User Guide for Cisco Secure ACS
for Windows Server
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7814696=
Text Part Number: 78-14696-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet
Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet,
TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The
Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA,
CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco
Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack,
IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S.
and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0206R)
User Guide for Cisco Secure ACS for Windows Server
Cisco TAC Web Site xxxii
Cisco TAC Escalation Center xxxiii
CHAPTER 1 Overview of Cisco Secure ACS 1-1
The Cisco Secure ACS Paradigm 1-1
Cisco Secure ACS Specifications 1-2
System Performance Specifications 1-3
Cisco Secure ACS Windows Services 1-4
AAA Server Functions and Concepts 1-5
Cisco Secure ACS and the AAA Client 1-5
78-14696-01, Version 3.1
Contents
AAA Protocols—TACACS+ and RADIUS 1-6
TACACS+ 1-6
RADIUS 1-6
Authentication 1-7
Authentication Considerations 1-8
Authentication and User Databases 1-8
Authentication Protocol-Database Compatibility 1-9
Passwords 1-10
Other Authentication-Related Features 1-15
Authorization 1-15
Max Sessions 1-16
Dynamic Usage Quotas 1-17
Shared Profile Components 1-17
Support for Cisco Device-Management Applications 1-18
Other Authorization-Related Features 1-19
Accounting 1-20
Other Accounting-Related Features 1-20
Administration 1-21
HTTP Port Allocation for Remote Administrative Sessions 1-21
Network Device Groups 1-22
Other Administration-Related Features 1-22
Cisco Secure ACS HTML Interface 1-23
About the Cisco Secure ACS HTML Interface 1-23
HTML Interface Security 1-24
HTML Interface Layout 1-25
Uniform Resource Locator for the HTML Interface 1-26
Network Environments and Remote Administrative Sessions 1-27
Remote Administrative Sessions and HTTP Proxy 1-27
Remote Administrative Sessions through Firewalls 1-28
Remote Administrative Sessions through a NAT Gateway 1-28
Accessing the HTML Interface 1-29
Logging Off the HTML Interface 1-29
Online Help and Online Documentation 1-30
Using Online Help 1-30
Using the Online Documentation 1-31
CHAPTER 2 Deploying Cisco Secure ACS 2-1
Basic Deployment Requirements for Cisco Secure ACS 2-2
System Requirements 2-2
Hardware Requirements 2-2
Operating System Requirements 2-2
Third-Party Software Requirements 2-3
Network Requirements 2-4
Separation of Administrative and General Users 2-16
Number of Users 2-17
Type of Database 2-17
CHAPTER 3 Setting Up the Cisco Secure ACS HTML Interface 3-1
Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3
Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-10
Setting Protocol Configuration Options for IETF RADIUS Attributes 3-15
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes 3-16
CHAPTER 4 Setting Up and Managing Network Configuration 4-1
About Network Configuration 4-2
About Distributed Systems 4-3
AAA Servers in Distributed Systems 4-3
Default Distributed System Settings 4-4
Proxy in Distributed Systems 4-4
Fallback on Failed Connection 4-6
Character String 4-6
Stripping 4-6
Proxy in an Enterprise 4-7
Remote Use of Accounting Packets 4-7
Other Features Enabled by System Distribution 4-8
Network Device Searches 4-8
Network Device Search Criteria 4-9
Searching for Network Devices 4-10
AAA Client Configuration 4-11
AAA Client Configuration Options 4-11
Adding a AAA Client 4-15
Editing a AAA Client 4-18
Deleting a AAA Client 4-19
AAA Server Configuration 4-20
AAA Server Configuration Options 4-21
Adding a AAA Server 4-23
Editing a AAA Server 4-25
Deleting a AAA Server 4-27
Network Device Group Configuration 4-27
Adding a Network Device Group 4-28
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-29
Reassigning a AAA Client or AAA Server to an NDG 4-30
Renaming a Network Device Group 4-31
Deleting a Network Device Group 4-31
Proxy Distribution Table Configuration 4-32
About the Proxy Distribution Table 4-32
Adding a New Proxy Distribution Table Entry 4-33
Sorting the Character String Match Order of Distribution Entries 4-35
