User Guide for Cisco Secure Access Control System 5.4

Table of Contents

Contents ... 3
Preface ... 23
Introducing ACS 5.4 ... 27
    Overview of ACS ... 27
    ACS Distributed Deployment ... 28
    ACS 4.x and 5.4 Replication ... 28
    ACS Licensing Model ... 29
    ACS Management Interfaces ... 29
    ACS Web-based Interface ... 30
    ACS Command Line Interface ... 30
    ACS Programmatic Interfaces ... 31
    Hardware Models Supported by ACS ... 31
Migrating from ACS 4.x to ACS 5.4 ... 33
    Overview of the Migration Process ... 34
    Migration Requirements ... 34
    Supported Migration Versions ... 34
    Before You Begin ... 35
    Downloading Migration Files ... 35
    Migrating from ACS 4.x to ACS 5.4 ... 35
    Functionality Mapping from ACS 4.x to ACS 5.4 ... 37
    Common Scenarios in Migration ... 39
    Migrating from ACS 4.2 on CSACS 1120 to ACS 5.4 ... 39
    Migrating from ACS 3.x to ACS 5.4 ... 40
    Migrating Data from Other AAA Servers to ACS 5.4 ... 40
ACS 5.x Policy Model ... 43
    Overview of the ACS 5.x Policy Model ... 43
    Policy Terminology ... 45
    Simple Policies ... 46
    Rule-Based Policies ... 46
    Types of Policies ... 47
    Access Services ... 48
    Identity Policy ... 51
    Group Mapping Policy ... 53
    Authorization Policy for Device Administration ... 53
    Processing Rules with Multiple Command Sets ... 53
    Exception Authorization Policy Rules ... 54
    Service Selection Policy ... 54
    Simple Service Selection ... 54
    Rules-Based Service Selection ... 55
    Access Services and Service Selection Scenarios ... 55
    First-Match Rule Tables ... 56
    Policy Conditions ... 58
    Policy Results ... 58
    Authorization Profiles for Network Access ... 58
    Processing Rules with Multiple Authorization Profiles ... 59
    Policies and Identity Attributes ... 59
    Policies and Network Device Groups ... 60
    Example of a Rule-Based Policy ... 60
    Flows for Configuring Services and Policies ... 61
Common Scenarios Using ACS ... 65
    Overview of Device Administration ... 66
    Session Administration ... 67
    Command Authorization ... 68
    TACACS+ Custom Services and Attributes ... 69
    Password-Based Network Access ... 69
    Overview of Password-Based Network Access ... 69
    Password-Based Network Access Configuration Flow ... 71
    Certificate-Based Network Access ... 73
    Overview of Certificate-Based Network Access ... 73
    Using Certificates in ACS ... 74
    Certificate-Based Network Access ... 74
    Authorizing the ACS Web Interface from Your Browser Using a Certificate ... 75
    Validating an LDAP Secure Authentication Connection ... 76
    Agentless Network Access ... 76
    Overview of Agentless Network Access ... 76
    Host Lookup ... 77
    Authentication with Call Check ... 78
    Process Service-Type Call Check ... 79
    PAP/EAP-MD5 Authentication ... 79
    Agentless Network Access Flow ... 80
    Adding a Host to an Internal Identity Store ... 81
    Configuring an LDAP External Identity Store for Host Lookup ... 81
    Configuring an Identity Group for Host Lookup Network Access Requests ... 82
    Creating an Access Service for Host Lookup ... 82
    Configuring an Identity Policy for Host Lookup Requests ... 83
    Configuring an Authorization Policy for Host Lookup Requests ... 84
    VPN Remote Network Access ... 84
    Supported Authentication Protocols ... 85
    Supported Identity Stores ... 85
    Supported VPN Network Access Servers ... 86
    Supported VPN Clients ... 86
    Configuring VPN Remote Access Service ... 86
    ACS and Cisco Security Group Access ... 87
    Adding Devices for Security Group Access ... 88
    Creating Security Groups ... 88
    Creating SGACLs ... 89
    Configuring an NDAC Policy ... 89
    Configuring EAP-FAST Settings for Security Group Access ... 90
    Creating an Access Service for Security Group Access ... 90
    Creating an Endpoint Admission Control Policy ... 91
    Creating an Egress Policy ... 91
    Creating a Default Policy ... 92
    RADIUS and TACACS+ Proxy Requests ... 93
    Supported Protocols ... 94
    Supported RADIUS Attributes ... 95
    TACACS+ Body Encryption ... 95
    Connection to TACACS+ Server ... 95
    Configuring Proxy Service ... 96
Understanding My Workspace ... 97
    Welcome Page ... 97
    Task Guides ... 98
    My Account Page ... 98
    Login Banner ... 99
    Using the Web Interface ... 99
    Accessing the Web Interface ... 100
    Logging In ... 100
    Logging Out ... 101
    Understanding the Web Interface ... 101
    Web Interface Design ... 102
    Navigation Pane ... 103
    Content Area ... 104
    Importing and Exporting ACS Objects through the Web Interface ... 114
    Supported ACS Objects ... 114
    Creating Import Files ... 117
    Downloading the Template from the Web Interface ... 117
    Understanding the CSV Templates ... 118
    Creating the Import File ... 118
    Common Errors ... 121
    Concurrency Conflict Errors ... 121
    Deletion Errors ... 122
    System Failure Errors ... 123
    Accessibility ... 123
    Display and Readability Features ... 123
    Keyboard and Mouse Features ... 124
    Obtaining Additional Accessibility Information ... 124
Post-Installation Configuration Tasks ... 125
    Configuring Minimal System Setup ... 125
    Configuring ACS to Perform System Administration Tasks ... 126
    Configuring ACS to Manage Access Policies ... 128
    Configuring ACS to Monitor and Troubleshoot Problems in the Network ... 128
Managing Network Resources ... 131
    Network Device Groups ... 132
    Creating, Duplicating, and Editing Network Device Groups ... 132
    Deleting Network Device Groups ... 133
    Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy ... 134
    Deleting Network Device Groups from a Hierarchy ... 135
    Network Devices and AAA Clients ... 135
    Viewing and Performing Bulk Operations for Network Devices ... 136
    Exporting Network Devices and AAA Clients ... 137
    Performing Bulk Operations for Network Resources and Users ... 138
    Exporting Network Resources and Users ... 140
    Creating, Duplicating, and Editing Network Devices ... 140
    Configuring Network Device and AAA Clients ... 141
    Displaying Network Device Properties ... 144
    Deleting Network Devices ... 147
    Configuring a Default Network Device ... 147
    Working with External Proxy Servers ... 149
    Creating, Duplicating, and Editing External Proxy Servers ... 149
    Deleting External Proxy Servers ... 151
    Working with OCSP Services ... 151
    Creating, Duplicating, and Editing OCSP Servers ... 152
    Deleting OCSP Servers ... 154
Managing Users and Identity Stores ... 155
    Overview ... 155
    Internal Identity Stores ... 155
    External Identity Stores ... 156
    Identity Stores with Two-Factor Authentication ... 157
    Identity Groups ... 157
    Certificate-Based Authentication ... 157
    Identity Sequences ... 158
    Managing Internal Identity Stores ... 158
    Authentication Information ... 159
    Identity Groups ... 160
    Creating Identity Groups ... 160
    Deleting an Identity Group ... 161
    Managing Identity Attributes ... 161
    Standard Attributes ... 162
    User Attributes ... 162
    Host Attributes ... 163
    Configuring Authentication Settings for Users ... 163
    Creating Internal Users ... 165
    Deleting Users from Internal Identity Stores ... 169
    Viewing and Performing Bulk Operations for Internal Identity Store Users ... 169
    Creating Hosts in Identity Stores ... 170
    Deleting Internal Hosts ... 172
    Viewing and Performing Bulk Operations for Internal Identity Store Hosts ... 172
    Management Hierarchy ... 173
    Attributes of Management Hierarchy ... 173
    Configuring AAA Devices for Management Hierarchy ... 173
    Configuring Users or Hosts for Management Hierarchy ... 174
    Configuring and Using UserIsInManagement Hierarchy Attribute ... 174
    Configuring and Using HostIsInManagement Hierarchy Attributes ... 175
    Managing External Identity Stores ... 176
    LDAP Overview ... 176
    Directory Service ... 177
    Authentication Using LDAP ... 177
    Multiple LDAP Instances ... 177
    Failover ... 178
    LDAP Connection Management ... 178
    Authenticating a User Using a Bind Connection ... 178
    Group Membership Information Retrieval ... 179
    Attributes Retrieval ... 179
    Certificate Retrieval ... 180
    Creating External LDAP Identity Stores ... 180
    Configuring an External LDAP Server Connection ... 181
    Configuring External LDAP Directory Organization ... 183
    Deleting External LDAP Identity Stores ... 187
    Configuring LDAP Groups ... 187
    Viewing LDAP Attributes ... 188
    Leveraging Cisco NAC Profiler as an External MAB Database ... 188
    Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS ... 189
    Configuring NAC Profile LDAP Definition in ACS for Use in Identity Policy ... 191
    Troubleshooting MAB Authentication with Profiler Integration ... 195
    Microsoft AD ... 195
    Machine Authentication ... 197
    Attribute Retrieval for Authorization ... 198
    Group Retrieval for Authorization ... 198
    Certificate Retrieval for EAP-TLS Authentication ... 198
    Concurrent Connection Management ... 198
    User and Machine Account Restrictions ... 198
    Machine Access Restrictions ... 199
    Distributed MAR Cache ... 200
    Dial-In Permissions ... 201
    Callback Options for Dial-In Users ... 202
    Joining ACS to an AD Domain ... 203
    Configuring an AD Identity Store ... 203
    Selecting an AD Group ... 207
    Configuring AD Attributes ... 208
    Configuring Machine Access Restrictions ... 210
    RSA SecurID Server ... 211
    Configuring RSA SecurID Agents ... 212
    Creating and Editing RSA SecurID Token Servers ... 213
    RADIUS Identity Stores ... 217
    Supported Authentication Protocols ... 217
    Failover ... 218
    Password Prompt ... 218
    User Group Mapping ... 218
    Groups and Attributes Mapping ... 218
    RADIUS Identity Store in Identity Sequence ... 219
    Authentication Failure Messages ... 219
    Username Special Format with Safeword Server ... 219
    User Attribute Cache ... 220
    Creating, Duplicating, and Editing RADIUS Identity Servers ... 220
    Configuring CA Certificates ... 225
    Adding a Certificate Authority ... 226
    Editing a Certificate Authority and Configuring Certificate Revocation Lists ... 227
    Deleting a Certificate Authority ... 228
    Exporting a Certificate Authority ... 229
    Configuring Certificate Authentication Profiles ... 229
    Configuring Identity Store Sequences ... 231
    Creating, Duplicating, and Editing Identity Store Sequences ... 232
    Deleting Identity Store Sequences ... 234
Managing Policy Elements ... 237
    Managing Policy Conditions ... 237
    Creating, Duplicating, and Editing a Date and Time Condition ... 239
    Creating, Duplicating, and Editing a Custom Session Condition ... 241
    Deleting a Session Condition ... 242
    Managing Network Conditions ... 242
    Importing Network Conditions ... 244
    Exporting Network Conditions ... 245
    Creating, Duplicating, and Editing End Station Filters ... 245
    Creating, Duplicating, and Editing Device Filters ... 248
    Creating, Duplicating, and Editing Device Port Filters ... 251
    Managing Authorizations and Permissions ... 253
    Creating, Duplicating, and Editing Authorization Profiles for Network Access ... 254
    Specifying Authorization Profiles ... 255
    Specifying Common Attributes in Authorization Profiles ... 255
    Specifying RADIUS Attributes in Authorization Profiles ... 258
    Creating and Editing Security Groups ... 260
    Creating, Duplicating, and Editing a Shell Profile for Device Administration ... 260
    Defining General Shell Profile Properties ... 262
    Defining Common Tasks ... 262
    Defining Custom Attributes ... 265
    Creating, Duplicating, and Editing Command Sets for Device Administration ... 265
    Creating, Duplicating, and Editing Downloadable ACLs ... 268
    Deleting an Authorizations and Permissions Policy Element ... 269
    Configuring Security Group Access Control Lists ... 270
Managing Access Policies ... 271
    Policy Creation Flow ... 271
    Network Definition and Policy Goals ... 272
    Policy Elements in the Policy Creation Flow ... 273
    Access Service Policy Creation ... 274
    Service Selection Policy Creation ... 274
    Customizing a Policy ... 274
    Configuring the Service Selection Policy ... 275
    Configuring a Simple Service Selection Policy ... 276
    Service Selection Policy Page ... 276
    Creating, Duplicating, and Editing Service Selection Rules ... 278
    Displaying Hit Counts ... 280
    Deleting Service Selection Rules ... 280
    Configuring Access Services ... 281
    Editing Default Access Services ... 281
    Creating, Duplicating, and Editing Access Services ... 282
    Configuring General Access Service Properties ... 283
    Configuring Access Service Allowed Protocols ... 286
    Configuring Access Services Templates ... 290
    Deleting an Access Service ... 291
    Configuring Access Service Policies ... 292
    Viewing Identity Policies ... 292
    Viewing Rules-Based Identity Policies ... 294
    Configuring Identity Policy Rule Properties ... 295
    Configuring a Group Mapping Policy ... 297
    Configuring Group Mapping Policy Rule Properties ... 299
    Configuring a Session Authorization Policy for Network Access ... 300
    Configuring Network Access Authorization Rule Properties ... 302
    Configuring Device Administration Authorization Policies ... 303
    Configuring Device Administration Authorization Rule Properties ... 304
    Configuring Device Administration Authorization Exception Policies ... 304
    Configuring Shell/Command Authorization Policies for Device Administration ... 305
    Configuring Authorization Exception Policies ... 306
    Creating Policy Rules ... 308
    Duplicating a Rule ... 309
    Editing Policy Rules ... 309
    Deleting Policy Rules ... 310
    Configuring Compound Conditions ... 311
    Compound Condition Building Blocks ... 311
    Types of Compound Conditions ... 312
    Using the Compound Expression Builder ... 315
    Security Group Access Control Pages ... 316
    Egress Policy Matrix Page ... 316
    Editing a Cell in the Egress Policy Matrix ... 317
    Defining a Default Policy for Egress Policy Page ... 317
    NDAC Policy Page ... 318
    NDAC Policy Properties Page ... 319
    Network Device Access EAP-FAST Settings Page ... 321
    Maximum User Sessions ... 321
    Max Session User Settings ... 322
    Max Session Group Settings ... 322
    Max Session Global Setting ... 323
    Purging User Sessions ... 324
    Maximum User Session in Distributed Environment ... 325
    Maximum User Session in Proxy Scenario ... 326
Monitoring and Reporting in ACS ... 327
    Authentication Records and Details ... 328
    Dashboard Pages ... 328
    Working with Portlets ... 330
    Working with Authentication Lookup Portlet ... 331
    Running Authentication Lookup Report ... 332
    Configuring Tabs in the Dashboard ... 332
    Adding Tabs to the Dashboard ... 332
    Adding Applications to Tabs ... 333
    Renaming Tabs in the Dashboard ... 333
    Changing the Dashboard Layout ... 334
    Deleting Tabs from the Dashboard ... 334
Managing Alarms ... 335
    Understanding Alarms ... 335
    Evaluating Alarm Thresholds ... 336
    Notifying Users of Events ... 337
    Viewing and Editing Alarms in Your Inbox ... 337
    Understanding Alarm Schedules ... 343
    Creating and Editing Alarm Schedules ... 343
    Assigning Alarm Schedules to Thresholds ... 344
    Deleting Alarm Schedules ... 345
    Creating, Editing, and Duplicating Alarm Thresholds ... 345
    Configuring General Threshold Information ... 347
    Configuring Threshold Criteria ... 348
    Passed Authentications ... 348
    Failed Authentications ... 350
    Authentication Inactivity ... 352
    TACACS Command Accounting ... 353
    TACACS Command Authorization ... 354
    ACS Configuration Changes ... 355
    ACS System Diagnostics ... 356
    ACS Process Status ... 357
    ACS System Health ... 358
    ACS AAA Health ... 359
    RADIUS Sessions ... 360
    Unknown NAD ... 361
    External DB Unavailable ... 362
    RBACL Drops ... 363
    NAD-Reported AAA Downtime ... 365
    Configuring Threshold Notifications ... 366
    Deleting Alarm Thresholds ... 367
    Configuring System Alarm Settings ... 368
    Understanding Alarm Syslog Targets ... 369
    Creating and Editing Alarm Syslog Targets ... 369
    Deleting Alarm Syslog Targets ... 370
Managing Reports ... 371
    Working with Favorite Reports ... 373
    Adding Reports to Your Favorites Page ... 373
    Viewing Favorite-Report Parameters ... 374
    Editing Favorite Reports ... 375
    Running Favorite Reports ... 375
    Deleting Reports from Favorites ... 376
    Sharing Reports ... 376
    Working with Catalog Reports ... 377
    Available Reports in the Catalog ... 377
    Running Catalog Reports ... 381
    Deleting Catalog Reports ... 382
    Running Named Reports ... 383
    Understanding the Report_Name Page ... 384
    Enabling RADIUS CoA Options on a Device ... 387
    Changing Authorization and Disconnecting Active RADIUS Sessions ... 388
    Customizing Reports ... 389
    Restoring Reports ... 390
    Viewing Reports ... 390
    About Standard Viewer ... 391
    About Interactive Viewer ... 391
    About the Interactive Viewer Context Menus ... 391
    Navigating Reports ... 392
    Using the Table of Contents ... 393
    Exporting Report Data ... 394
    Printing Reports ... 396
    Saving Report Designs in Interactive Viewer ... 396
    Formatting Reports in Interactive Viewer ... 397
    Editing Labels ... 397
    Formatting Labels ... 398
    Formatting Data ... 398
    Resizing Columns ... 399
    Changing Column Data Alignment ... 399
    Formatting Data in Columns ... 399
    Formatting Data in Aggregate Rows ... 400
    Formatting Data Types ... 400
    Formatting Numeric Data ... 401
    Formatting Fixed or Scientific Numbers or Percentages ... 402
    Formatting Custom Numeric Data ... 403
    Formatting String Data ... 403
    Formatting Custom String Data ... 403
    Formatting Date and Time ... 405
    Formatting Custom Date and Time ... 405
    Formatting Boolean Data ... 406
    Applying Conditional Formats ... 407
    Setting Conditional Formatting for Columns ... 408
    Deleting Conditional Formatting ... 410
    Setting and Removing Page Breaks in Detail Columns ... 410
    Setting and Removing Page Breaks in a Group Column ... 411
    Organizing Report Data ... 411
    Displaying and Organizing Report Data ... 412
    Reordering Columns in Interactive Viewer ... 412
    Removing Columns ... 414
    Hiding or Displaying Report Items ... 414
    Hiding Columns ... 415
    Displaying Hidden Columns ... 415
    Merging Columns ... 415
    Selecting a Column from a Merged Column ... 417
    Sorting Data ... 417
    Sorting a Single Column ... 417
    Sorting Multiple Columns ... 417
    Grouping Data ... 419
    Adding Groups ... 420
    Grouping Data Based on Date or Time ... 420
    Removing an Inner Group ... 421
    Creating Report Calculations ... 422
    Understanding Supported Calculation Functions ... 423
    Understanding Supported Operators ... 431
    Using Numbers and Dates in an Expression ... 431
    Using Multiply Values in Calculated Columns ... 432
    Adding Days to an Existing Date Value ... 432
    Subtracting Date Values in a Calculated Column ... 433
    Working with Aggregate Data ... 433
    Creating an Aggregate Data Row ... 435
    Adding Additional Aggregate Rows ... 436
    Deleting Aggregate Rows ... 437
    Hiding and Filtering Report Data ... 437
    Hiding or Displaying Column Data ... 437
    Displaying Repeated Values ... 438
    Hiding or Displaying Detail Rows in Groups or Sections ... 438
    Working with Filters ... 439
    Types of Filter Conditions ... 440
    Setting Filter Values ... 441
    Creating Filters ... 442
    Modifying or Clearing a Filter ... 443
    Creating a Filter with Multiple Conditions ... 443
    Deleting One Filter Condition in a Filter that Contains Multiple Conditions ... 445
    Filtering Highest or Lowest Values in Columns ... 445
    Understanding Charts ... 446
    Modifying Charts ... 447
    Filtering Chart Data ... 447
    Changing Chart Subtype ... 448
    Changing Chart Formatting ... 448
Troubleshooting ACS with the Monitoring and Report Viewer ... 451
    Available Diagnostic and Troubleshooting Tools ... 451
    Connectivity Tests ... 451
    ACS Support Bundle ... 451
    Expert Troubleshooter ... 452
    Performing Connectivity Tests ... 453
    Downloading ACS Support Bundles for Diagnostic Information ... 454
    Working with Expert Troubleshooter ... 456
    Troubleshooting RADIUS Authentications ... 456
    Executing the Show Command on a Network Device ... 460
    Evaluating the Configuration of a Network Device ... 460
    Comparing SGACL Policy Between a Network Device and ACS ... 462
    Comparing the SXP-IP Mappings Between a Device and its Peers ... 462
    Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records ... 465
    Comparing Device SGT with ACS-Assigned Device SGT ... 466
Managing System Operations and Configuration in the Monitoring and Report Viewer ... 469
    Configuring Data Purging and Incremental Backup ... 471
    Configuring NFS Staging ... 475
    Restoring Data from a Backup ... 475
    Viewing Log Collections ... 476
    Log Collection Details Page ... 478
    Recovering Log Messages ... 480
    Viewing Scheduled Jobs ... 480
    Viewing Process Status ... 482
    Viewing Data Upgrade Status ... 483
    Viewing Failure Reasons ... 483
    Editing Failure Reasons ... 483
    Specifying E-Mail Settings ... 484
    Configuring SNMP Preferences ... 484
    Understanding Collection Filters ... 485
    Creating and Editing Collection Filters ... 485
    Deleting Collection Filters ... 486
    Configuring System Alarm Settings ... 486
    Configuring Alarm Syslog Targets ... 486
    Configuring Remote Database Settings ... 486
    Changing the Port Numbers for Oracle Database ... 488
Managing System Administrators ... 489
    Understanding Administrator Roles and Accounts ... 490
    Understanding Authentication ... 491
    Configuring System Administrators and Accounts ... 491
    Understanding Roles ... 491
    Assigning Roles ... 491
    Assigning Static Roles ... 492
    Assigning Dynamic Roles ... 492
    Permissions ... 492
    Predefined Roles ... 493
    Changing Role Associations ... 494
    Administrator Accounts and Role Association ... 494
    Recovery Administrator Account ... 495
    Creating, Duplicating, Editing, and Deleting Administrator Accounts ... 495
    Viewing Predefined Roles ... 497
    Viewing Role Properties ... 498
    Configuring Authentication Settings for Administrators ... 498
    Configuring Session Idle Timeout ... 500
    Configuring Administrator Access Settings ... 501
    Working with Administrative Access Control ... 502
    Administrator Identity Policy ... 503
    Viewing Rule-Based Identity Policies ... 504
    Configuring Identity Policy Rule Properties ... 506
    Administrator Authorization Policy ... 507
    Configuring Administrator Authorization Policies ... 507
    Configuring Administrator Authorization Rule Properties ... 508
    Administrator Login Process ... 509
    Resetting the Administrator Password ... 510
    Changing the Administrator Password ... 510
    Changing Your Own Administrator Password ... 510
    Resetting Another Administrator's Password ... 511
Configuring System Operations ... 513
    Understanding Distributed Deployment ... 514
    Activating Secondary Servers ... 515
    Removing Secondary Servers ... 516
    Promoting a Secondary Server ... 516
    Understanding Local Mode ... 516
    Understanding Full Replication ... 517
    Specifying a Hardware Replacement ... 517
    Scheduled Backups ... 518
    Creating, Duplicating, and Editing Scheduled Backups ... 518
    Backing Up Primary and Secondary Instances ... 520
    Synchronizing Primary and Secondary Instances After Backup and Restore ... 521
    Editing Instances ... 521
    Viewing and Editing a Primary Instance ... 521
    Viewing and Editing a Secondary Instance ... 525
    Deleting a Secondary Instance ... 525
    Activating a Secondary Instance ... 526
    Registering a Secondary Instance to a Primary Instance ... 526
    Deregistering Secondary Instances from the Distributed System Management Page ... 529
    Deregistering a Secondary Instance from the Deployment Operations Page ... 529
    Promoting a Secondary Instance from the Distributed System Management Page ... 530
    Promoting a Secondary Instance from the Deployment Operations Page ... 531
    Replicating a Secondary Instance from a Primary Instance ... 531
    Replicating a Secondary Instance from the Distributed System Management Page ... 532
    Replicating a Secondary Instance from the Deployment Operations Page ... 532
    Changing the IP Address of a Primary Instance from the Primary Server ... 533
    Failover ... 534
    Using the Deployment Operations Page to Create a Local Mode Instance ... 535
    Creating, Duplicating, Editing, and Deleting Software Repositories ... 536
    Managing Software Repositories from the Web Interface and CLI ... 537
Managing System Administration Configurations ... 539
    Configuring Global System Options ... 539
    Configuring TACACS+ Settings ... 539
    Configuring EAP-TLS Settings ... 540
    Configuring PEAP Settings ... 541
    Configuring EAP-FAST Settings ... 541
    Generating EAP-FAST PAC ... 542
    Configuring RSA SecurID Prompts ... 542
    Managing Dictionaries ... 543
    Viewing RADIUS and TACACS+ Attributes ... 543
    Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes ... 544
    Creating, Duplicating, and Editing RADIUS Vendor-Specific Subattributes ... 545
    Viewing RADIUS Vendor-Specific Subattributes ... 547
    Configuring Identity Dictionaries ... 548
    Creating, Duplicating, and Editing an Internal User Identity Attribute ... 548
    Configuring Internal Identity Attributes ... 549
    Deleting an Internal User Identity Attribute ... 550
    Creating, Duplicating, and Editing an Internal Host Identity Attribute ... 551
    Deleting an Internal Host Identity Attribute ... 551
    Adding Static IP Address to Users in Internal Identity Store ... 552
    Configuring Local Server Certificates ... 552
    Adding Local Server Certificates ... 552
    Importing Server Certificates and Associating Certificates to Protocols ... 553
    Generating Self-Signed Certificates ... 554
    Generating a Certificate Signing Request ... 555
    Binding CA Signed Certificates ... 556
    Editing and Renewing Certificates ... 556
    Deleting Certificates ... 557
    Exporting Certificates ... 558
    Viewing Outstanding Signing Requests ... 558
    Configuring Logs ... 559
    Configuring Remote Log Targets ... 559
    Deleting a Remote Log Target ... 561
    Configuring the Local Log ... 562
    Deleting Local Log Data ... 562
    Configuring Logging Categories ... 562
    Configuring Global Logging Categories ... 563
    Configuring Per-Instance Logging Categories ... 567
    Configuring Per-Instance Security and Log Settings ... 568
    Configuring Per-Instance Remote Syslog Targets ... 569
    Displaying Logging Categories ... 570
    Configuring the Log Collector ... 571
    Viewing the Log Message Catalog ... 571
    Licensing Overview ... 572
    Types of Licenses ... 572
    Installing a License File ... 573
    Viewing the Base License ... 574
    Upgrading the Base Server License ... 575
    Viewing License Feature Options ... 576
