Cisco Servers User Manual

For Windows 2000/NT Servers

Cisco Secure ACS 3.0 for Windows
2000/NT Servers User Guide
November 2001
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel:
408 526-4000
800 553-NETS (6387)
Fax:
408 526-4100
Customer Order Number: DOC-7813751=
Text Part Number: 78-13751-01


Summary of Contents for Cisco Servers

  • Page 1 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide November 2001 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7813751= Text Part Number: 78-13751-01...
  • Page 2: Version

    ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Discover All That’s Possible are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst,...
  • Page 3 Cisco TAC Web Site xxxiv Cisco TAC Escalation Center xxxv Cisco Secure ACS Windows Services Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide C O N T E N T S...
  • Page 4: Table Of Contents

    About the Cisco Secure ACS HTML Interface HTML Interface Layout Uniform Resource Locator for the HTML Interface Network Environments and Remote Administrative Sessions Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide TACACS+ RADIUS Authentication Considerations Authentication and User Databases...
  • Page 5 Security Policy 2-14 Administrative Access Policy 2-14 Separation of Administrative and General Users Database 2-17 Number of Users 2-17 Type of Database 2-17 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 1-25 1-26 1-27 1-28 2-11 2-16...
  • Page 6 Protocol Configuration Options for RADIUS Setting Up and Managing Network Configuration C H A P T E R About Distributed Systems Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Network Speed and Reliability 2-18 User-to-Group Relationship Per-User or Per-Group Features...
  • Page 7 4-15 4-20 4-20 4-21 4-24 4-25 Adding a New Proxy Distribution Table Entry Sorting the Character String Match Order of Distribution Entries Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 4-16 4-18 4-22 4-23 4-23 4-25 4-26...
  • Page 8 Setting Up and Managing User Groups C H A P T E R User Group Setup Features and Functions Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide viii Editing a Proxy Distribution Table Entry Deleting a Proxy Distribution Table Entry...
  • Page 9 Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group 78-13751-01, Version 3.0 Varieties of Password Aging Supported by Cisco Secure ACS Password Aging Feature Settings 6-38 6-39 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 6-11 6-13 6-15 6-17 6-18...
  • Page 10 User Setup Features and Functions About User Databases Basic User Setup Options Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Configuring Microsoft RADIUS Settings for a User Group Configuring Nortel RADIUS Settings for a User Group Configuring Juniper RADIUS Settings for a User Group...
  • Page 11 Setting Juniper RADIUS Parameters for a User Setting BBSM RADIUS Parameters for a User Setting Custom RADIUS Attributes for a User 7-51 7-51 7-52 7-53 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 7-23 7-24 7-26 7-29 7-31...
  • Page 12 Service Control Logging Date Format Control Password Validation CiscoSecure Database Replication Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Deleting a User Account 7-54 Resetting User Session Quota Counters Resetting a User Account after Login Failure Saving User Settings...
  • Page 13 8-29 Preparing for CSV-Based Synchronization 8-33 RDBMS Setup Options 8-34 Synchronization Scheduling Options Synchronization Partners Options 8-40 8-40 8-41 8-41 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 8-17 8-23 8-23 8-25 8-26 8-29 8-30 8-31 8-34...
  • Page 14 Adding a New IP Pool Editing an IP Pool Definition Resetting an IP Pool Deleting an IP Pool IP Pools Address Recovery Enabling IP Pool Address Recovery Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 8-41 8-45 8-45 8-47 8-49...
  • Page 15 Adding a New CA Certificate to Local Certificate Storage 8-73 Accounting Logs TACACS+ Accounting Log TACACS+ Administration Log RADIUS Accounting Log VoIP Accounting Log Failed Attempts Log Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 8-61 8-63 8-64 8-71 8-72 8-72 Contents...
  • Page 16 About Remote Logging Remote Logging Options Configuring a Central Logging Server Enabling and Configuring Remote Logging Disabling Remote Logging Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Passed Authentications Log 9-10 Logged-In Users Report 9-11 Disabled Accounts Report...
  • Page 17 11-2 11-4 Authenticating with External User Databases 11-6 The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases 11-7 Trust Relationships 11-8 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 10-1 10-6 10-7 10-9 11-5 xvii...
  • Page 18 Cisco Secure ACS Authentication Process with an ODBC External User Database Preparing to Authenticate Users with an ODBC-Compliant Relational Database Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xviii About the Windows NT/2000 Dial-up Networking Client About the Windows 95/98/Millennium Edition Dial-up Networking...
  • Page 19 Token Server RADIUS Authentication Request and Response Contents 11-50 Configuring a RADIUS Token Server External User Database About Token Servers with Proprietary Interfaces Configuring a SafeWord Token Server External User Database Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 11-33 11-34 11-36 11-38...
  • Page 20 Administering External User Databases C H A P T E R Unknown User Processing Database Group Mappings Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Configuring an AXENT Token Server External User Database AXENT 11-55 Configuring an RSA SecurID Token Server External User Database...
  • Page 21 Deleting a Windows NT/2000 Domain Group Mapping Configuration 12-19 Changing Group Set Mapping Order RADIUS-Based Group Specification A-11 A-12 A-13 A-13 A-14 A-15 A-16 A-16 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents 12-14 12-15 12-20 12-21 A-18...
  • Page 22 Microsoft MPPE Dictionary of RADIUS VSAs Ascend Dictionary of RADIUS AV Pairs Nortel Dictionary of RADIUS VSAs Juniper Dictionary of RADIUS VSAs Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxii System Monitored Events TACACS+ AV Pairs TACACS+ Accounting AV Pairs...
  • Page 23 UPDATE Statements E-18 DELETE Statements E-20 ADD_NAS Statements E-20 DEL_NAS Statements E-22 Import File Examples E-22 E-23 E-25 E-26 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide E-10 E-11 E-13 E-13 E-15 E-15 E-16 E-24 E-25 Contents xxiii...
  • Page 24 ODBC Import Definitions A P P E N D I X accountActions Table Specification Action Codes Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxiv About User-Defined RADIUS Vendors and VSA Sets Adding a Custom RADIUS Vendor and VSA Set...
  • Page 25 Action Code for Deleting the CiscoSecure User Database User-Specific Attributes G-31 User-Defined Attributes G-34 Group-Specific Attributes G-34 G-36 Windows NT/2000 Services Windows NT/2000 Registry Monitoring Recording Sample Scripts H-10 Configuration H-10 H-11 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Contents G-31 G-31...
  • Page 26 Contents Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxvi 78-13751-01, Version 3.0...
  • Page 27: Who Should Read This Guide

