
Cisco ACS 5.4 Configuration Guide.pdf

The document is 684 pages in total; the remainder can be viewed after downloading.
User Guide for Cisco Secure Access Control System 5.4
Contents
Preface
Introducing ACS 5.4
Overview of ACS
ACS Distributed Deployment
ACS 4.x and 5.4 Replication
ACS Licensing Model
ACS Management Interfaces
ACS Web-based Interface
ACS Command Line Interface
ACS Programmatic Interfaces
Hardware Models Supported by ACS
Migrating from ACS 4.x to ACS 5.4
Overview of the Migration Process
Migration Requirements
Supported Migration Versions
Before You Begin
Downloading Migration Files
Migrating from ACS 4.x to ACS 5.4
Functionality Mapping from ACS 4.x to ACS 5.4
Common Scenarios in Migration
Migrating from ACS 4.2 on CSACS 1120 to ACS 5.4
Migrating from ACS 3.x to ACS 5.4
Migrating Data from Other AAA Servers to ACS 5.4
ACS 5.x Policy Model
Overview of the ACS 5.x Policy Model
Policy Terminology
Simple Policies
Rule-Based Policies
Types of Policies
Access Services
Identity Policy
Group Mapping Policy
Authorization Policy for Device Administration
Processing Rules with Multiple Command Sets
Exception Authorization Policy Rules
Service Selection Policy
Simple Service Selection
Rules-Based Service Selection
Access Services and Service Selection Scenarios
First-Match Rule Tables
Policy Conditions
Policy Results
Authorization Profiles for Network Access
Processing Rules with Multiple Authorization Profiles
Policies and Identity Attributes
Policies and Network Device Groups
Example of a Rule-Based Policy
Flows for Configuring Services and Policies
Common Scenarios Using ACS
Overview of Device Administration
Session Administration
Command Authorization
TACACS+ Custom Services and Attributes
Password-Based Network Access
Overview of Password-Based Network Access
Password-Based Network Access Configuration Flow
Certificate-Based Network Access
Overview of Certificate-Based Network Access
Using Certificates in ACS
Certificate-Based Network Access
Authorizing the ACS Web Interface from Your Browser Using a Certificate
Validating an LDAP Secure Authentication Connection
Agentless Network Access
Overview of Agentless Network Access
Host Lookup
Authentication with Call Check
Process Service-Type Call Check
PAP/EAP-MD5 Authentication
Agentless Network Access Flow
Adding a Host to an Internal Identity Store
Configuring an LDAP External Identity Store for Host Lookup
Configuring an Identity Group for Host Lookup Network Access Requests
Creating an Access Service for Host Lookup
Configuring an Identity Policy for Host Lookup Requests
Configuring an Authorization Policy for Host Lookup Requests
VPN Remote Network Access
Supported Authentication Protocols
Supported Identity Stores
Supported VPN Network Access Servers
Supported VPN Clients
Configuring VPN Remote Access Service
ACS and Cisco Security Group Access
Adding Devices for Security Group Access
Creating Security Groups
Creating SGACLs
Configuring an NDAC Policy
Configuring EAP-FAST Settings for Security Group Access
Creating an Access Service for Security Group Access
Creating an Endpoint Admission Control Policy
Creating an Egress Policy
Creating a Default Policy
RADIUS and TACACS+ Proxy Requests
Supported Protocols
Supported RADIUS Attributes
TACACS+ Body Encryption
Connection to TACACS+ Server
Configuring Proxy Service
Understanding My Workspace
Welcome Page
Task Guides
My Account Page
Login Banner
Using the Web Interface
Accessing the Web Interface
Logging In
Logging Out
Understanding the Web Interface
Web Interface Design
Navigation Pane
Content Area
Importing and Exporting ACS Objects through the Web Interface
Supported ACS Objects
Creating Import Files
Downloading the Template from the Web Interface
Understanding the CSV Templates
Creating the Import File
Common Errors
Concurrency Conflict Errors
Deletion Errors
System Failure Errors
Accessibility
Display and Readability Features
Keyboard and Mouse Features
Obtaining Additional Accessibility Information
Post-Installation Configuration Tasks
Configuring Minimal System Setup
Configuring ACS to Perform System Administration Tasks
Configuring ACS to Manage Access Policies
Configuring ACS to Monitor and Troubleshoot Problems in the Network
Managing Network Resources
Network Device Groups
Creating, Duplicating, and Editing Network Device Groups
Deleting Network Device Groups
Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy
Deleting Network Device Groups from a Hierarchy
Network Devices and AAA Clients
Viewing and Performing Bulk Operations for Network Devices
Exporting Network Devices and AAA Clients
Performing Bulk Operations for Network Resources and Users
Exporting Network Resources and Users
Creating, Duplicating, and Editing Network Devices
Configuring Network Device and AAA Clients
Displaying Network Device Properties
Deleting Network Devices
Configuring a Default Network Device
Working with External Proxy Servers
Creating, Duplicating, and Editing External Proxy Servers
Deleting External Proxy Servers
Working with OCSP Services
Creating, Duplicating, and Editing OCSP Servers
Deleting OCSP Servers
Managing Users and Identity Stores
Overview
Internal Identity Stores
External Identity Stores
Identity Stores with Two-Factor Authentication
Identity Groups
Certificate-Based Authentication
Identity Sequences
Managing Internal Identity Stores
Authentication Information
Identity Groups
Creating Identity Groups
Deleting an Identity Group
Managing Identity Attributes
Standard Attributes
User Attributes
Host Attributes
Configuring Authentication Settings for Users
Creating Internal Users
Deleting Users from Internal Identity Stores
Viewing and Performing Bulk Operations for Internal Identity Store Users
Creating Hosts in Identity Stores
Deleting Internal Hosts
Viewing and Performing Bulk Operations for Internal Identity Store Hosts
Managing External Identity Stores
LDAP Overview
Directory Service
Authentication Using LDAP
Multiple LDAP Instances
Failover
LDAP Connection Management
Authenticating a User Using a Bind Connection
Group Membership Information Retrieval
Attributes Retrieval
Certificate Retrieval
Creating External LDAP Identity Stores
Configuring an External LDAP Server Connection
Configuring External LDAP Directory Organization
Deleting External LDAP Identity Stores
Configuring LDAP Groups
Viewing LDAP Attributes
Leveraging Cisco NAC Profiler as an External MAB Database
Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS
Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy
Troubleshooting MAB Authentication with Profiler Integration
Microsoft AD
Machine Authentication
Attribute Retrieval for Authorization
Group Retrieval for Authorization
Certificate Retrieval for EAP-TLS Authentication
Concurrent Connection Management
User and Machine Account Restrictions
Machine Access Restrictions
Distributed MAR Cache
Dial-In Permissions
Callback Options for Dial-In users
Joining ACS to an AD Domain
Configuring an AD Identity Store
Selecting an AD Group
Configuring AD Attributes
Configuring Machine Access Restrictions
RSA SecurID Server
Configuring RSA SecurID Agents
Creating and Editing RSA SecurID Token Servers
RADIUS Identity Stores
Supported Authentication Protocols
Failover
Password Prompt
User Group Mapping
Groups and Attributes Mapping
RADIUS Identity Store in Identity Sequence
Authentication Failure Messages
Username Special Format with Safeword Server
User Attribute Cache
Creating, Duplicating, and Editing RADIUS Identity Servers
Configuring CA Certificates
Adding a Certificate Authority
Editing a Certificate Authority and Configuring Certificate Revocation Lists
Deleting a Certificate Authority
Exporting a Certificate Authority
Configuring Certificate Authentication Profiles
Configuring Identity Store Sequences
Creating, Duplicating, and Editing Identity Store Sequences
Deleting Identity Store Sequences
Managing Policy Elements
Managing Policy Conditions
Creating, Duplicating, and Editing a Date and Time Condition
Creating, Duplicating, and Editing a Custom Session Condition
Deleting a Session Condition
Managing Network Conditions
Importing Network Conditions
Exporting Network Conditions
Creating, Duplicating, and Editing End Station Filters
Creating, Duplicating, and Editing Device Filters
Creating, Duplicating, and Editing Device Port Filters
Managing Authorizations and Permissions
Creating, Duplicating, and Editing Authorization Profiles for Network Access
Specifying Authorization Profiles
Specifying Common Attributes in Authorization Profiles
Specifying RADIUS Attributes in Authorization Profiles
Creating and Editing Security Groups
Creating, Duplicating, and Editing a Shell Profile for Device Administration
Defining General Shell Profile Properties
Defining Common Tasks
Defining Custom Attributes
Creating, Duplicating, and Editing Command Sets for Device Administration
Creating, Duplicating, and Editing Downloadable ACLs
Deleting an Authorizations and Permissions Policy Element
Configuring Security Group Access Control Lists
Managing Access Policies
Policy Creation Flow
Network Definition and Policy Goals
Policy Elements in the Policy Creation Flow
Access Service Policy Creation
Service Selection Policy Creation
Customizing a Policy
Configuring the Service Selection Policy
Configuring a Simple Service Selection Policy
Service Selection Policy Page
Creating, Duplicating, and Editing Service Selection Rules
Displaying Hit Counts
Deleting Service Selection Rules
Configuring Access Services
Editing Default Access Services
Creating, Duplicating, and Editing Access Services
Configuring General Access Service Properties
Configuring Access Service Allowed Protocols
Configuring Access Services Templates
Deleting an Access Service
Configuring Access Service Policies
Viewing Identity Policies
Viewing Rules-Based Identity Policies
Configuring Identity Policy Rule Properties
Configuring a Group Mapping Policy
Configuring Group Mapping Policy Rule Properties
Configuring a Session Authorization Policy for Network Access
Configuring Network Access Authorization Rule Properties
Configuring Device Administration Authorization Policies
Configuring Device Administration Authorization Rule Properties
Configuring Device Administration Authorization Exception Policies
Configuring Shell/Command Authorization Policies for Device Administration
Configuring Authorization Exception Policies
Creating Policy Rules
Duplicating a Rule
Editing Policy Rules
Deleting Policy Rules
Configuring Compound Conditions
Compound Condition Building Blocks
Types of Compound Conditions
Using the Compound Expression Builder
Security Group Access Control Pages
Egress Policy Matrix Page
Editing a Cell in the Egress Policy Matrix
Defining a Default Policy for Egress Policy Page
NDAC Policy Page
NDAC Policy Properties Page
Network Device Access EAP-FAST Settings Page
Maximum User Sessions
Max Session User Settings
Max Session Group Settings
Max Session Global Setting
Purging User Sessions
Maximum User Session in Distributed Environment
Maximum User Session in Proxy Scenario
Monitoring and Reporting in ACS
Authentication Records and Details
Dashboard Pages
Working with Portlets
Working with Authentication Lookup Portlet
Running Authentication Lookup Report
Configuring Tabs in the Dashboard
Adding Tabs to the Dashboard
Adding Applications to Tabs
Renaming Tabs in the Dashboard
Changing the Dashboard Layout
Deleting Tabs from the Dashboard
Managing Alarms
Understanding Alarms
Evaluating Alarm Thresholds
Notifying Users of Events
Viewing and Editing Alarms in Your Inbox
Understanding Alarm Schedules
Creating and Editing Alarm Schedules
Assigning Alarm Schedules to Thresholds
Deleting Alarm Schedules
Creating, Editing, and Duplicating Alarm Thresholds
Configuring General Threshold Information
Configuring Threshold Criteria
Passed Authentications
Failed Authentications
Authentication Inactivity
TACACS Command Accounting
TACACS Command Authorization
ACS Configuration Changes
ACS System Diagnostics
ACS Process Status
ACS System Health
ACS AAA Health
RADIUS Sessions
Unknown NAD
External DB Unavailable
RBACL Drops
NAD-Reported AAA Downtime
Configuring Threshold Notifications
Deleting Alarm Thresholds
Configuring System Alarm Settings
Understanding Alarm Syslog Targets
Creating and Editing Alarm Syslog Targets
Deleting Alarm Syslog Targets
Managing Reports
Working with Favorite Reports
Adding Reports to Your Favorites Page
Viewing Favorite-Report Parameters
Editing Favorite Reports
Running Favorite Reports
Deleting Reports from Favorites
Sharing Reports
Working with Catalog Reports
Available Reports in the Catalog
Running Catalog Reports
Deleting Catalog Reports
Running Named Reports
Understanding the Report_Name Page
Enabling RADIUS CoA Options on a Device
Changing Authorization and Disconnecting Active RADIUS Sessions
Customizing Reports
Restoring Reports
Viewing Reports
About Standard Viewer
About Interactive Viewer
About the Interactive Viewer Context Menus
Navigating Reports
Using the Table of Contents
Exporting Report Data
Printing Reports
Saving Report Designs in Interactive Viewer
Formatting Reports in Interactive Viewer
Editing Labels
Formatting Labels
Formatting Data
Resizing Columns
Changing Column Data Alignment
Formatting Data in Columns
Formatting Data in Aggregate Rows
Formatting Data Types
Formatting Numeric Data
Formatting Fixed or Scientific Numbers or Percentages
Formatting Custom Numeric Data
Formatting String Data
Formatting Custom String Data
Formatting Date and Time
Formatting Custom Date and Time
Formatting Boolean Data
Applying Conditional Formats
Setting Conditional Formatting for Columns
Deleting Conditional Formatting
Setting and Removing Page Breaks in Detail Columns
Setting and Removing Page Breaks in a Group Column
Organizing Report Data
Displaying and Organizing Report Data
Reordering Columns in Interactive Viewer
Removing Columns
Hiding or Displaying Report Items
Hiding Columns
Displaying Hidden Columns
Merging Columns
Selecting a Column from a Merged Column
Sorting Data
Sorting a Single Column
Sorting Multiple Columns
Grouping Data
Adding Groups
Grouping Data Based on Date or Time
Removing an Inner Group
Creating Report Calculations
Understanding Supported Calculation Functions
Understanding Supported Operators
Using Numbers and Dates in an Expression
Using Multiply Values in Calculated Columns
Adding Days to an Existing Date Value
Subtracting Date Values in a Calculated Column
Working with Aggregate Data
Creating an Aggregate Data Row
Adding Additional Aggregate Rows
Deleting Aggregate Rows
Hiding and Filtering Report Data
Hiding or Displaying Column Data
Displaying Repeated Values
Hiding or Displaying Detail Rows in Groups or Sections
Working with Filters
Types of Filter Conditions
Setting Filter Values
Creating Filters
Modifying or Clearing a Filter
Creating a Filter with Multiple Conditions
Deleting One Filter Condition in a Filter that Contains Multiple Conditions
Filtering Highest or Lowest Values in Columns
Understanding Charts
Modifying Charts
Filtering Chart Data
Changing Chart Subtype
Changing Chart Formatting
Troubleshooting ACS with the Monitoring and Report Viewer
Available Diagnostic and Troubleshooting Tools
Connectivity Tests
ACS Support Bundle
Expert Troubleshooter
Performing Connectivity Tests
Downloading ACS Support Bundles for Diagnostic Information
Working with Expert Troubleshooter
Troubleshooting RADIUS Authentications
Executing the Show Command on a Network Device
Evaluating the Configuration of a Network Device
Comparing SGACL Policy Between a Network Device and ACS
Comparing the SXP-IP Mappings Between a Device and its Peers
Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records
Comparing Device SGT with ACS-Assigned Device SGT
Managing System Operations and Configuration in the Monitoring and Report Viewer
Configuring Data Purging and Incremental Backup
Configuring NFS Staging
Restoring Data from a Backup
Viewing Log Collections
Log Collection Details Page
Recovering Log Messages
Viewing Scheduled Jobs
Viewing Process Status
Viewing Data Upgrade Status
Viewing Failure Reasons
Editing Failure Reasons
Specifying E-Mail Settings
Configuring SNMP Preferences
Understanding Collection Filters
Creating and Editing Collection Filters
Deleting Collection Filters
