manualshive.com logo in svg

Cisco 2509 - Router - EN, User Manual, Page: 49 / 686

Share
Download
Cisco 2509 - Router - EN User Manual Download Page 49

 

1-15

User Guide for Cisco Secure ACS for Windows Server

78-14696-01, Version 3.1

Chapter 1      Overview of Cisco Secure ACS

AAA Server Functions and Concepts

The methods and functionality of Windows password aging differ according to 
whether you are using Windows NT or Windows 2000 and whether you employ 
Active Directory (AD) or Security Accounts Manager (SAM). For information on 
the requirements and configuration of the Windows-based password aging 
feature, see 

Enabling Password Aging for Users in Windows Databases, 

page 6-25

.

User-Changeable Passwords

With Cisco Secure ACS, you can install a separate program that enables users to 
change their passwords by using a web-based utility. For more information about 
installing user-changeable passwords, see the Installation and User Guide for 
Cisco Secure ACS User-Changeable Passwords.

Other Authentication-Related Features

In addition to the authentication-related features discussed in this section, the 
following features are provided by Cisco Secure ACS:

Authentication of unknown users with external user databases (see 

Unknown 

User Processing, page 12-1

).

Microsoft Windows Callback feature (see 

Setting User Callback Option, 

page 7-10

).

Ability to configure user accounts, including passwords, using an external 
data source (see 

About RDBMS Synchronization, page 8-30

).

Ability for external users to authenticate via an enable password (see 

Setting 

 Enable Password Options for a User, page 7-35

).

Proxy of authentication requests to other AAA servers (see 

Proxy in 

Distributed Systems, page 4-4

).

Configurable character string stripping from proxied authentication requests 
(see 

Stripping, page 4-6

).

Authorization

Authorization determines what a user is allowed to do. Cisco Secure ACS can 
send user profile policies to a AAA client to determine the network services the 
user can access. You can configure authorization to give different users and 

Summary of Contents for 2509 - Router - EN

Page 1: ... Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 User Guide for Cisco Secure ACS for Windows Server Customer Order Number DOC 7814696 Text Part Number 78 14696 01 ...

Page 2: ...HOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES User Guide for Cisco Secure ACS for Windows Server Copyright 2002 Cisco Systems Inc All rights reserved CCIP the Cisco Arrow logo the Cisco Powered Network mark the Cisco Systems Verified logo Cisco Unity F...

Page 3: ...xxx Ordering Documentation xxx Documentation Feedback xxxi Obtaining Technical Assistance xxxi Cisco com xxxi Technical Assistance Center xxxii Cisco TAC Web Site xxxii Cisco TAC Escalation Center xxxiii C H A P T E R 1 Overview of Cisco Secure ACS 1 1 The Cisco Secure ACS Paradigm 1 1 Cisco Secure ACS Specifications 1 2 System Performance Specifications 1 3 Cisco Secure ACS Windows Services 1 4 A...

Page 4: ...lications 1 18 Other Authorization Related Features 1 19 Accounting 1 20 Other Accounting Related Features 1 20 Administration 1 21 HTTP Port Allocation for Remote Administrative Sessions 1 21 Network Device Groups 1 22 Other Administration Related Features 1 22 Cisco Secure ACS HTML Interface 1 23 About the Cisco Secure ACS HTML Interface 1 23 HTML Interface Security 1 24 HTML Interface Layout 1 ...

Page 5: ... 2 2 System Requirements 2 2 Hardware Requirements 2 2 Operating System Requirements 2 2 Third Party Software Requirements 2 3 Network Requirements 2 4 Basic Deployment Factors for Cisco Secure ACS 2 5 Network Topology 2 5 Dial Up Topology 2 5 Wireless Network 2 8 Remote Access using VPN 2 11 Remote Access Policy 2 13 Security Policy 2 14 Administrative Access Policy 2 14 Separation of Administrat...

Page 6: ...figuration Options for RADIUS 3 10 Setting Protocol Configuration Options for IETF RADIUS Attributes 3 15 Setting Protocol Configuration Options for Non IETF RADIUS Attributes 3 16 C H A P T E R 4 Setting Up and Managing Network Configuration 4 1 About Network Configuration 4 2 About Distributed Systems 4 3 AAA Servers in Distributed Systems 4 3 Default Distributed System Settings 4 4 Proxy in Dis...

Page 7: ... or AAA Server to an NDG 4 29 Reassigning a AAA Client or AAA Server to an NDG 4 30 Renaming a Network Device Group 4 31 Deleting a Network Device Group 4 31 Proxy Distribution Table Configuration 4 32 About the Proxy Distribution Table 4 32 Adding a New Proxy Distribution Table Entry 4 33 Sorting the Character String Match Order of Distribution Entries 4 35 Editing a Proxy Distribution Table Entr...

Page 8: ...Command Authorization Sets Configuration 5 16 Adding a Command Authorization Set 5 16 Editing a Command Authorization Set 5 19 Deleting a Command Authorization Set 5 20 C H A P T E R 6 Setting Up and Managing User Groups 6 1 User Group Setup Features and Functions 6 2 Default Group 6 2 Group TACACS Settings 6 2 Common User Group Settings 6 3 Enabling VoIP Support for a User Group 6 4 Setting Defau...

Page 9: ...US Settings for a User Group 6 37 Configuring Cisco IOS PIX RADIUS Settings for a User Group 6 38 Configuring Cisco Aironet RADIUS Settings for a User Group 6 39 Configuring Ascend RADIUS Settings for a User Group 6 41 Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6 42 Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6 43 Configuring Microsoft RAD...

Page 10: ...tting Options for User Account Disablement 7 20 Assigning a PIX ACL to a User 7 21 Advanced User Authentication Settings 7 22 TACACS Settings User 7 22 Configuring TACACS Settings for a User 7 23 Configuring a Shell Command Authorization Set for a User 7 25 Configuring a PIX Command Authorization Set for a User 7 28 Configuring Device Management Command Authorization for a User 7 30 Configuring th...

Page 11: ...S Parameters for a User 7 51 Setting Custom RADIUS Attributes for a User 7 52 User Management 7 53 Listing All Users 7 54 Finding a User 7 54 Disabling a User Account 7 55 Deleting a User Account 7 56 Resetting User Session Quota Counters 7 57 Resetting a User Account after Login Failure 7 58 Saving User Settings 7 59 C H A P T E R 8 Establishing Cisco Secure ACS System Configuration 8 1 Service C...

Page 12: ...8 20 Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes 8 20 Configuring a Secondary Cisco Secure ACS 8 21 Replicating Immediately 8 24 Scheduling Replication 8 26 Disabling CiscoSecure Database Replication 8 29 Database Replication Event Errors 8 29 RDBMS Synchronization 8 29 About RDBMS Synchronization 8 30 Users 8 31 User Groups 8 32 Network Configuration 8 32 Custom RA...

Page 13: ...ns 8 46 Cisco Secure ACS Backup 8 47 About Cisco Secure ACS Backup 8 47 Backup File Locations 8 48 Directory Management 8 48 Components Backed Up 8 48 Reports of Cisco Secure ACS Backups 8 49 Backup Options 8 49 Performing a Manual Cisco Secure ACS Backup 8 50 Scheduling Cisco Secure ACS Backups 8 50 Disabling Scheduled Cisco Secure ACS Backups 8 51 Cisco Secure ACS System Restore 8 52 About Cisco...

Page 14: ...ls Address Recovery 8 67 Enabling IP Pool Address Recovery 8 67 VoIP Accounting Configuration 8 68 Configuring VoIP Accounting 8 68 Cisco Secure ACS Certificate Setup 8 69 Background on Protocols and Certification 8 69 Digital Certificates 8 69 About the EAP TLS Protocol 8 70 About the PEAP Protocol 8 72 Installing a Cisco Secure ACS Server Certificate 8 74 Adding a Certificate Authority Certifica...

Page 15: ...ed Accounts Report 9 10 Cisco Secure ACS System Logs 9 11 Configuring the Administration Audit Log 9 12 Working with CSV Logs 9 13 CSV Log File Names 9 13 CSV Log File Locations 9 13 Enabling or Disabling a CSV Log 9 14 Viewing a CSV Report 9 15 Configuring a CSV Log 9 16 Working with ODBC Logs 9 19 Preparing for ODBC Logging 9 19 Configuring a System Data Source Name for ODBC Logging 9 20 Configu...

Page 16: ...inistrator Account 10 10 Deleting an Administrator Account 10 11 Access Policy 10 11 Access Policy Options 10 12 Setting Up Access Policy 10 14 Session Policy 10 16 Session Policy Options 10 16 Setting Up Session Policy 10 17 Audit Policy 10 18 C H A P T E R 11 Working with User Databases 11 1 CiscoSecure User Database 11 2 About the CiscoSecure User Database 11 2 User Import and Creation 11 3 Abo...

Page 17: ... Generic LDAP 11 16 Cisco Secure ACS Authentication Process with a Generic LDAP User Database 11 17 Multiple LDAP Instances 11 17 LDAP Organizational Units and Groups 11 18 Domain Filtering 11 18 LDAP Failover 11 20 Successful Previous Authentication with the Primary LDAP Server 11 21 Unsuccessful Previous Authentication with the Primary LDAP Server 11 21 LDAP Configuration Options 11 22 Configuri...

Page 18: ... 11 48 CHAP MS CHAP ARAP Procedure Output 11 48 Result Codes 11 49 Configuring a System Data Source Name for an ODBC External User Database 11 50 Configuring an ODBC External User Database 11 51 LEAP Proxy RADIUS Server Database 11 54 Configuring a LEAP Proxy RADIUS Server External User Database 11 55 Token Server User Databases 11 57 About Token Servers and Cisco Secure ACS 11 57 Token Servers an...

Page 19: ...etwork Access Authorization 12 8 Unknown User Policy 12 8 Database Search Order 12 9 Configuring the Unknown User Policy 12 9 Turning off External User Database Authentication 12 11 Database Group Mappings 12 11 Group Mapping by External User Database 12 12 Creating a Cisco Secure ACS Group Mapping for a Token Server ODBC Database or LEAP Proxy RADIUS Server Database 12 13 Group Mapping by Group S...

Page 20: ...sues A 3 Cisco IOS Issues A 3 Database Issues A 5 Dial in Connection Issues A 6 Debug Issues A 10 Proxy Issues A 11 Installation and Upgrade Issues A 11 MaxSessions Issues A 12 Report Issues A 12 Third Party Server Issues A 13 PIX Firewall Issues A 13 User Authentication Issues A 14 TACACS and RADIUS Attribute Issues A 16 A P P E N D I X B TACACS Attribute Value Pairs B 1 Cisco IOS AV Pair Diction...

Page 21: ... P P E N D I X D Cisco Secure ACS Command Line Database Utility D 1 Location of CSUtil exe and Related Files D 2 CSUtil exe Syntax D 2 CSUtil exe Options D 3 Backing Up Cisco Secure ACS with CSUtil exe D 4 Restoring Cisco Secure ACS with CSUtil exe D 5 Creating a CiscoSecure User Database D 7 Creating a Cisco Secure ACS Database Dump File D 8 Loading the Cisco Secure ACS Database from a Dump File ...

Page 22: ...ustom RADIUS Vendor and VSA Set D 28 Deleting a Custom RADIUS Vendor and VSA Set D 30 Listing Custom RADIUS Vendors D 31 Exporting Custom RADIUS Vendor and VSA Sets D 32 RADIUS Vendor VSA Import File D 33 About the RADIUS Vendor VSA Import File D 33 Vendor and VSA Set Definition D 34 Attribute Definition D 35 Enumeration Definition D 37 Example RADIUS Vendor VSA Import File D 38 A P P E N D I X E ...

Page 23: ...S Group and User Settings F 19 Action Codes for Modifying Network Configuration F 25 Cisco Secure ACS Attributes and Action Codes F 33 User Specific Attributes F 33 User Defined Attributes F 35 Group Specific Attributes F 36 An Example of accountActions F 37 A P P E N D I X G Cisco Secure ACS Internal Architecture G 1 Windows 2000 Services G 1 Windows 2000 Registry G 2 CSAdmin G 2 CSAuth G 3 CSDBS...

Page 24: ...Contents xxiv User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 25: ...the Cisco Secure Access Control Server Cisco Secure ACS for Windows Server version 3 1 User Guide Document Objective This document will help you configure and use Cisco Secure ACS and its features and utilities Audience This publication is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial in network security ...

Page 26: ...ing Cisco Secure ACS network configuration and building a distributed system Chapter 5 Setting Up and Managing Shared Profile Components Concepts and procedures regarding Cisco Secure ACS shared profile components network access restrictions and device command sets Chapter 6 Setting Up and Managing User Groups Concepts and procedures for establishing and maintaining Cisco Secure ACS user groups Ch...

Page 27: ...upported TACACS AV pairs and accounting AV pairs Appendix C RADIUS Attributes A list of supported RADIUS AV pairs and accounting AV pairs Appendix D Cisco Secure ACS Command Line Database Utility Instructions for using the database import utility CSUtil to import an ODBC database and back up maintain or restore the Cisco Secure ACS database Appendix E Cisco Secure ACS and Virtual Private Dial up N...

Page 28: ...s of data or a breach in your network security Warning Means danger You are in a situation that could cause bodily injury Before you work on any equipment you must be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents To see translated versions of the warning refer to the Regulatory Compliance and Safety document that accompanie...

Page 29: ...sion You should also read the README TXT file for additional important information Cisco Secure ACS includes an installation guide Installation Guide for Cisco Secure ACS for Windows Server to help you install the software efficiently and correctly Installation and User Guide for Cisco Secure ACS User Changeable Passwords contains information on installing and configuring the optional user changea...

Page 30: ...uct The Documentation CD ROM is updated monthly and may be more current than printed documentation The CD ROM package is available as a single unit or as an annual subscription Ordering Documentation You can order Cisco documentation in these ways Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Networking Products MarketPlace http www cisco com cgi ...

Page 31: ...Cisco com as a starting point for all technical assistance Customers and partners can obtain online documentation troubleshooting tips and sample configurations from online tools by using the Cisco Technical Assistance Center TAC Web Site Cisco com registered users have complete access to the technical support resources on the Cisco TAC Web Site Cisco com Cisco com is the foundation of a suite of ...

Page 32: ... or assistance concerning Cisco product capabilities product installation or basic product configuration Priority level 3 P3 Your network performance is degraded Network functionality is noticeably impaired but most business operations continue Priority level 2 P2 Your production network is severely degraded affecting significant aspects of business operations No workaround is available Priority l...

Page 33: ...e Internet access we recommend that you open P3 and P4 cases through the Cisco TAC Web Site Cisco TAC Escalation Center The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues These classifications are assigned when severe network degradation significantly impacts business operations When you contact the TAC Escalation Center with a P1 or P2 problem a Cisco TAC engine...

Page 34: ...Preface Obtaining Technical Assistance xxxiv User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 35: ...Cisco Secure ACS Specifications page 1 2 AAA Server Functions and Concepts page 1 5 Cisco Secure ACS HTML Interface page 1 23 The Cisco Secure ACS Paradigm Cisco Secure ACS provides authentication authorization and accounting AAA pronounced triple A services to network devices that function as AAA clients such as a network access server PIX Firewall or router The AAA client in Figure 1 1 represent...

Page 36: ...AAA clients such as the Cisco 2509 2511 3620 3640 AS5200 and AS5300 AS5800 the Cisco PIX Firewall Cisco Aironet Access Point wireless networking devices Cisco VPN 3000 Concentrators and Cisco VPN 5000 Concentrators It also supports third party devices that can be configured with the Terminal Access Controller Access Control System TACACS or the Remote Access Dial In User Service RADIUS protocol Ci...

Page 37: ...s the CiscoSecure user database can support We have successfully tested Cisco Secure ACS with databases in excess of 100 000 users The practical limit for a single Cisco Secure ACS authenticating against all its databases internal and external is 300 000 to 500 000 users This number increases significantly if the authentication load is spread across a number of replicated Cisco Secure ACS servers ...

Page 38: ...he installation adds several Windows services The services provide the core of Cisco Secure ACS functionality For a full discussion of each service see Appendix G Cisco Secure ACS Internal Architecture The Cisco Secure ACS services on your Cisco Secure ACS server include the following CSAdmin Provides the HTML interface for administration of Cisco Secure ACS CSAuth Provides authentication services...

Page 39: ... server AAA clients must be configured to direct all end user client access requests to Cisco Secure ACS for authentication of users and authorization of service requests Using the TACACS or RADIUS protocol the AAA client sends authentication requests to Cisco Secure ACS Cisco Secure ACS verifies the username and password using the user databases it is configured to query Cisco Secure ACS returns ...

Page 40: ...lowing Requests for Comments RFCs RFC 2138 Remote Authentication Dial In User Service RFC 2139 RADIUS Accounting RFC 2865 Table 1 1 TACACS and RADIUS Protocol Comparison Point of Comparison TACACS RADIUS Transmission Protocol TCP connection oriented transport layer protocol reliable full duplex data transmission UDP connectionless transport layer protocol datagram exchange without acknowledgments ...

Page 41: ...so supports up to 10 RADIUS VSAs that you define After you define a new RADIUS VSA you can use it as you would one of the RADIUS VSAs that come predefined in Cisco Secure ACS In the Network Configuration section of the Cisco Secure ACS HTML interface you can configure a AAA client to use a user defined RADIUS VSA as its AAA protocol In Interface Configuration you can enable user level and group le...

Page 42: ... on the network use encryption Client and server access control protocols such as TACACS and RADIUS encrypt passwords to prevent them from being captured within a network However TACACS and RADIUS operate only between the AAA client and the access control server Before this point in the authentication process unauthorized persons can obtain clear text passwords such as the communication between an...

Page 43: ...he various password protocols supported by Cisco Secure ACS for authentication are supported unevenly by the various databases supported by Cisco Secure ACS Table 1 2 on page 1 9 provides a reference of the password protocols supported by the various databases For more information about the password protocols supported by Cisco Secure ACS see Passwords page 1 10 Table 1 2 Authentication Protocol a...

Page 44: ...e RADIUS or TACACS and the configuration of the AAA client and end user client The following sections outline the different conditions and functions of password handling RSA Yes Yes No No No No No No No Yes ActivCard Yes Yes No No No No No No No Yes CRYPTOCard Yes Yes No No No No No No No Yes PassGo Yes Yes No No No No No No No Yes Safeword Yes Yes No No No No No No No Yes Vasco Yes Yes No No No N...

Page 45: ...e CHAP with the CiscoSecure user database ARAP support is included to support Apple clients Comparing PAP CHAP and ARAP PAP CHAP and ARAP are authentication protocols used to encrypt passwords However each protocol provides a different level of security PAP Uses clear text passwords that is unencrypted passwords and is the least sophisticated authentication protocol If you are using the Windows NT...

Page 46: ...schap 00 txt RADIUS Attributes for MS CHAP Support EAP Support The Extensible Authentication Protocol EAP based on the IETF 802 1x is an end to end framework that allows the creation of authentication types without the necessity of changing the implementation of the AAA clients For more information about EAP go to PPP Extensible Authentication Protocol EAP RFC 2284 Cisco Secure ACS supports the fo...

Page 47: ...xternal user database the user does not need a password stored in the CiscoSecure user database Instead Cisco Secure ACS records which external user database it should query to authenticate the user Advanced Password Configurations Cisco Secure ACS supports the following advanced password configurations Inbound passwords Passwords used by most Cisco Secure ACS users These are supported by both the...

Page 48: ...compromised If you want to use outbound passwords and maintain the highest level of security we recommend that you configure users in the CiscoSecure user database with an outbound password that is different from the inbound password Password Aging With Cisco Secure ACS you can choose whether and how you want to employ password aging Control for password aging may reside either in the CiscoSecure ...

Page 49: ...entication Related Features In addition to the authentication related features discussed in this section the following features are provided by Cisco Secure ACS Authentication of unknown users with external user databases see Unknown User Processing page 12 1 Microsoft Windows Callback feature see Setting User Callback Option page 7 10 Ability to configure user accounts including passwords using a...

Page 50: ...ts Access lists on a per user or per group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol FTP or Simple Network Management Protocol SNMP One fast growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dia...

Page 51: ... duration of sessions or the total number of sessions Quotas can be either absolute or based on daily weekly or monthly periods To grant access to users who have exceeded their quotas you can reset session quota counters as needed To support time based quotas we recommend enabling accounting update packets on all AAA clients If update packets are not enabled the quota is updated only when the user...

Page 52: ...lient that uses TACACS Also you must provide the device management application with a valid administrator name and password When a management application initially communicates with Cisco Secure ACS these requirements ensure the validity of the communication For information about configuring a AAA client see AAA Client Configuration page 4 11 For information about administrator accounts see Admini...

Page 53: ... with support for up to 500 groups see Chapter 6 Setting Up and Managing User Groups Ability to map a user from an external user database to a specific Cisco Secure ACS group see Database Group Mappings page 12 11 Ability to disable an account after a number of failed attempts specified by the administrator see Setting Options for User Account Disablement page 7 20 Ability to disable an account on...

Page 54: ...formation records the duration of each session RADIUS Accounting Lists when sessions stop and start records AAA client messages with username provides caller line identification information records the duration of each session Administrative Accounting Lists commands entered on a network device with TACACS command authorization enabled For more information about Cisco Secure ACS logging capabiliti...

Page 55: ...P port allocation feature reduces the risk of unauthorized access to your network by a port open for administrative sessions We do not recommend that you administer Cisco Secure ACS through a firewall Doing so requires that you configure the firewall to permit HTTP traffic over the range of HTTP administrative session ports that Cisco Secure ACS uses While narrowing this range reduces the risk of ...

Page 56: ...nts spread across a large geographical area to logically organize its environment within Cisco Secure ACS to reflect the physical setup For example all routers in Europe could belong to a group named Europe all routers in the United States could belong to a US group and so on This would be especially convenient if the AAA clients in each region were administered along the same divisions Alternativ...

Page 57: ...o Secure ACS configuration user accounts and group profiles from a backup file see Cisco Secure ACS System Restore page 8 52 Cisco Secure ACS HTML Interface This section discusses the Cisco Secure ACS HTML interface and provides procedures for using it This section contains the following topics About the Cisco Secure ACS HTML Interface page 1 23 HTML Interface Layout page 1 25 Uniform Resource Loc...

Page 58: ...ck connection activity show which users are logged in list failed authentication and authorization attempts and show administrators recent tasks HTML Interface Security Accessing the HTML interface requires a valid administrator name and password The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS Administrative sessions timeout after a co...

Page 59: ... users and groups Network Configuration Add and edit network access devices and configure distributed systems System Configuration Configure database information and accounting Interface Configuration Display or hide product features and options to be configured Administration Control Define and configure access policies External User Databases Configure external databases for authentication Repor...

Page 60: ...er The list of usernames beginning with a specified letter is displayed in this section The usernames are hyperlinks to the specific user configuration so clicking the name enables you to edit that user System Messages Displays messages after you click Submit if you have typed in incorrect or incomplete data For example if the information you entered in the Password box does not match the informat...

Page 61: ...ive Sessions and HTTP Proxy Cisco Secure ACS does not support HTTP proxy for remote administrative sessions If the browser used for a remote administrative session is configured to use a proxy server Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than from the actual address of the remote workstation Remote administrative session trackin...

Page 62: ...TP Port Allocation for Remote Administrative Sessions page 1 21 Remote Administrative Sessions through a NAT Gateway We do not recommend conducting remote administrative sessions across a network device performing NAT If the administrator runs a browser on a workstation behind a NAT gateway Cisco Secure ACS receives the HTTP requests from the public IP address of the NAT device which conflicts wit...

Page 63: ...ssing The latest revision to the Release Notes is posted on Cisco com http www cisco com Step 2 In the Address or Location bar in the web browser type the applicable URL For a list of possible URLs see Uniform Resource Locator for the HTML Interface page 1 26 Step 3 If the Cisco Secure ACS for Windows 2000 NT Login page appears follow these steps a In the Username box type a valid Cisco Secure ACS...

Page 64: ...e help page is a list of topics covered by that page To jump from the top of the online help page to a particular topic click the topic name in the list at the top of the page There are three icons that appear on many pages in Cisco Secure ACS Question Mark Many subsections of the pages in the configuration area contain an icon with a question mark To jump to the applicable topic in an online help...

Page 65: ...hese steps Step 1 In the Cisco Secure ACS HTML interface click Online Documentation Tip To open the online documentation in a new browser window right click Online Documentation and then click Open Link in New Window for Microsoft Internet Explorer or Open in New Window for Netscape Navigator Result The table of contents opens in the configuration area Step 2 If you want to select a topic from the...

Page 66: ...or Windows Server 78 14696 01 Version 3 1 c Click an instance number for the desired topic Result The online documentation for the topic selected appears in the display area Step 4 If you want to print the online documentation click in the display area and then click Print in the navigation bar of your browser ...

Page 67: ...bases grew and the locations of AAA clients became more dispersed more capability was required of the AAA server Regional and then global requirements became common Today Cisco Secure ACS is required to provide AAA services for dial up access dial out access wireless VLAN access firewalls VPN concentrators administrative controls and more The list of external databases supported has also continued...

Page 68: ...quirements page 2 3 Network Requirements page 2 4 System Requirements Your Cisco Secure ACS server must meet the minimum hardware and software requirements detailed in the following sections Hardware Requirements Your Cisco Secure ACS server must meet the following minimum hardware requirements Pentium III processor 550 MHz or faster 256 MB of RAM At least 250 MB of free disk space If you are runn...

Page 69: ...g the operating system of a server running Cisco Secure ACS see the Installation Guide for Cisco Secure ACS for Windows Server version 3 1 For the latest information about tested operating systems and service packs see the Release Notes The latest version of the Release Notes are posted on Cisco com atthe following URL http www cisco com univercd cc td doc product access acs_soft csacs4nt Third Pa...

Page 70: ...s must be configured with TACACS and or RADIUS Dial in VPN or wireless clients must be able to connect to the applicable AAA clients The computer running Cisco Secure ACS must be able to ping all AAA clients Gateway devices between AAA clients and Cisco Secure ACS must permit communication over the ports needed to support the applicable AAA protocol RADIUS or TACACS For information about ports use...

Page 71: ...ology How your enterprise network is configured is likely to be the most important factor in deploying Cisco Secure ACS While an exhaustive treatment of this topic is beyond the scope of this guide this section details how the growth of network topology options has made Cisco Secure ACS deployment decisions more complex When AAA was created network access was restricted to either devices directly ...

Page 72: ...y small there are few devices that require access to the Cisco Secure ACS for AAA and any database replication is limited to a secondary Cisco Secure ACS as a backup Figure 2 1 Small Dial up Network In a larger dial in environment a single Cisco Secure ACS installation with a backup may be suitable too The suitability of this configuration depends on network and server access latency Figure 2 2 sh...

Page 73: ...preferable to a central Cisco Secure ACS If the need for a globally coherent user database is most important database replication or synchronization from a central Cisco Secure ACS may be necessary Authentication using external databases such as Windows NT 2000 or the Lightweight Directory Access Protocol LDAP can further complicate the deployment of distributed localized Cisco Secure ACSes While ...

Page 74: ...dial up scenario and is discussed in more detail later in this section Scaling can be a serious issue in the wireless network Like the wired LAN the mobility factor of the wireless LAN WLAN requires considerations similar to those given to the dial up network Unlike the wired LAN however the WLAN can be more readily expanded Though WLAN technology does have physical limits as to the number of user...

Page 75: ...he network does not cause any significant additional load on the Cisco Secure ACS Figure 2 4 Simple WLAN In the LAN where a number of APs are deployed as in a large building or a campus environment your decisions on how to deploy Cisco Secure ACS become a little more involved Though Figure 2 5 shows all APs on the same LAN they may be distributed throughout the LAN connected via routers switches a...

Page 76: ... regional topology is the campus WLAN This model starts to change when you deploy WLANs in many small sites that more resemble the simple WLAN shown in Figure 2 4 This model may apply to a chain of small stores distributed throughout a city or state nationally or globally Figure 2 6 63490 Macintosh server Cisco Aironet APs Novell server UNIX server Windows NT server Cisco Secure Access Control Ser...

Page 77: ...s maintained In this very large deployment model security becomes a more complicated issue too Remote Access using VPN Virtual Private Networks VPNs use advanced encryption and tunneling to permit organizations to establish secure end to end private network connections over third party networks such as the Internet or extranets Figure 2 7 The benefits of a VPN include the following Cost Savings By...

Page 78: ...ficant flexibility and efficiency Figure 2 7 Simple VPN Configuration There are two types of VPN access into a network Site to Site VPNs Extend the classic WAN by providing large scale encryption between multiple fixed sites such as remote offices and central offices over a public network such as the Internet Remote Access VPNs Permit secure encrypted connections between mobile or remote users and...

