User Guide for Cisco Secure ACS for Windows Server
Version 3.3
May 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface xxix Audience xxix Organization xxix Conventions xxxi Product Documentation xxxii Related Documentation xxxiii Obtaining Documentation xxxv Cisco.
AAA Protocols—TACACS+ and RADIUS 1-6 TACACS+ 1-7 RADIUS 1-7 Authentication 1-8 Authentication Considerations 1-9 Authentication and User Databases 1-10 Authentication Protocol-Database Compatibility 1-10 Passwords 1-11 Other Authentication-Related Features 1-16 Authorization 1-17 Max Sessions 1-18 Dynamic Usage Quotas 1-18 Shared Profile Components 1-19 Support for Cisco Device-Management Applications 1-19 Other Authorization-Related Features 1-21 Accounting 1-22 Other Accounting-Related Features
Administrative Sessions through a NAT Gateway 1-31 Accessing the HTML Interface 1-32 Logging Off the HTML Interface 1-33 Online Help and Online Documentation 1-33 Using Online Help 1-34 Using the Online Documentation 1-34 CHAPTER 2 Deployment Considerations 2-1 Basic Deployment Requirements for Cisco Secure ACS 2-2 System Requirements 2-2 Hardware Requirements 2-2 Operating System Requirements 2-2 Third-Party Software Requirements 2-3 Network and Port Requirements 2-4 Basic Deployment Factors f
CHAPTER 3 Interface Configuration 3-1 Interface Design Concepts 3-2 User-to-Group Relationship 3-2 Per-User or Per-Group Features 3-2 User Data Configuration Options 3-3 Defining New User Data Fields 3-3 Advanced Options 3-4 Setting Advanced Options for the Cisco Secure ACS User Interface 3-6 Protocol Configuration Options for TACACS+ 3-7 Setting Options for TACACS+ 3-9 Protocol Configuration Options for RADIUS 3-11 Setting Protocol Configuration Options for IETF RADIUS Attributes 3-16 Setting P
AAA Client Configuration 4-11 AAA Client Configuration Options 4-11 Adding a AAA Client 4-16 Editing a AAA Client 4-19 Deleting a AAA Client 4-21 AAA Server Configuration 4-21 AAA Server Configuration Options 4-22 Adding a AAA Server 4-24 Editing a AAA Server 4-26 Deleting a AAA Server 4-28 Network Device Group Configuration 4-28 Adding a Network Device Group 4-29 Assigning an Unassigned AAA Client or AAA Server to an NDG 4-30 Reassigning a AAA Client or AAA Server to an NDG 4-31 Renaming a Networ
Deleting a Network Access Filter 5-7 Downloadable IP ACLs 5-7 About Downloadable IP ACLs 5-8 Adding a Downloadable IP ACL 5-10 Editing a Downloadable IP ACL 5-13 Deleting a Downloadable IP ACL 5-14 Network Access Restrictions 5-14 About Network Access Restrictions 5-15 About IP-based NAR Filters 5-17 About Non-IP-based NAR Filters 5-18 Adding a Shared Network Access Restriction 5-19 Editing a Shared Network Access Restriction 5-23 Deleting a Shared Network Access Restriction 5-24 Command Authoriza
Basic User Group Settings 6-3 Group Disablement 6-4 Enabling VoIP Support for a User Group 6-4 Setting Default Time-of-Day Access for a User Group 6-5 Setting Callback Options for a User Group 6-7 Setting Network Access Restrictions for a User Group 6-8 Setting Max Sessions for a User Group 6-12 Setting Usage Quotas for a User Group 6-14 Configuration-specific User Group Settings 6-16 Setting Token Card Settings for a User Group 6-18 Setting Enable Privilege Options for a User Group 6-19 Enabling
Configuring BBSM RADIUS Settings for a User Group 6-51 Configuring Custom RADIUS VSA Settings for a User Group 6-53 Group Setting Management 6-54 Listing Users in a User Group 6-54 Resetting Usage Quota Counters for a User Group 6-55 Renaming a User Group 6-55 Saving Changes to User Group Settings 6-56 CHAPTER 7 User Management 7-1 About User Setup Features and Functions 7-1 About User Databases 7-2 Basic User Setup Options 7-3 Adding a Basic User Account 7-4 Setting Supplementary User Informat
Configuring Device-Management Command Authorization for a User 7-30 Configuring the Unknown Service Setting for a User 7-32 Advanced TACACS+ Settings (User) 7-33 Setting Enable Privilege Options for a User 7-33 Setting TACACS+ Enable Password Options for a User 7-35 Setting TACACS+ Outbound Password for a User 7-37 RADIUS Attributes 7-37 Setting IETF RADIUS Parameters for a User 7-38 Setting Cisco IOS/PIX RADIUS Parameters for a User 7-39 Setting Cisco Aironet RADIUS Parameters for a User 7-41 Set
CHAPTER 8 System Configuration: Basic 8-1 Service Control 8-1 Determining the Status of Cisco Secure ACS Services 8-2 Stopping, Starting, or Restarting Services 8-2 Logging 8-3 Date Format Control 8-3 Setting the Date Format 8-4 Local Password Management 8-5 Configuring Local Password Management 8-7 Cisco Secure ACS Backup 8-9 About Cisco Secure ACS Backup 8-9 Backup File Locations 8-10 Directory Management 8-10 Components Backed Up 8-10 Reports of Cisco Secure ACS Backups 8-11 Backup Options 8-
Event Logging 8-20 Setting Up Event Logging 8-20 VoIP Accounting Configuration 8-21 Configuring VoIP Accounting 8-21 CHAPTER 9 System Configuration: Advanced 9-1 CiscoSecure Database Replication 9-1 About CiscoSecure Database Replication 9-2 Replication Process 9-4 Replication Frequency 9-7 Important Implementation Considerations 9-7 Database Replication Versus Database Backup 9-10 Database Replication Logging 9-10 Replication Options 9-11 Replication Components Options 9-11 Outbound Replicatio
RDBMS Synchronization Components 9-29 About CSDBSync 9-29 About the accountActions Table 9-31 Cisco Secure ACS Database Recovery Using the accountActions Table 9-32 Reports and Event (Error) Handling 9-33 Preparing to Use RDBMS Synchronization 9-33 Considerations for Using CSV-Based Synchronization 9-35 Preparing for CSV-Based Synchronization 9-36 Configuring a System Data Source Name for RDBMS Synchronization 9-37 RDBMS Synchronization Options 9-38 RDBMS Setup Options 9-38 Synchronization Schedul
EAP-TLS Authentication 10-2 About the EAP-TLS Protocol 10-3 EAP-TLS and Cisco Secure ACS 10-4 EAP-TLS Limitations 10-6 Enabling EAP-TLS Authentication 10-7 PEAP Authentication 10-8 About the PEAP Protocol 10-8 PEAP and Cisco Secure ACS 10-9 PEAP and the Unknown User Policy 10-11 Enabling PEAP Authentication 10-12 EAP-FAST Authentication 10-13 About EAP-FAST 10-13 About Master Keys 10-15 About PACs 10-17 Master Key and PAC TTLs 10-21 Replication and EAP-FAST 10-22 Enabling EAP-FAST 10-25 Global Aut
Generating a Certificate Signing Request 10-45 Using Self-Signed Certificates 10-47 About Self-Signed Certificates 10-47 Self-Signed Certificate Configuration Options 10-48 Generating a Self-Signed Certificate 10-49 Updating or Replacing a Cisco Secure ACS Certificate 10-50 CHAPTER 11 Logs and Reports 11-1 Logging Formats 11-2 Special Logging Attributes 11-2 NAC Attributes in Logs 11-4 Update Packets in Accounting Logs 11-5 About Cisco Secure ACS Logs and Reports 11-6 Accounting Logs 11-6 Dynam
Configuring an ODBC Log 11-23 Remote Logging 11-26 About Remote Logging 11-26 Implementing Centralized Remote Logging 11-27 Remote Logging Options 11-28 Enabling and Configuring Remote Logging 11-29 Disabling Remote Logging 11-31 Service Logs 11-31 Services Logged 11-32 Configuring Service Logs 11-33 CHAPTER 12 Administrators and Administrative Policy 12-1 Administrator Accounts 12-1 About Administrator Accounts 12-2 Administrator Privileges 12-3 Adding an Administrator Account 12-6 Editing an
CHAPTER 13 User Databases 13-1 CiscoSecure User Database 13-2 About the CiscoSecure User Database 13-2 User Import and Creation 13-3 About External User Databases 13-4 Authenticating with External User Databases 13-5 External User Database Authentication Process 13-6 Windows User Database 13-7 What’s Supported with Windows User Databases 13-8 Authentication with Windows User Databases 13-9 Trust Relationships 13-9 Windows Dial-up Networking Clients 13-10 Windows Dial-up Networking Clients with a
Generic LDAP 13-32 Cisco Secure ACS Authentication Process with a Generic LDAP User Database 13-33 Multiple LDAP Instances 13-33 LDAP Organizational Units and Groups 13-34 Domain Filtering 13-34 LDAP Failover 13-36 Successful Previous Authentication with the Primary LDAP Server 13-36 Unsuccessful Previous Authentication with the Primary LDAP Server 13-37 LDAP Configuration Options 13-37 Configuring a Generic LDAP External User Database 13-43 Novell NDS Database 13-49 About Novell NDS User Database
PAP Procedure Output 13-65 CHAP/MS-CHAP/ARAP Authentication Procedure Input 13-66 CHAP/MS-CHAP/ARAP Procedure Output 13-66 EAP-TLS Authentication Procedure Input 13-67 EAP-TLS Procedure Output 13-68 Result Codes 13-69 Configuring a System Data Source Name for an ODBC External User Database 13-70 Configuring an ODBC External User Database 13-71 LEAP Proxy RADIUS Server Database 13-75 Configuring a LEAP Proxy RADIUS Server External User Database 13-76 Token Server User Databases 13-78 About Token Se
NAC Databases 14-10 About NAC Databases 14-10 About NAC Credentials and Attributes 14-11 NAC Database Configuration Options 14-12 Policy Selection Options 14-13 Configuring a NAC Database 14-14 NAC Policies 14-16 Local Policies 14-17 About Local Policies 14-18 About Rules, Rule Elements, and Attributes 14-19 Local Policy Configuration Options 14-22 Rule Configuration Options 14-24 Creating a Local Policy 14-25 External Policies 14-28 About External Policies 14-28 External Policy Configuration Opti
Performance of Unknown User Authentication 15-8 Added Authentication Latency 15-9 Authentication Timeout Value on AAA clients 15-9 Posture Validation and the Unknown User Policy 15-10 NAC and the Unknown User Policy 15-10 Posture Validation Use of the Unknown User Policy 15-11 Required Use for Posture Validation 15-12 Authorization of Unknown Users 15-13 Unknown User Policy Options 15-13 Database Search Order 15-14 Configuring the Unknown User Policy 15-16 Disabling Unknown User Authentication 15-
NAC Group Mapping 16-13 Configuring NAC Group Mapping 16-13 RADIUS-Based Group Specification 16-14 APPENDIX A Troubleshooting A-1 Administration Issues A-2 Browser Issues A-4 Cisco IOS Issues A-5 Database Issues A-7 Dial-in Connection Issues A-10 Debug Issues A-14 Proxy Issues A-15 Installation and Upgrade Issues A-16 MaxSessions Issues A-16 Report Issues A-17 Third-Party Server Issues A-19 User Authentication Issues A-20 TACACS+ and RADIUS Attribute Issues A-22 APPENDIX B TACACS+ Attribute-
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs C-9 Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs C-13 Cisco Building Broadband Service Manager Dictionary of RADIUS VSA C-14 IETF Dictionary of RADIUS AV Pairs C-14 Microsoft MPPE Dictionary of RADIUS VSAs C-28 Ascend Dictionary of RADIUS AV Pairs C-31 Nortel Dictionary of RADIUS VSAs C-43 Juniper Dictionary of RADIUS VSAs C-44 APPENDIX D CSUtil Database Utility D-1 Location of CSUtil.exe and Related Files D-2 CSUtil.
ADD_NAS Statements D-21 DEL_NAS Statements D-23 Import File Example D-24 Exporting User List to a Text File D-24 Exporting Group Information to a Text File D-25 Exporting Registry Information to a Text File D-26 Decoding Error Numbers D-27 Recalculating CRC Values D-28 User-Defined RADIUS Vendors and VSA Sets D-28 About User-Defined RADIUS Vendors and VSA Sets D-29 Adding a Custom RADIUS Vendor and VSA Set D-29 Deleting a Custom RADIUS Vendor and VSA Set D-31 Listing Custom RADIUS Vendors D-32 Exp
APPENDIX E VPDN Processing E-1 VPDN Process E-1 APPENDIX F RDBMS Synchronization Import Definitions F-1 accountActions Specification F-1 accountActions Format F-2 accountActions Mandatory Fields F-3 accountActions Processing Order F-4 Action Codes F-4 Action Codes for Setting and Deleting Values F-5 Action Codes for Creating and Modifying User Accounts F-7 Action Codes for Initializing and Modifying Access Filters F-14 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings F-
CSMon G-4 Monitoring G-5 Recording G-6 Notification G-7 Response G-7 CSTacacs and CSRadius G-8 INDEX User Guide for Cisco Secure ACS for Windows Server 78-16592-01 xxvii
Preface
This document will help you configure and use Cisco Secure Access Control Server (ACS) and its features and utilities.
Audience
This guide is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.
Organization
This document contains the following chapters and appendixes:
• Chapter 1, “Overview”—An overview of Cisco Secure ACS and its features, network diagrams, and system requirements.
• Chapter 5, “Shared Profile Components”—Concepts and procedures regarding Cisco Secure ACS shared profile components: downloadable IP ACLs, network access filters, network access restrictions, and device command sets.
• Chapter 6, “User Group Management”—Concepts and procedures for establishing and maintaining Cisco Secure ACS user groups.
• Chapter 7, “User Management”—Concepts and procedures for establishing and maintaining Cisco Secure ACS user accounts.
• Appendix A, “Troubleshooting”—How to identify and solve certain problems you might have with Cisco Secure ACS.
• Appendix B, “TACACS+ Attribute-Value Pairs”—A list of supported TACACS+ AV pairs and accounting AV pairs.
• Appendix C, “RADIUS Attributes”—A list of supported RADIUS AV pairs and accounting AV pairs.
• Appendix D, “CSUtil Database Utility”—Instructions for using CSUtil.
Preface Product Documentation Tip Identifies information to help you get the most benefit from your product. Note Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful suggestions, or provide references to materials not contained in the document. Caution Means reader be careful. In this situation, you might do something that could result in equipment damage, loss of data, or a potential breach in your network security.
Preface Related Documentation Table 1 Product Documentation (continued) Document Title Available Formats Installation Guide for Cisco Secure ACS for Windows Server • PDF on the product CD-ROM. • On Cisco.com. • Printed document available by order (part number DOC-7816529=).1 • PDF on the product CD-ROM. • On Cisco.com. • Printed document available by order (part number DOC-7816530=).1 Installation and User Guide for Cisco Secure ACS User-Changeable Passwords • PDF on the product CD-ROM.
Preface Related Documentation Table 2 describes a set of white papers about Cisco Secure ACS. All white papers are available on Cisco.com. To view them, go to the following URL: http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/index.
Preface Obtaining Documentation Table 2 Related Documentation (continued) Document Title Description and Available Formats External ODBC Authentication This paper presents concepts and configuration issues in deploying Cisco Secure ACS for Windows Server to authenticate users against an external open database connectivity (ODBC) database.
Preface Documentation Feedback Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Ordering Documentation You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.
Preface Obtaining Technical Assistance You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.
Preface Obtaining Technical Assistance recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.
Preface Obtaining Additional Publications and Information Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.
Preface Obtaining Additional Publications and Information • Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj • World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.
CHAPTER 1 Overview
This chapter provides an overview of Cisco Secure ACS for Windows Server.
– Accessing the HTML Interface, page 1-32
– Logging Off the HTML Interface, page 1-33
– Online Help and Online Documentation, page 1-33
The Cisco Secure ACS Paradigm
Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced “triple A”) services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router.
services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see AAA Protocols—TACACS+ and RADIUS, page 1-6.
Cisco Secure ACS Specifications
Note For hardware, operating system, third-party software, and network requirements, see Basic Deployment Requirements for Cisco Secure ACS, page 2-2.
• Maximum users supported by the CiscoSecure user database—There is no theoretical limit to the number of users the CiscoSecure user database can support. We have successfully tested Cisco Secure ACS with databases in excess of 100,000 users. The practical limit for a single Cisco Secure ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users.
AAA Server Functions and Concepts
When you install Cisco Secure ACS, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. For a full discussion of each service, see Appendix G, “Internal Architecture”. The Cisco Secure ACS services on the computer running Cisco Secure ACS include the following:
• CSAdmin—Provides the HTML interface for administration of Cisco Secure ACS.
• CSAuth—Provides authentication services.
• Authorization, page 1-17
• Accounting, page 1-22
• Administration, page 1-23
• Posture Validation, page 1-25
Cisco Secure ACS and the AAA Client
A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server.
Table 1-1 TACACS+ and RADIUS Protocol Comparison
Point of Comparison: Transmission Protocol
  TACACS+: TCP—connection-oriented transport layer protocol, reliable full-duplex data transmission
  RADIUS: UDP—connectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery
Point of Comparison: Ports Used
  TACACS+: 49
  RADIUS: Authentication and Authorization: 1645 and 1812; Accounting: 1646 and 1813
Point of Comparison: Encryption
  TACACS+: Full packet encryption
  RADIUS: Encrypts only pas
• RFC 2868
• RFC 2869
The ports used for authentication and accounting have changed in RADIUS RFC documents. To support both the older and newer RFCs, Cisco Secure ACS accepts authentication requests on port 1645 and port 1812. For accounting, Cisco Secure ACS accepts accounting packets on port 1646 and 1813. In addition to support for standard IETF RADIUS attributes, Cisco Secure ACS includes support for RADIUS vendor-specific attributes (VSAs).
There is a fundamental implicit relationship between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. Cisco Secure ACS supports this relationship by providing various methods of authentication.
Authentication and User Databases
Cisco Secure ACS supports a variety of user databases.
Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility (continued)
Database: LEAP Proxy RADIUS Server
  ASCII/PAP: Yes; CHAP: No; ARAP: No; MS-CHAP v.1: Yes; MS-CHAP v.2: Yes
Database: All Token Servers
  ASCII/PAP: Yes; CHAP: No; ARAP: No; MS-CHAP v.1: No; MS-CHAP v.2: No
Table 1-3 specifies EAP authentication protocol support.
• PEAP(EAP-GTC)
• PEAP(EAP-MSCHAPv2)
• EAP-FAST
• ARAP
Passwords can be processed using these password authentication protocols based on the version and type of security control protocol used (for example, RADIUS or TACACS+) and the configuration of the AAA client and end-user client. The following sections outline the different conditions and functions of password handling.
• ARAP—Uses a two-way challenge-response mechanism. The AAA client challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.
MS-CHAP
Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication.
• EAP-FAST—EAP Flexible Authentication via Secured Tunnel (EAP-FAST), a faster means of encrypting EAP authentication, supports EAP-GTC authentication. For more information, see EAP-FAST Authentication, page 10-13.
The architecture of Cisco Secure ACS is extensible with regard to EAP; additional varieties of EAP will be supported as those protocols mature.
• Outbound passwords—The TACACS+ protocol supports outbound passwords that can be used, for example, when a AAA client has to be authenticated by another AAA client and end-user client. Passwords from the CiscoSecure user database are then sent back to the second AAA client and end-user client.
For information on the requirements and configuration of the password aging feature controlled by the CiscoSecure user database, see Enabling Password Aging for the CiscoSecure User Database, page 6-21. The Windows-based password aging feature enables you to control the following password aging parameters:
• Maximum password age in days.
• Minimum password age in days.
• Configurable character string stripping from proxied authentication requests (see Stripping, page 4-6).
• Self-signed server certificates (see Using Self-Signed Certificates, page 10-47).
• Certificate revocation list checking during EAP-TLS authentication (see Managing Certificate Revocation Lists, page 10-40).
Authorization
Authorization determines what a user is allowed to do.
This section contains the following topics:
• MaxSessions Issues, page A-16
• Dynamic Usage Quotas, page 1-18
• Shared Profile Components, page 1-19
• Support for Cisco Device-Management Applications, page 1-19
• Other Authorization-Related Features, page 1-21
Max Sessions
Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:
• User Max Sessions—For exam
Quotas can be either absolute or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed. To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off and the accounting stop packet is received from the AAA client.
AAA client that uses TACACS+. Also, you must provide the device-management application with a valid administrator name and password. When a management application initially communicates with Cisco Secure ACS, these requirements ensure the validity of the communication. For information about configuring a AAA client, see AAA Client Configuration, page 4-11. For information about administrator accounts, see Administrator Accounts, page 12-1.
Other Authorization-Related Features
In addition to the authorization-related features discussed in this section, the following features are provided by Cisco Secure ACS:
• Group administration of users, with support for 500 groups (see Chapter 6, “User Group Management”).
• Ability to map a user from an external user database to a specific Cisco Secure ACS group (see Chapter 16, “User Group Mapping and Specification”).
Accounting
AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation.
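The Max Sessions limits and the usage-quota behaviour described above (quota counters advancing only on accounting update packets or on the stop packet) can be audited offline against the CSV accounting log. The following is an added example, not Cisco's code and not the enforcement logic inside Cisco Secure ACS: the column set is an assumed simplification of an ACS accounting log, the records are constructed, and Acct-Session-Time is treated as the cumulative seconds reported by the AAA client.

```python
"""Replay ACS-style accounting records to check Max Sessions and usage quotas.

Added example, not Cisco's code. The CSV column set is an assumed, simplified
version of a Cisco Secure ACS accounting log; the records are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log (not real ACS output). Acct-Session-Time is the
# cumulative session length reported in each Interim-Update and Stop record.
SAMPLE_LOG = """Date,Time,User-Name,Group-Name,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time
05/03/2004,08:00:00,alice,dialin,Start,0001,0
05/03/2004,08:05:00,bob,dialin,Start,0002,0
05/03/2004,08:10:00,alice,dialin,Start,0003,0
05/03/2004,08:30:00,alice,dialin,Interim-Update,0001,1800
05/03/2004,08:50:00,bob,dialin,Stop,0002,2700
05/03/2004,09:00:00,alice,dialin,Interim-Update,0001,3600
05/03/2004,10:00:00,alice,dialin,Stop,0001,7200
05/03/2004,10:00:00,alice,dialin,Stop,0003,6600
"""


def parse_records(text):
    """Parse the CSV into dicts carrying a datetime and an integer session time."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(
            row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        row["Acct-Session-Time"] = int(row["Acct-Session-Time"])
        records.append(row)
    return sorted(records, key=lambda r: r["timestamp"])


def replay(records, user_max_sessions, group_max_sessions,
           daily_quota_seconds, update_packets_enabled=True):
    """Return (kind, user, "HH:MM") violations in log order.

    kind is "user-max-sessions", "group-max-sessions" or "quota-exceeded".
    With update_packets_enabled=False the Interim-Update records are ignored,
    so usage is credited only when the Stop record arrives (as the guide
    describes for AAA clients that do not send update packets).
    """
    active_by_user = defaultdict(set)
    active_by_group = defaultdict(set)
    usage_by_user_day = defaultdict(int)  # (user, date) -> seconds credited
    credited = {}                         # session id -> seconds already credited
    flagged_quota = set()
    violations = []

    def credit(rec):
        sid = rec["Acct-Session-Id"]
        key = (rec["User-Name"], rec["timestamp"].date())
        delta = rec["Acct-Session-Time"] - credited.get(sid, 0)
        credited[sid] = rec["Acct-Session-Time"]
        usage_by_user_day[key] += max(delta, 0)
        if usage_by_user_day[key] > daily_quota_seconds and key not in flagged_quota:
            flagged_quota.add(key)
            violations.append(("quota-exceeded", rec["User-Name"],
                               rec["timestamp"].strftime("%H:%M")))

    for rec in records:
        user, group, sid = rec["User-Name"], rec["Group-Name"], rec["Acct-Session-Id"]
        when = rec["timestamp"].strftime("%H:%M")
        status = rec["Acct-Status-Type"]
        if status == "Start":
            # Max Sessions: a new Start while the limit is already reached.
            if len(active_by_user[user]) >= user_max_sessions:
                violations.append(("user-max-sessions", user, when))
            if len(active_by_group[group]) >= group_max_sessions:
                violations.append(("group-max-sessions", user, when))
            active_by_user[user].add(sid)
            active_by_group[group].add(sid)
            credited[sid] = 0
        elif status == "Interim-Update":
            if update_packets_enabled:
                credit(rec)
        elif status == "Stop":
            credit(rec)
            active_by_user[user].discard(sid)
            active_by_group[group].discard(sid)
    return violations


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for enabled in (True, False):
        print("update packets enabled:", enabled)
        for v in replay(recs, 1, 3, 3000, enabled):
            print("  ", v)
```

With a 3000-second daily quota, alice's overrun is seen at 09:00 when update packets are honoured but only at the 10:00 Stop record when they are not.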
Administration
To configure, maintain, and protect its AAA functionality, Cisco Secure ACS provides a flexible administration scheme. You can perform nearly all administration of Cisco Secure ACS through its HTML interface. For more information about the HTML interface, including steps for accessing the HTML interface, see Cisco Secure ACS HTML Interface, page 1-25.
For information about configuring the HTTP port allocation feature, see Access Policy, page 12-11.
Network Device Groups
With a network device group (NDG), you can view and administer a collection of AAA clients and AAA servers as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group.
• CSMonitor service, providing monitoring, notification, logging, and limited automated failure response (see Cisco Secure ACS Active Service Management, page 8-17).
• Ability to automate configuration of users, groups, network devices, and custom RADIUS VSAs (see RDBMS Synchronization, page 9-25).
• Replication of CiscoSecure user database components to other Cisco Secure ACSes (see CiscoSecure Database Replication, page 9-1).
Cisco Secure ACS HTML Interface
This section contains the following topics:
• About the Cisco Secure ACS HTML Interface, page 1-26
• HTML Interface Layout, page 1-27
• Uniform Resource Locator for the HTML Interface, page 1-29
• Network Environments and Administrative Sessions, page 1-30
• Accessing the HTML Interface, page 1-32
• Logging Off the HTML Interface, page 1-33
• Online Help and Online Documentation, page 1-33
About the Cisco Secure ACS HTML Interface
After ins
Administrative sessions time out after a configurable length of idle time. Regardless, we recommend that you log out of the HTML interface after each session. For information about logging out of Cisco Secure ACS, see Logging Off the HTML Interface, page 1-33. For information about configuring the idle timeout feature, see Access Policy, page 12-11. You can enable secure socket layer (SSL) for administrative sessions.
advanced features such as database replication, see Chapter 9, “System Configuration: Advanced”. For information about configuring authentication protocols and certificate-related features, see Chapter 10, “System Configuration: Authentication and Certificates”. For information about configuring logs and reports, see Chapter 11, “Logs and Reports”.
– Interface Configuration—Display or hide product features and options to be configured.
– Online Help—Displays basic help about the page currently shown in the configuration area. This help does not offer in-depth information; rather, it gives some basic information about what can be accomplished in the middle frame. For more information about online help, see Using Online Help, page 1-34.
– Reports or Lists—Displays lists or reports, including accounting reports.
If SSL is enabled and you do not specify HTTPS, Cisco Secure ACS redirects the initial request to HTTPS for you. Using SSL to access the login page protects administrator credentials. For more information about enabling SSL to protect administrative sessions, see Access Policy, page 12-11. From the computer running Cisco Secure ACS, you can also use the following URLs:
• http://127.0.0.
Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the computer. This conflicts with administrative session communication that does use the actual IP address of the computer. For more information about IP filtering of administrative sessions, see Access Policy, page 12-11.
If Cisco Secure ACS is behind a NAT gateway and the URL used to access the HTML interface specifies Cisco Secure ACS by its hostname, administrative sessions operate correctly, provided that DNS is functioning correctly on your network or that computers used to access the HTML interface have a hosts file entry for Cisco Secure ACS.
Step 2 In the Address or Location bar in the web browser, type the applicable URL. For a list of possible URLs, see Uniform Resource Locator for the HTML Interface, page 1-29.
Step 3 If the Cisco Secure ACS login page appears, follow these steps:
a. In the Username box, type a valid Cisco Secure ACS administrator name.
b. In the Password box, type the password for the administrator name you specified.
c. Click Login.
Using Online Help
Online help is the default content in the display area. For every page that appears in the configuration area, there is a corresponding online help page. At the top of each online help page is a list of topics covered by that page. To jump from the top of the online help page to a particular topic, click the topic name in the list at the top of the page.
To access online documentation, follow these steps:
Step 1 In the Cisco Secure ACS HTML interface, click Online Documentation.
Tip To open the online documentation in a new browser window, right-click Online Documentation, and then click Open Link in New Window (for Microsoft Internet Explorer) or Open in New Window (for Netscape Navigator).
The table of contents opens in the configuration area.
Chapter 1 Overview Cisco Secure ACS HTML Interface User Guide for Cisco Secure ACS for Windows Server 1-36 78-16592-01
CHAPTER 2 Deployment Considerations Deployment of Cisco Secure ACS for Windows Server can be complex and iterative, depending on the specific implementation required. This chapter provides insight into the deployment process and presents a collection of factors that you should consider before deploying Cisco Secure ACS.
Chapter 2 Deployment Considerations Basic Deployment Requirements for Cisco Secure ACS Basic Deployment Requirements for Cisco Secure ACS This section details the minimum requirements you must meet to successfully deploy Cisco Secure ACS.
• Windows 2000 Server, with Service Pack 4 installed
• Windows 2000 Advanced Server, with the following conditions:
– with Service Pack 4 installed
– without Microsoft clustering service installed
– without other features specific to Windows 2000 Advanced Server enabled
Note We have not tested and cannot support the multi-processor feature of Windows 2000 Advanced Server.

Other than the software products described in the Release Notes, we have not tested the interoperability of Cisco Secure ACS with other software products on the same computer. We support interoperability issues only for software products that are mentioned in the Release Notes. The most recent version of the Release Notes is posted on Cisco.com, accessible from the following URL: http://www.cisco.

Note We tested Cisco Secure ACS on computers that have only one network interface card. If you want Cisco Secure ACS to use the “Grant Dial-in Permission to User” feature in Windows when authorizing network users, this option must be selected in the Windows User Manager or Active Directory Users and Computers for the applicable user accounts.
Chapter 2 Deployment Considerations Basic Deployment Factors for Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Generally, the ease in deploying Cisco Secure ACS is directly related to the complexity of the implementation planned and the degree to which you have defined your policies and requirements. This section presents some basic factors you should consider before you begin implementing Cisco Secure ACS.
In the small LAN environment (see Figure 2-1), network architects typically place a single Cisco Secure ACS internal to the AAA client, protected from outside access by a firewall and the AAA client. In this environment, the user database is usually small, there are few devices that require access to Cisco Secure ACS for AAA, and any database replication is limited to a secondary Cisco Secure ACS as a backup.

Figure 2-2 Large Dial-up Network (figure: Cisco AS5300 access servers; UNIX, Novell, Windows NT and Macintosh servers; Cisco Secure Access Control Server)

In a very large, geographically dispersed network (Figure 2-3), there may be access servers located in different parts of a city, in different cities, or on different continents.

Figure 2-3 Geographically Dispersed Network (figure: several Cisco Secure Access Control Servers in different regions)

Wireless Network The wireless network access point is a relatively new client for AAA services. The wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN.

In the simple WLAN, there may be a single AP installed (Figure 2-4). Because there is only one AP, the primary issue is security. In this environment, there is generally a small user base and few network devices to worry about. Providing AAA services to the other devices on the network does not cause any significant additional load on Cisco Secure ACS.

Figure 2-5 Campus WLAN (figure: Cisco Aironet APs; dial-up connection; UNIX, Novell, Windows NT and Macintosh servers; Cisco Secure Access Control Server)

This is particularly true when the regional topology is the campus WLAN. This model starts to change when you deploy WLANs in many small sites that more resemble the simple WLAN shown in Figure 2-4.

Figure 2-6 Large Deployment of Small Sites

For the model in Figure 2-6, the location of Cisco Secure ACS depends on whether all users need access on any AP, or whether users require only regional or local network access. Along with database type, these factors control whether local or regional Cisco Secure ACSes are required, and how database continuity is maintained.
• Security—VPNs protect data in transit from unauthorized access by using encryption and authentication protocols.
• Scalability—VPNs allow corporations to use the remote access infrastructure of ISPs; therefore, corporations can add a large amount of capacity without adding significant infrastructure.

Figure 2-8 Enterprise VPN Solution (figure: home office and mobile worker tunnels through ISPs and the Internet to a VPN concentrator; Cisco Secure Access Control Server)

For more information about implementing VPN solutions, see the reference guide A Primer for Implementing a Cisco Virtual Private Network. Remote Access Policy Remote access is a broad concept.

Cisco Secure ACS remote access policies provide control through central authentication and authorization of remote users. The CiscoSecure user database maintains all user IDs, passwords, and privileges. Cisco Secure ACS can enforce access policies by downloading them in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, by allowing access only during specific periods, or by allowing access only on specific access servers.

The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, you can use Cisco Secure ACS command authorization per network device to restrict network administrators as necessary.

Separation of Administrative and General Users It is important to keep the general network user from accessing network devices. Even though the general user may not intend to gain unauthorized access, inadvertent access could accidentally disrupt network access. AAA and Cisco Secure ACS provide the means to separate the general user from the administrative user.

Conversely, if a general user attempts to use his or her remote access credentials to log in to a network device, Cisco Secure ACS checks and approves the username and password, but the authorization step fails because that user has no credentials that allow shell or exec access to the device.
Chapter 2 Deployment Considerations Suggested Deployment Sequence Network Latency and Reliability Network latency and reliability are also important factors in how you deploy Cisco Secure ACS. Delays in authentication can result in timeouts at the end-user client or the AAA client. The general rule for large, extended networks, such as a globally dispersed corporation, is to have at least one Cisco Secure ACS deployed in each region.
For more information about setting up administrators, see Chapter 1, “Overview”. • Configure the Cisco Secure ACS HTML Interface—You can configure the Cisco Secure ACS HTML interface to show only those features and controls that you intend to use. This makes using Cisco Secure ACS less difficult than it would be if you had to contend with multiple parts of the HTML interface that you do not plan to use.

Along with the decision to implement an external user database (or databases), you should have detailed plans that specify your requirements for Cisco Secure ACS database replication, backup, and synchronization. These aspects of configuring CiscoSecure user database management are detailed in Chapter 8, “System Configuration: Basic”.
CHAPTER 3 Interface Configuration Ease of use is the overriding design principle of the HTML interface in Cisco Secure ACS for Windows Server. Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator.
Chapter 3 Interface Configuration Interface Design Concepts • Protocol Configuration Options for TACACS+, page 3-7 • Protocol Configuration Options for RADIUS, page 3-11 Interface Design Concepts Before you begin to configure the Cisco Secure ACS HTML interface for your particular configuration, you should understand a few basic precepts of the system operation. The information in the following sections is necessary for effective interface configuration.
Chapter 3 Interface Configuration User Data Configuration Options User Data Configuration Options The Configure User Defined Fields page enables you to add (or edit) up to five fields for recording information on each user. The fields you define in this section subsequently appear in the Supplementary User Information section at the top of the User Setup page. For example, you could add the user’s company name, telephone number, department, billing code, and so on.
Chapter 3 Interface Configuration Advanced Options Restarting Cisco Secure ACS-related Windows services should be done during off hours because it briefly interrupts authentication, authorization, and accounting. Advanced Options The Advanced Options page enables you to determine which advanced features Cisco Secure ACS displays. You can simplify the pages displayed in other areas of the Cisco Secure ACS HTML interface by hiding advanced features that you do not use.
• User-Level Network Access Restrictions—When selected, this feature enables the two sets of options for defining user-level, IP-based and CLI/DNIS-based NARs on the User Setup page.
• User-Level Downloadable ACLs—When selected, this feature enables the Downloadable ACLs (access control lists) section on the User Setup page.

• RDBMS Synchronization—When selected, this feature enables the RDBMS (Relational Database Management System) Synchronization option on the System Configuration page. If RDBMS Synchronization is configured, this option always appears.
• IP Pools—When selected, this feature enables the IP Pools Address Recovery and IP Pools Server options on the System Configuration page.
Chapter 3 Interface Configuration Protocol Configuration Options for TACACS+ advanced feature is no longer displayed. Further, the interface displays any advanced feature that has non-default settings, even if you have configured that advanced feature to be hidden. If you later disable the feature or delete its settings, Cisco Secure ACS hides the advanced feature. The only exception is the Network Device Groups feature.
Note If you have configured Cisco Secure ACS to interact with device management applications for other Cisco products, such as Management Center for Firewalls, Cisco Secure ACS may display new TACACS+ services as dictated by these device management applications.

– Display a window for each service selected in which you can enter customized TACACS+ attributes—If this option is selected, an area appears on the User Setup and Group Setup pages that enables you to enter custom TACACS+ attributes. Cisco Secure ACS can also display a custom command field for each service.

To configure the user interface for TACACS+ options, follow these steps: Step 1 Note The Cisco Secure ACS HTML interface displays any protocol option that is enabled or has non-default values, even if you have configured that protocol option to be hidden. If you later disable the option or delete its value and the protocol option is configured to be hidden, Cisco Secure ACS hides the protocol option.
Chapter 3 Interface Configuration Protocol Configuration Options for RADIUS The selections made in this procedure determine what TACACS+ options Cisco Secure ACS displays in other sections of the HTML interface. Protocol Configuration Options for RADIUS It is unlikely that you would want to install every attribute available for every protocol. Displaying each would make setting up a user or group cumbersome. To simplify setup, this section allows you to customize the attributes that are displayed.
Table 3-1 RADIUS Listings in Interface (columns: Configure this Type of AAA Client... / ...; the table rows did not survive extraction)
selecting check boxes in a list of attributes, you determine whether the corresponding (IETF) RADIUS attribute or vendor-specific attribute (VSA) is configurable from the User Setup and Group Setup sections. Details regarding the types of RADIUS settings pages follow: • (IETF) RADIUS Settings—This page lists attributes available for (IETF) RADIUS.

Session-Timeout attribute. This enables you to provide different session timeout values for wireless and wired end-user clients. For detailed steps, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17. • RADIUS (Ascend) Settings—From this section you enable the RADIUS VSAs for RADIUS (Ascend). This page appears if you have configured a RADIUS (Ascend) or a RADIUS (Cisco IOS/PIX) device.

appear as configurable options on the User Setup or Group Setup page. For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 9-28. Setting Protocol Configuration Options for IETF RADIUS Attributes This procedure enables you to hide or display any of the standard IETF RADIUS attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

Step 4 When you have finished selecting the attributes, click Submit at the bottom of the page. Each IETF RADIUS attribute that you selected appears as a configurable option on the User Setup or Group Setup page, as applicable.

Step 4 Click Submit at the bottom of the page. According to your selections, the RADIUS VSAs appear on the User Setup or Group Setup pages, or both, as a configurable option.
CHAPTER 4 Network Configuration This chapter details concepts and procedures for configuring Cisco Secure ACS for Windows Server to interact with AAA clients and servers and for establishing a distributed system.
Chapter 4 Network Configuration About Distributed Systems If you are using network device groups (NDGs), this table does not appear on the initial page, but is accessed through the Network Device Group table. For more information about this interface configuration, see Advanced Options, page 3-4. • AAA Servers—This table lists each AAA server that is configured on the network together with its IP address and associated type.
• CiscoSecure database replication • Remote and centralized logging AAA Servers in Distributed Systems “AAA server” is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user.
Chapter 4 Network Configuration Proxy in Distributed Systems with one another. Each table contains a Cisco Secure ACS entry for itself. In the AAA Servers table, the only AAA server initially listed is itself; the Proxy Distribution Table lists an initial entry of (Default), which displays how the local Cisco Secure ACS is configured to handle each authentication request locally. You can configure additional AAA servers in the AAA Servers table.
Note When a Cisco Secure ACS receives a TACACS+ authentication request forwarded by proxy, any Network Access Restrictions for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.

continues, in order, down the list until a AAA server handles the authentication request. (Failed connections are detected by failure of the nominated server to respond within a specified time period. That is, the request is timed out.) If Cisco Secure ACS cannot connect to any server in the list, authentication fails.

Because Mary works in the Los Angeles office, her user profile, which defines her authentication and authorization privileges, resides on the local Los Angeles AAA server. However, Mary occasionally travels to a division within the corporation in New York, where she still needs to access the corporate network to get her e-mail and other files. When Mary is in New York, she dials in to the New York office and logs in as mary@la.corporate.com.
Chapter 4 Network Configuration Network Device Searches You can also choose to have Voice-over-IP (VoIP) accounting information logged remotely, either appended to the RADIUS Accounting log, in a separate VoIP Accounting log, or both. Other Features Enabled by System Distribution Beyond basic proxy and fallback features, configuring a Cisco Secure ACS to interact with distributed systems enables several other features that are beyond the scope of this chapter.
or “m*”. Name-based searches are case insensitive. If you do not want to search based on device name, you can leave the Name box blank or you can put only an asterisk in the Name box. • IP Address—The IP address specified for the network device in Cisco Secure ACS. For each octet in the address, you have three options, as follows: – Number—You can specify a number, for example, 10.3.157.98.

Step 3 Set the criteria for a device search. Tip For information about search criteria, see Network Device Search Criteria, page 4-8. Step 4 Tip When you leave the Search for Network Devices page, Cisco Secure ACS retains your search criteria and results for the duration of the current administrative session.
Chapter 4 Network Configuration AAA Client Configuration Step 6 If you want to download a file containing the search results in a comma-separated value format, click Download and use your browser to save the file to a location and filename of your choice. Step 7 If you want to search again using different criteria, repeat Step 3 and Step 4.
recommend that you adopt a descriptive, consistent naming convention for AAA client hostnames. Maximum length for a AAA client hostname is 32 characters. Note After you submit the AAA client hostname, you cannot change it. If you want to use a different name for a AAA client, delete the AAA client configuration and create a AAA client configuration using the new name.

For correct operation, the key must be identical on the AAA client and Cisco Secure ACS. Keys are case sensitive. Because shared secrets are not synchronized, it is easy to make mistakes when entering them on network devices and Cisco Secure ACS. If the shared secret does not match, Cisco Secure ACS discards all packets from the network device. • Network Device Group—The name of the NDG to which this AAA client should belong.
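The shared-secret mismatch described above has a mechanical cause that is worth seeing once. The following Python is an added example, not code from the Cisco Secure ACS guide or product. It implements the TACACS+ body obfuscation as the TACACS+ specification defines it (an XOR with an MD5 pseudo-pad chained from the session ID, the key, the version and the sequence number), builds an authentication START packet under the key Secret1, and decodes that packet first with the correct key and then with secret1. The key, username, port, remote address and session ID are constructed values. There is no key-check field in the protocol: a receiver holding the wrong key gets a body whose enumerations and length bytes do not add up, so its parser rejects the packet. That is all a case difference in the key looks like from the ACS side, and it is why ACS discards every packet from such a device rather than logging an authentication failure.

```python
"""Added example: TACACS+ body obfuscation and what a key mismatch looks like
to the receiver.  Not part of the Cisco Secure ACS guide; all values constructed."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0 (default)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain from the TACACS+ specification:
    pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(session_id|key|version|seq_no|pad_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR against the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    service=LOGIN(1), four length bytes, then the variable-length fields."""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def pack_packet(session_id: int, seq_no: int, key: bytes, body: bytes) -> bytes:
    """Clear-text 12-byte header followed by the obfuscated body."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes):
    """Return the decoded START fields, or None when the body is inconsistent.
    Inconsistency is the only signal the receiver gets that the key is wrong."""
    if len(packet) < HEADER.size:
        return None
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER.size + length or length < 8:
        return None
    body = xor_body(packet[HEADER.size:], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    # Checks a server applies: enumerations in range, and the length bytes must account
    # for the whole body.  A wrong key turns these eight bytes into noise.
    if action not in (1, 2, 3) or priv_lvl > 15 or not 1 <= authen_type <= 6 or service > 9:
        return None
    if 8 + ulen + plen + rlen + dlen != length:
        return None
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    return {"user": user.decode("ascii", "replace"), "port": port.decode("ascii", "replace"),
            "rem_addr": rem_addr.decode("ascii", "replace"), "priv_lvl": priv_lvl,
            "data": body[off:off + dlen]}


def key_mismatch_demo():
    """Decode one packet with the right key, then with a key differing only in case."""
    session_id = 0x2A5D3C1E  # fixed constructed value so the run is reproducible
    body = build_authen_start(b"admin", b"tty1", b"10.0.0.5")
    pkt = pack_packet(session_id, 1, b"Secret1", body)
    return parse_authen_start(pkt, b"Secret1"), parse_authen_start(pkt, b"secret1")


if __name__ == "__main__":
    good, bad = key_mismatch_demo()
    print("correct key :", good)
    print("wrong case  :", bad)
```

For RADIUS the symptom differs in detail (a garbled User-Password and, where the client sends one, a failing Message-Authenticator) but the effect is the same: nothing usable arrives from that device, so a sudden silence from a AAA client after a key change is the first thing to check. Note also that this pseudo-pad is obfuscation keyed on a shared string, not authenticated encryption; the key keeps credentials from casual observers on the wire and nothing more.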
When an authentication request from a RADIUS (Cisco Aironet) AAA client arrives, Cisco Secure ACS first attempts authentication by using LEAP; if this fails, Cisco Secure ACS fails over to EAP-TLS. If LEAP is not enabled on the Global Authentication Setup page, Cisco Secure ACS immediately attempts EAP-TLS authentication.

attributes. If the AAA client represents a Cisco Aironet Access Point used only by users authenticating with PEAP or EAP-TLS, this is also the protocol to select. – RADIUS (Ascend)—RADIUS using Ascend RADIUS VSAs. Select this option if the network device is an Ascend network device supporting authentication via RADIUS. – RADIUS (Juniper)—RADIUS using Juniper RADIUS VSAs.

• Replace RADIUS Port info with Username from this AAA Client—Enables use of username rather than port number for session state tracking. This option is useful when the AAA client cannot provide unique port values, such as a gateway GPRS support node (GGSN).

Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA client is to be assigned. Then, click Add Entry below the AAA Clients table. • To add a AAA client when you have not enabled NDGs, click Add Entry below the AAA Clients table. The Add AAA Client page appears. Step 3 In the AAA Client Hostname box, type the name assigned to this AAA client (up to 32 characters).

Step 7 From the Authenticate Using list, select the network security protocol used by the AAA client. Tip If you are uncertain which protocol to select on the Authenticate Using list, see AAA Client Configuration Options, page 4-11. Step 8 If you want to enable a single connection from a AAA client, rather than a new one for every TACACS+ request, select the Single Connect TACACS+ AAA Client (Record stop in accounting on failure) check box.

Tip If you want to save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart. Editing a AAA Client You can use this procedure to edit the settings for a AAA client configuration.

Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA client is assigned. Then, click the name of the AAA client. • To edit a AAA client when you have not enabled NDGs, click the name of the AAA client in the AAA Client Hostname column of the AAA Clients table. The AAA Client Setup For Name page appears. Step 3 Modify the AAA client settings, as needed.
Chapter 4 Network Configuration AAA Server Configuration Deleting a AAA Client To delete a AAA client, follow these steps: Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA client is assigned. Then, click the AAA client hostname in the AAA Clients table.
To configure distributed system features for a given Cisco Secure ACS, you must first define the other AAA server(s). For example, all Cisco Secure ACSes involved in replication, remote logging, authentication proxying, and RDBMS synchronization must have AAA server configurations for each other; otherwise, incoming communication from an unknown Cisco Secure ACS is ignored and the distributed system feature will fail.

Note After you submit the AAA server name, you cannot change it. If you want to use a different name for a AAA server, delete the AAA server configuration and create a AAA server configuration using the new name. • AAA Server IP Address—The IP address of the AAA server, in dotted, four octet format. For example, 10.77.234.3. • Key—The shared secret of the AAA server. Maximum length for a AAA server key is 32 characters.

– Cisco Secure ACS—Select this option if the remote AAA server is another Cisco Secure ACS. This enables you to configure features that are only available with other Cisco Secure ACSes, such as CiscoSecure user database replication and remote logging. The remote Cisco Secure ACS must be using version 2.1 or later.

To add and configure a AAA server, follow these steps: Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA server is to be assigned. Then, click Add Entry below the [name] AAA Servers table. • To add a AAA server when you have not enabled NDGs, below the AAA Servers table, click Add Entry.

Step 9 From the Traffic Type list, select the type of traffic you want to permit between the remote AAA server and Cisco Secure ACS. Step 10 To save your changes and apply them immediately, click Submit + Restart. Tip To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.

To edit a AAA server, follow these steps: Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, in the AAA Servers table, click the name of the AAA server to be edited. • If you have not enabled NDGs, in the AAA Servers table, click the name of the AAA server to be edited.
Chapter 4 Network Configuration Network Device Group Configuration Deleting a AAA Server To delete a AAA server, follow these steps: Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, click the AAA server name in the AAA Servers table. • If you have not enabled NDGs, click the AAA server name in the AAA Servers table.
Cisco Secure ACS—single discrete devices such as an individual router or network access server, and an NDG; that is, a collection of routers or AAA servers. Caution To see the Network Device Groups table in the HTML interface, you must have the Network Device Groups option selected on the Advanced Options page of the Interface Configuration section.

Tip If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select Network Device Groups. Step 3 In the Network Device Group Name box, type the name of the new NDG. Tip The maximum name length is 24 characters. Quotation marks (“) and commas (,) are not allowed. Spaces are allowed. Step 4 Click Submit. The Network Device Groups table displays the new NDG.

Tip If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box. Step 3 Click the name of the network device you want to assign to an NDG. Step 4 From the Network Device Groups list, select the NDG to which you want to assign the AAA client or AAA server. Step 5 Click Submit. The client or server is assigned to an NDG.

Renaming a Network Device Group Caution When renaming an NDG, ensure that there are no NARs or other shared profile components (SPCs) that invoke the original NDG name. Cisco Secure ACS performs no automatic checking to determine whether the original NDG is still invoked. If a user’s authentication request incorporates an SPC that invokes a non-existent (or renamed) NDG, the attempt will fail and the user will be rejected.

Tip It may be useful to empty an NDG of AAA clients and AAA servers before you delete it. You can do this manually by performing the procedure Reassigning a AAA Client or AAA Server to an NDG, page 4-31, or, in cases where there are a large number of devices to reassign, you can use the RDBMS Synchronization feature. Caution When deleting an NDG, ensure that there are no NARs or other SPCs that invoke the original NDG.
Chapter 4 Network Configuration Proxy Distribution Table Configuration Proxy Distribution Table Configuration This section describes the Proxy Distribution Table and provides procedures for working with the Proxy Distribution Table.
character strings. While you cannot change the character string definition for the “(Default)” entry, you can change the distribution of authentication requests matching the “(Default)” entry. At installation, the AAA server associated with the “(Default)” entry is the local Cisco Secure ACS.

Step 7 Tip You can also select additional AAA servers to use for backup proxy if the prior servers fail. To set the order of AAA servers, in the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want. Tip If the AAA server you want to use is not listed, click Network Configuration, click AAA Servers, click Add Entry and complete the applicable information.

Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 Below the Proxy Distribution Table, click Sort Entries. Tip Before you sort the entries, you must have configured at least two unique Proxy Distribution Table entries in addition to the (Default) table entry.
Chapter 4 Network Configuration Proxy Distribution Table Configuration Deleting a Proxy Distribution Table Entry To delete a Proxy Distribution Table entry, follow these steps: Step 1 In the navigation bar, click Network Configuration. The Network Configuration page opens. Step 2 In the Character String column of the Proxy Distribution Table, click the distribution entry you want to delete. The Edit Proxy Distribution Entry page appears. Step 3 Click Delete. A confirmation dialog box appears.
Chapter 5 Shared Profile Components

This chapter addresses the Cisco Secure ACS for Windows Server features found in the Shared Profile Components section of the HTML interface.

named shared profile components (downloadable IP ACLs, NAFs, NARs, and command authorization sets) makes it unnecessary to repeatedly enter long lists of devices or commands when defining network access parameters.

Network Access Filters

This section describes NAFs and provides instructions for creating and managing them.

• NAFs in shared network access restrictions—An essential part of specifying a shared NAR is listing the AAA clients from which user access is permitted or denied. Rather than list every AAA client that makes up a shared NAR, you can simply list one or more NAFs instead of, or in combination with, individual AAA clients.

Tip: For more information on using NAFs in shared NARs, see About Network Access Restrictions, page 5-15.

Step 3 Click Add. The Network Access Filtering edit page appears.
Step 4 In the Name box, type the name of the new network access filter.

Note: The name of a NAF can contain up to 31 characters. Spaces are not allowed. Names cannot contain the following 10 characters: [ ] , / — - " ' > <

Step 5 In the Description box, type a description of the new network access filter.
Step 6 Add network elements to the NAF definition as applicable:

Tip: You can also remove an item from the Selected Items box by selecting the item and then clicking <-- (left arrow button) to remove it from the list.

Step 8 To save your NAF and apply it immediately, click Submit + Restart.

Tip: To save your NAF and apply it later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.

Caution: If you change the name of a NAF, you invalidate all existing references to that NAF; this may affect the access of users or groups associated with NARs or downloadable ACLs that use that NAF.

Step 5 To add an NDG to the NAF definition, from the Network Device Groups box, select the NDG you want to add. Click --> (right arrow button) to move it to the Selected Items box.

Note: Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero.

Cisco Secure ACS re-enters the NAF with the new information, which takes effect immediately.

Deleting a Network Access Filter

Before You Begin

Before you delete a NAF, you should remove its association with any NAR or downloadable IP ACL that uses it.
Downloadable IP ACLs

This section contains the following topics:
• About Downloadable IP ACLs, page 5-8
• Adding a Downloadable IP ACL, page 5-10
• Editing a Downloadable IP ACL, page 5-13
• Deleting a Downloadable IP ACL, page 5-14

About Downloadable IP ACLs

Downloadable IP ACLs enable you to create sets of ACL definitions that you can apply to many users or user groups. These sets of ACL definitions are called ACL contents.

ACL to each applicable user or user group by referencing its name. This is more efficient than configuring the RADIUS Cisco cisco-av-pair attribute for each user or user group. Further, by employing NAFs you can apply different ACL contents to the same user or group of users according to the AAA client they are using.

Examples of Cisco devices that support downloadable IP ACLs are:
• PIX Firewalls
• VPN 3000-series concentrators
• Cisco devices running IOS version 12.3(8)T or greater

An example of the format you should use to enter PIX Firewall ACLs in the ACL Definitions box follows:

permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.

To add a downloadable IP ACL, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears.
Step 2 Click Downloadable IP ACLs.

Step 9 To save the ACL content, click Submit. The Downloadable IP ACLs page appears with the new ACL content listed by name in the ACL Contents column.
Step 10 To associate a NAF to the ACL content, select a NAF from the Network Access Filtering box to the right of the new ACL content. For information on adding a NAF, see Adding a Network Access Filter, page 5-3.

Editing a Downloadable IP ACL

Before You Begin

You should have already configured any NAFs that you intend to use in your editing of the downloadable IP ACL.

To edit a downloadable IP ACL, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears.
Step 2 Click Downloadable IP ACLs. The Downloadable IP ACLs table appears.

Cisco Secure ACS saves the IP ACL with the new information, which takes effect immediately.

Deleting a Downloadable IP ACL

Before You Begin

You should remove the association of an IP ACL with any user or user group profile before deleting the IP ACL.

To delete an IP ACL, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears.
Step 2 Click Downloadable IP ACLs.
Network Access Restrictions

This section contains the following topics:
• About Network Access Restrictions, page 5-15
• Adding a Shared Network Access Restriction, page 5-19
• Editing a Shared Network Access Restriction, page 5-23
• Deleting a Shared Network Access Restriction, page 5-24

About Network Access Restrictions

A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network.

the client. For this type of NAR to operate, the value in the NAR description must exactly match what is being sent from the client, including whatever format is used. For example, (217) 555-4534 does not match 217-555-4534. For more information on this type of NAR filter, see About Non-IP-based NAR Filters, page 5-18. You can define a NAR for, and apply it to, a specific user or user group.

About IP-based NAR Filters

For IP-based NAR filters, ACS uses the following attributes, depending upon the AAA protocol of the authentication request:
• If you are using TACACS+—The rem_addr field from the TACACS+ start packet body is used.

About Non-IP-based NAR Filters

A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client when you do not have an established IP-based connection. The non-IP-based NAR feature generally uses the calling line ID (CLI) number and the Dialed Number Identification Service (DNIS) number.

• If you are using RADIUS—The NAR fields listed use the following values:
– AAA client—The NAS-IP-address (attribute 4) or, if NAS-IP-address does not exist, NAS-identifier (RADIUS attribute 32) is used.
– Port—The NAS-port (attribute 5) or, if NAS-port does not exist, NAS-port-ID (attribute 87) is used.
– CLI—The calling-station-ID (attribute 31) is used.
– DNIS—The called-station-ID (attribute 30) is used.
To add a shared NAR, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears.
Step 2 Click Network Access Restrictions.
Step 3 Click Add. The Network Access Restriction page appears.
Step 4 In the Name box, type a name for the new shared NAR. The name can contain up to 31 characters. Leading and trailing spaces are not allowed.

Note: The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.

d. Click Enter. The AAA client, port, and address information appears as a line item in the table.
e. To enter additional IP-based line items, repeat c.

d. To specify the information that this NAR should filter on, type values in the following boxes, as applicable:

Tip: You can type an asterisk (*) as a wildcard to specify "all" as a value.

• Port—Type the number of the port to filter on.
• CLI—Type the CLI number to filter on.

Editing a Shared Network Access Restriction

To edit a shared NAR, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears.
Step 2 Click Network Access Restrictions. The Network Access Restrictions table appears.
Step 3 In the Name column, click the shared NAR you want to edit. The Network Access Restriction page appears with information displayed for the selected NAR.

Step 7 To edit a line item in the CLI/DNIS access restrictions table, follow these steps:
a. Double-click the line item that you want to edit. Information for the line item is removed from the table and written to the boxes below the table.
b. Edit the information, as necessary.

Note: The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024.

To delete a shared NAR, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page appears.
Step 2 Click Network Access Restrictions.
Step 3 Click the Name of the shared NAR you want to delete. The Network Access Restriction page appears with information displayed for the selected NAR.
Step 4 At the bottom of the page, click Delete.
Command Authorization Sets

About Command Authorization Sets

This section contains the following topics:
• Command Authorization Sets Description, page 5-26
• Command Authorization Sets Assignment, page 5-28
• Case Sensitivity and Command Authorization, page 5-29
• Arguments and Command Authorization, page 5-29
• About Pattern Matching, page 5-30

Command Authorization Sets Description

Command authorization sets provide a central mechanism to control the author

To offer fine-grained control of device-hosted, administrative Telnet sessions, a network device using TACACS+ can request authorization for each command line before its execution. You can define a set of commands that are either permitted or denied for execution by a particular user on a given device.

Cisco Secure ACS has three sequential stages of command authorization filtering. Each command authorization request is evaluated in the following order:
1. Command Match: Cisco Secure ACS determines whether the command being processed matches a command listed in the command authorization set. If no matching command is found, command authorization is determined by the Unmatched Commands setting, which is either permit or deny.

• Device Management Command Authorization Sets—See either of the following:
– Configuring Device-Management Command Authorization for a User Group, page 6-37
– Configuring Device-Management Command Authorization for a User, page 7-30

Case Sensitivity and Command Authorization

When performing command authorization, Cisco Secure ACS evaluates commands and arguments in a case-sensitive manner.

For example, if a user typed the following command during a router-hosted session:

interface FastEthernet0/1

the router may send the command and arguments to Cisco Secure ACS as follows:

01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd=in
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV

To permit or deny commands that carry no arguments, you can use absolute matching to specify the null argument condition. For example, you use permit ^$ to permit a command with no arguments. Alternatively, entering permit has the same effect. Either of these methods can be used, with the Permit Unmatched Args option unselected, to match and therefore permit or deny commands that have no argument.
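The command-match, argument-match and Permit Unmatched Args behaviour described in this section, as an added example that is not Cisco's code: argument rules are typed as "permit <pattern>" or "deny <pattern>" lines (a bare permit or deny is treated like ^$, as the text states), patterns are regular expressions, matching is case-sensitive, and the first matching argument rule deciding is an assumption of this model. The sample set is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandEntry:
    """One command in a set, with its argument rules in listed order."""
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = False   # the Permit Unmatched Args option


@dataclass
class CommandAuthorizationSet:
    commands: Dict[str, CommandEntry] = field(default_factory=dict)
    unmatched_commands: str = "deny"      # Unmatched Commands: permit | deny


def parse_arg_rule(line: str) -> Tuple[str, str]:
    """'permit run' -> ('permit', 'run'). A bare 'permit' or 'deny' is the
    null-argument case and is treated like the pattern '^$'."""
    parts = line.strip().split(None, 1)
    if not parts or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad argument rule: {line!r}")
    pattern = parts[1] if len(parts) > 1 else "^$"
    return parts[0], pattern


def authorize(cmd_set: CommandAuthorizationSet, command: str, args: str) -> bool:
    """True if the command line (command plus its argument string) is permitted."""
    # Stage 1: Command Match, case-sensitive ("Show" is not "show"). With no
    # matching command the Unmatched Commands setting decides.
    entry = cmd_set.commands.get(command)
    if entry is None:
        return cmd_set.unmatched_commands == "permit"
    # Stage 2: Argument Match against the listed patterns. They are regular
    # expressions, so "run" matches "running-config" while "^$" matches only
    # an empty argument string. First matching rule decides (assumption).
    for action, pattern in entry.arg_rules:
        if re.search(pattern, args):
            return action == "permit"
    # Stage 3: no argument rule matched; Permit Unmatched Args decides.
    return entry.permit_unmatched_args


def build_set(spec: Dict[str, List[str]], unmatched_commands: str = "deny",
              permit_unmatched_args: bool = False) -> CommandAuthorizationSet:
    """Build a set from {command: [rule lines]} as typed into the interface."""
    commands = {
        cmd: CommandEntry([parse_arg_rule(r) for r in rules], permit_unmatched_args)
        for cmd, rules in spec.items()
    }
    return CommandAuthorizationSet(commands, unmatched_commands)


# Constructed sample: an operator may view the running config and version,
# may enter "configure" only with no arguments, and nothing else.
OPERATOR_SET = build_set({
    "show": ["permit run", "permit version"],
    "configure": ["permit ^$"],
}, unmatched_commands="deny")


if __name__ == "__main__":
    for cmd, args in (("show", "running-config"), ("configure", "terminal"),
                      ("configure", ""), ("reload", "")):
        verdict = "permit" if authorize(OPERATOR_SET, cmd, args) else "deny"
        print(f"{verdict:6} {cmd} {args}".rstrip())
```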
Step 6 If Cisco Secure ACS displays an expandable checklist tree below the Name and Description boxes, use the checklist tree to specify the actions permitted by the command authorization set. To do so, follow these steps:
a. To expand a checklist node, click the plus (+) symbol to its left.
b. To enable an action, select its check box. For example, to enable a Device View action, select the View check box under the Device checklist node.

c. Click Add Command. The typed command is added to the command list box.
d. To add an argument to a command, in the command list box, select the command and then type the argument in the box to the right of the command.

Note: The correct format for arguments is . For example, with the command show already listed, you might enter permit run as the argument.

Step 3 From the Name column, click the name of the set you want to change. Information for the selected set appears on the applicable Command Authorization Set page.
Step 4 If an expandable checklist tree appears below the Name and Description boxes, you can do any or all of the following:
• To expand a checklist node, click the plus (+) symbol to its left. To collapse an expanded checklist node, click the minus (-) symbol to its left.

Deleting a Command Authorization Set

To delete a command authorization set, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components. The Shared Profile Components page lists the command authorization set types available.
Step 2 Click a command authorization set type, as applicable. The selected Command Authorization Sets table appears.
Chapter 6 User Group Management

This chapter provides information about setting up and managing user groups in Cisco Secure ACS for Windows Server to control authorization. Cisco Secure ACS enables you to group network users for more efficient administration. Each user can belong to only one group in Cisco Secure ACS. You can establish up to 500 groups to effect different levels of authorization.

About User Group Setup Features and Functions

The Group Setup section of the Cisco Secure ACS HTML interface is the centralized location for operations regarding user group configuration and administration. For information about network device groups (NDGs), see Network Device Group Configuration, page 4-28.

If you have configured Cisco Secure ACS to interact with a Cisco device-management application, new TACACS+ services may appear automatically, as needed, to support the device-management application. For more information about Cisco Secure ACS interaction with device-management applications, see Support for Cisco Device-Management Applications, page 1-19. You can use the Shell Command Authorization Set feature to configure TACACS+ group settings.

Group Disablement

You perform this procedure to disable a user group and, thereby, to prevent any member of the disabled group from authenticating.

Note: Group Disablement is the only setting in Cisco Secure ACS where the setting at the group level may override the setting at the user level. If group disablement is set, all users within the disabled group are denied authentication, regardless of whether or not the user account is disabled.

Perform this procedure to enable support for the null password function of VoIP. This enables users to authenticate (session or telephone call) on only the user ID (telephone number). When you enable VoIP at the group level, all users in this group become VoIP users, and the user IDs are treated similarly to a telephone number. VoIP users do not need to enter passwords to authenticate.

To define the times during which users in a particular group are permitted or denied access, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings. The Group Settings page displays the name of the group at its top.
Step 3 In the Default Time-of-Day Access Settings table, select the Set as default Access Times check box.

Setting Callback Options for a User Group

Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges. There are three options, as follows:
• No callback allowed—Disables callback for users in this group. This is the default setting.

Step 5 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Setting Network Access Restrictions for a User Group

The Network Access Restrictions table in Group Setup enables you to apply network access restrictions (NARs) in three distinct ways:
• Apply existing shared NARs by name.

Note: When an authentication request is forwarded by proxy to a Cisco Secure ACS server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.

To set NARs for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
Step 4 To define and apply a NAR, for this particular user group, that permits or denies access to this group based on IP address, or IP address and port, follow these steps:

Tip: You should define most NARs from within the Shared Components section so that the restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction, page 5-19.

Step 5 To permit or deny access to this user group based on calling location or values other than an established IP address, follow these steps:
a. Select the Define CLI/DNIS-based access restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following:
• Permitted Calling/Point of Access Locations
• Denied Calling/Point of Access Locations

Note: The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.

e. Click Enter. The information specifying the AAA client, port, CLI, and DNIS appears in the list.
Step 6 To save the group settings you have just made, click Submit.

Note: A session is any type of connection supported by RADIUS or TACACS+, such as PPP, NAS prompt, Telnet, ARAP, IPX/SLIP.

Note: The default setting for group Max Sessions is Unlimited for both the group and the user within the group.

To configure max sessions settings for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.

Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Setting Usage Quotas for a User Group

Note: If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Usage Quotas check box.

Perform this procedure to define usage quotas for members of a group. Session quotas affect each user of a group individually, not the group collectively.

network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate. This means that a second channel will be accepted even if the first channel has exhausted the quota for the user.

To set user usage quotas for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.

Note: Up to 5 characters are allowed in the to x sessions box.

c. Select the period for which the session quota is effective from the following:
• per Day—From 12:01 a.m. until midnight.
• per Week—From 12:01 a.m. Sunday until midnight Saturday.
• per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.
• Total—An ongoing count of sessions, with no end.
• To cause specific protocol attributes to appear on a group profile page, you must enable the display of those attributes in the Interface Configuration section of the HTML interface. For more information, see Protocol Configuration Options for TACACS+, page 3-7, or Protocol Configuration Options for RADIUS, page 3-11.

Setting Token Card Settings for a User Group

Note: If this section does not appear, configure a token server. Then, click External User Databases, click Database Configuration, and then add the applicable token card server.

Perform this procedure to allow a token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).

Step 4 In the Token Card Settings table, to cache the token for the entire session, select Session.
Step 5 Also in the Token Card Settings table, to cache the token for a specified time period (measured from the time of first authentication), follow these steps:
a. Select Duration.
b. Type the duration length in the box.
c. Select the unit of measure, either Seconds, Minutes or Hours.

Note: To define levels in this manner, you must have configured the option in Interface Configuration; if you have not done so already, click Interface Configuration, click Advanced Settings, and then select the Network Device Groups check box.

If you are using NDGs, this option lets you configure the NDG for enable-level mapping rather than having to do it for each user in the group.

Enabling Password Aging for the CiscoSecure User Database

The password aging feature of Cisco Secure ACS enables you to force users to change their passwords under one or more of the following conditions:
• After a specified number of days (age-by-date rules).
• After a specified number of logins (age-by-uses rules).
• The first time a new user logs in (password change rule).

the calling station. (Watchdog packets are interim packets sent periodically during a session. They provide an approximate session length in the event that no stop packet is received to mark the end of the session.) You can control whether Cisco Secure ACS propagates passwords changed by this feature. For more information, see Local Password Management, page 8-5.

and displays the number of days left before the password expires. For example, if you enter 5 in this box and 20 in the Active period box, users will be notified to change their passwords on the 21st through 25th days.
– Grace period—The number of days to provide as the user grace period. The grace period allows a user to log in once to change the password.

requesting them to change their passwords on their 11th and 12th login attempts. On the 13th login attempt, they receive a prompt telling them that they must change their passwords. If users do not change their passwords now, their accounts expire and they cannot log in. This number must be greater than the Issue warning after x login number.
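The age-by-date and age-by-uses rules worked through above, as an added example that is not Cisco's code: it encodes the stated numbers (active period 20 with warning 5 gives warnings on days 21 through 25; warning after 10 logins with a change required after 12 gives warnings on logins 11 and 12 and a mandatory change on login 13) together with the first-login rule. The field names, the placement of the grace days directly after the warning period, and the expiry on the login after the mandatory change are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordAgingRules:
    """One group's Password Aging Rules (field names are this example's own)."""
    active_period_days: int            # days before warnings begin
    warning_period_days: int           # days on which users are warned
    grace_period_days: int             # days allowing one login to change
    warn_after_logins: int             # "Issue warning after x logins"
    require_change_after_logins: int   # must exceed warn_after_logins

    def __post_init__(self) -> None:
        # The text states this count must be greater than the
        # Issue warning after x login number.
        if self.require_change_after_logins <= self.warn_after_logins:
            raise ValueError("require-change count must exceed the warning count")
        if min(self.active_period_days, self.warning_period_days,
               self.grace_period_days, self.warn_after_logins) < 0:
            raise ValueError("periods and counts must not be negative")


def age_by_date_state(rules: PasswordAgingRules, password_age_days: int) -> str:
    """'active', 'warning', 'grace' or 'expired' for a password of this age.
    Active 20 and warning 5 put the warning on days 21 through 25; the grace
    days are assumed to follow the warning period directly."""
    if password_age_days <= rules.active_period_days:
        return "active"
    warning_end = rules.active_period_days + rules.warning_period_days
    if password_age_days <= warning_end:
        return "warning"
    if password_age_days <= warning_end + rules.grace_period_days:
        return "grace"          # one login permitted, to change the password
    return "expired"


def age_by_uses_state(rules: PasswordAgingRules, login_number: int) -> str:
    """State on the n-th login since the last change. Warn 10 and require 12:
    warnings on logins 11 and 12, mandatory change on 13, expiry afterwards."""
    if login_number <= rules.warn_after_logins:
        return "active"
    if login_number <= rules.require_change_after_logins:
        return "warning"
    if login_number == rules.require_change_after_logins + 1:
        return "must_change"    # the login on which the change is demanded
    return "expired"


def change_required(rules: PasswordAgingRules, password_age_days: int,
                    login_number: int, first_login: bool) -> bool:
    """True when the date rule, the uses rule or the first-login rule demands
    a password change on this login."""
    return (first_login
            or age_by_date_state(rules, password_age_days) == "grace"
            or age_by_uses_state(rules, login_number) == "must_change")


def login_blocked(rules: PasswordAgingRules, password_age_days: int,
                  login_number: int) -> bool:
    """True when either rule has already expired the account."""
    return "expired" in (age_by_date_state(rules, password_age_days),
                         age_by_uses_state(rules, login_number))


# Constructed values matching the worked numbers in the text
EXAMPLE_RULES = PasswordAgingRules(20, 5, 3, 10, 12)
```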
To set password aging rules for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings. The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Password Aging. The Password Aging Rules table appears.

Step 8 To save the group settings you have just made, click Submit. For more information, see Saving Changes to User Group Settings, page 6-56.
Step 9 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Enabling Password Aging for Users in Windows Databases

Cisco Secure ACS supports two types of password aging for users in Windows databases.

Tip: For information on enabling MS CHAP for password changes, see Configuring a Windows External User Database, page 13-30. For information on enabling MS CHAP in System Configuration, see Global Authentication Setup, page 10-26.

• PEAP password aging—PEAP password aging depends upon the PEAP(EAP-GTC) or PEAP(EAP-MSCHAPv2) authentication protocol to send and receive the password change messages.

– Users must be using a client that supports EAP-FAST.
– You must enable EAP-FAST on the Global Authentication Configuration page within the System Configuration section.

Tip: For information about enabling EAP-FAST in System Configuration, see Global Authentication Setup, page 10-26.

– You must enable EAP-FAST password changes on the Windows Authentication Configuration page within the External User Databases section.

• Assigned from AAA Client pool—The IP address is assigned by an IP address pool assigned on the AAA client.
• Assigned from AAA server pool—The IP address is assigned by an IP address pool assigned on the AAA server.

To set an IP address assignment method for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.

Step 5 To save the group settings you have just made, click Submit. For more information, see Saving Changes to User Group Settings, page 6-56.
Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Assigning a Downloadable IP ACL to a Group

The Downloadable ACLs feature enables you to assign an IP ACL at the group level.

Step 6 To save the group settings you have just made, click Submit. For more information, see Saving Changes to User Group Settings, page 6-56.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

To employ custom attributes for a particular service, you must select the Custom attributes check box under that service, and then specify the attribute/value in the box below the check box. For more information about attributes, see Appendix B, "TACACS+ Attribute-Value Pairs", or your AAA client documentation.
Chapter 6 User Group Management Configuration-specific User Group Settings Configuring a Shell Command Authorization Set for a User Group Use this procedure to specify the shell command authorization set parameters for a group. There are four options: Note • None—No authorization for shell commands. • Assign a Shell Command Authorization Set for any network device—One shell command authorization set is assigned, and it applies to all network devices.
Chapter 6 User Group Management Configuration-specific User Group Settings Step 6 Step 7 To assign a particular shell command authorization set to be effective on any configured network device, follow these steps: a. Select the Assign a Shell Command Authorization Set for any network device option. b. Then, from the list directly below that option, select the shell command authorization set you want applied to this group.
Chapter 6 User Group Management Configuration-specific User Group Settings Tip To enter several commands, you must click Submit after specifying a command. A new command entry box appears below the box you just completed. Configuring a PIX Command Authorization Set for a User Group Use this procedure to specify the PIX command authorization set parameters for a user group. There are three options: • None—No authorization for PIX commands.
Chapter 6 User Group Management Configuration-specific User Group Settings Step 3 From the Jump To list at the top of the page, choose TACACS+. The system displays the TACACS+ Settings table section. Step 4 Scroll down to the PIX Command Authorization Set feature area within the TACACS+ Settings table. Step 5 To prevent the application of any PIX command authorization set, select (or accept the default of) the None option.
Chapter 6 User Group Management Configuration-specific User Group Settings Configuring Device-Management Command Authorization for a User Group Use this procedure to specify the device-management command authorization set parameters for a group. Device-management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use Cisco Secure ACS for authorization.
Chapter 6 User Group Management Configuration-specific User Group Settings Step 5 To prevent the application of any command authorization set for the applicable device-management application, select the None option. Step 6 To assign a particular command authorization set that affects device-management application actions on any network device, follow these steps: Step 7 a. Select the Assign a device-management application for any network device option. b.
To configure IETF RADIUS attribute settings to be applied as an authorization for each user in the current group, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings. The Group Settings page displays the name of the group at its top.

Configuring Cisco IOS/PIX RADIUS Settings for a User Group

The Cisco IOS/PIX RADIUS parameters appear only when both the following are true:
• A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in Network Configuration.
• Group-level RADIUS (Cisco IOS/PIX) attributes have been enabled in Interface Configuration: RADIUS (Cisco IOS/PIX).
Cisco IOS/PIX RADIUS represents only the Cisco VSAs.

Step 3 If you want to use other Cisco IOS/PIX RADIUS attributes, select the corresponding check box and specify the required values in the adjacent text box.
Step 4 To save the group settings you have just made, click Submit. For more information, see Saving Changes to User Group Settings, page 6-56.
Step 5 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

The Cisco-Aironet-Session-Timeout VSA appears on the Group Setup page only when both the following are true:
• A AAA client has been configured to use RADIUS (Cisco Aironet) in Network Configuration.
• The group-level RADIUS (Cisco Aironet) attribute has been enabled in Interface Configuration: RADIUS (Cisco Aironet).

Step 7 To save the group settings you have just made, click Submit. For more information, see Saving Changes to User Group Settings, page 6-56.
Step 8 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Step 3 From the Group list, select a group, and then click Edit Settings. The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Ascend).
Step 5 In the Ascend RADIUS Attributes table, determine the attributes to be authorized for the group by selecting the check box next to the attribute.

Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 3000 Concentrator RADIUS attributes.
Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17.

Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group

The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only when both the following are true:
• A network device has been configured to use RADIUS (Cisco VPN 5000) in Network Configuration.
• Group-level RADIUS (Cisco VPN 5000) attributes have been enabled on the RADIUS (Cisco VPN 5000) page of the Interface Configuration section.

Step 5 In the Cisco VPN 5000 Concentrator RADIUS Attributes table, select the attributes that should be authorized for the group by selecting the check box next to the attribute. Further define the authorization for each attribute in the field next to it. For more information about attributes, see Appendix C, “RADIUS Attributes”, or the documentation for network devices using RADIUS.

The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSA:
• Cisco IOS/PIX
• Cisco VPN 3000
• Ascend
Microsoft RADIUS represents only the Microsoft VSA. You must configure both the IETF RADIUS and Microsoft RADIUS attributes.
Note To hide or display Microsoft RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.
Step 6 To save the group settings you have just made, click Submit. For more information, see Saving Changes to User Group Settings, page 6-56.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Step 2 In the navigation bar, click Group Setup. The Group Setup Select page opens.
Step 3 From the Group list, select a group, and then click Edit Settings. The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Nortel).

To configure and enable Juniper RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:
Step 1 Confirm that your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group, page 6-38.
Step 2 In the navigation bar, click Group Setup. The Group Setup Select page opens.

Note To hide or display BBSM RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17.
A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

Configuring Custom RADIUS VSA Settings for a User Group

User-defined, custom RADIUS VSA configurations appear only when all the following are true:
• You have defined and configured the custom RADIUS VSAs. (For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 9-28.
Chapter 6 User Group Management Group Setting Management

Step 6 To save the group settings you have just made, click Submit. For more information, see Saving Changes to User Group Settings, page 6-56.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Group Setting Management

This section describes how to use the Group Setup section to perform a variety of managerial tasks.

Resetting Usage Quota Counters for a User Group

You can reset the usage quota counters for all members of a group, either before or after a quota has been exceeded. To reset usage quota counters for all members of a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup. The Group Setup Select page opens.
Step 2 From the Group list, select the group.

Step 5 Click Submit. The Select page opens with the new group name selected.
Note The group remains in the same position in the list. The number value of the group is still associated with this group name. Some utilities, such as the database import utility, use the numeric value associated with the group.

Saving Changes to User Group Settings

After you have completed configuration for a group, be sure to save your work.
Chapter 7 User Management

This chapter provides information about setting up and managing user accounts in Cisco Secure ACS for Windows Server.
Note Settings at the user level override settings configured at the group level.
Before you configure User Setup, you should understand how this section functions. Cisco Secure ACS dynamically builds the User Setup section interface depending on the configuration of your AAA client and the security protocols being used.

Chapter 7 User Management About User Databases

From within the User Setup section, you can perform the following tasks:
• View a list of all users in the CiscoSecure user database.
• Find a user.
• Add a user.
• Assign the user to a group, including Voice-over-IP (VoIP) Groups.
• Edit user account information.
• Establish or change user authentication type.
• Configure callback information for the user.
• Set network access restrictions (NARs) for the user.
• Configure Advanced Settings.

Chapter 7 User Management Basic User Setup Options

• Windows Database—Authenticates a user with an existing account in the Windows user database located in the local domain or in domains configured in the Windows user database. For more information, see Windows User Database, page 13-7.
• Generic LDAP—Authenticates a user from a Generic LDAP external user database. For more information, see Generic LDAP, page 13-32.
• Novell NDS—Authenticates a user using Novell NetWare Directory Services (NDS).
This section contains the following topics:
• Adding a Basic User Account, page 7-4
• Setting Supplementary User Information, page 7-6
• Setting a Separate CHAP/MS-CHAP/ARAP Password, page 7-7
• Assigning a User to a Group, page 7-8
• Setting User Callback Option, page 7-9
• Assigning a User to a Client IP Address, page 7-10
• Setting Network Access Restrictions for a User, page 7-11
• Setting Max Sessions Options for a User, page 7-16

Step 4 Make sure that the Account Disabled check box is cleared.
Note Alternatively, you can select the Account Disabled check box to create a user account that is disabled, and enable the account at another time.
Step 5 Under Password Authentication in the User Setup table, select the applicable authentication type from the list.

Tip For lengthy account configurations, you can click Submit before continuing. This will prevent loss of information you have already entered if an unforeseen problem occurs.

Setting Supplementary User Information

Supplementary User Information can contain up to five fields that you configure. The default configuration includes two fields: Real Name and Description.

Setting a Separate CHAP/MS-CHAP/ARAP Password

Setting a separate CHAP/MS-CHAP/ARAP password adds more security to Cisco Secure ACS authentication. However, you must have a AAA client configured to support the separate password.

Assigning a User to a Group

A user can only belong to one group in Cisco Secure ACS. The user inherits the attributes and operations assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings configured at the group level. By default, users are assigned to the Default Group.

Setting User Callback Option

Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges. To set the user callback option, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens.

Step 3 Do one of the following:
• If you are finished configuring the user account options, click Submit to record the options.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.

Assigning a User to a Client IP Address

To assign a user to a client IP address, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens.

Step 3
• Assigned by AAA client pool—Select this option and type the AAA client IP pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA client.
• Assigned from AAA pool—Select this option and type the applicable pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA server.

Typically, you define (shared) NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction, page 5-19. You must have selected the User-Level Shared Network Access Restriction check box on the Advanced Options page of the Interface Configuration section for this set of options to appear in the HTML interface.

Step 2 To apply a previously configured shared NAR to this user, follow these steps:
Note To apply a shared NAR, you must have configured it under Network Access Restrictions in the Shared Profile Components section. For more information, see Adding a Shared Network Access Restriction, page 5-19.
a. Select the Only Allow network access when check box.
b.

c. Select or enter the information in the following boxes:
• AAA Client—Select All AAA Clients, or the name of a network device group (NDG), or the name of the individual AAA client, to which to permit or deny access.
• Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.

c. Complete the following boxes:
• AAA Client—Select All AAA Clients, or the name of the NDG, or the name of the individual AAA client, to which to permit or deny access.
• PORT—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports.
• CLI—Type the CLI number to which to permit or deny access.

d. Click Enter. The information, specifying the AAA client, port, CLI, and DNIS, appears in the table above the AAA Client list.
Step 5 Do one of the following:
• If you are finished configuring the user account options, click Submit to record the options.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
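The NAR table above holds one row per AAA client (or NDG), port, CLI and DNIS, with the asterisk as a wildcard, and the "Only Allow network access when" check box turns the table into a permit list. The following is an added example, not code from the guide or from Cisco Secure ACS, that evaluates such a table against constructed access attempts so you can see which row a request matches before you rely on it. The NDG lookup for a client, the deny-list variant and all names and values are assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed model of one row of the NAR table as described in the guide:
# AAA client (All AAA Clients, an NDG name, or one client name), then port,
# CLI and DNIS, each a literal value or the "*" wildcard.
@dataclass(frozen=True)
class NarEntry:
    aaa_client: str
    port: str = "*"
    cli: str = "*"
    dnis: str = "*"

# Constructed access attempt. Which NDG a client belongs to is assumed to be
# resolved elsewhere; the guide does not say how that lookup is done.
@dataclass(frozen=True)
class AccessAttempt:
    aaa_client: str
    ndg: str
    port: str
    cli: str
    dnis: str

def entry_matches(entry: NarEntry, attempt: AccessAttempt) -> bool:
    """True when every column of the NAR row matches the attempt."""
    client_ok = entry.aaa_client in ("All AAA Clients", attempt.aaa_client, attempt.ndg)
    return (client_ok
            and fnmatchcase(attempt.port, entry.port)
            and fnmatchcase(attempt.cli, entry.cli)
            and fnmatchcase(attempt.dnis, entry.dnis))

def nar_decision(entries, attempt: AccessAttempt, only_allow_when: bool = True) -> str:
    """Permit list ("Only Allow network access when" checked): permit only if some
    row matches, so an empty table denies everything. The deny-list form (deny
    when any row matches) is an assumption about the unchecked case."""
    matched = any(entry_matches(e, attempt) for e in entries)
    return "permit" if matched == only_allow_when else "deny"

# Constructed NAR table: every port on the "branch-routers" NDG, plus one port on
# one NAS restricted to a single called number (DNIS).
ENTRIES = [
    NarEntry("branch-routers"),
    NarEntry("hq-nas-1", port="1", dnis="5551212"),
]

def demo() -> dict:
    """Evaluate three constructed attempts against ENTRIES as a permit list."""
    attempts = {
        "from_branch": AccessAttempt("rtr-branch-7", "branch-routers", "3", "tty3", "5550000"),
        "hq_wrong_dnis": AccessAttempt("hq-nas-1", "hq", "1", "tty1", "5559999"),
        "hq_ok": AccessAttempt("hq-nas-1", "hq", "1", "tty1", "5551212"),
    }
    return {name: nar_decision(ENTRIES, a) for name, a in attempts.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of running the table through a matcher is the permit-list semantics: a user with the check box set and no matching row has no network access at all, and a row whose DNIS or CLI column is stricter than you intended silently drops the permit.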
To set max sessions options for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 In the Max Sessions table, under Sessions available to user, select one of the following three options:
• Unlimited—Select to allow this user an unlimited number of simultaneous sessions.

Setting User Usage Quotas Options

You can define usage quotas for individual users. You can limit users in one or both of two ways:
• By total duration of sessions for the period selected.
• By the total number of sessions for the period selected.
For Cisco Secure ACS purposes, a session is considered any type of user connection supported by RADIUS or TACACS+, for example PPP, or Telnet, or ARAP.

with ISDN, the quota is not updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the quota allocated to the user. To set usage quota options for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens. The username being added or edited is at the top of the page.

c. Select the period for which you want to enforce the session usage quota:
• per Day—From 12:01 a.m. until midnight.
• per Week—From 12:01 a.m. Sunday until midnight Saturday.
• per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.
• Absolute—A continuous, open-ended count of hours.
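The quota description above has two details that are easy to get wrong when you reason about enforcement: which period a session is charged to, and the fact that usage is only counted when a session terminates (the ISDN second-channel case). This added example, which is not code from the guide or from Cisco Secure ACS, models both with constructed sessions. Day boundaries are taken at midnight rather than 12:01 a.m., and the session model and all timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Session:
    start: datetime
    end: Optional[datetime]   # None while the session is still up

def period_key(ts: datetime, period: str):
    """Bucket a timestamp into the quota period named in the User Setup table."""
    if period == "per Day":
        return ts.date()
    if period == "per Week":   # Sunday through Saturday; weekday() has Monday == 0
        return (ts - timedelta(days=(ts.weekday() + 1) % 7)).date()
    if period == "per Month":
        return (ts.year, ts.month)
    if period == "Absolute":   # one open-ended bucket
        return "absolute"
    raise ValueError(f"unknown period {period!r}")

def usage_in_period(sessions: List[Session], period: str, now: datetime):
    """Return (session count, hours) already charged to the current period.
    Only terminated sessions count: the quota is updated at termination, which is
    why a second ISDN channel is accepted while the first is still up."""
    key = period_key(now, period)
    ended = [s for s in sessions if s.end is not None and period_key(s.start, period) == key]
    hours = sum((s.end - s.start).total_seconds() for s in ended) / 3600
    return len(ended), hours

def new_session_allowed(sessions, period, now, max_sessions=None, max_hours=None) -> bool:
    """Apply one or both limits (count, duration) for the period containing now."""
    count, hours = usage_in_period(sessions, period, now)
    if max_sessions is not None and count >= max_sessions:
        return False
    if max_hours is not None and hours >= max_hours:
        return False
    return True

def week_bucket(iso_timestamp: str) -> str:
    """ISO date of the Sunday that starts the per-Week period for a timestamp."""
    return period_key(datetime.fromisoformat(iso_timestamp), "per Week").isoformat()

def demo() -> dict:
    """Constructed scenario: a 2-hour daily duration quota and an ISDN first channel."""
    now = datetime(2004, 5, 12, 14, 0)
    first = Session(datetime(2004, 5, 12, 8, 0), None)  # channel 1, still up after 6 h
    sessions = [first]
    second_channel_accepted = new_session_allowed(sessions, "per Day", now, max_hours=2)
    first.end = now                                       # channel 1 terminates
    after_termination = new_session_allowed(sessions, "per Day", now, max_hours=2)
    short = [Session(datetime(2004, 5, 12, 1, 0), datetime(2004, 5, 12, 1, 5)) for _ in range(3)]
    count_limited = new_session_allowed(short, "per Day", now, max_sessions=3)
    return {
        "second_channel_accepted": second_channel_accepted,  # True: nothing charged yet
        "after_termination": after_termination,              # False: 6 h > 2 h quota
        "count_limited": count_limited,                      # False: 3 of 3 sessions used
    }

if __name__ == "__main__":
    print(demo())
    print(week_bucket("2004-05-12T10:00"))
```

Because an open session is not charged until it ends, a duration quota bounds past usage, not concurrent usage; pair it with the Max Sessions setting if concurrency is what you need to limit.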
b. Select the Disable account if option to disable the account under specific circumstances. Then, specify one or both of the circumstances under the following boxes:
• Date exceeds—Select the Date exceeds: check box. Then select the month and type the date (two characters) and year (four characters) on which to disable the account. The default is 30 days after the user is added.
Chapter 7 User Management Advanced User Authentication Settings

To assign a downloadable IP ACL to a user account, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Under the Downloadable ACLs section, click the Assign IP ACL: check box.
Step 3 Select an IP ACL from the list.

• RADIUS Attributes, page 7-37
– Setting IETF RADIUS Parameters for a User, page 7-38
– Setting Cisco IOS/PIX RADIUS Parameters for a User, page 7-39
– Setting Cisco Aironet RADIUS Parameters for a User, page 7-41
– Setting Ascend RADIUS Parameters for a User, page 7-43
– Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User, page 7-44
– Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User, page 7-46
– Setting Micros

Configuring TACACS+ Settings for a User

You can use this procedure to configure TACACS+ settings at the user level for the following service/protocols:
• PPP IP
• PPP IPX
• PPP Multilink
• PPP AppleTalk
• PPP VPDN
• PPP LCP
• ARAP
• Shell (exec)
• PIX Shell (pixShell)
• SLIP
You can also enable any new TACACS+ services that you may have configured.

Before You Begin
• For the TACACS+ service/protocol configuration to be displayed, a AAA client must be configured to use TACACS+ as the security control protocol.
• In the Advanced Options section of Interface Configuration, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.
To configure TACACS+ settings for a user, follow these steps:
Step 1 Click Interface Configuration and then click TACACS+ (Cisco IOS).

Step 6 Do one of the following:
• If you are finished configuring the user account options, click Submit to record the options.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.

Configuring a Shell Command Authorization Set for a User

Use this procedure to specify the shell command authorization set parameters for a user.

To specify shell command authorization set parameters for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Scroll down to the TACACS+ Settings table and to the Shell Command Authorization Set feature area within it.

Step 7 To define the specific Cisco IOS commands and arguments to be permitted or denied for this user, follow these steps:
a. Select the Per User Command Authorization option.
b. Under Unmatched Cisco IOS commands, select either Permit or Deny. If you select Permit, the user can issue all commands not specifically listed. If you select Deny, the user can issue only those commands listed.
c.
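The Unmatched Cisco IOS commands setting in step b is the part of per-user command authorization that decides the blast radius of an omission: with Permit, every command you forgot to list is allowed; with Deny, only listed commands run. The following is an added example, not code from the guide or from Cisco Secure ACS, that evaluates constructed command lines against a per-user table under both settings. Step c (the argument rules) is cut off on the page, so treating each listed command's arguments as shell-style patterns is an assumption, as are the command table and sample command lines.

```python
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed per-user table: listed command -> argument patterns the user may run
# it with. A listed command with an empty list is listed but never permitted.
CommandTable = Dict[str, List[str]]

def authorize_ios_command(line: str, listed: CommandTable, unmatched: str = "Deny") -> str:
    """Return "permit" or "deny" for one Cisco IOS command line.

    unmatched mirrors the Unmatched Cisco IOS commands option: "Permit" lets the
    user issue every command not listed; "Deny" restricts the user to listed ones.
    """
    if unmatched not in ("Permit", "Deny"):
        raise ValueError("unmatched must be Permit or Deny")
    parts = line.split()
    if not parts:                      # empty line: nothing to authorize
        return "deny"
    command, args = parts[0], " ".join(parts[1:])
    if command not in listed:
        return "permit" if unmatched == "Permit" else "deny"
    # Listed command: permitted only with an argument string matching one pattern
    # (assumed argument semantics, see lead-in).
    return "permit" if any(fnmatchcase(args, p) for p in listed[command]) else "deny"

# Constructed table for a read-mostly operator account.
USER_COMMANDS: CommandTable = {
    "show": ["running-config", "ip route*", "interface*"],
    "ping": ["10.*"],
    "configure": [],                   # explicitly listed so it is never permitted
}

def demo() -> dict:
    """Constructed command lines evaluated with Unmatched = Deny."""
    lines = [
        "show running-config",
        "show ip route 10.1.0.0",
        "ping 192.168.1.1",
        "configure terminal",
        "clear counters",              # not listed: decided by the unmatched setting
    ]
    return {line: authorize_ios_command(line, USER_COMMANDS) for line in lines}

if __name__ == "__main__":
    for line, verdict in demo().items():
        print(f"{verdict:6} {line}")
    print("with Unmatched=Permit, 'clear counters' ->",
          authorize_ios_command("clear counters", USER_COMMANDS, unmatched="Permit"))
```

Running the same lines with `unmatched="Permit"` shows the difference: only `clear counters` changes verdict, because the listed commands are decided by their own rules either way.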
Configuring a PIX Command Authorization Set for a User

Use this procedure to specify the PIX command authorization set parameters for a user. There are four options:
• None—No authorization for PIX commands.
• Group—For this user, the group-level PIX command authorization set applies.
• Assign a PIX Command Authorization Set for any network device—One PIX command authorization set is assigned, and it applies to all network devices.

Step 4 To assign the PIX command authorization set at the group level, select the As Group option.
Step 5 To assign a particular PIX command authorization set to be effective on any configured network device, follow these steps:
a. Select the Assign a PIX Command Authorization Set for any network device option.
b. From the list directly below that option, select the PIX command authorization set you want applied to this user.

• Assign a device-management application for any network device—For the applicable device-management application, one command authorization set is assigned, and it applies to management tasks on all network devices.

Step 5 To assign a particular command authorization set that affects device-management application actions on any network device, follow these steps:
a. Select the Assign a device-management application for any network device option.
b. Then, from the list directly below that option, select the command authorization set you want applied to this user.

Step 3 To allow TACACS+ AAA clients to permit unknown services for this user, select the Default (Undefined) Services check box.
Step 4 Do one of the following:
• If you are finished configuring the user account options, click Submit to record the options.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.

• Max Privilege for any AAA Client—Enables you to select from a list the maximum privilege level that will apply to this user on any AAA client on which this user is authorized.
• Define Max Privilege on a per-Network Device Group Basis—Enables you to associate maximum privilege levels to this user in one or more NDGs.
Note This is the default setting.

Step 4 If you selected Define Max Privilege on a per-Network Device Group Basis in Step 2, perform the following steps to define the privilege levels on each NDG, as applicable:
a. From the Device Group list, select a device group.
Note You must have already configured a device group for it to be listed.
b. From the Privilege list, select a privilege level to associate with the selected device group.
c. Click Add Association.

To set the options for the TACACS+ Enable password, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Do one of the following:
• To use the information configured in the Password Authentication section, select Use CiscoSecure PAP password.

Setting TACACS+ Outbound Password for a User

The TACACS+ outbound password enables a AAA client to authenticate itself to another AAA client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP, and results in the Cisco Secure ACS password being given out. By default, the user ASCII/PAP or CHAP/MS-CHAP/ARAP password is used.

This section contains the following topics:
• Setting IETF RADIUS Parameters for a User, page 7-38
• Setting Cisco IOS/PIX RADIUS Parameters for a User, page 7-39
• Setting Cisco Aironet RADIUS Parameters for a User, page 7-41
• Setting Ascend RADIUS Parameters for a User, page 7-43
• Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User, page 7-44
• Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User, page

Note For a list and explanation of RADIUS attributes, see Appendix C, “RADIUS Attributes”, or the documentation for your particular network device using RADIUS.
To configure IETF RADIUS attribute settings to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens.

replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. Cisco IOS RADIUS represents only the Cisco IOS VSAs. You must configure both the IETF RADIUS and Cisco IOS RADIUS attributes.

Setting Cisco Aironet RADIUS Parameters for a User

The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a virtual VSA. It acts as a specialized implementation (that is, a remapping) of the IETF RADIUS Session-Timeout attribute (27) to respond to a request from a Cisco Aironet Access Point. You use it to provide different timeout values when a user must be able to connect via both wireless and wired devices.
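The "virtual VSA" distinction above is about what reaches the wire: Cisco-Aironet-Session-Timeout is sent as the plain IETF attribute 27, whereas a real vendor-specific attribute travels inside attribute 26 with a vendor ID. The following is an added example, not code from the guide or from Cisco Secure ACS, that encodes both forms with RFC 2865 type-length-value layout and parses them back, with a length check so a malformed attribute list fails instead of being walked past its end. Deciding which timeout to send from a boolean "requesting NAS is a Cisco Aironet AP" flag, the cisco-avpair vendor type, and the sample values are assumptions made for the example.

```python
import struct
from typing import List, Tuple

SESSION_TIMEOUT = 27    # IETF Session-Timeout, the attribute number named on the page
VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # assumed vendor type for the cisco-avpair string VSA

def ietf_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, covers type and length), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value

def integer_attribute(attr_type: int, n: int) -> bytes:
    """RADIUS integer values are 4 octets, network byte order."""
    return ietf_attribute(attr_type, struct.pack("!I", n))

def cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """A true VSA: attribute 26 wrapping Vendor-Id 9 and a vendor type/length/value."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return ietf_attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def session_timeout_for(nas_is_aironet: bool, wired_seconds: int, aironet_seconds: int) -> bytes:
    """The remapping described on the page: the Aironet value and the wired value
    are both emitted as attribute 27; only the chosen value depends on the NAS."""
    return integer_attribute(SESSION_TIMEOUT, aironet_seconds if nas_is_aironet else wired_seconds)

def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list, refusing lengths that would run past the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out

def decode_vendor(value: bytes) -> Tuple[int, int, bytes]:
    """Split a Vendor-Specific value into (vendor id, vendor type, vendor value)."""
    if len(value) < 6 or value[5] != len(value) - 4:
        raise ValueError("bad vendor-specific layout")
    return struct.unpack("!I", value[:4])[0], value[4], value[6:]

def demo() -> List[Tuple[int, object]]:
    """Constructed Access-Accept attribute list for a wireless client: a 10 minute
    Session-Timeout (instead of the 1 hour wired value) plus a privilege-level av-pair."""
    packet = session_timeout_for(True, 3600, 600) + cisco_vsa(CISCO_AVPAIR, b"shell:priv-lvl=15")
    decoded = []
    for attr_type, value in parse_attributes(packet):
        if attr_type == SESSION_TIMEOUT:
            decoded.append((attr_type, struct.unpack("!I", value)[0]))
        elif attr_type == VENDOR_SPECIFIC:
            decoded.append((attr_type, decode_vendor(value)))
    return decoded

if __name__ == "__main__":
    print(demo())
```

When you read a packet capture to confirm which timeout a wireless client received, look for attribute 27, not for a Cisco vendor block; only attributes like the av-pair appear under 26 with vendor ID 9.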
Chapter 7 User Management Advanced User Authentication Settings To configure and enable the Cisco Aironet RADIUS attribute to be applied as an authorization for the current user, follow these steps: Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens. The username being added or edited is at the top of the page. Step 2 Before configuring Cisco Aironet RADIUS attributes, be sure your IETF RADIUS attributes are configured properly.
Chapter 7 User Management Advanced User Authentication Settings Setting Ascend RADIUS Parameters for a User The Ascend RADIUS parameters appear only if all the following are true: • A AAA client is configured to use RADIUS (Ascend) in Network Configuration. • The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
Chapter 7 User Management Advanced User Authentication Settings For more information about attributes, see Appendix C, “RADIUS Attributes”, or your AAA client documentation. Step 4 Do one of the following: • If you are finished configuring the user account options, click Submit to record the options. • To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Chapter 7 User Management Advanced User Authentication Settings Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.
Chapter 7 User Management Advanced User Authentication Settings Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only if all the following are true: • A AAA client is configured to use RADIUS (Cisco VPN 5000) in Network Configuration. • The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
Chapter 7 User Management Advanced User Authentication Settings Step 3 In the Cisco VPN 5000 Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps: a. Select the check box next to the particular attribute. b. Further define the authorization for that attribute in the box next to it. c. Continue to select and define attributes, as applicable.
Chapter 7 User Management Advanced User Authentication Settings The Microsoft RADIUS attribute configurations display only if both the following are true: • A AAA client is configured in Network Configuration that uses a RADIUS protocol that supports the Microsoft RADIUS VSA. • The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
Step 3 In the Microsoft RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps: a. Select the check box next to the particular attribute. b. Further define the authorization for that attribute in the box next to it. c. Continue to select and define attributes, as applicable. For more information about attributes, see Appendix C, “RADIUS Attributes”, or your AAA client documentation.
Note To hide or display Nortel RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.
Setting Juniper RADIUS Parameters for a User The Juniper RADIUS parameters appear only if all the following are true: • A AAA client is configured to use RADIUS (Juniper) in Network Configuration. • The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
For more information about attributes, see Appendix C, “RADIUS Attributes”, or your AAA client documentation. Step 4 Do one of the following: • If you are finished configuring the user account options, click Submit to record the options. • To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Step 2 Before configuring BBSM RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-38. Step 3 In the BBSM RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps: a. Select the check box next to the particular attribute. b.
To configure and enable custom RADIUS attributes to be applied as an authorization for the current user, follow these steps: Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4. The User Setup Edit page opens. The username being added or edited is at the top of the page. Step 2 Before configuring custom RADIUS attributes, be sure your IETF RADIUS attributes are configured properly.
• Deleting a User Account, page 7-57 • Resetting User Session Quota Counters, page 7-58 • Resetting a User Account after Login Failure, page 7-59 • Saving User Settings, page 7-60 Listing All Users The User List displays all user accounts (enabled and disabled). The list includes, for each user, the username, status, and the group to which the user belongs. Usernames are displayed in the order in which they were entered into the database.
Tip You can use wildcard characters (*) in this box. Tip To display a list of usernames that begin with a particular letter or number, click the letter or number in the alphanumeric list. A list of users whose names begin with that letter or number opens in the display area on the right. The username, status (enabled or disabled), and group to which the user belongs appear in the display area on the right.
Step 3 Click Add/Edit. The User Setup Edit page opens. The username being edited is at the top of the page. Step 4 Select the Account Disabled check box. Step 5 Click Submit at the bottom of the page. The specified user account is disabled. Deleting a User Account You can delete user accounts one at a time using the HTML interface.
Step 3 Click Add/Edit. Step 4 At the bottom of the User Setup page, click Delete. Note The Delete button appears only when you are editing user information, not when you are adding a username. A popup window appears that asks you to confirm the user deletion. Step 5 Click OK. The user account is removed from the CiscoSecure user database.
Step 5 Click Submit at the bottom of the browser page. The session quota counters are reset for this user. The User Setup Select page appears. Resetting a User Account after Login Failure Perform this procedure when an account is disabled because the failed attempts count has been exceeded during an unsuccessful user attempt to log in. To reset a user account after login failure, follow these steps: Step 1 Click User Setup.
Note If the user authenticates with a Windows user database, this expiration information is in addition to the information in the Windows user account. Changes here do not alter settings configured in Windows. Saving User Settings After you have completed configuration for a user, be sure to save your work. To save the configuration for the current user, follow these steps: Step 1 To save the user account configuration, click Submit.
Chapter 8 System Configuration: Basic This chapter addresses the basic features found in the System Configuration section of Cisco Secure ACS for Windows Server.
Service Control Tip You can configure Cisco Secure ACS service logs. For more information, see Configuring Service Logs, page 11-33. This section contains the following topics: • Determining the Status of Cisco Secure ACS Services, page 8-2 • Stopping, Starting, or Restarting Services, page 8-2 Determining the Status of Cisco Secure ACS Services You can determine whether Cisco Secure ACS services are running or stopped by accessing the Service Control page.
Step 1 In the navigation bar, click System Configuration. Step 2 Click Service Control. The status of the services appears in the CiscoSecure ACS on hostname table, where hostname is the name of the Cisco Secure ACS. If the services are running, the Restart and Stop buttons appear at the bottom of the page. If the services are stopped, the Start button appears at the bottom of the page. Step 3 Click Stop, Start, or Restart, as applicable.
Date Format Control
report generated on July 12, 2001. If you subsequently change to the day/month/year format, on December 7, 2001, Cisco Secure ACS creates a file also named 2001-07-12.csv and overwrites the existing file. To set the date format, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click Date Format Control. Cisco Secure ACS displays the Date Format Selection table. Step 3 Select a date format option.
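The overwrite described above is a filename collision: once the two date fields swap places, a later date can produce the name an earlier report already uses. The following script is an added example, not Cisco's code; it assumes the report filename is built as year, then the two date fields in the order the selected format lists them, which is the only layout consistent with the page's example (July 12, 2001 and December 7, 2001 both becoming 2001-07-12.csv). It reproduces that example and enumerates every day of a year on which a report written after a format change would overwrite an earlier file.

```python
from datetime import date, timedelta

# The two Date Format Control settings named on the page.
MONTH_DAY_YEAR = "month/day/year"
DAY_MONTH_YEAR = "day/month/year"


def report_filename(year: int, month: int, day: int, date_format: str) -> str:
    """Filename a CSV report gets for a date under the selected format.
    Assumed layout: year first, then the two date fields in the order the
    format lists them (this reproduces the page's 2001-07-12.csv example)."""
    if date_format == MONTH_DAY_YEAR:
        first, second = month, day
    elif date_format == DAY_MONTH_YEAR:
        first, second = day, month
    else:
        raise ValueError(f"unknown date format: {date_format!r}")
    return f"{year}-{first:02d}-{second:02d}.csv"


def _days_in(year: int):
    """Yield (month, day) for every calendar day of the year."""
    d = date(year, 1, 1)
    while d.year == year:
        yield d.month, d.day
        d += timedelta(days=1)


def dates_at_risk(year: int, old_format: str, new_format: str) -> dict:
    """Days of `year` whose filename under new_format equals the filename of a
    different day under old_format. Writing such a report after switching
    formats overwrites the earlier file. Returns {(month, day): (month, day)}
    mapping the later date to the earlier date whose file it would replace."""
    old_names = {report_filename(year, m, d, old_format): (m, d)
                 for m, d in _days_in(year)}
    at_risk = {}
    for m, d in _days_in(year):
        clash = old_names.get(report_filename(year, m, d, new_format))
        if clash is not None and clash != (m, d):
            at_risk[(m, d)] = clash
    return at_risk


if __name__ == "__main__":
    # The page's own example: both dates map to the same file name.
    print(report_filename(2001, 7, 12, MONTH_DAY_YEAR))
    print(report_filename(2001, 12, 7, DAY_MONTH_YEAR))
    risky = dates_at_risk(2001, MONTH_DAY_YEAR, DAY_MONTH_YEAR)
    print(len(risky), "days in 2001 would overwrite an earlier report")
```

Only days whose day number is 12 or less (and differs from the month) can collide, which is why the risk is easy to overlook in testing: a format change made late in a month shows no problem until the next month begins.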
Local Password Management You use the Local Password Management page to configure settings that apply to managing passwords stored in the CiscoSecure user database. It contains the following three sections: • Password Validation Options—These settings enable you to configure validation parameters for user passwords.
– Upon remote user password change, immediately propagate the change to selected replication partners—This setting determines whether Cisco Secure ACS sends to its replication partners any passwords changed during a Telnet session hosted by a TACACS+ AAA client, by the CiscoSecure Authentication Agent, or by the User-Changeable Passwords web interface.
Configuring Local Password Management To configure password validation options, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click Local Password Management. The Local Password Management page appears. Step 3 Under Password Validation Options, follow these steps: a. In Password length between X and Y characters, type the minimum valid number of characters for a password in the X box.
Step 5 If you want Cisco Secure ACS to send changed password information immediately after a user has changed a password, select the Upon remote user password change, immediately propagate the change to selected replication partners check box.
Cisco Secure ACS Backup This section provides information about the Cisco Secure ACS Backup feature, including procedures for implementing this feature.
where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. For example, if you installed Cisco Secure ACS version 3.0 in the default location, the default backup location would be c:\Program Files\CiscoSecure ACS v3.0\CSAuth\System Backups The filename given to a backup is determined by Cisco Secure ACS.
Backup Options The ACS System Backup Setup page contains the following configuration options: • Manually—Cisco Secure ACS does not perform automatic backups. When this option is selected, you can only perform a backup by following the steps in Performing a Manual Cisco Secure ACS Backup, page 8-12. • Every X minutes—Cisco Secure ACS performs automatic backups on a set frequency.
Step 2 Click ACS Backup. The ACS System Backup Setup page appears. Step 3 In the Directory box under Backup Location, type the drive and path to the directory on a local hard drive where you want the backup file to be written. Step 4 Click Backup Now. Cisco Secure ACS immediately begins a backup.
Tip Clicking times of day on the graph selects those times; clicking again clears them. At any time you can click Clear All to clear all hours, or you can click Set All to select all hours. Step 5 To change the location where Cisco Secure ACS writes backup files, type the drive letter and path in the Directory box. Step 6 To manage which backup files Cisco Secure ACS keeps, follow these steps: a.
Cisco Secure ACS does not continue any scheduled backups. You can still perform manual backups as needed. Cisco Secure ACS System Restore This section provides information about the Cisco Secure ACS System Restore feature, including procedures for restoring your Cisco Secure ACS from a backup file.
hard drive. You can restore from any backup file you select. For example, you can restore from the latest backup file, or if you suspect that the latest backup was incorrect, you can select an earlier backup file to restore from. The backup directory is selected when you schedule backups or perform a manual backup.
Reports of Cisco Secure ACS Restorations When a Cisco Secure ACS system restoration takes place, the event is logged in the Administration Audit report and the ACS Backup and Restore report. You can view recent reports in the Reports and Activity section of Cisco Secure ACS. For more information about Cisco Secure ACS reports, see Chapter 1, “Overview”.
Step 5 To restore user and group database information, select the User and Group Database check box. Step 6 To restore system configuration information, select the CiscoSecure ACS System Configuration check box. Step 7 Click Restore Now. Cisco Secure ACS displays a confirmation dialog box indicating that performing the restoration will restart Cisco Secure ACS services and log out all administrators.
Cisco Secure ACS Active Service Management System Monitoring Options You have the following options for configuring system monitoring: • Test login process every X minutes—Controls whether or not Cisco Secure ACS tests its login process. The value in the X box defines, in minutes, how often Cisco Secure ACS tests its login process. The default frequency is once per minute, which is also the most frequent testing interval possible.
• Email notification of event—Specifies whether Cisco Secure ACS sends an e-mail notification for each event. – To—The e-mail address that notification e-mail is sent to. For example, joeadmin@company.com. – SMTP Mail Server—The simple mail transfer protocol (SMTP) server that Cisco Secure ACS should use to send notification e-mail. You can identify the SMTP server either by its hostname or by its IP address.
Step 6 If you are done setting up Cisco Secure ACS Service Management, click Submit. Cisco Secure ACS implements the service management settings you made. Event Logging The Event Logging feature enables you to configure whether Cisco Secure ACS logs events to the Windows event log and whether Cisco Secure ACS generates an e-mail when an event occurs.
c. In the SMTP Mail Server box, type the hostname (up to 200 characters) of the sending e-mail server. Note The SMTP mail server must be operational and must be available from the Cisco Secure ACS. Step 5 If you want to set up system monitoring, see Setting Up System Monitoring, page 8-19. Step 6 If you are done setting up Cisco Secure ACS Service Management, click Submit.
VoIP Accounting Configuration To configure VoIP accounting, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click VoIP Accounting Configuration. Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Accounting Configuration check box. The VoIP Accounting Configuration page appears.
Chapter 9 System Configuration: Advanced This chapter addresses the CiscoSecure Database Replication and RDBMS Synchronization features found in the System Configuration section of Cisco Secure ACS for Windows Server.
CiscoSecure Database Replication • Replication Options, page 9-11 – Replication Components Options, page 9-11 – Outbound Replication Options, page 9-12 – Inbound Replication Options, page 9-15 • Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes, page 9-15 • Configuring a Secondary Cisco Secure ACS, page 9-17 • Replicating Immediately, page 9-19 • Scheduling Replication, page 9-21 • Disabling CiscoSecure Database Replication, pa
• IP pool definitions (for more information, see About IP Pools Server, page 9-44). • Cisco Secure ACS certificate and private key files. • All external user database configurations, including Network Admission Control (NAC) databases. • Unknown user group mapping configuration. • User-defined RADIUS dictionaries (for more information, see Important Implementation Considerations, page 9-7).
be running Cisco Secure ACS version 3.2. Because patch releases can introduce significant changes to the CiscoSecure database, we strongly recommend that Cisco Secure ACSes involved in replication use the same patch level, too. Replication Process This topic describes the process of database replication, including the interaction between a primary Cisco Secure ACS and each of its secondary Cisco Secure ACSes.
c. The primary Cisco Secure ACS verifies that the version of Cisco Secure ACS that the secondary Cisco Secure ACS is running is the same as its own version of Cisco Secure ACS. If not, replication fails. d. The primary Cisco Secure ACS compares the list of database components it is configured to send with the list of database components the secondary Cisco Secure ACS is configured to receive.
c. The secondary Cisco Secure ACS resumes its authentication service. Cisco Secure ACS can act as both a primary Cisco Secure ACS and a secondary Cisco Secure ACS. Figure 9-1 shows a cascading replication scenario. Server 1 acts only as a primary Cisco Secure ACS, replicating to servers 2 and 3, which act as secondary Cisco Secure ACSes.
Replication Frequency The frequency with which your Cisco Secure ACSes replicate can have important implications for overall AAA performance. With shorter replication frequencies, a secondary Cisco Secure ACS is more up-to-date with the primary Cisco Secure ACS. This allows for a more current secondary Cisco Secure ACS if the primary Cisco Secure ACS fails. There is a cost to having frequent replications.
– In its AAA Servers table, a primary Cisco Secure ACS must have an accurately configured entry for each secondary Cisco Secure ACS.
• A secondary Cisco Secure ACS receiving replicated components must be configured to accept database replication from the primary Cisco Secure ACS. To configure a secondary Cisco Secure ACS for database replication, see Configuring a Secondary Cisco Secure ACS, page 9-17. • Cisco Secure ACS does not support bidirectional database replication.
of settings using user-defined RADIUS vendors and VSAs is supported. For more information about user-defined RADIUS vendors and VSAs, see Custom RADIUS Vendors and VSAs, page 9-28. Database Replication Versus Database Backup Do not confuse database replication with system backup. Database replication does not replace System Backup.
For more information about Cisco Secure ACS reports, see Chapter 1, “Overview”. Replication Options The Cisco Secure ACS HTML interface provides three sets of options for configuring CiscoSecure Database Replication, documented in this section.
Note If you intend to use cascading replication to replicate network configuration device tables, you must configure the primary Cisco Secure ACS with all Cisco Secure ACSes that will receive replicated database components, regardless of whether they receive replication directly or indirectly from the primary Cisco Secure ACS.
– Manually—Cisco Secure ACS does not perform automatic database replication. – Automatically Triggered Cascade—Cisco Secure ACS performs database replication to the configured list of secondary Cisco Secure ACSes when database replication from a primary Cisco Secure ACS completes.
Note The items in the AAA Server and Replication lists reflect the AAA servers configured in the AAA Servers table in Network Configuration. To make a particular Cisco Secure ACS available as a secondary Cisco Secure ACS, you must first add that Cisco Secure ACS to the AAA Servers table of the primary Cisco Secure ACS.
Inbound Replication Options You can specify the primary Cisco Secure ACSes from which a secondary Cisco Secure ACS accepts replication. This option appears in the Inbound Replication table on the CiscoSecure Database Replication page. The Accept replication from list controls which Cisco Secure ACSes the current Cisco Secure ACS accepts replicated components from.
To implement primary and secondary replication setups on Cisco Secure ACSes, follow these steps: Step 1 On each secondary Cisco Secure ACS, follow these steps: a. In the Network Configuration section, add the primary Cisco Secure ACS to the AAA Servers table. For more information about adding entries to the AAA Servers table, see AAA Server Configuration, page 4-21. b.
Configuring a Secondary Cisco Secure ACS Note If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box. Select the Distributed System Settings check box if not already selected. The CiscoSecure Database Replication feature requires that you configure specific Cisco Secure ACSes to act as secondary Cisco Secure ACSes.
Step 4 In the Replication Components table, select the Receive check box for each database component to be received from a primary Cisco Secure ACS. For more information about replication components, see Replication Components Options, page 9-11. Step 5 Make sure that no Cisco Secure ACS that the secondary Cisco Secure ACS is to receive replicated components from is included in the Replication list.
Note For each primary Cisco Secure ACS for this secondary Cisco Secure ACS, on both the primary and secondary Cisco Secure ACS, the AAA Servers table entries for the primary Cisco Secure ACS must have identical shared secrets. Step 8 Click Submit.
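The replication requirements scattered across the Replication Process, Important Implementation Considerations, Inbound Replication Options and Configuring a Secondary Cisco Secure ACS passages above all have to hold at once for a primary/secondary pair. The script below is an added example, not Cisco's code: it models the relevant settings of each server (the field names, server names, component names and shared-secret values are constructed stand-ins) and reports every requirement the pair violates, so a reviewer can check a planned replication layout before scheduling it.

```python
from dataclasses import dataclass, field


@dataclass
class AcsServer:
    """Constructed model of the replication-relevant settings of one ACS."""
    name: str
    version: str                                         # page: versions must match
    aaa_servers: dict = field(default_factory=dict)      # AAA Servers table: name -> shared secret
    send: set = field(default_factory=set)               # components with Send selected
    receive: set = field(default_factory=set)            # components with Receive selected
    replication_list: set = field(default_factory=set)   # outbound Replication list
    accept_from: set = field(default_factory=set)        # inbound Accept replication from list


def replication_prechecks(primary: AcsServer, secondary: AcsServer) -> list:
    """Return the reasons this pair cannot replicate; an empty list means the
    configuration on both sides satisfies the requirements the page states."""
    problems = []
    # Replication Process, step c: version mismatch makes replication fail.
    if primary.version != secondary.version:
        problems.append(f"version mismatch: {primary.name} runs {primary.version}, "
                        f"{secondary.name} runs {secondary.version}")
    # The primary needs an AAA Servers entry for each secondary, and the
    # secondary must be in the primary's Replication list.
    if secondary.name not in primary.aaa_servers:
        problems.append(f"{primary.name} has no AAA Servers entry for {secondary.name}")
    if secondary.name not in primary.replication_list:
        problems.append(f"{secondary.name} is not in the Replication list of {primary.name}")
    # The secondary must accept replication from this primary (Inbound Replication).
    if primary.name not in secondary.accept_from:
        problems.append(f"{secondary.name} does not accept replication from {primary.name}")
    # Both AAA Servers table entries for the primary must carry identical shared secrets.
    if primary.name not in primary.aaa_servers or primary.name not in secondary.aaa_servers:
        problems.append(f"AAA Servers entry for {primary.name} is missing on one side")
    elif primary.aaa_servers[primary.name] != secondary.aaa_servers[primary.name]:
        problems.append(f"shared secret for {primary.name} differs between the two servers")
    # No bidirectional replication: the secondary must not list its primary as a target.
    if primary.name in secondary.replication_list:
        problems.append(f"{secondary.name} would replicate back to {primary.name}")
    return problems


def components_transferred(primary: AcsServer, secondary: AcsServer) -> set:
    """Replication Process, step d: components the primary sends that the
    secondary is also configured to receive."""
    return primary.send & secondary.receive


def build_example():
    """Constructed layout: acs1 is primary for acs2 (consistent) and acs3 (broken)."""
    acs1 = AcsServer("acs1", "3.3",
                     aaa_servers={"acs1": "secret-1", "acs2": "secret-2", "acs3": "secret-3"},
                     send={"users", "groups", "network"},
                     replication_list={"acs2", "acs3"})
    acs2 = AcsServer("acs2", "3.3",
                     aaa_servers={"acs1": "secret-1", "acs2": "secret-2"},
                     receive={"users", "groups"}, accept_from={"acs1"})
    acs3 = AcsServer("acs3", "3.2",                       # wrong version
                     aaa_servers={"acs1": "typo-secret", "acs3": "secret-3"},  # secret differs
                     receive={"users"}, accept_from={"acs1"},
                     replication_list={"acs1"})             # would replicate back
    return acs1, acs2, acs3


if __name__ == "__main__":
    primary, good, bad = build_example()
    for secondary in (good, bad):
        print(secondary.name, replication_prechecks(primary, secondary),
              components_transferred(primary, secondary))
```

The same function can be applied along a cascade (server 1 to server 2, then server 2 to server 3) by calling it for each primary/secondary hop in turn.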
Note If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box. Select the Distributed System Settings check box if not already selected. The Database Replication Setup page appears.
Note Replication only occurs when the database of the primary Cisco Secure ACS has changed since the last successful replication. You can force replication to occur by making one change to a user or group profile, such as changing a password or RADIUS attribute. Scheduling Replication You can schedule when a primary Cisco Secure ACS sends its replicated database components to a secondary Cisco Secure ACS.
Note If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box. Select the Distributed System Settings check box if not already selected. The Database Replication Setup page appears.
Step 7 If you want to have this Cisco Secure ACS send replicated database components immediately upon receiving replicated database components from another Cisco Secure ACS, select the Automatically triggered cascade option. Tip Clicking times of day on the graph selects those times; clicking again clears them. At any time you can click Clear All to clear all hours, or you can click Set All to select all hours. Step 8
c. Repeat Step a and Step b for each secondary Cisco Secure ACS to which you want the primary Cisco Secure ACS to send its selected replicated database components. Step 9 In the Replication timeout text box, specify how long this Cisco Secure ACS will perform replication to each of its secondary Cisco Secure ACSes before terminating the replication attempt and restarting the CSAuth service. Step 10 Click Submit.
Database Replication Event Errors The Database Replication report contains messages indicating errors that occur during replication. For more information about the Database Replication report, see Cisco Secure ACS System Logs, page 11-13.
RDBMS Synchronization – Synchronization Partners Options, page 9-39 • Performing RDBMS Synchronization Immediately, page 9-40 • Scheduling RDBMS Synchronization, page 9-41 • Disabling Scheduled RDBMS Synchronizations, page 9-43 About RDBMS Synchronization The RDBMS Synchronization feature enables you to update the CiscoSecure user database with information from an ODBC-compliant data source.
Users Among the user-related configuration actions that RDBMS Synchronization can perform are the following: • Adding users. • Deleting users. • Setting passwords. • Setting user group memberships. • Setting Max Sessions parameters. • Setting network usage quota parameters. • Configuring command authorizations. • Configuring network access restrictions. • Configuring time-of-day/day-of-week access restrictions.
• Specifying outbound TACACS+ attribute values. For specific information about all actions that RDBMS Synchronization can perform, see Appendix F, “RDBMS Synchronization Import Definitions”. Network Configuration Among the network device-related configuration actions that RDBMS Synchronization can perform are the following: • Adding AAA clients. • Deleting AAA clients. • Setting AAA client configuration details.
Note If you intend to replicate user-defined RADIUS vendor and VSA configurations, user-defined RADIUS vendor and VSA definitions to be replicated must be identical on the primary and secondary Cisco Secure ACSes, including the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information about database replication, see CiscoSecure Database Replication, page 9-1.
Figure 9-2 RDBMS Synchronization (figure: a third-party RDBMS holding the accountActions table, connected through ODBC to Cisco Secure Access Control Servers 1, 2, and 3) CSDBSync reads each record from the accountActions table and updates the CiscoSecure user database as specified by the action code in the record. For example, a record could instruct CSDBSync to add a user or change a user password.
About the accountActions Table The accountActions table contains a set of rows that define actions CSDBSync is to perform in the CiscoSecure user database. Each row in the accountActions table holds user, user group, or AAA client information. Each row also contains an action field and several other fields. These fields provide CSDBSync with the information it needs to update the CiscoSecure user database.
• Oracle 7—Contains the files accountActions.sql and testData.sql. The accountActions.sql file contains the Oracle 7 SQL procedure needed to generate an accountActions table. The testData.sql file contains Oracle 7 SQL procedures for updating the accountActions table with sample transactions that CSDBSync can process. • Oracle 8—Contains the files accountActions.sql and testData.sql. The accountActions.
Replaying transaction logs that slightly predate the checkpoint does not damage the CiscoSecure user database, although some transactions might be invalid and reported as errors. As long as the entire transaction log is replayed, the CiscoSecure user database is consistent with the database of the external RDBMS application. Reports and Event (Error) Handling The CSDBSync service provides event and error logging.
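The replay guarantee above (rows that predate the checkpoint are reported as errors but leave the database consistent) follows from each action being applied against the current state of the database rather than blindly. The script below is an added example, not CSDBSync itself: it uses a simplified, hypothetical row layout and action names (seq, action, user, value) in place of the real accountActions columns and codes defined in Appendix F, applies a constructed transaction log once as a reference, and then applies it with an overlapping replay from two rows before the checkpoint to show that the end state is identical and only the re-applied rows surface as errors.

```python
import hashlib

# Hypothetical action names standing in for the accountActions action codes.
ADD_USER, DELETE_USER, SET_PASSWORD = "ADD_USER", "DELETE_USER", "SET_PASSWORD"


def _digest(secret: str) -> str:
    """Stand-in for whatever the user database stores; never the clear text."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class UserDatabase:
    """Minimal stand-in for the CiscoSecure user database."""

    def __init__(self):
        self.users = {}        # username -> password digest
        self.errors = []       # (seq, reason) for every rejected row
        self.checkpoint = 0    # highest sequence id processed so far

    def apply(self, row: dict) -> bool:
        """Apply one row against the current state. Invalid rows (for example
        adding a user that already exists) are recorded as errors and change
        nothing, which is what makes an overlapping replay harmless."""
        seq, action, user = row["seq"], row["action"], row["user"]
        problem = None
        if action == ADD_USER:
            if user in self.users:
                problem = f"{user} already exists"
            else:
                self.users[user] = _digest(row["value"])
        elif action == DELETE_USER:
            if user not in self.users:
                problem = f"{user} does not exist"
            else:
                del self.users[user]
        elif action == SET_PASSWORD:
            if user not in self.users:
                problem = f"{user} does not exist"
            else:
                self.users[user] = _digest(row["value"])
        else:
            problem = f"unknown action {action!r}"
        if problem:
            self.errors.append((seq, problem))
        self.checkpoint = max(self.checkpoint, seq)
        return problem is None


def replay(db: UserDatabase, log: list, from_seq: int) -> UserDatabase:
    """Replay, in sequence order, every row whose seq is at or after from_seq."""
    for row in sorted(log, key=lambda r: r["seq"]):
        if row["seq"] >= from_seq:
            db.apply(row)
    return db


# Constructed transaction log; the password values are placeholders.
CONSTRUCTED_LOG = [
    {"seq": 1, "action": ADD_USER, "user": "alice", "value": "pw-alice-1"},
    {"seq": 2, "action": ADD_USER, "user": "bob", "value": "pw-bob-1"},
    {"seq": 3, "action": SET_PASSWORD, "user": "alice", "value": "pw-alice-2"},
    {"seq": 4, "action": DELETE_USER, "user": "bob"},
    {"seq": 5, "action": ADD_USER, "user": "carol", "value": "pw-carol-1"},
    {"seq": 6, "action": SET_PASSWORD, "user": "carol", "value": "pw-carol-2"},
    {"seq": 7, "action": DELETE_USER, "user": "alice"},
    {"seq": 8, "action": ADD_USER, "user": "dave", "value": "pw-dave-1"},
]


def demo():
    """Reference run versus a run that stops at seq 5 and then replays from
    seq 3. Returns (reference users, replayed users, errors raised by the replay)."""
    reference = replay(UserDatabase(), CONSTRUCTED_LOG, 1)
    db = replay(UserDatabase(), CONSTRUCTED_LOG[:5], 1)   # rows 1..5, checkpoint 5
    errors_before = len(db.errors)
    replay(db, CONSTRUCTED_LOG, db.checkpoint - 2)        # replay from seq 3
    return reference.users, db.users, db.errors[errors_before:]


if __name__ == "__main__":
    ref, replayed, errs = demo()
    print("consistent:", ref == replayed, "replay errors:", errs)
```

The errors reported by the overlapping replay (deleting a user who is already gone, adding a user who already exists) are exactly the kind the page says to expect; an error of that shape after a checkpoint-based recovery is noise, whereas the same error during normal operation points at a problem in the third-party system feeding the table.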
implementation. If the third-party system you are using to update the accountActions table is a commercial product, for assistance, refer to the documentation supplied by your third-party system vendor. For information about the format and content of the accountActions table, see Appendix F, “RDBMS Synchronization Import Definitions”. Step 4 Validate that your third-party system updates the accountActions table properly.
Step 7 Schedule RDBMS synchronization on the senior synchronization partner. For steps, see Scheduling RDBMS Synchronization, page 9-41. Step 8 Configure your third-party system to begin updating the accountActions table with information to be imported into the CiscoSecure user database. Step 9 Confirm that RDBMS synchronization is operating properly by monitoring the RDBMS Synchronization report in the Reports and Activity section.
Preparing for CSV-Based Synchronization If you want to use a CSV file for your accountActions table, some additional configuration is necessary. This is because the Microsoft ODBC CSV driver cannot access the accountActions table unless the file has a .csv file extension.
net start CSDBSync and then press Enter. The Microsoft ODBC CSV driver can now access the accountActions CSV file properly. Configuring a System Data Source Name for RDBMS Synchronization On the Cisco Secure ACS, a system DSN must exist for Cisco Secure ACS to access the accountActions table. If you plan to use the CiscoSecure Transactions.
Step 6 Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs. Step 7 Click OK. The name you assigned to the DSN appears in the System Data Sources list. Step 8 Close the ODBC window and Windows Control Panel.
• Password—Specifies the password Cisco Secure ACS uses to access the database that contains the accountActions table. Synchronization Scheduling Options The Synchronization Scheduling table defines when synchronization occurs. It contains the following scheduling options: • Manually—Cisco Secure ACS does not perform automatic RDBMS synchronization. • Every X minutes—Cisco Secure ACS performs synchronization on a set frequency.
For more information about the AAA Servers table in Network Configuration, see AAA Server Configuration, page 4-21. Performing RDBMS Synchronization Immediately You can manually start an RDBMS synchronization event. To perform manual RDBMS synchronization, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click RDBMS Synchronization.
Note You do not have to select Manually under Replication Scheduling. For more information, see Disabling Scheduled RDBMS Synchronizations, page 9-43. Step 4 For each Cisco Secure ACS that you want this Cisco Secure ACS to update with data from the accountActions table, select the Cisco Secure ACS in the AAA Servers list, and then click --> (right arrow button). The selected Cisco Secure ACS appears in the Synchronize list.
a. From the Data Source list, select the system DSN you configured to communicate with the database that contains your accountActions table. For more information about configuring a system DSN for use with RDBMS Synchronization, see Configuring a System Data Source Name for RDBMS Synchronization, page 9-37. Note For more information about RDBMS setup, see RDBMS Setup Options, page 9-38. b.
a. In the Synchronization Partners table, from the AAA Servers list, select the name of a Cisco Secure ACS that you want this Cisco Secure ACS to update with data from the accountActions table. Note For more information about synchronization targets, see Inbound Replication Options, page 9-15. b.
Step 2 Click RDBMS Synchronization. The RDBMS Synchronization Setup page appears. Step 3 Under Synchronization Scheduling, select the Manually option. Step 4 Click Submit. Cisco Secure ACS does not perform scheduled RDBMS synchronizations. IP Pools Server This section provides information about the IP Pools feature, including procedures for creating and maintaining IP pools.
you enable this feature, Cisco Secure ACS dynamically issues IP addresses from the IP pools you have defined by number or name. You can configure up to 999 IP pools, for approximately 255,000 users. If you are using IP pooling and proxy, all accounting packets are proxied so that the Cisco Secure ACS that is assigning the IP addresses can confirm whether an IP address is already in use.
You can determine whether overlapping IP pools are allowed by checking which button appears below the AAA Server IP Pools table: • Allow Overlapping Pool Address Ranges—When this button appears, overlapping IP pool address ranges are not currently allowed. Clicking this button allows IP address ranges to overlap between pools. • Force Unique Pool Address Range—When this button appears, overlapping IP pool address ranges are currently allowed.
Refreshing the AAA Server IP Pools Table You can refresh the AAA Server IP Pools table. This allows you to get the latest usage statistics for your IP pools. To refresh the AAA Server IP Pools table, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click IP Pools Server. The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use.
Note All addresses in an IP pool must be on the same Class C network, so the first three octets of the start and end addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.254. Step 6 In the End Address box, type the highest IP address (up to 15 characters) of the range of addresses for the new pool. Step 7 Click Submit.
Note All addresses in an IP pool must be on the same Class C network, so the first three octets of the start and end addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.254. Step 6 To change the ending address of the pool range of IP addresses, in the End Address box, type the highest IP address (up to 15 characters) of the new range of addresses for the pool.
Chapter 9 System Configuration: Advanced IP Pools Server The name pool table appears, where name is the name of the IP pool you selected. The In Use field displays how many IP addresses in this pool are assigned to a user. The Available field displays how many IP addresses are not assigned to users. Step 4 Click Reset. Cisco Secure ACS displays a dialog box indicating the possibility of assigning user addresses that are already in use. Step 5 To continue resetting the IP pool, click OK.
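As an added example (not code from the guide or from Cisco), the following Python script checks a set of pool definitions offline against the rules stated above: one Class C network per pool, an end address above the start address, no overlapping ranges while Force Unique Pool Address Range is in effect, and the 999-pool limit; it also computes the In Use and Available figures shown in the pool table. The pool names, ranges and in-use counts are constructed sample data, and the 1..254 host-octet bound is an assumption taken from the guide's 192.168.1.1 to 192.168.1.254 example.

```python
"""Offline checks for Cisco Secure ACS IP pool definitions.

Added example, not Cisco code. It encodes the rules the IP Pools Server section
states: every address of a pool lies in one Class C network (first three octets
equal), the end address is above the start address, pool ranges must be unique
while "Force Unique Pool Address Range" is in effect, and at most 999 pools may
be defined. Pool names, ranges and in-use counts are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MAX_POOLS = 999  # pool limit stated in the guide


@dataclass(frozen=True)
class Pool:
    name: str
    start: str
    end: str
    in_use: int = 0  # addresses currently assigned ("In Use" in the pool table)

    def first(self) -> int:
        return int(ipaddress.IPv4Address(self.start))

    def last(self) -> int:
        return int(ipaddress.IPv4Address(self.end))

    def size(self) -> int:
        return self.last() - self.first() + 1

    def available(self) -> int:
        return self.size() - self.in_use

    def percent_in_use(self) -> float:
        return round(100.0 * self.in_use / self.size(), 1)


def validate_pool(pool: Pool) -> List[str]:
    """Return the rule violations for one pool; an empty list means it is valid."""
    errors = []
    try:
        start = ipaddress.IPv4Address(pool.start)
        end = ipaddress.IPv4Address(pool.end)
    except ValueError as exc:
        return [f"{pool.name}: invalid IPv4 address ({exc})"]
    if start.packed[:3] != end.packed[:3]:
        errors.append(f"{pool.name}: start and end must share the first three octets")
    if end <= start:
        errors.append(f"{pool.name}: end address must be higher than the start address")
    # Assumption taken from the guide's example (192.168.1.1 .. 192.168.1.254):
    # the host octet of both ends stays within 1..254.
    for label, addr in (("start", start), ("end", end)):
        if not 1 <= addr.packed[3] <= 254:
            errors.append(f"{pool.name}: {label} host octet must be between 1 and 254")
    if not errors and not 0 <= pool.in_use <= pool.size():
        errors.append(f"{pool.name}: in-use count {pool.in_use} exceeds pool size {pool.size()}")
    return errors


def find_overlaps(pools: List[Pool]) -> List[Tuple[str, str]]:
    """Return name pairs of (valid) pools whose address ranges share an address."""
    ordered = sorted(pools, key=lambda p: p.first())
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.first() > a.last():
                break  # every later pool starts even higher, so none overlaps a
            overlaps.append((a.name, b.name))
    return overlaps


def check_pools(pools: List[Pool], force_unique: bool = True) -> List[str]:
    """Report every problem an administrator would hit when submitting these pools."""
    problems = []
    if len(pools) > MAX_POOLS:
        problems.append(f"{len(pools)} pools defined; the limit is {MAX_POOLS}")
    valid = []
    for pool in pools:
        errs = validate_pool(pool)
        problems.extend(errs)
        if not errs:
            valid.append(pool)
    if force_unique:  # the "Force Unique Pool Address Range" setting is in effect
        for a, b in find_overlaps(valid):
            problems.append(f"pools {a} and {b} have overlapping address ranges")
    return problems


# Constructed sample pools: one clean, one overlapping the first, one spanning two
# Class C networks, and one with its start and end reversed.
SAMPLE_POOLS = [
    Pool("sales", "192.168.1.1", "192.168.1.100", in_use=25),
    Pool("guests", "192.168.1.50", "192.168.1.150"),
    Pool("lab", "192.168.2.1", "192.168.3.254"),
    Pool("broken", "10.0.0.10", "10.0.0.5"),
]

if __name__ == "__main__":
    for line in check_pools(SAMPLE_POOLS):
        print(line)
    sales = SAMPLE_POOLS[0]
    print(f"sales: {sales.percent_in_use()}% in use, {sales.available()} available")
```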
Step 4 Click Delete. Cisco Secure ACS displays a dialog box to confirm that you want to delete the IP pool. Step 5 To delete the IP pool, click OK. The IP pool is deleted. The AAA Server IP Pools table does not list the deleted IP pool. IP Pools Address Recovery The IP Pools Address Recovery feature enables you to recover assigned IP addresses that have not been used for a specified period of time.
Cisco Secure ACS implements the IP pools address recovery settings you made.
CHAPTER 10 System Configuration: Authentication and Certificates This chapter addresses authentication and certification features found in the System Configuration section of Cisco Secure ACS Solution Engine.
Digital Certificates The ACS Certificate Setup pages enable you to install digital certificates to support EAP-TLS and PEAP authentication, as well as to support HTTPS protocol for secure access to the Cisco Secure ACS HTML interface. Cisco Secure ACS uses the X.509 v3 digital certificate standard. Certificate files must be in either Base64-encoded X.509 format or DER-encoded binary X.509 format.
About the EAP-TLS Protocol EAP and TLS are both IETF RFC standards. The EAP protocol carries initial authentication information, specifically EAPOL (the encapsulation of EAP over LANs as established by IEEE 802.1X). TLS uses certificates both for user authentication and for dynamic ephemeral session key generation.
EAP-TLS and Cisco Secure ACS Cisco Secure ACS supports EAP-TLS with any end-user client that supports EAP-TLS, such as Windows XP. To learn which user databases support EAP-TLS, see Authentication Protocol-Database Compatibility, page 1-10.
Note: If you use certificate binary comparison, the user certificate must be stored in a binary format. Also, for generic LDAP and Active Directory, the attribute storing the certificate must be the standard LDAP attribute named “usercertificate”. When you set up EAP-TLS, you can select the criterion (one, two, or all) that Cisco Secure ACS uses.
To force an EAP-TLS session to end before the session timeout is reached, either restart the CSAuth service or delete the user from the CiscoSecure user database. Disabling or deleting the user in an external user database has no effect because the session resume feature does not involve the use of external user databases.
Enabling EAP-TLS Authentication This procedure provides an overview of the detailed procedures required to configure Cisco Secure ACS to support EAP-TLS authentication. Note: End-user client computers must be configured to support EAP-TLS. This procedure is specific to configuration of Cisco Secure ACS only.
Step 2 Edit the certification trust list so that the certification authority (CA) issuing end-user client certificates is trusted. If you do not perform this step, Cisco Secure ACS only trusts user certificates issued by the same CA that issued the certificate installed in Cisco Secure ACS. For detailed steps, see Editing the Certificate Trust List, page 10-38.
PEAP authentications always involve two phases. In the first phase, the end-user client authenticates Cisco Secure ACS. This requires a server certificate and authenticates Cisco Secure ACS to the end-user client, ensuring that the user or machine credentials sent in phase two are sent to a AAA server that has a certificate issued by a trusted CA.
When the end-user client is the Cisco Aironet PEAP client and both PEAP(EAP-GTC) and PEAP(EAP-MSCHAPv2) are enabled on the Global Authentication Setup page, Cisco Secure ACS first attempts PEAP(EAP-GTC) authentication with the end-user client. If the client rejects this protocol (by sending an EAP NAK message), Cisco Secure ACS attempts authentication with PEAP(EAP-MSCHAPv2).
Changes to group assignment in an external user database are not enforced by the session resume feature, because group mapping does not occur when a user session is extended by the session resume feature. Instead, the user is mapped to the same Cisco Secure ACS group that the user was mapped to at the beginning of the session.
Enabling PEAP Authentication This procedure provides an overview of the detailed procedures required to configure Cisco Secure ACS to support PEAP authentication. Note: End-user client computers must be configured to support PEAP. This procedure is specific to configuration of Cisco Secure ACS only.
EAP-FAST Authentication This section contains the following topics: • About EAP-FAST, page 10-13 • About Master Keys, page 10-15 • About PACs, page 10-17 – Automatic PAC Provisioning, page 10-18 – Manual PAC Provisioning, page 10-20 • Master Key and PAC TTLs, page 10-21 • Table 10-2 • Enabling EAP-FAST, page 10-25 About EAP-FAST The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) pr
Note: Phase zero is optional and PACs can be manually provided to end-user clients (see Manual PAC Provisioning, page 10-20). You control whether Cisco Secure ACS supports phase zero by selecting the Allow automatic PAC provisioning check box in the Global Authentication Configuration page.
Cisco Secure ACS supports password aging with EAP-FAST for users authenticated by Windows user databases. Password aging can work with either phase zero or phase two of EAP-FAST. If password aging requires a user to change passwords during phase zero, the new password is effective in phase two.
before the next successful master key replication. If the backup master key also retires before the next successful master key replication, EAP-FAST authentication fails for all users requesting network access with EAP-FAST.
About PACs PACs are strong shared secrets that enable Cisco Secure ACS and an EAP-FAST end-user client to authenticate each other and establish a TLS tunnel for use in EAP-FAST phase two. Cisco Secure ACS generates PACs using the active master key and a username. An EAP-FAST end-user client stores PACs for each user accessing the network with the client.
The following list contrasts the various means by which an end-user client can receive PACs: • PAC provisioning—Required when an end-user client has no PAC or has a PAC that is based on an expired master key. For more information about how master key and PAC states determine whether PAC provisioning is required, see Master Key and PAC TTLs, page 10-21.
EAP-FAST phase zero requires EAP-MSCHAPv2 authentication of the user. Upon successful user authentication, Cisco Secure ACS establishes a Diffie-Hellman tunnel with the end-user client. Cisco Secure ACS generates a PAC for the user and sends it to the end-user client within this tunnel, along with the Authority ID and Authority ID information about this Cisco Secure ACS.
Manual PAC Provisioning Manual PAC provisioning requires a Cisco Secure ACS administrator to generate PAC files, which must then be distributed to the applicable network users. Users must configure end-user clients with their PAC files. For example, if your EAP-FAST end-user client is the Cisco Aironet Client Utility (ACU), configuring the ACU to support EAP-FAST requires that you import a PAC file.
Master Key and PAC TTLs The TTL values for master keys and PACs determine their states, as described in About Master Keys, page 10-15 and About PACs, page 10-17. Master key and PAC states determine whether someone requesting network access with EAP-FAST requires PAC provisioning or PAC refreshing. Table 10-1 summarizes Cisco Secure ACS behavior with respect to PAC and master key states.
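The following Python model is an added example, not Cisco code: it derives a master key's state from the master key TTL and retired master key TTL, decides whether a client presenting a PAC is accepted, refreshed, provisioned in phase zero or refused, and shows how lowering the retired master key TTL moves users into PAC provisioning. The TTLs, key ids, user names and day-numbered timeline are constructed; it assumes the retired period directly follows the active period and that a PAC built with a retired (not yet expired) master key is accepted and refreshed rather than re-provisioned.

```python
"""EAP-FAST master key and PAC state model for Cisco Secure ACS.

Added example, not Cisco code. It encodes what the guide states: PACs are
generated with the active master key; a master key retires after its master key
TTL and expires after its retired master key TTL; a client with no PAC, or whose
PAC was built with an expired master key, needs PAC provisioning, which phase zero
performs only when automatic PAC provisioning is allowed; and a server with no
active master key cannot authenticate EAP-FAST users at all.
Assumptions (not from the guide): the retired period follows the active period,
and a PAC built with a retired master key is accepted and refreshed.
All ids, names, TTLs and the day-numbered timeline are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ACTIVE, RETIRED, EXPIRED = "active", "retired", "expired"
ACCEPT, REFRESH, PROVISION, REJECT = "accept", "refresh", "provision", "reject"


@dataclass(frozen=True)
class TTLPolicy:
    master_key_ttl: float          # days a master key is active
    retired_master_key_ttl: float  # days a retired key still validates PACs


@dataclass(frozen=True)
class MasterKey:
    key_id: str
    created_day: float


@dataclass(frozen=True)
class PAC:
    username: str
    master_key_id: str  # the master key the PAC was generated with


def master_key_state(key: MasterKey, policy: TTLPolicy, today: float) -> str:
    """Classify a master key by its age against the two (assumed consecutive) TTLs."""
    age = today - key.created_day
    if age < 0:
        raise ValueError("master key created in the future")
    if age < policy.master_key_ttl:
        return ACTIVE
    if age < policy.master_key_ttl + policy.retired_master_key_ttl:
        return RETIRED
    return EXPIRED


def has_active_key(keys: Dict[str, MasterKey], policy: TTLPolicy, today: float) -> bool:
    """Without an active master key (e.g. a secondary whose keys all retired before the
    next replication) the guide says EAP-FAST authentication fails for every user."""
    return any(master_key_state(k, policy, today) == ACTIVE for k in keys.values())


def pac_action(pac: Optional[PAC], keys: Dict[str, MasterKey], policy: TTLPolicy,
               today: float, allow_auto_provisioning: bool) -> str:
    """Outcome for a client presenting `pac` (None means the client has no PAC)."""
    if not has_active_key(keys, policy, today):
        return REJECT
    key = keys.get(pac.master_key_id) if pac else None
    # A PAC from a key this server never held is treated like one from an expired key.
    state = master_key_state(key, policy, today) if key else EXPIRED
    if state == EXPIRED:
        # Phase zero runs only if "Allow automatic PAC provisioning" is selected;
        # otherwise the user must be given a PAC file manually.
        return PROVISION if allow_auto_provisioning else REJECT
    if state == RETIRED:
        return REFRESH  # assumption: still valid, client receives a PAC from the active key
    return ACCEPT


def users_needing_provisioning(pacs: Iterable[PAC], keys: Dict[str, MasterKey],
                               policy: TTLPolicy, today: float) -> List[str]:
    return sorted(p.username for p in pacs
                  if pac_action(p, keys, policy, today, True) == PROVISION)


def newly_affected_by_ttl_change(pacs: List[PAC], keys: Dict[str, MasterKey],
                                 old_policy: TTLPolicy, new_policy: TTLPolicy,
                                 today: float) -> List[str]:
    """Users pushed into PAC provisioning by a TTL change (the guide's note on
    decreasing the retired master key TTL)."""
    before = set(users_needing_provisioning(pacs, keys, old_policy, today))
    after = set(users_needing_provisioning(pacs, keys, new_policy, today))
    return sorted(after - before)


# Constructed scenario: mk-1 issued on day 0 and replaced by mk-2 on day 30;
# carol's PAC refers to a key this server does not hold.
POLICY = TTLPolicy(master_key_ttl=30, retired_master_key_ttl=90)
KEYS = {"mk-1": MasterKey("mk-1", created_day=0),
        "mk-2": MasterKey("mk-2", created_day=30)}
PACS = [PAC("alice", "mk-2"), PAC("bob", "mk-1"), PAC("carol", "mk-0")]

if __name__ == "__main__":
    today = 50
    for pac in PACS:
        print(pac.username, pac_action(pac, KEYS, POLICY, today, True))
    shortened = TTLPolicy(master_key_ttl=30, retired_master_key_ttl=10)
    print("newly needing provisioning:",
          newly_affected_by_ttl_change(PACS, KEYS, POLICY, shortened, today))
```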
Replication and EAP-FAST The CiscoSecure Database Replication feature supports the replication of EAP-FAST settings, Authority ID, and master keys. Replication of EAP-FAST data occurs only if the following are true: • On the Database Replication Setup page of the primary Cisco Secure ACS, under Send, you have selected the EAP-FAST master keys and policies check box.
The Database Replication log on the primary Cisco Secure ACS records replication of master keys. Entries related to master key replication contain the text “MKEYReplicate”.
Table 10-2 EAP-FAST Components and Replication
EAP-FAST Component | Replicated? | Configurable?
EAP-FAST Enable | No | Yes, on the Global Authentication Setup page.
Master key TTL | Yes | Yes, on the Global Authentication Setup page.
accepted by the secondary Cisco Secure ACS in a replication scheme where the EAP-FAST master server setting is enabled on the secondary Cisco Secure ACS. Tip: In a replicated Cisco Secure ACS environment, use the EAP-FAST master server feature in conjunction with disallowing automatic PAC provisioning to control EAP-FAST access to different segments of your network.
Enabling EAP-FAST This procedure provides an overview of the detailed procedures required to configure Cisco Secure ACS to support EAP-FAST authentication. Note: End-user clients must be configured to support EAP-FAST. This procedure is specific to configuring Cisco Secure ACS only. Before You Begin The steps in this procedure are a suggested order only.
For information about how master key and PAC TTL values determine whether PAC provisioning or PAC refreshing is required, see Master Key and PAC TTLs, page 10-21. Step 3 Determine whether you want to use automatic or manual PAC provisioning. For more information about the two means of PAC provisioning, see Automatic PAC Provisioning, page 10-18, and Manual PAC Provisioning, page 10-20.
Authentication Configuration Options The Global Authentication Setup page contains the following configuration options: • PEAP—You can configure the following options for PEAP: – Allow EAP-MSCHAPv2—Whether Cisco Secure ACS attempts EAP-MSCHAPv2 authentication with PEAP clients.
session timeout (minutes) box, selecting the Enable Fast Reconnect check box has no effect on PEAP authentication and phase two of PEAP authentication always occurs. • EAP-FAST—You can configure the following options for EAP-FAST: – Allow EAP-FAST—Whether Cisco Secure ACS permits EAP-FAST authentication.
Note: Decreasing the retired master key TTL is likely to cause some retired master keys to expire; therefore, end-user clients with PACs based on the newly expired master keys require PAC provisioning.
Note: Authority ID information is not the same as the Authority ID, which is generated automatically by Cisco Secure ACS and is not configurable. While the Authority ID is used by end-user clients to determine which PAC to send to Cisco Secure ACS, the Authority ID information is strictly the human-readable label associated with the Authority ID.
• EAP-TLS—You can configure the following options for EAP-TLS: – Allow EAP-TLS—Whether Cisco Secure ACS permits EAP-TLS authentication.
• LEAP—The Allow LEAP (For Aironet only) check box controls whether Cisco Secure ACS performs LEAP authentication. LEAP is currently used only for Cisco Aironet wireless networking. If you disable this option, Cisco Aironet end-user clients configured to perform LEAP authentication cannot access the network.
Note: Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) is not a true RADIUS VSA; instead, it represents the value that Cisco Secure ACS sends in the IETF RADIUS Session-Timeout attribute when the AAA client sending the RADIUS request is defined in the Network Configuration as authenticating with RADIUS (Cisco Aironet).
Before You Begin For information about the options on the Global Authentication Setup page, see Authentication Configuration Options, page 10-27. To configure authentication options, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click Global Authentication Setup. Cisco Secure ACS displays the Global Authentication Setup page.
• Using Self-Signed Certificates, page 10-47 • Updating or Replacing a Cisco Secure ACS Certificate, page 10-50 Installing a Cisco Secure ACS Server Certificate Perform this procedure to install (that is, enroll) a server certificate for your Cisco Secure ACS.
Step 3 Click Install ACS Certificate. Cisco Secure ACS displays the Install ACS Certificate page. Step 4 You must specify whether Cisco Secure ACS reads the certificate from a specified file or uses a certificate already in storage on the local machine.
Step 7 Click Submit.
To add a certificate authority certificate to your local storage, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click ACS Certificate Setup. Step 3 Click ACS Certification Authority Setup. Cisco Secure ACS displays the CA Operations table on the Certification Authorities Setup page.
How you edit your CTL determines the type of trust model you have. Many use a restricted trust model wherein very few, privately controlled CAs are trusted. This model provides the highest level of security but restricts adaptability and scalability. The alternative, an open trust model, allows for more CAs or public CAs.
Managing Certificate Revocation Lists Certificate revocation lists (CRLs) are the means by which Cisco Secure ACS determines that the certificates employed by users seeking authentication are still valid, according to the CA that issued them.
the CRL. If the new CRL differs from the existing CRL, the new version is saved and added to the local cache. CRL retrievals appear in the log for the CSAuth service only when you have configured the level of detail in service logs to “full”. The status, date, and time of the last retrieval are shown on the Certificate Revocation List Issuer edit page of the Cisco Secure ACS HTML interface.
• Retrieve CRL every—The quantity and period of time that Cisco Secure ACS should wait between retrieving a CRL, for example 10 Days or 2 Months. • Retrieve on “Submit”—Selecting this option causes Cisco Secure ACS to immediately attempt to contact the distribution URL and obtain the current CRL when the new CRL request page is submitted for processing.
Tip: Only CRL Issuers that are listed on the CTL are listed as possible selections. That is, you must list an entity as trusted on the CTL before you can select its Issuer’s Certificate. Step 8 In the CRL Distribution URL box, type the URL for the CRL distribution repository. Tip: The URL must specify the CRL itself when the repository contains multiple files.
Editing a Certificate Revocation List Issuer To edit a certificate revocation list issuer, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click ACS Certificate Setup. Step 3 Click Certificate Revocation Lists. Cisco Secure ACS displays the CRL Issuers edit page. Step 4 Click the name of the CRL issuer you want to edit.
Step 5 Click Delete. The specified CRL issuer, and all CRLs from that issuer, are deleted from Cisco Secure ACS. Generating a Certificate Signing Request You can use Cisco Secure ACS to generate a certificate signing request (CSR). After you generate a CSR, you can submit it to a CA to obtain your certificate. You perform this procedure to generate the CSR for future use with a certificate enrollment tool.
Field | Field Name | Min. Length | Max.
Using Self-Signed Certificates You can use Cisco Secure ACS to generate a self-signed digital certificate to be used for the PEAP authentication protocol or for HTTPS support of Cisco Secure ACS administration. This capability supports TLS/SSL protocols and technologies without the requirement of interacting with a CA.
Self-Signed Certificate Configuration Options The Generate Self-Signed Certificate edit page contains the following mandatory configuration fields: • Certificate subject—The subject for the certificate, prefixed with “cn=”. We recommend using the Cisco Secure ACS name. For example, “cn=ACS11”.
• Digest to sign with—Select the hash algorithm used to sign the certificate from the choices listed. The choices include SHA1, SHA, MD2, and MD5. • Install generated certificate—Select this check box if you want Cisco Secure ACS to install the self-signed certificate that it generates when you click Submit.
Step 12 To install the self-signed certificate when you submit the page, select the Install generated certificate option. Note: If you use the Install generated certificate option you must restart Cisco Secure ACS services after submitting this form to adopt the new settings.
Note: If your Cisco Secure ACS has not already been enrolled with a certificate, you do not see the Installed Certificate Information table. Rather, you see the Install new certificate table. If this is the case, you can proceed to Step 5. Step 3 Click Enroll New Certificate. A confirmation dialog box appears. Step 4 To confirm that you intend to enroll a new certificate, click OK.
CHAPTER 11 Logs and Reports Cisco Secure ACS for Windows Server produces a variety of logs and provides a way to view most of these logs in the Cisco Secure ACS HTML interface as HTML reports.
Logging Formats Cisco Secure ACS logs a variety of user and system activities. Depending on the log, and how you have configured Cisco Secure ACS, logs can be recorded in one of two formats: • Comma-separated value (CSV) files—The CSV format records data in columns separated by commas. This format is easily imported into a variety of third-party applications, such as Microsoft Excel or Microsoft Access.
The content of these attributes is determined by the values entered in the corresponding fields in the user account. For more information about user attributes, see User Data Configuration Options, page 3-3. • ExtDB Info—If the user is authenticated with an external user database, this attribute contains a value returned by the database.
Note: Cisco Secure ACS cannot determine how a remote logging service is configured to process accounting packets that it is forwarded.
Posture validation requests resulting in a system posture token (SPT) of Healthy are logged in the Passed Authentications log. Posture validation requests resulting in an SPT of anything other than Healthy are logged in the Failed Attempts log. For more information about posture tokens, see Posture Tokens, page 14-4.
About Cisco Secure ACS Logs and Reports The logs that Cisco Secure ACS provides can be divided into four types: • Accounting logs • Dynamic Cisco Secure ACS administration reports • Cisco Secure ACS system logs • Service logs This section contains information about the first three types of logs. For information about service logs, see Service Logs, page 11-31.
Table 11-1 Accounting Log Descriptions
Log | Description
TACACS+ Accounting | Contains the following information:
• User session stop and start times
• AAA client messages with username
• Caller line identification (CLID) information
• Session duration
TACACS+ Administration | Lists configuration commands entered on a AAA client using TACACS+ (Cisco IOS).
Table 11-1 Accounting Log Descriptions (continued)
Log | Description
Failed Attempts | Lists authentication and authorization failures with an indication of the cause. For posture validation requests, this log records the results of any posture validation that returns a posture token other than Healthy.
Passed Authentications | Lists successful authentication requests.
Table 11-2 What You Can Do with Accounting Logs (continued)
What You Can Do | Description and Related Topics
View an accounting report | For instructions on viewing an accounting report in the HTML interface, see Viewing a CSV Report, page 11-18.
Configure an accounting log | The steps for configuring an accounting log vary depending upon which format you want to use.
Table 11-3 Dynamic Administration Report Descriptions and Related Topics
Report | Description and Related Topics
Logged-In Users | Lists all users receiving services for a single AAA client or all AAA clients.
Tip: You can sort the table by any column’s entries, in either ascending or descending order. Click a column title once to sort the table by the entries in that column in ascending order. Click the column a second time to sort the table by the entries in that column in descending order. Step 3 Do one of the following: • To see a list of all users logged in, click All AAA Clients.
Note: Deleting logged-in users only ends the Cisco Secure ACS accounting record of users logged in to a particular AAA client. It does not terminate active user sessions, nor does it affect user records. To delete logged-in users, follow these steps: Step 1 In the navigation bar, click Reports and Activity. Step 2 Click Logged-in Users.
For more information about editing a user account, see Basic User Setup Options, page 7-3. Cisco Secure ACS System Logs System logs are logs about the Cisco Secure ACS system and therefore record system-related events. These logs are useful for troubleshooting or audits. They are always enabled and are only available in CSV format. Some system logs can be configured.
Table 11-4 Accounting Log Descriptions and Related Topics (continued)
Log | Description and Related Topics
User Password Changes | Lists user password changes initiated by users, regardless of which password change mechanism was used to change the password.
Step 4 To generate a new Administrative Audit CSV file when the current file reaches a specific size, select the When size is greater than X KB option and type the file size threshold in kilobytes in the X box. Step 5 To manage which Administrative Audit CSV files Cisco Secure ACS keeps, follow these steps: a. Select the Manage Directory check box.
Older files are named in the following format: logyyyy-mm-dd.csv where log is the name of the log, yyyy is the year the CSV file was started, mm is the month the CSV file was started, in numeric characters, and dd is the date the CSV file was started. For example, a Database Replication log file that was generated on October 13, 2002, would be named Database Replication 2002-10-13.csv.
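As an added example (not Cisco code), this Python housekeeping script parses rotated file names in the form the guide gives, works out which files the Manage Directory option would discard when only the newest N files per log are kept, and lists the days for which a log rotated Every day has no file at all, a gap worth checking on an audit log. The directory listing is constructed sample data.

```python
"""Rotated CSV log housekeeping for Cisco Secure ACS log directories.

Added example, not Cisco code. Rotated files follow the naming the guide gives
("log yyyy-mm-dd.csv", e.g. "Database Replication 2002-10-13.csv"); the live
file carries no date. The script reproduces the "Manage Directory" choice of
keeping only the newest N rotated files per log and, as a defender's check for
daily rotation, lists the dates for which no file exists.
The directory listing below is constructed sample data.
"""
import re
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# "<log name>", optional space, yyyy-mm-dd, ".csv"
ROTATED = re.compile(r"^(?P<log>.+?) ?(?P<y>\d{4})-(?P<m>\d{2})-(?P<d>\d{2})\.csv$")


def parse_rotated(filename: str) -> Optional[Tuple[str, date]]:
    """Return (log name, start date) for a rotated file, or None for any other file."""
    m = ROTATED.match(filename)
    if not m:
        return None
    try:
        started = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # e.g. month 13: not a rotated ACS log after all
        return None
    return m["log"], started


def group_by_log(filenames: List[str]) -> Dict[str, List[Tuple[date, str]]]:
    """Rotated files per log, newest first (the order the HTML interface lists them)."""
    groups: Dict[str, List[Tuple[date, str]]] = {}
    for name in filenames:
        parsed = parse_rotated(name)
        if parsed:
            log, started = parsed
            groups.setdefault(log, []).append((started, name))
    for entries in groups.values():
        entries.sort(reverse=True)
    return groups


def files_to_delete(filenames: List[str], keep: int) -> List[str]:
    """Files "Manage Directory" would remove when keeping only the newest `keep` per log."""
    if keep < 1:
        raise ValueError("keep at least one rotated file")
    doomed = []
    for entries in group_by_log(filenames).values():
        doomed.extend(name for _, name in entries[keep:])
    return sorted(doomed)


def missing_days(filenames: List[str], log: str) -> List[date]:
    """With 'Every day' rotation: dates between the oldest and newest file with no file."""
    dates = sorted(d for d, _ in group_by_log(filenames).get(log, []))
    if len(dates) < 2:
        return []
    present = set(dates)
    day, last = dates[0], dates[-1]
    missing = []
    while day < last:
        day += timedelta(days=1)
        if day not in present:
            missing.append(day)
    return missing


# Constructed directory listing: one live file, four rotated Database Replication
# files with 2002-10-11 absent, one rotated Administrative Audit file, one stray file.
SAMPLE_DIR = [
    "Database Replication.csv",
    "Database Replication 2002-10-13.csv",
    "Database Replication 2002-10-12.csv",
    "Database Replication 2002-10-10.csv",
    "Database Replication 2002-10-09.csv",
    "Administrative Audit 2002-10-13.csv",
    "notes.txt",
]

if __name__ == "__main__":
    print("would delete with keep=2:", files_to_delete(SAMPLE_DIR, 2))
    print("days without a Database Replication file:",
          [d.isoformat() for d in missing_days(SAMPLE_DIR, "Database Replication")])
```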
Chapter 11 Logs and Reports
Working with CSV Logs

Table 11-5 Default CSV Log File Locations (continued)
Log | Default Location | Configurable?
User Password Changes | CSAuth\PasswordLogs | No
Cisco Secure ACS Active Service Monitoring | Logs\ServiceMonitoring | No

Enabling or Disabling a CSV Log
This procedure describes how to enable or disable a CSV log. For instructions about configuring the content of a CSV log, see Configuring a CSV Log, page 11-19.
Note: Some CSV logs are always enabled.

Viewing a CSV Report
When you select Logged-in Users or Disabled Accounts, a list of logged-in users or disabled accounts appears in the display area, which is the frame on the right side of the web browser. For all other types of reports, a list of applicable reports appears. Files are listed in chronological order, with the most recent file at the top of the list.

Tip: To check for newer information in the current CSV report, click Refresh.
Step 4 If you want to download the CSV log file for the report you are viewing, follow these steps:
a. Click Download. Your browser displays a dialog box for accepting and saving the CSV file.
b. Choose a location to save the CSV file and save the file.

Configuring a CSV Log
This procedure describes how to configure the content of a CSV log.

• CSV file location—You can specify where on the local hard drive Cisco Secure ACS writes the CSV file.
• CSV file retention—You can specify how many old CSV files Cisco Secure ACS maintains or set a maximum number of files it is to retain.
To configure a CSV log, follow these steps:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging.
Step 3 Click the name of the CSV log you want to enable.

Step 7 To generate a new CSV file at a regular interval, select one of the following options:
• Every day—Cisco Secure ACS generates a new CSV file at the start of each day.
• Every week—Cisco Secure ACS generates a new CSV file at the start of each week.
• Every month—Cisco Secure ACS generates a new CSV file at the start of each month.

Working with ODBC Logs
Preparing for ODBC Logging
To prepare for ODBC logging, there are several steps you must complete. After you have prepared for ODBC logging, you can configure individual ODBC logs. To prepare for ODBC logging, follow these steps:
Step 1 Set up the relational database to which you want to export logging data. For more information, refer to your relational database documentation.

Step 3 Click Add.
Step 4 Select the driver you need to use with your new DSN, and then click Finish. A dialog box displays fields requiring information specific to the ODBC driver you selected.
Step 5 Type a descriptive name for the DSN in the Data Source Name box.
Step 6 Complete the other fields required by the ODBC driver you selected.

To configure an ODBC log, follow these steps:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging.
Step 3 Click the name of the ODBC log you want to enable. The ODBC log Configuration page appears, where log is the name of the ODBC log you selected. The Select Columns To Log table contains two lists: Attributes and Logged Attributes.
Note: The user must have sufficient privileges in the relational database to write the ODBC logging data to the appropriate table.
c. In the Password box, type the password (up to 80 characters) for the relational database user account you specified in Step b.
d. In the Table Name box, type the name (up to 80 characters) of the table to which you want ODBC logging data appended.
Step 6 Click Submit. Cisco Secure ACS saves the log configuration.

c. Click the name of the ODBC log you are configuring. The ODBC log Configuration page appears, where log is the name of the ODBC log you selected.
Step 11 Select the Log to ODBC log report check box, where log is the name of the ODBC log you selected.
Step 12 Click Submit. Cisco Secure ACS begins sending logging data to the relational database table specified, using the system DSN you configured.

generates the accounting logs in the formats it is configured to use—CSV and ODBC—regardless of the local logging configuration on the Cisco Secure ACSes sending the data to the central logging server. Cisco Secure ACS listens on TCP port 2001 for remote logging communication. Remote logging data is encrypted by a 128-bit proprietary algorithm.
Note: The Remote Logging feature does not affect the forwarding of accounting data for proxied authentication requests.

b. Add to the AAA Servers table each Cisco Secure ACS that the central logging server is to receive accounting data from. For more information, see AAA Server Configuration, page 4-21.
Note: If the central logging server is to log watchdog and update packets for a Cisco Secure ACS, be sure that the Log Update/Watchdog Packets from this remote AAA Server check box is selected for that Cisco Secure ACS in the AAA Servers table.

behavior enables you to configure one or more backup central logging servers so that no accounting data is lost if the first central logging server fails or is otherwise unavailable to Cisco Secure ACS.
• Remote Log Services—This list represents the Cisco Secure ACSes configured in the Remote Agents table in Network Configuration to which Cisco Secure ACS does not send accounting data for locally authenticated sessions.

Step 5 Select the applicable remote logging option:
a. To send the accounting information for this Cisco Secure ACS to more than one Cisco Secure ACS, select the Log to all selected remote log services option.
b. To send the accounting information for this Cisco Secure ACS to one Cisco Secure ACS, select the Log to subsequent remote log services on failure option.

Step 8 Click Submit. Cisco Secure ACS saves and implements the remote logging configuration you specified.

Disabling Remote Logging
By disabling the Remote Logging feature, you prevent Cisco Secure ACS from sending its accounting information to a central logging Cisco Secure ACS. To disable remote logging, follow these steps:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging.
Step 3 Click Remote Logging.

Service Logs
Services Logged
Cisco Secure ACS generates logs for the following services:
• CSAdmin
• CSAuth
• CSDBSync
• CSLog
• CSMon
• CSRadius
• CSTacacs
These files are located in the \Logs subdirectory of the applicable service directory. For example, the following is the default directory for the CiscoSecure authentication service:
c:\Program Files\CiscoSecure ACS vx.x\CSAuth\Logs
The most recent debug log is named as follows: SERVICE.

Configuring Service Logs
You can configure how Cisco Secure ACS generates and manages the service log file. The options for configuring the service log file are listed below.
• Level of detail—You can set the service log file to contain one of three levels of detail:
– None—No log file is generated.
– Low—Only start and stop actions are logged. This is the default setting.
– Full—All service actions are logged.

Step 3 To disable the service log file, under Level of detail, select the None option. After you click Restart, Cisco Secure ACS does not generate new service log files.
Step 4 To configure how often Cisco Secure ACS creates a service log file, select one of the options under Generate New File.
Note: Settings under Generate New File have no effect if you selected None under Level of detail.
CHAPTER 12 Administrators and Administrative Policy
This chapter addresses the Cisco Secure ACS Solution Engine features found in the Administration Control section of the HTML interface. This chapter contains the following topics:
• Administrator Accounts, page 12-1
• Access Policy, page 12-11
• Session Policy, page 12-16
• Audit Policy, page 12-18

Administrator Accounts
This section provides details about Cisco Secure ACS administrators.

About Administrator Accounts
Administrators are the only users of the Cisco Secure ACS HTML interface. To access the Cisco Secure ACS HTML interface from a browser run elsewhere than on the Cisco Secure ACS Windows server itself, you must log in to Cisco Secure ACS using an administrator account.

Administrator Privileges
You can grant appropriate privileges to each Cisco Secure ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options from the Administrator Privileges table on the Add Administrator or Edit Administrator pages.

Note: Additional command authorization set privilege options may appear if other Cisco network management applications, such as CiscoWorks2000, have updated the configuration of Cisco Secure ACS.
• Network Configuration—Allows the administrator full access to the features in the Network Configuration section of the HTML interface.
• System Configuration...

– VoIP Accounting Configuration—For more information about this feature, see VoIP Accounting Configuration, page 8-21.
– ACS Certificate Setup—For more information about this feature, see Cisco Secure ACS Certificate Setup, page 10-34.
– Global Authentication Setup—For more information about this feature, see Global Authentication Setup, page 10-26.

– ACS Backup and Restore—For more information about this report, see Cisco Secure ACS System Logs, page 11-13.
– DB Replication—For more information about this report, see Cisco Secure ACS System Logs, page 11-13.
– RDBMS Synchronization—For more information about this report, see Cisco Secure ACS System Logs, page 11-13.

All privilege options are selected. All user groups move to the Editable groups list.
Tip: To clear all privileges, including user group editing privileges for all user groups, click Revoke All.
Step 5 To grant user and user group editing privileges, follow these steps:
a. Select the desired check boxes under User & Group Setup.

Note: You cannot change the name of an administrator account; however, you can delete an administrator account and then create an account with the new name. For information about deleting an administrator account, see Deleting an Administrator Account, page 12-11. For information about creating an administrator account, see Adding an Administrator Account, page 12-6.

Note: If the Reset current failed attempts count check box appears below the Confirm Password box, the administrator cannot access Cisco Secure ACS unless you complete Step 4. For more information about re-enabling an administrator account, see Unlocking a Locked Out Administrator Account, page 12-10.
Step 5 To select all privileges, including user group editing privileges for all user groups, click Grant All.

Step 9 To revoke any remaining privilege options, clear the applicable check boxes in the Administrator Privileges table.
Step 10 Click Submit. Cisco Secure ACS saves the changes to the administrator account.
Deleting an Administrator Account
You can delete a Cisco Secure ACS administrator account when you no longer need it. We recommend deleting any unused administrator accounts. To delete a Cisco Secure ACS administrator account, follow these steps:
Step 1 In the navigation bar, click Administration Control. Cisco Secure ACS displays the Administration Control page.

Access Policy
Access Policy Options
You can configure the following options on the Access Policy Setup page:
• IP Address Filtering—Contains the following IP address filtering options:
– Allow all IP addresses to connect—Allow access to the HTML interface from any IP address.
– Allow only listed IP addresses to connect—Allow access to the HTML interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table.

Cisco Secure ACS uses port 2002 to start all administrative sessions. You do not need to include port 2002 in the port range. Also, Cisco Secure ACS does not allow you to define an HTTP port range that consists only of port 2002. Your port range must consist of at least one port other than port 2002.

Setting Up Access Policy
For information about access policy options, see Access Policy Options, page 12-12.
Before You Begin
If you want to enable SSL for administrative access, before completing this procedure, you must have completed the steps in Installing a Cisco Secure ACS Server Certificate, page 10-35, and Adding a Certificate Authority Certificate, page 10-37.

b. For each IP address range from outside which you want to allow remote access to the HTML interface, complete one row of the IP Address Ranges table. Type the lowest IP address (up to 16 characters) in the range in the Start IP Address box. Type the highest IP address (up to 16 characters) in the range in the End IP Address box.
Note: The IP addresses entered to define a range must differ only in the last octet.

Session Policy
The Session Policy feature controls various aspects of Cisco Secure ACS administrative sessions.

• Respond to Invalid IP Address Connections—Enables an error message in response to attempts to start a remote administrative session using an IP address that is invalid according to the IP address ranges configured in Access Policy. Disabling this option can help prevent unauthorized users from discovering Cisco Secure ACS.

Step 5 Set the invalid IP address response policy:
a. To configure Cisco Secure ACS to respond with a message when an administrative session is requested from an invalid IP address, select the Respond to invalid IP address connections check box.
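The following Python is an added example, not code from the guide or from Cisco Secure ACS itself. It models the checks the Access Policy rules above impose on an IP Address Ranges row (valid dotted-quad addresses, at most 16 characters, differing only in the last octet) and on the HTTP port range (never port 2002 alone), and shows what the Session Policy option "Respond to invalid IP address connections" changes for a client outside the permitted ranges. The class and function names, the sample addresses and the refusal message text are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ADMIN_SESSION_START_PORT = 2002   # the port Cisco Secure ACS uses to start every administrative session


@dataclass(frozen=True)
class IPRange:
    start: str   # Start IP Address box
    end: str     # End IP Address box


@dataclass
class AccessPolicy:
    allow_all: bool = True                                # "Allow all IP addresses to connect"
    ranges: List[IPRange] = field(default_factory=list)   # IP Address Ranges table, used when allow_all is False
    respond_to_invalid_ip: bool = True                    # Session Policy: "Respond to invalid IP address connections"


def check_ip_range(start: str, end: str) -> List[str]:
    """Problems with one row of the IP Address Ranges table; an empty list means the row is acceptable."""
    problems: List[str] = []
    octets = {}
    for label, value in (("Start IP Address", start), ("End IP Address", end)):
        if len(value) > 16:
            problems.append(f"{label}: longer than the 16 characters the box accepts")
        try:
            ipaddress.IPv4Address(value)          # raises AddressValueError for anything but a dotted quad
            octets[label] = value.split(".")
        except ipaddress.AddressValueError:
            problems.append(f"{label}: {value!r} is not a valid IPv4 address")
    if len(octets) == 2:
        s, e = octets["Start IP Address"], octets["End IP Address"]
        if s[:3] != e[:3]:
            problems.append("start and end addresses must differ only in the last octet")
        elif int(s[3]) > int(e[3]):
            problems.append("start address is higher than end address")
    return problems


def check_http_port_range(low: int, high: int) -> List[str]:
    """Problems with the HTTP port range: 2002 need not be in it, but it may not be the only port."""
    problems: List[str] = []
    if not 1 <= low <= high <= 65535:
        problems.append("port range must satisfy 1 <= low <= high <= 65535")
    elif low == high == ADMIN_SESSION_START_PORT:
        problems.append("port range must contain at least one port other than 2002")
    return problems


def ip_in_range(ip: str, r: IPRange) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(r.start) <= addr <= ipaddress.IPv4Address(r.end)


def admin_connection_decision(policy: AccessPolicy, client_ip: str) -> Tuple[bool, Optional[str]]:
    """(accepted, message returned to the client). With the Session Policy option cleared, a
    rejected client receives no message at all, which is what makes the ACS harder to discover."""
    if policy.allow_all or any(ip_in_range(client_ip, r) for r in policy.ranges):
        return True, None
    if policy.respond_to_invalid_ip:
        return False, "administrative session refused: source address is outside the permitted ranges"
    return False, None


if __name__ == "__main__":
    # Constructed sample configuration: a management subnet of sixteen addresses.
    row = ("10.1.1.16", "10.1.1.31")
    print(check_ip_range(*row) or "range OK")
    print(check_ip_range("10.1.1.16", "10.1.2.31"))          # spans more than the last octet
    print(check_http_port_range(2002, 2002))                # rejected by the HTML interface
    policy = AccessPolicy(allow_all=False, ranges=[IPRange(*row)], respond_to_invalid_ip=False)
    print(admin_connection_decision(policy, "10.1.1.20"))   # (True, None)
    print(admin_connection_decision(policy, "192.0.2.9"))   # (False, None): refused without a message
```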
CHAPTER 13 User Databases
Cisco Secure ACS for Windows Server authenticates users against one of several possible databases, including its internal database. You can configure Cisco Secure ACS to authenticate users with more than one type of database. This flexibility enables you to use user account data collected in different locations without having to explicitly import the users from each external user database into the CiscoSecure user database.

• Token Server User Databases, page 13-78
• Deleting an External User Database Configuration, page 13-86

CiscoSecure User Database
The CiscoSecure user database is the database internal to Cisco Secure ACS. It supports authentication using ASCII, PAP, CHAP, MS-CHAP, ARAP, LEAP, EAP-MD5, EAP-TLS, PEAP(EAP-GTC), PEAP(EAP-MSCHAPv2), and EAP-FAST (phase zero and phase two). The CiscoSecure user database is crucial for the authorization process.

User Import and Creation
There are five ways to create user accounts in Cisco Secure ACS for Windows 2000 Servers. Of these, RDBMS Synchronization and CSUtil.exe support importing user accounts from external sources.
• Cisco Secure ACS HTML interface—The HTML interface provides the ability to create user accounts manually, one user at a time. Regardless of how a user account was created, you can edit a user account by using the HTML interface.

Cisco Secure ACS. Any user accounts unique to a secondary Cisco Secure ACS are lost in the replication. For more information, see CiscoSecure Database Replication, page 9-1.

About External User Databases
You can configure Cisco Secure ACS to forward authentication of users to one or more external user databases.

For Cisco Secure ACS to interact with an external user database, Cisco Secure ACS requires an API for the third-party authentication source. Cisco Secure ACS communicates with the external user database using the API. For Windows user databases and Generic LDAP, the program interface for the external authentication is local to Cisco Secure ACS. In these cases, no further components are required.

• By Unknown User Policy—You can configure Cisco Secure ACS to attempt authentication of users not found in the CiscoSecure user database by using an external user database. Users do not need to be defined in the CiscoSecure user database for this method. For more information about the Unknown User Policy, see About Unknown User Authentication, page 15-4.
Windows User Database
You can configure Cisco Secure ACS to use a Windows user database to authenticate users.

What’s Supported with Windows User Databases
Cisco Secure ACS supports the use of Windows external user databases for the following features:
• User Authentication—Cisco Secure ACS supports ASCII, PAP, MS-CHAP (versions 1 and 2), LEAP, PEAP(EAP-GTC), PEAP(EAP-MSCHAPv2), and EAP-FAST (phase zero and phase two) authentication with a Windows Security Accounts Manager (SAM) database or a Windows Active Directory database.

Authentication with Windows User Databases
Cisco Secure ACS forwards user credentials to a Windows database by passing the user credentials to the Windows operating system of the computer running Cisco Secure ACS. The Windows database either passes or fails the authentication request from Cisco Secure ACS.

but no trust relationship is established between domain A and domain C. If domain B trusts domain C, Cisco Secure ACS in domain A can authenticate users whose accounts reside in domain C, making use of the indirect trust of domain C. For more information on trust relationships, refer to your Microsoft Windows documentation.

Windows Dial-up Networking Clients without a Domain Field
If users access your network using the dial-up networking client provided with Windows 95, Windows 98, Windows ME, or Windows XP Home, two fields appear:
• username—Type your username.
Note: You can also prefix your username with the name of the domain you want to log in to.

To determine the format of a username submitted for Windows authentication, Cisco Secure ACS searches the username for the presence of the following two special characters:
• @ (the “at” character)
• \ (the “backslash” character)
Based upon the presence and position of these two characters in the username, Cisco Secure ACS determines username format as follows:

Non-domain-qualified Usernames
Cisco Secure ACS supports Windows authentication of usernames that are not domain qualified, provided the username does not contain an “at” character. Users with “at” characters in their usernames must submit the username either in UPN format or in a domain-qualified format. Examples of non-domain-qualified usernames are cyril.yang and msmith.

Note: If your Domain List contains domains and your Windows SAM or Active Directory user databases are configured to lock out users after a number of failed attempts, users can be inadvertently locked out because Cisco Secure ACS tries each domain in the Domain List explicitly, resulting in failed attempts for identical usernames that reside in different domains.

If the authentication protocol used is EAP-TLS, by default, Cisco Secure ACS submits the username to Windows in UPN format; however, you can configure Cisco Secure ACS to strip from the username all characters after and including the last “at” character (@). For more information, see EAP-TLS Domain Stripping, page 13-16.
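As an added example that is not from the guide or from Cisco Secure ACS, the following Python models the three username formats distinguished above, the EAP-TLS domain stripping option, and what the Domain List does with a non-domain-qualified name (the cause of the lockouts the Note warns about). Because the guide's numbered list of format rules is not reproduced above, the rule order (a backslash decides before an "at" character) is an assumption, as are the function names and the sample domain names.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class WindowsLogon:
    fmt: str                 # "domain-qualified", "upn" or "non-domain-qualified"
    domain: Optional[str]    # domain part when the name carries one
    user: str                # what is handed to Windows as the account name


def classify_username(username: str) -> WindowsLogon:
    """Decide the format from the presence and position of '\\' and '@'.
    Assumed order: a backslash makes the name domain-qualified (DOMAIN\\user, even if
    an '@' follows); otherwise an '@' makes it UPN (user@domain); otherwise it is
    non-domain-qualified."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return WindowsLogon("domain-qualified", domain, user)
    if "@" in username:
        _, _, suffix = username.rpartition("@")
        return WindowsLogon("upn", suffix, username)   # a UPN is submitted whole
    return WindowsLogon("non-domain-qualified", None, username)


def eap_tls_strip_domain(certificate_name: str) -> str:
    """EAP-TLS Domain Stripping: drop the last '@' and everything after it from the
    name taken from the certificate's Subject Alternative Name field."""
    at = certificate_name.rfind("@")
    return certificate_name if at < 0 else certificate_name[:at]


def windows_logon_attempts(username: str, domain_list: List[str]) -> List[str]:
    """Logon names Windows sees for one request. A non-domain-qualified name is tried
    against every Domain List entry explicitly, so one wrong password counts as a
    failed attempt in each listed domain that has an identically named account."""
    logon = classify_username(username)
    if logon.fmt == "domain-qualified":
        return [f"{logon.domain}\\{logon.user}"]
    if logon.fmt == "upn":
        return [logon.user]
    if not domain_list:
        return [logon.user]   # no Domain List: the unqualified name goes to Windows as-is (assumed)
    return [f"{domain}\\{logon.user}" for domain in domain_list]


if __name__ == "__main__":
    # Constructed sample inputs; DOMA and DOMB are placeholder domain names.
    for name in ("msmith", "DOMA\\msmith", "cyril.yang@example.com", "DOMA\\cyril.yang@example.com"):
        print(f"{name:32} -> {classify_username(name)}")
    print(eap_tls_strip_domain("cyril.yang@example.com"))      # cyril.yang
    print(windows_logon_attempts("msmith", ["DOMA", "DOMB"]))  # one explicit try per listed domain
```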
EAP-TLS Domain Stripping
If you use Windows Active Directory to authenticate users with EAP-TLS, Cisco Secure ACS enables you to strip the domain name from the username stored in the Subject Alternative Name field of the user certificate. Performing domain name stripping can speed EAP-TLS authentication when the domain that must authenticate a user is not the domain represented in the SAN field.

When machine authentication is enabled, there are three different types of authentications. Upon starting up a computer, the authentications occur in the following order:
• Machine authentication—The computer is authenticated by Cisco Secure ACS prior to user authentication. Cisco Secure ACS checks the credentials provided by the computer against the Windows user database.

Cisco Secure ACS supports both EAP-TLS and PEAP(EAP-MSCHAPv2) for machine authentication. You can enable each separately on the Windows User Database Configuration page, which allows a mix of computers authenticating with EAP-TLS or with PEAP(EAP-MSCHAPv2). Microsoft operating systems that perform machine authentication may limit the user authentication protocol to the same protocol used for machine authentication.

that was added to the local machine storage later. As with PEAP-based machine authentication, the computer name must appear in the CiscoSecure user database in the format contained in the computer client certificate, and the user profile corresponding to the computer name must be configured to authenticate using the Windows external user database.

– Calling-Station-Id value not found in the cache—Cisco Secure ACS assigns the user to the user group specified by the “Group map for successful user authentication without machine authentication” list. This can include the group.
Note: User profile settings always override group profile settings.

Client operating systems supporting machine authentication are:
• Microsoft Windows XP with Service Pack 1 applied.
• Microsoft Windows 2000 with the following:
– Service Pack 4 applied.
– Patch Q313664 applied (available from Microsoft.com).
The following list describes the essential details of enabling machine authentication on a client computer with a Cisco Aironet 350 wireless adapter.

d. On the Protected EAP Properties dialog box, you can enforce that Cisco Secure ACS has a valid server certificate by selecting the Validate server certificate check box. If you do select this check box, you must also select the applicable Trusted Root Certification Authorities.
e. Also in the Protected EAP Properties dialog box, from the Select Authentication Method list, select Secured password (EAP-MSCHAP v2).

Note: End-user client computers and the applicable Active Directory must be configured to support machine authentication. This procedure is specific to configuration of Cisco Secure ACS only. For information about configuring Microsoft Windows operating systems to support machine authentication, see Microsoft Windows and Machine Authentication, page 13-20.

Cisco Secure ACS allows you to complete this step only after you have successfully completed Step 1. For detailed steps, see Configuring Authentication Options, page 10-33.
Step 4 Configure a Windows external user database and enable the applicable types of machine authentication on the Windows User Database Configuration page:
• To support machine authentication with PEAP, select the Permit PEAP machine authentication check box.

User-Changeable Passwords with Windows User Databases
For network users who are authenticated by a Windows user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section.

Preparing Users for Authenticating with Windows
Before using the Windows user database for authentication, follow these steps:
Step 1 Make sure the username exists in the Windows user database.

Tip: Windows dialin permission is enabled in the Dialin section of user properties in Windows NT and on the Dial-In tab of the user properties in Windows 2000.
• Configure Domain List—The Domain List controls what Cisco Secure ACS does when user authentication is requested for a username that is not domain-qualified.

Note: The check boxes under MS CHAP Settings do not affect password aging for Microsoft PEAP, EAP-FAST, or machine authentication. For more information about Windows password changes, see Enabling Password Aging for Users in Windows Databases, page 6-26.

• EAP-TLS and PEAP machine authentication name prefix—This box defines the string of characters that Cisco Secure ACS adds to the beginning of any machine name being authenticated. By default, the end-user client prefixes machine names with “host/”. If any text is present in the PEAP machine authentication name prefix box, Cisco Secure ACS prefixes the machine name with this instead.

Note: If you do not change the value of the Aging time (hours) box to something other than zero, all EAP-TLS and Microsoft PEAP users whose computers perform machine authentication are assigned to the group specified in the “Group map for successful user authentication without machine authentication” list.
Tip: To clear the cache of Calling-Station-Id values, type 0 in the Aging time (hours) box and click Submit.
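The following Python is an added example, not code from the guide or from Cisco Secure ACS, of the Calling-Station-Id cache that the group-mapping bullet, the Note and the Tip above describe: an entry is kept for the configured Aging time (hours), an aging time of zero caches nothing (so every user authentication lands in the "without machine authentication" group), and submitting 0 clears the cache. The class and function names and the timestamps are assumptions; the two group names are supplied by the caller.

```python
from dataclasses import dataclass, field
from typing import Dict

SECONDS_PER_HOUR = 3600.0


@dataclass
class MachineAuthCache:
    """Calling-Station-Id values of computers that passed machine authentication.
    aging_hours mirrors the "Aging time (hours)" box; entries older than that are stale."""
    aging_hours: float
    entries: Dict[str, float] = field(default_factory=dict)   # Calling-Station-Id -> time of machine auth

    def record_machine_auth(self, calling_station_id: str, now: float) -> None:
        """Called after a successful machine authentication (EAP-TLS or PEAP)."""
        if self.aging_hours <= 0:
            return            # aging time 0: nothing is cached, so no later user auth can match
        self.entries[calling_station_id] = now

    def clear(self) -> None:
        """What typing 0 in the Aging time (hours) box and clicking Submit does."""
        self.entries.clear()

    def seen_recently(self, calling_station_id: str, now: float) -> bool:
        """True if the client did machine authentication within the aging window."""
        recorded = self.entries.get(calling_station_id)
        if recorded is None:
            return False
        if now - recorded > self.aging_hours * SECONDS_PER_HOUR:
            del self.entries[calling_station_id]   # aged out; drop it so the cache stays small
            return False
        return True


def group_after_user_auth(cache: MachineAuthCache, calling_station_id: str, now: float,
                          group_with_machine_auth: str, group_without_machine_auth: str) -> str:
    """Group assigned on a successful user authentication. Only the cache decides which
    of the two group-map lists applies; the user profile itself may still override group settings."""
    if cache.seen_recently(calling_station_id, now):
        return group_with_machine_auth
    return group_without_machine_auth


if __name__ == "__main__":
    # Constructed scenario: a laptop (placeholder MAC) boots at t=0 and its user logs in later.
    laptop = "00-11-22-33-44-55"
    cache = MachineAuthCache(aging_hours=8)
    cache.record_machine_auth(laptop, now=0.0)
    print(group_after_user_auth(cache, laptop, 2 * SECONDS_PER_HOUR, "Corp-Users", "Restricted"))    # Corp-Users
    print(group_after_user_auth(cache, laptop, 10 * SECONDS_PER_HOUR, "Corp-Users", "Restricted"))   # Restricted
    untouched = MachineAuthCache(aging_hours=0)          # the default the Note warns about
    untouched.record_machine_auth(laptop, now=0.0)
    print(group_after_user_auth(untouched, laptop, 0.0, "Corp-Users", "Restricted"))                 # Restricted
```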
Step 3 Click Windows Database. If no Windows database configuration exists, the Database Configuration Creation table appears. Otherwise, the External User Database Configuration page appears.
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for Windows authentication in the box provided, or accept the default name in the box.
c. Click Submit.

Step 7 Click Submit. Cisco Secure ACS saves the Windows user database configuration you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 15-4. For more information about configuring user accounts to authenticate using this database, see Chapter 7, “User Management”.

Generic LDAP
• LDAP Failover, page 13-36
• LDAP Configuration Options, page 13-37
• Configuring a Generic LDAP External User Database, page 13-43

Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Cisco Secure ACS forwards the username and password to an LDAP database using a TCP connection on a port that you specify. The LDAP database either passes or fails the authentication request from Cisco Secure ACS.

For each LDAP instance, you can add it to or leave it out of the Unknown User Policy. For more information, see About Unknown User Authentication, page 15-4. For each LDAP instance, you can establish unique group mapping. For more information, see Group Mapping by Group Set Membership, page 16-4. Multiple LDAP instances are also important when you use domain filtering. For more information, see Domain Filtering, page 13-34.

If you choose to make use of domain filtering, each LDAP configuration you create in Cisco Secure ACS can perform domain filtering in one of two ways:
• Limiting users to one domain—For each LDAP configuration in Cisco Secure ACS, you can require that Cisco Secure ACS only attempts to authenticate usernames that are qualified with a specific domain name. This corresponds to the “Only process usernames that are domain qualified” option on the LDAP Configuration page.

Note: With this option, Cisco Secure ACS submits usernames that are non-domain qualified, too. Usernames are not required to be domain qualified to be submitted to an LDAP server.

LDAP Failover
Cisco Secure ACS supports failover between a primary LDAP server and a secondary LDAP server.

Unsuccessful Previous Authentication with the Primary LDAP Server
If, on the previous LDAP authentication attempt, Cisco Secure ACS could not connect to the primary LDAP server, whether Cisco Secure ACS first attempts to connect to the primary server or to the secondary LDAP server for the current authentication attempt depends on the value in the Failback Retry Delay box.
This table contains the following options:
– Process all usernames—When this option is selected, Cisco Secure ACS does not perform domain filtering on usernames before submitting them to the LDAP server for authentication.
– Only process usernames that are domain qualified—When this option is selected, Cisco Secure ACS only attempts authentication for usernames that are domain qualified for a single domain.

– Strip domain before submitting username to LDAP server—When “Only process usernames that are domain qualified” is selected, this option specifies whether Cisco Secure ACS removes the domain qualifier and its delimiting character before submitting a username to an LDAP server. For example, if the username is “jwiedman@domain.com”, the stripped username is “jwiedman”.

For example, if the delimiter character is “@” and the username is “jwiedman@domain”, then Cisco Secure ACS submits “jwiedman” to an LDAP server.
The X box cannot contain the following special characters: #?"*><
Cisco Secure ACS does not allow these characters in usernames; therefore, if any of these characters are in the X box, stripping fails.
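An added example, not code from the guide or from Cisco Secure ACS, of the Domain Filtering options described above (the same ones Steps 8 onward of the configuration procedure set): it rejects an X box containing one of the forbidden characters and returns what each filtering mode submits to the LDAP server, or nothing when the instance does not process the name at all. The DomainFilterConfig field names are assumptions; so is the Y box for stripping a suffix (the counterpart of X, not shown on this page), and domain matching is assumed to be case-sensitive.

```python
from dataclasses import dataclass
from typing import List, Optional

# Characters the guide says the X box may not contain (ACS does not allow them in usernames).
FORBIDDEN_DELIMITER_CHARS = frozenset('#?"*><')


@dataclass(frozen=True)
class DomainFilterConfig:
    """One LDAP instance's Domain Filtering table; field names are assumptions."""
    mode: str                                  # "all", "domain-qualified-only" or "strip-all"
    domain_name: str = ""                      # the single domain accepted in domain-qualified-only mode
    qualified_by: str = "suffix"               # "Qualified by" list: "suffix" (user@domain) or "prefix" (domain\user)
    delimiter: str = "@"                       # character between the username and the domain qualifier
    strip_domain: bool = False                 # "Strip domain before submitting username to LDAP server"
    strip_through_last: Optional[str] = None   # X box: strip starting characters through the last X
    strip_from_first: Optional[str] = None     # Y box (assumed): strip ending characters from the first Y


def config_errors(cfg: DomainFilterConfig) -> List[str]:
    """Validation the HTML interface would apply on Submit; empty list means acceptable."""
    errors: List[str] = []
    forbidden = "".join(sorted(FORBIDDEN_DELIMITER_CHARS))
    for label, value in (("X", cfg.strip_through_last), ("Y", cfg.strip_from_first)):
        if value is not None and (len(value) != 1 or value in FORBIDDEN_DELIMITER_CHARS):
            errors.append(f"{label} box must be one character and none of {forbidden}")
    if len(cfg.delimiter) != 1:
        errors.append("delimiter must be a single character")
    if cfg.mode == "domain-qualified-only" and not cfg.domain_name:
        errors.append("domain-qualified-only mode needs a domain name to match")
    if cfg.mode not in ("all", "domain-qualified-only", "strip-all"):
        errors.append(f"unknown mode {cfg.mode!r}")
    return errors


def username_for_ldap(cfg: DomainFilterConfig, username: str) -> Optional[str]:
    """The username this LDAP instance submits, or None when the instance does not
    process the request (so the Unknown User Policy moves on to the next database)."""
    if cfg.mode == "all":
        return username
    if cfg.mode == "domain-qualified-only":
        if cfg.qualified_by == "suffix":                    # jwiedman@domain.com
            tail = cfg.delimiter + cfg.domain_name
            if not username.endswith(tail) or len(username) == len(tail):
                return None
            return username[:-len(tail)] if cfg.strip_domain else username
        head = cfg.domain_name + cfg.delimiter               # DOMAIN\jwiedman
        if not username.startswith(head) or len(username) == len(head):
            return None
        return username[len(head):] if cfg.strip_domain else username
    # strip-all: qualifiers are removed where present; unqualified names pass through unchanged
    name = username
    if cfg.strip_through_last and cfg.strip_through_last in name:
        name = name[name.rfind(cfg.strip_through_last) + 1:]
    if cfg.strip_from_first and cfg.strip_from_first in name:
        name = name[:name.find(cfg.strip_from_first)]
    return name


if __name__ == "__main__":
    # Constructed configurations; domain.com and CORP are placeholder domain names.
    one_domain = DomainFilterConfig(mode="domain-qualified-only", domain_name="domain.com", strip_domain=True)
    print(username_for_ldap(one_domain, "jwiedman@domain.com"))   # jwiedman
    print(username_for_ldap(one_domain, "jwiedman@other.com"))    # None: not this instance's domain
    strip_all = DomainFilterConfig(mode="strip-all", strip_through_last="\\", strip_from_first="@")
    print(username_for_ldap(strip_all, "CORP\\jwiedman"))         # jwiedman
    print(config_errors(DomainFilterConfig(mode="strip-all", strip_through_last="#")))
```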
Chapter 13 User Databases Generic LDAP – UserObjectType—The name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. Cisco Secure ACS provides default values that reflect the default configuration of a Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation.
– Port—The TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing those properties on the LDAP server. If you want to use secure authentication (LDAP over SSL), port 636 is usually used. On port 389 the passwords that Cisco Secure ACS uses to bind (the Admin DN password and the user passwords it checks) cross the network in clear text, so use port 636 unless the path between Cisco Secure ACS and the LDAP server is protected some other way. – LDAP Version—Whether Cisco Secure ACS uses LDAP version 3 or version 2 to communicate with your LDAP database.
– Admin DN—The DN of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree. It must contain the following information about your LDAP server: uid=user id,[ou=organizational unit,][ou=next organizational unit,]o=organization where user id is the username, organizational unit is the last level of the tree, and next organizational unit is the next level up the tree. Give this account only the read and search rights it needs on the user and group subtrees rather than binding as a directory administrator.
To configure Cisco Secure ACS to use the LDAP User Database, follow these steps: Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. Cisco Secure ACS displays a list of all possible external user database types. Step 3 Click Generic LDAP. Note The user authenticates against only one LDAP database. If no LDAP database configuration exists, only the Database Configuration Creation table appears.
Step 8 If you want to limit authentications processed by this LDAP configuration to usernames with a specific domain qualification, follow these steps: Note For information about domain filtering, see Domain Filtering, page 13-34. a. Under Domain Filtering, select Only process usernames that are domain qualified. b. From the “Qualified by” list, select the applicable type of domain qualification, either Suffix or Prefix.
Note For information about domain filtering, see Domain Filtering, page 13-34. a. Under Domain Filtering, select Process all usernames after stripping domain name and delimiter. b. If you want Cisco Secure ACS to strip prefixed domain qualifiers, select the Strip starting characters through the last X character check box, and then type the domain-qualifier delimiting character in the X box.
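The two Domain Filtering modes described in Step 8 and in the stripping mode above, as an added Python example (not code from Cisco Secure ACS): it lets you check what a given delimiter and qualification type do to a username before the configuration is saved. The function and parameter names are illustrative assumptions; only the behaviours (process qualified names only, strip through the last delimiter) come from the text, and the suffix handling generalises the prefix case that the text spells out.

```python
"""Domain filtering for the Generic LDAP database configuration.

Added example, not code from Cisco Secure ACS: it models the two Domain
Filtering modes described above so that the effect of a delimiter and a
qualification type on a username can be checked before the configuration
is saved.  The function and parameter names are illustrative assumptions;
only the behaviours (qualified-only, strip through the last delimiter) come
from the text.  The suffix handling generalises the prefix case.
"""


def is_domain_qualified(username, qualifier, delimiter, domain):
    """Mode "Only process usernames that are domain qualified".

    qualifier "prefix": DOMAIN<delimiter>user, e.g. CORP\\jsmith
    qualifier "suffix": user<delimiter>DOMAIN, e.g. jsmith@corp.example
    The domain comparison is case-insensitive (assumption).
    """
    if qualifier == "prefix":
        head, sep, _tail = username.partition(delimiter)
        return sep == delimiter and head.lower() == domain.lower()
    if qualifier == "suffix":
        _head, sep, tail = username.rpartition(delimiter)
        return sep == delimiter and tail.lower() == domain.lower()
    raise ValueError("qualifier must be 'prefix' or 'suffix'")


def strip_prefix_qualifier(username, delimiter):
    """Mode "Strip starting characters through the last X character".

    Everything up to and including the LAST delimiter is removed, so a
    nested prefix such as a\\b\\jsmith yields jsmith.  A name without the
    delimiter is returned unchanged.
    """
    _head, sep, tail = username.rpartition(delimiter)
    return tail if sep else username


def strip_suffix_qualifier(username, delimiter):
    """Mirror image for suffix qualifiers (generalisation, not quoted from
    the text): everything from the FIRST delimiter on is removed, so
    jsmith@corp.example yields jsmith.
    """
    head, sep, _tail = username.partition(delimiter)
    return head if sep else username


def filter_username(username, mode, qualifier, delimiter, domain=None):
    """Return (process, search_name) for one LDAP configuration.

    mode "qualified-only": handle the request only if the username carries
        the configured domain; the name is passed on unchanged (assumption).
    mode "strip-all": handle every username after removing the qualifier
        and delimiter, so the directory search uses the bare name.
    """
    if mode == "qualified-only":
        if is_domain_qualified(username, qualifier, delimiter, domain):
            return True, username
        return False, None
    if mode == "strip-all":
        if qualifier == "prefix":
            return True, strip_prefix_qualifier(username, delimiter)
        return True, strip_suffix_qualifier(username, delimiter)
    raise ValueError("mode must be 'qualified-only' or 'strip-all'")
```

Note that the prefix strip cuts through the last delimiter, so a name such as a\b\jsmith is searched as jsmith; if your directory stores the qualified form, use the qualified-only mode instead.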
Step 13 In the User Object Class box, type the value of the LDAP objectClass attribute (referred to as “objectType” in this guide) that identifies the record as a user. Often, user records have several values for the objectClass attribute, some of which are unique to the user, some of which are shared with other object types. Select a value that is not shared (for example, a value such as inetOrgPerson rather than top, which every object carries). Step 14 In the GroupObjectType box, type the name of the attribute in the group record that contains the group name.
Step 20 For the Primary LDAP Server and Secondary LDAP Server tables, follow these steps: Note If you did not select the On Timeout Use Secondary check box, you do not need to complete the options in the Secondary LDAP Server table. a. In the Hostname box, type the name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address.
Chapter 13 User Databases Novell NDS Database For example: uid=joesmith,ou=members,ou=administrators,o=cisco Tip If you are using Netscape DS as your LDAP software, you can copy this information from the Netscape Console. For more information, refer to your LDAP database documentation. g. In the Password box, type the password for the administrator account specified in the Admin DN box. Password case sensitivity is determined by the server. Step 21 Click Submit.
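How the Admin DN above and a user lookup under the User Directory Subtree are composed, as an added Python example that is not code from Cisco Secure ACS: it builds the DN shape given in the text (uid=..., ou=..., ..., o=...) and the equality filter that locates a user by the UserObjectType attribute, escaping the values per RFC 4514 (DNs) and RFC 4515 (search filters) so that a username containing characters such as a comma, a parenthesis or an asterisk cannot change the meaning of the DN or filter. The function names and the uid attribute are illustrative assumptions; the values joesmith, members, administrators and cisco come from the example above.

```python
"""Composing an Admin DN and a user-lookup filter for the Generic LDAP database.

Added example, not code from Cisco Secure ACS.  Builds the DN shape from the
text (uid=...,ou=...,...,o=...) and the equality filter an authenticator uses
to find a user by the UserObjectType attribute, escaping values per RFC 4514
(DN) and RFC 4515 (search filter).  The function names and the 'uid'
attribute are assumptions; the sample values come from the guide's example.
"""

# RFC 4514 section 2.4: characters that must be escaped anywhere in a value.
_DN_SPECIAL = {'"', '+', ',', ';', '<', '>', '\\'}


def escape_dn_value(value):
    """Escape one attribute value for use in a distinguished name."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    s = ''.join(out)
    # A leading or trailing space must also be escaped.
    if s.startswith(' '):
        s = '\\' + s
    if s.endswith(' '):
        s = s[:-1] + '\\ '
    return s


def build_dn(rdns):
    """rdns: list of (attribute, value) pairs, most specific entry first."""
    return ','.join(f'{attr}={escape_dn_value(val)}' for attr, val in rdns)


def admin_dn(user_id, org_units, organization):
    """uid=<user id>,[ou=<unit>,...]o=<organization>, lowest tree level first."""
    rdns = [('uid', user_id)] + [('ou', ou) for ou in org_units] + [('o', organization)]
    return build_dn(rdns)


# RFC 4515 section 3: filter metacharacters are written as \XX hex escapes.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_object_type, username):
    """Equality filter that searches the User Directory Subtree for one user.

    The username comes from the authentication request, so it is escaped:
    'joe*)(uid=*' becomes a literal match, not an altered filter.
    """
    return f'({user_object_type}={escape_filter_value(username)})'
```

With user_object_type set to uid, the filter for the example user is (uid=joesmith); the same call with a username containing filter metacharacters produces a filter that still matches only a literal name.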
About Novell NDS User Databases Cisco Secure ACS supports ASCII, PAP, and PEAP (EAP-GTC) authentication with Novell NetWare Directory Services (NDS) servers. To use NDS authentication, you must have a Novell NDS database. Other authentication protocols are not supported with Novell NDS external user databases. Note Authentication protocols not supported with Novell NDS external user databases may be supported by another type of external user database.
For users to authenticate against a Novell NDS database, Cisco Secure ACS must be correctly configured to recognize the Novell NDS structure. Cisco Secure ACS supports up to twenty Novell NDS trees. Each Novell NDS tree configuration can support a list of user contexts. For a user to authenticate against a Novell NDS context, the applicable user object must exist in one of the contexts provided, and the password the user supplies must be valid for logging that name in to the tree.
Table 13-1 Example Usernames with Contexts

User         Valid Username With Context
Agamemnon    Agamemnon
Odysseus     Odysseus.marketing
Penelope     Penelope.marketing-research.marketing
Telemachus   Telemachus.marketing-product.marketing

Novell NDS External User Database Options You create and maintain configurations for Novell NDS database authentication on the NDS Authentication Support page in Cisco Secure ACS.
Note If the administrator username specified does not have permission to see the group name attribute in searches, group mapping fails for users authenticated by Novell NDS. • Administrator Password—The password for the administrator of the Novell server. • Context List—The full context list with each context specified in canonical, typeless form; that is, remove the o= and ou= and separate each part of the context using a period (.).
Before You Begin The Novell Requestor Software for Novell NDS must be installed on the same computer as Cisco Secure ACS. If the Novell Requestor Software for Novell NDS is not on the same computer as Cisco Secure ACS, you cannot complete this procedure. To configure Novell NDS authentication, follow these steps: Step 1 See your Novell NetWare administrator to get the names and other information on the Tree, Container, and Context.
Chapter 13 User Databases ODBC Database For more information about the content of the NDS Authentication Support page, see Novell NDS External User Database Options, page 13-52. Step 7 If you want to add a new Novell NDS server configuration, complete the fields in the blank form at the bottom of the NDS Authentication Support page. Note You must select the Add New NDS Host check box to confirm that you want to create a Novell NDS server configuration.
ACS to authenticate against an ODBC-compliant relational database does not affect the configuration of the relational database. To manage your relational database, refer to your relational database documentation. Note As with all other external databases supported by Cisco Secure ACS, the ODBC-compliant relational database is not supplied as part of Cisco Secure ACS.
• EAP-TLS Authentication Procedure Input, page 13-67 • EAP-TLS Procedure Output, page 13-68 • Result Codes, page 13-69 • Configuring a System Data Source Name for an ODBC External User Database, page 13-70 • Configuring an ODBC External User Database, page 13-71 What is Supported with ODBC User Databases Cisco Secure ACS supports the use of ODBC external user databases for the following features: • Authentication—Cisco Secure ACS supports ASCII, PAP, ARAP
• Group Mapping for Unknown Users—Cisco Secure ACS supports group mapping for unknown users by requesting group membership information from Windows user databases. For more information about group mapping for users authenticated with a Windows user database, see Group Mapping by Group Set Membership, page 16-4.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned. While the group to which a user is assigned can be determined by information from the ODBC database using a process known as “group specification”, it is Cisco Secure ACS that grants authorization privileges.
Step 4 Write the stored procedures intended to return the required authentication information to Cisco Secure ACS. For more information about these stored procedures, see Implementation of Stored Procedures for ODBC Authentication, page 13-60. Step 5 Set up a system DSN on the computer running Cisco Secure ACS. For steps, see Configuring a System Data Source Name for an ODBC External User Database, page 13-70.
The Cisco Secure ACS product CD provides “stub” routines for creating a procedure in either Microsoft SQL Server or an Oracle database. You can either modify a copy of these routines to create your stored procedure or write your own.
will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if the CHAP stored procedure is configured, because that procedure returns the stored clear-text password and Cisco Secure ACS itself performs the comparison, so the database collation is not involved. For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if the SQL Server is configured to be case insensitive.
GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
GO
Sample Routine for Generating an SQL CHAP Authentication Procedure The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure used by Cisco Secure ACS for CHAP/MS-CHAP/ARAP authentication. Because these protocols are verified from the clear-text password, the database must store passwords in recoverable form for every user who authenticates with them; grant EXECUTE on this procedure only to the account that Cisco Secure ACS uses (as the GRANT statement above does for the PAP procedure) and restrict direct access to the underlying table. Table and column names that could vary for your database schema are presented in variable text.
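Why the PAP and CHAP/MS-CHAP/ARAP procedures have different contracts, and why the case-sensitivity behaviour above follows from them, as an added Python example (not code from Cisco Secure ACS or the stub routines on its product CD): CSNTAuthUserPap receives the username and password and returns a verdict, so the table can hold a one-way hash and the database decides case sensitivity; CSNTExtractUserClearTextPw can only hand back the stored clear-text password, because the RFC 1994 CHAP response MD5(Identifier || secret || Challenge) cannot be recomputed from anything less. The tables, salt, iteration count and the user joesmith with password cisco are constructed sample data, and the Python names mirror the procedure names without being the procedures themselves.

```python
"""PAP versus CHAP/MS-CHAP/ARAP stored-procedure contracts.

Added example, not code from Cisco Secure ACS or its product CD.  Models in
Python what the two default procedures named above must do: the PAP one
compares and returns a verdict (a salted hash suffices; collation decides
case); the CHAP one returns the clear-text password because the RFC 1994
response MD5(id || secret || challenge) must be recomputed on the ACS side.
Tables, salt, iteration count and the joesmith/"cisco" row are constructed.
"""
import hashlib
import hmac

_SALT = bytes.fromhex("0102030405060708")   # constructed; per-user in practice


def _hash_password(password):
    # One-way, salted form of the password for the PAP table (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# PAP table: a one-way hash is enough, because the database only has to
# answer yes or no.  The sample password is all lower case so that both the
# case-insensitive and the case-sensitive comparison can be shown on one row.
PAP_TABLE = {"joesmith": _hash_password("cisco")}

# CHAP table: the clear-text password is unavoidable for CHAP/MS-CHAP/ARAP.
CHAP_TABLE = {"joesmith": "cisco"}


def csnt_auth_user_pap(username, password, case_insensitive=True):
    """PAP contract: the database compares and returns the verdict.

    case_insensitive=True mimics the SQL Server default collation described
    above, where cisco, CISCO and CiScO all succeed; False mimics the Oracle
    default.  With hashed storage the policy has to be applied to the
    password before hashing, which is why the candidate is folded here.
    """
    stored = PAP_TABLE.get(username)
    if stored is None:
        return False
    candidate = password.lower() if case_insensitive else password
    return hmac.compare_digest(stored, _hash_password(candidate))


def csnt_extract_user_clear_text_pw(username):
    """CHAP contract: return the clear-text password, or None if unknown."""
    return CHAP_TABLE.get(username)


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def verify_chap(username, ident, challenge, response):
    """What the AAA server must do with the extracted password: recompute the
    expected response and compare.  The hash runs over the exact bytes of the
    password, so the check is case sensitive whatever the collation.
    """
    secret = csnt_extract_user_clear_text_pw(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)
```

The practical consequence is the one the text states: a peer that types CiScO passes PAP against a case-insensitive SQL Server but fails CHAP, because the CHAP response it computed over CiScO will never equal the one recomputed over the stored cisco.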
Sample Routine for Generating an EAP-TLS Authentication Procedure The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure used by Cisco Secure ACS for EAP-TLS authentication. Table and column names that could vary for your database schema are presented in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database, page 13-55.
Table 13-2 PAP Stored Procedure Input

Field          Type     Explanation
CSNTusername   String   0-64 characters
CSNTpassword   String   0-255 characters

The input names are for guidance only. Procedure variables created from them can have different names; however, they must be defined in the procedure in the order shown—the username must precede the password variable. PAP Procedure Output The stored procedure must return a single row containing the non-null fields.
Note If the ODBC database returns data in recordset format rather than in parameters, the procedure must return the result fields in the order listed above. CHAP/MS-CHAP/ARAP Authentication Procedure Input Cisco Secure ACS provides a single value for input to the stored procedure supporting CHAP/MS-CHAP/ARAP authentication. The stored procedure should accept the named input value as a variable.
Table 13-5 CHAP/MS-CHAP/ARAP Stored Procedure Results

Field            Type      Explanation
CSNTresult       Integer   See Table 13-8 Result Codes.
CSNTgroup        Integer   The Cisco Secure ACS group number for authorization. 0xFFFFFFFF is used to assign the default value. Values other than 0-499 are converted to the default.
CSNTacctInfo     String    0-15 characters.

Note The group specified in the CSNTgroup field overrides group mapping configured for the ODBC external user database.
Note Because Cisco Secure ACS performs authentication for EAP-TLS, the user password is not an input (Table 13-4).

Table 13-6 EAP-TLS Stored Procedure Input

Field          Type     Explanation
CSNTusername   String   0-64 characters

The input name is for guidance only. A procedure variable created from it can have a different name. EAP-TLS Procedure Output The stored procedure must return a single row containing the non-null fields.
The CSNTGroup and CSNTacctInfo fields are processed only after a successful authentication. The CSNTerrorString field is logged only after a failure (if the result is greater than or equal to 4). Note If the ODBC database returns data in recordset format rather than in parameters, the procedure must return the result fields in the order listed above. Result Codes You can set the result codes listed in Table 13-8.
Configuring a System Data Source Name for an ODBC External User Database On the computer running Cisco Secure ACS, you must create a system DSN for Cisco Secure ACS to communicate with the relational database. To create a system DSN for use with an ODBC external user database, follow these steps: Step 1 Using the local administrator account, log in to the computer running Cisco Secure ACS. Step 2 In Windows Control Panel, double-click the ODBC Data Sources icon.
Step 10 Close the ODBC Data Source Administrator window and Windows Control Panel. The system DSN to be used by Cisco Secure ACS for communication with the relational database is created on the computer running Cisco Secure ACS. Configuring an ODBC External User Database Creating an ODBC database configuration provides Cisco Secure ACS information that enables it to pass authentication requests to an ODBC-compliant relational database.
Step 6 From the System DSN list, select the DSN that is configured to communicate with the ODBC-compliant relational database you want to use. Note If you have not configured on the computer running Cisco Secure ACS a DSN for the relational database, do so before completing these steps. For more information about creating a DSN for Cisco Secure ACS ODBC authentication, see Configuring a System Data Source Name for an ODBC External User Database, page 13-70.
Step 12 From the DSN Procedure Type list, select the type of output your relational database provides. Different databases return different output: • Returns Recordset—The database returns a raw record set in response to an ODBC query. Microsoft SQL Server responds in this manner. • Returns Parameters—The database returns a set of named parameters in response to an ODBC query. Oracle databases respond in this manner.
Step 14 To support EAP-TLS authentication with the ODBC database, follow these steps: a. Select the Support EAP-TLS Authentication check box. b. In the EAP-TLS SQL Procedure box, type the name of the EAP-TLS SQL procedure routine on the ODBC server. The default value in this box is CSNTFindUser. If you named the EAP-TLS SQL procedure something else, change this entry to match the name given to the EAP-TLS SQL procedure.
Chapter 13 User Databases LEAP Proxy RADIUS Server Database LEAP Proxy RADIUS Server Database For Cisco Secure ACS-authenticated users accessing your network via Cisco Aironet devices, Cisco Secure ACS supports ASCII, PAP, MS-CHAP (versions 1 and 2), LEAP, and EAP-FAST (phase zero and phase two) authentication with a proxy RADIUS server. Other authentication protocols are not supported with LEAP Proxy RADIUS Server databases.
Configuring a LEAP Proxy RADIUS Server External User Database You should install and configure your proxy RADIUS server before configuring Cisco Secure ACS to authenticate users with it. For information about installing the proxy RADIUS server, refer to the documentation included with your RADIUS server. To configure LEAP proxy RADIUS authentication, follow these steps: Step 1 In the navigation bar, click External User Databases.
Step 7 In the following boxes, type the required information: • Primary Server Name/IP—IP address of the primary proxy RADIUS server. • Secondary Server Name/IP—IP address of the secondary proxy RADIUS server. • Shared Secret—The shared secret of the proxy RADIUS server. This must be identical to the shared secret with which the proxy RADIUS server is configured.
Chapter 13 User Databases Token Server User Databases Token Server User Databases Cisco Secure ACS supports the use of token servers for the increased security provided by one-time passwords (OTPs).
For RSA SecurID, Cisco Secure ACS uses an RSA proprietary API. For more information about Cisco Secure ACS support of RSA SecurID token servers, see RSA SecurID Token Servers, page 13-84. Token Servers and ISDN Cisco Secure ACS supports token caching for ISDN terminal adapters and routers. One inconvenience of using token cards for OTP authentication with ISDN is that each B channel requires its own OTP.
About RADIUS-Enabled Token Servers Cisco Secure ACS supports token servers using the RADIUS server built into the token server. Rather than using a vendor-proprietary API, Cisco Secure ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables Cisco Secure ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers.
Cisco Secure ACS expects to receive one of the following three responses: • access-accept—No attributes are required; however, the response can indicate the Cisco Secure ACS group to which the user should be assigned. For more information, see RADIUS-Based Group Specification, page 16-14. • access-reject—No attributes required.
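The RFC 2865 exchange described above between Cisco Secure ACS and a RADIUS-enabled token server, as an added Python example that is not code from Cisco Secure ACS or from any token server product: it encodes a minimal Access-Request carrying User-Name and a User-Password (the one-time password, hidden with the shared secret and the Request Authenticator) and verifies the Response Authenticator on the access-accept or access-reject that comes back. That check is what the shared secret buys: a reply from a host that does not hold the same secret fails verification and is dropped. The secret, the OTP table and the stand-in token server are constructed; access-challenge is not handled here.

```python
"""RADIUS exchange between Cisco Secure ACS and a RADIUS-enabled token server.

Added example, not code from Cisco Secure ACS or any token server.  Encodes
an RFC 2865 Access-Request (User-Name, User-Password) and verifies the
Response Authenticator on the reply, which is where the shared secret does
its work.  The secret, OTP table and stand-in server are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2


def encode_attrs(pairs):
    """Type-Length-Value attributes; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(raw):
    attrs, i = {}, 0
    while i + 2 <= len(raw):
        t, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute")
        attrs[t] = raw[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), the first block using the Request
    Authenticator.  This is secret-keyed obfuscation, not strong encryption,
    so the OTP still deserves a protected network path."""
    p = password.encode() or b"\x00"
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(cipher, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, otp, secret, request_auth):
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(otp, secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, attr_pairs, secret, request_auth):
    """Response Authenticator = MD5(Code||ID||Length||RequestAuth||Attrs||Secret)."""
    attrs = encode_attrs(attr_pairs)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, secret, request_auth):
    """Return the response code if the Response Authenticator checks out,
    otherwise None (the reply is discarded as if it never arrived)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def token_server(packet, secret, otps):
    """Constructed stand-in for the token server's built-in RADIUS server."""
    _code, ident, _length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    otp = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in otps and hmac.compare_digest(otps[user].encode(), otp)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, [], secret, request_auth)


def authenticate(username, otp, acs_secret, server_secret, otps):
    """One round trip as the AAA server runs it: returns the verified
    response code, or None if the reply could not be authenticated."""
    request_auth = os.urandom(16)
    request = build_access_request(7, username, otp, acs_secret, request_auth)
    reply = token_server(request, server_secret, otps)
    return verify_response(reply, acs_secret, request_auth)
```

A mismatched shared secret therefore shows up as a reply that fails verification rather than as a clean reject, which is the timeout-and-retry behaviour the configuration options below deal with.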
c. Click Submit. Cisco Secure ACS lists the new configuration in the External User Database Configuration table. Step 5 Under External User Database Configuration, select the name of the RADIUS-enabled token server you need to configure. Note If only one RADIUS-enabled token server configuration exists, the name of that configuration appears instead of the list. Proceed to Step 6. Step 6 Click Configure.
• Timeout (seconds):—The number of seconds Cisco Secure ACS waits for a response from the RADIUS token server before retrying the authentication request. • Retries—The number of authentication attempts Cisco Secure ACS makes before failing over to the secondary RADIUS token server. • Failback Retry Delay (minutes)—The number of minutes that Cisco Secure ACS sends authentication requests to the secondary server when the primary server has failed.
Note You should only use the From Token Server (async tokens only) option if all tokens submitted to this token server are asynchronous tokens. Step 9 Click Submit. Cisco Secure ACS saves the RADIUS token server database configuration you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication.
Configuring an RSA SecurID Token Server External User Database Cisco Secure ACS supports the RSA SecurID token server custom interface for authentication of users. You can create only one RSA SecurID configuration within Cisco Secure ACS. Before You Begin You should install and configure your RSA SecurID token server before configuring Cisco Secure ACS to authenticate users with it.
Chapter 13 User Databases Deleting an External User Database Configuration Step 2 In the navigation bar, click External User Databases. Step 3 Click Database Configuration. Cisco Secure ACS lists all possible external user database types. Step 4 Click RSA SecurID Token Server. If no RSA SecurID token server configuration exists, the Database Configuration Creation table appears. Otherwise, the External User Database Configuration page appears.
Step 2 Click Database Configuration. Cisco Secure ACS lists all possible external user database types. Step 3 Click the external user database type for which you want to delete a configuration. The External User Database Configuration table appears. Step 4 If a list appears in the External User Database Configuration table, select the configuration you want to delete. Otherwise, proceed to Step 5. Step 5 Click Delete.
Chapter 14 Network Admission Control NAC enables you to control the degree of access permitted from computers accessing your network through a AAA client configured to enforce NAC. The basis of NAC is the validation of the posture, or state, of computers on a network. The role of Cisco Secure Access Control Server (ACS) for Windows Server in NAC is to perform posture validation.
Chapter 14 Network Admission Control About Network Admission Control NAC AAA Components The following list defines the components of the NAC AAA paradigm. Posture Validation, page 14-3, describes the posture validation process in which these components are used. • NAC-client computer—A computer running NAC software, as follows: – NAC client—The NAC client is the Cisco Trust Agent (CTA) application.
Posture Validation Cisco Secure ACS determines the posture of a computer by using the credentials received from a NAC-client computer. The following list provides an overview of the steps and systems involved in posture validation. Details about various concepts, such as posture tokens and policies, are provided in topics that follow. 1. The NAC-client computer sends traffic on the network.
6. Cisco Secure ACS sends the NAC-client computer the system posture token and the results of each policy applied to the posture validation request, and then ends the PEAP session. 7. Cisco Secure ACS sends the AAA client the RADIUS attributes as configured in the mapped user group, including ACLs and attribute-value pairs configured in the Cisco IOS/PIX RADIUS attribute cisco-av-pair.
Chapter 14 Network Admission Control Implementing Network Admission Control From the perspective of Cisco Secure ACS, the meaning of an SPT is determined by which groups you map each SPT to and how you configure those groups. In other words, the SPTs for each NAC database are associated with configurable network authorizations. Posture validation requests resulting in an SPT of Healthy are logged in the Passed Authentications log.
To implement NAC, follow these steps: Step 1 Install a server certificate. Cisco Secure ACS requires a server certificate for NAC because NAC communication with an end-user client is protected by a TLS tunnel. You can use a certificate acquired from a third-party certificate authority (CA) or you can use a self-signed certificate.
Step 4 Configure the Failed Attempts log to include NAC attributes. Posture validation requests receiving an SPT other than Healthy are logged to the Failed Attempts log. Including NAC attributes in this log can help you debug errors in your NAC implementation. For example, a local policy may return a result that you did not anticipate because of errors in the rules that compose the policy.
b. Create SPT-to-user-group mappings. Each NAC database has its own group mappings. For detailed steps, see Configuring NAC Group Mapping, page 16-13. Step 9 Configure the Unknown User Policy to include NAC databases.
b. (Optional) If AAA clients participating in NAC are configured to make use of NAC-related attribute-value (AV) pairs in the RADIUS (Cisco IOS/PIX) cisco-av-pair attribute, configure the RADIUS (Cisco IOS/PIX) cisco-av-pair attribute with the applicable AV pairs.
Chapter 14 Network Admission Control NAC Databases NAC Databases This section contains the following topics: • About NAC Databases, page 14-10 • About NAC Credentials and Attributes, page 14-11 • NAC Database Configuration Options, page 14-12 • Policy Selection Options, page 14-13 • Configuring a NAC Database, page 14-14 About NAC Databases NAC databases validate the posture of a NAC-client computer, using the credentials that the NAC clients sends to Cisco Secure ACS in the posture validation
mandatory credential types. This design enables you to create a default database so that no posture validation request is rejected due to missing credential types. • Credential validation policies—A NAC database has one or more credential validation policies. When Cisco Secure ACS uses a NAC database to evaluate a posture validation request, it applies each policy associated with the NAC database to the attributes received in the request.
Cisco Secure ACS communicates with a NAC client, the identifiers are numerical. In the HTML interface, when you define rules for local policies, attributes are identified by the names assigned to vendor, application, and attribute. For example, the CTA attribute for the version of the operating system is Cisco:PA:OS-Version.
– Name—Displays the policy name as a link. You can click the link to open the applicable policy configuration page, which enables you to view policy details, edit the policy, or delete the policy. – Description—Displays the description associated with the policy. The text displayed in the Description column for a given policy corresponds to the text last saved in the Description box.
Configuring a NAC Database This procedure describes how you can configure a NAC database. Before You Begin For descriptions of the options available on the Expected Host Configuration page, see NAC Database Configuration Options, page 14-12. For descriptions of the options available on the Select Local Policies page and the Select External Policies page, see Policy Selection Options, page 14-13.
Step 6 Click Configure. Caution If you click Delete, the selected NAC database is deleted. Cisco Secure ACS displays the Expected Host Configuration page for the selected NAC database. Step 7 Configure mandatory credential types. To do so, follow these steps: a. Under Mandatory Credential Types, click Edit List. The Edit Credential Types page appears.
Chapter 14 Network Admission Control NAC Policies c. If you need to create a policy, do one of the following, as applicable: • Click New Local Policy and follow the steps in Creating a Local Policy, page 14-25 before continuing this procedure. • Click New External Policy and follow the steps in Creating an External Policy, page 14-32 before continuing this procedure.
Policies are reusable; that is, you can associate a single policy with more than one NAC database. For example, if your NAC implementation requires two NAC databases, one for NAC clients using NAI software and one for NAC clients using Symantec software, you may need to apply the same rules about the operating system of the NAC client regardless of which anti-virus application is installed.
About Local Policies Local policies consist of one or more rules that you define in Cisco Secure ACS. When Cisco Secure ACS applies a local policy, it uses the policy rules to evaluate credentials received with the posture validation request. Each rule is associated with an APT, a credential type, and an action. The credential type determines which NAC-compliant application the APT and action are associated with.
About Rules, Rule Elements, and Attributes A rule is a set of one or more rule elements. A rule element is a logical statement consisting of the following three items: • A posture validation attribute • An operator • A value Cisco Secure ACS uses the operator to compare the contents of an attribute to the value. Each rule element of a rule must be true for the whole rule to be true. In other words, all rule elements of a rule are “anded” together.
• unsigned integer—The attribute can contain only an integer without a sign. Valid operators are = (equal to), != (not equal to), > (greater than), < (less than), <= (less than or equal to), and >= (greater than or equal to). Valid input in rule elements is a whole number between 0 and 4294967295. • ipaddr—The attribute can contain an IPv4 address. Valid operators are = (equal to), != (not equal to), and mask.
The following are the operators that Cisco Secure ACS supports: • = (equal to)—The rule element is true if the value contained in the attribute is exactly equal to the value that you specify. • != (not equal to)—The rule element is true if the value contained in the attribute does not equal the value that you specify. Tip Using the != operator can lead to confusion, especially with boolean attributes.
– $ (dollar)—The $ operator matches the end of a string. For example, co$ would match the string Cisco or the string Tibco. • days-since-last-update—The rule element is true if the attribute contains a date and if the difference in days between that date and the current date is less than or equal to the number that you specify.
• Description—Specifies a text description of the policy, up to 255 characters. Use the Description box to provide details that you could not convey in the name of the policy. For example, you could describe its purpose or summarize its rules.
Note Under Default Rule, the meanings of the Result Credential Type list, Token list, and Action box are identical to the options of the same name in the Configurable Rules table, except that the default rule is automatically true, provided that no rule in the Configurable Rules table is true. Rule Configuration Options On the Rule Configuration page you can specify the rule elements that make up a rule.
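The rule semantics laid out above (rule elements ANDed into rules, operators chosen by attribute type, the first true rule in the Configurable Rules table winning and the Default Rule applying otherwise), as an added Python example that is not code from Cisco Secure ACS. It reduces each rule to the token it returns so that a policy can be run against a set of credentials and the result inspected, which is the kind of check the Failed Attempts log helps with when a policy returns an unexpected result. Except for Cisco:PA:OS-Version, the attribute names, the sample credentials and the token names other than Healthy are constructed assumptions, as are treating a missing attribute as a false rule element and reading the value of the mask operator as address/prefix.

```python
"""Local-policy rule evaluation for NAC posture validation.

Added example, not code from Cisco Secure ACS.  Implements the rule
semantics described above: rule elements are ANDed; operators depend on
attribute type; the first true rule in table order decides, otherwise the
default applies.  Apart from Cisco:PA:OS-Version, attribute names, sample
credentials, tokens other than Healthy, the missing-attribute-is-false
choice and the address/prefix reading of 'mask' are assumptions.
"""
import ipaddress
import re
from datetime import date

UINT_MAX = 4294967295

# Valid operators per attribute type as listed in the text; the string
# type is assumed to take = and != plus the regular-expression match in
# which ^ and $ anchor the start and the end of the string.
TYPE_OPERATORS = {
    "unsigned integer": {"=", "!=", ">", "<", "<=", ">="},
    "ipaddr": {"=", "!=", "mask"},
    "string": {"=", "!=", "regex"},
    "date": {"days-since-last-update"},
}


def coerce(kind, value):
    """Parse an attribute or rule value into the type its operators expect."""
    if kind == "unsigned integer":
        n = int(value)
        if not 0 <= n <= UINT_MAX:
            raise ValueError("unsigned integer out of range")
        return n
    if kind == "ipaddr":
        return ipaddress.IPv4Address(value)
    if kind == "date":
        return value if isinstance(value, date) else date.fromisoformat(value)
    return str(value)


def element_true(element, credentials, today):
    """element = (attribute_name, kind, operator, value).

    The value side of regex, mask and days-since-last-update is used as
    written; for the other operators both sides are coerced to the type.
    """
    name, kind, op, value = element
    if op not in TYPE_OPERATORS[kind]:
        raise ValueError(f"operator {op!r} is not valid for type {kind!r}")
    if name not in credentials:          # attribute absent from the request
        return False
    attr = coerce(kind, credentials[name])
    if op == "regex":
        return re.search(value, attr) is not None
    if op == "mask":
        return attr in ipaddress.IPv4Network(value, strict=False)
    if op == "days-since-last-update":
        return (today - attr).days <= int(value)
    val = coerce(kind, value)
    return {"=": attr == val, "!=": attr != val, ">": attr > val,
            "<": attr < val, ">=": attr >= val, "<=": attr <= val}[op]


def rule_true(elements, credentials, today):
    """Every rule element must be true for the rule to be true."""
    return all(element_true(e, credentials, today) for e in elements)


def apply_policy(configurable_rules, default_token, credentials, today):
    """configurable_rules: list of (elements, token) in table order.
    Returns the token of the first true rule, else the default token."""
    for elements, token in configurable_rules:
        if rule_true(elements, credentials, today):
            return token
    return default_token


# Constructed sample policy and credentials.  Example:AV:* and
# Example:Host:* are hypothetical attribute names standing in for a
# third-party posture plug-in; Checkup and Quarantine are assumed tokens.
SAMPLE_RULES = [
    ([("Example:AV:DAT-Date", "date", "days-since-last-update", "7"),
      ("Example:AV:Engine-Version", "unsigned integer", ">=", "4")], "Healthy"),
    ([("Example:AV:Engine-Version", "unsigned integer", ">=", "4"),
      ("Cisco:PA:OS-Version", "string", "regex", r"^5\.")], "Checkup"),
]

SAMPLE_CREDENTIALS = {
    "Cisco:PA:OS-Version": "5.1.2600",
    "Example:AV:Engine-Version": "4",
    "Example:AV:DAT-Date": "2004-05-10",
    "Example:Host:Address": "10.1.2.3",
}
```

Run against the sample credentials on 2004-05-14 the policy returns Healthy; three weeks later the signature date fails the first rule and the second rule's engine and OS checks return Checkup; an engine older than 4 falls through to the default token.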
Chapter 14 Network Admission Control NAC Policies appear in the Attribute list. Each attribute is uniquely identified by the vendor name, application name, and attribute name, displayed alphabetically in the following format: vendor-name:application-name:attribute-name • Operator—Defines the comparison method by which Cisco Secure ACS evaluates whether the rule element is true. The operators available in the Operator list vary depending upon the type of attribute selected from the Attribute list.
Chapter 14 Network Admission Control NAC Policies b. Click Database Configuration > Network Admission Control. Cisco Secure ACS displays a list of NAC databases. c. Select a NAC database from the list of NAC databases and click Configure. If there is only one NAC database, no list of databases appears and you can click Configure. Tip The Expected Host Configuration page for the selected NAC database appears. The Credential Validation Policies table lists the policies selected for this NAC database.
Chapter 14 Network Admission Control NAC Policies If you want to change a rule element that you have already added to the Rules Elements table, you edit it by selecting the rule element, clicking remove, editing its attribute, operator, or value, and clicking enter again. Tip d. Click Submit. The Policy Configuration page appears again. The new rule appears at the bottom of the Configurable Rules table. You can return to the Edit Rule page by clicking the rule. Tip e.
Chapter 14 Network Admission Control NAC Policies When Cisco Secure ACS applies this policy to a posture validation request and none of the configurable rules match the request, Cisco Secure ACS associates with the policy the default result credential type, token, and action that you specify. Step 7 Click Submit. The Select Local Policies page displays the new policy in the Available Policies list.
Chapter 14 Network Admission Control NAC Policies Cisco Secure ACS evaluates a posture validation request using a NAC database that has 10 local policies and one external policy, but the external NAC servers associated with the external policy are not online, it is irrelevant that the 10 local policies all return SPTs. The failure of the single external policy causes Cisco Secure ACS to reject the posture validation request.
Chapter 14 Network Admission Control NAC Policies ACS cannot reach the primary server or the primary server fails to respond to the request, Cisco Secure ACS will use the secondary server, if it is configured and enabled. For the primary and secondary server configurations, each have the following options: – URL—Specifies the HTTP or HTTPS URL for the server.
Chapter 14 Network Admission Control NAC Policies – Password—Specifies the password for the username in the Username box. – Timeout (Sec)—The number of seconds that Cisco Secure ACS waits for a reply from a server after it forwards the credentials. If a secondary server is configured, requests to the primary server that timeout are forwarded to the secondary server.
• Forwarding Credential Types—Contains two lists for use in specifying which credential types are forwarded to the external server.
– Available Credentials—Specifies the credential types that are not sent to the external server.
– Selected Credentials—Specifies the credential types that are sent to the external server.
Creating an External Policy
This procedure describes how you can create an external policy.
d. Under Credential Validation Policies, click External Policies. The Select External Policies page appears.
e. Click New External Policy. The External Policy Configuration page appears.
Step 2 In the Name box, type a descriptive name for the policy.
Step 3 In the Description box, type a useful description of the policy.
Step 4 In the Primary Server configuration area, do the following:
a. Select the Primary Server configuration check box.
The Select External Policies page displays the new policy in the Available Policies list.
Tip: You can add the policy to any NAC database, not just the NAC database you clicked through to reach the External Policy Configuration page.
Step 8 If you are in the process of configuring a NAC database, resume performing the steps in Configuring a NAC Database, page 14-14.
Tip: If the policy you want to edit does not appear in the Credential Validation Policies table, click Local Policies or External Policies, as applicable, move the policy you want to edit to the Selected Policies list, and click Submit. You can remove the policy from the Credential Validation Policies table when you are done editing it.
The applicable policy configuration page appears.
Step 5 Edit the policy as needed.
Deleting a Policy
Before You Begin
A policy can be deleted only by accessing it through a NAC database that includes the policy in its Credential Validation Policies table.
To delete a policy, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Configuration > Network Admission Control. Cisco Secure ACS displays a list of all possible external user database types.
Step 5 Click Delete Policy.
Step 6 Click Submit. Cisco Secure ACS deletes the policy. The Expected Host Configuration page reappears and the Credential Validation Policies table no longer lists the deleted policy. All NAC databases that were configured to use the policy no longer include the deleted policy.
CHAPTER 15 Unknown User Policy
After you have configured at least one database in the External User Databases section of the HTML interface of Cisco Secure Access Control Server (ACS) for Windows Server, you can decide how to implement other Cisco Secure ACS features related to authentication and posture validation. These features are the Unknown User Policy and user group mapping.
• Posture Validation and the Unknown User Policy, page 15-10
– NAC and the Unknown User Policy, page 15-10
– Posture Validation Use of the Unknown User Policy, page 15-11
– Required Use for Posture Validation, page 15-12
• Authorization of Unknown Users, page 15-13
• Unknown User Policy Options, page 15-13
• Database Search Order, page 15-14
• Configuring the Unknown User Policy, page 15-16
• Disabling Unknown User Authenticat
Known, Unknown, and Discovered Users
Cisco Secure ACS does not support failover authentication. If authentication fails with the database that the user is associated with, Cisco Secure ACS uses no other means to authenticate the user and informs the AAA client of the authentication failure.
– Authentication—The authentication process for discovered users is identical to the authentication process for known users who are authenticated with external user databases and whose Cisco Secure ACS group membership is determined by group mapping.
– Posture Validation—Cisco Secure ACS always uses the Unknown User Policy to determine which NAC database to use for a posture validation request.
Authentication and Unknown Users
The Unknown User Policy enables Cisco Secure ACS to use a variety of external databases to attempt authentication of unknown users. This feature provides the foundation for a basic single sign-on capability through Cisco Secure ACS. Because the incoming authentication requests are handled by external user databases, there is no need for you to maintain within Cisco Secure ACS the credentials of users, such as passwords.
Note: Because usernames in the CiscoSecure user database must be unique, Cisco Secure ACS supports a single instance of any given username across all databases that it is configured to use. For example, assume every external user database contains a user account with the username John. Each account is for a different user, but they each, coincidentally, have the same username.
with various Windows versions differ in the method by which users can specify their domains. For more information, see Windows Dial-up Networking Clients, page 13-10. Using a domain-qualified username allows Cisco Secure ACS to differentiate a user from multiple instances of the same username in different domains.
Note: If your network has multiple occurrences of a username across domains (for example, every domain has a user called Administrator) or if users do not provide their domains as part of their authentication credentials, be sure to configure the Domain List for the Windows user database in the External User Databases section. If not, only the user whose account Windows happens to check first authenticates successfully.
Added Authentication Latency
Adding external user databases against which to authenticate unknown users can significantly increase the time needed for each individual authentication. At best, the time needed for each authentication is the time taken by the external user database to authenticate, plus some time for Cisco Secure ACS processing.
Posture Validation and the Unknown User Policy
This section contains the following topics:
• NAC and the Unknown User Policy, page 15-10
• Posture Validation Use of the Unknown User Policy, page 15-11
• Required Use for Posture Validation, page 15-12
NAC and the Unknown User Policy
For posture validation requests, the Unknown User Policy automates the association of users to a NAC database that applies to the posture vali
Creating different user accounts for the same NAC-client computer enables you to determine from Cisco Secure ACS logs who was logged into a NAC-client computer during posture validation. Because the NAC-compliant applications running on a computer can differ depending upon who is logged into the computer, knowing who is logged in helps you troubleshoot posture validation issues.
Note: If the credentials included in a posture validation request do not satisfy any NAC databases in the Selected Databases list, Cisco Secure ACS rejects the posture validation request. For more information about NAC databases, including information about mandatory credential types, see Chapter 14, “Network Admission Control”.
Authorization of Unknown Users
Although the Unknown User Policy allows authentication and posture validation requests to be processed by databases configured in the External User Database section, Cisco Secure ACS is responsible for all authorizations sent to AAA clients and end-user clients.
• External Databases—Of the databases that you have configured in the External User Databases section, lists the databases that Cisco Secure ACS does not use during posture validation or unknown user authentication.
• Selected Databases—Of the databases that you have configured in the External User Databases section, lists the databases that Cisco Secure ACS does use during posture validation and unknown user authentication.
Database Search Order
• Posture validation—The Unknown User Policy supports all posture validation requests using the following logic:
a. Of the NAC databases in the Selected Databases list, find the first database whose mandatory credential types are satisfied by the credentials received in the posture validation request. If the credentials in the request do not match the mandatory credentials of any database in the list, reject the posture validation request.
b.
Tip: If you create a default NAC database, that is, a NAC database with no mandatory credential types, be sure you list it below all other NAC databases.
Configuring the Unknown User Policy
Use this procedure to configure your Unknown User Policy.
Before You Begin
For information about the Configure the Unknown User Policy page, see Unknown User Policy Options, page 15-13.
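The search order and the default-database tip, plus the no-failover rule for discovered users from earlier in this chapter, as an added example. It is illustrative code, not Cisco Secure ACS code; the database names, credential names and user accounts are constructed, and the order-walk for unknown users is assumed from the authentication bullet of the search order, which is cut off on this page.

```python
"""Added example (not Cisco Secure ACS code): the Unknown User Policy search
order. For posture validation, the first NAC database in the Selected
Databases list whose mandatory credential types are all present in the request
is used, so a default database (no mandatory types) must be last or it hides
every database below it. For authentication, a user that ACS has already
discovered is sent only to its associated database; there is no failover.
Databases and credentials are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class NacDatabase:
    name: str
    mandatory_types: Set[str]  # e.g. {"Cisco:PA"}; empty set = default database

    def satisfied_by(self, credentials: Dict[str, str]) -> bool:
        # Credential names are "<vendor>:<application>:<attribute>".
        present = {k.rsplit(":", 1)[0] for k in credentials}
        return self.mandatory_types <= present


def select_nac_database(selected: List[NacDatabase],
                        credentials: Dict[str, str]) -> Optional[NacDatabase]:
    """First database in list order whose mandatory types are satisfied;
    None means ACS rejects the posture validation request."""
    for db in selected:
        if db.satisfied_by(credentials):
            return db
    return None


def hidden_by_default(selected: List[NacDatabase]) -> List[str]:
    """Names of databases listed below a default database. They can never be
    selected, because the default database satisfies every request first."""
    for i, db in enumerate(selected):
        if not db.mandatory_types:
            return [later.name for later in selected[i + 1:]]
    return []


@dataclass
class UserDatabase:
    name: str
    users: Dict[str, str]  # username -> password; constructed sample data

    def authenticate(self, user: str, password: str) -> Optional[bool]:
        # None: user not in this database; True/False: known, password checked.
        if user not in self.users:
            return None
        return self.users[user] == password


@dataclass
class UnknownUserPolicy:
    selected: List[UserDatabase]
    # username -> name of the database the user was discovered in
    associations: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> Tuple[bool, Optional[str]]:
        if user in self.associations:
            # Known or discovered user: only the associated database is asked,
            # and its failure is final (no failover to another database).
            db = next((d for d in self.selected
                       if d.name == self.associations[user]), None)
            if db is None:
                return False, None
            return db.authenticate(user, password) is True, db.name
        # Unknown user: walk the Selected Databases in order (assumed).
        for db in self.selected:
            if db.authenticate(user, password):
                self.associations[user] = db.name   # the user is now discovered
                return True, db.name
        return False, None
```

Running the posture part with a default database moved to the top shows every other database reported as hidden, which is the misconfiguration the tip warns about; the authentication part shows a discovered user's second attempt going only to the database it was found in.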
Note: For more information about the significance of database order, see Database Search Order, page 15-14.
Step 4 Click Submit. Cisco Secure ACS saves and implements the Unknown User Policy configuration you created. Cisco Secure ACS processes posture validation requests and unknown user authentication requests using the databases in the order listed in the Selected Databases list.
CHAPTER 16 User Group Mapping and Specification
This chapter provides information about group mapping and specification. Cisco Secure Access Control Server (ACS) for Windows Server uses these features to assign users authenticated by an external user database to a single Cisco Secure ACS group.
Group Mapping by External User Database
specified by domain, because each domain maintains its own user database. For Novell NDS user databases, group mapping is further specified by trees, because Cisco Secure ACS supports multiple trees in a single Novell NDS user database. In addition to the Database Group Mapping feature, for some database types, Cisco Secure ACS supports RADIUS-based group specification.
Additionally, users authenticated by an ODBC external user database can also be assigned to a specified Cisco Secure ACS group. Group specification by ODBC database authentication overrides group mapping. For more information about specifying group membership for users authenticated with an ODBC database, see ODBC Database, page 13-55.
Group Mapping by Group Set Membership
Note: For more information about group specification for RADIUS token servers, see RADIUS-Based Group Specification, page 16-14. For more information about group specification for ODBC databases, see Cisco Secure ACS Authentication Process with an ODBC External User Database, page 13-58.
Group Mapping Order
Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a user can belong to more than one group set mapping. For example, a user, John, could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers.
Default Group Mapping for Windows
For Windows user databases, Cisco Secure ACS includes the ability to define a default group mapping. If no other group mapping matches an unknown user authenticated by a Windows user database, Cisco Secure ACS assigns the user to a group based on the default group mapping.
Creating a Cisco Secure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups
Before You Begin
To map a Windows, Novell NDS, or generic LDAP group to a Cisco Secure ACS group, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Group Mappings.
Step 3 Click the external user database name for which you want to configure a group mapping.
Step 6 If you are mapping a Novell NDS group set, click the name of the Novell NDS tree for which you want to configure group set mappings. The Group Mappings for NDS Users table appears.
Step 7 Click Add Mapping. The Create new group mapping for database page opens. The group list displays group names derived from the external user database.
Note: The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set.
Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping
You can change the Cisco Secure ACS group to which a group set mapping is mapped.
Note: The external user database groups of an existing group set mapping cannot be edited.
Step 5 If you are editing a Novell NDS group set mapping, click the name of the Novell NDS tree for which you want to edit a group set mapping. The Group Mappings for NDS Users table appears.
Step 6 Click the group set mapping to be edited. The Edit mapping for database page opens. The external user database group or groups included in the group set mapping appear above the CiscoSecure group list.
If you are deleting a Windows group set mapping, the Domain Configurations table appears. If you are deleting an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are deleting a Windows group set mapping, click the domain name whose group set mapping you want to delete. The Group Mappings for Domain: domainname table appears.
Step 6 Click OK in the confirmation dialog box. Cisco Secure ACS deletes the selected external user database group mapping configuration.
Changing Group Set Mapping Order
You can change the order in which Cisco Secure ACS checks group set mappings for users authenticated by Windows, Novell NDS, and generic LDAP databases. To order group mappings, you must have already mapped them.
The Order mappings for database page appears. The group mappings for the current database appear in the Order list.
Step 7 Select the name of a group set mapping you want to move, and then click Up or Down until it is in the position you want.
Step 8 Repeat Step 7 until the group mappings are in the order you need.
Step 9 Click Submit. The Group Mappings for database page displays the group set mappings in the order you defined.
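How the order you set in the procedure above decides the outcome for a user like John, who is in more than one group set, as an added example. This is illustrative code, not Cisco Secure ACS code; the external group names and ACS group numbers are constructed, and the subset test is the reading of the asterisk note (a user may belong to groups outside the set) given earlier in this section.

```python
"""Added example (not Cisco Secure ACS code): resolving a user's external
groups to a single ACS group through ordered group set mappings. A mapping
matches when every group in its set is among the user's groups (the user may
belong to other groups too, which is what the trailing asterisk in the Group
Mappings table means); the first matching mapping in the configured order
wins; a default mapping catches users who match nothing. Group names and
ACS group numbers are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class GroupSetMapping:
    external_groups: FrozenSet[str]  # e.g. {"Engineering", "California"}
    acs_group: Optional[int]         # ACS group 0-499, or None for no access

    def matches(self, user_groups: Set[str]) -> bool:
        return self.external_groups <= user_groups


def map_user(mappings: List[GroupSetMapping], user_groups: Set[str],
             default: Optional[int] = None) -> Optional[int]:
    """First matching mapping in list order wins; otherwise the default
    mapping (Windows databases) or, with no default, no access."""
    for mapping in mappings:
        if mapping.matches(user_groups):
            return mapping.acs_group
    return default


def unreachable_mappings(mappings: List[GroupSetMapping]) -> List[GroupSetMapping]:
    """Mappings that can never win because an earlier mapping's set is a
    subset of theirs: any user who matches them matched the earlier one
    first. Fix by moving the more specific (larger) set up in the order."""
    return [m for i, m in enumerate(mappings)
            if any(earlier.external_groups <= m.external_groups
                   for earlier in mappings[:i])]


def move(mappings: List[GroupSetMapping], index: int, up: bool) -> List[GroupSetMapping]:
    """The Up/Down buttons of the Order mappings page, as a pure function."""
    new = list(mappings)
    j = index - 1 if up else index + 1
    if 0 <= j < len(new):
        new[index], new[j] = new[j], new[index]
    return new


# Constructed from the example in the text: John is in Engineering,
# California and Managers (and, like most Windows users, Domain Users).
ENG_CA = GroupSetMapping(frozenset({"Engineering", "California"}), 10)
ENG_MGR = GroupSetMapping(frozenset({"Engineering", "Managers"}), 20)
ENG = GroupSetMapping(frozenset({"Engineering"}), 30)
JOHN = {"Engineering", "California", "Managers", "Domain Users"}

if __name__ == "__main__":
    print(map_user([ENG_CA, ENG_MGR], JOHN))   # 10: Engineering+California listed first
    print(map_user([ENG_MGR, ENG_CA], JOHN))   # 20: order reversed
    print(unreachable_mappings([ENG, ENG_CA, ENG_MGR]))  # both: ENG on top hides them
```

The unreachable check is the one worth running after any reordering: a broad set such as Engineering alone placed above Engineering and Managers silently swallows every manager, and nothing in the table itself flags that.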
NAC Group Mapping
Cisco Secure ACS displays the Token-to-User-Group Mapping page for the NAC database you selected.
Step 4 For each SPT, follow these steps:
a. From the User Group list, select a group or, if you want to deny access, select the option that denies access, which is the default selection.
RADIUS-Based Group Specification
To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair, with the following value:
ACS:CiscoSecure-Group-Id = N
where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user.
APPENDIX A Troubleshooting
This appendix provides information about certain basic problems and describes how to resolve them. Scan the column on the left to identify the condition that you are trying to resolve, and then carefully go through each corresponding recovery action offered in the column on the right.
Administration Issues
Condition: Remote administrator cannot bring up the Cisco Secure ACS HTML interface in a browser or receives a warning that access is not permitted.
Recovery Action:
• Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows Server Version 3.3 for a list of supported browsers.
• Ping Cisco Secure ACS to confirm connectivity.
Condition: Administrator configured for event notification is not receiving e-mail.
Recovery Action: Ensure that the SMTP server name is correct. If the name is correct, ensure that the computer running Cisco Secure ACS can ping the SMTP server or can send e-mail via a third-party e-mail software package. Make sure you have not used underscores in the e-mail address.
Condition: Remote Administrator receives
Recovery Action: Restart the CSADMIN service.
Browser Issues
Condition: The browser cannot bring up the Cisco Secure ACS HTML interface.
Recovery Action: Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser. See System Requirements, page 2-2, for a list of browsers supported by Cisco Secure ACS, and the release notes for known issues with a particular browser version.
Cisco IOS Issues
Condition: The results of show eou all or show eou ip address include postures that do not match the actual result of posture validation, or display “-------” instead of a posture.
Recovery Action: If the posture displayed is “-------”, the AAA client is not receiving the posture-token attribute-value (AV) pair within a Cisco IOS/PIX RADIUS cisco-av-pair vendor-specific attribute (VSA).
Condition: Under EXEC Commands, Cisco IOS commands are not being denied when checked.
Recovery Action: Examine the Cisco IOS configuration at the AAA client. If it is not already present, add the following Cisco IOS command to the AAA client configuration (the keyword is commands, plural, followed by the privilege level):
aaa authorization commands <0-15> default group tacacs+
The correct syntax for the arguments in the text box is permit argument or deny argument.
Database Issues
Condition: RDBMS Synchronization is not operating properly.
Recovery Action: Make sure that the correct server is listed in the Partners list.
Condition: Database Replication is not operating properly.
Recovery Action:
• Make sure you have set the server correctly as either Send or Receive.
• On the sending server, make sure the receiving server is in the Replication list.
Condition: The external user database is not available in the Group Mapping section.
Condition: External databases are not operating properly.
Recovery Action: Make sure that a two-way trust (for dial-in check) has been established between the Cisco Secure ACS domain and the other domains. If Cisco Secure ACS is installed on a Member Server and is authenticating to a Domain Controller, see the “Authentication Failures When ACS/NT 3.0 Is Authenticating to Active Directory” Field Notice at the following URL: http://www.cisco.
Condition: Unable to authenticate against the Novell NDS database.
Recovery Action: Make sure that the tree name, context name, and container name are all specified correctly. Start with one container where users are present; then you can add more containers later, if needed. If you are successful, check on the AAA client to see if you can authenticate the shell user (Telnet user).
Dial-in Connection Issues
Condition: A dial-in user cannot connect to the AAA client.
Recovery Action: Examine the Cisco Secure ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error. Confirm the following: No record of the attempt appears in either the TACACS+ or RADIUS Accounting Report (in the Reports & Activity section, click TACACS+ Accounting or RADIUS Accounting or Failed Attempts).
Condition: A dial-in user cannot connect to the AAA client.
Recovery Action: Create a local user in the CiscoSecure user database and test whether authentication is successful. If it is successful, the issue is that the user information is not correctly configured for authentication in Windows or Cisco Secure ACS.
Condition: A dial-in user cannot connect to the AAA client.
Recovery Action: From within Cisco Secure ACS confirm the following: The CiscoSecure user database is being used for authentication. A record of a failed attempt is displayed in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).
• The username has been entered into Cisco Secure ACS.
Condition: A dial-in user cannot connect to the AAA client, and a Telnet connection cannot be authenticated across the LAN.
Recovery Action: Determine whether Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports. Based on what does not appear in the reports and which database is being used, troubleshoot the problem based on one of the following:
• Line/modem configuration problem.
Debug Issues
Condition: When you run debug aaa authentication on the AAA client, Cisco Secure ACS returns a failure message.
Recovery Action: The configurations of the AAA client or Cisco Secure ACS are likely to be at fault. From within Cisco Secure ACS confirm the following: Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports.
Proxy Issues
Condition: Proxying requests to another server fails.
Recovery Action: Make sure that the following conditions are met:
• The direction on the remote server is set to Incoming/Outgoing or Incoming, and the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.
• The shared secret (key) matches the shared secret of one or both Cisco Secure ACSes.
Installation and Upgrade Issues
Condition: The following error message appears when you try to upgrade or uninstall Cisco Secure ACS: The following file is invalid or the data is corrupted "DelsL1.
Recovery Action: From the Windows Registry, delete the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CiscoSecure
Report Issues
Condition: The lognameactive.csv report is blank.
Recovery Action: You changed protocol configurations recently. Whenever protocol configurations change, the existing lognameactive.csv report file is renamed to lognameyyyy-mm-dd.csv, and a new, blank lognameactive.csv report is generated.
Condition: A report is blank.
Recovery Action: Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname.
Condition: The Logged in Users report works with some devices, but not with others.
Recovery Action: For the Logged in Users report to work (and this also applies to most other features involving sessions), packets should include at least the following fields:
• Authentication Request packet
– nas-ip-address
– nas-port
• Accounting Start packet
– nas-ip-address
– nas-port
– session-id
– framed-ip-address
• Accounting Stop packet
– nas-ip-address
– nas-port
– s
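Why those fields matter, as an added example that is not Cisco Secure ACS code: a minimal logged-in-users tracker keyed the way a session report has to be keyed. The packets are constructed dictionaries of attribute names rather than captures, and because the Stop list is cut off on this page, only nas-ip-address, nas-port and session-id are assumed as the Stop minimum.

```python
"""Added example (not Cisco Secure ACS code): a minimal logged-in-users
tracker that shows why the attributes listed above are required. Sessions are
keyed by nas-ip-address, nas-port and session-id, so a Start or Stop packet
missing any of them cannot be matched and is rejected rather than guessed at;
a rejected Stop leaves a stale session in the report, which is the symptom
the table describes. The Stop requirements beyond session-id are cut off on
this page, so only those three are assumed here. Packets are constructed
dictionaries, not captures."""
from typing import Dict, List, Tuple

REQUIRED = {
    "auth":  {"nas-ip-address", "nas-port"},
    "start": {"nas-ip-address", "nas-port", "session-id", "framed-ip-address"},
    "stop":  {"nas-ip-address", "nas-port", "session-id"},   # assumed minimum
}


def missing_fields(kind: str, packet: Dict[str, str]) -> List[str]:
    """Sorted names of required attributes absent from the packet."""
    return sorted(REQUIRED[kind] - set(packet))


class LoggedInUsers:
    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, str, str], Dict[str, str]] = {}
        self.rejected: List[Tuple[str, List[str]]] = []  # (kind, missing) per bad packet

    @staticmethod
    def _key(packet: Dict[str, str]) -> Tuple[str, str, str]:
        return packet["nas-ip-address"], packet["nas-port"], packet["session-id"]

    def accounting(self, kind: str, packet: Dict[str, str]) -> bool:
        """Apply an Accounting Start or Stop. Returns False if the packet lacks
        a required field, in which case the report cannot track the session."""
        missing = missing_fields(kind, packet)
        if missing:
            self.rejected.append((kind, missing))
            return False
        if kind == "start":
            self.sessions[self._key(packet)] = {
                "user": packet.get("user-name", "?"),
                "ip": packet["framed-ip-address"],
            }
        elif kind == "stop":
            self.sessions.pop(self._key(packet), None)
        return True

    def users(self) -> List[str]:
        return sorted(s["user"] for s in self.sessions.values())


def demo() -> Tuple[List[str], List[str], List[Tuple[str, List[str]]]]:
    """One AAA client that sends complete packets and one that omits
    session-id from its Stop. Returns the report after the Starts, the
    report after the Stops, and the rejected packets."""
    report = LoggedInUsers()
    good = {"nas-ip-address": "10.0.0.1", "nas-port": "1", "session-id": "0000001A",
            "framed-ip-address": "192.0.2.10", "user-name": "alice"}
    bad = {"nas-ip-address": "10.0.0.2", "nas-port": "7", "session-id": "0000002B",
           "framed-ip-address": "192.0.2.11", "user-name": "bob"}
    report.accounting("start", good)
    report.accounting("start", bad)
    after_start = report.users()
    report.accounting("stop", good)
    bad_stop = {k: v for k, v in bad.items() if k != "session-id"}
    report.accounting("stop", bad_stop)   # cannot be matched: bob stays logged in
    return after_start, report.users(), report.rejected


if __name__ == "__main__":
    print(demo())
```

The second device's user never leaves the report, and the rejected list names the attribute that device omitted, which is the first thing to check in its accounting configuration.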
Third-Party Server Issues
Condition: You cannot successfully implement the RSA token server.
Recovery Action:
1. Log in to the computer running Cisco Secure ACS. (Make sure your login account has administrative privileges.)
2. Make sure the RSA Client software is installed on the same computer as Cisco Secure ACS.
3. Follow the setup instructions. Do not restart at the end of the installation.
4. Get the file named sdconf.
User Authentication Issues
Condition: After the administrator disables the Dialin Permission setting, Windows database users can still dial in and apply the Callback string configured under the Windows user database. (You can locate the Dialin Permission check box by clicking External User Databases, clicking Database Configuration, clicking Windows Database, and clicking Configure.)
Recovery Action: Restart Cisco Secure ACS services.
Condition: Authentication fails; the error “Unknown NAS” appears in the Failed Attempts log.
Recovery Action: Verify the following:
• The AAA client is configured under the Network Configuration section.
• If you have the RADIUS or TACACS+ source-interface command configured on the AAA client, make sure the AAA client entry on Cisco Secure ACS uses the IP address of the interface specified, because that is the source address of the requests ACS receives.
TACACS+ and RADIUS Attribute Issues
Condition: TACACS+ and RADIUS attributes do not appear on the Group Setup page.
Recovery Action: Make sure that you have at least one RADIUS or TACACS+ AAA client configured in the Network Configuration section and that, in the Interface Configuration section, you have enabled the attributes you need to configure.
APPENDIX B TACACS+ Attribute-Value Pairs
Cisco Secure Access Control Server (ACS) for Windows Server supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value.
Cisco IOS AV Pair Dictionary
Before selecting TACACS+ AV pairs for Cisco Secure ACS, confirm that your AAA client is running Cisco IOS Release 11.2 or later.
TACACS+ AV Pairs
Note: Beginning with Cisco Secure ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and callback supersede the following attributes:
• addr
• addr-pool
• callback-dialstring
Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).
Cisco Secure ACS supports many TACACS+ AV pairs.
• ip-addresses
• link-compression=
• load-threshold=n
• max-links=n
• nas-password
• nocallback-verify
• noescape=
• nohangup=
• old-prompts
• outacl#n
• outacl=
• pool-def#n
• pool-timeout=
• ppp-vj-slotcompression
• priv-lvl=
• protocol=
• route
• route#n
• routing=
• rte-ftr-in#n
• rte-ftr-out#n
• sap#n
• sap-fltr-in#n
• sap-fltr-out#n
• service=
• source-ip=
• timeout=
• tunnel-
• wins-servers=
• zonelist=
TACACS+ Accounting AV Pairs
Cisco Secure ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients.
• protocol
• reason
• service
• start_time
• stop_time
• task_id
• timezone
• xmit-rate
APPENDIX C RADIUS Attributes
Cisco Secure Access Control Server (ACS) for Windows Server supports many RADIUS attributes. You can enable different attribute-value (AV) pairs for IETF RADIUS and for any supported vendor. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes supported by Cisco Secure ACS. For outbound attributes, you can configure the attributes sent and their content using the Cisco Secure ACS HTML interface.
Cisco IOS Dictionary of RADIUS AV Pairs
3. In the profile you use to control authorizations for the user—either in User Setup or Group Setup—the attribute must be enabled. This causes Cisco Secure ACS to send the attribute to the AAA client in the access-accept message. In the options associated with the attribute, you can determine the value of the attribute sent to the AAA client.
Note: Settings in a user profile override settings in a group profile.
Note: If you specify a given AV pair on Cisco Secure ACS, the corresponding AV pair must be implemented in the Cisco IOS software running on the network device. Always consider which AV pairs your Cisco IOS release supports. If Cisco Secure ACS sends an AV pair that the Cisco IOS software does not support, the attribute is not implemented.
Table C-1 Cisco IOS Software RADIUS AV Pairs (continued)
Number | Attribute | Type of Value | Inbound/Outbound | Multiple
13 | Framed-Compression | Integer | Outbound | Yes
14 | Login-IP-Host | Ipaddr (maximum length 15 characters) | Both | Yes
15 | Login-Service | Integer | Both | No
16 | Login-TCP-Port | Integer (maximum length 10 characters) | Outbound | No
18 | Reply-Message | String | Outbound | Yes
21 | Expiration | Date | — | —
22 | Framed-Route | Str
Appendix C RADIUS Attributes Cisco IOS/PIX Dictionary of RADIUS VSAs Table C-1 Cisco IOS Software RADIUS AV Pairs (continued) Number Attribute Type of Value Inbound/Outbound Multiple 47 Acct-Input-Packets Integer Inbound No 48 Acct-Output-Packets Integer Inbound No 49 Acct-Terminate-Cause Integer Inbound No 61 NAS-Port-Type Integer Inbound No 62 NAS-Port-Limit Integer (maximum length Both 10 characters) No Cisco IOS/PIX Dictionary of RADIUS VSAs Cisco Secure ACS supports Cis
Table C-2 Cisco IOS/PIX RADIUS VSAs (continued)
Number | Attribute | Type of Value | Inbound/Outbound | Multiple
24 | cisco-h323-conf-id | String | Inbound | No
25 | cisco-h323-setup-time | String | Inbound | No
26 | cisco-h323-call-origin | String | Inbound | No
27 | cisco-h323-call-type | String | Inbound | No
28 | cisco-h323-connect-time | String | Inbound | No
29 | cisco-h323-disconnect-time | String | Inbound | No
30 | cisco-h323-disconnect-cause | Str
Table C-2 Cisco IOS/PIX RADIUS VSAs (continued)
Number | Attribute | Type of Value | Inbound/Outbound | Multiple
250 | cisco-ssg-account-info | String (maximum length 247 characters) | Outbound | No
251 | cisco-ssg-service-info | String (maximum length 247 characters) | Both | No
253 | cisco-ssg-control-info | String (maximum length 247 characters) | Both | No
About the cisco-av-pair RADIUS Attribute
The first attribute in the Cisco IOS/PIX RADIU
In IOS, support for Network Admission Control (NAC) includes the use of the following AV pairs:
• url-redirect—Enables the AAA client to intercept an HTTP request and redirect it to a new URL. This is especially useful if the result of posture validation indicates that the NAC-client computer requires an update or patch that you have made available on a remediation web server.
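The following is an added example, not code from the Cisco Secure ACS guide or from Cisco. It shows how a cisco-av-pair such as the url-redirect pair above is carried on the wire: every vendor dictionary in this appendix (Cisco IOS/PIX vendor 9, Microsoft vendor 311, and so on) is transported inside the IETF Vendor-Specific attribute (type 26) as vendor-id, vendor-type, vendor-length and value, per RFC 2865 section 5.26. The encoder enforces the single-octet length limit, and the decoder rejects inconsistent lengths instead of tolerating them. The redirect URL and the MS-MPPE-Encryption-Policy value are constructed sample data.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (type 26).

Added example, not code from the Cisco Secure ACS guide. Wire layout per
RFC 2865 section 5.26; sample values are constructed for the demonstration.
"""
import struct
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26            # IETF attribute type that carries every VSA
CISCO_VENDOR_ID = 9             # Cisco IOS/PIX dictionary
MICROSOFT_VENDOR_ID = 311       # Microsoft MPPE dictionary
CISCO_AV_PAIR = 1               # vendor-type of cisco-av-pair
MS_MPPE_ENCRYPTION_POLICY = 7   # vendor-type from Table C-7


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Return one Vendor-Specific attribute:
    Type(1) Length(1) Vendor-Id(4) Vendor-type(1) Vendor-length(1) value."""
    if not 0 <= vendor_id <= 0xFFFFFFFF or not 0 <= vendor_type <= 255:
        raise ValueError("vendor id or vendor type out of range")
    vendor_len = 2 + len(value)         # counts vendor-type, vendor-length, value
    if vendor_len > 255 - 6:            # whole attribute length is one octet
        raise ValueError("VSA value too long for a single attribute")
    body = struct.pack("!IBB", vendor_id, vendor_type, vendor_len) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_cisco_av_pair(av_pair: str) -> bytes:
    """cisco-av-pair is a string VSA whose value is 'name=value' text."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR, av_pair.encode("ascii"))


def encode_integer_vsa(vendor_id: int, vendor_type: int, value: int) -> bytes:
    """Integer VSAs carry a 32-bit big-endian value."""
    return encode_vsa(vendor_id, vendor_type, struct.pack("!I", value))


def decode_vsas(attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value)
    for each Vendor-Specific attribute. Other attributes are skipped;
    inconsistent lengths raise rather than being silently accepted."""
    found = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("attribute length does not fit the buffer")
        if atype == VENDOR_SPECIFIC:
            body = attrs[i + 2:i + alen]
            if len(body) < 6:
                raise ValueError("VSA shorter than its fixed header")
            vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vlen < 2 or 4 + vlen > len(body):
                raise ValueError("vendor-length inconsistent with attribute length")
            found.append((vendor_id, vtype, body[6:4 + vlen]))
        i += alen
    return found


def safe_decode_vsas(attrs: bytes) -> Optional[List[Tuple[int, int, bytes]]]:
    """Same as decode_vsas, but returns None for malformed input."""
    try:
        return decode_vsas(attrs)
    except ValueError:
        return None


def sample_access_accept_attributes() -> bytes:
    """Constructed attribute list: a NAC url-redirect av-pair plus
    MS-MPPE-Encryption-Policy = 2 (Encryption-Required per RFC 2548; the
    guide itself lists no enumerated values for this attribute)."""
    return (encode_cisco_av_pair("url-redirect=https://remediation.example.net/update")
            + encode_integer_vsa(MICROSOFT_VENDOR_ID, MS_MPPE_ENCRYPTION_POLICY, 2))


if __name__ == "__main__":
    for vendor, vtype, value in decode_vsas(sample_access_accept_attributes()):
        print(vendor, vtype, value)
```

The 247-character maximum the tables give for string VSAs such as cisco-ssg-account-info follows directly from the layout: 255 octets total, minus 6 for the attribute and vendor headers, minus 2 for vendor-type and vendor-length.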
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs
Cisco Secure ACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076. Table C-3 lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs.
Note Some of the RADIUS VSAs supported by Cisco VPN 3000 Concentrators are interdependent.
Table C-3 Cisco VPN 3000 Concentrator RADIUS VSAs (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
6  CVPN3000-Secondary-DNS  Ipaddr (maximum length 15 characters)  Outbound  No
7  CVPN3000-Primary-WINS  Ipaddr (maximum length 15 characters)  Outbound  No
8  CVPN3000-Secondary-WINS  Ipaddr (maximum length 15 characters)  Outbound  No
9  CVPN3000-SEP-Card-Assignment  Integer  Outbound  No
11
Table C-3 Cisco VPN 3000 Concentrator RADIUS VSAs (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
30  CVPN3000-IPSec-Tunnel-Type  Integer  Outbound  No
31  CVPN3000-IPSec-Mode-Config  Integer  Outbound  No
33  CVPN3000-IPSec-User-Group-Lock  Integer  Outbound  No
34  CVPN3000-IPSec-Over-UDP  Integer  Outbound  No
35  CVPN3000-IPSec-Over-UDP-Port  Integer (maximum length 10 characters  Outbound
Table C-3 Cisco VPN 3000 Concentrator RADIUS VSAs (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
50  CVPN3000-Authenticated-User-Idle-Timeout  Integer (maximum length 10 characters)  Outbound  No
51  CVPN3000-Cisco-IP-Phone-Bypass  Integer  Outbound  No
52  CVPN3000-User-Auth-Server-Name  String (maximum length 247 characters)  Outbound  No
53  CVPN3000-User-Auth-Server-Port  Integer (maximum
Table C-3 Cisco VPN 3000 Concentrator RADIUS VSAs (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
64  CVPN3000-Allow-Network-Extension-Mode  Integer  Outbound  No
135  CVPN3000-Strip-Realm  Integer  Outbound  No

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
Cisco Secure ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255.
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
Cisco Secure ACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263. Table C-5 lists the supported Cisco BBSM RADIUS VSA.
IETF Dictionary of RADIUS AV Pairs
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Type of Value  Description
5  NAS-Port  Integer  Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command.
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Type of Value  Inbound/Outbound  Multiple  Description
6  Service-Type  Integer  Both  No  Type of service requested or type of service to be provided:
  • In a request:
    – Framed—For known PPP or SLIP (Serial Line Internet Protocol) connection.
    – Administrative User—For enable command.
  • In a response:
    – Login—Make a connection.
    – Framed—Start SLIP or PPP.
Table C-6 RADIUS (IETF) Attributes (continued)
Type of Value  Inbound/Outbound  Multiple  Description
(Rows whose Number and Name columns were lost in extraction; only the remaining cells survive.)
Integer  Outbound  No
[not recovered]  Outbound  Yes
[not recovered]  Outbound  No
Integer  [not recovered]  [not recovered]  Compression protocol used for the link. This attribute results in “/compress” being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Description
15  Login-Service  Service that should be used to connect the user to the login host.
Table C-6 RADIUS (IETF) Attributes (continued)
Type of Value  Inbound/Outbound  Multiple  Description
(Rows whose Number and Name columns were lost in extraction; only the remaining cells survive.)
String (maximum length 253 characters)  Outbound  No
String  [not recovered]  [not recovered]  Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server.
Table C-6 RADIUS (IETF) Attributes (continued)
(Row whose Number, Name, Type of Value, Inbound/Outbound and Multiple columns were lost in extraction; only the description survives.)
Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This AV becomes the per-user session-timeout. This attribute is not valid for PPP sessions.
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Description
34  Login-LAT-Service  System with which the user is to be connected by local area transport (LAT) protocol. This attribute is only available in the EXEC mode.
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Type of Value  Description
44  Acct-Session-Id  String  Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable.
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Type of Value  Description
49  Acct-Terminate-Cause  Integer  Reports details on why the connection was terminated.
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Description  Type of Value  Inbound/Outbound  Multiple
52  Acct-Input-Gigawords  —  Integer  Inbound  No
53  Acct-Output-Gigawords  —  Integer  Inbound  No
55  Event-Timestamp  —  Date  Inbound  No
60  CHAP-Challenge  —  String  Inbound  No
61  NAS-Port-Type  Indicates the type of physical port the AAA client is using to authenticate the user.  Integer
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Description  Type of Value  Inbound/Outbound  Multiple
[not recovered]  [not recovered]  —  Tagged string  Both  Yes
67  Tunnel-Server-Endpoint  —  Tagged string  Both  Yes
68  Acct-Tunnel-Connection  —  String  Inbound  No
69  Tunnel-Password  —  Tagged string  Both  Yes
70  ARAP-Password  —  String  Inbound  No
71  ARAP-Features  —  String  Outbound  No
72  ARAP-Zone-Access  —  Integer  Outbound  No
73  ARAP-Security  —  Integer  Inboun
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Description  Type of Value  Inbound/Outbound  Multiple
[not recovered]  Tunnel-Private-Group-ID  —  Tagged string  Both  Yes
82  Tunnel-Assignment-ID  —  Tagged string  Both  Yes
83  Tunnel-Preference  —  Tagged integer  Both  No
85  Acct-Interim-Interval  —  Integer  Outbound  No
87  NAS-Port-Id  —  String  Inbound  No
88  Framed-Pool  —  String  Internal use only  No
90  Tunnel-Client-Auth-ID  —  Tagged string  Both  Yes
Table C-6 RADIUS (IETF) Attributes (continued)
Number  Name  Description  Type of Value  Inbound/Outbound  Multiple
193  Pre-Output-Packets  —  Integer  Inbound  No
194  Maximum-Time  —  Integer  Both  No
195  Disconnect-Cause  —  Integer  Inbound  No
197  Data-Rate  —  Integer  Inbound  No
198  Pre-Session-Time  —  Integer  Inbound  No
208  PW-Lifetime  —  Integer  Outbound  No
209  IP-Direct  —  Ipaddr  Outbound  No
210  PPP-VJ-SlotCom
Microsoft MPPE Dictionary of RADIUS VSAs
Cisco Secure ACS supports the Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE). The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP.
Table C-7 Microsoft MPPE RADIUS VSAs (continued)
Number  Attribute  Type of Value  Description  Inbound/Outbound  Multiple
[not recovered]  MS-CHAP-LM-Enc-PW  String  —  Inbound  No
6  MS-CHAP-NT-Enc-PW  String  —  Inbound  No
7  MS-MPPE-Encryption-Policy  Integer  The MS-MPPE-Encryption-Policy attribute signifies whether the use of encryption is allowed or required.  Outbound  No
Table C-7 Microsoft MPPE RADIUS VSAs (continued)
Number  Attribute  Type of Value  Description  Inbound/Outbound  Multiple
12  MS-CHAP-MPPE-Keys  String  The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets.  Outbound  No
Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.
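The guide says only that Cisco Secure ACS autogenerates MS-CHAP-MPPE-Keys. The following added example (not from the guide or from Cisco) shows what protects those session keys in transit, relying on RFC 2548 rather than on anything stated on this page: the 32-octet value (LM-Key, NT-Key, 8 octets of padding) is hidden with the same method RFC 2865 section 5.2 uses for User-Password, so the RADIUS shared secret and the 16-octet Request-Authenticator are the only secrets involved. All keys, secrets and authenticator bytes below are constructed sample data.

```python
"""How the MS-CHAP-MPPE-Keys value is hidden on the wire.

Added example, not from the guide. The 32-octet field layout and the use of
the RFC 2865 section 5.2 User-Password hiding method come from RFC 2548
(an assumption here, not stated on the page). Each 16-octet block is XORed
with MD5(shared_secret || previous block), the first "previous block" being
the Request-Authenticator. All byte values are constructed sample data.
"""
import hashlib

BLOCK = 16


def build_mppe_keys_field(lm_key: bytes, nt_key: bytes) -> bytes:
    """Assemble the 32-octet plaintext field: LM-Key(8) NT-Key(16) pad(8)."""
    if len(lm_key) != 8 or len(nt_key) != 16:
        raise ValueError("LM-Key must be 8 octets and NT-Key 16 octets")
    return lm_key + nt_key + bytes(8)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide(plain: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2 hiding: c1 = p1 ^ MD5(S||RA), cn = pn ^ MD5(S||c(n-1))."""
    if len(plain) % BLOCK or len(request_authenticator) != BLOCK:
        raise ValueError("plaintext must be a multiple of 16 octets; RA is 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(plain), BLOCK):
        c = _xor(plain[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return out


def unhide(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide(): the AAA client recovers the keys with the same secret."""
    if len(hidden) % BLOCK or len(request_authenticator) != BLOCK:
        raise ValueError("ciphertext must be a multiple of 16 octets; RA is 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out


def demo(secret: bytes = b"constructed-shared-secret") -> dict:
    """Round-trip a constructed key field and show that a different secret
    does not recover it. Inputs are deterministic so the result is checkable."""
    ra = bytes(range(16))                       # constructed Request-Authenticator
    field = build_mppe_keys_field(b"\x11" * 8, b"\x22" * 16)
    hidden = hide(field, secret, ra)
    return {
        "roundtrip_ok": unhide(hidden, secret, ra) == field,
        "wrong_secret_ok": unhide(hidden, b"other-secret", ra) == field,
        "hidden_len": len(hidden),
        "hidden_differs": hidden != field,
    }


if __name__ == "__main__":
    print(demo())
```

Because the hiding is a keystream derived from MD5 of the shared secret, the strength of the shared secret between Cisco Secure ACS and the AAA client is what stands between an observer of the RADIUS exchange and the MPPE session keys; the "Multiple: No" and "Access-Accept only" properties in the table do not change that.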
Ascend Dictionary of RADIUS AV Pairs
Cisco Secure ACS supports the Ascend RADIUS AV pairs. Table C-8 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types:
• String—0-253 octets.
• Abinary—0-254 octets.
• Ipaddr—4 octets in network byte order.
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
6  Service-Type  Integer  Both  No
7  Framed-Protocol  Integer  Both  No
8  Framed-IP-Address  Ipaddr  Both  No
9  Framed-IP-Netmask  Ipaddr  Outbound  No
10  Framed-Routing  Integer  Outbound  No
11  Framed-Filter  String  Outbound  Yes
12  Framed-MTU  Integer  Outbound  No
13  Framed-Compression  Integer  Outbound  Yes
14  L
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
44  Acct-Session-Id  Integer  Inbound  No
45  Acct-Authentic  Integer  Inbound  No
46  Acct-Session-Time  Integer  Inbound  No
47  Acct-Input-Packets  Integer  Inbound  No
48  Acct-Output-Packets  Integer  Inbound  No
64  Tunnel-Type  String  Both  Yes
65  Tunnel-Medium-Type  String  Both  Yes
66  Tunnel-Client-Endpoint  St
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
112  Ascend-CBCP-Enable  String  Both  No
113  Ascend-CBCP-Mode  String  Both  No
114  Ascend-CBCP-Delay  String (maximum length 10 characters)  Both  No
115  Ascend-CBCP-Trunk-Group  String (maximum length 10 characters)  Both  No
116  Ascend-AppleTalk-Route  String (maximum length 253 characters)  Both  No
117  Ascend-Appl
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
128  Ascend-Shared-Profile-Enable  Integer  Both  No
129  Ascend-Primary-Home-Agent  String (maximum length 253 characters)  Both  No
130  Ascend-Secondary-Home-Agent  String (maximum length 253 characters)  Both  No
131  Ascend-Dialout-Allowed  Integer  Both  No
133  Ascend-BACP-Enable  Integer  Both  No
134  Ascend-DHCP-Max
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
145  Ascend-Assign-IP-Server  Ipaddr (maximum length 15 characters)  Outbound  No
146  Ascend-Assign-IP-Global-Pool  String (maximum length 253 characters)  Outbound  No
DHCP Server Functions
147  Ascend-DHCP-Reply  Integer  Outbound  No
148  Ascend-DHCP-Pool-Number  Integer (maximum length 10 characters)  Outbound  No
Integer  O
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
Frame Datalink Profiles
156  Ascend-FR-Circuit-Name  String (maximum length 253 characters)  Outbound  No
157  Ascend-FR-LinkUp  Integer (maximum length 10 characters)  Outbound  No
158  Ascend-FR-Nailed-Group  Integer (maximum length 10 characters)  Outbound  No
159  Ascend-FR-Type  Integer (maximum length 10 characters)  Outboun
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
170  Ascend-TS-Idle-Mode  Integer (maximum length 10 characters)  Outbound  No
171  Ascend-DBA-Monitor  Integer (maximum length 10 characters)  Outbound  No
172  Ascend-Base-Channel-Count  Integer (maximum length 10 characters)  Outbound  No
173  Ascend-Minimum-Channels  Integer (maximum length 10 characters)  Outbound  No
IPX St
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
185  Ascend-Home-Network-Name  String (maximum length 253 characters)  Outbound  No
186  Ascend-Home-Agent-UDP-Port  Integer (maximum length 10 characters)  Outbound  No
187  Ascend-Multilink-ID  Integer  Inbound  No
188  Ascend-Num-In-Multilink  Integer  Inbound  No
189  Ascend-First-Dest  Ipaddr  Inbound  No
190  Ascend-Pre-I
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
205  Ascend-Menu-Selector  String (maximum length 253 characters)  Outbound  No
206  Ascend-Menu-Item  String  Outbound  Yes
RADIUS Password Expiration Options
207  Ascend-PW-Warntime  Integer (maximum length 10 characters)  Outbound  No
208  Ascend-PW-Lifetime  Integer (maximum length 10 characters)  Outbound  No
209  Ascend-IP-
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
221  Ascend-FR-Direct-DLCI  Integer (maximum length 10 characters)  Outbound  No
222  Ascend-Handle-IPX  Integer  Outbound  No
223  Ascend-Netware-Timeout  Integer (maximum length 10 characters)  Outbound  No
224  Ascend-IPX-Alias  String (maximum length 253 characters)  Outbound  No
225  Ascend-Metric  Integer (maximum length 10
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
238  Ascend-Seconds-Of-History  Integer (maximum length 10 characters)  Outbound  No
239  Ascend-History-Weigh-Type  Integer  Outbound  No
240  Ascend-Add-Seconds  Integer (maximum length 10 characters)  Outbound  No
241  Ascend-Remove-Seconds  Integer (maximum length 10 characters)  Outbound  No
Connection Profile/Session Option
Table C-8 Ascend RADIUS Attributes (continued)
Number  Attribute  Type of Value  Inbound/Outbound  Multiple
253  Ascend-PPP-Address  Ipaddr (maximum length 15 characters)  Outbound  No
MPP Percent Idle Attribute
254  Ascend-MPP-Idle-Percent  Integer (maximum length 10 characters)  Outbound  No
255  Ascend-Xmit-Rate  Integer (maximum length 10 characters)  Outbound  No

Nortel Dictionary of RADIUS VSAs
Table C-9 lists the Nortel RADIUS VSAs s
Juniper Dictionary of RADIUS VSAs
Table C-10 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS. The Juniper vendor ID number is 2636.
Appendix D CSUtil Database Utility
This appendix details the Cisco Secure Access Control Server (ACS) for Windows Server command-line utility, CSUtil.exe. Among its several functions, CSUtil.exe enables you to add, change, and delete users from a colon-delimited text file. You can also use the utility to add and delete AAA client configurations.
Note You can accomplish similar tasks using the ACS System Backup, ACS System Restore, Database Replication, and RDBMS Synchronization features.
• Exporting User List to a Text File, page D-24
• Exporting Group Information to a Text File, page D-25
• Exporting Registry Information to a Text File, page D-26
• Decoding Error Numbers, page D-27
• Recalculating CRC Values, page D-28
• User-Defined RADIUS Vendors and VSA Sets, page D-28
• PAC File Generation, page D-40
• Posture Validation Attributes, page D-44
Location of CSUtil.
Note Most CSUtil.exe options require that you stop the CSAuth service. While the CSAuth service is stopped, Cisco Secure ACS does not authenticate users. To determine if an option requires that you stop CSAuth, refer to the detailed topics about the option. For a list of options and references to the detailed topics about each option, see CSUtil.exe Options, page D-3. You can combine many of the options in a single use of CSUtil.exe.
CSUtil.exe Options
• -i—Import user or AAA client information from a file named import.txt or a specified file. For more information about this option, see Importing User and AAA Client Information, page D-15.
• -l—Load all Cisco Secure ACS internal data from a file named dump.txt or a named file. Using this option requires that you stop the CSAuth service. For more information about this option, see Loading the Cisco Secure ACS Database from a Dump File, page D-11.
• -listUDV—List all user-defined RADIUS VSAs currently defined in Cisco Secure ACS. For more information about this option, see Listing Custom RADIUS Vendors, page D-32.
• -addAVP—Add or modify a posture validation attribute. For more information about this option, see Importing Posture Validation Attribute Definitions, page D-49.
• -delAVP—Delete a posture validation attribute.
Backing Up Cisco Secure ACS with CSUtil.exe
You can use the -b option to create a system backup of all Cisco Secure ACS internal data. The resulting backup file has the same data as the backup files produced by the ACS Backup feature found in the HTML interface. For more information about the ACS Backup feature, see Cisco Secure ACS Backup, page 8-9.
Restoring Cisco Secure ACS with CSUtil.exe
You can use the -r option to restore all Cisco Secure ACS internal data. The backup file from which you restore Cisco Secure ACS can be one generated by the CSUtil.exe -b option or by the ACS Backup feature in the HTML interface. Cisco Secure ACS backup files contain two types of data:
• User and group data.
• System configuration.
• To restore only the system configuration, type:
CSUtil.exe -r config filename
where filename is the name of the backup file. Press Enter.
CSUtil.exe displays a confirmation prompt.
Step 3 To confirm that you want to perform a restoration and to halt all Cisco Secure ACS services during the restoration, type Y and press Enter.
CSUtil.exe restores the specified portions of your Cisco Secure ACS data.
Creating a CiscoSecure User Database
To create a CiscoSecure user database, follow these steps:
Step 1 If you have not performed a backup or dump of the CiscoSecure user database, do so now before proceeding. For more information about backing up the database, see Backing Up Cisco Secure ACS with CSUtil.exe, page D-6. For more information about performing a dump of the database, see Creating a Cisco Secure ACS Database Dump File, page D-10.
Creating a Cisco Secure ACS Database Dump File
You can use the -d option to dump all contents of the CiscoSecure user database into a text file. This provides a thorough and compressible backup of all Cisco Secure ACS internal data. Using the -l option, you can reload the Cisco Secure ACS internal data from a dump file created by the -d option.
Step 5 To resume user authentication, type:
net start csauth
and press Enter.

Loading the Cisco Secure ACS Database from a Dump File
You can use the -l option to overwrite all Cisco Secure ACS internal data from a dump text file. This option replaces all existing Cisco Secure ACS internal data with the data in the dump text file.
Step 3 Type:
CSUtil.exe -l filename
where filename is the name of the dump file you want CSUtil.exe to use to load Cisco Secure ACS internal data. Press Enter.
CSUtil.exe displays a confirmation prompt for overwriting all Cisco Secure ACS internal data with the data in the dump text file.
Compacting the CiscoSecure User Database
Compacting the CiscoSecure user database consists of using three CSUtil.exe options in conjunction:
• -d—Export all Cisco Secure ACS internal data to a text file named dump.txt.
• -n—Create a CiscoSecure user database and index.
• -l—Load all Cisco Secure ACS internal data from a text file. If you do not specify the filename, CSUtil.exe uses the default file name dump.txt.
If you do not use the -q option, CSUtil.exe displays a confirmation prompt for initializing the database and then for loading the database. For more information about the effects of the -n option, see Creating a CiscoSecure User Database, page D-8. For more information about the effects of the -l option, see Loading the Cisco Secure ACS Database from a Dump File, page D-11.
User and AAA Client Import Option
Importing User and AAA Client Information
To import user or AAA client information, follow these steps:
Step 1 If you have not performed a backup or dump of Cisco Secure ACS, do so now before proceeding. For more information about backing up the database, see Backing Up Cisco Secure ACS with CSUtil.exe, page D-6.
Step 2 Create an import text file.
b. To start CSRadius, type:
net start csradius
and press Enter.
Step 8 To restart CSTacacs, follow these steps:
a. Type:
net stop cstacacs
and press Enter. The CSTacacs service stops.
b. To start CSTacacs, type:
net start cstacacs
and press Enter.
About User and AAA Client Import File Format
The import file can contain six different line types, as discussed in the following topics. The first line of the import file must be one of the tokens defined in Table D-1. Each line of a CSUtil.exe import file is a series of colon-separated tokens. Some of the tokens are followed by values. Values, like tokens, are colon-delimited. For tokens that require values, CSUtil.
ADD Statements
ADD statements are optional. Only the ADD token and its value are required to add a user to Cisco Secure ACS. The valid tokens for ADD statements are listed in Table D-2.
Note CSUtil.exe provides no means to specify a particular instance of an external user database type.
Table D-2 ADD Statement Tokens
Table D-2 ADD Statement Tokens (continued)
Token  Required  Value Required  Description
EXT_SDI  No  —  Authenticate the username with an RSA external user database.
EXT_ODBC  No  —  Authenticate the username with an ODBC external user database.
EXT_LDAP  No  —  Authenticate the username with a generic LDAP external user database.
EXT_LEAP  No  —  Authenticate the username with a LEAP proxy RADIUS server external user database.
Table D-3 UPDATE Statement Tokens
Token  Required  Value Required  Description
UPDATE  Yes  username  Update user information to Cisco Secure ACS.
PROFILE  No  group number  Group number to which the user is assigned. This must be a number from 0 to 499, not a name.
Note If you do not specify a database token, such as CSDB or EXT_NT, updating a group assignment may erase a user’s password.
For example, the following UPDATE statement causes CSUtil.exe to update the account with username “John”, assign it to Group 50, specify that John should be authenticated by a UNIX-encrypted password, with a separate CHAP password “goodoldchap”:
UPDATE:John:PROFILE:50:CSDB_UNIX:3Al3qf9:CHAP:goodoldchap

DELETE Statements
DELETE statements are optional.
Table D-5 ADD_NAS Statement Tokens
Token  Required  Value Required  Description
ADD_NAS  Yes  AAA client name  The name of the AAA client that is to be added.
IP  Yes  IP address  The IP address of the AAA client being added.
KEY  Yes  Shared secret  The shared secret for the AAA client.
VENDOR  Yes  See description  The authentication protocol the AAA client uses. For RADIUS, this includes the VSA.
Table D-5 ADD_NAS Statement Tokens (continued)
Token  Required  Value Required  Description
SINGLE_CON  No  Y or N  For AAA clients using TACACS+ only, the value set for this token specifies whether the Single Connect TACACS+ AAA Client option is enabled. For more information, see Adding a AAA Client, page 4-16.
Import File Example
The following is an example import text file:
OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:EXT_NT:PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI
ADD:vanessa:CSDB:vanessaspassword
ADD:juan:CSDB_UNIX:unixpassword
UPDATE:foobar:PROFILE:10
DELETE:paul
ADD_NAS:SVR2-T+:IP:209.165.202.
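The following is an added example, not code from the guide or from CSUtil.exe. It parses an import file of the form shown above and applies the constraints the tables state before the file is handed to CSUtil.exe: the ONLINE/OFFLINE first line, the ADD, UPDATE, DELETE and ADD_NAS statement tokens of Tables D-2 to D-5, the 0 to 499 range for PROFILE, the required IP, KEY and VENDOR tokens of ADD_NAS, and the Table D-3 note that an UPDATE of PROFILE without a database token may erase the password. The ONLINE and DEL_NAS tokens are not on this page and are assumed; tokens the tables do not show are reported as unknown rather than guessed. Because the file carries cleartext passwords and shared secrets, the example also reports which secret-bearing tokens are present so the file can be protected and deleted after import (a practitioner check, not a guide requirement). The sample file is constructed from the guide's example, with a placeholder AAA client address, key and vendor string.

```python
"""Parse and sanity-check a CSUtil.exe user/AAA-client import file.

Added example, not part of the Cisco Secure ACS guide or CSUtil.exe. ONLINE,
DEL_NAS and the VENDOR string in the sample are assumptions; the sample file
itself is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODE_TOKENS = {"ONLINE", "OFFLINE"}
RECORD_TOKENS = {"ADD", "UPDATE", "DELETE", "ADD_NAS", "DEL_NAS"}
USER_VALUE_TOKENS = {"PROFILE", "CSDB", "CSDB_UNIX", "CHAP"}                 # token:value
USER_FLAG_TOKENS = {"EXT_NT", "EXT_SDI", "EXT_ODBC", "EXT_LDAP", "EXT_LEAP"}  # token only
DB_TOKENS = {"CSDB", "CSDB_UNIX"} | USER_FLAG_TOKENS
NAS_VALUE_TOKENS = {"IP", "KEY", "VENDOR", "SINGLE_CON"}
NAS_REQUIRED = ("IP", "KEY", "VENDOR")
SECRET_TOKENS = {"CSDB", "CHAP", "KEY"}   # cleartext credentials in the file


@dataclass
class Record:
    line_no: int
    kind: str
    name: str
    fields: Dict[str, Optional[str]] = field(default_factory=dict)


def _check(rec: Record) -> List[str]:
    """Apply the constraints the guide states for each statement type."""
    issues, f, where = [], rec.fields, f"line {rec.line_no}"
    if "PROFILE" in f:
        p = f["PROFILE"]
        if not (p.isdigit() and 0 <= int(p) <= 499):
            issues.append(f"{where}: PROFILE must be a number from 0 to 499, got {p!r}")
        if rec.kind == "UPDATE" and not (f.keys() & DB_TOKENS):
            issues.append(f"{where}: warning, UPDATE of PROFILE without a database token may erase the password")
    if rec.kind == "ADD_NAS":
        for tok in NAS_REQUIRED:
            if tok not in f:
                issues.append(f"{where}: ADD_NAS requires {tok}")
        if "IP" in f:
            try:
                ipaddress.IPv4Address(f["IP"])
            except ValueError:
                issues.append(f"{where}: IP is not a valid IPv4 address")
        if f.get("SINGLE_CON") not in (None, "Y", "N"):
            issues.append(f"{where}: SINGLE_CON must be Y or N")
    return issues


def parse_import_file(text: str) -> Tuple[List[Record], List[str]]:
    """Return (records, issues). Each line is colon-separated tokens; a value
    token consumes the following field as its value, a flag token stands alone."""
    records, issues = [], []
    lines = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    if not lines or lines[0][1] not in MODE_TOKENS:
        issues.append("line 1: first line must be ONLINE or OFFLINE")
    else:
        lines = lines[1:]
    for no, line in lines:
        parts = line.split(":")
        kind = parts[0]
        if kind not in RECORD_TOKENS:
            issues.append(f"line {no}: unknown statement {kind!r}")
            continue
        if len(parts) < 2 or not parts[1]:
            issues.append(f"line {no}: {kind} requires a name")
            continue
        rec = Record(no, kind, parts[1])
        is_nas = kind.endswith("_NAS")
        value_tokens = NAS_VALUE_TOKENS if is_nas else USER_VALUE_TOKENS
        flag_tokens = set() if is_nas else USER_FLAG_TOKENS
        i = 2
        while i < len(parts):
            tok = parts[i]
            if tok in value_tokens:
                if i + 1 >= len(parts):
                    issues.append(f"line {no}: {tok} requires a value")
                    break
                rec.fields[tok] = parts[i + 1]
                i += 2
            elif tok in flag_tokens:
                rec.fields[tok] = None
                i += 1
            else:
                issues.append(f"line {no}: unknown token {tok!r} in {kind} statement")
                break
        issues.extend(_check(rec))
        records.append(rec)
    return records, issues


def secrets_present(records: List[Record]) -> List[str]:
    """Secret-bearing tokens found, so the file can be protected and removed."""
    return sorted({t for r in records for t in r.fields if t in SECRET_TOKENS})


# Constructed sample: the guide's example lines plus a placeholder ADD_NAS line.
SAMPLE_IMPORT = """OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:EXT_NT:PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI
UPDATE:foobar:PROFILE:10
DELETE:paul
ADD_NAS:SVR2-T+:IP:192.0.2.10:KEY:placeholder-secret:VENDOR:TACACS+ (Cisco IOS):SINGLE_CON:Y
"""
```

Running it over the sample yields eight records and one issue: the UPDATE of foobar carries no database token, which is exactly the case the Table D-3 note warns about.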
Exporting User List to a Text File
Step 2 If the CSAuth service is running, type:
net stop csauth
and press Enter. The CSAuth service stops.
Step 3 Type:
CSUtil.exe -u
and press Enter. CSUtil.exe exports information for all users in the CiscoSecure user database to a file named users.txt.
Step 4 To resume user authentication, type:
net start csauth
and press Enter.
Exporting Group Information to a Text File
Step 2 If the CSAuth service is running, type:
net stop csauth
and press Enter. The CSAuth service stops.
Step 3 Type:
CSUtil.exe -g
and press Enter. CSUtil.exe exports information for all groups in the CiscoSecure user database to a file named groups.txt.
Step 4 To resume user authentication, type:
net start csauth
and press Enter.
CSUtil.exe exports Windows Registry information for Cisco Secure ACS to a file named setup.txt.

Decoding Error Numbers
You can use the -e option to decode error numbers found in Cisco Secure ACS service logs. These are error codes internal to Cisco Secure ACS. For example, the CSRadius log could contain a message similar to the following:
CSRadius/Logs/RDS.
Step 2 Type:
CSUtil.exe -e -number
where number is the error number found in the Cisco Secure ACS service log. Press Enter.
Note The hyphen (-) before number is required.
CSUtil.exe displays the text message equivalent to the error number specified.

Recalculating CRC Values
The -c option is for use by the TAC.
User-Defined RADIUS Vendors and VSA Sets
About User-Defined RADIUS Vendors and VSA Sets
In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors and VSAs that you define. We recommend that you use RDBMS Synchronization to add and configure custom RADIUS vendors; however, you can use CSUtil.
Before You Begin
• Define a custom RADIUS vendor and VSA set in a RADIUS vendor/VSA import file. For more information, see RADIUS Vendor/VSA Import File, page D-34.
• Determine the RADIUS vendor slot to which you want to add the new RADIUS vendor and VSAs. For more information, see Listing Custom RADIUS Vendors, page D-32.
• Make sure that regedit is not running.
Note We recommend that you archive RADIUS vendor/VSA import files. During upgrades, the Utils directory, where CSUtil.exe is located, is replaced, including all its contents. Backing up RADIUS vendor/VSA import files ensures that you can recover your custom RADIUS vendors and VSAs after reinstallation or upgrading to a later release.
Step 2 Type:
CSUtil.exe -delUDV slot-number
where slot-number is the slot containing the RADIUS vendor that you want to delete. Press Enter.
Note For more information about determining what RADIUS vendor a particular slot contains, see Listing Custom RADIUS Vendors, page D-32.
CSUtil.exe displays a confirmation prompt.
Step 2 Type:
CSUtil.exe -listUDV
Press Enter. CSUtil.exe lists each user-defined RADIUS vendor slot in slot number order. CSUtil.exe lists slots that do not contain a custom RADIUS vendor as “Unassigned”. An unassigned slot is empty. You can add a custom RADIUS vendor to any slot listed as “Unassigned”.

Exporting Custom RADIUS Vendor and VSA Sets
You can export all custom RADIUS vendor and VSA sets to files.
Step 2 Type:
CSUtil.exe -dumpUDV
Press Enter. For each custom RADIUS vendor and VSA set currently configured in Cisco Secure ACS, CSUtil.exe writes a file in the System UDVs subdirectory.

RADIUS Vendor/VSA Import File
To import a custom RADIUS vendor and VSA set into Cisco Secure ACS, you must define the RADIUS vendor and VSA set in an import file. This section details the format and content of RADIUS VSA import files.
Table D-7 RADIUS VSA Import File Section Types
Section  Required  Number  Description
Vendor and VSA set definition  Yes  1  Defines the RADIUS vendor and VSA set. For more information, see Vendor and VSA Set Definition, page D-35.
Attribute definition  Yes  1 to 255  Defines a single attribute of the VSA set. For more information, see Attribute Definition, page D-36.
For example, the following vendor and VSA set section defines the vendor “Widget”, whose IETF-assigned vendor number is 9999.
Table D-9 Attribute Definition Keys
Keys  Required  Value Required  Description
Type  Yes  See description  The data type of the attribute. It must be one of the following:
  • STRING
  • INTEGER
  • IPADDR
  If the attribute is an integer, the Enums key is valid.
Profile  Yes  See description  The attribute profile defines if the attribute is used for authorization or accounting (or both).
For example, the following attribute definition section defines the widget-encryption VSA, which is an integer used for authorization, and for which enumerations exist in the Encryption-Types enumeration section:
[widget-encryption]
Type=INTEGER
Profile=OUT
Enums=Encryption-Types

Enumeration Definition
Enumeration definitions enable you to associate a text-based name for each valid numeric value of an integer-type attribute.
Table D-10 Enumerations Definition Keys

Keys | Required | Value Required | Description
n | Yes | String (See description.) | For each valid integer value of the corresponding attribute, an enumerations section must have one key. Each key defines a string value associated with an integer value. Cisco Secure ACS uses these string values in the HTML interface.
VSA 2=widget-admin-interface
VSA 3=widget-group
VSA 4=widget-admin-encryption
VSA 5=widget-remote-address

[widget-encryption]
Type=INTEGER
Profile=OUT
Enums=Encryption-Types

[widget-admin-interface]
Type=IPADDR
Profile=OUT

[widget-group]
Type=STRING
Profile=MULTI OUT

[widget-admin-encryption]
Type=INTEGER
Profile=OUT
Enums=Encryption-Types

[widget-remote-address]
Type=STRING
Profile=IN

[Encryption-Types]
0=56-bit
1=128-bit
2=256-bit

PAC File Generation
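The import file is INI-style, so the rules this section states (one vendor section, 1 to 255 attribute sections, Type limited to STRING/INTEGER/IPADDR, Enums valid only for INTEGER, integer keys in enumeration sections) can be checked before the file is handed to CSUtil.exe. The following Python is an added example, not code from the guide or from CSUtil.exe; the vendor section name [User Defined Vendor] and its Name and IETF Code keys are assumptions, since the page shows only that section's "VSA n=" keys.

```python
"""Validate a RADIUS vendor/VSA import file (added example, not CSUtil.exe code)."""
import configparser

# Constructed sample: the Widget vendor (IETF number 9999) and its VSA set as
# described in this section. The section name "User Defined Vendor" and the
# "Name" / "IETF Code" keys are assumptions; the page shows only the "VSA n=" keys.
WIDGET_IMPORT = """
[User Defined Vendor]
Name=Widget
IETF Code=9999
VSA 1=widget-encryption
VSA 2=widget-admin-interface
VSA 3=widget-group
VSA 4=widget-admin-encryption
VSA 5=widget-remote-address

[widget-encryption]
Type=INTEGER
Profile=OUT
Enums=Encryption-Types

[widget-admin-interface]
Type=IPADDR
Profile=OUT

[widget-group]
Type=STRING
Profile=MULTI OUT

[widget-admin-encryption]
Type=INTEGER
Profile=OUT
Enums=Encryption-Types

[widget-remote-address]
Type=STRING
Profile=IN

[Encryption-Types]
0=56-bit
1=128-bit
2=256-bit
"""

VENDOR_SECTION = "User Defined Vendor"  # assumed section name
VALID_TYPES = {"STRING", "INTEGER", "IPADDR"}
PROFILE_TOKENS = {"IN", "OUT", "MULTI"}  # IN accounting, OUT authorization, MULTI multi-instance


def parse_import_file(text):
    """Parse the INI-style import file, keeping key case ("VSA 1", "Type")."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def validate_import_file(text):
    """Return the list of rule violations; an empty list means the file is acceptable."""
    cp = parse_import_file(text)
    problems = []
    if VENDOR_SECTION not in cp:
        return [f"missing [{VENDOR_SECTION}] section"]
    vendor = cp[VENDOR_SECTION]
    if not vendor.get("IETF Code", "").isdigit():
        problems.append("IETF Code must be the vendor's IETF-assigned number")

    # Vendor section: "VSA n=<attribute section>" for 1 to 255 attributes.
    attr_sections = {}
    for key, target in vendor.items():
        if not key.startswith("VSA "):
            continue
        number = key[4:].strip()
        if not number.isdigit() or not 1 <= int(number) <= 255:
            problems.append(f"{key!r} is not a VSA number in 1..255")
            continue
        if target not in cp:
            problems.append(f"{key} names undefined attribute section [{target}]")
        attr_sections[int(number)] = target
    if not 1 <= len(attr_sections) <= 255:
        problems.append("a VSA set needs 1 to 255 attribute definitions")

    # Attribute sections: Type, Profile, and Enums (INTEGER only).
    enum_sections = set()
    for name in attr_sections.values():
        if name not in cp:
            continue
        attr = cp[name]
        atype = attr.get("Type", "")
        if atype not in VALID_TYPES:
            problems.append(f"[{name}] Type must be STRING, INTEGER or IPADDR")
        tokens = set(attr.get("Profile", "").split())
        if not tokens <= PROFILE_TOKENS or not tokens & {"IN", "OUT"}:
            problems.append(f"[{name}] Profile must be IN and/or OUT, optionally with MULTI")
        enums = attr.get("Enums")
        if enums is not None:
            if atype != "INTEGER":
                problems.append(f"[{name}] Enums is only valid for INTEGER attributes")
            if enums in cp:
                enum_sections.add(enums)
            else:
                problems.append(f"[{name}] Enums names undefined section [{enums}]")

    # Enumeration sections: one "n=<string>" key per valid integer value.
    for name in enum_sections:
        for key in cp[name]:
            if not key.isdigit():
                problems.append(f"[{name}] enumeration key {key!r} is not an integer")
    return problems
```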
PAC File Options and Examples

When you use the -t option to generate PAC files with CSUtil.exe, you have the following additional options.

• User specification options—While you can choose which user specification option you want to use, you must choose one of the four options for specifying which users you want PAC files for; otherwise, CSUtil.exe displays an error message because no users are specified.
– -f list—CSUtil.exe generates a PAC file for each username contained in the file specified, where list represents the full path and filename of the list of usernames. Lists of usernames should contain one username per line with no additional spaces or other characters. For example, if list.txt in d:\temp\pacs contains the following usernames:
seaniemop
jwiedman
echamberlain
and you ran CSUtil.exe -t -f d:\temp\pacs\list.txt, CSUtil.
Generating PAC Files

Note If you use the -a or -g option during PAC file generation, CSUtil.exe restarts the CSAuth service. No users are authenticated while CSAuth is unavailable.

For more information about PACs, see About PACs, page 10-17.

To generate PAC files, follow these steps:

Step 1 Use the discussion in PAC File Options and Examples, page D-41, to determine the following:
• Which users you want to generate PAC files for.
If you specified a filepath, the PAC files are saved where you specified. You can distribute the PAC files to the applicable end-user clients.

Posture Validation Attributes

You can use CSUtil.exe to export, add, and delete posture validation attributes, which are essential to Network Admission Control (NAC). For more information about NAC, see Chapter 14, “Network Admission Control”.
Example D-1 shows an example of a posture validation attribute definition, including a comment after the attribute definition:

Example D-1 Example Attribute Definition

[attr#0]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer
; attribute 1 is reserved for the APT

A posture validation attribute is uniquely def
Vendor IDs have one or more applications associated with them, identified by the application-id value.

• vendor-name—A string, the vendor name appears in the Cisco Secure ACS HTML interface and logs for the associated posture validation attribute. For example, any attribute definition with a vendor ID of 9 could have a vendor name “Cisco”.

Note The vendor name cannot differ for each attribute that shares the same vendor ID.
• attribute-name—A string, the attribute name appears in the Cisco Secure ACS HTML interface and logs for the associated posture validation attribute. For example, if the vendor ID is 9, the application ID is 1, and the attribute ID is 1, the attribute name is “Application-Posture-Token”.
– date
– version
– octet-array

For more information about attribute data types, see NAC Attribute Data Types, page 14-19.

Exporting Posture Validation Attribute Definitions

The -dumpAVP option exports the current posture validation attributes to an attribute definition file. For an explanation of the contents of a posture validation attribute definition file, see Posture Validation Attribute Definition File, page D-44.
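As an added example (not from the guide or from CSUtil.exe), the following Python cross-checks a definition file in the [attr#N] format of Example D-1: the required keys, the in/out attribute-profile, the data types this page lists, the uniqueness of each vendor-id, application-id, attribute-id combination (assumed here as the identity of an attribute, following the text above), and the note that attributes sharing a vendor ID cannot carry differing vendor names.

```python
"""Cross-check a posture validation attribute definition file (added example)."""
import configparser
from collections import defaultdict

# Constructed sample in the [attr#N] format of Example D-1, with two deliberate
# defects: attr#2 reuses the (vendor, application, attribute) identity of attr#1,
# and attr#3 spells the vendor name differently for vendor-id 9.
SAMPLE_AVP = """
[attr#0]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer
; attribute 1 is reserved for the APT

[attr#1]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#2]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=2
attribute-name=PA-Name
attribute-profile=in out
attribute-type=string

[attr#3]
vendor-id=9
vendor-name=CISCO
application-id=1
application-name=PA
attribute-id=00006
attribute-name=OS-Version
attribute-profile=in out
attribute-type=version
"""

REQUIRED_KEYS = ("vendor-id", "vendor-name", "application-id", "application-name",
                 "attribute-id", "attribute-name", "attribute-profile", "attribute-type")
VALID_PROFILES = {"in", "out", "in out"}
# Data types that appear on this page; the full list is in NAC Attribute Data Types.
PAGE_TYPES = {"unsigned integer", "string", "date", "version", "octet-array"}


def load_definitions(text):
    """Return (section, key->value) pairs for every [attr#N] section; ';' lines are comments."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return [(name, dict(cp[name])) for name in cp.sections() if name.startswith("attr#")]


def check_definitions(text):
    """Return the problems found in the definition file (empty list if clean)."""
    problems = []
    seen = {}                         # (vendor-id, application-id, attribute-id) -> section
    vendor_names = defaultdict(set)   # vendor-id -> vendor names used with it
    for section, attr in load_definitions(text):
        missing = [k for k in REQUIRED_KEYS if k not in attr]
        if missing:
            problems.append(f"[{section}] missing keys: {', '.join(missing)}")
            continue
        try:
            ident = (int(attr["vendor-id"]), int(attr["application-id"]), int(attr["attribute-id"]))
        except ValueError:
            problems.append(f"[{section}] vendor-id, application-id and attribute-id must be integers")
            continue
        if ident in seen:
            problems.append(f"[{section}] duplicates vendor {ident[0]}; application {ident[1]}; "
                            f"attribute {ident[2]} already defined in [{seen[ident]}]")
        else:
            seen[ident] = section
        vendor_names[ident[0]].add(attr["vendor-name"])
        if attr["attribute-profile"] not in VALID_PROFILES:
            problems.append(f"[{section}] attribute-profile must be in, out or in out")
        if attr["attribute-type"] not in PAGE_TYPES:
            problems.append(f"[{section}] unexpected attribute-type {attr['attribute-type']!r}")
    # One vendor ID must carry one vendor name across all of its attributes.
    for vendor_id, names in vendor_names.items():
        if len(names) > 1:
            problems.append(f"vendor-id {vendor_id} uses several vendor names: {sorted(names)}")
    return problems
```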
• To preserve the file, type N, press Enter, and return to Step 2.

CSUtil.exe writes all posture validation attribute definitions in the file specified. To view the contents of the file, use the text editor of your choice.

Importing Posture Validation Attribute Definitions

The -addAVP option imports into Cisco Secure ACS posture validation attribute definitions from an attribute definition file.
Tip When you specify filename, you can prefix the filename with a relative or absolute path, too. For example, CSUtil.exe -addavp c:\temp\addavp.txt writes the file addavp.txt in c:\temp.

CSUtil.exe adds or modifies the attributes specified in the file. An example of a successful addition of nine posture validation attributes follows:

C:.../Utils 21: csutil -addavp myavp.txt
CSUtil v3.3(1.
Deleting a Posture Validation Attribute Definition

The -delAVP option deletes a single posture validation attribute from Cisco Secure ACS.

Before You Begin

Because completing this procedure requires restarting the CSAuth service, which temporarily suspends authentication services, consider performing this procedure when demand for Cisco Secure ACS services is low.
CSUtil v3.3, Copyright 1997-2004, Cisco Systems Inc
Are you sure you want to delete vendor 9876; application 1; attribute 1? (y/n) y
Vendor 9876; application 1; attribute 1 was successfully deleted

Step 4 If you are ready to make the attribute deletion take effect, restart the CSAuth and CSAdmin services.

Caution While CSAuth is stopped, no users are authenticated.
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#1]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#2]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00003
attribute-name=PA-Name
attribute-profile=in out
attribute-type=string

application-name=PA
attribute-id=00006
attribute-name=OS-Version
attribute-profile=in out
attribute-type=version

[attr#6]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00007
attribute-name=PA-User-Notification
attribute-profile=out
attribute-type=string

[attr#7]
vendor-id=9
vendor-name=Cisco
application-id=2
application-name=Host
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=

vendor-name=Cisco
application-id=2
application-name=Host
attribute-id=00007
attribute-name=HotFixes
attribute-profile=in
attribute-type=string

[attr#11]
vendor-id=9
vendor-name=Cisco
application-id=2
application-name=Host
attribute-id=00008
attribute-name=HostFQDN
attribute-profile=in
attribute-type=string

[attr#12]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=00001
attribute-name=Application-Posture-Token

[attr#15]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=00009
attribute-name=CSAOperationalState
attribute-profile=in
attribute-type=unsigned integer

[attr#16]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=00011
attribute-name=TimeSinceLastSuccessfulPoll
attribute-profile=in
attribute-type=unsigned integer

[attr#17]
vendor-id=9
vendor-name=Cisco
application-id=5
applicati

attribute-type=unsigned integer

[attr#20]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#21]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00003
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string

[attr#22]
vendor-id=393
vendor-name=Symantec

attribute-name=Scan-Engine-Version
attribute-profile=in out
attribute-type=version

[attr#25]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00007
attribute-name=Dat-Version
attribute-profile=in out
attribute-type=version

[attr#26]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00008
attribute-name=Dat-Date
attribute-profile=in out
attribute-type=date

[attr#27]
vendo
application-name=AV
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#30]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#31]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00003
attribute-name=Software-Nam

vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00006
attribute-name=Scan-Engine-Version
attribute-profile=in out
attribute-type=version

[attr#35]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00007
attribute-name=Dat-Version
attribute-profile=in out
attribute-type=version

[attr#36]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00008
attribute-name=Dat-D

[attr#39]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#40]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#41]
vendor-id=6101
vendor-name=Trend
application-id=3
ap

attribute-type=version

[attr#44]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00006
attribute-name=Scan-Engine-Version
attribute-profile=in out
attribute-type=version

[attr#45]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00007
attribute-name=Dat-Version
attribute-profile=in out
attribute-type=version

[attr#46]
vendor-id=6101
vendor-name=Trend
application-id=3
appli

attribute-name=Action
attribute-profile=out
attribute-type=string

[attr#49]
vendor-id=10000
vendor-name=out
application-id=1
application-name=CNAC
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=string

[attr#50]
vendor-id=10000
vendor-name=out
application-id=1
application-name=CNAC
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=string

[attr#51]
vend
APPENDIX E
VPDN Processing

Cisco Secure ACS for Windows Server supports authentication forwarding of virtual private dial-up network (VPDN) requests. There are two basic types of “roaming” users: Internet and intranet; VPDN addresses the requirements of roaming intranet users. This chapter provides information about the VPDN process and how it affects the operation of Cisco Secure ACS.

VPDN Process

This section describes the steps for processing VPDN requests in a standard environment.

1.
Figure E-1 VPDN User Dials In (call setup / PPP setup; Username = mary@corporation.us)

2. If VPDN is enabled, the NAS assumes that the user is a VPDN user. The NAS strips off the “username@” (mary@) portion of the username and authorizes (not authenticates) the domain portion (corporation.us) with the ACS. See Figure E-2.
Figure E-3 Authorization of Domain Fails (Authorization failed)

If the ACS authorizes the domain, it returns the Tunnel ID and the IP address of the home gateway (HG); these are used to create the tunnel. See Figure E-4.

Figure E-4 ACS Authorizes Domain (Authorization reply: Tunnel ID = nas_tun, IP address = 10.1.1.
Figure E-5 HG Authenticates Tunnel with ACS (Authentication request: Username = nas_tun, Password = CHAP_stuff)

5. The HG now authenticates the tunnel with the NAS, where the username is the name of the HG. This name is chosen based on the name of the tunnel, so the HG might have different names depending on the tunnel being set up. See Figure E-6.
Figure E-7 NAS Authenticates Tunnel with ACS (Username = home_gate, Password = CHAP_stuff)

7. After authenticating, the tunnel is established. Now the actual user (mary@corporation.us) must be authenticated. See Figure E-8.

Figure E-8 VPDN Tunnel is Established (CHAP response)

8.
Figure E-9 HG Uses ACS to Authenticate User (Username = mary@corporation.us, Password = secret)

9. If another user (sue@corporation.us) dials in to the NAS while the tunnel is up, the NAS does not repeat the entire authorization/authentication process. Instead, it passes the user through the existing tunnel to the HG. See Figure E-10.
APPENDIX F
RDBMS Synchronization Import Definitions

RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of Cisco Secure Access Control Server (ACS) for Windows Server uses a table named “accountActions” as input for automated or manual updates of the CiscoSecure user database. For more information about the RDBMS Synchronization feature and accountActions, see RDBMS Synchronization, page 9-25.
accountActions Specification

accountActions Format

Each row in accountActions has 14 fields (or columns). Table F-1 lists the fields that compose accountActions. Table F-1 also reflects the order in which the fields appear in accountActions. The one-letter or two-letter abbreviations given in the Mnemonic column are a shorthand notation used to indicate required fields for each action code in Action Codes, page F-4.
Table F-1 accountActions Fields (continued)

Field Name | Mnemonic | Type | Size (Max. Length) | Description
MessageNo | MN | Integer | — | Used to number related transactions for audit purposes.
ComputerNames | CN | String | 32 | RESERVED by CSDBSync.
AppId | AI | String | 255 | The type of configuration parameter to change.
Status | S | Number | 32 | TRI-STATE: 0=not processed, 1=done, 2=failed. This should normally be set to 0.
Action Codes

accountActions Processing Order

Cisco Secure ACS reads rows from accountActions and processes them in a specific order. Cisco Secure ACS determines the order first by the values in the Priority fields (mnemonic: P) and then by the values in the Sequence ID fields (mnemonic: SI). Cisco Secure ACS processes the rows with the highest priority first. The lower the number in the Priority field, the higher the priority.
If an action can be applied to either a user or group, “UN|GN” appears, using the vertical bar to indicate that either one of the two fields is required. To make the action affect only the user, leave the group name empty; to make the action affect only the group, leave the user name empty.
Table F-2 Action Codes for Setting and Deleting Values

Action Code: 1
Name: SET_VALUE
Required: UN|GN, AI, VN, V1, V2
Description: Sets a value (V1) named (VN) of type (V2) for App ID (AI). App IDs (AI) can be one of the following:
• APP_CSAUTH
• APP_CSTACACS
• APP_CSRADIUS
• APP_CSADMIN
Value types (V2) can be one of the following:
• TYPE_BYTE—Single 8-bit number.
• TYPE_SHORT—Single 16-bit number.
Action Codes for Creating and Modifying User Accounts

Table F-3 lists the action codes for creating, modifying, and deleting user accounts.

Note Before you can modify a user account, such as assigning a password, you must create the user account, either in the HTML interface or by using the ADD_USER action (action code: 100).

Transactions using these codes affect the configuration displayed in the User Setup section of the HTML interface.
Table F-3 User Creation and Modification Action Codes (continued)

Action Code: 105
Name: SET_T+_ENABLE_PASS
Required: UN, VN, V1, V2, V3
Description: Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15). The enable type (V3) should be one of the following:
• ENABLE_LEVEL_AS_GROUP—Max privilege taken from group setting.
• ENABLE_LEVEL_NONE—No T+ enable configured.
Table F-3 User Creation and Modification Action Codes (continued)

Action Code: 108
Name: SET_PASS_TYPE
Required: UN|GN, V1
Description: Sets the password type of the user. This can be one of the CiscoSecure user database password types or any of the external databases supported:
• PASS_TYPE_CSDB—CSDB internal password.
• PASS_TYPE_CSDB_UNIX—CSDB internal password (UNIX encrypted).

Action Code: 109
Name: REMOVE_PASS_STATUS
Required: UN, V1
Table F-3 User Creation and Modification Action Codes (continued)

Action Code: 110
Required: UN, V1
Description: Defines how a password should be expired by Cisco Secure ACS. To set multiple password states for a user, use multiple instances of this action. This results in the status states being linked in a logical XOR condition.
Table F-3 User Creation and Modification Action Codes (continued)

Action Code: 115
Name: SET_MAX_SESSIONS_GROUP_USER
Required: GN, V1
Description: Sets the max sessions for a user of the group to one of the following values:
• MAX_SESSIONS_UNLIMITED
• 1-65534

Action Code: 260
Name: SET_QUOTA
Required: VN, V1, V2
Description: Sets a quota for a user or group. VN defines the quota type.
Table F-3 User Creation and Modification Action Codes (continued)

(260 SET_QUOTA, description continued) VN defines the quota type. Valid values are:
• online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.

Action Code: 261
Name: DISABLE_QUOTA
Required: UN|GN, VN
Description: Disables a group or user usage quota.

Action Code: 262
Name: RESET_COUNTERS
Required: UN|GN

Action Code: 263
Name: SET_QUOTA_APPLY_TYPE
Required: V1
Table F-3 User Creation and Modification Action Codes (continued)

Action Code: 270
Name: SET_DCS_TYPE
Required: UN|GN, VN, V1, Optionally V2
Description: Sets the type of device command set (DCS) authorization for a group or user. VN defines the service. Valid service types are:
• shell—Cisco IOS shell command authorization.
• pixshell—Cisco PIX command authorization.
Table F-3 User Creation and Modification Action Codes (continued)

Action Code: 271
Name: SET_DCS_NDG_MAP
Required: UN|GN, VN, V1, V2
Description: Use this action code to map between the device command set and the NDG when the assignment type specified by a 270 action code is ndg. VN defines the service. Valid service types are:
• shell—Cisco IOS shell command authorization.
• pixshell—Cisco PIX command authorization.
Transactions using these codes affect the configuration displayed in the User Setup and Group Setup sections of the HTML interface. For more information about the User Setup section, see Chapter 7, “User Management”. For more information about the Group Setup section, see Chapter 6, “User Group Management”.
Table F-4 Action Codes for Initializing and Modifying Access Filters (continued)

Action Code: 123
Name: ADD_DIAL_ACCESS_FILTER
Required: UN|GN, V1, V2
Description: Adds a dial-up filter for the user|group. V1 should contain one of the following values:
• Calling station ID
• Called station ID
• Calling and called station ID; for example: 01732-875374,0898-69696969
• AAA client IP address, AAA client port; for example: 10.45.6.
Table F-4 Action Codes for Initializing and Modifying Access Filters (continued)

Action Code: 140
Name: SET_TODDOW_ACCESS
Required: UN|GN, V1
Description: Sets periods during which access is permitted. V1 contains a string of 168 characters. Each character represents a single hour of the week. A “1” represents an hour that is permitted, while a “0” represents an hour that is denied.
Table F-4 Action Codes for Initializing and Modifying Access Filters (continued)

Action Code: 150
Name: SET_STATIC_IP
Required: UN, V1, V2
Description: Configures the (TACACS+ and RADIUS) IP address assignment for this user. V1 holds the IP address in the following format: xxx.xxx.xxx.xxx
V2 should be one of the following:
• ALLOC_METHOD_STATIC—The IP address in V1 is assigned to the user in the format xxx.xxx.

Action Code: 151
Name: SET_CALLBACK_NO
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

Table F-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for Cisco Secure ACS groups and users. In the event that Cisco Secure ACS has conflicting user and group settings, user settings always override group settings.
Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)

Action Code: 163
Name: ADD_RADIUS_ATTR
Required: UN|GN, VN, V1, Optionally V2, V3
Description: Adds to the attribute named (VN) the value (V1) for the user/group (UN|GN). For example, to set the IETF RADIUS Reply-Message attribute (attr.
Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)

Action Code: 170
Name: ADD_TACACS_SERVICE
Required: UN|GN, VN, V1, V3, Optionally V2
Description: Permits the service for that user or group of users.
Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)

Action Code: 172
Name: ADD_TACACS_ATTR
Required: UN|GN, VN, V1, V3, Optionally V2
Description: Sets a service-specific attribute. The service must already have been permitted either via the HTML interface or using Action 170:

GN = "Group 1"
VN = "routing"
V1 = "ppp"
V2 = "ip"
V3 = "true"

UN = "fred"
VN = "route"
V1 = "ppp"
V2 = "ip"
V3 = 10.2.2.
Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)

Action Code: 174
Name: ADD_IOS_COMMAND
Required: UN|GN, VN, V1
Description: Authorizes the given Cisco IOS command and determines if any arguments given to the command are to be found in a defined set or are not to be found in a defined set.
Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)

Action Code: 176
Name: ADD_IOS_COMMAND_ARG
Required: UN|GN, VN, V1, V2
Description: Specifies a set of command-line arguments that are either permitted or denied for the Cisco IOS command contained in VN. The command must have already been added via Action 174:

GN = "Group 1"
VN = "telnet"
V1 = "permit"
V2 = "10.1.1.
Table F-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)

Action Code: 178
Name: SET_PERMIT_DENY_UNMATCHED_IOS_COMMANDS
Required: UN|GN, V1
Description: Sets unmatched Cisco IOS command behavior. The default is that any Cisco IOS commands not defined via a combination of Actions 174 and 175 will be denied.
Table F-6 Action Codes for Modifying Network Configuration

Action Code: 220
Name: ADD_NAS
Required: VN, V1, V2, V3
Description: Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and vendor (V3). Valid vendors are as follows:
• VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
• VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
• VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
Table F-6 Action Codes for Modifying Network Configuration (continued)

Action Code: 221
Required: VN, V1
Description: Sets one of the per-AAA client flags (V1) for the named AAA client (VN). Use the action once for each flag required.
Table F-6 Action Codes for Modifying Network Configuration (continued)

Action Code: 233
Name: SET_AAA_TRAFFIC_TYPE
Required: VN, V1
Description: Sets the appropriate traffic type (V1) for the named AAA server (VN):
• TRAFFIC_TYPE_INBOUND
• TRAFFIC_TYPE_OUTBOUND
• TRAFFIC_TYPE_BOTH
The default is TRAFFIC_TYPE_BOTH.

Action Code: 234
Name: DEL_AAA_SERVER
Required: VN
Description: Deletes the named AAA server (VN).
Table F-6 Action Codes for Modifying Network Configuration (continued)

Action Code: 250
Name: ADD_NDG
Required: VN
Description: Creates a network device group (NDG) named (VN).

Action Code: 251
Name: DEL_NDG
Required: VN
Description: Deletes the named NDG.

Action Code: 252
Name: ADD_HOST_TO_NDG
Required: VN, V1
Description: Adds to the named AAA client/AAA server (VN) the NDG (V1).
Table F-6 Action Codes for Modifying Network Configuration (continued)

Action Code: 351
Name: DEL_UDV
Required: V1
Description: Removes the vendor with the IETF code specified in V1 and any defined VSAs. Action code 351 does not remove any instances of VSAs assigned to Cisco Secure ACS groups or users. If Cisco Secure ACS has AAA clients configured with the UDV specified in V1, the delete operation fails.
Table F-6 Action Codes for Modifying Network Configuration (continued)

Action Code: 353
Name: SET_VSA_PROFILE
Required: V1, V2, V3
Description: Sets the inbound/outbound profile of the VSA. The profile specifies usage “IN” for accounting, “OUT” for authorization, or “MULTI” if more than a single instance is allowed per RADIUS message. Combinations are allowed. V1 contains the vendor IETF code. V2 contains the VSA number.
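As an added example (not part of the guide or of CSDBSync), the following Python orders pending accountActions rows the way this appendix describes (lowest Priority value first, then ascending Sequence ID; only rows whose Status is 0) and pre-checks the required fields of a subset of action codes from Tables F-2 to F-6, including the UN|GN either/or rule, the 168-character TODDOW string and the listed AppId, vendor and traffic-type values. Rows are dicts keyed by the Table F-1 mnemonics, and all sample rows are constructed.

```python
"""Order and pre-check accountActions rows (added example, not CSDBSync code)."""

NOT_PROCESSED, DONE, FAILED = 0, 1, 2  # tri-state Status (S) field from Table F-1

# Required fields per action code, copied from Tables F-2 to F-6 on this page.
# "UN|GN" means exactly one of UN or GN must be filled; optional fields are omitted.
REQUIRED = {
    1: ("UN|GN", "AI", "VN", "V1", "V2"),    # SET_VALUE
    105: ("UN", "VN", "V1", "V2", "V3"),     # SET_T+_ENABLE_PASS
    108: ("UN|GN", "V1"),                    # SET_PASS_TYPE
    110: ("UN", "V1"),
    115: ("GN", "V1"),                       # SET_MAX_SESSIONS_GROUP_USER
    140: ("UN|GN", "V1"),                    # SET_TODDOW_ACCESS
    150: ("UN", "V1", "V2"),                 # SET_STATIC_IP
    220: ("VN", "V1", "V2", "V3"),           # ADD_NAS
    233: ("VN", "V1"),                       # SET_AAA_TRAFFIC_TYPE
    234: ("VN",),                            # DEL_AAA_SERVER
    250: ("VN",),                            # ADD_NDG
    252: ("VN", "V1"),                       # ADD_HOST_TO_NDG
    261: ("UN|GN", "VN"),                    # DISABLE_QUOTA
    262: ("UN|GN",),                         # RESET_COUNTERS
    270: ("UN|GN", "VN", "V1"),              # SET_DCS_TYPE (V2 optional)
    271: ("UN|GN", "VN", "V1", "V2"),        # SET_DCS_NDG_MAP
    351: ("V1",),                            # DEL_UDV
    353: ("V1", "V2", "V3"),                 # SET_VSA_PROFILE
}
APP_IDS = {"APP_CSAUTH", "APP_CSTACACS", "APP_CSRADIUS", "APP_CSADMIN"}
TRAFFIC_TYPES = {"TRAFFIC_TYPE_INBOUND", "TRAFFIC_TYPE_OUTBOUND", "TRAFFIC_TYPE_BOTH"}
NAS_VENDORS = {"VENDOR_ID_IETF_RADIUS", "VENDOR_ID_CISCO_RADIUS", "VENDOR_ID_CISCO_TACACS"}


def check_row(row):
    """Return the problems with one row (a dict keyed by Table F-1 mnemonics)."""
    problems = []
    code = row.get("A")
    if code not in REQUIRED:
        return [f"action code {code!r} is not covered by this check"]
    for field in REQUIRED[code]:
        if field == "UN|GN":
            # Either/or: leave GN empty for a user action, UN empty for a group action.
            if bool(row.get("UN")) == bool(row.get("GN")):
                problems.append("exactly one of UN or GN must be set")
        elif not row.get(field):
            problems.append(f"{field} is required for action {code}")
    if code == 1 and row.get("AI") not in APP_IDS:
        problems.append("AI must be APP_CSAUTH, APP_CSTACACS, APP_CSRADIUS or APP_CSADMIN")
    if code == 140:
        hours = row.get("V1", "")
        if len(hours) != 168 or set(hours) - {"0", "1"}:
            problems.append("V1 must be 168 characters of 0/1, one per hour of the week")
    if code == 220 and row.get("V3") not in NAS_VENDORS:
        problems.append("V3 must be one of the VENDOR_ID_* values listed for ADD_NAS")
    if code == 233 and row.get("V1") not in TRAFFIC_TYPES:
        problems.append("V1 must be a TRAFFIC_TYPE_* value")
    return problems


def processing_order(rows):
    """Unprocessed rows in the order Cisco Secure ACS reads them: the lowest
    Priority (P) value first, ties broken by ascending Sequence ID (SI)."""
    pending = [r for r in rows if r.get("S", NOT_PROCESSED) == NOT_PROCESSED]
    return sorted(pending, key=lambda r: (r["P"], r["SI"]))


# Constructed sample rows; the shared secret is an obvious placeholder.
SAMPLE_ROWS = [
    {"SI": 1, "P": 5, "A": 115, "GN": "Group 2", "V1": "50", "S": 0},
    {"SI": 2, "P": 0, "A": 220, "VN": "NAS01", "V1": "10.45.6.1",
     "V2": "<shared-secret-placeholder>", "V3": "VENDOR_ID_CISCO_TACACS", "S": 0},
    {"SI": 3, "P": 5, "A": 140, "UN": "fred", "V1": "1" * 168, "S": 0},
    # Defective on purpose: both UN and GN are filled for a SET_VALUE row.
    {"SI": 4, "P": 5, "A": 1, "UN": "fred", "GN": "Group 2", "AI": "APP_CSAUTH",
     "VN": "USER_DEFINED_FIELD_0", "V1": "Building 3", "V2": "TYPE_STRING", "S": 0},
    {"SI": 5, "P": 5, "A": 234, "VN": "old-server", "S": 1},  # already done, skipped
]

if __name__ == "__main__":
    for row in processing_order(SAMPLE_ROWS):
        print(row["SI"], row["A"], check_row(row) or "ok")
```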
Table F-6 Action Codes for Modifying Network Configuration (continued)

Action Code: 355
Required: —
Description: Restarts the CSAdmin, CSRadius, and CSLog services. These services must be restarted before new UDVs or VSAs can become usable.

Cisco Secure ACS Attributes and Action Codes
Table F-7 User-Specific Attributes

Attribute | Actions | Logical Type | Limits | Default
Username | 100, 101 | String | 1-64 characters | —
ASCII/PAP Password | 100, 102 | String | 4-32 characters | Random string
CHAP Password | 103 | String | 4-32 characters | Random string
Outbound CHAP Password | 104 | String | 4-32 characters | NULL
TACACS+ Enable Password | 105 | String password | 4-32 characters | NULL
 | | Integer privilege leve
Table F-7 User-Specific Attributes (continued)

Attribute | Actions | Logical Type | Limits | Default
Dial-Up Access Control | 121, 123 | Bool enabled | T/F | NULL
 | | Bool permit/deny | T/F | NULL
 | | ACL String (See Table F-4.) | 0-31 KB | NULL
Static IP Address | 150 | Enum scheme (See Table F-4.
RDBMS Synchronization can set UDAs by using the SET_VALUE action (code 1) to create a value called “USER_DEFINED_FIELD_0” or “USER_DEFINED_FIELD_1”. For accountActions rows defining a UDA value, the AppId (AI) field must contain “APP_CSAUTH” and the Value2 (V2) field must contain “TYPE_STRING”. Table F-8 lists the data fields that define UDAs.
Table F-9 Group-Specific Attributes

Attribute | Actions | Logical Type | Limits | Default
Max Sessions | 114 | Unsigned short | 0-65534 | MAX_SESSIONS_UNLIMITED
Max Sessions for user of group | 115 | Unsigned short | 0-65534 | MAX_SESSIONS_UNLIMITED
Token caching for session | 130 | Bool | T/F | NULL
Token caching for duration | 131 | Integer time in seconds | 0-65535 | NULL
TODDOW Restrictions | 140 | String | 168 characters | 11111111111

An Example of accountActions
level 10. Fred is assigned to “Group 2”. His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day/Day-of-Week restrictions, token caching, and some RADIUS attributes.

Note This example omits several columns that should appear in any accountActions table. The omitted columns are Sequence ID (SI), Priority (P), DateTime (DT), and MessageNo (MN).
Table F-10 Example accountActions Table (continued)

Action | User name (UN) | Group Name (GN) | Value Name (VN) | Value1 (V1) | Value2 (V2) | Value3 (V3) | AppId (AI)
114 | fred | — | — | 50 | — | — | —
115 | fred | — | — | 50 | — | — | —
120 | fred | — | — | ACCESS_PERMIT | — | — | —
121 | fred | — | — | ACCESS_DENY | — | — | —
122 | fred | — | — | NAS01,tty0,01732975374 | — | — | —
123 | fred | — | — | 01732-975374,01622-123123 | CLID/DNIS | — | —
1 | fred | — | USER_
APPENDIX G
Internal Architecture

This chapter describes the Cisco Secure ACS for Windows Server architectural components. It includes the following topics:
• Windows Services, page G-1
• Windows Registry, page G-2
• CSAdmin, page G-2
• CSAuth, page G-3
• CSDBSync, page G-4
• CSLog, page G-4
• CSMon, page G-4
• CSTacacs and CSRadius, page G-8

Windows Services

Cisco Secure ACS is modular and flexible to fit the needs of both simple and large networks.
• CSMon
• CSTacacs
• CSRadius

You can stop or restart Cisco Secure ACS services as a group, except for CSAdmin, using the Cisco Secure ACS HTML interface. For more information, see Service Control, page 8-1. Individual Cisco Secure ACS services can be started, stopped, and restarted from the Services window, available within Windows Control Panel.
in the HTTP Port Allocation feature, you should not encounter port conflicts for HTTP traffic. For more information about the HTTP Port Allocation feature, see Access Policy, page 12-11.
Note For more information about access to the HTML interface and network environments, see Network Environments and Administrative Sessions, page 1-30.
password-aging information. Once authentication succeeds, the authorizations are passed to the CSTacacs or CSRadius module, which forwards them to the requesting device.
CSDBSync
CSDBSync is the service that synchronizes the Cisco Secure ACS database with third-party relational database management systems (RDBMS).
Note CSMon is not intended as a replacement for system, network, or application management applications but is provided as an application-specific utility that can be used with other, more generic system management tools.
build up a “picture” of the expected response time on the system in question. CSMon can therefore detect whether an authentication required excess retries, or whether the response time for a single authentication exceeds the average by more than a percentage threshold.
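The baseline-and-threshold check described above, as an added example that is not Cisco code and not CSMon's own implementation; the record layout, the 50 percent and two-retry thresholds, and the sample data are constructed assumptions.

```python
"""Added example, not Cisco code: a CSMon-style check that builds a baseline of
expected authentication response time and flags authentications that are
slower than the baseline by more than a percentage threshold, or that needed
excess retries. Record layout, thresholds and sample data are constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass
class AuthSample:
    """One observed authentication (constructed record layout)."""
    user: str
    response_ms: float   # time from request to reply, in milliseconds
    retries: int         # protocol retries needed before the reply arrived


def baseline_ms(history: List[AuthSample]) -> Optional[float]:
    """Average response time of past authentications: the expected 'picture'.
    Returns None when there is no history yet, so callers skip the slowness test."""
    if not history:
        return None
    return mean(s.response_ms for s in history)


def find_exceptions(samples: List[AuthSample], baseline: Optional[float],
                    pct_threshold: float = 50.0, max_retries: int = 2) -> List[Tuple[str, str]]:
    """Return (user, reason) for every sample that is slower than the baseline by
    more than pct_threshold percent ('slow') or that needed more than max_retries
    retries ('retries'). A sample can be reported for both reasons."""
    limit = None if baseline is None else baseline * (1.0 + pct_threshold / 100.0)
    flagged = []
    for s in samples:
        if limit is not None and s.response_ms > limit:
            flagged.append((s.user, "slow"))
        if s.retries > max_retries:
            flagged.append((s.user, "retries"))
    return flagged


# Constructed sample data: a quiet period followed by a few new authentications.
HISTORY = [AuthSample("u1", 80.0, 0), AuthSample("u2", 100.0, 1), AuthSample("u3", 120.0, 0)]
RECENT = [
    AuthSample("fred", 160.0, 0),   # 60% over the 100 ms baseline: slow
    AuthSample("alice", 90.0, 3),   # fast, but needed three retries
    AuthSample("bob", 100.0, 0),    # normal
]

if __name__ == "__main__":
    base = baseline_ms(HISTORY)
    for user, reason in find_exceptions(RECENT, base):
        print(f"exception: {user}: {reason} (baseline {base:.0f} ms)")
```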
Notification
CSMon can be configured to notify system administrators in the following cases:
• Exception events
• Response
• Outcome of the response
Notification for exception events and outcomes includes the current state of Cisco Secure ACS at the time of the message. The default notification method is Simple Mail Transfer Protocol (SMTP) e-mail, but you can create scripts to enable other methods.
If the event is a warning event, it is logged and the administrator is notified. No further action is taken. CSMon also attempts to fix the cause of the failure after a sequence of retries and individual service restarts.
• Customer-Definable Actions—If the predefined actions built into CSMon do not fix the problem, CSMon can execute an external program or script.
INDEX A editing 4-26 enabling in interface (table) 3-5 AAA functions and concepts 1-5 See also AAA clients in distributed systems 4-3 See also AAA servers master 9-3 definition 1-2 overview 4-21 pools for IP address assignment 7-11 primary 9-3 AAA clients replicating 9-3 adding and configuring 4-16 searching for 4-8 configuration 4-11 secondary 9-3 definition 1-6 troubleshooting A-1 deleting 4-21 access devices 1-6 editing 4-19 accessing Cisco Secure ACS interaction with AAA serv
accounting administrative sessions See also logging and HTTP proxy 1-30 overview 1-22 network environment limitations of 1-30 ACLs session policies 12-16 See downloadable IP ACLs action codes for creating and modifying user accounts F-7 for initializing and modifying access filters F-14 through firewalls 1-31 through NAT (network address translation) 1-31 administrators See also Administration Audit log for modifying network configuration F-25 See also Administration Control for modifying
protocol supported 1-11 AV (attribute value) pairs Architecture G-1 See also RADIUS VSAs (vendor specific attributes) ASCII/PAP RADIUS compatible databases 1-10 Cisco IOS C-3 protocol supported 1-11 IETF C-14 attributes TACACS+ enabling in interface 3-2 accounting B-4 group-specific (table) F-35 general B-1 logging of user data 11-2 per-group 3-2 per-user 3-2 B user-specific (table) F-34 attribute-value pairs See AV (attribute value) pairs audit policies See also Administration Audi
browsers server certificate installation 10-35 See also HTML interface troubleshooting A-4 updating certificate 10-50 CHAP compatible databases 1-10 in User Setup 7-5 C protocol supported 1-11 Cisco IOS cached users See discovered users RADIUS CA configuration 10-38 AV (attribute value) pairs C-2 callback options group attributes 6-40 in Group Setup 6-7 in User Setup 7-9 cascading replication 9-6, 9-13 user attributes 7-39 TACACS+ AV (attribute value) pairs B-1 troubleshooting A-5 Cisco
Cisco Secure ACS backups See backups Cisco Secure ACS system restore See restore CRLs 10-40 CSAdmin G-2 CSAuth G-3 CSDBSync 9-29, G-4 CiscoSecure Authentication Agent 1-16, 6-21 CSLog G-4 CiscoSecure database replication CSMon See replication CiscoSecure user database See also databases overview 13-2 password encryption 13-2 Cisco Trust Agent definition 14-2 unavailable 14-5 CLID-based filters 5-18 codes See action codes command authorization sets See also shell command authorization sets addin
displaying syntax D-5 databases import text file (example) D-24 See also external user databases overview D-1 authentication search process 15-5 CSV (comma-separated values) files CiscoSecure user database 13-2 downloading 11-18 compacting D-12 filename formats 11-15 deleting 13-86 logging format 11-2 deployment considerations 2-18 viewing 11-18 dump files D-10 CTL editing 10-38 custom attributes in group-level TACACS+ settings 6-31 in user-level TACACS+ settings 7-23 external See al
See RADIUS user databases device management applications support 1-19 See RSA user databases DHCP with IP pools 9-45 unknown users 15-1 dial-in permission to users in Windows 13-26 user databases 7-2 dial-in troubleshooting A-10 user import methods 13-3 dial-up networking clients 13-10 Windows user databases 13-7 dial-up topologies 2-6 data source names configuring for ODBC logging 11-22 for RDBMS synchronization 9-38 using with ODBC databases 13-56, 13-70, 13-72 date format control 8-3 D
Domain List enabling 10-25 configuring 13-30 identity protection 10-14 inadvertent user lockouts 13-14, 13-27 logging 10-14 overview 13-13 master keys unknown user authentication 15-7 domain names Windows operating systems 13-13, 13-14 downloadable IP ACLs definition 10-15 states 10-15 master server 10-23 options 10-28 adding 5-10 overview 10-13 assigning to groups 6-30 PAC assigning to users 7-21 automatic provisioning 10-18 deleting 5-14 definition 10-17 editing 5-13 manual provi
enable password options for TACACS+ 7-35 enable privilege options for groups 6-19 error number decoding with CSUtil.
supported protocols 1-10 settings for Global Authentication Setup 10-33 callback options 6-7 grant dial-in permission to users 13-9, 13-26 configuration-specific 6-16 greeting after login 6-24 configuring common 6-3 group-level interface enabling device management command authorization sets 6-37 downloadable IP ACLs 3-5 enable privilege 6-19 network access restrictions 3-5 IP address assignment method 6-28 network access restriction sets 3-5 management tasks 6-54 password aging 3-5 m
Help 1-29 configuring 3-1 host system state G-5 customized user data fields 3-3 HTML interface security protocol options 3-9 See also Interface Configuration IP ACLs See downloadable IP ACLs encrypting 12-13 logging off 1-33 IP addresses overview 1-25 in User Setup 7-10 security 1-26 multiple IP addresses for AAA client 4-12 SSL 1-26 requirement for CSTacacs and CSRadius G-8 web servers G-2 setting assignment method for user groups 6-28 HTTP port allocation configuring 12-14 IP poo
LDAP formats 11-2 See generic LDAP user databases LEAP proxy RADIUS user databases Logged-In Users reports 11-9 ODBC logs configuring external databases 13-76 enabling in interface 3-6 group mappings 16-2 overview 11-2 overview 13-75 working with 11-21 RADIUS-based group specifications 16-14 list all users overview 11-6 Passed Authentication logs 11-6 in Group Setup 6-54 RADIUS logs 11-6 in User Setup 7-55 RDBMS synchronization 9-2 Logged-In Users report remote logging deleting logg
logins monitoring greeting upon 6-24 configuring 8-19 password aging dependency 6-23 CSMon G-5 logs See logging See Reports and Activity overview 8-18 MS-CHAP compatible databases 1-10 configuring 10-26 M machine authentication enabling 13-22 overview 1-13 protocol supported 1-11 multiple group mappings 16-5 multiple IP addresses for AAA clients 4-12 overview 13-16 with Microsoft Windows 13-20 management application support 1-19 mappings database groups to AAA groups 16-4 databases to AAA g
definition of 14-10 group mapping 16-13 implementing 14-5 introduction 1-25 logging 14-6 NAC client Cisco Trust Agent 14-2 definition 14-2 policies NAR See network access restrictions NAS See AAA clients NDG See network device groups NDS See Novell NDS user databases network access filters about 14-16 adding 5-3 external 14-28 deleting 5-7 local 14-17 editing 5-5 results 14-16 overview 5-2 remediation server network access quotas 1-18 definition 14-2 network access restrictions url-redi
Network Admission Control See NAC Novell Requestor 13-50 options 13-52 network configuration 4-1 supported protocols 1-10 network device groups supported versions 13-50 adding 4-29 user contexts 13-51 assigning AAA clients to 4-30 assigning AAA servers to 4-30 configuring 4-28 deleting 4-32 O ODBC features enabling in interface 3-6 accountActions table 9-32 overview 1-24 authentication reassigning AAA clients to 4-31 CHAP 13-60 reassigning AAA servers to 4-31 EAP-TLS 13-60 renaming
EAP-TLS 13-68 PAP PAP 13-65 compatible databases 1-10 vs. group mappings 16-3 in User Setup 7-5 PAP authentication sample procedures 13-62 vs. ARAP 1-12 password case sensitivity 13-61 vs.
outbound passwords 1-15 with Unknown User Policy 10-11 separate passwords 1-14 performance monitoring G-5 single password 1-14 performance specifications 1-3 token caching 1-15 per-group attributes token cards 1-14 encryption 13-2 expiration 6-23 See also groups enabling in interface 3-2 per-user attributes import utility D-14 enabling in interface 3-2 local management 8-5 TACACS+/RADIUS in Interface Configuration 3-4 password change log management 8-6 post-login greeting 6-24 protocols
PPP password aging 6-21 Q privileges See administrators quotas processor utilization G-5 See network access quotas profile components See usage quotas See shared profile components proxy See also Proxy Distribution Table character strings defining 4-6 stripping 4-6 configuring 4-34 in enterprise settings 4-6 overview 4-4 sending accounting packets 4-7 troubleshooting A-15 Proxy Distribution Table R RADIUS See also RADIUS VSAs (vendor specific attributes) attributes See also RADIUS VSAs (vend
token servers 13-79 in User Setup 7-52 troubleshooting A-22 supported attributes C-14 tunneling packets 4-18 vs.
in User Setup 7-49 report and error handling 9-33 supported attributes C-43 scheduling options 9-39 overview C-1 user-defined about 9-28, D-28 user-related configuration 9-27 Registry G-2 rejection mode action codes for F-19 general 15-5 adding D-29 posture validation 15-11 deleting D-31 Windows user databases 15-6 import files D-34 related documentation xxxiii listing D-32 reliability of network 2-19 replicating 9-29, D-29 remote access policies 2-14 RDBMS synchronization accountAc
external user databases 9-2 CSV (comma-separated values) logs 11-13 frequency 9-7 in interface 1-29 group mappings 9-2 overview 11-6 immediate 9-19 implementing primary and secondary setups 9-15 important considerations 9-7 in System Configuration 9-21 interface configuration 3-5 IP pools 9-2, 9-45 logging 9-10 manual initiation 9-19 master AAA servers 9-3 notifications 9-25 options 9-11 overview 9-2 partners configuring 9-23 options 9-12 process 9-4 scheduling 9-21 scheduling options 9-12 sele
options 12-16 S overview 12-16 search order of external user databases 15-15 shared profile components security policies 2-15 See also command authorization sets security protocols See also downloadable IP ACLs Cisco AAA client devices 1-2 See also network access filters CSRadius G-8 See also network access restrictions CSTacacs G-8 overview 5-1 interface options 3-9 shared secret G-8 RADIUS 1-6, C-1 shell command authorization sets TACACS+ See also command authorization sets cust
output values 13-66 messages in interface 1-29 result codes 13-69 monitoring See monitoring EAP-TLS authentication configuring 13-74 performance specifications 1-3 input values 13-67 requirements 2-2 output values 13-68 services implementing 13-60 See services PAP authentication configuring 13-73 input values 13-64 output values 13-65 result codes 13-69 T TACACS+ advanced TACACS+ settings sample procedures 13-62 in Group Setup 6-2 type definitions in User Setup 7-33 integer 13-61 st
time-of-day access 3-8 enabling in interface 3-5 troubleshooting A-22 timeout values on AAA clients 15-9 vs.
RADIUS issues A-22 usage quotas report issues A-17 in Group Setup 6-14 TACACS+ issues A-22 in Interface Configuration 3-5 third-party server issues A-19 in User Setup 7-18 upgrade issues A-16 overview 1-18 user issues A-20 resetting trust lists See certification trust relationships 13-9 for groups 6-55 for single users 7-58 user-changeable passwords overview 1-16 U UNIX passwords D-18 with Windows user databases 13-25 user databases See databases unknown service user setting 7-32 Use
callback options 7-9 configuring 7-2 VPDN dialup E-2 User Setup configuring device management command authorization sets for 7-30 account management tasks 7-54 configuring PIX command authorization sets for 7-29 configuring 7-2 configuring shell command authorization sets for 7-26 customized data fields 3-3 basic options 7-3 deleting user accounts 7-57 saving settings 7-60 Users in Group button 6-54 data configuration See User Data Configuration deleting 11-11 V deleting accounts 7-57 vali
ODBC 11-23 CSV (comma-separated values) file directory 11-16 enabling ODBC 11-23 VPDN advantages 2-12 authentication process E-1 domain authorization E-2 home gateways E-3 IP addresses E-3 tunnel IDs E-3 users E-2 VSAs See RADIUS VSAs (vendor specific attributes) services 8-2 dial-up networking 13-10 dial-up networking clients domain field 13-10 password field 13-10 username field 13-10 Domain List effect 15-7 domains domain names 13-13, 13-14, 15-6 Event logs G-6 Registry G-2 Windows user databases
passwords 1-11 rejection mode 15-6 request handling 15-6 trust relationships 13-9 user-changeable passwords 13-25 user manager 13-26 wireless network topologies 2-9 User Guide for Cisco Secure ACS for Windows Server IN-28 78-16592-01