User Guide for the Cisco Secure Access Control System 5.0
Managing Network Resources

Table Of Contents

Managing Network Resources

Network Device Groups

Creating, Duplicating, and Editing Network Device Groups

Deleting Network Device Groups

Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy

Deleting Network Device Groups from a Hierarchy

Network Devices and AAA Clients

Viewing and Importing Network Devices

Importing Network Resources and Users

Creating, Duplicating, and Editing Network Devices

Configuring Network Device and AAA Clients

Displaying Network Device Properties

Deleting Network Devices

Configuring External Policy Servers

Creating External Policy Servers

Deleting External Policy Servers


Managing Network Resources


You use the Network Resources drawer to define, in the device repository, all network devices (the AAA clients that send authentication and authorization requests to ACS).

When ACS receives a request from a network device (for example, an authentication request for a user connecting through that device), it searches the network device repository for an entry whose IP address or subnet contains the source address of the request. ACS then validates the request with the shared secret stored in the matching device definition; only if the secret matches are the network device groups associated with that device retrieved for use in policy decisions. See ACS 5.0 Policy Model for more information on policy decisions.

The Network Resources drawer contains:

Network Device Groups

Network Devices and AAA Clients

Configuring External Policy Servers

Network Device Groups

In ACS you can define network device groups (NDGs), which are sets of devices. NDGs provide logical groupings of devices, for example by location or device type, which you can use in policy conditions. When ACS receives a request from a device, the network device groups associated with that device are retrieved and compared against those in the policy table. With this method, you can group multiple devices and assign them the same policies. For example, you can group all devices in a specific location together and assign the same policy to them.

You can define up to 12 network device groups.

The Device Group Hierarchy is the hierarchical structure that contains the network device groups. Two of these, Location and Device Type, are predefined; you cannot change their names or delete them. You can add up to 10 additional hierarchies.

An NDG relates to any node in the hierarchy and is the entity to which devices are associated. These nodes can be any node within the hierarchy, not just leaf nodes.

To display NDGs, select Network Resources > Network Device Groups.

Creating, Duplicating, and Editing Network Device Groups


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a network device group:


Step 1 Select Network Resources > Network Device Groups.

The Network Device Groups page appears. If you have defined additional network device groups, they appear in the left navigation pane, beneath the Network Device Groups option, in alphabetical order.

Step 2 Do one of the following:

Click Create.

Check the check box next to the network device group that you want to duplicate, then click Duplicate.

Click the network device group name that you want to modify, or check the check box next to the name and click Edit.

The Device Groups - General page appears.

Step 3 Modify fields in the Device Groups - General page as described in Table 6-1:

Table 6-1 Device Groups - General Page Field Descriptions

Field
Description

Name

Enter a name for the network device group (NDG).

Description

(Optional) Enter a description for the NDG.

Parent

Enter the name of the parent associated with the NDG. The NDG is structured as an inverted tree, and the parent name is the name of the top of the tree. The parent name can be the same as the NDG name. The parent name is displayed when you click on an NDG in the Network Resources drawer.


Step 4 Click Submit.

The network device group configuration is saved. The Network Device Groups page appears with the new network device group configuration.


Related Topics

Network Device Groups

Deleting Network Device Groups

Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy

Deleting Network Device Groups

To delete a network device group:


Step 1 Select Network Resources > Network Device Groups.

The Network Device Groups page appears.

Step 2 Check one or more check boxes next to the network device groups you want to delete, and click Delete.

The following confirmation message appears:

Are you sure you want to delete the selected item/items?

Step 3 Click OK.

The Network Device Groups page appears without the deleted network device groups.


Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy

You can arrange the network device group node hierarchy according to your needs by choosing parent and child relationships for new, duplicated, or edited network device group nodes. You can also delete network device group nodes from a hierarchy.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a network device group node within a hierarchy:


Step 1 Select Network Resources > Network Device Groups.

The Network Device Groups page appears.

Step 2 Click Location, Device Type, or another previously defined network device group hierarchy in which you want to create the new network device group node.

The Network Device Group hierarchy page appears.

Step 3 Do one of the following:

Click Create. If you click Create when you have a group selected, the new group becomes a child of the parent group you selected. You can move a parent and all its children around in the hierarchy by clicking Select from the Create screen.

Check the check box next to the network device group name that you want to duplicate, then click Duplicate.

Click the network device group name that you want to modify, or check the check box next to the name and click Edit.

The Device Groups - General page appears.

Step 4 Modify fields in the Device Groups - General page as shown in Table 6-2:

Table 6-2 Device Groups - General Page Field Descriptions

Field
Description

Name

Enter a name for the network device group.

Description

(Optional) Enter a description for the network device group.

Parent

Enter the name of the parent associated with the NDG. The NDG is structured as an inverted tree, and the parent name is the name of the top of the tree. Click Select to open the Groups dialog box from which you can select the appropriate parent for the group.


Step 5 Click Submit.

The new configuration for network device group is saved. The Network Device Groups hierarchy page appears with the new network device group configuration.


Deleting Network Device Groups from a Hierarchy

To delete a network device group from within a hierarchy:


Step 1 Select Network Resources > Network Device Groups.

The Network Device Groups page appears.

Step 2 Click Location, Device Type, or another previously defined network device group in which you want to edit a network device group node.

The Network Device Groups node hierarchy page appears.

Step 3 Select the nodes that you want to delete and click Delete.

The following confirmation message appears:

Are you sure you want to delete the selected item/items?

Step 4 Click OK.

The network device group node is removed from the configuration. The Network Device Groups hierarchy page appears without the device group node you deleted.


Network Devices and AAA Clients

You must define in the ACS device repository all devices that access the network. A network device definition can be associated with a specific IP address or with a subnet (address and mask), in which case all IP addresses within the subnet are accepted as that device. The device definition includes the association of the device to network device groups (NDGs). You also configure whether the device uses TACACS+ or RADIUS, and whether it is a TrustSec device.

You can import devices with their configurations into the network devices repository.

When ACS receives a request, it searches the network device repository for a device with a matching IP address; then ACS compares the secret or password information against that which was retrieved from the network device definition. If the information matches, the NDGs associated with the device are retrieved and can be used in policy decisions.
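The lookup described above and in the chapter introduction (match the request's source address against the device definitions' IP / Mask entries, then check the shared secret, then hand the device's NDGs to policy) can be made concrete with a short RADIUS example. The following is added example code, not ACS code or a description of its internals: the device repository, names, secrets and NDG values are constructed, and the shared-secret check is done by verifying the RFC 2869 Message-Authenticator attribute (HMAC-MD5 keyed with the secret), which is one of the ways a RADIUS server can confirm the client holds the configured secret.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed device repository (hypothetical names, secrets and NDG values), mirroring the
# IP / Mask field: a definition may carry single addresses and/or subnets, and is tied to NDGs.
DEVICE_REPOSITORY = [
    {"name": "core-sw-01", "ip_masks": ["10.1.0.10"], "secret": b"C0re-Secret!",
     "ndg": {"Location": "HQ", "Device Type": "Switch"}},
    {"name": "branch-routers", "ip_masks": ["10.20.0.0/24"], "secret": b"Br4nch-Secret",
     "ndg": {"Location": "Branch", "Device Type": "Router"}},
]

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def lookup_device(source_ip):
    """Find the device definition whose IP / Mask entries contain source_ip.
    The most specific match (longest prefix) wins; None if no definition matches."""
    addr = ipaddress.ip_address(source_ip)
    best, best_len = None, -1
    for dev in DEVICE_REPOSITORY:
        for entry in dev["ip_masks"]:
            net = ipaddress.ip_network(entry, strict=False)  # "10.1.0.10" becomes 10.1.0.10/32
            if addr in net and net.prefixlen > best_len:
                best, best_len = dev, net.prefixlen
    return best


def _attr(attr_type, value):
    # RADIUS attribute: Type(1) Length(1) Value; Length counts the two header bytes.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, nas_ip):
    """AAA-client side: an Access-Request carrying a Message-Authenticator (RFC 2869, 5.14):
    HMAC-MD5 keyed with the shared secret over the whole packet, computed while the
    attribute's own 16 value bytes are zero."""
    authenticator = os.urandom(16)  # Request Authenticator
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed))
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def _parse_attrs(packet):
    # Yields (type, offset of the attribute, value) for each attribute after the 20-byte header.
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute length")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the secret from the device definition and compare
    in constant time. A packet without a Message-Authenticator cannot be checked this way."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, pos, value in _parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def authenticate_aaa_client(source_ip, packet):
    """The sequence the text describes: match the source IP against the repository, then
    check the shared secret. Returns (accepted, detail, ndgs_for_policy)."""
    dev = lookup_device(source_ip)
    if dev is None:
        return False, "unknown AAA client: no IP / Mask entry contains %s" % source_ip, None
    if not verify_message_authenticator(packet, dev["secret"]):
        return False, "shared secret mismatch for device %s" % dev["name"], None
    return True, dev["name"], dev["ndg"]


if __name__ == "__main__":
    good = build_access_request(b"Br4nch-Secret", 7, "alice", "10.20.0.77")
    print(authenticate_aaa_client("10.20.0.77", good))
    bad = build_access_request(b"wrong", 7, "alice", "10.20.0.77")
    print(authenticate_aaa_client("10.20.0.77", bad))
    print(authenticate_aaa_client("192.0.2.1", good))
```

Two points the example makes visible: a request from an address with no IP / Mask match is refused before any secret is consulted, and a subnet entry means every host in that subnet that knows the secret is accepted as the same device definition (and therefore inherits its NDGs), which is why subnet entries should be kept as narrow as the addressing allows.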

Viewing and Importing Network Devices

You can view the network devices and AAA clients. These are the devices that send access requests to ACS, via TACACS+ or RADIUS.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To view and import network devices:


Step 1 Select Network Resources > Network Devices and AAA Clients.

The Network Device page appears, with any configured network devices listed.

Step 2 Review the Network Device page fields, which are described in Table 6-3:

Table 6-3 Network Device Page Field Descriptions

Option
Description

Name

The user-specified name of network devices in ACS. Click a name to edit the associated network device (see Displaying Network Device Properties).

IP / Mask

Display only. The IP addresses or subnets (address and mask) of each network device. The first three entries appear in the field, each separated by a comma (,).

If an entry contains a subnet mask, all IP addresses within that subnet are accepted as this network device and are associated with the network device definition.

NDG: <string>

The network device group. The two predefined NDGs are Location and Device Type. If you have defined additional network device groups, they are listed here as well.

RADIUS

Display only. Specifies whether network devices use the RADIUS protocol for authentication.

TACACS+

Display only. Specifies whether network devices use the Cisco IOS TACACS+ protocol for authentication.

TrustSec

Display only. This column appears only when the Cisco TrustSec feature is enabled. It specifies whether network devices use TrustSec functionality.

Description

Display only. Descriptions of the network devices.


Step 3 Click:

Create to create a new network device. See Creating, Duplicating, and Editing Network Devices.

Import to import a CSV file containing up to 500 network devices at one time. See Importing Network Resources and Users for more information.


Related Topics:

Importing Network Resources and Users

Creating, Duplicating, and Editing Network Devices

Filtering, page 18-9

Importing Network Resources and Users

You can use the bulk import function to import configurations of these types to your database:

Internal users

Internal hosts

Network devices


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Click the Start Import button on the Users, Network Devices, and MAC Address pages of the web interface.

The Configure Import window appears.

Step 2 Select which method to use to import configuration data:

Click Browse if you have a previously created template-based .csv file on your hard drive that you want to import. Browse to the .csv file you want to import and click Start.

Click Download Template to open or download a .csv template file. Add the data you want to import to the .csv file and save it to your hard drive. Click Browse and navigate to your .csv file and click Start.

Within the .csv file, you must adhere to these requirements:

Do not alter the contents of the first record (the first line, or row, of the .csv file).

Each record must be contained on a single line.

No new-line characters can be embedded in any fields.

Do not exceed 500 records per .csv file.

For non-English languages, the .csv file must be saved in UTF-8 encoding.


Note Use the Download Template function to ensure that your .csv file adheres to the requirements. The .csv templates for users, internal hosts, and network devices are specific to their type; for example, you cannot use a downloaded template accessed from the Users page to import internal hosts or network devices.


The Configure Import window closes upon successful upload of your .csv file and the Import Progress secondary window appears.

Step 3 Use the Import Progress to monitor the bulk import success. Data transfer failures of any records within your .csv file are displayed.


Note You can click the Abort button to stop importing data that is underway; however, the data that successfully transferred is not removed from your database.


When the import completes, the Save Log button is enabled.

Step 4 Click Save Log to save the import log, which records the result for each record in the .csv file.

Step 5 Click OK to close the Import Progress window.


Note You can submit only one .csv file to the system at one time. If an import is underway, an additional import cannot succeed until the original import is complete.
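Because a rejected record is only reported after the upload has started (and records that were already accepted stay in the database even if you abort), it is worth checking the file against the rules listed above before submitting it. The following is an added example, not part of ACS or of this guide: it checks a bulk-import file for a changed header, embedded new-lines, a wrong field count, more than 500 records and non-UTF-8 content. The template header is passed in as a parameter; the column names in the constructed sample are hypothetical, so always compare against the template you actually downloaded for that object type.

```python
import csv

MAX_RECORDS = 500  # limit stated for a single .csv import


def validate_import_csv(raw, template_header):
    """Check a bulk-import file against the rules in this section before uploading it.

    raw: the file contents as bytes (as read from disk).
    template_header: the first line of the template downloaded for this object type.
    Returns a list of human-readable problems; an empty list means the file passed."""
    problems = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return ["file is not valid UTF-8 (first bad byte at offset %d)" % exc.start]
    text = text.lstrip("\ufeff")  # tolerate the BOM some spreadsheet tools prepend
    lines = text.splitlines()
    if not lines:
        return ["file is empty"]
    if lines[0].strip() != template_header.strip():
        problems.append("first record does not match the downloaded template header")
    expected_cols = len(next(csv.reader([template_header])))
    records = [(n, ln) for n, ln in enumerate(lines[1:], start=2) if ln.strip()]
    if len(records) > MAX_RECORDS:
        problems.append("%d records exceed the limit of %d per file" % (len(records), MAX_RECORDS))
    # Parse each physical line as one record. A quoted field that contained a new-line has been
    # split across two lines by splitlines(), so each half carries an unbalanced quote.
    for n, line in records:
        if line.count('"') % 2:
            problems.append("line %d: unbalanced quote, the record probably spans several lines" % n)
            continue
        row = next(csv.reader([line]))
        if len(row) != expected_cols:
            problems.append("line %d: %d fields, expected %d" % (n, len(row), expected_cols))
    return problems


# Constructed sample data (hypothetical column names, not the real ACS template).
TEMPLATE_HEADER = "Name,Description,Location,Device Type,IP Address,RADIUS Shared Secret"
GOOD_CSV = (TEMPLATE_HEADER + "\n"
            "core-sw-01,Core switch,HQ,Switch,10.1.0.10,C0re-Secret!\n"
            "branch-rtr-01,Branch router,Branch,Router,10.20.0.0/24,Br4nch-Secret\n").encode("utf-8")
# The description field below contains a new-line, which the import rules forbid.
BAD_CSV = (TEMPLATE_HEADER + "\n"
           'branch-rtr-02,"Branch\nrouter",Branch,Router,10.20.0.5,x\n').encode("utf-8")

if __name__ == "__main__":
    print(validate_import_csv(GOOD_CSV, TEMPLATE_HEADER))
    print(validate_import_csv(BAD_CSV, TEMPLATE_HEADER))
```

Run it against each file you intend to import; anything it reports is a record ACS would otherwise reject partway through the import, after the preceding records have already been committed.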



Creating, Duplicating, and Editing Network Devices

You can use the bulk import feature to import up to 500 network devices at a time; see Importing Network Resources and Users for more information. Alternatively, you can use the procedure described in this topic to create network devices.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a network device:


Step 1 Select Network Resources > Network Devices and AAA Clients.

The Network Devices page appears, with a list of your configured network devices, if any.

Step 2 Do one of the following:

Click Create.

Check the check box next to the network device name that you want to duplicate, then click Duplicate.

Click the network device name that you want to modify, or check the check box next to the name and click Edit.

The first page of the Create Network Device process appears if you are creating a new network device. The Network Device Properties page for the selected device appears if you are duplicating or editing a network device.

Step 3 Modify the fields as required. For field descriptions, see Configuring Network Device and AAA Clients.

Step 4 Click Submit.

Your new network device configuration is saved. The Network Devices page appears, with your new network device configuration listed.


Related Topics

Viewing and Importing Network Devices

Configuring Network Device and AAA Clients

Configuring Network Device and AAA Clients

To display this page, select Network Resources > Network Devices and AAA Clients, then click Create.

Table 6-4 Creating Network Devices and AAA Clients 

Option
Description
General

Name

The name of the network device. If you are duplicating a network device, you must enter a unique name as a minimum configuration; all other fields are optional.

Description

The description of the network device.

Network Device Groups 1

Location

Click Select to display the Network Device Groups selection box. Click the radio button next to the Location network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups for information about creating network device groups.

Device Type

Click Select to display the Network Device Groups selection box. Click the radio button next to the Device Type network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups for information about creating network device groups.

IP Address

IP

The IP addresses and subnet masks associated with the network device. Select to enter a single IP address or to define a range.

IP / Mask

For a single IP address, enter the address in the IP field, and click Single IP Address.

For an IP address range, click IP Range(s). You can configure up to 40 IP addresses or subnets (address and mask) for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet are permitted to access the network and are associated with the network device definition. Because any host in that subnet that knows the shared secret is then accepted as this device, keep subnets as narrow as your addressing allows.

The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses.

Note A mask is needed only when you want to define an IP address range. You cannot use an asterisk (*) as a wildcard.

Authentication Options

TACACS+

Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device.

You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.

TACACS+ Shared Secret

The shared secret of the network device, if you enabled the TACACS+ protocol.

A shared secret is a string of text configured identically on the network device and in ACS. It is never sent on the wire; TACACS+ uses it to obfuscate the packet body, so ACS cannot decode requests from a device whose secret does not match its definition and rejects them.

Single Connect Device

Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:

Legacy TACACS+ Single Connect Support

TACACS+ Draft Compliant Single Connect Support

If you disable this option, a new TCP connection is used for every TACACS+ request.

RADIUS

Check to use the RADIUS protocol to authenticate communication to and from the network device.

RADIUS Shared Secret

The shared secret of the network device, if you have enabled the RADIUS protocol.

A shared secret is a string of text configured identically on the network device and in ACS. It is never sent on the wire; RADIUS uses it to hide the User-Password attribute, to compute the Response Authenticator and, when present, the Message-Authenticator attribute, so requests from a device whose secret does not match its definition are rejected.

TrustSec

Appears only when you enable the Cisco TrustSec feature. Check to use TrustSec functionality on the network device. If the network device is the seed device (first device in the TrustSec network), you must also check the RADIUS check box.

Identification

The name that will be used for TrustSec identification of this device. By default, you can use the configured device name. If you want to use another name, clear the Use device name for TrustSec identification check box, and enter the name in the Identification field.

Password

The TrustSec authentication password.

Advanced TrustSec Settings

Check to display additional TrustSec fields.

Other TrustSec devices to trust this device

Specifies whether all the device's peer devices trust this device. The default is checked, which means that the peer devices trust this device, and do not change the SGTs on packets arriving from this device.

If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT.

Download peer authorization policy every: Days Hours Minutes Seconds

Specifies the expiry time for the peer authorization policy. ACS returns this information to the device in the response to a peer policy request. The default is 1 day.

Download SGACL lists every: Days Hours Minutes Seconds

Specifies the expiry time for SGACL lists. ACS returns this information to the device in the response to a request for SGACL lists. The default is 1 day.

Download environment data every: Days Hours Minutes Seconds

Specifies the expiry time for environment data. ACS returns this information to the device in the response to a request for environment data. The default is 1 day.

Re-authentication every:

Specifies the 802.1X reauthentication period. ACS configures this for the supplicant and returns this information to the authenticator. The default is 1 day.

1 The Device Type and Location network device groups are predefined at installation. You can define an additional 10 network device groups. See Creating, Duplicating, and Editing Network Device Groups for information on how to define network device groups. If you have defined additional network device groups, they appear in the Network Device Groups page and in the Network Resources drawer in the left navigation pane, in alphabetical order.

Displaying Network Device Properties


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


Select Network Resources > Network Devices and AAA Clients, then click a device name or check the check box next to a device name, and click Edit or Duplicate.

The Network Devices and AAA Clients Properties page appears, displaying the information described in Table 6-5:

Table 6-5 Network Devices and AAA Clients Properties Page 

Option
Description

Name

The name of the network device. If you are duplicating a network device, you must enter a unique name as a minimum configuration; all other fields are optional.

Description

The description of the network device.

Network Device Groups 1

Device Type: Select

Click Select to display the Network Device Groups selection box. Click the radio button next to the device type network device group that you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups for information about creating network device groups.

Location: Select

Click Select to display the Network Device Groups selection box. Click the radio button next to the network device group you want to associate with the network device. See Creating, Duplicating, and Editing Network Device Groups for information about creating network device groups.

IP Address

IP Address

The IP addresses and subnet masks associated with the network device. Select to enter a single IP address or to define a range.

IP / Mask

For a single IP address, enter the address in the IP field, and click Single IP Address.

For an IP address range, click IP Range(s). You can configure up to 40 IP addresses or subnets (address and mask) for each network device. If you use a subnet mask in this field, all IP addresses within the specified subnet are permitted to access the network and are associated with the network device definition. Because any host in that subnet that knows the shared secret is then accepted as this device, keep subnets as narrow as your addressing allows.

The first six IP addresses appear in the field; use the scroll bar to see any additional configured IP addresses.

Authentication Options

TACACS+

Check to use the Cisco IOS TACACS+ protocol to authenticate communication to and from the network device.

You must use this option if the network device is a Cisco device-management application, such as Management Center for Firewalls. You should use this option when the network device is a Cisco access server, router, or firewall.

TACACS+ Shared Secret

The shared secret of the network device, if you enabled the TACACS+ protocol.

A shared secret is a string of text configured identically on the network device and in ACS. It is never sent on the wire; TACACS+ uses it to obfuscate the packet body, so ACS cannot decode requests from a device whose secret does not match its definition and rejects them.

Single Connect Device

Check to use a single TCP connection for all TACACS+ communication with the network device. Choose one:

Legacy TACACS+ Single Connect Support

TACACS+ Draft Compliant Single Connect Support

If you disable this option, a new TCP connection is used for every TACACS+ request.

RADIUS

Check to use the RADIUS protocol to authenticate communication to and from the network device.

RADIUS Shared Secret

The shared secret of the network device, if you have enabled the RADIUS protocol.

A shared secret is a string of text configured identically on the network device and in ACS. It is never sent on the wire; RADIUS uses it to hide the User-Password attribute, to compute the Response Authenticator and, when present, the Message-Authenticator attribute, so requests from a device whose secret does not match its definition are rejected.

TrustSec

Appears only when you enable the Cisco TrustSec feature. Check to use TrustSec functionality on the network device. If the network device is the seed device (first device in the TrustSec network), you must also check the RADIUS check box.

Identification

The name that will be used for TrustSec identification of this device. By default, you can use the configured device name. If you want to use another name, clear the Use device name for TrustSec identification check box, and enter the name in the Identification field.

Password

The TrustSec authentication password.

Advanced TrustSec Settings

Check to display additional TrustSec fields.

Other TrustSec devices to trust this device

Specifies whether all the device's peer devices trust this device. The default is checked, which means that the peer devices trust this device, and do not change the SGTs on packets arriving from this device.

If you uncheck the check box, the peer devices repaint packets from this device with the related peer SGT.

Download peer authorization policy every: Days Hours Minutes Seconds

Specifies the expiry time for the peer authorization policy. ACS returns this information to the device in the response to a peer policy request. The default is 1 day.

Download SGACL lists every: Days Hours Minutes Seconds

Specifies the expiry time for SGACL lists. ACS returns this information to the device in the response to a request for SGACL lists. The default is 1 day.

Download environment data every: Days Hours Minutes Seconds

Specifies the expiry time for environment data. ACS returns this information to the device in the response to a request for environment data. The default is 1 day.

Re-authentication every:

Specifies the 802.1X reauthentication period. ACS configures this for the supplicant and returns this information to the authenticator. The default is 1 day.

1 The Device Type and Location network device groups are predefined at installation. You can define an additional 10 network device groups. See Creating, Duplicating, and Editing Network Device Groups for information on how to define network device groups. If you have defined additional network device groups, they appear in the Network Device Groups page and in the Network Resources drawer in the left navigation pane, in alphabetical order.


Related Topics:

Viewing and Importing Network Devices

Creating, Duplicating, and Editing Network Device Groups

Deleting Network Devices

To delete a network device:


Step 1 Select Network Resources > Network Devices and AAA Clients.

The Network Devices page appears, with a list of your configured network devices.

Step 2 Check one or more check boxes next to the network devices you want to delete.

Step 3 Click Delete.

The following confirmation message appears:

Are you sure you want to delete the selected item/items?

Step 4 Click OK.

The Network Devices page appears, without the deleted network devices listed. The network device is removed from the device repository.


Configuring External Policy Servers

External policy servers are Cisco and third-party servers that return policy attributes about a user or machine, for example the Cisco NAC Appliance - Clean Access Manager. You can configure an external policy check to consult with a specified external policy server. You cannot define a failover server; failover needs to be handled by the server's own high availability functionality. The external policy server interoperates only with CCA, not with MS NPS.

The connection to the server is over HTTP or HTTPS and each server connection definition contains a timeout configuration. The value of this option is the number of seconds ACS will wait for a response from the server.

After you configure your external policy server, you can use it as a result of the external policy check policy. See Configuring an External Policy Check Policy, page 9-28.

This section contains the following topics:

Creating External Policy Servers

Deleting External Policy Servers

Creating External Policy Servers

ACS can interact with external policy servers such as the Cisco NAC Appliance - Clean Access Manager. These servers are used to acquire the following additional attributes for your authorization policy decision:

NACRadiusPolicyStatus—Specifies whether the host or user complies with NAC policy.

NACRadiusRole—Specifies a role value assigned to the host or user by the NAC appliance.

NACRadiusIsUserAuthenticated—Specifies whether the NAC appliance authenticated the user.

NACRadiusUserName—Specifies the user name the NAC appliance used to authenticate the user.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit an external policy server:


Step 1 Select Network Resources > External Policy Servers.

The External Policy Servers page appears with a list of configured servers.

Step 2 Do one of the following:

Click Create.

Check the check box next to the external policy server that you want to duplicate, then click Duplicate.

Click the external policy server name that you want to modify, or check the check box next to the name and click Edit.

The External Policy Servers page appears.

Step 3 Modify fields in the External Policy Servers page as shown in Table 6-6:

Table 6-6 External Policy Server Page Field Descriptions

Option
Description
General

Name

Name of the external policy server.

Description

(Optional) The description of the external policy server.

Server Details

URL

URL of the external policy server.

HTTPS Trusted Root CA

If the URL begins with https://, select a trusted root certificate authority from the drop-down list box. This certificate is configured in Users and Identity Stores > Certificate Authorities and is used to validate the certificate that the external policy server presents. ACS and the server exchange certificates during the SSL handshake, so you also need to configure an ACS client certificate to be used for HTTPS at System Administration > Configuration > Local Server Certificates > Local Certificates.

Server Timeout

Number of seconds ACS will wait for a response from the external policy server.

Maximum Connections

Number of concurrent connections for the external policy server.


Step 4 Click Submit to save changes.

The external policy server configuration is saved. The External Policy Server page appears with the new configuration.


Related Topics:

Creating an Access Service for Host Lookup, page 4-15

ACS and NAC RADIUS, page 4-17

Deleting External Policy Servers

To delete an external policy server:


Step 1 Select Network Resources > External Policy Servers.

The External Policy Servers page appears with a list of configured servers.

Step 2 Check one or more check boxes next to the external policy servers you want to delete, and click Delete.

The following confirmation message appears:

Are you sure you want to delete the selected item/items?

Step 3 Click OK.

The External Policy Servers page appears without the deleted server(s).

Step 4 Click Save Changes to save the new configuration.