Page 79: ... disadvantages and provides a unique challenge to providing AAA services This closely ties remote access policy to the enterprise network topology In addition to the method of access other decisions can also affect how Cisco Secure ACS is deployed these include specific network routing access lists time of day access individual restrictions on AAA client access access control lists ACLs and so on ...

Page 80: ...ocuments Network Security Policy Best Practices White Paper Delivering End to End Security in Policy Based Networks Cisco IOS Security Configuration Guide Administrative Access Policy Managing a network is a matter of scale Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network Lo...

Page 81: ... A small network with a small number of network devices may require only one or two individuals to administer it Local authentication on the device is usually sufficient If you require more granular control than that which authentication can provide some means of authorization is necessary As discussed earlier controlling access using privilege levels can be cumbersome Cisco Secure ACS reduces thi...

Page 82: ...configured to allow shell exec access For example if the administrator is dialing into the network as a general user a AAA client would use RADIUS as the authenticating authorizing protocol and the PPP protocol would be authorized In turn if the same administrator remotely connects to a AAA client to make configuration changes the AAA client would use the TACACS protocol for authentication authori...

Page 83: ...ly handling 100 000 users This is usually more than adequate for a corporation In an environment that exceeds these numbers the user base would typically be geographically dispersed which lends itself to the use of more than one Cisco Secure ACS configuration A WAN failure could render a local network inaccessible because of the loss of the authentication server In addition to this issue reducing ...

Page 84: ...se enough to Cisco Secure ACS to ensure reliable and timely access Using a local Cisco Secure ACS with a remote database can result in the same problems as using a remote Cisco Secure ACS Another possible problem in this scenario is that a user may experience timeout problems The AAA client would be able to contact Cisco Secure ACS but Cisco Secure ACS would wait for a reply that might be delayed ...

Page 85: ...nfiguration Options for TACACS page 3 7 Protocol Configuration Options for RADIUS page 3 10 Configure System There are more than a dozen functions within the System Configuration section to be considered from setting the format for the display of dates and password validation to configuring settings for database replication and RDBMS synchronization These functions are detailed in Chapter 8 Establ...

Page 86: ...information about Shared Profile Components see Chapter 5 Setting Up and Managing Shared Profile Components Configure Groups Having previously configured any external user databases you intend to employ and before configuring your user groups you should decide how to implement two other Cisco Secure ACS features related to external user databases unknown user processing and database group mapping ...

Page 87: ... to simplify the screens you will use by hiding the features that you do not use and by adding fields for your specific configuration This chapter presents the details of configuring the Cisco Secure ACS interface through four topics User Data Configuration Options page 3 3 Advanced Options page 3 4 Protocol Configuration Options for TACACS page 3 7 Protocol Configuration Options for RADIUS page 3...

Page 88: ...essary for effective interface configuration User to Group Relationship A user can belong to only one group at a time As long as there are no conflicting attributes users inherit group settings Note If a user profile has an attribute configured differently from the same attribute in the group profile the user setting always overrides the group setting If a user has a unique configuration requireme...

Page 89: ...k Interface Configuration and then click User Data Configuration Result The Configure User Defined Fields page appears Check boxes in the Display column indicate which fields are configured to appear in the Supplementary User Information section at the top of the User Setup page Step 2 Select a check box in the Display column Step 3 In the corresponding Field Title box type a title for the new fie...

Page 90: ...etwork Device Groups are in use they are hidden when deselected on the Advanced Options page The advanced option features include the following Per User TACACS RADIUS Attributes When selected this feature enables TACACS RADIUS attributes to be set at a per user level in addition to being set at the group level User Level Shared Network Access Restrictions When selected this feature enables the Sha...

Page 91: ...ions When selected this feature enables the Max Sessions section on the User Setup and Group Setup pages The Max Sessions option sets the maximum number of simultaneous connections for a group or a user Usage Quotas When selected this feature enables the Usage Quotas sections on the User Setup and Group Setup pages The Usage Quotas option sets one or more quotas for usage by a group or a user Dist...

Page 92: ...s on the Logging page of the System Configuration section Setting Advanced Options for the Cisco Secure ACS User Interface To set advanced options for the Cisco Secure ACS HTML interface follow these steps Step 1 Click Interface Configuration and then click Advanced Options Result The Advanced Options table appears Step 2 Select each option that you want displayed enabled in the Cisco Secure ACS H...

Page 93: ...t the group level only for selecting TACACS Services Settings and New Service Settings To view two columns of check boxes that enable you to configure settings at the Group level or the User level you must have enabled the Per user TACACS RADIUS Attributes option on the Advanced Options page of Interface Configuration section TACACS Services Settings In this area is a list of the most commonly use...

Page 94: ...se of each TACACS service by the time of day and day of week For example you can restrict Exec Telnet access to business hours but permit PPP IP access at any time The default setting is to control time of day access for all services as part of authentication However you can override the default and display a time of day access grid for every service This keeps user and group setup easy to manage ...

Page 95: ...e user level take precedence over settings at the group level Setting Options for TACACS This procedure enables you to display or hide TACACS administrative and accounting options It is unlikely that you will use every service and protocol available for TACACS Displaying each would make setting up a user or group cumbersome To simplify setup you can use the TACACS Cisco IOS Edit page to customize ...

Page 96: ...h Cisco Secure ACS interacts and of the Cisco network devices managed by those applications do not change or delete automatically generated TACACS service types b Select the appropriate check box to select those that should be displayed for configuration either under User Setup or Group Setup or both Step 4 In the Advanced Configurations Options section select the check boxes of the display option...

Page 97: ...tings that appear for various types of AAA client depend on what settings that type of device can employ These combinations are detailed in Table 3 1 as follows Table 3 1 RADIUS Listings in Interface Configure this Type of AAA Client and the Interface Configuration Page Lists These Types of Settings RADIUS IETF RADIUS Cisco Aironet RADIUS BBSM RADIUS Cisco IOS PIX RADIUS Micro soft RADIUS Ascend R...

Page 98: ...s a User check box appears alongside the Group check box for each attribute Otherwise only the Group check box for each attribute appears By selecting check boxes in a list of attributes you determine whether the corresponding IETF RADIUS attribute or vendor specific attribute VSA is configurable from the User Setup and Group Setup sections RADIUS Cisco VPN 5000 Yes No No No No No No Yes No No RAD...

Page 99: ...and Group Setup pages Examples of tagged attributes include 064 Tunnel Type and 069 Tunnel Password For detailed procedural information see Setting Protocol Configuration Options for IETF RADIUS Attributes page 3 15 RADIUS Cisco IOS PIX Settings This section allows you to enable the specific attributes for RADIUS Cisco IOS PIX Selecting the first attribute listed under RADIUS Cisco IOS PIX 026 009...

Page 100: ...ettings From this section you enable the RADIUS VSAs for RADIUS Microsoft This page appears if you configure a RADIUS Ascend or a RADIUS VPN 3000 or a RADIUS Cisco IOS PIX device For detailed procedures see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 16 RADIUS Nortel Settings From this section you enable the RADIUS VSAs for RADIUS Nortel For detailed procedures see...

Page 101: ...selected a User check box appears alongside the Group check box for each attribute Note Each selected IETF RADIUS attribute must be supported by all your network devices using RADIUS To set protocol configuration options for IETF RADIUS attributes follow these steps Step 1 Click Interface Configuration and then click RADIUS IETF Result The RADIUS IETF page appears Step 2 For each IETF RADIUS attri...

Page 102: ...om the User Setup and Group Setup portions of the Cisco Secure ACS HTML interface To set protocol configuration options for a set of RADIUS VSAs follow these steps Step 1 Click Interface Configuration Step 2 Click one of the RADIUS VSA set types displayed for example RADIUS Ascend Result The page listing the selected set of available RADIUS VSAs appears Note If the Per user TACACS RADIUS Attribute...

Page 103: ... 1 Chapter 3 Setting Up the Cisco Secure ACS HTML Interface Protocol Configuration Options for RADIUS Step 4 Click Submit at the bottom of the page Result According to your selections the RADIUS VSAs appear on the User Setup or Group Setup pages or both as a configurable option ...

Page 104: ...Chapter 3 Setting Up the Cisco Secure ACS HTML Interface Protocol Configuration Options for RADIUS 3 18 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 105: ...for Windows Server version 3 1 to interact with AAA clients and servers and for establishing a distributed system It includes the following sections About Network Configuration page 4 2 About Distributed Systems page 4 3 Proxy in Distributed Systems page 4 4 Network Device Searches page 4 8 AAA Client Configuration page 4 11 AAA Server Configuration page 4 20 Network Device Group Configuration pag...

Page 106: ...able does not appear on the initial page but is accessed through the Network Device Groups table For more information about this interface configuration see Advanced Options page 3 4 Network Device Groups This table lists the name of each NDG that has been configured and the number of AAA clients and AAA servers assigned to each NDG If you are using NDGs the AAA Clients table and AAA Servers table...

Page 107: ...ofile containing authentication and authorization information for each user Authentication information validates user identity and authorization information determines what network services a user is permitted to use A single AAA server can provide concurrent AAA services to many dial up access servers routers and firewalls Each network device can be configured to communicate with a AAA server Thi...

Page 108: ...rs in the AAA Servers table This enables these devices to become available in the HTML interface so that they can be configured for other distributed features such as proxy CiscoSecure user database replication remote logging and RDBMS synchronization For information about configuring additional AAA servers see Adding a AAA Server page 4 23 Proxy in Distributed Systems Proxy is a powerful feature ...

Page 109: ...isco Secure ACS proxies to a second Cisco Secure ACS the second Cisco Secure ACS responds to the first using only IETF attributes no VSAs when it recognizes the first Cisco Secure ACS as a AAA server Alternatively you can configure an Cisco Secure ACS to be seen as a AAA client by the second Cisco Secure ACS in this case the second Cisco Secure ACS responses include the RADIUS VSAs for whatever RA...

Page 110: ...ests using a configurable set of characters with a delimiter such as dots slashes or hyphens When configuring the Cisco Secure ACS character string to match you must specify whether the character string is the prefix or suffix For example you can use domain us as a suffix character string in username domain us where represents any delimiter An example of a prefix character string is domain usernam...

Page 111: ...k she dials in to the New York office and logs in as mary la corporate com Her username is not recognized by the New York Cisco Secure ACS but the Proxy Distribution Table contains an entry la corporate com to forward the authentication request to the Los Angeles Cisco Secure ACS Because the username and password information for Mary reside on that AAA server when she authenticates correctly the a...

Page 112: ...wed for each user or group You can also choose to have Voice over IP VoIP accounting information logged remotely either appended to the RADIUS Accounting log in a separate VoIP Accounting log or both Other Features Enabled by System Distribution Beyond basic proxy and fallback features configuring a Cisco Secure ACS to interact with distributed systems enables several other features that are beyon...

Page 113: ...ACS For each octet in the address you have three options as follows Number You can specify a number for example 10 3 157 98 Numeric Range You can specify the low and high numbers of the range in the octet separated by a hyphen for example 10 3 157 10 50 Wildcard You can use an asterisk to match all numbers in that octet for example 10 3 157 Cisco Secure ACS allows any octet or octets in the IP Add...

Page 114: ... page to view your most recent search criteria and results Step 3 Set the criteria for a device search For information about search criteria see Network Device Search Criteria page 4 9 Tip To reset the search criteria to default settings click Clear Step 4 Click Search Result A table lists each network device configured in Cisco Secure ACS that matches the search criteria you specified If Cisco Se...

Page 115: ...f your choice Step 7 If you want to search again using different criteria repeat Step 3 and Step 4 AAA Client Configuration In this guide we use the term AAA client comprehensively to signify the device through which or to which service access is being attempted This is the RADIUS or TACACS client device and may comprise network access servers NASes PIX Firewalls routers or any other RADIUS or TAC...

Page 116: ...of a AAA client If you want a AAA client configuration in Cisco Secure ACS to represent multiple network devices you can specify multiple IP addresses Separate each IP address by pressing Enter In each IP address you specify you have three options for each octet in the address as follows Number You can specify a number for example 10 3 157 98 Numeric Range You can specify the low and high numbers ...

Page 117: ...DIUS vendors and VSAs those vendor specific RADIUS implementations appear on the list also For information about creating user defined RADIUS VSAs see Custom RADIUS Vendors and VSAs page 8 33 The Authenticate Using list always contains the following selections TACACS Cisco IOS The Cisco IOS TACACS protocol which is the standard choice when using Cisco Systems access servers routers and firewalls I...

Page 118: ...h key TACACS functions are required to support Cisco IOS equipment RADIUS Cisco VPN 3000 RADIUS using Cisco VPN 3000 VSAs Select this option if the network device is a Cisco VPN 3000 series Concentrator RADIUS Cisco VPN 5000 RADIUS using Cisco VPN 5000 VSAs Select this option if the network device is a Cisco VPN 5000 series Concentrator RADIUS IETF IETF standard RADIUS using no VSAs Select this op...

Page 119: ...her than a new one for every TACACS request In single connection mode multiple requests from a network device are multiplexed over a single TCP session Note If TCP connections between Cisco Secure ACS and the AAA client are unreliable do not use this feature Log Update Watchdog Packets from this AAA Client Enables logging of update or watchdog packets Watchdog packets are interim packets sent peri...

Page 120: ...ed Then click Add Entry below the AAA Clients table To add a AAA client when you have not enabled NDGs click Add Entry below the AAA Clients table Result The Add AAA Client page appears Step 3 In the AAA Client Hostname box type the name assigned to this AAA client up to 32 characters Step 4 In the AAA Client IP Address box type the AAA client IP address or addresses Step 5 In the Key box type the...

Page 121: ...e check box Note If TCP connections between Cisco Secure ACS the AAA client is unreliable do not use this feature Step 9 To enable logging of watchdog packets select the Log Update Watchdog Packets from this AAA Client check box Step 10 To enable logging of RADIUS tunneling accounting packets select the Log RADIUS tunneling Packets from this AAA Client check box Step 11 To save your changes and ap...

Page 122: ...t the applicable AAA protocol RADIUS or TACACS For information about ports used by AAA protocols see AAA Protocols TACACS and RADIUS page 1 6 To edit a AAA client follow these steps Step 1 In the navigation bar click Network Configuration Result The Network Configuration page opens Step 2 Do one of the following If you are using NDGs click the name of the NDG to which the AAA client is assigned Th...

Page 123: ...tep 7 Change the status of any or all of the following three options as applicable Single Connect TACACS AAA Client Log Update Watchdog Packets from this Access Server Log RADIUS tunneling Packets from this Access Server Step 8 To save your changes and apply them immediately click Submit Restart Tip To save your changes and apply them later click Submit When you are ready to implement the changes ...

Page 124: ... Secure ACS services As an alternative to restarting when you delete a AAA client you can click Delete However when you do this the change does not take effect until you restart the system To restart the system click System Configuration click Service Control and then click Restart Result A confirmation dialog box appears Step 4 Click OK Result Cisco Secure ACS restarts AAA services and the AAA cl...

Page 125: ...uted systems features require that the other Cisco Secure ACSes included in the distributed system be represented in the AAA Servers table For more information about distributed systems features see About Distributed Systems page 4 3 The Add AAA Server and AAA Server Setup pages include the following options AAA Server Name The name you assign to the AAA server configuration The AAA server hostnam...

Page 126: ... To enable NDGs click Interface Configuration click Advanced Options and then select the Network Device Groups check box Log Update Watchdog Packets from this remote AAA Server Enables logging of update or watchdog packets from AAA clients that are forwarded by the remote AAA server to this Cisco Secure ACS Watchdog packets are interim packets sent periodically during a session They provide you wi...

Page 127: ...tion requests to a AAA server that is configured for Outbound the authentication request is not sent Inbound Outbound The remote AAA server forwards and accepts authentication requests This allows the selected server to handle authentication requests in any manner defined in the distribution tables Adding a AAA Server Before You Begin For descriptions of the options available while adding a remote...

Page 128: ...emote AAA server and the Cisco Secure ACS use to encrypt the data up to 32 characters Note The key is case sensitive If the keys between the two AAA servers are not identical when authentication is forwarded the request is incorrectly encrypted and authentication fails Step 6 From the Network Device Group list select the NDG to which this AAA server belongs Note To enable NDGs click Interface Conf...

Page 129: ...zero Editing a AAA Server Use this procedure to edit the settings for a AAA server that you have previously configured Note You cannot edit the name of a AAA server To rename a AAA server you must delete the existing AAA server and then add a new server entry with the new name Before You Begin For descriptions of the options available while editing a remote AAA server configuration see AAA Server ...

Page 130: ...e AAA Servers table click the name of the AAA server to be edited Result The AAA Server Setup for X page appears Step 3 Enter or select new settings for one or more of the following fields AAA Server IP Address Key Log Update Watchdog Packets from this remote AAA Server AAA Server Type Traffic Type Step 4 To save your changes and apply them immediately click Submit Restart Tip To save your changes...

Page 131: ...ly click Delete Restart Note Restarting the service clears the Logged in User report and temporarily interrupts all Cisco Secure ACS services As an alternative to restarting when you delete a AAA server in the preceding step you can click Delete However when you do this the change does not take effect until you restart the system which you can do by clicking System Configuration clicking Service C...

Page 132: ...Groups option Therefore if you choose to configure NDGs make sure you leave the Network Device Groups option selected on the Advanced Option page This section contains the following procedures for working with NDGs Adding a Network Device Group page 4 28 Assigning an Unassigned AAA Client or AAA Server to an NDG page 4 29 Reassigning a AAA Client or AAA Server to an NDG page 4 30 Renaming a Networ...

Page 133: ...isplays the new NDG Step 5 To populate the newly established NDG with AAA clients or AAA servers perform one or more of the following procedures as applicable Adding a AAA Client page 4 15 Adding a AAA Server page 4 23 Assigning an Unassigned AAA Client or AAA Server to an NDG page 4 29 Reassigning a AAA Client or AAA Server to an NDG page 4 30 Assigning an Unassigned AAA Client or AAA Server to a...

Page 134: ...the AAA client or AAA server Step 5 Click Submit Result The client or server is assigned to an NDG Reassigning a AAA Client or AAA Server to an NDG To reassign a AAA client or AAA server to a new NDG follow these steps Step 1 In the navigation bar click Network Configuration Result The Network Configuration page opens Step 2 In the Network Device Groups table click the name of the current group of...

Page 135: ...dvanced Options and then select the Network Device Groups check box Step 3 At the bottom of the page click Rename Result The Rename Network Device Group page appears Step 4 In the Network Device Group Name box type the new name up to 24 characters Step 5 Click Submit Result The name of the NDG is changed Deleting a Network Device Group To delete an NDG follow these steps Step 1 In the navigation b...

Page 136: ...Character String Match Order of Distribution Entries page 4 35 Editing a Proxy Distribution Table Entry page 4 35 Deleting a Proxy Distribution Table Entry page 4 36 About the Proxy Distribution Table If you have Distributed Systems Settings enabled when you click Network Configuration you will see the Proxy Distribution Table Tip To enable Distributed Systems Settings in the Cisco Secure ACS clic...

Page 137: ... change the distribution of authentication requests matching the Default entry At installation the AAA server associated with the Default entry is the local Cisco Secure ACS It can sometimes be easier to define strings that match authentication requests to be processed locally rather than defining strings that match authentication requests to be processed remotely In such a case associating the De...

Page 138: ...erver and click Up or Down to move it into the position you want Tip If the AAA server you want to use is not listed click Network Configuration click AAA Servers click Add Entry and complete the applicable information Step 7 From the Send Accounting Information list select one of the following areas to which to report accounting information Local Keep accounting packets on the local Cisco Secure ...

Page 139: ...uration page opens Step 2 Below the Proxy Distribution Table click Sort Entries Tip Before you sort the entries you must have configured at least two unique Proxy Distribution Table entries in addition to the default table entry Step 3 Select the character string entry to reorder and then click Up or Down to move its position to reflect the search order you want Step 4 When you finish sorting clic...

Page 140: ...ng the entry click Submit or Submit Restart Deleting a Proxy Distribution Table Entry To delete a Proxy Distribution Table entry follow these steps Step 1 In the navigation bar click Network Configuration Result The Network Configuration page opens Step 2 In the Character String column of the Proxy Distribution Table click the distribution entry you want to delete Result The Edit Proxy Distributio...

Page 141: ...Shared Profile Components The Shared Profile Components section enables you to develop and name reusable shared sets of authorization components which may be applied to one or more users or groups of users and referenced by name within their profiles These include network access restrictions NARs command authorization sets and downloadable PIX ACLs The Shared Profile Components section of Cisco Se...

Page 142: ...abilities A way to determine the list of commands a user could issue against one or more devices in the network A way to determine the list of devices on which a particular user may execute a particular command Downloadable PIX ACLs This section describes downloadable PIX ACLs followed by detailed instructions for configuring and managing them About Downloadable PIX ACLs Downloadable PIX ACLs enab...

Page 143: ...0 0 253 See the Command Reference section of your PIX Firewall configuration guide for detailed ACL definition information ACLs entered into the Cisco Secure ACS are protected by whatever backup or replication regime you have established for the Cisco Secure ACS After you configure an ACL as a named shared profile component you can include that ACL in any Cisco Secure ACS user or user group profil...

Page 144: ...omponents page appears Step 2 Click Downloadable PIX ACLs Step 3 Click Add Result The Downloadable PIX ACLs page appears Step 4 In the Name box type the name of the new PIX ACL Note The name of a PIX ACL may contain up to 32 characters The name may contain spaces but it cannot contain leading trailing or multiple spaces or the following characters Step 5 In the Description box type a description o...

Page 145: ...Downloadable PIX ACL To edit a downloadable PIX ACL follow these steps Step 1 In the navigation bar click Shared Profile Components Result The Shared Profile Components page appears Step 2 Click Downloadable PIX ACLs Result The Downloadable PIX ACLs table appears Step 3 In the Name column click the PIX ACL you want to edit Result The Downloadable PIX ACLs page appears with information displayed fo...

Page 146: ...t to delete a PIX ACL Step 5 To confirm that you intend to delete the PIX ACL click OK Result The selected PIX ACL is deleted Network Access Restrictions This section describes network access restrictions NARs and provides detailed instructions for configuring and managing shared NARs About Network Access Restrictions NARs enable you to define additional authorization and authentication conditions...

Page 147: ...F The calling station id attribute 31 and called station id attribute 30 fields are used AAA clients that do not provide sufficient IP address information for example some types of firewall do not support full NAR functionality A non IP based NAR is a list of permitted or denied calling point of access locations that you can employ in restricting a AAA client when you do not have an IP based conne...

Page 148: ...Restrictions for a User page 7 12 or Setting Network Access Restrictions for a User Group page 6 7 However in the Shared Profile Components section of Cisco Secure ACS you can create and name a shared NAR without directly citing any user or user group You give the shared NAR a name that can be referenced in other parts of the Cisco Secure ACS HTML interface Then when you set up users or user group...

Page 149: ...work Access Restrictions Step 3 Click Add Result The Network Access Restriction page appears Step 4 In the Name box type a name for the new shared NAR Note The name can contain up to 32 characters Leading and trailing spaces are not allowed Names cannot contain the following four characters Step 5 In the Description box type a description of the new shared NAR Step 6 To permit or deny access based...

Page 150: ...rictions You can type multiple entries separated by a comma or use the wildcard asterisk to specify all IP addresses d Click enter Result The AAA client port and address information appears as a line item in the table e To enter additional IP based line items repeat Step c and Step d Step 7 To permit or deny access based on calling location or values other than an established IP address follow the...

Page 151: ...being dialed into to filter on e Click enter Result The information specifying the NAR line item appears in the table f To enter additional non IP based NAR line items repeat Step c through Step e Step 8 When you are finished defining the shared NAR click Submit Result Cisco Secure ACS saves the named shared NAR and lists it in the Network Access Restriction Sets table Editing a Shared Network Acc...

Page 152: ...ions table Step 6 To remove a line item from the IP based access restrictions table follow these steps a Select the line item b Below the table click remove Result The line item is removed from the IP based access restrictions table Step 7 To edit a line item in the CLI DNIS access restrictions table follow these steps a Double click the line item that you want to edit Result Information for the l...

Page 153: ...vigation bar click Shared Profile Components Result The Shared Profile Components page appears Step 2 Click Network Access Restrictions Step 3 Click the Name of the shared NAR you want to delete Result The Network Access Restriction page appears with information displayed for the selected NAR Step 4 At the bottom of the page click Delete Result A dialog box warns you that you are about to delete a...

Page 154: ...mmand authorizations You can define several command authorization sets each delineating different access profiles For example a Help desk command authorization set could permit access to high level browsing commands such as show run and deny any configuration commands An All network engineers command authorization set could contain a limited list of permitted commands for any network engineer in t...

Page 155: ...f the following Configuring a PIX Command Authorization Set for a User Group page 6 33 Configuring a PIX Command Authorization Set for a User page 7 28 Device Management Command Authorization Sets See either of the following Configuring Device Management Command Authorization for a User Group page 6 35 Configuring Device Management Command Authorization for a User page 7 30 About Pattern Matching ...

Page 156: ...n the navigation bar click Shared Profile Components Result The Shared Profile Components page lists the command authorization set types available These always include Shell Command Authorization Sets and may include others such as command authorization set types that support Cisco device management applications Step 2 Click one of the listed command authorization set types as applicable Result Th...

Page 157: ...ts check box For example to enable a Device View action select the View check box under the Device checklist node Tip Selecting an expandable check box node selects all the check boxes within that node Selecting the first check box in the checklist tree selects all check boxes in the checklist tree c To enable other actions in this command authorization set repeat Step a and Step b as needed Step ...

Page 158: ...d then type the argument in the box to the right of the command Note The correct format for arguments is permit deny argument For example with the command show already listed you might enter permit run as the argument Tip You can list several arguments for a single command by pressing Enter between arguments e To allow arguments which you have not listed to be effective with this command select th...

Page 159: ...nformation for the selected set appears on the applicable Command Authorization Set page Step 4 If an expandable checklist tree appears below the Name and Description boxes you can do any or all of the following To expand a checklist node click the plus symbol to its left To collapse an expanded checklist node click the minus symbol to its left To enable an action select its check box For example ...

Page 160: ...k Submit Deleting a Command Authorization Set To delete a command authorization set follow these steps Step 1 In the navigation bar click Shared Profile Components Result The Shared Profile Components page lists the command authorization set types available Step 2 Click a command authorization set type as applicable Result The selected Command Authorization Sets table appears Step 3 From the Name ...

Page 161: ... And if the external database does not support groups you can map all users from that database to a Cisco Secure ACS user group For information about external database mapping see Database Group Mappings page 12 11 Before you configure Group Setup you should understand how this section functions Cisco Secure ACS dynamically builds the Group Setup section interface depending on the configuration of...

Page 162: ...n page 4 27 Default Group If you have not configured group mapping for an external user database Cisco Secure ACS assigns users who are authenticated by the Unknown User Policy to the Default Group the first time they log in The privileges and restrictions for the default group are applied to first time users If you have upgraded from a previous version of Cisco Secure ACS and kept your database i...

Page 163: ...re TACACS group settings This feature enables you to apply shell commands to a particular user group in the following ways Assign a shell command authorization set which you have already configured for any network device Assign a shell command authorization set which you have already configured to particular NDGs Permit or deny specific shell commands which you define on a per group basis For more...

Page 164: ...d to enter passwords to authenticate Caution Enabling VoIP disables password authentication and most advanced settings including password aging and protocol attributes To enable VoIP support for a group follow these steps Step 1 In the navigation bar click Group Setup Result The Group Setup Select page opens Step 2 From the Group list select the group you want to configure for VoIP support and the...

Page 165: ...up list select a group and then click Edit Settings Result The Group Settings page displays the name of the group at its top Step 3 In the Default Time of Day Access Settings table select the Set as default Access Times check box Note You must select the Set as default Access Times check box to limit access based on time or day Result Times at which the system permits access are highlighted in gre...

Page 166: ... setting Dialup client specifies callback number Allows the dialup client to specify the callback number The dialup client must support RFC 1570 PPP LCP Extensions Use Microsoft NT 2000 Callback settings where possible Uses the Microsoft Windows NT 2000 callback settings If a Windows account for a user resides in a remote domain the domain in which Cisco Secure ACS resides must have a two way trus...

Page 167: ...ID CLI number or the Dialed Number Identification Service DNIS number used Note You can also use the CLI DNIS based access restrictions area to specify other values For more information see About Network Access Restrictions page 5 6 Typically you define shared NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user For more informatio...

Page 168: ...Step 3 To apply a previously configured shared NAR to this group follow these steps Note To apply a shared NAR you must have configured it under Network Access Restrictions in the Shared Profile Components section For more information see Shared Network Access Restrictions Configuration page 5 8 a Select the Only Allow network access when check box b To specify whether one or all shared NARs must ...

Page 169: ...ons or Denied Calling Point of Access Locations c Select or enter the information in the following boxes AAA Client Select either All AAA Clients or the name of the NDG or the name of the individual AAA client to which to permit or deny access Port Type the number of the port to which to permit or deny access You can use the wildcard asterisk to permit or deny access to all ports on the selected A...

Page 170: ...ermit or deny access to all ports CLI Type the CLI number to which to permit or deny access You can use the wildcard asterisk to permit or deny access based on part of the number or all numbers Tip This is also the selection to use if you want to restrict access based on other values such as a Cisco Aironet client MAC address For more information see About Network Access Restrictions page 5 6 DNIS...

Page 171: ...ure to define the maximum number of sessions available to a group or to each user in a group or both The settings are as follows Sessions available to group Sets the maximum number of simultaneous connections for the entire group Sessions available to users of this group Sets the maximum number of total simultaneous connections for each user in this group Tip As an example Sessions available to gr...

Page 172: ...s effectively disables Max Sessions n Type the maximum number of simultaneous sessions to allow this group Step 4 In the lower portion of the Max Sessions table under Sessions available to users of this group select one of the following two options Unlimited Select to allow each individual in this group an unlimited number of simultaneous sessions This effectively disables Max Sessions n Type the ...

Page 173: ...istics are available only on the settings page for an individual user For more information see Setting User Usage Quotas Options page 7 18 When a user exceeds his or her assigned quota Cisco Secure ACS denies that user access upon attempting to start a session If a quota is exceeded during a session Cisco Secure ACS allows the session to continue You can reset the usage quota counters for all user...

Page 174: ...of hours to which you want to limit group members in the to x hours box Use decimal values to indicate minutes For example a value of 10 5 would equal ten hours and 30 minutes Note Up to 5 characters are allowed in the to x hours box c Select the period for which the quota is effective from the following per Day From 12 01 a m until midnight per Week From 12 01 a m Sunday until midnight Saturday p...

Page 175: ...s section details procedures that you perform only as applicable to your particular network security configuration For instance if you have no token server configured you do not have to set token card settings for each group This section contains the following procedures Setting Token Card Settings for a User Group page 6 16 Setting Enable Privilege Options for a User Group page 6 18 Enabling Pass...

Page 176: ...tings for a User Group page 6 49 Note When a vendor specific variety of RADIUS is configured for use by network devices the RADIUS IETF attributes are available because they are the base set of attributes used as the first 74 attributes for all RADIUS vendors The content of these subsections is dynamic and based on two factors as follows For a particular protocol to be listed a AAA client must be ...

Page 177: ...l to dynamically go in and out of service Duration You can select Duration and specify a period of time to have the token cached from the time of first authentication If this time period expires the user cannot start a second B channel Session and Duration You can select both Session and Duration so that if the session runs longer than the duration value a new token is required to open a second B ...

Page 178: ...Options for a User Group Note If this section does not appear click Interface Configuration and then click TACACS Cisco At the bottom of the page in the Advanced Configuration Options table select the Advanced TACACS features check box Perform this procedure to configure group level TACACS enable parameters The three possible TACACS enable options are as follows No Enable Privilege default Select ...

Page 179: ... displays the name of the group at its top Step 3 From the Jump To list at the top of the page choose Enable Options Step 4 Do one of the following To disallow enable privileges for this user group select the No Enable Privilege option To set the maximum privilege level for this user group for any ACS on which this group is authorized select the Max Privilege for Any Access Server option Then sele...

Page 180: ...for Users in Windows Databases page 6 25 RADIUS based Windows NT 2000 Password Aging Users must be in the Windows NT 2000 database and be using the Windows Dial up Networking DUN client For information on the requirements and configuration of this password aging mechanism see Enabling Password Aging for Users in Windows Databases page 6 25 Password Aging for Device hosted Sessions Users must be in...

Page 181: ...nections using the RADIUS protocol Caution If a user with a RADIUS connection tries to make a Telnet connection to the AAA client during or after the password aging warning or grace period the change password option does not appear and the user account is expired Password Aging Feature Settings This section details only the Password Aging for Device hosted Sessions and Password Aging for Transit S...

Page 182: ...race period a user who did not log in during the active and warning periods would be permitted to change passwords up to and including the 30th day However even though the grace period is set for 5 days a user is allowed only one attempt to change the password when the password is in the grace period Cisco Secure ACS displays the last chance warning only once If the user does not change the passwo...

Page 183: ...greetings for successful logins Selecting this check box enables a Greetings message to display whenever users log in successfully via the CAA client The message contains up to date password information specific to this user account The password aging rules are not mutually exclusive a rule is applied for each check box that is selected For example users can be forced to change their passwords eve...

Page 184: ...isplays the name of the group at its top Step 3 From the Jump To list at the top of the page choose Password Aging Result The Password Aging Rules table appears Step 4 To set password aging by date select the Apply age by date rules check box and type the number of days for the following options as applicable Active period Warning period Grace period Note Up to 5 characters are allowed in each fie...

Page 185: ... user database see Enabling Password Aging for the CiscoSecure User Database page 6 20 Note You can run both the Windows NT 2000 Password Aging and the Cisco Secure ACS Password Aging for Transit Sessions mechanisms concurrently provided that the users authenticate from the two different databases The two types of password aging in Windows databases are as follows RADIUS based password aging RADIU...

Page 186: ...ers must be using an EAP compliant Microsoft client such as Windows XP You must enable PEAP on the Global Authentication Configuration page within the System Configuration section Tip For information on enabling PEAP in System Configuration see Global Authentication Setup page 8 81 Users whose Windows accounts reside in remote domains that is not the domain within which Cisco Secure ACS is running...

Page 187: ...assigned on the AAA server To set an IP address assignment method for a user group follow these steps Step 1 In the navigation bar click Group Setup Result The Group Setup Select page opens Step 2 From the Group list select a group and then click Edit Settings Result The Group Settings page displays the name of the group at its top Step 3 From the Jump To list at the top of the page choose IP Addr...

Page 188: ... level Note You must have established one or more PIX ACLs before attempting to assign one For instructions on how to add a downloadable PIX ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface see Adding a Downloadable PIX ACL page 5 4 Tip The Downloadable ACLs table does not appear if it has not been enabled To enable the Downloadable ACLs table click Interface ...

Page 189: ...parameters to be applied for the authorization of each user who belongs to the group For information on how to configure settings for the Shell Command Authorization Set see Configuring a Shell Command Authorization Set for a User Group page 6 31 Note To display or hide additional services or protocols click Interface Configuration click TACACS Cisco IOS and then select or clear items in the group...

Page 190: ...dix B TACACS Attribute Value Pairs or your AAA client documentation Tip For ACLs and IP address pools the name of the ACL or pool as defined on the AAA client should be entered An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network Note Leave the attribute value box blank if the default as defined on the AAA client should be used Note You c...

Page 191: ...device One shell command authorization set is assigned and it applies to all network devices Assign a Shell Command Authorization Set on a per Network Device Group Basis Enables you to associate particular shell command authorization sets to be effective on particular NDGs Per Group Command Authorization Enables you to permit or deny specific Cisco IOS commands and arguments at the group level Not...

Page 192: ...rization set you want applied to this group Step 7 To create associations that assign a particular shell command authorization set to be effective on a particular NDG for each association follow these steps a Select the Assign a Shell Command Authorization Set on a per Network Device Group Basis option b Select a Device Group and a corresponding Command Set Tip You can select a Command Set that wi...

Page 193: ...trator For information on how Cisco Secure ACS uses pattern matching in command arguments see About Pattern Matching page 5 15 Tip To enter several commands you must click Submit after specifying a command A new command entry box appears below the box you just completed Configuring a PIX Command Authorization Set for a User Group Use this procedure to specify the PIX command authorization set para...

Page 194: ...displays the name of the group at its top Step 3 From the Jump To list at the top of the page choose TACACS Result The system displays the TACACS Settings table section Step 4 Scroll down to the PIX Command Authorization Set feature area within the TACACS Settings table Step 5 To prevent the application of any PIX command authorization set select or accept the default of the None option Step 6 To ...

Page 195: ...plications that are configured to use Cisco Secure ACS for authorization There are three options None No authorization is performed for commands issued in the applicable Cisco device management application Assign a device management application for any network device For the applicable device management application one command authorization set is assigned and it applies to management tasks on all...

Page 196: ...ble Cisco device management application Step 5 To prevent the application of any command authorization set for the applicable device management application select the None option Step 6 To assign a particular command authorization set that affects device management application actions on any network device follow these steps a Select the Assign a device management application for any network devic...

Page 197: ... an authorization for each user in the current group follow these steps Step 1 In the navigation bar click Group Setup Result The Group Setup Select page opens Step 2 From the Group list select a group and then click Edit Settings Result The Group Settings page displays the name of the group at its top Step 3 From the Jump To list at the top of the page choose RADIUS IETF Step 4 For each IETF RADI...

Page 198: ... RADIUS Settings for a User Group The Cisco IOS PIX RADIUS parameters appear only when both the following are true A AAA client has been configured to use RADIUS Cisco IOS PIX in Network Configuration Group level RADIUS Cisco IOS PIX attributes have been enabled in Interface Configuration RADIUS Cisco IOS PIX Cisco IOS PIX RADIUS represents only the Cisco VSAs You must configure both the IETF RADI...

Page 199: ... see Saving Changes to User Group Settings page 6 53 Step 4 To continue specifying other group settings perform other procedures in this chapter as applicable Configuring Cisco Aironet RADIUS Settings for a User Group The Cisco Aironet RADIUS VSA appears only when both the following are true A AAA client has been configured to use RADIUS Cisco Aironet in Network Configuration The group level RADIU...

Page 200: ...navigation bar click Group Setup Result The Group Setup Select page opens Step 3 From the Group list select a group and then click Edit Settings Result The Group Settings page displays the name of the group at its top Step 4 From the Jump To list at the top of the page choose RADIUS Cisco Aironet Step 5 In the Cisco Aironet RADIUS Attributes table select the 5842 001 Cisco Aironet Session Timeout ...

Page 201: ...hen you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA settings do not appear in the group configuration interface To configure and enable Ascend RADIUS attributes to be applied as an authorization for each user in the current group follow these steps Step 1 Confirm that your IETF RADIUS attributes are configured properly For m...

Page 202: ... of the Interface Configuration section Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000 Concentrator VSA You must configure both the IETF RADIUS and Cisco VPN 3000 Concentrator RADIUS attributes Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 16 A VSA applied as an authoriza...

Page 203: ... 6 To save the group settings you have just made click Submit For more information see Saving Changes to User Group Settings page 6 53 Step 7 To continue specifying other group settings perform other procedures in this chapter as applicable Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only when both...

Page 204: ...igation bar click Group Setup Result The Group Setup Select page opens Step 3 From the Group list select a group and then click Edit Settings Result The Group Settings page displays the name of the group at its top Step 4 From the Jump To list at the top of the page choose RADIUS Cisco VPN 5000 Step 5 In the Cisco VPN 5000 Concentrator RADIUS Attributes table select the attributes that should be a...

Page 205: ...ols support the Microsoft RADIUS VSA Cisco IOS PIX Cisco VPN 3000 Ascend Microsoft RADIUS represents only the Microsoft VSA You must configure both the IETF RADIUS and Microsoft RADIUS attributes Note To hide or display Microsoft RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 16 A VSA applied as an authorization to a particular group persists eve...

Page 206: ...umentation for network devices using RADIUS Note The MS CHAP MPPE Keys attribute value is autogenerated by Cisco Secure ACS there is no value to set in the HTML interface Step 6 To save the group settings you have just made click Submit For more information see Saving Changes to User Group Settings page 6 53 Step 7 To continue specifying other group settings perform other procedures in this chapte...

Page 207: ...r a User Group page 6 37 Step 2 In the navigation bar click Group Setup Result The Group Setup Select page opens Step 3 From the Group list select a group and then click Edit Settings Result The Group Settings page displays the name of the group at its top Step 4 From the Jump To list at the top of the page choose RADIUS Nortel Step 5 In the Nortel RADIUS Attributes table specify the attributes to...

Page 208: ...ADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Configuring IETF RADIUS Settings for a User Group page 6 37 Step 2 In the navigation bar click Group Setup Result The Group Setup Select page opens Step 3 From the Group list select a group and then click Edit Settings Result The Group Settings page displays the name of the group at its top Step ...

Page 209: ...rsists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA settings do not appear in the group configuration interface To configure and enable BBSM RADIUS attributes to be applied as an authorization for each user in the current group follow these steps Step 1 Confirm that your IETF RADIUS attributes are configured pro...

Page 210: ...fying other group settings perform other procedures in this chapter as applicable Configuring Custom RADIUS VSA Settings for a User Group User defined custom Radius VSA configurations appear only when all the following are true You have defined and configured the custom RADIUS VSAs For information about creating user defined RADIUS VSAs see Custom RADIUS Vendors and VSAs page 8 33 A network device...

Page 211: ...n the field next to it For more information about attributes see Appendix C RADIUS Attributes or the documentation for network devices using RADIUS Note The MS CHAP MPPE Keys attribute value is autogenerated by Cisco Secure ACS there is no value to set in the HTML interface Step 6 To save the group settings you have just made click Submit For more information see Saving Changes to User Group Setti...

Page 212: ...me of the user in the User List Result The User Setup page for the particular user account selected appears Resetting Usage Quota Counters for a User Group You can reset the usage quota counters for all members of a group either before or after a quota has been exceeded To reset usage quota counters for all members of a user group follow these steps Step 1 In the navigation bar click Group Setup R...

Page 213: ...bmit Note The group remains in the same position in the list The number value of the group is still associated with this group name Some utilities such as the database import utility use the numeric value associated with the group Result The Select page opens with the new group name selected Saving Changes to User Group Settings After you have completed configuration for a group be sure to save yo...

Page 214: ...1 Result The group attributes are applied and services are restarted The Edit page opens Note Restarting the service clears the Logged in User Report and temporarily interrupts all Cisco Secure ACS services This affects the Max Sessions counter Step 2 To verify that your changes were applied select the group and click Edit Settings View the settings ...

Page 215: ...ynamically builds the User Setup section interface depending on the configuration of your AAA client and the security protocols being used That is what you see under User Setup is affected by both your system configuration and your settings in the Interface Configuration section This chapter contains the following sections User Setup Features and Functions page 7 2 An overview of the User Setup se...

Page 216: ... the User Setup section you can perform the following tasks View a list of all users in the CiscoSecure user database Find a user Add a user Assign the user to a group including Voice over IP VoIP Groups Edit user account information Establish or change user authentication type Configure callback information for the user Set network access restrictions NARs for the user Configure Advanced Settings...

Page 217: ...abase located in the local domain or in domains configured in the Windows NT 2000 user database For more information see Windows NT 2000 User Database page 11 7 Generic LDAP Authenticates a user from a Generic LDAP external user database For more information see Generic LDAP page 11 16 Novell NDS Authenticates a user using Novell NetWare Directory Services NDS For more information see Novell NDS D...

Page 218: ...ollowing Setting Supplementary User Information page 7 7 Setting a Separate CHAP MS CHAP ARAP Password page 7 8 Assigning a User to a Group page 7 9 Setting User Callback Option page 7 10 Assigning a User to a Client IP Address page 7 11 Setting Network Access Restrictions for a User page 7 12 Setting Max Sessions Options for a User page 7 16 Setting User Usage Quotas Options page 7 18 Setting Opt...

Page 219: ...d a new user account to the CiscoSecure user database To add a user account follow these steps Step 1 In the navigation bar click User Setup Result The User Setup Select page opens Step 2 Type a name in the User box Note The username can contain up to 32 characters Names cannot contain the following special characters Leading and trailing spaces are not allowed Step 3 Click Add Edit Result The Use...

Page 220: ...p to 32 characters are allowed each for the Password box and the Confirm Password box Tip The CiscoSecure PAP password is also used for CHAP MS CHAP ARAP if the Separate CHAP MS CHAP ARAP check box is not selected Tip You can configure the AAA client to ask for a PAP password first and then a CHAP or MS CHAP password so that when users dial in using a PAP password they will authenticate For exampl...

Page 221: ...display and configure these optional fields see User Data Configuration Options page 3 3 To enter optional information into the Supplementary User Information table follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 5 Result The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Complete each box that appears in...

Page 222: ...of the page Step 2 Select the Separate CHAP MS CHAP ARAP check box in the User Setup table Step 3 Specify the CHAP MS CHAP ARAP password to be used by typing it in each of the second set of Password Confirm boxes under the Separate CHAP MS CHAP ARAP check box Note Up to 32 characters are allowed each for the Password box and the Confirm Password box Note These Password and Confirm Password boxes a...

Page 223: ...nticator For external user databases from which Cisco Secure ACS can derive group information you can associate the group memberships defined for the users in the external user database to specific Cisco Secure ACS groups For more information see Database Group Mappings page 12 11 To assign a user to a group follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account pag...

Page 224: ...ude the following Use group setting Select if you want this user to use the setting for the group No callback allowed Select to disable callback for this user Callback using this number Select and type the complete number including area code if necessary on which to always call back this user Note The maximum character length for the callback number is 199 characters Dialup client specifies callba...

Page 225: ...is at the top of the page Step 2 Under Client IP Address Assignment in the User Setup table select the applicable option Choices include the following Note The IP address assignment in User Setup overrides the IP address assignment in Group Setup Use group settings Select this option to use the IP address group assignment No IP address assignment Select this option to override the group setting if...

Page 226: ... order listed To move the position of a pool in the list select the pool name and click Up or Down until the pool is in the position you want Step 3 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Network Access Restricti...

Page 227: ...tions and single user CLI DNIS based filter options to appear in the Cisco Secure ACS HTML interface Note When an authentication request is forwarded by proxy to a Cisco Secure ACS any NARs for TACACS requests are applied to the IP address of the forwarding AAA server not to the IP address of the originating AAA client To set NARs for a user follow these steps Step 1 Perform Step 1 through Step 3 ...

Page 228: ...ccess Restrictions Configuration page 5 8 a In the Network Access Restrictions table under Per User Defined Network Access Restrictions select the Define IP based access restrictions check box b To specify whether the subsequent listing specifies permitted or denied IP addresses from the Table Defines list select one of the following Permitted Calling Point of Access Locations Denied Calling Point...

Page 229: ...part of a value The format you use must match the format of the string you receive from your AAA client You can determine this format from your RADIUS Accounting Log AAA Client Select All AAA Clients or the name of the NDG or the name of the individual AAA client to which to permit or deny access PORT Type the number of the port to which to permit or deny access You can use the wildcard asterisk t...

Page 230: ...ons permitted for this user For Cisco Secure ACS purposes a session is considered any type of user connection supported by RADIUS or TACACS for example PPP or Telnet or ARAP Note however that accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session All session counts are based on user and group names only Cisco Secure ACS does not support any differentiation by ty...

Page 231: ...e options Unlimited Select to allow this user an unlimited number of simultaneous sessions This effectively disables Max Sessions n Select and then type the maximum number of simultaneous sessions to allow this user Use group setting Select to use the Max Sessions value for the group Note The default setting is Use group setting Note User Max Sessions settings override the group Max Sessions setti...

Page 232: ...le on the User Setup Edit page displays usage statistics for the current user The Current Usage table lists both online time and sessions used by the user with columns for daily weekly monthly and total usage The Current Usage table appears only on user accounts that you have established that is it does not appear during initial user setup For a user who has exceeded his quota Cisco Secure ACS den...

Page 233: ...heck box b Type the number of hours up to 10 characters to which you want to limit the user in the Limit user to x hours of online time box Use decimal values to indicate minutes For example a value of 10 5 would equal 10 hours and 30 minutes c Select the period for which you want to enforce the time usage quota per Day From 12 01 a m until midnight per Week From 12 01 a m Sunday until midnight Sa...

Page 234: ...s Also note that this feature is distinct from the Account Disabled check box For instructions on how to disable a user account see Disabling a User Account page 7 55 Note If the user is authenticated with a Windows NT 2000 external user database this expiration information is in addition to the information in the Windows NT 2000 user account Changes here do not alter settings configured in Window...

Page 235: ...ling the account Note The default is 5 Step 3 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Assigning a PIX ACL to a User The Downloadable ACLs feature enables you to assign a PIX Access Control List ACL at the user level You m...

Page 236: ...ick Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Advanced User Authentication Settings This section presents the activities you perform to configure user level TACACS and RADIUS enable parameters This section contains the following subsections TACACS Settings User page 7 22 Advanced TACACS Settings User page 7 3...

Page 237: ...gs display within the User Setup section would be cumbersome you choose what settings to hide or display at the user level when you configure the interface For more information about setting up new or existing TACACS services in the Cisco Secure ACS HTML interface see Protocol Configuration Options for TACACS page 3 7 If you have configured Cisco Secure ACS to interact with a Cisco device manageme...

Page 238: ...s at the top of the page Step 3 Scroll down to the TACACS Settings table and select the bold service name check box to enable that protocol for example PPP IP Step 4 To enable specific parameters within the selected service select the check box next to a specific parameter and then do one of the following as applicable Select the Enabled check box Specify a value in the corresponding attribute box...

Page 239: ...he group level shell command authorization set applies Assign a Shell Command Authorization Set for any network device One shell command authorization set is assigned and it applies all network devices Assign a Shell Command Authorization Set on a per Network Device Group Basis Particular shell command authorization sets are to be effective on particular NDGs When you select this option you create...

Page 240: ... the application of any shell command authorization set select or accept the default of the None option Step 4 To assign the shell command authorization set at the group level select the As Group option Step 5 To assign a particular shell command authorization set to be effective on any configured network device follow these steps a Select the Assign a Shell Command Authorization Set for any netwo...

Page 241: ... to be permitted or denied select the Command check box and then type the name of the command define its arguments using standard permit or deny syntax and select whether unlisted arguments are to be permitted or denied Warning This is a powerful advanced feature and should be used by an administrator skilled with Cisco IOS commands Correct syntax is the responsibility of the administrator For inf...

Page 242: ...A client has been configured to use TACACS as the security control protocol In the Advanced Options section of Interface Configuration ensure that the Per user TACACS RADIUS Attributes check box is selected In the TACACS Cisco section of Interface Configuration ensure that the PIX Shell pixShell option is selected in the User column Ensure that you have already configured one or more PIX command a...

Page 243: ...ion select the PIX command authorization set you want applied to this user Step 6 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG for each association follow these steps a Select the Assign a PIX Command Authorization Set on a per Network Device Group Basis option b Select a Device Group and an associated Command Set c Click Add Ass...

Page 244: ...nagement application one command authorization set is assigned and it applies to management tasks on all network devices Assign a device management application on a per Network Device Group Basis For the applicable device management application this option enables you to apply command authorization sets to specific NDGs so that it affects all management tasks on the network devices belonging to th...

Page 245: ...option Step 4 To assign command authorization for the applicable device management application at the group level select the As Group option Step 5 To assign a particular command authorization set that affects device management application actions on any network device follow these steps a Select the Assign a device management application for any network device option b Then from the list directly...

Page 246: ...nder Checking this option will PERMIT all UNKNOWN Services To configure the Unknown Service setting for a user follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 5 Result The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Scroll down to the table under the heading Checking this option will PERMIT all UNKNOWN...

Page 247: ...ns for a User page 7 35 Setting TACACS Outbound Password for a User page 7 36 Setting Enable Privilege Options for a User You use TACACS Enable Control with Exec session to control administrator access Typically you use it for router management control From the following four options you can select and specify the privilege level you want a user to have Use Group Level Setting Sets the privileges ...

Page 248: ...anced TACACS Settings table select one of the four privilege options as follows Use Group Level Setting No Enable Privilege Note No Enable Privilege is the default setting when setting up an new user account it should already be selected Max Privilege for Any Access Server Define Max Privilege on a per Network Device Group Basis Step 3 If you selected Max Privilege for Any Access Server in Step 2 ...

Page 249: ...llowing If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting TACACS Enable Password Options for a User When setting the TACACS Enable Password Options for a user you have three options to chose from Use CiscoSecure PAP password Use external database ...

Page 250: ...l User Databases page 11 4 To use a separate password click Use separate password and then type and retype to confirm a control password for this user This password is used in addition to the regular authentication Step 3 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other ...

Page 251: ...y the user account options perform other procedures in this chapter as applicable RADIUS Attributes You can configure user attributes for RADIUS authentication either generally at the IETF level or for vendor specific attributes VSAs on a vendor by vendor basis For general attributes see Setting IETF RADIUS Parameters for a User page 7 38 Cisco Secure ACS ships with many popular VSAs already loade...

Page 252: ...r a User RADIUS attributes are sent as a profile for the user from Cisco Secure ACS to the requesting AAA client These parameters display only if all the following are true A AAA client has been configured to use one of the RADIUS protocols in Network Configuration The Per user TACACS RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section User level I...

Page 253: ...tions click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Cisco IOS PIX RADIUS Parameters for a User The Cisco IOS RADIUS parameters appear only if all the following are true A AAA client has been configured to use RADIUS Cisco IOS PIX in Network Configuration The Per user TACACS RADIUS Attributes check b...

Page 254: ... page 7 38 Step 3 In the Cisco IOS PIX RADIUS Attributes table to specify the attributes to be authorized for the user follow these steps a Select the 009 001 cisco av pair attribute check box b Type the commands such as TACACS commands to be packed as a RADIUS VSA c Continue to select and define attributes as applicable Step 4 Do one of the following If you are finished configuring the user accou...

Page 255: ...ed the VSA settings do not appear in the user configuration interface To configure and enable the Cisco Aironet RADIUS attribute to be applied as an authorization for the current user follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 5 Result The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Before configu...

Page 256: ...IUS Ascend in the Interface Configuration section Ascend RADIUS represents only the Ascend proprietary attributes You must configure both the IETF RADIUS and Ascend RADIUS attributes Proprietary attributes override IETF attributes The default attribute setting displayed for RADIUS is Ascend Remote Addr Note To hide or display Ascend RADIUS attributes see Setting Protocol Configuration Options for ...

Page 257: ...ttributes or your AAA client documentation Step 4 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User The Cisco VPN 3000 Concentrator RADIUS attribute configurations ap...

Page 258: ...lt The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Before configuring Cisco VPN 3000 Concentrator RADIUS attributes be sure your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Setting IETF RADIUS Parameters for a User page 7 38 Step 3 In the Cisco VPN 3000 Concentrator Attribute table t...

Page 259: ...nd Cisco VPN 5000 Concentrator RADIUS attributes Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 16 A VSA applied as an authorization to a particular user persists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA s...

Page 260: ...erform other procedures in this chapter as applicable Setting Microsoft RADIUS Parameters for a User Microsoft RADIUS provides VSAs supporting Microsoft Point to Point Encryption MPPE which is an encryption technology developed by Microsoft to encrypt point to point PPP links These PPP connections can be via a dial in line or over a Virtual Private Network VPN tunnel The Microsoft RADIUS attribute...

Page 261: ...t user follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 5 Result The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Before configuring Cisco IOS RADIUS attributes be sure your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Setting IETF RADIUS Pa...

Page 262: ... to apply have been enabled under RADIUS Nortel in the Interface Configuration section Nortel RADIUS represents only the Nortel proprietary attributes You must configure both the IETF RADIUS and Nortel RADIUS attributes Proprietary attributes override IETF attributes Note To hide or display Nortel RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 16...

Page 263: ...attributes see Appendix C RADIUS Attributes or your AAA client documentation Step 4 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Juniper RADIUS Parameters for a User The Juniper RADIUS parameters appear only if all the...

Page 264: ...he User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Before configuring Juniper RADIUS attributes be sure your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Setting IETF RADIUS Parameters for a User page 7 38 Step 3 In the Juniper RADIUS Attributes table to specify the attributes that should...

Page 265: ...page 3 16 A VSA applied as an authorization to a particular user persists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA settings do not appear in the user configuration interface To configure and enable BBSM RADIUS attributes to be applied as an authorization for the current user follow these steps Step 1 Perform...

Page 266: ...red in Network Configuration that uses a RADIUS protocol that supports the custom VSA The Per user TACACS RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section User level RADIUS custom name attributes you want to apply have been enabled under RADIUS custom name in the Interface Configuration section You must configure both the IETF RADIUS and the cus...

Page 267: ...ix C RADIUS Attributes or your AAA client documentation Step 4 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable User Management This section describes how to use the Cisco Secure ACS User Setup section to perform a variety of user...

Page 268: ...not be sorted To view a list of all user accounts follow these steps Step 1 In the navigation bar click User Setup Result The User Setup Select page opens Step 2 Click List All Users Result In the display area on the right the User List appears Step 3 To view or edit the information for an individual user click the username in the right window Result The user account information appears Finding a ...

