Table Of Contents
NAC Configuration Scenario
Step 1: Install ACS
Step 2: Perform Network Configuration Tasks
Configure a RADIUS AAA Client
Configure the AAA Server
Step 3: Set Up System Configuration
Install and Set Up an ACS Security Certificate
Obtain Certificates and Copy Them to the ACS Host
Set Up the ACS Certification Authority
Edit the Certificate Trust List
Install the CA Certificate
Install the ACS Certificate
Set Up Global Configuration
Set Up Global Authentication
Set Up EAP-FAST Configuration
Configure the Logging Level
Configure Logs and Reports
Step 4: Set Up Administration Control
Add Remote Administrator Access
Step 5: Set Up Shared Profile Components
Configure Network Access Filtering (Optional)
Configure Downloadable IP ACLs
Adding an ACL
Adding an ACE
Saving the dACL
Configure Radius Authorization Components
Step 6: Configure an External Posture Validation Audit Server
Add the Posture Attribute to the ACS Dictionary
Configure the External Posture Validation Audit Server
Step 7: Configure Posture Validation for NAC
Configure Internal Posture Validation Policies
Configure External Posture Validation Policies
Configure an External Posture Validation Audit Server
Add the Posture Attribute to the ACS Dictionary
Configure the External Posture Validation Audit Server
Authorization Policy and NAC Audit
Step 8: Set Up Templates to Create NAPs
Sample NAC Profile Templates
Sample NAC Layer 3 Profile Template
Profile Setup
Protocols Policy for the NAC Layer 3 Template
Authentication Policy
Sample Posture Validation Rule
Sample NAC Layer 2 Template
Profile Setup
Protocols Settings
Authentication Policy
Sample Posture Validation Rule
Sample NAC Layer 2 802.1x Template
Profile Setup
Protocols Policy
Authorization Policy
Sample Posture Validation Rule
Sample Wireless (NAC L2 802.1x) Template
Profile Setup
Protocols Policy
Authorization Policy
Sample Posture Validation Rule
Using a Sample Agentless Host Template
Profile Setup
Protocols Policy
Authentication Policy
Step 9: Map Posture Validation Components to Profiles
Step 10: Map an Audit Server to a Profile
Step 11 (Optional): Configure GAME Group Feedback
Import an Audit Vendor File by Using CSUtil
Import a Device-Type Attribute File by Using CSUtil
Import NAC Attribute-Value Pairs
Configure Database Support for Agentless Host Processing
Enable Posture Validation
Configure an External Audit Server
Configure an External Posture Validation Audit Server
Add the Posture Attribute to the ACS Dictionary
Configure the External Posture Validation Audit Server
Enable GAME Group Feedback
NAC Configuration Scenario
This chapter describes how to set up Cisco Secure Access Control Server 4.2, hereafter referred to as ACS, to work in a Cisco Network Admission Control environment. This chapter contains the following sections:
• Step 1: Install ACS
• Step 2: Perform Network Configuration Tasks
• Step 3: Set Up System Configuration
• Step 4: Set Up Administration Control
• Step 5: Set Up Shared Profile Components
• Step 6: Configure an External Posture Validation Audit Server
• Step 7: Configure Posture Validation for NAC
• Step 8: Set Up Templates to Create NAPs
• Step 9: Map Posture Validation Components to Profiles
• Step 10: Map an Audit Server to a Profile
• Step 11 (Optional): Configure GAME Group Feedback
Step 1: Install ACS
This section describes the installation process that you perform to run ACS, which runs on a Windows 2003 server or on a Cisco Secure ACS Solution Engine (ACS SE).
For detailed information on ACS installation, refer to the:
• Installation Guide for Cisco Secure ACS for Windows Release 4.2
• Installation Guide for Cisco Secure ACS Solution Engine Release 4.2
To install ACS:
Step 1
Start the ACS installation:
If you are installing ACS for Windows:
a.
Using a local administrator account, log in to the computer on which you want to install ACS.
b.
Insert the ACS CD into a CD-ROM drive on the computer.
c.
If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears; otherwise, run setup.exe, located in the root directory of the ACS CD.
d.
In the Cisco Secure ACS for Windows dialog box, click Install.
If you are installing ACS SE, follow the instructions in the Installation Guide for Cisco Secure ACS Solution Engine 4.2. Chapter 2, "Installing and Configuring Cisco Secure ACS Solution Engine 4.2," provides detailed installation instructions.
During the installation process, you are prompted to enter a password for encrypting the internal database.
Step 2
Enter a password that is at least 8 characters long, and contains letters and numbers.
The ACS installation process for ACS for Windows automatically creates a shortcut to the ACS administrative GUI on your desktop.
Step 3
Double-click the icon to open a browser window to the ACS administrative GUI.
Step 4
If you do not see the icon on the desktop, open your browser from the machine on which you installed ACS and go to one of these addresses:
• http://IP_address:2002
• http://hostname:2002
where IP_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS.
Step 2: Perform Network Configuration Tasks
This section describes:
• Configure a RADIUS AAA Client
• Configure the AAA Server
Configure a RADIUS AAA Client
Before you can configure NAC support, you must configure a RADIUS AAA client.
To configure a RADIUS AAA client:
Step 1
In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2
Do one of the following:
• If you are using Network Device Groups (NDGs), click the name of the NDG to which you want to assign the AAA client. Then, click Add Entry below the AAA Clients table.
• To add AAA clients when you have not enabled NDGs, click Not Assigned and then click Add Entry below the AAA Clients table.
The Add AAA Client page opens, shown in Figure 9-1.
Figure 9-1 Add AAA Client Page
Step 3
In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 alphanumeric characters).
Step 4
In the AAA Client IP Address box, type the AAA client IP address or addresses.
Note
You can define all network access devices (NADs) as a single AAA client by entering IP address wildcards; for example, *.*.*.*. Note however, that AAA client definitions with wildcards cannot overlap with other AAA client definitions, regardless of the authentication type configured for the AAA clients.
Step 5
In the Shared Secret box, type a shared secret key for the AAA client.
The shared secret is a string that you determine; for example, mynet123. The shared secret must be identical on the AAA client and ACS. Keys are case sensitive. If the shared secrets do not match, ACS discards all packets from the network device.
Step 6
If you are using NDGs, from the Network Device Group list, choose the name of the NDG to which this AAA client should belong, or, click Not Assigned to set this AAA client to be independent of NDGs.
Step 7
Type the shared secret keys for RADIUS Key Wrap in EAP-TLS authentications.
Each key must be unique, and must also be distinct from the RADIUS shared key. You can configure these shared keys for each AAA client, as well as for each NDG. The NDG key configuration overrides the AAA client configuration. If the key entry is null, ACS uses the AAA client key. You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP-TLS authentication:
a.
Key Encryption Key (KEK)—Used for encryption of the Pairwise Master Key (PMK). The maximum length is 20 characters.
b.
Message Authenticator Code Key (MACK)—Used for the keyed hashed message authentication code (HMAC) calculation over the RADIUS message. The maximum length is 16 characters.
c.
Key Input Format—Click the format of the key, ASCII or hexadecimal strings (the default is ASCII).
Step 8
From the Authenticate Using list, choose RADIUS (IOS/PIX).
Step 9
Specify additional AAA client settings as required.
Step 10
Click Submit + Apply.
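The note in Step 5 says that ACS discards every packet from a network device whose shared secret does not match. The following added example (not part of the ACS guide or the ACS code base) shows the mechanism behind that behaviour for EAP traffic: the AAA client and the server each compute an HMAC-MD5 Message-Authenticator (RADIUS attribute 80, RFC 3579) over the Access-Request, keyed with the shared secret, so a receiver holding a different secret computes a different value and rejects the packet. The attribute values, the identifier and the NAS address are constructed; the secret mynet123 is the example value the guide uses.

```python
# Added example: RADIUS Message-Authenticator (attribute 80) computed and verified
# with the AAA shared secret. Not ACS code; illustrates why mismatched secrets
# cause packets to be discarded.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request Authenticator(16)


def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1, counts these two bytes too) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, attributes, request_authenticator=None):
    """Build an Access-Request whose Message-Authenticator is keyed with `secret`."""
    authenticator = request_authenticator or os.urandom(16)
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zero placeholder is the final 16 bytes


def verify_message_authenticator(secret, packet):
    """Server-side check: True only if attribute 80 verifies under `secret`.

    A packet that fails (wrong secret, altered bytes) is discarded, as is a
    packet without the attribute, which RFC 3579 requires when EAP-Message is
    present. ACS's own handling of the missing-attribute case is not described
    in the guide; rejecting it is this example's choice.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False


def demo():
    """Constructed exchange: one NAD secret, three server-side outcomes."""
    nad_secret = b"mynet123"  # the guide's example shared secret
    identity = b"host1.example.com"  # constructed
    attributes = [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAD address
        # EAP-Response/Identity: code 2, id 1, length 5 + len(identity), type 1
        (ATTR_EAP_MESSAGE, bytes([2, 1, 0, 5 + len(identity), 1]) + identity),
    ]
    packet = build_access_request(nad_secret, 7, attributes)
    tampered = packet[:HEADER_LEN + 2] + b"X" + packet[HEADER_LEN + 3:]
    return {
        "matching_secret": verify_message_authenticator(b"mynet123", packet),
        "mismatched_secret": verify_message_authenticator(b"Mynet123", packet),  # case matters
        "tampered_packet": verify_message_authenticator(b"mynet123", tampered),
    }
```

Only the first case verifies; the case-changed secret and the altered User-Name both fail, which is the server behaviour the note describes. Since the Access-Request's Request Authenticator is random, the shared secret cannot be checked from the header alone; the Message-Authenticator (or, for PAP, decryption of User-Password) is what ties the packet to the secret.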
Configure the AAA Server
Your AAA server is automatically populated during the installation of ACS, using the hostname assigned to the Windows 2003 system. You must specify some additional configuration information to enable the server to communicate with AAA clients.
To configure the AAA server:
Step 1
In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2
In the AAA Servers table, click the name of the AAA server in the AAA Server Name column.
The AAA Server Setup page opens, shown in Figure 9-2.
Figure 9-2 AAA Server Setup Page
Step 3
In the Key field, enter the shared secret that you used to set up the AAA clients.
Step 4
Click Submit and Apply.
Step 3: Set Up System Configuration
This section describes the following tasks:
• Install and Set Up an ACS Security Certificate
• Set Up Global Configuration
Install and Set Up an ACS Security Certificate
You must configure ACS with a digital certificate for establishing client trust when ACS challenges the client for its credentials. Note these points:
• For authenticated in-band Protected Access Credential (PAC) provisioning for EAP-FAST, the client must have a certificate that matches the one installed in ACS.
• For the most scalable NAC environments, Cisco recommends a production public key infrastructure (PKI) that the production certificate authority (CA) or registration authorities (RAs) sign.
This section describes a simplified procedure for the ACS for Windows platform. For detailed information on installing certificates and for information on how to install certificates on the Cisco Secure ACS Solution Engine platform, see Chapter 9 of the User Guide for Cisco Secure ACS 4.2, "Advanced Configuration: Authentication and Certificates."
Obtain Certificates and Copy Them to the ACS Host
To copy a certificate to the ACS host:
Step 1
Obtain a security certificate.
Step 2
Create a \certs directory on the ACS server.
a.
Open a DOS command window.
b.
To create a certificates directory, enter:
mkdir <selected_drive>:\certs
where selected_drive is the currently selected drive.
Step 3
For example, copy the following files to the \certs directory:
• ACS-1.nac.cisco.com.cer (server certificate)
• ACS-1.PrivateKey.txt (server certificate private key)
• ca.nac.cisco.com.cer (CA certificate)
You are now ready to set up the ACS certification authority.
Set Up the ACS Certification Authority
To set up the ACS certification authority:
Step 1
In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2
Click ACS Certificate Setup.
The ACS Certificate Setup page opens.
Step 3
Click ACS Certification Authority Setup.
The ACS Certificate Authority page opens, as shown in Figure 9-3.
Figure 9-3 ACS Certificate Authority Setup Page
Step 4
Enter the path and filename for the certificate authority certificate and then click Submit.
Step 5
Restart ACS.
To restart ACS, choose System Configuration > Service Control and then click Restart.
Edit the Certificate Trust List
After you set up the ACS certification authority, you must add the CA certificate to the ACS Certificate Trust list.
To add the certificate to the Certificate Trust list:
Step 1
In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2
Choose ACS Certificate Setup > Edit Certificate Trust List.
The Edit Certificate Trust List page opens.
Step 3
In the list of certificates, locate the CA certificate that you installed and check the check box next to it.
Step 4
Click Submit.
Step 5
Restart ACS.
To restart ACS, choose System Configuration > Service Control and then click Restart.
Install the CA Certificate
To install the CA Certificate:
Step 1
Choose System Configuration > ACS Certificate Setup > ACS Certification Authority Setup.
Step 2
The ACS Certification Authority Setup page appears, as shown in Figure 9-4.
Figure 9-4 ACS Certification Authority Setup Page
Step 3
In the CA certificate file box, type the CA certificate location (path and name); for example: c:\Certs\ca.cer.
Step 4
Click Submit.
Install the ACS Certificate
To enable security certificates on the ACS installation:
Step 1
In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2
Click ACS Certificate Setup.
Step 3
Click Install ACS Certificate.
Step 4
The Install ACS Certificate page opens, as shown in Figure 9-5.
Figure 9-5 Install ACS Certificate Page
Step 5
Click the Read certificate from file radio button.
Step 6
In the Certificate file text box, enter the server certificate location (path and name); for example: c:\Certs\server.cer.
Step 7
In the Private key file text box, type the server certificate private key location (path and name); for example: c:\Certs\server.pvk.
Step 8
In the Private Key password text box, type the private key password; for example cisco123.
Step 9
Click Submit.
Step 10
ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services.
Step 11
Restart ACS.
To restart ACS, choose System Configuration > Service Control and then click Restart.
Set Up Global Configuration
This section describes the following tasks:
• Set Up Global Authentication
• Set Up EAP-FAST Configuration
Set Up Global Authentication
In the global authentication setup, you specify the protocols that ACS uses to transfer credentials from the host for authentication and authorization. Unless you have a limited deployment environment or specific security concerns, you should globally enable all protocols. If you do not enable the protocols in the global authorization setup, then they will not be available later in the Network Access Profiles configuration interface.
To set up global authentication:
Step 1
In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2
Click Global Authentication Setup.
The Global Authentication Setup Page appears, as shown in Figure 9-6.
Figure 9-6 Global Authentication Setup Page
Step 3
To make the PEAP global authentication parameters available in the NAP configuration, check the check boxes for:
• Allow EAP-MSCHAPv2.
EAP-MSCHAP is a variation of the Microsoft Challenge and Response Protocol that is used with the Protected Extensible Access Protocol (PEAP). For a description of the EAP-MSCHAPv2 protocol, see the "Authentication" section in Chapter 1 of the User Guide for Cisco Secure ACS, 4.2, "Overview."
• Allow EAP-GTC.
For a description of the EAP Generic Token Card (EAP-GTC) protocol, see "EAP-FAST Authentication" in Chapter 9 of the User Guide for Cisco Secure ACS 4.2, "System Configuration: Authentication and Certificates."
• Allow Posture Validation.
For a description of Posture Validation, see the "What Is Posture Validation" section in Chapter 13 of the User Guide for Cisco Secure ACS, 4.2, "Posture Validation."
Step 4
In the EAP-TLS section:
a.
Check the Allow EAP-TLS check box.
b.
Check the Certificate SAN comparison and Certificate Binary comparison check boxes.
c.
Leave the EAP-TLS timeout field set to the default (120 minutes).
Step 5
In the EAP-MD5 section, check the Allow EAP-MD5 check box.
Step 6
Scroll down to the MS-CHAP configuration section, and check the Allow MS-CHAP Version 1 Authentication and Allow MS-CHAP Version 2 Authentication check boxes, as shown in Figure 9-7.
Figure 9-7 MS-CHAP Authentication Selection
Step 7
Click Submit + Restart.
Step 8
Go to Set Up EAP-FAST Configuration, and configure EAP-FAST authentication.
Set Up EAP-FAST Configuration
To configure ACS to work with NAC and use EAP-FAST with posture validation:
Step 1
In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2
Click Global Authentication Setup.
The Global Authentication Setup Page appears, as shown in Figure 9-6.
Step 3
Click EAP-FAST Configuration.
The EAP FAST Configuration page appears, as shown in Figure 9-8.
Figure 9-8 EAP-FAST Configuration Page
Step 4
Check the Allow EAP-FAST check box.
Step 5
In the Client Initial Message text box, enter a message; for example, Welcome.
Step 6
In the Authority ID Info field, enter the name of the certificate authority server. In the example shown in Figure 9-8, this is ACS NAC Server. However, this can be any string.
Step 7
Check the Allow anonymous in-band PAC provisioning and authenticated in-band PAC provisioning check boxes.
Step 8
Check the Accept client on authenticated provisioning and Require client certificate for provisioning check boxes.
Step 9
Check the check boxes for the EAP-GTC, EAP-MSCHAPv2, and EAP-TLS inner methods.
The EAP-FAST Master Server check box is automatically checked (enabled).
Check the Certificate SAN and Certificate Binary comparison check boxes to enable these EAP-TLS comparison methods.
Step 10
Click Submit + Restart.
Configure the Logging Level
To set ACS to full logging capabilities:
Step 1
In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2
Click Service Control.
Step 3
Under Level of Detail, click the Full radio button.
Note
Setting the logging level to Full might affect system performance. Therefore, set the logging level to Full only during initial deployment, when detailed troubleshooting is required. After the network has become stable, set the logging level to Normal.
Step 4
Check the Manage Directory check box and choose how many days of logging to keep. (Enter the number of days, based on how much space you have on your hard drive. Cisco recommends that you specify seven days.)
Step 5
Click Restart to restart ACS. (Wait until the browser's progress bar shows that the page has reloaded completely.)
Configure Logs and Reports
ACS logs records of users who gain or are refused network access, as well as records of other actions. You can output the information in the logs to reports that you view in the ACS GUI, which you can then save or print out and review. These reports summarize the logs, and provide useful information for debugging and tracking problems.
For detailed information on ACS logs and reports, see Chapter 10 of the User Guide for Cisco Secure ACS 4.2, "Logs and Reports."
The Failed Attempts report and the RADIUS Accounting report are useful tools for monitoring the performance of the NAC/NAP network. The Passed Authentications report is particularly useful in NAC-enabled networks because it shows the group mapping for each posture validation request. By default, the Passed Authentications report is unchecked (disabled).
To enable the Passed Authentications report:
Step 1
In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2
Click Logging.
The Logging Configuration page opens.
The CSV Passed Authentications File Configuration page opens, as shown in Figure 9-9.
Figure 9-9 CSV Passed Authentications File Configuration Page
Step 3
Check the Log to CSV Passed Authentications Report check box.
Step 4
Move the attributes that you want to log from the Attributes list to Logged Attributes list.
Some useful attributes to log are:
• Message-Type
• User-Name
• Caller-ID
• NAS-Port
• NAS-IP-Address
• AAA Server
• Filter Information
• Network Device Group
• Access Device
• PEAP/EAP-FAST-Clear-Name
• Logged Remotely
• EAP Type
• EAP Type Name
• Network Access Profile Name
• Outbound Class
• Shared RAC
• Downloadable ACL
• System-Posture-Token
• Application-Posture-Token
• Reason
• Profile Name
Step 5
Click Submit.
Step 6
In the ACS Reports table, click the Configure link for the CSV RADIUS Accounting report.
The CSV RADIUS Accounting File Configuration page appears.
Check the Log to CSV RADIUS Accounting Report check box.
Step 7
Move the attributes that you want to log from the Attributes list to the Logged Attributes list.
Some useful attributes to log are:
• User-Name
• Group-Name
• Calling-Station-Id
• Acct-Status-Type
• Acct-Session-Id
• Acct-Session-Time
• Acct-Input-Octets
• Acct-Output-Octets
• Acct-Input-Packets
• Acct-Output-Packets
• Framed-IP-Address
• NAS-Port
• NAS-IP-Address
• Class
• Termination-Action
• Called-Station-Id
• Acct-Delay-Time
• Acct-Authentic
• Acct-Terminate-Cause
• Event-Timestamp
• NAS-Port-Type
• Port-Limit
• NAS-Port-Id
• AAA Server
• ExtDB Info
• Network Access Profile Name
• cisco-av-pair
• Access Device
• Logged Remotely
Step 8
Click Submit.
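The Passed Authentications report is described above as the place to see the posture outcome of each validation request. The following added example (not part of the ACS guide; not ACS code) reads a CSV export of that report and turns it into two defender-side views: posture token counts per Network Access Profile, and a list of hosts whose latest result is Infected or that have been quarantined repeatedly. The column set is assembled from the attributes the guide suggests logging, and the rows are constructed sample data, not a real ACS export; a real export may carry more columns, which csv.DictReader ignores because it keys on header names.

```python
# Added example: summarize a CSV Passed Authentications export by posture token.
# Constructed sample data; not ACS code.
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Column names follow the attributes the guide lists.
SAMPLE_EXPORT = """\
Date,Time,Message-Type,User-Name,NAS-IP-Address,Network Access Profile Name,System-Posture-Token,Application-Posture-Token,Reason
05/12/2008,09:01:12,Authen OK,host1,192.0.2.10,NAC_L2_IP,Healthy,Healthy,
05/12/2008,09:02:40,Authen OK,host2,192.0.2.10,NAC_L2_IP,Quarantine,Quarantine,AV definitions out of date
05/12/2008,09:15:03,Authen OK,host2,192.0.2.10,NAC_L2_IP,Quarantine,Quarantine,AV definitions out of date
05/12/2008,09:31:55,Authen OK,host3,192.0.2.11,NAC_L2_802.1x,Healthy,Healthy,
05/12/2008,10:02:17,Authen OK,host2,192.0.2.10,NAC_L2_IP,Healthy,Healthy,
05/12/2008,10:05:00,Authen OK,host4,192.0.2.11,NAC_L2_802.1x,Infected,Infected,Malware signature detected
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def token_counts_by_profile(rows):
    """Map each Network Access Profile to a dict of System-Posture-Token counts."""
    counts = defaultdict(Counter)
    for row in rows:
        token = row["System-Posture-Token"] or "Unknown"  # empty cell -> Unknown
        counts[row["Network Access Profile Name"]][token] += 1
    return {profile: dict(tokens) for profile, tokens in counts.items()}


def hosts_needing_attention(rows, repeat_threshold=2):
    """Flag hosts whose latest token is Infected, or quarantined >= threshold times.

    Assumes rows are in chronological order, as the CSV export is written.
    """
    quarantines = Counter()
    latest = {}
    for row in rows:
        host = row["User-Name"]
        token = row["System-Posture-Token"]
        if token == "Quarantine":
            quarantines[host] += 1
        latest[host] = (token, row["Reason"])
    flagged = {}
    for host, (token, reason) in latest.items():
        if token == "Infected":
            flagged[host] = f"latest posture Infected: {reason}"
        elif quarantines[host] >= repeat_threshold:
            flagged[host] = f"quarantined {quarantines[host]} times (latest: {token})"
    return flagged


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(token_counts_by_profile(rows))
    print(hosts_needing_attention(rows))
```

On the sample data, host2 is flagged because it was quarantined twice even though its latest result is Healthy, and host4 is flagged for an Infected token; the per-profile counts show at a glance how much of each profile's traffic is being held in the quarantine VLAN.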
Step 4: Set Up Administration Control
This section describes how to add remote administrator access.
Add Remote Administrator Access
To prepare ACS for remote administration:
Step 1
In the navigation bar, click Administration Control.
The System Configuration page opens.
Step 2
Click Add Administrator.
The Add Administrator page opens, as shown in Figure 9-10.
Figure 9-10 Add Administrator Page
Step 3
In the Administrator Details area, specify the following information:
Option | Description
Administrator Name | Enter the login name for the ACS administrator account. Administrator names can contain 1 to 32 characters, but cannot contain the left angle bracket (<), the right angle bracket (>), or the backslash (\). An ACS administrator name does not have to match a network user name.
Password | Enter the password for the administrator to access the ACS web interface. The password can match the password that the administrator uses for dial-in authentication; or, it can be a different password. ACS enforces the options in the Password Validation Options section on the Administrator Password Policy page. Passwords must be at least 4 characters long and contain at least 1 numeric character. The password cannot include the username or the reverse username, must not match any of the previous 4 passwords, and must be in ASCII characters. If you make a password error, ACS displays the password criteria. If the password policy changes and the password does not change, the administrator remains logged in. ACS enforces the new password policy at the next login.
Confirm Password | Reenter the password that you entered in the password field.
Account Never Expires | If you want to override the lockout options set up on the Administrator Password Policy page (with the exception of manual lockout), check the check box next to Account Never Expires. If you check this option, the account never expires, but the password change policy remains in effect. The default value is unchecked (disabled).
Account Locked | If you want to lock out an administrator who is denied access due to the account policy options specified on the Password Policy page, check the Account Locked check box. When unchecked (disabled), this option unlocks an administrator who was locked out. Administrators who have the Administration Control privilege can use this option to manually lock out an account or reset locked accounts. The system displays a message that explains the reason for a lockout. When an administrator unlocks an account, ACS resets the Last Password Change and the Last Activity fields to the day on which the administrator unlocks the account. The reset of a locked account does not affect the configuration of the lockout and unlock mechanisms for failed attempts.
Step 4
Click Grant All.
Clicking Grant All grants all privileges to the new administrator. Alternatively, specify the groups or actions to which this administrator is granted access.
Note
For more information on administrative privileges, see the "Add Administrator and Edit Administrator Pages" section in Chapter 11 of the User Guide for Cisco Secure Access Control Server 4.2, "Administrators and Administrative Policy."
Step 5
Click Submit.
After performing these steps, from a remote host, you can open a browser in which to administer ACS.
The URLs for remote access are:
• http://IP_address:2002
• http://hostname:2002
Step 5: Set Up Shared Profile Components
Before you can set up NAPs, you must set up Shared Profile Components.
Shared Profile Components are configurations that can be reused across many different NAPs to set up filtering within ACS or to control network authorizations within RADIUS.
A NAP is a classification of network-access requests for applying a common policy. You can use NAPs to aggregate all policies that should be activated for a certain location in the network or for users who connect to the network by using specified protocols such as EAP over UDP (EoU) or 802.1x.
For detailed information on NAPs, see Chapter 14 of the User Guide for Cisco Secure ACS, 4.2, "Network Access Profiles."
This section describes the following tasks:
• Configure Network Access Filtering (Optional)
• Configure Downloadable IP ACLs
• Configure Radius Authorization Components
Configure Network Access Filtering (Optional)
NAF is an ACS feature that groups several devices into one group. The devices can be ACS clients, ACS servers, ACS network device groups (NDGs), or a specific IP address. NAFs are particularly useful for defining NAPs.
When you set up Downloadable IP ACLs, you can:
• Assign the default NAF, which is All AAA Clients.
This default allows access to all clients.
• Set up a NAF to limit access to specified clients.
To set up a NAF:
Step 1
In the navigation bar, click Shared Profile Components.
The Shared Profile Components page opens.
Step 2
Click Network Access Filtering.
The Network Access Filtering table appears. Initially, this table does not contain shared profile components.
Step 3
Click Add.
The Edit Network Access Filtering page opens, as shown in Figure 9-11.
Figure 9-11 Edit Network Access Filtering Page
Step 4
In the Name text box, enter a name for the network access filter.
Step 5
Move any devices or device groups to the Selected Items list.
To move a device or device group, select the item to move and then click the right arrow button to move it to the Selected Items list.
Step 6
Click Submit.
Configure Downloadable IP ACLs
Downloadable IP Access Control Lists (dACLs) are access lists that can be downloaded to enforce the network authorization of a host. Downloadable ACLs dynamically download Layer 3 and Layer 4 access control entries (ACEs) to a router or to a VPN concentrator and merge them with the default interface ACL.
In ACS 4.2, you can download access lists to specific devices or device groups.
You can define an access list that contains one or more dACLs and later download the list to network devices, based on their assignments to user groups. Before you define dACLs, enable dACLs.
Each Assessment Result (system posture token), according to its definition, should have its own ACL, which contains one or more Access Control Entries (ACEs) that will instruct the NAC network device (router) to block packets from going to a specific destination or allow packets to reach a specific destination.
To enable dACLs and NAFs, which are required to create NAPs:
• Add a new posture ACL.
• Add ACE entries for the ACL.
• Save the posture ACL.
Note
These ACLs are referred to as posture ACLs because they are a component of a NAP that is used in posture validation.
Adding an ACL
To add a new ACL:
Step 1
Choose Shared Profile Components > Downloadable IP ACLs.
A list of dACLs appears, as shown in Figure 9-12:
Figure 9-12 Downloadable IP ACL List
Step 2
Click Add.
The Edit Downloadable IP ACLs page opens, as shown in Figure 9-13.
Figure 9-13 Downloadable IP ACLs Page
Step 3
On the Downloadable IP ACLs page, enter a Name and optional Description for the ACL, as shown in Figure 9-13.
Note
Do not use spaces in the name of the ACL. IOS does not accept ACL names that include spaces.
Adding an ACE
To add an ACE:
Step 1
On the Downloadable IP ACLs page, click Add (below the ACL Contents table) to add a new ACE to the ACL and assign it to a NAF.
The Downloadable IP ACL Content page opens, as shown in Figure 9-14.
Figure 9-14 Downloadable IP ACL Content Page
Step 2
In the Name text box, type the ACL name.
Step 3
In the ACL Definitions input box, type definitions for the ACL.
ACL definitions consist of a series of permit and deny statements that permit or deny access for specified hosts. For information on the syntax for ACL definitions, see the "Downloadable ACLs" section of Chapter 4 of the User Guide for Cisco Secure Access Control Server 4.2, "Shared Profile Components."
Step 4
Click Submit.
Note
Before configuring the ACL on ACS, you should test the syntax on the device to ensure that each ACE is valid.
The Downloadable ACL page appears with the new ACL in the ACL Contents list, as shown in Figure 9-15.
Figure 9-15 Downloadable ACL Contents List with New Content
Step 5
From the drop-down list in the Network Access Filtering column of the ACL Contents table, choose the correct NAF for this ACL.
You can choose the default NAF (All AAA Clients), or you can specify a NAF that you have configured to control how access is set up for different devices or groups of devices.
For example, the syntax of an ACE on routers differs from the syntax on a Project Information Exchange (PIX) firewall. By using a NAF, you can assign the same ACL to a PIX and a router, even though the actual ACE that is downloaded is different.
Step 6
Click Submit.
The new ACL appears on the list of downloadable ACLs.
Saving the dACL
When you finish adding ACEs to the dACL, click Submit to save the dACL and submit it.
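The note under Step 4 recommends testing each ACE's syntax before configuring it on ACS, and the earlier note says that IOS rejects ACL names containing spaces. The following added example (not part of the ACS guide; not ACS or IOS code) is a pre-submit check that enforces both rules for the subset of IOS extended-ACE syntax that posture ACLs typically use. The sample ACLs are constructed, with documentation-range addresses as placeholders for a DNS server and a remediation server; the validator does not replace testing the ACL on the device itself, and the router-versus-PIX syntax difference that Step 5 mentions is outside its scope.

```python
# Added example: syntax check for a downloadable IP ACL before it is entered in ACS.
# Grammar covered (a subset of IOS extended ACEs):
#   {permit|deny} {ip|tcp|udp|icmp} <addr> [port-op] <addr> [port-op] [log]
#   <addr>    := any | host A.B.C.D | A.B.C.D WILDCARD
#   [port-op] := eq|gt|lt|neq N | range N M        (tcp and udp only)
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPERATORS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> port count


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_address(tokens, pos):
    """Consume one address spec at tokens[pos]; return the position after it."""
    if pos >= len(tokens):
        raise ValueError("missing address")
    if tokens[pos] == "any":
        return pos + 1
    if tokens[pos] == "host":
        if pos + 1 < len(tokens) and _is_ipv4(tokens[pos + 1]):
            return pos + 2
        raise ValueError("'host' must be followed by an IPv4 address")
    if _is_ipv4(tokens[pos]) and pos + 1 < len(tokens) and _is_ipv4(tokens[pos + 1]):
        return pos + 2  # network address followed by a wildcard mask
    raise ValueError(f"bad address spec at {tokens[pos]!r}")


def _parse_port_operator(tokens, pos, protocol):
    """Consume an optional port operator; return the position after it."""
    if pos < len(tokens) and tokens[pos] in PORT_OPERATORS:
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"port operator {tokens[pos]!r} is only valid for tcp or udp")
        count = PORT_OPERATORS[tokens[pos]]
        ports = tokens[pos + 1:pos + 1 + count]
        if len(ports) != count or not all(p.isdigit() and int(p) <= 65535 for p in ports):
            raise ValueError(f"operator {tokens[pos]!r} needs {count} port number(s) in 0-65535")
        return pos + 1 + count
    return pos


def validate_ace(line):
    """Return True if one ACE parses; raise ValueError naming the first problem."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError("an ACE needs at least action, protocol, source and destination")
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {tokens[0]!r}")
    protocol = tokens[1]
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    pos = _parse_address(tokens, 2)
    pos = _parse_port_operator(tokens, pos, protocol)
    pos = _parse_address(tokens, pos)
    pos = _parse_port_operator(tokens, pos, protocol)
    if tokens[pos:] not in ([], ["log"]):
        raise ValueError(f"unexpected trailing tokens {' '.join(tokens[pos:])!r}")
    return True


def validate_dacl(name, definitions):
    """Return a list of problems for the ACL name and definitions; empty means it passed."""
    problems = []
    if not name:
        problems.append("ACL name is empty")
    elif " " in name:
        problems.append(f"ACL name {name!r} contains a space; IOS rejects such names")
    for number, raw in enumerate(definitions.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS-style comment
        try:
            validate_ace(line)
        except ValueError as err:
            problems.append(f"line {number}: {err}")
    return problems


# Constructed posture ACL for quarantined hosts: DNS and the remediation server only.
QUARANTINE_ACL = """\
! constructed sample; 192.0.2.x are documentation-range placeholders
permit udp any host 192.0.2.53 eq 53
permit tcp any host 192.0.2.80 eq 80
permit tcp any host 192.0.2.80 eq 443
deny ip any any
"""

# Constructed sample with three distinct mistakes, one per line.
BROKEN_ACL = """\
permit icmp any any eq 8
permit ip 192.0.2.0 any
allow tcp any any
"""
```

Run validate_dacl("Quarantine_ACL", QUARANTINE_ACL) to get an empty list, and validate_dacl("Quarantine ACL", BROKEN_ACL) to get four problems: the space in the name, a port operator on icmp, a network address with no wildcard mask, and an unknown action. Because ACS downloads the same named ACL to every device that matches the chosen NAF, catching these before Submit avoids pushing an entry that the device will refuse.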
Configure Radius Authorization Components
Shared RADIUS Authorization Components (RACs) are sets of RADIUS attributes that ACS applies to Network Access Devices (NADs) during network authorization. Each RAC can contain one or more vendor RADIUS attributes, including Cisco IOS/PIX 6.0, IETF, and Ascend attributes.
By setting up RACs, you can dynamically assign RADIUS attributes to user sessions based on a policy. For example, you can create a RAC that gathers RADIUS attributes to define a VLAN; users who access the network through a switch are then given access to specified VLANs based on how they are authorized and authenticated.
The sample RACs in this section provide RADIUS configurations to handle the most important services in the NAC environment:
• EoU (NAC L2 IP)
• NAC L2 802.1x
The sample RACs are:
• Cisco_FullAccess—Provides full access to the Cisco network. You use this RAC to grant access to clients that qualify as healthy.
• Cisco_Restricted—Provides restricted access to the Cisco network. You use this RAC to grant partial (quarantined) access to clients that do not qualify as healthy.
To define RACs:
Step 1
In the navigation bar, click Shared Profile Components.
The Shared Profile Components page opens.
Step 2
Click RADIUS Authorization Components.
The RADIUS Authorization Components table appears. Initially, this table does not contain any RACs.
Step 3
Click Add.
The RADIUS Authorization Components Page opens, as shown in Figure 9-16.
Figure 9-16 RADIUS Authorization Components Page
Step 4
Enter a Name and Description in the RADIUS Authorization Components page.
Step 5
In the Add New Attribute section, add the RADIUS attributes for the RAC.
a.
To add an attribute, from the drop-down lists for Cisco IOS/PIX 6.0, IETF, and Ascend, choose the attribute that you want to add and then click Add.
For example, from the IETF drop-down list, choose Session-Timeout (27) and click Add.
The RAC Attribute Add/Edit page opens. Figure 9-17 shows the RAC Attribute Add/Edit page for Session-Timeout (27).
Figure 9-17 RAC Attribute Add/Edit Page
b.
In the Value field for the attribute, enter an appropriate value. Each attribute has specific value types based on how the attribute is defined.
For example, for the Session-Timeout (27) attribute, enter a timeout value in seconds.
c.
Click Submit.
Step 6
When you are finished adding attributes, click Submit.
Step 7
To enable the RAC, from the navigation bar, choose System Configuration > Service Control and then click Restart.
Figure 9-18 shows attribute selection for the Cisco_FullAccess RAC and Figure 9-19 shows attribute selection for the Cisco_Restricted RAC.
Figure 9-18 Attribute Selection for the Cisco_FullAccess RAC
Figure 9-19 Attribute Selection for the Cisco_Restricted RAC
To enable VLAN assignment, the sample RACs include the following RADIUS attributes:
• Session-Timeout (attribute 27)—Enables a session timeout. In the sample RACs, the timeout value is set to 3600 seconds (six hours). Because session timeouts and revalidations use considerable network resources, you might want to set the timeout value to allow a longer timeout period; for example, 8 to 24 hours.
• Termination-Action (attribute 29)—Determines how the switch port responds to a session timeout. This attribute is only used in Access-Accept packets. When a session timeout occurs, the port drops all traffic on the switch until reauthentication is complete. In the sample RACs, this attribute is set to RADIUS-Request (1). This ensures that the switch maintains the current VLAN assignment and network connectivity while reauthentication is in progress.
• Tunnel-Type (attribute 64)—Specifies the type of tunnel that is set up for the user to connect. In the sample RACs, this value is set to type 10, VLAN, which indicates that the user is granted access to a VLAN that is configured on the switch.
• Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an 802 protocol. In the NAC/NAP environment, this is the 802.1x protocol.
• Tunnel-Private-Group-ID (attribute 81)—Indicates the group ID for the VLAN tunnel. In the sample RACs, this is set to Quarantine, which denotes a quarantine VLAN to which devices are assigned. In actual practice, you should set this value to a VLAN name that is configured on the switch.
For reference, Table 9-1 lists all of the attributes that ACS can send. An x in the NAC-L2-802.1x, NAC-L2-IP, or NAC-L3-IP column indicates that ACS can send the specified attribute in a RADIUS Access-Accept response used with that technology.
Table 9-1 Attributes That Can Be Sent in the RADIUS Access-Accept Response

| NAC-L2-802.1x | NAC-L2-IP | NAC-L3-IP | Attribute Number | Attribute Name | Description |
|---|---|---|---|---|---|
| x | | | 1 | User-Name | Copied from EAP Identity Response in Access Request |
| | x | x | 8 | Framed-IP-Address | IP address of host |
| | x | x | 26 | Vendor-Specific, Cisco (9,1), CiscoSecure-Defined-ACL | ACL name. ACS automatically sends this to the NAD as part of the RADIUS packet. |
| x | | | 26 | Vendor-Specific, Cisco (9,1), sec:pg | Policy-based ACL assignment. Only applies to Catalyst 6000. sec:pg = <group-name> |
| | x | x | 26 | Vendor-Specific, Cisco (9,1), url-redirect | Redirection URL. url-redirect = <URL> |
| | x | x | 26 | Vendor-Specific, Cisco (9,1), url-redirect-acl | Apply the named ACL for the redirect URL; the ACL must be defined locally on the NAD. Only works on switches with IOS. url-redirect-acl = <ACL-Name> |
| x | x | x | 26 | Vendor-Specific, Cisco (9,1), posture-token | Posture token/state name. Automatically sent by ACS. |
| | x | x | 26 | Vendor-Specific, Cisco (9,1), status-query-timeout | Sets Status Query timer |
| | x | x | 26 | Vendor-Specific, Cisco (9,1), host-session-id | Session identifier used for auditing. Automatically sent by ACS. |
| x | x | x | 26 | Vendor-Specific, Microsoft (311) | Key for Status Query: MS-MPPE-Recv-Key. Automatically sent by ACS. |
| x | x | x | 27 | Session-Timeout | Sets Revalidation Timer (in seconds) |
| x | x | x | 29 | Termination-Action | Action on Session Timeout: (0) Default: Terminate session; (1) RADIUS-Request: Re-authenticate |
| x | | | 64 | Tunnel-Type | 13 = VLAN |
| x | | | 65 | Tunnel-Medium-Type | 6 = 802 |
| x | x | x | 79 | EAP-Message | EAP Request/Response packet in Access-Request and Access-Challenge; EAP Success in Access-Accept; EAP Failure in Access-Reject |
| x | x | x | 80 | Message-Authenticator | HMAC-MD5 to ensure integrity of packet. |
| x | | | 81 | Tunnel-Private-Group-ID | VLAN name |
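The following is an added example, not code from this guide or from ACS, that shows what the sample RAC attribute list and the Table 9-1 rows look like once ACS puts them on the wire: it encodes an Access-Accept carrying Session-Timeout, Termination-Action, the three tagged Tunnel-* attributes (RFC 2868), Cisco (9,1) AV pairs such as url-redirect, and Message-Authenticator (attribute 80, HMAC-MD5 per RFC 2869), then verifies the packet the way a NAD should before acting on a VLAN assignment. The shared secret, the Request Authenticator, the VLAN name, the remediation URL and the tag byte value 1 are constructed assumptions. Two facts worth checking against the prose above: RFC 2868 assigns Tunnel-Type value 13 to VLAN, which is the value Table 9-1 lists, and a Session-Timeout of 3600 seconds is one hour.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers from Table 9-1 (RFC 2865, RFC 2868, RFC 2869).
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
MESSAGE_AUTHENTICATOR = 80
TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # "Cisco (9,1)" in Table 9-1
TAG = 0x01  # RFC 2868 tag byte grouping the three Tunnel-* attributes (assumed value)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(pair: str) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco (9,1) AV pair such as url-redirect=<URL>."""
    sub = pair.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(sub) + 2) + sub)


def rac_attributes(vlan_name: str, avpairs=(), session_timeout: int = 3600, term_action: int = 1) -> bytes:
    """Attribute set of the sample RACs: revalidation timer, re-auth on timeout, VLAN assignment."""
    return b"".join([
        attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
        attr(TERMINATION_ACTION, struct.pack("!I", term_action)),          # 1 = RADIUS-Request
        attr(TUNNEL_TYPE, bytes([TAG]) + (13).to_bytes(3, "big")),         # 13 = VLAN (RFC 2868)
        attr(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + (6).to_bytes(3, "big")),   # 6 = IEEE 802
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + vlan_name.encode()),
    ] + [cisco_avpair(p) for p in avpairs])


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept with Message-Authenticator (80) and the RFC 2865 Response Authenticator."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # HMAC is computed with the MA value zeroed ...
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()  # ... over the Request Authenticator
    body = attrs + attr(MESSAGE_AUTHENTICATOR, mac)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(data: bytes):
    """Yield (type, value) pairs; reject malformed lengths instead of looping or over-reading."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAD-side check: True only if both authenticators verify against the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    try:
        attrs = list(parse_attributes(body))
    except ValueError:
        return False
    if not hmac.compare_digest(hashlib.md5(header + request_auth + body + secret).digest(), resp_auth):
        return False
    offset = 0
    for atype, val in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, val)
        offset += 2 + len(val)
    return False  # no Message-Authenticator present: treat as unauthenticated


def decode_authorization(packet: bytes) -> dict:
    """Pull the Table 9-1 authorization attributes out of an already verified Access-Accept."""
    out = {}
    for atype, val in parse_attributes(packet[20:]):
        if atype == SESSION_TIMEOUT:
            out["Session-Timeout"] = struct.unpack("!I", val)[0]
        elif atype == TERMINATION_ACTION:
            out["Termination-Action"] = struct.unpack("!I", val)[0]
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out["Tunnel-Type" if atype == TUNNEL_TYPE else "Tunnel-Medium-Type"] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            out["Tunnel-Private-Group-ID"] = (val[1:] if val and val[0] <= 0x1F else val).decode()  # RFC 2868 tag rule
        elif atype == VENDOR_SPECIFIC and len(val) >= 6 and struct.unpack("!IBB", val[:6])[:2] == (CISCO_VENDOR_ID, CISCO_AVPAIR):
            key, _, value = val[6:4 + val[5]].decode().partition("=")
            out.setdefault("cisco-avpair", {})[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample: shared secret and the Request Authenticator of the Access-Request being answered.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    pkt = build_access_accept(7, req_auth, secret,
                              rac_attributes("Quarantine", ["url-redirect=http://remediation.example.invalid/"]))
    print(verify_access_accept(pkt, req_auth, secret), decode_authorization(pkt))
```

The verifier rejects a packet whose Response Authenticator or Message-Authenticator does not match, and it also rejects a packet that carries no Message-Authenticator at all, since without it only the 16-byte Response Authenticator protects the VLAN assignment and redirect URL.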
Step 6: Configure an External Posture Validation Audit Server
A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture validation of the agentless hosts to an audit server. The audit server determines the posture credentials of a host without relying on the presence of a PA.
Configuring an external audit server involves two stages:
• Adding the posture attribute to the ACS internal dictionary.
• Configuring an external posture validation server (audit server).
Add the Posture Attribute to the ACS Dictionary
Before you can create an external posture validation server, you must add one or more vendor attributes to the ACS internal data dictionary. To do this, you use the bin\CSUtil tool, which is located in the ACS installation directory.
To add the posture attributes:
Step 1
Create a text file in the \Utils directory with the following format:
vendor-id=[your vendor id]
vendor-name=[The name of your company]
attribute-name=Dummy-attr
attribute-type=unsigned integer
Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned number that is the first section of the posture token attribute name, [vendor]:6: