Configuration Guide for Cisco Secure ACS 4.1 - Overview of ACS Configuration [Cisco Secure Access Control Server for Windows]

Table Of Contents

Overview of ACS Configuration

Summary of Configuration Steps

Configuration Flowchart

Overview of ACS Configuration

This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps.

This chapter contains:

•Summary of Configuration Steps

•Configuration Flowchart

Summary of Configuration Steps

To configure ACS:

Step 1 Plan the ACS Deployment.

Determine how many ACS servers you need and their placement in the network.

For detailed information, see Chapter 2, "Deploy the Access Control Servers."

Step 2 Install the ACS Servers.

Install the ACS servers as required. For detailed installation instructions, refer to:

•Installation Guide for Cisco Secure ACS for Windows Release 4.1, available on Cisco.com at:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/
prod_installation_guides_list.html

•Installation Guide for Cisco Secure ACS Solution Engine Release 4.1, available on Cisco.com at:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/
prod_installation_guides_list.html

Step 3 Configure Additional Administrators.

When you install the Windows version of ACS, there are initially no administrative users. When you install Cisco Secure ACS Solution Engine (ACS SE), there is initially one administrator.

Note After you install Cisco Secure ACS Solution Engine, the administrative user can access the ACS SE only by using the command line interface (CLI) through a serial port connection. To enable an administrative user who can access the ACS SE by using the ACS web GUI, you must create an administrative GUI user by using the add-guiadmin command. For information on the add-guiadmin command, see Appendix A of the Installation Guide for Cisco Secure ACS Solution Engine 4.1, "Command Reference."

To set up additional administrative accounts:

a. Add Administrators.

b. For each administrator, specify administrator privileges.

c. As needed, configure the following optional administrative policies:

–Access Policy—Specify IP address limitations, HTTP port restrictions, and secure socket layer (SSL) setup.

–Session Policy—Specify timeouts, automatic local logins, and response to invalid IP address connections.

–Password Policy—Configure the password policy for administrators.

For detailed information, see Chapter 3, "Password Policy Configuration Scenario."

Step 4 Configure the Web Interface:

a. Add AAA clients and specify the authorization protocols that the clients will use.

b. Click Interface Configuration.

c. On the Interface Configuration page, configure the interface to include one or more of:

–RADIUS Configuration Options—For detailed information, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface."

–TACACS+ Configuration Options—For detailed information, see "Displaying TACACS+ Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface."

–Advanced Options—For detailed information, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface."

–Customized User Options—For detailed information, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface."

Step 5 Configure Basic ACS System Settings:

a. Click System Configuration.

b. Configure:

–Service Control

–Logging

–Date Format Control

–Local Password Management

–ACS Backup

–ACS Restore

–ACS Service Management

–(optional) IP Pools Server

–(optional) IP Pools Address Recovery

For detailed instructions, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface."

Step 6 Configure Users:

a. As required for your network security setup, configure users. You can configure users:

–Manually, by using the ACS web interface

–By using the CSUtil utility to import users from an external database

–By using database synchronization

–By using database replication

For detailed instructions, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface."

Step 7 Configure Certificates.

This step is required if you are using EAP-TLS, Secure Sockets Layer (SSL), or Cisco Network Admission Control (NAC).

For detailed instructions, see Step 3: Install and Set Up an ACS Security Certificate, page 4-6.

Step 8 Configure Global Authentication Settings.

Configure the security protocols that ACS uses to authenticate users. You can configure the following global authentication methods:

•PEAP

•EAP-FAST

•EAP-TLS

•LEAP

•EAP-MD5

•Legacy authentication protocols, such as MS-CHAP Version 1 and Version 2

For detailed instructions, see "Global Authentication Setup" in Chapter 8 of the User Guide for Cisco Secure ACS 4.1, "System Configuration: Authentication and Certificates."

Step 9 Configure Shared Profile Components.

You can configure the following shared profile components:

•Downloadable IP ACLs

•Network Access Filtering

•RADIUS Authorization Components

•Network Access Restrictions

•Command Authorization Sets

For detailed instructions, see Chapter 3 of the User Guide for Cisco Secure ACS 4.1, "Shared Profile Components."

Step 10 Set Up Network Device Groups.

You can set up network device groups to simplify configuration of common devices. For detailed information, see the User Guide for Cisco Secure ACS 4.1.

Step 11 Add AAA Clients.

You can add RADIUS clients or TACACS+ clients. For detailed instructions, see Step 2: Configure a RADIUS AAA Client, page 4-5.

Step 12 Set Up User Groups.

Set up user groups to apply common configuration settings to groups of users. For detailed instructions, see Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "User Group Management."

Step 13 Configure Posture Validation.

If you are using ACS with NAC, configure posture validation. For detailed instructions, see Step 11: Set Up Network Access Profiles, page 7-16 and Step 13: Configure Posture Validation for NAC, page 7-29

Step 14 Set Up Network Access Profiles.

If required, set up network access profiles. For detailed information, see Step 11: Set Up Network Access Profiles, page 7-16

Step 15 Configure Logs and Reports.

Configure reports to specify how ACS logs data. You can also view the logs in HTML reports. For detailed instructions, see Chapter 9 of the User Guide for Cisco Secure ACS 4.1, "Logs and Reports.

Configuration Flowchart

Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration.

Figure 1-1 ACS Configuration Flowchart

Refer to the list of steps in Summary of Configuration Steps for information on where to find detailed descriptions of each step.

