Cisco NAC Appliance (Clean Access)

Introduction

This document describes how to configure the authentication on the Clean Access Manager (CAM) with Cisco Secure Access Control Server (ACS). For a similar configuration using ACS 5.x and later, refer to NAC (CCA): Configure Authentication on Clean Access Manager with ACS 5.x and Later.

Prerequisites

Requirements

This configuration is applicable to CAM version 3.5 and later.

Components Used

The information in this document is based on CAM version 4.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

Steps to Configure Authentication on CCA with ACS

Complete these steps:

1. Add New Roles

   1. Create an Admin Role

      • In the CAM, choose User Management > User Roles > New Role.

        

      • Enter a unique name, admin, for the role in the Role Name field.

      • Enter Admin User Role as an optional Role Description.

      • Choose Normal Login Role as the Role Type.

      • Configure the Out-of-Band (OOB) user role VLAN with the appropriate VLAN. For example, choose the VLAN ID and specify the ID as 10.

      • When finished, click Create Role. In order to restore default properties on the form, click Reset.

      • The role now appears in the List of Roles tab as shown in the Tag VLANs for OOB Role-based mappings section.

   2. Create a User Role

      • In the CAM, choose User Management > User Roles > New Role.

        

      • Enter a unique name, users, for the role in the Role Name field.

      • Enter Normal User Role as an optional Role Description.

      • Configure the Out-of-Band (OOB) user role VLAN with the appropriate VLAN. For example, choose the VLAN ID and specify the ID as 20.

      • When finished, click Create Role. In order to restore default properties on the form, click Reset.

      • The role now appears in the List of Roles tab as shown in the Tag VLANs for OOB Role-based mappings section.

2. Tag VLANs for OOB Role-based mappings

   In the CAM, choose User Management > User Roles > List of Roles in order to see the list of roles so far.

   

3. Add RADIUS Auth Server (ACS)

   1. Choose User Management > Auth Servers > New.

      

   2. From the Authentication Type drop-down menu, choose Radius.

   3. Enter the Provider Name as ACS.

   4. Enter the Server Name as auth.cisco.com.

   5. Server Port—The port number 1812 on which the RADIUS server is listening.

   6. Radius Type—The RADIUS authentication method. Supported methods include EAPMD5, PAP, CHAP, MSCHAP and MSCHAP2.

   7. Default Role is used if mapping to ACS is not defined or set correctly, or if the RADIUS attribute is not defined or set correctly on the ACS.

   8. Shared Secret—The RADIUS shared secret bound to the specified client's IP address.

   9. NAS-IP-Address—This value to be sent with all RADIUS authentication packets.

   10. Click Add Server.

       

4. Map ACS Users to CCA User Roles

   1. Choose User Management > Auth Servers > Mapping Rules > Add Mapping Link in order to map admin user in ACS to the CCA admin user role.

      

   2. Choose User Management > Auth Servers > Mapping Rules > Add Mapping Link in order to map normal user in ACS to the CCA user role.

      

   3. Here is the user role mapping summary:

      

5. Enable Alternate Providers on User Page

   Choose Administration > User Pages > Login Page > Add > Content in order to enable alternate providers on the user login page.

   

ACS Configuration

1. Choose Interface Configuration in order to make sure that the RADIUS (IETF) Class attribute [025] is enabled.

   

2. Add RADIUS Client to ACS Server

   1. Choose Network Configuration in order to add the AAA client CAM as shown:

      

      Click Submit + Restart.

      Note: Make sure that the RADIUS key matches with the AAA client and uses RADIUS (IETF).

   2. Choose Network Configuration in order to add the AAA client CAS as shown:

      

      Click Submit + Restart.

      Note: For VPN gateway RADIUS accounting, CCA policy must allow RADIUS accounting packets (UDP 1646/1813) from the CAS IP address to pass unauthenticated to the ACS server IP address.

   3. Choose Network Configuration in order to add the AAA client ASA as shown:

      

      • User near-side PIX/ASA interface address (typically inside interface)

      • Set type to RADIUS (Cisco IOS/PIX).

3. Add /Configure Groups on ACS Server

   1. Create Admin group

      

      • Set the IETF RADIUS Class attribute [025] to appropriate group value.

      • The value must match that configured on CAS mapping.

   2. Create User group

      

      Add/configure group for each Clean Access User Role to be mapped.

   3. Add/Configure Users on ACS Server

      

      • Add/configure ACS user for each Clean Access user to be authenticated by ACS.

      • Set ACS Group membership.

      • ACS also supports proxy authentication to other external servers.

Verify

Use this section to confirm that your configuration works properly.

In the ACS monitoring section, you can see the information on the passed authentications as shown:

Similarly, you can see the screenshot for RADIUS accounting:

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

• Cisco NAC Appliance Support Page
• Technical Support & Documentation - Cisco Systems