CiscoSecure ACS 2.3 for UNIX Installation Guide
Product Number DOC-CSASC2.3UX-IG=
Use this guide to install the following CiscoSecure Access Control Server (ACS) products:
• CiscoSecure ACS 2.3 for UNIX (CSU-2.3)—Installs a new CiscoSecure ACS 2.3 for UNIX site without the optional Distributed Session Manager (DSM) module licensed or enabled.
• CiscoSecure ACS 2.3 for UNIX Distributed Session Manager (CSU-2.3-DSM)—Installs a new CiscoSecure ACS 2.
Table 1 Sections of this Document
Section | Description
Accessing CiscoSecure ACS 2.3 for UNIX Documentation, page xxiv | This section lists the online and printed sources of CiscoSecure documentation.
Installing without a CD-ROM, page xxv | Read this section if you intend to install CiscoSecure ACS on a workstation with no CD-ROM.
Manually Enabling Profile Cache Updating, page xxvi | Read this section if you intend to run third-party programs that directly edit the CiscoSecure profile database.
Considerations Before You Install CiscoSecure ACS
Before you begin, consider the following situations and steps you must take before starting the basic installation procedures in the next section.
Table 2 Considerations Before You Install CiscoSecure ACS
Consideration
• If you are installing the product CiscoSecure ACS 2.
Basic Installation Procedures
Table 2 Considerations Before You Install CiscoSecure ACS
Consideration
• If you plan to install more than one CiscoSecure ACS, and have your users authenticated from a common replicated profile database or
Requirements
You need to purchase and preinstall Oracle Enterprise or Sybase Enterprise software for each of your CiscoSecure ACSes.
Check System Requirements
The network components that interact with CiscoSecure ACS 2.
• Solaris 2.6, or Solaris 2.5.1 with patches (see “Solaris 2.5.1 Patches,” page xiv for special instructions concerning Solaris 2.5.1)
Note To check your version of Solaris, enter the Solaris command uname -a. If the system returns 5.5.1, Solaris 2.5.1 is installed. If the system returns 5.6, Solaris 2.6 is installed.
Note To support the RADIUS tunneling feature of CiscoSecure ACS 2.
Obtain a CiscoSecure Software License Key
Database Installation Requirements
To support CiscoSecure database requirements, you can use either the supplied SQLAnywhere database engine or supported versions of your own preinstalled Oracle Enterprise or Sybase Enterprise software running on your network.
Prepare Your Answers to the Installation Questions
If you are installing CiscoSecure ACS for the first time on this Ultra 1 workstation:
Step 1 At the Ultra 1 workstation where you want to install CiscoSecure ACS, enter the hostid command to obtain the host ID of the system host. For example:
    # /usr/ucb/hostid
    55412315
Step 2 Note the host ID for the primary and backup CiscoSecure ACS systems.
• IP Address to use for CiscoSecure. ______________________
The default is the primary IP address of the server on which you are installing the CiscoSecure ACS. For single server installation, use the default; otherwise, specify the address of the first ACS.
• Enter the AAA Server License Key. ______________________
Specify the software license key code that you received from Cisco.
• Choose a Database: (1. SQLAnywhere, 2. Oracle Enterprise, 3. Sybase Enterprise) _______________________
Specify the database for AAA data. SQLAnywhere is the default choice and is supplied with CiscoSecure ACS. Oracle Enterprise or Sybase Enterprise support requires that those products already be installed and accessible on your network during CiscoSecure installation.
If no directory is specified, the root directory of the system will be used for profile caching.
Install and Start CiscoSecure ACS
Step 1 Log in as [Root] at the Ultra 1 workstation where you want to install CiscoSecure ACS.
If You Licensed and Installed CiscoSecure with DSM, Enable DSM
After starting CiscoSecure ACS, access the CiscoSecure Administrator web site to perform some initial configuration:
Note If you do not have access to the CiscoSecure Administrator web site, you can enable the DSM module by carefully editing the CSU.cfg and CSConfig.ini files. See “Editing Configuration Files to Enable or Disable the DSM Module,” page xxx.
Solaris 2.5.1 Patches
What’s Next
The CiscoSecure ACS 2.3 for UNIX User Guide provides information about what to do next.
• If you are using CiscoSecure ACS for the first time, go to the CiscoSecure ACS 2.3 for UNIX User Guide chapter “Configuring Initial Test Group and User Profiles” for a tutorial on setting up an initial test user profile.
• If you are familiar with earlier versions of CiscoSecure, go to the CiscoSecure ACS 2.
Upgrading from CiscoSecure ACS 2.x to 2.3
Note Step 1 If you want CiscoSecure ACS 2.3 for UNIX with the DSM module installed, first follow this procedure to upgrade to version 2.3. Then use the CiscoSecure ACS Distributed Session Manager Option product to license and enable the DSM module. To support DSM, make sure that an Oracle or Sybase RDBMS is installed for CiscoSecure prior to running the CiscoSecure upgrade installation program.
Step 7 Step 8 During installation, enter your old software license key (either primary or backup) when prompted by the installer and complete the installation.
Note If you did not enter the software key value at the time of installation, you can specify it after installation in the CiscoSecure License Key field in the CiscoSecure ACS AAA General web page.
Upgrading CiscoSecure at Sites with a Non-Updatable Replicated Database
Step 9 (Optional) After installation, if you saved your old CSU.cfg file as described in step 3, you can cut and paste your old settings from your old CSU.cfg file to the new CSU.cfg file to restore your original ACS debug level, TACACS+ NAS configurations, and supported authentication methods settings.
Activating the DSM Module on an Existing CiscoSecure ACS 2.3
If you are using the product labeled CiscoSecure ACS Distributed Session Manager Option (CSU-DSM) to enable the Distributed Session Manager module on an already existing CiscoSecure ACS 2.
Setting Up an Oracle Database for CiscoSecure
Note If you are installing and supporting the per user, per group, and per VPDN session limitation features of the optional CiscoSecure Distributed Session Manager feature, you must configure your Oracle databases for database replication.
Oracle software is not bundled with CiscoSecure ACS.
Oracle Information Required During CiscoSecure Installation
• CiscoSecure ACS requires an Oracle user database account setup prior to the CiscoSecure installation:
– This user account must have a privilege to create/drop tables (Connect and Resource privilege).
– This user account should also have Select privilege on two of Oracle’s system views: sys.dba_free_space and sys.dba_users.
Troubleshooting if the CiscoSecure Installation Fails to Access your Oracle Database
Note If you intend to set up CiscoSecure with Oracle database replication, Cisco recommends that you read the PDF document Using CiscoSecure with Oracle’s Distributed Database Feature (filename csbsdoc.pdf) before you install the Oracle or CiscoSecure software. This document is located in the $BASEDIR/FastAdmin/docs directory of the CiscoSecure distribution CD-ROM.
Setting Up a Sybase Enterprise SQL Server for CiscoSecure
If you intend to use a Sybase Enterprise database with CiscoSecure ACS, make sure the Sybase Enterprise SQL server meets the following requirements.
Sybase Setup Requirements Prior to CiscoSecure Installation
Before you install CiscoSecure:
• SQL server should be version 11.0.2 or higher.
If CiscoSecure Installation Does Not Update the Sybase Database
The CiscoSecure installation might fail to update the Sybase Enterprise database for early CiscoSecure for UNIX 2.x versions.
Accessing CiscoSecure ACS 2.3 for UNIX Documentation
After you install the CiscoSecure ACS 2.3 for UNIX software, the following documentation is available to you in several formats and several locations:
• Printed documents included with the CiscoSecure ACS 2.3 for UNIX product package include:
– CiscoSecure ACS 2.
Installing without a CD-ROM
To access—While running the CiscoSecure ACS Administrator web pages, click Help, click User Guide and then click the PDF icon on the Contents page of the CiscoSecure ACS 2.3 for UNIX User Guide. You need Adobe Acrobat Reader installed on your system. Free copies of the Acrobat Reader can be downloaded from the Adobe web site: http://www.adobe.
Manually Enabling Profile Cache Updating
Step 11 Obtain your server license key and answer the preinstallation questions according to the instructions in the section “Basic Installation Procedures,” page iv.
Note Step 12 Do not enter the pkgadd -d/cdrom/csus_23 CSCEacs string to start the installation program.
CiscoSecure System Description
The CiscoSecure ACS 2.3 for UNIX software provides authentication, authorization, and accounting services on users dialing in to the network through TACACS+ or RADIUS based network access servers (NASes).
Basic CiscoSecure Components
Basic network components that interact with CiscoSecure ACS are shown in Figure 1.
Multiple CiscoSecure ACS Installation
Table 3 Basic CiscoSecure Components
Node | Description
CiscoSecure Profile database | The profile database contains the authentication, authorization, and accounting information for each of your users and groups. Each CiscoSecure ACS requires a relational database management system (RDBMS) engine installed to store, retrieve, and maintain this information.
Distributed Session Manager Features
In order to support database replication among your ACSes, you need to purchase and preinstall Oracle Enterprise or Sybase Enterprise RDBMS software at each ACS database site where you want replication of the CiscoSecure profile database to be carried out.
The per user, per group, or per VPDN maximum session limit feature of the CiscoSecure ACS 2.3 for UNIX with DSM package requires you to configure profile database replication.
Editing Configuration Files to Enable or Disable the DSM Module
Caution
• After installation or upgrade, you needed to log in to the CiscoSecure Administrator web site, locate the Max Sessions Enabled field in the AAA General web page, select Distributed to activate the DSM module, and restart the CiscoSecure ACS server.
• You needed to confirm that the AAA accounting functions are enabled on the client NASes. See the CiscoSecure ACS 2.
Editing CSU.cfg to Specify a CiscoSecure Software License Key
Table 4 Type of Max Sessions Editing Configuration Files to Enable or Disable the DSM CSU.
Obtaining Documentation
Step 3 After changing the software license key, stop and restart CiscoSecure ACS for your changes to the CSU.cfg file to take effect.
• Log in as [Root] to the Ultra 1 workstation where you installed CiscoSecure ACS. To stop CiscoSecure ACS, enter:
    # /etc/rc0.d/K80CiscoSecure
• To restart CiscoSecure ACS, enter:
    # /etc/rc2.
Obtaining Technical Assistance
Cisco Connection Online
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. You can e-mail your comments to bug-doc@cisco.com. To submit your comments by mail, for your convenience many documents contain a response card behind the front cover.