Editing a Proxy Distribution Table Entry 4-35
Deleting a Proxy Distribution Table Entry 4-36
CHAPTER 5 Setting Up and Managing Shared Profile Components 5-1
About Shared Profile Components 5-1
Downloadable PIX ACLs 5-2
About Downloadable PIX ACLs 5-2
Downloadable PIX ACL Configuration 5-4
Adding a Downloadable PIX ACL 5-4
Editing a Downloadable PIX ACL 5-5
Deleting a Downloadable PIX ACL 5-5
Network Access Restrictions 5-6
About Network Access Restrictions 5-6
Shared Network Access Restrictions Configuration 5-8
Adding a Shared Network Access Restriction 5-9
Editing a Shared Network Access Restriction 5-11
Deleting a Shared Network Access Restriction 5-13
Command Authorization Sets 5-13
About Command Authorization Sets 5-14
About Pattern Matching 5-15
Command Authorization Sets Configuration 5-16
Adding a Command Authorization Set 5-16
Editing a Command Authorization Set 5-19
Deleting a Command Authorization Set 5-20
CHAPTER 6 Setting Up and Managing User Groups 6-1
User Group Setup Features and Functions 6-2
Default Group 6-2
Group TACACS+ Settings 6-2
Common User Group Settings 6-3
Enabling VoIP Support for a User Group 6-4
Setting Default Time-of-Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-6
Setting Network Access Restrictions for a User Group 6-7
Setting Max Sessions for a User Group 6-11
Setting Usage Quotas for a User Group 6-13
Configuration-specific User Group Settings 6-15
Setting Token Card Settings for a User Group 6-16
Setting Enable Privilege Options for a User Group 6-18
Enabling Password Aging for the CiscoSecure User Database 6-20
Enabling Password Aging for Users in Windows Databases 6-25
Setting IP Address Assignment Method for a User Group 6-27
Assigning a Downloadable PIX ACL to a Group 6-28
Configuring TACACS+ Settings for a User Group 6-29
Configuring a Shell Command Authorization Set for a User Group 6-31
Configuring a PIX Command Authorization Set for a User Group 6-33
Configuring Device-Management Command Authorization for a User Group 6-35
Configuring IETF RADIUS Settings for a User Group 6-37
Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-38
Configuring Cisco Aironet RADIUS Settings for a User Group 6-39
Configuring Ascend RADIUS Settings for a User Group 6-41
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-42
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-43
Configuring Microsoft RADIUS Settings for a User Group 6-45
Configuring Nortel RADIUS Settings for a User Group 6-46
Configuring Juniper RADIUS Settings for a User Group 6-48
Configuring BBSM RADIUS Settings for a User Group 6-49
Configuring Custom RADIUS VSA Settings for a User Group 6-50
Group Setting Management 6-51
Listing Users in a User Group 6-52
Resetting Usage Quota Counters for a User Group 6-52
Renaming a User Group 6-53
Saving Changes to User Group Settings 6-53
CHAPTER 7 Setting Up and Managing User Accounts 7-1
User Setup Features and Functions 7-2
About User Databases 7-2
Basic User Setup Options 7-4
Adding a Basic User Account 7-5
Setting Supplementary User Information 7-7
Setting a Separate CHAP/MS-CHAP/ARAP Password 7-8
Assigning a User to a Group 7-9
Setting User Callback Option 7-10
Assigning a User to a Client IP Address 7-11
Setting Network Access Restrictions for a User 7-12
Setting Max Sessions Options for a User 7-16
Setting User Usage Quotas Options 7-18
Setting Options for User Account Disablement 7-20
Assigning a PIX ACL to a User 7-21
Advanced User Authentication Settings 7-22
TACACS+ Settings (User) 7-22
Configuring TACACS+ Settings for a User 7-23
Configuring a Shell Command Authorization Set for a User 7-25
Configuring a PIX Command Authorization Set for a User 7-28
Configuring Device Management Command Authorization for a User 7-30
Configuring the Unknown Service Setting for a User 7-32
Advanced TACACS+ Settings (User) 7-33
Setting Enable Privilege Options for a User 7-33
Setting TACACS+ Enable Password Options for a User 7-35
Setting TACACS+ Outbound Password for a User 7-36
RADIUS Attributes 7-37
Setting IETF RADIUS Parameters for a User 7-38
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-39
Setting Cisco Aironet RADIUS Parameters for a User 7-40
Setting Ascend RADIUS Parameters for a User 7-42
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-43
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-45
Setting Microsoft RADIUS Parameters for a User 7-46
Setting Nortel RADIUS Parameters for a User 7-48
Setting Juniper RADIUS Parameters for a User 7-49
Setting BBSM RADIUS Parameters for a User 7-51
Setting Custom RADIUS Attributes for a User 7-52
User Management 7-53
Listing All Users 7-54
Finding a User 7-54
Disabling a User Account 7-55
Deleting a User Account 7-56
Resetting User Session Quota Counters 7-57
Resetting a User Account after Login Failure 7-58
Saving User Settings 7-59
CHAPTER 8 Establishing Cisco Secure ACS System Configuration 8-1
Service Control 8-2
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Local Password Management 8-5
Configuring Local Password Management 8-7
CiscoSecure Database Replication 8-9
About CiscoSecure Database Replication 8-9
Replication Process 8-12
Replication Frequency 8-14
Important Implementation Considerations 8-15
Database Replication Versus Database Backup 8-16
Database Replication Logging 8-17
Replication Options 8-17
Replication Components Options 8-17
Outbound Replication Options 8-18
Inbound Replication Options 8-20
Implementing Primary and Secondary Replication Setups on
Custom RADIUS Vendors and VSAs 8-33
RDBMS Synchronization Components 8-33
About CSDBSync 8-33
About the accountActions Table 8-34
Cisco Secure ACS Database Recovery Using the accountActions Table 8-36
Reports and Event (Error) Handling 8-37
Preparing to Use RDBMS Synchronization 8-37
Considerations for Using CSV-Based Synchronization 8-38
Preparing for CSV-Based Synchronization 8-39
Configuring a System Data Source Name for RDBMS Synchronization 8-40
RDBMS Synchronization Options 8-41
RDBMS Setup Options 8-41
Synchronization Scheduling Options 8-42
Synchronization Partners Options 8-42
Performing RDBMS Synchronization Immediately 8-43
Scheduling RDBMS Synchronization 8-44
Disabling Scheduled RDBMS Synchronizations 8-46
Cisco Secure ACS Backup 8-47
About Cisco Secure ACS Backup 8-47
Backup File Locations 8-48
Directory Management 8-48
Components Backed Up 8-48
Reports of Cisco Secure ACS Backups 8-49
Backup Options 8-49
Performing a Manual Cisco Secure ACS Backup 8-50
Scheduling Cisco Secure ACS Backups 8-50
Disabling Scheduled Cisco Secure ACS Backups 8-51
Cisco Secure ACS System Restore 8-52
About Cisco Secure ACS System Restore 8-52
Backup File Names and Locations 8-53
Components Restored 8-54
Reports of Cisco Secure ACS Restorations 8-54
Restoring Cisco Secure ACS from a Backup File 8-54
Cisco Secure ACS Active Service Management 8-55
System Monitoring 8-56
System Monitoring Options 8-56
Setting Up System Monitoring 8-57
Event Logging 8-58
Setting Up Event Logging 8-58
IP Pools Server 8-59
About IP Pools Server 8-60
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 8-61
Refreshing the AAA Server IP Pools Table 8-62
Adding a New IP Pool 8-63
Editing an IP Pool Definition 8-64
Resetting an IP Pool 8-65
Deleting an IP Pool 8-66
IP Pools Address Recovery 8-67
Enabling IP Pool Address Recovery 8-67
VoIP Accounting Configuration 8-68
Configuring VoIP Accounting 8-68
Cisco Secure ACS Certificate Setup 8-69
Background on Protocols and Certification 8-69
Digital Certificates 8-69
About the EAP-TLS Protocol 8-70
About the PEAP Protocol 8-72
Installing a Cisco Secure ACS Server Certificate 8-74
Adding a Certificate Authority Certificate 8-76
Editing the Certificate Trust List 8-77
Generating a Cer tificate Signing Request 8-78
Updating or Replacing a Cisco Secure ACS Certificate 8-80
Global Authentication Setup 8-81
Configuring Authentication Options 8-81
CHAPTER 9 Working with Logging and Reports 9-1
Logging Formats 9-1
Special Logging Attributes 9-2
Update Packets In Accounting Logs 9-4
About Cisco Secure ACS Logs and Reports 9-4
Viewing the Disabled Accounts Report 9-10
Cisco Secure ACS System Logs 9-11
Configuring the Administration Audit Log 9-12
Working with CSV Logs 9-13
CSV Log File Names 9-13
CSV Log File Locations 9-13
Enabling or Disabling a CSV Log 9-14
Viewing a CSV Report 9-15
Configuring a CSV Log 9-16
Working with ODBC Logs 9-19
Preparing for ODBC Logging 9-19
Configuring a System Data Source Name for ODBC Logging 9-20
Configuring an ODBC Log 9-20
Remote Logging 9-23
About Remote Logging 9-23
Implementing Centralized Remote Logging 9-24
Remote Logging Options 9-25
Enabling and Configuring Remote Logging 9-26
Disabling Remote Logging 9-28
Service Logs 9-28
Services Logged 9-29
Configuring Service Logs 9-30
CHAPTER 10 Setting Up and Managing Administrators and Policy 10-1
Administrator Accounts 10-1
About Administrator Accounts 10-2
Administrator Privileges 10-3
Adding an Administrator Account 10-6
Editing an Administrator Account 10-8
Unlocking a Locked Out Administrator Account 10-10
Deleting an Administrator Account 10-11
Access Policy 10-11
Access Policy Options 10-12
Setting Up Access Policy 10-14
Session Policy 10-16
Session Policy Options 10-16
Setting Up Session Policy 10-17
Audit Policy 10-18
CHAPTER 11 Working with User Databases 11-1
CiscoSecure User Database 11-2
About the CiscoSecure User Database 11-2
User Import and Creation 11-3
About External User Databases 11-4
Authenticating with External User Databases 11-5
External User Database Authentication Process 11-6
Windows NT/2000 User Database 11-7
What’s Supported with Windows NT/2000 User Databases 11-8
The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases 11-9
Trust Relationships 11-9
Windows Dial-up Networking Clients 11-10
Windows Dial-up Networking Clients with a Domain Field 11-10
Windows Dial-up Networking Clients without a Domain Field 11-11
Windows Authentication 11-11
User-Changeable Passwords with Windows NT/2000 User Databases 11-13
Preparing Users for Authenticating with Windows NT/2000 11-14
Configuring a Windows NT/2000 External User Database 11-14
Generic LDAP 11-16
Cisco Secure ACS Authentication Process with a Generic LDAP User Database 11-17
Multiple LDAP Instances 11-17
LDAP Organizational Units and Groups 11-18
Domain Filtering 11-18
LDAP Failover 11-20
Successful Previous Authentication with the Primary LDAP Server 11-21
Unsuccessful Previous Authentication with the Primary LDAP Server 11-21
LDAP Configuration Options 11-22
Configuring a Generic LDAP External User Database 11-28
Novell NDS Database 11-33
About Novell NDS User Databases 11-34
User Contexts 11-35
Novell NDS External User Database Options 11-36
Configuring a Novell NDS External User Database 11-37
ODBC Database 11-39
What is Supported with ODBC User Databases 11-40
Cisco Secure ACS Authentication Process with an ODBC External User Database 11-41
Preparing to Authenticate Users with an ODBC-Compliant Relational Database 11-42
Implementation of Stored Procedures for ODBC Authentication 11-43
Type Definitions 11-44
Microsoft SQL Server and Case-Sensitive Passwords 11-44
Sample Routine for Generating a PAP Authentication SQL Procedure 11-45
Sample Routine for Generating an SQL CHAP Authentication Procedure 11-46
PAP Authentication Procedure Input 11-46
PAP Procedure Output 11-47
CHAP/MS-CHAP/ARAP Authentication Procedure Input 11-48
CHAP/MS-CHAP/ARAP Procedure Output 11-48
Result Codes 11-49
Configuring a System Data Source Name for an ODBC External User Database 11-50
Configuring an ODBC External User Database 11-51
LEAP Proxy RADIUS Server Database 11-54
Configuring a LEAP Proxy RADIUS Server External User Database 11-55
Token Server User Databases 11-57
About Token Servers and Cisco Secure ACS 11-57
Token Servers and ISDN 11-58
RADIUS-Enabled Token Servers 11-59
About RADIUS-Enabled Token Servers 11-59
Token Server RADIUS Authentication Request and Response Contents 11-60
Configuring a RADIUS Token Server External User Database 11-60
RSA SecurID Token Servers 11-64
Configuring an RSA SecurID Token Server External User Database 11-65
Deleting an External User Database Configuration 11-66
CHAPTER 12 Administering External User Databases 12-1
Unknown User Processing 12-1
Known, Unknown, and Discovered Users 12-2
General Authentication Request Handling and Rejection Mode 12-3
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database 12-4
Windows Authentication with a Domain Specified 12-5
