Often, it is difficult to find a starting point for configuring your ACS, because many places might seem like a logical place to begin. In this step sequence, you begin your configuration of ACS by applying administrator passwords and controlling access to the ACS device. Then you configure some interface parameters that influence the look of the HTML interface and make it easier to administer. You begin by assigning an administrator password to the ACS device. Follow these steps to complete this task:
This now restricts the port range that ACS redirects your browser to, limiting it to the range that you specified. In Figure 6-16, you see an example of a network similar to that described in the preceding step sequence. A PIX Firewall, an ACS server, and a separate workstation are used to demonstrate the login and management actions based on the preceding steps.

You are going to run into an issue here. When you access ACS using an IP address, all links to ACS configuration pages use that IP address. When you access the ACS from outside a firewall and you are performing Network Address Translation (NAT), you initially access ACS using a NAT address, but when you are redirected to one of the previously restricted ports, ACS returns the private (nontranslated) IP address. This causes you to lose management connectivity.

Figure 6-16. Simple PIX Firewall Network

By accessing ACS using a domain name or the hostname, all links to configuration pages return the domain name or hostname instead of the private (nontranslated) IP address. This sustains your management connection.

Figure 6-16 also shows the topology using a PIX Firewall. The ACS is on the inside network, and a workstation from the 192.168.84.0/24 network is going to access ACS for management. Before you can access the ACS device, you need to allow access through the PIX Firewall to ACS. Follow these steps to configure the access list on the PIX Firewall to allow access to the ACS. It is assumed that you already have a firewall configuration in place. If you attempt to do this in a production network, you might need to add these steps to an existing access list:
Now you are at the point where you must access the ACS device via Domain Name System (DNS). This causes ACS to return a DNS-resolved name to the workstation. If you access the ACS via IP address, it returns the private IP address (RFC 1918), and you can no longer access the device after you send your login credentials. Figure 6-17 shows the login prompt as seen from the remote workstation when accessing ACS by DNS name.

Figure 6-17. Login with DNS Name Resolution

Now that you are logged in, note that your URL has been redirected to a different port and that it matches the HTTP port range that you specified earlier. You also want to note that ACS returned a DNS name and not the private (nontranslated) IP address upon redirection.
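The two things the text tells you to verify after login (that the redirect target is a hostname rather than a private, nontranslated IP address, and that the redirected port falls inside the range you restricted ACS to) can be checked mechanically against the `Location` header the ACS login returns. The following script is an added example, not code from the book or from Cisco; the hostname `acs.example.com`, the inside address `10.1.1.5`, the port range 2010 through 2020 and the sample redirect URLs are all constructed placeholders, since the chapter does not state the actual range you chose.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the administrator restricted the ACS HTTP redirect range to
# these ports. Placeholder values; substitute the range you configured.
ALLOWED_PORTS = range(2010, 2021)  # 2010-2020 inclusive


def check_redirect(location, expected_host, allowed_ports=ALLOWED_PORTS):
    """Inspect an ACS post-login redirect URL for the two failure modes the
    chapter describes. Returns a list of problems; an empty list means the
    redirect will keep working through NAT and through the firewall rules."""
    parts = urlsplit(location)
    problems = []

    host = parts.hostname
    if host is None:
        return ["redirect has no host component"]

    # Distinguish a literal IP address from a DNS name.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None

    if addr is not None:
        if addr.is_private:
            # This is the NAT problem: the inside (RFC 1918) address is
            # unreachable from the outside workstation, so management is lost.
            problems.append(
                f"redirect uses private (RFC 1918) address {host}; "
                "management connectivity will be lost through NAT")
        else:
            problems.append(
                f"redirect uses a literal IP address {host} rather than a hostname")
    elif host.lower() != expected_host.lower():
        problems.append(
            f"redirect host {host} does not match expected {expected_host}")

    # Check that the port matches the restricted range, which is also what
    # the PIX access list is expected to permit.
    port = parts.port
    if port is None:
        problems.append("redirect does not carry an explicit port")
    elif port not in allowed_ports:
        problems.append(
            f"redirect port {port} is outside the allowed range "
            f"{allowed_ports.start}-{allowed_ports.stop - 1}")

    return problems


def check_many(redirects, expected_host):
    """Evaluate several captured redirects; returns {url: [problems]}."""
    return {url: check_redirect(url, expected_host) for url in redirects}


if __name__ == "__main__":
    # Constructed sample redirects, as a browser would see them after login.
    samples = [
        "http://acs.example.com:2015/index2.htm",   # hostname, port in range
        "http://10.1.1.5:2015/index2.htm",          # private IP: NAT breaks it
        "http://acs.example.com:4500/index2.htm",   # port outside the range
    ]
    for url, problems in check_many(samples, "acs.example.com").items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{url}: {status}")
```

Run it against the `Location` value captured from a browser or proxy log after logging in from the outside workstation; the private-address case is the one that silently drops your session, and the out-of-range case is the one the PIX access list will block.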