Cisco Secure ACS 4.2 User Manual

Configuration Guide for Cisco Secure ACS

4.2

February 2008

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-14390-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0804R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Configuration Guide for Cisco Secure ACS 4.2

Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,

logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers,

logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain

IMPLIED, INCLUDING, WITHOUT

Preface ix

Audience ix

Organization ix

Conventions x

Product Documentation x

Preface

Audience

This guide is for security administrators who use Cisco Secure Access Control Server (ACS), and who set up and maintain network and application security.

Organization

This document contains:

• Chapter 1, “Overview of ACS Configuration”—Provides an overview of ACS configuration,

including a summary of configuration steps and configuration flowchart that show the sequence of configuration steps.

• Chapter 2, “Deploy the Access Control Servers”—Describes factors to consider when deploying ACS,

including the access type, network topology, and whether database synchronization and replication are required.

• Chapter 3, “Configuring New Features in ACS 4.2”—Describes how to configure the most important

new features in ACS 4.2.

• Chapter 4, “Using RDBMS Synchronization to Create dACLs and Specify Network

Configuration”—Describes how to configure new RDBMS synchronization features in ACS 4.2 and run

RDBMS Sync remotely on the ACS Solution Engine.

• Chapter 5, “Password Policy Configuration Scenario”—Describes how to configure Sarbanes-Oxley

(SOX) support when adding administrators.

• Chapter 6, “Agentless Host Support Configuration Scenario”—Describes how to configure ACS for

agentless host support (MAC authentication bypass).

• Chapter 7, “PEAP/EAP-TLS Configuration Scenario”—Describes how to configure ACS for

PEAP/EAP-TLS support.

• Chapter 8, “Syslog Logging Configuration Scenario”—Describes how to configure ACS to log

syslog messages.

• Chapter 9, “NAC Configuration Scenario”—Describes how to configure ACS in a Cisco Network

Admission Control (NAC) and Microsoft Network Access Protection (NAP) environment.

• “Glossary”—Lists common terms used in ACS.

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

Conventions

This document uses the following conventions:

Preface

Item Convention

Commands, keywords, special terminology, and options that should be selected during procedures

Variables for which you supply values and new or important terminology

Displayed session and system information, paths and file names screen font

Information you enter boldface screen font

Variables you enter italic screen font

Menu items and button names boldface font

Indicates menu items to select, in the order you select them. Option > Network Preferences

boldface font

italic font

Tip Identifies information to help you get the most benefit from your product.

Note Means reader take note. Notes identify important information that you should reflect upon before

continuing, contain helpful suggestions, or provide references to materials not contained in the document.

Caution Means reader be careful. In this situation, you might do something that could result in equipment

damage, loss of data, or a potential breach in your network security.

Warning

Identifies information that you must heed to prevent damaging yourself, the state of software, or equipment. Warnings identify definite security breaches that will result if the information presented is not followed carefully.

Product Documentation

Note We sometimes update the printed and electronic documentation after original publication. Therefore,

you should also review the documentation on Cisco.com for any updates.

Table 1 describes the product documentation that is available.

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Preface

Ta b l e 1 ACS 4.2 Documentation

Document Title Available Formats

Documentation Guide for Cisco Secure ACS Release 4.2

• Shipped with product.

• PDF on the product CD-ROM.

• On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/

4.2/roadmap/DGuide42.html

Release Notes for Cisco Secure ACS Release 4.2

On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/

4.2/release/notes/ACS42_RN.html

Configuration Guide for Cisco Secure ACS Release 4.2

• On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/

4.2/configuration/guide/acs42_config_guide.html

Installation Guide for Cisco Secure ACS for Windows Release 4.2

• On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/

4.2/installation/guide/windows/IGwn42.html

Installation Guide for Cisco Secure ACS Solution Engine Release 4.2

• On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_solution_engine/

4.2/installation/guide/solution_engine/SE42.html

Configuration Guide for Cisco Secure ACS 4.2

• On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/

4.2/user/guide/ACS4_2UG.html

Regulatory Compliance and Safety Information for the Cisco Secure ACS Solution Engine Release 4.2

• Shipped with product.

• PDF on the product CD-ROM.

