manualshive.com logo in svg

Cisco 3.3, User Manual

Get your hands on the comprehensive User Manual for the Cisco 3.3, available for free download exclusively at manualshive.com. This invaluable resource provides detailed instructions and insights into operating and maximizing the potential of this cutting-edge product. Don't miss out on the ultimate user guide for the Cisco 3.3.

Share
Download
background image

 

Appendix D      CSUtil Database Utility

PAC File Generation

D-42

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

-f 

list

—CSUtil.exe generates a PAC file for each username contained in 

the file specified, where 

list

 represents the full path and filename of the 

list of usernames.

Lists of usernames should contain one username per line with no 
additional spaces or other characters.

For example, if list.txt in d:\temp\pacs contains the following usernames:

seaniemop

jwiedman

echamberlain

and you ran 

CSUtil.exe -t -f d:\temp\pacs\list.txt

, CSUtil.exe generates 

three PAC files: 

seaniemop.pac

jwiedman.pac

, and 

echamberlain.pac

.

Tip

You can also specify domain-qualified usernames, using the format 

DOMAIN

\

username

. For example, if you specify 

ENIGINEERING\augustin

Cisco Secure ACS generates a PAC file name 

ENGINEERING_augustin.pac

.

-passwd 

password

—CSUtil.exe uses the password specified, rather than the 

default password, to protect the PAC files it generates. The password you 
specify is required when the PACs it protects are loaded into an EAP-FAST 
end-user client.

Note

We recommend that you use a password you devise rather than the 
default password.

PAC passwords 

can contain any character

are 

between four and 128 

characters long, and 

case sensitive. While CSUtil.exe does not enforce strong  

password rules, we 

recommend that you use a strong password, that is, your  

PAC password 

should:

Be very long.

Contain uppercase and lowercase letters.

Contain numbers in addition to letters.

Contain no common words or names.

Summary of Contents for 3.3

Page 1: ...st Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 User Guide for Cisco Secure ACS for Windows Server Version 3 3 May 2004 Customer Order Number DOC 7816592 Text Part Number 78 16592 01 ...

Page 2: ...INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES User Guide for Cisco Secure ACS for Windows Server Copyright 2004 Cisco Systems Inc All rights reserved CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Brows...

Page 3: ...ion Feedback xxxvi Obtaining Technical Assistance xxxvii Cisco Technical Support Website xxxvii Submitting a Service Request xxxvii Definitions of Service Request Severity xxxviii Obtaining Additional Publications and Information xxxix C H A P T E R 1 Overview 1 1 The Cisco Secure ACS Paradigm 1 2 Cisco Secure ACS Specifications 1 3 System Performance Specifications 1 3 Cisco Secure ACS Windows Se...

Page 4: ...isco Device Management Applications 1 19 Other Authorization Related Features 1 21 Accounting 1 22 Other Accounting Related Features 1 22 Administration 1 23 HTTP Port Allocation for Administrative Sessions 1 23 Network Device Groups 1 24 Other Administration Related Features 1 24 Posture Validation 1 25 Cisco Secure ACS HTML Interface 1 25 About the Cisco Secure ACS HTML Interface 1 26 HTML Inter...

Page 5: ...isco Secure ACS 2 2 System Requirements 2 2 Hardware Requirements 2 2 Operating System Requirements 2 2 Third Party Software Requirements 2 3 Network and Port Requirements 2 4 Basic Deployment Factors for Cisco Secure ACS 2 6 Network Topology 2 6 Dial Up Topology 2 6 Wireless Network 2 9 Remote Access using VPN 2 12 Remote Access Policy 2 14 Security Policy 2 15 Administrative Access Policy 2 15 S...

Page 6: ...ation Options for RADIUS 3 11 Setting Protocol Configuration Options for IETF RADIUS Attributes 3 16 Setting Protocol Configuration Options for Non IETF RADIUS Attributes 3 17 C H A P T E R 4 Network Configuration 4 1 About Network Configuration 4 1 About Distributed Systems 4 2 AAA Servers in Distributed Systems 4 3 Default Distributed System Settings 4 3 Proxy in Distributed Systems 4 4 Fallback...

Page 7: ...Client or AAA Server to an NDG 4 30 Reassigning a AAA Client or AAA Server to an NDG 4 31 Renaming a Network Device Group 4 32 Deleting a Network Device Group 4 32 Proxy Distribution Table Configuration 4 34 About the Proxy Distribution Table 4 34 Adding a New Proxy Distribution Table Entry 4 35 Sorting the Character String Match Order of Distribution Entries 4 36 Editing a Proxy Distribution Tabl...

Page 8: ...Restriction 5 19 Editing a Shared Network Access Restriction 5 23 Deleting a Shared Network Access Restriction 5 24 Command Authorization Sets 5 25 About Command Authorization Sets 5 26 Command Authorization Sets Description 5 26 Command Authorization Sets Assignment 5 28 Case Sensitivity and Command Authorization 5 29 Arguments and Command Authorization 5 29 About Pattern Matching 5 30 Adding a C...

Page 9: ...signment Method for a User Group 6 28 Assigning a Downloadable IP ACL to a Group 6 30 Configuring TACACS Settings for a User Group 6 31 Configuring a Shell Command Authorization Set for a User Group 6 33 Configuring a PIX Command Authorization Set for a User Group 6 35 Configuring Device Management Command Authorization for a User Group 6 37 Configuring IETF RADIUS Settings for a User Group 6 38 C...

Page 10: ...s 7 3 Adding a Basic User Account 7 4 Setting Supplementary User Information 7 6 Setting a Separate CHAP MS CHAP ARAP Password 7 7 Assigning a User to a Group 7 8 Setting User Callback Option 7 9 Assigning a User to a Client IP Address 7 10 Setting Network Access Restrictions for a User 7 11 Setting Max Sessions Options for a User 7 16 Setting User Usage Quotas Options 7 18 Setting Options for Use...

Page 11: ...isco Aironet RADIUS Parameters for a User 7 41 Setting Ascend RADIUS Parameters for a User 7 43 Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7 44 Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7 46 Setting Microsoft RADIUS Parameters for a User 7 47 Setting Nortel RADIUS Parameters for a User 7 49 Setting Juniper RADIUS Parameters for a User 7 51 Setting BBSM ...

Page 12: ...p File Locations 8 10 Directory Management 8 10 Components Backed Up 8 10 Reports of Cisco Secure ACS Backups 8 11 Backup Options 8 11 Performing a Manual Cisco Secure ACS Backup 8 12 Scheduling Cisco Secure ACS Backups 8 12 Disabling Scheduled Cisco Secure ACS Backups 8 13 Cisco Secure ACS System Restore 8 14 About Cisco Secure ACS System Restore 8 14 Backup Filenames and Locations 8 15 Component...

Page 13: ...se Replication Versus Database Backup 9 10 Database Replication Logging 9 10 Replication Options 9 11 Replication Components Options 9 11 Outbound Replication Options 9 12 Inbound Replication Options 9 15 Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes 9 15 Configuring a Secondary Cisco Secure ACS 9 17 Replicating Immediately 9 19 Scheduling Replication 9 21 Disabling C...

Page 14: ...DBMS Setup Options 9 38 Synchronization Scheduling Options 9 39 Synchronization Partners Options 9 39 Performing RDBMS Synchronization Immediately 9 40 Scheduling RDBMS Synchronization 9 41 Disabling Scheduled RDBMS Synchronizations 9 43 IP Pools Server 9 44 About IP Pools Server 9 44 Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 9 45 Refreshing the AAA Server IP Pools Table ...

Page 15: ... Master Key and PAC TTLs 10 21 Replication and EAP FAST 10 22 Enabling EAP FAST 10 25 Global Authentication Setup 10 26 Authentication Configuration Options 10 27 Configuring Authentication Options 10 33 Cisco Secure ACS Certificate Setup 10 34 Installing a Cisco Secure ACS Server Certificate 10 35 Adding a Certificate Authority Certificate 10 37 Editing the Certificate Trust List 10 38 Managing C...

Page 16: ...butes in Logs 11 4 Update Packets in Accounting Logs 11 5 About Cisco Secure ACS Logs and Reports 11 6 Accounting Logs 11 6 Dynamic Administration Reports 11 9 Viewing the Logged in Users Report 11 10 Deleting Logged in Users 11 11 Viewing the Disabled Accounts Report 11 12 Cisco Secure ACS System Logs 11 13 Configuring the Administration Audit Log 11 14 Working with CSV Logs 11 15 CSV Log File Na...

Page 17: ...ed 11 32 Configuring Service Logs 11 33 C H A P T E R 12 Administrators and Administrative Policy 12 1 Administrator Accounts 12 1 About Administrator Accounts 12 2 Administrator Privileges 12 3 Adding an Administrator Account 12 6 Editing an Administrator Account 12 7 Unlocking a Locked Out Administrator Account 12 10 Deleting an Administrator Account 12 11 Access Policy 12 11 Access Policy Optio...

Page 18: ... Windows Dial up Networking Clients with a Domain Field 13 10 Windows Dial up Networking Clients without a Domain Field 13 11 Usernames and Windows Authentication 13 11 Username Formats and Windows Authentication 13 11 Non domain qualified Usernames 13 13 Domain Qualified Usernames 13 14 UPN Usernames 13 14 EAP and Windows Authentication 13 15 EAP TLS Domain Stripping 13 16 Machine Authentication ...

Page 19: ...Databases 13 50 User Contexts 13 51 Novell NDS External User Database Options 13 52 Configuring a Novell NDS External User Database 13 53 ODBC Database 13 55 What is Supported with ODBC User Databases 13 57 Cisco Secure ACS Authentication Process with an ODBC External User Database 13 58 Preparing to Authenticate Users with an ODBC Compliant Relational Database 13 59 Implementation of Stored Proce...

Page 20: ...se 13 76 Token Server User Databases 13 78 About Token Servers and Cisco Secure ACS 13 78 Token Servers and ISDN 13 79 RADIUS Enabled Token Servers 13 79 About RADIUS Enabled Token Servers 13 80 Token Server RADIUS Authentication Request and Response Contents 13 80 Configuring a RADIUS Token Server External User Database 13 81 RSA SecurID Token Servers 13 84 Configuring an RSA SecurID Token Server...

Page 21: ... Rule Configuration Options 14 24 Creating a Local Policy 14 25 External Policies 14 28 About External Policies 14 28 External Policy Configuration Options 14 29 Creating an External Policy 14 32 Editing a Policy 14 34 Deleting a Policy 14 36 C H A P T E R 15 Unknown User Policy 15 1 Known Unknown and Discovered Users 15 2 Authentication and Unknown Users 15 4 About Unknown User Authentication 15 ...

Page 22: ...H A P T E R 16 User Group Mapping and Specification 16 1 About User Group Mapping and Specification 16 1 Group Mapping by External User Database 16 2 Creating a Cisco Secure ACS Group Mapping for a Token Server ODBC Database or LEAP Proxy RADIUS Server Database 16 3 Group Mapping by Group Set Membership 16 4 Group Mapping Order 16 5 No Access Group for Group Set Mappings 16 5 Default Group Mapping...

Page 23: ... 10 Debug Issues A 14 Proxy Issues A 15 Installation and Upgrade Issues A 16 MaxSessions Issues A 16 Report Issues A 17 Third Party Server Issues A 19 User Authentication Issues A 20 TACACS and RADIUS Attribute Issues A 22 A P P E N D I X B TACACS Attribute Value Pairs B 1 Cisco IOS AV Pair Dictionary B 1 TACACS AV Pairs B 2 TACACS Accounting AV Pairs B 4 A P P E N D I X C RADIUS Attributes C 1 Ci...

Page 24: ...ility D 1 Location of CSUtil exe and Related Files D 2 CSUtil exe Syntax D 2 CSUtil exe Options D 3 Displaying Command Line Syntax D 5 Backing Up Cisco Secure ACS with CSUtil exe D 6 Restoring Cisco Secure ACS with CSUtil exe D 7 Creating a CiscoSecure User Database D 8 Creating a Cisco Secure ACS Database Dump File D 10 Loading the Cisco Secure ACS Database from a Dump File D 11 Compacting the Ci...

Page 25: ... Vendor and VSA Set D 31 Listing Custom RADIUS Vendors D 32 Exporting Custom RADIUS Vendor and VSA Sets D 33 RADIUS Vendor VSA Import File D 34 About the RADIUS Vendor VSA Import File D 34 Vendor and VSA Set Definition D 35 Attribute Definition D 36 Enumeration Definition D 38 Example RADIUS Vendor VSA Import File D 39 PAC File Generation D 40 PAC File Options and Examples D 41 Generating PAC File...

Page 26: ...eleting Values F 5 Action Codes for Creating and Modifying User Accounts F 7 Action Codes for Initializing and Modifying Access Filters F 14 Action Codes for Modifying TACACS and RADIUS Group and User Settings F 19 Action Codes for Modifying Network Configuration F 25 Cisco Secure ACS Attributes and Action Codes F 32 User Specific Attributes F 32 User Defined Attributes F 34 Group Specific Attribu...

Page 27: ...xxvii User Guide for Cisco Secure ACS for Windows Server 78 16592 01 Contents CSMon G 4 Monitoring G 5 Recording G 6 Notification G 7 Response G 7 CSTacacs and CSRadius G 8 I N D E X ...

Page 28: ...Contents xxviii User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 29: ...pters and appendixes Chapter 1 Overview An overview of Cisco Secure ACS and its features network diagrams and system requirements Chapter 2 Deployment Considerations A guide to deploying Cisco Secure ACS that includes requirements options trade offs and suggested sequences Chapter 3 Interface Configuration Concepts and procedures regarding how to use the Interface Configuration section of Cisco Se...

Page 30: ... Chapter 10 System Configuration Authentication and Certificates Concepts and procedures regarding the Global Authentication and ACS Certificate Setup pages found in the System Configuration section of Cisco Secure ACS Chapter 11 Logs and Reports Concepts and procedures regarding Cisco Secure ACS logging and reports Chapter 12 Administrators and Administrative Policy Concepts and procedures for es...

Page 31: ...o Virtual Private Dial up Networks VPDN including stripping and tunneling with instructions for enabling VPDN on Cisco Secure ACS Appendix F RDBMS Synchronization Import Definitions A list of import definitions for use with the RDBMS Synchronization feature Appendix G Internal Architecture A description of Cisco Secure ACS architectural components Conventions This document uses the following conve...

Page 32: ... potential breach in your network security Warning Identifies information that you must heed to prevent damaging yourself the state of software or equipment Warnings identify definite security breaches that will result if the information presented is not followed carefully Product Documentation Note We sometimes update the printed and electronic documentation after original publication Therefore y...

Page 33: ...n the product CD ROM On Cisco com Printed document available by order part number DOC 7816530 1 Installation and User Guide for Cisco Secure ACS User Changeable Passwords PDF on the product CD ROM On Cisco com Supported and Interoperable Devices and Software Tables for Cisco Secure ACS for Windows Server On Cisco com Recommended Resources for the Cisco Secure ACS User On Cisco com Online Documenta...

Page 34: ...work topology regarding AAA user database choices password protocol choices access requirements and capabilities of Cisco Secure ACS Cisco Secure ACS for Windows vs Cisco Secure ACS for UNIX This bulletin compares the overall feature sets of Cisco Secure ACS for Windows and CiscoSecure ACS for UNIX It also examines the advantages and disadvantages of both platforms and discusses issues related to ...

Page 35: ...on practices for deploying Cisco Secure ACS for Windows Server in an enterprise network It discusses network topology user database choices access requirements integration of external databases and capabilities of Cisco Secure ACS Initializing MC Authorization on ACS 3 1 This application note explains how to initialize Management Center authorization on Cisco Secure ACS Securing ACS Running on Mic...

Page 36: ...ns for ordering documentation at this URL http www cisco com univercd cc td doc es_inpck pdi htm You can order Cisco documentation in these ways Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Ordering tool http www cisco com en US partner ordering index shtml Nonregistered Cisco com users can order documentation through a local account representati...

Page 37: ...rt If you do not hold a valid Cisco service contract contact your reseller Cisco Technical Support Website The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies The website is available 24 hours a day 365 days a year at this URL http www cisco com techsupport Access to all tools on the Cisco T...

Page 38: ...C contacts go to this URL http www cisco com techsupport contacts Definitions of Service Request Severity To ensure that all service requests are reported in a standard format Cisco has established severity definitions Severity 1 S1 Your network is down or there is a critical impact to your business operations You and Cisco will commit all necessary resources around the clock to resolve the situat...

Page 39: ...co Press titles and other information go to Cisco Press at this URL http www ciscopress com Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments Each quarter Packet delivers coverage of the latest industry trends technology breakthroughs and Cisco products and solutions as well as network deployment and troubleshooting tips configuration e...

Page 40: ...l published by Cisco Systems for engineering professionals involved in designing developing and operating public and private internets and intranets You can access the Internet Protocol Journal at this URL http www cisco com ipj World class networking training is available from Cisco You can view current offerings at this URL http www cisco com en US learning index html ...

Page 41: ...sco Secure ACS Windows Services page 1 4 AAA Server Functions and Concepts page 1 5 Cisco Secure ACS and the AAA Client page 1 6 AAA Protocols TACACS and RADIUS page 1 6 Authentication page 1 8 Authorization page 1 17 Accounting page 1 22 Administration page 1 23 Posture Validation page 1 25 Cisco Secure ACS HTML Interface page 1 25 About the Cisco Secure ACS HTML Interface page 1 26 HTML Interfac...

Page 42: ...rs can quickly administer accounts and globally change levels of service offerings for entire groups of users Although the external user database shown in Figure 1 1 is optional support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories Cisco Secure ACS supp...

Page 43: ...CS are largely dependent upon the Windows server it is installed upon your network topology and network management the selection of user databases and other factors For example Cisco Secure ACS can perform many more authentications per second if it is using its internal user database and running on a computer using the fastest processor and network interface card available than it can if it is usi...

Page 44: ...nfigurations This limitation is primarily a limitation of the Cisco Secure ACS HTML interface Performance of the HTML interface degrades when Cisco Secure ACS has more than approximately 5000 AAA client configurations However a AAA client configuration in Cisco Secure ACS can represent more than one physical network device provided that the network devices use the same AAA protocol and use the sam...

Page 45: ...f Cisco Secure ACS performance and includes automatic response to some scenarios CSTacacs Provides communication between TACACS AAA clients and the CSAuth service CSRadius Provides communication between RADIUS AAA clients and the CSAuth service Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS HTML int...

Page 46: ...ses it is configured to query Cisco Secure ACS returns a success or failure response to the AAA client which permits or denies user access based on the response it receives When the user authenticates successfully Cisco Secure ACS sends a set of authorization attributes to the AAA client The AAA client then begins forwarding accounting information to Cisco Secure ACS When the user has successfully...

Page 47: ...9 RADIUS Accounting RFC 2865 RFC 2866 RFC 2867 Table 1 1 TACACS and RADIUS Protocol Comparison Point of Comparison TACACS RADIUS Transmission Protocol TCP connection oriented transport layer protocol reliable full duplex data transmission UDP connectionless transport layer protocol datagram exchange without acknowledgments or guaranteed delivery Ports Used 49 Authentication and Authorization 1645 ...

Page 48: ...RADIUS VSAs that you define After you define a new RADIUS VSA you can use it as you would one of the RADIUS VSAs that come predefined in Cisco Secure ACS In the Network Configuration section of the Cisco Secure ACS HTML interface you can configure a AAA client to use a user defined RADIUS VSA as its AAA protocol In Interface Configuration you can enable user level and group level attributes for us...

Page 49: ...ured Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access To reduce the risk of password capturing on the network use encryption Client and server access control protocols such as TACACS and RADIUS encrypt passwords to prevent them from being captured within a network How...

Page 50: ...out token server support see Token Server User Databases page 13 78 Authentication Protocol Database Compatibility The various password protocols supported by Cisco Secure ACS for authentication are supported unevenly by the various databases supported by Cisco Secure ACS For more information about the password protocols supported by Cisco Secure ACS see Passwords page 1 11 Table 1 2 specifies non...

Page 51: ...tication Protocol and User Database Compatibility continued Database ASCII PAP CHAP ARAP MS CHAP v 1 MS CHAP v 2 Table 1 3 EAP Authentication Protocol and User Database Compatibility Database LEAP EAP MD5 EAP TLS PEAP EAP GTC PEAP EAP MS CHAPv2 EAP FAST Phase Zero EAP FAST Phase Two Cisco Secure ACS Yes Yes Yes Yes Yes Yes Yes Windows SAM Yes No No Yes Yes Yes Yes Windows AD Yes No Yes Yes Yes Yes...

Page 52: ...ity for the client PAP allows authentication against the Windows database With this configuration users need to log in only once CHAP allows a higher level of security for encrypting passwords when communicating from an end user client to the AAA client You can use CHAP with the CiscoSecure user database ARAP support is included to support Apple clients Comparing PAP CHAP and ARAP PAP CHAP and ARA...

Page 53: ...es additional failure codes in the Failure packet Message field For more information on MS CHAP refer to RFC draft ietf pppext mschap 00 txt RADIUS Attributes for MS CHAP Support EAP Support The Extensible Authentication Protocol EAP based on IETF 802 1x is an end to end framework that allows the creation of authentication types without changing AAA client configurations For more information about...

Page 54: ... is the same as the PAP password and the PAP password is transmitted in clear text during an ASCII PAP login there is the chance that the CHAP password can be compromised Separate passwords for ASCII PAP and CHAP MS CHAP ARAP For a higher level of security users can be given two separate passwords If the ASCII PAP password is compromised the CHAP ARAP password can remain secure External user datab...

Page 55: ... AAA client to authenticate itself to another AAA client or an end user client via outbound authentication The outbound authentication can be PAP CHAP or ARAP With outbound authentication the Cisco Secure ACS password is given out By default ASCII PAP or CHAP ARAP password is used depending on how this has been configured however we recommend that the separate SENDAUTH password be configured for t...

Page 56: ...cure ACS you can install a separate program that enables users to change their passwords by using a web based utility For more information about installing user changeable passwords see the Installation and User Guide for Cisco Secure ACS User Changeable Passwords Other Authentication Related Features In addition to the authentication related features discussed in this section the following featur...

Page 57: ...ould make it possible for a service provider to offer a 30 day free trial The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday 9 A M to 5 P M You can restrict users to a service or combination of services such as PPP AppleTalk Remote Access ARA Serial Line Internet Protocol SLIP or EXEC After a service is selecte...

Page 58: ...or all users in any one department In addition to enabling simple User and Group Max Sessions control Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group based User Max Sessions value that is a User Max Sessions value based on the group membership of the user For example an administrator can allocate a Group Max Sessions value of 50 to the group Sales and a...

Page 59: ...or specifying authorization profile components that you can apply to multiple user groups and users For example you may have multiple user groups that have identical network access restrictions Rather than configuring the network access restrictions several times once per group you can configure a network access restriction set in the Shared Profile Components section of the HTML interface and the...

Page 60: ...ized by TACACS The custom service appears on the TACACS Cisco IOS page in the Interface Configuration section of the HTML interface For information about enabling TACACS services see Protocol Configuration Options for TACACS page 3 7 For information about device command authorization sets for management applications see Command Authorization Sets page 5 25 After the management application has dict...

Page 61: ...sable groups of users see Group Disablement page 6 4 Ability to restrict time of day and day of week access see Setting Default Time of Day Access for a User Group page 6 5 Network access restrictions NARs based on remote address caller line identification CLID and dialed number identification service DNIS see Setting Network Access Restrictions for a User Group page 6 8 Downloadable ACLs for user...

Page 62: ...sages with username provides caller line identification information records the duration of each session RADIUS Accounting Lists when sessions stop and start records AAA client messages with username provides caller line identification information records the duration of each session Administrative Accounting Lists commands entered on a network device with TACACS command authorization enabled For ...

Page 63: ...zed access to your network by a port open for administrative sessions We do not recommend that you administer Cisco Secure ACS through a firewall Doing so requires that you configure the firewall to permit HTTP traffic over the range of HTTP administrative session ports that Cisco Secure ACS uses While narrowing this range reduces the risk of unauthorized access a greater risk of attack remains if...

Page 64: ... a large geographical area to logically organize its environment within Cisco Secure ACS to reflect the physical setup For example all routers in Europe could belong to a group named Europe all routers in the United States could belong to a US group and so on This would be especially convenient if the AAA clients in each region were administered along the same divisions Alternatively the environme...

Page 65: ... Validation Cisco Secure ACS supports Network Admission Control NAC by providing posture validation services to NAC compliant AAA clients and the NAC client computers seeking network access using those AAA clients NAC provides a powerful means to defend your network The data with which you can configure Cisco Secure ACS to evaluate posture validation requests can include operating system patch lev...

Page 66: ...owser The design primarily uses HTML along with some Java functions to enhance ease of use This design keeps the interface responsive and straightforward The inclusion of Java requires that the browser used for administrative sessions supports Java For a list of supported browsers see the Release Notes The most recent revision to the Release Notes is posted on Cisco com http www cisco com The HTML...

Page 67: ...task buttons Each button changes the configuration area see below to a unique section of the Cisco Secure ACS application such as the User Setup section or the Interface Configuration section This frame does not change it always contains the following buttons User Setup Add and edit user profiles For more information about the User Setup section see Chapter 7 User Management Group Setup Configure ...

Page 68: ...ormation about configuring databases see Chapter 13 User Databases For information about the Unknown User Policy see Chapter 15 Unknown User Policy For information about user group mapping see Chapter 16 User Group Mapping and Specification Reports and Activity Display accounting and logging information For information about viewing reports see Chapter 11 Logs and Reports Online Documentation View...

Page 69: ... incomplete data For example if the information you entered in the Password box does not match the information in the Confirm Password box in the User Setup section Cisco Secure ACS displays an error message here The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly Uniform Resource Locator for the HTML Interface You can access th...

Page 70: ...ive sessions take place without the use of an HTTP proxy server without a firewall between the browser and Cisco Secure ACS and without a NAT gateway between the browser and Cisco Secure ACS Because these limitations are not always practical this section discusses how various network environmental issues affect administrative sessions This section contains the following topics Administrative Sessi...

Page 71: ...isco Secure ACS and the firewall This is because Cisco Secure ACS assigns a random HTTP port at the beginning of an administrative session To allow administrative sessions from browsers outside a firewall that protects Cisco Secure ACS the firewall must permit HTTP traffic across the range of ports that Cisco Secure ACS is configured to use You can control the HTTP port range using the HTTP port a...

Page 72: ...configured in the Administration Control section If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section Cisco Secure ACS requires a valid administrator name and password for administrative sessions accessed from a browser on the computer running Cisco Secure ACS Before You Begin Determine whether a supported web browser is in...

Page 73: ... HTML Interface When you are finished using the HTML interface we recommend that you log off While Cisco Secure ACS can timeout unused administrative sessions logging off prevents unauthorized access by someone using the browser after you or by unauthorized persons using the HTTP port left open to support the administrative session To log off the Cisco Secure ACS HTML interface click the Logoff bu...

Page 74: ...ormation icon at the bottom of the page To view an applicable section of the online documentation click the Section Information icon Back to Help Wherever you find a online help page with a Section Information icon the corresponding page in the configuration area contains a Back to Help icon If you have accessed the online documentation by clicking a Section Information icon and want to view the o...

Page 75: ... the table of contents and click the applicable topic The online documentation for the topic selected appears in the display area Step 3 If you want to select a topic from the index follow these steps a Click Index The index appears in the display area b Scroll through the index to find an entry for the topic you are researching Tip Use the lettered shortcut links to jump to a particular section o...

Page 76: ...Chapter 1 Overview Cisco Secure ACS HTML Interface 1 36 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 77: ...of AAA clients became more dispersed more capability was required of the AAA server Regional and then global requirements became common Today Cisco Secure ACS is required to provide AAA services for dial up access dial out access wireless VLAN access firewalls VPN concentrators administrative controls and more The list of external databases supported has also continued to grow and the use of multi...

Page 78: ...ements page 2 4 System Requirements The computer running Cisco Secure ACS must meet the minimum hardware and software requirements detailed in the following sections Hardware Requirements The computer running Cisco Secure ACS must meet the following minimum hardware requirements Pentium III processor 550 MHz or faster 256 MB of RAM At least 250 MB of free disk space If you are running your databas...

Page 79: ...lling Cisco Secure ACS If you do not install a required service pack before installing Cisco Secure ACS the Cisco Secure ACS installation program may warn you that the required service pack is not present If you receive a service pack message continue the installation and then install the required service pack before starting user authentication with Cisco Secure ACS For the most recent informatio...

Page 80: ...n Cisco IOS AAA clients must be configured with TACACS and or RADIUS Dialin VPN or wireless clients must be able to connect to the applicable AAA clients The computer running Cisco Secure ACS must be able to ping all AAA clients Gateway devices between Cisco Secure ACS and other network devices must permit communication over the ports needed to support the applicable feature or protocol For inform...

Page 81: ...sco Secure ACS uses other ports to communicate with external user databases however it initiates those communications rather than listening to specific ports In some cases these ports are configurable such as with LDAP and RADIUS token server databases For more information about ports that a particular external user database listens to see the documentation for that database Table 2 1 Ports that C...

Page 82: ...ow your enterprise network is configured is likely to be the most important factor in deploying Cisco Secure ACS While an exhaustive treatment of this topic is beyond the scope of this guide this section details how the growth of network topology options has made Cisco Secure ACS deployment decisions more complex When AAA was created network access was restricted to either devices directly connect...

Page 83: ...ll there are few devices that require access to the Cisco Secure ACS for AAA and any database replication is limited to a secondary Cisco Secure ACS as a backup Figure 2 1 Small Dial up Network In a larger dial in environment a single Cisco Secure ACS with a backup may be suitable too The suitability of this configuration depends on network and server access latency Figure 2 2 shows an example of ...

Page 84: ...to a central Cisco Secure ACS If the need for a globally coherent user database is most important database replication or synchronization from a central Cisco Secure ACS may be necessary Authentication using external databases such as a Windows user database or the Lightweight Directory Access Protocol LDAP can further complicate the deployment of distributed localized Cisco Secure ACSes While Cis...

Page 85: ... the dial up scenario and is discussed in more detail later in this section Scaling can be a serious issue in the wireless network The mobility factor of the wireless LAN WLAN requires considerations similar to those given to the dial up network Unlike the wired LAN however the WLAN can be more readily expanded Though WLAN technology does have physical limits as to the number of users that can be ...

Page 86: ...work does not cause any significant additional load on the Cisco Secure ACS Figure 2 4 Simple WLAN In the LAN where a number of APs are deployed as in a large building or a campus environment your decisions on how to deploy Cisco Secure ACS become a little more involved Though Figure 2 5 shows all APs on the same LAN they may be distributed throughout the LAN connected via routers switches and so ...

Page 87: ...al topology is the campus WLAN This model starts to change when you deploy WLANs in many small sites that more resemble the simple WLAN shown in Figure 2 4 This model may apply to a chain of small stores distributed throughout a city or state nationally or globally Figure 2 6 63490 Macintosh server Cisco Aironet APs Novell server UNIX server Windows NT server Cisco Secure Access Control Server Dia...

Page 88: ...tained In this very large deployment model security becomes a more complicated issue too Remote Access using VPN Virtual Private Networks VPNs use advanced encryption and tunneling to permit organizations to establish secure end to end private network connections over third party networks such as the Internet or extranets Figure 2 7 The benefits of a VPN include the following Cost Savings By lever...

Page 89: ...ty and efficiency Figure 2 7 Simple VPN Configuration There are two types of VPN access into a network Site to Site VPNs Extend the classic WAN by providing large scale encryption between multiple fixed sites such as remote offices and central offices over a public network such as the Internet Remote Access VPNs Permit secure encrypted connections between mobile or remote users and their corporate...

Page 90: ...ntages and provides a unique challenge to providing AAA services This closely ties remote access policies to the enterprise network topology In addition to the method of access other decisions can also affect how Cisco Secure ACS is deployed these include specific network routing access lists time of day access individual restrictions on AAA client access access control lists ACLs and so on Remote...

Page 91: ... Network Security Policy Best Practices White Paper Delivering End to End Security in Policy Based Networks Cisco IOS Security Configuration Guide Administrative Access Policy Managing a network is a matter of scale Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network Local auth...

Page 92: ...th a small number of network devices may require only one or two individuals to administer it Local authentication on the device is usually sufficient If you require more granular control than that which authentication can provide some means of authorization is necessary As discussed earlier controlling access using privilege levels can be cumbersome Cisco Secure ACS reduces this problem In large ...

Page 93: ...to allow shell exec access For example if the administrator is dialing in to the network as a general user a AAA client would use RADIUS as the authenticating and authorizing protocol and the PPP protocol would be authorized In turn if the same administrator remotely connects to a AAA client to make configuration changes the AAA client would use the TACACS protocol for authentication and authoriza...

Page 94: ...ortably handling 100 000 users This is usually more than adequate for a corporation In an environment that exceeds these numbers the user base would typically be geographically dispersed which lends itself to the use of more than one Cisco Secure ACS configuration A WAN failure could render a local network inaccessible because of the loss of the authentication server In addition to this issue redu...

Page 95: ...to Cisco Secure ACS to ensure reliable and timely access Using a local Cisco Secure ACS with a remote database can result in the same problems as using a remote Cisco Secure ACS Another possible problem in this scenario is that a user may experience timeout problems The AAA client would be able to contact Cisco Secure ACS but Cisco Secure ACS would wait for a reply that might be delayed or never a...

Page 96: ...ons for RADIUS page 3 11 Configure System There are more than a dozen functions within the System Configuration section to be considered from setting the format for the display of dates and password validation to configuring settings for database replication and RDBMS synchronization These functions are detailed in Chapter 8 System Configuration Basic Of particular note during initial system confi...

Page 97: ...ed Profile Components Configure Groups Having previously configured any external user databases you intend to employ and before configuring your user groups you should decide how to implement two other Cisco Secure ACS features related to external user databases unknown user processing and database group mapping For more information see About Unknown User Authentication page 15 4 and Chapter 16 Us...

Page 98: ...Chapter 2 Deployment Considerations Suggested Deployment Sequence 2 22 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 99: ... use and by adding fields for your specific configuration Note We recommend that you return to this section to review and confirm your initial settings While it is logical to begin your Cisco Secure ACS configuration efforts with configuring the interface sometimes a section of the HTML interface that you initially believed should be hidden from view may later require configuration from within thi...

Page 100: ...ionship A user can belong to only one group at a time As long as there are no conflicting attributes users inherit group settings Note If a user profile has an attribute configured differently from the same attribute in the group profile the user setting always overrides the group setting If a user has a unique configuration requirement you can make that user a part of a group and set unique requi...

Page 101: ...s To configure new user data fields follow these steps Step 1 Click Interface Configuration and then click User Data Configuration The Configure User Defined Fields page appears Check boxes in the Display column indicate which fields are configured to appear in the Supplementary User Information section at the top of the User Setup page Step 2 Select a check box in the Display column Step 3 In the...

Page 102: ... displays any advanced feature that has non default settings even if you have configured that advanced feature to be hidden If you later disable the feature or delete its settings Cisco Secure ACS hides the advanced feature The only exception is the Network Device Groups feature Regardless of whether Network Device Groups are in use they are hidden when deselected on the Advanced Options page The ...

Page 103: ... defining group level IP based and CLI DNIS based NARs on the Group Setup page Group Level Downloadable ACLs When selected this feature enables the Downloadable ACLs section on the Group Setup page Group Level Password Aging When selected this feature enables the Password Aging section on the Group Setup page The Password Aging feature enables you to force users to change their passwords Max Sessi...

Page 104: ...Settings When selected this feature enables the VoIP option on the Group Setup page Voice over IP VoIP Accounting Configuration When selected this feature enables the VoIP Accounting Configuration option on the System Configuration page This option is used to determine the logging format of RADIUS VoIP accounting packets ODBC Logging When selected this feature enables the ODBC logging sections on ...

Page 105: ...onfiguration of the Cisco Secure ACS HTML interface for TACACS settings The interface settings enable you to display or hide TACACS administrative and accounting options You can simplify the HTML interface by hiding the features that you do not use The TACACS Cisco page comprises three distinct areas as follows Tip The default interface setting presents a single column of check boxes at the group ...

Page 106: ...ntication and Outbound Password Configuration for SENDPASS and SENDAUTH clients such as routers Display a Time of Day access grid for every TACACS service where you can override the default Time of Day settings If this option is selected a grid appears on the User Setup page that enables you to override the TACACS scheduling attributes on the Group Setup page You can control the use of each TACACS...

Page 107: ...nd that the command syntax is correct This feature is disabled by default but you can enable it the same way you enable attributes and time of day access Display enable Default Undefined Service Configuration If this check box is selected an area appears on the User Setup and Group Setup pages that enables you to permit unknown TACACS services such as Cisco Discovery Protocol CDP Note This option ...

Page 108: ...ge Step 3 To add new services and protocols follow these steps a In the New Services section of the TACACS Services table type in any Service and Protocol to be added Note If you have configured Cisco Secure ACS to interact with device management applications for other Cisco products such as a Management Center for Firewalls Cisco Secure ACS may display new TACACS services as dictated by these dev...

Page 109: ...n allows you to customize the attributes that are displayed For a list of supported RADIUS AV pairs and accounting AV pairs see Appendix C RADIUS Attributes Depending on which AAA client or clients you have configured the Interface Configuration page displays different types of RADIUS protocol configuration settings choices The Interface Configuration page displays RADIUS IETF settings whenever an...

Page 110: ...erface Configuration Page Lists the Types of Settings Shown RADIUS IETF RADIUS Cisco Aironet RADIUS BBSM RADIUS Cisco IOS PIX RADIUS Micro soft RADIUS Ascend RADIUS Cisco VPN 3000 RADIUS Cisco VPN 5000 RADIUS Juniper RADIUS Nortel RADIUS IETF Yes No No No No No No No No No RADIUS Cisco Aironet Yes Yes No Yes No No No No No No RADIUS BBSM Yes No Yes No No No No No No No RADIUS Cisco IOS PIX Yes No ...

Page 111: ...nfiguration Advanced Options a User check box appears alongside the Group check box for each attribute Otherwise only the Group check box for each attribute appears By RADIUS IETF RADIUS Cisco Aironet RADIUS BBSM RADIUS Cisco IOS PIX RADIUS Micros oft RADIUS Ascend RADIUS Cisco VPN 3000 RADIUS Cisco VPN 5000 RADIUS Juniper RADIUS Nortel RADIUS Ascend Yes No No No Yes Yes No No No No RADIUS Cisco V...

Page 112: ...n located under Advanced Configuration Options enables you to specify how many values to display for tagged attributes on the User Setup and Group Setup pages Examples of tagged attributes include 064 Tunnel Type and 069 Tunnel Password For detailed steps see Setting Protocol Configuration Options for IETF RADIUS Attributes page 3 16 RADIUS Cisco IOS PIX Settings This section allows you to enable ...

Page 113: ...icrosoft Settings From this section you enable the RADIUS VSAs for RADIUS Microsoft This page appears if you configure a RADIUS Ascend or a RADIUS VPN 3000 or a RADIUS Cisco IOS PIX device For detailed procedures see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 17 RADIUS Nortel Settings From this section you enable the RADIUS VSAs for RADIUS Nortel For detailed proc...

Page 114: ...r check box appears alongside the Group check box for each attribute Note Each selected IETF RADIUS attribute must be supported by all your network devices using RADIUS To set protocol configuration options for IETF RADIUS attributes follow these steps Step 1 Click Interface Configuration and then click RADIUS IETF The RADIUS IETF page appears Step 2 For each IETF RADIUS attribute that you want to...

Page 115: ...and Group Setup portions of the Cisco Secure ACS HTML interface To set protocol configuration options for a set of RADIUS VSAs follow these steps Step 1 Click Interface Configuration Step 2 Click one of the RADIUS VSA set types displayed for example RADIUS Ascend The page listing the selected set of available RADIUS VSAs appears Note If the Per user TACACS RADIUS Attributes check box in Interface ...

Page 116: ... Options for RADIUS 3 18 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 Step 4 Click Submit at the bottom of the page According to your selections the RADIUS VSAs appear on the User Setup or Group Setup pages or both as a configurable option ...

Page 117: ...ted Systems page 4 4 Network Device Searches page 4 8 AAA Client Configuration page 4 11 AAA Server Configuration page 4 21 Network Device Group Configuration page 4 28 Proxy Distribution Table Configuration page 4 34 About Network Configuration The appearance of the page you see when you click Network Configuration differs according to the network configuration selections you made in the Interfac...

Page 118: ... the opening page To configure a AAA client or AAA server you must click the name of the NDG to which the device is assigned If the newly configured device is not assigned to an NDG it belongs to the Not Assigned group This table appears only when you have configured the interface to use NDGs For more information about this interface configuration see Advanced Options page 3 4 Proxy Distribution T...

Page 119: ... to secure network devices from unauthorized access These types of access control have unique authentication and authorization requirements With Cisco Secure ACS system administrators can use a variety of authentication methods that are used with different degrees of authorization privileges Completing the AAA functionality Cisco Secure ACS serves as a central repository for accounting information...

Page 120: ...st has been successfully authenticated the authorization privileges that have been configured for the user on the remote AAA server are passed back to the original Cisco Secure ACS where the AAA client applies the user profile information for that session Proxy provides a useful service to users such as business travelers who dial in to a network device other than the one they normally use and wou...

Page 121: ...he server distribution table as being associated with another specific AAA server The Cisco Secure ACS receiving the authentication request for mary smith corporate com then forwards the request to the AAA server with which that character string is associated The entry in the Proxy Distribution Table defines the association Administrators with geographically dispersed networks can configure and ma...

Page 122: ... string from the username When you enable stripping Cisco Secure ACS examines each authentication request for matching information When Cisco Secure ACS finds a match by character string in the Proxy Distribution Table as described in the example under Proxy in Distributed Systems page 4 4 Cisco Secure ACS strips off the character string if you have configured it to do so For example in the proxy ...

Page 123: ...s When proxy is employed Cisco Secure ACS can dispatch AAA accounting packets in one of three ways Log them locally Forward them to the destination AAA server Log them locally and forward copies to the destination AAA server Sending accounting packets to the remote Cisco Secure ACS offers several benefits When Cisco Secure ACS is configured to send accounting packets to the remote AAA server the r...

Page 124: ...base Replication page 9 1 RDBMS synchronization For more information see RDBMS Synchronization page 9 25 Remote and centralized logging For more information see Remote Logging page 11 26 Network Device Searches You can search for any network device configured in the Network Configuration section of the Cisco Secure ACS HTML interface This section contains the following topics Network Device Search...

Page 125: ...ess box to be a number a numeric range or an asterisk for example 172 16 31 Type The device type as specified by the AAA protocol it is configured to use or the kind of AAA server it is If you do not want to limit the search based on device type select Any from the Type list Device Group The NDG the device is assigned to This search criterion only appears if you have enabled Network Device Groups ...

Page 126: ...e the message No Search Results appears The table listing matching network devices includes the device name IP address and type If you have enabled Network Device Groups on the Advanced Options page in the Interface Configuration Section the table also includes the NDG of each matching network device Tip You can sort the table rows by whichever column you like in either ascending or descending ord...

Page 127: ... TACACS hardware software client This section contains the following topics AAA Client Configuration Options page 4 11 Adding a AAA Client page 4 16 Editing a AAA Client page 4 19 Deleting a AAA Client page 4 21 AAA Client Configuration Options A AAA client configuration enables Cisco Secure ACS to interact with the network devices the configuration represents A network device that does not have a...

Page 128: ...Firewalls Cisco Secure ACS only provides AAA services to devices based on IP address so it ignores such requests from a device whose AAA client configuration only has the keyword dynamic in the Client IP Address box If you want a AAA client configuration in Cisco Secure ACS to represent multiple network devices you can specify multiple IP addresses Separate each IP address by pressing Enter In eac...

Page 129: ...Options and then select the Network Device Groups check box Authenticate Using The AAA protocol to be used for communications with the AAA client The Authenticate Using list includes Cisco IOS TACACS and several vendor specific implementations of RADIUS If you have configured user defined RADIUS vendors and VSAs those vendor specific RADIUS implementations appear on the list also For information a...

Page 130: ...articular Cisco Aironet Access Point are PEAP or EAP TLS requests use RADIUS IETF instead of RADIUS Cisco Aironet Cisco Secure ACS cannot support PEAP authentication using the RADIUS Cisco Aironet protocol RADIUS Cisco BBMS RADIUS using Cisco BBMS VSAs Select this option if the network device is a Cisco BBMS network device supporting authentication via RADIUS RADIUS Cisco IOS PIX RADIUS using Cisc...

Page 131: ...gle Connect TACACS AAA Client Record stop in accounting on failure If you select TACACS Cisco IOS from the Authenticate Using list you can use this option to specify that Cisco Secure ACS use a single TCP connection for all TACACS communication with the AAA client rather than a new one for every TACACS request In single connection mode multiple requests from a network device are multiplexed over a...

Page 132: ...option is enabled Cisco Secure ACS cannot determine the number of user sessions for each user Each session uses the same session identifier the username therefore the Max Sessions feature is ineffective for users accessing the network through a AAA client with this feature enabled Adding a AAA Client You can use this procedure to add a AAA client configuration Before You Begin For descriptions of ...

Page 133: ... will only be used for command authorization of Cisco multi device management applications type dynamic Note If you only provide the keyword dynamic the AAA client configuration cannot be used by Cisco Secure ACS to provide AAA services to a network device and is used solely for command authorization of Cisco multi device management applications such as Management Center for Firewalls Step 5 In th...

Page 134: ...ackets select the Log Update Watchdog Packets from this AAA Client check box Step 10 If you want to enable logging of RADIUS tunneling accounting packets select the Log RADIUS tunneling Packets from this AAA Client check box Step 11 If you want to track session state by username rather than port number select the Replace RADIUS Port info with Username from this AAA check box Note If this option is...

Page 135: ... about deleting a AAA client configuration see Deleting a AAA Client page 4 21 For steps about creating a AAA client configuration see Adding a AAA Client page 4 16 Before You Begin For descriptions of the options available while editing a AAA client configuration see AAA Client Configuration Options page 4 11 For Cisco Secure ACS to provide AAA services to a AAA client you must ensure that gatewa...

Page 136: ... AAA client see AAA Client Configuration Options page 4 11 Note You cannot directly edit the name of a AAA client rather you must delete the AAA client entry and then re establish the entry with the corrected name For steps about deleting a AAA client entry see Deleting a AAA Client page 4 21 For steps about creating a AAA client entry see Adding a AAA Client page 4 16 Step 4 To save your changes ...

Page 137: ...delete the AAA client and have the deletion take effect immediately click Delete Restart Note Restarting Cisco Secure ACS services clears the Logged in User report and temporarily interrupts all Cisco Secure ACS services As an alternative to restarting when you delete a AAA client you can click Delete However when you do this the change does not take effect until you restart the system which you c...

Page 138: ...ions A AAA server configuration enables Cisco Secure ACS to interact with the AAA server that the configuration represents A AAA server that does not have a corresponding configuration in Cisco Secure ACS or whose configuration in Cisco Secure ACS is incorrect does not receive AAA services from Cisco Secure ACS such as proxied authentication requests database replication communication remote loggi...

Page 139: ...ds all packets from the remote AAA server Network Device Group The name of the NDG to which this AAA server should belong To make the AAA server independent of NDGs use the Not Assigned selection Note This option does not appear if you have not configured Cisco Secure ACS to use NDGs To enable NDGs click Interface Configuration click Advanced Options and then select the Network Device Groups check...

Page 140: ...tion requests to be forwarded from the remote AAA server Outbound The remote AAA server sends out authentication requests but does not receive them If a Proxy Distribution Table entry is configured to proxy authentication requests to a AAA server that is configured for Outbound the authentication request is not sent Inbound Outbound The remote AAA server forwards and accepts authentication request...

Page 141: ... In the AAA Server IP Address box type the IP address assigned to the remote AAA server Step 5 In the Key box type the shared secret that the remote AAA server and the Cisco Secure ACS use to encrypt the data up to 32 characters Note The key is case sensitive If the shared secret does not match Cisco Secure ACS discards all packets from the remote AAA server Step 6 From the Network Device Group li...

Page 142: ...his affects the Max Sessions counter and resets it to zero Editing a AAA Server Use this procedure to edit the settings for a AAA server that you have previously configured Note You cannot edit the name of a AAA server To rename a AAA server you must delete the existing AAA server entry and then add a new server entry with the new name Before You Begin For descriptions of the options available whi...

Page 143: ...e click the name of the AAA server to be edited The AAA Server Setup for X page appears Step 3 Enter or select new settings for one or more of the following fields AAA Server IP Address Key Log Update Watchdog Packets from this remote AAA Server AAA Server Type Traffic Type Step 4 To save your changes and apply them immediately click Submit Restart Tip To save your changes and apply them later cli...

Page 144: ...start Note Restarting the service clears the Logged in User report and temporarily interrupts all Cisco Secure ACS services As an alternative to restarting when you delete a AAA server in the preceding step you can click Delete However when you do this the change does not take effect until you restart the system which you can do by clicking System Configuration clicking Service Control and then cl...

Page 145: ...hoose to configure NDGs make sure you leave the Network Device Groups option selected on the Advanced Option page This section contains the following topics Adding a Network Device Group page 4 29 Assigning an Unassigned AAA Client or AAA Server to an NDG page 4 30 Reassigning a AAA Client or AAA Server to an NDG page 4 31 Renaming a Network Device Group page 4 32 Deleting a Network Device Group p...

Page 146: ...ts or AAA servers perform one or more of the following procedures as applicable Adding a AAA Client page 4 16 Adding a AAA Server page 4 24 Assigning an Unassigned AAA Client or AAA Server to an NDG page 4 30 Reassigning a AAA Client or AAA Server to an NDG page 4 31 Assigning an Unassigned AAA Client or AAA Server to an NDG You use this procedure to assign an unassigned AAA client or AAA server t...

Page 147: ...ick Submit The client or server is assigned to an NDG Reassigning a AAA Client or AAA Server to an NDG To reassign a AAA client or AAA server to a new NDG follow these steps Step 1 In the navigation bar click Network Configuration The Network Configuration page opens Step 2 In the Network Device Groups table click the name of the current group of the network device Step 3 In either the AAA Clients...

Page 148: ... follow these steps Step 1 In the navigation bar click Network Configuration The Network Configuration page opens Step 2 In the Network Device Groups table click the NDG that you want to rename Tip If the Network Device Groups table does not appear click Interface Configuration click Advanced Options and then select the Network Device Groups check box Step 3 At the bottom of the page click Rename ...

Page 149: ...still invoked If a user authentication request incorporates an SPC that invokes a non existent or renamed NDG the attempt will fail and the user will be rejected To delete an NDG follow these steps Step 1 In the navigation bar click Network Configuration The Network Configuration page opens Step 2 In the Network Device Groups table click the NDG that you want to delete Tip If the Network Device Gr...

Page 150: ...on click Advanced Options and then select the Distributed System Settings check box The Proxy Distribution Table includes entries that show the character strings on which to proxy the AAA servers to proxy to whether to strip the character string and where to send the accounting information Local Remote Remote or Local For more information about the proxy feature see Proxy in Distributed Systems pa...

Page 151: ...Distribution Table entry follow these steps Step 1 In the navigation bar click Network Configuration The Network Configuration page opens Step 2 Under the Proxy Distribution Table click Add Entry Note If the Proxy Distribution Table does not appear click Interface Configuration click Advanced Options and then select the Distributed System Settings check box Step 3 In the Character String box type ...

Page 152: ...packets to the remote Cisco Secure ACS Local Remote Keep accounting packets on the local Cisco Secure ACS and send them to the remote Cisco Secure ACS Tip This information is especially important if you are using the Max Sessions feature to control the number of connections a user is allowed Max Sessions depends on accounting start and stop records and where the accounting information is sent dete...

Page 153: ...wn to move its position to reflect the search order you want Step 4 When you finish sorting click Submit or Submit Restart Editing a Proxy Distribution Table Entry To edit a Proxy Distribution Table entry follow these steps Step 1 In the navigation bar click Network Configuration The Network Configuration page opens Step 2 In the Character String column of the Proxy Distribution Table click the di...

Page 154: ...ntry follow these steps Step 1 In the navigation bar click Network Configuration The Network Configuration page opens Step 2 In the Character String column of the Proxy Distribution Table click the distribution entry you want to delete The Edit Proxy Distribution Entry page appears Step 3 Click Delete A confirmation dialog box appears Step 4 Click OK The distribution entry is deleted from the Prox...

Page 155: ...mponents section enables you to develop and name reusable shared sets of authorization components that may be applied to one or more users or groups of users and referenced by name within their profiles These include network access filters NAFs downloadable IP access control lists ACLs network access restrictions NARs and command authorization sets The Shared Profile Components section addresses t...

Page 156: ...ess Filters A NAF is a named group of any combination of one or more of the following network elements IP addresses AAA clients network devices Network device groups NDGs Using a NAF to specify a downloadable IP ACL or NAR based on the AAA clients by which the user may access the network saves you the effort of listing each AAA client explicitly NAFs in downloadable IP ACLs You can associate a NAF...

Page 157: ...nfigured them in Cisco Secure ACS The network elements that make up a NAF can be arranged in any order For best performance place the elements most commonly encountered at the top of the Selected Items list For example in a NAF where the majority of users gain network access through the NDG accounting but you also grant access to a single technical support AAA client with the IP address 205 205 11...

Page 158: ...t in the NAF definition from the Network Device Groups box select the applicable NDG and then from the Network Devices box select the AAA client you want to include Finally click right arrow button to move it to the Selected Items box Tip If you are using NDGs the AAA clients appear in the Network Devices box only when you have selected the NDG to which they belong Otherwise if you are not using N...

Page 159: ...vice clears the Logged in User report and temporarily interrupts all Cisco Secure ACS services This affects the Max Sessions counter and resets it to zero The Network Access Filtering table page appears and lists the name and description of the new NAF Editing a Network Access Filter To edit a NAF follow these steps Step 1 In the navigation bar click Shared Profile Components The Shared Profile Co...

Page 160: ...ox Step 7 To add an IP address to the NAF definition in the IP Address box type the IP address you want to add Click right arrow button to move it to the Selected Items box Step 8 To edit an IP address select it in the Selected Items box and then click left arrow button to move it to the IP address box Type the changes to the IP address and then click right arrow button to move it back to the Sele...

Page 161: ...with any NAR or downloadable IP ACL that uses it Otherwise any NAR or downloadable IP ACL that references the deleted NAF will be misconfigured and will produce an error To delete a NAF follow these steps Step 1 In the navigation bar click Network Access Filtering The Network Access Filtering table page appears Step 2 Click the Name of the NAF you want to delete The Network Access Filtering edit p...

Page 162: ... For more information on NAFs and how they regulate downloadable IP ACLs see About Network Access Filters page 5 2 Downloadable IP ACLs operate as follows 1 When Cisco Secure ACS grants a user access to the network Cisco Secure ACS determines whether a downloadable IP ACL is assigned to that user or to that user s group 2 If Cisco Secure ACS locates a downloadable IP ACL assigned to the user or th...

Page 163: ...h ACL content applies to all AAA clients however if you have defined NAFs you can limit the applicability of each ACL content to the AAA clients listed in the NAF you associate to it That is by employing NAFs you can make each ACL content within a single downloadable IP ACL applicable to multiple different network devices or network device groups in accordance with your network security strategy F...

Page 164: ...tions box follows permit ip 10 153 0 0 0 0 255 255 host 10 158 9 1 permit ip 10 154 0 0 0 0 255 255 10 158 10 0 0 0 0 255 permit 0 any host 10 159 1 22 deny ip 10 155 10 0 0 0 0 255 10 159 2 0 0 0 0 255 log permit TCP any host 10 160 0 1 eq 80 log permit TCP any host 10 160 0 2 eq 23 log permit TCP any host 10 160 0 3 range 20 30 permit 6 any host HOSTNAME1 permit UDP any host HOSTNAME2 neq 53 den...

Page 165: ...rs Step 4 In the Name box type the name of the new IP ACL Note The name of an IP ACL may contain up to 27 characters The name must not contain spaces nor any of the following characters Step 5 In the Description box type a description of the new IP ACL Step 6 To add an ACL content to the new IP ACL click Add Step 7 In the Name box type the name of the new ACL content Note The name of an ACL conten...

Page 166: ... an ACL definition and then click Up or Down to reposition it in the list Tip The order of ACL contents is significant Working from top to bottom Cisco Secure ACS downloads only the first ACL definition that has an applicable NAF setting including the All AAA Clients default setting if used Typically your list of ACL contents will proceed from the one with the most specific narrowest NAF to the on...

Page 167: ...k on the ACL Contents entry you want to change The Downloadable IP ACL Content page appears Step 6 Edit the Name or ACL Definitions as applicable Tip Do not use keyword and name entries in the ACL Definitions box instead begin with a permit deny keyword For an example of the proper format of the ACL definitions see About Downloadable IP ACLs page 5 8 Step 7 To save the edited ACL definition click ...

Page 168: ...gation bar click Shared Profile Components The Shared Profile Components page appears Step 2 Click Downloadable IP ACLs Step 3 Click the name of the downloadable IP ACL you want to delete The Downloadable IP ACLs page appears with information displayed for the selected IP ACL Step 4 At the bottom of the page click Delete A dialog box warns you that you are about to delete an IP ACL Step 5 To confi...

Page 169: ...ARs In setting up a NAR you can choose whether the filter operates positively or negatively That is in the NAR you specify whether to permit or deny network access based on comparison of information sent from AAA clients to the information stored in the NAR However if a NAR does not encounter sufficient information to operate it defaults to denied access This is shown in Table 5 1 Cisco Secure ACS...

Page 170: ...ultiple shared restrictions to be applied When you specify the application of multiple shared NARs to a user or user group you choose one of two access criteria either All selected filters must permit or Any one selected filter must permit It is important to understand the order of precedence related to the different types of NARs The order of NAR filtering is as follows 1 Shared NAR at the user l...

Page 171: ...nd called station id attribute 30 fields are used AAA clients that do not provide sufficient IP address information for example some types of firewall do not support full NAR functionality Other attributes for IP based restrictions per protocol include the following NAR fields If you are using TACACS The NAR fields listed in Cisco Secure ACS use the following values AAA client The NAS IP address i...

Page 172: ...the Cisco Aironet AP MAC address in place of the DNIS The format of what you specify in the CLI box CLI IP address or MAC address must match the format of what you receive from your AAA client You can determine this format from your RADIUS Accounting Log Attributes for DNIS CLI based restrictions per protocol include the following NAR fields If you are using TACACS The NAR fields listed employ the...

Page 173: ...access restrictions Although the Cisco Secure ACS HTML interface does not enforce limits to the number of access restrictions in a shared NAR or to the length of each access restriction there are limits that you must adhere to as follows The combination of fields for each line item cannot exceed 1024 characters The shared NAR cannot have more than 16 KB of characters The number of line items suppo...

Page 174: ...f the new shared NAR Step 6 If you want to permit or deny access based on IP addressing follow these steps a Select the Define IP based access descriptions check box b To specify whether you are listing addresses that are permitted or denied from the Table Defines list select the applicable value c Select or type the applicable information in each of the following boxes AAA Client Select All AAA c...

Page 175: ...pears as a line item in the table e To enter additional IP based line items repeat c and d Step 7 If you want to permit or deny access based on calling location or values other than IP addresses follow these steps a Select the Define CLI DNIS based access restrictions check box b To specify whether you are listing locations that are permitted or denied from the Table Defines list select the applic...

Page 176: ... MAC address for information see About Network Access Restrictions page 5 15 DNIS Type the number being dialed into to filter on Note The total number of characters in the AAA Client list and the Port CLI and DNIS boxes must not exceed 1024 Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users...

Page 177: ... IP based access restrictions table follow these steps a Double click the line item that you want to edit Information for the line item is removed from the table and written to the boxes below the table b Edit the information as necessary Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024 Although Cisco Secure ACS is capable of acc...

Page 178: ... more than 1024 characters when you add a NAR you cannot edit such a NAR and Cisco Secure ACS cannot accurately apply it to users c Click enter The edited information for this line item is written to the CLI DNIS access restrictions table Step 8 To remove a line item from the CLI DNIS access restrictions table follow these steps a Select the line item b Below the table click remove The line item i...

Page 179: ...e about to delete a shared NAR Step 5 To confirm that you want to delete the shared NAR click OK The selected shared NAR is deleted Command Authorization Sets This section describes command authorization sets and pattern matching and provides detailed instructions for configuring and managing them This section contains the following topics About Command Authorization Sets page 5 26 Command Authori...

Page 180: ...ny given network device This greatly enhances the scalability and manageability of setting authorization restrictions In Cisco Secure ACS the default command authorization sets include Shell Command Authorization Sets and PIX Command Authorization Sets Cisco device management applications such as Management Center for Firewalls can instruct Cisco Secure ACS to support additional command authorizat...

Page 181: ...ization set could permit all commands including IP address configuration Fine Configuration Granularity You can create associations between named command authorization sets and NDGs Thus you can define different access profiles for users depending on which network devices they access You can associate the same named command authorization set with more than one NDG and use it for more than one user...

Page 182: ...d arguments are permitted the command is authorized and evaluation ends otherwise the command is not authorized and evaluation ends If all arguments are matched evaluation continues 3 Argument Policy Having determined that the arguments in the command being evaluated match the arguments listed in the command authorization set Cisco Secure ACS determines whether each command argument is explicitly ...

Page 183: ... example if you type the following command during a router hosted session interface FASTETHERNET 0 1 the router may submit the command and arguments to Cisco Secure ACS as interface FastEthernet 0 1 If for the interface command the command authorization set explicitly permits the FastEthernet argument using the spelling fastethernet Cisco Secure ACS fails the command authorization request If the c...

Page 184: ...he command authorization request because it does not match what the router submitted to Cisco Secure ACS If the command authorization rule instead permits the argument FastEthernet 0 1 Cisco Secure ACS grants the command authorization request The case of arguments specified in command authorization sets must match what the device sends which may or may not match the case you use when you type the ...

Page 185: ...de Shell Command Authorization Sets and may include others such as command authorization set types that support Cisco device management applications Step 2 Click one of the listed command authorization set types as applicable The selected Command Authorization Sets table appears Step 3 Click Add The applicable Command Authorization Set page appears Depending upon the type of command authorization ...

Page 186: ...oxes in the checklist tree c To enable other actions in this command authorization set repeat Step a and Step b as needed Step 7 If Cisco Secure ACS displays additional boxes below the Name and Description boxes use the boxes to specify the commands and arguments permitted or denied by the command authorization set To do so follow these steps a To specify how Cisco Secure ACS should handle unmatch...

Page 187: ...tween arguments e To allow arguments which you have not listed to be effective with this command select the Permit Unmatched Args check box f To add other commands to this command authorization set repeat Step a through Step e Step 8 To save the command authorization set click Submit Cisco Secure ACS displays the name and description of the new command authorization set in the applicable Command A...

Page 188: ...box under the Device checklist node Tip Selecting an expandable check box node selects all check boxes within that node Selecting the first check box in the checklist tree selects all check boxes in the checklist tree To disable an action clear its check box For example to disable a Device View action clear the View check box under the Device checklist node Step 5 If additional boxes appear below ...

Page 189: ...lick a command authorization set type as applicable The selected Command Authorization Sets table appears Step 3 From the Name column click the name of the command set you want to delete Information for the selected set appears on the applicable Command Authorization Set page Step 4 Click Delete A dialog box warns you that you are about to delete a command authorization set Step 5 To confirm that ...

Page 190: ...Chapter 5 Shared Profile Components Command Authorization Sets 5 36 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 191: ...o Secure ACS And if the external database does not support groups you can map all users from that database to a Cisco Secure ACS user group For information about external database mapping see Chapter 16 User Group Mapping and Specification Before you configure Group Setup you should understand how this section functions Cisco Secure ACS dynamically builds the Group Setup section interface dependin...

Page 192: ...privileges and restrictions for the default group are applied to first time users If you have upgraded from a previous version of Cisco Secure ACS and kept your database information Cisco Secure ACS retains the group mappings you configured before upgrading Group TACACS Settings Cisco Secure ACS enables a full range of settings for TACACS at the group level If a AAA client has been configured to u...

Page 193: ...ign a shell command authorization set which you have already configured for any network device Assign a shell command authorization set which you have already configured to particular NDGs Permit or deny specific shell commands which you define on a per group basis For more information about shell command authorization sets see Chapter 5 Shared Profile Components Basic User Group Settings This sec...

Page 194: ...ds when group and user account disablement settings differ Cisco Secure ACS defaults to preventing network access To disable a group follow these steps Step 1 In the navigation bar click Group Setup The Group Setup Select page opens Step 2 From the Group list select the group you want to disable and then click Edit Settings The Group Settings page displays the name of the group at its top Step 3 I...

Page 195: ...ese steps Step 1 In the navigation bar click Group Setup The Group Setup Select page opens Step 2 From the Group list select the group you want to configure for VoIP support and then click Edit Settings The Group Settings page displays the name of the group at its top Step 3 In the Voice over IP Support table select the check box labeled This is a Voice over IP VoIP group and all users of this gro...

Page 196: ...t the Set as default Access Times check box to limit access based on time or day Times at which the system permits access are highlighted in green on the day and hour matrix Note The default sets accessibility during all hours Step 4 In the day and hour matrix click the times at which you do not want to permit access to members of this group Tip Clicking times of day on the graph deselects those t...

Page 197: ...ount for a user resides in a remote domain the domain in which Cisco Secure ACS resides must have a two way trust with that domain for the Microsoft Windows callback settings to operate for that user Note The password aging feature does not operate correctly if you also use the callback feature When callback is used users cannot receive password aging messages at login To set callback options for ...

Page 198: ...ou can also use the CLI DNIS based access restrictions area to specify other values For more information see About Network Access Restrictions page 5 15 Typically you define shared NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user For more information see Adding a Shared Network Access Restriction page 5 19 You must have enabled...

Page 199: ...previously configured shared NAR to this group follow these steps Note To apply a shared NAR you must have configured it under Network Access Restrictions in the Shared Profile Components section For more information see Adding a Shared Network Access Restriction page 5 19 a Select the Only Allow network access when check box b To specify whether one or all shared NARs must apply for a member of t...

Page 200: ...ines list select either Permitted Calling Point of Access Locations or Denied Calling Point of Access Locations c Select or enter the information in the following boxes AAA Client Select either All AAA Clients or the name of the NDG or the name of the individual AAA client to which to permit or deny access Port Type the number of the port to which to permit or deny access You can use the wildcard ...

Page 201: ...format you use must match the format of the string you receive from your AAA client You can determine this format from your RADIUS Accounting Log PORT Type the number of the port to which to permit or deny access You can use the wildcard asterisk to permit or deny access to all ports CLI Type the CLI number to which to permit or deny access You can use the wildcard asterisk to permit or deny acces...

Page 202: ...inue specifying other group settings perform other procedures in this chapter as applicable Setting Max Sessions for a User Group Note If this feature does not appear click Interface Configuration click Advanced Options and then select the Max Sessions check box Perform this procedure to define the maximum number of sessions available to a group or to each user in a group or both The settings are ...

Page 203: ...ns available to group select one of the following options Unlimited Select to allow this group an unlimited number of simultaneous sessions This effectively disables Max Sessions n Type the maximum number of simultaneous sessions to allow this group Step 4 In the lower portion of the Max Sessions table under Sessions available to users of this group select one of the following two options Unlimite...

Page 204: ...that group unless you configure usage quotas for the individual users Note The Usage Quotas section on the Group Settings page does not show usage statistics Usage statistics are available only on the settings page for an individual user For more information see Setting User Usage Quotas Options page 7 18 When a user exceeds his or her assigned quota Cisco Secure ACS denies that user access upon a...

Page 205: ...s a In the Usage Quotas table select the Limit each user of this group to x hours of online time per time unit check box b Type the number of hours to which you want to limit group members in the to x hours box Use decimal values to indicate minutes For example a value of 10 5 would equal ten hours and 30 minutes Note Up to 5 characters are allowed in the to x hours box c Select the period for whi...

Page 206: ...erform other procedures in this chapter as applicable Configuration specific User Group Settings This section details procedures that you perform only as applicable to your particular network security configuration For instance if you have no token server configured you do not have to set token card settings for each group Note When a vendor specific variety of RADIUS is configured for use by netw...

Page 207: ...L to a Group page 6 30 Configuring TACACS Settings for a User Group page 6 31 Configuring a Shell Command Authorization Set for a User Group page 6 33 Configuring a PIX Command Authorization Set for a User Group page 6 35 Configuring Device Management Command Authorization for a User Group page 6 37 Configuring IETF RADIUS Settings for a User Group page 6 38 Configuring Cisco IOS PIX RADIUS Settin...

Page 208: ...ptions for token caching include the following Session You can select Session to cache the token for the entire session This allows the second B channel to dynamically go in and out of service Duration You can select Duration and specify a period of time to have the token cached from the time of first authentication If this time period expires the user cannot start a second B channel Session and D...

Page 209: ...pplicable Setting Enable Privilege Options for a User Group Note If this section does not appear click Interface Configuration and then click TACACS Cisco At the bottom of the page in the Advanced Configuration Options table select the Advanced TACACS features check box Perform this procedure to configure group level TACACS enable parameters The three possible TACACS enable options are as follows ...

Page 210: ...f the group at its top Step 3 From the Jump To list at the top of the page choose Enable Options Step 4 Do one of the following To disallow enable privileges for this user group select the No Enable Privilege option To set the maximum privilege level for this user group for any ACS on which this group is authorized select the Max Privilege for Any Access Server option Then select the maximum privi...

Page 211: ...be in the Windows user database and be using the Windows Dial up Networking DUN client For information on the requirements and configuration of this password aging mechanism see Enabling Password Aging for Users in Windows Databases page 6 26 Password Aging for Device hosted Sessions Users must be in the CiscoSecure user database the AAA client must be running TACACS and the connection must use Te...

Page 212: ...sword Aging for Device hosted Sessions and Password Aging for Transit Sessions mechanisms For information on the Windows Password Aging mechanism see Enabling Password Aging for Users in Windows Databases page 6 26 For information on configuring local password validation options see Local Password Management page 8 5 Note The password aging feature does not operate correctly if you also use the ca...

Page 213: ...only one attempt to change the password when the password is in the grace period Cisco Secure ACS displays the last chance warning only once If the user does not change the password this login is still permitted but the password expires and the next authentication is denied An entry is logged in the Failed Attempts log and the user must contact an administrator to have the account reinstated Note ...

Page 214: ...ly exclusive a rule is applied for each check box that is selected For example users can be forced to change their passwords every 20 days and every 10 logins and to receive warnings and grace periods accordingly If no options are selected passwords never expire Unlike most other parameters which have corresponding settings at the user level password aging parameters are configured only on a group...

Page 215: ...assword aging by date select the Apply age by date rules check box and type the number of days for the following options as applicable Active period Warning period Grace period Note Up to 5 characters are allowed in each field Step 5 To set password aging by use select the Apply age by uses rules check box and type the number of logins for each of the following options as applicable Issue warning ...

Page 216: ...re user database see Enabling Password Aging for the CiscoSecure User Database page 6 21 Note You can run both Windows Password Aging and Cisco Secure ACS Password Aging for Transit Sessions mechanisms concurrently provided that the users authenticate from the two different databases The types of password aging in Windows databases are as follows RADIUS based password aging RADIUS based password a...

Page 217: ...oft PEAP client such as Windows XP You must enable PEAP on the Global Authentication Configuration page within the System Configuration section Tip For information about enabling PEAP in System Configuration see Global Authentication Setup page 10 26 You must enable PEAP password changes on the Windows Authentication Configuration page within the External User Databases section Tip For information...

Page 218: ...in which Cisco Secure ACS is running can only use the Windows based password aging if they supply their domain names The methods and functionality of Windows password aging differ according to which Microsoft Windows operating system you are using and whether you employ Active Directory AD or Security Accounts Manager SAM Setting password aging for users in the Windows user database is only one pa...

Page 219: ...p Settings page displays the name of the group at its top Step 3 From the Jump To list at the top of the page choose IP Address Assignment Step 4 In the IP Assignment table do one of the following Select No IP address assignment Select Assigned by dialup client Select Assigned from AAA Client pool Then type the AAA client IP pool name Select Assigned from AAA pool Then select the AAA server IP poo...

Page 220: ...dable IP ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface see Adding a Downloadable IP ACL page 5 10 Tip The Downloadable ACLs table does not appear if it has not been enabled To enable the Downloadable ACLs table click Interface Configuration click Advanced Options and then select the Group Level Downloadable ACLs check box To assign a downloadable IP ACL to ...

Page 221: ...display or hide additional services or protocols click Interface Configuration click TACACS Cisco IOS and then select or clear items in the group column as applicable To configure TACACS settings for a user group follow these steps Step 1 In the navigation bar click Group Setup The Group Setup Select page opens Step 2 From the Group list select a group and then click Edit Settings The Group Settin...

Page 222: ... if the default as defined on the AAA client should be used Note You can define and download an ACL Click Interface Configuration click TACACS Cisco IOS and then select Display a window for each service selected in which you can enter customized TACACS attributes A box opens under each service protocol in which you can define an ACL Step 5 To allow all services to be permitted unless specifically ...

Page 223: ...thorization Enables you to permit or deny specific Cisco IOS commands and arguments at the group level Note This feature requires that you have previously configured a shell command authorization set For detailed steps see Adding a Command Authorization Set page 5 31 To specify shell command authorization set parameters for a user group follow these steps Step 1 In the navigation bar click Group S...

Page 224: ...therwise assigned by assigning that set to the default Device Group c Click Add Association The associated NDG and shell command authorization set appear in the table Step 8 To define the specific Cisco IOS commands and arguments to be permitted or denied at the group level follow these steps a Select the Per Group Command Authorization option b Under Unmatched Cisco IOS commands select either Per...

Page 225: ...n a PIX Command Authorization Set on a per Network Device Group Basis Particular PIX command authorization sets are to be effective on particular NDGs Before You Begin Ensure that a AAA client has been configured to use TACACS as the security control protocol On the TACACS Cisco page of Interface Configuration section ensure that the PIX Shell pixShell option is selected in the Group column Make s...

Page 226: ...evice follow these steps a Select the Assign a PIX Command Authorization Set for any network device option b From the list directly below that option select the PIX command authorization set you want applied to this user group Step 7 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG for each association follow these steps a Select the...

Page 227: ...n a per Network Device Group Basis For the applicable device management application this option enables you to apply command authorization sets to specific NDGs so that it affects all management tasks on the network devices belonging to the NDG Note This feature requires that you have configured a command authorization set for the applicable Cisco device management application For detailed steps s...

Page 228: ...low these steps a Select the Assign a device management application on a per Network Device Group Basis option b Select a Device Group and a corresponding device management application c Click Add Association The associated NDG and command authorization set appear in the table Configuring IETF RADIUS Settings for a User Group These parameters appear only when both the following are true A AAA clie...

Page 229: ...e group settings you have just made click Submit For more information see Saving Changes to User Group Settings page 6 56 Step 6 To configure the vendor specific attributes VSAs for any RADIUS network device vendor supported by Cisco Secure ACS see the appropriate section Configuring Cisco IOS PIX RADIUS Settings for a User Group page 6 40 Configuring Cisco Aironet RADIUS Settings for a User Group...

Page 230: ...A clients of this vendor type configured the VSA settings do not appear in the group configuration interface To configure and enable Cisco IOS PIX RADIUS attributes to be applied as an authorization for each user in the current group follow these steps Step 1 Before you configure Cisco IOS PIX RADIUS attributes be sure your IETF RADIUS attributes are configured properly For more information about ...

Page 231: ...or WLAN connections you avoid the difficulties that would arise if you had to use a standard timeout value typically measured in hours for a WLAN connection that is typically measured in minutes Tip Only enable and configure the Cisco Aironet Session Timeout when some or all members of a group may connect through wired or wireless access devices If members of a group always connect with a Cisco Ai...

Page 232: ...thorization for each user in the current group follow these steps Step 1 Confirm that your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Configuring IETF RADIUS Settings for a User Group page 6 38 Step 2 In the navigation bar click Group Setup The Group Setup Select page opens Step 3 From the Group list select a group and then click Ed...

Page 233: ...st configure both the IETF RADIUS and Ascend RADIUS attributes Proprietary attributes override IETF attributes The default attribute setting displayed for RADIUS is Ascend Remote Addr Note To hide or display Ascend RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 17 A VSA applied as an authorization to a particular group persists even when you remo...

Page 234: ...dures in this chapter as applicable Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000 series concentrator use the CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 attributes Settings for CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 override Mi...

Page 235: ...nfirm that your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Configuring IETF RADIUS Settings for a User Group page 6 38 Step 2 In the navigation bar click Group Setup The Group Setup Select page opens Step 3 From the Group list select a group and then click Edit Settings The Group Settings page displays the name of the group at its t...

Page 236: ...utes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 17 A VSA applied as an authorization to a particular group persists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA settings do not appear in the group configuration interface To configure and enable Cisco VPN 5000 Concentrator RA...

Page 237: ...ed by Microsoft to encrypt PPP links These PPP connections can be via a dial in line or over a VPN tunnel To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000 series concentrator use the CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 attributes Settings for CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 override Micro...

Page 238: ...ure and enable Microsoft RADIUS attributes to be applied as an authorization for each user in the current group follow these steps Step 1 Confirm that your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Configuring IETF RADIUS Settings for a User Group page 6 38 Step 2 In the navigation bar click Group Setup The Group Setup Select page ...

Page 239: ...el RADIUS VSA Group level Nortel RADIUS attributes have been enabled on the RADIUS Nortel page of the Interface Configuration section Nortel RADIUS represents only the Nortel VSA You must configure both the IETF RADIUS and Nortel RADIUS attributes Note To hide or display Nortel RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 17 A VSA applied as an...

Page 240: ...n for network devices using RADIUS Note The MS CHAP MPPE Keys attribute value is autogenerated by Cisco Secure ACS there is no value to set in the HTML interface Step 6 To save the group settings you have just made click Submit For more information see Saving Changes to User Group Settings page 6 56 Step 7 To continue specifying other group settings perform other procedures in this chapter as appl...

Page 241: ...f the page choose RADIUS Juniper Step 5 In the Juniper RADIUS Attributes table specify the attributes to be authorized for the group by selecting the check box next to the attribute Where applicable further define the authorization for that attribute in the field next to it For more information about attributes see Appendix C RADIUS Attributes or the documentation for network devices using RADIUS ...

Page 242: ...er Group page 6 38 Step 2 In the navigation bar click Group Setup The Group Setup Select page opens Step 3 From the Group list select a group and then click Edit Settings The Group Settings page displays the name of the group at its top Step 4 From the Jump To list at the top of the page choose RADIUS BBSM Step 5 In the BBSM RADIUS Attributes table specify the attribute to be authorized for the gr...

Page 243: ...or each user in the current group follow these steps Step 1 Confirm that your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Configuring IETF RADIUS Settings for a User Group page 6 38 Step 2 In the navigation bar click Group Setup The Group Setup Select page opens Step 3 From the Group list select a group and then click Edit Settings T...

Page 244: ...on contains the following topics Listing Users in a User Group page 6 54 Resetting Usage Quota Counters for a User Group page 6 55 Renaming a User Group page 6 55 Saving Changes to User Group Settings page 6 56 Listing Users in a User Group To list all users in a specified group follow these steps Step 1 In the navigation bar click Group Setup The Group Setup Select page opens Step 2 From the Grou...

Page 245: ...2 From the Group list select the group Step 3 In the Usage Quotas section select the On submit reset all usage counters for all users of this group check box Step 4 Click Submit at the bottom of the browser page The usage quota counters for all users in the group are reset The Group Setup Select page appears Renaming a User Group To rename a user group follow these steps Step 1 In the navigation b...

Page 246: ... for a group be sure to save your work To save the configuration for the current group follow these steps Step 1 To save your changes and apply them later click Submit When you are ready to implement the changes click System Configuration and then click Service Control and click Restart Tip To save your changes and apply them immediately click Submit Restart The group attributes are applied and se...

Page 247: ...nding on the configuration of your AAA client and the security protocols being used That is what you see under User Setup is affected by settings in both the Network Configuration and Interface Configuration sections This chapter contains the following topics About User Setup Features and Functions page 7 1 About User Databases page 7 2 Basic User Setup Options page 7 3 Advanced User Authenticatio...

Page 248: ... User Databases Cisco Secure ACS authenticates users against one of several possible databases including its CiscoSecure user database Regardless of which database you configure Cisco Secure ACS to use when authenticating a user all users have accounts within the CiscoSecure user database and authorization of users is always performed against the user records in the CiscoSecure user database The f...

Page 249: ... see LEAP Proxy RADIUS Server Database page 13 75 Token Server Authenticates a user from a token server database Cisco Secure ACS supports the use of a variety of token servers for the increased security provided by one time passwords For more information see Token Server User Databases page 13 78 Basic User Setup Options This section presents the basic activities you perform when configuring a ne...

Page 250: ...or a User page 7 16 Setting User Usage Quotas Options page 7 18 Setting Options for User Account Disablement page 7 20 Assigning a Downloadable IP ACL to a User page 7 21 Adding a Basic User Account This procedure details the minimum steps necessary to add a new user account to the CiscoSecure user database To add a user account follow these steps Step 1 In the navigation bar click User Setup The ...

Page 251: ...PAP password by typing it in the first set of Password and Confirm Password boxes Note Up to 32 characters are allowed each for the Password box and the Confirm Password box Tip The CiscoSecure PAP password is also used for CHAP MS CHAP ARAP if the Separate CHAP MS CHAP ARAP check box is not selected Tip You can configure the AAA client to ask for a PAP password first and then a CHAP or MS CHAP pa...

Page 252: ...nfigure these optional fields see User Data Configuration Options page 3 3 To enter optional information into the Supplementary User Information table follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 4 The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Complete each box that appears in the Supplementary Us...

Page 253: ...lect the Separate CHAP MS CHAP ARAP check box in the User Setup table Step 3 Specify the CHAP MS CHAP ARAP password to be used by typing it in each of the second set of Password Confirm boxes under the Separate CHAP MS CHAP ARAP check box Note Up to 32 characters are allowed each for the Password box and the Confirm Password box Note These Password and Confirm Password boxes are only required for ...

Page 254: ...l user databases from which Cisco Secure ACS can derive group information you can associate the group memberships defined for the users in the external user database to specific Cisco Secure ACS groups For more information see Chapter 16 User Group Mapping and Specification To assign a user to a group follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 4 T...

Page 255: ... the following Use group setting Select if you want this user to use the setting for the group No callback allowed Select to disable callback for this user Callback using this number Select and type the complete number including area code if necessary on which to always call back this user Note The maximum character length for the callback number is 199 characters Dialup client specifies callback ...

Page 256: ... page Step 2 Under Client IP Address Assignment in the User Setup table select the applicable option Choices include the following Note The IP address assignment in User Setup overrides the IP address assignment in Group Setup Use group settings Select this option to use the IP address group assignment No IP address assignment Select this option to override the group setting if you do not want an ...

Page 257: ...move the position of a pool in the list select the pool name and click Up or Down until the pool is in the position you want Step 3 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Network Access Restrictions for a User Th...

Page 258: ... authentication request is forwarded by proxy to a Cisco Secure ACS any NARs for TACACS requests are applied to the IP address of the forwarding AAA server not to the IP address of the originating AAA client When you create access restrictions on a per user basis Cisco Secure ACS does not enforce limits to the number of access restrictions and it does not enforce a limit to the length of each acce...

Page 259: ...row button to move the name into the Selected NARs list Tip To view the server details of the shared NARs you have selected to apply you can click either View IP NAR or View CLID DNIS NAR as applicable Step 3 To define and apply a NAR for this particular user that permits or denies this user access based on IP address or IP address and port follow these steps Tip You should define most NARs from w...

Page 260: ...Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024 Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users d Click enter The specified AAA client port and address information appears in the table above the AAA Client list Step 4 ...

Page 261: ...isk to permit or deny access based on part of the number Tip This is also the selection to use if you want to restrict access based on other values such as a Cisco Aironet client MAC address For more information see About Network Access Restrictions page 5 15 DNIS Type the DNIS number to which to permit or deny access Use this to restrict access based on the number into which the user will be dial...

Page 262: ...at accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session All session counts are based on user and group names only Cisco Secure ACS does not support any differentiation by type of session all sessions are counted as the same To illustrate a user with a Max Session count of 1 who is dialed in to a AAA client with a PPP session will be refused a connection if tha...

Page 263: ...This effectively disables Max Sessions n Select and then type the maximum number of simultaneous sessions to allow this user Use group setting Select to use the Max Sessions value for the group Note The default setting is Use group setting Note User Max Sessions settings override the group Max Sessions settings For example if the group Sales has a Max Sessions value of only 10 but a user in the gr...

Page 264: ...p Edit page displays usage statistics for the current user The Current Usage table lists both online time and sessions used by the user with columns for daily weekly monthly and total usage The Current Usage table appears only on user accounts that you have established that is it does not appear during initial user setup For a user who has exceeded his quota Cisco Secure ACS denies him access upon...

Page 265: ...er to x hours of online time check box b Type the number of hours to which you want to limit the user in the Limit user to x hours of online time box Use decimal values to indicate minutes For example a value of 10 5 would equal 10 hours and 30 minutes Note Up to 10 characters are allowed for this field c Select the period for which you want to enforce the time usage quota per Day From 12 01 a m u...

Page 266: ...due to password aging Password aging is defined for groups only not for individual users Also note that this feature is distinct from the Account Disabled check box For instructions on how to disable a user account see Disabling a User Account page 7 56 Note If the user is authenticated with a Windows user database this expiration information is in addition to the information in the Windows user a...

Page 267: ...nt Note The default is 5 Step 3 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Assigning a Downloadable IP ACL to a User The Downloadable ACLs feature enables you to assign an IP Access Control List ACL at the user level You mus...

Page 268: ...cify the user account options perform other procedures in this chapter as applicable Advanced User Authentication Settings This section presents the activities you perform to configure user level TACACS and RADIUS enable parameters This section contains the following topics TACACS Settings User page 7 23 Configuring TACACS Settings for a User page 7 24 Configuring a Shell Command Authorization Set...

Page 269: ...arameters for a User page 7 47 Setting Nortel RADIUS Parameters for a User page 7 49 Setting Juniper RADIUS Parameters for a User page 7 51 Setting BBSM RADIUS Parameters for a User page 7 52 Setting Custom RADIUS Attributes for a User page 7 53 TACACS Settings User The TACACS Settings section permits you to enable and configure the service protocol parameters to be applied for the authorization o...

Page 270: ...ide or display at the user level when you configure the interface For more information about setting up new or existing TACACS services in the Cisco Secure ACS HTML interface see Protocol Configuration Options for TACACS page 3 7 If you have configured Cisco Secure ACS to interact with a Cisco device management application new TACACS services may appear automatically as needed to support the devic...

Page 271: ... 3 Scroll down to the TACACS Settings table and select the bold service name check box to enable that protocol for example PPP IP Step 4 To enable specific parameters within the selected service select the check box next to a specific parameter and then do one of the following as applicable Select the Enabled check box Specify a value in the corresponding attribute box To specify ACLs and IP addre...

Page 272: ...is assigned and it applies all network devices Assign a Shell Command Authorization Set on a per Network Device Group Basis Particular shell command authorization sets are to be effective on particular NDGs When you select this option you create the table that lists what NDG associates with what shell command authorization set Per User Command Authorization Enables you to permit or deny specific C...

Page 273: ...5 To assign a particular shell command authorization set to be effective on any configured network device follow these steps a Select the Assign a Shell Command Authorization Set for any network device option b Then from the list directly below that option select the shell command authorization set you want applied to this user Step 6 To create associations that assign a particular shell command a...

Page 274: ... the name of the command define its arguments using standard permit or deny syntax and select whether unlisted arguments are to be permitted or denied Caution This is a powerful advanced feature and should be used by an administrator skilled with Cisco IOS commands Correct syntax is the responsibility of the administrator For information on how Cisco Secure ACS uses pattern matching in command arg...

Page 275: ...t is configured to use TACACS as the security control protocol In the Advanced Options section of Interface Configuration make sure that the Per user TACACS RADIUS Attributes check box is selected In the TACACS Cisco section of Interface Configuration make sure that the PIX Shell pixShell option is selected in the User column Make sure that you have configured one or more PIX command authorization...

Page 276: ...Basis option b Select a Device Group and an associated Command Set c Click Add Association The associated NDG and PIX command authorization set appear in the table Step 7 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Configurin...

Page 277: ...n of Interface Configuration make sure that under New Services the new TACACS service corresponding to the applicable device management application is selected in the User column If you want to apply command authorization sets make sure that you have configured one or more device management command authorization sets For detailed steps see Adding a Command Authorization Set page 5 31 To specify de...

Page 278: ...on b Select a Device Group and an associated device management application c Click Add Association The associated NDG and command authorization set appear in the table Step 7 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Config...

Page 279: ...ured Tip If the Advanced TACACS Settings User table does not appear click Interface Configuration click TACACS Cisco IOS and then click Advanced TACACS Features This section contains the following topics Setting Enable Privilege Options for a User page 7 33 Setting TACACS Enable Password Options for a User page 7 35 Setting TACACS Outbound Password for a User page 7 37 Setting Enable Privilege Opt...

Page 280: ...nfiguration before you can assign user privilege levels to them To select and specify the privilege level for a user follow these steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 4 The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Under TACACS Enable Control in the Advanced TACACS Settings table select one of the four...

Page 281: ... Click Add Association An entry appears in the table associating the device group with a particular privilege level d Repeat Step a through Step c for each device group you want to associate to this user Tip To delete an entry select the entry and then click Remove Associate Step 5 Do one of the following If you are finished configuring the user account options click Submit to record the options T...

Page 282: ...dding a Basic User Account page 7 4 To use an external database password select Use external database password and then choose from the list the database that authenticates the enable password for this user Note The list of databases displays only the databases that you have configured For more information see About External User Databases page 13 4 To use a separate password click Use separate pa...

Page 283: ...ese steps Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account page 7 4 The User Setup Edit page opens The username being added or edited is at the top of the page Step 2 Type and retype to confirm a TACACS outbound password for this user Step 3 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify ...

Page 284: ...arameters for a User page 7 49 Setting Juniper RADIUS Parameters for a User page 7 51 Setting BBSM RADIUS Parameters for a User page 7 52 Setting Custom RADIUS Attributes for a User page 7 53 Setting IETF RADIUS Parameters for a User RADIUS attributes are sent as a profile for the user from Cisco Secure ACS to the requesting AAA client These parameters display only if all the following are true A ...

Page 285: ... for the attribute in the box or boxes next to it as applicable Step 3 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Cisco IOS PIX RADIUS Parameters for a User The Cisco IOS RADIUS parameters appear only if all the foll...

Page 286: ...ormation about setting IETF RADIUS attributes see Setting IETF RADIUS Parameters for a User page 7 38 Step 3 If you want to use the 009 001 cisco av pair attribute to specify authorizations select the check box next to the attribute and then type the attribute value pairs in the text box Separate each attribute value pair by pressing Enter For example if the current user profile corresponds to a N...

Page 287: ...US Session Timeout set to 3 hours When the user connects via a VPN Cisco Secure ACS uses 3 hours as the timeout value However if that same user connects via a Cisco Aironet Access Point Cisco Secure ACS responds to an authentication request from the Aironet AP by sending 600 seconds in the IETF RADIUS Session Timeout attribute Thus with the Cisco Aironet Session Timeout attribute configured differ...

Page 288: ... Parameters for a User page 7 38 Step 3 In the Cisco Aironet RADIUS Attributes table select the 5842 001 Cisco Aironet Session Timeout check box Step 4 In the 5842 001 Cisco Aironet Session Timeout box type the session timeout value in seconds that Cisco Secure ACS is to send in the IETF RADIUS Session Timeout 27 attribute when the AAA client is configured in Network Configuration to use the RADIU...

Page 289: ...IETF RADIUS Attributes page 3 17 A VSA applied as an authorization to a particular user persists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA settings do not appear in the user configuration interface To configure and enable Ascend RADIUS attributes to be applied as an authorization for the current user follow t...

Page 290: ...1 override Microsoft MPPE RADIUS settings If either of these attributes is enabled Cisco Secure ACS determines the values to be sent in outbound RADIUS Microsoft attributes and sends them along with the RADIUS Cisco VPN 3000 attributes regardless of whether RADIUS Microsoft attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured The Cisco VPN 3000 ...

Page 291: ...it page opens The username being added or edited is at the top of the page Step 2 Before configuring Cisco VPN 3000 Concentrator RADIUS attributes be sure your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Setting IETF RADIUS Parameters for a User page 7 38 Step 3 In the Cisco VPN 3000 Concentrator Attribute table to specify the attrib...

Page 292: ...oncentrator RADIUS attributes Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 17 A VSA applied as an authorization to a particular user persists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA settings do not appe...

Page 293: ...pplicable Setting Microsoft RADIUS Parameters for a User Microsoft RADIUS provides VSAs supporting Microsoft Point to Point Encryption MPPE which is an encryption technology developed by Microsoft to encrypt point to point PPP links These PPP connections can be via a dial in line or over a Virtual Private Network VPN tunnel To control Microsoft MPPE settings for users accessing the network through...

Page 294: ... must configure both the IETF RADIUS and Microsoft RADIUS attributes Note To hide or display Microsoft RADIUS attributes see Setting Protocol Configuration Options for Non IETF RADIUS Attributes page 3 17 A VSA applied as an authorization to a particular user persists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA...

Page 295: ...in the HTML interface Step 4 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Nortel RADIUS Parameters for a User The Nortel RADIUS parameters appear only if all the following are true A AAA client is configured to use RAD...

Page 296: ...age opens The username being added or edited is at the top of the page Step 2 Before configuring Nortel RADIUS attributes be sure your IETF RADIUS attributes are configured properly For more information about setting IETF RADIUS attributes see Setting IETF RADIUS Parameters for a User page 7 38 Step 3 In the Nortel RADIUS Attributes table to specify the attributes that should be authorized for the...

Page 297: ...A VSA applied as an authorization to a particular user persists even when you remove or replace the associated AAA client however if you have no AAA clients of this vendor type configured the VSA settings do not appear in the user configuration interface To configure and enable Juniper RADIUS attributes to be applied as an authorization for the current user follow these steps Step 1 Perform Step 1...

Page 298: ...er level RADIUS BBSM attributes you want to apply are enabled under RADIUS BBSM in the Interface Configuration section BBSM RADIUS represents only the BBSM proprietary attributes You must configure both the IETF RADIUS and BBSM RADIUS attributes Proprietary attributes override IETF attributes Note To hide or display BBSM RADIUS attributes see Setting Protocol Configuration Options for Non IETF RAD...

Page 299: ...tep 4 Do one of the following If you are finished configuring the user account options click Submit to record the options To continue to specify the user account options perform other procedures in this chapter as applicable Setting Custom RADIUS Attributes for a User Custom RADIUS parameters appear only if all the following are true You have defined and configured the custom RADIUS VSAs For infor...

Page 300: ...le to specify the attributes that should be authorized for the user follow these steps a Select the check box next to the particular attribute b Further define the authorization for that attribute in the box next to it as required c Continue to select and define attributes as applicable For more information about attributes see Appendix C RADIUS Attributes or your AAA client documentation Step 4 D...

Page 301: ...s Usernames are displayed in the order in which they were entered into the database This list cannot be sorted To view a list of all user accounts follow these steps Step 1 In the navigation bar click User Setup The User Setup Select page opens Step 2 Click List All Users In the display area on the right the User List appears Step 3 To view or edit the information for an individual user click the ...

Page 302: ...he information for the user click the username in the display area on the right The user account information appears Disabling a User Account This procedure details how to manually disable a user account in the CiscoSecure user database Note To configure the conditions by which a user account will automatically be disabled see Setting Options for User Account Disablement page 7 20 Note This is not...

Page 303: ...u want deny a user access by deleting the user account you must also delete the user account from the external user database This prevents the username from being automatically re added to the CiscoSecure user database the next time the user attempts to log in Tip For deleting batches of user accounts use the RDBMS Synchronization feature with action code 101 see RDBMS Synchronization page 9 25 fo...

Page 304: ... the CiscoSecure user database Resetting User Session Quota Counters You can reset the session quota counters for a user either before or after the user exceeds a quota To reset user usage quota counters follow these steps Step 1 Click User Setup The Select page of the HTML interface opens Step 2 In the User box type the complete username of the user whose session quota counters you are going to r...

Page 305: ...fter login failure follow these steps Step 1 Click User Setup The User Setup Select page of the HTML interface opens Step 2 In the User box type the complete username of the account to be reset Note Alternatively you can click List All Users and then select the user from the list that appears Step 3 Click Add Edit Step 4 In the Account Disable table select the Reset current failed attempts count o...

Page 306: ...n the Windows user account Changes here do not alter settings configured in Windows Saving User Settings After you have completed configuration for a user be sure to save your work To save the configuration for the current user follow these steps Step 1 To save the user account configuration click Submit Step 2 To verify that your changes were applied type the username in the User box and click Ad...

Page 307: ... Format Control page 8 3 Local Password Management page 8 5 Cisco Secure ACS Backup page 8 9 Cisco Secure ACS System Restore page 8 14 Cisco Secure ACS Active Service Management page 8 17 VoIP Accounting Configuration page 8 21 Service Control Cisco Secure ACS uses several services The Service Control page provides basic status information about the services and enables you to configure the servic...

Page 308: ...lick System Configuration Step 2 Click Service Control The status of the services appears in the CiscoSecure ACS on hostname table where hostname is the name of the Cisco Secure ACS Stopping Starting or Restarting Services You can stop start or restart Cisco Secure ACS services as needed This achieves the same result as starting and stopping Cisco Secure ACS services from within Windows Control pa...

Page 309: ... ACS services changes to the state appropriate to the button you clicked Logging You can configure Cisco Secure ACS to generate logs for administrative and accounting events depending on the protocols and options you have enabled For more information including configuration steps see Chapter 1 Overview Date Format Control Cisco Secure ACS allows for one of two possible date formats in its logs rep...

Page 310: ...te format follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click Date Format Control Cisco Secure ACS displays the Date Format Selection table Step 3 Select a date format option Step 4 Click Submit Restart Cisco Secure ACS restarts its services and implements the date format you selected Note For the new date format to be seen in the HTML interface reports you must...

Page 311: ...are listed below Password length between X and Y characters Enforces that password lengths be between the values specified in the X and Y boxes inclusive Cisco Secure ACS supports passwords up to 32 characters long Password may not contain the username Requires that a user password does not contain the username anywhere within it Password is different from the previous value Requires a new user pa...

Page 312: ...re ACS The automatically triggered cascade setting for the CiscoSecure Database Replication feature does not cause Cisco Secure ACSes that receive changed password information to send it to their replication partners For more information about CiscoSecure Database Replication see CiscoSecure Database Replication page 9 1 Password Change Log File Management These settings enable you to configure ho...

Page 313: ... the username select the Password may not contain the username check box d If you want to require that a user password must be different than the previous user password select the Password is different from the previous value check box e If you want to require that passwords must contain both letters and numbers select the Password must be alphanumeric check box Step 4 Under Remote Change Password...

Page 314: ...t of each week Every month Cisco Secure ACS generates a new User Password Changes log file at the start of each month Step 6 If you want Cisco Secure ACS to generate a new User Password Changes log file when the current file reaches a specific size select the When size is greater than X KB option and type the file size threshold in kilobytes in the X box Step 7 If you want to manage which User Pas...

Page 315: ...page 8 12 Disabling Scheduled Cisco Secure ACS Backups page 8 13 About Cisco Secure ACS Backup The ACS Backup feature backs up your Cisco Secure ACS system information to a file on the local hard drive You can manually back up the Cisco Secure ACS system You can also establish automated backups that occur at regular intervals or at selected days of the week and times Maintaining backup files can m...

Page 316: ... often you back up the system the more diligent we recommend you be about clearing out old databases from the Cisco Secure ACS hard drive Components Backed Up The ACS System Backup feature backs up the Cisco Secure ACS user database and information from the Windows Registry that is relevant to Cisco Secure ACS The user database backup includes all user information such as username password and oth...

Page 317: ... Cisco Secure ACS writes the backup file The directory must be specified by its full path on the Windows server that runs Cisco Secure ACS such as c acs bups Manage Directory Defines whether Cisco Secure ACS deletes older backup files Using the following options you can specify how Cisco Secure ACS determines which log files to delete Keep only the last X files Cisco Secure ACS retains the most re...

Page 318: ...ule the times at which Cisco Secure ACS performs a backup follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click ACS Backup The ACS System Backup Setup page appears Step 3 To schedule backups at regular intervals under ACS Backup Scheduling select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform ba...

Page 319: ...n and type in the X box the number of files you want Cisco Secure ACS to retain c To limit how old backup files retained by Cisco Secure ACS can be select the Delete files older than X days option and type the number of days for which Cisco Secure ACS should retain a backup file before deleting it Step 7 Click Submit Cisco Secure ACS implements the backup schedule you configured Disabling Schedule...

Page 320: ...of Cisco Secure ACS Restorations page 8 16 Restoring Cisco Secure ACS from a Backup File page 8 16 About Cisco Secure ACS System Restore The ACS System Restore feature enables you to restore your system configuration from backup files generated by the ACS Backup feature This feature helps minimize downtime if Cisco Secure ACS system information becomes corrupted or is misconfigured The ACS System ...

Page 321: ...or example if you installed Cisco Secure ACS version 3 0 in the default location the default backup location would be c Program Files CiscoSecure ACS v3 0 CSAuth System Backups Cisco Secure ACS creates backup files using the date and time format dd mmm yyyy hh nn ss dmp where dd is the date the backup started mmm is the month abbreviated in alphabetic characters yyyy is the year hh is the hour in ...

Page 322: ...ogs out all administrators To restore Cisco Secure ACS from a backup file generated by the Cisco Secure ACS Backup feature follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click ACS Restore The ACS System Restore Setup page appears The Directory box displays the drive and path to the backup directory most recently configured in the Directory box on the ACS Backup p...

Page 323: ... several minutes to complete depending on which components you selected to restore and the size of your database When the restoration is complete you can log in again to Cisco Secure ACS Cisco Secure ACS Active Service Management ACS Active Service Management is an application specific service monitoring tool that is tightly integrated with ACS The two features that compose ACS Active Service Mana...

Page 324: ... This list contains several built in actions and reflects actions that you define The items beginning with asterisks are predefined actions Restart All Restart all Cisco Secure ACS services Restart RADIUS TACACS Restart only the RADIUS and TACACS services Reboot Reboot Cisco Secure ACS Custom actions You can define other actions for Cisco Secure ACS to take upon failure of the login process Cisco ...

Page 325: ...p 1 In the navigation bar click System Configuration Step 2 Click ACS Service Management The ACS Active Service Management Setup page appears Step 3 To have Cisco Secure ACS test the login process follow these steps a Select the Test login process every X minutes check box b Type in the X box the number of minutes up to 3 characters that should pass between each login process test c From the If no...

Page 326: ...g Up Event Logging To view the Windows event log select Start Programs Administrative Tools Event Viewer For more information about the Windows event log or Event Viewer refer to your Microsoft Windows documentation To set up Cisco Secure ACS event logging follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click ACS Service Management The ACS Active Service Managemen...

Page 327: ...nting logs receive VoIP accounting data There are three options for VoIP accounting Send to both RADIUS and VoIP Accounting Log Targets Cisco Secure ACS appends VoIP accounting data to the RADIUS accounting data and logs it separately to a CSV file To view the data you can use either RADIUS Accounting or VoIP Accounting under Reports and Activity Send only to VoIP Accounting Log Targets Cisco Secu...

Page 328: ...g Configuration Note If this feature does not appear click Interface Configuration click Advanced Options and then select the Voice over IP VoIP Accounting Configuration check box The VoIP Accounting Configuration page appears The Voice over IP VoIP Accounting Configuration table displays the options for VoIP accounting Step 3 Select the VoIP accounting option you want Step 4 Click Submit Cisco Se...

Page 329: ...9 1 RDBMS Synchronization page 9 25 IP Pools Server page 9 44 IP Pools Address Recovery page 9 51 CiscoSecure Database Replication This section provides information about the CiscoSecure Database Replication feature including procedures for implementing this feature and configuring the Cisco Secure ACSes involved This section contains the following topics About CiscoSecure Database Replication pag...

Page 330: ...CSes You can configure your AAA clients to use these secondary Cisco Secure ACSes if the primary Cisco Secure ACS fails or is unreachable With a secondary Cisco Secure ACS whose CiscoSecure database is a replica of the CiscoSecure database on the primary Cisco Secure ACS if the primary Cisco Secure ACS goes out of service incoming requests are authenticated without network downtime provided that y...

Page 331: ...Secure ACS that sends replicated CiscoSecure database components to other Cisco Secure ACSes Secondary Cisco Secure ACS A Cisco Secure ACS that receives replicated CiscoSecure database components from a primary Cisco Secure ACS In the HTML interface these are identified as replication partners A Cisco Secure ACS can be both a primary Cisco Secure ACS and a secondary Cisco Secure ACS provided that ...

Page 332: ...ecure ACSes Tip You can force replication to occur by making one change to a user or group profile such as changing a password or modifying a RADIUS attribute 2 The primary Cisco Secure ACS contacts the secondary Cisco Secure ACS In this initial connection the following four events occur a The two Cisco Secure ACSes perform mutual authentication based upon the shared secret of the primary Cisco Se...

Page 333: ...roperly those that usually use the primary Cisco Secure ACS failover to another Cisco Secure ACS b The primary Cisco Secure ACS resumes its authentication service It also compresses and encrypts the copy of its database components for transmission to the secondary Cisco Secure ACS c The primary Cisco Secure ACS transmits the compressed encrypted copy of its database components to the secondary Cis...

Page 334: ...uration device tables you must configure the primary Cisco Secure ACS with all Cisco Secure ACSes that will receive replicated database components regardless of whether they receive replication directly or indirectly from the primary Cisco Secure ACS In Figure 9 1 server 1 must have an entry in its AAA Servers table for each of the other six Cisco Secure ACSes If this is not done after replication...

Page 335: ...e of the Cisco Secure ACS Note Regardless of how frequently replication is scheduled to occur it only occurs when the database of the primary Cisco Secure ACS has changed since the last successful replication This issue is more apparent with databases that are large or that frequently change Database replication is a non incremental destructive backup In other words it completely replaces the data...

Page 336: ...an accurately configured entry for each of its primary Cisco Secure ACSes On a primary Cisco Secure ACS and all its secondary Cisco Secure ACSes the AAA Servers table entries for the primary Cisco Secure ACS must have identical shared secrets Only suitably configured valid Cisco Secure ACSes can be secondary Cisco Secure ACSes To configure a secondary Cisco Secure ACS for database replication see ...

Page 337: ...r example if user account is associated with a database named WestCoast LDAP on the primary Cisco Secure ACS the replicated user account on all secondary Cisco Secure ACSes remains associated with an external user database named WestCoast LDAP even if you have not configured an LDAP database instance of that name If you replicate NAC policies secondary Cisco Secure ACSes associate policies to NAC ...

Page 338: ...e backup files CiscoSecure Database Replication enables you to copy various components of the CiscoSecure database to other Cisco Secure ACSes This can help you plan a failover AAA architecture and can reduce the complexity of your configuration and maintenance tasks While it is unlikely it is possible that CiscoSecure Database Replication can propagate a corrupted database to the Cisco Secure ACS...

Page 339: ...at it receives as a secondary Cisco Secure ACS Note The CiscoSecure database components received by a secondary Cisco Secure ACS overwrite the CiscoSecure database components on the secondary Cisco Secure ACS Any information unique to the overwritten database component is lost The Replication Components table on the CiscoSecure Database Replication page presents the options that control which comp...

Page 340: ...ttings and TACACS settings from the Interface Configuration section Interface security settings Replicate administrators and security information for the Cisco Secure ACS HTML interface Password validation settings Replicate password validation settings EAP FAST master keys and policies Replicate active and retired master keys and policies for EAP FAST CNAC policies Replicate NAC local policies ex...

Page 341: ...hey receive replication directly or indirectly from the primary Cisco Secure ACS For example if the primary Cisco Secure ACS replicates to two secondary Cisco Secure ACSes which in turn each replicate to two more Cisco Secure ACSes the primary Cisco Secure ACS must have AAA server configurations for all six Cisco Secure ACSes that will receive replicated database components Every X minutes Cisco S...

Page 342: ...ded Cisco Secure ACS terminates replication to the secondary Cisco Secure ACS is was attempting to replicate to and then it restarts the CSAuth service The replication timeout feature helps prevent loss of AAA services due to stalled replication communication which can occur when the network connection between the primary and secondary Cisco Secure ACS is abnormally slow or when a fault occurs wit...

Page 343: ...sco Secure ACS accepts replicated components only from the Cisco Secure ACS specified Note Cisco Secure ACS does not support bidirectional database replication A secondary Cisco Secure ACS receiving replicated components verifies that the primary Cisco Secure ACS is not on its Replication list If not the secondary Cisco Secure ACS accepts the replicated components If so it rejects the components F...

Page 344: ... you intend to use cascading replication to replicate network configuration device tables you must configure the primary Cisco Secure ACS with all Cisco Secure ACSes that will receive replicated database components regardless of whether they receive replication directly or indirectly from the primary Cisco Secure ACS For example if the primary Cisco Secure ACS replicates to two secondary Cisco Sec...

Page 345: ...g Replication page 9 21 Caution The CiscoSecure database components received by a secondary Cisco Secure ACS overwrite the CiscoSecure database components on the secondary Cisco Secure ACS Any information unique to the overwritten database component is lost Before You Begin Ensure correct configuration of the AAA Servers table in the secondary Cisco Secure ACS This secondary Cisco Secure ACS must ...

Page 346: ...tion list If not the secondary Cisco Secure ACS accepts the replicated components If so it aborts replication Step 6 If the secondary Cisco Secure ACS is to receive replication components from only one primary Cisco Secure ACS from the Accept replication from list select the name of the primary Cisco Secure ACS The primary Cisco Secure ACSes available in the Accept replication from list are determ...

Page 347: ...ion Note Replication cannot occur until you have configured at least one secondary Cisco Secure ACS For more information about configuring a secondary Cisco Secure ACS see Configuring a Secondary Cisco Secure ACS page 9 17 Before You Begin Ensure correct configuration of the primary and secondary Cisco Secure ACSes For detailed steps see Implementing Primary and Secondary Replication Setups on Cis...

Page 348: ...ick right arrow button Tip If you want to remove a secondary Cisco Secure ACSes from the Replication list select the secondary Cisco Secure ACS in the Replication list and then click left arrow button Note Cisco Secure ACS does not support bidirectional database replication A secondary Cisco Secure ACS receiving replicated components verifies that the primary Cisco Secure ACS is not on its Replica...

Page 349: ...ptions page 9 12 Note Replication cannot occur until the secondary Cisco Secure ACSes are configured properly For more information see Configuring a Secondary Cisco Secure ACS page 9 17 Before You Begin Ensure correct configuration of the primary and secondary Cisco Secure ACSes For detailed steps see Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes page 9 15 For each se...

Page 350: ...icated database components to its secondary Cisco Secure ACSes at regular intervals under Replication Scheduling select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform replication up to 7 characters Note Because Cisco Secure ACS is momentarily shut down during replication a short replication interval may cause frequent failover o...

Page 351: ...isco Secure ACSes that this Cisco Secure ACS should replicate to To do so follow these steps Note Cisco Secure ACS does not support bidirectional database replication A secondary Cisco Secure ACS receiving replicated database components verifies that the primary Cisco Secure ACS is not on its Replication list If not the secondary Cisco Secure ACS accepts the replicated database components If so it...

Page 352: ... you created Disabling CiscoSecure Database Replication You can disable scheduled CiscoSecure database replications without losing the schedule itself This allows you to cease scheduled replications temporarily and later resume them without having to re enter the schedule information To disable CiscoSecure database replication follow these steps Step 1 Log in to the HTML interface on the primary C...

Page 353: ...olved This section contains the following topics About RDBMS Synchronization page 9 26 Users page 9 27 User Groups page 9 27 Network Configuration page 9 28 Custom RADIUS Vendors and VSAs page 9 28 RDBMS Synchronization Components page 9 29 About CSDBSync page 9 29 About the accountActions Table page 9 31 Cisco Secure ACS Database Recovery Using the accountActions Table page 9 32 Reports and Event...

Page 354: ...e you can alternatively maintain through this feature RDBMS Synchronization supports addition modification and deletion for all data items it can access You can configure synchronization to occur on a regular schedule You can also perform synchronizations manually updating the CiscoSecure user database on demand Synchronization performed by a single Cisco Secure ACS can update the internal databas...

Page 355: ...iguring time of day day of week access restrictions Assigning IP addresses Specifying outbound RADIUS attribute values Specifying outbound TACACS attribute values Note For specific information about all actions that RDBMS Synchronization can perform see Appendix F RDBMS Synchronization Import Definitions User Groups Among the group related configuration actions that RDBMS Synchronization can perfo...

Page 356: ...iguration details Adding and configuring Proxy Distribution Table entries Note For specific information about all actions that RDBMS Synchronization can perform see Appendix F RDBMS Synchronization Import Definitions Custom RADIUS Vendors and VSAs RDBMS Synchronization enables you to configure custom RADIUS vendors and VSAs In addition to supporting a set of predefined RADIUS vendors and vendor sp...

Page 357: ...information about all actions that RDBMS Synchronization can perform see Appendix F RDBMS Synchronization Import Definitions RDBMS Synchronization Components The RDBMS Synchronization feature comprises two components CSDBSync A dedicated Windows service that performs automated user and group account management services for Cisco Secure ACS accountActions Table The data object that holds informatio...

Page 358: ...The senior synchronization partner must have AAA configurations for each Cisco Secure ACS that is a synchronization partners In turn each of the synchronization partners must have a AAA server configuration for the senior partner Synchronization commands from the senior partner are ignored if the Cisco Secure ACS receiving the synchronization commands does not have a AAA server configuration for t...

Page 359: ...s on the Cisco Secure ACS in the following location assuming a default installation of Cisco Secure ACS C Program Files CiscoSecure ACS vx x CSDBSync Databases The Databases directory contains the following subdirectories Access Contains the file CiscoSecure Transactions mdb CiscoSecure Transactions mdb contains a preconfigured accountActions table When you install Cisco Secure ACS the installatio...

Page 360: ...sactions that CSDBSync can process Cisco Secure ACS Database Recovery Using the accountActions Table Because the RDBMS Synchronization feature deletes each record in the accountActions table after processing the record the accountActions table can be considered a transaction queue The RDBMS Synchronization feature does not maintain a transaction log audit trail If a log is required the external sy...

Page 361: ...ization Synchronizing the CiscoSecure user database using data from the accountActions table requires that you complete several steps external to Cisco Secure ACS before you configure the RDBMS Synchronization feature within Cisco Secure ACS If you are planning to use a CSV file as your accountActions table also see Considerations for Using CSV Based Synchronization page 9 35 To prepare to use RDB...

Page 362: ...follow these steps a Determine which Cisco Secure ACS you want to use to communicate with the third party system This is the senior synchronization partner which you will later configure to send synchronization data to its synchronization partners which are the other Cisco Secure ACSes needing synchronization b On the senior synchronization partner verify that there is a AAA server configuration f...

Page 363: ...ing to use a CSV based accountActions table The Microsoft ODBC driver for text files always operates in a read only mode It cannot delete records from a CSV accountActions table Because of this synchronization events initiated or scheduled in the HTML interface never release the CSV file so the updates to the accountActions table from your third party system fail The solution is to initiate synchr...

Page 364: ...e ACS the accountactions file is at the following location C Program Files CiscoSecure ACS vx x CSDBSync Databases CSV Where x x refers to the version of your Cisco Secure ACS Step 2 Edit the Windows Registry a Access the following key HKEY_LOCAL_MACHINE SOFTWARE Cisco CiscoAAAvx x CSDBSync b Change the OdbcUpdateTable value from AccountActions to accountactions csv Note You cannot perform synchro...

Page 365: ...ecure DBSync system DSN rather than create one For more information about the CiscoSecure Transactions mdb file see Preparing to Use RDBMS Synchronization page 9 33 To create a system DSN for use with RDBMS synchronization follow these steps Step 1 From Windows Control Panel open the ODBC Data Source Administrator window Tip In Windows 2000 the ODBC Data Sources icon is located in the Administrati...

Page 366: ... available from System Configuration provides control of the RDBMS Synchronization feature It contains three tables whose options are described in this section This section contains the following topics RDBMS Setup Options page 9 38 Synchronization Scheduling Options page 9 39 Synchronization Partners Options page 9 39 RDBMS Setup Options The RDBMS Setup table defines how Cisco Secure ACS accesses...

Page 367: ...The Synchronization Partners table defines which Cisco Secure ACSes are synchronized with data from the accountActions table It provides the following options AAA Server This list represents the AAA servers configured in the AAA Servers table in Network Configuration for which the Cisco Secure ACS does not perform RDBMS synchronization Synchronize This list represents the AAA servers configured in...

Page 368: ... Synchronization check box The RDBMS Synchronization Setup page appears Step 3 To specify options in the RDBMS Setup table follow these steps Note For more information about RDBMS setup see RDBMS Setup Options page 9 38 a From the Data Source list select the system DSN you configured to communicate with the database that contains your accountActions table For more information about configuring a s...

Page 369: ...d then click left arrow button The selected Cisco Secure ACS appears in the AAA Servers list Step 6 At the bottom of the browser window click Synchronize Now Cisco Secure ACS immediately begins a synchronization event To check the status of the synchronization view the RDBMS Synchronization report in Reports and Activity Scheduling RDBMS Synchronization You can schedule when a Cisco Secure ACS per...

Page 370: ...ame specified in the Step b Step 4 To have this Cisco Secure ACS perform RDBMS synchronization at regular intervals under Synchronization Scheduling select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform synchronization up to 7 characters Step 5 To schedule times at which this Cisco Secure ACS performs RDBMS synchronization follo...

Page 371: ...the AAA Servers table see AAA Server Configuration page 4 21 b Click right arrow button The selected Cisco Secure ACS moves to the Synchronize list Note At least one Cisco Secure ACS must be in the Synchronize list This includes the server on which you are configuring RDBMS Synchronization RDBMS Synchronization does not automatically include the internal database of the current server Step 7 Click...

Page 372: ...rcing Unique Pool Address Ranges page 9 45 Refreshing the AAA Server IP Pools Table page 9 47 Adding a New IP Pool page 9 47 Editing an IP Pool Definition page 9 48 Resetting an IP Pool page 9 49 Deleting an IP Pool page 9 50 About IP Pools Server If you are using VPNs you may have to overlap IP address assignments that is it may be advantageous for a PPTP tunnel client within a given tunnel to us...

Page 373: ...ready assigned to a different workstation To support IP pools in a AAA environment that uses replication you must manually configure each secondary Cisco Secure ACS to have IP pools with names identical to the IP pools defined on the primary Cisco Secure ACS To use IP pools the AAA client must have network authorization in IOS aaa authorization network and accounting in IOS aaa accounting enabled ...

Page 374: ...this feature does not appear click Interface Configuration click Advanced Options and then select the IP Pools check box The AAA Server IP Pools table lists any IP pools you have configured their address ranges and the percentage of pooled addresses in use Step 3 If you want to allow overlapping IP pool address ranges follow these steps a If the Allow Overlapping Pool Address Ranges button appears...

Page 375: ... percentage of pooled addresses in use Step 3 Click Refresh Cisco Secure ACS updates the percentages of pooled addresses in use Adding a New IP Pool You can define up to 999 IP address pools To add an IP pool follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click IP Pools Server The AAA Server IP Pools table lists any IP pools you have already configured their addr...

Page 376: ... these steps Step 1 In the navigation bar click System Configuration Step 2 Click IP Pools Server The AAA Server IP Pools table lists any IP pools you have configured their address ranges and the percentage of pooled addresses in use Step 3 Click the name of the IP pool you need to edit The name pool table appears where name is the name of the IP pool you selected The In Use field displays how man...

Page 377: ...within an IP pool when there are dangling connections A dangling connection occurs when a user disconnects and Cisco Secure ACS does not receive an accounting stop packet from the applicable AAA client If the Failed Attempts log in Reports and Activity shows a large number of Failed to Allocate IP Address For User messages consider using the Reset function to reclaim all allocated addresses in thi...

Page 378: ...users Deleting an IP Pool Note If you delete an IP pool that has users assigned to it those users cannot authenticate until you edit the user profile and change their IP assignment settings Alternatively if the users receive their IP assignment based on group membership you can edit the user group profile and change the IP assignment settings for the group To delete an IP pool follow these steps S...

Page 379: ...period of time You must configure an accounting network on the AAA client for Cisco Secure ACS to reclaim the IP addresses correctly Enabling IP Pool Address Recovery To enable IP pool address recovery follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click IP Pools Address Recovery Note If this feature does not appear click Interface Configuration click Advanced Op...

Page 380: ...ter 9 System Configuration Advanced IP Pools Address Recovery 9 52 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 Cisco Secure ACS implements the IP pools address recovery settings you made ...

Page 381: ...1 Global Authentication Setup page 10 26 Cisco Secure ACS Certificate Setup page 10 34 About Certification and EAP Protocols Cisco Secure ACS uses EAP TLS and PEAP authentication protocols in combination with digital certification to ensure the protection and validity of authentication information Digital certification EAP TLS PEAP and machine authentication are described in the topics that follow...

Page 382: ...tabase credentials They can be scaled and trusted over large deployments If managed properly they can serve as a method of authentication that is stronger and more secure than shared secret systems Mutual trust requires that Cisco Secure ACS have an installed certificate that can be verified by end user clients This server certificate may be issued from a certification authority CA or if you choos...

Page 383: ...sesses a certificate only provides a username keypair binding The second element of trust is to use a third party signature usually from a certification authority CA that verifies the information in a certificate This third party binding is similar to the real world equivalent of the seal on a passport You trust the passport because you trust the preparation and identity checking that the particul...

Page 384: ...on about machine authentication see Machine Authentication page 13 16 Cisco Secure ACS supports domain stripping for EAP TLS authentication using Windows Active Directory For more information see EAP TLS Domain Stripping page 13 16 Cisco Secure ACS also supports three methods of certificate comparison and a session resume feature This topic discusses these features To permit access to the network ...

Page 385: ... session has not timed out Cisco Secure ACS uses the cached TLS session resulting in faster EAP TLS performance and lessened AAA server load When Cisco Secure ACS resumes an EAP TLS session the user reauthenticates by SSL handshake only without a certificate comparison In effect enabling EAP TLS session resume allows Cisco Secure ACS to trust a user based on the cached TLS session from the origina...

Page 386: ...rom files rather than from certificate storage server and CA certificate files must be in either Base64 encoded X 509 format or DER encoded binary X 509 format LDAP attribute for binary comparison If you configure Cisco Secure ACS to perform binary comparison of user certificates the user certificate must be stored in Active Directory or an LDAP server using a binary format Also the attribute stor...

Page 387: ...ation authority server configured on the domain controller you can configure a policy in Active Directory to produce a client certificate automatically when a computer is added to the domain For more information see Microsoft Knowledge Base Article 313407 HOW TO Create Automatic Certificate Requests with Group Policy in Windows To enable EAP TLS authentication follow these steps Step 1 Install a s...

Page 388: ...vocation List Issuer page 10 42 Step 4 Enable EAP TLS on the Global Authentication Setup page Cisco Secure ACS allows you to complete this step only after you have successfully completed Step 1 For detailed steps see Configuring Authentication Options page 10 33 Step 5 Configure a user database To determine which user databases support EAP TLS authentication see Authentication Protocol Database Co...

Page 389: ...mbinations of PEAP and EAP protocols are denoted with the EAP protocol within parentheses such as PEAP EAP GTC For the authentication protocols that Cisco Secure ACS supports in phase two of PEAP see Authentication Protocol Database Compatibility page 1 10 One improvement in security offered by PEAP is identity protection This is the potential of protecting the username in all PEAP transactions Af...

Page 390: ...enticated user sessions When this feature is enabled Cisco Secure ACS caches the TLS session created during phase one of PEAP authentication provided that the user successfully authenticates in phase two of PEAP If a user needs to reconnect and the original PEAP session has not timed out Cisco Secure ACS uses the cached TLS session resulting in faster PEAP performance and lessened AAA server load ...

Page 391: ... PEAP fast reconnect feature on the Global Authentication Setup page For more information about enabling this feature see Global Authentication Setup page 10 26 PEAP and the Unknown User Policy During PEAP authentication the real username to be authenticated may not be known by Cisco Secure ACS until phase two of authentication While the Microsoft PEAP client does reveal the actual username during...

Page 392: ...o Secure ACS administration you do not need to perform this step A single server certificate is sufficient to support all certificate based Cisco Secure ACS services and remote administration however EAP TLS and PEAP require that the certificate be suitable for server authentication purposes Step 2 Enable PEAP on the Global Authentication Setup page Cisco Secure ACS allows you to complete this ste...

Page 393: ... users These secrets are called Protected Access Credentials PACs which Cisco Secure ACS generates using a master key known only to Cisco Secure ACS Because handshakes based upon shared secrets are intrinsically faster than handshakes based upon PKI EAP FAST is the significantly faster of the two solutions that provide encrypted EAP transactions No certificate management is required to implement E...

Page 394: ... is enabled by phase one of EAP FAST Phase two In phase two Cisco Secure ACS authenticates the user credentials with EAP GTC which is protected by the TLS tunnel created in phase one No other EAP types are supported for EAP FAST To determine which databases support EAP FAST phase two see Authentication Protocol Database Compatibility page 1 10 Cisco Secure ACS authorizes network service with a suc...

Page 395: ...ther the active master key or a retired master key To increase the security of EAP FAST Cisco Secure ACS changes the master key that it uses to generate PACs Cisco Secure ACS uses time to live TTL values you define to determine when it generates a new master key and to determine the age of all master keys Based on TTL values Cisco Secure ACS assigns master keys one of the three following states Ac...

Page 396: ...g it When you define TTLs for master keys and retired master keys Cisco Secure ACS permits only TTL settings that require storing 255 or fewer retired master keys For example if the master key TTL is 1 hour and the retired master key TTL is 4 weeks this would require storing up to 671 retired master keys therefore Cisco Secure ACS presents an error message and does not allow these settings When a ...

Page 397: ...ed can never be used to gain network access When an end user client has a PAC generated with an expired master key the end user client must receive a new PAC before EAP FAST phase one can succeed The means of providing PACs to end user clients known as PAC provisioning are discussed in Automatic PAC Provisioning page 10 18 and Manual PAC Provisioning page 10 20 After end user clients are provided ...

Page 398: ...and master key and PAC TTLs dictate that the PAC must be refreshed For more information about how master key and PAC states determine whether a PAC is refreshed see Master Key and PAC TTLs page 10 21 PACs have the following two states determined by the PAC TTL setting Active A PAC younger than the PAC TTL is considered active and can be used to complete EAP FAST phase one provided that the master ...

Page 399: ...ero For the databases with which Cisco Secure ACS can support EAP FAST phase zero and phase two see Authentication Protocol Database Compatibility page 1 10 No network service is enabled by phase zero of EAP FAST therefore Cisco Secure ACS logs a EAP FAST phase zero transaction in the Failed Attempts log including an entry that PAC provisioning occurred After the end user client has received a PAC...

Page 400: ...eless access in its Chicago and Boston offices and the Cisco Aironet Access Points at each of these two offices are configured to use different Cisco Secure ACSes you can determine on a per employee basis whether Boston employees visiting the Chicago office can have wireless access Note Replicating EAP FAST master keys and policies affects the ability to require different PACs per Cisco Secure ACS...

Page 401: ...t end of phase two Phase one succeeds PAC is refreshed at end of phase two Master key retired Phase one succeeds PAC is refreshed at end of phase two Phase one succeeds PAC is refreshed at end of phase two Master key expired PAC provisioning is required If automatic provisioning is enabled phase zero occurs and a new PAC is sent The end user client initiates a new EAP FAST authentication request u...

Page 402: ...enabled EAP FAST and deselected the EAP FAST master server check box EAP FAST related replication occurs for three events Generation of master keys A primary Cisco Secure ACS sends newly generated active and backup master keys to secondary Cisco Secure ACSes This occurs immediately after master key generation provided that replication is configured properly and is not affected by replication sched...

Page 403: ...the end user client a PAC from the primary Cisco Secure ACS that is different than the PAC from the secondary Cisco Secure ACS Because the primary and secondary Cisco Secure ACSes send different Authority IDs at the beginning of the EAP FAST transaction the end user client must have a PAC for each Authority ID A PAC generated by the primary Cisco Secure ACS is not Table 10 2 EAP FAST Components an...

Page 404: ... ACS during replication rather than using master keys it generates and its unique Authority ID Note When you deselect the EAP FAST master server check box the Actual EAP FAST server status remains Master until Cisco Secure ACS receives replicated EAP FAST components and then the Actual EAP FAST server status changes to Slave Until Actual EAP FAST server status changes to Slave Cisco Secure ACS act...

Page 405: ...r database support To enable Cisco Secure ACS to perform EAP FAST authentication follow these steps Step 1 Configure a user database that supports EAP FAST authentication To determine which user databases support EAP FAST authentication see Authentication Protocol Database Compatibility page 1 10 For user database configuration see Chapter 13 User Databases Note User database support differs for E...

Page 406: ...of EAP FAST followed by using manual PAC provisioning for adding small numbers of new end user clients to your network and for replacing PACs based on expired master keys Step 4 Using the decisions during Step 2 and Step 3 enable EAP FAST on the Global Authentication Setup page For detailed steps see Configuring Authentication Options page 10 33 Cisco Secure ACS is ready to perform EAP FAST authen...

Page 407: ...to do next for example Enter your passcode The message is limited to 60 characters PEAP session timeout minutes The maximum PEAP session length you want to allow users in minutes A session timeout value greater than 0 zero enables the PEAP session resume feature which caches the TLS session created in phase one of PEAP authentication When a PEAP client reconnects Cisco Secure ACS uses the cached T...

Page 408: ...cure ACS retires the master key and generates a new master key The default master key TTL is one month Note Decreasing the master key TTL can cause retired master keys to expire because a master key expires when it is older than the sum of the master key TTL and the retired master key TTL therefore decreasing the master key TTL requires PAC provisioning for end user clients with PACs based on the ...

Page 409: ...he duration that a PAC is used before it expires and must be replaced If the master key used to generate it has not expired new PAC creation and assignment are automatic If the master key used to generate it has expired in band or out of band provisioning must be used to provide the end user client with a new PAC The default PAC TTL is one week For more information about PACs see About PACs page 1...

Page 410: ...C provisioning must be performed out of band manually EAP FAST Master Server When this check box is not selected and when Cisco Secure ACS receives replicated EAP FAST policies Authority ID and master keys Cisco Secure ACS uses them rather than its own EAP FAST policies Authority ID and master keys When this check box is selected Cisco Secure ACS uses its own EAP FAST policies Authority ID and mas...

Page 411: ...tempts the next enabled comparison type Comparison stops after the first successful comparison Certificate CN comparison Whether authentication is performed by comparing the Common Name of the end user client certificate to the username in the applicable user database Certificate Binary comparison Whether authentication is performed by a binary comparison of the end user client certificate to the ...

Page 412: ...ls whether Cisco Secure ACS performs EAP MD5 authentication If you disable this option end user clients configured to perform EAP MD5 authentication cannot access the network If no end user clients use EAP MD5 we recommend that you disable this option AP EAP request timeout seconds Whether Cisco Secure ACS instructs Cisco Aironet Access Points APs to use the specified timeout value during EAP conv...

Page 413: ...ured to authenticate with that version using RADIUS cannot access the network If no end user clients are configured to use a specific version of MS CHAP with RADIUS we recommend that you disable that version of MS CHAP Note For TACACS Cisco Secure ACS supports only MS CHAP version 1 TACACS support for MS CHAP version 1 is always enabled and is not configurable Configuring Authentication Options Us...

Page 414: ...n Options page 10 27 Step 4 If you want to immediately implement the settings you have made click Submit Restart Cisco Secure ACS restarts its services and implements the authentication configuration options you selected Step 5 If you want to save the settings you have made but implement them later click Submit Tip You can restart Cisco Secure ACS services at any time by using the Service Control ...

Page 415: ... not already have a server certificate in storage you can use the procedure in Generating a Certificate Signing Request page 10 45 or any other means to obtain a certificate for installation If you are installing a server certificate that replaces an existing server certificate the installation could affect the configuration of the CTL and CRL settings your Cisco Secure ACS After you have installe...

Page 416: ... existing certificate from local machine certificate storage select the Use certificate from storage option and then type the certificate CN common name subject name in the Certificate CN box Tip Type the certificate CN only omit the cn prefix Step 5 If you generated the request using Cisco Secure ACS in the Private key file box type the full directory path and name of the file that contains the p...

Page 417: ...o not need to perform this procedure because Cisco Secure ACS automatically trusts the CA that issued its certificate When a user certificate is from an unknown CA that is one that is different from the CA that certifies the Cisco Secure ACS you must specifically configure Cisco Secure ACS to trust that CA or authentication fails Until you perform this procedure to explicitly extend trust by addin...

Page 418: ... To use this new CA certificate to authenticate users you must edit the certificate trust list to signify that this CA is trusted For more information see Editing the Certificate Trust List page 10 38 Editing the Certificate Trust List Cisco Secure ACS uses the CTL to verify the client certificates For a CA to be trusted by Cisco Secure ACS its certificate must be installed and the Cisco Secure AC...

Page 419: ...be configured as trusted on the CTL you must have added the CA to the local certificate storage for more information see Adding a Certificate Authority Certificate page 10 37 If a user s certificate is from a CA that you have not specifically configured Cisco Secure ACS to trust authentication fails To edit the CTL follow these steps Step 1 In the navigation bar click System Configuration Step 2 C...

Page 420: ...uch circumstances might include compromise or suspected compromise of the corresponding private key or a change in the CAs issuance program Under such circumstances a CRL provides the mechanism by which the CA revokes the legitimacy of a certificate and calls for its managed replacement Cisco Secure ACS performs certificate revocation using the X 509 CRL profile A CRL is a signed and time stamped ...

Page 421: ...issuers can only be added in association with trusted CAs that is CAs on the CTL If you install a new server certificate for Cisco Secure ACS your CTL is cleared of all trust relationships While you must reestablish CAs on the CTL the associated CRLs that you previously configured remain in place and do not have to be reconfigured Certificate Revocation List Configuration Options The Certificate R...

Page 422: ...and time of the last CRL retrieval or retrieval attempt Adding a Certificate Revocation List Issuer Before You Begin Before adding a CRL issuer to Cisco Secure ACS you should ensure that you have listed the corresponding CA on the system s CTL and you have determined the URL of the CRL distribution repository for the appropriate issuer and class of certificate For the automatic CRL retrieval funct...

Page 423: ... every box type the quantity and period of time that Cisco Secure ACS should wait between retrieving a CRL Step 10 Select the Retrieve on Submit option to have Cisco Secure ACS attempt to obtain the current CRL when the page is submitted for processing Tip Selecting the Retrieve on Submit option is recommended If Cisco Secure ACS cannot obtain the CRL from the distribution repository you listed it...

Page 424: ...se Step 5 Edit the information and settings you want to change Step 6 Click Submit The corresponding CRL is changed in Cisco Secure ACS to that of the edited issuer or is scheduled to be changed if the Retrieve on Submit option was not selected Tip You can refer to the Last Retrieve date box to see the status date and time of the last CRL retrieval attempt Deleting a Certificate Revocation List Is...

Page 425: ... Certificate Setup page To generate a certificate signing request follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click ACS Certificate Setup and then click Generate Certificate Signing Request Cisco Secure ACS displays the Generate Certificate Signing Request page Step 3 In the Certificate subject box type values for the certificate fields required by the CA you ...

Page 426: ... of the key to be used Tip The choices for Key length are 512 or 1024 bits The default and more secure choice is 1024 bits Step 8 From the Digest to sign with list select the digest or hashing algorithm The choices for are MD2 MD5 SHA and SHA1 The default is SHA1 Step 9 Click Submit Cisco Secure ACS displays a CSR on the right side of the browser Step 10 Submit the CSR to the CA of your choice Aft...

Page 427: ...ation authority CA to obtain and install the certificate for the Cisco Secure ACS The self signed certificate feature in Cisco Secure ACS allows the administrator to generate the self signed digital certificate and use it for PEAP authentication protocol or for HTTPS support in web administration service Other than the lack of interaction with a CA to obtain the certificate installing a self signe...

Page 428: ...ight appear as follows cn ACS 11 O Acme Enterprises E admin acme com Certificate file The full path and filename for the certificate file that you want to generate For example c acs_server_cert acs_server_cert cer When you submit this page Cisco Secure ACS creates the certificate file using the location and filename you specify Private key file The full path and filename for the private key file y...

Page 429: ...ry For information on the fields contents see Self Signed Certificate Configuration Options page 10 48 To generate a self signed certificate follow these steps Step 1 In the navigation bar click System Configuration Step 2 Click ACS Certificate Setup Step 3 Click Generate Self Signed Certificate Cisco Secure ACS displays the Generate Self Signed Certificate edit page Step 4 In the Certificate subj...

Page 430: ...not installed into local machine storage Step 12 Click Submit The specified certificate and private key files are generated and stored as specified The certificate becomes operational if you also selected the Install generated certificate option only after you restart Cisco Secure ACS services Updating or Replacing a Cisco Secure ACS Certificate Use this procedure to update or replace an existing ...

Page 431: ...ather you see the Install new certificate table If this is the case you can proceed to Step 5 Step 3 Click Enroll New Certificate A confirmation dialog box appears Step 4 To confirm that you intend to enroll a new certificate click OK The existing Cisco Secure ACS certificate is removed and your CTL configuration is erased Step 5 You can now install the replacement certificate in the same manner a...

Page 432: ...Chapter 10 System Configuration Authentication and Certificates Cisco Secure ACS Certificate Setup 10 52 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 433: ...ogs in the Cisco Secure ACS HTML interface as HTML reports This chapter contains the following topics Logging Formats page 11 2 Special Logging Attributes page 11 2 NAC Attributes in Logs page 11 4 Update Packets in Accounting Logs page 11 5 About Cisco Secure ACS Logs and Reports page 11 6 Working with CSV Logs page 11 15 Working with ODBC Logs page 11 21 Remote Logging page 11 26 Service Logs pa...

Page 434: ...formation about downloading the CSV file from the HTML interface see Viewing a CSV Report page 11 18 ODBC compliant database tables ODBC logging enables you to configure Cisco Secure ACS to log directly in an ODBC compliant relational database where it is stored in tables one table per log After the data is exported to the relational database you can use the data however you need For more informat...

Page 435: ... applicable NARs permitted the user access all applicable NARs denied the user access or more specific information about which NAR denied the user access If no NARs apply to the user this logging attribute notes that no NARs were applied The Filter Information attribute is available for Passed Authentication and Failed Attempts logs Device Command Set The name of the device command set if any that...

Page 436: ...em posture token SPT returned by a Network Admission Control NAC database during a posture validation request This attribute is available only in the Passed Authentications and Failed Attempts logs For more information see NAC Attributes in Logs page 11 4 Other posture validation attributes Attributes sent to Cisco Secure ACS by a NAC client in a posture validation request identified by the vendor...

Page 437: ...es via CiscoSecure Authentication Agent In this use the update packets are referred to as watchdog packets Note To record update packets in Cisco Secure ACS accounting logs you must configure your AAA clients to send the update packets For more information about configuring your AAA client to send update packets refer to the documentation for your AAA clients Logging Update Packets Locally To log ...

Page 438: ...owing topics Accounting Logs page 11 6 Dynamic Administration Reports page 11 9 Cisco Secure ACS System Logs page 11 13 Accounting Logs Accounting logs contain information about the use of remote access services by users By default these logs are available in CSV format With the exception of the Passed Authentications log you can also configure Cisco Secure ACS to export the data for these logs to...

Page 439: ...g Note To use the TACACS Administration log you must configure TACACS AAA clients to perform command accounting with Cisco Secure ACS RADIUS Accounting Contains the following information User sessions stop and start times AAA client messages with username Caller line identification information Session duration You can configure Cisco Secure ACS to include accounting for Voice over IP VoIP in the R...

Page 440: ...t dependent upon accounting packets from your AAA clients so it is available even if your AAA clients do not support RADIUS accounting or if you have disabled accounting on your AAA clients For posture validation requests this log records the results of any posture validation that returns a posture token of Healthy Note The Passed Authentications log cannot be configured using an ODBC format Table...

Page 441: ...at you can do regarding dynamic administration reports View an accounting report For instructions on viewing an accounting report in the HTML interface see Viewing a CSV Report page 11 18 Configure an accounting log The steps for configuring an accounting log vary depending upon which format you want to use For more information about log formats see Logging Formats page 11 2 CSV For instructions o...

Page 442: ... the RADIUS Service Type attribute for rekey authentications On a computer configured to perform machine authentication machine authentication occurs when the computer started When a computer is started and before a user logs in on that computer the computer appears on the Logged In Users List in the Reports and Activity section Once user authentication begins the computer no longer appears on the...

Page 443: ... Secure ACS displays a table of users logged in including the following information Date and Time User Group Assigned IP Port Source AAA Client Tip You can sort the table by the entries in any column in either ascending or descending order Click a column title once to sort the table by the entries in that column in ascending order Click the column a second time to sort the table by the entries tha...

Page 444: ...number of users logged in Step 3 Click the name of the AAA client whose users you want to delete from the Logged in Users report Cisco Secure ACS displays a table of all users logged in through the AAA client The Purge Logged in Users button appears below the table Step 4 Click Purge Logged in Users Cisco Secure ACS displays a message indicating the number of users purged from the report and the I...

Page 445: ...re configurable see Table 11 4 For instructions on viewing a CSV report in the HTML interface see Viewing a CSV Report page 11 18 Table 11 4 Accounting Log Descriptions and Related Topics Log Description and Related Topics ACS Backup and Restore Lists Cisco Secure ACS backup and restore activity This log cannot be configured RDBMS Synchronization Lists RDBMS Synchronization activity This log canno...

Page 446: ...ure ACS generates a new Administrative Audit CSV file at the start of each week Every month Cisco Secure ACS generates a new Administrative Audit CSV file at the start of each month User Password Changes Lists user password changes initiated by users regardless of which password change mechanism was used to change the password Thus this log contains records of password changes accomplished by the ...

Page 447: ...S to retain c To limit how old Administrative Audit CSV files retained by Cisco Secure ACS can be select the Delete files older than X days option and type the number of days for which Cisco Secure ACS should retain a Administrative Audit CSV file before deleting it Step 6 Click Submit Cisco Secure ACS saves and implements the Administrative Audit log settings you specified Working with CSV Logs T...

Page 448: ... to configure the log file location for some logs while the location for other log files is not configurable The default directories for all logs are within sysdrive Program Files CiscoSecure ACS vx x For the subdirectory of this location for a specific log see Table 11 5 Table 11 5 Default CSV Log File Locations Log Default Location Configurable TACACS Accounting Logs TACACS Accounting Yes CSV TA...

Page 449: ...V log you want to enable The CSV log Comma Separated Values File Configuration page appears where log is the name of the CSV log you selected Step 4 To enable the log under Enable Logging select the Log to CSV log report check box where log is the name of the CSV log you selected in Step 3 Step 5 To disable the log under Enable Logging clear the Log to CSV report log check box where log is the nam...

Page 450: ...data For example aaa reports by Extraxi supports Cisco Secure ACS http www extraxi com You can download the CSV file for any CSV report you view in Cisco Secure ACS The procedure below includes steps for doing so To view a CSV report follow these steps Step 1 In the navigation bar click Reports and Activity Step 2 Click the name of the CSV report you want to view On the right side of the browser C...

Page 451: ...w to configure the content of a CSV log For instructions to enable or disable a CSV log see Enabling or Disabling a CSV Log page 11 17 The logs to which this procedure applies are as follows TACACS Accounting TACACS Administration RADIUS Accounting VoIP Accounting Failed Attempts Passed Authentications Note The ACS Backup and Restore RDBMS Synchronization and Database Replication CSV logs cannot b...

Page 452: ...of the CSV log you selected The Select Columns To Log table contains two lists Attributes and Logged Attributes The attributes in the Logged Attributes list appear on the log selected Step 4 To add an attribute to the log select the attribute in the Attributes list and then click right arrow button The attribute moves to the Logged Attributes list Tip Use the vertical scroll bar to find attributes...

Page 453: ...s in the X box Step 9 To manage which CSV files Cisco Secure ACS keeps follow these steps a Select the Manage Directory check box b To limit the number of CSV files Cisco Secure ACS retains select the Keep only the last X files option and type the number of files you want Cisco Secure ACS to retain in the X box c To limit how old CSV files retained by Cisco Secure ACS can be select the Delete file...

Page 454: ...p 3 Enable ODBC logging in the Cisco Secure ACS HTML interface a In the navigation bar click Interface Configuration b Click Advanced Options c Select the ODBC Logging check box d Click Submit Cisco Secure ACS enables the ODBC logging feature On the Logging page in the System Configuration section Cisco Secure ACS displays links for configuring ODBC logs You can now configure individual ODBC logs ...

Page 455: ... IP address of the server on which the ODBC compliant relational database runs Step 7 Click OK Step 8 Close the ODBC window and Windows Control Panel The System DSN to be used by Cisco Secure ACS for communicating with the relational database is created on the computer running Cisco Secure ACS The name you assigned to the DSN appears in the Data Source list on each ODBC log configuration page Conf...

Page 456: ... database a To add an attribute to the log select the attribute in the Attributes list and then click right arrow button The attribute moves to the Logged Attributes list Tip Use the vertical scroll bar to find attributes not visible in the list box b To remove an attribute from the log select the attribute in the Logged Attributes list and then click left arrow button The attribute moves to the A...

Page 457: ...tep 8 Click Show Create Table The right side of the browser displays an SQL create table statement for Microsoft SQL Server The table name is the name specified in the Table Name box The column names are the attributes specified in the Logged Attributes list Note The generated SQL is valid for Microsoft SQL Server only If you are using another relational database refer to your relational database ...

Page 458: ...mplementing Centralized Remote Logging page 11 27 Remote Logging Options page 11 28 Enabling and Configuring Remote Logging page 11 29 Disabling Remote Logging page 11 31 About Remote Logging The Remote Logging feature enables you to centralize accounting logs generated by multiple Cisco Secure ACSes You can configure each Cisco Secure ACS to point to one Cisco Secure ACS that is to be used as a c...

Page 459: ...ation page 4 34 Implementing Centralized Remote Logging Before You Begin Make sure that gateway devices between remote Cisco Secure ACSes and the central logging Cisco Secure ACS permit the central logging Cisco Secure ACS to receive data on TCP port 2001 To implement centralized remote logging follow these steps Step 1 On a computer that you want to use to store centralized logging data install C...

Page 460: ... Configuration page 4 21 b Enable remote logging For more information see Enabling and Configuring Remote Logging page 11 29 Step 4 If you want to create other central logging servers for use either as secondary servers or as mirrored logging servers perform Step 1 through Step 3 for each additional server Remote Logging Options Cisco Secure ACS provides the remote logging options listed below The...

Page 461: ...rk Configuration to which Cisco Secure ACS does send accounting data for locally authenticated sessions Enabling and Configuring Remote Logging Note Before configuring the Remote Logging feature on a Cisco Secure ACS make sure that you have configured your central logging Cisco Secure ACS For more information see Implementing Centralized Remote Logging page 11 27 To enable and configure remote log...

Page 462: ... Cisco Secure ACS you want to have in the Selected Log Services list follow these steps a In the Remote Log Services list select the name of a Cisco Secure ACS to which you want to send accounting data for locally authenticated sessions Note The Cisco Secure ACSes available in the Remote Log Services list is determined by the AAA Servers table in Network Configuration For more information about th...

Page 463: ...ubmit Cisco Secure ACS no longer sends its accounting information for locally authenticated sessions to remote logging servers Service Logs Service logs are considered diagnostic logs and are used for troubleshooting or debugging purposes only These logs are not intended for general use by Cisco Secure ACS administrators instead they are mainly sources of information for Cisco support personnel Se...

Page 464: ...ing is the default directory for the CiscoSecure authentication service c Program Files CiscoSecure ACS vx x CSAuth Logs The most recent debug log is named as follows SERVICE log where SERVICE is the name of the applicable service Older debug logs are named with the year month and date they were created For example a file created on July 13 1999 would be named as follows SERVICE 1999 07 13 log whe...

Page 465: ...og file at 12 01 A M local time every Sunday Every Month Cisco Secure ACS generates a new log file at 12 01 A M on the first day of every month When Size is Greater than x KB Cisco Secure ACS generates a new log file after the current service log file reaches the size specified in kilobytes by x Manage Directory You can control how long service log files are kept Keep only the last x files Cisco S...

Page 466: ...vel of detail Step 5 To manage which service log files Cisco Secure ACS keeps follow these steps a Select the Manage Directory check box b To limit the number of service log files Cisco Secure ACS retains select the Keep only the last X files option and in the X box type the number of files you want Cisco Secure ACS to retain c To limit how old service log files retained by Cisco Secure ACS can be...

Page 467: ...s Administrator Accounts page 12 1 Access Policy page 12 11 Session Policy page 12 16 Audit Policy page 12 18 Administrator Accounts This section provides details about Cisco Secure ACS administrators This section contains the following topics About Administrator Accounts page 12 2 Administrator Privileges page 12 3 Adding an Administrator Account page 12 6 Editing an Administrator Account page 12...

Page 468: ...users with administrator privileges In the HTML interface an administrator can configure any of the features provided in Cisco Secure ACS however the ability to access various parts of the HTML interface can be limited by revoking privileges to those parts of the HTML interface that a given administrator is not allowed to access For example you may want to limit access to the Network Configuration...

Page 469: ...inistrator does not have edit privileges and to which the administrator cannot add users Editable Groups Lists the user groups for which the administrator does have edit privileges and to which the administrator can add users Shared Profile Components Contains the following privilege options for the Shared Profile Components section of the HTML interface Network Access Restriction Sets Allows the ...

Page 470: ...8 1 Date Time Format Control For more information about this feature see Date Format Control page 8 3 Logging Control For more information about this feature see Logging page 8 3 Local Password Management For more information about this feature see Local Password Management page 8 5 DB Replication For more information about this feature see CiscoSecure Database Replication page 9 1 RDBMS Synchroni...

Page 471: ...rface Reports Activity Contains the privilege options for the reports and features found in the Reports and Activity section of the HTML interface For each of the following features enabling the option allows the administrator full access to the feature TACACS Accounting For more information about this report see Accounting Logs page 11 6 TACACS Administration For more information about this repor...

Page 472: ...ormation about this report see Cisco Secure ACS System Logs page 11 13 Adding an Administrator Account Before You Begin For descriptions of the options available while adding an administrator account see Administrator Privileges page 12 3 To add a Cisco Secure ACS administrator account follow these steps Step 1 In the navigation bar click Administration Control Step 2 Click Add Administrator The A...

Page 473: ...oup in the Editable groups list and then click left arrow button The selected group moves to the Available groups list d To move all user groups to the Editable groups list click The user groups in the Available groups list move to the Editable groups list e To remove all user groups from the Editable groups list click The user groups in the Editable groups list move to the Available groups list S...

Page 474: ...tep 1 In the navigation bar click Administration Control Cisco Secure ACS displays the Administration Control page Step 2 Click the name of the administrator account whose privileges you want to edit The Edit Administrator name page appears where name is the name of the administrator account you just selected Step 3 To change the administrator password follow these steps a In the Password box doub...

Page 475: ...are cleared All user groups move to the Available groups list Step 7 To grant user and user group editing privileges follow these steps a Under User Group Setup select the applicable check boxes b To move all user groups to the Editable groups list click The user groups in the Available groups list move to the Editable groups list c To move a user group to the Editable groups list select the group...

Page 476: ...the administrator cannot access the HTML interface For more information about configuring how many successive failed login attempts can occur before Cisco Secure ACS disables an administrator account see Session Policy page 12 16 To reset the failed attempts count for an administrator follow these steps Step 1 In the navigation bar click Administration Control Cisco Secure ACS displays the Adminis...

Page 477: ...nt that you want to delete The Edit Administrator name page appears where name is the name of the administrator account you just selected Step 3 Click Delete Cisco Secure ACS displays a confirmation dialog box Step 4 Click OK Cisco Secure ACS deletes the administrator account The Administrators table on the Administration Control page no longer lists the administrator account that you deleted Acce...

Page 478: ...ess ranges The ranges are always inclusive that is the range includes the start and end IP addresses The IP addresses entered to define a range must differ only in the last octet Class C format The IP Address Ranges table contains one column of each of the following boxes Start IP Address Defines the lowest IP address of the range specified in the current row End IP Address Defines the highest IP ...

Page 479: ...the HTML interface from outside a firewall keep the HTTP port range as narrow as possible This can help prevent accidental discovery of an active administrative port by unauthorized users An unauthorized user would have to impersonate or spoof the IP address of a legitimate host to make use of the active administrative session HTTP port Secure Socket Layer Setup The Use HTTPS Transport for Adminis...

Page 480: ...any IP address in the IP Address Filtering table select the Allow all IP addresses to connect option Step 4 To allow remote access to the HTML interface only from IP addresses within a range or ranges of IP addresses follow these steps a In the IP Address Filtering table select the Allow only listed IP addresses to connect option b For each IP address range from within which you want to allow remo...

Page 481: ...Cisco Secure ACS to use only a specified range of TCP ports for administrative sessions follow these steps a Under HTTP Port Allocation select the Restrict Administration Sessions to the following port range From Port X to Port Y option b In the X box type the lowest TCP port up to 5 characters in the range c In the Y box type the highest TCP port up to 5 characters in the range Step 8 If you want...

Page 482: ...nistrative dial up session An administrator whose administrative session is terminated receives a dialog box asking whether or not the administrator wants to continue If the administrator chooses to continue Cisco Secure ACS starts a new administrative session Allow Automatic Local Login Enables administrators to start an administrative session without logging in if they are using a browser on the...

Page 483: ...isco Secure ACS allows unlimited successive failed login attempts by an administrator Setting Up Session Policy For information about session policy options see Session Policy Options page 12 16 To setup Cisco Secure ACS Session Policy follow these steps Step 1 In the navigation bar click Administration Control Cisco Secure ACS displays the Administration Control page Step 2 Click Session Policy T...

Page 484: ...x Step 6 Set the failed administrative login attempts policy a To enable Cisco Secure ACS to lock out an administrator after a specified number of successive failed administrative login attempts select the Lock out Administrator after X successive failed attempts check box b In the X box type the number of successive failed login attempts after which Cisco Secure ACS locks out an administrator The...

Page 485: ...les you to apply different databases to different types of users depending on the security requirements associated with user authorizations on your network For example a common configuration is to use a Windows user database for standard network users and a token server for network administrators Note For information about the Unknown User Policy and group mapping features see Chapter 15 Unknown U...

Page 486: ...ave an account in the CiscoSecure user database About the CiscoSecure User Database The CiscoSecure user database draws information from several data sources including a memory mapped hash indexed file VarsDB MDB in Microsoft Jet database format and the Windows Registry VarsDB MDB uses an index and tree structure so searches can occur logarithmically rather than linearly thus yielding very fast lo...

Page 487: ...licy is authenticated the user group assignment is made dynamically For some external user database types user group assignment is based on group membership in the external user database For other database types all users authenticated by a given database are assigned to a single Cisco Secure ACS user group For more information about group mapping see Chapter 16 User Group Mapping and Specificatio...

Page 488: ... Cisco Secure ACS can perform authentication for TACACS enable privileges using external user databases For more information about TACACS enable passwords see Setting TACACS Enable Password Options for a User page 7 35 Note You can only use external users databases to authenticate users and to determine which group Cisco Secure ACS assigns a user to The CiscoSecure user database internal to Cisco ...

Page 489: ...ers with an external user database requires more than configuring Cisco Secure ACS to communicate with an external user database Performing one of the configuration procedures for an external database that are provided in this chapter does not on its own instruct Cisco Secure ACS to authenticate any users with that database After you have configured Cisco Secure ACS to communicate with an external...

Page 490: ... the authentication request from Cisco Secure ACS Upon receiving the response from the external user database Cisco Secure ACS instructs the requesting AAA client to grant or deny the user access depending upon the response from the external user database Figure 13 1 shows a AAA configuration with an external user database Figure 13 1 A Simple AAA Scenario The specifics of the method used to commu...

Page 491: ...orking Clients without a Domain Field page 13 11 Usernames and Windows Authentication page 13 11 Username Formats and Windows Authentication page 13 11 Non domain qualified Usernames page 13 13 Domain Qualified Usernames page 13 14 UPN Usernames page 13 14 EAP and Windows Authentication page 13 15 EAP TLS Domain Stripping page 13 16 Machine Authentication page 13 16 Machine Access Restrictions pag...

Page 492: ...Authentication Protocol Database Compatibility page 1 10 Machine Authentication Cisco Secure ACS supports machine authentication with EAP TLS and PEAP EAP MSCHAPv2 For more information see EAP and Windows Authentication page 13 15 Group Mapping for Unknown Users Cisco Secure ACS supports group mapping for unknown users by requesting group membership information from Windows user databases For more...

Page 493: ...in permission to the user This setting is labeled Grant dialin permission to user in Windows NT and Allow access in the Remote Access Permission area in Windows 2000 If this feature is disabled for the user access is denied even if the username and password are typed correctly Trust Relationships Cisco Secure ACS can take advantage of trust relationships that have been established between Windows ...

Page 494: ...Networking Clients The dial up networking clients for Windows NT 2000 XP Professional and Windows 95 98 Millennium Edition ME XP Home enable users to connect to your network remotely but the fields provided differ Windows Dial up Networking Clients with a Domain Field If users dial in to your network using the dial up networking client provided with Windows NT Windows 2000 or Windows XP Profession...

Page 495: ... page 13 13 password Type your password Usernames and Windows Authentication This section contains the following topics Username Formats and Windows Authentication page 13 11 Non domain qualified Usernames page 13 13 Domain Qualified Usernames page 13 14 UPN Usernames page 13 14 Username Formats and Windows Authentication Cisco Secure ACS supports Windows authentication for usernames in a variety ...

Page 496: ...l yang is non domain qualified For more information see Non domain qualified Usernames page 13 13 2 If the username contains a backslash character that precedes any at characters Cisco Secure ACS considers the username to be domain qualified For example Cisco Secure ACS considers the following usernames to be domain qualified MAIN cyril yang MAIN cyril yang central office For more information see ...

Page 497: ...n domain qualified username succeeds the privileges assigned upon authentication will be those associated with the Windows user account in the first domain with a matching username and password This also illustrates the importance of removing usernames from a domain when the user account is no longer needed Note If the credentials submitted by the user do not match the credentials associated with ...

Page 498: ...ected to a specific domain rather than depending upon Windows to attempt authentication with the correct domain or upon using the Domain List to direct Cisco Secure ACS to submit the username repeatedly in a domain qualified format Domain qualified usernames have the following format DOMAIN user For example the domain qualified username for user Mary Smith msmith in Domain10 would be Domain10 msmi...

Page 499: ...ang If the username received is cyril yang central office example com Cisco Secure ACS submits to Windows an authentication request containing the username cyril yang central office Note Cisco Secure ACS cannot tell the difference between a non domain qualified username that contains an at character and a UPN username all usernames containing an at character that are not preceded by a backslash ch...

Page 500: ...after jsmith cannot be found in corporation com will Cisco Secure ACS use the Domain List and find the user in the engineering domain The additional delay could be several seconds For more information about the Domain List see Non domain qualified Usernames page 13 13 You can enable EAP TLS domain name stripping on the Windows User Database Configuration page Note EAP TLS domain name stripping ope...

Page 501: ... not enforce domain policies such as running login scripts dictated by the domain Tip If a computer fails machine authentication and the user hasn t successfully logged in to the domain using the computer since the most recent user password change the cached credentials on the computer will not match the new password Instead the cached credentials will match an older password of the user provided ...

Page 502: ...authentication machine authentication occurs when the computer started Provided that the AAA client sends RADIUS accounting data to Cisco Secure ACS when a computer is started and before a user logs in on that computer the computer appears on the Logged In Users List in the Reports and Activity section Once user authentication begins the computer no longer appears on the Logged In Users List PEAP ...

Page 503: ...feature Cisco Secure ACS does the following For every successful machine authentication Cisco Secure ACS caches the value received in IETF RADIUS Calling Station Id attribute 31 as evidence of the successful machine authentication Cisco Secure ACS stores each Calling Station Id attribute value for the number of hours specified on the Windows User Database Configuration page before deleting it from...

Page 504: ...Microsoft PEAP and fast reconnections for Microsoft PEAP The MAR feature has the following limitations and requirements Machine authentication must be enabled Users must authenticate with EAP TLS or a Microsoft PEAP client MAR does not apply to users authenticated by other protocols such as EAP FAST LEAP or MS CHAP The AAA client must send a value in the IETF RADIUS Calling Station Id attribute 31...

Page 505: ...icate of the CA that issued the Cisco Secure ACS server certificate is stored in machine storage on client computers User storage is not available during machine authentication therefore if the CA certificate is in user storage machine authentication fails 3 Select the wireless network In Windows XP you can select the network on the Wireless Networks tab of the wireless network connection properti...

Page 506: ...e as computer when computer information is available check box c From the EAP type list select Smart Card or other Certificate d On the Smart Card or other Certificate Properties dialog box select the Use a certificate on this computer option e Also on the Smart Card or other Certificate Properties dialog box you can enforce that Cisco Secure ACS has a valid server certificate by selecting the Val...

Page 507: ...PEAP user authentication or to support HTTPS protection of remote Cisco Secure ACS administration you do not need to perform this step A single server certificate will support all certificate based Cisco Secure ACS services and remote administration Step 2 For EAP TLS machine authentication if certificates on end user clients are issued by a different CA than the CA that issued the server certific...

Page 508: ...e a Windows external user database configured modify its configuration to enable the applicable machine authentication types For detailed steps see Configuring a Windows External User Database page 13 30 Cisco Secure ACS is ready to perform machine authentication for computers whose names exist in CiscoSecure user database Step 5 If you have not already enabled the Unknown User Policy and added th...

Page 509: ...database for authentication End user clients must be compatible with MS CHAP PEAP EAP GTC PEAP EAP MSCHAPv2 or EAP FAST The AAA client that the end user clients connect to must support the applicable protocols For MS CHAP password aging the AAA client must support RADIUS based MS CHAP authentication For PEAP EAP MSCHAPv2 PEAP EAP GTC and EAP FAST password aging the AAA client must support EAP When...

Page 510: ... Group Mappings in the External User Databases section of Cisco Secure ACS Windows User Database Configuration Options The Windows User Database Configuration page contains the following configuration options Dialin Permission You can restrict network access to users whose Windows accounts have Windows dialin permission The Grant dialin permission to user check box controls this feature Note This ...

Page 511: ...thenticates the user Note Configuring the Domain List list is optional For more information about the Domain List see Non domain qualified Usernames page 13 13 Caution If your Domain List contains domains and your Windows SAM or Active Directory user databases are configured to lock out users after a number of failed attempts users can be inadvertently locked out because Cisco Secure ACS tries eac...

Page 512: ...te Performing domain name stripping can speed EAP TLS authentication when the domain that must authenticate a user is not the domain represented in the SAN field For example a user s SAN field may contain jsmith corporation com but jsmith may need to authenticate using the domain controller for a subdomain named engineering Stripping corporation com from the username eliminates the needless attemp...

Page 513: ...twork with computer that fail machine authentication For more information about the MAR feature see Machine Access Restrictions page 13 19 Note Be sure you have enabled the types of machine authentication that your Windows computers are configured to use either PEAP machine authentication or EAP TLS authentication or both If the MAR feature is enabled but Cisco Secure ACS does not perform machine ...

Page 514: ...on for longer than the number of hours specified in the Aging time hours box To deny such users any access to the network select No Access which is the default setting Note User profile settings always override group profile settings If a user profile grants an authorization that is denied by the group specified in the Group map for successful user authentication without machine authentication lis...

Page 515: ... provided or accept the default name in the box c Click Submit Cisco Secure ACS lists the new configuration in the External User Database Configuration table Step 5 Click Configure The Windows User Database Configuration page appears Step 6 As needed configure the options in the following tables Dialin Permission Domain List MS CHAP Settings EAP Settings For information about the options on the Wi...

Page 516: ...AP external user databases Note Authentication protocols not supported with LDAP databases may be supported by another type of external user database For more information about authentication protocols and the external database types that support them see Authentication Protocol Database Compatibility page 1 10 Cisco Secure ACS supports group mapping for unknown users by requesting group membershi...

Page 517: ... ACS that grants authorization privileges Multiple LDAP Instances You can create more than one LDAP configuration in Cisco Secure ACS By creating more than one LDAP configuration with different IP address or port settings you can configure Cisco Secure ACS to authenticate using different LDAP servers or using different databases on the same LDAP server Each primary server IP address and port confi...

Page 518: ...ain Filtering Using domain filtering you can control which LDAP instance is used to authenticate a user based on domain qualified usernames Domain filtering is based on parsing the characters either at the beginning or end of a username submitted for authentication Domain filtering provides you with greater control over the LDAP instance that Cisco Secure ACS submits any given user authentication ...

Page 519: ...d or non domain qualified The end user client or AAA client must submit the username to Cisco Secure ACS in a domain qualified format otherwise Cisco Secure ACS cannot determine the user s domain and does not attempt to authenticate the user with the LDAP configuration that uses this form of domain filtering Allowing any domain but stripping domain qualifiers Per each LDAP configuration in Cisco S...

Page 520: ...ry check box is selected and if the first LDAP server that Cisco Secure ACS attempts to contact cannot be reached Cisco Secure ACS always attempts to contact the other LDAP server The first server Cisco Secure ACS attempts to contact may not always be the primary LDAP server Instead the first LDAP server that Cisco Secure ACS attempts to contact depends on the previous LDAP authentication attempt ...

Page 521: ...t to the primary LDAP server first And if Cisco Secure ACS cannot connect to the primary LDAP server Cisco Secure ACS then attempts to connect to the secondary LDAP server If fewer minutes have passed than the value specified in the Failback Retry Delay box Cisco Secure ACS attempts to connect to the secondary LDAP server first And if Cisco Secure ACS cannot connect to the secondary LDAP server Ci...

Page 522: ...usernames that are domain qualified is selected this option specifies the type of domain qualification If you select Prefix Cisco Secure ACS only processes usernames that begin with the characters specified in the Domain Qualifier box If you select Suffix Cisco Secure ACS only processes usernames that end in the characters specified in the Domain Qualifier box Note Regardless of the domain qualifi...

Page 523: ...ACS finds the delimiter character that is specified in the X box it strips all characters from the beginning of the username through the delimiter character If the username contains more than one of the characters specified in the X box Cisco Secure ACS strips characters through the last occurrence of the delimiter character For example if the delimiter character is and the username is DOMAIN echa...

Page 524: ...ether the authentication is handled by the primary or secondary LDAP server This table contains the following options User Directory Subtree The distinguished name DN for the subtree that contains all users For example ou organizational unit ou next organizational unit o corporation com If the tree containing users is the base DN type o corporation com or dc corporation dc com as applicable to you...

Page 525: ...Name The name of the attribute of the group record that contains the list of user records that are a member of that group Server Timeout The number of seconds Cisco Secure ACS waits for a response from an LDAP server before determining that the connection with that server has failed On Timeout Use Secondary Whether Cisco Secure ACS performs failover of LDAP authentication attempts For more informa...

Page 526: ...ile must contain the certificates for the server to be queried and the trusted CA You can use a Netscape web browser to generate cert7 db files For information about generating a cert7 db file refer to Netscape documentation To perform secure authentication using SSL you must provide a cert7 db certificate database file Cisco Secure ACS requires a certificate database so that it can establish the ...

Page 527: ...ntials Otherwise you must specify an administrator username that permits the group name attribute to be visible to searches Note If the administrator username specified does not have permission to see the group name attribute in searches group mapping fails for users authenticated by LDAP Password The password for the administrator account specified in the Admin DN box Password case sensitivity is...

Page 528: ...ternal User Database Configuration table appears Step 4 If you are creating a configuration follow these steps a Click Create New Configuration b Type a name for the new configuration for generic LDAP in the box provided c Click Submit Cisco Secure ACS lists the new configuration in the External User Database Configuration table Step 5 Under External User Database Configuration select the name of ...

Page 529: ...the Domain Qualifier box type the name of the domain that you want this LDAP configuration to authenticate usernames for Include the delimiting character that separates the user ID from the domain name Be sure that the delimiting character appears in the applicable position at the end of the domain name if Prefix is selected on the Qualified by list at the beginning of the domain name if Suffix is...

Page 530: ...ers from the first X character check box and then type the domain qualifier delimiting character in the X box Note The X box cannot contain the following special characters If any of these characters are in the X box stripping fails Step 10 Under Common LDAP Configuration in the User Directory Subtree box type the DN of the tree containing all your users Step 11 In the Group Directory Subtree box ...

Page 531: ... 16 In the GroupAttributeName box type the name of the attribute of the group record that contains the list of user records who are a member of that group Step 17 In the Server Timeout box type the number of seconds Cisco Secure ACS waits for a response from an LDAP server before determining that the connection with that server has failed Step 18 To enable failover of LDAP authentication attempts ...

Page 532: ...lly used c To specify that Cisco Secure ACS should use LDAP version 3 to communicate with your LDAP database select the LDAP Version check box If the LDAP Version check box is not selected Cisco Secure ACS uses LDAP version 2 d The username and password credentials are normally passed over the network to the LDAP directory in clear text To enhance security select the Use secure authentication chec...

Page 533: ...cure ACS saves the generic LDAP configuration you created You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication For more information about the Unknown User Policy see About Unknown User Authentication page 15 4 For more information about configuring user accounts to authenticate using this database see Chapter 7 User Management Nove...

Page 534: ...formation Cisco Secure ACS retrieves no user settings from Novell NDS databases however Cisco Secure ACS enforces password restrictions login restrictions time restrictions and account restrictions for each user Cisco Secure ACS accomplishes this by interpreting authentication responses received from a Novell NDS database Cisco Secure ACS does not enforce address restrictions Configuring Cisco Sec...

Page 535: ... fully qualified usernames In other words if none of the contexts in the list of contexts contains a username submitted for authentication the username must specify exactly how they are subordinate to the contexts in the list of contexts The user specifies the manner in which a username is subordinate to a context by providing the additional context information needed to uniquely identify the user...

Page 536: ...ing this check box indicates that you want to delete the tree configuration when you click Submit Test Login Selecting this check box causes Cisco Secure ACS to test the administrative login of the tree to the Novell server when you click Submit Tree Name Appears only on the blank form for new trees The name of the Novell NDS tree against which Cisco Secure ACS should authenticate users Administra...

Page 537: ...ng Chicago Corporation Marketing Chicago Corporation You do not need to add users in the Context List box Note Users can provide a portion of their context when they login For more information see User Contexts page 13 51 Context Subtree Selecting this check box causes Cisco Secure ACS to search subtrees for users during authentication The subtrees searched are those of the contexts specified in t...

Page 538: ...xternal user database types Step 4 Click Novell NDS If no Novell NDS database has yet been configured the Database Configuration Creation page appears Otherwise the External User Database Configuration page appears Step 5 If you are creating a configuration follow these steps a Click Create New Configuration b Type a name for the new configuration for Novell NDS Authentication in the box provided ...

Page 539: ...amed tree section and click Submit Then add a new tree with the same configuration data as the deleted misnamed tree making sure the tree name is correct before clicking Submit Step 9 If you want to delete an existing tree configuration select the Delete Tree check box Step 10 Click Submit Cisco Secure ACS saves the NDS configuration you created You can add it to your Unknown User Policy or assign...

Page 540: ...ting with the database Among the parameters you provide are the username and password required for the ODBC driver to gain access to your ODBC compliant relational database This section contains the following topics What is Supported with ODBC User Databases page 13 57 Cisco Secure ACS Authentication Process with an ODBC External User Database page 13 58 Preparing to Authenticate Users with an ODB...

Page 541: ...the ODBC authenticator feature Other authentication protocols are not supported with ODBC external user databases Note Authentication protocols not supported with ODBC external user databases may be supported by another type of external user database For more information about authentication protocols and the external database types that support them see Authentication Protocol Database Compatibil...

Page 542: ...n ODBC database configuration as the authentication method The second is when the user is unknown to the CiscoSecure user database and the Unknown User Policy dictates that an ODBC database is the next external user database to try In either case Cisco Secure ACS forwards user credentials to the ODBC database via an ODBC connection The relational database must have a stored procedure that queries ...

Page 543: ...ompliant relational database on its server For more information refer to the relational database documentation Note The relational database you use is not supplied with Cisco Secure ACS Step 2 Create the database to hold the usernames and passwords The database name is irrelevant to Cisco Secure ACS so you can name the database however you like Step 3 Create the table or tables that will hold the ...

Page 544: ...uthentication protocol used Authentication for ASCII PAP or PEAP EAP GTC occurs within the relational database that is if the stored procedure finds a record with both the username and the password matching the input the user is considered authenticated Authentication for CHAP MS CHAP ARAP LEAP or EAP MD5 occurs within Cisco Secure ACS The stored procedure returns the fields for the record with a ...

Page 545: ...ation while writing your authentication stored procedures in your relational database Type Definitions The Cisco Secure ACS types and their matching SQL types are as follows Integer SQL_INTEGER String SQL_CHAR or SQL_VARCHAR Note For SQL database columns that hold user passwords we recommend using varchar format If you define password columns as char password comparison may fail if the password do...

Page 546: ...tine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server the default procedure used by Cisco Secure ACS for PAP authentication Table and column names that could vary for your database schema are presented in variable text For your convenience the Cisco Secure ACS product CD includes a stub routine for creating a procedure in either SQL Server or Oracle For more information about data...

Page 547: ...r your database schema are presented in variable text For more information about data type definitions procedure parameters and procedure results see ODBC Database page 13 55 if exists select from sysobjects where id object_id dbo CSNTExtractUserClearTextPw and sysstat 0xf 4 drop procedure dbo CSNTExtractUserClearTextPw GO CREATE PROCEDURE CSNTExtractUserClearTextPw username varchar 64 AS SET NOCO...

Page 548: ...arameters and procedure results see ODBC Database page 13 55 if exists select from sysobjects where id object_id dbo CSNTFindUser and sysstat 0xf 4 drop procedure dbo CSNTFindUser GO CREATE PROCEDURE CSNTFindUser username varchar 64 AS SET NOCOUNT ON IF EXISTS SELECT username FROM users WHERE username username SELECT 0 csntgroup csntacctinfo No Error FROM users WHERE username username ELSE SELECT ...

Page 549: ...fter a failure if the result is greater than or equal to 4 Table 13 2 PAP Stored Procedure Input Field Type Explanation CSNTusername String 0 64 characters CSNTpassword String 0 255 characters Table 13 3 PAP Stored Procedure Results Field Type Explanation CSNTresult Integer See Table 13 8 CSNTgroup Integer The Cisco Secure ACS group number for authorization 0xFFFFFFFF is used to assign the default...

Page 550: ...RAP authentication The stored procedure should accept the named input value as a variable Note Because Cisco Secure ACS performs authentication for CHAP MS CHAP ARAP the user password is not an input Table 13 4 The input name is for guidance only A procedure variable created from it can have a different name CHAP MS CHAP ARAP Procedure Output The stored procedure must return a single row containin...

Page 551: ...t Integer See Table 13 8 Result Codes CSNTgroup Integer The Cisco Secure ACS group number for authorization 0xFFFFFFFF is used to assign the default value Values other than 0 499 are converted to the default Note The group specified in the CSNTgroup field overrides group mapping configured for the ODBC external user database CSNTacctInfo String 0 15 characters A customer defined string that Cisco ...

Page 552: ...cedure Input Field Type Explanation CSNTusername String 0 64 characters Table 13 7 EAP TLS Stored Procedure Results Field Type Explanation CSNTresult Integer See Table 13 8 Result Codes CSNTgroup Integer The Cisco Secure ACS group number for authorization 0xFFFFFFFF is used to assign the default value Values other than 0 499 are converted to the default Note The group specified in the CSNTgroup fi...

Page 553: ...n you want the failed authentication log files to include A return code of 4 or higher results in an authentication error event These errors do not increment per user failed attempt counters Additionally error codes are returned to the AAA client so it can distinguish between errors and failures and if configured to do so fall back to a backup AAA server Successful or failed authentications are no...

Page 554: ...strative Tools Data Sources ODBC Tip If Control Panel is not expanded on the Start menu choose Start Settings Control Panel double click Administrative Tools and then double click Data Sources ODBC The ODBC Data Source Administrator window appears Step 4 Click the System DSN tab Step 5 Click Add Step 6 Select the driver you need to use with your new DSN and then click Finish A dialog box displays ...

Page 555: ...gured or functions For information about your relational database refer to your relational documentation Note Before performing this procedure you should have completed the steps in Preparing to Authenticate Users with an ODBC Compliant Relational Database page 13 59 To configure Cisco Secure ACS for ODBC authentication follow these steps Step 1 In the navigation bar click External User Databases ...

Page 556: ...red to perform transactions with your ODBC database Step 9 In the DSN Connection Retries box type the number of times Cisco Secure ACS should try to connect to the ODBC database before timing out The default is 3 Note If you have connection problems when Windows starts increase this value Step 10 To change the ODBC worker thread count in the ODBC Worker Threads box type the number of ODBC worker t...

Page 557: ... else change this entry to match the name given to the PAP SQL procedure For more information and an example routine see Sample Routine for Generating a PAP Authentication SQL Procedure page 13 62 Note If you enabled PAP authentication the PAP authentication SQL procedure must exist on the ODBC database and must have the exact name specified in the PAP SQL Procedure box If it does not be sure to c...

Page 558: ...rocedure something else change this entry to match the name given to the EAP TLS SQL procedure For more information and an example routine see Sample Routine for Generating an EAP TLS Authentication Procedure page 13 64 Note If you enabled EAP TLS authentication the EAP TLS authentication SQL procedure must exist on the ODBC database and must have the exact name specified in the EAP TLS SQL Proced...

Page 559: ...ocol LEAP proxy RADIUS server authentication allows you to authenticate users against existing Kerberos databases that support MS CHAP authentication You can use the LEAP Proxy RADIUS Server database to authenticate users with any third party RADIUS server that supports MS CHAP authentication Note The third party RADIUS server must return Microsoft Point to Point Encryption MPPE keys in the Micros...

Page 560: ...Proxy RADIUS Server If no LEAP Proxy RADIUS Server configuration exists only the Database Configuration Creation table appears Otherwise in addition to the Database Configuration Creation table the External User Database Configuration table appears Step 4 If you are creating a configuration follow these steps a Click Create New Configuration b Type a name for the new configuration for the LEAP Pro...

Page 561: ...e ACS for RADIUS see RADIUS page 1 7 Timeout seconds The number of seconds Cisco Secure ACS waits before sending notification to the user that the authentication attempt has timed out Retries The number of authentication attempts Cisco Secure ACS makes before failing over to the secondary proxy RADIUS server Failback Retry Delay minutes The number of minutes after which Cisco Secure ACS attempts a...

Page 562: ...about authentication protocols and the external database types that support them see Authentication Protocol Database Compatibility page 1 10 Requests from the AAA client are first sent to Cisco Secure ACS If Cisco Secure ACS has been configured to authenticate against a token server and finds the username it forwards the authentication request to the token server If it does not find the username ...

Page 563: ...o service Cisco Secure ACS caches the token to help make the OTPs easier for users This means that if a token card is being used to authenticate a user on the first B channel a specified period can be set during which the second B channel can come into service without requiring the user to enter another OTP To lessen the risk of unauthorized access to the second B channel you can limit the time th...

Page 564: ... Database page 13 81 Cisco Secure ACS provides a means for specifying a user group assignment in the RADIUS response from the RADIUS enabled token server Group specification always takes precedence over group mapping For more information see RADIUS Based Group Specification page 16 14 Cisco Secure ACS also supports mapping users authenticated by a RADIUS enabled token server to a single group Grou...

Page 565: ...should install and configure your RADIUS token server before configuring Cisco Secure ACS to authenticate users with it For information about installing the RADIUS token server refer to the documentation included with your token server To configure Cisco Secure ACS to authenticate users with a RADIUS Token Sever follow these steps Step 1 In the navigation bar click External User Databases Step 2 C...

Page 566: ...e resolvable by DNS Secondary Server Name IP The hostname or IP address of the secondary RADIUS token server If you provide the hostname the hostname must be resolvable by DNS Shared Secret The shared secret of the RADIUS server This must be identical to the shared secret with which the RADIUS token server is configured Authentication Port The UDP port over which the RADIUS server conducts authent...

Page 567: ...AAA client you must configure the options in the TACACS Shell Configuration table Do one of the following a If you want Cisco Secure ACS to present a custom prompt for tokens select Static sync and async tokens and then type in the Prompt box the prompt that Cisco Secure ACS will present For example if you type Enter your PassGo token in the Prompt box users receive an Enter your PassGo token prom...

Page 568: ...tication for RSA SecurID token servers Other authentication protocols are not supported with RSA SecurID external user databases Note Authentication protocols not supported with RSA SecurID databases may be supported by another type of external user database For more information about authentication protocols and the external database types that support them see Authentication Protocol Database Co...

Page 569: ... Secure ACS to authenticate users with an RSA token server follow these steps Step 1 Install the RSA client on the computer running Cisco Secure ACS a With a username that has administrative privileges log in to the computer running Cisco Secure ACS b Run the Setup program of the ACE Client software following setup instructions provided by RSA Note Do not restart Windows when installation is compl...

Page 570: ...it Cisco Secure ACS lists the new configuration in the External User Database Configuration table Step 6 Click Configure Cisco Secure ACS displays the name of the token server and the path to the authenticator DLL This information confirms that Cisco Secure ACS can contact the RSA client You can add the RSA SecurID external user database to your Unknown User Policy or assign specific user accounts...

Page 571: ...e for which you want to delete a configuration The External User Database Configuration table appears Step 4 If a list appears in the External User Database Configuration table select the configuration you want to delete Otherwise proceed to Step 5 Step 5 Click Delete A confirmation dialog box appears Step 6 Click OK to confirm that you want to delete the selected external user database configurat...

Page 572: ...Chapter 13 User Databases Deleting an External User Database Configuration 13 88 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 573: ...omputers on a network The role of Cisco Secure Access Control Server ACS for Windows Server in NAC is to perform posture validation This chapter contains the following topics About Network Admission Control page 14 1 Implementing Network Admission Control page 14 5 NAC Databases page 14 10 NAC Policies page 14 16 About Network Admission Control This section contains the following topics NAC AAA Co...

Page 574: ...see About NAC Credentials and Attributes page 14 11 NAC compliant applications Applications that integrate with the NAC client Examples of such applications are Cisco Security Agent and anti virus programs from Network Associates Symantec or Trend Micro These applications provide the NAC client with attributes about themselves such as the version number of a virus definition file AAA client A netw...

Page 575: ... compliant application installed on the computer 5 Using the received credentials Cisco Secure ACS does the following a Cisco Secure ACS uses the Unknown User Policy to determine which NAC database to use to perform the posture validation selecting the first NAC database whose mandatory credential types are satisfied by the credentials in the validation request Note If the Unknown User Policy cann...

Page 576: ...dles the results of the posture validation request according to its configuration The AAA client enforces network access as dictated by Cisco Secure ACS in its RADIUS response By configuring group mapping you define authorizations and therefore network access control based on the system posture token determined as a result of posture validation Posture Tokens Posture tokens are symbols that repres...

Page 577: ...s that do not respond to attempts to start a posture validation session with CTA This occurs if CTA is not installed on the computer or is unreachable for other reasons To account for this scenario IOS enables you to define a username and password that it uses for authorization requests on behalf of all non responsive computers In Cisco Secure ACS you must create the corresponding user account and...

Page 578: ...with external policies and the following are both true Cisco Secure ACS uses HTTPS to communicate with external NAC servers The external NAC servers use a different CA than the CA that issued the Cisco Secure ACS server certificate installed in Step 1 then you must configure the Certificate Trust List CTL For detailed steps see Editing the Certificate Trust List page 10 38 If the CA that issued th...

Page 579: ... configured in the Network Configuration section do so now For detailed steps see Adding a AAA Client page 4 16 Step 7 Select the user groups that you want to use for NAC You are likely to want a separate user group for each possible SPT therefore select five user groups If possible choose groups that have not been configured to authorize users Additionally consider using groups widely separated f...

Page 580: ... database has no mandatory credential types and therefore can perform posture validation for any request regardless of the credentials included in the request Step 10 For each SPT create a downloadable IP ACL set that limits network access appropriately If you have more than one NAC database and need to control network access differently for the same SPT for each NAC you must create downloadable I...

Page 581: ...osture token can result in the incorrect SPT being sent to the AAA client or if the AV pair name is mistyped the AAA client not receiving the SPT at all Note The AV pair names above are case sensitive For detailed steps about configuring the RADIUS Cisco IOS PIX cisco av pair attribute in a group profile see Configuring Cisco IOS PIX RADIUS Settings for a User Group page 6 40 For more information ...

Page 582: ...l databases and Cisco Secure ACS performs no user authentication with a NAC database A NAC database consists of the following Mandatory credential types A NAC database has zero or more mandatory credential types Cisco Secure ACS determines whether to use a NAC database to evaluate a posture validation request by comparing the credentials received in the request to the mandatory credentials types a...

Page 583: ...l NAC server In either case the contents of inbound attributes provide the information used to determine posture and thus to control network admission for the computer Cisco Secure ACS uses NAC attributes in its response to the NAC client These attributes are known as outbound attributes For example APTs and the SPT are sent to the NAC client in attributes Credential types are uniquely identified ...

Page 584: ...iguration page you can configure a NAC database The options for configuring a NAC database are as follows Mandatory Credential Types Displays the following options Credential Types Displays the credential types that must be present in a posture validation request in order for Cisco Secure ACS to use the database to evaluate the request If a request does not contain the mandatory credential types C...

Page 585: ...bles you to go to the Select External Policies page for the current NAC database From that page you can select external policies that the current NAC database uses and you can also access the External Policy Configuration page to create additional local policies Policy Selection Options Policy selection pages enable you to specify the policies that Cisco Secure ACS should use to evaluate posture v...

Page 586: ...ase Configuration Cisco Secure ACS displays a list of all possible external user database types Step 3 Click Network Admission Control If no NAC database exists only the Database Configuration Creation table appears Otherwise in addition to the Database Configuration Creation table the External User Database Configuration table appears Step 4 If you are creating a configuration follow these steps ...

Page 587: ... credential type appears in the Selected Credentials list Tip To remove a credential type from the Selected Credentials list select it and click the left arrow c Click Submit The Expected Host Configuration page for this NAC database reappears The Mandatory Credential Types table lists the selected credential types Cisco Secure ACS will use this NAC database for posture validation only when the va...

Page 588: ...policy appears in the Selected Policies list Tip To remove a policy from the Selected Policies list select it and click the left arrow d Click Submit In the Credential Validation Policies table the Expected Host Configuration page displays the policies you selected e Repeat a through d as needed Step 9 Click Save Configuration Cisco Secure ACS saves the NAC database you created You can add the new...

Page 589: ...e as follows Result credential type The credential type and therefore the NAC compliant application to which the policy evaluation result applies Token One of five predefined tokens that represents the posture of the NAC client and specifically the application defined by the result credential type Action An optional text string sent in the posture validation response to the application defined by ...

Page 590: ...ction associated with the rule Cisco Secure ACS does not evaluate the credentials with any additional rules No configurable rule matches When the attributes included in the posture validation request satisfy no policy rules Cisco Secure ACS uses the result credential type application posture token and action associated with the default rule as the result of the policy Note Applying a policy to a p...

Page 591: ... In the HTML interface when you define a rule element with a boolean attribute valid input are the words false and true Valid operators are equal to and not equal to When a rule element using a boolean attribute is evaluated false corresponds to a value of 0 zero and true corresponds to 1 For example if a rule element for a boolean attribute requires that the attribute is not equal to false and th...

Page 592: ...y hh mm ss version The attribute can contain an application or data file version Valid operators are equal to not equal to greater than less than less than or equal to and greater than or equal to Valid format in rule elements n n n n where each n can be an integer from 0 to 65535 octet array The attribute can contain data of arbitrary type and variable length Valid operators are equal to and not ...

Page 593: ... in the attribute is less than the value that you specify less than or equal to The rule element is true if the value contained in the attribute is less than or equal to the value that you specify greater than or equal to The rule element is true if the value contained in the attribute is greater than or equal to the value that you specify contains The rule element is true if the attribute contain...

Page 594: ...k and IP address that you specify as the rule element value The format for the rule element value is mask IP For example using the mask operator with a value of 255 255 255 0 192 168 73 8 would match an attribute containing an IP address of 192 168 73 0 to 192 168 73 255 Any mask is permissible and Cisco Secure ACS determines the set of IP addresses matching the value specified using standard subn...

Page 595: ...about the order of rules see About Local Policies page 14 18 The Configurable Rules table contains the following options Result Credential Type Specifies a vendor and application If the rule is true the Result Credential Type determines the application to which the token in the corresponding Token list is associated Credential types are listed by the vendor name and application name For example CT...

Page 596: ...rule element was created For details about the meaning of each column see the corresponding option description below The Rule Elements Table is limited to displaying 27 characters in the Attribute column and 11 characters in the Value column Remove button Removes the selected rule element from the Rule Elements Table and sets the Attribute Operator and Value options to the values in the correspond...

Page 597: ... the contents of the attribute Enter button Adds the rule element defined in the Attribute Operator and Value options to the Rule Elements Table Creating a Local Policy This procedure describes how you can create a local policy Before You Begin Although local policies can be selected for more than one NAC database the page for creating a local policy must be accessed through the configuration page...

Page 598: ...ck Local Policies The Select Local Policies page appears e Click New Local Policy The Local Policy Configuration page appears Step 2 In the Name box type a descriptive name for the policy Step 3 In the Description box type a useful description of the policy Step 4 Create one or more rules as needed to define the policy For each rule you want to create follow these steps a Click New Rule The Edit R...

Page 599: ...ation about tokens see Posture Tokens page 14 4 If the rule matches the posture validation request Cisco Secure ACS associates with the policy the result credential type token and action that you specify Step 5 After you create the rules required to define the policy order the rules as needed Cisco Secure ACS applies a policy by attempting to match rules in the order they appear on the Policy Conf...

Page 600: ...4 14 External Policies This section contains the following topics About External Policies page 14 28 External Policy Configuration Options page 14 29 Creating an External Policy page 14 32 About External Policies External policies are policies that define an external NAC server usually from an anti virus vendor and a set of credential types to be forwarded to the external database You also have th...

Page 601: ...on the policy selection page therefore you should make the name as useful as possible Note The name can contain up to 32 characters Leading and trailing spaces are not allowed Names cannot contain the following four characters Description Specifies a text description of the policy up to 255 characters For each NAC database using the policy the text you type in the Description box appears beside th...

Page 602: ... beginning with the hostname are assumed to be using HTTP To use HTTPS you must specify the URL beginning with https If the port is omitted the default port is used The default port for HTTP is port 80 The default port for HTTPS is port 443 If the NAC server hostname is antivirus1 which uses port 8080 to respond to HTTP requests for the service provided policy asp a script kept in a web directory ...

Page 603: ...wards credentials to a server only if the certificate it presents is issued by the CA specified on this list If Cisco Secure ACS cannot forward the request to the primary or secondary NAC server because the trusted root CAs did not issue the server certificates the external policy cannot be applied and therefore the posture validation request is rejected If the CA that issued a NAC server certific...

Page 604: ...you use to access the External Policy Configuration page does not limit which NAC databases can select the new external policy For descriptions of the options available on the External Policy Configuration page see External Policy Configuration Options page 14 29 To create an external policy follow these steps Step 1 If you have not already done so access the External Policy Configuration page To ...

Page 605: ...est is rejected b Provide configuration details about the primary NAC server For more information about the boxes and list in this area see External Policy Configuration Options page 14 29 Step 5 Optional In the Secondary Server configuration area do the following a Select the Secondary Server configuration check box b Provide configuration details about the secondary NAC server For more informati...

Page 606: ... edited only by accessing it through a NAC database that includes the policy in its Credential Validation Policies table To edit a policy follow these steps Step 1 In the navigation bar click External User Databases Step 2 Click Database Configuration Network Admission Control Cisco Secure ACS displays a list of NAC databases Step 3 Select a NAC database from the list of NAC databases and click Co...

Page 607: ...ore creating the new policy When you click Submit after changing the policy name the applicable policy selection page for the NAC database you selected in Step 3 You can modify the policy selection if desired and then click Submit To edit a local policy rule in the Configurable Rules table click the rule name The Edit Rule page displays the Rule Elements table Add modify or remove rule elements fr...

Page 608: ...ick Configure Tip If there is only one NAC database no list of databases appears and you can click Configure The Expected Host Configuration page for the selected NAC database appears The Credential Validation Policies table lists the policies selected for this NAC database Step 4 Under Name click the name of the policy you want to delete Tip If the policy you want to delete does not appear in the...

Page 609: ...Policies Step 5 Click Delete Policy Step 6 Click Submit Cisco Secure ACS deletes the policy The Expected Host Configuration page reappears and the Credential Validation Policies table no longer lists the deleted policy All NAC databases that were configured to use the policy no longer include the deleted policy ...

Page 610: ...Chapter 14 Network Admission Control NAC Policies 14 38 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 611: ...he Unknown User Policy feature found in the External User Databases section of the Cisco Secure ACS HTML interface For information about user group mapping see Chapter 16 User Group Mapping and Specification For information about databases supported by Cisco Secure ACS and how to configure databases in the HTML interface see Chapter 13 User Databases This chapter contains the following topics Know...

Page 612: ... varies depending on whether the service requested is authentication or posture validation Known Users Users explicitly added either manually or automatically to the CiscoSecure user database These are users added by an administrator using the HTML interface by the RDBMS Synchronization feature by the Database Replication feature or by the CSUtil exe utility For more information about CSUtil exe s...

Page 613: ...bout unknown user authentication see General Authentication of Unknown Users page 15 5 Posture validation Cisco Secure ACS always uses the Unknown User Policy to determine which NAC database to use for a posture validation request For more information see Posture Validation and the Unknown User Policy page 15 10 Discovered Users Users whose accounts Cisco Secure ACS created in the CiscoSecure user...

Page 614: ... User Account page 7 57 Authentication and Unknown Users This section provides information about using the Unknown User Policy with authentication For information about using the Unknown User Policy with NAC see Posture Validation and the Unknown User Policy page 15 10 This section contains the following topics About Unknown User Authentication page 15 4 General Authentication of Unknown Users pag...

Page 615: ...ol of the request and the database specified in the user account Authentication either passes or fails 2 If the user does not exist in the CiscoSecure user database that is is an unknown user Cisco Secure ACS tries each external user database that supports the authentication protocol of the request in the order specified in the Selected Databases list If authentication with one of the external use...

Page 616: ...nt than the password for the John who authenticated first the other Johns are unable to access the network Windows Authentication of Unknown Users Because there can be multiple occurrences of the same username across the trusted Windows domains against which Cisco Secure ACS authenticates users Cisco Secure ACS treats authentication with a Windows user database as a special case To perform authent...

Page 617: ...hich Cisco Secure ACS cannot control Though the order of resources used can differ when searching for a non domain qualified username or UPN username Windows usually follows the order in the list below 1 The local domain controller 2 The domain controllers in any trusted domains in an order determined by Windows 3 If Cisco Secure ACS runs on a member server the local accounts database Windows atte...

Page 618: ...an one user account for the same user For example if a user provides a domain qualified username and successfully authenticates Cisco Secure ACS creates an account in the format DOMAIN username If the same user successfully authenticates without prefixing the domain name to the username Cisco Secure ACS creates an account in the format username If the same user also authenticates with a UPN versio...

Page 619: ...is added latency by setting the order of databases If you are using an authentication protocol that is particularly time sensitive such as PEAP we recommend configuring unknown user authentication to attempt authentication first with the database most likely to contain unknown users using the time sensitive protocol For more information see Database Search Order page 15 14 Authentication Timeout V...

Page 620: ...of the username associated with a posture validation request CTA sends in the EAP Identity field a string in the following format hostname username where hostname is the name of the NAC client computer and username identifies the user logged into the NAC client computer at the time that CTA sends the posture validation request For example while the user cyril yang is logged into the computer named...

Page 621: ...wn User Policy If you configured the Unknown User Policy in Cisco Secure ACS Cisco Secure ACS uses the Selected Databases list of the Unknown User Policy to find a NAC database that can support the posture validation request A NAC database can perform posture validation only for requests whose credentials satisfy the mandatory credential types of that database In addition because you can create a ...

Page 622: ...been installed on the computers Consider the following scenario 1 A NAC client computer is added to the network This computer has CTA installed with no NAC compliant applications 2 When Cisco Secure ACS performs posture validation for the new computer it uses a NAC database that only requires the credentials of CTA Cisco Secure ACS creates a user account corresponding to the NAC client computer 3 ...

Page 623: ... Secure ACS does for posture validation and unknown user authentication The options for configuring the Unknown User Policy are as follows Fail the attempt Disables unknown user authentication therefore Cisco Secure ACS rejects authentication requests for users not found in the CiscoSecure user database Selecting this option excludes the use of the Check the following external user databases optio...

Page 624: ...rder You can configure the order in which Cisco Secure ACS checks the selected databases when Cisco Secure ACS attempts posture validation and unknown authentication The following processes reveal why database order in the Selected Databases list is significant Authentication The Unknown User Policy supports unknown user authentication using the following logic a Find the next user database in the...

Page 625: ... see NAC and the Unknown User Policy page 15 10 d Perform group mapping and apply the authorizations specified in the mapped group to the NAC client When you specify the order of databases in the Selected Databases list we recommend placing as near to the top of the list as possible databases that Process the most requests Process requests that are associated with particularly time sensitive AAA c...

Page 626: ...on requests select the Fail the attempt option Note Selecting the Fail the attempt option does not affect posture validation requests Cisco Secure ACS always uses the Unknown User Policies for posture validation Step 3 To allow unknown user authentication enable the Unknown User Policy To do so follow these steps a Select the Check the following external user databases option b For each database t...

Page 627: ...n the Selected Databases list Disabling Unknown User Authentication You can configure Cisco Secure ACS so that it does not provide authentication service to users who are not in the CiscoSecure user database Note This procedure does not affect posture validation For more information see Posture Validation and the Unknown User Policy page 15 10 To turn off unknown user authentication follow these s...

Page 628: ...Chapter 15 Unknown User Policy Disabling Unknown User Authentication 15 18 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 629: ... 1 Group Mapping by External User Database page 16 2 Group Mapping by Group Set Membership page 16 4 NAC Group Mapping page 16 13 RADIUS Based Group Specification page 16 14 About User Group Mapping and Specification The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a Cisco Secure ACS group for assigning authorization profiles For...

Page 630: ... assign a group setup that is appropriate for users who are working away from home such as MaxSessions 1 Or you could configure restricted hours for other groups but give unrestricted access to Telecommuters group members While you can configure Cisco Secure ACS to map all unknown users found in any external user database type to a single Cisco Secure ACS group the following external user database...

Page 631: ... 1 In the navigation bar click External User Databases Step 2 Click Database Group Mappings Step 3 Click the name of the token server LEAP Proxy RADIUS Server or ODBC database configuration for which you want to configure a group mapping The Define Group Mapping table appears Step 4 From the Select a default group for database list click the group to which users authenticated with this database sh...

Page 632: ...ng for Windows authentication supports only those users who belong to no more than 500 Windows groups Novell NDS Generic LDAP When you configure a Cisco Secure ACS group mapping based on group set membership you can add one or many external user database groups to the set For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group the user must match all external user database group...

Page 633: ...l user database group memberships of the user Cisco Secure ACS assigns the user to the Cisco Secure ACS group of that group mapping and terminates the mapping process Clearly the order of group mappings is important because it affects the network access and services allowed to users When defining mappings for users who belong to multiple groups make sure they are in the correct order so that users...

Page 634: ...ad of selecting a valid domain name on the Domain Configurations page select DEFAULT For more information about editing an existing group mapping see Editing a Windows Novell NDS or Generic LDAP Group Set Mapping page 16 9 Windows Group Mapping Limitations Cisco Secure ACS has the following limits with respect to group mapping for users authenticated by a Windows user database Cisco Secure ACS can...

Page 635: ...s Otherwise the Group Mappings for database Users table appears Step 4 If you are mapping a Windows group set for a new domain follow these steps a Click New configuration The Define New Domain Configuration page appears b If the Windows domain for which you want to create a group set mapping configuration appears in the Detected domains list select the name of the domain Tip To clear your domain ...

Page 636: ...ist so that Cisco Secure ACS can use this group set mapping to map the user to a Cisco Secure ACS group however a user can also belong to other groups in addition to the groups listed and still be mapped to a Cisco Secure ACS group Tip To remove a group from the mapping select the name of the group in the Selected list and then click Remove from selected The Selected list shows all the groups that...

Page 637: ...rnal user database groups from the group set mapping delete the group set mapping and create one with the revised set of groups To edit a Windows Novell NDS or generic LDAP group mapping follow these steps Step 1 In the navigation bar click External User Databases Step 2 Click Database Group Mappings Step 3 Click the external user database name for which you want to edit a group set mapping If you...

Page 638: ...e CiscoSecure group list select the name of the group to which the set of external database groups should be mapped and then click Submit Note You can also select No Access For more information about the No Access group see No Access Group for Group Set Mappings page 16 5 Step 8 Click Submit The Group Mappings for database page opens again with the changed group set mapping listed Deleting a Windo...

Page 639: ...p Mappings for NDS Users table appears Step 6 Click the group set mapping you want to delete Step 7 Click Delete Cisco Secure ACS displays a confirmation dialog box Step 8 Click OK in the confirmation dialog box Cisco Secure ACS deletes the selected external user database group set mapping Deleting a Windows Domain Group Mapping Configuration You can delete an entire group mapping configuration fo...

Page 640: ...ing follow these steps Step 1 In the navigation bar click External User Databases Step 2 Click Database Group Mappings Step 3 Click the external user database name for which you want to configure group set mapping order If you are ordering Windows group set mappings the Domain Configurations table appears If you are ordering NDS group set mappings the NDS Trees table appears Otherwise the Group Ma...

Page 641: ...em posture token SPT that is the result of posture validation to the user group whose authorizations you have configured to correspond to that SPT Through the use of group mapping the applicable downloadable IP ACLs and Cisco RADIUS cisco av pair attribute values are assigned to network sessions of a Network Admission Control NAC client workstation Each NAC database instance that you create has un...

Page 642: ...the NAC client displays messages depends upon the configuration and design of the NAC client Step 5 Click Submit Cisco Secure ACS saves the SPT to user group mapping RADIUS Based Group Specification For some types of external user databases Cisco Secure ACS supports the assignment of users to specific Cisco Secure ACS groups based upon the RADIUS authentication response from the external user data...

Page 643: ... RADIUS attribute 1 009 001 cisco av pair with the following value ACS CiscoSecure Group Id N where N is the Cisco Secure ACS group number 0 through 499 to which Cisco Secure ACS should assign the user For example if the LEAP Proxy RADIUS Server authenticated a user and included the following value for the Cisco IOS PIX RADIUS attribute 1 009 001 cisco av pair ACS CiscoSecure Group Id 37 Cisco Sec...

Page 644: ...Chapter 16 User Group Mapping and Specification RADIUS Based Group Specification 16 16 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 645: ... each corresponding recovery action offered in the column on the right This chapter contains the following topics Administration Issues page A 2 Browser Issues page A 4 Cisco IOS Issues page A 5 Database Issues page A 7 Dial in Connection Issues page A 10 Debug Issues page A 14 Proxy Issues page A 15 Installation and Upgrade Issues page A 16 MaxSessions Issues page A 16 Report Issues page A 17 Thi...

Page 646: ...a device performing Network Address Translation or from a browser configured to use an HTTP proxy server For more information about accessing the HTML interface in these networking scenarios see Network Environments and Administrative Sessions page 1 30 No remote administrators can log in The option Allow only listed IP addresses to connect is selected but no start or stop IP addresses are listed ...

Page 647: ...er or receives a warning that access is not permitted If Network Address Translation is enabled on the PIX Firewall administration through the firewall cannot work To administer Cisco Secure ACS through a firewall you must configure an HTTP port range in Administrator Control Access Policy The PIX Firewall must be configured to permit HTTP traffic over all ports included in the range specified in ...

Page 648: ...browser displays the Java message that your session connection is lost Check the Session idle timeout value for remote administrators This is on the Session Policy Setup page of the Administration Control section Increase the value as needed Administrator database appears corrupted The remote Netscape client is caching the password If you specify an incorrect password it is cached When you attempt...

Page 649: ... posture token SPT In the user groups configured for use with NAC be sure that the Cisco IOS PIX cisco av pair VSA is configured correctly For example in a group configured to authorize NAC clients receiving a Healthy SPT be sure the 009 001 cisco av pair check box is selected and that the following string appears in the 009 001 cisco av pair text box posture token Healthy Caution The posture toke...

Page 650: ...formation regarding your particular AAA client IETF RADIUS attributes not supported in Cisco IOS 12 0 5 T Cisco incorporated RADIUS IETF attributes in Cisco IOS Release 11 1 However there are a few attributes that are not yet supported or that require a later version of the Cisco IOS software For more information see the RADIUS Attributes page on Cisco com Unable to enter Enable Mode after doing a...

Page 651: ... sure that the replication schedule on the sending Cisco Secure ACS is not conflicting with the replication schedule on the receiving Cisco Secure ACS If the receiving server has dual network cards on the sending server add a AAA server to the AAA Servers table in the Network Configuration section for every IP address of the receiving server If the sending server has dual network cards on the rece...

Page 652: ... Requestor is installed on the same Windows server as the Cisco Secure ACS Unknown users are not authenticated Go to External User Databases Unknown User Policy Select the Check the following external user databases option From the External Databases list select the database s against which to authenticate unknown users Click right arrow button to add the database to the Selected Databases list Cl...

Page 653: ...sure that for PPP you have PAP authentication configured on the asynchronous interface Same user appears in multiple groups or duplicate users exist in the Cisco Secure ACS database Unable to delete user from database Clean up the database typing the following command from the command line csutil q d n l dump txt This command causes the database to be unloaded and reloaded to clear up the counters...

Page 654: ...ion not Cisco Secure ACS LAN connections for both the AAA client and the computer running Cisco Secure ACS are physically connected IP address of the AAA client in the Cisco Secure ACS configuration is correct IP address of Cisco Secure ACS in AAA client configuration is correct TACACS or RADIUS key in both AAA client and Cisco Secure ACS are identical case sensitive The command ppp authentication...

Page 655: ...oes not have Grant dial in permission to user disabled if Cisco Secure ACS is using this option for authenticating From within Cisco Secure ACS confirm the following If the username has already been entered into Cisco Secure ACS a Windows user database configuration is selected in the Password Authentication list on the User Setup page for the user If the username has already been entered into Cis...

Page 656: ...if a change has been made Expiration information has not caused failed authentication Set to Expiration Never for troubleshooting A dial in user cannot connect to the AAA client however a Telnet connection can be authenticated across the LAN The problem is isolated to one of three areas Line modem configuration problem Review the documentation that came with your modem and verify that the modem is...

Page 657: ...ser does not exist in the Windows user database or the CiscoSecure user database and might not have the correct password Authentication parameters can be modified under User Setup The Cisco Secure ACS or TACACS or RADIUS configuration is not correct in the AAA client Callback is not working Ensure that callback works on the AAA client when using local authentication Then add AAA authentication Use...

Page 658: ...ntication chap pap is entered for each interface if authentication against the CiscoSecure user database is being used The AAA and TACACS or RADIUS configuration is correct in the AAA client When you run debug aaa authentication and debug aaa authorization on the AAA client Cisco Secure ACS returns a PASS for authentication but returns a FAIL for authorization This problem occurs because authoriza...

Page 659: ...tches the shared secret of one or both Cisco Secure ACSes The character string and delimiter match the stripping information configured in the Proxy Distribution Table and the position is set correctly to either Prefix or Suffix If the conditions above are met one or more servers is probably down or no fallback server is configured Go to the Network Configuration section and configure a fallback s...

Page 660: ...all CiscoSecure All previous accounting logs are missing When reinstalling or upgrading the Cisco Secure ACS software these files are deleted unless they have been moved to an alternative directory location Condition Recovery Action MaxSessions over VPDN is not working The use of MaxSessions over VPDN is not supported User MaxSessions fluctuates or is unreliable Services were restarted possibly be...

Page 661: ...ogging Log Target reportname You must also set Network Configuration servername Access Server Type to Cisco Secure ACS for Windows NT No Unknown User information is included in reports The Unknown User database was changed Accounting reports will still contain unknown user information Two entries are logged for one user session Make sure that the remote logging function is not configured to send a...

Page 662: ...ving sessions packets should include at least the following fields Authentication Request packet nas ip address nas port Accounting Start packet nas ip address nas port session id framed ip address Accounting Stop packet nas ip address nas port session id framed ip address Also if a connection is so brief that there is little time between the start and stop packets for example HTTP through the PIX...

Page 663: ... lmhosts file 7 Verify that support for RSA is enabled in External User Database Database Configuration in the Cisco Secure ACS 8 Run Test Authentication from the Windows control panel for the ACE Client application 9 From Cisco Secure ACS install the token server Authentication request does not hit the external database Set logging to full in System Configuration Service Control Check csauth log ...

Page 664: ...t Cisco Secure ACS services For steps see Stopping Starting or Restarting Services page 8 2 User did not inherit settings from new group Users moved to a new group inherit new group settings but they keep their existing user settings Manually change the settings in the User Setup section Authentication fails Check the Failed Attempts report The retry interval may be too short The default is 5 seco...

Page 665: ...Verify that the TACACS or RADIUS keys in both AAA client and Cisco Secure ACS are identical case sensitive Re enter the keys to confirm they are identical User can authenticate but authorizations are not what is expected Different vendors use different AV pairs AV pairs used in one vendor protocol may be ignored by another vendor protocol Make sure that the user settings reflect the correct vendor...

Page 666: ...CS and RADIUS attributes do not appear on the Group Setup page Make sure that you have at least one RADIUS or TACACS AAA client configured in the Network Configuration section and that in the Interface Configuration section you have enabled the attributes you need to configure Note Some attributes are not customer configurable in Cisco Secure ACS instead their values are set by Cisco Secure ACS ...

Page 667: ...with Cisco Secure ACS but do not fully support the TACACS features in Cisco Secure ACS Note If you specify a given AV pair in Cisco Secure ACS you must also enable the corresponding AV pair in the Cisco IOS software running on the AAA client Therefore you must consider which AV pairs your Cisco IOS release supports If Cisco Secure ACS sends an AV pair to the AAA client that the Cisco IOS software ...

Page 668: ...ack dialstring Additionally these attributes cannot be set via database synchronization and ip addr n n n n is not allowed as a Cisco vendor specific attribute VSA Cisco Secure ACS supports many TACACS AV pairs For descriptions of these attributes refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients TACACS AV pairs supported in Cisco Secure ACS are as follows a...

Page 669: ...tionary ip addresses link compression load threshold n max links n nas password nocallback verify noescape nohangup old prompts outacl n outacl pool def n pool timeout ppp vj slot compression priv lvl protocol route route n routing rte ftr in n rte ftr out n sap n sap fltr in n sap fltr out n service source ip timeout tunnel id ...

Page 670: ... AV pairs For descriptions of these attributes see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients TACACS accounting AV pairs supported in Cisco Secure ACS are as follows bytes_in bytes_out cmd data rate disc cause disc cause ext elapsed_time event mlp links max mlp sess id nas rx speed nas tx speed paks_in paks_out port pre bytes in pre bytes out pre paks in pre p...

Page 671: ... User Guide for Cisco Secure ACS for Windows Server 78 16592 01 Appendix B TACACS Attribute Value Pairs Cisco IOS AV Pair Dictionary protocol reason service start_time stop_time task_id timezone xmit rate ...

Page 672: ...Appendix B TACACS Attribute Value Pairs Cisco IOS AV Pair Dictionary B 6 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 673: ...In the Network Configuration section the AAA client entry corresponding to the access device that grants network access to the user must be configured to use a variety of RADIUS that supports the attribute you want sent to the AAA client For more information about the RADIUS attribute sets supported by RADIUS varieties see Protocol Configuration Options for RADIUS page 3 11 2 In the Interface Conf...

Page 674: ...user profile This chapter contains the following topics Cisco IOS Dictionary of RADIUS AV Pairs page C 2 Cisco IOS PIX Dictionary of RADIUS VSAs page C 5 About the cisco av pair RADUIS Attribute page C 7 Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs page C 9 Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs page C 13 Cisco Building Broadband Service Manager Dictionary of RADIUS VSA pag...

Page 675: ... do not appear on the Group Setup page 8 Framed IP Address 19 Callback Number 218 Ascend Assign IP Pool None of these attributes can be set via RDBMS Synchronization Table C 1 lists the supported Cisco IOS RADIUS AV pairs Table C 1 Cisco IOS Software RADIUS AV Pairs Number Attribute Type of Value Inbound Outbound Multiple 1 User Name String Inbound No 2 User Password String Outbound No 3 CHAP Pass...

Page 676: ...ound Yes 26 Vendor specific String Outbound Yes 27 Session Timeout Integer maximum length 10 characters Outbound No 28 Idle Timeout Integer maximum length 10 characters Outbound No 30 Called Station ID String Inbound No 31 Calling Station ID String Inbound No 33 Login LAT Service String maximum length 253 characters Inbound No 40 Acct Status Type Integer Inbound No 41 Acct Delay Time Integer Inbou...

Page 677: ...s refer to Cisco IOS Voice over IP documentation Note For details about the Cisco IOS Node Route Processor Service Selection Gateway VSAs VSAs 250 251 and 252 refer to Cisco IOS documentation 47 Acct Input Packets Integer Inbound No 48 Acct Output Packets Integer Inbound No 49 Acct Terminate Cause Integer Inbound No 61 NAS Port Type Integer Inbound No 62 NAS Port Limit Integer maximum length 10 ch...

Page 678: ...ngth 247 characters Outbound No 102 cisco h323 credit time String maximum length 247 characters Outbound No 103 cisco h323 return code String maximum length 247 characters Outbound No 104 cisco h323 prompt id String maximum length 247 characters Outbound No 105 cisco h323 day and time String maximum length 247 characters Outbound No 106 cisco h323 redirect number String maximum length 247 characte...

Page 679: ...an AV pair is case sensitive Typically attribute names are all in lowercase letters The following is an example of two AV pairs included in a single Cisco IOS PIX RADIUS cisco av pair attribute ip addr pool first shell priv lvl 15 The first example causes the Cisco multiple named IP address pools feature to be activated during IP authorization during PPP IPCP address assignment The second example ...

Page 680: ...rived by posture validation The SPT is always sent in numeric format and using the posture token AV pair makes viewing the result of a posture validation request more easily read on the AAA client For example posture token Healthy Caution The posture token AV pair is the only way that Cisco Secure ACS notifies the AAA client of the SPT returned by posture validation Because you manually configure ...

Page 681: ...entrator use the CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 attributes Settings for CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 override Microsoft MPPE RADIUS settings If either of these attributes is enabled Cisco Secure ACS determines the values to be sent in outbound RADIUS Microsoft attributes and sends them along with the RADIUS Cisco VPN 3000 ...

Page 682: ...th 247 characters Outbound No 13 CVPN3000 IPSec Authentication Integer Outbound No 15 CVPN3000 IPSec Banner1 String maximum length 247 characters Outbound No 16 CVPN3000 IPSec Allow Passwd Store Integer Outbound No 17 CVPN3000 Use Client Address Integer Outbound No 20 CVPN3000 PPTP Encryption Integer Outbound No 21 CVPN3000 L2TP Encryption Integer Outbound No 27 CVPN3000 IPSec Split Tunnel List St...

Page 683: ...2TP MPPC Compression Integer Outbound No 39 CVPN3000 IPSec IP Compression Integer Outbound No 40 CVPN3000 IPSec IKE Peer ID Check Integer Outbound No 41 CVPN3000 IKE Keep Alives Integer Outbound No 42 CVPN3000 IPSec Auth On Rekey Integer Outbound No 45 CVPN3000 Required Client Firewall Vendor Code Integer maximum length 10 characters Outbound No 46 CVPN3000 Required Client Firewall Product Code In...

Page 684: ...acters Outbound No 55 CVPN3000 IPSec Split Tunneling Policy Integer Outbound No 56 CVPN3000 IPSec Required Client Firewall Capability Integer Outbound No 57 CVPN3000 IPSec Client Firewall Filter Name String maximum length 247 characters Outbound No 58 CVPN3000 IPSec Client Firewall Filter Optional Integer Outbound No 59 CVPN3000 IPSec Backup Servers Integer Outbound No 60 CVPN3000 IPSec Backup Ser...

Page 685: ...35 CVPN3000 Strip Realm Integer Outbound No Table C 3 Cisco VPN 3000 Concentrator RADIUS VSAs continued Number Attribute Type of Value Inbound Outbound Multiple Table C 4 Cisco VPN 5000 Concentrator RADIUS VSAs Number Attribute Type of Value Inbound Outbound Multiple 001 CVPN5000 Tunnel Throughput Integer Inbound No 002 CVPN5000 Client Assigned IP String Inbound No 003 CVPN5000 Client Real IP Stri...

Page 686: ... specific format the format is specified Table C 5 Cisco BBSM RADIUS VSA Number Attribute Type of Value Inbound Outbound Multiple 001 CBBSM Bandwidth Integer Both No Table C 6 RADIUS IETF Attributes Number Name Description Type of Value Inbound Out bound Multiple 1 User Name Name of the user being authenticated String Inbound No 2 User Password User password or input following an access challenge ...

Page 687: ... integer interpreted as follows For asynchronous terminal lines async network interfaces and virtual async interfaces the value is 00ttt where ttt is the line number or async interface unit number For ordinary synchronous network interfaces the value is 10xxx For channels on a primary rate ISDN Integrated Services Digital Network interface the value is 2ppcc For channels on a basic rate ISDN inter...

Page 688: ...LIP or PPP Administrative User Start an EXEC or enable ok Exec User Start an EXEC session Integer Both No 7 Framed Protocol Framing to be used for framed access Integer Both No 8 Framed IP Address Address to be configured for the user 9 Framed IP Netmask IP netmask to be configured for the user when the user is a router to a network This AV results in a static route being added for Framed IP Addre...

Page 689: ... d in for input access list The numbers are self encoding to the protocol to which they refer String Outbound Yes 12 Framed MTU Indicates the maximum transmission unit MTU that can be configured for the user when the MTU is not negotiated by PPP or some other means Integer maximum length 10 characters Outbound No 13 Framed Compression Compression protocol used for the link This attribute results i...

Page 690: ...sent Integer maximum length 10 characters Outbound No 18 Reply Message Text to be displayed to the user String Outbound Yes 19 Callback Number String Outbound No 20 Callback Id String Outbound No 22 Framed Route Routing information to be configured for the user on this AAA client The RADIUS RFC Request for Comments format net bits router metric and the old style dotted mask net mask router metric ...

Page 691: ...attributes VSAs a feature of RADIUS that allows vendors to support their own extended attributes Subattributes are identified by IANA assigned vendor numbers in combination with the vendor assigned subattribute number For example the vendor number for Cisco IOS PIX RADIUS is 9 The cisco av pair VSA is attribute 1 in the set of VSAs related to vendor number 9 String Outbound Yes 27 Session Timeout ...

Page 692: ...tic number identification or similar technology Different devices provide different identifiers String Inbound No 31 Calling Station Id Allows the AAA client to send the telephone number or other information identifying the end user client into as part of the access request packet using DNIS Dialed Number Identification Server or similar technology For example Cisco Aironet Access Points usually s...

Page 693: ...leTalk Network Integer Outbound Yes 39 Framed AppleTalk Zone String Out No 40 Acct Status Type Specifies whether this accounting request marks the beginning of the user service start or the end stop Integer Inbound No 41 Acct Delay Time Number of seconds the client has been trying to send a particular record Integer Inbound No 42 Acct Input Octets Number of octets received from the port while this...

Page 694: ...te authentication protocol This attribute is set to radius for users authenticated by RADIUS to remote for TACACS and Kerberos or to local for local enable line and if needed methods For all other methods the attribute is omitted Integer Inbound No 46 Acct Session Time Number of seconds the user has been receiving service Integer Inbound No 47 Acct Input Packets Number of packets received from the...

Page 695: ...Lost carrier 3 Lost service 4 Idle timeout 5 Session timeout 6 Admin reset 7 Admin reboot 8 Port error 9 AAA client error 10 AAA client request 11 AAA client reboot 12 Port unneeded 13 Port pre empted 14 Port suspended 15 Service unavailable 16 Callback 17 User error 18 Host request Integer Inbound No 50 Acct Multi Session Id String Inbound No 51 Acct Link Count Integer Inbound No Table C 6 RADIUS...

Page 696: ...ticate the user Physical ports are indicated by a numeric value as follows 0 Asynchronous 1 Synchronous 2 ISDN Synchronous 3 ISDN Asynchronous V 120 4 ISDN Asynchronous V 110 5 Virtual Integer Inbound No 62 Port Limit Sets the maximum number of ports to be provided to the user by the network access server Integer maximum length 10 characters Both No 63 Login LAT Port String Both No 64 Tunnel Type ...

Page 697: ...String Inbound No 71 ARAP Features String Outbound No 72 ARAP Zone Access Integer Outbound No 73 ARAP Security Integer Inbound No 74 ARAP Security Data String Inbound No 75 Password Retry Integer Internal use only No 76 Prompt Integer Internal use only No 77 Connect Info String Inbound No 78 Configuration Token String Internal use only No 79 EAP Message String Internal use only No 80 Message Authe...

Page 698: ...ing Inbound No 88 Framed Pool String Internal use only No 90 Tunnel Client Auth ID tagged string Both Yes 91 Tunnel Server Auth ID tagged string Both Yes 135 Primary DNS Server Ipaddr Both No 136 Secondary DNS Server Ipaddr Both No 187 Multilink ID Integer Inbound No 188 Num In Multilink Integer Inbound No 190 Pre Input Octets Integer Inbound No 191 Pre Output Octets Integer Inbound No 192 Pre Inp...

Page 699: ...PW Lifetime Integer Outbound No 209 IP Direct Ipaddr Outbound No 210 PPP VJ Slot Comp Integer Outbound No 218 Assign IP pool Integer Outbound No 228 Route IP Integer Outbound No 233 Link Compression Integer Outbound No 234 Target Utils Integer Outbound No 235 Maximum Channels Integer Outbound No 242 Data Filter Ascend filter Outbound Yes 243 Call Filter Ascend filter Outbound Yes 244 Idle Limit In...

Page 700: ...rosoft MPPE settings for users accessing the network through a Cisco VPN 3000 series concentrator use the CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 attributes Settings for CVPN3000 PPTP Encryption VSA 20 and CVPN3000 L2TP Encryption VSA 21 override Microsoft MPPE RADIUS settings If either of these attributes is enabled Cisco Secure ACS determines the values to be sent in ...

Page 701: ...ed in the MS MPPE Encryption Types attribute can be used If the Policy field is equal to 2 Encryption Required any of the encryption types specified in the MS MPPE Encryption Types attribute can be used but at least one must be used Outbound No 8 MS MPPE Encryption Ty pes Integer The MS MPPE Encryption Types attribute signifies the types of encryption available for use with MPPE It is a four octet...

Page 702: ...contains a session key for use by MPPE This key is for encrypting packets sent from the AAA client to the remote host This attribute is only included in Access Accept packets Outbound No 17 MS MPPE Recv Key String maximum length 240 characters The MS MPPE Recv Key attribute contains a session key for use by MPPE This key is for encrypting packets received by the AAA client from the remote host Thi...

Page 703: ...file Note RADIUS filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile Filter entries are applied in the order in which they are entered If you make changes to a filter in an Ascend RADIUS profile the changes do not take effect until a call uses that profile Date 32 bit value in big endian order For example seconds since 00 00 ...

Page 704: ...th No 16 Login TCP Port Integer Outbound No 17 Change Password String 18 Reply Message String Outbound Yes 19 Callback ID String Outbound No 20 Callback Name String Outbound No 22 Framed Route String Outbound Yes 23 Framed IPX Network Integer Outbound No 24 State String Outbound No 25 Class String Outbound Yes 26 Vendor Specific String Outbound Yes 30 Call Station ID String Inbound No 31 Calling S...

Page 705: ...ct Tunnel Connection Integer maximum length 253 characters Inbound No 104 Ascend Private Route String maximum length 253 characters Both No 105 Ascend Numbering Plan ID Integer maximum length 10 characters Both No 106 Ascend FR Link Status Dlci Integer maximum length 10 characters Both No 107 Ascend Calling Subaddress String maximum length 253 characters Both No 108 Ascend Callback Delay String ma...

Page 706: ... 119 Ascend FCP Parameter String maximum length 253 characters Both No 120 Ascend Modem PortNo Integer maximum length 10 characters Inbound No 121 Ascend Modem SlotNo Integer maximum length 10 characters Inbound No 122 Ascend Modem ShelfNo Integer maximum length 10 characters Inbound No 123 Ascend Call Attempt Limit Integer maximum length 10 characters Both No 124 Ascend Call Block_Duration Intege...

Page 707: ...haracters Both No 136 Ascend Client Secondary DNS Address maximum length 15 characters Both No 137 Ascend Client Assign DNS Enum Both No 138 Ascend User Acct Type Enum Both No 139 Ascend User Acct Host Address maximum length 15 characters Both No 140 Ascend User Acct Port Integer maximum length 10 characters Both No 141 Ascend User Acct Key String maximum length 253 characters Both No 142 Ascend U...

Page 708: ...t Type for an Ascend Event Packet 150 Ascend Event Type Integer maximum length 10 characters Inbound No RADIUS Server Session Key 151 Ascend Session Svr Key String maximum length 253 characters Outbound No Multicast Rate Limit Per Client 152 Ascend Multicast Rate Limit Integer maximum length 10 characters Outbound No Connection Profile Fields to Support Interface Based Routing 153 Ascend IF Netmas...

Page 709: ... FR N391 Integer maximum length 10 characters Outbound No 162 Ascend FR DCE N392 Integer maximum length 10 characters Outbound No 163 Ascend FR DTE N392 Integer maximum length 10 characters Outbound No 164 Ascend FR DCE N393 Integer maximum length 10 characters Outbound No 165 Ascend FR DTE N393 Integer maximum length 10 characters Outbound No 166 Ascend FR T391 Integer maximum length 10 character...

Page 710: ...er maximum length 10 characters Inbound No 176 Ascend Backup String maximum length 253 characters Inbound No 177 Ascend Call Type Integer Inbound No 178 Ascend Group String maximum length 253 characters Inbound No 179 Ascend FR DLCI Integer maximum length 10 characters Inbound No 180 Ascend FR Profile Name String maximum length 253 characters Inbound No 181 Ascend Ara PW String maximum length 253 ...

Page 711: ...ackets Integer Inbound No 194 Ascend Maximum Time Integer maximum length 10 characters Both No 195 Ascend Disconnect Cause Integer Inbound No 196 Ascend Connect Progress Integer Inbound No 197 Ascend Data Rate Integer Inbound No 198 Ascend PreSession Time Integer Inbound No 199 Ascend Token Idle Integer maximum length 10 characters Outbound No 200 Ascend Token Immediate Integer Outbound No 201 Asc...

Page 712: ...tbound No 211 Ascend PPP VJ 1172 Integer maximum length 10 characters Outbound No 212 Ascend PPP Async Map Integer maximum length 10 characters Outbound No 213 Ascend Third Prompt String maximum length 253 characters Outbound No 214 Ascend Send Secret String maximum length 253 characters Outbound No 215 Ascend Receive Secret String maximum length 253 characters Outbound No 216 Ascend IPX Peer Mode...

Page 713: ...m length 253 characters Outbound No Connection Profile PPP Options 228 Ascend Route IP Integer Outbound No 229 Ascend Route IPX Integer Outbound No 230 Ascend Bridge Integer Outbound No 231 Ascend Send Auth Integer Outbound No 232 Ascend Send Passwd String maximum length 253 characters Outbound No 233 Ascend Link Compression Integer Outbound No 234 Ascend Target Util Integer maximum length 10 char...

Page 714: ...4 Ascend Idle Limit Integer maximum length 10 characters Outbound No 245 Ascend Preempt Limit Integer maximum length 10 characters Outbound No Connection Profile Telco Options 246 Ascend Callback Integer Outbound No 247 Ascend Data Svc Integer Outbound No 248 Ascend Force 56 Integer Outbound No 249 Ascend Billing Number String maximum length 253 characters Outbound No 250 Ascend Call By Call Integ...

Page 715: ...m length 10 characters Outbound No Table C 8 Ascend RADIUS Attributes continued Number Attribute Type of Value Inbound Outbound Multiple Table C 9 Nortel RADIUS VSAs Number Attribute Type of Value Inbound Outbound Multiple 035 Bay Local IP Address Ipaddr maximum length 15 characters Outbound No 054 Bay Primary DNS Server Ipaddr maximum length 15 characters Outbound No 055 Bay Secondary DNS Server ...

Page 716: ... RADIUS VSAs supported by Cisco Secure ACS The Juniper vendor ID number is 2636 Table C 10 Juniper RADIUS VSAs Number Attribute Type of Value Inbound Outbound Multiple 001 Juniper Local User Name String maximum length 247 characters Outbound No 002 Juniper Allow Commands String maximum length 247 characters Outbound No 003 Juniper Deny Commands String maximum length 247 characters Outbound No ...

Page 717: ...re Database Replication and RDBMS Synchronization features For more information on these features see Chapter 9 System Configuration Advanced This chapter contains the following topics Location of CSUtil exe and Related Files page D 2 CSUtil exe Syntax page D 2 CSUtil exe Options page D 3 Displaying Command Line Syntax page D 5 Backing Up Cisco Secure ACS with CSUtil exe page D 6 Restoring Cisco S...

Page 718: ...stall Cisco Secure ACS in the default location CSUtil exe is located in the following directory C Program Files CiscoSecure ACS vX X Utils where X X is the version of your Cisco Secure ACS software Regardless of where you install Cisco Secure ACS CSUtil exe is located in the Utils directory Files generated by or accessed by CSUtil exe are also located in the Utils directory CSUtil exe Syntax The s...

Page 719: ...nfigurations and then generate a dump of all Cisco Secure ACS internal data CSUtil exe i newnases txt d CSUtil exe Options CSUtil exe can perform several actions The options listed below in alphabetical order are detailed in later sections of this chapter b Backup system to a specified filename For more information about this option see Backing Up Cisco Secure ACS with CSUtil exe page D 6 c Recalc...

Page 720: ...ump File page D 11 q Run CSUtil exe without confirmation prompts r Restore system from a specified backup filename For more information about this option see Restoring Cisco Secure ACS with CSUtil exe page D 7 t Generate PAC files for EAP FAST end user clients For more information about this option see PAC File Generation page D 40 u Export user information sorted by group membership to a file nam...

Page 721: ...ibutes For more information about this option see Exporting Posture Validation Attribute Definitions page D 48 Displaying Command Line Syntax CSUtil exe displays command line syntax for any one of the following reasons The x option is included in the CSUtil exe command No options are included with the CSUtil exe command Incorrect syntax is used with the CSUtil exe command For more information abou...

Page 722: ...Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe For more information about the location of CSUtil exe see Location of CSUtil exe and Related Files page D 2 Step 2 Type CSUtil exe b filename where filename is the name of the backup file Press Enter CSUtil exe displays a confirmation prompt Step 3 To confirm that you want to perform a back...

Page 723: ...Backup feature see Cisco Secure ACS Backup page 8 9 Note During the restoration all services are automatically stopped and restarted No users are authenticated while the restoration is occurring To restore Cisco Secure ACS with CSUtil exe follow these steps Step 1 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe Fo...

Page 724: ...ote If the backup file is missing a database component CSUtil exe displays an error message Such an error message applies only to the restoration of the missing component The absence of a database component in a backup is usually intentional and indicates that the component was empty in Cisco Secure ACS at the time the backup was created Creating a CiscoSecure User Database You can use the n optio...

Page 725: ...abase Dump File page D 10 Step 2 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe For more information about the location of CSUtil exe see Location of CSUtil exe and Related Files page D 2 Step 3 If the CSAuth service is running type net stop csauth and press Enter The CSAuth service stops Step 4 Type CSUtil exe n...

Page 726: ...sing the d option requires that you stop the CSAuth service While CSAuth is stopped no users are authenticated To dump all Cisco Secure ACS internal data into a text file follow these steps Step 1 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe For more information about the location of CSUtil exe see Location of ...

Page 727: ...option only produces dump text files that are named dump txt the l option allows for loading renamed dump files For more information about creating dump text files see Creating a Cisco Secure ACS Database Dump File page D 10 You can use the p option in conjunction with the l option to reset password aging counters Note Using the l option requires that you stop the CSAuth service While CSAuth is st...

Page 728: ...xt file Step 4 To confirm that you want to replace all Cisco Secure ACS internal data type Y and press Enter CSUtil exe initializes all Cisco Secure ACS internal data and then loads Cisco Secure ACS with the information in the dump file specified This process may take a few minutes Step 5 To resume user authentication type net start csauth and press Enter Compacting the CiscoSecure User Database L...

Page 729: ...ation prompts that otherwise appear before CSUtil exe performs the n and l options Note Compacting the CiscoSecure user database requires that you stop the CSAuth service While CSAuth is stopped no users are authenticated To compact the CiscoSecure user database follow these steps Step 1 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory ...

Page 730: ... all Cisco Secure ACS internal data from dump txt This process may take a few minutes Step 5 To resume user authentication type net start csauth and press Enter User and AAA Client Import Option The i option enables you to update Cisco Secure ACS with data from a colon delimited text file You can also update AAA client definitions For user accounts you can add users change user information such as...

Page 731: ...cation of CSUtil exe and Related Files page D 2 Step 4 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe Step 5 Type CSUtil exe i filename where filename is the name of the import text file you want CSUtil exe to use to update Cisco Secure ACS Press Enter CSUtil exe displays a confirmation prompt for updating the da...

Page 732: ...op cstacacs and press Enter The CSTacacs service stops b To start CSTacacs type net start cstacacs and press Enter User and AAA Client Import File Format This section contains the following topics About User and AAA Client Import File Format page D 17 ONLINE or OFFLINE Statement page D 17 ADD Statements page D 18 UPDATE Statements page D 19 DELETE Statements page D 21 ADD_NAS Statements page D 21 ...

Page 733: ...gin with a line that contains only an ONLINE or OFFLINE token The ONLINE and OFFLINE tokens are described in Table D 1 Table D 1 ONLINE OFFLINE Statement Tokens Token Required Value Required Description ONLINE Either ONLINE or OFFLINE must be present The CSAuth service remains active while CSUtil exe imports the text file CSUtil exe performance is slower when run in this mode but Cisco Secure ACS ...

Page 734: ...he user record and assigns the user to the LDAP database that was added to Cisco Secure ACS first Table D 2 ADD Statement Tokens Token Required Value Required Description ADD Yes username Add user information to Cisco Secure ACS If the username already exists no information is changed PROFILE No group number Group number to which the user is assigned This must be a number from 0 to 499 not a name ...

Page 735: ... tokens are included no changes are made to the user account You can use the UPDATE statement to update the group a user is assigned to or to update which database Cisco Secure ACS uses to authenticate the user The valid tokens for UPDATE statements are listed in Table D 3 EXT_SDI No Authenticate the username with an RSA external user database EXT_ODBC No Authenticate the username with an ODBC ext...

Page 736: ...Require a CHAP password for authentication CSDB No password Authenticate the username with the CiscoSecure user database CSDB_UNIX No UNIX encrypted password Authenticate the username with the CiscoSecure user database using a UNIX password format EXT_NT No Authenticate the username with a Windows external user database EXT_NDS No Authenticate the username with a Novell NDS external user database ...

Page 737: ...en and its value are required to delete a user account from Cisco Secure ACS The DELETE token detailed in Table D 4 is the only token in a DELETE statement For example the following DELETE statement causes CSUtil exe to permanently remove the account with username John from the CiscoSecure user database DELETE John ADD_NAS Statements ADD_NAS statements are optional The ADD_NAS IP KEY and VENDOR to...

Page 738: ...EY Yes Shared secret The shared secret for the AAA client VENDOR Yes See description The authentication protocol the AAA client uses For RADIUS this includes the VSA Note The valid values are listed below Quotation marks are required due to the spaces in the protocol names TACACS Cisco IOS RADIUS Cisco Aironet RADIUS Cisco BBSM RADIUS Cisco IOS PIX RADIUS Cisco VPN 3000 RADIUS Cisco VPN 5000 RADIU...

Page 739: ...sco Secure ACS For example the following DEL_NAS statement causes CSUtil exe to delete a AAA client with the name SVR2 T DEL_NAS SVR2 T SINGLE_CON No Y or N For AAA clients using TACACS only the value set for this TOKEN specifies whether the Single Connect TACACS AAA Client option is enabled For more information see Adding a AAA Client page 4 16 KEEPALIVE No Y or N For AAA clients using TACACS onl...

Page 740: ...t a list of all users in the CiscoSecure user database to a text file named users txt The users txt file organizes users by group Within each group users are listed in the order that their user accounts were created in the CiscoSecure user database For example if accounts were created for Pat Dana and Lloyd in that order users txt lists them in that order as well rather than alphabetically Note Us...

Page 741: ...e You can use the g option to export group configuration data including device command sets from the CiscoSecure user database to a text file named groups txt The groups txt file is useful primarily for debugging purposes while working with the TAC Note Using the g option requires that you stop the CSAuth service While CSAuth is stopped no users are authenticated To export group information from t...

Page 742: ...nter Exporting Registry Information to a Text File You can use the y option to export Windows Registry information for Cisco Secure ACS CSUtil exe exports the Registry information to a file named setup txt The setup txt file is primarily useful for debugging purposes while working with the TAC To export Registry information from Cisco Secure ACS to a text file follow these steps Step 1 On the comp...

Page 743: ... could use CSUtil exe to decode is 1087 C Program Files CiscoSecure ACS vx x Utils CSUtil exe e 1087 CSUtil v3 0 1 14 Copyright 1997 2001 Cisco Systems Inc Code 1087 External database reported error during authentication Note The e option applies to Cisco Secure ACS internal error codes only not to Windows error codes sometimes captured in Cisco Secure ACS logs such as when Windows authentication ...

Page 744: ...value conflicts between files manually copied into your Cisco Secure ACS directories and the values recorded in the Windows Registry Note Do not use the c option unless a Cisco representative requests that you do User Defined RADIUS Vendors and VSA Sets This section provides information and procedures about user defined RADIUS vendors and VSAs This section contains the following topics About User ...

Page 745: ...endors you add must be IETF compliant therefore all VSAs that you add must be sub attributes of IETF RADIUS attribute number 26 You can define up to ten custom RADIUS vendors numbered 0 zero through 9 CSUtil exe allows only one instance of any given vendor as defined by the unique vendor IETF ID number and by the vendor name Note If you intend to replicate user defined RADIUS vendor and VSA config...

Page 746: ...hange directories to the directory containing CSUtil exe For more information about the location of CSUtil exe see Location of CSUtil exe and Related Files page D 2 Step 2 Type CSUtil exe addUDV slot number filename where slot number is an unused Cisco Secure ACS RADIUS vendor slot and filename is the name of a RADIUS vendor VSA import file The filename can include a relative or absolute path to t...

Page 747: ...Secure ACS services are automatically stopped and restarted No users are authenticated while this process is occurring Before You Begin Verify that in the Network Configuration section of the Cisco Secure ACS HTML interface no AAA client uses the RADIUS vendor For more information about configuring AAA clients see AAA Client Configuration page 4 11 Verify that your RADIUS accounting log does not c...

Page 748: ... want to delete the RADIUS vendor type Y and press Enter CSUtil exe halts Cisco Secure ACS services deletes the specified RADIUS vendor from Cisco Secure ACS This process may take a few minutes After it is complete CSUtil exe restarts Cisco Secure ACS services Listing Custom RADIUS Vendors You can use the listUDV option to determine what custom RADIUS vendors are defined in Cisco Secure ACS This o...

Page 749: ...d you have misplaced the original file used to import the set Note Exporting a custom RADIUS vendor and VSA set does not remove the vendor and VSA set from Cisco Secure ACS Cisco Secure ACS places all exported vendor VSA files in a subdirectory of the directory containing CSUtil exe The subdirectory is named System UDVs For more information about the location of CSUtil exe see Location of CSUtil e...

Page 750: ...des the Utils directory where CSUtil exe is located is replaced including all its contents Backing up RADIUS vendor VSA import files ensures that you can recover your custom RADIUS vendors and VSAs after reinstallation or upgrading to a later release This section contains the following topics About the RADIUS Vendor VSA Import File page D 34 Vendor and VSA Set Definition page D 35 Attribute Defini...

Page 751: ...page D 36 Enumeration No 0 to 255 Defines enumerations for attributes with integer data types For more information see Enumeration Definition page D 38 Table D 8 Vendor and VSA Set Keys Keys Required Value Required Description Name Yes Vendor name The name of the RADIUS vendor IETF Code Yes An integer The IETF assigned vendor number for this vendor VSA n where n is the VSA number Yes you can defin...

Page 752: ...ections User Defined Vendor Name Widget IETF Code 9999 VSA 1 widget encryption VSA 2 widget admin interface VSA 3 widget group VSA 4 widget admin encryption Attribute Definition Each RADIUS vendor VSA import file must have one attribute definition section for each attribute defined in the vendor and VSA set section The section header of each attribute definition section must match the attribute na...

Page 753: ...ues must be present in the Profile key definition IN The attribute is used for accounting After you add the attribute to Cisco Secure ACS you can configure your RADIUS accounting log to record the new attribute For more information about RADIUS accounting logs see Accounting Logs page 11 6 OUT The attribute is used for authorization In addition you can use the value MULTI to allow several instance...

Page 754: ...ute In the Group Setup and User Setup sections of the Cisco Secure ACS HTML interface the text values you define appear in lists associated with the attributes that use the enumerations Enumeration definition sections are required only if an attribute definition section references them Only attributes that are integer type attributes can reference an enumeration definition section The section head...

Page 755: ...d one is for accounting Only one attribute can have multiple instances in a single RADIUS message Two attributes have enumerations for their valid integer values and they share the same enumeration definition section User Defined Vendor Name Widget IETF Code 9999 VSA 1 widget encryption Table D 10 Enumerations Definition Keys Keys Required Value Required Description n See description Yes String Fo...

Page 756: ...pe IPADDR Profile OUT widget group Type STRING Profile MULTI OUT widget admin encryption Type INTEGER Profile OUT Enums Encryption Types widget remote address Type STRING Profile IN Encryption Types 0 56 bit 1 128 bit 2 256 bit PAC File Generation You can use the t option to generate PAC files for use with EAP FAST clients For more information about PACs and EAP FAST see EAP FAST Authentication pa...

Page 757: ...generate 3278 PAC files one for each user Note Using the a option restarts the CSAuth service No users are authenticated while CSAuth is unavailable g N CSUtil exe generates a PAC file for each user in the user group specified by number N Cisco Secure ACS has 500 groups numbered from 0 zero to 499 For example if group 7 has 43 users and you ran CSUtil exe t g 7 CSUtil exe would generate 43 PAC fil...

Page 758: ...omain qualified usernames using the format DOMAIN username For example if you specify ENIGINEERING augustin Cisco Secure ACS generates a PAC file name ENGINEERING_augustin pac passwd password CSUtil exe uses the password specified rather than the default password to protect the PAC files it generates The password you specify is required when the PACs it protects are loaded into an EAP FAST end use...

Page 759: ...password We recommend passwords that are long use uppercase and lowercase letters and include numbers The full path to the directory you want the PAC files to be created in If necessary create the directory Step 2 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe Step 3 Type CSUtil exe t additional arguments where a...

Page 760: ... Importing Posture Validation Attribute Definitions page D 49 Deleting a Posture Validation Attribute Definition page D 51 Default Posture Validation Attribute Definition File page D 52 Posture Validation Attribute Definition File A posture validation attribute definition file is a text file that contains one or more posture validation attribute definitions Each definition consists of a definition...

Page 761: ...efinition must begin with a line containing the definition header The first attribute definition in the file must have the header attr 0 the second attribute definition in a file must have the header attr 1 and so on A break in the numbering causes CSUtil exe to ignore attribute definitions at the break and beyond For example if a file with 10 attribute definitions the fifth attribute is defined a...

Page 762: ...attribute is associated with the Cisco application with an ID of 1 which is the Cisco Trust Agent CTA also known as a posture agent PA application name A string the application name appears in the Cisco Secure ACS HTML interface and logs for the associated posture validation attribute For example if the vendor ID is 9 and the application ID is 1 the application name would be PA an abbreviation of ...

Page 763: ...send the attribute in posture validation responses but you cannot use it in local policy rule definitions Attributes with an out attribute profile are also known as outbound attributes The only outbound attributes that you can configure Cisco Secure ACS to log are the attributes for Application Posture Tokens and System Posture Tokens however these are system defined attributes that you cannot mod...

Page 764: ...tion File page D 52 To export posture validation attributes follow these steps Step 1 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe Step 2 Type CSUtil exe dumpavp filename where filename is the name of the file in which you want CSUtil exe to write all attribute definitions Press Enter Tip When you specify filen...

Page 765: ...rvice which temporarily suspends authentication services consider performing this procedure when demand for Cisco Secure ACS services is low Use the steps in Exporting Posture Validation Attribute Definitions page D 48 to create a backup of posture validation attribute definitions You can also use the exported attribute definition file to double check the vendor ID application ID and attribute ID ...

Page 766: ...to registry Attribute 9876 1 6 Melpomene added to registry Attribute 9876 1 7 Polyhymnia added to registry Attribute 9876 1 8 Terpsichore added to registry Attribute 9876 1 9 Thalia added to registry Attribute 9876 1 10 Urania added to registry AVPs from myavp txt were successfully added Step 4 If you are ready to make the imported attribute definitions take effect restart the CSAuth and CSAdmin s...

Page 767: ...re validation attributes follow these steps Step 1 On the computer running Cisco Secure ACS open an MS DOS command prompt and change directories to the directory containing CSUtil exe Step 2 Type CSUtil exe delavp vendor ID application ID attribute ID For more information about vendor application and attribute IDs see Posture Validation Attribute Definition File page D 44 CSUtil exe prompts you to...

Page 768: ... time to perform each command net stop csauth net start csauth net stop cslog net start cslog net stop csadmin net start csadmin Deleted posture validation attributes no longer are available in Cisco Secure ACS Default Posture Validation Attribute Definition File Example D 2 provides the definitions for the posture validation attributes that we provide with Cisco Secure ACS Should you need to rese...

Page 769: ... attribute type unsigned integer attr 2 vendor id 9 vendor name Cisco application id 1 application name PA attribute id 00003 attribute name PA Name attribute profile in out attribute type string attr 3 vendor id 9 vendor name Cisco application id 1 application name PA attribute id 00004 attribute name PA Version attribute profile in out attribute type version attr 4 vendor id 9 vendor name Cisco ...

Page 770: ...ile out attribute type string attr 7 vendor id 9 vendor name Cisco application id 2 application name Host attribute id 00001 attribute name Application Posture Token attribute profile out attribute type unsigned integer attr 8 vendor id 9 vendor name Cisco application id 2 application name Host attribute id 00002 attribute name System Posture Token attribute profile out attribute type unsigned int...

Page 771: ...ostFQDN attribute profile in attribute type string attr 12 vendor id 9 vendor name Cisco application id 5 application name HIP attribute id 00001 attribute name Application Posture Token attribute profile out attribute type unsigned integer attr 13 vendor id 9 vendor name Cisco application id 5 application name HIP attribute id 00002 attribute name System Posture Token attribute profile out attrib...

Page 772: ...ibute id 00011 attribute name TimeSinceLastSuccessfulPoll attribute profile in attribute type unsigned integer attr 17 vendor id 9 vendor name Cisco application id 5 application name HIP attribute id 32768 attribute name CSAMCName attribute profile in attribute type string attr 18 vendor id 9 vendor name Cisco application id 5 application name HIP attribute id 32769 attribute name CSAStates attrib...

Page 773: ...ec application id 3 application name AV attribute id 00003 attribute name Software Name attribute profile in out attribute type string attr 22 vendor id 393 vendor name Symantec application id 3 application name AV attribute id 00004 attribute name Software ID attribute profile in out attribute type unsigned integer attr 23 vendor id 393 vendor name Symantec application id 3 application name AV at...

Page 774: ...ersion attr 26 vendor id 393 vendor name Symantec application id 3 application name AV attribute id 00008 attribute name Dat Date attribute profile in out attribute type date attr 27 vendor id 393 vendor name Symantec application id 3 application name AV attribute id 00009 attribute name Protection Enabled attribute profile in out attribute type unsigned integer attr 28 vendor id 393 vendor name S...

Page 775: ...ttribute profile out attribute type unsigned integer attr 31 vendor id 3401 vendor name NAI application id 3 application name AV attribute id 00003 attribute name Software Name attribute profile in out attribute type string attr 32 vendor id 3401 vendor name NAI application id 3 application name AV attribute id 00004 attribute name Software ID attribute profile in out attribute type unsigned integ...

Page 776: ...attribute name Dat Version attribute profile in out attribute type version attr 36 vendor id 3401 vendor name NAI application id 3 application name AV attribute id 00008 attribute name Dat Date attribute profile in out attribute type date attr 37 vendor id 3401 vendor name NAI application id 3 application name AV attribute id 00009 attribute name Protection Enabled attribute profile in out attribu...

Page 777: ...ute id 00002 attribute name System Posture Token attribute profile out attribute type unsigned integer attr 41 vendor id 6101 vendor name Trend application id 3 application name AV attribute id 00003 attribute name Software Name attribute profile in out attribute type string attr 42 vendor id 6101 vendor name Trend application id 3 application name AV attribute id 00004 attribute name Software ID ...

Page 778: ...pplication id 3 application name AV attribute id 00007 attribute name Dat Version attribute profile in out attribute type version attr 46 vendor id 6101 vendor name Trend application id 3 application name AV attribute id 00008 attribute name Dat Date attribute profile in out attribute type date attr 47 vendor id 6101 vendor name Trend application id 3 application name AV attribute id 00009 attribu...

Page 779: ...cation name CNAC attribute id 00001 attribute name Application Posture Token attribute profile out attribute type string attr 50 vendor id 10000 vendor name out application id 1 application name CNAC attribute id 00002 attribute name System Posture Token attribute profile out attribute type string attr 51 vendor id 10000 vendor name out application id 1 application name CNAC attribute id 00003 att...

Page 780: ...Appendix D CSUtil Database Utility Posture Validation Attributes D 64 User Guide for Cisco Secure ACS for Windows Server 78 16592 01 ...

Page 781: ...ents of roaming intranet users This chapter provides information about the VPDN process and how it affects the operation of Cisco Secure ACS VPDN Process This section describes the steps for processing VPDN requests in a standard environment 1 A VPDN user dials in to the network access server NAS of the regional service provider RSP The standard call point to point protocol PPP setup is done A use...

Page 782: ...main portion corporation us with the ACS See Figure E 2 Figure E 2 NAS Attempts to Authorize Domain 3 If the domain authorization fails the NAS assumes the user is not a VPDN user The NAS then authenticates not authorizes the user as if the user is a standard non VPDN dial user See Figure E 3 Corporation VPDN user User mary corporatio Call setup PPP setup Username mary corporation us ACS RSP ACS A...

Page 783: ...e gateway HG these are used to create the tunnel See Figure E 4 Figure E 4 ACS Authorizes Domain 4 The HG uses its ACS to authenticate the tunnel where the username is the name of the tunnel nas_tun See Figure E 5 S6655 Corporation VPDN user User mary corporation us ACS RSP ACS Authorization failed S6647 Corporation VPDN user User mary corporation us ACS RSP Authorization reply Tunnel ID nas_tun I...

Page 784: ...osen based on the name of the tunnel so the HG might have different names depending on the tunnel being set up See Figure E 6 Figure E 6 HG Authenticates Tunnel with the NAS 6 The NAS now uses its ACS to authenticate the tunnel from the HG See Figure E 7 S6649 Username nas_tun Password CHAP_stuff Corporation VPDN user User mary corporation us ACS RSP Authentication request ACS S6650 CHAP challenge...

Page 785: ... 8 The HG now authenticates the user as if the user dialed directly in to the HG The HG might now challenge the user for a password The Cisco Secure ACS at RSP can be configured to strip off the and domain before it passes the authentication to the HG The user is passed as mary corporation us The HG uses its ACS to authenticate the user See Figure E 9 Username home_gate Password CHAP_stuff Corpora...

Page 786: ...does not repeat the entire authorization authentication process Instead it passes the user through the existing tunnel to the HG See Figure E 10 Figure E 10 Another User Dials In While Tunnel is Up Username mary corporation us Password secret Corporation VPDN user User mary corporatio ACS RSP ACS Username sue corporation us Password secret2 VPDN user User sue corporatio Corporation VPDN user User ...

Page 787: ...onization feature and accountActions see RDBMS Synchronization page 9 25 This chapter contains the following topics accountActions Specification page F 1 Action Codes page F 4 Cisco Secure ACS Attributes and Action Codes page F 32 An Example of accountActions page F 36 accountActions Specification Whether you create accountActions by hand in a text editor or through automation using a third party ...

Page 788: ...Actions Fields Field Name Mnemonic Type Size Max Length Comments SequenceId SI AutoNumber 32 The unique action ID Priority P Integer 1 The priority with which this update is to be treated 0 is the lowest priority UserName UN String 32 The name of the user to which the transaction applies GroupName GN String 32 The name of the group to which the transaction applies Action A Number 0 216 The Action ...

Page 789: ...nsaction is acting upon a group a valid value is required in the GroupName field If a transaction is acting upon AAA client configuration neither the UserName field nor the GroupName field require a value Note The UserName and GroupName fields are mutually exclusive only one of these two fields can have a value and neither field is always required MessageNo MN Integer Used to number related transa...

Page 790: ...portance to occur first such as deleting a user or changing a password In the most common implementations of RDBMS Synchronization a third party system writes to accountActions in batch mode with all actions rows assigned a priority of zero 0 Note When changing transaction priorities be careful that they are processed in the correct order for example a user account must be created before the user ...

Page 791: ...e F 7 Action Codes for Initializing and Modifying Access Filters page F 14 Action Codes for Modifying TACACS and RADIUS Group and User Settings page F 19 Action Codes for Modifying Network Configuration page F 25 Action Codes for Setting and Deleting Values The two most fundamental action codes are SET_VALUE action code 1 and DELETE_VALUE action code 2 described in Table F 2 The SET_VALUE action c...

Page 792: ...ng APP_CSAUTH APP_CSTACACS APP_CSRADIUS APP_CSADMIN Value types V2 can be one of the following TYPE_BYTE Single 8 bit number TYPE_SHORT Single 16 bit number TYPE_INT Single 32 bit number TYPE_STRING Single string TYPE_ENCRYPTED_STRING Single string to be saved encrypted TYPE_MULTI_STRING Tab separated set of substrings TYPE_MULTI_INT Tab separated set of 32 bit numbers For example UN fred AI APP_C...

Page 793: ...isplayed in the User Setup section of the HTML interface For more information about the User Setup section see Chapter 7 User Management Table F 3 User Creation and Modification Action Codes Action Code Name Required Description 100 ADD_USER UN GN V1 Creates a user 32 characters maximum V1 is used as the initial password Optionally the user can also be assigned to a group 101 DELETE_USER UN Remove...

Page 794: ...should be one of the following ENABLE_LEVEL_AS_GROUP Max privilege taken from group setting ENABLE_LEVEL_NONE No T enable configured ENABLE_LEVEL_STATIC Value set in V2 used during enable level check You can use VN to link the enable password to an external authenticator as per action 108 SET_PASS_TYPE 106 SET_GROUP UN GN Sets the Cisco Secure ACS group assignment of the user Table F 3 User Creati...

Page 795: ...TYPE_LDAP External generic LDAP database password PASS_TYPE_LEAP External LEAP proxy RADIUS server database password PASS_TYPE_RADIUS_TOKEN External RADIUS token server database password 109 REMOVE_PASS_ STATUS UN V1 Removes a password status flag This results in the status states being linked in a logical XOR condition V1 should contain one of the following PASS_STATUS_EXPIRES Password expires on...

Page 796: ...of login attempts using the wrong password PASS_STATUS_RIGHT Password expires after a given number of login attempts using the correct password PASS_STATUS_DISABLED The account has been disabled 112 SET_PASS_EXPIRY_ WRONG UN V1 Sets the maximum number of bad authentications allowed automatic reset on good password if not exceeded and reset current count 113 SET_PASS_EXPIRY_ DATE UN V1 Sets the dat...

Page 797: ...he network for the period defined in V2 V1 defines the quota If VN is set to sessions V1 is the maximum number of sessions in the period defined in V2 If VN is set to online time V1 is the maximum number of seconds V2 holds the period for the quota Valid values are QUOTA_PERIOD_DAILY The quota is enforced in 24 hour cycles from 12 01 A M to midnight QUOTA_PERIOD_WEEKLY The quota is enforced in 7 d...

Page 798: ...the period defined in V2 sessions The quota limits the user or group by the number of sessions on the network for the period defined in V2 262 RESET_COUNTERS UN GN Resets usage quota counters for a user or group 263 SET_QUOTA_APPLY_ TYPE V1 Defines whether a user usage quota is determined by the user group quota or by a quota unique to the user V1 makes this specification Valid values for V1 are A...

Page 799: ...The valid values for VN are none Sets no DCS for the user or group as group For users only this value signifies that the user DCS settings for the service specified should be the same as the user group DCS settings static Sets a DCS for the user or group for all devices enabled to perform command authorization for the service specified If V1 is set to static V2 is required and must contain the nam...

Page 800: ...hell Cisco PIX command authorization Note If additional DCS types have been added to your Cisco Secure ACS you can find the valid value in the Interface Configuration page for TACACS Cisco IOS The valid values appear in parentheses after the service title such as PIX Shell pixshell V1 defines the name of the NDG Use the name of the NDG as it appears in the HTML interface For example if you have co...

Page 801: ...AS_ACCESS_ CONTROL UN GN V1 Clears the AAA client access filter list and initialize permit deny for any forthcoming filters V1 should be one of the following values ACCESS_PERMIT ACCESS DENY 121 INIT_DIAL_ACCESS_ CONTROL UN GN V1 Clears the dial up access filter list and initialize permit deny for any forthcoming filters V1 should be one of the following values ACCESS_PERMIT ACCESS DENY 122 ADD_NA...

Page 802: ...in the filter type as one of the following values CLID The user is filtered by the calling station ID DNIS The user is filtered by the called station ID CLID DNIS The user is filtered by both calling and called station IDs AAA client PORT The user is filtered by AAA client IP and AAA client port address 130 SET_TOKEN_CACHE_ SESSION GN V1 Enables disables token caching for an entire session V1 is 0...

Page 803: ... contains a string of 168 characters Each character represents a single hour of the week A 1 represents an hour that is permitted while a 0 represents an hour that is denied If this parameter is not specified for a user the group setting applies The default group setting is 111111111111 and so on Table F 4 Action Codes for Initializing and Modifying Access Filters continued Action Code Name Requir...

Page 804: ...ser ALLOC_METHOD_AAA_POOL The IP pool named in V1 configured on the AAA server will be assigned to the user ALLOC_METHOD_CLIENT The dial in client will assign its own IP address ALLOC_METHOD_AS_GROUP The IP address assignment configured for the group will be used 151 SET_CALLBACK_NO UN GN V1 Sets the callback number for this user or group TACACS and RADIUS V1 should be one of the following Callbac...

Page 805: ... using these codes affect the configuration displayed in the User Setup and Group Setup sections of the HTML interface For more information about the User Setup section see Chapter 7 User Management For more information about the Group Setup section see Chapter 6 User Group Management Table F 5 Action Codes for Modifying TACACS and RADIUS Group and User Settings Action Code Name Required Descripti...

Page 806: ... set the IETF RADIUS Framed IP Address attribute attr 9 for a user UN fred VN Framed IP Address V1 10 1 1 1 To add a vendor specific attribute VSA set VN Vendor Specific and use V2 and V3 as follows V2 IETF vendor ID V3 VSA attribute ID For example to add the Cisco IOS PIX RADIUS cisco av pair attribute with a value of addr pool pool1 VN Vendor Specific V1 addr pool pool1 V2 9 V3 1 RADIUS attribut...

Page 807: ...For example GN Group 1 V1 ppp V2 ip or UN fred V1 ppp V2 ip or UN fred V1 exec 171 REMOVE_TACACS_ SERVICE UN GN V1 Optionally V2 Denies the service for that user or group of users For example GN Group 1 V1 ppp V2 ip or UN fred V1 ppp V2 ip or UN fred V1 exec This also resets the valid attributes for the service Table F 5 Action Codes for Modifying TACACS and RADIUS Group and User Settings continue...

Page 808: ...y have been permitted either via the HTML interface or using Action 170 GN Group 1 VN routing V1 ppp V2 ip V3 true or UN fred VN route V1 ppp V2 ip V3 10 2 2 2 173 REMOVE_TACACS_ ATTR UN GN VN V1 Optionally V2 Removes a service specific attribute GN Group 1 V1 ppp V2 ip VN routing or UN fred V1 ppp V2 ip VN route Table F 5 Action Codes for Modifying TACACS and RADIUS Group and User Settings contin...

Page 809: ...orized for users of Group 1 Any arguments can be supplied to the Telnet command as long as they are not matched against any arguments defined via Action 176 The second example permits the configure command to be authorized for user fred but only if the arguments supplied are permitted by the filter defined by a series of Action 176 175 REMOVE_IOS_ COMMAND UN GN VN Removes command authorization for...

Page 810: ... 1 VN telnet V1 permit V2 10 1 1 2 or UN fred VN show V1 deny V2 run The first example will allow the telnet command with argument 10 1 1 2 to be used by any user in Group 1 The second example ensures that user fred cannot issue the Cisco IOS command show run 177 REMOVE_IOS_ COMMAND_ARG UN GN VN V2 Removes the permit or deny entry for the given Cisco IOS command argument GN Group 1 VN telnet V2 10...

Page 811: ...isco IOS commands not defined via a combination of Actions 174 and 175 will be denied This behavior can be changed so that issued Cisco IOS commands that do not match any command command argument pairs are authorized GN Group 1 V1 permit or UN fred V1 deny The first example will permit any command not defined by Action 174 179 REMOVE_ALL_IOS_ COMMANDS UN GN This action removes all Cisco IOS comman...

Page 812: ...ndors are as follows VENDOR_ID_IETF_RADIUS For IETF RADIUS VENDOR_ID_CISCO_RADIUS For Cisco IOS PIX RADIUS VENDOR_ID_CISCO_TACACS For Cisco TACACS VENDOR_ID_ASCEND_RADIUS For Ascend RADIUS VENDOR_ID_ALTIGA_RADIUS For Cisco VPN 3000 RADIUS VENDOR_ID_COMPATIBLE_RADIUS For Cisco VPN 5000 RADIUS VENDOR_ID_AIRONET_RADIUS For Cisco Aironet RADIUS VENDOR_ID_NORTEL_RADIUS For Nortel RADIUS VENDOR_ID_JUNIP...

Page 813: ... new AAA client named in VN with an IP address V1 shared secret key V2 and the enterprise code for the vendor V3 230 ADD_AAA_SERVER VN V1 V2 Adds a new AAA server named VN with IP address V1 shared secret key V2 231 SET_AAA_TYPE VN V1 Sets the AAA server type for server VN to value in V1 which should be one of the following TYPE_ACS TYPE_TACACS TYPE_RADIUS The default is AAA_SERVER_TYPE_ACS 232 SE...

Page 814: ...lowing MARKUP_TYPE_PREFIX MARKUP_TYPE_SUFFIX The markup strip flag should be TRUE if the markup is to be removed from the username before forwarding The accounting flag V3 should be one of the following ACCT_FLAG_LOCAL ACCT_FLAG_REMOTE ACCT_FLAG_BOTH 241 ADD_PROXY_ TARGET VN V1 Adds to named proxy markup VN the host name V1 The host should already be configured on the Cisco Secure ACS Note The ord...

Page 815: ...od are know as User Defined Vendors UDV VN contains the name of the Vendor Note Cisco Secure ACS adds RADIUS to the name entered in the Variable Name field For example if you enter the name MyCo Cisco Secure ACS displays RADIUS MyCo in the HTML interface V1 contains the user defined vendor slot number or AUTO_ASSIGN_SLOT Cisco Secure ACS has ten vendor slots numbered 0 through 9 If you specify AUT...

Page 816: ... is assigned a group ID we recommend prefixing the vendor name or an abbreviation to all VSAs For example VSAs could be MyCo Assigned Group Id Note VSA names must be unique to both the vendor and to the Cisco Secure ACS dictionary For example MyCo Framed IP Address is allowed but Framed IP Address is not because Framed IP Address is used by IETF action code 8 in the RADIUS attributes V2 is the VSA...

Page 817: ...SA number V3 contains the profile one of the following IN OUT IN OUT MULTI OUT MULTI IN OUT 354 ADD_VSA_ENUM VN V1 V2 V3 Sets meaningful enumerated values if the VSA attribute has enumerated In the User Setup section the Cisco Secure ACS HTML interface displays the enumeration strings in a list VN contains the VSA Enum Name V1 contains the vendor IETF code V2 contains the VSA number V3 contains th...

Page 818: ...ts the attributes that define a Cisco Secure ACS user including their data types limits and default values It also provides the action code you can use in accountActions to affect each attribute Although there are many actions available adding a user requires only one transaction ADD_USER You can safely leave other user attributes at their default values The term NULL is not simply an empty string...

Page 819: ...ACS Enable Password 105 String Password 4 32 characters NULL Integer privilege level 0 15 characters NULL Group 106 String 0 100 characters Default Group Password Supplier 107 Enum See Table F 3 LIBRARY_CSDB Password Type 108 Enum See Table F 3 PASS_TYPE_CSDB password is cleartext PAP Password Expiry Status 109 110 Bitwise Enum See Table F 3 PASS_STATUS_ NEVER never expires Expiry Data 112 113 Sho...

Page 820: ...DAs see User Data Configuration Options page 3 3 Dial Up Access Control 121 123 Bool enabled T F NULL Bool permit deny T F NULL ACL String See Table F 4 0 31 KB NULL Static IP Address 150 Enum scheme See Table F 4 Client String IP Pool name 0 31 KB NULL Callback Number 151 String 0 31 KB NULL TACACS Attributes 160 162 Formatted String 0 31 KB NULL RADIUS Attributes 170 173 Formatted String 0 31 KB...

Page 821: ...action codes see Action Codes page F 4 Note If more than two UDAs are created only the first two are passed to accounting logs Group Specific Attributes Table F 9 lists the attributes that define a Cisco Secure ACS group including their data types limits and default values It also provides the action code you can use in your accountActions table to affect each field For more information about acti...

Page 822: ...MAX_SESSIONS_ UNLIMITED Max Sessions for user of group 115 Unsigned short 0 65534 MAX_SESSIONS_ UNLIMITED Token caching for session 130 Bool T F NULL Token caching for duration 131 Integer time in seconds 0 65535 NULL TODDOW Restrictions 140 String 168 characters 111111111111 NAS Access Control 120 122 Bool enabled T F NULL Bool permit deny T F ACL String See Table F 4 0 31 KB Dial Up Access Contr...

Page 823: ...ample omits several columns that should appear in any accountActions table The omitted columns are Sequence ID SI Priority P DateTime DT and MessageNo MN Table F 10 Example accountActions Table Action User name UN Group Name GN Value Name VN Value1 V1 Value2 V2 Value3 V3 AppId AI 100 fred fred 102 fred freds_password 103 fred freds_chap_ password 104 fred freds_outbound_ password 105 fred freds_en...

Page 824: ...01732 975374 123 fred 01732 975374 0162 2 123123 CLID DNIS 1 fred USER_ DEFINED_ FIELD_0 Fred Jones TYPE_ STRING APP_ CSAUTH 140 Group 2 a string of 168 ones 1 130 Group 2 DISABLE 131 Group 2 61 163 Group 2 Reply Message Welcome to Your Internet Service 163 Group 2 Vendor Specific addr pool pool2 9 1 Table F 10 Example accountActions Table continued Action User name UN Group Name GN Value Name VN ...

Page 825: ... Windows Services page G 1 Windows Registry page G 2 CSAdmin page G 2 CSAuth page G 3 CSDBSync page G 4 CSLog page G 4 CSMon page G 4 CSTacacs and CSRadius page G 8 Windows Services Cisco Secure ACS is modular and flexible to fit the needs of both simple and large networks This appendix describes the Cisco Secure ACS architectural components Cisco Secure ACS includes the following service modules ...

Page 826: ...at you do not modify Windows Registry settings pertaining to Cisco Secure ACS Warning Do not modify the Registry unless you have enough knowledge and experience to edit the file without destroying or corrupting crucial data CSAdmin CSAdmin is the service that provides the web server for the Cisco Secure ACS HTML interface After Cisco Secure ACS is installed you must configure it from its HTML inte...

Page 827: ...on and authorization service It permits or denies access to users by processing authentication and authorization requests CSAuth determines if access should be granted and defines the privileges for a particular user CSAuth is the Cisco Secure ACS database manager To authenticate users Cisco Secure ACS can use the internal user database or one of many external databases When a request for authenti...

Page 828: ... Synchronization page 9 25 CSLog CSLog is the service used to capture and place logging information CSLog gathers data from the TACACS or RADIUS packet and CSAuth and then manipulates the data to be placed into the comma separated value CSV files CSV files can be imported into spreadsheets that support this format For information about the logs generated by Cisco Secure ACS see Chapter 1 Overview ...

Page 829: ...nitors the following key system thresholds Available hard disk space Processor utilization Physical memory utilization All events related to generic host system state are categorized as warning events Application specific performance Application viability CSMon periodically performs a test login using a special built in test account the default period is one minute Problems with this authenticatio...

Page 830: ...log on attempts CSMon cooperates with CSAuth to keep track of user accounts being disabled by exceeding their failed attempts count maximum This feature is more oriented to security and user support than to system viability If configured it provides immediate warning of brute force attacks by alerting the administrator to a large number of accounts becoming disabled In addition it helps support te...

Page 831: ...toring page G 5 These events are application specific and hard coded into Cisco Secure ACS There are two types of responses Warning events Service is maintained but some monitored threshold is breached Failure events One or more Cisco Secure ACS components stop providing service CSMon responds to the event by logging the event sending notifications if configured and if the event is a failure takin...

Page 832: ...ing conditions CSTacacs and CSRadius services must be configured from CSAdmin CSTacacs and CSRadius services must communicate with access devices such as access servers routers switches and firewalls The identical shared secret key must be configured both in Cisco Secure ACS and on the access device The access device IP address must be specified in Cisco Secure ACS The type of security protocol be...

Page 833: ...pported Cisco AAA clients 1 2 table 4 1 timeout values 15 9 AAA servers adding 4 24 configuring 4 21 deleting 4 28 editing 4 26 enabling in interface table 3 5 functions and concepts 1 5 in distributed systems 4 3 master 9 3 overview 4 21 primary 9 3 replicating 9 3 searching for 4 8 secondary 9 3 troubleshooting A 1 access devices 1 6 accessing Cisco Secure ACS how to 1 32 URL 1 29 with SSL enabl...

Page 834: ...setup 12 18 administrative access policies See also administrators configuring 12 14 limits 12 11 options 12 12 overview 2 15 administrative sessions and HTTP proxy 1 30 network environment limitations of 1 30 session policies 12 16 through firewalls 1 31 through NAT network address translation 1 31 administrators See also Administration Audit log See also Administration Control See also administr...

Page 835: ...0 configuration 10 26 denying unknown users 15 17 options 10 33 overview 1 8 request handling 15 5 via external user databases 13 5 Windows 13 11 authorization 1 17 authorization sets See command authorization sets AV attribute value pairs See also RADIUS VSAs vendor specific attributes RADIUS Cisco IOS C 3 IETF C 14 TACACS accounting B 4 general B 1 B Backup and Restore log directory See Cisco Se...

Page 836: ...lacing certificate 10 50 self signed certificates configuring 10 49 NAC 14 6 overview 10 47 server certificate installation 10 35 updating certificate 10 50 CHAP compatible databases 1 10 in User Setup 7 5 protocol supported 1 11 Cisco IOS RADIUS AV attribute value pairs C 2 group attributes 6 40 user attributes 7 39 TACACS AV attribute value pairs B 1 troubleshooting A 5 Cisco Secure ACS Active S...

Page 837: ...g 5 33 overview 5 26 pattern matching 5 30 PIX command authorization sets 5 26 command line database utility See CSUtil exe conventions xxxi CRLs 10 40 CSAdmin G 2 CSAuth G 3 CSDBSync 9 29 G 4 CSLog G 4 CSMon See also Cisco Secure ACS Active Service Management Cisco Secure ACS Service Monitoring logs 11 32 configuration G 4 failure events customer defined actions G 7 predefined actions G 7 functio...

Page 838: ...abases 16 1 overview 16 1 Database Replication log CSV comma separated values file directory 11 16 viewing 11 18 databases See also external user databases authentication search process 15 5 CiscoSecure user database 13 2 compacting D 12 deleting 13 86 deployment considerations 2 18 dump files D 10 external See also external user databases See also Unknown User Policy NAC 14 10 posture validation ...

Page 839: ...s settings for groups 6 5 deleting logged in users 11 11 deployment overview 2 1 sequence 2 19 device command sets See command authorization sets device groups See network device groups device management applications support 1 19 DHCP with IP pools 9 45 dial in permission to users in Windows 13 26 dial in troubleshooting A 10 dial up networking clients 13 10 dial up topologies 2 6 digital certific...

Page 840: ...s D 10 loading a database from a dump file D 11 E EAP Extensible Authentication Protocol overview 1 13 with Windows authentication 13 15 EAP FAST compatible databases 1 10 enabling 10 25 identity protection 10 14 logging 10 14 master keys definition 10 15 states 10 15 master server 10 23 options 10 28 overview 10 13 PAC automatic provisioning 10 18 definition 10 17 manual provisioning 10 20 refres...

Page 841: ...tency factors 15 9 search order 15 9 15 15 supported 1 10 Unknown User Policy 15 1 F Failed Attempts log configuring CSV comma separated values 11 19 ODBC 11 23 CSV comma separated values file directory 11 16 enabling log 11 17 ODBC 11 23 viewing 11 18 failed log on attempts G 6 failure events customer defined actions G 7 predefined actions G 7 fallbacks on failed connection 4 5 finding users 7 55...

Page 842: ...in 6 54 mapping order 16 12 mappings 16 1 16 2 multiple mappings 16 5 no access groups 16 5 overriding settings 3 2 relationship to users 3 2 renaming 6 55 resetting usage quota counters for 6 55 settings for callback options 6 7 configuration specific 6 16 configuring common 6 3 device management command authorization sets 6 37 enable privilege 6 19 IP address assignment method 6 28 management ta...

Page 843: ...ystem requirements 2 2 troubleshooting A 16 Interface Configuration See also HTML interface advanced options 3 4 configuring 3 1 customized user data fields 3 3 security protocol options 3 9 IP ACLs See downloadable IP ACLs IP addresses in User Setup 7 10 multiple IP addresses for AAA client 4 12 requirement for CSTacacs and CSRadius G 8 setting assignment method for user groups 6 28 IP pools addr...

Page 844: ...es files 11 2 custom RADIUS dictionaries 9 2 debug logs detail levels 11 33 frequency 11 33 Disabled Accounts reports 11 9 domain names 11 3 external user databases 11 3 Failed Attempts logs 11 6 formats 11 2 Logged In Users reports 11 9 ODBC logs enabling in interface 3 6 overview 11 2 working with 11 21 overview 11 6 Passed Authentication logs 11 6 RADIUS logs 11 6 RDBMS synchronization 9 2 remo...

Page 845: ...ition 10 15 states 10 15 max sessions enabling in interface 3 5 in Group Setup 6 12 in User Setup 7 16 overview 1 18 troubleshooting A 16 memory utilization G 5 monitoring configuring 8 19 CSMon G 5 overview 8 18 MS CHAP compatible databases 1 10 configuring 10 26 overview 1 13 protocol supported 1 11 multiple group mappings 16 5 multiple IP addresses for AAA clients 4 12 N NAC attributes about 14...

Page 846: ...es 14 23 definition 14 4 group mapping 16 13 returned by local policies 14 18 Unknown User Policy 15 10 NAFs See network access filters NAR See network access restrictions NAS See AAA clients NDG See network device groups NDS See Novell NDS user databases network access filters adding 5 3 deleting 5 7 editing 5 5 overview 5 2 network access quotas 1 18 network access restrictions adding 5 19 confi...

Page 847: ... wireless 2 9 notifications G 7 Novell NDS user databases authentication 13 50 configuring 13 53 mapping database groups to AAA groups 16 4 Novell Requestor 13 50 options 13 52 supported protocols 1 10 supported versions 13 50 user contexts 13 51 O ODBC features accountActions table 9 32 authentication CHAP 13 60 EAP TLS 13 60 overview 13 55 PAP 13 60 preparation process 13 59 process with externa...

Page 848: ...guration 1 15 overview of Cisco Secure ACS 1 1 P PAC automatic provisioning 10 18 definition 10 17 manual provisioning 10 20 refresh 10 21 PAP compatible databases 1 10 in User Setup 7 5 vs ARAP 1 12 vs CHAP 1 12 Passed Authentications log configuring CSV comma separated values 11 19 CSV comma separated values file directory 11 16 enabling CSV comma separated values logging 11 17 viewing 11 18 pas...

Page 849: ... databases 1 10 configuring 10 26 enabling 10 12 identity protection 10 9 options 10 27 overview 10 8 password aging 6 27 phases 10 9 with Unknown User Policy 10 11 performance monitoring G 5 performance specifications 1 3 per group attributes See also groups enabling in interface 3 2 per user attributes enabling in interface 3 2 TACACS RADIUS in Interface Configuration 3 4 PIX ACLs See downloadab...

Page 850: ...so proxy adding entries 4 35 configuring 4 34 default entry 4 3 4 34 deleting entries 4 38 editing entries 4 37 match order sorting 4 36 overview 4 34 Q quotas See network access quotas See usage quotas R RADIUS See also RADIUS VSAs vendor specific attributes attributes See also RADIUS VSAs vendor specific attributes in User Setup 7 37 AV attribute value pairs See also RADIUS VSAs vendor specific ...

Page 851: ...end in Group Setup 6 43 in User Setup 7 43 supported attributes C 31 Cisco Aironet in Group Setup 6 41 in User Setup 7 41 Cisco BBSM Building Broadband Service Manager in Group Setup 6 51 in User Setup 7 52 supported attributes C 14 Cisco IOS PIX in Group Setup 6 40 interface configuration 3 17 in User Setup 7 39 supported attributes C 5 Cisco VPN 3000 in Group Setup 6 44 in User Setup 7 44 suppor...

Page 852: ...1 16 viewing 11 18 manual initialization 9 40 network configuration 9 28 overview 9 26 partners 9 39 preparing to use 9 33 report and error handling 9 33 scheduling options 9 39 user related configuration 9 27 Registry G 2 rejection mode general 15 5 posture validation 15 11 Windows user databases 15 6 related documentation xxxiii reliability of network 2 19 remote access policies 2 14 remote logg...

Page 853: ... 9 12 selecting data 9 11 unsupported 9 2 user defined RADIUS vendors 9 9 vs backup 9 10 Reports and Activity See also logging configuration privileges 12 5 configuring 11 20 CSV comma separated values logs 11 13 in interface 1 29 overview 11 6 request handling general 15 5 posture validation 15 11 Windows user databases 15 6 requirements hardware 2 2 network 2 4 operating system 2 2 system 2 2 re...

Page 854: ...1 32 management 8 17 overview 1 4 G 1 starting 8 2 stopping 8 2 session policies configuring 12 17 options 12 16 overview 12 16 shared profile components See also command authorization sets See also downloadable IP ACLs See also network access filters See also network access restrictions overview 5 1 shared secret G 8 shell command authorization sets See also command authorization sets in Group Se...

Page 855: ...See RDBMS synchronization system configuration advanced 9 1 authentication 10 1 basic 8 1 certificates 10 1 privileges 12 4 health G 5 messages in interface 1 29 monitoring See monitoring performance specifications 1 3 requirements 2 2 services See services T TACACS advanced TACACS settings in Group Setup 6 2 in User Setup 7 33 AV attribute value pairs accounting B 4 general B 1 custom commands 3 ...

Page 856: ...rization sets password aging 6 21 test login frequency internally 8 18 thread used G 6 time of day day of week specification See also date format control enabling in interface 3 5 timeout values on AAA clients 15 9 TLS transport level security See certification token caching 1 15 13 79 token cards password configuration 1 14 settings in Group Setup 6 18 token servers ISDN terminal adapters 13 79 o...

Page 857: ...processing 15 8 network access authorization 15 13 posture validation 15 10 update packets See watchdog packets upgrade troubleshooting A 16 usage quotas in Group Setup 6 14 in Interface Configuration 3 5 in User Setup 7 18 overview 1 18 resetting for groups 6 55 for single users 7 58 user changeable passwords overview 1 16 with Windows user databases 13 25 user databases See databases User Data C...

Page 858: ...ip to groups 3 2 resetting accounts 7 59 saving settings 7 60 supplementary information 7 6 troubleshooting A 20 types discovered 15 3 known 15 2 unknown 15 3 VPDN dialup E 2 User Setup account management tasks 7 54 basic options 7 3 configuring 7 2 deleting user accounts 7 57 saving settings 7 60 Users in Group button 6 54 V validation of passwords 8 5 vendor specific attributes See RADIUS VSAs v...

Page 859: ...eb servers G 2 Windows operating systems authentication order 15 7 Cisco Secure ACS related services services 8 2 dial up networking 13 10 dial up networking clients domain field 13 10 password field 13 10 username field 13 10 Domain List effect 15 7 domains domain names 13 13 13 14 15 6 Event logs G 6 Registry G 2 Windows user databases See also databases Active Directory 13 26 configuring 13 30 ...

Page 860: ...ide for Cisco Secure ACS for Windows Server 78 16592 01 passwords 1 11 rejection mode 15 6 request handling 15 6 trust relationships 13 9 user changeable passwords 13 25 user manager 13 26 wireless network topologies 2 9 ...

Reviews:

No comments

Related manuals for 3.3

Canon Optura Pi Install Manual preview
Optura Pi
Brand: Canon Pages: 2
MACROMEDIA COLFUSION MX 7 - INSTALLING AND USING COLDFUSION... Using Manual preview
COLFUSION MX 7 - INSTALLING AND USING COLDFUSION...
Brand: MACROMEDIA Pages: 72
AT&T OneVision DEFINITY G3 Fault Management and integration User Manual preview
OneVision DEFINITY G3 Fault Management and integration
Brand: AT&T Pages: 153
Xerox Integrated Fiery Color Server Quick Start Manual preview
Integrated Fiery Color Server
Brand: Xerox Pages: 24
Hamlet Exagerate ZELIG-CAM PRO User Manual preview
Exagerate ZELIG-CAM PRO
Brand: Hamlet Pages: 6
Primera PrimoDVD User Manual preview
PrimoDVD
Brand: Primera Pages: 19
Red Hat NETWORK 3.6 - Reference Manual preview
NETWORK 3.6 -
Brand: Red Hat Pages: 198
IBM SC34-5764-01 Manual preview
SC34-5764-01
Brand: IBM Pages: 481
Omron FLEXXPECT Brochure preview
FLEXXPECT
Brand: Omron Pages: 4
Braunschweiger Flammenfilter PROTEGO QuEST Quick Manual preview
PROTEGO QuEST
Brand: Braunschweiger Flammenfilter Pages: 4
Arturia Minimoog V Quick Start Manual preview
Minimoog V
Brand: Arturia Pages: 10
Honeywell Dolphin 7200 Software Manual preview
Dolphin 7200
Brand: Honeywell Pages: 2
Honeywell INTEGRA User Manual preview
INTEGRA
Brand: Honeywell Pages: 14
Honeywell 7850LP-I1-5210E - Hand Held Products Dolphin 7850 User Manual preview
7850LP-I1-5210E - Hand Held Products Dolphin 7850
Brand: Honeywell Pages: 36
Honeywell Dolphin Demos User Manual preview
Dolphin Demos
Brand: Honeywell Pages: 46
Honeywell RAPID EYE MULTI-MEDIA Operator'S Manual preview
RAPID EYE MULTI-MEDIA
Brand: Honeywell Pages: 144
Honeywell ARENA User Manual preview
ARENA
Brand: Honeywell Pages: 160
Honeywell WebVision User Manual preview
WebVision
Brand: Honeywell Pages: 176

Brands by name

Popular brands

Load more brands