Cisco Secure ACS 3.0 User Manual

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
November 2001
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Customer Order Number: DOC-7813751= Text Part Number: 78-13751-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, FrameShare, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, ScriptBuilder, ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Discover All That’s Possible are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, GigaStack, IOS, IP/TV, LightStream, MICA, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R)
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Copyright © 2001, Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xxvii
Document Objectives xxvii
Who Should Read This Guide xxvii
How This Guide is Organized xxviii
Conventions Used in This Guide xxx
Related Documentation xxxi
Obtaining Documentation xxxii
World Wide Web xxxii
Documentation CD-ROM xxxii
Ordering Documentation xxxii
Documentation Feedback xxxiii
Obtaining Technical Assistance xxxiii
Cisco.com xxxiii
Technical Assistance Center xxxiv
Cisco TAC Web Site xxxiv
Cisco TAC Escalation Center xxxv
CHAPTER 1 Overview of Cisco Secure ACS 1-1
The Cisco Secure ACS Paradigm 1-1
Cisco Secure ACS Specifications 1-2
System Performance Specifications 1-3
Cisco Secure ACS Windows Services 1-3
AAA Server Functions and Concepts 1-4
Cisco Secure ACS and the AAA Client 1-5
AAA Protocols—TACACS+ and RADIUS 1-5
TACACS+ 1-6
RADIUS 1-6
Authentication 1-7
Authentication Considerations 1-8
Authentication and User Databases 1-8
Passwords 1-10
Other Authentication-Related Features 1-14
Authorization 1-15
Max Sessions 1-16
Dynamic Usage Quotas 1-16
Other Authorization-Related Features 1-17
Accounting 1-17
Other Accounting-Related Features 1-18
Administration 1-18
HTTP Port Allocation for Remote Administrative Sessions 1-19
Network Device Groups 1-20
Other Administration-Related Features 1-20
Cisco Secure ACS HTML Interface 1-21
About the Cisco Secure ACS HTML Interface 1-21
HTML Interface Layout 1-22
Uniform Resource Locator for the HTML Interface 1-24
Network Environments and Remote Administrative Sessions 1-24
Remote Administrative Sessions and HTTP Proxy 1-24
Remote Administrative Sessions through Firewalls 1-25
Remote Administrative Sessions through a NAT Gateway 1-25
Accessing the HTML Interface 1-26
Logging Off the HTML Interface 1-26
Online Help and Online Documentation 1-27
Using Online Help 1-27
Using the Online Documentation 1-28
CHAPTER 2 Deploying Cisco Secure ACS 2-1
Basic Deployment Requirements for Cisco Secure ACS 2-2
System Requirements 2-2
Hardware Requirements 2-2
Operating System Requirements 2-3
Third-Party Software Requirements 2-3
Network Requirements 2-4
Basic Deployment Factors for Cisco Secure ACS 2-4
Network Topology 2-5
Dial-Up Topology 2-5
Wireless Network 2-8
Remote Access using VPN 2-11
Remote Access Policy 2-13
Security Policy 2-14
Administrative Access Policy 2-14
Separation of Administrative and General Users 2-16
Database 2-17
Number of Users 2-17
Type of Database 2-17
Network Speed and Reliability 2-18
Suggested Deployment Sequence 2-18
CHAPTER 3 Setting Up the Cisco Secure ACS HTML Interface 3-1
Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3
Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-10
Setting Protocol Configuration Options for (IETF) RADIUS 3-12
Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX) 3-14
Setting Protocol Configuration Options for RADIUS (Ascend) 3-14
Setting Protocol Configuration Options for RADIUS (Cisco VPN 3000) 3-15
Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000) 3-16
Setting Protocol Configuration Options for RADIUS (Microsoft) 3-17
Setting Protocol Configuration Options for RADIUS (Nortel) 3-18
Setting Protocol Configuration Options for RADIUS (Juniper) 3-19
Setting Protocol Configuration Options for RADIUS (Cisco BBSM) 3-20
CHAPTER 4 Setting Up and Managing Network Configuration 4-1
About Distributed Systems 4-2
AAA Servers in Distributed Systems 4-3
Default Distributed System Settings 4-3
Proxy in Distributed Systems 4-4
Fallback on Failed Connection 4-5
Character String 4-6
Stripping 4-6
Proxy in an Enterprise 4-6
Remote Use of Accounting Packets 4-7
Other Features Enabled by System Distribution 4-8
AAA Client Configuration 4-8
Adding and Configuring a AAA Client 4-9
Editing an Existing AAA Client 4-12
Deleting a AAA Client 4-14
AAA Server Configuration 4-15
Adding and Configuring a AAA Server 4-16
Editing a AAA Server Configuration 4-18
Deleting a AAA Server 4-20
Network Device Group Configuration 4-20
Adding a Network Device Group 4-21
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-22
Reassigning a AAA Client or AAA Server to an NDG 4-23
Renaming a Network Device Group 4-23
Deleting a Network Device Group 4-24
Proxy Distribution Table Configuration 4-25
About the Proxy Distribution Table 4-25
Adding a New Proxy Distribution Table Entry 4-26
Sorting the Character String Match Order of Distribution Entries 4-28
Editing a Proxy Distribution Table Entry 4-28
Deleting a Proxy Distribution Table Entry 4-29
CHAPTER 5 Setting Up and Managing Shared Profile Components 5-1
Downloadable PIX ACLs 5-2
About Downloadable PIX ACLs 5-2
Downloadable PIX ACL Configuration 5-3
Adding a Downloadable PIX ACL 5-3
Editing a Downloadable PIX ACL 5-4
Deleting a Downloadable PIX ACL 5-5
Network Access Restrictions 5-6
About Network Access Restrictions 5-6
Shared Network Access Restrictions Configuration 5-7
Adding a Shared Network Access Restriction 5-8
Editing a Shared Network Access Restriction 5-10
Deleting a Shared Network Access Restriction 5-12
Command Authorization Sets 5-12
About Command Authorization Sets 5-13
About Pattern Matching 5-14
Command Authorization Sets Configuration 5-14
Adding a Command Authorization Set 5-15
Editing a Command Authorization Set 5-17
Deleting a Command Authorization Set 5-17
CHAPTER 6 Setting Up and Managing User Groups 6-1
User Group Setup Features and Functions 6-2
Default Group 6-2
Group TACACS+ Settings 6-2
Common User Group Settings 6-3
Enabling VoIP Support for a User Group 6-4
Setting Default Time of Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-6
Setting Network Access Restrictions for a User Group 6-7
Setting Max Sessions for a User Group 6-11
Setting Usage Quotas for a User Group 6-13
Configuration-specific User Group Settings 6-15
Setting Token Card Settings for a User Group 6-17
Setting Enable Privilege Options for a User Group 6-18
Enabling Password Aging for the CiscoSecure User Database 6-20
Varieties of Password Aging Supported by Cisco Secure ACS 6-20
Password Aging Feature Settings 6-21
Enabling Password Aging for Users in Windows Databases 6-25
Setting IP Address Assignment Method for a User Group 6-26
Assigning a Downloadable PIX ACL to a Group 6-27
Configuring TACACS+ Settings for a User Group 6-28
Configuring a Shell Command Authorization Set for a User Group 6-30
Configuring a PIX Command Authorization Set for a User Group 6-32
Configuring IETF RADIUS Settings for a User Group 6-34
Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-36
Configuring Ascend RADIUS Settings for a User Group 6-37
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-38
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-39
Configuring Microsoft RADIUS Settings for a User Group 6-41
Configuring Nortel RADIUS Settings for a User Group 6-42
Configuring Juniper RADIUS Settings for a User Group 6-44
Configuring Cisco BBSM RADIUS Settings for a User Group 6-45
Configuring Custom RADIUS VSA Settings for a User Group 6-46
Group Setting Management 6-48
Listing Users in a User Group 6-48
Resetting Usage Quota Counters for a User Group 6-49
Renaming a User Group 6-49
Saving Changes to User Group Settings 6-50
CHAPTER 7 Setting Up and Managing User Accounts 7-1
User Setup Features and Functions 7-2
About User Databases 7-3
Basic User Setup Options 7-4
Adding a Basic User Account 7-5
Setting Supplementary User Information 7-7
Setting a Separate CHAP/MS-CHAP/ARAP Password 7-8
Assigning a User to a Group 7-9
Setting User Callback Option 7-10
Assigning a User to a Client IP Address 7-11
Setting Network Access Restrictions for a User 7-12
Setting Max Sessions Options for a User 7-17
Setting User Usage Quotas Options 7-19
Setting Options for User Account Disablement 7-21
Assigning a PIX ACL to a User 7-22
Advanced User Authentication Settings 7-23
TACACS+ Settings (User) 7-24
Configuring TACACS+ Settings for a User 7-24
Configuring a Shell Command Authorization Set for a User 7-26
Configuring a PIX Command Authorization Set for a User 7-29
Configuring the Unknown Service Setting for a User 7-31
Advanced TACACS+ Settings (User) 7-31
Setting Enable Privilege Options for a User 7-32
Setting TACACS+ Enable Password Options for a User 7-34
Setting TACACS+ Outbound Password for a User 7-35
RADIUS Attributes 7-36
Setting IETF RADIUS Parameters for a User 7-37
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-38
Setting Ascend RADIUS Parameters for a User 7-39
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-41
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-42
Setting Microsoft RADIUS Parameters for a User 7-44
Setting Nortel RADIUS Parameters for a User 7-45
Setting Juniper RADIUS Parameters for a User 7-47
Setting BBSM RADIUS Parameters for a User 7-48
Setting Custom RADIUS Attributes for a User 7-49
User Management 7-51
Listing All Users 7-51
Finding a User 7-52
Disabling a User Account 7-53
Deleting a User Account 7-54
Resetting User Session Quota Counters 7-55
Resetting a User Account after Login Failure 7-55
Saving User Settings 7-56
CHAPTER 8 Establishing Cisco Secure ACS System Configuration 8-1
Service Control 8-2
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Password Validation 8-4
Setting Password Validation Options 8-5
CiscoSecure Database Replication 8-6
About CiscoSecure Database Replication 8-6
Replication Process 8-8
Replication Frequency 8-10
Important Implementation Considerations 8-10
Database Replication Versus Database Backup 8-11
Database Replication Logging 8-12
Replication Options 8-13
Replication Components Options 8-13
Replication Scheduling Options 8-14
Replication Partners Options 8-15
Implementing Primary and Secondary Replication Setups on Cisco Secure ACS Servers 8-16
Configuring a Secondary Cisco Secure ACS Server 8-17
Replicating Immediately 8-18
Scheduling Replication 8-20
Disabling CiscoSecure Database Replication 8-23
Database Replication Event Error Alert Notification 8-23
RDBMS Synchronization 8-24
About RDBMS Synchronization 8-24
RDBMS Synchronization Components 8-25
About CSDBSync 8-25
About the accountActions Table 8-26
Cisco Secure ACS Database Recovery Using the accountActions Table 8-28
Reports and Event (Error) Handling 8-29
Preparing to Use RDBMS Synchronization 8-29
Considerations for Using CSV-Based Synchronization 8-30
Preparing for CSV-Based Synchronization 8-31
Configuring a System Data Source Name for RDBMS Synchronization 8-32
RDBMS Synchronization Options 8-33
RDBMS Setup Options 8-34
Synchronization Scheduling Options 8-34
Synchronization Partners Options 8-35
Performing RDBMS Synchronization Immediately 8-35
Scheduling RDBMS Synchronization 8-37
Disabling Scheduled RDBMS Synchronizations 8-39
Cisco Secure ACS Backup 8-40
About Cisco Secure ACS Backup 8-40
Backup File Locations 8-41
Directory Management 8-41
Components Backed Up 8-41
Reports of Cisco Secure ACS Backups 8-42
Performing a Manual Cisco Secure ACS Backup 8-42
Scheduling Cisco Secure ACS Backups 8-43
Disabling Scheduled Cisco Secure ACS Backups 8-44
Cisco Secure ACS System Restore 8-45
About Cisco Secure ACS System Restore 8-45
Backup File Names and Locations 8-45
Components Restored 8-47
Reports of Cisco Secure ACS Restorations 8-47
Restoring Cisco Secure ACS from a Backup File 8-47
Cisco Secure ACS Active Service Management 8-48
System Monitoring 8-49
System Monitoring Options 8-49
Setting Up System Monitoring 8-50
Event Logging 8-51
Setting Up Event Logging 8-51
IP Pools Server 8-52
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 8-53
Refreshing the AAA Server IP Pools Table 8-55
Adding a New IP Pool 8-55
Editing an IP Pool Definition 8-56
Resetting an IP Pool 8-57
Deleting an IP Pool 8-58
IP Pools Address Recovery 8-59
Enabling IP Pool Address Recovery 8-59
VoIP Accounting Configuration 8-60
Configuring VoIP Accounting 8-61
Cisco Secure ACS Certificate Setup 8-61
Background on Certification 8-62
EAP-TLS Setup Overview 8-63
Requirements for Certificate Enrollment 8-63
Generating a Request for a Certificate 8-64
Installing Cisco Secure ACS Certification with Manual Enrollment 8-66
Installing Cisco Secure ACS Certification with Automatic Enrollment 8-68
Performing Cisco Secure ACS Certification Update or Replacement 8-69
Certification Authority Setup 8-70
Trust Requirements and Models 8-71
Editing the Certificate Trust List 8-72
Adding a New CA Certificate to Local Certificate Storage 8-72
Global Authentication Setup 8-73
CHAPTER 9 Working with Logging and Reports 9-1
Logging Formats 9-1
Special Logging Attributes 9-2
Update Packets In Accounting Logs 9-3
About Cisco Secure ACS Logs and Reports 9-4
Accounting Logs 9-4
TACACS+ Accounting Log 9-5
TACACS+ Administration Log 9-6
RADIUS Accounting Log 9-7
VoIP Accounting Log 9-8
Failed Attempts Log 9-9
Passed Authentications Log 9-10
Dynamic Cisco Secure ACS Administration Reports 9-10
Logged-In Users Report 9-11
Disabled Accounts Report 9-14
Cisco Secure ACS System Logs 9-15
ACS Backup and Restore Log 9-15
RDBMS Synchronization Log 9-16
Database Replication Log 9-16
Administration Audit Log 9-17
ACS Service Monitoring Log 9-18
Working with CSV Logs 9-19
CSV Log File Names 9-19
Enabling or Disabling a CSV Log 9-19
Viewing a CSV Report 9-20
Configuring a CSV Log 9-22
Working with ODBC Logs 9-25
Preparing to Use ODBC Logging 9-25
Configuring a System Data Source Name for ODBC Logging 9-26
Configuring an ODBC Log 9-27
Remote Logging 9-29
About Remote Logging 9-30
Remote Logging Options 9-31
Configuring a Central Logging Server 9-31
Enabling and Configuring Remote Logging 9-32
Disabling Remote Logging 9-33
Service Logs 9-34
Services Logged 9-34
Configuring Service Logs 9-35
CHAPTER 10 Setting Up and Managing Administrators and Policy 10-1
Administrator Accounts 10-1
Administrator Privileges 10-2
Adding an Administrator Account 10-6
Editing an Administrator Account 10-7
Deleting an Administrator Account 10-9
Access Policy 10-10
Access Policy Options 10-10
Setting Up Access Policy 10-12
Session Policy 10-13
Session Policy Options 10-13
Setting Up Session Policy 10-14
Audit Policy 10-16
CHAPTER 11 Working with User Databases 11-1
CiscoSecure User Database 11-2
About External User Databases 11-4
Authenticating with External User Databases 11-5
Windows NT/2000 User Database 11-6
The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases 11-7
Trust Relationships 11-8
Windows Dial-up Networking Clients 11-9
About the Windows NT/2000 Dial-up Networking Client 11-9
About the Windows 95/98/Millennium Edition Dial-up Networking Client 11-10
Windows NT/2000 Authentication 11-10
User-Changeable Passwords with Windows NT/2000 User Databases 11-12
Preparing Users for Authenticating with Windows NT/2000 11-12
Configuring a Windows NT/2000 External User Database 11-13
Generic LDAP 11-14
Cisco Secure ACS Authentication Process with a Generic LDAP User Database 11-15
Multiple LDAP Instances 11-16
LDAP Organizational Units and Groups 11-17
Directed Authentications 11-17
LDAP Failover 11-17
Successful Previous Authentication with the Primary LDAP Server 11-18
Unsuccessful Previous Authentication with the Primary LDAP Server 11-18
Configuring a Generic LDAP External User Database 11-19
Novell NDS Database 11-24
User Contexts 11-25
Novell NDS External User Database Options 11-27
Configuring a Novell NDS External User Database 11-28
ODBC Database 11-30
Cisco Secure ACS Authentication Process with an ODBC External User Database 11-31
Preparing to Authenticate Users with an ODBC-Compliant Relational Database 11-32
Implementation of Stored Procedures for ODBC Authentication 11-33
Type Definitions 11-34
Microsoft SQL Server and Case-Sensitive Passwords 11-34
Sample Routine for Generating a PAP Authentication SQL Procedure 11-35
Sample Routine for Generating an SQL CHAP Authentication Procedure 11-36
PAP Authentication Procedure Input 11-36
PAP Procedure Output 11-37
CHAP/MS-CHAP/ARAP Authentication Procedure Input 11-38
CHAP/MS-CHAP/ARAP Procedure Output 11-38
Result Codes 11-39
Configuring a System Data Source Name for an ODBC External User Database 11-40
Configuring an ODBC External User Database 11-41
LEAP Proxy RADIUS Server Database 11-44
Configuring a LEAP Proxy RADIUS Server External User Database 11-45
Token Server User Databases 11-47
About Token Servers and Cisco Secure ACS 11-48
Token Servers and ISDN 11-48
RADIUS-Enabled Token Servers 11-49
About RADIUS-Enabled Token Servers 11-49
Token Server RADIUS Authentication Request and Response Contents 11-50
Configuring a RADIUS Token Server External User Database 11-50
Token Servers with Vendor-Proprietary Interfaces 11-53
About Token Servers with Proprietary Interfaces 11-53
Configuring a SafeWord Token Server External User Database 11-53
Configuring an AXENT Token Server External User Database 11-55
Configuring an RSA SecurID Token Server External User Database 11-56
Deleting an External User Database Configuration 11-58
CHAPTER 12 Administering External User Databases 12-1
Unknown User Processing 12-1
Known, Unknown, and Cached Users 12-2
General Authentication Request Handling and Rejection Mode 12-3
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database 12-4
Windows Authentication with a Domain Specified 12-4
Windows Authentication with Domain Omitted 12-5
Performance of Unknown User Authentication 12-6
Added Latency 12-6
Authentication Timeout Value on AAA clients 12-6
Network Access Authorization 12-7
Unknown User Policy 12-7
Database Search Order 12-8
Configuring the Unknown User Policy 12-8
Turning off External User Database Authentication 12-9
Database Group Mappings 12-10
Group Mapping by External User Database 12-10
Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 12-12
Group Mapping by Group Set Membership 12-13
Group Mapping Order 12-13
No Access Group for Group Set Mappings 12-14
Default Group Mapping for Windows NT/2000 12-14
Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups 12-15
Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-17
Deleting a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-18
Deleting a Windows NT/2000 Domain Group Mapping Configuration 12-19
Changing Group Set Mapping Order 12-20
RADIUS-Based Group Specification 12-21
APPENDIX A Troubleshooting Information for Cisco Secure ACS A-1
Administration Issues A-2
Browser Issues A-3
Cisco IOS Issues A-4
Database Issues A-5
Dial-in Connection Issues A-6
Debug Issues A-11
Proxy Issues A-12
Installation and Upgrade Issues A-13
MaxSessions Issues A-13
Report Issues A-14
Third-Party Server Issues A-15
PIX Firewall Issues A-16
User Authentication Issues A-16
TACACS+ and RADIUS Attribute Issues A-18
APPENDIX B System Messages B-1
Windows NT/2000 Event Log Service Startup Errors B-1
System Monitored Events B-2
Replication Messages B-6
Failed Attempts Messages B-9
APPENDIX C TACACS+ Attribute-Value Pairs C-1
Cisco IOS Attribute-Value Pair Dictionary C-1
TACACS+ AV Pairs C-2
TACACS+ Accounting AV Pairs C-4
APPENDIX D RADIUS Attributes D-1
Cisco IOS Dictionary of RADIUS AV Pairs D-2
Cisco IOS/PIX Dictionary of RADIUS VSAs D-4
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs D-6
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs D-9
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA D-9
Vendor-Proprietary IETF RADIUS AV Pairs D-10
IETF Dictionary of RADIUS AV Pairs D-12
RADIUS (IETF) Accounting AV Pairs D-16
Microsoft MPPE Dictionary of RADIUS VSAs D-18
Ascend Dictionary of RADIUS AV Pairs D-21
Nortel Dictionary of RADIUS VSAs D-29
Juniper Dictionary of RADIUS VSAs D-30
APPENDIX E Cisco Secure ACS Command-Line Database Utility E-1
Location of CSUtil.exe and Related Files E-2
CSUtil.exe Syntax E-2
CSUtil.exe Options E-3
Backing Up Cisco Secure ACS with CSUtil.exe E-5
Restoring Cisco Secure ACS with CSUtil.exe E-6
Creating a CiscoSecure User Database E-7
Creating a Cisco Secure ACS Database Dump File E-9
Loading the Cisco Secure ACS Database from a Dump File E-10
Compacting the CiscoSecure User Database E-11
User and AAA Client Import Option E-13
Importing User and AAA Client Information E-13
User and AAA Client Import File Format E-15
About User and AAA Client Import File Format E-15
ONLINE or OFFLINE Statement E-16
ADD Statements E-16
UPDATE Statements E-18
DELETE Statements E-20
ADD_NAS Statements E-20
DEL_NAS Statements E-22
Import File Examples E-22
Exporting User List to a Text File E-23
Exporting Group Information to a Text File E-24
Exporting Registry Information to a Text File E-25
Decoding Error Numbers E-25
Recalculating CRC Values E-26
User-Defined RADIUS Vendors and VSA Sets E-27
About User-Defined RADIUS Vendors and VSA Sets E-27
Adding a Custom RADIUS Vendor and VSA Set E-28
Deleting a Custom RADIUS Vendor and VSA Set E-29
Listing Custom RADIUS Vendors E-30
RADIUS Vendor/VSA Import File E-31
About the RADIUS Vendor/VSA Import File E-32
Vendor and VSA Set Definition E-33
Attribute Definition E-34
Enumeration Definition E-35
Example RADIUS Vendor/VSA Import File E-37
APPENDIX F Cisco Secure ACS and Virtual Private Dial-up Networks F-1
VPDN Process F-1
APPENDIX G ODBC Import Definitions G-1
accountActions Table Specification G-1
accountActions Table Format G-2
accountActions Table Mandatory Fields G-3
accountActions Table Processing Order G-4
Action Codes G-5
Action Codes for Setting and Deleting Values G-5
Action Codes for Creating and Modifying User Accounts G-7
Action Codes for Initializing and Modifying Access Filters G-15
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings G-20
Action Codes for Modifying Network Configuration G-27
Action Code for Deleting the CiscoSecure User Database G-31
Cisco Secure ACS Attributes and Action Codes G-31
User-Specific Attributes G-31
User-Defined Attributes G-34
Group-Specific Attributes G-34
An Example accountActions Table G-36
APPENDIX H Cisco Secure ACS Internal Architecture H-1
Windows NT/2000 Environment Overview H-2
Windows NT/2000 Services H-2
Windows NT/2000 Registry H-2
Cisco Secure ACS Web Server H-2
CSAdmin H-3
CSAuth H-3
CSDBSync H-6
CSLog H-6
CSMon H-7
Monitoring H-7
Recording H-9
Sample Scripts H-10
Configuration H-10
CSTacacs and CSRadius H-11
INDEX
Preface
This section discusses the objectives, audience, and organization of the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 User Guide.
Document Objectives
The objective of this document is to help you configure and use the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) software and its features and utilities.
Who Should Read This Guide
This publication was written for system administrators who are using the Cisco Secure ACS software and are responsible for setting up and maintaining accounts and dial-in network security.
How This Guide is Organized
The Cisco Secure ACS User Guide is organized into the following chapters:
Chapter 1, Overview of Cisco Secure ACS. An overview of Cisco Secure ACS and its features, network diagrams, and system requirements.
Chapter 2, Deploying Cisco Secure ACS. A guide to deploying the Cisco Secure ACS that includes requirements, options, trade-offs, and suggested sequences.
Chapter 3, Setting Up the Cisco Secure ACS HTML Interface. Concepts and procedures regarding how to use the Interface Configuration section of the Cisco Secure ACS to configure the user interface.
Chapter 4, Setting Up and Managing Network Configuration. Concepts and procedures for Cisco Secure ACS network configuration and establishing a distributed system.
Chapter 5, Setting Up and Managing Shared Profile Components. Concepts and procedures regarding Cisco Secure ACS shared profile components: network access restrictions and device command sets.
Chapter 6, Setting Up and Managing User Groups. Concepts and procedures for establishing and maintaining Cisco Secure ACS user groups.
Chapter 7, Setting Up and Managing User Accounts. Concepts and procedures for establishing and maintaining Cisco Secure ACS user accounts.
Chapter 8, Establishing Cisco Secure ACS System Configuration. Concepts and procedures regarding the System Configuration portion of Cisco Secure ACS.
Chapter 9, Working with Logging and Reports. Concepts and procedures regarding Cisco Secure ACS logging and reports.
Chapter 10, Setting Up and Managing Administrators and Policy. Concepts and procedures for establishing and maintaining Cisco Secure ACS administrators.
Chapter 11, Working with User Databases. Concepts and procedures for establishing user databases.
Chapter 12, Administering External User Databases. Concepts and procedures for administering and maintaining user databases external to Cisco Secure ACS.
This guide also comprises the following appendixes:
Appendix A, Troubleshooting Information for Cisco Secure ACS. How to identify and solve certain problems you might have with Cisco Secure ACS.
Appendix B, System Messages. A list and explanation of most system messages you might encounter.
Appendix C, TACACS+ Attribute-Value Pairs. A list of supported TACACS+ AV pairs and accounting AV pairs.
Appendix D, RADIUS Attributes. A list of supported RADIUS AV pairs and accounting AV pairs.
Appendix E, Cisco Secure ACS Command-Line Database Utility. Instructions for using the database import utility, CSUtil, to import an ODBC database, and back up, maintain, or restore the Cisco Secure ACS database.
Appendix F, Cisco Secure ACS and Virtual Private Dial-up Networks. An introduction to Virtual Private Dial-up Networks (VPDN), including stripping and tunneling, with instructions for enabling VPDN on Cisco Secure ACS.
Appendix G, ODBC Import Definitions. A list of ODBC import definitions, for use with the RDBMS Synchronization feature.
Appendix H, Cisco Secure ACS Internal Architecture. A description of Cisco Secure ACS architectural components.
Conventions Used in This Guide
This guide uses the following typographical conventions:
Typographic Conventions
Italics: Introduces new or important terminology and variable input for commands.
Script: Denotes paths, file names, and example screen output. Also denotes Secure Script translations of security policy decision trees.
Bold: Identifies special terminology and options that should be selected during procedures.
Tip: Means the following information will help you solve a problem. The tip information might not be troubleshooting or even an action, but could be useful information.
Note: Means reader take note. Notes contain helpful suggestions or references to materials not covered in the manual.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage, loss of data, or a breach in your network security.
Warning: Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translated versions of the warning, refer to the Regulatory Compliance and Safety document that accompanied the device.
Related Documentation
Included in the Cisco Secure ACS HTML interface are two sources of information:
Online Help contains information for each associated page in the Cisco Secure ACS HTML interface.
Online Documentation is a complete copy of the Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide.
We recommend that you read Release Notes for Cisco Secure Access Control Server Version 3.0 for Windows 2000/NT Servers. While a printed copy of this document comes with Cisco Secure ACS, check Cisco.com for the latest version. You should also read the README.TXT file for additional important information.
Cisco Secure ACS includes an installation guide, Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers, to help you install the software efficiently and correctly.
Web Server Installation for Cisco Secure ACS for Windows 2000/NT User-Changeable Passwords contains information on installing and configuring the optional user-changeable password feature.
You can find other product literature, including white papers, data sheets, and product bulletins, at:
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml.
You should refer to the documentation that came with your AAA clients for more information about those products. You might also want to consult the Cisco Systems publication Cisco Systems’ Internetworking Terms and Acronyms.
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL:
http://www.cisco.com
Translated documentation is available at the following URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Feedback at the top of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
Chapter 1 Overview of Cisco Secure ACS
This chapter provides an overview of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). It contains the following sections:
The Cisco Secure ACS Paradigm, page 1-1
Cisco Secure ACS Specifications, page 1-2
AAA Server Functions and Concepts, page 1-4
Cisco Secure ACS HTML Interface, page 1-21
The Cisco Secure ACS Paradigm
Cisco Secure ACS provides authentication, authorization, and accounting (AAA, pronounced “triple A”) services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. The AAA client in Figure 1-1 on page 1-2 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.
Figure 1-1 A Simple AAA Scenario (figure showing an end-user client, an AAA client, the Cisco Secure Access Control Server, and an external user database)
Cisco Secure ACS helps centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in Figure 1-1 is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories.
Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party devices that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see the “AAA Protocols—TACACS+ and RADIUS” section on page 1-5.
Cisco Secure ACS Specifications
This section provides information about Cisco Secure ACS performance specifications and the Windows services that compose Cisco Secure ACS.
System Performance Specifications
The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is running on a 1.4-GHz Pentium IV server with Windows 2000 Server on a 1 GB ethernet backbone than it can if it is running on a 200-MHz Pentium II server with Windows NT 4.0 on a 10 MB LAN.
For more information about the expected performance of Cisco Secure ACS in your network setting, contact your Cisco sales representative. The following items are general answers to common system performance questions. The performance of Cisco Secure ACS in your network depends on your specific environment and AAA requirements.
Maximum users supported by the CiscoSecure user database—There is no theoretical limit to the number of users the CiscoSecure user database can support. We have successfully tested Cisco Secure ACS with databases in excess of 100,000 users. The practical limit for a single Cisco Secure ACS server authenticating against all its databases, internal and external, is approximately 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated Cisco Secure ACS servers.
Transactions per second per number of users—Assuming 10,000 users in the CiscoSecure user database, a single processor 300-MHz Pentium II server provides 80 RADIUS full login cycles (authentication, accounting start, and accounting stop) per second and approximately 40 TACACS+ logins per second. As the database grows, this performance declines roughly proportionately.
Maximum number of AAA clients supported—Cisco Secure ACS can support AAA services for approximately 2000 network devices running a AAA client.
Cisco Secure ACS Windows Services
Cisco Secure ACS operates as a set of Windows NT or Windows 2000 services and controls the authentication, authorization, and accounting of users accessing networks.
When you install Cisco Secure ACS on your server, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. For a full discussion of each service, see the “Cisco Secure ACS Internal Architecture” section on page H-1. The Cisco Secure ACS services on your Cisco Secure ACS server include the following:
CSAdmin—Provides the HTML interface for administration of Cisco Secure ACS.
CSAuth—Provides authentication services.
CSDBSync—Provides synchronization of the CiscoSecure user database with an external RDBMS application.
CSLog—Provides logging services, both for accounting and system activity.
CSMon—Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
CSTacacs—Provides communication between TACACS+ AAA clients and the CSAuth service.
CSRadius—Provides communication between RADIUS AAA clients and the CSAuth service.
Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS HTML interface. For information about stopping and starting Cisco Secure ACS services, see the “Service Control” section on page 8-2.
AAA Server Functions and Concepts
Cisco Secure ACS is a AAA server, providing authentication, authorization, and accounting services to network devices that can act as AAA clients.
As a AAA server, Cisco Secure ACS incorporates many technologies to render AAA services to AAA clients. Understanding Cisco Secure ACS requires knowledge of many of these technologies. To address the most significant aspects, this section contains the following topics:
Cisco Secure ACS and the AAA Client, page 1-5
AAA Protocols—TACACS+ and RADIUS, page 1-5
Authentication, page 1-7
Authorization, page 1-15
Accounting, page 1-17
Administration, page 1-18
Cisco Secure ACS and the AAA Client
A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server. AAA clients must be configured to direct all end-user client access requests to Cisco Secure ACS for authentication of users and authorization of service requests. Using the TACACS+ or RADIUS protocol, the AAA client sends authentication requests to Cisco Secure ACS. Cisco Secure ACS verifies the username and password using the user databases it is configured to query. Cisco Secure ACS returns a success or failure response to the AAA client, which permits or denies user access, based on the response it receives. When the user authenticates successfully, Cisco Secure ACS sends a set of authorization attributes to the AAA client. The AAA client then begins forwarding accounting information to Cisco Secure ACS.
When the user has successfully authenticated, a set of session attributes can be sent to the AAA client to provide additional security and control of privileges, otherwise known as authorization. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet). More recently, networking vendors are expanding the use of the attribute sets returned to cover an increasingly wider aspect of user session provisioning.
AAA Protocols—TACACS+ and RADIUS
Cisco Secure ACS can use both the TACACS+ and RADIUS AAA protocols. Table 1-1 on page 1-6 provides a comparison of the two protocols.
Table 1-1 TACACS+ and RADIUS Protocol Comparison
TACACS+ | RADIUS
TCP: connection-oriented transport layer protocol, reliable full-duplex data transmission | UDP: connectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery
Full packet encryption | Encrypts only passwords up to 16 bytes
Independent AAA architecture | Authentication and authorization combined
Useful for router management | Less intrinsically suited for router management
Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. For more information, refer to the Cisco IOS software documentation or Cisco.com (http://www.cisco.com).
Cisco Secure ACS conforms to the RADIUS protocol as defined in draft April 1997 and in the following Requests for Comments (RFCs):
RFC 2138, Remote Authentication Dial In User Service
RFC 2139, RADIUS Accounting
RFC 2865
RFC 2866
RFC 2867
RFC 2868
The ports used for authentication and accounting have changed in RADIUS RFC documents. To support both the older and newer RFCs, Cisco Secure ACS accepts authentication requests on port 1645 and port 1812. For accounting, Cisco Secure ACS accepts accounting packets on port 1646 and 1813.
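The encryption row of Table 1-1 in working form, as an added example that is not Cisco code: a TACACS+ packet body is obfuscated as a whole with the MD5 pseudo-pad defined by the TACACS+ draft (later RFC 8907), whereas RADIUS hides only the User-Password attribute with the RFC 2865 section 5.2 method and sends the other attributes, User-Name included, in the clear. The shared secrets, session id, user name and password below are constructed values.

```python
import hashlib
import os
import struct


def tacacs_obfuscate_body(body: bytes, key: bytes, session_id: int,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the whole TACACS+ packet body with an MD5 pseudo-pad (RFC 8907 s.4.5):
    pad_1 = MD5(session_id || key || version || seq_no) and
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1).
    XOR is symmetric, so the same call reveals an obfuscated body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start_body(username: bytes, port: bytes, password: bytes) -> bytes:
    """Authentication START body for a PAP login (RFC 8907 s.5.1): action=LOGIN(1),
    priv_lvl=1, authen_type=PAP(2), authen_service=PPP(3), four length octets,
    then user, port, rem_addr (empty here) and data (the PAP password)."""
    rem_addr = b""
    header = bytes([1, 1, 2, 3, len(username), len(port), len(rem_addr), len(password)])
    return header + username + port + rem_addr + password


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad the password with NULs to a multiple of 16 and XOR each
    16-byte block with MD5(secret || previous block); the first 'previous block'
    is the 16-byte Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, run by the server on receipt."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        clear += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1 octet) | Length (1 octet) | Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Minimal RADIUS Access-Request (Code 1) with User-Name (1) and User-Password (2).
    Only the password attribute is hidden; the header and User-Name are plain."""
    authenticator = authenticator or os.urandom(16)
    attrs = radius_attr(1, username) + radius_attr(
        2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed, not a real key
    pkt = build_access_request(b"alice", b"Pa55word", secret)
    print("RADIUS: User-Name readable on the wire:", b"alice" in pkt)
    print("RADIUS: User-Password readable on the wire:", b"Pa55word" in pkt)
    body = tacacs_authen_start_body(b"alice", b"async1", b"Pa55word")
    wire = tacacs_obfuscate_body(body, secret, 0x1A2B3C4D)
    print("TACACS+: User-Name readable on the wire:", b"alice" in wire)
    print("TACACS+: body restored:", tacacs_obfuscate_body(wire, secret, 0x1A2B3C4D) == body)
```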
In addition to support for standard IETF RADIUS attributes, Cisco Secure ACS includes support for RADIUS vendor-specific attributes (VSAs). We have predefined the following RADIUS VSAs in Cisco Secure ACS:
Cisco IOS/PIX
Cisco VPN 3000
Cisco VPN 5000
Ascend
Juniper
Microsoft
Nortel
Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define. After you define a new RADIUS VSA, you can use it as you would one of the RADIUS VSAs that come predefined in Cisco Secure ACS. In the Network Configuration section of the Cisco Secure ACS HTML interface, you can configure a AAA client to use a user-defined RADIUS VSA as its AAA protocol. In Interface Configuration, you can enable user-level and group-level attributes for user-defined RADIUS VSAs. In User Setup and Group Setup, you can configure the values for enabled attributes of a user-defined RADIUS VSA.
For more information about creating user-defined RADIUS VSAs, see the “User-Defined RADIUS Vendors and VSA Sets” section on page E-27.
Authentication
Authentication determines user identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use technologies such as CHAP and one-time passwords (OTPs). Cisco Secure ACS supports a wide variety of these authentication methods.
There is a fundamental implicit relationship between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. Cisco Secure ACS supports this fundamental relationship by providing various methods of authentication.
Authentication Considerations
Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.
To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate only between the AAA client and the access control server. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords, such as the communication between an end-user client dialing up over a phone line or an ISDN line terminating at a network access server, or over a Telnet session between an end-user client and the hosting device.
Network administrators who offer increased levels of security services, and corporations that want to lessen the chance of intruder access resulting from password capturing, can use an OTP. Cisco Secure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node login. Token cards are considered one of the strongest OTP authentication mechanisms.
Authentication and User Databases
Cisco Secure ACS supports a variety of user databases. In addition to the CiscoSecure user database, Cisco Secure ACS supports several external user databases, including the following:
Windows NT/2000 User Database
Generic LDAP
Novell NetWare Directory Services (NDS)
Open Database Connectivity (ODBC)-compliant relational databases
CRYPTOCard token server
SafeWord token server
AXENT token server
RSA SecureID token server
ActivCard token server
Vasco token server
The various password protocols supported by Cisco Secure ACS for authentication are supported unevenly by the various databases supported by Cisco Secure ACS. Table 1-2 provides a reference of the password protocols supported by the various databases. For more information about the password protocols supported by Cisco Secure ACS, see the “Passwords” section on page 1-10.
Table 1-2 Password Authentication Protocol and User Database Compatibility
Database | ASCII | PAP | CHAP | ARAP | MS-CHAP v.1 | MS-CHAP v.2 | LEAP | EAP-CHAP | EAP-TLS
Cisco Secure ACS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Windows SAM | Yes | Yes | No | No | Yes | Yes | Yes | No | No
Windows AD | Yes | Yes | No | No | Yes | Yes | Yes | No | Yes
Novell NDS | Yes | Yes | No | No | No | No | No | No | No
LDAP | Yes | Yes | No | No | No | No | No | No | Yes
ODBC | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
LEAP Proxy RADIUS Server | No | No | No | No | Yes | No | Yes | No | No
ActivCard | Yes | Yes | No | No | No | No | No | No | No
CRYPTOCard | Yes | Yes | No | No | No | No | No | No | No
RADIUS Token Server | Yes | Yes | No | No | No | No | No | No | No
Vasco | Yes | Yes | No | No | No | No | No | No | No
AXENT | Yes | Yes | No | No | No | No | No | No | No
RSA | Yes | Yes | No | No | No | No | No | No | No
Safeword | Yes | Yes | No | No | No | No | No | No | No
Passwords
Cisco Secure ACS supports many common password protocols:
ASCII/PAP
CHAP
MS-CHAP
LEAP
EAP-CHAP
EAP-TLS
ARAP
Passwords can be processed using these password authentication protocols based on the version and type of security control protocol used (for example, RADIUS or TACACS+) and the configuration of the AAA client and end-user client. The following sections outline the different conditions and functions of password handling.
In the case of token servers, Cisco Secure ACS acts as a client to the token server, either using its proprietary API or its RADIUS interface, depending on the token server. For more information, see the “About Token Servers and Cisco Secure ACS” section on page 11-48.
Different levels of security can be concurrently used with Cisco Secure ACS for different requirements. The basic user-to-network security level is PAP. Although it represents the unencrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once. CHAP allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client. You can use CHAP with the CiscoSecure user database. ARAP support is included to support Apple clients.
Comparing PAP, CHAP, and ARAP
PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.
PAP—Uses clear-text passwords (that is, unencrypted passwords) and is the least sophisticated authentication protocol. If you are using the Windows NT/2000 user database to authenticate users, you must use PAP password encryption or MS-CHAP.
CHAP—Uses a challenge-response mechanism with one-way encryption on the response. CHAP enables Cisco Secure ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the CiscoSecure user database for authentication, you can use either PAP or CHAP. CHAP does not work with the Windows NT/2000 user database.
ARAP—Uses a two-way challenge-response mechanism. The AAA client challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.
MS-CHAP
Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP and standard CHAP are the following:
The MS-CHAP Response packet is in a format compatible with Microsoft Windows NT/2000, Windows 95/98/ME, and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
MS-CHAP provides an authentication-retry mechanism controlled by the authenticator.
MS-CHAP provides additional failure codes in the Failure packet Message field.
For more information on MS-CHAP, refer to RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.
Basic Password Configurations
There are several basic password configurations:
Note: These configurations are all classed as inbound authentication.
Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the most convenient method for both the administrator when setting up accounts and the user when obtaining authentication. However, because the CHAP password is the same as the PAP password, and the PAP password is transmitted in clear text during an ASCII/PAP login, there is the chance that the CHAP password can be compromised.
Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a higher level of security, users can be given two separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password can remain secure.
External user database authentication—For authentication by an external user database, the user does not need a password stored in the CiscoSecure user database. Instead, Cisco Secure ACS records which external user database it should query to authenticate the user.
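An added example (not Cisco code) for the PAP/CHAP comparison and the single-versus-separate password configurations above: an RFC 1994 CHAP exchange, in which the authenticator must hold the clear-text secret to recompute the MD5 response, beside an RFC 1334 PAP Authenticate-Request that carries the password in the clear. The user store, user names, secrets and challenges are constructed; the verifier shows that with separate passwords a response computed from the PAP password does not pass CHAP.

```python
import hashlib
import hmac
import os
import struct


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s.4.1: Response = MD5(Identifier || secret || Challenge).
    The peer sends this 16-byte value, never the secret itself."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP over a constructed user store. Verification recomputes
    the MD5 over the stored secret, so the authenticator needs the clear-text (or
    reversibly encrypted) password; a store that keeps only one-way hashes, as the
    page notes for the Windows NT/2000 database, cannot answer a CHAP response."""

    def __init__(self, chap_secrets: dict):
        self._secrets = dict(chap_secrets)   # username -> clear-text CHAP secret
        self._pending = {}                   # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        """Issue a fresh random challenge; an earlier response is useless against
        it because the challenge differs, which is what makes a CHAP password
        safely reusable across logins."""
        value = os.urandom(16)
        self._pending[identifier] = value
        return value

    def verify(self, username: bytes, identifier: int, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def chap_login(server: ChapAuthenticator, username: bytes, secret_at_peer: bytes,
               identifier: int = 1) -> bool:
    """One CHAP round trip: server challenges, peer answers, server verifies."""
    challenge = server.challenge(identifier)
    return server.verify(username, identifier,
                         chap_response(identifier, secret_at_peer, challenge))


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 s.2.2.1 Authenticate-Request: Code 1, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. Nothing is encrypted,
    so anyone on the link between client and NAS reads the password."""
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


if __name__ == "__main__":
    # Constructed user with separate ASCII/PAP and CHAP passwords.
    server = ChapAuthenticator({b"alice": b"chap-only-secret"})
    pap_pkt = pap_authenticate_request(3, b"alice", b"pap-secret")
    print("PAP password readable on the link:", b"pap-secret" in pap_pkt)
    print("CHAP with the CHAP secret:", chap_login(server, b"alice", b"chap-only-secret"))
    print("CHAP with the PAP password:", chap_login(server, b"alice", b"pap-secret"))
```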
Advanced Password Configurations
In addition to the basic password configurations listed above, Cisco Secure ACS supports the following:
Inbound passwords—Passwords used by most Cisco Secure ACS users. These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure user database and are not usually given up to an external source if an outbound password has been configured.
Outbound passwords—The TACACS+ protocol supports outbound passwords that can be used, for example, when a AAA client has to be authenticated by another AAA client and end-user client. Passwords from the CiscoSecure user database are then sent back to the second AAA client and end-user client.
Token caching—When token caching is enabled, ISDN users can connect (for a limited time) a second B Channel using the same OTP entered during original authentication. For greater security, the B-Channel authentication request from the AAA client should include the OTP in the username value (for example Fredpassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user's configuration.
The TACACS+ SENDAUTH feature enables a AAA client to authenticate itself to another AAA client or an end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is given out. By default, the users ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; howe ver, we recommend that the separate SENDAUTH password be configured for the user so that Cisco Secure ACS inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security, we recommend that you configure users in the CiscoSecure user database with an outbound password that is different from the inbound password.
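The outbound authentication described above, as an added example that is not part of this guide and is not Cisco Secure ACS code: a small Python model in which the AAA server releases a per-user password for a SENDAUTH-style outbound CHAP exchange. The user records, the lookup function, and the peer-side check are assumptions made for illustration; the CHAP response computation (MD5 over identifier, secret, and challenge) is the standard one from RFC 1994. What it shows is the point of the recommendation: when a separate outbound password is configured, the inbound password never leaves the server, and when it is not, the inbound password is what gets handed out.

```python
"""Inbound vs. outbound (SENDAUTH) passwords, modelled in Python.

Added example, not Cisco Secure ACS code. USERS, outbound_password() and the
peer-side verification are assumptions for illustration; chap_response()
follows RFC 1994.
"""
import hashlib
import os

# Constructed user database: "inbound" is what the user presents when logging
# in; "outbound" is the optional separate SENDAUTH password.
USERS = {
    "fred": {"inbound": b"fred-inbound-secret", "outbound": b"fred-sendauth-only"},
    "jane": {"inbound": b"jane-inbound-secret"},  # no outbound password configured
}


def outbound_password(username: str) -> bytes:
    """Password the AAA server releases for outbound authentication.

    As the guide describes: the separate outbound password is used when one is
    configured; otherwise the server falls back to the inbound password.
    """
    rec = USERS[username]
    return rec.get("outbound", rec["inbound"])


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(identifier || secret || challenge) (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def sendauth_exchange(username: str, challenge: bytes, identifier: int = 1) -> dict:
    """AAA client authenticating itself to a peer on behalf of a user.

    1. The peer sends a CHAP challenge.
    2. The AAA client asks the AAA server for the user's password (SENDAUTH).
    3. The AAA client answers the challenge with that password.
    The returned dict records which password left the server.
    """
    secret = outbound_password(username)
    return {
        "password_released_by_server": secret,
        "inbound_password_exposed": secret == USERS[username]["inbound"],
        "chap_response": chap_response(identifier, secret, challenge).hex(),
    }


def peer_verifies(username: str, challenge: bytes, response_hex: str,
                  identifier: int = 1) -> bool:
    """Peer side: recompute the response with the secret it shares."""
    expected = chap_response(identifier, outbound_password(username), challenge)
    return expected.hex() == response_hex


if __name__ == "__main__":
    chal = os.urandom(16)
    for user in ("fred", "jane"):
        result = sendauth_exchange(user, chal)
        print(user, "inbound password exposed:", result["inbound_password_exposed"],
              "peer accepts:", peer_verifies(user, chal, result["chap_response"]))
```

Running the block shows fred (outbound password configured) authenticating without his inbound password ever being released, while jane (no outbound password) has her inbound password sent to the peer, which is exactly the exposure the separate SENDAUTH password avoids.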
AAA Server Functions and Concepts
Password Aging
With Cisco Secure ACS you can choose whether and how you want to employ password aging. Control for password aging may reside either in the CiscoSecure user database, or in the Windows NT/2000 directory. Each password aging mechanism differs as to requirements and setting configurations.
The password aging feature controlled by the CiscoSecure user database enables you to force users to change their passwords under any of the following conditions:
After a specified number of days
After a specified number of logins
The first time a new user logs in
For information on the requirements and configuration of the password aging feature controlled by the CiscoSecure user database, see the “Enabling Password Aging for the CiscoSecure User Database” section on page 6-20.
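The three triggers listed above, worked through as an added example in Python that is not part of this guide and not Cisco Secure ACS code. The policy and user record layouts, the field names, and the rule that a forced change resets the counters are assumptions for illustration; the triggers themselves (age in days, number of logins, first login of a new user) are the ones the guide lists. The example is useful mainly for the ordering question the list leaves open: the decision is taken at login time before that login is counted, so with a limit of N logins the change is forced on login N+1.

```python
"""Password-aging decision with the three CiscoSecure-database triggers.

Added example, not Cisco Secure ACS code. AgingPolicy, UserRecord and the
reset-on-change rule are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class AgingPolicy:
    max_age_days: Optional[int] = None    # force a change after this many days
    max_logins: Optional[int] = None      # force a change after this many logins
    change_on_first_login: bool = False   # a new user must change at first login


@dataclass
class UserRecord:
    username: str
    password_set_on: str                  # ISO date, e.g. "2001-01-02"
    logins_since_change: int = 0
    has_logged_in: bool = False


def must_change_password(user: UserRecord, policy: AgingPolicy, today: str) -> Optional[str]:
    """Return the reason a change is required now, or None.

    Evaluated before the current login is counted (see login()).
    """
    if policy.change_on_first_login and not user.has_logged_in:
        return "first login"
    age = (date.fromisoformat(today) - date.fromisoformat(user.password_set_on)).days
    if policy.max_age_days is not None and age >= policy.max_age_days:
        return f"password is {age} days old (limit {policy.max_age_days})"
    if policy.max_logins is not None and user.logins_since_change >= policy.max_logins:
        return f"{user.logins_since_change} logins since last change (limit {policy.max_logins})"
    return None


def login(user: UserRecord, policy: AgingPolicy, today: str) -> Optional[str]:
    """Process one login: decide, then update the counters the next decision uses.

    If a change was forced, the user is assumed to have changed the password as
    part of this login, so the age and login counters start over.
    """
    reason = must_change_password(user, policy, today)
    user.has_logged_in = True
    user.logins_since_change += 1
    if reason is not None:
        user.password_set_on = today
        user.logins_since_change = 0
    return reason


if __name__ == "__main__":
    policy = AgingPolicy(max_age_days=90, max_logins=3, change_on_first_login=True)
    alice = UserRecord("alice", "2001-01-01")
    for day in ("2001-01-02", "2001-01-03", "2001-01-04", "2001-01-05", "2001-01-06"):
        print(day, login(alice, policy, day))
```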
The Windows NT/2000-based password aging feature enables you to control the following password aging parameters:
Maximum password age in days
Minimum password age in days
The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000 and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). For information on the requirements and configuration of the Windows-based password aging feature, see the “Enabling Password Aging for Users in Windows Databases” section on page 6-25.
User-Changeable Passwords
With Cisco Secure ACS, you can install a separate program that enables users to change their passwords by using a web-based utility. For more information about installing user-changeable passwords, refer to the Web Server Installation for Cisco Secure ACS for Windows NT/2000 User-Changeable Passwords quick reference card.
Other Authentication-Related Features
In addition to the authentication-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Authentication of unknown users with external user databases (see the “Unknown User Processing” section on page 12-1)
Microsoft Windows Callback feature (see the “Setting User Callback Option” section on page 7-10)
Ability to import a UNIX password file to the CiscoSecure user database (see the “Importing User and AAA Client Information” section on page E-13)
Ability for external users to authenticate via an enable password (see the “Setting TACACS+ Enable Password Options for a User” section on page 7-34)
Proxy of authentication requests to other AAA servers (see the “Proxy in Distributed Systems” section on page 4-4)
Configurable character string stripping from proxied authentication requests (see the “Stripping” section on page 4-6)
Authorization
Authorization determines what a user is allowed to do. Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.
The Cisco Secure ACS access restrictions feature enables you to permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 A.M. to 5 P.M.
You can restrict users to a service or combination of services such as PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).
One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.
Max Sessions
Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:
User Max Sessions—For example, an Internet service provider can limit each account holder to a single session.
Group Max Sessions—For example, an enterprise administrator can allow the remote access infrastructure to be shared equally among several departments and limit the maximum number of concurrent sessions for all users in any one department.
In addition to simple User and Group Max Sessions control, Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group “Sales” and also limit each member of the “Sales” group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.
Dynamic Usage Quotas
Cisco Secure ACS enables you to define usage quotas for users. You can limit the network access of each user in a group or of individual users. You define quotas by duration of sessions or the total number of sessions. Quotas can be either absolute or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed.
To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off and the accounting stop packet is received from the AAA client. If the AAA client through which the user is accessing your network fails, the session information is not updated. In the case of multiple sessions, such as with ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the user's quota.
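The Max Sessions limits (group of 50, 5 per member) and the time-based quota described in the two sections above, combined in one added Python example that is not part of this guide and not Cisco Secure ACS code. The limits, the user and group names, the record layout, and the session controller are assumptions for illustration; the Start, Interim-Update, and Stop record types are the standard RADIUS accounting status types. The example replays the ISDN case from the paragraph above: with no interim updates, nothing has been charged to the quota when the second B channel is requested, so it is admitted even though the first channel has already run past the quota.

```python
"""Session admission from Max Sessions limits and a time quota fed by accounting.

Added example, not Cisco Secure ACS code. The limits, names and record format
are assumptions for illustration.
"""
from collections import defaultdict

# Constructed limits: group "Sales" may hold 50 concurrent sessions, each member
# at most 5, and each member has a 3600-second time quota.
GROUP_MAX_SESSIONS = {"Sales": 50}
USER_MAX_SESSIONS_BY_GROUP = {"Sales": 5}
USER_TIME_QUOTA_SECONDS = {"Sales": 3600}
GROUP_OF = {"fred": "Sales", "jane": "Sales",
            **{f"sales{i}": "Sales" for i in range(10)}}


class SessionController:
    """Tracks active sessions and time charged per user from accounting records."""

    def __init__(self):
        self.active = {}               # session_id -> (user, seconds already charged)
        self.used = defaultdict(int)   # user -> seconds charged against the quota

    def consume(self, rec):
        """Apply one accounting record (a constructed dict, not a RADIUS packet)."""
        user, sid, status = rec["user"], rec["session_id"], rec["status"]
        if status == "Start":
            self.active[sid] = (user, 0)
            return
        if sid not in self.active:
            return                     # stray update or stop for an unknown session
        _, charged = self.active[sid]
        session_time = rec["session_time"]
        # Charge only the delta since the last report, so updates never double-count.
        self.used[user] += max(0, session_time - charged)
        if status == "Stop":
            del self.active[sid]
        else:                          # Interim-Update
            self.active[sid] = (user, session_time)

    def active_sessions(self, user=None, group=None):
        return sum(1 for u, _ in self.active.values()
                   if (user is None or u == user)
                   and (group is None or GROUP_OF[u] == group))

    def admit(self, user):
        """Decide whether a new session for `user` may start: (allowed, reason)."""
        group = GROUP_OF[user]
        if self.active_sessions(group=group) >= GROUP_MAX_SESSIONS[group]:
            return False, "group max sessions reached"
        if self.active_sessions(user=user) >= USER_MAX_SESSIONS_BY_GROUP[group]:
            return False, "user max sessions reached"
        if self.used[user] >= USER_TIME_QUOTA_SECONDS[group]:
            return False, "time quota exhausted"
        return True, "ok"


def isdn_second_channel(with_interim_updates):
    """The ISDN case: the first B channel has been up for 4000 s (past the 3600 s
    quota) and is still up when the user requests a second channel."""
    ctl = SessionController()
    ctl.consume({"user": "fred", "session_id": "b1", "status": "Start"})
    if with_interim_updates:
        ctl.consume({"user": "fred", "session_id": "b1",
                     "status": "Interim-Update", "session_time": 4000})
    # Without interim updates the Stop record has not arrived, nothing has been
    # charged, and the second channel is accepted although the quota is spent.
    return ctl.admit("fred")


if __name__ == "__main__":
    print("with interim updates:   ", isdn_second_channel(True))
    print("without interim updates:", isdn_second_channel(False))
```

The same controller also shows the two-level Max Sessions rule: a sixth session for one "Sales" member is refused on the per-user limit, and once the group holds 50 sessions every further request is refused on the group limit regardless of which member asks.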
Other Authorization-Related Features
In addition to the authorization-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Group administration of users, with support for up to 500 groups (see the “Setting Up and Managing User Groups” section on page 6-1)
Ability to map a user from an external user database to a specific Cisco Secure ACS group (see the “Database Group Mappings” section on page 12-10)
Ability to disable an account after a number of failed attempts, specified by the administrator (see the “Setting Options for User Account Disablement” section on page 7-21)
Ability to disable an account on a specific date (see the “Setting Options for User Account Disablement” section on page 7-21)
Ability to restrict time-of-day and day-of-week access (see the “Setting Default Time of Day Access for a User Group” section on page 6-5)
Ability to restrict network access based on remote address caller line identification (CLID) and dialed number identification service (DNIS) (see the “Setting Network Access Restrictions for a User Group” section on page 6-7)
IP Pools for IP address assignment of end-user client hosts (see the “Setting IP Address Assignment Method for a User Group” section on page 6-26)
Per-user and per-group TACACS+ or RADIUS attributes (see the “Advanced Options” section on page 3-4)
Support for Voice over IP (VoIP), including configurable logging of accounting data (see the “Enabling VoIP Support for a User Group” section on page 6-4)
Accounting
AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are the following:
TACACS+ Accounting—Lists when sessions start and stop; records AAA client messages with username; provides caller line identification information; records the duration of each session.
RADIUS Accounting—Lists when sessions stop and start; records AAA client messages with username; provides caller line identification information; records the duration of each session.
Administrative Accounting—Lists commands entered on a network device with TACACS+ command authorization enabled.
For more information about Cisco Secure ACS logging capabilities, see Chapter 9, “Working with Logging and Reports”.
Other Accounting-Related Features
In addition to the accounting-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Centralized logging, allowing several Cisco Secure ACS servers to forward their accounting data to a remote Cisco Secure ACS server (see the “Remote Logging” section on page 9-29)
Configurable supplementary user ID fields for capturing additional information in logs (see the “User Data Configuration Options” section on page 3-3)
Configurable logs, allowing you to capture as much information as needed (see the “Accounting Logs” section on page 9-4)
Administration
To configure, maintain, and protect its AAA functionality, Cisco Secure ACS provides a flexible administration scheme. You can perform nearly all administration of Cisco Secure ACS through its HTML interface.
You can access the HTML interface from computers other than the Cisco Secure ACS server. This enables remote administration of Cisco Secure ACS. For more information about the HTML interface, including steps for accessing the HTML interface, see the “Cisco Secure ACS HTML Interface” section on page 1-21.
HTTP Port Allocation for Remote Administrative Sessions
The HTTP port allocation feature allows you to configure the range of TCP ports used by Cisco Secure ACS for remote administrative HTTP sessions (that is, administrative sessions conducted by a browser running on a computer other than the Cisco Secure ACS server). Narrowing this range with the HTTP port allocation feature reduces the risk of unauthorized access to your network by a port open for administrative sessions.
We do not recommend that you administer Cisco Secure ACS through a firewall. Doing so requires that you configure the firewall to permit HTTP traffic over the range of HTTP administrative session ports that Cisco Secure ACS uses. While narrowing this range reduces the risk of unauthorized access, a greater risk of attack remains if you allow administration of Cisco Secure ACS from outside a firewall. A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a remote web browser must access to initiate an administrative session.
Note A broad HTTP port range could create a security risk. To prevent accidental discovery of an active administrative port by unauthorized users, keep the HTTP port range as narrow as possible. Cisco Secure ACS tracks the IP address associated with each remote administrative session. An unauthorized user would have to impersonate, or “spoof”, the IP address of the legitimate remote host to make use of the active administrative session HTTP port.
For information about configuring the HTTP port allocation feature, see the “Access Policy” section on page 10-10.
Network Device Groups
With a network device group (NDG), you can view and administer a collection of AAA clients and AAA servers as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS: discrete devices such as an individual router, access server, AAA server, or PIX Firewall, and NDGs, which are named collections of AAA clients and AAA servers.
A network device can belong to only one NDG at a time. Using NDGs enables an organization with a large number of AAA clients spread across a large geographical area to logically organize its environment within Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if each region's AAA clients were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.
You can assign a group of users to an NDG. For more information on NDGs, see the “Network Device Group Configuration” section on page 4-20.
Other Administration-Related Features
In addition to the administration-related features discussed in this section, the following features are provided by Cisco Secure ACS:
Ability to define different privileges per administrator (see the “Administrator Accounts” section on page 10-1)
Ability to log administrator activities (see the “Administration Audit Log” section on page 9-17)
Ability to view a list of logged-in users (see the “Logged-In Users Report” section on page 9-11)
CSMonitor service, providing monitoring, notification, logging, and limited automated failure response (see the “Cisco Secure ACS Active Service Management” section on page 8-48)
Ability to import large numbers of users with the CSUtil.exe command-line utility (see the “Cisco Secure ACS Command-Line Database Utility” section on page E-1)
Synchronization of the CiscoSecure user database with a relational database management system (RDBMS) (see the “RDBMS Synchronization” section on page 8-24)
Replication of CiscoSecure user database components to other Cisco Secure ACS servers (see the “CiscoSecure Database Replication” section on page 8-6)
Scheduled and on-demand Cisco Secure ACS system backups (see the “Cisco Secure ACS Backup” section on page 8-40)
Ability to restore Cisco Secure ACS configuration, user accounts, and group profiles from a backup file (see the “Cisco Secure ACS System Restore” section on page 8-45)
Cisco Secure ACS HTML Interface
This section discusses the Cisco Secure ACS HTML interface and provides procedures for using it. This section contains the following topics:
About the Cisco Secure ACS HTML Interface, page 1-21
HTML Interface Layout, page 1-22
Uniform Resource Locator for the HTML Interface, page 1-24
Network Environments and Remote Administrative Sessions, page 1-24
Accessing the HTML Interface, page 1-26
Logging Off the HTML Interface, page 1-26
Online Help and Online Documentation, page 1-27
About the Cisco Secure ACS HTML Interface
After installing Cisco Secure ACS, you configure and administer it through the HTML interface. The HTML interface enables you to easily modify Cisco Secure ACS configuration from any connection on your LAN or WAN.
The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java. For a list of supported browsers, see the Release Notes. The latest revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).
The HTML interface not only makes viewing and editing user and group information possible, it also enables you to restart services, add remote administrators, change AAA client information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are logged in, list the failed authentication and authorization attempts, and show administrators' recent tasks.
HTML Interface Layout
The HTML interface has three vertical partitions, known as frames:
Navigation Bar—The gray frame on the left of the browser window, the navigation bar contains the task buttons. Each button changes the configuration area (see below) to a unique section of the Cisco Secure ACS application, such as the User Setup section or the Interface Configuration section. This frame does not change; it always contains the following buttons:
User Setup—Add and edit user profiles
Group Setup—Configure network services and protocols for groups of users
Shared Profile Components—Add and edit network access restriction and command authorization sets, to be applied to users and groups
Network Configuration—Add and edit network access devices and configure distributed systems
System Configuration—Configure database information and accounting
Interface Configuration—Display or hide product features and options to be configured
Administration Control—Define and configure access policies
External User Databases—Configure external databases for authentication
Reports and Activity—Display accounting and logging information
Online Documentation—View the Cisco Secure ACS User Guide
Configuration Area—The frame in the middle of the browser window, the configuration area displays web pages that belong to one of the sections represented by the buttons in the navigation bar. The configuration area is where you add, edit, or delete information. For example, you configure user information in this frame on the User Setup Edit page.
Note Most pages have a Submit button at the bottom. Click Submit to confirm your changes. If you do not click Submit, changes are not saved.
Display Area—The frame on the right of the browser window, the display area shows one of the following options:
Online Help—Displays basic help about the page currently shown in the configuration area. This help is not intended to offer in-depth information, but rather give some basic information about what can be accomplished in the middle frame. For more detailed information, click Section Information at the bottom of the page to go to the applicable part of Online Documentation.
Reports or Lists—Displays lists or reports, including accounting reports. For example, in User Setup you can show all usernames that start with a specific letter. The list of usernames beginning with a specified letter is displayed in this section. The usernames are hyperlinks to the specific user configuration, so clicking the name enables you to edit that user.
System Messages—Displays messages after you click Submit if you have typed in incorrect or incomplete data. For example, if the information you entered in the Password box does not match the information in the Confirm Password box in the User Setup section, Cisco Secure ACS displays an error message here. The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly.
Uniform Resource Locator for the HTML Interface
The HTML interface is available by web browser at one of the following uniform resource locators (URLs):
http://<Windows server IP address>:2002
http://<Windows server host name>:2002
From the server on which Cisco Secure ACS is installed, you can also use the following URLs:
http://localhost:2002
http://127.0.0.1:2002
Network Environments and Remote Administrative Sessions
We recommend that remote administrative sessions take place without the use of an HTTP proxy server, without a firewall between the remote browser and the Cisco Secure ACS server, and without a NAT gateway between the remote browser and the Cisco Secure ACS server. Because these limitations are not always practical, we included the following topics regarding these remote administration scenarios.
Remote Administrative Sessions and HTTP Proxy
Cisco Secure ACS does not support HTTP proxy for remote administrative sessions. If the browser used for a remote administrative session is configured to use a proxy server, Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than the actual address of the remote workstation. Remote administrative session tracking assumes each browser resides on a workstation with a unique IP.
Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the workstation. This conflicts with administrative session communication that does use the actual IP address of the workstation. For more information about IP filtering of remote administrative sessions, see the “Access Policy” section on page 10-10.
For these reasons, we do not recommend performing administrative sessions using a web browser that is configured to use a proxy server. Administrative sessions using a proxy-enabled web browser are not tested. If your web browser is configured to use a proxy server, disable HTTP proxying when attempting remote Cisco Secure ACS administrative sessions.
Remote Administrative Sessions through Firewalls
In the case of firewalls that do not perform network address translation (NAT), remote administrative sessions conducted across the firewall can require additional configuration of Cisco Secure ACS and the firewall. This is because Cisco Secure ACS assigns a random HTTP port at the beginning of a remote administrative session.
To allow remote administrative sessions from browsers outside a firewall that protects a Cisco Secure ACS server, the firewall must allow HTTP traffic across the range of ports that Cisco Secure ACS is configured to use. You can control the HTTP port range using the HTTP port allocation feature. For more information about the HTTP port allocation feature, see the “HTTP Port Allocation for Remote Administrative Sessions” section on page 1-19.
While administering Cisco Secure ACS through a firewall that is not performing NAT is possible, we do not recommend that you administer Cisco Secure ACS through a firewall. For more information, see the “HTTP Port Allocation for Remote Administrative Sessions” section on page 1-19.
Remote Administrative Sessions through a NAT Gateway
We do not recommend conducting remote administrative sessions across a network device performing NAT. If the administrator runs a browser on a workstation behind a NAT gateway, Cisco Secure ACS receives the HTTP requests from the NAT device's public IP address, which conflicts with the workstation's private IP address, included in the content of the HTTP requests. Cisco Secure ACS does not permit this.
If the Cisco Secure ACS server is behind a NAT gateway, you could configure the gateway to forward all connections to port 2002 to the Cisco Secure ACS server, using the same port. Additionally, all the ports allowed using the HTTP port allocation feature would have to be similarly mapped. We have not tested such a configuration and do not recommend implementing it.
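The session tracking that the HTTP port allocation note, the proxy section, and the NAT section above all rest on, as an added example in Python that is not part of this guide and not Cisco Secure ACS code. The port range, the broker class, the request shape, and the rejection messages are assumptions for illustration; only port 2002 as the login port, the random per-session port, and the binding of a session to the source IP are taken from the guide. The model makes the three consequences visible: every port in the range plus 2002 has to be reachable, a request whose source address differs from the bound address is refused (so an attacker must spoof it), and a request that arrives from a proxy or NAT gateway carries a workstation address in its content that does not match its source address and is refused as well.

```python
"""Remote administrative session tracking with an allocated HTTP port range.

Added example, not Cisco Secure ACS code. AdminSessionBroker, its port range
and its messages are assumptions for illustration.
"""
import secrets

LOGIN_PORT = 2002   # the port a remote browser must reach to start a session


class AdminSessionBroker:
    def __init__(self, port_range):
        # Every port in this set must be reachable through any firewall in the
        # path, which is why the guide says to keep the range narrow.
        self.free_ports = set(port_range)
        self.sessions = {}     # session port -> client IP the session is bound to

    def login(self, src_ip, authenticated):
        """Login arrives on LOGIN_PORT; returns the session port, or None."""
        if not authenticated or not self.free_ports:
            return None
        port = secrets.choice(sorted(self.free_ports))   # random port per session
        self.free_ports.remove(port)
        self.sessions[port] = src_ip
        return port

    def handle(self, port, src_ip, claimed_ip):
        """Check a request on a session port.

        claimed_ip is the workstation address carried in the request content;
        behind an HTTP proxy or a NAT gateway it differs from src_ip.
        """
        bound = self.sessions.get(port)
        if bound is None:
            return "no session on port"
        if src_ip != bound:
            return "source IP does not match session"      # needs IP spoofing to pass
        if claimed_ip != src_ip:
            return "source IP does not match workstation IP in request"
        return "ok"

    def logoff(self, port):
        """Logging off frees the port immediately instead of waiting for a timeout."""
        self.sessions.pop(port, None)
        self.free_ports.add(port)

    def exposed_ports(self):
        """Ports a firewall must pass: 2002 plus the whole allocation range."""
        return {LOGIN_PORT, *self.free_ports, *self.sessions}


if __name__ == "__main__":
    broker = AdminSessionBroker(range(20000, 20005))   # narrow range, an assumption
    port = broker.login("10.0.0.5", authenticated=True)
    print("direct:", broker.handle(port, "10.0.0.5", "10.0.0.5"))
    print("other host:", broker.handle(port, "10.0.0.9", "10.0.0.9"))
    nat_port = broker.login("203.0.113.1", authenticated=True)
    print("behind NAT:", broker.handle(nat_port, "203.0.113.1", "192.168.1.20"))
    print("firewall must pass:", sorted(broker.exposed_ports()))
```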
Accessing the HTML Interface
Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, Cisco Secure ACS also requires a valid administrator name and password for administrative sessions accessed from a browser on the Cisco Secure ACS server.
To access the HTML interface, follow these steps:
Step 1 Open a web browser. For a list of supported web browsers, see the Release Notes for the version of Cisco Secure ACS you are accessing. The latest revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).
Step 2 In the Address or Location bar in the web browser, type the applicable URL. For a list of possible URLs, see the “Uniform Resource Locator for the HTML Interface” section on page 1-24.
Step 3 If the Cisco Secure ACS for Windows 2000/NT Login page appears, follow these steps:
a. In the Username box, type a valid Cisco Secure ACS administrator name.
b. In the Password box, type the password for the administrator name you specified.
c. Click Login.
Result: The Cisco Secure ACS for Windows 2000/NT initial page appears.
Logging Off the HTML Interface
When you are finished using the HTML interface, we recommend that you log off. While Cisco Secure ACS can time out unused administrative sessions, logging off prevents unauthorized access by someone using the browser after you or by unauthorized persons using the HTTP port left open to support the administrative session.
To log off the Cisco Secure ACS HTML interface, click the Logoff button.
Note The Logoff button appears in the upper right corner of the browser window, except on the initial page, where it appears in the upper left of the configuration area.
Online Help and Online Documentation
We provide two sources of information in the HTML interface:
Online Help—Contains basic information about the page shown in the configuration area.
Online Documentation—Contains the entire user guide.
Using Online Help
Online help is the default content in the display area. For every page that appears in the configuration area, there is a corresponding online help page. At the top of each online help page is a list of topics covered by that page.
To jump from the top of the online help page to a particular topic, click the topic name in the list at the top of the page.
There are three icons that appear on many pages in Cisco Secure ACS:
Question Mark—Many subsections of the pages in the configuration area contain an icon with a question mark. To jump to the applicable topic in an online help page, click the question mark icon.
Section Information—Many online help pages contain a Section Information icon at the bottom of the page. To view an applicable section of the online documentation, click the Section Information icon.
Back to Help—Wherever you find an online help page with a Section Information icon, the corresponding page in the configuration area contains a Back to Help icon. If you have accessed the online documentation by clicking a Section Information icon and want to view the online help page again, click the Back to Help icon.
Using the Online Documentation
The Cisco Secure ACS online documentation is the user guide for Cisco Secure ACS. The user guide provides information about the configuration, operation, and concepts of Cisco Secure ACS. The information presented in the online documentation is as current as the release date of the Cisco Secure ACS version you are using. For the most up-to-date documentation about Cisco Secure ACS, please go to http://www.cisco.com.
Tip Click Section Information on any online help page to view online documentation relevant to the section of the HTML interface you are using.
To access online documentation, follow these steps:
Step 1 In the Cisco Secure ACS HTML interface, click Online Documentation.
Tip To open the online documentation in a new browser window, right-click Online Documentation, and then click Open Link in New Window (for Microsoft Internet Explorer) or Open in New Window (for Netscape Navigator).
Result: The table of contents opens in the configuration area.
Step 2 To select a topic from the table of contents, scroll through the table of contents and click the applicable topic.
Result: The online documentation for the topic selected appears in the display area.
Step 3 To select a topic from the index, follow these steps:
a. Click [Index].
Result: The index appears in the display area.
b. Scroll through the index to find an entry for the topic you are researching.
Tip Use the lettered shortcut links to jump to a particular section of the index.
Result: Entries appear with numbered links after them. The numbered links lead to separate instances of the entry topic.
c. Click an instance number for the desired topic.
Result: The online documentation for the topic selected appears in the display area.
Step 4 To print the online documentation, click in the display area, and then click Print in your browser's navigation bar.
Chapter 2 Deploying Cisco Secure ACS
Deployment of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) can be a complex and iterative process that differs depending on the specific implementation required. This chapter provides insight into many aspects of the deployment process; it is designed not as a one-size-fits-all procedure, but as a collection of interconnected factors that you should consider before you install Cisco Secure ACS.
The level of complexity in deploying Cisco Secure ACS reflects the evolving nature of AAA servers in general, and the advanced capabilities, flexibility, and features of Cisco Secure ACS in particular. When AAA was first conceived, its main purpose was to provide a centralized point of control for user access via dial-up services. As user databases grew and the locations of the access servers became more dispersed, more capability was required of the AAA server. Regional, then global, requirements became common. Today, Cisco Secure ACS is required to provide AAA services for dial-up access, dial-out access, wireless, VLAN access, firewalls, VPN concentrators, administrative controls, and more. The list of external databases supported has also continued to grow, and the employment of multiple databases, as well as multiple Cisco Secure ACSs, has become more common. Regardless of the scope of your particular Cisco Secure ACS deployment, the information contained in this chapter should prove valuable. If you have particular deployment questions not addressed in this guide, contact your Cisco technical representative for assistance.
This chapter contains the following sections:
Basic Deployment Requirements for Cisco Secure ACS, page 2-2
Basic Deployment Factors for Cisco Secure ACS, page 2-4
Suggested Deployment Sequence, page 2-18
Basic Deployment Requirements for Cisco Secure ACS
This section details the minimum requirements you must meet to be able to successfully deploy Cisco Secure ACS. The following topics are covered:
System Requirements, page 2-2
Hardware Requirements, page 2-2
Operating System Requirements, page 2-3
Third-Party Software Requirements, page 2-3
Network Requirements, page 2-4
System Requirements
Your Cisco Secure ACS server must meet the minimum hardware and software requirements detailed in the sections that follow.
Hardware Requirements
Your Cisco Secure ACS server must meet the following minimum hardware requirements:
Pentium III processor, 550 MHz or faster
256 MB of RAM
At least 250 MB of free disk space. If you are running your database on the same machine, more disk space is required.
Minimum graphics resolution of 256 colors at 800 x 600 pixels
Operating System Requirements
Your Cisco Secure ACS server must have an English-language version of one of the following Microsoft Windows operating systems installed:
Windows 2000 Server with Service Pack 1 or Service Pack 2 installed
Windows 2000 Advanced Server, with these additional requirements:
without Microsoft Clustering Services installed
with Service Pack 1 or Service Pack 2 installed.
Windows 2000 Datacenter Server, with these additional requirements:
without Microsoft Clustering Services installed
with Service Pack 1 or Service Pack 2 installed.
Windows NT Server 4.0 with Service Pack 6a installed.
Windows Service Packs can be applied either before or after installing Cisco Secure ACS. If you do not install a required Service Pack before installing Cisco Secure ACS, the Cisco Secure ACS installation program warns you that the required Service Pack is not present on your server. If you receive a Service Pack message, continue the installation, and then install the required Service Pack before starting user authentication with Cisco Secure ACS.
For the latest information about tested operating systems and service packs, see the Release Notes. The latest version of the Release Notes is posted at http://www.cisco.com.
Third-Party Software Requirements
Your Cisco Secure ACS server must have a compatible browser installed. Cisco Secure ACS has been tested with the following browsers on Microsoft Windows operating systems:
Microsoft Internet Explorer 5.0 and 5.5
Netscape Communicator 4.76
Note Both Java and JavaScript must be enabled in browsers used to administer Cisco Secure ACS.
For the latest information about tested browsers and other third-party applications, such as Novell NDS clients and token-card clients, see the Release Notes. The latest version of the Release Notes is posted on http://www.cisco.com.
Network Requirements
Your network should meet the following requirements before you begin installing Cisco Secure ACS.
To have Cisco Secure ACS use the Grant Dial-in Permission to User feature in Windows when authorizing network users, make sure this option is checked in the Windows NT User Manager or Windows 2000 Active Directory Users and Computers for the applicable user accounts.
For full TACACS+ and RADIUS support on Cisco IOS devices, make sure that your AAA clients are running Cisco IOS Release 11.2 or later.
Make sure that any non-Cisco IOS AAA clients can be configured with TACACS+ and/or RADIUS.
Make sure that dial-in, VPN, or wireless clients can successfully connect to the applicable AAA clients.
Make sure that the Windows server can ping AAA clients.
Make sure a compatible web browser is installed on the Windows server. For more information, see the “Third-Party Software Requirements” section on page 2-3.
Basic Deployment Factors for Cisco Secure ACS
Generally, the ease in deploying Cisco Secure ACS is directly related to the complexity of the implementation planned and the degree to which you have defined your policies and requirements. This section presents some of the basic factors you should consider before you begin implementing Cisco Secure ACS.
This section includes the following topics:
Network Topology, page 2-5
Remote Access Policy, page 2-13
Security Policy, page 2-14
Administrative Access Policy, page 2-14
Database, page 2-17
Network Speed and Reliability, page 2-18
Network Topology
How the enterprise network is configured is likely to be the single most important factor in deciding how to deploy Cisco Secure ACS. While an exhaustive treatment of this topic is beyond the scope of this guide, this section details how the growth of network topology options has made Cisco Secure ACS deployment decisions more complex.
When AAA was first considered, network access was restricted to either devices directly connected to the LAN or remote devices gaining access via modem. Today, enterprise networks can be very complex and, thanks to tunneling technologies, can be widely geographically dispersed.
Dial-Up Topology
In the traditional model of dial-up access (a PPP connection), a user employing a modem or ISDN connection is granted access to an intranet via a network access server (NAS) functioning as a AAA client. Users may be able to connect via only a single AAA client as in a small business, or have the option of numerous geographically dispersed AAA clients.
In the small LAN environment (see Figure 2-1 on page 2-6), network architects typically place a single Cisco Secure ACS internal to the AAA client, protected from outside access by means of a firewall and the AAA client. In this environment, the user database is usually small, there are few devices that require access to the Cisco Secure ACS for AAA, and any database replication is limited to a secondary Cisco Secure ACS as a backup.
Figure 2-1 Small Dial-up Network [figure: a modem user reaches server-based dial access over the PSTN; the Cisco Secure Access Control Server sits on the internal network]

In a larger dial-in environment, a single Cisco Secure ACS installation with a backup may be suitable, too. The suitability of this configuration depends on network and server access latency. Figure 2-2 on page 2-7 shows an example of a large dial-in arrangement. In this scenario the addition of a backup Cisco Secure ACS unit is recommended.
Figure 2-2 Large Dial-up Network [figure: Cisco AS5300 access servers front UNIX, Novell, Windows NT, and Macintosh servers and the Cisco Secure Access Control Server]
In a very large, geographically dispersed network (see Figure 2-3 on page 2-8), there may be access servers located in different parts of a city, in different cities, or on different continents. A central Cisco Secure ACS may work if network latency is not an issue, but connection reliability over long distances may cause problems. In this case, local Cisco Secure ACS installations may be preferable to a central server. If the need for a globally coherent user database is paramount, database replication or synchronization from a central server may be necessary. This may be further complicated by the use of external databases (such as Windows NT/2000 or the Lightweight Directory Access Protocol [LDAP]) for authentication. Additional security measures may be required to protect the network and user information being forwarded across the WAN. This combines topology and security factors. Such a case calls for adding an encrypted connection between regions.
Figure 2-3 Geographically Dispersed Network [figure: three regional Cisco Secure Access Control Servers connected across a WAN]

Wireless Network
The wireless network access point is a relatively new client for AAA services. The wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN. Authentication is absolutely necessary due to the ease of access to the AP. Encryption is also a necessity because of the ease of eavesdropping on communications. As such, security plays an even bigger role than in the dial-up scenario and is discussed in more detail later in this section.
Scaling can be a serious issue in the wireless network. As with the dial-up network, the mobility of wireless LAN (WLAN) users calls for the same kind of planning. Unlike the wired LAN, however, the WLAN can be more readily expanded. Though WLAN technology does have physical limits as to the number of users that can be connected via an AP, the number of APs can grow quickly. As with the dial-up network, you can structure your WLAN to allow full access for all users, or to provide restricted access to different subnets between sites, buildings, floors, or rooms. This brings up a unique issue with the WLAN: the ability of a user to “roam” between APs.
In the simple WLAN, there may be a single AP installed; see Figure 2-4. Because there is only one AP, the primary issue is security. In this environment, there is generally a small user base and few network devices to worry about. Providing AAA services to the other devices on the network does not cause any significant additional load on the Cisco Secure ACS.
Figure 2-4 Simple WLAN [figure: a single Cisco Aironet AP bridged to the network, with the Cisco Secure Access Control Server on the LAN]
In the LAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy Cisco Secure ACS become a little more involved. Though Figure 2-5 on page 2-10 shows all APs on the same LAN, they may be distributed throughout the LAN, connected via routers, switches, and so forth. In the larger, geographical distribution of WLANs, deployment of Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs; see Figure 2-3 on page 2-8.
Figure 2-5 Campus WLAN [figure: multiple Cisco Aironet APs and a dial-up connection share a LAN with UNIX, Novell, Windows NT, and Macintosh servers and the Cisco Secure Access Control Server]
This is particularly true when the regional topology is the campus WLAN. This model starts to change when you deploy WLANs in many small sites that more resemble the simple WLAN shown in Figure 2-4 on page 2-9. This model may be applicable to a chain of small stores distributed throughout a city or state, nationally, or globally; see Figure 2-6 on page 2-11.
Figure 2-6 Large Deployment of Small Sites [figure: many small single-AP sites; image not extracted]
For the model in Figure 2-6, the decision where to site Cisco Secure ACS depends on whether users from the entire network need access on any AP, or whether they only require regional or local network access. This, along with database type, controls whether local or regional Cisco Secure ACS installations are required, and how database continuity is maintained. In this very large deployment model, security becomes a more complicated issue, too.
Remote Access using VPN
Virtual Private Networks (VPNs) use advanced encryption and tunneling to permit organizations to establish secure, end-to-end, private network connections over third-party networks, such as the Internet or extranets; see Figure 2-7 on page 2-12. The benefits of a VPN include the following:
Cost Savings—By leveraging third-party networks with VPN, organizations no longer have to use expensive leased or frame relay lines and can connect remote users to their corporate networks via a local Internet service provider (ISP) instead of via expensive 800-number or long distance calls to resource-consuming modem banks.
Security—VPNs provide the highest level of security using advanced encryption and authentication protocols that protect data from unauthorized access.
Scalability—VPNs allow corporations to use remote access infrastructure within ISPs. Therefore, corporations can add a virtually unlimited amount of capacity without adding significant infrastructure.
Compatibility with Broadband Technology—VPNs allow mobile workers, telecommuters, and day extenders to take advantage of high-speed, broadband connectivity, such as DSL and cable, when gaining access to their corporate networks, providing workers significant flexibility and efficiency.
Figure 2-7 Simple VPN Configuration [figure: a tunnel across the WAN terminates on a VPN concentrator, with the Cisco Secure Access Control Server on the internal network]
There are two types of VPN access into a network, as follows:
Site-to-Site VPNs—Extend the classic WAN by providing large-scale encryption between multiple fixed sites such as remote offices and central offices, over a public network, such as the Internet.
Remote Access VPNs—Permit secure, encrypted connections between mobile or remote users and their corporate networks via a third-party network, such as a service provider, via VPN client software.
Generally speaking, site-to-site VPNs can be viewed as a typical WAN connection, are not usually configured to use AAA to secure the initial connection, and are likely to use the device-oriented IPSec tunneling protocol. Remote Access VPNs, however, are similar to classic remote connection technology (modem/ISDN) and lend themselves to using the AAA model very effectively; see Figure 2-8 on page 2-13.
Figure 2-8 Enterprise VPN Solution [figure: a home office and a mobile worker connect through their ISPs and tunnels across the Internet to a VPN concentrator, with the Cisco Secure Access Control Server on the internal network]
For more information about implementing VPN solutions, see the reference guide A Primer for Implementing a Cisco Virtual Private Network.
Remote Access Policy
Remote access is a broad concept. In general, it defines how the user can connect to the LAN, or from the LAN to outside resources (that is, the Internet). There are several ways this may occur. The methods include dial-in, ISDN, wireless bridges, and secure Internet connections. Each method has its own advantages and disadvantages, and presents a unique challenge to providing AAA services. This closely ties remote access policy to the enterprise network topology. In addition to the method of access, other decisions can also affect how Cisco Secure ACS is deployed; these include specific network routing (access lists), time-of-day access, individual restrictions on AAA client access, access control lists (ACLs), and so on.
Remote access policies can be implemented for employees who telecommute or for mobile users who dial in over ISDN or public switched telephone network (PSTN). Such policies are enforced at the corporate campus with Cisco Secure ACS and the AAA client. Inside the enterprise network, remote access policies can control wireless access by individual employees.
Cisco Secure ACS remote access policy provides control by using central authentication and authorization of remote users. The CiscoSecure user database maintains all user IDs, passwords, and privileges. Cisco Secure ACS access policies can be enforced by downloading ACLs to network access servers such as the Cisco AS5300 Network Access Server, by allowing access only during specific periods, or by restricting access to specific access servers.
The remote access policy is part of the overall corporate security policy.
Security Policy
We recommend that every organization that maintains a network develop a security policy for the organization. The sophistication, nature, and scope of your security policy directly affect how you deploy Cisco Secure ACS.
For more information about developing and maintaining a comprehensive security policy, refer to the following documents:
Network Security Policy: Best Practices White Paper
Delivering End-to-End Security in Policy-Based Networks
Cisco IOS Security Configuration Guide
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network. Local authentication on a network device can be performed, but it is not scalable. The use of network management tools can help in large networks, but if local authentication is used on each network device, the policy usually consists of a single login on the network device. This does not promote adequate network device security. Using Cisco Secure ACS allows a centralized administrator database, and administrators can be added or deleted at one location. TACACS+ is the recommended AAA protocol for controlling AAA client administrative access because of its ability to provide per-command control (command authorization) of an administrator's access to the AAA client. RADIUS is not well suited for this purpose because it transfers authorization information only once, at the time of initial authentication.
The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, Cisco Secure ACS can be used with command authorization per network device to restrict network administrators as necessary. Using local authentication restricts the administrative access policy to either a single login on a device or the use of privilege levels to control access. Controlling access by means of privilege levels is cumbersome and not very scalable. It requires that the privilege levels of specific commands be altered on the AAA client device and that specific privilege levels be defined for the user login. It is also very easy to create more problems by editing command privilege levels. Using command authorization on Cisco Secure ACS does not require that you alter the privilege level of controlled commands. The AAA client sends the command to Cisco Secure ACS to be parsed, and Cisco Secure ACS determines whether the administrator has permission to use the command. The use of AAA allows authentication on any AAA client for any user on Cisco Secure ACS and facilitates limiting access to these devices on a per-AAA client basis.
A small network with a small number of network devices may require only one or two individuals to administer it. Local authentication on the device is usually sufficient. If you require more granular control than that which authentication can provide, some means of authorization is necessary. As discussed earlier, controlling access using privilege levels can be cumbersome. Cisco Secure ACS reduces this problem.
In large enterprise networks, with many devices to administer, the use of Cisco Secure ACS becomes a practical necessity. Because administration of many devices requires a larger number of network administrators with varying levels of access, local control is simply not a viable way of keeping track of the network device configuration changes required when administrators or devices change. Network management tools such as CiscoWorks2000 help to ease this burden, but maintaining security is still an issue. Because Cisco Secure ACS can comfortably handle up to 100,000 users, the number of network administrators that Cisco Secure ACS supports is rarely an issue. If there is a large remote access population using RADIUS for AAA support, the corporate IT team should consider separate TACACS+ authentication using Cisco Secure ACS for the administrative team. This isolates the general user population from the administrative team and reduces the likelihood of inadvertent access to network devices. If this is not a suitable solution, using TACACS+ for administrative (shell/exec) logins and RADIUS for remote network access provides sufficient security for the network devices.
Separation of Administrative and General Users
It is important to keep the general network user from accessing network devices. Even though the general user may not have any intention to hack the system, inadvertent access could easily cause accidental disruption to network access. Separation of the general user from the administrative user falls into the realm of AAA and Cisco Secure ACS.
The easiest, and recommended, method to perform such separation is to use RADIUS for the general remote access user and TACACS+ for the administrative user. An issue that arises is that an administrator may also require remote network access, like the general user. If you use Cisco Secure ACS this poses no problem. The administrator can have both RADIUS and TACACS+ configurations in Cisco Secure ACS. Using authorization, RADIUS users can have PPP (or other network access protocols) set as the permitted protocol. Under TACACS+, only the administrator would be configured to allow shell (exec) access.
For example, if the administrator is dialing into the network as a general user, the AAA client would use RADIUS as the authenticating/authorizing protocol and the PPP protocol would be authorized. In turn, if the same administrator remotely connects to a AAA client to make configuration changes, the AAA client would use the TACACS+ protocol for authentication/authorization. Because this administrator is configured on Cisco Secure ACS with permission for shell under TACACS+, the administrator would be authorized to log in to that device. This does require that the AAA client have two separate configurations on Cisco Secure ACS, one for RADIUS and one for TACACS+. An example of a AAA client configuration under IOS that effectively separates PPP and shell logins follows:
aaa new-model
tacacs-server host ip-address
tacacs-server key secret-key
radius-server host ip-address
radius-server key secret-key
aaa authentication ppp default group radius
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization network default group radius
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
username user password password
line con 0
 login authentication console
Conversely, if a general user attempts to use their remote access credentials to log in to a network device, Cisco Secure ACS checks and approves the user's username and password, but the authorization process fails because that user does not have credentials that allow shell/exec access to the device.
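The two decisions this section walks through (service authorization per protocol, so that a shared user record yields PPP under RADIUS but shell only for administrators under TACACS+, and the per-command authorization discussed under Administrative Access Policy, where the AAA client forwards the typed command and the server parses it against a command set) can be modelled in a few lines. The following Python is an added example written for this page; it is not Cisco Secure ACS code and uses no ACS API. The user names, passwords, and the command set are constructed sample data, and the glob-style argument matching is an assumption made for illustration.

```python
"""Toy model of the Cisco Secure ACS authorization split described in the
text: one user record, separate RADIUS and TACACS+ service profiles, and a
TACACS+ command authorization set. Added example, not ACS code."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CommandSet:
    """Command authorization set: command -> [(argument glob, permit|deny)].
    Rules are tried in order; a command that is not listed falls through to
    `unmatched`, which defaults to deny (assumed glob matching)."""
    rules: Dict[str, List[Tuple[str, str]]]
    unmatched: str = "deny"

    def check(self, command: str, args: str = "") -> bool:
        if command not in self.rules:
            return self.unmatched == "permit"
        for pattern, action in self.rules[command]:
            if fnmatch(args, pattern):
                return action == "permit"
        return False  # listed command, but no argument rule matched


@dataclass
class User:
    name: str
    password: str
    radius_services: Set[str] = field(default_factory=set)  # e.g. {"ppp"}
    tacacs_services: Set[str] = field(default_factory=set)  # e.g. {"shell"}
    command_set: Optional[CommandSet] = None


class AcsModel:
    """Authentication is shared; authorization is per protocol and service."""

    def __init__(self, users: List[User]) -> None:
        self.users = {u.name: u for u in users}

    def authenticate(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        return user is not None and user.password == password

    def authorize(self, name: str, protocol: str, service: str) -> bool:
        user = self.users[name]
        profile = user.radius_services if protocol == "radius" else user.tacacs_services
        return service in profile

    def authorize_command(self, name: str, command: str, args: str = "") -> bool:
        # Mirrors "aaa authorization commands 15 default group tacacs+": the
        # AAA client forwards the command and the server decides. A user
        # without shell permission never gets a command permitted.
        user = self.users[name]
        if "shell" not in user.tacacs_services or user.command_set is None:
            return False
        return user.command_set.check(command, args)


def login(acs: AcsModel, name: str, password: str, protocol: str, service: str) -> str:
    """Outcome of one AAA client request, in the order the text describes."""
    if not acs.authenticate(name, password):
        return "authentication failed"
    if not acs.authorize(name, protocol, service):
        return "authenticated, authorization failed"
    return "authorized"


def build_demo() -> AcsModel:
    # Constructed sample data; names and passwords are placeholders.
    admin_cmds = CommandSet(rules={
        "show": [("running-config*", "deny"), ("*", "permit")],
        "configure": [("terminal", "permit")],
    })
    admin = User("netadmin", "Adm1n-Pass", radius_services={"ppp"},
                 tacacs_services={"shell"}, command_set=admin_cmds)
    general = User("jdoe", "User-Pass", radius_services={"ppp"})
    return AcsModel([admin, general])


if __name__ == "__main__":
    acs = build_demo()
    print(login(acs, "netadmin", "Adm1n-Pass", "radius", "ppp"))    # authorized
    print(login(acs, "netadmin", "Adm1n-Pass", "tacacs+", "shell"))  # authorized
    print(login(acs, "jdoe", "User-Pass", "radius", "ppp"))          # authorized
    print(login(acs, "jdoe", "User-Pass", "tacacs+", "shell"))       # authenticated, authorization failed
    print(acs.authorize_command("netadmin", "show", "running-config"))  # False
    print(acs.authorize_command("netadmin", "show", "ip route"))        # True
```

The general user's shell attempt fails at authorization, not authentication, which is the behaviour the paragraph above describes; the same record still gets PPP under RADIUS. The command set defaults to deny for anything not listed, which is the safer default for an administrative policy.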
Database
Aside from topological considerations, the database is one of the most influential factors involved in making deployment decisions for Cisco Secure ACS. The size of the user base, distribution of users throughout the network, access requirements, and type of database employed all contribute to how Cisco Secure ACS is used.
Number of Users
Cisco Secure ACS is designed for the enterprise environment, comfortably handling 100,000 users. This is usually more than adequate for a corporation. In an environment that exceeds these numbers, the user base would typically be geographically dispersed, which lends itself to the use of more than one Cisco Secure ACS configuration. A WAN failure could render a local network inaccessible because of the loss of the authentication server. In addition to this issue, reducing the number of users that a single Cisco Secure ACS handles improves performance by lowering the number of logins occurring at any given time and by reducing the load on the database itself.
Type of Database
Cisco Secure ACS supports a number of database options. Under the current version, the options include using the CiscoSecure user database or using remote authentication via any of the external databases supported. For more information about database options, types, and features, see the “Authentication and User Databases” section on page 1-8, or Chapter 11, Working with User Databases, or Chapter 12, Administering External User Databases. Each database option has its own advantages and limitations in scalability and performance.
Network Speed and Reliability
Network speed (that is, network latency) and network reliability are also important factors in how Cisco Secure ACS is deployed. Delays in authentication can result in timeouts at the end user's client or at the AAA client.
The general rule for large, extended networks, such as a globally dispersed corporation, is to have at least one Cisco Secure ACS deployed in each region. This may not be adequate without a reliable, high-speed connection between sites. Many corporations are now using secure VPN connections between sites, using the Internet to provide the link. This saves time and money, but does not provide the speed and reliability that a dedicated frame relay or T1 link would provide. If authentication is critical to maintain business functionality, as in the case of a store having cash registers linked via a wireless LAN, the loss of the WAN connection to a remote Cisco Secure ACS could be catastrophic.
The same issue applies to an external database used by Cisco Secure ACS. The database should be deployed near enough to the Cisco Secure ACS installation to ensure reliable and timely access. Using a local Cisco Secure ACS with a remote database can result in the same problems as using a remote Cisco Secure ACS. Another possible problem in this scenario is that a user may experience timeouts: the AAA client would be able to contact Cisco Secure ACS, but Cisco Secure ACS would wait for a reply from the external user database that might be delayed or never arrive. If the Cisco Secure ACS were remote, the AAA client would time out and try an alternative method to authenticate the user, but in the remote-database case it is likely the end user's client would time out first, before the AAA client's own timeout triggers any fallback.
Suggested Deployment Sequence
While there is no single, one-size-fits-all process for all Cisco Secure ACS deployments, you should consider following the sequence, keyed to the high-level functions represented in the navigation toolbar. Also bear in mind that many of these deployment activities are iterative in nature; you may find that you repeatedly return to such tasks as interface configuration as your deployment proceeds.
Configure Administrators—You should configure at least one administrator at the outset of deployment; otherwise, there is no remote administrative access and all configuration activity must be done from the server. You should also have a detailed plan for establishing and maintaining an administrative policy. For more information about setting up administrators, see Chapter 10, Setting Up and Managing Administrators and Policy.
Configure the Cisco Secure ACS HTML Interface—You can configure the Cisco Secure ACS HTML interface to show only those features and controls that you intend to use. This makes using Cisco Secure ACS less difficult than it would be if you had to contend with multiple parts of the HTML interface that you did not plan to use. The price of this convenience can sometimes be frustration that features and controls do not appear because you failed to configure them in the Interface Configuration section. For guidance on configuring the HTML interface, see the “Interface Design Concepts” section on page 3-2.
For information about configuring particular aspects of the HTML interface, see the following sections of the interface configuration chapter:
User Data Configuration Options, page 3-3
Advanced Options, page 3-4
Protocol Configuration Options for TACACS+, page 3-7
Protocol Configuration Options for RADIUS, page 3-10
Configure System—There are more than a dozen functions within the System Configuration section to be considered, from setting the format for the display of dates and password validation to configuring settings for database replication and RDBMS synchronization. These functions are detailed in Chapter 8, Establishing Cisco Secure ACS System Configuration. Of particular note during initial system configuration is setting up the logs and reports to be generated by Cisco Secure ACS; for more information, see Chapter 9, Working with Logging and Reports.
Configure Network—You control distributed and proxied AAA functions in the Network Configuration section of the HTML interface. From here, you establish the identity, location, and grouping of AAA clients and servers, and determine what authentication protocols each is to employ. For more information, see Chapter 4, Setting Up and Managing Network Configuration.
Configure External User Database—During this phase of deployment you must decide whether and how you intend to implement an external database to establish and maintain user authentication accounts. Typically, this decision is made according to your existing network administration mechanisms. For information about the types of databases Cisco Secure ACS supports and instructions for establishing them, see Chapter 11, Working with User Databases.
Along with the decision to implement an external user database (or databases), you should have detailed plans that specify your requirements for Cisco Secure ACS database replication, backup, and synchronization. These aspects of configuring CiscoSecure user database management are detailed in Chapter 8, Establishing Cisco Secure ACS System Configuration.
Configure Shared Profile Components—With most aspects of network configuration already established and before configuring user groups, you should configure your Shared Profile Components. When you set up and name the network access restrictions and command authorization sets you intend to employ, you lay out an efficient basis for specifying user group and single user access privileges. For more information about Shared Profile Components, see Chapter 5, Setting Up and Managing Shared Profile Components.
Configure Groups—Having previously configured any external user databases you intend to employ, and before configuring your user groups, you should decide how to implement two other Cisco Secure ACS features related to external user databases: unknown user processing and database group mapping. For more information, see the “Unknown User Processing” section on page 12-1 and the “Database Group Mappings” section on page 12-10. Then, you are able to configure your user groups with a complete plan of how Cisco Secure ACS is to implement authorization and authentication. For more information, see the “Setting Up and Managing User Groups” section on page 6-1.
Configure Users—With groups established, you can establish user accounts. It is useful to remember that a particular user can belong to only one user group, and that settings made at the user level override settings made at the group level. For more information, see Chapter 7, Setting Up and Managing User Accounts.
Configure Reports—Using the Reports and Activities section of the Cisco Secure ACS HTML interface, you can specify the nature and scope of logging that Cisco Secure ACS performs. For more information, see Chapter 9, Working with Logging and Reports.
Chapter 3 Setting Up the Cisco Secure ACS HTML Interface
Ease of use is the overriding design principle of the HTML interface in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator. The Interface Configuration section of Cisco Secure ACS enables you to configure the Cisco Secure ACS HTML interface: you can tailor the interface to simplify the screens you will use by hiding the features that you do not use and by adding fields for your specific configuration.
This chapter presents the details of configuring the Cisco Secure ACS interface through four topics:
User Data Configuration Options, page 3-3
Advanced Options, page 3-4
Protocol Configuration Options for TACACS+, page 3-7
Protocol Configuration Options for RADIUS, page 3-10
While it is logical to begin your Cisco Secure ACS configuration efforts here, configuring the interface, we also recommend that you return to this section to review and confirm your initial settings. Sometimes a section of the HTML interface that you initially believed should be hidden from view may later require configuration from within this section.
Tip If a section of the Cisco Secure ACS HTML interface appears to be missing or broken, return to the Interface Configuration section and confirm that the particular section has been activated.
Interface Design Concepts
Before you begin to configure the Cisco Secure ACS HTML interface for your particular configuration, it is helpful to understand a few basic precepts of the system's operation. The information in the following sections is necessary for effective interface configuration.
User-to-Group Relationship
A user can belong to only one group at a time. As long as there are no conflicting attributes, users inherit group settings.
Note If a user profile has an attribute configured differently from the same attribute in the group profile, the user setting always overrides the group setting.
If a user has a unique configuration requirement, you can make that user a part of a group and set unique requirements on the User Setup page, or you can assign that user to his or her own group.
Per-User or Per-Group Features
You can configure most features at both group and user levels, with the following exceptions:
User level only—Static IP address, password, and expiration
Group level only—Password aging and time-of-day/day-of-week restrictions
User Data Configuration Options
The Configure User Defined Fields page enables you to add (or edit) up to five fields for recording information on each user. The fields you define in this section subsequently appear in the Supplementary User Information section at the top of the User Setup page. For example, you could add the user's company name, telephone number, department, billing code, and so on. You can also include these fields in the accounting logs. For more information about the accounting logs, see the “About Cisco Secure ACS Logs and Reports” section on page 9-4. For information on the data fields that comprise these options, see the “User-Defined Attributes” section on page G-34.
Defining New User Data Fields
To configure new user data fields, follow these steps:
Step 1 Click Interface Configuration and then click User Data Configuration.
Result: The Configure User Defined Fields page appears. Check boxes in the Display column indicate which fields are configured to appear in the Supplementary User Information section at the top of the User Setup page.
Step 2 Select a check box in the Display column.
Step 3 In the corresponding Field Title box, type a title for the new field.
Step 4 To configure another field, repeat step 2 and step 3.
Step 5 When you have finished configuring new user data fields, click Submit.
Tip You can change the title of a field by editing the text in the Field Title box and then clicking Submit.
Advanced Options
This feature enables you to determine which advanced features Cisco Secure ACS displays. You can simplify the pages displayed in other areas of the Cisco Secure ACS HTML interface by hiding advanced features that you do not use. Many of these options do not appear if they are not enabled.
Caution Disabling an advanced option in the Interface Configuration section does not affect anything except the display of that function in the Cisco Secure ACS HTML interface. Settings made while an advanced option was active (selected) remain in effect when that advanced option is no longer displayed in the interface (de-selected). Further, the interface displays any advanced option that is enabled or has non-default values, even if you have configured that advanced option to be hidden. If you later disable the option or delete its value, Cisco Secure ACS hides the advanced option.
The advanced option features include the following:
Per-User TACACS+/RADIUS Attributes—When selected, this feature enables TACACS+/RADIUS attributes to be set at a per-user level, in addition to being set at the group level.
User-Level Network Access Restriction Sets—When selected, this feature enables the Shared Profile Component network access restrictions (NARs) options on the User Setup page. These options allow you to apply previously configured, named, IP-based and CLID/DNIS-based NARs at the user level. For information on defining a NAR, or NAR set, within Shared Profile Components, see the “Shared Network Access Restrictions Configuration” section on page 5-7.
User-Level Network Access Restrictions—When selected, this feature enables the two sets of options for defining user-level, IP-based and CLI/DNIS-based NARs on the User Setup page.
User-Level Downloadable ACLs—When selected, this feature enables the Downloadable ACLs section on the User Setup page.
Default Time-of-Day/Day-of-Week Specification—When selected, this feature enables the default time-of-day/day-of-week access settings grid on the Group Setup page.
Group-Level Network Access Restriction Sets—When selected, this feature enables the Shared Profile Component NAR options on the Group Setup page. These options allow you to apply previously configured, named, IP-based and CLID/DNIS-based NARs at the group level. For information on defining a NAR, or NAR set, within Shared Profile Components, see the “Shared Network Access Restrictions Configuration” section on page 5-7.
Group-Level Network Access Restrictions—When selected, this feature enables the two sets of options for defining group-level, IP-based and CLI/DNIS-based NARs on the Group Setup page.
Group-Level Downloadable ACLs—When selected, this feature enables the Downloadable ACLs section on the Group Setup page.
Group-Level Password Aging—When selected, this feature enables the Password Aging section on the Group Setup page. The Password Aging feature enables you to force users to change their passwords.
Max Sessions—When selected, this feature enables the Max Sessions section on the User Setup and Group Setup pages. The Max Sessions option sets the maximum number of simultaneous connections for a group or a user.
Usage Quotas—When selected, this feature enables the Usage Quotas sections on the User Setup and Group Setup pages. The Usage Quotas option sets one or more quotas for usage by a group or a user.
Distributed System Settings—When selected, this feature displays the AAA server and proxy table on the Network Interface page. If the tables are not empty and have information other than the defaults in them, they always appear.
Remote Logging—When selected, this feature enables the Remote Logging feature in the Logging page of the System Configuration section.
Cisco Secure ACS Database Replication—When selected, this feature enables the Cisco Secure ACS database replication information on the System Configuration page.
RDBMS Synchronization—When selected, this feature enables the RDBMS (Relational Database Management System) Synchronization option on the System Configuration page. If RDBMS Synchronization is configured, this option always appears.
IP Pools—When selected, this feature enables the IP Pools Address Recovery and IP Pools Server options on the System Configuration page.
Network Device Groups—When selected, this option enables network device groups (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers). This feature is useful if you have many devices to administer.
Voice over IP (VoIP) Group Settings—When selected, this feature enables the VoIP option on the Group Setup page.
Voice-over-IP (VoIP) Accounting Configuration—When selected, this feature enables the VoIP Accounting Configuration option on the System Configuration page. This option is used to determine the logging format of RADIUS VoIP accounting packets.
ODBC Logging—When selected, this feature enables the ODBC logging sections on the Logging page of the System Configuration section.
Setting Advanced Options for the Cisco Secure ACS User Interface
To set advanced options for the Cisco Secure ACS HTML interface, follow these steps:
Step 1 Click Interface Configuration.
Step 2 Click Advanced Options.
Result: The Advanced Options table appears.
Step 3 Select each option that you want displayed (enabled) in the Cisco Secure ACS HTML interface.
Caution Disabling an advanced option in the Interface Configuration section does not affect anything except the display of that function in the Cisco Secure ACS interface. Settings made while an advanced option was active (selected) remain in effect when that advanced option is no longer displayed in the interface (de-selected).
Step 4 When you have finished making selections, click Submit.
Result: Cisco Secure ACS alters the contents of various sections of the HTML interface according to the selections made.
Protocol Configuration Options for TACACS+
The TACACS+ (Cisco) section details the configuration of the Cisco Secure ACS HTML interface for TACACS+ settings. The interface settings enable you to display or hide TACACS+ administrative and accounting options. You can simplify the HTML interface by hiding the features that you do not use.
The TACACS+ (Cisco) section comprises three distinct areas, as follows:
Tip The default interface setting presents a single column of check boxes, at the group level only, for selecting TACACS+ Services Settings and New Service Settings. To view two columns of check boxes that enable you to configure settings at the Group level or the User level, you must have enabled the Per-user TACACS+/RADIUS Attributes option on the Advanced Options page of the Interface Configuration section.
TACACS+ Services Settings—In this area is a list of the most commonly used services and protocols for TACACS+. You select each TACACS+ service that you want to appear as a configurable option on either the User Setup page or Group Setup page.
New Services—In this area you can enter any services or protocols particular to your network configuration.
Advanced Configuration Options—In this area you can add more detailed information for even more tailored configurations.
The four items you can choose to hide or display are as follows:
Advanced TACACS+ Features—This option displays or hides the Advanced TACACS+ Options section on the User Setup page. These options include Privilege Level Authentication and Outbound Password Configuration for SENDPASS and SENDAUTH clients, such as routers.
Display a Time-of-Day access grid for every TACACS+ service where you can override the default Time-of-Day settings—If this option is selected, a grid appears on the User Setup page that enables you to override the TACACS+ scheduling attributes on the Group Setup page.
You can control the use of each TACACS+ service by the time of day and day of week. For example, you can restrict Exec (Telnet) access to business hours but permit PPP-IP access at any time.
The default setting is to control time-of-day access for all services as part of authentication. However, you can override the default and display a time-of-day access grid for every service. This keeps user and group setup easy to manage, while making this feature available for the most sophisticated environments. This feature applies only to TACACS+ because TACACS+ can separate the authentication and authorization processes. RADIUS time-of-day access applies to all services. If both TACACS+ and RADIUS are used simultaneously, the default time-of-day access applies to both. This provides a common method to control access regardless of the access control protocol.
Display a window for each service selected in which you can enter customized TACACS+ attributes—If this option is selected, an area appears on the User Setup and Group Setup pages that enables you to enter custom TACACS+ attributes.
Cisco Secure ACS can also display a custom command field for each service. This text field enables you to make specialized configurations to be downloaded for a particular service for users in a particular group.
You can use this feature to send many TACACS+ commands to the access device for the service, provided that the device supports the command, and that the command syntax is correct. This feature is disabled by default, but you can enable it the same way you enable attributes and time-of-day access.
Display enable Default (Undefined) Service Configuration—If this check box is selected, an area appears on the User Setup and Group Setup pages that enables you to permit unknown TACACS+ services, such as CDP.
Note This option should be used by advanced system administrators only.
Note Customized settings at the user level take precedence over settings at the group level.
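The precedence rules stated in this chapter (one group per user, user settings override group settings, some settings exist at only one level, and a per-service TACACS+ time-of-day grid overriding the default grid) can be modelled in a few lines. The following is an added illustration, not Cisco Secure ACS code; the profile layout, the key names such as default_tod_grid and service_tod, and the sample profiles are assumptions made for the example.

```python
"""Added example, not Cisco Secure ACS code: models the precedence rules the
guide states. A user belongs to exactly one group and inherits its settings;
a user-level value overrides the group value; static IP, password and
expiration exist only at user level; password aging and the default
time-of-day/day-of-week grid exist only at group level; a per-service
TACACS+ time-of-day grid overrides the default grid for that service.
Profile layout, key names and the sample profiles are assumptions."""
from datetime import datetime

USER_ONLY = {"static_ip", "password", "expiration"}
GROUP_ONLY = {"password_aging", "default_tod_grid"}


def effective_profile(group: dict, user: dict) -> dict:
    """Resolve the settings that apply to one user.

    Conflicts are resolved in the user's favour. Keys that the guide says
    cannot exist at a level are rejected, so a misplaced setting is caught
    instead of being silently inherited or silently dropped."""
    misplaced = (GROUP_ONLY & user.keys()) | (USER_ONLY & group.keys())
    if misplaced:
        raise ValueError(f"setting(s) at the wrong level: {sorted(misplaced)}")
    profile = dict(group)
    profile.update(user)                 # user attribute wins on conflict
    # Per-service grids merge service by service, so a user override for one
    # service leaves the group's grids for the other services intact.
    profile["service_tod"] = {**group.get("service_tod", {}),
                              **user.get("service_tod", {})}
    return profile


def service_allowed(profile: dict, service: str, when: datetime) -> bool:
    """Time-of-day/day-of-week check for one TACACS+ service.

    A grid maps a weekday name ('Mon'..'Sun') to the set of permitted hours.
    The per-service grid, if one exists, replaces the default grid for that
    service; with no grid at all there is no time restriction."""
    grid = profile["service_tod"].get(service, profile.get("default_tod_grid"))
    if grid is None:
        return True
    return when.hour in grid.get(when.strftime("%a"), set())


# Constructed sample profiles.
BUSINESS_HOURS = {d: set(range(8, 18)) for d in ("Mon", "Tue", "Wed", "Thu", "Fri")}
ALWAYS = {d: set(range(24)) for d in ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")}

GROUP = {
    "max_sessions": 5,
    "password_aging": 90,                # group level only
    "default_tod_grid": BUSINESS_HOURS,  # applies to exec and any other service
    "service_tod": {"ppp-ip": ALWAYS},   # PPP-IP permitted at any time
}
USER = {
    "group": "network-admins",           # exactly one group per user
    "static_ip": "10.0.0.5",             # user level only
    "max_sessions": 2,                   # overrides the group's 5
}

if __name__ == "__main__":
    p = effective_profile(GROUP, USER)
    print(p["max_sessions"], p["static_ip"])
    print(service_allowed(p, "exec", datetime(2001, 11, 5, 10)))     # Monday 10:00
    print(service_allowed(p, "exec", datetime(2001, 11, 10, 3)))     # Saturday 03:00
    print(service_allowed(p, "ppp-ip", datetime(2001, 11, 10, 3)))
```

The wrong-level check is the part worth keeping in mind when reviewing an ACS configuration: a password-aging value a reviewer expects to find on a user, or a static IP they expect on a group, cannot be there, so the effective policy has to be read at the level where the product actually stores it.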
Setting Options for TACACS+
This procedure enables you to display or hide TACACS+ administrative and accounting options. It is unlikely that you will use every service and protocol available for TACACS+. Displaying each would make setting up a user or group cumbersome. To simplify setup, you can use the TACACS+ (Cisco IOS) Edit page to customize the services and protocols that appear.
To configure the user interface for TACACS+ options, follow these steps:
Note The Cisco Secure ACS HTML interface displays any protocol option that is enabled or has non-default values, even if you have configured that protocol option to be hidden. This behavior prevents Cisco Secure ACS from hiding active settings. If you later disable the option or delete its value, Cisco Secure ACS hides the protocol option.
Step 1 Click Interface Configuration.
Step 2 Click TACACS+ (Cisco IOS).
Result: The TACACS+ (Cisco) page of the Interface Configuration section appears.
Step 3 In the TACACS+ Services table, select the check box for each TACACS+ service you want displayed on the applicable setup page.
Step 4 To add new services and protocols, follow these steps:
a. In the New Services section of the TACACS+ Services table, type in any Service and Protocol to be added.
b. Select the appropriate check box to select those that should be displayed for configuration either under User Setup, or Group Setup, or both.
Step 5 In the Advanced Configurations Options section, select the check boxes of the display options you want to enable.
Step 6 When you have finished setting TACACS+ interface display options, click Submit.
Result: The selections made in this procedure determine what TACACS+ options Cisco Secure ACS displays in other sections of the HTML interface.
Protocol Configuration Options for RADIUS
This section details the configuration of the Cisco Secure ACS HTML interface for RADIUS settings. The interface settings enable you to display or hide various RADIUS administrative and accounting options. You can simplify the HTML interface by hiding the features that you do not use.
Provided that you have the corresponding AAA clients configured, the User Interface section displays the following RADIUS protocol configuration selections:
(IETF) RADIUS Settings—This page lists all attributes available for (IETF) RADIUS. These standard (IETF) RADIUS attributes are available for any network device configuration when using RADIUS. If you want to use IETF attribute number 26, the vendor-specific attribute (VSA), select Interface Configuration and then RADIUS for the vendors whose network devices you use. Attributes for (IETF) RADIUS and the VSA for each RADIUS network device vendor supported by Cisco Secure ACS appear in User Setup or Group Setup.
Note The RADIUS (IETF) attributes are shared with RADIUS VSAs. You must configure the first RADIUS attributes from RADIUS (IETF) for the RADIUS vendor.
The Tags to Display Per Attribute option (located under Advanced Configuration Options) enables you to specify how many values to display for tagged attributes on the User Setup and Group Setup pages. Examples of tagged attributes include [064]Tunnel-Type and [069]Tunnel-Password.
For detailed procedural information, see the “Setting Protocol Configuration Options for (IETF) RADIUS” section on page 3-12.
RADIUS (Cisco IOS/PIX) Settings—This section allows you to enable the specific attributes for RADIUS (Cisco IOS/PIX). For detailed procedural information, see the “Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX)” section on page 3-14.
RADIUS (Ascend) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Ascend). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Ascend)” section on page 3-14.
RADIUS (Cisco VPN 3000) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Cisco VPN 3000). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Cisco VPN 3000)” section on page 3-15.
RADIUS (Cisco VPN 5000) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Cisco VPN 5000). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000)” section on page 3-16.
RADIUS (Microsoft) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Microsoft). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Microsoft)” section on page 3-17.
RADIUS (Nortel) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Nortel). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Nortel)” section on page 3-18.
RADIUS (Juniper) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Juniper). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Juniper)” section on page 3-19.
RADIUS (Cisco BBSM) Settings—This section allows you to enable the RADIUS vendor-specific attributes for RADIUS (Cisco BBSM). For detailed procedures, see the “Setting Protocol Configuration Options for RADIUS (Cisco BBSM)” section on page 3-20.
While Cisco Secure ACS ships with these listed VSAs prepackaged, it also enables you to define and configure custom attributes for any VSA set not already contained in Cisco Secure ACS. If you have configured a custom VSA and a corresponding AAA client, from the Interface Configuration section you can select the custom VSA and then set the options for how particular attributes appear as configurable options on the User Setup or Group Setup page. For information about creating user-defined RADIUS VSAs, see the “User-Defined RADIUS Vendors and VSA Sets” section on page E-27.
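The three attribute shapes this section refers to, standard (IETF) attributes, the vendor-specific attribute (IETF number 26) that carries a vendor's VSAs, and tagged attributes such as [064]Tunnel-Type, all travel on the wire in the same Type/Length/Value layout, and the "Tags to Display Per Attribute" setting exists because one tagged attribute may appear several times with different tags. The following encoder and parser is an added example, not Cisco Secure ACS code; the attribute layouts follow RFC 2865 and RFC 2868, vendor id 9 / vendor-type 1 is Cisco's cisco-avpair, and the sample attribute values are constructed.

```python
"""Added example, not Cisco Secure ACS code: encode and parse the three RADIUS
attribute shapes the guide refers to, namely standard (IETF) attributes,
the Vendor-Specific attribute (IETF number 26) that carries VSAs, and
tagged tunnel attributes such as [064] Tunnel-Type (RFC 2865 / RFC 2868).
Vendor id 9 with vendor-type 1 is Cisco's cisco-avpair; sample values are
constructed."""
import struct

IETF_VSA = 26                                     # IETF attribute 26 = Vendor-Specific
TAGGED_INTEGER = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type"}
CISCO_VENDOR_ID = 9


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS attribute: Type (1 octet), Length (1 octet, counting
    the two header octets), Value (0..253 octets)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Vendor-Id (4 octets) followed by one
    vendor sub-attribute in the same Type/Length/Value layout."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(IETF_VSA, struct.pack("!I", vendor_id) + sub)


def encode_tagged_integer(attr_type: int, tag: int, number: int) -> bytes:
    """Tagged integer attribute (RFC 2868): Tag (1 octet, 0x00..0x1F) then a
    3-octet integer. The tag groups attributes that belong to one tunnel,
    which is why ACS can show several values for one tagged attribute."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return encode_attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def decode_attrs(data: bytes) -> list:
    """Parse a run of attributes into dicts. A malformed length raises
    ValueError, so a bad attribute list is rejected whole rather than
    partially applied."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        value = data[i + 2:i + length]
        i += length
        if attr_type == IETF_VSA:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and sub-header")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("VSA sub-attribute length mismatch")
            out.append({"type": IETF_VSA, "vendor_id": vendor_id,
                        "vendor_type": vtype, "value": value[6:]})
        elif attr_type in TAGGED_INTEGER:
            if len(value) != 4:
                raise ValueError(f"{TAGGED_INTEGER[attr_type]} must be tag + 3 octets")
            out.append({"type": attr_type, "name": TAGGED_INTEGER[attr_type],
                        "tag": value[0], "value": int.from_bytes(value[1:], "big")})
        else:
            out.append({"type": attr_type, "value": value})
    return out


def tags_per_attribute(attrs: list) -> dict:
    """Distinct tags seen for each tagged attribute: the number of values
    the 'Tags to Display Per Attribute' setting has to accommodate."""
    seen = {}
    for a in attrs:
        if "tag" in a:
            seen.setdefault(a["name"], set()).add(a["tag"])
    return {name: sorted(tags) for name, tags in seen.items()}


# Constructed sample: User-Name, two tagged Tunnel-Type values (tags 1 and 2),
# and a Cisco cisco-avpair VSA granting privilege level 15.
SAMPLE = (encode_attr(1, b"alice")
          + encode_tagged_integer(64, 1, 13)      # 13 = VLAN (RFC 3580)
          + encode_tagged_integer(64, 2, 3)       # 3 = L2TP (RFC 2868)
          + encode_vsa(CISCO_VENDOR_ID, 1, b"shell:priv-lvl=15"))

if __name__ == "__main__":
    parsed = decode_attrs(SAMPLE)
    for attr in parsed:
        print(attr)
    print(tags_per_attribute(parsed))
```

[069]Tunnel-Password, the other tagged attribute the text names, carries a salt and a value encrypted under the shared secret (RFC 2868); this parser deliberately leaves that attribute as an opaque value rather than decrypting it.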
RADIUS (Cisco Aironet) is not listed in Interface Configuration because no configuration is required for it.
Setting Protocol Configuration Options for (IETF) RADIUS
This procedure enables you to hide or display any of the standard (IETF) RADIUS attributes for configuration from other portions of the Cisco Secure ACS HTML interface.
Note If the Per-user TACACS+/RADIUS Attributes check box in Interface Configuration: Advanced Options is selected, a User check box appears alongside the Group check box for each attribute.