Cisco ACS 5.4 Video Guide to Installation, Configuration, and Deployment
Submitted by admin on Sat, 10/19/2013 - 16:48
Cisco Secure Access Control System (ACS) has been around for a number of years, since versions 3.x and 4.x, and is one of the most popular network Authentication, Authorization, and Accounting (AAA) servers in enterprise networks, thanks to its wide range of supported features and its robustness. This holds for both of the commonly used protocols: RADIUS, used for network access security, whether VPN, wired or wireless 802.1X access, and TACACS+, used for network device administration.
With the release of Cisco ACS version 5 there have been significant changes: ACS became a standalone Linux-based system running on a VM or hardware appliance rather than an application on a Windows server, it received a new Graphical User Interface (GUI), and network access policies are now built using a policy-driven model instead of user and user-group-based policies. The result is greater configuration flexibility, which gives you, as the network administrator, more control over who can access your network and what resources they can access.
Knowing that understanding and configuring Cisco ACS 5.x can be challenging, especially for those with first-hand experience of the previous versions who are used to them, Lab Minutes has produced an extensive video library on Cisco ACS with the intention of helping our audience make their ACS implementation a success. Whether you are studying for a certification or have to learn the product as part of your job, our videos can provide you with enough information to at least get you started on the technology, if not more. These videos are essentially an elaborate Cisco ACS training course where you can watch step-by-step configuration as it is demonstrated in each lab.
As you may know, Cisco also has a newer authentication system known as Cisco Identity Services Engine (ISE), which is based on the ACS platform and hence shares common functionality with it, and which, for the most part, can do more in providing a comprehensive identity-based network access solution. There seem to be a lot of misconceptions about what ACS can and cannot do compared to ISE, so we will also discuss these as we proceed through the article, to help you avoid upgrading to ISE unnecessarily.
This article serves as a guide on your journey of learning and configuring Cisco Secure Access Control System. We will guide you through how you can best use the videos that have been made available on our website to maximize your learning experience. Links to relevant videos are provided under each section. Please note that our videos were created primarily on Cisco ACS 5.4. For additional information on the product and licensing, please consult the Cisco ACS licensing and ordering guide and the Cisco ACS datasheet.
Before you can begin an installation, you want to make sure that you are in possession of all the necessary hardware and network components. A basic setup usually includes a Cisco network device (e.g. router, switch, ASA, WLC), a Windows Domain Controller or LDAP server, a DNS server, and a Certificate Authority server. You should also have an ESXi server if you plan to use the VM version, or an ACS appliance otherwise.
Our first video shows you how to install ACS on a VM. Although ACS 5.3 is used in our demonstration, the process is very much applicable to other 5.x versions, but you might want to double-check Cisco's documentation for the VM requirements of the version you intend to use. If you own an appliance, you can skip the VM creation steps, insert the install DVD, and proceed to the software initialization setup. You also want to make sure that you have obtained a license file, whether an evaluation or a proper license, at this time.
Once you have ACS installed, familiarize yourself with the ACS GUI and perform basic configuration along the way with this video.
If you plan to use ACS only for device administration or VPN access, you can most likely get away with the default self-signed certificate. However, if you plan to implement wired or wireless 802.1X, it is recommended to have the certificate signed by an internal trusted CA, as demonstrated in this video, or even a third-party CA. Unlike ISE, ACS does not provide a web portal for guest access, so a third-party signed certificate is optional.
Every authentication system requires a user database, and unless you plan to use the ACS local identity store exclusively, you need to integrate ACS with an external identity store of your choice. The two most popular options are Microsoft Active Directory and LDAP, although ACS can also authenticate against an RSA token server or another RADIUS server.
- SEC0084 - ACS 5.4 AD Integration and Identity Store Sequences
- SEC0085 - ACS 5.4 LDAP Integration and Identity Store Sequences
An identity-based 802.1X authentication system relies heavily on the participation of Network Access Devices (NAD), aka authenticators, to pass authentication information between the user requesting network access, aka the supplicant, and ACS, aka the authentication server, as well as to enforce network access restrictions as part of the authorization result. Having the NAD configured appropriately is one of the crucial steps that eliminates a lot of issues you might otherwise run into later on. Since the network device configuration is interchangeable between ISE and ACS, here we refer back to the videos we already have in the ISE video series on recommended configurations for a Cisco switch and WLC.
- SEC0038 - ISE 1.1 802.1X Switch & WLC Recommended Config (Part 1)
- SEC0039 - ISE 1.1 802.1X Switch & WLC Recommended Config (Part 2)
Now that you have the system prepared, we will start tackling some of the potential use cases with Cisco ACS. You can skip to the section that is relevant to the feature you plan to implement.
1. Device Administration
One main reason that a lot of users are still reluctant to migrate to ISE is the lack of TACACS+ support on ISE (at the time of this writing), considering that TACACS+ is the most commonly used protocol for device administration on Cisco network devices. Here we begin with basic user authentication on a Cisco switch and an ASA firewall using TACACS+.
- SEC0086 - ACS 5.4 TACACS Device Admin on Switch and ASA (Part 1)
- SEC0087 - ACS 5.4 TACACS Device Admin on Switch and ASA (Part 2)
This video expands our configuration to include two types of authorization: Shell Privilege and Command Authorization. Note that per-command authorization is a feature unique to TACACS+ and not achievable via RADIUS, hence not available on ISE. Shell Privilege, on the other hand, can be implemented using RADIUS.
So far, we have looked at device admin on IOS-based devices and the ASA firewall. If you have a Wireless LAN Controller (WLC) and would like to leverage TACACS+ instead of using local admin accounts, this video will help you with the configuration.
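As an added illustration of the switch side of this setup (our own example, not configuration taken from the videos), here is a minimal IOS AAA configuration for TACACS+ login, shell privilege, and per-command authorization against an ACS server; the server name ACS1, address 192.0.2.10, shared secret and local password are placeholders.

```cisco
! Added example, not from the Lab Minutes videos: IOS-side AAA for TACACS+ device admin.
! Placeholders: ACS1 / 192.0.2.10 / SharedSecret / LocalEmergencyPw - replace with your own values.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key SharedSecret
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Login authentication: ask ACS first; the local database is used only if ACS is unreachable.
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
! Shell Privilege: ACS returns the privilege level in the exec authorization reply.
aaa authorization exec default group ACS-GROUP local if-authenticated
! Command Authorization (TACACS+ only): every level-15 command, including config
! commands, is checked with ACS before it runs.
aaa authorization commands 15 default group ACS-GROUP if-authenticated
aaa authorization config-commands
! Accounting gives you an audit trail of sessions and commands in the ACS reports.
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Keep one local emergency admin so you are not locked out when ACS is down.
username admin privilege 15 secret LocalEmergencyPw
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

Test with a second session open before applying the vty lines, so a mistake in the method lists cannot lock you out of the device.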
2. MAC Authentication Bypass (MAB)
Once you have enabled 802.1X throughout your network infrastructure, wired and/or wireless, you will need to configure MAB unless you plan to disable 802.1X on the ports or SSIDs to which non-802.1X-capable devices are connected. MAB is nothing but a list of allowed MAC addresses that will automatically pass 802.1X authentication and receive network access privileges according to their group membership. MAB should be used as a last resort, since it requires manual administration. This process is somewhat automated on ISE with its ability to discover the type of device through Device Profiling. You can then configure policies to allow devices onto the network based on device type, without having to enter all of their MAC addresses. Device Profiling is one of the features that distinguish ISE from ACS.
- SEC0090 - ACS 5.4 Wired and Wireless MAC Authentication Bypass (MAB) (Part 1)
- SEC0091 - ACS 5.4 Wired and Wireless MAC Authentication Bypass (MAB) (Part 2)
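As an added example of how MAB sits behind 802.1X on the switch (our own configuration, not one from the videos), here is an IOS access port that tries 802.1X first and falls back to the MAC address only when the host never answers EAPOL; the server name ACS1, address 192.0.2.10 and shared secret are placeholders.

```cisco
! Added example, not from the Lab Minutes videos: 802.1X with MAB fallback on an IOS access switch.
! Placeholders: ACS1 / 192.0.2.10 / SharedSecret - replace with your own values.
aaa new-model
!
radius server ACS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SharedSecret
!
aaa group server radius ACS-RADIUS
 server name ACS1
!
aaa authentication dot1x default group ACS-RADIUS
! Network authorization lets ACS push the VLAN or dACL that comes with the authorization result.
aaa authorization network default group ACS-RADIUS
aaa accounting dot1x default start-stop group ACS-RADIUS
!
! Without this global command no port actually runs the authenticator.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Try 802.1X first; MAB is only consulted if the host never sends EAPOL.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Restrict rather than err-disable on a violation, so an unknown MAC cannot take the port out of service.
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Shorter EAPOL retries so non-802.1X devices reach the MAB stage quickly (default is 30 s, 2 retries).
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```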
3. Wired and Wireless 802.1X (Native Supplicant)
Wireless 802.1X is already widely deployed in most corporate environments. Some companies have started looking into extending the same type of authentication to wired access in order to capture user identity as users appear on the network, identify their locations, and restrict their access. Another misconception some people have is that this requires ISE. That is not the case, as you will see in these videos: this feature is completely supported on ACS. However, using ACS, you are limited to the Windows Native Supplicant. What ISE brings to the table is support for EAP Chaining using Cisco AnyConnect Secure Mobility with the Network Access Module (NAM) as a supplicant, which helps address some of the caveats that exist in the Windows Native Supplicant with user and machine authentication. For additional information on this subject, please check out our ISE video series.
Here we discuss the two most popular authentication protocols: PEAP (username/password based) and EAP-TLS (certificate based). Our demonstrations are only applicable to Windows computers, but you can make it work on Macintosh and other OS platforms.
- SEC0092 - ACS 5.4 Wired 802.1X PEAP EAP-TLS with Machine Authentication (Part 1)
- SEC0093 - ACS 5.4 Wired 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)
- SEC0094 - ACS 5.4 Wireless 802.1X PEAP EAP-TLS with Machine Authentication (Part 1)
- SEC0095 - ACS 5.4 Wireless 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)
We have also included here how to use GPO to distribute network settings to the Windows client, for those network engineers out there who may not know too much about GPO.
4. VPN Access
Another common application implemented using ACS is remote user VPN access. In addition to basic RADIUS authentication, Cisco VPN devices accept a wide range of RADIUS attributes, both IETF standard and Cisco Vendor Specific Attributes (VSAs), to give you better control in assigning access privileges to remote users. This video uses the RADIUS Class attribute as an example to place users under a specific Group-Policy when they connect via the Cisco AnyConnect VPN client, and also pushes out a per-user downloadable ACL.
Looking at more advanced features, ACS allows even greater flexibility with user custom attributes, where you can create per-user attributes of type string, boolean, numeric, etc., and build authentication or authorization policies around those attributes. You can also leverage existing user attributes in Active Directory for the same purpose. With this, per-user policies similar to those of ACS pre-5.x versions are possible. The following video demonstrates the use of a custom attribute to enable and disable VPN access for an individual user, and the use of an AD user attribute to assign a VPN user a static IP. All VPN functionality presented in this section can also be implemented on ISE.
Another feature that does not exist on ACS but does on ISE is support for BYOD device onboarding. This is when you would like to allow employee personal devices to register and connect to the network as part of a BYOD initiative.
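As an added example of the ASA side of the Class-attribute mapping described above (our own configuration, not one from the videos), the ASA selects the group-policy named in the IETF Class attribute (value OU=GP-EMPLOYEES;) that ACS returns in the Access-Accept; the server address, shared secret, pool and policy names are placeholders.

```cisco
! Added example, not from the Lab Minutes videos: ASA AnyConnect authentication against ACS via RADIUS.
! Placeholders: 192.0.2.10 / SharedSecret / VPN-POOL / GP-EMPLOYEES / GP-NOACCESS.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key SharedSecret
 authentication-port 1812
 accounting-port 1813
!
ip local pool VPN-POOL 10.10.200.10-10.10.200.100 mask 255.255.255.0
!
! Policy that ACS assigns by returning IETF attribute 25 (Class) = "OU=GP-EMPLOYEES;".
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL
!
! Default policy for anyone ACS authenticates without returning a Class attribute:
! zero simultaneous logins means such users are denied rather than silently admitted.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy GP-NOACCESS
```

With this layout, enabling or disabling a user's VPN access is done entirely on ACS, which is what the custom-attribute video builds on.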
When you have only a small number of network devices or local users, adding, modifying, and removing them manually may not be a problem. Dealing with a few hundred of them is a different story, and you may want to look into the import and export features. This video shows you how to work with a .csv file to save time when you need to work with a large number of objects (e.g. network devices, users, locations, etc.).
When building a reliable authentication system, redundancy is almost mandatory. In ACS terms, you need to implement a distributed deployment. Although this video only shows a two-server deployment, a single primary and a single secondary, which is probably the most common topology, it is certainly possible to incorporate additional secondary servers that are geographically dispersed, have those secondary servers join local domain controllers, and authenticate network devices against their local ACS servers. This way, you keep latency within the geographical region while enjoying the benefit of unified access policies and a unified configuration system.
Finally, the last two videos show you maintenance tasks that you will most likely need to perform during the lifetime of your ACS implementation. Regular configuration and report backups are always recommended so you are prepared for any disaster. From time to time, you might also need to install a patch when you run into a documented issue, so it is helpful to know how that is done as well.
Hopefully, after reviewing these videos, you have gained enough confidence and feel more comfortable working with Cisco ACS 5. If you have any questions, feel free to post them under the corresponding video page or on the Lab Minutes forum. For similar video guides on other technologies, keep your eyes on our website or sign up for our newsletter to be the first to know.
All videos referenced in this guide are available for purchase under the Cisco ACS 5.x Video bundle.