Table Of Contents
NAC Configuration Scenario
Step 1: Install ACS
Step 2: Configure a RADIUS AAA Client
Step 3: Configure the Logging Level
Step 4: Install and Set Up an ACS Security Certificate
Obtain Certificates and Copy Them to the ACS Host
Run the Windows Certificate Import Wizard to Install the Certificate (ACS for Windows)
Enable Security Certificates on the ACS Installation
Install the CA Certificate
Add a Trusted Certificate
Step 5: Configure Remote Web Access
Step 6: Enable Downloadable ACLs and Network Access Filters
Step 7: Configure ACS for PEAP
Step 8: Configure ACS for EAP-FAST
Step 9: Configure Network Access Filtering
Step 10: Configure Logs and Reports
Step 11: Set Up Network Access Profiles
Create a NAP
Step 12: Configure Profile-Based Policies
Configure Protocol Settings
Configure Authentication
Configure Posture Validation
Configure Authorization
Create an Authorization Policy
Define ACLs
Create a RAC
Step 13: Configure Posture Validation for NAC
Configure Internal Posture Validation Policies
Configure External Posture Validation Policies
Configure an External Posture Validation Audit Server
Add the Posture Attribute to the ACS Dictionary
Configure the External Posture Validation Audit Server
Authorization Policy and NAC Audit
Step 14: Set Up Templates to Create NAPs
Sample NAC Profile Templates
Sample NAC Layer 3 Profile Template
Profile Setup
Protocols Policy for the NAC Layer 3 Template
Authentication Policy
Sample Posture Validation Rule
Sample NAC Layer 2 Template
Profile Setup
Protocols Settings
Authentication Policy
Sample Posture Validation Rule
Sample NAC Layer 2 802.1x Template
Profile Setup
Protocols Policy
Authorization Policy
Sample Posture Validation Rule
Sample Wireless (NAC L2 802.1x) Template
Profile Setup
Protocols Policy
Authorization Policy
Sample Posture Validation Rule
Using a Sample Agentless Host Template
Profile Setup
Protocols Policy
Authentication Policy
Step 15: Map Posture Validation Components to Profiles
Step 16: Map an Audit Server to a Profile
Step 17 (Optional): Configure GAME Group Feedback
Import an Audit Vendor file Using CSUtil
Import a Device-Type Attribute File Using CSUtil
Import NAC Attribute-Value Pairs
Configure Database Support for Agentless Host Processing
Enable Posture Validation
Configure an External Audit Server
Enable GAME Group Feedback
NAC Configuration Scenario
This chapter describes how to set up Cisco Secure Access Control Server 4.1, hereafter referred to as ACS, to work in a Cisco Network Admission Control (NAC) environment. This chapter contains the following sections:
•Step 1: Install ACS
•Step 2: Configure a RADIUS AAA Client
•Step 3: Configure the Logging Level
•Step 4: Install and Set Up an ACS Security Certificate
•Step 5: Configure Remote Web Access
•Step 6: Enable Downloadable ACLs and Network Access Filters
•Step 7: Configure ACS for PEAP
•Step 8: Configure ACS for EAP-FAST
•Step 9: Configure Network Access Filtering
•Step 10: Configure Logs and Reports
•Step 11: Set Up Network Access Profiles
•Step 12: Configure Profile-Based Policies
•Step 13: Configure Posture Validation for NAC
•Step 14: Set Up Templates to Create NAPs
•Step 15: Map Posture Validation Components to Profiles
•Step 16: Map an Audit Server to a Profile
•Step 17 (Optional): Configure GAME Group Feedback
Step 1: Install ACS
This section describes the installation process that you perform to run ACS, which runs on a Windows 2000 Server, Windows 2003, or on a Cisco Secure ACS Solution Engine (ACS SE).
For detailed information on ACS installation, refer to the:
•Installation Guide for Cisco Secure ACS for Windows Release 4.1
•Installation Guide for Cisco Secure ACS Solution Engine Release 4.1
To install ACS:
Step 1 Start the ACS installation.
During the installation process, you are prompted to enter a password for encrypting the internal database.
Step 2 Enter a password that is at least 8 characters long, and contains letters and numbers.
The ACS installation process for ACS for Windows automatically creates a shortcut to the ACS administrative GUI on your desktop.
Note If you are installing ACS on the ACS SE, you must manually create an administrative GUI user by using the add-guiadmin command from the CLI to create a GUI account. For information on this command, see Appendix A of the Installation Guide for Cisco Secure ACS Solution Engine 4.1, "Command Reference." You can then access the administrative GUI through a supported browser. For a list of supported browsers, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.1, which is available at:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_tables_list.html
Step 3 Double-click the icon to open a browser window to the ACS administrative GUI.
Step 4 If you do not see the icon on the desktop, open your browser from the machine on which you installed ACS and go to one of these addresses:
•http://IP_address:2002
•http://hostname:2002
where IP_address is the IP address of the host that is running ACS and hostname is the hostname of the host that is running ACS.
Step 2: Configure a RADIUS AAA Client
Before you can configure agentless host support, you must configure a RADIUS AAA client.
To configure a RADIUS AAA client:
Step 1 In the navigation bar, click Network Configuration.
The Network Configuration page opens.
Step 2 Do one of the following:
•If you are using Network Device Groups (NDGs), click the name of the NDG to which you want to assign the AAA client. Then, click Add Entry below the AAA Clients table.
•To add AAA clients when you have not enabled NDGs, click Add Entry below the AAA Clients table.
The Add AAA Client page opens, shown in Figure 7-1.
Figure 7-1 Add AAA Client Page
Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 alphanumeric characters).
Step 4 In the AAA Client IP Address box, type the AAA client IP address or addresses.
Step 5 In the Shared Secret box, type the shared secret key for the AAA client. The shared secret must be identical on the AAA client and ACS. Keys are case sensitive. If the shared secrets do not match, ACS discards all packets from the network device.
Step 6 If you are using NDGs, from the Network Device Group list, select the name of the NDG to which this AAA client should belong, or, select Not Assigned to set this AAA client to be independent of NDGs.
Step 7 Type the shared secret keys for RADIUS Key Wrap in EAP-TLS authentications.
Each key must be unique, and must also be distinct from the RADIUS shared key. You can configure these shared keys for each AAA Client, as well as for each NDG. The NDG key configuration overrides the AAA Client configuration. If the key entry is null, ACS uses the AAA client key. You must enable the Key Wrap feature in the NAP Authentication Settings page to implement these shared keys in EAP-TLS authentication:
a. Key Encryption Key (KEK)—Used for encryption of the Pairwise Master Key (PMK). The maximum length is 20 characters.
b. Message Authenticator Code Key (MACK)—Used for the keyed hashed message authentication code (HMAC) calculation over the RADIUS message. The maximum length is 16 characters.
c. Key Input Format—Click the format of the key, ASCII or hexadecimal strings (the default is ASCII).
Step 8 From the Authenticate Using list, select RADIUS (IOS/PIX).
Step 9 Specify additional AAA client settings as required.
Step 10 Click Submit + Apply.
Step 3: Configure the Logging Level
To set ACS to full logging capabilities:
Step 1 In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2 Click Service Control.
Step 3 Under Level of Detail, click the Full radio button.
Step 4 Check the Manage Directory check box and choose how many days of logging to keep. (Select the number of days based on how much space you have on your hard drive: We recommend that you specify seven days.)
Step 5 Click Restart to restart ACS. (Wait until the browser's progress bar shows that the page has reloaded completely.)
Step 4: Install and Set Up an ACS Security Certificate
This section describes a simplified procedure for the ACS for Windows platform. For detailed information on installing certificates and for information on how to install certificates on the Cisco Secure ACS Solution Engine platform, see Chapter 9 of the User Guide for Cisco Secure ACS 4.1, "Advanced Configuration: Authentication and Certificates."
Obtain Certificates and Copy Them to the ACS Host
To copy a certificate to the ACS host:
Step 1 Obtain a security certificate.
Step 2 Create a \Certs directory on the ACS server.
a. Open a DOS command window.
b. To create a certificates directory, enter:
mkdir <selected_drive>:\Certs
where selected_drive is the currently selected drive.
Step 3 Copy the following files to the \Certs directory:
•server.cer (server certificate)
•server.pvk (server certificate private key)
•ca.cer (CA certificate)
Run the Windows Certificate Import Wizard to Install the Certificate (ACS for Windows)
To run the Windows Certificate Import wizard to install the certificate on the server:
Step 1 Open Windows Explorer.
Step 2 Go to <selected_drive>:\Certs.
Step 3 Double-click the \Certs\ca.cer file.
The Certificate dialog appears.
Step 4 Select Install Certificate.
The Windows Certificate Import wizard starts.
Step 5 To install the certificate, follow the instructions that the wizard displays.
Step 6 Accept the default options for the wizard.
Note Only perform this process once on a Windows 2000 Server.
Enable Security Certificates on the ACS Installation
To enable security certificates on the ACS installation:
Step 1 In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2 Click ACS Certificate Setup.
Step 3 Click Install ACS Certificate.
Step 4 The Install ACS Certificate page opens, as shown in Figure 7-2.
Figure 7-2 Install ACS Certificate Page
Step 5 Click the Read certificate from file radio button.
Step 6 In the Certificate file text box, enter the server certificate location (path and name); for example: c:\Certs\server.cer.
Step 7 In the Private key file text box, type the server certificate private key location (path and name); for example: c:\Certs\server.pvk.
Step 8 In the Private Key password text box, type 1111.
Step 9 Click Submit.
Step 10 ACS displays a message indicating that the certificate has been installed and instructs you to restart the ACS services.
Step 11 Do not restart the services at this time.
Restart the services later, after you have completed the steps for adding a trusted certificate. See Add a Trusted Certificate.
Install the CA Certificate
To install the CA Certificate:
Step 1 Choose System Configuration > ACS Certificate Setup > ACS Certification Authority Setup.
Step 2 The ACS Certification Authority Setup page appears, shown in Figure 7-3.
Figure 7-3 ACS Certification Authority Setup Page
Step 3 In the CA certificate file box, type the CA certificate location (path and name); for example: c:\Certs\ca.cer.
Step 4 Click Submit.
Add a Trusted Certificate
To add a trusted certificate:
Step 1 Choose System Configuration > ACS Certificate Setup > Edit Certificate Trust List.
The Edit Certificate Trust List appears.
Step 2 Locate the trusted certificate that you want to install and check the corresponding check box by the certificate name. For example, find the Stress certificate and check the corresponding check box.
Step 3 Click Submit.
Step 4 To restart ACS, choose System Configuration > Service Control, and then click Restart.
Step 5: Configure Remote Web Access
To prepare ACS for remote administration:
Step 1 In the navigation bar, click Administration Control.
The System Configuration page opens.
Step 2 Click Add Administrator.
The Administration Control page opens, as shown in Figure 7-4.
Figure 7-4 Administration Control Page
Step 3 To add an administrator, click Add Administrator.
The Add Administrator page opens.
Step 4 In the Administrator Details area, complete these fields:
| Option | Description |
|---|---|
| Administrator Name | Enter the login name for the ACS administrator account. Administrator names can contain 1 to 32 characters, but cannot contain the left angle bracket (<), the right angle bracket (>), or the backslash (\). An ACS administrator name does not have to match a network user name. |
| Password | Enter the password for the administrator to access the ACS web interface. The password can match the password that the administrator uses for dial-in authentication, or it can be a different password. ACS enforces the options in the Password Validation Options section on the Administrator Password Policy page. Passwords must be at least 4 characters long and contain at least 1 numeric character. The password cannot include the username or the reverse username, must not match any of the previous 4 passwords, and must consist of ASCII characters. If you make a password error, ACS displays the password criteria. If the password policy changes and the password does not change, the administrator remains logged in; ACS enforces the new password policy at the next login. |
| Confirm Password | Reenter the password that you entered in the Password field. |
| Account Never Expires | If you want to override the lockout options set up on the Administrator Password Policy page (with the exception of manual lockout), check the Account Never Expires check box. If you check this option, the account never expires, but the password change policy remains in effect. The default value is unchecked (disabled). |
| Account Locked | If you want to lock out an administrator who is denied access due to the account policy options specified on the Password Policy page, check the Account Locked check box. When unchecked (disabled), this option unlocks an administrator who was locked out. Administrators who have the Administration Control privilege can use this option to manually lock out an account or reset locked accounts. The system displays a message that explains the reason for a lockout. When an administrator unlocks an account, ACS resets the Last Password Change and the Last Activity fields to the day on which the administrator unlocks the account. The reset of a locked account does not affect the configuration of the lockout and unlock mechanisms for failed attempts. |
Step 5 Click Grant All.
This grants all privileges to the new administrator. Alternatively, specify the groups or actions to which this administrator is granted access.
Note For more information on administrative privileges, see the "Add Administrator and Edit Administrator Pages" section in Chapter 11 of the User Guide for Cisco Secure Access Control Server 4.1, "Administrators and Administrative Policy."
Step 6 Click Submit.
After performing these steps, from a remote host, you can open a browser in which to administer ACS.
The URLs for remote access are:
•http://IP_address:2002
•http://hostname:2002
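To make the administrator name and password rules from this step concrete, here is an added Python checker that applies them to a candidate account; it is example code, not ACS code, and it does not reproduce ACS's own error messages. It assumes the username and reverse-username check is case-insensitive, which the chapter does not specify.

```python
"""Check an administrator name and password against the ACS 4.1 administrator
policy rules stated in this chapter. Added example, not ACS code."""

# Characters the chapter says an administrator name cannot contain.
FORBIDDEN_NAME_CHARS = set("<>\\")


def check_admin_name(name):
    """Return a list of policy violations for an administrator name (empty if OK)."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("name must be 1 to 32 characters")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append("name cannot contain " + " ".join(bad))
    return problems


def check_admin_password(name, password, previous):
    """Return a list of policy violations for a new administrator password.

    `previous` holds the administrator's earlier passwords, newest first; the
    chapter says the new password must not match any of the previous four.
    """
    problems = []
    if len(password) < 4:
        problems.append("password must be at least 4 characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("password must contain at least 1 numeric character")
    if not password.isascii():
        problems.append("password must be ASCII characters only")
    # The username and its reverse are rejected as substrings. Comparing
    # case-insensitively is an assumption of this example.
    lowered = password.lower()
    if name and (name.lower() in lowered or name.lower()[::-1] in lowered):
        problems.append("password cannot include the username or the reverse username")
    if password in previous[:4]:
        problems.append("password must not match any of the previous 4 passwords")
    return problems


def check_admin_account(name, password, previous=()):
    """Convenience wrapper: all violations for a name/password pair."""
    return check_admin_name(name) + check_admin_password(name, password, list(previous))


if __name__ == "__main__":
    # Constructed sample account for a quick local run.
    print(check_admin_account("nacadmin", "nacadmin1"))
    print(check_admin_account("nacadmin", "Str0ngPass", ["Old1pass"]))
```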
Step 6: Enable Downloadable ACLs and Network Access Filters
To enable downloadable access control lists (dACLs) and Network Access Filters (NAFs), which are required to create Network Access Profiles (NAPs):
Step 1 In the navigation bar, click Interface Configuration.
The Interface Configuration page opens.
Step 2 Click ACS Certificate Setup.
The Advanced Options page appears, shown in Figure 7-5.
Figure 7-5 Advanced Options Required to Enable Network Access Profiles
Step 3 Check the check boxes for:
•Group-Level Downloadable ACLs
•Network Access Filtering
Step 4 Click Submit.
Step 7: Configure ACS for PEAP
To configure ACS so that PEAP will work properly with NAC posture validation:
Step 1 In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2 Click Global Authentication Setup.
The Global Authentication Setup Page appears, as shown in Figure 7-6.
Figure 7-6 Global Authentication Setup Page
Step 3 Check the check box for Allow EAP-MSCHAPv2 or Allow EAP-GTC; or, check both check boxes.
Step 4 In the PEAP section, check the Allow Posture Validation check box.
Step 5 Click Submit + Restart.
Step 8: Configure ACS for EAP-FAST
To configure ACS to work with NAC and use EAP-FAST with posture validation:
Step 1 In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2 Click Global Authentication Setup.
The Global Authentication Setup Page appears, as shown in Figure 7-6.
Step 3 Click EAP-FAST Configuration.
The EAP FAST Configuration page appears, as shown in Figure 7-7.
Figure 7-7 EAP-FAST Configuration Page
Step 4 Check the Allow EAP-FAST check box.
Step 5 In the Client Initial Message text box, enter a message, for example, Welcome.
Step 6 In the Authority ID Info field, enter ACS NAC Server.
Step 7 Check the Allow authenticated in-band PAC provisioning check box.
Step 8 Check the Accept client on authenticated provisioning check box.
Step 9 Check the check boxes for the EAP-GTC and EAP-MSCHAPv2 inner methods.
The EAP-FAST Master Server check box is automatically checked (enabled).
Step 10 Click Submit + Restart.
Step 9: Configure Network Access Filtering
To use ACS in a NAC environment, configure network access filtering (NAF).
NAF is an ACS feature that groups several devices into one group. The devices can be ACS clients, ACS servers, ACS network device groups (NDGs), or a specific IP address. NAFs are particularly useful for defining Network Access Profiles (NAPs).
To configure ACS to use NAFs:
Step 1 In the navigation bar, click Interface Configuration.
The Interface Configuration page opens.
Step 2 Click Advanced Options.
Step 3 Check the Network Access Filtering check box.
Click Submit.
Step 4 In the navigation bar, click Shared Profile Components.
The Shared Profile Components page opens.
Step 5 Click Network Access Filtering.
The Network Access Filtering table appears. Initially, this table does not contain shared profile components.
Step 6 Click Add.
The Edit Network Access Filtering page opens, as shown in Figure 7-8.
Figure 7-8 Edit Network Access Filtering Page
Step 7 In the Name text box, enter a name for the network access filter.
Step 8 Move any devices or device groups to the Selected Items list.
To move a device or device group, select the item to move and then click the right arrow button to move it to the Selected Items list.
Step 9 Click Submit.
Step 10: Configure Logs and Reports
ACS logs records of users who gain network access or are refused network access. The ACS reports summarize these logs, and provide useful information for debugging and tracking problems.
The Passed Authentications report is particularly useful in NAC-enabled networks because it shows the group mapping for each posture validation request. By default, the Passed Authentications report is unchecked (disabled).
To enable the Passed Authentication report:
Step 1 In the navigation bar, click System Configuration.
The System Configuration page opens.
Step 2 Click Logging.
The Logging Configuration page opens.
Step 3 In the ACS Reports table, click the Configure link for the CSV Passed Authentications report.
The CSV Passed Authentications File Configuration page opens, as shown in Figure 7-9.
Figure 7-9 CSV Passed Authentications File Configuration Page
Step 4 Check the Log to CSV Passed Authentications Report check box.
Step 5 Move the attributes that you want to log from the Attributes list to Logged Attributes list.
Some useful attributes to log are:
•cisco-av-pair attributes starting with PA and A
•Profile Name
•Reason
•System-posture-token
•Application-posture-token
Step 6 Click Submit.
Step 11: Set Up Network Access Profiles
A NAP, also known as a profile, is a way to classify access requests according to the AAA clients' IP addresses, membership in a network device group, protocol types, or other specific RADIUS attribute values sent by the network device through which the user connects.
If you configure NAPs, ACS traverses the ordered list of active profiles, and maps a RADIUS transaction to a profile by using a first-match strategy on the first access-request of the transaction.
After you set up a profile, you associate a set of rules or policies with it, to reflect your organization's security policies. These associations are called profile-based policies. Configuring a profile-based policy includes creating rules for:
•Protocols
•Authentication
•Posture validation
•Authorization
A profile is a classification of network access requests for applying a common policy.
You can create a profile in two ways:
•Manually, by selecting options in the NAP configuration pages.
•By using the sample NAC templates provided with ACS 4.1 to start a profile and then editing the profile as required for your installation.
When you set up a NAP, you can configure:
•Profile name
•Description
•The Active flag, which determines whether this profile is active or inactive
•Classification by NAF selection
•Classification by protocol selection
•Classification by advanced filtering (Boolean expression that comprises RADIUS attributes and values)
ACS uses three conditions to determine how an access request is classified and mapped to a profile. ACS selects the profile when all three conditions match. For each condition, you can substitute the value Any to always match the condition.
You can classify (filter) a user request by choosing a NAF from the list of existing NAFs. You configure NAF objects in the Shared Profile Components pages.
You can use protocol types to choose one or more protocol types as a filter. The protocol types are a subset of the vendor-specific attributes (VSAs) that a network access server supports. ACS 4.1 does not support the TACACS+ protocol for NAPs.
You can use Advanced Filtering to create a specific rule that contains one or more RADIUS attributes and values. The Advanced Filtering rules are based on a Boolean AND expression that uses RADIUS attributes to examine the request packet.
Each NAP contains a name, description, active flag and a set of classifications that you use to rank an access request based on different parameters.
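The profile classification described above, as an added Python model that is not ACS code: profiles are walked in order, inactive ones are skipped, and the first profile whose NAF, protocol-type and advanced-filter conditions all match wins, with Any matching anything. The request fields, NAF membership, protocol-type labels and the sample profile table are constructed for this example.

```python
"""Model of how ACS 4.1 maps an access request to a Network Access Profile.
Added example; the data structures below are constructed, not ACS data."""

from dataclasses import dataclass, field

ANY = "Any"   # the wildcard value a classification can be set to


@dataclass
class Request:
    """The parts of a RADIUS Access-Request that NAP classification looks at."""
    client_ip: str                 # address of the AAA client that sent it
    ndg: str                       # network device group of that AAA client
    protocol: str                  # protocol type label (constructed names)
    attributes: dict = field(default_factory=dict)   # other RADIUS attributes


@dataclass
class NAF:
    """A Network Access Filter: a group of AAA clients, NDGs or IP addresses."""
    name: str
    members: set = field(default_factory=set)   # NDG names or IP addresses

    def matches(self, req):
        return req.client_ip in self.members or req.ndg in self.members


@dataclass
class Profile:
    name: str
    active: bool
    naf: object = ANY                 # a NAF instance, or ANY
    protocols: object = ANY           # a set of protocol-type labels, or ANY
    # Advanced filtering: RADIUS attribute/value pairs joined by Boolean AND.
    advanced_filter: dict = field(default_factory=dict)

    def matches(self, req):
        """All three classifications must match for the profile to be selected."""
        if self.naf is not ANY and not self.naf.matches(req):
            return False
        if self.protocols is not ANY and req.protocol not in self.protocols:
            return False
        # Every attribute in the filter must be present with exactly that value.
        return all(req.attributes.get(k) == v for k, v in self.advanced_filter.items())


def classify(profiles, req):
    """First-match over the ordered profile list; returns a name or None."""
    for profile in profiles:
        if profile.active and profile.matches(req):
            return profile.name
    return None


# Constructed sample configuration.
WIRED_NAF = NAF("wired-access-switches", {"Campus-Switches", "10.1.1.5"})
PROFILES = [
    Profile("Wireless-NAC", True, naf=NAF("wlcs", {"Wireless-Controllers"}),
            protocols={"NAC-L2-802.1x"}),
    Profile("Wired-NAC", True, naf=WIRED_NAF,
            protocols={"NAC-L2-802.1x", "NAC-L2-IP"}),
    Profile("Agentless", False, naf=WIRED_NAF, protocols={"Agentless"}),
    Profile("Catch-All", True, advanced_filter={"Service-Type": "Framed"}),
]

if __name__ == "__main__":
    req = Request("10.1.1.5", "Campus-Switches", "NAC-L2-IP", {"Service-Type": "Framed"})
    print(classify(PROFILES, req))   # → Wired-NAC (first match wins over Catch-All)
```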
Create a NAP
To create a NAP:
Step 1 In the navigation bar, click Network Access Profiles.
The Network Access Profiles page opens. Initially, the list of Network Access Profiles is empty.
Step 2 Click Add.
The Profile Setup page opens, as shown in Figure 7-10.
Figure 7-10 Profile Setup Page
Step 3 Enter a name for the profile.
Step 4 If you want to activate the profile now, check the Active check box.
Step 5 To select the protocols that the profile will be used with, click the Allow Selected Protocol types radio button, and then move one or more protocols to the Selected area.
Step 6 Click Submit.
Step 12: Configure Profile-Based Policies
After you create a profile, configure the policies to associate with that profile. The available policies are:
•Protocols—The protocols with which the selected profile is used.
•Authentication—The set of configuration policies that are related to authentication mechanisms.
•Posture Validation —Settings that define how posture validation will be performed.
•Authorization —An optional set of authorization rules. If you do not specify authorization policies, ACS defaults to the global configuration setting of authorizing by user-groups.
To configure profile-based policies:
Step 1 In the navigation bar, click Network Access Profiles.
The Edit Network Access Profiles page opens, as shown in Figure 7-11.
Figure 7-11 Edit Network Access Profiles Page
Step 2 Click a profile option to configure.
•Protocols—To configure protocol settings, see Configure Protocol Settings.
•Authentication—To configure authentication settings, see Configure Authentication.
•Posture Validation—To configure posture validation, see Configure Posture Validation.
•Authorization—To configure authorization, see Configure Authorization.
Configure Protocol Settings
To configure protocol settings:
Step 1 On the Network Access Profiles page, click Protocols.
The Protocols Settings page for the selected profile opens.
Step 2 In the EAP section, check the Allow Posture Validation check box.
Step 3 Check the Enable EAP-FAST check box.
Step 4 If you are using agentless host processing, check the Allow Agentless Host Processing check box.
Step 5 Click Submit.
Configure Authentication
The Authentication page for a specified profile controls how a profile authenticates matched requests and which user-validation databases ACS uses for authentication.
The Authentication page lists the databases that were configured in the External User Databases section. These databases are mapped to ACS user groups based on the mapping rules defined in External User Databases > Databases Group Mapping.
To configure profile authentication settings:
Step 1 In the Edit Network Access Profiles page for the profile that you want to edit, click Authentication.
The Edit Authentication page for the selected profile opens. Figure 7-12 shows an example.
Figure 7-12 Edit Authentication Page for a Selected Profile
Step 2 Select one or more databases from the list of Available Databases and click the right arrow button to move them to the list of Selected databases.
Step 3 If you are configuring a MAC authentication bypass (MAB), see Configure MAB, page 4-20 for instructions on configuring MAB.
Configure Posture Validation
Posture validation rules define how ACS performs posture validation. Each posture validation rule specifies a condition and associated actions. The condition contains a set of required credential types, and the action contains a list of external posture validation servers (optional) and internal posture validation policies.
Posture Validation rules also contain:
•The name for the rule.
•A mandatory credential that defines the mandatory credential types that activate this rule.
•Local policies.
•A list of external servers that ACS queries for information that it uses to calculate a posture token.
•Posture Agent (PA) messages that are returned to the client for each token.
•URL redirect information that is sent to the network access device for each token.
ACS evaluates posture rules by using a first-match strategy. ACS calculates the "worst" token that is returned based on the selected internal policies and information that the external posture servers send.
If the client is a nonresponsive host (NRH), ACS uses a specified audit server to audit the client.
Audit Servers are Cisco and third-party servers that determine posture information about a host without relying on the presence of a PA. These types of hosts are also called agentless hosts. The Cisco PA is called the Cisco Trust Agent. ACS uses audit servers to assess posture validation based on an organization's security policy.
Configure Authorization
A profile-based authorization policy is a set of conditions that ACS uses to authenticate users to the network. ACS associates the conditions that you specify in the authorization policy with actions that determine which RAC and downloadable ACLs are returned to the network device.
When you configure an authorization policy, you can also specify whether access to the network is denied for a specific user group; or, in a NAC network, denied based on a returned posture token. Authorization policies are tied not only to the user identity, but also to the profile type to which a user is mapped and the posture of the machine used to access the network.
Note In a non-NAC network, leave the assessment result simply as Any (the default).
An authorization rule has this form:
If (user-group = selected-user-group and posture-token = selected-posture-token),
then provision (selected-RAC and selected-dACL)
You can also use the authorization rules to explicitly deny (send an access-reject) as an action. If you check the Include RADIUS attributes from user-group/user check box, ACS merges the RADIUS attributes defined in the user configuration, user-groups, and RAC. This process is:
1. ACS adds all nonconflicting attributes from all sources.
2. If a conflict occurs between the RADIUS attributes, ACS uses the attribute from the highest priority sources, where priority is assigned (from high to low):
a. User
b. RAC
c. User-group
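The authorization rule form and the attribute merge order above, plus the "worst token" calculation from the posture validation section, as an added Python model that is not ACS code. The rule table, RACs and attribute sets are constructed; the posture token names and their order from best to worst are the standard NAC tokens, which this chapter does not list, so that ordering is an assumption of the example.

```python
"""Worked model of profile-based authorization in ACS 4.1: worst application
token becomes the system posture token, the first matching rule provisions a
RAC and dACL (or denies), and RADIUS attributes are merged with priority
user record > RAC > user group. Added example, not ACS code."""

# Posture tokens from best to worst (assumed standard NAC order); the list
# index is used as the "badness" score.
TOKEN_ORDER = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]
ANY = "Any"


def system_posture_token(application_tokens):
    """ACS reports the worst token returned by any policy or external server."""
    if not application_tokens:
        return "Unknown"          # assumption: no posture data at all is Unknown
    return max(application_tokens, key=TOKEN_ORDER.index)


def match_rule(rules, user_group, token):
    """First-match over the ordered rules. A rule is a dict with user_group and
    posture_token (either may be ANY) and either deny=True or rac/dacl names."""
    for rule in rules:
        if rule["user_group"] in (ANY, user_group) and rule["posture_token"] in (ANY, token):
            return rule
    return {"deny": True}         # nothing matched: send an access-reject


def merge_radius_attributes(user, rac, group):
    """Merge attribute sources; on a conflict the higher-priority source wins."""
    merged = dict(group)          # lowest priority first ...
    merged.update(rac)            # ... RAC overrides the user group ...
    merged.update(user)           # ... and the user record overrides both
    return merged


def authorize(rules, user_group, app_tokens, user_attrs, racs, group_attrs):
    """Return (access_accept, merged RADIUS attributes, dACL name or None)."""
    token = system_posture_token(app_tokens)
    rule = match_rule(rules, user_group, token)
    if rule.get("deny"):
        return False, {}, None
    rac_attrs = racs.get(rule["rac"], {})
    attrs = merge_radius_attributes(user_attrs, rac_attrs, group_attrs)
    return True, attrs, rule["dacl"]


# Constructed sample policy: healthy or checkup employees get the normal VLAN,
# any quarantined host goes to remediation, infected hosts are rejected, and
# anything else falls through to the implicit deny.
RULES = [
    {"user_group": "Employees", "posture_token": "Healthy", "rac": "RAC-Employee", "dacl": "ACL-Full"},
    {"user_group": "Employees", "posture_token": "Checkup", "rac": "RAC-Employee", "dacl": "ACL-Full"},
    {"user_group": ANY, "posture_token": "Quarantine", "rac": "RAC-Quarantine", "dacl": "ACL-Remediation"},
    {"user_group": ANY, "posture_token": "Infected", "deny": True},
]
RACS = {
    "RAC-Employee": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                     "Tunnel-Private-Group-ID": "employees", "Session-Timeout": "3600"},
    "RAC-Quarantine": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                       "Tunnel-Private-Group-ID": "quarantine", "Session-Timeout": "300"},
}
GROUP_ATTRS = {"Session-Timeout": "86400", "Idle-Timeout": "600"}

if __name__ == "__main__":
    print(authorize(RULES, "Employees", ["Healthy", "Checkup"], {}, RACS, GROUP_ATTRS))
```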
Create an Authorization Policy
To create an authorization policy for a profile:
Step 1 On the Network Access Profiles page, click Authorization.
The Edit Authorization Rules page for the selected profile opens. Figure 7-13 shows an example.
Figure 7-13 Edit Authorization Policy Page
Step 2 Click Add Rule to add a line.
Step 3 Choose a User Group, System Posture Token, Shared RAC, and Downloadable ACL.
Note You must edit the default authorization rule if you do not check the Include RADIUS attributes from user's group and Include RADIUS attributes from user record check boxes.
Step 4 Add additional authorization rules as required.
Step 5 Click Submit.
Step 6 Click Apply and Restart.
Define ACLs
In ACS 4.1, you can download access lists to specific devices or device groups.
You can define an access list that contains one or more ACLs and later download the list to network devices, based on their assignments to user groups. Before you define ACLs, enable downloadable ACLs.
To define an ACL:
Step 1 Choose Shared Profile Components > Downloadable IP ACLs.
A list of downloadable IP ACLs appears, as shown in Figure 7-14:
Figure 7-14 Downloadable IP ACL List
Step 2 Click Add.
The Edit Downloadable IP ACLs page opens, as shown in Figure 7-15.
Figure 7-15 Downloadable IP ACLs Page
Each Assessment Result (system posture token), according to its definition, should have its own ACL, which contains one or more Access Control Entries (ACEs) that will instruct the NAC network device (router) to block packets from going to a specific destination or allow packets to reach a specific destination.
Step 3 On the Downloadable IP ACLs page, enter a Name and optional Description for the ACL.
Note Do not use spaces in the name of the ACL. IOS does not accept ACL names that include spaces.
Step 4 Click Add (below the ACL table of contents) to add a new Access Control Entry (ACE) to the ACL and assign it to a NAF.
The Downloadable IP ACL Content page opens, as shown in Figure 7-16.
Figure 7-16 Downloadable IP ACL Content Page
Step 5 In the Name text box, type the ACL name.
Step 6 In the ACL Definitions input box, type definitions for the ACL.
ACL definitions consist of a series of permit and deny statements that permit or deny access for specified hosts. For information on the syntax for ACL definitions, see the "Downloadable ACLs" section of Chapter 4 of the User Guide for Cisco Secure Access Control Server 4.1, "Shared Profile Components."
Step 7 Click Submit.
Note Before configuring the ACL on ACS, you should test the syntax on the device to ensure that each ACE is valid.
The Downloadable ACL page appears with the new ACL in the ACL Contents list, as shown in Figure 7-17.
Figure 7-17 Downloadable ACL Contents List with New Content
Step 8 From the drop-down list in the Network Access Filtering column of the ACL Contents table, choose the correct NAF for this ACL.
You perform this action to enable the downloading of different ACEs for different devices or a group of devices. For example, the syntax of an ACE on routers differs from the syntax on a Project Information Exchange (PIX) firewall. By using a NAF, you can assign the same ACL to a PIX and a router, even though the actual ACE that is downloaded is different.
Step 9 Click Submit.
The new ACL appears on the list of downloadable ACLs.
Create a RAC
Shared RADIUS Authorization Components (RACs) contain groups of RADIUS attributes that you can dynamically assign to user sessions based on a policy. For example, you can create a RAC that gathers RADIUS attributes to define a VLAN. By using NAP configuration, you can define a policy that ACS uses to apply conditions specified in Network Access Filters (grouped NDGs), and in posture assessment rules to the shared RAC.
To define RACs:
Step 1 Select the appropriate Tunneling RADIUS attributes in the Advanced Options page:
a. Choose Interface Configuration > RADIUS (IETF).
b. Choose the Tunnel attributes as shown in Figure 7-18.
Figure 7-18 Tunnel Attributes for RACs Used in NAC Configuration
c. Click Submit.
d. Restart ACS to enable the new settings.
To restart the system, choose System Configuration > Service Control and then click Restart.
Step 2 To add a RAC:
a. Choose Shared Profile Components > RADIUS Authorization Components.
The RADIUS Authorization Components page for Tunnel type (64) opens, as shown in Figure 7-19.
Figure 7-19 RADIUS Authorization Components Page
b. Enter a Name and Description in the RADIUS Authorization Components page.
c. From the IETF lists, select Tunnel type (64) and click Add.
The RAC Attribute Add/Edit page opens, as shown in Figure 7-20.
Figure 7-20 RAC Attribute Add/Edit Page
d. Click Submit.
Step 3 Add Tunnel-Medium-Type = 802(6), Tunnel-Private-Group-ID = <vlan name>, or any other attribute that is required to define a VLAN.
Step 4 Click Submit.
Step 13: Configure Posture Validation for NAC
This section describes how to set up simple posture validation for a NAC-enabled network. You can create internal policies that ACS uses to validate the posture data or you can configure ACS to send the posture data to an external posture validation server.
Configure Internal Posture Validation Policies
An internal posture validation policy is an internal attribute policy that you can use in more than one profile. The result of an internal posture validation policy is a Posture Assessment (token) returned according to rules that you set.
To create an internal posture validation policy:
Step 1 In the navigation bar, click Posture Validation.
The Posture Validation Components Setup page opens.
Step 2 Click Internal Posture Validation Setup.
The Posture Validation page opens, which lists any existing posture validation policies.
Step 3 Choose Add Policy.
The Edit Posture Validation page opens.
Step 4 Enter a name for the policy.
Step 5 Enter a Description (optional).
Step 6 Click Submit.
A new internal policy is created with a default rule. Figure 7-21 shows an example policy.
Figure 7-21 Creating a New Posture Validation Policy
Step 7 To edit the default rule:
a. Click on the Default link.
b. Choose a new Posture Assessment and Notification String for the default rule.
Step 8 To add a new rule:
a. Click Add Rule.
The Edit Posture Rule page appears, as shown in Figure 7-22. Initially no conditions are available for the rule.
Figure 7-22 Edit Posture Validation Rule Page
b. Click Add Condition Set.
c. The Add/Edit Condition page appears, as shown in Figure 7-23.
Figure 7-23 Add/Edit Condition Page
d. From the Attribute drop-down list, choose an Attribute value.
e. From the Operator drop-down list, choose a condition.
f. In the Value text box, enter a value for the condition.
g. Click Enter.
The specified condition appears in the Add/Edit Condition page, as shown in Figure 7-23.
h. Enter additional conditions as required.
i. Click Submit.
j. Click Apply and Restart to apply the new posture validation rule(s).
For information on creating advanced rules, see Configure Posture Validation.
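The rule model described above (ordered rules, each with a condition set of Attribute/Operator/Value entries, and a Default rule that supplies the token when nothing matches) can be exercised offline with the following added example. It is not ACS code; the attribute names AV:Dat-Version and AV:Scan-Engine-Enabled and all sample values are constructed, and it assumes that a missing attribute never satisfies a condition.

```python
"""Evaluate an internal posture validation policy the way the ACS rule
page describes it: ordered rules, each with a condition set that must
hold entirely; the first satisfied rule supplies the posture token and
notification string, otherwise the Default rule does.

Added illustration, not ACS code.  Attribute names (AV:Dat-Version,
AV:Scan-Engine-Enabled) and all values are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str  # posture attribute name as it appears in the Attribute list
    operator: str   # "=", "!=", ">", "<", ">=", "<=", "contains", "starts-with", "regex"
    value: str


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # the condition set: every entry must hold
    token: str                   # posture assessment returned on match
    notification: str = ""       # notification string sent with the token


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default_token: str = "Unknown"               # the Default rule's token
    default_notification: str = "No rule matched"


def _as_version(text: str) -> Optional[Tuple[int, ...]]:
    """Dotted numeric strings (signature/engine versions) compare as int tuples,
    so "4.100" is newer than "4.12"; a plain string comparison gets that wrong."""
    if re.fullmatch(r"\d+(\.\d+)*", text):
        return tuple(int(p) for p in text.split("."))
    return None


def condition_holds(cond: Condition, attrs: Dict[str, str]) -> bool:
    # Assumption: an attribute missing from the posture data never satisfies a condition.
    if cond.attribute not in attrs:
        return False
    actual, expected = attrs[cond.attribute], cond.value
    va, ve = _as_version(actual), _as_version(expected)
    a, e = (va, ve) if va is not None and ve is not None else (actual, expected)
    op = cond.operator
    if op == "=":
        return a == e
    if op == "!=":
        return a != e
    if op == ">":
        return a > e
    if op == "<":
        return a < e
    if op == ">=":
        return a >= e
    if op == "<=":
        return a <= e
    if op == "contains":
        return expected in actual
    if op == "starts-with":
        return actual.startswith(expected)
    if op == "regex":
        return re.search(expected, actual) is not None
    raise ValueError(f"unsupported operator: {op!r}")


def evaluate(policy: Policy, attrs: Dict[str, str]) -> Tuple[str, str, str]:
    """Return (token, notification, rule name) for the given posture attributes."""
    for rule in policy.rules:
        if all(condition_holds(c, attrs) for c in rule.conditions):
            return rule.token, rule.notification, rule.name
    return policy.default_token, policy.default_notification, "Default"


# Constructed sample policy: current signatures and a running engine are
# Healthy; stale signatures are quarantined with a remediation message.
SAMPLE_POLICY = Policy(
    name="NAC-SAMPLE-POLICY",
    rules=[
        Rule("av-current",
             [Condition("AV:Dat-Version", ">=", "4.12"),
              Condition("AV:Scan-Engine-Enabled", "=", "1")],
             "Healthy", "Antivirus is up to date"),
        Rule("av-stale",
             [Condition("AV:Dat-Version", "<", "4.12")],
             "Quarantine", "Update antivirus signatures before network access is restored"),
    ],
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, {"AV:Dat-Version": "4.100", "AV:Scan-Engine-Enabled": "1"}))
```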
Configure External Posture Validation Policies
An external posture validation policy uses an external server that returns a posture assessment (token) to ACS according to data that the ACS forwards to this server.
To set up an external posture validation server:
Step 1 In the Posture Validation Components Setup page, click External Posture Validation Setup.
Step 2 The Edit External Posture Validation Servers page opens, as shown in Figure 7-24.
Figure 7-24 Edit External Posture Validation Servers Page
Initially, the list of external posture validation servers is empty.
Step 3 Click Add Server.
The Add/Edit External Posture Validation Server page appears, as shown in Figure 7-25.
Figure 7-25 Add/Edit External Posture Validation Server Page
Step 4 Enter a Name and Description (optional).
Step 5 Enter the server details, URL, User, Password, Timeout, and certificate (if required by the antivirus server).
Step 6 Click Submit.
Configure an External Posture Validation Audit Server
A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS can defer the posture validation of the agentless hosts to an audit server. The audit server determines the posture credentials of a host without relying on the presence of a PA.
Configuring an external audit server involves two stages:
•Adding the posture attribute to the ACS internal dictionary.
•Configuring an external posture validation server (audit server).
Add the Posture Attribute to the ACS Dictionary
Before you can create an external posture validation server, you must add one or more vendor attributes to the ACS internal data dictionary. To do this, you use the bin\CSUtil tool, which is located in the ACS installation directory.
To add the posture attributes:
Step 1 Create a text file in the \Utils directory with the following format:
vendor-id=[your vendor id]
vendor-name=[The name of your company]
attribute-name=Dummy-attr
attribute-type=unsigned integer
Your vendor ID should be the Internet Assigned Numbers Authority (IANA)-assigned number that is the first section of the posture token attribute name, [vendor]:6:
Step 2 To install the attributes specified in the text file:
a. Open a DOS command window.
b. Enter the following command:
\<ACS_Install_Dir>\bin\CSUtil -addAVP [file_name]
where ACS_Install_Dir is the name of the ACS installation directory and file_name is the name of the text file that contains vendor attributes.
Step 3 Restart the CSAdmin, CSLog, and CSAuth services.
Configure the External Posture Validation Audit Server
You can configure an audit server once, and then use it for other profiles.
To configure an audit server:
Step 1 In the Posture Validation Components Setup page, click External Posture Validation Audit Setup.
Step 2 Click Add Server.
The External Posture Validation Audit Server Setup page appears, as shown in Figure 7-26.
Figure 7-26 External Posture Validation Audit Server Setup Page
Step 3 To configure the audit server:
a. Enter a Name and Description (optional).
b. In the Which Hosts Are Audited section, choose what hosts you want to audit. You can enter the host IP or MAC addresses for the hosts that you want to audit or for a host that you do not want to audit.
c. For the hosts that will not be audited, choose a posture token from the drop-down list.
d. Scroll down to the Use These Audit Servers section.
Figure 7-27 shows the Use These Audit Servers section of the External Posture Validation Server Setup page.
Figure 7-27 Use These Audit Servers Section
e. In the Use These Audit Servers section, enter the Audit Validation Server information, Audit Server vendor, URL, and password.
Figure 7-28 shows the Audit Flow Settings and the GAME Group Feedback section.
Figure 7-28 Audit Flow Settings and GAME Group Feedback Sections
f. If required, in the Audit Flow Setting section, set the audit-flow parameters.
g. If you are configuring GAME group feedback to support agentless host configuration in the NAC environment, configure the settings in the GAME Group Feedback section.
For information on configuring GAME Group Feedback settings, see Enable GAME Group Feedback.
h. Click Submit.
Authorization Policy and NAC Audit
Audit servers define two types of posture assessments (tokens):
•A temporary posture assessment is used as the in-progress assessment. ACS grants the in-progress posture assessment to the agentless host while the audit server is processing the audit on the host and does not yet have a final result.
•A final posture assessment is the posture assessment that the audit server returns after it completes the auditing process.
Note To configure the authorization policy to work with the audit server, at least two RACs or downloadable ACLs are required: one for the in progress posture assessment and one for the final posture assessment. You should use a separate RAC or downloadable ACL for each token.
Step 14: Set Up Templates to Create NAPs
ACS 4.1 provides several profile templates that you can use to configure common usable profiles. In NAC-enabled networks, you can use these predefined profile templates to configure commonly used profiles. This section describes the templates provided in ACS 4.1.
Sample NAC Profile Templates
ACS 4.1 provides the following sample profile templates for NAC:
•NAC Layer 3 profile template (NAC L3 IP)
•NAC Layer 2 profile template (NAC L2 IP)
•NAC Layer 2 802.1x template (NAC L2 802.1x)
•Wireless (NAC L2 802.1x) template
In addition to these templates, ACS 4.1 provides two templates for agentless host processing that you can use in NAC installations:
•Agentless Host for Layer 3 profile template
•Agentless Host for Layer 2 (802.1x) profile template
Sample NAC Layer 3 Profile Template
This template creates a profile for Layer 3 NAC requests. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.
To create a Layer 3 NAC profile template:
Step 1 Check the check boxes for the following options in the Global Authentication Setup page:
•Allow Posture Validation
•EAP-FAST
•EAP-FAST MS-CHAPv2
•EAP-FAST GTC
Step 2 In the navigation bar, click Network Access Profiles.
The Network Access Profiles page opens.
Step 3 Click Add Template Profile.
The Create Profile from Template page opens, as shown in Figure 7-29.
Figure 7-29 Create Profile From Template Page
Step 4 Enter a Name and Description (optional).
Step 5 From the Template drop-down list, choose NAC L3 IP.
Step 6 Check the Active check box.
Step 7 Click Submit.
If no error appears, then you have created a profile that can authenticate Layer 3 NAC hosts.
The Edit Network Access Profile page opens, and the new profile appears in the Name column.
The predefined values for the Layer 3 NAC template include:
•Profile Setup options
•Protocols
•A sample posture validation policy
•Authentication policy
Step 8 To select a predefined set of values, click on one of the configuration options:
•The profile name (to select the profile setup page for the profile)
•Protocols
•Authentication Policy
•Sample Posture Validation Rules
Profile Setup
To use the Profile Setup settings from the template:
Step 1 In the navigation bar, click Network Access Profiles.
Step 2 Choose the profile that you created.
Step 3 The Profile Setup page appears, as shown in Figure 7-30.
Figure 7-30 Profile Setup Page for Layer 3 NAC Template
The default settings for the profile are:
•Any appears in the Network Access Filter field, which means that this profile has no IP filter.
You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.
•Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.
•You can click the Allow Selected Protocol types option to specify a protocol type for filtering.
•Two rules are configured in Advanced Filtering:
[026/009/001]Cisco-av-pair = aaa:service=ip admission
These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.
Protocols Policy for the NAC Layer 3 Template
Figure 7-31 shows the Protocols settings for the NAC Layer 3 template.
Figure 7-31 Protocols Setting for NAC Layer 3 Template
In the EAP Configuration section, Posture Validation is enabled.
Authentication Policy
To configure authentication policy:
Step 1 In the navigation bar, select Network Access Profiles.
Step 2 Choose the Authentication link from the Policies column.
The Authentication page for the profile opens, as shown in Figure 7-32.
Figure 7-32 Authentication Page for Layer 3 NAC Profile Template
On this page, you can see the Layer 3 NAC template configuration for authentication:
Step 3 Specify the external database that ACS uses to perform authentication:
a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.
b. To specify a LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.
c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.
Sample Posture Validation Rule
Figure 7-33 shows the sample posture validation policy provided with the NAC Layer 3 template.
Figure 7-33 Sample Posture Validation Policy for NAC Layer 3 Template
Sample NAC Layer 2 Template
This template creates a profile for Layer 2 NAC requests.
Before you use the Layer 2 NAC profile template:
1. Select EAP-FAST Configuration in Global Authentication Settings.
2. Check (enable) the Allow authenticated in-band PAC provisioning.
3. Check (enable) EAP-GTC and EAP-MSCHAPv2.
To create a Layer 2 NAC profile template:
Step 1 In the navigation bar, click Network Access Profiles.
The Network Access Profiles page opens.
Step 2 Click Add Template Profile.
Step 3 Enter a Name and Description (optional).
Step 4 From the Template drop-down list, choose NAC L2 IP.
Step 5 Check the Active check box.
Step 6 Click Submit.
If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts and the Profile Setup page for the NAC Layer 2 template appears.
The predefined values for the Layer 2 NAC template include:
•Profile Setup
•Protocols settings
•Authentication policy
•A sample posture validation rule
The name of this policy is NAC-EXAMPLE-POSTURE-EXAMPLE.
Step 7 To select a configuration option, click the option name.
Profile Setup
To enable the profile setup:
Step 1 Go to Network Access Profiles.
Step 2 Choose the Profile that you created.
The Profile Setup page appears, as shown in Figure 7-34.
Figure 7-34 Profile Setup Page for NAC Layer 2 Template
The default settings for the profile are:
•Any appears in the Network Access Filter field, which means that this profile has no IP filter.
You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.
•Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.
•You can select the Allow Selected Protocol types option to specify a protocol type for filtering.
•Two rules are configured in Advanced Filtering:
[026/009/001]Cisco-av-pair = aaa:service=ip admission
These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.
This template automatically sets Advanced Filtering and Authentication properties with NAC Layer 2 IP Configuration.
ACS and Attribute-Value Pairs
When you enable NAC Layer 2 IP validation, ACS provides NAC AAA services by using RADIUS. ACS gets information about the antivirus credentials of the endpoint system and validates the antivirus condition of the endpoint.
You can set these Attribute-Value (AV) pairs on ACS by using the RADIUS cisco-av-pair vendor-specific attributes (VSAs).
•Cisco Secure-Defined-ACL—Specifies the names of the downloadable ACLs on the ACS. The switch gets the ACL name from the Cisco Secure-Defined-ACL AV pair in this format:
#ACL#-IP-name-number
where name is the ACL name and number is the version number, such as 3f783768.
ACS uses the Auth-Proxy posture code to check if the switch has downloaded access-control entries (ACEs) for the specified downloadable ACL. If the switch has not downloaded the ACEs, ACS sends an AAA request with the downloadable ACL name as the username so that the switch downloads the ACEs. The downloadable ACL is then created as a named ACL on the switch. This ACL has ACEs with a source address of Any and does not have an implicit Deny statement at the end. When the downloadable ACL is applied to an interface after posture validation is complete, the source address is changed from any to the host source IP address. The ACEs are prepended to the downloadable ACL that is applied to the switch interface to which the endpoint device is connected.
If traffic matches the Cisco Secure-Defined-ACL ACEs, ACS takes appropriate actions required by NAC.
•url-redirect and url-redirect-acl—Specifies the local URL policy on the switch. The switches use these cisco-av-pair VSAs:
— url-redirect = <HTTP or HTTPS URL>
— url-redirect-acl = switch ACL name
These AV pairs enable the switch to intercept an HTTP or Secure HTTP (HTTPS) request from the endpoint device and forward the client web browser to the specified redirect address from which the latest antivirus files can be downloaded. The url-redirect AV pair on the ACS contains the URL to which the web browser will be redirected. The url-redirect-acl AV pair contains the name of an ACL which specifies the HTTP or HTTPS traffic to be redirected. The ACL must be defined on the switch. Traffic which matches a permit entry in the redirect ACL will be redirected.
If the host's posture is not healthy, ACS might send these AV pairs.
For more information about AV pairs that Cisco IOS software supports, see the documentation about the software releases that run on the AAA clients.
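The following added example (not ACS or switch code) parses the NAC AV pairs described above, splitting a #ACL#-IP-name-number reference into its ACL name and hex version number and checking that url-redirect carries an HTTP or HTTPS URL and arrives together with url-redirect-acl. It assumes the downloadable ACL pair is carried as "ACS:CiscoSecure-Defined-ACL=..." (the "ACS:" prefix is treated as optional); the sample pairs are constructed.

```python
"""Parse the NAC cisco-av-pair VSAs an Access-Accept can carry and check
them before they are acted on: the downloadable ACL reference in the
#ACL#-IP-name-number form (name plus hex version number) and the
url-redirect / url-redirect-acl pair.

Added illustration, not ACS or switch code.  Assumption: the ACL pair is
carried as "ACS:CiscoSecure-Defined-ACL=..." (the "ACS:" prefix is optional
here); the sample pairs below are constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

ACL_PREFIX = "#ACL#-IP-"


def parse_defined_acl(value: str) -> Tuple[str, str]:
    """Split '#ACL#-IP-<name>-<version>' into (name, version).
    The version is the hex number after the last hyphen, e.g. 3f783768;
    the name itself may contain hyphens, so split from the right."""
    if not value.startswith(ACL_PREFIX):
        raise ValueError(f"not a downloadable ACL reference: {value!r}")
    body = value[len(ACL_PREFIX):]
    name, sep, version = body.rpartition("-")
    if not sep or not name:
        raise ValueError(f"missing name or version in {value!r}")
    try:
        int(version, 16)
    except ValueError:
        raise ValueError(f"version {version!r} is not hexadecimal") from None
    return name, version.lower()


def parse_nac_av_pairs(pairs: List[str]) -> Dict[str, object]:
    """Return the access policy the pairs describe plus any problems found."""
    result: Dict[str, object] = {"downloadable_acls": [], "url_redirect": None,
                                 "url_redirect_acl": None, "errors": []}
    acls: List[Tuple[str, str]] = result["downloadable_acls"]  # type: ignore[assignment]
    errors: List[str] = result["errors"]  # type: ignore[assignment]
    for pair in pairs:
        key, sep, value = pair.partition("=")  # first "=" only; URLs may contain more
        if not sep:
            errors.append(f"malformed pair: {pair!r}")
            continue
        key = key.strip().lower()
        if key.startswith("acs:"):
            key = key[4:]
        key = key.replace(" ", "")  # "Cisco Secure-Defined-ACL" -> "ciscosecure-defined-acl"
        value = value.strip()
        if key == "ciscosecure-defined-acl":
            try:
                acls.append(parse_defined_acl(value))
            except ValueError as exc:
                errors.append(str(exc))
        elif key == "url-redirect":
            # The redirect target must be an HTTP or HTTPS URL; reject anything else.
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.netloc:
                result["url_redirect"] = value
            else:
                errors.append(f"url-redirect is not an HTTP(S) URL: {value!r}")
        elif key == "url-redirect-acl":
            result["url_redirect_acl"] = value
        # any other cisco-av-pair value is not NAC policy and is ignored here
    if (result["url_redirect"] is None) != (result["url_redirect_acl"] is None):
        errors.append("url-redirect and url-redirect-acl must be sent together")
    return result


# Constructed Access-Accept content for a host that must remediate
SAMPLE_PAIRS = [
    "ACS:CiscoSecure-Defined-ACL=#ACL#-IP-nac-quarantine-3f783768",
    "url-redirect=https://remediation.example.com/update",
    "url-redirect-acl=redirect-acl",
]

if __name__ == "__main__":
    print(parse_nac_av_pairs(SAMPLE_PAIRS))
```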
Default ACLs
If you configure NAC Layer 2 IP validation on a switch port, you must also configure a default port ACL on a switch port. You should also apply the default ACL to IP traffic for hosts that have not completed posture validation.
If you configure the default ACL on the switch and the ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host that is connected to a switch port. If the policy applies to the traffic, the switch forwards the traffic. If the policy does not apply, the switch applies the default ACL. However, if the switch gets a host access policy from the ACS, but the default ACL is not configured, the NAC Layer 2 IP configuration does not take effect.
When ACS sends the switch a downloadable ACL that specifies a redirect URL as a policy-map action, this ACL takes precedence over the default ACL that is already configured on the switch port. The default ACL also takes precedence over the policy that is already configured on the host. If the default port ACL is not configured on the switch, the switch can still apply the downloadable ACL from ACS.
You use this template for access requests from Layer 2 devices that do not have the 802.1x client installed. The Authentication Bypass (802.1x fallback) template is used for access requests to bypass the nonclient authentication process. Users are mapped to a User Group based on their identity.
Note Do not click the Populate from Global button; otherwise, the settings for this authentication field will be inherited from the settings in the Global Authentication Setup in System Configuration.
Protocols Settings
Figure 7-35 shows the Protocols settings for the NAC Layer 2 template.
Figure 7-35 Protocols Setting for NAC Layer 2 Template
On this page, you can see the Layer 2 NAC template configuration for protocols. The default settings are:
•In the EAP Configuration area, posture validation is enabled.
•Allow EAP-Fast Configuration is checked, which means that this profile allows EAP-FAST authentication.
Authentication Policy
To set the authentication policy:
Step 1 In the navigation bar, click Network Access Profiles.
Step 2 Choose the Authentication link from the Policies column.
The Authentication Settings page for the NAC Layer 2 template opens, as shown in Figure 7-36.
Figure 7-36 Authentication Settings for NAC Layer 2 Template
Step 3 Specify the external database that ACS uses to perform authentication:
a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.
b. To specify a LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.
c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.
Sample Posture Validation Rule
Figure 7-37 shows the sample posture validation rule provided with the NAC Layer 2 template.
Figure 7-37 Sample Posture Validation Policy for NAC Layer 2 Template
Sample NAC Layer 2 802.1x Template
This template creates a profile for Layer 2 NAC 802.1x requests. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.
To create a Layer 2 NAC 802.1x profile template:
Step 1 In the navigation bar, click Network Access Profiles.
The Network Access Profiles page opens.
Step 2 Click Add Template Profile.
The Create Profile from Template page opens, as shown in Figure 7-38.
Figure 7-38 Create Profile From Template Page
Step 3 Enter a Name and Description (optional).
Step 4 From the Template drop-down list, choose NAC L2 802.1x.
Step 5 Check the Active check box.
Step 6 Click Submit.
If no error appears, then you have created a Profile that can authenticate Layer 2 NAC hosts.
The Edit Network Access Profile page opens, and the new profile appears in the Name column.
The predefined values for the Layer 2 NAC 802.1x template include:
•Profile Setup
•Protocols
•A sample posture validation policy
•Authentication policy
Step 7 To select a predefined set of values, click on one of the configuration options:
•The profile name (to select the profile setup page for the profile)
•Protocols
•Authentication Policy
•Sample Posture Validation Rules
Profile Setup
To use the Profile Setup settings from the template:
Step 1 In the navigation bar, click Network Access Profiles.
Step 2 Choose the profile that you created.
Step 3 The Profile Setup page appears, as shown in Figure 7-39.
Figure 7-39 Profile Setup Page for NAC Layer 2 802.1x Template
The default settings for the profile are:
•Any appears in the Network Access Filter field, which means that this profile has no IP filter.
You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.
•Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.
•You can select the Allow Selected Protocol types option to specify a protocol type for filtering.
•Two rules are configured in Advanced Filtering:
[026/009/001]Cisco-av-pair = aaa:service=ip admission
These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.
Protocols Policy
Figure 7-40 shows the Protocols settings for the NAC Layer 2 802.1x template.
Figure 7-40 Protocols Setting for NAC Layer 2 802.1x Template
In the EAP Configuration section, Posture Validation is enabled.
Authorization Policy
To configure an authorization policy for the NAC Layer 2 802.1x template:
Step 1 Go to Network Access Profiles.
Step 2 Choose the Authorization link from the Policies column.
The Authentication page for the NAC Layer 2 802.1x template profile appears, as shown in Figure 7-41.
Figure 7-41 Authentication Page for NAC Layer 2 802.1x Profile Template
On this page, you can see the Layer 2 NAC 802.1x template configuration for authorization.
Step 3 Specify the external database that ACS uses to perform authentication:
a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.
b. To specify a LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.
c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.
Sample Posture Validation Rule
Figure 7-42 shows the sample posture validation policy provided with the NAC Layer 2 802.1x template.
Figure 7-42 Sample Posture Validation Policy for NAC Layer 2 802.1x Template
Sample Wireless (NAC L2 802.1x) Template
This template creates a profile for Layer 2 NAC 802.1x requests in wireless networks. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.
To create a wireless (NAC L2 802.1x) NAC profile template:
Step 1 In the navigation bar, click Network Access Profiles.
The Network Access Profiles page opens.
Step 2 Click Add Template Profile.
The Create Profile from Template page opens, as shown in Figure 7-43.
Figure 7-43 Create Profile From Template Page
Step 3 Enter a Name and Description (optional).
Step 4 From the Template drop-down list, choose Wireless (NAC L2 802.1x).
Step 5 Check the Active check box.
Step 6 Click Submit.
If no error appears, then you have created a Profile that can authenticate wireless NAC Layer 2 802.1x hosts.
The Edit Network Access Profile page opens, and the new profile is listed in the Name column.
The predefined values for the NAC Layer 2 802.1x template include:
•Profile Setup
•Protocols
•A sample posture validation policy
•Authentication policy
Step 7 To select a predefined set of values, click on one of the configuration options:
•The profile name (to select the profile setup page for the profile)
•Protocols
•Authentication Policy
•Sample Posture Validation Rules
Profile Setup
To use the Profile Setup settings from the template:
Step 1 Go to Network Access Profiles.
Step 2 Choose the profile that you created.
Step 3 The Profile Setup page appears, as shown in Figure 7-44.
Figure 7-44 Profile Setup Page for Wireless (NAC L2 802.1x) Template
The default settings for the profile are:
•Any appears in the Network Access Filter field, which means that this profile has no IP filter.
You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.
•Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.
•You can click the Allow Selected Protocol types option to specify a protocol type for filtering.
•Two rules are configured in Advanced Filtering:
[026/009/001]Cisco-av-pair = aaa:service=ip admission
These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.
Protocols Policy
Figure 7-45 shows the Protocols settings for the Wireless (NAC L2 802.1x) template.
Figure 7-45 Protocols Setting for Wireless NAC 802.1x Template
In the EAP Configuration section, Posture Validation is enabled.
Authorization Policy
To configure an authorization policy for the Wireless NAC Layer 2 802.1x template:
Step 1 Go to Network Access Profiles.
Step 2 Choose the Authorization link from the Policies column.
The Authentication page for the profile appears, as shown in Figure 7-46.
Figure 7-46 Authorization Page for Wireless (NAC L2 802.1x) Profile Template
On this page, you can see the Wireless (NAC L2 802.1x) template configuration for authentication:
Step 3 Specify the external database that ACS uses to perform authentication:
a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.
b. To specify a LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.
c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.
Sample Posture Validation Rule
Figure 7-47 shows the sample posture validation policy provided with the Wireless (NAC L2 802.1x) template.
Figure 7-47 Sample Posture Validation Policy for Wireless (NAC L2 802.1x) Template
Note The posture validation policy for the wireless NAC L2 802.1x template is the same as for the NAC L2 802.1x template.
Using a Sample Agentless Host Template
ACS 4.1 provides two sample templates for agentless host processing:
•Agentless Host for L3
•Agentless Host for L2 (802.1x fallback)
These two templates are almost identical. This section documents the steps for using the Agentless Host for Layer 3 template.
Note You can use the Agentless Host for L2 (802.1x Fallback) profile template to create a profile that matches a RADIUS request a switch sends. Once the profile is created, an analysis of the RADIUS packet that comes from the Catalyst 6500 must be done to create an accurate match for the profile. The RADIUS request from the switch has a Service Type value of 10, just like NAC-L2-IP; but does not have a Cisco Attribute Value Pair (AV pair) that contains the keyword service. Therefore, the template enables two entries in the Advanced Filtering section.
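The following added example (not ACS code) shows how an Advanced Filtering rule written the way the template Profile Setup sections show it, [026/009/001]Cisco-av-pair = aaa:service=ip admission, is matched against a RADIUS request, and why a Catalyst request that carries Service-Type 10 but no aaa:service AV pair, as in the note above, falls through to an agentless profile. Assumptions: IETF attributes are addressed as [006]Service-Type (attribute number only); a profile matches when all its rules hold; "=" and "contains" hold if any instance of a repeated attribute satisfies them and "!=" holds only if none equals the value; profiles are tried in order with the first match winning; the agentless profile's rules and both requests are constructed.

```python
"""Match RADIUS requests against NAP Advanced Filtering rules.

Added illustration, not ACS code.  Rules are parsed from the text form the
templates show, e.g. [026/009/001]Cisco-av-pair = aaa:service=ip admission,
where 026 is Vendor-Specific, 009 the Cisco vendor id and 001 cisco-av-pair.
Assumptions: IETF attributes are written [006]Service-Type; a profile matches
when every rule holds; "=" / "contains" hold if any instance of a repeated
attribute satisfies them, "!=" only if no instance equals the value; the first
matching profile in order wins.  Profiles and requests below are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class RadiusAttr(NamedTuple):
    number: int              # IETF attribute number, 26 for Vendor-Specific
    vendor: Optional[int]    # vendor id for VSAs (9 = Cisco), else None
    vsa_type: Optional[int]  # vendor attribute type (1 = cisco-av-pair), else None
    value: str


class FilterRule(NamedTuple):
    number: int
    vendor: Optional[int]
    vsa_type: Optional[int]
    name: str
    operator: str
    value: str


_RULE_RE = re.compile(
    r"^\[(?P<num>\d{3})(?:/(?P<vendor>\d{3})/(?P<vsa>\d{3}))?\]"
    r"(?P<name>[\w-]+)\s*(?P<op>!=|=|contains)\s*(?P<value>.*)$")


def parse_rule(text: str) -> FilterRule:
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an advanced filtering rule: {text!r}")
    vendor = int(m["vendor"]) if m["vendor"] else None
    vsa = int(m["vsa"]) if m["vsa"] else None
    return FilterRule(int(m["num"]), vendor, vsa, m["name"], m["op"], m["value"].strip())


def rule_holds(rule: FilterRule, request: List[RadiusAttr]) -> bool:
    # Collect every instance of the addressed attribute; cisco-av-pair repeats.
    instances = [a.value for a in request
                 if (a.number, a.vendor, a.vsa_type) == (rule.number, rule.vendor, rule.vsa_type)]
    if rule.operator == "=":
        return any(v == rule.value for v in instances)
    if rule.operator == "contains":
        return any(rule.value in v for v in instances)
    if rule.operator == "!=":
        return all(v != rule.value for v in instances)  # true when the attribute is absent
    raise ValueError(f"unsupported operator: {rule.operator!r}")


def profile_matches(rules: List[str], request: List[RadiusAttr]) -> bool:
    return all(rule_holds(parse_rule(r), request) for r in rules)


def select_profile(profiles: List[Tuple[str, List[str]]],
                   request: List[RadiusAttr]) -> Optional[str]:
    """Return the name of the first profile whose rules all hold, else None."""
    for name, rules in profiles:
        if profile_matches(rules, request):
            return name
    return None


# Constructed profile list: the NAC L2 IP rule as the template shows it, then an
# agentless profile keyed on Service-Type 10 without the aaa:service pair (assumed rules).
PROFILES = [
    ("NAC L2 IP", ["[026/009/001]Cisco-av-pair = aaa:service=ip admission"]),
    ("Agentless Host L2", ["[006]Service-Type = 10",
                           "[026/009/001]Cisco-av-pair != aaa:service=ip admission"]),
]

# Constructed requests: one from a NAC-L2-IP switch port, one from an agentless host
NAC_L2_IP_REQUEST = [RadiusAttr(6, None, None, "10"),
                     RadiusAttr(26, 9, 1, "aaa:service=ip admission")]
AGENTLESS_REQUEST = [RadiusAttr(6, None, None, "10")]

if __name__ == "__main__":
    print(select_profile(PROFILES, NAC_L2_IP_REQUEST), select_profile(PROFILES, AGENTLESS_REQUEST))
```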
The Agentless Host for Layer 3 template creates a profile for Layer 3 requests that involve agentless host processing. Before you use this template, you should choose System Configuration > Global Authentication Setup and check the Enable Posture Validation check box.
To create an agentless host for Layer 3 profile template:
Step 1 In the navigation bar, click Network Access Profiles.
The Network Access Profiles page opens.
Step 2 Click Add Template Profile.
The Create Profile from Template page opens, as shown in Figure 7-48.
Figure 7-48 Create Profile From Template Page
Step 3 Enter a Name and Description (optional).
Step 4 From the Template drop-down list, choose Agentless Host for L3.
Step 5 Check the Active check box.
Step 6 Click Submit.
If no error appears, then you have created a profile that can authenticate Layer 3 NAC hosts.
The Edit Network Access Profile page opens, and the new profile is listed in the Name column.
The predefined values for the Agentless Host for Layer 3 template include:
•Profile Setup
•Protocols
•A sample posture validation policy
•Authentication policy
Step 7 To select a predefined set of values, click on one of the configuration options.
•The profile name (to select the profile setup page for the profile)
•Protocols
•Authentication Policy
•Sample Posture Validation Rules
Profile Setup
To use the Profile Setup settings from the template:
Step 1 Go to Network Access Profiles.
Step 2 Choose the profile that you created.
Step 3 The Profile Setup page appears, as shown in Figure 7-49.
Figure 7-49 Profile Setup Page for Agentless Host for Layer 3 Template
The default settings for the profile are:
•Any appears in the Network Access Filter field, which means that this profile has no IP filter.
You can choose NAFs from the drop-down list, so that only specific host IPs match this profile.
•Allow any Protocol type appears in the Protocol types list, which means that no protocol type filter exists for this profile.
•You can click the Allow Selected Protocol types option to specify a protocol type for filtering.
•Two rules are configured in Advanced Filtering:
[026/009/001]Cisco-av-pair = aaa:service=ip admission
These rules specify that the associated profile policies authenticate and authorize each RADIUS request that matches the attribute's rules. You can change the advanced filter, and add, remove, or edit any RADIUS attribute that the RADIUS client sends.
Protocols Policy
Figure 7-50 shows the Protocols settings for the Agentless Host for Layer 3 template.
Figure 7-50 Protocols Setting for Agentless Host for Layer 3 Template
In the Authentication Protocols section, check Agentless Host processing.
Authentication Policy
To configure an authentication policy for the Agentless Host for Layer 3 template:
Step 1 Go to Network Access Profiles.
Step 2 Choose the Authentication link from the Policies column.
The Authentication page for the profile appears, as shown in Figure 7-51.
Figure 7-51 Authentication Page for Agentless Host for Layer 3 Profile Template
On this page, you can see the Agentless Host for Layer 3 template configuration for authentication:
Step 3 Specify the external database that ACS uses to perform authentication:
a. To keep the default setting (ACS uses its internal database), click the Internal ACS DB radio button.
b. To specify an LDAP server, click the LDAP Server radio button and then, from the drop-down list, choose an LDAP server.
c. From the If Agentless request was not assigned a user-group drop-down list, choose a user group to which ACS assigns a host that is not matched to a user group.
Step 15: Map Posture Validation Components to Profiles
To add an internal posture validation policy, external posture validation server, or both, to a profile:
Step 1 Choose Network Access Profiles.
Step 2 Choose the relevant profile Posture Validation policy.
Step 3 Click Add Rule.
Step 4 Enter a Name for the rule.
The Add/Edit Posture Validation Rule page for the specified rule appears, as shown in Figure 7-52.
Figure 7-52 Add/Edit Posture Validation Rule Page
Step 5 Choose the Required Credential Types.
Step 6 In the Select External Posture Validation Server section, select the policies or server that you want to map to this profile. To select a:
•Posture Server, check the check box next to the server name.
•Policy, check the check box next to a policy in the Failure Action column.
Step 7 Click Submit.
Step 8 Click Back to return to the Posture Validation policy.
Step 9 Click Apply + Restart.
Step 16: Map an Audit Server to a Profile
To add an external posture validation audit server to a profile:
Step 1 Choose Network Access Profiles.
Step 2 Click the Protocols link for the relevant Posture Validation Policy.
The Protocols Settings page for the selected policy opens.
Step 3 Check the Allow Agentless Request Processing check box.
Step 4 Click Submit.
Step 5 Click the Posture Validation link for the relevant profile Posture Validation policy.
Step 6 Click Select Audit.
The Select External Posture Validation Audit Server page opens, as shown in Figure 7-53.
Figure 7-53 Select External Validation Audit Server Page
Step 7 Select the audit server to use.
Step 8 To specify a Fail Open configuration to use if the audit fails:
a. Check the Do not reject when Audit failed check box.
b. From the Use this Posture Token when unable to retrieve posture data drop-down list, choose a posture token to apply if the audit fails.
c. Enter a timeout value in seconds.
d. If you want to specify a user group to which to assign the supplicant if the audit fails, check the Assign a User Group check box and then from the Assign a User Group drop-down list, choose a user group.
Step 9 Click Submit.
Step 10 Click Done.
Step 11 Click Apply and Restart.
Step 17 (Optional): Configure GAME Group Feedback
If you are using ACS in a NAC environment with agentless hosts, then you must configure GAME group feedback.
To configure GAME group feedback:
Step 1 Import an audit vendor file by using CSUtil.exe.
See Import an Audit Vendor file Using CSUtil for details.
Step 2 Import a device-type attribute file by using CSUtil.exe.
See Import a Device-Type Attribute File Using CSUtil for details.
Step 3 Import NAC attribute-value pairs.
See Import NAC Attribute-Value Pairs for details.
Step 4 Configure database support for agentless host processing.
The database that you use can be an external LDAP database (preferred) or the ACS internal database. See Configure Database Support for Agentless Host Processing for details.
Step 5 Enable Posture Validation.
See Enable Posture Validation for details.
Step 6 Configure an external audit server.
See Configure an External Audit Server for details.
Step 7 Enable GAME Group feedback.
To enable GAME Group feedback, in the external audit server posture validation setup section, configure:
•Which hosts are audited
•GAME group feedback
•Device-type retrieval and mapping for vendors who have a device attribute in the RADIUS dictionary
See Enable GAME Group Feedback for details.
Step 8 Set up a device group policy.
See Enable GAME Group Feedback for details.
Import an Audit Vendor file Using CSUtil
For information on importing an audit vendor file by using CSUtil.exe, see the "Adding a Custom RADIUS Vendor and VSA Set" section in Appendix D of the User Guide for Cisco Secure Access Control Server 4.1, "CSUtil Database Utility."
Import a Device-Type Attribute File Using CSUtil
Before you can configure GAME group feedback, you must import an attribute file that contains a device-type attribute.
The format of a text file that sets up a device-type attribute is:
vendor-id=<the vendor identifier number>
vendor-name=<the name of the vendor>
attribute-name=Device-Type
To import the file:
Step 1 Save the text file that sets up the device-type attribute in an appropriate directory.
Step 2 Open a DOS command window.
Step 3 Enter:
CSUtil -addAVP <device-type filename>
where device-type filename is the name of the text file that contains the device-type attribute.
Step 4 Restart ACS:
a. In the navigation bar, click System Configuration.
b. Click Service Control.
c. Click Restart.
Import NAC Attribute-Value Pairs
To import NAC attribute-value pairs:
Step 1 Obtain a NAC attribute-value pairs file.
Step 2 Import the file by using CSUtil.exe.
a. Start a DOS command window.
b. Enter:
CSUtil -addAVP <NAC AV-pair filename>
where NAC AV-pair filename is the name of the text file that contains the NAC attribute-value pairs.
Step 3 Restart ACS:
a. In the navigation bar, click System Configuration.
b. Click Service Control.
c. Click Restart.
Configure Database Support for Agentless Host Processing
The database that you use can be an external LDAP database (preferred) or the ACS internal database.
For information on configuring database support for agentless host processing, see Step 4: Configure LDAP Support for MAB, page 4-9 in Chapter 4, "Agentless Host Support Configuration Scenario".
Enable Posture Validation
You must enable posture validation in two places:
•In the Global Authentication page, as part of the configuration for PEAP.
•In the EAP configuration section of the Protocols page for the Network Access Profile that enables agentless host support.
Configure an External Audit Server
For detailed instructions on configuring an external audit server, see Configure an External Posture Validation Audit Server.
Enable GAME Group Feedback
To enable GAME Group feedback:
Step 1 On the External Posture Validation Audit Server Setup page, in the GAME Group Feedback section, check the Request Device Type from Audit Server check box.
If this check box is not available, define an audit device type attribute for the vendor in the internal ACS dictionary.
ACS for Windows:
With ACS for Windows, you use the CSUtil.exe command. For detailed information, see "Posture Validation Attributes" in Appendix D of the User Guide for Cisco Secure ACS.
ACS Solution Engine:
With ACS Solution Engine, you use the NAC Attributes Management page in the web interface. See "NAC Attribute Management (ACS Solution Engine Only)" in Chapter 8 of the User Guide for Cisco Secure ACS for more information.
Step 2 If you want to configure a default destination group that ACS uses if the audit server does not return a device type, check the Assign This Group if Audit Server Did not Return a Device-Type check box.
You should now add entries to the group assignment table. The group assignment table is a list of rules that set conditions that determine the user group to which to assign a particular device type that is returned from the audit server.
Step 3 Click Add to display the group assignment table and add a device-type feedback rule.
The group assignment table appears, as shown in Figure 7-54.
Figure 7-54 GAME Group Feedback Section with Group Assignment Table
Step 4 Specify the following in the group assignment table:
•User Group—Lists all user groups, including Any. The device type that the MAC authentication returns is initially compared with this list of device types.
•Match Condition—Valid values for the operator are:
–match-all
–=
–!=
–contains
–starts-with
–regular-expression
•Device Type—Defines the comparison criteria for the User Group by using an operator and device type. Valid values for the device type drop-down list include:
–Printer
–IP Phone
–Network Infrastructure
–Wireless Access Point
–Windows
–UNIX
–Mac
–Integrated Device
–PDA
–Unknown
Note Type a device type in the text box if the device type drop-down list does not contain a particular device.
•Assign User Group—A drop-down list of administrator-defined user groups. If the comparison of the initial User Group with the Device Type succeeds, ACS will assign this user group.
Step 5 To add additional policies, click Add.
Step 6 To delete a policy, select the policy and click Delete.
Step 7 To move the policies up and down in the group assignment table, click the Up and Down buttons.
Step 8 When you finish setting up policies for group assignment, click Submit.
Step 9 Click Apply and Restart.
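The following is an added example, not code from the guide or from ACS, that models how the group assignment table above is evaluated: rules are walked top to bottom (so the Up and Down ordering matters), a rule applies only when its User Group is Any or the group the host was initially placed in, the six match conditions are applied to the device type the audit server returned, and a missing device type falls back to the default destination group. The rule table, group names and the case-sensitive comparison semantics are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Match conditions listed for the group assignment table in this guide.
OPERATORS = ("match-all", "=", "!=", "contains", "starts-with", "regular-expression")


@dataclass(frozen=True)
class FeedbackRule:
    user_group: str    # group agentless (MAC) authentication placed the host in, or "Any"
    operator: str      # one of OPERATORS
    device_type: str   # value compared against the device type the audit server returns
    assign_group: str  # group assigned when the rule matches


def _compare(op: str, actual: str, expected: str) -> bool:
    """Apply one table operator. Assumed: exact, case-sensitive string comparison."""
    if op == "match-all":
        return True
    if op == "=":
        return actual == expected
    if op == "!=":
        return actual != expected
    if op == "contains":
        return expected in actual
    if op == "starts-with":
        return actual.startswith(expected)
    if op == "regular-expression":
        return re.search(expected, actual) is not None
    raise ValueError(f"unknown match condition: {op!r}")


def assign_group(rules, initial_group: str, device_type: Optional[str],
                 default_group: Optional[str] = None) -> str:
    """First matching rule wins. device_type=None models an audit server that
    returned no device type; default_group models the 'Assign This Group if
    Audit Server Did not Return a Device-Type' setting (None = not configured)."""
    if device_type is None:
        return default_group if default_group else initial_group
    for rule in rules:
        if rule.user_group not in ("Any", initial_group):
            continue  # rule only applies to hosts that started in this user group
        if _compare(rule.operator, device_type, rule.device_type):
            return rule.assign_group
    return initial_group  # no rule matched: host keeps its authenticated group


# Constructed sample table (hypothetical group names); the catch-all rule must be last.
SAMPLE_RULES = [
    FeedbackRule("Any", "=", "Printer", "Printers"),
    FeedbackRule("Any", "starts-with", "IP Phone", "VoIP-Devices"),
    FeedbackRule("Any", "regular-expression", r"^(Windows|UNIX|Mac)$", "Workstations"),
    FeedbackRule("Any", "match-all", "", "Quarantine"),
]
```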