Enterprise Class Teleworker (ECT) Solution

Cisco Enterprise Class Teleworker: Cisco Secure Access Control Server Deployment for ECT

This Deployment and Implementation shows how to configure Cisco Secure Access Control Server for ECT. This guide provides detailed steps to administer and configure the Cisco Secure Access Control Server (ACS) for different layered security features in a remote access Virtual Private Network (VPN) deployment.

ECT Introduction

The Cisco® ECT solution is a highly scalable Cisco IOS Software-based solution that securely integrates the network infrastructure, management infrastructure, managed services, and applications across the entire enterprise, including LAN, WAN, branch, and teleworker locations.
The Cisco ECT solution is an integral part of the Cisco Service Oriented Network Architecture (SONA) framework, which guides customers toward an Intelligent Information Network (IIN) in their enterprises. The key differentiator of the ECT solution is the integration of Cisco IOS Software, managed services, and applications on the same CPE.
Cisco has successfully deployed the ECT solution internally, increasing productivity and improving efficiency while enabling seamless "zero-touch deployment", manageability, and low-to-negative Total Cost of Ownership (TCO). Both enterprises and service providers can leverage the Cisco ECT solution to offer the benefits of network services to their end users and customers while maintaining an effective ROI.
Please visit http://cisco.com/go/ect for detailed information about the Cisco ECT solution.

Network Architecture

Figure 1 shows the Cisco ECT network topology. For medium and large ECT deployments, it is recommended that every remote router have three tunnels available:

• One to access the management network

• One for primary data traffic

• One for failover data traffic

Figure 1. ECT Network Topology

The management network hosts all the servers and tools needed for maintaining the network (AAA server, certificate server, provisioning/management tools, and so on). The second connection carries the data traffic to the corporate network. Most of the security features are configured on the spoke router. The spoke can be configured in split-tunneling or non-split-tunneling mode. In split-tunneling mode, only the traffic destined for the corporate network is routed to the VPN tunnel; the remaining traffic is routed directly to the Internet service provider (ISP). In non-split-tunneling mode, all the traffic is routed via the corporate network regardless of the traffic's destination.

Hardware Platforms and Software Images

This guide is written based on a Cisco 871 Integrated Service Router (ISR) with wireless running Cisco IOS Software Release 12.4(15)T3 (c870-advipservicesk9-mz.124-15.T3). For other Cisco router platforms, the sample configurations may need minor modifications.

Introduction to Cisco Secure ACS

Cisco Secure ACS is a scalable, high-performance Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+) security server. As the centralized control point for managing enterprise network users, network administrators, and network infrastructure resources, Cisco Secure ACS provides a comprehensive identity-based network-access control solution for Cisco intelligent information networks.
Cisco Secure ACS extends network-access security by combining traditional authentication, authorization, and accounting (AAA, pronounced "triple A") with policy control. Cisco Secure ACS enforces a uniform network-access security policy for network administrators and other network users.
Cisco Secure ACS supports a broad variety of Cisco and other network-access devices (NADs), also known as AAA clients, including:

• Wired and wireless LAN switches and access points

• Edge and core routers

• Dialup and broadband terminators

• Content and storage devices

• Voice over IP (VoIP)

• Firewalls

• Virtual private networks (VPNs)

Figure 2 illustrates the role of Cisco Secure ACS as a traditional network access control/AAA server.

Figure 2. A Simple AAA Scenario

This guide only explains how to configure Cisco Secure ACS for Cisco ECT based features; it does not cover the details or the complete configuration of Cisco Secure ACS. Please refer to the link for complete details about

Cisco Secure ACS Solution In ECT

An access control server is required for several components of the Cisco ECT solution: 802.1x, Authentication Proxy (AuthProxy), wireless authentication, and PKI-AAA authentication of routers. The Cisco Secure ACS server is hosted on the ECT management network and is reached from the spoke routers through the management gateway, which in turn is reached over the secure management tunnel configured on the spoke router.
This guide addresses the following ECT features that require Cisco Secure ACS as part of their configuration:

• Authentication Proxy

• PKI

• 802.1x

• Wireless

The AuthProxy feature is used for end-user authentication. A user is allowed access to the corporate site only after presenting valid credentials, which are verified by a RADIUS server. Upon successful verification, the appropriate permit access control entries (ACEs) are downloaded and applied on the remote spoke, giving the user the appropriate level of access.
PKI-AAA authentication can be used for device authentication, to check the validity of ECT routers as part of secure session setup.
With the 802.1x feature, all IP devices are classified as trusted or untrusted based on their 802.1x authentication status. When a new device becomes active on the network, the router initiates an 802.1x exchange. Depending on the 802.1x client running on the user device, the user is prompted for credentials, which are passed to the router. The router uses the credentials to authenticate the device against a RADIUS server. If authentication succeeds, the device is considered trusted and is given more privileges, such as access to the corporate network.
Enterprise wireless LANs (WLANs) need strong security policies that protect the company from rogue access points, intruders, unauthorized users, and unauthorized viewing of transmitted data. Cisco supports numerous Extensible Authentication Protocol (EAP) types, providing a centrally managed, standards-based, open wireless network security scheme, as well as WEP and WPA based implementations.
In addition to the features above, the last section of the guide addresses how to troubleshoot and monitor the ACS reports.

Cisco Secure ACS Setup

Cisco Secure ACS needs to be installed on a Windows server. For the complete set of installation instructions, please follow the installation guides at
The Cisco Secure ACS Appliance can also be used for ECT instead of Cisco Secure ACS for Windows Server (the software product). The appliance provides, as nearly as possible, the same features and functions as Cisco Secure ACS for Windows Server in dedicated, security-hardened, application-specific appliance packaging. For the complete set of installation and user guides for the Cisco Secure ACS Appliance, please refer to the following links
After successful installation, the ACS web interface can be accessed locally from the Windows server or remotely with a web browser. On the Windows server, use
Start -> Programs -> CiscoSecure ACS v4.1 -> ACS Admin
Alternatively, the ACS interface can be accessed from a web browser using the URL http://<server-name>:2002.
More information about accessing the web interface for Cisco Secure ACS can be found at the following link
Accessing the Cisco Secure ACS server brings up the following interface. The web interface has a navigation bar in the left pane.
The administrator selects the required tabs from the left navigation bar to configure Cisco Secure ACS.

Cisco Secure ACS Basic Configuration

This section covers the basic configuration required for Cisco Secure ACS. The following basic configuration must be in place before the ECT features are configured in Cisco Secure ACS.

1. Create an Admin with all the privileges

To get started with configuring Cisco Secure ACS, add an administrator and make sure the appropriate privileges are granted to that administrator. Here are the steps required for adding an administrator to Cisco Secure ACS.

• Click on Administration Control

• Click on Add Administrator

• Create an Administrator name and password

• Give all Administrator privileges by clicking on Grant All

The administrator is given all the privileges required to manage Cisco Secure ACS. If required, further user accounts can be created for access to Cisco Secure ACS. Once the admin or user access is created in ACS, the required credentials must be provided the next time the Cisco Secure ACS interface is accessed.
For more information on managing user access for the Cisco Secure ACS server, please refer to the following link

2. Defining the options for the user interface

We can configure the options needed for Cisco Secure ACS group attributes. The options selected will be displayed in the user interface of the group.

• Go to Interface Configuration

• Click on Advanced Options

• Select the required options that will appear in the user interface:

– User-level Network Access Restrictions

– User-level Downloadable ACLs

– Group-level Password Aging

– Network Device Groups

• Click on Submit after selecting the options

• Go to User Interface

• Check the options selected are displayed

3. Configuring Network Device Groups

Network Device Grouping is an advanced feature that you use to view and administer a collection of network devices as a single logical group. To simplify administration, you can assign each group a name that refers to all devices within that group. This creates two levels of network devices within Cisco Secure ACS: single discrete devices, such as an individual router or network access server, and a Network Device Group (NDG), that is, a collection of routers or AAA servers.

a) Adding the ACS server

Add the Windows machine where Cisco Secure ACS is installed as a AAA server. Here are the steps to add the AAA server under Network Device Groups.

– Go to Network Configuration

– Select the default network device group

– Configure the AAA server

b) Configuring the spoke routers under Network Device group

– Go to Network Configuration

– Select the default network device group

– Click on Add Entry to add AAA clients

– Add the AAA clients as shown below.

– AAA clients on the same subnet can be added by using the wildcard character * (e.g. 10.10.10.*)

– Select the Radius Authentication as Radius (Cisco IOS/PIX 6.0)

– Click on Submit and Apply

Cisco Secure ACS Configuration for ECT

Authentication Proxy

Authentication proxy provides a way to identify legitimate users and limit access to the corporate network to them alone. A user is allowed access to the corporate site only if correct credentials are provided; the credentials are verified by an access control server. In the access control server, an access control entry (ACE) is configured as an attribute-value pair (AV pair) in the group configuration. Once the credentials are validated, the AV pair is downloaded for every auth-proxy user belonging to that group. Users can belong to different groups with different AV pairs configured, so that each user gets access privileges appropriate to their group.
Here we describe how to configure the Authentication Proxy in an access control server.

1. Create an Auth-Proxy Group in Cisco Secure ACS Server

• Go to Group Setup

• Select a group from the list of groups

• Click on Rename Group

• Specify Auth-Proxy as the group name

• Click on Submit

2. Editing the Auth-Proxy Group's Settings

• Go to Group Setup

• Select the Auth-Proxy group from the group list

• Click on Edit Settings

• Define any network access restrictions required

• Add the Cisco IOS Radius attributes (cisco-av-pair)

auth-proxy:priv-lvl=15, auth-proxy:proxyacl#1=permit ip any any

• Click on Submit + Restart to apply the configuration

3. Adding user to the Authentication Proxy Group

Users first access a corporate website with a web browser. When a user attempts to reach a corporate website, an authentication prompt is presented, and the user must provide the username and password defined for access to the corporate network.
Users are added to specific groups in Cisco Secure ACS. The group settings define the type of services the user is authorized to use. All ECT users are added to the Authentication Proxy group.

• Go to User Setup

• Add a new user

• Update the passwords that will be used for user authentication

• Select the Authentication Proxy group from the list of groups

• Click on Submit
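How the spoke consumes what ACS returns for an Auth-Proxy group member, as an added example that is not Cisco code: the cisco-av-pair values are parsed, the proxyacl#N entries are placed in index order regardless of arrival order, and anything that is not an auth-proxy attribute, repeats an index, or does not use source any is rejected. The requirement for priv-lvl=15, the source-any rule, and the "reject the whole reply on any bad pair" policy are assumptions of this model.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attribute shapes from the guide: auth-proxy:priv-lvl=15 and
# auth-proxy:proxyacl#<n>=<ace>
PRIV_RE = re.compile(r"^auth-proxy:priv-lvl=(\d+)$")
PROXYACL_RE = re.compile(r"^auth-proxy:proxyacl#(\d+)=(.+)$")
# Assumption of this model: the spoke substitutes the authenticated host's
# address for the source, so every ACE must be written with source "any".
ACE_RE = re.compile(r"^(permit|deny)\s+\S+\s+any\s+\S.*$")


@dataclass
class ProxyAuthorization:
    priv_lvl: Optional[int] = None
    aces: List[str] = field(default_factory=list)      # in proxyacl#N order
    rejected: List[str] = field(default_factory=list)  # pairs that were ignored


def build_proxy_acl(av_pairs: List[str]) -> ProxyAuthorization:
    """Turn a group's cisco-av-pair values into the ordered per-user ACL."""
    result = ProxyAuthorization()
    entries: Dict[int, str] = {}
    for raw in av_pairs:
        pair = raw.strip()
        m = PRIV_RE.match(pair)
        if m:
            result.priv_lvl = int(m.group(1))
            continue
        m = PROXYACL_RE.match(pair)
        if not m:
            result.rejected.append(pair)  # e.g. shell:priv-lvl, wrong prefix
            continue
        idx, ace = int(m.group(1)), m.group(2).strip()
        if idx in entries or not ACE_RE.match(ace):
            result.rejected.append(pair)  # duplicate index or malformed ACE
            continue
        entries[idx] = ace
    # RADIUS may deliver attributes in any order; apply by index, not arrival
    result.aces = [entries[i] for i in sorted(entries)]
    return result


def is_authorized(auth: ProxyAuthorization) -> bool:
    """Assumption: access is granted only with priv-lvl=15, at least one
    usable ACE, and no rejected pairs (a partial ACL is not applied)."""
    return auth.priv_lvl == 15 and bool(auth.aces) and not auth.rejected


# Constructed reply for an Auth-Proxy group member (not captured traffic);
# note that the proxyacl entries arrive out of order.
SAMPLE_REPLY = [
    "auth-proxy:proxyacl#2=permit tcp any host 10.10.200.1 eq www",
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=permit udp any any eq domain",
]

if __name__ == "__main__":
    auth = build_proxy_acl(SAMPLE_REPLY)
    for ace in auth.aces:
        print(ace)
    print("authorized:", is_authorized(auth))
```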

Authentication Proxy Sample Configuration

A sample router configuration is provided for reference alongside the ACS feature. For the latest configuration please refer to the Layered Security deployment guide under the Layered and Perimeter Security Managed Services folder on the ECT web page.
aaa new-model
aaa group server radius authproxy
 server-private <ip address> auth-port 1812 acct-port 1813 key 0 <key>
 ip radius source-interface BVI1
!
aaa authorization auth-proxy default group authproxy
ip admission auth-proxy-banner file http://10.x.x.x/disclaimer.htm
ip admission auth-proxy-banner http ^
This is the authentication proxy challenge
^
ip admission max-login-attempts 6
! Admission rule applied on the inside interface: HTTP interception with a
! 30 minute inactivity timeout; proxy_acl is the intercept ACL
ip admission name test_proxy proxy http inactivity-time 30 list proxy_acl
!
interface BVI1
 description inside interface
 ip inspect fw in
 ip access-group proxy_inbound_acl in
 ip admission test_proxy
!...
ip access-list extended proxy_acl
 remark --- Auth-Proxy ACL -----------
 ! Deny lines are used to bypass auth-proxy
 deny tcp any host 10.10.200.1 eq www
 ! auth-proxy will intercept http access matching the line below
 ! (wildcard mask 0.0.0.255 assumed here; adjust to the corporate web subnet)
 permit tcp any 10.10.240.0 0.0.0.255 eq www
!
ip access-list extended proxy_inbound_acl
 remark --- Auth-Proxy Inbound ACL which blocks the traffic ---
 ! Allow access to certain protocols
 permit udp any any eq domain
 permit udp any any eq netbios-ns
 permit udp any any eq netbios-dgm
 permit udp any any eq 5445
 permit tcp any any eq 5060
 permit tcp any any eq 5061
 permit tcp any any eq 2000
 permit tcp any any eq 2443
 permit udp any any eq tftp
 ! Block corporate subnets. If split tunneling is not enabled, denying
 ! all traffic with "deny ip any any" is sufficient
 deny ip any 10.0.0.0 0.255.255.255
 ...
 ...
 ! Only if split tunneling is enabled: let non-corporate traffic go to the ISP
 permit ip any any

PKI-AAA Authentication and Authorization

Security on the Cisco ECT hub router can be strengthened by configuring PKI-AAA authorization in addition to CRL validation for each peer certificate. When a Cisco ECT spoke negotiates an IPsec session with the hub, the hub router extracts a specified field from the peer certificate's subject and sends it to a RADIUS server. This field is sent as the username, and the password is preconfigured. The field that is sent as the username is specified in the trust point configuration; by default, it is the subject name, which is a fully qualified domain name.
If the RADIUS server has an entry for this username with the password matching the set password, the query returns successfully along with the following Cisco attribute-value pairs configured for that username:

• Certificate use (cert-application)

• Certificate trustpoint (cert-trustpoint)

• Serial number (cert-serial)

• Certificate lifetime (cert-lifetime-end)

Following is a sample Cisco AV pair configuration which can be configured on a Cisco Secure ACS:
cisco-avpair = "pki:cert-application=all"
cisco-avpair = "pki:cert-trustpoint=msca"
cisco-avpair = "pki:cert-serial=16318DB7000100001671"
cisco-avpair = "pki:cert-lifetime-end=1:00 jan 1, 2009"
The RADIUS server returns a failure if the record is not found or the password does not match the set password. The peer certificate is not accepted if the RADIUS request fails.
If either or both of cert-trustpoint and cert-serial are specified, the router compares these values with the trustpoint name and serial number extracted from the peer certificate, and the certificate is accepted only if these fields match. The cert-lifetime-end value can be used to bypass the actual expiry date of the certificate, which is useful when an expired peer certificate needs to be accepted: a different date is specified in the attribute-value pair and the router uses it for the expiry date calculation.
With the PKI-AAA feature, the hub accepts a certificate only if it has an entry on the RADIUS server. The certificate can be temporarily disabled by setting the cert-application value to none.
Here we describe how to create a group and configure the username and password that are used for the field specified in the PKI-AAA trustpoint configuration.
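The acceptance rules above, written out as a decision function; this is an added example, not Cisco IOS code. The attribute names and the lifetime-end format come from the guide's AV pairs, while the PeerCert fields, the constructed clock values, and the treatment of a missing cert-application as "all" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class PeerCert:
    """Fields the hub extracts from the spoke's certificate (assumed shape)."""
    common_name: str     # sent to RADIUS as the username (subjectname commonname)
    trustpoint: str      # trustpoint under which the certificate validated
    serial: str          # certificate serial number, hex
    not_after: datetime  # expiry carried in the certificate itself


def parse_pki_avpairs(av_pairs: List[str]) -> Dict[str, str]:
    """Collect pki:<name>=<value> attributes from a reply.

    Accepts both the bare 'pki:...' form and the ACS display form
    'cisco-avpair = "pki:..."' shown in the guide."""
    attrs: Dict[str, str] = {}
    for raw in av_pairs:
        value = raw.strip()
        if value.startswith("cisco-avpair"):
            value = value.split("=", 1)[1].strip()
        value = value.strip('"')
        if value.startswith("pki:") and "=" in value:
            name, val = value[4:].split("=", 1)
            attrs[name.strip()] = val.strip()
    return attrs


def parse_lifetime_end(value: str) -> datetime:
    """cert-lifetime-end in the guide's form, e.g. '1:00 jan 1, 2009'."""
    return datetime.strptime(value.strip().lower(), "%H:%M %b %d, %Y")


def authorize_peer(cert: PeerCert, radius_ok: bool, av_pairs: List[str],
                   now: datetime) -> str:
    """Apply the PKI-AAA rules from the text; returns 'accept' or a reason."""
    if not radius_ok:
        # No record for the username, or password mismatch: certificate refused
        return "reject: no RADIUS record or password mismatch"
    attrs = parse_pki_avpairs(av_pairs)
    # Assumption: a reply without cert-application is treated as 'all'
    if attrs.get("cert-application", "all") == "none":
        return "reject: cert-application=none"
    if "cert-trustpoint" in attrs and attrs["cert-trustpoint"] != cert.trustpoint:
        return "reject: trustpoint mismatch"
    if "cert-serial" in attrs and attrs["cert-serial"].upper() != cert.serial.upper():
        return "reject: serial number mismatch"
    # cert-lifetime-end, when present, replaces the certificate's own expiry
    expiry = cert.not_after
    if "cert-lifetime-end" in attrs:
        expiry = parse_lifetime_end(attrs["cert-lifetime-end"])
    if now > expiry:
        return "reject: certificate expired"
    return "accept"


# The guide's sample reply and a constructed peer certificate that matches it;
# the certificate itself expired in mid 2008, so only cert-lifetime-end keeps it valid.
SAMPLE_REPLY = [
    'cisco-avpair = "pki:cert-application=all"',
    'cisco-avpair = "pki:cert-trustpoint=msca"',
    'cisco-avpair = "pki:cert-serial=16318DB7000100001671"',
    'cisco-avpair = "pki:cert-lifetime-end=1:00 jan 1, 2009"',
]
SAMPLE_CERT = PeerCert("vpn.cisco.com", "msca", "16318DB7000100001671",
                       datetime(2008, 6, 1))
NOW_BEFORE_OVERRIDE = datetime(2008, 9, 1)  # constructed clock values
NOW_AFTER_OVERRIDE = datetime(2009, 2, 1)

if __name__ == "__main__":
    print(authorize_peer(SAMPLE_CERT, True, SAMPLE_REPLY, NOW_BEFORE_OVERRIDE))
```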

1. Creating a Devices Group for PKI-AAA

• Go to Group Setup

• Create a new group Devices Group

• Scroll down to the Cisco IOS/PIX Radius Attributes

• Select the cisco-av-pair and add pki:cert-application=all

• Click on Submit + Restart

2. Adding Device entry to Devices Group

The Group settings define the type of services the user will be authorized to use. All the devices of ECT are added to the Devices group (PKI-AAA).

• Go to User Setup

• Add a new user (username: vpn.cisco.com)

• Update the password (cisco) that will be used for user authentication

• Select the Devices group from the list of groups

• Click on Submit

PKI-AAA Sample Configuration

A sample router configuration is provided for reference alongside the ACS feature. For the latest configuration please refer to the Layered Security deployment guide under the Layered and Perimeter Security Managed Services folder on the ECT web page.
aaa new-model
aaa group server radius pki-aaa-server
 server-private <ip addr> auth-port 1812 acct-port 1813 key 0 <key>
!
! Authorization list consulted by the trustpoint for each peer certificate
aaa authorization network pkiaaa group pki-aaa-server
!
crypto pki trustpoint trustpoint1
 enrollment mode ra
 enrollment url http://test-ca:80
 authorization list pkiaaa
 ! Send the certificate's subject common name as the RADIUS username
 authorization username subjectname commonname

IEEE 802.1x-Based Device Authentication

With this feature, all IP devices connecting to the router are subject to 802.1x based credential validation. A device does not get an IP address until its credentials are validated by Cisco Secure ACS. Once validated, the port becomes active and the device gets network access. If validation fails, the port is shut down.
The authenticator is the ECT spoke router and the authentication server is a Cisco Secure Access Control Server (ACS).
Once the router gathers the credentials from the device, they are forwarded to the Cisco Secure ACS server for authentication. If the credentials are valid, the port is enabled and attached to the trusted VLAN.
The authentication mechanisms used in the ECT deployment are EAP-MD5-Challenge, EAP-PEAP, and EAP-TLS. The 802.1x supplicant running on the host establishes an EAP session with Cisco Secure ACS and authenticates using username/password credentials; the user account must be configured on Cisco Secure ACS. The supplicant must be configured for EAP-MD5-Challenge, EAP-PEAP, or EAP-TLS. EAP-PEAP and EAP-TLS can optionally be configured to authenticate Cisco Secure ACS using digital certificates, in which case ACS must be preloaded with a certificate issued by a certificate server. EAP-TLS authenticates the end host using digital certificates along with the supplied user credentials, so each host needs its own certificate from a certificate server trusted by the Cisco Secure ACS server.

Authentication Setup for 802.1x

• Go to the System Configuration

• Click on the Global Authentication setup

• Edit the EAP Configuration

• Select the PEAP: Allow EAP-MSCHAPv2

• Select Allow EAP-TLS if you need certificates (this requires a certificate to be installed; see the wireless section below for certificate installation on the ACS server)

• Click on Submit and Restart

802.1x Sample Configuration

A sample router configuration is provided for reference alongside the ACS feature. For the latest configuration please refer to the 802.1x Security deployment guide under the Layered and Perimeter Security Managed Services folder on the ECT web page.
aaa new-model
aaa group server radius dot1x
 server-private <ip addr> auth-port 1812 acct-port 1813 key 0 <key>
 ip radius source-interface BVI1
! Authenticate 802.1x supplicants against the dot1x RADIUS server group
aaa authentication dot1x default group dot1x
! Enable dot1x feature globally
dot1x system-auth-control
! Adding a voice VLAN, which will be using the same pool as BVI1 - the Corporate pool
!
vlan 11
interface Vlan11
 description Voice VLAN
 ip unnumbered BVI1
 ip inspect firewall in
 no autostate
! interface BVI1 must have proxy-arp enabled
interface BVI1
 ip proxy-arp
! Each switch port: data VLAN 10, voice VLAN 11, router acts as the 802.1x
! authenticator; hosts that fail or lack a supplicant land in guest VLAN 20
interface FastEthernet0
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 20
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 20
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 20
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 20
 spanning-tree portfast
!

Wireless Authentication

This section covers the wireless authentication features in ECT that use a Cisco Secure ACS server. Addressing every wireless authentication mechanism deployed in ECT is out of the scope of this document. The Secure Wireless deployment guide covers the different secure wireless methods, with sample configurations on both the server and the client side, as well as the complete wireless configuration on the client, the router, and the Cisco Secure ACS server. The wireless authentication types used in ECT are EAP and WPA.

Extensible Authentication Protocol

802.1x Enterprise WLAN implementation uses EAP which provides secure wireless implementation and safeguards against hacker attacks. EAP provides a standard mechanism for supporting various authentication methods over wired and wireless networks. An AAA client (also known as a network access server) such as an access point that supports EAP need not have any understanding of the specific EAP type used in the EAP authentication process. The network access server tunnels the authentication messages between the peer (user machine trying to authenticate) and the AAA server (such as the Cisco Secure ACS). The network access server is aware only of when the EAP authentication process starts and when it ends.
Cisco supports many authentication types in IOS® routers. Some of the methods deployed in ECT include:

• LEAP

• Protected EAP (PEAP) with MS-Challenge Handshake Authentication Protocol (CHAP) version 2

• PEAP-Generic Token Card (GTC)

• EAP-Flexible Authentication via Secure Tunneling (FAST)

• EAP-Transport Layer Security (TLS)

Note: EAP-PEAP and EAP-TLS do not work with the local RADIUS server in the current Cisco IOS Software Release 12.4(15)T3.

1. Configuring the EAP authentication types: LEAP, PEAP, EAP-TLS

• Go to System Configuration

• Click on Global Authentication Setup

• Select PEAP: Allow EAP-MSCHAPv2, Allow EAP-GTC

• Select PEAP: Allow EAP-TLS and all the relevant certificate options

• Click on EAP-FAST Configuration

– Click on Allow EAP-FAST

– Click on Allowed Inner Methods: EAP-GTC, EAP-MSCHAPv2

• Select EAP-TLS and all the relevant certificate options

• Select LEAP: Allow LEAP

• Click on Submit and Restart

EAP-TLS relies on PKI concepts:

• A WLAN client (that is, a user's machine) requires a valid certificate to authenticate to the WLAN network

• The Cisco Secure ACS server requires a "server" certificate to validate its identity to the clients

• The certificate-authority-server infrastructure issues certificates to the Cisco Secure ACS server(s) and the clients

Certificate setup needs to be configured on the Cisco Secure ACS server in order to use the EAP-TLS authentication. Here are the steps to do Certificate Setup in Cisco Secure ACS.

1. Generate Certificate Signing Request

• Go to System Configuration

• Click ACS Certificate Setup

• Click Generate Certificate Signing Request

• Specify the certificate subject, private key file and password

• Click on Submit. This generates the signing request.