Page 1 User Guide for Cisco Secure ACS for Windows Server Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7814696= Text Part Number: 78-14696-01...
Page 2 Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.;...
Page 3 The Cisco Secure ACS Paradigm Cisco Secure ACS Specifications System Performance Specifications Cisco Secure ACS Windows Services AAA Server Functions and Concepts Cisco Secure ACS and the AAA Client User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 4: Table Of Contents
Network Environments and Remote Administrative Sessions 1-27 Remote Administrative Sessions and HTTP Proxy 1-27 Remote Administrative Sessions through Firewalls 1-28 Remote Administrative Sessions through a NAT Gateway 1-28 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 5 Administrative Access Policy 2-14 Separation of Administrative and General Users 2-16 Database 2-17 Number of Users 2-17 Type of Database 2-17 Network Latency and Reliability 2-18 Suggested Deployment Sequence 2-18 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 6 Per-User or Per-Group Features User Data Configuration Options Defining New User Data Fields Advanced Options Setting Advanced Options for the Cisco Secure ACS User Interface Protocol Configuration Options for TACACS+ Setting Options for TACACS+ Protocol Configuration Options for RADIUS 3-10...
Page 7 Setting Up and Managing Shared Profile Components C H A P T E R About Shared Profile Components Downloadable PIX ACLs About Downloadable PIX ACLs Downloadable PIX ACL Configuration Adding a Downloadable PIX ACL User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 8 Setting Max Sessions for a User Group 6-11 Setting Usage Quotas for a User Group 6-13 Configuration-specific User Group Settings 6-15 Setting Token Card Settings for a User Group 6-16 User Guide for Cisco Secure ACS for Windows Server viii 78-14696-01, Version 3.1...
Page 9 Configuring Cisco Aironet RADIUS Settings for a User Group 6-39 Configuring Ascend RADIUS Settings for a User Group 6-41 Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-42 Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User...
Page 10 RADIUS Attributes 7-37 Setting IETF RADIUS Parameters for a User 7-38 Setting Cisco IOS/PIX RADIUS Parameters for a User 7-39 Setting Cisco Aironet RADIUS Parameters for a User 7-40 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 11 Contents Setting Ascend RADIUS Parameters for a User 7-42 Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-43 Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-45 Setting Microsoft RADIUS Parameters for a User 7-46 Setting Nortel RADIUS Parameters for a User...
Page 12 RDBMS Synchronization Components 8-33 About CSDBSync 8-33 About the accountActions Table 8-34 Cisco Secure ACS Database Recovery Using the accountActions Table 8-36 Reports and Event (Error) Handling 8-37 Preparing to Use RDBMS Synchronization 8-37 User Guide for Cisco Secure ACS for Windows Server...
Page 13 Restoring Cisco Secure ACS from a Backup File 8-54 Cisco Secure ACS Active Service Management 8-55 System Monitoring 8-56 System Monitoring Options 8-56 Setting Up System Monitoring 8-57 User Guide for Cisco Secure ACS for Windows Server xiii 78-14696-01, Version 3.1...
Page 14 Editing the Certificate Trust List 8-77 Generating a Certificate Signing Request 8-78 Updating or Replacing a Cisco Secure ACS Certificate 8-80 Global Authentication Setup 8-81 Configuring Authentication Options 8-81 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 15 Configuring an ODBC Log 9-20 Remote Logging 9-23 About Remote Logging 9-23 Implementing Centralized Remote Logging 9-24 Remote Logging Options 9-25 Enabling and Configuring Remote Logging 9-26 Disabling Remote Logging 9-28 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 16 About External User Databases 11-4 Authenticating with External User Databases 11-5 External User Database Authentication Process 11-6 Windows NT/2000 User Database 11-7 What’s Supported with Windows NT/2000 User Databases 11-8 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 17 Contents The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases 11-9 Trust Relationships 11-9 Windows Dial-up Networking Clients 11-10 Windows Dial-up Networking Clients with a Domain Field 11-10 Windows Dial-up Networking Clients without a Domain Field 11-11 Windows Authentication...
Page 18 Configuring a RADIUS Token Server External User Database 11-60 RSA SecurID Token Servers 11-64 Configuring an RSA SecurID Token Server External User Database 11-65 Deleting an External User Database Configuration 11-66 User Guide for Cisco Secure ACS for Windows Server xviii 78-14696-01, Version 3.1...
Page 19 12-11 Database Group Mappings 12-11 Group Mapping by External User Database 12-12 Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 12-13 Group Mapping by Group Set Membership 12-14 Group Mapping Order...
Page 20 Cisco IOS AV Pair Dictionary TACACS+ AV Pairs TACACS+ Accounting AV Pairs RADIUS Attributes A P P E N D I X Cisco IOS Dictionary of RADIUS AV Pairs User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 21 Restoring Cisco Secure ACS with CSUtil.exe Creating a CiscoSecure User Database Creating a Cisco Secure ACS Database Dump File Loading the Cisco Secure ACS Database from a Dump File Compacting the CiscoSecure User Database D-11 User and AAA Client Import Option...
Page 22 A P P E N D I X VPDN Process RDBMS Synchronization Import Definitions A P P E N D I X accountActions Specification accountActions Format accountActions Mandatory Fields accountActions Processing Order User Guide for Cisco Secure ACS for Windows Server xxii 78-14696-01, Version 3.1...
Page 23 A P P E N D I X Windows 2000 Services Windows 2000 Registry CSAdmin CSAuth CSDBSync CSLog CSMon Monitoring Recording Notification Response CSTacacs and CSRadius N D E X User Guide for Cisco Secure ACS for Windows Server xxiii 78-14696-01, Version 3.1...
Page 24 Contents User Guide for Cisco Secure ACS for Windows Server xxiv 78-14696-01, Version 3.1...
Page 25 Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 User Guide. Document Objective This document will help you configure and use Cisco Secure ACS and its features and utilities. Audience This publication is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.
Page 26 Preface Organization Organization The Cisco Secure ACS user guide is organized into the following chapters: • Chapter 1, “Overview of Cisco Secure ACS.” An overview of Cisco Secure ACS and its features, network diagrams, and system requirements. Chapter 2, “Deploying Cisco Secure ACS.”...
Page 27 This guide also comprises the following appendixes: • Appendix A, “Troubleshooting Information for Cisco Secure ACS.” How to identify and solve certain problems you might have with Cisco Secure ACS. Appendix B, “TACACS+ Attribute-Value Pairs.” A list of supported •...
Page 28 To see translated versions of the warning, refer to the Regulatory Compliance and Safety document that accompanied the device. User Guide for Cisco Secure ACS for Windows Server xxviii 78-14696-01, Version 3.1...
Page 29: Related Documentation
Online Help contains information for each associated page in the • Cisco Secure ACS HTML interface. Online Documentation is a complete copy of the User Guide for Cisco Secure • ACS for Windows Server. We recommend that you read Release Notes for Cisco Secure ACS for Windows Server Version 3.1.
Page 30: Obtaining Documentation
Obtaining Documentation Obtaining Documentation These sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com • Translated documentation is available at this URL: •...
Page 31: Documentation Feedback
Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site. Cisco.com Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Page 32: Technical Assistance Center
Cisco TAC Web Site You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software.
Page 33 URL to register: http://www.cisco.com/register/ If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL: http://www.cisco.com/tac/caseopen If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.
Page 34 Preface Obtaining Technical Assistance User Guide for Cisco Secure ACS for Windows Server xxxiv 78-14696-01, Version 3.1...
Page 35 C H A P T E R Overview of Cisco Secure ACS This chapter provides an overview of Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1. It contains the following sections: The Cisco Secure ACS Paradigm, page 1-1 •...
Page 36 Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators.
Page 37 Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is using its internal user database and running on a 2.1-GHz Pentium IV server on a 1 GB Ethernet backbone than it can if it is using an external user database and running on a 550-MHz Pentium III server on a 10 MB LAN.
Page 38 If your network has several thousand AAA clients, we recommend using multiple Cisco Secure ACSes and assigning no more than 5000 AAA clients to each Cisco Secure ACS. For example, if you have 20,000 AAA clients, you could use four Cisco Secure ACSes and divide the AAA client load among them so that no single Cisco Secure ACS manages more than 5000 AAA client configurations.
Page 39 Cisco Secure ACS verifies the username and password using the user databases it is configured to query. Cisco Secure ACS returns a success or failure response to the AAA client, which permits or denies user access, based on the response it receives.
Page 40: Aaa Protocols-Tacacs+ And Radius
User access control TACACS+ Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. For more information, refer to the Cisco IOS software documentation or Cisco.com (http://www.cisco.com). RADIUS Cisco Secure ACS conforms to the RADIUS protocol as defined in draft April 1997 and in the following Requests for Comments (RFCs): •...
Page 41: Authentication
• Nortel Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define. After you define a new RADIUS VSA, you can use it as you would one of the RADIUS VSAs that come predefined in Cisco Secure ACS. In the Network Configuration section of the Cisco Secure ACS HTML interface, you can configure a AAA client to use a user-defined RADIUS VSA as its AAA protocol.
Page 42: Authentication Considerations
Network administrators who offer increased levels of security services, and corporations that want to lessen the chance of intruder access resulting from password capturing, can use an OTP. Cisco Secure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node login.
Page 43: Authentication Protocol-Database Compatibility
ActivCard token server • Vasco token server • In addition to the token servers listed above, Cisco Secure ACS supports any token server that provides a RADIUS server interface. For more information about token server support, see Token Server User Databases, page 11-57.
Page 44: Passwords
(for example, RADIUS or TACACS+) and the configuration of the AAA client and end-user client. The following sections outline the different conditions and functions of password handling. User Guide for Cisco Secure ACS for Windows Server 1-10 78-14696-01, Version 3.1...
Page 45 Overview of Cisco Secure ACS AAA Server Functions and Concepts In the case of token servers, Cisco Secure ACS acts as a client to the token server, using either its proprietary API or its RADIUS interface, depending on the token server.
Page 46 Card (GTC). For more information, see About the PEAP Protocol, page 8-72. The architecture of Cisco Secure ACS is extensible with regard to EAP; additional varieties of EAP will be supported as those protocols mature. User Guide for Cisco Secure ACS for Windows Server 1-12 78-14696-01, Version 3.1...
Page 47 External user database authentication—For authentication by an external • user database, the user does not need a password stored in the CiscoSecure user database. Instead, Cisco Secure ACS records which external user database it should query to authenticate the user. Advanced Password Configurations Cisco Secure ACS supports the following advanced password configurations: Inbound passwords—Passwords used by most Cisco Secure ACS users.
Page 48 Password Aging With Cisco Secure ACS you can choose whether and how you want to employ password aging. Control for password aging may reside either in the CiscoSecure user database, or in a Windows NT/2000 user database. Each password aging mechanism differs as to requirements and setting configurations.
Page 49: Other Authentication-Related Features
6-25. User-Changeable Passwords With Cisco Secure ACS, you can install a separate program that enables users to change their passwords by using a web-based utility. For more information about installing user-changeable passwords, see the Installation and User Guide for Cisco Secure ACS User-Changeable Passwords.
Page 50: Max Sessions
Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.
Page 51: Dynamic Usage Quotas
Overview of Cisco Secure ACS AAA Server Functions and Concepts In addition to simple User and Group Max Sessions control, Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the group membership of the user.
Page 52: Support For Cisco Device-Management Applications
For a management application to communicate with Cisco Secure ACS, the management application must be configured in Cisco Secure ACS as a AAA client that uses TACACS+. Also, you must provide the device-management application with a valid administrator name and password.
Page 53: Other Authorization-Related Features
Advanced Options, page 3-4). • Support for Voice over IP (VoIP), including configurable logging of accounting data (see Enabling VoIP Support for a User Group, page 6-4). User Guide for Cisco Secure ACS for Windows Server 1-19 78-14696-01, Version 3.1...
Page 54: Accounting
AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration.
Page 55: Administration
We do not recommend that you administer Cisco Secure ACS through a firewall. Doing so requires that you configure the firewall to permit HTTP traffic over the range of HTTP administrative session ports that Cisco Secure ACS uses.
Page 56: Network Device Groups
Using NDGs enables an organization with a large number of AAA clients spread across a large geographical area to logically organize its environment within Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group;...
Page 57: Cisco Secure Acs Html Interface
Online Help and Online Documentation, page 1-30 About the Cisco Secure ACS HTML Interface After installing Cisco Secure ACS, you configure and administer it through the HTML interface. The HTML interface enables you to easily modify Cisco Secure ACS configuration from any connection on your LAN or WAN.
Page 58: Html Interface Security
Overview of Cisco Secure ACS Cisco Secure ACS HTML Interface The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward.
Page 59: Html Interface Layout
• navigation bar contains the task buttons. Each button changes the configuration area (see below) to a unique section of the Cisco Secure ACS application, such as the User Setup section or the Interface Configuration section. This frame does not change; it always contains the following buttons: –...
Page 60: Uniform Resource Locator For The Html Interface
• where IP address is the dotted decimal IP address of the computer running Cisco Secure ACS and hostname is the hostname of the computer running Cisco Secure ACS. User Guide for Cisco Secure ACS for Windows Server 1-26...
Page 61: Network Environments And Remote Administrative Sessions
Chapter 1 Overview of Cisco Secure ACS Cisco Secure ACS HTML Interface From the server on which Cisco Secure ACS is installed, you can also use the following URLs: http://127.0.0.1:2002 • http://hostname:2002 • where hostname is the hostname of the computer running Cisco Secure ACS.
Page 62: Remote Administrative Sessions Through Firewalls
IP address, included in the content of the HTTP requests. Cisco Secure ACS does not permit this. If Cisco Secure ACS is behind a NAT gateway and the URL used to access the HTML interface specifies the Windows 2000 server running Cisco Secure ACS...
Page 63: Accessing The Html Interface
Step 1 Open a web browser. For a list of supported web browsers, see the Release Notes for the version of Cisco Secure ACS you are accessing. The latest revision to the Release Notes is posted on Cisco.com (http://www.cisco.com). In the Address or Location bar in the web browser, type the applicable URL. For...
Page 64: Online Help And Online Documentation
To jump from the top of the online help page to a particular topic, click the topic name in the list at the top of the page. There are three icons that appear on many pages in Cisco Secure ACS: Question Mark—Many subsections of the pages in the configuration area •...
Page 65: Using The Online Documentation
Cisco Secure ACS. The user guide provides information about the configuration, operation, and concepts of Cisco Secure ACS. The information presented in the online documentation is as current as the release date of the Cisco Secure ACS version you are using. For the most up-to-date documentation about Cisco Secure ACS, please go to http://www.cisco.com.
Page 66 If you want to print the online documentation, click in the display area, and then Step 4 click Print in the navigation bar of your browser. User Guide for Cisco Secure ACS for Windows Server 1-32 78-14696-01, Version 3.1...
Page 67: Chapter 2 Deploying Cisco Secure Acs
Cisco Secure ACS. The complexity of deploying Cisco Secure ACS reflects the evolution of AAA servers in general, and the advanced capabilities, flexibility, and features of Cisco Secure ACS in particular.
Page 68: Basic Deployment Requirements For Cisco Secure Acs
Third-Party Software Requirements, page 2-3 Network Requirements, page 2-4 • System Requirements Your Cisco Secure ACS server must meet the minimum hardware and software requirements detailed in the following sections. Hardware Requirements Your Cisco Secure ACS server must meet the following minimum hardware requirements: Pentium III processor, 550 MHz or faster.
Page 69: Third-Party Software Requirements
Netscape Communicator 6.2 Note To use a web browser to access the Cisco Secure ACS HTML interface, you must enable both Java and JavaScript in the browser. Also, the web browser must not be configured to use a proxy server. For more information about other network...
Page 70: Network Requirements
Dial-in, VPN, or wireless clients must be able to connect to the applicable • AAA clients. The computer running Cisco Secure ACS must be able to ping all AAA • clients. Gateway devices between AAA clients and Cisco Secure ACS must permit •...
Page 71: Basic Deployment Factors For Cisco Secure Acs
Basic Deployment Factors for Cisco Secure ACS Basic Deployment Factors for Cisco Secure ACS Generally, the ease in deploying Cisco Secure ACS is directly related to the complexity of the implementation planned and the degree to which you have defined your policies and requirements. This section presents some basic factors you should consider before you begin implementing Cisco Secure ACS.
Page 72 Figure 2-2 shows an example of a large dial-in arrangement. In this scenario the addition of a backup Cisco Secure ACS is a recommended addition. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 73 If network latency is not an issue, a central Cisco Secure ACS may work but connection reliability over long distances may cause problems. In this case, local Cisco Secure ACSes may be preferable to a central Cisco Secure ACS.
Page 74: Wireless Network
Wireless Network The wireless network access point is a relatively new client for AAA services. The wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN. Authentication is absolutely necessary due to the ease of access to the AP. Encryption is also necessary because of the ease of eavesdropping on communications.
Page 75 APs on the same LAN, they may be distributed throughout the LAN, connected via routers, switches, and so on. In the larger, geographical distribution of WLANs, deployment of Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs (Figure 2-3).
Page 76 WLAN shown in Figure 2-4. This model may apply to a chain of small stores distributed throughout a city or state, nationally, or globally (Figure 2-6). User Guide for Cisco Secure ACS for Windows Server 2-10 78-14696-01, Version 3.1...
Page 77: Remote Access Using Vpn
AP, or whether users require only regional or local network access. Along with database type, these factors control whether local or regional Cisco Secure ACSes are required, and how database continuity is maintained. In this very large deployment model, security becomes a more complicated issue, too.
Page 78 IPSec tunneling protocol. Remote Access VPNs, however, are similar to classic remote connection technology (modem/ISDN) and lend themselves to using the AAA model effectively (Figure 2-8). User Guide for Cisco Secure ACS for Windows Server 2-12 78-14696-01, Version 3.1...
Page 79: Remote Access Policy
ISDN or public switched telephone network (PSTN). Such policies are enforced at the corporate campus with Cisco Secure ACS and the AAA client. Inside the enterprise network, remote access policies can control wireless access by individual employees.
Page 80: Security Policy
IDs, passwords, and privileges. Cisco Secure ACS access policies can be downloaded in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, or by allowing access during specific periods, or on specific access servers.
Page 81 The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, Cisco Secure ACS can be used with command authorization per network device to restrict network administrators as necessary.
Page 82: Separation Of Administrative And General Users
RADIUS for the general remote access user and TACACS+ for the administrative user. An issue that arises is that an administrator may also require remote network access, like the general user. If you use Cisco Secure ACS this poses no problem. The administrator can have both RADIUS and TACACS+ configurations in Cisco Secure ACS.
Page 83: Database
Aside from topological considerations, the user database is one of the most influential factors involved in making deployment decisions for Cisco Secure ACS. The size of the user base, distribution of users throughout the network, access requirements, and type of user database contribute to how Cisco Secure ACS is deployed.
Page 84: Network Latency And Reliability
LAN, the loss of WAN connection to a remote Cisco Secure ACS could be catastrophic. The same issue can be applied to an external database used by Cisco Secure ACS. The database should be deployed close enough to Cisco Secure ACS to ensure reliable and timely access.
Page 85 Chapter 8, “Establishing Cisco Secure ACS System Configuration.” Of particular note during initial system configuration is setting up the logs and reports to be generated by Cisco Secure ACS; for more information, see Chapter 9, “Working with Logging and Reports.”...
Page 86 12-1, and Database Group Mappings, page 12-11. Then, you can configure your user groups with a complete plan of how Cisco Secure ACS is to implement authorization and authentication. For more information, see Chapter 6, “Setting Up and Managing User Groups.”...
Page 87: Chapter 3 Setting Up The Cisco Secure Acs Html Interface
We recommend that you return to this section to review and confirm your initial Note settings. While it is logical to begin your Cisco Secure ACS configuration efforts with configuring the interface, sometimes a section of the HTML interface that you initially believed should be hidden from view may later require configuration from within this section.
Page 88: Interface Design Concepts
Setting Up the Cisco Secure ACS HTML Interface Interface Design Concepts If a section of the Cisco Secure ACS HTML interface appears to be “missing” or “broken”, return to the Interface Configuration section and confirm that the particular section has been activated.
Page 89: User Data Configuration Options
You can change the title of a field by editing the text in the Field Title box and then clicking Submit. For the change to take effect, you must restart the Cisco Secure ACS services by clicking Restart at the bottom of the Service Control page in the System Configuration section and then stopping and restarting the CSAdmin service by using the Services section of the Administrative Tools folder in Windows Control Panel.
Page 90: Advanced Options
Advanced Options The Advanced Options page enables you to determine which advanced features Cisco Secure ACS displays. You can simplify the pages displayed in other areas of the Cisco Secure ACS HTML interface by hiding advanced features that you do not use.
Page 91 Logging page of the System Configuration section. Cisco Secure ACS Database Replication—When selected, this feature • enables the Cisco Secure ACS database replication information on the System Configuration page. • RDBMS Synchronization—When selected, this feature enables the RDBMS (Relational Database Management System) Synchronization option on the System Configuration page.
Page 92: Setting Advanced Options For The Cisco Secure Acs User Interface
Logging page of the System Configuration section. Setting Advanced Options for the Cisco Secure ACS User Interface To set advanced options for the Cisco Secure ACS HTML interface, follow these steps: Click Interface Configuration, and then click Advanced Options.
Page 93: Protocol Configuration Options For Tacacs
Protocol Configuration Options for TACACS+ When you have finished making selections, click Submit. Step 3 Result: Cisco Secure ACS alters the contents of various sections of the HTML interface according to the selections you have made. Protocol Configuration Options for TACACS+ The TACACS+ (Cisco) page details the configuration of the Cisco Secure ACS HTML interface for TACACS+ settings.
