Index

Numbers

802.1x accounting, 214

802.1x authentication, 196–197

Cisco switches, configuring, 204–206

configuring on APs, 257–258

guest VLAN, configuring, 209

MAB, configuring, 210–211

message exchange, 200–201

multidomain authentication mode, 207–208

multiple-host mode, 207

pre-authentication open access mode, 208

restricted VLAN, configuring, 209–210

single-host mode, 206–207

timers, 212–213

troubleshooting, 250–251, 275–279

VLAN assignment, configuring, 211–212

A

AAA, 173–174

accounting, configuring with Cisco IOS, 173–174

authentication, configuring with Cisco IOS, 157–161

authorization, configuring with Cisco IOS, 161–166

Access Policies drawer (ACS 5.1 interface), 105–116

access services, 107–116

accounting, 6–8

ASA/PIX, configuring, 191–192

Authentication Proxy, 326

configuring, 214

configuring with Cisco IOS, 173–174

cut-through proxy accounting, configuring, 303–304

PPP sessions on Cisco IOS, 350

remote access VPNs, 342

VPNs with RADIUS, 359

ACS 4.2 (Cisco Access Control Server 4.2), 23–28

Active Directory, configuring, 128–131

Authentication Proxy, 318–319

authorization, 318–319

configuring, 315

backup and restore, configuring, 376–378

certificates, installing, 215–218

command authorization, configuring, 168–173

cut-through proxy authentication, configuring, 290

database replication, 378–383

EAP-FAST, configuring, 265–267

external databases, 125–126

group mapping, configuring, 141–142

identity stores, 125–126

installing, 32–47

problems, troubleshooting, 52–55

interface, 61–64

Administration Control, 61–64

Advanced Options section, 69–70

External User Databases section, 78–79

Group Setup section, 74–76

Interface Configuration section, 66–68

Network Access Profiles section, 65

Network Configuration section, 64–65

Reports and Activity section, 79–82

Shared Profile Components section, 78–79

System Configuration section, 76–79

TACACS+ Settings section, 68–69

User Setup section, 70–74

LDAP, configuring, 134–136

LEAP, configuring, 263–264

local password management, 391–392

log file management, configuring, 394–395

NAPs, configuring, 388–391

NARs, 375–376

RDBMS Synchronization feature, 384–388

remote logging, configuring, 391–393

RSA SecureID, configuring, 140

services, 58–61

VLAN assignment, configuring, 228

ACS 5.1 (Cisco Access Control System 5.1), 28–32

Active Directory, configuring, 132–133

Authentication Proxy, authorization, 319–321

certificates, installing, 219–223

command authorization, configuring, 168–173

cut-through proxy authentication, configuring, 290

database replication, configuring, 404–405

dictionaries, 405–409

EAP-FAST, configuring, 266–268

EAP-MD5, configuring, 223–224

external databases, 126–128

group mapping, configuring, 142–148

identity stores, 126–128

initial setup, 47–51

installation problems, troubleshooting, 52–55

interface, 105–116

Access Policies drawer, 105–116

CLI, 120–122

Monitoring and Reports drawer, 117–120

My Workspace drawer, 86–87

Network Resources drawer, 87–94

Policy Elements drawer, 98–105

Users and Identity Stores drawer, 94–98

LDAP, configuring, 137–139

LEAP, configuring, 264–265

licensing, 51–52

network resources, importing, 412–414

remote logging, configuring on ACS 5.1, 409–412

RSA SecureID, configuring, 140–141

scheduled backups, configuring, 427–430

software repositories, creating, 422–425

system administration, 415–422

VLAN assignment, configuring, 229

activating secondary servers on ACS 5.1, 402–406

Active Directory, configuring, 128–131

on ACS 4.2, 128–131

on ACS 5.1, 132–133

add-on license, ACS 5.1, 52

