Cisco Systems OL-9971-01 User Manual

CHAPTER 3 Network Configuration
This chapter details concepts and procedures for configuring the Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS. You use the configuration process to establish a distributed system, and set up interaction with authentication, authorization, and accounting (AAA) clients and servers. You can also configure remote agents for the ACS Solution Engine.
This chapter contains the following topics:
About Network Configuration, page 3-1
About ACS in Distributed Systems, page 3-2
Proxy in Distributed Systems, page 3-3
Network Device Searches, page 3-6
Configuring AAA Clients, page 3-8
Configuring AAA Servers, page 3-14
Configuring Remote Agents (ACS Solution Engine Only), page 3-18
Configuring Network Device Groups, page 3-23
Configuring Proxy Distribution Tables, page 3-27

About Network Configuration

The appearance of the page that you see when you click Network Configuration differs according to the network-configuration selections that you made in the Interface Configuration section.
The tables that might appear in this section are:
AAA Clients—This table lists each AAA client that is configured on the network, together with its IP address and associated protocol. If you are using Network Device Groups (NDGs), this table does not appear on the initial page, but is accessed through the Network Device Group table. For more information about this interface configuration, see Displaying Advanced Options, page 2-5.
AAA Servers—This table lists each AAA server that is configured on the network together with its IP address and associated type. After installation, this table automatically lists the machine on which ACS is installed. In ACS SE, the name of the machine is listed as self.
If you are using Network Device Groups (NDGs), this table does not appear on the initial page, but is accessed through the Network Device Group table. For more information about this interface configuration, see Displaying Advanced Options, page 2-5.
OL-9971-01
User Guide for Cisco Secure Access Control Server
3-1

Remote Agents (ACS Solution Engine)—This table lists each remote agent that is configured together with its IP address and available services. For more information about remote agents, see About Remote Agents, page 3-19.
Note The Remote Agents table does not appear unless you have enabled the Distributed System Settings feature in Interface Configuration. If you are using NDGs, this table does not appear on the initial page, but is accessed through the Network Device Groups table. For more information about this interface configuration, see Displaying Advanced Options, page 2-5.
Network Device Groups—This table lists the name of each NDG that has been configured, and the number of AAA clients and AAA servers that are assigned to each NDG. If you are using NDGs, the AAA Clients table and AAA Servers table do not appear on the opening page. To configure AAA clients or AAA servers, you must click the name of the NDG to which the device is assigned. If the newly configured device is not assigned to an NDG, it belongs to the (Not Assigned) group.
This table appears only when you have configured the interface to use NDGs. For more information about this interface configuration, see Displaying Advanced Options, page 2-5.
Proxy Distribution Table—You can use the Proxy Distribution Table to configure proxy capabilities including domain stripping. For more information, see Configuring Proxy Distribution Tables, page 3-27.
This table appears only when you have configured the interface to enable Distributed Systems Settings. For more information about this interface configuration, see Displaying Advanced Options, page 2-5.
About ACS in Distributed Systems
These topics describe how ACS can be used in a distributed system.
AAA Servers in Distributed Systems, page 3-2
Default Distributed System Settings, page 3-3

AAA Servers in Distributed Systems

AAA server is the generic term for an access-control server (ACS), and the two terms are often used interchangeably. Multiple AAA servers can be configured to communicate with one another as primary, backup, client, or peer systems. You can, therefore, use powerful features such as:
Proxy
Fallback on failed connection
ACS internal database replication
Remote and centralized logging
You can configure AAA servers to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user. Authentication information validates user identity, and authorization information determines what network services a user can use. A single AAA server can provide concurrent AAA services to many dial-up access servers, routers, and firewalls. Each network device can be configured to communicate with a AAA server. You can, therefore, centrally control dial-up access, and secure network devices from unauthorized access.
These types of access control have unique authentication and authorization requirements. With ACS, system administrators can use a variety of authentication methods that are used with different degrees of authorization privileges.
Completing the AAA functionality, ACS serves as a central repository for accounting information. Each user session that ACS grants can be fully accounted for, and its accounting information can be stored in the server. You can use this accounting information for billing, capacity planning, and security audits.
Note If the fields mentioned in this section do not appear in the ACS web interface, you can enable them by choosing Interface Configuration > Advanced Options. Then, check the Distributed System Settings check box.

Default Distributed System Settings

You use the AAA Servers table and the Proxy Distribution Table to establish distributed system settings. The parameters that are configured within these tables create the foundation so that you can configure multiple ACSs to work with one another. Each table contains an ACS entry for itself. In the AAA Servers table, the only AAA server that is initially listed is itself (in ACS SE, the server name is listed as self); the Proxy Distribution Table lists an initial entry of (Default), which displays how the local ACS is configured to handle each authentication request locally.
You can configure additional AAA servers in the AAA Servers table. These devices can, therefore, become visible in the web interface so that they can be configured for other distributed features such as proxy, ACS internal database replication, remote logging, and RDBMS synchronization. For information about configuring additional AAA servers, see Adding AAA Servers, page 3-16.

Proxy in Distributed Systems
Proxy is a powerful feature that enables you to use ACS for authentication in a network that uses more than one AAA server. This section contains the following topics:
The Proxy Feature, page 3-3
Fallback on Failed Connection, page 3-4
Remote Use of Accounting Packets, page 3-5
Other Features Enabled by System Distribution, page 3-6

The Proxy Feature

Using proxy, ACS automatically forwards an authentication request from AAA clients to AAA servers. After the request has been successfully authenticated, the authorization privileges that you configured for the user on the remote AAA server are passed back to the original ACS, where the AAA client applies the user profile information for that session.
Proxy provides a useful service to users, such as business travelers, who dial in to a network device other than the one they normally use and would otherwise be authenticated by a foreign AAA server. To configure proxy, you choose Interface Configuration > Advanced Options. Then, check the Distributed System Settings check box.

An Example

This section presents a scenario of proxy that is used in an enterprise system. Mary is an employee with an office in the corporate headquarters in Los Angeles. Her username is mary@la.corporate.com. When Mary needs access to the network, she accesses the network locally and authenticates her username and password. Because Mary works in the Los Angeles office, her user profile, which defines her authentication and authorization privileges, resides on the local Los Angeles AAA server.
However, Mary occasionally travels to a division within the corporation in New York, where she still needs to access the corporate network to get her e-mail and other files. When Mary is in New York, she dials in to the New York office and logs in as mary@la.corporate.com. The New York ACS does not recognize her username, but the Proxy Distribution Table contains an entry, @la.corporate.com, to forward the authentication request to the Los Angeles ACS. Because the username and password information for Mary reside on that AAA server, when she authenticates correctly, the AAA client in the New York office applies the authorization parameters that are assigned to her.

Proxy Distribution Table

Whether, and where, an authentication request is to be forwarded is defined in the Proxy Distribution Table on the Network Configuration page. You can use multiple ACSs throughout your network. For information about configuring the Proxy Distribution Table, see Configuring Proxy Distribution Tables, page 3-27.
ACS employs character strings that the administrator defines to determine whether an authentication request should be processed locally or forwarded, and where. When an end user dials in to the network device and ACS finds a match for the character string defined in the Proxy Distribution Table, ACS forwards the authentication request to the associated remote AAA server.
Note When an ACS receives a TACACS+ authentication request forwarded by proxy, any requests for Network Access Restrictions for TACACS+ are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
Note When an ACS proxies to a second ACS, the second ACS responds to the first by using only IETF attributes, no VSAs, when it recognizes the first ACS as the AAA server. Alternatively, you can configure the second ACS to see an ACS as a AAA client; in this case, the second ACS responses include the RADIUS VSAs for whatever RADIUS vendor is specified in the AAA client definition table entry—in the same manner as any other AAA client.
Administrators with geographically dispersed networks can configure and manage the user profiles of employees within their immediate location or building. The administrator can, therefore, manage the policies of just their users, and all authentication requests from other users within the company can be forwarded to their respective AAA server for authentication. Not every user profile must reside on every AAA server. Proxies save administration time and server space, and allow end users to receive the same privileges regardless of the access device through which they connect.

Fallback on Failed Connection

You can configure the order in which ACS checks remote AAA servers if a failure of the network connection to the primary AAA server occurs. If an authentication request cannot be sent to the first listed server, because of a network failure for example, the next listed server is checked. This checking continues, in order, down the list, until one of the AAA servers handles the authentication request. (Failed connections are detected by failure of the nominated server to respond within a specified time period. That is, the request is timed out.) If ACS cannot connect to any server in the list, authentication fails.

Character String

ACS forwards authentication requests by using a configurable set of characters with a delimiter, such as periods (.), slashes (/), or hyphens (-). When configuring the ACS character string, you must specify whether the character string is the prefix or suffix. For example, you can use domain.us as a suffix character string in username*domain.us, where the asterisk (*) represents any delimiter. An example of a prefix character string is domain.*username, where the asterisk (*) would be used to detect the slash (/).

Stripping

Stripping allows ACS to remove, or strip, the matched character string from the username. When you enable stripping, ACS examines each authentication request for matching information. When ACS finds a match by character string in the Proxy Distribution Table, as described in the example under Proxy in Distributed Systems, page 3-3, ACS strips off the character string if you have configured it to do so. For example, in the following proxy example, the character string that accompanies the username establishes the ability to forward the request to another AAA server. If the user must enter the user ID of mary@corporate.com to be forwarded correctly to the AAA server for authentication, ACS might find a match on the @corporate.com character string, and strip the @corporate.com, leaving a username of mary, which might be the username format that the destination AAA server requires to identify the correct entry in its database.
Note Realm stripping does not work with Extensible Authentication Protocol (EAP)-based authentication protocols, such as Protected Extensible Authentication Protocol (PEAP) or Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). For example, if you are using Protected Extensible Authentication Protocol Microsoft Challenge Authentication Handshake Protocol (PEAP MSCHAP), authentication will fail if a realm is stripped by proxy.
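The following is an added example, written for this page and not ACS's own code, that models the behaviour described in Fallback on Failed Connection, Character String and Stripping together: a Proxy Distribution Table with suffix and prefix character strings, optional stripping, the EAP caveat from the note above, and an ordered server list that is walked until a server answers. The table entries, server names, user profiles and the responders that simulate a timed-out connection are all constructed for the example.

```python
"""Model of Proxy Distribution Table matching, stripping and ordered fallback.
Illustrative code for this chapter, not ACS's implementation; the entries,
servers and simulated responders below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProxyEntry:
    string: str               # character string, e.g. "@la.corporate.com"
    position: str             # "suffix" or "prefix"
    strip: bool               # remove the matched string before forwarding
    servers: Tuple[str, ...]  # AAA servers, checked in this order on failure


# The (Default) entry: no character string, the request is handled locally.
DEFAULT = ProxyEntry("", "suffix", False, ("local",))


def select_entry(table: List[ProxyEntry], username: str) -> ProxyEntry:
    """Return the first table entry whose character string matches, else (Default)."""
    for entry in table:
        if not entry.string:
            continue
        if entry.position == "suffix" and username.endswith(entry.string):
            return entry
        if entry.position == "prefix" and username.startswith(entry.string):
            return entry
    return DEFAULT


def forward_username(entry: ProxyEntry, username: str, eap_based: bool = False) -> str:
    """Username to send to the chosen server, stripped if the entry says so.
    A stripped realm makes EAP-based authentication (PEAP, EAP-FAST) fail, so
    that combination is reported as a configuration error instead of forwarded."""
    if not entry.strip or not entry.string:
        return username
    if eap_based:
        raise ValueError("stripping configured for an EAP-based request; authentication would fail")
    if entry.position == "suffix":
        return username[: len(username) - len(entry.string)]
    return username[len(entry.string):]


# A responder stands in for one AAA server: it returns the user's authorization
# profile, None when it rejects the user, or raises TimeoutError when it does
# not answer within the timeout (the failed-connection case).
Responder = Callable[[str], Optional[dict]]


def authenticate(table: List[ProxyEntry], responders: Dict[str, Responder],
                 username: str, eap_based: bool = False,
                 timeouts: Optional[List[str]] = None) -> Optional[Tuple[str, Optional[dict]]]:
    """Route one request: pick the entry, strip if configured, then try the
    entry's servers in order.  Returns (server, profile) from the first server
    that answers (profile is None for a reject), or None when every listed
    server timed out, which is an authentication failure."""
    entry = select_entry(table, username)
    name = forward_username(entry, username, eap_based)
    for server in entry.servers:
        try:
            return server, responders[server](name)
        except TimeoutError:
            if timeouts is not None:
                timeouts.append(server)  # record for the Failed Attempts view
    return None


# --- constructed scenario: Mary (Los Angeles) dialling in to New York ---
LA_USERS = {"mary": {"privilege": 15, "acl": "corp-la"}}
NY_USERS = {"bob": {"privilege": 1, "acl": "corp-ny"}}


def la_acs(user: str) -> Optional[dict]:
    return LA_USERS.get(user)


def ny_local(user: str) -> Optional[dict]:
    return NY_USERS.get(user)


def unreachable(user: str) -> Optional[dict]:
    raise TimeoutError(user)


NY_TABLE = [
    # LA users: strip "@la.corporate.com"; try the LA backup first, then LA primary
    ProxyEntry("@la.corporate.com", "suffix", True, ("la-backup", "la-acs")),
    # a prefix-style entry for a partner realm whose servers are both down
    ProxyEntry("partner/", "prefix", True, ("partner-1", "partner-2")),
]
RESPONDERS = {"la-backup": unreachable, "la-acs": la_acs, "local": ny_local,
              "partner-1": unreachable, "partner-2": unreachable}

if __name__ == "__main__":
    log: List[str] = []
    print(authenticate(NY_TABLE, RESPONDERS, "mary@la.corporate.com", timeouts=log), log)
    print(authenticate(NY_TABLE, RESPONDERS, "bob"))
    print(authenticate(NY_TABLE, RESPONDERS, "partner/alice"))
```

Running the scenario, Mary's request matches the @la.corporate.com entry, is forwarded as plain mary, times out on la-backup and is answered by la-acs; bob is handled by the (Default) entry locally; partner/alice fails because both servers in that entry's list time out.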

Remote Use of Accounting Packets

When proxy is employed, ACS can dispatch AAA accounting packets in one of three ways:
Log them locally.
Forward them to the destination AAA server.
Log them locally and forward copies to the destination AAA server.
Sending accounting packets to the remote ACS offers several benefits.
When ACS is configured to send accounting packets to the remote AAA server, the remote AAA server logs an entry in the accounting report for that session on the destination server. ACS also caches the user connection information and adds an entry in the List Logged on Users report. You can then view the information for users that are currently connected. Because the accounting information is sent to the remote AAA server, even if the connection fails, you can view the Failed Attempts report to troubleshoot the failed connection.
Sending the accounting information to the remote AAA server also enables you to use the Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is an ACS and the Max Sessions feature is implemented, you can track the number of sessions that are allowed for each user or group.
You can also choose to have Voice-over-IP (VoIP) accounting information logged remotely, appended to the RADIUS Accounting log, entered in a separate VoIP Accounting log, or both.

Other Features Enabled by System Distribution

Beyond basic proxy and fallback features, configuring an ACS to interact with distributed systems enables several other features that are beyond the scope of this chapter. These features include:
Replication—For more information, see ACS Internal Database Replication, page 8-1.
RDBMS synchronization—For more information, see RDBMS Synchronization, page 8-17.
Remote and centralized logging—For more information, see Remote Logging for ACS for Windows, page 10-9, and Remote Logging for ACS SE with ACS Remote Agents, page 10-10.
Network Device Searches
You can search for any network device that is configured in the Network Configuration section of the ACS web interface.
This section contains the following topics:
Network Device Search Criteria, page 3-6
Searching for Network Devices, page 3-7

Network Device Search Criteria

You can specify search criteria for network device searches. ACS provides the following search criteria:
Name—The name assigned to the network device in ACS. You can use an asterisk (*) as a wildcard character. For example, if you wanted to find all devices with names starting with the letter M, you would enter M* or m*. Name-based searches are case insensitive. If you do not want to search based on device name, you can leave the Name box blank or you can put only an asterisk (*) in the Name box.
IP Address—The IP address specified for the network device in ACS. For each octet in the address, you have three options:
Number—You can specify a number, for example, 10.3.157.98.
Numeric Range—You can specify the low and high numbers of the range in the octet, separated by a hyphen (-), for example, 10.3.157.10-50.
Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example, 10.3.157.*.
ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk (*), for example 172.16-31.*.*.
Type—The device type, as specified by the AAA protocol that it is configured to use, or the kind of AAA server it is. You can also search for Solution Engine remote agents. If you do not want to limit the search based on device type, choose Any from the Type list.
Device Group—The NDG to which the device is assigned. This search criterion only appears if you have enabled Network Device Groups on the Advanced Options page in the Interface Configuration section. If you do not want to limit the search based on NDG membership, select Any from the Device Group list.
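The following is an added example, written for this page and not part of ACS, that implements the four search criteria above over a constructed device table: the case-insensitive name wildcard (asterisk only), per-octet IP address patterns (number, low-high range, asterisk), device type and NDG, with Any meaning the criterion does not limit the search. The device names, addresses and type labels are made up. Because the AAA Client IP Address box accepts the same per-octet syntax, match_ip also serves as a check of whether a client entry's pattern covers a given address; that generalisation is the example's, not the chapter's.

```python
"""Network device search criteria over a constructed device table.
Illustrative code for this chapter, not the ACS implementation."""
import re
from typing import List, Tuple


def parse_octet_pattern(part: str) -> Tuple[int, int]:
    """Return the inclusive (low, high) range for one octet pattern:
    a number ('98'), a range ('10-50') or the wildcard ('*')."""
    if part == "*":
        return 0, 255
    m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
    if not m:
        raise ValueError(f"bad octet pattern: {part!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet range out of bounds or reversed: {part!r}")
    return low, high


def parse_ip_pattern(pattern: str) -> List[Tuple[int, int]]:
    """Parse a dotted pattern such as 172.16-31.*.* into four octet ranges."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"pattern must have four octets: {pattern!r}")
    return [parse_octet_pattern(p) for p in parts]


def match_ip(pattern: str, address: str) -> bool:
    """True when the dotted-decimal address falls inside every octet range."""
    ranges = parse_ip_pattern(pattern)
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {address!r}")
    return all(lo <= int(o) <= hi for (lo, hi), o in zip(ranges, octets))


def match_name(pattern: str, name: str) -> bool:
    """Case-insensitive name match; '*' stands for any run of characters, and a
    blank pattern (or a lone '*') matches every device."""
    if pattern in ("", "*"):
        return True
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def search_devices(devices, name="*", ip="*.*.*.*", dev_type="Any", group="Any"):
    """Apply all four criteria; 'Any' means that criterion is not limiting."""
    return [
        d for d in devices
        if match_name(name, d["name"])
        and match_ip(ip, d["ip"])
        and (dev_type == "Any" or d["type"] == dev_type)
        and (group == "Any" or d["ndg"] == group)
    ]


# Constructed sample device table (names, addresses and types are made up).
DEVICES = [
    {"name": "MainRouter", "ip": "10.3.157.98", "type": "RADIUS", "ndg": "HQ"},
    {"name": "mx-firewall", "ip": "172.20.4.1", "type": "TACACS+", "ndg": "HQ"},
    {"name": "branch-sw", "ip": "172.31.9.250", "type": "TACACS+", "ndg": "Branch"},
    {"name": "acs-self", "ip": "10.3.157.10", "type": "ACS server", "ndg": "(Not Assigned)"},
]

if __name__ == "__main__":
    for hit in search_devices(DEVICES, name="m*", ip="172.16-31.*.*"):
        print(hit["name"], hit["ip"], hit["type"], hit["ndg"])
```

A reversed range such as 50-10 or an octet above 255 is rejected at parse time rather than silently matching nothing, which is the behaviour you want when the same pattern text is being saved as an AAA client address.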

Searching for Network Devices

To search for a network device:
Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Click Search.
The Search for Network Devices page appears. In the configuration area, the controls for setting search criteria appear above the search results for the most recent search that was previously conducted for this session, if any.
Tip When you leave the Search for Network Devices page, ACS retains your search criteria and results for the duration of the current administrative session. Until you log out of ACS, you can return to the Search for Network Devices page to view your most recent search criteria and results.
Step 3 Set the criteria for a device search. For information about search criteria, see Network Device Search Criteria, page 3-6.
Tip To reset the search criteria to default settings, click Clear.
Step 4 Click Search.
A table lists each network device configured in ACS that matches the search criteria you specified. If ACS did not find a matching network device, the message No Search Results appears.
The table listing that matches network devices includes the device name, IP address, and type. If you have enabled Network Device Groups on the Advanced Options page in the Interface Configuration Section, the table also includes the NDG of each matching network device.
Tip You can sort the table rows by whichever column you want, in ascending or descending order.
Click a column title once to sort the rows by the entries in that column in ascending order. Click the column a second time to sort the rows by the entries in that column in descending order.
Step 5 If you want to view the configuration settings for a network device found by the search, click the network device name in the Name column in the table of matching network devices. ACS displays the applicable setup page. For information about the AAA Client Setup page, see AAA Client Configuration Options, page 3-8. For information about the AAA Server Setup page, see AAA Server Configuration Options, page 3-15.
Step 6 If you want to download a file containing the search results in a comma-separated value format, click Download, and use your browser to save the file to a location and filename of your choice.
Step 7 If you want to search again by using different criteria, repeat Step 3 and Step 4.
Configuring AAA Clients
This guide uses the term “AAA client” comprehensively to signify the device through which or to which service access is attempted. This is the RADIUS or TACACS+ client device, and may comprise Network Access Servers (NASs), PIX Firewalls, routers, or any other RADIUS or TACACS+ hardware or software client.
This section contains the following topics:
AAA Client Configuration Options, page 3-8
Adding AAA Clients, page 3-11
Editing AAA Clients, page 3-12
Deleting AAA Clients, page 3-14

AAA Client Configuration Options

AAA client configurations enable ACS to interact with the network devices that the configuration represents. A network device that does not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, does not receive AAA services from ACS.
The Add AAA Client and AAA Client Setup pages include:
AAA Client Hostname—The name that you assign to the AAA client configuration. Each AAA client configuration can represent multiple network devices; thus, the AAA client hostname configured in ACS is not required to match the hostname configured on a network device. We recommend that you adopt a descriptive, consistent naming convention for AAA client hostnames. Maximum length for AAA client hostnames is 32 characters.
Note After you submit the AAA client hostname, you cannot change it. If you want to use a different name for AAA clients, delete the AAA client configuration and create a new AAA client configuration by using the new name.
AAA Client IP Address—At a minimum, a single IP address of the AAA client or the keyword dynamic. If you only use the keyword dynamic, with no IP addresses, the AAA client configuration can only be used for command authorization for Cisco multi device-management applications, such as Management Center for Firewalls. ACS only provides AAA services to devices based on IP address; so it ignores such requests from a device whose AAA client configuration only has the keyword dynamic in the Client IP Address box.
If you want the AAA client configuration in ACS to represent multiple network devices, you can specify multiple IP addresses. Separate each IP address by pressing Enter.
In each IP address that you specify, you have three options for each octet in the address:
Number—You can specify a number, for example, 10.3.157.98.
Numeric Range—You can specify the low and high numbers of the range in the octet, separated by a hyphen (-), for example, 10.3.157.10-50.
Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example, 10.3.157.*.
ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk (*), for example 172.16-31.*.*.
Shared Secret—The shared secret key of the AAA client. Maximum length for the AAA client key is 32 characters. For correct operation, the key must be identical on the AAA client and ACS. Keys are case sensitive.
If the shared secret does not match, ACS discards all packets from the network device.
Network Device Group—The name of the NDG to which this AAA client should belong. To make the AAA client independent of NDGs, use the Not Assigned selection.
Note This option does not appear if you have not configured ACS to use NDGs. To enable NDGs, choose Interface Configuration > Advanced Options. Then, check the Network Device Groups check box.
RADIUS Key Wrap—The shared secret keys for RADIUS Key Wrap in EAP-TLS authentications. Each key must be unique, and must also be distinct from the RADIUS shared key. These shared keys are configurable for each AAA Client, as well as for each NDG. The NDG key configuration overrides the AAA Client configuration.
Key Encryption Key (KEK)—This is used for encryption of the Pairwise Master Key (PMK). In ASCII mode, enter a key length of exactly 16 characters; in hexadecimal mode, enter a key length of 32 characters.
Message Authentication Code Key (MACK)—This is used for the keyed hashed message authentication code (HMAC) calculation over the RADIUS message. In ASCII mode, enter a key length of exactly 20 characters; in hexadecimal mode, enter a key length of 40 characters.
Note If you leave a key field empty when key wrap is enabled, the key will contain only zeros.
Key Input Format—Select whether to enter the keys as ASCII or hexadecimal strings (the default is ASCII).
Note You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP-TLS authentication.
Authenticate Using—The AAA protocol to use for communications with the AAA client. The Authenticate Using list includes Cisco IOS TACACS+ and several vendor-specific implementations of RADIUS. If you have configured user-defined RADIUS vendors and VSAs, those vendor-specific RADIUS implementations appear on the list also. For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 8-19.
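The following is an added example, written for this page and not part of ACS, that lints one AAA client entry against the field rules listed above: hostname length, at least one IP address or the keyword dynamic, shared secret presence and length, and the RADIUS Key Wrap keys with their ASCII and hexadecimal lengths. It flags the conditions the text singles out as operationally important: a dynamic-only entry receives no AAA service, an empty key-wrap field becomes an all-zero key, and KEK and MACK must be unique and distinct from the RADIUS shared secret. The configuration dictionaries, their key names and the sample values are constructed for the example.

```python
"""Lint for an AAA client configuration entry as described in this section.
Illustrative code for this chapter, not part of ACS; the field names used
for the configuration dictionary and the sample values are constructed."""
import re
from typing import Dict, List, Optional, Tuple

MAX_HOSTNAME = 32
MAX_SECRET = 32
# Required key-wrap key lengths from the chapter: (ASCII characters, hex characters)
KEY_WRAP_LENGTHS = {"KEK": (16, 32), "MACK": (20, 40)}


def decode_key_wrap_key(field: str, value: str, fmt: str) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (key bytes, error).  An empty field yields the all-zero key that
    ACS would use; a wrong length or non-hex text yields (None, message)."""
    ascii_len, hex_len = KEY_WRAP_LENGTHS[field]
    if value == "":
        return b"\x00" * ascii_len, None
    if fmt == "hex":
        if len(value) != hex_len or not re.fullmatch(r"[0-9A-Fa-f]+", value):
            return None, f"{field} must be {hex_len} hexadecimal characters"
        return bytes.fromhex(value), None
    if len(value) != ascii_len or not value.isascii():
        return None, f"{field} must be exactly {ascii_len} ASCII characters"
    return value.encode("ascii"), None


def validate_aaa_client(cfg: Dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one AAA client entry; [] means clean."""
    findings: List[Tuple[str, str]] = []
    hostname = cfg.get("hostname", "")
    if not hostname or len(hostname) > MAX_HOSTNAME:
        findings.append(("error", "AAA Client Hostname must be 1 to 32 characters"))
    addresses = [a.strip() for a in cfg.get("ip_addresses", []) if a.strip()]
    if not addresses:
        findings.append(("error", "at least one IP address or the keyword dynamic is required"))
    elif all(a == "dynamic" for a in addresses):
        findings.append(("warning", "dynamic only: usable for multi-device command authorization; "
                                    "ACS ignores AAA requests from this device"))
    secret = cfg.get("shared_secret", "")
    if not secret:
        findings.append(("error", "shared secret is required; on mismatch ACS discards the device's packets"))
    elif len(secret) > MAX_SECRET:
        findings.append(("error", "shared secret exceeds 32 characters"))
    if cfg.get("key_wrap", False):
        fmt = cfg.get("key_input_format", "ascii")
        for field in KEY_WRAP_LENGTHS:
            raw = cfg.get(field, "")
            key, error = decode_key_wrap_key(field, raw, fmt)
            if error:
                findings.append(("error", error))
            elif not any(key):
                findings.append(("warning", f"{field} is all zeros (empty field or explicit zeros)"))
            if raw and raw == secret:
                findings.append(("error", f"{field} must differ from the RADIUS shared secret"))
        if cfg.get("KEK") and cfg.get("KEK") == cfg.get("MACK"):
            findings.append(("error", "KEK and MACK must be unique"))
    return findings


# Constructed sample entry that passes every check.
GOOD_CLIENT = {
    "hostname": "hq-router-1",
    "ip_addresses": ["10.3.157.98", "10.3.157.10-50"],
    "shared_secret": "s3cret-CaseSensitive",
    "key_wrap": True,
    "key_input_format": "ascii",
    "KEK": "0123456789abcdef",        # 16 ASCII characters
    "MACK": "01234567890123456789",   # 20 ASCII characters
}

if __name__ == "__main__":
    for sample in (GOOD_CLIENT, dict(GOOD_CLIENT, ip_addresses=["dynamic"]), dict(GOOD_CLIENT, KEK="")):
        print(sample["hostname"], validate_aaa_client(sample))
```

The all-zero warning fires for an empty field and for an explicit string of zeros alike, since both leave the key-wrap protection resting on a key an observer can guess; switching key_input_format to hex doubles the required character counts, as the chapter states.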