• On Cisco.com:

• http://www.cisco.com/en/US/docs/net_mgmt/

cisco_secure_access_control_server_for_solution_engine/

4.2/regulatory/compliance/RCSI_42.html

Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.2

• On Cisco.com:

• http://www.cisco.com/en/US/docs/net_mgmt/

cisco_secure_access_control_server_for_solution_engine/

4.2/installation/guide/remote_agent/rmag42.html

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Release 4.2

• On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/

4.2/device/guide/sdt42.html

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

Preface

Notices

Table 1 ACS 4.2 Documentation (continued)

Document Title Available Formats

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords

Troubleshooting Guide for Cisco Secure Access Control Server

Online Documentation In the ACS HTML interface, click Online Documentation.

Online Help In the ACS HTML interface, online help appears in the right-hand frame when you

• On Cisco.com:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/

4.2/installation/guide/user_passwords/ucp42.html

• On Cisco.com

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_windows/4.2/trouble/guide/ ACS_Troubleshooting.html

are configuring a feature.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the

following disclaimer.

Notices

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and

the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following

acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote

http://www.openssl.org/)”.

products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in

their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

http://www.openssl.org/)”.

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

xiii

Notices

Preface

Original SSLeay License:

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the

following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and

the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following

acknowledgement:

“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.

The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory

(application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

xiv

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Overview of ACS Configuration

This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps.

Note If you are configuring ACS to work with Microsoft clients in a Cisco Network Access Control/Microsoft

Network Access Protection (NAC/NAP) network, refer to Chapter 9, “NAC Configuration Scenario.”

This chapter contains:

• Summary of Configuration Steps, page 1-1

• Configuration Flowchart, page 1-5

Summary of Configuration Steps

CHAP T ER

To configur e ACS :

Step 1 Plan the ACS Deployment.

Determine how many ACS servers you need and their placement in the network.

For detailed information, see Chapter 2, “Deploy the Access Control Servers.”

Step 2 Install the ACS Servers.

Install the ACS servers as required. For detailed installation instructions, refer to:

• Installation Guide for Cisco Secure ACS for Windows Release 4.2, available on Cisco.com at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/

4.2/installation/guide/windows/IGwn42.html

• Installation Guide for Cisco Secure ACS Solution Engine Release 4.2, available on Cisco.com at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_en gine/4.2/installation/guide/solution_engine/ACS_42_SE_install.html

Step 3 Configure Additional Administrators.

When you install the Windows version of ACS, there are initially no administrative users. When you install Cisco Secure ACS Solution Engine (ACS SE), there is initially one administrator.

To set up additional administrative accounts:

a. Add Administrators.

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

1-1

Summary of Configuration Steps

b. For each administrator, specify administrator privileges.

c. As needed, configure the following optional administrative policies:

–

For detailed information, see Chapter 5, “Password Policy Configuration Scenario.”

Step 4 Configure the Web Interface:

a. Add AAA clients and specify the authorization protocols that the clients will use.

b. Click Interface Configuration.

c. On the Interface Configuration page, configure the interface to include one or more of:

–

Chapter 1 Overview of ACS Configuration

Access Policy—Specify IP address limitations, HTTP port restrictions, and secure socket layer (SSL) setup.

Session Policy—Specify timeouts, automatic local logins, and response to invalid IP address connections.

Password Policy—Configure the password policy for administrators.

RADIUS Configuration Options—For detailed information, see “Displaying RADIUS

Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.”

–

TACACS+ Configuration Options—For detailed information, see “Displaying TACACS+ Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.”

–

Advanced Options—For detailed information, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.”

–

Customized User Options—For detailed information, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.”

Step 5 Configure Basic ACS System Settings:

a. Click System Configuration.

b. Configure:

–

Service Control

–

Logging

–

Date Format Control

–

Local Password Management

–

ACS Backup

–

ACS Restore

–

ACS Service Management

–

(optional) IP Pools Server

–

(optional) IP Pools Address Recovery

For detailed instructions, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.”

Step 6 Configure Users:

1-2

a. As required for your network security setup, configure users. You can configure users:

–

Manually, by using the ACS web interface

–

By using the CSUtil utility to import users from an external database

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Chapter 1 Overview of ACS Configuration

–

By using database synchronization

–

By using database replication

For detailed instructions, see “Displaying RADIUS Configuration Options” in Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “Using the Web Interface.”

