Configuration Guide for Cisco Secure ACS 4.2
Index

Numerics

802.1x 2-2

A

AAA clients 4-14

configuring RADIUS client 9-2

creating 4-15

deleting 4-15

updating 4-15

AAA server

configuring 9-4

Access Control Entries

See ACEs

accessing Cisco Secure ACS

how to 6-4, 9-2

URL 6-4, 9-2

access policy

configuring 5-9

HTTP port allocation 5-11

IP address filtering 5-10

access types 2-2

wired LAN access 2-2

accountActions codes

ADD_USER 4-5

CREATE_DACL 4-5

CREATE_USER_DACL 4-5

DELETE_USER_DACL 4-14

deleting 4-13

READ_DACL 4-13

READ_NAS 4-15

UPDATE_DACL 4-13

UPDATE_NAS 4-15

UPDATE_USER_DACL 4-14

accountActions file

for creating dACLs 4-4

Account Locked 5-4

Account Never Expires 5-4

ACE

adding 9-23

ACLs

default 9-52

ACS

installing 6-4, 9-2

ACS configuration

configuration flowchart 1-6

overview 1-1

summary of steps 1-1

ACS dictionary

adding vendor attributes to 9-31, 9-40, 9-74

ACS internal database

using to validate MAC addresses 6-22

Active Directory

multi-forest support 3-7

ADD_USER 4-5

administration control

configuring for NAC/NAP 9-17

administrative access policies

overview 2-17

administrator account

adding 5-2

editing 5-2

administrator entitlement reports 5-12

administrators

locking out 5-7

separation from general users 2-18

Agentless Host for L2 (802.1x fallback) template 9-65

agentless host support

overview 6-1

summary of configuration steps 6-3

agentless request processing

enabling 6-18

enabling for a NAP 6-20

AP

See wireless access point

architecture

campus LAN 2-3

for ACS deployment 2-1

small LAN environment 2-3

wired LAN

geographically dispersed 2-4

audit flow settings

configuring for an audit server 9-35, 9-43, 9-78

audit servers 6-2

configuring 9-32, 9-41, 9-76

configuring audit flow settings for 9-35, 9-43, 9-78

configuring for MAB support 6-24

external posture validation audit servers 9-31, 9-40, 9-74

in NAC networks 6-2

mapping to a profile 9-71

audit vendor file

importing 9-73

AV pairs 9-52

B

Bypass info attribute

in Passed Authentications and Failed Attempts reports 6-23

C

CA certificate

installing 6-9, 7-4, 9-7

campus LAN 2-3

campus WLAN 2-6

cautions

significance of x

Certificate Binary Comparison

specifying for EAP-TLS 7-6

Certificate CN Comparison

specifying for EAP-TLS 7-6

certificate database for LDAP servers

trusted root CA 6-16

Certificate SAN Comparison

specifying for EAP-TLS 7-6

Cisco Network Admission Control

See NAC

Common LDAP Configuration 6-14

configuration flowchart 1-6

configuration steps

for password policy configuration 5-2

configuring

AAA server 9-4

access policy 5-9

ACS for EAP-FAST 9-12

ACS for LDAP 6-13

ACS for remote web access 9-17

audit servers 9-32, 9-41, 9-76

dACLs 4-2

external posture validation audit server 9-31, 9-40, 9-74

external posture validation policy 9-38

GAME group feedback 6-24, 9-72, 9-79

global authentication settings 7-5

group filtering at the NAP level 3-6

incorrect password attempt options 5-7

internal posture validation policy 9-35

LDAP server 6-16

logging and reports 9-14

logging level 9-14

logs and reports 9-14

MAB 6-21

multiforest support for Active Directory 3-7

password lifetime options 5-6

password policy 5-4

RADIUS AAA client 6-5, 9-2

RSA Token Server support 3-8

session policy 5-7

shared secret for RADIUS key wrap 9-4

Syslog time format 3-7

conventions x

CREATE_DACL 4-5

CREATE_USER_DACL 4-5

creating

AAA clients 4-15

NAP 6-18

RACs 9-26

CSA Uninstall Patch 3-16

CSDBSync 4-8

csdbsync -run command 4-8

csdbsync -syncnow command 4-8

CSUtil

using to import a device-type attribute file 9-73

using to import an audit vendor file 9-73

using to import NAC attribute-value pairs 9-73

CSV file 4-5

CSV Passed Authentications report 9-15

D

dACLs

accountActions file for creating 4-4

configuring

using RDBMS Synchronization 4-2

configuring for NAC/NAP 9-21

creating a text file to configure 4-2

deleting 4-12

errors creating 4-11

reading 4-12

updating 4-12

viewing 4-9

database replication 2-13

design 2-14

databases

deployment considerations 2-19

default ACLs 9-52

defining

RACs 9-26

DELETE_DACL 4-13

DELETE_USER_DACL 4-14

deleting

AAA clients 4-15

deleting dACLs 4-12

deployment

architecture 2-1

considerations

database replication 2-13

number of access servers 2-12

RDBMS Synchronization 2-14

device-type attribute file

importing using CSUtil 9-73

device types

for GAME group feedback 9-80

disabling NETBIOS 3-4

documentation

conventions x

objectives ix

related xii

downloadable ACLs

See dACLs

E

EAP 2-2

EAP-FAST

configuring ACS for 9-12

configuring for NAC/NAP 9-12

configuring new features in ACS 4.2 3-2

EAP-TLS 2-3

specifying Certificate Binary Comparison for 7-6

specifying Certificate CN Comparison for 7-6

specifying certificate SAN comparison for 7-6

Edit Network Access Protocols page 6-19

enabling

agentless request processing 6-18

agentless request processing for a NAP 6-20

NAFs 9-22

Passed Authentication report 9-15

security certificates 6-8, 7-3, 9-8

EoU 9-25

errors

creating dACLs 4-11

Extensible Authentication Protocol

See EAP

Extensible Authentication Protocol-Transport Layer Security

See EAP-TLS

external posture validation policy

adding to a profile 9-69

configuring 9-38

F

facility codes

for Syslog messages 8-4

G

GAME group feedback 6-2, 6-24

configuring 6-24, 9-72, 9-79

defined 6-3

selecting device types 9-80

Global Authentication

configuring for NAC/NAP 9-9

setting up 9-9

global authentication settings

configuring 7-5

group filtering

configuring at the NAP level 3-6

H

Health Registration Authority 2-15

Host Credentials Authorization Protocol 2-15

HTTP port allocation 5-11

I

incorrect password attempt options 5-7

installation

related documentation xii

installing

ACS 6-4, 9-2

security certificate 9-5

security certificates 6-6, 7-2, 9-6

internal posture validation policy

adding to a profile 9-69

configuring 9-35

IP address filtering 5-10

L

large enterprise WLAN 2-8

large LAN

defined 2-2

latency in networks 2-19

Layer 2 NAC 802.1x template 9-55

LDAP 3-6

ACS configuration for 6-13

configuring for MAB support 6-10

sample schema for MAB support 6-10

LDAP server

configuring 6-16

LDAP user groups

for MAB support 6-12

Lightweight Directory Access Protocol

See LDAP

logging

configuring 9-14

enhanced features with ACS 4.2 3-5

logging level

configuring 9-14

logs and reports

configuring 9-14

M

MAB

configuring 6-21

configuring ACS user groups for MAB segments 6-17

configuring audit server to support 6-24

configuring LDAP support for 6-10

defined

sample LDAP schema for MAB support 6-10

MAC addresses

format for entering in ACS 6-22

MAC authentication bypass

See MAB

medium-sized LAN

defined 2-2

multi-forest support 3-7

N

NAC

configuring posture validation for 9-35

sample profile templates 9-44

Agentless Host for L2 (802.1x fallback) template 9-65

NAC Layer 2 9-49

NAC Layer 2 802.1x 9-55

NAC Layer 3 9-44

wireless (NAC L2 802.1x) template 9-60

NAC/NAP

components defined 2-15

deploying ACS with 2-15

network architecture illustrated 2-16

NAC attribute-value pairs

importing using CSUtil 9-73

NAC L2 802.1x 9-25, 9-56

NAC L2 IP 9-25

NAC L3 IP template 9-44

NAF

enabling 9-22

selecting for a NAP 6-19

NAP

configuring group filtering by LDAP user group 3-6

creating 6-18

enabling agentless request processing for 6-20

NAP agent 2-15

NAP client 2-15

NETBIOS

disabling 3-4

net start csdbsync command 4-9

net stop csdbsync command 4-9

Network Access Filter

See NAF

Network Access Filtering

See NAF

network access profile

See NAP

network access servers

number supported by ACS 2-12

network configuration

specifying using RDBMS Synchronization

RDBMS Synchronization

specifying network configuration     1

Network Policy Server

See NPS

networks

latency 2-19

reliability 2-19

P

PAC

disabling PAC processing in NAPs 3-3

Passed Authentication report

enabling 9-15

password configuration

Account Locked 5-4

Account Never Expires 5-4

password inactivity options 5-7

password lifetime options 5-6

password policy

configuring 5-1, 5-4

incorrect password attempt options 5-7

password inactivity options 5-7

password lifetime options 5-6

password validation options 5-6

PEAP 2-3

ping

turning off 3-16

turning on 3-16

Policy Servers 2-15

Populate from Global 9-53

port 2002

in HTTP port ranges 5-11

posture assessments

final 9-43

in progress 9-43

posture validation

configuring for NAC 9-35

profile

adding an external validation policy to 9-69

adding an internal validation policy to 9-69

mapping audit servers to 9-71

protected access certificate

See PAC

Protected Extensible Authentication Protocol

See PEAP

purging

RSA Node Secret file 3-10

R

RACs

configuring for NAC/NAP 9-25

creating 9-26

sample RACs for NAC/NAP 9-26

RADIUS 2-2

RADIUS AAA client

configuring 6-5

RADIUS AAA clients

configuring 9-2

RADIUS access control entry

See ACE

RADIUS Authorization Components

See RACs

RDBMS Synchronization 2-14

configuring to use a local CSV file 4-5

network configuration 4-14

running from the ACS GUI 4-8

using CSDBSync 4-8

using to configure dACLs 4-2

READ_DACL 4-13

READ_NAS 4-15

reading dACLs 4-12

regional WLAN 2-7

related documentation xii

reliability of network 2-19

remote access policies 2-16

remote web access

configuring ACS for 9-17

reports

administrator entitlement report 5-12

RSA

configuring LDAP group mapping for 3-11

configuring Token Server support on the ACS SE 3-8

purging Node Secret file 3-10

S

Sarbanes-Oxley

See SOX

security certificate

installing and setting up 9-5

security certificates

adding a trusted certificate 7-4

copying to the ACS host 6-7, 7-2, 9-6

enabling 6-8, 7-3, 9-8

installing 6-6, 7-2, 9-6

using Windows Certificate Import Wizard 6-7, 7-2

installing the CA certificate 6-9, 7-4, 9-7

security policies 2-17

security protocols

EAP 2-2

EAP-TLS 2-3

PEAP 2-3

RADIUS 2-2

session policy

configuring 5-7

Shared Profile Components

configuring for NAC/NAP 9-20

shared secret

configuring 9-4

simple WLAN 2-5

small LAN

defined 2-2

small LAN environment 2-3

SOX compliance

administrator entitlement reports 5-12

SSL (secure sockets layer) 6-16

Syslog

configuring ACS to generate messages 8-1

Syslog messages

facility codes 8-4

format in ACS reports 8-4

Syslog server

specifying which Syslog server ACS sends messages to 8-3

Syslog time format

configuring 3-7

system logging

See Syslog

T

templates

samples for NAC 9-44

tokens

See posture assessments

trusted certificate

adding 7-4

U

UPDATE_DACL 4-13

UPDATE_NAS 4-15

UPDATE_USER_DACL 4-14

updating

AAA clients 4-15

updating dACLs 4-12

user groups

configuring for MAB segments 6-17

users

number allowed 2-19

V

vendor attributes

adding to the ACS dictionary 9-31, 9-40, 9-74

very large LAN or WLAN

defined 2-2

viewing dACLs 4-9

W

warnings

significance of x

Windows Certificate Import Wizard 6-7, 7-2

wired LAN

geographically dispersed 2-4

wired LAN access 2-2

wireless (NAC L2 802.1x) template 9-60

wireless access

campus WLAN 2-6

large enterprise WLAN 2-8

regional WLAN 2-7

simple WLAN 2-5

topology 2-5

wireless access point 2-5