Page 94 Chapter 3 Setting Up the Cisco Secure ACS HTML Interface Protocol Configuration Options for TACACS+ Cisco Secure ACS interacts, and of the Cisco network devices managed by those applications, do not change or delete automatically generated TACACS+ service types. •...
Page 95: Setting Options For Tacacs
It is unlikely that you will use every service and protocol available for TACACS+. Displaying each would make setting up a user or group cumbersome. To simplify setup, you can use the TACACS+ (Cisco IOS) Edit page to customize the services and protocols that appear.
Page 96: Protocol Configuration Options For Radius
In the New Services section of the TACACS+ Services table, type in any Service and Protocol to be added. If you have configured Cisco Secure ACS to interact with device Note management applications for other Cisco products, such as a...
Page 97 (Cisco (Micro- (Ascend) (Cisco (Cisco (Juniper) (Nortel) Aironet) IOS/PIX) soft) 3000) 5000) RADIUS (IETF) RADIUS (Cisco Aironet) RADIUS (BBSM) RADIUS (Cisco IOS/PIX) RADIUS (Ascend) RADIUS (Cisco 3000) User Guide for Cisco Secure ACS for Windows Server 3-11 78-14696-01, Version 3.1...
Page 98 (IETF) RADIUS attribute or vendor-specific attribute (VSA) is configurable from the User Setup and Group Setup sections. User Guide for Cisco Secure ACS for Windows Server 3-12 78-14696-01, Version 3.1...
Page 99 Cisco Secure ACS responds to an authentication request from a Cisco Aironet Access Point and the Cisco-Aironet-Session-Timeout attribute is configured, Cisco Secure ACS sends to the wireless device this value in the IETF Session-Timeout attribute. This enables you to provide different session...
Page 100 While Cisco Secure ACS ships with these listed VSAs prepackaged, it also enables you to define and configure custom attributes for any VSA set not already contained in Cisco Secure ACS. If you have configured a custom VSA and a corresponding AAA client, from the Interface Configuration section you can...
Page 101: Setting Protocol Configuration Options For Ietf Radius Attributes
Setting Protocol Configuration Options for IETF RADIUS Attributes This procedure enables you to hide or display any of the standard IETF RADIUS attributes for configuration from other portions of the Cisco Secure ACS HTML interface. If the Per-user TACACS+/RADIUS Attributes check box in Interface...
Page 102: Setting Protocol Configuration Options For Non-Ietf Radius Attributes
For each RADIUS VSA that you want to appear as a configurable option on the Step 3 User Setup or Group Setup page, select the corresponding check box. Each attribute selected must be supported by your RADIUS network Note devices. User Guide for Cisco Secure ACS for Windows Server 3-16 78-14696-01, Version 3.1...
Page 103 Click Submit at the bottom of the page. Step 4 Result: According to your selections, the RADIUS VSAs appear on the User Setup or Group Setup pages, or both, as a configurable option. User Guide for Cisco Secure ACS for Windows Server 3-17 78-14696-01, Version 3.1...
Page 104 Chapter 3 Setting Up the Cisco Secure ACS HTML Interface Protocol Configuration Options for RADIUS User Guide for Cisco Secure ACS for Windows Server 3-18 78-14696-01, Version 3.1...
Page 105 Configuration This chapter details concepts and procedures for configuring Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 to interact with AAA clients and servers and for establishing a distributed system. It includes the following sections: About Network Configuration, page 4-2 •...
Page 106: C H A P T E R 4 Setting Up And Managing Network Configuration
4-32. This table appears only when you have configured the interface to enable Distributed Systems Settings. For more information about this interface configuration, see Advanced Options, page 3-4. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 107: About Distributed Systems
About Distributed Systems About Distributed Systems Cisco Secure ACS can be used in a distributed system; that is, multiple Cisco Secure ACS servers and authentication, authorization, and accounting (AAA) servers can be configured to communicate with one another as primary, backup, client, or peer systems.
Page 108: Default Distributed System Settings
Chapter 4 Setting Up and Managing Network Configuration Proxy in Distributed Systems If the fields mentioned in this section do not appear in the Cisco Secure ACS Note HTML interface, enable them by clicking Interface Configuration, clicking Advanced Options, and then selecting the Distributed System Settings check box.
Page 109 Cisco Secure ACS as a AAA server. Alternatively, you can configure an Cisco Secure ACS to be seen as a AAA client by the second Cisco Secure ACS; in this case, the second Cisco Secure ACS responses include the RADIUS VSAs for whatever RADIUS vendor is specified in the AAA client definition table entry—in the same manner as any other AAA client.
Page 110: Fallback On Failed Connection
Proxy in Distributed Systems, page 4-4, Cisco Secure ACS strips off the character string if you have configured it to do so. For example, in the proxy example that follows, the character string that accompanies the username establishes the ability to forward the request to another AAA server.
Page 111: Proxy In An Enterprise
AAA server, the remote AAA server logs an entry in the accounting report for that session on the destination server. Cisco Secure ACS also caches the user connection information and adds an entry in the List Logged on Users report. You can then view the information for users that are currently connected.
Page 112: Other Features Enabled By System Distribution
Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is a Cisco Secure ACS and the Max Sessions feature is implemented, you can track the number of sessions allowed for each user or group.
Page 113: Network Device Search Criteria
Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example, 10.3.157.*. Cisco Secure ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk, for example 172.16-31.*.*.
Page 114: Searching For Network Devices
Until you log out of Cisco Secure ACS, you can return to the Search for Network Devices page to view your most recent search criteria and results.
Page 115: Aaa Client Configuration
Deleting a AAA Client, page 4-19 AAA Client Configuration Options A AAA client configuration enables Cisco Secure ACS to interact with the network devices the configuration represents. A network device that does not have a corresponding configuration in Cisco Secure ACS, or whose configuration in Cisco Secure ACS is incorrect, does not receive AAA services from Cisco Secure ACS.
Page 116 Wildcard—You can use an asterisk (*) to match all numbers in that octet, for example, 10.3.157.*. Cisco Secure ACS allows any octet or octets in the IP Address box to be a number, a numeric range, or an asterisk, for example 172.16-31.*.*.
Page 117 – RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select this option if the network device is a Cisco Aironet Access Point used by users authenticating with LEAP or EAP-TLS. When Cisco Secure ACS receives an authentication request from a RADIUS (Cisco Aironet) AAA client, Cisco Secure ACS first attempts authentication by using LEAP;...
Page 118 RADIUS (Cisco IOS/PIX)—RADIUS using Cisco IOS/PIX VSAs. This – option enables you to pack commands sent to a Cisco IOS AAA client. The commands are defined in the Group Setup section. Select this option for RADIUS environments in which key TACACS+ functions are required to support Cisco IOS equipment.
Page 119: Adding A Aaa Client
• failure)—If you select TACACS+ (Cisco IOS) from the Authenticate Using list, you can use this option to specify that Cisco Secure ACS use a single TCP connection for all TACACS+ communication with the AAA client, rather than a new one for every TACACS+ request. In single connection mode, multiple requests from a network device are multiplexed over a single TCP session.
Page 120 In the AAA Client IP Address box, type the AAA client IP address or addresses. Step 4 In the Key box, type the shared secret that the AAA client and Cisco Secure ACS Step 5 use to encrypt the data (up to 32 characters).
Page 121 To enable a single connection from a AAA client, rather than a new one for every TACACS+ request, select the Single Connect TACACS+ AAA Client (Record stop in accounting on failure) check box. If TCP connections between Cisco Secure ACS the AAA client is Note unreliable, do not use this feature.
Page 122: Editing A Aaa Client
AAA Client Configuration Options, page 4-11. For Cisco Secure ACS to provide AAA services to a AAA client, you must ensure that gateway devices between AAA clients and Cisco Secure ACS allow communication over the ports needed to support the applicable AAA protocol (RADIUS or TACACS+).
Page 123: Deleting A Aaa Client
System Configuration, click Service Control, and then click Restart. Note Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter. Deleting a AAA Client To delete a AAA client, follow these steps: In the navigation bar, click Network Configuration.
Page 124: Aaa Server Configuration
Result: A confirmation dialog box appears. Click OK. Step 4 Result: Cisco Secure ACS restarts AAA services and the AAA client is deleted. AAA Server Configuration This section presents procedures for configuring AAA servers in the Cisco Secure ACS HTML interface. For additional information about AAA...
Page 125: Aaa Server Configuration Options
• AAA Server Configuration Options A AAA server configuration enables Cisco Secure ACS to interact with the AAA server that the configuration represents. A AAA server that does not have a corresponding configuration in Cisco Secure ACS, or whose configuration in Cisco Secure ACS is incorrect, does not receive AAA services from Cisco Secure ACS, such as proxied authentication requests.
Page 126 Cisco Secure ACS. Keys are case sensitive. Because shared secrets are not synchronized, it is easy to make mistakes when entering them upon remote AAA servers and Cisco Secure ACS. If the shared secret does not match, Cisco Secure ACS discards all packets from the remote AAA server.
Page 127: Adding A Aaa Server
AAA Server Configuration Options, page 4-21. For Cisco Secure ACS to provide AAA services to a remote AAA server, you must ensure that gateway devices between the remote AAA server and Cisco Secure ACS permit communication over the ports that support the applicable AAA protocol (RADIUS or TACACS+).
Page 128 Step 8 From the AAA Server Type list, select the AAA server type applicable to the remote AAA server. If the remote AAA server is another Cisco Secure ACS, identify it as such by selecting CiscoSecure ACS. From the Traffic Type list, select the type of traffic you want to permit between Step 9 the remote AAA server and Cisco Secure ACS.
Page 129: Editing A Aaa Server
AAA Server Configuration Options, page 4-21. For Cisco Secure ACS to provide AAA services to a remote AAA server, you must ensure that gateway devices between the remote AAA server and Cisco Secure ACS permit communication over the ports that support the applicable AAA protocol (RADIUS or TACACS+).
Page 130 Restart. Restarting the service clears the Logged-in User report and temporarily Note interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero. User Guide for Cisco Secure ACS for Windows Server 4-26 78-14696-01, Version 3.1...
Page 131: Deleting A Aaa Server
Result: A confirmation dialog box appears. Step 4 Click OK. Result: Cisco Secure ACS performs a restart and the AAA server is deleted. Network Device Group Configuration Network Device Grouping is an advanced feature that enables you to view and administer a collection of network devices as a single logical group.
Page 132: Adding A Network Device Group
Chapter 4 Setting Up and Managing Network Configuration Network Device Group Configuration Cisco Secure ACS—single discrete devices such as an individual router or network access server, and an NDG; that is, a collection of routers or AAA servers. To see the Network Device Groups table in the HTML interface, you must have...
Page 133: Assigning An Unassigned Aaa Client Or Aaa Server To An Ndg
Assigned AAA Servers table. To assign a network device to an NDG, follow these steps: In the navigation bar, click Network Configuration. Step 1 Result: The Network Configuration page opens. User Guide for Cisco Secure ACS for Windows Server 4-29 78-14696-01, Version 3.1...
Page 134: Reassigning A Aaa Client Or Aaa Server To An Ndg
From the Network Device Group list, select the NDG to which you want to Step 4 reassign the network device. Click Submit. Step 5 Result: The network device is assigned to the NDG you selected. User Guide for Cisco Secure ACS for Windows Server 4-30 78-14696-01, Version 3.1...
Page 135: Renaming A Network Device Group
In the Network Device Groups table, click the NDG that you want to delete. If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box. User Guide for Cisco Secure ACS for Windows Server 4-31 78-14696-01, Version 3.1...
Page 136: Proxy Distribution Table Configuration
If you have Distributed Systems Settings enabled, when you click Network Configuration, you will see the Proxy Distribution Table. To enable Distributed Systems Settings in the Cisco Secure ACS, click Interface Configuration, click Advanced Options, and then select the Distributed System Settings check box.
Page 137: Adding A New Proxy Distribution Table Entry
“(Default)” entry, you can change the distribution of authentication requests matching the “(Default)” entry. At installation, the AAA server associated with the “(Default)” entry is the local Cisco Secure ACS. It can sometimes be easier to define strings that match authentication requests to be processed locally rather than defining strings that match authentication requests to be processed remotely.
Page 138 From the Send Accounting Information list, select one of the following areas to Step 7 which to report accounting information: Local—Keep accounting packets on the local Cisco Secure ACS. • Remote—Send accounting packets to the remote Cisco Secure ACS. •...
Page 139: Sorting The Character String Match Order Of Distribution Entries
Proxy Distribution Table Configuration Sorting the Character String Match Order of Distribution Entries You can use this procedure to set the priority by which Cisco Secure ACS searches character string entries in the Proxy Distribution Table when users dial To determine the order by which Cisco Secure ACS searches entries in the Proxy...
Page 140: Deleting A Proxy Distribution Table Entry
Result: The Edit Proxy Distribution Entry page appears. Step 3 Click Delete. Result: A confirmation dialog box appears. Click OK. Step 4 Result: The distribution entry is deleted from the Proxy Distribution Table. User Guide for Cisco Secure ACS for Windows Server 4-36 78-14696-01, Version 3.1...
Page 141: Chapter 5 Setting Up And Managing Shared Profile Components
Setting Up and Managing Shared Profile Components This chapter addresses the Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 features found in the Shared Profile Components section of the HTML interface. It contains the following sections: About Shared Profile Components, page 5-1 •...
Page 142: Downloadable Pix Acls
About Downloadable PIX ACLs Downloadable PIX ACLs enable you to enter an ACL once, in Cisco Secure ACS, and then load that ACL to any number of PIX Firewalls that authenticate using the Cisco IOS/PIX protocol. This is far more efficient than directly entering the ACL into each PIX Firewall via its CLI.
Page 143 Setting Up and Managing Shared Profile Components Downloadable PIX ACLs The ACL definitions that you enter into Cisco Secure ACS consist of one or more PIX ACL commands, with each command on a separate line. Using standard RADIUS Cisco AV-pairs permits you to enter a maximum of 4 kilobytes of ACLs;...
Page 144: Downloadable Pix Acl Configuration
For an example of the proper format of the ACL definitions, see About Downloadable PIX ACLs, page 5-2. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 145: Editing A Downloadable Pix Acl
When you have completed specifying the PIX ACL, click Submit. Step 7 Result: Cisco Secure ACS enters the new PIX ACL, which takes effect immediately. That is, it is available to be sent to any PIX Firewall that is attempting authentication of a user who has that ACL name as part of his or her user or group profile.
Page 146: Network Access Restrictions
About Network Access Restrictions NARs enable you to define additional authorization and authentication conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients.
Page 147 CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC address in place of the DNIS.
Page 148: Shared Network Access Restrictions Configuration
NAR a name that can be referenced in other parts of the Cisco Secure ACS HTML interface. Then, when you set up users or user groups, you can select none, one, or multiple shared restrictions to be applied. When you specify the application of multiple shared NARs to a user or user group, you choose one of two access criteria: either “All selected filters must permit”, or...
Page 149: Adding A Shared Network Access Restriction
Select the Define IP-based access descriptions check box. To specify whether you are listing addresses that are permitted or denied, from the Table Defines list, select the applicable value. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 150 The name of the NDG • • The name of the particular AAA client All AAA clients • Only NDGs that you have already configured are listed. User Guide for Cisco Secure ACS for Windows Server 5-10 78-14696-01, Version 3.1...
Page 151 Step e. When you are finished defining the shared NAR, click Submit. Step 8 Result: Cisco Secure ACS saves the named shared NAR and lists it in the Network Access Restriction Sets table. Editing a Shared Network Access Restriction To edit a shared network access restriction, follow these steps: In the navigation bar, click Shared Profile Components.
Page 152 To remove a line item from the CLI/DNIS access restrictions table, follow these Step 8 steps: Select the line item. Below the table, click remove. Result: The line item is removed from the CLI/DNIS access restrictions table. User Guide for Cisco Secure ACS for Windows Server 5-12 78-14696-01, Version 3.1...
Page 153: Command Authorization Sets
When you have finished editing the line items that make up the filter, click Step 9 Submit. Result: Cisco Secure ACS re-enters the filter with the new information, which takes effect immediately. Deleting a Shared Network Access Restriction To delete a shared network access restriction, follow these steps: In the navigation bar, click Shared Profile Components.
Page 154: About Command Authorization Sets
TACACS+ can request authorization for each command line before its execution. You can define a set of commands that are either permitted or denied for execution by a particular user on a given device. Cisco Secure ACS has further enhanced this capability as follows: •...
Page 155: About Pattern Matching
Setting Up and Managing Shared Profile Components Command Authorization Sets application by applying command authorization sets to Cisco Secure ACS groups that contain users of the device-management application. The Cisco Secure ACS groups can correspond to different roles within the device-management application and you can apply different command authorization sets to each group, as applicable.
Page 156: Command Authorization Sets Configuration
In the navigation bar, click Shared Profile Components. Result: The Shared Profile Components page lists the command authorization set types available. These always include Shell Command Authorization Sets and may include others, such as command authorization set types that support Cisco device-management applications. Step 2 Click one of the listed command authorization set types, as applicable.
Page 157 In the Description box, type a description of the command authorization set. Step 5 Step 6 If Cisco Secure ACS displays an expandable checklist tree below the Name and Description boxes, use the checklist tree to specify the actions permitted by the command authorization set. To do so, follow these steps: To expand a checklist node, click the plus (+) symbol to its left.
Page 158 Step 8 When you finish creating the command authorization set, click Submit. Result: Cisco Secure ACS displays the name and description of the new command authorization set in the applicable Command Authorization Sets table. User Guide for Cisco Secure ACS for Windows Server 5-18 78-14696-01, Version 3.1...
Page 159: Editing A Command Authorization Set
• To disable an action, clear its check box. For example, to disable a Device View action, clear the View check box under the Device checklist node. User Guide for Cisco Secure ACS for Windows Server 5-19 78-14696-01, Version 3.1...
Page 160: Deleting A Command Authorization Set
Step 5 To confirm that you want to delete that command authorization set, click OK. Result: Cisco Secure ACS displays the applicable Command Authorization Sets table. The command authorization set is no longer listed. User Guide for Cisco Secure ACS for Windows Server 5-20 78-14696-01, Version 3.1...
Page 161: Chapter 6 Setting Up And Managing User Groups
3.1 to control authorization. Cisco Secure ACS enables you to group together network users for more efficient administration. Each user can belong to only one group in Cisco Secure ACS. You can establish up to 500 different groups to effect different levels of authorization.
Page 162: User Group Setup Features And Functions
Group TACACS+ Settings Cisco Secure ACS enables a full range of settings for TACACS+ at the group level. If a AAA client has been configured to use TACACS+ as the security control protocol, you can configure standard service protocols, including PPP IP, PPP LCP, ARAP, SLIP, and Shell (exec), to be applied for the authorization of each user who belongs to a particular group.
Page 163: Common User Group Settings
Setting Up and Managing User Groups Common User Group Settings Cisco Secure ACS also enables you to enter and configure new TACACS+ services. For information about how to configure a new TACACS+ service to appear on the group setup page, see...
Page 164: Enabling Voip Support For A User Group
For more information, see Saving Changes to User Group Settings, page 6-53. Step 5 To continue, and specify other group settings, perform other procedures in this chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 165: Setting Default Time-Of-Day Access For A User Group
Clicking times of day on the graph deselects those times; clicking again reselects them. At any time, you can click Clear All to clear all hours, or you can click Set All to select all hours. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 166: Setting Callback Options For A User Group
• Microsoft Windows NT/2000 callback settings. If a Windows account for a user resides in a remote domain, the domain in which Cisco Secure ACS resides must have a two-way trust with that domain for the Microsoft NT/2000 callback settings to operate for that user.
Page 167: Setting Network Access Restrictions For A User Group
Cisco Secure ACS HTML interface. However, Cisco Secure ACS also enables you to define and apply a NAR for a single group from within the Group Setup section. You must have enabled the...
Page 168 Chapter 6 Setting Up and Managing User Groups Common User Group Settings When an authentication request is forwarded by proxy to a Cisco Secure ACS Note server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
Page 169 To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following: Permitted Calling/Point of Access Locations • • Denied Calling/Point of Access Locations User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 170 (*) to permit or deny access based on part of the number or all numbers. This is also the selection to use if you want to restrict access based on other values, such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions, page 5-6.
Page 171: Setting Max Sessions For A User Group
Note PPP, NAS prompt, Telnet, ARAP, IPX/SLIP. Note The default setting for group Max Sessions is Unlimited for both the group and the user within the group. User Guide for Cisco Secure ACS for Windows Server 6-11 78-14696-01, Version 3.1...
Page 172 For more information, see Saving Changes to User Group Settings, page 6-53. To continue specifying other group settings, perform other procedures in this Step 6 chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 6-12 78-14696-01, Version 3.1...
Page 173: Setting Usage Quotas For A User Group
Setting User Usage Quotas Options, page 7-18. When a user exceeds his or her assigned quota, Cisco Secure ACS denies that user access upon attempting to start a session. If a quota is exceeded during a session, Cisco Secure ACS allows the session to continue.
Page 174 Type the number of sessions to which you want to limit users in the to x sessions box. Up to 5 characters are allowed in the to x sessions box. Note User Guide for Cisco Secure ACS for Windows Server 6-14 78-14696-01, Version 3.1...
Page 175: Configuration-Specific User Group Settings
Configuring a PIX Command Authorization Set for a User Group, page 6-33 • Configuring Device-Management Command Authorization for a User Group, • page 6-35 Configuring IETF RADIUS Settings for a User Group, page 6-37 • User Guide for Cisco Secure ACS for Windows Server 6-15 78-14696-01, Version 3.1...
Page 176: Setting Token Card Settings For A User Group
Chapter 6 Setting Up and Managing User Groups Configuration-specific User Group Settings Configuring Cisco IOS/PIX RADIUS Settings for a User Group, page 6-38 • Configuring Cisco Aironet RADIUS Settings for a User Group, page 6-39 • Configuring Ascend RADIUS Settings for a User Group, page 6-41 •...
