Cisco Systems Windows Server User Manual

User Guide for Cisco Secure ACS for Windows Server
Version 3.3
May 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 526-4100
Customer Order Number: DOC-7816592=
Text Part Number: 78-16592-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0403R)
User Guide for Cisco Secure ACS for Windows Server
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface xxix
Audience xxix
Organization xxix
Conventions xxxi
Product Documentation xxxii
Related Documentation xxxiii
Obtaining Documentation xxxv
Cisco.com xxxvi
Ordering Documentation xxxvi
Documentation Feedback xxxvi
Obtaining Technical Assistance xxxvii
Cisco Technical Support Website xxxvii
Submitting a Service Request xxxvii
Definitions of Service Request Severity xxxviii
Obtaining Additional Publications and Information xxxix

CHAPTER 1 Overview 1-1
The Cisco Secure ACS Paradigm 1-2
Cisco Secure ACS Specifications 1-3
System Performance Specifications 1-3
Cisco Secure ACS Windows Services 1-4
AAA Server Functions and Concepts 1-5
Cisco Secure ACS and the AAA Client 1-6
AAA Protocols—TACACS+ and RADIUS 1-6
TACACS+ 1-7
RADIUS 1-7
Authentication 1-8
Authentication Considerations 1-9
Authentication and User Databases 1-10
Authentication Protocol-Database Compatibility 1-10
Passwords 1-11
Other Authentication-Related Features 1-16
Authorization 1-17
Max Sessions 1-18
Dynamic Usage Quotas 1-18
Shared Profile Components 1-19
Support for Cisco Device-Management Applications 1-19
Other Authorization-Related Features 1-21
Accounting 1-22
Other Accounting-Related Features 1-22
Administration 1-23
HTTP Port Allocation for Administrative Sessions 1-23
Network Device Groups 1-24
Other Administration-Related Features 1-24
Posture Validation 1-25
Cisco Secure ACS HTML Interface 1-25
About the Cisco Secure ACS HTML Interface 1-26
HTML Interface Security 1-26
HTML Interface Layout 1-27
Uniform Resource Locator for the HTML Interface 1-29
Network Environments and Administrative Sessions 1-30
Administrative Sessions and HTTP Proxy 1-30
Administrative Sessions through Firewalls 1-31
Administrative Sessions through a NAT Gateway 1-31
Accessing the HTML Interface 1-32
Logging Off the HTML Interface 1-33
Online Help and Online Documentation 1-33
Using Online Help 1-34
Using the Online Documentation 1-34

CHAPTER 2 Deployment Considerations 2-1
Basic Deployment Requirements for Cisco Secure ACS 2-2
System Requirements 2-2
Hardware Requirements 2-2
Operating System Requirements 2-2
Third-Party Software Requirements 2-3
Network and Port Requirements 2-4
Basic Deployment Factors for Cisco Secure ACS 2-6
Network Topology 2-6
Dial-Up Topology 2-6
Wireless Network 2-9
Remote Access using VPN 2-12
Remote Access Policy 2-14
Security Policy 2-15
Administrative Access Policy 2-15
Separation of Administrative and General Users 2-17
Database 2-18
Number of Users 2-18
Type of Database 2-18
Network Latency and Reliability 2-19
Suggested Deployment Sequence 2-19

CHAPTER 3 Interface Configuration 3-1
Interface Design Concepts 3-2
User-to-Group Relationship 3-2
Per-User or Per-Group Features 3-2
User Data Configuration Options 3-3
Defining New User Data Fields 3-3
Advanced Options 3-4
Setting Advanced Options for the Cisco Secure ACS User Interface 3-6
Protocol Configuration Options for TACACS+ 3-7
Setting Options for TACACS+ 3-9
Protocol Configuration Options for RADIUS 3-11
Setting Protocol Configuration Options for IETF RADIUS Attributes 3-16
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes 3-17

CHAPTER 4 Network Configuration 4-1
About Network Configuration 4-1
About Distributed Systems 4-2
AAA Servers in Distributed Systems 4-3
Default Distributed System Settings 4-3
Proxy in Distributed Systems 4-4
Fallback on Failed Connection 4-5
Character String 4-6
Stripping 4-6
Proxy in an Enterprise 4-6
Remote Use of Accounting Packets 4-7
Other Features Enabled by System Distribution 4-8
Network Device Searches 4-8
Network Device Search Criteria 4-8
Searching for Network Devices 4-9
AAA Client Configuration 4-11
AAA Client Configuration Options 4-11
Adding a AAA Client 4-16
Editing a AAA Client 4-19
Deleting a AAA Client 4-21
AAA Server Configuration 4-21
AAA Server Configuration Options 4-22
Adding a AAA Server 4-24
Editing a AAA Server 4-26
Deleting a AAA Server 4-28
Network Device Group Configuration 4-28
Adding a Network Device Group 4-29
Assigning an Unassigned AAA Client or AAA Server to an NDG 4-30
Reassigning a AAA Client or AAA Server to an NDG 4-31
Renaming a Network Device Group 4-32
Deleting a Network Device Group 4-32
Proxy Distribution Table Configuration 4-34
About the Proxy Distribution Table 4-34
Adding a New Proxy Distribution Table Entry 4-35
Sorting the Character String Match Order of Distribution Entries 4-36
Editing a Proxy Distribution Table Entry 4-37
Deleting a Proxy Distribution Table Entry 4-38

CHAPTER 5 Shared Profile Components 5-1
About Shared Profile Components 5-1
Network Access Filters 5-2
About Network Access Filters 5-2
Adding a Network Access Filter 5-3
Editing a Network Access Filter 5-5
Deleting a Network Access Filter 5-7
Downloadable IP ACLs 5-7
About Downloadable IP ACLs 5-8
Adding a Downloadable IP ACL 5-10
Editing a Downloadable IP ACL 5-13
Deleting a Downloadable IP ACL 5-14
Network Access Restrictions 5-14
About Network Access Restrictions 5-15
About IP-based NAR Filters 5-17
About Non-IP-based NAR Filters 5-18
Adding a Shared Network Access Restriction 5-19
Editing a Shared Network Access Restriction 5-23
Deleting a Shared Network Access Restriction 5-24
Command Authorization Sets 5-25
About Command Authorization Sets 5-26
Command Authorization Sets Description 5-26
Command Authorization Sets Assignment 5-28
Case Sensitivity and Command Authorization 5-29
Arguments and Command Authorization 5-29
About Pattern Matching 5-30
Adding a Command Authorization Set 5-31
Editing a Command Authorization Set 5-33
Deleting a Command Authorization Set 5-35

CHAPTER 6 User Group Management 6-1
About User Group Setup Features and Functions 6-2
Default Group 6-2
Group TACACS+ Settings 6-2
Basic User Group Settings 6-3
Group Disablement 6-4
Enabling VoIP Support for a User Group 6-4
Setting Default Time-of-Day Access for a User Group 6-5
Setting Callback Options for a User Group 6-7
Setting Network Access Restrictions for a User Group 6-8
Setting Max Sessions for a User Group 6-12
Setting Usage Quotas for a User Group 6-14
Configuration-specific User Group Settings 6-16
Setting Token Card Settings for a User Group 6-18
Setting Enable Privilege Options for a User Group 6-19
Enabling Password Aging for the CiscoSecure User Database 6-21
Enabling Password Aging for Users in Windows Databases 6-26
Setting IP Address Assignment Method for a User Group 6-28
Assigning a Downloadable IP ACL to a Group 6-30
Configuring TACACS+ Settings for a User Group 6-31
Configuring a Shell Command Authorization Set for a User Group 6-33
Configuring a PIX Command Authorization Set for a User Group 6-35
Configuring Device-Management Command Authorization for a User Group 6-37
Configuring IETF RADIUS Settings for a User Group 6-38
Configuring Cisco IOS/PIX RADIUS Settings for a User Group 6-40
Configuring Cisco Aironet RADIUS Settings for a User Group 6-41
Configuring Ascend RADIUS Settings for a User Group 6-43
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group 6-44
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 6-46
Configuring Microsoft RADIUS Settings for a User Group 6-47
Configuring Nortel RADIUS Settings for a User Group 6-49
Configuring Juniper RADIUS Settings for a User Group 6-50
Configuring BBSM RADIUS Settings for a User Group 6-51
Configuring Custom RADIUS VSA Settings for a User Group 6-53
Group Setting Management 6-54
Listing Users in a User Group 6-54
Resetting Usage Quota Counters for a User Group 6-55
Renaming a User Group 6-55
Saving Changes to User Group Settings 6-56

CHAPTER 7 User Management 7-1
About User Setup Features and Functions 7-1
About User Databases 7-2
Basic User Setup Options 7-3
Adding a Basic User Account 7-4
Setting Supplementary User Information 7-6
Setting a Separate CHAP/MS-CHAP/ARAP Password 7-7
Assigning a User to a Group 7-8
Setting User Callback Option 7-9
Assigning a User to a Client IP Address 7-10
Setting Network Access Restrictions for a User 7-11
Setting Max Sessions Options for a User 7-16
Setting User Usage Quotas Options 7-18
Setting Options for User Account Disablement 7-20
Assigning a Downloadable IP ACL to a User 7-21
Advanced User Authentication Settings 7-22
TACACS+ Settings (User) 7-23
Configuring TACACS+ Settings for a User 7-24
Configuring a Shell Command Authorization Set for a User 7-26
Configuring a PIX Command Authorization Set for a User 7-29
Configuring Device-Management Command Authorization for a User 7-30
Configuring the Unknown Service Setting for a User 7-32
Advanced TACACS+ Settings (User) 7-33
Setting Enable Privilege Options for a User 7-33
Setting TACACS+ Enable Password Options for a User 7-35
Setting TACACS+ Outbound Password for a User 7-37
RADIUS Attributes 7-37
Setting IETF RADIUS Parameters for a User 7-38
Setting Cisco IOS/PIX RADIUS Parameters for a User 7-39
Setting Cisco Aironet RADIUS Parameters for a User 7-41
Setting Ascend RADIUS Parameters for a User 7-43
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User 7-44
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User 7-46
Setting Microsoft RADIUS Parameters for a User 7-47
Setting Nortel RADIUS Parameters for a User 7-49
Setting Juniper RADIUS Parameters for a User 7-51
Setting BBSM RADIUS Parameters for a User 7-52
Setting Custom RADIUS Attributes for a User 7-53
User Management 7-54
Listing All Users 7-55
Finding a User 7-55
Disabling a User Account 7-56
Deleting a User Account 7-57
Resetting User Session Quota Counters 7-58
Resetting a User Account after Login Failure 7-59
Saving User Settings 7-60

CHAPTER 8 System Configuration: Basic 8-1
Service Control 8-1
Determining the Status of Cisco Secure ACS Services 8-2
Stopping, Starting, or Restarting Services 8-2
Logging 8-3
Date Format Control 8-3
Setting the Date Format 8-4
Local Password Management 8-5
Configuring Local Password Management 8-7
Cisco Secure ACS Backup 8-9
About Cisco Secure ACS Backup 8-9
Backup File Locations 8-10
Directory Management 8-10
Components Backed Up 8-10
Reports of Cisco Secure ACS Backups 8-11
Backup Options 8-11
Performing a Manual Cisco Secure ACS Backup 8-12
Scheduling Cisco Secure ACS Backups 8-12
Disabling Scheduled Cisco Secure ACS Backups 8-13
Cisco Secure ACS System Restore 8-14
About Cisco Secure ACS System Restore 8-14
Backup Filenames and Locations 8-15
Components Restored 8-16
Reports of Cisco Secure ACS Restorations 8-16
Restoring Cisco Secure ACS from a Backup File 8-16
Cisco Secure ACS Active Service Management 8-17
System Monitoring 8-18
System Monitoring Options 8-18
Setting Up System Monitoring 8-19
Event Logging 8-20
Setting Up Event Logging 8-20
VoIP Accounting Configuration 8-21
Configuring VoIP Accounting 8-21

CHAPTER 9 System Configuration: Advanced 9-1
CiscoSecure Database Replication 9-1
About CiscoSecure Database Replication 9-2
Replication Process 9-4
Replication Frequency 9-7
Important Implementation Considerations 9-7
Database Replication Versus Database Backup 9-10
Database Replication Logging 9-10
Replication Options 9-11
Replication Components Options 9-11
Outbound Replication Options 9-12
Inbound Replication Options 9-15
Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes 9-15
Configuring a Secondary Cisco Secure ACS 9-17
Replicating Immediately 9-19
Scheduling Replication 9-21
Disabling CiscoSecure Database Replication 9-24
Database Replication Event Errors 9-25
RDBMS Synchronization 9-25
About RDBMS Synchronization 9-26
Users 9-27
User Groups 9-27
Network Configuration 9-28
Custom RADIUS Vendors and VSAs 9-28
RDBMS Synchronization Components 9-29
About CSDBSync 9-29
About the accountActions Table 9-31
Cisco Secure ACS Database Recovery Using the accountActions Table 9-32
Reports and Event (Error) Handling 9-33
Preparing to Use RDBMS Synchronization 9-33
Considerations for Using CSV-Based Synchronization 9-35
Preparing for CSV-Based Synchronization 9-36
Configuring a System Data Source Name for RDBMS Synchronization 9-37
RDBMS Synchronization Options 9-38
RDBMS Setup Options 9-38
Synchronization Scheduling Options 9-39
Synchronization Partners Options 9-39
Performing RDBMS Synchronization Immediately 9-40
Scheduling RDBMS Synchronization 9-41
Disabling Scheduled RDBMS Synchronizations 9-43
IP Pools Server 9-44
About IP Pools Server 9-44
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges 9-45
Refreshing the AAA Server IP Pools Table 9-47
Adding a New IP Pool 9-47
Editing an IP Pool Definition 9-48
Resetting an IP Pool 9-49
Deleting an IP Pool 9-50
IP Pools Address Recovery 9-51
Enabling IP Pool Address Recovery 9-51

CHAPTER 10 System Configuration: Authentication and Certificates 10-1
About Certification and EAP Protocols 10-1
Digital Certificates 10-2
EAP-TLS Authentication 10-2
About the EAP-TLS Protocol 10-3
EAP-TLS and Cisco Secure ACS 10-4
EAP-TLS Limitations 10-6
Enabling EAP-TLS Authentication 10-7
PEAP Authentication 10-8
About the PEAP Protocol 10-8
PEAP and Cisco Secure ACS 10-9
PEAP and the Unknown User Policy 10-11
Enabling PEAP Authentication 10-12
EAP-FAST Authentication 10-13
About EAP-FAST 10-13
About Master Keys 10-15
About PACs 10-17
Master Key and PAC TTLs 10-21
Replication and EAP-FAST 10-22
Enabling EAP-FAST 10-25
Global Authentication Setup 10-26
Authentication Configuration Options 10-27
Configuring Authentication Options 10-33
Cisco Secure ACS Certificate Setup 10-34
Installing a Cisco Secure ACS Server Certificate 10-35
Adding a Certificate Authority Certificate 10-37
Editing the Certificate Trust List 10-38
Managing Certificate Revocation Lists 10-40
About Certificate Revocation Lists 10-40
Certificate Revocation List Configuration Options 10-41
Adding a Certificate Revocation List Issuer 10-42
Editing a Certificate Revocation List Issuer 10-44
Deleting a Certificate Revocation List Issuer 10-44
Generating a Certificate Signing Request 10-45
Using Self-Signed Certificates 10-47
About Self-Signed Certificates 10-47
Self-Signed Certificate Configuration Options 10-48
Generating a Self-Signed Certificate 10-49
Updating or Replacing a Cisco Secure ACS Certificate 10-50

CHAPTER 11 Logs and Reports 11-1
Logging Formats 11-2
Special Logging Attributes 11-2
NAC Attributes in Logs 11-4
Update Packets in Accounting Logs 11-5
About Cisco Secure ACS Logs and Reports 11-6
Accounting Logs 11-6
Dynamic Administration Reports 11-9
Viewing the Logged-in Users Report 11-10
Deleting Logged-in Users 11-11
Viewing the Disabled Accounts Report 11-12
Cisco Secure ACS System Logs 11-13
Configuring the Administration Audit Log 11-14
Working with CSV Logs 11-15
CSV Log File Names 11-15
CSV Log File Locations 11-16
Enabling or Disabling a CSV Log 11-17
Viewing a CSV Report 11-18
Configuring a CSV Log 11-19
Working with ODBC Logs 11-21
Preparing for ODBC Logging 11-22
Configuring a System Data Source Name for ODBC Logging 11-22
Configuring an ODBC Log 11-23
Remote Logging 11-26
About Remote Logging 11-26
Implementing Centralized Remote Logging 11-27
Remote Logging Options 11-28
Enabling and Configuring Remote Logging 11-29
Disabling Remote Logging 11-31
Service Logs 11-31
Services Logged 11-32
Configuring Service Logs 11-33

CHAPTER 12 Administrators and Administrative Policy 12-1
Administrator Accounts 12-1
About Administrator Accounts 12-2
Administrator Privileges 12-3
Adding an Administrator Account 12-6
Editing an Administrator Account 12-7
Unlocking a Locked Out Administrator Account 12-10
Deleting an Administrator Account 12-11
Access Policy 12-11
Access Policy Options 12-12
Setting Up Access Policy 12-14
Session Policy 12-16
Session Policy Options 12-16
Setting Up Session Policy 12-17
Audit Policy 12-18

CHAPTER 13 User Databases 13-1
CiscoSecure User Database 13-2
About the CiscoSecure User Database 13-2
User Import and Creation 13-3
About External User Databases 13-4
Authenticating with External User Databases 13-5
External User Database Authentication Process 13-6
Windows User Database 13-7
What’s Supported with Windows User Databases 13-8
Authentication with Windows User Databases 13-9
Trust Relationships 13-9
Windows Dial-up Networking Clients 13-10
Windows Dial-up Networking Clients with a Domain Field 13-10
Windows Dial-up Networking Clients without a Domain Field 13-11
Usernames and Windows Authentication 13-11
Username Formats and Windows Authentication 13-11
Non-domain-qualified Usernames 13-13
Domain-Qualified Usernames 13-14
UPN Usernames 13-14
EAP and Windows Authentication 13-15
EAP-TLS Domain Stripping 13-16
Machine Authentication 13-16
Machine Access Restrictions 13-19
Microsoft Windows and Machine Authentication 13-20
Enabling Machine Authentication 13-22
User-Changeable Passwords with Windows User Databases 13-25
Preparing Users for Authenticating with Windows 13-26
Windows User Database Configuration Options 13-26
Configuring a Windows External User Database 13-30
Generic LDAP 13-32
Cisco Secure ACS Authentication Process with a Generic LDAP User Database 13-33
Multiple LDAP Instances 13-33
LDAP Organizational Units and Groups 13-34
Domain Filtering 13-34
LDAP Failover 13-36
Successful Previous Authentication with the Primary LDAP Server 13-36
Unsuccessful Previous Authentication with the Primary LDAP Server 13-37
LDAP Configuration Options 13-37
Configuring a Generic LDAP External User Database 13-43
Novell NDS Database 13-49
About Novell NDS User Databases 13-50
User Contexts 13-51
Novell NDS External User Database Options 13-52
Configuring a Novell NDS External User Database 13-53
ODBC Database 13-55
What is Supported with ODBC User Databases 13-57
Cisco Secure ACS Authentication Process with an ODBC External User Database 13-58
Preparing to Authenticate Users with an ODBC-Compliant Relational Database 13-59
Implementation of Stored Procedures for ODBC Authentication 13-60
Type Definitions 13-61
Microsoft SQL Server and Case-Sensitive Passwords 13-61
Sample Routine for Generating a PAP Authentication SQL Procedure 13-62
Sample Routine for Generating an SQL CHAP Authentication Procedure 13-63
Sample Routine for Generating an EAP-TLS Authentication Procedure 13-64
PAP Authentication Procedure Input 13-64
PAP Procedure Output 13-65
CHAP/MS-CHAP/ARAP Authentication Procedure Input 13-66
CHAP/MS-CHAP/ARAP Procedure Output 13-66
EAP-TLS Authentication Procedure Input 13-67
EAP-TLS Procedure Output 13-68
Result Codes 13-69
Configuring a System Data Source Name for an ODBC External User Database 13-70
Configuring an ODBC External User Database 13-71
LEAP Proxy RADIUS Server Database 13-75
Configuring a LEAP Proxy RADIUS Server External User Database 13-76
Token Server User Databases 13-78
About Token Servers and Cisco Secure ACS 13-78
Token Servers and ISDN 13-79
RADIUS-Enabled Token Servers 13-79
About RADIUS-Enabled Token Servers 13-80
Token Server RADIUS Authentication Request and Response Contents 13-80
Configuring a RADIUS Token Server External User Database 13-81
RSA SecurID Token Servers 13-84
Configuring an RSA SecurID Token Server External User Database 13-85
Deleting an External User Database Configuration 13-86

CHAPTER 14 Network Admission Control 14-1
About Network Admission Control 14-1
NAC AAA Components 14-2
Posture Validation 14-3
Posture Tokens 14-4
Non-Responsive NAC-Client Computers 14-5
Implementing Network Admission Control 14-5
NAC Databases 14-10
About NAC Databases 14-10
About NAC Credentials and Attributes 14-11
NAC Database Configuration Options 14-12
Policy Selection Options 14-13
Configuring a NAC Database 14-14
NAC Policies 14-16
Local Policies 14-17
About Local Policies 14-18
About Rules, Rule Elements, and Attributes 14-19
Local Policy Configuration Options 14-22
Rule Configuration Options 14-24
Creating a Local Policy 14-25
External Policies 14-28
About External Policies 14-28
External Policy Configuration Options 14-29
Creating an External Policy 14-32
Editing a Policy 14-34
Deleting a Policy 14-36

CHAPTER 15 Unknown User Policy 15-1
Known, Unknown, and Discovered Users 15-2
Authentication and Unknown Users 15-4
About Unknown User Authentication 15-4
General Authentication of Unknown Users 15-5
Windows Authentication of Unknown Users 15-6
Domain-Qualified Unknown Windows Users 15-6
Windows Authentication with Domain Qualification 15-7
Multiple User Account Creation 15-8
Performance of Unknown User Authentication 15-8
Added Authentication Latency 15-9
Authentication Timeout Value on AAA clients 15-9
Posture Validation and the Unknown User Policy 15-10
NAC and the Unknown User Policy 15-10
Posture Validation Use of the Unknown User Policy 15-11
Required Use for Posture Validation 15-12
Authorization of Unknown Users 15-13
Unknown User Policy Options 15-13
Database Search Order 15-14
Configuring the Unknown User Policy 15-16
Disabling Unknown User Authentication 15-17

CHAPTER 16 User Group Mapping and Specification 16-1
About User Group Mapping and Specification 16-1
Group Mapping by External User Database 16-2
Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database 16-3
Group Mapping by Group Set Membership 16-4
Group Mapping Order 16-5
No Access Group for Group Set Mappings 16-5
Default Group Mapping for Windows 16-6
Windows Group Mapping Limitations 16-6
Creating a Cisco Secure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups 16-7
Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping 16-9
Deleting a Windows, Novell NDS, or Generic LDAP Group Set Mapping 16-10
Deleting a Windows Domain Group Mapping Configuration 16-11
Changing Group Set Mapping Order 16-12
NAC Group Mapping 16-13
Configuring NAC Group Mapping 16-13
RADIUS-Based Group Specification 16-14

APPENDIX A Troubleshooting A-1
Administration Issues A-2
Browser Issues A-4
Cisco IOS Issues A-5
Database Issues A-7
Dial-in Connection Issues A-10
Debug Issues A-14
Proxy Issues A-15
Installation and Upgrade Issues A-16
MaxSessions Issues A-16
Report Issues A-17
Third-Party Server Issues A-19
User Authentication Issues A-20
TACACS+ and RADIUS Attribute Issues A-22

APPENDIX B TACACS+ Attribute-Value Pairs B-1
Cisco IOS AV Pair Dictionary B-1
TACACS+ AV Pairs B-2
TACACS+ Accounting AV Pairs B-4

APPENDIX C RADIUS Attributes C-1
Cisco IOS Dictionary of RADIUS AV Pairs C-2
Cisco IOS/PIX Dictionary of RADIUS VSAs C-5
About the cisco-av-pair RADIUS Attribute C-7
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs C-9
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs C-13
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA C-14
IETF Dictionary of RADIUS AV Pairs C-14
Microsoft MPPE Dictionary of RADIUS VSAs C-28
Ascend Dictionary of RADIUS AV Pairs C-31
Nortel Dictionary of RADIUS VSAs C-43
Juniper Dictionary of RADIUS VSAs C-44

APPENDIX D CSUtil Database Utility D-1
Location of CSUtil.exe and Related Files D-2
CSUtil.exe Syntax D-2
CSUtil.exe Options D-3
Displaying Command-Line Syntax D-5
Backing Up Cisco Secure ACS with CSUtil.exe D-6
Restoring Cisco Secure ACS with CSUtil.exe D-7
Creating a CiscoSecure User Database D-8
Creating a Cisco Secure ACS Database Dump File D-10
Loading the Cisco Secure ACS Database from a Dump File D-11
Compacting the CiscoSecure User Database D-12
User and AAA Client Import Option D-14
Importing User and AAA Client Information D-15
User and AAA Client Import File Format D-16
About User and AAA Client Import File Format D-17
ONLINE or OFFLINE Statement D-17
ADD Statements D-18
UPDATE Statements D-19
DELETE Statements D-21
ADD_NAS Statements D-21
DEL_NAS Statements D-23
Import File Example D-24
Exporting User List to a Text File D-24
Exporting Group Information to a Text File D-25
Exporting Registry Information to a Text File D-26
Decoding Error Numbers D-27
Recalculating CRC Values D-28
User-Defined RADIUS Vendors and VSA Sets D-28
About User-Defined RADIUS Vendors and VSA Sets D-29
Adding a Custom RADIUS Vendor and VSA Set D-29
Deleting a Custom RADIUS Vendor and VSA Set D-31
Listing Custom RADIUS Vendors D-32
Exporting Custom RADIUS Vendor and VSA Sets D-33
RADIUS Vendor/VSA Import File D-34
About the RADIUS Vendor/VSA Import File D-34
Vendor and VSA Set Definition D-35
Attribute Definition D-36
Enumeration Definition D-38
Example RADIUS Vendor/VSA Import File D-39
PAC File Generation D-40
PAC File Options and Examples D-41
Generating PAC Files D-43
Posture Validation Attributes D-44
Posture Validation Attribute Definition File D-44
Exporting Posture Validation Attribute Definitions D-48
Importing Posture Validation Attribute Definitions D-49
Deleting a Posture Validation Attribute Definition D-51
Default Posture Validation Attribute Definition File D-52

APPENDIX E VPDN Processing E-1
VPDN Process E-1

APPENDIX F RDBMS Synchronization Import Definitions F-1
accountActions Specification F-1
accountActions Format F-2
accountActions Mandatory Fields F-3
accountActions Processing Order F-4
Action Codes F-4
Action Codes for Setting and Deleting Values F-5
Action Codes for Creating and Modifying User Accounts F-7
Action Codes for Initializing and Modifying Access Filters F-14
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings F-19
Action Codes for Modifying Network Configuration F-25
Cisco Secure ACS Attributes and Action Codes F-32
User-Specific Attributes F-32
User-Defined Attributes F-34
Group-Specific Attributes F-35
An Example of accountActions F-36

APPENDIX G Internal Architecture G-1
Windows Services G-1
Windows Registry G-2
CSAdmin G-2
CSAuth G-3
CSDBSync G-4
CSLog G-4
CSMon G-4
Monitoring G-5
Recording G-6
Notification G-7
Response G-7
CSTacacs and CSRadius G-8

INDEX

Preface

This document will help you configure and use Cisco Secure Access Control Server (ACS) and its features and utilities.

Audience

This guide is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.

Organization

This document contains the following chapters and appendixes:
Chapter 1, “Overview”—An overview of Cisco Secure ACS and its features, network diagrams, and system requirements.
Chapter 2, “Deployment Considerations”—A guide to deploying Cisco Secure ACS that includes requirements, options, trade-offs, and suggested sequences.
Chapter 3, “Interface Configuration”—Concepts and procedures regarding how to use the Interface Configuration section of Cisco Secure ACS to configure the HTML interface.
Chapter 4, “Network Configuration”—Concepts and procedures for establishing Cisco Secure ACS network configuration and building a distributed system.
Chapter 5, “Shared Profile Components”—Concepts and procedures regarding Cisco Secure ACS shared profile components: downloadable IP ACLs, network access filters, network access restrictions, and device command sets.
Chapter 6, “User Group Management”—Concepts and procedures for establishing and maintaining Cisco Secure ACS user groups.
Chapter 7, “User Management”—Concepts and procedures for establishing and maintaining Cisco Secure ACS user accounts.
Chapter 8, “System Configuration: Basic”—Concepts and procedures regarding the basic features found in the System Configuration section of Cisco Secure ACS.
Chapter 9, “System Configuration: Advanced”—Concepts and procedures regarding RDBMS Synchronization, CiscoSecure Database Replication, and IP pools, found in the System Configuration section of Cisco Secure ACS.
Chapter 10, “System Configuration: Authentication and Certificates”—Concepts and procedures regarding the Global Authentication and ACS Certificate Setup pages, found in the System Configuration section of Cisco Secure ACS.
Chapter 11, “Logs and Reports”—Concepts and procedures regarding Cisco Secure ACS logging and reports.
Chapter 12, “Administrators and Administrative Policy”—Concepts and procedures for establishing and maintaining Cisco Secure ACS administrators.
Chapter 13, “User Databases”—Concepts about user databases and procedures for configuring Cisco Secure ACS to perform user authentication with external user databases.
Chapter 14, “Network Admission Control”—Concepts and procedures for implementing Network Admission Control (NAC) and configuring NAC databases, policies, and rules.
Chapter 15, “Unknown User Policy”—Concepts and procedures about using the Unknown User Policy with posture validation and unknown user authentication.
Chapter 16, “User Group Mapping and Specification”—Concepts and procedures regarding the assignment of groups for users authenticated by an external user database.