Administration Control section (ACS 4.2 interface), 61–64

administrative access, ASA/PIX, 180

Advanced Options section (ACS 4.2 interface), 69–70

APs, IEEE 802.1X authentication, 257–258

ASA/PIX, 191–192

accounting, configuring, 191–192

authentication, configuring, 186–188

authorization, configuring, 188–191

cut-through proxy authentication, configuring, 282–285

HTTP redirection, configuring, 288–290

local database, 180

privilege levels, 180–182

Virtual HTTP, configuring, 287–288

Virtual Telnet, configuring, 286–287

authentication, 2–4

802.1x authentication, 196–197

on Cisco switches, 204–206

multiple-host mode (802.1x), 207

single-host mode, 206–207

timers, 212–213

troubleshooting, 275–279

WLCs, configuring, 259–263

ASA/PIX, configuring, 186–188

configuring with Cisco IOS, 157–161

cut-through proxy authentication, 282–285

configuring, 282–285

troubleshooting, 291–292

EAP, 201–204

example, 4

IPsec VPNs with Cisco IOS, 334–335

PPP sessions on Cisco IOS, 345–347

SSL VPNs with Cisco IOS, 335–336

troubleshooting, 159–160

of VPNs, 362–364

with LDAP, 362–364

with RADIUS, 355–356

troubleshooting, 337

Authentication Proxy, 326

accounting, 326

authorization, 318–319

ACS 4.2, 318–319

troubleshooting, 325–326

cache, maintaining, 315–316

for FTP sessions, configuring, 312–314

for HTTP sessions, configuring, 311–312

lab scenario, 326–329

prerequisites, 310–311

for Telnet sessions, configuring, 314–315

troubleshooting, 316–317

authorization, 4–6

802.1x authentication, message exchange, 200–201

ASA/PIX, configuring, 188–191

Authentication Proxy, troubleshooting, 325–326

command authorization, configuring, 166–173

configuring with Cisco IOS, 161–166

cut-through proxy authorization, 294–303

PPP sessions, 348

on Cisco IOS, 348

troubleshooting, 349–350

VPNs, 337–342

with Cisco IOS, 337–342

with LDAP, 364–366

with RADIUS, 356–359

authorization policies, configuring, 113–115

Auth-Proxy, 3

B

backup and restore, 376–378

on ACS 4.2, configuring, 376–378

on ACS 5.1, configuring, 421–427

C

cache (Authentication Proxy), maintaining, 315–316

certificates, installing, 215–218

on ACS 4.2, 215–218

on ACS 5.1, 219–223

Cisco IOS, 157–161

AAA authentication, configuring, 157–161

accounting, configuring, 173–174

Authentication Proxy, 312–314

for FTP sessions, 312–314

for HTTP sessions, 311–312

for Telnet sessions, 314–315

troubleshooting, 316–317

authorization, configuring, 161–166

command authorization, configuring, 166–173

IPsec VPNs, authentication, 334–335

local database, 151–152

configuring, 151–152

privilege levels, 152–153

PPP sessions, 350

accounting, 350

authentication, 345–347

privilege levels, lab scenario, 154–155

VPNs, authorization, 342

Cisco switches, configuring IEEE 802.1X authentication, 204–206

classification of network requests, 389

CLI drawer (ACS 5.1 interface), 120–122

command authorization, 166–173

configuring with Cisco IOS, 166–173

troubleshooting, 172–173

commands, show commands, 249–250

configuring, 257–258

802.1x authentication, 257–258

on Cisco switches, 204–206

guest VLAN feature, 209

MAB, 210–211

restricted VLAN feature, 209–210

VLAN assignment, 211–212

accounting, 214

ACS 4.2, 376–378

backup and restore features, 376–378

database replication, 378–383

local password management, 391–392

log file management, 394–395

NAPs, 388–391

NARs, 375–376

RDBMS Synchronization feature, 384–388

remote logging, 391–393

ACS 5.1, 421–427

backup and restore features, 421–427

database backup, 425–427

database replication, 404–405

dictionaries, 405–409

