Networking, Security & Cloud Knowledge


Friday, May 29, 2015

ACS 5.1 overview

   Earlier versions of ACS based authorization on membership of user groups: a user group defined the access restrictions and permissions for the users who were members of that group. Because authorization was tied to user groups, all members had the same access policies and restrictions all the time. This type of authorization suits simple policies in which identity is the only condition, but not the case where a user should have different permissions under different conditions (such as location, date and time). The ACS 5.1 rule-based policy model is based on rules of the form:
   IF condition THEN result
In ACS 5.1 we define conditions and results as global, shared objects. You define them once and then reference them when you create rules. ACS 5.1 uses the term policy elements for these shared objects; they are the building blocks for creating rules.



The table below shows how the various policy elements define all the information that the old group contained.
Table 3-1 Information in Policy Elements

  Information in ACS 4.x Group   Information in ACS 5.1 Policy Element
  Identity information           AD group membership and attributes
                                 LDAP group membership and attributes
                                 ACS internal identity groups and attributes
  Other policy conditions        Time and date conditions
                                 Custom conditions
  Permissions                    Authorization profiles


A policy is a set of rules that ACS 5.1 uses to evaluate an access request and return a decision. For example, the set of rules in an:
  • Authorization policy returns the authorization decision for a given access request.
  • Identity policy decides how to authenticate and acquire identity attributes for a given access request.

ACS 5.1 organizes a sequence of independent policies (a policy workflow) into an access service, which it uses to process an access request. We can create multiple access services to process different kinds of access requests, for example device administration or network access.

An access service contains the identity and authorization policies for handling incoming service requests. By default ACS provides one access service (Default Network Access) for handling RADIUS network access requests and another (Default Device Admin) for TACACS+ device administration requests. Typically each access service has two policy steps: an identity policy to select the identity store used to authenticate the user, and an authorization policy to grant permissions.

We can define simple policies, which apply a single result to all requests without any conditions, and rule-based policies, which are complex policies that test various conditions.
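The following is an added illustration of the rule-based model described above; it is example code written for this page, not Cisco ACS code. Conditions and authorization profiles are defined once as shared policy elements and referenced by name from an ordered rule table of the form IF condition THEN result; the first rule whose conditions all hold supplies the result, and a default applies otherwise. The condition names, profile names, device-group paths and sample requests are all constructed for the example. A small group-only lookup is included beside it to show what the older group-based model returns for the same request.

```python
"""Rule-based authorization in the style of the ACS 5.1 policy model.

Added example, not Cisco code. Policy elements (conditions and results)
are shared objects defined once and referenced by name from rules.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Tuple


@dataclass
class AccessRequest:
    """Identity attributes plus the context the rules can test (constructed)."""
    username: str
    groups: List[str]      # e.g. AD/LDAP group membership
    device_group: str      # hierarchical network device group, "/"-separated
    when: datetime         # time of the request


Condition = Callable[[AccessRequest], bool]


# --- Shared condition elements (defined once, referenced by name) ---------
def in_group(name: str) -> Condition:
    return lambda req: name in req.groups


def time_window(start: time, end: time) -> Condition:
    return lambda req: start <= req.when.time() <= end


def device_group_under(prefix: str) -> Condition:
    # Hierarchical device groups: a rule on "All Devices/Datacenter" also
    # covers "All Devices/Datacenter/Core".
    return lambda req: req.device_group == prefix or req.device_group.startswith(prefix + "/")


CONDITIONS: Dict[str, Condition] = {             # names are assumptions
    "Is-NetOps": in_group("NetOps"),
    "Is-Helpdesk": in_group("Helpdesk"),
    "Business-Hours": time_window(time(9, 0), time(18, 0)),
    "Datacenter-Device": device_group_under("All Devices/Datacenter"),
}

# --- Shared result elements: authorization profiles (permissions) ---------
AUTHZ_PROFILES: Dict[str, Dict[str, object]] = {  # contents are assumptions
    "Full-Admin": {"privilege": 15, "commands": "permit all"},
    "Read-Only": {"privilege": 1, "commands": "show *"},
    "Deny": {"privilege": 0, "commands": "deny all"},
}


@dataclass
class Rule:
    name: str
    conditions: List[str]   # names in CONDITIONS; all must hold (AND)
    result: str             # name in AUTHZ_PROFILES


# Ordered rule table; evaluated top-down, first full match wins.
AUTHZ_POLICY: List[Rule] = [
    Rule("NetOps-DC-BusinessHours", ["Is-NetOps", "Datacenter-Device", "Business-Hours"], "Full-Admin"),
    Rule("NetOps-Otherwise", ["Is-NetOps"], "Read-Only"),
    Rule("Helpdesk-ReadOnly", ["Is-Helpdesk", "Business-Hours"], "Read-Only"),
]
DEFAULT_RESULT = "Deny"     # catch-all when no rule matches


def evaluate(req: AccessRequest, policy: List[Rule] = AUTHZ_POLICY) -> Tuple[str, str]:
    """Return (matched rule name, authorization profile name) for a request."""
    for rule in policy:
        if all(CONDITIONS[name](req) for name in rule.conditions):
            return rule.name, rule.result
    return "Default", DEFAULT_RESULT


# The older model for contrast: permission fixed by group membership alone,
# so the same user gets the same profile regardless of time or device.
LEGACY_GROUP_PERMISSIONS = {"NetOps": "Full-Admin", "Helpdesk": "Read-Only"}


def legacy_group_decision(req: AccessRequest) -> str:
    for group in req.groups:
        if group in LEGACY_GROUP_PERMISSIONS:
            return LEGACY_GROUP_PERMISSIONS[group]
    return DEFAULT_RESULT


# Constructed sample requests (not from the page).
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    "netops_dc_daytime": AccessRequest("alice", ["NetOps"], "All Devices/Datacenter/Core", datetime(2015, 5, 29, 10, 0)),
    "netops_dc_night": AccessRequest("alice", ["NetOps"], "All Devices/Datacenter/Core", datetime(2015, 5, 29, 22, 0)),
    "netops_branch_daytime": AccessRequest("alice", ["NetOps"], "All Devices/Branch", datetime(2015, 5, 29, 10, 0)),
    "helpdesk_night": AccessRequest("bob", ["Helpdesk"], "All Devices/Branch", datetime(2015, 5, 29, 22, 0)),
}


def decide_all() -> Dict[str, Tuple[str, str]]:
    """Rule-based decision for every sample request."""
    return {key: evaluate(req) for key, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for key, (rule, profile) in decide_all().items():
        legacy = legacy_group_decision(SAMPLE_REQUESTS[key])
        print(f"{key:24} rule={rule:24} profile={profile:10} (group-only model: {legacy})")
```

Note that "alice" receives Full-Admin, Read-Only or Read-Only depending only on the device group and time of day, while the group-only lookup returns Full-Admin in every case; that is exactly the distinction the text draws between the two models. Rule order matters: the more specific NetOps rule must precede the catch-all NetOps rule or it will never be reached.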


Key Benefits
  • Powerful and flexible policy model
    • Authorization is not tied to a single group membership.
    • Different authorization under different conditions (e.g. time, location, etc.).
    • Network device groups can be structured hierarchically to simplify policy administration.

  • Enhanced management and troubleshooting:
    • Centralized collection and reporting of activity and health information
    • Incremental replication
    • Installation and management interface for software updates.



ACS Functionality


Within the context of the two major AAA protocols, RADIUS and TACACS+, ACS provides the following basic areas of functionality:

  • Under the framework of the RADIUS protocol, ACS controls wired and wireless access by users and host machines to the network and manages the accounting of the network resources used. ACS supports multiple RADIUS-based authentication methods that include PAP, CHAP, MSCHAPv1, MSCHAPv2, and many members of the EAP family of protocols, such as EAP-MD5, LEAP, PEAP, EAP-FAST, and EAP-TLS. In association with PEAP or EAP-FAST, ACS also supports EAP-MSCHAPv2 and EAP-GTC.
  • Under the framework of the TACACS+ protocol, ACS facilitates the administrative management of Cisco and non-Cisco network devices such as switches, wireless access points, routers and gateways, as well as of services and entities such as dialup, VPN and firewall.



Summary


  • Cisco ACS 5.1 is a policy management system supporting comprehensive, identity-based access control and security. It supports 802.1X and NAC RADIUS, and also supports device administration through TACACS+.
  • It is available in two form factors:
    • Linux appliance: a one-rack-unit (1RU), security-hardened, Linux-based appliance
    • Virtual appliance: a software application and operating system image for installing on VMware ESX 3.5.
  • All primary and secondary ACS servers can process AAA requests. The primary ACS server is also the default log collector for the Monitoring and Report Viewer, but you can configure any ACS server to be the log collector.



Wednesday, January 18, 2012

024- Cisco Secure ACS 5.1..............Part I




[1] Initial configuration of the Cisco Secure ACS-1121 Appliance


Power on the appliance.

The setup prompt appears as follows:

Please type `setup' to configure the appliance

localhost login:

----------------------------------------------------------------------------------
Provide the basic parameters:

localhost login: setup

Enter hostname[]: ACS01

Enter IP address[]: 10.10.10.10

Enter IP default netmask[]: 255.255.255.0

Enter IP default gateway[]: 10.10.10.1

Enter default DNS domain[]: xyz.com

Enter Primary nameserver[]: 10.10.10.50

Add/Edit another nameserver? Y/N : n

Enter username [admin]: admin

Enter password: ******

Enter password again: ******


Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...



Note: The password set above is only used for CLI mode.
-----------------------------------------------------------------------------------
[2] Verifying the Installation Process
Log in to ACS and issue the following command:
show application, and press Enter.

The console Output:
[name]  [Description]
acs     ACS 5.1
---------------------------------------------------------------------------------
[3] To check the release and ACS version installed, enter the following command:
show application version acs, and press Enter.

The console Output:
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.1.0
Release : B.1083
---------------------------------------------------------------------------------
[4] Setting the SNMP community string on ACS 5.1
snmp-server community PUBLIC ro
snmp-server host 10.10.10.100 version 2c PUBLIC
Note: PUBLIC is a placeholder here. The community string is effectively a shared password for SNMP access, so use a non-default value and restrict which hosts can query the appliance.
-----------------------------------------------------------------------------------
[5] Configuring DNS server entries and the timezone in ACS

ip name-server  10.10.10.50  20.20.20.50

clock timezone India/Delhi

------------------------------------------------------------------------------------
[6] To check the status of the ACS processes, enter the following command:
show application status acs, and press Enter.


The console output:

ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
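As an added example (not Cisco code, and not part of the original post), the following parser turns the console output of `show application status acs` shown above into a health report, so that the check can be scripted rather than read by eye. The first sample is constructed to match the output on this page; the second, degraded sample and its "not running" wording are assumptions, since the page only shows a healthy appliance. Any state other than "running", and any expected process that is missing from the output entirely, is reported as a problem.

```python
"""Parse 'show application status acs' console output into a health report.

Added example, not Cisco code. The expected process list is taken from the
console output shown on this page; the degraded sample is constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample following the console output shown above.
SAMPLE_STATUS = """\
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
"""

# Constructed degraded sample: one process stopped (wording assumed),
# one process missing from the output altogether.
DEGRADED_STATUS = """\
ACS role: SECONDARY
Process 'database' running
Process 'management' not running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
"""

# The eight processes listed in the page's console output.
EXPECTED_PROCESSES = frozenset({
    "database", "management", "runtime", "view-database", "view-jobmanager",
    "view-alertmanager", "view-collector", "view-logprocessor",
})

ROLE_RE = re.compile(r"^ACS role:\s*(\S+)\s*$")
PROC_RE = re.compile(r"^Process\s+'([^']+)'\s+(.+?)\s*$")


def parse_acs_status(text: str) -> Dict[str, object]:
    """Return {'role': <role or None>, 'processes': {name: state}}."""
    role: Optional[str] = None
    processes: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # tolerate blank lines in captured output
        m = ROLE_RE.match(line)
        if m:
            role = m.group(1)
            continue
        m = PROC_RE.match(line)
        if m:
            processes[m.group(1)] = m.group(2)
    return {"role": role, "processes": processes}


def health_problems(status: Dict[str, object], expected=EXPECTED_PROCESSES) -> List[str]:
    """List expected processes that are missing, then any not in state 'running'."""
    procs: Dict[str, str] = status["processes"]  # type: ignore[assignment]
    problems = [f"{name}: not reported" for name in sorted(expected - set(procs))]
    problems += [f"{name}: {state}" for name, state in sorted(procs.items()) if state != "running"]
    return problems


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_STATUS), ("degraded", DEGRADED_STATUS)):
        status = parse_acs_status(text)
        problems = health_problems(status)
        print(f"{label}: role={status['role']} problems={problems or 'none'}")
```

Feeding the captured output of a scheduled `show application status acs` into `health_problems` gives a list that is empty on a healthy node, which makes it easy to alert only on change; the `role` field is worth recording as well, since the primary is the default log collector for the Monitoring and Report Viewer.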

--------------------------------------------------------------------------------
[7] GUI Access to ACS 5.1
Browse to the URL https://10.10.10.10/acsadmin


Note: The default username is acsadmin and the default password is default. The system will ask you to change the default password.

You will have to add the license file. If you got the ACS 5.x image from the Cisco website, they will provide you with a trial license file or a standard / extended license.