Page 269: ...on the right Result The user account information appears Disabling a User Account This procedure details how to manually disable a user account in the CiscoSecure user database Note To configure the conditions by which a user account will automatically be disabled see Setting Options for User Account Disablement page 7 20 Note This is not to be confused with account expiration due to password agin...

Page 270: ...e from being automatically re added to the CiscoSecure user database the next time the user attempts to log in To delete a user account follow these steps Step 1 Click User Setup Result The User Setup Select page of the HTML interface opens Step 2 In the User box type the complete username to be deleted Note Alternatively you can click List All Users and then select the user from the list that app...

Page 271: ...usage quota counters follow these steps Step 1 Click User Setup Result The Select page of the HTML interface opens Step 2 In the User box type the complete username of the user whose session quota counters you are going to reset Note Alternatively you can click List All Users and then select the user from the list that appears Step 3 Click Add Edit Step 4 In the Session Quotas section select the R...

Page 272: ... account to be reset Note Alternatively you can click List All Users and then select the user from the list that appears Step 3 Click Add Edit Step 4 In the Account Disable table select the Reset current failed attempts count on submit check box and then click Submit Result The Failed attempts since last successful login counter resets to 0 zero and the system re enables the account Note This coun...

Page 273: ...ing User Settings After you have completed configuration for a user be sure to save your work To save the configuration for the current user follow these steps Step 1 To save the user account configuration click Submit Step 2 To verify that your changes were applied type the username in the User box and click Add Edit and then review the settings ...

Page 274: ...Chapter 7 Setting Up and Managing User Accounts User Management 7 60 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 275: ...ains the following topics Service Control page 8 2 Logging page 8 3 Date Format Control page 8 3 Local Password Management page 8 5 CiscoSecure Database Replication page 8 9 RDBMS Synchronization page 8 29 Cisco Secure ACS Backup page 8 47 Cisco Secure ACS System Restore page 8 52 Cisco Secure ACS Active Service Management page 8 55 IP Pools Server page 8 59 IP Pools Address Recovery page 8 67 VoI...

Page 276: ...nfigure Cisco Secure ACS service logs For more information see Configuring Service Logs page 9 30 Determining the Status of Cisco Secure ACS Services You can determine whether Cisco Secure ACS services are running or stopped by accessing the Service Control page To determine the status of Cisco Secure ACS services follow these steps Step 1 In the navigation bar click System Configuration Step 2 Cl...

Page 277: ...le where hostname is the name of the Cisco Secure ACS If the services are running the Restart and Stop buttons appear at the bottom of the page If the services are stopped the Start button appears at the bottom of the page Step 3 Click Stop Start or Restart as applicable Result The status of Cisco Secure ACS services changes to the state appropriate to the button you clicked Logging You can config...

Page 278: ... month year format on December 7 2001 Cisco Secure ACS creates a file also named 2001 07 12 csv and overwrites the existing file To set the date format follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click Date Format Control Result Cisco Secure ACS displays the Date Format Selection table Step 3 Select a date format option Step 4 Click Submit Restart Result Cisco...

Page 279: ...scoSecure user database They do not apply to passwords in user records kept in external user databases nor do they apply to enable or admin passwords for Cisco IOS network devices The password validation options are listed below Password length between X and Y characters Enforces that password lengths be between the values specified in the X and Y boxes inclusive Cisco Secure ACS supports password...

Page 280: ...the CiscoSecure Database Replication feature configured properly however replication scheduling does not apply to propagation of changed password information Cisco Secure ACS sends changed password information immediately regardless of replication scheduling Changed password information is replicated only to Cisco Secure ACSes that are properly configured to receive replication data from this Cisc...

Page 281: ...aracters type the minimum valid number of characters for a password in the X box up to 2 characters b In Password length between X and Y characters type the maximum valid number of characters for a password in the Y box up to 2 characters c If you want to disallow passwords that contain the username select the Password may not contain the username check box d If you want to require that a user pas...

Page 282: ...select one of the following options Every day Cisco Secure ACS generates a new User Password Changes log file at the start of each day Every week Cisco Secure ACS generates a new User Password Changes log file at the start of each week Every month Cisco Secure ACS generates a new User Password Changes log file at the start of each month Step 6 If you want Cisco Secure ACS to generate a new User Pa...

Page 283: ...base Backup page 8 16 Database Replication Logging page 8 17 Replication Options page 8 17 Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes page 8 20 Configuring a Secondary Cisco Secure ACS page 8 21 Replicating Immediately page 8 24 Scheduling Replication page 8 26 Disabling CiscoSecure Database Replication page 8 29 Database Replication Event Errors page 8 29 About Ci...

Page 284: ...mary Cisco Secure ACS Securely transport selected configuration data from the primary Cisco Secure ACS to one or more secondary Cisco Secure ACSes Update the secondary Cisco Secure ACSes to create matching configurations The following items cannot be replicated IP pool definitions for more information see About IP Pools Server page 8 60 Cisco Secure ACS certificate and private key files External u...

Page 285: ... provided that it is not configured to be a secondary Cisco Secure ACS to a Cisco Secure ACS for which it performs as a primary Cisco Secure ACS Note Bidirectional replication wherein an Cisco Secure ACS both sends database components to and receives database components from the same remote Cisco Secure ACS is not supported Replication fails if an Cisco Secure ACS is configured to replicate to and...

Page 286: ...econdary Cisco Secure ACS s shared secret is irrelevant b The secondary Cisco Secure ACS verifies that it is not configured to replicate to the primary Cisco Secure ACS If it is replication is aborted Cisco Secure ACS does not support bidirectional replication wherein an Cisco Secure ACS can act as both a primary and a secondary Cisco Secure ACS to the same remote Cisco Secure ACS c The primary Ci...

Page 287: ... After the preceding events on the primary Cisco Secure ACS the database replication process continues on the secondary Cisco Secure ACS as follows a The secondary Cisco Secure ACS receives the compressed encrypted copy of the CiscoSecure database components from the primary Cisco Secure ACS After transmission of the database components is complete the secondary Cisco Secure ACS uncompresses the d...

Page 288: ...ary Cisco Secure ACS is more up to date with the primary Cisco Secure ACS This allows for a more current secondary Cisco Secure ACS if the primary Cisco Secure ACS fails There is a cost to having frequent replications The more frequent the replication the higher the load on a multi server Cisco Secure ACS architecture and on your network environment If you schedule frequent replication network tra...

Page 289: ...In its AAA Servers table a primary Cisco Secure ACS must have for each of its secondary Cisco Secure ACS an accurately configured entry In its AAA Servers table a secondary Cisco Secure ACS must have for each of its primary Cisco Secure ACSes an accurately configured entry On a primary Cisco Secure ACS and all its secondary Cisco Secure ACSes the AAA Servers table entries for the primary Cisco Sec...

Page 290: ...m Backup While both features protect against partial or complete server loss each feature addresses the issue in a different way System Backup archives data into a format that you can later use to restore the configuration if the system fails or the data becomes corrupted The backup data is stored on the local hard drive and can be copied and removed from the system for long term storage You can s...

Page 291: ... see Chapter 9 Working with Logging and Reports Replication Options The Cisco Secure ACS HTML interface provides three sets of options for configuring CiscoSecure Database Replication Replication Components Options page 8 17 Outbound Replication Options page 8 18 Inbound Replication Options page 8 20 Replication Components Options You can specify both the CiscoSecure database components that a Cis...

Page 292: ...L interface Password validation settings Replicate password validation settings If mirroring the entire database with a secondary Cisco Secure ACS might send confidential information such as the Proxy Distribution Table you can configure the primary Cisco Secure ACS to send only a specific category of database information Outbound Replication Options In the Outbound Replication table on the CiscoS...

Page 293: ...cure ACS The options that control the secondary Cisco Secure ACSes to which a primary Cisco Secure ACS replicates appear in the Partners section of the Outbound Replication table Note The items in the AAA Server and Replication lists reflect the AAA servers configured in the AAA Servers table in Network Configuration To make a particular Cisco Secure ACS available as a secondary Cisco Secure ACS y...

Page 294: ...ervers table in Network Configuration If a specific AAA server name is selected Cisco Secure ACS accepts replicated components only from the Cisco Secure ACS specified Note Cisco Secure ACS does not support bidirectional database replication A secondary Cisco Secure ACS receiving replicated components verifies that the primary Cisco Secure ACS is not on its Replication list If not the secondary Ci...

Page 295: ...mponents For instructions see Configuring a Secondary Cisco Secure ACS page 8 21 Step 2 On the primary Cisco Secure ACS follow these steps a In the Network Configuration section add each secondary Cisco Secure ACS to the AAA Servers table For more information about adding entries to the AAA Servers table see AAA Server Configuration page 4 20 b If you want to replicate according to a schedule at i...

Page 296: ...omponent is lost Before You Begin Ensure correct configuration of the AAA Servers table in the secondary Cisco Secure ACS This secondary Cisco Secure ACS must have an entry in its AAA Servers table for each of its primary Cisco Secure ACSes Also the AAA Servers table entry for each primary Cisco Secure ACS must have the same shared secret that the primary Cisco Secure ACS has for its own entry in ...

Page 297: ...sco Secure ACS from the Accept replication from list select the other Cisco Secure ACS name The primary Cisco Secure ACSes available in the Accept replication from list are determined by the AAA Servers table in the Network Configuration section For more information about the AAA Servers table see AAA Server Configuration page 4 20 Note On the primary Cisco Secure ACS and all secondary Cisco Secur...

Page 298: ...guring a secondary Cisco Secure ACS see Configuring a Secondary Cisco Secure ACS page 8 21 Before You Begin For each secondary Cisco Secure ACS that this Cisco Secure ACS is to send replicated components to ensure that you have completed the steps in Configuring a Secondary Cisco Secure ACS page 8 21 Ensure correct configuration of the AAA Servers table in the primary Cisco Secure ACS This primary...

Page 299: ...Cisco Secure ACS that you want the primary Cisco Secure ACS server to replicate its select components to select the secondary Cisco Secure ACS server from the AAA Servers list and then click right arrow button Tip If you want to remove a secondary Cisco Secure ACSes from the Replication list select the secondary Cisco Secure ACS in the Replication list and then click left arrow button Note Cisco S...

Page 300: ... ACS page 8 21 Ensure correct configuration of the AAA Servers table of this primary Cisco Secure ACS For each secondary Cisco Secure ACS of this primary Cisco Secure ACS this Cisco Secure ACS must have an accurately configured entry in its AAA Servers table For more information about the AAA Servers table see AAA Server Configuration page 4 20 To schedule when a primary Cisco Secure ACS replicate...

Page 301: ...during replication a short replication interval may cause frequent failover of your AAA clients to other Cisco Secure ACSes If AAA clients are not configured to failover to other Cisco Secure ACSes the brief interruption in authentication service may prevent users from authenticating For more information see Replication Frequency page 8 14 Step 6 If you want to schedule times at which the primary ...

Page 302: ...e secondary Cisco Secure ACS accepts the replicated database components If so it rejects the components For more information about replication partners see Inbound Replication Options page 8 20 a In the Outbound Replication table from the AAA Servers list select the name of a secondary Cisco Secure ACS to which you want the primary Cisco Secure ACS to send its selected replicated database componen...

Page 303: ...esult The Database Replication Setup page appears Step 4 In the Replication Components table clear all check boxes Step 5 In the Outbound Replication table select the Manually option Step 6 Click Submit Result Cisco Secure ACS does not permit any replication to or from this Cisco Secure ACS server Database Replication Event Errors The Database Replication report contains messages indicating errors...

Page 304: ...e of a third party application It can also be an intermediate file or database that a third party system updates Regardless of where the file or database resides Cisco Secure ACS reads the file or database via the ODBC connection You can also regard RDBMS Synchronization as an API much of what you can configure for a user group or device through the Cisco Secure ACS HTML interface you can alternat...

Page 305: ...onization can perform see Appendix F RDBMS Synchronization Import Definitions Users Among the user related configuration actions that RDBMS Synchronization can perform are the following Adding users Deleting users Setting passwords Setting user group memberships Setting Max Sessions parameters Setting network usage quota parameters Configuring command authorizations Configuring network access rest...

Page 306: ...DIUS attribute values Specifying outbound TACACS attribute values Note For specific information about all actions that RDBMS Synchronization can perform see Appendix F RDBMS Synchronization Import Definitions Network Configuration Among the network device related configuration actions that RDBMS Synchronization can perform are the following Adding AAA clients Deleting AAA clients Setting AAA clien...

Page 307: ...instance of any given vendor as defined by the unique vendor IETF ID number and by the vendor name Note For specific information about all actions that RDBMS Synchronization can perform see Appendix F RDBMS Synchronization Import Definitions RDBMS Synchronization Components The RDBMS Synchronization feature comprises two components CSDBSync A dedicated Windows service that performs automated user ...

Page 308: ... have both read and write privileges For more information about CSDBSync or other Windows services used by Cisco Secure ACS see Appendix G Cisco Secure ACS Internal Architecture About the accountActions Table The accountActions table contains a set of rows that define actions CSDBSync is to perform in the CiscoSecure user database Each row in the accountActions table holds user user group or AAA c...

Page 309: ...n routine creates a system DSN named CiscoSecure DBSync This system DSN is configured to communicate with CiscoSecure Transactions mdb Note By default the username and password for the CiscoSecure Transactions mdb database are set to null To increase the security of RDBMS synchronizations performed using this database change the username and password both in the CiscoSecure Transactions mdb databa...

Page 310: ...tion feature does not maintain a transaction log audit trail If a log is required the external system that adds records to the accountActions table must create it Unless the external system can recreate the entire transaction history in the accountActions table we recommend that you construct a transaction log file for recovery purposes To do this create a second table that is stored in a safe loc...

Page 311: ...lso see Considerations for Using CSV Based Synchronization page 8 38 To prepare to use RDBMS Synchronization follow these steps Step 1 Determine where you want to create the accountActions table and in what format For more information about the accountActions table see About the accountActions Table page 8 34 For details on the format and content of the accountActions table see Appendix F RDBMS Sy...

Page 312: ...accountActions table with information to be imported into the CiscoSecure user database Step 8 Confirm that RDBMS synchronization is operating properly by monitoring the RDBMS Synchronization report in the Reports and Activity section For more information about the RDBMS Synchronization log see Cisco Secure ACS System Logs page 9 11 Also monitor the CSDBSync service log For more information about ...

Page 313: ...CSV Based Synchronization page 8 39 Preparing for CSV Based Synchronization If you want to use a CSV file for your accountActions table some additional configuration is necessary This is because the Microsoft ODBC CSV driver cannot access the accountActions table unless the file has a csv file extension To prepare for RDBMS synchronization using a CSV file follow these steps Step 1 Rename the acco...

Page 314: ...e the CiscoSecure Transactions mdb Microsoft Access database provided with Cisco Secure ACS you can use the CiscoSecure DBSync system DSN rather than creating one For more information about the CiscoSecure Transactions mdb file see Preparing to Use RDBMS Synchronization page 8 37 To create a system DSN for use with RDBMS synchronization follow these steps Step 1 In Windows Control Panel double cli...

Page 315: ...co Secure ACS RDBMS Synchronization Options The RDBMS Synchronization Setup page available from System Configuration provides control of the following items RDBMS Setup Options page 8 41 Defines how Cisco Secure ACS accesses the accountActions table Synchronization Scheduling Options page 8 42 Defines when synchronization occurs Synchronization Partners Options page 8 42 Defines which Cisco Secure...

Page 316: ...ency The unit of measurement is minutes with a default update frequency of 60 minutes At specific times Cisco Secure ACS performs synchronization at the time specified in the day and hour graph The minimum interval is one hour and the synchronization takes place on the hour selected Synchronization Partners Options The RDBMS Synchronization feature provides the following synchronization partners o...

Page 317: ...tup table follow these steps Note For more information about RDBMS setup see RDBMS Setup Options page 8 41 a From the Data Source list select the system DSN you configured to communicate with the database that contains your accountActions table For more information about configuring a system DSN for use with RDBMS Synchronization see Configuring a System Data Source Name for RDBMS Synchronization ...

Page 318: ...n Result The selected Cisco Secure ACS appears in the AAA Servers list Step 6 At the bottom of the browser window click Synchronize Now Result Cisco Secure ACS immediately begins a synchronization event To check the status of the synchronization view the RDBMS Synchronization report in Reports and Activity Scheduling RDBMS Synchronization You can schedule when a Cisco Secure ACS performs RDBMS syn...

Page 319: ...t that has read write access to the accountActions table c In the Password box type the password for the username specified in the Step b Step 4 To have this Cisco Secure ACS perform RDBMS synchronization at regular intervals under Synchronization Scheduling select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform synchronization u...

Page 320: ...table in Network Configuration with the addition of the name of the current Cisco Secure ACS server For more information about the AAA Servers table see AAA Server Configuration page 4 20 b Click right arrow button Result The selected Cisco Secure ACS moves to the Synchronize list Note At least one Cisco Secure ACS must be in the Synchronize list This includes the server on which you are configuri...

Page 321: ...isco Secure ACS Backup feature including procedures for implementing this feature This section contains the following topics About Cisco Secure ACS Backup page 8 47 Backup File Locations page 8 48 Directory Management page 8 48 Components Backed Up page 8 48 Reports of Cisco Secure ACS Backups page 8 49 Performing a Manual Cisco Secure ACS Backup page 8 50 Scheduling Cisco Secure ACS Backups page ...

Page 322: ... CSAuth System Backups The filename given to a backup is determined by Cisco Secure ACS For more information about filenames assigned to backup files generated by Cisco Secure ACS see Backup File Names and Locations page 8 53 Directory Management You can configure the number of backup files to keep and the number of days after which backup files are deleted The more complex your configuration and ...

Page 323: ...s automatic backups on a set frequency The unit of measurement is minutes with a default backup frequency of 60 minutes At specific times Cisco Secure ACS performs automatic backups at the time specified in the day and hour graph The minimum interval is one hour and the backup takes place on the hour selected Directory The directory where Cisco Secure ACS writes the backup file The directory must ...

Page 324: ... backup file to be written Step 4 Click Backup Now Result Cisco Secure ACS immediately begins a backup Scheduling Cisco Secure ACS Backups You can schedule Cisco Secure ACS backups to occur at regular intervals or on selected days of the week and times To schedule the times at which Cisco Secure ACS performs a backup follow these steps Step 1 In the navigation bar click System Configuration Step 2...

Page 325: ...and path in the Directory box Step 6 To manage which backup files Cisco Secure ACS keeps follow these steps a Select the Manage Directory check box b To limit the number of backup files Cisco Secure ACS retains select the Keep only the last X files option and type in the X box the number of files you want Cisco Secure ACS to retain c To limit how old backup files retained by Cisco Secure ACS can b...

Page 326: ...co Secure ACS System Restore feature including procedures for restoring your Cisco Secure ACS from a backup file This section contains the following topics About Cisco Secure ACS System Restore page 8 52 Backup File Names and Locations page 8 53 Components Restored page 8 54 Reports of Cisco Secure ACS Restorations page 8 54 Restoring Cisco Secure ACS from a Backup File page 8 54 About Cisco Secur...

Page 327: ...or backup files is the following drive path CSAuth System Backups where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory For example if you installed Cisco Secure ACS version 3 0 in the default location the default backup location would be c Program Files CiscoSecure ACS v3 0 CSAuth System Backups Cisco Secu...

Page 328: ... Working with Logging and Reports Restoring Cisco Secure ACS from a Backup File You can perform a system restoration of Cisco Secure ACS whenever needed Note Using the Cisco Secure ACS System Restore feature restarts all Cisco Secure ACS services and logs out all administrators To restore Cisco Secure ACS from a backup file generated by the Cisco Secure ACS Backup feature follow these steps Step 1...

Page 329: ... CiscoSecure ACS System Configuration check box Step 7 Click Restore Now Result Cisco Secure ACS displays a confirmation dialog box indicating that performing the restoration will restart Cisco Secure ACS services and log out all administrators Step 8 To continue with the restoration click OK Result Cisco Secure ACS restores the system components specified using the backup file you selected The re...

Page 330: ...cure ACS tests its login process The value in the X box defines in minutes how often Cisco Secure ACS tests its login process The default frequency is once per minute which is also the most frequent testing interval possible When this option is enabled at the interval defined Cisco Secure ACS tests authentication and accounting If the test fails after four unsuccessful re tries Cisco Secure ACS pe...

Page 331: ...s to log in to your network using a disabled account Log all events to the NT Event log Specifies whether Cisco Secure ACS generates a Windows event log entry for each exception event Email notification of event Specifies whether Cisco Secure ACS sends an e mail notification for each event To The e mail address that notification e mail is sent to For example joeadmin company com SMTP Mail Server T...

Page 332: ... the service management settings you made Event Logging The Event Logging feature enables you to configure whether Cisco Secure ACS logs events to the Windows event log and whether Cisco Secure ACS generates an e mail when an event occurs Cisco Secure ACS uses the System Monitoring feature to detect the events to be logged For more information about system monitoring see System Monitoring Options ...

Page 333: ...nding e mail server Note The SMTP mail server must be operational and must be available from the Cisco Secure ACS Step 5 If you want to set up system monitoring see Setting Up System Monitoring page 8 57 Step 6 If you are done setting up Cisco Secure ACS Service Management click Submit Result Cisco Secure ACS implements the service management settings you made IP Pools Server This section provides...

Page 334: ...y number or name You can configure up to 999 IP pools for approximately 255 000 users If you are using IP pooling and proxy all accounting packets are proxied so that the Cisco Secure ACS that is assigning the IP addresses can confirm whether an IP address is already in use Note IP pool definitions are not replicated by the CiscoSecure Database Replication feature however user and group assignment...

Page 335: ...by checking which button appears below the AAA Server IP Pools table Allow Overlapping Pool Address Ranges Indicates that overlapping IP pool address ranges are not allowed Clicking this button allows IP address ranges to overlap between pools Force Unique Pool Address Range Indicates that overlapping IP pool address ranges are allowed Clicking this button prevents IP address ranges from overlappi...

Page 336: ...rlapping Pool Address Ranges button appears do nothing Cisco Secure ACS already does not permit overlapping IP pool address ranges b If the Force Unique Pool Address Range button appears click that button Result Cisco Secure ACS does not permit overlapping IP pool address ranges Refreshing the AAA Server IP Pools Table You can refresh the AAA Server IP Pools table This allows you to get the latest...

Page 337: ...ntry Result The New Pool table appears Step 4 In the Name box type the name up to 31 characters you want to assign to the new IP pool Step 5 In the Start Address box type the lowest IP address up to 15 characters of the range of addresses for the new pool Note All addresses in an IP pool must be on the same Class C network so the first three octets of the start and end addresses must be the same F...

Page 338: ...e field displays how many IP addresses are unallocated to users Step 4 To change the name of the pool in the Name box type the name up to 31 characters to which you want to change the IP pool Step 5 To change the starting address of the pool range of IP addresses in the Start Address box type the lowest IP address up to 15 characters of the new range of addresses for the pool Note All addresses in...

Page 339: ...e To reset an IP pool and reclaim all its IP addresses follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click IP Pools Server Result The AAA Server IP Pools table lists any IP pools you have configured their address ranges and the percentage of pooled addresses in use Step 3 Click the name of the IP pool you need to reset Result The name pool table appears where na...

Page 340: ... navigation bar click System Configuration Step 2 Click IP Pools Server Result The AAA Server IP Pools table lists any IP pools you have configured their address ranges and the percentage of pooled addresses in use Step 3 Click the name of the IP pool you need to delete Result The name pool table appears where name is the name of the IP pool you selected The In Use column displays how many IP addr...

Page 341: ... Pool Address Recovery To enable IP pool address recovery follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click IP Pools Address Recovery Note If this feature does not appear click Interface Configuration click Advanced Options and then select the IP Pools check box Result The IP Address Recovery page appears Step 3 Select the Release address if allocated for long...

Page 342: ...a CSV file To view the data you can use VoIP Accounting under Reports and Activity Send only to RADIUS Accounting Log Targets Cisco Secure ACS only appends VoIP accounting data to the RADIUS accounting data To view the data you can use RADIUS Accounting under Reports and Activity Configuring VoIP Accounting Note The VoIP Accounting Configuration feature does not enable VoIP accounting To enable Vo...

Page 343: ...e 8 77 Generating a Certificate Signing Request page 8 78 Background on Protocols and Certification Cisco Secure ACS uses EAP TLS and PEAP authentication protocols in combination with digital certification to ensure the protection and validity of authentication information Digital certification EAP TLS and PEAP are described in the topics that follow Digital Certificates The ACS Certificate Setup ...

Page 344: ...r who is authenticated using EAP TLS can then be mapped to user or group authorization information kept in the CiscoSecure user database or in a Windows 2000 or generic LDAP Directory Server Also to accomplish secure Cisco Aironet connectivity EAP TLS generates a dynamic per user per connection unique session key EAP TLS requires support from both the end client and the AAA client An example of an...

Page 345: ...it Cisco Secure ACS is being attacked After EAP TLS authentication successfully concludes Cisco Secure ACS must verify that the claimed identity presented in the EAP Identity response corresponds to the certificate presented by the user Cisco Secure ACS can accomplish this verification in two ways Certificate Name Comparison Based on the name in the certificate Certificate Binary Comparison Betwee...

Page 346: ...token authentication PEAP has been posted as an IETF Internet Draft by RSA Cisco and Microsoft and is available at http www ietf org internet drafts draft josefsson pppext eap tls eap 02 txt PEAP operates with two phrases The first phase server authentication comprises a handshake and the establishment of and SSL tunnel User authentication occurs in the second phase using a new EAP type that is pr...

Page 347: ...of user databases For more information regarding what protocols are compatible with the different databases see Authentication Protocol Database Compatibility page 1 9 PEAP Limitations The Cisco Secure ACS implementation of PEAP has the following limitations External Databases Only PEAP only supports external user databases The CiscoSecure user database cannot support PEAP authentication therefore...

Page 348: ...ne storage we recommend that you read Extensible Authentication Protocol Transport Layer Security Deployment Guide for Wireless LAN Networks available on the Cisco Secure ACS CD and at http www cisco com warp public cc pd sqsw sq tech index shtml This white paper provides information about how to add a certificate to machine storage and how to configure a Microsoft certification authority server f...

Page 349: ...ontains the private key Note If the certificate was installed in storage with the private key you do not have the private key file and do not need to type it Tip This is the private key associated with the server certificate Step 6 In the Private key password box type the private key password Tip If you used Cisco Secure ACS to generate the certificate signing request this is the value you entered...

Page 350: ...zes certificates from the CA that issued its own certificate Configuring Cisco Secure ACS to trust a specific CA is a two step process that comprises both this procedure of adding a CA s certificate and the procedure in Editing the Certificate Trust List page 8 77 where you signify that the particular CA is to be trusted Cisco Secure ACS comes preconfigured with a list of popular CAs none of which...

Page 351: ... You do not need to add this CA to the CTL because Cisco Secure ACS automatically trusts the CA that issued its certificate How you edit your CTL determines the type of trust model you have Many use a restricted trust model wherein very few privately controlled CAs are trusted This model provides the highest level of security but restricts adaptability and scalability The alternative an open trust...

Page 352: ...as trusted select the corresponding check box Tip You can select or deselect as many CAs as you want Deselecting a CA s check box configures the CA as not trusted Step 5 Click Submit Result Cisco Secure ACS configures the specified CA or CAs as trusted or not trusted in accordance with selecting or deselecting check boxes Generating a Certificate Signing Request You can use Cisco Secure ACS to gen...

Page 353: ...ame that you would like to use as subject name in this ACS certificate for example cn ACSWireless Step 5 In the Private key file box type the full directory path and name of the file in which the private key is saved for example c privateKeyFile pem Step 6 In the Private key password box type the private key password that you have invented Step 7 In the Retype private key password box retype the p...

Page 354: ...S certificate that is out of date or out of order Warning This procedure eliminates your existing Cisco Secure ACS certificate To install a new ACS certificate follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click ACS Certificate Setup Result Cisco Secure ACS displays the Installed Certificate Information table on the ACS Certificate Setup page Note If your Cisco ...

Page 355: ...at you allow and to specify whether you allow either MS CHAP Version 1 or MS CHAP Version 2 or both For more information on the EAP TLS Protocol see About the EAP TLS Protocol page 8 70 for more information on the PEAP protocol see About the PEAP Protocol page 8 72 For details regarding how various password protocols are supported by the various databases see Authentication Protocol Database Compa...

Page 356: ...ient is restarted the user must enter a password even if the session timeout interval has not ended Step 4 If you want to allow EAP TLS follow these steps a In the EAP Configuration table select the Allow EAP TLS check box b Select the appropriate radio button to specify whether EAP TLS should require Certificate name comparison Certificate binary comparison or Either comparison type Note If you s...