remote logging, 409–412

scheduled backups, 427–430

system administration, 415–422

Active Directory, 128–131

on ACS 4.2, 128–131

on ACS 5.1, 132–133

ASA/PIX, 191–192

accounting, 191–192

authentication, 186–188

authorization, 188–191

HTTP redirection, 288–290

Virtual HTTP, 287–288

Virtual Telnet, 286–287

Authentication Proxy, 312–314

for FTP sessions, 312–314

for HTTP sessions, 311–312

for Telnet sessions, 314–315

authentication with Cisco IOS, 157–161

authorization policies, 113–115

authorization with Cisco IOS, 161–166

Cisco IOS, local database, 151–152

cut-through proxy accounting, 303–304

cut-through proxy authentication, 282–285, 290

cut-through proxy authorization, 294–303

exec authorization, 161–166

group mapping, 141–142

on ACS 4.2, 141–142

on ACS 5.1, 142–148

identity policies, 110–113

LDAP, 134–136

on ACS 4.2, 134–136

on ACS 5.1, 137–139

RSA SecureID, 140

on ACS 4.2, 140

on ACS 5.1, 140–141

creating service selection rules, 115–116

CSAdmin service (ACS 4.2), 59

CSAuth service (ACS 4.2), 59

CSDBSync service (ACS 4.2), 59–60

CSLog service (ACS 4.2), 60

CSMon service (ACS 4.2), 60

CSRadius service (ACS 4.2), 60

CSTacacs service (ACS 4.2), 60–61

CSUtil database utility (ACS 4.2), 395–400

cut-through proxy accounting, configuring, 303–304

cut-through proxy authentication, 282–285

configuring, 282–285, 290

troubleshooting, 291–292

cut-through proxy authorization, 294–303

D

database replication, 378–383

on ACS 5.1, 404–405

databases, backing up with ACS 5.1, 425–427

dictionaries, configuring on ACS 5.1, 405–409

E

EAP, 197–199

types of, 201–204

EAP-FAST, 202–203

ACS 4.2, configuring, 265–267

ACS 5.1, configuring, 266–268

EAP-GTC, 203

EAP-MD5, 201

ACS 5.1, configuring, 223–224

EAPOL, 199–200

EAP-TLS, 202

ACS configuration, 226–227

evaluation license, ACS 5.1, 52

exec authorization, configuring, 161–166

external databases, 125–126

ACS 4.2, 125–126

ACS 5.1, 126–128

External User Databases section (ACS 4.2 interface), 78–79

F

FTP sessions, configuring Authentication Proxy, 312–314

G

group mapping, configuring, 141–142

on ACS 4.2, 141–142

on ACS 5.1, 142–148

Group Setup section (ACS 4.2 interface), 74–76

guest VLAN feature (802.1x), configuring, 209

H

HTTP redirection, configuring, 288–290

HTTP sessions, 176–177

authentication and authorization lab scenario, 176–177

Authentication Proxy, configuring, 311–312

I

identity policies, configuring, 110–113

identity stores, 125–126

ACS 4.2, 125–126

ACS 5.1, 126–128

importing network resources (ACS 5.1), 412–414

initial setup, ACS 5.1, 47–51

installing, 32–47

ACS 4.2, 32–47

problems, troubleshooting, 52–55

certificates, 215–218

on ACS 4.2, 215–218

on ACS 5.1, 219–223

Interface Configuration section (ACS 4.2 interface), 66–68

IPsec VPNs, 359

accounting, with RADIUS, 359

authentication, 334–335

with Cisco IOS, 334–335

with LDAP, 362–364

authorization, 337–342

with Cisco IOS, 337–342

with LDAP, 364–366

L

lab scenarios, 273–274

802.1x authentication, 273–274

configuring using EAP-FAST, 273–274

configuring using EAP-TLS, 249–250

configuring using LEAP, 269–273

configuring using EAP-MD5, 230–245

configuring using PEAP, 245–248

AAA on ASA using TACACS+, 192–194

authentication and authorization of HTTP sessions, 176–177

Authentication Proxy, 326–329

cut-through proxy authentication, 292–294

cut-through proxy authentication, authorization, and accounting, 304–308

local authentication and privilege levels on ASA, 183–184

TACACS+ authentication, authorization, and accounting of administrative sessions, 174–176

