quick start and documentation

Upload: jalo1797

Post on 14-Apr-2018


  • 7/30/2019 Quick Start and Documentation

    1/20

    Americas Headquarters:

    Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

    © 2008 Cisco Systems, Inc. All rights reserved.

    Quick Start and Documentation Guide for Cisco Secure ACS Express, 5.0

    Revised: March 26, 2008, 78-17961-02

    This guide provides the information you need to get started installing, configuring, and using Cisco Secure ACS Express 5.0 and includes the following sections:

    Supplemental License Agreement

    This Supplemental License Agreement (SLA) contains additional limitations on the license to the Software provided to Customer under the End User License Agreement between Customer and Cisco.

    Product Documentation Set

    Installing the ACS Express Appliance

    Using the GUI

    Configuration Overview

    Obtaining Documentation, Obtaining Support, and Security Guidelines


    Supplemental License Agreement

    Supplemental License Agreement for Cisco Systems Network Management: Cisco Secure Access Control Server Express Software

    IMPORTANT - READ CAREFULLY: This Supplemental License Agreement

    (SLA) contains additional limitations on the license to the Software provided to

    Customer under the End User License Agreement between Customer and Cisco.

    Capitalized terms used in this SLA and not otherwise defined herein shall have

    the meanings assigned to them in the Software License Agreement. To the extent

    that there is a conflict among any of these terms and conditions applicable to the

    Software, the terms and conditions in this SLA shall take precedence.

    By installing, downloading, accessing or otherwise using the Software, Customer

    agrees to be bound by the terms of this SLA. If Customer does not agree to the

    terms of this SLA, Customer may not install, download or otherwise use the

    Software.

    1. ADDITIONAL LICENSE RESTRICTIONS

    Installation and Use. The Cisco Secure Access Control Server Express Software

    component of the Cisco 1010 Hardware Platform is preinstalled. CDs containing

    tools to restore this Software to the 1010 hardware are provided to Customer for

    reinstallation purposes only. Customer may only run the supported Cisco Secure

    Access Control Server Software on the Cisco 1010 Hardware Platform designed

    for its use. No unsupported Software product or component may be installed on

    the Cisco 1010 Hardware Platform.

    Software Upgrades, Major and Minor Releases. Cisco may provide Cisco

    Secure Access Control Server Express Software updates and new version releases

    for the 1010 Hardware Platform. If the Software update and new version releases

    can be purchased through Cisco or a recognized partner or reseller, the Customer

    should purchase one Software update for each Cisco 1010 Hardware Platform. If

    the Customer is eligible to receive the Software update or new version release

    through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.


    Reproduction and Distribution. Customer may not reproduce nor distribute

    software.

    2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS

    Please refer to the Cisco Systems, Inc., End User License Agreement:

    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

    Product Documentation Set

    This section provides a list of the ACS Express product documentation with links

    to the online documentation. You can find links to all ACS Express product

    documentation at the following URL:

    http://cisco.com/en/US/products/ps8543/tsd_products_support_series_home.html

    The following documents comprise the Cisco Secure ACS Express documentation

    set and should be read in the following order:

    Quick Start and Documentation Guide for Cisco Secure ACS Express 5.0

    (78-17961-02, this document)

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/roadmap/xpguide.html

    Release Notes for Cisco Secure ACS Express, 5.0 (OL-11674-01)

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/release/notes/xpnote.html

    The Release Notes for Cisco Secure ACS Express, 5.0 provide a collection of information including related documentation, how to get the latest software, information about specific software and hardware requirements, configuration information, lists of known and resolved anomalies, and release note enclosure information for all known anomalies.


    Installation and Setup Guide for Cisco Secure ACS Express, 5.0 (OL-11671-01)

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/install.html

    The Installation and Setup Guide for Cisco Secure ACS Express is an online only document that provides information about how to set up the ACS Express appliance including location, internet connection, and initial configuration.

    User Guide for Cisco Secure ACS Express, 5.0 (OL-11672-01)

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/users.html

    The User Guide for Cisco Secure ACS Express is an online only document that provides information about how to use the ACS Express GUI and how to perform routine tasks associated with the features and functionality of Cisco ACS Express.

    Cisco Secure ACS Express Command Reference, 5.0 (OL-11673-01)

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/command/reference/guide/cmdref.html

    The Cisco Secure ACS Express Command Reference focuses on the following topics:

    Command-line interface configurations

    Command-line interface reference

    Each topic provides a high-level summary of the tasks required for using the CLI in the Application Deployment Engine OS 1.0.1, and the procedures for performing these tasks.

    Troubleshooting Guide for Cisco Secure ACS Express, 5.0 (OL-14650-01)

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/troubleshooting/guide/trouble.html

    This guide provides information about troubleshooting strategies and shows example ACS Express logs with pointers to things to look for when experiencing difficulties.


    Installing the ACS Express Appliance

    The Cisco Secure ACS Express product comprises an appliance, the Cisco

    Application Deployment Engine (ADE) 1010, and the ACS Express server

    software. The software for ACS Express is already installed on the appliance.

    This section provides an overview of installation tasks required to install the ACS

    Express appliance.

    Step 1 Open the box and check the contents.

    The package containing your ACS Express appliance includes the following:

    ACS Express appliance

    Hardware accessory kits

    Software accessory kits

    Rack mount kit

    Power cord

    Step 2 Read Chapter 3, Chapter 1, Preparing to Install the Cisco ACS Express Appliance, of the Installation and Setup Guide for Cisco Secure ACS Express and pay special attention to all safety guidelines found in Safety Guidelines.

    Step 3 Install the appliance in either a two-post or four-post rack.

    Detailed information about how to mount the appliance is included in the rack mount kit.

    Step 4 Connect the AC power cord.

    Figure 1 shows the rear of the ACS Express appliance and the various cable

    connectors. Connect the AC power cord to the receptacle (#1) on the left-hand

    side of the rear panel. Connect the other end of the power cord to an AC power

    source.


    Figure 1 Cable Connectors on Rear of ACS Express Appliance

    1  AC Power Connector    5  Video connector
    2  Mouse                 6  NIC 1 (10/100/1000 Mb) port
    3  Keyboard              7  Unsupported NIC 2 port
    4  Serial Port           8  USB ports

    Step 5 Establish a terminal connection.

    Configure a terminal (an ASCII terminal or a PC running terminal-emulation software) for 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.

    Note: Use the NIC 1 connector for your Ethernet connection. Using the NIC 2 port is not supported and attempting to use the NIC 2 connector will cause an unstable environment.

    Step 6 Connect the ACS Express appliance to an Ethernet connection using the NIC 1 connector (#6 in Figure 1).

    Step 7 Turn power on to the ACS Express appliance.

    After you turn on power to the ACS Express appliance and it boots up for the first time, the following displays on the console:

    *************************************************

    Please log in as setup to configure the appliance

    *************************************************

    localhost login:


    Step 8 At the login prompt, enter setup.

    localhost login: setup

    Enter setup to begin the setup program; the ACS Express appliance will prompt

    you for the setup parameters.

    Step 9 Use your browser to access the ACS Express GUI by entering the server name and

    domain name of your ACS Express server into the browser address field:

    https://server_name.domain

    where server_name is the name and domain or IP address of the ACS Express

    server.

    Step 10 Log in to the ACS Express server.

    See Logging In and Logging Out, page 8, for information about logging in and

    using the GUI.

    Step 11 Configure the ACS Express server for your site's requirements.

    See Chapter 6 of the Installation and Setup Guide for Cisco Secure ACS Express, 5.0, Administering Cisco ACS Express, for an overview of what you need to do to get started configuring the ACS Express server.

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/installation/guide/admin.html

    You can find detailed information to help you configure the ACS Express server

    in the User Guide for Cisco Secure ACS Express. See also, Configuration

    Overview, page 14.

    The ACS Express GUI also provides online help for each configuration window

    and configuration tips for GUI fields.

    Using the GUI

    This section describes how to use the ACS Express graphical user interface (GUI).

    Logging In and Logging Out

    Navigating the GUI

    Using Online Help


    Logging In and Logging Out

    ACS Express uses a web-based browser to log in and log out of the graphical user

    interface (GUI). To log in to ACS Express, launch a browser and enter a URL into

    the browser address field:

    https://server_name.domain

    Where server_name is the name and domain or IP address of the ACS Express

    server.

    Figure 2 shows an example of the ACS Express login window. Enter your username and password to log in. Click Reset to clear the Username and Password fields.

    Figure 2 ACS Express Login Window

    To log out of a session on the ACS Express server, click Logout in the upper right corner of the GUI window (Figure 3) in the status pane. This area of the GUI also has the hostname of the ACS Express server and an About button for software version information. Click the circle with the question mark (?) to access online help.


    Figure 3 ACS Express Server Status Pane

    Navigating the GUI

    The top-level window of the ACS Express GUI is called the Workspace. The

    Workspace contains the following areas:

    Status Pane

    Navigation Pane

    Content Pane

    Workspace

    Figure 4 shows an example of the top-level ACS Express window called the

    Workspace.


    Figure 4 ACS Express GUI Workspace

    Callout  Description
    1        Status pane
    2        Navigation pane
    3        Content pane

    Status Pane

    The ACS Express GUI has a top-level application Status pane with the following items.

    Product Name: Cisco Secure ACS Express displays on the left side of the status bar

    Server Hostname: Name of the server where you are currently logged in

    Login Name: User ID for current session

    Logout: Logs you out of the application and displays the login window

    About: Displays information about the currently installed software version and server hostname

    Navigation Pane

    The navigation pane contains six drawers, and each drawer contains subitems that display data in the content pane. The following list describes navigational behaviors:

    Clicking on a drawer name highlights and expands the drawer.

    Clicking on a drawer arrow expands the drawer.

    Clicking on an item highlights the drawer name and selected item, and the content pane is refreshed.

    After refreshing the content pane, a status dialog will temporarily appear until the content pane is downloaded fully.

    Clicking on a drawer in which an item was previously selected does the following:

        Highlights the drawer

        Expands the drawer

        Selects the previously selected item

        Refreshes the content pane

    After you log in, the GUI keeps track of the last selected item in a cookie. If the cookie is present, the last selected item will be active upon login.

    You can collapse the navigation pane by clicking the toggle on left (center) edge of the content pane. With the navigation pane collapsed, click the toggle again to display the navigation pane.

    Only one drawer and item can be active at a time.

    Content Pane

    The content pane displays information about the item you select from a drawer in the navigation pane.


    Dashboard

    The Dashboard displays the following collections of information:

    Configuration Summary

    Usage Summary

    Server Information

    Server Status

    Using Online Help

    ACS Express provides online help in the form of HTML files mapped to the GUI windows. To access online help, click the Question Mark icon in the upper right corner of the GUI window (Figure 5). ACS Express provides context sensitive help, so the window that displays after you click the online help icon is specific to the window from which you requested online help.

    Along with the HTML online help files, you can also access a PDF version of the

    User Guide for Cisco Secure ACS Express from the online help.

    Figure 5 Online Help Icon

    Configuration Tips

    The ACS Express GUI provides configuration tips at each location on a GUI

    window where you must provide a value or make a choice.

    Simply hover your cursor over the name of the GUI field (underlined), and a

    configuration tip will appear as shown in Figure 6 specific to that field.


    Figure 6 Configuration Tips By Cursor

    Additionally, some GUI windows have configuration tips available. These pages

    have an additional Configuration Tip icon, Figure 7, next to the online help icon.

    If displayed on a window, click this icon for general configuration tips about the

    window.

    Figure 7 Configuration Tip Icon

    Online Configuration Overview

    You can also click to view an online version of the Configuration Overview from

    the Navigation pane (Figure 8). The online version differs slightly from the

    information in the next section, Configuration Overview.

    Figure 8 Online Configuration Overview


    Configuration Overview

    This section provides an overview of the required configuration for the ACS

    Express server. Each section is associated with a drawer in the ACS Express GUI

    as shown in Figure 4.

    Network Resources

    The Devices and Device Groups that make up your network are your network

    resources. Use the GUI to add all Device Groups in your configuration, then add

    your devices into the Device Groups. See Chapter 2 of the User Guide for Cisco

    Secure ACS Express for more detailed information.

    http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/gui.html

    Users and Identity Stores

    Configure your ACS Express server with the Users and User Groups required for

    your installation. ACS Express can authenticate users with its internal user

    database and also through remote or external databases.

    Internal User Database

    Use the GUI to add all local users into the internal user database. Each local user

    must belong to at least one User Group, so create the User Groups first, then

    configure your local Users.

    External User Database

    ACS Express supports the following external user databases:

    Microsoft Active Directory

    LDAP Databases

    One-Time-Password Servers


    Access Policies

    Access Services in ACS Express are classified into two types:

    Network Access

    Device Administration

    Network Access policies apply to users attempting to access a wireless, wired, or VPN network. Network Access policies also support various authentication schemes like PAP, CHAP, MSCHAPv2, PEAP, EAP-TLS, EAP-FAST, LEAP, and Windows machine authentication. Network Access policies apply to network devices that communicate with ACS Express via RADIUS. Network Access policies can be configured to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.

    Device Administration policies apply to users who attempt to access and configure a network device. ACS Express can authenticate and authorize the maximum allowed privilege level for users. Network devices communicate with ACS Express via TACACS+ or RADIUS. You can configure Device Administration policies to authenticate users against Active Directory, LDAP, One-Time-Password databases, or the ACS Express internal user database.

    Access Rules

    Access rules enable you to use the ACS Express server to do the following:

    Specify user entitlements based on the user's role in your organization

    Assign different VLANs for employees and contractors

    Restrict network access based on the time of day such as from Monday to

    Friday from 9 a.m. to 5 p.m.

    We find it very helpful to create a worksheet to list the rules we want to enforce.

    Each rule should specify the access conditions and the resulting user entitlements.

    Access conditions include the type of network access, groups to which a user

    should belong, and the time of day the user is allowed access. Results specify

    granted entitlements if all the conditions are met.

    Table 1 shows an example worksheet.


    With a completed worksheet, you can now configure the policy elements

    including the Time of Day periods in which to allow access and the entitlements

    you grant users when they log in to the network. Entitlements are specified as a

    RADIUS response returned to the network device.

    RADIUS Access Services

    After you have set up your access rules, you can create the RADIUS Access Services you require. A RADIUS Access Service specifies the network device groups from which to process requests, a database to use for authentication, protocol settings, and access rules to grant entitlements.

    Based on your worksheet, create a RADIUS Access Service for each network access type. For example, from the example worksheet in Table 1, we would create two RADIUS Access Services, Wireless Access and VPN Access. We also need to configure for two User Groups, Employee and RemoteUser.

    A RADIUS Access Service requires the following configuration:

    General Settings: Specifies the name and description of the access service.

    Selection Rules: Specifies the network device groups for the types of network access. From the example worksheet, the Wireless Access access service would handle requests from the Wireless Controllers device group.

    Authentication Rules: Specifies the configured database for user authentication and the protocol settings.

    Configure the access rules as listed in your worksheet.

    Table 1 Example Access Rule Worksheet

    Network Access   User Groups            Time of Access            Entitlements
    Wireless Access  Employee               Mon-Fri, 8 a.m. - 6 p.m.  Assign VLAN Employee
    Wireless Access  Employee               Sat-Sun, 8 a.m. - 6 p.m.  Deny access
    VPN Access       Employee, RemoteUsers  Mon-Sun, 7/24             Assign VPN Group RemoteUsers


    Device Administration

    Network devices can communicate with ACS Express via TACACS+ or RADIUS.

    This section describes how to configure a Device Administration policy for

    network devices to communicate via TACACS+.

    You should already have completed the following:

    Configured your network devices for login authentication against a AAA

    server

    Configured the user database

    Access Rules

    To determine your Device Administration access rules, we find it very helpful to create a worksheet to list your rules. Each rule should specify the access conditions and the resulting privilege level if granted. Access conditions include the network device group being administered, groups a user should belong to, and allowed time of access. Results specify the command privilege to grant if all the conditions are met. See Table 2 for an example device access rule worksheet.

    With a completed worksheet, you can now configure the policy elements.

    TACACS+ Access Service

    After you have set up your access rules, you can create the TACACS+ Access Services you require. A TACACS+ Access Service specifies the Conditions required including the network device groups from which to process requests, User Groups, and Time of Access and specifies the privilege level to grant if all conditions are met. A TACACS+ authentication request must also match the session Timeout Settings for Idle Timeout and Session Timeout.

    Table 2 Example Device Access Rule Worksheet

    Network Access        User Groups       Time of Access            Privilege Level
    Wireless Controllers  Read-Write Admin  Mon-Fri, 8 a.m. - 6 p.m.  15
    Wireless Controllers  Read-Only Admins  -                         Deny Access
    VPN Concentrators     Read-Only Admin   -                         1


    Create a TACACS Access Service based on your worksheet. For example, from the example worksheet in Table 2, we would create TACACS+ Access Services for requests from the following:

    Wireless controllers from members of the Read-Write Admin group

    Wireless controllers from members of the Read-Only Admins group

    VPN concentrators from members of the Read-Only Admins group

    Configure the access rules as listed in your worksheet.
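
    Both worksheets (Table 1 and Table 2) can be checked as data before they are entered in the GUI. The following is an added example, not Cisco code and not a description of how ACS Express evaluates rules: it assumes top-to-bottom first-match ordering, a deny result when no row matches, and that "6 p.m." closes the window; the function names and the configured-group set are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WEEKDAYS, WEEKEND, ALL_DAYS = range(0, 5), range(5, 7), range(0, 7)
# Assumption: a request that matches no worksheet row gets no entitlement.
NO_MATCH = "Deny (no rule matched)"


@dataclass(frozen=True)
class Rule:
    scope: str         # "Network Access" column: access type or device group
    groups: frozenset  # "User Groups" column
    days: range        # indexes into DAYS
    start: int         # first allowed hour
    end: int           # hour at which the window closes (exclusive)
    result: str        # "Entitlements" or "Privilege Level" column

    def matches(self, scope, user_groups, when):
        return (scope == self.scope
                and bool(self.groups & set(user_groups))
                and when.weekday() in self.days
                and self.start <= when.hour < self.end)


def row(scope, groups, days, start, end, result):
    return Rule(scope, frozenset(groups), days, start, end, result)


# Table 1 and Table 2 transcribed as printed ("-" and "7/24" become all week).
TABLE_1 = [
    row("Wireless Access", {"Employee"}, WEEKDAYS, 8, 18, "Assign VLAN Employee"),
    row("Wireless Access", {"Employee"}, WEEKEND, 8, 18, "Deny access"),
    row("VPN Access", {"Employee", "RemoteUsers"}, ALL_DAYS, 0, 24,
        "Assign VPN Group RemoteUsers"),
]
TABLE_2 = [
    row("Wireless Controllers", {"Read-Write Admin"}, WEEKDAYS, 8, 18, "15"),
    row("Wireless Controllers", {"Read-Only Admins"}, ALL_DAYS, 0, 24, "Deny Access"),
    row("VPN Concentrators", {"Read-Only Admin"}, ALL_DAYS, 0, 24, "1"),
]
# Hypothetical: the admin User Groups actually created on the server,
# taken from the group names used in the text that follows Table 2.
CONFIGURED_ADMIN_GROUPS = {"Read-Write Admin", "Read-Only Admins"}


def evaluate(rules, scope, user_groups, when):
    """Return the result of the first row that matches the request."""
    for rule in rules:
        if rule.matches(scope, user_groups, when):
            return rule.result
    return NO_MATCH


def uncovered_hours(rules, scope, group):
    """List (day, hour) slots in which no row applies to this scope and group."""
    gaps = []
    for day in ALL_DAYS:
        for hour in range(24):
            covered = any(r.scope == scope and group in r.groups
                          and day in r.days and r.start <= hour < r.end
                          for r in rules)
            if not covered:
                gaps.append((DAYS[day], hour))
    return gaps


def undefined_groups(rules, configured_groups):
    """Group names a worksheet refers to that do not exist as User Groups."""
    used = {group for rule in rules for group in rule.groups}
    return sorted(used - set(configured_groups))


if __name__ == "__main__":
    wednesday_night = datetime(2008, 3, 26, 22, 0)  # constructed sample request
    print(evaluate(TABLE_1, "Wireless Access", ["Employee"], wednesday_night))
    print(len(uncovered_hours(TABLE_1, "Wireless Access", "Employee")), "open slots")
    print(undefined_groups(TABLE_2, CONFIGURED_ADMIN_GROUPS))
```

    A row whose group name does not match a configured User Group never fires, so the request falls through to whatever the default is; the unmatched-name check surfaces that before the rule is deployed.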

    Obtaining Documentation and Submitting a Service Request

    For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

    http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

    Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.


    This document is to be used in conjunction with the documents listed in the Product Documentation Set section.

    CCDE, CCENT, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

    All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0803R)

    Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

    © 2007-2008 Cisco Systems, Inc. All rights reserved.

    Printed in the USA on recycled paper containing 10% postconsumer waste.