Step 7 Configure Certificates.

This step is required if you are using EAP-TLS, Secure Sockets Layer (SSL), or Cisco Network Admission Control (NAC).

For detailed instructions, see Step 3: Install and Set Up an ACS Security Certificate, page 6-6.

Step 8 Configure Global Authentication Settings.

Configure the security protocols that ACS uses to authenticate users. You can configure the following global authentication methods:

• PEAP

• EAP-FAST

• EAP-TLS

• LEAP

• EAP-MD5

• Legacy authentication protocols, such as MS-CHAP Version 1 and Version 2

Summary of Configuration Steps

For detailed instructions, see “Global Authentication Setup” in Chapter 8 of the User Guide for Cisco Secure ACS 4.2, “System Configuration: Authentication and Certificates.”

Step 9 Configure Shared Profile Components.

You can configure the following shared profile components:

• Downloadable IP ACLs

• Network Access Filtering

• RADIUS Authorization Components

• Network Access Restrictions

• Command Authorization Sets

For detailed instructions, see Chapter 3 of the User Guide for Cisco Secure ACS 4.2, “Shared Profile Components.”

Step 10 Set Up Network Device Groups.

You can set up network device groups to simplify configuration of common devices. For detailed information, see the User Guide for Cisco Secure ACS 4.2.

Step 11 Add AAA clients.

You can add RADIUS clients or TACACS+ clients. For detailed instructions, see Step 2: Configure a

RADIUS AAA Client, page 6-5.

Step 12 Set Up User Groups.

Set up user groups to apply common configuration settings to groups of users. For detailed instructions, see Chapter 2 of the User Guide for Cisco Secure ACS 4.2, “User Group Management.”

Step 13 Configure Posture Validation.

If you are using ACS with NAC, configure posture validation.

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

1-3

Summary of Configuration Steps

Step 14 Set Up Network Access Profiles.

If required, set up Network Access Profiles.

Step 15 Configure Logs and Reports.

Configure reports to specify how ACS logs data. You can also view the logs in HTML reports. For detailed instructions, see Chapter 9 of the User Guide for Cisco Secure ACS 4.2, “Logs and Reports.

Chapter 1 Overview of ACS Configuration

1-4

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Chapter 1 Overview of ACS Configuration

Configuration Flowchart

Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration.

Figure 1-1 ACS Configuration Flowchart

Step 6:

Configure Users

Step 1: Plan the

Deployment

Step 2: Install

ACS Servers

Step 3: Configure

Additional

Administrators

Step 4: Configure the Web Interface

Is there a

Remote ODBC User

Database?

Yes

Configure Database

Synchronization

Is there a Large User Database?

Yes

Step 8: Configure Global

Authentication Settings

Step 9: Configure Shared

Profile Components

Step 10: Set Up

Network Device Groups

Step 11: Add

AAA Clients

Step 12: Set Up

User Groups

Are you

using NAC?

Configuration Flowchart

Step 5: Configure

Basic ACS

System Settings

Use CSUtil for

Bulk User

Data Import

Are you using

EAP-TLS, SSL,

or NAC?

Yes

Step 7: Configure

Certificates

Yes

Step 13: Configure

Posture Validation

Step 14: Set Up

Network Access Profiles

Step 15: Configure

Logs and Reports

158309

Refer to the list of steps in Summary of Configuration Steps, page 1-1 for information on where to find detailed descriptions of each step.

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

1-5

Configuration Flowchart

Chapter 1 Overview of ACS Configuration

1-6

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

CHAP T ER

Deploy the Access Control Servers

This chapter discusses topics that you should consider before deploying Cisco Secure Access Control Server, hereafter referred to as ACS.