    Preface This section discusses the objectives, audience, and organization of the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 User Guide. Document Objectives The objective of this document is to help you configure and use the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) software and its features and utilities.
  • Page 28: How This Guide Is Organized

    Chapter 10, “Setting Up and Managing Administrators and Policy.” • and procedures for establishing and maintaining Cisco Secure ACS administrators. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxviii Preface An overview of A guide to deploying the...
  • Page 29: System Messages

    A list and explanation of most system A list of supported RADIUS AV pairs A list of ODBC import Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide How This Guide is Organized Concepts and procedures for Concepts and...
  • Page 30: Conventions Used in This Guide

    To see translated versions of the warning, refer to the Regulatory Compliance and Safety document that accompanied the device. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Meaning Introduces new or important terminology and variable input for commands.
  • Page 31: Related Documentation

    Windows 2000/NT Servers User Guide. We recommend that you read Release Notes for Cisco Secure Access Control Server Version 3.0 for Windows 2000/NT Servers. While a printed copy of this document comes with Cisco Secure ACS, check Cisco.com for the latest version.
  • Page 32: Obtaining Documentation

    Obtaining Documentation Obtaining Documentation The following sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com Translated documentation is available at the following URL: http://www.cisco.com/public/countries_languages.shtml...
  • Page 33: Documentation Feedback

    Streamline business processes and improve productivity • Resolve technical issues with online support • • Download and test software packages 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Obtaining Technical Assistance xxxiii...
  • Page 34 The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL: http://www.cisco.com/tac Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxxiv Preface 78-13751-01, Version 3.0...
  • Page 35 Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxxv 78-13751-01, Version 3.0...
  • Page 36 Preface Obtaining Technical Assistance Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide xxxvi 78-13751-01, Version 3.0...
  • Page 37 Overview of Cisco Secure ACS This chapter provides an overview of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). It contains the following sections: The Cisco Secure ACS Paradigm, page 1-1 • Cisco Secure ACS Specifications, page 1-2 •...
  • Page 38 Cisco Secure ACS Specifications This section provides information about Cisco Secure ACS performance specifications and the Windows services that compose Cisco Secure ACS. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide A Simple AAA Scenario AAA client Figure 1-1...
  • Page 39 Cisco Secure ACS can perform many more authentications per second if it is running on a 1.4-GHz Pentium IV server with Windows 2000 Server on a 1 GB ethernet backbone than it can if it is running on a 200-MHz Pentium II server with Windows NT 4.0 on a 10 MB LAN.
  • Page 40: AAA Server Functions and Concepts

    • AAA Protocols—TACACS+ and RADIUS, page 1-5 Authentication, page 1-7 • Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Chapter 1 H-1. The Cisco Secure ACS services on “Service Control” section on page Overview of Cisco Secure ACS “Cisco Secure ACS...
  • Page 41: Cisco Secure ACS and the AAA Client

    Cisco Secure ACS can use both the TACACS+ and RADIUS AAA protocols. Table 1-1 on page 1-6 78-13751-01, Version 3.0 provides a comparison of the two protocols. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Server Functions and Concepts...
  • Page 42: TACACS+

    To support both the older and newer RFCs, Cisco Secure ACS accepts authentication requests on port 1645 and port 1812. For accounting, Cisco Secure ACS accepts accounting packets on port 1646 and 1813. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide TACACS+ and RADIUS Protocol Comparison RADIUS...
  • Page 43: Authentication

    The more authorization privileges granted to a user, the stronger the authentication should be. Cisco Secure ACS supports this fundamental relationship by providing various methods of authentication. 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Server Functions and Concepts E-27.
  • Page 44: Authentication Considerations

    Novell NetWare Directory Services (NDS) • • Open Database Connectivity (ODBC)-compliant relational databases CRYPTOCard token server • • SafeWord token server Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Chapter 1 Overview of Cisco Secure ACS 78-13751-01, Version 3.0...
  • Page 45 AXENT Safeword 78-13751-01, Version 3.0 Table 1-2 provides a reference of the password protocols MS-CHAP CHAP ARAP Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Server Functions and Concepts “Passwords” section on MS-CHAP EAP- EAP- LEAP CHAP...
  • Page 46: Passwords

    In the case of token servers, Cisco Secure ACS acts as a client to the token server, either using its proprietary API or its RADIUS interface, depending on the token server.
  • Page 47 MS-CHAP provides additional failure codes in the Failure packet Message • field. For more information on MS-CHAP, refer to RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support. 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Server Functions and Concepts 1-11...
  • Page 48 Token caching—When token caching is enabled, ISDN users can connect (for a limited time) a second B Channel using the same OTP entered during original authentication. For greater security, the B-Channel authentication Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-12 Chapter 1 Overview of Cisco Secure ACS 78-13751-01, Version 3.0...
  • Page 49 The Windows NT/2000-based password aging feature enables you to control the following password aging parameters: Maximum password age in days • Minimum password age in days • 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Server Functions and Concepts “Enabling Password 6-20. 1-13...
  • Page 50: Other Authentication-Related Features

    Ability for external users to authenticate via an enable password (see the “Setting TACACS+ Enable Password Options for a User” section on page Proxy of authentication requests to other AAA servers (see the • Distributed Systems” section on page Configurable character string stripping from proxied authentication requests •...
  • Page 51: Authorization

    In either case, Cisco Secure ACS can be used for each end of the VPDN. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-15 78-13751-01, Version 3.0...
  • Page 52: Max Sessions

    ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the user’s quota. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-16 Chapter 1 Overview of Cisco Secure ACS 78-13751-01, Version 3.0...
  • Page 53: Other Authorization-Related Features

    “Setting Network Access Restrictions for a User Group” section on 6-7) 3-4) “Enabling VoIP Support for a User Group” section 6-4) Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Server Functions and Concepts 6-1) “Setting Options for 7-21) “Setting...
  • Page 54: Other Accounting-Related Features

    In addition to the accounting-related features discussed in this section, the following features are provided by Cisco Secure ACS: • Centralized logging, allowing several Cisco Secure ACS servers to forward their accounting data to a remote Cisco Secure ACS server (see the Logging” section on page Configurable supplementary user ID fields for capturing additional •...
  • Page 55: HTTP Port Allocation for Remote Administrative Sessions

    HTTP port. For information about configuring the HTTP port allocation feature, see the “Access Policy” section on page 10-10. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-19 78-13751-01, Version 3.0...
  • Page 56: Network Device Groups

    With a network device group (NDG), you can view and administer a collection of AAA clients and AAA servers as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group.
  • Page 57: Cisco Secure ACS HTML Interface

