ACS 5.2 - Cisco Secure Access Control System

$2,695.00


  • classroom

  • virtual

  • Onsite
Duration: 3 Days

In this course, you will learn to provide secure access to network resources using the Cisco Secure Access Control System (ACS) 5.2. You'll examine how the ACS has grown by leaps and bounds since 4.x., discover new features, and learn how the 4.x configurations map to 5.x configurations. You will also get a look into future ACS technologies.

You will learn about the role and importance of ACS in Cisco TrustSec, whether TrustSec is deployed as an appliance-based overlay solution or as a network-integrated 802.1X solution. You will learn about user authentication and authorization, posture assessment, device profiling, guest access, data integrity and confidentiality, centralized policy, collaborative monitoring, troubleshooting, and reporting in Cisco TrustSec solutions.

In this device-centric course, you will learn about:

  • History of ACS and its lineage
  • Feature differences between 4.x and 5.x
  • Positioning of the ACS in the TrustSec architecture
  • Configuring device authentication using TACACS+ and RADIUS and the differences of using both protocols
  • Device authorization and configuring restrictions on who can configure specific policies on a device
  • Reporting capabilities within ACS, including accounting-based reports
  • Extensible Authentication Protocol (EAP) and 802.1X protocols
  • Using digital certificates in an 802.1X and ACS 5.2 environment using Windows XP, Windows 7, and AnyConnect 3.x
  • Using and administering the ACS

Bonus Lab Credits Included

Only at Proven Impact, you'll receive five extra ACS e-Lab credits. Redeem them within 30 Days to review a topic after class, refine your skills, or get in extra practice-whatever lab activities complete your training.

What You Will Learn

 

  • RADIUS and TACACS+ protocols
  • ACS solutions, including ACS Express, ACS Enterprise, ACS on VMware, and appliances such as the CSACS-1120 Series and CSACS-1121 Series
  • Major components of ACS
  • ACS 5.2 installation best practices
  • Configure the ACS from a default install
  • License requirements
  • How attributes, value types, and predefined values are used
  • Types of Authentication, Authorization, and Accounting (AAA) clients and how they access network resources and other AAA clients
  • Work with a local identity store and identity store sequence
  • Users and identity stores
  • Configure an external identity store with LDAP
  • Fundamentals of LDAP
  • Set up LDAP SSL
  • Set up an external identity store with Active Directory
  • Perform AAA with TACACS+
  • Monitor and troubleshoot ACS (AAA with TACACS+)
  • Using a local certificate authority to replace digital certificates self-signed by ACS
  • Introduction to IEEE 802.1X and EAP
  • 802.1X using Windows XP, Windows 7, and AnyConnect 3.x supplicants
  • 802.1X single host authentication
  • 802.1X troubleshooting

Audience

 

  • Security professionals, architects, and engineers and network administrators responsible for securing their networks to assure authorized access only by authenticated users, with accounting of their activities
  • Cisco channel partners who sell, implement, and maintain Cisco ACS solutions
  • Cisco ACS solutions sales engineers

Prerequistes

 

  • CCNA certification or the equivalent knowledge and experience
  • Working knowledge of Microsoft Windows
  • CCNA Security certification or the equivalent knowledge and experience is recommended

Course Outline

 

1. Identity Management Solution

  • Identity Management Models
  • Secure Borderless Network Architecture
  • Identity-Enabled Network Use Case Summary

2. Product Overview and Initial Configuration

  • RADIUS and TACACS+
    • RADIUS Basics
    • TACACS+ Basics
    • RADIUS vs. TACACS+
  • ACS 5.2
    • Hardware Platform Solutions
    • Software Platform Solutions
    • New, Changed, and Supported Features
  • ACS 5.2 Installation
    • Installation on the CSACS+ Series Appliance
    • Installation with VMware ESX Server
    • Using Setup Scripts
    • Licensing
  • ACS Attribute Types
    • Attribute Definitions
    • Attribute Value Types
    • Predefined Values
    • Attribute Dictionaries
    • Attribute Aliases
    • Availability of Attributes Based on Policy
  • Adding Network Devices to ACS
    • Network Resources
    • Types of AAA Clients
    • Network Device Groups: Location
    • Network Device Groups: Device Type
    • Network Devices and AAA Clients
  • Local Identity Store and Identity Store Sequence
    • Users and Identity Stores
    • Internal Identity Store
    • External Identity Store
    • Certificate Profile
    • Internal Identity Stores
      • Users
      • Groups
      • Hosts

3. Advanced ACS Configuration and Device Management

  • External Identity Store with LDAP
    • LDAP Overview
    • External Identity Stores: OpenLDAP
    • Enable LDAP Diagnostics Log
  • External Identity Store with Active Directory
    • Interface with Active Directory
    • DNS Considerations
    • NTP Server Considerations
    • Considerations of Authenticating Usernames with Domains
    • Machine Access Restrictions (MAR)
    • Windows 2008 Compatibility and Feature Support
    • Testing Connectivity between ACS and AD
    • Group Names Differences in ACS 4.x and 5.x
    • Identity Store Sequences
    • PAP Authentication via Kerberos
  • Authentication, Authorization, and Accounting with TACACS+
    • Shell Profile
    • Command Sets
    • Access Services
    • Service Selection Rules
    • Default Device Admin: Authorization and Identity
  • Monitoring and Troubleshooting ACS
    • Cisco Secure ACS View
    • Monitoring and Debugging RADIUS Authentication
    • Monitoring and Debugging RADIUS Authorization
    • Monitoring and Debugging TACACS+ Authentication
    • Monitoring and Debugging TACACS+ Authorization
    • Debugging TACACS+ Packets and Accounting
  • ACS and Certificate Authority
    • Certificate-Based Authentication
    • Self-Signed Certificates
    • Third-Party Digital Certificates

4. IEEE 802.1X with ACS 5.2

  • IEEE 802.1X
    • History
    • Introduction
    • The Port
    • EAP
    • EAP-TLS
    • PEAP
  • 802.1X Policy Elements (RADIUS)
    • Date and Time
    • Custom
    • Authorization Profiles
    • Authorization: Downloadable ACL
    • Access Policies
      • Service Selection Rules
      • Access Services
      • Identity
  • 802.1X and Windows XP
    • Configure 802.1X
  • 802.1X and the Cisco Secure Services Client (SSC)
    • Configure 802.1X on the SSC
  • Configure 802.1X Single Host Authentication on a Cisco Switch
    • Single Host Authentication
    • Single Host Authentication Commands
    • Cisco Switch 802.1X Configuration Review
    • 802.1X Troubleshooting
    • ACS, Switch, and Windows Troubleshooting
    • Windows XP and Switch Debug Output
    • ACS Monitoring and Reports

5. System Operations

  • Distributed Deployment
    • ACS Operation Management
    • ACS Deployment Structure
    • Local Operations
    • Distributed System Management
    • Distributed Management Operations
    • Replication
    • Local Operations
    • Log Collector
    • Change Password Flow
  • System Administration
    • Administrators
    • Users
    • Operations
    • Configuration
    • Downloads

Course Labs

 

Lab 0: Remote Lab Familiarity

Lab 1: Verify the Cisco Secure ACS Installation

Lab 2: Set Up AAA Clients in Cisco Secure ACS

Lab 3: User and Local Identity Store

Lab 4: External Identity Store (Active Directory)

Lab 5: Configure Command Authorization

Lab 6: Install a Certificate on the Secure ACS Server

Lab 7: Configure Basic 802.1X Authorization

Lab 8: Configure Advanced 802.1X Authorization

Lab 9: Configure 802.1X VLAN Assignments

Lab 10: Troubleshoot

Lab 11: Distributed Deployment