Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide November 2001 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
C O N T E N T S Preface xxvii Document Objectives xxvii Who Should Read This Guide xxvii How This Guide is Organized xxviii Conventions Used in This Guide xxx Related Documentation xxxi Obtaining Documentation xxxii World Wide Web xxxii Documentation CD-ROM xxxii Ordering Documentation xxxii Documentation Feedback xxxiii Obtaining Technical Assistance xxxiii Cisco.
Contents AAA Server Functions and Concepts 1-4 Cisco Secure ACS and the AAA Client 1-5 AAA Protocols—TACACS+ and RADIUS 1-5 TACACS+ 1-6 RADIUS 1-6 Authentication 1-7 Authentication Considerations 1-8 Authentication and User Databases 1-8 Passwords 1-10 Other Authentication-Related Features 1-14 Authorization 1-15 Max Sessions 1-16 Dynamic Usage Quotas 1-16 Other Authorization-Related Features 1-17 Accounting 1-17 Other Accounting-Related Features 1-18 Administration 1-18 HTTP Port Allocation for Remote Adm
Contents Remote Administrative Sessions through a NAT Gateway 1-25 Accessing the HTML Interface 1-26 Logging Off the HTML Interface 1-26 Online Help and Online Documentation 1-27 Using Online Help 1-27 Using the Online Documentation 1-28 CHAPTER 2 Deploying Cisco Secure ACS 2-1 Basic Deployment Requirements for Cisco Secure ACS 2-2 System Requirements 2-2 Hardware Requirements 2-2 Operating System Requirements 2-3 Third-Party Software Requirements 2-3 Network Requirements 2-4 Basic Deployment Factors fo
Contents Network Speed and Reliability 2-18 Suggested Deployment Sequence 2-18 CHAPTER 3 Setting Up the Cisco Secure ACS HTML Interface 3-1 Interface Design Concepts 3-2 User-to-Group Relationship 3-2 Per-User or Per-Group Features 3-2 User Data Configuration Options 3-3 Defining New User Data Fields 3-3 Advanced Options 3-4 Setting Advanced Options for the Cisco Secure ACS User Interface 3-6 Protocol Configuration Options for TACACS+ 3-7 Setting Options for TACACS+ 3-9 Protocol Configuration Options fo
Contents Default Distributed System Settings 4-3 Proxy in Distributed Systems 4-4 Fallback on Failed Connection 4-5 Character String 4-6 Stripping 4-6 Proxy in an Enterprise 4-6 Remote Use of Accounting Packets 4-7 Other Features Enabled by System Distribution 4-8 AAA Client Configuration 4-8 Adding and Configuring a AAA Client 4-9 Editing an Existing AAA Client 4-12 Deleting a AAA Client 4-14 AAA Server Configuration 4-15 Adding and Configuring a AAA Server 4-16 Editing a AAA Server Configuration 4-18 Del
Contents Editing a Proxy Distribution Table Entry 4-28 Deleting a Proxy Distribution Table Entry 4-29 CHAPTER 5 Setting Up and Managing Shared Profile Components 5-1 Downloadable PIX ACLs 5-2 About Downloadable PIX ACLs 5-2 Downloadable PIX ACL Configuration 5-3 Adding a Downloadable PIX ACL 5-3 Editing a Downloadable PIX ACL 5-4 Deleting a Downloadable PIX ACL 5-5 Network Access Restrictions 5-6 About Network Access Restrictions 5-6 Shared Network Access Restrictions Configuration 5-7 Adding a Shared N
Contents Group TACACS+ Settings 6-2 Common User Group Settings 6-3 Enabling VoIP Support for a User Group 6-4 Setting Default Time of Day Access for a User Group 6-5 Setting Callback Options for a User Group 6-6 Setting Network Access Restrictions for a User Group 6-7 Setting Max Sessions for a User Group 6-11 Setting Usage Quotas for a User Group 6-13 Configuration-specific User Group Settings 6-15 Setting Token Card Settings for a User Group 6-17 Setting Enable Privilege Options for a User Group 6-18 Ena
Contents Configuring Microsoft RADIUS Settings for a User Group 6-41 Configuring Nortel RADIUS Settings for a User Group 6-42 Configuring Juniper RADIUS Settings for a User Group 6-44 Configuring Cisco BBSM RADIUS Settings for a User Group 6-45 Configuring Custom RADIUS VSA Settings for a User Group 6-46 Group Setting Management 6-48 Listing Users in a User Group 6-48 Resetting Usage Quota Counters for a User Group 6-49 Renaming a User Group 6-49 Saving Changes to User Group Settings 6-50 CHAPTER 7 Sett
Contents Advanced User Authentication Settings 7-23 TACACS+ Settings (User) 7-24 Configuring TACACS+ Settings for a User 7-24 Configuring a Shell Command Authorization Set for a User 7-26 Configuring a PIX Command Authorization Set for a User 7-29 Configuring the Unknown Service Setting for a User 7-31 Advanced TACACS+ Settings (User) 7-31 Setting Enable Privilege Options for a User 7-32 Setting TACACS+ Enable Password Options for a User 7-34 Setting TACACS+ Outbound Password for a User 7-35 RADIUS Attribu
Contents Deleting a User Account 7-54 Resetting User Session Quota Counters 7-55 Resetting a User Account after Login Failure 7-55 Saving User Settings 7-56 CHAPTER 8 Establishing Cisco Secure ACS System Configuration 8-1 Service Control 8-2 Determining the Status of Cisco Secure ACS Services 8-2 Stopping, Starting, or Restarting Services 8-2 Logging 8-3 Date Format Control 8-3 Setting the Date Format 8-4 Password Validation 8-4 Setting Password Validation Options 8-5 CiscoSecure Database Replication 8-
Contents Configuring a Secondary Cisco Secure ACS Server 8-17 Replicating Immediately 8-18 Scheduling Replication 8-20 Disabling CiscoSecure Database Replication 8-23 Database Replication Event Error Alert Notification 8-23 RDBMS Synchronization 8-24 About RDBMS Synchronization 8-24 RDBMS Synchronization Components 8-25 About CSDBSync 8-25 About the accountActions Table 8-26 Cisco Secure ACS Database Recovery Using the accountActions Table 8-28 Reports and Event (Error) Handling 8-29 Preparing to Use RDBMS
Contents Components Backed Up 8-41 Reports of Cisco Secure ACS Backups 8-42 Performing a Manual Cisco Secure ACS Backup 8-42 Scheduling Cisco Secure ACS Backups 8-43 Disabling Scheduled Cisco Secure ACS Backups 8-44 Cisco Secure ACS System Restore 8-45 About Cisco Secure ACS System Restore 8-45 Backup File Names and Locations 8-45 Components Restored 8-47 Reports of Cisco Secure ACS Restorations 8-47 Restoring Cisco Secure ACS from a Backup File 8-47 Cisco Secure ACS Active Service Management 8-48 System M
Contents VoIP Accounting Configuration 8-60 Configuring VoIP Accounting 8-61 Cisco Secure ACS Certificate Setup 8-61 Background on Certification 8-62 EAP-TLS Setup Overview 8-63 Requirements for Certificate Enrollment 8-63 Generating a Request for a Certificate 8-64 Installing Cisco Secure ACS Certification with Manual Enrollment 8-66 Installing Cisco Secure ACS Certification with Automatic Enrollment 8-68 Performing Cisco Secure ACS Certification Update or Replacement 8-69 Certification Authority Setup 8-
Contents Passed Authentications Log 9-10 Dynamic Cisco Secure ACS Administration Reports 9-10 Logged-In Users Report 9-11 Disabled Accounts Report 9-14 Cisco Secure ACS System Logs 9-15 ACS Backup and Restore Log 9-15 RDBMS Synchronization Log 9-16 Database Replication Log 9-16 Administration Audit Log 9-17 ACS Service Monitoring Log 9-18 Working with CSV Logs 9-19 CSV Log File Names 9-19 Enabling or Disabling a CSV Log 9-19 Viewing a CSV Report 9-20 Configuring a CSV Log 9-22 Working with ODBC Logs 9-25 P
Contents Service Logs 9-34 Services Logged 9-34 Configuring Service Logs 9-35 CHAPTER 10 Setting Up and Managing Administrators and Policy 10-1 Administrator Accounts 10-1 Administrator Privileges 10-2 Adding an Administrator Account 10-6 Editing an Administrator Account 10-7 Deleting an Administrator Account 10-9 Access Policy 10-10 Access Policy Options 10-10 Setting Up Access Policy 10-12 Session Policy 10-13 Session Policy Options 10-13 Setting Up Session Policy 10-14 Audit Policy 10-16 CHAPTER 11
Contents Windows Dial-up Networking Clients 11-9 About the Windows NT/2000 Dial-up Networking Client 11-9 About the Windows 95/98/Millennium Edition Dial-up Networking Client 11-10 Windows NT/2000 Authentication 11-10 User-Changeable Passwords with Windows NT/2000 User Databases 11-12 Preparing Users for Authenticating with Windows NT/2000 11-12 Configuring a Windows NT/2000 External User Database 11-13 Generic LDAP 11-14 Cisco Secure ACS Authentication Process with a Generic LDAP User Database 11-15 Multi
Contents Implementation of Stored Procedures for ODBC Authentication 11-33 Type Definitions 11-34 Microsoft SQL Server and Case-Sensitive Passwords 11-34 Sample Routine for Generating a PAP Authentication SQL Procedure 11-35 Sample Routine for Generating an SQL CHAP Authentication Procedure 11-36 PAP Authentication Procedure Input 11-36 PAP Procedure Output 11-37 CHAP/MS-CHAP/ARAP Authentication Procedure Input 11-38 CHAP/MS-CHAP/ARAP Procedure Output 11-38 Result Codes 11-39 Configuring a System Data Sour
Contents Configuring an AXENT Token Server External User Database AXENT 11-55 Configuring an RSA SecurID Token Server External User Database 11-56 Deleting an External User Database Configuration 11-58 CHAPTER 12 Administering External User Databases 12-1 Unknown User Processing 12-1 Known, Unknown, and Cached Users 12-2 General Authentication Request Handling and Rejection Mode 12-3 Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database 12-4 Windows Authentication wit
Contents Default Group Mapping for Windows NT/2000 12-14 Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups 12-15 Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-17 Deleting a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-18 Deleting a Windows NT/2000 Domain Group Mapping Configuration 12-19 Changing Group Set Mapping Order 12-20 RADIUS-Based Group Specification 12-21 APPENDIX A Troubleshooting Information for
Contents APPENDIX B System Messages B-1 Windows NT/2000 Event Log Service Startup Errors B-1 System Monitored Events B-2 Replication Messages B-6 Failed Attempts Messages B-9 APPENDIX C TACACS+ Attribute-Value Pairs C-1 Cisco IOS Attribute-Value Pair Dictionary C-1 TACACS+ AV Pairs C-2 TACACS+ Accounting AV Pairs C-4 APPENDIX D RADIUS Attributes D-1 Cisco IOS Dictionary of RADIUS AV Pairs D-2 Cisco IOS/PIX Dictionary of RADIUS VSAs D-4 Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs D-6 Cisco
Contents APPENDIX E Cisco Secure ACS Command-Line Database Utility E-1 Location of CSUtil.exe and Related Files E-2 CSUtil.exe Syntax E-2 CSUtil.exe Options E-3 Backing Up Cisco Secure ACS with CSUtil.exe E-5 Restoring Cisco Secure ACS with CSUtil.
Contents User-Defined RADIUS Vendors and VSA Sets E-27 About User-Defined RADIUS Vendors and VSA Sets E-27 Adding a Custom RADIUS Vendor and VSA Set E-28 Deleting a Custom RADIUS Vendor and VSA Set E-29 Listing Custom RADIUS Vendors E-30 RADIUS Vendor/VSA Import File E-31 About the RADIUS Vendor/VSA Import File E-32 Vendor and VSA Set Definition E-33 Attribute Definition E-34 Enumeration Definition E-35 Example RADIUS Vendor/VSA Import File E-37 APPENDIX Cisco Secure ACS and Virtual Private Dial-up Netwo
Contents Action Code for Deleting the CiscoSecure User Database G-31 Cisco Secure ACS Attributes and Action Codes G-31 User-Specific Attributes G-31 User-Defined Attributes G-34 Group-Specific Attributes G-34 An Example accountActions Table G-36 APPENDIX H Cisco Secure ACS Internal Architecture H-1 Windows NT/2000 Environment Overview H-2 Windows NT/2000 Services H-2 Windows NT/2000 Registry H-2 Cisco Secure ACS Web Server H-2 CSAdmin H-3 CSAuth H-3 CSDBSync H-6 CSLog H-6 CSMon H-7 Monitoring H-7 Record
Contents Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxvi 78-13751-01, Version 3.
Preface This section discusses the objectives, audience, and organization of the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 User Guide. Document Objectives The objective of this document is to help you configure and use the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) software and its features and utilities.
Preface How This Guide is Organized How This Guide is Organized The Cisco Secure ACS User Guide is organized into the following chapters: • Chapter 1, “Overview of Cisco Secure ACS.” An overview of Cisco Secure ACS and its features, network diagrams, and system requirements. • Chapter 2, “Deploying Cisco Secure ACS.” A guide to deploying the Cisco Secure ACS that includes requirements, options, trade-offs, and suggested sequences. • Chapter 3, “Setting Up the Cisco Secure ACS HTML Interface.
Preface How This Guide is Organized • Chapter 11, “Working with User Databases.” Concepts and procedures for establishing user databases. • Chapter 12, “Administering External User Databases.” Concepts and procedures for administering and maintaining user databases external to Cisco Secure ACS. This guide also comprises the following appendixes: • Appendix A, “Troubleshooting Information for Cisco Secure ACS.” How to identify and solve certain problems you might have with Cisco Secure ACS.
Conventions Used in This Guide

This guide uses the following typographical conventions:

Typographic Conventions

| Convention | Meaning |
|---|---|
| Italics | Introduces new or important terminology and variable input for commands. |
| Script | Denotes paths, file names, and example screen output. Also denotes Secure Script translations of security policy decision trees. |
| Bold | Identifies special terminology and options that should be selected during procedures. |
Preface Related Documentation Related Documentation Included in the Cisco Secure ACS HTML interface are two sources of information: • Online Help contains information for each associated page in the Cisco Secure ACS HTML interface. • Online Documentation is a complete copy of the Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide. We recommend that you read Release Notes for Cisco Secure Access Control Server Version 3.0 for Windows 2000/NT Servers.
Preface Obtaining Documentation Obtaining Documentation The following sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com Translated documentation is available at the following URL: http://www.cisco.com/public/countries_languages.
Preface Obtaining Technical Assistance Documentation Feedback If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Feedback at the top of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730. You can e-mail your comments to bug-doc@cisco.com.
Preface Obtaining Technical Assistance • Order Cisco learning materials and merchandise • Register for online skill assessment, training, and certification programs You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL: http://www.cisco.com Technical Assistance Center The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution.
Preface Obtaining Technical Assistance All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register: http://www.cisco.com/register/ If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.
C H A P T E R 1 Overview of Cisco Secure ACS This chapter provides an overview of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS).
Figure 1-1 A Simple AAA Scenario (diagram: end-user client, AAA client, Cisco Secure Access Control Server, external user database)

Cisco Secure ACS helps centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users.
Chapter 1 Overview of Cisco Secure ACS Cisco Secure ACS Specifications System Performance Specifications The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is running on a 1.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts When you install Cisco Secure ACS on your server, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. For a full discussion of each service, see the “Cisco Secure ACS Internal Architecture” section on page H-1. The Cisco Secure ACS services on your Cisco Secure ACS server include the following: • CSAdmin—Provides the HTML interface for administration of Cisco Secure ACS.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts • Authorization, page 1-15 • Accounting, page 1-17 • Administration, page 1-18 Cisco Secure ACS and the AAA Client A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server.
Table 1-1 TACACS+ and RADIUS Protocol Comparison

| TACACS+ | RADIUS |
|---|---|
| TCP | UDP |
| Connection-oriented transport layer protocol, reliable full-duplex data transmission | Connectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery |
| Full packet encryption | Encrypts only passwords up to 16 bytes |
| Independent AAA architecture | Authentication and authorization combined |
| Useful for router management | |
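As an added illustration of the two encryption rows in Table 1-1 (example code, not from this guide or from Cisco Secure ACS): RADIUS hides only the User-Password attribute with the RFC 2865 MD5 scheme, while TACACS+ XORs the entire packet body with the RFC 8907 MD5 pseudo-pad. The shared secret, Request Authenticator, session id and user/port values are constructed; the RADIUS routine follows the RFC's block chaining, so it also handles passwords longer than 16 bytes.

```python
"""Contrast RADIUS User-Password hiding with TACACS+ body obfuscation.

Added example, not code from the Cisco Secure ACS guide.  The shared
secret, Request Authenticator, TACACS+ session id and the user/port values
are constructed for the demonstration.
"""
import hashlib
import struct

# Constructed values; a real deployment uses a per-device shared secret,
# a fresh random Request Authenticator and a random TACACS+ session id.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
SESSION_ID = 0x12345678
TACACS_VERSION = 0xC0   # major 0xc, minor 0 (RFC 8907)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: zero-pad to a multiple of 16, then XOR each
    block with MD5(secret + previous ciphertext block), using the Request
    Authenticator before the first block.  Only this attribute is covered;
    every other attribute in the Access-Request travels in the clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; the zero padding is stripped afterwards."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def radius_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request attribute list: User-Name (type 1) followed by
    User-Password (type 2), each encoded as type/length/value."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1), concatenated
    and truncated to the body length."""
    header = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the entire packet body with the pseudo pad.  The same call with the
    same parameters reverses it, so the server decodes the way the client encodes."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_start_body(username: bytes, port: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1) with action=LOGIN,
    priv_lvl=1, authen_type=ASCII, authen_service=LOGIN, then the variable
    fields.  rem_addr and data are left empty."""
    return (bytes([1, 1, 1, 1, len(username), len(port), 0, 0])
            + username + port)


def visible_on_wire(payload: bytes, field: bytes) -> bool:
    """True when a plaintext field can still be read from the sent bytes."""
    return field in payload


def compare_exposure(username: bytes, password: bytes, port: bytes) -> dict:
    """What a passive observer of each protocol can read directly."""
    radius = radius_attrs(username, password, SECRET, AUTHENTICATOR)
    tacacs = tacacs_obfuscate(tacacs_start_body(username, port),
                              SESSION_ID, SECRET, TACACS_VERSION, 1)
    return {
        "radius_username_visible": visible_on_wire(radius, username),
        "radius_password_visible": visible_on_wire(radius, password),
        "tacacs_username_visible": visible_on_wire(tacacs, username),
        "tacacs_port_visible": visible_on_wire(tacacs, port),
    }


if __name__ == "__main__":
    for k, v in compare_exposure(b"fred", b"s3cret-pass-word-20b", b"tty0").items():
        print(f"{k}: {v}")
```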
In addition to support for standard IETF RADIUS attributes, Cisco Secure ACS includes support for RADIUS vendor-specific attributes (VSAs). We have predefined the following RADIUS VSAs in Cisco Secure ACS:
• Cisco IOS/PIX
• Cisco VPN 3000
• Cisco VPN 5000
• Ascend
• Juniper
• Microsoft
• Nortel
Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts Authentication Considerations Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured.
• AXENT token server
• RSA SecurID token server
• ActivCard token server
• Vasco token server
Not every user database supported by Cisco Secure ACS supports every password protocol that Cisco Secure ACS can use for authentication. Table 1-2 provides a reference of the password protocols supported by the various databases.
Passwords

Cisco Secure ACS supports many common password protocols:
• ASCII/PAP
• CHAP
• MS-CHAP
• LEAP
• EAP-CHAP
• EAP-TLS
• ARAP
Passwords can be processed using these password authentication protocols based on the version and type of security control protocol used (for example, RADIUS or TACACS+) and the configuration of the AAA client and end-user client.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts Comparing PAP, CHAP, and ARAP PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security. • PAP—Uses clear-text passwords (that is, unencrypted passwords) and is the least sophisticated authentication protocol. If you are using the Windows NT/2000 user database to authenticate users, you must use PAP password encryption or MS-CHAP.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts Basic Password Configurations There are several basic password configurations: Note These configurations are all classed as inbound authentication. • Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the most convenient method for both the administrator when setting up accounts and the user when obtaining authentication.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts request from the AAA client should include the OTP in the username value (for example Fredpassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user’s configuration.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000 and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). For information on the requirements and configuration of the Windows-based password aging feature, see the “Enabling Password Aging for Users in Windows Databases” section on page 6-25.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts Authorization Authorization determines what a user is allowed to do. Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts Max Sessions Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group: • User Max Sessions—For example, an Internet service provider can limit each account holder to a single session.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts Other Authorization-Related Features In addition to the authorization-related features discussed in this section, the following features are provided by Cisco Secure ACS: • Group administration of users, with support for up to 500 groups (see the “Setting Up and Managing User Groups” section on page 6-1) • Ability to map a user from an external user database to a specific Cisco Secure ACS group (see the “Database Group Mappings” s
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are the following: • TACACS+ Accounting—Lists when sessions start and stop; records AAA client messages with username; provides caller line identification information; records the duration of each session.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts You can access the HTML interface from computers other than the Cisco Secure ACS server. This enables remote administration of Cisco Secure ACS. For more information about the HTML interface, including steps for accessing the HTML interface, see the “Cisco Secure ACS HTML Interface” section on page 1-21.
Chapter 1 Overview of Cisco Secure ACS AAA Server Functions and Concepts Network Device Groups With a network device group (NDG), you can view and administer a collection of AAA clients and AAA servers as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group.
• Ability to import large numbers of users with the CSUtil.
Chapter 1 Overview of Cisco Secure ACS Cisco Secure ACS HTML Interface The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java. For a list of supported browsers, see the Release Notes.
– External User Databases—Configure external databases for authentication
– Reports and Activity—Display accounting and logging information
– Online Documentation—View the Cisco Secure ACS User Guide
• Configuration Area—The frame in the middle of the browser window, the configuration area displays web pages that belong to one of the sections represented by the buttons in the navigation bar.
Uniform Resource Locator for the HTML Interface

The HTML interface is available by web browser at one of the following uniform resource locators (URLs):
• http://Windows server IP address:2002
• http://Windows server host name:2002
From the server on which Cisco Secure ACS is installed, you can also use the following URLs:
• http://localhost:2002
• http://127.0.0.
For these reasons, we do not recommend performing administrative sessions using a web browser that is configured to use a proxy server. Administrative sessions using a proxy-enabled web browser are not tested. If your web browser is configured to use a proxy server, disable HTTP proxying when attempting remote Cisco Secure ACS administrative sessions.
Accessing the HTML Interface

Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section.
Chapter 1 Overview of Cisco Secure ACS Cisco Secure ACS HTML Interface Note The Logoff button appears in the upper right corner of the browser window, except on the initial page, where it appears in the upper left of the configuration area. Online Help and Online Documentation We provide two sources of information in the HTML interface: • Online Help—Contains basic information about the page shown in the configuration area. • Online Documentation—Contains the entire user guide.
Chapter 1 Overview of Cisco Secure ACS Cisco Secure ACS HTML Interface Using the Online Documentation The Cisco Secure ACS online documentation is the user guide for Cisco Secure ACS. The user guide provides information about the configuration, operation, and concepts of Cisco Secure ACS. The information presented in the online documentation is as current as the release date of the Cisco Secure ACS version you are using.
Result: Entries appear with numbered links after them. The numbered links lead to separate instances of the entry topic.
c. Click an instance number for the desired topic.
Result: The online documentation for the topic selected appears in the display area.
Step 4 To print the online documentation, click in the display area, and then click Print in your browser’s navigation bar.
C H A P T E R 2 Deploying Cisco Secure ACS Deployment of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) can be a complex and iterative process that differs depending on the specific implementation required. This chapter provides insight into many aspects of the deployment process; it is designed not as a one-size-fits-all procedure, but as a collection of interconnected factors that you should consider before you install Cisco Secure ACS.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Requirements for Cisco Secure ACS Basic Deployment Requirements for Cisco Secure ACS This section details the minimum requirements you must meet to be able to successfully deploy Cisco Secure ACS.
Operating System Requirements

Your Cisco Secure ACS server must have an English-language version of one of the following Microsoft Windows operating systems installed:
• Windows 2000 Server with Service Pack 1 or Service Pack 2 installed
• Windows 2000 Advanced Server, with these additional requirements:
  – without Microsoft Clustering Services installed
  – with Service Pack 1 or Service Pack 2 installed.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS For the latest information about tested browsers and other third-party applications, such as Novell NDS clients and token-card clients, see the Release Notes. The latest version of the Release Notes is posted on http://www.cisco.com. Network Requirements Your network should meet the following requirements before you begin installing Cisco Secure ACS.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS • Administrative Access Policy, page 2-14 • Database, page 2-17 • Network Speed and Reliability, page 2-18 Network Topology How the enterprise network is configured is likely to be the single most important factor in deciding how to deploy Cisco Secure ACS.
Figure 2-1 Small Dial-up Network (diagram: server-based dial access, PSTN, modem, network, Cisco Secure Access Control Server)

In a larger dial-in environment, a single Cisco Secure ACS installation with a backup may be suitable, too. The suitability of this configuration is dependent on network and server access latency. Figure 2-2 on page 2-7 shows an example of a large dial-in arrangement.
Figure 2-2 Large Dial-up Network (diagram: Cisco AS5300 access servers, UNIX server, Novell server, Windows NT server, Macintosh server, Cisco Secure Access Control Server)

In a very large, geographically dispersed network, see Figure 2-3 on page 2-8, there may be access servers located in different parts of a city, in different cities, or in different continents.
Figure 2-3 Geographically Dispersed Network (diagram: three Cisco Secure Access Control Servers at separate sites)

Wireless Network

The wireless network access point is a relatively new client for AAA services. The wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS In the simple WLAN, there may be a single AP installed; see Figure 2-4. Because there is only one AP, the primary issue is security. In this environment, there is generally a small user base and few network devices to worry about. Providing AAA services to the other devices on the network does not cause any significant additional load on the Cisco Secure ACS.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Figure 2-5 Campus WLAN Cisco Aironet APs Dial-up connection UNIX server Novell server Windows NT server Macintosh server 63490 Cisco Secure Access Control Server This is particularly true when the regional topology is the campus WLAN. This model starts to change when you deploy WLANs in many small sites that more resemble the simple WLAN shown in Figure 2-4 on page 2-9.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Figure 2-6 Large Deployment of Small Sites 63491 I For the model in Figure 2-6, the decision where to site Cisco Secure ACS depends on whether users from the entire network need access on any AP, or whether they only require regional or local network access. This, along with database type, controls whether local or regional Cisco Secure ACS installations are required, and how database continuity is maintained.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS • Security—VPNs provide the highest level of security using advanced encryption and authentication protocols that protect data from unauthorized access. • Scalability—VPNs allow corporations to use remote access infrastructure within ISPs. Therefore, corporations can add a virtually unlimited amount of capacity without adding significant infrastructure.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Figure 2-8 Enterprise VPN Solution Tunnel Home office ISP VPN concentrator Internet Tunnel Mobile worker Cisco Secure Access Control Server 63493 ISP For more information about implementing VPN solutions, see the reference guide A Primer for Implementing a Cisco Virtual Private Network. Remote Access Policy Remote access is a broad concept.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Cisco Secure ACS remote access policy provides control by using central authentication and authorization of remote users. The CiscoSecure user database maintains all user IDs, passwords, and privileges. Cisco Secure ACS access policies can be downloaded in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, or by allowing access during specific periods, or on specific access servers.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, Cisco Secure ACS can be used with command authorization per network device to restrict network administrators as necessary.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Separation of Administrative and General Users It is important to keep the general network user from accessing network devices. Even though the general user may not have any intention to “hack the system,” inadvertent access could easily cause accidental disruption to network access. Separation of the general user from the administrative user falls into the realm of AAA and Cisco Secure ACS.
Chapter 2 Deploying Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Conversely, if a general user attempts to use their remote access to log in to a network device, Cisco Secure ACS checks and approves the user’s username and password, but the authorization process would fail because that user would not have credentials that allow shell/exec access to the device.
Network Speed and Reliability

Network speed (more precisely, network latency) and network reliability are also important factors in how Cisco Secure ACS is deployed. Delays in authentication can result in timeouts at the end user’s client or at the AAA client. The general rule for large, extended networks, such as a globally dispersed corporation, is to have at least one Cisco Secure ACS deployed in each region.

• Configure Administrators—You should configure at least one administrator at the outset of deployment; otherwise, there is no remote administrative access and all configuration activity must be done from the server. You should also have a detailed plan for establishing and maintaining an administrative policy. For more information about setting up administrators, see Chapter 10, “Setting Up and Managing Administrators and Policy.”

• Configure External User Database—During this phase of deployment you must decide whether and how you intend to implement an external database to establish and maintain user authentication accounts. Typically, this decision is made according to your existing network administration mechanisms.

• Configure Users—With groups established, you can establish user accounts. It is useful to remember that a particular user can belong to only one user group, and that settings made at the user level override settings made at the group level. For more information, see Chapter 7, “Setting Up and Managing User Accounts.”
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-22 78-13751-01, Version 3.
Chapter 3 Setting Up the Cisco Secure ACS HTML Interface

Ease of use is the overriding design principle of the HTML interface in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator.
Tip: If a section of the Cisco Secure ACS HTML interface appears to be “missing” or “broken,” return to the Interface Configuration section and confirm that the particular section has been activated.

Interface Design Concepts

Before you begin to configure the Cisco Secure ACS HTML interface for your particular configuration, it is helpful to understand a few basic precepts of the system’s operation.

User Data Configuration Options

The Configure User Defined Fields page enables you to add (or edit) up to five fields for recording information on each user. The fields you define in this section subsequently appear in the Supplementary User Information section at the top of the User Setup page. For example, you could add the user’s company name, telephone number, department, billing code, and so on.

Advanced Options

This feature enables you to determine which advanced features Cisco Secure ACS displays. You can simplify the pages displayed in other areas of the Cisco Secure ACS HTML interface by hiding advanced features that you do not use. Many of these options do not appear if they are not enabled.

• Group-Level Network Access Restriction Sets—When selected, this feature enables the Shared Profile Component NAR options on the Group Setup page. These options allow you to apply previously configured, named, IP-based and CLID/DNIS-based NARs at the group level. For information on defining a NAR, or NAR set, within Shared Profile Components, see the “Shared Network Access Restrictions Configuration” section on page 5-7.

• Network Device Groups—When selected, this option enables network device groups (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers). This feature is useful if you have many devices to administer.
Step 4 When you have finished making selections, click Submit.
Result: Cisco Secure ACS alters the contents of various sections of the HTML interface according to the selections made.

Protocol Configuration Options for TACACS+

The TACACS+ (Cisco) section details the configuration of the Cisco Secure ACS HTML interface for TACACS+ settings.

The four items you can choose to hide or display are as follows:
– Advanced TACACS+ Features—This option displays or hides the Advanced TACACS+ Options section on the User Setup page. These options include Privilege Level Authentication and Outbound Password Configuration for SENDPASS and SENDAUTH clients, such as routers.

You can use this feature to send many TACACS+ commands to the access device for the service, provided that the device supports the command and that the command syntax is correct. This feature is disabled by default, but you can enable it the same way you enable attributes and time-of-day access.

Result: The TACACS+ (Cisco) page of the Interface Configuration section appears.
Step 3 In the TACACS+ Services table, select the check box for each TACACS+ service you want displayed on the applicable setup page.
Step 4 To add new services and protocols, follow these steps:
a. In the New Services section of the TACACS+ Services table, type in any Service and Protocol to be added.
b.
use. Attributes for (IETF) RADIUS and the VSA for each RADIUS network device vendor supported by Cisco Secure ACS appear in User Setup or Group Setup.
Note: The RADIUS (IETF) attributes are shared with RADIUS VSAs. You must configure the first RADIUS attributes from RADIUS (IETF) for the RADIUS vendor.

• RADIUS (Nortel) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Nortel). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Nortel)” section on page 3-18.
• RADIUS (Juniper) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Juniper).

Note: Each selected IETF RADIUS attribute must be supported by all network devices using RADIUS.
To set protocol configuration options for (IETF) RADIUS attributes, follow these steps:
Step 1 Click Interface Configuration.
Step 2 Click RADIUS (IETF).
Result: The RADIUS (IETF) page appears.

Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX)

This procedure allows you to enable the Cisco IOS/PIX RADIUS VSA. Selecting this attribute displays an entry field under User Setup and/or Group Setup in which any TACACS+ commands can be entered to fully leverage TACACS+ in a RADIUS environment.

Note: If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.
To set protocol configuration options for RADIUS (Ascend) attributes, follow these steps:
Step 1 Click Interface Configuration.
Step 2 Click RADIUS (Ascend).

To set protocol configuration options for RADIUS (Cisco VPN 3000) attributes, follow these steps:
Step 1 Click Interface Configuration.
Step 2 Click RADIUS (Cisco VPN 3000).
Result: The RADIUS (Cisco VPN 3000 Concentrator) edit page appears.

To set protocol configuration options for RADIUS (Cisco VPN 5000) attributes, follow these steps:
Step 1 Click Interface Configuration.
Step 2 Click RADIUS (Cisco VPN 5000).
Result: The RADIUS (Cisco VPN 5000 Concentrator) edit page appears.
Step 3 Select the check box for either User or Group, or both, for each RADIUS (Microsoft) service you want to appear as a configurable option on the User Setup or Group Setup page.
Note: Each attribute selected must be supported by the Microsoft RADIUS VSA.
Step 4 Click Submit at the bottom of the page.

Step 3 Select the check box for either User or Group, or both, for each RADIUS (Nortel) service you want to appear as a configurable option on the User Setup or Group Setup page.
Note: Each attribute selected must be supported by the Nortel RADIUS VSA.
Step 4 Click Submit at the bottom of the page.

Step 3 Select the check box for either User or Group, or both, for each RADIUS (Juniper) service you want to appear as a configurable option on the User Setup or Group Setup page.
Note: Each attribute selected must be supported by the Juniper RADIUS VSA.
Step 4 Click Submit at the bottom of the page.
Chapter 4 Setting Up and Managing Network Configuration

This chapter details concepts and procedures for configuring the Cisco Secure ACS network and establishing a distributed system. The appearance of the opening page you see when you click Network Configuration differs according to the network configuration selections you’ve made in the Interface Configuration section.
• Network Device Groups—This table lists the name of each NDG that has been configured, and the number of AAA clients and AAA servers assigned to each NDG. If you are using NDGs, the AAA Clients table and AAA Servers table do not appear on the opening page. To configure a AAA client or AAA server, you must click the name of the NDG to which the device is assigned.

• CiscoSecure database replication
• Remote and centralized logging

AAA Servers in Distributed Systems

“AAA server” is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user.

work with one another. Each table contains a Cisco Secure ACS entry for itself. In the AAA Servers table, the only AAA server initially listed is itself; the Proxy Distribution Table lists an initial entry of (Default), which displays how the local Cisco Secure ACS is configured to handle each authentication request locally. You can configure additional AAA servers in the AAA Servers table.

Note: When a Cisco Secure ACS receives a TACACS+ authentication request forwarded by proxy, any Network Access Restrictions for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
Note: In a network that uses more than one type of RADIUS protocol, Cisco Secure ACS accepts only IETF attributes.

request. If Cisco Secure ACS cannot connect to any server in the list, authentication fails. Failed connections are detected by failure of the nominated server to respond within a specified time period; that is, the request is timed out.

Character String

Cisco Secure ACS forwards authentication requests using a configurable set of characters with a delimiter, such as dots (.

AAA server. However, Mary occasionally travels to a division within the corporation in New York, where she still needs to access the corporate network to get her e-mail and other files. When Mary is in New York, she dials in to the New York office and logs in as mary@corporate.com.

Other Features Enabled by System Distribution

Beyond basic proxy and fallback features, configuring a Cisco Secure ACS to interact with distributed systems enables several other features that are beyond the scope of this chapter. These features include the following:
• Replication—For more information, see the “CiscoSecure Database Replication” section on page 8-6.

Adding and Configuring a AAA Client

You can use this procedure to add and configure a AAA client. To add a AAA client, follow these steps:
Step 1 In the navigation bar, click Network Configuration.
Result: The Network Configuration section opens.
Step 2 Do one of the following:
a. If you are using NDGs, click the name of the NDG to which the AAA client is to be assigned. Then, click Add Entry below the AAA Clients table.
Note: For correct operation, the identical key must be configured on the AAA client and Cisco Secure ACS. Keys are case sensitive.
Step 6 If you are using NDGs, from the Network Device Group list, select the name of the NDG to which this AAA client should belong, or select Not Assigned to set this AAA client to be independent of NDGs.
Step 7
• RADIUS (Cisco BBMS)—Select this option if the network device is a Cisco BBMS network device supporting authentication via RADIUS.
• RADIUS (IETF)—Select this option if you are using devices using RADIUS from more than one manufacturer and want to use standard IETF RADIUS attributes. This is also the protocol to select if you want EAP-TLS to be used with Cisco Aironet AAA clients.

Step 9 To enable Watchdog packets, select the Log Update/Watchdog Packets from this AAA Client check box. Watchdog packets are interim packets sent periodically during a session. They serve to enable an approximation of session length if the AAA client fails and, thereby, no stop packet is received to mark the end of the session.
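The following is an added example, not code from the guide, showing why watchdog (interim update) packets matter when accounting records are reviewed after the fact: a session whose stop packet never arrived can still be bounded by its last interim update. The log lines are constructed in a simplified comma-separated form (date, time, username, status type, session ID, AAA client address) and are not an actual Cisco Secure ACS accounting log; the field layout and the session-ID values are assumptions made for the example.

```python
"""Added example (not code from the Cisco guide): estimating session length
from accounting records when the stop packet never arrives, which is what
the watchdog (interim update) packets described above make possible.

The log lines below are constructed, in a simplified comma-separated form
(date, time, username, status type, session id, AAA client address); they
are not an actual Cisco Secure ACS log. Timestamps are taken as local time
with no zone.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sample: one normal session, one whose AAA client failed before
# sending Stop (only interim updates), and one with nothing but a Start.
SAMPLE_LOG = """\
11/14/2001,08:00:00,mary,Start,0000A1,10.1.1.5
11/14/2001,08:10:00,mary,Interim-Update,0000A1,10.1.1.5
11/14/2001,08:30:00,mary,Stop,0000A1,10.1.1.5
11/14/2001,09:00:00,joe,Start,0000B7,10.1.1.6
11/14/2001,09:10:00,joe,Interim-Update,0000B7,10.1.1.6
11/14/2001,09:20:00,joe,Interim-Update,0000B7,10.1.1.6
11/14/2001,09:30:00,ann,Start,0000C2,10.1.1.6
"""


@dataclass
class Session:
    user: str
    aaa_client: str
    start: Optional[datetime] = None
    last_update: Optional[datetime] = None   # newest watchdog packet seen
    stop: Optional[datetime] = None


def parse_log(text: str) -> Dict[str, Session]:
    """Group accounting records by session id, keeping the timestamps that
    matter for length estimation."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, status, session_id, client = line.split(",")
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        s = sessions.setdefault(session_id, Session(user, client))
        if status == "Start":
            s.start = when
        elif status == "Interim-Update":
            s.last_update = max(when, s.last_update) if s.last_update else when
        elif status == "Stop":
            s.stop = when
    return sessions


def session_length(s: Session) -> Tuple[Optional[int], bool]:
    """Return (seconds, exact).

    exact is True when a Stop record closed the session, False when the
    length is a lower bound taken from the last watchdog packet; (None,
    False) means there is nothing to estimate from."""
    if s.start is None:
        return None, False
    if s.stop is not None:
        return int((s.stop - s.start).total_seconds()), True
    if s.last_update is not None:
        return int((s.last_update - s.start).total_seconds()), False
    return None, False


def report(text: str) -> Dict[str, Tuple[Optional[int], bool]]:
    """Session id -> (length in seconds or None, whether it is exact)."""
    return {sid: session_length(s) for sid, s in parse_log(text).items()}


if __name__ == "__main__":
    for sid, (seconds, exact) in report(SAMPLE_LOG).items():
        label = "exact" if exact else "approximate (no Stop record)"
        print(f"{sid}: {seconds} s {label}")
```

Without the interim updates, joe's session (0000B7) would be indistinguishable from ann's (0000C2), which has no usable length at all; with them, a lower bound of 20 minutes survives the AAA client's failure.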
Step 2 Do one of the following:
a. If you are using NDGs, click the name of the NDG to which the AAA client is assigned. Then, click the name of the AAA client.
b. To edit a AAA client when you have not enabled NDGs, click the name of the AAA client from the AAA Client Hostname column of the AAA Clients table.
Result: The AAA Client Setup For Name page appears.

Step 8 To save your changes and apply them immediately, click Submit + Restart.
Tip: To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.
Note: Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter.

Note: Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. As an alternative to restarting when you delete a AAA client, you can click Delete. However, when you do this, the change does not take effect until you restart the system, which you can do by clicking System Configuration, clicking Service Control, and then clicking Restart.

Adding and Configuring a AAA Server

To add and configure a AAA server, follow these steps:
Step 1 In the navigation bar, click Network Configuration.
Result: The Network Configuration section opens.
Step 2 Do one of the following:
a. If you are using NDGs, click the name of the NDG to which the AAA server is to be assigned. Then, click Add Entry below the [name] AAA Servers table.
b.

Step 8 In the AAA Server Type list, select the protocol the remote AAA server is configured to use:
• RADIUS—Select this option if the remote AAA server is configured using any type of RADIUS protocol.
• TACACS+—Select this option if the remote AAA server is configured using the TACACS+ protocol.
• Cisco Secure ACS for Windows 2000/NT—Select this option if the remote AAA server is another Cisco Secure ACS.

Step 10 To save your changes and apply them immediately, click Submit + Restart.
Tip: To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.
Note: Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services.

To edit a AAA server configuration, follow these steps:
Step 1 In the navigation bar, click Network Configuration.
Result: The Network Configuration section opens.
Step 2 Do one of the following:
a. If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, in the AAA Servers table, click the name of the AAA server to be edited.
b.

Deleting a AAA Server

To delete a AAA server, follow these steps:
Step 1 In the navigation bar, click Network Configuration.
Result: The Network Configuration section opens.
Step 2 Do one of the following:
a. If you are using NDGs, click the name of the NDG to which the AAA Server is assigned. Then, click the AAA Server Name in the AAA Servers table.
b.

refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS—single discrete devices such as an individual router or network access server, and an NDG; that is, a collection of routers or AAA servers.

Step 4 Click Submit.
Result: The Network Device Groups table displays the new NDG.

Step 4 From the Network Device Groups list, select the NDG to which you want to assign the AAA client or AAA server.
Step 5 Click Submit.
Result: The client or server is assigned to an NDG.

Reassigning a AAA Client or AAA Server to an NDG

To reassign a AAA client or AAA server to a new NDG, follow these steps:
Step 1 In the navigation bar, click Network Configuration.
Tip: If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.
Step 3 At the bottom of the page, click Rename.
Result: The Rename Network Device Group page appears.
Step 4 In the Network Device Group Name box, type the new name.
Step 5 Click Submit.
Result: The name of the NDG is changed.

Proxy Distribution Table Configuration

This section begins with a description of the Proxy Distribution Table and then details the following Proxy Distribution Table configuration procedures:
• Adding a New Proxy Distribution Table Entry, page 4-26
• Sorting the Character String Match Order of Distribution Entries, page 4-28
• Editing a Proxy Distribution Table Entry, page 4-28
• Deleting a Proxy Distribu

the “(Default)” entry is the local Cisco Secure ACS server. It can sometimes be easier to define strings that match authentication requests to be processed locally rather than defining strings that match authentication requests to be processed remotely.

Tip: You can also select additional AAA servers to use for backup proxy in the event the prior servers fail. To set the order of AAA servers, in the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want.

Sorting the Character String Match Order of Distribution Entries

You can use this procedure to set the priority by which Cisco Secure ACS searches character string entries in the Proxy Distribution Table when users dial in. To determine the priority order by which Cisco Secure ACS searches entries in the Proxy Distribution Table, follow these steps:
Step 1 In the navigation bar, click Network Configuration.

Step 3 Edit the entry as necessary.
Tip: For information about the parameters that make up a distribution entry, see the “Adding a New Proxy Distribution Table Entry” section on page 4-26.
Step 4 When you have finished editing the entry, click Submit or Submit + Restart.
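The following is an added example, not code from the guide, that models the proxy behaviour described in the Character String and Proxy Distribution Table passages above: the character string match, the stripping of the matched string before forwarding, the ordered list of forward-to servers with timeout fallback, the “(Default)” entry for local handling, and why the match order of entries matters. The guide describes this behaviour through the HTML interface rather than an API, so the data structures, server names, usernames, and credentials are all constructed for the example; the assumption that a suffix entry such as “@corporate.com” is compared as a plain string suffix is also the example's, not the product's.

```python
"""Added example (not code from the Cisco guide): a model of how a Proxy
Distribution Table chooses where an authentication request is sent.

Assumptions, since the guide describes behaviour rather than an API:
  * an entry has a character string, a position (prefix or suffix), a
    strip flag (remove the string before forwarding) and an ordered list
    of servers to forward to, the later ones being backups;
  * entries are tried in the table's match order and the first match wins,
    so a specific string must sort before a general one;
  * a request with no matching entry goes to "(Default)", the local ACS;
  * a server that does not answer within the timeout is skipped; if every
    server in the list times out, the authentication fails.
Server names, usernames and credentials below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

LOCAL = "(Default)"

# None means "timed out"; True/False is the server's accept/reject answer.
Authenticator = Callable[[str, str], Optional[bool]]


@dataclass
class DistributionEntry:
    match: str                      # character string, e.g. "@corporate.com"
    position: str = "suffix"        # "prefix" or "suffix"
    strip: bool = True              # remove the string before forwarding
    forward_to: List[str] = field(default_factory=list)   # ordered servers


def select_entry(username: str, table: List[DistributionEntry]) -> Optional[DistributionEntry]:
    """Return the first entry, in table order, whose string matches."""
    for entry in table:
        if entry.position == "suffix" and username.endswith(entry.match):
            return entry
        if entry.position == "prefix" and username.startswith(entry.match):
            return entry
    return None


def forwarded_username(username: str, entry: DistributionEntry) -> str:
    """Apply the entry's strip setting to the username that is forwarded."""
    if not entry.strip:
        return username
    if entry.position == "suffix":
        return username[: len(username) - len(entry.match)]
    return username[len(entry.match):]


def proxy_authenticate(username: str, password: str,
                       table: List[DistributionEntry],
                       servers: Dict[str, Authenticator],
                       local: Authenticator) -> Tuple[bool, Optional[str]]:
    """Return (authenticated, name of the server that answered).

    A server that returns None timed out, so the next backup is tried.
    (False, None) means every server in the entry's list timed out.
    """
    entry = select_entry(username, table)
    if entry is None:
        return bool(local(username, password)), LOCAL
    name = forwarded_username(username, entry)
    for server in entry.forward_to:
        answer = servers[server](name, password)
        if answer is None:
            continue            # timeout: fall back to the next server
        return answer, server
    return False, None          # no server responded: authentication fails


def make_server(accounts: Dict[str, str], up: bool = True) -> Authenticator:
    """Constructed stand-in for a remote AAA server with its own user list."""
    def authenticate(user: str, password: str) -> Optional[bool]:
        if not up:
            return None         # simulate a request that times out
        return accounts.get(user) == password
    return authenticate


if __name__ == "__main__":
    # Constructed table: corporate users go to the LA ACS (with a backup);
    # any other ".com" user is proxied, unstripped, to an ISP's server.
    table = [
        DistributionEntry("@corporate.com", "suffix", True, ["LA-ACS", "LA-backup"]),
        DistributionEntry(".com", "suffix", False, ["ISP-ACS"]),
    ]
    servers = {"LA-ACS": make_server({"mary": "s3cret"}),
               "LA-backup": make_server({"mary": "s3cret"}),
               "ISP-ACS": make_server({"joe@example.com": "pw"})}
    local = make_server({"bob": "pw"})
    for user in ("mary@corporate.com", "joe@example.com", "bob"):
        print(user, proxy_authenticate(user, "s3cret", table, servers, local))
```

Reversing the two entries in the constructed table sends mary@corporate.com to the ISP's server, because “.com” matches first; that is the failure the Sorting the Character String Match Order procedure exists to prevent.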
Chapter 5 Setting Up and Managing Shared Profile Components

The Shared Profile Components section enables administrators to develop and name reusable, shared sets of authorization components which may be applied to one or more users or groups of users and referenced by name within their profiles. These comprise network access restrictions (NARs), command authorization sets, and downloadable PIX ACLs.
This chapter contains the following sections:
• Downloadable PIX ACLs, page 5-2
• Network Access Restrictions, page 5-6
• Command Authorization Sets, page 5-12

Downloadable PIX ACLs

This section includes a description of downloadable PIX ACLs followed by detailed instructions regarding their configuration and management.

ACLs entered into the Cisco Secure ACS are protected by whatever backup or replication regime you have established for the Cisco Secure ACS. After you configure an ACL as a named shared profile component, you can include that ACL in any Cisco Secure ACS user, or user group, profile.

Note: The name of a PIX ACL may contain up to 32 characters. The name may contain spaces, but it may not contain leading, trailing, or multiple spaces, or the following characters: - [ ] / —
Step 5 In the Description box, type a description of the new PIX ACL.
Step 6 In the ACL Definitions box, type the new PIX ACL definitions.

Step 3 In the Name column, click the PIX ACL you want to edit.
Result: The Downloadable PIX ACLs page appears with information displayed for the selected filter.
Step 4 Edit the Name, Description, or ACL Definitions information, as applicable.
Step 5 When you have finished editing the information for the PIX ACL, click Submit.

Network Access Restrictions

This section includes a description of NARs followed by detailed instructions regarding shared NAR access configuration and management.

About Network Access Restrictions

NARs enable you to define additional authorization conditions that must be met before a user can gain access to the network.

Note: When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
You can define a NAR for, and apply it to, a single, particular user or user group.
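The following is an added example, not code from the guide, that shows how an IP-based NAR of the kind described above is evaluated against an incoming request, including the proxy caveat in the note: for a TACACS+ request that arrived through another AAA server, the forwarding server is what the NAR sees, so a NAR written in terms of the originating AAA clients does not behave as expected. The guide does not spell out the matching rules, so the permit-list/deny-list semantics, the octet-wise “*” wildcard, the NDG membership mapping, and all client names and addresses are assumptions constructed for the example.

```python
"""Added example (not code from the Cisco guide): evaluating an IP-based
network access restriction (NAR) against an incoming request.

Assumptions the guide does not spell out, so they are modelled here:
  * a NAR is either a permit list or a deny list of (AAA client, port,
    address) entries; a request passes a permit list when it matches at
    least one entry and passes a deny list when it matches none;
  * the AAA client field is "All AAA clients", an NDG name or a client
    name; NDG membership is a separate constructed mapping;
  * "*" means all ports; addresses may use "*" for a whole octet;
  * for a TACACS+ request that arrived by proxy, the client and address
    checked are the forwarding AAA server's, as the guide's note states.
Client names, NDGs and addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALL_CLIENTS = "All AAA clients"


@dataclass(frozen=True)
class NarEntry:
    aaa_client: str     # ALL_CLIENTS, an NDG name, or an AAA client name
    port: str           # "*" or a port number as a string
    address: str        # dotted quad, "*" allowed per octet or alone


@dataclass
class Nar:
    name: str
    permit: bool        # True: entries are permitted locations; False: denied
    entries: List[NarEntry]


@dataclass
class AccessRequest:
    aaa_client: str
    port: str
    address: str                            # address the NAR is judged on
    protocol: str = "tacacs+"
    forwarded_by: Optional[str] = None      # proxying AAA server, if any
    forwarder_address: Optional[str] = None


def address_matches(pattern: str, address: str) -> bool:
    """Octet-wise comparison; "*" matches any value in that octet."""
    if pattern == "*":
        return True
    p, a = pattern.split("."), address.split(".")
    return len(p) == len(a) == 4 and all(x == "*" or x == y for x, y in zip(p, a))


def effective_request(req: AccessRequest) -> AccessRequest:
    """Apply the proxy caveat: a proxied TACACS+ request is judged on the
    forwarding server, not on the AAA client that originated it."""
    if req.protocol == "tacacs+" and req.forwarded_by:
        return AccessRequest(req.forwarded_by, req.port,
                             req.forwarder_address or req.address, req.protocol)
    return req


def entry_matches(entry: NarEntry, req: AccessRequest,
                  ndgs: Dict[str, List[str]]) -> bool:
    if entry.aaa_client == ALL_CLIENTS:
        client_ok = True
    elif entry.aaa_client in ndgs:                      # NDG name
        client_ok = req.aaa_client in ndgs[entry.aaa_client]
    else:                                               # single AAA client
        client_ok = entry.aaa_client == req.aaa_client
    port_ok = entry.port == "*" or entry.port == req.port
    return client_ok and port_ok and address_matches(entry.address, req.address)


def nar_allows(nar: Nar, req: AccessRequest, ndgs: Dict[str, List[str]]) -> bool:
    """True when the request satisfies the NAR."""
    req = effective_request(req)
    matched = any(entry_matches(e, req, ndgs) for e in nar.entries)
    return matched if nar.permit else not matched


if __name__ == "__main__":
    ndgs = {"LA-NAS": ["la-nas-1", "la-nas-2"], "NY-NAS": ["ny-nas-1"]}
    corp = Nar("corp-dialup", True, [NarEntry("LA-NAS", "*", "10.1.*.*")])
    direct = AccessRequest("la-nas-1", "7", "10.1.5.9")
    via_ny = AccessRequest("la-nas-1", "7", "10.1.5.9",
                           forwarded_by="ny-acs", forwarder_address="10.9.0.1")
    print("direct:", nar_allows(corp, direct, ndgs))     # True
    print("proxied:", nar_allows(corp, via_ny, ndgs))    # False: judged on ny-acs
```

The last two lines are the practical consequence of the note: the same user on the same NAS is permitted when the request reaches this ACS directly and denied when it is forwarded by another AAA server, unless the NAR also lists the forwarding servers.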
Adding a Shared Network Access Restriction

To add a shared NAR, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components.
Result: The Shared Profile Components page appears.
Step 2 Click Network Access Restrictions.
Step 3 Click Add.
Result: The Network Access Restriction page appears.
Step 4 In the Name box, type a name for the new shared NAR.

c.
d. Select or type the applicable information in each of the following boxes:
• AAA Client—Select All AAA clients, or the name of the network device group (NDG), or the individual AAA client, to which access is permitted or denied.
• Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.

d. To specify the information that this NAR should filter on, fill in the following boxes, as applicable:
Tip: You can type an asterisk (*) as a wild card to specify “all” either as a value or within a range.
• Port—Type the number of the port to filter on.
• CLI—Type the CLI number to filter on.
e.

Step 4 To edit the Name or Description of the filter, type and delete information, as applicable.
Step 5 To edit a line item in the IP-based access restrictions table, follow these steps:
a. Double-click the line item to be edited.
Result: Information for the line item is removed from the table and written to the boxes below the table.
b. Edit the information, as applicable.
c. Click enter.

Step 9 When you have finished editing the line items that make up the filter, click Submit.
Result: Cisco Secure ACS re-enters the filter with the new information, which takes effect immediately.

Deleting a Shared Network Access Restriction

To delete a shared network access restriction, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components.
About Command Authorization Sets

Command authorization sets provide a central mechanism to control the authorization of each command on each network device. This greatly enhances the scalability and manageability of setting authorization restrictions. In Cisco Secure ACS, the default command authorization sets include the Shell Command Authorization Sets and the PIX Command Authorization Sets.

For information on assigning command authorization sets, see the following procedures:
• Shell Command Authorization Sets—See either of the following:
– Configuring a Shell Command Authorization Set for a User Group, page 6-30
– Configuring a Shell Command Authorization Set for a User, page 7-26
• PIX Command Authorization Sets—See either of the following:
– Configuring a PIX Command Authorization Set for a User Gro

Adding a Command Authorization Set

To add a command authorization set, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components.
Result: The Shared Profile Components page lists the command authorization set types available. These always include Shell Command Authorization Sets and PIX Command Authorization Sets.
Step 2 Click one of the listed command authorization set types, as applicable.

Step 7 For each command you want to enter as part of this command authorization set, follow these steps:
a. In the box just above the Add Command button, type a command that is to be part of the set.
Note: Enter only the command portion of the command/argument string here. Arguments are added only after the command is listed.
b.

Editing a Command Authorization Set

To edit a command authorization set, follow these steps:
Step 1 In the navigation bar, click Shared Profile Components.
Result: The Shared Profile Components page lists the command authorization set types available.
Step 2 Click a command authorization set, as applicable.
Result: The selected Command Authorization Sets table appears.

Step 3 From the Name column, click the name of the command set you want to delete.
Result: Information for the selected set appears on the applicable Command Authorization Set page.
Step 4 Click Delete.
Result: A dialog box warns you that you are about to delete a command authorization set.
Step 5 To confirm that you intend to delete that command authorization set, click OK.
CHAPTER 6 Setting Up and Managing User Groups
This chapter provides information about setting up and managing user groups in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) to control authorization. Cisco Secure ACS enables you to group together network users for more efficient administration. You can establish up to 500 different groups to effect different levels of authorization.
Chapter 6 Setting Up and Managing User Groups User Group Setup Features and Functions
• Configuration-specific User Group Settings, page 6-15—This section details procedures that you would perform only as applicable to your particular network security configuration.
• Group Setting Management, page 6-48—This section includes basic administrative procedures, such as determining the users in a group or renaming a group.
Chapter 6 Setting Up and Managing User Groups Common User Group Settings
Cisco Secure ACS also enables you to enter and configure new TACACS+ services. For information about how to configure a new TACACS+ service to appear on the group setup page, see the “Protocol Configuration Options for TACACS+” section on page 3-7. You can use the Shell Command Authorization Set feature to configure TACACS+ group settings.
Enabling VoIP Support for a User Group
Note: If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Group Settings check box.
Perform this procedure to enable support for the null password function of VoIP. This enables users to authenticate (session or telephone call) on only the user ID (telephone number).
Setting Default Time of Day Access for a User Group
Note: If this feature does not appear, click Interface Configuration, click Advanced Options. Then select the Default Time-of-Day / Day-of-Week Specification check box.
To define the times during which users in a particular group are allowed, or not allowed, access, follow these steps:
Step 1 In the navigation bar, click Group Setup.
Result: The Group Setup Select page opens.
Step 5 To save the group settings you have just made, click Submit. For more information, see the “Saving Changes to User Group Settings” section on page 6-50.
Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Setting Callback Options for a User Group
Callback is a command string that is passed back to the access server.
Step 4 To save the group settings you have just made, click Submit. For more information, see the “Saving Changes to User Group Settings” section on page 6-50.
Step 5 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
page of the Interface Configuration section for single group IP-based filter options and single group CLI/DNIS-based filter options to appear in the Cisco Secure ACS HTML interface.
Note: When an authentication request is forwarded by proxy to a Cisco Secure ACS server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
Step 4 To define and apply a NAR, for this particular user group, that permits or denies this group’s access based on IP address, or IP address and port, follow these steps:
Tip: You should define most NARs from within the Shared Components section so that the restrictions can be applied to more than one group or user. For more information, see the “Shared Network Access Restrictions Configuration” section on page 5-7.
d. Complete the following boxes:
Note: You must make an entry in each box. You can use the wildcard asterisk (*) for all or part of a value.
Tip: The format you use must match the format of the string you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.
• PORT—Type the number of the port to which to permit or deny access.
Step 6 To save the group settings you have just made, click Submit. For more information, see the “Saving Changes to User Group Settings” section on page 6-50.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Setting Max Sessions for a User Group
Note: If this feature does not appear, click Interface Configuration, click Advanced Options.
To configure the max sessions settings for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
Result: The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
Result: The Group Settings page displays the name of the group at its top.
Setting Usage Quotas for a User Group
Note: If this feature does not appear, click Interface Configuration, click Advanced Options. Then select the Usage Quotas check box.
Perform this procedure to define usage quotas for members of a group. Session quotas affect each user of a group individually, not the group collectively.
Tip: To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off. If the AAA client through which the user is accessing your network fails, the quota is not updated.
Chapter 6 Setting Up and Managing User Groups Configuration-specific User Group Settings
c. Select the period for which the session quota is effective from the following:
• per Day—From 12:01 a.m. until midnight
• per Week—From 12:01 a.m. Sunday until midnight Saturday
• per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month
• Total—An ongoing count of sessions, without an end
Step 5 To save the group settings you have just made, click Submit.
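The quota periods above, and the same periods in the per-user usage quota procedure in Chapter 7, are easier to reason about with a small model of how accounting records accumulate against them. The following is an added example and is not Cisco Secure ACS code; it assumes that a session is charged to the period in which it started and that its duration is whatever the most recent accounting update or stop record reported, which is what makes the tip about accounting update packets matter: a session that has sent only a start record contributes nothing until its next update or its stop. The accounting records and the reference time are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AcctRecord:
    """One accounting record as a AAA client would report it (constructed sample data)."""
    session_id: str
    status: str            # "start", "update" or "stop"
    timestamp: datetime
    elapsed_seconds: int = 0   # cumulative session time carried by update/stop records


def period_start(period, now):
    """Start of the quota period containing `now`; None means an ongoing total.

    The guide describes each period as running from 12:01 a.m.; it is modeled
    here on calendar boundaries (00:00), which is an assumption of this example.
    """
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "day":
        return midnight
    if period == "week":   # Sunday 00:00; datetime.weekday() has Monday=0 ... Sunday=6
        return midnight - timedelta(days=(midnight.weekday() + 1) % 7)
    if period == "month":
        return midnight.replace(day=1)
    if period == "total":
        return None
    raise ValueError(f"unknown quota period {period!r}")


def usage_in_period(records, period, now):
    """Return (session_count, minutes_used) for the quota period containing `now`."""
    start = period_start(period, now)
    started, elapsed = {}, {}
    for r in sorted(records, key=lambda r: r.timestamp):
        if r.status == "start":
            started[r.session_id] = r.timestamp
        else:                          # "update" or "stop": latest cumulative time wins
            elapsed[r.session_id] = r.elapsed_seconds
    counted = [sid for sid, ts in started.items() if start is None or ts >= start]
    seconds = sum(elapsed.get(sid, 0) for sid in counted)   # no update/stop yet -> 0
    return len(counted), seconds // 60


def within_quota(records, period, now, max_sessions=None, max_minutes=None):
    """True unless the session count or the total duration exceeds the quota."""
    sessions, minutes = usage_in_period(records, period, now)
    if max_sessions is not None and sessions > max_sessions:
        return False
    if max_minutes is not None and minutes > max_minutes:
        return False
    return True


# Constructed sample: reference time is Wednesday, 14 November 2001, 15:00.
NOW = datetime(2001, 11, 14, 15, 0)
SAMPLE_RECORDS = [
    AcctRecord("s1", "start", datetime(2001, 11, 14, 9, 0)),
    AcctRecord("s1", "update", datetime(2001, 11, 14, 9, 30), 1800),
    AcctRecord("s1", "stop", datetime(2001, 11, 14, 10, 0), 3600),
    AcctRecord("s2", "start", datetime(2001, 11, 14, 13, 0)),    # still active, no updates
    AcctRecord("s3", "start", datetime(2001, 11, 11, 10, 0)),    # Sunday: this week, not today
    AcctRecord("s3", "stop", datetime(2001, 11, 11, 12, 0), 7200),
    AcctRecord("s4", "start", datetime(2001, 11, 9, 20, 0)),     # Friday of the previous week
    AcctRecord("s4", "stop", datetime(2001, 11, 9, 20, 10), 600),
]

if __name__ == "__main__":
    for period in ("day", "week", "month", "total"):
        print(period, usage_in_period(SAMPLE_RECORDS, period, NOW))
```

Session s2 shows the failure mode from the tip: with no interim accounting updates it counts toward the session quota but adds no minutes, so a duration quota cannot be enforced against it until the session ends.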
• Configuring Ascend RADIUS Settings for a User Group, page 6-37
• Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group, page 6-38
• Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group, page 6-39
• Configuring Microsoft RADIUS Settings for a User Group, page 6-41
• Configuring Nortel RADIUS Settings for a User Group, page 6-42
• Configuring Juniper RADIUS Settings f
Setting Token Card Settings for a User Group
Note: If this section does not appear, configure a token server. Then click External User Databases, click Database Configuration, and then add the applicable token card server.
Perform this procedure to allow a token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).
Step 4 In the Token Card Settings table, to cache the token for the entire session, select Session.
Step 5 Also in the Token Card Settings table, to cache the token for a specified time period (measured from the time of first authentication), follow these steps:
a. Select Duration.
b. Type the duration length in the box.
c. Select the unit of measure, either Seconds, Minutes, or Hours.
Note: To define levels in this manner, you must have configured the option in Interface Configuration; if you have not done so already, click Interface Configuration, click Advanced Settings, and then select the Network Device Groups check box.
If you are using NDGs, this option lets you easily configure the NDG for enable-level mapping rather than having to do it for each user in the group.
Enabling Password Aging for the CiscoSecure User Database
The password aging feature of Cisco Secure ACS enables you to force users to change their passwords under one or more of the following conditions:
• After a specified number of days (age-by-date rules)
• After a specified number of logins (age-by-uses rules)
• The first time a new user logs in (password change rule)
Varieties of Password Aging Supported
Cisco Secure ACS supports password aging using the RADIUS protocol under MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging over Telnet connections using the RADIUS protocol.
disabled if the password is not changed, and enables the user to change it. Continuing with the examples above, if you allow a 5-day grace period, a user who did not log in during the active and warning periods would be permitted to change passwords up to and including the 30th day.
Tip: To allow users to log in an unlimited number of times without changing their passwords, type -1.
• Apply password change rule—Selecting this check box forces new users to change their password the first time they log in.
• Generate greetings for successful logins—Selecting this check box enables a “Greetings” message to display whenever users log in successfully via the AAA client.
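The three password aging rules (age-by-date with its active, warning and grace periods, age-by-uses with -1 meaning unlimited, and the password change rule for new users) combine into a small state machine. The following added example models that combination; it is not Cisco Secure ACS code. The period lengths are assumptions chosen so that active + warning + grace adds up to the 30-day boundary mentioned above, and the order in which the rules are checked is this example's choice, not a documented one.

```python
from dataclasses import dataclass


@dataclass
class PasswordAgingRules:
    """Group-level password aging settings (assumed values for this example)."""
    active_days: int = 20            # password accepted without comment
    warning_days: int = 5            # accepted, user warned that a change is due
    grace_days: int = 5              # accepted only so the user can change it
    max_uses: int = -1               # age-by-uses limit; -1 means unlimited logins
    password_change_rule: bool = True   # new users must change on first login


def age_by_date_state(rules, days_since_change):
    """Classify a password by age: active, warning, grace, or disabled."""
    if days_since_change <= rules.active_days:
        return "active"
    if days_since_change <= rules.active_days + rules.warning_days:
        return "warning"
    if days_since_change <= rules.active_days + rules.warning_days + rules.grace_days:
        return "grace"          # e.g. up to and including day 30 with the defaults above
    return "disabled"           # account disabled: password was never changed in time


def evaluate_login(rules, days_since_change, logins_since_change, first_login=False):
    """Return (accepted, must_change_now, message) for one login attempt."""
    if rules.password_change_rule and first_login:
        return True, True, "first login: password change required"
    state = age_by_date_state(rules, days_since_change)
    if state == "disabled":
        return False, False, "account disabled: password not changed within the grace period"
    if rules.max_uses != -1 and logins_since_change >= rules.max_uses:
        return True, True, f"password used {logins_since_change} times; change required"
    if state == "grace":
        return True, True, "grace period: change password now"
    if state == "warning":
        days_left = rules.active_days + rules.warning_days - days_since_change
        return True, False, f"password expires in {days_left} days"
    return True, False, "ok"


if __name__ == "__main__":
    rules = PasswordAgingRules()
    for day in (10, 23, 30, 31):
        print(day, age_by_date_state(rules, day), evaluate_login(rules, day, 3))
```

Note that the age-by-uses check is applied before the grace-period check, so a user who has exhausted the login count is told to change the password even while the date-based state is still active; swap the order if your policy treats the date rule as primary.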
Step 3 From the Jump To list at the top of the page, choose Password Aging.
Result: The Password Aging Rules table appears.
Enabling Password Aging for Users in Windows Databases
The Windows NT/2000 Password Aging mechanism is separate and distinct from the other Cisco Secure ACS password aging mechanisms. For information on the requirements and settings for the password aging mechanisms that control users in the CiscoSecure user database, see the “Enabling Password Aging for the CiscoSecure User Database” section on page 6-20.
The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000, and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). Setting password aging for users in the Windows NT/2000 database is only one part of the larger task of setting security policies in Windows.
Note: If there is more than one pool in the Selected Pools list, the users in this group are assigned to the first available pool in the order listed.
Tip: To change the position of a pool in the list, select the pool name and click Up or Down until the pool is in the position you want.
Step 5 To save the group settings you have just made, click Submit.
To assign a downloadable PIX ACL to a group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
Result: The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
Result: The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Downloadable ACLs.
To configure TACACS+ settings for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
Result: The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
Result: The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose TACACS+.
Step 5 To allow all services to be permitted unless specifically listed and disabled, you can select the Default (Undefined) Services check box under the Checking this option will PERMIT all UNKNOWN Services table.
Warning: This is an advanced feature and should only be used by administrators who understand the security implications.
Step 6 To save the group settings you have just made, click Submit.
To specify shell command authorization set parameters for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
Result: The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
Result: The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose TACACS+.
If you select Permit, users can issue all commands not specifically listed. If you select Deny, users can issue only those commands listed.
c. To list particular commands to be permitted or denied, select the Command check box and then type the name of the command, define its arguments using standard permit or deny syntax, and select whether unlisted arguments should be permitted or denied.
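The two defaults just described (what happens to a command that is not listed, and what happens to an argument that matches none of a listed command's permit/deny lines) decide most of the real-world outcomes of a shell command authorization set, so it is worth seeing them evaluated together. The following is an added example, not Cisco Secure ACS code: it models a set as a per-set default for unmatched commands plus, per listed command, an ordered list of permit/deny argument lines and a default for unlisted arguments. That argument patterns are matched as regular expressions against the whole argument string, and that the first matching line wins, are assumptions of this model; the set contents are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One listed command with its permit/deny argument lines."""
    command: str
    arg_lines: list = field(default_factory=list)   # (action, pattern), evaluated in order
    unlisted_args: str = "deny"                      # "permit" or "deny" for unmatched arguments


@dataclass
class CommandAuthorizationSet:
    name: str
    unmatched_commands: str = "deny"                 # "permit": anything not listed is allowed
    rules: dict = field(default_factory=dict)

    def add_command(self, command, unlisted_args="deny"):
        self.rules[command] = CommandRule(command, unlisted_args=unlisted_args)
        return self

    def add_argument(self, command, action, pattern):
        self.rules[command].arg_lines.append((action, pattern))
        return self

    def authorize(self, command_line):
        """Return (permitted, reason) for a full command line typed at the device shell."""
        parts = command_line.strip().split(maxsplit=1)
        if not parts:
            return False, "empty command line"
        command, args = parts[0], (parts[1] if len(parts) > 1 else "")
        rule = self.rules.get(command)
        if rule is None:                             # command not listed: set-level default applies
            return (self.unmatched_commands == "permit",
                    f"{command!r} not listed; unmatched commands: {self.unmatched_commands}")
        for action, pattern in rule.arg_lines:       # first matching argument line wins (assumption)
            if re.fullmatch(pattern, args):
                return action == "permit", f"{command!r} arguments matched '{action} {pattern}'"
        return (rule.unlisted_args == "permit",      # no line matched: per-command default applies
                f"{command!r} arguments {args!r} not listed; unlisted arguments: {rule.unlisted_args}")


def example_set():
    """Constructed set for a read-only operator: only listed commands are permitted."""
    s = CommandAuthorizationSet("ops-readonly", unmatched_commands="deny")
    s.add_command("show", unlisted_args="permit")        # show anything, except what is denied below
    s.add_argument("show", "deny", r"running-config.*")  # keeps secrets in the running config out
    s.add_argument("show", "permit", r"interface.*")
    s.add_command("configure", unlisted_args="deny")     # only the one listed form of configure
    s.add_argument("configure", "permit", r"terminal")
    return s


if __name__ == "__main__":
    s = example_set()
    for line in ["show interface gi0/1", "show running-config", "show version",
                 "configure terminal", "configure replace flash:x", "reload"]:
        permitted, why = s.authorize(line)
        print(f"{'PERMIT' if permitted else 'DENY  '} {line:28} ({why})")
```

The "unlisted arguments: permit" default on show is what makes "show version" work without listing it, while the explicit deny line still blocks "show running-config"; with "unmatched commands: deny" the unlisted "reload" is refused outright.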
Before You Begin
• Ensure that a AAA client has been configured to use TACACS+ as the security control protocol.
• In the TACACS+ (Cisco) section of Interface Configuration, ensure that the PIX Shell (pixShell) option is selected in the Group column.
• Ensure that you have previously configured one or more PIX command authorization sets.
Step 7 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG, for each association, follow these steps:
a. Select the Assign a PIX Command Authorization Set on a per Network Device Group Basis option.
b. Select a Device Group and an associated Command Set.
c. Click Add Association.
To configure IETF RADIUS attribute settings to be applied as an authorization for each user in the current group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
Result: The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
Result: The Group Settings page displays the name of the group at its top.
Configuring Cisco IOS/PIX RADIUS Settings for a User Group
The Cisco IOS/PIX RADIUS parameters appear only when both of the following are true:
• A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in Network Configuration.
• Group-level RADIUS (Cisco IOS/PIX) attributes have been enabled in Interface Configuration: RADIUS (Cisco IOS/PIX).
Cisco IOS/PIX RADIUS represents only the Cisco VSAs.
Configuring Ascend RADIUS Settings for a User Group
The Ascend RADIUS parameters appear only when both of the following are true:
• A AAA client has been configured to use RADIUS (Ascend) or RADIUS (Cisco IOS/PIX) in Network Configuration.
• Group-level RADIUS (Ascend) attributes have been enabled in Interface Configuration: RADIUS (Ascend).
Ascend RADIUS represents only the Ascend proprietary attributes.
Step 6 To save the group settings you have just made, click Submit. For more information, see the “Saving Changes to User Group Settings” section on page 6-50.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Step 3 From the Group list, select a group, and then click Edit Settings.
Result: The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 3000).
Step 5 In the Cisco VPN 3000 Concentrator RADIUS Attributes table, determine the attributes to be authorized for the group by selecting the check box next to the attribute.
To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:
Step 1 Confirm that your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see the “Configuring IETF RADIUS Settings for a User Group” section on page 6-34.
Configuring Microsoft RADIUS Settings for a User Group
Microsoft RADIUS provides VSAs supporting MPPE, which is an encryption technology developed by Microsoft to encrypt PPP links. These PPP connections can be via a dial-in line, or over a VPN tunnel.
Step 5 In the Microsoft RADIUS Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see Appendix D, “RADIUS Attributes,” or the documentation for network devices using RADIUS.
To configure and enable Nortel RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:
Step 1 Confirm that your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see the “Configuring IETF RADIUS Settings for a User Group” section on page 6-34.
Step 2 In the navigation bar, click Group Setup.
Configuring Juniper RADIUS Settings for a User Group
Juniper RADIUS represents only the Juniper VSAs. You must configure both the IETF RADIUS and Juniper RADIUS attributes.
Note: To hide or display Juniper RADIUS attributes, see the “Setting Protocol Configuration Options for RADIUS (Juniper)” section on page 3-19.
Step 6 To save the group settings you have just made, click Submit. For more information, see the “Saving Changes to User Group Settings” section on page 6-50.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Configuring Cisco BBSM RADIUS Settings for a User Group
Cisco BBSM RADIUS represents only the Cisco BBSM RADIUS VSAs.
Step 5 In the Cisco BBSM RADIUS Attributes table, specify the attribute to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see Appendix D, “RADIUS Attributes,” or the documentation for network devices using RADIUS.
To configure and enable custom RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:
Step 1 Confirm that your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see the “Configuring IETF RADIUS Settings for a User Group” section on page 6-34.
Step 2 In the navigation bar, click Group Setup.
Chapter 6 Setting Up and Managing User Groups Group Setting Management
Group Setting Management
This section describes how to use the Cisco Secure ACS Group Setup section to perform a variety of managerial tasks.
Resetting Usage Quota Counters for a User Group
You can reset the usage quota counters for all members of a group, either before or after a quota has been exceeded.
To reset usage quota counters for all members of a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
Result: The Group Setup Select page opens.
Step 2 From the Group list, select the group.
Step 5 Click Submit.
Result: The Select page opens with the new group name selected.
Note: The group remains in the same position in the list. The number value of the group is still associated with this group name. Some utilities, such as the database import utility, use the numeric value associated with the group.
Saving Changes to User Group Settings
After you have completed configuration for a group, be sure to save your work.
CHAPTER 7 Setting Up and Managing User Accounts
This chapter provides information about setting up and managing user accounts in Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS).
Note: Settings at the user level override settings configured at the group level.
Before you configure User Setup, it is important to understand how this section functions.
Chapter 7 Setting Up and Managing User Accounts User Setup Features and Functions
• Advanced User Authentication Settings, page 7-23—Details on the steps necessary to configure a user account for authentication outside the system using the TACACS+ or RADIUS protocol options.
• User Management, page 7-51—Information about viewing, disabling, and resetting user accounts.
Chapter 7 Setting Up and Managing User Accounts About User Databases
About User Databases
Cisco Secure ACS authenticates users against one of several possible databases, including its CiscoSecure user database. Regardless of which database you configure Cisco Secure ACS to use when authenticating a user, all users have accounts within the CiscoSecure user database, and authorization of users is always performed against the user records in the CiscoSecure user database.
Chapter 7 Setting Up and Managing User Accounts Basic User Setup Options
Basic User Setup Options
This section presents the basic activities you perform when configuring a new user.
Note: The steps for editing user account settings are essentially identical to those used when adding a user account but, to edit, you navigate directly to the field or fields to be changed. You cannot edit the name associated with a user account; to change a user name, you must delete the user account and establish another.
Step 4 Ensure that the Account Disabled check box is not selected.
Note: Alternatively, you can select the Account Disabled check box to create a user account that is disabled, and enable the account at another time.
Step 5 Under Password Authentication in the User Setup table, select the applicable authentication type from the list.
Step 7 Do one of the following:
a. To finish configuring the user account options and establish the user account, click Submit.
b. To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Tip: For lengthy account configurations, you can click Submit before continuing. This prevents loss of information you have already entered if an unforeseen problem occurs.
Setting a Separate CHAP/MS-CHAP/ARAP Password
Setting a separate CHAP/MS-CHAP/ARAP password adds more security to Cisco Secure ACS authentication. However, you must have a AAA client configured to support the separate password.
Assigning a User to a Group
A user can belong to only one group in Cisco Secure ACS. The user inherits the attributes and operations assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings configured at the group level. By default, users are assigned to the Default Group.
Setting User Callback Option
Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
To set the user callback option, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Result: The User Setup Edit page opens.
Step 3 Do one of the following:
a. If you are finished configuring the user account options, click Submit to record the options.
b. To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Assigning a User to a Client IP Address
To assign a user to a client IP address, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Step 3
• Assigned by AAA client pool—Select this option and type the AAA client IP pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA client.
• Assigned from AAA pool—Select this option and type the applicable pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA server.
Typically, you define (shared) NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user. For more information, see the “Shared Network Access Restrictions Configuration” section on page 5-7.
b. To specify whether one or all shared NARs must apply for the user to be permitted access, select one of the following two options, as applicable:
• All selected NARs result in permit
• Any one selected NAR results in permit
c. Select a shared NAR name in the NARs list, and then click —> (right arrow button) to move the name into the Selected NARs list.
d. Select or enter the information in the following boxes:
• AAA Client—Select All AAA Clients, or the name of a network device group (NDG), or the name of the individual AAA client, to which to permit or deny access.
• Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.
c. Complete the following boxes:
Note: You must make an entry in each box. You can use the wildcard asterisk (*) for all or part of a value.
Tip: The format you use must match the format of the string you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.
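The shared NAR definition in Chapter 5 (AAA client, port and CLI/DNIS boxes with the asterisk wildcard) and the two user-level combination options above (All selected NARs result in permit, Any one selected NAR results in permit) can be put together into one evaluation model. The following is an added example and is not Cisco Secure ACS code. It assumes that a NAR's line items are either the permitted or the denied locations, that the asterisk behaves as a glob matched against the whole value, and that a user with no NAR selected is not restricted; the NARs and requests are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class NarEntry:
    """One line item of a NAR; "*" in any box means all values (wildcard, modeled as a glob)."""
    aaa_client: str            # AAA client name or NDG name
    port: str
    cli: str = "*"             # calling line ID, as the AAA client reports it
    dnis: str = "*"            # dialed number, as the AAA client reports it

    def matches(self, req):
        pairs = ((self.aaa_client, req["aaa_client"]), (self.port, req["port"]),
                 (self.cli, req.get("cli", "")), (self.dnis, req.get("dnis", "")))
        return all(fnmatchcase(value, pattern) for pattern, value in pairs)


@dataclass
class NetworkAccessRestriction:
    name: str
    listed_locations: str      # "permitted": only listed locations pass; "denied": listed ones fail
    entries: list = field(default_factory=list)

    def permits(self, req):
        hit = any(e.matches(req) for e in self.entries)
        return hit if self.listed_locations == "permitted" else not hit


def access_permitted(selected_nars, req, rule="all"):
    """Combine the selected NARs: rule="all" needs every NAR to permit, rule="any" needs one."""
    results = [nar.permits(req) for nar in selected_nars]
    if not results:
        return True            # nothing selected, nothing restricts (assumption of this model)
    return all(results) if rule == "all" else any(results)


# Constructed shared NARs.
NY_DIALIN = NetworkAccessRestriction(
    "ny-dialin-only", "permitted",
    [NarEntry("nas-ny-*", "*", cli="212555*")])     # any port on the NY access servers, 212-555 callers
NO_CONSOLE = NetworkAccessRestriction(
    "no-console-port", "denied",
    [NarEntry("*", "0")])                            # port 0 on every AAA client is refused


if __name__ == "__main__":
    for req in ({"aaa_client": "nas-ny-01", "port": "3", "cli": "2125551234"},
                {"aaa_client": "nas-ny-01", "port": "0", "cli": "2125551234"},
                {"aaa_client": "nas-sf-02", "port": "3", "cli": "4155550000"}):
        print(req, "all:", access_permitted([NY_DIALIN, NO_CONSOLE], req, "all"),
              "any:", access_permitted([NY_DIALIN, NO_CONSOLE], req, "any"))
```

The second request shows why the combination option matters: a denied console port fails the "all" rule but passes under "any", because the dial-in NAR still permits it. As the tip notes, the CLI and DNIS strings must be written in exactly the form the AAA client sends, which is why the example compares raw strings rather than parsed numbers.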
Chapter 7 Setting Up and Managing User Accounts Basic User Setup Options Step 5 Do one of the following: a. If you are finished configuring the user account options, click Submit to record the options. b. To continue to specify the user account options, perform other procedures in this chapter, as applicable. Setting Max Sessions Options for a User The Max Sessions feature enables you to set the maximum number of simultaneous connections permitted for this user.
Chapter 7 Setting Up and Managing User Accounts Basic User Setup Options To set max sessions options for a user, follow these steps: Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5. Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
Setting User Usage Quotas Options
You can define usage quotas for individual users. You can limit users in one or both of two ways:
• By total duration of sessions for the period selected
• By the total number of sessions for the period selected
For Cisco Secure ACS purposes, a session is any type of user connection supported by RADIUS or TACACS+, for example PPP, Telnet, or ARAP.
network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the user’s quota. Treat a quota as a usage control rather than a hard cutoff: a session that is still in progress is not counted until it ends.
To set usage quota options for a user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
c. Select the period for which you want to enforce the session usage quota:
• per Day—From 12:01 a.m. until midnight
• per Week—From 12:01 a.m. Sunday until midnight Saturday
• per Month—From 12:01 a.m.
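The quota semantics above, and the ISDN caveat that usage is recorded only when all of a user's sessions have terminated, can be modelled in a few lines. The following is an added example, not Cisco code and not a description of ACS's internal implementation: it assumes that only completed sessions count, that a period starts at midnight rather than 12:01 a.m., and it uses a constructed two-channel call to show why a second channel is admitted after the first has already spent the quota. The names Quota, QuotaTracker, isdn_overrun_demo and session_count_demo are this example's own.

```python
"""Model of per-user session usage quotas (added example, not Cisco code).
It follows only what the guide states: quotas limit total minutes and/or
session count per day, week (Sunday to Saturday) or month, and usage is
recorded only when a session ends, so a still-open channel is not counted.
Assumed simplification: periods start at midnight, not 12:01 a.m."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def period_start(t: datetime, period: str) -> datetime:
    """Start of the day/week/month quota period containing t."""
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "day":
        return day
    if period == "week":
        # weekday(): Monday=0 ... Sunday=6; ACS weeks run Sunday to Saturday.
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if period == "month":
        return day.replace(day=1)
    raise ValueError(f"unknown period {period!r}")


def period_start_iso(iso: str, period: str) -> str:
    """ISO-8601 timestamp in, ISO date of the period start out."""
    return period_start(datetime.fromisoformat(iso), period).date().isoformat()


@dataclass
class Quota:
    period: str                          # "day", "week" or "month"
    max_minutes: Optional[int] = None    # None = no duration limit
    max_sessions: Optional[int] = None   # None = no session-count limit


@dataclass
class QuotaTracker:
    quota: Quota
    # Completed sessions only, as (start, stop) pairs per user.
    completed: Dict[str, List[Tuple[datetime, datetime]]] = field(default_factory=dict)
    # Sessions still up; these are NOT counted until they terminate.
    active: Dict[str, List[datetime]] = field(default_factory=dict)

    def usage(self, user: str, now: datetime) -> Tuple[int, int]:
        """(minutes, sessions) recorded in the period that contains `now`."""
        start = period_start(now, self.quota.period)
        minutes = sessions = 0
        for s, e in self.completed.get(user, []):
            if e >= start:                # ended inside the current period
                minutes += int((e - s).total_seconds() // 60)
                sessions += 1
        return minutes, sessions

    def authorize(self, user: str, now: datetime) -> bool:
        """Admit a new session unless *recorded* usage has reached the quota."""
        minutes, sessions = self.usage(user, now)
        q = self.quota
        if q.max_minutes is not None and minutes >= q.max_minutes:
            return False
        if q.max_sessions is not None and sessions >= q.max_sessions:
            return False
        self.active.setdefault(user, []).append(now)
        return True

    def terminate(self, user: str, started: datetime, now: datetime) -> None:
        """Close a session; only now does it count against the quota."""
        self.active[user].remove(started)
        self.completed.setdefault(user, []).append((started, now))

    def reset(self, user: str) -> None:
        """Counterpart of 'Resetting User Session Quota Counters'."""
        self.completed.pop(user, None)


def isdn_overrun_demo() -> Tuple[bool, bool, bool]:
    """Two ISDN channels against a 60-minute daily quota (constructed case).
    Returns (first_channel_ok, second_channel_ok, later_call_ok)."""
    tracker = QuotaTracker(Quota(period="day", max_minutes=60))
    t0 = datetime(2001, 7, 12, 9, 0)
    first = tracker.authorize("alice", t0)                       # nothing recorded yet
    # 90 minutes later channel 1 is still up: the quota is spent in reality,
    # but nothing has been recorded, so channel 2 is admitted as well.
    second = tracker.authorize("alice", t0 + timedelta(minutes=90))
    tracker.terminate("alice", t0, t0 + timedelta(minutes=100))
    tracker.terminate("alice", t0 + timedelta(minutes=90), t0 + timedelta(minutes=100))
    # Both channels down and counted (110 min): a later call that day is refused.
    later = tracker.authorize("alice", t0 + timedelta(minutes=120))
    return first, second, later


def session_count_demo() -> Tuple[bool, bool, bool]:
    """One-session-per-day quota, then the administrator resets the counters."""
    tracker = QuotaTracker(Quota(period="day", max_sessions=1))
    t0 = datetime(2001, 7, 12, 9, 0)
    first = tracker.authorize("bob", t0)
    tracker.terminate("bob", t0, t0 + timedelta(minutes=30))
    second = tracker.authorize("bob", t0 + timedelta(hours=1))  # refused
    tracker.reset("bob")
    third = tracker.authorize("bob", t0 + timedelta(hours=1))   # admitted again
    return first, second, third
```

isdn_overrun_demo returns (True, True, False): both channels are admitted, and only after both have terminated does the user's recorded usage exceed the quota. If a hard per-user ceiling matters to you, combine the quota with Max Sessions, which limits simultaneous connections rather than recorded usage.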
Step 2 Do one of the following:
a. Select the Never option to keep the user account always enabled.
Note This is the default setting.
b. Select the Disable account if option to disable the account under specific circumstances. Then, specify one or both of the circumstances under the following boxes:
• Date exceeds—Select the Date exceeds: check box.
Chapter 7 Setting Up and Managing User Accounts Advanced User Authentication Settings
PIX ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface, see the “Adding a Downloadable PIX ACL” section on page 5-3.
Note The Downloadable ACLs table does not appear if it has not been enabled. To enable the Downloadable ACLs table, click Interface Configuration followed by Advanced Options. Then select the User-Level Downloadable ACLs check box.
TACACS+ Settings (User)
The TACACS+ Settings section permits you to enable and configure the service/protocol parameters to be applied for the authorization of a user.
For more information about attributes, see Appendix C, “TACACS+ Attribute-Value Pairs,” or your AAA client documentation. For information on assigning a PIX ACL, see the “Assigning a PIX ACL to a User” section on page 7-22.
Before You Begin
• For the TACACS+ service/protocol configuration to be displayed, a AAA client must have been configured to use TACACS+ as the security control protocol.
Step 5 To employ custom attributes for a particular service, select the Custom attributes check box under that service, and then specify the attribute/value in the box below the check box.
Step 6 Do one of the following:
a. If you are finished configuring the user account options, click Submit to record the options.
b.
• In the TACACS+ (Cisco) section of Interface Configuration, ensure that the Shell (exec) option is selected in the User column.
• Ensure that you have previously configured one or more shell command authorization sets. For detailed steps, see the “Command Authorization Sets Configuration” section on page 5-14.
Step 7 To define the specific Cisco IOS commands and arguments to be permitted or denied for this user, follow these steps:
a. Select the Per User Command Authorization option.
b. Under Unmatched Cisco IOS commands, select either Permit or Deny. If you select Permit, the user can issue all commands not specifically listed. If you select Deny, the user can issue only those commands listed. Deny is the least-privilege choice: with Permit, any command you omit from the list is allowed.
c.
Configuring a PIX Command Authorization Set for a User
Use this procedure to specify the PIX command authorization set parameters for a user.
Step 4 To assign the PIX command authorization set at the group level, select the As Group option.
Step 5 To assign a particular PIX command authorization set to be effective on any configured network device, follow these steps:
a. Select the Assign a PIX Command Authorization Set for any network device option.
b.
Configuring the Unknown Service Setting for a User
If you want TACACS+ AAA clients to permit unknown services, you can select the Default (Undefined) Services check box under Checking this option will PERMIT all UNKNOWN Services. Leave this check box cleared unless you need it: when it is selected, any service or protocol that you have not explicitly configured for the user is permitted.
To configure the Unknown Service setting for a user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Details on configuring user options with the Advanced TACACS+ Settings are presented in the following three procedures:
• Setting Enable Privilege Options for a User, page 7-32
• Setting TACACS+ Enable Password Options for a User, page 7-34
• Setting TACACS+ Outbound Password for a User, page 7-35
Setting Enable Privilege Options for a User
You use TACACS+ Enable Control with Exec session to control administrator
To select and specify the privilege level for a user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
c. Click Add Association.
Result: An entry appears in the table, associating the device group with a particular privilege level.
d. Repeat Steps a through c for each device group you want to associate to this user.
Tip To delete an entry, select the entry and then click Remove Associate.
Step 5 Do one of the following:
a. If you are finished configuring the user account options, click Submit to record the options.
Step 2 Do one of the following:
a. To use the information configured in the Password Authentication section, select Use CiscoSecure PAP password.
b. To employ an external database password, select Use external database password, and then choose from the list the database that authenticates this user’s enable password.
c.
Caution Use an outbound password only if you are familiar with the use of a TACACS+ SendAuth/OutBound password.
To set a TACACS+ outbound password for a user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
• Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User, page 7-42
• Setting Microsoft RADIUS Parameters for a User, page 7-44
• Setting Nortel RADIUS Parameters for a User, page 7-45
• Setting Juniper RADIUS Parameters for a User, page 7-47
• Setting BBSM RADIUS Parameters for a User, page 7-48
To configure custom VSAs, see the “Setting Custom RADIUS Attributes for a User” section on page 7-49.
To configure IETF RADIUS attribute settings to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
To configure and enable Cisco IOS RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
Ascend RADIUS represents only the Ascend proprietary attributes. You must configure both the IETF RADIUS and Ascend RADIUS attributes. Proprietary attributes override IETF attributes. The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.
Note To hide or display Ascend RADIUS attributes, see the “Setting Protocol Configuration Options for RADIUS (Ascend)” section on page 3-14.
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User
The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only if all the following are true:
• A AAA client has been configured to use RADIUS (Cisco VPN 3000) in Network Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
Step 3 In the Cisco VPN 3000 Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
Setting Microsoft RADIUS Parameters for a User
Microsoft RADIUS provides VSAs supporting Microsoft Point-to-Point Encryption (MPPE), an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-in line or over a Virtual Private Network (VPN) tunnel.
Step 2 Before configuring Microsoft RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see the “Setting IETF RADIUS Parameters for a User” section on page 7-37.
Step 3 In the Microsoft RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a.
Nortel RADIUS represents only the Nortel proprietary attributes. You must configure both the IETF RADIUS and Nortel RADIUS attributes. Proprietary attributes override IETF attributes.
Note To hide or display Nortel RADIUS attributes, see the “Setting Protocol Configuration Options for RADIUS (Nortel)” section on page 3-18.
Setting Juniper RADIUS Parameters for a User
The Juniper RADIUS parameters appear only if all the following are true:
• A AAA client has been configured to use RADIUS (Juniper) in Network Configuration.
• The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
Step 4 Do one of the following:
a. If you are finished configuring the user account options, click Submit to record the options.
b. To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Step 3 In the BBSM RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
c. Continue to select and define attributes, as applicable.
To configure and enable custom RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Steps 1 through 3 of the “Adding a Basic User Account” section on page 7-5.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
User Management
This section describes how to use the Cisco Secure ACS User Setup section to perform a variety of user account management tasks.
Step 3 To view or edit the information for an individual user, click the username in the right window.
Result: The user’s account information appears.
Finding a User
To find a user, follow these steps:
Step 1 In the navigation bar, click User Setup.
Result: The User Setup Select page opens.
Step 2 Type the name in the User box and then click Find.
Tip You can use wildcard characters (*) in this box.
Disabling a User Account
This procedure details how to manually disable a user account in the CiscoSecure user database.
Note To configure the conditions by which a user account will automatically be disabled, see the “Setting Options for User Account Disablement” section on page 7-21.
Note This is not to be confused with account expiration due to password aging. Password aging is defined for groups only, not for individual users.
Deleting a User Account
Caution If you are authenticating using the Unknown User policy, you must also delete the user account from the external user database. Otherwise, the username is automatically re-added to the CiscoSecure user database the next time the user attempts to log in, so deleting the account in Cisco Secure ACS alone does not revoke that user’s access.
To delete a user account, follow these steps:
Step 1 Click User Setup.
Result: The User Setup Select page of the HTML interface opens.
Resetting User Session Quota Counters
You can reset the session quota counters for a user either before or after the user exceeds a quota.
To reset user usage quota counters, follow these steps:
Step 1 Click User Setup.
Result: The Select page of the HTML interface opens.
Step 2 In the User box, type the complete username of the user whose session quota counters you are going to reset.
Note Alternatively, you can click List All Users and then select the user from the list that appears.
Step 3 Click Add/Edit.
Step 4 In the Account Disable table, select the Reset current failed attempts count on submit check box, and then click Submit.
Result: The Failed attempts since last successful login: counter resets to 0 (zero) and the system re-enables the account.
Chapter 8 Establishing Cisco Secure ACS System Configuration
This chapter addresses the features found in the System Configuration section of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS).
Service Control
Cisco Secure ACS comprises several Windows NT/2000 services. The Service Control page provides basic status information about the services and enables you to configure the service log files and to stop or restart the services. For more information about Cisco Secure ACS services, see Appendix H, “Cisco Secure ACS Internal Architecture.”
Note If the CSAdmin service needs to be restarted, you can do so using the Control Panel Services applet; however, it is best to allow Cisco Secure ACS to handle the services, because there are dependencies in the order in which the services are started.
To stop, start, or restart Cisco Secure ACS services, follow these steps:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Service Control.
Setting the Date Format
Note If you have reports that were generated before you changed the date format, be sure to move or rename them to avoid conflicts. For example, if you are using the month/day/year format, Cisco Secure ACS assigns the name 2001-07-12.csv to a report generated on July 12, 2001.
Password Validation
Note Password validation options apply only to user passwords stored in the CiscoSecure user database. They do not apply to passwords in user records kept in external user databases, nor do they apply to enable or admin passwords for Cisco IOS network devices.
Step 7 To require that passwords contain both letters and numbers, select the Password must be alphanumeric check box.
Step 8 Click Submit.
Result: Cisco Secure ACS restarts its services and implements the password validation settings you specified. Because the services restart, make this change at a time when a brief interruption of AAA service is acceptable.
CiscoSecure Database Replication
these secondary Cisco Secure ACS servers if the primary Cisco Secure ACS server fails or is unreachable.
Note All Cisco Secure ACS servers involved in replication must run the same release of the Cisco Secure ACS software, including patch level. For example, if the primary Cisco Secure ACS server is running Cisco Secure ACS version 3.0.1, all secondary Cisco Secure ACS servers must also be running Cisco Secure ACS version 3.0.1.
After the preceding events on the primary Cisco Secure ACS server, the database replication process continues on the secondary Cisco Secure ACS server as follows:
1. The secondary Cisco Secure ACS server receives the compressed, encrypted copy of the primary Cisco Secure ACS server’s CiscoSecure database components.
Replication Frequency
The frequency with which your Cisco Secure ACS servers replicate can have important implications for overall AAA performance. With shorter replication intervals, a secondary server is more up-to-date with the primary server, so if the primary Cisco Secure ACS server fails, the secondary Cisco Secure ACS server, including its CiscoSecure user database, is more current.
• Replication to secondary Cisco Secure ACS servers takes place sequentially in the order listed in the Replication list under Replication Partners on the CiscoSecure Database Replication page.
• The secondary Cisco Secure ACS server receiving the replicated components must be configured to accept database replication from the primary Cisco Secure ACS server.
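The rules in this section (same release and patch level on every server involved, a secondary must accept replication from its primary, replication proceeds to partners sequentially in listed order, and a cascading server is both primary and secondary) are easy to get wrong across several servers. The following pre-flight check is an added example, not Cisco code: it reads an inventory you write by hand (the name, version, sends_to and accepts_from fields are this example's own format, not an ACS export) and reports every violation before you click Replicate Now. The INVENTORY below is constructed for illustration.

```python
"""Pre-flight checks for a CiscoSecure Database Replication topology.
Added example, not Cisco code. The inventory format is an assumption of
this example; the rules checked are the ones stated in the guide."""
from typing import Dict, List

# Constructed inventory: a primary with two secondaries; the second one
# cascades to a third server that was patched to a different release and
# was never told to accept replication from it.
INVENTORY: Dict[str, dict] = {
    "acs-primary": {"version": "3.0.1", "sends_to": ["acs-sec-1", "acs-sec-2"], "accepts_from": []},
    "acs-sec-1":   {"version": "3.0.1", "sends_to": [],            "accepts_from": ["acs-primary"]},
    "acs-sec-2":   {"version": "3.0.1", "sends_to": ["acs-sec-3"], "accepts_from": ["acs-primary"]},
    "acs-sec-3":   {"version": "3.0.2", "sends_to": [],            "accepts_from": []},
}


def check_replication(inv: Dict[str, dict]) -> List[str]:
    """Return a list of problems; an empty list means the topology is consistent."""
    problems: List[str] = []
    for primary, cfg in inv.items():
        for secondary in cfg["sends_to"]:
            if secondary not in inv:
                problems.append(f"{primary} replicates to unknown server {secondary}")
                continue
            sec = inv[secondary]
            # Rule: the secondary must be configured to accept replication from this primary.
            if primary not in sec["accepts_from"]:
                problems.append(f"{secondary} does not accept replication from {primary}")
            # Rule: same release, including patch level, on both ends.
            if sec["version"] != cfg["version"]:
                problems.append(f"version mismatch: {primary} runs {cfg['version']}, "
                                f"{secondary} runs {sec['version']}")
    return problems


def roles(inv: Dict[str, dict]) -> Dict[str, str]:
    """Classify each server as primary, secondary, both (cascading) or none."""
    out: Dict[str, str] = {}
    for name, cfg in inv.items():
        sends = bool(cfg["sends_to"])
        receives = any(name in other["sends_to"] for other in inv.values())
        out[name] = {(True, True): "both", (True, False): "primary",
                     (False, True): "secondary", (False, False): "none"}[(sends, receives)]
    return out


def replication_order(inv: Dict[str, dict], start: str) -> List[str]:
    """Order in which servers receive components: a primary sends to its
    partners sequentially in listed order, and a partner that is itself a
    primary forwards only after it has received (cascading)."""
    order: List[str] = []
    seen = {start}

    def visit(primary: str) -> None:
        for secondary in inv.get(primary, {}).get("sends_to", []):
            if secondary in seen:        # a loop would replicate forever; stop here
                continue
            seen.add(secondary)
            order.append(secondary)
            visit(secondary)

    visit(start)
    return order


def fixed_inventory(inv: Dict[str, dict]) -> Dict[str, dict]:
    """Copy of the inventory with acs-sec-3 brought into line (constructed fix)."""
    out = {k: {"version": v["version"], "sends_to": list(v["sends_to"]),
               "accepts_from": list(v["accepts_from"])} for k, v in inv.items()}
    out["acs-sec-3"]["version"] = "3.0.1"
    out["acs-sec-3"]["accepts_from"] = ["acs-sec-2"]
    return out
```

Run against INVENTORY, check_replication reports two problems (acs-sec-3 neither accepts replication from acs-sec-2 nor runs the same release), roles shows acs-sec-2 acting as both primary and secondary, and replication_order gives acs-sec-1, acs-sec-2, acs-sec-3. After fixed_inventory the check is clean.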
Caution The possibility of backing up a corrupted database exists regardless of whether you use CiscoSecure Database Replication. Because of this small risk, if you are using Cisco Secure ACS in mission-critical environments, we strongly recommend that you implement a backup plan that accounts for this possibility. Replication is not a substitute for backups; it copies the primary’s database components as they are.
Replication Options
The Cisco Secure ACS HTML interface provides three sets of options for configuring CiscoSecure Database Replication:
• Replication Components Options, page 8-13
• Replication Scheduling Options, page 8-14
• Replication Partners Options, page 8-15
Replication Components Options
You can specify both the CiscoSecure database components that a Cisco Secure ACS server sends as a primary Cisco
If mirroring the entire database with a secondary Cisco Secure ACS server might send confidential information, such as the proxy distribution table, you can configure the primary Cisco Secure ACS server to send only a specific category of database information.
Note Cisco Secure ACS does not replicate server certificates used for EAP-TLS authentication. Each secondary Cisco Secure ACS server therefore needs its own server certificate installed before it can authenticate EAP-TLS users after a failover.
Replication Partners Options
You can specify the Cisco Secure ACS servers for which a Cisco Secure ACS server acts as a primary Cisco Secure ACS server or as a secondary Cisco Secure ACS server.
Implementing Primary and Secondary Replication Setups on Cisco Secure ACS Servers
If you implement a replication scheme that uses cascading replication, the Cisco Secure ACS server configured to replicate only when it has received replicated components from another Cisco Secure ACS server acts both as a primary Cisco Secure ACS server and as a secondary Cisco Secure ACS server.
Configuring a Secondary Cisco Secure ACS Server
Note If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box. Also, verify that the Distributed System Settings check box is selected; if not, select the Distributed System Settings check box.
Step 5 If the secondary Cisco Secure ACS server is to receive replication components from only one primary Cisco Secure ACS server, from the Accept replication from list, select the other Cisco Secure ACS server name.
Note The primary Cisco Secure ACS servers available in the Accept replication from list are determined by the AAA Servers table in the Network Configuration section.
To initiate database replication immediately, follow these steps:
Step 1 Log in to the primary Cisco Secure ACS server’s HTML interface.
Step 2 In the navigation bar, click System Configuration.
Step 3 Click CiscoSecure Database Replication.
Note If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box.
Scheduling Replication
You can schedule when a primary Cisco Secure ACS server sends its replication components to a secondary Cisco Secure ACS server. For more information about replication scheduling options, see the “Configuring a Secondary Cisco Secure ACS Server” section on page 8-17.
Note Replication cannot occur until the secondary Cisco Secure ACS servers are configured properly.
Step 5 To have the primary Cisco Secure ACS server send replication components to its secondary Cisco Secure ACS servers at regular intervals, under Replication Scheduling, select the Every X minutes option and, in the X box, type the length in minutes of the interval at which Cisco Secure ACS should perform replication.
Step 8 To specify the secondary Cisco Secure ACS servers for the primary Cisco Secure ACS server, follow these steps:
Note For more information about replication partners, see the “Replication Partners Options” section on page 8-15.
Disabling CiscoSecure Database Replication
You can disable scheduled CiscoSecure database replications without losing the schedule itself. This allows you to cease scheduled replications temporarily and later resume them without having to re-enter the schedule information.
To disable CiscoSecure database replication, follow these steps:
Step 1 Log in to the primary Cisco Secure ACS server’s HTML interface.
RDBMS Synchronization
This section provides information about the RDBMS Synchronization feature, including procedures for implementing this feature, both within Cisco Secure ACS and in the external data source involved.
You can configure synchronization to occur on a regular schedule. You can also perform synchronizations manually, updating the CiscoSecure user database on demand. Synchronization performed by a single Cisco Secure ACS server can update the internal databases of other Cisco Secure ACS servers, so you need to configure RDBMS Synchronization on only one Cisco Secure ACS server.
Figure 8-2 RDBMS Synchronization
[Figure: a third-party RDBMS exposes the accountActions table over ODBC to Cisco Secure Access Control Server 1, which in turn updates Cisco Secure Access Control Server 2 and Cisco Secure Access Control Server 3.]
CSDBSync reads each record from the accountActions table and updates the CiscoSecure user database as specified by the action code in the record.
The database containing the accountActions table must support a multi-threaded ODBC driver. This is required to prevent problems in the event that Cisco Secure ACS and the third-party system attempt to access the accountActions table simultaneously. Cisco Secure ACS includes files to help you create your accountActions table for several common formats.
• Oracle 8—Contains the files accountActions.sql and testData.sql. The accountActions.sql file contains the Oracle 8 SQL procedure needed to generate an accountActions table. The testData.sql file contains Oracle 8 SQL procedures for updating the accountActions table with sample transactions that CSDBSync can process.
• SQL Server 6.5—Contains the files accountActions.sql and testData.sql. The accountActions.
Reports and Event (Error) Handling
The CSDBSync service provides event and error logging. For more information about the RDBMS Synchronization log, see the “RDBMS Synchronization Log” section on page 9-16. For more information about the CSDBSync service log, see the “Service Logs” section on page 9-34.
Step 4 Validate your third-party system to ensure that it updates the accountActions table properly. Rows generated in the accountActions table must be valid. For details on the format and content of the accountActions table, see Appendix G, “ODBC Import Definitions.”
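What "reads each record from the accountActions table and updates the CiscoSecure user database as specified by the action code" and "rows must be valid" amount to in practice can be seen by processing a small table yourself. The following is an added example, not Cisco code and not CSDBSync: it parses a constructed accountActions CSV of the kind used with the Microsoft ODBC CSV driver, validates each row, applies the actions in SequenceId order to an in-memory user table, and marks each row's Status. The column names follow the shape of the table described in Appendix G, but the numeric action codes, the Status values and the validation rules are this example's assumptions; take the real definitions from Appendix G. Note that in this model a password set by an action travels in Value1 in the clear until the row is processed, and that anything able to write rows to the table can, through synchronization, create accounts and set passwords, so write access to accountActions deserves the same protection as the Cisco Secure ACS administrator interface.

```python
"""Processor for accountActions records (added example, not Cisco code).
Column names follow the shape of the table in Appendix G; the action codes,
Status values and validation rules below are assumptions for illustration."""
import csv
import io
from typing import Dict, List, Tuple

# Assumed action codes for illustration; Appendix G is authoritative.
ADD_USER, DELETE_USER, SET_PAP_PASS, SET_GROUP = 100, 101, 102, 108
KNOWN_ACTIONS = {ADD_USER, DELETE_USER, SET_PAP_PASS, SET_GROUP}
# Assumed Status values: 0 = pending, 1 = processed, 2 = rejected.
STATUS_PENDING, STATUS_DONE, STATUS_ERROR = "0", "1", "2"
COLUMNS = ["SequenceId", "UserName", "GroupName", "Action", "ValueName", "Value1", "Status"]

# Constructed sample: a valid add / set-password / set-group sequence, an
# unknown action code, an empty UserName, and a delete of a missing user.
SAMPLE_CSV = """SequenceId,UserName,GroupName,Action,ValueName,Value1,Status
1,jdoe,,100,,,0
2,jdoe,,102,,s3cr3t-pap,0
3,jdoe,staff,108,,,0
4,jdoe,,999,,,0
5,,,100,,,0
6,ghost,,101,,,0
"""


def parse_account_actions(text: str) -> List[Dict[str, str]]:
    """Parse the CSV; refuse a file whose header is not the expected table layout."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected accountActions columns: {reader.fieldnames}")
    rows = list(reader)
    rows.sort(key=lambda r: int(r["SequenceId"]))   # process in sequence order
    return rows


def validate(row: Dict[str, str]) -> str:
    """'' if the row is well formed, otherwise the reason it must be rejected."""
    if not row["UserName"]:
        return "UserName is empty"
    if not row["Action"].isdigit() or int(row["Action"]) not in KNOWN_ACTIONS:
        return f"unknown action code {row['Action']!r}"
    action = int(row["Action"])
    if action == SET_PAP_PASS and not row["Value1"]:
        return "SET_PAP_PASS requires a password in Value1"
    if action == SET_GROUP and not row["GroupName"]:
        return "SET_GROUP requires GroupName"
    return ""


def apply_actions(rows: List[Dict[str, str]], users: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Apply every pending row to `users` (stand-in for the CiscoSecure user
    database), set each row's Status in place, and return (SequenceId, Status,
    reason) per row handled. Rows already marked are skipped, so running
    again over the same table changes nothing."""
    log: List[Tuple[str, str, str]] = []
    for row in rows:
        if row["Status"] != STATUS_PENDING:
            continue
        reason = validate(row)
        if not reason:
            name, action = row["UserName"], int(row["Action"])
            if action == ADD_USER:
                users.setdefault(name, {"group": None, "pap": None})
            elif name not in users:
                reason = f"user {name} does not exist"
            elif action == DELETE_USER:
                del users[name]
            elif action == SET_PAP_PASS:
                users[name]["pap"] = row["Value1"]
            elif action == SET_GROUP:
                users[name]["group"] = row["GroupName"]
        row["Status"] = STATUS_ERROR if reason else STATUS_DONE
        log.append((row["SequenceId"], row["Status"], reason))
    return log


def run_sync(text: str) -> Tuple[Dict[str, dict], List[Tuple[str, str, str]]]:
    """Parse and apply one accountActions file; returns (users, log)."""
    users: Dict[str, dict] = {}
    return users, apply_actions(parse_account_actions(text), users)
```

run_sync(SAMPLE_CSV) leaves one user, jdoe in group staff with the PAP password set, and marks rows 4 to 6 as rejected with a reason each; that rejected-with-reason record is what you would want your own validation in Step 4 to catch before the rows reach CSDBSync.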
The solution is to initiate synchronization events from a script, such as a DOS batch file. In the script, RDBMS synchronization is initiated with the CSDBSync -run command. Assuming a default installation, CSDBSync.exe is installed at:
C:\Program Files\CiscoSecure ACS vx.x\CSDBSync
After you have written a script that uses the CSDBSync command, you can schedule synchronization events using the Windows at command.
Step 3 At a DOS prompt, follow these steps:
a. Type net stop CSDBSync and press Enter.
b. Type net start CSDBSync and press Enter.
Result: The Microsoft ODBC CSV driver can now access the accountActions CSV file properly.
Configuring a System Data Source Name for RDBMS Synchronization
On the Cisco Secure ACS server, a system DSN must exist for Cisco Secure ACS to access the accountActions table.
Step 6 Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs.
Step 7 Click OK.
Result: The name you assigned to the DSN appears in the System Data Sources list.
Step 8 Close the ODBC window and Windows Control Panel.
RDBMS Setup Options
The RDBMS Synchronization feature provides the following RDBMS setup options:
• Data Source—Specifies which of the system DSNs available on the Cisco Secure ACS server is used to access the accountActions table.
• Username—Specifies the username Cisco Secure ACS uses to access the database that contains the accountActions table.
Note The database user account specified by the username
Synchronization Partners Options
The RDBMS Synchronization feature provides the following synchronization partners options:
• AAA Server—This list represents the AAA servers configured in the AAA Servers table in Network Configuration for which the Cisco Secure ACS server does not perform RDBMS synchronization.
Step 3 To specify options in the RDBMS Setup table, follow these steps:
Note For more information about RDBMS setup, see the “RDBMS Setup Options” section on page 8-34.
a. From the Data Source list, select the system DSN you configured to communicate with the database that contains your accountActions table.
Step 6 At the bottom of the browser window, click Synchronize Now.
Result: Cisco Secure ACS immediately begins a synchronization event. To check the status of the synchronization, view the RDBMS Synchronization report in Reports and Activity.
Scheduling RDBMS Synchronization
You can schedule when a Cisco Secure ACS server performs RDBMS synchronization.
b. In the Username box, type the username for a database user account that has read/write access to the accountActions table. Use a dedicated database account whose privileges are limited to the accountActions table rather than a shared administrative account.
c. In the Password box, type the password for the username specified in the previous step.
b. Click —> (right arrow button).
Result: The selected Cisco Secure ACS server moves to the Synchronize list.
Note At least one Cisco Secure ACS server must be in the Synchronize list. This includes the server on which you are configuring RDBMS Synchronization; RDBMS Synchronization does not automatically include the current server’s internal database.
Step 7 Click Submit.
Cisco Secure ACS Backup This section provides information about the Cisco Secure ACS Backup feature, including procedures for implementing this feature.
Backup File Locations The default directory for backup files is the following: drive:\path\CSAuth\System Backups where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. For example, if you installed Cisco Secure ACS Version 3.0 in the default location, the default backup location would be: c:\Program Files\CiscoSecure ACS v3.
Reports of Cisco Secure ACS Backups When a system backup takes place, whether it was manually generated or scheduled, the event is logged in the Administration Audit report and the ACS Backup and Restore report. You can view recent reports in the Reports and Activity section of Cisco Secure ACS. For more information about Cisco Secure ACS reports, see Chapter 9, “Working with Logging and Reports.”
Scheduling Cisco Secure ACS Backups You can schedule Cisco Secure ACS backups to occur at regular intervals or at selected days of the week and times. To schedule the times at which Cisco Secure ACS performs a backup, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click ACS Backup. Result: The ACS System Backup Setup page appears.
Step 6 To manage which backup files Cisco Secure ACS keeps, follow these steps: a. Select the Manage Directory check box. b. To limit the number of backup files Cisco Secure ACS retains, select the Keep only the last X files option and type the number of files you want Cisco Secure ACS to retain in the X box. c.
Cisco Secure ACS System Restore This section provides information about the Cisco Secure ACS System Restore feature, including procedures for restoring your Cisco Secure ACS server from a backup file.
The backup directory is selected when you schedule backups or perform a manual backup. The default directory for backup files is the following: drive:\path\CSAuth\System Backups where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. For example, if you installed Cisco Secure ACS Version 3.
Components Restored You can select the components to restore: the user and group databases, the system configuration, or both. Reports of Cisco Secure ACS Restorations When a Cisco Secure ACS system restoration takes place, the event is logged in the Administration Audit report and the ACS Backup and Restore report. You can view recent reports in the Reports and Activity section of Cisco Secure ACS.
Step 3 To change the backup directory, type the new drive and path to the backup directory in the Directory box, and then click OK. Result: Cisco Secure ACS displays the backup files, if any, in the backup directory you specified. Step 4 In the list below the Directory box, select the backup file you want to use to restore Cisco Secure ACS.
Cisco Secure ACS Active Service Management
System Monitoring Cisco Secure ACS system monitoring enables you to determine how often Cisco Secure ACS tests its authentication and accounting processes, and what automated actions it takes should tests detect a failure of these processes.
– Custom actions—You can define other actions for Cisco Secure ACS to take upon failure of the login process. Cisco Secure ACS can execute a batch file or executable upon the failure of the login process.
Step 5 If you want to set up event logging, proceed to the “Setting Up Event Logging” section on page 8-51. Step 6 If you are done setting up Cisco Secure ACS Service Management, click Submit. Result: Cisco Secure ACS implements the service management settings you made.
Step 4 To have Cisco Secure ACS send an e-mail when an event occurs, follow these steps: a. Select the Email notification of event check box. b. In the To box, type the e-mail address to which Cisco Secure ACS should send event notification e-mail. Note Do not use underscores in the e-mail addresses you type in this box. c. In the SMTP Mail Server box, type the hostname of the sending e-mail server.
IP Pools Server
To use IP pools, the AAA client must have network authorization (aaa authorization network) and accounting (aaa accounting) enabled. Note To use the IP Pools feature, you must set up your AAA client to perform authentication and accounting using the same protocol—either TACACS+ or RADIUS.
To allow overlapping IP pools or to force unique pool address ranges, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click IP Pools Server. Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the IP Pools check box.
Refreshing the AAA Server IP Pools Table You can refresh the AAA Server IP Pools table. This allows you to get the latest usage statistics for your IP pools. To refresh the AAA Server IP Pools table, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click IP Pools Server.
Step 5 In the Start Address box, type the lowest IP address of the range of addresses for the new pool. Note All addresses in an IP pool must be on the same Class C network, so the first three octets of the start and end addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.254.
Step 5 To change the starting address of the pool range of IP addresses, in the Start Address box, type the lowest IP address of the new range of addresses for the pool. Note All addresses in an IP pool must be on the same Class C network, so the first three octets of the start and end addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.254.
Step 3 Click the name of the IP pool you need to reset. Result: The name pool table appears, where name is the name of the IP pool you selected. The In Use field displays the number of IP addresses of this pool that are currently assigned to a user. The Available field displays the number of IP addresses currently not assigned to users. Step 4 Click Reset.
Step 3 Click the name of the IP pool you need to delete. Result: The name pool table appears, where name is the name of the IP pool you selected. The In Use column displays the number of IP addresses of this pool that are currently assigned to a user. The Available column displays the number of IP addresses currently not assigned to users. Step 4 Click Delete.
IP Pools Address Recovery
Step 3 Select the Release address if allocated for longer than X hours check box and in the X box type the number of hours after which Cisco Secure ACS should recover assigned, unused IP addresses. Step 4 Click Submit. Result: Cisco Secure ACS implements the IP pools address recovery settings you made.
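The pool rules given in this section (a range within one Class C network, the In Use and Available counts, Reset, and recovery of addresses held longer than X hours) modelled in code, as an added example that is not Cisco's code; the pool name, usernames and times are constructed for the example:

```python
"""Added example (not Cisco's code): a small in-memory model of an ACS-style
IP pool that enforces the rules stated in this chapter:

* a pool must stay within one Class C network (same first three octets,
  host octets 1-254, end address above the start address);
* the pool reports In Use and Available counts, and Reset clears it;
* IP Pools Address Recovery releases any address held longer than X hours.

Usernames, addresses and times below are constructed for the example.
"""
import ipaddress
from datetime import datetime, timedelta


def pool_range_error(start, end):
    """Return None if start..end is a valid pool range, else a reason string."""
    try:
        s = ipaddress.IPv4Address(start)
        e = ipaddress.IPv4Address(end)
    except ValueError as exc:
        return f"not an IPv4 address: {exc}"
    if s.packed[:3] != e.packed[:3]:
        return "start and end must share the first three octets (one Class C network)"
    if not (1 <= s.packed[3] <= 254 and 1 <= e.packed[3] <= 254):
        return "host octet must be between 1 and 254"
    if e <= s:
        return "end address must be higher than start address"
    return None


class IPPool:
    def __init__(self, name, start, end):
        err = pool_range_error(start, end)
        if err:
            raise ValueError(err)
        self.name = name
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end))
        self._addresses = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        self._leases = {}  # username -> (address, time allocated)

    def in_use(self):
        return len(self._leases)

    def available(self):
        return len(self._addresses) - len(self._leases)

    def allocate(self, user, now):
        """Hand the user the lowest free address (or the one already held)."""
        if user in self._leases:
            return self._leases[user][0]
        taken = {addr for addr, _ in self._leases.values()}
        for addr in self._addresses:
            if addr not in taken:
                self._leases[user] = (addr, now)
                return addr
        raise RuntimeError(f"pool {self.name} has no free addresses")

    def release(self, user):
        """Normal release, e.g. when the accounting stop record arrives."""
        self._leases.pop(user, None)

    def reset(self):
        """Model of the Reset button: drop every lease in the pool."""
        self._leases.clear()

    def recover_stale(self, now, max_hours):
        """Model of Address Recovery: release addresses held longer than max_hours.

        Returns the recovered addresses so the caller can log them."""
        limit = timedelta(hours=max_hours)
        recovered = []
        for user, (addr, since) in list(self._leases.items()):
            if now - since > limit:
                recovered.append(addr)
                del self._leases[user]
        return sorted(recovered, key=ipaddress.IPv4Address)


def demo():
    """Constructed scenario; returns the figures an operator would see."""
    pool = IPPool("wireless", "192.168.1.1", "192.168.1.10")
    t0 = datetime(2001, 11, 5, 8, 0, 0)
    a = pool.allocate("alice", t0)
    b = pool.allocate("bob", t0 + timedelta(hours=1))
    before = (pool.in_use(), pool.available())
    # alice has held her address for 5 hours, bob for 4: only alice's is stale
    recovered = pool.recover_stale(t0 + timedelta(hours=5), max_hours=4)
    after = (pool.in_use(), pool.available())
    return {"alice": a, "bob": b, "before": before, "recovered": recovered, "after": after}


if __name__ == "__main__":
    print(demo())
```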
Configuring VoIP Accounting Note The VoIP Accounting Configuration feature does not enable VoIP accounting. To enable VoIP accounting, see Chapter 9, “Working with Logging and Reports.” To configure VoIP accounting, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click VoIP Accounting Configuration.
Cisco Secure ACS Certificate Setup
Background on Certification EAP and TLS are both IETF RFC standards. The EAP protocol extends the Point-to-Point Protocol (PPP) by providing new methods for carrying authentication information before establishing PPP connections, specifically, EAPOL (the encapsulation of EAP over LANs as established by IEEE 802.1X).
EAP-TLS Setup Overview This section outlines the basic steps necessary to implement EAP-TLS in Cisco Secure ACS. • Obtain, and install on Cisco Secure ACS, a “server” certificate. You can perform the “server” certificate installation using either the manual enrollment procedure or automatic enrollment procedure in this section.
This section contains procedures for the following subjects: • Generating a Request for a Certificate, page 8-64 • Installing Cisco Secure ACS Certification with Manual Enrollment, page 8-66 • Installing Cisco Secure ACS Certification with Automatic Enrollment, page 8-68 • Performing Cisco Secure ACS Certification Update or Replacement, page 8-69 Generating a Request for a Certificate You perform this
Step 3 Select the Manual certificate enrollment option. Step 4 To have Cisco Secure ACS generate a certificate signing request (CSR), follow these steps: a. Select the Generate certificate signing request (CSR) option. b. In the Certificate subject box, type cn= followed by the name that you would like to use as subject name in this ACS certificate, for example, cn=ACSWireless. c.
Step 6 Open a browser window and navigate to the web site of your CA. Then copy the encoded certificate signing request from Cisco Secure ACS and paste it into the CA submission form, as applicable. Result: The CA receives the request and issues a certificate. Tip Typically, the CA generates the certificate and provides the means for you to download it.
Step 4 Select the Use existing certificate option. Step 5 You must specify whether the system should read the certificate from a specified file or use a certificate already in storage on the local machine. Do one of the following: a.
Installing Cisco Secure ACS Certification with Automatic Enrollment You can use this process to install ACS certification using your existing Microsoft enterprise CA.
Step 4 To specify the Microsoft CA, under Microsoft Windows 2000 Certificate Services, follow these steps: a. In the CA server name box, type the name of the CA server. b. In the CA common name box, type the common name of the CA. c. In the Certificate subject box, type the name you want to use as subject name for the Cisco Secure ACS certificate.
Result: Cisco Secure ACS displays the Installed Certificate Information table on the ACS Certificate Setup page. Note If your Cisco Secure ACS has not already been enrolled with a certificate, you do not see the Installed Certificate Information table. Rather, you see the Install new certificate table. If this is the case, you can proceed to Step 5. Step 3 Click Enroll New Certificate.
Certification Authority Setup
This section contains procedures for the following subjects: • Editing the Certificate Trust List, page 8-72 • Adding a New CA Certificate to Local Certificate Storage, page 8-72 Note The CAs on the CTL should be those that issue user certificates that you want Cisco Secure ACS to recognize as trustworthy. Trust Requirements and Models TLS authentications require two elements of trust.
Editing the Certificate Trust List You use this procedure to add CAs to or remove CAs from your CTL. To edit the CTL, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click Certification Authority Setup. Result: Cisco Secure ACS displays the CA Operations table. Step 3 To edit the certificate trust list, click Edit certificate trust list.
Note Cisco Secure ACS requires that the certificate and CA files be in Base64-encoded X.509. You can also add the CA certificate by installing it outside of Cisco Secure ACS (in Windows). After you install it, you should be able to see the new CA in the CA list from within Cisco Secure ACS.
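To check that a CA file is in the Base64-encoded X.509 (PEM) form the note above requires, and to convert a binary DER file when it is not, here is an added example that is not Cisco's code; the DER input is a constructed placeholder ASN.1 SEQUENCE, not a real certificate:

```python
"""Added example (not Cisco's code): check that a CA or server certificate
file is in the Base64-encoded X.509 (PEM) form Cisco Secure ACS expects,
and convert a binary DER file to that form if it is not.

CONSTRUCTED_DER below is a placeholder ASN.1 SEQUENCE, not a real
certificate; the structural checks are the same for a real one.
"""
import base64
import re

PEM_ARMOR = re.compile(
    rb"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S
)

# 0x30 0x82 0x01 0x00 = SEQUENCE, long-form length 256, then 256 filler bytes.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_sequence_length(data):
    """Total length the outer DER SEQUENCE claims, or None if data is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data):
    """True when the whole buffer is exactly one DER SEQUENCE (as a certificate is)."""
    return der_sequence_length(data) == len(data)


def pem_to_der(data):
    """Return DER bytes from a PEM-armored certificate, or None if malformed."""
    m = PEM_ARMOR.search(data)
    if not m:
        return None
    body = re.sub(rb"\s+", b"", m.group("body"))
    if not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        return None
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return None


def is_base64_x509(data):
    """True if data is PEM armor whose Base64 body decodes to one DER SEQUENCE."""
    der = pem_to_der(data)
    return der is not None and looks_like_der(der)


def der_to_pem(der):
    """Wrap DER in PEM armor, 64 characters per Base64 line."""
    if not looks_like_der(der):
        raise ValueError("input is not a DER-encoded SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def ensure_base64_x509(data):
    """Return data as PEM, converting from DER when needed; raise if neither."""
    if is_base64_x509(data):
        return data
    if looks_like_der(data):
        return der_to_pem(data)
    raise ValueError("file is neither Base64-encoded X.509 nor DER")


if __name__ == "__main__":
    print(ensure_base64_x509(CONSTRUCTED_DER).decode())
```

On a real file, read it in binary mode and pass the bytes to ensure_base64_x509; a PEM bundle with several certificates is not handled here.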
Global Authentication Setup To configure authentication options, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click Global Authentication Setup. Result: Cisco Secure ACS displays the Global Authentication Setup page.
Chapter 9 Working with Logging and Reports Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) produces a wide variety of logs and provides a way to view most of these logs in the Cisco Secure ACS HTML interface as HTML reports.
charts or perform queries, such as determining how many hours a user was logged in to the network during a given period. For information about how to use a CSV file in a third-party application such as Microsoft Excel, please see the documentation supplied by the third-party vendor. You can access the CSV files either on the Cisco Secure ACS server hard drive or by downloading the CSV file from the HTML interface.
Special Logging Attributes
For more information about configuring the content of CSV logs, see the “Configuring a CSV Log” section on page 9-22. For more information about configuring the content of an ODBC log, see the “Configuring an ODBC Log” section on page 9-27. • Access Device—The name of the AAA client sending the logging data to Cisco Secure ACS. • Network Device Group—The network device group to which the access device (AAA client) belongs.
Update Packets In Accounting Logs
• Logging Update Packets Locally—To log update packets on the local Cisco Secure ACS server, enable the Log Update/Watchdog Packets from this Access Server option for each AAA client in Network Configuration. For more information on setting this option for a AAA client, see the “Adding and Configuring a AAA Client” section on page 4-9.
About Cisco Secure ACS Logs and Reports
• RADIUS Accounting Log, page 9-7 • VoIP Accounting Log, page 9-8 • Failed Attempts Log, page 9-9 • Passed Authentications Log, page 9-10 TACACS+ Accounting Log The TACACS+ Accounting log contains the following information: • User sessions stop and start times • AAA client messages with username • Caller line identification information • Session duration Topics regarding this log include the following: • En
• Configuring a TACACS+ Accounting Log—The steps for configuring a TACACS+ Accounting log vary depending upon which format you want to use. For more information about log formats, see the “Logging Formats” section on page 9-1. – CSV—The default location for CSV TACACS+ Accounting files is Program Files\CiscoSecure ACS vx.x\Logs\TACACS+Accounting.
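As an added example (not Cisco's code) of the kind of query the CSV export allows, the following computes how many hours each user was logged in during a period from the start and stop records of a TACACS+ Accounting log; the column names and log rows are constructed for the example, not taken from the guide, and update packets are skipped:

```python
"""Added example (not Cisco's code): answer the guide's sample question,
"how many hours was a user logged in during a given period", from a
TACACS+ Accounting CSV export.

The column names and the log rows below are constructed for this
example; take the real column names from the Logged Attributes list of
your own Cisco Secure ACS installation.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Update/watchdog packets (see "Update Packets
# In Accounting Logs") appear here with Acct-Flags=update and are ignored.
SAMPLE_CSV = """Date,Time,User-Name,Acct-Flags,NAS-IP-Address,Acct-Session-Id
11/05/2001,08:00:00,alice,start,10.0.0.1,0001
11/05/2001,09:00:00,bob,start,10.0.0.2,0002
11/05/2001,10:30:00,alice,stop,10.0.0.1,0001
11/05/2001,12:00:00,bob,update,10.0.0.2,0002
11/05/2001,23:45:00,alice,start,10.0.0.1,0003
11/06/2001,00:15:00,alice,stop,10.0.0.1,0003
"""

# The period being asked about: the whole of 5 November 2001.
PERIOD_START = datetime(2001, 11, 5, 0, 0, 0)
PERIOD_END = datetime(2001, 11, 6, 0, 0, 0)


def _timestamp(row):
    return datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")


def hours_logged_in(csv_text, period_start, period_end):
    """Return {username: hours} for time spent logged in within the period.

    Sessions are paired by (User-Name, Acct-Session-Id). A session with a
    start but no stop is treated as still open at period_end; a stop with
    no start is assumed to have begun before the log window (period_start).
    Both are clipped to the period so partial overlaps count correctly.
    """
    starts = {}
    stops = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["User-Name"], row["Acct-Session-Id"])
        flag = row["Acct-Flags"].strip().lower()
        if flag == "start":
            starts[key] = _timestamp(row)
        elif flag == "stop":
            stops[key] = _timestamp(row)
        # update/watchdog rows carry no session boundary; skip them

    hours = defaultdict(float)
    for key in set(starts) | set(stops):
        begin = max(starts.get(key, period_start), period_start)
        end = min(stops.get(key, period_end), period_end)
        if end > begin:
            hours[key[0]] += (end - begin).total_seconds() / 3600.0
    return dict(hours)


if __name__ == "__main__":
    # alice: 2.5 h + 0.25 h (second session clipped at midnight); bob: open session, 15 h
    for user, h in sorted(hours_logged_in(SAMPLE_CSV, PERIOD_START, PERIOD_END).items()):
        print(f"{user}: {h:.2f} h")
```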
• Configuring a TACACS+ Administration Log—The steps for configuring a TACACS+ Administration log vary depending upon which format you want to use. For more information about log formats, see the “Logging Formats” section on page 9-1. – CSV—The default location for CSV TACACS+ Administration files is Program Files\CiscoSecure ACS vx.x\Logs\TACACS+Administration.
• Configuring a RADIUS Accounting Log—The steps for configuring a RADIUS Accounting log vary depending upon which format you want to use. For more information about log formats, see the “Logging Formats” section on page 9-1. – CSV—The default location for CSV RADIUS Accounting files is Program Files\CiscoSecure ACS vx.x\Logs\RADIUSAccounting.
• Configuring a VoIP Accounting Log—The steps for configuring a VoIP Accounting log vary depending upon which format you want to use. For more information about log formats, see the “Logging Formats” section on page 9-1. – CSV—The default location for CSV VoIP Accounting files is Program Files\CiscoSecure ACS vx.x\Logs\VoIP Accounting.
Passed Authentications Log The Passed Authentications log lists successful authentication requests. This log is not dependent upon accounting packets from your AAA clients, so it is available even if your AAA clients do not support RADIUS accounting or if you have disabled accounting on your AAA clients.
Logged-In Users Report The Logged-in Users report lists all users currently receiving services for a single AAA client or all AAA clients with access to Cisco Secure ACS. Note To use the logged-in user list feature, your AAA client must perform authentication and accounting using the same protocol—either TACACS+ or RADIUS.
Tip You can sort the table by any column’s entries, in either ascending or descending order. Click a column title once to sort the table by that column’s entries in ascending order. Click the column a second time to sort the table by that column’s entries in descending order. Step 3 Do one of the following: a. To see a list of all users logged in, click All AAA Clients. b.
Note Deleting logged-in users only ends the Cisco Secure ACS accounting record of users logged in to a particular AAA client. It does not terminate active user sessions, nor does it affect user records. To delete logged-in users, follow these steps: Step 1 In the navigation bar, click Reports and Activity. Step 2 Click Logged-in Users.
Disabled Accounts Report The Disabled Accounts report lists all user accounts that are currently disabled and the reason they were disabled. Topics regarding this report include the following: • Enabling a Disabled Accounts Report—The Disabled Accounts report is always enabled. You cannot disable this report.
Cisco Secure ACS System Logs The system logs are logs about the Cisco Secure ACS system and therefore record system-related events. These logs are primarily useful for troubleshooting or audits. They are only available in CSV format.
RDBMS Synchronization Log The RDBMS Synchronization log lists RDBMS Synchronization activity. Topics regarding this log include the following: • Enabling the RDBMS Synchronization Log—The RDBMS Synchronization log is always enabled. You cannot disable this log.
Administration Audit Log The Administration Audit log lists actions taken by each system administrator, such as adding users, editing groups, configuring a AAA client, or viewing reports. Topics regarding this log include the following: • Enabling the Administration Audit Log—The Administration Audit log is always enabled. You cannot disable this log.
Step 4 To generate a new Administrative Audit CSV file when the current file reaches a specific size, select the When size is greater than x KB option and type the file size threshold in kilobytes in the x box. Step 5 To manage which Administrative Audit CSV files Cisco Secure ACS keeps, follow these steps: a. Select the Manage Directory check box. b.
Working with CSV Logs This section contains the following topics: • CSV Log File Names, page 9-19 • Enabling or Disabling a CSV Log, page 9-19 • Viewing a CSV Report, page 9-20 • Configuring a CSV Log, page 9-22 CSV Log File Names When you access a report in Reports and Activity, Cisco Secure ACS lists the CSV files in chronological order, with the current CSV file at the top of the list. The current file is named log.
The logs to which this procedure applies are: • TACACS+ Accounting Log • TACACS+ Administration Log • RADIUS Accounting Log • VoIP Accounting Log • Failed Attempts Log • Passed Authentications Log To enable or disable a CSV log, follow these steps: Step 1 In the navigation bar, click System Configuration. Step 2 Click Logging. Step 3 Click the name of the CSV log you want to enable.
• VoIP Accounting • Failed Attempts • Passed Authentications • ACS Backup and Restore • RDBMS Synchronization • Database Replication • Administration Audit • ACS Service Monitoring When you select Logged-in Users or Disabled Accounts, a list of logged-in users or disabled accounts appears in the display area, which is the frame on the right side of the web browser.
Tip You can configure how Cisco Secure ACS handles old CSV report files. For more information, see the “Configuring a CSV Log” section on page 9-22. Step 3 Click the CSV report file name whose contents you want to view. Result: If the CSV report file contains information, the information appears in the display area. Tip You can sort the table by any column’s entries, in either ascending or descending order.
• RADIUS Accounting • VoIP Accounting • Failed Attempts • Passed Authentications Note The ACS Backup and Restore, RDBMS Synchronization, and Database Replication CSV logs cannot be configured. You can configure several aspects of a CSV log: • Log content—You can select which data attributes are included in the log.
Step 5 To remove an attribute from the log, select the attribute in the Logged Attributes list, then click <— (left arrow button). Result: The attribute moves to the Attributes list. Tip Use the vertical scroll bar to find attributes not visible in the list. Step 6 To set the attributes in the Logged Attributes list back to the default selections, at the bottom of the browser window, click Reset Columns.
Working with ODBC Logs This section contains procedures for the following topics: • Preparing to Use ODBC Logging, page 9-25 • Configuring a System Data Source Name for ODBC Logging, page 9-26 • Configuring a CSV Log, page 9-22 Preparing to Use ODBC Logging If you plan to use ODBC logging, there are several steps you must complete before you configure an ODBC log.
Configuring a System Data Source Name for ODBC Logging On the Cisco Secure ACS server, you must create a system DSN for Cisco Secure ACS to communicate with the relational database that is to store your logging data. To create a system DSN for use with ODBC logging, follow these steps: Step 1 In Windows Control Panel, double-click ODBC Data Sources. Step 2 In the ODBC Data Source Administrator page, click the System DSN tab.
Configuring an ODBC Log The logs to which this procedure applies are: • TACACS+ Accounting • TACACS+ Administration • RADIUS Accounting • VoIP Accounting • Failed Attempts Note Before you can configure an ODBC log, you must prepare for ODBC logging. For more information, see the “Preparing to Use ODBC Logging” section on page 9-25.
b. To remove an attribute from the log, select the attribute in the Logged Attributes list, and then click <— (left arrow button). Result: The attribute moves to the Attributes list. Tip Use the vertical scroll bar to find attributes not visible in the list box. c. To set the attributes in the Logged Attributes list back to the default selections, click Reset Columns.
Note The generated SQL is valid for Microsoft SQL Server only. If you are using another relational database, refer to your relational database documentation for information about writing a command to create a table. Step 9 Using the information provided in the generated SQL, create a table in your relational database for this ODBC log.
Remote Logging
• Enabling and Configuring Remote Logging, page 9-32 • Disabling Remote Logging, page 9-33 About Remote Logging The Remote Logging feature enables you to centralize accounting logs generated by multiple Cisco Secure ACS servers. You can configure each Cisco Secure ACS to point to a single Cisco Secure ACS that is to be used as the logging server.
Remote Logging Options Cisco Secure ACS provides the remote logging options listed below. These options appear on the Remote Logging page, available from the Logging page in the System Configuration section. • Do not Log Remotely—Cisco Secure ACS writes accounting data of locally authenticated sessions only to the local logs that are enabled.
Enabling and Configuring Remote Logging Note Before configuring the Remote Logging feature on a Cisco Secure ACS server, make sure that you have configured your central logging server. For more information, see the “Configuring a Central Logging Server” section on page 9-31. To enable and configure remote logging, follow these steps: Step 1 To enable the Remote Logging feature in the HTML interface, follow these steps: a.
Step 6 For each remote Cisco Secure ACS server you want to have in the Log To list, follow these steps: a. In the Log Servers list, select the name of a Cisco Secure ACS server to which you want to send accounting data for locally authenticated sessions. b. Click —> (right arrow button) to move the selected Cisco Secure ACS server to the Log To list.
Step 3 Click Remote Logging. Step 4 Select the Do not Log Remotely option. Step 5 Click Submit. Result: This Cisco Secure ACS server no longer sends its accounting information for locally authenticated sessions to remote logging servers. Service Logs The service logs may be considered diagnostic logs and are used for troubleshooting or debugging purposes only.
These files are located in the \Logs subdirectory of the applicable service’s directory. For example, the following is the default directory for the CiscoSecure authentication service: c:\Program Files\CiscoSecure ACS v2.6\CSAuth\Logs The most recent debug log is named as follows: SERVICE.log where SERVICE is the name of the applicable service. Older debug logs are named with the year, month, and date they were created.
– Every Month—Cisco Secure ACS generates a new log file at 12:01 A.M. on the first day of every month. – When Size is Greater than x KB—Cisco Secure ACS generates a new log file after the current service log file reaches the size specified, in kilobytes, by x. • Manage Directory—You can control how long service log files are kept: – Keep only the last x files—Cisco Secure ACS retains, at most, the number of files specified by x.
Step 5 To manage which service log files Cisco Secure ACS keeps, follow these steps: a. Select the Manage Directory check box. b. To limit the number of service log files Cisco Secure ACS retains, select the Keep only the last x files option and in the x box type the number of files you want Cisco Secure ACS to retain. c.
C H A P T E R 10 Setting Up and Managing Administrators and Policy This chapter addresses the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) features found in the Administration Control section of the HTML interface.
Chapter 10 Setting Up and Managing Administrators and Policy Administrator Accounts Note Cisco Secure ACS administrator accounts have no correlation with Cisco Secure ACS user accounts or username/password authentication. Cisco Secure ACS stores accounts created for authentication of network service requests and those created for Cisco Secure ACS administrative access in separate internal databases.
Chapter 10 Setting Up and Managing Administrators and Policy Administrator Accounts • Shared Profile Components—Contains the following privilege options for the Shared Profile Components section of the HTML interface: – Network Access Restriction Sets—Allows the administrator full access to the Network Access Restriction Sets feature. – Downloadable ACLs—Allows the administrator full access to the Downloadable PIX ACLs feature.
Chapter 10 Setting Up and Managing Administrators and Policy Administrator Accounts – RDBMS Synchronization—For more information about this feature, see the “RDBMS Synchronization” section on page 8-24. – IP Pool Address Recovery—For more information about this feature, see the “IP Pools Address Recovery” section on page 8-59. – IP Pool Server Configuration—For more information about this feature, see the “IP Pools Server” section on page 8-52.
Chapter 10 Setting Up and Managing Administrators and Policy Administrator Accounts • Reports & Activity—Contains the privilege options for the reports and features found in the Reports and Activity section of the HTML interface. For each of the following features, enabling the option allows the administrator full access to the feature. – TACACS+ Accounting—For more information about this report, see the “TACACS+ Accounting Log” section on page 9-5.
Adding an Administrator Account
You can add Cisco Secure ACS administrator accounts to allow remote access to the HTML interface. If, on the Session Policy page, the Allow automatic local login check box is not selected, Cisco Secure ACS also requires that you log in using an administrative account for administrative sessions local to the Cisco Secure ACS server.
Step 5 To grant user and user group editing privileges, follow these steps:
a. Select the desired check boxes under User & Group Setup.
b. To move a user group to the Editable groups list, select the group in the Available groups list, and then click —> (right arrow button).
Result: The selected group moves to the Editable groups list.
c.
Note You cannot change the name of an administrator account; however, you can delete an administrator account and then create an account with the new name. For information about deleting an administrator account, see the “Deleting an Administrator Account” section on page 10-9. For information about creating an administrator account, see the “Adding an Administrator Account” section on page 10-6.
Step 6 To grant user and user group editing privileges, follow these steps:
a. Under User & Group Setup, select the applicable check boxes.
b. To move all user groups to the Editable groups list, click >>.
Result: The user groups in the Available groups list move to the Editable groups list.
c.
Step 2 In the Administrators table, click the name of the administrator account that you want to delete.
Result: The Edit Administrator name page appears, where name is the name of the administrator account you selected in Step 2.
Step 3 Click Delete.
Result: Cisco Secure ACS displays a confirmation dialog box.
Step 4 Click OK.
Result: Cisco Secure ACS deletes the administrator account.
– Reject connections from listed IP addresses—Allow remote access to the HTML interface only from IP addresses outside the address range(s) specified in the IP Address Ranges table.
• IP Address Ranges—The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, the range includes the start and end IP addresses.
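The following is an added example, not Cisco's code: it models how the Access Policy IP Address Ranges table is evaluated (ten inclusive start/end rows, in either the reject-listed mode shown above or the companion allow-only mode) and adds a sanity check a defender would run before submitting the policy. All addresses are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

MAX_RANGES = 10  # the IP Address Ranges table has ten rows


class AccessPolicy:
    """mode 'allow' permits only listed ranges; mode 'reject' permits only
    addresses outside them ("Reject connections from listed IP addresses")."""

    def __init__(self, mode: str, ranges: List[Tuple[str, str]]) -> None:
        if mode not in ("allow", "reject"):
            raise ValueError("mode must be 'allow' or 'reject'")
        if len(ranges) > MAX_RANGES:
            raise ValueError(f"at most {MAX_RANGES} ranges fit in the table")
        self.mode = mode
        self.ranges = []
        for start, end in ranges:
            lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            if lo > hi:
                raise ValueError(f"range start {start} is above its end {end}")
            self.ranges.append((lo, hi))

    def in_listed_range(self, addr: str) -> bool:
        a = ipaddress.IPv4Address(addr)
        # Ranges are inclusive: both the start and the end address match.
        return any(lo <= a <= hi for lo, hi in self.ranges)

    def permits(self, addr: str) -> bool:
        listed = self.in_listed_range(addr)
        return listed if self.mode == "allow" else not listed


def audit(policy: AccessPolicy) -> List[str]:
    """Defender-side sanity checks on a policy before it is submitted."""
    warnings = []
    if policy.mode == "reject" and not policy.ranges:
        warnings.append("reject mode with no ranges permits every address")
    whole = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
    if policy.mode == "allow" and whole in policy.ranges:
        warnings.append("an allow range covers the whole IPv4 space")
    return warnings
```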
Setting Up Access Policy
For information about access policy options, see the “Access Policy Options” section on page 10-10. To set up Cisco Secure ACS Access Policy, follow these steps:
Step 1 In the navigation bar, click Administration Control.
Result: Cisco Secure ACS displays the Administration Control page.
Step 2 Click Access Policy.
Result: The Access Policy Setup page appears.
Step 7 To allow Cisco Secure ACS to use only a specified range of TCP ports for administrative sessions, follow these steps:
a. Select the Restrict Administration Sessions to the following port range From Port x to Port y option.
b. In the y box, type the highest TCP port in the range.
c. In the x box, type the lowest TCP port in the range.
Step 8 Click Submit.
• Allow Automatic Local Login—Enables administrators to start an administrative session without logging in if they are using a browser on the Cisco Secure ACS server. Local administrative sessions with automatic local login are recorded in the Administrative Audit report with the administrator name “local_login”.
Step 4 Step 5 Step 6 Set the automatic local login policy:
a. To allow administrators to log in to Cisco Secure ACS locally without using their administrator names and passwords, select the Allow Automatic Local Login check box.
b. To require administrators to log in to Cisco Secure ACS locally using their administrator names and passwords, clear the Allow Automatic Local Login check box.
Audit Policy
The Audit Policy feature controls the generation of the Administrative Audit log. For more information about enabling, viewing, or configuring the Administrative Audit log, see the “Administration Audit Log” section on page 9-17.
Chapter 11 Working with User Databases
Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) authenticates users against one of several possible databases, including its internal database. You can configure Cisco Secure ACS to authenticate users with more than one type of database.
CiscoSecure User Database
The CiscoSecure user database is the database internal to Cisco Secure ACS. The CiscoSecure user database draws information from a number of data sources, including a memory-mapped, hash-indexed file, VarsDB.MDB (in Microsoft Jet database format), and the Windows NT/2000 Registry.
Figure 11-1 Using the CiscoSecure User Database for Authentication
There are five ways to create user accounts in the CiscoSecure user database:
• Using the Cisco Secure ACS HTML interface (see the “Adding a Basic User Account” section on page 7-5).
• Using the Database Replication feature (see the “CiscoSecure Database Replication” section on page 8-6).
• Using the Database Import utility, CSUtil.
About External User Databases
If you implement an external user database, Cisco Secure ACS offers two powerful features that you must configure. The first feature is the Unknown User Policy. This feature automates the creation of user accounts in the CiscoSecure user database for users authenticated by an external user database. The other feature is Cisco Secure ACS user group mappings for users authenticated by external user databases.
Regardless of which database is used to authenticate users, the CiscoSecure user database, internal to Cisco Secure ACS, is used to authorize requested network services. For Cisco Secure ACS to interact with an external user database, Cisco Secure ACS requires an API for the third-party authentication source. Cisco Secure ACS communicates with the external user database using that API.
After you have configured Cisco Secure ACS to communicate with an external user database, you can configure Cisco Secure ACS to authenticate users with the external user database in one of two ways:
• By Specific User Assignment—You can configure Cisco Secure ACS to authenticate specific users with an external user database.
Windows NT/2000 User Database
This section contains the following topics:
• The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases, page 11-7
• Trust Relationships, page 11-8
• Windows Dial-up Networking Clients, page 11-9
• Windows NT/2000 Authentication, page 11-10
• User-Changeable Passwords with Windows NT/2000 User Databases, page 11-12
• Preparing Users for Authenticating with Windows NT/2000, page 11-12
• Configuring a Win
Figure 11-2 Using the Windows NT/2000 User Database for Authentication
To further control access by a user from within the Windows NT User Manager or the Windows 2000 Active Directory Users and Computers, you can configure Cisco Secure ACS to also check the setting for granting dial-in permission to the user.
Windows 2000 server in domain A. Domain A trusts domain B, but no trust relationship is established between domain A and domain C. If domain B trusts domain C, the Cisco Secure ACS server in domain A can authenticate users whose accounts reside in domain C, making use of the indirect trust of domain C. For more information on trust relationships, refer to your Microsoft Windows NT/2000 documentation.
About the Windows 95/98/Millennium Edition Dial-up Networking Client
If you use the Windows 95/98/ME Dial-Up Networking client to dial in to the AAA client, two fields appear:
• username—Type your username. You can also prefix your username with the name of the domain you want to log in to.
matching username and password. This also illustrates the importance of removing usernames from a domain when the privileges associated with the user are no longer required.
Tip For Windows 95/98/ME and Windows NT/2000, entering the domain name can speed up authentication, because Cisco Secure ACS can go directly to the domain rather than searching through the local domain and all trusted domains until it finds the username.
User-Changeable Passwords with Windows NT/2000 User Databases
For network users who are authenticated by a Windows NT/2000 user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings on the Windows NT/2000 User Database Configuration page in the External User Databases section.
Step 3 If you want to control dial-in access from within Windows NT, click Dial-in and select Grant dialin permission to user. In Windows 2000, access the User Properties dialog box, select the Dial-In tab, and in the Remote Access area, click Allow access. You must also configure the option to reference this feature under Database Group Mappings in the External User Databases section of Cisco Secure ACS.
Step 6 To restrict network access to users who have Windows dial-in permission, select the Grant dialin permission to user check box. Windows dial-in permission is enabled in the Dialin section of user properties in Windows NT and on the Dial-in tab of the user properties in Windows 2000.
Generic LDAP
This section contains the following topics:
• Cisco Secure ACS Authentication Process with a Generic LDAP User Database, page 11-15
• Multiple LDAP Instances, page 11-16
• LDAP Organizational Units and Groups, page 11-17
• Directed Authentications, page 11-17
• LDAP Failover, page 11-17
• Configuring a Generic LDAP External User Database, page 11-19
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Cisco Secure ACS for
Figure 11-3 Using an LDAP Server for Authentication
Multiple LDAP Instances
You can create several LDAP configurations in Cisco Secure ACS. For each LDAP configuration, you can add it to or leave it out of the Unknown User Policy. Also, for each LDAP configuration you can establish a unique group mapping. Cisco Secure ACS does not require that each LDAP instance correspond to a unique LDAP database.
LDAP Organizational Units and Groups
LDAP groups do not need to have the same name as their corresponding Cisco Secure ACS groups. The LDAP group can be mapped to a Cisco Secure ACS group with any name you want to assign. For more information about how your LDAP database handles group membership, see your LDAP database documentation. For more information on LDAP group mappings and Cisco Secure ACS, see the “Database Group Mappings” section on page 12-10.
If the On Timeout Use Secondary check box is selected, and if the first LDAP server that Cisco Secure ACS attempts to contact cannot be reached, Cisco Secure ACS always attempts to contact the other LDAP server. The first server Cisco Secure ACS attempts to contact may not always be the primary LDAP server.
If fewer minutes have passed since the primary LDAP server failed than the value specified in the Failback Retry Delay box, Cisco Secure ACS attempts to connect to the secondary LDAP server first. If Cisco Secure ACS cannot connect to the secondary LDAP server, it then attempts to connect to the primary LDAP server. If Cisco Secure ACS cannot connect to either LDAP server, Cisco Secure ACS stops attempting LDAP authentication for the user.
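The failover rules just described (On Timeout Use Secondary, Failback Retry Delay, and the stop after both servers fail), written out as an added example that is not Cisco's code. The server names, the simulated minute clock and the two callback functions are constructed for the demonstration.

```python
from typing import Callable, List, Optional


class LdapFailover:
    """Chooses which LDAP server to contact first, following the On Timeout Use
    Secondary and Failback Retry Delay rules described above."""

    def __init__(self, primary: str, secondary: Optional[str],
                 use_secondary_on_timeout: bool, failback_retry_delay_min: int) -> None:
        self.primary = primary
        self.secondary = secondary
        self.use_secondary = use_secondary_on_timeout and secondary is not None
        self.delay = failback_retry_delay_min
        self.primary_failed_at: Optional[float] = None   # minutes on a simulated clock

    def contact_order(self, now_min: float) -> List[str]:
        if not self.use_secondary:
            return [self.primary]                        # never fail over
        if self.primary_failed_at is not None and now_min - self.primary_failed_at < self.delay:
            return [self.secondary, self.primary]        # still inside the retry delay
        # A delay of 0 can never satisfy the test above, so the primary is always first.
        return [self.primary, self.secondary]

    def authenticate(self, now_min: float, reachable: Callable[[str], bool],
                     credentials_ok: Callable[[str], bool]) -> Optional[bool]:
        """True/False is the LDAP decision; None means neither server could be
        reached, and ACS stops attempting LDAP authentication for this user."""
        for server in self.contact_order(now_min):
            if reachable(server):
                return credentials_ok(server)
            if server == self.primary:
                self.primary_failed_at = now_min         # remember when the primary failed
        return None
```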
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for generic LDAP in the box provided.
c. Click Submit.
Result: Cisco Secure ACS lists the new configuration in the External User Database Configuration table.
Step 5 Under External User Database Configuration, select the name of the LDAP database you need to configure.
Step 9 To enable Cisco Secure ACS to direct LDAP authentications by filtering on the end of a username, follow these steps:
a. From the Filter Domains list, select Suffix.
b. In the Domain Markup box, type the string of characters that a username must end with in order for Cisco Secure ACS to use this LDAP configuration for authentication.
Note Your groups could be located under an organizational unit rather than an organization. If this is the case, in the Group Directory Subtree box, type ou=subtree.
Step 12 In the User Object Type box, type the name of the attribute in the user record that contains the user name. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation.
Note To specify that Cisco Secure ACS should always use the primary LDAP server first, type 0 (zero) in the Failback Retry Delay box.
Step 20 For the Primary LDAP Server and Secondary LDAP Server tables, follow these steps:
Note If you did not select the On Timeout Use Secondary check box, you do not need to complete the options in the Secondary LDAP Server table.
a.
In the Admin DN box, type the following information from your LDAP server:
uid=user id,[ou=organizational unit,][ou=next organizational unit,]o=organization
where user id is the username, organizational unit is the last level of the tree, and next organizational unit is the next level up the tree. For example:
uid=joesmith,ou=members,ou=administrators,o=cisco
Tip If you are using Netscape DS, you can copy this information from the Netscape Console.
Novell NDS Database
Some versions of Novell NDS provide standard LDAP implementations. If your Novell NDS supports standard LDAP and you have implemented standard LDAP, you should configure a Cisco Secure ACS generic LDAP external user database to authenticate users defined in your Novell NDS. For more information about generic LDAP external user databases, see the “Generic LDAP” section on page 11-14.
Consider the following example tree:
[Root] whose treename=ABC
  OU=ABC-Company
    OU=sales
      CN=Agamemnon
    OU=marketing
      CN=Odysseus
      OU=marketing-research
        CN=Penelope
      OU=marketing-product
        CN=Telemachus
If the context list configured in Cisco Secure ACS were:
ABC-Company,sales.ABC-Company
then Agamemnon would successfully authenticate if he submitted “Agamemnon.sales” as his username. If he submitted only “Agamemnon”, authentication would fail.
Novell NDS External User Database Options
You create and maintain configurations for Novell NDS database authentication on the NDS Authentication Support page in Cisco Secure ACS. This page enables you to add a configuration for a Novell NDS tree, change existing tree configurations, and delete existing tree configurations in a single submission to the Cisco Secure ACS web server.
Configuring a Novell NDS External User Database
You can allow users to enter their own context as part of the login process. Creating a Novell NDS database configuration is a process that provides Cisco Secure ACS with the information that enables it to pass authentication requests to an NDS database. This information reflects the way you have implemented your NDS database and does not dictate how your NDS database is configured or functions.
Step 6 Click Configure.
Caution If you click Delete, the Cisco Secure ACS configuration for your Novell NDS database is deleted.
Result: The NDS Authentication Support page appears. The NDS Authentication Support page enables you to add a configuration for a Novell NDS tree, change existing tree configurations, and delete existing tree configurations.
ODBC Database
Cisco Secure ACS supports PAP, CHAP, MS-CHAP, and ARAP authentication using a relational database via the ODBC authenticator feature. As with Windows NT/2000 database support, Cisco Secure ACS’s ODBC-compliant relational database support enables you to make use of existing user records held in an external ODBC-compliant relational database.
• Configuring a System Data Source Name for an ODBC External User Database, page 11-40
• Configuring an ODBC External User Database, page 11-41
Cisco Secure ACS Authentication Process with an ODBC External User Database
Cisco Secure ACS forwards user authentication requests to an ODBC database in one of two scenarios.
Figure 11-4 Using the ODBC Database for Authentication (figure labels: for PAP authentication the name and PAP password pass through the CiscoSecure ACS “Unknown user” interface to the RDBMS over ODBC; for CHAP/ARAP, the extraction returns the CHAP/ARAP password, authentication result, and accounting info)
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned.
To prepare for authenticating with an ODBC-compliant relational database, follow these steps:
Step 1 Install the database software on its server. For more information, refer to the relational database documentation.
Step 2 Create the database to hold the usernames and passwords. The database name is irrelevant to Cisco Secure ACS, so you can name the database however you like.
Authentication for CHAP/MS-CHAP/ARAP occurs within Cisco Secure ACS. The stored procedure returns the fields for the record with a matching username, including the password. Cisco Secure ACS confirms or denies authentication based on the values returned from the procedure. To support the two procedure types, Cisco Secure ACS provides different input to, and expects different output from, the ODBC authentication request.
will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if the CHAP stored procedure is configured. For example, with Telnet or PAP authentication, the passwords cisco, CISCO, and CiScO will all work if the SQL Server is configured to be case insensitive.
Sample Routine for Generating an SQL CHAP Authentication Procedure
The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure used by Cisco Secure ACS for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database’s schema are presented in variable text.
Table 11-2 PAP Stored Procedure Input
Field          Type     Explanation
CSNTusername   String   0-64 characters
CSNTpassword   String   0-255 characters
The input names are for guidance only. Procedure variables created from them can have different names; however, they must be defined in the procedure in the order shown—the username must precede the password variable.
The CSNTgroup and CSNTacctInfo fields are processed only after a successful authentication. The CSNTerrorString field is logged only after a failure (if the result is greater than or equal to 4). The procedure must return the result fields in the order listed above.
CHAP/MS-CHAP/ARAP Authentication Procedure Input
Cisco Secure ACS provides a single value for input to the stored procedure supporting CHAP/MS-CHAP/ARAP authentication.
Table 11-5 CHAP/MS-CHAP/ARAP Stored Procedure Results
Field        Type      Explanation
CSNTresult   Integer   See Table 11-6 on page 11-39, Result Codes.
CSNTgroup    Integer   The Cisco Secure ACS group number for authorization. 0xFFFFFFFF is used to assign the default value. Values other than 0-499 are converted to the default.
Note The group specified in the CSNTgroup field overrides group mapping configured for the ODBC external user database.
Table 11-6 Result Codes (continued)
Result Code   Meaning
3             Unknown username or invalid password
4+            Internal error—authentication not processed
The SQL procedure can decide among 1, 2, or 3 to indicate a failure, depending on how much information you want the failed authentication log files to include. A return code of 4 or higher results in an authentication error event. These errors do not increment per-user failed attempt counters.
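An added example, not Cisco's or the product's code, that ties the tables above together: it interprets the result row (CSNTresult, CSNTgroup, CSNTacctInfo, CSNTerrorString) the way the page describes, and performs the CHAP check that ACS does itself from the clear-text password the CSNTExtractUserClearTextPw-style procedure returns, which is why CHAP passwords stay case sensitive while PAP follows the database collation. It assumes result code 0 means success (the success row of Table 11-6 is not in this excerpt), uses standard RFC 1994 CHAP, and replaces the database with a constructed user table.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_GROUP = 0xFFFFFFFF   # CSNTgroup value meaning "use the default group"
RESULT_OK = 0                # assumed: the success row of Table 11-6 is not in this excerpt
RESULT_ERROR = 4             # 4 and higher: internal error, authentication not processed


@dataclass
class ProcedureResult:
    """Result row in the order the page requires: result, group, acctInfo, errorString."""
    result: int
    group: int = DEFAULT_GROUP
    acct_info: str = ""
    error_string: str = ""


@dataclass
class Decision:
    authenticated: bool
    group: Optional[int]          # effective ACS group; None means default / group mapping
    acct_info: str
    counts_as_failed_attempt: bool
    error_logged: str


def effective_group(raw: int) -> Optional[int]:
    """Values outside 0-499 (0xFFFFFFFF included) are converted to the default."""
    return raw if 0 <= raw <= 499 else None


def interpret(res: ProcedureResult) -> Decision:
    if res.result == RESULT_OK:
        # CSNTgroup and CSNTacctInfo are only processed after a successful authentication.
        return Decision(True, effective_group(res.group), res.acct_info, False, "")
    if res.result >= RESULT_ERROR:
        # Error event: CSNTerrorString is logged, per-user failed-attempt counters untouched.
        return Decision(False, None, "", False, res.error_string)
    return Decision(False, None, "", True, "")   # 1, 2 or 3: a genuine failed attempt


# Constructed stand-in for the relational database: username -> (password, group)
USERS: Dict[str, Tuple[str, int]] = {"joesmith": ("S3cret", 7), "guest": ("guest", 900)}


def pap_procedure(username: str, password: str, case_insensitive: bool) -> ProcedureResult:
    """Stand-in for the PAP stored procedure: the comparison runs inside the
    database, so its collation decides whether the password is case sensitive."""
    rec = USERS.get(username)
    if rec is None:
        return ProcedureResult(3)                  # unknown username or invalid password
    stored, group = rec
    match = stored.lower() == password.lower() if case_insensitive else stored == password
    return ProcedureResult(RESULT_OK, group) if match else ProcedureResult(3)


def chap_extract_procedure(username: str) -> Optional[Tuple[str, int]]:
    """Stand-in for CSNTExtractUserClearTextPw: returns the record's clear-text
    password and group; Cisco Secure ACS performs the CHAP check itself."""
    return USERS.get(username)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Standard CHAP (RFC 1994) MD5 response over id || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_authenticate(username: str, ident: int, challenge: bytes, response: bytes) -> Decision:
    rec = chap_extract_procedure(username)
    if rec is None:
        return interpret(ProcedureResult(3))
    secret, group = rec
    expected = chap_response(ident, secret, challenge)
    ok = hmac.compare_digest(expected, response)   # digest compare: inherently case sensitive
    return interpret(ProcedureResult(RESULT_OK if ok else 3, group))
```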
Step 5 Type a descriptive name for the DSN in the Data Source Name box.
Step 6 Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs.
Step 7 Click OK.
Result: The name you assigned to the DSN appears in the System Data Sources list.
Step 8 Close the ODBC window and Windows Control Panel.
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for ODBC authentication in the box provided, or accept the default name in the box.
c. Click Submit.
Result: Cisco Secure ACS lists the new configuration in the External User Database Configuration table.
Step 5 Click Configure.
Step 11 Step 12
Note Increase the ODBC worker thread count only if the ODBC driver you are using is certified thread safe. For example, the Microsoft Access ODBC driver is not thread safe and can cause Cisco Secure ACS to become unstable if multiple threads are used. Where possible, Cisco Secure ACS queries the driver to find out if it is thread safe.
procedure. For more information and an example routine, see the “Sample Routine for Generating an SQL CHAP Authentication Procedure” section on page 11-36.
Note If you enabled CHAP/MS-CHAP/ARAP authentication, the CHAP authentication SQL procedure must exist on the ODBC database and must have the exact name specified in the PAP SQL Procedure box.
Step 14
LEAP Proxy RADIUS Server Database
Note The third-party RADIUS server must return Microsoft Point-to-Point Encryption (MPPE) keys in the Microsoft RADIUS vendor-specific attribute (VSA) MSCHAP-MPPE-Keys (VSA 12). If the third-party RADIUS server does not return the MPPE keys, the authentication fails and is logged in the Failed Attempts log. Cisco Secure ACS supports RADIUS-based group mapping for users authenticated by LEAP Proxy RADIUS Server databases.
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for the LEAP Proxy RADIUS Server in the box provided, or accept the default name in the box.
c. Click Submit.
Result: Cisco Secure ACS lists the new configuration in the External User Database Configuration table.
• Retries—The number of authentication attempts Cisco Secure ACS makes before failing over to the secondary proxy RADIUS server.
• Failback Retry Delay (minutes)—The number of minutes after which Cisco Secure ACS attempts authentications using a failed primary proxy RADIUS server.
Note If both the primary and the secondary servers fail, Cisco Secure ACS alternates between both servers until one responds.
Step 8 Click Submit.
Token Server User Databases
About Token Servers and Cisco Secure ACS
Cisco Secure ACS provides PAP authentication using token servers. Requests from the access device are first sent to Cisco Secure ACS. If Cisco Secure ACS has been configured to authenticate against a token server and finds the username, it forwards the authentication request to the token server.
RADIUS-Enabled Token Servers
This section describes Cisco Secure ACS support for token servers that provide a standard RADIUS interface.
About RADIUS-Enabled Token Servers
Cisco Secure ACS can support token servers using the RADIUS server built into the token server. Rather than using the vendor’s proprietary API, Cisco Secure ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server.
Token Server RADIUS Authentication Request and Response Contents
When Cisco Secure ACS forwards an authentication request to a RADIUS-enabled token server, the RADIUS authentication request contains the following attributes:
• User-Name (RADIUS attribute 1)
• User-Password (RADIUS attribute 2)
• NAS-IP-Address (RADIUS attribute 4)
• NAS-Port (RADIUS attribute 5)
• NAS-Identifier (RADIUS attribute 32)
Cisco Secure ACS expects to
To configure Cisco Secure ACS to authenticate users with an ActivCard token server, CRYPTOCard token server, Vasco token server, or generic RADIUS Token Server, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 2 Click Database Configuration.
Result: Cisco Secure ACS displays a list of all possible external user database types.
Step 6 Click Configure.
Step 7 In the following boxes, type the required information:
• Primary Server Name/IP—The hostname or IP address of the primary RADIUS token server. If you provide the hostname, the hostname must be resolvable by DNS.
• Secondary Server Name/IP—The hostname or IP address of the secondary RADIUS token server. If you provide the hostname, the hostname must be resolvable by DNS.
Step 8 Click Submit.
Result: Cisco Secure ACS saves the RADIUS token server database configuration you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see the “Unknown User Processing” section on page 12-1.
Before You Begin
You should install and configure your SafeWord token server before configuring Cisco Secure ACS to authenticate users with it. For information about installing the SafeWord server, refer to the documentation included with your token server. To configure Cisco Secure ACS to authenticate users with a SafeWord token server, follow these steps:
Step 1 In the navigation bar, click External User Databases.
Step 7 Click Submit.
Result: Cisco Secure ACS saves the SafeWord token server database configuration you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see the “Unknown User Processing” section on page 12-1.
Step 4 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b. Type a name for the new configuration for the AXENT token server in the box provided, or accept the default name in the box.
c. Click Submit.
Result: Cisco Secure ACS lists the new configuration in the External User Database Configuration table.
Step 5 Click Configure.
Before You Begin
You should install and configure your RSA SecurID token server before configuring Cisco Secure ACS to authenticate users with it. For information about installing the RSA SecurID server, refer to the documentation included with your token server. To configure Cisco Secure ACS to authenticate users with an RSA token server, follow these steps:
Step 1 Install the RSA client on the Cisco Secure ACS server:
a.
Step 4 Click RSA SecurID Token Server.
Result: If no RSA SecurID token server configuration exists, the Database Configuration Creation table appears. Otherwise, the External User Database Configuration page appears.
Step 5 If you are creating a configuration, follow these steps:
a. Click Create New Configuration.
b.
Deleting an External User Database Configuration
Step 3 Click the external user database type for which you want to delete a configuration.
Result: The External User Database Configuration table appears.
Step 4 If a list appears in the External User Database Configuration table, select the configuration you want to delete. Otherwise, proceed to the next step.
Step 5 Click Delete.
Result: A confirmation dialog box appears.
C H A P T E R 12 Administering External User Databases After you have configured Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) to communicate with an external user database, you can decide how to implement other Cisco Secure ACS features related to external user databases.
Unknown User Processing

The Unknown User feature enables Cisco Secure ACS to use a variety of external databases in addition to its own internal database to authenticate incoming user requests. With this feature, Cisco Secure ACS provides the foundation for a basic single sign-on capability by integrating network and host-level access control.

General Authentication Request Handling and Rejection Mode

If you have configured the Unknown User Policy in Cisco Secure ACS, Cisco Secure ACS attempts to authenticate users as follows:
1. Cisco Secure ACS checks its internal user database.

Note The scenario given above is handled differently if user accounts with identical usernames exist in separate Windows domains. For more information, see the “Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database” section on page 12-4.

NT/2000 database, Cisco Secure ACS caches the username in the CiscoSecure user database in the form domain\user. The combination of username and domain makes this cached user unique in the Cisco Secure ACS database.

Note Cisco Secure ACS does not support the user@domain form of qualified usernames.

Note We recommend removing a username from a database when the privileges associated with that username are no longer required.

Note If your network has multiple occurrences of a username across domains (for example, every domain has a user called Administrator) or if users dialing in do not provide their domains as part of their authentication credentials, be sure to configure the Domain List for the Windows NT/2000 database in the External User Databases section.

The default AAA client timeout value is 5 seconds. If you have Cisco Secure ACS configured to search through several databases or if your databases are large, you might need to increase this value in your AAA client configuration file. For more information, refer to your Cisco IOS documentation.

using the selected databases serially and in the order specified, top to bottom. For more information about the significance of the order of selected databases, see the “Database Search Order” section on page 12-8.
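The lookup sequence described above, as an added example that is not part of the original guide and not Cisco Secure ACS code: a small Python model of the Unknown User Policy. It checks the internal database first, then walks the selected external databases top to bottom, caches a Windows NT/2000 user as domain\user, and counts how many databases were consulted (each one adds latency against the 5-second AAA client timeout). The class and function names, the sample accounts, and the rule that a cached external user is later re-checked against the database that first accepted them are assumptions made for this example.

```python
"""Model of Unknown User Policy processing (added illustration, not Cisco Secure ACS code).

Assumptions not taken from the guide: the class and function names, the constructed
sample accounts, and that a user cached from an external database is later
re-checked against that same database."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ExternalDatabase:
    """One configured external user database (constructed stand-in)."""
    name: str
    accounts: dict                   # username -> password, constructed sample data
    domain: Optional[str] = None     # set only for a Windows NT/2000 database

    def authenticate(self, username: str, password: str) -> bool:
        return self.accounts.get(username) == password


@dataclass
class UnknownUserPolicy:
    fail_the_attempt: bool = False                          # the "Fail the attempt" option
    selected_databases: list = field(default_factory=list)  # searched top to bottom


@dataclass
class AuthResult:
    accepted: bool
    cached_as: Optional[str]   # name the user now has in the CiscoSecure user database
    database: Optional[str]    # database that accepted the credentials
    lookups: int               # databases consulted; each one costs time against the AAA client timeout


class AcsServer:
    def __init__(self, policy: UnknownUserPolicy):
        self.policy = policy
        # CiscoSecure user database: name -> {"password": ...} or {"external": database name}
        self.internal = {}

    def add_internal_user(self, username: str, password: str) -> None:
        self.internal[username] = {"password": password}

    def _external(self, name: str) -> Optional[ExternalDatabase]:
        return next((db for db in self.policy.selected_databases if db.name == name), None)

    def authenticate(self, username: str, password: str) -> AuthResult:
        # 1. The internal user database is always checked first.
        record = self.internal.get(username)
        if record is not None:
            if "password" in record:
                ok = record["password"] == password
                return AuthResult(ok, username, "CiscoSecure" if ok else None, 1)
            db = self._external(record["external"])
            if db is None:                      # the database was removed from the policy
                return AuthResult(False, username, None, 1)
            bare = username.split("\\", 1)[-1]  # drop the domain\ prefix for the external lookup
            ok = db.authenticate(bare, password)
            return AuthResult(ok, username, db.name if ok else None, 2)

        # 2. Unknown user: either fail the attempt or walk the selected databases in order.
        if self.policy.fail_the_attempt:
            return AuthResult(False, None, None, 1)
        lookups = 1
        for db in self.policy.selected_databases:
            lookups += 1
            if db.authenticate(username, password):
                # A Windows NT/2000 user is cached as domain\user so that identical usernames
                # in different domains stay distinct in the CiscoSecure user database.
                cached = f"{db.domain}\\{username}" if db.domain else username
                self.internal[cached] = {"external": db.name}
                return AuthResult(True, cached, db.name, lookups)
        return AuthResult(False, None, None, lookups)


def build_sample_server(fail_the_attempt: bool = False) -> AcsServer:
    """Constructed sample deployment: a Windows domain listed first, a generic LDAP directory second."""
    windows = ExternalDatabase("Windows NT/2000", {"alice": "w-pass"}, domain="CORP")
    ldap = ExternalDatabase("Generic LDAP", {"bob": "l-pass", "alice": "other"})
    acs = AcsServer(UnknownUserPolicy(fail_the_attempt, [windows, ldap]))
    acs.add_internal_user("carol", "c-pass")
    return acs
```

The sample deliberately puts an "alice" in both databases with different passwords: whichever database is listed first decides which credential is accepted, which is why the Database Search Order matters and why a rejected username should be removed from a database once its privileges are no longer needed.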
Step 3 To deny authentication requests for any unknown user, select the Fail the attempt option.
Step 4 To allow authentication requests for unknown users, follow these steps:
a. Select the Check the following external user databases option.
b.
Step 5
Step 3 Select the Fail the attempt option.
Step 4 Click Submit.
Result: Unknown user processing is halted. Cisco Secure ACS does not allow unknown users to authenticate with external user databases.

Database Group Mappings

The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a Cisco Secure ACS group for the purposes of assigning authorization profiles.

assign a group setup that is appropriate for users who are working away from home, such as MaxSessions=1. Or you could configure restricted hours for other groups, but give unrestricted access to Telecommuters group members.

Additionally, users authenticated by an ODBC external user database can also be assigned to a specified Cisco Secure ACS group. Group specification by ODBC database authentication overrides group mapping. For more information about specifying group membership for users authenticated with an ODBC database, see the “ODBC Database” section on page 11-30.

Group Mapping by Group Set Membership

You can create group mappings for some external user databases based on the combination of external user database groups to which users belong. The following are the external user database types for which you can create group mappings based on group set membership:
• Windows NT/2000
• Novell NDS
• Generic LDAP

Note Windows NT/2000 databases are defined by domain name.

starts at the top of the list of group mappings for that database. Cisco Secure ACS checks the user’s group memberships in the external user database against each group mapping in the list sequentially. Upon finding the first group set mapping that matches the user’s external user database group memberships, Cisco Secure ACS assigns the user to that group mapping’s Cisco Secure ACS group and terminates the mapping process.

For more information about editing an existing group mapping, see the “Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping” section on page 12-17.

Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups

To map a Windows NT/2000, Novell NDS, or generic LDAP group to a Cisco Secure ACS group, follow these steps:
Step 1 In the navigation bar, click External User Databases.

Step 5 If you are mapping a Windows NT/2000 group set, click the domain name for which you want to configure a group set mapping.
Result: The Group Mappings for Domain: domainname table appears.
Step 6 If you are mapping a Novell NDS group set, click the name of the Novell NDS tree for which you want to configure group set mappings.
Result: The Group Mappings for NDS Users table appears.
Step 7 Click Add Mapping.

Step 10 Click Submit.
Result: The group set you mapped to the Cisco Secure ACS list appears at the bottom of the database groups column.

Note The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set.

Step 5 If you are editing a Novell NDS group set mapping, click the name of the Novell NDS tree for which you want to edit a group set mapping.
Result: The Group Mappings for NDS Users table appears.
Step 6 Click the group set mapping to be edited.
Result: The Edit mapping for database page opens. The external user database group or groups included in the group set mapping appear above the CiscoSecure group list.

Step 4 If you are deleting a Windows NT/2000 group set mapping, click the domain name whose group set mapping you want to delete.
Result: The Group Mappings for Domain: domainname table appears.
Step 5 If you are deleting a Novell NDS group set mapping, click the name of the Novell NDS tree whose group set mapping you want to delete.
Result: The Group Mappings for NDS Users table appears.

Changing Group Set Mapping Order

You can change the order in which Cisco Secure ACS checks group set mappings for users authenticated by Windows NT/2000, Novell NDS, and generic LDAP databases. To order group mappings, you must have already mapped them. For more information about creating group mappings, see the “Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups” section on page 12-15.

Step 8 Repeat Step 7 until the group mappings are in the order you need.
Step 9 Click Submit.
Result: The Group Mappings for database page displays the group set mappings in the order you defined.
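The matching rule described under Group Mapping by Group Set Membership, together with the asterisk note and the mapping-order procedure, as an added example that is not part of the original guide and not Cisco Secure ACS code. The model evaluates an ordered mapping list for one database (one Windows domain or one NDS tree) top to bottom and stops at the first set that is contained in the user's external groups. The class and method names and the sample mappings are constructed for this example; what Cisco Secure ACS does when no mapping matches is not stated on this page, so the model simply returns None.

```python
"""Group set mapping evaluation (added illustration, not Cisco Secure ACS code).

Assumptions not taken from the guide: the class and method names and the
constructed sample mappings."""
from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass
class GroupSetMapping:
    external_groups: frozenset   # the set shown in the database groups column (with its asterisk)
    acs_group: int               # the Cisco Secure ACS group the set maps to


@dataclass
class DatabaseGroupMappings:
    """Ordered mapping list for one database: one Windows domain or one NDS tree."""
    database: str
    mappings: list = field(default_factory=list)

    def add_mapping(self, groups: Iterable[str], acs_group: int) -> None:
        # A new mapping appears at the bottom of the list, as in the HTML interface.
        self.mappings.append(GroupSetMapping(frozenset(groups), acs_group))

    def resolve(self, user_groups: Iterable[str]) -> Optional[int]:
        """First mapping, top to bottom, whose group set is contained in the user's groups wins."""
        groups = set(user_groups)
        for mapping in self.mappings:
            # Asterisk semantics: the user may belong to other groups besides those in the set.
            if mapping.external_groups <= groups:
                return mapping.acs_group
        return None   # no mapping matched; the guide does not state the outcome on this page

    def move_up(self, index: int) -> None:
        """Change Group Set Mapping Order: move one mapping one position higher in the list."""
        if not 0 < index < len(self.mappings):
            raise IndexError("no mapping above this position")
        self.mappings[index - 1], self.mappings[index] = (
            self.mappings[index], self.mappings[index - 1])


def sample_domain_mappings() -> DatabaseGroupMappings:
    """Constructed example for one Windows domain: a broad set listed above a more specific one."""
    domain = DatabaseGroupMappings("Domain: CORP")
    domain.add_mapping({"Domain Users"}, 10)                    # everyone in the domain
    domain.add_mapping({"Domain Users", "Telecommuters"}, 20)   # stricter profile, e.g. MaxSessions=1
    return domain
```

With the list in the order it was created, a telecommuter matches the broad {Domain Users} set first and receives group 10, so the stricter Telecommuters profile is never applied; moving the more specific mapping above the broad one is what the order procedure above is for. The general rule is that sets with more groups belong higher in the list than their subsets.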
To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair, with the following value:

ACS:CiscoSecure-Group-Id = N

where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user.
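How that attribute is carried on the wire, as an added example that is not part of the original guide and not Cisco Secure ACS code. The cisco-av-pair attribute is vendor-type 1 inside the IETF Vendor-Specific attribute (attribute 26) with Cisco's vendor ID 9, as the Vendor-Specific entry in Appendix D also states; the Python below encodes one such attribute, decodes an attribute list while checking every length field, and extracts N from ACS:CiscoSecure-Group-Id = N while enforcing the 0 through 499 range. The function names and the sample Reply-Message attribute are constructed for this example.

```python
"""Cisco cisco-av-pair VSA carrying ACS:CiscoSecure-Group-Id (added illustration, not ACS code).

Encoding follows the RADIUS Vendor-Specific attribute layout: attribute 26, a 4-byte
vendor ID, then vendor-type, vendor-length and the value. Function names and the
sample attribute bytes are constructed for the example."""
import re
import struct
from typing import Optional

RADIUS_VENDOR_SPECIFIC = 26   # IETF attribute 26, Vendor-Specific
CISCO_VENDOR_ID = 9           # Cisco vendor ID
CISCO_AVPAIR_TYPE = 1         # vendor-type 1, cisco-av-pair
GROUP_ID_RE = re.compile(r"^ACS:CiscoSecure-Group-Id\s*=\s*(\d+)$")


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-av-pair string in a complete RADIUS attribute 26."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attributes: bytes) -> list:
    """Walk a RADIUS attribute list and collect cisco-av-pair values from Cisco VSAs.

    Every length field is checked, so a truncated or malformed attribute list is
    rejected instead of being read past its end."""
    found = []
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 6:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                sub = attributes[pos + 6:pos + alen]
                spos = 0
                while spos < len(sub):
                    if spos + 2 > len(sub):
                        raise ValueError("truncated vendor sub-attribute")
                    stype, slen = sub[spos], sub[spos + 1]
                    if slen < 2 or spos + slen > len(sub):
                        raise ValueError("bad vendor sub-attribute length")
                    if stype == CISCO_AVPAIR_TYPE:
                        found.append(sub[spos + 2:spos + slen].decode("ascii", "replace"))
                    spos += slen
        pos += alen
    return found


def group_id_from_avpairs(avpairs) -> Optional[int]:
    """Return N from ACS:CiscoSecure-Group-Id = N, enforcing the documented 0 through 499 range."""
    for av in avpairs:
        match = GROUP_ID_RE.match(av.strip())
        if match:
            n = int(match.group(1))
            if not 0 <= n <= 499:
                raise ValueError(f"group id {n} outside 0..499")
            return n
    return None


def sample_access_accept_attributes() -> bytes:
    """Constructed attribute list: a Reply-Message (attribute 18) followed by the Cisco VSA."""
    reply = b"welcome"
    reply_attr = struct.pack("!BB", 18, 2 + len(reply)) + reply
    return reply_attr + encode_cisco_avpair("ACS:CiscoSecure-Group-Id = 7")
```

Because the group number selects the authorization profile, the range check matters: a value outside 0 through 499 is rejected rather than silently mapped, and an attribute list whose lengths do not add up is rejected as a whole.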
Appendix A Troubleshooting Information for Cisco Secure ACS

This appendix provides information about some basic problems and describes how to resolve them. Scan the column on the left to identify the condition that you are trying to resolve, and then carefully go through each corresponding recovery action offered in the column on the right.
Administration Issues

Condition: Remote administrator cannot bring up the Cisco Secure ACS HTML interface in a browser or receives a warning that access is not permitted.
Recovery Action: Ping the machine running Cisco Secure ACS to confirm connectivity. Verify that the remote administrator is using a valid administrator name and password that has already been added in Administration Control.

Browser Issues

Condition: The browser cannot bring up the Cisco Secure ACS HTML interface.
Recovery Action: Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser. See System Requirements, page 2-2, for a list of browsers supported by Cisco Secure ACS, and the Release Notes for known issues with a particular browser version.

Cisco IOS Issues

Condition: Under EXEC Commands, Cisco IOS commands are not being denied when checked.
Recovery Action: Examine the Cisco IOS configuration at the AAA client. If not already present, add the following Cisco IOS command to the AAA client configuration:
aaa authorization command <0-15> default group TACACS+
The correct syntax for the arguments in the text box is permit argument or deny argument.

Database Issues

Condition: RDBMS Synchronization is not operating properly.
Recovery Action: Make sure the correct server is listed in the Partners list.

Condition: Database Replication is not operating properly.
Recovery Action: Make sure you have set the server correctly as either Send or Receive. On the sending server, make sure the receiving server is in the Replication list.

Dial-in Connection Issues

Condition: A dial-in user is unable to make a connection to the AAA client.
Recovery Action: Examine the Cisco Secure ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error.

Condition: A dial-in user is unable to make a connection to the AAA client.
The user information is not properly configured for authentication in Windows NT/2000 or Cisco Secure ACS.
The Windows NT/2000 user database is being used for authentication.
The Windows NT/2000 user database resides on the same machine as Cisco Secure ACS.
Recovery Action (continued): Click External User Databases, click List All Databases Configured, and then make sure that the database configuration for Windows NT/2000 is listed. Check the Unknown User Policy to make sure that Fail the Attempt is not selected. Select the Selected Databases check box in the Unknown User Policy page in the External User Databases section.

Condition: A dial-in user is unable to make a connection to the AAA client; however, a Telnet connection can be authenticated across the LAN.
Recovery Action: This isolates the problem to one of three areas:
• Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

Condition: A dial-in user is unable to make a connection to the AAA client, and a Telnet connection cannot be authenticated across the LAN.
Recovery Action: Determine whether Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports.

Debug Issues

Condition: When running debug aaa authentication on the AAA client, a failure message is returned from Cisco Secure ACS.
Recovery Action: The configurations of the AAA client or Cisco Secure ACS are likely to be at fault. From within Cisco Secure ACS, confirm the following:
• Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports.

Proxy Issues

Condition: Proxy fails.
Recovery Action: Make sure that the direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing. Make sure the shared secret (key) matches the shared secret of one or both Cisco Secure ACS servers.

Installation and Upgrade Issues

Condition: The following error message displays when you try to upgrade or uninstall Cisco Secure ACS:
The following file is invalid or the data is corrupted "DelsL1.
Recovery Action: From the Windows NT/2000 Registry, delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi

Report Issues

Condition: The active.csv report is blank.
Recovery Action: You changed protocol configurations recently. Whenever protocol configurations change, the existing active.csv report file is renamed to yyyy-mm-dd.csv, and a new, blank active.csv report is generated.

Condition: A report is blank.
Recovery Action: Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname.

Third-Party Server Issues

Condition: You cannot properly implement the RSA token server.
Recovery Action:
1. Log in to the Windows NT/2000 Server on which Cisco Secure ACS is installed. (Make sure your login account has administrative privileges.)
2. Make sure the RSA Client software is installed on the same Windows NT/2000 server as Cisco Secure ACS.
3. Follow the setup instructions.

PIX Firewall Issues

Condition: Remote administrator cannot bring up Cisco Secure ACS from his or her browser or receives a warning that access is not permitted.
Recovery Action: If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work. To administer Cisco Secure ACS through a firewall, you must configure an HTTP port range in System Configuration: Access Policy.

User Authentication Issues

Condition: Unknown users are not authenticated.
Recovery Action: Go to External User Databases: Unknown User Policy. Click Check the following external user databases. From the External Databases list, select the database(s) against which to authenticate unknown users. Click —> (right arrow button) to add the database to the Selected Databases list.

TACACS+ and RADIUS Attribute Issues

Condition: TACACS+ and RADIUS attributes do not appear on the Group Setup page.
Recovery Action: Ensure that you have at least one RADIUS or TACACS+ AAA client configured in the Network Configuration section and that, in the Interface Configuration section, you have enabled the attributes you need to configure.
Appendix B System Messages

This appendix contains a partial list of system messages for Cisco Secure ACS, an explanation of their meanings, and recommended action to resolve any problems.

Windows NT/2000 Event Log Service Startup Errors

Error Message: Could not initialize Crypto module
Explanation: The Microsoft Crypto API failed to initialize.
Recommended Action: Make sure you are running the U.S. version of Windows NT/2000. Make sure the Crypto API files are not missing or corrupted.

Error Message: One or more registry entries were missing/corrupt
Explanation: The CSAuth Registry either is corrupt or has missing values.
Recommended Action: Reinstall Cisco Secure ACS.

System Monitored Events

Error Message: Auth server down: Could not change Password
Explanation: CSMon could not change the password of the test account.
Recommended Action: No action required.

Error Message: name: Logged Off
Explanation: CSMon logged off via a CiscoSecure service.
Recommended Action: No action required.

Error Message: name: Logged On
Explanation: CSMon obtained a login via a CiscoSecure service.
Recommended Action: No action required.

Error Message: Problem Logging on to name. Got as far as phase
Explanation: CSMon could not log on to the named account via a CiscoSecure service. phase is one of the following:
– Launching Request to Protocol Module
– Starting Processing in Protocol Module
– Finishing Processing Protocol Module
– Starting Processing in Auth Module
– Finishing Processing in Auth Module
– Logging
Recommended Action: No action required.

Error Message: Service name could not be restarted
Explanation: CSMon has failed to restart the named CiscoSecure service.

Error Message: Service name in transition/unknown state... will try again
Explanation: Windows NT/2000 Service Manager does not know what state a service is in.
Recommended Action: No action required.

Error Message: Service name not running: will attempt to restart
Explanation: CSMon has detected that the named CiscoSecure service is not running.

Replication Messages

Error Message: Database synchronization with host name failed - refer to CSAuth log file
Explanation: Part of the configuration set could not be sent to the named Cisco Secure ACS.
Recommended Action: Check the CSAuth log file to view the cause of the failure. The CSAuth log file is located in Program Files\Cisco Secure ACS v2.6\CSAuth\logs.

Error Message: Host ‘name’ not configured to receive any matching information
Explanation: The remote Cisco Secure ACS is not configured to accept the information offered.
Recommended Action: Verify that the remote ACS has at least some replication components checked.

Error Message: Inbound database replication from host ‘name’ denied
Explanation: The remote Cisco Secure ACS is not authorized to replicate to this Cisco Secure ACS.

Error Message: Outbound database replication failed - refer to CSAuth log file
Explanation: Replication failed or was only partially successful.
Recommended Action: Check the CSAuth log file to view the cause of the failure. The CSAuth log file is located in Program Files\Cisco Secure ACS vx.x\CSAuth\logs.
Appendix C TACACS+ Attribute-Value Pairs

Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) provides support for Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value.

Cisco IOS Attribute-Value Pair Dictionary

Before selecting TACACS+ AV pairs for Cisco Secure ACS, confirm that your AAA client is running Cisco IOS Release 11.2 or later.

TACACS+ AV Pairs

Note Beginning with Cisco Secure ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and callback supersede the following attributes:
• addr
• addr-pool
• callback-dialstring
Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).

• ip-addresses
• link-compression=
• load-threshold=n
• max-links=n
• nas-password
• nocallback-verify
• noescape=
• nohangup=
• old-prompts
• outacl#n
• outacl=
• pool-def#n
• pool-timeout=
• ppp-vj-slotcompression
• priv-lvl=
• protocol=
• route
• route#n
• routing=
• rte-ftr-in#n
• rte-ftr-out#n
• sap#n
• sap-fltr-in#n
• sap-fltr-out#n
• service=
• source-ip=

• timeout=
• tunnel-id
• wins-servers=
• zonelist=

TACACS+ Accounting AV Pairs

Cisco Secure ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see the Cisco IOS documentation for the release of Cisco IOS running on your AAA clients.

• pre-session-time
• priv_level
• protocol
• reason
• service
• start_time
• stop_time
• task_id
• timezone
• xmit-rate
Appendix D RADIUS Attributes

Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) provides support for many RADIUS attributes.

• Cisco Building Broadband Service Manager Dictionary of RADIUS VSA, page D-9
• Vendor-Proprietary IETF RADIUS AV Pairs, page D-10
• IETF Dictionary of RADIUS AV Pairs, page D-12
• Microsoft MPPE Dictionary of RADIUS VSAs, page D-18
• Ascend Dictionary of RADIUS AV Pairs, page D-21
• Nortel Dictionary of RADIUS VSAs, page D-29
• Juniper Dictionary of RADIUS VSAs, page D-30

Cisco IOS Dictionary of RADIUS AV Pairs

Table D-1 lists the supported Cisco IOS RADIUS AV pairs.

Table D-1 Cisco IOS Software RADIUS AV Pairs (continued)
Attribute            Number  Type of Value
Calling-Station-ID   31      string
Login-LAT-Service    33      string
Acct-Status-Type     40      integer
Acct-Delay-Time      41      integer
Acct-Input-Octets    42      integer
Acct-Output-Octets   43      integer
Acct-Session-ID      44      string
Acct-Authentic       45      integer
Acct-Session-Time    46      integer
Acct-Input-Packets   47      integer
Acct-Output-Packets  48      integer
A

Cisco IOS/PIX Dictionary of RADIUS VSAs

Note For details about the Cisco IOS Node Route Processor-Service Selection Gateway VSAs (VSAs 250, 251, and 252), refer to Cisco IOS documentation.

Table D-2 Cisco IOS/PIX RADIUS VSAs (continued)
Attribute               Number  Type of Value
cisco-ssg-account-info  250     string
cisco-ssg-service-info  251     string
cisco-ssg-control-info  253     string

Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs

Cisco Secure ACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this Cisco RADIUS implementation is 3076.

Table D-3 Cisco VPN 3000 Concentrator RADIUS VSAs (continued)
Attribute                                            Number  Type of Value
CVPN3000-IPSec-Authentication                        13      integer
CVPN3000-IPSec-Banner1                               15      string
CVPN3000-IPSec-Allow-Passwd-Store                    16      integer
CVPN3000-Use-Client-Address                          17      integer
CVPN3000-PPTP-Encryption                             20      integer
CVPN3000-L2TP-Encryption                             21      integer
CVPN3000-IPSec-Split-Tunnel-List                     27      string
CVPN3000-IPSec-Default-Domain                        28      s

Table D-3 Cisco VPN 3000 Concentrator RADIUS VSAs (continued)
Attribute                                            Number  Type of Value
CVPN3000-Cisco-IP-Phone-Bypass                       51      integer
CVPN3000-User-Auth-Server-Name                       52      string
CVPN3000-User-Auth-Server-Port                       53      integer
CVPN3000-User-Auth-Server-Secret                     54      string
CVPN3000-IPSec-Split-Tunneling-Policy                55      integer
CVPN3000-IPSec-Required-Client-Firewall-Capability   56      integer
CVPN3000-IPSec-Client-Firewall-Fi

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

Cisco Secure ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS implementation is 255. Table D-4 lists the supported Cisco VPN 5000 Concentrator RADIUS VSAs.
Vendor-Proprietary IETF RADIUS AV Pairs

Table D-6 lists the supported vendor-proprietary RADIUS (IETF) attributes.

Table D-6 Vendor-Proprietary RADIUS Attributes
No.  Vendor-Proprietary Attribute

Table D-6 Vendor-Proprietary RADIUS Attributes (continued)
No.  Vendor-Proprietary Attribute
243  Call-Filter
244  Idle-Limit

IETF Dictionary of RADIUS AV Pairs

Table D-7 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified. Accounting attributes are listed in Table D-8 on page D-16.

Table D-7 RADIUS (IETF) Attributes
No.  Attribute       Description
1    User-Name       Name of the user being authenticated.
2    User-Password   User’s password or input following an access challenge.

Table D-7 RADIUS (IETF) Attributes (continued)
No.  Attribute       Description
6    Service-Type    Type of service requested or type of service to be provided.
                     In a request: Framed—For known PPP or SLIP (Serial Line Internet Protocol) connection. Administrative User—For enable command.
                     In a response: Login—Make a connection. Framed—Start SLIP or PPP. Administrative User—Start an EXEC or enable ok. Exec User—Start an EXEC session.

Table D-7 RADIUS (IETF) Attributes (continued)
No.  Attribute       Description
14   Login-IP-Host   Host to which the user will connect when the Login-Service attribute is included.
15   Login-Service   Service that should be used to connect the user to the login host.

Table D-7 RADIUS (IETF) Attributes (continued)
No.  Attribute        Description
26   Vendor-Specific  Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair.

Table D-7 RADIUS (IETF) Attributes (continued)
No.  Attribute       Description
61   NAS-Port-Type   Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value as follows:
                     0: Asynchronous
                     1: Synchronous
                     2: ISDN-Synchronous
                     3: ISDN-Asynchronous (V.120)
                     4: ISDN-Asynchronous (V.

Table D-8 RADIUS (IETF) Accounting Attributes (continued)
No.  Attribute           Description
31   Calling-Station-Id  Allows the AAA client to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI.

Microsoft MPPE Dictionary of RADIUS VSAs

Table D-8 RADIUS (IETF) Accounting Attributes (continued)
No.  Attribute             Description
49   Acct-Terminate-Cause  Reports details on why the connection was terminated.
Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that Cisco Secure ACS supports. The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSAs:
• Cisco IOS
• Cisco VPN 3000
• Ascend
Table D-9 lists the supported MPPE RADIUS VSAs.

Table D-9 Microsoft MPPE RADIUS VSAs (continued)
Attribute          Number  Type of Value  Description
MS-CHAP-Domain     10      string         —
MS-CHAP-Challenge  11      string         —
MS-CHAP-MPPE-Keys  12      string         The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets.

Ascend Dictionary of RADIUS AV Pairs

Cisco Secure ACS supports the Ascend RADIUS AV pairs. Table D-10 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs.

Table D-10 Ascend RADIUS Attributes (continued)
Attribute           Number  Type of Value
Framed-Protocol     7       integer
Framed-Address      8       ipaddr
Framed-Netmask      9       ipaddr
Framed-Routing      10      integer
Framed-Filter       11      string
Framed-MTU          12      integer
Framed-Compression  13      integer
Login-Host          14      ipaddr
Login-Service       15      integer
Login-TCP-Port      16      integer
Change-Password     17      string
Reply-Message       18      string
Callback-Number     19      string

Table D-10 Ascend RADIUS Attributes (continued)
Attribute                   Number  Type of Value
Acct-Session-Time           46      integer
Acct-Input-Packets          47      integer
Acct-Output-Packets         48      integer
Tunnel-Type                 64      string
Tunnel-Medium-Type          65      string
Tunnel-Client-Endpoint      66      string
Tunnel-Server-Endpoint      67      string
Tunnel-ID                   68      integer
Ascend-Private-Route        104     string
Ascend-Numbering-Plan-ID    105     integer
Ascend-FR-Link-Status-Dlci  106     in

Table D-10 Ascend RADIUS Attributes (continued)
Attribute                      Number  Type of Value
Ascend-Call-Attempt-Limit      123     integer
Ascend-Call-Block_Duration     124     integer
Ascend-Maximum-Call-Duration   125     integer
Ascend-Router-Preference       126     string
Ascend-Tunneling-Protocol      127     string
Ascend-Shared-Profile-Enable   128     string
Ascend-Primary-Home-Agent      129     string
Ascend-Secondary-Home-Agent    130     string
Ascend-Dialout-Allowed         131     i

Table D-10 Ascend RADIUS Attributes (continued)
Attribute                     Number  Type of Value
Connection Profile/Telco Option
Ascend-Expect-Callback        149     integer
Event Type for an Ascend-Event Packet
Ascend-Event-Type             150     integer
RADIUS Server Session Key
Ascend-Session-Svr-Key        151     string
Multicast Rate Limit Per Client
Ascend-Multicast-Rate-Limit   152     integer
Connection Profile Fields to Support Interface-Based Routing
Ascend-IF-Netmask

Table D-10 Ascend RADIUS Attributes (continued)
Attribute                   Number  Type of Value
Ascend-TS-Idle-Limit        169     integer
Ascend-TS-Idle-Mode         170     integer
Ascend-DBA-Monitor          171     integer
Ascend-Base-Channel-Count   172     integer
Ascend-Minimum-Channels     173     integer
Ascend-IPX-Route            174     string
Ascend-FT1-Caller           175     integer
Ascend-Backup               176     string
Ascend-Call-Type            177     integer
Ascend-Group                178     string
Ascend-FR-DLCI              179     inte

Table D-10 Ascend RADIUS Attributes (continued)
Attribute                 Number  Type of Value
Ascend-Disconnect-Cause   195     integer
Ascend-Connect-Progress   196     integer
Ascend-Data-Rate          197     integer
Ascend-PreSession-Time    198     integer
Ascend-Token-Idle         199     integer
Ascend-Token-Immediate    200     integer
Ascend-Require-Auth       201     integer
Ascend-Number-Sessions    202     string
Ascend-Authen-Alias       203     string
Ascend-Token-Expiry       204     integer
As

Table D-10 Ascend RADIUS Attributes (continued)
Attribute                Number  Type of Value
Ascend-FR-Direct-DLCI    221     integer
Ascend-Handle-IPX        222     integer
Ascend-Netware-Timeout   223     integer
Ascend-IPX-Alias         224     integer
Ascend-Metric            225     integer
Ascend-PRI-Number-Type   226     integer
Ascend-Dial-Number       227     string
Ascend-Route-IP          228     integer
Ascend-Route-IPX         229     integer
Ascend-Bridge            230     integer
Ascend-Send-Auth         231     intege

Table D-10 Ascend RADIUS Attributes (continued)
Attribute                 Number  Type of Value
Connection Profile/Telco Options
Ascend-Callback           246     integer
Ascend-Data-Svc           247     integer
Ascend-Force-56           248     integer
Ascend-Billing-Number     249     string
Ascend-Call-By-Call       250     integer
Ascend-Transit-Number     251     string
                          252     string
                          253     ipaddr
Ascend-MPP-Idle-Percent   254     integer
Ascend-Xmit-Rate          255     integer
Terminal Server Attributes
Ascend-

Nortel Dictionary of RADIUS VSAs

Table D-11 Nortel RADIUS VSAs
Attribute        Number  Type of Value
Bay-User-Level   100     integer
Bay-Audit-Level  101     integer

Juniper Dictionary of RADIUS VSAs

Table D-12 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS. The Juniper vendor ID number is 2636.
APPENDIX E
Cisco Secure ACS Command-Line Database Utility

This appendix details the Cisco Secure ACS command-line utility, CSUtil.exe. Among its several functions, CSUtil.exe enables you to add, change, and delete users from a colon-delimited text file. You can also use the utility to add and delete AAA client configurations.

Note: You can accomplish similar tasks using the ACS System Backup, ACS System Restore, Database Replication, and RDBMS Synchronization features.

• User and AAA Client Import Option, page E-13
• Exporting User List to a Text File, page E-23
• Exporting Group Information to a Text File, page E-24
• Exporting Registry Information to a Text File, page E-25
• Decoding Error Numbers, page E-25
• Recalculating CRC Values, page E-26
• User-Defined RADIUS Vendors and VSA Sets, page E-27

Location of CSUtil.
CSUtil.exe Options

You can combine many of the options in a single use of CSUtil.exe. If you are new to using CSUtil.exe, we recommend performing only one option at a time, with the exception of those options, such as -p, that must be used in conjunction with other options. Experienced CSUtil.exe users may find it useful to combine CSUtil.

• -l—Load all Cisco Secure ACS internal data from a file named dump.txt or from a file you name. Using this option requires that you stop the CSAuth service. For more information about this option, see the “Loading the Cisco Secure ACS Database from a Dump File” section on page E-10.
• -n—Create the CiscoSecure user database and index. Using this option requires that you stop the CSAuth service.
Backing Up Cisco Secure ACS with CSUtil.exe

You can use the -b option to create a system backup of all Cisco Secure ACS internal data. The resulting backup file has the same data as the backup files produced by the ACS Backup feature found in the HTML interface. For more information about the ACS Backup feature, see the “Cisco Secure ACS Backup” section on page 8-40.

Restoring Cisco Secure ACS with CSUtil.exe

You can use the -r option to restore all Cisco Secure ACS internal data. The backup file from which you restore Cisco Secure ACS can be one generated by the CSUtil.exe -b option or by the ACS Backup feature in the HTML interface.

c. To restore only the system configuration, type:
CSUtil.exe -r config filename
where filename is the name of the backup file. Press Enter.
Result: CSUtil.exe displays a confirmation prompt.
Step 3 To confirm that you want to perform a restoration and to halt all Cisco Secure ACS services during the restoration, type Y and press Enter.
Result: CSUtil.

Creating a CiscoSecure User Database

To create a CiscoSecure user database, follow these steps:
Step 1 If you have not performed a backup or dump of the CiscoSecure user database, do so now before proceeding. For more information about backing up the database, see the “Backing Up Cisco Secure ACS with CSUtil.exe” section on page E-5.
Creating a Cisco Secure ACS Database Dump File

You can use the -d option to dump all the contents of the CiscoSecure user database into a text file. In addition to providing a thorough, human-readable, and compressible backup of all Cisco Secure ACS internal data, a database dump can also be useful for the Cisco Technical Assistance Center (TAC) during troubleshooting.

Step 4 To confirm that you want to dump all Cisco Secure ACS internal data into dump.txt, type Y and press Enter.
Result: CSUtil.exe creates the dump.txt file. This process may take a few minutes.
Step 5 To resume user authentication, type:
net start csauth
and press Enter.

Step 2 If the CSAuth service is running, type:
net stop csauth
and press Enter.
Result: The CSAuth service stops.
Step 3 Type:
CSUtil.exe -l filename
where filename is the name of the dump file you want CSUtil.exe to use to load Cisco Secure ACS internal data. Press Enter.
Result: CSUtil.

Compacting the CiscoSecure User Database

Compacting the CiscoSecure user database consists of using three CSUtil.exe options together:
• -d—Export all Cisco Secure ACS internal data to a text file named dump.txt.
• -n—Create a CiscoSecure user database and index.
• -l—Load all Cisco Secure ACS internal data from a text file. If you do not specify the file name, CSUtil.exe uses the default file name dump.txt.

Result: If you do not use the -q option, CSUtil.exe displays a confirmation prompt for initializing the database and then for loading the database. For more information about the effects of the -n option, see the “Creating a CiscoSecure User Database” section on page E-7. For more information about the effects of the -l option, see the “Loading the Cisco Secure ACS Database from a Dump File” section on page E-10.

Step 2 Create an import text file. For more information about what an import text file can or must contain, see the “User and AAA Client Import File Format” section on page E-15.
Step 3 Copy or move the import text file to the same directory as CSUtil.exe. For more information about the location of CSUtil.exe, see the “Location of CSUtil.exe and Related Files” section on page E-2.
Step 8 To restart CSTacacs, follow these steps:
a. Type:
net stop cstacacs
and press Enter.
Result: The CSTacacs service stops.
b. To start CSTacacs, type:
net start cstacacs
and press Enter.

User and AAA Client Import File Format

The import file can contain six different line types. At least two are required.

ONLINE or OFFLINE Statement

CSUtil.exe requires an ONLINE or OFFLINE token in an import text file. The file must begin with a line that contains only an ONLINE or OFFLINE token. The ONLINE and OFFLINE tokens are described in Table E-1.

Table E-1 ONLINE/OFFLINE Statement Tokens
Token | Required | Value Required | Description
ONLINE | Either ONLINE or OFFLINE must be present | — | The CSAuth service remains active while CSUtil.
Table E-2 ADD Statement Tokens
Token | Required | Value Required | Description
ADD | Yes | username | Add user information to Cisco Secure ACS. If the username already exists, no information is changed.
PROFILE | No | group number | Group number to which the user is assigned. This must be a number from 0 to 499, not a name. If you do not use the PROFILE token or fail to provide a group number, the user is added to the default group.
EXT_LEAP | No | — | Authenticate the username with a LEAP proxy RADIUS server external user database.
EXT_ACTV | No | — | Authenticate the username with an ActivCard external user database.
EXT_VASCO | No | — | Authenticate the username with a Vasco external user database.

Table E-3 UPDATE Statement Tokens (continued)
Token | Required | Value Required | Description
CSDB | No | password | Authenticate the username with the CiscoSecure user database.
CSDB_UNIX | No | UNIX-encrypted password | Authenticate the username with the CiscoSecure user database, using a UNIX password format.
EXT_NT | No | — | Authenticate the username with a Windows NT/2000 external user database.
For example, the following UPDATE statement causes CSUtil.exe to update the account with username "John", assign it to Group 50, and specify that John is authenticated by a UNIX-encrypted password, with a separate CHAP password "goodoldchap":
UPDATE:John:PROFILE:50:CSDB_UNIX:3Al3qf9:CHAP:goodoldchap

DELETE Statements

DELETE statements are optional.

Table E-5 ADD_NAS Statement Tokens (continued)
Token | Required | Value Required | Description
VENDOR | Yes | | The authentication protocol the AAA client uses. For RADIUS, this includes the VSA. The valid values are listed below. Quotation marks are required because of the spaces in the protocol names.

For example, the following ADD_NAS statement causes CSUtil.exe to add a AAA client with the name "SVR2-T+", using TACACS+ with the single connection and keep alive packet options enabled:
ADD_NAS:SVR2-T+:IP:IP address:KEY:shared secret:VENDOR:"TACACS+ (Cisco IOS)":NDG:"East Coast":SINGLE_CON:Y:KEEPALIVE:Y

DEL_NAS Statements

DEL_NAS statements are optional.
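As an added example that is not part of the original guide, the following Python parser reads an import file of the format described above (an ONLINE or OFFLINE header, then ADD, UPDATE, DELETE, ADD_NAS and DEL_NAS statements), checks the constraints the tables state (PROFILE must be a group number 0 to 499; ADD_NAS must carry IP, KEY and VENDOR; tokens such as EXT_NT take no value) and renders statements for logging with CSDB, CSDB_UNIX, CHAP and KEY values masked, since the file holds cleartext passwords and AAA client shared secrets. The quote-aware field splitting and the sample IP address and shared secret are assumptions constructed for this example.

```python
"""Parse and sanity-check a CSUtil.exe user/AAA client import file (added example)."""
import re
from dataclasses import dataclass, field

STATEMENT_TYPES = {"ADD", "UPDATE", "DELETE", "ADD_NAS", "DEL_NAS"}
# Tokens whose "Value Required" column is a dash: flags that take no value.
FLAG_TOKENS = {"EXT_NT", "EXT_LEAP", "EXT_ACTV", "EXT_VASCO"}
# Tokens whose value is a password or shared secret; masked by redacted().
SECRET_TOKENS = {"CSDB", "CSDB_UNIX", "CHAP", "KEY"}

# A field is a double-quoted run (quotes dropped, so "TACACS+ (Cisco IOS)" keeps
# its spaces) or a run of non-colon characters. Assumed quoting rule.
_FIELD = re.compile(r'"([^"]*)"|([^:]*)')


def split_fields(line):
    """Split one colon-delimited statement, keeping quoted fields intact."""
    fields, pos = [], 0
    while True:
        m = _FIELD.match(line, pos)
        fields.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        if pos >= len(line):
            return fields
        if line[pos] != ":":
            raise ValueError(f"unexpected character at offset {pos}: {line!r}")
        pos += 1


@dataclass
class Statement:
    kind: str          # ADD, UPDATE, DELETE, ADD_NAS or DEL_NAS
    name: str          # username or AAA client name
    tokens: dict = field(default_factory=dict)


def parse_statement(line, lineno=0):
    """Turn 'ADD:Pat:PROFILE:10:CSDB:pw' into a Statement with its token map."""
    fields = split_fields(line)
    kind = fields[0]
    if kind not in STATEMENT_TYPES:
        raise ValueError(f"line {lineno}: unknown statement type {kind!r}")
    if len(fields) < 2 or not fields[1]:
        raise ValueError(f"line {lineno}: {kind} needs a username or AAA client name")
    stmt = Statement(kind, fields[1])
    i = 2
    while i < len(fields):
        tok = fields[i]
        if tok in FLAG_TOKENS:              # flag token: nothing follows it
            stmt.tokens[tok] = True
            i += 1
        elif i + 1 < len(fields):           # token:value pair
            stmt.tokens[tok] = fields[i + 1]
            i += 2
        else:
            raise ValueError(f"line {lineno}: token {tok!r} has no value")
    return stmt


def validate(stmt):
    """Return the rule violations for one statement (empty list when clean)."""
    problems = []
    if "PROFILE" in stmt.tokens:
        val = stmt.tokens["PROFILE"]
        if not (val.isdigit() and 0 <= int(val) <= 499):
            problems.append(f"PROFILE must be a group number 0-499, got {val!r}")
    if stmt.kind == "ADD_NAS":
        for required in ("IP", "KEY", "VENDOR"):
            if required not in stmt.tokens:
                problems.append(f"ADD_NAS is missing required token {required}")
    return problems


def parse_import_file(text):
    """Return (mode, statements); mode is the mandatory ONLINE or OFFLINE header."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("ONLINE", "OFFLINE"):
        raise ValueError("file must begin with a line containing only ONLINE or OFFLINE")
    stmts = [parse_statement(ln, n) for n, ln in enumerate(lines[1:], 2) if ln.strip()]
    return lines[0].strip(), stmts


def redacted(stmt):
    """Render a statement for logging with passwords and shared secrets masked."""
    parts = [stmt.kind, stmt.name]
    for tok, val in stmt.tokens.items():
        parts.append(tok)
        if val is not True:
            parts.append("***" if tok in SECRET_TOKENS else val)
    return ":".join(parts)


# Constructed sample: the UPDATE line is the guide's own example; the ADD_NAS line
# fills the guide's "IP address" and "shared secret" placeholders with made-up values.
SAMPLE_IMPORT = """ONLINE
ADD:Pat:PROFILE:10:CSDB:pat-initial-pw
UPDATE:John:PROFILE:50:CSDB_UNIX:3Al3qf9:CHAP:goodoldchap
ADD_NAS:SVR2-T+:IP:192.0.2.10:KEY:example-shared-secret:VENDOR:"TACACS+ (Cisco IOS)":NDG:"East Coast":SINGLE_CON:Y:KEEPALIVE:Y
DELETE:Dana
"""
```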
Exporting User List to a Text File

You can use the -u option to export a list of all users in the CiscoSecure user database to a text file named users.txt. The users.txt file organizes the users by group. Within each group, users are listed in the order in which their accounts were created in the CiscoSecure user database. For example, if accounts were created for Pat, Dana, and Lloyd, in that order, users.

Exporting Group Information to a Text File

You can use the -g option to export group configuration data, including device command sets, from the CiscoSecure user database to a text file named groups.txt. The groups.txt file is useful primarily for debugging purposes while working with the TAC.

Note: Using the -g option requires that you stop the CSAuth service.

Exporting Registry Information to a Text File

You can use the -y option to export Windows Registry information for Cisco Secure ACS. CSUtil.exe exports the Registry information to a file named setup.txt. The setup.txt file is useful primarily for debugging purposes while working with the TAC.

Note: The -e option applies to Cisco Secure ACS internal error codes only, not to Windows error codes sometimes captured in Cisco Secure ACS logs, such as when Windows NT/2000 authentication fails. For more information about Cisco Secure ACS service logs, see the “Service Logs” section on page 9-34.

User-Defined RADIUS Vendors and VSA Sets

This section provides information and procedures about user-defined RADIUS vendors and VSAs.
Adding a Custom RADIUS Vendor and VSA Set

You can use the -addUDV option to add up to ten custom RADIUS vendors and VSA sets to Cisco Secure ACS. Each RADIUS vendor and VSA set is added to one of ten possible user-defined RADIUS vendor slots.

Note: While CSUtil.exe adds a custom RADIUS vendor and VSA set to Cisco Secure ACS, all Cisco Secure ACS services are automatically stopped and restarted.

Step 3 To confirm that you want to add the RADIUS vendor and halt all Cisco Secure ACS services during the process, type Y and press Enter.
Result: CSUtil.exe halts Cisco Secure ACS services, parses the vendor/VSA input file, and adds the new RADIUS vendor and VSAs to Cisco Secure ACS. This process may take a few minutes. After it is complete, CSUtil.exe restarts Cisco Secure ACS services.

To delete a custom RADIUS vendor and VSA set from Cisco Secure ACS, follow these steps:
Step 1 On the Cisco Secure ACS server, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see the “Location of CSUtil.exe and Related Files” section on page E-2.
Step 2 Type: CSUtil.

To list all custom RADIUS vendors defined in Cisco Secure ACS, follow these steps:
Step 1 On the Cisco Secure ACS server, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see the “Location of CSUtil.exe and Related Files” section on page E-2.
Step 2 Type:
CSUtil.exe -listUDV
Press Enter.
Result: CSUtil.

About the RADIUS Vendor/VSA Import File

RADIUS Vendor/VSA import files use a Windows .ini file format. Each RADIUS vendor/VSA import file comprises three types of sections, detailed in Table E-7. Each section comprises a section header and a set of keys and values. The order of the sections in the RADIUS vendor/VSA import file is irrelevant.

Vendor and VSA Set Definition

Each RADIUS vendor/VSA import file must have one vendor and VSA set section. The section header must be “[User Defined Vendor]”. Table E-8 lists valid keys for the vendor and VSA set section.

Table E-8 Vendor and VSA Set Keys
Keys | Required | Value Required | Description
Name | Yes | Vendor name | The name of the RADIUS vendor.

Attribute Definition

Each RADIUS vendor/VSA import file must have one attribute definition section for each attribute defined in the vendor and VSA set section. The section header of each attribute definition section must match the attribute name defined for that attribute in the vendor and VSA set section. Table E-9 lists the valid keys for an attribute definition section.

Table E-9 Attribute Definition Keys (continued)
Keys | Required | Value Required | Description
Enums | No (only valid when the TYPE value is INTEGER) | Enumerations section name | The name of the enumeration section. Several attributes can reference the same enumeration section. For more information, see the “Enumeration Definition” section on page E-35.

Table E-10 Enumerations Definition Keys
Keys | Required | Value Required | Description
n (see Description) | Yes | String | For each valid integer value of the corresponding attribute, an enumerations section must have one key. Each key defines a string value associated with an integer value. Cisco Secure ACS uses these string values in the HTML interface.

Example RADIUS Vendor/VSA Import File

The example RADIUS vendor/VSA import file, below, defines the vendor Widget, whose IETF number is 9999. The vendor Widget has 5 VSAs. Of those attributes, 4 are for authorization and one is for accounting. Only one attribute can have multiple instances in a single RADIUS message.
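To show how the rules in Tables E-8 to E-10 can be checked before running CSUtil.exe -addUDV, here is an added Python validator (not from the guide or from Cisco) run over a constructed Widget-style file. It enforces what the section states: one [User Defined Vendor] section with a Name key, one attribute definition section for each attribute named in the vendor section, Enums only when the attribute type is INTEGER, and an existing enumeration section with one integer key per value. The key names IETF Code, VSA n, Type and Profile, and the value sets STRING/INTEGER/IPADDR and IN/OUT/MULTI, are assumptions about the parts of the tables that are cut off on this page.

```python
"""Validate a RADIUS vendor/VSA import file (.ini format) before CSUtil.exe -addUDV.
Added example; key names other than Name and Enums are assumptions."""
import configparser

VENDOR_SECTION = "User Defined Vendor"
VALID_TYPES = {"STRING", "INTEGER", "IPADDR"}   # assumed attribute Type values
VALID_PROFILES = {"IN", "OUT", "MULTI"}         # assumed attribute Profile values


def load_vsa_file(text):
    """Parse the .ini text; keep key case so 'IETF Code' and 'VSA 1' round-trip."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def validate_vsa_file(cp):
    """Return a list of problems; an empty list means the file satisfies the rules."""
    problems = []
    if not cp.has_section(VENDOR_SECTION):
        return [f"missing required [{VENDOR_SECTION}] section"]
    vendor = cp[VENDOR_SECTION]
    if not vendor.get("Name"):
        problems.append("vendor section has no Name key")
    if not vendor.get("IETF Code", "").isdigit():
        problems.append("vendor section needs a numeric IETF Code (assumed key name)")
    # Every 'VSA n' key names an attribute that must have a section of its own.
    attributes = [v for k, v in vendor.items() if k.startswith("VSA ")]
    if not attributes:
        problems.append("vendor section defines no VSA n keys")
    for attr in attributes:
        if not cp.has_section(attr):
            problems.append(f"no attribute definition section [{attr}]")
            continue
        sec = cp[attr]
        typ = sec.get("Type", "").upper()
        if typ not in VALID_TYPES:
            problems.append(f"[{attr}]: Type must be one of {sorted(VALID_TYPES)}")
        if sec.get("Profile", "").upper() not in VALID_PROFILES:
            problems.append(f"[{attr}]: Profile must be one of {sorted(VALID_PROFILES)}")
        enums = sec.get("Enums")
        if enums is None:
            continue
        if typ != "INTEGER":
            problems.append(f"[{attr}]: Enums is only valid when Type is INTEGER")
        elif not cp.has_section(enums):
            problems.append(f"[{attr}]: enumeration section [{enums}] not found")
        else:
            for key in cp[enums]:
                if not key.isdigit():
                    problems.append(f"[{enums}]: key {key!r} is not an integer value")
    return problems


# Constructed sample in the style of the guide's Widget example (not the guide's file).
GOOD_FILE = """
[User Defined Vendor]
Name=Widget
IETF Code=9999
VSA 1=Widget-Encrypt
VSA 2=Widget-Banner
VSA 3=Widget-Session-Log

[Widget-Encrypt]
Type=INTEGER
Profile=OUT
Enums=Encryption-Types

[Widget-Banner]
Type=STRING
Profile=MULTI

[Widget-Session-Log]
Type=STRING
Profile=IN

[Encryption-Types]
0=None
1=DES-56
2=3DES
"""

# Constructed file with two violations: Enums on a STRING attribute, and an Enums
# reference to a section that does not exist.
BAD_FILE = """
[User Defined Vendor]
Name=Widget
IETF Code=9999
VSA 1=Widget-Banner
VSA 2=Widget-Mode

[Widget-Banner]
Type=STRING
Profile=OUT
Enums=Banner-Types

[Widget-Mode]
Type=INTEGER
Profile=OUT
Enums=Modes
"""
```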
APPENDIX F
Cisco Secure ACS and Virtual Private Dial-up Networks

Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) supports authentication forwarding of virtual private dial-up network (VPDN) requests. There are two basic types of “roaming” users: Internet and intranet; VPDN addresses the requirements of roaming intranet users. This appendix provides information about the VPDN process and how it affects the operation of Cisco Secure ACS.
VPDN Process

Figure F-1 VPDN User Dials In
(Figure labels: Call setup / PPP setup; Username = mary@corporation.us)

2. If VPDN is enabled, the NAS assumes that the user is a VPDN user. The NAS strips off the “username@” (mary@) portion of the username and authorizes (not authenticates) the domain portion (corporation.us) with the ACS. See Figure F-2.

Figure F-2

Figure F-3 Authorization of Domain Fails
(Figure labels: Authorization failed)

If the ACS authorizes the domain, it returns the Tunnel ID and the IP address of the home gateway (HG); these are used to create the tunnel. See Figure F-4.

Figure F-4 ACS Authorizes Domain
(Figure labels: Authorization reply; Tunnel ID = nas_tun; IP address = 10.1.1.

Figure F-5 HG Authenticates Tunnel with ACS
(Figure labels: Authentication request; Username = nas_tun; Password = CHAP_stuff)

5. The HG now authenticates the tunnel with the NAS, where the username is the name of the HG. This name is chosen based on the name of the tunnel, so the HG might have different names depending on the tunnel being set up.

Figure F-6

Figure F-7 NAS Authenticates Tunnel with ACS
(Figure labels: Username = home_gate; Password = CHAP_stuff)

7. After authenticating, the tunnel is established. Now the actual user (mary@corporation.us) must be authenticated. See Figure F-8.

Figure F-8 VPDN Tunnel is Established
(Figure labels: CHAP response)

8.

Figure F-9 HG Uses ACS to Authenticate User
(Figure labels: Username = mary@corporation.us; Password = secret)

9. If another user (sue@corporation.us) dials in to the NAS while the tunnel is up, the NAS does not repeat the entire authorization/authentication process. Instead, it passes the user through the existing tunnel to the HG. See Figure F-10.
APPENDIX G
ODBC Import Definitions

ODBC import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) uses a table named “accountActions” as input for automated or manual updates of the CiscoSecure user database.

accountActions Table Specification

accountActions Table Format

Each row in an accountActions table has 14 fields (or columns). Table G-1 on page G-2 lists the fields that compose an accountActions table in the order in which they appear in the table. The one-letter or two-letter abbreviations given in the Mnemonic column are a shorthand notation used to indicate required fields for each action code in the “Action Codes” section on page G-5.

Table G-1 accountActions Table (continued)
Field Name | Mnemonic | Type | Size | Comments
Value3 | V3 | String | 255 | The name of a TACACS+ service (for example, "ppp") or the RADIUS VSA attribute number.
DateTime | DT | DateTime | — | The date/time the Action was created.
MessageNo | MN | Int | — | Used to number related transactions for audit purposes.
ComputerNames | CN | String | 32 | RESERVED by CSDBSync.

In addition to the three required fields above, the UserName and GroupName fields are required for many actions:

Note:
• If a transaction is acting upon a user account, a value is required in the UserName field.
• If a transaction is acting upon a group, a value is required in the GroupName field.
• If a transaction is acting upon AAA client configuration, neither the UserName field nor the GroupName field is required.

You can use the MessageNo field (mnemonic: MN) to associate related transactions, such as the addition of a user and subsequent actions to set password values and status. You can use the MessageNo field to create an audit trail for the third-party system that writes to the accountActions table.

Action Codes

This section provides the action codes valid for use in the Action field (mnemonic: A) of your accountActions table.
use these action codes for other purposes by a Cisco representative, you can only use these action codes for assigning values to user-defined fields (see the “User-Specific Attributes” section on page G-31).

Table G-2 Action Codes for Setting and Deleting Values
Action Code 1, SET_VALUE
  Required: UN|GN, AI, VN, V1, V2
  Description: Sets a value (V1) named (VN) of type (V2) for app (AI).
Action Code 2, DELETE_VALUE
  Required: UN|GN, AI, VN
  Description: Delete value (VN) for app (AI) and user (UN).

Action Codes for Creating and Modifying User Accounts

Table G-3 lists the action codes for creating, modifying, and deleting user accounts.

Table G-3 User Creation and Modification Action Codes (continued)
Action Code 105, SET_T+_ENABLE_PASS
  Required: UN, V1, V2
  Description: Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15).
Action Code 106, SET_GROUP
  Required: UN, GN
  Description: Set the user’s Cisco Secure ACS group assignment.
Action Code 108
  Required: V1
  Description: Set the password type of the user.
Action Code 109, REMOVE_PASS_STATUS
  Required: UN, V1
  Description: Remove a password status flag. This results in the status states being linked in a logical XOR condition by the CSAuth server. V1 should contain one of the following:
  • PASS_STATUS_EXPIRES—Password expires on a given date.
Action Code 110, ADD_PASS_STATUS
  Required: UN, V1
Action Code 112, SET_PASS_EXPIRY_WRONG
  Required: UN, V1
Action Code 113, SET_PASS_EXPIRY_DATE
  Required: UN, V1
  Description: Set the date on which the account expires. The date format should be YYYYMMDD.
Action Code 114, SET_MAX_SESSIONS
  Required: UN|GN, V1
  Description: Set the maximum number of simultaneous sessions for a user or group.
Action Code 115, SET_MAX_SESSIONS_GROUP_USER
  Required: GN, V1
Action Code 260, SET_QUOTA
  Required: GN, VN, V1, V2
  Description: Used to set a quota for a user or group. VN defines the quota type. Valid values are:
  • online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.
Action Code 261, DISABLE_QUOTA
  Required: UN|GN, VN
  Description: Disable a group or user usage quota. VN defines the quota type. Valid values are:
  • online time—The quota limits the user or group by the number of seconds logged in to the network for the period defined in V2.
Action Code 262, SET_QUOTA_APPLY_TYPE
  Required: UN, VN
Action Code 263, RESET_COUNTERS
  Required: UN|GN
Action Code 270, SET_DCS_TYPE
  Required: UN|GN, VN, V1, optionally V2
  Description: Set the type of device command set (DCS) authorization for a group or user. VN defines the service. Valid service types are:
  • shell—Cisco IOS shell command authorization.
  • pixshell—Cisco PIX command authorization.
Action Code 271, SET_DCS_NDG_MAP
  Required: UN|GN, VN, V1, V2
  Description: When the assignment type specified by a 270 action code is ndg, use this action code to map between the device command set and the NDG. VN defines the service. Valid service types are:
  • shell—Cisco IOS shell command authorization.
  • pixshell—Cisco PIX command authorization.
Table G-4 Action Codes for Initializing and Modifying Access Filters
Action Code 120
  Required: UN|GN, V1
  Description: Clear the AAA client access filter list and initialize permit/deny for any forthcoming filters.
Action Code 123, ADD_DIAL_ACCESS_FILTER
  Required: UN|GN, V1, V2
  Description: Add a dial-up filter for the user|group. V1 should contain one of the following values:
  • Calling station ID
  • Called station ID
  • Calling and called station ID; for example: 01732-875374,0898-69696969
  • AAA client IP address, AAA client port; for example: 10.45.6.
Action Code 140
  Required: UN|GN, V1
  Description: Set periods during which access is permitted. V1 contains a string of 168 characters. Each character represents a single hour of the week. A "1" represents an hour that is permitted, while a "0" represents an hour that is denied. If this parameter is not specified for a user, the group setting applies.
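As an added example (not from the guide), the following Python builds, checks and decodes the 168-character V1 string that action code 140 expects, so a schedule can be generated for an accountActions row and a row read back from the table can be shown as human-readable windows. The guide does not say which hour the first character represents; the code assumes character 0 is Sunday 00:00 to 01:00 and continues hour by hour through Saturday.

```python
"""Build, validate and decode the 168-character hour-of-week mask used by
action code 140 (added example; the day ordering is an assumption)."""

HOURS_PER_WEEK = 168
# Assumption: character 0 is Sunday 00:00-01:00, character 167 is Saturday 23:00-24:00.
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")


def build_mask(windows):
    """windows: iterable of (day, start_hour, end_hour), end exclusive;
    (1, 8, 18) means Monday 08:00 to 18:00. Hours outside all windows are denied."""
    bits = ["0"] * HOURS_PER_WEEK
    for day, start, end in windows:
        if not (0 <= day < 7 and 0 <= start < end <= 24):
            raise ValueError(f"bad window {(day, start, end)!r}")
        for hour in range(start, end):
            bits[day * 24 + hour] = "1"
    return "".join(bits)


def validate_mask(mask):
    """A mask is valid only if it is exactly 168 characters, each '0' or '1'."""
    return len(mask) == HOURS_PER_WEEK and set(mask) <= {"0", "1"}


def is_permitted(mask, day, hour):
    """Return True if the mask permits access during [hour, hour+1) on day."""
    if not validate_mask(mask):
        raise ValueError("mask must be 168 characters of '0' and '1'")
    if not (0 <= day < 7 and 0 <= hour < 24):
        raise ValueError("day must be 0-6 and hour 0-23")
    return mask[day * 24 + hour] == "1"


def decode_mask(mask):
    """Invert build_mask: return permitted windows as (day, start, end) tuples,
    merging consecutive permitted hours within a day."""
    if not validate_mask(mask):
        raise ValueError("mask must be 168 characters of '0' and '1'")
    windows = []
    for day in range(7):
        row = mask[day * 24:(day + 1) * 24] + "0"   # sentinel closes an open run
        start = None
        for hour, ch in enumerate(row):
            if ch == "1" and start is None:
                start = hour
            elif ch == "0" and start is not None:
                windows.append((day, start, hour))
                start = None
    return windows


def describe(mask):
    """Human-readable form, e.g. 'Mon 08:00-18:00, Tue 08:00-18:00, ...'."""
    return ", ".join(f"{DAYS[d]} {s:02d}:00-{e:02d}:00" for d, s, e in decode_mask(mask))


# Constructed example: business hours, Monday to Friday 08:00-18:00.
BUSINESS_HOURS = build_mask((day, 8, 18) for day in range(1, 6))
```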
Action Code 150, SET_STATIC_IP
  Required: UN, V1, V2
  Description: Configure the (TACACS+ and RADIUS) IP address assignment for this user. V1 holds the IP address in the following format: xxx.xxx.xxx.xxx. V2 should be one of the following:
  • ALLOC_METHOD_STATIC—The IP address in V1 is assigned to the user in the format "xxx.xxx.xxx.xxx.
Action Code 151, SET_CALLBACK_NO
  Required: UN|GN, V1
  Description: Set the callback number for this user or group (TACACS+ and RADIUS). V1 should be one of the following:
  • Callback number—Literally, the phone number the AAA client is to call back.
  • none—No callback is allowed.
  • roaming—The dial-up client determines the callback number.
Appendix G ODBC Import Definitions Action Codes Table G-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings Action Code Name 161 DEL_RADIUS_ ATTR Required Description UN|GN, VN, Optionally V2, V3 Deletes the named RADIUS attribute for the group or user, where: • VN = “Vendor-Specific” • V2 = IETF vendor ID • V3 = VSA attribute ID For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair: VN=“Vendor-Specific” V2=“9” V3=“1” Cisco Secure ACS 3.
Appendix G ODBC Import Definitions Action Codes Table G-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued) Action Code Name 163 ADD_RADIUS_ ATTR Required Description UN|GN, VN, V1, Optionally V2, V3 Add the numbered attribute (VN) to value (V) for the user/group (UN|GN). For example: GN=“Group 1" VN=“Reply Message” V1=“Greetings” UN=“fred” VN=“Framed-IP-Address” V1=“10.1.1.
Appendix G ODBC Import Definitions Action Codes Table G-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued) Action Code Name 170 ADD_TACACS_ SERVICE Required Description UN|GN, VN, V1, V3, Optionally V2 Permits the service for that user or group of users. For example: GN=“Group 1" V1=“ppp” V2=“ip” or UN=“fred” V1=“ppp” V2=“ip” or UN=“fred” V1=exec 171 REMOVE_ TACACS_ SERVICE UN|GN, V1 Optionally V2 Denies the service for that user or group of users.
Appendix G ODBC Import Definitions Action Codes Table G-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued) Action Code Name 172 ADD_TACACS_ ATTR Required Description UN|GN, VN, V1, V3 Sets a service specific attribute. The service must already have been permitted either via the HTML interface or using Action 170: Optionally V2 GN=“Group 1" VN=“routing” V1=“ppp” V2=“ip” V3=“true” or UN=“fred” VN=“route” V1=“ppp” V2=“ip” V3=10.2.2.
Appendix G ODBC Import Definitions Action Codes Table G-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued) Action Code Name 174 ADD_IOS_ COMMAND Required Description UN|GN, VN, V1 Authorizes the given Cisco IOS command and determines if any arguments given to the command are to be found in a defined set or are not to be found in a defined set.
Appendix G ODBC Import Definitions Action Codes Table G-5 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued) Action Code Name 176 ADD_IOS_ COMMAND_ ARG Required Description UN|GN, VN, V1, V2 Specifies a set of command-line arguments that are either permitted or denied for the Cisco IOS command contained in VN. The command must have already been added via Action 174: GN=“Group 1" VN=“telnet” V1=“permit” V2=“10.1.1.
Action Code: 178
Name: (not shown on this page)
Required: UN|GN, V1
Description: Sets the default for Cisco IOS commands. By default, any Cisco IOS command not defined through a combination of actions 174 and 175 is denied.
Configuration section of the HTML interface. For more information about the Network Configuration section, see Chapter 4, "Setting Up and Managing Network Configuration."

Table G-6 Action Codes for Modifying Network Configuration

Action Code: 220
Name: ADD_NAS
Required: VN, V1, V2, V3
Description: Adds a new AAA client named VN with the IP address V1, the shared secret key V2, and the vendor V3. Because V2 carries the shared secret in clear text, protect the accountActions table and the ODBC connection to it as carefully as the AAA client configuration itself.
Action Code: 221
Name: SET_NAS_FLAG
Required: VN, V1
Description: For the named AAA client (VN), sets one of the per-AAA-client flags (V1). Use the action once for each flag required. Valid values for V1 are:
  FLAG_SINGLE_CONNECT
  FLAG_LOG_KEEP_ALIVE
  FLAG_LOG_TUNNELS

Action Code: 222
Name: DEL_HOST
Required: VN
Description: Deletes the named AAA client (VN).
Action Code: 240
Name: ADD_PROXY
Required: VN, V1, V2, V3
Description: Adds a new proxy markup (VN) with the markup type V1, the strip-markup flag V2, and the accounting flag V3. The markup type (V1) must be one of:
  MARKUP_TYPE_PREFIX
  MARKUP_TYPE_SUFFIX
The strip-markup flag (V2) should be TRUE if the markup is to be removed from the username before the request is forwarded.
Cisco Secure ACS Attributes and Action Codes

Action Code for Deleting the CiscoSecure User Database

Table G-7 lists the action code for deleting all users and groups from the CiscoSecure user database.

Caution: Using action code 200 irrevocably deletes all users and groups from the CiscoSecure user database.

Table G-7 Action Code for Deleting the CiscoSecure User Database

Action Code: 200
Description: Deletes all users and groups from the CiscoSecure user database.
...the term NULL is not simply an empty string, but means "not set"; that is, the value will not be processed. Some features are processed only if they have a value assigned to them. For more information about action codes, see the "Action Codes" section on page G-5.
Table G-8 User-Specific Attributes (continued)

Max Sessions: logical type Unsigned short; limits 0-65535; default MAX_SESSIONS_AS_GROUP; action 114
TODDOW Restrictions: logical type String; limits 168 characters; default 111111111111; action 140
NAS Access Control: enabled (Bool, T/F), permit/deny (Bool, T/F), ACL (String, see Table G-4 on page G-16); default NULL; actions 120, 122
User-Defined Attributes

User-defined attributes (UDAs) are string values that can contain any data, such as a social security number, department name, or telephone number. You can configure Cisco Secure ACS to include UDAs in the accounting logs of user activity. For more information about configuring UDAs, see the "User Data Configuration Options" section on page 3-3.
Table G-10 Group-Specific Attributes

Max Sessions: logical type Unsigned short; limits 0-65534; default MAX_SESSIONS_UNLIMITED; action 114
Max Sessions for user of group: logical type Unsigned short; limits 0-65534; default MAX_SESSIONS_UNLIMITED; action 115
Token caching for session: logical type Bool; limits T/F; default NULL; action 130
Token caching for duration: logical type Integer (time in seconds); limits 0-65535; default NULL; action 131
TODDOW Restrictions: logical type String; limits 168 characters; default 111111111111; action 140
An Example accountActions Table

Table G-11 presents an example of an accountActions table that contains some of the action codes described in "Action Codes," page G-5. First, user "fred" is created along with his passwords, including a TACACS+ Enable password with privilege level 10. Fred is assigned to "Group 2." His account expires after December 31, 1999, or after 10 incorrect authentication attempts.
Table G-11 Example accountActions Table (continued)

Action  User Name (UN)  Group Name (GN)  Value Name (VN)  Value1 (V1)          Value2 (V2)  Value3 (V3)  AppId (AI)
110     fred            —                —                PASS_STATUS_EXPIRES  —            —            —
112     fred            —                —                10                   —            —            —
113     fred            —                —                19991231             —            —            —
114     fred            —                —                50                   —            —            —
115     fred            —                —                50                   —            —            —
120     fred            —                —                ACCESS_PERMIT        —            —            —
121     fred            —                —                ACCESS_DENY          —            —            —
122     fred            —                —                NAS01,tty0, 0
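The rows of Table G-11 and the examples from Tables G-5 and G-6, assembled and checked in code. This is an added example written for this edition; it is not Cisco's code and not the product's import tool. It validates each row against the required-column rules of the tables above (action 170 is encoded as needing UN|GN and V1, as its own examples show), treats a NULL column as "not set" rather than as an empty string, and loads the rows into a SQLite table that stands in for the ODBC data source CSDBSync would read. The SQL column names, the sample addresses, the vendor string, the shared secret and the "permit" value for action 174 are assumptions.

```python
"""Added example for Appendix G; not Cisco's code or part of Cisco Secure ACS.

Builds accountActions rows like those in Table G-11, checks that each row
carries the value columns its action code requires (Tables G-5 and G-6),
and loads them into a SQLite stand-in for the ODBC data source.
Column labels follow Table G-11; SQL column names are an assumption.
"""
import sqlite3
from typing import Dict, List, Optional, Set, Tuple

# Required / optional value columns per action code, from Tables G-5 and G-6.
# "UN|GN": the row must name a user or a group (not both).  Codes 110-122 used
# by Table G-11 are not defined on the page; they get only that check
# (assumption).  Action 178's name is not shown on the page.
ACTION_SPEC: Dict[int, Tuple[str, Set[str], Set[str]]] = {
    163: ("ADD_RADIUS_ATTR",       {"UN|GN", "VN", "V1"},       {"V2", "V3"}),
    170: ("ADD_TACACS_SERVICE",    {"UN|GN", "V1"},             {"V2"}),
    171: ("REMOVE_TACACS_SERVICE", {"UN|GN", "V1"},             {"V2"}),
    172: ("ADD_TACACS_ATTR",       {"UN|GN", "VN", "V1", "V3"}, {"V2"}),
    174: ("ADD_IOS_COMMAND",       {"UN|GN", "VN", "V1"},       set()),
    176: ("ADD_IOS_COMMAND_ARG",   {"UN|GN", "VN", "V1", "V2"}, set()),
    178: ("(name not shown)",      {"UN|GN", "V1"},             set()),
    220: ("ADD_NAS",               {"VN", "V1", "V2", "V3"},    set()),
    221: ("SET_NAS_FLAG",          {"VN", "V1"},                set()),
    222: ("DEL_HOST",              {"VN"},                      set()),
    240: ("ADD_PROXY",             {"VN", "V1", "V2", "V3"},    set()),
}
NAS_FLAGS = {"FLAG_SINGLE_CONNECT", "FLAG_LOG_KEEP_ALIVE", "FLAG_LOG_TUNNELS"}
MARKUP_TYPES = {"MARKUP_TYPE_PREFIX", "MARKUP_TYPE_SUFFIX"}
COLUMNS = ("Action", "UN", "GN", "VN", "V1", "V2", "V3", "AI")


def row(action: int, UN: Optional[str] = None, GN: Optional[str] = None,
        VN: Optional[str] = None, V1: Optional[str] = None,
        V2: Optional[str] = None, V3: Optional[str] = None,
        AI: Optional[str] = None) -> dict:
    """One accountActions row.  None becomes SQL NULL, meaning 'not set'
    (the value is not processed); an empty string is a real, set value."""
    return dict(zip(COLUMNS, (action, UN, GN, VN, V1, V2, V3, AI)))


def validate(r: dict) -> List[str]:
    """Problems with a row; an empty list means the row may be imported."""
    problems: List[str] = []
    if r["UN"] is not None and r["GN"] is not None:
        problems.append("UN and GN both set; a row targets a user or a group")
    spec = ACTION_SPEC.get(r["Action"])
    required = spec[1] if spec else {"UN|GN"}
    for col in sorted(required):
        if col == "UN|GN":
            if r["UN"] is None and r["GN"] is None:
                problems.append("neither UN nor GN set")
        elif r[col] is None:
            problems.append(f"{col} required by action {r['Action']} is NULL")
    if r["Action"] == 221 and r["V1"] not in NAS_FLAGS:
        problems.append(f"unknown per-AAA-client flag {r['V1']!r}")
    if r["Action"] == 240 and r["V1"] not in MARKUP_TYPES:
        problems.append(f"unknown markup type {r['V1']!r}")
    return problems


def example_rows() -> List[dict]:
    """Table G-11's rows for fred, then rows after the Table G-5/G-6 examples.
    Addresses (RFC 5737 ranges), vendor, secret and 174's V1 are constructed."""
    return [
        row(110, UN="fred", V1="PASS_STATUS_EXPIRES"),
        row(112, UN="fred", V1="10"),          # disable after 10 failed attempts
        row(113, UN="fred", V1="19991231"),    # expires after this date
        row(114, UN="fred", V1="50"),
        row(115, UN="fred", V1="50"),
        row(120, UN="fred", V1="ACCESS_PERMIT"),
        row(121, UN="fred", V1="ACCESS_DENY"),
        row(170, UN="fred", V1="ppp", V2="ip"),   # must precede the 172 row
        row(172, UN="fred", VN="route", V1="ppp", V2="ip", V3="192.0.2.0 255.255.255.0"),
        row(174, GN="Group 1", VN="telnet", V1="permit"),
        row(176, GN="Group 1", VN="telnet", V1="permit", V2="192.0.2.10"),
        row(220, VN="nas01", V1="198.51.100.1", V2="example-shared-secret", V3="Cisco IOS"),
        row(221, VN="nas01", V1="FLAG_SINGLE_CONNECT"),
        row(240, VN="@example.com", V1="MARKUP_TYPE_SUFFIX", V2="TRUE", V3="TRUE"),
    ]


def load(conn: sqlite3.Connection, rows: List[dict]) -> int:
    """Create accountActions and insert the rows; every row is validated first
    so a half-written import is never left for CSDBSync to pick up."""
    bad = [(r["Action"], validate(r)) for r in rows if validate(r)]
    if bad:
        raise ValueError(f"rejected rows: {bad}")
    conn.execute("CREATE TABLE IF NOT EXISTS accountActions (Action INTEGER, UserName TEXT,"
                 " GroupName TEXT, ValueName TEXT, Value1 TEXT, Value2 TEXT, Value3 TEXT, AppId TEXT)")
    conn.executemany("INSERT INTO accountActions VALUES (?,?,?,?,?,?,?,?)",
                     [tuple(r[c] for c in COLUMNS) for r in rows])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM accountActions").fetchone()[0]


def demo() -> Tuple[int, int, int]:
    """Load the example rows into memory; return (rows inserted,
    rows whose Value2 is NULL i.e. not set, rows whose Value2 is '')."""
    conn = sqlite3.connect(":memory:")
    n = load(conn, example_rows())
    null = conn.execute("SELECT COUNT(*) FROM accountActions WHERE Value2 IS NULL").fetchone()[0]
    empty = conn.execute("SELECT COUNT(*) FROM accountActions WHERE Value2 = ''").fetchone()[0]
    return n, null, empty


if __name__ == "__main__":
    print(demo())   # (14, 9, 0)
```

The validation is deliberately done before any row is written: an import that fails halfway leaves the user database in a state that is hard to reason about, and action 200 is the only documented way to start over. The NULL-versus-empty-string distinction matters for the same reason; the nine rows whose Value2 is NULL are not processed for that column at all, which is what the attribute tables mean by "not set".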
Appendix H Cisco Secure ACS Internal Architecture

Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) is designed to be modular and flexible to fit the needs of both simple and large networks. This appendix describes the Cisco Secure ACS architectural components.
Windows NT/2000 Environment Overview

This section gives a brief overview of essential Windows NT/2000 concepts that relate to Cisco Secure ACS as a service of Windows NT/2000.

Windows NT/2000 Services

All Cisco Secure ACS services can be started, stopped, and restarted from the Windows NT/2000 Services window. The Cisco Secure ACS service names are prefixed with the letters CS.
CSAdmin

CSAdmin is the service for the internal web server. Cisco Secure ACS does not require a third-party web server; it is equipped with its own internal server. After Cisco Secure ACS is installed, you must configure it from its HTML interface, which means that CSAdmin must be running while you configure Cisco Secure ACS.
CSAuth

Cisco Secure ACS can check the user database to authenticate first-time logins. If the username is not in the CiscoSecure user database, Cisco Secure ACS does not deny authentication yet; it forwards the request to the configured unknown user database to see whether that database can authenticate the user. If it can, authentication is granted.

Note: With unknown user databases such as Windows NT/2000 and Novell NDS, only PAP passwords are supported.
...verify the username and token-card password. The token server then returns a response approving or denying validation. If the response is approval, CSAuth knows that authentication should be granted for the user.

• Generic LDAP: Cisco Secure ACS supports authentication of users against records kept in a directory server through the Lightweight Directory Access Protocol (LDAP).
CSDBSync

CSDBSync is the service used to synchronize the Cisco Secure ACS database with third-party RDBMS systems; it is an alternative to using the ODBC dynamic link library (DLL). Starting with Version 2.4, CSDBSync also synchronizes AAA client, AAA server, network device group (NDG), and Proxy Table information. For information on relational database management system (RDBMS) synchronization, see the "RDBMS Synchronization" section on page 8-24.
• TACACS+ Administration: contains the log files of TACACS+ administration events
• VoIP Accounting: contains the log files of successful authentication and authorization activity for Voice over IP (VoIP) users

CSMon

CSMon is a service provided as part of Cisco Secure ACS that minimizes down time in a remote access network environment.
  • Available space on the Cisco Secure ACS installation drive
  • Processor utilization
  • Physical memory utilization
  All events related to generic host system state are categorized as "warning events".
• Application-specific performance
  – Application viability: CSMon periodically performs a test login using a special built-in test account (the default period is one minute).
...immediate warning of "brute force" attacks by alerting the administrator to a large number of accounts becoming disabled. It also helps a support help desk anticipate problems with individual users gaining access.

Recording

CSMon records all exception events in logs that you can use to diagnose problems.
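The brute-force signal described above, written out as detection logic. This is an added example, not Cisco's code and not the layout of any CSMon or ACS log; the CSV export it reads is constructed for the example and its columns are an assumption. It slides a time window over account-disabled events, raises one alert when the number of distinct accounts disabled inside the window reaches a threshold, and stays quiet for the single user who locks out his own account, which is the help-desk case the text distinguishes from an attack.

```python
"""Added example; not Cisco's code and not the CSMon log format.

Reads a constructed CSV export of authentication events (layout assumed),
finds every sliding window in which at least `threshold` distinct accounts
were disabled, and reports each burst once.  A lone user locking out his own
account never trips the alert.
"""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Tuple

DISABLED = "Account disabled"

# Constructed sample: one user fumbling a password at 09:00, then a burst of
# lockouts through one AAA client that looks like a password-guessing run.
SAMPLE_LOG = """\
timestamp,user,nas,event
2001-11-05 09:00:12,alice,NAS01,Authen failed
2001-11-05 09:00:20,alice,NAS01,Authen failed
2001-11-05 09:01:03,alice,NAS01,Account disabled
2001-11-05 13:10:01,bob,NAS02,Account disabled
2001-11-05 13:10:05,carol,NAS02,Account disabled
2001-11-05 13:10:09,dave,NAS02,Account disabled
2001-11-05 13:10:14,erin,NAS02,Account disabled
2001-11-05 13:10:20,frank,NAS02,Account disabled
2001-11-05 13:10:25,bob,NAS02,Account disabled
"""

Event = Tuple[datetime, str, str, str]   # (time, user, nas, event)


def parse(text: str) -> List[Event]:
    """Parse the CSV export into (time, user, nas, event) tuples, oldest first."""
    rows = csv.DictReader(StringIO(text))
    events = [(datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"),
               r["user"], r["nas"], r["event"]) for r in rows]
    return sorted(events)


def disabled_bursts(events: List[Event], window: timedelta = timedelta(minutes=5),
                    threshold: int = 5) -> List[Tuple[datetime, List[str]]]:
    """Windows of length `window` in which >= `threshold` distinct accounts were
    disabled.  Each burst is reported once, keyed by its first lockout."""
    disables = [(t, u) for t, u, _, ev in events if ev == DISABLED]
    alerts: List[Tuple[datetime, List[str]]] = []
    i = 0
    while i < len(disables):
        start = disables[i][0]
        j = i
        while j < len(disables) and disables[j][0] - start <= window:
            j += 1
        users = sorted({u for _, u in disables[i:j]})
        if len(users) >= threshold:
            alerts.append((start, users))
            i = j                       # skip the rest of this burst
        else:
            i += 1
    return alerts


def disabled_by_nas(events: List[Event]) -> Dict[str, int]:
    """Lockouts per AAA client: the view that separates one confused user
    from a client whose user population is being sprayed."""
    return dict(Counter(nas for _, _, nas, ev in events if ev == DISABLED))


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for start, users in disabled_bursts(evs):
        print(f"WARNING {start}: {len(users)} accounts disabled within 5 min: {users}")
    print(disabled_by_nas(evs))         # {'NAS01': 1, 'NAS02': 6}
```

Counting distinct accounts rather than raw events is the point: bob is locked out twice in the sample, and a threshold on event count would both over-react to one noisy account and under-report a run that touches many. The per-AAA-client tally is what a help desk wants next, because a burst confined to one client points at where the guessing is coming from.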
CSMon responds to an event by logging it, sending notifications (if configured) and, if the event is a failure, taking action. There are two types of actions:
  – Predefined actions: these are hard-coded into the program and are always carried out when a triggering event is detected. Because they are hard-coded, they are integral to the application and do not need to be configured.
• Script to execute in the event of a failure event: these scripts are normally standard Windows NT/2000 .BAT batch command files, but you can use any executable in the Program Files\CiscoSecure ACS v2.6\CSMon\Scripts directory.
• Windows NT/2000 Event Log enable/disable: by default, CSMon logs events to the Windows NT/2000 Event Log, but you can disable this function. CSV logging cannot be disabled.
CSTacacs and CSRadius

...does not need to be disabled. See Appendix C, "TACACS+ Attribute-Value Pairs," for more information on TACACS+ AV pairs, or Appendix D, "RADIUS Attributes," for more information on RADIUS AV pairs.
INDEX overview 4-15 A primary 8-7 AAA replicating 8-7 definition 1-1 secondary 8-7 pools troubleshooting A-1 IP addresses assigned from 7-12 AAA clients access devices 1-5 accessing Cisco Secure ACS adding and configuring 4-9 how to 1-26 definition 1-5 URL 1-24 deleting 4-14 access policies editing 4-12 interaction with AAA servers 1-5 in Administration Control 10-10 account disablement IP Pools 7-12 Account Disabled check box 7-6 supported Cisco AAA clients 1-2 setting options for
Index ACS backups See backups ACS service management event logging configuring 8-51 overview 8-48 system monitoring configuring 8-50 custom actions 8-50 ACS Service Monitoring log administrative access policies 2-14 administrators adding 10-6 deleting 10-9 editing 10-7 troubleshooting A-2 age-by-date rules in Group Setup 6-23 ARAP compatible databases 1-9 CSV file directory 9-35 in User Setup 7-6 overview 9-18 protocol supported 1-10 viewing 9-20 ACS system restore See restore ASCII/PAP compatible d
Index overview 1-7 authorization overview 1-15 AV pairs RADIUS Ascend D-21 Cisco IOS D-3 reports 8-42 scheduled vs. manual 8-40 scheduling 8-43 vs. replication 8-11 with CSUtil.
Index CHAP overview 5-13 compatible databases 1-9 in User Setup 7-6 protocol supported 1-10 CHAP/MS-CHAP/ARAP in User Setup 7-6 Cisco.com PIX command authorization sets 5-13 command-line database utility See CSUtil.
Index CSTacacs H-11 databases CSUtil.
Index unknown users 12-1 DHCP with IP pools 8-53 user See CiscoSecure user database Windows NT user database See Windows NT/2000 operating systems data source name for RDMBS synchronization 8-34 data source names using with ODBC databases 11-30, 11-42 date format control in System Configuration 8-3 dial-in troubleshooting A-6 dial-up networking clients 11-9 digital certificates See certification Disabled Accounts report overview 9-14 viewing 9-14 distributed systems DbSync log directory 9-16 AAA serve
Index downloadable PIX ACLs exception events H-9 monitoring system health H-7 adding 5-3 assigning to groups 6-27 event logging assigning to users 7-22 configuring 8-51 configuring 5-3 exception events H-9 deleting 5-5 exports enabling in interface with CSUtil.
Index finding users 7-52 firewalls configuring RADIUS settings for See RADIUS administering AAA servers through 1-19 Default Group 6-2 troubleshooting A-16 enabling VoIP support for 6-4 listing all users in 6-48 mapping order 12-20 G mappings 12-10, 12-13 gateways F-3 multiple mappings 12-13 generic LDAP user databases no access groups authentication 11-14 for group set mappings 12-14 configuring 11-19 overriding settings 3-2 directed authentications 11-17 relationship to users 3-2 mappin
Index sort order within group mappings 12-13 specification by ODBC authentication 11-37, 11-39 TACACS+ settings in 6-2 installation related documentation xxxi system requirements 2-2 troubleshooting A-13 Interface Configuration H advanced options 3-4 configuring 3-1 handle counts H-8 customized user data fields 3-3 hard disk space H-7 security protocol options 3-9 hardware requirements 2-2 IP addresses Help 1-23 in User Setup 7-11 host system state H-7 requirement for CSTacacs and CSRadius H-
Index overview 9-30 L See also logs LAN manager 1-11 See also reports LEAP proxy RADIUS user databases service logs configuring external databases 11-45 group mappings 12-10 configuring 9-35 services RADIUS-based group specification 12-21 list all users list of logs generated 9-34 system logs 9-15 in Group Setup 6-48 troubleshooting A-14 in User Setup 7-51 user-defined attributes 9-2 Logged-In Users report deleting logged-in users 9-12 overview 9-11 viewing 9-11 logging watchdog packets 9-3
Index M N mappings NAR database groups to AAA groups 12-13 database to AAA groups 12-10 master AAA servers 8-7 max sessions enabling in interface 3-5 in Group Setup 6-11 in User Setup 7-17 overview 1-16 troubleshooting A-13 memory utilization H-8 Microsoft Access H-5 Microsoft SQL Server H-5 monitoring See network access restrictions NAS See AAA clients NDG See network device groups NDS See Novell NDS user databases network access filters See network access restrictions network access quotas overview
Index network access servers O See AAA clients Network Configuration 4-1 network device groups adding 4-21 ODBC features accountActions table 8-28 authentication assigning AAA clients or AAA servers to 4-22 CHAP 11-34 configuring 4-20 PAP 11-33 deleting 4-24 result codes 11-39 overview 11-30 enabling in interface 3-6 case-sensitive passwords 11-34 overview 1-20 CHAP authentication reassigning AAA clients or AAA servers to 4-23 renaming 4-23 network requirements 2-4 network topology 2-5 notif
Index type definitions 11-34 interface configuration 3-5 supported databases H-5 rules supported protocols 1-10 in Group Setup 6-20 user databases 11-30 passwords ODBC import definitions G-1 aging ODBC logs See password aging See logging CHAP/MS-CHAP/ARAP 7-8 configurations Online Documentation caching 1-12 using 1-28 online Help 1-23 inbound passwords 1-12 operating system requirements 2-3 outbound passwords 1-12 outbound passwords separate passwords 1-12 single password 1-12 configu
Index per-group attributes enabling in interface 3-2 troubleshooting A-12 Proxy Distribution Table per-user attributes adding entries 4-26 enabling in interface 3-2 configuring 4-25 TACACS+/RADIUS in Interface Configuration 3-4 default entry 4-3, 4-25 deleting entries 4-29 PIX ACLs editing entries 4-28 See downloadable PIX ACLs match order sorting 4-28 PIX command authorization sets overview 4-25 See command authorization sets PIX Firewalls troubleshooting A-16 port 2002 H-2 Q quotas port a
Index IETF vendor-proprietary D-10 RADIUS VSAs overview D-1 Ascend See also RADIUS VSAs in Group Setup 6-37 interface configuration 3-14 Cisco Aironet in User Setup 7-39 in Network Configuration 4-10 IETF Cisco Aironet in Group Setup 6-34 in Group Setup 6-16 interface configuration 3-12 in User Setup 7-37 in User Setup 7-37 Cisco BBSM interface configuration overview 3-10 in Group Setup 6-45 See also RADIUS VSAs in User Setup 7-48 specifications 1-6 supported attributes D-9 troublesho
Index in User Setup 7-49 Juniper disabling 8-39 enabling in interface 3-5 in Group Setup 6-44 overview 8-24 interface configuration 3-19, 3-20 partners 8-35 in User Setup 7-47 report and error handling 8-29 supported attributes D-30 Microsoft RDBMS Synchronization log CSV file directory 9-16 in Group Setup 6-41 overview 9-16 interface configuration 3-17 viewing 9-20 in User Setup 7-44 README.TXT xxxi supported attributes D-18 REBOOT.
Index configuring 8-20 request handling corrupted backups (Caution) 8-12 general 12-3 disabling 8-23 Windows NT/2000 user databases 12-4 frequency 8-10 requirements important considerations 8-10 hardware 2-2 in System Configuration 8-20 network 2-4 interface configuration 3-5 operating system 2-3 logging 8-12 system 2-2 master AAA servers 8-7 third-party software 2-3 messages B-6 resource consumption H-8 notifications 8-23 RESTART_ALL_SERVICES.
Index overview H-2 S starting 8-2 SafeWord user databases configuring 11-54 group mappings 12-10 search order stopping 8-2 session policies configuring 10-14 options 10-13 external user databases 12-8 security policies 2-14 security protocols overview 10-13 shared profile components overview 5-1 Cisco AAA client devices 1-2 See also command authorization sets CSRadius H-11 See also network access restrictions CSTacacs H-11 shared secret H-11 interface options 3-9 shell command authorization se
Index states H-9 static IP addresses 7-11 system monitored events B-2 system monitoring stopping services 8-2 stored procedures See monitoring system requirements 2-2 CHAP authentication configuring 11-43 input values 11-38 output values 11-38 T TAC result codes 11-39 accessing xxxiv implementing 11-33 overview xxxiv PAP authentication configuring 11-43 input values 11-36 output values 11-37 result codes 11-39 sample procedures 11-35 TACACS+ Accounting log See TACACS+ Accounting log Administrati
Index outbound passwords in User Setup 7-35 SENDAUTH 1-13 settings Technical Assistance Center See TAC Telnet password aging 6-20 in Group Setup 6-2 in User Setup 7-24 test login frequency internal testing H-10 specifications 1-6 third-party software requirements 2-3 time-of-day access 3-8 thread used H-8 troubleshooting A-18 time-of-day/day-of-week specification vs.
Index token caching 11-48 Vasco 11-49 topology See network topology troubleshooting administration issues A-2 browser issues A-3 Cisco IOS issues A-4 unknown users handling method 12-1 network access authorization 12-7 upgrading troubleshooting A-13 usage quotas in Group Setup session-based 6-13 database issues A-5 in Interface Configuration 3-5 debug logs 9-34, A-11 in User Setup 7-19 dial-in issues A-6 overview 1-16 installation issues A-13 resetting max sessions issues A-13 for groups 6-49 P
Index network access restriction sets configuring 7-2 enabling in interface 3-4 deleting user accounts 7-54 See also network access restrictions saving settings 7-56 Users in Group button users in Group Setup 6-48 adding 7-5 assigning client IP addresses to 7-11 assigning to a group 7-9 configuring 7-2 configuring shell command authorization sets for 7-26 customized data fields 3-3 deleting 9-12 deleting accounts 7-54 disabling accounts 7-6 finding 7-52 in multiple databases 12-4 in multiple domain
Index ODBC 9-27 CSV file directory 9-9 enabling CSV 9-19 ODBC 9-27 viewing 9-20 VPDN advantages 2-11 authentication order 12-5 Cisco Secure ACS-related services See services dial-up networking clients domain field 11-9 password field 11-9 username field 11-9 domains authentication process F-1 domain names 11-11, 12-4 domain authorization F-2 mappings 12-17 home gateways F-3 trusted 11-8, 11-11 IP addresses F-3 environment overview H-2 tunnel IDs F-3 Event logs H-9 users F-2 grant dial-in permi
Index passwords 1-10 supported databases H-4 user manager 11-12