VPN AAA, 343–345

with Cisco IOS, 343–345

with RADIUS, 359–361

VPN authentication and authorization with LDAP, 367–369

LDAP (Lightweight Directory Access Protocol), 134–136

configuring, 134–136

on ACS 4.2, 134–136

on ACS 5.1, 137–139

VPNs, 362–364

authentication, 362–364

authorization, 364–366

LEAP, 201–202

ACS 4.2, configuring, 263–264

ACS 5.1, configuring, 264–265

licensing, ACS 5.1, 51–52

local database, 180

ASA/PIX, 180

configuring with Cisco IOS, 151–152

privilege levels, 152–153

local password management (ACS 4.2), 391–392

log file management, configuring on ACS 4.2, 394–395

M

MAB (MAC Authentication Bypass), configuring, 210–211

maintaining Authentication Proxy cache, 315–316

manual backups, performing on ACS 4.2, 377–378

message exchange in IEEE 802.1X authentication, 200–201

method lists, 3, 162

Monitoring and Reports drawer (ACS 5.1 interface), 117–120

multiauthentication mode (802.1x), 208

multidomain authentication mode (802.1x), 207–208

multiple-host mode (802.1x), 207

My Workspace drawer (ACS 5.1 interface), 86–87

N

NAPs (Network Access Profiles), configuring on ACS 4.2, 388–391

NARs (Network Access Restrictions), on ACS 4.2, 375–376

Network Access Profiles section (ACS 4.2 interface), 65

Network Configuration section (ACS 4.2 interface), 64–65

Network Resources drawer (ACS 5.1 interface), 87–94

network resources, importing (ACS 5.1), 412–414

NFR (Not-For-Resale) license (ACS 5.1), 52

P

passwords, local password management (ACS 4.2), 391–392

PEAP, 202, 203

ACS configuration, 224–225

policies (NAP), 389–391

Policy Elements drawer (ACS 5.1 interface), 98–105

PPP sessions, 350

accounting on Cisco IOS, 350

authenticating, 345–347

on Cisco IOS, 345–347

troubleshooting, 347–348

authorization, 348

on Cisco IOS, 348

troubleshooting, 349–350

pre-authentication open access mode (802.1x), 208

prerequisites for Authentication Proxy, 310–311

primary servers, configuring replication, 381–382

privilege levels, ASA/PIX, 180–182

privilege levels (Cisco IOS), 152–153

lab scenario, 154–155

profiles, configuring on ACS 4.2, 388–391

R

RADIUS, 8–12

Authentication Proxy, authorization, 322–325

dictionaries, configuring on ACS 5.1, 405–409

PPP sessions, authorization, 348

VPNs, authentication, 355–356

RDBMS Synchronization feature, configuring on ACS 4.2, 384–388

recovering ACS from backup file, 378–379

remote access VPNs, 343

accounting, 343

authentication with RADIUS, 355–356

authorization with RADIUS, 356–359

remote logging, 391–393

configuring on ACS 4.2, 391–393

configuring on ACS 5.1, 409–412

replication versus backup, 381

Reports and Activity section (ACS 4.2 interface), 79–82

restricted VLAN (802.1x), configuring, 209–210

RSA SecureID, configuring, 140

on ACS 4.2, 140

on ACS 5.1, 140–141

S

scheduled backups, 427–430

configuring on ACS 5.1, 427–430

performing on ACS 4.2, 378

secondary servers, 402–406

activating (ACS 5.1), 402–406

replication, configuring, 383

service selection rules, creating, 115–116

services, ACS 4.2, 58–61

Shared Profile Components section (ACS 4.2 interface), 78–79

show commands, 249–250

single-host mode (802.1x), 206–207

software repositories, creating with ACS 5.1, 422–425

SSL VPNs, 343

accounting, 343

with RADIUS, 359

authentication, 335–336

with Cisco IOS, 335–336

with LDAP, 362–364

with RADIUS, 355–356

authorization, 337–342

with Cisco IOS, 337–342

with LDAP, 364–366

with RADIUS, 356–359

system administration on ACS 5.1, 415–422

System Configuration section (ACS 4.2 interface), 76–79

T

TACACS+, 13–19

Authentication Proxy, authorization, 318–321

dictionaries, configuring on ACS 5.1, 405–409

lab scenarios, authentication, authorization, and accounting of administrative sessions, 174–176

TACACS+ Settings section (ACS 4.2 interface), 68–69

Telnet, 314–315

Authentication Proxy, configuring, 314–315

Virtual Telnet, 286–287

timers (802.1x), 212–213

troubleshooting, 250–251

802.1x, 250–251

802.1x authentication, 275–279

ACS 4.2 installation, 52–55

authentication, 159–160

of VPNs, 337

Authentication Proxy, 316–317

authorization, 325–326

command authorization, 172–173

cut-through proxy authentication, 291–292

cut-through proxy authorization, 302–303

PPP sessions, 349–350

authorization, 349–350

on Cisco IOS, 347–348

VPN authentication, 363–364

with LDAP, 363–364

with RADIUS, 355–356

VPN authorization, 342

with Cisco IOS, 342

with LDAP, 366

U

User Setup section (ACS 4.2 interface), 70–74

Users and Identity Stores drawer (ACS 5.1 interface), 94–98

V

verifying cut-through proxy authentication, 291–292

Virtual HTTP, configuring, 287–288

Virtual Telnet, 286–287

VLAN assignment, 228–229

ACS configuration, 228–229

configuring, 211–212

VPNs, 343

accounting, 343

authentication, 362–364

with LDAP, 362–364

with RADIUS, 355–356

authorization, 337–342

with Cisco IOS, 337–342

with RADIUS, 356–359

troubleshooting, 342

W

Windows, CSUtil database utility, 395–400

wireless, IEEE 802.1X authentication, 257–258

configuring, 257–258

WLCs, configuring, 259–263

WLCs, configuring IEEE 802.1X authentication, 259–263