Step-by-step Guide for Configuring Cisco® ACS server
as the Radius with an External Windows Database
Table of Contents:
Introduction
Getting Started
Step-1: Interface Configuration
Step-2: Network Configuration
Step-3: System Configuration
Step 4: External User Database
Step-5: Reports and Activity
Bind your AAA clients and ACS server together with a shared secret
Introduction:
This is a simple step-by-step configuration for setting up a Cisco ACS server as the Radius server that grants secure network access to Intel AMT clients. The configuration uses Windows AD as the external database for simplicity. The Cisco ACS server is configured here to allow several popular EAP methods over Radius: EAP-PEAP, EAP-TLS and EAP-FAST.
You can use this as a quick-start guide for validating Intel AMT access to secure networks where Cisco ACS has been deployed as the Radius server. This configuration has been used successfully to validate wired and wireless access to the AMT FW over secure networks in a simple environment with a single domain controller, using the SCCM SP1 and SP2 consoles.
It is assumed that the reader is familiar with the basic concepts of 802.1X networks, wireless and Radius protocols, the process used to create and install certificates, and the other related aspects of AMT provisioning. Refer to the other material available on the vPro Expert Center for assistance with any of these topics.
For a high-level overview of navigating 802.1X networks with an AMT client, refer to my posting "Navigating Secure Networks with AMT Client": http://communities.intel.com/docs/DOC-3866
Getting Started:
To demonstrate our simple ACS configuration we have a Windows 2003 virtual-machine domain controller with DHCP, DNS, a Microsoft CA and Cisco ACS 4.0 installed.
Start ACS Admin console: “Start/Program/Cisco ACS Admin 4.0/ACS Admin”
We will follow these five simple steps to configure the ACS server for validating customer scenarios for navigating secure networks using Intel AMT.
Step-1: Interface Configuration
Click on “Interface Configuration”, then “Advanced Options”, un-check all options and click “Submit”. This ensures that no advanced options are enabled and keeps the configuration of your ACS server simple.
Step-2: Network Configuration
Click on “Network Configuration”.
Step 2-A: Click on the existing AAA Server Name (“VPRODEMODC” in our case) and set a shared secret (key), “password1234” in our example, between the server and the Radius clients that will be defined in the next step.
Click “Submit + Apply”.
Note: If at any time after clicking “Submit” you get a message that the service needs to be restarted, click on “System Configuration”, then “Service Control”, and restart the service.
Step 2-B: Under “Network Configuration”, click “Add Entry” to add the AAA client for wired access. Fill in the “AAA Client Hostname” and “IP Address” and the same shared secret. Select the other settings as shown. Click “Submit + Apply”.
Step 2-B: Under “Network Configuration”, click “Add Entry” to add the AAA client for wireless access. Fill in the hostname and IP address of your wireless AP and click “Submit + Apply”.
Note: The shared secret (key) must also be configured on the web interface of each of these AAA clients, as the Radius server shared secret under their Radius configuration.
Step-3: System Configuration
Click on “System Configuration”.
Configure the “ACS Certificate Setup” to support EAP-PEAP and EAP-TLS (Step 3-A to Step 3-E).
Note: It is assumed that the reader is familiar with requesting certificates from the installed Microsoft CA using web enrollment.
After that, configure “Global Authentication Setup”, where the Radius authentication protocols are set up (Step 3-F).
Step 3-A: Click on “System Configuration”, then click “ACS Certificate Setup” as shown.
Access the web enrollment form for your Microsoft CA on the domain controller at http://localhost/certsrv and download the Root CA file in Base 64 format for importing into ACS (give the file a name and save it).
Tip: If you do not have the CA running you can also use a self-signed certificate.
Click on “ACS Certification Authority Setup” and fill-in the Root CA CER file saved above. Click “Submit”.
Step 3-B: Click “Generate Certificate Signing Request” and create a certificate request for the ACS server as shown:
CN=vprodemodc.vprodemo.com (the FQDN of the ACS server)
Private key file: C:\Certs\acs.pvk (choose any file name)
Private key password: P@ssw0rd (choose a password and retype it to confirm)
Fill in the rest of the information as shown. Click “Submit”.
Invoke web enrollment for your CA at http://localhost/certsrv/ and submit the CSR:
Click “Request a Certificate”, then “Advanced Certificate Request”, then “Submit a certificate request by using the base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.
Paste the contents of the CSR file generated in the previous step, select the “Web Server” template and click “Submit”.
Download the certificate (ACSVPRODEMO.CER) in Base64 format.
Step 3-C: Click “Install ACS Certificate” and select the certificate file downloaded in the previous step.
Click “Submit”.
Click “Install New Certificate” and accept the dialog box to remove the old certificate (if one was installed).
Click “System Configuration”, then “Service Control”, and “Restart” the service to clear the message in red.
You may skip Step 3-D and Step 3-E if you do not want to implement a certificate revocation list (CRL). If so, proceed to Step 3-F.
Step 3-D:
Click on “System Configuration”, then click “ACS Certificate Setup”.
Click “Edit Certificate Trust List”.
Check your certificate authority (VPRODEMOCA in our case) to implement the CRL from this CA, then click “Submit”.
Step 3-E:
Click on “System Configuration”, then click “ACS Certificate Setup”.
Click “Certificate Revocation Lists”, click on VPRODEMOCA and fill in the CRL URL: http://localhost/certenroll/vprodemoca+.crl
Check the directory c:\windows\system32\certsrv\certenroll\ for the correct name of your CRL file.
Check the box “CRL is in use” and click “Submit”.
Click “System Configuration”, then “Service Control”, and restart the service to clear the message as needed.
Step 3-F:
Click on “System Configuration”, then click “Global Authentication Setup”.
Configure the EAP-PEAP and EAP-TLS protocols on the ACS server by checking the boxes as shown. Click “Submit + Restart”.
Click on the EAP-FAST protocol configuration. Allow EAP-FAST by checking the appropriate boxes as shown. Choose a name for the Authority ID info (we chose ACS) and allow anonymous in-band PAC provisioning as required in your situation. Click “Submit + Restart”.
Note: EAP-FAST is a very flexible method in that it allows token, username/password or certificate-based authentication inside a secure tunnel. We use it with username/password here. Also notice the machine authentication parameters, which let a computer be authenticated without a user being signed on. In order to select anonymous PAC (Protected Access Credentials) provisioning to clients, you need to select both inner protocols, EAP-GTC as well as EAP-MSCHAPv2, on your Radius server as shown.
Tip: Machine Authentication. In the previous screenshot for EAP-FAST authentication you saw where to turn on machine authentication. Where do you configure the corresponding machine authentication for the EAP-PEAP and EAP-TLS protocols? See Step 4 for details.
Even with machine authentication configured, Windows XP clients will not maintain a wireless connection when the user logs off unless you create an administrator profile. See my posting on the Expert Center for details on enabling Windows XP clients to connect to a wireless AP without user sign-on: http://communities.intel.com/docs/DOC-4143
Step 4: External User Database
Click on “External User Database”, then “Database Configuration”, then “Windows Database”, then “Configure”. Leave most of the defaults as shown in the next two screenshots.
Allow machine authentication within EAP-PEAP and EAP-TLS as shown and click “Submit”.
We are done with most of the configuration. We just need to know where to see the failed and successful events in the logs, which is covered in the next step.
Step-5 Reports and Activity:
Click “Reports and Activity”. The two reports of interest are highlighted; click on each of these links.
Click on “Passed Authentications”, then click “Passed Authentications Active.CSV” to see whether there is any data for that day.
Our ACS configuration is left at its default, so a new log file is created once every day. If there is data it will be displayed; in our example there is no data for today. When data is displayed you can click “Download” and save the log to a CSV file.
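As an added illustration, not part of the original guide or of Cisco ACS, here is how a practitioner might triage the companion failed-attempts CSV that ACS writes next to the Passed Authentications report: a few constructed log rows are parsed with Python's csv module, then counted per AAA client and per user. The column names and failure-code strings are assumptions modelled on the ACS 4.x export layout, so compare them with the header of your own file.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not real ACS output) in the layout of an ACS 4.x failed-attempts
# export; the column names are an assumption, so compare them with the header of your own file.
SAMPLE_FAILED_CSV = """Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-Port,NAS-IP-Address,EAP Type Name
01/15/2009,09:02:11,Authen failed,vprodemo\\amtclient01,Default Group,00-13-20-AA-BB-01,Invalid password,2,192.168.1.10,EAP-PEAP
01/15/2009,09:02:40,Authen failed,vprodemo\\amtclient01,Default Group,00-13-20-AA-BB-01,Invalid password,2,192.168.1.10,EAP-PEAP
01/15/2009,09:05:03,Authen failed,vprodemo\\amtclient02,Default Group,00-13-20-AA-BB-02,Key mismatch,,192.168.1.20,
01/15/2009,09:05:09,Authen failed,vprodemo\\amtclient02,Default Group,00-13-20-AA-BB-02,Key mismatch,,192.168.1.20,
01/15/2009,09:07:55,Authen failed,vprodemo\\labuser,Default Group,00-13-20-AA-BB-03,External DB user invalid or bad password,5,192.168.1.10,EAP-FAST
"""


def parse_failed_attempts(text):
    """Read the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def failures_by_nas(rows):
    """Failures per (AAA client, failure code). A client whose failures all carry one code and
    no EAP type usually has a configuration problem (such as a wrong shared secret) rather
    than a user problem."""
    return Counter((r["NAS-IP-Address"], r["Authen-Failure-Code"]) for r in rows)


def nas_without_eap(rows):
    """AAA clients where every failure happened before any EAP method was negotiated."""
    seen, with_eap = set(), set()
    for r in rows:
        seen.add(r["NAS-IP-Address"])
        if r["EAP Type Name"]:
            with_eap.add(r["NAS-IP-Address"])
    return sorted(seen - with_eap)


def repeated_failures(rows, threshold=2):
    """Users with at least `threshold` failures in the file: review these before turning on lockout."""
    counts = Counter(r["User-Name"] for r in rows)
    return sorted(u for u, n in counts.items() if n >= threshold)
```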
We are now done with the simple configuration of Cisco ACS to use with an external Windows database. Do not forget to define the shared secret in all your AAA clients under their Radius configuration. If you are unfamiliar with this, you can read the rest of this document for some clues.
See my “Step-by-Step guide for navigating secure networks with Intel AMT using CISCO ACS as the Radius”, where I used this configuration to validate several Radius protocols and their access to the AMT FW using SCCM SP2.
Bind your AAA clients and ACS Server together with a Shared Secret:
Overview: Once you have installed ACS and added your wired switch and wireless AP as Radius clients, you need to add the Radius server correspondingly in the configuration of both the wired switch and the wireless AP. The Radius server and the switch share a common secret that must be configured on both. Likewise, the Radius server and the wireless AP share a common secret that must be configured on both of them.
Further, it is assumed that the wired switch is configured with some ports for open access and other ports for secure access, so you can test secure 802.1X connectivity by moving the client from an open port to a secured port and looking for entries in the log files showing access being granted or rejected.
Open the administration interface for your switch where Radius is defined and verify the shared secret. In our case it is under the Security settings for the Radius server. Our shared secret is “password1234” on our switch as well as on the IAS server.
Open the administration interface for the wireless AP (an Aironet 1200 in our case) where Radius is defined and verify the shared secret for the Radius server under Security/Server Manager. Make sure EAP Authentication is set to the single Radius server with Priority 1. There are no backup Radius servers in our simple setup scenario.
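The shared secret is what lets each side check that the other really holds the same key: the switch or AP authenticates its Access-Request with an HMAC-MD5 Message-Authenticator (RFC 3579, required whenever EAP is carried), and the Radius server authenticates its reply with the MD5 Response Authenticator of RFC 2865. The Python below is an added example, not code from the guide or from Cisco ACS, that builds and verifies both values so you can see why a mismatched secret on the switch or AP shows up as rejected or silently dropped packets. The secret is the guide's “password1234”; the username and packet identifier are constructed.

```python
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"password1234"        # the guide's example secret (assumed identical on ACS and the NAS)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MSG_AUTH = 1, 80  # RFC 2865 User-Name, RFC 3579 Message-Authenticator

def _attr(atype, value):
    # RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, username, secret, request_auth=None):
    """NAS side: Access-Request carrying User-Name and a Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    # HMAC-MD5 is computed over the whole packet with the Message-Authenticator value zeroed
    zeroed = attrs + _attr(ATTR_MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MSG_AUTH, mac), request_auth

def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC; a NAS configured with a different secret fails here."""
    header, body, pos, zeroed, received = packet[:20], packet[20:], 0, b"", None
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return False                          # malformed attribute length
        value = body[pos + 2:pos + alen]
        if atype == ATTR_MSG_AUTH:
            received, value = value, bytes(16)    # zero it before hashing, keep the original
        zeroed += bytes([atype, alen]) + value
        pos += alen
    if received is None or len(received) != 16:
        return False
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    """NAS side: a reply built with a mismatched secret is discarded, so the port stays closed."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```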