Configuring CISCO ACS Server as Radius for Intel AMT 802.1x Clients with Windows DB Rev 3

Step-by-step Guide for Configuring Cisco® ACS server
as the Radius with an External Windows Database
Table of Contents:
Introduction
Getting Started
Step-1: Interface Configuration
Step-2: Network Configuration
Step-3: System Configuration
Step-4: External User Database
Step-5: Reports and Activity
Bind your AAA Clients and ACS Server together with a Shared Secret
Introduction:
This is a simple step-by-step configuration for setting up a Cisco ACS
server as the Radius server that grants secure network access to Intel AMT
clients. For simplicity, the configuration uses Windows AD as the external
database. The Cisco ACS server is configured to allow several popular
Radius protocols: EAP-PEAP, EAP-TLS and EAP-FAST.
You can use this as a quick start guide for validating Intel AMT access
to secure networks where Cisco ACS has been deployed as the Radius server.
This configuration has been successfully used for validating wired and
wireless access to the AMT FW over secure networks in a simple
environment with a single domain controller, using the SCCM SP1 and SP2
consoles.
It is assumed that the reader is familiar with the basic concepts of
802.1x networks, wireless & radius protocols and the process used to
create and install certificates and other related aspects of AMT
provisioning. Refer to other material available on the vPro Expert
center for assistance with any of these topics.
For a high level overview on navigating 802.1x networks with AMT
client refer to my posting Navigating Secure Networks with AMT Client
http://communities.intel.com/docs/DOC-3866
Getting Started:
To demonstrate our simple ACS configuration we use a Windows 2003
virtual machine domain controller with DHCP, DNS, Microsoft CA and
Cisco ACS 4.0 installed.
Start the ACS Admin console: “Start/Program/Cisco ACS Admin 4.0/ACS
Admin”.
We will follow these five simple steps to configure the ACS server for
validating customer scenarios for navigating secure networks using
Intel AMT.
Step-1: Interface Configuration
Click on “Interface Configuration”, “Advanced Options” and un-check
all options and click “Submit”. This will ensure that you do not have
any advanced options and will facilitate simple configuration for your
ACS server.
Step-2: Network Configuration
Click on “Network Configuration”.
Step 2-A: Click on the existing AAA Server Name (“VPRODEMODC” in
our case) and set a shared secret (key), “password1234”, that is shared
between the server and the Radius clients to be defined in the next
step.
Click “Submit + Apply”.
Note: If at any time after clicking “Submit” you get a message that the
service needs to be restarted, click on “System Configuration”,
“Service Control” and restart the service.
Step 2-B: Under “Network Configuration”, click “Add Entry” to add the
AAA client for wired access. Fill in the “AAA Client Hostname” and
“IP Address” and the same shared secret. Select the other settings as
shown. Click “Submit + Apply”.
Step 2-C: Under “Network Configuration”, click “Add Entry” to add the AAA
client for wireless access. Fill in the hostname and IP address of your
wireless AP and click “Submit + Apply”.
Note: The shared secret (key) must also be configured on the web
interface of each of these AAA clients, as the Radius server shared
secret under the Radius configuration of the AAA client.
Step-3: System Configuration
Click on “System Configuration”.
Configure the “ACS Certificate Setup” to facilitate the EAP-PEAP and EAP-TLS setup – Step 3-A to Step 3-E.
Note: It is assumed that the reader is familiar with requesting
certificates from the installed Microsoft CA using the web enrollment.
After that, configure “Global Authentication Setup” where the Radius
authentication protocols are setup – Step 3-F.
Step 3-A: Click on “System Configuration”, Click “ACS Certificate
Setup” as shown.
Access the Web Enrollment form for your Microsoft CA on the domain
controller http://localhost/certsrv and download the RootCA file (Base
64 format) for importing into ACS (Give a name for the file and save
it).
Tip: If you don’t have a CA running you can also use a self-signed
certificate.
Click on “ACS Certification Authority Setup” and fill-in the Root CA CER
file saved above. Click “Submit”.
Step 3-B: Click “Generate Certificate Signing Request” and create a
certificate request for the ACS server as shown:
CN=vprodemodc.vprodemo.com (FQDN of the ACS server)
Private key file: C:\Certs\acs.pvk (choose any file name)
Private key password: [email protected] (choose a password and retype it to
confirm)
Fill in the rest of the information as shown. Click “Submit”.
Cut and paste the CSR text as shown for submission to the CA.
Invoke web enrollment for your CA and submit the CSR:
http://localhost/certsrv/
Click “Request a Certificate”, “Advanced Certificate Request”,
“Submit a certificate request by using a base-64-encoded CMC or
PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.
Paste the CSR generated in the previous step, select the “Web Server”
template and click “Submit”.
Download the certificate ACSVPRODEMO.CER in Base64 format.
Step 3-C: Click “Install ACS Certificate” and select the certificate file
downloaded in the previous step.
Click “Submit”.
Click “Install New Certificate” and accept the dialog box to remove
the old certificate (if one was installed).
Click “System Configuration”, click “Service Control” and “Restart” the
service to get rid of the message in red.
You may skip Step 3-D and Step 3-E if you do not want to
implement a certificate revocation list (CRL). If so, proceed to Step 3-F.
Step 3-D:
Click on “System Configuration”, Click “ACS Certificate Setup”
Click “Edit Certificate Trust List”
Check your certificate authority (VPRODEMOCA in our case) to implement
the CRL from this CA, and click “Submit”.
Step 3-E:
Click on “System Configuration”, Click “ACS Certificate Setup”
Click “Certificate Revocation Lists”, click on VPRODEMOCA and fill in
the CRL URL: http://localhost/certenroll/vprodemoca+.crl
See the following directory for the correct name of your CRL file:
c:\windows\system32\certsrv\certenroll\
Check the “CRL is in use” box and click “Submit”.
Click “System Configuration”, click “Service Control” and restart the
service to get rid of the message as needed.
Step 3-F:
Click on “System Configuration”, Click “Global Authentication Setup”
Configure EAP-PEAP and EAP-TLS Radius protocols on the ACS server
by checking the boxes appropriately as shown. Click “Submit +
Restart”.
Click on the EAP-FAST protocol configuration. Allow EAP-Fast by
checking the appropriate boxes as shown. Choose a name for
Authority ID info (we chose ACS) and allow anonymous in-band PAC
provisioning as required in your situation. Click “Submit + Restart”.
Note: EAP-FAST is a very flexible Radius protocol in that it allows
token, username/password or certificate based authentication
inside a secure tunnel. We use it with username/password here. Also
notice the machine authentication parameters, so the computer can be
authenticated without a user being signed on. In order to select
anonymous PAC (Protected Access Credential) provisioning to clients
you need to select both inner protocols, EAP-GTC as well as EAP-MSCHAPv2, on your Radius server as shown.
Tip: Machine Authentication – In the previous screen shot for
EAP-FAST authentication you noticed where to turn on
machine authentication. Where do you configure the
corresponding machine authentication for the EAP-PEAP and EAP-TLS protocols? See Step 4 for details.
Although you configure machine authentication, Windows XP
clients will not maintain the wireless connection when the user
logs off unless you create an administrator profile. See my
posting on the expert center for more details to enable
Windows XP clients to connect to wireless AP without user
sign-on.
http://communities.intel.com/docs/DOC-4143
Step 4: External User Database
Click on “External User Database”, click “database configuration”, click
“Windows Database”, Click “Configure”. Leave most of the defaults as
shown in the next two screen shots.
Allow for Machine authentication within EAP-PEAP and EAP-TLS
as shown and click “Submit”.
We are done with most of the configuration. We just need to know
where to see the failed and successful events in the logs, which is
covered in the next step.
Step-5 Reports and Activity:
Click “Reports and Activity”. Highlighted are the two reports of interest:
“Passed Authentications” and “Failed Attempts”. Click on each of these links.
Click on “Passed Authentications”, then click “Passed Authentication
Active.CSV” to see if there is any data for that day.
Our ACS configuration uses the default setting, under which a new log
file is created once every day. If there is data it will be displayed. In
our example there is no data for today. When data is displayed you can
click “Download” and save the log to a CSV file.
We are now done with the simple configuration of Cisco ACS to use
with an external Windows database. Don’t forget to define the shared
secret in all your AAA clients under their Radius configuration. If you are
unfamiliar with this, you can read the rest of this document for some clues.
See my “Step-by-Step guide for navigating secure networks with Intel
AMT using CISCO ACS as the Radius”, where I used this configuration
to validate several Radius protocols and their access to the AMT FW using
SCCM SP2.
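The downloaded CSV can be reviewed offline for failed attempts worth a closer look. The following is an added example, not part of the original guide: it reads rows shaped like an ACS “Failed Attempts” export and flags a user/AAA-client pair that fails repeatedly inside a short window. The column names, the “Authen failed” Message-Type text and the sample rows are constructed assumptions; check them against the header row of your own download.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of an ACS 4.x "Failed Attempts" CSV export.
# Column names and the Message-Type text are ASSUMED; verify against your file.
SAMPLE_CSV = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-Port,NAS-IP-Address
03/15/2010,09:01:02,Authen failed,vprodemo\\amtclient,Default Group,00-1B-21-AA-BB-CC,bad password (constructed),50003,10.0.0.2
03/15/2010,09:01:10,Authen failed,vprodemo\\amtclient,Default Group,00-1B-21-AA-BB-CC,bad password (constructed),50003,10.0.0.2
03/15/2010,09:01:15,Authen failed,vprodemo\\amtclient,Default Group,00-1B-21-AA-BB-CC,bad password (constructed),50003,10.0.0.2
03/15/2010,09:30:44,Authen failed,vprodemo\\jdoe,Default Group,00-1B-21-DD-EE-FF,unknown user (constructed),1,10.0.0.3
"""


def parse_rows(text):
    """Return (timestamp, user, AAA-client IP, message type) tuples in time order."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(r["Date"] + " " + r["Time"], "%m/%d/%Y %H:%M:%S")
        rows.append((when, r["User-Name"], r["NAS-IP-Address"], r["Message-Type"]))
    return sorted(rows)


def burst_failures(text, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, AAA client) pairs with at least `threshold` failures within `window`.

    Returns a list of (user, nas_ip, failures_in_window) tuples."""
    per_key = defaultdict(list)
    for when, user, nas_ip, mtype in parse_rows(text):
        if mtype == "Authen failed":
            per_key[(user, nas_ip)].append(when)
    alerts = []
    for (user, nas_ip), times in per_key.items():
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, nas_ip, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for user, nas_ip, n in burst_failures(SAMPLE_CSV):
        print(f"{n} failures for {user} via AAA client {nas_ip}")
```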
Bind your AAA clients and ACS Server together with a Shared
Secret:
Overview: Once you have installed ACS and added your wired switch and
wireless AP as Radius clients, you need to correspondingly add the Radius
server in the configuration of both the wired switch and the
wireless AP. The Radius server and the switch share a common secret
that must be configured on both. Likewise, the Radius server and the
wireless AP share a common secret that must be configured on
both of them.
Further, it is assumed that the wired switch is configured with some
ports for open access and other ports for secure access so you can test
secure 802.1x connectivity by moving the client from open port to
secured port and looking for entries in the log files for access being
granted or rejected.
Open the Administration interface for your switch where Radius is
defined and verify the shared secret. In our case it is under the
Security settings for the Radius server. Our shared secret is
“password1234” on our switch as well as on the IAS server.
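Why the secret has to match on both sides: every RADIUS reply carries a Response Authenticator that the server computes as MD5 over the reply header, the Request Authenticator and the attributes, followed by the shared secret (RFC 2865), and the AAA client recomputes it with its own copy. The block below is an added illustration, not code from the guide or from Cisco ACS; it models both sides of that check and shows that a reply built with a different secret is rejected, which is how a mistyped secret shows up as a silent failure on the switch or AP. The packet contents are constructed.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH")          # Code, Identifier, Length (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(request, secret, code=ACCESS_ACCEPT, attrs=b""):
    """What the RADIUS server (ACS) sends back, keyed with ITS copy of the secret."""
    _, ident, _ = HEADER.unpack(request[:4])
    auth = response_authenticator(code, ident, request[4:20], attrs, secret)
    return build_packet(code, ident, auth, attrs)


def client_accepts(request, reply, secret):
    """The AAA client's check, using ITS copy of the secret. On a mismatch the
    reply looks forged, so the switch/AP discards it and access is never granted."""
    code, ident, length = HEADER.unpack(reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


# Constructed Access-Request: a fixed Request Authenticator (a real NAS uses 16 random bytes)
REQUEST_AUTH = bytes(range(16))
REQUEST = build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH,
                       attribute(1, b"amtclient") + attribute(4, bytes([10, 0, 0, 2])))
SECRET = b"password1234"          # the shared secret used in this guide


def demo():
    good = server_reply(REQUEST, SECRET)
    bad = server_reply(REQUEST, b"password1235")   # server side configured with a typo
    return client_accepts(REQUEST, good, SECRET), client_accepts(REQUEST, bad, SECRET)


if __name__ == "__main__":
    print(demo())   # (True, False)
```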
Open the administration interface for your wireless AP (an Aironet 1200 in
our case) where Radius is defined and verify the shared secret for the Radius
server under Security/Server Manager. Make sure EAP
Authentication is set to the single Radius server with Priority 1.
There are no backup Radius servers in our simple setup scenario.
Configure SSID “EAPTLS” for EAP Radius authentication on your AP
Configure Encryption “AES CCMP” on your AP
Enable the radio on your AP.
Note: Your wireless AP configuration may be slightly different.