Date post: 07-Mar-2018
Configuration Note

© Copyright 2007 Avaya Inc. All rights reserved PN: Cisco Secure ACS v3.3 with 802.1x Authentication for 3631 phone - 1 -

Configuration Guide for Cisco Secure ACS with 802.1x Authentication for Avaya 3631 Wireless Telephone

This document details how to configure the Cisco Secure ACS (Access Control Server) v3.3 with 802.1x Authentication for use with Avaya 3631 Wireless IP telephones.

Product Summary

RADIUS Servers
Manufacturer: Cisco Systems: www.cisco.com
Products: Cisco Secure ACS v3.3

The Cisco Secure ACS Paradigm

Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, Access Points or router. The AAA client in Figure 1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.

Figure 1— A Simple AAA Scenario

Cisco Secure ACS centralizes access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in Figure 1 is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories.

Cisco Secure ACS supports Cisco AAA clients such as the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party devices that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.

Cisco Secure ACS Specifications

System Performance Specifications

The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is using its internal user database and running on a computer using the fastest processor and network interface card available than it can if it is using several external user databases and running on a computer that complies with the minimum system requirements.

For more information about the expected performance of Cisco Secure ACS in your network setting, contact your Cisco sales representative. The following items are general answers to common system performance questions. The performance of Cisco Secure ACS in your network depends on your specific environment and AAA requirements.

• Maximum users supported by the CiscoSecure user database — There is no theoretical limit to the number of users the CiscoSecure user database can support. We have successfully tested Cisco Secure ACS with databases in excess of 100,000 users. The practical limit for a single Cisco Secure ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated Cisco Secure ACSes.

• Transactions per second — The number of authentication and authorization transactions per second depends on many factors, most of which are external to Cisco Secure ACS. For example, high network latency in communication with an external user database lowers the transactions per second that Cisco Secure ACS can perform.

• Maximum number of AAA clients supported — Cisco Secure ACS can support AAA services for approximately 5000 AAA client configurations. This limitation is primarily a limitation of the Cisco Secure ACS HTML interface. Performance of the HTML interface degrades when Cisco Secure ACS has more than approximately 5000 AAA client configurations. However, an AAA client configuration in Cisco Secure ACS can represent more than one physical network device, provided that the network devices use the same AAA protocol and use the same shared secret. If you make use of this ability, the number of actual AAA clients supported approaches 20,000.

If your network has several thousand AAA clients, we recommend using multiple Cisco Secure ACSes and assigning no more than 5000 AAA clients to each Cisco Secure ACS. For example, if you have 20,000 AAA clients, you could use four Cisco Secure ACSes and divide the AAA client load among them so that no single Cisco Secure ACS manages more than 5000 AAA client configurations. If you use replication to propagate configuration data among Cisco Secure ACSes, limit replication of AAA client data to Cisco Secure ACSes that serve the same set of AAA clients.

Cisco Secure ACS Windows Services

Cisco Secure ACS operates as a set of Microsoft Windows services and controls the authentication, authorization, and accounting of users accessing networks.

When you install Cisco Secure ACS, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. The Cisco Secure ACS services on the computer running Cisco Secure ACS include the following:

• CSAdmin — Provides the HTML interface for administration of Cisco Secure ACS.

• CSAuth — Provides authentication services.

• CSDBSync — Provides synchronization of the CiscoSecure user database with an external RDBMS application.

• CSLog — Provides logging services, both for accounting and system activity.

• CSMon — Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.

• CSTacacs — Provides communication between TACACS+ AAA clients and the CSAuth service.

• CSRadius — Provides communication between RADIUS AAA clients and the CSAuth service.

Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS HTML interface.

Cisco Secure ACS HTML Interface

This section discusses the Cisco Secure ACS HTML interface and provides procedures for using it.

About the Cisco Secure ACS HTML Interface

After installing Cisco Secure ACS, you configure and administer it through the HTML interface. The HTML interface enables you to easily modify Cisco Secure ACS configuration from any connection on your LAN or WAN.

The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java. For a list of supported browsers, see the Release Notes. The most recent revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).

The HTML interface not only makes viewing and editing user and group information possible, it also enables you to restart services, add remote administrators, change AAA client information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are logged in, list failed authentication and authorization attempts, and show administrators' recent tasks.

HTML Interface Security

Accessing the HTML interface requires a valid administrator name and password. The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS. Administrative sessions time out after a configurable length of idle time. Regardless, we recommend that you log out of the HTML interface after each session.

You can enable Secure Sockets Layer (SSL) for administrative sessions. This ensures that all communication between the web browser and Cisco Secure ACS is encrypted. Your browser must support SSL. You can enable this feature on the Access Policy Setup page in the Administration Control section.

Note: It works best with IE 6.0.

The above information about Cisco Secure ACS is taken from the Cisco Secure ACS online documentation.

Configuring Cisco Secure ACS

To configure Cisco Secure ACS, open the HTML interface for Cisco Secure ACS and perform the steps below.

Creating a Local User

1. From the main screen, click User Setup.
2. In the User field, add the name of the user (ex. kimchi) and click Add/Edit.

Note: To configure the 3631 IP Phone with 802.1x methods, you need to enter the EAP Identity and EAP User Name. The EAP Identity and EAP User Name can be either a local user created on the Cisco Secure ACS or a user created in Windows Active Directory. In the above example, ‘kimchi’ is a local user created on Cisco Secure ACS.

3. Type kimchi in the Real Name field.
4. Enter the password, ex: kimchi123. (This password will come under EAP Password on the Kimchi Phone.)
5. You can use the same or a separate password for CHAP/MS-CHAP/ARAP.
6. Click Submit to save the settings.

Configuring External User Database

1. From the main screen, click External User Database.
2. Click Database Configuration.

Note: You need to configure the External User Database if you are not using the internal database of Cisco Secure ACS, i.e. if you have not created a local user in Cisco Secure ACS.

3. Click Create New Configuration.
4. Enter the name for the new Windows database (ex: Windows Database).
5. Click Submit to save the configuration.
6. Click Configure to configure the External User Database.
7. Check the box for Dialin Permission. Also make sure that ‘Grant Dialin permission to user’ in Windows User Database authentication is enabled.
8. You will see all the available domains under Available Domains. Move the appropriate domain to the Domain List using the right arrow key.
9. Check or uncheck the check boxes as per your network requirements.
10. Click Submit to save the changes.

Configuring AAA Clients

1. From the main screen, click Network Configuration.
2. Click Add Entry to add a new AAA client (this will be your autonomous AP or Cisco WLC).

Note: If you have several autonomous APs, you will have to list each of them here.

3. Under AAA Client Hostname, enter the System Name of the Cisco WLC or autonomous AP.
4. Enter the IP address of the Cisco WLC or autonomous AP under AAA Client IP Address.
5. Enter the Key (ex: avaya123). This must match the shared secret entered in the Cisco WLC.
6. Select RADIUS (Cisco Aironet) in the Authenticate Using field.
7. Click Submit to save the settings.
8. Once the settings are saved, you are moved back to the Network Configuration screen.
9. You see a new entry added for the Cisco WLC under AAA Clients.
10. The Cisco Secure ACS needs to be restarted after these changes. Click System Configuration, then Service Control.
11. Click the Restart button to restart the server.

Configuring AAA Server

1. From the main screen, click Network Configuration.
2. Click Add Entry under AAA Servers.
3. Enter the name of the server under AAA Server Name.
4. Enter the IP address of the server on which Cisco Secure ACS is installed in the AAA Server IP Address field.
5. Enter the Key (ex: avaya123). This should match the shared secret entered in the Cisco WLC.
6. AAA Server Type should be Cisco Secure ACS.
7. Traffic Type should be inbound / outbound.
8. Click Submit to save the settings.
9. Once the settings are saved, you are moved back to the Network Configuration screen.
10. You see a new entry added for the RADIUS server under AAA Servers.
11. The Cisco Secure ACS needs to be restarted after these changes. Click System Configuration, then Service Control.
12. Click the Restart button to restart the server.

Obtain a Certificate for the ACS Server

Follow these steps to obtain a certificate.

1. On the ACS server, open a web browser and browse to the CA server by entering http://CA-ip-address/certsrv in the address bar.
2. Log in to the domain as Administrator.
3. Select Request a certificate.
4. Select advanced certificate request.
5. Select Create and Submit a request to this CA.
6. Configure the certificate options. Select Web Server as the certificate template. Enter the name of the ACS server (ex: OurKimchi).
7. Set the key size to 1024. Select the options for Mark keys as exportable and Use local machine store. Configure other options as needed, and then click Submit.

Note: We have verified that the 3631 phones support key sizes of 1024 and 2048.

8. If you see a warning window referring to a scripting violation (depending on your browser's security/privacy settings), click Yes to continue.
9. Click Install this certificate.
10. If you see a warning window referring to a scripting violation (depending on your browser's security/privacy settings), click Yes to continue.
11. If the installation has been successful, you will see a confirmation message.

Installing ACS Certificate

1. From the main screen, click System Configuration.
2. Click ACS Certificate Setup.
3. Click Install ACS Certificate.
4. Select Use Certificate from Storage and enter the CN name of the certificate.
5. Click Submit to save the settings.

Note: The CN name can be seen under the Details tab of the certificate.

6. Once the settings are saved, you are moved back to the System Configuration screen.
7. You see the certificate information added under Installed Certificate Information.
8. The Cisco Secure ACS needs to be restarted after these changes. Click System Configuration, then Service Control.
9. Click the Restart button to restart the server.

Note: Compare the Installed Certificate Information seen on the Cisco Secure ACS with the information seen in the General tab of the certificate.

Edit Certificate Trust List

1. From the main screen, click System Configuration.
2. Click ACS Certificate Setup.
3. Click Edit Certificate Trust List.
4. Check all the CAs that the ACS should trust, and uncheck all the CAs that the ACS should not trust. Click Submit to save the settings.

Configuring Global Authentication Setup

1. From the main screen, click System Configuration.
2. Click Global Authentication Setup.
3. Select the check boxes as per the requirements of your network.
4. Click Submit to save the settings.

Note:
i) The above screenshot shows that all the EAP methods are enabled.
ii) Configure the above screen as per your requirement.
iii) Ex: for PEAP-MSCHAPv2, select ‘Allow EAP-MSCHAPv2’ and select ‘Allow MS-CHAP version1/2 Authentication’.
iv) Similarly, for PEAP-GTC select ‘Allow EAP-GTC’, for EAP-TLS select ‘EAP-TLS’, and for LEAP select ‘LEAP’.
v) Cisco Secure ACS does not support the EAP-TTLS method, which is supported by the 3631 IP phone.

Configuring Logging

1. From the main screen, click System Configuration.
2. Click Logging.
3. Click CSV Failed Attempts to get the logs of failed connections.
4. The Log to CSV Failed Attempts report option should be enabled.
5. The attributes that need to be logged should be moved from Attributes to Logged Attributes using the right arrow key.
6. Log File Management can be done as per the requirement. Click Submit to save the settings.
7. Repeat the above steps for CSV Passed Authentications.

Reports and Activity

1. From the main screen, click Reports and Activity.
2. Click Failed Attempts to view the logs of the failed attempts.

1. From the main screen, click Reports and Activity.
2. Click Passed Authentications to view the logs of the passed authentications.
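
Once CSV Failed Attempts logging is enabled, the exported file can be screened for patterns worth a closer look. This Python sketch is an added example, not from the Avaya guide: it runs over a constructed sample, and the column names, date format and failure-code strings are assumptions that depend on which Logged Attributes were selected.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names and values are assumptions that
# stand in for the Logged Attributes chosen on the Logging page.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
03/07/2007,09:14:02,Authen failed,kimchi,00-11-22-33-44-55,CS password invalid,192.0.2.10
03/07/2007,09:14:31,Authen failed,kimchi,00-11-22-33-44-55,CS password invalid,192.0.2.10
03/07/2007,09:15:05,Authen failed,kimchi,00-11-22-33-44-55,CS password invalid,192.0.2.10
03/07/2007,09:40:00,Authen failed,phone7,00-11-22-33-44-66,CS user unknown,192.0.2.10
03/07/2007,10:02:11,Authen failed,admin,00-11-22-33-44-77,CS user unknown,192.0.2.11
03/07/2007,10:02:40,Authen failed,guest,00-11-22-33-44-77,CS user unknown,192.0.2.11
03/07/2007,11:30:00,Authen failed,kimchi,00-11-22-33-44-55,CS password invalid,192.0.2.10
"""


def load_failures(text: str) -> list:
    """Parse the CSV and attach a datetime to each row (mm/dd/yyyy assumed)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        stamp = rec["Date"] + " " + rec["Time"]
        rec["ts"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def burst_sources(rows, threshold=3, window=timedelta(minutes=5)) -> dict:
    """Caller-IDs (phone MACs) with at least `threshold` failures inside any
    sliding `window`; value is the largest count seen in one window."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["Caller-ID"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def multi_user_sources(rows) -> dict:
    """Caller-IDs that presented more than one User-Name. A phone is
    provisioned with one EAP identity, so several names from one MAC
    deserve a look."""
    users = defaultdict(set)
    for r in rows:
        users[r["Caller-ID"]].add(r["User-Name"])
    return {src: sorted(u) for src, u in users.items() if len(u) > 1}


def failures_by_reason(rows) -> dict:
    """Count of failures per Authen-Failure-Code, to separate bad
    passwords from unknown users."""
    return dict(Counter(r["Authen-Failure-Code"] for r in rows))


if __name__ == "__main__":
    failures = load_failures(SAMPLE_FAILED_ATTEMPTS)
    print("bursts:      ", burst_sources(failures))
    print("multi-user:  ", multi_user_sources(failures))
    print("by reason:   ", failures_by_reason(failures))
```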

Further Assistance

1. Configuring Cisco Secure ACS for Windows v3.2 With PEAP-MS-CHAPv2 Machine Authentication can be found on Cisco’s website: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml
2. Installation Guide for Cisco Secure ACS for Windows Server Version 3.3 can be found on Cisco’s website: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html
3. EAP-TLS Deployment Guide for Wireless LAN Networks can be found on Cisco’s website: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
4. For other assistance, contact Avaya's customer service at: http://support.avaya.com

