Cisco Systems Windows Server User Manual

Download

User Guide for Cisco Secure ACS for Windows Server

Version 3.3

May 2004

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 526-4100

Customer Order Number: DOC-7816592= Text Part Number: 78-16592-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Pac ke t, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0403R)

User Guide for Cisco Secure ACS for Windows Server

Preface xxix

Audience xxix

Organization xxix

Conventions xxxi

Product Documentation xxxii

Preface

This document will help you configure and use Cisco Secure Access Control Server (ACS) and its features and utilities.

Audience

This guide is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.

Organization

This document contains the following chapters and appendixes:

• Chapter 1, “Overview”—An overview of Cisco Secure ACS and its

features, network diagrams, and system requirements.

• Chapter 2, “Deployment Considerations”—A guide to deploying

Cisco Secure ACS that includes requirements, options, trade-offs, and suggested sequences.

• Chapter 3, “Interface Configuration”—Concepts and procedures

regarding how to use the Interface Configuration section of Cisco Secure ACS to configure the HTML interface.

78-16592-01

• Chapter 4, “Network Configuration”—Concepts and procedures for

establishing Cisco Secure ACS network configuration and building a distributed system.

User Guide for Cisco Secure ACS for Windows Server

xxix

Organization

Preface

• Chapter 5, “Shared Profile Components”—Concepts and procedures

regarding Cisco Secure ACS shared profile components: downloadable IP acls, network access filters, network access restrictions, and device command sets.

• Chapter 6, “User Group Management”—Concepts and procedures for

establishing and maintaining Cisco Secure ACS user groups.

• Chapter 7, “User Management”—Concepts and procedures for

establishing and maintaining Cisco Secure ACS user accounts.

• Chapter 8, “System Configuration: Basic”—Concepts and procedures

regarding the basic features found in the System Configuration section of Cisco Secure ACS.

• Chapter 9, “System Configuration: Advanced”—Concepts and procedures

regarding RDBMS Synchronization, CiscoSecure Database Replication, and IP pools, found in the System Configuration section of Cisco Secure ACS.

• Chapter 10, “System Configuration: Authentication and

Certificates”—Concepts and procedures regarding the Global

Authentication and ACS Certificate Setup pages, found in the System Configuration section of Cisco Secure ACS.

xxx

• Chapter 11, “Logs and Reports”—Concepts and procedures regarding

Cisco Secure ACS logging and reports.

• Chapter 12, “Administrators and Administrative Policy”—Concepts and

procedures for establishing and maintaining Cisco Secure ACS administrators.

• Chapter 13, “User Databases”—Concepts about user databases and

procedures for configuring Cisco Secure ACS to perform user authentication with external user databases.

• Chapter 14, “Network Admission Control”—Concepts and procedures for

implementing Network Admission Control (NAC) and configuring NAC databases, policies, and rules.

• Chapter 15, “Unknown User Policy”—Concepts and procedures about

using the Unknown User Policy with posture validation and unknown user authentication.

• Chapter 16, “User Group Mapping and Specification”—Concepts and

procedures regarding the assignment of groups for users authenticated by an external user database.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Preface

Conventions

• Appendix A, “Troubleshooting”—How to identify and solve certain

problems you might have with Cisco Secure ACS.

• Appendix B, “TACACS+ Attribute-Value Pairs”—A list of supported

TACACS+ AV pairs and accounting AV pairs.

• Appendix C, “RADIUS Attributes”—A list of supported RADIUS AV

pairs and accounting AV pairs.

• Appendix D, “CSUtil Database Utility”—Instructions for using

CSUtil.exe, a command line utility you can use to work with the CiscoSecure user database, to import AAA clients and users, to define RADIUS vendors and attributes, and to generate PAC files for EAP-FAST clients.

• Appendix E, “VPDN Processing”—An introduction to Virtual Private

Dial-up Networks (VPDN), including stripping and tunneling, with instructions for enabling VPDN on Cisco Secure ACS.

• Appendix F, “RDBMS Synchronization Import Definitions”—A list of

import definitions, for use with the RDBMS Synchronization feature.

• Appendix G, “Internal Architecture”—A description of Cisco Secure ACS

architectural components.

Conventions

This document uses the following conventions:

Item Convention

Commands, keywords, special terminology, and options that should be selected during procedures

Variables for which you supply values and new or important terminology

Displayed session and system information, paths and file names

Information you enter boldface screen font

Variables you enter italic screen font

Menu items and button names boldface font

Indicates menu items to select, in the order you select them. Option > Network Preferences

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

boldface font

italic font

screen font

xxxi

Product Documentation

Tip Identifies information to help you get the most benefit from your product.

Note Means reader take note. Notes identify important information that you should

Caution Means reader be careful. In this situation, you might do something that could

Preface

reflect upon before continuing, contain helpful suggestions, or provide references to materials not contained in the document.

result in equipment damage, loss of data, or a potential breach in your network security.

Warning

Identifies information that you must heed to prevent damaging yourself, the state of software, or equipment. Warnings identify definite security breaches that will result if the information presented is not followed carefully.

Product Documentation

Note We sometimes update the printed and electronic documentation after original

publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 1 describes the product documentation that is available.

Table 1 Product Documentation

Document Title Available Formats

Release Notes for Cisco Secure ACS for Windows Server

• Printed document that was included with the

product.

• On Cisco.com.

xxxii

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Preface

Table 1 Product Documentation (continued)

Document Title Available Formats

Installation Guide for Cisco Secure ACS for Windows Server

• PDF on the product CD-ROM.

• On Cisco.com.

Obtaining Documentation

Table 2 Related Documentation (continued)

Document Title Description and Available Formats

External ODBC Authentication This paper presents concepts and configuration issues in

deploying Cisco Secure ACS for Windows Server to authenticate users against an external open database connectivity (ODBC) database. This paper also describes configuring, testing, and troubleshooting a relational database management system (RDBMS) with ODBC and Cisco Secure ACS, and provides sample Structured Query Language (SQL) procedures.

Guidelines for Placing ACS in the Network

Initializing MC Authorization on ACS 3.1

Securing ACS Running on Microsoft Windows Platforms

This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.

This application note explains how to initialize Management Center authorization on Cisco Secure ACS.

This paper describes how the Cisco Secure ACS can be protected against the vulnerabilities of the Windows 2000 operating system and explains how to improve security on the computer running Cisco Secure ACS. It discusses making the system dedicated to Cisco Secure ACS, removing all unnecessary services, and other measures. It also discusses how to improve administrative security for Cisco Secure ACS through such methods as stronger passwords and controlled administrative access. This paper concludes with considerations of physical security for Cisco Secure ACS and its host.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

xxxv

Documentation Feedback

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product

documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Preface

• Nonregistered Cisco.com users can order documentation through a local

account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

User Guide for Cisco Secure ACS for Windows Server

xxxvi

78-16592-01

Preface

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Obtaining Technical Assistance

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

xxxvii

Obtaining Technical Assistance

recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Preface

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

User Guide for Cisco Secure ACS for Windows Server

xxxviii

78-16592-01

Preface

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, and

logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

• The Cisco Product Catalog describes the networking products offered by

Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

• Cisco Press publishes a wide range of general networking, training and

certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco Systems technical user magazine for

maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

78-16592-01

• iQ Magazine is the quarterly publication from Cisco Systems designed to

help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

User Guide for Cisco Secure ACS for Windows Server

xxxix

Obtaining Additional Publications and Information

• Internet Protocol Journal is a quarterly journal published by Cisco Systems

for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

• World-class networking training is available from Cisco. You can view

current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html

Preface

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

CHAPTER

Overview

This chapter provides an overview of Cisco Secure ACS for Windows Server.

This chapter contains the following topics:

• The Cisco Secure ACS Paradigm, page 1-2

• Cisco Secure ACS Specifications, page 1-3

–

System Performance Specifications, page 1-3

–

Cisco Secure ACS Windows Services, page 1-4

• AAA Server Functions and Concepts, page 1-5

–

Cisco Secure ACS and the AAA Client, page 1-6

–

AAA Protocols—TACACS+ and RADIUS, page 1-6

–

Authentication, page 1-8

78-16592-01

–

Authorization, page 1-17

–

Accounting, page 1-22

–

Administration, page 1-23

–

Posture Validation, page 1-25

• Cisco Secure ACS HTML Interface, page 1-25

–

About the Cisco Secure ACS HTML Interface, page 1-26

–

HTML Interface Layout, page 1-27

–

Uniform Resource Locator for the HTML Interface, page 1-29

–

Network Environments and Administrative Sessions, page 1-30

User Guide for Cisco Secure ACS for Windows Server

1-1

The Cisco Secure ACS Paradigm

–

Accessing the HTML Interface, page 1-32

–

Logging Off the HTML Interface, page 1-33

–

Online Help and Online Documentation, page 1-33

The Cisco Secure ACS Paradigm

Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced “triple A”) services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. The AAA client in Figure 1-1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.

Figure 1-1 A Simple AAA Scenario

Chapter 1 Overview

Cisco Secure Access Control Server

1-2

End-user client AAA client

Cisco Secure ACS centralizes access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in

Figure 1-1 is optional, support for many popular user repository implementations

enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories.

Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party devices that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA

User Guide for Cisco Secure ACS for Windows Server

External user database

67472

78-16592-01

Chapter 1 Overview

services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see AAA Protocols—TACACS+

and RADIUS, page 1-6.

Cisco Secure ACS Specifications

Note For hardware, operating system, third-party software, and network requirements,

see Basic Deployment Requirements for Cisco Secure ACS, page 2-2.

This section contains the following topics:

• System Performance Specifications, page 1-3

• Cisco Secure ACS Windows Services, page 1-4

System Performance Specifications

Cisco Secure ACS Specifications

78-16592-01

The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is using its internal user database and running on a computer using the fastest processor and network interface card available than it can if it is using several external user databases and running on a computer that complies with the minimum system requirements (see System Requirements, page 2-2).

For more information about the expected performance of Cisco Secure ACS in your network setting, contact your Cisco sales representative. The following items are general answers to common system performance questions. The performance of Cisco Secure ACS in your network depends on your specific environment and AAA requirements.

User Guide for Cisco Secure ACS for Windows Server

1-3

Cisco Secure ACS Specifications

• Maximum users supported by the CiscoSecure user database—There is

no theoretical limit to the number of users the CiscoSecure user database can support. We have successfully tested Cisco Secure ACS with databases in excess of 100,000 users. The practical limit for a single Cisco Secure ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated Cisco Secure ACSes.

• Transactions per second—Authentication and authorization transactions

per second is dependent on many factors, most of which are external to Cisco Secure ACS. For example, high network latency in communication with an external user database lowers the transactions per second that Cisco Secure ACS can perform.

• Maximum number of AAA clients supported—Cisco Secure ACS can

support AAA services for approximately 5000 AAA client configurations. This limitation is primarily a limitation of the Cisco Secure ACS HTML interface. Performance of the HTML interface degrades when Cisco Secure ACS has more than approximately 5000 AAA client configurations. However, a AAA client configuration in Cisco Secure ACS can represent more than one physical network device, provided that the network devices use the same AAA protocol and use the same shared secret. If you make use of this ability, the number of actual AAA clients supported approaches 20,000.

Chapter 1 Overview

If your network has several thousand AAA clients, we recommend using multiple Cisco Secure ACSes and assigning no more than 5000 AAA clients to each Cisco Secure ACS. For example, if you have 20,000 AAA clients, you could use four Cisco Secure ACSes and divide the AAA client load among them so that no single Cisco Secure ACS manages more than 5000 AAA client configurations. If you use replication to propagate configuration data among Cisco Secure ACSes, limit replication of AAA client data to Cisco Secure ACSes that serve the same set of AAA clients.

Cisco Secure ACS Windows Services

Cisco Secure ACS operates as a set of Microsoft Windows services and controls the authentication, authorization, and accounting of users accessing networks.

User Guide for Cisco Secure ACS for Windows Server

1-4

78-16592-01

Chapter 1 Overview

AAA Server Functions and Concepts

When you install Cisco Secure ACS, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. For a full discussion of each service, see Appendix G, “Internal Architecture”. The Cisco Secure ACS services on the computer running Cisco Secure ACS include the following:

• CSAdmin—Provides the HTML interface for administration of Cisco Secure

ACS.

• CSAuth—Provides authentication services.

• CSDBSync—Provides synchronization of the CiscoSecure user database

with an external RDBMS application.

• CSLog—Provides logging services, both for accounting and system activity.

• CSMon—Provides monitoring, recording, and notification of Cisco Secure

ACS performance, and includes automatic response to some scenarios.

• CSTacacs—Provides communication between TACACS+ AAA clients and

the CSAuth service.

• CSRadius—Provides communication between RADIUS AAA clients and

the CSAuth service.

Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS HTML interface. For information about stopping and starting Cisco Secure ACS services, see Service Control, page 8-1.

AAA Server Functions and Concepts

Cisco Secure ACS is a AAA server, providing AAA services to network devices that can act as AAA clients.

As a AAA server, Cisco Secure ACS incorporates many technologies to render AAA services to AAA clients. Understanding Cisco Secure ACS requires knowledge of many of these technologies.

This section contains the following topics:

• Cisco Secure ACS and the AAA Client, page 1-6

• AAA Protocols—TACACS+ and RADIUS, page 1-6

• Authentication, page 1-8

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

1-5

AAA Server Functions and Concepts

• Authorization, page 1-17

• Accounting, page 1-22

• Administration, page 1-23

• Posture Validation, page 1-25

Cisco Secure ACS and the AAA Client

A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server. AAA clients must be configured to direct all end-user client access requests to Cisco Secure ACS for authentication of users and authorization of service requests. Using the TACACS+ or RADIUS protocol, the AAA client sends authentication requests to Cisco Secure ACS. Cisco Secure ACS verifies the username and password using the user databases it is configured to query. Cisco Secure ACS returns a success or failure response to the AAA client, which permits or denies user access, based on the response it receives. When the user authenticates successfully, Cisco Secure ACS sends a set of authorization attributes to the AAA client. The AAA client then begins forwarding accounting information to Cisco Secure ACS.

When the user has successfully authenticated, a set of session attributes can be sent to the AAA client to provide additional security and control of privileges, otherwise known as authorization. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet). More recently, networking vendors are expanding the use of the attribute sets returned to cover an increasingly wider aspect of user session provisioning.

Chapter 1 Overview

AAA Protocols—TACACS+ and RADIUS

Cisco Secure ACS can use both the TACACS+ and RADIUS AAA protocols.

Table 1-1 compares the two protocols.

User Guide for Cisco Secure ACS for Windows Server

1-6

78-16592-01

Chapter 1 Overview

AAA Server Functions and Concepts

Table 1-1 TACACS+ and RADIUS Protocol Comparison

Point of Comparison TACACS+ RADIUS

Transmission Protocol TCP—connection-oriented

transport layer protocol, reliable full-duplex data transmission

UDP—connectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery

Ports Used 49 Authentication and Authorization:

1645 and 1812

Accounting: 1646 and 1813

Encryption Full packet encryption Encrypts only passwords up to 16

bytes

AAA Architecture Separate control of each service:

authentication, authorization, and

Authentication and authorization combined as one service

accounting

Intended Purpose Device management User access control

TACACS+

RADIUS

78-16592-01

Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. For more information, refer to the Cisco IOS software documentation or Cisco.com (http://www.cisco.com).

Cisco Secure ACS conforms to the RADIUS protocol as defined in draft April 1997 and in the following Requests for Comments (RFCs):

• RFC 2138, Remote Authentication Dial In User Service

• RFC 2139, RADIUS Accounting

• RFC 2865

• RFC 2866

• RFC 2867

User Guide for Cisco Secure ACS for Windows Server

1-7

AAA Server Functions and Concepts

• RFC 2868

• RFC 2869

The ports used for authentication and accounting have changed in RADIUS RFC documents. To support both the older and newer RFCs, Cisco Secure ACS accepts authentication requests on port 1645 and port 1812. For accounting, Cisco Secure ACS accepts accounting packets on port 1646 and 1813.

In addition to support for standard IETF RADIUS attributes, Cisco Secure ACS includes support for RADIUS vendor-specific attributes (VSAs). We have predefined the following RADIUS VSAs in Cisco Secure ACS:

• Cisco IOS/PIX

• Cisco VPN 3000

• Cisco VPN 5000

• Ascend

• Juniper

• Microsoft

• Nortel

Chapter 1 Overview

Authentication

User Guide for Cisco Secure ACS for Windows Server

1-8

Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define. After you define a new RADIUS VSA, you can use it as you would one of the RADIUS VSAs that come predefined in Cisco Secure ACS. In the Network Configuration section of the Cisco Secure ACS HTML interface, you can configure a AAA client to use a user-defined RADIUS VSA as its AAA protocol. In Interface Configuration, you can enable user-level and group-level attributes for user-defined RADIUS VSAs. In User Setup and Group Setup, you can configure the values for enabled attributes of a user-defined RADIUS VSA.

For more information about creating user-defined RADIUS VSAs, see Custom

RADIUS Vendors and VSAs, page 9-28.

Authentication determines user identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use technologies such as CHAP and one-time passwords (OTPs). Cisco Secure ACS supports a variety of these authentication methods.

78-16592-01

Chapter 1 Overview

There is a fundamental implicit relationship between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. Cisco Secure ACS supports this relationship by providing various methods of authentication.

This section contains the following topics:

• Authentication Considerations, page 1-9

• Authentication and User Databases, page 1-10

• Authentication Protocol-Database Compatibility, page 1-10

• Passwords, page 1-11

• Other Authentication-Related Features, page 1-16

Authentication Considerations

Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate only between the AAA client and the access control server. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords, such as the communication between an end-user client dialing up over a phone line or an ISDN line terminating at a network access server, or over a Telnet session between an end-user client and the hosting device.

AAA Server Functions and Concepts

78-16592-01

Network administrators who offer increased levels of security services, and corporations that want to lessen the chance of intruder access resulting from password capturing, can use an OTP. Cisco Secure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node login. Token cards are considered one of the strongest OTP authentication mechanisms.

User Guide for Cisco Secure ACS for Windows Server

1-9

AAA Server Functions and Concepts

Authentication and User Databases

Cisco Secure ACS supports a variety of user databases. It supports the CiscoSecure user database and several external user databases, including the following:

• Windows User Database

• Generic LDAP

• Novell NetWare Directory Services (NDS)

• Open Database Connectivity (ODBC)-compliant relational databases

• RSA SecurID token server

• RADIUS-compliant token servers

Note For more information about token server support, see Token Server

User Databases, page 13-78

Authentication Protocol-Database Compatibility

Chapter 1 Overview

The various password protocols supported by Cisco Secure ACS for authentication are supported unevenly by the various databases supported by Cisco Secure ACS. For more information about the password protocols supported by Cisco Secure ACS, see Passwords, page 1-11.

Table 1-2 specifies non-EAP authentication protocol support.

Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility

Database ASCII/PAP CHAP ARAP MS-CHAP v.1 MS-CHAP v.2

Cisco Secure ACS Yes Yes Yes Yes Yes

Windows SAM Yes No No Yes Yes

Windows AD Yes No No Yes Yes

LDAP YesNoNoNoNo

Novell NDS Yes No No No No

ODBC Yes Yes Yes Yes Yes

User Guide for Cisco Secure ACS for Windows Server

1-10

78-16592-01

Chapter 1 Overview

AAA Server Functions and Concepts

Table 1-2 Non-EAP Authentication Protocol and User Database Compatibility (continued)

Database ASCII/PAP CHAP ARAP MS-CHAP v.1 MS-CHAP v.2

LEAP Proxy RADIUS

Ye s N o N o Ye s Ye s

Server

All Token Servers Yes No No No No

Table 1-3 specifies EAP authentication protocol support.

Table 1-3 EAP Authentication Protocol and User Database Compatibility

PEAP

Database LEAP EAP-MD5 EAP-TLS

PEAP (EAP-GTC)

(EAP-MS CHAPv2)

EAP-FAST Phase Zero

EAP-FAST Phase Two

Cisco Secure ACS Yes Yes Yes Yes Yes Yes Yes

Win dow s S AM Ye s N o No Ye s Ye s Ye s Ye s

Windows AD Yes No Yes Yes Yes Yes Yes

LDAP No No Yes Yes No No Yes

Novell NDS No No No Yes No No Yes

ODBC Yes Yes Yes Yes Yes Yes Yes

LEAP Proxy

Ye s No N o Yes Ye s Ye s Ye s

RADIUS Server

All Token Servers No No No Yes No No No

Passwords

78-16592-01

Cisco Secure ACS supports many common password protocols:

• ASCII/PAP

• CHAP

• MS-CHAP

• LEAP

• EAP-MD5

• EAP-TLS

User Guide for Cisco Secure ACS for Windows Server

1-11

AAA Server Functions and Concepts

• PEAP(EAP-GTC)

• PEAP(EAP-MSCHAPv2)

• EAP-FAST

• ARAP

Passwords can be processed using these password authentication protocols based on the version and type of security control protocol used (for example, RADIUS or TACACS+) and the configuration of the AAA client and end-user client. The following sections outline the different conditions and functions of password handling.

In the case of token servers, Cisco Secure ACS acts as a client to the token server, using either its proprietary API or its RADIUS interface, depending on the token server. For more information, see About Token Servers and Cisco Secure ACS,

page 13-78.

Different levels of security can be concurrently used with Cisco Secure ACS for different requirements. The basic user-to-network security level is PAP. Although it represents the unencrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows database. With this configuration, users need to log in only once. CHAP allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client. You can use CHAP with the CiscoSecure user database. ARAP support is included to support Apple clients.

Chapter 1 Overview

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.

• PAP—Uses clear-text passwords (that is, unencrypted passwords) and is the

least sophisticated authentication protocol. If you are using the Windows user database to authenticate users, you must use PAP password encryption or MS-CHAP.

• CHAP—Uses a challenge-response mechanism with one-way encryption on

the response. CHAP enables Cisco Secure ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the CiscoSecure user database for authentication, you can use either PAP or CHAP. CHAP does not work with the Windows user database.

User Guide for Cisco Secure ACS for Windows Server

1-12

78-16592-01

Chapter 1 Overview

MS-CHAP

AAA Server Functions and Concepts

• ARAP—Uses a two-way challenge-response mechanism. The AAA client

challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.

Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP and standard CHAP are the following:

• The MS-CHAP Response packet is in a format compatible with Microsoft

Windows and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.

• MS-CHAP provides an authentication-retry mechanism controlled by the

authenticator.

• MS-CHAP provides additional failure codes in the Failure packet Message

field.

For more information on MS-CHAP, refer to RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.

EAP Support

78-16592-01

The Extensible Authentication Protocol (EAP), based on IETF 802.1x, is an end-to-end framework that allows the creation of authentication types without changing AAA client configurations. For more information about EAP, go to

PPP Extensible Authentication Protocol (EAP) RFC 2284.

Cisco Secure ACS supports the following varieties of EAP:

• EAP-MD5—An EAP protocol that does not support mutual authentication.

• EAP-TLS—EAP incorporating Transport Layer Security. For more

information, see EAP-TLS Deployment Guide for Wireless LAN Networks and EAP-TLS Authentication, page 10-2.

• LEAP—An EAP protocol used by Cisco Aironet wireless equipment; it

supports mutual authentication.

• PEAP—Protected EAP, which is implemented with EAP-Generic Token

Card (GTC) and EAP-MSCHAPv2 protocols. For more information, see

PEAP Authentication, page 10-8.

User Guide for Cisco Secure ACS for Windows Server

1-13

AAA Server Functions and Concepts

• EAP-FAST—EAP Flexible Authentication via Secured Tunnel

(EAP-FAST), a faster means of encrypting EAP authentication, supports EAP-GTC authentication. For more information, see EAP-FAST

Authentication, page 10-13.

The architecture of Cisco Secure ACS is extensible with regard to EAP; additional varieties of EAP will be supported as those protocols mature.

Basic Password Configurations

There are several basic password configurations:

Note These configurations are all classed as inbound authentication.

• Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the

most convenient method for both the administrator when setting up accounts and the user when obtaining authentication. However, because the CHAP password is the same as the PAP password, and the PAP password is transmitted in clear text during an ASCII/PAP login, there is the chance that the CHAP password can be compromised.

Chapter 1 Overview

• Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a

higher level of security, users can be given two separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password can remain secure.

• External user database authentication—For authentication by an external

user database, the user does not need a password stored in the CiscoSecure user database. Instead, Cisco Secure ACS records which external user database it should query to authenticate the user.

Advanced Password Configurations

Cisco Secure ACS supports the following advanced password configurations:

• Inbound passwords—Passwords used by most Cisco Secure ACS users.

These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure user database and are not usually given up to an external source if an outbound password has been configured.

User Guide for Cisco Secure ACS for Windows Server

1-14

78-16592-01

Chapter 1 Overview

AAA Server Functions and Concepts

• Outbound passwords—The TACACS+ protocol supports outbound

passwords that can be used, for example, when a AAA client has to be authenticated by another AAA client and end-user client. Passwords from the CiscoSecure user database are then sent back to the second AAA client and end-user client.

• Token caching—When token caching is enabled, ISDN users can connect

(for a limited time) a second B Channel using the same OTP entered during original authentication. For greater security, the B-Channel authentication request from the AAA client should include the OTP in the username value (for example, Fredpassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the configuration the user employs.

The TACACS+ SENDAUTH feature enables a AAA client to authenticate itself to another AAA client or an end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is given out. By default, ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, we recommend that the separate SENDAUTH password be configured for the user so that Cisco Secure ACS inbound passwords are never compromised.

Password Aging

78-16592-01

If you want to use outbound passwords and maintain the highest level of security, we recommend that you configure users in the CiscoSecure user database with an outbound password that is different from the inbound password.

With Cisco Secure ACS you can choose whether and how you want to employ password aging. Control for password aging may reside either in the CiscoSecure user database, or in a Windows user database. Each password aging mechanism differs as to requirements and setting configurations.

The password aging feature controlled by the CiscoSecure user database enables you force users to change their passwords under any of the following conditions:

• After a specified number of days.

• After a specified number of logins.

• The first time a new user logs in.

User Guide for Cisco Secure ACS for Windows Server

1-15

AAA Server Functions and Concepts

For information on the requirements and configuration of the password aging feature controlled by the CiscoSecure user database, see Enabling Password

Aging for the CiscoSecure User Database, page 6-21.

The Windows-based password aging feature enables you to control the following password aging parameters:

• Maximum password age in days.

• Minimum password age in days.

The methods and functionality of Windows password aging differ according to which Windows operating system you use and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). For information on the requirements and configuration of the Windows-based password aging feature, see Enabling Password Aging for Users in Windows Databases, page 6-26.

User-Changeable Passwords

With Cisco Secure ACS, you can install a separate program that enables users to change their passwords by using a web-based utility. For more information about installing user-changeable passwords, see the Installation and User Guide for Cisco Secure ACS User-Changeable Passwords.

Chapter 1 Overview

Other Authentication-Related Features

In addition to the authentication-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Authentication of unknown users with external user databases (see About

Unknown User Authentication, page 15-4).

• Authentication of computers running Microsoft Windows (see Machine

Authentication, page 13-16).

• Support for the Microsoft Windows Callback feature (see Setting User

Callback Option, page 7-9).

• Ability to configure user accounts, including passwords, using an external

data source (see About RDBMS Synchronization, page 9-26).

• Ability for external users to authenticate via an enable password (see Setting

TACACS+ Enable Password Options for a User, page 7-35).

• Proxy of authentication requests to other AAA servers (see Proxy in

Distributed Systems, page 4-4).

User Guide for Cisco Secure ACS for Windows Server

1-16

78-16592-01

Chapter 1 Overview

Authorization

AAA Server Functions and Concepts

• Configurable character string stripping from proxied authentication requests

(see Stripping, page 4-6).

• Self-signed server certificates (see Using Self-Signed Certificates,

page 10-47).

• Certificate revocation list checking during EAP-TLS authentication (see

Managing Certificate Revocation Lists, page 10-40).

Authorization determines what a user is allowed to do. Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

The Cisco Secure ACS access restrictions feature enables you to permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 A.M. to 5 P.M.

You can restrict users to a service or combination of services such as PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

78-16592-01

One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.

User Guide for Cisco Secure ACS for Windows Server

1-17

AAA Server Functions and Concepts

Max Sessions

Chapter 1 Overview

This section contains the following topics:

• MaxSessions Issues, page A-16

• Dynamic Usage Quotas, page 1-18

• Shared Profile Components, page 1-19

• Support for Cisco Device-Management Applications, page 1-19

• Other Authorization-Related Features, page 1-21

Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:

• User Max Sessions—For example, an Internet service provider can limit

each account holder to a single session.

• Group Max Sessions—For example, an enterprise administrator can allow

the remote access infrastructure to be shared equally among several departments and limit the maximum number of concurrent sessions for all users in any one department.

In addition to enabling simple User and Group Max Sessions control, Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the group membership of the user. For example, an administrator can allocate a Group Max Sessions value of 50 to the group “Sales” and also limit each member of the “Sales” group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.

For more information about the Max Sessions feature, see Setting Max Sessions

for a User Group, page 6-12 and Setting Max Sessions Options for a User, page 7-16.

Dynamic Usage Quotas

Cisco Secure ACS enables you to define network usage quotas for users. Using quotas, you can limit the network access of each user in a group or of individual users. You define quotas by duration of sessions or the total number of sessions.

User Guide for Cisco Secure ACS for Windows Server

1-18

78-16592-01

Chapter 1 Overview

Quotas can be either absolute or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed.

To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off and the accounting stop packet is received from the AAA client. If the AAA client through which the user is accessing your network fails, the session information is not updated. In the case of multiple sessions, such as with ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the quota allocated to the user.

For more information about usage quotas, see Setting Usage Quotas for a User

Group, page 6-14 and Setting User Usage Quotas Options, page 7-18.

Shared Profile Components

Cisco Secure ACS provides a means for specifying authorization profile components that you can apply to multiple user groups and users. For example, you may have multiple user groups that have identical network access restrictions. Rather than configuring the network access restrictions several times, once per group, you can configure a network access restriction set in the Shared Profile Components section of the HTML interface, and then configure each group to use the network access restriction set you created.

AAA Server Functions and Concepts

For information about the types of shared profile components supported by Cisco Secure ACS, see About Shared Profile Components, page 5-1.

Support for Cisco Device-Management Applications

Cisco Secure ACS supports Cisco device-management applications, such as, by providing command authorization for network users who are using the management application to configure managed network devices. Support for command authorization for management application users is accomplished by using unique command authorization set types for each management application configured to use Cisco Secure ACS for authorization.

Cisco Secure ACS uses TACACS+ to communicate with management applications. For a management application to communicate with Cisco Secure ACS, the management application must be configured in Cisco Secure ACS as a

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

1-19

AAA Server Functions and Concepts

AAA client that uses TACACS+. Also, you must provide the device-management application with a valid administrator name and password. When a management application initially communicates with Cisco Secure ACS, these requirements ensure the validity of the communication. For information about configuring a AAA client, see AAA Client Configuration, page 4-11. For information about administrator accounts, see Administrator Accounts, page 12-1.

Additionally, the administrator used by the management application must have the Create New Device Command Set Type privilege enabled. When a management application initially communicates with Cisco Secure ACS, it dictates to Cisco Secure ACS the creation of a device command set type, which appears in the Shared Profile Components section of the HTML interface. It also dictates a custom service to be authorized by TACACS+. The custom service appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section of the HTML interface. For information about enabling TACACS+ services, see Protocol

Configuration Options for TACACS+, page 3-7. For information about device

command-authorization sets for management applications, see Command

Authorization Sets, page 5-25.