	Configuration Guide for Cisco Secure ACS 4.1
	Overview of ACS Configuration
Configuration Guide for Cisco Secure ACS 4.1 About This Guide Overview of ACS Configuration Deploy the Access Control Servers Password Policy Configuration Scenario Agentless Host Support Configuration Scenario PEAP/EAP-TLS Configuration Scenario Syslog Logging Configuration Scenario NAC Configuration Scenario Glossary Index	Download this chapter Overview of ACS Configuration Download the complete book Configuration Guide for Cisco Secure ACS 4.1 (PDF version) (PDF - 3 MB) Feedback Table Of Contents Overview of ACS Configuration Summary of Configuration Steps Configuration Flowchart Overview of ACS Configuration This chapter describes the general steps for configuring Cisco Secure Access Control Server, hereafter referred to as ACS, and presents a flowchart showing the sequence of steps. This chapter contains: •Summary of Configuration Steps •Configuration Flowchart Summary of Configuration Steps To configure ACS: Step 1 Plan the ACS Deployment. Determine how many ACS servers you need and their placement in the network. For detailed information, see Chapter 2, "Deploy the Access Control Servers." Step 2 Install the ACS Servers. Install the ACS servers as required. For detailed installation instructions, refer to: •Installation Guide for Cisco Secure ACS for Windows Release 4.1, available on Cisco.com at: http://www.cisco.com/en/US/products/sw/secursw/ps2086/ prod_installation_guides_list.html •Installation Guide for Cisco Secure ACS Solution Engine Release 4.1, available on Cisco.com at: http://www.cisco.com/en/US/products/sw/secursw/ps5338/ prod_installation_guides_list.html Step 3 Configure Additional Administrators. When you install the Windows version of ACS, there are initially no administrative users. When you install Cisco Secure ACS Solution Engine (ACS SE), there is initially one administrator. Note After you install Cisco Secure ACS Solution Engine, the administrative user can access the ACS SE only by using the command line interface (CLI) through a serial port connection. To enable an administrative user who can access the ACS SE by using the ACS web GUI, you must create an administrative GUI user by using the add-guiadmin command. For information on the add-guiadmin command, see Appendix A of the Installation Guide for Cisco Secure ACS Solution Engine 4.1, "Command Reference." To set up additional administrative accounts: a. Add Administrators. b. For each administrator, specify administrator privileges. c. As needed, configure the following optional administrative policies: –Access Policy—Specify IP address limitations, HTTP port restrictions, and secure socket layer (SSL) setup. –Session Policy—Specify timeouts, automatic local logins, and response to invalid IP address connections. –Password Policy—Configure the password policy for administrators. For detailed information, see Chapter 3, "Password Policy Configuration Scenario." Step 4 Configure the Web Interface: a. Add AAA clients and specify the authorization protocols that the clients will use. b. Click Interface Configuration. c. On the Interface Configuration page, configure the interface to include one or more of: –RADIUS Configuration Options—For detailed information, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface." –TACACS+ Configuration Options—For detailed information, see "Displaying TACACS+ Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface." –Advanced Options—For detailed information, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface." –Customized User Options—For detailed information, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface." Step 5 Configure Basic ACS System Settings: a. Click System Configuration. b. Configure: –Service Control –Logging –Date Format Control –Local Password Management –ACS Backup –ACS Restore –ACS Service Management –(optional) IP Pools Server –(optional) IP Pools Address Recovery For detailed instructions, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface." Step 6 Configure Users: a. As required for your network security setup, configure users. You can configure users: –Manually, by using the ACS web interface –By using the CSUtil utility to import users from an external database –By using database synchronization –By using database replication For detailed instructions, see "Displaying RADIUS Configuration Options" in Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "Using the Web Interface." Step 7 Configure Certificates. This step is required if you are using EAP-TLS, Secure Sockets Layer (SSL), or Cisco Network Admission Control (NAC). For detailed instructions, see Step 3: Install and Set Up an ACS Security Certificate, page 4-6. Step 8 Configure Global Authentication Settings. Configure the security protocols that ACS uses to authenticate users. You can configure the following global authentication methods: •PEAP •EAP-FAST •EAP-TLS •LEAP •EAP-MD5 •Legacy authentication protocols, such as MS-CHAP Version 1 and Version 2 For detailed instructions, see "Global Authentication Setup" in Chapter 8 of the User Guide for Cisco Secure ACS 4.1, "System Configuration: Authentication and Certificates." Step 9 Configure Shared Profile Components. You can configure the following shared profile components: •Downloadable IP ACLs •Network Access Filtering •RADIUS Authorization Components •Network Access Restrictions •Command Authorization Sets For detailed instructions, see Chapter 3 of the User Guide for Cisco Secure ACS 4.1, "Shared Profile Components." Step 10 Set Up Network Device Groups. You can set up network device groups to simplify configuration of common devices. For detailed information, see the User Guide for Cisco Secure ACS 4.1. Step 11 Add AAA Clients. You can add RADIUS clients or TACACS+ clients. For detailed instructions, see Step 2: Configure a RADIUS AAA Client, page 4-5. Step 12 Set Up User Groups. Set up user groups to apply common configuration settings to groups of users. For detailed instructions, see Chapter 2 of the User Guide for Cisco Secure ACS 4.1, "User Group Management." Step 13 Configure Posture Validation. If you are using ACS with NAC, configure posture validation. For detailed instructions, see Step 11: Set Up Network Access Profiles, page 7-16 and Step 13: Configure Posture Validation for NAC, page 7-29 Step 14 Set Up Network Access Profiles. If required, set up network access profiles. For detailed information, see Step 11: Set Up Network Access Profiles, page 7-16 Step 15 Configure Logs and Reports. Configure reports to specify how ACS logs data. You can also view the logs in HTML reports. For detailed instructions, see Chapter 9 of the User Guide for Cisco Secure ACS 4.1, "Logs and Reports. Configuration Flowchart Figure 1-1 is a configuration flowchart that shows the main steps in ACS configuration. Figure 1-1 ACS Configuration Flowchart Refer to the list of steps in Summary of Configuration Steps for information on where to find detailed descriptions of each step.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks