Cisco Systems Servers User Manual

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
November 2001
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Customer Order Number: DOC-7813751=
Text Part Number: 78-13751-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, FrameShare, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, ScriptBuilder, ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Discover All That’s Possible are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, GigaStack, IOS, IP/TV, LightStream, MICA, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R)
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Copyright © 2001, Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface xxvii
    Document Objectives xxvii
    Who Should Read This Guide xxvii
    How This Guide is Organized xxviii
    Conventions Used in This Guide xxx
    Related Documentation xxxi
    Obtaining Documentation xxxii
        World Wide Web xxxii
        Documentation CD-ROM xxxii
        Ordering Documentation xxxii
        Documentation Feedback xxxiii
    Obtaining Technical Assistance xxxiii
        Cisco.com xxxiii
        Technical Assistance Center xxxiv
            Cisco TAC Web Site xxxiv
            Cisco TAC Escalation Center xxxv

CHAPTER 1 Overview of Cisco Secure ACS 1-1
    The Cisco Secure ACS Paradigm 1-1
    Cisco Secure ACS Specifications 1-2
        System Performance Specifications 1-3
        Cisco Secure ACS Windows Services 1-3
    AAA Server Functions and Concepts 1-4
        Cisco Secure ACS and the AAA Client 1-5
        AAA Protocols—TACACS+ and RADIUS 1-5
            TACACS+ 1-6
            RADIUS 1-6
        Authentication 1-7
            Authentication Considerations 1-8
            Authentication and User Databases 1-8
            Passwords 1-10
            Other Authentication-Related Features 1-14
        Authorization 1-15
            Max Sessions 1-16
            Dynamic Usage Quotas 1-16
            Other Authorization-Related Features 1-17
        Accounting 1-17
            Other Accounting-Related Features 1-18
        Administration 1-18
            HTTP Port Allocation for Remote Administrative Sessions 1-19
            Network Device Groups 1-20
            Other Administration-Related Features 1-20
    Cisco Secure ACS HTML Interface 1-21
        About the Cisco Secure ACS HTML Interface 1-21
        HTML Interface Layout 1-22
        Uniform Resource Locator for the HTML Interface 1-24
        Network Environments and Remote Administrative Sessions 1-24
            Remote Administrative Sessions and HTTP Proxy 1-24
            Remote Administrative Sessions through Firewalls 1-25
            Remote Administrative Sessions through a NAT Gateway 1-25
        Accessing the HTML Interface 1-26
        Logging Off the HTML Interface 1-26
        Online Help and Online Documentation 1-27
            Using Online Help 1-27
            Using the Online Documentation 1-28

CHAPTER 2 Deploying Cisco Secure ACS 2-1
    Basic Deployment Requirements for Cisco Secure ACS 2-2
        System Requirements 2-2
            Hardware Requirements 2-2
            Operating System Requirements 2-3
            Third-Party Software Requirements 2-3
        Network Requirements 2-4
    Basic Deployment Factors for Cisco Secure ACS 2-4
        Network Topology 2-5
            Dial-Up Topology 2-5
            Wireless Network 2-8
            Remote Access using VPN 2-11
        Remote Access Policy 2-13
        Security Policy 2-14
        Administrative Access Policy 2-14
            Separation of Administrative and General Users 2-16
        Database 2-17
            Number of Users 2-17
            Type of Database 2-17
        Network Speed and Reliability 2-18
    Suggested Deployment Sequence 2-18

CHAPTER 3 Setting Up the Cisco Secure ACS HTML Interface 3-1
    Interface Design Concepts 3-2
        User-to-Group Relationship 3-2
        Per-User or Per-Group Features 3-2
    User Data Configuration Options 3-3
        Defining New User Data Fields 3-3
    Advanced Options 3-4
        Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
    Protocol Configuration Options for TACACS+ 3-7
        Setting Options for TACACS+ 3-9
    Protocol Configuration Options for RADIUS 3-10
        Setting Protocol Configuration Options for (IETF) RADIUS 3-12
        Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX) 3-14
        Setting Protocol Configuration Options for RADIUS (Ascend) 3-14
        Setting Protocol Configuration Options for RADIUS (Cisco VPN 3000) 3-15
        Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000) 3-16
        Setting Protocol Configuration Options for RADIUS (Microsoft) 3-17
        Setting Protocol Configuration Options for RADIUS (Nortel) 3-18
        Setting Protocol Configuration Options for RADIUS (Juniper) 3-19
        Setting Protocol Configuration Options for RADIUS (Cisco BBSM) 3-20

CHAPTER 4 Setting Up and Managing Network Configuration 4-1
    About Distributed Systems 4-2
        AAA Servers in Distributed Systems 4-3
        Default Distributed System Settings 4-3
        Proxy in Distributed Systems 4-4
            Fallback on Failed Connection 4-5
            Character String 4-6
            Stripping 4-6
            Proxy in an Enterprise 4-6
            Remote Use of Accounting Packets 4-7
            Other Features Enabled by System Distribution 4-8
    AAA Client Configuration 4-8
        Adding and Configuring a AAA Client 4-9
        Editing an Existing AAA Client 4-12
        Deleting a AAA Client 4-14
    AAA Server Configuration 4-15
        Adding and Configuring a AAA Server 4-16
        Editing a AAA Server Configuration 4-18
        Deleting a AAA Server 4-20
    Network Device Group Configuration 4-20
        Adding a Network Device Group 4-21
        Assigning an Unassigned AAA Client or AAA Server to an NDG 4-22
        Reassigning a AAA Client or AAA Server to an NDG 4-23
        Renaming a Network Device Group 4-23
        Deleting a Network Device Group 4-24
    Proxy Distribution Table Configuration 4-25
        About the Proxy Distribution Table 4-25
        Adding a New Proxy Distribution Table Entry 4-26
        Sorting the Character String Match Order of Distribution Entries 4-28
        Editing a Proxy Distribution Table Entry 4-28
        Deleting a Proxy Distribution Table Entry 4-29

CHAPTER 5 Setting Up and Managing Shared Profile Components 5-1
    Downloadable PIX ACLs 5-2
        About Downloadable PIX ACLs 5-2
        Downloadable PIX ACL Configuration 5-3
            Adding a Downloadable PIX ACL 5-3
            Editing a Downloadable PIX ACL 5-4
            Deleting a Downloadable PIX ACL 5-5
    Network Access Restrictions 5-6
        About Network Access Restrictions 5-6
        Shared Network Access Restrictions Configuration 5-7
            Adding a Shared Network Access Restriction 5-8
            Editing a Shared Network Access Restriction 5-10
            Deleting a Shared Network Access Restriction 5-12
    Command Authorization Sets 5-12
        About Command Authorization Sets 5-13
        About Pattern Matching 5-14
        Command Authorization Sets Configuration 5-14
            Adding a Command Authorization Set 5-15
            Editing a Command Authorization Set 5-17
            Deleting a Command Authorization Set 5-17

CHAPTER 6 Setting Up and Managing User Groups 6-1
    User Group Setup Features and Functions 6-2
        Default Group 6-2
        Group TACACS+ Settings 6-2
    Common User Group Settings 6-3
        Enabling VoIP Support for a User Group 6-4
        Setting Default Time of Day Access for a User Group 6-5
        Setting Callback Options for a User Group 6-6
        Setting Network Access Restrictions for a User Group 6-7
        Setting Max Sessions for a User Group 6-11
        Setting Usage Quotas for a User Group 6-13
    Configuration-specific User Group Settings 6-15
        Setting Token Card Settings for a User Group 6-17
        Setting Enable Privilege Options for a User Group 6-18
        Enabling Password Aging for the CiscoSecure User Database 6-20
            Varieties of Password Aging Supported by CiscoSecure ACS 6-20
            Password Aging Feature Settings 6-21
        Enabling Password Aging for Users in Windows Databases 6-25
        Setting IP Address Assignment Method for a User Group 6-26
        Assigning a Downloadable PIX ACL to a Group 6-27
        Configuring TACACS+ Settings for a User Group 6-28
        Configuring a Shell Command Authorization Set for a User Group 6-30
        Configuring a PIX Command Authorization Set for a User Group 6-32
        Configuring IETF RADIUS Settings for a User Group 6-34
        Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-36
        Configuring Ascend RADIUS Settings for a User Group 6-37
        Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-38
        Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-39
        Configuring Microsoft RADIUS Settings for a User Group 6-41
        Configuring Nortel RADIUS Settings for a User Group 6-42
        Configuring Juniper RADIUS Settings for a User Group 6-44
        Configuring Cisco BBSM RADIUS Settings for a User Group 6-45
        Configuring Custom RADIUS VSA Settings for a User Group 6-46
    Group Setting Management 6-48
        Listing Users in a User Group 6-48
        Resetting Usage Quota Counters for a User Group 6-49
        Renaming a User Group 6-49
        Saving Changes to User Group Settings 6-50

CHAPTER 7 Setting Up and Managing User Accounts 7-1
    User Setup Features and Functions 7-2
    About User Databases 7-3
    Basic User Setup Options 7-4
        Adding a Basic User Account 7-5
        Setting Supplementary User Information 7-7
        Setting a Separate CHAP/MS-CHAP/ARAP Password 7-8
        Assigning a User to a Group 7-9
        Setting User Callback Option 7-10
        Assigning a User to a Client IP Address 7-11
        Setting Network Access Restrictions for a User 7-12
        Setting Max Sessions Options for a User 7-17
        Setting User Usage Quotas Options 7-19
        Setting Options for User Account Disablement 7-21
        Assigning a PIX ACL to a User 7-22
    Advanced User Authentication Settings 7-23
        TACACS+ Settings (User) 7-24
            Configuring TACACS+ Settings for a User 7-24
            Configuring a Shell Command Authorization Set for a User 7-26
            Configuring a PIX Command Authorization Set for a User 7-29
            Configuring the Unknown Service Setting for a User 7-31
        Advanced TACACS+ Settings (User) 7-31
            Setting Enable Privilege Options for a User 7-32
            Setting TACACS+ Enable Password Options for a User 7-34
            Setting TACACS+ Outbound Password for a User 7-35
        RADIUS Attributes 7-36
            Setting IETF RADIUS Parameters for a User 7-37
            Setting Cisco IOS/PIX RADIUS Parameters for a User 7-38
            Setting Ascend RADIUS Parameters for a User 7-39
            Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-41
            Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-42
            Setting Microsoft RADIUS Parameters for a User 7-44
            Setting Nortel RADIUS Parameters for a User 7-45
            Setting Juniper RADIUS Parameters for a User 7-47
            Setting BBSM RADIUS Parameters for a User 7-48
            Setting Custom RADIUS Attributes for a User 7-49
    User Management 7-51
        Listing All Users 7-51
        Finding a User 7-52
        Disabling a User Account 7-53
        Deleting a User Account 7-54
        Resetting User Session Quota Counters 7-55
        Resetting a User Account after Login Failure 7-55
        Saving User Settings 7-56

CHAPTER 8 Establishing Cisco Secure ACS System Configuration 8-1
    Service Control 8-2
        Determining the Status of Cisco Secure ACS Services 8-2
        Stopping, Starting, or Restarting Services 8-2
    Logging 8-3
    Date Format Control 8-3
        Setting the Date Format 8-4
    Password Validation 8-4
        Setting Password Validation Options 8-5
    CiscoSecure Database Replication 8-6
        About CiscoSecure Database Replication 8-6
            Replication Process 8-8
            Replication Frequency 8-10
            Important Implementation Considerations 8-10
            Database Replication Versus Database Backup 8-11
            Database Replication Logging 8-12
        Replication Options 8-13
            Replication Components Options 8-13
            Replication Scheduling Options 8-14
            Replication Partners Options 8-15
        Implementing Primary and Secondary Replication Setups on Cisco Secure ACS Servers 8-16
        Configuring a Secondary Cisco Secure ACS Server 8-17
        Replicating Immediately 8-18
        Scheduling Replication 8-20
        Disabling CiscoSecure Database Replication 8-23
        Database Replication Event Error Alert Notification 8-23
    RDBMS Synchronization 8-24
        About RDBMS Synchronization 8-24
            RDBMS Synchronization Components 8-25
                About CSDBSync 8-25
                About the accountActions Table 8-26
            Cisco Secure ACS Database Recovery Using the accountActions Table 8-28
            Reports and Event (Error) Handling 8-29
        Preparing to Use RDBMS Synchronization 8-29
        Considerations for Using CSV-Based Synchronization 8-30
            Preparing for CSV-Based Synchronization 8-31
        Configuring a System Data Source Name for RDBMS Synchronization 8-32
        RDBMS Synchronization Options 8-33
            RDBMS Setup Options 8-34
            Synchronization Scheduling Options 8-34
            Synchronization Partners Options 8-35
        Performing RDBMS Synchronization Immediately 8-35
        Scheduling RDBMS Synchronization 8-37
        Disabling Scheduled RDBMS Synchronizations 8-39
    Cisco Secure ACS Backup 8-40
        About Cisco Secure ACS Backup 8-40
            Backup File Locations 8-41
            Directory Management 8-41
            Components Backed Up 8-41
            Reports of Cisco Secure ACS Backups 8-42
        Performing a Manual Cisco Secure ACS Backup 8-42
        Scheduling Cisco Secure ACS Backups 8-43
        Disabling Scheduled Cisco Secure ACS Backups 8-44
    Cisco Secure ACS System Restore 8-45
        About Cisco Secure ACS System Restore 8-45
            Backup File Names and Locations 8-45
            Components Restored 8-47
            Reports of Cisco Secure ACS Restorations 8-47
        Restoring Cisco Secure ACS from a Backup File 8-47
    Cisco Secure ACS Active Service Management 8-48
        System Monitoring 8-49
            System Monitoring Options 8-49
            Setting Up System Monitoring 8-50
        Event Logging 8-51
            Setting Up Event Logging 8-51
    IP Pools Server 8-52
        Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 8-53
        Refreshing the AAA Server IP Pools Table 8-55
        Adding a New IP Pool 8-55
        Editing an IP Pool Definition 8-56
        Resetting an IP Pool 8-57
        Deleting an IP Pool 8-58
    IP Pools Address Recovery 8-59
        Enabling IP Pool Address Recovery 8-59
    VoIP Accounting Configuration 8-60
        Configuring VoIP Accounting 8-61
    Cisco Secure ACS Certificate Setup 8-61
        Background on Certification 8-62
        EAP-TLS Setup Overview 8-63
        Requirements for Certificate Enrollment 8-63
        Generating a Request for a Certificate 8-64
        Installing Cisco Secure ACS Certification with Manual Enrollment 8-66
        Installing Cisco Secure ACS Certification with Automatic Enrollment 8-68
        Performing Cisco Secure ACS Certification Update or Replacement 8-69
    Certification Authority Setup 8-70
        Trust Requirements and Models 8-71
        Editing the Certificate Trust List 8-72
        Adding a New CA Certificate to Local Certificate Storage 8-72
    Global Authentication Setup 8-73

CHAPTER 9 Working with Logging and Reports 9-1
    Logging Formats 9-1
    Special Logging Attributes 9-2
    Update Packets In Accounting Logs 9-3
    About Cisco Secure ACS Logs and Reports 9-4
        Accounting Logs 9-4
            TACACS+ Accounting Log 9-5
            TACACS+ Administration Log 9-6
            RADIUS Accounting Log 9-7
            VoIP Accounting Log 9-8
            Failed Attempts Log 9-9
            Passed Authentications Log 9-10
        Dynamic Cisco Secure ACS Administration Reports 9-10
            Logged-In Users Report 9-11
            Disabled Accounts Report 9-14
        Cisco Secure ACS System Logs 9-15
            ACS Backup and Restore Log 9-15
            RDBMS Synchronization Log 9-16
            Database Replication Log 9-16
            Administration Audit Log 9-17
            ACS Service Monitoring Log 9-18
    Working with CSV Logs 9-19
        CSV Log File Names 9-19
        Enabling or Disabling a CSV Log 9-19
        Viewing a CSV Report 9-20
        Configuring a CSV Log 9-22
    Working with ODBC Logs 9-25
        Preparing to Use ODBC Logging 9-25
        Configuring a System Data Source Name for ODBC Logging 9-26
        Configuring an ODBC Log 9-27
    Remote Logging 9-29
        About Remote Logging 9-30
        Remote Logging Options 9-31
        Configuring a Central Logging Server 9-31
        Enabling and Configuring Remote Logging 9-32
        Disabling Remote Logging 9-33
    Service Logs 9-34
        Services Logged 9-34
        Configuring Service Logs 9-35

CHAPTER 10 Setting Up and Managing Administrators and Policy 10-1
    Administrator Accounts 10-1
        Administrator Privileges 10-2
        Adding an Administrator Account 10-6
        Editing an Administrator Account 10-7
        Deleting an Administrator Account 10-9
    Access Policy 10-10
        Access Policy Options 10-10
        Setting Up Access Policy 10-12
    Session Policy 10-13
        Session Policy Options 10-13
        Setting Up Session Policy 10-14
    Audit Policy 10-16

CHAPTER 11 Working with User Databases 11-1
    CiscoSecure User Database 11-2
    About External User Databases 11-4
        Authenticating with External User Databases 11-5
    Windows NT/2000 User Database 11-6
        The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases 11-7
        Trust Relationships 11-8
        Windows Dial-up Networking Clients 11-9
            About the Windows NT/2000 Dial-up Networking Client 11-9
            About the Windows 95/98/Millennium Edition Dial-up Networking Client 11-10
        Windows NT/2000 Authentication 11-10
        User-Changeable Passwords with Windows NT/2000 User Databases 11-12
        Preparing Users for Authenticating with Windows NT/2000 11-12
        Configuring a Windows NT/2000 External User Database 11-13
    Generic LDAP 11-14
        Cisco Secure ACS Authentication Process with a Generic LDAP User Database 11-15
        Multiple LDAP Instances 11-16
        LDAP Organizational Units and Groups 11-17
        Directed Authentications 11-17
        LDAP Failover 11-17
            Successful Previous Authentication with the Primary LDAP Server 11-18
            Unsuccessful Previous Authentication with the Primary LDAP Server 11-18
        Configuring a Generic LDAP External User Database 11-19
    Novell NDS Database 11-24
        User Contexts 11-25
        Novell NDS External User Database Options 11-27
        Configuring a Novell NDS External User Database 11-28
    ODBC Database 11-30
        Cisco Secure ACS Authentication Process with an ODBC External User Database 11-31
        Preparing to Authenticate Users with an ODBC-Compliant Relational Database 11-32
        Implementation of Stored Procedures for ODBC Authentication 11-33
            Type Definitions 11-34
            Microsoft SQL Server and Case-Sensitive Passwords 11-34
            Sample Routine for Generating a PAP Authentication SQL Procedure 11-35
            Sample Routine for Generating an SQL CHAP Authentication Procedure 11-36
            PAP Authentication Procedure Input 11-36
            PAP Procedure Output 11-37
            CHAP/MS-CHAP/ARAP Authentication Procedure Input 11-38
            CHAP/MS-CHAP/ARAP Procedure Output 11-38
            Result Codes 11-39
        Configuring a System Data Source Name for an ODBC External User Database 11-40
        Configuring an ODBC External User Database 11-41
    LEAP Proxy RADIUS Server Database 11-44
        Configuring a LEAP Proxy RADIUS Server External User Database 11-45
    Token Server User Databases 11-47
        About Token Servers and Cisco Secure ACS 11-48
            Token Servers and ISDN 11-48
        RADIUS-Enabled Token Servers 11-49
            About RADIUS-Enabled Token Servers 11-49
            Token Server RADIUS Authentication Request and Response Contents 11-50
            Configuring a RADIUS Token Server External User Database 11-50
        Token Servers with Vendor-Proprietary Interfaces 11-53
            About Token Servers with Proprietary Interfaces 11-53
            Configuring a SafeWord Token Server External User Database 11-53
            Configuring an AXENT Token Server External User Database 11-55
            Configuring an RSA SecurID Token Server External User Database 11-56
    Deleting an External User Database Configuration 11-58

CHAPTER 12 Administering External User Databases 12-1
    Unknown User Processing 12-1
        Known, Unknown, and Cached Users 12-2
        General Authentication Request Handling and Rejection Mode 12-3
        Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database 12-4
            Windows Authentication with a Domain Specified 12-4
            Windows Authentication with Domain Omitted 12-5
        Performance of Unknown User Authentication 12-6
            Added Latency 12-6
            Authentication Timeout Value on AAA clients 12-6
        Network Access Authorization 12-7
        Unknown User Policy 12-7
            Database Search Order 12-8
        Configuring the Unknown User Policy 12-8
        Turning off External User Database Authentication 12-9
    Database Group Mappings 12-10
        Group Mapping by External User Database 12-10
            Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 12-12
        Group Mapping by Group Set Membership 12-13
            Group Mapping Order 12-13
            No Access Group for Group Set Mappings 12-14
            Default Group Mapping for Windows NT/2000 12-14
            Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups 12-15
            Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-17
            Deleting a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping 12-18
            Deleting a Windows NT/2000 Domain Group Mapping Configuration 12-19
            Changing Group Set Mapping Order 12-20
        RADIUS-Based Group Specification 12-21

APPENDIX A Troubleshooting Information for Cisco Secure ACS A-1
    Administration Issues A-2
    Browser Issues A-3
    Cisco IOS Issues A-4
    Database Issues A-5
    Dial-in Connection Issues A-6
    Debug Issues A-11
    Proxy Issues A-12
    Installation and Upgrade Issues A-13
    MaxSessions Issues A-13
    Report Issues A-14
    Third-Party Server Issues A-15
    PIX Firewall Issues A-16
    User Authentication Issues A-16
    TACACS+ and RADIUS Attribute Issues A-18

APPENDIX B System Messages B-1
    Windows NT/2000 Event Log Service Startup Errors B-1
    System Monitored Events B-2
    Replication Messages B-6
    Failed Attempts Messages B-9

APPENDIX C TACACS+ Attribute-Value Pairs C-1
    Cisco IOS Attribute-Value Pair Dictionary C-1
        TACACS+ AV Pairs C-2
        TACACS+ Accounting AV Pairs C-4

APPENDIX D RADIUS Attributes D-1
    Cisco IOS Dictionary of RADIUS AV Pairs D-2
    Cisco IOS/PIX Dictionary of RADIUS VSAs D-4
    Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs D-6
    Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs D-9
    Cisco Building Broadband Service Manager Dictionary of RADIUS VSA D-9
    Vendor-Proprietary IETF RADIUS AV Pairs D-10
    IETF Dictionary of RADIUS AV Pairs D-12
        RADIUS (IETF) Accounting AV Pairs D-16
    Microsoft MPPE Dictionary of RADIUS VSAs D-18
    Ascend Dictionary of RADIUS AV Pairs D-21
    Nortel Dictionary of RADIUS VSAs D-29
    Juniper Dictionary of RADIUS VSAs D-30

APPENDIX E Cisco Secure ACS Command-Line Database Utility E-1
    Location of CSUtil.exe and Related Files E-2
    CSUtil.exe Syntax E-2
    CSUtil.exe Options E-3
    Backing Up Cisco Secure ACS with CSUtil.exe E-5
    Restoring Cisco Secure ACS with CSUtil.exe E-6
    Creating a CiscoSecure User Database E-7
    Creating a Cisco Secure ACS Database Dump File E-9
    Loading the Cisco Secure ACS Database from a Dump File E-10
    Compacting the CiscoSecure User Database E-11
    User and AAA Client Import Option E-13
        Importing User and AAA Client Information E-13
        User and AAA Client Import File Format E-15
            About User and AAA Client Import File Format E-15
            ONLINE or OFFLINE Statement E-16
            ADD Statements E-16
            UPDATE Statements E-18
            DELETE Statements E-20
            ADD_NAS Statements E-20
            DEL_NAS Statements E-22
            Import File Examples E-22
    Exporting User List to a Text File E-23
    Exporting Group Information to a Text File E-24
    Exporting Registry Information to a Text File E-25
    Decoding Error Numbers E-25
    Recalculating CRC Values E-26
    User-Defined RADIUS Vendors and VSA Sets E-27
        About User-Defined RADIUS Vendors and VSA Sets E-27
        Adding a Custom RADIUS Vendor and VSA Set E-28
        Deleting a Custom RADIUS Vendor and VSA Set E-29
        Listing Custom RADIUS Vendors E-30
        RADIUS Vendor/VSA Import File E-31
            About the RADIUS Vendor/VSA Import File E-32
            Vendor and VSA Set Definition E-33
            Attribute Definition E-34
            Enumeration Definition E-35
            Example RADIUS Vendor/VSA Import File E-37

APPENDIX F Cisco Secure ACS and Virtual Private Dial-up Networks F-1
    VPDN Process F-1

APPENDIX G ODBC Import Definitions G-1
    accountActions Table Specification G-1
        accountActions Table Format G-2
        accountActions Table Mandatory Fields G-3
        accountActions Table Processing Order G-4
    Action Codes G-5
        Action Codes for Setting and Deleting Values G-5
        Action Codes for Creating and Modifying User Accounts G-7
        Action Codes for Initializing and Modifying Access Filters G-15
        Action Codes for Modifying TACACS+ and RADIUS Group and User Settings G-20
        Action Codes for Modifying Network Configuration G-27
        Action Code for Deleting the CiscoSecure User Database G-31
    Cisco Secure ACS Attributes and Action Codes G-31
        User-Specific Attributes G-31
        User-Defined Attributes G-34
        Group-Specific Attributes G-34
    An Example accountActions Table G-36

APPENDIX H Cisco Secure ACS Internal Architecture H-1
    Windows NT/2000 Environment Overview H-2
        Windows NT/2000 Services H-2
        Windows NT/2000 Registry H-2
    Cisco Secure ACS Web Server H-2
    CSAdmin H-3
    CSAuth H-3
    CSDBSync H-6
    CSLog H-6
    CSMon H-7
        Monitoring H-7
        Recording H-9
        Sample Scripts H-10
        Configuration H-10
    CSTacacs and CSRadius H-11

INDEX


Preface

This section discusses the objectives, audience, and organization of the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 User Guide.

Document Objectives

The objective of this document is to help you configure and use the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) software and its features and utilities.

Who Should Read This Guide

This publication was written for system administrators who are using the Cisco Secure ACS software and are responsible for setting up and maintaining accounts and dial-in network security.

How This Guide is Organized

The Cisco Secure ACS User Guide is organized into the following chapters:

Chapter 1, Overview of Cisco Secure ACS. An overview of Cisco Secure ACS and its features, network diagrams, and system requirements.

Chapter 2, Deploying Cisco Secure ACS. A guide to deploying the Cisco Secure ACS that includes requirements, options, trade-offs, and suggested sequences.

Chapter 3, Setting Up the Cisco Secure ACS HTML Interface. Concepts and procedures regarding how to use the Interface Configuration section of the Cisco Secure ACS to configure the user interface.

Chapter 4, Setting Up and Managing Network Configuration. Concepts and procedures for Cisco Secure ACS network configuration and establishing a distributed system.

Chapter 5, Setting Up and Managing Shared Profile Components. Concepts and procedures regarding Cisco Secure ACS shared profile components: network access restrictions and device command sets.

Chapter 6, Setting Up and Managing User Groups. Concepts and procedures for establishing and maintaining Cisco Secure ACS user groups.

Chapter 7, Setting Up and Managing User Accounts. Concepts and procedures for establishing and maintaining Cisco Secure ACS user accounts.

Chapter 8, Establishing Cisco Secure ACS System Configuration. Concepts and procedures regarding the System Configuration portion of Cisco Secure ACS.

Chapter 9, Working with Logging and Reports. Concepts and procedures regarding Cisco Secure ACS logging and reports.

Chapter 10, Setting Up and Managing Administrators and Policy. Concepts and procedures for establishing and maintaining Cisco Secure ACS administrators.

Chapter 11, Working with User Databases. Concepts and procedures for establishing user databases.

Chapter 12, Administering External User Databases. Concepts and procedures for administering and maintaining user databases external to Cisco Secure ACS.

This guide also comprises the following appendixes:

Appendix A, Troubleshooting Information for Cisco Secure ACS. How to identify and solve certain problems you might have with Cisco Secure ACS.

Appendix B, System Messages. A list and explanation of most system messages you might encounter.

Appendix C, TACACS+ Attribute-Value Pairs. A list of supported TACACS+ AV pairs and accounting AV pairs.

Appendix D, RADIUS Attributes. A list of supported RADIUS AV pairs and accounting AV pairs.

Appendix E, Cisco Secure ACS Command-Line Database Utility. Instructions for using the database import utility, CSUtil, to import an ODBC database, and back up, maintain, or restore the Cisco Secure ACS database.

Appendix F, Cisco Secure ACS and Virtual Private Dial-up Networks. An introduction to Virtual Private Dial-up Networks (VPDN), including stripping and tunneling, with instructions for enabling VPDN on Cisco Secure ACS.

Appendix G, ODBC Import Definitions. A list of ODBC import definitions, for use with the RDBMS Synchronization feature.

Appendix H, Cisco Secure ACS Internal Architecture. A description of Cisco Secure ACS architectural components.

Conventions Used in This Guide

This guide uses the following typographical conventions:

Typographic Conventions

Convention   Meaning
Italics      Introduces new or important terminology and variable input for commands.
Script       Denotes paths, file names, and example screen output. Also denotes Secure Script translations of security policy decision trees.
Bold         Identifies special terminology and options that should be selected during procedures.

Tip      Means the following information will help you solve a problem. The tip's information might not be troubleshooting or even an action, but could be useful information.

Note     Means reader take note. Notes contain helpful suggestions or references to materials not covered in the manual.

Caution  Means reader be careful. In this situation, you might do something that could result in equipment damage, loss of data, or a breach in your network security.

Warning  Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translated versions of the warning, refer to the Regulatory Compliance and Safety document that accompanied the device.