Configuration Guide for Cisco Secure ACS 4.2
NAP/NAC Configuration Scenario

NAC Configuration Scenario

Table Of Contents

NAC Configuration Scenario

Step 1: Install ACS

Step 2: Perform Network Configuration Tasks

Configure a RADIUS AAA Client

Configure the AAA Server

Step 3: Set Up System Configuration

Install and Set Up an ACS Security Certificate

Obtain Certificates and Copy Them to the ACS Host

Set Up the ACS Certification Authority

Edit the Certificate Trust List

Install the CA Certificate

Install the ACS Certificate

Set Up Global Configuration

Set Up Global Authentication

Set Up EAP-FAST Configuration

Configure the Logging Level

Configure Logs and Reports

Step 4: Set Up Administration Control

Add Remote Administrator Access

Step 5: Set Up Shared Profile Components

Configure Network Access Filtering (Optional)

Configure Downloadable IP ACLs

Adding an ACL

Adding an ACE

Saving the dACL

Configure Radius Authorization Components

Step 6: Configure an External Posture Validation Audit Server

Add the Posture Attribute to the ACS Dictionary

Configure the External Posture Validation Audit Server

Step 7: Configure Posture Validation for NAC

Configure Internal Posture Validation Policies

Configure External Posture Validation Policies

Configure an External Posture Validation Audit Server

Add the Posture Attribute to the ACS Dictionary

Configure the External Posture Validation Audit Server

Authorization Policy and NAC Audit

Step 8: Set Up Templates to Create NAPs

Sample NAC Profile Templates

Sample NAC Layer 3 Profile Template

Profile Setup

Protocols Policy for the NAC Layer 3 Template

Authentication Policy

Sample Posture Validation Rule

Sample NAC Layer 2 Template

Profile Setup

Protocols Settings

Authentication Policy

Sample Posture Validation Rule

Sample NAC Layer 2 802.1x Template

Profile Setup

Protocols Policy

Authorization Policy

Sample Posture Validation Rule

Sample Wireless (NAC L2 802.1x) Template

Profile Setup

Protocols Policy

Authorization Policy

Sample Posture Validation Rule

Using a Sample Agentless Host Template

Profile Setup

Protocols Policy

Authentication Policy

Step 9: Map Posture Validation Components to Profiles

Step 10: Map an Audit Server to a Profile

Step 11 (Optional): Configure GAME Group Feedback

Import an Audit Vendor File by Using CSUtil

Import a Device-Type Attribute File by Using CSUtil

Import NAC Attribute-Value Pairs

Configure Database Support for Agentless Host Processing

Enable Posture Validation

Configure an External Audit Server

Configure an External Posture Validation Audit Server

Add the Posture Attribute to the ACS Dictionary

Configure the External Posture Validation Audit Server

Enable GAME Group Feedback


NAC Configuration Scenario


This chapter describes how to set up Cisco Secure Access Control Server 4.2, hereafter referred to as ACS, to work in a Cisco Network Admission Control environment. This chapter contains the following sections:

Step 1: Install ACS

Step 2: Perform Network Configuration Tasks

Step 3: Set Up System Configuration

Step 4: Set Up Administration Control

Step 5: Set Up Shared Profile Components

Step 6: Configure an External Posture Validation Audit Server

Step 7: Configure Posture Validation for NAC

Step 8: Set Up Templates to Create NAPs

Step 9: Map Posture Validation Components to Profiles

Step 10: Map an Audit Server to a Profile

Step 11 (Optional): Configure GAME Group Feedback

Step 1: Install ACS

This section describes how to install ACS, which runs on a Windows 2003 server or on a Cisco Secure ACS Solution Engine (ACS SE).

For detailed information on ACS installation, refer to the following guides:

Installation Guide for Cisco Secure ACS for Windows Release 4.2

Installation Guide for Cisco Secure ACS Solution Engine Release 4.2

To install ACS:


Step 1 Start the ACS installation:

If you are installing ACS for Windows:

a. Using a local administrator account, log in to the computer on which you want to install ACS.

b. Insert the ACS CD into a CD-ROM drive on the computer.

c. If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears; otherwise, run setup.exe, located in the root directory of the ACS CD.

d. In the Cisco Secure ACS for Windows dialog box, click Install.

If you are installing ACS SE, follow the instructions in the Installation Guide for Cisco Secure ACS Solution Engine 4.2. Chapter 2, "Installing and Configuring Cisco Secure ACS Solution Engine 4.2," provides detailed installation instructions.

During the installation process, you are prompted to enter a password for encrypting the internal database.

Step 2 Enter a password that is at least 8 characters long and contains both letters and numbers.

The ACS installation process for ACS for Windows automatically creates a shortcut to the ACS administrative GUI on your desktop.

Step 3 Double-click the icon to open a browser window to the ACS administrative GUI.

Step 4 If you do not see the icon on the desktop, open your browser from the machine on which you installed ACS and go to one of these addresses:

http://IP_address:2002

http://hostname:2002

where IP_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS.


Step 2: Perform Network Configuration Tasks

This section describes:

Configure a RADIUS AAA Client

Configure the AAA Server

Configure a RADIUS AAA Client

Before you can configure NAC support, you must configure a RADIUS AAA client.

To configure a RADIUS AAA client:


Step 1 In the navigation bar, click Network Configuration.

The Network Configuration page opens.

Step 2 Do one of the following:

If you are using Network Device Groups (NDGs), click the name of the NDG to which you want to assign the AAA client. Then, click Add Entry below the AAA Clients table.

To add AAA clients when you have not enabled NDGs, click Not Assigned and then click Add Entry below the AAA Clients table.

The Add AAA Client page opens, shown in Figure 9-1.

Figure 9-1 Add AAA Client Page

Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 alphanumeric characters).

Step 4 In the AAA Client IP Address box, type the AAA client IP address or addresses.


Note You can define all network access devices (NADs) as a single AAA client by entering IP address wildcards; for example, *.*.*.*. Note however, that AAA client definitions with wildcards cannot overlap with other AAA client definitions, regardless of the authentication type configured for the AAA clients.


Step 5 In the Shared Secret box, type a shared secret key for the AAA client.

The shared secret is a string that you determine; for example, mynet123. The shared secret must be identical on the AAA client and ACS. Keys are case sensitive. If the shared secrets do not match, ACS discards all packets from the network device.

Step 6 If you are using NDGs, from the Network Device Group list, choose the name of the NDG to which this AAA client should belong, or click Not Assigned to make this AAA client independent of NDGs.

Step 7 Type the shared secret keys for RADIUS Key Wrap in EAP-TLS authentications.

Each key must be unique, and must also be distinct from the RADIUS shared key. You can configure these shared keys for each AAA client, as well as for each NDG. The NDG key configuration overrides the AAA client configuration. If the key entry is null, ACS uses the AAA client key. You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP-TLS authentication:

a. Key Encryption Key (KEK)—Used for encryption of the Pairwise Master Key (PMK). The maximum length is 20 characters.

b. Message Authenticator Code Key (MACK)—Used for the keyed hashed message authentication code (HMAC) calculation over the RADIUS message. The maximum length is 16 characters.

c. Key Input Format—Click the format of the key, ASCII or hexadecimal strings (the default is ASCII).

Step 8 From the Authenticate Using list, choose RADIUS (IOS/PIX).

Step 9 Specify additional AAA client settings as required.

Step 10 Click Submit + Apply.


Configure the AAA Server

Your AAA server is automatically populated during the installation of ACS, using the hostname assigned to the Windows 2003 system. You must specify some additional configuration information to enable the server to communicate with AAA clients.

To configure the AAA server:


Step 1 In the navigation bar, click Network Configuration.

The Network Configuration page opens.

Step 2 In the AAA Servers table, click the name of the AAA server in the AAA Server Name column.

The AAA Server Setup page opens, shown in Figure 9-2.

Figure 9-2 AAA Server Setup Page

Step 3 In the Key field, enter the shared secret that you used to set up the AAA clients.

Step 4 Click Submit and Apply.

Step 3: Set Up System Configuration

This section describes the following tasks:

Install and Set Up an ACS Security Certificate

Set Up Global Configuration

Install and Set Up an ACS Security Certificate

You must configure ACS with a digital certificate for establishing client trust when ACS challenges the client for its credentials. Note these points:

For authenticated in-band Protected Access Credential (PAC) provisioning for EAP-FAST, the client must have a certificate that matches the one installed in ACS.

For the most scalable NAC environments, Cisco recommends a production public key infrastructure (PKI) in which a production certificate authority (CA) or registration authorities (RAs) sign the certificates.

This section describes a simplified procedure for the ACS for Windows platform. For detailed information on installing certificates and for information on how to install certificates on the Cisco Secure ACS Solution Engine platform, see Chapter 9 of the User Guide for Cisco Secure ACS 4.2, "Advanced Configuration: Authentication and Certificates."

Obtain Certificates and Copy Them to the ACS Host

To copy a certificate to the ACS host:


Step 1 Obtain a security certificate.

Step 2 Create a \certs directory on the ACS server.

a. Open a DOS command window.

b. To create a certificates directory, enter:

mkdir <selected_drive>:\certs

where selected_drive is the currently selected drive.

Step 3 Copy the certificate files to the \certs directory; for example:

ACS-1.nac.cisco.com.cer (server certificate)

ACS-1.PrivateKey.txt (server certificate private key)

ca.nac.cisco.com.cer (CA certificate)

You are now ready to set up the ACS certification authority.


Set Up the ACS Certification Authority

To set up the ACS certification authority:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 2 Click ACS Certificate Setup.

The ACS Certificate Setup page opens.

Step 3 Click ACS Certification Authority Setup.

The ACS Certificate Authority page opens, as shown in Figure 9-3.

Figure 9-3 ACS Certificate Authority Setup Page

Step 4 Enter the path and filename for the certificate authority certificate and then click Submit.

Step 5 Restart ACS.

To restart ACS, choose System Configuration > Service Control and then click Restart.


Edit the Certificate Trust List

After you set up the ACS certification authority, you must add the CA certificate to the ACS Certificate Trust list.

To add the certificate to the Certificate Trust list:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 2 Choose ACS Certificate Setup > Edit Certificate Trust List.

The Edit Certificate Trust List page opens.

Step 3 In the list of certificates, locate the CA certificate that you installed and check the check box next to it.

Step 4 Click Submit.

Step 5 Restart ACS.

To restart ACS, choose System Configuration > Service Control and then click Restart.


Install the CA Certificate

To install the CA Certificate:


Step 1 Choose System Configuration > ACS Certificate Setup > ACS Certification Authority Setup.

Step 2 The ACS Certification Authority Setup page appears, as shown in Figure 9-4.

Figure 9-4 ACS Certification Authority Setup Page

Step 3 In the CA certificate file box, type the CA certificate location (path and name); for example: c:\Certs\ca.cer.

Step 4 Click Submit.


Install the ACS Certificate

To enable security certificates on the ACS installation:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 2 Click ACS Certificate Setup.

Step 3 Click Install ACS Certificate.

Step 4 The Install ACS Certificate page opens, as shown in Figure 9-5.

Figure 9-5 Install ACS Certificate Page

Step 5 Click the Read certificate from file radio button.

Step 6 In the Certificate file text box, enter the server certificate location (path and name); for example: c:\Certs\server.cer.

Step 7 In the Private key file text box, type the server certificate private key location (path and name); for example: c:\Certs\server.pvk.

Step 8 In the Private Key password text box, type the private key password; for example cisco123.

Step 9 Click Submit.

Step 10 ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services.

Step 11 Restart ACS.

To restart ACS, choose System Configuration > Service Control and then click Restart.


Set Up Global Configuration

This section describes the following tasks:

Set Up Global Authentication

Set Up EAP-FAST Configuration

Set Up Global Authentication

In the global authentication setup, you specify the protocols that ACS uses to transfer credentials from the host for authentication and authorization. Unless you have a limited deployment environment or specific security concerns, you should globally enable all protocols. If you do not enable a protocol in the global authentication setup, it will not be available later in the Network Access Profiles configuration interface.

To set up global authentication:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 2 Click Global Authentication Setup.

The Global Authentication Setup Page appears, as shown in Figure 9-6.

Figure 9-6 Global Authentication Setup Page

Step 3 To make the PEAP global authentication parameters available in the NAP configuration, check the check boxes for:

Allow EAP-MSCHAPv2.

EAP-MSCHAPv2 is a variation of the Microsoft Challenge and Response Protocol that is used with the Protected Extensible Authentication Protocol (PEAP). For a description of the EAP-MSCHAPv2 protocol, see the "Authentication" section in Chapter 1 of the User Guide for Cisco Secure ACS 4.2, "Overview."

Allow EAP-GTC.

For a description of the EAP Generic Token Card (EAP-GTC) protocol, see "EAP-FAST Authentication" in Chapter 9 of the User Guide for Cisco Secure ACS 4.2, "System Configuration: Authentication and Certificates."

Allow Posture Validation.

For a description of Posture Validation, see the "What Is Posture Validation" section in Chapter 13 of the User Guide for Cisco Secure ACS 4.2, "Posture Validation."

Step 4 In the EAP-TLS section:

a. Check the Allow EAP-TLS check box.

b. Check the Certificate SAN comparison and Certificate Binary comparison check boxes.

c. Leave the EAP-TLS timeout field set to the default (120 minutes).

Step 5 In the EAP-MD5 section, check the Allow EAP-MD5 check box.

Step 6 Scroll down to the MS-CHAP configuration section, and check the Allow MS-CHAP Version 1 Authentication and Allow MS-CHAP Version 2 Authentication check boxes, as shown in Figure 9-7.

Figure 9-7 MS-CHAP Authentication Selection

Step 7 Click Submit + Restart.

Step 8 Go to Set Up EAP-FAST Configuration, and configure EAP-FAST authentication.


Set Up EAP-FAST Configuration

To configure ACS to work with NAC and use EAP-FAST with posture validation:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 2 Click Global Authentication Setup.

The Global Authentication Setup Page appears, as shown in Figure 9-6.

Step 3 Click EAP-FAST Configuration.

The EAP FAST Configuration page appears, as shown in Figure 9-8.

Figure 9-8 EAP-FAST Configuration Page

Step 4 Check the Allow EAP-FAST check box.

Step 5 In the Client Initial Message text box, enter a message; for example, Welcome.

Step 6 In the Authority ID Info field, enter the name of the certificate authority server. In the example shown in Figure 9-8, this is ACS NAC Server. However, this can be any string.

Step 7 Check the Allow anonymous in-band PAC provisioning and authenticated in-band PAC provisioning check boxes.

Step 8 Check the Accept client on authenticated provisioning and Require client certificate for provisioning check boxes.

Step 9 Check the check boxes for the EAP-GTC, EAP-MSCHAPv2, and EAP-TLS inner methods.

The EAP-FAST Master Server check box is automatically checked (enabled).

Check the Certificate SAN and Certificate Binary comparison check boxes to enable these EAP-TLS comparison methods.

Step 10 Click Submit + Restart.


Configure the Logging Level

To set ACS to full logging capabilities:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 2 Click Service Control.

Step 3 Under Level of Detail, click the Full radio button.


Note Setting the logging level to Full might affect system performance. Therefore, you should set the logging level to Full for an initial deployment when detailed troubleshooting is required. After the network has become stable, set the logging level to Normal.


Step 4 Check the Manage Directory check box and choose how many days of logging to keep. (Enter the number of days, based on how much space you have on your hard drive. Cisco recommends that you specify seven days.)

Step 5 Click Restart to restart ACS. (Wait until the browser's progress bar shows that the page has reloaded completely.)


Configure Logs and Reports

ACS logs records of users who gain or are refused network access, as well as records of other actions. You can output the information in the logs to reports that you view in the ACS GUI, which you can then save or print out and review. These reports summarize the logs, and provide useful information for debugging and tracking problems.

For detailed information on ACS logs and reports, see Chapter 10 of the User Guide for Cisco Secure ACS 4.2, "Logs and Reports."

The Failed Attempts report and the RADIUS Accounting report are useful tools for monitoring the performance of the NAC/NAP network. The Passed Authentications report is particularly useful in NAC-enabled networks because it shows the group mapping for each posture validation request. By default, the Passed Authentications report is unchecked (disabled).

To enable the Passed Authentications report:


Step 1 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 2 Click Logging.

The Logging Configuration page opens. From this page, open the CSV Passed Authentications File Configuration page, shown in Figure 9-9.

Figure 9-9 CSV Passed Authentications File Configuration Page

Step 3 Check the Log to CSV Passed Authentications Report check box.

Step 4 Move the attributes that you want to log from the Attributes list to Logged Attributes list.

Some useful attributes to log are:

Message-Type

User-Name

Caller-ID

NAS-Port

NAS-IP-Address

AAA Server

Filter Information

Network Device Group

Access Device

PEAP/EAP-FAST-Clear-Name

Logged Remotely

EAP Type

EAP Type Name

Network Access Profile Name

Outbound Class

Shared RAC

Downloadable ACL

System-Posture-Token

Application-Posture-Token

Reason

Profile Name

Step 5 Click Submit.

Step 6 In the ACS Reports table, click the Configure link for the CSV RADIUS Accounting report.

The CSV RADIUS Accounting File Configuration page appears.

Check the Log to CSV RADIUS Accounting Report check box.

Step 7 Move the attributes that you want to log from the Attributes list to the Logged Attributes list.

Some useful attributes to log are:

User-Name

Group-Name

Calling-Station-Id

Acct-Status-Type

Acct-Session-Id

Acct-Session-Time

Acct-Input-Octets

Acct-Output-Octets

Acct-Input-Packets

Acct-Output-Packets

Framed-IP-Address

NAS-Port

NAS-IP-Address

Class

Termination-Action

Called-Station-Id

Acct-Delay-Time

Acct-Authentic

Acct-Terminate-Cause

Event-Timestamp

NAS-Port-Type

Port-Limit

NAS-Port-Id

AAA Server

ExtDB Info

Network Access Profile Name

cisco-av-pair

Access Device

Logged Remotely

Step 8 Click Submit.
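The attributes chosen above are what make the Passed Authentications report useful for NAC monitoring. The following Python script is an added illustration, not part of this guide or of ACS: it reads constructed sample rows shaped like the CSV export, counts system posture tokens, and flags sessions whose Shared RAC does not match the posture token. The column names, the sample rows, and the token-to-RAC policy are assumptions.

```python
import csv
import io
from collections import Counter

# NAC system posture tokens as they appear in the System-Posture-Token column.
# Healthy and Checkup hosts are the ones that should have received full access.
FULL_ACCESS_TOKENS = {"Healthy", "Checkup"}

# Sample RAC names from this chapter. The token-to-RAC policy below is an
# assumption about how the NAP was configured, not something ACS enforces here.
FULL_ACCESS_RAC = "Cisco_FullAccess"
RESTRICTED_RAC = "Cisco_Restricted"

# Constructed sample rows in the shape of a CSV Passed Authentications export,
# using the attribute names selected as Logged Attributes above. Real ACS
# exports carry more columns and a Date/Time prefix; this subset is illustrative.
SAMPLE_PASSED_AUTH_CSV = """\
Message-Type,User-Name,NAS-IP-Address,Network Access Profile Name,Shared RAC,Downloadable ACL,System-Posture-Token,Application-Posture-Token,Reason
Authen OK,alice,10.10.1.2,NAC_L2_IP,Cisco_FullAccess,Cisco_FullAccess_ACL,Healthy,Healthy,
Authen OK,bob,10.10.1.2,NAC_L2_IP,Cisco_Restricted,Cisco_Quarantine_ACL,Quarantine,Quarantine,AV signatures out of date
Authen OK,carol,10.10.1.3,NAC_L2_IP,Cisco_FullAccess,Cisco_FullAccess_ACL,Infected,Infected,Malware detected
Authen OK,dave,10.10.1.3,NAC_L2_802.1x,Cisco_FullAccess,Cisco_FullAccess_ACL,Checkup,Checkup,
"""


def expected_rac(system_posture_token):
    """RAC the assumed policy should have applied for a given system posture token."""
    return FULL_ACCESS_RAC if system_posture_token in FULL_ACCESS_TOKENS else RESTRICTED_RAC


def audit_passed_authentications(csv_text):
    """Summarise posture tokens and flag sessions whose RAC contradicts the token.

    Returns (token_counts, mismatches): token_counts is a Counter keyed by
    System-Posture-Token; mismatches lists each session that received a RAC
    other than the one expected for its token.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    token_counts = Counter()
    mismatches = []
    for row in reader:
        spt = row["System-Posture-Token"].strip()
        token_counts[spt] += 1
        applied = row["Shared RAC"].strip()
        wanted = expected_rac(spt)
        if applied != wanted:
            mismatches.append({
                "user": row["User-Name"],
                "nas": row["NAS-IP-Address"],
                "profile": row["Network Access Profile Name"],
                "posture_token": spt,
                "applied_rac": applied,
                "expected_rac": wanted,
                "reason": row["Reason"],
            })
    return token_counts, mismatches


if __name__ == "__main__":
    counts, bad = audit_passed_authentications(SAMPLE_PASSED_AUTH_CSV)
    for token, n in sorted(counts.items()):
        print(f"{token:<12} {n}")
    for m in bad:
        print(f"MISMATCH user={m['user']} nas={m['nas']} token={m['posture_token']} "
              f"rac={m['applied_rac']} expected={m['expected_rac']}")
```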


Step 4: Set Up Administration Control

This section describes how to add remote administrator access.

Add Remote Administrator Access

To prepare ACS for remote administration:


Step 1 In the navigation bar, click Administration Control.

The Administration Control page opens.

Step 2 Click Add Administrator.

The Add Administrator page opens, as shown in Figure 9-10.

Figure 9-10 Add Administrator Page

Step 3 In the Administrator Details area, specify the following information:

Option
Description

Administrator Name

Enter the login name for the ACS administrator account. Administrator names can contain 1 to 32 characters, but cannot contain the left angle bracket (<), the right angle bracket (>), or the backslash (\). An ACS administrator name does not have to match a network user name.

Password

Enter the password for the administrator to access the ACS web interface.

The password can match the password that the administrator uses for dial-in authentication; or, it can be a different password. ACS enforces the options in the Password Validation Options section on the Administrator Password Policy page.

Passwords must be at least 4 characters long and contain at least 1 numeric character. The password cannot include the username or the reverse username, must not match any of the previous 4 passwords, and must be in ASCII characters. If you make a password error, ACS displays the password criteria.

If the password policy changes and the password does not change, the administrator remains logged in. ACS enforces the new password policy at the next login.

Confirm Password

Reenter the password that you entered in the password field.

Account Never Expires

If you want to override the lockout options set up on the Administrator Password Policy page (with the exception of manual lockout), check the check box next to Account Never Expires. If you check this option, the account never expires, but the password change policy remains in effect. The default value is unchecked (disabled).

Account Locked

If you want to lock out an administrator who is denied access due to the account policy options specified on the Password Policy page, check the Account Locked check box. When unchecked (disabled), this option unlocks an administrator who was locked out.

Administrators who have the Administration Control privilege can use this option to manually lock out an account or reset locked accounts. The system displays a message that explains the reason for a lockout.

When an administrator unlocks an account, ACS resets the Last Password Change and the Last Activity fields to the day on which the administrator unlocks the account.

The reset of a locked account does not affect the configuration of the lockout and unlock mechanisms for failed attempts.


Step 4 Click Grant All.

Grant All gives the new administrator every privilege; alternatively, specify the groups or actions to which this administrator is granted access.


Note For more information on administrative privileges, see the "Add Administrator and Edit Administrator Pages" section in Chapter 11 of the User Guide for Cisco Secure Access Control Server 4.2, "Administrators and Administrative Policy."


Step 5 Click Submit.

After performing these steps, from a remote host, you can open a browser in which to administer ACS.

The URLs for remote access are:

http://IP_address:2002

http://hostname:2002


Step 5: Set Up Shared Profile Components

Before you can set up NAPs, you must set up Shared Profile Components.

Shared Profile Components are configurations that can be reused across many different NAPs to set up filtering within ACS or to control network authorizations within RADIUS.

A NAP is a classification of network-access requests for applying a common policy. You can use NAPs to aggregate all policies that should be activated for a certain location in the network or for users who connect to the network by using specified protocols such as EAP over UDP (EoU) or 802.1x.

For detailed information on NAPs, see Chapter 14 of the User Guide for Cisco Secure ACS 4.2, "Network Access Profiles."

This section describes the following tasks:

Configure Network Access Filtering (Optional)

Configure Downloadable IP ACLs

Configure Radius Authorization Components

Configure Network Access Filtering (Optional)

A network access filter (NAF) is an ACS feature that groups several devices into one named set. The members can be ACS clients, ACS servers, ACS network device groups (NDGs), or specific IP addresses. NAFs are particularly useful for defining NAPs.

When you set up Downloadable IP ACLs, you can:

Assign the default NAF, which is All AAA Clients.

This default allows access to all clients.

Set up a NAF to limit access to specified clients.

To set up a NAF:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page opens.

Step 2 Click Network Access Filtering.

The Network Access Filtering table appears. Initially, this table does not contain shared profile components.

Step 3 Click Add.

The Edit Network Access Filtering page opens, as shown in Figure 9-11.

Figure 9-11 Edit Network Access Filtering Page

Step 4 In the Name text box, enter a name for the network access filter.

Step 5 Move any devices or device groups to the Selected Items list.

To move a device or device group, select the item to move and then click the right arrow button to move it to the Selected Items list.

Step 6 Click Submit.


Configure Downloadable IP ACLs

Downloadable IP Access Control Lists (dACLs) are access lists that can be downloaded to enforce the network authorization of a host. Downloadable ACLs dynamically download Layer 3 and Layer 4 access control entries (ACEs) to a router or to a VPN concentrator and merge them with the default interface ACL.

In ACS 4.2, you can download access lists to specific devices or device groups.

You can define an access list that contains one or more dACLs and later download the list to network devices, based on their assignments to user groups. Before you define dACLs, enable dACLs.

Each Assessment Result (system posture token), according to its definition, should have its own ACL, which contains one or more Access Control Entries (ACEs) that will instruct the NAC network device (router) to block packets from going to a specific destination or allow packets to reach a specific destination.

To enable dACLs and NAFs, which are required to create NAPs:

Add a new posture ACL.

Add ACE entries for the ACL.

Save the posture ACL.


Note These ACLs are referred to as posture ACLs because they are a component of a NAP that is used in posture validation.


Adding an ACL

To add a new ACL:


Step 1 Choose Shared Profile Components > Downloadable IP ACLs.

A list of dACLs appears, as shown in Figure 9-12:

Figure 9-12 Downloadable IP ACL List

Step 2 Click Add.

The Edit Downloadable IP ACLs page opens, as shown in Figure 9-13.

Figure 9-13 Downloadable IP ACLs Page

Step 3 On the Downloadable IP ACLs page, enter a Name and optional Description for the ACL, as shown in Figure 9-13.


Note Do not use spaces in the name of the ACL. IOS does not accept ACL names that include spaces.



Adding an ACE

To add an ACE:


Step 1 On the Downloadable IP ACLs page, click Add (below the ACL table of contents) to add a new ACE to the ACL and assign it to a NAF.

The Downloadable IP ACL Content page opens, as shown in Figure 9-14.

Figure 9-14 Downloadable IP ACL Content Page

Step 2 In the Name text box, type the ACL name.

Step 3 In the ACL Definitions input box, type definitions for the ACL.

ACL definitions consist of a series of permit and deny statements that permit or deny access for specified hosts. For information on the syntax for ACL definitions, see the "Downloadable ACLs" section of Chapter 4 of the User Guide for Cisco Secure Access Control Server 4.2, "Shared Profile Components."

Step 4 Click Submit.


Note Before configuring the ACL on ACS, you should test the syntax on the device to ensure that each ACE is valid.


The Downloadable ACL page appears with the new ACL in the ACL Contents list, as shown in Figure 9-15.

Figure 9-15 Downloadable ACL Contents List with New Content

Step 5 From the drop-down list in the Network Access Filtering column of the ACL Contents table, choose the correct NAF for this ACL.

You can choose the default NAF (All AAA Clients), or you can specify a NAF that you have configured to control how access is set up for different devices or groups of devices.

For example, the syntax of an ACE on routers differs from the syntax on a Private Internet Exchange (PIX) firewall. By using a NAF, you can assign the same ACL to a PIX and a router, even though the actual ACE that is downloaded is different.

Step 6 Click Submit.

The new ACL appears on the list of downloadable ACLs.


Saving the dACL

When you finish adding ACEs to the dACL, click Submit to save the dACL and submit it.
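The notes above recommend testing each ACE on the device and keeping spaces out of ACL names. As an added illustration that is not part of this guide or of ACS, the following Python linter checks dACL content lines against a subset of the IOS extended-ACL syntax (numeric ports only) before they are pasted into the ACL Definitions box, and rejects ACL names that contain spaces. The quarantine ACL and the 10.1.1.20 remediation host are constructed sample values.

```python
import ipaddress

# Subset of the IOS extended-ACL grammar assumed for the ACL Definitions box,
# one ACE per line, without the "ip access-list extended NAME" header:
#   permit|deny PROTO SRC [PORT] DST [PORT] [log]
#   SRC/DST: any | host A.B.C.D | A.B.C.D WILDCARD
#   PORT:    eq|neq|gt|lt N | range N M   (numeric ports, tcp/udp only)
ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def _parse_address(tokens, pos):
    """Consume one address specifier starting at tokens[pos]; return the next pos."""
    if pos >= len(tokens):
        raise ValueError("missing address specifier")
    tok = tokens[pos]
    if tok == "any":
        return pos + 1
    if tok == "host":
        if pos + 1 >= len(tokens):
            raise ValueError("'host' needs an address")
        ipaddress.IPv4Address(tokens[pos + 1])   # raises on malformed input
        return pos + 2
    if pos + 1 >= len(tokens):
        raise ValueError(f"address {tok} needs a wildcard mask")
    ipaddress.IPv4Address(tok)
    ipaddress.IPv4Address(tokens[pos + 1])
    return pos + 2


def _parse_ports(tokens, pos, proto):
    """Consume an optional port match at tokens[pos]; return the next pos."""
    if pos >= len(tokens) or tokens[pos] not in PORT_OPS:
        return pos
    if proto not in ("tcp", "udp"):
        raise ValueError(f"port match is not valid for protocol {proto}")
    nargs = 2 if tokens[pos] == "range" else 1
    args = tokens[pos + 1:pos + 1 + nargs]
    if len(args) != nargs:
        raise ValueError(f"'{tokens[pos]}' is missing a port argument")
    for a in args:
        if not a.isdigit() or not 0 <= int(a) <= 65535:
            raise ValueError(f"bad port number {a!r}")
    return pos + 1 + nargs


def check_ace(line):
    """Raise ValueError if a single ACE line does not match the grammar above."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError("ACE too short")
    action, proto = tokens[0], tokens[1]
    if action not in ACTIONS:
        raise ValueError(f"ACE must start with permit or deny, not {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    pos = _parse_address(tokens, 2)
    pos = _parse_ports(tokens, pos, proto)
    pos = _parse_address(tokens, pos)
    pos = _parse_ports(tokens, pos, proto)
    if tokens[pos:] == ["log"]:
        pos += 1
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {' '.join(tokens[pos:])}")


def lint_dacl(name, content):
    """Return a list of problems with a dACL name and its ACE content (empty if clean)."""
    errors = []
    if " " in name:
        errors.append("ACL name contains a space; IOS does not accept such names")
    lines = [l.strip() for l in content.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    if not lines:
        errors.append("ACL has no ACEs")
    for n, line in enumerate(lines, 1):
        try:
            check_ace(line)
        except ValueError as exc:      # ipaddress errors are ValueError subclasses
            errors.append(f"ACE {n} ({line}): {exc}")
    return errors


# Constructed quarantine ACL: allow DNS and a remediation web server, deny the rest.
QUARANTINE_ACL = """\
permit udp any any eq 53
permit tcp any host 10.1.1.20 eq 80
permit tcp any host 10.1.1.20 eq 443
deny ip any any
"""

if __name__ == "__main__":
    print(lint_dacl("Cisco_Quarantine", QUARANTINE_ACL) or "ACL looks valid")
```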

Configure Radius Authorization Components

Shared RADIUS Authorization Components (RACs) are sets of RADIUS attributes that ACS applies to Network Access Devices (NADs) during network authorization. Each RAC can contain one or more vendor RADIUS attributes, including Cisco IOS/PIX 6.0, IETF, and Ascend attributes.

By setting up RACs, you can dynamically assign RADIUS attributes to user sessions based on a policy. For example, you can create a RAC that gathers the RADIUS attributes that define a VLAN. Users who access the network through a switch, for example, are then given access to specified VLANs based on how they are authorized and authenticated.

The sample RACs in this section provide RADIUS configurations to handle the most important services in the NAC environment:

EoU (NAC L2 IP)

NAC L2 802.1x

The sample RACs are:

Cisco_FullAccess—Provides full access to the Cisco network. You use this RAC to grant access to clients that qualify as healthy.

Cisco_Restricted—Provides restricted access to the Cisco network. You use this RAC to grant partial (quarantined) access to clients that do not qualify as healthy.

To define RACs:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page opens.

Step 2 Click RADIUS Authorization Components.

The RADIUS Authorization Components table appears. Initially, this table does not contain any RACs.

Step 3 Click Add.

The RADIUS Authorization Components Page opens, as shown in Figure 9-16.

Figure 9-16 RADIUS Authorization Components Page

Step 4 Enter a Name and Description in the RADIUS Authorization Components page.

Step 5 In the Add New Attribute section, add the RADIUS attributes for the RAC.

a. To add an attribute, from the drop-down lists for Cisco IOS/PIX 6.0, IETF, and Ascend, choose the attribute that you want to add and then click Add.

For example, from the IETF drop-down list, choose Session-Timeout (27) and click Add.

The RAC Attribute Add/Edit page opens. Figure 9-17 shows the RAC Attribute Add/Edit page for Session-Timeout (27).

Figure 9-17 RAC Attribute Add/Edit Page

b. In the Value field for the attribute, enter an appropriate value. Each attribute has specific value types based on how the attribute is defined.

For example, for the Session-Timeout (27) attribute, enter a timeout value in seconds.

c. Click Submit.

Step 6 When you are finished adding attributes, click Submit.

Step 7 To enable the RAC, from the navigation bar, choose System Configuration > Service Control and then click Restart.

Figure 9-18 shows attribute selection for the Cisco_FullAccess RAC and Figure 9-19 shows attribute selection for the Cisco_Restricted RAC.

Figure 9-18 Attribute Selection for the Cisco_FullAccess RAC

Figure 9-19 Attribute Selection for the Cisco_Restricted RAC

To enable VLAN assignment, the sample RACs include the following RADIUS attributes:

Session-Timeout (attribute 27)—Enables a session timeout. In the sample RACs, the timeout value is set to 3600 seconds (six hours). Because session timeouts and revalidations use considerable network resources, you might want to set the timeout value to allow a longer timeout period; for example, 8 to 24 hours.

Termination-Action (attribute 29)—Determines how the switch port responds to a session timeout. This attribute is only used in Access-Accept packets. When a session timeout occurs, the port drops all traffic on the switch until reauthentication is complete. In the sample RACs, this attribute is set to RADIUS-Request (1). This ensures that the switch maintains the current VLAN assignment and network connectivity while reauthentication is in progress.

Tunnel-Type (attribute 64)—Specifies the type of tunnel that is set up for the user to connect. In the sample RACs, this value is set to type 10, VLAN, which indicates that the user is granted access to a VLAN that is configured on the switch.

Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an 802 protocol. In the NAC/NAP environment, this is the 802.1x protocol.

Tunnel-Private-Group-ID (attribute 81)—Indicates the group ID for the VLAN tunnel. In the sample RAC, this is set to Quarantine, which denotes the quarantine VLAN to which devices are assigned. In actual practice, set this to a VLAN name that is configured on the switch.
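To see what the two sample RACs look like on the wire, here is an added example (not code from the ACS guide or from Cisco) that encodes the attribute set above into a RADIUS Access-Accept, adds the Message-Authenticator from Table 9-1, and verifies both authenticators as a NAD would. Attribute numbers and values follow Table 9-1 and RFC 2865/2868/2869 (Tunnel-Type 13 = VLAN); the shared secret, Request Authenticator, tag byte, and the Corporate VLAN name are constructed sample values, while Quarantine is the name used in the guide.

```python
"""Encode the sample RACs as RADIUS Access-Accept attributes and check integrity.

Added example, not ACS or Cisco code. Secret, Request Authenticator, tag byte
and the "Corporate" VLAN name are constructed; "Quarantine" is from the guide.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81
RADIUS_REQUEST = 1  # Termination-Action value: re-authenticate, keep the VLAN


def avp(atype, value):
    """RFC 2865 attribute: Type, Length (counting these 2 bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(value, tag=1):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def rac_attributes(vlan_name, session_timeout=3600, tag=1):
    """The attribute set the guide lists for the sample RACs."""
    return [
        (SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
        (TERMINATION_ACTION, struct.pack("!I", RADIUS_REQUEST)),
        (TUNNEL_TYPE, tagged_int(13, tag)),        # 13 = VLAN (Table 9-1)
        (TUNNEL_MEDIUM_TYPE, tagged_int(6, tag)),  # 6 = IEEE 802
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode()),
    ]


RACS = {
    "Cisco_FullAccess": rac_attributes("Corporate"),   # constructed VLAN name
    "Cisco_Restricted": rac_attributes("Quarantine"),  # VLAN name from the guide
}


def build_access_accept(identifier, request_auth, attributes, secret):
    """Access-Accept with the RAC attributes, Message-Authenticator (80)
    and the RFC 2865 Response Authenticator filled in."""
    body = b"".join(avp(t, v) for t, v in attributes)
    zeroed = body + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(zeroed))
    # RFC 2869 5.14: HMAC-MD5 over the packet with the Request Authenticator
    # in the authenticator field and the Message-Authenticator value zeroed.
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    attrs = body + avp(MESSAGE_AUTHENTICATOR, mac)
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(packet):
    """Walk the attribute list, rejecting bad lengths instead of over-reading."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_access_accept(packet, request_auth, secret):
    """True only if both authenticators check out under the shared secret."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    parsed = parse_attributes(packet)
    macs = [v for t, v in parsed if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = b"".join(avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
                      for t, v in parsed)
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, macs[0])


def describe_authorization(packet):
    """Map the attributes back to the settings the guide describes."""
    info = {}
    for atype, value in parse_attributes(packet):
        if atype == SESSION_TIMEOUT:
            info["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == TERMINATION_ACTION:
            action = struct.unpack("!I", value)[0]
            info["termination_action"] = "RADIUS-Request" if action == RADIUS_REQUEST else "Default"
        elif atype == TUNNEL_TYPE:
            info["tunnel_type"] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            info["tunnel_medium_type"] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A tag byte is present only when its value is 0x00-0x1F (RFC 2868 3.6)
            info["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
    return info
```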


For reference, Table 9-1 lists all of the possible attributes that ACS can send. An X in the NAC-L2-802.1x, NAC-L2-IP, or NAC-L3-IP column indicates that ACS can send the specified attribute in a RADIUS Access-Accept response used with this technology.

Table 9-1 Attributes That Can Be Sent in the RADIUS Access-Accept Response

NAC-L2-802.1x | NAC-L2-IP | NAC-L3-IP | Attribute Number | Attribute Name | Description
x |   |   | 1 | User-Name | Copied from EAP Identity Response in Access-Request
  | x | x | 8 | Framed-IP-Address | IP address of host
  | x | x | 26 | Vendor-Specific, Cisco (9,1): CiscoSecure-Defined-ACL | ACL name. ACS automatically sends this to the NAD as part of the RADIUS packet.
x |   |   | 26 | Vendor-Specific, Cisco (9,1): sec:pg | Policy-based ACL assignment. Only applies to Catalyst 6000. sec:pg = <group-name>
  | x | x | 26 | Vendor-Specific, Cisco (9,1): url-redirect | Redirection URL. url-redirect = <URL>
  | x | x | 26 | Vendor-Specific, Cisco (9,1): url-redirect-acl | Apply the named ACL for the redirect URL; the ACL must be defined locally on the NAD. Only works on switches with IOS. url-redirect-acl = <ACL-Name>
x | x | x | 26 | Vendor-Specific, Cisco (9,1): posture-token | Posture token/state name. Automatically sent by ACS.
  | x | x | 26 | Vendor-Specific, Cisco (9,1): status-query-timeout | Sets Status Query timer
  | x | x | 26 | Vendor-Specific, Cisco (9,1): host-session-id | Session identifier used for auditing. Automatically sent by ACS.
x | x | x | 26 | Vendor-Specific, Microsoft (311): MS-MPPE-Recv-Key | Key for Status Query. Automatically sent by ACS.
x | x | x | 27 | Session-Timeout | Sets Revalidation Timer (in seconds)
x | x | x | 29 | Termination-Action | Action on Session Timeout: (0) Default: Terminate session; (1) RADIUS-Request: Re-authenticate
x |   |   | 64 | Tunnel-Type | 13 = VLAN
x |   |   | 65 | Tunnel-Medium-Type | 6 = 802
x | x | x | 79 | EAP-Message | EAP Request/Response packet in Access-Request and Access-Challenge; EAP Success in Access-Accept; EAP Failure in Access-Reject
x | x | x | 80 | Message-Authenticator | HMAC-MD5 to ensure integrity of packet.
x |   |   | 81 | Tunnel-Private-Group-ID | VLAN name


Step 6: Configure an External Posture Validation Audit Server

A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture validation of the agentless hosts to an audit server. The audit server determines the posture credentials of a host without relying on the presence of a PA.

Configuring an external audit server involves two stages:

Adding the posture attribute to the ACS internal dictionary.

Configuring an external posture validation server (audit server).

Add the Posture Attribute to the ACS Dictionary

Before you can create an external posture validation server, you must add one or more vendor attributes to the ACS internal data dictionary. To do this, you use the bin\CSUtil tool, which is located in the ACS installation directory.

To add the posture attributes:


Step 1 Create a text file in the \Utils directory with the following format:

[attr#0]
vendor-id=[your vendor id]
vendor-name=[The name of your company]
application-id=6
application-name=Audit
attribute-id=00003
attribute-name=Dummy-attr
attribute-profile=out
attribute-type=unsigned integer

Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned number that is the first section of the posture token attribute name, [vendor]:6:

Step 2 To install the attributes specified in the text file:

a. Open a DOS command window.

b. Enter the following command:

\<ACS_Install_Dir>\bin\CSUtil -addAVP [file_name]

where ACS_Install_Dir is the name of the ACS installation directory and file_name is the name of the text file that contains vendor attributes.

Step 3 Restart the CSAdmin, CSLog, and CSAuth services.


Configure the External Posture Validation Audit Server

You can configure an audit server once, and then use it for other profiles.

To configure an audit server:


Step 1 In the Posture Validation Components Setup page, click External Posture Validation Audit Setup.

Step 2 Click Add Server.

The External Posture Validation Audit Server Setup page appears, as shown in Figure 9-20.

Figure 9-20 External Posture Validation Audit Server Setup Page

Step 3 To configure the audit server:

a. Enter a Name and Description (optional).

b. In the Which Hosts Are Audited section, choose which hosts to audit. You can enter the IP or MAC addresses of hosts that you want to audit, or of hosts that you do not want to audit.

c. For the hosts that will not be audited, choose a posture token from the drop-down list.

d. Scroll down to the Use These Audit Servers section.

Figure 9-21 shows the Use These Audit Servers section of the External Posture Validation Server Setup page.

Figure 9-21 Use These Audit Servers Section

e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password.

Figure 9-22 shows the Audit Flow Settings and the GAME Group Feedback section.

Figure 9-22 Audit Flow Settings and GAME Group Feedback Sections

f. If required, in the Audit Flow Setting section, set the audit-flow parameters.

g. If you are configuring GAME group feedback to support agentless host configuration in the NAC environment, configure the settings in the GAME Group Feedback section.

For information on configuring GAME Group Feedback settings, see Enable GAME Group Feedback.

h. Click Submit.


Step 7: Configure Posture Validation for NAC

This section describes how to set up simple posture validation for a NAC-enabled network. You can create internal policies that ACS uses to validate the posture data or you can configure ACS to send the posture data to an external posture validation server.

Configure Internal Posture Validation Policies

An internal posture validation policy is an internal attribute policy that you can use in more than one profile. The result of an internal posture validation policy is a Posture Assessment (token) returned according to rules that you set.

To create an internal posture validation policy:


Step 1 In the navigation bar, click Posture Validation.

The Posture Validation Components Setup page opens.

Step 2 Click Internal Posture Validation Setup.

The Posture Validation page opens, which lists any existing posture validation policies.

Step 3 Choose Add Policy.

The Edit Posture Validation page opens.

Step 4 Enter a name for the policy.

Step 5 Enter a Description (optional).

Step 6 Click Submit.

A new internal policy is created with a default rule. Figure 9-23 shows an example policy.

Figure 9-23 Creating a New Posture Validation Policy

Step 7 To edit the default rule:

a. Click on the Default link.

b. Choose a new Posture Assessment and Notification String for the default rule.

Step 8 To add a new rule:

a. Click Add Rule.

The Edit Posture Rule page appears, as shown in Figure 9-24. Initially no conditions are available for the rule.

Figure 9-24 Edit Posture Validation Rule Page

b. Click Add Condition Set.

c. The Add/Edit Condition page appears, as shown in Figure 9-25.

Figure 9-25 Add/Edit Condition Page

d. From the Attribute drop-down list, choose an Attribute value.

e. From the Operator drop-down list, choose a condition.

f. In the Value text box, enter a value for the condition.

g. Click Enter.

The specified rule appears in Add/Edit Condition page, as shown in Figure 9-25.

h. Enter additional conditions as required.

i. Click Submit.

j. Click Apply and Restart to apply the new posture validation rule(s).


Configure External Posture Validation Policies

An external posture validation policy uses an external server that returns a posture assessment (token) to ACS according to data that the ACS forwards to this server.

To set up an external posture validation server:


Step 1 In the Posture Validation Components Setup page, click External Posture Validation Setup.

Step 2 The Edit External Posture Validation Servers page opens, as shown in Figure 9-26.

Figure 9-26 Edit External Posture Validation Servers Page

Initially, the list of external posture validation servers is empty.

Step 3 Click Add Server.

The Add/Edit External Posture Validation Server page appears, as shown in Figure 9-27.

Figure 9-27 Add/Edit External Posture Validation Server Page

Step 4 Enter a Name and Description (optional).

Step 5 Enter the server details, URL, User, Password, Timeout, and certificate (if required by the antivirus server).

Step 6 Click Submit.


Configure an External Posture Validation Audit Server

A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture validation of the agentless hosts to an audit server. The audit server determines the posture credentials of a host without relying on the presence of a PA.

Configuring an external audit server involves two stages:

Adding the posture attribute to the ACS internal dictionary.

Configuring an external posture validation server (audit server).

Add the Posture Attribute to the ACS Dictionary

Before you can create an external posture validation server, you must add one or more vendor attributes to the ACS internal data dictionary. To do this, you use the bin\CSUtil tool, which is located in the ACS installation directory.

To add the posture attributes:


Step 1 Create a text file in the \Utils directory with the following format:

[attr#0]
vendor-id=[your vendor id]
vendor-name=[The name of your company]
application-id=6
application-name=Audit
attribute-id=00003
attribute-name=Dummy-attr
attribute-profile=out
attribute-type=unsigned integer

Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned number that is the first section of the posture token attribute name, [vendor]:6:

Step 2 To install the attributes specified in the text file:

a. Open a DOS command window.

b. Enter the following command:

\<ACS_Install_Dir>\bin\CSUtil -addAVP [file_name]

where ACS_Install_Dir is the name of the ACS installation directory and file_name is the name of the text file that contains vendor attributes.

Step 3 Restart the CSAdmin, CSLog, and CSAuth services.


Configure the External Posture Validation Audit Server

You can configure an audit server once, and then use it for other profiles.

To configure an audit server:


Step 1 In the Posture Validation Components Setup page, click External Posture Validation Audit Setup.

Step 2 Click Add Server.

The External Posture Validation Audit Server Setup page appears, as shown in Figure 9-28.

Figure 9-28 External Posture Validation Audit Server Setup Page

Step 3 To configure the audit server:

a. Enter a Name and Description (optional).

b. In the Which Hosts Are Audited section, choose which hosts to audit. You can enter the IP or MAC addresses of hosts that you want to audit, or of hosts that you do not want to audit.

c. For the hosts that will not be audited, choose a posture token from the drop-down list.

d. Scroll down to the Use These Audit Servers section.

Figure 9-29 shows the Use These Audit Servers section of the External Posture Validation Server Setup page.

Figure 9-29 Use These Audit Servers Section

e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password.

Figure 9-30 shows the Audit Flow Settings and the GAME Group Feedback section.

Figure 9-30 Audit Flow Settings and GAME Group Feedback Sections

f. If required, in the Audit Flow Setting section, set the audit-flow parameters.

g. If you are configuring GAME group feedback to support agentless host configuration in the NAC environment, configure the settings in the GAME Group Feedback section.

For information on configuring GAME Group Feedback settings, see Enable GAME Group Feedback.

h. Click Submit.


Authorization Policy and NAC Audit

Audit servers define two types of posture assessments (tokens):

A temporary posture assessment is used as the in-progress assessment. ACS grants the in-progress posture assessment to the agentless host while the audit server is still auditing the host and does not yet have a final result.

A final posture assessment is the posture assessment that the audit server returns after it completes the auditing process.

To configure the authorization policy to work with the audit server, at least two RACs or downloadable ACLs are required: one for the in progress posture assessment and one for the final posture assessment. You should use a separate RAC or downloadable ACL for each token.

Step 8: Set Up Templates to Create NAPs

ACS 4.1 provides several profile templates that you can use to configure common usable profiles. In NAC-enabled networks, you can use these predefined profile templates to configure commonly used profiles. This section describes the templates provided in ACS 4.1.

Sample NAC Profile Templates

ACS 4.1 provides the following sample profile templates for NAC:

NAC Layer 3 profile template (NAC L3 IP)

NAC Layer 2 profile template (NAC L2 IP)

NAC Layer 2 802.1x template (NAC L2 802.1x)

Wireless (NAC L2 802.1x) template

In addition to these templates, ACS 4.1 provides two templates for agentless host processing that you can use in NAC installations:

Agentless Host for Layer 3 profile template

Agentless Host for Layer 2 (802.1x) profile template

Sample NAC Layer 3 Profile Template

This template creates a profile for Layer 3 NAC requests. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.

To create a Layer 3 NAC profile template:


Step 1 Check the check boxes for the following options in the Global Authentication Setup page:

Allow Posture Validation

EAP-FAST

EAP-FAST MS-CHAPv2

EAP-FAST GTC

Step 2 In the navigation bar, click Network Access Profiles.

The Network Access Profiles page opens.

Step 3 Click Add Template Profile.

The Create Profile from Template page opens, as shown in Figure 9-31.

Figure 9-31 Create Profile From Template Page

Step 4 Enter a Name and Description (optional).

Step 5 From the Template drop-down list, choose NAC L3 IP.

Step 6 Check the Active check box.

Step 7 Click Submit.

If no error appears, then you have created a profile that can authenticate Layer 3 NAC hosts.

The Edit Network Access Profile page opens, and the new profile appears in the Name column.

The predefined values for the Layer 3 NAC template include:

Profile Setup options

Protocols

A sample posture validation policy

Authentication policy

Step 8 To select a predefined set of values, click on one of the configuration options:

The profile name (to select the profile setup page for the profile)

Protocols

Authentication Policy

Sample Posture Validation Rules


Profile Setup

To use the Profile Setup settings from the template:


Step 1 In the navigation bar, click Network Access Profiles.

Step 2 Choose the profile that you created.

Step 3 The Profile Setup page appears, as shown in Figure 9-32.

Figure 9-32 Profile Setup Page for Layer 3 NAC Template

The default settings for the profile are:

Any appears in the Network Access Filter field, which means that this profile has no IP filter.

You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.

Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.

You can click the Allow Selected Protocol types option to specify a protocol type for filtering.

Two rules are configured in Advanced Filtering:

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.


Protocols Policy for the NAC Layer 3 Template

Figure 9-33 shows the Protocols settings for the NAC Layer 3 template.

Figure 9-33 Protocols Setting for NAC Layer 3 Template

In the EAP Configuration section, Posture Validation is enabled.

Authentication Policy

To configure authentication policy:


Step 1 In the navigation bar, select Network Access Profiles.

Step 2 Choose the Authentication link from the Policies column.

The Authentication page for the profile opens, as shown in Figure 9-34.

Figure 9-34 Authentication Page for Layer 3 NAC Profile Template

On this page, you can see the Layer 3 NAC template configuration for authentication.

Step 3 Specify the external database that ACS uses to perform authentication:

a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.

b. To specify an LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.

c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.


Sample Posture Validation Rule

Figure 9-35 shows the sample posture validation policy provided with the NAC Layer 3 template.

Figure 9-35 Sample Posture Validation Policy for NAC Layer 3 Template

Sample NAC Layer 2 Template

This template creates a profile for Layer 2 NAC requests.

Before you use the Layer 2 NAC profile template:

1. Select EAP-FAST Configuration in Global Authentication Settings.

2. Check (enable) the Allow authenticated in-band PAC provisioning check box.

3. Check (enable) EAP-GTC and EAP-MSCHAPv2.

To create a Layer 2 NAC profile template:


Step 1 In the navigation bar, click Network Access Profiles.

The Network Access Profiles page opens.

Step 2 Click Add Template Profile.

Step 3 Enter a Name and Description (optional).

Step 4 From the Template drop-down list, choose NAC L2 IP.

Step 5 Check the Active check box.

Step 6 Click Submit.

If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts and the Profile Setup page for the NAC Layer 2 template appears.

The predefined values for the Layer 2 NAC template include:

Profile Setup

Protocols settings

Authentication policy

A sample posture validation rule

The name of this policy is NAC-EXAMPLE-POSTURE-EXAMPLE.

Step 7 To select a configuration option, click the option name.


Profile Setup

To enable the profile setup:


Step 1 Go to Network Access Profiles.

Step 2 Choose the Profile that you created.

The Profile Setup page appears, as shown in Figure 9-36.

Figure 9-36 Profile Setup Page for NAC Layer 2 Template

The default settings for the profile are:

Any appears in the Network Access Filter field, which means that this profile has no IP filter.

You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.

Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.

You can select the Allow Selected Protocol types option to specify a protocol type for filtering.

Two rules are configured in Advanced Filtering:

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.

This template automatically sets Advanced Filtering and Authentication properties with NAC Layer 2 IP Configuration.


ACS and Attribute-Value Pairs

When you enable NAC Layer 2 IP validation, ACS provides NAC AAA services by using RADIUS. ACS gets information about the antivirus credentials of the endpoint system and validates the antivirus condition of the endpoint.

You can set these Attribute-Value (AV) pairs on ACS by using the RADIUS cisco-av-pair vendor-specific attributes (VSAs).

CiscoSecure-Defined-ACL—Specifies the names of the downloadable ACLs on the ACS. The switch gets the ACL name from the CiscoSecure-Defined-ACL AV pair in this format:

#ACL#-IP-name-number

where name is the ACL name and number is the version number, such as 3f783768.

ACS uses the Auth-Proxy posture code to check whether the switch has downloaded the access-control entries (ACEs) for the specified downloadable ACL. If the switch has not downloaded the ACEs, ACS sends an AAA request with the downloadable ACL name as the username so that the switch downloads the ACEs. The downloadable ACL is then created as a named ACL on the switch. This ACL has ACEs with a source address of any and does not have an implicit deny statement at the end. When the downloadable ACL is applied to an interface after posture validation is complete, the source address is changed from any to the host source IP address. The ACEs are prepended to the ACL that is applied to the switch interface to which the endpoint device is connected.

If traffic matches the CiscoSecure-Defined-ACL ACEs, ACS takes the appropriate actions required by NAC.

url-redirect and url-redirect-acl—Specify the local URL policy on the switch. The switches use these cisco-av-pair VSAs:

url-redirect = <HTTP or HTTPS URL>

url-redirect-acl = switch ACL name

These AV pairs enable the switch to intercept an HTTP or Secure HTTP (HTTPS) request from the endpoint device and forward the client web browser to the specified redirect address from which the latest antivirus files can be downloaded. The url-redirect AV pair on the ACS contains the URL to which the web browser will be redirected. The url-redirect-acl AV pair contains the name of an ACL which specifies the HTTP or HTTPS traffic to be redirected. The ACL must be defined on the switch. Traffic which matches a permit entry in the redirect ACL will be redirected.

If the host's posture is not healthy, ACS might send these AV pairs.

For more information about AV pairs that Cisco IOS software supports, see the documentation about the software releases that run on the AAA clients.

Default ACLs

If you configure NAC Layer 2 IP validation on a switch port, you must also configure a default port ACL on a switch port. You should also apply the default ACL to IP traffic for hosts that have not completed posture validation.

If you configure the default ACL on the switch and the ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host that is connected to a switch port. If the policy applies to the traffic, the switch forwards the traffic. If the policy does not apply, the switch applies the default ACL. However, if the switch gets a host access policy from the ACS, but the default ACL is not configured, the NAC Layer 2 IP configuration does not take effect.

When ACS sends the switch a downloadable ACL that specifies a redirect URL as a policy-map action, this ACL takes precedence over the default ACL that is already configured on the switch port. The default ACL also takes precedence over the policy that is already configured on the host. If the default port ACL is not configured on the switch, the switch can still apply the downloadable ACL from ACS.
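The way the downloadable ACL and the default port ACL combine is easier to see in code. This is an added example, not Cisco or ACS code, and it models only the behaviour the guide describes (source any rewritten to the host address, dACL entries prepended, no implicit deny in the dACL, implicit deny supplied by the default port ACL), not IOS itself. The ACL name uses the version number shown above; the ACE lines, the host address, and the DNS and remediation server addresses are constructed.

```python
"""Per-host ACL after NAC L2 IP posture validation: dACL entries with "any"
rewritten to the host, prepended to the default port ACL.

Added example, not Cisco or ACS code. ACE lines and addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional

DACL_NAME_RE = re.compile(r"^#ACL#-IP-(?P<name>.+)-(?P<version>[0-9a-f]+)$")
ANY = "0.0.0.0/0"


def parse_dacl_name(value):
    """Split a CiscoSecure-Defined-ACL value of the form #ACL#-IP-name-number."""
    m = DACL_NAME_RE.match(value)
    if m is None:
        raise ValueError(f"not a downloadable ACL name: {value!r}")
    return m["name"], m["version"]


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp" or "udp"
    src: str      # CIDR network
    dst: str      # CIDR network
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _address(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D/len' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return tokens[i], i + 1


def parse_ace(line):
    """Subset of IOS ACE syntax: action proto src dst [eq port]."""
    t = line.split()
    src, i = _address(t, 2)
    dst, i = _address(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, dst, dport)


def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def effective_acl(dacl, host_ip, default_port_acl):
    """dACL entries get the validated host as source and go in front of the
    port ACL; the dACL carries no implicit deny, the port ACL supplies it."""
    host_aces = [replace(a, src=f"{host_ip}/32") if a.src == ANY else a for a in dacl]
    return host_aces + default_port_acl


def decide(acl, pkt):
    """First matching ACE wins; no match falls to the port ACL's implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed quarantine policy: only DNS and the remediation web server.
QUARANTINE_DACL = [parse_ace(line) for line in (
    "permit udp any host 10.1.1.53 eq 53",
    "permit tcp any host 10.1.1.80 eq 80",
)]
# Constructed default port ACL: DHCP for hosts not yet validated, nothing else.
DEFAULT_PORT_ACL = [parse_ace("permit udp any any eq 67")]
```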

You use this template for access requests from Layer 2 devices that do not have the 802.1x client installed. The Authentication Bypass (802.1x fallback) template is used for access requests to bypass the nonclient authentication process. Users are mapped to a User Group based on their identity.


Note Do not click the Populate from Global button; otherwise, the settings for this authentication field will be inherited from the settings in the Global Authentication Setup in System Configuration.


Protocols Settings

Figure 9-37 shows the Protocols settings for the NAC Layer 2 template.

Figure 9-37 Protocols Setting for NAC Layer 2 Template

On this page, you can see the Layer 2 NAC template configuration for protocols. The default settings are:

In the EAP Configuration area, posture validation is enabled.

Allow EAP-Fast Configuration is checked, which means that this profile allows EAP-FAST authentication.

Authentication Policy

To set the authentication policy:


Step 1 In the navigation bar, click Network Access Profiles.

Step 2 Choose the Authentication link from the Policies column.

The Authentication Settings page for the NAC Layer 2 template opens, as shown in Figure 9-38.

Figure 9-38 Authentication Settings for NAC Layer 2 Template

Step 3 Specify the external database that ACS uses to perform authentication:

a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.

b. To specify an LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.

c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.


Sample Posture Validation Rule

Figure 9-39 shows the sample posture validation rule provided with the NAC Layer 2 template.

Figure 9-39 Sample Posture Validation Policy for NAC Layer 2 Template

Sample NAC Layer 2 802.1x Template

This template creates a profile for Layer 2 NAC 802.1x requests. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.

To create a Layer 2 NAC 802.1x profile template:


Step 1 In the navigation bar, click Network Access Profiles.

The Network Access Profiles page opens.

Step 2 Click Add Template Profile.

The Create Profile from Template page opens, as shown in Figure 9-40.

Figure 9-40 Create Profile From Template Page

Step 3 Enter a Name and Description (optional).

Step 4 From the Template drop-down list, choose NAC L2 802.1x.

Step 5 Check the Active check box.

Step 6 Click Submit.

If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts.

The Edit Network Access Profile page opens, and the new profile appears in the Name column.

The predefined values for the Layer 2 NAC 802.1x template include:

Profile Setup

Protocols

A sample posture validation policy

Authentication policy

Step 7 To select a predefined set of values, click on one of the configuration options:

The profile name (to select the profile setup page for the profile)

Protocols

Authentication Policy

Sample Posture Validation Rules


Profile Setup

To use the Profile Setup settings from the template:


Step 1 In the navigation bar, click Network Access Profiles.

Step 2 Choose the profile that you created.

Step 3 The Profile Setup page appears, as shown in Figure 9-41.

Figure 9-41 Profile Setup Page for NAC Layer 2 802.1x Template

The default settings for the profile are:

Any appears in the Network Access Filter field, which means that this profile has no IP filter.

You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.

Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.

You can select the Allow Selected Protocol types option to specify a protocol type for filtering.

Two rules are configured in Advanced Filtering:

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.


Protocols Policy

Figure 9-42 shows the Protocols settings for the NAC Layer 2 802.1x template.

Figure 9-42 Protocols Setting for NAC Layer 2 802.1x Template

In the EAP Configuration section, Posture Validation is enabled.

Authorization Policy

To configure an authorization policy for the NAC Layer 2 802.1x template:


Step 1 Go to Network Access Profiles.

Step 2 Choose the Authorization link from the Policies column.

The Authentication page for the NAC Layer 2 802.1x template profile appears, as shown in Figure 9-43.

Figure 9-43 Authentication Page for NAC Layer 2 802.1x Profile Template

On this page, you can see the Layer 2 NAC 802.1x template configuration for authorization.

Step 3 Specify the external database that ACS uses to perform authentication:

a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.

b. To specify an LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.

c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.


Sample Posture Validation Rule

Figure 9-44 shows the sample posture validation policy provided with the NAC Layer 2 802.1x template.

Figure 9-44 Sample Posture Validation Policy for NAC Layer 2 802.1x Template

Sample Wireless (NAC L2 802.1x) Template

This template creates a profile for Layer 2 NAC 802.1x requests in wireless networks. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.

To create a wireless (NAC L2 802.1x) NAC profile template:


Step 1 In the navigation bar, click Network Access Profiles.

The Network Access Profiles page opens.

Step 2 Click Add Template Profile.

The Create Profile from Template page opens, as shown in Figure 9-45.

Figure 9-45 Create Profile From Template Page

Step 3 Enter a Name and Description (optional).

Step 4 From the Template drop-down list, choose Wireless (NAC L2 802.1x).

Step 5 Check the Active check box.

Step 6 Click Submit.

If no error appears, then you have created a profile that can authenticate wireless NAC Layer 2 802.1x hosts.

The Edit Network Access Profile page opens, and the new profile is listed in the Name column.

The predefined values for the Wireless (NAC L2 802.1x) template include:

Profile Setup

Protocols

A sample posture validation policy

Authentication policy

Step 7 To select a predefined set of values, click on one of the configuration options:

The profile name (to select the profile setup page for the profile)

Protocols

Authentication Policy

Sample Posture Validation Rules


Profile Setup

To use the Profile Setup settings from the template:


Step 1 Go to Network Access Profiles.

Step 2 Choose the profile that you created.

The Profile Setup page appears, as shown in Figure 9-46.

Figure 9-46 Profile Setup Page for Wireless (NAC L2 802.1x) Template

The default settings for the profile are:

Any appears in the Network Access Filter field, which means that this profile has no IP filter.

You can choose a NAF from the drop-down list so that only requests from specific AAA clients match this profile.

In the Protocol types list, Allow any Protocol type appears, which means that this profile has no protocol type filter.

You can click the Allow Selected Protocol types option to restrict the profile to specific protocol types.

Two rules are configured in Advanced Filtering:

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

A RADIUS request must satisfy these attribute rules before the profile's policies authenticate and authorize it. You can change the advanced filter, and add, remove, or edit rules on any RADIUS attribute that the RADIUS client sends.


Protocols Policy

Figure 9-47 shows the Protocols settings for the Wireless (NAC L2 802.1x) template.

Figure 9-47 Protocols Setting for Wireless NAC 802.1x Template

In the EAP Configuration section, Posture Validation is enabled.

Authentication Policy

To configure an authentication policy for the Wireless (NAC L2 802.1x) template:


Step 1 Go to Network Access Profiles.

Step 2 Choose the Authentication link from the Policies column.

The Authentication page for the profile appears, as shown in Figure 9-48.

Figure 9-48 Authentication Page for Wireless (NAC L2 802.1x) Profile Template

On this page, you can see the Wireless (NAC L2 802.1x) template configuration for authentication.

Step 3 Specify the database that ACS uses to perform authentication:

a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.

b. To specify an LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.

c. From the If Agentless request was not assigned a user-group drop-down list, choose the user group to which ACS assigns an agentless host that the database lookup did not map to a user group.


Sample Posture Validation Rule

Figure 9-49 shows the sample posture validation policy provided with the Wireless (NAC L2 802.1x) template.

Figure 9-49 Sample Posture Validation Policy for Wireless (NAC L2 802.1x) Template


Note The posture validation policy for the wireless NAC L2 802.1x template is the same as for the NAC L2 802.1x template.


Using a Sample Agentless Host Template

ACS provides two sample templates for agentless host processing:

Agentless Host for L3

Agentless Host for L2 (802.1x fallback)

These two templates are almost identical. This section documents the steps for using the Agentless Host for Layer 3 template.


Note You can use the Agentless Host for L2 (802.1x Fallback) profile template to create a profile that matches the RADIUS request a switch sends when 802.1x falls back to MAC authentication. After you create the profile, analyze the RADIUS request that the switch (the Catalyst 6500 in this scenario) actually sends, so that the profile filter matches it accurately. The request from the switch has a Service-Type value of 10, just like NAC-L2-IP, but does not carry a Cisco attribute-value pair (AV pair) that contains the keyword service. The template therefore enables two entries in the Advanced Filtering section.


The Agentless Host for Layer 3 template creates a profile for Layer 3 requests that involve agentless host processing. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.

To create an agentless host for Layer 3 profile template:


Step 1 In the navigation bar, click Network Access Profiles.

The Network Access Profiles page opens.

Step 2 Click Add Template Profile.

The Create Profile from Template page opens, as shown in Figure 9-50.

Figure 9-50 Create Profile From Template Page

Step 3 Enter a Name and Description (optional).

Step 4 From the Template drop-down list, choose Agentless Host for L3.

Step 5 Check the Active check box.

Step 6 Click Submit.

If no error appears, then you have created a profile that can authenticate Layer 3 agentless NAC hosts.

The Edit Network Access Profile page opens, and the new profile is listed in the Name column.

The predefined values for the Agentless Host for Layer 3 template include:

Profile Setup

Protocols

A sample posture validation policy

Authentication policy

Step 7 To select a predefined set of values, click on one of the configuration options.

The profile name (to select the profile setup page for the profile)

Protocols

Authentication Policy

Sample Posture Validation Rules


Profile Setup

To use the Profile Setup settings from the template:


Step 1 Go to Network Access Profiles.

Step 2 Choose the profile that you created.

The Profile Setup page appears, as shown in Figure 9-51.

Figure 9-51 Profile Setup Page for Agentless Host for Layer 3 Template

The default settings for the profile are:

Any appears in the Network Access Filter field, which means that this profile has no IP filter.

You can choose a NAF from the drop-down list so that only requests from specific AAA clients match this profile.

In the Protocol types list, Allow any Protocol type appears, which means that this profile has no protocol type filter.

You can click the Allow Selected Protocol types option to restrict the profile to specific protocol types.

Two rules are configured in Advanced Filtering:

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

A RADIUS request must satisfy these attribute rules before the profile's policies authenticate and authorize it. You can change the advanced filter, and add, remove, or edit rules on any RADIUS attribute that the RADIUS client sends.
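The following is an added example, not code from the Cisco guide or from ACS itself. It models how a Network Access Profile's advanced filter sorts incoming RADIUS requests, using the two rules shown above for the Agentless Host for L3 template, and shows why a NAC-L2-IP request (Service-Type 10 plus the ip admission AV pair) and an 802.1x fallback request (Service-Type 10 with no service AV pair, as described in the Note above) both fall outside that filter. The rule set named AGENTLESS_L2_FALLBACK is a hypothetical rendering of that Note, not the template's actual rule text; the request contents, the Service-Type values other than 10, and the assumptions that rules are ANDed, that an absent attribute satisfies "!=", and that profiles are tried in order with first match winning are all the example's own.

```python
# Added example (not from the Cisco guide): a model of ACS Network Access Profile
# advanced filtering, used to check which constructed RADIUS requests a filter admits.
# ASSUMPTIONS: rules in one filter are combined with AND; "!=" is satisfied when the
# attribute is absent; profiles are tried in configured order and the first match wins.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str  # attribute name as written in the ACS filter, e.g. "[006]Service-Type"
    op: str         # "=" or "!="
    value: str


def rule_matches(rule: Rule, request: dict) -> bool:
    """request maps an attribute name to the list of values it carries
    (Cisco-av-pair can appear several times in one request)."""
    present = rule.value in request.get(rule.attribute, [])
    if rule.op == "=":
        return present
    if rule.op == "!=":
        return not present  # absent attribute counts as "not equal" (assumption)
    raise ValueError(f"unsupported operator {rule.op!r}")


def profile_matches(rules, request: dict) -> bool:
    """All rules of one advanced filter must hold (AND)."""
    return all(rule_matches(r, request) for r in rules)


def classify(profiles, request: dict):
    """Name of the first profile whose advanced filter matches, or None."""
    for name, rules in profiles:
        if profile_matches(rules, request):
            return name
    return None


SERVICE_TYPE = "[006]Service-Type"
AV_PAIR = "[026/009/001]Cisco-av-pair"
IP_ADMISSION = "aaa:service=ip admission"

# Filter shown for the Agentless Host for L3 template in the guide.
AGENTLESS_L3 = (Rule(AV_PAIR, "=", IP_ADMISSION), Rule(SERVICE_TYPE, "!=", "10"))
# Hypothetical rendering of the note on the L2 (802.1x fallback) template: Service-Type
# 10 with no service AV pair. This is NOT the template's actual rule text.
AGENTLESS_L2_FALLBACK = (Rule(SERVICE_TYPE, "=", "10"), Rule(AV_PAIR, "!=", IP_ADMISSION))

PROFILES = (
    ("Agentless Host for L3", AGENTLESS_L3),
    ("Agentless Host for L2 (802.1x fallback)", AGENTLESS_L2_FALLBACK),
)

# Constructed requests: only the attributes the filters look at are modelled, and the
# Service-Type values other than 10 are illustrative placeholders.
REQUESTS = {
    "nac_l3_router": {SERVICE_TYPE: ["5"], AV_PAIR: [IP_ADMISSION]},
    "nac_l2_ip_switch": {SERVICE_TYPE: ["10"], AV_PAIR: [IP_ADMISSION]},
    "mab_fallback_switch": {SERVICE_TYPE: ["10"]},
    "dot1x_supplicant": {SERVICE_TYPE: ["2"]},
}


if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:22} -> {classify(PROFILES, req)}")
```

Running the block shows that only the router request lands in the Layer 3 profile: the NAC-L2-IP request is rejected by the Service-Type != 10 rule, the 802.1x fallback request by the missing AV pair, and a plain 802.1x request by both. Requests that match no profile return None, which is the case to watch for when you edit a filter by hand.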


Protocols Policy

Figure 9-52 shows the Protocols settings for the Agentless Host for Layer 3 template.

Figure 9-52 Protocols Setting for Agentless Host for Layer 3 Template

In the Authentication Protocols section, the Allow Agentless Request Processing check box is checked, which lets the profile process requests from hosts that have no posture agent.

Authentication Policy

To configure an authentication policy for the Agentless Host for Layer 3 template:


Step 1 Go to Network Access Profiles.

Step 2 Choose the Authentication link from the Policies column.

The Authentication page for the profile appears, as shown in Figure 9-53.

Figure 9-53 Authentication Page for Agentless Host for Layer 3 Profile Template

On this page, you can see the Agentless Host for Layer 3 template configuration for authentication:

Step 3 Specify the external database that ACS uses to perform authentication:

a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.

b. To specify an LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.

c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.


Step 9: Map Posture Validation Components to Profiles

To add an internal posture validation policy, external posture validation server, or both, to a profile:


Step 1 Choose Network Access Profiles.

Step 2 Choose the relevant profile Posture Validation policy.

Step 3 Click Add Rule.

Step 4 Enter a Name for the rule.

The Add/Edit Posture Validation Rule page for the specified rule appears, as shown in Figure 9-54.

Figure 9-54 Add/Edit Posture Validation Rule Page

Step 5 Choose the Required Credential Types.

Step 6 In the Select External Posture Validation Server section, select the policies, the server, or both that you want to map to this profile. To select a:

Posture Server, check the check box next to the server name.

Policy, check the check box next to the policy in the Failure Action column.

Step 7 Click Submit.

Step 8 Click Back to return to the Posture Validation policy.

Step 9 Click Apply + Restart.


Step 10: Map an Audit Server to a Profile

To add an external posture validation audit server to a profile:


Step 1 Choose Network Access Profiles.

Step 2 Click the Protocols link for the relevant profile.

The Protocols Settings page for that profile opens.

Step 3 Check the Allow Agentless Request Processing check box.

Step 4 Click Submit.

Step 5 Click the Posture Validation link for the same profile.

Step 6 Click Select Audit.

The Select External Posture Validation Audit Server page opens, as shown in Figure 9-55.

Figure 9-55 Select External Validation Audit Server Page

Step 7 Choose the audit server to use.

Step 8 To specify a Fail Open configuration to use if the audit fails or times out:

a. Check the Do not reject when Audit failed check box.

b. From the Use this Posture Token when unable to retrieve posture data drop-down list, choose the posture token to apply if the audit fails.

c. Enter a timeout value in seconds.

d. If you want to specify a user group to which to assign the supplicant if the audit fails, check the Assign a User Group check box and then, from the Assign a User Group drop-down list, choose a user group.

Because every host whose audit fails or times out receives this token and user group without having been checked, choose a token and group that grant only the access you are willing to give an unaudited host.

Step 9 Click Submit.

Step 10 Click Done.

Step 11 Click Apply and Restart.


Step 11 (Optional): Configure GAME Group Feedback

If you want ACS to assign agentless hosts to user groups according to the device type that the audit server reports, configure Generic Authorization Message Exchange (GAME) group feedback.

To configure GAME group feedback:


Step 1 Import an audit vendor file by using CSUtil.

See Import an Audit Vendor File by Using CSUtil for details.

Step 2 Import a device-type attribute file by using CSUtil.

See Import a Device-Type Attribute File by Using CSUtil for details.

Step 3 Import NAC attribute-value pairs.

See Import NAC Attribute-Value Pairs for details.

Step 4 Configure database support for agentless host processing.

The database that you use can be an external LDAP database (preferred) or the ACS internal database. See Configure Database Support for Agentless Host Processing for details.

Step 5 Enable Posture Validation.

See Enable Posture Validation for details.

Step 6 Configure an external audit server.

See Configure an External Audit Server for details.

Step 7 Enable GAME group feedback.

To enable GAME group feedback, in the external audit server posture validation setup section, configure:

Which hosts are audited

GAME group feedback

Device-type retrieval and mapping for vendors who have a device attribute in the RADIUS dictionary

See Enable GAME Group Feedback for details.

Step 8 Set up a device group policy.

See Enable GAME Group Feedback for details.


Import an Audit Vendor File by Using CSUtil

For information on importing an audit vendor file by using CSUtil, see the "Adding a Custom RADIUS Vendor and VSA Set" section in Appendix D of the User Guide for Cisco Secure Access Control Server 4.2, "CSUtil Database Utility."

Import a Device-Type Attribute File by Using CSUtil

Before you can configure GAME group feedback, you must import an attribute file that contains a device-type attribute.

The format of the text file that defines a device-type attribute is:

[attr#0]
vendor-id=<the vendor identifier number>
vendor-name=<the name of the vendor>
application-id=6
application-name=Audit
attribute-id=00012
attribute-name=Device-Type
attribute-profile=in out
attribute-type=string

To import the file:


Step 1 Save the text file that sets up the device-type attribute in an appropriate directory.

Step 2 Open a DOS command window.

Step 3 Enter:

CSUtil -addAVP <device-type filename> 

where device-type filename is the name of the text file that contains the device-type attribute.

Step 4 Restart ACS:

a. In the navigation bar, click System Configuration.

b. Click Service Control.

c. Click Restart.


Import NAC Attribute-Value Pairs

To import NAC attribute-value pairs:


Step 1 Use a text editor to create a NAC attribute-value pairs file.

Step 2 Import the file by using CSUtil. Then:

a. Start a DOS command window.

b. Enter:

CSUtil -addAVP <NAC AV-pair filename>

where NAC AV-pair filename is the name of the text file that contains the NAC attribute-value pairs.

Step 3 Restart ACS:

a. In the navigation bar, click System Configuration.

b. Click Service Control.

c. Click Restart.


Configure Database Support for Agentless Host Processing

The database that you use can be an external LDAP database (preferred) or the ACS internal database.

For information on configuring database support for agentless host processing, see Step 4: Configure LDAP Support for MAB.

Enable Posture Validation

You must enable posture validation in two places:

The Global Authentication Setup page, as part of the configuration for PEAP.

The EAP Configuration section of the Protocols page for the NAP that enables agentless host support.

Configure an External Audit Server

For detailed instructions on configuring an external audit server, see Configure External Posture Validation Policies.

Configure an External Posture Validation Audit Server

A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture validation of the agentless hosts to an audit server. The audit server determines the posture credentials of a host without relying on the presence of a posture agent (PA) on the host.

Configuring an external audit server involves two stages:

Adding the posture attribute to the ACS internal dictionary.

Configuring an external posture validation server (audit server).

Add the Posture Attribute to the ACS Dictionary

Before you can create an external posture validation server, you must add one or more vendor attributes to the ACS internal data dictionary. To do this, you use the bin\CSUtil tool, which is located in the ACS installation directory.

To add the posture attributes:


Step 1 Create a text file in the \Utils directory with the following format:

[attr#0]
vendor-id=[your vendor id]
vendor-name=[the name of your company]
application-id=6
application-name=Audit
attribute-id=00003
attribute-name=Dummy-attr
attribute-profile=out
attribute-type=unsigned integer

Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned enterprise number for the vendor; it is the first section of the posture token attribute name, which begins [vendor]:6:

Step 2 To install the attributes specified in the text file:

a. Open a DOS command window.

b. Enter the following command:

\<ACS_Install_Dir>\bin\CSUtil -addAVP [file_name]

where ACS_Install_Dir is the name of the ACS installation directory and file_name is the name of the text file that contains vendor attributes.

Step 3 Restart the CSAdmin, CSLog, and CSAuth services.

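The following is an added example, not part of the Cisco guide and not part of CSUtil. It checks an attribute file of the format shown above (and the device-type file shown under Import a Device-Type Attribute File by Using CSUtil) before you run CSUtil -addAVP, so that a misspelled key or a malformed value is caught offline instead of after the service restart. The required keys and the values in and out, in out, string, unsigned integer, and application-id 6 for Audit are taken from the two file formats in this guide; the assumption that CSUtil may accept further attribute types, the vendor-id 9 / Cisco placeholder in the sample, and the check semantics themselves are the example's own.

```python
# Added example (not from the Cisco guide, not part of CSUtil): validates a CSUtil
# -addAVP attribute file before import. Keys and accepted values come from the two
# file formats shown in the guide; everything else is this example's own assumption.
import re

REQUIRED_KEYS = (
    "vendor-id", "vendor-name", "application-id", "application-name",
    "attribute-id", "attribute-name", "attribute-profile", "attribute-type",
)
ALLOWED_PROFILES = {"in", "out", "in out"}
# The two attribute types that appear in this guide. ASSUMPTION: CSUtil may accept
# others, so an unlisted type is reported for review rather than treated as fatal.
KNOWN_TYPES = {"string", "unsigned integer"}
SECTION_RE = re.compile(r"^\[attr#(\d+)\]$")


def parse_avp_file(text: str) -> list:
    """Return [(section_index, {key: value}), ...], one entry per [attr#N] section."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = {}
            sections.append((int(header.group(1)), current))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected [attr#N] header or key=value, got {line!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def validate_avp_file(text: str) -> list:
    """Return a list of problem strings; an empty list means the file looks importable."""
    try:
        sections = parse_avp_file(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not sections:
        problems.append("no [attr#N] section found")
    for index, attrs in sections:
        tag = f"[attr#{index}]"
        for key in attrs:
            if key not in REQUIRED_KEYS:
                problems.append(f"{tag}: unknown key {key!r} (misspelled?)")
        for key in REQUIRED_KEYS:
            if key not in attrs:
                problems.append(f"{tag}: missing {key}")
        if "vendor-id" in attrs and not attrs["vendor-id"].isdigit():
            problems.append(f"{tag}: vendor-id must be the numeric IANA enterprise number")
        if "attribute-id" in attrs and not attrs["attribute-id"].isdigit():
            problems.append(f"{tag}: attribute-id must be numeric")
        if attrs.get("application-id") == "6" and attrs.get("application-name") != "Audit":
            problems.append(f"{tag}: application-id 6 is the Audit application; application-name should be Audit")
        if "attribute-profile" in attrs and attrs["attribute-profile"] not in ALLOWED_PROFILES:
            problems.append(f"{tag}: attribute-profile must be one of {sorted(ALLOWED_PROFILES)}")
        if "attribute-type" in attrs and attrs["attribute-type"] not in KNOWN_TYPES:
            problems.append(f"{tag}: unrecognised attribute-type {attrs['attribute-type']!r}; check before importing")
    return problems


# Constructed sample: the guide's device-type file with placeholder vendor values.
DEVICE_TYPE_FILE = """\
[attr#0]
vendor-id=9
vendor-name=Cisco
application-id=6
application-name=Audit
attribute-id=00012
attribute-name=Device-Type
attribute-profile=in out
attribute-type=string
"""

# The same file with the key misspelled as "atribute-type": the type would silently go unread.
TYPO_FILE = DEVICE_TYPE_FILE.replace("attribute-type=", "atribute-type=")


if __name__ == "__main__":
    for name, text in (("device-type", DEVICE_TYPE_FILE), ("typo", TYPO_FILE)):
        print(name, validate_avp_file(text) or "OK")
```

Run the validator on the file you are about to import; the misspelled-key check is the one that pays for itself most often, because a key CSUtil does not recognise is simply not the key you meant, and the attribute then imports without that property.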

Configure the External Posture Validation Audit Server

You can configure an audit server once, and then use it for other profiles.

To configure an audit server:


Step 1 In the Posture Validation Components Setup page, click External Posture Validation Audit Setup.

Step 2 Click Add Server.

The External Posture Validation Audit Server Setup page appears, as shown in Figure 9-56.

Figure 9-56 External Posture Validation Audit Server Setup Page

Step 3 To configure the audit server:

a. Enter a Name and Description (optional).

b. In the Which Hosts Are Audited section, choose what hosts you want to audit. You can enter the host IP or MAC addresses for the hosts that you want to audit or for a host that you do not want to audit.

c. For the hosts that will not be audited, choose a posture token from the drop-down list.

d. Scroll down to the Use These Audit Servers section.

Figure 9-57 shows the Use These Audit Servers section of the External Posture Validation Server Setup page.

Figure 9-57 Use These Audit Servers Section

e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password.

Figure 9-58 shows the Audit Flow Settings and the GAME Group Feedback section.

Figure 9-58 Audit Flow Settings and GAME Group Feedback Sections

f. If required, in the Audit Flow Setting section, set the audit-flow parameters.

g. If you are configuring GAME group feedback to support agentless host configuration in the NAC environment, configure the settings in the GAME Group Feedback section.

For information on configuring GAME Group Feedback settings, see Enable GAME Group Feedback.

h. Click Submit.


Enable GAME Group Feedback

To enable GAME group feedback:


Step 1 On the External Posture Validation Audit Server Setup page, in the GAME Group Feedback section, check the Request Device Type from Audit Server check box.

If this check box is not available, define an audit-device type attribute for the vendor in the internal ACS dictionary.

ACS for Windows:

With ACS for Windows, you use the CSUtil command. For detailed information, see

Posture Validation Attributes in the User Guide for Cisco Secure ACS 4.2.

ACS Solution Engine:

With ACS Solution Engine, you use the NAC Attributes Management page in the web interface. For more information, see NAC Attribute Management (ACS Solution Engine Only) in the User Guide for Cisco Secure ACS 4.2.

Step 2 If you want to configure a default destination group that ACS uses if the audit server does not return a device type, check the Assign This Group if Audit Server Did not Return a Device-Type check box.

You should now add entries to the group assignment table. The group assignment table is a list of rules that set conditions that determine the user group to which to assign a particular device type that the audit server returns.

Step 3 Click Add to display the group assignment table and add a device-type feedback rule.

The group assignment table appears, as shown in Figure 9-59.

Figure 9-59 GAME Group Feedback Section with Group Assignment Table

Step 4 In the group assignment table, specify:

User Group—Lists all user groups, including Any. The user group that the agentless host (MAC) authentication assigned to the host is compared with this value; Any matches every group.

Match Condition—Valid values for the operator are:

match-all

=

!=

contains

starts-with

regular-expression

Device Type—Defines the comparison criteria for the User Group by using an operator and device type. Valid values for the device type drop-down list include:

Printer

IP Phone

Network Infrastructure

Wireless Access Point

Windows

UNIX

Mac

Integrated Device

PDA

Unknown


Note Type a device type in the text box if the device type drop-down list does not contain a particular device.


Assign User Group—A drop-down list of administrator-defined user groups. If both the User Group comparison and the Device Type condition succeed, ACS assigns this user group.

Step 5 To add additional policies, click Add.

Step 6 To delete a policy, highlight the policy and click Delete.

Step 7 To move the policies up and down in the group assignment table, click the Up and Down buttons.

Step 8 When you finish setting up policies for group assignment, click Submit.

Step 9 Click Apply and Restart.
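The following is an added example, not code from the Cisco guide or from ACS. It evaluates a group assignment table of the shape described in Steps 4 through 7 above (User Group, Match Condition, Device Type, Assign User Group) against the device type an audit server returned, including the default-group case from Step 2. The table rows, group names and device types are constructed; the assumptions that rows are evaluated top to bottom with the first match winning (which is why the Up and Down ordering in Step 7 matters), that a host keeps its existing group when no row matches, and that regular-expression uses search rather than full-match semantics are the example's own.

```python
# Added example (not from the Cisco guide): evaluates a GAME group assignment table
# against the device type an audit server returned.
# ASSUMPTIONS: rows are evaluated top to bottom and the first matching row wins;
# when no row matches, the host keeps the user group it already had; a
# regular-expression condition matches anywhere in the string unless anchored.
import re
from typing import Optional

OPERATORS = {
    "match-all": lambda expected, device: True,
    "=": lambda expected, device: device == expected,
    "!=": lambda expected, device: device != expected,
    "contains": lambda expected, device: expected in device,
    "starts-with": lambda expected, device: device.startswith(expected),
    "regular-expression": lambda expected, device: re.search(expected, device) is not None,
}


def condition_matches(op: str, expected: str, device_type: str) -> bool:
    """Apply one Match Condition operator to the returned device type."""
    if op not in OPERATORS:
        raise ValueError(f"unknown match condition {op!r}")
    return OPERATORS[op](expected, device_type)


def assign_group(table, current_group: str, device_type: Optional[str],
                 default_group: Optional[str] = None) -> str:
    """table rows: (User Group or 'Any', Match Condition, Device Type, Assign User Group).
    current_group is the group the agentless (MAC) authentication already assigned."""
    if device_type is None:
        # "Assign This Group if Audit Server Did not Return a Device-Type"
        return default_group if default_group else current_group
    for user_group, op, expected, target in table:
        if user_group != "Any" and user_group != current_group:
            continue
        if condition_matches(op, expected, device_type):
            return target
    return current_group  # no row matched (assumption: group unchanged)


# Constructed table: specific rows first, a match-all catch-all last.
TABLE = (
    ("Any", "=", "Printer", "Printers"),
    ("Any", "starts-with", "IP Phone", "Voice-Devices"),
    ("Contractors", "regular-expression", r"^(Windows|Mac|UNIX)$", "Contractor-Workstations"),
    ("Any", "match-all", "", "Unknown-Device-Quarantine"),
)


if __name__ == "__main__":
    for group, device in (("Agentless", "Printer"), ("Contractors", "Windows"),
                          ("Employees", "Windows"), ("Agentless", None)):
        print(group, device, "->", assign_group(TABLE, group, device, default_group="Agentless-Default"))
```

Two ordering effects are worth checking in your own table with this kind of evaluation: a match-all row placed above the specific rows would swallow every device, and without a catch-all row at the bottom a device type you did not anticipate silently keeps the group that MAC authentication gave it. Anchor regular expressions (as the Contractors row does) so that a returned device type such as Windows-lookalike cannot match a rule written for Windows.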