Index
Numerics
802.1x 2-2
A
Access Control Entries
See ACEs
accessing Cisco Secure ACS
how to 4-4, 7-2
URL 4-4, 7-2
access policy
configuring 3-9
HTTP port allocation 3-11
IP address filtering 3-10
access types 2-2
wired LAN access 2-2
Account Locked 3-4
Account Never Expires 3-4
ACEs
adding 7-25
ACLs
default 7-46
ACS
installing 4-4, 7-2
ACS configuration
configuration flowchart 1-5
overview 1-1
summary of steps 1-1
ACS dictionary
adding vendor attributes to 7-34
ACS internal database
using to validate MAC addresses 4-21
add-guiadmin command 7-2
administrative access policies
overview 2-14
administrator account
adding 3-2
editing 3-2
administrator entitlement reports 3-12
administrators
locking out 3-7
separation from general users 2-15
Agentless Host for L2 (802.1x fallback) template 7-59
agentless host support
overview 4-1
summary of configuration steps 4-3
agentless request processing
enabling 4-17
enabling for a NAP 4-19
AP
See wireless access point
architecture
campus LAN 2-3
for ACS deployment 2-1
small LAN environment 2-3
wired LAN
geographically dispersed 2-4
audit flow settings
configuring for an audit server 7-37
audit servers 4-2
configuring 7-35
configuring audit flow settings for 7-37
configuring for MAB support 4-23
external posture validation audit servers 7-34
in NAC networks 4-2
mapping to a profile 7-64
audit vendor file
importing 7-67
authentication
configuring 7-19
authentication policy
configuring for EAP-TLS 5-6
authorization policy
creating for a profile 7-22
authorization rule 7-22
AV pairs 7-46
B
Bypass info attribute
in Passed Authentications and Failed Attempts reports 4-22
C
CA certificate
installing 4-8, 5-4, 7-6
campus LAN 2-3
campus WLAN 2-6
cautions
significance of 1-10
Certificate Binary Comparison
specifying for EAP-TLS 5-6
Certificate CN Comparison
specifying for EAP-TLS 5-6
certificate database for LDAP servers
trusted root CA 4-16
Certificate SAN Comparison
specifying for EAP-TLS 5-6
Cisco Network Admission Control
See NAC
Cisco Trust Agent 7-21
Common LDAP Configuration 4-13
configuration flowchart 1-5
configuration steps
for password policy configuration 3-2
configuring
access policy 3-9
ACS for EAP-FAST 7-12
ACS for LDAP 4-13
ACS for PEAP 7-11
ACS for remote web access 7-7
audit servers 7-35
authentication 7-19
external posture validation audit server 7-34
external posture validation policy 7-32
GAME group feedback 4-23, 7-66, 7-68
global authentication settings 5-5
incorrect password attempt options 3-7
internal posture validation policy 7-29
LDAP server 4-15
logging level 7-4
logs and reports 7-14
MAB 4-20
NAF 7-13
password lifetime options 3-6
password policy 3-4
profile-based policies 7-18
protocol settings 7-19
RADIUS AAA client 4-5, 7-2
session policy 3-7
shared secret for RADIUS key wrap 7-3
conventions 1-10
creating
NAP 4-17, 7-17
RACs 7-26
CSUtil
using to import a device-type attribute file 7-67
using to import an audit vendor file 7-67
using to import NAC attribute-value pairs 7-67
D
dACLs
defining 7-23
enabling 7-10
database replication 2-12
design 2-13
databases
deployment considerations 2-16
default ACLs 7-46
defining
dACLs 7-23
RACs 7-26
deployment
architecture 2-1
considerations
database replication 2-12
RDBMS synchronization 2-13
device-type attribute file
importing using CSUtil 7-67
device types
for GAME group feedback 7-69
downloadable access control lists
See dACLs
E
EAP 2-2
EAP-FAST
configuring ACS for 7-12
EAP-TLS 2-2
configuring authentication policy for 5-6
specifying Certificate SAN Comparison for 5-6
specifying Certificate CN Comparison for 5-6
specifying Certificate Binary Comparison for 5-6
Edit Network Access Protocols page 4-19
enabling
agentless request processing 4-17
agentless request processing for a NAP 4-19
dACLs 7-10
NAFs 7-10
Passed Authentication report 7-14
security certificates 4-7, 5-3, 7-5
Extensible Authentication Protocol
See EAP
Extensible Authentication Protocol-Transport Layer Security
See EAP-TLS
external posture validation policy
adding to a profile 7-63
configuring 7-32
F
facility codes
for syslog messages 6-4
G
GAME group feedback 4-2, 4-23
