Cisco 3.3 Manual de usuario Pagina 393
- Pagina / 860
- Tabla de contenidos
- SOLUCIÓN DE PROBLEMAS
- MARCADORES
Valorado. / 5. Basado en revisión del cliente
10-13
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
EAP-FAST Authentication
This section contains the following topics:
• About EAP-FAST, page 10-13
• About Master Keys, page 10-15
• About PACs, page 10-17
–
Automatic PAC Provisioning, page 10-18
–
Manual PAC Provisioning, page 10-20
• Master Key and PAC TTLs, page 10-21
• Table 10-2
• Enabling EAP-FAST, page 10-25
About EAP-FAST
The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a
client-server security architecture that encrypts EAP transactions with a TLS
tunnel. While similar to PEAP in this respect, it differs significantly in that
EAP-FAST tunnel establishment is based upon strong secrets that are unique to
users. These secrets are called Protected Access Credentials (PACs), which
Cisco Secure ACS generates using a master key known only to Cisco Secure ACS.
Because handshakes based upon shared secrets are intrinsically faster than
handshakes based upon PKI, EAP-FAST is the significantly faster of the two
solutions that provide encrypted EAP transactions. No certificate management is
required to implement EAP-FAST.
EAP-FAST occurs in three phases:
• Phase zero—Unique to EAP-FAST, phase zero is a tunnel-secured means of
providing an EAP-FAST end-user client with a PAC for the user requesting
network access (see Automatic PAC Provisioning, page 10-18). Providing a
PAC to the end-user client is the sole purpose of phase zero. The tunnel is
established based on an anonymous Diffie-Hellman key exchange. If
EAP-MSCHAPv2 authentication succeeds, Cisco Secure ACS provides the
user a PAC. To determine which databases support EAP-FAST phase zero,
see Authentication Protocol-Database Compatibility, page 1-10.
- Windows Server 1
- CONTENTS 3
- 3 Interface Configuration 3-1 6
- 4 Network Configuration 4-1 6
- 6 User Group Management 6-1 8
- 7 User Management 7-1 10
- Contents 11
- 11 Logs and Reports 11-1 16
- 13 User Databases 13-1 18
- 15 Unknown User Policy 15-1 21
- A Troubleshooting A-1 23
- C RADIUS Attributes C-1 23
- D CSUtil Database Utility D-1 24
- E VPDN Processing E-1 26
- G Internal Architecture G-1 26
- Audience 29
- Organization 29
- Conventions 31
- Product Documentation 32
- Related Documentation 33
- Table 2 Related Documentation 34
- Obtaining Documentation 35
- Documentation Feedback 36
- Submitting a Service Request 37
- Overview 41
- The Cisco Secure ACS Paradigm 42
- Chapter 1 Overview 43
- • Authorization, page 1-17 46
- • Accounting, page 1-22 46
- • Administration, page 1-23 46
- Authentication 48
- Authentication Considerations 49
- Passwords 51
- Comparing PAP, CHAP, and ARAP 52
- EAP Support 53
- Basic Password Configurations 54
- Password Aging 55
- User-Changeable Passwords 56
- Authorization 57
- Max Sessions 58
- Dynamic Usage Quotas 58
- Accounting 62
- Administration 63
- Network Device Groups 64
- HTML Interface Security 66
- HTML Interface Layout 67
- Accessing the HTML Interface 72
- Using Online Help 74
- Deployment Considerations 77
- System Requirements 78
- Network and Port Requirements 80
- Network Topology 82
- Wireless Network 85
- Cisco Aironet AP 86
- Remote Access using VPN 88
- VPN concentrator 89
- Network WAN 89
- Remote Access Policy 90
- Security Policy 91
- Administrative Access Policy 91
- Database 94
- Suggested Deployment Sequence 95
- Interface Configuration 99
- Interface Design Concepts 100
- Defining New User Data Fields 101
- Advanced Options 102
- 78-16592-01 103
- Interface 104
- Setting Options for TACACS+ 107
- Attributes 114
- Network Configuration 117
- About Distributed Systems 118
- Proxy in Distributed Systems 120
- Fallback on Failed Connection 121
- Proxy in an Enterprise 122
- • Log them locally 123
- Network Device Searches 124
- Searching for Network Devices 125
- AAA Client Configuration 127
- Adding a AAA Client 132
- Editing a AAA Client 135
- AAA Server Configuration 137
- Adding a AAA Server 140
- Editing a AAA Server 142
- Deleting a AAA Server 144
- Adding a Network Device Group 145
- Step 3 Click Delete 154
- Step 4 Click OK 154
- Shared Profile Components 155
- Network Access Filters 156
- Downloadable IP ACLs 161
- About Downloadable IP ACLs 162
- Adding a Downloadable IP ACL 164
- Editing a Downloadable IP ACL 167
- Network Access Restrictions 168
- About IP-based NAR Filters 171
- Command Authorization Sets 179
- About Pattern Matching 184
- Step 4 Click Delete 189
- User Group Management 191
- Default Group 192
- Group TACACS+ Settings 192
- Basic User Group Settings 193
- Group Disablement 194
- User Group 227
- Ascend-Remote-Addr 233
- Group Setting Management 244
- Renaming a User Group 245
- User Management 247
- About User Databases 248
- Basic User Setup Options 249
- Adding a Basic User Account 250
- Assigning a User to a Group 254
- Setting User Callback Option 255
- TACACS+ Settings (User) 269
- RADIUS Attributes 283
- Listing All Users 301
- Finding a User 301
- Disabling a User Account 302
- Deleting a User Account 303
- Saving User Settings 306
- System Configuration: Basic 307
- Service Control 308
- Date Format Control 309
- Local Password Management 311
- Cisco Secure ACS Backup 315
- Directory Management 316
- Components Backed Up 316
- Backup Options 317
- Components Restored 321
- Step 2 Click ACS Restore 322
- System Monitoring 323
- System Monitoring Options 324
- Setting Up System Monitoring 325
- Event Logging 326
- VoIP Accounting Configuration 327
- Step 4 Click Submit 328
- Replication Process 332
- Replication Frequency 335
- Database Replication Logging 338
- Replication Options 339
- Outbound Replication Options 340
- Cisco Secure ACSes 343
- Replicating Immediately 347
- Scheduling Replication 349
- RDBMS Synchronization 353
- About RDBMS Synchronization 354
- User Groups 355
- About CSDBSync 357
- Synchronization 365
- RDBMS Synchronization Options 366
- IP Pools Server 372
- Adding a New IP Pool 375
- Editing an IP Pool Definition 376
- Resetting an IP Pool 377
- Deleting an IP Pool 378
- IP Pools Address Recovery 379
- Digital Certificates 382
- EAP-TLS Authentication 382
- About the EAP-TLS Protocol 383
- EAP-TLS and Cisco Secure ACS 384
- EAP-TLS Limitations 386
- PEAP Authentication 388
- PEAP and Cisco Secure ACS 389
- Enabling PEAP Authentication 392
- EAP-FAST Authentication 393
- About Master Keys 395
- About PACs 397
- Automatic PAC Provisioning 398
- Manual PAC Provisioning 400
- Master Key and PAC TTLs 401
- Replication and EAP-FAST 402
- Enabling EAP-FAST 405
- Global Authentication Setup 406
- Step 5 Click Delete 425
- Logs and Reports 433
- Logging Formats 434
- Special Logging Attributes 434
- NAC Attributes in Logs 436
- Accounting Logs 438
- Step 2 Click Logged-in Users 442
- Deleting Logged-in Users 443
- Cisco Secure ACS System Logs 445
- Working with CSV Logs 447
- CSV Log File Locations 448
- Viewing a CSV Report 450
- Configuring a CSV Log 451
- Working with ODBC Logs 453
- Preparing for ODBC Logging 454
- Configuring an ODBC Log 455
- Remote Logging 458
- Remote Logging Options 460
- Service Logs 463
- Services Logged 464
- Configuring Service Logs 465
- Administrator Accounts 467
- About Administrator Accounts 468
- Administrator Privileges 469
- Access Policy 477
- Access Policy Options 478
- Setting Up Access Policy 480
- Session Policy 482
- Setting Up Session Policy 483
- Audit Policy 484
- User Databases 485
- CiscoSecure User Database 486
- User Import and Creation 487
- About External User Databases 488
- End-user client AAA client 490
- Cisco Secure 490
- Access Control Server 490
- External user 490
- Windows User Database 491
- Trust Relationships 493
- Domain-Qualified Usernames 498
- UPN Usernames 498
- EAP-TLS Domain Stripping 500
- Machine Authentication 500
- Machine Access Restrictions 503
- Generic LDAP 516
- User Database 517
- Multiple LDAP Instances 517
- Domain Filtering 518
- LDAP Failover 520
- LDAP Configuration Options 521
- Novell NDS Database 533
- User Contexts 535
- ODBC Database 539
- External User Database 542
- Relational Database 543
- Type Definitions 545
- Procedure 546
- PAP Procedure Output 549
- EAP-TLS Procedure Output 552
- Result Codes 553
- Token Server User Databases 562
- RADIUS-Enabled Token Servers 563
- RSA SecurID Token Servers 568
- Network Admission Control 573
- NAC AAA Components 574
- Posture Validation 575
- Posture Tokens 576
- NAC Databases 582
- Policy Selection Options 585
- Configuring a NAC Database 586
- NAC Policies 588
- Local Policies 589
- About Local Policies 590
- NAC Attribute Data Types 591
- Rule Operators 592
- Rule Configuration Options 596
- Creating a Local Policy 597
- External Policies 600
- Creating an External Policy 604
- Editing a Policy 606
- Deleting a Policy 608
- Step 5 Click Delete Policy 609
- Step 6 Click Submit 609
- Unknown User Policy 611
- \username. The 617
- Added Authentication Latency 619
- :username 620
- Unknown User Policy Options 623
- Database Search Order 624
- User Group Mapping and 629
- Specification 629
- • Windows domains 632
- • Novell NDS 632
- • Generic LDAP 632
- Group Mapping Order 633
- NAC Group Mapping 641
- Troubleshooting 645
- Administration Issues 646
- Browser Issues 648
- Cisco IOS Issues 649
- Database Issues 651
- Dial-in Connection Issues 654
- Debug Issues 658
- Proxy Issues 659
- MaxSessions Issues 660
- Report Issues 661
- Third-Party Server Issues 663
- User Authentication Issues 664
- • If you have RADIUS/TACACS 665
- Note Some attributes are not 666
- TACACS+ Attribute-Value Pairs 667
- TACACS+ AV Pairs 668
- Cisco IOS AV Pair Dictionary 669
- TACACS+ Accounting AV Pairs 670
- Dictionary of RADIUS VSA 686
- • Cisco IOS 700
- • Cisco VPN 3000 700
- • Ascend 700
- Note The MS-CHAP-MPPE-Keys 702
- Table C-9 Nortel RADIUS VSAs 715
- CSUtil Database Utility 717
- CSUtil.exe Syntax 718
- CSUtil.exe Options 719
- CSUtil.exe -x 721
- Step 2 Type: 722
- CSUtil.exe -r config filename 724
- Step 3 Type: 726
- Dump File 727
- ONLINE or OFFLINE Statement 733
- ADD Statements 734
- UPDATE Statements 735
- DELETE Statements 737
- ADD_NAS Statements 737
- DEL_NAS Statements 739
- Import File Example 740
- Decoding Error Numbers 743
- Recalculating CRC Values 744
- Listing Custom RADIUS Vendors 748
- RADIUS Vendor/VSA Import File 750
- Vendor and VSA Set Definition 751
- Attribute Definition 752
- Enumeration Definition 754
- PAC File Generation 756
- PAC File Options and Examples 757
- Generating PAC Files 759
- Posture Validation Attributes 760
- CSUtil.exe -addavp filename 765
- CSUtil.exe -delavp vendor-ID 767
- VPDN Processing 781
- VPDN Process 782
- Figure E-10 786
- RDBMS Synchronization Import 787
- Definitions 787
- Action Codes 790
- PIX Shell (pixshell) 799
- NAS01,tty0,0898-69696969 801
- User Settings 805
- User-Specific Attributes 818
- User-Defined Attributes 820
- Group-Specific Attributes 821
- An Example of accountActions 822
- Internal Architecture 825
- Windows Registry 826
- CSDBSync 828
- Monitoring 829
- Recording 830
- Notification 831
- Response 831
- CSTacacs and CSRadius 832
Relacionado con productos y manuales para Ordenadores Cisco 3.3
Ordenadores Cisco 6200 Manual de usuario
(32 paginas)
(32 paginas)
Ordenadores Cisco SFS 7008P Manual de usuario
(34 paginas)
(34 paginas)
Ordenadores Cisco ONS 15200 Manual de usuario
(74 paginas)
(74 paginas)
Ordenadores Cisco SFS 7008 Manual de usuario
(108 paginas)
(108 paginas)
Ordenadores Cisco TOPSPIN SFS 3001 Manual de usuario
(30 paginas)
(30 paginas)
Ordenadores Cisco OL-6349-01 Manual de usuario
(12 paginas)
(12 paginas)
© 2020, manymanuals.es. Todos los derechos reservados | 0.065 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales