The document provides a guide for deploying and configuring Cisco Secure Access Control Server (ACS) 5.2. It outlines scenarios for installing ACS as a virtual appliance, setting up a backup server for high availability, integrating ACS with Active Directory and LDAP, and configuring AAA authentication and authorization for devices and VPNs using TACACS and RADIUS. Configuration steps are provided for assigning privilege levels to users on routers and firewalls via AAA with shell profiles.
1. CISCO SECURE ACS 5.X PRODUCT DEPLOYMENT GUIDE PacketWisdom.Com
Version : 1.1 | Author : Tariq Ahmad Email: support@packetwisdom.com
1
Cisco Secure Access Control Server (CS-ACS) 5.2
Deployment/Detailed Lab Guide
Authored by :
Tariq Ahmad
CCIE # 26141
Scenario Info:
Server Role : Server IP Info
Cisco Secure ACS Primary Server : 192.168.2.30/24
Cisco Secure ACS Backup Server : 192.168.2.31/24
Active Directory/LDAP/Certificate Authority/DNS : 192.168.2.100/24
Scenarios :
o Basic Installation & configuration of Cisco Secure ACS 5.2 as a Virtualized Appliance (VMware)
o Installing/Activating a Backup Server for High Availability (HA)
o Integrating Cisco Secure ACS with Active Directory Domain
o Integrating Cisco Secure ACS with Lightweight Directory Access Protocol (LDAP)
o Assigning Privilege Levels in IOS to Users for Device Administration via LOCAL database authentication
o Assigning Privilege Levels in IOS to Users for Device Administration via AAA Server
AAA Server : Shell Profiles : TACACS
o Understanding & Enabling Logging Passed/Failed Authentications & Viewing Logs using Logs Collector
o Authenticating & Authorizing Users for Command Authorization in IOS via AAA
AAA Server : Command Sets : TACACS
o Authenticating Users for HTTP & SDM Access to a Cisco Router via LOCAL database
o Authenticating Users for HTTP & SDM Access to a Cisco Router via AAA Server
AAA Server : Shell Profiles : TACACS
o Using IOS Authentication Proxy to restrict access based on User Profiles via Authorization Profile
AAA Server : Authorization Profile : RADIUS
o Using IOS Authentication Proxy to restrict access based on User Profiles via Shell Profiles
AAA Server : Shell Profiles : TACACS
o Using IOS EzVPN Server(legacy method) with Cisco VPN Client for user authentication & group policy assignment
LOCAL for XAuth , LOCAL for group
o Using IOS EzVPN Server(legacy method) with Cisco VPN Client for user authentication & group policy assignment
RADIUS for XAuth , LOCAL for group
AAA Server : Authorization Profile : RADIUS
o Using IOS EzVPN Server(legacy method) with Cisco VPN Client for user authentication & group policy assignment
RADIUS for XAuth , RADIUS for group
AAA Server : Authorization Profile : RADIUS
o Using IOS EzVPN Server(new method – VTI) with Cisco VPN Client for user authentication & group policy
assignment
LOCAL for XAuth , LOCAL for group
o Using IOS EzVPN Server(new method – VTI) with Cisco VPN Client for user authentication & group policy
assignment
RADIUS for XAuth , LOCAL for group
AAA Server : Authorization Profile : RADIUS
o Using IOS EzVPN Server(new method – VTI) with Cisco VPN Client for user authentication & group policy
assignment
RADIUS for XAuth , RADIUS for group
AAA Server : Authorization Profile : RADIUS
o Authenticating IOS based SSL VPN (WebVPN) Sessions using LOCAL database
o Authenticating IOS based SSL VPN (WebVPN) Sessions using ACS Server (RADIUS)
AAA Server : Authorization Profile : RADIUS
o Authenticating IOS based SSL VPN (AnyConnect VPN) Sessions using LOCAL database
o Authenticating IOS based SSL VPN (AnyConnect VPN) Sessions using ACS Server (RADIUS)
AAA Server : Authorization Profile : RADIUS
o Assigning Privilege Levels to Users on ASA
o Authenticating & Authorizing Users for Command Authorization in ASA via AAA
AAA Server : Shell Profiles : TACACS
o Using Cut-through Proxy on ASA for Authentication Only
AAA Server : Shell Profiles : TACACS
o Using Cut-through Proxy on ASA for Authentication/Authorization via AAA
AAA Server : Command Sets : TACACS
o Using Cut-through Proxy on ASA for Authentication/Authorization via AAA
AAA Server : Downloadable ACL/Authorization Profile : RADIUS
o Using IEEE 802.1X to provide Port-Based Access Control Using Authentication
o Configuring IEEE 802.1X Authentication on a Catalyst Switch & Cisco Secure ACS 5.X using EAP-MD5 for
authentication (dynamic VLAN assignment )
AAA Server : Authorization Profile : RADIUS
o Configuring IEEE 802.1X Authentication on a Catalyst Switch & Cisco Secure ACS 5.X using Protected EAP (PEAP)
for authentication (dynamic VLAN assignment )
AAA Server : Authorization Profile : RADIUS
o Configuring MAC Authentication Bypass (MAB) for Clientless Devices i.e. IP Phones / Printers / Peripheral Devices
AAA Server : Authorization Profile : RADIUS
o Triggering Change Of Authorization (CoA) from Cisco Secure ACS 5.X
o Configuring IPSec Remote Access VPN on ASA with Cisco VPN Client for user authentication & group policy
assignment
LOCAL for XAuth , LOCAL for group
o Configuring IPSec Remote Access VPN on ASA with Cisco VPN Client for user authentication & group policy
assignment
RADIUS for XAuth , LOCAL for group
AAA Server : Authorization Profile : RADIUS
o Configuring IPSec Remote Access VPN on ASA with Cisco VPN Client for user authentication & group policy
assignment
RADIUS for XAuth , RADIUS for group
AAA Server : Authorization Profile : RADIUS
o Enrolling Cisco Secure ACS with an Enterprise CA
o Enterprise Certificate Authority Installation in Windows 2008 R2 Server
o Certificate Installation on Cisco Secure ACS (using CA Server )
Basic Installation & Configuration of Cisco Secure ACS 5.2 as a Virtualized Appliance
(VMware)
Setup Info:
o Cisco Secure ACS Primary Server IP address: 192.168.2.30/24
Cisco Official Installation Requirements:
Reference: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/data_sheet_c78-614584.html
NOTE: We install using VMware Workstation 7.x or later with 2 GB RAM. That works fine for lab purposes.
After you power on the VM, a welcome screen will display.
At the <Welcome To Cisco Secure ACS 5.2 Recovery screen>, choose the following option:
[1] Cisco Secure ACS Installation (Keyboard/Monitor)
At the login prompt, enter the username/password chosen in the step above and issue the following
command:
‘show application status acs’
& you are all set. You have successfully installed & setup ACS Server.
Installing/Activating a Backup Server for High Availability
Setup Info:
o Cisco Secure ACS Primary Server IP address: 192.168.2.30/24
o Cisco Secure ACS Backup Server IP address: 192.168.2.31/24
Setup Description:
o In a deployment, you can have multiple ACS servers, with one server designated as Primary and all other servers as
Secondary servers
o Installation of the backup server is the same. You only need to change the hostname and server IP address on the
secondary server to reflect that it is the secondary/backup server.
Secondary Server Activation
o In order to add a secondary server to the ACS deployment, follow the steps documented below :
[Primary ACS Server] You can verify that the secondary instance has registered successfully
by navigating to:
System Administration > Operations > Distributed System Management
Request Local Mode :
You can place an ACS server in Local Mode if you want to make changes to a single ACS instance ONLY.
These changes DO NOT replicate to any other server in the deployment.
Integrating Cisco Secure ACS with Active Directory Domain
Setup Info:
o Cisco Secure ACS Primary Server IP address: 192.168.2.30/24
o Windows 2008 Server R2 (64-bit) IP address : 192.168.2.100/24
AD Setup Info:
o Windows 2008 Server
Machine Name : Win2008AD
Domain Name : tariqccie.com
Domain Admin : Administrator
Domain Admin Password : cciesec123
Steps to Setup Active Directory:
o Step1 : Active Directory Setup
‘dcpromo.exe’
o Step2 : ACS Basic Setup for DNS lookup
‘ip name-server’
o Step3 : Joining Cisco Secure ACS to AD domain
Step1 : Active Directory Setup
This launches the Active Directory Installation Wizard.
Check Connectivity Status which should show as ‘Connected’.
Add IT , Finance & Contractor group names to the Directory Groups list as well.
Now, all users for Network Access will be authenticated against Active Directory (AD1)
Once added, click OK
Integrating Cisco Secure ACS with Lightweight Directory Access Protocol (LDAP)
Setup Info:
o Cisco Secure ACS Primary Server: 192.168.2.30/24
o LDAP Server : 192.168.2.100/24
LDAP Setup Info:
o Windows 2008 Server
IP address : 192.168.2.100
Domain Name : tariqccie.com i.e. [DC=tariqccie,DC=com]
Admin DN : Administrator i.e. [CN=Administrator,CN=Users,DC=tariqccie,DC=com]
Password : cciesec123
Steps to Setup LDAP on ACS Server:
o Step1 : General
o Step2 : Server Connection
o Step3 : Directory Organization
Step1 : General
Structure as illustrated here :
Click Test Configuration. If everything is configured correctly so far, the number of users and groups found is listed.
Ensure that LDAP Identity Store was created successfully under 'External identity Store'
Select Directory Groups tab & select all 3 Groups defined earlier
Selected Groups are listed under Directory Groups list
Under Authorization tab , ensure that LDAP1:External Groups is selected as a matching Condition
Verify that rule creation was successful
Assigning Privilege Levels to Users via AAA using Shell Profiles (TACACS)
Setup Info:
o Cisco Secure ACS Primary Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
Scenario Diagram:
Scenario Requirement:
Configure Level 2 Privilege Level on IOS
The Level 2 user should ONLY be able to configure the hostname and change interface duplex/speed. It should NOT be
able to shut down any interface.
Authenticate user using LOCAL database
Create a user 'tariq' for testing purposes ( username : tariq , password : tariqccie )
Enable secret for Level 2 should be 'ciscoexpert'
Console line should NOT be required to authenticate users i.e. exempt Console from AAA
Steps:
o Setup IOS router for Customized privilege level '2' & aaa authentication / authorization
o ACS Server Configuration
Step 1: Add R1 as AAA Client
Step 2: Create Identity Group ‘Admin’
Step 3: Create User ‘tariq’ in ACS database
Step 4: Create Shell Profile ‘PrivilegeLevel2’
Step 5: Create Authorization Policy ‘AllowAccess’ & assign it Shell Profile defined above
o Authenticate user & verify privilege level is set correctly
Another way to test is from IOS: use the following command to verify that ACS is able to authenticate users
successfully.
test aaa group tacacs+ tariq tariqccie legacy
[Syntax : test aaa group group-name username password {legacy | new-code} ]
!
You can run various debugs as illustrated here :
debug aaa authentication
debug aaa authorization
debug tacacs
debug tacacs packet
R1#debug tacacs
R1#debug aaa authorization
*Mar 1 02:29:18.251: TPLUS(00000015)/0/66A278EC: Processing the reply packet
*Mar 1 02:29:18.251: TPLUS: Processed AV priv-lvl=2
*Mar 1 02:29:18.251: TPLUS: received authorization response for 21: PASS
*Mar 1 02:29:18.259: AAA/AUTHOR/EXEC(00000015): processing AV cmd=
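When you verify the shell profile, the line worth checking is the "priv-lvl" AV pair that arrives with the PASS. The following script is an added example, not part of the guide: it parses debug output shaped like the lines above (the sample is constructed here, not captured from R1) and lists any session that was authorized with a privilege level other than the one the 'PrivilegeLevel2' profile is supposed to return. Pairing each AV pair with the response that follows it is an assumption about the debug ordering that holds for the lines shown on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of IOS "debug tacacs" / "debug aaa authorization" output,
# shaped after the lines shown in the guide; not captured from a real router.
SAMPLE_DEBUG = """\
*Mar 1 02:29:18.251: TPLUS(00000015)/0/66A278EC: Processing the reply packet
*Mar 1 02:29:18.251: TPLUS: Processed AV priv-lvl=2
*Mar 1 02:29:18.251: TPLUS: received authorization response for 21: PASS
*Mar 1 02:29:18.259: AAA/AUTHOR/EXEC(00000015): processing AV cmd=
*Mar 1 02:31:05.103: TPLUS(00000016)/0/66A2A1F0: Processing the reply packet
*Mar 1 02:31:05.103: TPLUS: Processed AV priv-lvl=15
*Mar 1 02:31:05.103: TPLUS: received authorization response for 22: PASS
*Mar 1 02:33:40.017: TPLUS: received authorization response for 23: FAIL
"""

AV_RE = re.compile(r"TPLUS: Processed AV (?P<key>[\w-]+)=(?P<val>\S*)")
RESP_RE = re.compile(
    r"TPLUS: received authorization response for (?P<sess>\d+): (?P<result>PASS|FAIL)")


def parse_tacacs_debug(text: str) -> List[Dict]:
    """One record per authorization response. AV pairs seen since the previous
    response are attached to the response that follows them."""
    records: List[Dict] = []
    pending: Dict[str, str] = {}
    for line in text.splitlines():
        av = AV_RE.search(line)
        if av:
            pending[av.group("key")] = av.group("val")
            continue
        resp = RESP_RE.search(line)
        if resp:
            priv: Optional[str] = pending.get("priv-lvl")
            records.append({
                "session": int(resp.group("sess")),
                "result": resp.group("result"),
                "priv_lvl": int(priv) if priv is not None and priv.isdigit() else None,
                "avpairs": dict(pending),
            })
            pending = {}
    return records


def unexpected_privilege(records: List[Dict], expected: int) -> List[int]:
    """Sessions that were authorized (PASS) but landed on a privilege level
    other than the one the shell profile is supposed to return."""
    return [r["session"] for r in records
            if r["result"] == "PASS" and r["priv_lvl"] != expected]


if __name__ == "__main__":
    recs = parse_tacacs_debug(SAMPLE_DEBUG)
    for r in recs:
        print(r["session"], r["result"], r["priv_lvl"])
    print("unexpected:", unexpected_privilege(recs, expected=2))
```

Run it against a saved debug capture instead of the constructed sample to spot an account that silently receives priv-lvl 15 from a mis-ordered authorization rule.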
Enabling Logging for Passed / Failed Authentication :
Login to R1 (using putty as done before ) & verify that you can see Logs for Passed Authentication under Monitoring
& Reports Viewer tab
Authenticating & Authorizing Users for Command Authorization via AAA using Command
Sets (TACACS)
Setup Info:
o Cisco Secure ACS Primary Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
Steps:
o Setup IOS router for Command Authorization via AAA
Only commands for 'show version' , 'show interfaces' & 'ping' should be allowed
o ACS Server Configuration
Step 1: Add R1 as AAA Client
Explanation :
Previously we used privilege levels in IOS to limit the commands available to a user during an administrative session.
Configuring and maintaining privilege levels on a few devices may be workable, but applying it at corporate scale
(hundreds of devices) is neither convenient nor manageable.
To make this easier to manage, IOS allows using TACACS+ to control which commands a user can execute on the
device.
R1 Configuration :
username backup password backup : Create a local User for backup
!
aaa new-model : Enable AAA
tacacs-server host 192.168.2.30 key CiscoKey : Define TACACS-SERVER for authentication/authorization
!
aaa authentication login default none : Normally defined to exempt Console from accidental logout
aaa authentication login telnet group tacacs+ local : Authentication via TACACS+
aaa authorization exec telnet group tacacs+ none : Authorization via TACACS+
aaa authorization commands 0 telnet group tacacs+ none : Define Authorization Commands Level 0 , 1 & 15
aaa authorization commands 1 telnet group tacacs+ none
aaa authorization commands 15 telnet group tacacs+ none
!
aaa authorization config-commands
!
!
line vty 0 4 : Use Terminal Lines (vty) for authentication/authorization tests
login authentication telnet
authorization exec telnet
authorization commands 0 telnet
authorization commands 1 telnet
authorization commands 15 telnet
!
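With the router configuration above, every command typed on a vty is sent to ACS for a decision, and the decision is made by the command set, not by the router. The following is an added example (not from the guide or from ACS) of how such a command set is evaluated: a simplified model of an ACS 5.x TACACS+ command set in which rules are tried in order, the command keyword must match and the arguments are matched as a regular expression, with anything unmatched falling through to a default of deny. The rule contents are constructed here for the scenario's requirement that only 'show version', 'show interfaces' and 'ping' be allowed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CommandRule:
    grant: str        # "permit" or "deny"
    command: str      # the command keyword, e.g. "show"
    arguments: str    # regex for the rest of the line; "" matches any arguments


class CommandSet:
    """Simplified model of an ACS 5.x command set: first matching rule decides,
    unmatched commands fall through to permit_unmatched (default deny)."""

    def __init__(self, rules: List[CommandRule], permit_unmatched: bool = False):
        self.rules = rules
        self.permit_unmatched = permit_unmatched

    def evaluate(self, cmdline: str) -> Tuple[bool, Optional[CommandRule]]:
        words = cmdline.strip().split()
        if not words:
            return False, None
        cmd, args = words[0].lower(), " ".join(words[1:])
        for rule in self.rules:
            if rule.command.lower() != cmd:
                continue
            # fullmatch, so "version | include uptime" does not pass as "version"
            if rule.arguments and not re.fullmatch(rule.arguments, args, re.IGNORECASE):
                continue
            return rule.grant == "permit", rule
        return self.permit_unmatched, None


# Command set for the guide's requirement (rule contents constructed here).
LIMITED_OPERATOR = CommandSet([
    CommandRule("permit", "show", r"version"),
    CommandRule("permit", "show", r"interfaces(\s+\S+)?"),
    CommandRule("permit", "ping", r".*"),
    CommandRule("deny", "show", r"running-config"),   # explicit deny, for clarity
])


def authorize(cmdline: str, cmdset: CommandSet = LIMITED_OPERATOR) -> bool:
    """Return True when the command set permits the command line."""
    allowed, _ = cmdset.evaluate(cmdline)
    return allowed


if __name__ == "__main__":
    for line in ("show version", "show interfaces FastEthernet0/0", "ping 192.168.2.30",
                 "show running-config", "configure terminal", "show version | include uptime"):
        print(f"{line!r:45} -> {'permit' if authorize(line) else 'deny'}")
```

Two points this makes concrete: the default for anything not listed is deny, which is why "configure terminal" and "reload" are refused without a rule naming them, and argument patterns are matched against the whole remainder of the line, so an output modifier such as "| include" does not slip through a rule written for "version" alone.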
Using IOS Auth-Proxy for Authorization using RADIUS (Authorization Profile)
Setup Info:
o Cisco Secure ACS Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
o HTTP Server : 192.168.3.22/24
Setup Diagram:
Verification :
Before authentication , ACL would look like :
Initiate an HTTP session to the web server. The IOS Auth-proxy feature intercepts the connection and you are
redirected to an authentication page.
After authentication, the Authentication Proxy cache and the interface ACL will look like :
Debugs :
You can use following command for debugging/troubleshooting purpose :
o debug ip auth-proxy detailed
o debug tacacs
Using IOS Auth-Proxy for Authorization using TACACS+ (Shell Profile)
Setup Info:
o Cisco Secure ACS Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
o HTTP Server : 192.168.3.22/24
Scenario Requirement:
Restrict access to the HR Department's web server (192.168.3.22) to the HR team only
Configure router (R1) to authenticate all HTTP sessions and then download an ACL from ACS to permit access to the web
server
Steps:
o Setup R1 for IOS Auth-proxy configuration
o ACS Server Configuration
Step 1: Add R1 as AAA Client (TACACS+)
Step 2 :Create Identity Group named ‘HR Team'
Step 3: Create User ‘hrmanager’ in ACS database ( password : cisco )
Step 4: Create Shell Profile named 'Auth-Proxy'
Solution :
From the requirements given, the resulting IKE Phase 1 & Phase 2 should look like :
ISAKMP POLICY:
Authentication : Pre-shared Key
Encryption : 3DES
Hash : MD5
DH Group : 2
PSK : c1sc0s3c
IPSEC POLICY:
Encryption : ESP-3DES
Hash/Authentication : ESP-MD5
R1 Configuration :
aaa new-model : Enabling AAA
!
aaa authentication login NOAUTH none : Exempting Console from “accidental” authentication
aaa authentication login XAUTH local : User authentication via XAUTH (local database)
aaa authorization network GROUPAUTH local : Group authorization via GROUPAUTH (local database)
!
radius-server host 192.168.2.30 key CiscoKey : Define ACS Server & its shared secret
!
username EZUser password 0 EZPassword :Local usernames defined for XAUTH
Verification :
Step 1: Create a new EzVPN connection entry in Windows XP Client machine using the configured group name i.e.
EZ_GROUP
Step 2: Initiate connection from XP Client machine & when prompted for username/password (during XAUTH phase),
enter the user credentials ( Username : EZUser )
Step 3: After the connection is established, check to make sure that proper IP address , Split-tunnelling ACL etc. was
assigned to the client
Step 6: Create an Authorization Profile with respective “cisco-av-pair” attribute [For GROUP User]
Group Attributes : ( Authorization Profile )
ipsec:default-domain=cisco
ipsec:inacl=101
ipsec:access-restrict=fastethernet 0/0
ipsec:group-lock=1
ipsec:browser-proxy=bproxy_profile_A
ipsec:xauth-banner=Xauth banner text here
XAuth User Attributes : ( Authorization Profile ) – (Non-overlapping)
Framed-IP-Address
ipsec:user-savepassword
ipsec:user-includelocal-lan
ipsec:user-vpngroup
Authenticating IOS SSL VPN (WebVPN) Sessions using LOCAL database
Verification :
Access WebVPN portal by logging into following URL :
https://192.168.2.11/webvpn.html
You could also browse via WebVPN portal since your access is NOT restricted. Although , you could be more
granular and restrict access if need be.
'Show Flash' depicts contents of Flash when Bookmark is created (as an XML file)
Authenticating IOS SSL VPN (AnyConnect VPN) Sessions
Setup Info:
o Cisco Secure ACS Server : 192.168.2.30/24
o Router (R1) : 192.168.2.11/24
Scenario Requirements :
Use ACS Server for IOS SSL VPN (AnyConnect VPN) Sessions
End user credentials : anyconnectvpnuser / cisco
User should connect via URL https://192.168.2.11
Users should download AnyConnect SVC Installer upon successful login
IP address Pool for allocation 'VPNPOOL' : 10.5.5.0/24
Split Tunnel traffic to : 1.1.1.0/24
Steps:
o Setup IOS SSL VPN on R1
o ACS Server Configuration
Step 1: Add R1 as AAA Client (RADIUS)
Step 2 :Create Identity Group ’VPNGroup'
Step 3: Create User ‘anyconnectvpn’ in ACS Internal User database
Make sure image is present in Flash
As soon as your login succeeds, the AnyConnect client downloads and installs automatically
And Boom ! AnyConnect Client established VPN session successfully.
Check AnyConnect VPN Client statistics to verify
Step 4 : Create an Authorization Profile with respective “cisco-av-pair” attribute
The authorization profile has the following cisco-av-pair attribute:
webvpn:addr-pool=VPNPOOL
webvpn:keep-svc-installed=1
webvpn:svc-enabled=1
webvpn:svc-required=1
webvpn:split-include="1.1.1.0 255.255.255.0"
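Both the EzVPN group attributes listed earlier (ipsec:...) and the AnyConnect profile above (webvpn:...) are carried in the same RADIUS cisco-av-pair syntax, "namespace:attribute=value", with some attributes (such as ipsec:user-savepassword) listed without a value. The following is an added example, not code from the guide or from ACS, that parses a list of such pairs into a per-namespace structure, rejects malformed pairs and namespaces outside the two this page uses (an assumption of the example, since ACS supports others), converts the "network mask" form of webvpn:split-include into a prefix, and reads the svc flags. The two profile lists are the page's own attribute strings, typed here as constants.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

PAIR_RE = re.compile(r"^(?P<ns>[a-z]+):(?P<attr>[a-z0-9-]+)(?:=(?P<val>.*))?$")
KNOWN_NAMESPACES = {"ipsec", "webvpn"}   # only the namespaces used in this guide

AvPairs = Dict[str, List[Tuple[str, Optional[str]]]]


def parse_av_pairs(pairs: List[str]) -> AvPairs:
    """Group pairs by namespace, keeping order and duplicates (split-include may
    repeat). A bare name such as ipsec:user-savepassword gets value None."""
    out: AvPairs = {}
    for raw in pairs:
        m = PAIR_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed cisco-av-pair: {raw!r}")
        ns, attr, val = m.group("ns"), m.group("attr"), m.group("val")
        if ns not in KNOWN_NAMESPACES:
            raise ValueError(f"unknown namespace in {raw!r}")
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                      # strip the quoting ACS shows
        out.setdefault(ns, []).append((attr, val))
    return out


def split_include_networks(parsed: AvPairs) -> List[ipaddress.IPv4Network]:
    """webvpn:split-include is 'network mask'; strict=True rejects host bits."""
    nets: List[ipaddress.IPv4Network] = []
    for attr, val in parsed.get("webvpn", []):
        if attr != "split-include" or val is None:
            continue
        parts = val.split()
        if len(parts) != 2:
            raise ValueError(f"split-include needs 'network mask': {val!r}")
        nets.append(ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True))
    return nets


def svc_policy(parsed: AvPairs) -> Dict[str, bool]:
    """The three client-push flags from the AnyConnect profile as booleans."""
    flags = {attr: val for attr, val in parsed.get("webvpn", [])}
    return {"svc_enabled": flags.get("svc-enabled") == "1",
            "svc_required": flags.get("svc-required") == "1",
            "keep_installed": flags.get("keep-svc-installed") == "1"}


# The guide's AnyConnect authorization profile and EzVPN group attributes.
ANYCONNECT_PROFILE = [
    "webvpn:addr-pool=VPNPOOL",
    "webvpn:keep-svc-installed=1",
    "webvpn:svc-enabled=1",
    "webvpn:svc-required=1",
    'webvpn:split-include="1.1.1.0 255.255.255.0"',
]
EZVPN_GROUP_PROFILE = [
    "ipsec:default-domain=cisco",
    "ipsec:inacl=101",
    "ipsec:access-restrict=fastethernet 0/0",
    "ipsec:group-lock=1",
    "ipsec:xauth-banner=Xauth banner text here",
    "ipsec:user-savepassword",
]

if __name__ == "__main__":
    profile = parse_av_pairs(ANYCONNECT_PROFILE)
    print(split_include_networks(profile), svc_policy(profile))
    print(parse_av_pairs(EZVPN_GROUP_PROFILE)["ipsec"])
```

Validating the strings before they go into an authorization profile catches the two mistakes that otherwise only show up as a failed tunnel: a typo in the namespace, and a split-include network whose host bits are set.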
Explanation :
Using Cut-through Proxy feature, you can make authentication and authorization mandatory for certain types of
sessions.
ASA supports direct authentication with :
FTP (TCP port 21),
Telnet (TCP port 23),
HTTP (TCP port 80), &
HTTPS (TCP port 443)
To verify the solution, access the web service on the application server (130.10.10.100) from a
host in the outside network, i.e. 130.10.10.50, and verify the AAA credentials
Authentication as well as Authorization can be verified using 'show uauth' on ASA
Step 4: Create Downloadable ACL in ACS
Authentication as well as Authorization can be verified using 'show uauth' & 'show access-list' on ASA
Here you can verify that Downloadable ACL has been successfully downloaded & you can verify that access was
granted as per the ACL
IEEE 802.1X Provides Port-Based Access Control Using Authentication
Basic Info:
The basic idea behind the standard is to authenticate and authorize before a user can connect to the
physical or logical port of a Layer 2 device in order to gain access to VLAN or WLAN infrastructure
EAP Types :
Various EAP types can be used, each with its own requirements. Major types are:
EAP-MD5
LEAP
PEAP
Configuring IEEE 802.1X Authentication on a Catalyst Switch & Cisco Secure ACS 5.X using
EAP-MD5 for authentication
Setup Info:
o Cisco Secure ACS Server : 192.168.2.30/24
o IOS Catalyst Switch : 192.168.2.20/24
o EAP-type used : EAP-MD5
o Client Workstations
HR Department Users : 192.168.50.X/24
ACCT Department Users : 192.168.51.X/24
Scenario Diagram:
Explanation :
In order to assign a VLAN to a client upon successful authentication (dynamic VLAN assignment),
the following RADIUS attributes need to be pushed to the Catalyst switch:
■[064] Tunnel-Type
■[065] Tunnel-Medium-Type
■[081] Tunnel-Private-Group-ID
The first two attributes, Tunnel-Type and Tunnel-Medium-Type, are the same in every authorization profile.
The last attribute, Tunnel-Private-Group-ID, is set appropriately for each dynamic VLAN
assignment, i.e.
For the HR authorization profile, Tunnel-Private-Group-ID will be 50
For the ACCT authorization profile, Tunnel-Private-Group-ID will be 51
For the HR authorization profile, you would configure the RADIUS attributes as:
NOTE : Since only one set of tunnel attributes is being sent, the Tag value is set to 1
Dictionary Type: RADIUS-IETF
RADIUS Attribute: Tunnel-Type
Attribute Type: Tagged Enum
Attribute Value: Static: VLAN
Tag: 1
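On the wire these three attributes are the tagged tunnel attributes of RFC 2868: a one-byte Tag after the Type/Length header, a 3-octet integer value for Tunnel-Type and Tunnel-Medium-Type, and a string for Tunnel-Private-Group-ID. The following is an added example, not from the guide or ACS, that encodes the HR and ACCT profiles exactly as the access-accept would carry them and then decodes them the way a switch should: grouping by tag and accepting the VLAN only when the same tag also says Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE 802 (6). The enumerated values come from RFC 2868 and RFC 3580; the packet bytes are constructed in the example.

```python
from typing import Any, Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "IEEE 802" (RFC 2868)


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    # Tagged integer layout (RFC 2868): Type, Length=6, Tag, 3-octet value
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_vlan_assignment(vlan_id: str, tag: int = 1) -> bytes:
    """The three attributes an HR/ACCT authorization profile returns, with a
    common tag (the guide uses Tag 1) so the switch groups them together."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    gid = vlan_id.encode("ascii")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag]) + gid)


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk RADIUS Type/Length/Value triples; Length includes the 2-byte header."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def vlan_from_attributes(data: bytes) -> Optional[str]:
    """Group tunnel attributes by tag and return the group id only when the
    same tag also carries Tunnel-Type=VLAN and Tunnel-Medium-Type=802."""
    groups: Dict[int, Dict[int, Any]] = {}
    for atype, val in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                continue                       # malformed tagged integer, ignore
            tag = val[0] if val[0] <= 0x1F else 0
            groups.setdefault(tag, {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # RFC 2868: a leading byte above 0x1F is part of the string, not a tag
            tag, gid = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[atype] = gid.decode("ascii", "replace")
    for _tag, g in sorted(groups.items()):
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    for dept, vlan in (("HR", "50"), ("ACCT", "51")):
        wire = encode_vlan_assignment(vlan)
        print(dept, wire.hex(), "->", vlan_from_attributes(wire))
```

The decoder is where the Tag matters: a profile that sends Tunnel-Private-Group-ID with a different tag than the other two, or omits Tunnel-Type and Tunnel-Medium-Type altogether, yields no VLAN, which is the behaviour you want when troubleshooting a port that stays in its default VLAN after a successful authentication.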
Cisco Secure ACS Configuration :
Refer to Section "Enrolling Cisco Secure ACS with an Enterprise CA"
Step 1: Install the CA certificate and the ACS server certificate
For Protected EAP (PEAP), the ACS 5.X configuration requirement is to install the CA certificate (the CA that
issued the ACS server identity certificate) and the ACS server certificate (the identity certificate for ACS) on Cisco
Secure ACS.
Before proceeding any further, make sure that you have CA Certificate & ACS Certificate Installed properly using the
following steps :
Navigate to Users and Identity Stores > Certificate Authorities & verify that the CA Certificate was installed
successfully
Configuring MAC Authentication Bypass (MAB) for Clientless Devices
Setup Info:
o Cisco Secure ACS Server : 192.168.2.30/24
o SwitchA : 192.168.2.12/24
o Printer : Use its MAC address
Scenario Requirements :
Use ACS Server to allow clientless devices, i.e. printers / IP phones, to be granted access to the network
ACS processes MAB as a 'Host Lookup' based on Calling-Station-ID (31), i.e. the MAC address of the device
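Host Lookup succeeds only if the MAC address in the Calling-Station-ID matches the entry in the internal hosts store, and the same address shows up in several spellings along the way (the switch's dotted "0011.2233.4455", the colon form on the printer's label, the hyphenated form in the RADIUS request). The following is an added example, not code from the guide or ACS, that normalises every spelling to one canonical form before comparing; the hyphenated upper-case form chosen as canonical and the printer's MAC are both assumptions constructed for the example.

```python
import re
from typing import Iterable, Optional, Set

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept Cisco dotted (0011.2233.4455), colon or hyphen separated forms and
    bare hex; return hyphenated upper-case (this example's canonical form) or
    None when the input is not a 48-bit address."""
    digits = re.sub(r"[.:\-\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


class HostStore:
    """Stand-in for the list of clientless devices that Host Lookup consults."""

    def __init__(self, macs: Iterable[str]):
        self._macs: Set[str] = set()
        for m in macs:
            n = normalize_mac(m)
            if n is None:
                raise ValueError(f"not a MAC address: {m!r}")
            self._macs.add(n)

    def host_lookup(self, calling_station_id: str) -> bool:
        """What ACS does for a MAB request: match Calling-Station-ID (31)
        against the stored hosts, regardless of how either side spelled it."""
        n = normalize_mac(calling_station_id)
        return n is not None and n in self._macs


# Constructed inventory: the scenario's printer, entered the way a switch's
# "show mac address-table" prints it.
PRINTER_MAC = "0011.2233.4455"
KNOWN_HOSTS = HostStore([PRINTER_MAC])

if __name__ == "__main__":
    for csid in ("00-11-22-33-44-55", "00:11:22:33:44:55", "00-11-22-33-44-56", "printer"):
        print(f"{csid:20} -> {KNOWN_HOSTS.host_lookup(csid)}")
```

Keep in mind what this lookup proves: only that a frame arrived with a MAC address on the list, which any host can set. MAB is a convenience for devices that cannot run a supplicant, so the authorization profile returned to a MAB-authenticated port should be the narrowest one that lets the printer or phone do its job.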
Scenario Diagram :
802.1X + MAB :
If 802.1x was configured on port in addition to MAB , authentication process would be like :
Triggering Change Of Authorization (CoA) from Cisco Secure ACS 5.X
Setup Info:
o Cisco Secure ACS Server : 192.168.2.30/24
Scenario Requirements :
If ACS Administrator wishes to change an authenticated user/device status for some reason, he/she can issue
CoA from within ACS
Steps :
Launch Monitoring & Reports Viewer
Solution :
From the requirements given, the resulting IKE Phase 1 & Phase 2 should look like :
ISAKMP POLICY:
Authentication : Pre-shared Key
Encryption : 3DES
Hash : SHA
DH Group : 2
PSK : c1sc0s3c
IPSEC POLICY:
Encryption : ESP-3DES
Hash/Authentication : ESP-SHA
ASA Configuration : (Using RADIUS)
interface Ethernet0/0 :Basic Configuration for OUTSIDE interface
nameif outside
security-level 0
ip address 130.10.10.10 255.255.255.0
!
interface Ethernet0/1 :Basic Configuration for INSIDE interface
nameif inside
security-level 100
ip address 192.168.2.10 255.255.255.0
!
Enrolling Cisco Secure ACS with an Enterprise CA
A CA assigned Digital Certificate on ACS can be used for following purposes :
Use for administrative sessions
EAP-TLS or PEAP related authentication mechanisms
The self-signed certificate cannot be used for EAP-TLS authentication
Process :
Let's create a digital certificate for Cisco Secure ACS from your trusted public or enterprise certificate authority.
Here you can see the existing self-signed certificate, issued by ACS52 to itself, which has been used for
managing the ACS server (HTTPS sessions, etc.)
Select ADD