configuring 4-23, 7-66, 7-68
defined 4-2
selecting device types 7-69
global authentication settings
configuring 5-5
H
HTTP port allocation 3-11
I
incorrect password attempt options 3-7
installing
ACS 4-4, 7-2
security certificates 4-6, 5-2, 7-4
internal posture validation policy
adding to a profile 7-63
configuring 7-29
IP address filtering 3-10
L
large enterprise WLAN 2-7
large LAN
defined 2-2
latency in networks 2-17
Layer 2 NAC 802.1x template 7-49
LDAP
ACS configuration for 4-13
configuring for MAB support 4-9
sample schema for MAB support 4-10
LDAP server
configuring 4-15
LDAP user groups
for MAB support 4-12
Lightweight Directory Access Protocol
See LDAP
logging level
configuring 7-4
logs and reports
configuring 7-14
M
MAB
configuring 4-20
configuring ACS user groups for MAB segments 4-17
configuring audit server to support 4-23
configuring LDAP support for 4-9
defined
sample LDAP schema for MAB support 4-10
MAC addresses
format for entering in ACS 4-21
MAC authentication bypass
See MAB
medium-sized LAN
defined 2-2
N
NAC
configuring posture validation for 7-29
sample profile templates 7-38
Agentless Host for L2 (802.1x fallback) template 7-59
NAC Layer 2 7-43
NAC Layer 2 802.1x 7-49
NAC Layer 3 7-38
wireless (NAC L2 802.1x) template 7-54
NAC attribute-value pairs
importing using CSUtil 7-67
NAC L2 802.1x 7-50
NAC L3 IP template 7-38
NAF
configuring 7-13
enabling 7-10
selecting for a NAP 4-18
NAP
creating 4-17, 7-17
enabling agentless request processing for 4-19
network access filter
See NAF
network access profile
See NAP
networks
latency 2-17
reliability 2-17
P
Passed Authentication report
enabling 7-14
password configuration
Account Locked 3-4
Account Never Expires 3-4
password inactivity options 3-7
password lifetime options 3-6
password policy
configuring 3-1, 3-4
incorrect password attempt options 3-7
password inactivity options 3-7
password lifetime options 3-6
password validation options 3-6
PEAP 2-2
configuring ACS for 7-11
Populate from Global 7-47
port 2002
in HTTP port ranges 3-11
posture assessments
final 7-37
in progress 7-37
posture validation
configuring 7-21
configuring for NAC 7-29
rules 7-21
profile
adding an external validation policy to 7-63
adding an internal validation policy to 7-63
mapping audit servers to 7-64
rules for 7-16
profile-based policies
configuring 7-18
profile rules 7-16
Protected Extensible Authentication Protocol
See PEAP
protocol settings
configuring 7-19
R
RACs
creating 7-26
RADIUS 2-2
RADIUS AAA client
configuring 4-5, 7-2
RADIUS Authorization Components
See RACs
RDBMS synchronization 2-13
regional WLAN 2-6
reliability of network 2-17
remote access policies 2-14
remote web access
configuring ACS for 7-7
reports
administrator entitlement report 3-12
S
Sarbanes-Oxley
See SOX
security certificates
adding a trusted certificate 5-4, 7-7
copying to the ACS host 4-7, 5-2, 7-5
enabling 4-7, 5-3, 7-5
installing 4-6, 5-2, 7-4
using Windows Certificate Import Wizard 4-7, 5-2, 7-5
installing the CA certificate 4-8, 5-4, 7-6
security policies 2-14
security protocols
EAP 2-2
EAP-TLS 2-2
PEAP 2-2
RADIUS 2-2
session policy
configuring 3-7
shared secret
configuring 7-3
simple WLAN 2-5
small LAN
defined 2-2
small LAN environment 2-3
SOX compliance
administrator entitlement reports 3-12
SSL (secure sockets layer) 4-16
syslog
configuring ACS to generate messages 6-1
syslog messages
facility codes 6-4
format in ACS reports 6-4
syslog server
specifying which syslog server ACS sends messages to 6-3
system logging
See syslog
T
templates
samples for NAC 7-38
tokens
See posture assessments
trusted certificate
adding 5-4, 7-7
Tunneling RADIUS attributes
selecting 7-26
U
user groups
configuring for MAB segments 4-17
users
number allowed 2-16
V
vendor attributes
adding to the ACS dictionary 7-34
very large LAN or WLAN
defined 2-2
W
warnings
significance of 1-10
Windows Certificate Import Wizard 4-7, 5-2, 7-5
wired LAN
geographically dispersed 2-4
wired LAN access 2-2
wireless (NAC L2 802.1x) template 7-54
wireless access
campus WLAN 2-6
large enterprise WLAN 2-7
regional WLAN 2-6
simple WLAN 2-5
topology 2-5
wireless access point 2-5