User Guide for Cisco Secure ACS for Windows Server, Version 3.3
May 2004
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com
Tel: 408 526-4000 / 800 553-NETS (6387), Fax: 408 526-4100
Customer Order Number: DOC-7816592=
Contents (recovered from the fragmented table of contents; page numbers dropped)

Preface: Audience; Conventions; Product Documentation; Related Documentation; Obtaining Technical Assistance (Definitions of Service Request Severity); Obtaining Additional Publications and Information

Chapter 1, Overview: The Cisco Secure ACS Paradigm; System Performance Specifications; Cisco Secure ACS Windows Services; AAA Server Functions and Concepts (Cisco Secure ACS and the AAA Client; TACACS+; RADIUS; Authentication Considerations; Authentication and User Databases); Cisco Secure ACS HTML Interface (About the HTML Interface; HTML Interface Layout; Uniform Resource Locator for the HTML Interface; Network Environments and Administrative Sessions; Using Online Help; Logging Off)

Chapter 2, Deployment Considerations: Basic Deployment Factors; Administrative Access Policy; Separation of Administrative and General Users; Database (Number of Users; Type of Database); Network Latency and Reliability; Suggested Deployment Sequence

Chapter 3, Interface Configuration: User Data Configuration Options; Advanced Options; Protocol Configuration Options for TACACS+; Protocol Configuration Options for RADIUS (Setting Protocol Configuration Options for Non-IETF RADIUS)

Chapter 4, Network Configuration: About Network Configuration; About Distributed Systems; Proxy in Distributed Systems; Network Device Searches; AAA Clients; AAA Servers (Deleting a AAA Server); Network Device Groups (Adding a Network Device Group; Assigning an Unassigned AAA Client or AAA Server to an NDG; Reassigning a AAA Client or AAA Server to an NDG; Renaming a Network Device Group; Deleting a Network Device Group)

Chapter 5, Shared Profile Components: About Shared Profile Components; Network Access Filters (Deleting a Network Access Filter); Downloadable IP ACLs (About Downloadable IP ACLs; Adding a Downloadable IP ACL); Network Access Restrictions; Command Authorization Sets

Chapter 6, User Group Management: About User Group Setup Features and Functions; Setting Options for User Group Disablement; Enabling VoIP Support for a User Group; Configuring Device-Management Command Authorization for a User Group; Configuring Microsoft, Nortel, Juniper, BBSM, and Custom RADIUS VSA Settings for a User Group

Chapter 7, User Management: About User Setup Features and Functions; About User Databases; Basic User Setup Options; Advanced User Authentication Settings; TACACS+ Enable Password Options for a User; Setting User Usage Quotas Options; Configuring Device-Management Command Authorization for a User; Setting Juniper, BBSM, and Custom RADIUS Parameters for a User

Chapter 8, System Configuration: Basic: Service Control (Determining the Status of Cisco Secure ACS Services; Stopping, Starting, or Restarting Services); Setting the Date Format; Cisco Secure ACS Backup; Cisco Secure ACS System Restore; Cisco Secure ACS Active Service Management

Chapter 9, System Configuration: Advanced: CiscoSecure Database Replication (Database Replication Event Errors); RDBMS Synchronization (Users; User Groups; Network Configuration; Custom RADIUS Vendors and VSAs; RDBMS Synchronization Components; About CSDBSync; About the accountActions Table); IP Pools Server; IP Pools Address Recovery

Chapter 10, System Configuration: Authentication and Certificates: About Certification and EAP Protocols; EAP-TLS Authentication; PEAP Authentication; Certificate Revocation Lists (About Certificate Revocation Lists; Configuration Options; Adding, Editing, and Deleting a Certificate Revocation List Issuer); Generating a Certificate Signing Request; Using Self-Signed Certificates (About Self-Signed Certificates)

Chapter 11, Logs and Reports: About Cisco Secure ACS Logs and Reports; Update Packets in Accounting Logs; Working with CSV Logs; Working with ODBC Logs

Chapter 12, Administrators and Administrative Policy: Deleting an Administrator Account; Access Policy Options; Setting Up Access Policy; Session Policy Options; Setting Up Session Policy

Chapter 13, User Databases: CiscoSecure User Database (About the CiscoSecure User Database; User Import and Creation); About External User Databases; Windows User Database; LDAP (Unsuccessful Previous Authentication with the Primary LDAP Server); ODBC (Type Definitions; PAP Procedure Output; CHAP/MS-CHAP/ARAP Authentication Procedure Input and Output); Deleting an External User Database Configuration

Chapter 14, Network Admission Control: About Network Admission Control; Implementing Network Admission Control

Chapter 15, Unknown User Policy: About Unknown User Authentication; General Authentication of Unknown Users; Windows Authentication of Unknown Users (Domain-Qualified Unknown Windows Users; Windows Authentication with Domain Qualification; Multiple User Account Creation); Posture Validation Use of the Unknown User Policy (Required Use for Posture Validation)

Chapter 16, User Group Mapping and Specification: Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database; Group Mapping Order; No Access Group for Group Set Mappings; Configuring NAC Group Mapping

Appendixes: TACACS+ AV Pairs and TACACS+ Accounting AV Pairs; About the cisco-av-pair RADIUS Attribute; CSUtil database utility (Creating a Cisco Secure ACS Database Dump File; Loading the Cisco Secure ACS Database from a Dump File; Compacting the CiscoSecure User Database; User and AAA Client Import Option; Importing User and AAA Client Information); RADIUS Vendor/VSA Import File (Vendor and VSA Set Definition; Attribute Definition; Enumeration Definition; Example RADIUS Vendor/VSA Import File); accountActions (Format; Mandatory Fields; Processing Order; Action Codes for Setting and Deleting Values; Action Codes for Creating and Modifying User Accounts); Internal Architecture (Windows Services; Windows Registry; CSAdmin; CSAuth; CSDBSync; CSLog; CSMon: Monitoring, Recording, Notification, Response; CSTacacs and CSRadius); Index
Preface
This document will help you configure and use Cisco Secure Access Control Server (ACS) and its features and utilities.
Audience
This guide is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.
Organization
Each chapter describes concepts and procedures for one area of Cisco Secure ACS; for example, Chapter 16, “User Group Mapping and Specification,” covers concepts and procedures regarding the assignment of groups for users authenticated by an external user database.
Conventions
This guide distinguishes boldface, italic, and screen fonts (plain, boldface, and italic) in its definitions, and writes menu paths in the form Option > Network Preferences.
Product Documentation
Table 1 describes the product documentation that is available.
• Release Notes for Cisco Secure ACS for Windows Server
• User Guide for Cisco Secure ACS for Windows Server
Available formats:
• Printed document that was included with the product.
• In the Cisco Secure ACS HTML interface, click Online Documentation.
• Online help: in the Cisco Secure ACS HTML interface, online help appears in the right-hand frame when you are configuring a feature.
Related Documentation
• A guide to the TCP/IP protocols and utilities supported by Cisco devices.
• A deployment guide that presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and capabilities of Cisco Secure ACS.
• A guide to using a relational database management system (RDBMS) with ODBC and Cisco Secure ACS, which provides sample Structured Query Language (SQL) procedures.
• A deployment guide that discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.
Ordering tool: http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/
• Cisco Press publishes a wide range of general networking, training and
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj
Chapter 1, Overview
This chapter provides an overview of Cisco Secure ACS for Windows Server. This chapter contains the following topics:
• The Cisco Secure ACS Paradigm, page 1-2
• Cisco Secure ACS Specifications, page 1-3
– System Performance Specifications, page 1-3
Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced “triple A”) services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. The AAA client sends user information to Cisco Secure ACS (Figure 1-1) using one of the AAA protocols supported by Cisco Secure ACS.
System Performance Specifications The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is...
Cisco Secure ACS Windows Services
Cisco Secure ACS operates as a set of Microsoft Windows services and controls the authentication, authorization, and accounting of users accessing networks. For information about stopping and starting Cisco Secure ACS services, see Service Control in Chapter 8.
AAA Server Functions and Concepts
Cisco Secure ACS is a AAA server, providing AAA services to network devices that can act as AAA clients. As a AAA server, Cisco Secure ACS incorporates many technologies to render AAA services to AAA clients.
A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server. AAA clients must be configured to direct all end-user client access requests to Cisco Secure ACS for authentication of users and authorization of service requests.
RADIUS characteristics (the RADIUS column of the TACACS+/RADIUS comparison table):
• Authentication and authorization: UDP ports 1645 and 1812
• Accounting: UDP ports 1646 and 1813
• Encrypts only passwords up to 16 bytes; every other attribute in the packet travels in the clear
• Authentication and authorization combined as one service
• Primary use: user access control
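To make the “encrypts only passwords” point concrete, the following Python example (added here; it is neither Cisco Secure ACS code nor a listing from the guide) implements the User-Password hiding of RFC 2865 section 5.2 and assembles a minimal Access-Request. The shared secret, Request Authenticator, user name, NAS address and password are constructed sample values. Parsing the packet back shows that User-Name and NAS-IP-Address are readable exactly as sent; only attribute 2 is obfuscated, and that obfuscation is an MD5 keystream derived from the shared secret, so the strength of the secret is all that protects the password on the wire.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2).

Example code written for this page, not part of Cisco Secure ACS.
The shared secret, Request Authenticator and credentials are constructed.
"""
import hashlib
import os
import struct


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a User-Password value the way a RADIUS client does.

    The password is NUL-padded to a multiple of 16 bytes.  The first block
    is XORed with MD5(secret + Request Authenticator); each later block is
    XORed with MD5(secret + previous ciphertext block).  RFC 2865 allows up
    to 128 bytes this way; the first 16-byte block is the common case.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(b ^ k for b, k in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the AAA server does on receipt.
    Trailing NUL padding is stripped, as RFC 2865 requires."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(b ^ k for b, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, nas_ip: str = "192.0.2.10") -> bytes:
    """Assemble an Access-Request (code 1) carrying User-Name (1),
    User-Password (2) and NAS-IP-Address (4).  Only attribute 2 is hidden."""
    def avp(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, len(value) + 2) + value
    attrs = (avp(1, username)
             + avp(2, hide_password(password, secret, authenticator))
             + avp(4, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", 1, 0x42, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for the AVPs after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed
    auth = os.urandom(16)
    pkt = build_access_request(b"mary", b"s3cret-pw", secret, auth)
    a = parse_attributes(pkt)
    print("User-Name on the wire:", a[1])             # readable
    print("NAS-IP-Address on the wire:", list(a[4]))  # readable
    print("User-Password on the wire:", a[2].hex())   # hidden
    print("recovered by the server:", reveal_password(a[2], secret, auth))
```

Because the keystream depends only on the shared secret and a value sent in the clear, anyone who captures the packet and can guess the secret recovers the password offline; that is why the guide recommends separate strong secrets per AAA client and why TACACS+ is preferred for device administration.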
More modern and secure methods use technologies such as CHAP and one-time passwords (OTPs). Cisco Secure ACS supports a variety of these authentication methods.
Cisco Secure ACS can authenticate users against the following user databases: the CiscoSecure user database, Windows SAM, Windows AD, LDAP, Novell NDS, ODBC-compliant databases, and token servers. For more information about token server support, see Chapter 13, “User Databases”. The password protocols each database supports are given in two tables, one for non-EAP protocols and one for EAP protocols.
Non-EAP authentication protocols listed: CHAP, ARAP, MS-CHAP v.1, MS-CHAP v.2.
EAP authentication protocols listed: EAP-MD5, EAP-TLS, PEAP (EAP-GTC), PEAP (EAP-MSCHAPv2), EAP-FAST Phase Zero, EAP-FAST Phase Two.
In the case of token servers, Cisco Secure ACS acts as a client to the token server, using either its proprietary API or its RADIUS interface, depending on the token server.
PEAP supports the EAP Generic Token Card (GTC) and EAP-MSCHAPv2 inner protocols. For more information, see PEAP Authentication and EAP-TLS Authentication in Chapter 10, the EAP-TLS Deployment Guide for Wireless LAN Networks, and RFC 2284.
These are supported by both the TACACS+ and RADIUS protocols. They are held internally in the CiscoSecure user database and are not usually given up to an external source if an outbound password has been configured.
Password aging can force a user to change the password:
• After a specified number of days.
• After a specified number of logins.
• The first time a new user logs in.
Further features include:
• Ability for external users to authenticate via an enable password (see TACACS+ Enable Password Options for a User).
• Proxy of authentication requests to other AAA servers (see Distributed Systems).
Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises.
For information about applying a shared device command-authorization set to a user group, see Configuring Device-Management Command Authorization for a User Group. For information about applying a shared device command-authorization set to a user, see Configuring Device-Management Command Authorization for a User.
AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration.
An attacker on a different computer could “spoof” the IP address of the legitimate remote host to make use of the active administrative session HTTP port.
This creates two levels of network devices within Cisco Secure ACS—discrete devices such as an individual router, access server, AAA server, or PIX Firewall, and NDGs, which are named collections of AAA clients and AAA servers.
Accessing the HTML interface requires a valid administrator name and password. The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS. For information about fundamental features such as backup scheduling and service controls, see Chapter 8, “System Configuration: Basic”.
• Display Area—The frame on the right of the browser window. The display area shows the configuration page, online help, or online documentation, depending on what you select.
If you submit incorrect information, Cisco Secure ACS displays an error message here. The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly.
Administrative Sessions and HTTP Proxy Cisco Secure ACS does not support HTTP proxy for administrative sessions. If the browser used for an administrative session is configured to use a proxy server, Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than from the actual address of the computer.
Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the computer. This conflicts with administrative session communication that does use the actual IP address of the computer.
Step 1 Open a web browser. For a list of supported web browsers, see the Release Notes for the version of Cisco Secure ACS you are accessing. The most recent revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).
• Online Help—Contains basic information about the page shown in the configuration area.
• Online Documentation—Contains the entire user guide.
For more information about Cisco Secure ACS, go to http://www.cisco.com. Click Section Information on any online help page to view online documentation relevant to the section of the HTML interface you are using.
Step 4 If you want to print the online documentation, click in the display area, and then click Print in the navigation bar of your browser.
Deployment Considerations Deployment of Cisco Secure ACS for Windows Server can be complex and iterative, depending on the specific implementation required. This chapter provides insight into the deployment process and presents a collection of factors that you should consider before deploying Cisco Secure ACS.
• Minimum graphics resolution of 256 colors at 800 x 600 pixels.
Operating System Requirements
Cisco Secure ACS for Windows Server 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
Windows 2000 Advanced Server: the multi-processor feature of Windows 2000 Advanced Server has not been tested and cannot be supported. Windows 2000 Datacenter Server is not a supported operating system.
If there is a disabled network card on the computer running Cisco Secure ACS, installing Cisco Secure ACS may proceed slowly due to delays caused by Microsoft CryptoAPI.
In some cases, these ports are configurable, such as with LDAP and RADIUS token server databases. For more information about ports that a particular external user database listens to, see the documentation for that database.
ISDN connection is granted access to an intranet via a network access server (NAS) functioning as a AAA client. Users may be able to connect via only a single AAA client as in a small business, or have the option of numerous geographically dispersed AAA clients.
In a larger dial-in environment, a single Cisco Secure ACS with a backup may also be suitable. The suitability of this configuration depends on network and server access latency. In this scenario, the addition of a backup Cisco Secure ACS is recommended.
Although Cisco Secure ACS uses encryption for all replication and database synchronization traffic, additional security measures may be required to protect the network and user information that Cisco Secure ACS sends across the WAN.
This raises a unique issue with the WLAN: the ability of a user to “roam” between APs.
In the larger, geographical distribution of WLANs, deployment of Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs (Figure 2-3).
This model may apply to a chain of small stores distributed throughout a city or state, nationally, or globally (Figure 2-6).
Remote users can connect through an Internet service provider (ISP) instead of using expensive toll-free or long-distance calls to resource-consuming modem banks. In Figure 2-6, the location of Cisco Secure ACS depends on
(PSTN). Such policies are enforced at the corporate campus with Cisco Secure ACS and the AAA client. Inside the enterprise network, remote access policies can control wireless access by individual employees.
IDs, passwords, and privileges. Cisco Secure ACS access policies can be downloaded in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, or by allowing access during specific periods, or on specific access servers.
If this is not a suitable solution, using TACACS+ for administrative (shell/exec) logins, and RADIUS for remote network access, provides sufficient security for the network devices.
Reconstructed from the fragment on this page, the example device configuration has this shape (placeholders ip-address, secret-key, user and password are the guide's own; lines marked assumed do not appear on this page but are required for the listing to work):

aaa new-model                                              ! assumed
tacacs-server host ip-address
tacacs-server key secret-key
aaa authentication login console none                      ! assumed; defines the list used on line con 0
aaa authorization commands 15 default group tacacs+ none
username user password password
line con 0
 login authentication console
Cisco Secure ACS configuration. A WAN failure could render a local network inaccessible because of the loss of the authentication server. In addition to this issue, reducing the number of users that a single Cisco Secure ACS handles improves performance by lowering the number of logins occurring at any given time and by reducing the load on the database itself.
• Configure Administrators—You should configure at least one administrator at the outset of deployment; otherwise, there is no remote administrative access and all configuration activity must be done from the server. You should also have a detailed plan for establishing and maintaining an administrative policy.
For information about the types of databases Cisco Secure ACS supports and instructions for establishing them, see Chapter 13, “User Databases”.
Interface Configuration Ease of use is the overriding design principle of the HTML interface in the Cisco Secure ACS for Windows Server. Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator. The Interface Configuration section of Cisco Secure ACS enables you to configure the Cisco Secure ACS HTML interface—you can tailor the interface to simplify the...
You can configure most features at both group and user levels, with the following exceptions:
• User level only—Static IP address, password, and expiration.
• Group level only—Password aging and time-of-day/day-of-week restrictions.
The change takes effect after you restart the services from the Service Control page in the System Configuration section and then stop and restart the CSAdmin service by using the Services section of the Administrative Tools folder in Windows Control Panel. Restarting Cisco Secure ACS-related Windows services should be done during off hours because it briefly interrupts authentication, authorization, and accounting.
For information on defining a NAR, or NAR set, within Shared Profile Components, see Chapter 5, “Shared Profile Components”.
• Distributed System Settings—When selected, this feature displays the AAA server and proxy tables on the Network Configuration page. If the tables have information other than the defaults in them, they always appear.
• Remote Logging—When selected, this feature enables the Remote Logging
• IP Pools—When selected, this feature enables the IP Pools Address Recovery and IP Pools Server options on the System Configuration page.
• Network Device Groups—When selected, this option enables network device groups (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers).
Protocol Configuration Options for TACACS+
• New Services—In this area you can enter any services or protocols particular to your network configuration. They then appear on the User Setup page or Group Setup page.
This provides a common method to control access regardless of the access control protocol. If you have configured Cisco Secure ACS to interact with device management applications for other Cisco products, such as
This option adds a setting to the User Setup and Group Setup pages that enables you to permit unknown TACACS+ services, such as Cisco Discovery Protocol (CDP). This option should be used by advanced system administrators only.
Step 5 When you have finished setting TACACS+ interface display options, click Submit.
Protocol Configuration Options for RADIUS
The settings that appear for various types of AAA client depend on what settings that type of device can employ. These combinations are detailed in Table 3-1 on page 3-12.
Table 3-1 lists, for each AAA client type, which RADIUS attribute sets apply: RADIUS (IETF), RADIUS (Cisco Aironet), RADIUS (BBSM), RADIUS (Cisco IOS/PIX), RADIUS (Microsoft), RADIUS (Ascend), RADIUS (Cisco VPN 3000), RADIUS (Cisco VPN 5000), RADIUS (Juniper), and RADIUS (Nortel).
Otherwise, only the Group check box for each attribute appears.
If the AAA client is a Cisco Aironet Access Point and the Cisco-Aironet-Session-Timeout attribute is configured, Cisco Secure ACS sends this value to the wireless device in the IETF Session-Timeout attribute. The RADIUS (IETF) attributes are shared with RADIUS VSAs. You must configure the first RADIUS attributes from RADIUS (IETF) for the RADIUS vendor, then select the VSA set and set the options for how particular attributes appear (see Setting Protocol Configuration Options for Non-IETF RADIUS).
To control how many tags are shown for tagged attributes on the User Setup and Group Setup pages, select the Tags to Display Per Attribute option, and then select a value from the corresponding list. Examples of tagged attributes are Tunnel-Type and the other RFC 2868 tunnel attributes. Each attribute selected must be supported by your RADIUS network devices.
If Per-user TACACS+/RADIUS Attributes under Interface Configuration: Advanced Options is selected, a User check box appears alongside the Group check box for each attribute. Each attribute selected must be supported by your RADIUS network devices.
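What a “tag” on a RADIUS attribute actually is, as an added Python example (written for this page, not Cisco Secure ACS code): the RFC 2868 wire format for tagged integers (a tag octet followed by a 3-octet value) and tagged strings (a leading octet 0x01..0x1F, anything larger meaning untagged), plus the three tunnel attributes a switch needs to place a session in a VLAN, all carrying the same tag so the receiver groups them. Attribute numbers and enumerations are the IANA ones; the VLAN names and tags are constructed.

```python
"""RFC 2868 tagged RADIUS attributes.

Example code written for this page, not part of Cisco Secure ACS.
Sample tags and VLAN names below are constructed.
"""
import struct

TUNNEL_TYPE = 64                # integer, tagged
TUNNEL_MEDIUM_TYPE = 65         # integer, tagged
TUNNEL_PRIVATE_GROUP_ID = 81    # string, tagged
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type enumeration for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type enumeration for IEEE 802


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer (RFC 2868 3.1): Tag octet, then a 24-bit value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer values are 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def encode_tagged_string(attr_type: int, tag: int, value: bytes) -> bytes:
    """Tagged string (RFC 2868 3.6): Tag octet (0x01..0x1F) then the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def decode_tagged(attr_type: int, raw: bytes):
    """Return (tag, value); tag is None when the value carries no tag."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(raw) != 4:
            raise ValueError("tagged integer must be 4 octets")
        return raw[0], int.from_bytes(raw[1:], "big")
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        # A first octet above 0x1F is part of the string, not a tag.
        if raw and raw[0] <= 0x1F:
            return raw[0], raw[1:]
        return None, raw
    raise ValueError("not a tagged attribute: %d" % attr_type)


def vlan_assignment(tag: int, vlan_name: bytes) -> bytes:
    """The three attributes an 802.1X switch reads to assign a named VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def group_by_tag(attrs: bytes) -> dict:
    """Walk a blob of AVPs and collect {tag: {attr_type: value}}."""
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        tag, value = decode_tagged(attr_type, attrs[i + 2:i + length])
        out.setdefault(tag, {})[attr_type] = value
        i += length
    return out


if __name__ == "__main__":
    blob = vlan_assignment(1, b"engineering") + vlan_assignment(2, b"guest")
    for tag, group in group_by_tag(blob).items():
        print("tag", tag, group)
```

With “Tags to Display Per Attribute” set to 2, the Group Setup page offers the two tag slots that the second call above fills; a device that does not implement RFC 2868 will misread the tag octet as part of the value, which is why the page insists that every selected attribute be supported by the RADIUS network devices.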
Step 4 Click Submit at the bottom of the page. According to your selections, the RADIUS VSAs appear on the User Setup or Group Setup pages, or both, as a configurable option.
Network Configuration This chapter details concepts and procedures for configuring Cisco Secure ACS for Windows Server to interact with AAA clients and servers and for establishing a distributed system. This chapter contains the following topics: • About Network Configuration, page 4-1 ...
Servers table do not appear on the opening page. To configure a AAA client or AAA server, you must click the name of the NDG to which the device is assigned. If the newly configured device is not assigned to an NDG, it belongs to the (Not Assigned) group.
AAA Servers in Distributed Systems “AAA server” is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user.
AAA server. After the request has been successfully authenticated, the authorization privileges that have been configured for the user on the remote AAA server are passed back to the original Cisco Secure ACS, where the AAA client applies the user profile information for that session.
Note by proxy, any Network Access Restrictions for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client. When a Cisco Secure ACS proxies to a second Cisco Secure ACS, the second...
For example, in the proxy example that follows, the character string that accompanies the username establishes the ability to forward the request to another AAA server. If the user must enter the user ID of mary@corporate.com to be forwarded correctly to the AAA server for authentication, Cisco Secure ACS might find a match on the “@corporate.com”...
Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is a Cisco Secure ACS and the Max Sessions feature is implemented, you can track the number of sessions allowed for each user or group.
• ...can use asterisks (*) as wildcard characters. For example, if you wanted to find all devices with names starting with the letter M, you would enter “M*”.
• Type—The device type, as specified by the AAA protocol it is configured to use, or the kind of AAA server it is. If you do not want to limit the search based on device type, select ...
• Device Group—The NDG the device is assigned to. This search criterion...
Cisco Secure ACS displays the applicable setup page. For information about the AAA Client Setup page, see AAA Client Configuration Options, page 4-11. For information about the AAA Server Setup page, see AAA Server Configuration Options, page 4-22.
Each AAA client configuration can represent multiple network devices; thus, the AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device. We...
• Key—The shared secret of the AAA client. Maximum length for a AAA client key is 32 characters. After you submit the AAA client hostname, you cannot change it. If...
– TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is the standard choice when using Cisco Systems access servers, routers, and firewalls. If the AAA client is a Cisco device-management application, such as Management Center for Firewalls, you must use this option.
– ...option if the AAA client represents RADIUS-enabled devices from more than one manufacturer and you want to use standard IETF RADIUS... If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet).
RADIUS Accounting reports of Reports and Activity. By default, this check box is not selected. If TCP connections between Cisco Secure ACS and the AAA client are unreliable, do not use this feature.
GPRS support node (GGSN). For example, if you use the Cisco Secure ACS IP pools server and the AAA client does not provide a unique port for each user, Cisco Secure ACS assumes that a reused...
Cisco Secure ACS to provide AAA services to a network device and is used solely for command authorization of Cisco multi-device management applications, such as Management Center for Firewalls.
Note Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter.
When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.
Note Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter. For steps about creating a AAA client entry, see Adding a AAA Client, page 4-16.
Delete. However, when you do this, the change does not take effect until you restart the system, which you can do by clicking System Configuration, clicking Service Control, and then clicking Restart.
AAA Server Configuration Options A AAA server configuration enables Cisco Secure ACS to interact with the AAA server that the configuration represents. A AAA server that does not have a corresponding configuration in Cisco Secure ACS, or whose configuration in...
TACACS+ protocol. After you submit the AAA server name, you cannot change it. If you want to use a different name for a AAA server, delete the AAA server configuration and create a AAA server configuration using the new name.
• Traffic Type—The Traffic Type list defines the direction in which traffic to and from the remote AAA server is permitted to flow from this Cisco Secure ACS. The list includes the following options: – ... – ... – ...
...Servers table, click Add Entry. The Add AAA Server page appears. Step 3 In the AAA Server Name box, type a name for the remote AAA server (up to 32 characters). Step 4 In the AAA Server IP Address box, type the IP address assigned to the remote AAA server.
Use this procedure to edit the settings for a AAA server that you have previously configured. Note You cannot edit the name of a AAA server. To rename a AAA server, you must delete the existing AAA server entry and then add a new server entry with the new name.
The Network Configuration page opens. Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, in the AAA Servers table, click the name of the AAA server to be edited.
The Network Configuration page opens. Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, click the AAA server name in the AAA Servers table.
Cisco Secure ACS—single discrete devices such as an individual router or network access server, and an NDG; that is, a collection of routers or AAA servers. To see the Network Device Groups table in the HTML interface, you must have...
Assigning an Unassigned AAA Client or AAA Server to an NDG You use this procedure to assign an unassigned AAA client or AAA server to an NDG. Before you begin this procedure, you should have already configured the client or server and it should appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table.
The client or server is assigned to an NDG. Reassigning a AAA Client or AAA Server to an NDG To reassign a AAA client or AAA server to a new NDG, follow these steps: Step 1 In the navigation bar, click Network Configuration.
When you delete an NDG, all AAA clients and AAA servers that belong to the deleted group appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.
It may be useful to empty an NDG of AAA clients and AAA servers before you delete it. You can do this manually by performing the procedure ...AAA Client or AAA Server to an NDG, page ... If you have a large number of devices to reassign, you can use the RDBMS Synchronization feature.
The Character String column in the Proxy Distribution Table always contains an entry of “(Default)”. The “(Default)” entry matches authentication requests received by the local Cisco Secure ACS that do not match any other defined...
...off the username, or select No if it is to be left intact. Step 5 In the AAA Servers column, select the AAA server you want to use for proxy. Step 6 Click --> (right arrow button) to move it to the Forward To column.
You can also select additional AAA servers to use for backup proxy if the prior servers fail. To set the order of AAA servers, in the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want.
Proxy Distribution Table entries in addition to the (Default) table entry. For information about the parameters that make up a distribution entry, see Adding a New Proxy Distribution Table Entry.
The Edit Proxy Distribution Entry page appears. Step 3 Click Delete. A confirmation dialog box appears. Step 4 Click OK. The distribution entry is deleted from the Proxy Distribution Table.
Shared Profile Components This chapter addresses the Cisco Secure ACS for Windows Server features found in the Shared Profile Components section of the HTML interface. This chapter contains the following topics: • About Shared Profile Components, page 5-1 • Network Access Filters, page 5-2 ...
IP address of the AAA client making the access request. For more information on using NAFs in downloadable IP ACLs, see About Downloadable IP ACLs, page 5-8.
If Network Access Filtering does not appear as a selection on the Shared Profile Components page, you must enable it on the Advanced Options page of the Interface Configuration section.
Selected Items box, click the name of an item and then click Up or Down to move it to the position you want. You can use the wildcard (*) to designate a range within an IP address.
Control, and then click Restart. Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero.
To save your NAF and apply it later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.
Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero.
Cisco cisco-av-pair attribute [26/9/1] of each user or user group. You can create a downloadable IP ACL once, give it a name, and then assign the downloadable IP...
To use a downloadable IP ACL on a particular AAA client, the following requirements must be met: • The AAA client must use RADIUS for authentication. • The AAA client must support downloadable IP ACLs.
Adding a Downloadable IP ACL Before You Begin You should have already configured any NAFs that you intend to use in your downloadable IP ACL.
For an example of the proper format of the ACL definitions, see About Downloadable IP ACLs, page 5-8.
IP ACL assigned to his or her user or group profile. For information on assigning a downloadable IP ACL to a user or a user group, see Assigning a Downloadable IP ACL to a User and Assigning a Downloadable IP ACL to a Group.
For an example of the proper format of the ACL definitions, see About Downloadable IP ACLs, page 5-8. (See also About Network Access Filters, page 5-2.) ...through Step 8 until you are finished.
The selected IP ACL is deleted. Network Access Restrictions This section describes network access restrictions (NARs) and provides detailed instructions for configuring and managing shared NARs.
Service (DNIS) number, the MAC address, or other value originating from... Table 5-1 (only the column headings and outcomes survive): Non-IP Based, Insufficient Information, Access Denied, Access Denied, Access Granted, Access Denied. See About IP-based NAR Filters, page 5-17.
Cisco Secure ACS backup and restore features to back up and restore them. You can also replicate the shared NARs, along with other configurations, to secondary Cisco Secure ACSes.
When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
• ...NAS-IP-address (attribute 4) or, if NAS-IP-address ..., (RADIUS attribute 32) is used.
• ...NAS-port-ID (attribute 87) is used.
• CLI—The calling-station-ID (attribute 31) is used.
• DNIS—The called-station-ID (attribute 30) is used.
• Src IP Address—Type the IP address to filter on when performing access restrictions. You can use the wildcard asterisk (*) to specify all IP addresses.
ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.
Step 8 Cisco Secure ACS saves the shared NAR and lists it in the Network Access Restrictions table. The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024.
ACS is capable of accepting more than 1024 characters when you add a NAR, you cannot edit such a NAR and Cisco Secure ACS cannot accurately apply it to users.
Ensure that you remove the association of a shared NAR to any user or group before you delete that NAR. The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024.
• Command Authorization Sets Description, page 5-26 • Command Authorization Sets Assignment, page 5-28 • Case Sensitivity and Command Authorization, page 5-29 • Arguments and Command Authorization, page 5-29 • About Pattern Matching, page 5-30
PIX OS your firewalls use; if not, use Shell Command Authorization Sets to perform command authorization for PIXes. As of PIX OS version 6.3, the pixshell service has not been implemented.
The Cisco Secure ACS groups can correspond to different roles within the device-management application and you can apply different command authorization sets to each group, as applicable.
• PIX Command Authorization Sets—See either of the following: – ... – ...
If any argument is unmatched, command authorization is determined by whether the Permit Unmatched Args option is enabled. If unmatched arguments are permitted, the command is authorized and evaluation ends;...
– Configuring Device-Management Command Authorization for a User Group, page 6-37 – Configuring Device-Management Command Authorization for a User, page 7-30
You can combine these expressions to specify absolute matching. In the example given, you would use permit ^wid$ to ensure that only wid was permitted, and not anywid or widget.
The set name can contain up to 27 characters. Names cannot contain the following characters: # ? " * > < Leading and trailing spaces are not allowed.
Caution Enter the full command word; if you use command abbreviations, authorization control may not function. Note Enter only the command portion of the command/argument string here. The default setting is Deny.
You can list several arguments for a single command by pressing Enter between arguments.
Step 6 To save the set, click Submit.
Step 5 To confirm that you want to delete that command authorization set, click OK. Cisco Secure ACS displays the applicable Command Authorization Sets table. The command authorization set is no longer listed.
User Group Management This chapter provides information about setting up and managing user groups in Cisco Secure ACS for Windows Server to control authorization. Cisco Secure ACS enables you to group network users for more efficient administration. Each user can belong to only one group in Cisco Secure ACS. You can establish up to 500 groups to effect different levels of authorization.
Cisco Secure ACS also enables you to enter and configure new TACACS+ services. For information about how to configure a new TACACS+ service to appear on the group setup page, see Protocol Configuration Options for TACACS+, page 3-7.
• Setting Max Sessions for a User Group, page 6-12 • Setting Usage Quotas for a User Group, page 6-14 ... Support for Cisco Device-Management Applications, page 1-19 ... Chapter 5, “Shared Profile Components”.
Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Group Settings check box.
Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Default Time-of-Day / Day-of-Week Specification check box.
For more information, see Saving Changes to User Group Settings, page 6-56. Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Setting Callback Options for a User Group Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
CLI/DNIS-based filter options to appear in the Cisco Secure ACS HTML interface. You can also use the CLI/DNIS-based access restrictions area to specify other values. For more information, see About Network Access Restrictions, page 5-15.
Note When an authentication request is forwarded by proxy to a Cisco Secure ACS server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
Click Enter. The specified AAA client, port, and address information appears in the NAR Access Control list. Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024.
AAA client. You can determine this format from your RADIUS Accounting Log.
2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in. The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024.
Step 5 To save the group settings you have just made, click Submit. For more information, see Setting Max Sessions Options for a User, page 7-16, and Saving Changes to User Group Settings, page 6-56.
AAA clients. If update packets are not enabled, the quota is updated when the user logs off. If the AAA client through which the user is accessing your...
Type the number of sessions to which you want to limit users in the to x sessions box. Up to 5 characters are allowed in the to x hours box.
This section details procedures that you perform only as applicable to your particular network security configuration. For instance, if you have no token server configured, you do not have to set token card settings for each group. When a vendor-specific variety of RADIUS is configured for use by network...
• Configuring BBSM RADIUS Settings for a User Group, page 6-51 • Configuring Custom RADIUS VSA Settings for a User Group, page 6-53
Setting Token Card Settings for a User Group Note If this section does not appear, configure a token server. Then, click External User Databases, click Database Configuration, and then add the applicable token card server. Perform this procedure to allow a token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).
See your AAA client documentation for information about privilege levels.
• To set the maximum privilege level for this user group, for any ACS on which this group is authorized, select the Max Privilege for Any Access Server option. Then, select the maximum privilege level from the list. • To define the maximum NDG privilege level for this user group, select the...
(aaa accounting new-info update) with the IP address of...
– Warning period—The number of days users will be notified to change their passwords. The existing password can be used, but the Cisco Secure ACS presents a warning indicating that the password must be changed...
12, users receive prompts... All passwords expire at midnight, not the time at which they were set.
• Set up your AAA client to use Cisco IOS Release 11.2.7 or later and to send a watchdog accounting packet (aaa accounting new-info update) with the IP address of the calling station.
Apply password change rule check box. Step 7 To enable a Greetings message display, select the Generate greetings for successful logins check box.
– Communication between Cisco Secure ACS and the AAA client must be using RADIUS. – The AAA client must support MS CHAP password aging in addition to MS CHAP authentication.
– Users must be in a Windows user database. For information on enabling MS..., see Global Authentication Setup, page 10-26.
• Assigned by dialup client—Use the IP address that is configured on the dialup client network settings for TCP/IP. Users must be using a client that supports EAP-FAST. You must enable EAP-FAST on the Global Authentication Configuration page within the System Configuration section.
• Select Assigned from AAA Client pool. Then, type the AAA client IP pool name. • Select Assigned from AAA pool. Then, select the AAA server IP pool name in the Available Pools list and click --> (right arrow button) to move the name into the Selected Pools list.
Step 4 Under the Downloadable ACLs section, click the Assign IP ACL check box. Step 5 Select an IP ACL from the list.
...Pairs”, or your AAA client documentation. Leave the attribute value box blank if the default (as defined on the AAA client) should be used. Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Step 5 To prevent the application of any shell command authorization set, select (or accept the default of) the None option.
Cisco IOS commands. Correct syntax is the responsibility of the administrator. For information on how Cisco Secure ACS uses pattern matching in command arguments, see About Pattern Matching, page 5-30.
To enter several commands, you must click Submit after specifying a command. A new command entry box appears below the box you just completed.
Click Add Association. The associated NDG and PIX command authorization set appear in the table. Note To remove or edit an existing PIX command authorization set association, you can select the association from the list, and then click Remove Association.
Step 4 Use the vertical scrollbar to scroll to the device-management application feature area, where device-management application is the name of the applicable Cisco device-management application.
...Configuration Options for RADIUS, page 3-11. For a list and explanation of RADIUS attributes, see Appendix C, “RADIUS Attributes”. For information about how your AAA client uses RADIUS, refer to your AAA client vendor documentation.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Infected, you could specify values for the url-redirect, posture-token, and status-query-timeout attributes as follows:
url-redirect=http://10.1.1.1
posture-token=Infected
status-query-timeout=150
Cisco Aironet AP.
Page 232
Configuration to use the RADIUS (Cisco Aironet) authentication option. The recommended value is 600 seconds. For more information about the IETF RADIUS Session-Timeout attribute, see Appendix C, “RADIUS User Guide for Cisco Secure ACS for Windows Server 6-42 Chapter 6 6-38.
The Group Setup Select page opens.
• Group-level RADIUS (Cisco VPN 3000) attributes have been enabled on the RADIUS (Cisco VPN 3000) page of the Interface Configuration section.
Page 235
Step 7 • To continue specifying other group settings, perform other procedures in this chapter, as applicable.
The Group Settings page displays the name of the group at its top.
Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 5000).
• Group-level Microsoft RADIUS attributes have been enabled on the RADIUS (Microsoft) page of the Interface Configuration section.
Page 238
For more information about attributes, see documentation for network devices using RADIUS.
The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.
AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.
Page 242
Step 7 • To continue specifying other group settings, perform other procedures in this chapter, as applicable.
RADIUS.
Note: The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.
Step 4 To open a user account (to view, modify, or delete a user), click the name of the user in the User List. The User Setup page for the particular user account selected appears.
The Renaming Group: Group Name page appears.
Step 4 Type the new name in the Group field. Group names cannot contain angle brackets (< or >).
Step 2 To verify that your changes were applied, select the group and click Edit Settings. View the settings. The group remains in the same position in the list. The number value of the group is still associated with this group name.
The User Setup section of the Cisco Secure ACS HTML interface is the centralized location for all operations regarding user account configuration and administration.
The following authentication types appear in the HTML interface only when the corresponding external user database has been configured in the Database Configuration area of the External User Databases section.
• ODBC Database—Authenticates a user from an Open Database Connectivity-compliant database server.
• LEAP Proxy RADIUS Server Database—Authenticates a user from a LEAP Proxy RADIUS server.
• Token Server—Authenticates a user from a token server database.
The User Setup Edit page opens. The username being added is at the top of the page. The username can contain up to 64 characters. Names cannot contain the following special characters: # ? "...
Page 251
• To finish configuring the user account options and establish the user account, click Submit.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
For lengthy account configurations, you can click Submit before continuing. This will prevent loss of information you have already entered if an unforeseen problem occurs.
VoIP (null password) group, and the optional password is also included in the user profile, the password is not used until the user is re-mapped to a non-VoIP group.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Alternatively, you can scroll up in the list to select the Mapped By External Authenticator option.
Setting User Callback Option
Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
• box (up to 15 characters), if a specific IP address should be used for this user.
Note: The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
IP address assigned by an IP address pool configured on the AAA server. Select the AAA server IP pool name from the Available Pools list, and then click --> (right arrow button) to move the name into the Selected Pools list.
Page 258
Note: NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client. When you create access restrictions on a per-user basis, Cisco Secure ACS does not enforce a limit on the number of access restrictions or on the length of each access restriction;...
Page 259
Select a shared NAR name in the NARs list, and then click --> (right arrow button) to move the name into the Selected NARs list. To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR, as applicable.
Page 260
• Denied Calling/Point of Access Locations
The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although Cisco Secure...
Page 261
ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.
Max Sessions totals. If the Max Sessions table does not appear, click Interface Configuration, click Advanced Options, and then select the Max Sessions check box.
Page 263
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as...
Page 265
Up to 10 characters are allowed for this field.
Step 2 Do one of the following:
• Select the Never option to keep the user account always enabled.
per Day—From 12:01 a.m. until midnight.
per Week—From 12:01 a.m. Sunday until midnight Saturday.
• Failed attempts exceed—Select the Failed attempts exceed check box, and then type the number of consecutive unsuccessful login attempts to allow before disabling the account. The default is 5.
• Configuring TACACS+ Settings for a User, page 7-24
• Configuring a Shell Command Authorization Set for a User, page 7-26
• Advanced TACACS+ Settings (User), page 7-33
• Setting Juniper RADIUS Parameters for a User, page 7-51
• Setting BBSM RADIUS Parameters for a User, page 7-52
• Setting Custom RADIUS Attributes for a User, page 7-53
For more information about attributes, see Appendix B, “TACACS+ Attribute-Value Pairs”, or your AAA client documentation. For information on assigning an IP ACL, see...
Page 271
Shell (exec) option is selected in the User column.
• Ensure that you have already configured one or more shell command authorization sets. For detailed steps, see Adding a Command Authorization Set, page 5-31.
Page 273
<default> listing. The NDG or NDGs and associated shell command authorization set or sets are paired in the table.
Page 274
• record the options.
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Step 3 To prevent the application of any PIX command authorization set, select (or accept the default of) the None option.
• None—No authorization is performed for commands issued in the applicable Cisco device-management application.
• Group—For this user, the group-level command authorization set applies for the applicable device-management application.
Page 277
Step 4 application at the group level, select the As Group option.
Step 2 Scroll down to the table under the heading Checking this option will PERMIT all UNKNOWN Services.
• Use Group Level Setting—Sets the privileges for this user as those configured at the group level.
• No Enable Privilege—Disallows enable privileges for this user.
Page 280
• Define Max Privilege on a per-Network Device Group Basis
Step 3 If you selected Max Privilege for Any Access Server in Step 2, select the appropriate privilege level from the corresponding list.
This is the default setting.
You must have already configured a device group for it to be listed. To delete an entry, select the entry, and then click Remove Associate.
Page 282
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
For information about basic password setup, see Adding a Basic User Account, page 7-4.
RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 9-28.
• User-level IETF RADIUS attributes are enabled under RADIUS (IETF) in the Interface Configuration section. To display or hide any of these attributes in the HTML interface, see Protocol Configuration Options for RADIUS, page 3-11.
Page 285
Page 286
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Page 287
AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.
Page 288
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 3000 Concentrator RADIUS attributes.
Page 291
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-38.
RADIUS (Microsoft) attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured.
Page 294
Step 2 Before configuring Cisco IOS RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-38.
IETF attributes.
The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.
Page 296
• To continue to specify the user account options, perform other procedures in this chapter, as applicable.
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4.
The User Setup Edit page opens. The username being added or edited is at the top of the page.
You must configure both the IETF RADIUS and the custom RADIUS attributes. Proprietary attributes override IETF attributes.
• Finding a User, page 7-55
• Disabling a User Account, page 7-56
Step 1 In the navigation bar, click User Setup.
The User Setup Select page opens.
Step 2 Type the name in the User box, and then click Find.
The User Setup Select page opens.
Step 2 In the User box, type the name of the user whose account is to be disabled.
You can use wildcard characters (*) in this box.
Step 2 In the User box, type the complete username to be deleted.
Note: Alternatively, you can click List All Users, and then select the user from the list that appears.
Step 4 In the Session Quotas section, select the Reset All Counters on submit check box.
The Delete button appears only when you are editing user information, not when you are adding a username.
Alternatively, you can click List All Users, and then select the user from the list that appears. This counter shows the number of unsuccessful login attempts since the last time this user logged in successfully.
Step 2 To verify that your changes were applied, type the username in the User box, click Add/Edit, and then review the settings.
If the user authenticates with a Windows user database, this expiration information is in addition to the information in the Windows user account.
For more information about Cisco Secure ACS services, see Chapter 1, “Overview”.
To stop, start, or restart Cisco Secure ACS services, follow these steps:
For example, if you are using the month/day/year format, Cisco Secure ACS assigns the name 2001-07-12.csv to a...
Page 310
Cisco Secure ACS. Click the Logoff button (a button with an X) in the upper-right corner of the browser window.
Telnet session hosted by a TACACS+ AAA client. Users who submit a password change receive the text message that you type in the corresponding box.
Page 312
If the maximum number of files is exceeded, Cisco Secure ACS deletes the oldest log file. If the maximum age of a file is exceeded, Cisco Secure ACS deletes the file.
Telnet session and when the Telnet password change feature has been disabled (Step b).
Page 314
Cisco Secure ACS should retain a User Password Changes log file before deleting it.
Step 8 Click Submit.
Cisco Secure ACS restarts its services and implements the settings you specified.
For information about using a backup file to restore Cisco Secure ACS, see Cisco Secure ACS System Restore, page 8-14.
Backup File Locations
The default directory for backup files is the following:
drive path \CSAuth\System Backups
Windows Registry that is relevant to Cisco Secure ACS. The user database backup includes all user information, such as username, password, and other authentication information, including server certificates and the certificate trust list. The Windows Registry information includes any system information that is stored in the Windows Registry, such as NDG information, AAA client configuration, and administrator accounts.
• Directory—The directory where Cisco Secure ACS writes the backup file. The directory must be specified by its full path on the Windows server that runs Cisco Secure ACS, such as...
• Manage Directory—Defines whether Cisco Secure ACS deletes older...
In the day and hour graph, click the times at which you want Cisco Secure ACS to perform a backup.
Because Cisco Secure ACS is momentarily shut down during backup, if the backup interval is too frequent, users might be unable to authenticate.
Clicking times of day on the graph selects those times; clicking again clears them. At any time you can click Clear All to clear all hours, or you can click Set All to select all hours.
The ACS System Restore feature restores the Cisco Secure ACS user database and Cisco Secure ACS Windows Registry information from a file that was created by the ACS Backup feature. Cisco Secure ACS writes backup files only on the local...
Components Restored
You can select the components to restore: the user and group databases, the system configuration, or both.
Step 4 In the list below the Directory box, select the backup file you want to use to restore Cisco Secure ACS.
Cisco Secure ACS accomplishes system monitoring with the CSMon service. For more information about the CSMon service, see CSMon, page G-4.
• Log all events to the NT Event log—Specifies whether Cisco Secure ACS generates a Windows event log entry for each exception event.
• *Restart All—Restart all Cisco Secure ACS services.
• SMTP Mail Server—The Simple Mail Transfer Protocol (SMTP) server that Cisco Secure ACS should use to send notification e-mail. You can identify the SMTP server either by its hostname or by its IP address.
In the To box, type the e-mail address (up to 200 characters) to which Cisco Secure ACS should send event notification e-mail.
Note: Do not use underscores in the e-mail addresses you type in this box.
In the SMTP Mail Server box, type the hostname (up to 200 characters) of the sending e-mail server.
Step 5 If you want to set up system monitoring, see page 8-19. If you are done setting up Cisco Secure ACS Service Management, click Submit.
Page 328
Accounting Configuration table displays the options for VoIP accounting.
Step 3 Select the VoIP accounting option you want.
Step 4 Click Submit.
Cisco Secure ACS implements the VoIP accounting configuration you specified.
This chapter addresses the CiscoSecure Database Replication and RDBMS Synchronization features found in the System Configuration section of Cisco Secure ACS for Windows Server. This chapter contains the following topics:
• CiscoSecure Database Replication, page 9-1
• Replication Components Options, page 9-11
• Outbound Replication Options, page 9-12
• Inbound Replication Options, page 9-15

• Update the secondary Cisco Secure ACSes to create matching configurations.
The following items cannot be replicated:...
Page 331
Cisco Secure ACS software. For example, if the primary Cisco Secure ACS is running Cisco Secure ACS version 3.2, all secondary Cisco Secure ACSes should...
The primary Cisco Secure ACS contacts the secondary Cisco Secure ACS. In this initial connection, the following four events occur:
a. The two Cisco Secure ACSes perform mutual authentication based upon the shared secret of the primary Cisco Secure ACS. If authentication fails, replication fails.
Page 333
Cisco Secure ACS. During this step, if AAA clients are configured properly, those that usually use the secondary Cisco Secure ACS fail over to another Cisco Secure ACS.
Page 334
Cisco Secure ACSes. After replication from server 1 to server 2 has completed, server 2 acts as a primary Cisco Secure ACS while replicating to servers 4 and 5. Similarly, server 3 acts as a primary Cisco Secure ACS while replicating to servers 6 and 7.
Cisco Secure ACSes involved in replication use the same patch level, too.
• You must ensure correct configuration of the AAA Servers table in all Cisco Secure ACSes involved in replication.
Page 336
Page 337
VSA definitions on primary and secondary Cisco Secure ACSes, making sure that the RADIUS vendor slots that the user-defined RADIUS vendors occupy are identical on each Cisco Secure ACS. After you have done so, replication...
Do not confuse database replication with system backup. Database replication does not replace System Backup. While both features protect against partial or complete server loss, each feature addresses the issue in a different way. System Backup archives data into a format that you can later use to restore the configuration if the system fails or the data becomes corrupted.
• Network Configuration Device tables—Replicate the AAA Servers tables and the AAA Clients tables in the Network Configuration section. This also controls whether NDGs are replicated.
For example, if the primary Cisco Secure ACS replicates to two secondary Cisco Secure ACSes which, in turn, each replicate to two more Cisco Secure ACSes, the primary Cisco Secure ACS must have AAA server configurations for all six Cisco Secure ACSes that will receive replicated database components.
Page 341
Page 342
The items in the AAA Server and Replication lists reflect the AAA servers configured in the AAA Servers table in Network Configuration. To make a particular Cisco Secure ACS available as a secondary Cisco Secure ACS, you must first add that Cisco Secure ACS to the AAA Servers table of the primary Cisco Secure ACS.
• Other AAA servers—The list displays all the AAA servers configured in the AAA Servers table in Network Configuration. If a specific AAA server name is selected, Cisco Secure ACS accepts replicated components only from the Cisco Secure ACS specified.
Page 344
Step 2 In the navigation bar, click System Configuration.
Step 3 Click CiscoSecure Database Replication.
The Database Replication Setup page appears.
Page 346
Cisco Secure ACS, from the Accept replication from list, select Any Known CiscoSecure ACS Server. The Any Known CiscoSecure ACS Server option is limited to the Cisco Secure ACSes listed in the AAA Servers table in Network Configuration.
Servers table entries for the primary Cisco Secure ACS must have identical shared secrets.
Page 348
Cisco Secure ACS saves the replication configuration. Cisco Secure ACS immediately begins sending replicated database components to the secondary Cisco Secure ACSes you specified.
RADIUS attribute. Outbound Replication Options, page Configuring a Secondary Cisco Secure ACS, Implementing Primary and Secondary Replication Setups 9-15. Configuring a Secondary Cisco Secure ACS, User Guide for Cisco Secure ACS for Windows Server CiscoSecure Database Replication 9-12. 9-21...
In the Outbound Replication table, select the At specific times option. In the day and hour graph, click the times at which you want Cisco Secure ACS to perform replication.
The secondary Cisco Secure ACSes available in the AAA Servers list are determined by the AAA Servers table in Network Configuration. For more information about the AAA Servers table, see Configuration, page 4-21.
Step 5 In the Outbound Replication table, select the Manually option.
Step 6 Click Submit. Cisco Secure ACS does not permit any replication to or from this Cisco Secure ACS server.
• Custom RADIUS Vendors and VSAs, page 9-28
• About CSDBSync, page 9-29
• About the accountActions Table, page 9-31
• Preparing for CSV-Based Synchronization, page 9-36
• RDBMS Setup Options, page 9-38
• Synchronization Scheduling Options, page 9-39
• Synchronization Partners Options, page 9-39
For more information about accountActions, see About the accountActions Table, page 9-31. For information about all actions that RDBMS Synchronization can perform, see Appendix F, “RDBMS Synchronization Import Definitions”.
You can define up to ten custom RADIUS vendors. Cisco Secure ACS allows only one instance of any given vendor, as defined by the unique vendor IETF ID number and by the vendor name.
This service looks specifically for a table named “accountActions”. Synchronization events fail if CSDBSync cannot access the accountActions table.
In Figure 9-2, Cisco Secure Access Control Server 1 is the senior synchronization partner and the other two Cisco Secure ACSes are its synchronization partners.
Note The senior synchronization partner must have AAA configurations for each Cisco Secure ACS that is a synchronization partner.
[Table residue: Microsoft ODBC text file driver; schema.ini; \CSDBSync\Databases]
• SQL Server 6.5—Contains the files testData.sql ... procedure needed to generate an accountActions table. The file contains Microsoft SQL Server 6.5 SQL procedures for updating the accountActions table with sample transactions that CSDBSync can process.
Cisco Secure ACS Database Recovery Using the accountActions Table...
For details on the format and content of the ... see Appendix F, “RDBMS Synchronization Import Definitions”.
For detailed steps about adding a AAA server, see ...
On all the other synchronization partners, verify that there is a AAA server configuration for the senior synchronization partner. If no AAA server configuration for the senior synchronization partner exists, create one. For...
Cisco Secure ACS and to Cisco Secure ACS configuration. For more information, see Preparing for CSV-Based Synchronization, page 9-36, and Scheduling RDBMS Synchronization, page 9-41.
Step 3 Type: net stop CSDBSync and then press Enter.
Type: ...
[Table residue: accountactions.csv; \CSDBSync\Databases\CSV]
You cannot perform synchronization using a relational database table rather than a CSV file when the OdbcUpdateTable value is .
Microsoft Access database provided with CiscoSecure DBSync: CiscoSecure Transactions.mdb
In Windows 2000, the ODBC Data Sources icon is located in the Administrative Tools folder.
Step 6 Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs.
Step 7 Click OK. The name you assigned to the DSN appears in the System Data Sources list.
The Synchronization Partners table defines which Cisco Secure ACSes are synchronized with data from the accountActions table. It provides the following options:
• AAA Server—This list represents the AAA servers configured in the AAA Servers table in Network Configuration for which the Cisco Secure ACS does not perform RDBMS synchronization.
Step b. In the Password box, type the password for the username specified in the ... Cisco Secure ACS has the information necessary to access the accountActions table.
If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the RDBMS Synchronization check box.
• Disabling Scheduled RDBMS Synchronizations, page 9-43
If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the RDBMS Synchronization check box.
Set All to select all hours.
Step 6 For each Cisco Secure ACS you want to synchronize with data from the accountActions table, follow these steps:
The Cisco Secure ACSes available in the AAA Servers list are determined by the AAA Servers table in Network Configuration, with the addition of the name of the current Cisco Secure ACS server. For more information about the AAA Servers table, see Configuration, page 4-21.
IP address as that used by another PPTP tunnel client in a different tunnel. The IP Pools Server feature enables you to assign the same IP address to multiple users, provided that the users are being tunnelled to different home gateways for routing beyond the boundaries of your own network.
Note To use overlapping pools, you must be using RADIUS with VPN, and you cannot be using Dynamic Host Configuration Protocol (DHCP).
Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the IP Pools check box.
The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use. If you want to allow overlapping IP pool address ranges, follow these steps:...
Refreshing the AAA Server IP Pools Table
You can refresh the AAA Server IP Pools table. This allows you to get the latest usage statistics for your IP pools. To refresh the AAA Server IP Pools table, follow these steps: In the navigation bar, click System Configuration.
Step 2 Click IP Pools Server. The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use. Click the name of the IP pool you need to edit.
Step 2 Click IP Pools Server. The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use. Click the name of the IP pool you need to reset.
Step 5 The IP pool is reset. All its IP addresses are reclaimed. In the In Use column of the AAA Server IP Pools table, zero percent of the IP pool addresses are assigned to users.
Deleting an IP Pool...
Step 5 To delete the IP pool, click OK. The IP pool is deleted. The AAA Server IP Pools table does not list the deleted IP pool.
IP Pools Address Recovery
The IP Pools Address Recovery feature enables you to recover assigned IP addresses that have not been used for a specified period of time.
Cisco Secure ACS implements the IP pools address recovery settings you made.
This section contains the following topics:
• Digital Certificates, page 10-2
• EAP-TLS Authentication, page 10-2
• PEAP Authentication, page 10-8
• EAP-FAST Authentication, page 10-13
Note Depending on the end-user client involved, the CA certificate for the CA that issued the Cisco Secure ACS server certificate is likely to be required in local storage for trusted root CAs on the end-user client computer.
EAP-TLS Authentication...
Cisco Secure ACS self-signed certificate capability. Depending on the end-user client involved, the CA certificate for the CA that issued the Cisco Secure ACS server certificate is likely to be required in local storage for trusted root CAs on the end-user client computer.
• Certificate Binary Comparison—Based on a binary comparison between the user certificate stored in the user object in the LDAP server or Active Directory and the certificate presented by the user during EAP-TLS authentication. This comparison method cannot be used to authenticate users stored in an ODBC external user database.
EAP-TLS session has not timed out, Cisco Secure ACS uses the cached TLS session, resulting in faster EAP-TLS performance and lessened AAA server load. When Cisco Secure ACS resumes an EAP-TLS session, the user reauthenticates by SSL handshake only, without a certificate comparison.
• ... ACS to perform binary comparison of user certificates, the user certificate must be stored in Active Directory or an LDAP server, using a binary format. Also, the attribute storing the certificate must be named “usercertificate”.
• Windows server type—If you want to use Active Directory to authenticate...
Before You Begin
For EAP-TLS machine authentication, if you have a Microsoft certification authority server configured on the domain controller, you can configure a policy in Active Directory to produce a client certificate automatically when a computer is added to the domain. For more information, see...
• Enabling PEAP Authentication, page 10-12
About the PEAP Protocol
The PEAP (Protected EAP) protocol is a client-server security architecture that provides a means of encrypting EAP transactions, thereby protecting the contents of EAP authentications. PEAP has been posted as an IETF Internet Draft by RSA, Cisco, and Microsoft and is available at draft-josefsson-pppext-eap-tls-eap-05.txt.
Cisco Secure ACS to the end-user client, ensuring that the user or machine credentials sent in phase two are sent to a AAA server that has a certificate issued by a trusted CA. The first phase uses a TLS handshake to establish an SSL tunnel.
PEAP. If a user needs to reconnect and the original PEAP session has not timed out, Cisco Secure ACS uses the cached TLS session, resulting in faster PEAP performance and lessened AAA server load.
Unknown User Policy is enabled, Cisco Secure ACS attempts to authenticate the PEAP user with unknown user processing. For more information about unknown user processing, see About Unknown User Authentication, page 15-4.
Note End-user client computers must be configured to support PEAP. This procedure is specific to configuration of Cisco Secure ACS only.
To enable PEAP authentication, follow these steps:
Step 1 Install a server certificate in Cisco Secure ACS. PEAP requires a server certificate. For detailed steps, see Certificate, page ...
Enable PEAP on the Global Authentication Setup page.
About EAP-FAST
The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based upon strong secrets that are unique to users.
After phase one of EAP-FAST, all data is encrypted, including username information usually sent in clear text.
The backup master key is used only if the active master key retires...
An end-user client presenting a PAC that was generated with an expired master key must be provided a new PAC using automatic or manual provisioning before phase one of EAP-FAST can succeed.
EAP-FAST phase two. Cisco Secure ACS generates PACs using the active master key and a username. An EAP-FAST end-user client stores PACs for each user accessing the network with the client. Additionally, a AAA server that supports EAP-FAST has a unique Authority ID. An end-user client associates a user’s PACs with the Authority ID of the AAA server that generated them.
Cisco Secure ACS administrator, provided that both Cisco Secure ACS and the end-user client are configured to support automatic provisioning.
• Automatic provision—Sends a PAC using a secure network connection.
Global Authentication Setup page in the System Configuration section. For more information, see Authentication Configuration Options, page 10-27.
When you generate PAC files for groups of users or all users, the users must be known or discovered users and cannot be unknown users. Cisco Secure ACS for Windows Server supports the generation of PAC files with CSUtil.exe. For more information about generating PACs with CSUtil.exe, see PAC File Generation, page D-40.
PAC. If automatic provisioning is disabled, phase zero does not occur and phase one fails. You must use manual provisioning to give the user a new PAC.
Table 10-1 summarizes...
Send, you have selected the EAP-FAST master keys and policies check box.
• On the Global Authentication Setup page of the primary Cisco Secure ACS, you have enabled EAP-FAST and selected the EAP-FAST master server check box.
• On the Database Replication Setup page of the secondary Cisco Secure ACS, ...
[Table residue: Client initial message; Master keys; EAP-FAST master server; Actual EAP-FAST server status]
The EAP-FAST master server setting has a significant effect upon EAP-FAST authentication and replication, as follows:
• Enabled—When the EAP-FAST master server check box is selected, the “Actual EAP-FAST server status” is...
Cisco Secure ACS. Also, a PAC generated for a user by one Cisco Secure ACS in a replication scheme where the EAP-FAST master server setting is disabled is accepted by all other Cisco Secure ACSes in the same replication scheme.
PACs based on expired master keys.
User database support differs for EAP-FAST phase zero and phase two. For user database configuration, see...
This section contains the following topics:
• Authentication Configuration Options, page 10-27
• Configuring Authentication Options, page 10-33
Fast reconnection can occur only when Cisco Secure ACS allows the session to resume because the session has not timed out. If you disable the PEAP session resume feature by entering 0 (zero) in the PEAP ...
The default retired master key TTL is three months. When a retired master key ages past the retired master key TTL, it expires and Cisco Secure ACS deletes it.
– Authority ID Info—A short description of this Cisco Secure ACS, sent along with PACs issued by Cisco Secure ACS. EAP-FAST end-user clients use it to describe the AAA server that issued the PAC. Maximum length is 64 characters.
Decreasing the retired master key TTL is likely to cause some retired master keys to expire;...
Authority ID. If this option displays “Slave”, Cisco Secure ACS uses master keys and the Authority ID it receives during replication. For more information, see ...
If you deselect the EAP-FAST Master Server check box, EAP-FAST server status remains “Master” until Cisco Secure ACS receives replicated EAP-FAST components.
If one comparison type fails, Cisco Secure ACS attempts the next enabled comparison type. Comparison stops after the first successful comparison.
Session-Timeout (27) attribute is the value specified in the Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) or, if that attribute is not enabled, the IETF RADIUS Session-Timeout (27) attribute.
1. TACACS+ support for MS-CHAP version 1 is always enabled and is not configurable.
For more information on the PEAP protocol, see PEAP Authentication, page 10-8. For details regarding how various...
Submit. Cisco Secure ACS saves the authentication configuration options you selected.
Cisco Secure ACS Certificate Setup
This section contains the following topics:
• Installing a Cisco Secure ACS Server Certificate, page 10-35
• Adding a Certificate Authority Certificate, page 10-37
You must have a server certificate for your Cisco Secure ACS before you can install it. With Cisco Secure ACS, certificate files must be in Base64-encoded X.509. If you do not already have a server certificate in storage, you can use the procedure in ... means, to obtain a certificate for installation.
Note If the certificate was installed in storage with the private key, you do not have the private key file and do not need to type it. This is the private key associated with the server certificate.
Step 6 In the Private key password box, type the private key password.
..., page 10-38, where you signify that the CA is to be trusted. (Cisco Secure ACS comes configured with a list of popular CAs, none of which are enabled until you explicitly signify trustworthiness.)
Cisco Secure ACS administrator must explicitly configure the CA as trusted by editing the CTL. If the Cisco Secure ACS server certificate is replaced, the CTL is erased; you must configure the CTL explicitly each time you install or replace a Cisco Secure ACS server certificate.
If a user’s certificate is from a CA that you have not...
A CRL is a signed and time-stamped data structure issued by a CA (or CRL issuer) and made freely available in a public repository (for example, in an LDAP server). Details on the operation of the X.509 CRL profile are contained in RFC3280.
CRL issuers can only be added in association with trusted CAs (that is, CAs on the CTL). If you install a new server certificate for Cisco Secure ACS, your CTL is cleared of all trust relationships. While you must reestablish CAs on the CTL, the associated CRLs that you previously configured remain in place and do not have to be reconfigured.
Step 7 In the Issuer’s Certificate box, use the drop-down arrow to select from the list the CA certificate associated with this CRL issuer.
You can refer to the Last Retrieve date: box to see the status, date, and time of the last retrieval attempt.
Step 4 Click the name of the CRL issuer you want to delete. The system displays the details of the CRL issuer that you selected. You can refer to the Last Retrieve date: box to see the status, date, and time of the last CRL retrieval attempt.
After you generate a CSR, you can submit it to a CA to obtain your certificate. You perform this procedure to generate the CSR for future use with a certificate enrollment tool.
Note If you already have a server certificate, you do not need to use this portion of the ACS Certificate Setup page.
Step 10 After you receive the certificate from the CA, you can perform the steps in Installing a Cisco Secure ACS Server Certificate, page 10-35.
To ensure that a self-signed certificate interoperates with the client, refer to your client documentation. You may find that you must import the self-signed server certificate as a CA certificate on your particular client.
• Key length—Select the key length from the choices listed. The choices include 512 bits, 1024 bits, and 2048 bits.
CN—common name (the mandatory entry)
OU—organizational unit name...
Step 10 In the Digest to sign with box, select the hash digest to be used to encrypt the key.
Step 2 Click ACS Certificate Setup. Cisco Secure ACS displays the Installed Certificate Information table on the ACS Certificate Setup page.
If you use the Install generated certificate option, you must restart Cisco Secure ACS services after submitting this form to adopt the new settings.
Step 5 You can now install the replacement certificate in the same manner as an original certificate. For detailed steps, see Installing a Cisco Secure ACS Server Certificate, page 10-35.
Logs and Reports
Cisco Secure ACS for Windows Server produces a variety of logs and provides a way to view most of these logs in the Cisco Secure ACS HTML interface as HTML reports. This chapter contains the following topics:
• Logging Formats, page 11-2
CSV file in a third-party application such as Microsoft Excel, please see the documentation supplied by the third-party vendor. You can access the CSV files either on the Cisco Secure ACS server hard drive or by downloading the CSV file from the HTML interface. For more information...
A value of Remote-logging-failed indicates that the remote logging service did not process the accounting packet successfully.
Authentications and Failed Attempts logs. All inbound attributes are available for logging. The only two outbound attributes that you can record in logs are Application-Posture-Token and System-Posture-Token.
Cisco Secure ACS cannot determine how a remote logging service is configured to process the accounting packets that are forwarded to it.
• ... logging server, enable the Log Update/Watchdog Packets from this remote AAA Server option in the AAA Servers table entry for the remote server on the local Cisco Secure ACS. For more information on setting this option for a AAA server, see...
In the HTML interface, all accounting logs can be enabled, configured, and viewed.
Table 11-1 ... Cisco Secure ACS HTML interface regarding accounting logs.
[Table residue: AAA client messages with username; Caller line identification information; Session duration; VoIP session stop and start times; AAA client messages with username; CLID information; VoIP session duration]
Table 11-2 What You Can Do with Accounting Logs
[Table residue: What You Can Do; Enable an accounting log]
In entries in the Failed Attempts log, the ExtDB Info attribute contains the database that last successfully authenticated the user.
• ODBC—For instructions on configuring an ODBC accounting log, see Configuring an ODBC Log, page 11-23.
... contains descriptions of all dynamic administration reports and...
AAA client. At the bottom of the table, the All AAA Clients entry shows the total number of users logged in.
Click the column a second time to sort the table by the entries in that column in descending order.
Step 3 To edit a user account listed, in the User column, click the username. Cisco Secure ACS opens the user account for editing.
For instructions on configuring the Administration Audit log, see Configuring the Administration Audit Log, page ...
• Every month—Cisco Secure ACS generates a new Administrative Audit CSV file at the start of each month.
CSV files in chronological order, with the current CSV file at the top of the list. The current file is named log.csv, where log is the name of the log.
If you disabled the log, Cisco Secure ACS stops logging information for the log selected.
[Table residue: Default Location; CSAuth\PasswordLogs; Logs\ServiceMonitoring; Configurable?]
Click the CSV report filename whose contents you want to view. If the CSV report file contains information, the information appears in the display area. You can configure how Cisco Secure ACS handles old CSV report files.
CSV file reaches a particular size. To check for newer information in the current CSV report, click Refresh.
Step 6 To set the attributes in the Logged Attributes list back to the default selections, at the bottom of the browser window, click Reset Columns.
• Preparing for ODBC Logging, page 11-22
• Configuring a System Data Source Name for ODBC Logging, page 11-22
• Configuring an ODBC Log, page 11-23
Step 1 In Windows Control Panel, double-click ODBC Data Sources.
Step 2 In the ODBC Data Source Administrator page, click the System DSN tab.
Step 5 Type a descriptive name for the DSN in the Data Source Name box.
Step 6 Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant relational database runs.
Step 7 Click OK. Close the ODBC window and Windows Control Panel.
Cisco Secure ACS to send ODBC logging data to your relational database. In the Username box, type the username of a user account in your relational database (up to 80 characters).
The right side of the browser displays an SQL create table statement for Microsoft SQL Server. The table name is the name specified in the Table Name box. The column names are the attributes specified in the Logged Attributes list.
Cisco Secure ACSes. You can configure each Cisco Secure ACS to point to one Cisco Secure ACS that is to be used as a central logging server. The central logging Cisco Secure ACS still performs AAA functions, but it also is the repository for accounting logs it receives.
Server. Step 2 In the Cisco Secure ACS running on the central logging server, follow these steps: Configure the accounting logs as needed. All accounting data sent to the central logging server will be recorded in the way you configure accounting logs on this Cisco Secure ACS.
If the central logging server is to log watchdog and update packets for a Cisco Secure ACS, be sure that the Log Update/Watchdog Packets from this remote AAA Server check box is selected for that Cisco Secure ACS in the AAA Servers table.
... behavior enables you to configure one or more backup central logging servers so that no accounting data is lost if the first central logging server fails or is otherwise unavailable to Cisco Secure ACS.
• Remote Log Services—This list represents the Cisco Secure ACSes...
Note ... selected, Cisco Secure ACS logs to the first accessible Cisco Secure ACS in the Selected Log Services list. Use the “Log to subsequent remote log services on failure” option...
For example, RADIUS service logs are created even if you are not using the RADIUS protocol in your network. For more information about Cisco Secure ACS services, see Chapter 1, “Overview”.
SERVICE where SERVICE is the name of the applicable service. If you selected the Day/Month/Year format, the file would be named as follows: SERVICE ...
[Residue: \Logs subdirectory of the applicable service; .log]
• Delete files older than x days—Cisco Secure ACS retains only those service logs that are not older than the number of days specified by x.
Page 466
Cisco Secure ACS should retain a service log file before deleting it. Step 6 Click Restart. Cisco Secure ACS restarts its services and implements the service log settings you specified. User Guide for Cisco Secure ACS for Windows Server 11-34 Chapter 11 Logs and Reports 78-16592-01...
Editing an Administrator Account, page 12-7 • Unlocking a Locked Out Administrator Account, page 12-10 • Deleting an Administrator Account, page 12-11 • 78-16592-01 C H A P T E R User Guide for Cisco Secure ACS for Windows Server 12-1...
Cisco Secure ACS HTML interface from a browser run elsewhere than on the Cisco Secure ACS Windows server itself, you must log in to Cisco Secure ACS using an administrator account. If your Cisco Secure ACS is so configured, you may need to log in to Cisco Secure ACS even in a browser run on the Cisco Secure ACS Windows server.
• Shell Command Authorization Sets—Allows the administrator full access to the Shell Command Authorization Sets feature.
• PIX Command Authorization Sets—Allows the administrator full access to the PIX Command Authorization Sets feature.
– Cisco Secure ACS System Restore, page ...
– ACS Service Management—For more information about this feature, ...
Additional command authorization set privilege options may appear if other Cisco network management applications, such as CiscoWorks2000, have updated the configuration of Cisco Secure ACS.
– Dynamic Administration Reports, page ...
– VoIP Accounting Configuration, page ...
– Global Authentication Setup, page ...
– Accounting Logs, page 11-6.
Step 4 To select all privileges, including user group editing privileges for all user groups, click Grant All.
– ACS Backup and Restore—For more information about this report, see Cisco Secure ACS System Logs, page ...
– DB Replication—For more information about this report, see...
You can effectively disable an administrator account by revoking all privileges. To clear all privileges, including user group editing privileges for all user groups, click Revoke All.
Password box and you want to allow the administrator whose account you are editing to access the Cisco Secure ACS HTML interface, select the Reset current failed attempts count check box.
The selected group moves to the Available groups list. Step 8 To grant any remaining privilege options, select the applicable check boxes in the Administrator Privileges table. (See Unlocking a Locked Out Administrator Account, page 12-10.)
Select the Reset current failed attempts count check box. Step 4 Click Submit. Cisco Secure ACS saves the changes to the administrator account.
You can also enable secure socket layer (SSL) for access to the HTML interface. This section contains the following topics:
• Access Policy Options, page 12-12
• Setting Up Access Policy, page 12-14
• TCP ports used for remote access to the HTML interface.
– Allow all IP addresses to connect—Allow access to the HTML interface from any IP address.
An unauthorized user would have to impersonate, or “spoof,” the IP address of a legitimate host to make use of the active administrative session HTTP port.
Step 5 ...range or ranges of IP addresses, follow these steps: In the IP Address Filtering table, select the Reject connections from listed IP addresses option.
HTTPS. Any current administrator sessions are unaffected. The IP addresses entered to define a range must differ only in the last octet.
Administrative Audit report under the local_login administrator name. Note: If there are no administrator accounts defined, no administrator name and password are required to access Cisco Secure ACS locally.
To require administrators to log in to Cisco Secure ACS locally using their administrator names and passwords, clear the Allow Automatic Local Login check box.
The Audit Policy feature controls the generation of the Administrative Audit log. For more information about enabling, viewing, or configuring the Administrative Audit log, see Cisco Secure ACS System Logs, page 11-13.
For example, a common configuration is to use a Windows user database for standard network users and a token server for network administrators. For information about the Unknown User Policy and group mapping features, see Chapter 15, “Unknown User Policy”...
Cisco Secure ACS uses usernames and passwords in the CiscoSecure user database during authentication. For more information about specifying an external user database for authentication of a user, see Adding a Basic User Account, page 7-4.
Cisco Secure ACS with the user accounts from the primary ... For more information, see Adding a Basic User Account, page 7-4, RDBMS Synchronization, page 9-25, and Chapter 16, “User Group Mapping and Specification”.
• Open Database Connectivity (ODBC)-compliant relational databases
• LEAP Proxy RADIUS servers
• RSA SecurID token servers
• RADIUS-compliant token servers
ODBC driver must be installed on the Cisco Secure ACS Windows server. To communicate with an RSA token server, you must have installed software components provided by RSA. For token servers by other vendors, the standard RADIUS interface serves as the third-party API.
RADIUS. For RSA token servers, Cisco Secure ACS acts as an RSA client in order to use the RSA proprietary interface. For more information, see the section regarding the database type you are interested in.
• UPN Usernames, page 13-14
• EAP-TLS Domain Stripping, page 13-16
• Machine Authentication, page 13-16
• Machine Access Restrictions, page 13-19
• Microsoft Windows and Machine Authentication, page 13-20
• Enabling Machine Authentication, page 13-22
Windows user databases. For information about configuring Cisco Secure ACS to use Windows callback settings, see Callback Option, page ... Authentication protocols not supported with Windows external user databases may be supported by a different external user database. For...
Cisco Secure ACS can take advantage of indirect trusts for Windows authentication. Consider the example of Windows domains A, B, and C, where Cisco Secure ACS resides on a server in domain A. Domain A trusts domain B, ...
• password—Type your password.
• domain—Type your valid domain name.
Note: For more information about the implications of completing or leaving the domain box blank, see Non-domain-qualified Usernames, page 13-13.
For more information about the implications of prefixing or not prefixing the domain name before the username, see Non-domain-qualified Usernames, page 13-13.
– cyril.yang@main.example.com
– cyril.yang@main
– cyril.yang@central-office@example.com
– cyril.yang@main\example.com
(The username cyril.yang is non-domain-qualified.) For more information, see Domain-Qualified Usernames, page ..., UPN Usernames, page 13-14, and Non-domain-qualified Usernames, page 13-13.
If Windows does not find the username in its local domain database, it then checks all trusted domains. If Cisco Secure ACS runs on a member server and the username is not found in trusted domains, Windows also checks its local accounts database. Windows attempts to authenticate a user with the first occurrence of the username that it finds.
UPN Usernames
Cisco Secure ACS supports authentication of usernames in User Principal Name (UPN) format, such as cyril.yang@example.com or cyril.yang@central-office@example.com.
• Machine Authentication, page 13-16
• Machine Access Restrictions, page 13-19
• Microsoft Windows and Machine Authentication, page 13-20
• Enabling Machine Authentication, page 13-22
Active Directory. This is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points.
This prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user has chosen to shut down or restart the computer rather than just logging off.
EAP-TLS-based machine authentication uses EAP-TLS to authenticate the computer using a client certificate. The certificate used by the computer can be one installed automatically when the computer was added to the domain or one...
137, Cisco Secure ACS applies to the user session the authorization settings specified in group 137.
• Complete the steps in Modify Dial-In Permissions for Computers That Use Wireless...
Calling-Station-Id value not found in the cache—Cisco Secure ACS assigns the user to the user group specified by “Group map for successful user authentication without machine authentication”...
Make sure the certification authority (CA) certificate of the CA that issued the Cisco Secure ACS server certificate is stored in machine storage on client computers. User storage is not available during machine authentication; therefore, if the CA certificate is in user storage, machine authentication fails.
On the Protected EAP Properties dialog box, you can enforce that Cisco Secure ACS has a valid server certificate by selecting the Validate server certificate check box. If you do select this check box, you must also select the applicable Trusted Root Certification Authorities.
If you do not perform this step and the CA of the server certificate is not the same as the CA of an end-user client certificate, EAP-TLS operates normally but rejects the EAP-TLS machine authentication because the client computer does not trust the correct CA.
Cisco Secure ACS is ready to perform machine authentication for computers, regardless of whether the computer names exist in the CiscoSecure user database.
For MS-CHAP password aging, the AAA client must support RADIUS-based MS-CHAP authentication. For PEAP(EAP-MSCHAPv2), PEAP(EAP-GTC), and EAP-FAST password aging, the AAA client must support EAP.
For example, if you have configured a PIX Firewall to authenticate Telnet sessions using Cisco Secure ACS as a RADIUS server, a user authenticated by a Windows external user database would be denied Telnet access to the PIX Firewall if the Dialin Permission feature is enabled and the Windows user account does not have dialin permission.
Cisco Secure ACS supports password changes using MS CHAP. Configuring the Domain List is optional. For more information about the Domain List, see Non-domain-qualified Usernames, page 13-13.
Cisco Secure ACS performs machine authentication using machine name and password with EAP-TLS. For more information about machine authentication, see ... The check boxes under MS CHAP Settings do not affect password aging for Microsoft PEAP, EAP-FAST, or machine authentication.
PEAP users accessing the network with that computer will be assigned to the group specified in the “Group map for successful user authentication without machine authentication” list.
Step 2 Click Database Configuration. Cisco Secure ACS displays a list of all possible external user database types. If you do not change the value of the Aging time (hours) box to...
All the settings on the Windows User Database Configuration page are optional and need not be enabled unless you want to permit and configure the specific features they support.
• Multiple LDAP Instances, page 13-33
• LDAP Organizational Units and Groups, page 13-34
• Domain Filtering, page 13-34
For more information, see About Unknown User Authentication, page 15-4.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned. While the group to which a user is assigned can be determined by information from the LDAP server, it is Cisco Secure ACS that grants authorization privileges.
the LDAP instance to which Cisco Secure ACS submits any given user authentication request. You also control whether usernames are submitted to an LDAP server with their domain qualifiers intact. For example, when EAP-TLS authentication is initiated by a Windows XP client,...
If the LDAP server stores usernames in a domain-qualified format, you should not configure Cisco Secure ACS to strip domain qualifiers. Limiting users to one domain is useful when the LDAP server stores usernames differently per domain, either by user context or by how the username is stored in Cisco Secure ACS—domain qualified or non-domain...
ACS, failover applies when an authentication request fails because Cisco Secure ACS could not connect to an LDAP server, such as when the server is down or is otherwise unreachable by Cisco Secure ACS. To use this feature, you must define the primary and secondary LDAP servers on the LDAP Database Configuration page.
Failback Retry Delay box is set to 0 (zero), Cisco Secure ACS always attempts to connect to the primary LDAP server first. If Cisco Secure ACS cannot connect to the primary LDAP server, it then attempts to connect to the secondary LDAP server.
Cisco Secure ACS can submit the username to an LDAP server. The Domain box accepts up to 512 characters; however, only one domain name and its delimiting character are permitted.
– delimiter—When this option is selected, Cisco Secure ACS submits all usernames to an LDAP server after attempting to strip domain names. Usernames that are not domain qualified are processed, too. Domain name stripping occurs as specified by the following two options.
LDAP authentication performed using this configuration. Cisco Secure ACS uses the settings in this section regardless of whether the authentication is handled by the primary or secondary LDAP server. This table contains the following options:
– User Directory Subtree—The distinguished name (DN) for the subtree...
Secondary LDAP Server table enable you to identify the LDAP servers and make settings that are unique to each. The Secondary LDAP Server table does not need to be completed if you do not intend to use LDAP failover. These tables contain the following options:
– Hostname—The name or IP address of the server that is running the...
LDAP server in clear text.
– Certificate Database Path—The path to the ... which must contain the certificates for the server to be queried and the trusted CA. You can use a Netscape web browser to generate ... For information about generating a ..., refer to the ... documentation.
You can use anonymous credentials for the administrator username if the LDAP server is configured to make the group name attribute visible in searches by anonymous credentials. Otherwise, you must specify an administrator username that permits the group name attribute to be visible to searches.
Step 7 If you do not want Cisco Secure ACS to filter LDAP authentication requests by username, under Domain Filtering, select Process all usernames.
LDAP server check box. Step 9 If you want to enable Cisco Secure ACS to strip domain qualifiers from usernames before submitting them to an LDAP server, follow these steps:
Step 12 In the User Object Type box, type the name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. Note: The default values in the UserObjectType and following fields reflect the default configuration of the Netscape Directory Server.
Step 16 ...that contains the list of user records that are members of that group. Step 17 In the Server Timeout box, type the number of seconds Cisco Secure ACS waits for a response from an LDAP server before determining that the connection with that server has failed.
Secondary LDAP Server table. In the Hostname box, type the name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address.
If you are using Netscape DS as your LDAP software, you can copy this information from the Netscape Console. For more information, see About Unknown User Authentication, page 15-4.
To authenticate users with a Novell NDS database, Cisco Secure ACS depends upon Novell Requestor. Novell Requestor must be installed on the same Windows server as Cisco Secure ACS. You can download the Requestor software from the Novell website. For more information, refer to your Novell and Microsoft documentation.
If he submitted only “Agamemnon”, authentication would fail. Table 13-1 lists the users given in the example tree (such as CN=Penelope and CN=Telemachus) and the username with context that would allow each user to authenticate successfully.
• Test Login—Selecting this check box causes Cisco Secure ACS to test the administrative login of the tree to the Novell server when you click Submit.
• Tree Name—Appears only on the blank form for new trees. The name of the...
Users can provide a portion of their context when they log in. For more information, see User Contexts, page 13-51. ...and separate each part of the...
Caution: ...database is deleted. The NDS Authentication Support page appears. The NDS Authentication Support page enables you to add a configuration for a Novell NDS server, change existing Novell NDS server configurations, and delete existing Novell NDS server configurations.
For more information about the content of the NDS Authentication Support page, see Novell NDS External User Database Options, page ... Step 7 If you want to add a new Novell NDS server configuration, complete the fields in the blank form at the bottom of the NDS Authentication Support page.
• PAP Authentication Procedure Input, page 13-64
• PAP Procedure Output, page 13-65
• CHAP/MS-CHAP/ARAP Authentication Procedure Input, page 13-66
• CHAP/MS-CHAP/ARAP Procedure Output, page 13-66
For more information about authentication protocols and the external database types that support them, see Protocol-Database Compatibility, page 1-10. See also PAP Procedure Output, page 13-65, CHAP/MS-CHAP/ARAP Procedure Output, page 13-66, and EAP-TLS Procedure Output, page 13-68.
Figure 13-2 Using the ODBC Database for Authentication (diagram of the CiscoSecure “Unknown user” interface and the ODBC database; labels: name and PAP password; CHAP/ARAP password, authentication result, and accounting info; PAP authentication; CHAP/ARAP extraction).
Cisco Secure ACS with an ODBC external user database. To prepare for authenticating with an ODBC-compliant relational database, follow these steps: Step 1 Install your ODBC-compliant relational database on its server. For more information, refer to the relational database documentation.
ODBC authentication request. This requires a separate stored procedure in the relational database to support each of the three sets of protocols.
The Cisco Secure ACS product CD provides “stub” routines for creating a procedure in either Microsoft SQL Server or an Oracle database. You can either modify a copy of these routines to create your stored procedure or write your own.
For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if the SQL Server is configured to be case insensitive. For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether or not the SQL Server is configured for case-sensitive passwords.
GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
Sample Routine for Generating an SQL CHAP Authentication Procedure
The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure used by Cisco Secure ACS for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema are presented in variable text.
Sample Routine for Generating an EAP-TLS Authentication Procedure
The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure used by Cisco Secure ACS for EAP-TLS authentication. Table and column names that could vary for your database schema are presented in variable text.
– 0-16 characters. A customer-defined string that Cisco Secure ACS adds to subsequent account log file entries.
– 0-255 characters. A customer-defined string that Cisco Secure ACS writes to the CSAuth service log file if an error occurs.
CHAP/MS-CHAP/ARAP Procedure Output
The stored procedure must return a single row containing the non-null fields. Table 13-5 lists the procedure results Cisco Secure ACS expects as output from the stored procedure.
VARCHAR, the database may return a string 255 characters long, regardless of actual password length. We recommend using the VARCHAR datatype for the CHAP password field in your ODBC database.
CSNTerrorString (String) 0-255 characters. A customer-defined string that Cisco Secure ACS writes to the CSAuth service log file if an error occurs (Table 13-4).
Additionally, error codes are returned to the AAA client so it can distinguish between errors and failures and, if configured to do so, fall back to a backup AAA server. Successful or failed authentications are not logged; general Cisco Secure ACS logging mechanisms apply.
Type a descriptive name for the DSN in the Data Source Name box. Step 8 Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs. Click OK.
Click Submit. Cisco Secure ACS lists the new configuration in the External User Database Configuration table. Step 5 Click Configure.
The appropriate thread count depends on how long the DSN takes to execute the procedure and the rate at which authentications are required.
Select the Support PAP authentication check box. In the PAP SQL Procedure box, type the name of the PAP SQL procedure routine that runs on the ODBC server. The default value in this box is CSNTAuthUserPap. If you named the PAP SQL procedure something else, change this entry to match the name given to the PAP SQL procedure.
Select the Support EAP-TLS Authentication check box. In the EAP-TLS SQL Procedure box, type the name of the EAP-TLS SQL procedure routine on the ODBC server. The default value in this box is CSNTFindUser. If you named the EAP-TLS SQL procedure something else, change this entry to match the name given to the EAP-TLS SQL procedure.
For more information about authentication protocols and the external database types that support them, see Protocol-Database Compatibility, page 1-10. Cisco Secure ACS uses MS-CHAP version 1 for LEAP Proxy RADIUS Server authentication. To manage your proxy RADIUS database, refer to your RADIUS database documentation.
Step 4 If you are creating a configuration, follow these steps: Click Create New Configuration. Type a name for the new configuration for the LEAP Proxy RADIUS Server in the box provided, or accept the default name in the box. Click Submit.
• Shared Secret—The shared secret of the proxy RADIUS server. This must be identical to the shared secret with which the proxy RADIUS server is configured.
• Authentication Port—The UDP port over which the proxy RADIUS server conducts authentication sessions. If the LEAP Proxy RADIUS server is installed on the same Windows server as Cisco Secure ACS, this port should not be the same port used by Cisco Secure ACS for RADIUS authentication.
Cisco Secure ACS then maintains the accounting information. Cisco Secure ACS acts as a client to the token server. For all token servers except RSA SecurID, Cisco Secure ACS accomplishes this using the RADIUS interface of the token server. For more information about Cisco Secure ACS support of...
• About RADIUS-Enabled Token Servers, page 13-80
• Token Server RADIUS Authentication Request and Response Contents, page 13-80
• Configuring a RADIUS Token Server External User Database, page 13-81
Rather than using a vendor-proprietary API, Cisco Secure ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables Cisco Secure ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers. For information...
You should install and configure your RADIUS token server before configuring Cisco Secure ACS to authenticate users with it. For information about installing the RADIUS token server, refer to the documentation included with your token server. To configure Cisco Secure ACS to authenticate users with a RADIUS Token...
conducts authentication sessions. If the RADIUS token server is installed on the same Windows server as Cisco Secure ACS, this port should not be the same port used by Cisco Secure ACS for RADIUS authentication. For more information about the ports used by Cisco Secure ACS for RADIUS, see...
“Enter your PassGo token” prompt rather than a password prompt. Note: If you want Cisco Secure ACS to send the token server a password to trigger a challenge, select From Token Server (async tokens only), and then, in the Password box, type the password that Cisco Secure ACS will forward to the token server.
Cisco Secure ACS supports PPP (ISDN and async) and Telnet for RSA SecurID token servers. It does so by acting as a token-card client to the RSA SecurID token server. This requires that RSA token-card client software be installed on the computer running Cisco Secure ACS. The following procedure includes the steps required to install the RSA client correctly on the computer running Cisco Secure ACS.
RSA SecurID server, refer to the documentation included with your token server. Make sure you have the applicable RSA ACE Client. To configure Cisco Secure ACS to authenticate users with an RSA token server, follow these steps: Install the RSA client on the computer running Cisco Secure ACS:...
Step 6 Click Configure. Cisco Secure ACS displays the name of the token server and the path to the authenticator DLL. This information confirms that Cisco Secure ACS can contact the RSA client. You can add the RSA SecurID external user database to your Unknown User Policy or assign specific user accounts to use this database for authentication.
Step 6 Click OK to confirm that you want to delete the selected external user database configuration. The external user database configuration you selected is deleted from Cisco Secure ACS.
AAA client configured to enforce NAC. The basis of NAC is the validation of the posture, or state, of computers on a network. The role of Cisco Secure Access Control Server (ACS) for Windows Server in NAC is to perform posture validation.
When external policies are used, Cisco Secure ACS forwards posture validation requests to a NAC server.
• NAC server—Performs posture validation of the NAC-client computer when Cisco Secure ACS is configured to use external policies.
Cisco Secure ACS uses the system posture token and group mappings for the selected NAC database to determine which user group contains the authorizations applicable to the NAC-client computer.
There are five predefined, non-configurable posture tokens, used for both SPTs and APTs. Listed in order from best to worst, they are as follows:
• Healthy
• Checkup
• Quarantine
• Infected
• Unknown
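The best-to-worst ordering above is what gives a system posture token (SPT) its meaning when Cisco Secure ACS maps it to a user group. The following Python is an added example, not code from the Cisco Secure ACS user guide or from Cisco. It ranks the five tokens in the order listed, derives an SPT from a set of per-application tokens (APTs), and maps the SPT to a group. Two things are assumptions made for this example only: that the SPT is the worst of the APTs reported for a client (the guide here states only that the same five tokens serve as both SPTs and APTs), and the constructed SAMPLE_SPT_GROUP_MAP table.

```python
"""Posture-token ordering and system posture token (SPT) aggregation.

Added example; this is not code from the Cisco Secure ACS user guide. The five
token names and their best-to-worst order come from the guide. Assumptions made
here for illustration: the SPT is the worst of the application posture tokens
(APTs) reported for a client, and the sample SPT-to-group mapping table below.
"""

# Predefined posture tokens, listed best to worst (order from the guide).
POSTURE_TOKENS = ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown")
_SEVERITY = {name: rank for rank, name in enumerate(POSTURE_TOKENS)}

# Constructed sample SPT-to-group mapping (an assumption, not the guide's data).
SAMPLE_SPT_GROUP_MAP = {
    "Healthy": "NAC_Healthy",
    "Checkup": "NAC_Healthy",
    "Quarantine": "NAC_Quarantine",
    "Infected": "NAC_Quarantine",
    "Unknown": "NAC_Unknown",
}


def severity(token: str) -> int:
    """Rank of a token: 0 for Healthy up to 4 for Unknown; rejects other names."""
    try:
        return _SEVERITY[token]
    except KeyError:
        raise ValueError(f"not a predefined posture token: {token!r}") from None


def worst_token(tokens) -> str:
    """Return the worst token among an iterable of token names.

    An empty iterable yields "Unknown" (assumption: with nothing validated,
    nothing is known about the client's posture).
    """
    tokens = list(tokens)
    if not tokens:
        return "Unknown"
    return max(tokens, key=severity)


def system_posture_token(apts: dict) -> str:
    """Aggregate per-application tokens, e.g. {"Cisco:PA": "Healthy",
    "NAI:AV": "Quarantine"}, into the SPT using the worst-of rule (assumed)."""
    return worst_token(apts.values())


def group_for_spt(spt: str, mapping=SAMPLE_SPT_GROUP_MAP) -> str:
    """Map an SPT to the user group that holds the client's authorizations."""
    severity(spt)  # validates the token name before the lookup
    return mapping[spt]


if __name__ == "__main__":
    # Constructed sample APTs for one NAC client.
    apts = {"Cisco:PA": "Healthy", "NAI:AV": "Quarantine"}
    spt = system_posture_token(apts)
    print(spt, "->", group_for_spt(spt))
```

The ordering is encoded once in POSTURE_TOKENS, so a client that reports Healthy for one application and Quarantine for another lands in the quarantine group, and a token name outside the five predefined ones is rejected rather than silently treated as Healthy.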
Implementing Network Admission Control: This procedure provides steps for implementing NAC support in Cisco Secure ACS, with references to more detailed procedures for each step.
Certificate Trust List (CTL). For detailed steps, see Editing the Certificate Trust List, page If the CA that issued the server certificates used by the external database servers does not appear on the CTL, you must add the CA. For detailed steps, see a Certificate Authority Certificate, page (Optional) If the Passed Authentications log is not enabled, consider enabling it.
Related procedures: Configuring Authentication Options; Adding a AAA Client, page 6-55; Configuring a NAC Database; Configuring a CSV Log; Renaming a User (see also pages 4-16, 10-33, and 14-14).
NAC databases, one for NAI posture validation and one for Symantec posture validation, you may want separate downloadable IP ACLs for a Quarantine SPT, one that allows access only to a Symantec anti-virus server and one that allows access only to a NAI anti-virus server.
Cisco Secure ACS is configured to support NAC of non-responsive computers. The AV pair names above are case sensitive. For more information, see Non-Responsive NAC-Client Computers; Configuring Cisco IOS/PIX, page 6-40; and About the cisco-av-pair RADIUS Attribute, page C-7.
A NAC database without any mandatory credential types is a valid configuration. Cisco Secure ACS considers any posture validation request to satisfy the mandatory credential types of a NAC database that has zero...
ID and application ID. The vendor ID is the number assigned to the vendor in the IANA Assigned Numbers (for example, Cisco Systems, Inc.). Vendors assign numbers to the NAC applications they provide. For example, with Cisco Systems, Inc. applications, application ID 1 corresponds to CTA. In the HTML interface, when you specify result credential types for a local policy, credential types are identified by the names assigned to the vendor and application.
NAC database. This table contains the following options:
– Credential Types—Displays the credential types that must be present in a posture validation request in order for Cisco Secure ACS to use the database to evaluate the request. For more information, see About Rules, Rule Elements, and Attributes.
Policies page for the current NAC database. From that page, you can select external policies that the current NAC database uses and you can also access the External Policy Configuration page to create additional local policies.
Step 5 Under External User Database Configuration, select the name of the NAC database that you need to configure. Note: If only one NAC database exists, the name of that database appears instead of the list. For more information, see NAC Database Configuration Options and Policy Selection Options.
NAC database. You can select local policies, external policies, or both. To do so, follow these steps: Click either Local Policies or External Policies, as applicable. A policy selection page displays Available Policies and Selected Policies lists.
Cisco Secure ACS applies to a validation request the policies that you have selected for the NAC database that Cisco Secure ACS uses to evaluate the request. Click New Local Policy and follow the steps in Creating a Local Policy, page 14-25, before continuing this procedure.
• About Rules, Rule Elements, and Attributes, page 14-19
• Local Policy Configuration Options, page 14-22
• Rule Configuration Options, page 14-24
• Creating a Local Policy, page 14-25
NAC clients whose posture matches the second rule; therefore, the second rule should be listed first.
... corresponds to 1, and false corresponds to 0 (zero) ... the attribute in a specific posture validation ... Valid operators are = (equal to) and ...
Cisco:PA:OS-Version attribute, Cisco Secure ACS only permits the use of mathematical operators. For more information about attribute types, see About Rules, Rule Elements, and Attributes, page 14-19, and Rule Operators, page 14-20. yyyy Cisco:PA:PA-Name...
[Regular expression examples: the strings Cisco, Cisco scsi, disc, and Ciena are used to illustrate which attribute values an expression would match.]
$ (dollar)—The $ operator matches the end of a string. For example,...
Cisco Secure ACS uses as the result of applying the policy. For more information about credential types, see About NAC Credentials and Attributes, page 14-11, and Posture Tokens, page 14-4.
Attributes that can only be sent, such as Cisco:PA:System-Posture-Token, cannot be used in a rule and thus never... Under Default Rule, the meanings of the Result Credential Type list,...
If you have not already done so, access the Local Policy Configuration page. To do so, follow these steps: In the navigation bar, click External User Databases. For more information, see About Rules, Rule Elements, and Attributes, page 14-19; Local Policy Configuration Options, page 14-22; and Rule Configuration Options, page 14-24.
The rule element appears in the Rule Elements table. Verify that the rule elements are configured as intended. For more information, see About Rules, Rule Elements, and Attributes, page 14-19. For more information about operators, see Rule Operators, page 14-20.
Step 6 Configure the Default Rule; in the Default Rule table, do each of the following:
• Select a result credential type.
• Select a token. For more information, see Posture Tokens, page 14-4.
• Type an action.
About External Policies: External policies are policies that define an external NAC server, usually from an anti-virus vendor, and a set of credential types to be forwarded to the external database. You also have the option of defining a secondary external NAC server.
Cisco Secure ACS to reject the posture validation request.
External Policy Configuration Options: On the External Policy Configuration page you can specify a NAC server (and an optional second NAC server) that Cisco Secure ACS relies upon to apply the policy, and you can configure the set of credential types that Cisco Secure ACS forwards.
[http[s]://] where host is the hostname or IP address of the NAC server, port is the port number used, and resource is the rest of the URL, as required by the NAC server itself. The URL varies depending upon the server vendor and configuration.
If the CA that issued a NAC server certificate is not present on the Trusted Root CA list, you must add the CA certificate to Cisco Secure ACS. For more information, see...
• Forwarding Credential Types—Contains two lists for use in specifying which credential types are forwarded to the external server.
Creating an External Policy: This procedure describes how you can create an external policy. Before You Begin...
NAC server. For each posture validation credential type that you want Cisco Secure ACS to send to the external NAC server, select the credential type in the Available Credentials list and click the right arrow (-->). The credential type appears in the Selected Credentials list.
Step 4 Under Name, click the name of the policy you want to edit. You can add the policy to any NAC database, not just the NAC database you clicked through to reach the External Policy Configuration page.
Selected Policies list. To do so, click Local Policies or External Policies, as applicable, move the policy to the Available Policies list, and click Submit. You can modify...
Step 4 Under Name, click the name of the policy you want to delete. The applicable policy configuration page appears. If there is only one NAC database, no list of databases appears and you can click Configure.
Credential Validation Policies table no longer lists the deleted policy. All NAC databases that were configured to use the policy no longer include the deleted policy.
Unknown User Policy After you have configured at least one database in the External User Databases section of the HTML interface of Cisco Secure Access Control Server (ACS) for Windows Server, you can decide how to implement other Cisco Secure ACS features related to authentication and posture validation.
Cisco Secure ACS handles authentication and posture validation requests for known users as follows:
– Authentication—Cisco Secure ACS attempts to authenticate a known...
For more information, see NAC and the Unknown User Policy, page 15-10; Posture Validation Use of the Unknown User Policy, page 15-11; and Required Use for Posture Validation, page 15-12.
Note: Cisco Secure ACS does not import credentials (such as passwords, certificates, or NAC credential types) for a discovered user. For more information, see NAC and the Unknown User Policy, page 15-10.
The scenario given above is handled differently if user accounts with identical usernames exist in separate Windows domains. For more information, see Windows Authentication of Unknown Users, page 15-6.
When a domain name is supplied as part of an authentication request, Cisco Secure ACS detects that a domain name was supplied and tries the authentication credentials against the specified domain. The dial-up networking clients provided...
• The domain controllers in any trusted domains, in an order determined by Windows.
• If Cisco Secure ACS runs on a member server, the local accounts database.
Windows attempts to authenticate the user with the first account it finds whose username matches the one passed to Windows by Cisco Secure ACS. Whether authentication fails or succeeds, Windows does not search for other accounts with the same username;...
This small delay may require additional timeout configuration on the AAA clients through which unknown users may attempt to access your network. username. If the same user successfully authenticates without...
AAA clients. For more information about authentication timeout values in IOS, refer to your Cisco IOS documentation.
EAP-Identity field contains the string yang-laptop01:david.fry and Cisco Secure ACS creates a user account named yang-laptop01:david.fry.
NAC database. For more information about the order of NAC databases in the Selected Databases list, see Database Search Order, page 15-14.
Databases list, you can ensure that each posture validation request is handled by a NAC database with the most restrictive mandatory credential types and, therefore, the most applicable policies. For more information, see Chapter 14, “Network Admission Control”.
For authentication requests, Cisco Secure ACS applies the Unknown User Policy to unknown users only. Cisco Secure ACS does not support fallback to unknown user authentication when known or discovered users fail authentication.
Databases list is significant:
• Authentication—The Unknown User Policy supports unknown user authentication using the following logic: Find the next user database in the Selected Databases list that supports the authentication protocol of the request.
Cisco Secure ACS may use a NAC database whose policies do not evaluate client posture using the additional credential types sent by the NAC client. For more information, see NAC and the Unknown User Policy, page 15-10.
External Databases list. To assign the database search order, select a database from the Selected Databases list and click Up or Down to move it into the position you want.
Unknown user authentication is halted. Cisco Secure ACS does not allow unknown users to authenticate with external user databases. For more information about the significance of database order, see Database Search Order, page 15-14.
User Group Mapping and Specification This chapter provides information about group mapping and specification. Cisco Secure Access Control Server (ACS) for Windows Server uses these features to assign users authenticated by an external user database to a single Cisco Secure ACS group.
For example, you could configure Cisco Secure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters. You could then assign a group setup that is appropriate for users who are working away from home, such as MaxSessions=1.
Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping, follow these steps: In the navigation bar, click External User Databases.
Engineering group that would map other members of the Engineering group who were not members of Tokyo or London.
“Contractors” to the No Access group so they could not dial in to the network remotely.
Cisco Secure ACS group mapping. This restriction is not removed by adding a remote group to a group local to the domain providing authentication.
The Group Mappings for Domain: domainname table appears. To clear your domain selection, click Clear Selection.
Step 10 The group set you mapped to the Cisco Secure ACS list appears at the bottom of the database groups column. For more information, see No Access Group for Group Set Mappings, page 16-5.
The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set.
Step 3 Click the external user database configuration whose group set mapping you need to delete. You can also select <No Access>. For more information about the <No Access>...
Step 4 Click the domain name whose group set mapping you want to delete.
Step 5 Click Delete Configuration. Cisco Secure ACS displays a confirmation dialog box.
The Group Mappings for NDS Users table appears.
Step 6 Click Order mappings. Note: The Order mappings button appears only if more than one group set mapping exists for the current database.
Cisco Secure ACS displays a list of all external databases, including NAC databases.
Step 3 Click the name of the NAC database whose SPT-to-group mappings you want to configure. For more information, see Posture Tokens, page 14-4.
• RADIUS token server
Cisco Secure ACS supports per-user group mapping for users authenticated with a LEAP Proxy RADIUS Server database. This is provided in addition to the default group mapping described on page 16-2.
N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user. For example, if the LEAP Proxy RADIUS Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:...
Appendix A: Troubleshooting
• Report Issues, page A-17
• Third-Party Server Issues, page A-19
• User Authentication Issues, page A-20
• TACACS+ and RADIUS Attribute Issues, page A-22
• Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows Server Version 3.3 for a list of supported browsers.
• Ping Cisco Secure ACS to confirm connectivity.
• Verify that the remote administrator is using a valid...
ACS. Authentication fails. Recovery Action: Ensure that the SMTP server name is correct. If the name is correct, ensure that the computer running Cisco Secure ACS can ping the SMTP server or can send e-mail via a third-party e-mail software package.
Administrator database appears corrupted. Remote administrator intermittently can’t browse the Cisco Secure ACS HTML interface. Recovery Action: Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser.
For information about group mapping for NAC databases, see NAC Group Mapping, page 16-13. For more information about the Cisco IOS/PIX cisco-av-pair VSA, see About the cisco-av-pair RADIUS Attribute, page C-7.
If you have a fallback method configured on your AAA client, disable connectivity to the AAA server and log in using local/line username and password. Try to connect directly to the AAA client at the console port. If that...
The external user database is not available in the Group Mapping section. Recovery Action:
• Make sure that the correct server is listed in the Partners list.
• Make sure you have set the server correctly as either Send or Receive.
Unknown users are not authenticated. Novell NDS or Generic LDAP Group Mapping not working correctly. Recovery Action: Make sure that a two-way trust (for dial-in check) has been established between the Cisco Secure ACS domain and the other domains.
When you install Cisco Secure ACS in the default location, CSUtil.exe is located in the following directory: C:\Program Files\CiscoSecure ACS vX.X\Utils. For more information on using the csutil command, see Appendix D, “CSUtil Database Utility”.
Program Files\CiscoSecure ACS vx.x\TacConfig.txt
Program Files\CiscoSecure ACS vx.x\RadConfig.txt
• The Cisco Secure ACS services are running (CSAdmin, CSAuth, CSDBSync, CSLog, CSRadius, CSTacacs) on the computer running Cisco Secure ACS.
Fail the attempt is not selected, and ensure that the Selected Databases list reflects the necessary database. Verify that the Windows group that the user belongs to has not been mapped to No Access.
AAA client. Additionally, you can verify Cisco Secure ACS connectivity by attempting to Telnet to the access server from a workstation connected to the LAN. A successful authentication for Telnet confirms that Cisco Secure ACS is working with the AAA client.
Per-User Advanced TACACS+ Features check box. Then, go to the TACACS+ Outbound Password section of the Advanced TACACS+ Settings table on the User Setup page and type and confirm the password in the boxes provided.
Condition: A PASS is returned, but authorization returns a FAIL. Recovery Action: The configurations of the AAA client or Cisco Secure ACS are likely to be at fault. From within Cisco Secure ACS, confirm the following: Cisco Secure ACS is receiving the request.
Condition: Proxying requests to another server fails. Recovery Action: Make sure that the following conditions are met:
• The direction on the remote server is set to Incoming/Outgoing or Incoming, and the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.
Condition: MaxSessions over VPDN is not working. User MaxSessions fluctuates or is unreliable. User MaxSessions not taking effect. Recovery Action: From the Windows Registry, delete the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\...
Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to Cisco Secure ACS for Windows NT. The Unknown User database was changed. Accounting reports will still contain unknown user information.
Report Issues. Condition: The Logged in Users report works with some devices, but not with others. Recovery Action: For the report to work (and this also applies to Logged in Users...
For dial-up users, make sure you are using PAP and not MS-CHAP or CHAP; RSA/SDI does not support CHAP, and Cisco Secure ACS will not send the request to the RSA server, but rather it will log an error with external database failure.
User did not inherit settings from new group. Authentication fails. The AAA client times out when authenticating against a Windows user database. Recovery Action: Restart Cisco Secure ACS services. For steps, see...
Network-EAP check box is selected. If you are using an external user database for authentication, verify that it is supported. For more information, see Authentication Protocol-Database Compatibility, page 1-10.
TACACS+ and RADIUS Attribute Issues. Condition: TACACS+ and RADIUS attributes do not appear on the Group Setup page. Recovery Action: Make sure that you have at least one RADIUS or...
TACACS+ Attribute-Value Pairs Cisco Secure Access Control Server (ACS) for Windows Server supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value. Cisco IOS AV Pair Dictionary Before selecting TACACS+ AV pairs for Cisco Secure ACS, confirm that your AAA client is running Cisco IOS Release 11.2 or later.
RADIUS Attributes Cisco Secure Access Control Server (ACS) for Windows Server supports many RADIUS attributes. You can enable different attribute-value (AV) pairs for IETF RADIUS and for any supported vendor. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes supported by Cisco Secure ACS.
Cisco IOS or compatible AAA client software. For more information, see Network and Port Requirements. Settings in a user profile override settings in a group profile. For example, if Session-Timeout is configured in the user profile and also in the group the user is assigned to, Cisco Secure ACS sends the AAA client the Session-Timeout value specified in the user profile.
Cisco IOS Dictionary of RADIUS AV Pairs: [Table columns Type of Value, Inbound/Outbound, and Multiple. Attribute names recovered from the table: Session-Timeout, Idle-Timeout, Called-Station-ID, Calling-Station-ID, Login-LAT-Service, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-ID, Acct-Authentic, Acct-Session-Time. Value types present: Integer, Ipaddr (maximum length 15 characters), String, Integer (maximum length 10 characters).] Table C-2 lists the...
EXEC commands.
About the cisco-av-pair RADIUS Attribute: [Table columns Type of Value, Inbound/Outbound, and Multiple; value type String (maximum length 247 characters).]
NAC-client computer requires an update or patch that you have made available on a remediation web server. For example, a user can be redirected to a remediation web server to download and apply a new virus DAT file or an operating system patch. For example: url-redirect=http://10.1.1.1...
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs. Table C-3 lists the supported... [Table columns Type of Value, Inbound/Outbound, and Multiple; value types present: String (maximum length 247 characters), Integer (maximum length 10 characters), Ipaddr (maximum length 15 characters), Integer. Attributes recovered from the table: CVPN3000-SEP-Card-Assignment, CVPN3000-Tunneling-Protocols, CVPN3000-IPSec-Sec-Association, CVPN3000-IPSec-Authentication, CVPN3000-IPSec-Banner1, CVPN3000-IPSec-Allow-Passwd-Store, CVPN3000-Use-Client-Address, CVPN3000-PPTP-Encryption, CVPN3000-L2TP-Encryption, CVPN3000-IPSec-Split-Tunnel-List, CVPN3000-IPSec-Default-Domain, CVPN3000-IPSec-Split-DNS-Names, CVPN3000-IPSec-Split-Tunneling-Policy, CVPN3000-IPSec-Required-Client-Firewall-Capability, CVPN3000-IPSec-Client-Firewall-Filter-Name, CVPN3000-IPSec-Client-Firewall-Filter-Optional, CVPN3000-IPSec-Backup-Servers, CVPN3000-IPSec-Backup-Server-List, CVPN3000-MS-Client-Intercept-DHCP-Configure-Message, CVPN3000-MS-Client-Subnet-Mask.]
Authentication Protocol) response to an Access-Challenge.
NAS-IP-Address—IP address of the AAA client that is requesting authentication.
Table C-5 lists the supported Cisco BBSM RADIUS VSA (Type of Value: Integer). ... lists the supported RADIUS (IETF) attributes.
For channels on a basic rate ISDN interface, the value is 3bb0c. For other types of interfaces, the value is 6nnss.
IETF Dictionary of RADIUS AV Pairs: [Table columns Type of Value, Inbound/Outbound, and Multiple.]
This AV results in a static route being added for Framed-IP-Address with the mask specified. In a request: Framed—For known PPP –...
[IETF Dictionary of RADIUS AV Pairs, continued: value types Integer, String, Integer (maximum length 10 characters), Ipaddr (maximum length 15 characters); attribute names not recovered.]
[metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are ignored.
Framed-IPX-Network —
Values: 0: Telnet, 1: Rlogin, 2: TCP-Clear, 3: PortMaster, 4: LAT...
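As an added example of the Framed-Route semantics just stated (not code from the Cisco Secure ACS user guide or from Cisco), the following Python parses the Framed-Route values returned for a session. It assumes the RFC 2865 attribute syntax, a destination with prefix length followed by an optional router and an optional metric, since only the tail of that syntax survives on this page, and applies the guide's rules: an omitted or zero router field means the peer IP address, and the metric is accepted but ignored. The sample values and the peer address are constructed for the example.

```python
"""Parse RADIUS Framed-Route values as described in the text above.

Added example; this is not code from the Cisco Secure ACS user guide or from
Cisco. Assumed syntax (RFC 2865 Framed-Route): "destination/prefix [router
[metric]]". Rules taken from the guide: a missing router field, or a router of
0 (zero), means the peer IP address is used, and the metric is ignored.
"""
import ipaddress


def parse_framed_route(value: str, peer_ip: str) -> dict:
    """Return {"destination": "a.b.c.d/n", "gateway": "x.x.x.x"} for one
    Framed-Route value. peer_ip is the address assigned to the PPP peer."""
    fields = value.split()
    if not fields:
        raise ValueError("empty Framed-Route value")
    # Destination with its mask; strict=False tolerates host bits set in the
    # destination address (the prefix length still governs the route).
    destination = ipaddress.ip_network(fields[0], strict=False)
    router = fields[1] if len(fields) > 1 else "0"
    # A bare "0" or the all-zero address both count as "omitted" here.
    if router in ("0", "0.0.0.0"):
        gateway = ipaddress.ip_address(peer_ip)
    else:
        gateway = ipaddress.ip_address(router)  # rejects a malformed router
    # fields[2:] would hold the metric: accepted but ignored, as the guide says.
    return {"destination": str(destination), "gateway": str(gateway)}


def routes_for_session(framed_routes, peer_ip: str) -> list:
    """Parse every Framed-Route value returned for one session (the attribute
    may appear more than once in an Access-Accept)."""
    return [parse_framed_route(v, peer_ip) for v in framed_routes]


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    sample = ["192.168.1.0/24 192.168.1.1 1", "192.168.2.0/24", "10.9.0.0/16 0 5"]
    for route in routes_for_session(sample, peer_ip="10.0.0.5"):
        print(route)
```

Validating the router through ipaddress.ip_address means a value that is neither an address nor zero raises instead of being installed as a route, which is the behaviour you want when the attribute comes from a proxied or third-party RADIUS reply.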
PPP sessions. 78-16592-01 IETF Dictionary of RADIUS AV Pairs Type of Value String (maximum length 253 characters) String String Integer (maximum length 10 characters) User Guide for Cisco Secure ACS for Windows Server Inbound/Out bound Multiple Outbound Both Outbound Outbound C-19...
Page 692
Included in proxied RADIUS requests per RADIUS standards. The operation of Cisco Secure ACS does not depend on the contents of this attribute.
Acct-Output-Packets: Number of packets sent to the port while this service is being delivered to a framed user.
12: Port unneeded
13: Port pre-empted
14: Port suspended
15: Service unavailable
16: Callback
17: User error
18: Host request
Login-LAT-Port —
Tunnel-Type —
Tunnel-Medium-Type —
0: Asynchronous
1: Synchronous
2: ISDN-Synchronous
3: ISDN-Asynchronous (V.120)
4: ISDN-Asynchronous (V.110)
5: Virtual
Multilink-ID —
Num-In-Multilink —
Pre-Input-Octets —
Pre-Output-Octets —
Pre-Input-Packets —
MS-CHAP-Response: String
MS-CHAP-Error: String
MS-CHAP-CPW-1: String
MS-CHAP-CPW-2: String
lists the supported MPPE RADIUS VSAs.
MPPE. It is a four octet integer that is interpreted as a string of bits.
NT-Enc-PW: String
MS-CHAP2-Response: String
MS-CHAP2- (name truncated in the source): String
The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets. The MS-CHAP-MPPE-Keys
Ascend Dictionary of RADIUS AV Pairs
Table C-8 contains
(table continued; the attribute names were recovered from the extraction, the Type of Value and Inbound/Outbound columns were not):
Reply-Message
Callback-ID
Callback-Name
Framed-Route
Framed-IPX-Network
State
Class
Vendor-Specific
Call-Station-ID
Calling-Station-ID
Acct-Status-Type
Acct-Delay-Time
Acct-Input-Octets
Acct-Output-Octets
Ascend-CBCP-Trunk-Group
Ascend-AppleTalk-Route
Ascend-AppleTalk-Peer-Mode
Ascend-Route-AppleTalk
Ascend-FCP-Parameter
Ascend-Modem-PortNo
Ascend-Modem-SlotNo
Ascend-Modem-ShelfNo
Ascend-Call-Attempt-Limit
Ascend-Call-Block_Duration
Ascend-Maximum-Call-Duration
Ascend-Router-Preference
Ascend-Tunneling-Protocol
Ascend-Session-Svr-Key
Multicast Rate Limit Per Client:
Ascend-Multicast-Rate-Limit
Connection Profile Fields to Support Interface-Based Routing:
Ascend-IF-Netmask
Ascend-Remote-Addr
Multicast Support:
Ascend-Multicast-Client
Ascend-IPX-Route
Ascend-FT1-Caller
Ascend-Backup
Ascend-Call-Type
Ascend-Group
Ascend-FR-DLCI
Ascend-FR-Profile-Name
Ascend-Ara-PW
Ascend-IPX-Node-Addr
Ascend-Home-Agent-IP-Addr
Ascend-Home-Agent-Password
Ascend-PPP-VJ-Slot-Comp
Ascend-PPP-VJ-1172
Ascend-PPP-Async-Map
Ascend-Third-Prompt
Ascend-Send-Secret
Ascend-Receive-Secret
Ascend-IPX-Peer-Mode
Ascend-IP-Pool-Definition
Ascend-Assign-IP-Pool
Ascend-FR-Direct
Ascend-FR-Direct-Profile
Connection Profile/Telco Options:
Ascend-Callback
Ascend-Data-Svc
Ascend-Force-56
Ascend-Billing-Number
Ascend-Call-By-Call
Ascend-Transit-Number
Terminal Server Attributes:
Ascend-Host-Info
PPP Local Address Attribute:

Nortel Dictionary of RADIUS VSAs

Table C-10 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS.
Table C-10 Juniper RADIUS VSAs
Juniper-Local-User-Name
Juniper-Allow-Commands
Juniper-Deny-Commands
Type of Value (column truncated in the source): String (maximum length 247 characters); String (maximum length
CSUtil Database Utility This appendix details the Cisco Secure Access Control Server (ACS) for Windows Server command-line utility, CSUtil.exe. Among its several functions, CSUtil.exe enables you to add, change, and delete users from a colon-delimited text file. You can also use the utility to add and delete AAA client configurations.
CSUtil.exe command syntax (garbled in the extraction; the recoverable fragments follow in their original order):
] [-f] [-n] [-u] [-x] [-y] [-listUDV] [-addUDV [-delUDV slot] [-t -filepath username user list filepath | -f vendor-ID application-ID attribute-ID [-delAVP CSUtil.exe filename filename ] [[-p] -l full filepath password

CSUtil.exe Options
• Backing Up Cisco Secure ACS with CSUtil.exe, page
• Recalculating CRC Values, page
• Creating a Cisco Secure ACS Database, page D-10
• Decoding Error Numbers, page
• Exporting Group Information to a Text File, page
• -delUDV—Delete a user-defined RADIUS VSA. For more information about this option, see Vendor and VSA Set, page
Other topics referenced on these pages: Loading the Cisco Secure ACS Database from a Dump File, page D-11; Restoring Cisco Secure ACS with CSUtil.exe; PAC File Generation.
CSUtil.exe generates a complete backup of all Cisco Secure ACS internal data, including user accounts and system configuration. This process may take a few minutes.
Note: CSUtil.exe displays the error message “Backup Failed” when it attempts to back up components of Cisco Secure ACS that are empty, such as when no administrator accounts exist.
Restoring Cisco Secure ACS with CSUtil.exe
CSUtil.exe -r users filename
where filename is the name of the backup file. Press Enter.
Unless you have a current backup or dump of your CiscoSecure user database, all user accounts are lost when you use this option.
If the backup file is missing a database component, CSUtil.exe displays an error message.
For more information, see Location of CSUtil.exe and Related Files, page D-2, and Cisco Secure ACS Backup.
Step 6 To resume user authentication, type net start csauth and press Enter.
For more information, see Creating a CiscoSecure User Database, page D-10, and Location of CSUtil.exe and Related Files, page D-2.
Step 4 To confirm that you want to dump all Cisco Secure ACS internal data into dump.txt, type Y and press Enter. CSUtil.exe creates the dump.txt file. This process may take a few minutes.
The CSAuth service stops.

Loading the Cisco Secure ACS Database from a Dump File
the -l option allows for loading a renamed dump.txt file
Over time, your CiscoSecure user database may be substantially larger than is required by the number of users it contains. To reduce the CiscoSecure user database size, you can compact it periodically.
Overwriting the database does not preserve any data;
If you include the -q option in the command, CSUtil.exe does not prompt you for confirmation of initializing or loading the database.

Compacting the CiscoSecure User Database
For more information, see Location of CSUtil.exe and Related Files, page D-2.
This process may take a few minutes.
• About User and AAA Client Import File Format, page D-17
• ONLINE or OFFLINE Statement, page D-17
Enter. The CSRadius service stops.

User and AAA Client Import Option
For more information, see User and AAA Client Import File Format and Location of CSUtil.exe and Related Files, page D-2.
For example, importing 100,000 users in the OFFLINE mode takes less than one minute.
Table D-1
EXT_NT —
EXT_NDS —
Add user information to Cisco Secure ACS. If the username already exists, no information is changed.
Group number to which the user is assigned. This must be a number from 0 to 499, not a name.
Authenticate the username with a LEAP proxy RADIUS server external user database.
Authenticate the username with a RADIUS token server external user database.
Table D-3
EXT_LDAP —
EXT_LEAP —
EXT_RADIUS No —
Update user information to Cisco Secure ACS.
Group number to which the user is assigned. This must be a number from 0 to 499, not a name.
Cisco Secure ACS. The valid tokens for ADD_NAS statements are listed in Table D-5.
The name of the user account that is to be deleted.
The name of the AAA client that is to be added.
VENDOR description
NDG name: The name of the Network Device Group to which the AAA
For AAA clients using TACACS+ only, the value set for this token specifies whether the Log Update/Watchdog Packets from this Access Server option is enabled. For more information, see Adding a AAA Client, page
shared secret :KEY: :VENDOR:"TACACS+ (Cisco IOS)":NDG:"East
Step 1 On the computer running Cisco Secure ACS, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files, page D-2.
The users.txt file is useful primarily for debugging purposes

Exporting Group Information to a Text File
Step 2 Type CSUtil.exe -y and press Enter.
The groups.txt file is primarily useful for debugging purposes while
setup.txt
In this example, the error code number that you could use CSUtil.exe to decode is “-1087”:
C:\Program Files\CiscoSecure ACS v
CSUtil v3.0(1.14), Copyright 1997-2001, Cisco Systems Inc
Code -1087 : External database reported error during authentication
The -e option applies to Cisco Secure ACS internal error codes only, not to
• Exporting Custom RADIUS Vendor and VSA Sets, page D-33
• RADIUS Vendor/VSA Import File, page D-34
The hyphen (-) before number is required.
Note: ACS, all Cisco Secure ACS services are automatically stopped and restarted. No users are authenticated during this process.

User-Defined RADIUS Vendors and VSA Sets
For more information, see CiscoSecure Database Replication, page 9-25.
• Make sure that regedit is not running. If regedit is running on the Cisco Secure ACS Windows server, it can prevent Registry updates required for adding a custom RADIUS vendor and VSA set.
To add a custom RADIUS VSA to Cisco Secure ACS, follow these steps:
RADIUS vendors and VSAs after reinstallation or upgrading to a later release. For more information, see AAA Client Configuration, page 4-11, Accounting Logs, page 11-6, and Location of CSUtil.exe and Related Files, page D-2.
CSUtil.exe. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files, page D-2.
slot-number
For more information about determining what RADIUS vendor a
System UDVs
UDV_n.ini, where n is the slot number
Each section comprises a section header and a set of keys and values. The order of the sections in the RADIUS vendor/VSA import file is irrelevant.
directory, where CSUtil.exe is located, is replaced, including
To facilitate this, we recommend that you prefix the vendor name to each attribute name, such as “widget-encryption” for an encryption-related attribute for the vendor Widget. This also makes accounting logs easier to understand.
VSA set section. Table D-8 lists the valid keys for an attribute definition section.
Note: Several attributes can reference the same enumeration section. For more information, see Enumeration Definition, page D-38, and Accounting Logs, page 11-6.
Enums key, thus allowing for reuse of common enumeration definitions. An enumeration definition section can have up to 1000 keys. Table D-10 lists the valid keys for an enumeration definition section.
Cisco Secure ACS uses these string values in the HTML interface. For example, if 0 through 4 are valid integer values for a given attribute, its enumeration definition would contain the following:
value0
value1
value2
value3
value4
For more information, see EAP-FAST Authentication, page 10-13.
This section contains the following topics:
• PAC File Options and Examples, page D-41
• Generating PAC Files, page D-43
-u username—CSUtil.exe generates a PAC file for the user specified by name (username). For example, if you ran CSUtil.exe -t -u seaniemop, CSUtil.exe would generate a single PAC file, named seaniemop.pac. For the domain-qualified user ENGINEERING\augustin, the file would be named ENGINEERING_augustin.pac.
– Contain numbers in addition to letters.
– Contain no common words or names.
seaniemop.pac
jwiedman.pac
We recommend that you use a password you devise rather than the default password.
For more information, see About PACs, page 10-17, and PAC File Options and Examples, page D-41, to determine
additional arguments would be seaniemop seaniemop.pac ENGINEERING\augustin
and a PAC file for the would be
Use a semi-colon to identify lines that are comments.
Chapter 14, “Network Admission
Default Posture Validation Attribute Definition File, page D-52
The vendor number should be the number assigned to the vendor. In the example, vendor ID 9 corresponds to Cisco Systems, Inc.
shows an example of a posture validation attribute definition,
ID and application ID specified.
Note: The vendor name cannot differ for each attribute that shares the same vendor ID. For example, you cannot add an attribute with a vendor-id of 9 if the vendor-name is not “Cisco”.
Valid values of attribute-type are:
– boolean
– string
– integer
– unsigned integer
– ipaddr
– date
– version
– octet-array
the attribute-type determines the types of operators available for (page 14-19)
• If you are prompted to confirm overwriting a file with the same path and name that you specified in
• To overwrite the file, type Y and press Enter.
For an example of an attribute definition file, see Default Posture Validation Attribute Definition File, page D-52. For more information, see Exporting Posture Validation Attribute Definitions, page, and Posture Validation Attribute Definition File, page
CSUtil.exe adds or modifies the attributes specified in the file. An example of a successful addition of nine posture validation attributes follows:
C:.../Utils 21: csutil -addavp myavp.txt
CSUtil v3.3(1.6), Copyright 1997-2001, Cisco Systems Inc
Attribute 9876:1:11 (Calliope) added to registry
Attribute 9876:1:3 (Clio) added to registry
ID of 9876, an application ID of 1, and an attribute ID of 1. You can use the -q option to suppress the confirmation prompt.
For more information, see Exporting Posture Validation Attribute Definitions, page D-48.
CSUtil v3.3, Copyright 1997-2004, Cisco Systems Inc
Are you sure you want to delete vendor 9876; application 1; attribute 1? (y/n)
Vendor 9876; application 1; attribute 1 was successfully deleted
Step 4 If you are ready to make the attribute deletion take effect, restart the CSAuth and CSAdmin services.
[attr#3]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00004
attribute-name=PA-Version
attribute-profile=in out
attribute-type=version
[attr#4]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00005
attribute-name=OS-Type
attribute-profile=in out
attribute-type=string
[attr#5]
vendor-id=9
vendor-name=Cisco
application-id=1
...
[attr#8]
vendor-id=9
vendor-name=Cisco
application-id=2
application-name=Host
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer
[attr#9]
vendor-id=9
vendor-name=Cisco
application-id=2
application-name=Host
attribute-id=00006
attribute-name=ServicePacks
attribute-profile=in
attribute-type=string
[attr#10]
vendor-id=9
...
[attr#12]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer
[attr#13]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer
[attr#14]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=00005
attribute-name=CSAVersion
attribute-profile=in
attribute-type=version
...
[attr#17]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=32768
attribute-name=CSAMCName
attribute-profile=in
attribute-type=string
[attr#18]
vendor-id=9
vendor-name=Cisco
application-id=5
application-name=HIP
attribute-id=32769
attribute-name=CSAStates
attribute-profile=in
attribute-type=string
[attr#19]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
...
[attr#22]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00004
attribute-name=Software-ID
attribute-profile=in out
attribute-type=unsigned integer
[attr#23]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00005
attribute-name=Software-Version
attribute-profile=in out
attribute-type=version
[attr#24]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00006
...
[attr#27]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00009
attribute-name=Protection-Enabled
attribute-profile=in out
attribute-type=unsigned integer
[attr#28]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00010
attribute-name=Action
attribute-profile=out
attribute-type=string
[attr#29]
vendor-id=3401
vendor-name=NAI
application-id=3
...
[attr#32]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00004
attribute-name=Software-ID
attribute-profile=in out
attribute-type=unsigned integer
[attr#33]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00005
attribute-name=Software-Version
attribute-profile=in out
attribute-type=version
[att# 34]
vendor-id=3401
...
[attr#37]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00009
attribute-name=Protection-Enabled
attribute-profile=in out
attribute-type=unsigned integer
[attr#38]
vendor-id=3401
vendor-name=NAI
application-id=3
application-name=AV
attribute-id=00010
attribute-name=Action
attribute-profile=out
attribute-type=string
...
[attr#42]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00004
attribute-name=Software-ID
attribute-profile=in out
attribute-type=unsigned integer
[attr#43]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00005
attribute-name=Software-Version
attribute-profile=in out
...
[attr#46]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00008
attribute-name=Dat-Date
attribute-profile=in out
attribute-type=date
[attr#47]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00009
attribute-name=Protection-Enabled
attribute-profile=in out
attribute-type=unsigned integer
[attr#48]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00010
...
[attr#49]
vendor-id=10000
vendor-name=out
application-id=1
application-name=CNAC
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=string
[attr#50]
vendor-id=10000
vendor-name=out
application-id=1
application-name=CNAC
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=string
[attr#51]
vendor-id=10000
vendor-name=out
application-id=1
application-name=CNAC
attribute-id=00003
attribute-name=Reason
attribute-profile=out
attribute-type=string
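The attribute definition file format shown above, as an added example that is not part of this guide or of Cisco's tooling: a small Python parser and checker for the [attr#N] sections, applying the two constraints the appendix states (attribute-type must be one of the listed values, and attributes sharing a vendor-id must carry the same vendor-name). The well-formed sample sections are copied from the listing, the defective section is constructed, and the "added to registry" line format is assumed from the -addAVP output shown earlier.

```python
"""Parser and consistency checker for a CSUtil posture validation attribute
definition file (the [attr#N] sections listed above). Added example, not Cisco's
code: it checks that attribute-type is one of the listed values and that attributes
sharing a vendor-id carry the same vendor-name, as the appendix requires."""
import re
from collections import defaultdict

# Valid attribute-type values, as listed in the appendix.
VALID_TYPES = {"boolean", "string", "integer", "unsigned integer",
               "ipaddr", "date", "version", "octet-array"}
REQUIRED_KEYS = ("vendor-id", "vendor-name", "application-id",
                 "application-name", "attribute-id", "attribute-name",
                 "attribute-profile", "attribute-type")
SECTION_RE = re.compile(r"^\[attr#(\d+)\]$")

# Two sections copied from the default attribute definition file shown above.
SAMPLE_OK = """\
; a semi-colon marks a comment line
[attr#3]
vendor-id=9
vendor-name=Cisco
application-id=1
application-name=PA
attribute-id=00004
attribute-name=PA-Version
attribute-profile=in out
attribute-type=version
[attr#22]
vendor-id=393
vendor-name=Symantec
application-id=3
application-name=AV
attribute-id=00004
attribute-name=Software-ID
attribute-profile=in out
attribute-type=unsigned integer
"""

# Constructed section with two defects: vendor 9 renamed, and a type that is not valid.
SAMPLE_BAD = SAMPLE_OK + """\
[attr#99]
vendor-id=9
vendor-name=Widget
application-id=1
application-name=PA
attribute-id=00009
attribute-name=Bogus
attribute-profile=in
attribute-type=float
"""


def parse_attr_file(text):
    """Return {section_number: {key: value}} for every [attr#N] section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        match = SECTION_RE.match(line)
        if match:
            current = int(match.group(1))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def validate(sections):
    """Return a list of problems; an empty list means the file passes both rules."""
    problems, names_by_vendor = [], defaultdict(set)
    for num, attr in sorted(sections.items()):
        missing = [k for k in REQUIRED_KEYS if k not in attr]
        if missing:
            problems.append(f"[attr#{num}] missing keys: {', '.join(missing)}")
            continue
        if attr["attribute-type"] not in VALID_TYPES:
            problems.append(f"[attr#{num}] invalid attribute-type {attr['attribute-type']!r}")
        try:
            vendor_id = int(attr["vendor-id"])
        except ValueError:
            problems.append(f"[attr#{num}] non-numeric vendor-id {attr['vendor-id']!r}")
            continue
        names_by_vendor[vendor_id].add(attr["vendor-name"])
    # The vendor name cannot differ between attributes that share a vendor ID.
    for vendor_id, names in sorted(names_by_vendor.items()):
        if len(names) > 1:
            problems.append(f"vendor-id {vendor_id} carries several vendor-names: {sorted(names)}")
    return problems


def registry_lines(sections):
    """Format each attribute the way the -addAVP output above reports it."""
    return [f"Attribute {int(a['vendor-id'])}:{int(a['application-id'])}:{int(a['attribute-id'])} "
            f"({a['attribute-name']}) added to registry" for _, a in sorted(sections.items())]
```

Running validate over a file before handing it to csutil -addavp surfaces the vendor-name conflict that CSUtil would otherwise reject one attribute at a time.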
This section describes the steps for processing VPDN requests in a standard environment. A VPDN user dials in to the network access server (NAS) of the regional service provider (RSP). The standard call/point-to-point protocol (PPP) setup is done. A username and password are sent to the NAS in the format username@domain (for example, mary@corporation.us).
If the domain authorization fails, the NAS assumes the user is not a VPDN user. The NAS then authenticates (not authorizes) the user as if the user is a standard non-VPDN dial user. See VPDN User Dials In, page E-2.
(nas_tun). See Figure E-4.
Figure residue: Authorization reply; Tunnel ID = nas_tun; IP address = 10.1.1.1; User = mary@corporation.us; failed; VPDN user.
Figure: HG Authenticates Tunnel with the NAS (CHAP challenge; Username = nas_tun; Password = CHAP_stuff; User = mary@corporation.us; Corporation).
The NAS now uses its ACS to authenticate the tunnel from the HG. See Figure E-6.
HG uses its ACS to authenticate the user.
Figure: NAS Authenticates Tunnel with ACS; VPDN Tunnel is Established (CHAP response; Username = home_gate; Password = CHAP_stuff; VPDN user).
Instead, it passes the user through the existing tunnel to the HG. See Figure E-10.
Figure E-10 Another User Dials In While Tunnel is Up
Figure: HG Uses ACS to Authenticate User (Username = mary@corporation.us; Password = secret; Corporation).
RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of Cisco Secure Access Control Server (ACS) for Windows Server uses a table named “accountActions” as input for automated or manual updates of the CiscoSecure user database.
Table F-1 also reflects the order in which the fields
Table F-1 accountActions fields (columns: Type, Size (Max. Length), Description):
SequenceId
Priority
UserName
GroupName
Action
ValueName
Value1
Value2
Value3
DateTime
Used to number related transactions for audit purposes. (String)
RESERVED by CSDBSync. (String)
The type of configuration parameter to change. (Number)
TRI-STATE: 0=not processed, 1=done, 2=failed. This should normally be set to 0.
For more information, see An Example of accountActions, page F-4.

accountActions Specification
For more information about the mnemonic names of accountActions fields, see Table F-1. For more information about the mandatory fields, see accountActions Mandatory Fields, page F-3.
Cisco representative, you can only use these action codes for assigning values to user-defined fields (see User-Specific Attributes, page F-32).

Action Codes
Table F-2, instruct RDBMS Synchronization to assign a
SET_VALUE (Required: UN|GN, AI, VN, V1, V2): Sets a value (V1) named (VN) of type (V2) for App ID (AI).
DELETE_VALUE (Required: UN|GN, AI, ...):
CHAP/ARAP will also default to this.
(Required: UN, V1) Sets the CHAP/ARAP password for a user (64 characters maximum).
(Required: UN, V1) Sets the CHAP/ARAP password for a user (32 characters maximum).

User Creation and Modification Action Codes (continued)
SET_T+_ENABLE_PASS (Required: UN, VN, V1, V2, ...): Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15).
SET_GROUP:
• PASS_STATUS_EXPIRES—Password expires on a given date.
• PASS_STATUS_NEVER—Password never expires.
• PASS_STATUS_WRONG—Password expires after a given number of login attempts using the wrong password.
• PASS_STATUS_DISABLED—The account has been disabled.
ADD_PASS_STATUS (Required: UN, V1): Defines how a password should be expired by Cisco Secure ACS. To set multiple password states for a user, use multiple instances of this action.
SET_PASS_EXPIRY_WRONG:
SET_PASS_EXPIRY_DATE:
SET_MAX_SESSIONS (Required: UN|GN, ...):
Page 797
12:01 A.M. on the first of the month until midnight on the last day of the month. QUOTA_PERIOD_ABSOLUTE—The quota is • enforced in an ongoing basis, without an end. User Guide for Cisco Secure ACS for Windows Server Action Codes F-11...
Page 798
User Creation and Modification Action Codes (continued)
DISABLE_QUOTA (Required: UN|GN, ...): Disables a group or user usage quota. VN defines the quota type. Valid values are:
• online time—The quota limits the user or group by...
RESET_COUNTERS: ...
SET_QUOTA_APPLY_TYPE: ...
271 to add DCS to NDG mappings for the user or group.
Note: Changing a user or group assignment type (V1) results in clearing previous data, including NDG to DCS mappings (defined by action 271).
Table F-4 Action Codes for Initializing and Modifying Access Filters
filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users.
Optionally, the AAA client name can be “All AAA clients” to specify that the filter applies to all configured AAA clients and an asterisk (*) to represent all ports.
ADD_DIAL_ACCESS_FILTER (Required: UN|GN, V1, V2): Adds a dial-up filter for the user|group. V1 should contain one of the following values:
• Calling station ID
...
SET_TOKEN_CACHE_SESSION: ...
SET_TOKEN_CACHE_TIME: ...
“0” represents an hour that is denied. If this parameter is not specified for a user, the group setting applies. The default group setting is “111111111111” and so on.
Action Codes for Initializing and Modifying Access Filters (continued)
SET_STATIC_IP (Required: UN, V1, V2): Configures the (TACACS+ and RADIUS) IP address assignment for this user.
SET_CALLBACK_NO: ...
For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair: VN = "Vendor-Specific", V2 = "9", V3 = "1". For more information, see Chapter 6, “User Group Management”.
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)
ADD_RADIUS_ATTR (Required: UN|GN, VN, V1, ...): Adds to the attribute named (VN) the value (V1) for the user/group (UN|GN).
V1 = "ppp", V2 = "ip"
UN = "fred", V1 = "ppp", V2 = "ip"
UN = "fred", V1 = "exec"
This also resets the valid attributes for the service.
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)
ADD_TACACS_ATTR (Required: UN|GN, ...): Sets a service-specific attribute. The service must...
REMOVE_TACACS_ATTR: ...
UN = "fred", VN = "configure"
Users of Group 1 can no longer use the Cisco IOS telnet command. User fred can no longer use the configure command.
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued)
ADD_IOS_COMMAND_ARG (Required: UN|GN, VN, V1, V2): Specifies a set of command-line arguments that are either permitted or denied for the Cisco IOS command contained in VN.
REMOVE_IOS_COMMAND_ARG: ...
• GN = name of group
• V1 = ENABLE or DISABLE
... lists the action codes for adding AAA clients, AAA servers, network ...
Table F-6 Action Codes for Modifying Network Configuration
ADD_NAS (Required: VN, V1, ...): Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and the enterprise code for the vendor (V3).
(Required: VN, V1, V2): Adds a new AAA server named (VN) with IP address (V1), shared secret key (V2).
(Required: VN, V1, ...): ...
SET_AAA_TRAFFIC_TYPE (Required: VN, V1): Sets the appropriate traffic type (V1) for the named AAA server (VN):
• TRAFFIC_TYPE_INBOUND
...
DEL_AAA_SERVER, ADD_PROXY, ADD_PROXY_TARGET, DEL_PROXY: ...
Creates a network device group (NDG) named (VN).
Deletes the named NDG.
Adds to the named AAA client/AAA server (VN) the NDG (V1).
...MODULES (Required: none): Restarts the CSRadius and CSTacacs services to apply new settings.
ADD_UDV: ...
Action Codes for Modifying Network Configuration (continued)
DEL_UDV: Removes the vendor with the IETF code specified in V1 and any defined VSAs.
ADD_VSA: ...
V3 contains the VSA Enum Value. Example:
VN = Disabled, V1 = 9034, V2 = MyCo-Encryption, V3 = 0
VN = Enabled, V1 = 9034, V2 = MyCo-Encryption, V3 = 1
Some features are processed only if they have a value assigned to them. For more information about action codes, see ...
Cisco Secure ACS Attributes and Action Codes (table residue): String, 168 characters; Bool, enabled; Bool, permit/deny ACL; String, 0-31 KB (see Table F-4); defaults “Default Group”, LIBRARY_CSDB, PASS_TYPE_CSDB (password is cleartext PAP); action codes: Table F-3.
You can configure Cisco Secure ACS to include UDAs on accounting logs about user activity. For more information about configuring UDAs, see Configuration Options, page ...
Example values: Engineering, 949-555-1111
... lists the attributes that define a Cisco Secure ACS group, including their Action Codes, page F-4.
Cisco Secure ACS Attributes and Action Codes (table residue): columns Value2 (V2), AppId (AI); values TYPE_STRING, APP_CSAUTH...
VoIP Support
An Example of accountActions
Table F-10 ... the action codes described in ... along with his passwords, including a TACACS_ Enable password with privilege ...
(table residue: Logical Type, Limits, Unsigned short...)
An Example of accountActions (Table F-10 residue): rows carrying the values PASS_STATUS_NEVER, PASS_STATUS_WRONG, PASS_STATUS_EXPIRES, and 19991231; the Value3 (V3) and AppId (AI) columns are empty (—).
(Table F-10 residue, continued): rows for Group 2, with the RADIUS attribute names Reply-Message and Vendor-Specific, and ACCESS_PERMIT among the Value1 (V1)/Value2 (V2) entries.
Internal Architecture
This chapter describes the Cisco Secure ACS for Windows Server architectural components. It includes the following topics:
• Windows Services, page G-1
• Windows Registry, page G-2
• CSAdmin, page G-2
• CSAuth, page G-3
• CSDBSync, page G-4
• ...
CSAdmin
CSAdmin is the service that provides the web server for the Cisco Secure ACS HTML interface. After Cisco Secure ACS is installed, you must configure it from its HTML interface; therefore, CSAdmin must be running when you configure Cisco Secure ACS.
HTML interface, this does not include starting or stopping CSAdmin. If CSAdmin stops abnormally because of an external action, you cannot access Cisco Secure ACS from any computer other than the Windows server on which it is running. You can start or stop CSAdmin from Windows Control Panel.
CSDBSync is the service used to synchronize the Cisco Secure ACS database with third-party relational database management system (RDBMS) systems. CSDBSync synchronizes AAA client, AAA server, network device groups (NDGs) and Proxy Table information with data from a table in an external relational database.
Additionally, it records whether retries were necessary to achieve a successful response. By tracking the average time for each test authentication, CSMon can build up a “picture” of expected response time on the system in question. CSMon can therefore detect whether excess re-tries are required for each authentication or if response times for a single authentication exceed a percentage threshold over the average.
• Logging to the Windows Event Log is enabled by default but can be disabled.
These actions include running the CSSupport utility, which captures most of the parameters dealing with the state of the system at the time of the event. ... Monitoring, page G-5. These events are...
For more information about TACACS+ AV pairs, see Appendix B, “TACACS+ Attribute-Value Pairs”. For more information about RADIUS AV pairs, see Appendix C, “RADIUS Attributes”.