BRKSEC-2580 - Introduction to Cisco Secure ACS 5.0

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Uploaded by suraj2002 on 22-Oct-2014

TRANSCRIPT

Page 1

Introduction to Cisco Secure ACS 5.0

BRKSEC-2580

Page 2

Agenda

Overview

Policy Model

Managing Policy

Deployment

Migration

Licensing

More Information

Page 3

Cisco Secure ACS 5.0

Overview

Page 4

Next-Generation Access Policy Management

Single platform for network access and device administration

Extremely flexible policy administration

New web-based administration

Advanced troubleshooting, monitoring, and reporting tools

New Linux-based platform for robustness, scalability and performance

Page 5

ACS 5.0 Platform Options

Linux Appliance

One rack-unit (1RU) security-hardened, Linux-based appliance

VMware version

Software application and Linux operating system image for installation on VMware ESX 3.5

Page 6

ACS 5.0: Focus On Core Dot1x And Device Administration Use Cases

Core network access use cases

802.1X wired & wireless access using passwords or certificates

Authentication to ACS internal database or external directories

Host lookup for devices with no supplicant (“MAC auth bypass”)

Basic functionality for standard Device Administration use cases

RADIUS/TACACS+ shell login authorization

TACACS+ per-command authorization (ACS “command sets”)

Other use cases may not be supported

ACS 5.0 does not deliver complete parity with ACS 4.x

More complete feature parity planned for future releases

See More Information for a detailed ACS 4.x comparison

Page 7

ACS 5.1: Address Other Use Cases

ACS 5.1 – Q4CY09

One-Time Passwords for remote access, dot1x and device administration scenarios

Advanced TACACS+ features such as password change

Advanced network access handling such as RADIUS proxy and AD certificate comparison

Contact your account team for more ACS 5.1 information

Page 8

Cisco Secure ACS 5.0

Policy Model

Page 9

ACS 4.x: Group-Based Policy Model

User Groups (diagram)

Employee Group: Permissions – Employee_VLAN; Restrictions – None

NetAdmin Group: Permissions – Full Access; Restrictions – None

Guest Group: Permissions – Guest_VLAN; Restrictions – Time_of_Day

Group-based policy

• User is authenticated & associated to a group

• Authorization based on static permissions and restrictions for the user’s group

• User subjected to SAME restrictions and gets SAME permissions ALWAYS

• Works well if Identity is the dominant or only condition

• Does not work well for complex authorization policies based on dynamic conditions, e.g. an Employee gets full access when on-site & restricted access when coming in remotely

Page 10

ACS 5: Rules-Based Policy Model

Diagram: Identity (Employee Group, NetAdmin Group, Guest Group; Engineering, Human Resources) + Other Conditions (Location, Posture, Access Type, Time & Date) → Authorization Profiles (Login VLAN, Guest, Quarantine, Deny Access)

Policy Rules (example)

CONDITIONS                   RESULT
ID GROUP    LOCATION         AZN PROFILE
ENG         SJ_CAMPUS        SJ_ENG
ENG         RTP_CAMPUS       RTP_ENG
ENG         EXTERNAL         EXT
IF NO MATCH                  DENY ACCESS

Policy Elements: the identity groups, conditions and authorization profiles referenced by the rules

Identity is decoupled from permissions

Authorization based on identity and conditions specified as policy rules

• IF <condition(s)> THEN <permission>

Page 11

Flexible Policy Conditions

Network information – AAA protocol, AAA client, network device group

AAA information – EAP type, MAC address, other AAA attributes

Certificate attributes

Identity store user attributes and group memberships

ACS internal store, Active Directory, LDAP directories

Page 12

Access Services Implement ACS Policy

Diagram: AAA Request → ACS (Access Service) → AAA Response

Page 13

ACS Service Selection

Diagram: AAA Request → Service Selection → Access Service 1 / Access Service 2 / Access Service 3 → AAA Response

ACS Service Selection Criteria

AAA protocol

Network device group

ACS server

Request attributes

Date and time

AAA client

Page 14

Access Service Components

Identity Policy

Selects the Identity Store (or stores) to be used for authentication and retrieval of identity attributes

Group Mapping Policy (optional)

Used to “normalize” identity information by mapping from collected identity attributes to an internal “Identity Group”

External Server Check (optional)

Allows additional attributes to be collected from external policy systems

Authorization Policy

This is the heart of ACS, where all collected attributes are evaluated to arrive at an authorization policy decision

Page 15

Identity Policy

Policy to select identity stores that are used to authenticate and retrieve attributes/group info

Flexibility in selection of identity store

Static: “Always use LDAP”

Conditional: “Use CORP_AD if MSCHAPv2 is used”

Authentication Method    Identity Store
X509 Certificate         Certificate Profile
MSCHAPv2                 CORP_AD
If no match              Deny Access

Page 16

Authorization Policy

ID Group   Location   Access Type   Time & Date   Compliance      Azn Profile
ENGR       -          -             -             Compliant       ENG
ENGR       -          -             -             Not Compliant   PUB, ENG
CONT       CAMPUS     WIRED         DAY           Compliant       CONT
CONT       CAMPUS     WIRELESS      DAY           Compliant       CONT_WLAN
PRINTERS   CAMPUS     WIRED         -             -               PTR
DEFAULT (if no match found)                                       QUAR

First match wins (permissions from different rules are not merged)

Discrete columns per condition element

Authorization profiles may be combined in Rule results

Conflict resolution via precedence order

Allows “hierarchy” of Authorization profiles, reduces proliferation of individual profiles

Default rule (If no match found)
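The rules-based model on the ACS 5 policy slides (service selection, identity policy, authorization policy) is a first-match table: discrete condition columns, a "-" cell meaning the condition is not evaluated for that rule, a result that may name several authorization profiles in precedence order, and a default rule. The following Python is an added example written for this page, not ACS code: it encodes the identity policy table (X509 Certificate / MSCHAPv2) and the authorization policy table from these slides, merges combined profile results by precedence, and adds a check for rules that an earlier, more general rule makes unreachable. The profile attribute values (VLAN ids, dACL names, session timeout) are assumed for the demonstration.

```python
"""First-match rule tables of the kind ACS 5 evaluates for identity policy
and authorization policy.  Added example, not ACS code: condition names,
profile attributes and VLAN/dACL values are assumed for the demonstration."""
from dataclasses import dataclass

ANY = "-"   # a "-" cell means the condition is not evaluated for that rule


@dataclass
class Rule:
    conditions: dict            # condition column -> required value (or ANY)
    result: tuple               # authorization profiles, highest precedence first


@dataclass
class RuleTable:
    columns: tuple              # discrete condition columns of the table
    rules: list
    default: tuple              # result when no rule matches


def evaluate(table: RuleTable, request: dict) -> tuple:
    """Return the result of the first rule whose every condition matches.
    The first match wins and evaluation stops; results are never merged
    across rules."""
    for rule in table.rules:
        if all(rule.conditions.get(col, ANY) in (ANY, request.get(col))
               for col in table.columns):
            return rule.result
    return table.default


def shadowed_rules(table: RuleTable) -> list:
    """Indices of rules that can never fire because an earlier rule is at
    least as general in every column.  Worth running after any reorder."""
    shadowed = []
    for j, later in enumerate(table.rules):
        for earlier in table.rules[:j]:
            if all(earlier.conditions.get(c, ANY) in (ANY, later.conditions.get(c, ANY))
                   for c in table.columns):
                shadowed.append(j)
                break
    return shadowed


# Slide 15: identity policy keyed on authentication method
IDENTITY_POLICY = RuleTable(
    columns=("auth_method",),
    rules=[Rule({"auth_method": "X509 Certificate"}, ("Certificate Profile",)),
           Rule({"auth_method": "MSCHAPv2"}, ("CORP_AD",))],
    default=("Deny Access",),
)

# Slide 16: authorization policy; omitted columns are "-" (not evaluated)
AUTHORIZATION_POLICY = RuleTable(
    columns=("id_group", "location", "access_type", "time", "compliance"),
    rules=[
        Rule({"id_group": "ENGR", "compliance": "Compliant"}, ("ENG",)),
        Rule({"id_group": "ENGR", "compliance": "Not Compliant"}, ("PUB", "ENG")),
        Rule({"id_group": "CONT", "location": "CAMPUS", "access_type": "WIRED",
              "time": "DAY", "compliance": "Compliant"}, ("CONT",)),
        Rule({"id_group": "CONT", "location": "CAMPUS", "access_type": "WIRELESS",
              "time": "DAY", "compliance": "Compliant"}, ("CONT_WLAN",)),
        Rule({"id_group": "PRINTERS", "location": "CAMPUS", "access_type": "WIRED"}, ("PTR",)),
    ],
    default=("QUAR",),
)

# Authorization profiles (permission containers); attribute values are assumed
AUTHZ_PROFILES = {
    "ENG":       {"vlan": "10",  "dacl": "ENG_FULL", "session_timeout": "28800"},
    "PUB":       {"vlan": "100", "dacl": "INTERNET_ONLY"},
    "CONT":      {"vlan": "20",  "dacl": "CONTRACTOR"},
    "CONT_WLAN": {"vlan": "21",  "dacl": "CONTRACTOR"},
    "PTR":       {"vlan": "30"},
    "QUAR":      {"vlan": "999", "dacl": "QUARANTINE"},
}


def merge_profiles(names: tuple, profiles=AUTHZ_PROFILES) -> dict:
    """Combine the profiles named in one rule result.  Earlier names have
    higher precedence, so an attribute already set is never overwritten."""
    merged = {}
    for name in names:
        for attr, value in profiles[name].items():
            merged.setdefault(attr, value)
    return merged


def authorize(request: dict) -> tuple:
    """Identity policy, then authorization policy, for one AAA request.
    Returns (identity store used, permission attributes to return)."""
    store = evaluate(IDENTITY_POLICY, request)[0]
    if store == "Deny Access":
        return store, {}
    return store, merge_profiles(evaluate(AUTHORIZATION_POLICY, request))
```

Two things worth noticing when running it: the contractor rules require CAMPUS, DAY and Compliant together, so a compliant contractor connecting at night falls through to the QUAR default rather than to a contractor profile, which is the safe direction for a first-match table; and shadowed_rules catches the classic mistake of placing a rule with "-" in the Compliance column above the rule that handles non-compliant hosts, which silently disables the posture check without any error in the GUI.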

Page 17

Cisco Secure ACS 5.0

Managing Policy

Page 18

ACS 5.0 Graphical User Interface

Page 19

Service Selection

Page 20

ACS Access Services

2 Access Services by default

User configurable / customizable

Page 21

Location NDG Hierarchy

Page 22

Network Device List

Page 23

Network Device Properties

Page 24

Users and Identity Stores

Page 25

Internal Users

Page 26

LDAP Directories

Page 27

LDAP Directory Configuration

Page 28

Active Directory Configuration

Page 29

AD Groups

Select the subset of AD groups to be made available for referencing in policy rules

Page 30

AD User Attributes

Select the subset of user record attributes to be retrieved and made available for reference in policy rules

Page 31

Certificate Authentication Profile

Define which cert attribute is mapped to “username”

Optionally perform binary cert comparison

Page 32

Identity Sequence

Define one ID source for authentication, another for additional attributes (e.g. CERT + AD groups)

Page 33

Date & Time Condition

Page 34

Custom Condition

Page 35

Authorization Profile (permissions container)

Define set of permission attributes to be referenced in policy rules (returned in “access accept” response)
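An authorization profile only takes effect once it is encoded as RADIUS attributes in the Access-Accept and the AAA client accepts that packet. The following Python is an added example, not ACS code: it encodes a profile consisting of a VLAN and a filter name as the RFC 2868 tunnel attributes plus Filter-Id, computes the RFC 2865 Response Authenticator, and shows the check the AAA client performs on receipt. The attribute numbers are the IANA-assigned ones; the identifier, request authenticator, shared secret, VLAN id and filter name are constructed for the demonstration.

```python
"""Encode an authorization profile (VLAN + filter name) as a RADIUS
Access-Accept and compute/verify its Response Authenticator.
Added example, not ACS code.  Attribute numbers are the IANA-assigned ones
(RFC 2865, RFC 2868); the identifier, request authenticator, shared secret,
VLAN and filter name are constructed for the demonstration."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                                                          # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81    # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed values standing in for what the Access-Request carried
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"


def attribute(atype: int, value: bytes) -> bytes:
    """One TLV: Type (1 octet), Length (1 octet, includes the header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three tagged tunnel attributes a switch needs for VLAN assignment.
    Tunnel-Type and Tunnel-Medium-Type carry a tag octet plus a 3-octet value;
    Tunnel-Private-Group-ID carries the tag octet plus the VLAN id as text."""
    return (attribute(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attribute(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def accept_for_profile(identifier: int, request_auth: bytes, secret: bytes,
                       vlan_id: int, filter_name: str) -> bytes:
    """Encode one authorization profile {VLAN, dACL/filter name} as the reply."""
    attrs = attribute(FILTER_ID, filter_name.encode()) + vlan_attributes(vlan_id)
    return build_access_accept(identifier, request_auth, secret, attrs)


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the AAA client does on receipt: check the length field, recompute
    the authenticator over the packet as received, compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(received_auth, expected)


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs after the 20-octet header; reject truncated attributes."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def vlan_from_accept(packet: bytes):
    """VLAN id carried in Tunnel-Private-Group-ID (after its tag octet), or None."""
    for atype, value in parse_attributes(packet):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return int(value[1:].decode())
    return None
```

The Response Authenticator covers the whole packet, so a reply whose VLAN has been altered in transit fails verification at the switch as long as the shared secret is unknown to whoever altered it. That is also the limit of the protection: an MD5 keyed only by the shared secret is the sole integrity mechanism on the Access-Accept, so a distinct, long secret per AAA client matters more than it looks when the reply decides VLAN membership.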

Page 36

ACS Access Services

2 Access Services by default

User configurable / customizable

Page 37

Identity Policy Example

Rule-based Identity Policy – allows use of EAP-MSCHAPv2 or EAP-TLS (client cert) for authentication

Page 38

Authorization Policy Example

Authorization based on membership in AD groups, location, and date/time condition

Page 39

Exception Policy Example

Set of conditions can be different from the standard policy

Keeps policy exceptions & waivers separate

Page 40

Service Selection

Page 41

Cisco Secure ACS 5.0

Monitoring and Reporting

Page 42

ACS 5.0 Monitoring & Reports Dashboard

Page 43

Monitoring and Reports Highlights

Basic License Features

Dashboard

Real-time display of system and AAA health metrics

Reports

Pre-defined & custom reports

Favorite reports

Troubleshooting Reports & tools

Standard Log Data Storage (1 month data age-out)

Advanced Monitoring & Reporting License Features

Alarms

Define conditions and thresholds to generate alarms

Display of alarms in Monitoring Dashboard

Session Directory

Directory of all sessions, showing key data (username, MAC address, IP address, session identifier, NAD, port, policy decision, posture, etc).

AAA Accounting start/stop for session start/stop

Troubleshooting Tools

Connectivity tests (ping/nslookup/traceroute) on any device

Extended Log Data Storage (up to 1 year data age-out)

Page 44

ACS 5.0: Reports

Authentication

Authentication summary, failed authentication summary, MAC authentication reports, access service authentication reports

AAA

RADIUS/TACACS+ authentication and accounting, TACACS+ authorization

Health/Operations Status

Diagnostics, health summary

ACS Administration

Administrator logins, configuration changes

Command Audit

Command audit by user/device, command authorization by user/device

Page 45

Authentication Report Details

Page 46

ACS 5: Session Directory Report

Reports details of RADIUS & TACACS sessions

Active, History and Lookup

Page 47

ACS 5.0: Alarm Types *

Authentication activity alarms

Passed or failed authentications over a period of time

Inactivity over a period of time

Audit alarms

Command accounting, command authorization (TACACS+)

ACS configuration commands

Health alarms

ACS system process, metrics

AAA throughput

RADIUS traffic volume

* Advanced Monitoring & Reporting License
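The alarm types above come down to counting events per key inside a time window. The following Python is an added example, not ACS code, that implements the two authentication activity alarms over constructed records (timestamp, user, network device, result) that are not in any ACS log format: a sliding-window threshold on failed authentications per user or per device, and an inactivity alarm for network devices that have sent nothing for a given period.

```python
"""Threshold and inactivity alarms over authentication activity, of the kind
the Advanced Monitoring & Reporting license provides.  Added example, not
ACS code: the records are constructed (timestamp, user, network device,
result) and are not in any ACS log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = [
    ("2009-06-29 09:00:05", "jdoe",   "sw-sj-01", "PASS"),
    ("2009-06-29 09:00:20", "admin",  "sw-sj-01", "FAIL"),
    ("2009-06-29 09:00:31", "admin",  "sw-sj-01", "FAIL"),
    ("2009-06-29 09:00:44", "admin",  "sw-sj-02", "FAIL"),
    ("2009-06-29 09:01:02", "admin",  "sw-sj-02", "FAIL"),
    ("2009-06-29 09:01:15", "admin",  "sw-sj-03", "FAIL"),
    ("2009-06-29 09:07:00", "jdoe",   "sw-sj-01", "PASS"),
    ("2009-06-29 09:30:00", "asmith", "sw-sj-01", "PASS"),
]


def parse(records):
    """Turn the constructed rows into (datetime, user, nad, result) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, nad, result)
            for ts, user, nad, result in records]


def failed_auth_alarms(records, threshold=5, window=timedelta(minutes=5),
                       key=lambda rec: rec[1]):
    """One alarm per key (user by default; pass key=lambda r: r[2] for the
    network device) when `threshold` failures fall inside a sliding `window`.
    The alarm re-arms only after the window drains below the threshold, so a
    long burst produces one alarm rather than one per failure."""
    recent = defaultdict(deque)     # key -> timestamps of failures in window
    armed = set()                   # keys whose alarm has already fired
    alarms = []
    for rec in sorted(records):
        ts, result, k = rec[0], rec[3], key(rec)
        q = recent[k]
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            armed.discard(k)
        if result != "FAIL":
            continue
        q.append(ts)
        if len(q) >= threshold and k not in armed:
            armed.add(k)
            alarms.append((ts, k, len(q)))
    return alarms


def inactivity_alarms(records, expected_nads, now, inactivity=timedelta(minutes=15)):
    """Network devices that sent no authentication, passed or failed, within
    `inactivity` of `now`; a device that never appears is reported too."""
    last_seen = {}
    for ts, _user, nad, _result in records:
        last_seen[nad] = max(ts, last_seen.get(nad, ts))
    return sorted(nad for nad in expected_nads
                  if nad not in last_seen or now - last_seen[nad] > inactivity)


def latest(records):
    """Timestamp of the newest record; used as 'now' when replaying a log."""
    return max(rec[0] for rec in records)
```

Keying the same records by user and by device gives different pictures: the five admin failures spread across three switches trip the per-user alarm while no single device reaches the threshold, which is the trace a guessing attempt distributed across devices leaves behind. The inactivity alarm is the complementary check for a switch that has silently stopped talking to ACS, for example after a failed-over AAA server list or a wrong shared secret.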

Page 48

ACS 5.0 Alarms*

* Advanced Monitoring & Reporting License

Page 49

ACS 5.0: Troubleshooting Tools

Authentication Query

Displays recently used MAC addresses for any particular user and passed/failed authentication activity

Authentication Failure Code Customization*

Administrator can customize ACS failure code root cause and resolution information

Connectivity to ACS

To test connectivity and download package.cab file from server

Connectivity test*

ping / nslookup / traceroute commands

* Advanced Monitoring & Reporting License

Page 50

Base License Features

Page 51

Advanced License Features

Page 52

Cisco Secure ACS 5.0

Deployment

Page 53

ACS Distributed Deployment

Consists of multiple ACS instances that are managed together

One Primary and multiple Secondary servers

All ACS instances are identical (run full ACS software version)

Each ACS can play a specific role in the deployment

Part of the functionality (AAA, Management interface, Monitoring & Reporting) could be disabled

Incremental replication model

Primary ACS is single point of configuration & to monitor secondary servers

Automatic incremental replication to Secondary servers

Diagram: one ACS Master and three ACS Secondaries, with Database download and Incremental Replication flowing from the Master to the Secondaries

Page 54

Promoting a Secondary to be a Master

Each secondary could take the role of the master

Secondary promotion to be a master is manual

The master (if not failed) is stopped

Replication is allowed to complete

The promoted secondary notifies all ACS instances

On promotion the secondary interrogates all instances for their replication status

Diagram: the original ACS Master is marked failed (X); one ACS Secondary becomes the Promoted Master, and DB download and incremental replication now flow from it to the remaining Secondaries

Page 55

Deployment Planning

Things to consider

Form factor: Appliance vs VMware

Number of ACS servers: based on performance data

Location of the server

Function: AAA server, Replication server, Monitoring & Reporting server

Page 56

Minimum ACS Deployment

Consists of 2 servers

Primary server provides all the configuration, authentication and policy requirements for the network.

Second server used as a backup server.

Replication from primary ACS to secondary ACS to keep the secondary server in synchronization.

Page 57

Medium Growing ACS Deployment

As the local network grows, more Cisco Secure ACS servers need to be added to the system.

Consider dedicating the primary server to configuration services only, using the secondary servers for AAA functions.

At this point, the primary server may also be used as a centralized logging server.

Page 58

Larger ACS Deployment

In a large, centralized network, consider the use of a load balancer; it simplifies the deployment.

Recommended to dedicate one Cisco Secure ACS server as a Monitoring and Reports server.

Dedicated logging server is recommended due to the potential high syslog traffic.

Page 59

Cisco Secure ACS 5.0

Migrating to ACS 5.0

Page 60

ACS 4.2 or 5.0?

Check the 5.0 feature gap list here:

http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/migrate.html#wp1052549

Evaluate using the ACS 5.0 evaluation software:

Available at: http://www.cisco.com/cgi-bin/tablebuild.pl/acs5-eval

Runs on VMware Server or ESX

Requires 60 GB disk space

90 day license

Appliance investment protection

Consider purchasing 5.0 on the 1120 appliance, and then downgrading to 4.2, in anticipation of a future upgrade to 5.x

Page 61

ACS 4.x Key Feature Parity Roadmap

Device Administration

ACS 5.0 (available now): RADIUS and TACACS+ device administration with privilege levels and command sets

ACS 5.1 (Q4CY09): TACACS+ change password, enable password handling, One-Time Passwords (OTP), IP/MAC filtering

Network Access

ACS 5.0 (available now): Simple auth, EAP-TLS, PEAP-MSCHAP, FAST-MSCHAP, MAC-auth Bypass

ACS 5.1 (Q4CY09): PEAP-GTC, FAST-GTC, LEAP, RADIUS proxy, custom VSAs, AD certificate comparison

Operational

ACS 5.0 (available now): ACS admin roles and password policy

ACS 5.1 (Q4CY09): Advanced ACS admin policies, configuration provisioning

Page 62

Migration Methodology

Establish a pilot ACS 5 server to develop the master ACS 5 configuration

This could be a lab server

Secondary ACS servers could be joined to this server, or its configuration could be restored to a production ACS 5 primary server

Migrate data and network access policy from existing AAA deployment(s) to this pilot ACS 5 server

Use ACS migration and import tools to create configuration data (users, devices,….)

Manually create the new ACS 5 network access policy and other configuration areas not addressed by tools

Page 63

ACS 5.0 Migration and Import Tools

ACS 5.0 Migration Tool

Analyses ACS 4.x configuration data and exports key elements to ACS 5.0

Requires an ACS 4.x for Windows lab machine to import existing 4.x database and run migration tool

ACS 5.0 ships with ACS 4.x for Windows to facilitate migration

Data migrated includes users, devices, TACACS+ command sets and shell attributes, shared dACLs, EAP-FAST attributes

Import Tools

ACS 5.0 GUI User/device CSV import

Page 64

Cisco Secure ACS 5.0

Licensing

Page 65

ACS 5.0 Product Numbers and Pricing

Product Number       Description
CSACS-1120-K9        Cisco Secure 1120 Appliance with ACS 5.0 pre-installed and base license
CSACS-5.0-IENVM-K9   Cisco Secure ACS 5.0 virtual appliance software for VMware ESX with base license
CSACS-5-MON-LIC=     Cisco Secure ACS 5.0 Advanced Monitoring and Reporting add-on license (enables session directory, threshold alerting, connectivity/troubleshooting tools and up to 12 months data collection)
CSACS-5-LRG-LIC=     Cisco Secure ACS 5.0 Large Deployment add-on license

ACS 5.0 will be available as an appliance or as software for VMware ESX.

Add-on licenses apply to an ACS deployment not per server/instance. An ACS deployment is a set of replicating ACS servers/instances.

The Large Deployment add-on license is required for ACS deployments supporting more than 500 managed devices (AAA clients).

Page 66

ACS 4.x to 5.0 Upgrades

Product Number        Description
CSACS-1120-UP-K9      Cisco Secure 1120 5.0 Appliance for 4.x customers
CSACS-5.0-VM-UP-K9    Cisco Secure ACS 5.0 for VMware ESX for 4.x customers

ACS 5.0 will not run on existing ACS 111x appliance hardware. The appliance upgrade includes new 1120 appliance hardware. Customers may be required to return the existing device or provide a certificate of destruction.

Add-on licenses described in the previous slide apply to the upgrade products as well

Page 67

Cisco Secure ACS Service Offerings

Software Application Support (SAS) is offered for all ACS versions

SAS includes ACS software patches, maintenance releases and minor revisions

SMARTnet service is offered for the appliance hardware support

Both SAS and SMARTnet are required for full ACS 5.0 support coverage

Page 68

Cisco Secure ACS 5.0

More Information

Page 69

More Information

ACS 5.0 home page

http://www.cisco.com/go/acs

ACS 5.0 documentation

http://cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

ACS 4.2 and 5.0 comparison

http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/migrate.html#wp1052549

Contact the ACS marketing team

[email protected]

Page 70

Summary

Page 71

Summary

ACS 5.0 delivers a next-generation platform for network access and identity control

Linux-based platform

New and user-friendly graphical user interface

Powerful and flexible policy model

Integrated and enhanced troubleshooting, monitoring and reporting functionality

Robust deployment architecture

Migration requires careful planning

Understand 5.0/5.1 feature list

Download 5.0 evaluation

Consider the 1120 appliance platform even if remaining on 4.2

Page 72

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
