4-16
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Agentless Network Access
Agentless Network Access Flow
This topic describes the end-to-end flow for agentless network access and lists the tasks that you must
perform. The information about how to configure the tasks is located in the relevant task chapters.
Perform these tasks in the order listed to configure agentless network access in ACS:
Step 1 Configure network devices and AAA clients.
This is the general task to configure network devices and AAA clients in ACS and is not specific to
agentless network access. Select Network Resources > Network Devices and AAA Clients and click
Create. See Network Devices and AAA Clients, page 7-5.
Step 2 Configure an identity store for internal hosts.
Configure an internal identity store (see Adding a Host to an Internal Identity Store, page 4-17)
or an external identity store (see Configuring an LDAP External Identity Store for Host Lookup,
page 4-17).
For more information, see Chapter 8, “Managing Users and Identity Stores.”
Step 3 Configure the identity group. See Configuring an Identity Group for Host Lookup Network Access
Requests, page 4-18.
For more information, see Chapter 8, “Managing Users and Identity Stores.”
Step 4 Define policy elements and authorization profiles for Host Lookup requests.
For more information, see Chapter 9, “Managing Policy Elements.”
Step 5 Create an empty service by defining an access service for Host Lookup. For more information, see
Creating an Access Service for Host Lookup, page 4-18.
Step 6 Return to the service that you created:
a. Define an identity policy. For more information, see Configuring an Identity Policy for Host Lookup
Requests, page 4-19.
ACS has the option to look for host MAC addresses in multiple identity stores.
For example, MAC addresses can be in the Internal Hosts identity store, in one of the configured
LDAP identity stores, or in the Internal Users identity store.
The MAC address may be found in one of the configured identity stores, while the MAC attributes
are fetched from a different identity store that you configured in the identity sequence.
You can configure ACS to continue processing a Host Lookup request even if the MAC address was
not found in the identity store. An administrator can then define an authorization policy based on
that event, regardless of whether the MAC address was found.
The ACS::UseCase attribute is available for selection in the Authentication Policy, but is not
mandatory for Host Lookup support.
b. Return to the service that you created.
c. Define an authorization policy. For more information, see Configuring an Authorization Policy for
Host Lookup Requests, page 4-20.
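As an added illustration (not ACS code and not from this guide), the following Python models the Host Lookup behavior described in Step 6a: the MAC is searched in an ordered identity sequence, its attributes are fetched from a separately configured store, and the "continue if not found" option feeds an authorization decision that is keyed on whether the host was found. Store contents, attribute names, authorization profile names and the accepted MAC address formats are assumptions.

```python
"""Model of the Host Lookup identity sequence and authorization decision.
Constructed example: stores, attributes and profile names are assumptions."""

# Constructed identity stores keyed by normalized MAC (lower-case, colon-separated).
INTERNAL_HOSTS = {"00:11:22:33:44:55": {"description": "printer-3f"}}
LDAP_HOSTS = {"aa:bb:cc:dd:ee:ff": {"department": "finance"}}
INTERNAL_USERS = {}

# Lookup order modelled on the page: Internal Hosts, then LDAP, then Internal Users.
IDENTITY_SEQUENCE = [("Internal Hosts", INTERNAL_HOSTS),
                     ("LDAP", LDAP_HOSTS),
                     ("Internal Users", INTERNAL_USERS)]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff (assumed NAS formats)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def host_lookup(mac, lookup_sequence=IDENTITY_SEQUENCE,
                attribute_stores=IDENTITY_SEQUENCE, continue_if_not_found=True):
    """Search the stores in order for the MAC; fetch attributes from attribute_stores.

    When the MAC is absent and continue_if_not_found is False the request is
    rejected at the identity policy, as ACS does by default; otherwise the
    request is passed on to authorization with found=False."""
    key = normalize_mac(mac)
    found_in = next((name for name, store in lookup_sequence if key in store), None)
    if found_in is None and not continue_if_not_found:
        return {"found": False, "found_in": None, "attributes": {}, "action": "reject"}
    attributes = {}
    for _, store in attribute_stores:          # attributes may come from a different store
        attributes.update(store.get(key, {}))
    return {"found": found_in is not None, "found_in": found_in,
            "attributes": attributes, "action": "continue"}


def authorize(result) -> str:
    """Authorization policy keyed on the lookup event (profile names are constructed)."""
    if result["action"] == "reject":
        return "Access-Reject"
    if not result["found"]:
        return "Unknown-Host-Restricted"   # e.g. a limited VLAN for unknown hosts
    if result["attributes"].get("department") == "finance":
        return "Finance-Host-Access"
    return "Default-Host-Access"
```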