802.1x accounting, 214
802.1x authentication, 196–197
  Cisco switches, configuring, 204–206
  configuring on APs, 257–258
  guest VLAN, configuring, 209
  MAB, configuring, 210–211
  message exchange, 200–201
  multidomain authentication mode, 207–208
  multiple-host mode, 207
  pre-authentication open access mode, 208
  restricted VLAN, configuring, 209–210
  single-host mode, 206–207
  timers, 212–213
  troubleshooting, 250–251, 275–279
  VLAN assignment, configuring, 211–212
AAA
  accounting, configuring with Cisco IOS, 173–174
  authentication, configuring with Cisco IOS, 157–161
  authorization, configuring with Cisco IOS, 161–166
Access Policies drawer (ACS 5.1 interface), 105–116
access services, 107–116
accounting, 6–8
  ASA/PIX, configuring, 191–192
  Authentication Proxy, 326
  configuring, 214
  configuring with Cisco IOS, 173–174
  cut-through proxy accounting, configuring, 303–304
  PPP sessions on Cisco IOS, 350
  remote access VPNs, 342
  VPNs with RADIUS, 359
ACS 4.2 (Cisco Access Control Server 4.2), 23–28
  Active Directory, configuring, 128–131
  Authentication Proxy
    authorization, 318–319
    configuring, 315
  backup and restore, configuring, 376–378
  certificates, installing, 215–218
  command authorization, configuring, 168–173
  cut-through proxy authentication, configuring, 290
  database replication, 378–383
  EAP-FAST, configuring, 265–267
  external databases, 125–126
  group mapping, configuring, 141–142
  identity stores, 125–126
  installing, 32–47
    problems, troubleshooting, 52–55
  interface
    Administration Control, 61–64
    Advanced Options section, 69–70
    External User Databases section, 78–79
    Group Setup section, 74–76
    Interface Configuration section, 66–68
    Network Access Profiles section, 65
    Network Configuration section, 64–65
    Reports and Activity section, 79–82
    Shared Profile Components section, 78–79
    System Configuration section, 76–79
    TACACS+ Settings section, 68–69
    User Setup section, 70–74
  LDAP, configuring, 134–136
  LEAP, configuring, 263–264
  local password management, 391–392
  log file management, configuring, 394–395
  NAPs, configuring, 388–391
  NARs, 375–376
  RDBMS Synchronization feature, 384–388
  remote logging, configuring, 391–393
  RSA SecurID, configuring, 140
  services, 58–61
  VLAN assignment, configuring, 228
ACS 5.1 (Cisco Access Control System 5.1), 28–32
  Active Directory, configuring, 132–133
  Authentication Proxy, authorization, 319–321
  certificates, installing, 219–223
  command authorization, configuring, 168–173
  cut-through proxy authentication, configuring, 290
  database replication, configuring, 404–405
  dictionaries, 405–409
  EAP-FAST, configuring, 266–268
  EAP-MD5, configuring, 223–224
  external databases, 126–128
  group mapping, configuring, 142–148
  identity stores, 126–128
  initial setup, 47–51
  installation problems, troubleshooting, 52–55
  interface
    Access Policies drawer, 105–116
    CLI, 120–122
    Monitoring and Reports drawer, 117–120
    My Workspace drawer, 86–87
    Network Resources drawer, 87–94
    Policy Elements drawer, 98–105
    Users and Identity Stores drawer, 94–98
  LDAP, configuring, 137–139
  LEAP, configuring, 264–265
  licensing, 51–52
  network resources, importing, 412–414
  remote logging, configuring on ACS 5.1, 409–412
  RSA SecurID, configuring, 140–141
  scheduled backups, configuring, 427–430
  software repositories, creating, 422–425
  system administration, 415–422
  VLAN assignment, configuring, 229
activating secondary servers on ACS 5.1, 402–406
Active Directory, configuring
  on ACS 4.2, 128–131
  on ACS 5.1, 132–133
add-on license, ACS 5.1, 52
Administration Control section (ACS 4.2 interface), 61–64
administrative access, ASA/PIX, 180
Advanced Options section (ACS 4.2 interface), 69–70
APs, IEEE 802.1X authentication, 257–258
ASA/PIX
  accounting, configuring, 191–192
  authentication, configuring, 186–188