Page 177 From the Jump To list at the top of the page, choose Token Cards. Step 3 In the Token Card Settings table, to cache the token for the entire session, select Step 4 Session. User Guide for Cisco Secure ACS for Windows Server 6-17 78-14696-01, Version 3.1...
Page 178: Setting Enable Privilege Options For A User Group
Note If this section does not appear, click Interface Configuration and then click TACACS+ (Cisco). At the bottom of the page in the Advanced Configuration Options table, select the Advanced TACACS+ features check box. Perform this procedure to configure group-level TACACS+ enable parameters.
Page 179 For more information, see Saving Changes to User Group Settings, page 6-53. To continue specifying other group settings, perform other procedures in this Step 6 chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 6-19 78-14696-01, Version 3.1...
Page 180: Enabling Password Aging For The Ciscosecure User Database
Setting Up and Managing User Groups Configuration-specific User Group Settings Enabling Password Aging for the CiscoSecure User Database The password aging feature of Cisco Secure ACS enables you to force users to change their passwords under one or more of the following conditions: •...
Page 181 8-5. Cisco Secure ACS supports password aging using the RADIUS protocol under MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging over Telnet connections using the RADIUS protocol. If a user with a RADIUS connection tries to make a Telnet connection to the AAA...
Page 182 All passwords expire at midnight, not the time at which they were set. Apply age-by-uses rules—Selecting this check box configures • Cisco Secure ACS to determine password aging by the number of logins. The age-by-uses rules contain the following settings: Issue warning after x logins—The number of the login upon which –...
Page 183 • (TACACS+ only supports password aging for device-hosted sessions.) Set up your AAA client to perform authentication and accounting using the • same protocol, either TACACS+ RADIUS. User Guide for Cisco Secure ACS for Windows Server 6-23 78-14696-01, Version 3.1...
Page 184 Local Password Management, page 8-5. Set up your AAA client to use Cisco IOS Release 11.2.7 or later and to send • a watchdog accounting packet (aaa accounting new-info update) with the IP address of the calling station.
Page 185: Enabling Password Aging For Users In Windows Databases
Enabling Password Aging for Users in Windows Databases Cisco Secure ACS supports two types of password aging for users in Windows databases. Both types of Windows password aging mechanisms are separate and distinct from the other Cisco Secure ACS password aging mechanisms. For...
Page 186 8-81. Users whose Windows accounts reside in “remote” domains (that is, not the domain within which Cisco Secure ACS is running) can only use the Windows-based password aging if they supply their domain names. The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000, and whether you employ Active Directory (AD) or Security Accounts Manager (SAM).
Page 187: Setting Ip Address Assignment Method For A User Group
Setting Up and Managing User Groups Configuration-specific User Group Settings Setting IP Address Assignment Method for a User Group Perform this procedure to configure the way Cisco Secure ACS assigns IP addresses to users in the group. The four possible methods are as follows: •...
Page 188: Assigning A Downloadable Pix Acl To A Group
You must have established one or more PIX ACLs before attempting to assign one. For instructions on how to add a downloadable PIX ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface, see Adding a Downloadable PIX ACL, page 5-4.
Page 189: Configuring Tacacs+ Settings For A User Group
6-31. To display or hide additional services or protocols, click Interface Note Configuration, click TACACS+ (Cisco IOS), and then select or clear items in the group column, as applicable. To configure TACACS+ settings for a user group, follow these steps: In the navigation bar, click Group Setup.
Page 190 For ACLs and IP address pools, the name of the ACL or pool as defined on the AAA client should be entered. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.)
Page 191: Configuring A Shell Command Authorization Set For A User Group
NDGs. Per Group Command Authorization—Enables you to permit or deny • specific Cisco IOS commands and arguments at the group level. Note This feature requires that you have previously configured a shell command authorization set.
Page 192 Result: The associated NDG and shell command authorization set appear in the table. Step 8 To define the specific Cisco IOS commands and arguments to be permitted or denied at the group level, follow these steps: Select the Per Group Command Authorization option.
Page 193: Configuring A Pix Command Authorization Set For A User Group
This is a powerful, advanced feature and should be used by an administrator Warning skilled with Cisco IOS commands. Correct syntax is the responsibility of the administrator. For information on how Cisco Secure ACS uses pattern matching in command arguments, see About Pattern Matching, page 5-15.
Page 194 Ensure that a AAA client has been configured to use TACACS+ as the • security control protocol. On the TACACS+ (Cisco) page of Interface Configuration section, ensure • that the PIX Shell (pixShell) option is selected in the Group column.
Page 195: Configuring Device-Management Command Authorization For A User Group
Device-management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use Cisco Secure ACS for authorization. There are three options: • None—No authorization is performed for commands issued in the applicable Cisco device-management application.
Page 196 Result: The system displays the TACACS+ Settings table section. Use the vertical scrollbar to scroll to the device-management application feature Step 4 area, where device-management application is the name of the applicable Cisco device-management application. Step 5 To prevent the application of any command authorization set for the applicable device-management application, select the None option.
Page 197: Configuring Ietf Radius Settings For A User Group
• page in the Interface Configuration section of the HTML interface. RADIUS attributes are sent as a profile for each user from Cisco Secure ACS to the requesting AAA client. To display or hide any of these attributes, see Protocol Configuration Options for RADIUS, page 3-10.
Page 198: Configuring Cisco Ios/Pix Radius Settings For A User Group
Step 7 chapter, as applicable. Configuring Cisco IOS/PIX RADIUS Settings for a User Group The Cisco IOS/PIX RADIUS parameters appear only when both the following are true: A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in •...
Page 199: Configuring Cisco Aironet Radius Settings For A User Group
Configuring IETF RADIUS Settings for a User Group, page 6-37. For the Cisco attributes, determine the attributes to be authorized for the group by Step 2 selecting the check box next to the attribute, and then type the commands (such as TACACS+ commands) to be packed as a RADIUS VSA.
Page 200 Result: The Group Settings page displays the name of the group at its top. Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco Aironet). In the Cisco Aironet RADIUS Attributes table, select the [5842\001] Step 5 Cisco-Aironet-Session-Timeout check box.
Page 201: Configuring Ascend Radius Settings For A User Group
Be sure to define the authorization for that attribute in the field next to it. For more information about attributes, see Appendix C, “RADIUS Attributes,” or your AAA client documentation. User Guide for Cisco Secure ACS for Windows Server 6-41 78-14696-01, Version 3.1...
Page 202: Configuring Cisco Vpn 3000 Concentrator Radius Settings For A User Group
User Group The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only if both the following are true: A AAA client has been configured to use RADIUS (Cisco VPN 3000) in • Network Configuration. Group-level RADIUS (Cisco VPN 3000) attributes have been enabled on the •...
Page 203: Configuring Cisco Vpn 5000 Concentrator Radius Settings For A User Group
From the Group list, select a group, and then click Edit Settings. Step 3 Result: The Group Settings page displays the name of the group at its top. From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 3000). Step 4 Step 5...
Page 204 Step 3 Result: The Group Settings page displays the name of the group at its top. From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 5000). Step 4 In the Cisco VPN 5000 Concentrator RADIUS Attributes table, select the...
Page 205: Configuring Microsoft Radius Settings For A User Group
RADIUS protocol that supports the Microsoft RADIUS VSA. • Group-level Microsoft RADIUS attributes have been enabled on the RADIUS (Microsoft) page of the Interface Configuration section. The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSA: Cisco IOS/PIX •...
Page 206: Configuring Nortel Radius Settings For A User Group
RADIUS. The MS-CHAP-MPPE-Keys attribute value is autogenerated by Note Cisco Secure ACS; there is no value to set in the HTML interface. Step 6 To save the group settings you have just made, click Submit.
Page 207 RADIUS. Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. To save the group settings you have just made, click Submit. Step 6...
Page 208: Configuring Juniper Radius Settings For A User Group
RADIUS. The MS-CHAP-MPPE-Keys attribute value is autogenerated by Note Cisco Secure ACS; there is no value to set in the HTML interface. To save the group settings you have just made, click Submit. Step 6...
Page 209: Configuring Bbsm Radius Settings For A User Group
Result: The Group Settings page displays the name of the group at its top. From the Jump To list at the top of the page, choose RADIUS (BBSM). Step 4 User Guide for Cisco Secure ACS for Windows Server 6-49 78-14696-01, Version 3.1...
Page 210: Configuring Custom Radius Vsa Settings For A User Group
RADIUS. Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. To save the group settings you have just made, click Submit. Step 6...
Page 211: Group Setting Management
To continue specifying other group settings, perform other procedures in this Step 7 chapter, as applicable. Group Setting Management This section describes how to use the Cisco Secure ACS Group Setup section to perform a variety of managerial tasks. This section contains the following procedures: •...
Page 212: Listing Users In A User Group
Click Submit at the bottom of the browser page. Result: The usage quota counters for all users in the group are reset. The Group Setup Select page appears. User Guide for Cisco Secure ACS for Windows Server 6-52 78-14696-01, Version 3.1...
Page 213: Renaming A User Group
Step 1 implement the changes, click System Configuration, and then click Service Control, and click Restart. To save your changes and apply them immediately, click Submit + Restart. User Guide for Cisco Secure ACS for Windows Server 6-53 78-14696-01, Version 3.1...
Page 214 Restarting the service clears the Logged-in User Report and temporarily Note interrupts all Cisco Secure ACS services. This affects the Max Sessions counter. To verify that your changes were applied, select the group and click Edit Settings. Step 2 View the settings.
Page 215: Chapter 7 Setting Up And Managing User Accounts
Setting Up and Managing User Accounts This chapter provides information about setting up and managing user accounts in Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1. Settings at the user level override settings configured at the group level.
Page 216: User Setup Features And Functions
• resetting user accounts. User Setup Features and Functions The User Setup section of the Cisco Secure ACS HTML interface is the centralized location for all operations regarding user account configuration and administration. From within the User Setup section, you can perform the following tasks: View a list of all users in the CiscoSecure user database •...
Page 217 11-54. • Token Server—Authenticates a user from a token server database. Cisco Secure ACS supports the use of a variety of token servers for the increased security provided by one-time passwords. For more information, Token Server User Databases, page 11-57 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 218: Basic User Setup Options
You cannot edit the name associated with a user account; to change a username you must delete the user account and establish another. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 219: Adding A Basic User Account
Ensure that the Account Disabled check box is cleared. Step 4 Note Alternatively, you can select the Account Disabled check box to create a user account that is disabled, and enable the account at another time. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 220 To finish configuring the user account options and establish the user account, • click Submit. To continue to specify the user account options, perform other procedures in • this chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 221: Setting Supplementary User Information
If you are finished configuring the user account options, click Submit to record the options. • To continue to specify the user account options, perform other procedures in this chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 222: Setting A Separate Chap/Ms-Chap/Arap Password
Setting a Separate CHAP/MS-CHAP/ARAP Password Setting a separate CHAP/MS-CHAP/ARAP password adds more security to Cisco Secure ACS authentication. However, you must have a AAA client configured to support the separate password. To allow the user to authenticate using a CHAP, MS-CHAP, or ARAP password,...
Page 223: Assigning A User To A Group
Basic User Setup Options Assigning a User to a Group A user can only belong to one group in Cisco Secure ACS. The user inherits the attributes and operations assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings configured at the group level.
Page 224: Setting User Callback Option
• specified for Windows NT/2000 callback. If a Windows account for a user resides in a remote domain, the domain in which Cisco Secure ACS resides must have a two-way trust with that domain for the Microsoft NT/2000 callback settings to operate for that user.
Page 225: Assigning A User To A Client Ip Address
(up to 15 characters), if a specific IP address should be used for this user. If the IP address is being assigned from a pool of IP addresses or by Note the dialup client, leave the Assign IP address box blank. User Guide for Cisco Secure ACS for Windows Server 7-11 78-14696-01, Version 3.1...
Page 226: Setting Network Access Restrictions For A User
CLI/DNIS used. You can also use the CLI/DNIS-based access restrictions area to Note specify other values. For more information, see About Network Access Restrictions, page 5-6. User Guide for Cisco Secure ACS for Windows Server 7-12 78-14696-01, Version 3.1...
Page 227 Cisco Secure ACS HTML interface. However, Cisco Secure ACS also enables you to define and apply a NAR for a single user from within the User Setup section. You must have enabled the...
Page 228 Address—Type the IP address or addresses to use when performing • access restrictions. You can type multiple entries separated by a comma or use the wildcard asterisk (*). User Guide for Cisco Secure ACS for Windows Server 7-14 78-14696-01, Version 3.1...
Page 229 (*) to permit or deny access based on part of the number. This is also the selection to use if you want to restrict access based on other values such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions, page 5-6.
Page 230: Setting Max Sessions Options For A User
RADIUS or TACACS+, for example PPP, or Telnet, or ARAP. Note, however, that accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session. All session counts are based on user and group names only.
Page 231 If you are finished configuring the user account options, click Submit to record the options. • To continue to specify the user account options, perform other procedures in this chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 7-17 78-14696-01, Version 3.1...
Page 232: Setting User Usage Quotas Options
ARAP. Note, however, that accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session. If you make no selections in the Session Quotas section for an individual user, Cisco Secure ACS applies the session quotas of the group to which the user is assigned.
Page 233 Select the period for which you want to enforce the session usage quota: per Day—From 12:01 a.m. until midnight. • • per Week—From 12:01 a.m. Sunday until midnight Saturday. User Guide for Cisco Secure ACS for Windows Server 7-19 78-14696-01, Version 3.1...
Page 234: Setting Options For User Account Disablement
Step 2 Do one of the following: Select the Never option to keep the user account always enabled. This is the default setting. Note User Guide for Cisco Secure ACS for Windows Server 7-20 78-14696-01, Version 3.1...
Page 235: Assigning A Pix Acl To A User
(ACL) at the user level. You must have established one or more PIX ACLs before attempting to assign one. For instructions on how to configure a downloadable PIX ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface, see Adding a Downloadable PIX ACL, page 5-4.
Page 236: Advanced User Authentication Settings
Configuring TACACS+ Settings for a User, page 7-23 • Configuring a Shell Command Authorization Set for a User, page 7-25 • Configuring a PIX Command Authorization Set for a User, page 7-28 • User Guide for Cisco Secure ACS for Windows Server 7-22 78-14696-01, Version 3.1...
Page 237: Configuring Tacacs+ Settings For A User
For more information about setting up new or existing TACACS+ services in the Cisco Secure ACS HTML interface, Protocol Configuration Options for TACACS+, page 3-7.
Page 238 PIX ACL to a User, page 7-21. An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network. To employ custom attributes for a particular service, select the Custom...
Page 239: Configuring A Shell Command Authorization Set For A User
NDG associates with what shell command authorization set. • Per User Command Authorization—Enables you to permit or deny specific Cisco IOS commands and arguments at the user level. Before You Begin Ensure that a AAA client has been configured to use TACACS+ as the •...
Page 240 Chapter 7 Setting Up and Managing User Accounts Advanced User Authentication Settings In the TACACS+ (Cisco) section of Interface Configuration, ensure that the • Shell (exec) option is selected in the User column. Ensure that you have already configured one or more shell command •...
Page 241 Result: The NDG or NDGs and associated shell command authorization set or sets appear paired in the table. To define the specific Cisco IOS commands and arguments to be permitted or Step 7 denied for this user, follow these steps: Select the Per User Command Authorization option.
Page 242: Configuring A Pix Command Authorization Set For A User
In the Advanced Options section of Interface Configuration, ensure that the • Per-user TACACS+/RADIUS Attributes check box is selected. In the TACACS+ (Cisco) section of Interface Configuration, ensure that the • PIX Shell (pixShell) option is selected in the User column.
Page 243 If you are finished configuring the user account options, click Submit to • record the options. To continue to specify the user account options, perform other procedures in • this chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 7-29 78-14696-01, Version 3.1...
Page 244: Configuring Device Management Command Authorization For A User
Device management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use Cisco Secure ACS for authorization. You can choose one of four options: None—No authorization is performed for commands issued in the applicable •...
Page 245 Group Basis option. Select a Device Group and an associated device-management application. Click Add Association. Result: The associated NDG and command authorization set appear in the table. User Guide for Cisco Secure ACS for Windows Server 7-31 78-14696-01, Version 3.1...
Page 246: Configuring The Unknown Service Setting For A User
If you are finished configuring the user account options, click Submit to record the options. To continue to specify the user account options, perform other procedures in • this chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 7-32 78-14696-01, Version 3.1...
Page 247: Advanced Tacacs+ Settings (User)
The information presented in this section applies when you have a AAA client with TACACS+ configured. If the Advanced TACACS+ Settings (User) table does not appear, click Interface Configuration, click TACACS+ (Cisco IOS), and then click Advanced TACACS+ Features. Details on configuring user options with the Advanced TACACS+ Settings are...
Page 248 You must have already configured a device group for it to be listed. Note From the Privilege list, select a privilege level to associate with the selected device group. User Guide for Cisco Secure ACS for Windows Server 7-34 78-14696-01, Version 3.1...
Page 249: Setting Tacacs+ Enable Password Options For A User
Adding a Basic User Account, page 7-5. Result: The User Setup Edit page opens. The username being added or edited is at the top of the page. User Guide for Cisco Secure ACS for Windows Server 7-35 78-14696-01, Version 3.1...
Page 250: Setting Tacacs+ Outbound Password For A User
The TACACS+ outbound password enables a AAA client to authenticate itself to another AAA client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP, and results in the Cisco Secure ACS password being given out. By default, the user ASCII/PAP or CHAP/MS-CHAP/ARAP password is used.
Page 251: Radius Attributes
For general attributes, see Setting IETF RADIUS Parameters for a User, page 7-38. Cisco Secure ACS ships with many popular VSAs already loaded and available to configure and apply. For information about creating additional, custom RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 8-33.
Page 252: Setting Ietf Radius Parameters For A User
Setting Custom RADIUS Attributes for a User, page 7-52. Setting IETF RADIUS Parameters for a User RADIUS attributes are sent as a profile for the user from Cisco Secure ACS to the requesting AAA client. These parameters display only if all the following are true: •...
Page 253: Setting Cisco Ios/Pix Radius Parameters For A User
• this chapter, as applicable. Setting Cisco IOS/PIX RADIUS Parameters for a User The Cisco IOS RADIUS parameters appear only if all the following are true: A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in • Network Configuration.
Page 254: Setting Cisco Aironet Radius Parameters For A User
Cisco IOS RADIUS represents only the Cisco IOS VSAs. You must configure both the IETF RADIUS and Cisco IOS RADIUS attributes. To configure and enable Cisco IOS RADIUS attributes to be applied as an authorization for the current user, follow these steps:...
Page 255 When Cisco Secure ACS responds to an authentication request from a Cisco Aironet Access Point and the Cisco-Aironet-Session-Timeout attribute is configured, Cisco Secure ACS sends to the wireless device this value in the IETF Session-Timeout attribute. This enables you to provide different session timeout values for wireless and wired end-user clients.
Page 256: Setting Ascend Radius Parameters For A User
Adding a Basic User Account, page 7-5. Step 1 Result: The User Setup Edit page opens. The username being added or edited is at the top of the page. User Guide for Cisco Secure ACS for Windows Server 7-42 78-14696-01, Version 3.1...
Page 257: User
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only if all the following are true: A AAA client has been configured to use RADIUS (Cisco VPN 3000) in • Network Configuration.
Page 258 RADIUS Parameters for a User, page 7-38. Step 3 In the Cisco VPN 3000 Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps: Select the check box next to the particular attribute.
Page 259: User
The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only if all the following are true: • A AAA client has been configured to use RADIUS (Cisco VPN 5000) in Network Configuration. • The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
Page 260: Setting Microsoft Radius Parameters For A User
Chapter 7 Setting Up and Managing User Accounts Advanced User Authentication Settings In the Cisco VPN 5000 Concentrator Attribute table, to specify the attributes that Step 3 should be authorized for the user, follow these steps: Select the check box next to the particular attribute.
Page 261 Attributes,” or your AAA client documentation. The MS-CHAP-MPPE-Keys attribute value is autogenerated by Note Cisco Secure ACS; there is no value to set in the HTML interface. User Guide for Cisco Secure ACS for Windows Server 7-47 78-14696-01, Version 3.1...
Page 262: Setting Nortel Radius Parameters For A User
Adding a Basic User Account, page 7-5. Step 1 Result: The User Setup Edit page opens. The username being added or edited is at the top of the page. User Guide for Cisco Secure ACS for Windows Server 7-48 78-14696-01, Version 3.1...
Page 263: Setting Juniper Radius Parameters For A User
RADIUS (Juniper) in the Interface Configuration section. Juniper RADIUS represents only the Juniper proprietary attributes. You must configure both the IETF RADIUS and Juniper RADIUS attributes. Proprietary attributes override IETF attributes. User Guide for Cisco Secure ACS for Windows Server 7-49 78-14696-01, Version 3.1...
Page 264 If you are finished configuring the user account options, click Submit to • record the options. To continue to specify the user account options, perform other procedures in • this chapter, as applicable. User Guide for Cisco Secure ACS for Windows Server 7-50 78-14696-01, Version 3.1...
