Product Summary RADIUS Servers




Configuration Guide for Cisco Secure ACS with 802.1x Authentication for Avaya 3631 Wireless Telephone

This document details how to configure the Cisco Secure ACS (Access Control Server) v3.3 with 802.1x authentication for use with Avaya 3631 Wireless IP telephones.

Product Summary: RADIUS Servers

Manufacturer: Cisco Systems (www.cisco.com)
Products: Cisco Secure ACS v3.3

The Cisco Secure ACS Paradigm

Cisco Secure ACS provides authentication, authorization, and accounting (AAA, pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, access point or router. The AAA client in Figure 1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.

Figure 1: A Simple AAA Scenario

Cisco Secure ACS centralizes access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in Figure 1 is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from, and the investment already made in, building their corporate user repositories.

Cisco Secure ACS supports Cisco AAA clients such as the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party devices that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.

PN: Cisco Secure ACS v3.3 with 802.1x Authentication for 3631 phone - 1 -

Cisco Secure ACS Specifications

System Performance Specifications

The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is using its internal user database and running on a computer using the fastest processor and network interface card available than it can if it is using several external user databases and running on a computer that complies with the minimum system requirements. For more information about the expected performance of Cisco Secure ACS in your network setting, contact your Cisco sales representative.

The following items are general answers to common system performance questions. The performance of Cisco Secure ACS in your network depends on your specific environment and AAA requirements.

Maximum users supported by the CiscoSecure user database

There is no theoretical limit to the number of users the CiscoSecure user database can support. We have successfully tested Cisco Secure ACS with databases in excess of 100,000 users. The practical limit for a single Cisco Secure ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated Cisco Secure ACSes.

Transactions per second

Authentication and authorization transactions per second are dependent on many factors, most of which are external to Cisco Secure ACS. For example, high network latency in communication with an external user database lowers the transactions per second that Cisco Secure ACS can perform.

Maximum number of AAA clients supported

Cisco Secure ACS can support AAA services for approximately 5000 AAA client configurations. This limitation is primarily a limitation of the Cisco Secure ACS HTML interface. Performance of the HTML interface degrades when Cisco Secure ACS has more than approximately 5000 AAA client configurations. However, an AAA client configuration in Cisco Secure ACS can represent more than one physical network device, provided that the network devices use the same AAA protocol and the same shared secret. If you make use of this ability, the number of actual AAA clients supported approaches 20,000.

If your network has several thousand AAA clients, we recommend using multiple Cisco Secure ACSes and assigning no more than 5000 AAA clients to each Cisco Secure ACS. For example, if you have 20,000 AAA clients, you could use four Cisco Secure ACSes and divide the AAA client load among them so that no single Cisco Secure ACS manages more than 5000 AAA client configurations. If you use replication to propagate configuration data among Cisco Secure ACSes, limit replication of AAA client data to Cisco Secure ACSes that serve the same set of AAA clients.

Cisco Secure ACS Windows Services

Cisco Secure ACS operates as a set of Microsoft Windows services and controls the authentication, authorization, and accounting of users accessing networks. When you install Cisco Secure ACS, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. The Cisco Secure ACS services on the computer running Cisco Secure ACS include the following:

CSAdmin: Provides the HTML interface for administration of Cisco Secure ACS.
CSAuth: Provides authentication services.
CSDBSync: Provides synchronization of the CiscoSecure user database with an external RDBMS application.
CSLog: Provides logging services, both for accounting and system activity.
CSMon: Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
CSTacacs: Provides communication between TACACS+ AAA clients and the CSAuth service.
CSRadius: Provides communication between RADIUS AAA clients and the CSAuth service.

Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS HTML interface.

Cisco Secure ACS HTML Interface

This section discusses the Cisco Secure ACS HTML interface and provides procedures for using it.

About the Cisco Secure ACS HTML Interface

After installing Cisco Secure ACS, you configure and administer it through the HTML interface. The HTML interface enables you to easily modify the Cisco Secure ACS configuration from any connection on your LAN or WAN.

The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java. For a list of supported browsers, see the Release Notes. The most recent revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).

The HTML interface not only makes viewing and editing user and group information possible, it also enables you to restart services, add remote administrators, change AAA client information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are logged in, list failed authentication and authorization attempts, and show administrators' recent tasks.

HTML Interface Security

Accessing the HTML interface requires a valid administrator name and password. The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS. Administrative sessions time out after a configurable length of idle time. Regardless, we recommend that you log out of the HTML interface after each session.

You can enable Secure Sockets Layer (SSL) for administrative sessions. This ensures that all communication between the web browser and Cisco Secure ACS is encrypted. Your browser must support SSL. You can enable this feature on the Access Policy Setup page in the Administration Control section.

Note: It works best with IE 6.0.

The above information about Cisco Secure ACS is taken from the Cisco Secure ACS online documentation.

Configuring Cisco Secure ACS

To configure Cisco Secure ACS, open the HTML interface for Cisco Secure ACS and perform the steps below.

Creating a Local User

1. From the main screen, click on User Setup.
2. In the User field, add the name of the user (ex. kimchi) and click on Add/Edit.

Note: To configure the 3631 IP Phone with 802.1x methods, you need to enter the EAP Identity and EAP User Name. The EAP Identity and EAP User Name can either be a local user created on the Cisco Secure ACS or a user created in Windows Active Directory. In the above example, kimchi is a local user created on Cisco Secure ACS.

3. Type kimchi in the Real Name field.
4. Enter a Password, ex. kimchi123 (this password goes under EAP Password on the Kimchi phone).
5. You can use the same or a separate password for CHAP/MS-CHAP/ARAP.
6. Click Submit to save the settings.

Configuring External User Database

1. From the main screen, click on External User Database.
2. Click on Database Configuration.

Note: You need to configure the External User Database if you are not using the internal database of Cisco Secure ACS, i.e. if you have not created a local user in Cisco Secure ACS.

3. Click on Create New Configuration.
4. Enter the name for the new Windows Database (ex: Windows Database).
5. Click Submit to save the configuration.
6. Click Configure to configure the External User Database.
7. Check the box for Dialin Permission. Also make sure that Grant Dialin permission to user in Windows User Database authentication is enabled.
8. You will see all the available domains under Available Domains. Move the appropriate domain to the Domain List using the right arrow key.
9. Check/uncheck the check boxes as per your network requirements.
10. Click Submit to save the changes.

Configuring AAA Clients

1. From the main screen, click Network Configuration.
2. Click on Add Entry to add a new AAA Client (this will be your Autonomous AP or Cisco WLC).

Note: If you have several autonomous APs, you will have to list each of them here.

3. Under AAA Client Hostname, enter the System Name of the Cisco WLC or Autonomous AP.
4. Enter the IP address of the Cisco WLC or Autonomous AP under AAA Client IP Address.
5. Enter the Key (ex: avaya123). This must match the shared secret entered in the Cisco WLC.
6. Select RADIUS (Cisco Aironet) under the Authenticate Using field.
7. Click Submit to save the settings.
8. Once the settings are saved you are returned to the Network Configuration screen.
9. You see a new entry added for the Cisco WLC under AAA Clients.
10. The Cisco Secure ACS needs to be restarted after these changes. Click on System Configuration, then Service Control.
11. Click the Restart button to restart the server.

Configuring AAA Server

1. From the main screen, click Network Configuration.
2. Click on Add Entry under AAA Servers.
3. Enter the name of the server under AAA Server Name.
4. Enter the IP address of the server on which Cisco Secure ACS is installed under the AAA Server IP Address field.
5. Enter the Key (ex: avaya123). This should match the shared secret entered in the Cisco WLC.
6. AAA Server Type should be Cisco Secure ACS.
7. Traffic Type should be inbound / outbound.
8. Click Submit to save the settings.
9. Once the settings are saved you are returned to the Network Configuration screen.
10. You see a new entry added for the RADIUS server under AAA Servers.
11. The Cisco Secure ACS needs to be restarted after these changes. Click on System Configuration, then Service Control.
12. Click the Restart button to restart the server.
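The Key entered for the AAA client and for the AAA server entry above is the RADIUS shared secret. The following Python example is added here (it is not part of this guide or of Cisco's code) to show what that secret actually protects: it builds an Access-Request carrying an EAP-Message with the Message-Authenticator that RADIUS requires for EAP (RFC 3579), verifies it the way the server does, and computes the Response Authenticator the WLC checks on the reply (RFC 2865). The user name and key are this guide's example values; the NAS address and EAP payload are constructed, and the packet layout is taken from the RFCs.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def _encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length counts the 2-byte header.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, request_auth, secret, attrs):
    """Build an Access-Request carrying a Message-Authenticator (attr 80).
    Per RFC 3579 it is HMAC-MD5(secret, packet) computed with attr 80 zeroed,
    and every Access-Request that carries EAP-Message must include it."""
    body = _encode_attrs(attrs + [(ATTR_MSG_AUTH, b"\x00" * 16)])
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    pkt = head + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # attr 80 was appended last: swap in the real MAC


def verify_message_authenticator(pkt, secret):
    """Server-side check of attr 80. False if absent, malformed or wrong
    (a real server silently discards such requests, RFC 3579 section 3.2)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    pos, found = 20, None
    while pos + 2 <= length:  # walk the TLV attribute list
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            return False
        if t == ATTR_MSG_AUTH and l == 18:
            found = pos
        pos += l
    if found is None:
        return False
    zeroed = pkt[:found + 2] + b"\x00" * 16 + pkt[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[found + 2:found + 18])


def build_response(code, ident, request_auth, secret, attrs):
    """Access-Accept/Reject with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    body = _encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(pkt, request_auth, secret):
    """Client-side (WLC/AP) check of the Response Authenticator."""
    head, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(client_secret=b"avaya123", server_secret=b"avaya123"):
    """One exchange between the WLC (client) and ACS (server).
    Returns (request_ok, response_ok); response_ok is None when the server
    drops the request, which is what a key mismatch looks like on the wire."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator
    # Constructed sample: user and key from this guide, NAS address made up,
    # EAP payload is an EAP Response/Identity for "kimchi".
    req = build_access_request(7, request_auth, client_secret, [
        (ATTR_USER_NAME, b"kimchi"),
        (ATTR_NAS_IP, bytes([192, 168, 10, 2])),
        (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0b\x01kimchi"),
    ])
    if not verify_message_authenticator(req, server_secret):
        return False, None
    resp = build_response(ACCESS_ACCEPT, 7, request_auth, server_secret, [])
    return True, verify_response(resp, request_auth, client_secret)
```

`demo()` returns `(True, True)` with matching keys and `(False, None)` when the ACS entry differs from the WLC's key by even one character.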

Obtain a Certificate for the ACS Server

Follow these steps to obtain a certificate.

1. On the ACS server, open a web browser and browse to the CA server by entering http://<CA IP address>/certsrv in the address bar.
2. Log in to the domain as Administrator.
3. Select Request a certificate.
4. Select advanced certificate request.
5. Select Create and submit a request to this CA.
6. Configure the certificate options. Select Web Server as the certificate template. Enter the name of the ACS server (ex: OurKimchi).
7. Set the key size to 1024. Select the options Mark keys as exportable and Use local machine store. Configure other options as needed, and then click Submit.

Note: We have verified that 3631 phones support key sizes of 1024 and 2048.

8. If you see a warning window referring to a scripting violation (depending on your browser's security/privacy settings), click Yes to continue.
9. Click Install this certificate.
10. If you see a warning window referring to a scripting violation (depending on your browser's security/privacy settings), click Yes to continue.
11. If the installation has been successful, you will see a confirmation message.

Installing ACS Certificate

1. From the main screen, click System Configuration.
2. Click on ACS Certificate Setup.
3. Click on Install ACS Certificate.
4. Select Use Certificate from Storage and enter the CN name of the certificate.
5. Click Submit to save the settings.

Note: The CN name can be seen under the Details tab of the certificate.

6. Once the settings are saved you are returned to the System Configuration screen.
7. You see the certificate information added under Installed Certificate Information.
8. The Cisco Secure ACS needs to be restarted after these changes. Click on System Configuration, then Service Control.
9. Click the Restart button to restart the server.

Note: Compare the Installed Certificate Information seen on the Cisco Secure ACS with the information seen in the General tab of the certificate.

Edit Certificate Trust List

1. From the main screen, click System Configuration.
2. Click on ACS Certificate Setup.
3. Then click on Edit Certificate Trust List.
4. Check all the CAs that the ACS should trust, and uncheck all the CAs that the ACS should not trust. Click Submit to save the settings.

Configuring Global Authentication Setup

1. From the main screen, click System Configuration.
2. Click on Global Authentication Setup.
3. Select the check boxes as per the requirements of your network.
4. Click Submit to save the settings.

Note:
i) The above screenshot shows that all the EAP methods are enabled.
ii) Configure the above screen as per your requirement.
iii) Ex: for PEAP-MSCHAPv2, select Allow EAP-MSCHAPv2 and select Allow MS-CHAP version 1/2 Authentication.
iv) Similarly, for PEAP-GTC select Allow EAP-GTC, for EAP-TLS select EAP-TLS, and for LEAP select LEAP.
v) Cisco Secure ACS does not support the EAP-TTLS method, which is supported by the 3631 IP phone.

Configuring Logging

1. From the main screen, click System Configuration.
2. Click on Logging.
3. Click on CSV Failed Attempts to get the logs of the failed connections.
4. Log to CSV Failed Attempts report should be enabled.
5. The attributes that need to be logged should be moved from Attributes to Logged Attributes using the right arrow key.
6. Log File Management can be done as per your requirements. Click Submit to save the settings.
7. Repeat the above steps for CSV Passed Authentications.

Reports and Activity

To view the failed attempts:
1. From the main screen, click Reports and Activity.
2. Click on Failed Attempts to view the logs of the failed attempts.

To view the passed authentications:
1. From the main screen, click Reports and Activity.
2. Click on Passed Authentications to view the logs of the passed authentications.
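With CSV Failed Attempts logging enabled as configured above, the report is plain CSV and can be triaged offline. The following Python example is added here (it is not the guide's or Cisco's code) and assumes a column set and failure-code strings modelled on the failed-attempts attributes; the sample rows are constructed. It separates shared-secret (key) mismatches per AAA client from EAP password failures and flags phones that fail repeatedly within a short window.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of a CSV Failed Attempts export. The header is an
# assumption modelled on the attributes this guide has you move into
# Logged Attributes; match it to the columns your ACS actually writes.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Authen-Failure-Code,NAS-IP-Address,Caller-ID
03/04/2008,09:00:01,Authen failed,kimchi,Key Mismatch,192.168.10.2,00-11-22-33-44-55
03/04/2008,09:00:05,Authen failed,kimchi,Key Mismatch,192.168.10.2,00-11-22-33-44-55
03/04/2008,09:10:00,Authen failed,kimchi,CS password invalid,192.168.10.3,00-11-22-33-44-55
03/04/2008,09:10:30,Authen failed,kimchi,CS password invalid,192.168.10.3,00-11-22-33-44-55
03/04/2008,09:11:00,Authen failed,kimchi,CS password invalid,192.168.10.3,00-11-22-33-44-55
03/04/2008,09:40:00,Authen failed,phone02,EAP type not configured,192.168.10.3,00-11-22-33-44-66
03/04/2008,10:00:00,Authen failed,phone03,CS password invalid,192.168.10.3,00-11-22-33-44-77
"""


def parse_failed_attempts(text):
    """Parse the CSV report and add a 'when' datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"],
                                        "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def failure_code_counts(rows):
    """Failures per code: a mis-typed EAP password on the phone looks
    different from a wrong AAA-client key or an EAP method ACS has disabled."""
    return Counter(row["Authen-Failure-Code"] for row in rows)


def key_mismatch_clients(rows):
    """AAA clients (WLC/AP addresses) whose Key does not match the ACS entry."""
    return sorted({row["NAS-IP-Address"] for row in rows
                   if row["Authen-Failure-Code"] == "Key Mismatch"})


def burst_sources(rows, window=timedelta(minutes=5), threshold=3):
    """(User-Name, NAS-IP-Address) pairs with at least `threshold` failures
    inside one sliding `window`; returns the peak count for each."""
    times = defaultdict(list)
    for row in rows:
        times[(row["User-Name"], row["NAS-IP-Address"])].append(row["when"])
    flagged = {}
    for key, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged
```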

Further Assistance

1. Configuring Cisco Secure ACS for Windows v3.2 with PEAP-MS-CHAPv2 Machine Authentication can be found on Cisco's website: http://www.cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml
2. The Installation Guide for Cisco Secure ACS for Windows Server Version 3.3 can be found on Cisco's website: http://www.cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html
3. The EAP-TLS Deployment Guide for Wireless LAN Networks can be found on Cisco's website: http://www.cisco.com/en/us/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
4. For other assistance, contact Avaya's customer service at: http://support.avaya.com