Revised: March 26, 2008, 78-17961-02
This guide provides the information you need to get started installing, configuring, and using Cisco Secure ACS Express 5.0 and includes the following sections:
Supplemental License Agreement, page 2
Product Documentation Set, page 3
Installing the ACS Express Appliance, page 5
Using the GUI, page 7
Configuration Overview, page 14
Obtaining Documentation, Obtaining Support, and Security Guidelines, page 12

Supplemental License Agreement
This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the End User License Agreement between Customer and Cisco.
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Quick Start and Documentation Guide for Cisco Secure ACS Express, 5.0
78-17961-02
Reproduction and Distribution. Customer may not reproduce nor distribute software.
Product Documentation Set
Quick Start and Documentation Guide for Cisco Secure ACS Express 5.0 (78-17961-02, this document)
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/roadmap/xpguide.html

Release Notes for Cisco Secure ACS Express, 5.0 (OL-11674-01)
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/release/notes/xpnote.html
The Release Notes for Cisco Secure ACS Express, 5.0 provide a collection of information including related documentation, how to get the latest software, information about specific software and hardware requirements, configuration information, lists of known and resolved anomalies, and release note enclosure information for all known anomalies.
Installation and Setup Guide for Cisco Secure ACS Express, 5.0 (OL-11671-01)
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/install.html
The Installation and Setup Guide for Cisco Secure ACS Express is an online-only document that provides information about how to set up the ACS Express appliance, including location, internet connection, and initial configuration.
User Guide for Cisco Secure ACS Express, 5.0 (OL-11672-01)
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/users.html
The User Guide for Cisco Secure ACS Express is an online-only document that provides information about how to use the ACS Express GUI and how to perform routine tasks associated with the features and functionality of Cisco ACS Express.
Cisco Secure ACS Express Command Reference, 5.0 (OL-11673-01)
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/command/reference/guide/cmdref.html
The Cisco Secure ACS Express Command Reference focuses on the following topics:
Command-line interface configurations
Command-line interface reference
Each topic provides a high-level summary of the tasks required for using the CLI in the Application Deployment Engine OS 1.0.1, and the procedures for performing these tasks.
Troubleshooting Guide for Cisco Secure ACS Express, 5.0 (OL-14650-01)
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/troubleshooting/guide/trouble.html
This guide provides information about troubleshooting strategies and shows example ACS Express logs with pointers to things to look for when experiencing difficulties.
Installing the ACS Express Appliance
Step 1
Open the box and check the contents. The package containing your ACS Express appliance includes the following:
ACS Express appliance
Hardware accessory kits
Software accessory kits
Rack mount kit
Power cord
Step 2
Read Chapter 1, Preparing to Install the Cisco ACS Express Appliance, of the Installation and Setup Guide for Cisco Secure ACS Express, and pay special attention to all safety guidelines found in Chapter 3, Safety Guidelines.
Step 3
Install the appliance in either a two-post or four-post rack. Detailed information about how to mount the appliance is included in the rack mount kit.
Step 4
Connect the AC power cord. Figure 1 shows the rear of the ACS Express appliance and the various cable connectors. Connect the AC power cord to the receptacle (#1) on the left-hand side of the rear panel. Connect the other end of the power cord to an AC power source.
Figure 1 Rear panel of the ACS Express appliance (callouts 1 to 8; labelled connectors include the AC power receptacle (#1), the video connector, the NIC 1 (10/100/1000 Mb) port (#6), the unsupported NIC 2 port, and the USB ports)
Step 5
Establish a terminal connection. Configure a terminal (an ASCII terminal or a PC running terminal-emulation software) for 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Step 6
Connect the ACS Express appliance to an Ethernet connection using the NIC 1 connector (#6 in Figure 1).
Note: Use the NIC 1 connector for your Ethernet connection. Using the NIC 2 port is not supported, and attempting to use the NIC 2 connector will cause an unstable environment.
Step 7
Turn power on to the ACS Express appliance. After you turn on power to the ACS Express appliance and it boots up for the first time, the following displays on the console:

    *************************************************
    Please log in as setup to configure the appliance
    *************************************************
    localhost login:
Step 8
Enter setup to begin the setup program; the ACS Express appliance will prompt you for the setup parameters:

    localhost login: setup
Step 9
Use your browser to access the ACS Express GUI by entering the server name and domain name of your ACS Express server into the browser address field: https://server_name.domain where server_name is the name and domain or IP address of the ACS Express server.
Step 10
Log in to the ACS Express server. See Logging In and Logging Out, page 8, for information about logging in and using the GUI.
Step 11
Configure the ACS Express server for your site's requirements. See Chapter 6 of the Installation and Setup Guide for Cisco Secure ACS Express, 5.0, Administering Cisco ACS Express, for an overview of what you need to do to get started configuring the ACS Express server.
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/admin.html
You can find detailed information to help you configure the ACS Express server in the User Guide for Cisco Secure ACS Express. See also Configuration Overview, page 14. The ACS Express GUI also provides online help for each configuration window and configuration tips for GUI fields.

Using the GUI
Logging In and Logging Out, page 8
Navigating the GUI, page 9
Using Online Help, page 12
To log out of a session on the ACS Express server, click Logout in the upper right corner of the GUI window (Figure 3) in the status pane. This area of the GUI also has the hostname of the ACS Express server and an About button for software version information. Click the circle with the question mark (?) to access online help.
Figure 3
Workspace
Figure 4 shows an example of the top-level ACS Express window called the Workspace.
Figure 4 Workspace (callouts 1 to 3)
Status Pane
The ACS Express GUI has a top-level application Status pane with the following items.
Product Name: Cisco Secure ACS Express displays on the left side of the status bar
Server Hostname: Name of the server where you are currently logged in
Login Name: User ID for the current session
Logout: Logs you out of the application and displays the login window
About: Displays information about the currently installed software version and server hostname
Navigation Pane
The navigation pane contains six drawers, and each drawer contains subitems that display data in the content pane. The following list describes navigational behaviors:
Clicking on a drawer name highlights and expands the drawer.
Clicking on a drawer arrow expands the drawer.
Clicking on an item highlights the drawer name and selected item, and the content pane is refreshed. After refreshing the content pane, a status dialog will temporarily appear until the content pane is downloaded fully.
Clicking on a drawer in which an item was previously selected does the following:
  Highlights the drawer
  Expands the drawer
  Selects the previously selected item
  Refreshes the content pane
After you log in, the GUI keeps track of the last selected item in a cookie. If the cookie is present, the last selected item will be active upon login. You can collapse the navigation pane by clicking the toggle on the left (center) edge of the content pane. With the navigation pane collapsed, click the toggle again to display the navigation pane. Only one drawer and item can be active at a time.
Content Pane
The content pane displays information about the item you select from a drawer in the navigation pane.
Dashboard
The Dashboard displays the following collections of information:
Configuration Tips
The ACS Express GUI provides configuration tips at each location on a GUI window where you must provide a value or make a choice. Simply hover your cursor over the name of the GUI field (underlined), and a configuration tip will appear as shown in Figure 6 specific to that field.
Figure 6
Additionally, some GUI windows have configuration tips available. These pages have an additional Configuration Tip icon, Figure 7, next to the online help icon. If displayed on a window, click this icon for general configuration tips about the window.
Figure 7 Configuration Tip Icon
Configuration Overview
This section provides an overview of the required configuration for the ACS Express server. Each section is associated with a drawer in the ACS Express GUI as shown in Figure 4.
Network Resources
The Devices and Device Groups that make up your network are your network resources. Use the GUI to add all Device Groups in your configuration, then add your devices into the Device Groups. See Chapter 2 of the User Guide for Cisco Secure ACS Express for more detailed information.
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/gui.html
Access Policies
Access Services in ACS Express are classified into two types:
Network Access policies apply to users attempting to access a wireless, wired, or VPN network. Network Access policies also support various authentication schemes like PAP, CHAP, MSCHAPv2, PEAP, EAP-TLS, EAP-FAST, LEAP, and Windows machine authentication. Network Access policies apply to network devices that communicate with ACS Express via RADIUS. Network Access policies can be configured to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.
Device Administration policies apply to users who attempt to access and configure a network device. ACS Express can authenticate and authorize the maximum allowed privilege level for users. Network devices communicate with ACS Express via TACACS+ or RADIUS. You can configure Device Administration policies to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.
Access Rules
Access rules enable you to use the ACS Express server to do the following:
Specify user entitlements based on the user's role in your organization
Assign different VLANs for employees and contractors
Restrict network access based on the time of day, such as Monday to Friday from 9 a.m. to 5 p.m.
We find it very helpful to create a worksheet to list the rules we want to enforce. Each rule should specify the access conditions and the resulting user entitlements. Access conditions include the type of network access, groups to which a user should belong, and the time of day the user is allowed access. Results specify granted entitlements if all the conditions are met. Table 1 shows an example worksheet.
Table 1
Time of Access              Entitlements
Mon-Fri, 8 a.m. - 6 p.m.    Assign VLAN Employee
Sat-Sun, 8 a.m. - 6 p.m.    Deny access
Mon-Sun, 7/24               Assign VPN Group RemoteUsers
With a completed worksheet, you can now configure the policy elements including the Time of Day periods in which to allow access and the entitlements you grant users when they log in to the network. Entitlements are specified as a RADIUS response returned to the network device.
General Settings: Specifies the name and description of the access service.
Selection Rules: Specifies the network device groups for the types of network access. From the example worksheet, the Wireless Access access service would handle requests from the Wireless Controllers device group.
Authentication Rules: Specifies the configured database for user authentication and the protocol settings.
Device Administration
Network devices can communicate with ACS Express via TACACS+ or RADIUS. This section describes how to configure a Device Administration policy for network devices to communicate via TACACS+. You should already have completed the following:
Configured your network devices for login authentication against an AAA server
Configured the user database
Access Rules
To determine your Device Administration access rules, we find it very helpful to create a worksheet to list your rules. Each rule should specify the access conditions and the resulting privilege level if granted. Access conditions include the network device group being administered, groups a user should belong to, and allowed time of access. Results specify the command privilege to grant if all the conditions are met. See Table 2 for an example device access rule worksheet.
Table 2 Example Device Access Rule Worksheet (columns include Time of Access)
With a completed worksheet, you can now configure the policy elements.
Create a TACACS Access Service based on your worksheet. For example, from the example worksheet in Table 2, we would create TACACS+ Access Services for requests from the following:
Wireless controllers from members of the Read-Write Admin group
Wireless controllers from members of the Read-Only Admins group
VPN concentrators from members of the Read-Only Admins group
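As an added example (not Cisco's code and not the ACS Express policy engine), the rule evaluation that a worksheet like Table 1 and the TACACS+ service list above describe: each rule's conditions (access type, user group, Time of Day period) select a result, the first matching rule wins, and a request that no rule matches is denied. The group names, RADIUS attributes, and TACACS+ privilege levels used in the rows are assumed values.

```python
# Added example: first-match evaluation of an access-rule worksheet.
# Rows are constructed from Table 1 and the Device Administration service
# list; attribute names and privilege levels are assumptions, not ACS values.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class TimeOfAccess:
    """A Time of Day period such as 'Mon-Fri, 8 a.m. - 6 p.m.'."""
    first_day: int   # 0 = Mon (datetime.weekday convention)
    last_day: int    # 6 = Sun
    start_hour: int  # inclusive
    end_hour: int    # exclusive; 24 covers the whole day ("7/24")

    def matches(self, when: datetime) -> bool:
        return (self.first_day <= when.weekday() <= self.last_day
                and self.start_hour <= when.hour < self.end_hour)


@dataclass
class Rule:
    access_type: str        # "wireless", "vpn" (RADIUS) or "tacacs"
    group: str              # group the user must belong to
    period: TimeOfAccess    # when the rule applies
    result: Optional[dict]  # None = Deny access; otherwise entitlements


# Constructed worksheet rows (assumed values). Tunnel-Private-Group-Id is
# the RADIUS attribute commonly used for VLAN assignment; priv-lvl is the
# TACACS+ privilege level an administrator is granted.
RULES = [
    Rule("wireless", "Employees", TimeOfAccess(0, 4, 8, 18),
         {"Tunnel-Private-Group-Id": "Employee"}),      # Mon-Fri 8-6
    Rule("wireless", "Employees", TimeOfAccess(5, 6, 8, 18), None),  # Sat-Sun
    Rule("vpn", "RemoteUsers", TimeOfAccess(0, 6, 0, 24),
         {"Class": "RemoteUsers"}),                      # Mon-Sun 7/24
    Rule("tacacs", "Read-Write Admins", TimeOfAccess(0, 6, 0, 24),
         {"priv-lvl": 15}),
    Rule("tacacs", "Read-Only Admins", TimeOfAccess(0, 6, 0, 24),
         {"priv-lvl": 1}),
]


def evaluate(access_type, groups, when, rules=RULES):
    """Return the entitlements of the first matching rule, or None (deny).

    A request outside every rule's period, or from a group no rule names,
    falls through to the default deny rather than to any broader rule.
    """
    for r in rules:
        if (r.access_type == access_type and r.group in groups
                and r.period.matches(when)):
            return r.result
    return None
```

Rule order matters: the Sat-Sun deny row only exists because the list is first-match, so a weekday row that covered all seven days would silently grant weekend access.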
This document is to be used in conjunction with the documents listed in the Product Documentation Set section.
CCDE, CCENT, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0803R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007-2008 Cisco Systems, Inc. All rights reserved. Printed in the USA on recycled paper containing 10% postconsumer waste.