Page 357: ... Setup Note You can select both check boxes to allow MS CHAP authentication with either version and likewise at any time you can deselect one or both check boxes to disable the corresponding MS CHAP authentication version Step 7 Click Submit Restart Result Cisco Secure ACS restarts its services and implements the authentication configuration options you selected ...

Page 358: ...Chapter 8 Establishing Cisco Secure ACS System Configuration Global Authentication Setup 8 84 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 359: ...ckets In Accounting Logs page 9 4 About Cisco Secure ACS Logs and Reports page 9 4 Working with CSV Logs page 9 13 Working with ODBC Logs page 9 19 Remote Logging page 9 23 Service Logs page 9 28 Logging Formats Cisco Secure ACS logs a variety of user and system activities Depending on the log and how you have configured Cisco Secure ACS logs can be recorded in one of two formats Comma separated v...

Page 360: ...ied by the relational database vendor For information about the formats available for a specific log see About Cisco Secure ACS Logs and Reports page 9 4 Special Logging Attributes Among the many attributes that Cisco Secure ACS can record in its logs a few are of special importance The following list explains the special logging attributes provided by Cisco Secure ACS User Attributes These loggin...

Page 361: ...ssfully processed by a remote logging service This attribute is useful for determining which accounting packets if any may not have been logged by a central logging service It is dependent upon the receipt of an acknowledgment message from the remote logging service The acknowledgment message indicates that the remote logging service properly processed the accounting packet in the manner that the ...

Page 362: ... about configuring your AAA client to send update packets refer to the documentation for your AAA clients Logging Update Packets Locally To log update packets on the local Cisco Secure ACS server enable the Log Update Watchdog Packets from this Access Server option for each AAA client in Network Configuration For more information on setting this option for a AAA client see Adding a AAA Client page...

Page 363: ...o store the log data Table 9 1 describes all accounting logs In the HTML interface all accounting logs can be enabled configured and viewed Table 9 2 contains information about what you can do in the Cisco Secure ACS HTML interface regarding accounting logs Table 9 1 Accounting Log Descriptions Log Description TACACS Accounting Contains the following information User sessions stop and start times ...

Page 364: ...and start times AAA client messages with username Caller line identification CLID information VoIP session duration You can configure Cisco Secure ACS to include accounting for VoIP in this separate VoIP accounting log in the RADIUS Accounting log or in both places Failed Attempts Lists authentication and authorization failures with an indication of the cause Passed Authentications Lists successfu...

Page 365: ...elated Topics Enable an accounting log You can enable the log in either CSV or ODBC format CSV For instructions on how to enable an accounting log in CSV format see Enabling or Disabling a CSV Log page 9 14 ODBC For instructions on how to enable an account log in ODBC format see Configuring an ODBC Log page 9 20 View an accounting report For instructions on viewing an accounting report in the HTML...

Page 366: ...column a second time to sort the table by the entries in that column in descending order Table 9 3 Dynamic Administration Report Descriptions and Related Topics Report Description and Related Topics Logged In Users Lists all users receiving services for a single AAA client or all AAA clients with access to Cisco Secure ACS Note To use the logged in user list feature you must configure AAA clients ...

Page 367: ...ng order Click a column title once to sort the table by the entries in that column in ascending order Click the column a second time to sort the table by the entries that column in descending order Deleting Logged in Users From a Logged in Users Report you can instruct Cisco Secure ACS to delete users logged into a specific AAA client When a user session terminates without a AAA client sending an ...

Page 368: ...Secure ACS displays a table of all users logged in through the AAA client The Purge Logged in Users button appears below the table Step 4 Click Purge Logged in Users Result Cisco Secure ACS displays a message indicating the number of users purged from the report and the IP address of the AAA client Viewing the Disabled Accounts Report To view the Disabled Accounts report follow these steps Step 1 ...

Page 369: ...is log cannot be configured Database Replication Lists database replication activity This log cannot be configured Administration Audit Lists actions taken by each system administrator such as adding users editing groups configuring a AAA client or viewing reports For instructions on configuring the Administration Audit log see Configuring the Administration Audit Log page 9 12 User Password Chang...

Page 370: ... Audit CSV file at the start of each month Step 4 To generate a new Administrative Audit CSV file when the current file reaches a specific size select the When size is greater than X KB option and type the file size threshold in kilobytes in the X box Step 5 To manage which Administrative Audit CSV files Cisco Secure ACS keeps follow these steps a Select the Manage Directory check box b To limit t...

Page 371: ...he log Older files are named in the following format logyyyy mm dd csv where log is the name of the log yyyy is the year the CSV file was started mm is the month the CSV file was started in numeric characters dd is the date the CSV file was started For example a Database Replication log file that was generated on October 13 2002 would be named Database Replication 2002 10 13 csv CSV Log File Locat...

Page 372: ... follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click Logging Table 9 5 Default CSV Log File Locations Log Default Location Configurable TACACS Accounting Logs TACACS Accounting Yes CSV TACACS Administration Logs TACACS Administration Yes CSV RADIUS Accounting Logs RADIUS Accounting Yes CSV VoIP Accounting Logs VoIP Accounting Yes CSV Failed Attempts Logs Failed ...

Page 373: ...gged in Users or Disabled Accounts a list of logged in users or disabled accounts appears in the display area which is the frame on the right side of the web browser For all other types of reports a list of applicable reports appears Files are listed in chronological order with the most recent file at the top of the list The reports are named and listed by the date on which they were created for e...

Page 374: ...sort the table by that column s entries in ascending order Click the column a second time to sort the table by the entries in that column in descending order Tip To check for newer information in the current CSV report click Refresh Step 4 If you want to download the CSV log file for the report you are viewing follow these steps a Click Download Result Your browser displays a dialog box for accept...

Page 375: ...co Secure ACS writes the CSV file CSV file retention You can specify how many old CSV files Cisco Secure ACS maintains or set a maximum number of files it is to retain To configure a CSV log follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click Logging Step 3 Click the name of the CSV log you want to enable Result The CSV log Comma Separated Values File Configurat...

Page 376: ... ACS generates a new CSV file at the start of each week Every month Cisco Secure ACS generates a new CSV file at the start of each month Step 8 To generate a new CSV file when the current file reaches a specific size select the When size is greater than X KB option and type the file size threshold in kilobytes in the X box Step 9 To manage which CSV files Cisco Secure ACS keeps follow these steps ...

Page 377: ...ps Step 1 Set up the relational database to which you want to export logging data For more information refer to your relational database documentation Step 2 Set up a system data source name DSN on the Cisco Secure ACS server For instructions see Configuring a System Data Source Name for ODBC Logging page 9 20 Step 3 Enable ODBC logging in the Cisco Secure ACS HTML interface a In the navigation ba...

Page 378: ...and then click Finish Result A dialog box displays fields requiring information specific to the ODBC driver you selected Step 5 Type a descriptive name for the DSN in the Data Source Name box Step 6 Complete the other fields required by the ODBC driver you selected These fields may include information such as the IP address of the server on which the ODBC compliant relational database runs Step 7 ...

Page 379: ...the ODBC configuration page for a log the Logged Attributes list contains the default set of attributes Cisco Secure ACS includes in the log only those attributes that are in the Logged Attributes list Step 4 Specify the attributes that you want Cisco Secure ACS to send to the relational database a To add an attribute to the log select the attribute in the Attributes list and then click right arro...

Page 380: ...x type the name up to 80 characters of the table to which you want ODBC logging data appended Step 6 Click Submit Result Cisco Secure ACS saves the log configuration Step 7 Click the name of the ODBC log you are configuring Result Cisco Secure ACS displays the ODBC log configuration page again Step 8 Click Show Create Table Result The right side of the browser displays an SQL create table statemen...

Page 381: ...ional database table specified using the system DSN you configured Remote Logging This section discusses remote logging capabilities of Cisco Secure ACS It contains the following topics About Remote Logging page 9 23 Remote Logging Options page 9 25 Implementing Centralized Remote Logging page 9 24 Enabling and Configuring Remote Logging page 9 26 Disabling Remote Logging page 9 28 About Remote Lo...

Page 382: ...data for sessions authenticated by proxy is logged locally For more information about proxied authentication requests and accounting data for sessions authenticated by proxy see Proxy Distribution Table Configuration page 4 32 Implementing Centralized Remote Logging Before You Begin Make sure that gateway devices between remote Cisco Secure ACSes and the central logging Cisco Secure ACS permit the...

Page 383: ... For each Cisco Secure ACS that is to send its accounting data to the central logging server follow these steps a Add the central logging server to the AAA Servers table in Network Configuration For more information see AAA Server Configuration page 4 20 b Enable remote logging For more information see Enabling and Configuring Remote Logging page 9 26 Step 4 If you want to create other central log...

Page 384: ...henticated sessions Selected Log Services This list represents the Cisco Secure ACSes configured in the Remote Agents table in Network Configuration to which Cisco Secure ACS does send accounting data for locally authenticated sessions Enabling and Configuring Remote Logging Note Before configuring the Remote Logging feature on a Cisco Secure ACS make sure that you have configured your central log...

Page 385: ...S fails Step 6 For each remote Cisco Secure ACS you want to have in the Selected Log Services list follow these steps a In the Remote Log Services list select the name of a Cisco Secure ACS to which you want to send accounting data for locally authenticated sessions Note The Cisco Secure ACSes available in the Remote Log Services list is determined by the AAA Servers table in Network Configuration...

Page 386: ...ely option Step 5 Click Submit Result Cisco Secure ACS no longer sends its accounting information for locally authenticated sessions to remote logging servers Service Logs Service logs are considered diagnostic logs and are used for troubleshooting or debugging purposes only These logs are not intended for general use by Cisco Secure ACS administrators instead they are mainly sources of informatio...

Page 387: ...rectory of the applicable service directory For example the following is the default directory for the CiscoSecure authentication service c Program Files CiscoSecure ACS vx x CSAuth Logs The most recent debug log is named as follows SERVICE log where SERVICE is the name of the applicable service Older debug logs are named with the year month and date they were created For example a file created on...

Page 388: ...log file at 12 01 A M local time every Sunday Every Month Cisco Secure ACS generates a new log file at 12 01 A M on the first day of every month When Size is Greater than x KB Cisco Secure ACS generates a new log file after the current service log file reaches the size specified in kilobytes by x Manage Directory You can control how long service log files are kept Keep only the last x files Cisco ...

Page 389: ...None under Level of detail Step 5 To manage which service log files Cisco Secure ACS keeps follow these steps a Select the Manage Directory check box b To limit the number of service log files Cisco Secure ACS retains select the Keep only the last X files option and in the X box type the number of files you want Cisco Secure ACS to retain c To limit how old service log files retained by Cisco Secu...

Page 390: ...Chapter 9 Working with Logging and Reports Service Logs 9 32 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 391: ...ace It contains the following sections Administrator Accounts page 10 1 Access Policy page 10 11 Session Policy page 10 16 Audit Policy page 10 18 Administrator Accounts This section provides details about Cisco Secure ACS administrators It contains the following topics About Administrator Accounts page 10 2 Administrator Privileges page 10 3 Adding an Administrator Account page 10 6 Editing an Ad...

Page 392: ...as Windows users with administrator privileges In the HTML interface an administrator can configure any of the features provided in Cisco Secure ACS however the ability to access various parts of the HTML interface can be limited by revoking privileges to those parts of the HTML interface that a given administrator is not allowed to access For example you may want to limit access to the Network Co...

Page 393: ...ich the administrator does not have edit privileges and to which the administrator cannot add users Editable Groups Lists the user groups for which the administrator does have edit privileges and to which the administrator can add users Shared Profile Components Contains the following privilege options for the Shared Profile Components section of the HTML interface Network Access Restriction Sets ...

Page 394: ...trol page 8 2 Date Time Format Control For more information about this feature see Date Format Control page 8 3 Logging Control For more information about this feature see Logging page 8 3 Local Password Management For more information about this feature see Local Password Management page 8 5 DB Replication For more information about this feature see CiscoSecure Database Replication page 8 9 RDBMS...

Page 395: ...f the HTML interface Reports Activity Contains the privilege options for the reports and features found in the Reports and Activity section of the HTML interface For each of the following features enabling the option allows the administrator full access to the feature TACACS Accounting For more information about this report see Accounting Logs page 9 5 TACACS Administration For more information ab...

Page 396: ...nistration Reports page 9 7 User Change Password For more information about this report see Dynamic Administration Reports page 9 7 Adding an Administrator Account Before You Begin For descriptions of the options available while adding an administrator account see Administrator Privileges page 10 3 To add a Cisco Secure ACS administrator account follow these steps Step 1 In the navigation bar clic...

Page 397: ... list and then click right arrow button Result The selected group moves to the Editable groups list c To remove a user group from the Editable groups list select the group in the Editable groups list and then click left arrow button Result The selected group moves to the Available groups list d To move all user groups to the Editable groups list click Result The user groups in the Available groups...

Page 398: ...istrator Privileges page 10 3 Before You Begin For descriptions of the options available while editing an administrator account see Administrator Privileges page 10 3 To edit Cisco Secure ACS administrator account privileges follow these steps Step 1 In the navigation bar click Administration Control Result Cisco Secure ACS displays the Administration Control page Step 2 Click the name of the admi...

Page 399: ...are selected All user groups move to the Editable groups list Step 6 To clear all privileges including user group editing privileges for all user groups click Revoke All Result All privileges options are cleared All user groups move to the Available groups list Step 7 To grant user and user group editing privileges follow these steps a Under User Group Setup select the applicable check boxes b To ...

Page 400: ...d attempts counter for a disabled administrator account is reset the administrator cannot access the HTML interface For more information about configuring how many successive failed login attempts can occur before Cisco Secure ACS disables an administrator account see Session Policy page 10 16 To reset the failed attempts count for an administrator follow these steps Step 1 In the navigation bar c...

Page 401: ...account that you want to delete Result The Edit Administrator name page appears where name is the name of the administrator account you just selected Step 3 Click Delete Result Cisco Secure ACS displays a confirmation dialog box Step 4 Click OK Result Cisco Secure ACS deletes the administrator account The Administrators table on the Administration Control page no longer lists administrator account...

Page 402: ...ng IP address ranges The ranges are always inclusive that is the range includes the start and end IP addresses The IP addresses entered to define a range must differ only in the last octet Class C format The IP Address Ranges table contains one column of each of the following boxes Start IP Address Defines the lowest IP address of the range specified in the current row End IP Address Defines the h...

Page 403: ... help prevent accidental discovery of an active administrative port by unauthorized users An unauthorized user would have to impersonate or spoof the IP address of a legitimate host to make use of the active administrative session HTTP port Secure Socket Layer Setup The Use HTTPS Transport for Administration Access check box defines whether Cisco Secure ACS uses secure socket layer protocol to enc...

Page 404: ...elect the Allow only listed IP addresses to connect option b For each IP address range from within which you want to allow remote access to the HTML interface complete one row of the IP Address Ranges table In the Start IP Address box type the lowest IP address up to 16 characters in the range In the End IP Address box type the highest IP address up to 16 characters in the range Use dotted decimal...

Page 405: ... the Restrict Administration Sessions to the following port range From Port X to Port Y option b In the X box type the lowest TCP port up to 5 characters in the range c In the Y box type the highest TCP port up to 5 characters in the range Step 8 If you want to enable SSL encryption of administrator access to the HTML interface under Secure Socket Layer Setup select the Use HTTPS Transport for Adm...

Page 406: ... to an administrative dial up session An administrator whose administrative session is terminated receives a dialog box asking whether or not the administrator wants to continue If the administrator chooses to continue Cisco Secure ACS starts a new administrative session Allow Automatic Local Login Enables administrators to start an administrative session without logging in if they are using a bro...

Page 407: ...selected Cisco Secure ACS allows unlimited successive failed login attempts by an administrator Setting Up Session Policy For information about session policy options see Session Policy Options page 10 16 To setup Cisco Secure ACS Session Policy follow these steps Step 1 In the navigation bar click Administration Control Result Cisco Secure ACS displays the Administration Control page Step 2 Click...

Page 408: ...s policy a To enable Cisco Secure ACS to lock out an administrator after a specified number of successive failed administrative login attempts select the Lock out Administrator after X successive failed attempts check box b In the X box type how many successive failed login attempts can occur before Cisco Secure ACS locks out an administrator Note If the Lock out Administrator after X successive f...

Page 409: ... you to apply different databases to different types of users depending on the security requirements associated with user authorizations on your network For example a common configuration is to use a Windows 2000 NT user database for standard network users and a token server for network administrators This chapter contains the following sections CiscoSecure User Database page 11 2 About External U...

Page 410: ...ated by Cisco Secure ACS even those authenticated by an external user database have an account in the CiscoSecure user database About the CiscoSecure User Database The CiscoSecure user database draws information from a number of data sources including a memory mapped hash indexed file VarsDB MDB in Microsoft Jet database format and the Windows Registry VarsDB MDB uses an index and tree structure s...

Page 411: ...ternal User Databases If you use Unknown User Policy you can also configure group mappings so that each time a user added to the CiscoSecure user database by Unknown User Policy is authenticated the user group assignment is made dynamically For some external user database types user group assignment is based on group membership in the external user database For other database types all users authe...

Page 412: ...verage the work already invested in building the database without any additional input In addition to performing authentication for network access Cisco Secure ACS can perform authentication for TACACS enable privileges using external user databases For more information about TACACS enable passwords see Setting TACACS Enable Password Options for a User page 7 35 Note You can only use external user...

Page 413: ...equired In the case of Novell NDS authentication Novell Requestor must be installed on the same Windows server as Cisco Secure ACS In the case of ODBC authentication sources in addition to the Windows ODBC interface the third party ODBC driver must be installed on the Cisco Secure ACS Windows server To communicate with an RSA token server you must have installed software components provided by RSA...

Page 414: ...tication of users not found in the CiscoSecure user database by using an external user database Users do not need to be defined in the CiscoSecure user database for this method For more information about the Unknown User Policy see Unknown User Processing page 12 1 You can also configure Cisco Secure ACS with both methods above these two methods are not mutually exclusive External User Database Au...

Page 415: ...his section contains the following topics What s Supported with Windows NT 2000 User Databases page 11 8 The Cisco Secure ACS Authentication Process with Windows NT 2000 User Databases page 11 9 Trust Relationships page 11 9 Windows Dial up Networking Clients page 11 10 Windows Authentication page 11 11 User Changeable Passwords with Windows NT 2000 User Databases page 11 13 Preparing Users for Au...

Page 416: ...n about authentication protocols and the external database types that support them see Authentication Protocol Database Compatibility page 1 9 Group Mapping for Unknown Users Cisco Secure ACS supports group mapping for unknown users by requesting group membership information from Windows user databases For more information about group mapping for users authenticated with a Windows user database se...

Page 417: ...ther control access by a user from within the Windows NT User Manager or the Windows 2000 Active Directory Users and Computers you can configure Cisco Secure ACS to also check the setting for granting dialin permission to the user This setting is labeled Grant dialin permission to user in Windows NT and Allow access in the Remote Access Permission area in Windows 2000 If this feature is disabled f...

Page 418: ...main C making use of the indirect trust of domain C For more information on trust relationships refer to your Microsoft Windows NT 2000 documentation Windows Dial up Networking Clients The dial up networking clients for Windows NT 2000 XP Professional and Windows 95 98 Millennium Edition ME XP Home enable users to connect to your network remotely but the fields provided differ Windows Dial up Netw...

Page 419: ... most reliable method of authenticating users against a specific domain is to require users to submit the domains they should be authenticated against along with their usernames With the dial up networking client provided with Windows NT Windows 2000 and Windows XP Professional submitting a domain name is accomplished by typing the domain name in the domain field or selecting it from the drop down...

Page 420: ...d domains If Cisco Secure ACS runs on a member server and the username is not found in trusted domains Windows also checks its local accounts database Windows attempts to authenticate a user with the first occurrence of the username that it finds Note If the credentials submitted by the user do not match the credentials associated with the first matching username that Windows finds authentication ...

Page 421: ...e MS CHAP Settings on the Windows NT 2000 User Database Configuration page in the External User Databases section Using this feature in your network requires the following Users must be present in the Windows NT 2000 user database User accounts in Cisco Secure ACS must specify the Windows NT 2000 user database for authentication End user clients must be MS CHAP compatible such as the Windows dial ...

Page 422: ...ssion to user In Windows 2000 access the User Properties dialog box select the Dial In tab and in the Remote Access area click Allow access You must also configure the option to reference this feature under Database Group Mappings in the External User Databases section of Cisco Secure ACS Configuring a Windows NT 2000 External User Database To configure Cisco Secure ACS to authenticate users again...

Page 423: ...mission is enabled in the Dialin section of user properties in Windows NT and on the Dial In tab of the user properties in Windows 2000 Step 7 If you want Cisco Secure ACS to authenticate explicitly using each trusted Windows domain for usernames that are not domain qualified select the domains you want Cisco Secure ACS to use to authenticate unqualified usernames in the Available Domains list and...

Page 424: ...Generic LDAP Cisco Secure ACS supports ASCII PAP EAP TLS and PEAP EAP GTC authentication via generic Lightweight Directory Access Protocol LDAP databases such as Netscape Directory Services Other authentication protocols are not supported with LDAP external user databases Note Authentication protocols not supported with LDAP databases may be supported by another type of external user database For ...

Page 425: ...e ACS Upon receiving the response from the LDAP database Cisco Secure ACS instructs the requesting AAA client to grant or deny the user access depending upon the response from the LDAP server Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned While the group to which a user is assigned can be determined by information from the LDAP server it is ...

Page 426: ...ing For more information see Domain Filtering page 11 18 LDAP Organizational Units and Groups LDAP groups do not need to have the same name as their corresponding Cisco Secure ACS groups The LDAP group can be mapped to a Cisco Secure ACS group with any name you want to assign For more information about how your LDAP database handles group membership see your LDAP database documentation For more in...

Page 427: ...ou can specify whether Cisco Secure ACS strips the domain qualification before submitting the username to an LDAP server If the LDAP server stores usernames in a domain qualified format you should not configure Cisco Secure ACS to strip domain qualifiers Limiting users to one domain is useful when the LDAP server stores usernames differently per domain either by user context or by how the username...

Page 428: ...In the context of LDAP authentication with Cisco Secure ACS failover applies when an authentication request fails because Cisco Secure ACS could not connect to an LDAP server such as when the server is down or is otherwise unreachable by Cisco Secure ACS To use this feature you must define the primary and secondary LDAP servers on the LDAP Database Configuration page Also you must select the On Ti...

Page 429: ...Cisco Secure ACS first attempts to connect to the primary server or secondary LDAP server for the current authentication attempt depends on the value in the Failback Retry Delay box If the Failback Retry Delay box is set to 0 zero Cisco Secure ACS always attempts to connect to the primary LDAP server first And if Cisco Secure ACS cannot connect to the primary LDAP server Cisco Secure ACS then atte...

Page 430: ... all usernames When this option is selected Cisco Secure ACS does not perform domain filtering on usernames before submitting them to the LDAP server for authentication Only process usernames that are domain qualified When this option is selected Cisco Secure ACS only attempts authentication for usernames that are domain qualified for a single domain You must specify the type of domain qualifier a...

Page 431: ...y process usernames that are domain qualified is selected this option specifies whether Cisco Secure ACS removes the domain qualifier and its delimiting character before submitting a username to an LDAP server For example if the username is jwiedman domain com the stripped username is jwiedman Process all usernames after stripping domain name and delimiter When this option is selected Cisco Secure...

Page 432: ...r character through the end of the username If the username contains more than one of the character specified in the Y box Cisco Secure ACS strips characters starting with the first occurrence of the delimiter character For example if the delimiter character is and the username is jwiedman domain then Cisco Secure ACS submits jwiedman to an LDAP server Note The X box cannot contain the following s...

Page 433: ...ame of the attribute in the user record that contains the username You can obtain this attribute name from your Directory Server For more information refer to your LDAP database documentation Cisco Secure ACS provides default values that reflect the default configuration of a Netscape Directory Server Confirm all values for these fields with your LDAP server configuration and documentation UserObj...

Page 434: ...able and the Secondary LDAP Server table enable you to identify the LDAP servers and make settings that are unique to each The Secondary LDAP Server table does not need to be completed if you do not intend to use LDAP failover These tables contain the following options Hostname The name or IP address of the server that is running the LDAP software If you are using DNS on your network you can type ...

Page 435: ...nfigure two LDAP instances in Cisco Secure ACS that would communicate with the same LDAP servers Each LDAP instance would have a primary and secondary LDAP server Even though the two LDAP configurations share the same primary server each LDAP configuration requires that you download a certificate database file to Cisco Secure ACS Note The database must be a cert7 db certificate database file No ot...

Page 436: ... page 11 22 To configure Cisco Secure ACS to use the LDAP User Database follow these steps Step 1 In the navigation bar click External User Databases Step 2 Click Database Configuration Result Cisco Secure ACS displays a list of all possible external user database types Step 3 Click Generic LDAP Note The user authenticates against only one LDAP database Result If no LDAP database configuration exi...

Page 437: ...e 11 18 a Under Domain Filtering select Only process usernames that are domain qualified b From the Qualified by list select the applicable type of domain qualification either Suffix or Prefix Only one type of domain qualification is supported per LDAP configuration For example if you want this LDAP configuration to authenticate usernames that begin with a specific domain name select Prefix If you...

Page 438: ...ct Process all usernames after stripping domain name and delimiter b If you want Cisco Secure ACS to strip prefixed domain qualifiers select the Strip starting characters through the last X character check box and then type the domain qualifier delimiting character in the X box Note The X box cannot contain the following special characters If any of these characters are in the X box stripping fail...

Page 439: ...GroupObjectType box type the name of the attribute in the group record that contains the group name Step 15 In the GroupObjectClass box type a value of the LDAP objectType attribute in the group record that identifies the record as a group Step 16 In the GroupAttributeName box type the name of the attribute of the group record that contains the list of user records who are a member of that group S...

Page 440: ...t 636 is usually used c To specify that Cisco Secure ACS should use LDAP version 3 to communicate with your LDAP database select the LDAP Version check box If the LDAP Version check box is not selected Cisco Secure ACS uses LDAP version 2 d The username and password credentials are normally passed over the network to the LDAP directory in clear text To enhance security select the Use secure authen...

Page 441: ...t Cisco Secure ACS saves the generic LDAP configuration you created You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication For more information about the Unknown User Policy see Unknown User Processing page 12 1 For more information about configuring user accounts to authenticate using this database see Chapter 7 Setting Up and Manag...

Page 442: ...embership information Cisco Secure ACS retrieves no user settings from Novell NDS databases however Cisco Secure ACS enforces password restrictions login restrictions time restrictions and account restrictions for each user Cisco Secure ACS accomplishes this by interpreting authentication responses received from a Novell NDS database Cisco Secure ACS does not enforce address restrictions Configuri...

Page 443: ... that defines their fully qualified usernames In other words if none of the contexts in the list of contexts contains a username submitted for authentication the username must specify exactly how they are subordinate to the contexts in the list of contexts The user specifies the manner in which a username is subordinate to a context by providing the additional context information needed to uniquel...

Page 444: ...ng this check box confirms that you want to add a new tree Delete Tree Appears only on existing tree configurations Selecting this check box indicates that you want to delete the tree configuration when you click Submit Test Login Selecting this check box causes Cisco Secure ACS to test the administrative login of the tree to the Novell server when you click Submit Tree Name Appears only on the bl...

Page 445: ...enter their own context as part of the login process Creating an Novell NDS database configuration is a process that provides Cisco Secure ACS information that enables it to pass authentication requests to an NDS database This information reflects the way you have implemented your NDS database and does not dictate how your NDS database is configured or functions For information about your NDS data...

Page 446: ...eleted Result The NDS Authentication Support page appears The NDS Authentication Support page enables you to add a configuration for an Novell NDS tree change existing tree configurations and delete existing tree configurations For more information about the content of the NDS Authentication Support page see Novell NDS External User Database Options page 11 36 Step 7 To add a new tree configuratio...

Page 447: ...onal database Configuring Cisco Secure ACS to authenticate against an ODBC compliant relational database does not affect the configuration of the relational database To manage your relational database refer to your relational database documentation The Windows ODBC feature enables you to create a data source name DSN which specifies the database and other important parameters necessary for communi...

Page 448: ...s Authentication Cisco Secure ACS supports ASCII PAP ARAP CHAP MS CHAP versions 1 and 2 LEAP EAP MD5 and PEAP EAP GTC authentication using a relational database via the ODBC authenticator feature Other authentication protocols are not supported with ODBC external user databases Note Authentication protocols not supported with ODBC external user databases may be supported by another type of externa...

