Cisco Secure ACS 4.2 February 2008 Text Part Number: OL J


1 Cisco Secure ACS 4.2 February 2008 Text Part Number:

2 Information Packet TCP UNIX UCB University of California, Berkeley UCB All rights reserved. Copyright 1981, Regents of the University of California.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0804r)

IP IP Cisco Secure ACS 4.2 Copyright 2008 Cisco Systems, Inc. All rights reserved. Copyright 2008,. All rights reserved.

3 CONTENTS ix ix ix x xi xiii Service Request xiii xiv OpenSSL Open SSL Project xiv xiv CHAPTER 1 ACS CHAPTER 2 Access Control Server LAN RADIUS 2-11 ACS LAN WAN LAN 2-13 WAN 2-13 ACS 2-13 ACS Cisco Secure ACS 4.2 iii

4 Contents NAC/NAP ACS CHAPTER 3 ACS EAP-FAST 3-2 EAP-FAST PAC 3-4 NetBIOS 3-6 ACS NAP Active Directory 3-10 ACS 4.2 syslog 3-10 ACS SE RSA 3-11 RSA 3-13 RSA SecurID LDAP 3-13 ping / 3-20 CHAPTER 4 RDBMS dacl 4-1 ACS Release 4.2 RDBMS 4-2 RDBMS dacl dacl dacl accountactions dacl dacl 4-5 CSV accountactions CSV RDBMS RDBMS 4-10 ACS GUI RDBMS 4-10 CSDBSync dacl 4-10 RDBM 4-11 iv Cisco Secure ACS 4.2

5 Contents 6 dacl dacl 4-14 dacl 4-16 RDBMS 4-17 AAA 4-17 CHAPTER Password Validation Options 5-7 Password Lifetime Options 5-7 Password Inactivity Options 5-8 Incorrect Password Attempt Options CHAPTER GAME ACS RADIUS AAA ACS 6-8 ACS 6-8 Windows ACS for Windows 6-9 ACS 6-9 CA MAB LDAP 6-12 MAB LDAP 6-12 ACS 1 LDAP MAB 6-20 Cisco Secure ACS 4.2 v

6 Contents NAP 6-20 NAP 6-23 MAB MAB GAME 6-28 CHAPTER 7 PEAP/EAP-TLS ACS 7-2 Windows 7-2 ACS 7-3 CA EAP-TLS CHAPTER 8 syslog syslog 8-1 ACS syslog CHAPTER 9 NAC ACS RADIUS AAA 9-3 AAA ACS 9-7 ACS 9-7 ACS CA 9-9 vi Cisco Secure ACS 4.2

7 Contents ACS EAP-FAST Administration Control IP ACL 9-24 ACL 9-25 ACE 9-26 dacl 9-28 RADIUS ACS NAC ACS NAC NAP 9-48 NAC 9-48 NAC NAC NAC NAC x 9-59 Cisco Secure ACS 4.2 vii

8 Contents NAC L x GAME 9-78 CSUtil 9-79 CSUtil 9-79 NAC ACS GAME 9-84 GLOSSARY INDEX viii Cisco Secure ACS 4.2

9 Cisco Secure Access Control Server ACS 1 ACS ACS 2 Access Control Server ACS 3 ACS 4.2 ACS RDBMS dacl ACS 4.2 RDBMS ACS Solution Engine RDBMS Sync 5 Sarbanes-Oxley Act SOX; 6 MAC authentication bypass ACS 7 PEAP/EAP-TLS PEAP EAP-TLS ACS 8 syslog syslog ACS 9 NAC Cisco Network Admission Control NAC; Microsoft Network Access Protection NAP; ACS glossary ACS Cisco Secure ACS 4.2 ix

10 screen screen screen Option > Network Preferences x Cisco Secure ACS 4.2

11 Cisco.com 1 1 ACS 4.2 Documentation Guide for Cisco Secure ACS Release 4.2 Release Notes for Cisco Secure ACS Release 4.2 CD PDF Cisco.com cisco_secure_access_control_server_for_windows/4.2/roadmap/ DGuide42.html Cisco.com Configuration Guide for Cisco Secure ACS Release 4.2 Installation Guide for Cisco Secure ACS for Windows Release 4.2 Installation Guide for Cisco Secure ACS Solution Engine Release _server_for_windows/4.2/release/notes/acs42_rn.html Cisco.com _server_for_windows/4.2/configuration/guide/acs42_config_guide.html Cisco.com _server_for_windows/4.2/installation/guide/windows/igwn42.html Cisco.com Configuration Guide for Cisco Secure ACS 4.2 Cisco.com Regulatory Compliance and Safety Information for the Cisco Secure ACS Solution Engine Release 4.2 Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.2 Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Release _server_for_solution_engine/4.2/installation/guide/solution_engine/ SE42.html _server_for_windows/4.2/user/guide/acs4_2ug.html CD PDF Cisco.com server_for_solution_engine/4.2/regulatory/compliance/rcsi_42.html Cisco.com server_for_solution_engine/4.2/installation/guide/remote_agent/rmag42.html Cisco.com _server_for_windows/4.2/device/guide/sdt42.html Cisco Secure ACS 4.2 xi

12 1 ACS 4.2 Installation and User Guide for Cisco Secure ACS User-Changeable Passwords Troubleshooting Guide for Cisco Secure Access Control Server Cisco.com _server_for_windows/4.2/installation/guide/user_passwords/ucp42.html Cisco.com _server_for_windows/4.2/trouble/guide/acs_troubleshooting.html ACS HTML Online Documentation ACS HTML xii Cisco Secure ACS 4.2

13 Cisco.com ACS URL Cisco.com NAC NAC ACS URL Service Request Service Request URL What's New in Cisco Product Documentation What's New in Cisco Product Documentation Really Simple Syndication RSS What's New in Cisco Product Documentation RSS RSS 2.0 Cisco Secure ACS 4.2 xiii

14 OpenSSL Open SSL Project OpenSSL Toolkit OpenSSL Project Eric Young Tim Hudson OpenSSL OpenSSL SSLeay BSD OpenSSL OpenSSL

Copyright The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (
4. The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact
5. Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

15 Eric Young Tim Hudson SSLeay

Copyright Eric Young rights reserved.

This package is an SSL implementation written by Eric Young The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). The word cryptographic can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: This product includes software written by Tim Hudson (tjh@cryptsoft.com).

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

GNU

17 CHAPTER 1 ACS Cisco Secure Access Control Server ACS Cisco Network Admission Control NAC; Microsoft Network Access Protection NAP; Microsoft ACS 9 NAC P.1-2 P.1-5 Cisco Secure ACS

18 1 ACS ACS 1 ACS ACS 2 Access Control Server 2 ACS ACS Installation Guide for Cisco Secure ACS for Windows Release 4.2 URL Cisco.com installation/guide/windows/igwn42.html Installation Guide for Cisco Secure ACS Solution Engine Release 4.2 URL Cisco.com 4.2/installation/guide/solution_engine/ACS_42_SE_install.html 3 Windows ACS Cisco Secure ACS Solution Engine ACS SE 1 a. b. c. Access Policy IP HTTP Secure Sockets Layer SSL Session Policy IP Password Policy 5 4 Web a. AAA b. Interface Configuration c. Interface Configuration 1 RADIUS Configuration Options User Guide for Cisco Secure ACS Using the Web Interface Displaying RADIUS Configuration Options 1-2 Cisco Secure ACS 4.2

19 1 ACS TACACS+ Configuration Options User Guide for Cisco Secure ACS Using the Web Interface Displaying TACACS+ Configuration Options Advanced Options User Guide for Cisco Secure ACS Using the Web Interface Displaying RADIUS Configuration Options Customized User Options User Guide for Cisco Secure ACS Using the Web Interface Displaying RADIUS Configuration Options 5 ACS a. System Configuration b. Service Control Logging Date Format Control Local Password Management ACS Backup ACS Restore ACS Service Management IP Pools Server IP Pools Address Recovery User Guide for Cisco Secure ACS Using the Web Interface Displaying RADIUS Configuration Options 6 a. ACS Web CSUtil User Guide for Cisco Secure ACS Using the Web Interface Displaying RADIUS Configuration Options 7 EAP-TLS Secure Sockets Layer SSL Cisco NAC P ACS 8 ACS PEAP Cisco Secure ACS

20 1 ACS EAP-FAST EAP-TLS LEAP EAP-MD5 MS-CHAP Version 1 Version 2 User Guide for Cisco Secure ACS System Configuration: Authentication and Certificates Global Authentication Setup 9 IP ACL RADIUS User Guide for Cisco Secure ACS Shared Profile Components 10 User Guide for Cisco Secure ACS AAA RADIUS TACACS+ P RADIUS AAA 12 User Guide for Cisco Secure ACS User Group Management 13 ACS NAC ACS HTML User Guide for Cisco Secure ACS Logs and Reports 1-4 Cisco Secure ACS 4.2

21 1 ACS 1-1 ACS 1-1 ACS 8: 6: 9: 1: ODBC 10: ACS 2: AAA 11: 3: 12: Web 4: NAC CSUtil ACS 5: 13: EAP-TLS SSL NAC 14: 7: 15: P.1-2 Cisco Secure ACS

23 CHAPTER 2 Access Control Server Cisco Secure Access Control Server ACS ACS ACS SE Installation Guide for Cisco Secure ACS for Windows Release 4.2 URL Cisco.com installation/guide/windows/igwn42.html Installation Guide for Cisco Secure ACS Solution Engine Release 4.2 URL Cisco.com 4.2/installation/guide/solution_engine/ACS_42_SE_install.html ACS URL Cisco Secure Access Control Server Deployment Guide P.2-2 ACS P.2-12 ACS P.2-15 NAC/NAP ACS P.2-17 P.2-19 Cisco Secure ACS

24 2 Access Control Server ACS LAN RADIUS EAP-TLS Microsoft Active Directory LAN LAN WLAN P.2-2 RADIUS P.2-11 LAN P.2-2 P.2-5 P.2-10 LAN LAN LAN LAN LAN WLAN LAN 1 3,000 LAN 3,000 25,000 LAN 25,000 50,000 LAN WLAN 50,000 LAN RADIUS RADIUS LAN RADIUS LAN EAP Extensible Authentication Protocol EAP RADIUS EAP Internet Engineering Task Force IETF; RFC 2284 IEEE 802.1x 802.1x EAP over LAN EAPoL EAP LAN LAN AAA EAPoL Point-to-Point Protocol PPP; 2-2 Cisco Secure ACS 4.2

25 2 Access Control Server EAP / Challenge Handshake Authentication Protocol CHAP; Transport Layer Security TLS EAP-TLS Extensible Authentication Protocol-Transport Layer Security EAP-TLS EAP-TLS Secure Sockets Layer SSL TLS RFC 2246 TLS IETF TLS PEAP Protected Extensible Authentication Protocol PEAP LAN WLAN 802.1x 1 PEAP PEAP Microsoft RSA Security IETF LAN LAN 3,000 LAN 2-1 ACS 1 AAA ACS ACS 1 2 ACS ACS ACS 2-1 Cisco Catalyst AAA ACS 2-1 ACS LAN Cisco Catalyst ACS HTTP ACS 2-1 LAN ACS Catalyst 2900/3500 Cisco Secure ACS Cisco Secure ACS

26 2 Access Control Server LAN LAN ACS LAN 2-2 LAN ACS 2-2 LAN ACS 1 3 A A 2 A LAN ACS LAN LAN 1 Gb ACS RADIUS ACS 5 10 ACS 1 Cisco LocalDirector ACS LAN ACS ACS AAA ACS 1 ACS WAN ACS 2-4 Cisco Secure ACS 4.2

27 2 Access Control Server 2-3 LAN ACS 1 ACS 1 AAA 2 ACS 2 2 ACS 2 ACS 3 3 ACS 3 ACS 1 ACS AAA AAA WAN ACS ACS 2-3 LAN ACS T1 1 T1 T1 ACS 1 ACS 2 ACS Cisco Aironet AP LAN AP WLAN LAN WLAN WLAN AP AP WLAN WLAN AP Cisco Secure ACS

28 2 Access Control Server WLAN WLAN AP AP 1 AAA ACS 2-4 WLAN 1 3 A A 2 A Cisco Secure ACS 4.2

29 2 Access Control Server WLAN AP WLAN ACS AP LAN 2-5 AP LAN AP LAN 2-5 WLAN Cisco Secure ACS

30 2 Access Control Server WLAN ACS ACS WAN WAN ACS 2-6 WLAN 2-6 WLAN ACS A Cisco Aironet Cisco Secure ACS A A A Cisco Secure ACS 4.2

31 2 Access Control Server WLAN 50,000 ACS 1 ACS ACS 1 ACS P.2-15 P.2-16 Windows Lightweight Directory Access Protocol LDAP ACS 2-7 WLAN ACS 2-7 WLAN ACS I ACS AP ACS 50,000 WLAN ACS ACS WLAN ACS LAN ACS ACS Cisco Secure ACS

32 2 Access Control Server DSL VPN LAN ACS LAN LAN LAN ACS AAA AAA Authentication, Authorization, and Accounting AAA; ACS ACS ACS ACS 2-10 Cisco Secure ACS 4.2

33 2 Access Control Server 2-9 RADIUS RADIUS DHCP DNS RADIUS WAN RADIUS 2 RADIUS Cisco Secure ACS

34 ACS 2 Access Control Server ACS ACS ACS ACS ACS URL Cisco.com Building a Scalable TACACS+ Device Management Framework Catalyst Switching and ACS Deployment Guide Deploying Cisco Secure ACS for Windows in Cisco Aironet Environment EAP-TLS Deployment Guide for Wireless LAN Networks Guidelines for Placing ACS in the Network P.2-12 P.2-12 LAN WAN LAN P.2-13 WAN P.2-13 ACS P ACS 21, ACS WLAN 2,100 LAN WLAN LAN WLAN LAN 1 3,000 LAN 3,000 25,000 LAN 25,000 50,000 LAN WLAN 50,000 Deploying Cisco Secure ACS for Windows in Cisco Aironet Environment URL Cisco.com ACS 5,000 NAS ACS NAS 2-12 Cisco Secure ACS 4.2

35 2 Access Control Server ACS LAN WAN LAN ACS LAN 1 ACS ACS LAN LAN ACS WAN 25,000 50,000 LAN 1 ACS 1 ACS 1 ACS ACS 10,000 ACS ACS ACS 1 WLAN ACS 1, WAN ACS WAN 2 ACS 40% 1 ACS AP ACS AP ACS ACS 40% 1 ACS ACS 80% WAN LAN 2 ACS ACS ACS AP 4,200 1 ACS AP ACS AP EAP-TLS 1 EAP-TLS Cisco Secure ACS

36 ACS 2 Access Control Server EAP-TLS ACS PEAP EAP-TLS PKI PEAP ACS Deploying Cisco Secure ACS for Windows in an Aironet Environment URL Cisco.com Cisco Secure ACS 4.2

37 2 Access Control Server ACS ACS P.2-15 P.2-15 P.2-16 RADIUS RADIUS ACS 1 ACS ACS Configuration components for replication Replication scheduling Replication frequency Replication partners Client configuration Reports and event (error) handling ACS / Database replication setup Automatically triggered cascade At specific times 2-10 ACS Cisco Secure ACS

38 ACS 2 Access Control Server 2-10 ACS 1 A / 2 A A Secondary remote-system 2 A California Relational Database Management System RDBMS; RDBMS ACS Open Database Connectivity ODBC; ODBC RDBMS ACS ODBC RDBMS 2-16 Cisco Secure ACS 4.2

39 2 Access Control Server NAC/NAP ACS NAC/NAP ACS ACS Cisco Network Admission Control NAC; Microsoft Network Access Protection NAP; NAC/NAP NAP EAP over UDP EoU EAP over 802.1x ACS 2-1 NAC/NAP 2-1 NAC/NAP NAP NAP ACS NPS Windows Vista Windows Server 2008 NAP Statement of Health SoH; NAP NAP SoH ACS VPN AAA NAP Microsoft PKI NAP Microsoft Microsoft NPS NAP NAP ACS SoH Microsoft Health Registration Authority HRA; ACS NAP SoH ACS Cisco Host Credentials Authorization Protocol HCAP Microsoft NPS NPS SoH ACS NAP VPN SoH ACS EAP-FAST ACS NAP Cisco Secure ACS

40 NAC/NAP ACS 2 Access Control Server 2-11 NAC/NAP 2-11 NAC/NAP NAP Cisco Cisco Cisco ACS NAP EAP-Host NAP EAP Host EAP EAP-FAST over 802.1X UDP SoH HRA RADIUS Microsoft NPS 802.1X EAP over UDP HCAP RADIUS Cisco Secure ACS 4.2

41 2 Access Control Server ACS P.2-19 P.2-19 P.2-19 P.2-21 P.2-22 LAN LAN ISDN AAA ACS AAA Access Control List ACL; ISDN Public Switched Telephone Network PSTN; ACS AAA ACS Cisco ID ACS ACL Cisco AS5300 Network Access Server ACS Network Security Policy: Best Practices White Paper Cisco IOS Security Configuration Guide 25,000 50, Cisco Secure ACS

42 2 Access Control Server ACS 1 AAA AAA TACACS+ TACACS+ AAA RADIUS 1 AAA ACS AAA ACS AAA ACS ACS AAA AAA ACS AAA 1 2 ACS ACS CiscoWorks ACS 300,000 ACS AAA RADIUS IT ACS TACACS+ TACACS+ TACACS+ TACACS+ shell exec RADIUS AAA ACS RADIUS TACACS+ 1 ACS ACS RADIUS TACACS+ RADIUS PPP TACACS+ shell exec 2-20 Cisco Secure ACS 4.2

43 2 Access Control Server AAA RADIUS PPP AAA AAA TACACS+ ACS TACACS+ shell AAA 1 RADIUS 1 TACACS+ 2 ACS IOS PPP shell AAA

! Enable AAA and define the TACACS+ and RADIUS servers with their shared keys
aaa new-model
tacacs-server host ip-address
tacacs-server key secret-key
radius-server host ip-address
radius-server key secret-key
! PPP sessions authenticate against RADIUS; logins use TACACS+ with local fallback
aaa authentication ppp default group radius
aaa authentication login default group tacacs+ local
! Named method list "console": no authentication
aaa authentication login console none
! Network authorization through RADIUS; exec and level-15 command authorization through TACACS+
aaa authorization network default group radius
aaa authorization exec default group tacacs+ none
aaa authorization command 15 default group tacacs+ none
username user password password
! Apply the "console" method list to the console line
line con 0
 login authentication console

ACS shell exec ACS 1 ACS ACS 300,000 1 ACS WAN 1 ACS ACS ACS ACS

44 2 Access Control Server ACS AAA 1 ACS VPN T1 WLAN WLAN ACS WAN ACS ACS ACS ACS 1 AAA ACS ACS ACS AAA AAA 2-22 Cisco Secure ACS 4.2

45 CHAPTER 3 ACS 4.2 ACS 4.2 ACS for Windows ACS SE EAP-FAST P.3-2 EAP-FAST PAC P.3-4 NetBIOS P.3-6 ACS 4.2 P.3-7 NAP P.3-8 P.3-9 Active Directory P.3-10 ACS SE ACS 4.2 syslog P.3-10 ACS SE RSA P.3-11 ping / P.3-20 Cisco Secure ACS

46 EAP-FAST 3 ACS 4.2 EAP-FAST Global Authentication Setup EAP-FAST Configuration 3-1 EAP-FAST Configuration 3-1 EAP-FAST 3-1 EAP-FAST 3-1 Release 4.2 EAP-FAST Allow Full TLS Renegotiation in Case of Invalid PAC Allow Anonymous In-band PAC Provisioning PAC EAP PAC TLS Allow Full TLS Renegotiation in Case of Invalid PAC ACS EAP-FAST 0 PAC ACS PAC 3-2 Cisco Secure ACS 4.2

47 3 ACS 4.2 EAP-FAST 3-1 Release 4.2 EAP-FAST Enable anonymous TLS renegotiation Allow Anonymous in-band PAC Provisioning Enable anonymous TLS renegotiation Vista Enable anonymous TLS renegotiation Vista 2 Cisco Secure ACS

48 EAP-FAST PAC 3 ACS 4.2 EAP-FAST PAC EAP-FAST PAC ACS Network Access Profile NAP; NAP Protocols 3-2 ACS 4.2 NAP Protocols EAP-FAST 3-2 Use PAC Do Not Use PAC 3-4 Cisco Secure ACS 4.2

49 3 ACS 4.2 EAP-FAST PAC 3-2 NAP Protocols 3-2 NAP Protocols Use PACs Do Not Use PACs Require Client Certificate Disable Client Certificate Lookup and Comparisons Assign Group NAP PAC EAP-FAST ACS Use PACs Use PACs EAP-FAST EAP-FAST NAP PAC EAP-FAST ACS Do Not Use PACs Do Not Use PACs Require Client Certificate EAP-FAST Do Not Use PACs Disable Client Certificate Lookup and Comparisons EAP-FAST PKI Disable Client Certificate Lookup and Comparisons ACS PKI EAP-FAST Disable Client Certificate Lookup and Comparisons Assign Group Cisco Secure ACS

50 NetBIOS 3 ACS 4.2 NetBIOS NetBIOS ACS 4.2 NetBIOS ACS SE 4.2 Windows 2003 Windows 2003 Windows 2000 Windows XP Windows Server 2003 NetBIOS over TCP/IP NetBT Windows 9.x Windows NT NetBIOS NetBIOS Windows 2000 Windows XP Windows 2003 NetBIOS over TCP/IP My Network Places Properties Local Area Connection Properties Internet Protocol (TCP/IP) Properties Advanced WINS WINS NetBIOS over TCP/IP NetBIOS DHCP DHCP Use NetBIOS setting from the DHCP server Windows 2000/2003 NetBIOS over TCP/IP Windows 2000/2003 DHCP Server DHCP Windows 2000 NetBIOS Windows 2000/XP/ Cisco Secure ACS 4.2

51 3 ACS 4.2 ACS 4.2 ACS 4.2 ACS 4.2 CSV Failed Attempts Passed Authentications Response Time ACS Framed-IP-address Access-Request IP ACS Access-Request IP IP Session-ID ID CSV Failed Attempts Passed Authentications 1 2 System Configuration Logging Logging Configuration 3 CSV Configure 4 5 Attributes Logged Attributes Submit Cisco Secure ACS

52 NAP 3 ACS 4.2 NAP ACS 4.2 LDAP LDAP NAP NAP 1 2 ACS LDAP a. Network Access Profiles Network Access Profile b. Authentication Authentication Authentication Group Filtering for LDAP database Group Filtering for LDAP Database c. LDAP LDAP d. Available Groups LDAP Available Groups --> Selected Groups e. Up Down 3 Submit 3-8 Cisco Secure ACS 4.2

53 3 ACS 4.2 Active Directory LDAP ACS ACS ACS 4.2 ACS ACS 1 External User Databases > Unknown User Policy Configure Unknown User Policy 2 Configure Caching Unknown Users Disable Dynamic users 4 Submit Cisco Secure ACS

54 Active Directory 3 ACS 4.2 Active Directory ACS ACS ACS EAP-FAST 1a PEAP MSPEAP EAP-TLS ACS 4.2 syslog ACS SE 4.2 ACS syslog ACS SE syslog 4.2 GMT syslog ACS SE syslog 1 System Configuration > Date Format Control Date Format Control 2 Time Zone Selection for syslog syslog Use Local Time GMT Use GMT Time 3 Submit and Restart 3-10 Cisco Secure ACS 4.2

55 3 ACS 4.2 ACS SE RSA ACS SE RSA ACS 4.2 RSA ACS SE 1 External User Databases External User Databases 2 Database Configuration External User Databases Configuration External User Databases Configuration ACS SE 3 RSA SecureID Token Server Database Configuration Creation 4 Create New Configuration Create a New External Database Configuration 3-6 Cisco Secure ACS

56 ACS SE RSA 3 ACS Create a New External Database Configuration 5 RSA SecureID Submit 6 Configure sdconf.rec 7 8 Upload scconf.rec Cisco Secure ACS to RSA SecurID Configuration Cisco Secure ACS to RSA SecurID Configuration 9 Cisco Secure ACS to RSA SecurID Configuration Cisco Secure ACS 4.2

57 3 ACS 4.2 ACS SE RSA 3-3 RSA SecureID FTP Server: Login: Password: Directory: sdconf.rec FTP IP RSA TokenID FTP FTP sdconf.rec FTP 10 Submit RSA RSA 1 External User Databases External User Databases 2 Database Configuration External User Databases Configuration 3 RSA SecurID Token Server External User Database Configuration 4 Configure Cisco Secure ACS to RSA SecurID Configuration 5 Purge Node Secret RSA SecurID LDAP RSA LDAP RSA RSA LDAP LDAP RSA LDAP Cisco Secure ACS

58 ACS SE RSA 3 ACS 4.2 LDAP RSA DLL LDAP RSA P.3-11 ACS SE RSA RSA External User Databases Database Configuration 4 RSA SecurID Token and LDAP Group Mapping External Database Configuration 5 Configure LDAP Native RSA Configuration 6 Configure LDAP RSA SecurID Token and LDAP Group Mapping Configuration Cisco Secure ACS 4.2

59 3 ACS 4.2 ACS SE RSA 3-8 RSA SecurID Token and LDAP Group Mapping Configuration 7 LDAP ACS Domain Filtering Process all usernames Cisco Secure ACS

60 ACS SE RSA 3 ACS LDAP User Guide for Cisco Secure ACS, Domain Filtering a. Domain Filtering Only process usernames that are domain qualified b. Qualified by Suffix Prefix 1 LDAP 1 LDAP Prefix LDAP Suffix c. Domain Qualifier LDAP ID Qualified by Prefix Qualified by Suffix 1 LDAP d. LDAP ACS Strip domain before submitting username to LDAP server e. LDAP ACS Strip domain before submitting username to LDAP server 9 ACS LDAP User Guide for Cisco Secure ACS, Domain Filtering a. Domain Filtering Process all usernames after stripping domain name and delimiter b. ACS Strip starting characters through the last X character X #? * > < X ACS X c. ACS Strip ending characters from the first X character X 3-16 Cisco Secure ACS 4.2

61 3 ACS 4.2 ACS SE RSA #? * > < X ACS X 10 Common LDAP Configuration User Directory Subtree DN 11 Group Directory Subtree DN 12 UserObjectType LDAP UserObjectType Netscape Directory Server LDAP 13 UserObjectClass LDAP objecttype objecttype 14 GroupObjectType 15 GroupObjectClass LDAP objecttype 16 GroupAttributeName 17 Server Timeout ACS LDAP ACS LDAP 18 LDAP On Timeout Use Secondary 19 Failback Retry Delay LDAP LDAP ACS ACS LDAP Failback Retry Delay 0 Cisco Secure ACS

62 ACS SE RSA 3 ACS Max. Admin Connection LDAP 21 Primary LDAP Server Secondary LDAP Server On Timeout Use Secondary Secondary LDAP Server a. Hostname LDAP IP DNS IP b. Port LDAP TCP/IP LDAP 389 LDAP 636 c. ACS LDAP 3 LDAP LDAP Version LDAP Version ACS LDAP 2 d. SSL LDAP ACS Use secure authentication 3 SSL LDAP e. ACS SE Use Secure Authentication Trusted Root CA CA Certificate Database Path cert7.db cert7.db ACS User Guide for Cisco Secure ACS, Downloading a Certificate Database (Solution Engine Only) f LDAP LDAP f. ACS for Windows Use Secure authentication Trusted Root CA CA Certificate Database Path Netscape cert7.db CA g. Admin DN DN User Directory Subtree LDAP Admin DN LDAP uid=user id,[ou=organizational unit,] [ou=next organizational unit]o=organization 3-18 Cisco Secure ACS 4.2

63 3 ACS 4.2 ACS SE RSA user id organizational unit next organizational unit 1 uid=joesmith,ou=members,ou=administrators,o=cisco Netscape DS LDAP Netscape h. Password Admin DN 22 Submit LDAP ACS Unknown User Policy Cisco Secure ACS

64 ping / 3 ACS 4.2 ping / ACS 4.2 ACS SE ping 4.2 ping SE ping Cisco Security Agent CSA ACS SE CSA ping ACS 4.2 CSA ping Ping Turn On Patch CSA ping ACS SE ping Ping Turn Off Patch CSA ping ACS SE ping Installation Guide for Cisco Secure ACS Solution Engine, Installing and Configuring Cisco Secure ACS Solution Engine 4.2 Turning Ping On and Off 3-20 Cisco Secure ACS 4.2

65 CHAPTER 4 RDBMS dacl ACS 4.2 RDBMS ACS 4.2 RDBMS User Guide for Cisco Secure ACS, System Configuration: Advanced RDBMS Synchronization RDBMS accountactions User Guide for Cisco Secure ACS, 4.2 E RDBMS Synchronization Import Definitions ACS Release 4.2 RDBMS P.4-2 RDBMS dacl P.4-3 dacl P.4-14 dacl P.4-16 RDBMS P.4-17 Cisco Secure ACS

66 ACS Release 4.2 RDBMS 4 RDBMS dacl ACS Release 4.2 RDBMS ACS 4.2 RDBMS Downloadable ACL dacl; ACL CSV accountactions permit ip deny ip dacl accountactions dacl ACS for Windows ACS GUI RDBMS Synchronization CSDBSync dacl ACS SE dacl ACS SE GUI RDBMS Synchronization SSH ACS SE SSH csdbsync -syncnow RDBMS 1 AAA AAA NDG AAA IP AAA AAA ACS Solution Engine CSDBSync ACS 4.2 SSH ACS SE CSDBSync 4-2 Cisco Secure ACS 4.2

67 4 RDBMS dacl RDBMS dacl RDBMS dacl ACS 4.2 RDBMS dacl dacl RDBMS dacl RDBMS dacl dacl CSV accountactions dacl dacl CSV RDBMS 2 RDBMS ACS GUI Windows ACS SE SSH csdbsync -syncnow 6 dacl 1 dacl dacl 1 2 Interface Configuration Advanced Options Advanced Options 3 4 User-Level Downloadable ACLs Group-Level Downloadable ACLs dacl 5 RDBMS Synchronization 6 Submit Cisco Secure ACS

68 RDBMS dacl 4 RDBMS dacl 2 dacl dacl dacl

[DACL#1]
Name = DACL_For_Troy
Description = Test_DACL_For_ACS_42
Content#1= content1
Definition#1#1= permit ip any host
Definition#1#2= permit ip any host
Definition#1#3= permit ip any host
Definition#1#4= permit ip any host
Definition#1#5= permit ip any host
Definition#1#6= permit ip any host
Definition#1#7= permit ip any host
Definition#1#8= permit ip any host
Definition#1#9= permit ip any
Definition#1#10= permit ip any
Definition#1#11= permit ip any
Definition#1#12= deny ip any
Definition#1#13= deny ip any
Definition#1#14= permit ip any any

dacl DACL# Name Description Content Definition 1 dacl [DACL#n] n dacl 4-1 dacl 1 1 DACL#1 CSDBSync dacl dacl dacl Content#n n dacl ACS permit IP deny ip Definition Definition #n#n1 n Definition n1 3 ACS for Windows ACS Windows ACS SE ACS SE FTP

69 4 RDBMS dacl RDBMS dacl 3 accountactions dacl dacl CSV accountactions dacl dacl 1 2 Group ipassword Troy 1,1,Troy,Group 5,100,ipassword,7/8/ :00,0,,,0 3 dacl dacl_create.txt DACL_for_Troy dacl 2,1,,,385,C:\dACL_folder\dACL_create.txt,7/8/ :00,0,,,0 385 dacl dacl dacl_create.txt 7/8/ :00 4 dacl dacl DACL_for_Troy Troy 3,1,Troy,,380,DACL_For_Troy,7/8/ :00,0,,,0 3 dacl Troy 380 dacl dacl dacl_for_troy dacl 7/8/ :00 5 ACS for Windows ACS Windows ACS SE ACS SE FTP Cisco Secure ACS

70 RDBMS dacl 4 RDBMS dacl CSV accountactions 4-2 CSV accountactions CSV accountactions.csv 4-2 CSV accountactions

SequenceId,Priority,UserName,GroupName,Action,ValueName,DateTime,MessageNo,ComputerNames,appid,status
1,1,Troy,Group 5,100,ipassword,7/8/ :00,0,,,0
2,1,,,385,C:\dACL_folder\dACL_create.txt,7/8/ :00,0,,,0
3,1,Troy,,380,DACL_For_Troy,7/8/ :00,0,,,

accountactions dacl dacl 4-2 dacl dacl 100 ADD_USER UN GN V1 32 V1 385 CREATE_DACL VN dacl VN = <input_file_name> input_file_name dacl ACS for Windows ACS Windows ACS SE ACS SE FTP ACS for Windows C:\DACL\create_DACL_for_User_1.txt dacl NAF 380 CREATE_USER_DACL UN GN VN dacl dacl ACS UN = GN = VN = dacl dacl

71 4 RDBMS dacl RDBMS dacl 4 CSV RDBMS CSV RDBMS 1 2 System Configuration RDBMS Synchronization Interface Configuration > Advanced Options RDBMS Synchronization RDBMS Synchronization Setup 3 ACS for Windows a. RDBMS Synchronization Setup RDBMS Synchronization Setup ACS for Windows b. Use local CSV file c. AccountActions file P accountactions dacl dacl CSV accountactions d. Directory CSV accountactions accountactions ACS 4 ACS SE a. RDBMS Synchronization Setup 4-2 Cisco Secure ACS

72 RDBMS dacl 4 RDBMS dacl 4-2 RDBMS Synchronization Setup ACS SE b. Actions File accountactions accountactions.csv FTP accountactions FTP Server ACS accountactions FTP IP DNS Directory FTP accountactions FTP. Username ACS FTP Password Login accountactions FTP ACS SE 5 ACS for Windows ACS SE Synchronization Scheduling Synchronization Partners 4-3 RDBMS Synchronization Setup Synchronization Scheduling Synchronization Partners 4-8 Cisco Secure ACS 4.2

73 4 RDBMS dacl RDBMS dacl 4-3 Synchronization Scheduling Synchronization Partners 6 Manually RDBMS Manually Every X minutes ACS 60 At specific times ACS 1 7 accountactions ACS AAA Servers --> ACS Synchronize 8 ACS Synchronize Synchronize ACS <-- ACS Synchronize Cisco Secure ACS

74 RDBMS dacl 4 RDBMS dacl 9 Synchronize Now ACS Reports and Activity RDBMS Synchronization 5 RDBMS RDBMS dacl 2 ACS GUI RDBMS CSDBSync dacl ACS GUI RDBMS ACS for Windows ACS SE RDBMS Synchronization Synchronize Now ACS CSV accountactions dacl CSDBSync dacl CSDBSync dacl ACS for Windows Windows csdbsync -run CSV accountactions CSDBSync ACS 1 ACS accountactions 1 2 a. CSDBSync net stop csdbsync b. net start csdbsync c. csdbsync -run csdbsync -syncnow ACS CSV RDBMS 4-10 Cisco Secure ACS 4.2

75 4 RDBMS dacl RDBMS dacl ACS SE ACS SE csdbsync -syncnow RDBMS ACS SE CSDBSync ACS SE FTP FTP SSH a. CSDBSync net stop csdbsync b. net start csdbsync c. csdbsync -run csdbsync -syncnow ACS SE CSV RDBMS RDBM ACS SE SSH RDBMS ACS SSH csdbsync -syncnow csdbsync -syncnow csdbsync -run CSDBSync ACS SE 6 dacl RDBMS dacl dacl dacl 1 2 Shared Profile Components Downloadable IP ACLs Downloadable IP ACLs Downloadable IP ACLs Name P dacl dacl Cisco Secure ACS

76 RDBMS dacl 4 RDBMS dacl 3 dacl Downloadable IP ACLs dacl dacl ACL Contents P dacl Content#1 4 Downloadable IP ACL Content ACL Downloadable IP ACL Content 4-12 Cisco Secure ACS 4.2

4 RDBMS dacl RDBMS dacl 5 dacl P.4-3 RDBMS dacl P CSDBSync dacl

4-3 dacl

Failed to process DACL.DACL not defined.
Failed to process DACL.Could not find NAF.
Failed to process DACL.Failed to get UserID.
Failed to process DACL.DACL content not found.
Failed to upload file into FTP server.
Failed to import DACL file.
Failed to access Host DB.

dacl dacl dacl dacl NAF dacl ACS SE RDBMS FTP ID ID ACS SE FTP dacl dacl ACL FTP RDBMS FTP IP RDBMS ID ACS ACS CSDBSync ACS ACS ACS GUI

dacl 4 RDBMS dacl dacl 4-4 dacl

4-4 dacl

386 READ_DACL VN V1 dacl VN = dacl dacl * V1 = <output_file_name> output_file_name dacl ACS SE output_file_name ACS SE FTP DumpDACL.txt ACS for Windows C:\temp\DACL.txt ACS\bin

4 RDBMS dacl dacl

4-4 dacl

387 UPDATE_DACL VN V1 dacl VN = <input_file_name> input_file_name dacl ACS SE input_file_name ACS SE FTP ACS for Windows C:\DACL\dump.txt V1=DACL_REPLACE DACL_APPEND DACL_REPLACE DACL_REPLACE dacl dacl DACL_APPEND dacl dacl dacl dacl NAF dacl
388 DELETE_DACL VN dacl VN = dacl dacl * dacl dacl dacl

4 RDBMS dacl dacl dacl 4-5 dacl

4-5 dacl

381 UPDATE_USER_DACL UN GN VN dacl dacl ACS UN = GN = VN = dacl dacl
382 DELETE_USER_DACL UN GN dacl UN = GN =

81 4 RDBMS dacl RDBMS RDBMS RDBMS AAA AAA AAA AAA AAA AAA Proxy Distribution Table RDBMS User Guide for Cisco Secure ACS, 4.2 E RDBMS Synchronization Import Definitions AAA RDBMS 1 AAA accountactions AAA 1 AAA RDBMS AAA Cisco Secure ACS

82 4 RDBMS RDBMS dacl 4-6 AAA 224 UPDATE_NAS VN V1 V2 V3 AAA VN = AAA V1 = IP V2 = 225 READ_NAS VN V1 V3 = AAA AAA NDG AAA CSUtil NAS VN = <output_file_name> output_file_name ACS SE FTP DumpNAS.txt ACS for Windows C:\MyNAS\dump.txt AAA \ACS\bin\DumpNAS.txt V1 = NDG V1 NDG 4-18 Cisco Secure ACS 4.2

83 CHAPTER 5 Cisco Secure ACS ACS 2002 Sarbanes-Oxley Act SOX ; SOX ACS SOX ACS Account Never Expires Cisco Secure ACS

84 5 ACS 1 P P P IP P Cisco Secure ACS 4.2

85 Administration Control Administration Control Administration Control Administration Control 2 Add Administrator Add Administrator 3 Administrator Details Cisco Secure ACS

86 1 5 Administrator Name Password ACS 1 32 < > \ ACS ACS Web ACS Administrator Password Policy Password Validation Options ASCII Confirm Password Account Never Expires Account Locked Password Administrator Password Policy Account Never Expires Password Policy Account Locked Administration Control Last Password Change Last Activity / 4 Grant All Revoke All 5-4 Cisco Secure ACS 4.2

87 5 1 5 User Guide for Cisco Secure Access Control Server Administrators and Administrative Policy Add Administrator and Edit Administrator Pages 6 P Cisco Secure ACS

88 Administration Control Password Policy Administrator Password Policy Setup Administrator Password Policy Setup 5-6 Cisco Secure ACS 4.2

89 5 2 2 Password Policy Setup Password Validation Options P.5-7 Password Validation Options Password Lifetime Options P.5-7 Password Lifetime Options Password Inactivity Options P.5-8 Password Inactivity Options Incorrect Password Attempt Option P.5-8 Incorrect Password Attempt Options Password Validation Options Password Validation Options Password may not contain the username Minimum length n characters n Uppercase alphabetic characters Lowercase alphabetic characters Numeric characters Non alphanumeric Password must be different from the previous n versions n Password Lifetime Options Password Lifetime Options The password will require change after n days n ACS The Administrator will be locked out after n days 2 2 The Administrator will be locked out after n days n ACS Cisco Secure ACS

90 2 5 Password Inactivity Options Password Inactivity Options The password will require change after n days n ACS The Administrator will be locked out after n days 2 2 ACS The Administrator will be locked out after n days n ACS ACS Incorrect Password Attempt Options Incorrect Password Attempt Options Lock out Administrator after n successive failed attempts n n 0 ACS ACS Account Never Expires 5-8 Cisco Secure ACS 4.2

91 Administration Control Session Policy Session Policy Setup Session Policy Setup 2 Session Policy Setup Session idle timeout (minutes) ACS 4 ACS ACS Allow Automatic Local Login ACS for Windows ACS local_login ACS local_login Administration Control local_login local_login Administrative Audit Cisco Secure ACS

92 4 5 Respond to invalid IP address connections Access Policy IP ACS 4 SSL P.7-4 CA P.7-5 SSL ACS SSL SSL ACS 1 Administration Control Administration Control 2 Access Policy Access Policy Setup Cisco Secure ACS 4.2

93 Access Policy Setup 3 IP Address Filtering 5-1 Access Policy IP Address Filtering Allow all IP addresses to connect Web IP Allow only listed IP addresses to connect IP Address Ranges IP Web Cisco Secure ACS

94 Access Policy Reject connections from listed IP addresses IP Address Ranges IP Web IP Web HTTP IP HTTP NAT IP HTTP NAT IP IP Address Ranges IP Address Ranges IP 10 Start IP Address End IP Address 10 IP Class C Start IP Address IP 16 End IP Address IP 16 HTTP Configuration HTTP Port Allocation Allow any TCP ports to be used for Administration HTTP Access Web ACS TCP 5-12 Cisco Secure ACS 4.2

95 Access Policy Restrict Administration Sessions to the following port range From Port n to Port n Web ACS TCP 5 ACS ACS 2002 HTTP ACS HTTP 2002 HTTP 2002 Web Secure Socket Layer Setup Use HTTPS Transport for Administration Access ACS Web HTTP HTTP IP ACS Secure Sockets Layer SSL CSAdmin Web Web HTTP ACS HTTP URL HTTPS SSL SSL System Configuration > ACS Certificate Setup SSL ACS HTTPS Cisco Secure ACS

96 IP Address Filtering IP HTTP Port Allocation ACS SSL Submit ACS 5-14 Cisco Secure ACS 4.2

97 5 SOX ACS ACS ACS Privilege Combined Privilege Users to Groups Mapping 1 Reports and Activity Reports 2 Entitlement Reports Excel Cisco Secure ACS


99 CHAPTER 6 Cisco Secure Access Control Server ACS ACS Lightweight Directory Access Protocol LDAP ACS LDAP P.6-2 P.6-4 P.6-6 P.6-28 Cisco Secure ACS

100 6 ACS ACS 802.1x Cisco Trust Agent 2 Extensible Authentication Protocol over User Datagram Protocol EoU ACS MAC MAC Authentication Bypass MAB 1. NAD NAD MAC 2. NAD MAC calling-station-id servicetype=10 RADIUS ACS 3. MAB ACS ACS MAC ACS LDAP LDAP 4. MAC ID ACS LDAP MAC ACS MAC ACS MAC ACS ACS calling-station-id MAC IP IP 6-1 MAB 6-2 Cisco Secure ACS 4.2

101 6 6-1 MAB LDAP : MAC : MAC + MAC NAD MAC Service-type-10 ACS GAME ACS NAD ACS ACS Cisco Network Admission Control NAC; Generic Authorization Message Exchange GAME; ACS GAME MAC ACS MAC GAME NAC ACS RADIUS GAME NAP P.9-80 GAME 9 NAC P.9-84 GAME Cisco Secure ACS

102 6 ACS 1 ACS for Windows ACS Solution Engine ACS SE P ACS 2 RADIUS AAA P RADIUS AAA 3 ACS a. ACS b. Windows c. ACS d. CA e. P ACS 4 MAB LDAP a. MAB LDAP b. ACS 1 LDAP P MAB LDAP 5 MAB P MAB 6 a. b. c. MAB P Cisco Secure ACS 4.2

103 6 Passed Authentications Failed Attempts Bypass Info P ACS NAC GAME P.6-28 GAME Cisco Secure ACS

104 6 1 ACS ACS Windows 2000 Server Windows 2003 Cisco Secure ACS SE ACS 1 ACS ACS Installation Guide for Cisco Secure ACS for Windows 4.2 Installation Guide for Cisco Secure ACS Solution Engine ACS for Windows ACS ACS GUI ACS SE ACS GUI add guiadmin GUI Installation Guide for Cisco Secure ACS Solution Engine 4.2 A Command Reference GUI Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Release ACS Admin ACS GUI ACS Admin ACS URL IP_address ACS IP hostname ACS 6-6 Cisco Secure ACS 4.2

105 6 2 RADIUS AAA RADIUS AAA RADIUS AAA 1 Network Configuration Network Configuration 2 1 Network Device Group NDG; AAA NDG AAA Clients Add Entry NDG AAA AAA Clients Add Entry Add AAA Client Add AAA Client Cisco Secure ACS

106 AAA Client Hostname AAA 32 AAA Client IP Address AAA IP NDG Network Device Group AAA NDG Not Assigned AAA NDG Authenticate Using RADIUS (IOS/PIX) AAA Submit + Apply 3 ACS ACS for Windows Cisco Secure ACS SE User Guide for Cisco Secure ACS System Configuration: Authentication and Certificates ACS ACS 1 2 ACS \Certs a. DOS b. mkdir <selected_drive>:\certs selected_drive 3 \Certs server.cer server.pvk ca.cer CA 6-8 Cisco Secure ACS 4.2

107 6 Windows ACS for Windows Windows 1 2 Windows <selected_drive>:\certs selected_drive 3 \Certs\ca.cer Certificate 4 Install Certificate Windows 5 6 Windows 2000 Server 1 ACS 1 System Configuration System Configuration 2 ACS Certificate Setup 3 Install ACS Certificate 4 Install ACS Certificate 6-3 Cisco Secure ACS

108 6 6-3 Install ACS Certificate Read certificate from file Certificate file c:\certs\server.cer Private Key File c:\certs\server.pvk Private Key password 1111 Submit 10 ACS 11 ACS ACS P.6-11 CA CA 1 2 System Configuration > ACS Certificate Setup > ACS Certification Authority Setup ACS Certification Authority Setup Cisco Secure ACS 4.2

109 6 6-4 ACS Certification Authority Setup 3 4 CA certificate file CA c:\certs\ca.cer Submit 1 System Configuration > ACS Certificate Setup > Edit Certificate Trust List Edit Certificate Trust List Stress Submit System Configuration > Service Control Restart ACS Cisco Secure ACS

110 6 4 MAB LDAP MAB ACS MAC ACS GUI MAC LDAP MAB LDAP 1 MAB LDAP P.6-12 MAB LDAP 2 ACS 1 LDAP P.6-16 ACS 1 LDAP MAB LDAP MAB LDAP 1 LDAP ACS MAB LDAP LDAP 6-1 LDAP Lightweight Directory Interchange Format LDIF 6-12 Cisco Secure ACS 4.2

6-1 MAB LDAP

dn: ou=mab Segment, o=mycorp
ou: MAB Segment
objectclass: top
objectclass: organizationalunit
description: MAC Authentication Bypass Sub-Tree

dn: ou=mac Addresses, ou=mab Segment, o=mycorp
ou: MAC Addresses
objectclass: top
objectclass: organizationalunit

dn: ou=mac Groups, ou=mab Segment, o=mycorp
ou: MAC Groups
objectclass: top
objectclass: organizationalunit

dn: cn=user00-wxp.emea.mycorp.com,ou=mac Addresses, ou=mab Segment, o=mycorp
iphostnumber:
objectclass: top
objectclass: iphost
objectclass: ieee802device
macaddress: 00:11:22:33:44:55
cn: user00-wxp.emea.mycorp.com

dn: cn=user11-wxp.emea.mycorp.com,ou=mac Addresses, ou=mab Segment, o=mycorp
iphostnumber:
objectclass: top
objectclass: iphost
objectclass: ieee802device
macaddress:
cn: user11-wxp.emea.mycorp.com

dn: cn=group_1_colon,ou=mac Groups, ou=mab Segment, o=mycorp
objectclass: top
objectclass: groupofuniquenames
description: group of delimited MAC Addresses
uniquemember: cn=user00-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
uniquemember: cn=user77a-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
uniquemember: cn=user88-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
cn: Group_1_colon

dn: cn=group_2_dash,ou=mac Groups, ou=mab Segment, o=mycorp
objectclass: top
objectclass: groupofuniquenames
description: group of - delimited MAC Addresses
uniquemember: cn=user11-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
uniquemember: cn=user77b-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
cn: Group_2_dash

LDAP LDAP 6-5 MAB LDAP MAB MAC MAC x n 802.1x n+1 LDAP 00 LDAP LDAP 2

dn: ou=mac Addresses, ou=mab Segment, o=mycorp
ou: MAC Addresses
objectclass: top
objectclass: organizationalunit

dn: ou=mac Groups, ou=mab Segment, o=mycorp
ou: MAC Groups
objectclass: top
objectclass: organizationalunit

LDAP MAC Addresses ACS IEEE 802.1x MAC ACS LDAP LDAP User Directory Subtree MAC Groups MAC LDAP ACS LDAP LDAP Group Directory Subtree

LDAP LDAP LDAP LDAP LDAP cn=group_1_colon

dn: cn=group_1_colon,ou=mac Groups, ou=mab Segment, o=mycorp
objectclass: top
objectclass: groupofuniquenames
description: group of delimited MAC Addresses
uniquemember: cn=user00-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
uniquemember: cn=user77a-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
uniquemember: cn=user88-wxp.emea.mycorp.com, ou=mac Addresses, ou=mab Segment, o=mycorp
cn: Group_1_colon

ACS MAC LDAP ACS LDAP ACS LDAP LDAP objectclass uniquemember ACS LDAP Common LDAP Configuration GroupObjectClass LDAP P.6-12 MAB LDAP uniquemember 1 uniquemember 1 MAC LDAP LDAP objectclass user00 user77a user88 LDAP ACS LDAP Common LDAP Configuration Group Attribute Name LDAP P.6-12 MAB LDAP

114 6 ACS 1 LDAP MAB LDAP 1 LDAP ACS P.6-12 MAB LDAP LDAP ACS ACS ACS LDAP 1 External User Databases External User Databases 2 Database Configuration External User Database Configuration 3 Generic LDAP Database Configuration Creation LDAP External User Database Configuration 4 1 LDAP Create New Configuration External User Database Configure 5 6 LDAP LDAP Submit Configure 4 Generic LDAP Configuration Domain Filtering Common LDAP Configuration ACS LDAP Primary LDAP Server LDAP Secondary LDAP Server LDAP 7 8 User Guide for Cisco Secure Access Control Server Configuring a Generic LDAP External User Database LDAP 6-6 Common LDAP Configuration 6-16 Cisco Secure ACS 4.2

115 6 6-6 Common LDAP Configuration User Directory Subtree DN MAB 6-1 LDAP DN ou=mac Addresses, ou=mab Segment, o=mycorp Group Directory Subtree LDAP DN MAB MAC 6-1 LDAP DN ou=mac Groups, ou=mab Segment, o=cisco UserObjectType LDAP 6-1 LDAP macaddress UserObjectClass LDAP objecttype objecttype 6-1 LDAP ieee802device GroupObjectType 6-1 LDAP cn GroupObjectClass MAB LDAP 6-1 ieee802device GroupAttributeName MAB LDAP LDAP 6-1 LDAP uniquemember Server Timeout LDAP ACS LDAP On Timeout Use Secondary ACS LDAP Cisco Secure ACS

116 6 Failback Retry Delay LDAP LDAP ACS 0 ACS LDAP Max. Admin Connections LDAP LDAP 0 User Directory Subtree Group Directory Subtree LDAP 6-7 Primary LDAP Server Secondary LDAP Server 6-7 LDAP Server Configuration a. LDAP Hostname LDAP IP DNS IP Port LDAP TCP/IP LDAP 389 LDAP 636 LDAP Version ACS LDAP LDAP 3 2 ACS LDAP 3 ACS LDAP Cisco Secure ACS 4.2

117 6 Security ACS SSL ACS LDAP SSL LDAP Trusted Root CA Certificate Database Path ACS LDAP SSL ACS SE Port LDAP SSL Trusted Root CA LDAP over SSL Netscape cert7.db ACS SSL LDAP Certificate DB Path ACS for Windows Netscape cert7.db ACS SE Download Certificate Database User Guide for Cisco Secure Access Control Server 12 User Databases LDAP Configuration Options Admin DN DN User Directory Subtree LDAP LDAP uid=user id,[ou=organizational unit,][ou=next organizational unit]o=organization user id organizational unit next organizational unit uid=joesmith,ou=members,ou=administrators,o=cisco LDAP username group name LDAP Password Admin DN LDAP b. LDAP Secondary LDAP Server LDAP Secondary LDAP Server Primary LDAP Server 9 Submit Cisco Secure ACS

118 6 5 MAB MAC ACS NAR User Guide for Cisco Secure ACS User Group Management 6 NAP NAP 1 NAP P.6-20 NAP 2 3 Protocols Allow Agentless Request Processing Authentication MAB P.6-23 MAB 4 NAC NAP P.6-23 NAP NAP NAP 1 Network Access Profiles Network Access Profiles Cisco Secure ACS 4.2

119 6 6-8 Network Access Profiles 2 Add Profile Profile Setup Profile Setup Cisco Secure ACS

120 Name NAP NAF NAF NAF Protocol types RADIUS 1 NAP Submit Edit Network Access Protocols Edit Network Access Protocols 6-22 Cisco Secure ACS 4.2

121 6 NAP NAP 1 Edit Network Access Profiles Protocols NAP Protocols Settings 6-11 Protocols Settings 6-11 Protocols Settings Allow Agentless Request Processing ACS NAC EAP Configuration Allow Posture Validation Submit MAB MAB MAB 1 Edit Network Access Profiles Authentication NAP Authentication Settings 6-12 Authentication Settings Cisco Secure ACS

122 Authentication Settings 2 Credential Validation Databases ACS Generic LDAP LDAP External User Databases > External User Database Configuration LDAP 3 4 Credential Validation Databases LDAP LDAP Server External User Databases > External User Database Configuration LDAP MAC ACS a. Internal ACS DB b. Add MAC Cisco Secure ACS 4.2

123 MAC c. MAC MAC 1 MAC MAC ab : :23:45:67:89:ab ab d. User Group MAC e. MAC Add Default Action If Agentless request was not assigned a user-group MAC LDAP ACS LDAP MAC EAP Posture Validation Authorization Submit Cisco Secure ACS

124 6 7 MAB CSAuth MAB MAB Performing Mac Authentication Bypass on <MAC_address> MAC_address MAC MAC <MAC_address> was (not) found in <DB_name> and mapped to <user_group> user-group MAC_address MAC DB_name MAC_address user_group MAC MAC ACS NAD MAC MAC Passed Authentications Failed attempts MAB Bypass info Passed Authentications Failed Attempts 1 System Configuration System Configuration 2 Logging Logging Configuration Logging Configuration ACS 3 CSV ODBC syslog 3 Bypass info a. Configure Passed Authentications CSV Enable Logging b. Enable Logging c. Select Columns to Log Attributes Bypass Info d. Logged Attributes e Cisco Secure ACS 4.2

125 6 f. Logging Configuration g. Submit Failed Attempts 3 4 Cisco Secure ACS

126 6 NAC ACS LDAP printer PC FAX machine MAC IP MAC IP ACS 4.2 NAC GAME GAME GAME NAP GAME Request Device Type from Audit Server MAC GAME GAME CSUtil CSUtil NAC External Posture Validation Audit Server Setup GAME External Posture Validation Audit Server Setup Which Hosts Are Audited GAME RADIUS 8 GAME 9 NAC P.9-84 GAME 6-28 Cisco Secure ACS 4.2

127 CHAPTER 7 PEAP/EAP-TLS PEAP ACS EAP-TLS EAP-TLS PEAP ACS NAD 2 EAP-TLS ACS NAD Microsoft EAP-TLS 1 P P EAP-TLS P EAP-TLS Cisco Secure ACS

128 1 7 PEAP/EAP-TLS 1 ACS for Windows Cisco Secure ACS Solution Engine User Guide for Cisco Secure ACS System Configuration: Authentication and Certificates ACS EAP-TLS ACS 1 2 ACS \Certs a. DOS b. mkdir <selected_drive>:\certs selected_drive 3 \Certs server.cer server.pvk ca.cer CA Windows Windows 1 2 Windows <selected_drive>:\certs selected_drive 3 \Certs\ca.cer Certificate 4 Install Certificate Windows 7-2 Cisco Secure ACS 4.2

129 7 PEAP/EAP-TLS Windows 2000 Server 1 ACS 1 System Configuration System Configuration ACS Certificate Setup Install ACS Certificate Install ACS Certificate Install ACS Certificate Read certificate from file Certificate file c:\certs\server.cer Private Key File c:\certs\server.pvk Cisco Secure ACS

130 1 7 PEAP/EAP-TLS 8 9 Private Key password 1111 Submit 10 ACS 11 ACS ACS P.7-5 CA CA 1 2 System Configuration > ACS Certificate Setup > ACS Certification Authority Setup ACS Certification Authority Setup ACS Certification Authority Setup 3 4 CA certificate file CA c:\certs\ca.cer Submit 7-4 Cisco Secure ACS 4.2

131 7 PEAP/EAP-TLS 1 1 System Configuration > ACS Certificate Setup > Edit Certificate Trust List Edit Certificate Trust List 2 Stress 3 4 Submit System Configuration > Service Control Restart ACS Cisco Secure ACS

132 2 7 PEAP/EAP-TLS 2 1 System Configuration System Configuration 2 Global Authentication Setup Global Authentication Setup Global Authentication Setup 3 PEAP EAP_MSCHAP2 EAP-GTC 7-6 Cisco Secure ACS 4.2

133 7 PEAP/EAP-TLS 3 EAP-TLS 4 ACS Enable Posture Validation 3 EAP-TLS EAP-TLS 1 Certificate SAN comparison Subject Alternative Name (SAN) Certificate CN comparison Subject Common Name (CN) Certificate Binary comparison LDAP Active Directory EAP-TLS ODBC 4 EAP-TLS 7-4 NAP Protocols EAP Configuration 7-4 NAP Protocols EAP Configuration Cisco Secure ACS


135 CHAPTER 8 syslog ACS syslog AAA 2 syslog syslog syslog ACS 1 System Configuration System Configuration 2 Logging Logging Configuration 8-1 Cisco Secure ACS

136 syslog 8 syslog 8-1 Logging Configuration 3 syslog Logging Configuration syslog Configure Enable Logging Cisco Secure ACS 4.2

137 8 syslog syslog 8-2 Enable Logging 4 syslog 8-2 Log to Syslog Failed Attempts Report Select Columns to Log syslog 5 Attributes Logged Attributes Syslog Servers ACS syslog IP syslog IP Port syslog Max message length (Bytes) ACS syslog 2 syslog Cisco Secure ACS

ACS syslog 8 syslog 6 7 Submit syslog ACS syslog ACS syslog

<n> mmm dd hh:mm:ss XX:XX:XX:XX TAG msg_id total_seg seg# A1=V1

n Priority RFC 3164 syslog facility 8 severity
mmm dd hh:mm:ss
XX:XX:XX:XX syslog IP
TAG
  CisACS_01_PassedAuth Cisco ACS
  CisACS_02_FailedAuth Cisco ACS
  CisACS_03_RADIUSAcc Cisco ACS RADIUS
  CisACS_04_TACACSAcc Cisco ACS TACACS+
  CisACS_05_TACACSAdmin Cisco ACS TACACS+
  CisACS_06_VoIPAcc Cisco ACS VoIP
  CisACS_11_BackRestore ACS
  CisACS_12_Replication ACS
  CisACS_13_AdminAudit ACS
  CisACS_14_PassChanges ACS
  CisACS_15_ServiceMon ACS
  CisACS_16_ApplAdmin ACS
msg_id ID 1 ID
total_seg
seg#
A1=V1 Cisco ACS, ACS

syslog 4 AAA 13 ACS ACS syslog

8 syslog ACS syslog 13 6 Priority 110 8x13 +6 Priority syslog System3.Info <110> syslog ACS syslog ACS syslog

<110> Oct 16 08:58: CisACS_13_AdminAudit 18729fp AAA Server=tfurman-w2k,admin-username=local_login,browser-ip= ,text-message=Administration session finished,

<110> 13 ACS syslog 1 1 ; 1 ACS 1 <msg_id> <total_seg> <seg#> syslog 1,024 Cisco Security Monitoring, Analysis and Response System MARS 500


141 CHAPTER 9 NAC Cisco Secure Access Control Server 4.2 ACS Cisco Network Admission Control 1 ACS P P P Administration Control P P P NAC P NAP P P P GAME P.9-78 Cisco Secure ACS

142 1 ACS 9 NAC 1 ACS ACS ACS Windows 2003 Cisco Secure ACS Solution Engine ACS SE ACS Installation Guide for Cisco Secure ACS for Windows Release 4.2 Installation Guide for Cisco Secure ACS Solution Engine Release 4.2 ACS 1 ACS ACS for Windows a. ACS b. ACS CD CD-ROM c. CD-ROM Windows ACS for Windows ACS CD setup.exe d. Cisco Secure ACS for Windows Install ACS SE Installation Guide for Cisco Secure ACS Solution Engine Installing and Configuring Cisco Secure ACS SE ACS for Windows ACS ACS GUI 3 4 ACS GUI ACS IP_address ACS IP hostname ACS 9-2 Cisco Secure ACS 4.2

143 9 NAC 2 2 RADIUS AAA P.9-3 AAA P.9-5 RADIUS AAA NAC RADIUS AAA RADIUS AAA 1 Network Configuration Network Configuration 2 1 Network Device Group NDG; AAA NDG AAA Clients Add Entry NDG AAA Not Assigned AAA Clients Add Entry Add AAA Client 9-1 Cisco Secure ACS

144 2 9 NAC 9-1 Add AAA Client 3 4 AAA Client Hostname AAA 32 AAA Client IP Address AAA IP IP *.*.*.* NAD 1 AAA AAA AAA AAA 5 Shared Secret AAA mynet123 AAA ACS ACS 9-4 Cisco Secure ACS 4.2

145 9 NAC NDG Network Device Group AAA NDG Not Assigned AAA NDG EAP-TLS RADIUS RADIUS AAA NDG NDG AAA ACS AAA NAP Authentication Settings EAP-TLS a. Key Encryption Key (KEK) Pairwise Master Key PMK 20 b. Message Authenticator Code Key (MACK) RADIUS HMAC 16 c. Key Input Format ASCII 16 ASCII 8 9 Authenticate Using RADIUS (IOS/PIX) AAA 10 Submit + Apply AAA AAA ACS Windows 2003 AAA AAA 1 Network Configuration Network Configuration 2 AAA Servers AAA Server Name AAA AAA Server Setup 9-2 Cisco Secure ACS

146 2 9 NAC 9-2 AAA Server Setup 3 4 Key AAA Submit and Apply 9-6 Cisco Secure ACS 4.2

147 9 NAC 3 3 ACS P.9-7 P.9-11 ACS ACS ACS EAP-FAST Protected Access Credential PAC ACS NAC CA RA PKI ACS for Windows Cisco Secure ACS Solution Engine User Guide for Cisco Secure ACS System Configuration: Authentication and Certificates ACS ACS 1 2 ACS \certs a. DOS b. mkdir <selected_drive>:\certs selected_drive 3 \certs ACS-1.nac.cisco.com.cer ACS-1.PrivateKey.txt ca.nac.cisco.com.cer CA ACS Cisco Secure ACS

148 3 9 NAC ACS ACS 1 System Configuration System Configuration 2 ACS Certificate Setup ACS Certificate Setup 3 ACS Certification Authority Setup ACS Certificate Authority Setup ACS Certificate Authority Setup 4 5 Submit ACS System Configuration > Service Control Restart ACS ACS CA ACS 1 System Configuration System Configuration 2 ACS Certificate Setup > Edit Certificate Trust List Edit Certificate Trust List 9-8 Cisco Secure ACS 4.2

149 9 NAC CA Submit ACS System Configuration > Service Control Restart ACS CA CA 1 2 System Configuration > ACS Certificate Setup > ACS Certification Authority Setup ACS Certification Authority Setup ACS Certification Authority Setup 3 4 CA certificate file CA c:\certs\ca.cer Submit ACS ACS 1 System Configuration System Configuration 2 ACS Certificate Setup Cisco Secure ACS

150 3 9 NAC 3 4 Install ACS Certificate Install ACS Certificate Install ACS Certificate Read certificate from file Certificate file c:\certs\server.cer Private key file c:\certs\server.pvk 8 9 Private Key password cisco123 Submit 10 ACS 11 ACS System Configuration > Service Control Restart ACS 9-10 Cisco Secure ACS 4.2

151 9 NAC 3 P.9-11 EAP-FAST P.9-14 ACS 1 System Configuration System Configuration 2 Global Authentication Setup Global Authentication Setup 9-6 Cisco Secure ACS

152 3 9 NAC 9-6 Global Authentication Setup 9-12 Cisco Secure ACS 4.2

153 9 NAC 3 3 PEAP NAP Allow EAP-MSCHAPv2. EAP-MSCHAP Protected Extensible Access Protocol PEAP Microsoft Challenge and Response Protocol EAP-MSCHAPv2 User Guide for Cisco Secure ACS, Overview Authentication Allow EAP-GTC. EAP Generic Token Card EAP-GTC User Guide for Cisco Secure ACS System Configuration: Authentication and Certificates EAP-FAST Authentication Allow Posture Validation. User Guide for Cisco Secure ACS, Posture Validation What Is Posture Validation? 4 EAP-TLS a. Allow EAP-TLS b. Certificate SAN comparison Certificate Binary comparison c. EAP-TLS timeout EAP-MD5 Allow EAP-MD5 6 MS-CHAP configuration Allow MS-CHAP Version 1 Authentication Allow MS-CHAP Version 2 Authentication MS-CHAP 7 Submit + Restart 8 P.9-14 EAP-FAST EAP-FAST Cisco Secure ACS

154 3 9 NAC EAP-FAST ACS NAC EAP-FAST 1 System Configuration System Configuration 2 Global Authentication Setup Global Authentication Setup EAP-FAST Configuration EAP FAST Configuration Cisco Secure ACS 4.2

155 9 NAC EAP-FAST Configuration 4 5 Allow EAP-FAST Client Initial Message Welcome 6 Authority ID Info 9-8 ACS NAC Server Cisco Secure ACS

156 3 9 NAC Allow anonymous in-band PAC provisioning Allow authenticated in-band PAC provisioning Accept client on authenticated provisioning Require client certificate for provisioning EAP-GTC EAP-MSCHAPv2 EAP-TLS EAP-FAST Master Server Certificate SAN comparison Certificate Binary comparison EAP-TLS 10 Submit + Restart ACS 1 System Configuration System Configuration 2 Service Control 3 Level of Detail Full Full Full Normal 4 5 Manage Directory 7 Restart ACS ACS ACS GUI 9-16 Cisco Secure ACS 4.2

157 9 NAC 3 ACS User Guide for Cisco Secure ACS Logs and Reports Failed Attempts RADIUS Accounting NAC/NAP Passed Authentications NAC Passed Authentication Passed Authentications 1 System Configuration System Configuration 2 Logging Logging Configuration CSV Passed Authentications File Configuration CSV Passed Authentications File Configuration Cisco Secure ACS

158 3 9 NAC 3 4 Log to CSV Passed Authentications Report Attributes Logged Attributes Message-Type User-Name Caller-ID NAS-Port NAS-IP-Address AAA Server Filter Information Network Device Group Access Device PEAP/EAP-FAST-Clear-Name Logged Remotely EAP Type EAP Type Name Network Access Profile Name Outbound Class Shared RAC Downloadable ACL System-Posture-Token Application-Posture-Token Reason Profile Name 5 6 Submit ACS Reports CSV RADIUS Accounting Configure CSV RADIUS Accounting File Configuration Log to CSV RADIUS Accounting Report 7 Attributes Logged Attributes User-Name Group-Name Calling-Station-Id Acct-Status-Type Acct-Session-Id Acct-Session-Time Acct-Input-Octets 9-18 Cisco Secure ACS 4.2

159 9 NAC 3 Acct-Output-Octets Acct-Input-Packets Acct-Output-Packets Framed-IP-Address NAS-Port NAS-IP-Address Class Termination-Action Called-Station-Id Acct-Delay-Time Acct-Authentic Acct-Terminate-Cause Event-Timestamp NAS-Port-Type Port-Limit NAS-Port-Id AAA Server ExtDB Info Network Access Profile Name cisco-av-pair Access Device Logged Remotely 8 Submit Cisco Secure ACS

160 4 Administration Control 9 NAC 4 Administration Control ACS 1 Administration Control System Configuration 2 Add Administrator Add Administrator Add Administrator 9-20 Cisco Secure ACS 4.2

161 9 NAC 4 Administration Control 3 Administrator Details Administrator Name ACS 1 32 < > \ ACS Password ACS Web ACS Administrator Password Policy Password Validation Options ASCII Confirm Password Account Never Expires Account Locked Password Administrator Password Policy Account Never Expires Password Policy Account Locked Administration Control Last Password Change Last Activity / Cisco Secure ACS

162 4 Administration Control 9 NAC 4 Grant All User Guide for Cisco Secure Access Control Server Administrators and Administrative Policy Add Administrator and Edit Administrator Pages 5 Submit ACS URL Cisco Secure ACS 4.2

163 9 NAC 5 5 NAP ACS RADIUS NAP NAP NAP EAP over UDP EoU 802.1x NAP User Guide for Cisco Secure ACS, Network Access Profiles P.9-23 IP ACL P.9-24 RADIUS P.9-28 NAF 1 ACS ACS ACS ACS NDG IP NAF NAP IP ACL NAF All AAA Clients NAF NAF 1 Shared Profile Components Shared Profile Components 2 Network Access Filtering Network Access Filtering 3 Add Edit Network Access Filtering 9-11 Cisco Secure ACS

164 5 9 NAC 9-11 Edit Network Access Filtering 4 5 Name Selected Items Selected Items 6 Submit IP ACL Downloadable IP Access Control List dacl; IP ACL 3 4 Access Control Entry ACE; VPN ACL ACS dacl dacl dacl 9-24 Cisco Secure ACS 4.2

165 9 NAC 5 Assessment Result ACL ACL Access Control Entries ACE; ACE NAC dacl NAF NAP ACL ACL ACE ACL ACL NAP ACL ACL ACL 1 Shared Profile Components > Downloadable IP ACLs dacl Downloadable IP ACL 2 Add Downloadable IP ACLs 9-13 Cisco Secure ACS

166 5 9 NAC 9-13 Downloadable IP ACLs 3 Downloadable IP ACLs ACL Name Description 9-13 ACL IOS ACL ACE ACE 1 Downloadable IP ACLs Add ACL ACE ACL NAF Downloadable IP ACL Content Cisco Secure ACS 4.2

167 9 NAC Downloadable IP ACL Content 2 3 Name ACL ACL Definitions ACL ACL permit deny ACL User Guide for Cisco Secure Access Control Server Shared Profile Components Downloadable IP ACLs 4 Submit ACS ACL ACE ACL Contents ACL Downloadable IP ACLs 9-15 Cisco Secure ACS

168 5 9 NAC 9-15 Downloadable ACL Contents 5 ACL Contents Network Access Filtering ACL NAF NAF All AAA Clients NAF NAF ACE Project Information Exchange PIX NAF ACE PIX ACL 6 Submit ACL ACL dacl dacl ACE Submit dacl RADIUS RADIUS RAC ACS NAD RADIUS RAC RADIUS 1 Cisco IOS.PIX 6.0 IETF Ascend RAC RADIUS VLAN RADIUS RAC VLAN 9-28 Cisco Secure ACS 4.2

169 9 NAC 5 RAC NAC RADIUS EoU (NAC L2 IP) NAC L x RAC Cisco_FullAccess RAC healthy Cisco_Restricted RAC healthy RAC 1 Shared Profile Components Shared Profile Components 2 RADIUS Authorization Components RADIUS Authorization Components RAC 3 Add RADIUS Authorization Components RADIUS Authorization Components Cisco Secure ACS

170 5 9 NAC 4 5 RADIUS Authorization Components Name Description Add New Attribute RAC RADIUS a. Cisco IOS/PIX 6.0 IETF Ascend Add IETF Session-Timeout (27) Add RAC Attribute Add/Edit 9-17 Session-Timeout (27) RAC Attribute Add/Edit 9-17 RAC Attribute Add/Edit b. Value Session-Timeout (27) c. Submit 6 7 Submit RAC System Configuration > Service Control Restart 9-18 Cisco_FullAccess RAC 9-19 Cisco_Restricted RAC 9-30 Cisco Secure ACS 4.2

171 9 NAC Cisco_FullAccess RAC Cisco Secure ACS

172 5 9 NAC 9-19 Cisco_Restricted RAC VLAN RAC RADIUS Session-Timeout 27 RAC Termination-Action 29 Access-Accept RAC RADIUS-Request (1) VLAN Tunnel-Type 64 RAC 10 VLAN 10 VLAN Tunnel-Medium-Type 65 RAC NAC/NAP 802.1x 9-32 Cisco Secure ACS 4.2

173 9 NAC 5 Tunnel-Private-Group-ID 81 VLAN ID RAC Quarantine VLAN ACS 9-1 NAC-L x NAC-L2-IP NAC-L3-IP x RADIUS Accept-Response ACS 9-1 RADIUS-Accept Response NAC-L x NAC-L2-IP NAC-L3-IP x 1 User-Name EAP x x 8 Framed-IP-Address IP x x 26 Vendor-Specific ACL Cisco (9,1) CiscoSecure-Defined-ACL x 26 Vendor-Specific Cisco (9,1) sec:pg x x 26 Vendor-Specific Cisco (9,1) url-redirect x x 26 Vendor-Specific Cisco (9,1) url-redirect-acl x x x 26 Vendor-Specific Cisco (9,1) posture-token x x 26 Vendor-Specific Cisco (9,1) status-query-timeout x x 26 Vendor-Specific Cisco (9,1) host-session-id x x x 26 Vendor-Specific Microsoft = 311 ACS RADIUS NAD ACL Catalyst 6000 sec:pg = <group-name> URL url-redirect = <URL> URL ACL ACL NAD IOS url-redirect-acl =< ACL-Name> / ACS ID ACS MS-MPPE-Recv-Key ACS Cisco Secure ACS

174 5 9 NAC 9-1 RADIUS-Accept Response NAC-L x NAC-L2-IP NAC-L3-IP x x x 27 Session-Timeout x x x 29 Termination-Action x 64 Tunnel-Type 13 = VLAN x 65 Tunnel-Medium-Type 6 = Radius-Request x x x 79 EAP Message Access-Request Access-Challenge EAP / - Access Accept EAP Success - Access Reject EAP Failure x x x 80 Message Authenticator HMAC-MD5 x 81 Tunnel-Private-Group-ID VLAN 9-34 Cisco Secure ACS 4.2

175 9 NAC 6 6 NAC NAC ACS PA 2 ACS ACS 1 ACS bin\csutil ACS 1 \Utils

[attr#0]
vendor-id=[your vendor id]
vendor-name=[the name of your company]
application-id=6
application-name=audit
attribute-id=00003
attribute-name=dummy-attr
attribute-profile=out
attribute-type=unsigned integer

ID [vendor]:6 Internet Assigned Numbers Authority IANA 2 a. DOS b. \<ACS_Install_Dir>\bin\CSUtil -addavp [file_name] ACS_Install_Dir ACS file_name 3 CSAdmin CSLog CSAuth 1 Cisco Secure ACS

176 6 9 NAC 1 2 Posture Validation Components Setup External Posture Validation Audit Setup Add Server External Posture Validation Audit Server Setup External Posture Validation Audit Server Setup 3 a. Name Description b. Which Hosts Are Audited IP MAC c. d. Use These Audit Servers 9-21 External Posture Validation Audit Server Setup Use These Audit Servers 9-36 Cisco Secure ACS 4.2

177 9 NAC Use These Audit Servers e. Use These Audit Servers Audit Validation Server Audit Server Vendor URL 9-22 Audit Flow Settings GAME Group Feedback 9-22 Audit Flow Settings GAME Group Feedback Cisco Secure ACS

178 6 9 NAC f. Audit Flow Setting g. NAC GAME GAME Group Feedback GAME Group Feedback P.9-84 GAME h. Submit 9-38 Cisco Secure ACS 4.2

179 9 NAC 7 NAC 7 NAC NAC ACS ACS 1 Posture Validation Posture Validation Components Setup 2 Internal Posture Validation Setup Posture Validation 3 Add Policy Edit Posture Validation Description Submit 9-23 Cisco Secure ACS

180 7 NAC 9 NAC a. Default b. Posture Assessment Notification String 8 a. Add Rule Edit Posture Validation Rule Edit Posture Validation Rule 9-40 Cisco Secure ACS 4.2

181 9 NAC 7 NAC b. Add Condition Set c. Add/Edit Condition Add/Edit Condition d. Attribute Attribute e. Operator f. Value g. Enter Add/Edit Condition 9-25 h. i. Submit j. Apply and Restart ACS ACS 1 2 Posture Validation Components Setup External Posture Validation Setup Edit External Posture Validation Servers 9-26 Cisco Secure ACS

182 7 NAC 9 NAC 9-26 Edit External Posture Validation Servers External Posture Validation Servers 3 Add Server Add/Edit External Posture Validation Server Cisco Secure ACS 4.2

183 9 NAC 7 NAC 9-27 Add/Edit External Posture Validation Server Name Description URL Submit Cisco Secure ACS

184 7 NAC 9 NAC NAC NAC ACS PA 2 ACS ACS 1 ACS bin\csutil ACS 1 \Utils

[attr#0]
vendor-id=[your vendor id]
vendor-name=[the name of your company]
application-id=6
application-name=audit
attribute-id=00003
attribute-name=dummy-attr
attribute-profile=out
attribute-type=unsigned integer

ID [vendor]:6 Internet Assigned Numbers Authority IANA 2 a. DOS b. \<ACS_Install_Dir>\bin\CSUtil -addavp [file_name] ACS_Install_Dir ACS file_name 3 CSAdmin CSLog CSAuth Cisco Secure ACS 4.2

185 9 NAC 7 NAC 1 2 Posture Validation Components Setup External Posture Validation Audit Setup Add Server External Posture Validation Audit Server Setup External Posture Validation Audit Server Setup 3 a. Name Description b. Which Hosts Are Audited IP MAC c. d. Use These Audit Servers 9-29 External Posture Audit Validation Server Setup Use These Audit Servers Cisco Secure ACS

186 7 NAC 9 NAC 9-29 Use These Audit Servers e. Use These Audit Servers Audit Validation Server Audit Server Vendor URL 9-30 Audit Flow Settings GAME Group Feedback 9-30 Audit Flow Settings GAME Group Feedback 9-46 Cisco Secure ACS 4.2

187 9 NAC 7 NAC f. Audit Flow Setting g. NAC GAME GAME Group Feedback GAME Group Feedback P.9-84 GAME h. Submit NAC 2 ACS 2 RAC ACL 1 1 RAC ACL Cisco Secure ACS

188 8 NAP 9 NAC 8 NAP ACS 4.1 NAC ACS 4.1 NAC ACS 4.1 NAC NAC 3 NAC L3 IP NAC 2 NAC L2 IP NAC x NAC L x NAC L x ACS 4.1 NAC (802.1x) NAC 3 3 NAC System Configuration > Global Authentication Setup Enable Posture Validation 3 NAC 1 Global Authentication Setup Allow Posture Validation EAP-FAST EAP-FAST MS-CHAPv2 EAP-FAST GTC 2 Network Access Profiles Network Access Profiles 3 Add Template Profile Create Profile from Template Cisco Secure ACS 4.2

189 9 NAC 8 NAP 9-31 Create Profile from Template Name Description Template NAC L3 IP Active Submit 3 NAC Edit Network Access Profile Name 3 NAC Profile Setup 8 Profile Setup 1 Network Access Profiles 2 Cisco Secure ACS

190 8 NAP 9 NAC 3 Profile Setup NAC Profile Setup Any Network Access Filter IP NAF IP Protocol types Allow any Protocol type Allow Selected Protocol types 9-50 Cisco Secure ACS 4.2

191 9 NAC 8 NAP Advanced Filtering 2

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

RADIUS RADIUS RADIUS NAC NAC NAC 3 EAP Configuration Cisco Secure ACS

192 8 NAP 9 NAC 1 2 Network Access Profiles Policies Authentication NAC 3 NAC 3 ACS a. ACS Internal ACS DB b. LDAP LDAP Server LDAP c. If Agentless request was not assigned a user-group ACS 9-52 Cisco Secure ACS 4.2

193 9 NAC 8 NAP 9-35 NAC NAC 3 NAC 2 2 NAC 2 NAC 1. Global Authentication Settings EAP-FAST Configuration 2. Allow authenticated in-band PAC provisioning 3. EAP-GTC EAP-MSCHAPv2 2 NAC 1 Network Access Profiles Network Access Profiles 2 Add Template Profile 3 Name Description 4 Template NAC L2 IP 5 Active Cisco Secure ACS

194 8 NAP 9 NAC 6 Submit 2 NAC 2 NAC Profile Setup 2 NAC NAC-EXAMPLE-POSTURE-EXAMPLE Network Access Profiles Profile Setup Cisco Secure ACS 4.2

195 9 NAC 8 NAP NAC Profile Setup Any Network Access Filter IP NAF IP Protocol types Allow any Protocol type Allow Selected Protocol types Advanced Filtering 2

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

RADIUS RADIUS RADIUS 2 NAC IP Advanced Filtering Authentication Cisco Secure ACS

196 8 NAP 9 NAC ACS NAC 2 IP ACS RADIUS NAC AAA ACS RADIUS cisco-av-pair VSA Attribute-Value AV; ACS Cisco Secure-Defined-ACL ACL ACS Cisco Secure-Defined-ACL AV ACL #ACL#-IP-name-number name ACL number 3f ACS Auth-Proxy ACL Access-Control Entry ACE; ACES ACS ACL AAA ACE ACL ACL ACL Any ACE Deny ACL any IP ACE ACL Cisco Secure-Defined-ACL ACE ACS NAC url redirect url-redirect-acl URL cisco-av-pair VSA url-redirect = <HTTP HTTPS URL> url-redirect-acl = switch ACL name AV HTTP Secure HTTP HTTPS Web ACS url-redirect AV Web URL url-redirect-acl AV HTTP HTTPS ACL ACL ACL healthy ACS AV Cisco IOS AV AAA ACL NAC 2 IP ACL IP ACL ACL ACL ACL ACS ACL NAC 2 IP 9-56 Cisco Secure ACS 4.2

197 9 NAC 8 NAP URL ACL ACS ACL ACL ACL ACL ACS ACL 802.1x 2 Authentication Bypass 802.1x ID Populate from Global System Configuration Global Authentication Setup 9-37 NAC NAC 2 2 NAC EAP Configuration Allow EAP-Fast EAP-FAST Cisco Secure ACS

198 8 NAP 9 NAC 1 2 Network Access Profiles Policies Authentication NAC 2 Authentication Settings NAC 2 3 ACS a. ACS Internal ACS DB b. LDAP LDAP Server LDAP c. If Agentless request was not assigned a user-group ACS 9-58 Cisco Secure ACS 4.2

199 9 NAC 8 NAP 9-39 NAC NAC 2 NAC x 2 NAC 802.1x System Configuration > Global Authentication Setup Enable Posture Validation 2 NAC 802.1x 1 Network Access Profiles Network Access Profiles 2 Add Template Profile Create Profile from Template 9-40 Cisco Secure ACS

200 8 NAP 9 NAC 9-40 Create Profile from Template Name Description Template NAC L x Active Submit 2 NAC Edit Network Access Profile Name 2 NAC 802.1x Cisco Secure ACS 4.2

201 9 NAC 8 NAP Profile Setup Network Access Profiles Profile Setup NAC x Profile Setup Any Network Access Filter IP NAF IP Protocol types Allow any Protocol type Cisco Secure ACS

202 8 NAP 9 NAC Allow Selected Protocol types Advanced Filtering 2

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

RADIUS RADIUS RADIUS 9-42 NAC x 9-42 NAC x EAP Configuration 9-62 Cisco Secure ACS 4.2

203 9 NAC 8 NAP NAC x 1 2 Network Access Profiles Policies Authorization NAC x Authentication NAC x Authentication 2 NAC 802.1x 3 ACS a. ACS Internal ACS DB b. LDAP LDAP Server LDAP c. If Agentless request was not assigned a user-group ACS Cisco Secure ACS

204 8 NAP 9 NAC 9-44 NAC x 9-44 NAC x NAC L x 2 NAC 802.1x System Configuration > Global Authentication Setup Enable Posture Validation NAC L x NAC 1 Network Access Profiles Network Access Profiles 2 Add Template Profile Create Profile from Template Create Profile from Template 9-64 Cisco Secure ACS 4.2

205 9 NAC 8 NAP Name Description Template Wireless (NAC L x) Active Submit NAC x Edit Network Access Profile Name NAC x 7 Profile Setup 1 Network Access Profiles 2 3 Profile Setup 9-46 Cisco Secure ACS

206 8 NAP 9 NAC 9-46 NAC L x Profile Setup Any Network Access Filter IP NAF IP Protocol types Allow any Protocol type Allow Selected Protocol types Advanced Filtering 2

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

RADIUS RADIUS RADIUS 9-66 Cisco Secure ACS 4.2

207 9 NAC 8 NAP 9-47 NAC L x 9-47 NAC 802.1x EAP Configuration NAC x 1 2 Network Access Profiles Policies Authorization 9-48 Cisco Secure ACS

208 8 NAP 9 NAC 9-48 NAC L x NAC L x 3 ACS a. ACS Internal ACS DB b. LDAP LDAP Server LDAP c. If Agentless request was not assigned a user-group ACS 9-49 NAC L x 9-49 NAC L x 9-68 Cisco Secure ACS 4.2

209 9 NAC 8 NAP NAC L x NAC L x ACS L3 L x 2 3 L x RADIUS Catalyst 6500 RADIUS RADIUS Service Type 10 NAC-L2-IP service Cisco Attribute Value Pair AVP; AV Advanced Filtering System Configuration > Global Authentication Setup Enable Posture Validation 3 1 Network Access Profiles Network Access Profiles 2 Add Template Profile Create Profile from Template 9-50 Cisco Secure ACS

210 8 NAP 9 NAC 9-50 Create Profile from Template Name Description Template Agentless Host for L3 Active Submit 3 NAC Edit Network Access Profile Name 3 7 Profile Setup 1 2 Network Access Profiles 9-70 Cisco Secure ACS 4.2

211 9 NAC 8 NAP 3 Profile Setup Profile Setup Any Network Access Filter IP NAF IP Protocol types Allow any Protocol type Allow Selected Protocol types Advanced Filtering 2

[026/009/001]Cisco-av-pair = aaa:service=ip admission
[006]Service-Type != 10

RADIUS RADIUS RADIUS Cisco Secure ACS

212 8 NAP 9 NAC Authentication Protocols Agentless Host processing Network Access Profiles Policies Authentication Cisco Secure ACS 4.2

213 9 NAC 8 NAP ACS a. ACS Internal ACS DB b. LDAP LDAP Server LDAP c. If Agentless request was not assigned a user-group ACS Cisco Secure ACS

214 9 9 NAC Network Access Profiles Posture Validation Add Rule Add/Edit Posture Validation Rule Add/Edit Posture Validation Rule 5 Required Credential Types 9-74 Cisco Secure ACS 4.2

215 9 NAC 9 6 Select External Posture Validation Server Failure Action 7 Submit 8 Back 9 Apply + Restart Cisco Secure ACS

216 10 9 NAC Network Access Profiles Protocols Protocols Settings Allow Agentless Request Processing Submit Posture Validation Select Audit Select External Posture Validation Audit Server Select External Posture Validation Audit Server Cisco Secure ACS 4.2

217 9 NAC 10 8 Fail Open Configuration a. Do not reject when Audit failed b. Use this Posture Token when unable to retrieve posture data c. d. Assign a User Group Assign a User Group 9 Submit 10 Done 11 Apply and Restart Cisco Secure ACS

218 11 GAME 9 NAC 11 GAME NAC ACS Generic Authorization Message Exchange GAME; GAME 1 CSUtil P.9-79 CSUtil 2 CSUtil P.9-79 CSUtil 3 NAC P.9-79 NAC 4 LDAP ACS P P P GAME GAME GAME RADIUS P.9-84 GAME 8 P.9-84 GAME 9-78 Cisco Secure ACS 4.2

219 9 NAC 11 GAME CSUtil CSUtil User Guide for Cisco Secure Access Control Server 4.2 C CSUtil Database Utility Adding a Custom RADIUS Vendor and VSA Set CSUtil GAME

[attr#0]
vendor-id=<the vendor identifier number>
vendor-name=<the name of the vendor>
application-id=6
application-name=audit
attribute-id=00012
attribute-name=device-type
attribute-profile=in out
attribute-type=string

DOS CSUtil -addavp <device-type filename> device-type filename 4 ACS a. System Configuration b. Service Control c. Restart NAC NAC 1 2 NAC CSUtil a. DOS Cisco Secure ACS

220 11 GAME 9 NAC b. CSUtil -addavp <NAC AV-pair filename> NAC AV-pair filename 3 ACS a. System Configuration b. Service Control c. Restart LDAP ACS P MAB LDAP 2 Global Authentication PEAP NAP EAP P.9-44 NAC NAC ACS PA 2 ACS ACS 1 ACS bin\csutil ACS 9-80 Cisco Secure ACS 4.2

