Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database




Table of Contents:
Introduction
Getting Started
Step-1: Interface Configuration
Step-2: Network Configuration
Step-3: System Configuration
Step 4: External User Database
Step-5: Reports and Activity
Bind your AAA Clients and ACS Server together with a Shared Secret

Introduction:
This is a simple step-by-step configuration for setting up a Cisco ACS server as the Radius server that grants secure network access to Intel AMT clients. The configuration here uses Windows AD as the external database for simplicity. The Cisco ACS server has been configured to allow several popular Radius protocols: EAP-PEAP, EAP-TLS and EAP-FAST. You can use this as a quick start guide for validating Intel AMT access to secure networks where Cisco ACS has been deployed as the Radius server. This configuration has been successfully used for validating wired and wireless access to the AMT firmware over secure networks in a simple environment with a single domain controller, using the SCCM SP1 and SP2 consoles. It is assumed that the reader is familiar with the basic concepts of 802.1x networks, wireless and Radius protocols, the process used to create and install certificates, and other related aspects of AMT provisioning. Refer to other material available on the vPro Expert Center for assistance with any of these topics. For a high-level overview of navigating 802.1x networks with an AMT client, refer to my posting "Navigating Secure Networks with AMT Client": http://communities.intel.com/docs/doc-3866

Getting Started:
For demonstration of our simple ACS configuration we have a Windows 2003 virtual machine domain controller with DHCP, DNS, Microsoft CA and Cisco ACS 4.0 installed. Start the ACS Admin console: Start/Program/Cisco ACS Admin 4.0/ACS Admin. We will follow these five simple steps to configure the ACS server for validating customer scenarios for navigating secure networks using Intel AMT.

Step-1: Interface Configuration
Click on Interface Configuration, then Advanced Options; un-check all options and click Submit. This ensures that no advanced options are enabled and keeps the configuration of your ACS server simple.

Step-2: Network Configuration
Click on Network Configuration.
Step 2-A: Click on the existing AAA Server name (VPRODEMODC in our case) and set a shared secret (key), password1234, between the server and the Radius clients that will be defined in the next step.

Click Submit + Apply. Note: If at any time after you click Submit you get a message that the service needs to be restarted, click on System Configuration, then Service Control, and restart the service.

Step 2-B: Under Network Configuration, click Add Entry to add the AAA client for wired access. Fill in the AAA Client Hostname and IP Address and the same shared secret. Select the other settings as shown. Click Submit + Apply.

Step 2-B (wireless): Under Network Configuration, click Add Entry to add the AAA client for wireless access. Fill in the details for your wireless AP and its IP address and click Submit + Apply. Note: The same shared secret (key) must also be configured on the web interface of each of these AAA clients, as the Radius server shared secret under the Radius configuration on the AAA client.

Step-3: System Configuration
Click on System Configuration. Configure the ACS Certificate Setup to facilitate EAP-PEAP and EAP-TLS (Step 3-A to Step 3-E). Note: It is assumed that the reader is familiar with requesting certificates from the installed Microsoft CA using web enrollment. After that, configure Global Authentication Setup, where the Radius authentication protocols are set up (Step 3-F).

Step 3-A: Click on System Configuration, then click ACS Certificate Setup as shown. Access the web enrollment form for your Microsoft CA on the domain controller, http://localhost/certsrv, and download the root CA certificate file (Base 64 format) for importing into ACS (give the file a name and save it). Tip: If you don't have the CA running you can also use a self-signed certificate.

Click on ACS Certification Authority Setup and fill in the path to the root CA CER file saved above. Click Submit.

Step 3-B: Click Generate Certificate Signing Request and create a certificate request for the ACS server as shown: CN=vprodemodc.vprodemo.com (the FQDN of the ACS server); Private key file: C:\Certs\acs.pvk (choose any file name); Private key password: P@ssw0rd (choose a password and retype it to confirm). Fill in the rest of the information as shown. Click Submit.

Cut and paste the CSR text as shown for submission to the CA.

Invoke web enrollment for your CA, http://localhost/certsrv/, and submit the CSR: Request a Certificate, Advanced Certificate Request, "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file". Paste the CSR generated in the previous step, select the Web Server template and click Submit. Download the certificate ACSVPRODEMO.CER in Base64 format.

Step 3-C: Click Install ACS Certificate and select the certificate file downloaded in the previous step. Click Submit.

Click Install New Certificate and accept the dialog box to remove the old certificate (if one was installed). Click System Configuration, then Service Control, and restart the service to clear the message in red.

You may skip Step 3-D and Step 3-E if you do not want to implement certificate revocation list checking; if so, proceed to Step 3-F.
Step 3-D: Click on System Configuration, click ACS Certificate Setup, then click Edit Certificate Trust List. Check your certificate authority (VPRODEMOCA in our case) to implement CRL checking from this CA, and click Submit.

Step 3-E: Click on System Configuration, click ACS Certificate Setup, then click Certificate Revocation Lists. Click on VPRODEMOCA and fill in the CRL URL: http://localhost/certenroll/vprodemoca+.crl (check the directory c:\windows\system32\certsrv\certenroll\ for the correct name of your CRL file). Check the box "CRL is in use" and click Submit. Click System Configuration, then Service Control, and restart the service to clear the message as needed.

Step 3-F: Click on System Configuration, then click Global Authentication Setup. Configure the EAP-PEAP and EAP-TLS Radius protocols on the ACS server by checking the boxes as shown. Click Submit + Restart.

Click on the EAP-FAST protocol configuration. Allow EAP-FAST by checking the appropriate boxes as shown. Choose a name for the Authority ID info (we chose ACS) and allow anonymous in-band PAC provisioning as required in your situation. Click Submit + Restart. Note: EAP-FAST is a very flexible Radius protocol in that it allows token, username/password or certificate-based authentication inside a secure tunnel. We use it with username/password here. Also notice the machine authentication parameters, so that the computer can be authenticated without a user being signed on. In order to select anonymous PAC (Protected Access Credential) provisioning to clients you need to select both inner protocols, EAP-GTC as well as EAP-MSCHAPv2, on your Radius server as shown.

Tip: Machine Authentication. In the previous screen shot for EAP-FAST authentication you saw where to turn on machine authentication. Where do you configure the corresponding machine authentication for the EAP-PEAP and EAP-TLS protocols? See Step 4 for details. Although you configure machine authentication, Windows XP clients will not maintain the wireless connection when the user logs off unless you create an administrator profile. See my posting on the Expert Center for more details on enabling Windows XP clients to connect to a wireless AP without user sign-on: http://communities.intel.com/docs/doc-4143

Step 4: External User Database
Click on External User Database, click Database Configuration, click Windows Database, then click Configure. Leave most of the defaults as shown in the next two screen shots.

Allow machine authentication within EAP-PEAP and EAP-TLS as shown and click Submit. We are done with most of the configuration; we just need to know where to see the failed and successful events in the logs, which is covered in the next step.

Step-5: Reports and Activity
Click Reports and Activity. Highlighted are the two reports of interest; click on each of these links. Click on Passed Authentication, then click "Passed Authentication Active.CSV" to see if there is any data for that day.

Our ACS configuration is left at the default, so a new file is created once every day. If there is data it will be displayed; in our example there is no data for today. When data is displayed you can click Download and save the log to a CSV file. We are now done with the simple configuration of Cisco ACS to use with an external Windows database. Don't forget to define the shared secret in all your AAA clients under their Radius configuration. If you are unfamiliar with this, you can read the rest of this document for some clues. See my Step-by-Step guide for navigating secure networks with Intel AMT using Cisco ACS as the Radius server, where I used this configuration to validate several Radius protocols and their access to the AMT firmware using SCCM SP2.
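Step 5 shows where the Passed Authentication and Failed Attempts CSV reports live but leaves reading them to you. The Python below is an added example, not part of the original guide or of Cisco's tooling, that scans a constructed Failed Attempts extract (the column subset, the failure-code strings, the names and the addresses are assumptions modelled on the ACS 4.x CSV layout, not a capture from a real server) and pulls out the two things worth looking for first: repeated bad-password failures for one user from one NAS inside a short window, and NAS devices whose requests fail at the RADIUS level, which points at a shared-secret or missing-AAA-client mistake from Step 2 rather than at a user.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the ACS 4.x "Failed Attempts active.csv" layout.
# Column subset, failure-code strings, user names and addresses are assumptions
# made for this example; they are not taken from a real ACS report.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-Port,NAS-IP-Address,EAP Type Name
07/14/2009,09:00:05,Authen failed,client1,Default Group,00-11-22-33-44-55,External DB user invalid or bad password,1,192.0.2.10,PEAP
07/14/2009,09:00:40,Authen failed,client1,Default Group,00-11-22-33-44-55,External DB user invalid or bad password,1,192.0.2.10,PEAP
07/14/2009,09:01:15,Authen failed,client1,Default Group,00-11-22-33-44-55,External DB user invalid or bad password,1,192.0.2.10,PEAP
07/14/2009,09:01:50,Authen failed,client1,Default Group,00-11-22-33-44-55,External DB user invalid or bad password,1,192.0.2.10,PEAP
07/14/2009,09:05:00,Authen failed,host/vproclient.vprodemo.com,Default Group,00-11-22-33-44-66,External DB user unknown,2,192.0.2.10,EAP-TLS
07/14/2009,09:10:00,Authen failed,,,00-11-22-33-44-77,Invalid message authenticator in EAP request,1,192.0.2.20,
07/14/2009,09:10:30,Authen failed,,,00-11-22-33-44-77,Invalid message authenticator in EAP request,1,192.0.2.20,
07/14/2009,09:30:00,Authen failed,client2,Default Group,00-11-22-33-44-88,External DB user invalid or bad password,3,192.0.2.10,EAP-FAST
07/14/2009,09:31:00,Authen failed,client2,Default Group,00-11-22-33-44-88,External DB user invalid or bad password,3,192.0.2.10,EAP-FAST
"""

# Failure-code fragments that mean the NAS itself, not the user, is misconfigured
# (wrong shared secret or a switch/AP that was never added as an AAA client).
NAS_PROBLEM_MARKERS = ("message authenticator", "unknown nas")


def parse_failed_attempts(text):
    """Turn the CSV text into dicts with a real datetime; malformed rows are skipped, not fatal."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        except (KeyError, ValueError):
            continue  # a partially written line in the live file must not stop the scan
        rows.append({
            "when": when,
            "user": row.get("User-Name", "") or "",
            "nas_ip": row.get("NAS-IP-Address", "") or "",
            "failure_code": row.get("Authen-Failure-Code", "") or "",
            "eap_type": row.get("EAP Type Name", "") or "",
        })
    return rows


def find_password_guessing(rows, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, nas_ip): peak} for pairs with >= threshold bad-password failures in any window."""
    by_key = defaultdict(list)
    for r in rows:
        if "bad password" in r["failure_code"].lower():
            by_key[(r["user"], r["nas_ip"])].append(r["when"])
    findings = {}
    for key, times in by_key.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):
            # advance the right edge while the window still covers times[i]..times[j]
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            findings[key] = peak
    return findings


def find_nas_problems(rows):
    """Count RADIUS-level failures per NAS address; these are Step 2 misconfigurations, not user errors."""
    counts = defaultdict(int)
    for r in rows:
        code = r["failure_code"].lower()
        if any(marker in code for marker in NAS_PROBLEM_MARKERS):
            counts[r["nas_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_failed_attempts(SAMPLE_FAILED_ATTEMPTS)
    print("rows:", len(parsed))
    print("repeated bad passwords:", find_password_guessing(parsed))
    print("NAS-level failures:", find_nas_problems(parsed))
```

Point the parser at the downloaded CSV from Step 5 instead of the embedded sample to run it against real data; the window and threshold are deliberately conservative so that a user mistyping a password twice does not show up, while four failures in two minutes from one port does.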

Bind your AAA Clients and ACS Server together with a Shared Secret:
Overview: Once you install ACS and add your wired switch and wireless AP as the Radius clients, you need to correspondingly add the Radius server in the configuration of both the wired switch and the wireless AP. The Radius server and the switch share a common secret that needs to be configured on both. Likewise, the Radius server and the wireless AP share a common secret which should be configured on both of them. Further, it is assumed that the wired switch is configured with some ports for open access and other ports for secure access, so you can test secure 802.1x connectivity by moving the client from an open port to a secured port and looking for entries in the log files for access being granted or rejected. Open the administration interface for your switch where Radius is defined and verify the shared secret. In our case it is under the Security settings for the Radius server. Our shared secret is password1234 on our switch as well as on the IAS server.
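The shared secret from Step 2 and from this section is what lets ACS and each AAA client authenticate one another's RADIUS packets: the switch or AP keys the Message-Authenticator HMAC over its Access-Request with it, and ACS keys the Response Authenticator hash of its answer with it. The Python below is an added example, not code from the original guide or from Cisco, that builds both sides of that exchange using the packet formats of RFC 2865 and RFC 3579 with only the standard library. The EAP Identity payload, the NAS address 192.0.2.10, the identifier values and the function names are this example's own assumptions; the secret password1234 is the one the guide uses. Running it with mismatched secrets shows why a wrong key on either device produces no working login at all.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 3579.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def attribute(atype, value):
    """Encode one attribute as type, length (value length + 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return [(type, value), ...]; raise ValueError on a truncated or malformed TLV."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(identifier, shared_secret, username, nas_ip, eap_payload):
    """AAA-client side: Access-Request carrying an EAP-Message, sealed with Message-Authenticator."""
    request_auth = os.urandom(16)  # fresh per request; the client also needs it to check the reply
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_EAP_MESSAGE, eap_payload)
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder, kept last
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()  # HMAC-MD5 over the whole packet
    return packet[:-16] + mac  # replace the zero placeholder with the real value


def verify_message_authenticator(packet, shared_secret):
    """Server side: recompute HMAC-MD5 with the attribute zeroed; False means 'silently discard'."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    pos = HEADER_LEN
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
        pos += 2 + len(value)
    return False  # an EAP-Message without Message-Authenticator must be rejected (RFC 3579)


def build_response(code, request, shared_secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + shared_secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, shared_secret):
    """AAA-client side: trust the reply only if it was hashed with our secret and our request authenticator."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + shared_secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo(server_secret=b"password1234", nas_secret=b"password1234"):
    """One exchange between a NAS keyed with nas_secret and an ACS keyed with server_secret."""
    identity = b"vprodemo\\client1"  # constructed EAP identity
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity  # EAP Response/Identity
    request = build_access_request(7, nas_secret, "client1", "192.0.2.10", eap_identity)  # constructed NAS address
    if not verify_message_authenticator(request, server_secret):
        return {"request_accepted_by_server": False, "response_verified_by_nas": False}
    response = build_response(ACCESS_ACCEPT, request, server_secret)
    return {"request_accepted_by_server": True,
            "response_verified_by_nas": verify_response(response, request, nas_secret)}


if __name__ == "__main__":
    print("matching secrets:", demo())
    print("typo on the switch:", demo(nas_secret=b"passw0rd1234"))
```

RFC 3579 requires the server to discard a request whose Message-Authenticator does not verify rather than answer it, so from the switch's side a wrong secret looks like a RADIUS timeout, never an Access-Reject; the ACS Failed Attempts report from Step 5 is where the mismatch becomes visible. The same property is why a shared secret of real length matters: everything in the exchange other than the EAP tunnel contents is protected only by MD5 keyed with it.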

Open the administration interface for the wireless AP (an Aironet 1200 in our case) where Radius is defined and verify the shared secret for the Radius server under Security / Server Manager. Make sure EAP Authentication is set to the single Radius server with Priority 1. There are no backup Radius servers in our simple setup scenario.

Configure the SSID EAPTLS for EAP Radius authentication on your AP.

Configure the encryption AES CCMP on your AP.

Enable the radio on your AP. Note: Your wireless AP configuration may be slightly different.