Windows Authentication with Domain Omitted 12-6
Performance of Unknown User Authentication 12-7
Added Latency 12-7
Authentication Timeout Value on AAA clients 12-7
Network Access Authorization 12-8
Unknown User Policy 12-8
Database Search Order 12-9
Configuring the Unknown User Policy 12-9
Turning off External User Database Authentication 12-11
Database Group Mappings 12-11
Group Mapping by External User Database 12-12
Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 12-13
Group Mapping by Group Set Membership 12-14
Group Mapping Order 12-15
No Access Group for Group Set Mappings 12-15
Default Group Mapping for Windows NT/2000 12-16
Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups 12-16
Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-18
Deleting a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-20
Deleting a Windows NT/2000 Domain Group Mapping Configuration 12-20
Changing Group Set Mapping Order 12-21
RADIUS-Based Group Specification 12-22
APPENDIX A Troubleshooting Information for Cisco Secure ACS A-1
TACACS+ AV Pairs B-2
TACACS+ Accounting AV Pairs B-4
APPENDIX C RADIUS Attributes C-1
Cisco IOS Dictionary of RADIUS AV Pairs C-2
Cisco IOS/PIX Dictionary of RADIUS VSAs C-5
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs C-7
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs C-11
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA C-12
IETF Dictionary of RADIUS AV Pairs C-12
Microsoft MPPE Dictionary of RADIUS VSAs C-27
Ascend Dictionary of RADIUS AV Pairs C-30
Nortel Dictionary of RADIUS VSAs C-42
Juniper Dictionary of RADIUS VSAs C-43
Location of CSUtil.exe and Related Files D-2
CSUtil.exe Syntax D-2
CSUtil.exe Options D-3
Backing Up Cisco Secure ACS with CSUtil.exe D-4
Restoring Cisco Secure ACS with CSUtil.exe D-5
Creating a CiscoSecure User Database D-7
Creating a Cisco Secure ACS Database Dump File D-8
Loading the Cisco Secure ACS Database from a Dump File D-9
Compacting the CiscoSecure User Database D-11
User and AAA Client Import Option D-13
Importing User and AAA Client Information D-13
User and AAA Client Import File Format D-15
About User and AAA Client Import File Format D-15
ONLINE or OFFLINE Statement D-15
ADD Statements D-16
UPDATE Statements D-18
DELETE Statements D-20
ADD_NAS Statements D-21
DEL_NAS Statements D-22
Import File Example D-23
Exporting User List to a Text File D-23
Exporting Group Information to a Text File D-24
Exporting Registry Information to a Text File D-25
Decoding Error Numbers D-26
Recalculating CRC Values D-27
User-Defined RADIUS Vendors and VSA Sets D-27
About User-Defined RADIUS Vendors and VSA Sets D-28
Adding a Custom RADIUS Vendor and VSA Set D-28
Deleting a Custom RADIUS Vendor and VSA Set D-30
Listing Custom RADIUS Vendors D-31
Exporting Custom RADIUS Vendor and VSA Sets D-32
RADIUS Vendor/VSA Import File D-33
About the RADIUS Vendor/VSA Import File D-33
Vendor and VSA Set Definition D-34
Attribute Definition D-35
Enumeration Definition D-37
Example RADIUS Vendor/VSA Import File D-38
APPENDIX E Cisco Secure ACS and Virtual Private Dial-up Networks E-1
VPDN Process E-1
APPENDIX F RDBMS Synchronization Import Definitions F-1
accountActions Specification F-1
accountActions Format F-2
accountActions Mandatory Fields F-3
accountActions Processing Order F-4
Action Codes F-4
Action Codes for Setting and Deleting Values F-5
Action Codes for Creating and Modifying User Accounts F-7
Action Codes for Initializing and Modifying Access Filters F-15
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings
Action Codes for Modifying Network Configuration F-25
Preface
This section discusses the objectives, audience, and organization of the Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 User Guide.
Document Objective
This document will help you configure and use Cisco Secure ACS and its features and utilities.
Audience
This publication is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.
Organization
The Cisco Secure ACS user guide is organized into the following chapters:
•Chapter 1, “Overview of Cisco Secure ACS.” An overview of Cisco Secure ACS and its features, network diagrams, and system requirements.
