Document ID: 113560
Updated: Jun 01, 2012
Introduction
This document provides information on how to configure authentication on the Clean Access Manager (CAM) with Cisco Secure Access Control System (ACS) 5.x and later. For a similar configuration with ACS versions earlier than 5.x, refer to NAC (CCA): Configure Authentication on the Clean Access Manager (CAM) with ACS.
Prerequisites
Requirements
This configuration is applicable to CAM version 3.5 and later.
Components Used
The information in this document is based on CAM version 4.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Configure Authentication on CCA with ACS 5.x
Complete these steps:
Add New Roles
Create an Admin Role
- From the CAM, choose User Management > User Roles > New Role.
- Enter a unique name, admin, for the role in the Role Name field.
- Enter Admin User Role as an optional Role Description.
- Choose Normal Login Role as the Role Type.
- Configure the Out-of-Band (OOB) user role VLAN with the appropriate VLAN. For example, choose VLAN ID and specify the ID as 10.
- When finished, click Create Role. In order to restore the default properties on the form, click Reset.
- The role now appears in the List of Roles tab, as shown in the Tag VLANs for OOB Role-based Mappings section.
Create a User Role
- From the CAM, choose User Management > User Roles > New Role.
- Enter a unique name, users, for the role in the Role Name field.
- Enter Normal User Role as an optional Role Description.
- Configure the Out-of-Band (OOB) user role VLAN with the appropriate VLAN. For example, choose VLAN ID and specify the ID as 20.
- When finished, click Create Role. In order to restore the default properties on the form, click Reset.
- The role now appears in the List of Roles tab, as shown in the Tag VLANs for OOB Role-based Mappings section.
Tag VLANs for OOB Role-based Mappings
From the CAM, choose User Management > User Roles > List of Roles in order to see the roles created so far and the OOB VLAN assigned to each.
Add RADIUS Auth Server (ACS)
- Choose User Management > Auth Servers > New.
- From the Authentication Type drop-down menu, choose Radius.
- Enter ACS as the Provider Name.
- Enter auth.cisco.com as the Server Name.
- Server Port—The port, 1812, on which the RADIUS server listens for authentication requests.
- Radius Type—The RADIUS authentication method. Supported methods are EAPMD5, PAP, CHAP, MSCHAP and MSCHAP2.
- Default Role—The CAM role assigned to a user who authenticates successfully but matches no mapping rule, either because the mapping to ACS is not defined or set correctly on the CAM, or because the RADIUS attribute is not defined or set correctly on the ACS. Every ACS user without a matching rule lands in this role, so choose the least-privileged role you are willing to grant to any ACS user.
- Shared Secret—The RADIUS shared secret bound to the specified client's IP address. The same secret must be entered for the CAM in its AAA client entry on the ACS.
- NAS-IP-Address—The value sent as the NAS-IP-Address attribute in all RADIUS authentication packets.
- Click Add Server.
Map ACS Users to CCA User Roles
- Choose User Management > Auth Servers > Mapping Rules > Add Mapping Link in order to map an ACS admin user (a RADIUS reply whose Class attribute is Admin) to the CCA admin user role.
- Choose User Management > Auth Servers > Mapping Rules > Add Mapping Link in order to map an ACS normal user (a RADIUS reply whose Class attribute is Users) to the CCA users role.
Here is the user role mapping summary:
Enable Alternate Providers on User Page
Choose Administration > User Pages > Login Page > Add > Content in order to enable alternate providers on the user login page, so that the ACS provider can be selected at login.
ACS 5.x Configuration
- Choose Network Resources > Network Devices and AAA Clients, then click Create in order to add the CAM as an AAA Client.
- Provide the Name and IP Address, and choose RADIUS under Authentication Options. Then, provide the Shared Secret configured on the CAM and click Submit.
- Choose Network Resources > Network Devices and AAA Clients, then click Create in order to add the CAS as an AAA Client.
- Provide the Name and IP Address, and choose RADIUS under Authentication Options. Then, provide the Shared Secret for the CAS and click Submit.
- Choose Network Resources > Network Devices and AAA Clients, then click Create in order to add the ASA as an AAA Client.
- Provide the Name and IP Address, and choose RADIUS under Authentication Options. Then, provide the Shared Secret for the ASA and click Submit.
- Choose Users and Identity Stores > Identity Groups and click Create in order to create the Admin Identity Group.
- Provide the Group Name, Admin, and click Submit.
- Choose Users and Identity Stores > Identity Groups and click Create in order to create the Users Identity Group.
- Provide the Group Name, Users, and click Submit.
- Choose Users and Identity Stores > Internal Identity Stores > Users and click Create in order to create the admin user.
- Provide the Name of the user and change the group membership to the Admin group. Then, provide and confirm the password. Click Submit.
- Choose Users and Identity Stores > Internal Identity Stores > Users and click Create in order to create the normal user.
- Provide the Name of the user and change the group membership to the Users group. Then, provide and confirm the password. Click Submit.
- Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles and click Create in order to create the Admin Authorization Profile.
- Provide the Profile Name and click the RADIUS Attributes tab.
- On the RADIUS Attributes tab, choose RADIUS-IETF as the Dictionary Type. Then, click Select next to RADIUS Attribute.
- Choose the Class attribute and click OK.
- Ensure that the Attribute Value is Static and enter Admin as the value. This is the value the CAM mapping rule matches in order to assign the admin role. Click Add, then click Submit.
- Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles and click Create in order to create the Users Authorization Profile.
- Provide the Profile Name and click the RADIUS Attributes tab.
- On the RADIUS Attributes tab, choose RADIUS-IETF as the Dictionary Type. Then, click Select next to RADIUS Attribute.
- Choose the Class attribute and click OK.
- Ensure that the Attribute Value is Static and enter Users as the value. This is the value the CAM mapping rule matches in order to assign the users role. Click Add, then click Submit.
- Choose Access Policies > Access Services > Service Selection Rules and identify which service processes the RADIUS request from the CAM. In this example, the service is Default Network Access.
- Choose Access Policies > Access Services > Default Network Access (the service identified in the previous step) > Authorization. Click Customize.
- Move Identity Group from the Available column to the Selected column. Click OK.
- Click Create in order to create a new rule.
- Ensure that the Identity Group check box is checked, then click Select next to Identity Group.
- Select the Admin group and click OK.
- Click Select in the Authorization Profiles section.
- Select the Admin Authorization Profile and click OK.
- Click Create in order to create a second rule.
- Ensure that the Identity Group check box is checked, then click Select next to Identity Group.
- Select the Users group and click OK.
- Click Select in the Authorization Profiles section.
- Select the Users Authorization Profile and click OK.
- Click OK.
- Click Save Changes.
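As an added worked example (not code from the CAM, the ACS or this document), the following Python script simulates the exchange that the CAM Auth Server and mapping-rule settings above and the ACS authorization profiles just configured produce together: the CAM sends a PAP Access-Request (User-Name, User-Password obfuscated with the shared secret, NAS-IP-Address); a simulated ACS checks the password and returns an Access-Accept carrying the Class attribute from the authorization profile that matches the user's identity group; the CAM verifies the Response Authenticator before trusting the reply, then maps the Class value to a role and falls back to the Default Role when no mapping matches. The user names, passwords, shared secret, NAS address and the role name default are constructed for the example, and the treatment of a user whose identity group matches no authorization rule (accepted without a Class attribute) is an assumption made to exercise the Default Role path.

```python
"""Simulated RADIUS (PAP) exchange between the CAM and ACS 5.x, followed by the
Class-to-role mapping the CAM applies. Added example with constructed data; it is
not code from the CAM, the ACS or this document. Values marked 'assumed' are illustrative."""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_CLASS = 1, 2, 4, 25

SHARED_SECRET = b"cisco123"  # assumed; must match on the CAM and in the ACS AAA-client entry
NAS_IP = "10.1.1.5"          # assumed CAM address, sent as NAS-IP-Address
DEFAULT_ROLE = "default"     # assumed name of the Default Role set on the CAM auth server

# Constructed ACS internal identity store: user -> (password, identity group).
ACS_USERS = {"alice": ("Adm1nPass!", "Admin"),
             "bob": ("UserPass!", "Users"),
             "carol": ("Guest!", "Contractors")}  # group with no authorization rule (assumed)
# Constructed ACS authorization rules: identity group -> Class value in its profile.
ACS_AUTHZ = {"Admin": b"Admin", "Users": b"Users"}
# Constructed CAM mapping rules: Class value -> CAM user role.
CAM_MAPPING = {b"Admin": "admin", b"Users": "users"}

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting lengths that would run off the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(cipher, secret, authenticator):
    """Inverse of pap_encrypt; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def cam_access_request(username, password, ident):
    """CAM side: Access-Request carrying User-Name, PAP User-Password and NAS-IP-Address."""
    req_auth = os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, pap_encrypt(password.encode(), SHARED_SECRET, req_auth)),
                         (ATTR_NAS_IP, socket.inet_aton(NAS_IP))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def acs_handle(packet):
    """ACS side: check the password, then reply with the Class value of the rule that matches
    the user's identity group; a group with no rule is accepted without Class (assumed)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    entry = ACS_USERS.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    given = pap_decrypt(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    if entry is None or not hmac.compare_digest(given, entry[0].encode()):
        code, body = ACCESS_REJECT, b""
    else:
        cls = ACS_AUTHZ.get(entry[1])
        code, body = ACCESS_ACCEPT, (encode_attrs([(ATTR_CLASS, cls)]) if cls else b"")
    auth = response_authenticator(code, ident, req_auth, body, SHARED_SECRET)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def cam_process_response(resp, req_auth, ident):
    """CAM side: verify the Response Authenticator before trusting anything in the reply,
    then map Class to a role; an Accept without a mapped Class lands in DEFAULT_ROLE."""
    try:
        code, rid, length = struct.unpack("!BBH", resp[:4])
        if rid != ident or length != len(resp) or length < 20:
            return None
        body = resp[20:]
        expected = response_authenticator(code, rid, req_auth, body, SHARED_SECRET)
        if not hmac.compare_digest(expected, resp[4:20]):
            return None  # forged reply or mismatched shared secret
        if code != ACCESS_ACCEPT:
            return None
        for attr_type, value in decode_attrs(body):
            if attr_type == ATTR_CLASS and value in CAM_MAPPING:
                return CAM_MAPPING[value]
        return DEFAULT_ROLE
    except (struct.error, ValueError):
        return None

def login(username, password, ident=7):
    """Run the whole exchange; returns the CAM role granted, or None when login fails."""
    req, req_auth = cam_access_request(username, password, ident)
    return cam_process_response(acs_handle(req), req_auth, ident)

if __name__ == "__main__":
    print({u: login(u, p) for u, p in [("alice", "Adm1nPass!"), ("carol", "Guest!"), ("bob", "bad")]})
```

Two points the script makes concrete. First, the shared secret is the only thing that binds a reply to the CAM's request: a reply built with a different secret, or any byte of the Class attribute altered in transit, fails the Response Authenticator check and is discarded, which is why the secret entered on the CAM and in the ACS AAA client entry must be identical. Second, a successful authentication with no matching mapping rule silently drops the user into the Default Role, so a misspelled Class value on either side shows up as the wrong VLAN rather than as a login failure.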
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
Open a Support Case (Requires a Cisco Service Contract.)