This document does not describe the software installation procedure for ACS or the hardware installation procedure for the ACS SE. For detailed installation information, refer to:

• Installation Guide for Cisco Secure ACS for Windows Release 4.2, available on Cisco.com at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/

4.2/installation/guide/windows/IGwn42.html

• Installation Guide for Cisco Secure ACS Solution Engine Release 4.2, available on Cisco.com at:

http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/ ACS_42_SE_install.html

Note For more detailed information on deploying ACS, see the Cisco Secure Access Control Server

Deployment Guide at

http://www.cisco.com/application/pdf/en/us/guest/products/ ps2086/c1244/cdccont_0900aecd80737943.pdf.

This chapter contains:

• Determining the Deployment Architecture, page 2-1

• Determining How Many ACSs to Deploy (Scalability), page 2-11

• Deploying ACS Servers to Support Server Failover, page 2-13

• Deploying ACS in a NAC/NAP Environment, page 2-15

• Additional Topics, page 2-16

Determining the Deployment Architecture

How your enterprise network is configured and the network topology are likely to be the most important factors in deploying ACS.

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

2-1

Determining the Deployment Architecture

This section discusses:

• Access types—How users will access the network (through wireless access, LAN access through

• Network architecture—How the network is organized (centrally through campus LANs, regional

This section contains:

• Access Types, page 2-2

• Placement of the RADIUS Server, page 2-11

Access Types

This section contains:

• Wired LAN Access, page 2-2

• Wireless Access Topology, page 2-5

Chapter 2 Deploy the Access Control Servers

switches, and so on) and the security protocols used to control user access; for example, RADIUS, EAP- TLS, Microsoft Active Directory, and so on.

LANs, WLANs, and so on.

Wired LAN Access

• Dial-up Access Topology, page 2-9

You can use wired LAN access in a small LAN environment, a campus LAN environment, or a regionally or globally dispersed network. The number of users determines the size of the LAN or WLAN:

Size Users

small LAN 1 to 3,000

medium-sized LAN 3,000 to 25,000

large LAN 25,000 to 50,000

very large LAN or WLAN over 50,000

The wired LAN environment uses the following security protocols:

• RADIUS—RADIUS is used to control user access to wired LANs. In broadcast or switch-based

Ethernet networks, you can use RADIUS to provide virtual LAN identification information for each authorized user.

• EAP—Extensible Authentication Protocol (EAP), provides the ability to deploy RADIUS into

Ethernet network environments. EAP is defined by Internet Engineering Task Force (IETF) RFC 2284 and the IEEE 802.1x standards.

The 802.1x standard, also known as EAP over LAN (EAPoL), concerns the part of the wider EAP standard that relates to broadcast media networks. Upon connection, EAPoL provides a communications channel between an end user on a client LAN device to the AAA server through the LAN switch. The functionality is similar to what Point-to-Point Protocol (PPP) servers on point-to-point links provide.

2-2

By supporting complex challenge-response dialogues, EAP facilitates the user-based authentication demands of both conventional one-way hashed password authentication schemes such as Challenge Handshake Authentication Protocol (CHAP) and of more advanced authentication schemes such as Transport Layer Security (TLS), or digital certificates.

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Chapter 2 Deploy the Access Control Servers

• EAP-TLS—Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS

uses the TLS protocol (RFC 2246), which is the latest version of the Secure Socket Layer (SSL) protocol from the IETF. TLS provides a way to use certificates for user and server authentication and for dynamic session key generation.

• PEAP— Protected Extensible Authentication Protocol (PEAP) is an 802.1x authentication type for

wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on an Internet Draft that Cisco Systems, Microsoft, and RSA Security submitted to the IETF.

Small LAN Environment

In a small LAN environment (a LAN containing up to 3,000 users; see Figure 2-1), a single ACS is usually located close to the switch and behind a firewall. In this environment, the user database is usually small because few switches require access to ACS for AAA, and the workload is small enough to require only a single ACS.

However, you should still deploy a second ACS server for redundancy, and set up the second ACS server as a replication partner to the primary server; because, losing the ACS would prevent users from gaining access to the network. In these are likely to be features of such a network; but, they are not strictly related to the Cisco Catalyst AAA setup or required as part of it.

You should also limit access to the system hosting the ACS to as small a number of users and devices as necessary. As shown in on the firewall. Access to this segment is limited only to the Cisco Catalyst Switch client and those user machines that require HTTP access to the ACS for administrative purposes. Users should not be aware that the ACS is part of the network.

