Cisco Secure ACS 3.3 User Manual

For Windows Server, version 3.3

User Guide for Cisco Secure ACS for Windows Server
Version 3.3
May 2004

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7816592=
Text Part Number: 78-16592-01

Summary of Contents for Cisco Secure ACS 3.3

  • Page 2 CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST,...
  • Page 3 Contents: Definitions of Service Request Severity; System Performance Specifications; Cisco Secure ACS Windows Services; Cisco Secure ACS and the AAA Client...
  • Page 4: Table of Contents

    Cisco Secure ACS HTML Interface; About the Cisco Secure ACS HTML Interface; HTML Interface Layout; Uniform Resource Locator for the HTML Interface; Network Environments and Administrative Sessions; TACACS+; RADIUS; Authentication Considerations; Authentication and User Databases...
  • Page 5 Administrative Access Policy (2-15); Separation of Administrative and General Users; Database (2-18); Number of Users (2-18); Type of Database (2-18); Network Latency and Reliability (2-19)...
  • Page 6 About Network Configuration; About Distributed Systems; Proxy in Distributed Systems; Network Device Searches; User-to-Group Relationship; Per-User or Per-Group Features; Defining New User Data Fields; Setting Advanced Options for the Cisco Secure ACS User Interface...
  • Page 7 Deleting a AAA Server (4-28); Adding a Network Device Group; Assigning an Unassigned AAA Client or AAA Server to an NDG; Reassigning a AAA Client or AAA Server to an NDG; Renaming a Network Device Group; Deleting a Network Device Group...
  • Page 8 Command Authorization Sets; Chapter: User Group Management; About User Group Setup Features and Functions; Deleting a Network Access Filter; About Downloadable IP ACLs; Adding a Downloadable IP ACL...
  • Page 9 Configuring Microsoft RADIUS Settings for a User Group; Configuring Nortel RADIUS Settings for a User Group; Configuring Juniper RADIUS Settings for a User Group...
  • Page 10 About User Setup Features and Functions; About User Databases; Basic User Setup Options; Advanced User Authentication Settings; Configuring BBSM RADIUS Settings for a User Group; Configuring Custom RADIUS VSA Settings for a User Group (6-54)...
  • Page 11 Setting Juniper RADIUS Parameters for a User; Setting BBSM RADIUS Parameters for a User; Setting Custom RADIUS Attributes for a User...
  • Page 12 Cisco Secure ACS Backup; Cisco Secure ACS System Restore; Cisco Secure ACS Active Service Management; Determining the Status of Cisco Secure ACS Services; Stopping, Starting, or Restarting Services; Setting the Date Format...
  • Page 13 Database Replication Event Errors (9-25); About RDBMS Synchronization; Users (9-27); User Groups (9-27); Network Configuration (9-28); Custom RADIUS Vendors and VSAs...
  • Page 14 IP Pools Address Recovery; Chapter: System Configuration: Authentication and Certificates; About Certification and EAP Protocols; RDBMS Synchronization Components; About CSDBSync (9-29); About the accountActions Table...
  • Page 15 About Certificate Revocation Lists; Certificate Revocation List Configuration Options; Adding a Certificate Revocation List Issuer; Editing a Certificate Revocation List Issuer; Deleting a Certificate Revocation List Issuer...
  • Page 16 Update Packets in Accounting Logs; About Cisco Secure ACS Logs and Reports; Working with CSV Logs; Working with ODBC Logs; Generating a Certificate Signing Request; Using Self-Signed Certificates (10-47); About Self-Signed Certificates...
  • Page 17 Deleting an Administrator Account (12-11); Access Policy Options (12-12); Setting Up Access Policy (12-14); Session Policy Options (12-16); Setting Up Session Policy (12-17)...
  • Page 18 Chapter: User Databases; CiscoSecure User Database; About External User Databases; Windows User Database; About the CiscoSecure User Database; User Import and Creation...
  • Page 19 Unsuccessful Previous Authentication with the Primary LDAP Server (13-37); Type Definitions (13-61)...
  • Page 20 Deleting an External User Database Configuration; Chapter: Network Admission Control; About Network Admission Control; Implementing Network Admission Control; PAP Procedure Output (13-65); CHAP/MS-CHAP/ARAP Authentication Procedure Input; CHAP/MS-CHAP/ARAP Procedure Output...
  • Page 21 About Unknown User Authentication; General Authentication of Unknown Users; Windows Authentication of Unknown Users; Domain-Qualified Unknown Windows Users; Windows Authentication with Domain Qualification; Multiple User Account Creation...
  • Page 22 Posture Validation Use of the Unknown User Policy; Required Use for Posture Validation; Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database; Group Mapping Order (16-5); No Access Group for Group Set Mappings...
  • Page 23 About the cisco-av-pair RADIUS Attribute (16-13); Configuring NAC Group Mapping; TACACS+ AV Pairs; TACACS+ Accounting AV Pairs...
  • Page 24 Creating a Cisco Secure ACS Database Dump File; Loading the Cisco Secure ACS Database from a Dump File; Compacting the CiscoSecure User Database; User and AAA Client Import Option; Importing User and AAA Client Information...
  • Page 25 About the RADIUS Vendor/VSA Import File; Vendor and VSA Set Definition; Attribute Definition (D-36); Enumeration Definition (D-38); Example RADIUS Vendor/VSA Import File (D-40)...
  • Page 26 Windows Services; Windows Registry; CSAdmin; CSAuth; CSDBSync; CSLog; accountActions Format; accountActions Mandatory Fields; accountActions Processing Order; Action Codes for Setting and Deleting Values; Action Codes for Creating and Modifying User Accounts...
  • Page 27 CSMon (Monitoring; Recording; Notification; Response); CSTacacs and CSRadius; Index...
  • Page 29 Preface This document will help you configure and use Cisco Secure Access Control Server (ACS) and its features and utilities. Audience This guide is for system administrators who use Cisco Secure ACS and who set up and maintain accounts and dial-in network security.
  • Page 30 Chapter 16, “User Group Mapping and ...”—Concepts and procedures regarding the assignment of groups for users authenticated by an external user database. (Remaining entries on this page: “... Components”—Concepts and procedures; “... Management”—Concepts and procedures for ...; “... Basic”—Concepts and procedures...)
  • Page 31 “... Processing”—An introduction to Virtual Private ...; “... Architecture”—A description of Cisco Secure ACS ...; “... Definitions”—A list of ... Conventions: boldface font, italic font, screen font, boldface screen font, italic screen font, Option > Network Preferences...
  • Page 32: Product Documentation

    Table 1, Product Documentation, describes the product documentation that is available. Document titles: Release Notes for Cisco Secure ACS for Windows Server; User Guide for Cisco Secure ACS for Windows Server. Available formats: printed document that was included with the product; ...
  • Page 33: Related Documentation

    In the Cisco Secure ACS HTML interface, click Online Documentation. In the Cisco Secure ACS HTML interface, online help appears in the right-hand frame when you are configuring a feature.
  • Page 34 TCP/IP protocols and utilities supported by Cisco devices. This document presents planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in support of Cisco Catalyst Switch networks. It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and capabilities of Cisco Secure ACS.
  • Page 35: Obtaining Documentation

    (RDBMS) with ODBC and Cisco Secure ACS, and provides sample Structured Query Language (SQL) procedures. This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.
  • Page 36: Documentation Feedback

    Ordering tool: http://www.cisco.com/en/US/partner/ordering/index.shtml. Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387). Documentation Feedback: You can send comments about technical documentation to bug-doc@cisco.com.
  • Page 37: Obtaining Technical Assistance

    (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides...
  • Page 38 Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
  • Page 39: Obtaining Additional Publications and Information

    The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/ Cisco Press publishes a wide range of general networking, training and...
  • Page 40 Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj...
  • Page 41 Overview: This chapter provides an overview of Cisco Secure ACS for Windows Server. This chapter contains the following topics: The Cisco Secure ACS Paradigm, page 1-2; Cisco Secure ACS Specifications, page 1-3; System Performance Specifications, page 1-3...
  • Page 42 Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced “triple A”) services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. The AAA client in Figure 1-1 ... uses one of the AAA protocols supported by Cisco Secure ACS.
  • Page 43 System Performance Specifications The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is...
  • Page 44 Cisco Secure ACS Windows Services: Cisco Secure ACS operates as a set of Microsoft Windows services and controls the authentication, authorization, and accounting of users accessing networks.
  • Page 45: AAA Server Functions and Concepts

    For information about stopping and starting Cisco Secure ACS services, see Service Control. Cisco Secure ACS is a AAA server, providing AAA services to network devices that can act as AAA clients. As a AAA server, Cisco Secure ACS incorporates many technologies to render AAA services to AAA clients.
  • Page 46: AAA Protocols: TACACS+ and RADIUS

    A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server. AAA clients must be configured to direct all end-user client access requests to Cisco Secure ACS for authentication of users and authorization of service requests.
  • Page 47: TACACS+

    RADIUS column of the TACACS+/RADIUS comparison table: authentication and authorization ports 1645 and 1812; accounting ports 1646 and 1813; encrypts only passwords, up to 16 bytes; authentication and authorization combined as one service; purpose: user access control.
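The comparison column above says RADIUS encrypts only passwords; the TACACS+ side of the same comparison is obfuscation of the whole packet body. The Python below is an added example, not code from the Cisco user guide, that implements both mechanisms as their RFCs define them (RFC 2865 section 5.2 for User-Password hiding, RFC 8907 section 4.5 for the TACACS+ pseudo-pad) so the difference is visible in bytes. The shared secret, Request Authenticator, session ID and credentials are constructed inputs, and the TACACS+ body is a simplified stand-in for a real START body rather than the RFC's exact field layout. One caveat on the "16 bytes" figure: RFC 2865 chains 16-byte blocks through MD5, so a hidden User-Password may be up to 128 bytes; 16 is the block size, not a hard password limit.

```python
"""Added example, not code from the Cisco user guide: what "encrypts only
passwords" (RADIUS) versus "obfuscates the packet body" (TACACS+) means on the
wire.  RADIUS hides only the User-Password attribute (RFC 2865 section 5.2),
in 16-byte blocks chained through MD5, so User-Name and every other attribute
travel in cleartext.  TACACS+ XORs the whole packet body with an MD5-derived
pseudo-pad (RFC 8907 section 4.5).  Neither is authenticated encryption; both
stand or fall with the shared secret.  Secrets, authenticators, and session
values below are constructed test inputs."""
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding.

    Pad the password with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator) and
    cN = pN XOR MD5(secret + c(N-1)).  Only the first block depends on the
    authenticator; later blocks chain on ciphertext, which is how the
    original 16-byte limit was extended to 128 bytes.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 allows 1 to 128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (the server side); strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return bytes(out).rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          authenticator: bytes, identifier: int = 1) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and
    User-Password (type 2).  User-Name is written as-is: only the password
    attribute is hidden."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1)); concatenate
    the digests and truncate to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    pad = bytearray()
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(pad[:length])


def tacacs_obfuscate_body(body: bytes, session_id: int, key: bytes,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire body with the pseudo-pad.  XOR is its own inverse, so the
    same call de-obfuscates.  0xC0 is the TACACS+ major/minor version byte."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_on_the_wire(username: bytes, password: bytes, secret: bytes) -> dict:
    """Report which protocol lets a sniffer read the user name or password.
    The TACACS+ body is a constructed stand-in for an authentication START
    body, not the exact RFC 8907 layout."""
    authenticator = bytes(range(16))  # constructed; real clients pick random bytes
    radius_pkt = radius_access_request(username, password, secret, authenticator)
    tacacs_body = tacacs_obfuscate_body(username + b"\x00" + password, 0x1234ABCD, secret)
    return {
        "radius_username_visible": username in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": username in tacacs_body,
        "tacacs_password_visible": password in tacacs_body,
    }


if __name__ == "__main__":
    print(compare_on_the_wire(b"alice", b"S3cretPassw0rd", b"shared-secret"))
```

Running the file shows the RADIUS user name visible and the TACACS+ body opaque. Both routines are symmetric, so the server side recovers the plaintext with the same shared secret; a wrong secret yields garbage rather than an error, which is why a mismatched key shows up as failed authentications, not as a protocol fault. Neither scheme authenticates the packet or hides lengths, so the strength of the shared secret and the trust placed in the path between AAA client and server carry the real weight.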
  • Page 48: Authentication

    More modern and secure methods use technologies such as CHAP and one-time passwords (OTPs). Cisco Secure ACS supports a variety of these authentication methods.
  • Page 49: Authentication Considerations

    ISDN line terminating at a network access server, or over a Telnet session between an end-user client and the hosting device.
  • Page 50: Authentication Protocol-Database Compatibility

    Table columns: Cisco Secure ACS, Windows SAM, Windows AD, LDAP, Novell NDS, ODBC. The table specifies non-EAP authentication protocol support. For more information about token server support, see User Databases, page 13-78.
  • Page 51: Passwords

    Non-EAP protocols listed: CHAP, ARAP, MS-CHAP v.1, MS-CHAP v.2. The table that specifies EAP authentication protocol support lists: EAP-MD5, EAP-TLS, PEAP (EAP-GTC), PEAP (EAP-MSCHAPv2), EAP-FAST Phase Zero, EAP-FAST Phase Two...
  • Page 52 In the case of token servers, Cisco Secure ACS acts as a client to the token server, using either its proprietary API or its RADIUS interface, depending on the token server.
  • Page 53 ...Card (GTC) and EAP-MSCHAPv2 protocols. For more information, see PEAP Authentication, page 10-2, and EAP-TLS Authentication, page 10-8; see also the EAP-TLS Deployment Guide for Wireless LAN Networks and RFC 2284.
  • Page 54 These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure user database and are not usually given up to an external source if an outbound password has been configured.
  • Page 55 After a specified number of days; after a specified number of logins; the first time a new user logs in.
  • Page 56: Other Authentication-Related Features

    Ability for external users to authenticate via an enable password (see TACACS+ Enable Password Options for a User); proxy of authentication requests to other AAA servers (see Distributed Systems)...
  • Page 57: Authorization

    Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises.
  • Page 58: Max Sessions

    You define quotas by duration of sessions or the total number of sessions.
  • Page 59: Support for Cisco Device-Management Applications

    ...ACS, the management application must be configured in Cisco Secure ACS as a ... (Cross-references on this page: Setting Usage Quotas for a User; Setting User Usage Quotas Options, page 7-18; About Shared Profile Components, page 5-1.)
  • Page 60 ...Device-Management Command Authorization for a User Group, page 6-37. For information about applying a shared device command-authorization set to a user, see Configuring Device-Management Command Authorization for a User, page 7-30.
  • Page 61: Other Authorization-Related Features

    Cross-references on this page: Downloadable IP ACLs, page 5-2; Enabling VoIP Support for a User Group (Chapter 6); Setting Options for User Group Disablement, page 6-4.
  • Page 62: Accounting

    AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration.
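The accounting records described above are what the Max Sessions and usage-quota features from earlier in this chapter are ultimately measured against. The Python below is an added example, not code from the Cisco user guide: it replays constructed RADIUS accounting records in CSV form, computes peak concurrent sessions, session counts and total connect time per user, and reports which users exceed the configured quotas. The column header mirrors standard RADIUS accounting attribute names but is an assumption about the ACS log layout rather than a quote from the guide; every log line is constructed, and the Stop record without a matching Start (carol) shows how the replay handles a session that began before the log was rotated.

```python
"""Added example, not code from the Cisco user guide: checking the "Max
Sessions" and usage-quota ideas from Chapter 1 against RADIUS accounting
records of the kind Cisco Secure ACS writes to its CSV accounting log.
The column names follow the standard RADIUS accounting attributes
(Acct-Status-Type, Acct-Session-Id, Acct-Session-Time); the exact header of an
ACS CSV log is assumed here, not quoted from the guide, and every log line is
constructed test data."""
import csv
import io
from collections import defaultdict

# Constructed sample: alice opens three sessions (A1, A2, A3), two of them
# overlapping, and never stops A2; bob has one long session; carol's Stop
# has no matching Start (the session began before this log file did).
# Interim-Update records (the "update packets" the guide mentions) are
# skipped by every function below.
SAMPLE_LOG = """\
Date,Time,User-Name,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,NAS-IP-Address
05/12/2004,08:00:00,alice,Start,0000A1,,10.0.0.1
05/12/2004,08:05:00,bob,Start,0000B1,,10.0.0.1
05/12/2004,08:10:00,alice,Start,0000A2,,10.0.0.2
05/12/2004,08:20:00,alice,Interim-Update,0000A1,1200,10.0.0.1
05/12/2004,08:40:00,alice,Stop,0000A1,2400,10.0.0.1
05/12/2004,09:00:00,alice,Start,0000A3,,10.0.0.2
05/12/2004,09:30:00,alice,Stop,0000A3,1800,10.0.0.2
05/12/2004,10:00:00,bob,Stop,0000B1,6900,10.0.0.1
05/12/2004,10:05:00,carol,Stop,0000C9,60,10.0.0.3
"""


def parse_accounting(text: str) -> list:
    """Parse the CSV log into dicts; rows stay in file (chronological) order."""
    return list(csv.DictReader(io.StringIO(text)))


def peak_concurrent_sessions(rows) -> dict:
    """Replay Start/Stop records per user and report the highest number of
    simultaneously open sessions, the quantity a Max Sessions limit bounds."""
    open_sessions = defaultdict(set)
    peak = defaultdict(int)
    for r in rows:
        user, sid, status = r["User-Name"], r["Acct-Session-Id"], r["Acct-Status-Type"]
        if status == "Start":
            open_sessions[user].add(sid)
            peak[user] = max(peak[user], len(open_sessions[user]))
        elif status == "Stop":
            open_sessions[user].discard(sid)  # Stop without Start: nothing to close
            peak.setdefault(user, 0)
    return dict(peak)


def usage_totals(rows) -> dict:
    """Per user: (sessions started, total seconds reported by Stop records).
    Sessions still open contribute no time yet; Interim-Update is skipped so
    that partial durations are not double-counted."""
    started = defaultdict(int)
    seconds = defaultdict(int)
    for r in rows:
        user, status = r["User-Name"], r["Acct-Status-Type"]
        if status == "Start":
            started[user] += 1
        elif status == "Stop":
            seconds[user] += int(r["Acct-Session-Time"] or 0)
            started.setdefault(user, 0)
    return {u: (started[u], seconds[u]) for u in started}


def quota_violations(rows, max_concurrent: int, max_total_seconds: int,
                     max_session_count: int) -> list:
    """Return sorted (user, reason) pairs for every quota the log shows exceeded."""
    violations = []
    for user, peak in peak_concurrent_sessions(rows).items():
        if peak > max_concurrent:
            violations.append((user, "max-sessions"))
    for user, (count, secs) in usage_totals(rows).items():
        if count > max_session_count:
            violations.append((user, "session-count"))
        if secs > max_total_seconds:
            violations.append((user, "total-time"))
    return sorted(violations)


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE_LOG)
    print(peak_concurrent_sessions(rows))
    print(usage_totals(rows))
    print(quota_violations(rows, max_concurrent=1, max_total_seconds=3600, max_session_count=2))
```

With a Max Sessions limit of 1, a one-hour total-time quota and a two-session count quota, the replay flags alice on all three counts and bob on total time only. Because a session that never receives a Stop (alice's A2) stays open in the replay, a quota check driven from the log alone will count a crashed NAS as a still-active session; Interim-Update records, or the Acct-On/Acct-Off records a restarting NAS sends, are what let a real implementation expire those.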
  • Page 63: Administration

    ...“spoof” the IP address of the legitimate remote host to make use of the active administrative session HTTP port. (See Cisco Secure ACS HTML Interface, page 1-25.)
  • Page 64: Network Device Groups

    This creates two levels of network devices within Cisco Secure ACS—discrete devices such as an individual router, access server, AAA server, or PIX Firewall, and NDGs, which are named collections of AAA clients and AAA servers.
  • Page 65: Posture Validation

    Cross-references on this page: Cisco Secure ACS Active Service Management; RDBMS Synchronization; CiscoSecure Database Replication; Cisco Secure ACS System Restore; Chapter 14, “Network Admission Control”.
  • Page 66: About the Cisco Secure ACS HTML Interface

    Accessing the HTML interface requires a valid administrator name and password. The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS.
  • Page 67: HTML Interface Layout

    ...HTML interface. For information about fundamental features such as backup scheduling and service controls, see Chapter 8, “System Configuration: ...”.
  • Page 68 Display Area—The frame on the right of the browser window; the display area shows one of the following options: ... (Cross-references on this page: Chapter 3, “Interface Configuration”.)
  • Page 69: Uniform Resource Locator for the HTML Interface

    Cisco Secure ACS displays an error message here. The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly.
  • Page 70: Network Environments And Administrative Sessions

    Administrative Sessions and HTTP Proxy Cisco Secure ACS does not support HTTP proxy for administrative sessions. If the browser used for an administrative session is configured to use a proxy server, Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than from the actual address of the computer.
  • Page 71: Administrative Sessions Through Firewalls

    Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the computer. This conflicts with administrative session communication that does use the actual IP address of the computer.
  • Page 72: Accessing the HTML Interface

    Step 1: Open a web browser. For a list of supported web browsers, see the Release Notes for the version of Cisco Secure ACS you are accessing. The most recent revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).
  • Page 73: Logging Off the HTML Interface

    Online Help—Contains basic information about the page shown in the configuration area. Online Documentation—Contains the entire user guide. (See also Uniform Resource Locator for the HTML Interface.)
  • Page 74: Using Online Help

    ...Cisco Secure ACS, please go to http://www.cisco.com. Click Section Information on any online help page to view online documentation relevant to the section of the HTML interface you are using.
  • Page 75 Step 4: If you want to print the online documentation, click in the display area, and then click Print in the navigation bar of your browser.
  • Page 77 Deployment Considerations Deployment of Cisco Secure ACS for Windows Server can be complex and iterative, depending on the specific implementation required. This chapter provides insight into the deployment process and presents a collection of factors that you should consider before deploying Cisco Secure ACS.
  • Page 78: Chapter 2 Deployment Considerations

    Minimum graphics resolution of 256 colors at 800 x 600. Operating System Requirements: Cisco Secure ACS for Windows Server 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
  • Page 79: Third-Party Software Requirements

    ...Windows 2000 Advanced Server (... enabled). We have not tested and cannot support the multi-processor feature of Windows 2000 Advanced Server. Windows 2000 Datacenter Server is not a supported operating system.
  • Page 80: Network and Port Requirements

    If there is a disabled network card on the computer running Cisco Secure ACS, installing Cisco Secure ACS may proceed slowly due to delays caused by Microsoft CryptoAPI.
  • Page 81 In some cases, these ports are configurable, such as with LDAP and RADIUS token server databases. For more information about ports that a particular external user database listens to, see the documentation for that database.
  • Page 82: Basic Deployment Factors for Cisco Secure ACS

    ...ISDN connection is granted access to an intranet via a network access server (NAS) functioning as a AAA client. Users may be able to connect via only a single AAA client as in a small business, or have the option of numerous geographically dispersed AAA clients.
  • Page 83 In a larger dial-in environment, a single Cisco Secure ACS with a backup may be suitable, too. The suitability of this configuration depends on network and server access latency. ...In this scenario the addition of a backup Cisco Secure ACS is recommended.
  • Page 84 Although Cisco Secure ACS uses encryption for all replication and database synchronization traffic, additional security measures may be required to protect the network and user information that Cisco Secure ACS sends across the WAN.
  • Page 85: Wireless Network

    This raises a unique issue with the WLAN: the ability of a user to “roam” between APs.
  • Page 86 ...LAN, connected via routers, switches, and so on. In the larger, geographical distribution of WLANs, deployment of Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs (Figure 2-3).
  • Page 87 ...WLAN shown in Figure 2-4. This model may apply to a chain of small stores distributed throughout a city or state, nationally, or globally (Figure 2-6).
  • Page 88: Remote Access Using VPN

    ...Internet service provider (ISP) instead of using expensive toll-free or long-distance calls to resource-consuming modem banks. ...Figure 2-6, the location of Cisco Secure ACS depends on...
  • Page 89 ...AAA model very effectively (Figure 2-8, Simple VPN Configuration: VPN concentrator, tunnel, Cisco Secure Access Control Server).
  • Page 90: Remote Access Policy

    ...(PSTN). Such policies are enforced at the corporate campus with Cisco Secure ACS and the AAA client. Inside the enterprise network, remote access policies can control wireless access by individual employees.
  • Page 91: Security Policy

    IDs, passwords, and privileges. Cisco Secure ACS access policies can be downloaded in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, or by allowing access during specific periods, or on specific access servers.
  • Page 92 If this is not a suitable solution, using TACACS+ for administrative (shell/exec) logins, and RADIUS for remote network access, provides sufficient security for the network devices.
  • Page 93: Separation of Administrative and General Users

    Sample AAA client configuration fragments on this page: “... 15 default group tacacs+ none”, “username user password password”, “line con 0”, “login authentication console”, and server entries with ip-address and secret-key placeholders.
  • Page 94: Database

    Cisco Secure ACS configuration. A WAN failure could render a local network inaccessible because of the loss of the authentication server. In addition to this issue, reducing the number of users that a single Cisco Secure ACS handles improves performance by lowering the number of logins occurring at any given time and by reducing the load on the database itself.
  • Page 95: Network Latency and Reliability

    Configure Administrators—You should configure at least one administrator at the outset of deployment; otherwise, there is no remote administrative access and all configuration activity must be done from the server. You should also have a detailed plan for establishing and maintaining an administrative policy.
  • Page 96 For information about the types of databases Cisco Secure ACS supports and instructions for establishing them, see Chapter 13, “User Databases”. (Other cross-references on this page: Interface Design Concepts; Chapter 8, “System Configuration: ...”.)
  • Page 97 Suggested Deployment Sequence (cross-references on this page): Chapter 1, “Overview”; Chapter 5, “Shared Profile Components”; About Unknown User Authentication; Chapter 7, “User Management”; Chapter 16, “User Group Mapping and ...”.
  • Page 99: Interface Configuration

    Interface Configuration Ease of use is the overriding design principle of the HTML interface in the Cisco Secure ACS for Windows Server. Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator. The Interface Configuration section of Cisco Secure ACS enables you to configure the Cisco Secure ACS HTML interface—you can tailor the interface to simplify the...
  • Page 100: Chapter 3 Interface Configuration

    You can configure most features at both group and user levels, with the following exceptions: • User level only—Static IP address, password, and expiration. Group level only—Password aging and time-of-day/day-of-week • restrictions. User Guide for Cisco Secure ACS for Windows Server Chapter 3 Interface Configuration 78-16592-01...
  • Page 101: User Data Configuration Options

    Service Control page in the System Configuration section and then stopping and restarting the CSAdmin service by using the Services section of the Administrative Tools folder in Windows Control Panel. User Guide for Cisco Secure ACS for Windows Server User Data Configuration Options 11-6. For information on the...
  • Page 102: Advanced Options

    For information on defining a NAR, or NAR set, within Shared Profile Components, see page User Guide for Cisco Secure ACS for Windows Server Restarting Cisco Secure ACS-related Windows services should be done during off hours because it briefly interrupts authentication, authorization, and accounting.
  • Page 103 Distributed System Settings—When selected, this feature displays the AAA • server and proxy tables on the Network Interface page. If the tables have information other than the defaults in them, they always appear. Remote Logging—When selected, this feature enables the Remote Logging •...
  • Page 104: Setting Advanced Options For The Cisco Secure Acs User Interface

    IP Pools—When selected, this feature enables the IP Pools Address Recovery • and IP Pools Server options on the System Configuration page. Network Device Groups—When selected, this option enables network • device groups (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers).
  • Page 105: Protocol Configuration Options For Tacacs

    User Setup page or Group Setup page. • New Services—In this area you can enter any services or protocols particular to your network configuration.
  • Page 106 This provides a common method to control access regardless of the access control protocol. If you have configured Cisco Secure ACS to interact with device management applications for other Cisco products, such as...
  • Page 107: Setting Options For Tacacs

    User Setup and Group Setup pages that enables you to permit unknown TACACS+ services, such as Cisco Discovery Protocol (CDP). This option should be used by advanced system administrators only.
  • Page 108 Step 5 When you have finished setting TACACS+ interface display options, click Submit. If you have configured Cisco Secure ACS to interact with device management applications for other Cisco products, such as a...
  • Page 109: Protocol Configuration Options For Radius

    RADIUS type. The settings that appear for various types of AAA client depend on what settings that type of device can employ. These combinations are detailed in Table 3-1 on page 3-12.
  • Page 110 Table 3-1 (only the column headings survived extraction): RADIUS (IETF), RADIUS (Cisco Aironet), RADIUS (BBSM), RADIUS (Cisco IOS/PIX), RADIUS (Microsoft), RADIUS (Ascend)...
  • Page 111 Otherwise, only the Group check box for each attribute appears. By... Table 3-1, continued (only the column headings survived extraction): RADIUS (BBSM), RADIUS (Cisco IOS/PIX), RADIUS (Microsoft), RADIUS (Ascend), RADIUS (Cisco 3000), RADIUS (Cisco 5000), RADIUS (Juniper), RADIUS (Nortel)
  • Page 112 Access Point and the Cisco-Aironet-Session-Timeout attribute is configured, Cisco Secure ACS sends to the wireless device this value in the IETF... The RADIUS (IETF) attributes are shared with RADIUS VSAs. You must configure the first RADIUS attributes from RADIUS (IETF) for the RADIUS vendor.
  • Page 113 VSA and then set the options for how particular attributes... Setting Protocol Configuration Options for Non-IETF RADIUS Attributes, page 3-17.
  • Page 114: Setting Protocol Configuration Options For Ietf Radius Attributes

    Group Setup pages, select the Tags to Display Per Attribute option, and then select a value from the corresponding list. Examples of tagged attributes are Tunnel-Type... Each attribute selected must be supported by your RADIUS network devices.
  • Page 115: Setting Protocol Configuration Options For Non-Ietf Radius Attributes

    Configuration: Advanced Options is selected, a User check box appears alongside the Group check box for each attribute. Each attribute selected must be supported by your RADIUS network devices.
  • Page 116 Step 4 Click Submit at the bottom of the page. According to your selections, the RADIUS VSAs appear on the User Setup or Group Setup pages, or both, as a configurable option.
  • Page 117: Network Configuration

    Network Configuration This chapter details concepts and procedures for configuring Cisco Secure ACS for Windows Server to interact with AAA clients and servers and for establishing a distributed system. This chapter contains the following topics: • About Network Configuration, page 4-1 ...
  • Page 118: Chapter 4 Network Configuration

    Servers table do not appear on the opening page. To configure a AAA client or AAA server, you must click the name of the NDG to which the device is assigned. If the newly configured device is not assigned to an NDG, it belongs to the (Not Assigned) group.
  • Page 119: Aaa Servers In Distributed Systems

    AAA Servers in Distributed Systems “AAA server” is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user.
  • Page 120: Proxy In Distributed Systems

    AAA server. After the request has been successfully authenticated, the authorization privileges that have been configured for the user on the remote AAA server are passed back to the original Cisco Secure ACS, where the AAA client applies the user profile information for that session.
  • Page 121: Fallback On Failed Connection

    Note by proxy, any Network Access Restrictions for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client. When a Cisco Secure ACS proxies to a second Cisco Secure ACS, the second...
  • Page 122: Character String

    For example, in the proxy example that follows, the character string that accompanies the username establishes the ability to forward the request to another AAA server. If the user must enter the user ID of mary@corporate.com to be forwarded correctly to the AAA server for authentication, Cisco Secure ACS might find a match on the “@corporate.com”...
  • Page 123: Remote Use Of Accounting Packets

    Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is a Cisco Secure ACS and the Max Sessions feature is implemented, you can track the number of sessions allowed for each user or group.
  • Page 124: Other Features Enabled By System Distribution

    • ...can use asterisks (*) as wildcard characters. For example, if you wanted to find all devices with names starting with the letter M, you would enter “M*”.
  • Page 125: Searching For Network Devices

    • Type—The device type, as specified by the AAA protocol it is configured to use, or the kind of AAA server it is. If you do not want to limit the search based on device type, select ... • Device Group—The NDG the device is assigned to. This search criterion...
  • Page 126 Cisco Secure ACS displays the applicable setup page. For information about the AAA Client Setup page, see AAA Client Configuration Options, page 4-11. For information about the AAA Server Setup page, see AAA Server Configuration Options, page 4-22.
  • Page 127: Aaa Client Configuration

    Each AAA client configuration can represent multiple network devices; thus, the AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device. We...
  • Page 128 • Key—The shared secret of the AAA client. Maximum length for a AAA client key is 32 characters. After you submit the AAA client hostname, you cannot change it. If...
  • Page 129 – TACACS+ (Cisco IOS)—The Cisco IOS TACACS+ protocol, which is the standard choice when using Cisco Systems access servers, routers, and firewalls. If the AAA client is a Cisco device-management application, such as Management Center for Firewalls, you must use this option.
  • Page 130 – ...option if the AAA client represents RADIUS-enabled devices from more than one manufacturer and you want to use standard IETF RADIUS... If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet).
  • Page 131 RADIUS Accounting reports of Reports and Activity. By default, this check box is not selected. If TCP connections between Cisco Secure ACS and the AAA client are unreliable, do not use this feature.
  • Page 132: Adding A Aaa Client

    GPRS support node (GGSN). For example, if you use the Cisco Secure ACS IP pools server and the AAA client does not provide a unique port for each user, Cisco Secure ACS assumes that a reused...
  • Page 133 Cisco Secure ACS to provide AAA services to a network device and is used solely for command authorization of Cisco multi-device management applications, such as Management Center for Firewalls.
  • Page 134 Note Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter. AAA Client Configuration Options, page 4-11.
  • Page 135: Editing A Aaa Client

    When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart. AAA Client Configuration Options, page 4-11. Adding a AAA Client, page 4-16. Deleting a AAA Client, page ...
  • Page 136 Note Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter. For steps about creating a AAA client entry, see Adding a AAA Client, page 4-16.
  • Page 137: Deleting A Aaa Client

    Delete. However, when you do this, the change does not take effect until you restart the system, which you can do by clicking System Configuration, clicking Service Control, and then clicking Restart.
  • Page 138: Aaa Server Configuration Options

    AAA Server Configuration Options A AAA server configuration enables Cisco Secure ACS to interact with the AAA server that the configuration represents. A AAA server that does not have a corresponding configuration in Cisco Secure ACS, or whose configuration in...
  • Page 139 TACACS+ protocol. After you submit the AAA server name, you cannot change it. If you want to use a different name for a AAA server, delete the AAA server configuration and create a AAA server configuration using the new name.
  • Page 140: Adding A Aaa Server

    • Traffic Type—The Traffic Type list defines the direction in which traffic to and from the remote AAA server is permitted to flow from this Cisco Secure ACS. The list includes the following options: – – –...
  • Page 141 • ...Servers table, click Add Entry. The Add AAA Server page appears. Step 3 In the AAA Server Name box, type a name for the remote AAA server (up to 32 characters). Step 4 In the AAA Server IP Address box, type the IP address assigned to the remote AAA server.
  • Page 142: Editing A Aaa Server

    Use this procedure to edit the settings for a AAA server that you have previously configured. Note You cannot edit the name of a AAA server. To rename a AAA server, you must delete the existing AAA server entry and then add a new server entry with the new name.
  • Page 143 The Network Configuration page opens. Do one of the following: Step 2 If you are using NDGs, click the name of the NDG to which the AAA server • is assigned. Then, in the AAA Servers table, click the name of the AAA server to be edited.
  • Page 144: Deleting A Aaa Server

    The Network Configuration page opens. Step 2 Do one of the following: • If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, click the AAA server name in the AAA Servers table.
  • Page 145: Adding A Network Device Group

    ...Cisco Secure ACS—single discrete devices such as an individual router or network access server, and an NDG; that is, a collection of routers or AAA servers. To see the Network Device Groups table in the HTML interface, you must have...
  • Page 146: Assigning An Unassigned Aaa Client Or Aaa Server To An Ndg

    Assigning an Unassigned AAA Client or AAA Server to an NDG You use this procedure to assign an unassigned AAA client or AAA server to an NDG. Before you begin this procedure, you should have already configured the client or server and it should appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table.
  • Page 147: Reassigning A Aaa Client Or Aaa Server To An Ndg

    The client or server is assigned to an NDG. Reassigning a AAA Client or AAA Server to an NDG To reassign a AAA client or AAA server to a new NDG, follow these steps: Step 1 In the navigation bar, click Network Configuration.
  • Page 148: Renaming A Network Device Group

    When you delete an NDG, all AAA clients and AAA servers that belong to the deleted group appear in the Not Assigned AAA Clients or Not Assigned AAA Servers table. If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.
  • Page 149 It may be useful to empty an NDG of AAA clients and AAA servers before you delete it. You can do this manually by performing the procedure Reassigning a AAA Client or AAA Server to an NDG, page ... If you have a large number of devices to reassign, you can use the RDBMS Synchronization feature.
  • Page 150: Proxy Distribution Table Configuration

    The Character String column in the Proxy Distribution Table always contains an entry of “(Default)”. The “(Default)” entry matches authentication requests received by the local Cisco Secure ACS that do not match any other defined...
  • Page 151: Adding A New Proxy Distribution Table Entry

    Step 5 ...off the username, or select No if it is to be left intact. Step 6 In the AAA Servers column, select the AAA server you want to use for proxy. Click --> (right arrow button) to move it to the Forward To column.
  • Page 152: Sorting The Character String Match Order Of Distribution Entries

    You can also select additional AAA servers to use for backup proxy if the prior servers fail. To set the order of AAA servers, in the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want.
  • Page 153: Editing A Proxy Distribution Table Entry

    Proxy Distribution Table entries in addition to the (Default) table entry. For information about the parameters that make up a distribution entry, see Adding a New Proxy Distribution Table Entry, page 4-35.
  • Page 154: Deleting A Proxy Distribution Table Entry

    The Edit Proxy Distribution Entry page appears. Step 3 Click Delete. A confirmation dialog box appears. Step 4 Click OK. The distribution entry is deleted from the Proxy Distribution Table.
  • Page 155: Shared Profile Components

    Shared Profile Components This chapter addresses the Cisco Secure ACS for Windows Server features found in the Shared Profile Components section of the HTML interface. This chapter contains the following topics: • About Shared Profile Components, page 5-1 • Network Access Filters, page 5-2 ...
  • Page 156: Network Access Filters

    IP address of the AAA client making the access request. For more information on using NAFs in downloadable IP ACLs, see About Downloadable IP ACLs, page 5-8.
  • Page 157: Chapter 5 Shared Profile Component

    If Network Access Filtering does not appear as a selection on the Shared Profile Components page, you must enable it on the Advanced Options page of the Interface Configuration section.
  • Page 158 Selected Items box, click the name of an item and then click Up or Down to move it to the position you want. You can use the wildcard (*) to designate a range within an IP address.
  • Page 159: Editing A Network Access Filter

    Control, and then click Restart. Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero.
  • Page 160 To save your NAF and apply it later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.
  • Page 161: Deleting A Network Access Filter

    Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero.
  • Page 162: About Downloadable Ip Acls

    Cisco cisco-av-pair attribute [26/9/1] of each user or user group. You can create a downloadable IP ACL once, give it a name, and then assign the downloadable IP... (About Network Access Filters, page 5-2).
  • Page 163 To use a downloadable IP ACL on a particular AAA client, the following requirements must be met: • The AAA client must use RADIUS for authentication. • The AAA client must support downloadable IP ACLs. About Network Access Filters, page 5-2.
  • Page 164: Adding A Downloadable Ip Acl

    Adding a Downloadable IP ACL Before You Begin You should have already configured any NAFs that you intend to use in your downloadable IP ACL.
  • Page 165 For an example of the proper format of the ACL definitions, see About Downloadable IP ACLs, page 5-8.
  • Page 166 IP ACL assigned to his or her user or group profile. For information on assigning a downloadable IP ACL to a user or a user group, see ...Downloadable IP ACL to a User, page ..., and ...Downloadable IP ACL to a Group, page ... ...through Step 10...
  • Page 167: Editing A Downloadable Ip Acl

    For an example of the proper format of the ACL definitions, see About Downloadable IP ACLs, page 5-8. About Network Access Filters, page 5-2. ...through Step 8 until you are finished.
  • Page 168: Deleting A Downloadable Ip Acl

    The selected IP ACL is deleted. Network Access Restrictions This section describes network access restrictions (NARs) and provides detailed instructions for configuring and managing shared NARs.
  • Page 169: About Network Access Restrictions

    Service (DNIS) number, the MAC address, or other value originating from... Table 5-1 (only fragments survived extraction: column headings Non-IP Based and Insufficient Information; cell values Access Denied, Access Denied, Access Granted, Access Denied). About IP-based NAR Filters, page 5-17.
  • Page 170 Cisco Secure ACS backup and restore features to back up and restore them. You can also replicate the shared NARs, along with other configurations, to secondary Cisco Secure ACSes.
  • Page 171: About Ip-Based Nar Filters

    When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client. ...(attribute 30) fields are used.
  • Page 172: About Non-Ip-Based Nar Filters

    When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
  • Page 173: Adding A Shared Network Access Restriction

    ...NAS-IP-address (attribute 4) or, if ..., (RADIUS attribute 32) is used. NAS-port-ID (attribute 87) is used. CLI—The calling-station-ID (attribute 31) is used. DNIS—The called-station-ID (attribute 30) is used. About Network Access Restrictions,...
  • Page 174 • Src IP Address—Type the IP address to filter on when performing access restrictions. You can use the wildcard asterisk (*) to specify all IP addresses.
  • Page 175 ...ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.
  • Page 176 Step 8 Cisco Secure ACS saves the shared NAR and lists it in the Network Access Restrictions table. The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024.
  • Page 177: Editing A Shared Network Access Restriction

    ACS is capable of accepting more than 1024 characters when you add a NAR, you cannot edit such a NAR and Cisco Secure ACS cannot accurately apply it to users.
  • Page 178: Deleting A Shared Network Access Restriction

    Ensure that you remove the association of a shared NAR to any user or group before you delete that NAR. The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024.
  • Page 179: Command Authorization Sets

    • Command Authorization Sets Description, page 5-26 • Command Authorization Sets Assignment, page 5-28 • Case Sensitivity and Command Authorization, page 5-29 • Arguments and Command Authorization, page 5-29 • About Pattern Matching, page 5-30
  • Page 180: About Command Authorization Sets

    PIX OS your firewalls use; if not, use Shell Command Authorization Sets to perform command authorization for PIXes. As of PIX OS version 6.3, the pixshell service has not been implemented.
  • Page 181 The Cisco Secure ACS groups can correspond to different roles within the device-management application and you can apply different command authorization sets to each group, as applicable.
  • Page 182: Command Authorization Sets Assignment

    • PIX Command Authorization Sets—See either of the following: – ... – ... If any argument is unmatched, command authorization is determined by whether the Permit Unmatched Args option is enabled. If unmatched arguments are permitted, the command is authorized and evaluation ends;...
  • Page 183: Case Sensitivity And Command Authorization

    – Configuring Device-Management Command Authorization for a User Group, page 6-37 – Configuring Device-Management Command Authorization for a User, page 7-30
  • Page 184: About Pattern Matching

    You can combine these expressions to specify absolute matching. In the example given, you would use permit ^wid$ to ensure that only wid was permitted, and not anywid or widget.
  • Page 185: Adding A Command Authorization Set

    The set name can contain up to 27 characters. Names cannot contain the following characters: # ? " * > < ; leading and trailing spaces are not allowed.
  • Page 186 Caution Enter the full command word; if you use command abbreviations, authorization control may not function. Note The default setting is Deny. Enter only the command portion of the command/argument string here.
  • Page 187: Editing A Command Authorization Set

    You can list several arguments for a single command by pressing Enter between arguments.
  • Page 188 Step 6 To save the set, click Submit.
  • Page 189: Deleting A Command Authorization Set

    Step 5 To confirm that you want to delete that command authorization set, click OK. Cisco Secure ACS displays the applicable Command Authorization Sets table. The command authorization set is no longer listed.
  • Page 191: User Group Management

    User Group Management This chapter provides information about setting up and managing user groups in Cisco Secure ACS for Windows Server to control authorization. Cisco Secure ACS enables you to group network users for more efficient administration. Each user can belong to only one group in Cisco Secure ACS. You can establish up to 500 groups to effect different levels of authorization.
  • Page 192: About User Group Setup Features And Functions

    Cisco Secure ACS also enables you to enter and configure new TACACS+ services. For information about how to configure a new TACACS+ service to appear on the group setup page, see Protocol Configuration Options for TACACS+, page 3-7.
  • Page 193: Chapter 6 User Group Management

    • Setting Max Sessions for a User Group, page 6-12 • Setting Usage Quotas for a User Group, page 6-14 ... Support for Cisco Device-Management Applications, page 1-19. Chapter 5, “Shared Profile Components”.
  • Page 194: Group Disablement

    Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Group Settings check box. Saving Changes to User Group Settings, page 6-56.
  • Page 195: Setting Default Time-Of-Day Access For A User Group

    Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Default Time-of-Day / Day-of-Week Specification check box. Saving Changes to User Group Settings, page 6-56.
  • Page 196 For more information, see Saving Changes to User Group Settings, page 6-56. Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
  • Page 197: Setting Callback Options For A User Group

    Setting Callback Options for a User Group Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
  • Page 198: Setting Network Access Restrictions For A User Group

    CLI/DNIS-based filter options to appear in the Cisco Secure ACS HTML interface. You can also use the CLI/DNIS-based access restrictions area to specify other values. For more information, see About Network Access Restrictions, page 5-15.
  • Page 199 Note When an authentication request is forwarded by proxy to a Cisco Secure ACS server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
  • Page 200 Click Enter. The specified AAA client, port, and address information appears in the NAR Access Control list. Adding a Shared Network Access Restriction, page 5-19. Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024.
  • Page 201 ...AAA client. You can determine this format from your RADIUS Accounting Log. About Network Access Restrictions, page 5-15.
  • Page 202: Setting Max Sessions For A User Group

    ...2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in. The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024.
  • Page 203 Step 5 To save the group settings you have just made, click Submit. For more information, see Setting Max Sessions Options for a User, page 7-16, and Saving Changes to User Group Settings, page 6-56.
  • Page 204: Setting Usage Quotas For A User Group

    AAA clients. If update packets are not enabled, the quota is updated when the user logs off. If the AAA client through which the user is accessing your...
  • Page 205 Type the number of sessions to which you want to limit users in the to x sessions box. Up to 5 characters are allowed in the to x hours box.
  • Page 206: Configuration-Specific User Group Settings

    This section details procedures that you perform only as applicable to your particular network security configuration. For instance, if you have no token server configured, you do not have to set token card settings for each group. When a vendor-specific variety of RADIUS is configured for use by network...
  • Page 207 • Configuring BBSM RADIUS Settings for a User Group, page 6-51 • Configuring Custom RADIUS VSA Settings for a User Group, page 6-53 ... Protocol Configuration Options for TACACS+, page 3-7, or Protocol Configuration Options for RADIUS, page 3-11.
  • Page 208: Setting Token Card Settings For A User Group

    Configuration-specific User Group Settings Setting Token Card Settings for a User Group If this section does not appear, configure a token server. Then, click External Note User Databases, click Database Configuration, and then add the applicable token card server. Perform this procedure to allow a token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).
  • Page 209: Setting Enable Privilege Options For A User Group

    See your AAA client documentation for information about privilege levels. 78-16592-01 Configuration-specific User Group Settings Saving Changes to User Group Settings, page User Guide for Cisco Secure ACS for Windows Server 6-56. 6-19...
  • Page 210 To set the maximum privilege level for this user group, for any ACS on which • this group is authorized, select the Max Privilege for Any Access Server option. Then, select the maximum privilege level from the list. To define the maximum NDG privilege level for this user group, select the •...
  • Page 211: Enabling Password Aging For The Ciscosecure User Database

    (aaa accounting new-info update) with the IP address of 78-16592-01 6-26. Enabling Password Aging for Users in Windows Databases, 6-26. Local Password Management, page User Guide for Cisco Secure ACS for Windows Server Configuration-specific User Group Settings Enabling Password Aging for Users 8-5. 6-21...
  • Page 212 Warning period—The number of days users will be notified to change – their passwords. The existing password can be used, but the Cisco Secure ACS presents a warning indicating that the password must be changed User Guide for Cisco Secure ACS for Windows Server 6-22 Chapter 6 Local Password Management, Enabling Password Aging for Users in 6-26.
  • Page 213 12, users receive prompts 78-16592-01 All passwords expire at midnight, not the time at which they were set. User Guide for Cisco Secure ACS for Windows Server Configuration-specific User Group Settings 6-23...
  • Page 214 Set up your AAA client to use Cisco IOS Release 11.2.7 or later and to send • a watchdog accounting packet (aaa accounting new-info update) with the IP address of the calling station. User Guide for Cisco Secure ACS for Windows Server 6-24 Chapter 6 Local Password Management, page User Group Management 8-5.
  • Page 215 Apply password change rule check box. To enable a Greetings message display, select the Generate greetings for Step 7 successful logins check box. 78-16592-01 Configuration-specific User Group Settings User Guide for Cisco Secure ACS for Windows Server 6-25...
  • Page 216: Enabling Password Aging For Users In Windows Databases

    – Communication between Cisco Secure ACS and the AAA client must be using RADIUS. – The AAA client must support MS CHAP password aging in addition to MS CHAP authentication.
  • Page 217 Users must be in a Windows user database. See Global Authentication Setup, page 10-26.
  • Page 218: Setting Ip Address Assignment Method For A User Group

    • Assigned by dialup client—Use the IP address that is configured on the dialup client network settings for TCP/IP. Users must be using a client that supports EAP-FAST. You must enable EAP-FAST on the Global Authentication Configuration page within the System Configuration section.
  • Page 219 • Select Assigned from AAA Client pool. Then, type the AAA client IP pool name. • Select Assigned from AAA pool. Then, select the AAA server IP pool name in the Available Pools list and click --> (right arrow button) to move the name into the Selected Pools list.
  • Page 220: Assigning A Downloadable Ip Acl To A Group

    Step 4 Under the Downloadable ACLs section, click the Assign IP ACL check box. Step 5 Select an IP ACL from the list.
  • Page 221: Configuring Tacacs+ Settings For A User Group

    See Saving Changes to User Group Settings, page 6-56, and Configuring a Shell Command Authorization Set for a User Group.
  • Page 222 Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable. Pairs”, or your AAA client documentation. Leave the attribute value box blank if the default (as defined on the AAA client) should be used.
  • Page 223: Configuring A Shell Command Authorization Set For A User Group

    Step 5 To prevent the application of any shell command authorization set, select (or accept the default of) the None option. See Adding a Command Authorization Set.
  • Page 224 Cisco IOS commands. Correct syntax is the responsibility of the administrator. For information on how Cisco Secure ACS uses pattern matching in command arguments, see About Pattern Matching, page 5-30.
  • Page 225: Configuring A Pix Command Authorization Set For A User Group

    To enter several commands, you must click Submit after specifying a command. A new command entry box appears below the box you just completed. See Adding a Command Authorization Set, page 5-31.
  • Page 226 Click Add Association. The associated NDG and PIX command authorization set appear in the table. Note To remove or edit an existing PIX command authorization set association, you can select the association from the list, and then click Remove Association.
  • Page 227: Configuring Device-Management Command Authorization For A User Group

    Step 4 Use the vertical scrollbar to scroll to the device-management application feature area, where device-management application is the name of the applicable Cisco device-management application.
  • Page 228: Configuring Ietf Radius Settings For A User Group

    See Configuration Options for RADIUS, page 3-11. For a list and explanation of RADIUS attributes, see Appendix C, “RADIUS... For information about how your AAA client uses RADIUS, refer to your AAA client vendor documentation.
  • Page 229 Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable. See Saving Changes to User Group Settings, page 6-56.
  • Page 230: Configuring Cisco Ios/Pix Radius Settings For A User Group

    Infected, you could specify values for the url-redirect, posture-token, and status-query-timeout attributes as follows:
    url-redirect=http://10.1.1.1
    posture-token=Infected
    status-query-timeout=150
    See Configuring IETF RADIUS Settings for a User Group, page 6-38.
  • Page 231: Configuring Cisco Aironet Radius Settings For A User Group

    Cisco Aironet AP. See Saving Changes to User Group Settings, page 6-56.
  • Page 232 Configuration to use the RADIUS (Cisco Aironet) authentication option. The recommended value is 600 seconds. For more information about the IETF RADIUS Session-Timeout attribute, see Appendix C, “RADIUS...
  • Page 233: Configuring Ascend Radius Settings For A User Group

    The Group Setup Select page opens. See Saving Changes to User Group Settings, page 6-56, and Configuring IETF RADIUS Settings for a User Group, page 6-38.
  • Page 234: Configuring Cisco Vpn 3000 Concentrator Radius Settings For A User Group

    • Group-level RADIUS (Cisco VPN 3000) attributes have been enabled on the RADIUS (Cisco VPN 3000) page of the Interface Configuration section. See Appendix C, “RADIUS Attributes”, or your AAA client...
  • Page 235 Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable. See Saving Changes to User Group Settings, page 6-56.
  • Page 236: Configuring Cisco Vpn 5000 Concentrator Radius Settings For A User Group

    The Group Settings page displays the name of the group at its top. Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 5000).
  • Page 237: Configuring Microsoft Radius Settings For A User Group

    • Group-level Microsoft RADIUS attributes have been enabled on the RADIUS (Microsoft) page of the Interface Configuration section. See Saving Changes to User Group Settings, page 6-56.
  • Page 238 For more information about attributes, see documentation for network devices using RADIUS.
  • Page 239: Configuring Nortel Radius Settings For A User Group

    The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. See Saving Changes to User Group Settings, page 6-56.
  • Page 240: Configuring Juniper Radius Settings For A User Group

    AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface. The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS;...
  • Page 241: Configuring Bbsm Radius Settings For A User Group

    The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. See Saving Changes to User Group Settings, and Configuring IETF RADIUS Settings for a User Group, page 6-38.
  • Page 242 Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
  • Page 243: Configuring Custom Radius Vsa Settings For A User Group

    RADIUS. Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. See Configuring IETF RADIUS Settings for a User Group, page 6-38.
  • Page 244: Group Setting Management

    Step 4 To open a user account (to view, modify, or delete a user), click the name of the user in the User List. The User Setup page for the particular user account selected appears. See Saving Changes to User Group Settings, page 6-56.
  • Page 245: Resetting Usage Quota Counters For A User Group

    The Renaming Group: Group Name page appears. Step 4 Type the new name in the Group field. Group names cannot contain angle brackets (< or >).
  • Page 246: Saving Changes To User Group Settings

    Step 2 To verify that your changes were applied, select the group and click Edit Settings. View the settings. The group remains in the same position in the list. The number value of the group is still associated with this group name.
  • Page 247: User Management

    The User Setup section of the Cisco Secure ACS HTML interface is the centralized location for all operations regarding user account configuration and administration.
  • Page 248: Chapter 7 User Management

    The following authentication types appear in the HTML interface only when the corresponding external user database has been configured in the Database Configuration area of the External User Databases section.
  • Page 249: Basic User Setup Options

    • ODBC Database—Authenticates a user from an Open Database Connectivity-compliant database server. • LEAP Proxy RADIUS Server Database—Authenticates a user from a LEAP Proxy RADIUS server. • Token Server—Authenticates a user from a token server database.
  • Page 250: Adding A Basic User Account

    The User Setup Edit page opens. The username being added is at the top of the page. The username can contain up to 64 characters. Names cannot contain the following special characters: # ? "...
  • Page 251 • To finish configuring the user account options and establish the user account, click Submit. • To continue to specify the user account options, perform other procedures in this chapter, as applicable.
  • Page 252: Setting Supplementary User Information

    • To continue to specify the user account options, perform other procedures in this chapter, as applicable. For lengthy account configurations, you can click Submit before continuing. This will prevent loss of information you have already entered if an unforeseen problem occurs.
  • Page 253: Setting A Separate Chap/Ms-Chap/Arap Password

    VoIP (null password) group, and the optional password is also included in the user profile, the password is not used until the user is re-mapped to a non-VoIP group.
  • Page 254: Assigning A User To A Group

    • To continue to specify the user account options, perform other procedures in this chapter, as applicable. Alternatively, you can scroll up in the list to select the Mapped By External Authenticator option.
  • Page 255: Setting User Callback Option

    Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
  • Page 256: Assigning A User To A Client Ip Address

    • box (up to 15 characters), if a specific IP address should be used for this user. Note The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
  • Page 257: Setting Network Access Restrictions For A User

    IP address assigned by an IP address pool configured on the AAA server. Select the AAA server IP pool name from the Available Pools list, and then click --> (right arrow button) to move the name into the Selected Pools list.
  • Page 258 Note NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client. When you create access restrictions on a per-user basis, Cisco Secure ACS does not enforce limits to the number of access restrictions and it does not enforce a limit to the length of each access restriction;...
  • Page 259 Select a shared NAR name in the NARs list, and then click --> (right arrow button) to move the name into the Selected NARs list. To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR, as applicable.
  • Page 260 • Denied Calling/Point of Access Locations The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although Cisco Secure...
  • Page 261 ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.
  • Page 262: Setting Max Sessions Options For A User

    Max Sessions totals. If the Max Sessions table does not appear, click Interface Configuration, click Advanced Options, and then select the Max Sessions check box.
  • Page 263 • To continue to specify the user account options, perform other procedures in this chapter, as applicable. See Adding a Basic User Account, page 7-4.
  • Page 264: Setting User Usage Quotas Options

    If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as...
  • Page 265 See Adding a Basic User Account, page 7-4. Up to 10 characters are allowed for this field.
  • Page 266: Setting Options For User Account Disablement

    Step 2 Do one of the following: Select the Never option to keep the user account always enabled. Note per Day—From 12:01 a.m. until midnight. per Week—From 12:01 a.m. Sunday until midnight Saturday.
  • Page 267: Assigning A Downloadable Ip Acl To A User

    Failed attempts exceed—Select the Failed attempts exceed check box and then type the number of consecutive unsuccessful login attempts to allow before disabling the account. The default is 5.
  • Page 268: Advanced User Authentication Settings

    • Advanced TACACS+ Settings (User), page 7-33 – Configuring TACACS+ Settings for a User, page 7-24 – Configuring a Shell Command Authorization Set for a User, page 7-26...
  • Page 269: Tacacs+ Settings (User)

    • Setting Juniper RADIUS Parameters for a User, page 7-51 • Setting BBSM RADIUS Parameters for a User, page 7-52 • Setting Custom RADIUS Attributes for a User, page 7-53
  • Page 270: Configuring Tacacs+ Settings For A User

    For more information about attributes, see Appendix B, “TACACS+ Attribute-Value Pairs”, or your AAA client documentation. For information on assigning an IP ACL, see... See also Support for Cisco Device-Management Applications.
  • Page 271 See Adding a Basic User Account, page 7-4.
  • Page 272: Configuring A Shell Command Authorization Set For A User

    Shell (exec) option is selected in the User column. • Ensure that you have already configured one or more shell command authorization sets. For detailed steps, see Adding a Command Authorization Set, page 5-31.
  • Page 273 <default> listing. The NDG or NDGs and associated shell command authorization set or sets are paired in the table. See Adding a Basic User Account, page 7-4.
  • Page 274 • record the options. • To continue to specify the user account options, perform other procedures in this chapter, as applicable. See About Pattern Matching, page 5-30.
  • Page 275: Configuring A Pix Command Authorization Set For A User

    Step 3 To prevent the application of any PIX command authorization set, select (or accept the default of) the None option. See Adding a Command Authorization Set, page 5-31, and Adding a Basic User Account, page 7-4.
  • Page 276: User

    • None—No authorization is performed for commands issued in the applicable Cisco device-management application. • Group—For this user, the group-level command authorization set applies for the applicable device-management application.
  • Page 277 Step 4 application at the group level, select the As Group option. See Adding a Command Authorization Set, page 5-31, and Adding a Basic User Account, page 7-4.
  • Page 278: Configuring The Unknown Service Setting For A User

    Step 2 Scroll down to the table under the heading Checking this option will PERMIT all UNKNOWN Services. See Adding a Basic User Account, page 7-4.
  • Page 279: Advanced Tacacs+ Settings (User)

    • Use Group Level Setting—Sets the privileges for this user as those configured at the group level. • No Enable Privilege—Disallows enable privileges for this user.
  • Page 280 • Define Max Privilege on a per-Network Device Group Basis Step 3 If you selected Max Privilege for Any Access Server in Step 2, select the appropriate privilege level from the corresponding list. This is the default setting.
  • Page 281: Setting Tacacs+ Enable Password Options For A User

    You must have already configured a device group for it to be listed. To delete an entry, select the entry and then click Remove Associate.
  • Page 282 • To continue to specify the user account options, perform other procedures in this chapter, as applicable. For information about basic password setup, see Adding a Basic User Account, page 7-4.
  • Page 283: Setting Tacacs+ Outbound Password For A User

    RADIUS VSAs, see Custom RADIUS Vendors and VSAs, page 9-28. See also Adding a Basic User Account, page 7-4, and Setting IETF RADIUS Parameters for a User.
  • Page 284: Setting Cisco Ios/Pix Radius Parameters For A User

    • User-level IETF RADIUS attributes are enabled under RADIUS (IETF) in the Interface Configuration section. Note To display or hide any of these attributes in the HTML interface, see Configuration Options for RADIUS, page 3-11.
  • Page 285 See Adding a Basic User Account, page 7-4, and Appendix C, “RADIUS...
  • Page 286 • To continue to specify the user account options, perform other procedures in this chapter, as applicable. See Adding a Basic User Account and Setting IETF RADIUS Parameters for a User.
  • Page 287 AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.
  • Page 288 • To continue to specify the user account options, perform other procedures in this chapter, as applicable. See Adding a Basic User Account, Setting IETF RADIUS Parameters for a User, Appendix C, “RADIUS Attributes”, or your AAA client documentation.
  • Page 289: Setting Ascend Radius Parameters For A User

    See Adding a Basic User Account, page 7-4, and Setting IETF RADIUS Parameters for a User, page 7-38.
  • Page 290: Setting Cisco Vpn 3000 Concentrator Radius Parameters For A User

    Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 3000 Concentrator RADIUS attributes. See Appendix C, “RADIUS...
  • Page 291 • To continue to specify the user account options, perform other procedures in this chapter, as applicable. See Adding a Basic User Account, page 7-4, and Setting IETF RADIUS Parameters for a User, page 7-38.
  • Page 292: Setting Cisco Vpn 5000 Concentrator Radius Parameters For A User

    IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User, page 7-38. See also Adding a Basic User Account.
  • Page 293: Setting Microsoft Radius Parameters For A User

    RADIUS (Microsoft) attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured. See Appendix C, “RADIUS...
  • Page 294 Step 2 Before configuring Cisco IOS RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see...
  • Page 295: Setting Nortel Radius Parameters For A User

    IETF attributes. The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. See Appendix C, “RADIUS...
  • Page 296 • To continue to specify the user account options, perform other procedures in this chapter, as applicable. See Adding a Basic User Account, Setting IETF RADIUS Parameters for a User, and Appendix C, “RADIUS...
  • Page 297: Setting Juniper Radius Parameters For A User

    See Adding a Basic User Account, page 7-4, and Setting IETF RADIUS Parameters for a User, page 7-38.
  • Page 298: Setting Bbsm Radius Parameters For A User

    Step 1 Perform Step 1 through Step 3 of ... The User Setup Edit page opens. The username being added or edited is at the top of the page.
  • Page 299: Setting Custom Radius Attributes For A User

    You must configure both the IETF RADIUS and the custom RADIUS attributes. Proprietary attributes override IETF attributes. See Setting IETF RADIUS Parameters for a User, page 7-38.
  • Page 300: User Management

    • Finding a User, page 7-55 • Disabling a User Account, page 7-56
  • Page 301: Listing All Users

    Step 1 In the navigation bar, click User Setup. The User Setup Select page opens. Step 2 Type the name in the User box, and then click Find.
  • Page 302: Disabling A User Account

    The User Setup Select page opens. Step 2 In the User box, type the name of the user whose account is to be disabled. You can use wildcard characters (*) in this box.
  • Page 303: Deleting A User Account

    Step 2 In the User box, type the complete username to be deleted. Note Alternatively, you can click List All Users and then select the user from the list that appears. See RDBMS Synchronization, page 9-25, for more...
  • Page 304: Resetting User Session Quota Counters

    Step 4 In the Session Quotas section, select the Reset All Counters on submit check box. The Delete button appears only when you are editing user information, not when you are adding a username.
  • Page 305: Resetting A User Account After Login Failure

    Alternatively, you can click List All Users and then select the user from the list that appears. This counter shows the number of unsuccessful login attempts since the last time this user logged in successfully.
  • Page 306: Saving User Settings

    Step 2 To verify that your changes were applied, type the username in the User box and click Add/Edit, and then review the settings. If the user authenticates with a Windows user database, this expiration information is in addition to the information in the Windows user account.
  • Page 307: System Configuration: Basic

    For more information about Cisco Secure ACS services, see 78-16592-01 C H A P T E R Chapter 1, “Overview”. User Guide for Cisco Secure ACS for Windows Server...
  • Page 308: Determining The Status Of Cisco Secure Acs Services

    To stop, start, or restart Cisco Secure ACS services, follow these steps: User Guide for Cisco Secure ACS for Windows Server Chapter 8 System Configuration: Basic 11-33.
  • Page 309: Chapter 8 System Configuration: Basic

    For example, if you are using the month/day/year format, Cisco Secure ACS assigns the name 2001-07-12.csv to a... (See Chapter 1, “Overview”.)
  • Page 310 ...Cisco Secure ACS. Click the Logoff button (a button with an X) in the upper-right corner of the browser window...
  • Page 311: Local Password Management

    ...Telnet session hosted by a TACACS+ AAA client. Users who submit a password change receive the text message that you type in the corresponding box...
  • Page 312 If the maximum number of files is exceeded, Cisco Secure ACS deletes the oldest log file. If the maximum age of a file is exceeded, Cisco Secure ACS deletes the file.
  • Page 313: Configuring Local Password Management

    ...Telnet session and when the Telnet password change feature has been disabled (Step b)...
  • Page 314 ...Cisco Secure ACS should retain a User Password Changes log file before deleting it. Step 8: Click Submit. Cisco Secure ACS restarts its services and implements the settings you specified...
  • Page 315: Cisco Secure ACS Backup

    For information about using a backup file to restore Cisco Secure ACS, see Cisco Secure ACS System Restore, page 8-14. Backup File Locations: The default directory for backup files is the following: drive:\path\CSAuth\System Backups...
  • Page 316: Directory Management

    Windows Registry that is relevant to Cisco Secure ACS. The user database backup includes all user information, such as username, password, and other authentication information, including server certificates and the certificate trust list. The Windows Registry information includes any system information that is stored in the Windows Registry, such as NDG information, AAA client configuration, and administrator accounts.
  • Page 317: Backup Options

    • Directory—The directory where Cisco Secure ACS writes the backup file. The directory must be specified by its full path on the Windows server that runs Cisco Secure ACS, such as... • Manage Directory—Defines whether Cisco Secure ACS deletes older...
  • Page 318: Scheduling Cisco Secure ACS Backups

    In the day and hour graph, click the times at which you want Cisco Secure ACS to perform a backup. Because Cisco Secure ACS is momentarily shut down during backup, if the backup interval is too frequent, users might be unable to authenticate.
  • Page 319: Disabling Scheduled Cisco Secure ACS Backups

    Clicking times of day on the graph selects those times; clicking again clears them. At any time you can click Clear All to clear all hours, or you can click Set All to select all hours...
  • Page 320: Cisco Secure ACS System Restore

    The ACS System Restore feature restores the Cisco Secure ACS user database and Cisco Secure ACS Windows Registry information from a file that was created by the ACS Backup feature. Cisco Secure ACS writes backup files only on the local...
  • Page 321: Components Restored

    Components Restored: You can select the components to restore: the user and group databases, the system configuration, or both. (\CSAuth\System Backups ... yyyy ... hh ... .dmp)...
  • Page 322: Reports of Cisco Secure ACS Restorations

    Step 4: In the list below the Directory box, select the backup file you want to use to restore Cisco Secure ACS. ...<No Matching Files> appears...
  • Page 323: Cisco Secure ACS Active Service Management

    Cisco Secure ACS accomplishes system monitoring with the CSMon service. For more information about the CSMon service, see CSMon, page G-4...
  • Page 324: System Monitoring Options

    • Log all events to the NT Event log—Specifies whether Cisco Secure ACS generates a Windows event log entry for each exception event. *Restart All—Restart all Cisco Secure ACS services.
  • Page 325: Setting Up System Monitoring

    SMTP Mail Server—The simple mail transfer protocol (SMTP) server that Cisco Secure ACS should use to send notification e-mail. You can identify the SMTP server either by its hostname or by its IP address...
  • Page 326: Event Logging

    In the To box, type the e-mail address (up to 200 characters) to which Cisco Secure ACS should send event notification e-mail. Note: Do not use underscores in the e-mail addresses you type in this box. (See System Monitoring Options, page ...)
  • Page 327: VoIP Accounting Configuration

    In the SMTP Mail Server box, type the hostname (up to 200 characters) of the sending e-mail server. Step 5: If you want to set up system monitoring, see page 8-19. If you are done setting up Cisco Secure ACS Service Management, click Submit.
  • Page 328 ...Accounting Configuration table displays the options for VoIP accounting. Step 3: Select the VoIP accounting option you want. Step 4: Click Submit. Cisco Secure ACS implements the VoIP accounting configuration you specified...
  • Page 329: CiscoSecure Database Replication

    This chapter addresses the CiscoSecure Database Replication and RDBMS Synchronization features found in the System Configuration section of Cisco Secure ACS for Windows Server. This chapter contains the following topics: • CiscoSecure Database Replication, page 9-1...
  • Page 330: Chapter 9 System Configuration: Advanced

    • Update the secondary Cisco Secure ACSes to create matching configurations. The following items cannot be replicated: ... • Replication Components Options, page 9-11 • Outbound Replication Options, page 9-12 • Inbound Replication Options, page 9-15...
  • Page 331 ...Cisco Secure ACS software. For example, if the primary Cisco Secure ACS is running Cisco Secure ACS version 3.2, all secondary Cisco Secure ACSes should... (About IP Pools Server, 9-7). Important...
  • Page 332: Replication Process

    The primary Cisco Secure ACS contacts the secondary Cisco Secure ACS. In this initial connection, the following four events occur: The two Cisco Secure ACSes perform mutual authentication based upon the shared secret of the primary Cisco Secure ACS. If authentication fails, replication fails.
  • Page 333 ...Cisco Secure ACS. During this step, if AAA clients are configured properly, those that usually use the secondary Cisco Secure ACS fail over to another Cisco Secure ACS...
  • Page 334 Cisco Secure ACSes. After replication from server 1 to server 2 has completed, server 2 acts as a primary Cisco Secure ACS while replicating to servers 4 and 5. Similarly, server 3 acts as a primary Cisco Secure ACS while replicating to servers 6 and 7.
  • Page 335: Replication Frequency

    ...Cisco Secure ACSes involved in replication use the same patch level, too. • You must ensure correct configuration of the AAA Servers table in all Cisco Secure ACSes involved in replication...
  • Page 336 Cisco Secure ACSes which, in turn, each replicate to two more Cisco Secure ACSes, the primary Cisco Secure ACS must have AAA server configurations for all six Cisco Secure ACSes that will receive replicated database components. Configuring a Secondary Cisco Secure ACS,...
  • Page 337 ...VSA definitions on primary and secondary Cisco Secure ACSes, making sure that the RADIUS vendor slots that the user-defined RADIUS vendors occupy are identical on each Cisco Secure ACS. After you have done so, replication...
  • Page 338: Database Replication Versus Database Backup

    Do not confuse database replication with system backup. Database replication does not replace System Backup. While both features protect against partial or complete server loss, each feature addresses the issue in a different way. System Backup archives data into a format that you can later use to restore the configuration if the system fails or the data becomes corrupted.
  • Page 339: Replication Options

    • Network Configuration Device tables—Replicate the AAA Servers tables and the AAA Clients tables in the Network Configuration section. This also controls whether NDGs are replicated...
  • Page 340: Outbound Replication Options

    For example, if the primary Cisco Secure ACS replicates to two secondary Cisco Secure ACSes which, in turn, each replicate to two more Cisco Secure ACSes, the primary Cisco Secure ACS must have AAA server configurations for all six Cisco Secure ACSes that will receive replicated database components...
  • Page 341 ...Cisco Secure ACSes which, in turn, each replicate to two more Cisco Secure ACSes, the primary Cisco Secure ACS must have AAA server configurations for all six Cisco Secure ACSes that will receive replicated database components...
  • Page 342 The items in the AAA Server and Replication lists reflect the AAA servers configured in the AAA Servers table in Network Configuration. To make a particular Cisco Secure ACS available as a secondary Cisco Secure ACS, you must first add that Cisco Secure ACS to the AAA Servers table of the primary Cisco Secure ACS.
  • Page 343: Inbound Replication Options

    • Other AAA servers—The list displays all the AAA servers configured in the AAA Servers table in Network Configuration. If a specific AAA server name is selected, Cisco Secure ACS accepts replicated components only from the Cisco Secure ACS specified.
  • Page 344 For example, if the primary Cisco Secure ACS replicates to two secondary Cisco Secure ACSes which, in turn, each replicate to two more Cisco Secure ACSes, the primary Cisco Secure ACS must have AAA server configurations for all six Cisco Secure ACSes that will receive replicated database components.
  • Page 345: Configuring a Secondary Cisco Secure ACS

    Step 2: In the navigation bar, click System Configuration. Step 3: Click CiscoSecure Database Replication. The Database Replication Setup page appears. (See Scheduling Replication, page 9-21; Replicating Immediately, page 9-19; AAA Server Configuration, page 4-21...)
  • Page 346 Cisco Secure ACS, from the Accept replication from list, select Any Known CiscoSecure ACS Server. The Any Known CiscoSecure ACS Server option is limited to the Cisco Secure ACSes listed in the AAA Servers table in Network Configuration.
  • Page 347: Replicating Immediately

    ...Servers table entries for the primary Cisco Secure ACS must have identical shared secrets. (See Configuring a Secondary Cisco Secure ACS, page 9-17, and Implementing Primary and Secondary Replication Setups...)
  • Page 348 Step 7: ...Cisco Secure ACS saves the replication configuration. Cisco Secure ACS immediately begins sending replicated database components to the secondary Cisco Secure ACSes you specified...
  • Page 349: Scheduling Replication

    ...RADIUS attribute. (See Outbound Replication Options, page 9-12; Configuring a Secondary Cisco Secure ACS, page 9-17; Implementing Primary and Secondary Replication Setups...)
  • Page 350 In the Outbound Replication table, select the At specific times option. In the day and hour graph, click the times at which you want Cisco Secure ACS to perform replication.
  • Page 351 The secondary Cisco Secure ACSes available in the AAA Servers list are determined by the AAA Servers table in Network Configuration. For more information about the AAA Servers table, see AAA Server Configuration, page 4-21...
  • Page 352: Disabling CiscoSecure Database Replication

    Step 5: In the Outbound Replication table, select the Manually option. Step 6: Click Submit. Cisco Secure ACS does not permit any replication to or from this Cisco Secure ACS server...
  • Page 353: RDBMS Synchronization

    • Custom RADIUS Vendors and VSAs, page 9-28 • About CSDBSync, page 9-29 • About the accountActions Table, page 9-31 • Preparing for CSV-Based Synchronization, page 9-36 • RDBMS Setup Options, page 9-38 • Synchronization Scheduling Options, page 9-39...
  • Page 354: About RDBMS Synchronization

    For more information about accountActions, see About the accountActions Table, page 9-31. For information about all actions that RDBMS Synchronization can perform, see Appendix F, “RDBMS Synchronization Import Definitions”. (Synchronization Partners Options, page 9-39...)
  • Page 355: Users

    • Configuring command authorizations. • Configuring network access restrictions. • Configuring time-of-day/day-of-week access restrictions. • Specifying outbound RADIUS attribute values. • ... (See Appendix F, “RDBMS Synchronization Import Definitions”.)
  • Page 356: Network Configuration

    You can define up to ten custom RADIUS vendors. Cisco Secure ACS allows only one instance of any given vendor, as defined by the unique vendor IETF ID number and by the vendor name. (See Appendix F, “RDBMS Synchronization Import Definitions”.)
  • Page 357: RDBMS Synchronization Components

    ...“accountActions”. Synchronization events fail if CSDBSync cannot access the accountActions table. This service looks specifically for a... (See Figure 9-2; Appendix F, “RDBMS Synchronization Import Definitions”; CiscoSecure Database Replication.)
  • Page 358 In Figure 9-2, Cisco Secure Access Control Server 1 is the senior synchronization partner and the other two Cisco Secure ACSes are its synchronization partners. Note: The senior synchronization partner must have AAA configurations for each Cisco Secure ACS that is a synchronization partner.
  • Page 359: About the accountActions Table

    Microsoft ODBC text file driver ... schema.ini ... \CSDBSync\Databases ... CiscoSecure ... schema.ini (See Appendix F, “RDBMS Synchronization Import Definitions”.)...
  • Page 360: Cisco Secure ACS Database Recovery Using the accountActions Table

    • SQL Server 6.5—Contains the files ... testData.sql ... procedure needed to generate an accountActions table. The file contains Microsoft SQL Server 6.5 SQL procedures for updating the accountActions table with sample transactions that CSDBSync can process. Cisco Secure ACS Database Recovery Using the accountActions Table...
  • Page 361: Reports and Event (Error) Handling

    For details on the format and content of the... (See Appendix F, “RDBMS Synchronization Import Definitions”; About the accountActions Table, page 9-31; Cisco Secure ACS System Logs; Service Logs...)
  • Page 362 For detailed steps about adding a AAA server, see... On all the other synchronization partners, verify that there is a AAA server configuration for the senior synchronization partner. If no AAA server configuration for the senior synchronization partner exists, create one. For...
  • Page 363: Considerations for Using CSV-Based Synchronization

    ...Cisco Secure ACS and to Cisco Secure ACS configuration. For more information, see Preparing for CSV-Based Synchronization, page 9-36; Scheduling RDBMS Synchronization, page 9-41; Cisco Secure ACS Service Logs... (\CSDBSync)
  • Page 364: Preparing for CSV-Based Synchronization

    Step 3: Type net stop CSDBSync and then press Enter. Type: ... (accountactions.csv; \CSDBSync\Databases\CSV) You cannot perform synchronization using a relational database table rather than a CSV file when the OdbcUpdateTable value is ...
  • Page 365: Configuring a System Data Source Name for RDBMS Synchronization

    ...Microsoft Access database provided with CiscoSecure DBSync (CiscoSecure Transactions.mdb). In Windows 2000, the ODBC Data Sources icon is located in the Administrative Tools folder. (...system DSN rather than file, see page 9-33.)
  • Page 366: RDBMS Synchronization Options

    Step 6: Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs. Step 7: Click OK. The name you assigned to the DSN appears in the System Data Sources list.
  • Page 367: Synchronization Scheduling Options

    The Synchronization Partners table defines which Cisco Secure ACSes are synchronized with data from the accountActions table. It provides the following options: • AAA Server—This list represents the AAA servers configured in the AAA Servers table in Network Configuration for which the Cisco Secure ACS does not perform RDBMS synchronization.
  • Page 368: Performing RDBMS Synchronization Immediately

    Step b: In the Password box, type the password for the username specified in the... Cisco Secure ACS has the information necessary to access the accountActions table. If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the RDBMS Synchronization check box.
  • Page 369: Scheduling RDBMS Synchronization

    Disabling Scheduled RDBMS Synchronizations, page 9-43. If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the RDBMS Synchronization check box...
  • Page 370 ...Set All to select all hours. Step 6: For each Cisco Secure ACS you want to synchronize with data from the accountActions table, follow these steps:
  • Page 371: Disabling Scheduled RDBMS Synchronizations

    The Cisco Secure ACSes available in the AAA Servers list are determined by the AAA Servers table in Network Configuration, with the addition of the name of the current Cisco Secure ACS server. For more information about the AAA Servers table, see AAA Server Configuration, page 4-21.
  • Page 372: IP Pools Server

    IP address as that used by another PPTP tunnel client in a different tunnel. The IP Pools Server feature enables you to assign the same IP address to multiple users, provided that the users are being tunnelled to different home gateways for routing beyond the boundaries of your own network.
  • Page 373: Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges

    Note: To use overlapping pools, you must be using RADIUS with VPN, and you cannot be using Dynamic Host Configuration Protocol (DHCP). (See Setting IP Address..., Assigning a User to a Client..., page 7-10.)
  • Page 374 Note: ...Advanced Options, and then select the IP Pools check box. The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use. If you want to allow overlapping IP pool address ranges, follow these steps:...
  • Page 375: Refreshing the AAA Server IP Pools Table

    Refreshing the AAA Server IP Pools Table: You can refresh the AAA Server IP Pools table. This allows you to get the latest usage statistics for your IP pools. To refresh the AAA Server IP Pools table, follow these steps: In the navigation bar, click System Configuration.
  • Page 376: Editing an IP Pool Definition

    Step 2: Click IP Pools Server. The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use. Click the name of the IP pool you need to edit.
  • Page 377: Resetting an IP Pool

    Step 2: Click IP Pools Server. The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use. Click the name of the IP pool you need to reset.
  • Page 378: Deleting an IP Pool

    Step 5: ...The IP pool is reset. All its IP addresses are reclaimed. In the In Use column of the AAA Server IP Pools table, zero percent of the IP pool addresses are assigned to users. Deleting an IP Pool...
  • Page 379: IP Pools Address Recovery

    Step 5: To delete the IP pool, click OK. The IP pool is deleted. The AAA Server IP Pools table does not list the deleted IP pool. IP Pools Address Recovery: The IP Pools Address Recovery feature enables you to recover assigned IP addresses that have not been used for a specified period of time.
  • Page 380 Cisco Secure ACS implements the IP pools address recovery settings you made...
  • Page 381: About Certification and EAP Protocols

    This section contains the following topics: • Digital Certificates, page 10-2 • EAP-TLS Authentication, page 10-2 • PEAP Authentication, page 10-8 • EAP-FAST Authentication, page 10-13...
  • Page 382: Chapter 10 System Configuration: Authentication and Certificates

    Note: Depending on the end-user client involved, the CA certificate for the CA that issued the Cisco Secure ACS server certificate is likely to be required in local storage for trusted root CAs on the end-user client computer. EAP-TLS Authentication...
  • Page 383: About the EAP-TLS Protocol

    Cisco Secure ACS self-signed certificate capability. Depending on the end-user client involved, the CA certificate for the CA that issued the Cisco Secure ACS server certificate is likely to be required in local storage for trusted root CAs on the end-user client computer.
  • Page 384: EAP-TLS and Cisco Secure ACS

    • Certificate Binary Comparison—Based on a binary comparison between the user certificate stored in the user object in the LDAP server or Active Directory and the certificate presented by the user during EAP-TLS authentication. This comparison method cannot be used to authenticate users stored in an ODBC external user database.
  • Page 385 EAP-TLS session has not timed out, Cisco Secure ACS uses the cached TLS session, resulting in faster EAP-TLS performance and lessened AAA server load. When Cisco Secure ACS resumes an EAP-TLS session, the user reauthenticates by SSL handshake only, without a certificate comparison.
  • Page 386: EAP-TLS Limitations

    ...ACS to perform binary comparison of user certificates, the user certificate must be stored in Active Directory or an LDAP server, using a binary format. Also, the attribute storing the certificate must be named “usercertificate”. • Windows server type—If you want to use Active Directory to authenticate...
  • Page 387: Enabling EAP-TLS Authentication

    Before You Begin For EAP-TLS machine authentication, if you have a Microsoft certification authority server configured on the domain controller, you can configure a policy in Active Directory to produce a client certificate automatically when a computer is added to the domain. For more information, see...
  • Page 388: PEAP Authentication

    • Enabling PEAP Authentication, page 10-12. About the PEAP Protocol: The PEAP (Protected EAP) protocol is a client-server security architecture that provides a means of encrypting EAP transactions, thereby protecting the contents of EAP authentications. PEAP has been posted as an IETF Internet Draft by RSA, Cisco, and Microsoft and is available at draft-josefsson-pppext-eap-tls-eap-05.txt.
  • Page 389: PEAP and Cisco Secure ACS

    Cisco Secure ACS to the end-user client, ensuring that the user or machine credentials sent in phase two are sent to a AAA server that has a certificate issued by a trusted CA. The first phase uses a TLS handshake to establish an SSL tunnel.
  • Page 390 PEAP. If a user needs to reconnect and the original PEAP session has not timed out, Cisco Secure ACS uses the cached TLS session, resulting in faster PEAP performance and lessened AAA server load.
  • Page 391: PEAP and the Unknown User Policy

    ...Unknown User Policy is enabled, Cisco Secure ACS attempts to authenticate the PEAP user with unknown user processing. For more information about unknown user processing, see About Unknown User Authentication, page 15-4.
  • Page 392: Enabling PEAP Authentication

    Note: End-user client computers must be configured to support PEAP. This procedure is specific to configuration of Cisco Secure ACS only. To enable PEAP authentication, follow these steps: Step 1: Install a server certificate in Cisco Secure ACS. PEAP requires a server certificate. For detailed steps, see ...Certificate, page ... Enable PEAP on the Global Authentication Setup page.
  • Page 393: EAP-FAST Authentication

    About EAP-FAST The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based upon strong secrets that are unique to users.
  • Page 394 After phase one of EAP-FAST, all data is encrypted, including username information usually sent in clear text.
  • Page 395: About Master Keys

    The backup master key is used only if the active master key retires... (See Enabling Password Aging for Users in Windows Databases; About PACs, page 10-17; Master Key and PAC TTLs, page 10-21.)
  • Page 396 An end-user client presenting a PAC that was generated with an expired master key must be provided a new PAC using automatic or manual provisioning before phase one of EAP-FAST can succeed.
  • Page 397: About PACs

    EAP-FAST phase two. Cisco Secure ACS generates PACs using the active master key and a username. An EAP-FAST end-user client stores PACs for each user accessing the network with the client. Additionally, a AAA server that supports EAP-FAST has a unique Authority ID. An end-user client associates a user’s PACs with the Authority ID of the AAA server that generated them.
  • Page 398 ...Cisco Secure ACS administrator, provided that both Cisco Secure ACS and the end-user client are configured to support automatic provisioning. (See Master Key and PAC TTLs, page 10-21.) Automatic provision—Sends a PAC using a secure network connection.
  • Page 399 ...Global Authentication Setup page in the System Configuration section. For more information, see Authentication Configuration Options, page 10-27. (See also Manual PAC Provisioning...)
  • Page 400 When you generate PAC files for groups of users or all users, the users must be known or discovered users and cannot be unknown users. Cisco Secure ACS for Windows Server supports the generation of PAC files with CSUtil.exe. For more information about generating PACs with CSUtil.exe, see PAC File Generation, page D-40.
  • Page 401: Master Key and PAC TTLs

    ...PAC. If automatic provisioning is disabled, phase zero does not occur and phase one fails. You must use manual provisioning to give the user a new PAC. Table 10-1 summarizes...
  • Page 402: Replication and EAP-FAST

    ...Send, you have selected the EAP-FAST master keys and policies check box. • On the Global Authentication Setup page of the primary Cisco Secure ACS, you have enabled EAP-FAST and selected the EAP-FAST master server check box. • On the Database Replication Setup page of the secondary Cisco Secure ACS,...
  • Page 403 [Table: Client initial message | Master keys | EAP-FAST master server | Actual EAP-FAST server status] The EAP-FAST master server setting has a significant effect upon EAP-FAST authentication and replication, as follows: • Enabled—When the EAP-FAST master server check box is selected, the “Actual EAP-FAST server status” is...
  • Page 404 Cisco Secure ACS. Also, a PAC generated for a user by one Cisco Secure ACS in a replication scheme where the EAP-FAST master server setting is disabled is accepted by all other Cisco Secure ACSes in the same replication scheme.
  • Page 405: Enabling EAP-FAST

    ...PACs based on expired master keys. User database support differs for EAP-FAST phase zero and phase two. For user database configuration, see ...Databases”. (Authentication..., page 1-10.)
  • Page 406: Global Authentication Setup

    This section contains the following topics: • Authentication Configuration Options, page 10-27 • Configuring Authentication Options, page 10-33 (...page 10-18, and Manual PAC Provisioning, page ...)
  • Page 407: Authentication Configuration Options

    Fast reconnection can occur only when Cisco Secure ACS allows the session to resume because the session has not timed out. If you disable the PEAP session resume feature by entering 0 (zero) in the PEAP...
  • Page 408 The default retired master key TTL is three months. When a retired master key ages past the retired master key TTL, it expires and Cisco Secure ACS deletes it.
  • Page 409 – Authority ID Info—A short description of this Cisco Secure ACS, sent along with PACs issued by Cisco Secure ACS. EAP-FAST end-user clients use it to describe the AAA server that issued the PAC. Maximum length is 64 characters. Decreasing the retired master key TTL is likely to cause some retired master keys to expire;...
  • Page 410 Authority ID. If this option displays “Slave”, Cisco Secure ACS uses master keys and the Authority ID it receives during replication. For more information, see If you deselect the EAP-FAST Master Server check box, EAP-FAST server status remains “Master” until Cisco Secure ACS receives replicated EAP-FAST components.
  • Page 411 If one comparison type fails, Cisco Secure ACS attempts the next enabled comparison type. Comparison stops after the first successful comparison.
  • Page 412 Session-Timeout (27) attribute is the value specified in the Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) or, if that attribute is not enabled, the IETF RADIUS Session-Timeout (27) attribute.
  • Page 413: Configuring Authentication Options

    1. TACACS+ support for MS-CHAP version 1 is always enabled and is not configurable. For more information on the PEAP protocol, see PEAP Authentication, page 10-13. For details regarding how various...
  • Page 414: Cisco Secure ACS Certificate Setup

    Submit. Cisco Secure ACS saves the authentication configuration options you selected. Cisco Secure ACS Certificate Setup This section contains the following topics: • Installing a Cisco Secure ACS Server Certificate, page 10-35 • Adding a Certificate Authority Certificate, page 10-37 •...
  • Page 415: Installing a Cisco Secure ACS Server Certificate

    You must have a server certificate for your Cisco Secure ACS before you can install it. With Cisco Secure ACS, certificate files must be in Base64-encoded X.509. If you do not already have a server certificate in storage, you can use the procedure in means, to obtain a certificate for installation.
  • Page 416 Note: If the certificate was installed in storage with the private key, you do not have the private key file and do not need to type it. This is the private key associated with the server certificate. Step 6 In the Private key password box, type the private key password...
  • Page 417: Adding a Certificate Authority Certificate

    page 10-38, where you signify that the CA is to be trusted. (Cisco Secure ACS comes configured with a list of popular CAs, none of which are enabled until you explicitly signify trustworthiness.)
  • Page 418: Editing The Certificate Trust List

    Cisco Secure ACS administrator must explicitly configure the CA as trusted by editing the CTL. If the Cisco Secure ACS server certificate is replaced, the CTL is erased; you must configure the CTL explicitly each time you install or replace a Cisco Secure ACS server certificate.
  • Page 419 If a user’s certificate is from a CA that you have not...
  • Page 420: Managing Certificate Revocation Lists

    A CRL is a signed and time-stamped data structure issued by a CA (or CRL issuer) and made freely available in a public repository (for example, in an LDAP server). Details on the operation of the X.509 CRL profile are contained in RFC3280.
  • Page 421 CRL issuers can only be added in association with trusted CAs (that is, CAs on the CTL). If you install a new server certificate for Cisco Secure ACS, your CTL is cleared of all trust relationships. While you must reestablish CAs on the CTL, the associated CRLs that you previously configured remain in place and do not have to be reconfigured.
  • Page 422 Step 7 In the Issuer’s Certificate box, use the drop-down arrow to select from the list the CA certificate associated with this CRL issuer.
  • Page 423 You can refer to the Last Retrieve date: box to see the status, date, and time of the last retrieval attempt.
  • Page 424 Step 4 Click the name of the CRL issuer you want to delete. The system displays the details of the CRL issuer that you selected. You can refer to the Last Retrieve date: box to see the status, date, and time of the last CRL retrieval attempt.
  • Page 425: Generating a Certificate Signing Request

    After you generate a CSR, you can submit it to a CA to obtain your certificate. You perform this procedure to generate the CSR for future use with a certificate enrollment tool. Note: If you already have a server certificate, you do not need to use this portion of the ACS Certificate Setup page.
  • Page 426 Step 10 After you receive the certificate from the CA, you can perform the steps in Installing a Cisco Secure ACS Server Certificate, page 10-35.
  • Page 427: Using Self-Signed Certificates

    To ensure that a self-signed certificate interoperates with the client, refer to your client documentation. You may find that you must import the self-signed server certificate as a CA certificate on your particular client.
  • Page 428: Self-Signed Certificate Configuration Options

    • Key length—Select the key length from the choices listed. The choices include 512 bits, 1024 bits, and 2048 bits. CN—common name (the mandatory entry) OU—organizational unit name...
  • Page 429: Generating a Self-Signed Certificate

    Step 10 In the Digest to sign with box, select the hash digest to be used to encrypt the key.
  • Page 430: Updating or Replacing a Cisco Secure ACS Certificate

    Step 2 Click ACS Certificate Setup. Cisco Secure ACS displays the Installed Certificate Information table on the ACS Certificate Setup page. If you use the Install generated certificate option, you must restart Cisco Secure ACS services after submitting this form to adopt the new settings.
  • Page 431 Step 5 You can now install the replacement certificate in the same manner as an original certificate. For detailed steps, see Installing a Cisco Secure ACS Server Certificate, page 10-35.
  • Page 433 Logs and Reports: Cisco Secure ACS for Windows Server produces a variety of logs and provides a way to view most of these logs in the Cisco Secure ACS HTML interface as HTML reports. This chapter contains the following topics: • Logging Formats, page 11-2 •...
  • Page 434: Logs and Reports

    CSV file in a third-party application such as Microsoft Excel, please see the documentation supplied by the third-party vendor. You can access the CSV files either on the Cisco Secure ACS server hard drive or by downloading the CSV file from the HTML interface. For more information...
  • Page 435 A value of Remote-logging-failed indicates that the remote logging service did not process the accounting packet successfully.
  • Page 436: NAC Attributes in Logs

    Authentications and Failed Attempts logs. All inbound attributes are available for logging. The only two outbound attributes that you can record in logs are Application-Posture-Token and System-Posture-Token. Cisco Secure ACS cannot determine how a remote logging service is configured to process accounting packets that it is forwarded.
  • Page 437: Update Packets in Accounting Logs

    • logging server, enable the Log Update/Watchdog Packets from this remote AAA Server option for the remote server's AAA Server table entry on the local Cisco Secure ACS. For more information on setting this option for a AAA server, see...
  • Page 438: About Cisco Secure ACS Logs and Reports

    In the HTML interface, all accounting logs can be enabled, configured, and viewed. Cisco Secure ACS HTML interface regarding accounting logs. Table 11-1...
  • Page 439 (table rows: AAA client messages with username; caller line identification information; session duration; VoIP session stop and start times; AAA client messages with username; CLID information; VoIP session duration.)
  • Page 440 Table 11-2 What You Can Do with Accounting Logs: Enable an accounting log... In entries in the Failed Attempts log, the ExtDB Info attribute contains the database that last successfully authenticated the user.
  • Page 441: Dynamic Administration Reports

    • ODBC—For instructions on configuring an ODBC accounting log, see Configuring an ODBC Log, page 11-23. ...contains descriptions of all dynamic administration reports and...
  • Page 442: Viewing the Logged-In Users Report

    AAA client. At the bottom of the table, the All AAA Clients entry shows the total number of users logged in.
  • Page 443: Deleting Logged-In Users

    Click the column a second time to sort the table by the entries in that column in descending order.
  • Page 444: Viewing the Disabled Accounts Report

    Step 3 To edit a user account listed, in the User column, click the username. Cisco Secure ACS opens the user account for editing.
  • Page 445: Cisco Secure ACS System Logs

    For instructions on configuring the Administration Audit log, see Configuring the Administration Audit Log, page 11-14.
  • Page 446: Configuring the Administration Audit Log

    • Every month—Cisco Secure ACS generates a new Administrative Audit CSV file at the start of each month.
  • Page 447: Working with CSV Logs

    CSV files in chronological order, with the current CSV file at the top of the list. The current file is named log.csv, where log is the name of the log.
  • Page 448: CSV Log File Locations

    (Table of CSV log file locations, residue only.) Logs listed: VoIP Accounting; Failed Attempts; Passed Authentications; Cisco Secure ACS Backup and Restore; RDBMS Synchronization; Administration Audit; Database Replication. Default location: :\Program Files\CiscoSecure ACS v ... Logs\TACACS+Accounting; file names of the form 2002-10-13.csv.
  • Page 449: Enabling or Disabling a CSV Log

    If you disabled the log, Cisco Secure ACS stops logging information for the log selected. (Table residue: default locations CSAuth\PasswordLogs and Logs\ServiceMonitoring.)
  • Page 450: Viewing a CSV Report

    Click the CSV report filename whose contents you want to view. If the CSV report file contains information, the information appears in the display area. You can configure how Cisco Secure ACS handles old CSV report files.
  • Page 451: Configuring a CSV Log

    CSV file reaches a particular size. To check for newer information in the current CSV report, click Refresh.
  • Page 452 Step 6 To set the attributes in the Logged Attributes list back to the default selections, at the bottom of the browser window, click Reset Columns.
  • Page 453: Working with ODBC Logs

    • Preparing for ODBC Logging, page 11-22 • Configuring a System Data Source Name for ODBC Logging, page 11-22 • Configuring an ODBC Log, page 11-23
  • Page 454: Preparing for ODBC Logging

    Step 1 In Windows Control Panel, double-click ODBC Data Sources. Step 2 In the ODBC Data Source Administrator page, click the System DSN tab.
  • Page 455: Configuring an ODBC Log

    Step 5 Type a descriptive name for the DSN in the Data Source Name box. Step 6 Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant relational database runs. Step 7 Click OK. Close the ODBC window and Windows Control Panel.
  • Page 456 Cisco Secure ACS to send ODBC logging data to your relational database. In the Username box, type the username of a user account in your relational database (up to 80 characters).
  • Page 457 The right side of the browser displays an SQL create table statement for Microsoft SQL Server. The table name is the name specified in the Table Name box. The column names are the attributes specified in the Logged Attributes list.
  • Page 458: Remote Logging

    Cisco Secure ACSes. You can configure each Cisco Secure ACS to point to one Cisco Secure ACS that is to be used as a central logging server. The central logging Cisco Secure ACS still performs AAA functions, but it also is the repository for accounting logs it receives.
  • Page 459: Implementing Centralized Remote Logging

    Server. Step 2 In the Cisco Secure ACS running on the central logging server, follow these steps: Configure the accounting logs as needed. All accounting data sent to the central logging server will be recorded in the way you configure accounting logs on this Cisco Secure ACS.
  • Page 460: Remote Logging Options

    If the central logging server is to log watchdog and update packets for a Cisco Secure ACS, be sure that the Log Update/Watchdog Packets from this remote AAA Server check box is selected for that Cisco Secure ACS in the AAA Servers table.
  • Page 461: Enabling and Configuring Remote Logging

    behavior enables you to configure one or more backup central logging servers so that no accounting data is lost if the first central logging server fails or is otherwise unavailable to Cisco Secure ACS. • Remote Log Services—This list represents the Cisco Secure ACSes...
  • Page 462 Note: ...selected, Cisco Secure ACS logs to the first accessible Cisco Secure ACS in the Selected Log Services list. Use the “Log to subsequent remote log services on failure” option...
  • Page 463: Disabling Remote Logging

    For example, RADIUS service logs are created even if you are not using the RADIUS protocol in your network. For more information about Cisco Secure ACS services, see Chapter 1, “Overview”.
  • Page 464: Services Logged

    SERVICE, where SERVICE is the name of the applicable service. If you selected the Day/Month/Year format, the file would be named as follows: SERVICE... (fragments: \Logs subdirectory of the applicable service; .log)
  • Page 465: Configuring Service Logs

    Delete files older than x days—Cisco Secure ACS retains only those service logs that are not older than the number of days specified by x.
  • Page 466 Cisco Secure ACS should retain a service log file before deleting it. Step 6 Click Restart. Cisco Secure ACS restarts its services and implements the service log settings you specified.
  • Page 467: Administrator Accounts

    • Editing an Administrator Account, page 12-7 • Unlocking a Locked Out Administrator Account, page 12-10 • Deleting an Administrator Account, page 12-11
  • Page 468: Chapter 12 Administrators and Administrative Policy

    Cisco Secure ACS HTML interface from a browser run elsewhere than on the Cisco Secure ACS Windows server itself, you must log in to Cisco Secure ACS using an administrator account. If your Cisco Secure ACS is so configured, you may need to log in to Cisco Secure ACS even in a browser run on the Cisco Secure ACS Windows server.
  • Page 469: Administrator Privileges

    Shell Command Authorization Sets—Allows the administrator full access to the Shell Command Authorization Sets feature. PIX Command Authorization Sets—Allows the administrator full access to the PIX Command Authorization Sets feature.
  • Page 470 – Cisco Secure ACS System Restore, page – ACS Service Management—For more information about this feature, Additional command authorization set privilege options may appear if other Cisco network management applications, such as CiscoWorks2000, have updated the configuration of Cisco Secure ACS.
  • Page 471 (cross-references only): Dynamic Administration Reports, page 11-9; VoIP Accounting Configuration; Global Authentication Setup, page 10-26; Accounting Logs, page 11-6.
  • Page 472: Adding an Administrator Account

    Step 4 To select all privileges, including user group editing privileges for all user groups, click Grant All. ACS Backup and Restore—For more information about this report, see Cisco Secure ACS System Logs, page 11-13. DB Replication—For more information about this report, see...
  • Page 473: Editing an Administrator Account

    You can effectively disable an administrator account by revoking all privileges. To clear all privileges, including user group editing privileges for all user groups, click Revoke All.
  • Page 474: Edit Cisco ACS Administrator Account Privileges

    Password box and you want to allow the administrator whose account you are editing to access the Cisco Secure ACS HTML interface, select the Reset current failed attempts count check box.
  • Page 475 The selected group moves to the Available groups list. Step 8 To grant any remaining privilege options, select the applicable check boxes in the Administrator Privileges table.
  • Page 476: Unlocking a Locked Out Administrator Account

    Select the Reset current failed attempts count check box. Step 4 Click Submit. Cisco Secure ACS saves the changes to the administrator account.
  • Page 477: Deleting an Administrator Account

    You can also enable secure socket layer (SSL) for access to the HTML interface. This section contains the following topics: • Access Policy Options, page 12-12 • Setting Up Access Policy, page 12-14
  • Page 478: Access Policy Options

    • TCP ports used for remote access to the HTML interface. – Allow all IP addresses to connect—Allow access to the HTML interface from any IP address.
  • Page 479 An unauthorized user would have to impersonate, or “spoof,” the IP address of a legitimate host to make use of the active administrative session HTTP port.
  • Page 480: Setting Up Access Policy

    Step 5 ...range or ranges of IP addresses, follow these steps: In the IP Address Filtering table, select the Reject connections from listed IP addresses option.
  • Page 481 HTTPS. Any current administrator sessions are unaffected. The IP addresses entered to define a range must differ only in the last octet.
  • Page 482: Session Policy

    Administrative Audit report under the local_login administrator name. Note: If there are no administrator accounts defined, no administrator name and password are required to access Cisco Secure ACS locally.
  • Page 483: Setting Up Session Policy

    To require administrators to log in to Cisco Secure ACS locally using their administrator names and passwords, clear the Allow Automatic Local Login check box.
  • Page 484: Audit Policy

    The Audit Policy feature controls the generation of the Administrative Audit log. For more information about enabling, viewing, or configuring the Administrative Audit log, see Cisco Secure ACS System Logs, page 11-13.
  • Page 485 For example, a common configuration is to use a Windows user database for standard network users and a token server for network administrators. Note: For information about the Unknown User Policy and group mapping features, see Chapter 15, “Unknown User Policy”...
  • Page 486: Chapter 13 User Database

    Cisco Secure ACS uses usernames and passwords in the CiscoSecure user database during authentication. For more information about specifying an external user database for authentication of a user, see Basic User Account, page... (figure residue: VarsDB.MDB)
  • Page 487: User Import and Creation

    Cisco Secure ACS with the user accounts from the primary... (cross-references: Adding a Basic User Account, page 7-4; RDBMS Synchronization, page 9-25; Chapter 16, “User Group Mapping and Specification”)
  • Page 488: About External User Databases

    • Open Database Connectivity (ODBC)-compliant relational databases • LEAP Proxy RADIUS servers • RSA SecurID token servers • RADIUS-compliant token servers
  • Page 489: Authenticating with External User Databases

    ODBC driver must be installed on the Cisco Secure ACS Windows server. To communicate with an RSA token server, you must have installed software components provided by RSA. For token servers by other vendors, the standard RADIUS interface serves as the third-party API.
  • Page 490: External User Database Authentication Process

    RADIUS. For RSA token servers, Cisco Secure ACS acts as an RSA client in order to use the RSA proprietary interface. For more information, see the section regarding the database type you are interested in.
  • Page 491: Windows User Database

    • UPN Usernames, page 13-14 • EAP-TLS Domain Stripping, page 13-16 • Machine Authentication, page 13-16 • Machine Access Restrictions, page 13-19 • Microsoft Windows and Machine Authentication, page 13-20 • Enabling Machine Authentication, page 13-22
  • Page 492: What's Supported with Windows User Databases

    Windows user databases. For information about configuring Cisco Secure ACS to use Windows callback settings, see Callback Option, page... Authentication protocols not supported with Windows external user databases may be supported by a different external user database. For...
  • Page 493: Authentication with Windows User Databases

    Cisco Secure ACS can take advantage of indirect trusts for Windows authentication. Consider the example of Windows domains A, B, and C, where Cisco Secure ACS resides on a server in domain A. Domain A trusts domain B, ...
  • Page 494: Windows Dial-Up Networking Clients

    • password—Type your password. • domain—Type your valid domain name. Note: For more information about the implications of completing or leaving the domain box blank, see Non-domain-qualified Usernames, page 13-13.
  • Page 495: Windows Dial-Up Networking Clients Without a Domain Field

    For more information about the implications of prefixing or not prefixing the domain name before the username, see Non-domain-qualified Usernames, page 13-13.
  • Page 496 – cyril.yang@main.example.com – cyril.yang@main – cyril.yang@central-office@example.com – cyril.yang@main\example.com (cyril.yang is non-domain-qualified.) For more information, see Non-domain-qualified Usernames, page 13-13; Domain-Qualified Usernames, page 13-14; UPN Usernames, page 13-14.
  • Page 497: Non-Domain-Qualified Usernames

    If Windows does not find the username in its local domain database, it then checks all trusted domains. If Cisco Secure ACS runs on a member server and the username is not found in trusted domains, Windows also checks its local accounts database. Windows attempts to authenticate a user with the first occurrence of the username that it finds.
  • Page 498: Domain-Qualified Usernames

    UPN Usernames: Cisco Secure ACS supports authentication of usernames in User Principal Name (UPN) format, such as cyril.yang@example.com or cyril.yang@central-office@example.com.
  • Page 499: EAP and Windows Authentication

    • EAP-TLS Domain Stripping, page 13-16 • Machine Authentication, page 13-16 • Machine Access Restrictions, page 13-19 • Microsoft Windows and Machine Authentication, page 13-20 • Enabling Machine Authentication, page 13-22
  • Page 500: EAP-TLS Domain Stripping

    Active Directory. This is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points.
  • Page 501 This prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user has selected to shut down or restart the computer rather than just logging off.
  • Page 502 EAP-TLS-based machine authentication uses EAP-TLS to authenticate the computer using a client certificate. The certificate used by the computer can be one installed automatically when the computer was added to the domain or one...
  • Page 503: Machine Access Restrictions

    137, Cisco Secure ACS applies to the user session the authorization settings specified in group 137.
  • Page 504: Microsoft Windows and Machine Authentication

    • Complete the steps in Modify Dial-In Permissions for Computers That Use Wireless... Calling-Station-Id value not found in the cache—Cisco Secure ACS assigns the user to the user group specified by “Group map for successful user authentication without machine authentication”...
  • Page 505 Make sure the certification authority (CA) certificate of the CA that issued the Cisco Secure ACS server certificate is stored in machine storage on client computers. User storage is not available during machine authentication; therefore, if the CA certificate is in user storage, machine authentication fails.
  • Page 506: Enabling Machine Authentication

    On the Protected EAP Properties dialog box, you can enforce that Cisco Secure ACS has a valid server certificate by selecting the Validate server certificate check box. If you do select this check box, you must also select the applicable Trusted Root Certification Authorities.
  • Page 507 If you do not perform this step and the CA of the server certificate is not the same as the CA of an end-user client certificate, EAP-TLS will operate normally but reject the EAP-TLS machine authentication because it does not trust the correct CA.
  • Page 508 Cisco Secure ACS is ready to perform machine authentication for computers, regardless of whether the computer names exist in CiscoSecure user database. User Guide for Cisco Secure ACS for Windows Server 13-24 10-33. Configuring a Windows External User Database,...
  • Page 509: User-Changeable Passwords With Windows User Databases

    For MS-CHAP password aging, the AAA client must support RADIUS-based MS-CHAP authentication. For PEAP(EAP-MSCHAPv2), PEAP(EAP-GTC), and EAP-FAST password aging, the AAA client must support EAP.
  • Page 510: Preparing Users For Authenticating With Windows

    For example, if you have configured a PIX Firewall to authenticate Telnet sessions using Cisco Secure ACS as a RADIUS server, a user authenticated by a Windows external user database would be denied Telnet access to the PIX Firewall if the Dialin Permission feature is enabled and the Windows user account does not have dialin permission.
  • Page 511 MS CHAP: Cisco Secure ACS supports password changes using... Configuring the Domain List is optional. For more information about the Domain List, see Non-domain-qualified Usernames, page 13-13.
  • Page 512 Cisco Secure ACS performs machine authentication using the machine name and password (PEAP) or the machine certificate (EAP-TLS). For more information about machine authentication, see... The check boxes under MS CHAP Settings do not affect password aging for Microsoft PEAP, EAP-FAST, or machine authentication.
  • Page 513 PEAP users accessing the network with that computer will be assigned to the group specified in the “Group map for successful user authentication without machine authentication” list.
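The machine access restriction (MAR) behaviour described on pages 503, 504 and 513 is a cache keyed on the Calling-Station-Id of each successfully machine-authenticated computer, with entries that expire after the configured aging time. The following Python model is an added example, not code from the manual or from Cisco Secure ACS: the group ID for "Group map for successful user authentication without machine authentication", the aging time and the MAC-style station IDs are assumed values; only group 137 comes from the manual's own example.

```python
"""Machine Access Restrictions (MAR) decision logic, modelled in Python."""
import time

# Assumed group ID for the group configured under
# "Group map for successful user authentication without machine authentication".
USER_ONLY_GROUP = 200


class MarCache:
    """Cache of recent machine authentications keyed on Calling-Station-Id
    (the client MAC address as reported by the AAA client)."""

    def __init__(self, aging_hours):
        self.aging_seconds = aging_hours * 3600   # the "Aging time (hours)" box
        self._entries = {}                        # Calling-Station-Id -> expiry (epoch seconds)

    def machine_authenticated(self, calling_station_id, now=None):
        """Record a successful PEAP or EAP-TLS machine authentication."""
        now = time.time() if now is None else now
        self._entries[calling_station_id] = now + self.aging_seconds

    def is_fresh(self, calling_station_id, now=None):
        """True while the entry exists and has not aged out; expired entries are discarded."""
        now = time.time() if now is None else now
        expiry = self._entries.get(calling_station_id)
        if expiry is None or expiry <= now:
            self._entries.pop(calling_station_id, None)
            return False
        return True


def group_for_user_authentication(cache, calling_station_id, mapped_group, now=None):
    """Group ACS applies after a successful user authentication from this station:
    - Calling-Station-Id found in the cache: the group the user's own mapping yields
      (the manual's example uses group 137);
    - not found (never machine-authenticated, or the entry aged out): the group
      configured for user authentication without machine authentication."""
    if cache.is_fresh(calling_station_id, now):
        return mapped_group
    return USER_ONLY_GROUP


if __name__ == "__main__":
    cache = MarCache(aging_hours=12)                     # constructed sample run
    cache.machine_authenticated("00-11-22-33-44-55", now=0.0)
    print(group_for_user_authentication(cache, "00-11-22-33-44-55", 137, now=3600.0))
    print(group_for_user_authentication(cache, "00-11-22-33-44-55", 137, now=13 * 3600.0))
```

The model makes the two operational points visible: a computer that only ever performs user authentication lands in the restricted group however valid the user's credentials are, and a long aging time widens the window in which a station that has been re-imaged or handed to another user still counts as machine-authenticated. The control is only as strong as the Calling-Station-Id the AAA client reports, since that is the only key the cache has.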
  • Page 514: Configuring A Windows External User Database

    Step 2: Click Database Configuration. Cisco Secure ACS displays a list of all possible external user database types. If you do not change the value of the Aging time (hours) box to...
  • Page 515 All the settings on the Windows User Database Configuration page are optional and need not be enabled unless you want to permit and configure the specific features they support.
  • Page 516: Generic Ldap

    Multiple LDAP Instances, page 13-33; LDAP Organizational Units and Groups, page 13-34; Domain Filtering, page 13-34; About Unknown User Authentication, page 15-4; Protocol-Database Compatibility, page 1-10.
  • Page 517: Cisco Secure Acs Authentication Process With A Generic Ldap User Database

    Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to which the user is assigned. While the group to which a user is assigned can be determined by information from the LDAP server, it is Cisco Secure ACS that grants authorization privileges.
  • Page 518: Ldap Organizational Units And Groups

    LDAP instance that Cisco Secure ACS submits any given user authentication request to. You also have control of whether usernames are submitted to an LDAP server with their domain qualifiers intact. For example, when EAP-TLS authentication is initiated by a Windows XP client,...
  • Page 519 If the LDAP server stores usernames in a domain-qualified format, you should not configure Cisco Secure ACS to strip domain qualifiers. Limiting users to one domain is useful when the LDAP server stores usernames differently per domain, either by user context or by how the username is stored in Cisco Secure ACS—domain qualified or non-domain...
  • Page 520: Ldap Failover

    ACS, failover applies when an authentication request fails because Cisco Secure ACS could not connect to an LDAP server, such as when the server is down or is otherwise unreachable by Cisco Secure ACS. To use this feature, you must define the primary and secondary LDAP servers on the LDAP Database Configuration page.
  • Page 521: Unsuccessful Previous Authentication With The Primary Ldap Server

    ...Failback Retry Delay box is set to 0 (zero), Cisco Secure ACS always attempts to connect to the primary LDAP server first; if Cisco Secure ACS cannot connect to the primary LDAP server, it then attempts to connect to the secondary LDAP server.
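Pages 520 and 521 describe when Cisco Secure ACS fails over to the secondary LDAP server (only when it cannot connect to the primary, never on a wrong password) and how the Failback Retry Delay decides which server is tried first. The following Python model is an added example written for this page, not code from the manual or from Cisco Secure ACS. The LdapServer stand-in, the user table and the interpretation that the delay is expressed in minutes and that the secondary is tried first while the delay is running are assumptions.

```python
"""LDAP failover and failback selection, modelled in Python."""


class LdapServer:
    """Constructed stand-in for an LDAP server: bind() raises ConnectionError when
    the server is unreachable and returns False when the credentials are wrong."""

    def __init__(self, name, users, reachable=True):
        self.name, self.users, self.reachable = name, users, reachable

    def bind(self, username, password):
        if not self.reachable:
            raise ConnectionError(self.name)
        return self.users.get(username) == password


class LdapInstance:
    """One ACS LDAP instance with a primary and an optional secondary server."""

    def __init__(self, primary, secondary=None, failback_retry_delay_min=0):
        self.primary, self.secondary = primary, secondary
        self.failback_delay = failback_retry_delay_min * 60   # units assumed to be minutes
        self.primary_failed_at = None                          # time of the last connection failure

    def _order(self, now):
        servers = [self.primary] + ([self.secondary] if self.secondary else [])
        within_delay = (self.secondary is not None and self.failback_delay > 0
                        and self.primary_failed_at is not None
                        and now - self.primary_failed_at < self.failback_delay)
        if within_delay:
            servers.reverse()   # assumed: go to the secondary first until the delay has elapsed
        return servers          # delay 0: always try the primary first

    def authenticate(self, username, password, now):
        """Returns (outcome, server_name). Failover happens only on connection failure."""
        for server in self._order(now):
            try:
                ok = server.bind(username, password)
            except ConnectionError:
                if server is self.primary:
                    self.primary_failed_at = now
                continue
            if server is self.primary:
                self.primary_failed_at = None   # primary is back: failback complete
            return ("accept" if ok else "reject", server.name)   # a bad password never fails over
        return ("error", None)   # no server reachable: an error, not a rejection


if __name__ == "__main__":
    users = {"alice": "pw"}                                   # constructed sample data
    inst = LdapInstance(LdapServer("primary", users, reachable=False),
                        LdapServer("secondary", users), failback_retry_delay_min=5)
    print(inst.authenticate("alice", "pw", now=0))            # served by the secondary
    inst.primary.reachable = True
    print(inst.authenticate("alice", "pw", now=60))           # still within the delay
    print(inst.authenticate("alice", "pw", now=400))          # back on the primary
```

The distinction between "reject" and "error" matters operationally: a rejection is a decision and must be logged as a failed attempt, while an error should be surfaced to the AAA client so it can fall back to another AAA server rather than being recorded as a bad password.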
  • Page 522 Cisco Secure ACS can submit the username to an LDAP server. The Domain box accepts up to 512 characters; however, only one domain name and its delimiting character are permitted.
  • Page 523 – delimiter—When this option is selected, Cisco Secure ACS submits all usernames to an LDAP server after attempting to strip domain names. Usernames that are not domain qualified are processed, too. Domain name stripping occurs as specified by the following two options.
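Pages 518 through 523 describe domain filtering: processing every username, processing only usernames qualified with one configured domain (optionally stripping the qualifier), or stripping domain names and delimiters from all usernames before submitting them to the LDAP server. The following Python function is an added example written for this page, not code from the manual or from Cisco Secure ACS; the mode names, the default delimiters and the rule that a prefix qualifier is stripped through its last delimiter while a suffix qualifier is stripped from its first delimiter are assumptions.

```python
"""Domain filtering and qualifier stripping before an LDAP lookup, modelled in Python."""


def apply_domain_filtering(username, mode, domain=None, qualifier="prefix", delimiter="\\",
                           strip=False, prefix_delimiter="\\", suffix_delimiter="@"):
    """Return (submit, name_to_submit).

    mode "all":         submit every username unchanged ("Process all usernames").
    mode "only_domain": submit only usernames qualified with `domain` (one domain plus its
                        delimiter, as a prefix such as CORP\\alice or a suffix such as
                        alice@example.com); strip=True removes the qualifier first.
    mode "strip_all":   submit every username after attempting to strip a prefix and a
                        suffix qualifier; unqualified names pass through unchanged.
    Mode names and defaults are assumed; the behaviours follow the manual's description."""
    if mode == "all":
        return True, username

    if mode == "only_domain":
        dom = (domain or "")
        if qualifier == "prefix":
            tag = (dom + delimiter).lower()
            qualified = username.lower().startswith(tag)
            bare = username[len(tag):]
        else:
            tag = (delimiter + dom).lower()
            qualified = username.lower().endswith(tag)
            bare = username[:len(username) - len(tag)]
        if not qualified:
            return False, None   # another LDAP instance, or no database, will handle it
        return True, (bare if strip else username)

    if mode == "strip_all":
        name = username
        if prefix_delimiter and prefix_delimiter in name:
            name = name.rsplit(prefix_delimiter, 1)[1]   # strip through the last prefix delimiter
        if suffix_delimiter and suffix_delimiter in name:
            name = name.split(suffix_delimiter, 1)[0]    # strip from the first suffix delimiter
        return True, name

    raise ValueError(f"unknown domain filtering mode: {mode}")


if __name__ == "__main__":
    for name in ("CORP\\alice", "alice@corp.example", "bob"):   # constructed sample usernames
        print(name, "->", apply_domain_filtering(name, "strip_all"))
```

Two consequences are worth checking in a real deployment: with strip_all, CORP\alice and OTHER\alice both become "alice" and are therefore the same LDAP entry, which is only acceptable when one directory really holds both; and when the directory stores domain-qualified names (as for certificate-based EAP-TLS names from Windows clients), strip=False must stay in effect or every lookup will miss.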
  • Page 524 LDAP authentication performed using this configuration. Cisco Secure ACS uses the settings in this section regardless of whether the authentication is handled by the primary or secondary LDAP server. This table contains the following options: User Directory Subtree—The distinguished name (DN) for the subtree –...
  • Page 525 Secondary LDAP Server table enable you to identify the LDAP servers and make settings that are unique to each. The Secondary LDAP Server table does not need to be completed if you do not intend to use LDAP failover. These tables contain the following options: Hostname—The name or IP address of the server that is running the...
  • Page 526 ...LDAP server in clear text. Certificate Database Path—The path to the certificate database, which must contain the certificates for the server to be queried and the trusted CA. You can use a Netscape web browser to generate the certificate database; for information about generating one, refer to your Netscape documentation.
  • Page 527: Configuring A Generic Ldap External User Database

    You can use anonymous credentials for the administrator username if the LDAP server is configured to make the group name attribute visible in searches by anonymous credentials. Otherwise, you must specify an administrator username that permits the group name attribute to be visible to searches.
  • Page 528 Step 7: If you do not want Cisco Secure ACS to filter LDAP authentication requests by username, under Domain Filtering, select Process all usernames.
  • Page 529 ...LDAP server check box. Step 9: If you want Cisco Secure ACS to strip domain qualifiers from usernames before submitting them to an LDAP server, follow these steps:
  • Page 530 Step 12: In the User Object Type box, type the name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. Note: The default values in the User Object Type and following boxes reflect the default configuration of the Netscape Directory Server.
  • Page 531 Step 16: ...that contains the list of user records that are members of that group. Step 17: In the Server Timeout box, type the number of seconds Cisco Secure ACS waits for a response from an LDAP server before determining that the connection with that server has failed.
  • Page 532 Secondary LDAP Server table. In the Hostname box, type the name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address.
  • Page 533: Novell Nds Database

    If you are using Netscape DS as your LDAP software, you can copy this information from the Netscape Console. See also About Unknown User Authentication, page 15-4.
  • Page 534: About Novell Nds User Databases

    To authenticate users with a Novell NDS database, Cisco Secure ACS depends upon Novell Requestor. Novell Requestor must be installed on the same Windows server as Cisco Secure ACS. You can download the Requestor software from the Novell website. For more information, refer to your Novell and Microsoft documentation.
  • Page 535: User Contexts

    If he submitted only “Agamemnon”, authentication would fail. Table 13-1 lists the users given in the example tree and the username with context that would allow each user to authenticate successfully. Example tree entries: CN=Penelope, CN=Telemachus.
  • Page 536: Novell Nds External User Database Options

    Test Login—Selecting this check box causes Cisco Secure ACS to test the administrative login of the tree to the Novell server when you click Submit. Tree Name—Appears only on the blank form for new trees. The name of the...
  • Page 537: Configuring A Novell Nds External User Database

    Users can provide a portion of their context when they log in. For more information, see User Contexts, page 13-51.
  • Page 538 Caution: ...database is deleted. The NDS Authentication Support page appears. The NDS Authentication Support page enables you to add a configuration for a Novell NDS server, change existing Novell NDS server configurations, and delete existing Novell NDS server configurations.
  • Page 539: Odbc Database

    For more information about the content of the NDS Authentication Support page, see Novell NDS External User Database Options. Step 7: If you want to add a new Novell NDS server configuration, complete the fields in the blank form at the bottom of the NDS Authentication Support page.
  • Page 540 PAP Authentication Procedure Input, page 13-64; PAP Procedure Output, page 13-65; CHAP/MS-CHAP/ARAP Authentication Procedure Input, page 13-66; CHAP/MS-CHAP/ARAP Procedure Output, page 13-66.
  • Page 541: What Is Supported With Odbc User Databases

    For more information about authentication protocols and the external database types that support them, see Protocol-Database Compatibility, page 1-10. See also PAP Procedure Output, page 13-65, CHAP/MS-CHAP/ARAP Procedure Output, page 13-66, and EAP-TLS Procedure Output, page 13-68.
  • Page 542: Cisco Secure Acs Authentication Process With An Odbc External User Database

    Figure 13-2 Using the ODBC Database for Authentication. Figure labels: CiscoSecure “Unknown user” interface; PAP authentication; CHAP/ARAP extraction; ODBC (MS); inputs: name, PAP password; outputs: CHAP/ARAP password, authentication result, accounting info.
  • Page 543: Preparing To Authenticate Users With An Odbc-Compliant Relational Database

    ...Cisco Secure ACS with an ODBC external user database. To prepare for authenticating with an ODBC-compliant relational database, follow these steps: Step 1: Install your ODBC-compliant relational database on its server. For more information, refer to the relational database documentation.
  • Page 544: Implementation Of Stored Procedures For Odbc Authentication

    ...ODBC authentication request. This requires a separate stored procedure in the relational database to support each of the three sets of protocols.
  • Page 545: Type Definitions

    The Cisco Secure ACS product CD provides “stub” routines for creating a procedure in either Microsoft SQL Server or an Oracle database. You can either modify a copy of these routines to create your stored procedure or write your own.
  • Page 546: Sample Routine For Generating A Pap Authentication Sql Procedure

    For example, with Telnet or PAP authentication, the passwords cisco, CISCO, and CiScO will all work if the SQL Server is configured to be case insensitive, because the database itself compares the password. For CHAP/ARAP, the passwords cisco, CISCO, and CiScO are not the same regardless of whether the SQL Server is configured for case-sensitive passwords, because Cisco Secure ACS computes the CHAP response over the exact bytes of the clear-text password the procedure returns.
  • Page 547: Sample Routine For Generating An Sql Chap Authentication Procedure

    GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure Sample Routine for Generating an SQL CHAP Authentication Procedure The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure used by Cisco Secure ACS for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema are presented in variable text.
  • Page 548: Sample Routine For Generating An Eap-Tls Authentication Procedure

    Sample Routine for Generating an EAP-TLS Authentication Procedure The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure used by Cisco Secure ACS for EAP-TLS authentication. Table and column names that could vary for your database schema are presented in variable text.
  • Page 549: Pap Procedure Output

    0-16 characters. A customer-defined string that Cisco Secure ACS adds to subsequent account log file entries. 0-255 characters. A customer-defined string that Cisco Secure ACS writes to the CSAuth service log file if an error occurs.
  • Page 550: Chap/Ms-Chap/Arap Authentication Procedure Input

    CHAP/MS-CHAP/ARAP Procedure Output: The stored procedure must return a single row containing the non-null fields. Table 13-5 lists the procedure results Cisco Secure ACS expects as output from the stored procedure.
  • Page 551: Eap-Tls Authentication Procedure Input

    ...VARCHAR, the database may return a string 255 characters long, regardless of actual password length. We recommend using the VARCHAR datatype for the CHAP password field in your ODBC database.
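Pages 546, 547, 550 and 551 together define the contract between Cisco Secure ACS and the ODBC stored procedures: the PAP procedure (default name CSNTAuthUserPap) compares the password inside the database, whereas the CHAP/MS-CHAP/ARAP procedure (default name CSNTExtractUserClearTextPw) only returns the clear-text password and Cisco Secure ACS performs the comparison. The following Python model is an added example written for this page, not code from the manual or from Cisco: SQLite stands in for SQL Server or Oracle, Python functions stand in for the stored procedures, and the table layout, column names and result codes are assumptions (only the procedure names and CSNTerrorString come from the manual). The padded-column case reproduces the reason the manual recommends VARCHAR for the CHAP password field.

```python
"""PAP and CHAP stored-procedure contracts for ODBC authentication, modelled in Python."""
import hashlib
import sqlite3

SUCCESS, BAD_PASSWORD, UNKNOWN_USER = 0, 1, 2   # assumed result-code convention


def make_db(pad_to=None):
    """Constructed sample table. pad_to simulates a CHAR(n) password column,
    which SQL Server pads with trailing spaces."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT COLLATE NOCASE, password TEXT, grp INTEGER, acct TEXT)")
    pw = "cisco".ljust(pad_to) if pad_to else "cisco"
    con.execute("INSERT INTO users VALUES (?, ?, ?, ?)", ("alice", pw, 5, "billing-42"))
    return con


def csnt_auth_user_pap(con, username, password, case_insensitive=True):
    """Stand-in for CSNTAuthUserPap: the database compares the password, so its
    collation decides whether 'cisco' and 'CISCO' are the same. RTRIM mimics
    SQL Server's trailing-space-insensitive = comparison on CHAR columns."""
    coll = "NOCASE" if case_insensitive else "BINARY"
    row = con.execute(
        f"SELECT grp, acct FROM users WHERE username = ? AND RTRIM(password) COLLATE {coll} = ?",
        (username, password)).fetchone()
    if row is None:
        return (BAD_PASSWORD, 0, "", "Invalid username or password")
    return (SUCCESS, row[0], row[1], "No Error")   # result, group, acct info, CSNTerrorString


def csnt_extract_user_clear_text_pw(con, username):
    """Stand-in for CSNTExtractUserClearTextPw: returns the clear-text password so
    that ACS, not the database, performs the CHAP/MS-CHAP/ARAP comparison."""
    row = con.execute("SELECT grp, acct, password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return (UNKNOWN_USER, 0, "", "Unknown user", None)
    return (SUCCESS, row[0], row[1], "No Error", row[2])


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def acs_chap_authenticate(con, username, identifier, challenge, response):
    """What ACS does with the CHAP procedure output: recompute and compare the response.
    A padded CHAR password or a case-folded password changes the MD5 input and fails."""
    result, grp, acct, err, clear_pw = csnt_extract_user_clear_text_pw(con, username)
    if result != SUCCESS:
        return (result, 0, "", err)
    if chap_response(identifier, clear_pw, challenge) != response:
        return (BAD_PASSWORD, 0, "", "CHAP response mismatch")
    return (SUCCESS, grp, acct, "No Error")


if __name__ == "__main__":
    con, challenge = make_db(), bytes(range(16))              # constructed sample run
    print(csnt_auth_user_pap(con, "alice", "CISCO"))           # PAP tolerates case folding
    print(acs_chap_authenticate(con, "alice", 7, challenge, chap_response(7, "CISCO", challenge)))
    print(acs_chap_authenticate(make_db(pad_to=255), "alice", 7, challenge, chap_response(7, "cisco", challenge)))
```

The CHAP procedure has to return the clear-text password, so the ODBC account that executes it (the manual's GRANT EXECUTE to ciscosecure) is effectively a password-dump account: restrict it to EXECUTE on the procedures, keep it out of the table grants, and protect the DSN connection with the same care as the RADIUS shared secrets.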
  • Page 552: Eap-Tls Procedure Output

    CSNTerrorString (String, 0-255 characters): A customer-defined string that Cisco Secure ACS writes to the CSAuth service log file if an error occurs. See Table 13-4.
  • Page 553: Result Codes

    Additionally, error codes are returned to the AAA client so it can distinguish between errors and failures and, if configured to do so, fall back to a backup AAA server. The stored procedure does not log successful or failed authentications; the general Cisco Secure ACS logging mechanisms apply.
  • Page 554: Configuring A System Data Source Name For An Odbc External User Database

    Type a descriptive name for the DSN in the Data Source Name box. Step 8: Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs. Click OK.
  • Page 555: Configuring An Odbc External User Database

    Click Submit. Cisco Secure ACS lists the new configuration in the External User Database Configuration table. Step 5: Click Configure.
  • Page 556 The thread count to use depends on how long the DSN takes to execute the procedure and on the rate at which authentications are required.
  • Page 557 Select the Support PAP authentication check box. In the PAP SQL Procedure box, type the name of the PAP SQL procedure routine that runs on the ODBC server. The default value in this box is CSNTAuthUserPap. If you named the PAP SQL procedure something else, change this entry to match the name given to the PAP SQL procedure.
  • Page 558 Select the Support EAP-TLS Authentication check box. In the EAP-TLS SQL Procedure box, type the name of the EAP-TLS SQL procedure routine on the ODBC server. The default value in this box is CSNTFindUser. If you named the EAP-TLS SQL procedure something else, change this entry to match the name given to the EAP-TLS SQL procedure.
  • Page 559: Leap Proxy Radius Server Database

    For more information about authentication protocols and the external database types that support them, see Protocol-Database Compatibility, page 1-10. Cisco Secure ACS uses MS-CHAP version 1 for LEAP Proxy RADIUS Server authentication. To manage your proxy RADIUS database, refer to your RADIUS database documentation.
  • Page 560: Configuring A Leap Proxy Radius Server External User Database

    If you are creating a configuration, follow these steps: Step 4: Click Create New Configuration. Type a name for the new configuration for the LEAP Proxy RADIUS Server in the box provided, or accept the default name in the box. Click Submit.
  • Page 561 ...server. Shared Secret—The shared secret of the proxy RADIUS server. This must be identical to the shared secret with which the proxy RADIUS server is configured. Authentication Port—The UDP port over which the proxy RADIUS server conducts authentication sessions. If the LEAP Proxy RADIUS server is installed on the same Windows server as Cisco Secure ACS, this port should not be the same port used by Cisco Secure ACS for RADIUS authentication.
  • Page 562: Token Server User Databases

    Cisco Secure ACS then maintains the accounting information. Cisco Secure ACS acts as a client to the token server. For all token servers except RSA SecurID, Cisco Secure ACS accomplishes this using the RADIUS interface of the token server. For more information about Cisco Secure ACS support of...
  • Page 563: Token Servers And Isdn

    About RADIUS-Enabled Token Servers, page 13-80; Token Server RADIUS Authentication Request and Response Contents, page 13-80; Configuring a RADIUS Token Server External User Database, page 13-81; RSA SecurID Token Servers, page 13-84.
  • Page 564 Rather than using a vendor-proprietary API, Cisco Secure ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables Cisco Secure ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers. For information...
  • Page 565 You should install and configure your RADIUS token server before configuring Cisco Secure ACS to authenticate users with it. For information about installing the RADIUS token server, refer to the documentation included with your token server. To configure Cisco Secure ACS to authenticate users with a RADIUS Token...
  • Page 566 ...conducts authentication sessions. If the RADIUS token server is installed on the same Windows server as Cisco Secure ACS, this port should not be the same port used by Cisco Secure ACS for RADIUS authentication. For more information about the ports used by Cisco Secure ACS for RADIUS, see...
  • Page 567 ...“Enter your PassGo token” prompt rather than a password prompt. Note: If you want Cisco Secure ACS to send the token server a password to trigger a challenge, select From Token Server (async tokens only), and then, in the Password box, type the password that Cisco Secure ACS will forward to the token server.
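Pages 562 through 567 describe Cisco Secure ACS acting as a RADIUS client of an RFC 2865-compliant token server: it sends a standard Access-Request (optionally carrying a fixed password to trigger a challenge), the token server answers with an Access-Challenge carrying the token prompt, and the second request carries the tokencode. The following Python program is an added example written for this page, not code from the manual, from Cisco or from any token-server vendor: it builds and parses the packets on both sides, hides User-Password as RFC 2865 section 5.2 specifies, and checks the Response Authenticator on the ACS side. The trigger password, the State value, the sample user and tokencode are constructed; the token-server side is a minimal stand-in, not a real product.

```python
"""RADIUS (RFC 2865) exchange between ACS and a RADIUS-enabled token server, both sides modelled."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode("utf-8", "replace")   # wrong secret yields garbage, not an error


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return code, ident, packet[4:20], decode_attrs(packet[20:length])


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 section 3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def build_request(ident, username, password, secret, state=None, authenticator=None):
    auth = authenticator or os.urandom(16)     # Request Authenticator: fresh random bytes
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, hide_password(password, secret, auth))]
    if state is not None:
        attrs.append((STATE, state))            # State echoed from the Access-Challenge
    return build_packet(ACCESS_REQUEST, ident, auth, attrs), auth


def build_response(code, ident, req_auth, attrs, secret):
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)


def client_verify_response(packet, req_auth, secret):
    code, ident, auth, attrs = parse(packet)
    return auth == response_authenticator(code, ident, req_auth, attrs, secret)


# --- Constructed stand-in for the RADIUS-enabled token server -------------------------
TRIGGER_PASSWORD = "trigger"                 # the password ACS forwards to trigger a challenge (assumed value)
VALID_TOKENCODES = {"alice": "482913"}       # constructed sample data


def token_server(packet, secret):
    code, ident, req_auth, attrs = parse(packet)
    a = dict(attrs)
    pw = reveal_password(a[USER_PASSWORD], secret, req_auth)
    if STATE not in a:                       # first request: challenge for the tokencode
        if pw != TRIGGER_PASSWORD:
            return build_response(ACCESS_REJECT, ident, req_auth, [], secret)
        return build_response(ACCESS_CHALLENGE, ident, req_auth,
                              [(REPLY_MESSAGE, b"Enter your PassGo token"), (STATE, b"sess-1")], secret)
    ok = a[STATE] == b"sess-1" and pw == VALID_TOKENCODES.get(a[USER_NAME].decode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)


def acs_token_login(username, tokencode, secret, server=token_server):
    """ACS side: trigger request, then answer the challenge with the user's tokencode."""
    req1, auth1 = build_request(1, username, TRIGGER_PASSWORD, secret)
    resp1 = server(req1, secret)
    if not client_verify_response(resp1, auth1, secret):
        return "unverified"                  # shared-secret mismatch or forged reply
    code, _, _, attrs = parse(resp1)
    if code != ACCESS_CHALLENGE:
        return "reject"
    req2, auth2 = build_request(2, username, tokencode, secret, state=dict(attrs)[STATE])
    resp2 = server(req2, secret)
    if not client_verify_response(resp2, auth2, secret):
        return "unverified"
    return "accept" if parse(resp2)[0] == ACCESS_ACCEPT else "reject"
```

The third scenario in the test (token server configured with a different shared secret) shows why the manual insists the secret be identical on both ends: the mismatch does not surface as a clean rejection but as an unverifiable reply, and on the wire it looks the same as a spoofed response. This example omits the Message-Authenticator attribute (RFC 2869), which a deployment carrying EAP would additionally require.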
  • Page 568: Rsa Securid Token Servers

    Cisco Secure ACS supports PPP (ISDN and async) and Telnet for RSA SecurID token servers. It does so by acting as a token-card client to the RSA SecurID token server. This requires that the RSA token-card client software be installed on the computer running Cisco Secure ACS. The following procedure includes the steps required to install the RSA client correctly on the computer running Cisco Secure ACS.
  • Page 569: Configuring An Rsa Securid Token Server External User Database

    RSA SecurID server, refer to the documentation included with your token server. Make sure you have the applicable RSA ACE Client. To configure Cisco Secure ACS to authenticate users with an RSA token server, follow these steps: Install the RSA client on the computer running Cisco Secure ACS:...
  • Page 570: Deleting An External User Database Configuration

    Step 6: Click Configure. Cisco Secure ACS displays the name of the token server and the path to the authenticator DLL. This information confirms that Cisco Secure ACS can contact the RSA client. You can add the RSA SecurID external user database to your Unknown User Policy or assign specific user accounts to use this database for authentication.
  • Page 571 Step 6: Click OK to confirm that you want to delete the selected external user database configuration. The external user database configuration you selected is deleted from Cisco Secure ACS.
  • Page 573: About Network Admission Control

    AAA client configured to enforce NAC. The basis of NAC is the validation of the posture, or state, of computers on a network. The role of Cisco Secure Access Control Server (ACS) for Windows Server in NAC is to perform posture validation.
  • Page 574: Nac Aaa Components

    When external policies are used, Cisco Secure ACS forwards posture validation requests to a NAC server. NAC server—Performs posture validation of the NAC-client computer when Cisco Secure ACS is configured to use external policies.
  • Page 575: Posture Validation

    Cisco Secure ACS uses the system posture token and group mappings for the selected NAC database to determine which user group contains the authorizations applicable to the NAC-client computer.
  • Page 576: Posture Tokens

    There are five predefined, non-configurable posture tokens, used for both SPTs and APTs. Listed in order from best to worst, they are: Healthy, Checkup, Quarantine, Infected, Unknown.
  • Page 577: Non-Responsive Nac-Client Computers

    Implementing Network Admission Control: This procedure provides steps for implementing NAC support in Cisco Secure ACS, with references to more detailed procedures for each step.
  • Page 578 ...Certificate Trust List (CTL). For detailed steps, see Editing the Certificate Trust List. If the CA that issued the server certificates used by the external database servers does not appear on the CTL, you must add the CA. For detailed steps, see Adding a Certificate Authority Certificate. (Optional) If the Passed Authentications log is not enabled, consider enabling it.
  • Page 579 Cross-references on this page: Configuring Authentication Options; Adding a AAA Client; Configuring a NAC Database; Configuring a CSV Log; Renaming a User.
  • Page 580 NAC databases, one for NAI posture validation and one for Symantec posture validation, you may want separate downloadable IP ACLs for a Quarantine SPT, one that allows access only to a Symantec anti-virus server and one that allows access only to a NAI anti-virus server.
  • Page 581 Cisco Secure ACS is configured to support NAC of non-responsive computers. 78-16592-01 The AV pair names above are case sensitive. Non-Responsive NAC-Client Computers, page User Guide for Cisco Secure ACS for Windows Server Implementing Network Admission Control Configuring Cisco IOS/PIX 6-40. For more information about About the C-7.
  • Page 582: Nac Databases

    A NAC database without any mandatory credential types is a valid configuration. Cisco Secure ACS considers any posture validation request to satisfy the mandatory credential types of a NAC database that has zero...
  • Page 583: About Nac Credentials And Attributes

    ...ID and application ID. The vendor ID is the number assigned to the vendor in the IANA Assigned Numbers registry (for example, the entry for Cisco Systems, Inc.). Vendors assign numbers to the NAC applications they provide. For example, with Cisco Systems, Inc. applications, application ID 1 corresponds to CTA. In the HTML interface, when you specify result credential types for a local policy, credential types are identified by the names assigned to the vendor and application.
  • Page 584: Nac Database Configuration Options

    ...NAC database. This table contains the following options: Credential Types—Displays the credential types that must be present in a posture validation request in order for Cisco Secure ACS to use the database to evaluate the request. See also About Rules, Rule Elements, and Attributes.
  • Page 585: Policy Selection Options

    ...Policies page for the current NAC database. From that page, you can select external policies that the current NAC database uses and you can also access the External Policy Configuration page to create additional local policies.
  • Page 586: Configuring A Nac Database

    Step 5: Under External User Database Configuration, select the name of the NAC database that you need to configure. Note: If only one NAC database exists, the name of that database appears instead of the list. See NAC Database Configuration Options and Policy Selection Options.
  • Page 587 ...NAC database. You can select local policies, external policies, or both. To do so, follow these steps: Click either Local Policies or External Policies, as applicable. A policy selection page displays Available Policies and Selected Policies lists.
  • Page 588: Nac Policies

    Cisco Secure ACS applies to a validation request the policies that you have selected for the NAC database that Cisco Secure ACS uses to evaluate the request. Click New Local Policy and follow the steps in Creating a Local Policy, page 14-25, before continuing this procedure.
  • Page 589: Local Policies

    About Rules, Rule Elements, and Attributes, page 14-19; Local Policy Configuration Options, page 14-22; Rule Configuration Options, page 14-24; Creating a Local Policy, page 14-25.
  • Page 590: About Local Policies

    ...NAC clients whose posture matches the second rule; therefore, the second rule should be listed first.
  • Page 591: About Rules, Rule Elements, And Attributes

    ...and the attribute in a specific posture validation request: false corresponds to 0 (zero) and true corresponds to 1. Valid operators are = (equal to) and...
  • Page 592 For the Cisco:PA:OS-Version attribute, Cisco Secure ACS permits only mathematical operators. For more information about attribute types, see About Rules, Rule Elements, and Attributes, page 14-19; for operators, see Rule Operators, page 14-20.
  • Page 593 (Regular-expression operator examples: patterns that would match the strings Cisco, scsi, disc or Ciena in an attribute value.)
  • Page 594: Local Policy Configuration Options

    $ (dollar)—The $ operator matches the end of a string. For example,...
  • Page 595 ...Cisco Secure ACS uses as the result of applying the policy. For more information about credential types, see About NAC Credentials and Attributes, page 14-11; for posture tokens, see Posture Tokens, page 14-4.
  • Page 596: Rule Configuration Options

    Attributes that can only be sent, such as Cisco:PA:System-Posture-Token, cannot be used in a rule and thus never... Under Default Rule, the meanings of the Result Credential Type list,...
  • Page 597: Creating A Local Policy

    If you have not already done so, access the Local Policy Configuration page. To do so, follow these steps: In the navigation bar, click External User Databases. See also About Rules, Rule Elements, and Attributes, page 14-19; Local Policy Configuration Options, page 14-22; Rule Configuration Options, page 14-24.
  • Page 598 The rule element appears in the Rule Elements table. Verify that the rule elements are configured as intended. For more information about operators, see Rule Operators, page 14-20.
  • Page 599 Step 6: Configure the Default Rule; in the Default Rule table, do each of the following: select a result credential type; select a token (see Posture Tokens, page 14-4); type an action.
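Pages 590 through 599 describe how a local policy is evaluated: an ordered list of rules, each made of rule elements (attribute, operator, value), where the first matching rule determines the result credential type, posture token and action, and a default rule applies otherwise. The following Python evaluator is an added example written for this page, not code from the manual or from Cisco Secure ACS. The attribute type table, the operator names, the rule that every element of a rule must match, the treatment of an absent attribute as a non-match, the action strings and the derivation of the system posture token as the worst application posture token are assumptions; the token order, the attribute names Cisco:PA:PA-Name and Cisco:PA:OS-Version, the restriction of OS-Version to mathematical operators and the `$` regular-expression anchor come from the manual.

```python
"""NAC local policy evaluation: ordered rules, first match wins, default rule otherwise."""
import re

# Posture tokens from best to worst, as listed in the manual.
TOKENS = ["Healthy", "Checkup", "Quarantine", "Infected", "Unknown"]

# Assumed attribute types; only these two attribute names appear in the manual.
ATTR_TYPES = {"Cisco:PA:PA-Name": "string", "Cisco:PA:OS-Version": "version"}

MATH_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
            "<": lambda a, b: a < b, ">": lambda a, b: a > b,
            "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}


def _version(text):
    """Dotted version string to a comparable tuple, e.g. '5.1.2600' -> (5, 1, 2600)."""
    return tuple(int(part) for part in text.split("."))


def element_matches(attrs, attr_name, op, value):
    """One rule element: attribute <op> value against the posture attributes of a request."""
    actual = attrs.get(attr_name)
    if actual is None:
        return False                      # assumed: an attribute the client did not send never matches
    kind = ATTR_TYPES.get(attr_name, "string")
    if kind == "version":
        return MATH_OPS[op](_version(actual), _version(value))   # OS-Version: mathematical operators only
    if op == "regex":                      # assumed name for the regular-expression operator
        return re.search(value, actual) is not None            # '$' anchors at the end of the string
    if op in ("=", "!="):
        return MATH_OPS[op](actual, value)
    raise ValueError(f"operator {op!r} is not valid for {kind} attribute {attr_name}")


def evaluate_policy(rules, default, attrs):
    """rules: ordered list of (elements, result); result is (credential type, token, action).
    All elements of a rule must match; the first rule that matches wins, so a broad rule
    listed before a narrower one shadows it (the ordering point the manual makes)."""
    for elements, result in rules:
        if all(element_matches(attrs, *element) for element in elements):
            return result
    return default


def system_posture_token(application_tokens):
    """Assumed: the system posture token is the worst of the application posture tokens."""
    return max(application_tokens, key=TOKENS.index)


if __name__ == "__main__":
    # Constructed sample posture and rules.
    posture = {"Cisco:PA:PA-Name": "Cisco Trust Agent", "Cisco:PA:OS-Version": "5.1.2600"}
    broad = ([("Cisco:PA:OS-Version", ">=", "5.0")], ("Cisco:PA", "Healthy", "posture ok"))
    narrow = ([("Cisco:PA:OS-Version", ">=", "5.0"), ("Cisco:PA:PA-Name", "regex", "Agent$")],
              ("Cisco:PA", "Checkup", "update agent"))
    default = ("Cisco:PA", "Quarantine", "remediate")
    print(evaluate_policy([broad, narrow], default, posture))   # narrow rule is shadowed
    print(evaluate_policy([narrow, broad], default, posture))   # narrow rule listed first
    print(system_posture_token(["Healthy", "Infected", "Checkup"]))
```

Two review points follow from the model: rule order is a security control, since a permissive rule placed first silently neutralises every stricter rule below it, and the default rule should map to a restrictive token (Quarantine or Unknown) so that a client whose attributes match nothing is not granted Healthy access by omission.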
  • Page 600: External Policies

    About External Policies: External policies are policies that define an external NAC server, usually from an anti-virus vendor, and a set of credential types to be forwarded to the external database. You also have the option of defining a secondary external NAC server.
  • Page 601: External Policy Configuration Options

    Cisco Secure ACS to reject the posture validation request. External Policy Configuration Options On the External Policy Configuration page you can specify a NAC server (and an optional second NAC server) that Cisco Secure ACS relies upon to apply the policy and you can configure the set of credential types that Cisco Secure ACS forwards.
  • Page 602 [http[s]://] where host is the hostname or IP address of the NAC server, port is the port number used, and resource is the rest of the URL, as required by the NAC server itself. The URL varies depending upon the server vendor and configuration.
  • Page 603 If the CA that issued a NAC server certificate is not present on the Trusted Root CA list, you must add the CA certificate to Cisco Secure ACS. For more information, see...
  • Page 604: Creating An External Policy

    Forwarding Credential Types—Contains two lists for use in specifying which credential types are forwarded to the external server. Creating an External Policy: This procedure describes how you can create an external policy. Before You Begin...
  • Page 605 NAC server. For each posture validation credential type that you want Cisco Secure ACS to send to the external NAC server, select the credential type in the Available Credentials list and click the right arrow (-->). The credential type appears in the Selected Credentials list.
  • Page 606: Editing A Policy

    Step 4 Under Name, click the name of the policy you want to edit. User Guide for Cisco Secure ACS for Windows Server 14-34 You can add the policy to any NAC database, not just the NAC database you clicked through to reach the External Policy Configuration page.
  • Page 607 Selected Policies list. To do so, click Local Policies or External Policies, as applicable, move the policy to the Available Policies list, and click Submit. 78-16592-01 Step User Guide for Cisco Secure ACS for Windows Server NAC Policies Step 3. You can modify 14-35...
  • Page 608: Deleting A Policy

    Under Name, click the name of the policy you want to delete. Step 4 The applicable policy configuration page appears. If there is only one NAC database, no list of databases appears and you can click Configure.
  • Page 609 Credential Validation Policies table no longer lists the deleted policy. All NAC databases that were configured to use the policy no longer include the deleted policy.
  • Page 611: Unknown User Policy

    Unknown User Policy After you have configured at least one database in the External User Databases section of the HTML interface of Cisco Secure Access Control Server (ACS) for Windows Server, you can decide how to implement other Cisco Secure ACS features related to authentication and posture validation.
  • Page 612 NAC and the Unknown User Policy, page 15-10 • Posture Validation Use of the Unknown User Policy, page 15-11 • Required Use for Posture Validation, page 15-12. Cisco Secure ACS handles authentication and posture validation requests for known users as follows: Authentication—Cisco Secure ACS attempts to authenticate a known...
  • Page 613: Chapter 15 Unknown User Policy

    Note: Cisco Secure ACS does not import credentials (such as passwords, certificates, or NAC credential types) for a discovered user. Posture Validation and the Unknown...
  • Page 614: About Unknown User Authentication

    Authentication—The authentication process for discovered users is...
  • Page 615: General Authentication Of Unknown Users

    The scenario given above is handled differently if user accounts with identical usernames exist in separate Windows domains. For more information, see Windows Authentication of Unknown Users, page 15-6.
  • Page 616: Windows Authentication Of Unknown Users

    When a domain name is supplied as part of an authentication request, Cisco Secure ACS detects that a domain name was supplied and tries the authentication credentials against the specified domain. The dial-up networking clients provided...
  • Page 617: Windows Authentication With Domain Qualification

    • The domain controllers in any trusted domains, in an order determined by Windows. • If Cisco Secure ACS runs on a member server, the local accounts database. Windows attempts to authenticate the user with the first account it finds whose username matches the one passed to Windows by Cisco Secure ACS. Whether authentication fails or succeeds, Windows does not search for other accounts with the same username;...
  • Page 618: Multiple User Account Creation

    This small delay may require additional timeout configuration on the AAA clients through which unknown users may attempt to access your network. username. If the same user successfully authenticates without...
  • Page 619: Added Authentication Latency

    AAA clients. For more information about authentication timeout values in IOS, refer to your Cisco IOS documentation.
  • Page 620: Posture Validation And The Unknown User Policy

    EAP-Identity field contains the string yang-laptop01:david.fry and Cisco Secure ACS creates a user account named yang-laptop01:david.fry.
  • Page 621: Posture Validation Use Of The Unknown User Policy

    NAC database. For more information about the order of NAC databases in the Selected Databases list, see Database Search Order, page 15-14.
  • Page 622: Required Use For Posture Validation

    Databases list, you can ensure that each posture validation request is handled by a NAC database with the most restrictive mandatory credential types and, therefore, the most applicable policies. Chapter 14, "Network Admission...
  • Page 623: Authorization Of Unknown Users

    For authentication requests, Cisco Secure ACS applies the Unknown User Policy to unknown users only. Cisco Secure ACS does not support fallback to unknown user authentication when known or discovered users fail authentication.
  • Page 624: Database Search Order

    Databases list is significant: • Authentication—The Unknown User Policy supports unknown user authentication using the following logic: Find the next user database in the Selected Databases list that supports the authentication protocol of the request.
  • Page 625 Cisco Secure ACS may use a NAC database whose policies do not evaluate client posture using the additional credential types sent by the NAC client.
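The walk through the Selected Databases list, as an added example that is neither the manual's nor the product's code. It covers the known/discovered/unknown distinction, the no-fallback rule for known and discovered users, the skipping of databases that do not support the request's protocol, and the Windows first-match behaviour with and without a domain qualifier (which is what produces two discovered accounts for one person). Assumptions: the database names, accounts, passwords and protocol sets are constructed; that Cisco Secure ACS moves on to the next database after a rejection is assumed for illustration and is not stated on these pages.

```python
"""Unknown User Policy walk-through: known users never fall back to the
external databases, discovered users are re-authenticated only against the
database that found them, and unknown users are tried against the Selected
Databases in order, skipping databases that do not support the request's
authentication protocol."""
from typing import Dict, List, Set, Tuple


class ExternalDB:
    """One entry in the Unknown User Policy's Selected Databases list."""

    def __init__(self, name: str, protocols: Set[str], accounts: Dict[str, str]):
        self.name, self.protocols, self.accounts = name, protocols, accounts

    def check(self, username: str, password: str) -> bool:
        return self.accounts.get(username) == password


class WindowsDB(ExternalDB):
    """Windows user database. Without a domain qualifier Windows stops at the
    first account whose name matches, whether or not the password is right,
    so a same-named account in a later domain is never consulted."""

    def __init__(self, name: str, protocols: Set[str],
                 domains: Dict[str, Dict[str, str]]):
        super().__init__(name, protocols, {})
        self.domains = domains              # domain -> accounts, in Windows' search order

    def check(self, username: str, password: str) -> bool:
        if "\\" in username:                # DOMAIN\user: only that domain is tried
            domain, user = username.split("\\", 1)
            return self.domains.get(domain, {}).get(user) == password
        for accounts in self.domains.values():
            if username in accounts:        # first name match ends the search
                return accounts[username] == password
        return False


class UnknownUserPolicy:
    def __init__(self, selected: List[ExternalDB], enabled: bool = True):
        self.selected = selected            # ordered Selected Databases list
        self.enabled = enabled              # False = unknown user authentication disabled
        self.known: Dict[str, str] = {}     # users with an ACS-stored password
        self.discovered: Dict[str, str] = {}  # username -> database that found them

    def add_known_user(self, username: str, password: str) -> None:
        self.known[username] = password

    def authenticate(self, username: str, password: str, protocol: str) -> Tuple[bool, str]:
        """Return (passed, where the decision was made)."""
        if username in self.known:          # known user: internal database, no fallback
            return self.known[username] == password, "CiscoSecure user database"
        if username in self.discovered:     # discovered user: only the recorded database
            db = next(d for d in self.selected if d.name == self.discovered[username])
            if protocol not in db.protocols:
                return False, f"{db.name} does not support {protocol}"
            return db.check(username, password), db.name
        if not self.enabled:
            return False, "unknown user authentication disabled"
        for db in self.selected:            # unknown user: walk the list in order
            if protocol not in db.protocols:
                continue                    # skip databases that cannot handle the protocol
            if db.check(username, password):
                # The account is created under the name exactly as received, so
                # "david.fry" and "LAB\david.fry" become two discovered users.
                self.discovered[username] = db.name   # no credentials are imported
                return True, f"discovered in {db.name}"
            # Assumption for this example: a rejection moves on to the next database.
        return False, "no database in the Selected Databases list accepted the user"


def build_demo() -> UnknownUserPolicy:
    """Constructed databases and accounts for illustration only."""
    token = ExternalDB("RSA-token", {"PAP"}, {"jsmith": "123456", "admin": "wrong"})
    windows = WindowsDB("Windows", {"PAP", "MS-CHAP"},
                        {"CORP": {"david.fry": "s3cret"}, "LAB": {"david.fry": "other"}})
    policy = UnknownUserPolicy([token, windows])
    policy.add_known_user("admin", "internal-pw")
    return policy


def demo_sequence() -> List[Tuple[bool, str]]:
    """One user seen four times; the second and fourth attempts show the
    no-fallback rule and the Windows first-match rule respectively."""
    p = build_demo()
    return [
        p.authenticate("david.fry", "s3cret", "MS-CHAP"),   # unknown -> discovered in Windows
        p.authenticate("david.fry", "wrong", "PAP"),        # discovered: Windows only, no fallback
        p.authenticate("LAB\\david.fry", "other", "PAP"),   # second account for the same person
        p.authenticate("david.fry", "other", "PAP"),        # LAB password never reaches CORP
    ]


if __name__ == "__main__":
    for result in demo_sequence():
        print(result)
```

The fourth attempt is the one to remember when troubleshooting: the LAB password is valid, but because the request carried no domain qualifier Windows matched the CORP account first and stopped, so the user fails even though an account that would have accepted the password exists.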
  • Page 626: Configuring The Unknown User Policy

    External Databases list. To assign the database search order, select a database from the Selected Databases list and click Up or Down to move it into the position you want.
  • Page 627: Disabling Unknown User Authentication

    Unknown user authentication is halted. Cisco Secure ACS does not allow unknown users to authenticate with external user databases. For more information about the significance of database order, see Database Search Order, page 15-14.
  • Page 629: User Group Mapping And Specification

    User Group Mapping and Specification This chapter provides information about group mapping and specification. Cisco Secure Access Control Server (ACS) for Windows Server uses these features to assign users authenticated by an external user database to a single Cisco Secure ACS group.
  • Page 630: Chapter 16 User Group Mapping and Specification

    For example, you could configure Cisco Secure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters. You could then assign a group setup that is appropriate for users who are working away from home, such as MaxSessions=1.
  • Page 631: Creating A Cisco Secure Acs Group Mapping For A Token Server, Odbc Database, Or Leap Proxy Radius Server Database

    Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping, follow these steps: In the navigation bar, click External User Databases.
  • Page 632: Group Mapping By Group Set Membership

    Engineering group that would map other members of the Engineering group who were not members of Tokyo or London.
  • Page 633: Group Mapping Order

    “Contractors” to the No Access group so they could not dial in to the network remotely.
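Group set mapping and mapping order as described on these pages, as an added example (not code from the manual or from Cisco Secure ACS): mappings are evaluated in the configured order, the first set whose groups the user all holds wins, a "Contractors" set mapped to <No Access> denies the user, and the trailing "Engineering" set catches engineers who are in neither Tokyo nor London. The group and ACS group names are constructed, and the shadowed_mappings check is an added lint for the ordering mistake the page warns about, not a feature of the product.

```python
"""Group set mapping evaluated in the configured order: the first set whose
external groups are all held by the user wins, a "Contractors" set mapped to
<No Access> denies the user, and a broader set listed before a narrower one
makes the narrower mapping unreachable."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

NO_ACCESS = "<No Access>"


@dataclass(frozen=True)
class GroupSetMapping:
    group_set: FrozenSet[str]   # external groups the user must all belong to
    acs_group: str              # target Cisco Secure ACS group or NO_ACCESS


def map_user(user_groups: Iterable[str], mappings: List[GroupSetMapping],
             default_group: str = "Default Group") -> Tuple[str, Optional[FrozenSet[str]]]:
    """Walk the mappings in order; a user may belong to groups outside the set
    (the asterisk in the HTML interface), so subset containment is the test."""
    groups = set(user_groups)
    for m in mappings:
        if m.group_set <= groups:
            return m.acs_group, m.group_set
    return default_group, None


def is_authorized(user_groups: Iterable[str], mappings: List[GroupSetMapping]) -> bool:
    return map_user(user_groups, mappings)[0] != NO_ACCESS


def shadowed_mappings(mappings: List[GroupSetMapping]) -> List[int]:
    """Indexes of mappings that can never match because an earlier mapping's
    set is a subset of theirs: every user who satisfies the later set already
    satisfied the earlier one. Use this to check the order before Submit."""
    return [j for j, later in enumerate(mappings)
            if any(earlier.group_set <= later.group_set for earlier in mappings[:j])]


# Constructed mappings in the order the page's example implies.
ORDERED = [
    GroupSetMapping(frozenset({"Contractors"}), NO_ACCESS),
    GroupSetMapping(frozenset({"Engineering", "Tokyo"}), "Tokyo Engineering"),
    GroupSetMapping(frozenset({"Engineering", "London"}), "London Engineering"),
    GroupSetMapping(frozenset({"Engineering"}), "Engineering"),
]
# Same sets with the catch-all first: Tokyo and London engineers never reach their groups.
MISORDERED = [ORDERED[0], ORDERED[3], ORDERED[1], ORDERED[2]]


if __name__ == "__main__":
    for groups in ({"Engineering", "Tokyo"}, {"Engineering", "Paris"},
                   {"Contractors", "Engineering", "Tokyo"}, {"Sales"}):
        print(sorted(groups), "->", map_user(groups, ORDERED)[0])
    print("unreachable in MISORDERED:", shadowed_mappings(MISORDERED))
```

Keeping the <No Access> mapping first is the safe choice: a contractor who is also in Engineering is denied regardless of what later sets would have granted.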
  • Page 634: Default Group Mapping For Windows

    Cisco Secure ACS group mapping. This restriction is not removed by adding a remote group to a group local to the domain providing authentication.
  • Page 635: Generic Ldap Groups

    The Group Mappings for Domain: domainname table appears. To clear your domain selection, click Clear Selection.
  • Page 636 Step 10 The group set you mapped to the Cisco Secure ACS list appears at the bottom of the database groups column. (See No Access Group for Group Set Mappings, page 16-5.)
  • Page 637: Editing A Windows, Novell Nds, Or Generic Ldap Group Set Mapping

    The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set.
  • Page 638: Deleting A Windows, Novell Nds, Or Generic Ldap Group Set Mapping

    Step 3 Click the external user database configuration whose group set mapping you need to delete. You can also select <No Access>. For more information about the <No Access>...
  • Page 639: Deleting A Windows Domain Group Mapping Configuration

    Click the domain name whose group set mapping you want to delete. Step 4 Click Delete Configuration. Step 5 Cisco Secure ACS displays a confirmation dialog box.
  • Page 640: Changing Group Set Mapping Order

    The Group Mappings for NDS Users table appears. Step 6 Click Order mappings. Note: The Order mappings button appears only if more than one group set mapping exists for the current database.
  • Page 641: Nac Group Mapping

    Cisco Secure ACS displays a list of all external databases, including NAC databases. Step 3 Click the name of the NAC database whose SPT-to-group mappings you want to configure. (See Posture Tokens, page 14-4.)
  • Page 642: Radius-Based Group Specification

    • RADIUS token server. Cisco Secure ACS supports per-user group mapping for users authenticated with a LEAP Proxy RADIUS Server database. This is provided in addition to the default group mapping described on page 16-2.
  • Page 643 N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user. For example, if the LEAP Proxy RADIUS Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:...
  • Page 645: Appendix

    • Report Issues, page A-17 • Third-Party Server Issues, page A-19 • User Authentication Issues, page A-20 • TACACS+ and RADIUS Attribute Issues, page A-22
  • Page 646: A Troubleshooting

    • Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows Server Version 3.3 for a list of supported browsers. • Ping Cisco Secure ACS to confirm connectivity. • Verify that the remote administrator is using a valid...
  • Page 647: Appendix A Troubleshooting

    ACS. Authentication fails. Recovery Action: Ensure that the SMTP server name is correct. If the name is correct, ensure that the computer running Cisco Secure ACS can ping the SMTP server or can send e-mail via a third-party e-mail software package.
  • Page 648: Browser Issues

    Administrator database appears corrupted. Remote administrator intermittently can’t browse the Cisco Secure ACS HTML interface. Recovery Action: Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser.
  • Page 649: Cisco Ios Issues

    For information about group mapping for NAC databases, see NAC Group Mapping, page 16-13. For more information about the Cisco IOS/PIX cisco-av-pair VSA, see About the cisco-av-pair RADIUS Attribute, page C-7.
  • Page 650 If you have a fallback method configured on your AAA client, disable connectivity to the AAA server and log in using local/line username and password. Try to connect directly to the AAA client at the console port. If that...
  • Page 651: Database Issues

    The external user database is not available in the Group Mapping section. Recovery Action: • Make sure that the correct server is listed in the Partners list. • Make sure you have set the server correctly as either Send or Receive.
  • Page 652 Unknown users are not authenticated. Novell NDS or Generic LDAP Group Mapping not working correctly. Recovery Action: Make sure that a two-way trust (for dial-in check) has been established between the Cisco Secure ACS domain and the other domains.
  • Page 653 When you install Cisco Secure ACS in the default location, CSUtil.exe is located in the following directory: C:\Program Files\CiscoSecure ACS vX.X\Utils. For more information on using the csutil command, see Appendix D, “CSUtil Database Utility”.
  • Page 654: Dial-In Connection Issues

    • Program Files\CiscoSecure ACS vx.x\TacConfig.txt • Program Files\CiscoSecure ACS vx.x\RadConfig.txt • The Cisco Secure ACS Services are running (CSAdmin, CSAuth, CSDBSync, CSLog, CSRadius, CSTacacs) on the computer running Cisco Secure ACS.
  • Page 655 Fail the attempt is not selected, and ensure that the Selected Databases list reflects the necessary database. Verify that the Windows group that the user belongs to has not been mapped to No Access.
  • Page 656 AAA client. Additionally, you can verify Cisco Secure ACS connectivity by attempting to Telnet to the access server from a workstation connected to the LAN. A successful authentication for Telnet confirms that Cisco Secure ACS is working with the AAA client.
  • Page 657 Per-User Advanced TACACS+ Features check box. Then, go to the TACACS+ Outbound Password section of the Advanced TACACS+ Settings table on the User Setup page and type and confirm the password in the boxes provided.
  • Page 658: Debug Issues

    PASS returns a for authorization. FAIL Recovery Action: The configurations of the AAA client or Cisco Secure ACS are likely to be at fault. From within Cisco Secure ACS confirm the following: Cisco Secure ACS is receiving the request.
  • Page 659: Proxy Issues

    Proxying requests to another server fail. Recovery Action: Make sure that the following conditions are met: • The direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.
  • Page 660: Installation And Upgrade Issues

    Condition: MaxSessions over VPDN is not working. User MaxSessions fluctuates or is unreliable. User MaxSessions not taking effect. Recovery Action: From the Windows Registry, delete the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\...
  • Page 661: Report Issues

    Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to Cisco Secure ACS for Windows NT. The Unknown User database was changed. Accounting reports will still contain unknown user information.
  • Page 662 Condition: The Logged in Users report works with some devices, but not with others. Recovery Action: For the report to work (and this also applies to Logged in Users...
  • Page 663: Third-Party Server Issues

    For dial-up users, make sure you are using PAP and not MS-CHAP or CHAP; RSA/SDI does not support CHAP, and Cisco Secure ACS will not send the request to the RSA server, but rather it will log an error with external database failure.
  • Page 664: User Authentication Issues

    User did not inherit settings from new group. Authentication fails. The AAA client times out when authenticating against a Windows user database. Recovery Action: Restart Cisco Secure ACS services. For steps, see...
  • Page 665 Network-EAP check box is selected. If you are using an external user database for authentication, verify that it is supported. For more information, see Authentication Protocol-Database Compatibility, page 1-10.
  • Page 666: Tacacs+ And Radius Attribute Issues

    TACACS+ and RADIUS Attribute Issues. Condition: TACACS+ and RADIUS attributes do not appear on the Group Setup page. Recovery Action: Make sure that you have at least one RADIUS or...
  • Page 667: Appendix

    TACACS+ Attribute-Value Pairs Cisco Secure Access Control Server (ACS) for Windows Server supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value. Cisco IOS AV Pair Dictionary Before selecting TACACS+ AV pairs for Cisco Secure ACS, confirm that your AAA client is running Cisco IOS Release 11.2 or later.
  • Page 668: Appendix B TACACS+ Attribute-Value Pairs

    • autocmd= • callback-dialstring • callback-line • callback-rotary • cmd-arg= • cmd= • dns-servers= • gw-password • idletime= • inacl#n • inacl= • interface-config=
  • Page 669 • route • route#n • routing= • rte-ftr-in#n • rte-ftr-out#n • sap#n • sap-fltr-in#n • sap-fltr-out#n • service= • source-ip= • timeout= • tunnel-id
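Receiving-side handling of the AV pairs listed above, as an added example that is not from the manual or from any Cisco product: a parser that separates the attribute name, the "#n" index used by inacl#n, route#n and the filter attributes, and the value, reassembles indexed attributes in numeric order, and refuses an authorization reply that carries a mandatory attribute the client does not understand. The "=" (mandatory) versus "*" (optional) separator rule comes from the TACACS+ protocol and Cisco IOS conventions, not from this appendix's list; the sample reply and the client's supported set are constructed.

```python
"""TACACS+ AV pair handling on the receiving side: mandatory ("=") versus
optional ("*") separators, indexed attributes such as inacl#n reassembled in
numeric order, and the rule that an authorization reply carrying a mandatory
attribute the client does not understand must be refused."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# name, optional "#n" index, separator ("=" mandatory, "*" optional), value
_AV_RE = re.compile(r"^(?P<name>[^=*#]+)(?:#(?P<index>[0-9]+))?(?P<sep>[=*])(?P<value>.*)$", re.S)


@dataclass(frozen=True)
class AvPair:
    name: str
    value: str
    mandatory: bool
    index: Optional[int] = None


def parse_av_pair(raw: str) -> AvPair:
    m = _AV_RE.match(raw)
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    return AvPair(m["name"], m["value"], m["sep"] == "=",
                  int(m["index"]) if m["index"] is not None else None)


def parse_av_pairs(raws: Iterable[str]) -> List[AvPair]:
    return [parse_av_pair(r) for r in raws]


def assemble_indexed(pairs: Iterable[AvPair], name: str) -> List[str]:
    """Collect name#1, name#2, ... in index order (not arrival order); the
    resulting lines are applied in sequence, so the order is security-relevant."""
    indexed = [(p.index, p.value) for p in pairs if p.name == name and p.index is not None]
    return [v for _, v in sorted(indexed)]


def reply_acceptable(pairs: Iterable[AvPair], supported: Set[str]) -> bool:
    """Mandatory attributes must be understood; unknown optional ones are ignored."""
    return all(p.name in supported or not p.mandatory for p in pairs)


# Constructed authorization reply; the inacl lines arrive out of order.
SAMPLE_REPLY = ["service=shell", "priv-lvl=15",
                "inacl#2=deny ip any any", "inacl#1=permit tcp any any eq 22",
                "idletime*10"]
CLIENT_SUPPORTS = {"service", "priv-lvl", "inacl", "idletime"}

if __name__ == "__main__":
    pairs = parse_av_pairs(SAMPLE_REPLY)
    print(assemble_indexed(pairs, "inacl"))
    print(reply_acceptable(pairs, CLIENT_SUPPORTS))
```

A client that applied inacl lines in arrival order would install the deny before the permit and cut off the SSH access the server intended to grant; a client that silently dropped an unsupported mandatory attribute would grant more than the server intended.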
  • Page 670: Tacacs+ Accounting Av Pairs

    • mlp-sess-id • nas-rx-speed • nas-tx-speed • paks_in • paks_out • port • pre-bytes-in • pre-bytes-out • pre-paks-in • pre-paks-out • pre-session-time • priv_level
  • Page 671 • protocol • reason • service • start_time • stop_time • task_id • timezone • xmit-rate
  • Page 673: Appendix

    RADIUS Attributes Cisco Secure Access Control Server (ACS) for Windows Server supports many RADIUS attributes. You can enable different attribute-value (AV) pairs for IETF RADIUS and for any supported vendor. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes supported by Cisco Secure ACS.
  • Page 674 Cisco IOS or compatible AAA client software. For more information, see Network and Port Requirements. Settings in a user profile override settings in a group profile. For example, if Session-Timeout is configured in the user profile and also in the group the user is assigned to, Cisco Secure ACS sends the AAA client the Session-Timeout value specified in the user profile.
  • Page 675: Cisco Ios Dictionary Of Radius Av Pairs

    [Table: Cisco IOS Dictionary of RADIUS AV Pairs, with columns Type of Value, Inbound/Outbound, and Multiple. Only column fragments (Ipaddr, Integer, String; maximum lengths 10 and 15 characters; Inbound, Outbound, Both) survive on this page.]
  • Page 676 Session-Timeout • Idle-Timeout • Called-Station-ID • Calling-Station-ID • Login-LAT-Service • Acct-Status-Type • Acct-Delay-Time • Acct-Input-Octets • Acct-Output-Octets • Acct-Session-ID • Acct-Authentic • Acct-Session-Time [attribute name column of the Cisco IOS RADIUS AV pair table; the Type of Value and Inbound/Outbound columns are not recoverable from this page]
  • Page 677: Cisco Ios/Pix Dictionary Of Radius Vsas

    Table C-2 lists the Cisco IOS/PIX RADIUS VSAs. [Only Type of Value (Integer, String, maximum length 10 characters) and Inbound/Outbound column fragments of the table survive on this page.] About Multiple...
  • Page 679: About The Cisco-Av-Pair RADIUS Attribute

    EXEC commands. [Table fragments only: String (maximum length 247 characters), Outbound, Both, Multiple.]
  • Page 680 NAC-client computer requires an update or patch that you have made available on a remediation web server. For example, a user can be redirected to a remediation web server to download and apply a new virus DAT file or an operating system patch. For example: url-redirect=http://10.1.1.1...
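Consuming cisco-av-pair values on the receiving side, as an added example that is not from the manual or from Cisco Secure ACS. It serves two passages: the RADIUS-based group specification on page 643 (an AV pair whose value names the ACS group number N, 0 through 499) and the url-redirect pair for NAC remediation on this page. The attribute name ACS:CiscoSecure-Group-Id used for the group pair is an assumption for this example; the page only gives the value format. The sample Access-Accept contents are constructed.

```python
"""Parsing the values a RADIUS server returns in the Cisco IOS/PIX
cisco-av-pair VSA ([009\\001]): the group-assignment pair used for
RADIUS-based group specification and the url-redirect pair used for NAC
remediation, with the range and URL checks a consumer should apply."""
import re
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# The attribute name below is an assumption for this example; the page gives
# only the form "N is the Cisco Secure ACS group number (0 through 499)".
GROUP_ID_KEY = "acs:ciscosecure-group-id"
MAX_GROUP_ID = 499


def parse_av_pair(raw: str) -> Tuple[str, str]:
    """Split 'name=value' (whitespace around '=' tolerated); name is case-folded."""
    name, sep, value = raw.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cisco-av-pair: {raw!r}")
    return name.strip().lower(), value.strip()


def is_valid_group_id(value: str) -> bool:
    """ASCII digits only, and within 0-499; nothing else is a group number."""
    return re.fullmatch(r"[0-9]{1,3}", value) is not None and int(value) <= MAX_GROUP_ID


def is_safe_redirect(value: str) -> bool:
    """Only absolute http(s) URLs with a host may be pushed to a NAC client."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def group_id_from_av_pairs(av_pairs: Iterable[str]) -> Optional[int]:
    """Group number carried in the response, or None. An out-of-range or
    non-numeric value is an error, not silently coerced into another group."""
    for raw in av_pairs:
        name, value = parse_av_pair(raw)
        if name == GROUP_ID_KEY:
            if not is_valid_group_id(value):
                raise ValueError(f"group id must be 0-{MAX_GROUP_ID}, got {value!r}")
            return int(value)
    return None


def redirect_url_from_av_pairs(av_pairs: Iterable[str]) -> Optional[str]:
    """url-redirect target for remediation, or None; refused unless it is an
    absolute http(s) URL, so a bad value cannot select an arbitrary scheme."""
    for raw in av_pairs:
        name, value = parse_av_pair(raw)
        if name == "url-redirect":
            if not is_safe_redirect(value):
                raise ValueError(f"url-redirect is not an absolute http(s) URL: {value!r}")
            return value
    return None


# Constructed Access-Accept contents for illustration.
SAMPLE_ACCEPT = ["ACS:CiscoSecure-Group-Id = 12", "url-redirect=http://10.1.1.1"]

if __name__ == "__main__":
    print(group_id_from_av_pairs(SAMPLE_ACCEPT), redirect_url_from_av_pairs(SAMPLE_ACCEPT))
```

The group number decides which Group Setup the user inherits, so it is treated as untrusted input from the proxied server: a value like 500 or a non-numeric string fails closed rather than landing the user in some default group.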
  • Page 681: Cisco Vpn 3000 Concentrator Dictionary Of Radius Vsas

    Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs: Table C-3 lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs. [Only Type of Value (String, maximum length 247 characters; Integer, maximum length 10 characters; Ipaddr, maximum length 15 characters) and Inbound/Outbound (Outbound) column fragments survive on this page.]
  • Page 682 CVPN3000-SEP-Card-Assignment • CVPN3000-Tunneling-Protocols • CVPN3000-IPSec-Sec-Association • CVPN3000-IPSec-Authentication • CVPN3000-IPSec-Banner1 • CVPN3000-IPSec-Allow-Passwd-Store (Integer) • CVPN3000-Use-Client-Address • CVPN3000-PPTP-Encryption • CVPN3000-L2TP-Encryption • CVPN3000-IPSec-Split-Tunnel-List • CVPN3000-IPSec-Default-Domain • CVPN3000-IPSec-Split-DNS-Names [attribute names only; the Type of Value and Inbound/Outbound columns are not recoverable from this page beyond Ipaddr (maximum length 15 characters), Outbound]
  • Page 684 CVPN3000-IPSec-Split-Tunneling-Policy • CVPN3000-IPSec-Required-Client-Firewall-Capability • CVPN3000-IPSec-Client-Firewall-Filter-Name • CVPN3000-IPSec-Client-Firewall-Filter-Optional • CVPN3000-IPSec-Backup-Servers • CVPN3000-IPSec-Backup-Server-List • CVPN3000-MS-Client-Intercept-DHCP-Configure-Message • CVPN3000-MS-Client-Subnet-Mask [attribute names only; column fragments show Integer (maximum length 10 characters), String, Outbound]
  • Page 685: Cisco Vpn 5000 Concentrator Dictionary Of Radius Vsas

    [Table of supported Cisco VPN 5000 Concentrator RADIUS VSAs; only Type of Value (Integer, String, String with maximum length 247 characters) and Inbound/Outbound (Inbound, Outbound) column fragments survive on this page.]
  • Page 686: Cisco Building Broadband Service Manager Dictionary Of Radius Vsa

    Authentication Protocol) response to an Access-Challenge. NAS-IP-Address: IP address of the AAA client that is requesting authentication. Table C-5 lists the supported Cisco BBSM RADIUS VSA (Type of Value: Integer). The table that follows lists the supported RADIUS (IETF) attributes.
  • Page 687 For channels on a basic rate ISDN interface, the value is 3bb0c. For other types of interfaces, the value is 6nnss.
  • Page 688 This AV results in a static route being added for Framed-IP-Address with the mask specified. In a request: Framed—For known PPP...
  • Page 690 [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are ignored. Framed-IPX-Network: — Values: 0: Telnet 1: Rlogin 2: TCP-Clear 3: PortMaster 4: LAT...
  • Page 691 PPP sessions.
  • Page 692 Included in proxied RADIUS requests per RADIUS standards. The operation of Cisco Secure ACS does not depend on the contents of this attribute.
  • Page 694 Acct-Output-Packets: Number of packets sent to the port while this service is being delivered to a framed user.
  • Page 695 12: Port unneeded 13: Port pre-empted 14: Port suspended 15: Service unavailable 16: Callback 17: User error 18: Host request
  • Page 696 Login-LAT-Port: — Tunnel-Type: — Tunnel-Medium-Type: — Values: 0: Asynchronous 1: Synchronous 2: ISDN-Synchronous 3: ISDN-Asynchronous (V.120) 4: ISDN-Asynchronous (V.110) 5: Virtual
  • Page 698 Multilink-ID: — Num-In-Multilink: — Pre-Input-Octets: — Pre-Output-Octets: — Pre-Input-Packets: —
  • Page 700: Microsoft Mppe Dictionary Of Radius Vsas

    MS-CHAP-Response (String) • MS-CHAP-Error (String) • MS-CHAP-CPW-1 (String) • MS-CHAP-CPW-2 (String). The table lists the supported MPPE RADIUS VSAs.
  • Page 701 MPPE. It is a four octet integer that is interpreted as a string of bits.
  • Page 702: Microsoft Mppe Dictionary Of Radius Vsas

    MS-CHAP-NT-Enc-PW (String) • MS-CHAP2-Response (String) • MS-CHAP2-... (String). Description: The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets. The MS-CHAP-MPPE-Keys...
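How the session keys in these attributes are hidden on the wire, as an added example that is not from the manual or from Cisco Secure ACS. The page says only that MS-CHAP-MPPE-Keys carries two session keys in the Access-Accept; the hiding method below is the one RFC 2548 specifies: MS-CHAP-MPPE-Keys uses the User-Password method (an MD5 keystream seeded with the shared secret and the Request-Authenticator), and MS-MPPE-Send-Key / MS-MPPE-Recv-Key add a 2-octet salt and a key-length byte. The secret, authenticator, keys and fixed salt are constructed test values.

```python
"""Hiding and recovering the MPPE session keys that travel in the
Access-Accept, per RFC 2548: MS-CHAP-MPPE-Keys uses the User-Password
method (MD5 keystream seeded with secret + Request-Authenticator), while
MS-MPPE-Send-Key / MS-MPPE-Recv-Key add a 2-octet salt and a length byte."""
import hashlib
import os
from typing import Tuple

BLOCK = 16


def _keystream_block(secret: bytes, seed: bytes) -> bytes:
    return hashlib.md5(secret + seed).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _encrypt_chain(secret: bytes, seed: bytes, plain: bytes) -> bytes:
    """c1 = p1 ^ MD5(S + seed); ci = pi ^ MD5(S + c(i-1))."""
    out, prev = b"", seed
    for i in range(0, len(plain), BLOCK):
        c = _xor(plain[i:i + BLOCK], _keystream_block(secret, prev))
        out += c
        prev = c
    return out


def _decrypt_chain(secret: bytes, seed: bytes, cipher: bytes) -> bytes:
    if len(cipher) % BLOCK:
        raise ValueError("ciphertext is not a multiple of 16 octets")
    out, prev = b"", seed
    for i in range(0, len(cipher), BLOCK):
        c = cipher[i:i + BLOCK]
        out += _xor(c, _keystream_block(secret, prev))
        prev = c
    return out


def encrypt_mppe_keys(secret: bytes, req_auth: bytes, lm_key: bytes, nt_key: bytes) -> bytes:
    """MS-CHAP-MPPE-Keys: 8-octet LM-Key, 16-octet NT-Key, 8 octets of padding,
    hidden exactly like User-Password (seed = Request-Authenticator)."""
    if len(lm_key) != 8 or len(nt_key) != 16 or len(req_auth) != 16:
        raise ValueError("LM-Key is 8 octets; NT-Key and Request-Authenticator are 16")
    return _encrypt_chain(secret, req_auth, lm_key + nt_key + bytes(8))


def decrypt_mppe_keys(secret: bytes, req_auth: bytes, cipher: bytes) -> Tuple[bytes, bytes]:
    if len(cipher) != 32:
        raise ValueError("MS-CHAP-MPPE-Keys value must be 32 octets")
    plain = _decrypt_chain(secret, req_auth, cipher)
    return plain[:8], plain[8:24]


def new_salt() -> bytes:
    """2 octets, high bit set, unique per attribute within an Access-Accept."""
    s = bytearray(os.urandom(2))
    s[0] |= 0x80
    return bytes(s)


def encrypt_mppe_send_recv_key(secret: bytes, req_auth: bytes, key: bytes, salt: bytes) -> bytes:
    """MS-MPPE-Send-Key / MS-MPPE-Recv-Key: Salt || Enc(Key-Length || Key || pad),
    seed = Request-Authenticator + Salt."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % BLOCK)
    return salt + _encrypt_chain(secret, req_auth + salt, plain)


def decrypt_mppe_send_recv_key(secret: bytes, req_auth: bytes, value: bytes) -> bytes:
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("missing or malformed salt")
    plain = _decrypt_chain(secret, req_auth + salt, cipher)
    if plain[0] > len(plain) - 1:            # a wrong shared secret usually shows up here
        raise ValueError("key length exceeds payload: wrong shared secret?")
    return plain[1:1 + plain[0]]


# Constructed values for the round trip (never reuse a fixed salt in production).
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))
LM_KEY, NT_KEY = bytes([0x11] * 8), bytes(range(0x20, 0x30))
SEND_KEY = bytes(range(0xA0, 0xB0))
FIXED_SALT = b"\x80\x01"

if __name__ == "__main__":
    hidden = encrypt_mppe_send_recv_key(SECRET, REQ_AUTH, SEND_KEY, new_salt())
    print(hidden.hex(), decrypt_mppe_send_recv_key(SECRET, REQ_AUTH, hidden) == SEND_KEY)
```

The only thing protecting these keys between the RADIUS server and the AAA client is the shared secret fed into MD5, which is why a short or reused secret, or RADIUS carried over an untrusted network without IPsec, exposes every MPPE session key to anyone who captured the Access-Request and Access-Accept.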
  • Page 703: Ascend Dictionary Of Radius Av Pairs

    Ascend Dictionary of RADIUS AV Pairs: Table C-8 contains the supported Ascend RADIUS AV pairs. [Only Type of Value (String, Ipaddr, Integer) and Inbound/Outbound column fragments survive on this page.]
  • Page 704 Reply-Message • Callback-ID • Callback-Name • Framed-Route • Framed-IPX-Network • State • Class • Vendor-Specific • Call-Station-ID • Calling-Station-ID • Acct-Status-Type • Acct-Delay-Time • Acct-Input-Octets • Acct-Output-Octets [attribute names only; column fragments show Integer, Ipaddr, Both, Outbound]
  • Page 705: Ascend Dictionary Of Radius Av Pairs

  • Page 706 Ascend-CBCP-Trunk-Group • Ascend-AppleTalk-Route • Ascend-AppleTalk-Peer-Mode • Ascend-Route-AppleTalk • Ascend-FCP-Parameter • Ascend-Modem-PortNo • Ascend-Modem-SlotNo • Ascend-Modem-ShelfNo • Ascend-Call-Attempt-Limit • Ascend-Call-Block_Duration • Ascend-Maximum-Call-Duration • Ascend-Router-Preference • Ascend-Tunneling-Protocol [attribute names only; column fragments show String (maximum length 10 characters), Both]
  • Page 708 Ascend-Session-Svr-Key • Multicast Rate Limit Per Client: Ascend-Multicast-Rate-Limit • Connection Profile Fields to Support Interface-Based Routing: Ascend-IF-Netmask, Ascend-Remote-Addr • Multicast Support: Ascend-Multicast-Client [column fragments show Ipaddr, Outbound]
  • Page 709 Integer (maximum length 10 characters) Integer (maximum length 10 characters) String (maximum length 253 characters) Integer (maximum length 10 characters) User Guide for Cisco Secure ACS for Windows Server Inbound/ Outbound Multiple Outbound No Outbound No Outbound No Outbound No...
  • Page 710 Ascend-IPX-Route Ascend-FT1-Caller Ascend-Backup Ascend-Call-Type Ascend-Group Ascend-FR-DLCI Ascend-FR-Profile-Name Ascend-Ara-PW Ascend-IPX-Node-Addr Ascend-Home-Agent-IP-Addr Ascend-Home-Agent-Password User Guide for Cisco Secure ACS for Windows Server C-38 Appendix C Inbound/ Type of Value Outbound Integer (maximum Outbound No length 10 characters) Integer (maximum Outbound No length 10 characters)
  • Page 711 Integer Integer (maximum length 10 characters) String (maximum length 253 characters) String (maximum length 253 characters) Integer (maximum length 10 characters) User Guide for Cisco Secure ACS for Windows Server Inbound/ Outbound Multiple Outbound No Outbound No Inbound Inbound Inbound...
  • Page 712 Ascend-PPP-VJ-Slot-Comp Ascend-PPP-VJ-1172 Ascend-PPP-Async-Map Ascend-Third-Prompt Ascend-Send-Secret Ascend-Receive-Secret Ascend-IPX-Peer-Mode Ascend-IP-Pool-Definition Ascend-Assign-IP-Pool Ascend-FR-Direct Ascend-FR-Direct-Profile User Guide for Cisco Secure ACS for Windows Server C-40 Appendix C Inbound/ Type of Value Outbound String (maximum Outbound No length 253 characters) String Outbound Yes Integer (maximum...
  • Page 713 Integer (maximum length 10 characters) Integer (maximum length 10 characters) Integer (maximum length 10 characters) Integer (maximum length 10 characters) User Guide for Cisco Secure ACS for Windows Server Inbound/ Outbound Multiple Outbound No Outbound No Outbound No Outbound No...
  • Page 714 Connection Profile/Telco Options Ascend-Callback Ascend-Data-Svc Ascend-Force-56 Ascend-Billing-Number Ascend-Call-By-Call Ascend-Transit-Number Terminal Server Attributes Ascend-Host-Info PPP Local Address Attribute User Guide for Cisco Secure ACS for Windows Server C-42 Appendix C Inbound/ Type of Value Outbound Integer (maximum Outbound No length 10 characters) Integer...
  • Page 715: Nortel Dictionary Of Radius Vsas

    Ipaddr (maximum length 15 characters) Ipaddr (maximum length 15 characters) Ipaddr (maximum length 15 characters) Integer Integer User Guide for Cisco Secure ACS for Windows Server Nortel Dictionary of RADIUS VSAs Inbound/ Outbound Multiple Outbound No Outbound No Outbound No...
  • Page 716: Juniper Dictionary Of Radius Vsas

    Table C-10 Juniper RADIUS VSAs Number Attribute Juniper-Local-User-Name Juniper-Allow-Commands Juniper-Deny-Commands User Guide for Cisco Secure ACS for Windows Server C-44 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS. The Type of Value String (maximum length 247 characters) String (maximum length...
  • Page 717: Appendix

    CSUtil Database Utility This appendix details the Cisco Secure Access Control Server (ACS) for Windows Server command-line utility, CSUtil.exe. Among its several functions, CSUtil.exe enables you to add, change, and delete users from a colon-delimited text file. You can also use the utility to add and delete AAA client configurations.
  • Page 718: Appendix D Csutil Database Utility

    ] [-f] [-n] [-u] [-x] [-y] [-listUDV] [-addUDV [-delUDV slot] [-t -filepath username user list filepath | -f vendor-ID application-ID attribute-ID [-delAVP User Guide for Cisco Secure ACS for Windows Server CSUtil.exe filename filename ] [[-p] -l full filepath password...
  • Page 719: Csutil Database Utility

    Backing Up Cisco Secure ACS with CSUtil.exe, page Recalculating CRC Values, page Creating a Cisco Secure ACS Database D-10. Decoding Error Numbers, page Exporting Group Information to a Text File, page User Guide for Cisco Secure ACS for Windows Server CSUtil.exe Options D-6. D-28. dump.txt D-27.
  • Page 720 Vendor and VSA Set, page -delUDV—Delete a user-defined RADIUS VSA. For more information about • this option, see User Guide for Cisco Secure ACS for Windows Server D-15. Loading the Cisco Secure ACS D-11. Restoring Cisco Secure ACS with CSUtil.exe, PAC File Generation, page .
  • Page 721: Displaying Command-Line Syntax

    Importing Posture Validation Attribute D-49. Deleting a Posture Validation Attribute Definition, D-51. Exporting Posture Validation Attribute Definitions, D-48. D-2. User Guide for Cisco Secure ACS for Windows Server Displaying Command-Line Syntax Listing CSUtil.exe Syntax, page D-2. Location of CSUtil.exe and...
  • Page 722: Backing Up Cisco Secure Acs With Csutil.exe

    CSUtil.exe generates a complete backup of all Cisco Secure ACS internal data, including user accounts and system configuration. This process may take a few minutes. Note User Guide for Cisco Secure ACS for Windows Server D-2. filename CSUtil.exe displays the error message “Backup Failed” when it attempts to back up components of Cisco Secure ACS that are empty, such as when no administrator accounts exist.
  • Page 723: Restoring Cisco Secure Acs With Csutil.exe

    CSUtil.exe -r users where filename is the name of the backup file. Press Enter. 78-16592-01 Restoring Cisco Secure ACS with CSUtil.exe Location of CSUtil.exe and D-2. filename filename User Guide for Cisco Secure ACS for Windows Server Cisco Secure ACS Backup,...
  • Page 724: Creating A Ciscosecure User Database

    Unless you have a current backup or dump of your CiscoSecure user database, all user accounts are lost when you use this option. User Guide for Cisco Secure ACS for Windows Server filename If the backup file is missing a database component, CSUtil.exe displays an error message.
  • Page 725 To resume user authentication, type: Step 6 net start csauth and press Enter. 78-16592-01 Creating a CiscoSecure User Database D-10. Location of CSUtil.exe and D-2. User Guide for Cisco Secure ACS for Windows Server D-6. For more Creating a...
  • Page 726: Creating A Cisco Secure Acs Database Dump File

    To confirm that you want to dump all Cisco Secure ACS internal data into Step 4 dump.txt CSUtil.exe creates the User Guide for Cisco Secure ACS for Windows Server D-10 D-2. , type Y and press Enter. file. This process may take a few minutes.
  • Page 727: Loading The Cisco Secure Acs Database From A Dump File

    The CSAuth service stops. 78-16592-01 Loading the Cisco Secure ACS Database from a Dump File , the -l option allows for loading renamed dump dump.txt D-10. Location of CSUtil.exe and D-2. User Guide for Cisco Secure ACS for Windows Server Creating a D-11...
  • Page 728: Compacting The Ciscosecure User Database

    Over time, your CiscoSecure user database may be substantially larger than is required by the number of users it contains. To reduce the CiscoSecure user database size, you can compact it periodically. User Guide for Cisco Secure ACS for Windows Server D-12 filename Overwriting the database does not preserve any data;...
  • Page 729 If you include the -q option in the command, CSUtil.exe does not prompt you for confirmation of initializing or loading the database. 78-16592-01 Compacting the CiscoSecure User Database Location of CSUtil.exe and D-2. User Guide for Cisco Secure ACS for Windows Server dump.txt dump.txt D-13...
  • Page 730: User And Aaa Client Import Option

    – – – – – User Guide for Cisco Secure ACS for Windows Server D-14 Creating a CiscoSecure User Database, . This process may take a few minutes. About User and AAA Client Import File Format, page D-17 ONLINE or OFFLINE Statement, page D-17...
  • Page 731: Importing User And Aaa Client Information

    Enter. The CSRadius service stops. 78-16592-01 User and AAA Client Import File Format, page D-2. filename User Guide for Cisco Secure ACS for Windows Server User and AAA Client Import Option D-6. D-16. Location of CSUtil.exe and D-15...
  • Page 732: User And Aaa Client Import File Format

    UPDATE Statements, page D-19 • • DELETE Statements, page D-21 ADD_NAS Statements, page D-21 • DEL_NAS Statements, page D-23 • Import File Example, page D-24 • User Guide for Cisco Secure ACS for Windows Server D-16 Appendix D CSUtil Database Utility 78-16592-01...
  • Page 733: About User And Aaa Client Import File Format

    For example, importing 100,000 users in the OFFLINE mode takes less than one minute. User Guide for Cisco Secure ACS for Windows Server User and AAA Client Import Option Table D-1.
  • Page 734: Add Statements

    EXT_NT — EXT_NDS — User Guide for Cisco Secure ACS for Windows Server D-18 D-2. Description Add user information to Cisco Secure ACS. If the username already exists, no information is changed. Group number to which the user is assigned. This must be a number from 0 to 499, not a name.
  • Page 735: Update Statements

    Authenticate the username with a LEAP proxy RADIUS server external user database. Authenticate the username with a RADIUS token server external user database. Table D-3. User Guide for Cisco Secure ACS for Windows Server User and AAA Client Import Option D-19...
  • Page 736 EXT_LDAP — EXT_LEAP — EXT_RADIUS No — User Guide for Cisco Secure ACS for Windows Server D-20 Appendix D Description Update user information to Cisco Secure ACS. Group number to which the user is assigned. This must be a number from 0 to 499, not a name.
  • Page 737: Delete Statements

    Cisco Secure ACS. The valid tokens for ADD_NAS statements are listed in Table D-5. 78-16592-01 Description The name of the user account that is to be deleted. User Guide for Cisco Secure ACS for Windows Server User and AAA Client Import Option D-21...
  • Page 738 VENDOR description NDG name The name of the Network Device Group to which the AAA User Guide for Cisco Secure ACS for Windows Server D-22 Appendix D Description The name of the AAA client that is to be added.
  • Page 739: Del_Nas Statements

    Adding a AAA Client, page For AAA clients using TACACS+ only, the value set for this token specifies whether the Log Update/Watchdog Packets from this Access Server option is enabled. For more information, see Adding a AAA Client, page shared secret :KEY: :VENDOR:"TACACS+ (Cisco IOS)":NDG:"East...
  • Page 740: Import File Example

    On the computer running Cisco Secure ACS, open an MS DOS command prompt Step 1 and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see Related Files, page User Guide for Cisco Secure ACS for Windows Server D-24 Appendix D . The users.txt users.txt...
  • Page 741: Exporting Group Information To A Text File

    CSUtil.exe, see Related Files, page 78-16592-01 users.txt . The file is useful primarily for debugging purposes groups.txt D-2. User Guide for Cisco Secure ACS for Windows Server Exporting Group Information to a Text File Location of CSUtil.exe and D-25...
  • Page 742: Exporting Registry Information To A Text File

    CSUtil.exe, see Related Files, page Type: Step 2 CSUtil.exe -y and press Enter. User Guide for Cisco Secure ACS for Windows Server D-26 groups.txt . The file is primarily useful for debugging purposes while setup.txt D-2.
  • Page 743: Decoding Error Numbers

    In this example, the error code number that you could use CSUtil.exe to decode is “-1087”:
    C:\Program Files\CiscoSecure ACS v
    CSUtil v3.0(1.14), Copyright 1997-2001, Cisco Systems Inc
    Code -1087 : External database reported error during authentication
    The -e option applies to Cisco Secure ACS internal error codes only, not to...
  • Page 744: Recalculating Crc Values

    • Exporting Custom RADIUS Vendor and VSA Sets, page D-33 • RADIUS Vendor/VSA Import File, page D-34 • User Guide for Cisco Secure ACS for Windows Server D-28 number The hyphen (-) before number is required. Appendix D CSUtil Database Utility...
  • Page 745: About User-Defined Radius Vendors And Vsa Sets

    Note ACS, all Cisco Secure ACS services are automatically stopped and restarted. No users are authenticated during this process. 78-16592-01 User-Defined RADIUS Vendors and VSA Sets 9-25. CiscoSecure Database Replication, User Guide for Cisco Secure ACS for Windows Server D-29...
  • Page 746 • Make sure that regedit is not running. If regedit is running on the Cisco Secure ACS Windows server, it can prevent Registry updates required for adding a custom RADIUS vendor and VSA set. To add a custom RADIUS VSA to Cisco Secure ACS, follow these steps:...
  • Page 747: Deleting A Custom Radius Vendor And Vsa Set

    RADIUS vendors and VSAs after reinstallation or upgrading to a later release. AAA Client Configuration, page Accounting Logs, page D-2. User Guide for Cisco Secure ACS for Windows Server User-Defined RADIUS Vendors and VSA Sets 4-11. 11-6. Location of CSUtil.exe and...
  • Page 748: Listing Custom Radius Vendors

    CSUtil.exe. For more information about the location of CSUtil.exe, see Related Files, page User Guide for Cisco Secure ACS for Windows Server D-32 slot-number For more information about determining what RADIUS vendor a...
  • Page 749: Exporting Custom Radius Vendor And Vsa Sets

    CSUtil.exe, see Related Files, page 78-16592-01 D-2. D-2. User Guide for Cisco Secure ACS for Windows Server User-Defined RADIUS Vendors and VSA Sets System UDVs Location of CSUtil.exe , where n is the slot number UDV_ .ini...
  • Page 750: Radius Vendor/Vsa Import File

    Each section comprises a section header and a set of keys and values. The order of the sections in the RADIUS vendor/VSA import file is irrelevant. User Guide for Cisco Secure ACS for Windows Server D-34 directory, where CSUtil.exe is located, is replaced, including...
  • Page 751: Vendor And Vsa Set Definition

    To facilitate this, we recommend that you prefix the vendor name to each attribute name, such as “widget-encryption” for an encryption-related attribute for the vendor Widget. This also makes accounting logs easier to understand. User Guide for Cisco Secure ACS for Windows Server D-35. D-36. Table D-8 lists...
  • Page 752: Attribute Definition

    VSA set section. Table D-8 lists the valid keys for an attribute definition section. User Guide for Cisco Secure ACS for Windows Server D-36 78-16592-01...
  • Page 753 Several attributes can reference the same Note section enumeration section. For more information, see name Enumeration Definition, page User Guide for Cisco Secure ACS for Windows Server User-Defined RADIUS Vendors and VSA Sets Accounting Logs, page 11-6. D-38. D-37...
  • Page 754: Enumeration Definition

    Enums key, thus allowing for reuse of common enumeration definitions. An enumeration definition section can have up to 1000 keys. Table D-10 lists the valid keys for an enumeration definition section. User Guide for Cisco Secure ACS for Windows Server D-38 78-16592-01...
  • Page 755: Example Radius Vendor/Vsa Import File

    Cisco Secure ACS uses these string values in the HTML interface. For example, if 0 through 4 are valid integer values for a given attribute, its enumeration definition would contain the following: value0 value1 value2 value3 value4 User Guide for Cisco Secure ACS for Windows Server D-39...
  • Page 756: Pac File Generation

    Authentication, page This section contains the following topics: PAC File Options and Examples, page D-41 • Generating PAC Files, page D-43 • User Guide for Cisco Secure ACS for Windows Server D-40 Appendix D 10-13. CSUtil Database Utility EAP-FAST 78-16592-01...
  • Page 757: Pac File Options And Examples

    -u username—CSUtil.exe generates a PAC file for the user specified by name (username). For example, if you ran CSUtil.exe -t -u seaniemop, CSUtil.exe would generate a single PAC file, named User Guide for Cisco Secure ACS for Windows Server PAC File Generation seaniemop.pac ENIGINEERING\augustin ENGINEERING_augustin.pac...
  • Page 758
    – Contain numbers in addition to letters.
    – Contain no common words or names.
    seaniemop.pac jwiedman.pac
    We recommend that you use a password you devise rather than the default password.
  • Page 759: Generating Pac Files

    About PACs, page PAC File Options and Examples, page additional arguments would be seaniemop seaniemop.pac ENGINEERING\augustin User Guide for Cisco Secure ACS for Windows Server PAC File Generation 10-17. D-41, to determine and a PAC file for the would be D-43...
  • Page 760: Posture Validation Attributes

    Use a semi-colon to identify lines that are comments. User Guide for Cisco Secure ACS for Windows Server D-44 Chapter 14, “Network Admission Default Posture Validation D-52.
  • Page 761 The vendor number should be the number assigned to the vendor in the example, vendor ID 9 corresponds to Cisco Systems, Inc. 78-16592-01 shows an example of a posture validation attribute definition,...
  • Page 762 ID and application ID specified. Note User Guide for Cisco Secure ACS for Windows Server D-46 The vendor name cannot differ for each attribute that shares the same vendor ID. For example, you cannot add an attribute with a vendor-id of 9 if the vendor-name is not “Cisco”.
  • Page 763 Valid values of attribute-type are:
    – boolean
    – string
    – integer
    – unsigned integer
    – ipaddr
    ..., the attribute-type determines the types of operators available for...
  • Page 764: Exporting Posture Validation Attribute Definitions

    If you are prompted to confirm overwriting a file with the same path and name that you specified in • To overwrite the file, type Y and press Enter. User Guide for Cisco Secure ACS for Windows Server D-48 date version octet-array 14-19.
  • Page 765: Importing Posture Validation Attribute Definitions

    D-44. For an example of an attribute definition file, see Exporting Posture Validation Attribute Definitions, page Posture Validation Attribute Definition File, page filename User Guide for Cisco Secure ACS for Windows Server Posture Validation Attributes Step Posture Validation Attribute D-52.
  • Page 766 CSUtil.exe adds or modifies the attributes specified in the file. An example of a successful addition of nine posture validation attributes follows:
    C:.../Utils 21: csutil -addavp myavp.txt
    CSUtil v3.3(1.6), Copyright 1997-2001, Cisco Systems Inc
    Attribute 9876:1:11 (Calliope) added to registry
    Attribute 9876:1:3 (Clio) added to registry...
  • Page 767: Deleting A Posture Validation Attribute Definition

    ID of 9876, an application ID of 1, and an attribute ID of 1. 78-16592-01 Exporting Posture Validation Attribute Definitions, page vendor-ID You can use the -q option to suppress the confirmation prompt. User Guide for Cisco Secure ACS for Windows Server Posture Validation Attributes D-48, to Posture D-44.
  • Page 768: Default Posture Validation Attribute Definition File

    CSUtil v3.3, Copyright 1997-2004, Cisco Systems Inc
    Are you sure you want to delete vendor 9876; application 1; attribute 1? (y/n)
    Vendor 9876; application 1; attribute 1 was successfully deleted
    Step 4 If you are ready to make the attribute deletion take effect, restart the CSAuth and CSAdmin services.
  • Page 769
    [attr#3] vendor-id=9 vendor-name=Cisco application-id=1 application-name=PA attribute-id=00004 attribute-name=PA-Version attribute-profile=in out attribute-type=version
    [attr#4] vendor-id=9 vendor-name=Cisco application-id=1 application-name=PA attribute-id=00005 attribute-name=OS-Type attribute-profile=in out attribute-type=string
    [attr#5] vendor-id=9 vendor-name=Cisco application-id=1 ...
  • Page 770
    [attr#8] vendor-id=9 vendor-name=Cisco application-id=2 application-name=Host attribute-id=00002 attribute-name=System-Posture-Token attribute-profile=out attribute-type=unsigned integer
    [attr#9] vendor-id=9 vendor-name=Cisco application-id=2 application-name=Host attribute-id=00006 attribute-name=ServicePacks attribute-profile=in attribute-type=string
    [attr#10] vendor-id=9 ...
  • Page 771
    [attr#12] vendor-id=9 vendor-name=Cisco application-id=5 application-name=HIP attribute-id=00001 attribute-name=Application-Posture-Token attribute-profile=out attribute-type=unsigned integer
    [attr#13] vendor-id=9 vendor-name=Cisco application-id=5 application-name=HIP attribute-id=00002 attribute-name=System-Posture-Token attribute-profile=out attribute-type=unsigned integer
    [attr#14] vendor-id=9 vendor-name=Cisco application-id=5 application-name=HIP attribute-id=00005 attribute-name=CSAVersion attribute-profile=in attribute-type=version ...
  • Page 772
    [attr#17] vendor-id=9 vendor-name=Cisco application-id=5 application-name=HIP attribute-id=32768 attribute-name=CSAMCName attribute-profile=in attribute-type=string
    [attr#18] vendor-id=9 vendor-name=Cisco application-id=5 application-name=HIP attribute-id=32769 attribute-name=CSAStates attribute-profile=in attribute-type=string
    [attr#19] vendor-id=393 vendor-name=Symantec application-id=3 application-name=AV attribute-id=00001 attribute-name=Application-Posture-Token attribute-profile=out ...
  • Page 773
    [attr#22] vendor-id=393 vendor-name=Symantec application-id=3 application-name=AV attribute-id=00004 attribute-name=Software-ID attribute-profile=in out attribute-type=unsigned integer
    [attr#23] vendor-id=393 vendor-name=Symantec application-id=3 application-name=AV attribute-id=00005 attribute-name=Software-Version attribute-profile=in out attribute-type=version
    [attr#24] vendor-id=393 vendor-name=Symantec application-id=3 application-name=AV attribute-id=00006 ...
  • Page 774
    [attr#27] vendor-id=393 vendor-name=Symantec application-id=3 application-name=AV attribute-id=00009 attribute-name=Protection-Enabled attribute-profile=in out attribute-type=unsigned integer
    [attr#28] vendor-id=393 vendor-name=Symantec application-id=3 application-name=AV attribute-id=00010 attribute-name=Action attribute-profile=out attribute-type=string
    [attr#29] vendor-id=3401 vendor-name=NAI application-id=3 ...
  • Page 775
    [attr#32] vendor-id=3401 vendor-name=NAI application-id=3 application-name=AV attribute-id=00004 attribute-name=Software-ID attribute-profile=in out attribute-type=unsigned integer
    [attr#33] vendor-id=3401 vendor-name=NAI application-id=3 application-name=AV attribute-id=00005 attribute-name=Software-Version attribute-profile=in out attribute-type=version
    [attr#34] vendor-id=3401 ...
  • Page 776
    [attr#37] vendor-id=3401 vendor-name=NAI application-id=3 application-name=AV attribute-id=00009 attribute-name=Protection-Enabled attribute-profile=in out attribute-type=unsigned integer
    [attr#38] vendor-id=3401 vendor-name=NAI application-id=3 application-name=AV attribute-id=00010 attribute-name=Action attribute-profile=out attribute-type=string ...
  • Page 777
    [attr#42] vendor-id=6101 vendor-name=Trend application-id=3 application-name=AV attribute-id=00004 attribute-name=Software-ID attribute-profile=in out attribute-type=unsigned integer
    [attr#43] vendor-id=6101 vendor-name=Trend application-id=3 application-name=AV attribute-id=00005 attribute-name=Software-Version attribute-profile=in out ...
  • Page 778
    [attr#46] vendor-id=6101 vendor-name=Trend application-id=3 application-name=AV attribute-id=00008 attribute-name=Dat-Date attribute-profile=in out attribute-type=date
    [attr#47] vendor-id=6101 vendor-name=Trend application-id=3 application-name=AV attribute-id=00009 attribute-name=Protection-Enabled attribute-profile=in out attribute-type=unsigned integer
    [attr#48] vendor-id=6101 vendor-name=Trend application-id=3 application-name=AV attribute-id=00010 ...
  • Page 779
    [attr#49] vendor-id=10000 vendor-name=out application-id=1 application-name=CNAC attribute-id=00001 attribute-name=Application-Posture-Token attribute-profile=out attribute-type=string
    [attr#50] vendor-id=10000 vendor-name=out application-id=1 application-name=CNAC attribute-id=00002 attribute-name=System-Posture-Token attribute-profile=out attribute-type=string
    [attr#51] vendor-id=10000 vendor-name=out application-id=1 application-name=CNAC attribute-id=00003 attribute-name=Reason attribute-profile=out attribute-type=string ...
  • Page 781: Appendix

    This section describes the steps for processing VPDN requests in a standard environment. A VPDN user dials in to the network access server (NAS) of the regional service provider (RSP). The standard call/point-to-point protocol (PPP) setup is done. A username and password are sent to the NAS in the format username@domain (for example, mary@corporation.us).
  • Page 782 If the domain authorization fails, the NAS assumes the user is not a VPDN user. The NAS then authenticates (not authorizes) the user as if the user is a standard non-VPDN dial user. See User Guide for Cisco Secure ACS for Windows Server VPDN User Dials In E-2.
  • Page 783 (nas_tun). See 78-16592-01 failed User = mary@corporation.us E-4. Authorization reply Tunnel ID = nas_tun IP address = 10.1.1.1 User = mary@corporation.us Figure User Guide for Cisco Secure ACS for Windows Server VPDN Process VPDN user VPDN user E-5.
  • Page 784 HG Authenticates Tunnel with the NAS CHAP challenge Corporation The NAS now uses its ACS to authenticate the tunnel from the HG. See Figure User Guide for Cisco Secure ACS for Windows Server Username = nas_tun Password = CHAP_stuff User = mary@corporation.us E-6.
  • Page 785 HG uses its ACS to authenticate the user. See 78-16592-01 NAS Authenticates Tunnel with ACS VPDN Tunnel is Established CHAP response User Guide for Cisco Secure ACS for Windows Server VPDN Process Username = home_gate Password = CHAP_stuff VPDN user...
  • Page 786 Instead, it passes the user through the existing tunnel to the HG. See Figure E-10, Another User Dials In While Tunnel is Up (figure labels: Corporation; HG Uses ACS to Authenticate User; Username = mary@corporation.us; Password = secret).
  • Page 787: Appendix

    RDBMS synchronization import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of Cisco Secure Access Control Server (ACS) for Windows Server uses a table named “accountActions” as input for automated or manual updates of the CiscoSecure user database.
  • Page 788: Accountactions Format

    SequenceId Priority UserName GroupName Action ValueName Value1 Value2 Value3 DateTime User Guide for Cisco Secure ACS for Windows Server Appendix F Table F-1 also reflects the order in which the fields F-4. An Example of accountActions, Size (Max. Type Length)
  • Page 789: Accountactions Mandatory Fields

    Used to number related transactions for audit purposes. String RESERVED by CSDBSync. String The type of configuration parameter to change. Number TRI-STATE:0=not processed, 1=done, 2=failed. This should normally be set to 0. User Guide for Cisco Secure ACS for Windows Server accountActions Specification...
  • Page 790: Accountactions Processing Order

    For more information about the mnemonic names of accountActions fields, see accountActions Mandatory Fields, page User Guide for Cisco Secure ACS for Windows Server Appendix F Table F-1. For more information about the mandatory fields, see F-3.
  • Page 791: Action Codes For Setting And Deleting Values

    Cisco representative, you can only use these action codes for assigning values to user-defined fields (see Attributes, page 78-16592-01 Table F-2, instruct RDBMS Synchronization to assign a F-32). User Guide for Cisco Secure ACS for Windows Server Action Codes Table F-2. User-Specific...
  • Page 792 Name Required SET_VALUE UN|GN, AI, VN, V1, V2 DELETE_VALUE UN|GN, AI, User Guide for Cisco Secure ACS for Windows Server Appendix F RDBMS Synchronization Import Definitions Description Sets a value (V1) named (VN) of type (V2) for App ID (AI).
  • Page 793: Action Codes For Creating And Modifying User Accounts

    CHAP/ARAP will also default to this. UN, V1 Sets the CHAP/ARAP password for a user (64 characters maximum). UN, V1 Sets the CHAP/ARAP password for a user (32 characters maximum). User Guide for Cisco Secure ACS for Windows Server Action Codes...
  • Page 794 User Creation and Modification Action Codes (continued) Action Code Name SET_T+_ENABLE_ PASS SET_GROUP User Guide for Cisco Secure ACS for Windows Server Appendix F Required Description UN, VN, Sets the TACACS+ enable password (V1) (32 V1, V2, characters maximum) and Max Privilege level (V2) (0-15).
  • Page 795
    • PASS_STATUS_EXPIRES—Password expires on a given date.
    • PASS_STATUS_NEVER—Password never expires.
    • PASS_STATUS_WRONG—Password expires after a given number of login attempts using the wrong password.
    • PASS_STATUS_DISABLED—The account has been disabled.
  • Page 796 Name ADD_PASS_STATUS SET_PASS_EXPIRY_ WRONG SET_PASS_EXPIRY_ DATE SET_MAX_SESSIONS UN|GN, User Guide for Cisco Secure ACS for Windows Server F-10 Appendix F Required Description UN, V1 Defines how a password should be expired by Cisco Secure ACS. To set multiple password states for a user, use multiple instances of this action.
  • Page 797 12:01 A.M. on the first of the month until midnight on the last day of the month. • QUOTA_PERIOD_ABSOLUTE—The quota is enforced on an ongoing basis, without an end.
  • Page 798 User Creation and Modification Action Codes (continued) Action Code Name DISABLE_QUOTA RESET_COUNTERS SET_QUOTA_APPLY_ TYPE User Guide for Cisco Secure ACS for Windows Server F-12 Appendix F Required Description UN|GN, Disables a group or user usage quota. VN defines the quota type. Valid values are: online time—The quota limits the user or group by...
  • Page 799 271 to add DCS to NDG mappings for the user or group. Changing a user or group assignment type (V1) Note results in clearing previous data, including NDG to DCS mappings (defined by action 271). User Guide for Cisco Secure ACS for Windows Server Action Codes F-13...
  • Page 800: Action Codes For Initializing And Modifying Access Filters

    Action Codes for Initializing and Modifying Access Filters Table F-4 filters. AAA client access filters control Telnet access to a AAA client. Dial access filters control access by dial-up users. User Guide for Cisco Secure ACS for Windows Server F-14 Appendix F Required...
  • Page 801 Optionally, the AAA client name can be “All AAA clients” to specify that the filter applies to all configured AAA clients and an asterisk (*) to represent all ports. User Guide for Cisco Secure ACS for Windows Server Action Codes Management”. For more F-15...
  • Page 802 Action Code Name ADD_DIAL_ACCESS_ FILTER SET_TOKEN_CACHE_ SESSION SET_TOKEN_CACHE_ TIME User Guide for Cisco Secure ACS for Windows Server F-16 Appendix F RDBMS Synchronization Import Definitions Required Description UN|GN, Adds a dial-up filter for the user|group. V1, V2 V1 should contain one of the following values: Calling station ID •...
  • Page 803 “0” represents an hour that is denied. If this parameter is not specified for a user, the group setting applies. The default group setting is “111111111111” and so on. User Guide for Cisco Secure ACS for Windows Server Action Codes F-17...
  • Page 804 Action Codes for Initializing and Modifying Access Filters (continued) Action Code Name SET_STATIC_IP SET_CALLBACK_NO User Guide for Cisco Secure ACS for Windows Server F-18 Appendix F RDBMS Synchronization Import Definitions Required Description UN, V1, V2 Configures the (TACACS+ and RADIUS) IP address assignment for this user.
  • Page 805: Action Codes for Modifying TACACS+ and RADIUS Group and User Settings

    For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair: VN = "Vendor-Specific", V2 = "9", V3 = "1". For more information, see Chapter 6, “User Group Management”.
  • Page 806 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued). ADD_RADIUS_ATTR (Required: UN|GN, VN, V1): Adds to the attribute named (VN) the value (V1) for the user/group (UN|GN).
  • Page 807 V1 = "ppp", V2 = "ip"; UN = "fred", V1 = "ppp", V2 = "ip"; UN = "fred", V1 = "exec". This also resets the valid attributes for the service.
  • Page 808 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued). Action codes: ADD_TACACS_ATTR, REMOVE_TACACS_ATTR. ADD_TACACS_ATTR (Required: UN|GN, ...): Sets a service-specific attribute. The service must...
  • Page 809 UN = "fred", VN = "configure". Users of Group 1 can no longer use the Cisco IOS telnet command. User fred can no longer use the configure command.
  • Page 810 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued). Action codes: ADD_IOS_COMMAND_ARG, REMOVE_IOS_COMMAND_ARG. ADD_IOS_COMMAND_ARG (Required: UN|GN, VN, V1, V2): Specifies a set of command-line arguments that are either permitted or denied for the Cisco IOS command contained in VN.
  • Page 811: Action Codes for Modifying Network Configuration

    GN = name of group; V1 = ENABLE or DISABLE. Table F-6 lists the action codes for adding AAA clients, AAA servers, network ...
  • Page 812 Table F-6 Action Codes for Modifying Network Configuration. ADD_NAS (Required: VN, V1, ...): Adds a new AAA client (named in VN) with an IP...
  • Page 813 Adds a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and the enterprise code for the vendor (V3). (Required: VN, V1, V2) Adds a new AAA server named (VN) with IP address (V1), shared secret key (V2). (Required: VN, V1...)
  • Page 814 Action codes: SET_AAA_TRAFFIC_TYPE, DEL_AAA_SERVER, ADD_PROXY, ADD_PROXY_TARGET, DEL_PROXY. SET_AAA_TRAFFIC_TYPE (Required: VN, V1): Sets the appropriate traffic type (V1) for the named AAA server (VN): TRAFFIC_TYPE_INBOUND...
  • Page 815 ...MODULES, ADD_UDV. Creates a network device group (NDG) named (VN). Deletes the named NDG. Adds to the named AAA client/AAA server (VN) the NDG (V1). Restarts the CSRadius and CSTacacs services to apply new settings.
  • Page 816 Action Codes for Modifying Network Configuration (continued). Action codes: DEL_UDV, ADD_VSA. DEL_UDV: Removes the vendor with the IETF code specified in V1 and any defined VSAs.
  • Page 817 V3 contains the VSA Enum Value. Example: VN = Disabled, V1 = 9034, V2 = MyCo-Encryption, V3 = 0; VN = Enabled, V1 = 9034, V2 = MyCo-Encryption, V3 = 1.
  • Page 818: Cisco Secure ACS Attributes and Action Codes

    Some features are processed only if they have a value assigned to them. For more information about action codes, see ...
  • Page 819 String, 168 characters; Bool, enabled; Bool, permit/deny; ACL String (see Table F-4), 0-31 KB; Default “Default Group”, F-3; LIBRARY_CSDB, F-3; PASS_TYPE_CSDB (password is cleartext PAP), F-3.
  • Page 820 You can configure Cisco Secure ACS to include UDAs on accounting logs about user activity. For more information about configuring UDAs, see Configuration Options, page ... Logical Type...
  • Page 821 Engineering 949-555-1111 ... lists the attributes that define a Cisco Secure ACS group, including their Action Codes, page F-4. Value2 (V2), AppId (AI), TYPE_STRING, APP_CSAUTH...
  • Page 822: An Example of accountActions

    VoIP Support. An Example of accountActions: Table F-10 ... the action codes described in ... along with his passwords, including a TACACS_ Enable password with privilege ... Logical Type, Limits: Unsigned short...
  • Page 823 PASS_STATUS_NEVER, PASS_STATUS_WRONG, PASS_STATUS_EXPIRES, 19991231 (columns Value3 (V3), AppId (AI))...
  • Page 824 Group 2; Group 2; Group 2, Reply-Message; Group 2, Vendor-Specific (columns Value1 (V1), Value2 (V2)); ACCESS_PERMIT...
  • Page 825: Appendix G, Internal Architecture

    Internal Architecture. This chapter describes the Cisco Secure ACS for Windows Server architectural components. It includes the following topics: Windows Services, page G-1; Windows Registry, page G-2; CSAdmin, page G-2; CSAuth, page G-3; CSDBSync, page G-4; ...
  • Page 826: CSAdmin

    CSAdmin CSAdmin is the service that provides the web server for the Cisco Secure ACS HTML interface. After Cisco Secure ACS is installed, you must configure it from its HTML interface; therefore, CSAdmin must be running when you configure Cisco Secure ACS.
  • Page 827: CSAuth

    HTML interface, this does not include starting or stopping CSAdmin. If CSAdmin stops abnormally because of an external action, you cannot access Cisco Secure ACS from any computer other than the Windows server on which it is running. You can start or stop CSAdmin from Windows Control Panel.
  • Page 828: CSDBSync

    CSDBSync is the service used to synchronize the Cisco Secure ACS database with third-party relational database management systems (RDBMS). CSDBSync synchronizes AAA client, AAA server, network device group (NDG) and Proxy Table information with data from a table in an external relational database.
  • Page 829: Monitoring

    Additionally, it records whether retries were necessary to achieve a successful response. By tracking the average time for each test authentication, CSMon can...
  • Page 830: Recording

    ...build up a “picture” of expected response time on the system in question. CSMon can therefore detect whether excess retries are required for each authentication or if response times for a single authentication exceed a percentage threshold over the average. Logging to the Windows Event Log is enabled by default but can be disabled.
  • Page 831: Notification

    These actions include running the CSSupport utility, which captures most of the parameters dealing with the state of the system at the time of the event. See Monitoring, page G-5. These events are...
  • Page 832: CSTacacs and CSRadius

    For more information about TACACS+ AV pairs, see Appendix B, “TACACS+ Attribute-Value Pairs”. For more information about RADIUS AV pairs, see Appendix C, “RADIUS Attributes”.
  • Page 833 Index: See administrative access policies accountActions table account disablement Account Disabled check box manual resetting setting options for 4-26 4-21 1-32 1-29 1-29 9-29, 9-31...
  • Page 834 See also administrators configuring 12-14 limits 12-11 options 12-12 overview 2-15 administrative sessions and HTTP proxy network environment limitations of session policies through firewalls through NAT (network address administrators See also Administration Audit log...
  • Page 835 13-5 scheduled vs. manual scheduling vs. replication with CSUtil.exe attributes) C-14 8-10 8-10 8-13 8-15 8-10 8-12 8-11 8-11 8-12 9-10...
  • Page 836 10-50 self-signed certificates configuring 10-49 14-6 overview 10-47 server certificate installation updating certificate CHAP compatible databases in User Setup protocol supported Cisco IOS...
  • Page 837 CSNTFindUser CSNTgroups CSNTpasswords CSNTresults CSNTusernames 5-26 CSRadius CSTacacs CSUtil.exe decoding error numbers with 9-29, G-4 11-32 13-65, 13-67, 13-68 13-62 13-65, 13-67, 13-68 13-63 13-64 13-65, 13-67, 13-68 13-65, 13-67...
  • Page 838 16-1 overview 16-1 Database Replication log CSV (comma-separated values) file directory 11-16 viewing 11-18 databases See also external user databases authentication search process CiscoSecure user database compacting deleting deployment considerations...
  • Page 839 16-6 configuring default entry enabling in interface distribution table See Proxy Distribution Table DNIS-based filters documentation conventions objectives online related 9-45 A-10 13-10 11-12 11-9 15-3 4-34 5-18 xxxi xxix...
  • Page 840 EAP (Extensible Authentication Protocol) overview 1-13 with Windows authentication EAP-FAST compatible databases 1-10 enabling identity protection logging master keys definition 15-7 states...
  • Page 841 AAA groups multiple instances 11-19 organizational units and groups 11-16 11-23 11-18 7-55 1-23 13-32 13-43 13-37 13-34...
  • Page 842 16-5 no access groups 16-5 overriding settings relationship to users renaming 6-55 resetting usage quota counters for settings for callback options configuration-specific 13-9, 13-26 configuring common device management command enable privilege...
  • Page 843 IP pools 1-14 overview replicating IP pools user IP addresses LAN manager latency in networks 7-10 groups 6-28 9-51 9-50 9-45 9-48 9-45, 9-47 9-47 9-49...
  • Page 844 11-33 Disabled Accounts reports 11-9 domain names 11-3 external user databases 11-3 Failed Attempts logs 11-6 formats Logged-In Users reports ODBC logs enabling in interface 13-76 overview working with overview...
  • Page 845 Certificate Trust List credentials about definition databases configuring default database 8-19 8-18 1-10 10-26 1-13 1-11 16-5 4-12 14-11 D-44 14-19 D-44...
  • Page 846 16-13 returned by local policies Unknown User Policy 15-10 NAFs See network access filters See network access restrictions See AAA clients See network device groups See Novell NDS user databases...
  • Page 847 CHAP authentication sample configuring data source names DSN (data source name) configuration EAP-TLS authentication sample features supported group mappings group specifications CHAP 13-50 13-52 1-10 13-50 13-51 9-32 13-60 13-60 13-55...
  • Page 848 Cisco Secure ACS automatic provisioning 10-18 definition 10-17 manual provisioning 10-20 refresh 10-21 compatible databases in User Setup vs. ARAP 13-62 vs. CHAP Passed Authentications log configuring CSV (comma-separated...
  • Page 849 See HTTP port allocation ports See also HTTP port allocation See also port 2002 RADIUS TACACS+ posture validation See also NAC request handling 10-11 12-13 1-6, 1-7 15-11...
  • Page 850 4-38 editing entries 4-37 match order sorting 4-36 overview 4-34 quotas See network access quotas See usage quotas RADIUS See also RADIUS VSAs (vendor specific attributes See also RADIUS VSAs (vendor specific...
  • Page 851 Juniper in Group Setup in User Setup supported attributes Microsoft in Group Setup in User Setup supported attributes Nortel in Group Setup 7-52 C-14 6-40 3-17 7-39 6-44 7-44 6-46...
  • Page 852 9-40 network configuration 9-28 overview 9-26 partners 9-39 preparing to use 9-33 report and error handling scheduling options user-related configuration Registry rejection mode general posture validation Windows user databases...
  • Page 853 System Configuration overview performing reports with CSUtil.exe RFC2138 RFC2139 RSA user databases configuring group mappings 11-13 1-29 11-6 15-5 15-11 15-6 8-16 8-16 8-15 8-14 8-14...
  • Page 854 11-32 management 8-17 overview 1-4, G-1 starting stopping session policies configuring 12-17 options 12-16 overview 12-16 15-15 shared profile components See also command authorization sets See also downloadable IP ACLs...
  • Page 855 SENDAUTH 1-15 settings in Group Setup 6-2, 6-31 in User Setup 7-22, 7-23 specifications 1-29 7-35 7-33 7-37...
  • Page 856 6-21 test login frequency internally thread used time-of-day/day-of-week specification See also date format control enabling in interface timeout values on AAA clients TLS (transport level security) See certification...
  • Page 857 User Password Changes log location users 15-8 See also User Setup adding 15-13 basic steps methods assigning client IP addresses to assigning to a group 6-14 7-18 1-18 6-55 7-58 1-16 13-25 11-17...
  • Page 858 7-60 supplementary information troubleshooting A-20 types discovered 15-3 known 15-2 unknown 15-3 VPDN dialup User Setup account management tasks 7-54 basic options configuring deleting user accounts 7-57 saving settings 7-60...
  • Page 859 4-18 limitations 4-25 no access groups remapping mapping database groups to AAA overview password aging 13-10 13-10 13-10 13-10 15-7 13-13, 13-14, 15-6 13-26 13-30 13-27 16-9...
  • Page 860 passwords 1-11 rejection mode 15-6 request handling 15-6 trust relationships 13-9 user-changeable passwords 13-25 user manager 13-26 wireless network topologies...
