Chapter 3 Network Configuration
This chapter details concepts and procedures for configuring the Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS. You use the configuration process to establish a distributed system and set up interaction with authentication, authorization, and accounting (AAA) clients and servers. You can also configure remote agents for the ACS Solution Engine.
About ACS in Distributed Systems
• Remote Agents (ACS Solution Engine)—This table lists each remote agent that is configured, together with its IP address and available services. For more information about remote agents, see About Remote Agents, page 3-19.
Note The Remote Agents table does not appear unless you have enabled the Distributed System Settings feature in Interface Configuration.
Proxy in Distributed Systems
These types of access control have unique authentication and authorization requirements. With ACS, system administrators can use a variety of authentication methods that are used with different degrees of authorization privileges. Completing the AAA functionality, ACS serves as a central repository for accounting information. Each user session that ACS grants can be fully accounted for, and its accounting information can be stored in the server.
An Example
This section presents a scenario in which proxy is used in an enterprise system. Mary is an employee with an office in the corporate headquarters in Los Angeles. Her username is mary@la.corporate.com. When Mary needs access to the network, she accesses the network locally and authenticates her username and password.
continues, in order, down the list, until an AAA server handles the authentication request. (Failed connections are detected by the failure of the nominated server to respond within a specified time period; that is, the request times out.) If ACS cannot connect to any server in the list, authentication fails.
Character String
ACS forwards authentication requests by using a configurable set of characters with a delimiter, such as periods (.
Network Device Searches
• Sending the accounting information to the remote AAA server also enables you to use the Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is an ACS and the Max Sessions feature is implemented, you can track the number of sessions that are allowed for each user or group.
• Type—The device type, as specified by the AAA protocol that it is configured to use, or the kind of AAA server it is. You can also search for Solution Engine remote agents. If you do not want to limit the search based on device type, choose Any from the Type list.
• Device Group—The NDG to which the device is assigned.
Step 6 If you want to download a file containing the search results in comma-separated value format, click Download, and use your browser to save the file to a location and filename of your choice.
Step 7 If you want to search again by using different criteria, repeat Step 3 and Step 4.
Configuring AAA Clients
This guide uses the term “AAA client” comprehensively to signify the device through which or to which service access is attempted.
– Number—You can specify a number, for example, 10.3.157.98.
– Numeric Range—You can specify the low and high numbers of the range in the octet, separated by a hyphen (-), for example, 10.3.157.10-50.
– Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example, 10.3.157.*.
ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk (*), for example 172.16-31.*.*.
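The octet syntax above (number, numeric range, or wildcard per octet) is easy to get wrong when several AAA client entries are defined, so the following added example, which is not ACS code, implements the matching rule and also reports entry pairs whose patterns cover a common address. The client names and patterns are constructed for illustration.

```python
# Added example (not ACS code): matcher for the AAA client IP address syntax
# above, where each octet is a number, a range "low-high", or a wildcard "*".
from typing import Dict, List, Tuple

def _octets(text: str) -> List[str]:
    """Split a dotted quad (pattern or address) into exactly four fields."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted octets: {text!r}")
    return parts

def _octet_range(pattern: str) -> Tuple[int, int]:
    """Translate one octet pattern into the inclusive [low, high] it covers."""
    if pattern == "*":
        return 0, 255
    if "-" in pattern:
        low, high = (int(part) for part in pattern.split("-", 1))
    else:
        low = high = int(pattern)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"invalid octet pattern: {pattern!r}")
    return low, high

def address_matches(pattern: str, address: str) -> bool:
    """True if the client address falls inside the pattern in every octet."""
    values = [int(v) for v in _octets(address)]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"invalid IP address: {address!r}")
    ranges = [_octet_range(p) for p in _octets(pattern)]
    return all(low <= v <= high for (low, high), v in zip(ranges, values))

def patterns_overlap(first: str, second: str) -> bool:
    """True if some address is covered by both patterns (all octets intersect)."""
    pairs = zip(map(_octet_range, _octets(first)), map(_octet_range, _octets(second)))
    return all(max(a_lo, b_lo) <= min(a_hi, b_hi) for (a_lo, a_hi), (b_lo, b_hi) in pairs)

def overlapping_entries(clients: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report pairs of AAA client entries whose patterns cover a common address.
    The guide does not state which entry applies to such an address, so each
    reported pair (with the shared key and protocol it carries) deserves review."""
    names = sorted(clients)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if patterns_overlap(clients[a], clients[b])]

# Constructed sample entries: AAA client hostname -> IP address pattern.
CLIENTS = {"corp-rtr-1": "10.3.157.98", "corp-lab": "10.3.157.10-50",
           "corp-site": "10.3.157.*", "branch-wan": "172.16-31.*.*"}
```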
The Authenticate Using list always contains:
– TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is the standard choice when using Cisco Systems access servers, routers, and firewalls. If the AAA client is a Cisco device-management application, such as Management Center for Firewalls, you must use this option.
– RADIUS (Cisco Airespace)—RADIUS using Cisco Airespace VSAs.
– RADIUS (Nortel)—RADIUS using Nortel RADIUS VSAs. Select this option if the network device is a Nortel network device that supports authentication via RADIUS.
– RADIUS (iPass)—RADIUS for AAA clients using iPass RADIUS. Select this option if the network device is an iPass network device supporting authentication via RADIUS. The iPass RADIUS is identical to IETF RADIUS.
To add AAA clients:
Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which you want to assign the AAA client. Then, click Add Entry below the AAA Clients table.
• To add AAA clients when you have not enabled NDGs, click Add Entry below the AAA Clients table.
The Add AAA Client page appears.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA client is assigned. Then, click the name of the AAA client.
• To edit AAA clients when you have not enabled NDGs, click the name of the AAA client in the AAA Client Hostname column of the AAA Clients table.
The AAA Client Setup For Name page appears.
Step 3 Modify the AAA client settings, as needed.
Deleting AAA Clients
To delete AAA clients:
Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA client is assigned. Then, click the AAA client hostname in the AAA Clients table.
• To delete AAA clients when you have not enabled NDGs, click the AAA client hostname in the AAA Clients table.
Configuring AAA Servers
• Deleting AAA Servers, page 3-18
AAA Server Configuration Options
AAA server configurations enable ACS to interact with the AAA server that the configuration represents. AAA servers that do not have a corresponding configuration in ACS, or whose configuration in ACS is incorrect, do not receive AAA services from ACS, such as proxied authentication requests, database replication communication, remote logging, and RDBMS synchronization.
• Log Update/Watchdog Packets from this remote AAA Server—Enables logging of update or watchdog packets from AAA clients that are forwarded by the remote AAA server to this ACS. Watchdog packets are interim packets that are sent periodically during a session. They provide you with an approximate session length if the AAA client fails and, therefore, no stop packet is received to mark the end of the session.
Step 2 Do one of the following:
• If you are using NDGs, click the name of the NDG to which the AAA server is to be assigned. Then, click Add Entry below the [name] AAA Servers table.
• To add AAA servers when you have not enabled NDGs, click Add Entry below the AAA Servers table.
The Add AAA Server page appears.
Step 3 Enter the AAA server settings, as needed.
Step 3 Enter or change AAA server settings, as needed. For information about the configuration options available for the AAA server, see AAA Server Configuration Options, page 3-15.
Step 4 To save your changes and apply them immediately, click Submit + Apply.
Tip To save your changes and apply them later, choose Submit. When you are ready to implement the changes, choose System Configuration > Service Control.
Configuring Remote Agents (ACS Solution Engine Only)
This section contains the following topics:
• About Remote Agents, page 3-19
• Remote Agent Configuration Options, page 3-19
• Adding a Remote Agent, page 3-20
• Editing a Remote Agent Configuration, page 3-21
• Deleting a Remote Agent Configuration, page 3-22
About Remote Agents
An ACS Solution Engine can use remote agents for remote logging and for authentication of users with a Windows external user database.
Note If the port number that you provide does not match the port on which you configured the remote agent to listen, ACS cannot communicate with the remote agent. For information about configuring the remote agent port, see the Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1.
• Network Device Group—The name of the NDG to which this remote agent should belong.
The Add Remote Agent page appears.
Step 3 In the Remote Agent Name box, type a name for the remote agent (up to 32 characters).
Step 4 In the Remote Agent IP Address box, type the IP address of the computer that runs the remote agent.
Step 5 In the Port box, type the number of the TCP port on which the remote agent listens for communication from ACS (up to 6 digits). The default TCP port is 2003.
To edit a remote agent configuration:
Step 1 In the navigation bar, click Network Configuration. The Network Configuration section opens.
Step 2 Perform one of the following steps, based on your use of NDGs:
a. If you are using NDGs, click the name of the NDG to which the remote agent belongs. Then, in the NDG Remote Agents table, click the name of the remote agent configuration you want to edit.
b.
Step 2 Perform one of the following steps, based on your use of NDGs:
a. If you are using NDGs, click the name of the NDG to which the remote agent belongs. Then, in the NDG Remote Agents table, click the name of the remote agent configuration you want to delete.
b. If you are not using NDGs, in the Remote Agents table, click the name of the remote agent configuration that you want to delete.
Configuring Network Device Groups
Adding a Network Device Group
You can assign users or groups of users to NDGs. For more information, see:
• Setting TACACS+ Enable Password Options for a User, page 6-23
• Setting Enable Privilege Options for a User Group, page 5-13
To add an NDG:
Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens.
Step 2 Under the Network Device Groups table, click Add Entry.
Note You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP-TLS authentication.
Step 6 Click Submit. The Network Device Groups table displays the new NDG.
Step 2 In the Network Device Groups table, click the name of the current group of the network device.
Step 3 In the AAA Clients table or AAA Servers table, as applicable, click the name of the client or server that you want to assign to a new NDG.
Step 4 From the Network Device Group list, select the NDG to which you want to reassign the network device.
Step 5 Click Submit. The network device is assigned to the NDG you selected.
Deleting a Network Device Group
When you delete an NDG, all AAA clients and AAA servers that belong to the deleted group appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table.
Tip It might be useful to empty an NDG of AAA clients and AAA servers before you delete it.
Configuring Proxy Distribution Tables
About the Proxy Distribution Table
If you enabled the Distributed Systems Settings, when you click Network Configuration, you will see the Proxy Distribution Table.
Tip To enable Distributed Systems Settings in ACS, choose Interface Configuration > Advanced Options. Then, check the Distributed System Settings check box.
Step 5 From the Strip list, select Yes to strip the character string from the username that you entered, or select No to leave it.
Step 6 In the AAA Servers column, select the AAA server that you want to use for proxy. Click the --> (right arrow button) to move it to the Forward To column.
Tip You can also select additional AAA servers to use for backup proxy if the prior servers fail.
Step 3 Select the character string entry to reorder, and then click Up or Down to move its position to reflect the search order that you want.
Step 4 When you finish sorting, click Submit or Submit + Apply.
Editing a Proxy Distribution Table Entry
To edit a Proxy Distribution Table entry:
Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens.