
Quick Start and Documentation Guide for Cisco Secure ACS Express, 5.0
Revised: March 26, 2008, 78-17961-02

This guide provides the information you need to get started installing, configuring, and using Cisco Secure ACS Express 5.0 and includes the following sections:

Supplemental License Agreement, page 2
Product Documentation Set, page 3
Installing the ACS Express Appliance, page 5
Using the GUI, page 7
Configuration Overview, page 14
Obtaining Documentation, Obtaining Support, and Security Guidelines, page 12

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

© 2008 Cisco Systems, Inc. All rights reserved.

Supplemental License Agreement


Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Express Software
IMPORTANT: READ CAREFULLY. This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the End User License Agreement between Customer and Cisco. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement. To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence. By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA. If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software.

1. ADDITIONAL LICENSE RESTRICTIONS


Installation and Use. The Cisco Secure Access Control Server Express Software component of the Cisco 1010 Hardware Platform is preinstalled. CDs containing tools to restore this Software to the 1010 hardware are provided to Customer for reinstallation purposes only. Customer may only run the supported Cisco Secure Access Control Server Software on the Cisco 1010 Hardware Platform designed for its use. No unsupported Software product or component may be installed on the Cisco 1010 Hardware Platform.

Software Upgrades, Major and Minor Releases. Cisco may provide Cisco Secure Access Control Server Express Software updates and new version releases for the 1010 Hardware Platform. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 1010 Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.


Reproduction and Distribution. Customer may not reproduce nor distribute software.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS


Please refer to the Cisco Systems, Inc., End User License Agreement: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Product Documentation Set


This section provides a list of the ACS Express product documentation with links to the online documentation. You can find links to all ACS Express product documentation at the following URL: http://cisco.com/en/US/products/ps8543/tsd_products_support_series_home.html

The following documents comprise the Cisco Secure ACS Express documentation set and should be read in the following order:

Quick Start and Documentation Guide for Cisco Secure ACS Express 5.0 (78-17961-02, this document) http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/roadmap/xpguide.html

Release Notes for Cisco Secure ACS Express, 5.0 (OL-11674-01) http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/release/notes/xpnote.html
The Release Notes for Cisco Secure ACS Express, 5.0 provide a collection of information including related documentation, how to get the latest software, information about specific software and hardware requirements, configuration information, lists of known and resolved anomalies, and release note enclosure information for all known anomalies.


Installation and Setup Guide for Cisco Secure ACS Express, 5.0 (OL-11671-01) http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/install.html
The Installation and Setup Guide for Cisco Secure ACS Express is an online only document that provides information about how to set up the ACS Express appliance including location, internet connection, and initial configuration.

User Guide for Cisco Secure ACS Express, 5.0 (OL-11672-01) http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/users.html
The User Guide for Cisco Secure ACS Express is an online only document that provides information about how to use the ACS Express GUI and how to perform routine tasks associated with the features and functionality of Cisco ACS Express.

Cisco Secure ACS Express Command Reference, 5.0 (OL-11673-01) http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/command/reference/guide/cmdref.html
The Cisco Secure ACS Express Command Reference focuses on the following topics:

- Command-line interface configurations
- Command-line interface reference

Each topic provides a high-level summary of the tasks required for using the CLI in the Application Deployment Engine OS 1.0.1, and the procedures for performing these tasks.

Troubleshooting Guide for Cisco Secure ACS Express, 5.0 (OL-14650-01) http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/troubleshooting/guide/trouble.html
This guide provides information about troubleshooting strategies and shows example ACS Express logs with pointers to things to look for when experiencing difficulties.

Installing the ACS Express Appliance


The Cisco Secure ACS Express product comprises an appliance, the Cisco Application Deployment Engine (ADE) 1010, and the ACS Express server software. The software for ACS Express is already installed on the appliance. This section provides an overview of installation tasks required to install the ACS Express appliance.
Step 1

Open the box and check the contents. The package containing your ACS Express appliance includes the following:

ACS Express appliance Hardware accessory kits Software accessory kits Rack mount kit Power cord

Step 2

Read Chapter 1, Preparing to Install the Cisco ACS Express Appliance, of the Installation and Setup Guide for Cisco Secure ACS Express and pay special attention to all safety guidelines found in Chapter 3, Safety Guidelines.

Step 3

Install the appliance in either a two-post or four-post rack. Detailed information about how to mount the appliance is included in the rack mount kit.

Step 4

Connect the AC power cord. Figure 1 shows the rear of the ACS Express appliance and the various cable connectors. Connect the AC power cord to the receptacle (#1) on the left-hand side of the rear panel. Connect the other end of the power cord to an AC power source.


Figure 1 Cable Connectors on Rear of ACS Express Appliance

1 AC Power Connector
2 Mouse
3 Keyboard
4 Serial Port
5 Video connector
6 NIC 1 (10/100/1000 Mb) port
7 Unsupported NIC 2 port
8 USB ports

Step 5

Establish a terminal connection. Configure a terminal (an ASCII terminal or a PC running terminal-emulation software) for 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.

Step 6

Connect the ACS Express appliance to an Ethernet connection using the NIC 1 connector (#6 in Figure 1).

Note Use the NIC 1 connector for your Ethernet connection. Using the NIC 2 port is not supported and attempting to use the NIC 2 connector will cause an unstable environment.

Step 7

Turn power on to the ACS Express appliance. After you turn on power to the ACS Express appliance and it boots up for the first time, the following displays on the console:

*************************************************
Please log in as setup to configure the appliance
*************************************************
localhost login:


Step 8

At the login prompt, enter setup.

localhost login: setup

Entering setup starts the setup program; the ACS Express appliance will then prompt you for the setup parameters.
Step 9

Use your browser to access the ACS Express GUI by entering the server name and domain name of your ACS Express server into the browser address field: https://server_name.domain where server_name is the name and domain or IP address of the ACS Express server.

Step 10

Log in to the ACS Express server. See Logging In and Logging Out, page 8, for information about logging in and using the GUI.

Step 11

Configure the ACS Express server for your site's requirements. See Chapter 6 of the Installation and Setup Guide for Cisco Secure ACS Express, 5.0, Administering Cisco ACS Express, for an overview of what you need to do to get started configuring the ACS Express server: http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/admin.html
You can find detailed information to help you configure the ACS Express server in the User Guide for Cisco Secure ACS Express. See also Configuration Overview, page 14. The ACS Express GUI also provides online help for each configuration window and configuration tips for GUI fields.

Using the GUI


This section describes how to use the ACS Express graphical user interface (GUI).

Logging In and Logging Out, page 8
Navigating the GUI, page 9
Using Online Help, page 12

Logging In and Logging Out


You log in to and out of the ACS Express graphical user interface (GUI) through a web browser. To log in to ACS Express, launch a browser and enter the following URL into the browser address field: https://server_name.domain, where server_name is the name and domain or IP address of the ACS Express server. Figure 2 shows an example of the ACS Express login window. Enter your username and password to log in. Click Reset to clear the Username and Password fields.
Figure 2 ACS Express Login Window

To log out of a session on the ACS Express server, click Logout in the upper right corner of the GUI window (Figure 3) in the status pane. This area of the GUI also has the hostname of the ACS Express server and an About button for software version information. Click the circle with the question mark (?) to access online help.


Figure 3 ACS Express Server Status Pane

Navigating the GUI


The top-level window of the ACS Express GUI is called the Workspace. The Workspace contains the following areas:

- Status Pane
- Navigation Pane
- Content Pane

Workspace
Figure 4 shows an example of the top-level ACS Express window called the Workspace.


Figure 4 ACS Express GUI Workspace

Callout   Description
1         Status pane
2         Navigation pane
3         Content pane

Status Pane
The ACS Express GUI has a top-level application Status pane with the following items.

- Product Name: Cisco Secure ACS Express displays on the left side of the status bar
- Server Hostname: Name of the server where you are currently logged in
- Login Name: User ID for current session
- Logout: Logs you out of the application and displays the login window
- About: Displays information about the currently installed software version and server hostname

Navigation Pane
The navigation pane contains six drawers, and each drawer contains subitems that display data in the content pane. The following list describes navigational behaviors:

- Clicking on a drawer name highlights and expands the drawer.
- Clicking on a drawer arrow expands the drawer.
- Clicking on an item highlights the drawer name and selected item, and the content pane is refreshed. After refreshing the content pane, a status dialog will temporarily appear until the content pane is downloaded fully.
- Clicking on a drawer in which an item was previously selected does the following:
  - Highlights the drawer
  - Expands the drawer
  - Selects the previously selected item
  - Refreshes the content pane

After you log in, the GUI keeps track of the last selected item in a cookie. If the cookie is present, the last selected item will be active upon login. You can collapse the navigation pane by clicking the toggle on left (center) edge of the content pane. With the navigation pane collapsed, click the toggle again to display the navigation pane. Only one drawer and item can be active at a time.

Content Pane
The content pane displays information about the item you select from a drawer in the navigation pane.


Dashboard
The Dashboard displays the following collections of information:

- Configuration Summary
- Usage Summary
- Server Information
- Server Status

Using Online Help


ACS Express provides online help in the form of HTML files mapped to the GUI windows. To access online help, click the Question Mark icon in the upper right corner of the GUI window (Figure 5). ACS Express provides context-sensitive help, so the window that displays after you click the online help icon is specific to the window from which you requested online help. Along with the HTML online help files, you can also access a PDF version of the User Guide for Cisco Secure ACS Express from the online help.
Figure 5 Online Help Icon

Configuration Tips
The ACS Express GUI provides configuration tips at each location on a GUI window where you must provide a value or make a choice. Simply hover your cursor over the name of the GUI field (underlined), and a configuration tip will appear as shown in Figure 6 specific to that field.


Figure 6 Configuration Tips By Cursor

Additionally, some GUI windows have configuration tips available. These pages have an additional Configuration Tip icon, Figure 7, next to the online help icon. If displayed on a window, click this icon for general configuration tips about the window.
Figure 7 Configuration Tip Icon

Online Configuration Overview


You can also view an online version of the Configuration Overview by clicking its item in the Navigation pane (Figure 8). The online version differs slightly from the information in the next section, Configuration Overview.
Figure 8 Online Configuration Overview


Configuration Overview
This section provides an overview of the required configuration for the ACS Express server. Each section is associated with a drawer in the ACS Express GUI as shown in Figure 4.

Network Resources
The Devices and Device Groups that make up your network are your network resources. Use the GUI to add all Device Groups in your configuration, then add your devices into the Device Groups. See Chapter 2 of the User Guide for Cisco Secure ACS Express for more detailed information: http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/gui.html

Users and Identity Stores


Configure your ACS Express server with the Users and User Groups required for your installation. ACS Express can authenticate users with its internal user database and also through remote or external databases.

Internal User Database


Use the GUI to add all local users into the internal user database. Each local user must belong to at least one User Group, so create the User Groups first, then configure your local Users.

External User Database


ACS Express supports the following external user databases:

- Microsoft Active Directory
- LDAP Databases
- One-Time-Password Servers


Access Policies
Access Services in ACS Express are classified into two types:

- Network Access
- Device Administration

Network Access policies apply to users attempting to access a wireless, wired, or VPN network. Network Access policies also support various authentication schemes like PAP, CHAP, MSCHAPv2, PEAP, EAP-TLS, EAP-FAST, LEAP, and Windows machine authentication. Network Access policies apply to network devices that communicate with ACS Express via RADIUS. Network Access policies can be configured to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.

Device Administration policies apply to users who attempt to access and configure a network device. ACS Express can authenticate and authorize the maximum allowed privilege level for users. Network devices communicate with ACS Express via TACACS+ or RADIUS. You can configure Device Administration policies to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.

Access Rules
Access rules enable you to use the ACS Express server to do the following:

- Specify user entitlements based on the user's role in your organization
- Assign different VLANs for employees and contractors
- Restrict network access based on the time of day, such as from Monday to Friday from 9 a.m. to 5 p.m.

We find it very helpful to create a worksheet to list the rules we want to enforce. Each rule should specify the access conditions and the resulting user entitlements. Access conditions include the type of network access, groups to which a user should belong, and the time of day the user is allowed access. Results specify granted entitlements if all the conditions are met. Table 1 shows an example worksheet.


Table 1 Example Access Rule Worksheet

Network Access    User Groups             Time of Access              Entitlements
Wireless Access   Employee                Mon-Fri, 8 a.m. - 6 p.m.    Assign VLAN Employee
Wireless Access   Employee                Sat-Sun, 8 a.m. - 6 p.m.    Deny access
VPN Access        Employee, RemoteUsers   Mon-Sun, 7/24               Assign VPN Group RemoteUsers

With a completed worksheet, you can now configure the policy elements including the Time of Day periods in which to allow access and the entitlements you grant users when they log in to the network. Entitlements are specified as a RADIUS response returned to the network device.

RADIUS Access Services


After you have set up your access rules, you can create the RADIUS Access Services you require. A RADIUS Access Service specifies the network device groups from which to process requests, a database to use for authentication, protocol settings, and access rules to grant entitlements. Based on your worksheet, create a RADIUS Access Service for each network access type. For example, from the example worksheet in Table 1, we would create two RADIUS Access Services, Wireless Access and VPN Access. We also need to configure two User Groups, Employee and RemoteUsers. A RADIUS Access Service requires the following configuration:

- General Settings: Specifies the name and description of the access service.
- Selection Rules: Specifies the network device groups for the types of network access. From the example worksheet, the Wireless Access access service would handle requests from the Wireless Controllers device group.
- Authentication Rules: Specifies the configured database for user authentication and the protocol settings.

Configure the access rules as listed in your worksheet.
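As an added illustration (not code from this guide or from ACS Express), the following Python encodes the three rows of Table 1 as ordered rules, evaluates constructed sample requests against them, and renders the resulting entitlement as the RADIUS reply a network device would receive. Assumed here because the page does not state it: rules are tried in worksheet order and the first full match wins, a request matching no rule is denied, a rule naming several groups matches a user in any one of them, and VLAN assignment is carried in the standard RFC 2868/3580 tunnel attributes.

```python
"""Table 1 of the guide as ordered access rules (added illustration, not ACS Express code).

Conditions are the worksheet columns Network Access, User Groups and Time of
Access; the result is the Entitlements column. Assumed: first full match wins,
no match is a denial, and a rule naming several groups matches any of them.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Iterable, List

MON_FRI = frozenset(range(0, 5))   # datetime.weekday(): Monday=0 .. Sunday=6
SAT_SUN = frozenset({5, 6})


@dataclass(frozen=True)
class TimeOfAccess:
    """A recurring weekly window: permitted weekdays plus a daily start and end."""
    days: FrozenSet[int]
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class AccessRule:
    access_type: str               # "Wireless Access", "VPN Access", ...
    user_groups: FrozenSet[str]    # user must belong to at least one of these
    time_of_access: TimeOfAccess
    entitlement: str               # "Deny access" or a grant, e.g. "Assign VLAN Employee"

    def matches(self, access_type: str, groups: FrozenSet[str], when: datetime) -> bool:
        return (self.access_type == access_type
                and not self.user_groups.isdisjoint(groups)
                and self.time_of_access.contains(when))


# The three rows of Table 1, transcribed from the page ("Mon-Sun, 7/24" = no limit).
TABLE_1: List[AccessRule] = [
    AccessRule("Wireless Access", frozenset({"Employee"}),
               TimeOfAccess(MON_FRI, time(8), time(18)), "Assign VLAN Employee"),
    AccessRule("Wireless Access", frozenset({"Employee"}),
               TimeOfAccess(SAT_SUN, time(8), time(18)), "Deny access"),
    AccessRule("VPN Access", frozenset({"Employee", "RemoteUsers"}),
               TimeOfAccess(frozenset(range(7))), "Assign VPN Group RemoteUsers"),
]


def decide(rules: Iterable[AccessRule], access_type: str,
           groups: Iterable[str], when: datetime) -> str:
    """Entitlement of the first rule whose conditions all hold; otherwise deny."""
    groups = frozenset(groups)
    for rule in rules:
        if rule.matches(access_type, groups, when):
            return rule.entitlement
    return "Deny access"   # fail closed: no rule granted anything


def radius_response(entitlement: str) -> Dict[str, str]:
    """Render an entitlement as the RADIUS reply sent to the network device.
    VLAN assignment uses the RFC 2868/3580 tunnel attributes; the VPN group result
    is passed through as-is because the page does not name the attribute used."""
    if entitlement == "Deny access":
        return {"code": "Access-Reject"}
    reply = {"code": "Access-Accept"}
    if entitlement.startswith("Assign VLAN "):
        reply.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-ID": entitlement[len("Assign VLAN "):]})
    else:
        reply["Entitlement"] = entitlement
    return reply


def demo() -> Dict[str, str]:
    """Constructed sample requests (not from the page) evaluated against Table 1."""
    wed_morning = datetime(2008, 3, 26, 10, 0)    # a Wednesday
    wed_evening = datetime(2008, 3, 26, 19, 30)   # same day, after 6 p.m.
    sat_noon = datetime(2008, 3, 29, 12, 0)       # a Saturday
    return {
        "employee_wifi_weekday": decide(TABLE_1, "Wireless Access", ["Employee"], wed_morning),
        "employee_wifi_weekend": decide(TABLE_1, "Wireless Access", ["Employee"], sat_noon),
        "employee_wifi_after_hours": decide(TABLE_1, "Wireless Access", ["Employee"], wed_evening),
        "contractor_wifi_weekday": decide(TABLE_1, "Wireless Access", ["Contractor"], wed_morning),
        "remote_vpn_weekend": decide(TABLE_1, "VPN Access", ["RemoteUsers"], sat_noon),
    }
```

The after-hours and contractor requests show why the default matters: neither is covered by a worksheet row, so the only safe outcome is a denial rather than an implicit grant.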


Device Administration
Network devices can communicate with ACS Express via TACACS+ or RADIUS. This section describes how to configure a Device Administration policy for network devices to communicate via TACACS+. You should already have completed the following:

- Configured your network devices for login authentication against a AAA server
- Configured the user database

Access Rules
To determine your Device Administration access rules, we find it very helpful to create a worksheet to list your rules. Each rule should specify the access conditions and the resulting privilege level if granted. Access conditions include the network device group being administered, groups a user should belong to, and allowed time of access. Results specify the command privilege to grant if all the conditions are met. See Table 2 for an example device access rule worksheet.
Table 2 Example Device Access Rule Worksheet

Network Access         User Groups        Time of Access              Privilege Level
Wireless Controllers   Read-Write Admin   Mon-Fri, 8 a.m. - 6 p.m.    15
Wireless Controllers   Read-Only Admins   -                           1
VPN Concentrators      Read-Only Admin    -                           Deny Access

With a completed worksheet, you can now configure the policy elements.

TACACS+ Access Service


After you have set up your access rules, you can create the TACACS+ Access Services you require. A TACACS+ Access Service specifies the Conditions required including the network device groups from which to process requests, User Groups, and Time of Access and specifies the privilege level to grant if all conditions are met. A TACACS+ authentication request must also match the session Timeout Settings for Idle Timeout and Session Timeout.


Create a TACACS+ Access Service based on your worksheet. For example, from the example worksheet in Table 2, we would create TACACS+ Access Services for requests from the following:

- Wireless controllers from members of the Read-Write Admin group
- Wireless controllers from members of the Read-Only Admins group
- VPN concentrators from members of the Read-Only Admins group

Configure the access rules as listed in your worksheet.

Obtaining Documentation and Submitting a Service Request


For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.


This document is to be used in conjunction with the documents listed in the Product Documentation Set section.

CCDE, CCENT, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0803R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007-2008 Cisco Systems, Inc. All rights reserved. Printed in the USA on recycled paper containing 10% postconsumer waste.
