
Advanced ACS Functions and Features

Cisco Secure ACS provides numerous functions and features that help secure and protect networks and resources within the network. These services are configured under various sections, as illustrated in Table 9-2, which can be found later in the chapter in the section "Configuring ACS." Some of the advanced features commonly used are discussed in the sections that follow.

Table 9-2. ACS Main Menu Options

Menu Item: Description

User Setup: The User Setup section is used to configure individual user information: add users, delete users from the database, and define various privileges and settings on a per-user basis. These include password authentication, group details, IP address assignment, quotas, RADIUS and TACACS+ attribute settings, and other options. See Figure 9-3 for a screenshot of the User Setup menu options. Note the Help pane on the right, which describes the configurable options.

Group Setup: The Group Setup section is used to configure individual group information, add groups, and add users to the groups in the database. The Group Setup menu applies various privileges and restrictions to all the users assigned to the group. These include NAR, Enable options, quotas, IP address assignment, RADIUS and TACACS+ attribute settings, and other options. See Figure 9-4 for a screenshot of the Group Setup menu options. Note the Help pane on the right, which describes the configurable options.

Shared Profile Components: The Shared Profile Components section is used to define shared sets of authorization components that may be applied to one or more users or groups of users and referenced by name within their profiles. These include downloadable IP access control lists (IP ACLs), NARs, NAFs, RACs, Command Authorization Sets, and other options. Shared Profile Components offer scalability for selective authorization. See Figure 9-5 for a screenshot of the Shared Profile Components menu options.

Network Configuration: The Network Configuration section is used to define the NAS, also called a AAA client, with the corresponding NAS IP address, shared secret key, and security protocol (RADIUS or TACACS+). After a NAS is defined, ACS accepts authentication requests from the corresponding NAS device.

Authentication requests from a NAS not defined under this section are not handled by ACS.

An NDG is a collection of AAA clients and AAA servers.

See Figure 9-6 for a screenshot of the Network Configuration menu options.

System Configuration: The System Configuration section is used to tune the system parameters under which the ACS server runs. These include starting and stopping the ACS service, logging options, internal database replication, ACS backup and restore, certificate setup, and other options. See Figure 9-7 for a screenshot of the System Configuration menu options.

Interface Configuration: The Interface Configuration section is used to configure which RADIUS and TACACS+ protocol attribute options the ACS web interface displays as configurable options in the User Setup or Group Setup window. It allows the interface to be tailored, simplifying the screens that will be used by hiding features that are not required and adding fields for the specific configuration. See Figure 9-8 for a screenshot of the Interface Configuration menu options.

Administration Control: The Administration Control section is used to control management access to ACS by allowing you to add or edit administrative accounts and to define access, session, and audit policies that specify parameters for ACS administrative sessions. See Figure 9-9 for a screenshot of the Administration Control menu options.

External User Databases: The External User Databases section is used to configure the authentication procedure for unknown users, that is, users not configured in the ACS internal database.

ACS can be enabled to proxy authentication requests for unknown users (those not found in its internal database) to one or more external databases. External User Databases support offers scalability because user entries are not duplicated in the local internal database. In an environment where a substantial user database already exists, ACS can leverage that database without additional input.

ACS supports the following external databases:

  • Windows Database

  • Generic Lightweight Directory Access Protocol (LDAP)

  • Novell NetWare Directory Services (NDS)

  • Open Database Connectivity (ODBC)-compliant relational databases

  • LEAP Proxy RADIUS servers

  • RSA SecurID token servers

  • RADIUS-compliant token servers

See Figure 9-10 for a screenshot of the External User Databases menu options.

Posture Validation: The Posture Validation section is used when ACS is deployed as part of a Cisco NAC solution. Note that posture validation is available only in ACS Version 4.0 and later. Posture validation, or posture assessment, validates the endpoint device (for example, a desktop PC) by checking a set of rules to assess the level of trust that is required in that endpoint. Some of these attributes relate to the endpoint device type and operating system—for example, OS type, service pack, and patches. Other attributes belong to various security applications that may be installed on the endpoint, such as antivirus (AV) scanning software.

Posture validation, together with traditional user authentication, provides a complete security assessment of both the endpoint device and the user.

See Figure 9-11 for a screenshot of the Posture Validation menu options.

Network Access Profiles: Network Access Profiles (NAP) are also commonly referred to simply as profiles. NAP is used for remote access services (for example, VPN, WLAN, dial, ip-admission) to apply a common policy by classifying access requests according to the AAA client's IP address, membership in an NDG, protocol type, or other specific RADIUS attribute values sent by the network device through which the user connects. NAP is used to identify each of the deployed network services. See Figure 9-12 for a screenshot of the Network Access Profiles menu options.

Reports and Activity: ACS provides the capability to track a variety of user and system activities. ACS can produce various reports and logs, such as passed/failed attempts, user activity, use of remote access services, and many more. These reports can be viewed in the ACS web interface as HTML reports. The logs can be stored in two formats: comma-separated value (CSV) files or ODBC-compliant database tables. See Figure 9-13 for a screenshot of the Reports and Activity menu options.

Online Documentation: ACS provides online help documentation to assist in understanding and configuring ACS functions and features. See Figure 9-14 for a screenshot of the Online Documentation menu options.


Shared Profile Components (SPC)

Shared Profiles are commonly used to group sets of authorization components that can be collectively applied to many users or groups and referenced by name within their profiles. These include Downloadable IP ACL, Network Access Restrictions (NAR), Network Access Filters (NAF), RADIUS Authorization Components (RAC), Command Authorization Sets, and other options. The following sections discuss some of these commonly used features.

The advantage of using Shared Profile Components is scalability: the same commands and other authorization parameters are defined once and referenced by name, rather than being repeated across long lists of devices, users, or groups.

Downloadable IP ACLs

The Downloadable IP ACLs feature offers per-user ACL functionality. It is compatible with any Layer 3 network device that supports Downloadable IP ACLs. ACS extends per-user ACL support in conjunction with NAF to allow per-device filtering: NAF regulates access control on the basis of the AAA client's IP address, so ACLs can be tailored on a per-user, per-device basis. Different sets of IP ACLs can be created and applied to various users or groups.

Before Downloadable IP ACLs were available, the RADIUS Cisco cisco-av-pair attribute [26/9/1] was used to achieve per-user filtering, configured separately for each user or group. With Downloadable IP ACLs, a single ACL set can be defined and associated with each applicable user or group by referencing its name. This is a more granular, easier-to-manage, and more scalable approach than configuring the cisco-av-pair attribute for each user or group. RADIUS authentication is required to support the Downloadable IP ACL feature.

The following Cisco devices support Downloadable IP ACL:

Network Access Filter (NAF)

NAF is one of the newer features introduced in the ACS Shared Profile component.

Before NAF, per-device access restriction was not an option: the same access restrictions and ACLs were applied to all devices in a network group. With NAF, access restrictions and downloadable ACLs can be applied granularly, keyed on network device names, network device groups (NDGs), or their IP addresses. NAF also accepts IP address ranges and wildcards.

NAF can be defined as a named group with any combination of one or more of the following network elements:

Several applications of NAF exist. As discussed previously, NAF can be used in conjunction with Downloadable IP ACLs or in shared NARs to apply device-specific filtering and to regulate access control based on the AAA client's IP address.

Note

NAF needs to be enabled on the Advanced Options page of the Interface Configuration section before it appears as a selection on the Shared Profile Components page.
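As an added illustration for the Downloadable IP ACLs and NAF sections above (not code from the book or from Cisco), the following Python models how a NAF built from device names, NDG membership, and IP patterns selects the per-device ACL content for a user; the per-octet "*" wildcard and "a-b" range syntax, the first-match order, and the ip:inacl# av-pair rendering are assumptions made for illustration.

```python
# Added example, not from the book or Cisco: a small model of how a Network
# Access Filter (NAF) picks the Downloadable IP ACL content sent to one AAA
# client. The NAF element forms (device name, NDG name, IP with per-octet "*"
# wildcards or "a-b" ranges), first-match order and "ip:inacl#N=" rendering
# are assumptions made for illustration.
from dataclasses import dataclass, field

@dataclass
class AAAClient:
    name: str
    ip: str
    ndg: str
@dataclass
class NAF:
    name: str
    devices: set = field(default_factory=set)        # AAA client names
    ndgs: set = field(default_factory=set)           # network device groups
    ip_patterns: list = field(default_factory=list)  # e.g. "10.20.*.*"
def _octet_matches(pattern, value):
    # One dotted-quad position: "*" matches any, "a-b" is an inclusive range.
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(x) for x in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value
def ip_matches(pattern, ip):
    pat, octets = pattern.split("."), [int(o) for o in ip.split(".")]
    return len(pat) == 4 and all(map(_octet_matches, pat, octets))
def naf_matches(naf, client):
    return (client.name in naf.devices or client.ndg in naf.ndgs
            or any(ip_matches(p, client.ip) for p in naf.ip_patterns))
def select_acl(dacl, client):
    # dacl: ordered (NAF, [ACE, ...]) pairs; the first matching NAF decides.
    # None means this device receives no downloadable ACL for the user.
    for naf, aces in dacl:
        if naf_matches(naf, client):
            return aces
    return None
def to_av_pairs(aces):
    # The older per-user method carried the same ACEs as cisco-av-pair [26/9/1] values.
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, 1)]

# Constructed sample: one dACL whose content differs between core and branch devices.
NAF_CORE = NAF("CoreRouters", ndgs={"Core"})
NAF_BRANCH = NAF("BranchNAS", ip_patterns=["10.20.*.*", "10.30.1.1-100"])
CONTRACTORS_DACL = [
    (NAF_CORE, ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"]),
    (NAF_BRANCH, ["permit tcp any host 10.20.5.10 eq 443", "deny ip any any"]),
]
```

A AAA client that matches no NAF in the list gets no downloadable ACL at all, which is why the default entry in a real deployment should cover all remaining devices.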


RADIUS Authorization Components

The shared RADIUS Authorization Components (RAC) function is used to group RADIUS attributes that can be dynamically assigned to user sessions based on a given policy. As described in the "Network Access Profiles (NAP)" section of this chapter, various policy types can be mapped to a shared RAC under set conditions, such as NDG membership and posture.

Shell Command Authorization Sets

Shell command authorization sets are also part of the SPC. They provide a mechanism to authorize each command, at any privilege level, that a user invokes on any given device in the network. AAA must be configured on each network device to support command authorization sets.

Command authorization sets group commands into distinct sets. These sets can then be applied to multiple users or groups within ACS, offering granular per-user, per-device control over which commands a user is permitted to execute.

Network Access Restrictions (NAR)

The NAR function is used to define additional conditions that must be met before a user can access the network. ACS applies these conditions to a single user or a group by using information from the attributes sent by the AAA clients.

NAR can be set up in several ways, but all of them work on the same principle—that of matching the attribute information received from the AAA client. Therefore, to effectively deploy NAR, it is important to understand the format of attributes sent by the AAA client.

NAR can be configured for either positive or negative filtering, that is, to permit or to deny network access. However, if a NAR does not find sufficient information to make a decision, it defaults to denying access.

Two types of NAR filters are available in ACS:

NAR filtering is applied in the following order of precedence:

  1. Shared-NAR at the user level

  2. Shared-NAR at the group level

  3. Nonshared-NAR at the user level

  4. Nonshared-NAR at the group level

Machine Access Restrictions (MAR)

Cisco Secure ACS supports machine authentication with Active Directory in Windows 2000 and 2003. ACS extends Windows machine authentication by providing the Machine Access Restriction (MAR) feature. MAR, coupled with Windows machine authentication, is used to control authorization for users connecting via protocols such as EAP-TLS, EAP-FASTv1a, and Microsoft PEAP when authenticating against a Windows external user database. Using MAR, you can impose tighter control on users whose machines have not passed machine authentication within a configurable length of time, up to denying them network access altogether.

Network Access Profiles (NAP)

One of the recent features introduced in Cisco Secure ACS is called Network Access Profiles (NAP), also known as a profile. Profiles allow classification of incoming access requests according to their network location, membership in an NDG, protocol type, or other specific RADIUS attribute values that are sent by the network access device through which the user connects. Specific profiles can be mapped to AAA policies. For example, different access policies can be applied for users connecting through wireless and remote access VPNs.

NAP is essentially a profile-based authentication and authorization technique. It is a classification tool to identify a particular network-access request and apply a common policy based on the service request. NAP has several applications. Examples include VPN, NAC, and wireless local area network (WLAN). For example, when a user connects to the network through the VPN connection, the authentication can be forwarded to an external database, whereas if the same user connects via the wireless network, a local database can be used. ACS checks incoming requests against network access profiles. When a profile is matched, ACS pushes the configuration and policies to the client according to the profile filter during packet processing.

Cisco NAC Support

Cisco Secure ACS supports the Cisco Self-Defending NAC solution. NAC is a framework of integrated technologies and solutions built on an initiative led by Cisco Systems. NAC uses the network infrastructure to enforce security policy compliance on all endpoint devices seeking access to the network and network resources, thereby limiting damage from emerging security threats. NAC restricts network access only to compliant and trusted endpoint devices (such as PCs, servers, and PDA devices) and blocks network-access requests from noncompliant devices.

ACS acts as a policy enforcement point in NAC deployments by performing posture assessment (health checks) of the endpoint devices seeking network access. Posture validation is based on credentials received from the Posture Agent (PA) related to the endpoint device-type. The Cisco Trust Agent (CTA) acts as a PA in this scenario. Examples of posture validation policy include the type of operating system, service pack, patch levels, and other attributes, such as antivirus software and data (DAT) file versions. ACS performs the posture validation and applies per-user authorization, such as policy-based ACL or VLAN assignment, to the network device.

For more details on the Cisco NAC solution, refer to Chapter 13, "Network Admission Control (NAC)."
