
Table Of Contents

Release Notes for Cisco Secure ACS Solution Engine Version 3.3

New Features

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Upgrading to Cisco Secure ACS version 3.3

Cisco 1111—Recovering Cisco Secure ACS 3.3

Cisco 1112—Recovering Cisco Secure ACS 3.3

Security Patch Process

Limitations and Restrictions

Important Known Problems with Network Admission Control

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Windows Support for Remote Agent

Solaris Support for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known Problems

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.3

Resolved Problems

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Release Notes for Cisco Secure ACS Solution Engine Version 3.3


June 2005

These release notes pertain to Cisco Secure Access Control Server Solution Engine (Cisco Secure ACS) version 3.3.

These release notes provide:

New Features

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

Product Documentation

Related Documentation

Installation Notes

Upgrading to Cisco Secure ACS version 3.3

Cisco 1111—Recovering Cisco Secure ACS 3.3

Cisco 1112—Recovering Cisco Secure ACS 3.3

Security Patch Process

Limitations and Restrictions

Important Known Problems with Network Admission Control

Supported Migration Versions

Supported Web Browsers

Supported Operating Systems for Remote Agent

Supported Platforms for CiscoSecure Authentication Agent

Other Supported Devices and Software

Known Problems

Resolved Problems

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

New Features

Cisco Secure ACS version 3.3 contains the following new features and enhancements:

Network admission control (NAC)—Cisco Secure ACS acts as a policy decision point in NAC deployments. Using policies you configure, it evaluates the credentials sent to it by Cisco Trust Agent, determines the state of the host, and sends the AAA client ACLs that are appropriate to the host state. Evaluation of the host credentials can enforce many specific policies, such as operating system patch level and anti-virus DAT file version. Cisco Secure ACS records the results of policy evaluation for use with your monitoring system. Policies can be evaluated locally by Cisco Secure ACS or can be the result returned from an external policy server that Cisco Secure ACS forwards credentials to. For example, credentials specific to an anti-virus vendor can be forwarded to the vendor anti-virus policy server.

Cisco Security Agent integration (CSA)—Cisco Secure ACS Solution Engine ships with a pre-installed, standalone CSA. This integration in the base appliance image helps protect Cisco Secure ACS Solution Engine from day-zero attacks. The new behavior-based technology available with CSA protects Cisco Secure ACS Solution Engine against the constantly changing threats that viruses and worms pose.

EAP Flexible Authentication via Secured Tunnel (EAP-FAST) support—Cisco Secure ACS supports the EAP-FAST protocol, a new publicly accessible IEEE 802.1X EAP type developed by Cisco Systems that protects authentication in a TLS tunnel but does not require use of certificates, unlike PEAP. Cisco developed EAP-FAST to support customers who cannot enforce a strong password policy and wish to deploy an 802.1X EAP type that does not require digital certificates, supports a variety of user and password database types, supports password expiration and change, and is flexible, easy to deploy, and easy to manage. For example, a customer using Cisco LEAP can migrate to EAP-FAST for protection from dictionary attacks. Cisco Secure ACS supports EAP-FAST supplicants available on Cisco Compatible client devices and Cisco Aironet 802.11a/b/g PCI and CardBus WLAN client adapters.

Machine Access Restrictions (MARs)—Cisco Secure ACS includes MARs as an enhancement of Windows machine authentication. When Windows machine authentication is enabled, you can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate with a Windows external user database. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and which you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.

Network Access Filters (NAFs)—Cisco Secure ACS includes NAF as a new type of Shared Profile Component. NAF provides a flexible way of applying network access restrictions and downloadable ACLs on AAA client names, network device groups, or the IP addresses of AAA clients. NAFs applied by IP addresses can use IP address ranges and wildcards. This feature introduces granular application of network access restrictions and downloadable ACLs, both of which previously only supported the use of the same access restrictions or ACLs to all devices. NAFs allow much more flexible network device restriction policies to be defined, a requirement common in large environments.

Downloadable ACL enhancements—Cisco Secure ACS version 3.3 extends per-user ACL support to any layer three network device that supports this feature. This includes Cisco PIX Firewalls, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that can be applied per user or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with NAFs, downloadable ACLs can be applied differently per AAA client, enabling you to tailor ACLs uniquely per user, per access device.

Replication enhancements—Cisco Secure ACS version 3.3 includes two enhancements to the CiscoSecure Database Replication feature:

Configurable replication timeout—You can specify how long a replication event is permitted to continue before Cisco Secure ACS ends the replication attempt and restarts affected services. This feature improves your ability to configure replication when network connections between replication partners are slow.

Separate replication of user database and group database—You can replicate the user and group databases separately. Replicating changes to user accounts no longer automatically requires replicating groups. Likewise, replicating groups no longer requires replicating users. This increase to replication component granularity can reduce the amount of data sent between Cisco Secure ACSes during a replication event.

Supplemental License Agreement for Cisco Systems Network Management Software Running on the Cisco 11XX Hardware Platform

IMPORTANT: READ CAREFULLY. This Supplemental License Agreement ("SLA") contains additional limitations on the license to the Software provided to Customer under the Software License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence.

By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.

1. ADDITIONAL LICENSE RESTRICTIONS.

Installation and Use. The Cisco Secure Access Control Server Software component of the Cisco 11XX Hardware Platform is pre-installed. CD's containing tools to restore this Software to the 11XX hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control Server Software on the Cisco 11XX Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 11XX Hardware Platform.

Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control Server Software updates and new version releases for the 11XX Hardware Platform. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 11XX Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.

Reproduction and Distribution. Customer may not reproduce nor distribute software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

Please refer to the Cisco Systems, Inc. Software License Agreement.

Product Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Document Title

Available Formats

Release Notes for Cisco Secure ACS Solution Engine

Printed document that was included with the product.

On Cisco.com.

Installation and Setup Guide for Cisco Secure ACS Solution Engine

PDF on the product CD-ROM.

On Cisco.com.

Printed document available by order (part number DOC-7816532).1

User Guide for
Cisco Secure ACS Solution Engine

PDF on the product CD-ROM.

On Cisco.com.

Printed document available by order (part number DOC-7816534=).1

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords

PDF on the product CD-ROM.

On Cisco.com.

Regulatory Compliance and Safety Information for Cisco Secure ACS Solution Engine

Printed document that was included with the product.

PDF on the product CD-ROM.

On Cisco.com.

Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine

On Cisco.com.

Recommended Resources for the Cisco Secure ACS User

On Cisco.com.

Online Documentation

In the Cisco Secure ACS HTML interface, click Online Documentation.


Related Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 2 describes a set of white papers about Cisco Secure ACS for Windows Server; however, much of the information contained in these papers is applicable to Cisco Secure ACS Solution Engine. All white papers are available on Cisco.com. To view them, go to the following URL:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/index.shtml

Document Title

Description and Available Formats

Building a Scalable TACACS+ Device Management Framework

This document discusses the key benefits of and how to deploy Cisco Secure ACS Shell Authorization Command sets, which provide the facilities for constructing a scalable network device management system using familiar and efficient TCP/IP protocols and utilities supported by Cisco devices.

Catalyst Switching and ACS Deployment Guide

This document presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst Switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and capabilities of Cisco Secure ACS.

Deploying Cisco Secure ACS for Windows in a Cisco Aironet Environment

This paper discusses guidelines for wireless network design and deployment with Cisco Secure ACS.

EAP-TLS Deployment Guide for Wireless LAN Networks

This document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks. It introduces the EAP-TLS architecture and then discusses deployment issues.

Guidelines for Placing ACS in the Network

This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.

Initializing MC Authorization on ACS 3.1

This application note explains how to initialize Management Center authorization on Cisco Secure ACS.


Installation Notes

For information about installing Cisco Secure ACS, see Installation and Setup Guide for Cisco Secure ACS Solution Engine, version 3.3.

Upgrading to Cisco Secure ACS version 3.3

This procedure upgrades the Cisco Secure ACS software on a Cisco 1111 device to Cisco Secure ACS Solution Engine 3.3 from any of the following versions:

Cisco Secure ACS Solution Engine 3.2.3

Cisco Secure ACS Solution Engine 3.2.2

Cisco Secure ACS Solution Engine 3.2.1


Note Cisco 1112 devices do not support versions of Cisco Secure ACS before version 3.3; therefore, this section does not apply to Cisco 1112 devices.


Please read this procedure carefully before proceeding. Upgrading from Cisco Secure ACS versions 3.2.1 and 3.2.2 requires significant additional steps that must be taken to preserve Cisco Secure ACS data and configuration.

To upgrade a Cisco 1111 device from Cisco Secure ACS Solution Engine version 3.2 to version 3.3, follow these steps:


Step 1 If the Cisco 1111 is running Cisco Security Agent, you must disable the CSAgent service before proceeding with the upgrade. To disable the CSAgent service, log in to the console and enter stop csagent.

Step 2 Determine what software of the following categories the Cisco 1111 is running:

Cisco Secure ACS

Appliance Management Software

Patches, if any

To do so, log in to the HTML interface, select System Configuration > Appliance Upgrade Status, and view the version information displayed.

Step 3 If the Cisco 1111 you are upgrading is running Cisco Secure ACS version 3.2.1 or version 3.2.2, you must perform the following steps:

a. Back up Cisco Secure ACS data and configuration. To do so, use one of the two following features:

ACS Backup, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Solution Engine.

backup command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

b. Use the Recovery CD from Cisco Secure ACS 3.2.3 to upgrade the appliance to version 3.2.3. This will destroy all data and install a new image. You can download the Recovery CD image for Cisco Secure ACS Solution Engine version 3.2.3 from the following location:

http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des

For more information about reimaging the hard drive, see Installation and Setup Guide for Cisco Secure ACS Solution Engine, version 3.3.

c. Perform initial configuration of the Cisco Secure ACS Appliance. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

d. Restore the appliance data and configuration. To do so, use one of the two following features:

ACS Restore, available in the System Configuration section of the HTML interface. For more information, see User Guide for Cisco Secure ACS Solution Engine.

restore command, available on the serial console. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Step 4 If either of the following conditions is true:

In Step 3 you reimaged the Cisco 1111 with Cisco Secure ACS version 3.2.3.

The Cisco 1111 is not running Appliance Management Software version 3.2.3.12.

you must apply the applInstAppliance_3_2_3_12 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_2_3_12 upgrade is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 5 If either of the following conditions is true:

In Step 3 you reimaged the Cisco 1111 with Cisco Secure ACS version 3.2.3.

The Cisco 1111 does not have the patch named "Microsoft Security Bulletin MS04-11 and MS04-012" applied.

you must apply the appl_ms04-011-012 patch, available on the Cisco Secure ACS version 3.3 upgrade CD. The appl_ms04-011-012 patch is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the patch, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 6 Apply the applInstAppliance_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_3_1_16 upgrade will also be available for downloading on cisco.com.

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 7 Apply the applInstAcs_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAcs_3_3_1_16 upgrade is also available for downloading on cisco.com.


Note This is the only upgrade in this procedure that does not require that the Cisco 1111 reboot itself.


For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 8 If you performed Step 2 or if the Cisco 1111 does not have the Cisco Security Agent upgrade applied, apply the Cisco Security Agent update, available on the Cisco Secure ACS version 3.3 upgrade CD. The Cisco Security Agent update is also available for downloading on cisco.com.

Step 9 Verify that Cisco Security Agent is enabled. To do so, log in to the console and enter show. If the CSAgent service is not running, enter start csagent.

Step 10 To see the results of this upgrade procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page will appear as follows:

Application Versions

Cisco Secure ACS: 3.3.1.16

Appliance Management Software: 3.3.1.16

Appliance Base Image: 3.2.2.1

CSA (Patch: 4_0_1_543)

Microsoft Security Bulletin MS04-11 and MS04-012 (Patch: 1_0_0)



Cisco 1111—Recovering Cisco Secure ACS 3.3

This section provides procedures for the recovery process for a Cisco 1111 that runs Cisco Secure ACS Solution Engine 3.3.


Caution You cannot use the Recovery CD for Cisco Secure ACS Solution Engine 3.3 on a Cisco 1111.

To perform recovery on a Cisco 1111 running Cisco Secure ACS Solution Engine 3.3, follow these steps:


Step 1 Use the Recovery CD from Cisco Secure ACS 3.2.3 to upgrade the appliance to version 3.2.3. This will destroy all data and install a new image. You can download the Recovery CD image for Cisco Secure ACS Solution Engine version 3.2.3 from the following location:

http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des

For more information about reimaging the hard drive, see Installation and Setup Guide for Cisco Secure ACS Solution Engine, version 3.3.

Step 2 Perform initial configuration of the Cisco Secure ACS Appliance. For more information, see Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Step 3 Apply the applInstAppliance_3_2_3_12 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_2_3_12 upgrade is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 4 Apply the appl_ms04-011-012 patch, available on the Cisco Secure ACS version 3.3 upgrade CD. The appl_ms04-011-012 patch is also available as part of the "Microsoft Security Bulletin MS04-011 - Appliance Management Software and Microsoft Hotfix" patch, found at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des

For assistance with applying the patch, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 5 Apply the applInstAppliance_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAppliance_3_3_1_16 upgrade is also available for downloading on cisco.com.

For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 6 Apply the applInstAcs_3_3_1_16 upgrade, available on the Cisco Secure ACS version 3.3 upgrade CD. The applInstAcs_3_3_1_16 upgrade is also available for downloading on cisco.com.


Note This is the only upgrade in this procedure that does not require that the Cisco 1111 reboot itself.


For assistance with applying the upgrade, use the upgrade procedure in User Guide for Cisco Secure ACS Solution Engine.

Step 7 Apply the Cisco Security Agent update, available on the Cisco Secure ACS version 3.3 upgrade CD. The Cisco Security Agent update will also be available for downloading on cisco.com.

Step 8 Verify that Cisco Security Agent is enabled. To do so, log in to the console and enter show. If the CSAgent service is not running, enter start csagent.

Step 9 To see the results of this recovery procedure, view the Appliance Upgrade page. To do so, log in to the HTML interface and select System Configuration > Appliance Upgrade Status.

When you complete this procedure, the Application Versions table on the Appliance Upgrade page will appear as follows:

Application Versions

Cisco Secure ACS: 3.3.1.16

Appliance Management Software: 3.3.1.16

Appliance Base Image: 3.2.2.1

CSA (Patch: 4_0_1_543)

Microsoft Security Bulletin MS04-11 and MS04-012 (Patch: 1_0_0)



Cisco 1112—Recovering Cisco Secure ACS 3.3

The recovery process for a Cisco 1111 that runs Cisco Secure ACS Solution Engine 3.3 is documented in Installation and Configuration Guide for Cisco Secure ACS Solution Engine, version 3.3. The Recovery CD for Cisco Secure ACS Solution Engine, version 3.3, is designed for and tested with Cisco 1112 devices.

Security Patch Process

For information about our process for evaluating and releasing Microsoft security patches for Cisco Secure ACS Solution Engine, see the Cisco Secure ACS Solution Engine Security Patch Process document, available in the Product Literature area for Cisco Secure ACS Solution Engine on cisco.com.

Limitations and Restrictions

The following limitations and restrictions apply to Cisco Secure ACS 3.3.

Important Known Problems with Network Admission Control

The following known problems are related to Network Admission Control. We recommend that you review them.

CSCee88908—CSLog crash if a logged attribute is deleted due to replication

CSCee87826—A deleted policy is being reassign when created with the same name

CSCee87899—Replication of CNAC policies should be updated in the doc

Supported Migration Versions

We support migrating to Cisco Secure ACS Solution Engine version 3.3 from many versions of Cisco Secure ACS for Windows Server; however, migration requires upgrading Cisco Secure ACS for Windows Server to version 3.3.

For detailed steps for performing a migration from Cisco Secure ACS for Windows Server to Cisco Secure ACS Solution Engine, see either of the following two documents:

Installation Guide for Cisco Secure ACS for Windows Server, version 3.3

Installation and Configuration Guide for Cisco Secure ACS Solution Engine, version 3.3

Supported Web Browsers

To administer all features included in the HTML interface of Cisco Secure ACS 3.3, use an English-language version of one of the following tested and supported web browsers:

Microsoft Internet Explorer for Microsoft Windows

Version 6.0

Service Pack 1

Microsoft Java Virtual Machine

Netscape Communicator for Microsoft Windows

Version 7.1

Sun Java Plug-in 1.4.2_04

Netscape Communicator for Solaris 2.8

Version 7.0

Mozilla 5.0

Sun Java Plug-in 1.4.0_01


Note Several known problems are related to using Netscape Communicator with Cisco Secure ACS. For more information, please review Table 3.

We do not recommend using a slow network connection for remote access to the Cisco Secure ACS HTML interface. Some features that use Java applets do not operate optimally, such as the HTML pages for configuring Network Access Restrictions and Network Admission Control.


We do not support other versions of these browsers or other Java virtual machines with these browsers, nor do we test web browsers by other manufacturers.


Note To use a web browser to access the Cisco Secure ACS HTML interface, configure your web browser as follows:

Use an English-language version of a supported browser.

Enable Java.

Enable JavaScript.

Disable HTTP proxy.


Supported Operating Systems for Remote Agent

Cisco Secure ACS 3.3 supports Cisco Secure ACS Remote Agent on Microsoft Windows 2000 and Solaris operating systems, as specified in the following two sections.

Windows Support for Remote Agent

Solaris Support for Remote Agent

Windows Support for Remote Agent

The computer running Cisco Secure ACS Remote Agent for Windows must use an English-language version of one of the following operating systems:

Windows 2000 Server, with Service Pack 4 installed

Windows 2000 Advanced Server, with the following conditions:

with Service Pack 4 installed

without features specific to Windows 2000 Advanced Server enabled

Windows Server 2003, Enterprise Edition

Windows Server 2003, Standard Edition


Note The following restrictions apply to support for Microsoft Windows operating systems:

We have not tested and cannot support the multi-processor feature of any supported operating system.

We cannot support Microsoft clustering service on any supported operating system.

Windows 2000 Datacenter Server is not a supported operating system.


Tested Windows Security Patches


Note For information about remote agent support for Microsoft patches issued after the release of Cisco Secure ACS Solution Engine version 3.3, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine, version 3.3.


We tested Cisco Secure ACS Remote Agent for Windows with the Windows Server 2003 patches documented in the following Microsoft Knowledge Base Articles:

819696

823182

823559

824105

824141

824146

825119

828028

828035

828741

832894

835732

837001

837009

839643

840374

We tested Cisco Secure ACS Remote Agent for Windows with the Windows 2000 Server patches documented in the following Microsoft Knowledge Base Articles:

329115

823182

823559

823980

824105

824141

824146

825119

826232

828035

828741

828749

835732

837001

839643

Solaris Support for Remote Agent

The computer running Cisco Secure ACS Remote Agent for Solaris must use Solaris 2.8 or 2.9.

Supported Platforms for CiscoSecure Authentication Agent

For use with Cisco Secure ACS 3.3, we tested CiscoSecure Authentication Agent on Windows XP with Service Pack 1. We support the use of CiscoSecure Authentication Agent with Cisco Secure ACS 3.3 when CiscoSecure Authentication Agent runs on one of the following client platform operating systems:

Windows XP

Windows 2000 Professional

Windows 98

Windows 95

Windows NT 4.0

Other Supported Devices and Software

For information about supported Cisco devices, external user databases, and other software, see Supported and Interoperable Devices and Software Tables for Cisco Secure ACS Solution Engine Version 3.3. To see this document, go to the following URL: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/device/table/app33sdt.html.

Known Problems

This section contains information about the following topics:

Cisco AAA Client Problems

Known Problems in Cisco Secure ACS Version 3.3

Cisco AAA Client Problems

Refer to the appropriate release notes for information about Cisco AAA client problems that might affect the operation of Cisco Secure ACS. You can access these release notes online at the following URLs.

Cisco Aironet Access Point

http://www.cisco.com/univercd/cc/td/doc/product/wireless/

Cisco BBSM

http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/

Cisco Catalyst Switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/

Cisco IOS

http://www.cisco.com/univercd/cc/td/doc/product/software/

Cisco Secure PIX Firewall

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Cisco VPN 3000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/

Cisco VPN 5000 Concentrator

http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/

Known Problems in Cisco Secure ACS Version 3.3

Table 3 describes problems known to exist in this release.


Note A "—" in the Explanation column indicates that no information was available at the time of publication. You should check the Cisco Software Bug Toolkit for current information. To access the Cisco Software Bug Toolkit, go to http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)

Bug summaries and explanations in Table 3 are printed word-for-word as they appear in our bug tracking system.

Bug ID

Summary

Explanation

CSCef61117

ACS on 2003 huge performance impact when writing to registry

Cisco Secure ACS 3.2.3 or 3.3 running on Windows 2003 Standard and Enterprise edition may cause huge delay when writing to the registry.

Therefore when more than six operations write to the Microsoft registry, a failure may occur. Refer to the field notices on Cisco.com for more details.

CSCdv35872

Insufficient length for NDS context entry

When a Novell NDS database configuration in Cisco Secure ACS has a context list greater than 4095 characters long, editing the NDS configuration page results in incorrect HTML in the browser interface.

Workaround/Solution: Use a context list no longer than 4096 characters.

CSCdv86708

HTTP Port Allocation is not replicated

Changes to HTTP Port Allocation settings do not appear to replicate. After the HTTP Port Allocation settings are changed on the Access Policy Setup page in the Administration Control section on the primary Cisco Secure ACS server and replication succeeds, the secondary Cisco Secure ACS server does not display the changes to the HTTP Port Allocation settings in the HTML interface.

Workaround/Solution: The changes to the HTTP Port Allocation settings do replicate successfully; however, to see the changes on the secondary Cisco Secure ACS, restart the CSAdmin service.

CSCdz61464

Solaris Netscape 7.0 - Minor Features Failure

When the administrative browser is Netscape 7.0 on Solaris 8.0, some menus in the HTML interface for Cisco Secure ACS do not work properly.

Workaround/Solution: Use a supported Windows browser.

CSCea25090

Logged In User not showing after going into enable mode on router

With AAA Accounting for exec sessions configured on a NAS, a user shows up in the Logged-In User report on Cisco Secure ACS. With Accounting also configured for going into enable mode, the user no longer appears in the Logged-In User report after authenticating successfully.

Cisco Secure ACS tracks user sessions by IP address and port number. When enable authentication succeeds, Cisco Secure ACS sees that the IP address and port number combination for the existing session have been reused and assumes that the accounting stop packet was not sent or was lost; therefore, the user session is removed from the Logged-In User report even though the session continues in enable mode.

Because the NAS cannot be configured to send new accounting start packets when the enable mode is entered, the Logged-In User report cannot correctly report the user session as ongoing.

Workaround: None.

CSCea55457

Radius Attributes do not appear in user/group profile page

After you enable RADIUS attributes in the Interface Configuration section of the Cisco Secure ACS HTML interface, they do not appear or appear only partially in Group Setup or User Setup, as applicable.

Workaround/Solution: Restart the CSAdmin service.

CSCea62226

CSAgent (solaris) - appliance present the RA as running while is not

The HTML interface of a Cisco Secure ACS Appliance indicates that the logging service of a Solaris remote agent is available even though it is not. For Solaris remote agents, the service status displayed for the remote agent in Network Configuration is not reliable.

Workaround/Solution: Log into the computer running the Solaris remote agent to determine if the CSLogAgent process is running.

CSCea74289

cascade replication due to user pass change-dont work

Cascading replication does not occur when the replication trigger is user password change and the primary Cisco Secure ACS is configured to perform replication manually.

Workaround/Solution: Use scheduled replication on the primary Cisco Secure ACS.

CSCea87748

Downloadable ACLs deleted and downsized after backup via CLI

If your Cisco Secure ACS Appliance has downloadable ACLs defined that have more than approximately 31 kilobytes of text in them and you use the system console to backup and restore the database, the downloadable ACLs are truncated to approximately 31 kilobytes or are deleted entirely.

Workaround/Solution: Do not create downloadable ACLs that contain more than 30 kilobytes of data; or, if this is unavoidable, keep text file records of the ACLs so that, if a restoration performed from the system console is necessary, you can recreate the downloadable ACLs.

CSCeb16968

ACS shared profile components disappear with XML error messages

After you upgrade Cisco Secure ACS, authorization support for Management Center (MC) applications, such as Management Center for Firewalls, fails. In the Shared Profile Components section of the Cisco Secure ACS HTML interface, each MC that has registered with Cisco Secure ACS has a set of pages for configuring authorization components. If you access a page for editing or adding authorization components, you see an error message about a missing XML file.

Workaround/Solution: You must use CiscoWorks to re-register all MCs with Cisco Secure ACS.

Log into the CiscoWorks desktop with admin privileges.

Go to Server Configuration > Setup > Security > Select Login Module. Configure CiscoWorks to use the CiscoWorks Local module, and then configure CiscoWorks to use the TACACS+ module.

Go to VPN Security Management Solution > Administration > Common Services > Configuration > AAA Servers. Unregister all MCs and then re-register all MCs.

Log out of CiscoWorks.

CSCeb21037

Windows Remote Agent un-install issue

Uninstalling Cisco Secure Remote Agent for Windows does not remove some subdirectories, such as those that contain log files.

Workaround/Solution: Manually delete the directories left by the uninstallation process.

CSCeb51393

multi-admin needs to be able to add/edit/delete downloadable ACLs

When multiple administrators try to add, edit, or delete downloadable ACLs under Shared Profile Components, the other administrators' ACS sessions lock up after the first administrator submits any change.

Workaround: There is no workaround. Administrators must inform each other when they are working on the downloadable ACLs.

CSCeb62898

Group mapping ordering applet is not properly ordered

In a newly created Windows group mapping configuration, group mappings list in the wrong order.

Workaround: On the page for ordering group mappings, order the group mappings and click Submit. As additional mappings are added, they appear properly at the end of the list of mappings.

CSCec61110

authentications on secondary acs may fail after replication

Symptom: In an environment where primary and secondary Cisco Secure ACS servers are kept in sync using the replication feature, user authentication may fail for users defined in an external database, and the Failed Attempts log will contain an "external DB not configured" error.

Conditions: This happens with certain external database types such as LDAP, NDS, and the various token server types. It does not happen with the Windows external database. If external databases are configured in a different order on the primary and secondary Cisco Secure ACS servers, authentication fails on the secondary server for users defined in the databases whose order differs. If external databases are configured in the same order on the primary and secondary servers, the problem does not occur. For example, if you configure two instances of LDAP external user databases on the primary and secondary servers but in different orders, then after users are replicated, LDAP authentication attempts fail on the secondary server.

Workaround: For each database type involved in the problem, delete the external databases on all secondary servers and reconfigure them in the same order that they are defined on the primary server. If this fails, delete the affected external databases on the primary and secondary servers and reconfigure them.

CSCec64143

Uninstalling Win Remote Agent when un-install terminates unexpected

When the Windows Remote Agent uninstallation process terminates unexpectedly and cannot be completed, registry keys for the remote agent remain. Further attempts to install the remote agent fail because of these registry keys.

Workaround: Use regedit to delete all Cisco Remote Agent entries. In the registry, search for "csagent" and "acs agent". Delete all matching entries. If they cannot be deleted, ignore them.

CSCec89440

Unable to edit some of the disabled accounts

The Disabled Accounts report in the Reports and Activity section of the Cisco Secure ACS HTML interface can behave oddly when you access it using an administrator account that doesn't have access to all groups.

Table Of Contents

Overview

Introduction to ACS

Network Admission Control (NAC)

Identity-Based Networking Services (IBNS)

ACS Features, Functions and Concepts

ACS as the AAA Server

AAA Protocols—TACACS+ and RADIUS

TACACS+

RADIUS

Platforms

Additional Features in This Release

Authentication

Authentication Considerations

Authentication and User Databases

Authentication Protocol-Database Compatibility

Passwords

EAP Support

Other Authentication-Related Features

Authorization

Max Sessions

Dynamic Usage Quotas

Shared Profile Components

Support for Cisco Device-Management Applications

Other Authorization-Related Features

Accounting

Other Accounting-Related Features

Managing and Administrating ACS

Web Interface Security

Cisco Security Agent Integration (ACS Solution Engine Only)

Cisco Security Agent Service Management

Cisco Security Agent Logging

Cisco Security Agent Restrictions

Cisco Security Agent Policies

HTTP Port Allocation for Administrative Sessions

Web Interface Layout

Uniform Resource Locator for the Web Interface

Online Help and Online Documentation

Using Online Help

Using the Online User Guide

ACS Specifications

System Performance Specifications

ACS Windows Services

Online Documentation Reference

Related Documentation

TACACS+ Documents

Network Admission Control (NAC) documentation

Requests for Comments (RFCs)

Technology White Papers

Question and Answer Pages

Tutorials

Software Download


Overview


This chapter contains an overview of the Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS.

The following topics are presented:

Introduction to ACS

ACS Features, Functions and Concepts

Managing and Administrating ACS

ACS Specifications

Online Documentation Reference

Related Documentation

Introduction to ACS

ACS is a scalable, high-performance Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) security server. As the centralized control point for managing enterprise network users, network administrators, and network infrastructure resources, ACS provides a comprehensive identity-based network-access control solution for Cisco intelligent information networks.

ACS extends network-access security by combining traditional authentication, authorization, and accounting (AAA - pronounced "triple A") with policy control. ACS enforces a uniform network-access security policy for network administrators and other network users.

ACS supports a broad variety of Cisco and other network-access devices (NADs), also known as AAA clients, including:

Wired and wireless LAN switches and access points

Edge and core routers

Dialup and broadband terminators

Content and storage devices

Voice over IP (VoIP)

Firewalls

Virtual private networks (VPNs)

Figure 1-1 illustrates the role of ACS as a traditional network access control/AAA server.

Figure 1-1 A Simple AAA Scenario

Network Admission Control (NAC)

ACS is a critical component of the Cisco Network Admission Control (NAC) framework. Cisco NAC is a Cisco Systems-sponsored industry initiative that uses the network infrastructure to enforce security-policy compliance on all machines seeking to access network computing resources, thereby limiting damage from viruses and worms. With NAC, network access to compliant and trusted PCs can be permitted, while the access of noncompliant devices can be restricted. See Figure 1-2.

Figure 1-2 ACS Extended to NAC

Identity-Based Networking Services (IBNS)

ACS is also an important component of the Cisco Identity-Based Networking Services (IBNS) architecture. Cisco IBNS is based on Extensible Authentication Protocol (EAP) and on port-security standards such as IEEE 802.1x (a standard for port-based network-access control) to extend security authentication, authorization, and accounting from the perimeter of the network to every connection point inside the LAN. New policy controls such as per-user quotas, virtual LAN (VLAN) assignments, and access-control lists (ACLs) can be deployed, due to the extended capabilities of Cisco switches and wireless access points to query ACS over the RADIUS protocol.

ACS Features, Functions and Concepts

ACS incorporates many technologies to render AAA services to network-access devices, and provides a central access-control function.

This section contains the following topics:

ACS as the AAA Server

AAA Protocols—TACACS+ and RADIUS

Additional Features in This Release

Authentication

Authorization

Accounting

ACS as the AAA Server

ACS functions as an AAA server for one or more NADs. The NADs are AAA clients of the ACS server. You must configure each client NAD to direct end-user host access requests to the ACS by using the TACACS+ or RADIUS protocols.

TACACS+ is traditionally used to provide authorization for network administrative operations on the network infrastructure itself; RADIUS is universally used to secure the access of end-users to network resources.

Basically, the NAD serves as the network gatekeeper, and sends an access request to ACS on behalf of the user. ACS verifies the username, password and possibly other data by using its internal database or one of the configured external identity directories. ACS ultimately responds to the NAD with an access denied or an access-accept message with a set of authorization attributes. When ACS is used in the context of the NAC architecture, additional machine data, known as posture, is validated as well, before the user is granted access to the network.

AAA Protocols—TACACS+ and RADIUS

ACS can use the TACACS+ and RADIUS AAA protocols.

Table 1-1 compares the two protocols.

Transmission Protocol

TACACS+: TCP, a connection-oriented transport-layer protocol with reliable full-duplex data transmission.

RADIUS: UDP, a connectionless transport-layer protocol; datagram exchange without acknowledgments or guaranteed delivery.

Ports Used

TACACS+: 49

RADIUS: Authentication and authorization: 1645 and 1812. Accounting: 1646 and 1813.

Encryption

TACACS+: Obfuscates the whole packet body (everything after the 12-byte header) by XORing it with an MD5-derived keystream built from the shared key and header fields; the header itself is sent in clear text.

RADIUS: Hides only the User-Password attribute, XORing it in 16-byte blocks with a keystream derived from MD5 over the shared secret and the Request Authenticator; all other attributes, including User-Name, are sent in clear text. Neither scheme is modern encryption, and both are only as strong as the shared secret.

AAA Architecture

TACACS+: Separate control of each service: authentication, authorization, and accounting.

RADIUS: Authentication and authorization combined as one service.

Intended Purpose

TACACS+: Device management

RADIUS: User access control
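The encryption row of Table 1-1 is the one most worth understanding precisely, because neither protocol uses what a modern reader would call encryption. The following is an added example written for this page from the specifications, not code from the ACS product or its documentation: it implements the RFC 2865 section 5.2 User-Password hiding and the TACACS+ body obfuscation from draft 1.78 (later RFC 8907 section 4.5). Every shared secret, Request Authenticator, session ID and packet body in it is a constructed sample. It also shows the consequence a practitioner cares about: from one captured Access-Request, a weak RADIUS shared secret can be recovered offline by testing which candidate reveals a plausibly padded password.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and TACACS+ body
obfuscation (draft 1.78, later RFC 8907 section 4.5), implemented from the
specifications as an added example. Every secret, authenticator, session ID
and packet body below is a constructed sample."""
import hashlib
import struct
from typing import Iterable, Optional


def _radius_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """Shared core: output block i is input block i XOR MD5(secret + chain),
    where chain is the Request Authenticator for the first block and the
    previous *hidden* block for every block after it."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, keystream))
        out += result
        prev = result if hiding else block
    return bytes(out)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as the NAS does: zero-pad to a multiple of 16
    bytes, then apply the MD5 keystream. Only this attribute is protected;
    User-Name and everything else in the request stay in clear text."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _radius_xor(padded, secret, authenticator, hiding=True)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the server does (or as anyone holding the
    shared secret and a capture can). Trailing zero padding is stripped,
    so a password that itself ends in NUL bytes is not representable."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    return _radius_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def radius_guess_secret(hidden: bytes, authenticator: bytes,
                        candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack on one captured Access-Request: a candidate shared
    secret is accepted when it reveals a non-empty printable-ASCII password
    followed only by zero padding. Nothing else in the packet is needed,
    which is why the shared secret must be long and random."""
    for secret in candidates:
        clear = radius_reveal_password(hidden, secret, authenticator)
        if clear and all(0x20 <= b < 0x7F for b in clear):
            return secret
    return None


def tacacs_keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id || key || version || seq_no) and
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1); the pads
    are concatenated and truncated to the body length. Every input except
    the key is read from the 12-byte clear-text header."""
    seed = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the packet body with the keystream; applying it twice restores
    the body. Version 0xC0 is major version 12, minor version 0."""
    stream = tacacs_keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, stream))


def demo() -> dict:
    """Round-trip both schemes on constructed values and run the offline
    secret-guessing attack against the RADIUS capture."""
    secret = b"radius-shared-secret"             # constructed sample
    authenticator = bytes(range(16))             # constructed; real ones are random per request
    hidden = radius_hide_password(b"P@ssw0rd!", secret, authenticator)
    guessed = radius_guess_secret(hidden, authenticator,
                                  [b"cisco", b"testing123", secret, b"radius"])
    # Constructed TACACS+ authentication START body: action LOGIN, priv_lvl 1,
    # authen_type ASCII, service LOGIN, the user/port/rem_addr/data lengths,
    # then the strings themselves.
    body = bytes([0x01, 0x01, 0x01, 0x01, 5, 4, 8, 0]) + b"alice" + b"tty0" + b"10.0.0.5"
    tac_key, session_id = b"tacacs-key", 0x1A2B3C4D
    cipher = tacacs_obfuscate(body, session_id, tac_key)
    return {
        "hidden_len": len(hidden),
        "recovered": radius_reveal_password(hidden, secret, authenticator),
        "guessed_secret": guessed,
        "tacacs_changed": cipher != body,
        "tacacs_roundtrip": tacacs_obfuscate(cipher, session_id, tac_key) == body,
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson is the same for both protocols: an attacker who can sniff the AAA client to ACS path and who knows or can guess the shared secret reads every password, and RADIUS additionally exposes user names and all other attributes in the clear. Treat the shared secret as a high-value credential, make it long and random, and carry both protocols inside IPsec or an otherwise trusted management network.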


TACACS+

ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.78 (the protocol was later published as RFC 8907). For more information, refer to the Cisco IOS software documentation at http://www.cisco.com.

RADIUS

ACS conforms to the RADIUS protocol as defined in the draft of April 1997 and in the following Requests for Comments (RFCs):

RFC 2138, Remote Authentication Dial In User Service (RADIUS)

RFC 2139, RADIUS Accounting

RFC 2284, PPP Extensible Authentication Protocol (EAP)

RFC 2865, Remote Authentication Dial In User Service (RADIUS), which obsoletes RFC 2138

RFC 2866, RADIUS Accounting, which obsoletes RFC 2139

RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

RFC 2868, RADIUS Attributes for Tunnel Protocol Support

RFC 2869, RADIUS Extensions

The ports used for authentication and accounting have changed in RADIUS RFC documents. To support the older and newer RFCs, ACS accepts authentication requests on port 1645 and port 1812. For accounting, ACS accepts accounting packets on port 1646 and 1813.

In addition to support for standard Internet Engineering Task Force (IETF) RADIUS attributes, ACS includes support for RADIUS vendor-specific attributes (VSAs). We have predefined the following RADIUS VSAs in ACS:

Cisco Building Broadband Service Manager (BBSM)

Cisco IOS/PIX 6.0

Cisco VPN 3000/ASA/PIX 7.x+

Cisco VPN 5000

Cisco Airespace

Ascend

Juniper

Microsoft

Nortel

ACS also supports up to 10 RADIUS VSAs that you define. After you define a new RADIUS VSA, you can use it as you would one of the RADIUS VSAs that come predefined in ACS. In the Network Configuration section of the ACS web interface, you can configure AAA clients to use a user-defined RADIUS VSA as the AAA protocol. In Interface Configuration, you can enable user-level and group-level attributes for user-defined RADIUS VSAs. In User Setup and Group Setup, you can configure the values for enabled attributes of a user-defined RADIUS VSA.

For more information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 8-19.
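A user-defined VSA is nothing more than a Vendor-Specific attribute (type 26) whose vendor ID and sub-attribute numbering you declare, so it helps to see the wire format once. The following is an added example written for this page, not code from ACS or its documentation; it encodes and decodes that attribute as laid out in RFC 2865 section 5.26. Cisco's registered vendor ID 9 and its cisco-avpair sub-attribute (vendor type 1) are real; vendor ID 12345 stands in for whatever your organization registered, and every attribute value is a constructed sample. The decoder checks each length field before trusting it, which is where parsers of attacker-reachable RADIUS traffic usually go wrong.

```python
"""Encode and decode RADIUS Vendor-Specific attributes (RFC 2865 section
5.26). Added example, not ACS code. Cisco's vendor ID 9 and its cisco-avpair
sub-attribute (vendor type 1) are real; vendor ID 12345 stands in for a
user-defined vendor and every attribute value is a constructed sample."""
import struct
from typing import List, Optional, Tuple

USER_NAME = 1
VENDOR_SPECIFIC = 26
CISCO = 9
CISCO_AVPAIR = 1

# (attribute type, vendor id, vendor type, value); the two vendor fields are
# None for standard attributes.
Attr = Tuple[int, Optional[int], Optional[int], bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Standard TLV: Type (1 octet), Length (1 octet, counting the 2 header
    octets too), Value. The one-octet Length caps the value at 253 bytes."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type is a single octet")
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Type 26, Length, Vendor-Id (4 octets, high
    octet zero), then one sub-attribute laid out as Vendor-Type (1),
    Vendor-Length (1, including its own 2 header octets), value."""
    if not 0 <= vendor_id < (1 << 24):
        raise ValueError("Vendor-Id must fit in 24 bits")
    if len(value) > 247:   # 255 - 2 (outer header) - 4 (vendor id) - 2 (sub header)
        raise ValueError("vendor value must be at most 247 bytes")
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def _decode_subattrs(payload: bytes) -> Optional[List[Tuple[int, bytes]]]:
    """Parse the vendor String field as sub-TLVs; None if it is not shaped
    that way (RFC 2865 only recommends the sub-attribute layout)."""
    subs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            return None
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):
            return None
        subs.append((vtype, payload[pos + 2:pos + vlen]))
        pos += vlen
    return subs


def decode_attrs(data: bytes) -> List[Attr]:
    """Walk an attribute list. Every Length field is checked against the
    data actually present before it is used, so a crafted packet cannot
    make the parser read past the buffer or spin on a zero length."""
    out: List[Attr] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type != VENDOR_SPECIFIC:
            out.append((attr_type, None, None, value))
            continue
        if len(value) < 5:   # RFC 2865 requires Length >= 7 for type 26
            raise ValueError("Vendor-Specific attribute too short")
        vendor_id = struct.unpack("!I", value[:4])[0]
        subs = _decode_subattrs(value[4:])
        if subs is None:
            out.append((VENDOR_SPECIFIC, vendor_id, None, value[4:]))
        else:
            out.extend((VENDOR_SPECIFIC, vendor_id, vtype, vval) for vtype, vval in subs)
    return out


def cisco_avpairs(attrs: List[Attr]) -> List[str]:
    """Pull out cisco-avpair strings such as shell:priv-lvl=15."""
    return [value.decode("ascii", "replace") for atype, vid, vtype, value in attrs
            if atype == VENDOR_SPECIFIC and vid == CISCO and vtype == CISCO_AVPAIR]


def sample_accept_attrs() -> bytes:
    """Constructed Access-Accept attribute list: a User-Name, two Cisco AV
    pairs and one sub-attribute of the made-up vendor 12345, type 7."""
    return (encode_attr(USER_NAME, b"alice")
            + encode_vsa(CISCO, CISCO_AVPAIR, b"shell:priv-lvl=15")
            + encode_vsa(CISCO, CISCO_AVPAIR, b"ip:inacl#1=permit ip any any")
            + encode_vsa(12345, 7, b"gold"))


if __name__ == "__main__":
    for attr in decode_attrs(sample_accept_attrs()):
        print(attr)
```

When you define a custom vendor in ACS, the numbers you enter are exactly the Vendor-Id and Vendor-Type fields shown here; a NAD that receives a VSA for a vendor it does not recognize is required to ignore it, so a typo in the vendor ID fails silently rather than loudly.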

Platforms

ACS is available on two platforms, ACS for Windows and ACS for the Solution Engine. ACS for Windows is a software platform. The Solution Engine is a hardware and software platform that requires a network appliance.

The platforms are nearly identical. Only ACS for Windows supports Open Database Connectivity (ODBC) databases and the CSUtil.exe database utility. Features that exist only for the Solution Engine, because Windows does not need them, are the Remote Agent, Simple Network Management Protocol (SNMP), File Transfer Protocol (FTP) server support, a serial console, and support for the Cisco Security Agent.

This guide identifies information exclusively belonging to one platform as "ACS for Windows only" or "ACS Solution Engine only." All other text belongs to both platforms.

Additional Features in This Release

This release of ACS provides the following features that protect networked business systems:

Improved Compliance Support—This release contains new ACS administrator permissions to improve password management and audit reports for regulatory compliance (for example, Sarbanes-Oxley (SOX)). ACS includes the following capabilities for:

Authentication:

Forcing periodic change of administrator's password

Applying password structure policy

Forcing administrator's password change for inactive account

Preventing the reuse of password (password history)

Disabling administrator accounts for inactivity

Disabling administrator accounts after failed logins

Allowing ACS administrators to change own passwords

Audit and Reporting:

Logging all administrative actions via Syslog, in addition to existing logging targets.

Controlling administrators' access to log file configuration in order to prevent the disablement of specific audit logging.

Adding new reports for administrators privileges

Authorization: Providing a read-only privilege for users and groups.

External database support for MAC Authentication Bypass—The ability to maintain MAC address lists in an external LDAP server; and map MAC addresses to user groups has been added to this release.

Improved diagnostics and error messages—Diagnostic information about certificate mismatches with HCAP and GAME servers has been improved in this release. The raw dump of GAME and HCAP messages is in a readable format, and the authentication failure codes are now more intuitive.

PEAP/EAP-TLS Support — The authenticator side of PEAP/EAP-TLS as a protocol enhancement is included in this release. This permits ACS to authenticate clients with PEAP by using EAP-TLS as the phase two inner method, and enables certificate based authentication to occur within a secure tunnel, encrypting identity information. Since EAP-TLS normally relies on client-side certificates for authentication, the PEAP tunnel will protect the client's certificate content.

Logging and Reporting Extensions—New internal mechanisms for logging have been added to this release, to create consistent log levels and improved performance. Syslog is supported and the capability to log ACS messages to remote servers that support Syslog standard is available.

Multiple concurrent logging destinations— Log data may be sent to multiple destinations simultaneously.

Enhanced remote agent support for logging—Reports that earlier versions provided only locally can now be exposed externally, for example by sending audit reports from the appliance to a remote agent.

RADIUS AES Key Wrap Functionality—This feature supports a secure, certified mode of operation, notably in a Federal Information Processing Standard (FIPS)-compliant wireless solution. RADIUS Key Wrap support with EAP-TLS authentication in ACS is another step toward satisfying the security requirements of Cisco's practical, deployable, and interoperable secure solutions. AES key wrap replaces the MD5-based mechanisms that RADIUS otherwise uses to protect keys transported in RADIUS attributes.

Cisco NAC support—ACS 4.1 acts as a policy decision point in NAC deployments. By using configurable policies, it evaluates and validates the credentials that it receives from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the network-access device: ACLs, a policy based access control list, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. ACS records the policy evaluation result for use with monitoring systems. Before granting network access, ACS 4.1 also allows third-party Audit Vendors to audit hosts without the appropriate agent technology. ACS policies can be extended with external policy servers to which ACS forwards posture credentials. For example, credentials specific to an antivirus vendor can be forwarded to the vendor's antivirus policy server, and audit policy requests can be forwarded to third-party audit products. For more information, see Chapter 13, "Posture Validation."

GAME Group Feedback— This feature provides the ability to authorize a host based on checking the device-type categorization returned from authentication as a user-group against an audit server.

Expanded agentless support— This feature adds support for auditing agentless hosts connected to a Layer 2 Network Access Device (NAD). The agentless host is admitted to a quarantine network where it can receive an IP address and only then instantiate the audit. When instantiated, the audit will continue as with a regular Layer 3 host.

Extended replication components—Improved and enhanced replication components have been added to this release. Administrators now can replicate:

Posture validation settings

Additional logging attributes

Audit support for MAC Authentication Bypass —Audit processing has been enhanced to include MAC Authentication Bypass (MAB). MAB enables double checking an audit request against a MAC authentication policy and an Audit Policy, and combines the evaluation of these two policies.

Audit Verification of MAC Exceptions — You can apply MAC exceptions to NAC audit requests. Dual verification of endpoints is then possible. You can check whether the user group (which signifies the device type) that the agentless request processing returns matches the device type that the audit server returns, and you can define a policy for handling mismatches.

Japanese Microsoft Windows Support—New support for the Japanese version of Microsoft Windows 2003 at the service pack level is available. Only ACS for Windows supports the Japanese version of Windows 2003. The ACS Solution Engine does not support the Japanese OS.


Note We do not support distributed ACS deployments in a NAT environment.


Authentication

Authentication determines user identity and verifies the information. Traditional authentication uses a name and a fixed password. More secure methods use technologies such as the Challenge Handshake Authentication Protocol (CHAP) and one-time passwords (OTPs). ACS supports a variety of these authentication methods.

A fundamental implicit relationship exists between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. ACS supports this relationship by providing various methods of authentication.

This section contains the following topics:

Authentication Considerations

Authentication and User Databases

Authentication Protocol-Database Compatibility

Passwords

Other Authentication-Related Features

Authentication Considerations

Username and password is the most popular, simplest, and least-expensive method of authentication. The disadvantage is that this information can be told to someone else, guessed, or captured. Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

You should use encryption to reduce the risk of password capture on the network. Client and server access-control protocols such as TACACS+ and RADIUS hide passwords so that they cannot simply be read off the wire. However, TACACS+ and RADIUS operate only between the AAA client and ACS. Before that point in the authentication process, an eavesdropper can obtain clear-text passwords, for example from:

The phone line between a dial-up end-user client and the network-access server

An Integrated Services Digital Network (ISDN) line terminating at a network-access server

A Telnet session between an end-user client and the hosting device

Authentication and User Databases

ACS supports a variety of user databases. It supports the ACS internal database and several external user databases, including:

Windows User Database

Generic Lightweight Directory Access Protocol (LDAP)

Novell NetWare Directory Services (NDS) when used with Generic LDAP

LEAP Proxy Remote Authentication Dial-In User Service (RADIUS) servers

Token servers

Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)

Authentication Protocol-Database Compatibility

The various password protocols that ACS supports for authentication are supported unevenly by the various databases that ACS supports. For more information about the password protocols that ACS supports, see Passwords.

Table 1-2 specifies non-EAP authentication protocol support.

Database                       ASCII/PAP  CHAP  ARAP  MS-CHAP v1  MS-CHAP v2
ACS internal database          Yes        Yes   Yes   Yes         Yes
Windows SAM                    Yes        No    No    Yes         Yes
Windows AD                     Yes        No    No    Yes         Yes
LDAP                           Yes        No    No    No          No
ODBC (ACS for Windows only)    Yes        Yes   Yes   Yes         Yes
LEAP Proxy RADIUS Server       Yes        No    No    Yes         Yes
All Token Servers              Yes        No    No    No          No


Table 1-3 specifies EAP authentication protocol support.

Database                       LEAP  EAP-MD5  EAP-TLS  PEAP (GTC)  PEAP (MSCHAPv2)  PEAP (TLS)  FAST Ph0  FAST Ph2
ACS internal database          Yes   Yes      Yes      Yes         Yes              Yes         Yes       Yes
Windows SAM                    Yes   No       No       Yes         Yes              No          Yes       Yes
Windows AD                     Yes   No       Yes      Yes         Yes              Yes         Yes       Yes
LDAP                           No    No       Yes      Yes         No               Yes         No        Yes
ODBC (ACS for Windows only)    Yes   Yes      Yes      Yes         Yes              Yes         Yes       Yes
LEAP Proxy RADIUS Server       Yes   No       No       Yes         Yes              No          Yes       Yes
All Token Servers              No    No       No       Yes         No               No          No        No

Column key: PEAP (GTC) = PEAP (EAP-GTC); PEAP (MSCHAPv2) = PEAP (EAP-MSCHAPv2); PEAP (TLS) = PEAP (EAP-TLS); FAST Ph0 = EAP-FAST Phase Zero; FAST Ph2 = EAP-FAST Phase Two.


Passwords

ACS supports many common password protocols:

ASCII/Password Authentication Protocol (ASCII/PAP)

CHAP

MS-CHAP

Lightweight Extensible Authentication Protocol (LEAP)

AppleTalk Remote Access Protocol (ARAP)

EAP-MD5

EAP-TLS

PEAP(EAP-GTC)

PEAP(EAP-MSCHAPv2)

PEAP(EAP-TLS)

EAP-FAST

Passwords can be processed by using these password-authentication protocols based on the version and type of security-control protocol used (for example, RADIUS or TACACS+), and the configuration of the AAA client and end-user client. The following sections outline the different conditions and functions of password handling.

In the case of token servers, ACS acts as a client to the token server by using its proprietary API or its RADIUS interface, depending on the token server. For more information, see About Token Servers and ACS, page 12-50.

Different levels of security can be used concurrently with ACS for different requirements. The basic user-to-network security level is PAP. Although PAP sends the password unencrypted, it offers convenience and simplicity for the client, and it allows authentication against the Windows database, so users need to log in only once. CHAP provides a higher level of security because only a hash, never the password itself, travels between the end-user client and the AAA client; you can use CHAP with the ACS internal database. ARAP support is included for Apple clients.

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are authentication protocols that handle the user's password differently, and each provides a different level of security; only CHAP and ARAP avoid sending the password itself. Table 1-4 describes the security associated with each protocol.

Protocol: PAP

Security: Sends the password in clear text (unencrypted) and is the least sophisticated authentication protocol. If you are using the Windows user database to authenticate users, you must use PAP or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

Protocol: CHAP

Security: Uses a challenge-response mechanism with a one-way hash (MD5) over the response, so the password itself is never sent. CHAP enables ACS to negotiate downward from the most secure to the least secure mechanism, and it protects passwords that are transmitted in the process. CHAP passwords are reusable, not one-time. If you are using the ACS internal database for authentication, you can use PAP or CHAP. CHAP does not work with the Windows user database, because verifying a CHAP response requires the clear-text password, which Windows does not store.

Protocol: ARAP

Security: Uses a two-way challenge-response mechanism. The AAA client challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.
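The CHAP one-way hash is simple enough to state exactly, and doing so explains two things in this section: why the verifier must hold the clear-text password (hence no CHAP against the Windows database) and why the single shared PAP/CHAP password described under Basic Password Configurations is risky. The following is an added example written for this page, not ACS code. It implements the RFC 1994 response computation, which EAP-MD5 (RFC 3748) reuses unchanged, verifies it server-side from a stored clear-text secret, and then runs the offline dictionary attack that anyone who captured one challenge/response pair can mount. The user names, secrets, challenge and word list are constructed samples.

```python
"""CHAP (RFC 1994) response generation and verification, plus the offline
dictionary attack on a captured exchange. Added example, not ACS code; the
user names, secrets, challenge and word list are constructed samples."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge), as in RFC 1994
    section 2 (EAP-MD5 in RFC 3748 uses the same computation). The secret
    never crosses the wire, but the verifier must hold it in clear text."""
    if not 0 <= identifier <= 255:
        raise ValueError("Identifier is a single octet")
    if not challenge:
        raise ValueError("Challenge must not be empty")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Minimal authenticator holding clear-text secrets, which is what the
    ACS internal database can do and a Windows database, storing only
    one-way password hashes, cannot; that is why CHAP is 'No' for Windows."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = dict(secrets)
        self._identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Issue a fresh random 16-byte challenge under the next Identifier."""
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(16)

    def verify(self, user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """Recompute the expected response from the stored secret and compare
        in constant time; an unknown user still does the work, then fails."""
        secret = self._secrets.get(user, b"")
        expected = chap_response(identifier, secret, challenge)
        return user in self._secrets and hmac.compare_digest(expected, response)


def crack_chap(identifier: int, challenge: bytes, response: bytes,
               wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack: whoever captured (Identifier, Challenge, Response)
    can test candidate passwords at MD5 speed with no further traffic.
    A password already learned from a clear-text PAP login needs no guessing,
    which is why one shared PAP/CHAP password gives away the CHAP credential."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None


def demo() -> dict:
    """Legitimate login, a wrong password, a replay into the next session,
    and the dictionary attack, all on constructed values."""
    server = ChapServer({"alice": b"correct horse"})
    ident, chal = server.challenge()
    resp = chap_response(ident, b"correct horse", chal)       # the peer's answer
    verified = server.verify("alice", ident, chal, resp)
    wrong_accepted = server.verify("alice", ident, chal, chap_response(ident, b"wrong", chal))
    ident2, chal2 = server.challenge()                        # next session
    replay_accepted = server.verify("alice", ident2, chal2, resp)
    guessed = crack_chap(ident, chal, resp, [b"password", b"cisco", b"correct horse"])
    return {
        "verified": verified,
        "wrong_accepted": wrong_accepted,
        "replay_accepted": replay_accepted,
        "guessed": guessed,
    }


if __name__ == "__main__":
    print(demo())
```

The random challenge defeats replay, but nothing in CHAP slows down guessing: MD5 is fast and unsalted beyond the challenge, so CHAP and EAP-MD5 protect only passwords that are strong enough to survive an offline dictionary attack on a single captured exchange.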


MS-CHAP

ACS supports MS-CHAP for user authentication. Differences between MS-CHAP and standard CHAP are:

The MS-CHAP Response packet is in a format compatible with Microsoft Windows and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.

MS-CHAP provides an authentication-retry mechanism that the authenticator controls.

MS-CHAP provides additional failure codes in the Failure packet Message field.

For more information on MS-CHAP, refer to RFC 2433, Microsoft PPP CHAP Extensions, and RFC 2548, Microsoft Vendor-specific RADIUS Attributes.

EAP Support

The Extensible Authentication Protocol (EAP), defined by the IETF in RFC 2284 (since superseded by RFC 3748) and carried over wired and wireless LANs by IEEE 802.1X, is an end-to-end framework that allows the creation of authentication types without changing AAA client configurations. For more information about EAP, see RFC 2284, PPP Extensible Authentication Protocol (EAP).

ACS supports several EAP protocols. Table 1-5 describes each supported protocol.

EAP Protocol: EAP-MD5

Description: An MD5 challenge-response carried in EAP, computed exactly as CHAP is. It does not support mutual authentication and derives no keying material, so it is unsuitable for wireless links.

EAP Protocol: EAP-TLS

Description: EAP incorporating Transport Layer Security; both sides authenticate with certificates. For more information, see EAP-TLS Deployment Guide for Wireless LAN Networks and EAP-TLS Authentication, page 9-2.

EAP Protocol: LEAP

Description: An EAP protocol that Cisco Aironet wireless equipment uses; it supports mutual authentication. Its challenge-response is MS-CHAP based and can be broken by an offline dictionary attack when passwords are weak, so prefer a tunneled method such as PEAP or EAP-FAST where the clients allow it.

EAP Protocol: PEAP

Description: Protected EAP, which establishes a server-authenticated TLS tunnel and runs EAP-Generic Token Card (GTC), EAP-TLS or EAP-MS-CHAPv2 inside it. For more information, see PEAP Authentication, page 9-5.

EAP Protocol: EAP-FAST

Description: EAP Flexible Authentication via Secure Tunneling. Phase zero provisions a Protected Access Credential (PAC); the PAC is then used to establish a TLS tunnel in which an inner method (EAP-GTC or EAP-MSCHAPv2) runs in phase two. For more information, see EAP-FAST Authentication, page 9-8.


The architecture of ACS is extensible with regard to EAP; additional varieties of EAP will be supported as those protocols mature.

Basic Password Configurations

Several basic password configurations are available:


Note These configurations are all classed as inbound authentication.


Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—The most convenient method for the administrator when setting up accounts and the user when obtaining authentication. However, because the CHAP password is the same as the PAP password, and the PAP password is transmitted in clear text during an ASCII/PAP login, the CHAP password could be compromised.

Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a higher level of security, users can have two separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password can remain secure.

External user database authentication—For authentication by an external user database, the user does not need a password stored in the ACS internal database. Instead, ACS records which external user database it should query to authenticate the user.

Advanced Password Configurations

ACS supports the following advanced password configurations:

Inbound passwords—Passwords used by most ACS users. The TACACS+ and RADIUS protocols support these passwords. The passwords are held in the ACS internal database and are not usually provided to an external source if an outbound password has been configured.

Outbound passwords—The TACACS+ protocol supports outbound passwords, used, for example, when a AAA client must authenticate itself to another AAA client or to an end-user client. Passwords from the ACS internal database are then sent to that second AAA client or end-user client.

Token caching—When token caching is enabled, ISDN users can connect (for a limited time) to a second B Channel by using the same OTP that was entered during original authentication. For greater security, the B-Channel authentication request from the AAA client should include the OTP in the username value (for example, Fredpassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the configuration that the user employs.

The TACACS+ SENDAUTH feature enables AAA clients to authenticate themselves to other AAA clients or to end-user clients via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, ACS gives out the password. By default, the ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, we recommend that you configure a separate SENDAUTH password for the user so that ACS inbound passwords are never compromised.

If you want to use outbound passwords and maintain the highest level of security, we recommend that you configure users in the ACS internal user database with an outbound password that is different from the inbound password.

Password Aging

With ACS you can choose whether and how to employ password aging. Control for password aging may reside in the ACS internal database, or in an external Windows user database. Each password-aging mechanism differs as to requirements and setting configurations.

You can use the password-aging feature that the ACS internal database controls to force users to change their passwords under any of the following conditions:

The current date exceeds a specified date.

After a specified number of logins.

The first time a new user logs in.

For information on the requirements and configuration of the password aging feature that the ACS internal database controls, see Enabling Password Aging for the ACS Internal Database, page 5-15.

You use the Windows-based password aging feature to control the following password aging parameters:

Maximum password age in days.

Minimum password age in days.

The methods and functionality of Windows password aging differ according to the Windows operating system release. For information on the requirements and configuration of the Windows-based password aging feature, see Enabling Password Aging for Users in Windows Databases, page 5-19, and refer to your Windows system documentation.
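As an added illustration of how the triggers above combine, the following Python evaluator (example code, not part of ACS) checks a password state against both the ACS internal-database triggers (date exceeded, login count, first login) and Windows-style maximum/minimum age parameters. The rule names, the field names and the boundary convention (a trigger fires when the limit is strictly exceeded, the first-login rule is evaluated first) are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class AgingPolicy:
    """Password-aging settings. Field names are this example's, not ACS's."""
    # Triggers that the ACS internal database controls
    expire_on: Optional[date] = None        # "date exceeds" trigger
    max_logins: Optional[int] = None        # "after a specified number of logins"
    change_on_first_login: bool = False     # "the first time a new user logs in"
    # Windows-style parameters
    max_age_days: Optional[int] = None      # maximum password age in days
    min_age_days: int = 0                   # minimum password age in days


@dataclass
class PasswordState:
    """What is known about one user's current password."""
    set_on: date                            # day the password was last changed
    logins_since_change: int = 0
    ever_logged_in: bool = False


def change_required(policy: AgingPolicy, state: PasswordState, today: date) -> Optional[str]:
    """Return the name of the first aging rule that fires, or None if the
    password is still acceptable. Evaluation order is this example's choice."""
    if policy.change_on_first_login and not state.ever_logged_in:
        return "first-login"
    if policy.expire_on is not None and today > policy.expire_on:
        return "date-exceeded"
    if policy.max_logins is not None and state.logins_since_change >= policy.max_logins:
        return "login-count"
    if policy.max_age_days is not None and (today - state.set_on).days > policy.max_age_days:
        return "max-age"
    return None


def change_permitted(policy: AgingPolicy, state: PasswordState, today: date) -> bool:
    """Minimum age: a user may not change the password again until it has
    been in place for min_age_days (stops immediate cycling back to an old one)."""
    return (today - state.set_on).days >= policy.min_age_days


if __name__ == "__main__":
    policy = AgingPolicy(expire_on=date(2024, 6, 30), max_logins=10,
                         change_on_first_login=True, max_age_days=90, min_age_days=1)
    state = PasswordState(set_on=date(2024, 5, 1))          # constructed sample
    print(change_required(policy, state, date(2024, 5, 2)))  # first-login
```

The two functions are kept separate because a forced change and a permitted change are different decisions: the first is evaluated at login, the second when the user actually submits a new password.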

User-Changeable Passwords

With ACS, you can install a separate program so that users can change their passwords by using a web-based utility. For more information about installing user-changeable passwords, see the Installation and User Guide for Cisco Secure ACS User-Changeable Passwords on http://www.cisco.com.

Other Authentication-Related Features

In addition to the authentication-related features discussed in this section, ACS provides additional features:

Authentication of unknown users with external user databases. (See About Unknown User Authentication, page 15-3.)

Authentication of computers running Microsoft Windows. (See Machine Authentication, page 12-10.)

Support for the Microsoft Windows Callback feature. (See Setting the User Callback Option, page 6-6.)

Ability to configure user accounts, including passwords, by using an external data source. (See About RDBMS Synchronization, page 8-17.)

Ability for external users to authenticate via an enable password. (See Setting TACACS+ Enable Password Options for a User, page 6-23.)

Proxy of authentication requests to other AAA servers. (See Proxy in Distributed Systems, page 3-3.)

Configurable character string stripping from proxied authentication requests. (See Stripping, page 3-5.)

Self-signed server certificates. (See Using Self-Signed Certificates, page 9-31.)

Certificate revocation list checking during EAP-TLS authentication. (See Managing Certificate Revocation Lists, page 9-27.)

Authorization

Authorization determines what a user is allowed to do. ACS can send user profile policies to AAA clients to determine which network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

You can use the ACS access restrictions feature to permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that you can disable on specified dates. A service provider could then offer a 30-day free trial. You could use the same authorization to create a temporary account for a consultant with login permission that is limited to Monday through Friday, 9 A.M. to 5 P.M.
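The two cases in the paragraph above, a 30-day trial account and a consultant limited to Monday through Friday, 9 A.M. to 5 P.M., worked through as an added Python example. This is illustration code, not ACS's own implementation; the window representation, the group and account types and the rule that expiry is checked before time-of-day are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Tuple

# A permitted window: (weekday, start, end) with weekday 0=Monday ... 6=Sunday,
# start inclusive, end exclusive. Representation is this example's own.
Window = Tuple[int, time, time]


@dataclass
class GroupPolicy:
    name: str
    windows: List[Window]                 # empty list = no time-of-day restriction


@dataclass
class Account:
    username: str
    group: GroupPolicy
    disable_on: Optional[date] = None     # account is refused from this date on


def business_hours(start: time = time(9, 0), end: time = time(17, 0)) -> List[Window]:
    """Monday to Friday, start..end: the consultant case from the text."""
    return [(day, start, end) for day in range(5)]


def trial_account(username: str, group: GroupPolicy, start: date, days: int = 30) -> Account:
    """A temporary account that is disabled on the day the trial ends."""
    return Account(username, group, disable_on=start + timedelta(days=days))


def login_allowed(acct: Account, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Expiry is checked first so that a disabled
    account is rejected regardless of the hour (this example's ordering)."""
    if acct.disable_on is not None and when.date() >= acct.disable_on:
        return False, f"account disabled since {acct.disable_on.isoformat()}"
    if not acct.group.windows:
        return True, "no time-of-day restriction"
    weekday, now = when.weekday(), when.time()
    for day, start, end in acct.group.windows:
        if day == weekday and start <= now < end:
            return True, f"inside window weekday={day} {start}-{end}"
    return False, "outside permitted time-of-day/day-of-week windows"


if __name__ == "__main__":
    consultants = GroupPolicy("Consultants", business_hours())
    bob = Account("bob", consultants)
    print(login_allowed(bob, datetime(2024, 3, 5, 10, 0)))   # Tuesday 10:00: allowed
    print(login_allowed(bob, datetime(2024, 3, 9, 10, 0)))   # Saturday: denied
    trials = GroupPolicy("Trial", [])
    fred = trial_account("fred", trials, date(2024, 3, 1))   # constructed sample
    print(login_allowed(fred, datetime(2024, 3, 31, 8, 0)))  # day 30: denied
```

Returning the reason alongside the decision is deliberate: when a login is refused by policy rather than by a bad password, the operator reading the failed-attempt log needs to tell the two apart.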

You can also apply the following restrictions to users:

a single service

a combination of services, such as PPP, ARAP, Serial Line Internet Protocol (SLIP), or EXEC

Layer 2 and Layer 3 protocols, such as IP and IPX

access lists

On a per-user or per-group basis, access lists can restrict the following user access:

parts of the network where critical information is stored

certain services, such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP)

One fast-growing service that providers offer and corporations adopt is a service authorization for Virtual Private Dial-Up Networks (VPDNs). ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network, such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, ACS can be used for each end of the VPDN.

This section contains the following topics:

Max Sessions

Dynamic Usage Quotas

Shared Profile Components

Support for Cisco Device-Management Applications

Other Authorization-Related Features

Max Sessions

Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions that are available to a user or a group:

User Max Sessions—For example, an Internet service provider can limit each account holder to a single session.

Group Max Sessions—For example, an enterprise administrator can allow the remote access infrastructure to be shared equally among several departments and limit the maximum number of concurrent sessions for all users in any one department.

In addition to enabling simple User and Group Max Sessions control, as an administrator you can use ACS to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the group membership of the user. For example, an administrator can allocate a Group Max Sessions value of 50 to the group Sales and also limit each member of the Sales group to five sessions each. Therefore, no single member of a group account would be able to use more than five sessions at any one time, but the group could still have up to 50 active sessions.
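The Sales example above (Group Max Sessions of 50, group-based User Max Sessions of 5), worked through as an added Python example of a session table that enforces both limits on every session start. This is illustration code, not ACS's implementation; the class and its method names are this example's assumptions, and it assumes the AAA client reports every session start and stop so that the counts stay accurate.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class GroupLimits:
    group_max: Optional[int]     # Group Max Sessions, None = unlimited
    user_max: Optional[int]      # group-based User Max Sessions, None = unlimited


class SessionTable:
    """Counts active sessions per user and per group and refuses a new session
    when either limit is already reached. Hypothetical model, not ACS code."""

    def __init__(self, limits: Dict[str, GroupLimits], membership: Dict[str, str]):
        self.limits = limits                  # group name -> limits
        self.membership = membership          # user name -> group name
        self._active: Dict[str, Set[str]] = defaultdict(set)   # user -> session ids
        self._group_count: Dict[str, int] = defaultdict(int)   # group -> active sessions

    def active_sessions(self, user: str) -> int:
        return len(self._active[user])

    def group_sessions(self, group: str) -> int:
        return self._group_count[group]

    def session_start(self, user: str, session_id: str) -> bool:
        """Return True if the session may be admitted (and record it)."""
        group = self.membership[user]
        if session_id in self._active[user]:
            return True                       # repeated start for a known session
        lim = self.limits[group]
        if lim.user_max is not None and self.active_sessions(user) >= lim.user_max:
            return False                      # this user is at the per-user cap
        if lim.group_max is not None and self.group_sessions(group) >= lim.group_max:
            return False                      # the whole group is at its cap
        self._active[user].add(session_id)
        self._group_count[group] += 1
        return True

    def session_stop(self, user: str, session_id: str) -> None:
        """Release a session; unknown ids are ignored so a late stop is harmless."""
        if session_id in self._active[user]:
            self._active[user].remove(session_id)
            self._group_count[self.membership[user]] -= 1


if __name__ == "__main__":
    limits = {"Sales": GroupLimits(group_max=50, user_max=5)}
    members = {f"user{i}": "Sales" for i in range(11)}     # constructed sample
    table = SessionTable(limits, members)
    print([table.session_start("user0", f"s{n}") for n in range(6)])  # five True, then False
```

The duplicate-start check comes before the limit checks on purpose: a retransmitted accounting start for a session that is already counted must not be refused, or a flapping link would lock the user out of a session they already hold.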

For more information about the Max Sessions feature, see Setting Max Sessions for a User Group, page 5-9 and Setting Max Sessions Options for a User, page 6-11.

Dynamic Usage Quotas

You can use ACS to define network usage quotas for users. Using quotas, you can limit the network access of each user in a group or of individual users. You define quotas by duration of sessions or the total number of sessions. Quotas can be absolute, or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed.

To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off and the accounting stop packet is received from the AAA client. If the AAA client through which the user is accessing your network fails, the session information is not updated. In the case of multiple sessions, such as with ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the quota that is allocated to the user.
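The ISDN failure mode described above, worked through as an added Python example (illustration code, not ACS's): a duration-quota tracker consumes constructed accounting records and the authorization decision looks only at committed usage. Feeding it a first B channel with and without interim accounting updates shows why the second channel is accepted in one case and refused in the other. The record format and the method names are this example's assumptions; the elapsed field is modelled on a cumulative session-time counter.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict


@dataclass
class Record:
    """One accounting record as this example models it (constructed, not a real packet)."""
    kind: str        # "start", "update" or "stop"
    user: str
    session: str     # session identifier, e.g. one B channel
    elapsed: int     # cumulative seconds since the session started


class QuotaTracker:
    """Daily duration quota per user, in seconds. Usage is committed only when a
    record says so: with interim updates the total moves during a session,
    without them it moves only when the stop record arrives."""

    def __init__(self, quota_seconds: int):
        self.quota = quota_seconds
        self._used: Dict[str, int] = defaultdict(int)                      # committed seconds
        self._open: Dict[str, Dict[str, int]] = defaultdict(dict)         # user -> session -> last elapsed seen

    def used_seconds(self, user: str) -> int:
        return self._used[user]

    def authorize(self, user: str) -> bool:
        """Access decision for a new session: only committed usage counts."""
        return self._used[user] < self.quota

    def account(self, rec: Record) -> None:
        if rec.kind == "start":
            self._open[rec.user][rec.session] = 0
        elif rec.kind == "update":
            last = self._open[rec.user].get(rec.session, 0)
            self._used[rec.user] += rec.elapsed - last        # commit the delta since the last report
            self._open[rec.user][rec.session] = rec.elapsed
        elif rec.kind == "stop":
            last = self._open[rec.user].pop(rec.session, 0)
            self._used[rec.user] += rec.elapsed - last
        else:
            raise ValueError(f"unknown record kind {rec.kind!r}")

    def reset(self, user: str) -> None:
        """Administrative counter reset, to re-admit a user who exhausted the quota."""
        self._used[user] = 0


def second_channel_accepted(with_updates: bool, quota_seconds: int = 1800) -> bool:
    """First B channel has been up for 2400 s against a 1800 s quota when the
    second B channel is requested. Returns the authorization outcome."""
    q = QuotaTracker(quota_seconds)
    q.account(Record("start", "fred", "b1", 0))
    if with_updates:
        for t in (600, 1200, 1800, 2400):                       # interim updates every 10 minutes
            q.account(Record("update", "fred", "b1", t))
    return q.authorize("fred")


if __name__ == "__main__":
    print("with updates   ->", second_channel_accepted(True))    # False: quota already exhausted
    print("without updates->", second_channel_accepted(False))   # True: nothing committed yet
```

The same tracker also shows the failed-client case from the text: if the AAA client dies and the stop record never arrives, the usage committed by earlier interim updates is kept, whereas without updates the whole session is simply never charged against the quota.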

For more information about usage quotas, see Setting Usage Quotas for a User Group, page 5-10 and Options for Setting User Usage Quotas, page 6-12.

Shared Profile Components

ACS provides a means for specifying authorization profile components that you can apply to multiple user groups and users. For example, you may have multiple user groups that have identical network-access restrictions. Rather than configuring the network-access restrictions several times, once per group, you can configure a network-access restriction set in the Shared Profile Components section of the web interface, and then configure each group to use the network-access restriction set that you created.

For information about the types of shared-profile components that ACS supports, see About Shared Profile Components, page 4-1.

Support for Cisco Device-Management Applications

ACS supports Cisco device-management applications, for example by providing command authorization for network users who use the management application to configure managed network devices. You provide support for command authorization for management application users by using unique command-authorization set types for each management application that is configured to use ACS for authorization.

ACS uses TACACS+ to communicate with management applications. For a management application to communicate with ACS, you must configure the management application in ACS as a AAA client that uses TACACS+. Also, you must provide the device-management application with a valid administrator name and password. When a management application initially communicates with ACS, these requirements ensure the validity of the communication.

Additionally, the administrator that the management application uses must have the Create New Device Command Set Type privilege enabled. When a management application initially communicates with ACS, it dictates to ACS the creation of a device command set type, which appears in the Shared Profile Components section of the web interface. It also dictates a custom service for TACACS+ to authorize. The custom service appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section of the web interface. For information about enabling TACACS+ services, see Displaying TACACS+ Configuration Options, page 2-6. For information about device command-authorization sets for management applications, see Command Authorization Sets, page 4-25.

After the management application has dictated the custom TACACS+ service and device command-authorization set type to ACS, you can configure command-authorization sets for each role that the management application supports and apply those sets to user groups that contain network administrators or to individual users who are network administrators.
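As an added example of the per-role command-authorization sets this section describes, the following Python code (illustration, not ACS's implementation) models a set as a list of permitted or denied argument patterns per command, a per-command default for unmatched arguments, and a set-wide default for commands that are not listed, then assigns a set to each role. This is a simplified model of the concept; the structure, the names and the choice to match argument patterns as Python regular expressions with re.fullmatch are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandRule:
    """Rules for one command. Each entry is ("permit" | "deny", regex over the argument string)."""
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = False      # what to do with arguments no rule matches


@dataclass
class CommandSet:
    """A command-authorization set, applied to a role or user group."""
    name: str
    commands: Dict[str, CommandRule]
    permit_unmatched_commands: bool = False  # default for commands not listed at all


def authorize_command(cs: CommandSet, command_line: str) -> bool:
    """Evaluate one command line against a set. First matching argument rule wins;
    an empty command line is never authorized."""
    tokens = command_line.split()
    if not tokens:
        return False
    command, args = tokens[0], " ".join(tokens[1:])
    rule = cs.commands.get(command)
    if rule is None:
        return cs.permit_unmatched_commands
    for action, pattern in rule.arg_rules:
        if re.fullmatch(pattern, args):
            return action == "permit"
    return rule.permit_unmatched_args


# Hypothetical roles a management application might support, each with its own set.
ROLE_SETS: Dict[str, CommandSet] = {
    "helpdesk": CommandSet(
        name="helpdesk-readonly",
        commands={
            "show": CommandRule([("permit", ".*")]),              # any show command
            "clear": CommandRule([("permit", r"line \d+")]),      # only clear line <n>
        },
        permit_unmatched_commands=False,                          # everything else denied
    ),
    "netadmin": CommandSet(
        name="netadmin-full",
        commands={
            "reload": CommandRule([("deny", ".*")]),              # never authorize reload
        },
        permit_unmatched_commands=True,                           # all other commands allowed
    ),
}


def authorize_for_role(role: str, command_line: str) -> bool:
    """Look up the set assigned to a role; unknown roles get no authorization."""
    cs: Optional[CommandSet] = ROLE_SETS.get(role)
    return cs is not None and authorize_command(cs, command_line)


if __name__ == "__main__":
    for role, cmd in [("helpdesk", "show running-config"), ("helpdesk", "configure terminal"),
                      ("netadmin", "configure terminal"), ("netadmin", "reload in 10")]:
        print(f"{role:9} {cmd!r:24} -> {authorize_for_role(role, cmd)}")
```

Denying unmatched commands by default for the restricted role is the least-privilege choice: a new command added to the device later is refused until someone adds it to the set, rather than silently becoming available.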

Other Authorization-Related Features

In addition to the authorization-related features discussed in this section, ACS provides these additional features:

Group administration of users. (See Chapter 5, "User Group Management.")

Ability to map a user from an external user database to a specific ACS group. (See Chapter 16, "User Group Mapping and Specification.")

Ability to disable an account after a number of failed attempts, specified by the administrator. (See Setting Options for User Account Disablement, page 6-13.)

Ability to disable an account on a specific date. (See Setting Options for User Account Disablement, page 6-13.)

Ability to disable groups of users. (See Group Disablement, page 5-3.)

Ability to restrict time-of-day and day-of-week access. (See Setting Default Time-of-Day Access for a User Group, page 5-5.)

Network access restrictions (NARs) based on remote address caller line identification (CLID) and dialed number identification service (DNIS). (See Setting Network Access Restrictions for a User Group, page 5-6.)

Downloadable ACLs for users or groups, enabling centralized, modular ACL management. (See Downloadable IP ACLs, page 4-13.)

Network access filters, which apply different downloadable ACLs and NARs based on a user's point of entry into your network. (See Network Access Filters, page 4-2.)