Page 265: Setting Bbsm Radius Parameters For A User
Select the check box next to the particular attribute. Further define the authorization for that attribute in the box next to it. Continue to select and define attributes, as applicable. User Guide for Cisco Secure ACS for Windows Server 7-51 78-14696-01, Version 3.1...
Page 266: Setting Custom Radius Attributes For A User
Before configuring custom RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-38. User Guide for Cisco Secure ACS for Windows Server 7-52 78-14696-01, Version 3.1...
Page 267: User Management
• this chapter, as applicable. User Management This section describes how to use the Cisco Secure ACS User Setup section to perform a variety of user account managerial tasks. This section contains the following procedures: Listing All Users, page 7-54 •...
Page 268: Listing All Users
Setting Up and Managing User Accounts User Management Listing All Users The Cisco Secure ACS User List displays all user accounts (enabled and disabled). The list includes, for each user, the username, status, and the group to which the user belongs.
Page 269: Disabling A User Account
In the User box, type the name of the user whose account is to be disabled. Step 2 Click Add/Edit. Step 3 Result: The User Setup Edit page opens. The username being edited is at the top of the page. User Guide for Cisco Secure ACS for Windows Server 7-55 78-14696-01, Version 3.1...
Page 270: Deleting A User Account
The Delete button appears only when you are editing user information, Note not when you are adding a username. Result: A popup window appears that asks you to confirm the user deletion. User Guide for Cisco Secure ACS for Windows Server 7-56 78-14696-01, Version 3.1...
Page 271: Resetting User Session Quota Counters
Click Submit at the bottom of the browser page. Step 5 Result: The session quota counters are reset for this user. The User Setup Select page appears. User Guide for Cisco Secure ACS for Windows Server 7-57 78-14696-01, Version 3.1...
Page 272: Resetting A User Account After Login Failure
If the user authenticates with a Windows NT/2000 external user database, this expiration information is in addition to the information in the Windows NT/2000 user account. Changes here do not alter settings configured in Windows NT/2000. User Guide for Cisco Secure ACS for Windows Server 7-58 78-14696-01, Version 3.1...
Page 273: Saving User Settings
To save the user account configuration, click Submit. To verify that your changes were applied, type the username in the User box and Step 2 click Add/Edit, and then review the settings. User Guide for Cisco Secure ACS for Windows Server 7-59 78-14696-01, Version 3.1...
Page 274 Chapter 7 Setting Up and Managing User Accounts User Management User Guide for Cisco Secure ACS for Windows Server 7-60 78-14696-01, Version 3.1...
Page 275 C H A P T E R Establishing Cisco Secure ACS System Configuration This chapter addresses the features found in the System Configuration section of Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1. It contains the following topics: •...
Page 276: C H A P T E R 8 Establishing Cisco Secure Acs System Configuration
Cisco Secure ACS. Stopping, Starting, or Restarting Services You can stop, start, or restart Cisco Secure ACS services as needed. This achieves the same result as starting and stopping Cisco Secure ACS services from within Windows Control panel.
Page 277: Logging
If the CSAdmin service needs to be restarted, you can do so using the Control Note Panel Services applet; however, it is best to allow Cisco Secure ACS to handle the services because there are dependencies in the order in which the services are started.
Page 278: Setting The Date Format
Cisco Secure ACS assigns the name 2001-07-12.csv to a report generated on July 12, 2001. If you subsequently change to the day/month/year format, on December 7, 2001, Cisco Secure ACS creates a file also named 2001-07-12.csv and overwrites the existing file.
Page 279: Local Password Management
Remote Change Password—These settings enable you to configure whether Telnet password change is enabled and, if it is enabled, whether Cisco Secure ACS immediately sends the updated user data to its replication partners. User Guide for Cisco Secure ACS for Windows Server...
Page 280 8-9. • Password Change Log File Management—These settings enable you to configure how Cisco Secure ACS handles log files generated for the User Password Change report. For more information about this report, see Cisco Secure ACS System Logs, page 9-11.
Page 281: Configuring Local Password Management
If the maximum number of files is exceeded, Cisco Secure ACS deletes the oldest log file. If the maximum age of a file is exceeded, Cisco Secure ACS deletes the file.
Page 282 Cisco Secure ACS retains, select the Keep only the last X files option and type the number of files you want Cisco Secure ACS to retain in the X box. If you want to limit how old User Password Changes log files retained by...
Page 283: Ciscosecure Database Replication
Cisco Secure ACSes if the primary Cisco Secure ACS fails or is unreachable. With a secondary Cisco Secure ACS whose CiscoSecure database is a replica of the CiscoSecure database on the primary Cisco Secure ACS, if the User Guide for Cisco Secure ACS for Windows Server...
Page 284 Cisco Secure ACS. Database replication allows you to do the following: • Select the parts of the primary Cisco Secure ACS configuration to be replicated. • Control the timing of the replication process, including creating schedules •...
Page 285 Cisco Secure ACS. In the HTML interface, these are identified as replication partners. A Cisco Secure ACS can be both a primary Cisco Secure ACS and a secondary Cisco Secure ACS, provided that it is not configured to be a secondary Cisco Secure ACS to a Cisco Secure ACS for which it performs as a primary Cisco Secure ACS.
Page 286: Replication Process
On the secondary Cisco Secure ACS, the AAA Servers table entry for Note the primary Cisco Secure ACS must have the same shared secret that the primary Cisco Secure ACS has for itself in its own AAA Servers table entry. The secondary Cisco Secure ACS’s shared secret is irrelevant.
Page 287 Figure 8-1 shows a cascading replication scenario. Server 1 acts only as a primary Cisco Secure ACS, replicating to servers 2 and 3, which act as secondary Cisco Secure ACSes. After replication from server 1 to server 2 has completed, server 2 acts as a primary Cisco Secure ACS while replicating to servers 4 and 5.
Page 288: Replication Frequency
Cisco Secure ACS fails. There is a cost to having frequent replications. The more frequent the replication, the higher the load on a multi-server Cisco Secure ACS architecture and on your network environment. If you schedule frequent replication, network traffic is much higher.
Page 289: Important Implementation Considerations
Chapter 8 Establishing Cisco Secure ACS System Configuration CiscoSecure Database Replication Cisco Secure ACS every time it runs. Therefore, a large database results in substantial amounts of data being transferred, and the processing overhead can also be large. Important Implementation Considerations...
Page 290: Database Replication Versus Database Backup
Cisco Secure ACS does not support bidirectional database replication. The • secondary Cisco Secure ACS receiving the replicated components verifies that the primary Cisco Secure ACS is not on its Replication list. If not, the secondary Cisco Secure ACS accepts the replicated components. If so, it rejects the components.
Page 291: Database Replication Logging
The Database Replication report • To view the Windows Event Log, use the Windows administration utilities. You can view recent reports in the Reports and Activity section of Cisco Secure ACS. For more information about Cisco Secure ACS reports, see Chapter 9, “Working with Logging and Reports.”...
Page 292: Outbound Replication Options
Password validation settings—Replicate password validation settings. • If mirroring the entire database with a secondary Cisco Secure ACS might send confidential information, such as the Proxy Distribution Table, you can configure the primary Cisco Secure ACS to send only a specific category of database information.
Page 293 AAA Servers table in Network Configuration. To make a particular Cisco Secure ACS available as a secondary Cisco Secure ACS, you must first add that Cisco Secure ACS to the AAA Servers table of the primary Cisco Secure ACS.
Page 294: Inbound Replication Options
Cisco Secure ACS configured to replicate only when it has received replicated components from another Cisco Secure ACS acts both as a primary Cisco Secure ACS and as a secondary Cisco Secure ACS. First, it acts as a secondary Cisco Secure ACS while it receives replicated components, and then it...
Page 295: Configuring A Secondary Cisco Secure Acs
Chapter 8 Establishing Cisco Secure ACS System Configuration CiscoSecure Database Replication acts as a primary Cisco Secure ACS while it replicates components to other Cisco Secure ACS servers. For an illustration of cascade replication, see Figure 8-1. To implement primary and secondary replication setups on Cisco Secure ACSes,...
Page 296 Servers table entry for each primary Cisco Secure ACS must have the same shared secret that the primary Cisco Secure ACS has for its own entry in its AAA Servers table. For more information about the AAA Servers table, see...
Page 297 Chapter 8 Establishing Cisco Secure ACS System Configuration CiscoSecure Database Replication Make sure that no Cisco Secure ACS that the secondary Cisco Secure ACS is to Step 5 receive replicated components from is included in the Replication list. If so, select the primary Cisco Secure ACS in the Replication list and click the <-- (left arrow)
Page 298: Replicating Immediately
Configuring a Secondary Cisco Secure ACS, page 8-21. Before You Begin For each secondary Cisco Secure ACS that this Cisco Secure ACS is to send replicated components to, ensure that you have completed the steps in Configuring a Secondary Cisco Secure ACS, page 8-21.
Page 299 Cisco Secure ACS does not support bidirectional database replication. A Note secondary Cisco Secure ACS receiving replicated components verifies that the primary Cisco Secure ACS is not on its Replication list. If not, the secondary Cisco Secure ACS accepts the replicated components. If so, it rejects the components.
Page 300: Scheduling Replication
Establishing Cisco Secure ACS System Configuration CiscoSecure Database Replication Scheduling Replication You can schedule when a primary Cisco Secure ACS sends its replicated database components to a secondary Cisco Secure ACS. For more information about replication scheduling options, see Outbound Replication Options, page 8-18.
Page 301 Replication Frequency, page 8-14. Step 6 If you want to schedule times at which the primary Cisco Secure ACS sends its replicated database components to its secondary Cisco Secure ACSes, follow these steps: In the Outbound Replication table, select the At specific times option.
Page 302 Result: The selected secondary Cisco Secure ACS moves to the Replication list. Repeat Step a and Step b for each secondary Cisco Secure ACS to which you want the primary Cisco Secure ACS to send its selected replicated database components.
Page 303: Disabling Ciscosecure Database Replication
In the Outbound Replication table, select the Manually option. Click Submit. Step 6 Result: Cisco Secure ACS does not permit any replication to or from this Cisco Secure ACS server. Database Replication Event Errors The Database Replication report contains messages indicating errors that occur during replication.
Page 304: About Rdbms Synchronization
It can also be an intermediate file or database that a third-party system updates. Regardless of where the file or database resides, Cisco Secure ACS reads the file or database via the ODBC connection. You can also regard RDBMS Synchronization as an API—much of what you can configure for a user, group, or device through the Cisco Secure ACS HTML interface, you can alternatively maintain through this feature.
Page 305: Users
Specifying outbound RADIUS attribute values • • Specifying outbound TACACS+ attribute values For specific information about all actions that RDBMS Synchronization can Note perform, see Appendix F, “RDBMS Synchronization Import Definitions.” User Guide for Cisco Secure ACS for Windows Server 8-31 78-14696-01, Version 3.1...
Page 306: User Groups
• Adding and configuring Proxy Distribution Table entries Note For specific information about all actions that RDBMS Synchronization can perform, see Appendix F, “RDBMS Synchronization Import Definitions.” User Guide for Cisco Secure ACS for Windows Server 8-32 78-14696-01, Version 3.1...
Page 307: Custom Radius Vendors And Vsas
VSAs that you add must be sub-attributes of IETF RADIUS attribute number 26. You can define up to ten custom RADIUS vendors. Cisco Secure ACS allows only one instance of any given vendor, as defined by the unique vendor IETF ID number and by the vendor name.
Page 308: About The Accountactions Table
CiscoSecure user database. For full details of the accountActions table format and available actions, see Appendix F, “RDBMS Synchronization Import Definitions.” User Guide for Cisco Secure ACS for Windows Server 8-34 78-14696-01, Version 3.1...
Page 309 Cisco Secure ACS includes files to help you create your accountActions table for several common formats. You can find these files on the Cisco Secure ACS in the following location, assuming a default installation of Cisco Secure ACS:...
Page 310: Cisco Secure Acs Database Recovery Using The Accountactions Table
CiscoSecure user database, although some transactions might be invalid and reported as errors. As long as the entire transaction log is replayed, the CiscoSecure user database is consistent with the database of the external RDBMS application. User Guide for Cisco Secure ACS for Windows Server 8-36 78-14696-01, Version 3.1...
Page 311: Reports And Event (Error) Handling
Cisco Secure ACS before you configure the RDBMS Synchronization feature within Cisco Secure ACS. If you are planning to use a CSV file as your accountActions table, also see Considerations for Using CSV-Based Synchronization, page 8-38.
Page 312: Considerations For Using Csv-Based Synchronization
Note properly, discontinue updating the accountActions table until after you have completed Step 5 and Step 6. Set up a system DSN on the Cisco Secure ACS. For steps, see Configuring a Step 5 System Data Source Name for RDBMS Synchronization, page 8-40.
Page 313: Preparing For Csv-Based Synchronization
To prepare for RDBMS synchronization using a CSV file, follow these steps: Step 1 Rename the accountactions CSV file installed on your Cisco Secure ACS server accountactions.csv Assuming a default installation of Cisco Secure ACS, the accountactions file is at the following location: C:\Program Files\CiscoSecure ACS v \CSDBSync\Databases\CSV Where x.x refers to the version of your Cisco Secure ACS.
Page 314: Configuring A System Data Source Name For Rdbms Synchronization
CSV file properly. Configuring a System Data Source Name for RDBMS Synchronization On the Cisco Secure ACS, a system DSN must exist for Cisco Secure ACS to access the accountActions table. If you plan to use the Microsoft Access database provided with CiscoSecure Transactions.mdb...
Page 315: Rdbms Synchronization Options
Step 8 Close the ODBC window and Windows Control Panel. Result: The system DSN to be used by Cisco Secure ACS to access your accountActions table is created on your Cisco Secure ACS. RDBMS Synchronization Options The RDBMS Synchronization Setup page, available from System Configuration,...
Page 316: Synchronization Scheduling Options
AAA Server—This list represents the AAA servers configured in the AAA • Servers table in Network Configuration for which the Cisco Secure ACS does not perform RDBMS synchronization. • Synchronize—This list represents the AAA servers configured in the AAA Servers table in Network Configuration for which the Cisco Secure ACS does perform RDBMS synchronization.
Page 317: Performing Rdbms Synchronization Immediately
In the Password box, type the password for the username specified in the Step b. Result: Cisco Secure ACS has the information necessary to access the accountActions table. You do not have to select Manually under Replication Scheduling. For...
Page 318: Scheduling Rdbms Synchronization
Chapter 8 Establishing Cisco Secure ACS System Configuration RDBMS Synchronization For each Cisco Secure ACS that you want this Cisco Secure ACS to update with Step 4 data from the accountActions table, select the Cisco Secure ACS in the AAA Servers list, and then click —>...
Page 319 To have this Cisco Secure ACS perform RDBMS synchronization at regular intervals, under Synchronization Scheduling, select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform synchronization (up to 7 characters).
Page 320: Disabling Scheduled Rdbms Synchronizations
Replication Options, page 8-20. In the Synchronization Partners table, from the AAA Servers list, select the name of a Cisco Secure ACS that you want this Cisco Secure ACS to update with data from the accountActions table. Note The Cisco Secure ACSes available in the AAA Servers list is determined by the AAA Servers table in Network Configuration, with the addition of the name of the current Cisco Secure ACS server.
Page 321: Cisco Secure Acs Backup
The ACS Backup process backs up your Cisco Secure ACS system information to a file on the local hard drive. You can manually back up the Cisco Secure ACS system. You can also establish automated backups that occur at regular intervals or at selected days of the week and times.
Page 322: Backup File Locations
Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. For example, if you installed Cisco Secure ACS version 3.0 in the default location, the default backup location would be c:\Program Files\CiscoSecure ACS v3.0\CSAuth\System Backups...
Page 323: Reports Of Cisco Secure Acs Backups
Using the following options, you can specify how Cisco Secure ACS determines which log files to delete: Keep only the last X files—Cisco Secure ACS retains the most recent – backup files, up to the number of files specified. When the number of files specified is exceeded, Cisco Secure ACS deletes the oldest files.
Page 324: Performing A Manual Cisco Secure Acs Backup
Result: Cisco Secure ACS immediately begins a backup. Scheduling Cisco Secure ACS Backups You can schedule Cisco Secure ACS backups to occur at regular intervals or on selected days of the week and times. To schedule the times at which Cisco Secure ACS performs a backup, follow these steps: In the navigation bar, click System Configuration.
Page 325: Disabling Scheduled Cisco Secure Acs Backups
Keep only the last X files option and type in the X box the number of files you want Cisco Secure ACS to retain. To limit how old backup files retained by Cisco Secure ACS can be, select the Delete files older than X days option and type the number of days for which Cisco Secure ACS should retain a backup file before deleting it.
Page 326: Cisco Secure Acs System Restore
Under ACS Backup Scheduling, select the Manual option. Click Submit. Step 4 Result: Cisco Secure ACS does not continue any scheduled backups. You can still perform manual backups as needed. Cisco Secure ACS System Restore This section provides information about the Cisco Secure ACS System Restore feature, including procedures for restoring your Cisco Secure ACS from a backup file.
Page 327: Backup File Names And Locations
\CSAuth\System Backups where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. For example, if you installed Cisco Secure ACS version 3.0 in the default location, the default backup location would be: c:\Program Files\CiscoSecure ACS v3.0\CSAuth\System Backups...
Page 328: Components Restored
Reports of Cisco Secure ACS Restorations When a Cisco Secure ACS system restoration takes place, the event is logged in the Administration Audit report and the ACS Backup and Restore report. You can view recent reports in the Reports and Activity section of Cisco Secure ACS.
Page 329: Cisco Secure Acs Active Service Management
When the restoration is complete, you can log in again to Cisco Secure ACS. Cisco Secure ACS Active Service Management ACS Active Service Management is an application-specific service monitoring tool that is tightly integrated with ACS.
Page 330: System Monitoring
Test login process every X minutes—Controls whether or not • Cisco Secure ACS tests its login process. The value in the X box defines, in minutes, how often Cisco Secure ACS tests its login process. The default frequency is once per minute, which is also the most frequent testing interval possible.
Page 331: Setting Up System Monitoring
\CSMon\Scripts where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. – Take No Action—Leave Cisco Secure ACS operating as is.
Page 332: Event Logging
Cisco Secure ACS should take when the login test fails five successive times. To have Cisco Secure ACS generate a Windows event when a user attempts to log Step 4 in to your network using a disabled account, select the Generate event when an attempt is made to log in to a disabled account check box.
Page 333: Ip Pools Server
Chapter 8 Establishing Cisco Secure ACS System Configuration IP Pools Server To have Cisco Secure ACS send an e-mail when an event occurs, follow these Step 4 steps: Select the Email notification of event check box. In the To box, type the e-mail address (up to 200 characters) to which Cisco Secure ACS should send event notification e-mail.
Page 334: About Ip Pools Server
999 IP pools, for approximately 255,000 users. If you are using IP pooling and proxy, all accounting packets are proxied so that the Cisco Secure ACS that is assigning the IP addresses can confirm whether an IP address is already in use.
Page 335: Allowing Overlapping Ip Pools Or Forcing Unique Pool Address Ranges
7-11. Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges Cisco Secure ACS provides automated detection of overlapping pools. Note To use overlapping pools, you must be using RADIUS with VPN, and you cannot be using Dynamic Host Configuration Protocol (DHCP).
Page 336: Refreshing The Aaa Server Ip Pools Table
Click Refresh. Step 3 Result: Cisco Secure ACS updates the percentages of pooled addresses in use. User Guide for Cisco Secure ACS for Windows Server 8-62 78-14696-01, Version 3.1...
Page 337: Adding A New Ip Pool
In the End Address box, type the highest IP address (up to 15 characters) of the Step 6 range of addresses for the new pool. Click Submit. Step 7 Result: The new IP pool appears in the AAA Server IP Pools table. User Guide for Cisco Secure ACS for Windows Server 8-63 78-14696-01, Version 3.1...
Page 338: Editing An Ip Pool Definition
Address box, type the highest IP address (up to 15 characters) of the new range of addresses for the pool. Step 7 Click Submit. Result: The edited IP pool appears in the AAA Server IP Pools table. User Guide for Cisco Secure ACS for Windows Server 8-64 78-14696-01, Version 3.1...
Page 339: Resetting An Ip Pool
The Reset function recovers IP addresses within an IP pool when there are “dangling” connections. A dangling connection occurs when a user disconnects and Cisco Secure ACS does not receive an accounting stop packet from the applicable AAA client. If the Failed Attempts log in Reports and Activity shows a large number of “Failed to Allocate IP Address For User”...
Page 340: Deleting An Ip Pool
The Available column displays how many IP addresses are not assigned to users. Click Delete. Step 4 Result: Cisco Secure ACS displays a dialog box to confirm that you want to delete the IP pool. To delete the IP pool, click OK. Step 5 Result: The IP pool is deleted.
Page 341: Ip Pools Address Recovery
The IP Pools Address Recovery feature enables you to recover assigned IP addresses that have not been used for a specified period of time. You must configure an accounting network on the AAA client for Cisco Secure ACS to reclaim the IP addresses correctly.
Page 342: Voip Accounting Configuration
RADIUS Accounting or VoIP Accounting under Reports and Activity. • Send only to VoIP Accounting Log Targets—Cisco Secure ACS only logs VoIP accounting data to a CSV file. To view the data, you can use VoIP Accounting under Reports and Activity.
Page 343: Cisco Secure Acs Certificate Setup
The ACS Certificate Setup section is used to install digital certificates to support EAP-TLS and PEAP authentication, as well as to support HTTPS protocol for secure access to the Cisco Secure ACS HTML interface. Cisco Secure ACS employs the X.509 v3 digital certificate standard. Certificate files must be in either Base64-encoded X.509 format or DER-encoded binary X.509 format.
Page 344: About The Eap-Tls Protocol
EAP-TLS client includes the Windows XP operating system; EAP-TLS compliant AAA clients include Cisco 802.1x-enabled switch platforms (such as the Catalyst 6000 product line), and Cisco Aironet Wireless solutions. To support EAP-TLS, Cisco Secure ACS must operate with an X.509 v3 digital certificate.
Page 345 You trust digital certificates by installing the root certificate CA signature. If Cisco Secure ACS receives traffic from a wireless AP that has the wrong shared secret, the error message logged in to the failed attempts log reads “EAP request has invalid signature.”...
Page 346: About The Peap Protocol
The PEAP (Protected EAP) protocol is a client-server security architecture. PEAP provides stronger security, greater extensibility, and support for one-time token authentication. PEAP has been posted as an IETF Internet Draft by RSA, Cisco, and Microsoft and is available at http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-02.txt.
