Book excerpt from AAA Identity Management Security

Excerpt from AAA Identity Management Security by Vivek Santuka, Premdeep Banga, and Brandon J. Carroll, published by Cisco Press

Page 2 of 5

Step 1. Select Users and Identity Stores > Identity Groups.

The Identity Groups page appears.

Step 2. Click Create.

The Create Identity Group page appears as shown in Figure 4-10.

Step 3. Enter a unique name for the group. For our example, use Admin.

Step 4. (Optional) Enter a description.

Step 5. Click Select to select a parent group for this group. For this example, use the Root group.

Step 6. Click Submit.

The Identity Group page appears with the Admin group listed under the root.

Figure 4-10 Creating an Identity Group

Adding a User in the Internal Identity Store

Adding a user to the internal identity store is very simple in ACS 5.1. To add a user, follow these steps:

Step 1. Select Users and Identity Stores > Internal Identity Stores > Users.

The Internal Users page appears.

Step 2. Click Create.

The User Properties page appears as shown in Figure 4-11.

Step 3. Enter a name for the user. This is the name the user will use to authenticate. For our example, use User1.

Step 4. (Optional) Enter a description.

Step 5. Click Select and select an identity group for the user. For this example, select the Admin group created in the previous section.

Step 6. Enter the password and confirm it. The password must meet the restrictions shown in the Password Information section of the page. By default, the password must be 4 to 32 characters long. For this example, use Cisco as the password.

Step 7. (Optional) An enable password can be entered so that the user can log in to the privileged mode of devices. This option is enabled by default and can be disabled from the User Authentication Settings section. For this example, leave this field blank.

Step 8. Click Submit.

The user configuration is saved and the Internal Users page appears with the new user listed.


Note - Identity attributes can be used in a policy. For more information on dictionaries and identity attributes see Chapter 15, “ACS 5.1 Advanced Configuration.”


Figure 4-11 Adding a User to the Internal Identity Store

Adding a Host in the Internal Identity Store

Adding a host to the ACS internal data or identity store is not a new concept. In versions of ACS prior to ACS 5.1, the MAC address of a host could be added as a user for MAC address-based authentication. ACS 5.1 provides separate user and host identity stores! The steps for adding a host to the internal identity store are similar to those for adding a user. To add a host, follow these steps:

Step 1. Select Users and Identity Stores > Internal Identity Stores > Hosts.

The Internal Hosts page appears.

Step 2. Click Create.

The Host Properties page appears as shown in Figure 4-12.

Step 3. Enter the MAC address of the host. You can enter the MAC address in any of the following formats:

- xx-xx-xx-xx-xx-xx
- xx:xx:xx:xx:xx:xx
- xxxx.xxxx.xxxx
- xxxxxxxxxxxx

Although you can enter the MAC address in any of the formats in the preceding list, ACS converts the address and stores it in the first format. For this example, use 00-19-01-02-AA-EE.

Step 4. (Optional) Enter a description.

Step 5. Click Select and select an identity group. For our example, use the Admin group created in the previous sections.

Step 6. Click Submit.

The host configuration is saved and the Internal Hosts page appears with the new host listed.
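As an added illustration (not code from the book or from ACS), the following Python normaliser accepts the four MAC address spellings listed in Step 3, canonicalises them to the first format the way ACS stores them, and rejects anything else before it can be used as a host entry or lookup key. The uppercase hex convention and the sample host table are assumptions, not something the book states.

```python
import re

def normalize_mac(raw: str) -> str:
    """Return the MAC address in the first format the book lists (xx-xx-xx-xx-xx-xx).

    Accepted inputs: xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, xxxx.xxxx.xxxx and
    xxxxxxxxxxxx. Anything else raises ValueError so a malformed address can never
    silently become (or match) a host entry.
    """
    s = raw.strip().upper()  # assumption: hex digits are compared case-insensitively
    if re.fullmatch(r"[0-9A-F]{2}(-[0-9A-F]{2}){5}", s):
        digits = s.replace("-", "")
    elif re.fullmatch(r"[0-9A-F]{2}(:[0-9A-F]{2}){5}", s):
        digits = s.replace(":", "")
    elif re.fullmatch(r"[0-9A-F]{4}(\.[0-9A-F]{4}){2}", s):
        digits = s.replace(".", "")
    elif re.fullmatch(r"[0-9A-F]{12}", s):
        digits = s
    else:
        raise ValueError(f"unrecognised MAC address format: {raw!r}")
    # Re-insert the separators of the stored format: six octets joined by '-'.
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample host store keyed by the normalised address (the book's
# example host plus its identity group); an assumption about the store's shape.
HOST_STORE = {
    "00-19-01-02-AA-EE": {"identity_group": "Admin", "description": "book example"},
}

def lookup_host(raw: str):
    """Look a host up by any accepted spelling; None if unknown or malformed."""
    try:
        key = normalize_mac(raw)
    except ValueError:
        return None
    return HOST_STORE.get(key)
```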

Figure 4-12 Adding a Host to the Internal Identity Store


Note - The Users and Identity Stores drawer contains the Certificate Authority and Certificate Authentication Profiles menu items. These are used to configure ACS for certificate-based authentication. These sections are discussed in Chapter 8, “IOS Switches.”

The Identity Store Sequences menu item is used to define sequences of databases to be used in a policy. This section is covered in Chapter 5, “Configuring External Databases with ACS.”

