Quick Start and Documentation Guide for Cisco Secure ACS Express, 5.0
Revised: March 26, 2008, 78-17961-02

This guide provides the information you need to get started installing, configuring, and using Cisco Secure ACS Express 5.0 and includes the following sections:
• Supplemental License Agreement
• Installing the ACS Express Appliance
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Supplemental License Agreement
Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Express Software
IMPORTANT—READ CAREFULLY: This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the End User License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.
By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.
1. ADDITIONAL LICENSE RESTRICTIONS
Installation and Use. The Cisco Secure Access Control Server Express Software component of the Cisco 1010 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1010 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control Server Software on the Cisco 1010 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1010 Hardware Platform.
Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control Server Express Software updates and new version releases for the 1010 Hardware Platform. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 1010 Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.
Reproduction and Distribution. Customer may not reproduce nor distribute software.
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS
Please refer to the Cisco Systems, Inc., End User License Agreement:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Product Documentation Set
This section provides a list of the ACS Express product documentation with links to the online documentation. You can find links to all ACS Express product documentation at the following URL:
http://cisco.com/en/US/products/ps8543/tsd_products_support_series_home.html
The following documents comprise the Cisco Secure ACS Express documentation set and should be read in the following order:
• Quick Start and Documentation Guide for Cisco Secure ACS Express 5.0 (78-17961-02, this document)
• Release Notes for Cisco Secure ACS Express, 5.0 (OL-11674-01)
  The Release Notes for Cisco Secure ACS Express, 5.0 provide a collection of information including related documentation, how to get the latest software, information about specific software and hardware requirements, configuration information, lists of known and resolved anomalies, and release note enclosure information for all known anomalies.
• Installation and Setup Guide for Cisco Secure ACS Express, 5.0 (OL-11671-01)
  The Installation and Setup Guide for Cisco Secure ACS Express is an online only document that provides information about how to set up the ACS Express appliance including location, internet connection, and initial configuration.
• User Guide for Cisco Secure ACS Express, 5.0 (OL-11672-01)
  The User Guide for Cisco Secure ACS Express is an online only document that provides information about how to use the ACS Express GUI and how to perform routine tasks associated with the features and functionality of Cisco ACS Express.
• Cisco Secure ACS Express Command Reference, 5.0 (OL-11673-01)
  The Cisco Secure ACS Express Command Reference focuses on the following topics:
  – Command-line interface configurations
  – Command-line interface reference
  Each topic provides a high-level summary of the tasks required for using the CLI in the Application Deployment Engine OS 1.0.1, and the procedures for performing these tasks.
• Troubleshooting Guide for Cisco Secure ACS Express, 5.0 (OL-14650-01)
  This guide provides information about troubleshooting strategies and shows example ACS Express logs with pointers to things to look for when experiencing difficulties.
Installing the ACS Express Appliance
The Cisco Secure ACS Express product comprises an appliance, the Cisco Application Deployment Engine (ADE) 1010, and the ACS Express server software. The software for ACS Express is already installed on the appliance.
This section provides an overview of installation tasks required to install the ACS Express appliance.
Step 1
Open the box and check the contents.
The package containing your ACS Express appliance includes the following:
• ACS Express appliance
• Hardware accessory kits
• Software accessory kits
• Rack mount kit
• Power cord
Step 2
Read Chapter 3, "Preparing to Install the Cisco ACS Express Appliance," of the Installation and Setup Guide for Cisco Secure ACS Express and pay special attention to all safety guidelines found in Safety Guidelines.
Step 3
Install the appliance in either a two-post or four-post rack.
Detailed information about how to mount the appliance is included in the rack mount kit.
Step 4
Connect the AC power cord.
Figure 1 shows the rear of the ACS Express appliance and the various cable connectors. Connect the AC power cord to the receptacle (#1) on the left-hand side of the rear panel. Connect the other end of the power cord to an AC power source.
Figure 1 Cable Connectors on Rear of ACS Express Appliance
1 AC Power Connector
2 Mouse
3 Keyboard
4 Serial Port
5 Video connector
6 NIC 1 (10/100/1000 Mb) port
7 Unsupported NIC 2 port
8 USB ports
Step 5
Establish a terminal connection.
Configure a terminal (an ASCII terminal or a PC running terminal-emulation software) for 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Note
Use the NIC 1 connector for your Ethernet connection. Using the NIC 2 port is not supported and attempting to use the NIC 2 connector will cause an unstable environment.
Step 6
Connect the ACS Express appliance to an Ethernet connection using the NIC 1 connector (#6 in Figure 1).
Step 7
Turn power on to the ACS Express appliance.
After you turn on power to the ACS Express appliance and it boots up for the first time, the following displays on the console:
*************************************************
Please log in as setup to configure the appliance
*************************************************
localhost login:
Step 8
At the login prompt, enter setup.
localhost login: setup
Enter setup to begin the setup program; the ACS Express appliance will prompt you for the setup parameters.
Step 9
Use your browser to access the ACS Express GUI by entering the server name and domain name of your ACS Express server into the browser address field:
https://server_name.domain
where server_name is the name and domain or IP address of the ACS Express server.
Step 10
Log in to the ACS Express server.
See Logging In and Logging Out, for information about logging in and using the GUI.
Step 11
Configure the ACS Express server for your site's requirements.
See Chapter 6 of the Installation and Setup Guide for Cisco Secure ACS Express, 5.0, Administering Cisco ACS Express, for an overview of what you need to do to get started configuring the ACS Express server.
You can find detailed information to help you configure the ACS Express server in the User Guide for Cisco Secure ACS Express. See also, Configuration Overview.
The ACS Express GUI also provides online help for each configuration window and configuration tips for GUI fields.
Using the GUI
This section describes how to use the ACS Express graphical user interface (GUI).
Logging In and Logging Out
ACS Express uses a web-based browser to log in and log out of the graphical user interface (GUI). To log in to ACS Express, launch a browser and enter a URL into the browser address field:
https://server_name.domain
where server_name is the name and domain or IP address of the ACS Express server.
Figure 2 shows an example of the ACS Express login window. Enter your username and password to log in. Click Reset to clear the Username and Password fields.
Figure 2 ACS Express Login Window
To log out of a session on the ACS Express server, click Logout in the upper right corner of the GUI window (Figure 3) in the status pane. This area of the GUI also has the hostname of the ACS Express server and an About button for software version information. Click the circle with the question mark (?) to access online help.
Figure 3 ACS Express Server Status Pane
Navigating the GUI
The top-level window of the ACS Express GUI is called the Workspace. The Workspace contains the following areas:
Workspace
Figure 4 shows an example of the top-level ACS Express window called the Workspace.
Figure 4 ACS Express GUI Workspace
Status Pane
The ACS Express GUI has a top-level application Status pane with the following items.
• Product Name—Cisco Secure ACS Express displays on the left side of the status bar
• Server Hostname—Name of the server where you are currently logged in
• Login Name—User ID for current session
• Logout—Logs you out of the application and displays the login window
• About—Displays information about the currently installed software version and server hostname
Navigation Pane
The navigation pane contains six drawers, and each drawer contains subitems that display data in the content pane. The following list describes navigational behaviors:
• Clicking on a drawer name highlights and expands the drawer.
• Clicking on a drawer arrow expands the drawer.
• Clicking on an item highlights the drawer name and selected item, and the content pane is refreshed.
• After refreshing the content pane, a status dialog will temporarily appear until the content pane is downloaded fully.
• Clicking on a drawer in which an item was previously selected does the following:
  – Highlights the drawer
  – Expands the drawer
  – Selects the previously selected item
  – Refreshes the content pane
• After you log in, the GUI keeps track of the last selected item in a cookie. If the cookie is present, the last selected item will be active upon login.
• You can collapse the navigation pane by clicking the toggle on the left (center) edge of the content pane. With the navigation pane collapsed, click the toggle again to display the navigation pane.
• Only one drawer and item can be active at a time.
Content Pane
The content pane displays information about the item you select from a drawer in the navigation pane.
Dashboard
The Dashboard displays the following collections of information:
• Configuration Summary
• Usage Summary
• Server Information
• Server Status
Using Online Help
ACS Express provides online help in the form of HTML files mapped to the GUI windows. To access online help, click the Question Mark icon in the upper right corner of the GUI window (Figure 5). ACS Express provides context sensitive help, so the window that displays after you click the online help icon is specific to the window from which you requested online help.
Along with the HTML online help files, you can also access a PDF version of the User Guide for Cisco Secure ACS Express from the online help.
Figure 5 Online Help Icon
Configuration Tips
The ACS Express GUI provides configuration tips at each location on a GUI window where you must provide a value or make a choice.
Simply hover your cursor over the name of the GUI field (underlined), and a configuration tip will appear as shown in Figure 6 specific to that field.
Figure 6 Configuration Tips By Cursor
Additionally, some GUI windows have configuration tips available. These pages have an additional Configuration Tip icon, Figure 7, next to the online help icon. If displayed on a window, click this icon for general configuration tips about the window.
Figure 7 Configuration Tip Icon
Online Configuration Overview
You can also click to view an online version of the Configuration Overview from the Navigation pane (Figure 8). The online version differs slightly from the information in the next section, Configuration Overview.
Figure 8 Online Configuration Overview
Configuration Overview
This section provides an overview of the required configuration for the ACS Express server. Each section is associated with a drawer in the ACS Express GUI as shown in Figure 4.
Network Resources
The Devices and Device Groups that make up your network are your network resources. Use the GUI to add all Device Groups in your configuration, then add your devices into the Device Groups. See Chapter 2 of the User Guide for Cisco Secure ACS Express for more detailed information.
Users and Identity Stores
Configure your ACS Express server with the Users and User Groups required for your installation. ACS Express can authenticate users with its internal user database and also through remote or external databases.
Internal User Database
Use the GUI to add all local users into the internal user database. Each local user must belong to at least one User Group, so create the User Groups first, then configure your local Users.
External User Database
ACS Express supports the following external user databases:
• Microsoft Active Directory
• LDAP Databases
• One-Time-Password Servers
Access Policies
Access Services in ACS Express are classified into two types:
• Network Access
• Device Administration
Network Access policies apply to users attempting to access a wireless, wired, or VPN network. Network Access policies also support various authentication schemes like PAP, CHAP, MSCHAPv2, PEAP, EAP-TLS, EAP-FAST, LEAP, and Windows machine authentication. Network Access policies apply to network devices that communicate with ACS Express via RADIUS. Network Access policies can be configured to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.
Device Administration policies apply to users who attempt to access and configure a network device. ACS Express can authenticate and authorize the maximum allowed privilege level for users. Network devices communicate with ACS Express via TACACS+ or RADIUS. You can configure Device Administration policies to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.
Access Rules
Access rules enable you to use the ACS Express server to do the following:
• Specify user entitlements based on the user's role in your organization
• Assign different VLANs for employees and contractors
• Restrict network access based on the time of day, such as from Monday to Friday from 9 a.m. to 5 p.m.
We find it very helpful to create a worksheet to list the rules we want to enforce. Each rule should specify the access conditions and the resulting user entitlements. Access conditions include the type of network access, groups to which a user should belong, and the time of day the user is allowed access. Results specify granted entitlements if all the conditions are met.
Table 1 shows an example worksheet.
With a completed worksheet, you can now configure the policy elements including the Time of Day periods in which to allow access and the entitlements you grant users when they log in to the network. Entitlements are specified as a RADIUS response returned to the network device.
RADIUS Access Services
After you have set up your access rules, you can create the RADIUS Access Services you require. A RADIUS Access Service specifies the network device groups from which to process requests, a database to use for authentication, protocol settings, and access rules to grant entitlements.
Based on your worksheet, create a RADIUS Access Service for each network access type. For example, from the example worksheet in Table 1, we would create two RADIUS Access Services, Wireless Access and VPN Access. We also need to configure for two User Groups, Employee and RemoteUser.
A RADIUS Access Service requires the following configuration:
• General Settings—Specifies the name and description of the access service.
• Selection Rules—Specifies the network device groups for the types of network access. From the example worksheet, the Wireless Access access service would handle requests from the Wireless Controllers device group.
• Authentication Rules—Specifies the configured database for user authentication and the protocol settings.
Configure the access rules as listed in your worksheet.
Device Administration
Network devices can communicate with ACS Express via TACACS+ or RADIUS. This section describes how to configure a Device Administration policy for network devices to communicate via TACACS+.
You should already have completed the following:
• Configured your network devices for login authentication against a AAA server
• Configured the user database
Access Rules
To determine your Device Administration access rules, we find it very helpful to create a worksheet to list your rules. Each rule should specify the access conditions and the resulting privilege level if granted. Access conditions include the network device group being administered, groups a user should belong to, and allowed time of access. Results specify the command privilege to grant if all the conditions are met. See Table 2 for an example device access rule worksheet.
With a completed worksheet, you can now configure the policy elements.
TACACS+ Access Service
After you have set up your access rules, you can create the TACACS+ Access Services you require. A TACACS+ Access Service specifies the Conditions required including the network device groups from which to process requests, User Groups, and Time of Access and specifies the privilege level to grant if all conditions are met. A TACACS+ authentication request must also match the session Timeout Settings for Idle Timeout and Session Timeout.
Create a TACACS+ Access Service based on your worksheet. For example, from the example worksheet in Table 2, we would create TACACS+ Access Services for requests from the following:
• Wireless controllers from members of the Read-Write Admin group
• Wireless controllers from members of the Read-Only Admins group
• VPN concentrators from members of the Read-Only Admins group
Configure the access rules as listed in your worksheet.
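Both worksheets described above (the RADIUS Access Service rules under Access Rules and RADIUS Access Services, and the TACACS+ Access Service rules in this section) reduce to the same shape: a list of conditions (device group, required user group, allowed time of day) and a result (a RADIUS entitlement such as a VLAN, or a TACACS+ privilege level) that is granted only when every condition holds. The following is an added example written for this guide, not Cisco code and not the appliance's own policy engine; it shows a first-match evaluator over such a worksheet. The device groups, user groups, VLAN numbers, time windows and request dates are constructed for illustration, and the VLAN attributes follow the RFC 3580 convention rather than anything stated on this page.

```python
"""Access-rule worksheet evaluator (added illustration, not Cisco code).

Mirrors the worksheet structure described in the guide: each rule has
conditions (device group, required user group, allowed time of day) and a
result (the entitlement to return).  Group, device-group, VLAN and time
values below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class TimeWindow:
    """Allowed days (0=Monday .. 6=Sunday) and hours [start_hour, end_hour)."""
    days: FrozenSet[int]
    start_hour: int
    end_hour: int

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


# Constructed Time of Day periods: Mon-Fri 09:00-17:00, and unrestricted.
BUSINESS_HOURS = TimeWindow(frozenset(range(5)), 9, 17)
ANY_TIME = TimeWindow(frozenset(range(7)), 0, 24)


@dataclass(frozen=True)
class AccessRule:
    name: str
    device_group: str          # network device group the request came from
    user_group: str            # group the user must belong to
    window: TimeWindow         # time of day during which the rule applies
    result: Dict[str, object]  # entitlement granted when all conditions hold


@dataclass(frozen=True)
class Request:
    device_group: str
    user_groups: FrozenSet[str]   # groups the authenticated user belongs to
    when: datetime
    authenticated: bool           # outcome of the identity-store check


def evaluate(rules: List[AccessRule], req: Request) -> Optional[Dict[str, object]]:
    """First-match evaluation: returns the matching rule's result, or None (deny)."""
    if not req.authenticated:          # no authorization for a failed login
        return None
    for rule in rules:
        if (rule.device_group == req.device_group
                and rule.user_group in req.user_groups
                and rule.window.contains(req.when)):
            return rule.result
    return None                        # no rule matched: default deny


def vlan(vlan_id: str) -> Dict[str, object]:
    """RADIUS attributes for dynamic VLAN assignment (RFC 3580 convention)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan_id}


# Network Access worksheet (constructed): employees and contractors land on
# different VLANs, and contractors only get wireless during business hours.
NETWORK_ACCESS_RULES = [
    AccessRule("Employee wireless", "Wireless Controllers", "Employee", ANY_TIME, vlan("10")),
    AccessRule("Contractor wireless", "Wireless Controllers", "Contractor", BUSINESS_HOURS, vlan("20")),
    AccessRule("Remote user VPN", "VPN Concentrators", "RemoteUser", ANY_TIME, vlan("30")),
]

# Device Administration worksheet (constructed): TACACS+ privilege levels.
# Rule order matters: a user in both admin groups falls through to read-only
# outside business hours.
DEVICE_ADMIN_RULES = [
    AccessRule("RW admins, wireless", "Wireless Controllers", "Read-Write Admins", BUSINESS_HOURS, {"priv-lvl": 15}),
    AccessRule("RO admins, wireless", "Wireless Controllers", "Read-Only Admins", ANY_TIME, {"priv-lvl": 1}),
    AccessRule("RO admins, VPN", "VPN Concentrators", "Read-Only Admins", ANY_TIME, {"priv-lvl": 1}),
]


def demo() -> Dict[str, Optional[Dict[str, object]]]:
    """Evaluate constructed requests; 2008-03-24 is a Monday, 2008-03-29 a Saturday."""
    monday_10 = datetime(2008, 3, 24, 10)
    monday_20 = datetime(2008, 3, 24, 20)
    saturday_10 = datetime(2008, 3, 29, 10)
    cases = {
        "contractor, wireless, Mon 10:00": (NETWORK_ACCESS_RULES,
            Request("Wireless Controllers", frozenset({"Contractor"}), monday_10, True)),
        "contractor, wireless, Sat 10:00": (NETWORK_ACCESS_RULES,
            Request("Wireless Controllers", frozenset({"Contractor"}), saturday_10, True)),
        "employee, VPN, Sat 10:00": (NETWORK_ACCESS_RULES,
            Request("VPN Concentrators", frozenset({"Employee"}), saturday_10, True)),
        "rw+ro admin, wireless, Mon 20:00": (DEVICE_ADMIN_RULES,
            Request("Wireless Controllers", frozenset({"Read-Write Admins", "Read-Only Admins"}), monday_20, True)),
        "rw admin, wireless, failed login": (DEVICE_ADMIN_RULES,
            Request("Wireless Controllers", frozenset({"Read-Write Admins"}), monday_10, False)),
    }
    return {label: evaluate(rules, req) for label, (rules, req) in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result if result is not None else 'access denied'}")
```

The point of running the five cases is the default-deny behaviour: a contractor on a Saturday, an employee who is not a RemoteUser on the VPN concentrator, and a failed authentication all return no entitlement, while the combined Read-Write/Read-Only administrator outside business hours is quietly downgraded to privilege level 1 because the read-write rule no longer matches. When you transcribe a worksheet into the GUI, checking a handful of such boundary cases against the intended result is a cheap way to catch a rule entered in the wrong order or with the wrong Time of Day period.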
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Product Documentation Set" section.
CCDE, CCENT, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0803R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007-2008 Cisco Systems, Inc. All rights reserved.