    Adding Deployment License Files ... 577
    Deleting Deployment License Files ... 578
    Available Downloads ... 578
    Downloading Migration Utility Files ... 579
    Downloading UCP Web Service Files ... 579
    Downloading Sample Python Scripts ... 579
    Downloading Rest Services ... 580
Understanding Logging ... 581
    About Logging ... 581
    Using Log Targets ... 582
    Logging Categories ... 582
    Global and Per-Instance Logging Categories ... 584
    Log Message Severity Levels ... 584
    Local Store Target ... 585
    Critical Log Target ... 587
    Remote Syslog Server Target ... 588
    Monitoring and Reports Server Target ... 590
    Viewing Log Messages ... 590
    Debug Logs ... 591
    ACS 4.x Versus ACS 5.4 Logging ... 592
AAA Protocols ... 595
    Typical Use Cases ... 595
    Device Administration (TACACS+) ... 595
    Session Access Requests (Device Administration [TACACS+]) ... 596
    Command Authorization Requests ... 596
    Network Access (RADIUS With and Without EAP) ... 596
    RADIUS-Based Flow Without EAP Authentication ... 597
    RADIUS-Based Flows with EAP Authentication ... 597
    Access Protocols: TACACS+ and RADIUS ... 599
    Overview of TACACS+ ... 599
    Overview of RADIUS ... 600
    RADIUS VSAs ... 600
    ACS 5.4 as the AAA Server ... 601
    RADIUS Attribute Support in ACS 5.4 ... 602
    RADIUS Attribute Rewrite Operation ... 603
    RADIUS Access Requests ... 605
Authentication in ACS 5.4 ... 607
    Authentication Considerations ... 607
    Authentication and User Databases ... 607
    PAP ... 608
    RADIUS PAP Authentication ... 609
    EAP ... 609
    EAP-MD5 ... 611
    Overview of EAP-MD5 ... 611
    EAP-MD5 Flow in ACS 5.4 ... 611
    EAP-TLS ... 611
    Overview of EAP-TLS ... 612
    User Certificate Authentication ... 612
    PKI Authentication ... 613
    PKI Credentials ... 614
    PKI Usage ... 614
    Fixed Management Certificates ... 615
    Importing Trust Certificates ... 615
    Acquiring Local Certificates ... 615
    Importing the ACS Server Certificate ... 616
    Initial Self-Signed Certificate Generation ... 616
    Certificate Generation ... 616
    Exporting Credentials ... 617
    Credentials Distribution ... 618
    Hardware Replacement and Certificates ... 618
    Securing the Cryptographic Sensitive Material ... 618
    Private Keys and Passwords Backup ... 619
    EAP-TLS Flow in ACS 5.4 ... 619
    PEAPv0/1 ... 620
    Overview of PEAP ... 621
    Supported PEAP Features ... 621
    PEAP Flow in ACS 5.4 ... 623
    Creating the TLS Tunnel ... 624
    Authenticating with MSCHAPv2 ... 625
    EAP-FAST ... 625
    Overview of EAP-FAST ... 625
    EAP-FAST Benefits ... 627
    EAP-FAST in ACS 5.4 ... 627
    About Master-Keys ... 628
    About PACs ... 628
    Provisioning Modes ... 629
    Types of PACs ... 629
    ACS-Supported Features for PACs ... 631
    Master Key Generation and PAC TTLs ... 633
    EAP-FAST for Allow TLS Renegotiation ... 633
    EAP-FAST Flow in ACS 5.4 ... 633
    EAP-FAST PAC Management ... 634
    Key Distribution Algorithm ... 635
    EAP-FAST PAC-Opaque Packing and Unpacking ... 635
    Revocation Method ... 635
    PAC Migration from ACS 4.x ... 635
    EAP Authentication with RADIUS Key Wrap ... 636
    EAP-MSCHAPv2 ... 636
    Overview of EAP-MSCHAPv2 ... 637
    MSCHAPv2 for User Authentication ... 637
    MSCHAPv2 for Change Password ... 637
    Windows Machine Authentication Against AD ... 637
    EAP-MSCHAPv2 Flow in ACS 5.4 ... 638
    CHAP ... 638
    LEAP ... 638
    Certificate Attributes ... 638
    Certificate Binary Comparison ... 639
    Rules Relating to Textual Attributes ... 639
    Certificate Revocation ... 640
    Machine Authentication ... 641
    Authentication Protocol and Identity Store Compatibility ... 642
Open Source License Acknowledgements ... 645
    Notices ... 645
    OpenSSL/Open SSL Project ... 645
    License Issues ... 645
Glossary ... 649
Index ... 669

Size: 9 MB. Pages: 678. Language: English.