access profiles, and so on.
•Presents the configuration tasks in a logical order that you can follow for many common scenarios.
For example, first you configure conditions and authorizations for policies in the Policy Elements drawer, and then you move on to the Policies drawer to configure the policies with the defined policy elements.
•Provides new page functionality, such as sorting and filtering lists of items.
See “Using the Web Interface” section on page 5-3 for more information.
Related Topics
• ACS Command Line Interface, page 1-4
You can use the ACS command-line interface (CLI), a text-based interface, to perform some configuration and operational tasks and monitoring. Access to the ACS-specific CLI requires administrator authentication by ACS 5.4.
You do not need to be an ACS administrator or log into ACS 5.4 to use the non-ACS configuration mode. ACS configuration mode command sessions are logged to the diagnostics logs.
ACS 5.4 is shipped on the Cisco 1121 Secure Access Control System (CSACS-1121) or on the Cisco 3415 Secure Access Control System (CSACS-3415). The ADE-OS software supports these command modes:
•EXEC—Use these commands to perform system-level operation tasks. For example, install, start, and stop application; copy files and installations; restore backups; and display information.
In addition, certain EXEC mode commands have ACS-specific abilities. For example, start an ACS instance, display and export ACS logs, and reset an ACS configuration to factory default settings. Such commands are specifically mentioned in the documentation
•ACS configuration—Use these commands to set the debug log level (enable or disable) for the ACS management and runtime components, and show system settings.
User Guide for Cisco Secure Access Control System 5.4
1-4 |
OL-26225-01 |
|
|