Configuring System Alarm Settings
Configuring Alarm Syslog Targets
Configuring Remote Database Settings
Managing System Administrators
Understanding Administrator Roles and Accounts
Understanding Authentication
Configuring System Administrators and Accounts
Understanding Roles
Assigning Roles
Assigning Static Roles
Assigning Dynamic Roles
Permissions
Predefined Roles
Changing Role Associations
Administrator Accounts and Role Association
Recovery Administrator Account
Creating, Duplicating, Editing, and Deleting Administrator Accounts
Viewing Predefined Roles
Viewing Role Properties
Configuring Authentication Settings for Administrators
Configuring Session Idle Timeout
Configuring Administrator Access Settings
Working with Administrative Access Control
Administrator Identity Policy
Viewing Rule-Based Identity Policies
Configuring Identity Policy Rule Properties
Administrator Authorization Policy
Configuring Administrator Authorization Policies
Configuring Administrator Authorization Rule Properties
Administrator Login Process
Resetting the Administrator Password
Changing the Administrator Password
Changing Your Own Administrator Password
Resetting Another Administrator’s Password
Configuring System Operations
Understanding Distributed Deployment
Activating Secondary Servers
Removing Secondary Servers
Promoting a Secondary Server
Understanding Local Mode
Understanding Full Replication
Specifying a Hardware Replacement
Scheduled Backups
Creating, Duplicating, and Editing Scheduled Backups
Backing Up Primary and Secondary Instances
Synchronizing Primary and Secondary Instances After Backup and Restore
Editing Instances
Viewing and Editing a Primary Instance
Viewing and Editing a Secondary Instance
Deleting a Secondary Instance
Activating a Secondary Instance
Registering a Secondary Instance to a Primary Instance
Deregistering Secondary Instances from the Distributed System Management Page
Deregistering a Secondary Instance from the Deployment Operations Page
Promoting a Secondary Instance from the Distributed System Management Page
Promoting a Secondary Instance from the Deployment Operations Page
Replicating a Secondary Instance from a Primary Instance
Replicating a Secondary Instance from the Distributed System Management Page
Replicating a Secondary Instance from the Deployment Operations Page
Changing the IP address of a Primary Instance from the Primary Server
Failover
Using the Deployment Operations Page to Create a Local Mode Instance
Creating, Duplicating, Editing, and Deleting Software Repositories
Managing Software Repositories from the Web Interface and CLI
Managing System Administration Configurations
Configuring Global System Options
Configuring TACACS+ Settings
Configuring EAP-TLS Settings
Configuring PEAP Settings
Configuring EAP-FAST Settings
Generating EAP-FAST PAC
Configuring RSA SecurID Prompts
Managing Dictionaries
Viewing RADIUS and TACACS+ Attributes
Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes
Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes
Viewing RADIUS Vendor-Specific Subattributes
Configuring Identity Dictionaries
Creating, Duplicating, and Editing an Internal User Identity Attribute
Configuring Internal Identity Attributes
Deleting an Internal User Identity Attribute
Creating, Duplicating, and Editing an Internal Host Identity Attribute
Deleting an Internal Host Identity Attribute
Adding Static IP address to Users in Internal Identity Store
Configuring Local Server Certificates
Adding Local Server Certificates
Importing Server Certificates and Associating Certificates to Protocols
Generating Self-Signed Certificates
Generating a Certificate Signing Request
Binding CA Signed Certificates
Editing and Renewing Certificates
Deleting Certificates
Exporting Certificates
Viewing Outstanding Signing Requests
Configuring Logs
Configuring Remote Log Targets
Deleting a Remote Log Target
Configuring the Local Log
Deleting Local Log Data
Configuring Logging Categories
Configuring Global Logging Categories
Configuring Per-Instance Logging Categories
Configuring Per-Instance Security and Log Settings
Configuring Per-Instance Remote Syslog Targets
Displaying Logging Categories
Configuring the Log Collector
Viewing the Log Message Catalog
Licensing Overview
Types of Licenses
Installing a License File
Viewing the Base License
Upgrading the Base Server License
Viewing License Feature Options
Adding Deployment License Files
Deleting Deployment License Files
Available Downloads
Downloading Migration Utility Files
Downloading UCP Web Service Files
Downloading Sample Python Scripts
Downloading Rest Services
Understanding Logging
About Logging
Using Log Targets
Logging Categories
Global and Per-Instance Logging Categories
Log Message Severity Levels
Local Store Target
Critical Log Target
Remote Syslog Server Target
Monitoring and Reports Server Target
Viewing Log Messages
Debug Logs
ACS 4.x Versus ACS 5.4 Logging
AAA Protocols
Typical Use Cases
Device Administration (TACACS+)
Session Access Requests (Device Administration [TACACS+])
Command Authorization Requests
Network Access (RADIUS With and Without EAP)
RADIUS-Based Flow Without EAP Authentication
RADIUS-Based Flows with EAP Authentication
Access Protocols-TACACS+ and RADIUS
Overview of TACACS+
Overview of RADIUS
RADIUS VSAs
ACS 5.4 as the AAA Server
RADIUS Attribute Support in ACS 5.4
RADIUS Attribute Rewrite Operation
RADIUS Access Requests
Authentication in ACS 5.4
Authentication Considerations
Authentication and User Databases
PAP
RADIUS PAP Authentication
EAP
EAP-MD5
Overview of EAP-MD5
EAP-MD5 Flow in ACS 5.4
EAP-TLS
Overview of EAP-TLS
User Certificate Authentication
PKI Authentication
PKI Credentials
PKI Usage
Fixed Management Certificates
Importing Trust Certificates
Acquiring Local Certificates
Importing the ACS Server Certificate
Initial Self-Signed Certificate Generation
Certificate Generation
Exporting Credentials
Credentials Distribution
Hardware Replacement and Certificates
Securing the Cryptographic Sensitive Material
Private Keys and Passwords Backup
EAP-TLS Flow in ACS 5.4
PEAPv0/1
Overview of PEAP
Supported PEAP Features
PEAP Flow in ACS 5.4
Creating the TLS Tunnel
Authenticating with MSCHAPv2
EAP-FAST
Overview of EAP-FAST
EAP-FAST Benefits
EAP-FAST in ACS 5.4
About Master-Keys
About PACs
Provisioning Modes
Types of PACs
ACS-Supported Features for PACs
Master Key Generation and PAC TTLs
EAP-FAST for Allow TLS Renegotiation
EAP-FAST Flow in ACS 5.4
EAP-FAST PAC Management
Key Distribution Algorithm
EAP-FAST PAC-Opaque Packing and Unpacking
Revocation Method
PAC Migration from ACS 4.x
EAP Authentication with RADIUS Key Wrap
EAP-MSCHAPv2
Overview of EAP-MSCHAPv2
MSCHAPv2 for User Authentication
MSCHAPv2 for Change Password
Windows Machine Authentication Against AD
EAP-MSCHAPv2 Flow in ACS 5.4
CHAP
LEAP
Certificate Attributes
Certificate Binary Comparison
Rules Relating to Textual Attributes
Certificate Revocation
Machine Authentication
Authentication Protocol and Identity Store Compatibility
Open Source License Acknowledgements
Notices
OpenSSL/Open SSL Project
License Issues
Glossary
Index
User Guide for Cisco Secure Access Control System 5.4
April 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-26225-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. 
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. User Guide for Cisco Secure Access Control System 5.4 © 2012 Cisco Systems, Inc. All rights reserved.
Contents (chapter numbering)
Preface
Audience
Document Conventions
Documentation Updates
Related Documentation
Obtaining Documentation and Submitting a Service Request
Chapter 1: Introducing ACS 5.4
Chapter 2: Migrating from ACS 4.x to ACS 5.4
Chapter 3: ACS 5.x Policy Model
Chapter 4: Common Scenarios Using ACS
Chapter 5: Understanding My Workspace
Chapter 6: Post-Installation Configuration Tasks
Chapter 7: Managing Network Resources
Chapter 8: Managing Users and Identity Stores
The section titles under each chapter are the same as in the contents listing above; the per-section page numbers were scrambled during extraction and are not reproduced here.
OL-26225-01 User Guide for Cisco Secure Access Control System 5.4