•Chapter 2, “Deploying Cisco Secure ACS.” A guide to deploying Cisco Secure ACS that includes requirements, options, trade-offs, and suggested sequences.
•Chapter 3, “Setting Up the Cisco Secure ACS HTML Interface.” Concepts and procedures regarding how to use the Interface Configuration section of Cisco Secure ACS to configure the user interface.
•Chapter 4, “Setting Up and Managing Network Configuration.” Concepts and procedures for establishing Cisco Secure ACS network configuration and building a distributed system.
•Chapter 5, “Setting Up and Managing Shared Profile Components.” Concepts and procedures regarding Cisco Secure ACS shared profile components: network access restrictions and device command sets.
•Chapter 6, “Setting Up and Managing User Groups.” Concepts and procedures for establishing and maintaining Cisco Secure ACS user groups.
•Chapter 7, “Setting Up and Managing User Accounts.” Concepts and procedures for establishing and maintaining Cisco Secure ACS user accounts.
•Chapter 8, “Establishing Cisco Secure ACS System Configuration.” Concepts and procedures regarding the System Configuration section of Cisco Secure ACS.
•Chapter 9, “Working with Logging and Reports.” Concepts and procedures regarding Cisco Secure ACS logging and reports.
•Chapter 10, “Setting Up and Managing Administrators and Policy.” Concepts and procedures for establishing and maintaining Cisco Secure ACS administrators.
•Chapter 11, “Working with User Databases.” Concepts and procedures for establishing user databases.
•Chapter 12, “Administering External User Databases.” Concepts and procedures for administering and maintaining user databases external to Cisco Secure ACS.
This guide also comprises the following appendixes:
•Appendix A, “Troubleshooting Information for Cisco Secure ACS.” How to identify and solve certain problems you might have with Cisco Secure ACS.
•Appendix B, “TACACS+ Attribute-Value Pairs.” A list of supported TACACS+ AV pairs and accounting AV pairs.
•Appendix C, “RADIUS Attributes.” A list of supported RADIUS AV pairs
Instructions for using the database import utility, CSUtil, to import an ODBC database, and back up, maintain, or restore the Cisco Secure ACS database.
•Appendix E, “Cisco Secure ACS and Virtual Private Dial-up Networks.” An introduction to Virtual Private Dial-up Networks (VPDN), including stripping and tunneling, with instructions for enabling VPDN on Cisco Secure ACS.
•Appendix F, “RDBMS Synchronization Import Definitions.” A list of import definitions, for use with the RDBMS Synchronization feature.
•Appendix G, “Cisco Secure ACS Internal Architecture.” A description of Cisco Secure ACS architectural components.
Conventions
This guide uses the following typographical conventions:
Table 1 Typographic Conventions
Convention Meaning
Italics Introduces new or important terminology and variable input for commands.
Script Denotes paths, file names, and example screen output. Also denotes Secure Script translations of security policy decision trees.
Bold Identifies special terminology and options that should be selected during procedures.
Tip Means the following information will help you solve a problem. The tip information might not be troubleshooting or even an action, but could be useful information.
Note Means reader take note. Notes contain helpful suggestions or references to materials not covered in the manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage, loss of data, or a breach in your network security.
Warning Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translated versions of the warning, refer to the Regulatory Compliance and Safety document that accompanied the device.
Included in the Cisco Secure ACS HTML interface are two sources of information:
•Online Help contains information for each associated page in the Cisco Secure ACS HTML interface.
•Online Documentation is a complete copy of the User Guide for Cisco Secure ACS for Windows Server.
We recommend that you read Release Notes for Cisco Secure ACS for Windows Server Version 3.1. While a printed copy of this document comes with Cisco Secure ACS, check Cisco.com for the most recent version.
You should also read the README.TXT file for additional important information.
Related Documentation
Cisco Secure ACS includes an installation guide, Installation Guide for Cisco Secure ACS for Windows Server, to help you install the software efficiently and correctly.
Installation and User Guide for Cisco Secure ACS User-Changeable Passwords contains information on installing and configuring the optional user-changeable password feature.
You can find other product literature, including white papers, data sheets, and product bulletins, at
You should refer to the documentation that came with your AAA clients for more information about those products. You might also want to consult the Cisco Systems publication Cisco Systems’ Internetworking Terms and Acronyms.
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco do cumentation on the World Wide Web at
this URL:
•http://www.cisco.com
Translated documentation is available at this URL:
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
•Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).