
User Guide for Cisco Secure ACS for Windows Server
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Customer Order Number: DOC-7814696= Text Part Number: 78-14696-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0206R)
User Guide for Cisco Secure ACS for Windows Server
Copyright © 2002, Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xxv
Document Objective xxv
Audience xxv
Organization xxvi
Conventions xxviii
Related Documentation xxix
Obtaining Documentation xxx
World Wide Web xxx
Documentation CD-ROM xxx
Ordering Documentation xxx
Documentation Feedback xxxi
Obtaining Technical Assistance xxxi
Cisco.com xxxi
Technical Assistance Center xxxii
Cisco TAC Web Site xxxii
Cisco TAC Escalation Center xxxiii
CHAPTER 1 Overview of CiscoSecure ACS 1-1
The CiscoSecure ACS Paradigm 1-1
CiscoSecure ACS Specifications 1-2
System Performance Specifications 1-3
CiscoSecure ACS Windows Services 1-4
AAA Server Functions and Concepts 1-5
CiscoSecure ACS and the AAA Client 1-5
78-14696-01, Version 3.1
AAA Protocols—TACACS+ and RADIUS 1-6
TACACS+ 1-6
RADIUS 1-6
Authentication 1-7
Authentication Considerations 1-8
Authentication and User Databases 1-8
Authentication Protocol-Database Compatibility 1-9
Passwords 1-10
Other Authentication-Related Features 1-15
Authorization 1-15
Max Sessions 1-16
Dynamic Usage Quotas 1-17
Shared Profile Components 1-17
Support for Cisco Device-Management Applications 1-18
Other Authorization-Related Features 1-19
Accounting 1-20
Other Accounting-Related Features 1-20
Administration 1-21
HTTP Port Allocation for Remote Administrative Sessions 1-21
Network Device Groups 1-22
Other Administration-Related Features 1-22
CiscoSecure ACS HTML Interface 1-23
About the Cisco Secure ACS HTML Interface 1-23
HTML Interface Security 1-24
HTML Interface Layout 1-25
Uniform Resource Locator for the HTML Interface 1-26
Network Environments and Remote Administrative Sessions 1-27
Remote Administrative Sessions and HTTP Proxy 1-27
Remote Administrative Sessions through Firewalls 1-28
Remote Administrative Sessions through a NAT Gateway 1-28
Accessing the HTML Interface 1-29
Logging Off the HTML Interface 1-29
Online Help and Online Documentation 1-30
Using Online Help 1-30
Using the Online Documentation 1-31
CHAPTER 2 Deploying Cisco Secure ACS 2-1
Basic Deployment Requirements for Cisco Secure ACS 2-2
System Requirements 2-2
Hardware Requirements 2-2
Operating System Requirements 2-2
Third-Party Software Requirements 2-3
Network Requirements 2-4
Basic Deployment Factors for Cisco Secure ACS 2-5
Network Topology 2-5
Dial-Up Topology 2-5
Wireless Network 2-8
Remote Access using VPN 2-11
Remote Access Policy 2-13
Security Policy 2-14
Administrative Access Policy 2-14
Separation of Administrative and General Users 2-16
Database 2-17
Number of Users 2-17
Type of Database 2-17
Network Latency and Reliability 2-18
Suggested Deployment Sequence 2-18
CHAPTER 3 Setting Up the CiscoSecure ACS HTML Interface 3-1
Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3
Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-10
Setting Protocol Configuration Options for IETF RADIUS Attributes 3-15
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes 3-16
CHAPTER 4 Setting Up and Managing Network Configuration 4-1
About Network Configuration 4-2
About Distributed Systems 4-3
AAA Servers in Distributed Systems 4-3
Default Distributed System Settings 4-4
Proxy in Distributed Systems 4-4
Fallback on Failed Connection 4-6
Character String 4-6
Stripping 4-6
Proxy in an Enterprise 4-7
Remote Use of Accounting Packets 4-7
Other Features Enabled by System Distribution 4-8
Network Device Searches 4-8
Network Device Search Criteria 4-9
Searching for Network Devices 4-10
AAA Client Configuration 4-11
AAA Client Configuration Options 4-11
Adding a AAA Client 4-15
Editing a AAA Client 4-18
Deleting a AAA Client 4-19
AAA Server Configuration 4-20
AAA Server Configuration Options 4-21
Adding a AAA Server 4-23
Editing a AAA Server 4-25
Deleting a AAA Server 4-27
Network Device Group Configuration 4-27
Adding a Network Device Group 4-28
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-29
Reassigning a AAA Client or AAA Server to an NDG 4-30
Renaming a Network Device Group 4-31
Deleting a Network Device Group 4-31
Proxy Distribution Table Configuration 4-32
About the Proxy Distribution Table 4-32
Adding a New Proxy Distribution Table Entry 4-33
Sorting the Character String Match Order of Distribution Entries 4-35
Editing a Proxy Distribution Table Entry 4-35
Deleting a Proxy Distribution Table Entry 4-36
CHAPTER 5 Setting Up and Managing Shared Profile Components 5-1
About Shared Profile Components 5-1
Downloadable PIX ACLs 5-2
About Downloadable PIX ACLs 5-2
Downloadable PIX ACL Configuration 5-4
Adding a Downloadable PIX ACL 5-4
Editing a Downloadable PIX ACL 5-5
Deleting a Downloadable PIX ACL 5-5
Network Access Restrictions 5-6
About Network Access Restrictions 5-6
Shared Network Access Restrictions Configuration 5-8
Adding a Shared Network Access Restriction 5-9
Editing a Shared Network Access Restriction 5-11
Deleting a Shared Network Access Restriction 5-13
Command Authorization Sets 5-13
About Command Authorization Sets 5-14
About Pattern Matching 5-15
Command Authorization Sets Configuration 5-16
Adding a Command Authorization Set 5-16
Editing a Command Authorization Set 5-19
Deleting a Command Authorization Set 5-20
CHAPTER 6 Setting Up and Managing User Groups 6-1
User Group Setup Features and Functions 6-2
Default Group 6-2
Group TACACS+ Settings 6-2
Common User Group Settings 6-3
Enabling VoIP Support for a User Group 6-4
Setting Default Time-of-Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-6
Setting Network Access Restrictions for a User Group 6-7
Setting Max Sessions for a User Group 6-11
Setting Usage Quotas for a User Group 6-13
Configuration-specific User Group Settings 6-15
Setting Token Card Settings for a User Group 6-16
Setting Enable Privilege Options for a User Group 6-18
Enabling Password Aging for the CiscoSecure User Database 6-20
Enabling Password Aging for Users in Windows Databases 6-25
Setting IP Address Assignment Method for a User Group 6-27
Assigning a Downloadable PIX ACL to a Group 6-28
Configuring TACACS+ Settings for a User Group 6-29
Configuring a Shell Command Authorization Set for a User Group 6-31
Configuring a PIX Command Authorization Set for a User Group 6-33
Configuring Device-Management Command Authorization for a User Group 6-35
Configuring IETF RADIUS Settings for a User Group 6-37
Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-38
Configuring Cisco Aironet RADIUS Settings for a User Group 6-39
Configuring Ascend RADIUS Settings for a User Group 6-41
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-42
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-43
Configuring Microsoft RADIUS Settings for a User Group 6-45
Configuring Nortel RADIUS Settings for a User Group 6-46
Configuring Juniper RADIUS Settings for a User Group 6-48
Configuring BBSM RADIUS Settings for a User Group 6-49
Configuring Custom RADIUS VSA Settings for a User Group 6-50
Group Setting Management 6-51
Listing Users in a User Group 6-52
Resetting Usage Quota Counters for a User Group 6-52
Renaming a User Group 6-53
Saving Changes to User Group Settings 6-53
CHAPTER 7 Setting Up and Managing User Accounts 7-1
User Setup Features and Functions 7-2
About User Databases 7-2
Basic User Setup Options 7-4
Adding a Basic User Account 7-5
Setting Supplementary User Information 7-7
Setting a Separate CHAP/MS-CHAP/ARAP Password 7-8
Assigning a User to a Group 7-9
Setting User Callback Option 7-10
Assigning a User to a Client IP Address 7-11
Setting Network Access Restrictions for a User 7-12
Setting Max Sessions Options for a User 7-16
Setting User Usage Quotas Options 7-18
Setting Options for User Account Disablement 7-20
Assigning a PIX ACL to a User 7-21
Advanced User Authentication Settings 7-22
TACACS+ Settings (User) 7-22
Configuring TACACS+ Settings for a User 7-23
Configuring a Shell Command Authorization Set for a User 7-25
Configuring a PIX Command Authorization Set for a User 7-28
Configuring Device Management Command Authorization for a User 7-30
Configuring the Unknown Service Setting for a User 7-32
Advanced TACACS+ Settings (User) 7-33
Setting Enable Privilege Options for a User 7-33
Setting TACACS+ Enable Password Options for a User 7-35
Setting TACACS+ Outbound Password for a User 7-36
RADIUS Attributes 7-37
Setting IETF RADIUS Parameters for a User 7-38
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-39
Setting Cisco Aironet RADIUS Parameters for a User 7-40
Setting Ascend RADIUS Parameters for a User 7-42
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-43
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-45
Setting Microsoft RADIUS Parameters for a User 7-46
Setting Nortel RADIUS Parameters for a User 7-48
Setting Juniper RADIUS Parameters for a User 7-49
Setting BBSM RADIUS Parameters for a User 7-51
Setting Custom RADIUS Attributes for a User 7-52
User Management 7-53
Listing All Users 7-54
Finding a User 7-54
Disabling a User Account 7-55
Deleting a User Account 7-56
Resetting User Session Quota Counters 7-57
Resetting a User Account after Login Failure 7-58
Saving User Settings 7-59
CHAPTER 8 Establishing Cisco Secure ACS System Configuration 8-1
Service Control 8-2
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Local Password Management 8-5
Configuring Local Password Management 8-7
CiscoSecure Database Replication 8-9
About CiscoSecure Database Replication 8-9
Replication Process 8-12
Replication Frequency 8-14
Important Implementation Considerations 8-15
Database Replication Versus Database Backup 8-16
Database Replication Logging 8-17
Replication Options 8-17
Replication Components Options 8-17
Outbound Replication Options 8-18
Inbound Replication Options 8-20
Implementing Primary and Secondary Replication Setups on CiscoSecure ACSes 8-20
Configuring a Secondary CiscoSecure ACS 8-21
Replicating Immediately 8-24
Scheduling Replication 8-26
Disabling CiscoSecure Database Replication 8-29
Database Replication Event Errors 8-29
RDBMS Synchronization 8-29
About RDBMS Synchronization 8-30
Users 8-31
User Groups 8-32
Network Configuration 8-32
Custom RADIUS Vendors and VSAs 8-33
RDBMS Synchronization Components 8-33
About CSDBSync 8-33
About the accountActions Table 8-34
CiscoSecure ACS Database Recovery Using the accountActions Table 8-36
Reports and Event (Error) Handling 8-37
Preparing to Use RDBMS Synchronization 8-37
Considerations for Using CSV-Based Synchronization 8-38
Preparing for CSV-Based Synchronization 8-39
Configuring a System Data Source Name for RDBMS Synchronization 8-40
RDBMS Synchronization Options 8-41
RDBMS Setup Options 8-41
Synchronization Scheduling Options 8-42
Synchronization Partners Options 8-42
Performing RDBMS Synchronization Immediately 8-43
Scheduling RDBMS Synchronization 8-44
Disabling Scheduled RDBMS Synchronizations 8-46
CiscoSecure ACS Backup 8-47
About Cisco Secure ACS Backup 8-47
Backup File Locations 8-48
Directory Management 8-48
Components Backed Up 8-48
Reports of Cisco Secure ACS Backups 8-49
Backup Options 8-49
Performing a Manual CiscoSecure ACS Backup 8-50
Scheduling Cisco Secure ACS Backups 8-50
Disabling Scheduled CiscoSecure ACS Backups 8-51
CiscoSecure ACS System Restore 8-52
About Cisco Secure ACS System Restore 8-52
Backup File Names and Locations 8-53
Components Restored 8-54
Reports of Cisco Secure ACS Restorations 8-54
Restoring Cisco Secure ACS from a Backup File 8-54
CiscoSecure ACS Active Service Management 8-55
System Monitoring 8-56
System Monitoring Options 8-56
Setting Up System Monitoring 8-57
Event Logging 8-58
Setting Up Event Logging 8-58
IP Pools Server 8-59
About IP Pools Server 8-60
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 8-61
Refreshing the AAA Server IP Pools Table 8-62
Adding a New IP Pool 8-63
Editing an IP Pool Definition 8-64
Resetting an IP Pool 8-65
Deleting an IP Pool 8-66
IP Pools Address Recovery 8-67
Enabling IP Pool Address Recovery 8-67
VoIP Accounting Configuration 8-68
Configuring VoIP Accounting 8-68
CiscoSecure ACS Certificate Setup 8-69
Background on Protocols and Certification 8-69
Digital Certificates 8-69
About the EAP-TLS Protocol 8-70
About the PEAP Protocol 8-72
Installing a CiscoSecure ACS Server Certificate 8-74
Adding a Certificate Authority Certificate 8-76
Editing the Certificate Trust List 8-77
Generating a Certificate Signing Request 8-78
Updating or Replacing a CiscoSecure ACS Certificate 8-80
Global Authentication Setup 8-81
Configuring Authentication Options 8-81
CHAPTER 9 Working with Logging and Reports 9-1
Logging Formats 9-1
Special Logging Attributes 9-2
Update Packets In Accounting Logs 9-4
About Cisco Secure ACS Logs and Reports 9-4
Accounting Logs 9-5
Dynamic Administration Reports 9-7
Viewing the Logged-in Users Report 9-8
Deleting Logged-in Users 9-9
Viewing the Disabled Accounts Report 9-10
CiscoSecure ACS System Logs 9-11
Configuring the Administration Audit Log 9-12
Working with CSV Logs 9-13
CSV Log File Names 9-13
CSV Log File Locations 9-13
Enabling or Disabling a CSV Log 9-14
Viewing a CSV Report 9-15
Configuring a CSV Log 9-16
Working with ODBC Logs 9-19
Preparing for ODBC Logging 9-19
Configuring a System Data Source Name for ODBC Logging 9-20
Configuring an ODBC Log 9-20
Remote Logging 9-23
About Remote Logging 9-23
Implementing Centralized Remote Logging 9-24
Remote Logging Options 9-25
Enabling and Configuring Remote Logging 9-26
Disabling Remote Logging 9-28
Service Logs 9-28
Services Logged 9-29
Configuring Service Logs 9-30
CHAPTER 10 Setting Up and Managing Administrators and Policy 10-1
Administrator Accounts 10-1
About Administrator Accounts 10-2
Administrator Privileges 10-3
Adding an Administrator Account 10-6
Editing an Administrator Account 10-8
Unlocking a Locked Out Administrator Account 10-10
Deleting an Administrator Account 10-11
Access Policy 10-11
Access Policy Options 10-12
Setting Up Access Policy 10-14
Session Policy 10-16
Session Policy Options 10-16
Setting Up Session Policy 10-17
Audit Policy 10-18
CHAPTER 11 Working with User Databases 11-1
CiscoSecure User Database 11-2
About the CiscoSecure User Database 11-2
User Import and Creation 11-3
About External User Databases 11-4
Authenticating with External User Databases 11-5
External User Database Authentication Process 11-6
Windows NT/2000 User Database 11-7
What’s Supported with Windows NT/2000 User Databases 11-8
The CiscoSecure ACS Authentication Process with Windows NT/2000 User Databases 11-9
Trust Relationships 11-9
Windows Dial-up Networking Clients 11-10
Windows Dial-up Networking Clients with a Domain Field 11-10
Windows Dial-up Networking Clients without a Domain Field 11-11
Windows Authentication 11-11
User-Changeable Passwords with Windows NT/2000 User Databases 11-13
Preparing Users for Authenticating with Windows NT/2000 11-14
Configuring a Windows NT/2000 External User Database 11-14
Generic LDAP 11-16
CiscoSecure ACS Authentication Process with a Generic LDAP User Database 11-17
Multiple LDAP Instances 11-17
LDAP Organizational Units and Groups 11-18
Domain Filtering 11-18
LDAP Failover 11-20
Successful Previous Authentication with the Primary LDAP Server 11-21
Unsuccessful Previous Authentication with the Primary LDAP Server 11-21
LDAP Configuration Options 11-22
Configuring a Generic LDAP External User Database 11-28
Novell NDS Database 11-33
About Novell NDS User Databases 11-34
User Contexts 11-35
Novell NDS External User Database Options 11-36
Configuring a Novell NDS External User Database 11-37
ODBC Database 11-39
What is Supported with ODBC User Databases 11-40
Cisco Secure ACS Authentication Process with an ODBC External User Database 11-41
Preparing to Authenticate Users with an ODBC-Compliant Relational Database 11-42
Implementation of Stored Procedures for ODBC Authentication 11-43
Type Definitions 11-44
Microsoft SQL Server and Case-Sensitive Passwords 11-44
Sample Routine for Generating a PAP Authentication SQL Procedure 11-45
Sample Routine for Generating an SQL CHAP Authentication Procedure 11-46
PAP Authentication Procedure Input 11-46
PAP Procedure Output 11-47
CHAP/MS-CHAP/ARAP Authentication Procedure Input 11-48
CHAP/MS-CHAP/ARAP Procedure Output 11-48
Result Codes 11-49
Configuring a System Data Source Name for an ODBC External User Database 11-50
Configuring an ODBC External User Database 11-51
LEAP Proxy RADIUS Server Database 11-54
Configuring a LEAP Proxy RADIUS Server External User Database 11-55
Token Server User Databases 11-57
About Token Servers and CiscoSecure ACS 11-57
Token Servers and ISDN 11-58
RADIUS-Enabled Token Servers 11-59
About RADIUS-Enabled Token Servers 11-59
Token Server RADIUS Authentication Request and Response Contents 11-60
Configuring a RADIUS Token Server External User Database 11-60
RSA SecurID Token Servers 11-64
Configuring an RSA SecurID Token Server External User Database 11-65
Deleting an External User Database Configuration 11-66
CHAPTER 12 Administering External User Databases 12-1
Unknown User Processing 12-1
Known, Unknown, and Discovered Users 12-2
General Authentication Request Handling and Rejection Mode 12-3
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database 12-4
Windows Authentication with a Domain Specified 12-5
Windows Authentication with Domain Omitted 12-6
Performance of Unknown User Authentication 12-7
Added Latency 12-7
Authentication Timeout Value on AAA clients 12-7
Network Access Authorization 12-8
Unknown User Policy 12-8
Database Search Order 12-9
Configuring the Unknown User Policy 12-9
Turning off External User Database Authentication 12-11
Database Group Mappings 12-11
Group Mapping by External User Database 12-12
Creating a CiscoSecure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 12-13
Group Mapping by Group Set Membership 12-14
Group Mapping Order 12-15
No Access Group for Group Set Mappings 12-15
Default Group Mapping for Windows NT/2000 12-16
Creating a CiscoSecure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups 12-16
Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-18
Deleting a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-20
Deleting a Windows NT/2000 Domain Group Mapping Configuration 12-20
Changing Group Set Mapping Order 12-21
RADIUS-Based Group Specification 12-22
APPENDIX A Troubleshooting Information for CiscoSecure ACS A-1
Administration Issues A-2
Browser Issues A-3
Cisco IOS Issues A-3
Database Issues A-5
Dial-in Connection Issues A-6
Debug Issues A-10
Proxy Issues A-11
Installation and Upgrade Issues A-11
MaxSessions Issues A-12
Report Issues A-12
Third-Party Server Issues A-13
PIX Firewall Issues A-13
User Authentication Issues A-14
TACACS+ and RADIUS Attribute Issues A-16
APPENDIX B TACACS+ Attribute-Value Pairs B-1
Cisco IOS AV Pair Dictionary B-1
TACACS+ AV Pairs B-2
TACACS+ Accounting AV Pairs B-4
APPENDIX C RADIUS Attributes C-1
Cisco IOS Dictionary of RADIUS AV Pairs C-2
Cisco IOS/PIX Dictionary of RADIUS VSAs C-5
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs C-7
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs C-11
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA C-12
IETF Dictionary of RADIUS AV Pairs C-12
Microsoft MPPE Dictionary of RADIUS VSAs C-27
Ascend Dictionary of RADIUS AV Pairs C-30
Nortel Dictionary of RADIUS VSAs C-42
Juniper Dictionary of RADIUS VSAs C-43
APPENDIX D CiscoSecure ACS Command-Line Database Utility D-1
Location of CSUtil.exe and Related Files D-2
CSUtil.exe Syntax D-2
CSUtil.exe Options D-3
Backing Up Cisco Secure ACS with CSUtil.exe D-4
Restoring Cisco Secure ACS with CSUtil.exe D-5
Creating a CiscoSecure User Database D-7
Creating a Cisco Secure ACS Database Dump File D-8
Loading the Cisco Secure ACS Database from a Dump File D-9
Compacting the CiscoSecure User Database D-11
User and AAA Client Import Option D-13
Importing User and AAA Client Information D-13
User and AAA Client Import File Format D-15
About User and AAA Client Import File Format D-15
ONLINE or OFFLINE Statement D-15
ADD Statements D-16
UPDATE Statements D-18
DELETE Statements D-20
ADD_NAS Statements D-21
DEL_NAS Statements D-22
Import File Example D-23
Exporting User List to a Text File D-23
Exporting Group Information to a Text File D-24
Exporting Registry Information to a Text File D-25
Decoding Error Numbers D-26
Recalculating CRC Values D-27
User-Defined RADIUS Vendors and VSA Sets D-27
About User-Defined RADIUS Vendors and VSA Sets D-28
Adding a Custom RADIUS Vendor and VSA Set D-28
Deleting a Custom RADIUS Vendor and VSA Set D-30
Listing Custom RADIUS Vendors D-31
Exporting Custom RADIUS Vendor and VSA Sets D-32
RADIUS Vendor/VSA Import File D-33
About the RADIUS Vendor/VSA Import File D-33
Vendor and VSA Set Definition D-34
Attribute Definition D-35
Enumeration Definition D-37
Example RADIUS Vendor/VSA Import File D-38
APPENDIX E Cisco Secure ACS and Virtual Private Dial-up Networks E-1
VPDN Process E-1
APPENDIX F RDBMS Synchronization Import Definitions F-1
accountActions Specification F-1
accountActions Format F-2
accountActions Mandatory Fields F-3
accountActions Processing Order F-4
Action Codes F-4
Action Codes for Setting and Deleting Values F-5
Action Codes for Creating and Modifying User Accounts F-7
Action Codes for Initializing and Modifying Access Filters F-15
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings F-19
Action Codes for Modifying Network Configuration F-25
CiscoSecure ACS Attributes and Action Codes F-33
User-Specific Attributes F-33
User-Defined Attributes F-35
Group-Specific Attributes F-36
An Example of accountActions F-37
APPENDIX G CiscoSecure ACS Internal Architecture G-1
Windows 2000 Services G-1
Windows 2000 Registry G-2
CSAdmin G-2
CSAuth G-3
CSDBSync G-4
CSLog G-4
CSMon G-4
Monitoring G-5
Recording G-6
Notification G-7
Response G-7
CSTacacs and CSRadius G-8
INDEX
Preface
This section discusses the objectives, audience, and organization of the Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 User Guide.
Document Objective
This document will help you configure and use Cisco Secure ACS and its features and utilities.
Audience
This publication is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.
Organization
The Cisco Secure ACS user guide is organized into the following chapters:
Chapter 1, Overview of Cisco Secure ACS. An overview of Cisco Secure ACS and its features, network diagrams, and system requirements.
Chapter 2, Deploying Cisco Secure ACS. A guide to deploying Cisco Secure ACS that includes requirements, options, trade-offs, and suggested sequences.
Chapter 3, Setting Up the Cisco Secure ACS HTML Interface. Concepts and procedures regarding how to use the Interface Configuration section of Cisco Secure ACS to configure the user interface.
Chapter 4, Setting Up and Managing Network Configuration. Concepts and procedures for establishing Cisco Secure ACS network configuration and building a distributed system.
Chapter 5, Setting Up and Managing Shared Profile Components. Concepts and procedures regarding Cisco Secure ACS shared profile components: network access restrictions and device command sets.
Chapter 6, Setting Up and Managing User Groups. Concepts and procedures for establishing and maintaining Cisco Secure ACS user groups.
Chapter 7, Setting Up and Managing User Accounts. Concepts and procedures for establishing and maintaining Cisco Secure ACS user accounts.
Chapter 8, Establishing Cisco Secure ACS System Configuration. Concepts and procedures regarding the System Configuration section of Cisco Secure ACS.
Chapter 9, Working with Logging and Reports. Concepts and procedures regarding Cisco Secure ACS logging and reports.
Chapter 10, Setting Up and Managing Administrators and Policy. Concepts and procedures for establishing and maintaining Cisco Secure ACS administrators.
Chapter 11, Working with User Databases. Concepts and procedures for establishing user databases.
Chapter 12, Administering External User Databases. Concepts and procedures for administering and maintaining user databases external to Cisco Secure ACS.
This guide also comprises the following appendixes:
Appendix A, Troubleshooting Information for Cisco Secure ACS. How to identify and solve certain problems you might have with Cisco Secure ACS.
Appendix B, TACACS+ Attribute-Value Pairs. A list of supported TACACS+ AV pairs and accounting AV pairs.
Appendix C, RADIUS Attributes. A list of supported RADIUS AV pairs and accounting AV pairs.
Appendix D, Cisco Secure ACS Command-Line Database Utility. Instructions for using the database import utility, CSUtil, to import an ODBC database, and back up, maintain, or restore the Cisco Secure ACS database.
Appendix E, Cisco Secure ACS and Virtual Private Dial-up Networks. An introduction to Virtual Private Dial-up Networks (VPDN), including stripping and tunneling, with instructions for enabling VPDN on Cisco Secure ACS.
Appendix F, RDBMS Synchronization Import Definitions. A list of import definitions, for use with the RDBMS Synchronization feature.
Appendix G, Cisco Secure ACS Internal Architecture. A description of Cisco Secure ACS architectural components.
Conventions
This guide uses the following typographical conventions:
Table 1 Typographic Conventions
Convention    Meaning
Italics       Introduces new or important terminology and variable input for commands.
Script        Denotes paths, file names, and example screen output. Also denotes Secure Script translations of security policy decision trees.
Bold          Identifies special terminology and options that should be selected during procedures.
Tip           Means the following information will help you solve a problem. The tip information might not be troubleshooting or even an action, but could be useful information.
Note          Means reader take note. Notes contain helpful suggestions or references to materials not covered in the manual.
Caution       Means reader be careful. In this situation, you might do something that could result in equipment damage, loss of data, or a breach in your network security.
Warning       Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translated versions of the warning, refer to the Regulatory Compliance and Safety document that accompanied the device.
Related Documentation
Included in the Cisco Secure ACS HTML interface are two sources of information:
Online Help contains information for each associated page in the Cisco Secure ACS HTML interface.
Online Documentation is a complete copy of the User Guide for Cisco Secure ACS for Windows Server.
We recommend that you read Release Notes for Cisco Secure ACS for Windows Server Version 3.1. While a printed copy of this document comes with Cisco Secure ACS, check Cisco.com for the most recent version. You should also read the README.TXT file for additional important information.
Cisco Secure ACS includes an installation guide, Installation Guide for Cisco Secure ACS for Windows Server, to help you install the software efficiently and correctly. Installation and User Guide for Cisco Secure ACS User-Changeable Passwords contains information on installing and configuring the optional user-changeable password feature.
You can find other product literature, including white papers, data sheets, and product bulletins, at
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml.
You should refer to the documentation that came with your AAA clients for more information about those products. You might also want to consult the Cisco Systems publication Cisco Systems’ Internetworking Terms and Acronyms.
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com
Translated documentation is available at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387)
Documentation Feedback
You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the “Leave Feedback” section at the bottom of the page.
You can e-mail your comments to bug-doc@cisco.com. You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems, Inc.
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certificate programs
If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:
http://www.cisco.com
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://www.cisco.com/register/
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
CHAPTER 1
Overview of Cisco Secure ACS
This chapter provides an overview of Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1. It contains the following sections:
The Cisco Secure ACS Paradigm, page 1-1
Cisco Secure ACS Specifications, page 1-2
AAA Server Functions and Concepts, page 1-5
Cisco Secure ACS HTML Interface, page 1-23
The Cisco Secure ACS Paradigm
Cisco Secure ACS provides authentication, authorization, and accounting (AAA, pronounced “triple A”) services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. The AAA client in Figure 1-1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.
Figure 1-1 A Simple AAA Scenario
[Figure: an end-user client connects to a AAA client, which consults the Cisco Secure Access Control Server, which optionally consults an external user database.]
Cisco Secure ACS centralizes access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in Figure 1-1 is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories.
Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party devices that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see AAA Protocols—TACACS+ and RADIUS, page 1-6.
Cisco Secure ACS Specifications
This section provides information about Cisco Secure ACS performance specifications and the Windows services that compose Cisco Secure ACS.
System Performance Specifications
The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is using its internal user database and running on a 2.1-GHz Pentium IV server on a 1 GB Ethernet backbone than it can if it is using an external user database and running on a 550-MHz Pentium III server on a 10 MB LAN.
For more information about the expected performance of Cisco Secure ACS in your network setting, contact your Cisco sales representative. The following items are general answers to common system performance questions. The performance of Cisco Secure ACS in your network depends on your specific environment and AAA requirements.
Maximum users supported by the CiscoSecure user database—There is no theoretical limit to the number of users the CiscoSecure user database can support. We have successfully tested Cisco Secure ACS with databases in excess of 100,000 users. The practical limit for a single Cisco Secure ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated Cisco Secure ACS servers.
Transactions per second—Authentication and authorization transactions per second is dependent on many factors, most of which are external to Cisco Secure ACS. For example, high network latency in communication with an external user database lowers the transactions per second that Cisco Secure ACS can perform.
Maximum number of AAA clients supported—Cisco Secure ACS can support AAA services for approximately 5000 AAA client configurations. This limitation is primarily a limitation of the Cisco Secure ACS HTML interface. Performance of the HTML interface degrades when Cisco Secure ACS has more than approximately 5000 AAA client configurations. However, a AAA client configuration in Cisco Secure ACS can represent more than one physical network device, provided that the network devices use the same AAA protocol and use the same shared secret. If you make use of this ability, the number of actual AAA clients supported approaches 20,000.
If your network has several thousand AAA clients, we recommend using multiple Cisco Secure ACSes and assigning no more than 5000 AAA clients to each Cisco Secure ACS. For example, if you have 20,000 AAA clients, you could use four Cisco Secure ACSes and divide the AAA client load among them so that no single Cisco Secure ACS manages more than 5000 AAA client configurations. If you use replication to propagate configuration data among Cisco Secure ACSes, limit replication of AAA client data to Cisco Secure ACSes that serve the same set of AAA clients.
Cisco Secure ACS Windows Services
Cisco Secure ACS operates as a set of Windows 2000 services and controls the authentication, authorization, and accounting of users accessing networks.
When you install Cisco Secure ACS on your server, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. For a full discussion of each service, see Appendix G, “Cisco Secure ACS Internal Architecture.” The Cisco Secure ACS services on your Cisco Secure ACS server include the following:
CSAdmin—Provides the HTML interface for administration of Cisco Secure ACS.
CSAuth—Provides authentication services.
CSDBSync—Provides synchronization of the CiscoSecure user database with an external RDBMS application.
CSLog—Provides logging services, both for accounting and system activity.
CSMon—Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
CSTacacs—Provides communication between TACACS+ AAA clients and the CSAuth service.
CSRadius—Provides communication between RADIUS AAA clients and the CSAuth service.
Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS HTML interface. For information about stopping and starting Cisco Secure ACS services, see Service Control, page 8-2.
AAA Server Functions and Concepts
Cisco Secure ACS is a AAA server, providing authentication, authorization, and accounting services to network devices that can act as AAA clients.
As a AAA server, Cisco Secure ACS incorporates many technologies to render AAA services to AAA clients. Understanding Cisco Secure ACS requires knowledge of many of these technologies. To address the most significant aspects, this section contains the following topics:
Cisco Secure ACS and the AAA Client, page 1-5
AAA Protocols—TACACS+ and RADIUS, page 1-6
Authentication, page 1-7
Authorization, page 1-15
Accounting, page 1-20
Administration, page 1-21
Cisco Secure ACS and the AAA Client
A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server. AAA clients must be configured to direct all end-user client access requests to Cisco Secure ACS for authentication of users and authorization of service requests. Using the TACACS+ or RADIUS protocol, the AAA client sends authentication requests to Cisco Secure ACS. Cisco Secure ACS verifies the username and password using the user databases it is configured to query. Cisco Secure ACS returns a success or failure response to the AAA client, which permits or denies user access, based on the response it receives. When the user authenticates successfully, Cisco Secure ACS sends a set of authorization attributes to the AAA client. The AAA client then begins forwarding accounting information to Cisco Secure ACS.
When the user has successfully authenticated, a set of session attributes can be sent to the AAA client to provide additional security and control of privileges, otherwise known as authorization. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet). More recently, networking vendors are expanding the use of the attribute sets returned to cover an increasingly wider aspect of user session provisioning.
AAA Protocols—TACACS+ and RADIUS
Cisco Secure ACS can use both the TACACS+ and RADIUS AAA protocols.
Table 1-1 compares the two protocols.
Table 1-1 TACACS+ and RADIUS Protocol Comparison
| Point of Comparison | TACACS+ | RADIUS |
|---|---|---|
| Transmission Protocol | TCP—connection-oriented transport layer protocol, reliable full-duplex data transmission | UDP—connectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery |
| Ports Used | 49 | Authentication and Authorization: 1645 and 1812; Accounting: 1646 and 1813 |
| Encryption | Full packet encryption | Encrypts only passwords up to 16 bytes |
| AAA Architecture | Separate control of each service: authentication, authorization, and accounting | Authentication and authorization combined as one service |
| Intended Purpose | Device management | User access control |
TACACS+
Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. For more information, refer to the Cisco IOS software documentation or Cisco.com (http://www.cisco.com).
RADIUS
Cisco Secure ACS conforms to the RADIUS protocol as defined in draft April 1997 and in the following Requests for Comments (RFCs):
RFC 2138, Remote Authentication Dial In User Service
RFC 2139, RADIUS Accounting
RFC 2865
RFC 2866
RFC 2867
RFC 2868
The ports used for authentication and accounting have changed in RADIUS RFC documents. To support both the older and newer RFCs, Cisco Secure ACS accepts authentication requests on port 1645 and port 1812. For accounting, Cisco Secure ACS accepts accounting packets on port 1646 and 1813.
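Table 1-1 states that TACACS+ encrypts the full packet while RADIUS hides only the password, and the AAA client section earlier in this chapter describes the request and response exchange. The following Python example, added here and not part of the Cisco guide or product, builds a RADIUS Access-Request and Access-Accept (RFC 2865 User-Password hiding and the Response Authenticator the AAA client checks), applies the TACACS+ body pad (an MD5 chain over session id, key, version and sequence number, as in the TACACS+ draft) to an authentication START body, and reports which fields a capture of each would expose. The shared secret, username, password and session id are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for the demonstration; none come from the product.
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"alice"
PASSWORD = b"correct horse battery"   # 21 bytes: spans two 16-byte RADIUS blocks

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2     # RADIUS attribute types
ATTR_FRAMED_IP_ADDRESS = 8                    # an authorization attribute for the Accept


def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    target = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(target, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same operation; chains on the received cipher blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # passwords never contain NUL, so strip the padding


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, req_auth: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    attrs = radius_attr(ATTR_USER_NAME, USERNAME) + radius_attr(
        ATTR_USER_PASSWORD, radius_hide_password(PASSWORD, secret, req_auth))
    return radius_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def build_access_accept(ident: int, req_auth: bytes, attrs: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_access_accept(packet: bytes, req_auth: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """The AAA client checks that the reply came from a holder of the shared secret."""
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id + key + version + seq_no); MD5_n appends MD5_(n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: bytes, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the whole packet body with the pad; calling it again restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def wire_visibility(req_auth: bytes = b"") -> dict:
    """Which plaintext fields a capture of each protocol's authentication request exposes."""
    req_auth = req_auth or os.urandom(16)
    radius_req = build_access_request(7, req_auth)
    # TACACS+ authentication START body: action LOGIN, priv_lvl 1, authen_type ASCII,
    # service LOGIN, then the user/port/rem_addr/data length bytes and the user field.
    tacacs_body = bytes([1, 1, 1, 1, len(USERNAME), 0, 0, 0]) + USERNAME
    tacacs_payload = tacacs_obfuscate(tacacs_body, b"\x12\x34\x56\x78", SHARED_SECRET)
    return {
        "radius_username_in_clear": USERNAME in radius_req,
        "radius_password_in_clear": PASSWORD in radius_req,
        "tacacs_username_in_clear": USERNAME in tacacs_payload,
    }


if __name__ == "__main__":
    print(wire_visibility())
```

Run stand-alone, it prints that the RADIUS User-Name is readable in a capture while User-Password and the whole TACACS+ body are not, which is the practical content of the Encryption row. Both protections depend entirely on the shared secret configured on the AAA client and on Cisco Secure ACS, and, as the Authentication Considerations section notes, they cover only the hop between those two parties.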
In addition to support for standard IETF RADIUS attributes, Cisco Secure ACS includes support for RADIUS vendor-specific attributes (VSAs). We have predefined the following RADIUS VSAs in Cisco Secure ACS:
Cisco IOS/PIX
Cisco VPN 3000
Cisco VPN 5000
Ascend
Juniper
Microsoft
Nortel
Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define. After you define a new RADIUS VSA, you can use it as you would one of the RADIUS VSAs that come predefined in Cisco Secure ACS. In the Network Configuration section of the Cisco Secure ACS HTML interface, you can configure a AAA client to use a user-defined RADIUS VSA as its AAA protocol. In Interface Configuration, you can enable user-level and group-level attributes for user-defined RADIUS VSAs. In User Setup and Group Setup, you can configure the values for enabled attributes of a user-defined RADIUS VSA.
For more information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 8-33.
Authentication
Authentication determines user identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use technologies such as CHAP and one-time passwords (OTPs). Cisco Secure ACS supports a variety of these authentication methods.
There is a fundamental implicit relationship between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. Cisco Secure ACS supports this relationship by providing various methods of authentication.
Authentication Considerations
Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.
To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate only between the AAA client and the access control server. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords, such as the communication between an end-user client dialing up over a phone line or an ISDN line terminating at a network access server, or over a Telnet session between an end-user client and the hosting device.
Network administrators who offer increased levels of security services, and corporations that want to lessen the chance of intruder access resulting from password capturing, can use an OTP. Cisco Secure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node login. Token cards are considered one of the strongest OTP authentication mechanisms.
Authentication and User Databases
Cisco Secure ACS supports a variety of user databases. It supports the CiscoSecure user database and several external user databases, including the following:
Windows NT/2000 User Database
Generic LDAP
Novell NetWare Directory Services (NDS)
Open Database Connectivity (ODBC)-compliant relational databases
CRYPTOCard token server
SafeWord token server
PassGo token server
RSA SecureID token server
ActivCard token server
Vasco token server
In addition to the token servers listed above, Cisco Secure ACS supports any token server that provides a RADIUS server interface. For more information about token server support, see Token Server User Databases, page 11-57.
Authentication Protocol-Database Compatibility
The various password protocols supported by Cisco Secure ACS for authentication are supported unevenly by the various databases supported by Cisco Secure ACS. Table 1-2 on page 1-9 provides a reference of the password protocols supported by the various databases. For more information about the password protocols supported by Cisco Secure ACS, see Passwords, page 1-10.
Table 1-2 Authentication Protocol and User Database Compatibility
| Database | ASCII | PAP | CHAP | ARAP | MS-CHAP v.1 | MS-CHAP v.2 | LEAP | EAP-MD5 | EAP-TLS | PEAP (EAP-GTC) |
|---|---|---|---|---|---|---|---|---|---|---|
| Cisco Secure ACS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Windows SAM | Yes | Yes | No | No | Yes | Yes | Yes | No | No | Yes |
| Windows AD | Yes | Yes | No | No | Yes | Yes | Yes | No | Yes | Yes |
| LDAP | Yes | Yes | No | No | No | No | No | No | Yes | Yes |
| Novell NDS | Yes | Yes | No | No | No | No | No | No | No | Yes |
| ODBC | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| LEAP Proxy RADIUS Server | Yes | Yes | No | No | Yes | Yes | Yes | No | No | No |
| RSA | Yes | Yes | No | No | No | No | No | No | No | Yes |
| ActivCard | Yes | Yes | No | No | No | No | No | No | No | Yes |
| CRYPTOCard | Yes | Yes | No | No | No | No | No | No | No | Yes |
| PassGo | Yes | Yes | No | No | No | No | No | No | No | Yes |
| Safeword | Yes | Yes | No | No | No | No | No | No | No | Yes |
| Vasco | Yes | Yes | No | No | No | No | No | No | No | Yes |
| RADIUS Token Server | Yes | Yes | No | No | No | No | No | No | No | Yes |
Passwords
Cisco Secure ACS supports many common password protocols:
ASCII/PAP
CHAP
MS-CHAP
LEAP
EAP-MD5
EAP-TLS
PEAP(EAP-GTC)
ARAP
Passwords can be processed using these password authentication protocols based on the version and type of security control protocol used (for example, RADIUS or TACACS+) and the configuration of the AAA client and end-user client. The following sections outline the different conditions and functions of password handling.
In the case of token servers, Cisco Secure ACS acts as a client to the token server, using either its proprietary API or its RADIUS interface, depending on the token server. For more information, see About Token Servers and Cisco Secure ACS, page 11-57.
Different levels of security can be concurrently used with Cisco Secure ACS for different requirements. The basic user-to-network security level is PAP. Although it represents the unencrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once. CHAP allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client. You can use CHAP with the CiscoSecure user database. ARAP support is included to support Apple clients.
Comparing PAP, CHAP, and ARAP
PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.
PAP—Uses clear-text passwords (that is, unencrypted passwords) and is the least sophisticated authentication protocol. If you are using the Windows NT/2000 user database to authenticate users, you must use PAP password encryption or MS-CHAP.
CHAP—Uses a challenge-response mechanism with one-way encryption on the response. CHAP enables Cisco Secure ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the CiscoSecure user database for authentication, you can use either PAP or CHAP. CHAP does not work with the Windows NT/2000 user database.
ARAP—Uses a two-way challenge-response mechanism. The AAA client challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.
MS-CHAP
Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP and standard CHAP are the following:
The MS-CHAP Response packet is in a format compatible with Microsoft Windows NT/2000, Windows 95/98/ME/XP, and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
MS-CHAP provides an authentication-retry mechanism controlled by the authenticator.
MS-CHAP provides additional failure codes in the Failure packet Message field.
For more information on MS-CHAP, refer to RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.
EAP Support
The Extensible Authentication Protocol (EAP), based on the IETF 802.1x, is an end-to-end framework that allows the creation of authentication types without the necessity of changing the implementation of the AAA clients. For more information about EAP, go to PPP Extensible Authentication Protocol (EAP) RFC 2284.
Cisco Secure ACS supports the following varieties of EAP:
EAP-MD5—An EAP protocol that does not support mutual authentication.
EAP-TLS—EAP incorporating Transport Layer Security. For more information, see EAP-TLS Deployment Guide for Wireless LAN Networks and About the EAP-TLS Protocol, page 8-70.
LEAP—A Network-EAP protocol that supports mutual authentication.
PEAP—Protected EAP, which is implemented with EAP-Generic Token Card (GTC). For more information, see About the PEAP Protocol, page 8-72.
The architecture of Cisco Secure ACS is extensible with regard to EAP; additional varieties of EAP will be supported as those protocols mature.
Basic Password Configurations
There are several basic password configurations:
Note These configurations are all classed as inbound authentication.
Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the most convenient method for both the administrator when setting up accounts and the user when obtaining authentication. However, because the CHAP password is the same as the PAP password, and the PAP password is transmitted in clear text during an ASCII/PAP login, there is the chance that the CHAP password can be compromised.
Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a higher level of security, users can be given two separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password can remain secure.
External user database authentication—For authentication by an external user database, the user does not need a password stored in the CiscoSecure user database. Instead, Cisco Secure ACS records which external user database it should query to authenticate the user.
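The CHAP description under “Comparing PAP, CHAP, and ARAP” and the single-password versus separate-passwords choice above are modelled in the following Python example, added here and not part of the Cisco guide or product. It encodes a PAP Authenticate-Request and a CHAP response as RFC 1334 and RFC 1994 define them, shows that the CHAP authenticator must itself hold the secret to verify a response (the reason CHAP cannot be checked against a one-way hash store such as the Windows SAM), and checks, for each password configuration, whether a password observed in a PAP login would also satisfy a fresh CHAP challenge. The usernames, passwords and challenge values are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; none come from the product or the guide.
USERNAME = b"alice"


def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """PAP (RFC 1334): the Peer-ID and Password fields travel as plain text."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


def pap_parse(packet: bytes) -> tuple:
    """Anything that sees the link can read the PAP fields straight back out."""
    ulen = packet[0]
    plen = packet[1 + ulen]
    return packet[1:1 + ulen], packet[2 + ulen:2 + ulen + plen]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    Only this hash crosses the link, so a capture does not reveal the secret."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(stored_secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the hash, which is why it must hold the secret in
    clear (or reversibly encrypted); a one-way hash store cannot perform this step."""
    return hmac.compare_digest(chap_response(ident, stored_secret, challenge), response)


def observed_pap_password_passes_chap(pap_password: bytes, chap_password: bytes) -> bool:
    """Model the risk the guide describes: a PAP login is observed on the link, and the
    observed value is later offered in answer to a fresh CHAP challenge.
    Returns True when the authenticator would accept that answer."""
    _, observed = pap_parse(pap_authenticate_request(USERNAME, pap_password))
    ident, challenge = 0x2A, os.urandom(16)
    return chap_verify(chap_password, ident, challenge, chap_response(ident, observed, challenge))


def compare_password_configurations() -> dict:
    """Single shared password versus separate ASCII/PAP and CHAP passwords."""
    shared = b"one-password-for-both"
    return {
        "single_password": observed_pap_password_passes_chap(shared, shared),
        "separate_passwords": observed_pap_password_passes_chap(b"pap-only-password", b"chap-only-secret"),
    }


if __name__ == "__main__":
    print(compare_password_configurations())
```

With a single password the exposed PAP value answers every later CHAP challenge, so the CHAP protection is only as strong as the weakest protocol the user ever logs in with; with separate passwords the CHAP secret is never on the wire in clear. This is the same reasoning behind the guide's later advice to give users a distinct SENDAUTH password so that inbound passwords are never handed out.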
Advanced Password Configurations
Cisco Secure ACS supports the following advanced password configurations:
Inbound passwords—Passwords used by most Cisco Secure ACS users. These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure user database and are not usually given up to an external source if an outbound password has been configured.
Outbound passwords—The TACACS+ protocol supports outbound passwords that can be used, for example, when a AAA client has to be authenticated by another AAA client and end-user client. Passwords from the CiscoSecure user database are then sent back to the second AAA client and end-user client.
Token caching—When token caching is enabled, ISDN users can connect (for a limited time) a second B Channel using the same OTP entered during original authentication. For greater security, the B-Channel authentication request from the AAA client should include the OTP in the username value (for example, Fredpassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the configuration the user employs.
The TACACS+ SENDAUTH feature enables a AAA client to authenticate itself to another AAA client or an end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is given out. By default, the ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, we recommend that a separate SENDAUTH password be configured for the user so that Cisco Secure ACS inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security, we recommend that you configure users in the CiscoSecure user database with an outbound password that is different from the inbound password.
Password Aging
With Cisco Secure ACS you can choose whether and how you want to employ password aging. Control for password aging may reside either in the CiscoSecure user database or in a Windows NT/2000 user database. Each password aging mechanism differs as to requirements and setting configurations.
The password aging feature controlled by the CiscoSecure user database enables you to force users to change their passwords under any of the following conditions:
After a specified number of days.
After a specified number of logins.
The first time a new user logs in.
For information on the requirements and configuration of the password aging feature controlled by the CiscoSecure user database, see Enabling Password Aging for the Cisco Secure User Database, page 6-20.
The Windows NT/2000-based password aging feature enables you to control the following password aging parameters:
Maximum password age in days.
Minimum password age in days.
The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000 and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). For information on the requirements and configuration of the Windows-based password aging feature, see Enabling Password Aging for Users in Windows Databases, page 6-25.
User-Changeable Passwords
With Cisco Secure ACS, you can install a separate program that enables users to change their passwords by using a web-based utility. For more information about installing user-changeable passwords, see the Installation and User Guide for Cisco Secure ACS User-Changeable Passwords.
Other Authentication-Related Features
In addition to the authentication-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Authentication of unknown users with external user databases (see Unknown User Processing, page 12-1).
Microsoft Windows Callback feature (see Setting User Callback Option, page 7-10).
Ability to configure user accounts, including passwords, using an external data source (see About RDBMS Synchronization, page 8-30).
Ability for external users to authenticate via an enable password (see Setting TACACS+ Enable Password Options for a User, page 7-35).
Proxy of authentication requests to other AAA servers (see Proxy in Distributed Systems, page 4-4).
Configurable character string stripping from proxied authentication requests (see Stripping, page 4-6).
Authorization
Authorization determines what a user is allowed to do. Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.
The Cisco Secure ACS access restrictions feature enables you to permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 A.M. to 5 P.M.
You can restrict users to a service or combination of services such as PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).
One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.
Max Sessions
Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:
User Max Sessions—For example, an Internet service provider can limit each account holder to a single session.
Group Max Sessions—For example, an enterprise administrator can allow the remote access infrastructure to be shared equally among several departments and limit the maximum number of concurrent sessions for all users in any one department.
In addition to simple User and Group Max Sessions control, Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the group membership of the user. For example, an administrator can allocate a Group Max Sessions value of 50 to the group “Sales” and also limit each member of the “Sales” group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.
For more information about the Max Sessions feature, see Setting Max Sessions for a User Group, page 6-11, and Setting Max Sessions Options for a User, page 7-16.
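The Sales example above, worked as a session-admission policy driven by session start and stop events. This is an added illustration, not code from the Cisco Secure ACS manual or product; the group name Sales and the 50/5 limits come from the text, while the usernames, session identifiers and the MaxSessionsPolicy class are constructed.

```python
class MaxSessionsPolicy:
    """Admit or refuse new sessions against a Group Max Sessions value and a
    group-based User Max Sessions value (added example; the class and its
    method names are constructed, not part of Cisco Secure ACS)."""

    def __init__(self):
        self.group_limits = {}   # group -> (group max, per-member max or None)
        self.group_of = {}       # user -> group
        self.sessions = {}       # session id -> user currently holding it

    def define_group(self, group, group_max, member_max=None):
        """member_max is the group-based User Max Sessions; None = no per-member cap."""
        self.group_limits[group] = (group_max, member_max)

    def add_user(self, user, group):
        if group not in self.group_limits:
            raise KeyError(f"group {group!r} is not defined")
        self.group_of[user] = group

    def active_for_user(self, user):
        return sum(1 for holder in self.sessions.values() if holder == user)

    def active_for_group(self, group):
        return sum(1 for holder in self.sessions.values()
                   if self.group_of.get(holder) == group)

    def request(self, user, session_id):
        """Access request for a new session. Returns True if admitted.

        Both caps are checked: the member's own count against the group-based
        User Max Sessions, and the group's total against Group Max Sessions.
        Reaching either one refuses the session.
        """
        if session_id in self.sessions:
            raise ValueError(f"session {session_id!r} is already active")
        group = self.group_of[user]
        group_max, member_max = self.group_limits[group]
        if member_max is not None and self.active_for_user(user) >= member_max:
            return False
        if self.active_for_group(group) >= group_max:
            return False
        self.sessions[session_id] = user
        return True

    def stop(self, session_id):
        """Session ended (accounting stop): release its slot."""
        self.sessions.pop(session_id, None)


def sales_scenario():
    """Constructed walk-through of the Sales example.

    Group Max Sessions 50, group-based User Max Sessions 5, twelve members.
    Returns (sixth_session_for_one_member, fifty_first_for_group,
             retry_after_a_stop, active_group_sessions_at_end).
    """
    policy = MaxSessionsPolicy()
    policy.define_group("Sales", group_max=50, member_max=5)
    members = [f"sales{i:02d}" for i in range(12)]   # constructed accounts
    for member in members:
        policy.add_user(member, "Sales")

    # One member brings up five sessions, then asks for a sixth.
    for n in range(5):
        if not policy.request("sales00", f"sales00-{n}"):
            raise RuntimeError("expected the first five sessions to be admitted")
    sixth = policy.request("sales00", "sales00-5")        # refused: member cap

    # Nine more members each bring up five sessions: the group now holds 50.
    for member in members[1:10]:
        for n in range(5):
            policy.request(member, f"{member}-{n}")

    # A member with no sessions at all still cannot get one: group cap.
    fifty_first = policy.request("sales10", "sales10-0")

    # Once a stop releases a slot, the refused member can be admitted.
    policy.stop("sales00-0")
    retry = policy.request("sales10", "sales10-0")
    return sixth, fifty_first, retry, policy.active_for_group("Sales")
```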
Dynamic Usage Quotas
Cisco Secure ACS enables you to define network usage quotas for users. Using quotas, you can limit the network access of each user in a group or of individual users. You define quotas by duration of sessions or the total number of sessions. Quotas can be either absolute or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed.
To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off and the accounting stop packet is received from the AAA client. If the AAA client through which the user is accessing your network fails, the session information is not updated. In the case of multiple sessions, such as with ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the quota allocated to the user.
For more information about usage quotas, see Setting Usage Quotas for a User Group, page 6-13, and Setting User Usage Quotas Options, page 7-18.
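The ISDN case described above, replayed as an added example that is not part of the manual: a time-based quota is charged only from the accounting records the AAA client sends, so whether a second B channel is admitted depends on whether update packets were enabled. Attribute names follow standard RADIUS accounting (Acct-Status-Type, Acct-Session-Id, Acct-Session-Time); the QuotaEnforcer class, the 30-minute quota and the timeline are constructed.

```python
class QuotaEnforcer:
    """Charges one user's time-based quota from accounting records only
    (added example; constructed, not Cisco Secure ACS code)."""

    def __init__(self, limit_seconds):
        self.limit = limit_seconds
        self.used = 0          # seconds charged against the quota so far
        self.charged = {}      # Acct-Session-Id -> cumulative seconds already charged
        self.active = set()    # sessions that have not sent an accounting Stop
        self.trail = []        # readable record of each decision

    def authorize(self, session_id):
        """Access request for a new session (for ISDN, a new B channel).

        The decision can only use what accounting has reported so far; a
        running session that has sent no update contributes nothing yet.
        """
        if self.used >= self.limit:
            self.trail.append(f"{session_id}: refused, {self.used}s of "
                              f"{self.limit}s already used")
            return False
        self.trail.append(f"{session_id}: accepted with {self.used}s used")
        return True

    def account(self, record):
        """Apply one accounting record sent by the AAA client."""
        sid = record["Acct-Session-Id"]
        status = record["Acct-Status-Type"]
        if status == "Start":
            self.active.add(sid)
            self.charged.setdefault(sid, 0)
            return
        if status not in ("Interim-Update", "Stop"):
            raise ValueError(f"unexpected Acct-Status-Type {status!r}")
        # Acct-Session-Time is cumulative for the session, so charge only the
        # increase since the last record; interim updates are never double-counted.
        total = record["Acct-Session-Time"]
        increment = total - self.charged.get(sid, 0)
        if increment < 0:
            raise ValueError(f"{sid}: Acct-Session-Time decreased")
        self.charged[sid] = total
        self.used += increment
        if status == "Stop":
            self.active.discard(sid)
        self.trail.append(f"{sid}: {status}, {self.used}s charged")


QUOTA_SECONDS = 30 * 60   # constructed 30-minute quota for the walk-through


def _bring_up_first_channel(interim_updates):
    """Channel B1 authenticates and stays online for 30 minutes."""
    srv = QuotaEnforcer(QUOTA_SECONDS)
    srv.authorize("B1")
    srv.account({"Acct-Status-Type": "Start", "Acct-Session-Id": "B1"})
    if interim_updates:
        # The client reports 30 minutes online while B1 is still up.
        srv.account({"Acct-Status-Type": "Interim-Update",
                     "Acct-Session-Id": "B1", "Acct-Session-Time": 30 * 60})
    return srv


def second_channel_admitted(interim_updates):
    """The ISDN case from the text: B2 is requested after B1 has used the
    whole quota. Returns (admitted, seconds_charged_at_that_moment)."""
    srv = _bring_up_first_channel(interim_updates)
    # Without updates, B1's 30 minutes are still invisible to the quota here,
    # so B2 gets through even though the allowance is already spent.
    return srv.authorize("B2"), srv.used


def charged_after_stop(interim_updates):
    """B1 stops after 40 minutes. Cumulative time is charged exactly once,
    whether or not an interim update was applied earlier. Returns seconds."""
    srv = _bring_up_first_channel(interim_updates)
    srv.account({"Acct-Status-Type": "Stop",
                 "Acct-Session-Id": "B1", "Acct-Session-Time": 40 * 60})
    return srv.used
```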
Shared Profile Components
Cisco Secure ACS provides a means for specifying authorization profile components that you can apply to multiple user groups and users. For example, you may have multiple user groups that have identical network access restrictions. Rather than configuring the network access restrictions several times, once per group, you can configure a network access restriction set in the Shared Profile Components section of the HTML interface, and then configure each group to use the network access restriction set you created.
For information about the types of shared profile components supported by Cisco Secure ACS, see About Shared Profile Components, page 5-1.
Support for Cisco Device-Management Applications
Cisco Secure ACS supports Cisco device-management applications, such as Management Center for PIX Firewall, by providing command authorization for network users who are using the management application to configure managed network devices. Support for command authorization for management application users is accomplished by using unique command authorization set types for each management application configured to use Cisco Secure ACS for authorization.
Cisco Secure ACS uses TACACS+ to communicate with management applications. For a management application to communicate with Cisco Secure ACS, the management application must be configured in Cisco Secure ACS as a AAA client that uses TACACS+. Also, you must provide the device-management application with a valid administrator name and password. When a management application initially communicates with Cisco Secure ACS, these requirements ensure the validity of the communication. For information about configuring a AAA client, see AAA Client Configuration, page 4-11. For information about administrator accounts, see Administrator Accounts, page 10-1.
Additionally, the administrator used by the management application must have the Create New Device Command Set Type privilege enabled. When a management application initially communicates with Cisco Secure ACS, it dictates to Cisco Secure ACS the creation of a device command set type, which appears in the Shared Profile Components section of the HTML interface. It also dictates a custom service to be authorized by TACACS+. The custom service appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section of the HTML interface. For information about enabling TACACS+ services, see Protocol Configuration Options for TACACS+, page 3-7. For information about device command-authorization sets for management applications, see Command Authorization Sets, page 5-13.
After the management application has dictated the custom TACACS+ service and device command-authorization set type to Cisco Secure ACS, you can configure command-authorization sets for each role supported by the management application and apply those sets to user groups that contain network administrators or to individual users who are network administrators. For information about configuring a command-authorization set, see Command Authorization Sets Configuration, page 5-16. For information about applying a shared device command-authorization set to a user group, see Configuring Device-Management Command Authorization for a User Group, page 6-35. For information about applying a shared device command-authorization set to a user, see Configuring Device Management Command Authorization for a User, page 7-30.
Other Authorization-Related Features
In addition to the authorization-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Group administration of users, with support for up to 500 groups (see Chapter 6, Setting Up and Managing User Groups).
Ability to map a user from an external user database to a specific Cisco Secure ACS group (see Database Group Mappings, page 12-11).
Ability to disable an account after a number of failed attempts, specified by the administrator (see Setting Options for User Account Disablement, page 7-20).
Ability to disable an account on a specific date (see Setting Options for User Account Disablement, page 7-20).
Ability to restrict time-of-day and day-of-week access (see Setting Default Time-of-Day Access for a User Group, page 6-5).
Ability to restrict network access based on remote address caller line identification (CLID) and dialed number identification service (DNIS) (see Setting Network Access Restrictions for a User Group, page 6-7).
IP Pools for IP address assignment of end-user client hosts (see Setting IP Address Assignment Method for a User Group, page 6-27).
Per-user and per-group TACACS+ or RADIUS attributes (see Advanced Options, page 3-4).
Support for Voice over IP (VoIP), including configurable logging of accounting data (see Enabling VoIP Support for a User Group, page 6-4).
Accounting
AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are the following:
TACACS+ Accounting—Lists when sessions start and stop; records AAA client messages with username; provides caller line identification information; records the duration of each session.
RADIUS Accounting—Lists when sessions stop and start; records AAA client messages with username; provides caller line identification information; records the duration of each session.
Administrative Accounting—Lists commands entered on a network device with TACACS+ command authorization enabled.
For more information about Cisco Secure ACS logging capabilities, see Chapter 9, Working with Logging and Reports.
Other Accounting-Related Features
In addition to the accounting-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Centralized logging, allowing several Cisco Secure ACS servers to forward their accounting data to a remote Cisco Secure ACS server (see Remote Logging, page 9-23).
Configurable supplementary user ID fields for capturing additional information in logs (see User Data Configuration Options, page 3-3).
Configurable logs, allowing you to capture as much information as needed (see Accounting Logs, page 9-5).
Administration
To configure, maintain, and protect its AAA functionality, Cisco Secure ACS provides a flexible administration scheme. You can perform nearly all administration of Cisco Secure ACS through its HTML interface.
You can access the HTML interface from computers other than the Cisco Secure ACS server. This enables remote administration of Cisco Secure ACS. For more information about the HTML interface, including steps for accessing the HTML interface, see Cisco Secure ACS HTML Interface, page 1-23.
HTTP Port Allocation for Remote Administrative Sessions
The HTTP port allocation feature allows you to configure the range of TCP ports used by Cisco Secure ACS for remote administrative HTTP sessions (that is, administrative sessions conducted by a browser running on a computer other than the Cisco Secure ACS server). Narrowing this range with the HTTP port allocation feature reduces the risk of unauthorized access to your network by a port open for administrative sessions.
We do not recommend that you administer Cisco Secure ACS through a firewall. Doing so requires that you configure the firewall to permit HTTP traffic over the range of HTTP administrative session ports that Cisco Secure ACS uses. While narrowing this range reduces the risk of unauthorized access, a greater risk of attack remains if you allow administration of Cisco Secure ACS from outside a firewall. A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a remote web browser must access to initiate an administrative session.
Note A broad HTTP port range could create a security risk. To prevent accidental discovery of an active administrative port by unauthorized users, keep the HTTP port range as narrow as possible. Cisco Secure ACS tracks the IP address associated with each remote administrative session. An unauthorized user would have to impersonate, or “spoof”, the IP address of the legitimate remote host to make use of the active administrative session HTTP port.
For information about configuring the HTTP port allocation feature, see Access Policy, page 10-11.
Network Device Groups
With a network device group (NDG), you can view and administer a collection of AAA clients and AAA servers as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS: discrete devices such as an individual router, access server, AAA server, or PIX Firewall, and NDGs, which are named collections of AAA clients and AAA servers.
A network device can belong to only one NDG at a time.
Using NDGs enables an organization with a large number of AAA clients spread across a large geographical area to logically organize its environment within Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if the AAA clients in each region were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.
You can assign a group of users to an NDG. For more information on NDGs, see Network Device Group Configuration, page 4-27.
Other Administration-Related Features
In addition to the administration-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Ability to define different privileges per administrator (see Administrator Accounts, page 10-1).
Ability to log administrator activities (see Cisco Secure ACS System Logs, page 9-11).
Ability to view a list of logged-in users (see Dynamic Administration Reports, page 9-7).
CSMonitor service, providing monitoring, notification, logging, and limited automated failure response (see Cisco Secure ACS Active Service Management, page 8-55).
Ability to automate configuration of users, groups, network devices, and custom RADIUS VSAs (see RDBMS Synchronization, page 8-29).
Replication of CiscoSecure user database components to other Cisco Secure ACS servers (see CiscoSecure Database Replication, page 8-9).
Scheduled and on-demand Cisco Secure ACS system backups (see Cisco Secure ACS Backup, page 8-47).
Ability to restore Cisco Secure ACS configuration, user accounts, and group profiles from a backup file (see Cisco Secure ACS System Restore, page 8-52).
Cisco Secure ACS HTML Interface
This section discusses the Cisco Secure ACS HTML interface and provides procedures for using it. This section contains the following topics:
About the Cisco Secure ACS HTML Interface, page 1-23
HTML Interface Layout, page 1-25
Uniform Resource Locator for the HTML Interface, page 1-26
Network Environments and Remote Administrative Sessions, page 1-27
Accessing the HTML Interface, page 1-29
Logging Off the HTML Interface, page 1-29
Online Help and Online Documentation, page 1-30
About the Cisco Secure ACS HTML Interface
After installing Cisco Secure ACS, you configure and administer it through the HTML interface. The HTML interface enables you to easily modify Cisco Secure ACS configuration from any connection on your LAN or WAN.
The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java. For a list of supported browsers, see the Release Notes. The latest revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).
The HTML interface not only makes viewing and editing user and group information possible, it also enables you to restart services, add remote administrators, change AAA client information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are logged in, list failed authentication and authorization attempts, and show administrators' recent tasks.
HTML Interface Security
Accessing the HTML interface requires a valid administrator name and password. The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS.
Administrative sessions time out after a configurable length of idle time. Regardless, we recommend that you log out of the HTML interface after each session. For information about logging out of Cisco Secure ACS, see Logging Off the HTML Interface, page 1-29. For information about configuring the idle timeout feature, see Access Policy, page 10-11.
You can enable secure socket layer (SSL) for administrative sessions. This ensures that all communication between the web browser and Cisco Secure ACS is encrypted. Your browser must support SSL. You can enable this feature on the Access Policy Setup page in the Administration Control section. For more information about enabling SSL for HTML interface security, see Access Policy, page 10-11.
HTML Interface Layout
The HTML interface has three vertical partitions, known as frames:
Navigation Bar—The gray frame on the left of the browser window, the navigation bar contains the task buttons. Each button changes the configuration area (see below) to a unique section of the Cisco Secure ACS application, such as the User Setup section or the Interface Configuration section. This frame does not change; it always contains the following buttons:
User Setup—Add and edit user profiles.
Group Setup—Configure network services and protocols for groups of users.
Shared Profile Components—Add and edit network access restriction and command authorization sets, to be applied to users and groups.
Network Configuration—Add and edit network access devices and configure distributed systems.
System Configuration—Configure database information and accounting.
Interface Configuration—Display or hide product features and options to be configured.
Administration Control—Define and configure access policies.
External User Databases—Configure external databases for authentication.
Reports and Activity—Display accounting and logging information.
Online Documentation—View the User Guide for Cisco Secure ACS for Windows Server.
Configuration Area—The frame in the middle of the browser window, the configuration area displays web pages that belong to one of the sections represented by the buttons in the navigation bar. The configuration area is where you add, edit, or delete information. For example, you configure user information in this frame on the User Setup Edit page.
Note Most pages have a Submit button at the bottom. Click Submit to confirm your changes. If you do not click Submit, changes are not saved.
Display Area—The frame on the right of the browser window, the display area shows one of the following options:
Online Help—Displays basic help about the page currently shown in the configuration area. This help does not offer in-depth information; rather, it gives some basic information about what can be accomplished in the middle frame. For more detailed information, click Section Information at the bottom of the page to go to the applicable part of Online Documentation.
Reports or Lists—Displays lists or reports, including accounting reports. For example, in User Setup you can show all usernames that start with a specific letter. The list of usernames beginning with a specified letter is displayed in this section. The usernames are hyperlinks to the specific user configuration, so clicking the name enables you to edit that user.
System Messages—Displays messages after you click Submit if you have typed in incorrect or incomplete data. For example, if the information you entered in the Password box does not match the information in the Confirm Password box in the User Setup section, Cisco Secure ACS displays an error message here. The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly.
Uniform Resource Locator for the HTML Interface
The HTML interface is available by web browser at one of the following uniform resource locators (URLs):
http://IP address:2002
http://hostname:2002
where IP address is the dotted decimal IP address of the computer running Cisco Secure ACS and hostname is the hostname of the computer running Cisco Secure ACS.
From the server on which Cisco Secure ACS is installed, you can also use the following URLs:
http://127.0.0.1:2002
http://hostname:2002
where hostname is the hostname of the computer running Cisco Secure ACS.
Network Environments and Remote Administrative Sessions
We recommend that remote administrative sessions take place without the use of an HTTP proxy server, without a firewall between the remote browser and Cisco Secure ACS, and without a NAT gateway between the remote browser and Cisco Secure ACS. Because these limitations are not always practical, we included the following topics regarding these remote administration scenarios:
Remote Administrative Sessions and HTTP Proxy, page 1-27
Remote Administrative Sessions through Firewalls, page 1-28
Remote Administrative Sessions through a NAT Gateway, page 1-28
Remote Administrative Sessions and HTTP Proxy
Cisco Secure ACS does not support HTTP proxy for remote administrative sessions. If the browser used for a remote administrative session is configured to use a proxy server, Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than from the actual address of the remote workstation. Remote administrative session tracking assumes each browser resides on a workstation with a unique IP.
Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the workstation. This conflicts with administrative session communication that does use the actual IP address of the workstation. For more information about IP filtering of remote administrative sessions, see Access Policy, page 10-11.
For these reasons, we do not recommend performing administrative sessions using a web browser that is configured to use a proxy server. Administrative sessions using a proxy-enabled web browser are not tested. If your web browser is configured to use a proxy server, disable HTTP proxying when attempting remote Cisco Secure ACS administrative sessions.
Remote Administrative Sessions through Firewalls
In the case of firewalls that do not perform network address translation (NAT), remote administrative sessions conducted across the firewall can require additional configuration of Cisco Secure ACS and the firewall. This is because Cisco Secure ACS assigns a random HTTP port at the beginning of a remote administrative session.
To allow remote administrative sessions from browsers outside a firewall that protects Cisco Secure ACS, the firewall must permit HTTP traffic across the range of ports that Cisco Secure ACS is configured to use. You can control the HTTP port range using the HTTP port allocation feature. For more information about the HTTP port allocation feature, see HTTP Port Allocation for Remote Administrative Sessions, page 1-21.
While administering Cisco Secure ACS through a firewall that is not performing NAT is possible, we do not recommend that you administer Cisco Secure ACS through a firewall. For more information, see HTTP Port Allocation for Remote Administrative Sessions, page 1-21.
Remote Administrative Sessions through a NAT Gateway
We do not recommend conducting remote administrative sessions across a network device performing NAT. If the administrator runs a browser on a workstation behind a NAT gateway, Cisco Secure ACS receives the HTTP requests from the public IP address of the NAT device, which conflicts with the workstation private IP address included in the content of the HTTP requests. Cisco Secure ACS does not permit this.
If Cisco Secure ACS is behind a NAT gateway and the URL used to access the HTML interface specifies the Windows 2000 server running Cisco Secure ACS by its hostname, remote administrative sessions operate correctly, provided that DNS is functioning correctly on your network or that workstations used to access the HTML interface have a hosts file entry for the Windows server that runs Cisco Secure ACS.
If the URL used to access the HTML interface specifies the Windows 2000 server running Cisco Secure ACS by its IP address, you could configure the gateway to forward all connections to port 2002 to Cisco Secure ACS, using the same port. Additionally, all the ports allowed using the HTTP port allocation feature would have to be similarly mapped. We have not tested such a configuration and do not recommend implementing it.
Accessing the HTML Interface
Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, Cisco Secure ACS also requires a valid administrator name and password for administrative sessions accessed from a browser on the Cisco Secure ACS server.
To access the HTML interface, follow these steps:
Step 1 Open a web browser. For a list of supported web browsers, see the Release Notes for the version of Cisco Secure ACS you are accessing. The latest revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).
Step 2 In the Address or Location bar in the web browser, type the applicable URL. For a list of possible URLs, see Uniform Resource Locator for the HTML Interface, page 1-26.
Step 3 If the Cisco Secure ACS for Windows 2000/NT Login page appears, follow these steps:
a. In the Username box, type a valid Cisco Secure ACS administrator name.
b. In the Password box, type the password for the administrator name you specified.
c. Click Login.
Result: The Cisco Secure ACS for Windows 2000 initial page appears.
Logging Off the HTML Interface
When you are finished using the HTML interface, we recommend that you log off. While Cisco Secure ACS can time out unused administrative sessions, logging off prevents unauthorized access by someone using the browser after you, or by unauthorized persons using the HTTP port left open to support the administrative session.
To log off the Cisco Secure ACS HTML interface, click the Logoff button.
Note The Logoff button appears in the upper right corner of the browser window, except on the initial page, where it appears in the upper left of the configuration area.
Online Help and Online Documentation
We provide two sources of information in the HTML interface:
Online Help—Contains basic information about the page shown in the configuration area.
Online Documentation—Contains the entire user guide.
Using Online Help
Online help is the default content in the display area. For every page that appears in the configuration area, there is a corresponding online help page. At the top of each online help page is a list of topics covered by that page.
To jump from the top of the online help page to a particular topic, click the topic name in the list at the top of the page.
There are three icons that appear on many pages in Cisco Secure ACS:
Question Mark—Many subsections of the pages in the configuration area contain an icon with a question mark. To jump to the applicable topic in an online help page, click the question mark icon.
Section Information—Many online help pages contain a Section Information icon at the bottom of the page. To view the applicable section of the online documentation, click the Section Information icon.
Back to Help—Wherever you find an online help page with a Section Information icon, the corresponding page in the configuration area contains a Back to Help icon. If you have accessed the online documentation by clicking a Section Information icon and want to view the online help page again, click the Back to Help icon.
Using the Online Documentation
The Cisco Secure ACS online documentation is the user guide for Cisco Secure ACS. The user guide provides information about the configuration, operation, and concepts of Cisco Secure ACS. The information presented in the online documentation is as current as the release date of the Cisco Secure ACS version you are using. For the most up-to-date documentation about Cisco Secure ACS, go to http://www.cisco.com.
Tip Click Section Information on any online help page to view online documentation relevant to the section of the HTML interface you are using.
To access online documentation, follow these steps:
Step 1 In the Cisco Secure ACS HTML interface, click Online Documentation.
Tip To open the online documentation in a new browser window, right-click Online Documentation, and then click Open Link in New Window (for Microsoft Internet Explorer) or Open in New Window (for Netscape Navigator).
Result: The table of contents opens in the configuration area.
Step 2 If you want to select a topic from the table of contents, scroll through the table of contents and click the applicable topic.
Result: The online documentation for the topic selected appears in the display area.
Step 3 If you want to select a topic from the index, follow these steps:
a. Click [Index].
Result: The index appears in the display area.
b. Scroll through the index to find an entry for the topic you are researching.
Tip Use the lettered shortcut links to jump to a particular section of the index.
Result: Entries appear with numbered links after them. The numbered links lead to separate instances of the entry topic.
c. Click an instance number for the desired topic.
Result: The online documentation for the topic selected appears in the display area.
Step 4 If you want to print the online documentation, click in the display area, and then click Print in the navigation bar of your browser.
CHAPTER 2
Deploying Cisco Secure ACS
Deployment of Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 can be complex and iterative, depending on the specific implementation required. This chapter provides insight into the deployment process and presents a collection of factors that you should consider before deploying Cisco Secure ACS.
The complexity of deploying Cisco Secure ACS reflects the evolution of AAA servers in general, and the advanced capabilities, flexibility, and features of Cisco Secure ACS in particular. AAA was conceived originally to provide a centralized point of control for user access via dial-up services. As user databases grew and the locations of AAA clients became more dispersed, more capability was required of the AAA server. Regional, and then global, requirements became common. Today, Cisco Secure ACS is required to provide AAA services for dial-up access, dial-out access, wireless, VLAN access, firewalls, VPN concentrators, administrative controls, and more. The list of external databases supported has also continued to grow, and the use of multiple databases, as well as multiple Cisco Secure ACSes, has become more common. Regardless of the scope of your Cisco Secure ACS deployment, the information contained in this chapter should prove valuable. If you have deployment questions that are not addressed in this guide, contact your Cisco technical representative for assistance.
This chapter contains the following sections:
Basic Deployment Requirements for Cisco Secure ACS, page 2-2
Basic Deployment Factors for Cisco Secure ACS, page 2-5
Suggested Deployment Sequence, page 2-18
Basic Deployment Requirements for Cisco Secure ACS
This section details the minimum requirements you must meet to be able to successfully deploy Cisco Secure ACS. The following topics are covered:
System Requirements, page 2-2
Hardware Requirements, page 2-2
Operating System Requirements, page 2-2
Third-Party Software Requirements, page 2-3
Network Requirements, page 2-4
System Requirements
Your Cisco Secure ACS server must meet the minimum hardware and software requirements detailed in the following sections.
Hardware Requirements
Your Cisco Secure ACS server must meet the following minimum hardware requirements:
Pentium III processor, 550 MHz or faster.
256 MB of RAM.
At least 250 MB of free disk space. If you are running your database on the same machine, more disk space is required.
Minimum graphics resolution of 256 colors at 800 x 600 lines.
Operating System Requirements
The server that runs Cisco Secure ACS should use an English-language version of Windows 2000 Server with Service Pack 3 installed.
Note Both the operating system and the applicable service pack must be English-language versions.
Windows service packs can be applied either before or after installing Cisco Secure ACS. If you do not install a required service pack before installing Cisco Secure ACS, the Cisco Secure ACS installation program may warn you that the required service pack is not present on your server. If you receive a service pack message, continue the installation, and then install the required service pack before starting user authentication with Cisco Secure ACS.
Note Beginning with Cisco Secure ACS version 3.1, we no longer support running Cisco Secure ACS on a Windows NT 4.0 server. For information about upgrading the operating system of a server running Cisco Secure ACS, see the Installation Guide for Cisco Secure ACS for Windows Server, version 3.1.
For the latest information about tested operating systems and service packs, see the Release Notes. The latest version of the Release Notes is posted on Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/
Third-Party Software Requirements
The Windows server that runs Cisco Secure ACS must have a compatible browser installed. We tested Cisco Secure ACS with English-language versions of the following browsers on Microsoft Windows operating systems:
Microsoft Internet Explorer 5.5 and 6.0
Netscape Communicator 6.2
Note To use a web browser to access the Cisco Secure ACS HTML interface, you must enable both Java and JavaScript in the browser. Also, the web browser must not be configured to use a proxy server. For more information about other network environment factors that affect access to the HTML interface, see Network Environments and Remote Administrative Sessions, page 1-27.
For the latest information about tested browsers and other third-party applications, see the Release Notes. The latest version of the Release Notes is posted on Cisco.com at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.
Network Requirements
Your network should meet the following requirements before you begin deploying Cisco Secure ACS.
For full TACACS+ and RADIUS support on Cisco IOS devices, AAA clients must run Cisco IOS Release 11.2 or later.
Non-Cisco IOS AAA clients must be configured with TACACS+ and/or RADIUS.
Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA clients.
The computer running Cisco Secure ACS must be able to ping all AAA clients.
Gateway devices between AAA clients and Cisco Secure ACS must permit communication over the ports needed to support the applicable AAA protocol (RADIUS or TACACS+). For information about ports used by AAA protocols, see AAA Protocols—TACACS+ and RADIUS, page 1-6.
Make sure a compatible web browser is installed on the computer that runs Cisco Secure ACS. For more information, see Third-Party Software Requirements, page 2-3.
To have Cisco Secure ACS use the Grant Dial-in Permission to User feature in Windows when authorizing network users, enable this option for the applicable user accounts in the relevant Active Directory or Windows Security Accounts Manager (SAM) database.
Basic Deployment Factors for Cisco Secure ACS
Generally, the ease of deploying Cisco Secure ACS is directly related to the complexity of the implementation planned and the degree to which you have defined your policies and requirements. This section presents some basic factors you should consider before you begin implementing Cisco Secure ACS.
This section includes the following topics:
Network Topology, page 2-5
Remote Access Policy, page 2-13
Security Policy, page 2-14
Administrative Access Policy, page 2-14
Database, page 2-17
Network Latency and Reliability, page 2-18
Network Topology
How your enterprise network is configured is likely to be the most important factor in deploying Cisco Secure ACS. While an exhaustive treatment of this topic is beyond the scope of this guide, this section details how the growth of network topology options has made Cisco Secure ACS deployment decisions more complex.
When AAA was created, network access was restricted to either devices directly connected to the LAN or remote devices gaining access via modem. Today, enterprise networks can be complex and, thanks to tunneling technologies, can be widely geographically dispersed.
Dial-Up Topology
In the traditional model of dial-up access (a PPP connection), a user employing a modem or ISDN connection is granted access to an intranet via a network access server (NAS) functioning as a AAA client. Users may be able to connect via only a single AAA client, as in a small business, or have the option of numerous geographically dispersed AAA clients.
In the small LAN environment (see Figure 2-1), network architects typically place a single Cisco Secure ACS internal to the AAA client, protected from outside access by means of a firewall and the AAA client. In this environment, the user database is usually small, there are few devices that require access to the Cisco Secure ACS for AAA, and any database replication is limited to a secondary Cisco Secure ACS as a backup.
Figure 2-1 Small Dial-up Network
[Figure: server-based dial access; PSTN; modem; network; Cisco Secure Access Control Server]
In a larger dial-in environment, a single Cisco Secure ACS installation with a backup may be suitable, too. The suitability of this configuration depends on network and server access latency. Figure 2-2 shows an example of a large dial-in arrangement. In this scenario the addition of a backup Cisco Secure ACS is recommended.
Figure 2-2 Large Dial-up Network
[Figure: Cisco AS5300 access servers; UNIX server; Novell server; Windows NT server; Macintosh server; Cisco Secure Access Control Server]
In a very large, geographically dispersed network (Figure 2-3), there may be access servers located in different parts of a city, in different cities, or on different continents. If network latency is not an issue, a central Cisco Secure ACS may work, but connection reliability over long distances may cause problems. In this case, local Cisco Secure ACSes may be preferable to a central Cisco Secure ACS. If the need for a globally coherent user database is most important, database replication or synchronization from a central Cisco Secure ACS may be necessary. Authentication using external databases, such as Windows NT/2000 or the Lightweight Directory Access Protocol (LDAP), can further complicate the deployment of distributed, localized Cisco Secure ACSes. While Cisco Secure ACS uses encryption for all replication and database synchronization traffic, additional security measures may be required to protect the network and user information that Cisco Secure ACS sends across the WAN.
Figure 2-3 Geographically Dispersed Network
[Figure: three regional Cisco Secure Access Control Servers]
Wireless Network
The wireless network access point is a relatively new client for AAA services. The wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN. Authentication is absolutely necessary due to the ease of access to the AP. Encryption is also necessary because of the ease of eavesdropping on communications. As such, security plays an even bigger role than in the dial-up scenario and is discussed in more detail later in this section.
Scaling can be a serious issue in the wireless network. Like the "wired" LAN, the mobility factor of the wireless LAN (WLAN) requires considerations similar to those given to the dial-up network. Unlike the wired LAN, however, the WLAN can be more readily expanded. Though WLAN technology does have physical limits as to the number of users that can be connected via an AP, the number of APs can grow quickly. As with the dial-up network, you can structure your WLAN to allow full access for all users, or to provide restricted access to different subnets between sites, buildings, floors, or rooms. This brings up a unique issue with the WLAN: the ability of a user to "roam" between APs.
In the simple WLAN, there may be a single AP installed (Figure 2-4). Because there is only one AP, the primary issue is security. In this environment, there is generally a small user base and few network devices to worry about. Providing AAA services to the other devices on the network does not cause any significant additional load on the Cisco Secure ACS.
Figure 2-4 Simple WLAN
[Figure: Cisco Aironet AP; network; Cisco Secure Access Control Server]
In the LAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy Cisco Secure ACS become a little more involved. Though Figure 2-5 shows all APs on the same LAN, they may be distributed throughout the LAN, connected via routers, switches, and so on. In the larger, geographical distribution of WLANs, deployment of Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs (Figure 2-3).
Figure 2-5 Campus WLAN
[Figure: Cisco Aironet APs; dial-up connection; UNIX server; Novell server; Windows NT server; Macintosh server; Cisco Secure Access Control Server]
This is particularly true when the regional topology is the campus WLAN. This model starts to change when you deploy WLANs in many small sites that more resemble the simple WLAN shown in Figure 2-4. This model may apply to a chain of small stores distributed throughout a city or state, nationally, or globally (Figure 2-6).
Figure 2-6 Large Deployment of Small Sites
[Figure]
For the model in Figure 2-6, the location of Cisco Secure ACS depends on whether all users need access on any AP, or whether users require only regional or local network access. Along with database type, these factors control whether local or regional Cisco Secure ACSes are required, and how database continuity is maintained. In this very large deployment model, security becomes a more complicated issue, too.
Remote Access using VPN
Virtual Private Networks (VPNs) use advanced encryption and tunneling to permit organizations to establish secure, end-to-end, private network connections over third-party networks, such as the Internet or extranets (Figure 2-7). The benefits of a VPN include the following:
Cost Savings—By leveraging third-party networks with VPN, organizations no longer have to use expensive leased or frame relay lines and can connect remote users to their corporate networks via a local Internet service provider (ISP) instead of using expensive toll-free or long-distance calls to resource-consuming modem banks.
Security—VPNs protect data from unauthorized access by using strong encryption and authentication protocols on the tunnel.
Scalability—VPNs allow corporations to use remote access infrastructure within ISPs; therefore, corporations can add a large amount of capacity without adding significant infrastructure.
Compatibility with Broadband Technology—VPNs allow mobile workers, telecommuters, and day extenders to take advantage of high-speed broadband connectivity, such as DSL and cable, when gaining access to their corporate networks, providing workers significant flexibility and efficiency.
Figure 2-7 Simple VPN Configuration
[Figure: VPN concentrator; network WAN; tunnel; Cisco Secure Access Control Server]
There are two types of VPN access into a network:
Site-to-Site VPNs—Extend the classic WAN by providing large-scale encryption between multiple fixed sites, such as remote offices and central offices, over a public network, such as the Internet.
Remote Access VPNs—Permit secure, encrypted connections between mobile or remote users and their corporate networks via a third-party network, such as an ISP, using VPN client software.
Generally speaking, site-to-site VPNs can be viewed as a typical WAN connection; they are not usually configured to use AAA to secure the initial connection and are likely to use the device-oriented IPSec tunneling protocol. Remote access VPNs, however, are similar to classic remote connection technology (modem/ISDN) and lend themselves to using the AAA model effectively (Figure 2-8).
Figure 2-8 Enterprise VPN Solution
[Figure: home office and mobile worker; ISPs; Internet; tunnels; VPN concentrator; Cisco Secure Access Control Server]
For more information about implementing VPN solutions, see the reference guide A Primer for Implementing a Cisco Virtual Private Network.
Remote Access Policy
Remote access is a broad concept. In general, it defines how the user can connect to the LAN, or from the LAN to outside resources (that is, the Internet). There are several ways this may occur. The methods include dial-in, ISDN, wireless bridges, and secure Internet connections. Each method has its own advantages and disadvantages, and provides a unique challenge to providing AAA services. This closely ties remote access policy to the enterprise network topology. In addition to the method of access, other decisions can also affect how Cisco Secure ACS is deployed; these include specific network routing (access lists), time-of-day access, individual restrictions on AAA client access, access control lists (ACLs), and so on.
Remote access policies can be implemented for employees who telecommute or for mobile users who dial in over ISDN or the public switched telephone network (PSTN). Such policies are enforced at the corporate campus with Cisco Secure ACS and the AAA client. Inside the enterprise network, remote access policies can control wireless access by individual employees.
Cisco Secure ACS remote access policy provides control by using central authentication and authorization of remote users. The CiscoSecure user database maintains all user IDs, passwords, and privileges. Cisco Secure ACS access policies can be downloaded in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, or can restrict access to specific periods or to specific access servers.
The remote access policy is part of the overall corporate security policy.
Security Policy
We recommend that every organization that maintains a network develop a security policy for the organization. The sophistication, nature, and scope of your security policy directly affect how you deploy Cisco Secure ACS.
For more information about developing and maintaining a comprehensive security policy, refer to the following documents:
Network Security Policy: Best Practices White Paper
Delivering End-to-End Security in Policy-Based Networks
Cisco IOS Security Configuration Guide
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network. Local authentication on a network device can be performed, but it is not scalable. The use of network management tools can help in large networks, but if local authentication is used on each network device, the policy usually consists of a single login on the network device. This does not promote adequate network device security. Using Cisco Secure ACS allows a centralized administrator database, and administrators can be added or deleted at one location. TACACS+ is the recommended AAA protocol for controlling AAA client administrative access because of its ability to provide per-command control (command authorization) of AAA client administrator access to the device. RADIUS is not well suited for this purpose because it transfers authorization information only once, at the time of initial authentication.
The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, Cisco Secure ACS can be used with command authorization per network device to restrict network administrators as necessary. Using local authentication restricts the administrative access policy to either no login on a device or using privilege levels to control access. Controlling access by means of privilege levels is cumbersome and not very scalable: it requires that the privilege levels of specific commands be altered on the AAA client device and that specific privilege levels be defined for the user login, and it is easy to create more problems by editing command privilege levels. Using command authorization on Cisco Secure ACS does not require that you alter the privilege level of controlled commands. The AAA client sends the command to Cisco Secure ACS to be parsed, and Cisco Secure ACS determines whether the administrator has permission to use the command. The use of AAA allows authentication on any AAA client for any user on Cisco Secure ACS and facilitates limiting access to these devices on a per-AAA client basis.
A small network with a small number of network devices may require only one or two individuals to administer it. Local authentication on the device is usually sufficient. If you require more granular control than that which authentication can provide, some means of authorization is necessary. As discussed earlier, controlling access using privilege levels can be cumbersome. Cisco Secure ACS reduces this problem.
In large enterprise networks, with many devices to administer, the use of Cisco Secure ACS becomes a practical necessity. Because administration of many devices requires a larger number of network administrators, with varying levels of access, the use of local control is simply not a viable way of keeping track of the network device configuration changes required when changing administrators or devices. The use of network management tools, such as CiscoWorks 2000, helps to ease this burden, but maintaining security is still an issue. Because Cisco Secure ACS can comfortably handle up to 100,000 users, the number of network administrators that Cisco Secure ACS supports is rarely an issue. If there is a large remote access population using RADIUS for AAA support, the corporate IT team should consider a separate Cisco Secure ACS providing TACACS+ authentication for the administrative team. This would isolate the general user population from the administrative team and reduce the likelihood of inadvertent access to network devices. If this is not a suitable solution, using TACACS+ for administrative (shell/exec) logins and RADIUS for remote network access provides sufficient security for the network devices.
Separation of Administrative and General Users
It is important to keep the general network user from accessing network devices. Even though the general user may not intend to gain unauthorized access, inadvertent access could accidentally disrupt network access. AAA and Cisco Secure ACS provide the means to separate the general user from the administrative user.
The easiest, and recommended, method to perform such separation is to use RADIUS for the general remote access user and TACACS+ for the administrative user. An issue that arises is that an administrator may also require remote network access, like the general user. If you use Cisco Secure ACS this poses no problem. The administrator can have both RADIUS and TACACS+ configurations in Cisco Secure ACS. Using authorization, RADIUS users can have PPP (or other network access protocols) set as the permitted protocol. Under TACACS+, only the administrator would be configured to allow shell (exec) access.
Chapter 2 Deploying Cisco Secure ACS
For example, if the administrator is dialing into the network as a general user, a AAA client would use RADIUS as the authenticating/authorizing protocol and the PPP protocol would be authorized. In turn, if the same administrator remotely connects to a AAA client to make configuration changes, the AAA client would use the TACACS+ protocol for authentication/authorization. Because this administrator is configured on Cisco Secure ACS with permission for shell under TACACS+, he would be authorized to log in to that device. This does require that the AAA client have two separate configurations on Cisco Secure ACS, one for RADIUS and one for TACACS+. An example of a AAA client configuration under IOS that effectively separates PPP and shell logins follows (ip-address, secret-key, user, and password are placeholders):
aaa new-model
! AAA servers: TACACS+ for administrative (shell) access, RADIUS for network (PPP) access
tacacs-server host ip-address
tacacs-server key secret-key
radius-server host ip-address
radius-server key secret-key
! PPP users authenticate against RADIUS; shell logins against TACACS+, falling back to the local user
aaa authentication ppp default group radius
aaa authentication login default group tacacs+ local
aaa authentication login console none
! Network (PPP) authorization via RADIUS; exec and level-15 command authorization via TACACS+
aaa authorization network default group radius
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
! Local fallback account for when TACACS+ is unreachable
username user password password
line con 0
 login authentication console
Conversely, if a general user attempts to use his or her remote access to log in to a network device, Cisco Secure ACS checks and approves the username and password, but the authorization process would fail because that user would not have credentials that allow shell/exec access to the device.
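The following is an added example, not code from this guide or from Cisco, that models the two separation mechanisms this section describes so the resulting policy can be checked offline: protocol separation (RADIUS authorizes network services such as PPP, TACACS+ authorizes shell/exec, so a general user authenticates but fails exec authorization) and per-device command authorization, where the AAA client hands each command line to the server for a decision instead of relying on IOS privilege levels. All usernames, passwords, device names, command sets and the permit/deny argument-matching rules are constructed assumptions for illustration.

```python
"""Added example (not from the Cisco Secure ACS guide): a model of RADIUS/TACACS+
service separation and per-device command authorization.  All users, devices and
command sets below are constructed assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """One command authorization set.  rules maps a command keyword to
    (argument_rules, permit_unmatched_args); argument_rules is a list of
    (permit, regex) tried in order against the rest of the line.  Commands
    with no entry fall back to permit_unmatched_commands (assumed semantics)."""
    permit_unmatched_commands: bool
    rules: dict[str, tuple[list[tuple[bool, str]], bool]]

    def allows(self, line: str) -> bool:
        parts = line.strip().split(None, 1)
        if not parts:
            return False
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd not in self.rules:
            return self.permit_unmatched_commands
        arg_rules, permit_unmatched_args = self.rules[cmd]
        for permit, pattern in arg_rules:
            if re.fullmatch(pattern, args):
                return permit
        return permit_unmatched_args


@dataclass
class UserProfile:
    password: str
    radius_services: set[str] = field(default_factory=set)   # e.g. {"ppp"}
    tacacs_services: set[str] = field(default_factory=set)   # e.g. {"shell"}
    # command set name per AAA client; "*" is the fallback for any other device
    command_sets: dict[str, str] = field(default_factory=dict)


# Constructed sample data (assumptions, not from the guide).
COMMAND_SETS = {
    "netops-full": CommandSet(permit_unmatched_commands=True, rules={}),
    "netops-limited": CommandSet(
        permit_unmatched_commands=False,
        rules={
            "show": ([(True, r".*")], True),
            "configure": ([(True, r"terminal")], False),
            "interface": ([(True, r"GigabitEthernet\S+"), (False, r"Loopback\S+")], False),
        },
    ),
}
USERS = {
    # administrator: PPP via RADIUS, shell via TACACS+, a different command set per device
    "alice": UserProfile("alice-pw", {"ppp"}, {"shell"},
                         {"lab-rtr": "netops-full", "*": "netops-limited"}),
    # general remote-access user: PPP only, no TACACS+ shell service
    "bob": UserProfile("bob-pw", {"ppp"}),
}


def authenticate(user: str, password: str) -> bool:
    profile = USERS.get(user)
    return profile is not None and profile.password == password


def authorize_service(protocol: str, service: str, user: str) -> bool:
    """RADIUS requests are checked against network services, TACACS+ against shell."""
    profile = USERS[user]
    if protocol == "radius":
        return service in profile.radius_services
    if protocol == "tacacs+":
        return service in profile.tacacs_services
    return False


def login(protocol: str, service: str, user: str, password: str) -> str:
    """Return 'auth-failed', 'authz-failed' or 'ok': authentication can succeed
    while authorization for the requested service fails, as the guide describes."""
    if not authenticate(user, password):
        return "auth-failed"
    return "ok" if authorize_service(protocol, service, user) else "authz-failed"


def authorize_command(user: str, device: str, line: str) -> bool:
    """Per-device command authorization: the AAA client sends the whole command line."""
    profile = USERS.get(user)
    if profile is None:
        return False
    name = profile.command_sets.get(device) or profile.command_sets.get("*")
    return name is not None and COMMAND_SETS[name].allows(line)


if __name__ == "__main__":
    for req in [("radius", "ppp", "bob", "bob-pw"), ("tacacs+", "shell", "bob", "bob-pw"),
                ("tacacs+", "shell", "alice", "alice-pw")]:
        print(req, "->", login(*req))
    for cmd in ["show running-config", "configure terminal", "interface Loopback0", "reload"]:
        print("alice@core-rtr:", cmd, "->", authorize_command("alice", "core-rtr", cmd))
```

Running the block shows bob's PPP login succeeding over RADIUS while his shell login over TACACS+ is authenticated but not authorized, and alice's command lines being permitted or denied per device without any privilege-level changes on the router. The regex argument matching and the "unmatched" fallbacks are the model's own assumptions; Cisco Secure ACS command authorization sets are configured in Shared Profile Components (Chapter 5).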
Database
Aside from topological considerations, the user database is one of the most influential factors involved in making deployment decisions for Cisco Secure ACS. The size of the user base, distribution of users throughout the network, access requirements, and type of user database contribute to how Cisco Secure ACS is deployed.
Number of Users
Cisco Secure ACS is designed for the enterprise environment, comfortably handling 100,000 users. This is usually more than adequate for a corporation. In an environment that exceeds these numbers, the user base would typically be geographically dispersed, which lends itself to the use of more than one Cisco Secure ACS configuration. With a single central server, a WAN failure could render a local network inaccessible because of the loss of the authentication server. In addition to this issue, reducing the number of users that a single Cisco Secure ACS handles improves performance by lowering the number of logins occurring at any given time and by reducing the load on the database itself.
Type of Database
Cisco Secure ACS supports a number of database options, including the CiscoSecure user database or using remote authentication with any of the external databases supported. For more information about database options, types, and features, see Authentication and User Databases, page 1-8, Chapter 11, Working with User Databases, or Chapter 12, Administering External User Databases. Each database option has its own advantages and limitations in scalability and performance.
Network Latency and Reliability
Network latency and reliability are also important factors in how you deploy Cisco Secure ACS. Delays in authentication can result in timeouts at the end-user client or the AAA client.
The general rule for large, extended networks, such as a globally dispersed corporation, is to have at least one Cisco Secure ACS deployed in each region. This may not be adequate without a reliable, high-speed connection between sites. Many corporations use secure VPN connections between sites so that the Internet provides the link. This saves time and money, but it does not provide the speed and reliability that a dedicated frame relay or T1 link provides. If reliable authentication service is critical to business functionality, such as retail outlets with cash registers that are linked by a wireless LAN, the loss of the WAN connection to a remote Cisco Secure ACS could be catastrophic.
The same issue applies to an external database used by Cisco Secure ACS. The database should be deployed close enough to Cisco Secure ACS to ensure reliable and timely access. Using a local Cisco Secure ACS with a remote database can result in the same problems as using a remote Cisco Secure ACS. Another possible problem in this scenario is that a user may experience timeout problems. The AAA client would be able to contact Cisco Secure ACS, but Cisco Secure ACS would wait for a reply that might be delayed or never arrive from the external user database. If the Cisco Secure ACS itself were remote, the AAA client would time out and try an alternative authentication method (such as the local fallback in the example configuration above); but in the remote-database case the AAA client still sees a reachable server, so it is likely the end-user client would time out first, before any fallback is attempted.
Suggested Deployment Sequence
While there is no single process for all Cisco Secure ACS deployments, you should consider following the sequence below, keyed to the high-level functions represented in the navigation toolbar. Also bear in mind that many of these deployment activities are iterative in nature; you may find that you repeatedly return to such tasks as interface configuration as your deployment proceeds.
Configure Administrators—You should configure at least one administrator at the outset of deployment; otherwise, there is no remote administrative access and all configuration activity must be done from the server. You should also have a detailed plan for establishing and maintaining an administrative policy.
For more information about setting up administrators, see Chapter 10, Setting Up and Managing Administrators and Policy.
Configure the Cisco Secure ACS HTML Interface—You can configure the Cisco Secure ACS HTML interface to show only those features and controls that you intend to use. This makes using Cisco Secure ACS less difficult than it would be if you had to contend with multiple parts of the HTML interface that you do not plan to use. The price of this convenience can sometimes be frustration that features and controls do not appear because you failed to configure them in the Interface Configuration section. For guidance on configuring the HTML interface, see Interface Design Concepts, page 3-2.
For information about configuring particular aspects of the HTML interface, see the following sections of the interface configuration chapter:
User Data Configuration Options, page 3-3
Advanced Options, page 3-4
Protocol Configuration Options for TACACS+, page 3-7
Protocol Configuration Options for RADIUS, page 3-10
Configure System—There are more than a dozen functions within the System Configuration section to be considered, from setting the format for the display of dates and password validation to configuring settings for database replication and RDBMS synchronization. These functions are detailed in Chapter 8, Establishing Cisco Secure ACS System Configuration. Of particular note during initial system configuration is setting up the logs and reports to be generated by Cisco Secure ACS; for more information, see Chapter 9, Working with Logging and Reports.
Configure Network—You control distributed and proxied AAA functions in the Network Configuration section of the HTML interface. From here, you establish the identity, location, and grouping of AAA clients and servers, and determine what authentication protocols each is to use. For more information, see Chapter 4, Setting Up and Managing Network Configuration.
Configure External User Database—During this phase of deployment you must decide whether and how you intend to implement an external database to establish and maintain user authentication accounts. Typically, this decision is made according to your existing network administration
mechanisms. For information about the types of databases Cisco Secure ACS supports and instructions for establishing them, see Chapter 11, Working with User Databases.
Along with the decision to implement an external user database (or databases), you should have detailed plans that specify your requirements for Cisco Secure ACS database replication, backup, and synchronization. These aspects of configuring CiscoSecure user database management are detailed in Chapter 8, Establishing Cisco Secure ACS System Configuration.
Configure Shared Profile Components—With most aspects of network configuration already established and before configuring user groups, you should configure your Shared Profile Components. When you set up and name the network access restrictions and command authorization sets you intend to employ, you lay out an efficient basis for specifying user group and single user access privileges. For more information about Shared Profile Components, see Chapter 5, Setting Up and Managing Shared Profile Components.
Configure Groups—Having previously configured any external user databases you intend to employ, and before configuring your user groups, you should decide how to implement two other Cisco Secure ACS features related to external user databases: unknown user processing and database group mapping. For more information, see Unknown User Processing, page 12-1, and Database Group Mappings, page 12-11. Then, you can configure your user groups with a complete plan of how Cisco Secure ACS is to implement authorization and authentication. For more information, see Chapter 6, Setting Up and Managing User Groups.
Configure Users—With groups established, you can establish user accounts. It is useful to remember that a particular user can belong to only one user group, and that settings made at the user level override settings made at the group level. For more information, see Chapter 7, Setting Up and Managing User Accounts.
Configure Reports—Using the Reports and Activities section of the Cisco Secure ACS HTML interface, you can specify the nature and scope of logging that Cisco Secure ACS performs. For more information, see Chapter 9, Working with Logging and Reports.
Chapter 3 Setting Up the Cisco Secure ACS HTML Interface
Ease of use is the overriding design principle of the HTML interface in the Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1. Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator. The Interface Configuration section of Cisco Secure ACS enables you to configure the Cisco Secure ACS HTML interface: you can tailor the interface to simplify the screens you will use by hiding the features that you do not use and by adding fields for your specific configuration.
This chapter presents the details of configuring the Cisco Secure ACS interface through four topics:
User Data Configuration Options, page 3-3
Advanced Options, page 3-4
Protocol Configuration Options for TACACS+, page 3-7
Protocol Configuration Options for RADIUS, page 3-10
Note We recommend that you return to this section to review and confirm your initial settings. While it is logical to begin your Cisco Secure ACS configuration efforts with configuring the interface, sometimes a section of the HTML interface that you initially believed should be hidden from view may later require configuration from within this section.
Tip If a section of the Cisco Secure ACS HTML interface appears to be missing or broken, return to the Interface Configuration section and confirm that the particular section has been activated.
Interface Design Concepts
Before you begin to configure the Cisco Secure ACS HTML interface for your particular configuration, you should understand a few basic precepts of the system's operation. The information in the following sections is necessary for effective interface configuration.
User-to-Group Relationship
A user can belong to only one group at a time. As long as there are no conflicting attributes, users inherit group settings.
Note If a user profile has an attribute configured differently from the same attribute in the group profile, the user setting always overrides the group setting.
If a user has a unique configuration requirement, you can make that user a part of a group and set unique requirements on the User Setup page, or you can assign that user to his or her own group.
Per-User or Per-Group Features
You can configure most features at both group and user levels, with the following exceptions:
User level only—Static IP address, password, and expiration.
Group level only—Password aging and time-of-day/day-of-week restrictions.
User Data Configuration Options
The Configure User Defined Fields page enables you to add (or edit) up to five fields for recording information on each user. The fields you define in this section subsequently appear in the Supplementary User Information section at the top of the User Setup page. For example, you could add the user's company name, telephone number, department, billing code, and so on. You can also include these fields in the accounting logs. For more information about the accounting logs, see About Cisco Secure ACS Logs and Reports, page 9-4. For information on the data fields that compose the user data options, see User-Defined Attributes, page F-35.
Defining New User Data Fields
To configure new user data fields, follow these steps:
Step 1 Click Interface Configuration, and then click User Data Configuration.
Result: The Configure User Defined Fields page appears. Check boxes in the Display column indicate which fields are configured to appear in the Supplementary User Information section at the top of the User Setup page.
Step 2 Select a check box in the Display column.
Step 3 In the corresponding Field Title box, type a title for the new field.
Step 4 To configure another field, repeat Step 2 and Step 3.
Step 5 When you have finished configuring new user data fields, click Submit.
Tip You can change the title of a field by editing the text in the Field Title box and then clicking Submit. For the change to take effect, you must restart the Cisco Secure ACS services by clicking Restart at the bottom of the Service Control page in the System Configuration section and then stopping and restarting the CSAdmin service by using the Services section of the Administrative Tools folder in Windows Control Panel. Restarting Cisco Secure ACS-related Windows services should be done during off hours because it briefly interrupts authentication, authorization, and accounting.
Advanced Options
The Advanced Options page enables you to determine which advanced features Cisco Secure ACS displays. You can simplify the pages displayed in other areas of the Cisco Secure ACS HTML interface by hiding advanced features that you do not use.
Caution Disabling an advanced feature in the Interface Configuration section does not affect anything except the display of that feature in the HTML interface. Settings made while an advanced feature was displayed remain in effect when that advanced feature is no longer displayed. Further, the interface displays any advanced feature that has non-default settings, even if you have configured that advanced feature to be hidden. If you later disable the feature or delete its settings, Cisco Secure ACS hides the advanced feature. The only exception is the Network Device Groups feature. Regardless of whether Network Device Groups are in use, they are hidden when deselected on the Advanced Options page.
The advanced option features include the following:
Per-User TACACS+/RADIUS Attributes—When selected, this feature enables TACACS+/RADIUS attributes to be set at a per-user level, in addition to being set at the group level.
User-Level Shared Network Access Restrictions—When selected, this feature enables the Shared Profile Component network access restrictions (NARs) options on the User Setup page. These options allow you to apply previously configured, named, IP-based and CLID/DNIS-based NARs at the user level. For information on defining a NAR, or NAR set, within Shared Profile Components, see Shared Network Access Restrictions Configuration, page 5-8.
User-Level Network Access Restrictions—When selected, this feature enables the two sets of options for defining user-level, IP-based and CLI/DNIS-based NARs on the User Setup page.
User-Level Downloadable ACLs—When selected, this feature enables the Downloadable ACLs (access control lists) section on the User Setup page.
Default Time-of-Day/Day-of-Week Specification—When selected, this feature enables the default time-of-day/day-of-week access settings grid on the Group Setup page.
Group-Level Shared Network Access Restrictions—When selected, this feature enables the Shared Profile Component NAR options on the Group Setup page. These options allow you to apply previously configured, named, IP-based and CLID/DNIS-based NARs at the group level. For information on defining a NAR, or NAR set, within Shared Profile Components, see Shared Network Access Restrictions Configuration, page 5-8.
Group-Level Network Access Restrictions—When selected, this feature enables the two sets of options for defining group-level, IP-based and CLI/DNIS-based NARs on the Group Setup page.
Group-Level Downloadable ACLs—When selected, this feature enables the Downloadable ACLs section on the Group Setup page.
Group-Level Password Aging—When selected, this feature enables the Password Aging section on the Group Setup page. The Password Aging feature enables you to force users to change their passwords.
Max Sessions—When selected, this feature enables the Max Sessions section on the User Setup and Group Setup pages. The Max Sessions option sets the maximum number of simultaneous connections for a group or a user.
Usage Quotas—When selected, this feature enables the Usage Quotas sections on the User Setup and Group Setup pages. The Usage Quotas option sets one or more quotas for usage by a group or a user.
Distributed System Settings—When selected, this feature displays the AAA server and proxy table on the Network Interface page. If the tables have information other than the defaults in them, they always appear.
Remote Logging—When selected, this feature enables the Remote Logging feature on the Logging page of the System Configuration section.
Cisco Secure ACS Database Replication—When selected, this feature enables the Cisco Secure ACS database replication information on the System Configuration page.
RDBMS Synchronization—When selected, this feature enables the RDBMS (Relational Database Management System) Synchronization option on the System Configuration page. If RDBMS Synchronization is configured, this option always appears.
IP Pools—When selected, this feature enables the IP Pools Address Recovery and IP Pools Server options on the System Configuration page.
Network Device Groups—When selected, this option enables network device groups (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers). This feature is useful if you have many devices to administer.
Voice over IP (VoIP) Group Settings—When selected, this feature enables the VoIP option on the Group Setup page.
Voice-over-IP (VoIP) Accounting Configuration—When selected, this feature enables the VoIP Accounting Configuration option on the System Configuration page. This option is used to determine the logging format of RADIUS VoIP accounting packets.
ODBC Logging—When selected, this feature enables the ODBC logging sections on the Logging page of the System Configuration section.
Setting Advanced Options for the Cisco Secure ACS User Interface
To set advanced options for the Cisco Secure ACS HTML interface, follow these steps:
Step 1 Click Interface Configuration, and then click Advanced Options.
Result: The Advanced Options table appears.
Step 2 Select each option that you want displayed (enabled) in the Cisco Secure ACS HTML interface.
Caution As described in the caution at the start of this section, deselecting an advanced feature here only hides it; settings made while the feature was displayed remain in effect, and a feature with non-default settings stays visible (Network Device Groups excepted).
Step 3 When you have finished making selections, click Submit.
Result: Cisco Secure ACS alters the contents of various sections of the HTML interface according to the selections you have made.
Protocol Configuration Options for TACACS+
The TACACS+ (Cisco) page details the configuration of the Cisco Secure ACS HTML interface for TACACS+ settings. The interface settings enable you to display or hide TACACS+ administrative and accounting options. You can simplify the HTML interface by hiding the features that you do not use.
The TACACS+ (Cisco) page comprises three distinct areas, as follows:
Tip The default interface setting presents a single column of check boxes, at the group level only, for selecting TACACS+ Services Settings and New Service Settings. To view two columns of check boxes that enable you to configure settings at the Group level or the User level, you must have enabled the Per-user TACACS+/RADIUS Attributes option on the Advanced Options page of the Interface Configuration section.
TACACS+ Services Settings—In this area is a list of the most commonly used services and protocols for TACACS+. You select each TACACS+ service that you want to appear as a configurable option on either the User Setup page or Group Setup page.
New Services—In this area you can enter any services or protocols particular to your network configuration.
Note If you have configured Cisco Secure ACS to interact with device management applications for other Cisco products, such as a Management Center for PIX Firewall, Cisco Secure ACS may display new TACACS+ services as dictated by these device management applications. To ensure the proper functioning of Cisco Secure ACS, of the device management applications with which Cisco Secure ACS interacts, and of the Cisco network devices managed by those applications, do not change or delete automatically generated TACACS+ service types.
Advanced Configuration Options—In this area you can add more detailed information for even more tailored configurations. The four items you can choose to hide or display are as follows:
Advanced TACACS+ Features—This option displays or hides the Advanced TACACS+ Options section on the User Setup page. These options include Privilege Level Authentication and Outbound Password Configuration for SENDPASS and SENDAUTH clients, such as routers.
Display a Time-of-Day access grid for every TACACS+ service where you can override the default Time-of-Day settings—If this option is selected, a grid appears on the User Setup page that enables you to override the TACACS+ scheduling attributes on the Group Setup page.
You can control the use of each TACACS+ service by the time of day and day of week. For example, you can restrict Exec (Telnet) access to business hours but permit PPP-IP access at any time.
The default setting is to control time-of-day access for all services as part of authentication. However, you can override the default and display a time-of-day access grid for every service. This keeps user and group setup easy to manage, while making this feature available for the most sophisticated environments. This feature applies only to TACACS+ because TACACS+ can separate the authentication and authorization processes. RADIUS time-of-day access applies to all services. If both TACACS+ and RADIUS are used simultaneously, the default time-of-day access applies to both. This provides a common method to control access regardless of the access control protocol.
Display a window for each service selected in which you can enter customized TACACS+ attributes—If this option is selected, an area appears on the User Setup and Group Setup pages that enables you to enter custom TACACS+ attributes.
Cisco Secure ACS can also display a custom command field for each service. This text field enables you to make specialized configurations to be downloaded for a particular service for users in a particular group.
You can use this feature to send many TACACS+ commands to the access device for the service, provided that the device supports the command and that the command syntax is correct. This feature is disabled by default, but you can enable it the same way you enable attributes and time-of-day access.
Display enable Default (Undefined) Service Configuration—If this check box is selected, an area appears on the User Setup and Group Setup pages that enables you to permit unknown TACACS+ services, such as Cisco Discovery Protocol (CDP). Because the default (undefined) service matches any service request from the AAA client that you have not configured explicitly, permitting it broadens what a user or group is authorized for beyond the services you have listed.
Note This option should be used by advanced system administrators only.
Note Customized settings at the user level take precedence over settings at the group level.
Setting Options for TACACS+
This procedure enables you to display or hide TACACS+ administrative and accounting options. It is unlikely that you will use every service and protocol available for TACACS+. Displaying each would make setting up a user or group cumbersome. To simplify setup, you can use the TACACS+ (Cisco IOS) Edit page to customize the services and protocols that appear.
To configure the user interface for TACACS+ options, follow these steps:
Note The Cisco Secure ACS HTML interface displays any protocol option that is enabled or has non-default values, even if you have configured that protocol option to be hidden. If you later disable the option or delete its value and the protocol option is configured to be hidden, Cisco Secure ACS hides the protocol option. This behavior prevents Cisco Secure ACS from hiding active settings.
Step 1 Click Interface Configuration, and then click TACACS+ (Cisco IOS).
Result: The TACACS+ (Cisco) page appears.
Step 2 In the TACACS+ Services table, select the check box for each TACACS+ service you want displayed on the applicable setup page.
Step 3 To add new services and protocols, follow these steps:
a. In the New Services section of the TACACS+ Services table, type in any Service and Protocol to be added.
Note As noted under New Services above, do not change or delete TACACS+ service types that Cisco Secure ACS generated automatically for device management applications such as a Management Center for PIX Firewall; those applications and the devices they manage depend on them.
b. Select the appropriate check box to select those that should be displayed for configuration either under User Setup, or Group Setup, or both.
Step 4 In the Advanced Configuration Options section, select the check boxes of the display options you want to enable.
Step 5 When you have finished setting TACACS+ interface display options, click Submit.
Result: The selections made in this procedure determine what TACACS+ options Cisco Secure ACS displays in other sections of the HTML interface.
Protocol Configuration Options for RADIUS
It is unlikely that you would want to install every attribute available for every protocol. Displaying each would make setting up a user or group very cumbersome. To simplify setup, this section allows you to customize the attributes that are displayed. For a list of supported RADIUS AV pairs and accounting AV pairs, see Appendix C, RADIUS Attributes.
Depending on which AAA client or clients you have configured, the Interface Configuration page displays different types of RADIUS protocol configuration settings choices. The Interface Configuration page displays RADIUS IETF settings whenever any RADIUS AAA client is configured. The Interface Configuration page also displays additional settings for each vendor-specific RADIUS type. The settings that appear for various types of AAA client depend on what settings that type of device can employ. These combinations are detailed in Table 3-1 as follows:
Table 3-1 RADIUS Listings in Interface

Settings-type columns: (1) RADIUS (IETF), (2) RADIUS (Cisco Aironet), (3) RADIUS (BBSM), (4) RADIUS (Cisco IOS/PIX), (5) RADIUS (Microsoft), (6) RADIUS (Ascend), (7) RADIUS (Cisco VPN 3000), (8) RADIUS (Cisco VPN 5000), (9) RADIUS (Juniper), (10) RADIUS (Nortel)

Configure this type of AAA client...   ...and the Interface Configuration page lists these types of settings
                                       (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)  (9)  (10)
RADIUS (IETF)                          Yes  No   No   No   No   No   No   No   No   No
RADIUS (Cisco Aironet)                 Yes  Yes  No   Yes  No   No   No   No   No   No
RADIUS (BBSM)                          Yes  No   Yes  No   No   No   No   No   No   No
RADIUS (Cisco IOS/PIX)                 Yes  No   No   Yes  Yes  Yes  No   No   No   No
RADIUS (Ascend)                        Yes  No   No   No   Yes  Yes  No   No   No   No
RADIUS (Cisco VPN 3000)                Yes  No   No   No   Yes  No   Yes  No   No   No
RADIUS (Cisco VPN 5000)                Yes  No   No   No   No   No   No   Yes  No   No
RADIUS (Juniper)                       Yes  No   No   No   No   No   No   No   Yes  No
RADIUS (Nortel)                        Yes  No   No   No   No   No   No   No   No   Yes
RADIUS (iPass)                         Yes  No   No   No   No   No   No   No   No   No
Tip You must have your network devices configured before you can select, on the Interface Configuration page, a type of setting for further configuration.
From the Interface Configuration page, when you click to select a type of RADIUS setting to configure, the HTML interface displays the corresponding list of available RADIUS attributes and associated check boxes. If you have selected the Per-user TACACS+/RADIUS Attributes check box in Interface Configuration: Advanced Options, a User check box appears alongside the Group check box for each attribute. Otherwise, only the Group check box for each attribute appears. By selecting check boxes in a list of attributes, you determine whether the corresponding (IETF) RADIUS attribute or vendor-specific attribute (VSA) is configurable from the User Setup and Group Setup sections.
Details regarding the types of RADIUS settings pages follow:
(IETF) RADIUS Settings—This page lists attributes available for (IETF) RADIUS. These standard (IETF) RADIUS attributes are available for any network device configuration when using RADIUS. If you want to use IETF attribute number 26 (for VSAs), select Interface Configuration and then RADIUS for the vendors whose network devices you use. Attributes for (IETF) RADIUS and the VSA for each RADIUS network device vendor supported by Cisco Secure ACS appear in User Setup or Group Setup.
Note The RADIUS (IETF) attributes are shared with RADIUS VSAs. You must configure the first RADIUS attributes from RADIUS (IETF) for the RADIUS vendor.
The Tags to Display Per Attribute option (located under Advanced Configuration Options) enables you to specify how many values to display for tagged attributes on the User Setup and Group Setup pages. Examples of tagged attributes include [064]Tunnel-Type and [069]Tunnel-Password.
For detailed procedural information, see Setting Protocol Configuration Options for IETF RADIUS Attributes, page 3-15.
RADIUS (Cisco IOS/PIX) Settings—This section allows you to enable the specific attributes for RADIUS (Cisco IOS/PIX). Selecting the first attribute listed under RADIUS (Cisco IOS/PIX), 026/009/001, displays an entry field under User Setup and/or Group Setup in which any TACACS+ commands can be entered to fully leverage TACACS+ in a RADIUS environment. For detailed procedural information, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
RADIUS (Cisco Aironet) Settings—This section allows you to enable the specific attribute for RADIUS (Cisco Aironet). The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a specialized implementation of the IETF RADIUS Session-Timeout attribute (27). When Cisco Secure ACS responds to an authentication request from a Cisco Aironet Access Point and the Cisco-Aironet-Session-Timeout attribute is configured, Cisco Secure ACS sends to the wireless device this value in the IETF Session-Timeout attribute. This enables you to provide different session timeout values for wireless and wired end-user clients. For detailed procedural information, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
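The three attribute styles named in the preceding items (a plain IETF attribute such as Session-Timeout (27), a vendor-specific attribute carried inside IETF attribute 26 with the 026/009/001 style of numbering, and a tagged attribute such as [064]Tunnel-Type) differ in how they are laid out on the wire. The following Python is an added example, not code from the Cisco Secure ACS guide or from Cisco: it packs one constructed Access-Accept attribute list in all three styles and parses it back, rejecting malformed length fields rather than looping on them. It assumes that the "009" in 026/009/001 is IANA enterprise number 9 (Cisco) and that vendor-type 1 is the cisco-av-pair sub-attribute; the av-pair string and the tag value are constructed sample data.

```python
"""Added example (not from the Cisco Secure ACS guide): RADIUS attribute
packing and parsing for plain, vendor-specific (attribute 26) and tagged
(RFC 2868) attributes."""
import struct

# Attribute numbers named on the page (RFC 2865 / RFC 2868).
VENDOR_SPECIFIC = 26   # "IETF attribute number 26 (for VSAs)"
SESSION_TIMEOUT = 27   # IETF Session-Timeout
TUNNEL_TYPE = 64       # [064]Tunnel-Type, tagged
TUNNEL_PASSWORD = 69   # [069]Tunnel-Password, tagged

# Assumption: "026/009/001" is attribute 26, vendor 9 (IANA enterprise
# number for Cisco), vendor-type 1 (cisco-av-pair).
VENDOR_CISCO = 9
CISCO_AVPAIR = 1

TAGGED = {TUNNEL_TYPE, TUNNEL_PASSWORD}
MAX_VALUE = 253  # an attribute is at most 255 bytes including its 2-byte header


def encode_attr(attr_type, value):
    """Type-Length-Value; the length counts the two header bytes."""
    if not 0 <= attr_type <= 255 or len(value) > MAX_VALUE:
        raise ValueError("attribute does not fit RADIUS TLV limits")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_integer(attr_type, n):
    return encode_attr(attr_type, struct.pack("!I", n))


def encode_vsa(vendor_id, vendor_type, data):
    """Wrap a vendor sub-attribute inside IETF attribute 26."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def encode_tagged_integer(attr_type, tag, n):
    """RFC 2868 tagged integer: one tag byte (0x01..0x1F), then a 3-byte value."""
    if not 1 <= tag <= 0x1F or not 0 <= n < (1 << 24):
        raise ValueError("tag or value out of range")
    return encode_attr(attr_type, bytes([tag]) + struct.pack("!I", n)[1:])


def parse_vsa(value):
    """Split the body of attribute 26 into ("vsa", vendor, vendor_type, data)."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor = struct.unpack("!I", value[:4])[0]
    out, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated vendor sub-attribute")
        vt, vl = value[i], value[i + 1]
        if vl < 2 or i + vl > len(value):
            raise ValueError("bad vendor sub-attribute length")
        out.append(("vsa", vendor, vt, value[i + 2:i + vl]))
        i += vl
    return out


def parse_attrs(buf):
    """Walk a TLV list and return ("attr"|"vsa"|"tagged", ...) tuples.
    A zero or oversized length is an error, never a silent skip."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        v = buf[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            out.extend(parse_vsa(v))
        elif t in TAGGED and v:
            # RFC 2868: a first byte above 0x1F means the value is untagged.
            if v[0] <= 0x1F:
                out.append(("tagged", t, v[0], v[1:]))
            else:
                out.append(("tagged", t, None, v))
        else:
            out.append(("attr", t, v))
        i += length
    return out


def build_sample_reply():
    """Constructed Access-Accept attribute list covering all three styles."""
    return (
        encode_integer(SESSION_TIMEOUT, 3600)
        + encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:priv-lvl=15")  # sample av-pair
        + encode_tagged_integer(TUNNEL_TYPE, 1, 3)  # tag 1, value 3 = L2TP (RFC 2868)
    )


if __name__ == "__main__":
    for item in parse_attrs(build_sample_reply()):
        print(item)
```

The parser shows why the ACS labels look the way they do: a VSA is addressed by three numbers (IETF attribute, vendor, vendor-type) because two length-prefixed layers sit inside attribute 26, while a tagged attribute spends its first value byte on the tag that groups related tunnel attributes, which is what the Tags to Display Per Attribute option counts. Tunnel-Password additionally salt-encrypts its value with the shared secret, which this example does not implement.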
RADIUS (Ascend) Settings—From this section you enable the RADIUS VSAs for RADIUS (Ascend). This page appears if you have configured a RADIUS (Ascend) or a RADIUS (Cisco IOS/PIX) device. For detailed procedures, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
RADIUS (Cisco VPN 3000) Settings—From this section you enable the RADIUS VSAs for RADIUS (Cisco VPN 3000). For detailed procedures, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
RADIUS (Cisco VPN 5000) Settings—From this section you enable the RADIUS VSAs for RADIUS (Cisco VPN 5000). For detailed procedures, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
RADIUS (Microsoft) Settings—From this section you enable the RADIUS VSAs for RADIUS (Microsoft). This page appears if you configure a RADIUS (Ascend), or a RADIUS (VPN 3000), or a RADIUS (Cisco IOS/PIX) device. For detailed procedures, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
RADIUS (Nortel) Settings—From this section you enable the RADIUS VSAs for RADIUS (Nortel). For detailed procedures, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
RADIUS (Juniper) Settings—From this section you enable the RADIUS VSAs for RADIUS (Juniper). For detailed procedures, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
RADIUS (BBSM) Settings—From this section you enable the RADIUS VSAs for RADIUS Building Broadband Service Manager (BBSM). For detailed procedures, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-16.
While Cisco Secure ACS ships with these listed VSAs prepackaged, it also enables you to define and configure custom attributes for any VSA set not already contained in Cisco Secure ACS. If you have configured a custom VSA and a corresponding AAA client, from the Interface Configuration section you can select the custom VSA and then set the options for how particular attributes