
Enterprise Class Teleworker (ECT) Solution

Cisco Virtual Office-AAA Deployment

This deployment guide provides detailed design and implementation information relating to the deployment of the Cisco® Secure Access Control Server (ACS) with the Cisco Virtual Office.
Please refer to the Cisco Virtual Office overview (http://www.cisco.com/go/cvo) for further information about the solution, its architecture, and all of its components.

Hardware Platforms and Software Images

This guide is based on a Cisco 881 Integrated Services Router with wireless running Cisco IOS® Software Release 12.4(20)T. For other Cisco router platforms, the sample configurations may need minor modifications.

Introduction to Cisco Secure ACS

Cisco Secure ACS is a scalable, high-performance RADIUS and TACACS+ security server. As the centralized control point for managing enterprise network users, network administrators, and network infrastructure resources, Cisco Secure ACS provides a comprehensive identity-based network access control solution for Cisco intelligent information networks.
Cisco Secure ACS extends network access security by combining traditional authentication, authorization, and accounting (AAA) with policy control. Cisco Secure ACS enforces a uniform network access security policy for network administrators and other network users.
Cisco Secure ACS supports a broad variety of Cisco and other network access devices (NADs), also known as AAA clients, including:

• Wired and wireless LAN (WLAN) switches and access points

• Edge and core routers

• Dialup and broadband terminators

• Content and storage devices

• Voice over IP (VoIP)

• Firewalls

• VPNs

Figure 1 illustrates the role of the Cisco Secure ACS as a traditional network access control and AAA server.

Figure 1. A Simple AAA Scenario

This guide explains how to configure the Cisco Secure ACS for only Cisco Virtual Office-based features. It explains neither the details nor the complete configurations of the Cisco Secure ACS. Please refer to the following link for complete details about the Cisco Secure ACS http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/Overvw.html#wp817371.

Cisco Secure ACS Solution in Cisco Virtual Office

An access control server is required for different components of the Cisco Virtual Office solution, namely 802.1x, Authentication Proxy (AuthProxy), wireless authentication, and public key infrastructure (PKI)-AAA authentication of routers. The Cisco Secure ACS is hosted on the management network of the Cisco Virtual Office. The server is accessed through the management gateway from the spoke routers. The management gateway is accessed through the secure management tunnel that is configured on the spoke router.
This guide addresses the following features of Cisco Virtual Office that require the Cisco Secure ACS as part of the configuration:

• Authentication Proxy

• PKI

• 802.1x

• Wireless

The AuthProxy feature is used for end-user authentication. The user is allowed access to corporate sites only if valid credentials are provided. The credentials must be verified by a RADIUS server. Upon verification of the credentials, appropriate permit access control entries (ACEs) are downloaded and applied on the remote spoke, giving the user the appropriate level of access.
PKI-AAA authentication can be used for device authentication to check the validity of Cisco Virtual Office routers as part of secure session setup.
Using the 802.1x standard, all IP devices are classified as trusted or nontrusted, based on their 802.1x authentication status. When a new device becomes active on the network, the router initiates an 802.1x exchange. Depending on the 802.1x client running on the user device, the user is prompted for credentials. The supplicant passes the credentials to the router, which uses them to request authentication from a RADIUS server. If the authentication passes, the device is considered trusted and is given more privileges, such as access to the corporate network.
Enterprise WLANs need strong security policies that protect the company from rogue access points, intruders, unauthorized users, and unauthorized viewing of transmitted data. Cisco supports numerous Extensible Authentication Protocol (EAP) types, providing a centrally managed, standards-based, open wireless network security scheme, as well as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA)-based implementations.
For sample configurations for these features, please refer to the respective white papers listed in the "References" section at the end of this document.
In addition to these features, the last section of the guide also addresses how to troubleshoot and monitor the Cisco Secure ACS reports.

Cisco Secure ACS Setup

The Cisco Secure ACS must be installed on a Windows server. For a complete set of installation instructions, please follow the installation guides at the following links:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/windows/preface.html

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guide09186a0080184928.html

You can use the Cisco Secure ACS Appliance for Cisco Virtual Office instead of the Cisco Secure ACS for Windows Server (the software product). The Cisco Secure ACS Appliance provides, as nearly as possible, the same features and functions as the Cisco Secure ACS for Windows Server in a dedicated, security-hardened, application-specific appliance package. For the complete installation and user guides for the Cisco Secure ACS Appliance, please refer to the following links:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203018.html

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_book09186a0080204be1.html

After successful installation of the Cisco Secure ACS, you can access the ACS web interface using a web browser or locally from the Windows server. You can access the Cisco Secure ACS interface from the Windows server by choosing:

• Start -> Programs -> CiscoSecure ACS v4.1 -> ACS Admin

• or by using the URL http://<server-name>:2002 from the web browser.

More information about accessing the web interface for Cisco Secure ACS is available at the following link http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/WebIntr.html#wp419272.
Accessing the Cisco Secure ACS server brings up the interface shown in Figure 2. The web interface layout has a navigation bar on the left pane.
The administrator can select the required tabs from the left navigation bar for configuring the Cisco Secure ACS.

Figure 2. Cisco Secure ACS Interface

Cisco Secure ACS Basic Configuration

You must perform the following steps to configure the Cisco Secure ACS for the basic configuration before you can configure the Cisco Virtual Office features in the server.

1. Create an administrator with all the privileges (Figure 3).

Add an administrator and make sure the appropriate privileges are granted to the administrator:

• Click Administration Control.

• Click Add Administrator.

• Create an administrator name and password.

• Give the administrator all privileges by clicking Grant All.

Figure 3. Administration Control: Add Administrator

The administrator has all the privileges required to manage the Cisco Secure ACS. If required, you can give other users access to the Cisco Secure ACS. Credentials are required the first time the administrator accesses the Cisco Secure ACS interface.
For more information about managing user access for Cisco Secure ACS, please refer to the following link http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/WebIntr.html#wp419272.

2. Define the options for the user interface (Figure 4).

You can configure the options needed for Cisco Secure ACS group attributes. The options selected will be displayed in the group's user interface.

• Go to Interface Configuration.

• Click Advanced Options.

• Select the required options to appear in the user interface:

– User-Level Network Access Restrictions

– User-Level Downloadable ACLs

– Group-Level Password Aging

– Network Device Groups

• Click Submit after selecting the options.

• Go to User Interface

• Make sure the options selected are displayed.

Figure 4. Interface Configuration

3. Configure network device groups (NDGs).

You can use the advanced Network Device Grouping feature to view and administer a collection of network devices as a single, logical group. To simplify administration, you can assign each group a name to refer to all devices within that group. This action creates two levels of network devices within the Cisco Secure ACS: single, discrete devices such as an individual router or network access server, and an NDG, that is, a collection of routers or AAA servers.

a) Add a Cisco Secure ACS (Figure 5).

Add the Windows machine where the Cisco Secure ACS is installed as an AAA server. Following are the steps to add the AAA server under Network Device Groups:

• Go to Network Configuration.

• Select the default network device group.

• Configure the AAA server.

Figure 5. Network Configuration

b) Configure the spoke routers under NDG (Figure 6).

• Go to Network Configuration.

• Select the default network device group.

• Click Add Entry to add AAA clients.

• Add the AAA clients.

• You can add AAA clients on the same subnet by using the wildcard character * (for example, 10.10.10.*).

• Select the RADIUS Authentication as RADIUS (Cisco IOS Software or Cisco PIX® 6.0).

• Click Submit + Apply.

Figure 6. Network Configuration: Add AAA Client

Cisco Secure ACS Configuration for Cisco Virtual Office

Authentication Proxy

Authentication proxy provides a way to identify legitimate users and limit access to the corporate network only to them. Only users who provide correct credentials can access the corporate site. The credentials are verified by an access control server, in which an access control entry (ACE) is configured as an attribute-value pair (AV pair) in the group configuration. When the credentials are validated, the AV pair is downloaded for all the Auth-Proxy users belonging to that group. Additionally, users can belong to different groups that have different AV pairs configured, so users get different access privileges depending on their group.
The following steps describe how to configure the Authentication Proxy for an access control server:

1. Create an Auth-Proxy group in the Cisco Secure ACS (Figure 7).

• Go to Group Setup.

• Select a group from the list of groups.

• Click Rename Group.

• Specify Auth-Proxy as the group name.

• Click Submit.

Figure 7. Group Setup

2. Edit the Auth-Proxy group's settings (Figure 8).

• Go to Group Setup.

• Select the Auth-Proxy group from the group list.

• Click Edit Settings.

• Define any network access restrictions required.

• Add the Cisco IOS Software RADIUS attributes (cisco-av-pair) auth-proxy:priv-lvl=15 and auth-proxy:proxyacl#1=permit ip any any.

• Click Submit + Restart to apply the configuration.

Figure 8. Group Setup: Editing

3. Add a user to the Authentication Proxy group.

Users have to first access a corporate website using a web browser. When a user gains access to a corporate website, that user is prompted with an authentication prompt. The user needs to provide the username and password defined to have access to the corporate network.
Users are added to specific groups in the Cisco Secure ACS. The Group settings define the type of services the user will be authorized to use. To add all the users of Cisco Virtual Office to the Authentication Proxy group, do the following (Figure 9):

• Go to User Setup.

• Add a new user by entering a new username.

• Update the passwords that will be used for user authentication.

• Select the Auth-Proxy group from the list of groups.

• Click Submit.

Figure 9. User Setup
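The following is an added Python example, not part of the Cisco guide, showing how the Auth-Proxy group's cisco-av-pairs (priv-lvl and the proxyacl# entries) become the ordered permit entries applied for a user, and how a flow is then checked against them. The restricted attribute set and flow addresses are constructed, and treating a reply without priv-lvl=15 as an authorization failure is an assumption based on the page's configuration.

```python
# Added example, not from the Cisco guide: how the auth-proxy cisco-av-pairs
# returned for the Auth-Proxy group become the ordered permit entries applied
# on the spoke, and how a flow is checked against them. Flows are constructed.
import ipaddress
import re

PROXYACL_RE = re.compile(r"^proxyacl#(\d+)$")


def parse_auth_proxy_avpairs(avpairs):
    """Return (priv_lvl, [ace, ...]) with ACEs ordered by their # index.
    Attributes outside the auth-proxy: namespace are ignored."""
    priv_lvl = None
    aces = {}
    for pair in avpairs:
        namespace, _, rest = pair.partition(":")
        key, _, value = rest.partition("=")
        if namespace != "auth-proxy":
            continue
        if key == "priv-lvl":
            priv_lvl = int(value)
        match = PROXYACL_RE.match(key)
        if match:
            aces[int(match.group(1))] = value.strip()
    return priv_lvl, [aces[index] for index in sorted(aces)]


def _match_addr(tokens, addr):
    """Consume one ACE address spec (any | host A.B.C.D | A.B.C.D WILDCARD)
    from the front of tokens and test addr against it."""
    kind = tokens.pop(0)
    if kind == "any":
        return True
    value = int(ipaddress.IPv4Address(addr))
    if kind == "host":
        return value == int(ipaddress.IPv4Address(tokens.pop(0)))
    base = int(ipaddress.IPv4Address(kind))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (value & ~wildcard) == (base & ~wildcard)


def ace_matches(ace, proto, src, dst):
    """True/False (the ACE's action) if the entry matches the flow, None if
    it does not apply. Port qualifiers (eq, range) are not handled here."""
    tokens = ace.split()
    action, ace_proto, rest = tokens[0], tokens[1], tokens[2:]
    if ace_proto != "ip" and ace_proto != proto:
        return None
    if not _match_addr(rest, src) or not _match_addr(rest, dst):
        return None
    return action == "permit"


def authorize_flow(avpairs, proto, src, dst):
    """First matching downloaded entry wins; nothing matching means deny.
    Assumption (not stated on the page): a reply without priv-lvl=15 is
    treated as an authorization failure, so no entry is applied."""
    priv_lvl, aces = parse_auth_proxy_avpairs(avpairs)
    if priv_lvl != 15:
        return False
    for ace in aces:
        verdict = ace_matches(ace, proto, src, dst)
        if verdict is not None:
            return verdict
    return False


# The pair the page configures for the Auth-Proxy group.
PAGE_AVPAIRS = ["auth-proxy:priv-lvl=15", "auth-proxy:proxyacl#1=permit ip any any"]

# A constructed, tighter group: TCP to one server plus one corporate subnet.
RESTRICTED_AVPAIRS = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=permit tcp any host 10.1.1.5",
    "auth-proxy:proxyacl#2=permit ip any 10.2.0.0 0.0.255.255",
]

if __name__ == "__main__":
    print(authorize_flow(PAGE_AVPAIRS, "udp", "192.168.1.10", "10.9.9.9"))
    print(authorize_flow(RESTRICTED_AVPAIRS, "udp", "192.168.1.10", "10.1.1.5"))
```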

PKI-AAA Authentication and Authorization

You can strengthen security on the Cisco Virtual Office hub router by configuring PKI-AAA authorization in addition to Certificate Revocation List (CRL) validation for each peer certificate. When a Cisco Virtual Office spoke negotiates an IP Security (IPsec) session with the hub, the hub router extracts a specified field from the peer certificate subject and sends it to a RADIUS server. This field is sent as the username, and the password is preconfigured. The field that is sent as the username is specified in the trustpoint configuration; by default, it is the subject name, which is a fully qualified domain name.
If the RADIUS server has an entry for this username with the password matching the set password, the query returns successfully along with the following Cisco attribute-value pairs configured for that username:

• Certificate use (cert-application)

• Certificate trustpoint (cert-trustpoint)

• Serial number (cert-serial)

• Certificate lifetime (cert-lifetime-end)

Following is a sample Cisco AV pair configuration that can be configured on a Cisco Secure ACS:
cisco-avpair = "pki:cert-application=all"
cisco-avpair = "pki:cert-trustpoint=msca"
cisco-avpair = "pki:cert-serial=16318DB7000100001671"
cisco-avpair = "pki:cert-lifetime-end=1:00 jan 1, 2009"
The RADIUS server returns failure if the record is not found or the password does not match the set password. The peer certificate is not accepted if the RADIUS request fails.
If either or both of cert-trustpoint and cert-serial are specified, the router compares these values with the trustpoint name and serial number extracted from the peer certificate. The certificate is accepted only if these fields match. You can use the cert-lifetime-end value to bypass the actual expiry date of the certificate. This bypass is useful when an expired peer certificate needs to be accepted. Just specify a different date in the attribute-value pair, and the router uses this date for the expiry date calculation.
With the PKI-AAA feature, the hub accepts a certificate only if it has an entry on the RADIUS server. You can temporarily disable the certificate by setting the cert-application value to none.
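As an added example (not from the Cisco guide), the following Python models the hub-side acceptance decision described above, including the cert-trustpoint and cert-serial comparison and the cert-lifetime-end override of the certificate's own expiry. The PeerCert values and check times are constructed, the AV pair strings are the ones shown on the page, and treating a reply without cert-application as "all" is an assumption.

```python
# Added example, not from the Cisco guide: the hub-side acceptance decision
# that the PKI-AAA section describes, applied to the cisco-avpair attributes
# the RADIUS server returns. Certificate values here are constructed; the
# attribute strings are the ones shown on the page.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class PeerCert:
    subject_fqdn: str     # field sent to RADIUS as the username
    trustpoint: str       # trustpoint the peer certificate validated against
    serial_hex: str       # certificate serial number
    not_after: datetime   # expiry taken from the certificate itself


def parse_pki_avpairs(avpairs):
    """Turn strings such as 'pki:cert-serial=1234' into a dict; attributes
    outside the pki: namespace are ignored."""
    attrs = {}
    for pair in avpairs:
        namespace, _, rest = pair.partition(":")
        key, _, value = rest.partition("=")
        if namespace == "pki" and key and value:
            attrs[key] = value.strip()
    return attrs


def parse_lifetime_end(value):
    """cert-lifetime-end in the form the page shows: '1:00 jan 1, 2009'."""
    return datetime.strptime(value, "%H:%M %b %d, %Y")


def accept_peer_cert(cert, radius_ok, avpairs, now):
    """Return (accepted, reason) following the rules in the text:
    RADIUS failure rejects; cert-application=none rejects; cert-trustpoint
    and cert-serial, when present, must match the certificate; and
    cert-lifetime-end, when present, replaces the certificate's own expiry.
    Assumption: a reply without cert-application is treated like 'all'."""
    if not radius_ok:
        return False, "no RADIUS record or password mismatch for " + cert.subject_fqdn
    attrs = parse_pki_avpairs(avpairs)
    if attrs.get("cert-application", "all") == "none":
        return False, "certificate disabled (cert-application=none)"
    if "cert-trustpoint" in attrs and attrs["cert-trustpoint"] != cert.trustpoint:
        return False, "trustpoint mismatch"
    if "cert-serial" in attrs and attrs["cert-serial"].upper() != cert.serial_hex.upper():
        return False, "serial number mismatch"
    expiry = cert.not_after
    if "cert-lifetime-end" in attrs:
        expiry = parse_lifetime_end(attrs["cert-lifetime-end"])
    if now > expiry:
        return False, "expired at " + expiry.isoformat()
    return True, "accepted"


# The AV pairs shown on the page for the Devices Group entry.
PAGE_AVPAIRS = [
    "pki:cert-application=all",
    "pki:cert-trustpoint=msca",
    "pki:cert-serial=16318DB7000100001671",
    "pki:cert-lifetime-end=1:00 jan 1, 2009",
]

# Constructed peer certificate whose own expiry (June 2008) has passed.
SAMPLE_CERT = PeerCert("vpn.cisco.com", "msca", "16318DB7000100001671", datetime(2008, 6, 1))
CHECK_TIME_2008 = datetime(2008, 9, 1)   # after the real expiry, before the override
CHECK_TIME_2009 = datetime(2009, 2, 1)   # after the override date too

if __name__ == "__main__":
    print(accept_peer_cert(SAMPLE_CERT, True, PAGE_AVPAIRS, CHECK_TIME_2008))
    print(accept_peer_cert(SAMPLE_CERT, True, PAGE_AVPAIRS, CHECK_TIME_2009))
```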
Do the following to create a group and configure the username and password that is used as a field in PKI-AAA trustpoint configuration:

1. Create a Devices group for PKI-AAA (Figure 10).

• Go to Group Setup.

• Create a new group Devices Group.

• Scroll down to Cisco IOS/PIX RADIUS Attributes.

• Select the cisco-av-pair and add pki:cert-application=all.

• Click Submit + Restart.

Figure 10. Group Setup

2. Add a device entry to Devices Group (Figure 11).

The Group settings define the type of services the user is authorized to use. All the devices of Cisco Virtual Office are added to the Devices Group (PKI-AAA).

• Go to User Setup.

• Add a new user (username: vpn.cisco.com).

• Update the password (cisco) that will be used for user authentication.

• Select the Devices Group from the list of groups.

• Click Submit.

Figure 11. User Setup

IEEE 802.1x-Based Device Authentication

Using IEEE 802.1x-based device authentication, all IP devices connecting to the router are subject to 802.1x-based credential validation. The device does not get an IP address until the credentials are validated by the Cisco Secure ACS. When validated, the port becomes active and the device gets network access. If the validation fails, the port is shut down.
The authenticator is the Cisco Virtual Office spoke router, and the authentication server is a Cisco Secure ACS.
After the router gathers the credentials from the device, it forwards them to the Cisco Secure ACS for authentication. If the credentials are valid, the port becomes enabled and is attached to the trusted VLAN.
The authentication mechanisms used in Cisco Virtual Office deployment are Extensible Authentication Protocol-Message Digest Algorithm 5-Challenge Handshake Authentication Protocol (EAP-MD5-CHAP), EAP-Protected EAP (EAP-PEAP), and EAP Transport Layer Security (EAP-TLS). The 802.1x supplicant running on the hosts establishes an EAP session with the Cisco Secure ACS and authenticates itself using username and password credentials. The user account needs to be configured on the Cisco Secure ACS. The supplicant needs to be configured to perform the EAP-MD5-Challenge, EAP-PEAP, or EAP-TLS. You can optionally configure EAP-PEAP and EAP-TLS to authenticate the Cisco Secure ACS using digital certificates. In this case you should preload the Cisco Secure ACS with a certificate issued by a certificate server. EAP-TLS authenticates the end host using digital certificates along with user credentials supplied. So each host should have its own certificate from a certificate server that is trusted by the Cisco Secure ACS.
Authentication Setup for 802.1x
Do the following to set up 802.1x authentication (Figure 12):

• Go to System Configuration.

• Click Global Authentication Setup.

• Edit the EAP Configuration.

• Select the PEAP: Allow EAP-MSCHAPv2.

• Select Allow EAP-TLS if certificate-based authentication is needed. (This requires a certificate to be installed on the Cisco Secure ACS; refer to the section "Wireless Authentication" for the certificate installation steps.)

• Click Submit + Restart.

Figure 12. System Configuration: Global Authentication Setup

Wireless Authentication

This section addresses the wireless authentication features in Cisco Virtual Office that are authenticated using a Cisco Secure ACS. It is out of the scope of this document to address all the wireless authentication mechanisms deployed in Cisco Virtual Office. The Secure Wireless deployment guide addresses all the different secure wireless methods and the sample configurations on both the server and client sides. The wireless authentication types used in Cisco Virtual Office are EAP and WPA Pre-Shared Key (WPA-PSK).

Extensible Authentication Protocol

Standard 802.1x enterprise WLAN implementation uses EAP, which provides secure wireless implementation and safeguards against hacker attacks. EAP provides a standard mechanism for supporting various authentication methods over wired and wireless networks. An AAA client (also known as a network access server) such as an access point that supports EAP does not need to understand the specific EAP type used in the EAP authentication process. The network access server tunnels the authentication messages between the peer (user machine trying to authenticate) and the AAA server (such as the Cisco Secure ACS). The network access server is aware only of when the EAP authentication process starts and when it ends.
Cisco supports many authentication types in Cisco IOS Software routers. Some of the methods deployed in Cisco Virtual Office include:

• Cisco LEAP

• PEAP-MS-CHAP Version 2

• PEAP-Generic Token Card (GTC)

• EAP-Flexible Authentication via Secure Tunneling (FAST)

• EAP-TLS

Note: EAP-PEAP and EAP-TLS do not work with local RADIUS in the current Cisco IOS Software Release 12.4(15)T3.

1. Configure the EAP authentication types: LEAP, PEAP, and EAP-TLS (Figure 13).

• Go to System Configuration.

• Click Global Authentication Setup.

• Select PEAP: Allow EAP-MSCHAPv2 and Allow EAP-GTC.

• Select PEAP: Allow EAP-TLS and all the relevant certificate options.

• Click EAP-FAST Configuration.

– Click Allow EAP-FAST.

– Click Allowed Inner Methods: EAP-GTC, EAP-MSCHAPv2.

• Select EAP-TLS and all the relevant certificate options.

• Select LEAP: Allow LEAP.

• Click Submit + Restart.

Figure 13. System Configuration: EAP Configuration

EAP-TLS relies on PKI concepts:

• A WLAN client (that is, a user's machine) requires a valid certificate to authenticate to the WLAN network.

• The Cisco Secure ACS requires a "server" certificate to validate its identity to the clients.

• The certificate-authority-server infrastructure issues certificates to the Cisco Secure ACS(s) and the clients.

You need to configure certificate setup on the Cisco Secure ACS in order to use the EAP-TLS authentication. Following are the steps to do Certificate Setup in the Cisco Secure ACS (Figure 14):

1. Generate a certificate signing request.

• Go to System Configuration.

• Click ACS Certificate Setup.

• Click Generate Certificate Signing Request.

• Specify the certificate subject, private key file, and password.

• Click Submit. It will generate a signing request.

Figure 14. System Configuration: ACS Certificate Setup

2. Install the Cisco ACS certificate (Figure 15).

• Copy and paste the generated certificate request to the Certificate Authority.

• Use the following command-line interface (CLI) command if you are using Cisco IOS Software as the Certificate Authority: crypto pki server <server-name> request pkcs10 terminal pem

• Save the generated cert to a file.

• Go to System Configuration -> ACS Certificate Setup -> Install ACS Certificate.

• Specify the saved file in Read certificate from file.

• Specify the private key file and private key password.

Figure 15. System Configuration: Install ACS Certificate

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA addresses all known WEP vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and small office or home office (SOHO) environments.
You can configure WPA enterprise on the router and use it by assigning a defined group username and password. In the Cisco Virtual Office WPA enterprise deployment, the already defined Auth-Proxy group is used for the username and password credentials. The Secure Wireless deployment guide gives more information about WPA.

Cisco Secure ACS Reports for Cisco Virtual Office

The Cisco Secure ACS produces a variety of logs, and provides a way to view most of these logs in the ACS web interface as HTML reports. This section briefly addresses the Reports and Activity component of the ACS, specifically how to check the different passed and failed authentication logs relevant to solution deployment. For a detailed setup and configuration, please refer to the Cisco Secure Access Control Server user guide "Logs and Reports" section at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/user/guide/r.html.
Do the following to check for passed and failed authentication logs in Cisco Virtual Office (Figure 16):

1. Check for passed authentications.

• Go to Reports and Activity.

• Click Passed Authentications from the left-pane menu.

• Select a passed authentication log file.

Note: Logs are chronologically ordered according to date.

Figure 16. Reports and Activity: Passed Authentications

2. Check for failed authentications (Figure 17).

• Go to Reports and Activity.

• Click Failed Attempts from the left-pane menu.

• Select a failed attempts file.

Note: Logs are chronologically ordered according to date.

Figure 17. Reports and Activity: Failed Authentications

References

• Cisco Virtual Office solution guides and information:

• Cisco Secure Access Control Server: http://www.cisco.com/go/acs

• Cisco Virtual Office Deployment Guide: http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/ns855/deployment_guide_c22-493157.html

• Authentication Proxy Authentication Outbound-No Cisco IOS Firewall or NAT Configuration: http://www/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a00800942fd.shtml

• Implementing Authentication Proxy: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094eb0.shtml

• Deploying 802.1x-Based Port Authentication in the Cisco Virtual Office Solution:

• Cisco IOS Software 802.1x information: http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html

• Public Key Infrastructure Integration with Cisco Virtual Office Solution: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6807/prod_white_paper0900aecd805249e3_ns855_Networking_Solutions_White_Paper.html

• Public Key Infrastructure resource page: http://www.cisco.com/en/US/products/ps6664/products_ios_protocol_option_home.html

• Cisco Secure ACS User Guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/Preface.html

• Cisco Secure ACS Installation Guide: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_installation_guide09186a0080184928.html

• EAP-TLS Deployment Guide for Wireless LAN Networks: http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml