Configuring CISCO ACS Server as Radius for Intel AMT 802.1x Clients with Windows DB Rev 3


Step-by-step Guide for Configuring Cisco® ACS server as the Radius with an External Windows Database

Table of Contents:

Introduction: page 2

Getting Started: page 3

Step-1: Interface Configuration: page 4

Step-2: Network Configuration: page 5

Step-3: System Configuration: page 9

Step 4: External User Database: page 22

Step-5: Reports and Activity: page 24

Bind Your AAA Clients and ACS Server Together with a Shared Secret: page 26


Introduction:

This is a simple step-by-step configuration for setting up a Cisco ACS server as the Radius for granting secure network access to Intel AMT clients. The configuration here uses Windows AD as the external database for simplicity. The CISCO ACS server has been configured here to allow several popular Radius protocols like EAP-PEAP, EAP-TLS and EAP-FAST.

You can use this as a quick start guide for validating Intel AMT access to secure networks where CISCO ACS has been deployed as Radius.

This configuration has been successfully used for validating wired and wireless access to AMT FW over secure networks in a simple environment with a single domain controller using SCCM SP1 & SP2 consoles.

It is assumed that the reader is familiar with the basic concepts of 802.1x networks, wireless and radius protocols, the process used to create and install certificates, and other related aspects of AMT provisioning. Refer to other material available on the vPro Expert Center for assistance with any of these topics.

For a high-level overview on navigating 802.1x networks with an AMT client, refer to my posting Navigating Secure Networks with AMT Client: http://communities.intel.com/docs/DOC-3866


Getting Started:

For the demonstration of our simple ACS configuration we have a Windows 2003 Virtual Machine Domain Controller with DHCP, DNS, Microsoft CA and CISCO ACS 4.0 installed.

Start the ACS Admin console: “Start/Program/Cisco ACS Admin 4.0/ACS Admin”.

We will follow these five simple steps to configure the ACS server for validating customer scenarios for navigating secure networks using Intel AMT.


Step-1: Interface Configuration

Click on “Interface Configuration”, then “Advanced Options”; un-check all options and click “Submit”. This ensures that no advanced options are enabled and keeps the configuration of your ACS server simple.


Step-2: Network Configuration

Click on “Network Configuration”.

Step2-A: Click on the existing AAA Server Name (“VPRODEMODC” in our case) and set a shared secret (key), “password1234”, to be used between the server and the Radius clients defined in the next step.


Click “Submit + Apply”.

Note: If at any time when you click “Submit” you get a message that the service needs to be restarted, click on “System Configuration”, then “Service Control”, and restart the service.


Step2-B: Under “Network Configuration”, click “Add Entry” to add an AAA client for wired access. Fill in the details for “AAA Client Hostname” and “IP Address” and the same shared secret. Select the other settings as shown. Click “Submit + Apply”.


Step2-C: Under “Network Configuration”, click “Add Entry” to add an AAA client for wireless access. Fill in the details for your wireless AP (hostname and IP address) and the same shared secret, then click “Submit + Apply”.

Note: The same shared secret (key) must also be configured on the web interface of each of these AAA clients, as the Radius server shared secret under their Radius configuration. A mismatch on either side means the client's requests are rejected by ACS.


Step-3: System Configuration

Click on “System Configuration”.

Configure the “ACS Certificate Setup” to facilitate EAP-PEAP and EAP-TLS setup – Step 3-A to Step 3-E.

Note: It is assumed that the reader is familiar with requesting certificates from the installed Microsoft CA using the web enrollment.

After that, configure “Global Authentication Setup”, where the Radius authentication protocols are set up – Step 3-F.


Step 3-A: Click on “System Configuration”, then click “ACS Certificate Setup” as shown.

Access the Web Enrollment form for your Microsoft CA on the domain controller (http://localhost/certsrv) and download the Root CA file in Base 64 format for importing into ACS (give the file a name and save it).

Tip: If you don’t have a CA running you can also use a self-signed certificate.


Click on “ACS Certification Authority Setup” and select the Root CA .CER file saved above. Click “Submit”.


Step 3-B: Click “Generate Certificate Signing Request” and create a certificate request for the ACS server as shown:

CN=vprodemodc.vprodemo.com (FQDN of the ACS server)

Private key file: C:\Certs\acs.pvk (choose any file name)

Private key password: P@ssw0rd (choose a password and retype it to confirm)

Fill in the rest of the information as shown. Click “Submit”.


Cut and paste the CSR text as shown, for submission to the CA.


Invoke web enrollment for your CA (http://localhost/certsrv/) and submit the CSR: choose “Request a Certificate”, “Advanced Certificate Request”, then “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.

Paste the CSR generated in the previous step, select the “Web Server” template and click “Submit”.

Download the certificate (ACSVPRODEMO.CER) in Base64 format.


Step 3-C: Click “Install ACS Certificate” and select the certificate file downloaded in the previous step.

Click “Submit”.


Click “Install New Certificate” and accept the dialog box to remove the old certificate (if one was installed).

Click “System Configuration”, then “Service Control”, and “Restart” the service to clear the message in red.


You may skip Step 3-D and Step 3-E if you do not want to implement a Certificate Revocation List. If so, proceed to Step 3-F.

Step 3-D:

Click on “System Configuration”, then “ACS Certificate Setup”.

Click “Edit Certificate Trust List”.

Check your certificate authority (VPRODEMOCA in our case) to implement CRL checking against this CA, then click “Submit”.


Step 3-E:

Click on “System Configuration”, then “ACS Certificate Setup”.

Click “Certificate Revocation Lists”, click on VPRODEMOCA and fill in the CRL URL: http://localhost/certenroll/vprodemoca+.crl

See the directory c:\windows\system32\certsrv\certenroll\ for the correct name of your CRL file.

Check the box “CRL is in use” and click “Submit”.

Click “System Configuration”, then “Service Control”, and restart the service to clear the message as needed.


Step 3-F:

Click on “System Configuration”, then “Global Authentication Setup”.

Configure the EAP-PEAP and EAP-TLS Radius protocols on the ACS server by checking the boxes appropriately as shown. Click “Submit + Restart”.


Click on the EAP-FAST protocol configuration. Allow EAP-FAST by checking the appropriate boxes as shown. Choose a name for the Authority ID info (we chose ACS) and allow anonymous in-band PAC provisioning as required in your situation. Click “Submit + Restart”.

Note: EAP-FAST is a very flexible Radius protocol in that it allows token, username/password or certificate based authentication inside a secure tunnel. We use it with username/password here. Also notice the machine authentication parameters, so the computer can be authenticated without a user being signed on. In order to select anonymous PAC (Protected Access Credentials) provisioning to clients you need to select both inner protocols, EAP-GTC as well as EAP-MSCHAP2, on your Radius server as shown.


Tip: Machine Authentication – In the previous screen shot for EAP-FAST authentication you noticed where to turn on machine authentication. Where do you configure the corresponding machine authentication for the EAP-PEAP and EAP-TLS protocols? See Step 4 for details.

Although you configure machine authentication, Windows XP clients will not maintain the wireless connection when the user logs off unless you create an administrator profile. See my posting on the Expert Center for more details on enabling Windows XP clients to connect to a wireless AP without user sign-on: http://communities.intel.com/docs/DOC-4143


Step 4: External User Database

Click on “External User Database”, then “Database Configuration”, then “Windows Database”, then “Configure”. Leave most of the defaults as shown in the next two screen shots.


Allow machine authentication within EAP-PEAP and EAP-TLS as shown and click “Submit”.

We are done with most of the configuration. We just need to know where to see the failed and successful events in the logs, which is covered in the next step.


Step-5 Reports and Activity:

Click “Reports and Activity”. Highlighted are the two reports of interest: “Passed Authentications” and “Failed Attempts”. Click on each of these links.

Click on “Passed Authentications”, then click “Passed Authentications Active.CSV” to see if there is any data for that day.


Our ACS configuration is left at the default, so a new log file is created once every day. If there is data it will be displayed; in our example there is no data for today. When data is displayed you can click “Download” and save the log to a CSV file.

We are now done with the simple configuration of CISCO ACS to use with an external Windows database. Don’t forget to define the shared secret in all your AAA clients under their Radius configuration. If you are unfamiliar with this, you can read the rest of this document for some clues.

See my “Step-by-Step guide for navigating secure networks with Intel AMT using CISCO ACS as the Radius”, where I used this configuration to validate several Radius protocols and their access to AMT FW using SCCM SP2.


Bind your AAA clients and ACS Server together with a Shared Secret:

Overview: Once you install ACS and add your wired switch and wireless AP as the Radius clients, you need to correspondingly add the Radius server to the configuration of both the wired switch and the wireless AP. The Radius server and the switch share a common secret that needs to be configured on both. Likewise, the Radius server and the wireless AP share a common secret which must be configured on both of them.

Further, it is assumed that the wired switch is configured with some ports for open access and other ports for secure access, so you can test secure 802.1x connectivity by moving the client from an open port to a secured port and looking for entries in the log files showing access being granted or rejected.
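The shared secret is what binds each AAA client to ACS cryptographically: with EAP over 802.1x, every Access-Request the switch or AP sends must carry a Message-Authenticator, an HMAC-MD5 keyed with that secret (RFC 3579), and a RADIUS server must silently discard any request whose HMAC does not verify, which is why a secret typed differently on one side shows up as clients that never get past the port. The following Python example is added here and is not from the guide or from Cisco; it builds such a request on the NAS side and checks it on the server side. The username, EAP identity, packet identifier and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# Constants from RFC 2865 (RADIUS) and RFC 3579 (RADIUS support for EAP).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(identity: bytes) -> bytes:
    """EAP Response (code 2), id 1, Type 1 = Identity: the supplicant's first message."""
    return struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity


def build_access_request(secret: bytes, identifier: int, request_auth: bytes,
                         username: str, eap: bytes) -> bytes:
    """NAS side: Access-Request carrying EAP-Message plus Message-Authenticator (RFC 3579).

    The HMAC-MD5 is keyed with the shared secret over the whole packet, MAC field zeroed."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder, kept last
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC with ACS's copy of the secret; False on any mismatch."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            value_off = offset + 2
            zeroed = packet[:value_off] + bytes(16) + packet[value_off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[value_off:value_off + 16])
        offset += attr_len
    return False  # an EAP request without Message-Authenticator is also discarded
```

Feeding the same packet to the verifier with “password1234” on both sides succeeds, while “password1235” on the server side (one character off) fails, which is what a mistyped shared secret looks like to ACS.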

Open the Administration interface for your switch where Radius is defined and verify the shared secret. In our case it is under the Security settings for the Radius server. Our shared secret is “password1234” on our switch as well as on the IAS server.


Open the Administration interface for the wireless AP (in our case an Aironet 1200) where Radius is defined and verify the shared secret for the Radius server under Security/Server Manager. Make sure EAP Authentication is set for the single Radius server with Priority 1. There are no backup Radius servers in our simple setup scenario.


Configure the SSID “EAPTLS” for EAP Radius authentication on your AP.


Configure Encryption “AES CCMP” on your AP.


Enable the radio on your AP.

Note: Your wireless AP configuration may be slightly different.