Page 449: ...t in the CiscoSecure user database lists an ODBC database configuration as the authentication method The second is when the user is unknown to the CiscoSecure user database and the Unknown User Policy dictates that an ODBC database is the next external user database to try In either case Cisco Secure ACS forwards the username and password to the ODBC database via an ODBC connection The ODBC databa...

Page 450: ...ODBC connection The relational database must have a stored procedure that queries the appropriate tables and returns values to Cisco Secure ACS If the returned values indicate that the username and password provided are valid Cisco Secure ACS grants the user access Otherwise Cisco Secure ACS denies the user access Figure 11 2 Preparing to Authenticate Users with an ODBC Compliant Relational Databa...

Page 451: ...ecure ACS server For steps see Configuring a System Data Source Name for an ODBC External User Database page 11 50 Step 6 Configure Cisco Secure ACS to authenticate users with an ODBC database For steps see Configuring an ODBC External User Database page 11 51 Implementation of Stored Procedures for ODBC Authentication When you configure Cisco Secure ACS to authenticate users against an ODBC compl...

Page 452: ...types PAP authentication procedure inputs and outputs CHAP MS CHAP ARAP authentication procedure inputs and outputs and expected result codes You can use this information while writing your authentication stored procedures in your relational database Type Definitions The Cisco Secure ACS types and their matching SQL types are as follows Integer SQL_INTEGER String SQL_CHAR or SQL_VARCHAR Microsoft ...

Page 453: ...atabase schema are presented in variable text For your convenience the Cisco Secure ACS product CD includes a stub routine for creating a procedure in either SQL Server or Oracle For more information about data type definitions procedure parameters and procedure results see ODBC Database page 11 39 if exists select from sysobjects where id object_id dbo CSNTAuthUserPap and sysstat 0xf 4 drop proce...

Page 454: ...and procedure results see ODBC Database page 11 39 if exists select from sysobjects where id object_id dbo CSNTExtractUserClearTextPw and sysstat 0xf 4 drop procedure dbo CSNTExtractUserClearTextPw GO CREATE PROCEDURE CSNTExtractUserClearTextPw username varchar 64 AS SET NOCOUNT ON IF EXISTS SELECT username FROM users WHERE username username SELECT 0 csntgroup csntacctinfo No Error csntpassword FR...

Page 455: ...if the result is greater than or equal to 4 The procedure must return the result fields in the order listed above Table 11 2 PAP Stored Procedure Input Field Type Explanation CSNTusername String 0 64 characters CSNTpassword String 0 255 characters Table 11 3 PAP Stored Procedure Results Field Type Explanation CSNTresult Integer See Table 11 6 on page 11 49 CSNTgroup Integer The Cisco Secure ACS gr...

Page 456: ...ted from it can have a different name CHAP MS CHAP ARAP Procedure Output The stored procedure must return a single row containing the non null fields Table 11 5 lists the procedure results Cisco Secure ACS expects as output from stored procedure Table 11 4 CHAP Stored Procedure Input Field Type Explanation CSNTusername String 0 64 characters Table 11 5 CHAP MS CHAP ARAP Stored Procedure Results Fi...

Page 457: ...pending on how much information you want the failed authentication log files to include CSNTacctInfo String 0 16 characters A third party defined string is added to subsequent account log file entries CSNTerrorString String 0 255 characters A third party defined string is written to the CSAuth service log file if an error occurs CSNTpassword String 0 255 characters The password is authenticated by...

Page 458: ...ODBC External User Database On the Cisco Secure ACS server you must create a system DSN for Cisco Secure ACS to communicate with the relational database To create a system DSN for use with an ODBC external user database follow these steps Step 1 In Windows Control Panel double click the ODBC Data Sources icon Step 2 In the ODBC Data Source Administrator window click the System DSN tab Step 3 Click...

Page 459: ...functions For information about your relational database refer to your relational documentation Note Before performing this procedure you should have completed the steps in Preparing to Authenticate Users with an ODBC Compliant Relational Database page 11 42 To configure Cisco Secure ACS for ODBC authentication follow these steps Step 1 In the navigation bar click External User Databases Step 2 Cl...

Page 460: ...type the password required to perform transactions with your ODBC database Step 9 In the DSN Connection Retries box type the number of times Cisco Secure ACS should try to connect to the ODBC database before timing out The default is 3 Note If you have connection problems when Windows starts increase this value Step 10 To change the ODBC worker thread count in the ODBC Worker Threads box type the ...

Page 461: ...enerating a PAP Authentication SQL Procedure page 11 45 Note If you enabled PAP authentication the PAP authentication SQL procedure must exist on the ODBC database and must have the exact name specified in the PAP SQL Procedure box If it does not be sure to create it in the ODBC database before attempting to authenticate users against the ODBC database Step 13 To support CHAP authentication with t...

Page 462: ...s 1 and 2 LEAP and EAP TLS authentication with a proxy RADIUS server Other authentication protocols are not supported with LEAP Proxy RADIUS Server databases Note Authentication protocols not supported with LEAP Proxy RADIUS Server databases may be supported by another type of external user database For more information about authentication protocols and the external database types that support th...

Page 463: ...lied to an unknown user if RADIUS based group specification did not occur For more information about group mapping users authenticated by a LEAP Proxy RADIUS Server database see Group Mapping by External User Database page 12 12 Configuring a LEAP Proxy RADIUS Server External User Database You should install and configure your proxy RADIUS server before configuring Cisco Secure ACS to authenticate...

Page 464: ...tead of the list Proceed to Step 6 Step 6 Click Configure Step 7 In the following boxes type the required information Primary Server Name IP IP address of the primary proxy RADIUS server Secondary Server Name IP IP address of the secondary proxy RADIUS server Shared Secret The shared secret of the proxy RADIUS server This must be identical to the shared secret with which the proxy RADIUS server is...

Page 465: ...ou can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication For more information about the Unknown User Policy see Unknown User Processing page 12 1 For more information about configuring user accounts to authenticate using this database see Chapter 7 Setting Up and Managing User Accounts Token Server User Databases Cisco Secure ACS supports t...

Page 466: ...S interface of the token server For more information about Cisco Secure ACS support of token servers with a RADIUS interface see RADIUS Enabled Token Servers page 11 59 For RSA SecurID Cisco Secure ACS uses an RSA proprietary API For more information about Cisco Secure ACS support of RSA SecurID token servers see RSA SecurID Token Servers page 11 64 Token Servers and ISDN Cisco Secure ACS supports...

Page 467: ...o Secure ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server The token servers supported through their RADIUS servers are as follows ActivCard CRYPTOCard Vasco SafeWord PassGo Note PassGo was formerly known as AXENT Any IETF RFC 2865 compliant token server You can create multiple instances of each of these token server types in Cisco Secure ACS F...

Page 468: ...ute 5 NAS Identifier RADIUS attribute 32 Cisco Secure ACS expects to receive one of the following three responses access accept No attributes are required however the response can indicate the Cisco Secure ACS group to which the user should be assigned For more information see RADIUS Based Group Specification page 12 22 access reject No attributes required access challenge Attributes required per ...

Page 469: ...present RADIUS enabled token servers are as follows ActivCard CRYPTOCard RADIUS Token Server Vasco SafeWord PassGo Note PassGo was formerly known as AXENT Step 3 Click the link for the applicable RADIUS enabled token server Result The Database Configuration Creation table appears If at least one configuration exists for the selected external user database type the External User Database Configurat...

Page 470: ...provide the hostname the hostname must be resolvable by DNS Shared Secret The shared secret of the RADIUS server This must be identical to the shared secret with which the RADIUS token server is configured Authentication Port The UDP port over which the RADIUS server conducts authentication sessions If the RADIUS token server is installed on the same Windows server as Cisco Secure ACS this port sh...

Page 471: ...Configuration table Do one of the following a If you want Cisco Secure ACS to present a custom prompt for tokens select Static sync and async tokens and then type in the Prompt box the prompt that Cisco Secure ACS will present For example if you type Enter your PassGo token in the Prompt box users receive an Enter your PassGo token prompt rather than a password prompt Note If some tokens submitted...

Page 472: ...PEAP EAP GTC authentication for RSA SecurID token servers Other authentication protocols are not supported with RSA SecurID external user databases Note Authentication protocols not supported with RSA SecurID databases may be supported by another type of external user database For more information about authentication protocols and the external database types that support them see Authentication P...

Page 473: ...onfigure Cisco Secure ACS to authenticate users with an RSA token server follow these steps Step 1 Install the RSA client on the Cisco Secure ACS server a Log in to the Cisco Secure ACS Windows server with administrative privileges b Run the Setup program of the ACE Client software following setup instructions provided by RSA Note Do not restart your Windows server when installation is complete c ...

Page 474: ...configuration in the External User Database Configuration table Step 6 Click Configure Result Cisco Secure ACS displays the name of the token server and the path to the authenticator DLL This information confirms that Cisco Secure ACS can contact the RSA client You can add the RSA SecurID external user database to your Unknown User Policy or assign specific user accounts to use this database for a...

Page 475: ...ou want to delete a configuration Result The External User Database Configuration table appears Step 4 If a list appears in the External User Database Configuration table select the configuration you want to delete Otherwise proceed to Step 5 Step 5 Click Delete Result A confirmation dialog box appears Step 6 Click OK to confirm that you want to delete the selected external user database configura...

Page 476: ...Chapter 11 Working with User Databases Deleting an External User Database Configuration 11 68 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 477: ...ngs page 12 11 For information about the databases supported by Cisco Secure ACS and how to configure Cisco Secure ACS to communicate with an external user database see Chapter 11 Working with User Databases Unknown User Processing Unknown users are users who are not listed in the Cisco Secure ACS database The Unknown User feature is a form of authentication forwarding In essence this feature is a...

Page 478: ...automatically into the Cisco Secure ACS database These are users added through User Setup in the HTML interface by the RDBMS Synchronization feature by the Database Replication feature or by the CSUtil exe utility For more information about CSUtil exe see Appendix D Cisco Secure ACS Command Line Database Utility Cisco Secure ACS attempts to authenticate a known user with the single database that t...

Page 479: ...thentication process for known users who are authenticated with external user databases and whose Cisco Secure ACS group membership is determined by group mapping Note We recommend removing a username from a database when the privileges associated with that username are no longer required General Authentication Request Handling and Rejection Mode If you have configured the Unknown User Policy in C...

Page 480: ... have the same username After the first John attempts to access the network and has authenticated through the unknown user process Cisco Secure ACS retains a discovered user account for that John and only that John Now Cisco Secure ACS tries to authenticate subsequent attempts by any user named John using the same external user database that originally authenticated John Assuming their passwords a...

Page 481: ...ogs the request as a failed attempt For Windows 95 Windows 98 Windows ME and Windows XP Home the dial up networking client provided with Windows only allows users to specify their domains by submitting the usernames in a domain qualified format that is DOMAIN username Using a domain qualified username allows Cisco Secure ACS to differentiate a user from multiple instances of the same username in d...

Page 482: ...ws by Cisco Secure ACS Whether authentication fails or succeeds Windows does not search for other accounts with the same username therefore Windows can fail to authenticate a user who supplies valid credentials because Windows may check the supplied credentials against the wrong account that coincidentally has an identical username You can circumvent this difficulty by using the Domain List in the...

Page 483: ...ency for Cisco Secure ACS processing In some circumstances for example when using a Windows NT 2000 user database the extra latency introduced by an external database can be as much as tens of seconds If you have configured multiple databases this number is multiplied by the time taken for each one to complete You can account for added latency by setting the order of databases If you are using an ...

Page 484: ...he RADIUS or TACACS response packet For more information about assignment of user authorization see Database Group Mappings page 12 11 Unknown User Policy You can configure how Cisco Secure ACS processes unknown users on the Configure Unknown User Policy page in the External User Databases section of the HTML interface The Configure Unknown User Policy page contains the following fields Unknown Us...

Page 485: ...t in the order listed until the user authenticates or until Cisco Secure ACS has tried all the databases listed Authentication with a Windows NT 2000 database is more complex For more information about Windows NT 2000 authentication see The Cisco Secure ACS Authentication Process with Windows NT 2000 User Databases page 11 9 If Cisco Secure ACS does not find the user in any of the listed databases...

Page 486: ...to the Selected Databases list To remove a database from the Selected Databases list select the database and then click left arrow button to move it back to the External Databases list c To assign the order in which Cisco Secure ACS should use the selected external databases when attempting to authenticate an unknown user click a database name in the Selected Databases list and click Up or Down to...

Page 487: ...rnal User Databases section enables you to associate unknown users with a Cisco Secure ACS group for assigning authorization profiles For external user databases from which Cisco Secure ACS can derive group information you can associate the group memberships defined for the users in the external user database to specific Cisco Secure ACS groups For Windows NT 2000 user databases group mapping is f...

Page 488: ...to Telecommuters group members While you can configure Cisco Secure ACS to map all unknown users found in any external user database type to a single Cisco Secure ACS group the following external user database types are the external user database types whose users you can only map to a single Cisco Secure ACS group ODBC LEAP Proxy RADIUS server ActivCard token server PassGo token server CRYPTOCard...

Page 489: ...RADIUS Server database group mapping follow these steps Step 1 In the navigation bar click External User Databases Step 2 Click Database Group Mappings Step 3 Click the name of the token server LEAP Proxy RADIUS Server or ODBC database configuration for which you want to configure a group mapping Result The Define Group Mapping table appears Step 4 From the Select a default group for database list...

Page 490: ...ndows NT 2000 Novell NDS Generic LDAP Note Windows NT 2000 databases are defined by domain name When you configure a Cisco Secure ACS group mapping based on group set membership you can add one or many external user database groups to the set For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group the user must match all external user database groups in the set As an example you...

Page 491: ...l user database group memberships of the user Cisco Secure ACS assigns the user to the Cisco Secure ACS group of that group mapping and terminates the mapping process Clearly the order of group mappings is important because it affects the network access and services allowed to users When defining mappings for users who belong to multiple groups make sure they are in the correct order so that users...

Page 492: ...apping see Editing a Windows NT 2000 Novell NDS or Generic LDAP Group Set Mapping page 12 18 Creating a Cisco Secure ACS Group Mapping for Windows NT 2000 Novell NDS or Generic LDAP Groups To map a Windows NT 2000 Novell NDS or generic LDAP group to a Cisco Secure ACS group follow these steps Step 1 In the navigation bar click External User Databases Step 2 Click Database Group Mappings Step 3 Cli...

Page 493: ...l NDS tree for which you want to configure group set mappings Result The Group Mappings for NDS Users table appears Step 7 Click Add Mapping Result The Create new group mapping for database page opens The group list displays group names derived from the external user database Step 8 For each group to be added to the group set mapping select the name of the applicable external user database group i...

Page 494: ...of the database groups column Note The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set Editing a Windows NT 2000 Novell NDS or Generic LDAP Group Set Mapping You can change the Cisco Secure ACS group to which a group set mapping is mapped Note The external user database groups of an exi...

Page 495: ...omain domainname table appears Step 5 If you are editing a Novell NDS group set mapping click the name of the Novell NDS tree for which you want to edit a group set mapping Result The Group Mappings for NDS Users table appears Step 6 Click the group set mapping to be edited Result The Edit mapping for database page opens The external user database group or groups included in the group set mapping ...

Page 496: ...appings for database Users table appears Step 4 If you are deleting a Windows NT 2000 group set mapping click the domain name whose group set mapping you want to delete Result The Group Mappings for Domain domainname table appears Step 5 If you are deleting a Novell NDS group set mapping click the name of the Novell NDS tree whose group set mapping you want to delete Result The Group Mappings for ...

Page 497: ...can change the order in which Cisco Secure ACS checks group set mappings for users authenticated by Windows NT 2000 Novell NDS and generic LDAP databases To order group mappings you must have already mapped them For more information about creating group mappings see Creating a Cisco Secure ACS Group Mapping for Windows NT 2000 Novell NDS or Generic LDAP Groups page 12 16 To change the order of gro...

Page 498: ...rs The group mappings for the current database appear in the Order list Step 7 Select the name of a group set mapping you want to move and then click Up or Down until it is in the position you want Step 8 Repeat Step 7 until the group mappings are in the order you need Step 9 Click Submit Result The Group Mappings for database page displays the group set mappings in the order you defined RADIUS Ba...

Page 499: ...l User Database page 12 12 To enable per user group mapping configure the external user database to return authentication responses that contain the Cisco IOS PIX RADIUS attribute 1 009 001 cisco av pair with the following value ACS CiscoSecure Group Id N where N is the Cisco Secure ACS group number 0 through 499 to which Cisco Secure ACS should assign the user For example if the LEAP Proxy RADIUS...

Page 500: ...Chapter 12 Administering External User Databases Database Group Mappings 12 24 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 501: ...Information for Cisco Secure ACS This appendix provides information about certain basic problems and describes how to resolve them Scan the column on the left to identify the condition that you are trying to resolve and then carefully go through each corresponding recovery action offered in the column on the right ...

Page 502: ...inistrative Sessions page 1 27 Unauthorized users can log in Reject listed IP addresses is selected but no start or stop IP addresses are listed Go to Administrator Control Access Policy and specify the Start IP Address and Stop IP Address Restart Services does not work The system is not responding To manually restart services from the Windows Start menu choose Control Panel Services Click CSAdmin...

Page 503: ... as needed Administrator database appears corrupted The remote Netscape client is caching the password If you specify an incorrect password it is cached When you attempt to re authenticate with the correct password the incorrect password is sent Clear the cache before attempting to re authenticate or close the browser and open a new session Condition Recovery Action Under EXEC Commands Cisco IOS c...

Page 504: ...d RADIUS IETF attributes in Cisco IOS Release 11 1 However there are a few attributes that are not yet supported or that require a later version of the Cisco IOS software The following attributes fall into this category AAA client times out when authenticating against Windows NT 2000 Increase the TACACS timeout interval from the default 5 to 20 Set the Cisco IOS command as follows tacacs server ti...

Page 505: ...ng server has dual network cards on the sending server add a AAA server to the AAA Servers table in Network Configuration for every IP address of the receiving server If the sending server has dual network cards on the receiving server add a AAA server to the AAA Servers table in Network Configuration for every IP address of the receiving server The external user database is not available in the G...

Page 506: ...lient modem configuration not Cisco Secure ACS LAN connections for both the AAA client and the Windows 2000 server supporting Cisco Secure ACS are physically connected IP address of the AAA client in the Cisco Secure ACS configuration is correct IP address of Cisco Secure ACS in AAA client configuration is correct TACACS or RADIUS key in both AAA client and Cisco Secure ACS are identical case sens...

Page 507: ...co Secure ACS is using this option for authenticating From within the Cisco Secure ACS confirm the following If the username has already been entered into Cisco Secure ACS a Windows NT 2000 database configuration is selected in the Password Authentication list in User Setup for the user If the username has already been entered into Cisco Secure ACS the Cisco Secure ACS group to which the user is a...

Page 508: ...entication Set to Expiration Never for troubleshooting A dial in user is unable to connect to the AAA client however a Telnet connection can be authenticated across the LAN This isolates the problem to one of three areas Line modem configuration problem Review the documentation that came with your modem and verify that the modem is properly configured The user is not assigned to a group that has t...

Page 509: ...eshoot the problem based on one of the following Line modem configuration problem Review the documentation that came with your modem and verify that the modem is properly configured The user does not exist in the Windows NT 2000 user database or the CiscoSecure user database and might not have the correct password Authentication parameters can be modified under User Setup The Cisco Secure ACS or T...

Page 510: ...tion chap pap is entered for each interface if authentication against the CiscoSecure user database is being used The AAA and TACACS or RADIUS configuration is correct in the AAA client The necessary commands are listed in the following Program Files CiscoSecure ACS vx x TacConfig txt Program Files CiscoSecure ACS vx x RadConfig txt Program Files CiscoSecure ACS vx x README TXT When you run debug ...

Page 511: ...Prefix or Suffix One or more servers is down or no fallback server is configured Go to Network Configuration and configure a fallback server Fallback servers are used only under the following circumstances The remote Cisco Secure ACS is down One or more services CSTacacs CSRadius or CSAuth are down The secret key is misconfigured Inbound Outbound messaging is misconfigured Condition Recovery Actio...

Page 512: ... file is renamed to yyyy mm dd csv and a new blank active csv report is generated A report is blank Make sure you have selected Log to reportname Report under System Configuration Logging Log Target reportname You must also set Network Configuration servername Access Server Type to CiscoSecure ACS for Windows NT No Unknown User information is included in reports The Unknown User database was chang...

Page 513: ...rectory 6 Make sure you can ping the machine that is running the ACE server by hostname You might need to add the machine in the lmhosts file 7 Verify that support for RSA is enabled in External User Database Database Configuration in the Cisco Secure ACS 8 Run Test Authentication from the Windows 2000 server control panel for the ACE Client application 9 From Cisco Secure ACS install the token se...

Page 514: ...Failed Attempts report shows that you are using outbound PAP go to Interface Configuration and select the Per User Advanced TACACS Features check box Then go to User Setup Advanced TACACS Settings Click TACACS Enable Control and type and confirm the password in the TACACS Outbound Password box Unknown users are not authenticated Go to External User Databases Unknown User Policy Click Check the fol...

Page 515: ... AV pairs not used in one vendor protocol are ignored by another vendor protocol Make sure the user settings reflect the correct vendor protocol for example Cisco RADIUS User cannot log in Re enable the user account or reset the failed attempts counter Authentication fails The retry interval is too short The default is 5 seconds Increase the retry interval tacacs server timeout 20 on the AAA clien...

Page 516: ...t customer configurable in Cisco Secure ACS instead their values are set by Cisco Secure ACS Beginning with Cisco Secure ACS version 2 3 some TACACS attributes no longer appear on the Group Setup page This is because IP pools and callback supersede the following attributes TACACS addr addr pool callback dialstring Ascend RADIUS 8 Framed IP Address 19 Callback Number 218 Ascend Assign IP Pool Addit...

Page 517: ... of Cisco IOS work with Cisco Secure ACS but do not fully support the TACACS features in Cisco Secure ACS Note If you specify a given AV pair in Cisco Secure ACS you must also enable the corresponding AV pair in the Cisco IOS software running on the AAA client Therefore you must consider which AV pairs your Cisco IOS release supports If Cisco Secure ACS sends an AV pair to the AAA client that the ...

Page 518: ... callback dialstring Additionally these attributes cannot be set via database synchronization and ip addr n n n n is not allowed as a Cisco vendor specific attribute VSA Cisco Secure ACS supports many TACACS AV pairs For descriptions of these attributes refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients TACACS AV Pairs supported in Cisco Secure ACS are as fol...

Page 519: ...ir Dictionary ip addresses link compression load threshold n max links n nas password nocallback verify noescape nohangup old prompts outacl n outacl pool def n pool timeout ppp vj slot compression priv lvl protocol route route n routing rte ftr in n rte ftr out n sap n sap fltr in n sap fltr out n service source ip timeout tunnel id ...

Page 520: ...unting AV pairs For descriptions of these attributes see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients TACACS accounting AV pairs supported in Cisco Secure ACS are as follows bytes_in bytes_out cmd data rate disc cause disc cause ext elapsed_time event mlp links max mlp sess id nas rx speed nas tx speed paks_in paks_out port pre bytes in pre bytes out pre paks in...

Page 521: ...Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 Appendix B TACACS Attribute Value Pairs Cisco IOS AV Pair Dictionary protocol reason service start_time stop_time task_id timezone xmit rate ...

Page 522: ...Appendix B TACACS Attribute Value Pairs Cisco IOS AV Pair Dictionary B 6 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 523: ...OS RADIUS Cisco VPN 3000 Concentrator RADIUS Cisco VPN 5000 Concentrator RADIUS Cisco Building Broadband Service Manager RADIUS Microsoft RADIUS Ascend RADIUS Nortel RADIUS Juniper RADIUS Internet Engineering Task Force IETF RADIUS You can enable different attribute value AV pairs for IETF RADIUS and for any supported vendor This appendix provides information about the following RADIUS AV pairs Ci...

Page 524: ...m that your AAA client is a compatible release of Cisco IOS or compatible AAA client software For more information see System Requirements page 2 2 Note If you specify a given AV pair on Cisco Secure ACS the corresponding AV pair must be implemented in the Cisco IOS software running on the network device Always take into consideration which AV pairs your Cisco IOS release supports If Cisco Secure ...

Page 525: ...rvice Type 6 integer Both No Framed Protocol 7 integer Both No Framed IP Netmask 9 ipaddr maximum length 15 characters Outbound No Framed Routing 10 integer Outbound No Filter Id 11 string Outbound Yes Framed MTU 12 integer maximum length 10 characters Outbound No Framed Compression 13 integer Outbound Yes Login IP Host 14 ipaddr maximum length 15 characters Both Yes Login Service 15 integer Both ...

Page 526: ...ing maximum length 253 characters Inbound No Acct Status Type 40 integer Inbound No Acct Delay Time 41 integer Inbound No Acct Input Octets 42 integer Inbound No Acct Output Octets 43 integer Inbound No Acct Session ID 44 string Inbound No Acct Authentic 45 integer Inbound No Acct Session Time 46 integer Inbound No Acct Input Packets 47 integer Inbound No Acct Output Packets 48 integer Inbound No ...

Page 527: ...mentation Note For details about the Cisco IOS Node Route Processor Service Selection Gateway VSAs VSAs 250 251 and 252 refer to Cisco IOS documentation Table C 2 Cisco IOS PIX RADIUS VSAs Attribute Number Type of Value Inbound Outbound Multiple cisco av pair 1 string Both Yes cisco nas port 2 string Inbound No cisco h323 remote address 23 string Inbound No cisco h323 conf id 24 string Inbound No ...

Page 528: ...23 prompt id 104 string maximum length 247 characters Outbound No cisco h323 day and time 105 string maximum length 247 characters Outbound No cisco h323 redirect number 106 string maximum length 247 characters Outbound No cisco h323 preferred lang 107 string maximum length 247 characters Outbound No cisco h323 redirect ip addr 108 string maximum length 247 characters Outbound No cisco h323 billin...

Page 529: ... Before you implement them we recommend that you refer to Cisco VPN 3000 series Concentrator documentation cisco ssg account info 250 string maximum length 247 characters Outbound No cisco ssg service info 251 string maximum length 247 characters Both No cisco ssg control info 253 string maximum length 247 characters Both No Table C 2 Cisco IOS PIX RADIUS VSAs continued Attribute Number Type of Va...

Page 530: ...teger Outbound No CVPN3000 Tunneling Protocols 11 integer Outbound No CVPN3000 IPSec Sec Association 12 string maximum length 247 characters Outbound No CVPN3000 IPSec Authentication 13 integer Outbound No CVPN3000 IPSec Banner1 15 string maximum length 247 characters Outbound No CVPN3000 IPSec Allow Passwd Store 16 integer Outbound No CVPN3000 Use Client Address 17 integer Outbound No CVPN3000 PP...

Page 531: ...4 integer Outbound No CVPN3000 IPSec Over UDP Port 35 integer maximum length 10 characters Outbound No CVPN3000 IPSec Banner2 36 string maximum length 247 characters Outbound No CVPN3000 PPTP MPPC Compression 37 integer Outbound No CVPN3000 L2TP MPPC Compression 38 integer Outbound No CVPN3000 IPSec IP Compression 39 integer Outbound No CVPN3000 IPSec IKE Peer ID Check 40 integer Outbound No CVPN3...

Page 532: ...Timeout 50 integer maximum length 10 characters Outbound No CVPN3000 Cisco IP Phone Bypass 51 integer Outbound No CVPN3000 User Auth Server Name 52 string maximum length 247 characters Outbound No CVPN3000 User Auth Server Port 53 integer maximum length 10 characters Outbound No CVPN3000 User Auth Server Secret 54 string maximum length 247 characters Outbound No CVPN3000 IPSec Split Tunneling Poli...

Page 533: ... No CVPN3000 IPSec Backup Server List 60 string maximum length 247 characters Outbound No CVPN3000 MS Client Intercept DHCP Configure Message 62 integer Outbound No CVPN3000 MS Client Subnet Mask 63 ipaddr maximum length 15 characters Outbound No CVPN3000 Allow Network Extension Mode 64 integer Outbound No CVPN3000 Strip Realm 135 integer Outbound No Table C 3 Cisco VPN 3000 Concentrator RADIUS VS...

Page 534: ...Dictionary of RADIUS AV Pairs Table C 6 lists the supported RADIUS IETF attributes If the attribute has a security server specific format the format is specified CVPN5000 VPN GroupInfo 004 string maximum length 247 characters Outbound No CVPN5000 VPN Password 005 string maximum length 247 characters Outbound No CVPN5000 Echo 006 integer Inbound No CVPN5000 Client Assigned IPX 007 integer Inbound N...

Page 535: ...he user being authenticated string Inbound No User Password 2 User password or input following an access challenge Passwords longer than 16 characters are encrypted using IETF Draft 2 or later specifications string Outbound No CHAP Password 3 PPP Point to Point Protocol CHAP Challenge Handshake Authentication Protocol response to an Access Challenge string Outbound No NAS IP Address 4 IP address o...

Page 536: ...imal integer interpreted as follows For asynchronous terminal lines async network interfaces and virtual async interfaces the value is 00ttt where ttt is the line number or async interface unit number For ordinary synchronous network interfaces the value is 10xxx For channels on a primary rate ISDN Integrated Services Digital Network interface the value is 2ppcc For channels on a basic rate ISDN i...

Page 537: ...rt SLIP or PPP Administrative User Start an EXEC or enable ok Exec User Start an EXEC session integer Both No Framed Protocol 7 Framing to be used for framed access integer Both No Framed IP Address 8 Address to be configured for the user Framed IP Netmask 9 IP netmask to be configured for the user when the user is a router to a network This AV results in a static route being added for Framed IP A...

Page 538: ... and d in for input access list The numbers are self encoding to the protocol to which they refer string Outbound Yes Framed MTU 12 Indicates the maximum transmission unit MTU that can be configured for the user when the MTU is not negotiated by PPP or some other means integer maximum length 10 characters Outbound No Framed Compression 13 Compression protocol used for the link This attribute resul...

Page 539: ... present integer maximum length 10 characters Outbound No Reply Message 18 Text to be displayed to the user string Outbound Yes Callback Number 19 string Outbound No Callback Id 20 string Outbound No Framed Route 22 Routing information to be configured for the user on this AAA client The RADIUS RFC Request for Comments format net bits router metric and the old style dotted mask net mask router met...

Page 540: ...tween the AAA client and the RADIUS server This attribute is applicable only to CHAP challenges string maximum length 253 characters Outbound No Class 25 Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server string Both Yes Table C 6 RADIUS IETF Attributes continued Attribute Number Description Type of Value Inbound Outbound Multiple ...

Page 541: ...lar type of authorization Attribute and value are an appropriate AV pair defined in the Cisco TACACS specification and sep is for mandatory attributes and for optional attributes This allows the full set of TACACS authorization features to be used for RADIUS The following is an example cisco avpair ip addr pool first cisco avpair shell priv lvl 15 The first example causes the Cisco multiple named ...

Page 542: ...und No Termination Action 29 integer Both No Called Station Id 30 Allows the AAA client to send the telephone number the call came from as part of the access request packet using automatic number identification or similar technology This attribute has the same value as remote addr in TACACS This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI string Inb...

Page 543: ...AT Node 35 string Inbound No Login LAT Group 36 string Inbound No Framed AppleTalk Link 37 integer Outbound No Framed AppleTalk Network 38 integer Outbound Yes Framed AppleTalk Zone 39 string Out No Acct Status Type 40 Specifies whether this accounting request marks the beginning of the user service start or the end stop integer Inbound No Acct Delay Time 41 Number of seconds the client has been t...

Page 544: ...remote authentication protocol This attribute is set to radius for users authenticated by RADIUS to remote for TACACS and Kerberos or to local for local enable line and if needed methods For all other methods the attribute is omitted integer Inbound No Acct Session Time 46 Number of seconds the user has been receiving service integer Inbound No Acct Input Packets 47 Number of packets received from...

Page 545: ...t service 4 Idle timeout 5 Session timeout 6 Admin reset 7 Admin reboot 8 Port error 9 AAA client error 10 AAA client request 11 AAA client reboot 12 Port unneeded 13 Port pre empted 14 Port suspended 15 Service unavailable 16 Callback 17 User error 18 Host request integer Inbound No Acct Multi Session Id 50 string Inbound No Acct Link Count 51 integer Inbound No Acct Input Gigawords 52 integer In...

Page 546: ... follows 0 Asynchronous 1 Synchronous 2 ISDN Synchronous 3 ISDN Asynchronous V 120 4 ISDN Asynchronous V 110 5 Virtual integer Inbound No Port Limit 62 Sets the maximum number of ports to be provided to the user by the network access server integer maximum length 10 characters Both No Login LAT Port 63 string Both No Tunnel Type 64 tagged integer Both Yes Tunnel Medium Type 65 tagged integer Both ...

Page 547: ...urity Data 74 string Inbound No Password Retry 75 integer Internal use only No Prompt 76 integer Internal use only No Connect Info 77 string Inbound No Configuration Token 78 string Internal use only No EAP Message 79 string Internal use only No Message Authenticator 80 string Outbound No Tunnel Private Group ID 81 tagged string Both Yes Tunnel Assignment ID 82 tagged string Both Yes Tunnel Prefer...

Page 548: ...Inbound No Num In Multilink 188 integer Inbound No Pre Input Octets 190 integer Inbound No Pre Output Octets 191 integer Inbound No Pre Input Packets 192 integer Inbound No Pre Output Packets 193 integer Inbound No Maximum Time 194 integer Both No Disconnect Cause 195 integer Inbound No Data Rate 197 integer Inbound No PreSession Time 198 integer Inbound No PW Lifetime 208 integer Outbound No IP D...

Page 549: ... dial up line or over a VPN tunnel such as PPTP MPPE is supported by several RADIUS network device vendors that Cisco Secure ACS supports The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSAs Cisco IOS Cisco VPN 3000 Ascend Table C 7 lists the supported MPPE RADIUS VSAs Route IP 228 integer Outbound No Link Compression 233 integer Outbound No Target Utils 234 integer Ou...

Page 550: ...integer The MS MPPE Encryption Policy attribute signifies whether the use of encryption is allowed or required If the Policy field is equal to 1 Encryption Allowed any or none of the encryption types specified in the MS MPPE Encryption Types attribute can be used If the Policy field is equal to 2 Encryption Required any of the encryption types specified in the MS MPPE Encryption Types attribute ca...

Page 551: ...ns a session key for use by MPPE As the name implies this key is intended for encrypting packets sent from the AAA client to the remote host This attribute is only included in Access Accept packets Outbound No MS MPPE Recv Key 17 string maximum length 240 characters The MS MPPE Recv Key attribute contains a session key for use by MPPE As the name implies this key is intended for encrypting packets...

Page 552: ...he profile Note RADIUS filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile Filter entries are applied in the order in which they are entered If you make changes to a filter in an Ascend RADIUS profile the changes do not take effect until a call uses that profile date 32 bit value in big endian order For example seconds since ...

Page 553: ...ger Both No Login TCP Port 16 integer Outbound No Change Password 17 string Reply Message 18 string Outbound Yes Callback ID 19 string Outbound No Callback Name 20 string Outbound No Framed Route 22 string Outbound Yes Framed IPX Network 23 integer Outbound No State 24 string Outbound No Class 25 string Outbound Yes Vendor Specific 26 string Outbound Yes Call Station ID 30 string Inbound No Callin...

Page 554: ... Acct Tunnel Connection 68 integer maximum length 253 characters Inbound No Ascend Private Route 104 string maximum length 253 characters Both No Ascend Numbering Plan ID 105 integer maximum length 10 characters Both No Ascend FR Link Status Dlci 106 integer maximum length 10 characters Both No Ascend Calling Subaddress 107 string maximum length 253 characters Both No Ascend Callback Delay 108 str...

Page 555: ...oth No Ascend FCP Parameter 119 string maximum length 253 characters Both No Ascend Modem PortNo 120 integer maximum length 10 characters Inbound No Ascend Modem SlotNo 121 integer maximum length 10 characters Inbound No Ascend Modem ShelfNo 122 integer maximum length 10 characters Inbound No Ascend Call Attempt Limit 123 integer maximum length 10 characters Both No Ascend Call Block_Duration 124 ...

Page 556: ...h 15 characters Both No Ascend Client Secondary DNS 136 address maximum length 15 characters Both No Ascend Client Assign DNS 137 enum Both No Ascend User Acct Type 138 enum Both No Ascend User Acct Host 139 address maximum length 15 characters Both No Ascend User Acct Port 140 integer maximum length 10 characters Both No Ascend User Acct Key 141 string maximum length 253 characters Both No Ascend...

Page 557: ... for an Ascend Event Packet Ascend Event Type 150 integer maximum length 10 characters Inbound No RADIUS Server Session Key Ascend Session Svr Key 151 string maximum length 253 characters Outbound No Multicast Rate Limit Per Client Ascend Multicast Rate Limit 152 integer maximum length 10 characters Outbound No Connection Profile Fields to Support Interface Based Routing Ascend IF Netmask 153 ipad...

Page 558: ...rs Outbound No Ascend FR DCE N392 162 integer maximum length 10 characters Outbound No Ascend FR DTE N392 163 integer maximum length 10 characters Outbound No Ascend FR DCE N393 164 integer maximum length 10 characters Outbound No Ascend FR DTE N393 165 integer maximum length 10 characters Outbound No Ascend FR T391 166 integer maximum length 10 characters Outbound No Ascend FR T392 167 integer ma...

Page 559: ...ximum length 253 characters Inbound No Ascend Call Type 177 integer Inbound No Ascend Group 178 string maximum length 253 characters Inbound No Ascend FR DLCI 179 integer maximum length 10 characters Inbound No Ascend FR Profile Name 180 string maximum length 253 characters Inbound No Ascend Ara PW 181 string maximum length 253 characters Inbound No Ascend IPX Node Addr 182 string maximum length 2...

Page 560: ...th 10 characters Both No Ascend Disconnect Cause 195 integer Inbound No Ascend Connect Progress 196 integer Inbound No Ascend Data Rate 197 integer Inbound No Ascend PreSession Time 198 integer Inbound No Ascend Token Idle 199 integer maximum length 10 characters Outbound No Ascend Token Immediate 200 integer Outbound No Ascend Require Auth 201 integer maximum length 10 characters Outbound No Asce...

Page 561: ... Outbound No Ascend PPP Async Map 212 integer maximum length 10 characters Outbound No Ascend Third Prompt 213 string maximum length 253 characters Outbound No Ascend Send Secret 214 string maximum length 253 characters Outbound No Ascend Receive Secret 215 string maximum length 253 characters Outbound No Ascend IPX Peer Mode 216 integer Outbound No Ascend IP Pool Definition 217 string maximum len...

Page 562: ...utbound No Ascend Route IPX 229 integer Outbound No Ascend Bridge 230 integer Outbound No Ascend Send Auth 231 integer Outbound No Ascend Send Passwd 232 string maximum length 253 characters Outbound No Ascend Link Compression 233 integer Outbound No Ascend Target Util 234 integer maximum length 10 characters Outbound No Ascend Max Channels 235 integer maximum length 10 characters Outbound No Asce...

Page 563: ...m length 10 characters Outbound No Connection Profile Telco Options Ascend Callback 246 integer Outbound No Ascend Data Svc 247 integer Outbound No Ascend Force 56 248 integer Outbound No Ascend Billing Number 249 string maximum length 253 characters Outbound No Ascend Call By Call 250 integer maximum length 10 characters Outbound No Ascend Transit Number 251 string maximum length 253 characters O...

Page 564: ...8 Ascend RADIUS Attributes continued Attribute Number Type of Value Inbound Outbound Multiple Table C 9 Nortel RADIUS VSAs Attribute Number Type of Value Inbound Outbound Multiple Bay Local IP Address 035 ipaddr maximum length 15 characters Outbound No Bay Primary DNS Server 054 ipaddr maximum length 15 characters Outbound No Bay Secondary DNS Server 055 ipaddr maximum length 15 characters Outboun...

Page 565: ...uniper RADIUS VSAs supported by Cisco Secure ACS The Juniper vendor ID number is 2636 Table C 10 Juniper RADIUS VSAs Attribute Number Type of Value Inbound Outbound Multiple Juniper Local User Name 001 string maximum length 247 characters Outbound No Juniper Allow Commands 002 string maximum length 247 characters Outbound No Juniper Deny Commands 003 string maximum length 247 characters Outbound N...

Page 566: ...Appendix C RADIUS Attributes Juniper Dictionary of RADIUS VSAs C 44 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 567: ...ystem Backup ACS System Restore Database Replication and RDBMS Synchronization features For more information on these features see Chapter 8 Establishing Cisco Secure ACS System Configuration This appendix contains the following topics Location of CSUtil exe and Related Files page D 2 CSUtil exe Syntax page D 2 CSUtil exe Options page D 3 Backing Up Cisco Secure ACS with CSUtil exe page D 4 Restor...

Page 568: ... default location CSUtil exe is located in the following directory C Program Files CiscoSecure ACS vX X Utils where X X is the version of your Cisco Secure ACS software Regardless of where you install Cisco Secure ACS CSUtil exe is located in the Utils directory Files generated by or accessed by CSUtil exe are also located in the Utils directory CSUtil exe Syntax The syntax for the CSUtil exe comm...

Page 569: ...e page D 4 c Recalculate database CRC values For more information about this option see Recalculating CRC Values page D 27 d Export all Cisco Secure ACS internal data to a file named dump txt Using this option requires that you stop the CSAuth service For more information about this option see Creating a Cisco Secure ACS Database Dump File page D 8 e Decode internal Cisco Secure ACS error numbers ...

Page 570: ...stop the CSAuth service For more information about this option see Exporting User List to a Text File page D 23 y Dump Windows Registry configuration information to a file named setup txt For more information about this option see Exporting Registry Information to a Text File page D 25 addUDV Add a user defined RADIUS vendor specific attribute VSA For more information about this option see Adding ...

Page 571: ...Enter Result CSUtil exe displays a confirmation prompt Step 3 To confirm that you want to perform a backup and to halt all Cisco Secure ACS services during the backup type Y and press Enter Result CSUtil exe generates a complete backup of all Cisco Secure ACS internal data including user accounts and system configuration This process may take a few minutes Note CSUtil exe displays the error messag...

Page 572: ...ure ACS with CSUtil exe follow these steps Step 1 On the Cisco Secure ACS server open an MS DOS command prompt and change directories to the directory containing CSUtil exe For more information about the location of CSUtil exe see Location of CSUtil exe and Related Files page D 2 Step 2 Perform the applicable restoration command a To restore all data user and group data and system configuration ty...

Page 573: ...kup was created Creating a CiscoSecure User Database You can use the n option to create a CiscoSecure user database Note Using the n option requires that you stop the CSAuth service While CSAuth is stopped no users are authenticated Caution Using the n option erases all user information in the CiscoSecure user database Unless you have a current backup or dump of your CiscoSecure user database all ...

Page 574: ...s Step 6 To resume user authentication type net start csauth and press Enter Creating a Cisco Secure ACS Database Dump File You can use the d option to dump all contents of the CiscoSecure user database into a text file In addition to providing a thorough eye readable and compressible backup of all Cisco Secure ACS internal data a database dump can also be useful for the Cisco Technical Assistance...

Page 575: ...stops Step 3 Type CSUtil exe d and press Enter Result CSUtil exe displays a confirmation prompt Step 4 To confirm that you want to dump all Cisco Secure ACS internal data into dump txt type Y and press Enter Result CSUtil exe creates the dump txt file This process may take a few minutes Step 5 To resume user authentication type net start csauth and press Enter Loading the Cisco Secure ACS Database...

Page 576: ...nal data from a text file follow these steps Step 1 On the Cisco Secure ACS server open an MS DOS command prompt and change directories to the directory containing CSUtil exe For more information about the location of CSUtil exe see Location of CSUtil exe and Related Files page D 2 Step 2 If the CSAuth service is running type net stop csauth and press Enter Result The CSAuth service stops Step 3 T...

Page 577: ...emoving the record from the database Over time your CiscoSecure user database may be substantially larger than is required by the number of users it contains To reduce the CiscoSecure user database size you can compact it periodically Compacting the CiscoSecure user database consists of using in conjunction three CSUtil exe options d Export all Cisco Secure ACS internal data to a text file named d...

Page 578: ...e the q option in the command CSUtil exe does not prompt you for confirmation of initializing or loading the database Result If you do not use the q option CSUtil exe displays a confirmation prompt for initializing the database and then for loading the database For more information about the effects of the n option see Creating a CiscoSecure User Database page D 7 For more information about the ef...

Page 579: ...n follow these steps Step 1 If you have not performed a backup or dump of Cisco Secure ACS do so now before proceeding For more information about backing up the database see Backing Up Cisco Secure ACS with CSUtil exe page D 4 Step 2 Create an import text file For more information about what an import text file can or must contain see User and AAA Client Import File Format page D 15 Step 3 Copy or...

Page 580: ...text file specified This process may take a few minutes If the import text file contained AAA client configuration data CSUtil exe warns you that you need to restart CSTacacs and CSRadius for these changes to take effect Step 7 To restart CSRadius follow these steps a Type net stop csradius and press Enter Result The CSRadius service stops b To start CSRadius type net start csradius and press Ente...

Page 581: ...TE Statements page D 18 DELETE Statements page D 20 ADD_NAS Statements page D 21 DEL_NAS Statements page D 22 Import File Example page D 23 About User and AAA Client Import File Format Each line of a CSUtil exe import file is a series of colon separated tokens Some of the tokens are followed by values Values like tokens are colon delimited For tokens that require values CSUtil exe expects the valu...

Page 582: ... exe creates the user record and assigns the user to the LDAP database that was added to Cisco Secure ACS first Table D 1 ONLINE OFFLINE Statement Tokens Token Required Value Required Description ONLINE Either ONLINE or OFFLINEmust be present The CSAuth service remains active while CSUtil exe imports the text file CSUtil exe performance is slower when run in this mode but Cisco Secure ACS continue...

Page 583: ...password Require a TACACS sendauth password CSDB No password Authenticate the username with the CiscoSecure user database CSDB_UNIX No UNIX encrypted password Authenticate the username with the CiscoSecure user database using a UNIX password format EXT_NT No Authenticate the username with a Windows NT 2000 external user database EXT_NDS No Authenticate the username with a Novell NDS external user ...

Page 584: ...d its value are required by CSUtil exe but if no other tokens are included no changes are made to the user account You can use the UPDATE statement to update the group a user is assigned to or to update which database Cisco Secure ACS uses to authenticate the user The valid tokens for UPDATE statements are listed in Table D 3 EXT_LEAP No Authenticate the username with a LEAP proxy RADIUS server ex...

Page 585: ...a TACACS sendauth password CSDB No password Authenticate the username with the CiscoSecure user database CSDB_UNIX No UNIX encrypted password Authenticate the username with the CiscoSecure user database using a UNIX password format EXT_NT No Authenticate the username with a Windows NT 2000 external user database EXT_NDS No Authenticate the username with a Novell NDS external user database EXT_SDI ...

Page 586: ...The DELETE token detailed in Table D 4 is the only token in a DELETE statement For example the following DELETE statement causes CSUtil exe to permanently remove the account with username John from the CiscoSecure user database DELETE John EXT_LEAP No Authenticate the username with a LEAP proxy RADIUS server external user database EXT_ACTV No Authenticate the username with an ActivCard external us...

Page 587: ...n ADD_NAS Yes AAA client name The name of the AAA client that is to be added IP Yes IP address The IP address of the AAA client being added KEY Yes Shared secret The shared secret for the AAA client VENDOR Yes See Description The authentication protocol the AAA client uses For RADIUS this includes the VSA Note The valid values are listed below Quotation marks are required due to the spaces in the ...

Page 588: ...itions from Cisco Secure ACS For example the following DEL_NAS statement causes CSUtil exe to delete a AAA client with the name SVR2 T DEL_NAS SVR2 T SINGLE_CON No Y or N For AAA clients using TACACS only the value set for this TOKEN specifies whether the Single Connect TACACS AAA Client option is enabled For more information see Adding a AAA Client page 4 15 KEEPALIVE No Y or N For AAA clients us...

Page 589: ... the u option to export a list of all users in the CiscoSecure user database to a text file named users txt The users txt file organizes users by group Within each group users are listed in the order that their user accounts were created in the CiscoSecure user database For example if accounts were created for Pat Dana and Lloyd in that order users txt lists them in that order as well rather than ...

Page 590: ...roup Information to a Text File You can use the g option to export group configuration data including device command sets from the CiscoSecure user database to a text file named groups txt The groups txt file is useful primarily for debugging purposes while working with the TAC Note Using the g option requires that you stop the CSAuth service While CSAuth is stopped no users are authenticated To e...

Page 591: ...r authentication type net start csauth and press Enter Exporting Registry Information to a Text File You can use the y option to export Windows Registry information for Cisco Secure ACS CSUtil exe exports the Registry information to a file named setup txt The setup txt file is primarily useful for debugging purposes while working with the TAC To export Registry information from Cisco Secure ACS to...

Page 592: ...this example the error code number that you could use CSUtil exe to decode is 1087 C Program Files CiscoSecure ACS vx x Utils CSUtil exe e 1087 CSUtil v3 0 1 14 Copyright 1997 2001 Cisco Systems Inc Code 1087 External database reported error during authentication Note The e option applies to Cisco Secure ACS internal error codes only not to Windows error codes sometimes captured in Cisco Secure AC...

Page 593: ...cyclical redundancy check value conflicts between files manually copied into your Cisco Secure ACS directories and the values recorded in the Windows Registry Note Do not use the c option unless a Cisco representative requests that you do User Defined RADIUS Vendors and VSA Sets This section provides information and procedures about user defined RADIUS vendors and VSAs It contains the following to...

Page 594: ...9 Vendors you add must be IETF compliant therefore all VSAs that you add must be sub attributes of IETF RADIUS attribute number 26 You can define up to ten custom RADIUS vendors numbered 0 zero through 9 CSUtil exe allows only one instance of any given vendor as defined by the unique vendor IETF ID number and by the vendor name Note If you intend to replicate user defined RADIUS vendor and VSA con...

Page 595: ...nd change directories to the directory containing CSUtil exe For more information about the location of CSUtil exe see Location of CSUtil exe and Related Files page D 2 Step 2 Type CSUtil exe addUDV slot number filename where slot number is an unused Cisco Secure ACS RADIUS vendor slot and filename is the name of a RADIUS vendor VSA import file The filename can include a relative or absolute path ...

Page 596: ...o Secure ACS all Cisco Secure ACS services are automatically stopped and restarted No users are authenticated while this process is occurring Before You Begin Verify that in the Network Configuration section of the Cisco Secure ACS HTML interface no AAA client uses the RADIUS vendor For more information about configuring AAA clients see AAA Client Configuration page 4 11 Verify that your RADIUS ac...

Page 597: ...Step 4 To confirm that you want to delete the RADIUS vendor type Y and press Enter Result CSUtil exe halts Cisco Secure ACS services deletes the specified RADIUS vendor from Cisco Secure ACS This process may take a few minutes After it is complete CSUtil exe restarts Cisco Secure ACS services Listing Custom RADIUS Vendors You can use the listUDV option to determine what custom RADIUS vendors are d...

Page 598: ...DIUS vendor and VSA set and you have misplaced the original file used to import the set Note Exporting a custom RADIUS vendor and VSA set does not remove the vendor and VSA set from Cisco Secure ACS Cisco Secure ACS places all exported vendor VSA files in a subdirectory of the directory containing CSUtil exe The subdirectory is named System UDVs For more information about the location of CSUtil ex...

Page 599: ...ocated is replaced including all its contents Backing up RADIUS vendor VSA import files ensures that you can recover your custom RADIUS vendors and VSAs after reinstallation or upgrading to a later release This section details the format and content of RADIUS VSA import files It includes the following topics About the RADIUS Vendor VSA Import File page D 33 Vendor and VSA Set Definition page D 34 ...

Page 600: ...ribute Definition page D 35 Enumeration No 0 to 255 Defines enumerations for attributes with integer data types For more information see Enumeration Definition page D 37 Table D 8 Vendor and VSA Set Keys Keys Required Value Required Description Name Yes Vendor name The name of the RADIUS vendor IETF Code Yes An integer The IETF assigned vendor number for this vendor VSA n where n is the VSA number...

Page 601: ...ibute definition sections User Defined Vendor Name Widget IETF Code 9999 VSA 1 widget encryption VSA 2 widget admin interface VSA 3 widget group VSA 4 widget admin encryption Attribute Definition Each RADIUS vendor VSA import file must have one attribute definition section for each attribute defined in the vendor and VSA set section The section header of each attribute definition section must matc...

Page 602: ... following two values must be present in the Profile key definition IN The attribute is used for accounting After you add the attribute to Cisco Secure ACS you can configure your RADIUS accounting log to record the new attribute For more information about RADIUS accounting logs see Accounting Logs page 9 5 OUT The attribute is used for authorization In addition you can use the value MULTI to allow...

Page 603: ...nteger type attribute In the Group Setup and User Setup sections of the Cisco Secure ACS HTML interface the text values you define appear in lists associated with the attributes that use the enumerations Enumeration definition sections are required only if an attribute definition section references them Only attributes that are integer type attributes can reference an enumeration definition sectio...

Page 604: ...5 VSAs Of those attributes 4 are for authorization and one is for accounting Only one attribute can have multiple instances in a single RADIUS message Two attributes have enumerations for their valid integer values and they share the same enumeration definition section Table D 10 Enumerations Definition Keys Keys Required Value Required Description n See Description Yes String For each valid integ...

Page 605: ...et encryption VSA 2 widget admin interface VSA 3 widget group VSA 4 widget admin encryption VSA 5 widget remote address widget encryption Type INTEGER Profile OUT Enums Encryption Types widget admin interface Type IPADDR Profile OUT widget group Type STRING Profile MULTI OUT widget admin encryption Type INTEGER Profile OUT Enums Encryption Types widget remote address Type STRING Profile IN Encrypt...

Page 606: ...Appendix D Cisco Secure ACS Command Line Database Utility User Defined RADIUS Vendors and VSA Sets D 40 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 607: ...Internet and intranet VPDN addresses the requirements of roaming intranet users This chapter provides information about the VPDN process and how it affects the operation of Cisco Secure ACS VPDN Process This section describes the steps for processing VPDN requests in a standard environment 1 A VPDN user dials in to the network access server NAS of the regional service provider RSP The standard cal...

Page 608: ...authenticates the domain portion corporation us with the ACS See Figure E 2 Figure E 2 NAS Attempts to Authorize Domain 3 If the domain authorization fails the NAS assumes the user is not a VPDN user The NAS then authenticates not authorizes the user as if the user is a standard non VPDN dial user See Figure E 3 S6645 Corporation VPDN user User mary corporation us Call setup PPP setup Username mar...

Page 609: ...the IP address of the home gateway HG these are used to create the tunnel See Figure E 4 Figure E 4 ACS Authorizes Domain 4 The HG uses its ACS to authenticate the tunnel where the username is the name of the tunnel nas_tun See Figure E 5 S6655 Corporation VPDN user User mary corporation us ACS RSP ACS Authorization failed S6647 Corporation VPDN user User mary corporation us ACS RSP Authorization ...

Page 610: ...of the HG This name is chosen based on the name of the tunnel so the HG might have different names depending on the tunnel being set up See Figure E 6 Figure E 6 HG Authenticates Tunnel with the NAS 6 The NAS now uses its ACS to authenticate the tunnel from the HG See Figure E 7 S6649 Username nas_tun Password CHAP_stuff Corporation VPDN user User mary corporation us ACS RSP Authentication request...

Page 611: ... is Established 8 The HG now authenticates the user as if the user dialed directly in to the HG The HG might now challenge the user for a password The Cisco Secure ACS at RSP can be configured to strip off the and domain before it passes the authentication to the HG The user is passed as mary corporation us The HG uses its ACS to authenticate the user See Figure E 9 S6651 Username home_gate Passwo...

Page 612: ...s up the NAS does not repeat the entire authorization authentication process Instead it passes the user through the existing tunnel to the HG See Figure E 10 Figure E 10 Another User Dials In While Tunnel is Up Username mary corporation us Password secret S6653 Corporation VPDN user User mary corporation us ACS RSP ACS Username sue corporation us Password secret2 VPDN user User sue corporation us ...

Page 613: ...t the RDBMS Synchronization feature and accountActions see RDBMS Synchronization page 8 29 This appendix contains the following sections accountActions Specification page F 1 Action Codes page F 4 Cisco Secure ACS Attributes and Action Codes page F 33 An Example of accountActions page F 37 accountActions Specification Whether you create accountActions by hand in a text editor or through automation...

Page 614: ...e Mnemonic Type Size Comments SequenceId SI AutoNumber 32 The unique action ID Priority P Integer The priority with which this update is to be treated 0 is the lowest priority UserName UN String 32 The name of the user to which the transaction applies GroupName GN String 32 The name of a group to which the transaction applies Action A Number 0 216 The Action required See Action Codes page F 4 Valu...

Page 615: ...d value is required in the UserName field If a transaction is acting upon a group a valid value is required in the GroupName field If a transaction is acting upon AAA client configuration neither the UserName field nor the GroupName field require a value Note The UserName and GroupName fields are mutually exclusive only one of these two fields can have a value and neither field is always required ...

Page 616: ...her importance to occur first such as deleting a user or changing a password In the most common implementations of RDBMS Synchronization a third party system writes to accountActions in batch mode with all actions rows assigned a priority of zero 0 Note When changing transaction priorities be careful that they are processed in the correct order for example a user account must be created before the...

Page 617: ...ser Accounts page F 7 Action Codes for Initializing and Modifying Access Filters page F 15 Action Codes for Modifying TACACS and RADIUS Group and User Settings page F 19 Action Codes for Modifying Network Configuration page F 25 Action Codes for Setting and Deleting Values The two most fundamental action codes are SET_VALUE action code 1 and DELETE_VALUE action code 2 described in Table F 2 The SE...

Page 618: ...llowing APP_CSAUTH APP_CSTACACS APP_CSRADIUS APP_CSADMIN Value types V2 can be one of the following TYPE_BYTE Single 8 bit number TYPE_SHORT Single 16 bit number TYPE_INT Single 32 bit number TYPE_STRING Single string TYPE_ENCRYPTED_STRING Single string to be saved encrypted TYPE_MULTI_STRING Tab separated set of substrings TYPE_MULTI_INT Tab separated set of 32 bit numbers For example UN fred AI ...

Page 619: ...layed in the User Setup section of the HTML interface For more information about the User Setup section see Chapter 7 Setting Up and Managing User Accounts Table F 3 User Creation and Modification Action Codes Action Code Name Required Description 100 ADD_USER UN GN V1 Create a user 32 characters maximum V1 is used as the initial password Optionally the user can also be assigned to a group 101 DEL...

Page 620: ...ype V3 should be one of the following ENABLE_LEVEL_AS_GROUP Max privilege taken from group setting ENABLE_LEVEL_NONE No T enable configured ENABLE_LEVEL_STATIC Value set in V2 used during enable level check You can use VN to link the enable password to an external authenticator as per action 108 SET_PASS_TYPE 106 SET_GROUP UN GN Set the Cisco Secure ACS group assignment of the user Table F 3 User ...

Page 621: ...nal Novell database password PASS_TYPE_LDAP External generic LDAP database password PASS_TYPE_SDI External RSA Security database password PASS_TYPE_ANPI External PassGo database password PASS_TYPE_ENIGMA External SafeWord database password PASS_TYPE_CRYPTO External CRYPTOCard database password PASS_TYPE_ODBC External ODBC database password PASS_TYPE_LEAP External LEAP proxy RADIUS server database ...

Page 622: ...pired by Cisco Secure ACS To set multiple password states for a user use multiple instances of this action This results in the status states being linked in a logical XOR condition by the CSAuth server V1 should contain one of the following PASS_STATUS_EXPIRES Password expires on a given date PASS_STATUS_NEVER Password never expires PASS_STATUS_WRONG Password expires after a given number of login ...

Page 623: ...MMDD 114 SET_MAX_ SESSIONS UN GN V1 Set the maximum number of simultaneous sessions for a user or group V1 should contain one of the following values MAX_SESSIONS_UNLIMITED MAX_SESSIONS_AS_GROUP 1 65534 115 SET_MAX_ SESSIONS_ GROUP_USER GN V1 Set the max sessions for a user of the group to one of the following values MAX_SESSIONS_UNLIMITED 1 65534 Table F 3 User Creation and Modification Action Co...

Page 624: ...N is set to sessions V1 is the maximum number of sessions in the period defined in V2 If VN is set to online time V1 is the maximum number of seconds V2 holds the period for the quota Valid values are QUOTA_PERIOD_DAILY The quota is enforced in 24 hour cycles from 12 01 A M to midnight QUOTA_PERIOD_WEEKLY The quota is enforced in 7 day cycles from 12 01 A M Sunday until midnight Saturday QUOTA_PER...

Page 625: ... for the period defined in V2 sessions The quota limits the user or group by the number of sessions on the network for the period defined in V2 262 RESET_ COUNTERS UN GN Resets usage quota counters for a user or group 263 SET_QUOTA_ APPLY_TYPE V1 Defines whether a user usage quota is determined by the user group quota or by a quota unique to the user V1 makes this specification Valid values for V1...

Page 626: ...type The valid values for VN are none Sets no DCS for the user or group as group For users only this value signifies that the user DCS settings for the service specified should be the same as the user group DCS settings static Sets a DCS for the user or group for all devices enabled to perform command authorization for the service specified If V1 is set to static V2 is required and must contain th...

Page 627: ...n pixshell Cisco PIX command authorization Note If additional DCS types have been added to your Cisco Secure ACS you can find the valid value in the Interface Configuration page for TACACS Cisco IOS The valid values appear in parentheses after the service title such as PIX Shell pixshell V1 defines the name of the NDG Use the name of the NDG as it appears in the HTML interface For example if you h...

Page 628: ...ed Description 120 INIT_NAS_ ACCESS_ CONTROL UN GN V1 Clear the AAA client access filter list and initialize permit deny for any forthcoming filters V1 should be one of the following values ACCESS_PERMIT ACCESS DENY 121 INIT_DIAL_ ACCESS_ CONTROL UN GN V1 Clear the dial up access filter list and initialize permit deny for any forthcoming filters V1 should be one of the following values ACCESS_PERM...

Page 629: ...ed by both calling and called station IDs AAA client PORT The user is filtered by AAA client IP and AAA client port address 130 SET_TOKEN_ CACHE_SESSION GN V1 Enable disable token caching for an entire session V1 is 0 disable 1 enable 131 SET_TOKEN_ CACHE_TIME GN V1 Set the duration that tokens are cached V1 is the token cache duration in seconds 140 SET_TODDOW_ ACCESS UN GN V1 Set periods during ...

Page 630: ... the user ALLOC_METHOD_AAA_POOL The IP pool named in V1 configured on the AAA server will be assigned to the user ALLOC_METHOD_CLIENT The dial in client will assign its own IP address ALLOC_METHOD_AS_GROUP The IP address assignment configured for the group will be used 151 SET_CALLBACK_ NO UN GN V1 Set the callback number for this user or group TACACS and RADIUS V1 should be one of the following C...

Page 631: ...codes affect the configuration displayed in the User Setup and Group Setup sections of the HTML interface For more information about the User Setup section see Chapter 7 Setting Up and Managing User Accounts For more information about the Group Setup section see Chapter 6 Setting Up and Managing User Groups Table F 5 Action Codes for Modifying TACACS and RADIUS Group and User Settings Action Code ...

Page 632: ...up UN GN For example GN Group 1 VN Reply Message V1 Greetings UN fred VN Framed IP Address V1 10 1 1 1 When VN Vendor Specific for the Vendor Specific VSA attribute V2 IETF vendor ID V3 VSA attribute ID For example V2 9 V3 1 V1 addr pool pool3 RADIUS attribute values can be one of the following INTEGER TIME IP ADDRESS STRING Table F 5 Action Codes for Modifying TACACS and RADIUS Group and User Set...

Page 633: ...users For example GN Group 1 V1 ppp V2 ip or UN fred V1 ppp V2 ip or UN fred V1 exec 171 REMOVE_ TACACS_SERVICE UN GN V1 Optionally V2 Denies the service for that user or group of users For example GN Group 1 V1 ppp V2 ip or UN fred V1 ppp V2 ip or UN fred V1 exec This also resets the valid attributes for the service Table F 5 Action Codes for Modifying TACACS and RADIUS Group and User Settings co...

Page 634: ...already have been permitted either via the HTML interface or using Action 170 GN Group 1 VN routing V1 ppp V2 ip V3 true or UN fred VN route V1 ppp V2 ip V3 10 2 2 2 173 REMOVE_ TACACS_ATTR UN GN VN V1 Optionally V2 Removes a service specific attribute GN Group 1 V1 ppp V2 ip VN routing or UN fred V1 ppp V2 ip VN route Table F 5 Action Codes for Modifying TACACS and RADIUS Group and User Settings ...

Page 635: ...e authorized for users of Group 1 Any arguments can be supplied to the Telnet command as long as they are not matched against any arguments defined via Action 176 The second example permits the configure command to be authorized for user fred but only if the arguments supplied are permitted by the filter defined by a series of Action 176 175 REMOVE_IOS_ COMMAND UN GN VN Removes command authorizati...

Page 636: ... Group 1 VN telnet V1 permit V2 10 1 1 2 or UN fred VN show V1 deny V2 run The first example will allow the telnet command with argument 10 1 1 2 to be used by any user in Group 1 The second example ensures that user fred cannot issue the Cisco IOS command show run 177 REMOVE_IOS_ COMMAND_ARG UN GN VN V2 Remove the permit or deny entry for the given Cisco IOS command argument GN Group 1 VN telnet ...

Page 637: ...o IOS commands not defined via a combination of Actions 174 and 175 will be denied This behavior can be changed so that issued Cisco IOS commands that do not match any command command argument pairs are authorized GN Group 1 V1 permit or UN fred V1 deny The first example will permit any command not defined by Action 174 179 REMOVE_ALL_ IOS_ COMMANDS UN GN This action removes all Cisco IOS commands...

Page 638: ...id vendors are as follows VENDOR_ID_IETF_RADIUS For IETF RADIUS VENDOR_ID_CISCO_RADIUS For Cisco IOS PIX RADIUS VENDOR_ID_CISCO_TACACS For Cisco TACACS VENDOR_ID_ASCEND_RADIUS For Ascend RADIUS VENDOR_ID_ALTIGA_RADIUS For Cisco VPN 3000 RADIUS VENDOR_ID_COMPATIBLE_RADIUS For Cisco VPN 5000 RADIUS VENDOR_ID_AIRONET_RADIUS For Cisco Aironet RADIUS VENDOR_ID_NORTEL_RADIUS For Nortel RADIUS VENDOR_ID_...

Page 639: ...Add a new AAA client named in VN with an IP address V1 shared secret key V2 and the enterprise code for the vendor V3 230 ADD_AAA_ SERVER VN V1 V2 Add a new AAA server named VN with IP address V1 shared secret key V2 231 SET_AAA_TYPE VN V1 Set the AAA server type for server VN to value in V1 which should be one of the following TYPE_ACS TYPE_TACACS TYPE_RADIUS The default is AAA_SERVER_TYPE_ACS 23...

Page 640: ...IX MARKUP_TYPE_SUFFIX The markup strip flag should be TRUE if the markup is to be removed from the username before forwarding The accounting flag V3 should be one of the following ACCT_FLAG_LOCAL ACCT_FLAG_REMOTE ACCT_FLAG_BOTH 241 ADD_PROXY_ TARGET VN V1 Add to named proxy markup VN the host name V1 The host should already be configured on the Cisco Secure ACS Note The order in which proxy target...

Page 641: ...ned Vendors UDV VN contains the name of the Vendor Note Cisco Secure ACS adds RADIUS to the name entered in the Variable Name field For example if you enter the name MyCo Cisco Secure ACS displays RADIUS MyCo in the HTML interface V1 contains the user defined vendor slot number or AUTO_ASSIGN_SLOT Cisco Secure ACS has ten vendor slots numbered 0 through 9 If you specify AUTO_ASSIGN_SLOT Cisco Secu...

Page 642: ...ribute is assigned a group ID we recommend prefixing the vendor name or an abbreviation to all VSAs For example VSAs could be MyCo Assigned Group Id Note VSA names must be unique to both the vendor and to the Cisco Secure ACS dictionary For example MyCo Framed IP Address is allowed but Framed IP Address is not because Framed IP Address is used by IETF action code 8 in the RADIUS attributes V2 is t...

Page 643: ... VSA The profile specifies usage IN for accounting OUT for authorization or MULTI if more than a singe instance is allowed per RADIUS message Combinations are allowed V1 contains the vendor IETF code V2 contains the VSA number V3 contains the profile one of the following IN OUT IN OUT MULTI OUT MULTI IN OUT Table F 6 Action Codes for Modifying Network Configuration continued Action Code Name Requi...

Page 644: ...the enumeration strings in a list VN contains the VSA Enum Name V1 contains the vendor IETF code V2 contains the VSA number V3 contains the VSA Enum Value Example VN Disabled V1 9034 V2 MyCo Encryption V3 0 or VN Enabled V1 9034 V2 MyCo Encryption V3 1 355 ADOPT_NEW_ UDV_OR_VSA The CSAdmin CSRadius and CSLog services must be restarted before new UDVs or VSAs can become usable This action restarts ...

Page 645: ...Cisco Secure ACS user including their data types limits and default values It also provides the action code you can use in accountActions to affect each attribute Although there are many actions available adding a user requires only one transaction ADD_USER You can safely leave other user attributes at their default values The term NULL is not simply an empty string but means not set that is the v...

Page 646: ...ASS_TYPE_CSDB password is cleartext PAP Password Expiry Status 109 110 Bitwise Enum See Table F 3 PASS_STATUS_ NEVER never expires Expiry Data 112 113 Short wrong max current 0 32 767 Expiry date Max Sessions 114 Unsigned short 0 65535 MAX_SESSIONS_AS_GROUP TODDOW Restrictions 140 String 168 characters 111111111111 NAS Access Control 120 122 Bool enabled T F NULL Bool permit deny T F ACL String Se...

Page 647: ...et UDAs by using the SET_VALUE action code 1 to create a value called USER_DEFINED_FIELD_0 or USER_DEFINED_FIELD_1 For accountActions rows defining a UDA value the AppId AI field must contain APP_ CSAUTH and the Value2 V2 field must contain TYPE_STRING Static IP Address 150 Enum scheme See Table F 4 Client String IP Pool name 0 31 KB NULL Callback Number 151 String 0 31 KB NULL TACACS Attributes 1...

Page 648: ...es It also provides the action code you can use in your accountActions table to affect each field For more information about action codes see Action Codes page F 4 Table F 8 User Defined Attributes Action Username UN ValueName VN Value1 V1 Value2 V2 AppId AI 1 fred USER_DEFINED_FIELD_0 SS123456789 TYPE_ STRING APP_ CSAUTH 1 fred USER_DEFINED_FIELD_1 Engineering TYPE_ STRING APP_ CSAUTH 1 fred USER...

Page 649: ...up 2 include Time of Day Day of Week restrictions token caching and some RADIUS attributes Token caching for duration 131 Integer time in seconds 0 65535 NULL TODDOW Restrictions 140 String 168 characters 111111111111 NAS Access Control 120 122 Bool enabled T F NULL Bool permit deny T F ACL String See Table F 4 0 31 KB Dial Up Access Control 121 123 Bool enabled T F NULL Bool permit deny T F NULL ...

Page 650: ...ctions Table Action User name UN Group Name GN Value Name VN Value1 V1 Value2 V2 Value3 V3 AppId AI 100 fred fred 102 fred freds_password 103 fred freds_chap_password 104 fred freds_outbound_password 105 fred freds_enable_password 10 106 fred Group 2 150 fred 123 123 123 123 151 fred 01832 123900 109 fred PASS_STATUS_NEVER 110 fred PASS_STATUS_WRONG 110 fred PASS_STATUS_EXPIRES 112 fred 10 113 fre...

Page 651: ...SER_ DEFINED_ FIELD_0 Fred Jones TYPE_ STRING APP_ CSAUTH 140 Group 2 a string of 168 ones 1 130 Group 2 DISABLE 131 Group 2 61 163 Group 2 Reply Message Welcome to Your Internet Service 163 Group 2 Vendor Specific addr pool pool2 9 1 Table F 10 Example accountActions Table continued Action User name UN Group Name GN Value Name VN Value1 V1 Value2 V2 Value3 V3 AppId AI ...

Page 652: ...Appendix F RDBMS Synchronization Import Definitions An Example of accountActions F 40 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Page 653: ...nents It includes the following topics Windows 2000 Services page G 1 Windows 2000 Registry page G 2 CSAdmin page G 2 CSAuth page G 3 CSDBSync page G 4 CSLog page G 4 CSMon page G 4 CSTacacs and CSRadius page G 8 Windows 2000 Services Cisco Secure ACS is modular and flexible to fit the needs of both simple and large networks This appendix describes the Cisco Secure ACS architectural components Cis...

Page 654: ...EY_LOCAL_MACHINE SOFTWARE CISCO Unless you are advised to do so by a Cisco representative we strongly recommend that you do not modify Windows Registry settings pertaining to Cisco Secure ACS Warning Do not modify the Registry unless you have enough knowledge and experience to edit the file without destroying or corrupting crucial data CSAdmin CSAdmin is the service that provides the web server fo...

Page 655: ...l Cisco Secure ACS administrators to access it at the same time Therefore CSAdmin is well suited for distributed multiprocessor environments CSAuth CSAuth is the authentication and authorization service It permits or denies access to users by processing authentication and authorization requests CSAuth determines if access should be granted and defines the privileges for a particular user CSAuth is...

Page 656: ...ernal relational database For information on RDBMS Synchronization see RDBMS Synchronization page 8 29 CSLog CSLog is the service used to capture and place logging information CSLog gathers data from the TACACS or RADIUS packet and CSAuth and then manipulates the data to be placed into the comma separated value CSV files CSV files can be imported into spreadsheets that support this format For info...

Page 657: ... state CSMon monitors the following key system thresholds Available hard disk space Processor utilization Physical memory utilization All events related to generic host system state are categorized as warning events Application specific performance Application viability CSMon periodically performs a test login using a special built in test account the default period is one minute Problems with thi...

Page 658: ...ead used Failed log on attempts CSMon cooperates with CSAuth to keep track of user accounts being disabled by exceeding their failed attempts count maximum This feature is more oriented to security and user support than system viability If configured it provides immediate warning of brute force attacks by alerting the administrator to a large number of accounts becoming disabled In addition it hel...

Page 659: ...events see Monitoring page G 5 These events are application specific and hard coded into Cisco Secure ACS There are two types of responses Warning events Service is maintained but some monitored threshold is breached Failure events One or more Cisco Secure ACS components stop providing service CSMon responds to the event by logging the event sending notifications if configured and if the event is ...

Page 660: ...eet the following conditions CSTacacs and CSRadius services must be configured from CSAdmin CSTacacs and CSRadius services must communicate with access devices such as access servers routers switches and firewalls The identical shared secret key must be configured both in Cisco Secure ACS and on the access device The access device IP address must be specified in Cisco Secure ACS The type of securi...

Page 661: ...ut 12 8 timeout values 12 7 AAA servers adding 4 23 configuring 4 23 deleting 4 27 editing 4 25 enabling in interface table 3 5 in distributed systems 4 3 master 8 11 overview 4 20 primary 8 11 replicating 8 11 searching for 4 8 secondary 8 11 troubleshooting A 1 access devices 1 5 accessing Cisco Secure ACS how to 1 29 URL 1 26 access policies See administrative access policies accountActions tab...

Page 662: ...rk configuration F 25 for modifying TACACS and RADIUS settings F 19 for setting and deleting values F 5 in accountActions F 4 ActivCard user databases configuring 11 60 group mappings 12 12 RADIUS based group specifications 12 22 Administration Audit log configuring 9 12 CSV file directory 9 14 viewing 9 15 Administration Control audit policy setup 10 18 session policies 10 16 administrative acces...

Page 663: ...entication configuration 8 81 overview 1 7 request handling 12 3 via external user databases 11 5 Windows 11 11 authorization 1 15 authorization sets See command authorization sets AV attribute value pairs RADIUS Cisco IOS C 2 IETF C 12 See also RADIUS VSAs vendor specific attributes TACACS accounting B 4 general B 1 Axent user databases See PassGo user databases B Backup and Restore log directory...

Page 664: ... Cisco IOS RADIUS AV attribute value pairs C 2 group attributes 6 38 user attributes 7 39 TACACS AV attribute value pairs B 1 troubleshooting A 3 CiscoSecure authentication agent 1 15 6 20 CiscoSecure database replication See replication CiscoSecure user database overview 11 2 See also databases codes See action codes command authorization sets adding 5 16 configuring 5 13 5 16 deleting 5 20 editi...

Page 665: ...ith D 26 import text file example D 23 overview D 1 CSV comma separated values files downloading 9 15 file name formats 9 13 logging 9 15 logging format 9 1 custom attributes in group level TACACS settings 6 29 in user level TACACS settings 7 22 D database group mappings configuring for token servers 12 13 for Windows NT 2000 domains 12 18 no access groups 12 16 order 12 21 deleting group set mapp...

Page 666: ...feWord user databases unknown users 12 1 user CiscoSecure user databases 8 2 Windows user databases 11 7 data source names for RDMBS synchronization 8 41 using with ODBC databases 11 39 11 52 date format control 8 3 DbSync log directory 9 14 debug logs detail levels 9 30 frequency 9 30 troubleshooting A 10 default group in Group Setup 6 2 default group mapping for windows 12 16 default time of day...

Page 667: ... domain names Windows operating systems 11 11 downloadable PIX ACLs adding 5 4 assigning to groups 6 28 assigning to users 7 21 configuring 5 4 deleting 5 5 enabling in interface group level 3 5 user level 3 4 overview 5 2 draft ietf radius tunnel auth 1 6 dump files creating database dump files D 8 loading a database from a dump file D 9 E EAP Extensible Authentication Protocol overview 1 12 EAP ...

Page 668: ...9 20 viewing 9 15 failed log on attempts G 6 failure events customer defined actions G 7 predefined actions G 7 fallbacks on failed connection 4 6 finding users 7 54 firewalls administering AAA servers through 1 21 troubleshooting A 13 G gateways E 3 generic LDAP user databases authentication 11 16 configuring options 11 22 procedure 11 28 directed authentications 11 18 domain filtering 11 18 fail...

Page 669: ...6 6 configuration specific 6 15 configuring common 6 3 device management command authorization sets 6 35 IP address assignment method 6 27 max sessions 6 11 network access restrictions 6 7 password aging rules 6 20 shell command authorization sets 6 31 TACACS 6 2 6 29 time of day access 6 5 token cards 6 16 usage quotas 6 13 setting up and managing 6 1 sort order within group mappings 12 15 specif...

Page 670: ... CSTacacs and CSRadius G 8 setting assignment method for user groups 6 27 IP pools address recovery 8 67 deleting 8 66 DHCP 8 61 enabling in interface 3 5 overlapping 8 61 8 63 refreshing 8 62 resetting 8 65 servers adding IP pools 8 63 overview 8 60 replicating IP pools 8 60 user IP addresses 7 12 L LAN manager 1 12 latency networks 2 18 LDAP See generic LDAP user databases LDAP databases See gen...

Page 671: ...onization 8 10 remote logging centralized 9 24 configuring 9 26 diabling 9 28 enabling in interface 3 5 logging hosts 9 23 options 9 25 overview 9 23 See also Reports and Activity services configuring service logs 9 30 list of logs generated 9 29 system logs 9 11 TACACS logs 9 5 troubleshooting A 12 user data attributes 9 2 VoIP logs 9 5 watchdog packets 9 4 login process test frequency 8 56 login...

Page 672: ...ss restrictions network access quotas 1 17 network access restrictions adding 5 9 configuring 5 8 deleting 5 13 editing 5 5 5 11 enabling in interface group level 3 5 user level 3 4 in Group Setup 6 7 interface configuration 3 5 in User Setup 6 7 7 12 overview 5 6 network access servers See AAA clients network configuration 4 1 network device groups adding 4 28 assigning AAA clients to 4 29 assign...

Page 673: ...tion sample procedure 11 46 configuring 11 51 data source names 9 20 11 39 DSN configuration 11 50 group mappings 12 12 group specifications CHAP 11 48 PAP 11 47 vs group mappings 12 13 PAP authentication sample procedures 11 45 password case sensitivity 11 44 stored procedures CHAP authentication 11 48 implementing 11 43 PAP authentication 11 46 type definitions 11 44 supported protocols 1 10 use...

Page 674: ...g 1 13 inbound passwords 1 13 outbound passwords 1 13 separate passwords 1 13 single password 1 13 token caching 1 13 token cards 1 13 expiration 6 22 import utility D 13 local management 8 5 post login greeting 6 23 protocols and user database compatibility 1 9 protocols supported 1 10 remote change 8 5 See also password aging user changeable 1 15 validation options in System Configuration 8 5 PE...

Page 675: ...le components proxy character strings defining 4 6 stripping 4 6 configuring 4 32 in enterprise settings 4 7 overview 4 4 See also Proxy Distribution Table sending accounting packets 4 7 troubleshooting A 11 Proxy Distribution Table adding entries 4 33 configuring 4 32 default entry 4 4 4 33 deleting entries 4 36 editing entries 4 35 match order sorting 4 35 overview 4 32 See also proxy Q quotas S...

Page 676: ... 9 20 RADIUS user databases configuring 11 60 group mappings 12 12 RADIUS based group specifications 12 22 RADIUS VSAs vendor specific attributes Ascend in Group Setup 6 41 in User Setup 7 42 supported attributes C 30 Cisco Aironet in Group Setup 6 39 in User Setup 7 40 Cisco BBSM Building Broadband Service Manager in Group Setup 6 49 in User Setup 7 51 supported attributes C 12 Cisco IOS PIX in G...

Page 677: ...ata source name configuration 8 41 disabling 8 46 enabling in interface 3 5 import definitions F 1 log CSV comma separated values file directory 9 14 viewing 9 15 manual initialization 8 43 network configuration 8 32 overview 8 30 partners 8 42 preparing to use 8 37 report and error handling 8 37 user related configuration 8 31 README TXT xxix Registry G 2 rejection mode general 12 3 Windows NT 20...

Page 678: ...n 3 5 IP pools 8 10 8 60 logging 8 17 manual initiation 8 24 master AAA servers 8 11 notifications 8 29 overview 8 9 partners configuring 8 28 options 8 18 scheduling 8 26 scheduling options 8 18 selecting data 8 18 unsupported 8 10 user defined RADIUS vendors 8 16 vs backup 8 16 reports See logging Reports and Activity configuring 9 17 CSV comma separated values logs 9 11 in interface 1 26 See al...

Page 679: ...mmands 3 8 overview 1 6 time of day access 3 8 service control in System Configuration 9 30 Service Monitoring log See ACS Service Monitoring log services determing status of 8 2 logs configuring 9 30 list of logs generated 9 29 management 8 55 overview 1 4 G 1 starting 8 2 stopping 8 2 session policies configuring 10 17 options 10 16 overview 10 16 shared profile components downloadable PIX ACLs ...

Page 680: ...res 11 45 type definitions integer 11 44 string 11 44 supplementary user information in User Setup 7 7 setting 7 7 synchronization See RDBMS synchronization system configuration 8 1 health G 5 messages in interface 1 26 monitoring See monitoring performance specifications 1 3 requirements 2 2 services See services T TACACS advanced TACACS settings in Group Setup 6 2 in User Setup 7 33 AV attribute...

Page 681: ...ry 9 14 enabling CSV comma separated values 9 14 ODBC 9 20 viewing 9 15 Telnet password aging 6 20 See also command authorization sets test login frequency internally 8 56 third party software requirements 2 3 thread used G 6 time of day day of week specification enabling in interface 3 4 See also date format control timeout 12 7 TLS transport level security See certification token caching 1 13 11...

Page 682: ...words D 17 unknown user policies configuring 12 10 in external user databases 11 3 12 9 overview 12 8 See also unknown users unknown users handling methods 12 1 network access authorization 12 8 See also unknown user policies upgrade troubleshooting A 11 usage quotas in Group Setup 6 13 in Interface Configuration 3 5 in User Setup 7 18 overview 1 17 resetting for groups 6 52 for single users 7 57 ...

Page 683: ...ronization 8 31 relationship to groups 3 2 resetting accounts 7 58 saving settings 7 59 See also User Setup supplementary information 7 7 troubleshooting A 14 types discovered 12 2 known 12 2 unknown 12 2 VPDN dialup E 2 User Setup basic options 7 4 configuring 7 2 deleting user accounts 7 56 saving settings 7 59 Users in Group button 6 52 V validation of passwords 8 5 Vasco user databases group m...

Page 684: ...tributes W warning events G 5 G 7 watchdog packets configuring on AAA clients 4 17 configuring on AAA servers 4 24 web servers G 2 Windows operating systems authentication order 12 6 Cisco Secure ACS related services services 8 2 dial up networking 11 11 dial up networking clients domain field 11 10 password field 11 10 username field 11 10 Domain list effect of 12 6 domains domain names 11 11 12 ...

Page 685: ...696 01 Version 3 1 Index remapping 12 18 mapping database groups to AAA groups 12 14 overview 11 7 passwords 1 10 rejection mode 12 4 request handling 12 4 trust relationships 11 9 user changeable passwords 11 13 user manager 11 14 wireless network topologies 2 8 ...

Page 686: ...Index IN 26 User Guide for Cisco Secure ACS for Windows Server 78 14696 01 Version 3 1 ...

Reviews:

No comments