Cisco ACS 5.8 New Features

ACS
If you are running Cisco Access Control Server in your environment and plan to upgrade to the latest 5.8 version, below is a sneak peek at the new feature list. Remember that these are in addition to the detailed scenarios covered in our Cisco ACS 5.X Deployment guide.

Active Directory Enhancements: The ACS 5.8 web interface includes the following new options on the Active Directory page: Advanced Tuning, Authentication Domains, Diagnostic Tool, Ambiguous Identity Resolution and Enable Kerberos for PAP authentications, to name a few.

Authenticating Administrators against RADIUS Identity and RSA SecurID Servers: Previous releases of ACS supported authenticating ACS administrators only against AD or LDAP external identity stores. ACS 5.8 also supports authenticating administrators against RADIUS Identity and RSA SecurID servers. This feature is available in…
Configuring Role Based Access Control (RBAC) using TACACS+

ACS
In this blog post, we will configure Cisco Secure ACS 5.X to return a TACACS attribute defining the role a user should be placed into on an IOS device using Role Based Access Control (RBAC). RBAC enables access restriction based on each user’s role and function within the organization. This feature is very useful when an ACS admin wants to delegate varying responsibilities to different user groups within an organization. The Role-Based CLI Access feature allows the network administrator to define “views”, which are sets of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config) mode commands. We can create the following roles to accomplish the goals set forth:

1) Network Operator Role (netop): allowed to configure network-related operational tasks, e.g. configuration…
2 Factor authentication for Cisco VPN Solutions

ACS, ISE
Generally, there are two approaches widely used in networks today for user credential management: username and password based authentication and/or certificate based authentication. The first approach is easier to manage, but if you choose easy passwords or your passwords are stolen, your identity can be compromised. The second approach requires a little more management overhead but offers the most security, since your identity certificates can’t be forged that easily. However, if the laptop that has your certificate installed gets stolen, your identity is compromised. Both methods offer a single layer of authentication; using either of them alone, your identity can be compromised. Despite losing user credentials (someone decoding your company’s global VPN Client group authentication key from the Cisco VPN Client PCF file) or…
ACS5.X : 802.1x Port Based Access Control via RADIUS attributes

ACS
NOTE: This article covers the IEEE 802.1X Port-Based Access Control method. Identity Based Network Service (Cisco IBNS) and the IBNS 2.0 framework are covered in other articles. This article will cover IEEE 802.1X Port-Based Access Control using authentication from Cisco Secure ACS 5.X with dynamic VLAN assignment. The basic idea behind the standard is to authenticate and authorize before a user can connect to the physical or logical port of a Layer 2 device in order to gain access to the VLAN or WLAN infrastructure. Here, we have the following three basic components of the IEEE 802.1X architecture:

Authentication Server: Cisco Secure ACS 5.X
Authenticator: Catalyst Switch
Client or Supplicant: XP Native Client (or AnyConnect Secure Mobility Client etc.)

In order to assign a VLAN to a client upon successful authentication…