After the management application has dictated the custom TACACS+ service and device command-authorization set type to Cisco Secure ACS, you can configure command-authorization sets for each role supported by the management application and apply those sets to user groups that contain network administrators or to individual users who are network administrators. For information about configuring a command-authorization set, see Adding a

Command Authorization Set, page 5-31. For information about applying a shared

device command-authorization set to a user group, see Configuring

Device-Management Command Authorization for a User Group, page 6-37. For

information about applying a shared device command-authorization set to a user, see Configuring Device-Management Command Authorization for a User,

page 7-30.

Chapter 1 Overview

1-20

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 1 Overview

Other Authorization-Related Features

In addition to the authorization-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Group administration of users, with support for 500 groups (see Chapter 6,

“User Group Management”).

• Ability to map a user from an external user database to a specific

Cisco Secure ACS group (see Chapter 16, “User Group Mapping and

Specification”).

• Ability to disable an account after a number of failed attempts, specified by

the administrator (see Setting Options for User Account Disablement,

page 7-20).

• Ability to disable an account on a specific date (see Setting Options for User

Account Disablement, page 7-20).

• Ability to disable groups of users (see Group Disablement, page 6-4).

• Ability to restrict time-of-day and day-of-week access (see Setting Default

Time-of-Day Access for a User Group, page 6-5).

• Network access restrictions (NARs) based on remote address caller line

identification (CLID) and dialed number identification service (DNIS) (see

Setting Network Access Restrictions for a User Group, page 6-8).

AAA Server Functions and Concepts

78-16592-01

• Downloadable ACLs for users or groups, enabling centralized, modular ACL

management (see Downloadable IP ACLs, page 5-7).

• Network access filters, enabling you to apply different downloadable ACLs

and NARs based upon a user’s point of entry into your network (see Network

Access Filters, page 5-2).

• IP pools for IP address assignment of end-user client hosts (see Setting IP

Address Assignment Method for a User Group, page 6-28).

• Per-user and per-group TACACS+ or RADIUS attributes (see Advanced

Options, page 3-4).

• Support for Voice-over-IP (VoIP), including configurable logging of

accounting data (see Enabling VoIP Support for a User Group, page 6-4).

User Guide for Cisco Secure ACS for Windows Server

1-21

AAA Server Functions and Concepts

Accounting

Chapter 1 Overview

AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. You can also use a third-party reporting tool to manage accounting data. For example, aaa-reports! by Extraxi supports Cisco Secure ACS (http://www.extraxi.com).

Among the types of accounting logs you can generate are the following:

• TACACS+ Accounting—Lists when sessions start and stop; records AAA

client messages with username; provides caller line identification information; records the duration of each session.

• RADIUS Accounting—Lists when sessions stop and start; records AAA

client messages with username; provides caller line identification information; records the duration of each session.

• Administrative Accounting—Lists commands entered on a network device

with TACACS+ command authorization enabled.

For more information about Cisco Secure ACS logging capabilities, see

Chapter 11, “Logs and Reports”.

Other Accounting-Related Features

In addition to the accounting-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Centralized logging, allowing several Cisco Secure ACS for Windows Server

installations to forward their accounting data to a remote Cisco Secure ACS (see Remote Logging, page 11-26).

• Configurable supplementary user ID fields for capturing additional

information in logs (see User Data Configuration Options, page 3-3).

• Configurable logs, allowing you to capture as much information as needed

(see Accounting Logs, page 11-6).

User Guide for Cisco Secure ACS for Windows Server

1-22

78-16592-01

Chapter 1 Overview

Administration

To configure, maintain, and protect its AAA functionality, Cisco Secure ACS provides a flexible administration scheme. You can perform nearly all administration of Cisco Secure ACS through its HTML interface. For more information about the HTML interface, including steps for accessing the HTML interface, see Cisco Secure ACS HTML Interface, page 1-25.

This section contains the following topics:

• HTTP Port Allocation for Administrative Sessions, page 1-23

• Network Device Groups, page 1-24

• Other Administration-Related Features, page 1-24

HTTP Port Allocation for Administrative Sessions

The HTTP port allocation feature allows you to configure the range of TCP ports used by Cisco Secure ACS for administrative HTTP sessions. Narrowing this range with the HTTP port allocation feature reduces the risk of unauthorized access to your network by a port open for administrative sessions.

AAA Server Functions and Concepts

78-16592-01

We do not recommend that you administer Cisco Secure ACS through a firewall. Doing so requires that you configure the firewall to permit HTTP traffic over the range of HTTP administrative session ports that Cisco Secure ACS uses. While narrowing this range reduces the risk of unauthorized access, a greater risk of attack remains if you allow administration of Cisco Secure ACS from outside a firewall. A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a web browser must address to initiate an administrative session.

Note A broad HTTP port range could create a security risk. To prevent accidental

discovery of an active administrative port by unauthorized users, keep the HTTP port range as narrow as possible. Cisco Secure ACS tracks the IP address associated with each administrative session. An unauthorized user would have to impersonate, or “spoof”, the IP address of the legitimate remote host to make use of the active administrative session HTTP port.

User Guide for Cisco Secure ACS for Windows Server

1-23

AAA Server Functions and Concepts

For information about configuring the HTTP port allocation feature, see Access

Policy, page 12-11.

Network Device Groups

With a network device group (NDG), you can view and administer a collection of AAA clients and AAA servers as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS—discrete devices such as an individual router, access server, AAA server, or PIX Firewall, and NDGs, which are named collections of AAA clients and AAA servers.

A network device can belong to only one NDG at a time.

Using NDGs enables an organization with a large number of AAA clients spread across a large geographical area to logically organize its environment within Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if the AAA clients in each region were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.

Chapter 1 Overview

You can assign a group of users to an NDG. For more information on NDGs, see

Network Device Group Configuration, page 4-28.

Other Administration-Related Features

In addition to the administration-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Ability to define different privileges per administrator (see Administrator

Accounts, page 12-1).

• Ability to log administrator activities (see Cisco Secure ACS System Logs,

page 11-13).

• Ability to view a list of logged-in users (see Dynamic Administration

Reports, page 11-9).

User Guide for Cisco Secure ACS for Windows Server

1-24

78-16592-01

Chapter 1 Overview

• CSMonitor service, providing monitoring, notification, logging, and limited

automated failure response (see Cisco Secure ACS Active Service

Management, page 8-17).

• Ability to automate configuration of users, groups, network devices, and

custom RADIUS VSAs (see RDBMS Synchronization, page 9-25).

• Replication of CiscoSecure user database components to other Cisco Secure

ACSes (see CiscoSecure Database Replication, page 9-1).

• Scheduled and on-demand Cisco Secure ACS system backups (see

Cisco Secure ACS Backup, page 8-9).

• Ability to restore Cisco Secure ACS configuration, user accounts, and group

profiles from a backup file (see Cisco Secure ACS System Restore,

page 8-14).

Posture Validation

Cisco Secure ACS supports Network Admission Control (NAC) by providing posture validation services to NAC-compliant AAA clients and the NAC-client computers seeking network access using those AAA clients. NAC provides a powerful means to defend your network. The data with which you can configure Cisco Secure ACS to evaluate posture validation requests can include operating system patch level and anti-virus DAT file versions and dates.

Cisco Secure ACS HTML Interface

Instead of establishing identity, posture validation determines the state of the NAC-client computer using data sent to Cisco Secure ACS by the NAC client. Cisco Secure ACS uses the result of evaluating the state of the computer to determine whether network access is to be granted from the computer and to determine the degree of that access.

For more information, see Chapter 14, “Network Admission Control”.

Cisco Secure ACS HTML Interface

This section discusses the Cisco Secure ACS HTML interface and provides procedures for using it.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

1-25

Cisco Secure ACS HTML Interface

This section contains the following topics:

• About the Cisco Secure ACS HTML Interface, page 1-26

• HTML Interface Layout, page 1-27

• Uniform Resource Locator for the HTML Interface, page 1-29

• Network Environments and Administrative Sessions, page 1-30

• Accessing the HTML Interface, page 1-32

• Logging Off the HTML Interface, page 1-33

• Online Help and Online Documentation, page 1-33

About the Cisco Secure ACS HTML Interface

After installing Cisco Secure ACS, you configure and administer it through the HTML interface. The HTML interface enables you to easily modify Cisco Secure ACS configuration from any connection on your LAN or WAN.

The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java. For a list of supported browsers, see the Release Notes. The most recent revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).

Chapter 1 Overview

The HTML interface not only makes viewing and editing user and group information possible, it also enables you to restart services, add remote administrators, change AAA client information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are logged in, list failed authentication and authorization attempts, and show administrators’ recent tasks.

HTML Interface Security

Accessing the HTML interface requires a valid administrator name and password. The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS.

User Guide for Cisco Secure ACS for Windows Server

1-26

78-16592-01

Chapter 1 Overview

Administrative sessions timeout after a configurable length of idle time. Regardless, we recommend that you log out of the HTML interface after each session. For information about logging out of Cisco Secure ACS, see Logging Off

the HTML Interface, page 1-33. For information about configuring the idle

timeout feature, see Access Policy, page 12-11.

You can enable secure socket layer (SSL) for administrative sessions. This ensures that all communication between the web browser and Cisco Secure ACS is encrypted. Your browser must support SSL. You can enable this feature on the Access Policy Setup page in the Administration Control section. For more information about enabling SSL for HTML interface security, see Access Policy,

page 12-11.

HTML Interface Layout

The HTML interface has three vertical partitions, known as frames:

• Navigation Bar—The gray frame on the left of the browser window, the

navigation bar contains the task buttons. Each button changes the configuration area (see below) to a unique section of the Cisco Secure ACS application, such as the User Setup section or the Interface Configuration section. This frame does not change; it always contains the following buttons:

Cisco Secure ACS HTML Interface

78-16592-01

–

User Setup—Add and edit user profiles. For more information about the User Setup section, see Chapter 7, “User Management”.

–

Group Setup—Configure network services and protocols for groups of users. For more information about the Group Setup section, see

Chapter 6, “User Group Management”.

–

Shared Profile Components—Add and edit network access restriction and command authorization sets, to be applied to users and groups. For more information about the Shared Profile Components section, see

Chapter 5, “Shared Profile Components”.

–

Network Configuration—Add and edit network access devices and configure distributed systems. For more information about the Network Configuration section, see Chapter 4, “Network Configuration”.

–

System Configuration—Configure system-level features. Four chapters address this large section of the HTML interface. For information about fundamental features such as backup scheduling and service controls, see

Chapter 8, “System Configuration: Basic”. For information about

User Guide for Cisco Secure ACS for Windows Server

1-27

Cisco Secure ACS HTML Interface

–

Chapter 1 Overview

advanced features such as database replication, see Chapter 9, “System

Configuration: Advanced”. For information about configuring

authentication protocols and certificate-related features, see Chapter 10,

“System Configuration: Authentication and Certificates”. For

information about configuring logs and reports, see Chapter 11, “Logs

and Reports”.

Interface Configuration—Display or hide product features and options to be configured. For more information about the Interface Configuration section, Chapter 3, “Interface Configuration”.

Administration Control—Define and configure access policies. For more information about the Administration Control section, Chapter 12,

“Administrators and Administrative Policy”.

External User Databases—Configure databases, the Unknown User Policy, and user group mapping. For information about configuring databases, see Chapter 13, “User Databases”. For information about the Unknown User Policy, see Chapter 15, “Unknown User Policy”. For information about user group mapping, see Chapter 16, “User Group

Mapping and Specification”.

Reports and Activity—Display accounting and logging information. For information about viewing reports, see Chapter 11, “Logs and

Reports”.

1-28

–

Online Documentation—View the user guide. For information about using the online documentation, see Online Help and Online

Documentation, page 1-33.

• Configuration Area—The frame in the middle of the browser window, the

configuration area displays web pages that belong to one of the sections represented by the buttons in the navigation bar. The configuration area is where you add, edit, or delete information. For example, you configure user information in this frame on the User Setup Edit page.

Note Most pages have a Submit button at the bottom. Click Submit to

confirm your changes. If you do not click Submit, changes are not saved.

• Display Area—The frame on the right of the browser window, the display

area shows one of the following options:

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 1 Overview

Cisco Secure ACS HTML Interface

–

Online Help—Displays basic help about the page currently shown in the configuration area. This help does not offer in-depth information, rather it gives some basic information about what can be accomplished in the middle frame. For more information about online help, see Using Online

Help, page 1-34.

–

Reports or Lists—Displays lists or reports, including accounting reports. For example, in User Setup you can show all usernames that start with a specific letter. The list of usernames beginning with a specified letter is displayed in this section. The usernames are hyperlinks to the specific user configuration, so clicking the name enables you to edit that user.

–

System Messages—Displays messages after you click Submit if you have typed in incorrect or incomplete data. For example, if the information you entered in the Password box does not match the information in the Confirm Password box in the User Setup section, Cisco Secure ACS displays an error message here. The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly.

Uniform Resource Locator for the HTML Interface

You can access the Cisco Secure ACS HTML interface by using one of the following uniform resource locators (URLs):

• http://IP address:2002

• http://hostname:2002

where IP address is the dotted decimal IP address of the computer running Cisco Secure ACS and hostname is the hostname of the computer running Cisco Secure ACS. If you use the hostname, DNS must be functioning properly on your network or the hostname must be listed in the local hosts file of the computer running the browser.

If Cisco Secure ACS is configured to use SSL to protect administrative sessions, you can also access the HTML interface by specifying the HTTPS protocol in the URLs:

• https://IP address:2002

• https://hostname:2002

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

1-29

Cisco Secure ACS HTML Interface

If SSL is enabled and you do not specify HTTPS, Cisco Secure ACS redirects the initial request to HTTPS for you. Using SSL to access the login page protects administrator credentials. For more information about enabling SSL to protect administrative sessions, see Access Policy, page 12-11.

From the computer running Cisco Secure ACS, you can also use the following URLs:

• http://127.0.0.1:2002

• http://hostname:2002

where hostname is the hostname of the computer running Cisco Secure ACS. If SSL is enabled, you can specify the HTTP protocol in the URLs:

• https://127.0.0.1:2002

• https://hostname:2002

Network Environments and Administrative Sessions

We recommend that administrative sessions take place without the use of an HTTP proxy server, without a firewall between the browser and Cisco Secure ACS, and without a NAT gateway between the browser and Cisco Secure ACS. Because these limitations are not always practical, this section discusses how various network environmental issues affect administrative sessions.

This section contains the following topics:

Chapter 1 Overview

• Administrative Sessions and HTTP Proxy, page 1-30

• Administrative Sessions through Firewalls, page 1-31

• Administrative Sessions through a NAT Gateway, page 1-31

Administrative Sessions and HTTP Proxy

Cisco Secure ACS does not support HTTP proxy for administrative sessions. If the browser used for an administrative session is configured to use a proxy server, Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than from the actual address of the computer. Administrative session tracking assumes each browser resides on a computer with a unique IP.

User Guide for Cisco Secure ACS for Windows Server

1-30

78-16592-01

Chapter 1 Overview

Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the computer. This conflicts with administrative session communication that does use the actual IP address of the computer. For more information about IP filtering of administrative sessions, see Access Policy, page 12-11.

For these reasons, we do not recommend performing administrative sessions using a web browser that is configured to use a proxy server. Administrative sessions using a proxy-enabled web browser is not tested. If your web browser is configured to use a proxy server, disable HTTP proxying when attempting Cisco Secure ACS administrative sessions.

Administrative Sessions through Firewalls

In the case of firewalls that do not perform network address translation (NAT), administrative sessions conducted across the firewall can require additional configuration of Cisco Secure ACS and the firewall. This is because Cisco Secure ACS assigns a random HTTP port at the beginning of an administrative session.

To allow administrative sessions from browsers outside a firewall that protects Cisco Secure ACS, the firewall must permit HTTP traffic across the range of ports that Cisco Secure ACS is configured to use. You can control the HTTP port range using the HTTP port allocation feature. For more information about the HTTP port allocation feature, see HTTP Port Allocation for Administrative Sessions,

page 1-23.

Cisco Secure ACS HTML Interface

While administering Cisco Secure ACS through a firewall that is not performing NAT is possible, we do not recommend that you administer Cisco Secure ACS through a firewall. For more information, see HTTP Port Allocation for

Administrative Sessions, page 1-23.

Administrative Sessions through a NAT Gateway

We do not recommend conducting administrative sessions across a network device performing NAT. If the administrator runs a browser on a computer behind a NAT gateway, Cisco Secure ACS receives the HTTP requests from the public IP address of the NAT device, which conflicts with the computer private IP address, included in the content of the HTTP requests. Cisco Secure ACS does not permit this.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

1-31

Cisco Secure ACS HTML Interface

If Cisco Secure ACS is behind a NAT gateway and the URL used to access the HTML interface specifies Cisco Secure ACS by its hostname, administrative sessions operate correctly, provided that DNS is functioning correctly on your network or that computers used to access the HTML interface have a hosts file entry for Cisco Secure ACS.

If the URL used to access the HTML interface specifies Cisco Secure ACS by its IP address, you could configure the gateway to forward all connections to port 2002 to Cisco Secure ACS, using the same port. Additionally, all the ports allowed using the HTTP port allocation feature would have to be similarly mapped. We have not tested such a configuration and do not recommend implementing it.

Accessing the HTML Interface

Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, Cisco Secure ACS requires a valid administrator name and password for administrative sessions accessed from a browser on the computer running Cisco Secure ACS.

Chapter 1 Overview

1-32

Before You Begin

Determine whether a supported web browser is installed on the computer you want to use to access the HTML interface. If not, install a supported web browser or use a computer that already has a supported web browser installed. For a list of supported browsers, see the Release Notes. The latest revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).

Because the HTML interface uses Java in a few places, the computer running the browser used to access the HTML interface must have a Java Virtual Machine available for the use of the browser.

To access the HTML interface, follow these steps:

Step 1 Open a web browser. For a list of supported web browsers, see the Release Notes

for the version of Cisco Secure ACS you are accessing. The most recent revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 1 Overview

Step 2 In the Address or Location bar in the web browser, type the applicable URL. For

a list of possible URLs, see Uniform Resource Locator for the HTML Interface,

page 1-29.

Step 3 If the Cisco Secure ACS login page appears, follow these steps:

a. In the Username box, type a valid Cisco Secure ACS administrator name.

b. In the Password box, type the password for the administrator name you

specified.

c. Click Login.

The initial page appears, listing build and copyright information.

Logging Off the HTML Interface

When you are finished using the HTML interface, we recommend that you log off. While Cisco Secure ACS can timeout unused administrative sessions, logging off prevents unauthorized access by someone using the browser after you or by unauthorized persons using the HTTP port left open to support the administrative session.

To log off the Cisco Secure ACS HTML interface, click the Logoff button.

Cisco Secure ACS HTML Interface

Note The Logoff button appears in the upper right corner of the browser window, except

on the initial page, where it appears in the upper left of the configuration area.

Online Help and Online Documentation

We provide two sources of information in the HTML interface:

• Online Help—Contains basic information about the page shown in the

configuration area.

• Online Documentation—Contains the entire user guide.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

1-33

Cisco Secure ACS HTML Interface

Using Online Help

Chapter 1 Overview

Online help is the default content in the display area. For every page that appears in the configuration area, there is a corresponding online help page. At the top of each online help page is a list of topics covered by that page.

To jump from the top of the online help page to a particular topic, click the topic name in the list at the top of the page.

There are three icons that appear on many pages in Cisco Secure ACS:

• Question Mark—Many subsections of the pages in the configuration area

contain an icon with a question mark. To jump to the applicable topic in an online help page, click the question mark icon.

• Section Information—Many online help pages contain a Section

Information icon at the bottom of the page. To view an applicable section of the online documentation, click the Section Information icon.

• Back to Help—Wherever you find a online help page with a Section

Information icon, the corresponding page in the configuration area contains a Back to Help icon. If you have accessed the online documentation by clicking a Section Information icon and want to view the online help page again, click the Back to Help icon.

Using the Online Documentation

Online documentation is the user guide for Cisco Secure ACS. The user guide provides information about the configuration, operation, and concepts of Cisco Secure ACS. The information presented in the online documentation is as current as the release date of the Cisco Secure ACS version you are using. For the most up-to-date documentation about Cisco Secure ACS, please go to

http://www.cisco.com

Tip Click Section Information on any online help page to view online documentation

relevant to the section of the HTML interface you are using.

User Guide for Cisco Secure ACS for Windows Server

1-34

78-16592-01

Chapter 1 Overview

Step 1 In the Cisco Secure ACS HTML interface, click Online Documentation.

Step 2 If you want to select a topic from the table of contents, scroll through the table of

Step 3 If you want to select a topic from the index, follow these steps:

Cisco Secure ACS HTML Interface

To access online documentation, follow these steps:

Tip To open the online documentation in a new browser window, right-click

Online Documentation, and then click Open Link in New Window (for Microsoft Internet Explorer) or Open in New Window (for Netscape Navigator).

The table of contents opens in the configuration area.

contents and click the applicable topic.

The online documentation for the topic selected appears in the display area.

a. Click [Index].

The index appears in the display area.

b. Scroll through the index to find an entry for the topic you are researching.

78-16592-01

Tip Use the lettered shortcut links to jump to a particular section of the index.

Entries appear with numbered links after them. The numbered links lead to separate instances of the entry topic.

c. Click an instance number for the desired topic.

The online documentation for the topic selected appears in the display area.

Step 4 If you want to print the online documentation, click in the display area, and then

click Print in the navigation bar of your browser.

User Guide for Cisco Secure ACS for Windows Server

1-35

Cisco Secure ACS HTML Interface

Chapter 1 Overview

1-36

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

CHAPTER

Deployment Considerations

Deployment of Cisco Secure ACS for Windows Server can be complex and iterative, depending on the specific implementation required. This chapter provides insight into the deployment process and presents a collection of factors that you should consider before deploying Cisco Secure ACS.

The complexity of deploying Cisco Secure ACS reflects the evolution of AAA servers in general, and the advanced capabilities, flexibility, and features of Cisco Secure ACS in particular. AAA was conceived originally to provide a centralized point of control for user access via dial-up services. As user databases grew and the locations of AAA clients became more dispersed, more capability was required of the AAA server. Regional, and then global, requirements became common. Today, Cisco Secure ACS is required to provide AAA services for dial-up access, dial-out access, wireless, VLAN access, firewalls, VPN concentrators, administrative controls, and more. The list of external databases supported has also continued to grow and the use of multiple databases, as well as multiple Cisco Secure ACSes, has become more common. Regardless of the scope of your Cisco Secure ACS deployment, the information contained in this chapter should prove valuable. If you have deployment questions that are not addressed in this guide, contact your Cisco technical representative for assistance.

This chapter contains the following topics:

78-16592-01

• Basic Deployment Requirements for Cisco Secure ACS, page 2-2

• Basic Deployment Factors for Cisco Secure ACS, page 2-6

• Suggested Deployment Sequence, page 2-19

User Guide for Cisco Secure ACS for Windows Server

2-1

Chapter 2 Deployment Considerations

Basic Deployment Requirements for Cisco Secure ACS

This section details the minimum requirements you must meet to successfully deploy Cisco Secure ACS.

This section contains the following topics:

• System Requirements, page 2-2

–

Hardware Requirements, page 2-2

–

Operating System Requirements, page 2-2

–

Third-Party Software Requirements, page 2-3

• Network and Port Requirements, page 2-4

System Requirements

The computer running Cisco Secure ACS must meet the minimum hardware and software requirements detailed in the following sections.

Hardware Requirements

The computer running Cisco Secure ACS must meet the following minimum hardware requirements:

• Pentium III processor, 550 MHz or faster.

• 256 MB of RAM.

• At least 250 MB of free disk space. If you are running your database on the

same computer, more disk space is required.

• Minimum graphics resolution of 256 colors at 800 x 600 lines.

Operating System Requirements

Cisco Secure ACS for Windows Servers 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.

User Guide for Cisco Secure ACS for Windows Server

2-2

78-16592-01

Chapter 2 Deployment Considerations

• Windows 2000 Server, with Service Pack 4 installed

• Windows 2000 Advanced Server, with the following conditions:

–

with Service Pack 4 installed

–

without Microsoft clustering service installed

–

without other features specific to Windows 2000 Advanced Server enabled

Note We have not tested and cannot support the multi-processor feature of

Windows 2000 Advanced Server. Windows 2000 Datacenter Server is not a supported operating system.

• Windows Server 2003, Enterprise Edition

• Windows Server 2003, Standard Edition

Windows service packs can be applied before or after installing Cisco Secure ACS. If you do not install a required service pack before installing Cisco Secure ACS, the Cisco Secure ACS installation program may warn you that the required service pack is not present. If you receive a service pack message, continue the installation, and then install the required service pack before starting user authentication with Cisco Secure ACS.

Basic Deployment Requirements for Cisco Secure ACS

For the most recent information about tested operating systems and service packs, see the Release Notes. The current version of the Release Notes are on Cisco.com, accessible from the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/ index.htm

Third-Party Software Requirements

The Release Notes provide information about third-party software products that we tested with Cisco Secure ACS and that we support, including applications such as:

• Web browsers and Java virtual machines

• Novell NDS clients

• Token-card clients

78-16592-01

User Guide for Cisco Secure ACS for Windows Server

2-3

Basic Deployment Requirements for Cisco Secure ACS

Other than the software products described in the Release Notes, we have not tested the interoperability of Cisco Secure ACS and other software products on the same computer. We only support interoperability issues of software products that are mentioned in the Release Notes. The most recent version of the Release Notes are posted on Cisco.com, accessible from the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/ index.htm

Network and Port Requirements

Your network should meet the following requirements before you begin deploying Cisco Secure ACS.

• For full TACACS+ and RADIUS support on Cisco IOS devices, AAA clients

must run Cisco IOS Release 11.2 or later.

• Non-Cisco IOS AAA clients must be configured with TACACS+ and/or

RADIUS.

• Dialin, VPN, or wireless clients must be able to connect to the applicable

AAA clients.

Chapter 2 Deployment Considerations

2-4

• The computer running Cisco Secure ACS must be able to ping all AAA

clients.

• Gateway devices between Cisco Secure ACS and other network devices must

permit communication over the ports needed to support the applicable feature or protocol. For information about ports that Cisco Secure ACS listens to, see

Table 2-1.

• A supported web browser must be installed on the computer running

Cisco Secure ACS. For the most recent information about tested browsers, see the Release Notes. The most recent version of the Release Notes are posted on Cisco.com, accessible from the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/ index.htm

• All network cards in the computer running Cisco Secure ACS must be

enabled. If there is a disabled network card on the computer running Cisco Secure ACS, installing Cisco Secure ACS may proceed slowly due to delays caused by Microsoft CryptoAPI.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 2 Deployment Considerations

Note We tested Cisco Secure ACS on computers that have only one

• If you want to have Cisco Secure ACS use the “Grant Dial-in Permission to

User” feature in Windows when authorizing network users, this option must be selected in the Windows User Manager or Active Directory Users and Computers for the applicable user accounts.

Table 2-1 lists the ports that Cisco Secure ACS listens to for communications with

AAA clients, other Cisco Secure ACSes and applications, and web browsers. Cisco Secure ACS uses other ports to communicate with external user databases; however, it initiates those communications rather than listening to specific ports. In some cases, these ports are configurable, such as with LDAP and RADIUS token server databases. For more information about ports that a particular external user database listens to, see the documentation for that database.

Table 2-1 Ports that Cisco Secure ACS Listens To

Feature/Protocol UDP or TCP? Ports

RADIUS authentication and authorization UDP 1645, 1812

RADIUS accounting UDP 1646, 1813

TACACS+ TCP 49

CiscoSecure Database Replication TCP 2000

RDBMS Synchronization with synchronization partners

User-Changeable Password web application TCP 2000

Logging TCP 2001

Administrative HTTP port for new sessions TCP 2002

Administrative HTTP port range TCP Configurable;

Basic Deployment Requirements for Cisco Secure ACS

network interface card.

TCP 2000

default 1024 through 65535

78-16592-01

User Guide for Cisco Secure ACS for Windows Server

2-5

Chapter 2 Deployment Considerations

Basic Deployment Factors for Cisco Secure ACS

Generally, the ease in deploying Cisco Secure ACS is directly related to the complexity of the implementation planned and the degree to which you have defined your policies and requirements. This section presents some basic factors you should consider before you begin implementing Cisco Secure ACS.

This section contains the following topics:

• Network Topology, page 2-6

• Remote Access Policy, page 2-14

• Security Policy, page 2-15

• Administrative Access Policy, page 2-15

• Database, page 2-18

• Network Latency and Reliability, page 2-19

Network Topology

Dial-Up Topology

User Guide for Cisco Secure ACS for Windows Server

2-6

How your enterprise network is configured is likely to be the most important factor in deploying Cisco Secure ACS. While an exhaustive treatment of this topic is beyond the scope of this guide, this section details how the growth of network topology options has made Cisco Secure ACS deployment decisions more complex.

When AAA was created, network access was restricted to either devices directly connected to the LAN or remote devices gaining access via modem. Today, enterprise networks can be complex and, because of tunneling technologies, can be widely geographically dispersed.

In the traditional model of dial-up access (a PPP connection), a user employing a modem or ISDN connection is granted access to an intranet via a network access server (NAS) functioning as a AAA client. Users may be able to connect via only a single AAA client as in a small business, or have the option of numerous geographically dispersed AAA clients.

78-16592-01

Chapter 2 Deployment Considerations

In the small LAN environment, see Figure 2-1, network architects typically place a single Cisco Secure ACS internal to the AAA client, protected from outside access by a firewall and the AAA client. In this environment, the user database is usually small, there are few devices that require access to the Cisco Secure ACS for AAA, and any database replication is limited to a secondary Cisco Secure ACS as a backup.

Figure 2-1 Small Dial-up Network

Server-based

dial access

PSTN

Modem

Cisco Secure

Access Control

Server

Basic Deployment Factors for Cisco Secure ACS

Network

63486

78-16592-01

In a larger dial-in environment, a single Cisco Secure ACS with a backup may be suitable, too. The suitability of this configuration depends on network and server access latency. Figure 2-2 shows an example of a large dial-in arrangement. In this scenario the addition of a backup Cisco Secure ACS is a recommended addition.

User Guide for Cisco Secure ACS for Windows Server

2-7

Basic Deployment Factors for Cisco Secure ACS

Figure 2-2 Large Dial-up Network

Cisco AS5300's

Chapter 2 Deployment Considerations

Cisco AS5300

UNIX server

Novell server

Windows NT server

2-8

Cisco Secure

Access Control

Server

In a very large, geographically dispersed network (Figure 2-3), there may be access servers located in different parts of a city, in different cities, or on different continents. If network latency is not an issue, a central Cisco Secure ACS may work but connection reliability over long distances may cause problems. In this case, local Cisco Secure ACSes may be preferable to a central Cisco Secure ACS. If the need for a globally coherent user database is most important, database replication or synchronization from a central Cisco Secure ACS may be necessary. Authentication using external databases, such as a Windows user database or the Lightweight Directory Access Protocol (LDAP), can further complicate the deployment of distributed, localized Cisco Secure ACSes. While Cisco Secure ACS uses encryption for all replication and database synchronization traffic, additional security measures may be required to protect the network and user information that Cisco Secure ACS sends across the WAN.

User Guide for Cisco Secure ACS for Windows Server

Macintosh server

63487

78-16592-01

Chapter 2 Deployment Considerations

Figure 2-3 Geographically Dispersed Network

Cisco Secure

Access Control

Server

Cisco Secure

Access Control

Server

Access Control

Basic Deployment Factors for Cisco Secure ACS

Cisco Secure

Server

63488

Wireless Network

78-16592-01

The wireless network access point is a relatively new client for AAA services. The wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN. Authentication is absolutely necessary due to the ease of access to the AP. Encryption is also necessary because of the ease of eavesdropping on communications. As such, security plays an even bigger role than in the dial-up scenario and is discussed in more detail later in this section.

Scaling can be a serious issue in the wireless network. The mobility factor of the wireless LAN (WLAN) requires considerations similar to those given to the dial-up network. Unlike the wired LAN, however, the WLAN can be more readily expanded. Though WLAN technology does have physical limits as to the number of users that can be connected via an AP, the number of APs can grow quickly. As with the dial-up network, you can structure your WLAN to allow full access for all users, or to provide restricted access to different subnets between sites, buildings, floors, or rooms. This raises a unique issue with the WLAN: the ability of a user to “roam” between APs.

User Guide for Cisco Secure ACS for Windows Server

2-9

Basic Deployment Factors for Cisco Secure ACS

In the simple WLAN, there may be a single AP installed (Figure 2-4). Because there is only one AP, the primary issue is security. In this environment, there is generally a small user base and few network devices to worry about. Providing AAA services to the other devices on the network does not cause any significant additional load on the Cisco Secure ACS.

Figure 2-4 Simple WLAN

Cisco Aironet AP

Cisco Secure

Access Control Server

Chapter 2 Deployment Considerations

Network

63489

2-10

In the LAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy Cisco Secure ACS become a little more involved. Though Figure 2-5 shows all APs on the same LAN, they may be distributed throughout the LAN, connected via routers, switches, and so on. In the larger, geographical distribution of WLANs, deployment of Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs (Figure 2-3).

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 2 Deployment Considerations

Figure 2-5 Campus WLAN

Cisco Aironet APs

Basic Deployment Factors for Cisco Secure ACS

Dial-up connection

Cisco Secure

Access Control

Server

UNIX server

Novell server

Windows NT server

Macintosh server

78-16592-01

63490

This is particularly true when the regional topology is the campus WLAN. This model starts to change when you deploy WLANs in many small sites that more resemble the simple WLAN shown in Figure 2-4. This model may apply to a chain of small stores distributed throughout a city or state, nationally, or globally (Figure 2-6).

User Guide for Cisco Secure ACS for Windows Server

2-11

Basic Deployment Factors for Cisco Secure ACS

Figure 2-6 Large Deployment of Small Sites

Chapter 2 Deployment Considerations

63491

For the model in Figure 2-6, the location of Cisco Secure ACS depends on whether all users need access on any AP, or whether users require only regional or local network access. Along with database type, these factors control whether local or regional Cisco Secure ACSes are required, and how database continuity is maintained. In this very large deployment model, security becomes a more complicated issue, too.

Remote Access using VPN

Virtual Private Networks (VPNs) use advanced encryption and tunneling to permit organizations to establish secure, end-to-end, private network connections over third-party networks, such as the Internet or extranets (Figure 2-7). The benefits of a VPN include the following:

• Cost Savings—By leveraging third-party networks with VPN, organizations

no longer have to use expensive leased or frame relay lines and can connect remote users to their corporate networks via a local Internet service provider (ISP) instead of using expensive toll-free or long-distance calls to resource-consuming modem banks.

User Guide for Cisco Secure ACS for Windows Server

2-12

78-16592-01

Chapter 2 Deployment Considerations

• Security—VPNs provide the highest level of security using advanced

encryption and authentication protocols that protect data from unauthorized access.

• Scalability—VPNs allow corporations to use remote access infrastructure

within ISPs; therefore, corporations can add a large amount of capacity without adding significant infrastructure.

• Compatibility with Broadband Technology—VPNs allow mobile workers

and telecommuters to take advantage of high-speed, broadband connectivity, such as DSL and cable, when gaining access to their corporate networks, providing workers significant flexibility and efficiency.

Figure 2-7 Simple VPN Configuration

Network WAN

Basic Deployment Factors for Cisco Secure ACS

VPN concentrator

78-16592-01

Tunnel

Cisco Secure

Access Control Server

63492

There are two types of VPN access into a network:

• Site-to-Site VPNs—Extend the classic WAN by providing large-scale

encryption between multiple fixed sites such as remote offices and central offices, over a public network, such as the Internet.

• Remote Access VPNs—Permit secure, encrypted connections between

mobile or remote users and their corporate networks via a third-party network, such as an ISP, via VPN client software.

Generally speaking, site-to-site VPNs can be viewed as a typical WAN connection and are not usually configured to use AAA to secure the initial connection and are likely to use the device-oriented IPSec tunneling protocol. Remote access VPNs, however, are similar to classic remote connection technology (modem/ISDN) and lend themselves to using the AAA model very effectively (Figure 2-8).

User Guide for Cisco Secure ACS for Windows Server

2-13

Basic Deployment Factors for Cisco Secure ACS

Figure 2-8 Enterprise VPN Solution

Tunnel

Chapter 2 Deployment Considerations

Home office

ISP

Tunnel

Mobile worker

For more information about implementing VPN solutions, see the reference guide

A Primer for Implementing a Cisco Virtual Private Network.

Remote Access Policy

Remote access is a broad concept. In general, it defines how the user can connect to the LAN, or from the LAN to outside resources (that is, the Internet). There are several ways this may occur. The methods include dial-in, ISDN, wireless bridges, and secure Internet connections. Each method incurs its own advantages and disadvantages, and provides a unique challenge to providing AAA services. This closely ties remote access policies to the enterprise network topology. In addition to the method of access, other decisions can also affect how Cisco Secure ACS is deployed; these include specific network routing (access lists), time-of-day access, individual restrictions on AAA client access, access control lists (ACLs), and so on.

Remote access policies can be implemented for employees who telecommute or for mobile users who dial in over ISDN or public switched telephone network (PSTN). Such policies are enforced at the corporate campus with Cisco Secure ACS and the AAA client. Inside the enterprise network, remote access policies can control wireless access by individual employees.

Internet

VPN concentrator

Cisco Secure

Access Control

Server

63493

2-14

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 2 Deployment Considerations

Cisco Secure ACS remote access policies provides control by using central authentication and authorization of remote users. The CiscoSecure user database maintains all user IDs, passwords, and privileges. Cisco Secure ACS access policies can be downloaded in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, or by allowing access during specific periods, or on specific access servers.

Remote access policies are part of overall corporate security policy.

Security Policy

We recommend that every organization that maintains a network develop a security policy for the organization. The sophistication, nature, and scope of your security policy directly affect how you deploy Cisco Secure ACS.

For more information about developing and maintaining a comprehensive security policy, refer to the following documents:

• Network Security Policy: Best Practices White Paper

• Delivering End-to-End Security in Policy-Based Networks

Basic Deployment Factors for Cisco Secure ACS

• Cisco IOS Security Configuration Guide

Administrative Access Policy

Managing a network is a matter of scale. Providing a policy for administrative access to network devices depends directly on the size of the network and the number of administrators required to maintain the network. Local authentication on a network device can be performed, but it is not scalable. The use of network management tools can help in large networks, but if local authentication is used on each network device, the policy usually consists of a single login on the network device. This does not promote adequate network device security. Using Cisco Secure ACS allows a centralized administrator database, and administrators can be added or deleted at one location. TACACS+ is the recommended AAA protocol for controlling AAA client administrative access because of its ability to provide per-command control (command authorization) of AAA client administrator access to the device. RADIUS is not well suited for this purpose because of the one-time transfer of authorization information at time of initial authentication.

78-16592-01

User Guide for Cisco Secure ACS for Windows Server

2-15

Basic Deployment Factors for Cisco Secure ACS

The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, Cisco Secure ACS can be used with command authorization per network device to restrict network administrators as necessary. Using local authentication restricts the administrative access policy to no login on a device or using privilege levels to control access. Controlling access by means of privilege levels is cumbersome and not very scalable. This requires that the privilege levels of specific commands are altered on the AAA client device and specific privilege levels are defined for the user login. It is also very easy to create more problems by editing command privilege levels. Using command authorization on Cisco Secure ACS does not require that you alter the privilege level of controlled commands. The AAA client sends the command to Cisco Secure ACS to be parsed and Cisco Secure ACS determines whether the administrator has permission to use the command. The use of AAA allows authentication on any AAA client to any user on Cisco Secure ACS and limits access to these devices on a per-AAA client basis.

A small network with a small number of network devices may require only one or two individuals to administer it. Local authentication on the device is usually sufficient. If you require more granular control than that which authentication can provide, some means of authorization is necessary. As discussed earlier, controlling access using privilege levels can be cumbersome. Cisco Secure ACS reduces this problem.

Chapter 2 Deployment Considerations

2-16

In large enterprise networks, with many devices to administer, the use of Cisco Secure ACS becomes a practical necessity. Because administration of many devices requires a larger number of network administrators, with varying levels of access, the use of local control is simply not a viable way of keeping track of network device configuration changes required when changing administrators or devices. The use of network management tools, such as CiscoWorks 2000, helps to ease this burden, but maintaining security is still an issue. Because Cisco Secure ACS can comfortably handle up to 100,000 users, the number of network administrators that Cisco Secure ACS supports is rarely an issue. If there is a large remote access population using RADIUS for AAA support, the corporate IT team should consider separate TACACS+ authentication using Cisco Secure ACS for the administrative team. This would isolate the general user population from the administrative team and reduce the likelihood of inadvertent access to network devices. If this is not a suitable solution, using TACACS+ for administrative (shell/exec) logins, and RADIUS for remote network access, provides sufficient security for the network devices.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 2 Deployment Considerations

Separation of Administrative and General Users

It is important to keep the general network user from accessing network devices. Even though the general user may not intend to gain unauthorized access, inadvertent access could accidentally disrupt network access. AAA and Cisco Secure ACS provide the means to separate the general user from the administrative user.

The easiest, and recommended, method to perform such separation is to use RADIUS for the general remote access user and TACACS+ for the administrative user. An issue that arises is that an administrator may also require remote network access, like the general user. If you use Cisco Secure ACS this poses no problem. The administrator can have both RADIUS and TACACS+ configurations in Cisco Secure ACS. Using authorization, RADIUS users can have PPP (or other network access protocols) set as the permitted protocol. Under TACACS+, only the administrator would be configured to allow shell (exec) access.

For example, if the administrator is dialing in to the network as a general user, a AAA client would use RADIUS as the authenticating and authorizing protocol and the PPP protocol would be authorized. In turn, if the same administrator remotely connects to a AAA client to make configuration changes, the AAA client would use the TACACS+ protocol for authentication and authorization. Because this administrator is configured on Cisco Secure ACS with permission for shell under TACACS+, he would be authorized to log in to that device. This does require that the AAA client have two separate configurations on Cisco Secure ACS, one for RADIUS and one for TACACS+. An example of a AAA client configuration under IOS that effectively separates PPP and shell logins follows:

aaa new-model tacacs-server host tacacs-server key secret-key radius-server host ip-address radius-server key secret-key aaa authentication ppp default group radius aaa authentication login default group tacacs+ local aaa authentication login console none aaa authorization network default group radius aaa authorization exec default group tacacs+ none aaa authorization command 15 default group tacacs+ none username line con 0 login authentication console

user password password

ip-address

Basic Deployment Factors for Cisco Secure ACS

78-16592-01

User Guide for Cisco Secure ACS for Windows Server

2-17

Basic Deployment Factors for Cisco Secure ACS

Conversely, if a general user attempts to use his or her remote access to log in to a network device, Cisco Secure ACS checks and approves the username and password, but the authorization process would fail because that user would not have credentials that allow shell or exec access to the device.

Database

Aside from topological considerations, the user database is one of the most influential factors involved in making deployment decisions for Cisco Secure ACS. The size of the user base, distribution of users throughout the network, access requirements, and type of user database contribute to how Cisco Secure ACS is deployed.

Number of Users

Cisco Secure ACS is designed for the enterprise environment, comfortably handling 100,000 users. This is usually more than adequate for a corporation. In an environment that exceeds these numbers, the user base would typically be geographically dispersed, which lends itself to the use of more than one Cisco Secure ACS configuration. A WAN failure could render a local network inaccessible because of the loss of the authentication server. In addition to this issue, reducing the number of users that a single Cisco Secure ACS handles improves performance by lowering the number of logins occurring at any given time and by reducing the load on the database itself.

Chapter 2 Deployment Considerations

Type of Database

User Guide for Cisco Secure ACS for Windows Server

2-18

Cisco Secure ACS supports several database options, including the CiscoSecure user database or using remote authentication with any of the external databases supported. For more information about database options, types, and features, see

Authentication and User Databases, page 1-10, Chapter 13, “User Databases”, or Chapter 16, “User Group Mapping and Specification”. Each database option has

its own advantages and limitations in scalability and performance.

78-16592-01

Chapter 2 Deployment Considerations

Network Latency and Reliability

Network latency and reliability are also important factors in how you deploy Cisco Secure ACS. Delays in authentication can result in timeouts at the end-user client or the AAA client.

The general rule for large, extended networks, such as a globally dispersed corporation, is to have at least one Cisco Secure ACS deployed in each region. This may not be adequate without a reliable, high-speed connection between sites. Many corporations use secure VPN connections between sites so that the Internet provides the link. This saves time and money but it does not provide the speed and reliability that a dedicated frame relay or T1 link provides. If reliable authentication service is critical to business functionality, such as retail outlets with cash registers that are linked by a WLAN, the loss of WAN connection to a remote Cisco Secure ACS could be catastrophic.

The same issue can be applied to an external database used by Cisco Secure ACS. The database should be deployed close enough to Cisco Secure ACS to ensure reliable and timely access. Using a local Cisco Secure ACS with a remote database can result in the same problems as using a remote Cisco Secure ACS. Another possible problem in this scenario is that a user may experience timeout problems. The AAA client would be able to contact Cisco Secure ACS, but Cisco Secure ACS would wait for a reply that might be delayed or never arrive from the external user database. If the Cisco Secure ACS were remote, the AAA client would time out and try an alternative method to authenticate the user, but in the latter case, it is likely the end-user client would time out first.

Suggested Deployment Sequence

While there is no single process for all Cisco Secure ACS deployments, you should consider following the sequence, keyed to the high-level functions represented in the navigation toolbar. Also bear in mind that many of these deployment activities are iterative in nature; you may find that you repeatedly return to such tasks as interface configuration as your deployment proceeds.

• Configure Administrators—You should configure at least one administrator

at the outset of deployment; otherwise, there is no remote administrative access and all configuration activity must be done from the server. You should also have a detailed plan for establishing and maintaining an administrative policy.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

2-19

Suggested Deployment Sequence

For more information about setting up administrators, see Chapter 1,

“Overview”.

• Configure the Cisco Secure ACS HTML Interface—You can configure the

Cisco Secure ACS HTML interface to show only those features and controls that you intend to use. This makes using Cisco Secure ACS less difficult than it would be if you had to contend with multiple parts of the HTML interface that you do not plan to use. The price of this convenience can sometimes be frustration that features and controls do not appear because you failed to configure them in the Interface Configuration section. For guidance on configuring the HTML interface, see Interface Design Concepts, page 3-2.

For information about configuring particular aspects of the HTML interface, see the following sections of the interface configuration chapter:

• Configure System—There are more than a dozen functions within the

System Configuration section to be considered, from setting the format for the display of dates and password validation to configuring settings for database replication and RDBMS synchronization. These functions are detailed in Chapter 8, “System Configuration: Basic”. Of particular note during initial system configuration is setting up the logs and reports to be generated by Cisco Secure ACS; for more information, see Chapter 1,

“Overview”.

Chapter 2 Deployment Considerations

–

User Data Configuration Options, page 3-3

–

Advanced Options, page 3-4

–

Protocol Configuration Options for TACACS+, page 3-7

–

Protocol Configuration Options for RADIUS, page 3-11

2-20

• Configure Network—You control distributed and proxied AAA functions in

the Network Configuration section of the HTML interface. From here, you establish the identity, location, and grouping of AAA clients and servers, and determine what authentication protocols each is to use. For more information, see Chapter 4, “Network Configuration”.

• Configure External User Database—During this phase of deployment you

must decide whether and how you intend to implement an external database to establish and maintain user authentication accounts. Typically, this decision is made according to your existing network administration mechanisms. For information about the types of databases Cisco Secure ACS supports and instructions for establishing them, see Chapter 13, “User

Databases”.

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 2 Deployment Considerations

Along with the decision to implement an external user database (or databases), you should have detailed plans that specify your requirements for Cisco Secure ACS database replication, backup, and synchronization. These aspects of configuring CiscoSecure user database management are detailed in

Chapter 8, “System Configuration: Basic”.

• Configure Shared Profile Components—With most aspects of network

configuration already established and before configuring user groups, you should configure your Shared Profile Components. When you set up and name the network access restrictions and command authorization sets you intend to employ, you lay out an efficient basis for specifying user group and single user access privileges. For more information about Shared Profile Components, see Chapter 5, “Shared Profile Components”.

• Configure Groups—Having previously configured any external user

databases you intend to employ, and before configuring your user groups, you should decide how to implement two other Cisco Secure ACS features related to external user databases: unknown user processing and database group mapping. For more information, see About Unknown User Authentication,

page 15-4 and Chapter 16, “User Group Mapping and Specification”. Then,

you can configure your user groups with a complete plan of how Cisco Secure ACS is to implement authorization and authentication. For more information, see Chapter 6, “User Group Management”.

Suggested Deployment Sequence

78-16592-01

• Configure Users—With groups established, you can establish user accounts.

Remember that a particular user can belong to only one user group, and that settings made at the user level override settings made at the group level. For more information, see Chapter 7, “User Management”.

• Configure Reports—Using the Reports and Activities section of the

Cisco Secure ACS HTML interface, you can specify the nature and scope of logging that Cisco Secure ACS performs. For more information, see

Chapter 1, “Overview”.

User Guide for Cisco Secure ACS for Windows Server

2-21

Suggested Deployment Sequence

Chapter 2 Deployment Considerations

2-22

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

CHAPTER

Interface Configuration

Ease of use is the overriding design principle of the HTML interface in the Cisco Secure ACS for Windows Server. Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator. The Interface Configuration section of Cisco Secure ACS enables you to configure the Cisco Secure ACS HTML interface—you can tailor the interface to simplify the screens you will use by hiding the features that you do not use and by adding fields for your specific configuration.

Note We recommend that you return to this section to review and confirm your initial

settings. While it is logical to begin your Cisco Secure ACS configuration efforts with configuring the interface, sometimes a section of the HTML interface that you initially believed should be hidden from view may later require configuration from within this section.

78-16592-01

Tip If a section of the Cisco Secure ACS HTML interface appears to be “missing” or

“broken”, return to the Interface Configuration section and confirm that the particular section has been activated.

This chapter contains the following topics:

• Interface Design Concepts, page 3-2

• User Data Configuration Options, page 3-3

• Advanced Options, page 3-4

User Guide for Cisco Secure ACS for Windows Server

3-1

Interface Design Concepts

• Protocol Configuration Options for TACACS+, page 3-7

• Protocol Configuration Options for RADIUS, page 3-11

Interface Design Concepts

Before you begin to configure the Cisco Secure ACS HTML interface for your particular configuration, you should understand a few basic precepts of the system operation. The information in the following sections is necessary for effective interface configuration.

User-to-Group Relationship

A user can belong to only one group at a time. As long as there are no conflicting attributes, users inherit group settings.

Note If a user profile has an attribute configured differently from the same attribute in

the group profile, the user setting always overrides the group setting.

Chapter 3 Interface Configuration

If a user has a unique configuration requirement, you can make that user a part of a group and set unique requirements on the User Setup page, or you can assign that user to his or her own group.

Per-User or Per-Group Features

You can configure most features at both group and user levels, with the following exceptions:

• User level only—Static IP address, password, and expiration.

• Group level only—Password aging and time-of-day/day-of-week

restrictions.

User Guide for Cisco Secure ACS for Windows Server

3-2

78-16592-01

Cisco Systems Windows Server User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

CONTENTS

Preface

Audience

Organization

Conventions

Product Documentation

Related Documentation

Obtaining Documentation

Documentation Feedback

Cisco.com

Ordering Documentation

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information

Overview

System Performance Specifications

AAA Server Functions and Concepts

AAA Protocols—TACACS+ and RADIUS

TACACS+

RADIUS

Authentication

Authentication Considerations

Authentication and User Databases

Authentication Protocol-Database Compatibility

Passwords

Comparing PAP, CHAP, and ARAP

MS-CHAP

EAP Support

Basic Password Configurations

Advanced Password Configurations

Password Aging

User-Changeable Passwords

Other Authentication-Related Features

Authorization

Max Sessions

Dynamic Usage Quotas

Shared Profile Components

Support for Cisco Device-Management Applications

Other Authorization-Related Features

Accounting

Other Accounting-Related Features

Administration

HTTP Port Allocation for Administrative Sessions

Network Device Groups

Other Administration-Related Features

Posture Validation

HTML Interface Security

HTML Interface Layout

Uniform Resource Locator for the HTML Interface

Network Environments and Administrative Sessions

Administrative Sessions and HTTP Proxy

Administrative Sessions through Firewalls

Administrative Sessions through a NAT Gateway

Accessing the HTML Interface

Logging Off the HTML Interface

Online Help and Online Documentation

Using Online Help

Using the Online Documentation

Deployment Considerations

System Requirements

Hardware Requirements

Operating System Requirements

Third-Party Software Requirements

Network and Port Requirements

Network Topology

Dial-Up Topology

Wireless Network

Remote Access using VPN

Remote Access Policy

Security Policy

Administrative Access Policy

Separation of Administrative and General Users

Database

Number of Users