  authorization, configuring, 188–191
  cut-through proxy authentication, configuring, 282–285
  HTTP redirection, configuring, 288–290
  local database, 180
  privilege levels, 180–182
  Virtual HTTP, configuring, 287–288
  Virtual Telnet, configuring, 286–287
authentication, 2–4
  802.1x authentication, 196–197
    on Cisco switches, 204–206
    multiple-host mode (802.1x), 207
    single-host mode, 206–207
    timers, 212–213
    troubleshooting, 275–279
    WLCs, configuring, 259–263
  ASA/PIX, configuring, 186–188
  configuring with Cisco IOS, 157–161
  cut-through proxy authentication
    configuring, 282–285
    troubleshooting, 291–292
  EAP, 201–204
  example, 4
  IPsec VPNs with Cisco IOS, 334–335
  PPP sessions on Cisco IOS, 345–347
  SSL VPNs with Cisco IOS, 335–336
  troubleshooting, 159–160
  of VPNs
    with LDAP, 362–364
    with RADIUS, 356
    troubleshooting, 337
Authentication Proxy
  accounting, 326
  authorization
    ACS 4.2, 318–319
    troubleshooting, 325–326
  cache, maintaining, 315–316
  for FTP sessions, configuring, 312–314
  for HTTP sessions, configuring, 311–312
  lab scenario, 326–329
  prerequisites, 310–311
  for Telnet sessions, configuring, 314–315
  troubleshooting, 316–317
authorization, 4–6
  802.1x authentication, message exchange, 200–201
  ASA/PIX, configuring, 188–191
  Authentication Proxy, troubleshooting, 325–326
  command authorization, configuring, 166–173
  configuring with Cisco IOS, 161–166
  cut-through proxy authorization, 294–303
  PPP sessions
    on Cisco IOS, 348
    troubleshooting, 349–350
  VPNs
    with Cisco IOS, 337–342
    with LDAP, 364–366
    with RADIUS, 356–359
authorization policies, configuring, 113–115
Auth-Proxy, 3
backup and restore
  on ACS 4.2, configuring, 376–378
  on ACS 5.1, configuring, 421–427
cache (Authentication Proxy), maintaining, 315–316
certificates, installing
  on ACS 4.2, 215–218
  on ACS 5.1, 219–223
Cisco IOS
  AAA authentication, configuring, 157–161
  accounting, configuring, 173–174
  Authentication Proxy
    for FTP sessions, 312–314
    for HTTP sessions, 311–312
    for Telnet sessions, 314–315
    troubleshooting, 316–317
  authorization, configuring, 161–166
  command authorization, configuring, 166–173
  IPsec VPNs, authentication, 334–335
  local database
    configuring, 151–152
    privilege levels, 152–153
  PPP sessions
    accounting, 350
    authentication, 345–347
  privilege levels, lab scenario, 154–155
  VPNs, authorization, 342
Cisco switches, configuring IEEE 802.1X authentication, 204–206
classification of network requests, 389
CLI drawer (ACS 5.1 interface), 120–122
command authorization
  configuring with Cisco IOS, 166–173
  troubleshooting, 172–173
commands, show commands, 249–250
configuring
  802.1x authentication, 257–258
    on Cisco switches, 204–206
    guest VLAN feature, 209
    MAB, 210–211
    restricted VLAN feature, 209–210
    VLAN assignment, 211–212
  accounting, 214
  ACS 4.2
    backup and restore features, 376–378
    database replication, 378–383
    local password management, 391–392
    log file management, 394–395
    NAPs, 388–391
    NARs, 375–376
    RDBMS Synchronization feature, 384–388
    remote logging, 391–393
  ACS 5.1
    backup and restore features, 421–427
    database backup, 425–427
    database replication, 404–405
    dictionaries, 405–409
    remote logging, 409–412
    scheduled backups, 427–430
    system administration, 415–422
  Active Directory
    on ACS 4.2, 128–131
    on ACS 5.1, 132–133
  ASA/PIX
    accounting, 191–192
    authentication, 186–188
    authorization, 188–191
    HTTP redirection, 288–290
    Virtual HTTP, 287–288
    Virtual Telnet, 286–287
  Authentication Proxy
    for FTP sessions, 312–314
    for HTTP sessions, 311–312
    for Telnet sessions, 314–315
  authentication with Cisco IOS, 157–161
  authorization policies, 113–115
  authorization with Cisco IOS, 161–166
  Cisco IOS, local database, 151–152
  cut-through proxy accounting, 303–304
  cut-through proxy authentication, 282–285, 290
  cut-through proxy authorization, 294–303
  exec authorization, 161–166
  group mapping
    on ACS 4.2, 141–142
    on ACS 5.1, 142–148
  identity policies, 110–113
  LDAP
    on ACS 4.2, 134–136
    on ACS 5.1, 137–139
  RSA SecurID
    on ACS 4.2, 140
    on ACS 5.1, 140–141
creating service selection rules, 115–116
CSAdmin service (ACS 4.2), 59
CSAuth service (ACS 4.2), 59
CSDBSync service (ACS 4.2), 59–60
CSLog service (ACS 4.2), 60
CSMon service (ACS 4.2), 60
CSRadius service (ACS 4.2), 60
CSTacacs service (ACS 4.2), 60–61
CSUtil database utility (ACS 4.2), 395–400
cut-through proxy accounting, configuring, 303–304
cut-through proxy authentication, 282–285
  troubleshooting, 291–292
cut-through proxy authorization, 294–303
database replication, 378–383
  on ACS 5.1, 404–405
databases, backing up with ACS 5.1, 425–427
dictionaries, configuring on ACS 5.1, 405–409
EAP, 197–199
  types of, 201–204
EAP-FAST, 202–203
  ACS 4.2, configuring, 265–267
  ACS 5.1, configuring, 266–268
EAP-GTC, 203
EAP-MD5, 201
  ACS 5.1, configuring, 223–224
EAPOL, 199–200
EAP-TLS, 202
  ACS configuration, 226–227
evaluation license, ACS 5.1, 52
exec authorization, configuring, 161–166
external databases
  ACS 4.2, 125–126
  ACS 5.1, 126–128
External User Databases section (ACS 4.2 interface), 78–79
FTP sessions, configuring Authentication Proxy, 312–314
group mapping, configuring
  on ACS 4.2, 141–142
  on ACS 5.1, 142–148
Group Setup section (ACS 4.2 interface), 74–76
guest VLAN feature (802.1x), configuring, 209
HTTP redirection, configuring, 288–290
HTTP sessions
  authentication and authorization lab scenario, 176–177
  Authentication Proxy, configuring, 311–312
identity policies, configuring, 110–113
identity stores
  ACS 4.2, 125–126
  ACS 5.1, 126–128
importing network resources (ACS 5.1), 412–414
initial setup, ACS 5.1, 47–51
installing
  ACS 4.2, 32–47
    problems, troubleshooting, 52–55
  certificates
    on ACS 4.2, 215–218
    on ACS 5.1, 219–223
Interface Configuration section (ACS 4.2 interface), 66–68
IPSec VPNs
  accounting, with RADIUS, 359
  authentication
    with Cisco IOS, 334–335
    with LDAP, 362–364
  authorization
    with Cisco IOS, 337–342
    with LDAP, 364–366
lab scenarios
  802.1x authentication
    configuring using EAP-FAST, 273–274
    configuring using EAP-TLS, 249–250
    configuring using LEAP, 269–273
    configuring using MD5, 230–245
    configuring using PEAP, 245–248
  AAA on ASA using TACACS+, 192–194
  authentication and authorization of HTTP sessions, 176–177
  Authentication Proxy, 326–329
  cut-through proxy authentication, 292–294
  cut-through proxy authentication, authorization, and accounting, 304–308
  local authentication and privilege levels on ASA, 183–184
  TACACS+ authentication, authorization, and accounting of administrative sessions, 174–176
  VPN AAA
    with Cisco IOS, 343–345
    with RADIUS, 359–361
  VPN authentication and authorization with LDAP, 367–369
LDAP (Lightweight Directory Access Protocol)
  configuring
    on ACS 4.2, 134–136
    on ACS 5.1, 137–139
  VPNs
    authentication, 362–364
    authorization, 364–366
LEAP, 201–202
  ACS 4.2, configuring, 263–264
  ACS 5.1, configuring, 264–265
licensing, ACS 5.1, 51–52
local database
  ASA/PIX, 180
  configuring with Cisco IOS, 151–152
  privilege levels, 152–153
local password management (ACS 4.2), 391–392
log file management, configuring on ACS 4.2, 394–395
MAB (MAC Authentication Bypass), configuring, 210–211
maintaining Authentication Proxy cache, 315–316
manual backups, performing on ACS 4.2, 377–378
message exchange in IEEE 802.1X authentication, 200–201
Monitoring and Reports drawer (ACS 5.1 interface), 117–120
multiauthentication mode (802.1x), 208
multidomain authentication mode (802.1x), 207–208
multiple-host mode (802.1x), 207
My Workspace drawer (ACS 5.1 interface), 86–87
NAPs (Network Access Profiles), configuring on ACS 4.2, 388–391
NARs (Network Access Restrictions), on ACS 4.2, 375–376
Network Access Profiles section (ACS 4.2 interface), 65
Network Configuration section (ACS 4.2 interface), 64–65
Network Resources drawer (ACS 5.1 interface), 87–94
network resources, importing (ACS 5.1), 412–414
NFR (Not-For-Resale) license (ACS 5.1), 52
passwords, local password management (ACS 4.2), 391–392
PEAP
  ACS configuration, 224–225
policies (NAP), 389–391
Policy Elements drawer (ACS 5.1 interface), 98–105
PPP sessions
  accounting on Cisco IOS, 350
  authenticating
    on Cisco IOS, 345–347
    troubleshooting, 347–348
  authorization
    on Cisco IOS, 348
    troubleshooting, 349–350
pre-authentication open access mode (802.1x), 208
prerequisites for Authentication Proxy, 310–311
primary servers, configuring replication, 381–382
privilege levels, ASA/PIX, 180–182
privilege levels (Cisco IOS), 152–153
  lab scenario, 154–155
profiles, configuring on ACS 4.2, 388–391
RADIUS, 8–12
  Authentication Proxy, authorization, 322–325
  dictionaries, configuring on ACS 5.1, 405–409
  PPP sessions, authorization, 348
  VPNs, authentication, 355–356
RDBMS Synchronization feature, configuring on ACS 4.2, 384–388
recovering ACS from backup file, 378–379
remote access VPNs
  accounting, 343
  authentication with RADIUS, 355–356
  authorization with RADIUS, 356–359
remote logging
  configuring on ACS 4.2, 391–393
  configuring on ACS 5.1, 409–412
replication versus backup, 381
Reports and Activity section (ACS 4.2 interface), 79–82
restricted VLAN (802.1x), configuring, 209–210
RSA SecurID, configuring
  on ACS 4.2, 140
  on ACS 5.1, 140–141
scheduled backups
  configuring on ACS 5.1, 427–430
  performing on ACS 4.2, 378
secondary servers
  activating (ACS 5.1), 402–406
  replication, configuring, 383
service selection rules, creating, 115–116
services, ACS 4.2, 58–61
Shared Profile Components section (ACS 4.2 interface), 78–79
show commands, 249–250
single-host mode (802.1x), 206–207
software repositories, creating with ACS 5.1, 422–425
SSL VPNs
  accounting, 343
    with RADIUS, 359
  authentication
    with Cisco IOS, 335–336
    with LDAP, 362–364
    with RADIUS, 355–356
  authorization
    with Cisco IOS, 337–342
    with LDAP, 364–366
    with RADIUS, 356–359
system administration on ACS 5.1, 415–422
System Configuration section (ACS 4.2 interface), 76–79
TACACS+, 13–19
  Authentication Proxy, authorization, 318–321
  dictionaries, configuring on ACS 5.1, 405–409
  lab scenarios, authentication, authorization, and accounting of administrative sessions, 174–176
TACACS+ Settings section (ACS 4.2 interface), 68–69
Telnet
  Authentication Proxy, configuring, 314–315
  Virtual Telnet, 286–287
timers (802.1x), 212–213
troubleshooting
  802.1x, 250–251
  802.1x authentication, 275–279
  ACS 4.2 installation, 52–55
  authentication, 159–160
    of VPNs, 337
  Authentication Proxy, 316–317
    authorization, 325–326
  command authorization, 172–173
  cut-through proxy authentication, 291–292
  cut-through proxy authorization, 302–303
  PPP sessions
    authorization, 349–350
    on Cisco IOS, 347–348
  VPN authentication
    with LDAP, 363–364
    with RADIUS, 355–356
  VPN authorization
    with Cisco IOS, 342
    with LDAP, 366
User Setup section (ACS 4.2 interface), 70–74
Users and Identity Stores drawer (ACS 5.1 interface), 94–98
verifying cut-through proxy authentication, 291–292
Virtual HTTP, configuring, 287–288
Virtual Telnet, 286–287
VLAN assignment
  ACS configuration, 228–229
  configuring, 211–212
VPNs
  accounting, 343
  authentication
    with LDAP, 362–364
    with RADIUS, 355–356
  authorization
    with Cisco IOS, 337–342
    with RADIUS, 356–359
  troubleshooting, 342
Windows, CSUtil database utility, 395–400
wireless, IEEE 802.1X authentication
  configuring, 257–258
  WLCs, configuring, 259–263
WLCs, configuring IEEE 802.1X authentication, 259–263