
Cisco NAC Appliance (Clean Access)

NAC (CCA): Configure Authentication on Clean Access Manager with ACS 5.x and Later

Document ID: 113560

Updated: Jun 01, 2012


Introduction

This document provides information on how to configure authentication on the Clean Access Manager (CAM) with Cisco Secure Access Control System (ACS) 5.x and later. For a similar configuration using versions earlier than ACS 5.x, refer to NAC (CCA): Configure Authentication on the Clean Access Manager (CAM) with ACS.

Prerequisites

Requirements

This configuration is applicable to CAM version 3.5 and later.

Components Used

The information in this document is based on CAM version 4.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

nac-cam-acs5-config-01.gif

Configure Authentication on CCA with ACS 5.x

Complete these steps:

  1. Add New Roles
    1. Create an Admin Role

      • From the CAM, choose User Management > User Roles > New Role.

        nac-cam-acs5-config-02.gif

      • Enter a unique name, admin, for the role in the Role Name field.

      • Enter Admin User Role as an optional Role Description.

      • Choose Normal Login Role as the Role Type.

      • Configure the Out-of-Band (OOB) user role VLAN with the appropriate VLAN. For example, choose the VLAN ID and specify the ID as 10.

      • When finished, click Create Role. In order to restore default properties on the form, click Reset.

      • The role now appears in the List of Roles tab as shown in the Tag VLANs for OOB Role-based mappings section.

    2. Create a User Role

      • From the CAM, choose User Management > User Roles > New Role.

        nac-cam-acs5-config-03.gif

      • Enter a unique name, users, for the role in the Role Name field.

      • Enter Normal User Role as an optional Role Description.

      • Configure the Out-of-Band (OOB) user role VLAN with the appropriate VLAN. For example, choose the VLAN ID and specify the ID as 20.

      • When finished, click Create Role. In order to restore default properties on the form, click Reset.

      • The role now appears in the List of Roles tab as shown in the Tag VLANs for OOB Role-based mappings section.

  2. Tag VLANs for OOB Role-based mappings

    From the CAM, choose User Management > User Roles > List of Roles in order to see the list of roles so far.

    nac-cam-acs5-config-04.gif

  3. Add RADIUS Auth Server (ACS)

    1. Choose User Management > Auth Servers > New.

      nac-cam-acs5-config-05.gif

    2. From the Authentication Type drop-down menu, choose Radius.

    3. Enter the Provider Name as ACS.

    4. Enter the Server Name as auth.cisco.com.

    5. Server Port—The port number 1812 on which the RADIUS server is listening.

    6. Radius Type—The RADIUS authentication method. Supported methods include EAPMD5, PAP, CHAP, MSCHAP and MSCHAP2.

    7. Default Role is the role used if the mapping to ACS is not defined or set correctly, or if the RADIUS attribute is not defined or set correctly on the ACS.

    8. Shared Secret—The RADIUS shared secret bound to the specified client's IP address.

    9. NAS-IP-Address—The value sent as the NAS-IP-Address attribute in all RADIUS authentication packets.

    10. Click Add Server.

      nac-cam-acs5-config-06.gif

  4. Map ACS Users to CCA User Roles

    1. Choose User Management > Auth Servers > Mapping Rules > Add Mapping Link in order to map the admin user in ACS to the CCA admin user role.

      nac-cam-acs5-config-07.gif

    2. Choose User Management > Auth Servers > Mapping Rules > Add Mapping Link in order to map the normal user in ACS to the CCA user role.

      nac-cam-acs5-config-08.gif

      Here is the user role mapping summary:

      nac-cam-acs5-config-09.gif

  5. Enable Alternate Providers on User Page

    Choose Administration > User Pages > Login Page > Add > Content in order to enable alternate providers on the user login page.

    nac-cam-acs5-config-10.gif

ACS 5.x Configuration

  1. Choose Network Resources > Network Devices and AAA Clients, then click Create in order to add CAM as an AAA Client.

    nac-cam-acs5-config-11.gif

  2. Provide the Name, IP Address and choose RADIUS under Authentication Options. Then, provide the Shared Secret for CAM and click Submit.

    nac-cam-acs5-config-12.gif

  3. Choose Network Resources > Network Devices and AAA Clients, then click Create in order to add CAS as an AAA Client.

    nac-cam-acs5-config-13.gif

  4. Provide the Name, IP Address and choose RADIUS under Authentication Options. Then, provide the Shared Secret for CAS and click Submit.

    nac-cam-acs5-config-14.gif

  5. Choose Network Resources > Network Devices and AAA Clients and click Create in order to add ASA as an AAA Client.

    nac-cam-acs5-config-15.gif

  6. Provide the Name, IP Address and choose RADIUS under Authentication Options. Then, provide the Shared Secret for ASA and click Submit.

    nac-cam-acs5-config-16.gif

  7. Choose Users and Identity Stores > Identity Groups and click Create in order to create a new Identity Group.

    nac-cam-acs5-config-17.gif

  8. Provide the Group Name and click Submit.

    nac-cam-acs5-config-18.gif

  9. Choose Users and Identity Stores > Identity Groups and click Create in order to create a new Identity Group.

    nac-cam-acs5-config-19.gif

  10. Provide the Group Name and click Submit.

    nac-cam-acs5-config-20.gif

  11. Choose Users and Identity Stores > Internal Identity Stores > Users and click Create in order to create a new user.

    nac-cam-acs5-config-21.gif

  12. Provide the Name of the user and change the group membership to Admin group. Then, provide the password and confirm the password. Click Submit.

    nac-cam-acs5-config-22.gif

  13. Choose Users and Identity Stores > Internal Identity Stores > Users and click Create in order to create a new user.

    nac-cam-acs5-config-23.gif

  14. Provide the Name of the user and change the group membership to Users group. Then, provide the password and confirm the password. Click Submit.

    nac-cam-acs5-config-24.gif

  15. Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles and click Create in order to create a new Authorization Profile.

    nac-cam-acs5-config-25.gif

  16. Provide the Profile Name and click RADIUS Attributes.

    nac-cam-acs5-config-26.gif

  17. From the RADIUS Attributes tab, choose RADIUS-IETF as the Dictionary Type. Then, click Select next to RADIUS Attribute.

    nac-cam-acs5-config-27.gif

  18. Choose the Class attribute and click OK.

    nac-cam-acs5-config-28.gif

  19. Ensure that the Attribute Value is Static and enter Admin as the value. Click Add, then click Submit.

    nac-cam-acs5-config-29.gif

  20. Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles and click Create in order to create a new Authorization Profile.

    nac-cam-acs5-config-30.gif

  21. Provide the Profile Name and click RADIUS Attributes.

    nac-cam-acs5-config-31.gif

  22. From the RADIUS Attributes tab, choose RADIUS-IETF as the Dictionary Type. Then, click Select next to RADIUS Attribute.

    nac-cam-acs5-config-32.gif

  23. Choose the Class attribute and click OK.

    nac-cam-acs5-config-33.gif

  24. Ensure that the Attribute Value is Static and enter Users as the value. Click Add, then click Submit.

    nac-cam-acs5-config-34.gif

  25. Choose Access Policies > Access Services > Service Selection Rules and identify which service is processing the RADIUS request. In this example, the service is Default Network Access.

    nac-cam-acs5-config-35.gif

  26. Choose Access Policies > Access Services > Default Network Access (the service identified in the previous step as the one that processes the RADIUS request) > Authorization. Click Customize.

    nac-cam-acs5-config-36.gif

  27. Move Identity Group from Available to the Selected column. Click OK.

    nac-cam-acs5-config-37.gif

  28. Click Create in order to create a new rule.

    nac-cam-acs5-config-38.gif

  29. Ensure that the Identity Group check box is checked, then click Select next to Identity Group.

    nac-cam-acs5-config-39.gif

  30. Select the Admin group and click OK.

    nac-cam-acs5-config-40.gif

  31. Click Select in the Authorization Profiles section.

    nac-cam-acs5-config-41.gif

  32. Select the Admin Authorization Profile and click OK.

    nac-cam-acs5-config-42.gif

  33. Click Create in order to create a new rule.

    nac-cam-acs5-config-43.gif

  34. Ensure that the Identity Group check box is checked and click Select next to Identity Group.

    nac-cam-acs5-config-44.gif

  35. Select the Users group and click OK.

    nac-cam-acs5-config-45.gif

  36. Click Select in the Authorization Profiles section.

    nac-cam-acs5-config-46.gif

  37. Select the Users Authorization Profile and click OK.

    nac-cam-acs5-config-47.gif

  38. Click OK.

    nac-cam-acs5-config-48.gif

  39. Click Save Changes.

    nac-cam-acs5-config-49.gif
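What the CAM-side Auth Server settings (step 3), the mapping rules (step 4) and the ACS authorization profiles carrying the Class attribute add up to on the wire, shown as an added example that is not part of the original document and not Cisco code: the server signs its Access-Accept with the shared secret, and the client verifies that signature before mapping the Class value to a role, falling back to the Default Role when nothing matches. The shared secret, packet identifier, request authenticator and the "Unauthenticated" default role name are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25          # RADIUS-IETF Class, the attribute chosen in the ACS authorization profile
ATTR_NAS_IP_ADDRESS = 4  # NAS-IP-Address, sent by the CAM with every Access-Request

# Mapping rules as configured on the CAM (Auth Servers > Mapping Rules): Class value -> CCA role.
ROLE_MAP = {"Admin": "admin", "Users": "users"}
DEFAULT_ROLE = "Unauthenticated"  # constructed stand-in for the Default Role chosen on the Auth Server page


def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response the way the server does: attributes first, then
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs = []
    while payload:
        if len(payload) < 2 or payload[1] < 2 or payload[1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[0], payload[2:payload[1]]))
        payload = payload[payload[1]:]
    return attrs


def role_for_response(packet, request_auth, secret):
    """Client side: verify the Response Authenticator with the shared secret, then map the
    Class attribute to a CCA role; returns None for anything other than an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or altered reply")
    if code != ACCESS_ACCEPT:
        return None
    # ACS may send several Class attributes; the first one that matches a mapping rule wins.
    for attr_type, value in parse_attributes(body):
        role = ROLE_MAP.get(value.decode("ascii", "replace"))
        if attr_type == ATTR_CLASS and role is not None:
            return role
    return DEFAULT_ROLE
```

A reply whose Class value matches no mapping rule lands in the Default Role, which is why that role should be the most restrictive one you are willing to grant.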

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