Page 347 PEAP authentication. Cisco Secure ACS uses unknown user processing during phase 1 of PEAP authentication, when the username is not known to Cisco Secure ACS. For more information about the Unknown User Policy, see Unknown User Processing, page 12-1.
Page 348: Installing A Cisco Secure Acs Server Certificate
Cisco Secure ACS. Before You Begin You must have a server certificate for your Cisco Secure ACS before you can install it. With Cisco Secure ACS, certificate files must be in Base64-encoded X.509. If you do not already have a server certificate in storage, you can use the...
Page 349 Certificate CN box. Type the certificate CN only; omit the cn= prefix. If you generated the request using Cisco Secure ACS, in the Private key file box, Step 5 type the full directory path and name of the file that contains the private key.
Page 350: Adding A Certificate Authority Certificate
Editing the Certificate Trust List, page 8-77, where you signify that the particular CA is to be trusted. (Cisco Secure ACS comes preconfigured with a list of popular CAs, none of which are enabled until you explicitly signify trustworthiness.) To add a certificate authority’s certificate to your local storage, follow these steps: In the navigation bar, click System Configuration.
Page 351: Editing The Certificate Trust List
8-77. Editing the Certificate Trust List Cisco Secure ACS uses the CTL to verify the client certificates. For a CA to be trusted by Cisco Secure ACS, its certificate must be installed, and the Cisco Secure ACS administrator must explicitly configure the CA as trusted by editing the CTL.
Page 352: Generating A Certificate Signing Request
CA as not trusted. Step 5 Click Submit. Result: Cisco Secure ACS configures the specified CA (or CAs) as trusted or not trusted in accordance with selecting or deselecting check boxes. Generating a Certificate Signing Request You can use Cisco Secure ACS to generate a certificate signing request (CSR).
Page 353 Click ACS Certificate Setup. Click Generate Certificate Signing Request. Step 3 Result: Cisco Secure ACS displays the Generate new request table on the Generate Certificate Signing Request page. Step 4 In the Certificate subject box, type cn= followed by the name that you would like...
Page 354: Updating Or Replacing A Cisco Secure Acs Certificate
Cisco Secure ACS Certificate Setup Click Submit. Step 10 Result: Cisco Secure ACS displays a CSR in the display area, on the right, under a banner that reads: “Now your certificate signing request is ready. You can copy and paste it into any certification authority enrollment tool.”...
Page 355: Global Authentication Setup
MS-CHAP authentication requests. Configuring Authentication Options Use this procedure to select and configure how Cisco Secure ACS handles options for authentication. In particular, use this procedure to specify and configure the varieties of EAP that you allow, and to specify whether you allow either MS-CHAP Version 1 or MS-CHAP Version 2, or both.
Page 356 Select the appropriate radio button to specify whether EAP-TLS should require Certificate name comparison, Certificate binary comparison, or Either comparison type. If you select Either comparison type, Cisco Secure ACS first Note compares the certificate name and, if necessary, then performs the certificate binary comparison.
Page 357 MS-CHAP authentication version. Click Submit + Restart. Step 7 Result: Cisco Secure ACS restarts its services and implements the authentication configuration options you selected. User Guide for Cisco Secure ACS for Windows Server 8-83...
Page 358 Chapter 8 Establishing Cisco Secure ACS System Configuration Global Authentication Setup User Guide for Cisco Secure ACS for Windows Server 8-84 78-14696-01, Version 3.1...
Page 359: Logging Formats
• Logging Formats Cisco Secure ACS logs a variety of user and system activities. Depending on the log, and how you have configured Cisco Secure ACS, logs can be recorded in one of two formats: • Comma-separated value (CSV) files—The CSV format records data in columns separated by commas.
Page 360: Special Logging Attributes
Cisco Secure ACS Logs and Reports, page 9-4. Special Logging Attributes Among the many attributes that Cisco Secure ACS can record in its logs, a few are of special importance. The following list explains the special logging attributes provided by Cisco Secure ACS.
Page 361: Chapter 9 Working With Logging And Report
Note Cisco Secure ACS cannot determine how a remote logging service is configured to process accounting packets that it is forwarded. For example, if a remote logging service is configured to discard...
Page 362: Update Packets In Accounting Logs
Update Packets In Accounting Logs Whenever you configure Cisco Secure ACS to record accounting data for user sessions, Cisco Secure ACS records start and stop packets. If you want, you can configure Cisco Secure ACS to record update packets, too. In addition to providing interim accounting information during a user session, update packets drive password expiry messages via CiscoSecure Authentication Agent.
Page 363: Accounting Logs
Accounting logs contain information about the use of remote access services by users. By default, these logs are available in CSV format. With the exception of the Passed Authentications log, you can also configure Cisco Secure ACS to export the data for these logs to an ODBC-compliant relational database that you configure to store the log data.
Page 364 • Caller line identification (CLID) information VoIP session duration • You can configure Cisco Secure ACS to include accounting for VoIP in this separate VoIP accounting log, in the RADIUS Accounting log, or in both places. Failed Attempts Lists authentication and authorization failures with an indication of the cause.
Page 365: Dynamic Administration Reports
Dynamic Administration Reports These reports show the status of user accounts at the moment you access them in the Cisco Secure ACS HTML interface. They are available only in the HTML interface, are always enabled, and require no configuration. Table 9-3 on page 9-8 contains descriptions of all dynamic administration reports and information about what you can do regarding dynamic administration reports.
Page 366: Viewing The Logged-In Users Report
Click a column title once to sort the table by the entries in that column in ascending order. Click the column a second time to sort the table by the entries in that column in descending order. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 367: Deleting Logged-In Users
From a Logged-in Users Report, you can instruct Cisco Secure ACS to delete users logged into a specific AAA client. When a user session terminates without a AAA client sending an accounting stop packet to the Cisco Secure ACS server, the Logged-in Users Report continues to show the user. Deleting logged-in users from a AAA client ends the accounting for those user sessions.
Page 368: Viewing The Disabled Accounts Report
Click the name of the AAA client whose users you want to delete from the Step 3 Logged-in Users report. Result: Cisco Secure ACS displays a table of all users logged in through the AAA client. The Purge Logged in Users button appears below the table. Click Purge Logged in Users.
Page 369: Cisco Secure Acs System Logs
Table 9-4 Accounting Log Descriptions and Related Topics Description and Related Topics ACS Backup and Restore Lists Cisco Secure ACS backup and restore activity. This log cannot be configured. RDBMS Synchronization Lists RDBMS Synchronization activity. This log cannot be configured.
Page 370: Configuring The Administration Audit Log
Cisco Secure ACS to retain. To limit how old Administrative Audit CSV files retained by Cisco Secure ACS can be, select the Delete files older than X days option and type the number of days for which Cisco Secure ACS should retain a Administrative Audit CSV file before deleting it.
Page 371: Working With Csv Logs
Database Replication 2002-10-13.csv CSV Log File Locations By default, Cisco Secure ACS keeps log files in directories unique to the log. The HTML interface enables you to configure the log file location for some logs while the location for other log files is not configurable. The default directories for all logs are within sysdrive x.x.
Page 372: Enabling Or Disabling A Csv Log
About Cisco Secure ACS Logs and Reports, page 9-4. To enable or disable a CSV log, follow these steps: In the navigation bar, click System Configuration. Step 1 Step 2 Click Logging. User Guide for Cisco Secure ACS for Windows Server 9-14 78-14696-01, Version 3.1...
Page 373: Viewing A Csv Report
Step 2 Click the name of the CSV report you want to view. Result: On the right side of the browser, Cisco Secure ACS lists the current CSV report file name and the file names of any old CSV report files.
Page 374: Configuring A Csv Log
Chapter 9 Working with Logging and Reports Working with CSV Logs You can configure how Cisco Secure ACS handles old CSV report files. For more information, see Configuring a CSV Log, page 9-16. Click the CSV report file name whose contents you want to view.
Page 375 • CSV file retention—You can specify how many old CSV files Cisco Secure ACS maintains or set a maximum number of files it is to retain. To configure a CSV log, follow these steps: In the navigation bar, click System Configuration.
Page 376 X files option and type the number of files you want Cisco Secure ACS to retain in the X box. To limit how old CSV files retained by Cisco Secure ACS can be, select the Delete files older than X days option and type the number of days for which Cisco Secure ACS should retain a CSV file before deleting it.
Page 377: Working With Odbc Logs
Set up the relational database to which you want to export logging data. For more Step 1 information, refer to your relational database documentation. Set up a system data source name (DSN) on the Cisco Secure ACS server. For Step 2 instructions, see...
Page 378: Configuring A System Data Source Name For Odbc Logging
Result: The System DSN to be used by Cisco Secure ACS for communicating with the relational database is created on the computer running Cisco Secure ACS. The name you assigned to the DSN appears in the Data Source list on each ODBC log configuration page.
Page 379 Logged Attributes list. Step 4 Specify the attributes that you want Cisco Secure ACS to send to the relational database: To add an attribute to the log, select the attribute in the Attributes list, and then click —>...
Page 380 ODBC database. To do so, follow these steps: From the Data Source list, select the system DSN you created to allow Cisco Secure ACS to send ODBC logging data to your relational database. In the Username box, type the username of a user account in your relational database (up to 80 characters).
Page 381: Remote Logging
Cisco Secure ACSes. You can configure each Cisco Secure ACS to point to one Cisco Secure ACS that is to be used as a central logging server. The central logging Cisco Secure ACS still performs AAA functions, but it also is the repository for accounting logs it receives.
Page 382: Implementing Centralized Remote Logging
3.1. For information about installing Cisco Secure ACS, see the Installation Guide for Cisco Secure ACS for Windows Server. In the Cisco Secure ACS running on the central logging server, follow these steps: Step 2 Configure the accounting logs as needed. All accounting data sent to the central logging server will be recorded in the way you configure accounting logs on this Cisco Secure ACS.
Page 383: Remote Logging Options
Cisco Secure ACS in the AAA Servers table. Step 3 For each Cisco Secure ACS that is to send its accounting data to the central logging server, follow these steps: Add the central logging server to the AAA Servers table in Network Configuration.
Page 384: Enabling And Configuring Remote Logging
• sends accounting data for locally authenticated sessions to the first Cisco Secure ACS that is operational in the Selected Log Services list. This behavior enables you to configure one or more backup central logging servers so that no accounting data is lost if the first central logging server fails or is otherwise unavailable to Cisco Secure ACS.
Page 385 Cisco Secure ACS to send accounting data to a second remote Cisco Secure ACS if the first Cisco Secure ACS fails. For each remote Cisco Secure ACS you want to have in the Selected Log Services Step 6...
Page 386: Disabling Remote Logging
Result: Cisco Secure ACS saves and implements the remote logging configuration you specified. Disabling Remote Logging By disabling the Remote Logging feature, you prevent Cisco Secure ACS from sending its accounting information to a central logging Cisco Secure ACS. To disable remote logging, follow these steps: In the navigation bar, click System Configuration.
Page 387: Services Logged
Chapter 9 Working with Logging and Reports Service Logs For more information about Cisco Secure ACS services, see Appendix G, “Cisco Secure ACS Internal Architecture.” Services Logged Cisco Secure ACS generates logs for the following services: CSAdmin • • CSAuth CSDBSync •...
Page 388: Configuring Service Logs
Working with Logging and Reports Service Logs Configuring Service Logs You can configure how Cisco Secure ACS generates and manages the service log file. The options for configuring the service log file are listed below. • Level of detail—You can set the service log file to contain one of three levels of detail: –...
Page 389 Step 3 Result: After you click Restart, Cisco Secure ACS does not generate new service logs file. To configure how often Cisco Secure ACS creates a service log file, select one of Step 4 the options under Generate New File.
Page 390 Chapter 9 Working with Logging and Reports Service Logs User Guide for Cisco Secure ACS for Windows Server 9-32 78-14696-01, Version 3.1...
Page 391: Administrator Accounts
Setting Up and Managing Administrators and Policy This chapter addresses the Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 features found in the Administration Control section of the HTML interface. It contains the following sections: Administrator Accounts, page 10-1 •...
Page 392: C H A P T E R 10 Setting Up And Managing Administrators And Policy
Cisco Secure ACS using an administrative account. If your Cisco Secure ACS is so configured, you may need to log in to Cisco Secure ACS even in a browser run on the Cisco Secure ACS Windows server. For more information about automatic...
Page 393: Administrator Privileges
Cisco application for adding new device command set types. New device command set types that are added to Cisco Secure ACS using this privilege appear in the Shared Profile Components section of the HTML interface.
Page 394 ACS Restore—For more information about this feature, see – Cisco Secure ACS System Restore, page 8-52. – ACS Service Management—For more information about this feature, Cisco Secure ACS Active Service Management, page 8-55. User Guide for Cisco Secure ACS for Windows Server 10-4 78-14696-01, Version 3.1...
Page 395 Purge of Logged-in Users—For more information about this feature, – Deleting Logged-in Users, page 9-9. Disabled Accounts—For more information about this report, see – Dynamic Administration Reports, page 9-7. User Guide for Cisco Secure ACS for Windows Server 10-5 78-14696-01, Version 3.1...
Page 396: Adding An Administrator Account
Before You Begin For descriptions of the options available while adding an administrator account, Administrator Privileges, page 10-3. To add a Cisco Secure ACS administrator account, follow these steps: Step 1 In the navigation bar, click Administration Control. Click Add Administrator.
Page 397 Step 7 Click Submit. Result: Cisco Secure ACS saves the new administrator account. The new account appears in the list of administrator accounts on the Administration Control page. User Guide for Cisco Secure ACS for Windows Server 10-7 78-14696-01, Version 3.1...
Page 398: Editing An Administrator Account
Setting Up and Managing Administrators and Policy Administrator Accounts Editing an Administrator Account You can edit a Cisco Secure ACS administrator account to change the privileges granted to the administrator. You can effectively disable an administrator account by revoking all privileges.
Page 399 Step 4 Password box and you want to allow the administrator whose account you are editing to access the Cisco Secure ACS HTML interface, select the Reset current failed attempts count check box. If the Reset current failed attempts count check box appears below the...
Page 400: Unlocking A Locked Out Administrator Account
Result: Cisco Secure ACS saves the changes to the administrator account. Unlocking a Locked Out Administrator Account Cisco Secure ACS disables the accounts of administrators who have attempted to access the Cisco Secure ACS HTML interface and have provided an incorrect password in more successive attempts than is specified in on the Session Policy Setup page.
Page 401: Deleting An Administrator Account
Setting Up and Managing Administrators and Policy Access Policy Deleting an Administrator Account You can delete a Cisco Secure ACS administrator account when you no longer need it. We recommend deleting any unused administrator accounts. To delete a Cisco Secure ACS administrator account, follow these steps: In the navigation bar, click Administration Control.
Page 402: Access Policy Options
Port X to Port Y—Restrict the ports used by administrative HTTP sessions to the range specified in the X and Y boxes, inclusive. The size of the range specified determines the maximum number of concurrent administrative sessions. User Guide for Cisco Secure ACS for Windows Server 10-12 78-14696-01, Version 3.1...
Page 403 2002 in the port range. Also, Cisco Secure ACS does not allow you to define an HTTP port range that consists only of port 2002. Your port range must consist of at least one port other than port 2002.
Page 404: Setting Up Access Policy
For information about access policy options, see Access Policy Options, page 10-12. To set up Cisco Secure ACS Access Policy, follow these steps: In the navigation bar, click Administration Control. Step 1 Result: Cisco Secure ACS displays the Administration Control page.
Page 405 HTTP Port Allocation, select the Allow any TCP ports to be used for Administration HTTP Access option. If you want to allow Cisco Secure ACS to use only a specified range of TCP ports Step 7 for administrative sessions, follow these steps: Under HTTP Port Allocation, select the Restrict Administration Sessions to the following port range From Port X to Port Y option.
Page 406: Session Policy
If there are no administrator accounts defined, no administrator name and Note password is required to access Cisco Secure ACS locally. This prevents you from accidentally locking yourself out of Cisco Secure ACS. User Guide for Cisco Secure ACS for Windows Server 10-16 78-14696-01, Version 3.1...
Page 407: Setting Up Session Policy
X box. If this check box is selected, the X box cannot be set to zero. If this check box is not selected, Cisco Secure ACS allows unlimited successive failed login attempts by an administrator.
Page 408: Audit Policy
Set the failed administrative login attempts policy: Step 6 To enable Cisco Secure ACS to lock out an administrator after a specified number of successive failed administrative login attempts, select the Lock out Administrator after X successive failed attempts check box.
Page 409 C H A P T E R Working with User Databases Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 authenticates users against one of several possible databases, including its internal database. You can configure Cisco Secure ACS to authenticate users with more than one type of database.
Page 410: Ciscosecure User Database
Working with User Databases CiscoSecure User Database CiscoSecure User Database The CiscoSecure user database is the database internal to Cisco Secure ACS. It supports authentication using ASCII, PAP, CHAP, MS-CHAP, ARAP, LEAP, EAP-MD5, EAP-TLS, and PEAP(EAP-GTC). The CiscoSecure user database is crucial for the authorization process. Regardless...
Page 411: Chapter 11 Working With User Database
• Unknown User Policy—The Unknown User Policy enables Cisco Secure ACS to add users automatically when a user without an account in the CiscoSecure user database is found in an external user database. The creation of a user account in the CiscoSecure user database occurs only when the user attempts to access the network and is successfully authenticated by an external user database.
Page 412: About External User Databases
You can configure Cisco Secure ACS to forward authentication of users to one external user database or more. Support for external user databases means that Cisco Secure ACS does not require that you create duplicate user entries in the CiscoSecure user database. In organizations in which a substantial user database already exists, Cisco Secure ACS can leverage the work already invested in building the database without any additional input.
Page 413: Authenticating With External User Databases
Cisco Secure ACS to communicate with an external user database. Performing one of the configuration procedures for an external database that are provided in this chapter does not on its own instruct Cisco Secure ACS to authenticate any users with that database.
Page 414: External User Database Authentication Process
In addition, the users may be placed in the desired Cisco Secure ACS group and thereby receive the applicable access profile.
Page 415: Windows Nt/2000 User Database
AAA client External user database Windows NT/2000 User Database You can configure Cisco Secure ACS to use a Windows NT/2000 user database to authenticate users. This section contains the following topics: • What’s Supported with Windows NT/2000 User Databases, page 11-8 The Cisco Secure ACS Authentication Process with Windows NT/2000 User •...
Page 416: What's Supported With Windows Nt/2000 User Databases
Chapter 11 Working with User Databases Windows NT/2000 User Database What’s Supported with Windows NT/2000 User Databases Cisco Secure ACS supports the use of Windows external user databases for the following features: • Authentication—Cisco Secure ACS supports ASCII, PAP, MS-CHAP (versions 1 and 2), LEAP, and PEAP(EAP-GTC) authentication with Windows NT 4.0 Security Accounts Manager (SAM) database or a Windows...
Page 417: Databases
To further control access by a user from within the Windows NT User Manager or the Windows 2000 Active Directory Users and Computers, you can configure Cisco Secure ACS to also check the setting for granting dialin permission to the user. This setting is labeled “Grant dialin permission to user” in Windows NT and “Allow access”...
Page 418: Windows Dial-Up Networking Clients
If your domains are Windows 2000 domains, Cisco Secure ACS can take advantage of indirect trusts for Windows authentication. Consider the example of Windows 2000 domains A, B, and C, where Cisco Secure ACS resides on a Windows 2000 server in domain A. Domain A trusts domain B, but no trust relationship is established between domain A and domain C.
Page 419: Windows Dial-Up Networking Clients Without A Domain Field
In this case, the privileges assigned upon authentication will be those associated with the account in the first domain with a User Guide for Cisco Secure ACS for Windows Server 11-11 78-14696-01, Version 3.1...
Page 420 Cisco Secure ACS submits the username to the Windows operating system on the server than runs Cisco Secure ACS. If Windows does not find the username in its local domain database, it then checks all trusted domains. If Cisco Secure ACS runs on a member server and the username is not found in trusted domains, Windows also checks its local accounts database.
Page 421: User-Changeable Passwords With Windows Nt/2000 User Databases
Note Directory user databases are configured to lock out users after a number of failed attempts, users can be inadvertently locked out because Cisco Secure ACS tries each domain in the Domain List explicitly, resulting in failed attempts for identical usernames that reside in different domains.
Page 422: Preparing Users For Authenticating With Windows Nt/2000
In the navigation bar, click External User Databases. Step 1 Step 2 Click Database Configuration. Result: Cisco Secure ACS displays a list of all possible external user database types. Click Windows NT/2000. Step 3 Result: If no Windows NT/2000 database configuration exists, the Database Configuration Creation table appears.
Page 423 Step 7 Windows domain for usernames that are not domain-qualified, select the domains you want Cisco Secure ACS to use to authenticate unqualified usernames in the Available Domains list and move them to the Domain List list by clicking —>.
Page 424: Generic Ldap
LDAP user database, see Group Mapping by Group Set Membership, page 12-14. Configuring Cisco Secure ACS to authenticate against an LDAP database has no effect on the configuration of the LDAP database. To manage your LDAP database, see your LDAP database documentation.
Page 425: Multiple Ldap Instances
AAA client to grant or deny the user access, depending upon the response from the LDAP server. Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned. While the group to which a user is assigned can be determined by information from the LDAP server, it is Cisco Secure ACS that grants authorization privileges.
Page 426: Ldap Organizational Units And Groups
LDAP groups do not need to have the same name as their corresponding Cisco Secure ACS groups. The LDAP group can be mapped to a Cisco Secure ACS group with any name you want to assign. For more information about how your LDAP database handles group membership, see your LDAP database documentation.
Page 427 LDAP database without domain filtering. If you choose to make use of domain filtering, each LDAP configuration you create in Cisco Secure ACS can perform domain filtering in one of two ways: • Limiting users to one domain—Per each LDAP configuration in Cisco Secure ACS, you can require that Cisco Secure ACS only attempts to authenticate usernames that are qualified with a specific domain name.
Page 428: Ldap Failover
Allowing usernames of any domain but stripping domain qualifiers is useful when the LDAP server stores usernames in a non-domain qualified format but the AAA client or end-user client submits the username to Cisco Secure ACS in a domain-qualified format.
Page 429: Successful Previous Authentication With The Primary Ldap Server
Failback Retry Delay box. If the Failback Retry Delay box is set to 0 (zero), Cisco Secure ACS always attempts to connect to the primary LDAP server first. And if Cisco Secure ACS cannot connect to the primary LDAP server, Cisco Secure ACS then attempts to connect to the secondary LDAP server.
Page 430: Ldap Configuration Options
Working with User Databases Generic LDAP If Cisco Secure ACS cannot connect to either LDAP server, Cisco Secure ACS stops attempting LDAP authentication for the user. If the user is an unknown user, Cisco Secure ACS tries the next external user database listed in the Unknown User Policy list.
Page 431 Strip starting characters through the last X character—When “Process all usernames after stripping domain name and delimiter” is selected, this option specifies that Cisco Secure ACS attempts to strip a prefixed domain qualifier. If, in the username, Cisco Secure ACS finds...
Page 432 Common LDAP Configuration—This table contains options that apply to • all LDAP authentication performed using this configuration. Cisco Secure ACS uses the settings in this section regardless of whether the authentication is handled by the primary or secondary LDAP server. This table contains the following options: User Directory Subtree—The distinguished name (DN) for the subtree...
Page 433 You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. Cisco Secure ACS provides default values that reflect the default configuration of a Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation.
Page 434 LDAP Version—Whether Cisco Secure ACS uses LDAP version 3 or version 2 to communicate with your LDAP database. If this check box is selected, Cisco Secure ACS uses LDAP version 3. If it is not selected, Cisco Secure ACS uses LDAP version 2.
Page 435 Cisco Secure ACS requires a cert7.db certificate database so that it can establish the SSL connection. The certificate database must be local to the Cisco Secure ACS Windows server. Cisco Secure ACS requires a certificate database file for each cert7.db...
Page 436: Configuring A Generic Ldap External User Database
For information about the options on the LDAP Database Configuration page, see LDAP Configuration Options, page 11-22. To configure Cisco Secure ACS to use the LDAP User Database, follow these steps: Step 1 In the navigation bar, click External User Databases.
Page 437 If you click Delete, the configuration of the selected LDAP database is deleted. Caution Step 7 If you do not want Cisco Secure ACS to filter LDAP authentication requests by username, under Domain Filtering, select Process all usernames. Step 8...
Page 438 LDAP database, select the Strip domain before submitting username to LDAP server check box. If you want Cisco Secure ACS to pass the username to the LDAP database without removing the domain qualifier, clear the Strip domain before submitting username to LDAP server check box.
Page 439 Step 17 In the Server Timeout box, type the number of seconds Cisco Secure ACS waits for a response from an LDAP server before determining that the connection with that server has failed.
Page 440 To specify that Cisco Secure ACS should use LDAP version 3 to communicate with your LDAP database, select the LDAP Version check box. If the LDAP Version check box is not selected, Cisco Secure ACS uses LDAP version 2. The username and password credentials are normally passed over the network to the LDAP directory in clear text.
Page 441: Novell Nds Database
Click Submit. Step 21 Result: Cisco Secure ACS saves the generic LDAP configuration you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown...
Page 442: About Novell Nds User Databases
To authenticate users with a Novell NDS database, Cisco Secure ACS depends upon Novell Requestor. Novell Requestor must be installed on the same Windows server as Cisco Secure ACS. You can download the Requestor software from the Novell website. For more information, refer to your Novell and Microsoft documentation.
Page 443: User Contexts
User Contexts You must supply one or more contexts when you configure Cisco Secure ACS to authenticate with an NDS database; however, users can supply an additional portion of the full context that defines their fully-qualified usernames. In other...
Page 444: Novell Nds External User Database Options
Novell NDS External User Database Options You create and maintain configurations for Novell NDS database authentication on the NDS Authentication Support page in Cisco Secure ACS. This page enables you to add a configuration for a Novell NDS tree, change existing tree configurations, and delete existing tree configurations in a single submission to the Cisco Secure ACS web server.
Page 445: Configuring A Novell Nds External User Database
The Novell Requestor Software for Novell NDS must be installed on the same Windows NT server as Cisco Secure ACS. If the Novell Requestor Software for Novell NDS is not on the same Windows NT server as Cisco Secure ACS, you cannot complete this procedure.
Page 446 Result: Cisco Secure ACS lists the new configuration in the External User Database Configuration table. Click Configure. Step 6 If you click Delete, the Cisco Secure ACS configuration for your Novell NDS Caution database is deleted. Result: The NDS Authentication Support page appears. The NDS Authentication Support page enables you to add a configuration for an Novell NDS tree, change existing tree configurations, and delete existing tree configurations.
Page 447: Odbc Database
Click Submit. Step 10 Result: Cisco Secure ACS saves the NDS configuration you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User...
Page 448: What Is Supported With Odbc User Databases
Configuring an ODBC External User Database, page 11-51 • What is Supported with ODBC User Databases Cisco Secure ACS supports the use of ODBC external user databases for the following features: Authentication—Cisco Secure ACS supports ASCII, PAP, ARAP, CHAP, •...
Page 449: Database
(Figure 11-2). Upon receiving the response from the ODBC database, Cisco Secure ACS instructs the requesting AAA client to grant or deny the user access, depending upon the response from the ODBC database. User Guide for Cisco Secure ACS for Windows Server 11-41 78-14696-01, Version 3.1...
Page 450: Database
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned. While the group to which a user is assigned can be determined by information from the ODBC database using a process known as “group specification”, it is Cisco Secure ACS that grants authorization privileges.
Page 451: Implementation Of Stored Procedures For Odbc Authentication
Cisco Secure ACS, so you can name the database however you like. Create the table or tables that will hold the usernames and passwords for your Step 3 users. The table names are irrelevant to Cisco Secure ACS, so you can name the tables and columns however you like. Step 4 Write the stored procedures intended to return the required authentication information to Cisco Secure ACS.
Page 452: Type Definitions
CHAP stored procedure is configured. For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if the SQL Server is configured to be case insensitive. User Guide for Cisco Secure ACS for Windows Server 11-44 78-14696-01, Version 3.1...
Page 453: Sample Routine For Generating A Pap Authentication Sql Procedure
Chapter 11 Working with User Databases ODBC Database For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether or not the SQL Server is configured for case-sensitive passwords. Sample Routine for Generating a PAP Authentication SQL...
Page 454: Procedure
GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure PAP Authentication Procedure Input Table 11-2 details the input provided by Cisco Secure ACS to the stored procedure supporting PAP authentication. The stored procedure should accept the named input values as variables. User Guide for Cisco Secure ACS for Windows Server 11-46 78-14696-01, Version 3.1...
Page 455: Pap Procedure Output
PAP Procedure Output The stored procedure must return a single row containing the non-null fields. Table 11-3 lists the procedure results Cisco Secure ACS expects as output from stored procedure. Table 11-3 PAP Stored Procedure Results Field...
Page 456: Chap/Ms-Chap/Arap Authentication Procedure Input
Chapter 11 Working with User Databases ODBC Database CHAP/MS-CHAP/ARAP Authentication Procedure Input Cisco Secure ACS provides a single value for input to the stored procedure supporting CHAP/MS-CHAP/ARAP authentication. The stored procedure should accept the named input value as a variable. Note...
Page 457: Result Codes
The SQL procedure can decide among 1, 2, or 3 to indicate a failure, depending on how much information you want the failed authentication log files to include. User Guide for Cisco Secure ACS for Windows Server 11-49 78-14696-01, Version 3.1...
Page 458: Database
Configuring a System Data Source Name for an ODBC External User Database On the Cisco Secure ACS server, you must create a system DSN for Cisco Secure ACS to communicate with the relational database. To create a system DSN for use with an ODBC external user database, follow...
Page 459: Configuring An Odbc External User Database
Close the ODBC window and Windows Control Panel. Step 8 Result: The system DSN to be used by Cisco Secure ACS for communication with the relational database is created on your Cisco Secure ACS server. Configuring an ODBC External User Database...
Page 460 Note If you have not configured on the Cisco Secure ACS server a DSN for the relational database, do so before completing these steps. For more information about creating a DSN for Cisco Secure ACS ODBC...
Page 461 PAP SQL Procedure box. If it does not, be sure to create it in the ODBC database before attempting to authenticate users against the ODBC database. User Guide for Cisco Secure ACS for Windows Server 11-53 78-14696-01, Version 3.1...
Page 462: Leap Proxy Radius Server Database
Click Submit. Step 14 Result: Cisco Secure ACS saves the ODBC configuration you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User...
Page 463: Configuring A Leap Proxy Radius Server External User Database
Configuring a LEAP Proxy RADIUS Server External User Database You should install and configure your proxy RADIUS server before configuring Cisco Secure ACS to authenticate users with it. For information about installing the proxy RADIUS server, refer to the documentation included with your RADIUS server.
Page 464 • conducts authentication sessions. If the LEAP Proxy RADIUS server is installed on the same Windows server as Cisco Secure ACS, this port should not be the same port used by Cisco Secure ACS for RADIUS authentication. For more information about the ports used by Cisco Secure ACS for...
Page 465: Token Server User Databases
Chapter 7, “Setting Up and Managing User Accounts.” Token Server User Databases Cisco Secure ACS supports the use of token servers for the increased security provided by one-time passwords (OTPs). This section includes the following topics: •...
Page 466: Token Servers And Isdn
Cisco Secure ACS then maintains the accounting information. Cisco Secure ACS acts as a client to the token server. For all token servers except RSA SecurID, Cisco Secure ACS accomplishes this using the RADIUS interface of the token server. For more information about Cisco Secure ACS support of...
Page 467: Radius-Enabled Token Servers
Token Server External User Database, page 11-60. Cisco Secure ACS provides a means for specifying a user group assignment in the RADIUS response from the RADIUS-enabled token server. Group specification always takes precedence over group mapping. For more information, see RADIUS-Based Group Specification, page 12-22.
Page 468: Token Server Radius Authentication Request And Response Contents
Cisco Secure ACS expects to receive one of the following three responses: access-accept—No attributes are required; however, the response can • indicate the Cisco Secure ACS group to which the user should be assigned. For more information, see RADIUS-Based Group Specification, page 12-22.
Page 469 Working with User Databases Token Server User Databases To configure Cisco Secure ACS to authenticate users with a ActivCard token server, CRYPTOCard token server, Vasco token server, Safeword token server, PassGo token server, or generic RADIUS Token Sever, follow these steps: In the navigation bar, click External User Databases.
Page 470 Authentication Port—The UDP port over which the RADIUS server conducts authentication sessions. If the RADIUS token server is installed on the same Windows server as Cisco Secure ACS, this port should not be the same port used by Cisco Secure ACS for RADIUS authentication. For more...
Page 471 Note must use the Static (sync and async tokens) option. If you want Cisco Secure ACS to send the token server a password to trigger a challenge, select From Token Server (async tokens only), and then, in the Password box, type the password that Cisco Secure ACS will forward to the token server.
Page 472: Rsa Securid Token Servers
Database, page 12-12. Cisco Secure ACS supports PPP (ISDN and async) and Telnet for RSA SecurID token servers. It does so by acting as a token-card client to the RSA SecurID token server. This requires that RSA token-card client software must be installed on the Cisco Secure ACS Windows 2000 server.
Page 473: Configuring An Rsa Securid Token Server External User Database
Make sure you have the RSA ACE Client for Windows 2000 software. To configure Cisco Secure ACS to authenticate users with an RSA token server, follow these steps: Install the RSA client on the Cisco Secure ACS server:...
Page 474: Deleting An External User Database Configuration
Click Configure. Step 6 Result: Cisco Secure ACS displays the name of the token server and the path to the authenticator DLL. This information confirms that Cisco Secure ACS can contact the RSA client. You can add the RSA SecurID external user database to your Unknown User Policy or assign specific user accounts to use this database for authentication.
Page 475 Chapter 11 Working with User Databases Deleting an External User Database Configuration Result: Cisco Secure ACS lists all possible external user database types. Click the external user database type for which you want to delete a configuration. Step 3 Result: The External User Database Configuration table appears.
Page 476 Chapter 11 Working with User Databases Deleting an External User Database Configuration User Guide for Cisco Secure ACS for Windows Server 11-68 78-14696-01, Version 3.1...
Page 477: Unknown User Processing
Chapter 11, “Working with User Databases.” Unknown User Processing Unknown users are users who are not listed in the Cisco Secure ACS database. The Unknown User feature is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. In this additional step of the...
Page 478: C H A P T E R 12 Administering External User Databases
Administering External User Databases Unknown User Processing The Unknown User feature enables Cisco Secure ACS to use a variety of external databases in addition to its own internal database to authenticate incoming user requests. With this feature, Cisco Secure ACS provides the foundation for a basic single sign-on capability by integrating network and host-level access control.
Page 479: General Authentication Request Handling And Rejection Mode
If you have configured the Unknown User Policy in Cisco Secure ACS, Cisco Secure ACS attempts to authenticate users as follows: Cisco Secure ACS checks its internal user database. If the user exists in the CiscoSecure user database (that is, is a known or discovered user), Cisco Secure ACS tries to authenticate the user with the specified password type against the specified database.
Page 480: Authentication Request Handling And Rejection Mode With The Windows Nt/2000 User Database
Because usernames in the CiscoSecure user database must be unique, Cisco Secure ACS supports a single instance of any given username across all the databases it is configured to use. For example, assume every external user database contains a user account with the username John.
Page 481: Windows Authentication With A Domain Specified
Windows Authentication with a Domain Specified When a domain name is supplied as part of a authentication request, Cisco Secure ACS detects that a domain name was supplied and tries the authentication credentials against the specified domain. The dial-up networking clients provided with various Windows versions differ in the method by which users can specify their domains.
Page 482: Windows Authentication With Domain Omitted
Cisco Secure ACS successfully authenticates the user or until Cisco Secure ACS has tried each domain listed in the Domain List. If your network has multiple occurrences of a username across domains (for...
Page 483: Performance Of Unknown User Authentication
At best, the time needed for each authentication is the time taken by the external database to authenticate, plus some latency for Cisco Secure ACS processing. In some circumstances (for example, when using a Windows NT/2000 user database), the extra latency introduced by an external database can be as much as tens of seconds.
Page 484: Network Access Authorization
Administering External User Databases Unknown User Processing The default AAA client timeout value is 5 seconds. If you have Cisco Secure ACS configured to search through several databases or if your databases are large, you might need to increase this value in your AAA client configuration file. For more information, refer to your Cisco IOS documentation.
Page 485: Database Search Order
Cisco Aironet Access Point. Configuring the Unknown User Policy In Cisco Secure ACS, an unknown user is defined as a user for whom no account has been created within the Cisco Secure ACS database.
Page 486 Chapter 12 Administering External User Databases Unknown User Processing To specify how Cisco Secure ACS should handle users who are not in the Cisco Secure ACS database, follow these steps: In the navigation bar, click External User Databases. Step 1 Click Unknown User Policy.
Page 487: Turning Off External User Database Authentication
Database Group Mappings Turning off External User Database Authentication You can configure Cisco Secure ACS so that users who are not in the Cisco Secure ACS database are not permitted to authenticate. To turn off external user database authentication, follow these steps: In the navigation bar, click External User Databases.
Page 488: Group Mapping By External User Database
Database Group Mappings Group Mapping by External User Database You can map an external database to a Cisco Secure ACS group. Unknown users who authenticate using the specified database automatically belong to, and inherit the authorizations of, the group. For example, you could configure Cisco Secure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters.
Page 489: Database, Or Leap Proxy Radius Server Database
Click Submit. Result: Cisco Secure ACS assigns unknown and discovered users authenticated by the external database type you selected in Step 3 to the Cisco Secure ACS group selected in Step 4. For users authenticated by an ODBC, CRYPTOCard, Safeword, ActivCard, Vasco, PassGo, or LEAP Proxy RADIUS Server database, the mapping is only applied as a default if those databases did not specify a Cisco Secure ACS group for the user.
Page 490: Group Mapping By Group Set Membership
For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group, the user must match all external user database groups in the set.
Page 491: Group Mapping Order
Cisco Secure ACS group, Cisco Secure ACS starts at the top of the list of group mappings for that database. Cisco Secure ACS checks the user group memberships in the external user database against each group mapping in the list sequentially.
Page 492: Default Group Mapping For Windows Nt/2000
Database Group Mappings Default Group Mapping for Windows NT/2000 For Windows NT/2000 user databases, Cisco Secure ACS includes the ability to define a default group mapping. If no other group mapping matches an unknown user authenticated by a Windows NT/2000 user database, Cisco Secure ACS assigns the user to a group based on the default group mapping.
Page 493 A user must match all the groups in the Selected list so that Note Cisco Secure ACS can use this group set mapping to map the user to a Cisco Secure ACS group; however, a user can also belong to other groups (in addition to the groups listed) and still be mapped to a Cisco Secure ACS group.
Page 494: Mapping
Chapter 12 Administering External User Databases Database Group Mappings In the CiscoSecure group list, select the name of the Cisco Secure ACS group to Step 9 which you want to map users who belong to all the external user database groups in the Selected list.
Page 495 No Access Group for Group Set Mappings, page 12-15. Step 8 Click Submit. Result: The Group Mappings for database page opens again with the changed group set mapping listed. User Guide for Cisco Secure ACS for Windows Server 12-19 78-14696-01, Version 3.1...
Page 496: Configuration
Result: Cisco Secure ACS displays a confirmation dialog box. Click OK in the confirmation dialog box. Step 8 Result: Cisco Secure ACS deletes the selected external user database group set mapping. Deleting a Windows NT/2000 Domain Group Mapping Configuration You can delete an entire group mapping configuration for a Windows NT/2000 domain.
Page 497: Changing Group Set Mapping Order
Changing Group Set Mapping Order You can change the order in which Cisco Secure ACS checks group set mappings for users authenticated by Windows NT/2000, Novell NDS, and generic LDAP databases. To order group mappings, you must have already mapped them. For...
Page 498: Radius-Based Group Specification
RADIUS-Based Group Specification For some types of external user databases, Cisco Secure ACS supports the assignment of users to specific Cisco Secure ACS groups based upon the RADIUS authentication response from the external user database. This is...
Page 499 [009\001] cisco-av-pair with the following value: ACS:CiscoSecure-Group-Id = where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user. For example, if the LEAP Proxy RADIUS Server authenticated a user and included the following value for the...
Page 500 Chapter 12 Administering External User Databases Database Group Mappings User Guide for Cisco Secure ACS for Windows Server 12-24 78-14696-01, Version 3.1...
Page 501 Scan the column on the left to identify the condition that you are trying to resolve, and then carefully go through each corresponding recovery action offered in the column on the right. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 502: Administration Issues
Make sure that the SMTP server name is correct. If the name is event notification is not correct, make sure that the Cisco Secure ACS server can ping the receiving e-mail. SMTP server or can send e-mail via a third-party e-mail software package.
Page 503: A P P E N D I X A Troubleshooting Information For Cisco Secure Acs
System interface. Requirements, page 2-2, for a list of browsers supported by Cisco Secure ACS and the release notes for known issues with a particular browser version. For information about various network scenarios that affect remote administrative sessions, see Network Environments and Remote Administrative Sessions, page 1-27.
Page 504 Cisco IOS 12.0.5.T Release 11.1. However, there are a few attributes that are not yet supported or that require a later version of the Cisco IOS software. The following attributes fall into this category: AAA client times out when Increase the TACACS+ timeout interval from the default, 5, to 20.
Page 505: Database Issues
Make sure a two-way trust (for dial-in check) has been established properly. between the Cisco Secure ACS domain and the other domains. Turn logging to the maximum and check the csauth service log file for any debug messages beginning with .
Page 506: Dial-In Connection Issues
Dial-in Connection Issues Condition Recovery Action A dial-in user cannot Examine the Cisco Secure ACS Reports or AAA client Debug output to narrow connect to the AAA the problem to a system error or a user error. Confirm the following: client.
Page 507 Failed Attempts The User Properties for the dial-in window does not have Grant dial-in • Report (in the permission to user disabled, if Cisco Secure ACS is using this option for Reports & Activity authenticating. section, click Failed From within the Cisco Secure ACS confirm the following: Attempts).
Page 508 The CiscoSecure and a password has been entered in User Setup for the user. user database is The Cisco Secure ACS group to which the user is assigned has the correct • being used for authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to authentication.
Page 509 Condition Recovery Action A dial-in user is Determine if the Cisco Secure ACS is receiving the request. This can be done by unable to connect to viewing the Cisco Secure ACS reports. Based on what does not appear in the...
Page 510: Debug Issues