221 9 NAC 11 GAME 1 \Utils

[attr#0]
vendor-id=[your vendor id]
vendor-name=[the name of your company]
application-id=6
application-name=audit
attribute-id=00003
attribute-name=dummy-attr
attribute-profile=out
attribute-type=unsigned integer

ID [vendor]:6 Internet Assigned Numbers Authority IANA 2 a. DOS b. \<ACS_Install_Dir>\bin\CSUtil -addavp [file_name] ACS_Install_Dir ACS file_name 3 CSAdmin CSLog CSAuth Posture Validation Components Setup External Posture Validation Audit Setup Add Server External Posture Validation Audit Server Setup 9-56 Cisco Secure ACS

222 11 GAME 9 NAC 9-56 External Posture Validation Audit Server Setup 3 a. Name Description b. Which Hosts Are Audited IP MAC c. d. Use These Audit Servers 9-57 External Posture Validation Server Audit Setup Use These Audit Servers 9-82 Cisco Secure ACS 4.2

223 9 NAC 11 GAME 9-57 Use These Audit Servers e. Use These Audit Servers Audit Validation Server Audit Server Vendor URL 9-58 Audit Flow Settings GAME Group Feedback Cisco Secure ACS

224 11 GAME 9 NAC 9-58 Audit Flow Settings GAME Group Feedback f. Audit Flow Setting g. NAC GAME GAME Group Feedback GAME Group Feedback P.9-84 GAME h. Submit GAME GAME 1 External Posture Validation Audit Server Setup GAME Group Feedback Request Device Type from Audit Server ACS ACS for Windows ACS for Windows CSUtil User Guide for Cisco Secure ACS 4.2 C Posture Validation Attributes 9-84 Cisco Secure ACS 4.2

225 9 NAC 11 GAME ACS Solution Engine ACS Solution Engine Web NAC Attributes Management User Guide for Cisco Secure ACS NAC Attribute Management (ACS Solution Engine Only) 2 ACS Assign This Group if Audit Server Did not Return a Device-Type 3 Add GAME Group Feedback 4 User Group Any MAC Match Condition =! = match-all contains starts-with regular-expression Device Type User Group Printer IP Phone Cisco Secure ACS


PX-673F

PX-673F NPD4385-00 ...6... 6...10 Mac OS X...11 Mac OS X v10.5.x v10.6.x...11 Mac OS X v10.4.x...15...18...19...19...21...22...23!ex...23 /...24 P.I.F. PRINT Image Framer...24...25...28...29...29...30...30...33

More information

C H M r F l F F lr CH M FC HM 2.4FH1/XX1 F C H M lr l r -1-2 F C F H H M F OpenSSL License Copyright 1998-2007 The OpenSSL Project. All rights reserved.

More information

GT-X830

GT-X830 NPD5108-00 ...5... 5... 6... 8...11 EPSON Scan...11 PDF...16 OCR...16...17...17...20 /...20...20...22...23...23...24...25...25...26...27 PDF...30...31 / EPSON Scan...34 EPSON Scan...34 EPSON Scan...36

More information

Catalyst 3560-C and 2960-C Getting Started Guide (Japanese)

Catalyst 3560-C and 2960-C Getting Started Guide (Japanese) Catalyst 3560-C/2960-C Express Setup 1 Express Setup Catalyst 3560-C 2960-C Cisco.com Catalyst 3560-C 2960-C Cisco.com Cisco.com Regulatory Compliance and Safety Information for the Catalyst 3560-C and

More information

sato-FBSDW key

sato-FBSDW key 3 FreeBSD (18:30 / FreeBSD Project 2014/12/26 2014/12/26 (c) Hiroki Sato 1 / 45 2014/12/26 (c) Hiroki Sato 2 / 45 2014/12/26 (c) Hiroki Sato 3 / 45 2014/12/26 (c) Hiroki Sato 4 / 45 2

More information

操作ガイド(本体操作編)

操作ガイド(本体操作編) J QT7-0030-V04 1 ...5...10...11...11...11...12...12...15...21...23...25...29...32...38...43...44...50...52...55...55...59...60...61...61...62...63...64...65...66...67...69...69...70...71...72...73...84

More information

Ver.1 Copyright 2008 Copyright 1995-2008 Trend Micro Incorporated. All Rights Reserved. 2008 3 - 1. 2. 3. 4. 11 5. 1 1 ウイルス / スパイウェア対策 Web 不正侵入対策 / ネットワーク管理 1 フィッシング詐欺 / 迷惑メール対策 Web Web 2 セキュリティ対策ツールが利用できるようになるまでの流れ

More information

StationTV Link取扱説明書

StationTV Link取扱説明書 取扱説明書 はじめに 本書について 2 制限事項 2 動作環境 3 ご利用の前の準備 4 基本操作 リスト画面 5 再生画面 6 視聴画面 7 メニューバーでの操作 10 Q&A11 アンインストール 12 お問い合せ先 13 設定 接続する機器を指定する 8 フルスクリーンで表示する 8 字幕を表示する 8 音声を切り換える 9 音声の出力方法を切り換える 9 すべての番組を先頭から再生する 9

More information

M M Flr CHM lr C H F M -2-1 F F F HF F H M M M M H H M M M Fr M M M lr M M M M M M M M M lr M M M M M M M M M M M M M M M M M M M M M M

More information

Cisco 831 ルータ/SOHO 91 ルータ ハードウェア インストレーション ガイド

Cisco 831 ルータ/SOHO 91 ルータ ハードウェア インストレーション ガイド Cisco 831 /SOHO 91 Customer Order Number: DOC-J-7814784= Text Part Number: Information Packet FCC A FCC Part 15 A FCC B FCC Part 15 B A B FCC FCC FCC TCP UNIX UCB University of California, Berkeley UCB

More information

Cisco® ASA シリーズルーター向けDigiCert® 統合ガイド

Cisco® ASA シリーズルーター向けDigiCert® 統合ガイド Cisco ASA DigiCert 2013 7 8 Cisco ASA VPN DigiCert : 2013 7 8 Copyright 2018 DigiCert, Inc. All rights reserved. DigiCert DigiCert DigiCert, Inc. Symantec Norton Symantec Corporation DigiCert, Inc. DigiCert,

More information

GT-X980

GT-X980 NPD5061-00 JA ...6...10...10...11...13...15...20...21...21...22 /...23 PDF...27 PDF...31 /...35...38...43...46 EPSON Scan...49...49...49...50 EPSON Scan...51...51...52...52...53 2 Windows...53 Mac OS X...53...53...53...54...56...56...58...59...60...60...61...62...63

More information

r l F C H M F F FC HM lr CHM 2.4FH1/XX1 F C H M lr l r F F F FH FH C H H H M H H M H H M H H H M Fl M M M M lr M M M lr M M M M M M M M M M M M M M

More information

PSP-1000

PSP-1000 PSP-1000 PSP PSP 3-097-555-01(1) 5 VCCI PSP-1000 2.4GHz2.400GHz 2.497GHz 2.4GHz 1. 2. 2.4GHz DS-SS 40m 2 PSP DNAS Dynamic Network Authentication System DNAS PSP PSP ID http://www.scei.co.jp/psp-eula 3

More information

<Documents Title Here>

<Documents Title Here> Oracle Application Server 10g Release 2 (10.1.2) for Microsoft Windows Business Intelligence Standalone Oracle Application Server 10g Release 2 (10.1.2) for Microsoft Windows Business Intelligence Standalone

More information

目次 1. 珠肌 Photoshop プラグインについて はじめに 必要システム構成 インストールとアクティベーション 珠肌 for Photoshop をインストールする アクティベーションする...

目次 1. 珠肌 Photoshop プラグインについて はじめに 必要システム構成 インストールとアクティベーション 珠肌 for Photoshop をインストールする アクティベーションする... 写真用美肌フィルタープラグイン ユーザーマニュアル Ver.1.0 目次 1. 珠肌 Photoshop プラグインについて... 1 1.1. はじめに... 1 1.2. 必要システム構成... 1 2. インストールとアクティベーション... 2 2.1. 珠肌 for Photoshop をインストールする... 2 2.2. アクティベーションする... 4 2.3. インストールの確認...

More information

PX-B750F

PX-B750F NPD4539-00 ...6... 6... 9 Mac OS X...10 Mac OS X v10.5.x v10.6.x...10 Mac OS X v10.4.11...13...16...16...17...18...20...22!ex...22...23...26...27...27...28...28...30 Web...30...30...34...34...34...35...36...36...38...40...40...44...46...51

More information

珠肌 for Video ユーザーマニュアル

珠肌 for Video ユーザーマニュアル 動画用美肌フィルタープラグイン ユーザーマニュアル Ver.1.0 目次 1. 珠肌 for Video について... 1 1.1. はじめに... 1 1.2. 必要システム構成... 1 2. インストールとアクティベーション... 2 2.1. 珠肌 for Video をインストールする... 2 2.2. アクティベーションする... 4 2.3. インストールの確認... 5 2.4.

More information

1.indd

1.indd Ver.1 Copyright 2008 Copyright 1995-2008 Trend Micro Incorporated. All Rights Reserved. 2008 9 - 1. 3 2. 5 3. 6 4. 11 5. 22 6. 24 28 2 1 ウイルス / スパイウェア対策 Web 不正侵入対策 / ネットワーク管理 1 3 フィッシング詐欺 / 迷惑メール対策 Web

More information

PSP-3000 MHB

PSP-3000 MHB PSP-3000 MHB PSP PSP 4-261-883-01(1) 5 VCCI PSP-3000 2 2.4GHz2.400GHz 2.497GHz 2.4GHz 1. 2. 2.4GHz DS-SS 40m http://www.scei.co.jp/psp-eula/ 3 PSP................4...........................5 x........................12.....................15

More information

管理者と管理ポリシー

管理者と管理ポリシー CHAPTER 11 この章では Cisco Secure Access Control Server リリース 4.2( 以降は ACS と表記 ) の [Administration Control] セクションにある機能についてします この章は 次の項で構成されています 管理者アカウント (P.11-1) ログイン (P.11-5) アカウントの追加 編集 および削除 (P.11-6) ポリシーの設定

More information

設定例集_Rev.8.03, Rev.9.00, Rev.10.01対応

設定例集_Rev.8.03, Rev.9.00, Rev.10.01対応 Network Equipment 設定例集 Rev.8.03, Rev.9.00, Rev.10.01 対応 2 3 4 5 6 7 8 help > help show command > show command console character administrator pp disable disconnect 9 pp enable save Password: login timer

More information

-5 DMP-BV300 μ μ l μ l l +- l l j j j l l l l l l l l l l l l l Ë l l l l l l l l l l l l l l l l l l l l l l l BD DVD CD SD USB 2 ALL 1 2 4 l l DETACH ATTACH RELEASE DETACH ATTACH DETACH ATTACH RELEASE

More information

2

2 1 2 3 4 5 Part I System Requirements 6 1 System Requirements "Planning Large Installations of PRTG Network Monitor 7" 7 PRTG 8 0 9 Part II Installation 10 2 Installation 11 12 13 14 15 16 17 Part III Introduction

More information

RADIUS サーバを使用して NT のパスワード期限切れ機能をサポートするための Cisco VPN 3000 シリーズ コンセントレータの設定

RADIUS サーバを使用して NT のパスワード期限切れ機能をサポートするための Cisco VPN 3000 シリーズ コンセントレータの設定 RADIUS サーバを使用して NT のパスワード期限切れ機能をサポートするための Cisco VPN 3000 シリーズコンセントレータの設定 目次 概要前提条件要件使用するコンポーネントネットワーク図 VPN 3000 コンセントレータの設定グループの設定 RADIUS の設定 Cisco Secure NT RADIUS サーバの設定 VPN 3000 コンセントレータ用のエントリの設定 NT

More information

Zinstall WinWin 日本語ユーザーズガイド

Zinstall WinWin 日本語ユーザーズガイド Zinstall WinWin User Guide Thank you for purchasing Zinstall WinWin. If you have any questions, issues or problems, please contact us: Toll-free phone: (877) 444-1588 International callers: +1-877-444-1588

More information

Information Packet TCP UNIX UCB University of California, Berkeley UCB All rights reserved.copyright 1981, Regents of the University of California. CC

Information Packet TCP UNIX UCB University of California, Berkeley UCB All rights reserved.copyright 1981, Regents of the University of California. CC Cisco Customer Response Applications Text Part Number: Information Packet TCP UNIX UCB University of California, Berkeley UCB All rights reserved.copyright 1981, Regents of the University of California.

More information

PSP-3000

PSP-3000 PSP-3000 PSP PSP 4-115-361-02(1) 5 VCCI PSP-3000 2.4GHz2.400GHz 2.497GHz 2.4GHz 1. 2. 2.4GHz DS-SS 40m 2 PSP DNAS Dynamic Network Authentication System DNAS PSP PSP ID http://www.scei.co.jp/psp-eula/ 3

More information