Determining the Deployment Architecture

Figure 2-1, an Internet connection via firewall and router are included because

Figure 2-1, you set access by connecting the ACS host to a private LAN segment

Figure 2-1 ACS Server in a Small LAN Environment

Catalyst 2900/3500

Switch

Internet

Firewall

Cisco Secure ACS

Campus LAN

158316

You can use ACS for wired access in a campus LAN. A campus LAN is typically divided into subnets.

Figure 2-2 shows an ACS deployment in a wired campus LAN.

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

2-3

Determining the Deployment Architecture

Figure 2-2 ACS in a Campus LAN

Chapter 2 Deploy the Access Control Servers

Segment 1

Segment 3

Segment 2

Internet

Remote office

158308

Figure 2-2 shows a possible distribution of ACS in a wired campus LAN. In this campus LAN, buildings

are grouped into three segments. Each segment consists of 1 to 3 buildings and all the buildings in the segment are on a common LAN. All interbuilding and intersegment network connections use one-gigabyte fiber-optic technology. Primary network access is through switch ports over wired Ethernet.

You use ACS to provide RADIUS authentication for the network access servers, and you configure it to use an external database. One ACS is deployed for each segment of 5 to 10 buildings. A Cisco LocalDirector content switch is placed before each ACS for load balancing and failover.

Geographically Dispersed Wired LAN

In a larger network that is geographically dispersed, speed, redundancy, and reliability are important in determining whether to use a centralized ACS service or a number of geographically dispersed ACS units. As with many applications, AAA clients rely on timely and accurate responses to their queries. Network speed is an important factor in deciding how to deploy ACS; because delays in authentication that the network causes can result in timeouts at the client side or the switch.

A useful approach in large extended networks, such as for a globally dispersed corporation, is to have at least one ACS deployed in each major geographical region. Depending on the quality of the WAN links, these servers may act as backup partners to servers in other regions to protect against failure of the ACS in any particular region.

2-4

Figure 2-3 shows ACS deployed in a geographically dispersed wired LAN. In the illustration, Switch 1

is configured with ACS 1 as its primary AAA server but with ACS 2 of Region 2 as its secondary. Switch 2 is configured with ACS 2 as its primary but with ACS 3 as its secondary. Likewise, Switch 3 uses ACS 3 as its primary but ACS 1 as its secondary. Using a local ACS as the primary AAA server minimizes AAA WAN traffic. When necessary, using the primary ACS from another region as the secondary further minimizes the number of ACS units.

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Chapter 2 Deploy the Access Control Servers

Figure 2-3 ACS in a Geographically Dispersed LAN

Determining the Deployment Architecture

Switch 1

Region 1

Firewall

ACS 1

T1 T1

ACS 3

Firewall

Switch 3

Region 3

Region 2

Switch 1

Firewall

ACS 2

158313

Wireless Access Topology

A wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN. Authentication is absolutely necessary, due to the ease of access to the AP. Encryption is also necessary because of the ease of eavesdropping on communications.

Scaling can be a serious issue in the wireless network. The mobility factor of the WLAN requires considerations similar to those given to the dial-up network. Unlike the wired LAN, however, you can more readily expand the WLAN. Though WLAN technology does have physical limits as to the number of users who can connect via an AP, the number of APs can grow quickly. As with the dial-up network, you can structure your WLAN to allow full access for all users, or provide restricted access to different subnets among sites, buildings, floors, or rooms. This capability raises a unique issue with the WLAN: the ability of a user to roam among APs.

Simple WLAN

A single AP might be installed in a simple WLAN (Figure 2-4). Because only one AP is present, the primary issue is security. An environment such as this generally contains a small user base and few network devices. Providing AAA services to the other devices on the network does not cause any significant additional load on the ACS.

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

2-5

Determining the Deployment Architecture

Figure 2-4 Simple WLAN

Chapter 2 Deploy the Access Control Servers

Segment 1

Segment 3

Segment 2

Internet

Remote office

158308

Campus WLAN

In a WLAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy ACS become more complex. Depending on the processing needs of the installation, all of the APs might be on the same LAN.

Figure 2-5 shows all APs on the same LAN;

however, the APs might also be distributed throughout the LAN, and connected via routers, switches, and so on.