From within Cisco Secure ACS confirm the following: a failure message. Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports. What does or does not appear in the reports may provide indications that your Cisco Secure ACS is misconfigured.
Page 511: Proxy Issues
All previous accounting logs are missing. When reinstalling or upgrading the Cisco Secure ACS software, these files are deleted unless they have been moved to an alternative directory location. User Guide for Cisco Secure ACS for Windows Server A-11 78-14696-01, Version 3.1...
Page 512: Maxsessions Issues
Restart the csadmin services by clicking X in the upper right corner format, the Logged-In User list of the HTML interface. and CSAdmin log still display old format dates. User Guide for Cisco Secure ACS for Windows Server A-12 78-14696-01, Version 3.1...
Page 513: Third-Party Server Issues
Third-Party Server Issues Condition Recovery Action You cannot Log in to the Windows 2000 server on which Cisco Secure ACS is installed. successfully (Make sure your login account has administrative privileges.) implement the RSA Make sure the RSA Client software is installed on the same Windows 2000 token server.
Page 514: User Authentication Issues
Databases list. Click Up or Down to move the database into the desired position in the authentication hierarchy. If you are using the Cisco Secure ACS Unknown User feature, external databases can authenticate using only PAP. User did not inherit settings from new group.
Page 515 The retry interval is too short. (The default is 5 seconds.) Increase the retry interval (tacacs-server timeout 20) on the AAA client to 20 or greater. Check the Failed Attempts report. User Guide for Cisco Secure ACS for Windows Server A-15 78-14696-01, Version 3.1...
Page 516: Tacacs+ And Radius Attribute Issues
Some attributes are not customer-configurable in Note Cisco Secure ACS; instead, their values are set by Cisco Secure ACS. Beginning with Cisco Secure ACS version 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because...
Page 517: Cisco Ios Av Pair Dictionary
Cisco Secure ACS. Note If you specify a given AV pair in Cisco Secure ACS, you must also enable the corresponding AV pair in the Cisco IOS software running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If Cisco Secure ACS sends an AV pair to the AAA client that the Cisco IOS software does not support, that attribute is not implemented.
Page 518: Appendix B Tacac+ Attribute-Value Pair
Cisco Secure ACS supports many TACACS+ AV pairs. For descriptions of these attributes, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ AV Pairs supported in Cisco Secure ACS are as follows: acl= •...
Page 519 • protocol= • route • • route#n routing= • rte-ftr-in#n • • rte-ftr-out#n sap#n • sap-fltr-in#n • sap-fltr-out#n • service= • • source-ip= timeout= • tunnel-id • User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 520: Tacacs+ Accounting Av Pairs
TACACS+ Accounting AV Pairs Cisco Secure ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ accounting AV pairs supported in Cisco Secure ACS are as follows: •...
Page 521 Appendix B TACACS+ Attribute-Value Pairs Cisco IOS AV Pair Dictionary protocol • reason • service • • start_time stop_time • • task_id timezone • xmit-rate • User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 522 Appendix B TACACS+ Attribute-Value Pairs Cisco IOS AV Pair Dictionary User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 523 A P P E N D I X RADIUS Attributes Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server ve rsion 3.1 supports many RADIUS attributes. This appendix lists the standard attributes, vendor-proprietary attributes, vendor-specific attributes supported by...
Page 524: Appendix C Radiu Attribute
Cisco IOS or compatible AAA client software. For more information, see System Requirements, page 2-2. If you specify a given AV pair on Cisco Secure ACS, the corresponding AV pair Note must be implemented in the Cisco IOS software running on the network device.
Page 525: Cisco Ios Dictionary Of Radius Av Pairs
Login-Service integer Both Login-TCP-Port integer (maximum Outbound length 10 characters) Reply-Message string Outbound Expiration date — — Framed-Route string Outbound State string (maximum Outbound length 253 characters) User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 526 Acct-Session-ID string Inbound Acct-Authentic integer Inbound Acct-Session-Time integer Inbound Acct-Input-Packets integer Inbound Acct-Output-Packets integer Inbound Acct-Terminate-Cause integer Inbound NAS-Port-Type integer Inbound NAS-Port-Limit integer (maximum Both length 10 characters) User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 527 Cisco Secure ACS supports Cisco IOS/PIX vendor-specific attributes (VSAs). The vendor ID for this Cisco RADIUS Implementation is 009. Table C-2 lists the supported Cisco IOS/PIX RADIUS VSAs. For a discussion of Cisco IOS/PIX RADIUS VSA 1, cisco-av-pair, see AV pair 26 Note Table C-6. Note For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP...
Page 528: Cisco Ios/Pix Dictionary Of Radius Vsas
(maximum Outbound length 247 characters) cisco-h323-redirect-ip-addr string (maximum Outbound length 247 characters) cisco-h323-billing-model string (maximum Outbound length 247 characters) cisco-h323-currency string (maximum Outbound length 247 characters) User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 529 247 characters) Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs Cisco Secure ACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076. Table C-3 lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs.
Page 530: Cisco Vpn 3000 Concentrator Dictionary Of Radius Vsas
CVPN3000-IPSec-Banner1 string (maximum Outbound length 247 characters) CVPN3000-IPSec-Allow-Passwd- integer Outbound Store CVPN3000-Use-Client-Address integer Outbound CVPN3000-PPTP-Encryption integer Outbound CVPN3000-L2TP-Encryption integer Outbound CVPN3000-IPSec-Split-Tunnel- string (maximum Outbound List length 247 characters) User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 531 Outbound Compression CVPN3000-L2TP-MPPC- integer Outbound Compression CVPN3000-IPSec-IP-Compression integer Outbound CVPN3000-IPSec-IKE-Peer-ID- integer Outbound Check CVPN3000-IKE-Keep-Alives integer Outbound CVPN3000-IPSec-Auth-On-Rekey integer Outbound CVPN3000-Required-Client- integer (maximum Outbound Firewall-Vendor-Code length 10 characters) User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 532 10 characters) CVPN3000-User-Auth-Server- string (maximum Outbound Secret length 247 characters) CVPN3000-IPSec-Split-Tunneling- integer Outbound Policy CVPN3000-IPSec-Required-Client- integer Outbound Firewall-Capability CVPN3000-IPSec-Client-Firewall- string (maximum Outbound Filter-Name length 247 characters) User Guide for Cisco Secure ACS for Windows Server C-10 78-14696-01, Version 3.1...
Page 533: Cisco Vpn 5000 Concentrator Dictionary Of Radius Vsas
Outbound Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs Cisco Secure ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. Table C-4 lists the supported Cisco VPN 5000 Concentrator RADIUS VSAs.
Page 534: Cisco Building Broadband Service Manager Dictionary Of Radius Vsa
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA Cisco Secure ACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263. Table C-5 lists the supported Cisco BBSM RADIUS VSA.
Page 535: Ietf Dictionary Of Radius Av Pairs
PPP (Point-to-Point Protocol) CHAP string Outbound No (Challenge Handshake Authentication Protocol) response to an Access-Challenge. NAS-IP Address IP address of the AAA client that is ipaddr Inbound requesting authentication. User Guide for Cisco Secure ACS for Windows Server C-13 78-14696-01, Version 3.1...
Page 536 Digital Network) interface, the value is 2ppcc For channels on a basic rate • ISDN interface, the value is 3bb0c • For other types of interfaces, the value is 6nnss User Guide for Cisco Secure ACS for Windows Server C-14 78-14696-01, Version 3.1...
Page 537 (maximum network. This AV results in a static length 15 route being added for characters) Framed-IP-Address with the mask specified. User Guide for Cisco Secure ACS for Windows Server C-15 78-14696-01, Version 3.1...
Page 538 EXEC authorization. Not currently implemented for non-EXEC authorization. Login-IP-Host Host to which the user will connect ipaddr Both when the Login-Service attribute is (maximum included. length 15 characters) User Guide for Cisco Secure ACS for Windows Server C-16 78-14696-01, Version 3.1...
Page 539 [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are ignored. Framed-IPX- — integer Outbound No Network User Guide for Cisco Secure ACS for Windows Server C-17 78-14696-01, Version 3.1...
Page 540 CHAP characters) challenges. Class Arbitrary value that the AAA client string Both includes in all accounting packets for this user if supplied by the RADIUS server. User Guide for Cisco Secure ACS for Windows Server C-18 78-14696-01, Version 3.1...
Page 541 IP authorization (during PPP IPCP address assignment). The second example causes a user of a device-hosted administrative session to have immediate access to EXEC commands. User Guide for Cisco Secure ACS for Windows Server C-19 78-14696-01, Version 3.1...
Page 542 Identification Server) or similar technology. This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI (Primary Rate Interface). User Guide for Cisco Secure ACS for Windows Server C-20 78-14696-01, Version 3.1...
Page 543 Number of octets received from the integer Inbound port while this service is being provided. Acct-Output- Number of octets sent to the port integer Inbound Octets while this service is being delivered. User Guide for Cisco Secure ACS for Windows Server C-21 78-14696-01, Version 3.1...
Page 544 Acct-Output- Number of packets sent to the port integer Inbound Packets while this service is being delivered to a framed user. User Guide for Cisco Secure ACS for Windows Server C-22 78-14696-01, Version 3.1...
Page 545 15: Service unavailable • 16: Callback • • 17: User error 18: Host request • Acct-Multi- — string Inbound Session-Id Acct-Link-Count — integer Inbound Acct-Input- — integer Inbound Gigawords User Guide for Cisco Secure ACS for Windows Server C-23 78-14696-01, Version 3.1...
Page 546 Login-LAT-Port — string Both Tunnel-Type — tagged Both integer Tunnel-Medium- — tagged Both Type integer Tunnel-Client- — tagged Both Endpoint string Tunnel-Server- — Tagged Both Endpoint string User Guide for Cisco Secure ACS for Windows Server C-24 78-14696-01, Version 3.1...
Page 547 Outbound No Authenticator Tunnel-Private- — tagged Both Group-ID string Tunnel- — tagged Both Assignment-ID string Tunnel-Preference 83 — tagged Both integer Acct-Interim- — integer Outbound No Interval User Guide for Cisco Secure ACS for Windows Server C-25 78-14696-01, Version 3.1...
Page 548 Inbound PreSession-Time — integer Inbound PW-Lifetime — integer Outbound No IP-Direct — ipaddr Outbound No PPP-VJ-Slot- — integer Outbound No Comp Assign-IP-pool — integer Outbound No User Guide for Cisco Secure ACS for Windows Server C-26 78-14696-01, Version 3.1...
Page 549: Microsoft Mppe Dictionary Of Radius Vsas
Outbound No Microsoft MPPE Dictionary of RADIUS VSAs Cisco Secure ACS supports the Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE). The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links.
Page 550: Microsoft Mppe Dictionary Of Radius Vsas
MPPE. It is a four octet integer that is interpreted as a string of bits. MS-CHAP- string — Inbound Domain User Guide for Cisco Secure ACS for Windows Server C-28 78-14696-01, Version 3.1...
Page 551 This attribute is only included in Access-Accept packets. MS-RAS-Version string — Inbound MS-CHAP-NT- string — Inbound Enc-PW MS-CHAP2- string — Outbound No Response MS-CHAP2-CPW 27 string — Inbound User Guide for Cisco Secure ACS for Windows Server C-29 78-14696-01, Version 3.1...
Page 552: Ascend Dictionary Of Radius Av Pairs
Appendix C RADIUS Attributes Ascend Dictionary of RADIUS AV Pairs Ascend Dictionary of RADIUS AV Pairs Cisco Secure ACS supports the Ascend RADIUS AV pairs. Table C-8 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types: •...
Page 553: Ascend Dictionary Of Radius Av Pairs
Outbound No Class string Outbound Yes Vendor-Specific string Outbound Yes Call-Station-ID string Inbound Calling-Station-ID string Inbound Acct-Status-Type integer Inbound Acct-Delay-Time integer Inbound Acct-Input-Octets integer Inbound Acct-Output-Octets integer Inbound User Guide for Cisco Secure ACS for Windows Server C-31 78-14696-01, Version 3.1...
Page 554 (maximum length 10 Both characters) Ascend-Endpoint-Disc string (maximum length 253 Both characters) Ascend-Remote-FW string (maximum length 253 Both characters) Ascend-Multicast-GLeave- integer (maximum length 10 Both Delay characters) User Guide for Cisco Secure ACS for Windows Server C-32 78-14696-01, Version 3.1...
Page 555 (maximum length 10 Both characters) Ascend-Maximum-Call- integer (maximum length 10 Both Duration characters) Ascend-Router-Preference string (maximum length 10 Both characters) Ascend-Tunneling-Protocol string (maximum length 10 Both characters) User Guide for Cisco Secure ACS for Windows Server C-33 78-14696-01, Version 3.1...
Page 556 (maximum length 10 Both characters) Ascend-User-Acct-Time integer (maximum length 10 Both characters) Support IP Address Allocation from Global Pools Ascend-Assign-IP-Client ipaddr (maximum length 15 Outbound No characters) User Guide for Cisco Secure ACS for Windows Server C-34 78-14696-01, Version 3.1...
Page 557 (maximum length 15 Outbound No characters) Ascend-Remote-Addr ipaddr (maximum length 15 Outbound No characters) Multicast Support Ascend-Multicast-Client integer (maximum length 10 Outbound No characters) Frame Datalink Profiles User Guide for Cisco Secure ACS for Windows Server C-35 78-14696-01, Version 3.1...
Page 558 Outbound No characters) Ascend-Bridge-Address string (maximum length 253 Outbound No characters) Ascend-TS-Idle-Limit integer (maximum length 10 Outbound No characters) Ascend-TS-Idle-Mode integer (maximum length 10 Outbound No characters) User Guide for Cisco Secure ACS for Windows Server C-36 78-14696-01, Version 3.1...
Page 559 (maximum length 253 Both characters) Ascend-Home-Agent-IP-Addr ipaddr (maximum length 15 Outbound No characters) Ascend-Home-Agent-Password string (maximum length 253 Outbound No characters) Ascend-Home-Network-Name string (maximum length 253 Outbound No characters) User Guide for Cisco Secure ACS for Windows Server C-37 78-14696-01, Version 3.1...
Page 560 Outbound No characters) Ascend-Authen-Alias string (maximum length 253 Outbound No characters) Ascend-Token-Expiry integer (maximum length 10 Outbound No characters) Ascend-Menu-Selector string (maximum length 253 Outbound No characters) User Guide for Cisco Secure ACS for Windows Server C-38 78-14696-01, Version 3.1...
Page 561 Outbound No characters) Ascend-Assign-IP-Pool integer Outbound No Ascend-FR-Direct integer Outbound No Ascend-FR-Direct-Profile string (maximum length 253 Outbound No characters) Ascend-FR-Direct-DLCI integer (maximum length 10 Outbound No characters) User Guide for Cisco Secure ACS for Windows Server C-39 78-14696-01, Version 3.1...
Page 562 (maximum length 10 Outbound No characters) Ascend-Dec-Channel-Count integer (maximum length 10 Outbound No characters) Ascend-Seconds-Of-History integer (maximum length 10 Outbound No characters) Ascend-History-Weigh-Type integer Outbound No User Guide for Cisco Secure ACS for Windows Server C-40 78-14696-01, Version 3.1...
Page 563 Terminal Server Attributes Ascend-Host-Info string (maximum length 253 Outbound No characters) PPP Local Address Attribute Ascend-PPP-Address ipaddr (maximum length 15 Outbound No characters) MPP Percent Idle Attribute User Guide for Cisco Secure ACS for Windows Server C-41 78-14696-01, Version 3.1...
Page 564: Nortel Dictionary Of Radius Vsas
Ascend-Xmit-Rate integer (maximum length 10 Outbound No characters) Nortel Dictionary of RADIUS VSAs Table C-9 lists the Nortel RADIUS VSAs supported by Cisco Secure ACS. The Nortel vendor ID number is 1584. Table C-9 Nortel RADIUS VSAs Inbound/ Attribute Number...
Page 565: Juniper Dictionary Of Radius Vsas
Appendix C RADIUS Attributes Juniper Dictionary of RADIUS VSAs Juniper Dictionary of RADIUS VSAs Table C-10 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS. The Juniper vendor ID number is 2636. Table C-10 Juniper RADIUS VSAs Inbound/ Attribute...
Page 566: Juniper Dictionary Of Radius Vsas
Appendix C RADIUS Attributes Juniper Dictionary of RADIUS VSAs User Guide for Cisco Secure ACS for Windows Server C-44 78-14696-01, Version 3.1...
Page 567 • Creating a CiscoSecure User Database, page D-7 Creating a Cisco Secure ACS Database Dump File, page D-8 • Loading the Cisco Secure ACS Database from a Dump File, page D-9 • • Compacting the CiscoSecure User Database, page D-11 User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 568: A P P E N D I X D Cisco Secure Acs Command-Line Database Utility
When you install Cisco Secure ACS in the default location, CSUtil.exe is located in the following directory: C:\Program Files\CiscoSecure ACS v \Utils where X.X is the version of your Cisco Secure ACS software. Regardless of where you install Cisco Secure ACS, CSUtil.exe is located in the directory. Utils...
Page 569: Csutil.exe Options
Experienced CSUtil.exe users may find it useful to combine CSUtil.exe options, such as in the following example, which would first import AAA client configurations and then generate a dump of all Cisco Secure ACS internal data: CSUtil.exe -i newnases.txt -d CSUtil.exe Options...
Page 570: Backing Up Cisco Secure Acs With Csutil.exe
D-31. Backing Up Cisco Secure ACS with CSUtil.exe You can use the -b option to create a system backup of all Cisco Secure ACS internal data. The resulting backup file has the same data as the backup files produced by the ACS Backup feature found in the HTML interface. For more...
Page 571: Restoring Cisco Secure Acs With Csutil.exe
Result: CSUtil.exe displays a confirmation prompt. Step 3 To confirm that you want to perform a backup and to halt all Cisco Secure ACS services during the backup, type Y and press Enter. Result: CSUtil.exe generates a complete backup of all Cisco Secure ACS internal data, including user accounts and system configuration.
Page 572 To restore Cisco Secure ACS with CSUtil.exe, follow these steps: On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 1 directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see...
Page 573: Creating A Ciscosecure User Database
For more information about backing up the database, Backing Up Cisco Secure ACS with CSUtil.exe, page D-4. On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 2 directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see...
Page 574: Creating A Cisco Secure Acs Database Dump File
Cisco Technical Assistance Center (TAC) during troubleshooting. Using the -l option, you can reload the Cisco Secure ACS internal data from a dump file created by the -d option. For more information about the -l option, see Loading the Cisco Secure ACS Database from a Dump File, page D-9.
Page 575: Loading The Cisco Secure Acs Database From A Dump File
Loading the Cisco Secure ACS Database from a Dump File You can use the -l option to overwrite all Cisco Secure ACS internal data from a dump text file. This option replaces the existing all Cisco Secure ACS internal data with the data in the dump text file. In effect, the -l option initializes all Cisco Secure ACS internal data before loading it from the dump text file.
Page 576 Using the -l option requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated. To load all Cisco Secure ACS internal data from a text file, follow these steps: On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 1 directories to the directory containing CSUtil.exe.
Page 577: Compacting The Ciscosecure User Database
Appendix D Cisco Secure ACS Command-Line Database Utility Compacting the CiscoSecure User Database To confirm that you want to replace all Cisco Secure ACS internal data, type Y Step 4 and press Enter. Result: CSUtil.exe initializes all Cisco Secure ACS internal data, and then loads Cisco Secure ACS with the information in the dump file specified.
Page 578 Compacting the CiscoSecure User Database To compact the CiscoSecure user database, follow these steps: On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 1 directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see...
Page 579: User And Aaa Client Import Option
To import user or AAA client information, follow these steps: Step 1 If you have not performed a backup or dump of Cisco Secure ACS, do so now before proceeding. For more information about backing up the database, see Backing Up Cisco Secure ACS with CSUtil.exe, page D-4.
Page 580 Appendix D Cisco Secure ACS Command-Line Database Utility User and AAA Client Import Option To confirm that you want to update Cisco Secure ACS with the information from Step 6 the import text file specified, type Y and press Enter.
Page 581: User And Aaa Client Import File Format
CSUtil.exe requires an ONLINE or OFFLINE token in an import text file. The file must begin with a line that contains only an ONLINE or OFFLINE token. The ONLINE and OFFLINE tokens are described in Table D-1. User Guide for Cisco Secure ACS for Windows Server D-15 78-14696-01, Version 3.1...
Page 582: Add Statements
OFFLINE mode takes less than one minute. ADD Statements ADD statements are optional. Only the ADD token and its value are required to add a user to Cisco Secure ACS. The valid tokens for ADD statements are listed Table D-2.
Page 583 Table D-2 ADD Statement Tokens Token Required Value Required Description username Add user information to Cisco Secure ACS. If the username already exists, no information is changed. PROFILE group number Group number to which the user is assigned. This must be a number from 0 to 499, not a name. If you...
Page 584: Update Statements
You can use the UPDATE statement to update the group a user is assigned to or to update which database Cisco Secure ACS uses to authenticate the user. The valid tokens for UPDATE statements are listed in Table D-3.
Page 585 Authenticate the username with an ODBC external user database. EXT_LDAP — Authenticate the username with a generic LDAP external user database. EXT_ENIGMA — Authenticate the username with a SafeWord external user database. User Guide for Cisco Secure ACS for Windows Server D-19 78-14696-01, Version 3.1...
Page 586: Delete Statements
UPDATE:John:PROFILE:50:CSDB_UNIX:3Al3qf9:CHAP:goodoldchap DELETE Statements DELETE statements are optional. The DELETE token and its value are required to delete a user account from Cisco Secure ACS. The DELETE token, detailed in Table D-4, is the only token in a DELETE statement. Table D-4...
Page 587: Add_Nas Statements
ADD_NAS Statements ADD_NAS statements are optional. The ADD_NAS, IP, KEY, and VENDOR tokens and their values are required to add a AAA client definition to Cisco Secure ACS. The valid tokens for ADD_NAS statements are listed in Table D-5. Table D-5...
Page 588: Del_Nas Statements
The name of the AAA client that is to be deleted. For example, the following DEL_NAS statement causes CSUtil.exe to delete a AAA client with the name “SVR2-T+”: DEL_NAS:SVR2-T+ User Guide for Cisco Secure ACS for Windows Server D-22 78-14696-01, Version 3.1...
Page 589: Import File Example
To export user information from the CiscoSecure user database into a text file, follow these steps: On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 1 directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see...
Page 590: Exporting Group Information To A Text File
To export group information from the CiscoSecure user database to a text file, follow these steps: On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 1 directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see...
Page 591: Exporting Registry Information To A Text File
TAC. To export Registry information from Cisco Secure ACS to a text file, follow these steps: Step 1 On the Cisco Secure ACS server, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe.
Page 592: Decoding Error Numbers
Decoding Error Numbers You can use the -e option to decode error numbers found in Cisco Secure ACS service logs. These are error codes internal to Cisco Secure ACS. For example, the CSRadius log could contain a message similar to the following: CSRadius/Logs/RDS.log:RDS 05/22/2001 10:09:02 E 2152 4756 Error -1087...
Page 593: Recalculating Crc Values
Type: Step 2 number CSUtil.exe -e - where number is the error number found in the Cisco Secure ACS service log. Press Enter. Note The hyphen (-) before number is required. Result: CSUtil.exe displays the text message equivalent to the error number specified.
Page 594: About User-Defined Radius Vendors And Vsa Sets
Adding a Custom RADIUS Vendor and VSA Set You can use the -addUDV option to add up to ten custom RADIUS vendors and VSA sets to Cisco Secure ACS. Each RADIUS vendor and VSA set is added to one of ten possible user-defined RADIUS vendor slots.
Page 595 RADIUS vendor and VSA set. To add a custom RADIUS VSA to Cisco Secure ACS, follow these steps: On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 1 directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see...
Page 596: Deleting A Custom Radius Vendor And Vsa Set
RADIUS accounting log, see Accounting Logs, page 9-5. To delete a custom RADIUS vendor and VSA set from Cisco Secure ACS, follow these steps: Step 1 On the Cisco Secure ACS server, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe.
Page 597: Listing Custom Radius Vendors
D-31. Result: CSUtil.exe displays a confirmation prompt. To confirm that you want to halt all Cisco Secure ACS services while deleting the Step 3 custom RADIUS vendor and VSAs, type Y and press Enter. Result: CSUtil.exe displays a second confirmation prompt.
Page 598: Exporting Custom Radius Vendor And Vsa Sets
UDV_4.ini To export custom RADIUS vendor and VSA sets to files, follow these steps: On the Cisco Secure ACS server, open an MS DOS command prompt and change Step 1 directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see...
Page 599: Radius Vendor/Vsa Import File
System UDVs RADIUS Vendor/VSA Import File To import a custom RADIUS vendor and VSA set into Cisco Secure ACS, you must define the RADIUS vendor and VSA set in an import file. We recommend that you archive RADIUS vendor/VSA import files. During upgrades, the directory, where CSUtil.exe is located, is replaced, including...
Page 600: Vendor And Vsa Set Definition
“widget-encryption” for an encryption-related attribute for the vendor Widget. This also makes accounting logs easier to understand. User Guide for Cisco Secure ACS for Windows Server D-34 78-14696-01, Version 3.1...
Page 601: Attribute Definition
VSA set section. Table D-9 lists the valid keys for an attribute definition section. User Guide for Cisco Secure ACS for Windows Server D-35 78-14696-01, Version 3.1...
Page 602 Profile key definition: IN—The attribute is used for accounting. After • you add the attribute to Cisco Secure ACS, you can configure your RADIUS accounting log to record the new attribute. For more information about RADIUS accounting logs, see...
Page 603: Enumeration Definition
Enumeration definitions enable you to associate a text-based name for each valid numeric value of an integer-type attribute. In the Group Setup and User Setup sections of the Cisco Secure ACS HTML interface, the text values you define appear in lists associated with the attributes that use the enumerations.
Page 604: Example Radius Vendor/Vsa Import File
(See Description.) Each key defines a string value associated with an integer value. Cisco Secure ACS uses these string values in the HTML interface. For example, if 0 through 4 are valid integer values for a given attribute, its enumeration definition would contain...
Page 605 VSA 3=widget-group VSA 4=widget-admin-encryption VSA 5=widget-remote-address [widget-encryption] Type=INTEGER Profile=OUT Enums=Encryption-Types [widget-admin-interface] Type=IPADDR Profile=OUT [widget-group] Type=STRING Profile=MULTI OUT [widget-admin-encryption] Type=INTEGER Profile=OUT Enums=Encryption-Types [widget-remote-address] Type=STRING Profile=IN [Encryption-Types] 0=56-bit 1=128-bit 2=256-bit User Guide for Cisco Secure ACS for Windows Server D-39 78-14696-01, Version 3.1...
Page 606 Appendix D Cisco Secure ACS Command-Line Database Utility User-Defined RADIUS Vendors and VSA Sets User Guide for Cisco Secure ACS for Windows Server D-40 78-14696-01, Version 3.1...
Page 607: Vpdn Process
Cisco Secure ACS and Virtual Private Dial-up Networks Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server ve rsion 3.1 supports authentication forwarding of virtual private dial-up network (VPDN) requests. There are two basic types of “roaming” users: Internet and intranet;...
Page 608: A P P E N D I X E Cisco Secure Acs And Virtual Private Dial-Up Networks
If the domain authorization fails, the NAS assumes the user is not a VPDN user. The NAS then authenticates (not authorizes) the user as if the user is a standard non-VPDN dial user. See Figure E-3. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 609 Corporation VPDN user User = [email protected] The HG uses its ACS to authenticate the tunnel, where the username is the name of the tunnel (nas_tun). See Figure E-5. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 610 HG Authenticates Tunnel with the NAS CHAP challenge Corporation VPDN user User = [email protected] The NAS now uses its ACS to authenticate the tunnel from the HG. See Figure E-7. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 611 The HG now authenticates the user as if the user dialed directly in to the HG. The HG might now challenge the user for a password. The Cisco Secure ACS at RSP can be configured to strip off the @ and domain before it passes the authentication to the HG.
Page 612 Figure E-10 Another User Dials In While Tunnel is Up VPDN user User = [email protected] Username = [email protected] Password = secret2 VPDN Corporation customer VPDN user User = [email protected] User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 613: Accountactions Specification
RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server ve rsion 3.1 uses a table named “accountActions” as input for automated or manual updates of the CiscoSecure user database.
Page 614: A P P E N D I X F Rdbms Synchronization Import Definitions
“ppp” or the RADIUS VSA attribute number. DateTime DateTime — The date/time the Action was created. MessageNo Integer — Used to number related transactions for audit purposes. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 615: Accountactions Mandatory Fields
UserName field nor the GroupName field require a value. The UserName and GroupName fields are mutually exclusive; only one of these Note two fields can have a value and neither field is always required. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 616: Accountactions Mandatory Fields
Cisco Secure ACS reads rows from accountActions and processes them in a specific order. Cisco Secure ACS determines the order first by the values in the Priority fields (mnemonic: P) and then by the values in the Sequence ID fields (mnemonic: SI).
Page 617: Action Codes
F-2, instruct RDBMS Synchronization to assign a value to various internal attributes in Cisco Secure ACS. Unless asked to use these action codes for other purposes by a Cisco representative, you can only use these action codes for assigning values to user-defined fields (see...
Page 618: Action Codes For Setting And Deleting Values
VN = "My Value" V2 = "TYPE_MULTI_STRING" V1 = "str1 str2 str3" DELETE_VALUE UN|GN, AI, Delete value (VN) for App ID (AI) and user (UN) or group (GN). User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 619: Action Codes For Creating And Modifying User Accounts
CHAP/ARAP will also default to this. SET_CHAP_PASS UN, V1 Set the CHAP/ARAP password for a user (64 characters maximum). SET_OUTBOUND_ UN, V1 Sets the CHAP/ARAP password for a user (32 characters CHAP_PASS maximum). User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 620 You can use VN to link the enable password to an external authenticator, as per action 108 SET_PASS_TYPE. SET_GROUP UN, GN Set the Cisco Secure ACS group assignment of the user. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 621 PASS_TYPE_ODBC—External ODBC database • password. PASS_TYPE_LEAP—External LEAP proxy • RADIUS server database password. PASS_TYPE_ACTIVCARD—External ActivCard • database password. • PASS_TYPE_VASCO—External Vasco database password. • PASS_TYPE_RADIUS_TOKEN—External RADIUS token server database password. User Guide for Cisco Secure ACS for Windows Server 78-14696-01, Version 3.1...
Page 622 UN, V1 Defines how a password should be expired by STATUS Cisco Secure ACS. To set multiple password states for a user, use multiple instances of this action. This results in the status states being linked in a logical XOR condition by the CSAuth server.
Page 623 MAX_SESSIONS_AS_GROUP • 1-65534 SET_MAX_ GN,V1 Set the max sessions for a user of the group to one of the SESSIONS_ following values: GROUP_USER MAX_SESSIONS_UNLIMITED • • 1-65534 User Guide for Cisco Secure ACS for Windows Server F-11 78-14696-01, Version 3.1...
Page 624 12:01 A.M. on the first of the month until midnight on the last day of the month. QUOTA_PERIOD_ABSOLUTE—The quota is • enforced in an ongoing basis, without an end. User Guide for Cisco Secure ACS for Windows Server F-12 78-14696-01, Version 3.1...
Page 625 Defines whether a user usage quota is determined by the APPLY_TYPE user group quota or by a quota unique to the user. V1 makes this specification. Valid values for V1 are: • ASSIGNMENT_FROM_USER ASSIGNMENT_FROM_GROUP • User Guide for Cisco Secure ACS for Windows Server F-13 78-14696-01, Version 3.1...
Page 626 • Note If additional DCS types have been added to your Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as Shell (pixshell) V1 defines the assignment type.
Page 627: Action Codes For Initializing And Modifying Access Filters
• If additional DCS types have been added to your Note Cisco Secure ACS, you can find the valid value in the Interface Configuration page for TACACS+ (Cisco IOS). The valid values appear in parentheses after the service title, such as Shell (pixshell) V1 defines the name of the NDG.
Page 628: Action Codes For Initializing And Modifying Access Filters
Optionally, the AAA client name can be “All AAA clients” to specify that the filter applies to all configured AAA clients and an asterisk (*) to represent all ports. User Guide for Cisco Secure ACS for Windows Server F-16 78-14696-01, Version 3.1...
Page 629 “0” represents an hour that is denied. If this parameter is not specified for a user, the group setting applies. The default group setting is “111111111111” and so on. User Guide for Cisco Secure ACS for Windows Server F-17 78-14696-01, Version 3.1...
Page 630 • none—No callback is allowed. roaming—The dial-up client determines the • callback number. as group—Use the callback string or method defined • by the group. User Guide for Cisco Secure ACS for Windows Server F-18 78-14696-01, Version 3.1...
Page 631: User Settings
Table F-5 lists the action codes for creating, modifying, and deleting TACACS+ and RADIUS settings for Cisco Secure ACS groups and users. In the event that Cisco Secure ACS has conflicting user and group settings, user settings always override group settings.
Page 632: Settings
V2 = "9" V3 = "1" V1 = "addr-pool=pool3" RADIUS attribute values can be one of the following: INTEGER • TIME • IP ADDRESS • STRING • User Guide for Cisco Secure ACS for Windows Server F-20 78-14696-01, Version 3.1...
Page 633 V2 = "ip" UN = "fred" V1 = "ppp" V2 = "ip" UN = "fred" V1 = "exec" This also resets the valid attributes for the service. User Guide for Cisco Secure ACS for Windows Server F-21 78-14696-01, Version 3.1...
Page 634 VN, V1 GN = "Group 1" V1 = "ppp" Optionally V2 = "ip" VN = "routing" UN = "fred" V1 = "ppp" V2 = "ip" VN = "route" User Guide for Cisco Secure ACS for Windows Server F-22 78-14696-01, Version 3.1...
Page 635 VN = "telnet" UN = "fred" VN = "configure" Users of Group 1 can no longer use the Cisco IOS telnet command. User fred can no longer use the configure command. User Guide for Cisco Secure ACS for Windows Server F-23 78-14696-01, Version 3.1...
Page 636 10.1.1.2 to be used by any user in Group 1. The second example ensures that user fred cannot issue the Cisco IOS command show run. REMOVE_IOS_ UN|GN, Remove the permit or deny entry for the given Cisco IOS COMMAND_ARG VN, V2 command argument: GN = "Group 1"...
Page 637: Action Codes For Modifying Network Configuration
Code Name Required Description SET_PERMIT_ UN|GN, V1 The default is that any Cisco IOS commands not defined DENY_ via a combination of Actions 174 and 175 will be denied. UNMATCHED_ This behavior can be changed so that issued Cisco IOS...
Page 638: Action Codes For Modifying Network Configuration
VENDOR_ID_NORTEL_RADIUS—For Nortel • RADIUS. VENDOR_ID_JUNIPER_RADIUS—For Juniper • RADIUS. VENDOR_ID_CBBMS_RADIUS—For Cisco • BBMS RADIUS. For example: VN = AS5200-11 V1 = 192.168.1.11 V2 = byZantine32 V3 = VENDOR_ID_CISCO_RADIUS User Guide for Cisco Secure ACS for Windows Server F-26 78-14696-01, Version 3.1...
Page 639 VN, V1 For the named AAA server (VN) set one of the per-AAA client flags (V1): FLAG_LOG_KEEP_ALIVE • • FLAG_LOG_TUNNELS Use the action once for each flag required. User Guide for Cisco Secure ACS for Windows Server F-27 78-14696-01, Version 3.1...
Page 640 The order must be changed through the HTML interface. DEL_PROXY Delete the named proxy markup (VN). ADD_NDG Create a network device group (NDG) named (VN). User Guide for Cisco Secure ACS for Windows Server F-28 78-14696-01, Version 3.1...
Page 641 MODULES ADD_UDV VN, V1, V2 Adds a RADIUS vendor to the Cisco Secure ACS vendor database. Vendors added to Cisco Secure ACS by this method are know as User-Defined Vendors (UDV). VN contains the name of the Vendor.
Page 642 By default, VSAs are assumed to be outbound (or authorization) attributes. If the VSA is either multi-instance or used in accounting messages, use SET_VSA_PROFILE (Action code 353). User Guide for Cisco Secure ACS for Windows Server F-30 78-14696-01, Version 3.1...
Page 643 V1 contains the vendor IETF code. V2 contains the VSA number. V3 contains the profile, one of the following: IN OUT MULTI OUT MULTI IN OUT User Guide for Cisco Secure ACS for Windows Server F-31 78-14696-01, Version 3.1...
Page 644 V3 = 1 ADOPT_NEW_ — The CSAdmin, CSRadius, and CSLog services must be UDV_OR_VSA restarted before new UDVs or VSAs can become usable. This action restarts these services. User Guide for Cisco Secure ACS for Windows Server F-32 78-14696-01, Version 3.1...
Page 645: Cisco Secure Acs Attributes And Action Codes
Cisco Secure ACS Attributes and Action Codes This section complements the previous section by providing an inverse reference; the following topics contain tables that list Cisco Secure ACS attributes, their data types and limits, and the action codes you can use to act upon the Cisco Secure ACS attributes: •...
Page 646: Cisco Secure Acs Attributes And Action Codes
ACL String 0-31 KB (See Table F-4.) Dial-Up 121, 123 Bool enabled NULL Access Control Bool NULL permit/deny ACL String 0-31 KB NULL (See Table F-4.) User Guide for Cisco Secure ACS for Windows Server F-34 78-14696-01, Version 3.1...
Page 647 User-defined attributes (UDAs) are string values that can contain any data, such as social security number, department name, telephone number, and so on. You can configure Cisco Secure ACS to include UDAs on accounting logs about user activity. For more information about configuring UDAs, see...
Page 648: User-Defined Attributes
Group-Specific Attributes Table F-9 lists the attributes that define a Cisco Secure ACS group, including their data types, limits, and default values. It also provides the action code you can use in your accountActions table to affect each field. For more information...
Page 649: Group-Specific Attributes
10. Fred is assigned to “Group 2." His account expires after December 31, 1999, or after 10 incorrect authentication attempts. Attributes for Group 2 include Time-of-Day/Day-of-Week restrictions, token caching, and some RADIUS attributes. User Guide for Cisco Secure ACS for Windows Server F-37 78-14696-01, Version 3.1...
Page 650: An Example Of Accountactions
ACCESS_PERMIT — — — fred — — ACCESS_DENY — — — fred — — NAS01,tty0,01732-975374 — — — fred — — 01732-975374, CLID/ — — 01622-123123 DNIS User Guide for Cisco Secure ACS for Windows Server F-38 78-14696-01, Version 3.1...
Page 651 — Group 2 — — — — — Group 2 Reply- Welcome to Your Internet — — — Message Service — Group 2 Vendor- addr-pool=pool2 — Specific User Guide for Cisco Secure ACS for Windows Server F-39 78-14696-01, Version 3.1...
Page 652 Appendix F RDBMS Synchronization Import Definitions An Example of accountActions User Guide for Cisco Secure ACS for Windows Server F-40 78-14696-01, Version 3.1...
Page 653: Windows 2000 Services
CSTacacs and CSRadius, page G-8 • Windows 2000 Services Cisco Secure ACS is modular and flexible to fit the needs of both simple and large networks. This appendix describes the Cisco Secure ACS architectural components. Cisco Secure ACS includes the following service modules: CSAdmin •...
Page 654: Windows 2000 Registry
• CSTacacs CSRadius • You can stop or restart Cisco Secure ACS services as a group, except for CSAdmin, using the Cisco Secure ACS HTML interface. For more information, Service Control, page 8-2. Individual Cisco Secure ACS services can be started, stopped, and restarted from the Services window, available within the Windows 2000 Control Panel.
Page 655: A P P E N D I X G Cisco Secure Acs Internal Architecture
To authenticate users, Cisco Secure ACS can use the internal user database or one of many external databases. When a request for authentication arrives, Cisco Secure ACS checks the database that is configured for that user. If the user is unknown, Cisco Secure ACS checks the database(s) configured for unknown users.
Page 656: Csdbsync
CSMon works for both TACACS+ and RADIUS and automatically detects which protocols are in use. You can use the Cisco Secure ACS HTML interface to configure the CSMon service. The Cisco Secure ACS Active Service Management feature provides the options for configuring CSMon behavior.
Page 657: Monitoring
Response, page G-7 • Monitoring CSMon monitors the overall status of Cisco Secure ACS and the system on which it is running. CSMon actively monitors three basic sets of system parameters: • Generic host system state—CSMon monitors the following key system...
Page 658: Recording
• System resource consumption by Cisco Secure ACS—CSMon periodically monitors and records the usage by Cisco Secure ACS of a small set of key system resources and compares it against predetermined thresholds for indications of atypical behavior. The parameters monitored include the...
Page 659: Notification
Outcome of the response Notification for exception events and outcomes includes the current state of Cisco Secure ACS at the time of the message. The default notification method is simple mail-transfer protocol (SMTP) e-mail, but you can create scripts to enable other methods.
Page 660: Cstacacs And Csradius
The identical shared secret (key) must be configured both in Cisco Secure ACS and on the access device. • The access device IP address must be specified in Cisco Secure ACS. • The type of security protocol being used must be specified in Cisco Secure ACS.
Page 661 7-20 adding 4-23 accounting configuring 4-23 overview 1-20 deleting 4-27 See also logging editing 4-25 See also user data configuration enabling in interface (table) User Guide for Cisco Secure ACS for Windows Server IN-1 78-14696-01, Version 3.1...
Page 662 F-19 separation from general users 2-16 for setting and deleting values troubleshooting in accountActions unlocking 10-10 ActivCard user databases age-by-date rules for groups 6-24 configuring 11-60 User Guide for Cisco Secure ACS for Windows Server IN-2 78-14696-01, Version 3.1...
Page 663 11-5 overview 8-47 Windows 11-11 reports 8-49 authorization 1-15 scheduled vs. manual 8-47 authorization sets scheduling 8-50 See command authorization sets vs. replication 8-16 with CSUtil.exe User Guide for Cisco Secure ACS for Windows Server IN-3 78-14696-01, Version 3.1...
Page 664 12-22 Cisco IOS CSAdmin RADIUS CSAuth AV (attribute value) pairs CSDBSync 8-33, G-4 group attributes 6-38 CSLog user attributes 7-39 CSMon TACACS+ configuration AV (attribute value) pairs User Guide for Cisco Secure ACS for Windows Server IN-4 78-14696-01, Version 3.1...
Page 665 11-66 CSV (comma-separated values) files deployment considerations 2-17 downloading 9-15 dump files file name formats 9-13 external logging 9-15 See external user databases logging format User Guide for Cisco Secure ACS for Windows Server IN-5 78-14696-01, Version 3.1...
Page 666 Windows 11-14 unknown users 12-1 dial-in troubleshooting user dial-up networking clients 11-10, 11-11 CiscoSecure user databases dial-up topologies Windows user databases 11-7 User Guide for Cisco Secure ACS for Windows Server IN-6 78-14696-01, Version 3.1...
Page 667 Windows operating systems 11-11 exception events downloadable PIX ACLs monitoring system health adding exception events assigning to groups 6-28 exports assigning to users 7-21 of user lists D-23 User Guide for Cisco Secure ACS for Windows Server IN-7 78-14696-01, Version 3.1...
Page 668 6-23 ODBC 9-20 group-level interface enabling viewing 9-15 downloadable PIX ACLs failed log-on attempts network access restrictions failure events network access restriction sets customer-defined actions password aging User Guide for Cisco Secure ACS for Windows Server IN-8 78-14696-01, Version 3.1...
Page 669 IP address assignment method 6-27 HTTP port allocation max sessions 6-11 configuring 10-14 network access restrictions overview 1-21 password aging rules 6-20 HTTPS 10-13 shell command authorization sets 6-31 User Guide for Cisco Secure ACS for Windows Server IN-9 78-14696-01, Version 3.1...
Page 670 Logged-In Users report address recovery 8-67 deleting logged-in users deleting 8-66 viewing DHCP 8-61 logging enabling in interface accounting logs overlapping 8-61, 8-63 administration reports refreshing 8-62 User Guide for Cisco Secure ACS for Windows Server IN-10 78-14696-01, Version 3.1...
Page 671 AAA servers 8-11 logging hosts 9-23 max sessions options 9-25 enabling in interface overview 9-23 in Group Setup 6-11 in User Setup 7-16 overview 1-16 User Guide for Cisco Secure ACS for Windows Server IN-11 78-14696-01, Version 3.1...
Page 672 See AAA clients See network access restrictions network requirements network access quotas 1-17 networks network access restrictions latency 2-18 adding reliability 2-18 configuring User Guide for Cisco Secure ACS for Windows Server IN-12 78-14696-01, Version 3.1...
Page 673 CHAP authentication sample procedure 11-46 configuring 11-51 data source names 9-20, 11-39 compared with ARAP 1-11 DSN configuration 11-50 compared with CHAP 1-11 group mappings 12-12 compatible databases User Guide for Cisco Secure ACS for Windows Server IN-13 78-14696-01, Version 3.1...
Page 674 Configuration separate passwords 1-13 PIX ACLs single password 1-13 See downloadable PIX ACLs token caching 1-13 PIX command authorization sets token cards 1-13 See command authorization sets User Guide for Cisco Secure ACS for Windows Server IN-14 78-14696-01, Version 3.1...
Page 675 AV (attribute value) pairs in enterprise settings Cisco IOS overview IETF C-12 See also Proxy Distribution Table overview sending accounting packets See also RADIUS VSAs (vendor specific troubleshooting A-11 attributes) User Guide for Cisco Secure ACS for Windows Server IN-15 78-14696-01, Version 3.1...
Page 676 RADIUS-based group specifications 12-22 in User Setup 7-52 RADIUS VSAs (vendor specific attributes) Juniper Ascend in Group Setup 6-48 in Group Setup 6-41 in User Setup 7-49 User Guide for Cisco Secure ACS for Windows Server IN-16 78-14696-01, Version 3.1...
Page 677 1-27 data source name configuration 8-41 remote logging disabling See logging 8-46 enabling in interface replication import definitions ACS Service Management page 8-10 backups recommended (Caution) 8-16 User Guide for Cisco Secure ACS for Windows Server IN-17 78-14696-01, Version 3.1...
Page 678 AAA servers 8-11 restore notifications 8-29 components restored overview configuring 8-54 partners overview 8-54 configuring 8-28 filenames 8-53 options 8-18 in System Configuration 8-52 scheduling 8-26 User Guide for Cisco Secure ACS for Windows Server IN-18 78-14696-01, Version 3.1...
Page 679 TACACS+ See also command authorization sets custom commands single password configurations 1-13 overview SMTP (simple mail-transfer protocol) time-of-day access specifications service control in System Configuration 9-30 RADIUS User Guide for Cisco Secure ACS for Windows Server IN-19 78-14696-01, Version 3.1...
Page 680 User Setup outbound passwords for users 7-36 setting ports synchronization See also TACACS+ Accounting Log See RDBMS synchronization See also TACACS+ Administration Log User Guide for Cisco Secure ACS for Windows Server IN-20 78-14696-01, Version 3.1...
Page 681 9-14 SafeWord 11-59 enabling supported servers CSV (comma-separated values) 9-14 token caching 11-58 ODBC 9-20 Vasco 11-59 viewing 9-15 topologies Telnet See network topologies password aging 6-20 User Guide for Cisco Secure ACS for Windows Server IN-21 78-14696-01, Version 3.1...
Page 682 See also network access restrictions UNIX passwords D-17 User Password Changes log location 9-14 unknown user policies users configuring 12-10 adding in external user databases 11-3, 12-9 methods 11-3 overview 12-8 User Guide for Cisco Secure ACS for Windows Server IN-22 78-14696-01, Version 3.1...
Page 683 See also User Setup VoIP (Voice over IP) supplementary information accounting configuration 3-6, 8-68 troubleshooting A-14 accounting configurations 8-68 types enabling in interface discovered 12-2 group settings in Interface Configuration User Guide for Cisco Secure ACS for Windows Server IN-23 78-14696-01, Version 3.1...
Page 684 11-9, 11-14 warning events G-5, G-7 group mappings watchdog packets editing 12-18 configuring on AAA clients 4-17 no access groups 12-16 configuring on AAA servers 4-24 User Guide for Cisco Secure ACS for Windows Server IN-24 78-14696-01, Version 3.1...
Page 685 AAA groups 12-14 overview 11-7 passwords 1-10 rejection mode 12-4 request handling 12-4 trust relationships 11-9 user-changeable passwords 11-13 user manager 11-14 wireless network topologies User Guide for Cisco Secure ACS for Windows Server IN-25 78-14696-01, Version 3.1...
Page 686 Index User Guide for Cisco Secure ACS for Windows Server IN-26 78-14696-01, Version 3.1...

This manual is also suitable for:

Secure acs

Cisco 2509 - Router - EN User Manual

Chapter 2 Deploying Cisco Secure ACS

Chapter 3 Setting up the Cisco Secure ACS HTML Interface

CHAPTER 4 Setting up and Managing Network Configuration

Chapter 5 Setting up and Managing Shared Profile Components

Chapter 6 Setting up and Managing User Groups

Chapter 7 Setting up and Managing User Accounts

CHAPTER 8 Establishing Cisco Secure

APPENDIX E Ciscosecure ACS and Virtual Private Dial-Up Networks

RDBMS Synchronization

Quick Links

Related Manuals for Cisco 2509 - Router - EN

Summary of Contents for Cisco 2509 - Router - EN