Solved: ACS 1121 appliance configuration

vinodjad1234 · ‎11-15-2010

Hi,

I have WLC 5508 along with 3502i AP and i want to configure the ACS hardware appliance. I have worked on windows server based acs 4.1. I just want to know how different this hardware appliace configuration and installation ?

what are all inputs required for ACS configuration ?

and how to install this hardware ?

Please give me some light on this ?

And i want to know the difference between PEAP and LEAP protocol ?

It would be appriciative for getting knowledge on this ?

Nicolas Darchis · ‎11-15-2010

Hi Vinod,

-Differences : Well it's not really the hardware but that appliances is made to run ACS 5.x which is 100% different from ACS 4. Nothing like what you're used to. You can also install acs 4.2 on that appliance but then you lose many of the cool points of that new appliance.

-How to install : http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/acs5_1_install_guide.html

-How to configure :

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fpartner%2Fdocs%2Fnet_mgmt%2Fcisco_secure_access_control_system%2F5.1%2Fuser%2Fguide%2Fintrod.html&pos=1&strqueryid=2&websessionid=aBn1DBcDKGKxnWGHI5Avsh5

-Main difference between LEAP and PEAP : LEAP is considered as totally insecure nowadays and there is little reason why you would use it. PEAP is the most common and present in the windows default supplicant (which helps in making it common). It requires a certificate on the ACS side but validation can be ignored on the client side .

More about PEAP : http://fr.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

more about LEAP : http://en.wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol

Hope this helps,

Nicolas

===

Don't forget to rate answers that you find useful

View solution in original post

Nicolas Darchis · ‎11-15-2010

Hi Vinod,

-Differences : Well it's not really the hardware but that appliances is made to run ACS 5.x which is 100% different from ACS 4. Nothing like what you're used to. You can also install acs 4.2 on that appliance but then you lose many of the cool points of that new appliance.

-How to install : http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/acs5_1_install_guide.html

-How to configure :

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fpartner%2Fdocs%2Fnet_mgmt%2Fcisco_secure_access_control_system%2F5.1%2Fuser%2Fguide%2Fintrod.html&pos=1&strqueryid=2&websessionid=aBn1DBcDKGKxnWGHI5Avsh5

-Main difference between LEAP and PEAP : LEAP is considered as totally insecure nowadays and there is little reason why you would use it. PEAP is the most common and present in the windows default supplicant (which helps in making it common). It requires a certificate on the ACS side but validation can be ignored on the client side .

More about PEAP : http://fr.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

more about LEAP : http://en.wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol

Hope this helps,

Nicolas

===

Don't forget to rate answers that you find useful

vinodjad1234 · ‎11-15-2010

Hi Nicolas,

Thanks for your response.......

I need to have discussion with client for implementation of mentioned ACS appliance , I want to know , what are all point need to raised and get the inputs for the same ?

It would be better to have idea from you to raise the query for the same and clarify the same with client ...

Nicolas Darchis · ‎11-15-2010

what do you mean with "what are all the points that need to be raised" ?

Nicolas

vinodjad1234 · ‎11-15-2010

Hi,

"what are all the points that need to be raised" ?

Means , I will have minutes of meeting with client for getting details about existing network set-up and how to go about implementation of ACS.

Regarding that, i need to get some details like , existing network segment , network diagram , what kind of EAP-protocol client required ( PEAP,LEAP, EAP-TLS etc.)

do client need dynamic vlan assignment through ACS ?

like that, what are all valid points or information need to collect to proceed for configuring and implementing ACS in network set-up ?

I hope , you understand my query now .

Nicolas Darchis · ‎11-15-2010

I understand it, but there is no finite list of things to ask.

It's more "what do they want to achieve with ACS ?"

The basic things is "how would they like to authenticate on the client side?" => you deduct EAP methods from this

"Where do they store users in the background?" => AD ? LDAP ? ACS db ?

and "is there any specific feature required ? => vlan assignement, special attributes assignements, ip address assignement, machine authentication ?etc... etc ....

You should not be listing ACS features and asking if they need it. You should be asking what are their needs.

If they have dot1x on all ports or not. If they do Mac authentication or not on the switchports. If they want to assign things on the user switchport (ACL,ip, vlan ...).

Nicolas

===

Don't forget to rate answers that you find useful

vinodjad1234 · ‎11-15-2010

Hi,

Thanks for quick reply,

Actually client is looking to implement ACS with external database with user name and password which will be fetched from AD.

Nicolas Darchis · ‎11-15-2010

Ah. So you can ask what is their AD version in order to check if it's compatible with ACS.

You can check if they are storing other valuables attributes on AD, if they want to do group mapping, ...

Nicolas