2-6

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Chapter 2 Deploy the Access Control Servers

Figure 2-5 Campus WLAN

Determining the Deployment Architecture

Regional WLAN Setting

In a given geographical or organizational region, the total number of users might or might not reach a critical level for a single ACS. Small offices would not qualify for separate installations of ACSs and a regional office might have sufficient reserve capacity. In this case, the small offices can authenticate users across the WAN to the larger regional office. Once again, you should determine that this does not pose a risk to the users in the remote offices. Assess critical connectivity needs against the reliability and throughput to the central ACS.

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

2-7

Determining the Deployment Architecture

Figure 2-6 shows a regional WLAN.

Figure 2-6 ACS in a Regional WLAN

Chapter 2 Deploy the Access Control Servers

Corporate Headquarters

Small

Remote

Office

Cisco Aironet

Cisco Secure ACS

Small

Remote

Office

Corporate Region

Internet

Regional

Office

158314

Large Enterprise WLAN Setting

In a very large geographically dispersed network (over 50,000 users), access servers might be located in different parts of a city, in different cities, or on different continents. If network latency is not an issue, a central ACS might work; but, connection reliability over long distances might cause problems. In this case, local ACSs may be preferable to a central ACS.

If the need for a globally coherent user database is most important, database replication or synchronization from a central ACS may be necessary. For information on database replication considerations, see

Database Replication Considerations, page 2-13 and Database Synchronization Considerations, page 2-14. Authentication by using external databases, such as a Windows user database

or the Lightweight Directory Access Protocol (LDAP), can further complicate the deployment of distributed, localized ACSs.

2-8

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

Chapter 2 Deploy the Access Control Servers

Figure 2-7 shows ACS installations in a geographically dispersed network that contains many WLANs.

Figure 2-7 ACS in a Geographically Dispersed WLAN

Determining the Deployment Architecture

For the model in Figure 2-7, the location of ACS depends on whether all users need access on any AP, or require only regional or local network access. Along with database type, these factors control whether local or regional ACSs are required, and how database continuity is maintained. In this very large deployment model (over 50,000 users), security becomes a more complicated issue, too.

Additional Considerations for Deploying ACS in a WLAN Environment

You should also consider the following when deploying ACS in a WLAN environment, consider if:

• Wireless is secondary to wired access, using a remote ACS as a secondary system is acceptable.

• Wireless is the primary means of access, put a primary ACS in each LAN.

• The customer uses ACS for user configuration, data replication is critical.

Dial-up Access Topology

Until recently, dial-up access was the most prevalent method for providing remote access to network resources. However, DSL access and access through VPNs have largely replaced dial-up access through modems.

ACS is still used in some LAN environments to provide security for dial-up access. You can provide dial-up access for a small LAN or for a large dial-in LAN.

Small Dial-Up Network Access

In the small LAN environment, see Figure 2-8, network architects typically place a single ACS internal to the AAA client, which a firewall and the AAA client protect from outside access. In this environment, the user database is usually small; because, few devices require access to the ACS for authentication, authorization and accounting (AAA), and any database replication is limited to a secondary ACS as a backup.

63491

OL-14390-02

Configuration Guide for Cisco Secure ACS 4.2

2-9

Determining the Deployment Architecture

Figure 2-8 Small Dial-up Network

Large Dial-Up Network Access

In a larger dial-in environment, a single ACS with a backup may be suitable, too. The suitability of this configuration depends on network and server access latency. dial-in network. In this scenario, the addition of a backup ACS is recommended.

Chapter 2 Deploy the Access Control Servers

Figure 2-9 shows an example of a large

Figure 2-9 Large Dial-up Network

2-10

Configuration Guide for Cisco Secure ACS 4.2

OL-14390-02

+ 184 hidden pages

Cisco Secure ACS 4.2 User Manual

CONTENTS

Preface

Notices

OpenSSL/Open SSL Project

License Issues

Overview of ACS Configuration

Summary of Configuration Steps

Configuration Flowchart

Deploy the Access Control Servers

Determining the Deployment Architecture

Access Types

Wired LAN Access

Wireless Access Topology

Dial-up Access Topology