User Guide for the Cisco Secure Access Control System 5.0
Managing Users and Identity Stores

Managing Users and Identity Stores

Table Of Contents

Managing Users and Identity Stores

Creating Identity Groups

Deleting an Identity Group

Managing Identity Attributes

Standard Attributes

Authentication Information

User-Defined Attributes

Managing Internal Identity Stores

Viewing and Importing Users to Internal Identity Stores

Creating Internal Users

Deleting Users from Internal Identity Stores

Viewing and Importing Hosts to Internal Identity Stores

Creating Hosts in Identity Stores

Deleting Internal Hosts

Managing External Identity Stores

LDAP Overview

Directory Service

Authentication Using LDAP

Multiple LDAP Instances

Failover

LDAP Connection Management

Authenticating a User Using a Bind Connection

Microsoft Active Directory

Creating External LDAP Identity Stores

Configuring an External LDAP Server Connection

Configuring External LDAP Directory Organization

Deleting External LDAP Identity Stores

Configuring LDAP Groups

Viewing LDAP Attributes

Configuring an AD Identity Store

Selecting Active Directory Group

Configuring Active Directory Attributes

Configuring CA Certificates

Adding a Certificate Authority

Editing a Certificate Authority

Deleting a Certificate Authority

Exporting a Certificate Authority

Configuring Certificate Authentication Profiles

Configuring Identity Store Sequences

Creating, Duplicating, and Editing Identity Store Sequences

Deleting Identity Store Sequences


Managing Users and Identity Stores


When a host connects to the network to use network resources, a network device identifies the new host and makes a request to ACS to authenticate and authorize the user. You manage network devices and other ACS clients by using the ACS network resource repositories, and ACS internal identity stores or external identity stores.

You can define users in ACS (internal users). If you define internal users, you associate each user with an identity group, a description (optional), a password, an enable password (optional), and internal user attributes. ACS 5.0 supports authentication for internal users against the internal database only.

Internal users are defined by two components: fixed and configurable. Fixed components are:

Name

Description

Password

Enabled or disabled status

Identity group to which they belong

Configurable components are:

Enable password for TACACS+ authentication

Sets of identity attributes that determine how the user definition is displayed and entered

Cisco recommends that you configure identity attributes before you create users. When identity attributes are configured:

You can enter the corresponding values as part of a user definition.

They are available for use in policy decisions when the user authenticates.

They can be used to populate the values returned for RADIUS attributes in an authorization profile.

Internal user identity attributes are applied to the user for the duration of the user's session.

Internal identity stores contain the internal user attributes and credential information used to authenticate internal users.

External identity stores are external databases on which to perform credential and authentication validations for internal and external users. External identity stores also include certificate information for the ACS server certificate and certificate authentication profiles.

This section contains the following topics:

Creating Identity Groups

Managing Identity Attributes

Managing Internal Identity Stores

Managing External Identity Stores

Configuring CA Certificates

Configuring Certificate Authentication Profiles

Configuring Identity Store Sequences

Creating Identity Groups

You can assign each internal user to one identity group. Identity groups are logical entities that are defined within a hierarchical structure and are associated with users, but they contain no data or attributes other than the name you give them. You use identity groups in policy conditions to create logical groups of users to which the same policy results are applied. When ACS processes a request for a user, it retrieves the user's identity group, which can then be used in conditions in the rule table.

You can map identity groups and users in external identity stores to ACS identity groups by using a group mapping policy.

In Administrative Access Control (AAC), you can use identity groups to limit the set of users that a specific administrator can access.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create an identity group:


Step 1 Select Users and Identity Stores > Identity Groups.

The Identity Groups page appears.

Step 2 Click Create. You can also:

Check the check box next to the identity group that you want to duplicate, then click Duplicate.

Click the identity group name that you want to modify, or check the check box next to the name and click Edit.

The Create page or the Edit page appears.

Step 3 Enter information in the following fields:

Name—Enter a name for the identity group. If you are duplicating an identity group, you must enter a unique name; all other fields are optional.

Description—Enter a description for the identity group.

Parent—Click Select to select a network device group parent for the identity group.

Step 4 Click Submit to save changes.

The identity group configuration is saved. The Identity Groups page appears with the new configuration. If you created a new identity group, it is located within the hierarchy of the page beneath your parent identity group selection.


Related Topic

Deleting an Identity Group

Deleting an Identity Group

To delete an identity group:


Step 1 Select Users and Identity Stores > Identity Groups.

The Identity Groups page appears.

Step 2 Check one or more check boxes next to the identity groups you want to delete and click Delete.

The following confirmation message appears:

Are you sure you want to delete the selected item/items?

Step 3 Click OK.

The Identity Groups page appears without the deleted identity groups.


Related Topic

Creating Identity Groups

Managing Identity Attributes

Administrators can define sets of identity attributes that become elements in policy conditions. For information about the ACS 5.0 policy model, see Chapter 3, "ACS 5.0 Policy Model." During authentication, identity attributes are taken from the internal data store when they are part of a policy condition.

ACS 5.0 interacts with identity elements to authenticate users and obtain attributes for input to an ACS policy.

Attribute definitions include the associated data type and valid values. The set of values depends on the type. For example, if the type is integer, the definition includes the valid range. ACS 5.0 provides a default value definition that can be used in the absence of an attribute value. The default value ensures that all attributes have at least one value.

Related Topics

Standard Attributes

Authentication Information

User-Defined Attributes

Standard Attributes

Table 7-1 describes the standard attributes in the internal user record.

Table 7-1 Standard Attributes 

Attribute
Description

Username

ACS compares the username against the username in the authentication request. The comparison is case-insensitive.

Status

The enabled status indicates that the account is active. The disabled status means that authentications for the username will fail.

Description

A text description of the attribute.

Identity Group

ACS associates each user to an identity group. See Creating Identity Groups for information.


Authentication Information

Select this option to specify that an additional password, stored as part of the internal user record, defines the user's TACACS+ enable password. If you do not select this option, the standard user password is also used for TACACS+ enable.

If the system is not being used for TACACS+ enable operations, you should not select this option.

User-Defined Attributes

Administrators can create and add user-defined attributes from the set of identity attributes. You can then enter values for these attributes for each user in the internal identity store.

You need to define users in ACS, which includes associating each internal user with an identity group, a description (optional), a password, an enable password (optional), and internal and external user attributes.

Internal users are defined by two components: fixed and configurable. Fixed components consist of these attributes:

Name

Description

Password

Enabled or disabled status

Identity group to which they belong

Configurable components consist of these attributes:

Enable password for TACACS+ authentication

Sets of identity attributes that determine how the user definition is displayed and entered

Cisco recommends that you configure identity attributes before you create users. When identity attributes are configured:

You can enter the corresponding values as part of a user definition.

They are available for use in policy decisions when the user authenticates.

Internal user identity attributes are applied to the user for the duration of the user's session.

Internal identity stores contain the internal user attributes and credential information used to authenticate internal users (as defined by you within a policy).

External identity stores are external databases on which to perform credential and authentication validations for internal and external users (as defined by you within a policy).

In ACS 5.0, you can configure identity attributes that are used within your policies, in this order:

1. Define an identity attribute (using the user dictionary).

2. Define custom conditions to be used in a policy.

3. Populate values for each user in the internal database.

4. Define rules based on this condition.

As you become more familiar with ACS 5.0, your identity attributes for users, and the policies themselves, will become more robust and complex.

Managing Internal Identity Stores

ACS contains an identity store for users and an identity store for hosts:

The internal identity store for users is a repository of users, user attributes, and user authentication options.

The internal identity store for hosts contains information about hosts for MAC Authentication Bypass (Host Lookup).

You can define each user and host in the identity stores, and you can import files of users and hosts.

The identity store for users is shared across all ACS instances in a deployment and includes for each user:

Standard Attributes

Authentication Information

User-Defined Attributes


Note ACS 5.0 supports authentication for internal users against the internal identity store only.


To use the identity store sequence feature, you define the list of identity stores to be accessed in a sequence. You can include the same identity store in authentication and attribute retrieval sequence lists; however, if an identity store is used for authentication, it is not accessed for additional attribute retrieval.

For certificate-based authentication, the username is populated from the certificate attribute and is used for attribute retrieval. During the authentication process, authentication fails if more than one instance of a user or host exists in internal identity stores. Attributes are retrieved (but authentication is denied) for users who have disabled accounts or passwords that must be changed.

These types of failures can occur while processing the identity policy:

Authentication failure; possible causes include bad credentials, disabled user, and so on.

User or host does not exist in any of the authentication databases.

Failure occurred while accessing the defined databases.

You can define fail-open options to determine what actions to take when each of these failures occurs:

Reject—Send a reject reply.

Drop—Do not send a reply.

Continue—Continue processing to the next defined policy in the service.

The system attribute, AuthenticationStatus, retains the result of the identity policy processing. If you choose to continue policy processing when a failure occurs, you can use this attribute in a condition in subsequent policy processing to distinguish cases where identity policy processing did not succeed.

You can continue processing when authentication fails for PAP/ASCII, EAP-TLS, or EAP-MD5. For all other authentication protocols, the request is rejected and a message to this effect is logged.
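The behavior described above (the identity store sequence, the three failure types, the fail-open actions, the protocols that may continue past an authentication failure and the AuthenticationStatus attribute) as an added, runnable Python model. This is illustration written for this chapter, not ACS code; the store contents, user records and the status value names are constructed assumptions.

```python
"""Model of identity-policy processing with an identity store sequence.

Added illustration, not Cisco ACS code. Store names, user records, attribute
values and the status strings are constructed assumptions; the page names the
AuthenticationStatus attribute but not its values.
"""
from dataclasses import dataclass, field

REJECT, DROP, CONTINUE = "Reject", "Drop", "Continue"
PASSED, FAILED, NOT_FOUND, PROCESS_ERROR = (
    "AuthenticationPassed", "AuthenticationFailed", "UserNotFound", "ProcessError")
# Protocols for which processing may continue after an authentication failure.
CONTINUE_ON_AUTH_FAILURE = {"PAP/ASCII", "EAP-TLS", "EAP-MD5"}


@dataclass
class UserRecord:
    password: str
    enabled: bool = True
    must_change_password: bool = False
    attributes: dict = field(default_factory=dict)


@dataclass
class IdentityStore:
    name: str
    users: dict                 # username -> UserRecord (constructed data)
    reachable: bool = True      # False simulates a failure accessing the database


def evaluate_identity_policy(auth_sequence, attr_sequence, username, password,
                             fail_open, protocol="PAP/ASCII"):
    """Evaluate one request against an identity store sequence.

    fail_open maps FAILED, NOT_FOUND and PROCESS_ERROR to REJECT, DROP or
    CONTINUE. Returns the AuthenticationStatus, the action and the attributes.
    """
    status, auth_store, attributes, retrieve = NOT_FOUND, None, {}, False

    # 1. Authentication: the first reachable store that holds the user decides.
    for store in auth_sequence:
        if not store.reachable:
            status = PROCESS_ERROR
            break
        rec = store.users.get(username)
        if rec is None:
            continue
        auth_store = store
        if rec.password != password:
            status = FAILED                    # bad credentials: nothing retrieved
        elif not rec.enabled or rec.must_change_password:
            status, retrieve = FAILED, True    # denied, but attributes still retrieved
        else:
            status, retrieve = PASSED, True
        break

    # 2. Attribute retrieval: the store used for authentication is not queried again.
    if retrieve:
        attributes.update(auth_store.users[username].attributes)
        for store in attr_sequence:
            if store is auth_store or not store.reachable:   # simplification: skip unreachable
                continue
            rec = store.users.get(username)
            if rec is not None:
                attributes.update(rec.attributes)

    # 3. Fail-open handling and the AuthenticationStatus system attribute.
    action = CONTINUE if status == PASSED else fail_open[status]
    if status == FAILED and action == CONTINUE and protocol not in CONTINUE_ON_AUTH_FAILURE:
        action = REJECT         # other protocols cannot continue past an auth failure
    if action != CONTINUE:
        attributes = {}         # nothing flows to later policies on Reject or Drop
    return {"AuthenticationStatus": status, "action": action, "attributes": attributes}


def build_stores(hr_reachable=True):
    """Constructed sample stores: the internal user store and an external one."""
    internal = IdentityStore("Internal Users", {
        "alice": UserRecord("s3cret", attributes={"Department": "Engineering"}),
        "bob": UserRecord("hunter2", enabled=False, attributes={"Department": "Sales"}),
    })
    hr_ldap = IdentityStore("HR-LDAP", {
        "alice": UserRecord("", attributes={"Title": "Engineer"}),
        "carol": UserRecord("pw", attributes={"Title": "Contractor"}),
    }, reachable=hr_reachable)
    return [internal, hr_ldap]


DEFAULT_FAIL_OPEN = {FAILED: CONTINUE, NOT_FOUND: REJECT, PROCESS_ERROR: DROP}


def demo(username, password, protocol="PAP/ASCII", hr_reachable=True):
    """Run one request through both sequences (same store order for both)."""
    stores = build_stores(hr_reachable)
    return evaluate_identity_policy(stores, stores, username, password,
                                    DEFAULT_FAIL_OPEN, protocol)
```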

This section contains the following topics:

Viewing and Importing Users to Internal Identity Stores

Creating Internal Users

Deleting Users from Internal Identity Stores

Viewing and Importing Hosts to Internal Identity Stores

Creating Hosts in Identity Stores

Deleting Internal Hosts

For more information about internal identity stores, see Managing Users and Identity Stores.

Viewing and Importing Users to Internal Identity Stores


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To view and import users to an internal identity store:


Step 1 Select Users and Identity Stores > Internal Identity Stores > Users.

The Internal Users page appears, with any configured users listed.

Step 2 Click Import to import up to 500 internal users. See Importing Network Resources and Users, page 6-6 for more information on the import process.


Related Topics

Creating Internal Users

Deleting Users from Internal Identity Stores

Creating Internal Users

For security reasons, you can create internal users in ACS that do not access external identity stores.

You can use the bulk import feature to import up to 500 internal users at a time; see Importing Network Resources and Users, page 6-6 for more information. Alternatively, you can use the procedure described in this topic to create internal users.


Step 1 Select Users and Identity Stores > Internal Identity Store > Users.

The Internal Users page appears.

Step 2 Click Create. You can also:

Check the check box next to the user that you want to duplicate, then click Duplicate.

Click the username that you want to modify, or check the check box next to the name and click Edit.

The User Properties page appears. In the Edit view, you can see the Creation/Modification Information, where you can find the information on the original creation and last modification of the user. You cannot edit this information.

Step 3 Complete the fields as described in Table 7-2.


Table 7-2 Users and Identity Stores > Internal Identity Store > User Properties Page  

Option
Description
General

Name

The username of the user.

Status

Use the drop-down list box to select the status for the user:

Enabled—Authentication requests for this user are allowed.

Disabled—Authentication requests for this user fail.

Description

(Optional) The description of the user.

Identity Group

Click Select to display the Identity Groups window. Choose an identity group and click OK to configure the user with a specific identity group.

Authentication Information

Change Password on next login

Check this box to start the process to change the user's password at the next user login, after authentication with the old password.

Password

The user's password, which must comply with the password policies defined under System Administration > Administrators > Password Policies.

Confirm Password

The user's password, which must match the Password entry exactly.

Enable Password

(Optional) The internal user's TACACS+ enable password, from 4 to 32 characters. You can disable this option. See Authentication Information for more information.

Confirm Password

(Optional) The internal user's TACACS+ enable password, which must match the Enable Password entry exactly.

User Information

If defined, this section displays additional identity attributes defined for user records.

Creation/Modification Information

Note This section of the page appears only after you have created or modified a MAC address.

Date Created

Display only. The date that the user's account was created, in the format YYYY-MMM-DD, where:

YYYY = Four digits that represent the year.

MMM = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec

DD = Two digits that represent the day of the month; a space precedes single-digit days (1 to 9).

Date Modified

Display only. The date that the user's account was last modified (updated), in the format YYYY-MMM-DD, where:

YYYY = Four digits that represent the year.

MMM = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec

DD = Two digits that represent the day of the month; single-digit days (1 to 9) are preceded by a space.


Step 4 Click Submit.

The user configuration is saved. The Internal Users page appears with the new configuration.


Related Topics

Viewing and Importing Users to Internal Identity Stores

Deleting Users from Internal Identity Stores

Deleting Users from Internal Identity Stores

To delete a user from an internal identity store:


Step 1 Select Users and Identity Stores > Internal Identity Store > Users.

The Internal Users page appears.

Step 2 Check one or more check boxes next to the users you want to delete.

Step 3 Click Delete.

The following confirmation message appears:

Are you sure you want to delete the selected item/items?

Click OK.

The Internal Users page appears without the deleted users.


Related Topics

Viewing and Importing Users to Internal Identity Stores

Creating Internal Users

Viewing and Importing Hosts to Internal Identity Stores


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To view and import internal hosts within the internal identity store:


Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.

The Internal Hosts page appears, with any configured internal hosts listed.

Step 2 Click Import to import up to 500 internal hosts. See Importing Network Resources and Users, page 6-6 for more information on the import process.

Step 3 To create an internal host, see Creating Hosts in Identity Stores.


Related Topics

Host Lookup, page 4-10

Creating Hosts in Identity Stores

Deleting Internal Hosts

Policies and Identity Attributes, page 3-11

Configuring an Identity Group for Host Lookup Network Access Requests, page 4-15

Creating Hosts in Identity Stores


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a MAC address and assign identity groups to internal hosts:


Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.

The Internal Hosts page appears listing any configured internal hosts.

Step 2 Click Create. You can also:

Check the check box next to the MAC address you want to duplicate, then click Duplicate.

Click the MAC address that you want to modify, or check the check box next to the MAC address and click Edit.

Click Import to import up to 500 internal hosts. See Importing Network Resources and Users, page 6-6 for more information on the import process.

The Internal Hosts General page appears.

Step 3 Complete the fields in the Internal MAC Address Properties page as described in Table 7-3:

Table 7-3 Internal Hosts Properties Page 

Option
Description
General

MAC Address

Enter a valid MAC address. You must enter the MAC address as six pairs of hexadecimal digits separated by hyphens; for example, 01-23-45-67-89-AB.

Status

Use the drop-down list box to enable or disable the MAC address.

Description

Enter a description of the MAC address.

Identity Group

Enter an identity group with which to associate the MAC address, or click Select to display the Identity Groups window. Choose an identity group with which to associate the MAC address, then click OK.

MAC Host Information

Display only. Contains MAC host identity attribute information.

Creation/Modification Information

Note This section of the page appears only after you have created or modified a MAC address.

Date Created

Display only. The date that the user's account was created, in the format YYYY-MMM-DD, where:

YYYY = Four digits that represent the year.

MMM = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec

DD = Two digits that represent the day of the month; a space precedes single-digit days (1 to 9).

Date Modified

Display only. The date that the user's account was last modified (updated), in the format YYYY-MMM-DD, where:

YYYY = Four digits that represent the year.

MMM = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec

DD = Two digits that represent the day of the month; single-digit days (1 to 9) are preceded by a space.


Step 4 Click Submit to save changes.

The MAC address configuration is saved. The Internal MAC list page appears with the new configuration.


Related Topics

Host Lookup, page 4-10

Deleting Internal Hosts

Viewing and Importing Hosts to Internal Identity Stores

Policies and Identity Attributes, page 3-11

Configuring an Identity Group for Host Lookup Network Access Requests, page 4-15

Deleting Internal Hosts

To delete a MAC address:


Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.

The Internal MAC List page appears, with any configured MAC addresses listed.

Step 2 Check one or more of the check boxes next to the internal hosts you want to delete.

Step 3 Click Delete.

The Internal MAC List page appears without the deleted MAC address(es).


Related Topics

Host Lookup, page 4-10

Viewing and Importing Hosts to Internal Identity Stores

Creating Hosts in Identity Stores

Policies and Identity Attributes, page 3-11

Configuring an Identity Group for Host Lookup Network Access Requests, page 4-15

Managing External Identity Stores

ACS 5.0 integrates with external identity systems in a number of ways. You can leverage an external authentication service, or use an external system to obtain the attributes needed to authenticate a principal, as well as to integrate those attributes into an ACS policy. For example, ACS can use Microsoft Active Directory (AD) to authenticate a principal, or it can use an LDAP bind operation to find a principal in the database and authenticate it. ACS can also obtain identity attributes, such as AD group affiliation, to make an ACS policy decision.

Related Topics

LDAP Overview

Creating External LDAP Identity Stores

Microsoft Active Directory

LDAP Overview

Lightweight Directory Access Protocol (LDAP) is a networking protocol for querying and modifying directory services that run over TCP/IP. LDAP is a lightweight mechanism for accessing an X.500-based directory server. RFC 2251 defines LDAP.

ACS 5.0 integrates with an LDAP external database, which is also called an identity store, by using the LDAP protocol.

A client starts an LDAP session by connecting to an LDAP server, and sends operation requests to the server. The server then sends responses in return. The directory service is the software application, or a set of applications, that stores and organizes information about a computer network's users and network resources. Administrators use the directory service to manage users' access to these resources. The LDAP directory service is based on a client-server model. One or more LDAP servers contain data from the LDAP directory tree or the LDAP backend database.

See Creating External LDAP Identity Stores for information about configuring an LDAP identity store.

This section contains the following topics:

Directory Service

Authentication Using LDAP

Multiple LDAP Instances

LDAP Connection Management

Authenticating a User Using a Bind Connection

Directory Service

The directory service manages the directory, which is the database that holds the information. Directory services use a distributed model for storing information, and that information is usually replicated between directory servers.

An LDAP directory is organized in a simple tree hierarchy and can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically.

An entry in the tree contains a set of attributes, where each attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema.

Each entry has a unique identifier: its Distinguished Name (DN). This name contains the Relative Distinguished Name (RDN) constructed from attributes in the entry, followed by the parent entry's DN. You can think of the DN as a full filename, and the RDN as a relative filename in a folder.
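An added Python example (not ACS code) that parses a DN into its RDNs and attribute/value pairs with RFC 4514 escaping handled, and extracts the RDN and parent DN described above. The sample DNs and the function names are assumptions made for this illustration.

```python
"""Parsing distinguished names into RDNs, honouring RFC 4514 escaping.

Added illustration, not Cisco ACS code. The sample DNs are constructed;
parse_dn, rdn_and_parent and dn_equal are assumed names.
"""
HEX = "0123456789abcdefABCDEF"


def _split(text, sep):
    """Split on an unescaped separator, keeping backslash escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])        # escaped char or hex pair: keep as is
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    """Resolve backslash-char and backslash-XX (hex) escapes in a value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(chr(int(pair, 16)))   # simplification: one byte per escape
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn):
    """Return the DN as a list of RDNs; each RDN is a sorted list of
    (attribute type, value) pairs, so multi-valued RDNs compare in any order."""
    result = []
    for rdn in _split(dn, ","):
        avas = []
        for ava in _split(rdn, "+"):
            attr_type, _, value = ava.partition("=")
            avas.append((attr_type.strip().lower(), unescape(value.strip())))
        result.append(sorted(avas))
    return result


def rdn_and_parent(dn):
    """The entry's own RDN (the 'relative filename') and its parent DN (the 'folder')."""
    rdns = [r.strip() for r in _split(dn, ",")]
    return rdns[0], ",".join(rdns[1:])


def dn_equal(a, b):
    """Structural comparison: type names are case-insensitive, values are
    compared exactly (simplification: matching rules vary per attribute)."""
    return parse_dn(a) == parse_dn(b)
```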

Related Topics

Authentication Using LDAP

Multiple LDAP Instances

LDAP Connection Management

Authenticating a User Using a Bind Connection

Authentication Using LDAP

ACS 5.0 can use LDAP to authenticate a principal by:

Checking the password against LDAP using the bind operation.

Performing a bind operation on the directory server to find and authenticate the principal.

If the principal authenticates successfully to the LDAP server, when the server subsequently receives a request from the principal, it verifies that the principal is allowed to perform the request.

ACS connects to the LDAP server and maintains a connection pool. See LDAP Connection Management.

Related Topics

Directory Service

Multiple LDAP Instances

LDAP Connection Management

Authenticating a User Using a Bind Connection

Multiple LDAP Instances

You can create more than one LDAP instance in ACS 5.0. By creating more than one LDAP instance with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server. Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ACS LDAP configuration instance.

ACS 5.0 does not require that each LDAP instance correspond to a unique LDAP database. You can have more than one LDAP instance set to access the same database. This method is useful when your LDAP database contains more than one subtree for users or groups. Because each LDAP instance supports only one subtree directory for users and one subtree directory for groups, you must configure separate LDAP instances for each user directory subtree and group directory subtree combination for which ACS should submit authentication requests.

Failover

ACS 5.0 supports failover between a primary LDAP server and a secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication request fails because ACS could not connect to an LDAP server; for example, when the server is down or is otherwise unreachable by ACS. To use this feature, you must define primary and secondary LDAP servers, and you must configure the failover settings.

If you configure failover settings and the first LDAP server that ACS attempts to contact cannot be reached, ACS always attempts to contact the other LDAP server. The first server that ACS attempts to contact is not always the primary LDAP server; it depends on the outcome of previous LDAP authentication attempts and on the value that you enter in the Failback Retry Delay box.

Related Topics

Directory Service

Authentication Using LDAP

LDAP Connection Management

Authenticating a User Using a Bind Connection

LDAP Connection Management

ACS 5.0 supports multiple concurrent LDAP connections. Connections are opened for the connection pool during ACS startup. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.

ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.

If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.

After the authentication process is complete, the connection manager releases the connection back to the connection pool.

Related Topics

Directory Service

Authentication Using LDAP

Multiple LDAP Instances

Authenticating a User Using a Bind Connection

Authenticating a User Using a Bind Connection

A simple bind sends the user's DN and password in clear text to authenticate the user against the LDAP server. A user is authenticated when the bind connection, which uses the user's DN and password from the access request, matches the username and password in the LDAP directory.

Authentication Errors

ACS logs authentication errors in the ACS log files.

Initialization Errors

Use the LDAP server timeout settings to configure the number of seconds that ACS waits for a response from an LDAP server before determining that the connection or authentication on that server has failed.

Possible reasons for an LDAP server to return an initialization error are:

LDAP is not supported.

The server is down.

The server is out of memory.

The user has no privileges.

Bind Errors

Possible reasons for an LDAP server to return bind (authentication) errors are:

Filtering errors—A search using filter criteria fails.

Parameter errors—Invalid parameters were entered.

The following errors are logged as external resource errors, indicating a possible problem with the LDAP server:

A connection error occurred.

The timeout expired.

The server is down.

The server is out of memory.

The following error is logged as an Unknown User error:

A user does not exist in the database.

The following error is logged as an Invalid Password error, where the user exists, but the password sent is invalid:

An invalid password was entered.
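The simple bind described above and the bind error categories, shown as an added Python example that is not ACS code: it encodes the LDAP simple bind request as defined in RFC 4511, so the clear-text DN and password are visible in the bytes, then decodes a constructed BindResponse and maps its result code onto the log categories listed above. The DN, the password and the result-code mapping are assumptions made for this illustration.

```python
"""BER encoding of an LDAP simple bind (RFC 4511) and decoding of the reply.

Added illustration, not Cisco ACS code: it builds the exact bytes a simple
bind puts on the wire so the clear-text DN and password are visible, then
maps a BindResponse resultCode onto the error categories described above.
The DN, password and the resultCode-to-category mapping are assumptions.
"""


# --- minimal BER primitives -------------------------------------------------
def ber_len(n):
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=0x02):
    """Non-negative INTEGER/ENUMERATED; a leading 0x00 keeps the top bit clear."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def parse_tlv(buf, pos=0):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


# --- LDAP messages ----------------------------------------------------------
SEQUENCE, OCTET_STRING, ENUMERATED = 0x30, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1]
SIMPLE_AUTH = 0x80                         # AuthenticationChoice simple [0]


def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = ber_int(3) + tlv(OCTET_STRING, bind_dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))


def bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """Server side of the exchange (constructed here for the round trip)."""
    op = (ber_int(result_code, ENUMERATED) + tlv(OCTET_STRING, matched_dn.encode())
          + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_RESPONSE, op))


def parse_bind_response(buf):
    tag, msg, _ = parse_tlv(buf)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(msg)
    tag, op, _ = parse_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = parse_tlv(op)
    _, matched, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(code, "big"),
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}


# Assumed mapping of RFC 4511 result codes onto the log categories above.
RESULT_CATEGORY = {
    0: "Success",
    32: "Unknown User",              # noSuchObject: the entry is not in the directory
    49: "Invalid Password",          # invalidCredentials
    51: "External Resource Error",   # busy
    52: "External Resource Error",   # unavailable
}


def classify_bind_result(code):
    return RESULT_CATEGORY.get(code, "Bind Error")


def password_visible_on_wire(request, password):
    """True when the raw request bytes contain the password unchanged."""
    return password.encode() in request
```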

Related Topics

Directory Service

Authentication Using LDAP

Multiple LDAP Instances

Microsoft Active Directory

ACS uses Microsoft Active Directory (AD) as an external identity store. AD stores resources such as users, machines, servers, PCs, printers, network devices, groups, and attributes; it locates and manages these resources and authenticates users and groups. ACS authenticates these resources against AD.

User authentication is supported by using:

EAP-FAST and PEAP with inner method of MS-CHAPv2

PAP

Changing the password for EAP-FAST and PEAP with inner MS-CHAPv2 is also supported.

ACS supports these AD domains:

Windows Server 2000

Windows Server 2003

Windows Server 2008

ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and set the maximum time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine did not successfully authenticate, or when the time between machine authentication and user authentication is greater than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required.

ACS and AD must be time-synchronized to within 5 minutes. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. (See Command Line Interface Reference Guide for the Cisco Secure Access Control System 5.0 for more information). If the time is not synchronized, a log message is sent.

Certificate authentication and dial-in users are not supported by AD in ACS.
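The following Python example is added to this guide to illustrate the MAR aging rule and the 5-minute time-synchronization tolerance described above; it is not ACS code. It keys machine authentications by an endpoint identifier (a calling-station MAC address in this model, which is an assumption about how the two authentications are correlated), and the 6-hour aging time and the timestamps are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# ACS and AD must agree on time to within 5 minutes (see the paragraph above).
MAX_CLOCK_SKEW = timedelta(minutes=5)


def clocks_synchronized(acs_time: datetime, ad_time: datetime) -> bool:
    """True when the ACS and AD clocks are within the 5-minute tolerance."""
    return abs(acs_time - ad_time) <= MAX_CLOCK_SKEW


@dataclass
class MarSettings:
    enable_machine_access_restrictions: bool = True
    aging_time: timedelta = timedelta(hours=6)   # "Aging time (hours)"; 6 h is a constructed value


class MachineAccessRestrictions:
    """Ties a user authentication to an earlier machine authentication from the same host.

    Endpoints are keyed by a string identifier (a calling-station MAC address in this
    model; how ACS itself correlates the two authentications is an assumption here).
    """

    def __init__(self, settings: MarSettings):
        self.settings = settings
        self.machine_auth_at: Dict[str, datetime] = {}

    def record_machine_authentication(self, endpoint: str, when: datetime) -> None:
        """Store the time of a successful machine authentication for this endpoint."""
        self.machine_auth_at[endpoint] = when

    def check_user_authentication(self, endpoint: str, when: datetime) -> Tuple[bool, str]:
        """Apply the MAR condition to a user authentication arriving from the endpoint."""
        if not self.settings.enable_machine_access_restrictions:
            return True, "MAR disabled: user authentication not tied to machine authentication"
        last = self.machine_auth_at.get(endpoint)
        if last is None:
            # Host never authenticated successfully: MAR fails the user.
            return False, "no successful machine authentication recorded for this host"
        elapsed = when - last
        if elapsed > self.settings.aging_time:
            return False, f"machine authentication aged out: {elapsed} exceeds {self.settings.aging_time}"
        return True, f"machine authenticated {elapsed} before the user; within aging time"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)   # constructed timestamps
    mar = MachineAccessRestrictions(MarSettings())
    mar.record_machine_authentication("00-11-22-33-44-55", t0)
    for offset in (timedelta(minutes=30), timedelta(hours=7)):
        print(offset, mar.check_user_authentication("00-11-22-33-44-55", t0 + offset))
    print("unknown host", mar.check_user_authentication("aa-bb-cc-dd-ee-ff", t0))
    print("clock skew acceptable:", clocks_synchronized(t0, t0 + timedelta(minutes=4)))
```

Because the check depends on the difference between two timestamps, an unsynchronized ACS or AD clock shifts the effective aging window, which is why the guide requires both to use the same NTP server.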

Related Topic

Machine Authentication, page B-29

Creating External LDAP Identity Stores


Note Configuring an LDAP external database for ACS has no effect on the configuration of the LDAP database. ACS recognizes the LDAP database, enabling the database to be authenticated against. To manage your LDAP database, see your LDAP database documentation.


When you create an external identity store, ACS also creates:

A new dictionary for that store with two attributes, ExternalGroups and IdentityDn.

A custom condition for group mapping from the ExternalGroup attribute; the condition name has the format LDAP:<ID_store_name>ExternalGroups.

You can edit the predefined condition name, and you can create a custom condition from the IdentityDn attribute in the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 8-4.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit an external database:


Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.

The LDAP Identity Stores page appears.

Step 2 Click Create. You can also:

Check the check box next to the identity store you want to duplicate, then click Duplicate.

Click the identity store name that you want to modify, or check the box next to the name and click Edit.

If you are creating an identity store, the first page of a wizard appears: General.

If you are duplicating an identity store, the External Identity Stores > Duplicate: "<idstore>" page General tab appears, where <idstore> is the name of the external identity store that you chose.

If you are editing an identity store, the External Identity Stores > Edit: "<idstore>" page General tab appears, where <idstore> is the name of the external identity store that you chose.

Step 3 Complete the Name and Description fields as required.

Step 4 Click Next. Continue with Configuring an External LDAP Server Connection.


Related Topic

Deleting External LDAP Identity Stores

Configuring an External LDAP Server Connection

Use this page to configure an external LDAP database.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Users and Identity Stores > External Identity Stores > LDAP, then click:

Create and follow the wizard.

Duplicate, then click the Server Connection tab.

Edit, then click the Server Connection tab.

Table 7-4 LDAP: Server Connection Page 

Option
Description
Server Connection

Enable Secondary Server

Check to enable the secondary LDAP server, to use as a backup in the event that the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.

Always Access Primary Server First

Click to ensure that the primary LDAP server is accessed first, before the secondary LDAP server is accessed.

Failback to Primary Server After <min.> Minutes

Click to set the number of minutes that ACS authenticates using the secondary LDAP server if the primary server cannot be reached, where <min.> is the number of minutes. After this time period, ACS reattempts authentication using the primary LDAP server. (Default = 5.)

Primary Server

Hostname

Enter the IP address or DNS name of the machine that is running the primary LDAP software. The host name can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for host names are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).

Port

Enter the TCP/IP port number on which the primary LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by referring to the administrator of the LDAP server.

Anonymous Access

Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured accessible to any unauthenticated client. In the absence of specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.

Authenticated Access

Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.

Admin DN

Enter the distinguished name of the administrator; that is, the LDAP account which, if bound to, permits searching all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users that LDAP authenticates.

Password

Enter the LDAP administrator account password.

Use Secure Authentication

Click to use Secure Sockets Layer (SSL) to encrypt communication between ACS and the primary LDAP server. Verify the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must select a root CA.

Root CA

Select a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate.

Server Timeout <sec.> Seconds

Enter the number of seconds that ACS waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed, where <sec.> is the number of seconds. Valid values are 1 to 300. (Default = 10.)

Max Admin Connections

Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions, that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and Group Directory Subtree. Valid values are 1 to 99. (Default = 8.)

Test Bind To Server

Click to test and ensure that the primary LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

Secondary Server

Hostname

Enter the IP address or DNS name of the machine that is running the secondary LDAP software. The host name can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for host names are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).

Port

Enter the TCP/IP port number on which the secondary LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing DS Properties on the LDAP machine.

Anonymous Access

Click to verify that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client to access (read and update) any data that is configured to be accessible to any unauthenticated client. In the absence of specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.

Admin DN

Enter the distinguished name of the administrator; that is, the LDAP account which, if bound to, permits searching for all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users that LDAP authenticates.

Password

Type the LDAP administrator account password.

Use Secure Authentication

Click to use Secure Sockets Layer (SSL) to encrypt communication between ACS and the secondary LDAP server. Verify the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must select a root CA.

Root CA

Select a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate.

Server Timeout <sec.> Seconds

Type the number of seconds that ACS waits for a response from the secondary LDAP server before determining that the connection or authentication with that server has failed, where <sec.> is the number of seconds. Valid values are 1 to 300. (Default = 10.)

Max Admin Connections

Type the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions, that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and Group Directory Subtree. Valid values are 1 to 99. (Default = 8.)

Test Bind To Server

Click to test and ensure that the secondary LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.


Step 2 Click Next. Continue with Configuring External LDAP Directory Organization.
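The following Python example is added to this guide, and is not ACS code, to show how the Server Connection options in Table 7-4 interact: Always Access Primary Server First versus Failback to Primary Server After <min.> Minutes, with the Server Timeout treated as the point at which a server is declared unreachable. The class and function names, the hostnames, and the scripted outage are all constructed for the example; a bind attempt is modeled as a callable that raises ConnectionError when the server is down or the timeout expires.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class LdapServer:
    name: str
    hostname: str              # 1..256 characters or an IP address, as Table 7-4 requires
    port: int = 389            # 636 is commonly used when Use Secure Authentication is on
    server_timeout: int = 10   # seconds ACS waits before declaring the server failed


@dataclass
class FailoverPolicy:
    enable_secondary: bool = True
    # "primary_first": Always Access Primary Server First
    # "failback": stay on the secondary for failback_minutes after a primary failure
    mode: str = "failback"
    failback_minutes: int = 5  # Table 7-4 default


class LdapServerSelector:
    """Chooses which LDAP server an authentication is sent to (constructed model)."""

    def __init__(self, primary: LdapServer, secondary: Optional[LdapServer],
                 policy: FailoverPolicy, clock: Callable[[], float] = time.monotonic):
        self.primary = primary
        self.secondary = secondary
        self.policy = policy
        self.clock = clock                       # injectable so the window can be simulated
        self.primary_failed_at: Optional[float] = None

    def primary_in_failback_window(self) -> bool:
        if self.primary_failed_at is None:
            return False
        return self.clock() - self.primary_failed_at < self.policy.failback_minutes * 60

    def server_order(self) -> List[LdapServer]:
        secondary = [self.secondary] if (self.policy.enable_secondary and self.secondary) else []
        if self.policy.mode == "failback" and secondary and self.primary_in_failback_window():
            return secondary                     # primary is skipped until the window elapses
        return [self.primary] + secondary

    def authenticate(self, bind: Callable[[LdapServer], bool]) -> Tuple[str, bool]:
        """bind(server) returns the credential decision or raises ConnectionError."""
        tried = []
        for server in self.server_order():
            tried.append(server.name)
            try:
                accepted = bind(server)
            except ConnectionError:
                if server is self.primary:
                    self.primary_failed_at = self.clock()
                continue
            if server is self.primary:
                self.primary_failed_at = None    # primary answered: clear the window
            return server.name, accepted
        raise ConnectionError("no LDAP server reachable, tried: " + ", ".join(tried))


def simulate_outage() -> List[Tuple[int, str]]:
    """Scripted outage: primary down at t=0 s, back at t=240 s, failback after 5 minutes.

    Returns (seconds, server that answered) for each authentication in the script.
    """
    now = [0.0]
    primary_up = [False]
    primary = LdapServer("primary", "ldap1.corp.example")      # constructed hostnames
    secondary = LdapServer("secondary", "ldap2.corp.example")
    selector = LdapServerSelector(primary, secondary, FailoverPolicy(), clock=lambda: now[0])

    def bind(server: LdapServer) -> bool:
        if server is primary and not primary_up[0]:
            raise ConnectionError(f"{server.hostname}: timeout after {server.server_timeout}s")
        return True

    used = []
    for t in (0, 120, 240, 320):
        now[0] = float(t)
        if t >= 240:
            primary_up[0] = True
        name, _ = selector.authenticate(bind)
        used.append((t, name))
    return used


if __name__ == "__main__":
    for t, name in simulate_outage():
        print(f"t={t:>3}s -> {name}")
```

The script shows the trade-off the two options encode: with failback, the primary is not retried even after it recovers at t=240 s until the 5-minute window has elapsed, whereas Always Access Primary Server First retries the primary on every authentication and pays the Server Timeout each time it is still down.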


Configuring External LDAP Directory Organization

Use this page to configure an external LDAP database.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Users and Identity Stores > External Identity Stores > LDAP, then click:

Create and follow the wizard.

Duplicate, then click the Directory Organization tab.

Edit, then click the Directory Organization tab.

Table 7-5 LDAP: Directory Organization Page 

Option
Description
Schema

Subject Object class

The value of the LDAP objectClass attribute that identifies the record as a subject. Often, subject records have several values for the objectClass attribute, some of which are unique to the subject and some of which are shared with other object types. This box should contain a value that is not shared. Valid values are from 1 to 20 characters and must be a valid LDAP object type. This parameter can contain any UTF-8 characters. (Default = Person.)

Group Object class

Enter the group object class that you want to use in searches that identify objects as groups. (Default = GroupOfUniqueNames.)

Subject Name Attribute

The name of the attribute in the subject record that contains the subject name. You can obtain this attribute name from your directory server. This attribute specifies the subject name in the LDAP schema. You use this attribute to construct queries to search for subject objects. For more information, refer to the LDAP database documentation. Valid values are from 1 to 20 characters and must be a valid LDAP attribute. This parameter can contain any UTF-8 characters. Common values are uid and CN. (Default = uid.)

Group Map Attribute

Enter the attribute that contains the mapping information: an attribute in either the subject or the group, depending on:

If you select the Subject Objects Contain Reference To Groups radio button, enter a subject attribute.

If you select Group Objects Contain Reference To Subjects radio button, enter a group attribute.

Certificate Attribute

Enter the attribute that contains certificate definitions. These definitions can optionally be used to validate certificates presented by clients when defined as part of a certificate authentication profile. In such cases, a binary comparison is performed between the client certificate and the certificate retrieved from the LDAP database.

Subject Objects Contain Reference To Groups

Click if the subject objects contain a reference to groups.

Group Objects Contain Reference To Subjects

Click if the group objects contain a reference to subjects.

Subjects In Groups Are Stored In Member Attribute As

Use the drop-down list box to indicate if the subjects in groups are stored in member attributes as either:

Username

Distinguished name

Directory Structure

Subject Search Base

Enter the distinguished name (DN) for the subtree that contains all subjects. For example:

o=corporation.com

If the tree containing subjects is the base DN, enter:

o=corporation.com

or

dc=corporation,dc=com

as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Group Search Base

Enter the distinguished name (DN) for the subtree that contains all groups. For example:

ou=organizational unit[,ou=next organizational unit],o=corporation.com

If the tree containing groups is the base DN, type:

o=corporation.com

or

dc=corporation,dc=com

as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Test Configuration

Click to obtain the expected connection and schema results by counting the number of users and groups that may result from your configuration.

Username Domain Stripping

Strip start of subject name up to the last occurrence of the separator

Enter the appropriate text to remove domain prefixes from usernames.

If, in the username, ACS finds the delimiter character that is specified in the <start_string> box, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the <start_string> box, ACS strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\echamberlain, ACS submits echamberlain to an LDAP server.

Note The <start_string> box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the <start_string> box contains any of these characters, stripping fails.

Strip end of subject name from the first occurrence of the separator

Enter the appropriate text to remove domain suffixes from usernames.

If, in the username, ACS finds the delimiter character that is specified in the <end_string> box, it strips all characters from the delimiter character through the end of the username. If the username contains more than one of the characters specified in the <end_string> box, ACS strips characters starting with the first occurrence of the delimiter character. For example, if the delimiter character is the at symbol (@) and the username is jwiedman@domain, then ACS submits jwiedman to an LDAP server.

Note The <end_string> box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the <end_string> box contains any of these characters, stripping fails.

MAC Address Format

Search for MAC Address in Format <format>

Use the drop-down list box to enable search for MAC addresses in a specific format, where <format> can be:

xxxxxxxxxxxx

xx-xx-xx-xx-xx-xx

xx:xx:xx:xx:xx:xx

xxxx.xxxx.xxxx

The format you select must match the format of the MAC address stored in the LDAP server.


Step 2 Click Finish.

The external identity store you created is saved.
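The following Python example is added to this guide, and is not ACS code, to show how the Directory Organization settings in Table 7-5 combine into a single subject lookup: the Username Domain Stripping rows (strip up to the last prefix separator, strip from the first suffix separator, and reject the forbidden separator characters), the MAC Address Format row (the four formats), and the Schema and Directory Structure rows (Subject Object class, Subject Name Attribute and Subject Search Base, from which the search filter is built). The dataclass and function names are constructed for the example, the usernames and MAC address are constructed inputs, and lowercase MAC output is an assumption. The filter value is escaped as RFC 4515 requires so that a username containing filter metacharacters cannot alter the query.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Characters the two Notes above disallow in a separator (ACS also rejects them in usernames).
FORBIDDEN_SEPARATOR_CHARS = set('#?"*><')

MAC_FORMATS = ("xxxxxxxxxxxx", "xx-xx-xx-xx-xx-xx", "xx:xx:xx:xx:xx:xx", "xxxx.xxxx.xxxx")
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{12}"
    r"|(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$")
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # LDAP attribute / object class name syntax


@dataclass
class DirectoryOrganization:
    subject_object_class: str = "Person"                 # Table 7-5 default
    subject_name_attribute: str = "uid"                  # Table 7-5 default
    subject_search_base: str = "dc=corporation,dc=com"   # example base DN from the table
    strip_prefix_separator: Optional[str] = None         # strip up to the LAST occurrence
    strip_suffix_separator: Optional[str] = None         # strip from the FIRST occurrence
    mac_format: str = "xx-xx-xx-xx-xx-xx"


def strip_domain(username: str, prefix_sep: Optional[str], suffix_sep: Optional[str]) -> str:
    """Username Domain Stripping as the two rows above describe it."""
    for sep in (prefix_sep, suffix_sep):
        if sep and set(sep) & FORBIDDEN_SEPARATOR_CHARS:
            raise ValueError(f"separator {sep!r} contains a character ACS does not allow")
    if prefix_sep:
        idx = username.rfind(prefix_sep)          # DOMAIN\user -> user (last occurrence)
        if idx != -1:
            username = username[idx + len(prefix_sep):]
    if suffix_sep:
        idx = username.find(suffix_sep)           # user@domain -> user (first occurrence)
        if idx != -1:
            username = username[:idx]
    return username


def parse_mac(text: str) -> Optional[str]:
    """Return 12 lowercase hex digits if text is a MAC in one of the four formats, else None."""
    candidate = text.lower()
    if not _MAC_RE.match(candidate):
        return None
    return re.sub(r"[-:.]", "", candidate)


def format_mac(hex12: str, mac_format: str) -> str:
    """Render 12 hex digits in the format selected under MAC Address Format."""
    if mac_format == "xxxxxxxxxxxx":
        return hex12
    if mac_format == "xx-xx-xx-xx-xx-xx":
        return "-".join(hex12[i:i + 2] for i in range(0, 12, 2))
    if mac_format == "xx:xx:xx:xx:xx:xx":
        return ":".join(hex12[i:i + 2] for i in range(0, 12, 2))
    if mac_format == "xxxx.xxxx.xxxx":
        return ".".join(hex12[i:i + 4] for i in range(0, 12, 4))
    raise ValueError(f"unknown MAC format {mac_format!r}; expected one of {MAC_FORMATS}")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the value is data, never filter syntax (prevents LDAP filter injection)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def build_subject_search(cfg: DirectoryOrganization, username: str) -> Tuple[str, str]:
    """Return (search base, filter) for the subject lookup performed for username."""
    for name in (cfg.subject_object_class, cfg.subject_name_attribute):
        if not _ATTR_RE.match(name):
            raise ValueError(f"{name!r} is not a valid LDAP attribute or object class name")
    subject = strip_domain(username, cfg.strip_prefix_separator, cfg.strip_suffix_separator)
    mac = parse_mac(subject)
    if mac is not None:
        subject = format_mac(mac, cfg.mac_format)   # must match what the LDAP server stores
    ldap_filter = (f"(&(objectClass={escape_filter_value(cfg.subject_object_class)})"
                   f"({cfg.subject_name_attribute}={escape_filter_value(subject)}))")
    return cfg.subject_search_base, ldap_filter


if __name__ == "__main__":
    cfg = DirectoryOrganization(strip_prefix_separator="\\", strip_suffix_separator="@",
                                mac_format="xxxx.xxxx.xxxx")
    for incoming in ("DOMAIN\\echamberlain", "jwiedman@domain", "00:1A:2B:3C:4D:5E", "CORP\\j*doe"):
        print(incoming, "->", build_subject_search(cfg, incoming))
```

The last sample input shows why escaping matters: a subject name containing "*" is submitted as the literal value j\2adoe rather than as a wildcard, so the search can only ever match one subject record.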


Related Topics

Configuring LDAP Groups

Deleting External LDAP Identity Stores

Deleting External LDAP Identity Stores

You can delete one or more external databases simultaneously.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To delete an external database:


Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.

The LDAP Identity Stores page appears, with a list of your configured external identity stores.

Step 2 Check one or more check boxes next to the external identity stores you want to delete.

Step 3 Click Delete.

The following confirmation message appears:

Are you sure you want to delete the selected item/items?

Step 4 Click OK.

The External Identity Stores page appears, without the deleted identity stores in the list.


Related Topic

Creating External LDAP Identity Stores

Configuring LDAP Groups

Use this page to configure an external LDAP group.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Users and Identity Stores > External Identity Stores > LDAP, then click:

Create and follow the wizard.

Duplicate, then click the Directory Groups tab.

Edit, then click the Directory Groups tab.

The Selected Directory Groups field displays a list of groups that are available as options in rule-table group-mapping conditions.

Step 2 Click:

Select to open the Groups secondary window from which you can select groups and add them to the Selected Directory Groups list.

Deselect to remove a selected group from the Selected Directory Groups list.

Step 3 Click Submit to save your changes.


Viewing LDAP Attributes

Use this page to view the external LDAP attributes.


Step 1 Select Users and Identity Stores > External Identity Stores > LDAP, then click:

Create and follow the wizard.

Duplicate, then click the Directory Attributes tab.

Edit, then click the Directory Attributes tab.

Step 2 In the Name of example Subject to Select Attributes field, enter the name of an example object from which to retrieve attributes, then click Select.

Step 3 Complete the fields as described in Table 7-6.

Table 7-6 LDAP: Attributes Page 

Option
Description

Attribute Name

Type an attribute name that you want included in the list of available attributes for policy conditions.

Type

Select the type you want associated with the attribute name you entered in the Attribute Name field.

Default

Specify the default value you want associated with the attribute name you entered in the Attribute Name field. If you do not specify a default value, no default is used.

Note When attributes are imported to the Attribute Name/Type/Default box via the Select button, these default values are used:

String—Name of the attribute

Integer—0

Binary—null

Policy Condition Name

(Optional) Specify the name of the custom condition for this attribute. This condition will be available for selection when customizing conditions in a policy.


Step 4 Click Add and the information you entered is added to the fields on the screen. The attributes listed here are available for policy conditions.

Step 5 Click Submit to save your changes.


Configuring an AD Identity Store

When you configure an Active Directory (AD) identity store, ACS also creates:

A new dictionary for that store with two attributes: ExternalGroups and another attribute for any attribute selected in the Directory Attributes page.

A custom condition for group mapping from the ExternalGroup attribute; the custom condition name is AD1:ExternalGroups and another custom condition for each attribute selected in the Directory Attributes page (for example, AD1:cn).

You can edit the predefined condition name, and you can create a custom condition from the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 8-4.


Note If you add a new domain to ACS, it takes approximately 45 minutes before ACS can authenticate users against the new domain. To work around this waiting period, you can restart ACS, join the newly created domain, and then join back to the previous domain.


To authenticate users and join ACS with an AD domain:


Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory.

The Active Directory page appears.

Step 2 Modify the fields in the tabs as described in Table 7-7.

Table 7-7 Active Directory: General Page 

Option
Description
Connection Details

Active Directory Domain Name

Name of the AD domain to join ACS to.

Username

AD user with Create Computer Objects permission to add machines to the AD domain.

Password

Enter the configured password of the administrator user.

Test Connection

Click to test the ACS connection with the AD domain for the user, domain, and password identified in the previous fields.

A message appears informing you whether the AD server is routable within the network.

End User Authentication Settings

Enable password change

Click to allow the password to be changed.

Enable machine authentication

Click to allow machine authentication.

Enable Machine Access Restrictions

Click to ensure that machine authentication results are tied to user authentication and authorization. If you enable this feature, you must set the Aging time.

Aging time (hours) <time>

The time after a machine was authenticated that a user can be authenticated from that machine. If this time elapses, user authentication fails.

You must set this time if you clicked the Enable Machine Access Restrictions check box.

Connectivity Status

(Display only.) After you save the configuration (by clicking Save Changes), shows the connection status of the domain name with which ACS is joined.


Step 3 Click:

Save Changes to save the configuration, join the ACS to the specified AD domain with the configured credentials, and start the AD agent.

Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

The Active Directory configuration is saved. The Active Directory page appears with the new configuration.


Related Topics

Selecting Active Directory Group

Configuring Active Directory Attributes

Selecting Active Directory Group

Use this page to select groups that can then be available for policy conditions.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.

The Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and can be available as options in group mapping conditions in rule tables.

Step 2 Click Select to see the available AD groups on the domain (and other trusted domains in the same forest).

The External User Groups dialog box appears displaying the available AD groups on the domain, as well as other trusted domains in the same forest.

Step 3 Select AD groups, then click OK.

To remove an AD group from the list, click an AD group, then click Deselect.

Step 4 Click:

Save Changes to save the configuration.

Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.


Configuring Active Directory Attributes

Use this page to select attributes that can then be available for policy conditions.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Attributes tab.

Step 2 Complete the fields in the Active Directory: Attributes page as described in Table 7-8:

Table 7-8 Active Directory: Attributes Page 

Option
Description

Name of example Subject to Select Attributes

Enter the name of a user or computer found on the joined domain.

Select

Click to access the Attributes secondary window, which displays the attributes of the name you entered in the previous field.

Attribute Name list

Displays the attributes you selected in the secondary Selected Attributes window.

Attribute Name

You can select an attribute from the list, then click:

Edit to edit the attribute.

Add to add an attribute to the Attribute Name list.

Type

Attribute types associated with the attribute names. Valid options are:

String

Integer 32

IPv4 Address

HEX String

Default

Specified attribute default value for the selected attribute:

String—Name of the attribute.

Integer 32—0.

IPv4 Address—No default set.

HEX String—No default set.

Policy Condition Name

Enter the custom condition name for this attribute. For example, if the custom condition name is AAA, enter AAA in this field and not AD1:att_name.

Select Attributes Secondary Window

Available from the Attributes secondary window only.

Search Filter

Specify a user or machine name. For user names, you can specify distinguished name, SAM, NetBios, or UPN format. For machine names, you can specify one of the following formats: MACHINE$, NETBiosDomain\MACHINE$, host/MACHINE, or host/machine.domain. You can specify non-English letters for user and machine names.

Attribute Name

The name of an attribute of the user or machine name you entered in the previous field.

Attribute Type

The type of attribute.

Attribute Value

The value of an attribute for the specified user or machine.


Step 3 Click:

Save Changes to save the configuration.

Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.


Configuring CA Certificates

Certificate Authority (CA) certificates are used to identify a client to the server. CA certificates are also known as trust certificates.

ACS uses EAP-TLS, EAP-FAST, and PEAP authentication protocols in combination with digital certification to ensure the protection and validity of authentication information.

You use the Certificate Authorities options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).

Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate. For more information, see Configuring Local Server Certificates, page 16-9.

Related Topics

Adding a Certificate Authority

Editing a Certificate Authority

Deleting a Certificate Authority

Exporting a Certificate Authority

Adding a Certificate Authority


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Note The supported certificate formats are DER and PEM.


To add a trusted CA (Certificate Authority) certificate:


Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate page appears.

Step 2 Click Add.

Step 3 Complete the fields in the Certificate File to Import page as described in Table 7-9:

Table 7-9 Certificate Authority Properties Page   

Option
Description
Certificate File to Import

Certificate File

Enter the name of the certificate file. Click Browse to navigate to the location on the client machine where the trust certificate is located.

Trust for client with EAP-TLS

Check this box so that ACS will use the certificate trust list for the EAP protocol.

Description

Enter a description of the CA certificate.


Step 4 Click Submit.

The new certificate is saved. The Trust Certificate List page appears with the new certificate.


Related Topics

User Certificate Authentication, page B-5

Overview of EAP-TLS, page B-4

Editing a Certificate Authority


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


Use this page to edit a trusted CA (Certificate Authority) certificate.


Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate page appears with a list of configured certificates.

Step 2 Click the name that you want to modify, or check the check box for the Name, and click Edit.

Step 3 Complete the fields in the Edit Trust Certificate List Properties Page as described in Table 7-10:

Table 7-10 Edit Certificate Authority Properties Page  

Option
Description
Issuer

Friendly Name

The name that is associated with the certificate.

Issued To

Display only. The entity to which the certificate is issued. The name that appears is from the certificate subject.

Issued By

Display only. The certification authority that issued the certificate.

Valid from

Display only. The start date of the certificate's validity. An X509 certificate is valid only from the start date to the end date (inclusive).

Valid To

Display only. The last date of the certificate's validity.

Serial Number

Display only. The serial number of the certificate.

Description

Description of the certificate.

Usage

Trust for client with EAP-TLS

Check this box so that ACS will use the trust list for the TLS related EAP protocols.

Certificate Revocation List Configuration

Use this section to configure the CRL.

Download CRL

Check this box to download the CRL.

CRL Distribution URL

Enter the URL from which ACS downloads the CRL. HTTP URLs are supported; because the CRL carries the issuing CA's signature, its integrity does not depend on the transport. If the CA certificate contains a CRL Distribution Points extension, ACS fills in this field from it.

Retrieve CRL

Choose when ACS downloads a fresh CRL from the distribution URL:

Automatically—ACS schedules the next download for the Next Update time carried in the CRL it currently holds. If a download fails, ACS retries periodically until it succeeds.

Every—ACS downloads the CRL at a fixed interval. Enter the interval and select its unit.

If Download Failed Wait

Enter how long ACS waits before retrying after a CRL download fails.

Authenticate Before CRL Received

If unchecked, ACS rejects every client request that presents a certificate signed by this CA until the CRL has been received (fail closed). When checked, ACS may accept such requests before the CRL arrives, so a certificate the CA has already revoked can authenticate during that window.

Ignore CRL Expiration

Check this box to keep checking certificates against a CRL whose validity period has ended. When checked, ACS continues to use the expired CRL and permits or rejects EAP-TLS authentications according to its contents. When unchecked, ACS compares the Next Update field of the CRL with the current time and, if the CRL has expired, rejects all authentications that use certificates signed by this CA until a fresh CRL is downloaded. Leave it unchecked unless an outage of the CRL distribution point is more acceptable to you than relying on a list that may be missing recent revocations.


Step 4 Click Submit.

The Trust Certificate page appears with the edited certificate.
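The two CRL check boxes in Table 7-10 decide whether ACS fails open or closed when revocation data is missing or stale. The Go program below is an added illustration of that decision and is not code from this guide or from ACS. It uses only the standard library's crypto/x509 package (Go 1.19 or later, for ParseRevocationList and CheckSignatureFrom) to build a throw-away CA and a CRL in memory, so the CA name, the serial numbers 1001 and 1002 and the fixed 2024-01-01 timestamp are constructed for the example. Evaluate applies the semantics documented above: reject until a CRL has been received unless Authenticate Before CRL Received is set, reject on a CRL whose Next Update has passed unless Ignore CRL Expiration is set, and otherwise decide by serial number. The signature check of the CRL against the trusted CA is part of the example; the guide does not describe ACS's internal checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLOptions mirrors the two check boxes under Certificate Revocation List Configuration.
type CRLOptions struct {
	AuthenticateBeforeCRLReceived bool // accept clients while no CRL has been downloaded yet
	IgnoreCRLExpiration           bool // keep using a CRL whose Next Update has passed
}

// Evaluate decides whether a client certificate with the given serial number, issued
// by ca, is acceptable at time now. crl is nil until a download has succeeded.
// With both options false the function fails closed, which is the ACS default.
func Evaluate(crl *x509.RevocationList, ca *x509.Certificate, serial *big.Int, now time.Time, opts CRLOptions) (bool, string) {
	if crl == nil {
		if opts.AuthenticateBeforeCRLReceived {
			return true, "no CRL yet; accepted because Authenticate Before CRL Received is set"
		}
		return false, "no CRL received yet"
	}
	// A CRL that the trusted CA did not sign must not influence the decision.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, "CRL signature invalid: " + err.Error()
	}
	if now.After(crl.NextUpdate) && !opts.IgnoreCRLExpiration {
		return false, "CRL expired at " + crl.NextUpdate.Format(time.RFC3339)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return false, "serial " + serial.String() + " is revoked"
		}
	}
	return true, "serial " + serial.String() + " is not on the CRL"
}

// epoch is the constructed issue time of the CRL, which is valid for 24 hours.
var epoch = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

// BuildCAAndCRL creates an in-memory CA and a CRL signed by it that revokes one
// serial number. The CA name and serials are constructed for the example.
func BuildCAAndCRL(revoked int64) (*x509.Certificate, *x509.RevocationList, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: epoch.Add(-time.Hour), NotAfter: epoch.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue a CRL
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId is populated
	if err != nil {
		return nil, nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: epoch, NextUpdate: epoch.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revoked), RevocationTime: epoch}},
	}, ca, key)
	if err != nil {
		return nil, nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	return ca, crl, err
}

func main() {
	ca, crl, err := BuildCAAndCRL(1002)
	if err != nil {
		panic(err)
	}
	fresh, stale := epoch.Add(time.Hour), epoch.Add(48*time.Hour)
	show := func(serial int64, at time.Time, opts CRLOptions) {
		ok, why := Evaluate(crl, ca, big.NewInt(serial), at, opts)
		fmt.Printf("serial=%d at=%s accept=%-5v %s\n", serial, at.Format(time.RFC3339), ok, why)
	}
	show(1001, fresh, CRLOptions{})                          // accepted
	show(1002, fresh, CRLOptions{})                          // revoked
	show(1001, stale, CRLOptions{})                          // expired CRL: fails closed
	show(1001, stale, CRLOptions{IgnoreCRLExpiration: true}) // expired CRL tolerated
	ok, why := Evaluate(nil, ca, big.NewInt(1001), fresh, CRLOptions{})
	fmt.Printf("before the first CRL download: accept=%v %s\n", ok, why)
}
```

Note that Ignore CRL Expiration relaxes only the freshness requirement: a serial listed on the stale CRL is still rejected, and a CRL that does not verify against the trusted CA is never consulted at all.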


Related Topics

User Certificate Authentication, page B-5

Overview of EAP-TLS, page B-4

Deleting a Certificate Authority


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


Use this page to delete a trusted CA (Certificate Authority) certificate:


Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate List page appears with a list of configured certificates.

Step 2 Check one or more check boxes next to the certificates that you want to delete.

Step 3 Click Delete.

Step 4 For confirmation, click Yes.

The Trust Certificate page appears without the deleted certificate(s).


Related Topic

Overview of EAP-TLS, page B-4

Exporting a Certificate Authority


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To export a trust certificate:


Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate List page appears with a list of configured certificates.

Step 2 Check the box next to the certificates that you want to export.

Step 3 Click Export.

This operation exports the trusted certificate to the client machine.

Step 4 For confirmation, click Yes.

You are prompted to install the exported certificate on your client machine.


Related Topics

User Certificate Authentication, page B-5

Overview of EAP-TLS, page B-4

Configuring Certificate Authentication Profiles

The certificate authentication profile defines which X.509 certificate information ACS uses for a certificate-based access request. You select one attribute of the certificate to serve as the username; that username identifies the user for the remainder of the request, including in the logs.

You can also use the profile to validate the presented certificate against a copy held in an LDAP directory. ACS uses the username taken from the certificate to query the selected LDAP identity store, retrieves the certificate stored for that user, and compares the two certificates byte for byte. If they match, ACS accepts the request and the LDAP attributes retrieved for the user are available to policy; otherwise ACS rejects the request.

When ACS processes a certificate-based authentication request, therefore, one of two things happens: ACS takes the username from the certificate and uses it as the identity for the request, or, when binary comparison is enabled, it additionally validates the presented certificate against the one held in the selected LDAP identity store.

You can duplicate a certificate authentication profile to create a new profile that is the same, or similar to, an existing certificate authentication profile. After duplication is complete, you access each profile (original and duplicated) separately, to edit or delete them.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a certificate authentication profile:


Step 1 Select Users and Identity Stores > Certificate Authentication Profile.

The Certificate Authentication Profile page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the certificate authentication profile that you want to duplicate, then click Duplicate.

Click the certificate authentication profile that you want to modify, or check the check box next to the name and click Edit.

The Certificate Authentication Profile Properties page appears.

Step 3 Complete the fields in the Certificate Authentication Profile Properties page as described in Table 7-11:

Table 7-11 Certificate Authentication Profile Properties Page 

Option
Description
General

Name

Enter the name of the certificate authentication profile.

Description

Enter a description of the certificate authentication profile.

Certificate Definition

Principal Username X509 Attribute

The attribute of the X.509 certificate whose value becomes the principal username. The selection includes:

Common Name

Subject Alternative Name

Subject Serial Number

Perform Binary Certificate Comparison with Certificate retrieved from LDAP

Check this check box if you want to validate certificate information for authentication against a selected LDAP identity store.

If you select this option, you must enter the name of the LDAP identity store, or click Select to select the LDAP identity store from the available list.


Step 4 Click Submit. The Certificate Authentication Profile page reappears.
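As an added illustration of what the settings in Table 7-11 do (example code, not code from this guide or from ACS), the Go program below extracts the principal username from a client certificate under each of the three attribute choices and performs the binary comparison against a certificate "retrieved from LDAP". The certificate, the user alice, the e-mail SAN and the subject serialNumber value EMP-4471 are constructed in memory, and the map standing in for the LDAP identity store is an assumption of the example. Subject Serial Number is taken here to mean the serialNumber attribute of the subject DN (pkix.Name.SerialNumber), not the certificate's serial number, and Subject Alternative Name is resolved to the first rfc822Name, then the first dNSName; both readings are the example's, not the guide's.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PrincipalAttr is the "Principal Username X509 Attribute" choice in the profile.
type PrincipalAttr int

const (
	CommonName PrincipalAttr = iota
	SubjectAlternativeName
	SubjectSerialNumber
)

// PrincipalUsername extracts the username that identifies the user for the rest
// of the request (policy evaluation and logs) from the presented certificate.
func PrincipalUsername(cert *x509.Certificate, attr PrincipalAttr) (string, error) {
	switch attr {
	case CommonName:
		if cert.Subject.CommonName != "" {
			return cert.Subject.CommonName, nil
		}
		return "", fmt.Errorf("certificate subject has no CN")
	case SubjectAlternativeName: // example's reading: first rfc822Name, then first dNSName
		if len(cert.EmailAddresses) > 0 {
			return cert.EmailAddresses[0], nil
		}
		if len(cert.DNSNames) > 0 {
			return cert.DNSNames[0], nil
		}
		return "", fmt.Errorf("certificate has no usable SAN")
	case SubjectSerialNumber: // serialNumber attribute of the subject DN, not the cert serial
		if cert.Subject.SerialNumber != "" {
			return cert.Subject.SerialNumber, nil
		}
		return "", fmt.Errorf("certificate subject has no serialNumber attribute")
	}
	return "", fmt.Errorf("unknown principal attribute %d", attr)
}

// ValidateAgainstLDAP performs the flow behind "Perform Binary Certificate
// Comparison with Certificate retrieved from LDAP": derive the username, fetch the
// certificate stored for that user and require a byte-for-byte (DER) match.
// ldapStore is a constructed stand-in for the LDAP identity store.
func ValidateAgainstLDAP(cert *x509.Certificate, attr PrincipalAttr, ldapStore map[string][]byte) (string, error) {
	user, err := PrincipalUsername(cert, attr)
	if err != nil {
		return "", err
	}
	stored, ok := ldapStore[user]
	if !ok {
		return user, fmt.Errorf("user %q not found in LDAP", user)
	}
	if !bytes.Equal(cert.Raw, stored) {
		return user, fmt.Errorf("certificate presented by %q differs from the one stored in LDAP", user)
	}
	return user, nil
}

// NewClientCert builds a constructed, self-signed client certificate carrying the
// three attributes the profile can select; a real one would be issued by the CA.
func NewClientCert(cn, email, dnSerial string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: cn, SerialNumber: dnSerial},
		EmailAddresses: []string{email}, NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewClientCert("alice", "alice@example.com", "EMP-4471")
	if err != nil {
		panic(err)
	}
	for _, a := range []PrincipalAttr{CommonName, SubjectAlternativeName, SubjectSerialNumber} {
		u, err := PrincipalUsername(cert, a)
		fmt.Printf("attribute %d -> username %q (err=%v)\n", a, u, err)
	}
	ldapStore := map[string][]byte{"alice": cert.Raw}                      // enrolled certificate on file
	lookalike, _ := NewClientCert("alice", "alice@example.com", "EMP-4471") // same names, different key
	_, err = ValidateAgainstLDAP(cert, CommonName, ldapStore)
	fmt.Println("genuine certificate, err =", err)
	_, err = ValidateAgainstLDAP(lookalike, CommonName, ldapStore)
	fmt.Println("look-alike certificate, err =", err)
}
```

The look-alike case is the point of the binary comparison: a second certificate with exactly the same subject and SAN but a different key (or a different issuer) yields the same username yet fails the byte-for-byte check, which is what makes the LDAP comparison stronger than identifying the user by name alone.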


Related Topics

Viewing Identity Policies, page 9-20

Configuring Identity Store Sequences

Creating External LDAP Identity Stores

Configuring Identity Store Sequences

An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists of a single identity store or multiple identity methods. When you use multiple identity methods, you must first define them in an identity store sequence, and then specify the identity store sequence in the identity policy.

An identity store sequence defines the sequence that is used for authentication and attribute retrieval and an optional additional sequence to retrieve additional attributes.

Authentication Sequence

If you choose certificate-based authentication, you specify a single certificate authentication profile that you have already defined in ACS; if you use password-based authentication, you define a list of databases to be accessed in sequence. When authentication succeeds, any attributes defined within that database are retrieved. You must have already defined the databases in ACS.

Attribute Retrieval Sequence

You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether you use password or certificate-based authentication. When you use certificate-based authentication, ACS populates the username field from a certificate attribute and then uses the username to retrieve attributes.

ACS can retrieve attributes for a user, even when:

The user's password is flagged for a mandatory change.

The user's account is disabled.


Note When you perform password-based authentication, you can define the same identity database in the authentication list and the attribute retrieval list. However, if the database is used for authentication, it will not be accessed again as part of the attribute retrieval flow.


ACS authenticates a user or host in an identity store only when there is a single match for that user or host. If an external database contains multiple instances of the same user, authentication fails. Similarly, ACS retrieves attributes only when a single match for the user or host exists; otherwise, ACS skips attribute retrieval from that database.

This section contains the following topics:

Creating, Duplicating, and Editing Identity Store Sequences

Deleting Identity Store Sequences

Creating, Duplicating, and Editing Identity Store Sequences


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit an identity store sequence:


Step 1 Select Users and Identity Stores > Identity Store Sequences.

The Identity Store Sequences page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the sequence that you want to duplicate, then click Duplicate.

Click the sequence name that you want to modify, or check the check box next to the name and click Edit.

The Identity Store Sequence Properties page appears as described in Table 7-12.

Table 7-12 Identity Store Sequence Properties Page 

Option
Description
General

Name

Enter the name of the identity store sequence.

Description

Enter a description of the identity store sequence.

Authentication type

Select the authentication type—Password Based or Certificate Based.

If you click Certificate Based, you must enter the certificate authentication profile. Click Select to choose the profile from a list of available profiles.

Authentication and Attribute Retrieval Search List (Password Based only)

Available

The available set of identity stores to access.

Selected

The selected set of identity stores, accessed in order until the first authentication succeeds. Use the Up and Down arrows at the right of the list to define the order of access.

ACS automatically retrieves attributes from identity stores that you selected for authentication. You do not need to select the same identity stores for attribute retrieval.

Additional Attribute Retrieval Search List

Available

The available set of additional identity stores for attribute retrieval.

Selected

(Optional) The selected set of additional identity stores for attribute retrieval. Use the Up and Down arrows at the right of the list to define the order of access.



Step 3 Click Submit. The Identity Store Sequences page reappears.
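The rules stated under Configuring Identity Store Sequences (the first store to authenticate wins; attributes come from that store plus the additional list without querying a store twice; a user with more than one matching entry cannot authenticate and is skipped for attribute retrieval; attributes are still retrieved for a disabled account) are modelled by the Go program below. It is an added example and not the guide's or ACS's code. The stores Internal Users, Corp LDAP and HR AD, their users, passwords and attributes are constructed in memory, and the choice to keep walking the list after a wrong password rather than stopping is the example's reading of "until the first authentication succeeds".

```go
package main

import (
	"errors"
	"fmt"
)

// record is one identity entry in a constructed store.
type record struct {
	password string
	disabled bool
	attrs    map[string]string
}

// Store stands in for one ACS identity store. Records maps a username to every
// entry with that name, since an external directory can hold duplicates.
type Store struct {
	Name    string
	Records map[string][]record
}

var ErrAmbiguous = errors.New("more than one entry matches the user")

// Authenticate succeeds only on a single, enabled entry with the right password.
// A store without the user is simply skipped by the sequence; a user with
// several entries makes the whole authentication fail.
func (s Store) Authenticate(user, pw string) (bool, error) {
	recs := s.Records[user]
	switch {
	case len(recs) == 0:
		return false, nil
	case len(recs) > 1:
		return false, fmt.Errorf("%s: %w", s.Name, ErrAmbiguous)
	}
	return !recs[0].disabled && recs[0].password == pw, nil
}

// Attributes returns the entry's attributes on exactly one match and nil
// otherwise (retrieval skipped). A disabled account still yields attributes.
func (s Store) Attributes(user string) map[string]string {
	if recs := s.Records[user]; len(recs) == 1 {
		return recs[0].attrs
	}
	return nil
}

// Sequence mirrors the two lists on the Identity Store Sequence Properties page.
type Sequence struct {
	Authentication []Store // Authentication and Attribute Retrieval Search List
	Additional     []Store // Additional Attribute Retrieval Search List
}

type Result struct {
	Authenticated bool
	AuthStore     string
	Attrs         map[string]string // keyed "store name.attribute"
}

// Run walks the authentication list until the first store authenticates the
// user, then collects attributes from that store and from the additional list,
// never querying the same store twice.
func (q Sequence) Run(user, pw string) (Result, error) {
	res := Result{Attrs: map[string]string{}}
	var auth *Store
	for i := range q.Authentication {
		ok, err := q.Authentication[i].Authenticate(user, pw)
		if err != nil {
			return res, err
		}
		if ok {
			auth = &q.Authentication[i]
			break
		}
	}
	if auth == nil {
		return res, nil
	}
	res.Authenticated, res.AuthStore = true, auth.Name
	queried := map[string]bool{}
	for _, s := range append([]Store{*auth}, q.Additional...) {
		if queried[s.Name] {
			continue
		}
		queried[s.Name] = true
		for k, v := range s.Attributes(user) {
			res.Attrs[s.Name+"."+k] = v
		}
	}
	return res, nil
}

// BuildSequence is a constructed deployment: internal users first, then the
// corporate LDAP, then HR's AD, with extra attributes pulled from all three.
func BuildSequence() Sequence {
	internal := Store{"Internal Users", map[string][]record{
		"bob":  {{password: "bob-pw", attrs: map[string]string{"group": "admins"}}},
		"dave": {{password: "old-pw", disabled: true, attrs: map[string]string{"group": "contractors"}}},
	}}
	ldap := Store{"Corp LDAP", map[string][]record{
		"alice": {{password: "alice-pw", attrs: map[string]string{"department": "engineering"}}},
		"dave":  {{password: "dave-pw", attrs: map[string]string{"department": "facilities"}}},
	}}
	ad := Store{"HR AD", map[string][]record{
		"alice":   {{password: "alice-pw", attrs: map[string]string{"title": "engineer"}}},
		"charlie": {{password: "c1"}, {password: "c2"}}, // duplicate entries: ambiguous
	}}
	return Sequence{Authentication: []Store{internal, ldap, ad}, Additional: []Store{ldap, ad, internal}}
}

func main() {
	seq := BuildSequence()
	for _, c := range [][2]string{{"alice", "alice-pw"}, {"dave", "dave-pw"}, {"bob", "wrong"}, {"charlie", "c1"}} {
		res, err := seq.Run(c[0], c[1])
		fmt.Printf("%-8s ok=%-5v via=%-16q attrs=%v err=%v\n", c[0], res.Authenticated, res.AuthStore, res.Attrs, err)
	}
}
```

Two of the constructed users show the edge cases the guide calls out: dave is disabled in Internal Users but authenticates through Corp LDAP and still gets his internal group attribute, and charlie has two entries in HR AD, so his authentication fails with ErrAmbiguous instead of silently picking one.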


Related Topics

Importing Network Resources and Users, page 6-6

Viewing Identity Policies, page 9-20

Managing Internal Identity Stores

Managing External Identity Stores

Configuring Certificate Authentication Profiles

Deleting Identity Store Sequences

Deleting Identity Store Sequences


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To delete an identity store sequence:


Step 1 Select Users and Identity Stores > Identity Store Sequences.

The Identity Store Sequences page appears with a list of your configured identity store sequences.

Step 2 Check one or more check boxes next to the identity store sequences that you want to delete.

Step 3 Click Delete.

A confirmation prompt appears:

Are you sure you want to delete the selected item/items?

Step 4 Click OK.

The Identity Store Sequences page appears, without the deleted identity store sequence(s) listed.


Related Topics

Importing Network Resources and Users, page 6-6

Viewing Identity Policies, page 9-20

Managing Internal Identity Stores

Managing External Identity Stores

Configuring Certificate Authentication Profiles

Creating, Duplicating, and Editing Identity Store Sequences