Starting Point for Configuring Your Server
Often, it is difficult to find a starting point for configuring your ACS, because there are many places where it might seem logical to begin.
In this step sequence, you begin your configuration of ACS by assigning administrator passwords and controlling access to the ACS device. Then you configure some interface parameters that influence the look of the HTML interface and make it easier to administer.
You begin by assigning an administrator password to the ACS device. Follow these steps to complete this task:
Step 1 Select Administration Control from the left menu bar.
Step 2 Select Add Administrator.
Step 3 Enter the required information into the input fields, such as the administrator name and password. In the example in Figure 6-15, the user ADMIN is entered with the password cisco. That password is for the example only; use a strong, unique password for any real ACS administrator account.
Step 4 If this is the first entry for an administrator, select the Grant All option.
NOTE
This gives the administrator full administrative access. Later, as you add more administrators, you can restrict which groups each of them is allowed to modify.
Step 5 Select Submit.
You now see that your administrator has been added to the ACS device. If you access ACS from the server on which it is installed, you will, by default, not need to authenticate. This violates many security policies, so change it. Follow these steps to force ACS to authenticate administrators even when they access it from the server itself.
Step 6 Select Session Policy.
Step 7 Deselect Allow automatic local login.
Step 8 Select Submit.
Step 9 To test your work, click the X in the top right-hand corner of the ACS window to log off, then log back in to the ACS device. If you are prompted for Username and Password, you were successful.
Now plan for the possibility that ACS is behind a firewall and that you want to administer it from outside the network. ACS accepts the initial administrative connection on TCP port 2002 and then redirects your browser to a second, dynamically chosen port for the rest of the session; by default that port can be any TCP port, which is difficult to permit through a firewall. Go back to the Administration Control section and restrict the ports to which ACS redirects.
Step 10 Select Access Policy.
Step 11 Scroll to the HTTP Configuration section.
Step 12 Select the radio button Restrict Administration Sessions to the following port range.
Step 13 Add a port range, such as 65501 to 65535.
Step 14 Select Submit.
While you are in Access Policy, note that the same page also lets you limit which IP addresses may open administrative sessions; combine that with the port restriction where your policy allows.
Figure 6-15 Adding an Administrator to ACS
This restricts the ports to which ACS redirects your browser to the range you specified. The firewall rules that follow must permit exactly that range in addition to port 2002.
In Figure 6-16, you see an example of a network similar to that described in the preceding step sequence. A PIX Firewall, an ACS server, and a separate workstation are used to demonstrate the login and management actions based on the preceding steps. You are going to run into an issue here. When you access ACS using an IP address, all links to ACS configuration pages use that IP address. When you access ACS from outside a firewall that performs Network Address Translation (NAT), you initially reach ACS at its translated address, but when ACS redirects you to one of the restricted ports, the redirect carries the private (nontranslated) IP address, and you lose management connectivity. If you instead access ACS by its domain name or hostname, all links to configuration pages carry that name rather than the private address, and your management connection survives the redirect.
Figure 6-16 also shows the topology using a PIX Firewall. The ACS is on the inside network, and a workstation from the 192.168.84.0/24 network is going to access ACS for management. Before you can access the ACS device, you need to allow access through the PIX Firewall to ACS. Follow these steps to configure an access list on the PIX Firewall that allows access to ACS. It is assumed that you already have a firewall configuration in place. If you attempt this in a production network, you might need to add these entries to an existing access list rather than create a new one:
Step 1 Enter configuration mode on the PIX.
Pixfirewall#config t
Step 2 Create an access list that permits administrators to reach the ACS administrative port, TCP 2002. The example uses any as the source; where your policy permits, replace any with the administrator workstation's address or subnet so that only known management stations can reach ACS.
Pixfirewall(config)#access-list ACS-in permit tcp any host 192.168.84.10 eq 2002
Step 3 Add another access list entry that permits the redirected sessions on TCP ports 65501 through 65535. This must be the same range you configured in the ACS Access Policy; if the two ranges differ, the redirect is blocked and the login fails after credentials are submitted.
Pixfirewall(config)#access-list ACS-in permit tcp any host 192.168.84.10 range 65501 65535
Step 4 Apply the access list inbound on the outside interface of the PIX Firewall.
Pixfirewall(config)#access-group ACS-in in interface outside
Figure 6-16 Simple PIX Firewall Network
Now access the ACS device by its Domain Name System (DNS) name rather than its IP address. ACS then builds the redirect URL from the name you used, so the redirect works through NAT. If you access ACS by IP address instead, the redirect carries the private (RFC 1918) address, and you can no longer reach the device once you have submitted your login credentials. Figure 6-17 shows the login prompt as seen from the remote workstation when accessing ACS by DNS name.
Figure 6-17 Login with DNS Name Resolution
Now that you are logged in, note that the URL has been redirected to a different port, and that the port falls inside the HTTP port range you specified earlier. Note also that ACS returned the DNS name, not the private (nontranslated) IP address, in the redirect.
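The two conditions you just verified by eye (the redirect port is inside the restricted range the firewall permits, and the redirect host is a name rather than a private address) can be checked mechanically. The following Python script is an added example; it is not code from the chapter or from Cisco Secure ACS. It parses a redirect URL the way a browser would and applies both checks, and it generates the matching PIX access-list entries from the same port range so that the ACS Access Policy and the firewall cannot drift apart. The hostname acs.example.com, the sample URLs, and the management workstation address 192.168.84.100 are constructed for the example.

```python
"""Check an ACS administration redirect against the firewall and NAT rules.

Added example, not code from the chapter or from Cisco Secure ACS.  It
captures the two things the preceding steps leave you to verify by eye:
the port ACS redirects to must sit inside the Access Policy range that the
PIX access list permits, and the redirect host must be a name rather than a
private (RFC 1918) address, which is what ACS hands back when it was reached
by IP address through NAT.  The sample URLs, the hostname acs.example.com
and the workstation address 192.168.84.100 are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

ACS_ADMIN_PORT = 2002                # port ACS listens on for the initial admin connection
ALLOWED_PORTS = range(65501, 65536)  # Access Policy port range from Step 13 (65501-65535)


def check_redirect(url, allowed_ports=ALLOWED_PORTS):
    """Return (ok, reason) for the URL ACS redirected the browser to."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port
    if not host:
        return False, "redirect URL has no host"
    if port is None:
        return False, "redirect URL has no explicit port"
    if port not in allowed_ports:
        return False, (f"port {port} is outside the restricted range "
                       f"{allowed_ports.start}-{allowed_ports.stop - 1}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # The host is a name, not an address; a name survives NAT.
        return True, f"redirect to hostname {host} on port {port}"
    if addr.is_private:
        return False, (f"redirect to private address {addr}; ACS was reached by IP, "
                       "reach it by hostname instead")
    return True, f"redirect to address {addr} on port {port}"


def pix_acl_lines(acl_name, acs_addr, admin_sources, allowed_ports=ALLOWED_PORTS):
    """Build the PIX access-list entries for the initial port and the redirect range.

    acs_addr is the address the access list uses for ACS (192.168.84.10 in the
    chapter).  admin_sources are PIX source specifications such as
    "host 192.168.84.100" or "any"; one pair of lines is generated per source
    so the list can be limited to known management stations instead of any.
    """
    lo, hi = allowed_ports.start, allowed_ports.stop - 1
    lines = []
    for src in admin_sources:
        lines.append(f"access-list {acl_name} permit tcp {src} host {acs_addr} eq {ACS_ADMIN_PORT}")
        lines.append(f"access-list {acl_name} permit tcp {src} host {acs_addr} range {lo} {hi}")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    # Constructed redirect URLs: a good one, the NAT failure described in the
    # text, and a redirect to a port outside the restricted range.
    for url in ("http://acs.example.com:65503/",
                "http://10.1.1.10:65503/",
                "http://acs.example.com:8080/"):
        print(url, "->", check_redirect(url))
    print("\n".join(pix_acl_lines("ACS-in", "192.168.84.10", ["host 192.168.84.100"])))
```

Run it after changing the Access Policy range or the firewall rules: feed it the URL your browser lands on after login, and regenerate the access-list lines from the same ALLOWED_PORTS constant rather than typing the range twice.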