    78-13751-01, Version 3.0 “Cisco Secure ACS Command-Line Database E-1) 8-24) “CiscoSecure Database Replication” 8-6) “Cisco Secure ACS System Restore” 8-45) Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Cisco Secure ACS HTML Interface “RDBMS Synchronization” section 8-40) 1-21...
  • Page 58: HTML Interface Layout

    – – – – – Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-22 User Setup—Add and edit user profiles Group Setup—Configure network services and protocols for groups of users Shared Profile Components—Add and edit network access restriction and command authorization sets, to be applied to users and groups Network Configuration—Add and edit network access devices and...
  • Page 59 Cisco Secure ACS displays an error message here. The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly. 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Cisco Secure ACS HTML Interface 1-23...
  • Page 60: Uniform Resource Locator for the HTML Interface

    If the browser used for a remote administrative session is configured to use a proxy server, Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than the actual address of the remote workstation. Remote administrative session tracking assumes each browser resides on a workstation with a unique IP.
  • Page 61: Remote Administrative Sessions Through Firewalls

    We have not tested such a configuration and do not recommend implementing it. 78-13751-01, Version 3.0 “HTTP Port Allocation for Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Cisco Secure ACS HTML Interface 1-19. “HTTP Port Allocation for 1-19.
  • Page 62: Accessing the HTML Interface

    HTTP port left open to support the administrative session. To log off the Cisco Secure ACS HTML interface, click the Logoff button. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-26 Chapter 1 Overview of Cisco Secure ACS “Uniform Resource Locator for the HTML...
  • Page 63: Online Help and Online Documentation

    Back to Help icon. If you have accessed the online documentation by clicking a Section Information icon and want to view the online help page again, click the Back to Help icon. 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Cisco Secure ACS HTML Interface 1-27...
  • Page 64: Using the Online Documentation

    Scroll through the index to find an entry for the topic you are researching. Use the lettered shortcut links to jump to a particular section of the index. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-28 Chapter 1 Overview of Cisco Secure ACS 78-13751-01, Version 3.0...
  • Page 65 Step 4 To print the online documentation, click in the display area, and then click Print in your browser’s navigation bar. 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Cisco Secure ACS HTML Interface 1-29...
  • Page 66 Chapter 1 Overview of Cisco Secure ACS Cisco Secure ACS HTML Interface Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 1-30 78-13751-01, Version 3.0...
  • Page 67: Chapter 2 Deploying Cisco Secure ACS

    Deploying Cisco Secure ACS Deployment of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) can be a complex and iterative process that differs depending on the specific implementation required. This chapter provides insight into many aspects of the deployment process; it is designed not as a one-size-fits-all procedure, but as a collection of interconnected factors that you should consider before you install Cisco Secure ACS.
  • Page 68: Basic Deployment Requirements for Cisco Secure ACS

    Minimum graphics resolution of 256 colors at 800 x 600 lines • Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Hardware Requirements, page 2-2 Operating System Requirements, page 2-3 Third-Party Software Requirements, page 2-3...
  • Page 69: Third-Party Software Requirements

    Basic Deployment Requirements for Cisco Secure ACS without Microsoft Clustering Services installed with Service Pack 1 or Service Pack 2 installed. without Microsoft Clustering Services installed with Service Pack 1 or Service Pack 2 installed. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide...
  • Page 70: Network Requirements

    Network Topology, page 2-5 Remote Access Policy, page 2-13 • Security Policy, page 2-14 • Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide “Third-Party Software Requirements” section on 2-3. Chapter 2 Deploying Cisco Secure ACS 78-13751-01, Version 3.0...
  • Page 71: Network Topology

    Cisco Secure ACS for AAA, and any database replication is limited to a secondary Cisco Secure ACS as a backup. 78-13751-01, Version 3.0 Basic Deployment Factors for Cisco Secure ACS Figure 2-1 on page Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-6, network architects...
  • Page 72 Figure 2-2 on page 2-7 shows an example of a large dial-in arrangement. In this scenario the addition of a backup Cisco Secure ACS unit is a recommended addition. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 78-13751-01, Version 3.0...
  • Page 73 Figure 2-3 on page 2-8, there may be access servers located in different parts of a city, in different cities, or in different continents. A central Cisco Secure ACS may work if network latency is not an issue, but connection reliability over long distances may cause problems.
  • Page 74: Wireless Network

    WLAN to allow full access for all users, or to provide restricted access to different subnets between sites, buildings, floors, or rooms. This brings up a unique issue with the WLAN: the ability of a user to “roam” between APs. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Chapter 2 Cisco Secure...
  • Page 75 In the larger, geographical distribution of WLANs, deployment of Cisco Secure ACS is similar to that of large regional distribution of dial-up LANs; see Figure 2-3 on page 2-8. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 78-13751-01, Version 3.0...
  • Page 76 2-9. This model may be applicable to a chain of small stores distributed throughout a city or state, nationally, or globally; see Figure 2-6 on page 2-11. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-10 78-13751-01, Version 3.0...
  • Page 77: Remote Access Using VPN

    78-13751-01, Version 3.0 Basic Deployment Factors for Cisco Secure ACS Large Deployment of Small Sites Figure 2-6, the decision where to site Cisco Secure ACS depends Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Figure 2-7 on 2-11...
  • Page 78 (modem/ISDN) and lend themselves to using the AAA model very effectively; see page 2-13. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-12 Simple VPN Configuration VPN concentrator Cisco Secure...
  • Page 79: Remote Access Policy

    78-13751-01, Version 3.0 Basic Deployment Factors for Cisco Secure ACS Enterprise VPN Solution Tunnel Internet Tunnel Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide VPN concentrator Cisco Secure Access Control Server 2-13...
  • Page 80: Security Policy

    The CiscoSecure user database maintains all user IDs, passwords, and privileges. Cisco Secure ACS access policies can be downloaded in the form of ACLs to network access servers such as the Cisco AS5300 Network Access Server, or by allowing access during specific periods, or on specific access servers.
  • Page 81 If this is not a suitable solution, using TACACS+ for administrative (shell/exec) logins, and RADIUS for remote network access, provides sufficient security for the network devices. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-15 78-13751-01, Version 3.0...
  • Page 82: Separation of Administrative and General Users

    15 default group tacacs+ none username line con 0 login authentication console Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-16 ip-address secret-key ip-address secret-key...
  • Page 83: Database

    78-13751-01, Version 3.0 Basic Deployment Factors for Cisco Secure ACS 1-8, or Chapter 11, “Working with User Databases,” Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide “Authentication and User Each database option 2-17...
  • Page 84: Network Speed and Reliability

    Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-18 Chapter 2 Deploying Cisco Secure ACS...
  • Page 85 Configure Network—You control distributed and proxied AAA functions in the Network Configuration section of the HTML interface. From here, you establish the identity, location, and grouping of AAA clients and servers, and determine what authentication protocols each is to employ. For more information, see Configuration.”...
  • Page 86 Cisco Secure ACS is to implement authorization and authentication. For more information, see the Groups” section on page Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-20 Chapter 2 Chapter 5, “Setting Up and Managing Shared Profile “Unknown User Processing”...
  • Page 87 Cisco Secure ACS HTML interface, you can specify the nature and scope of logging that Cisco Secure ACS performs. For more information, see Chapter 9, “Working with Logging and Reports.” 78-13751-01, Version 3.0 Chapter 7, “Setting Up and Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Suggested Deployment Sequence 2-21...
  • Page 88 Chapter 2 Deploying Cisco Secure ACS Suggested Deployment Sequence Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 2-22 78-13751-01, Version 3.0...
  • Page 89: Chapter 3 Setting Up the Cisco Secure ACS HTML Interface

    HTML Interface Ease of use is the overriding design principle of the HTML interface in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator. The Interface Configuration section of Cisco Secure ACS enables you to configure the Cisco Secure ACS HTML interface—you can tailor the interface to simplify the screens you will use...
  • Page 90: Interface Design Concepts

    User level only—Static IP address, password, and expiration • • Group level only—Password aging and time-of-day/day-of-week restrictions Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Chapter 3 Setting Up the Cisco Secure ACS HTML Interface 78-13751-01, Version 3.0...
  • Page 91: User Data Configuration Options

    You can change the title of a field by editing the text in the Field Title box and then clicking Submit. 78-13751-01, Version 3.0 G-34. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide User Data Configuration Options 9-4. For “User-Defined...
  • Page 92: Advanced Options

    Default Time-of-Day/Day-of-Week Specification—When selected, this • feature enables the default time-of-day/day-of-week access settings grid on the Group Setup page. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Chapter 3 Setting Up the Cisco Secure ACS HTML Interface “Shared Network Access Restrictions Configuration”...
  • Page 93 IP Pools—When selected, this feature enables the IP Pools Address • Recovery and IP Pools Server options on the System Configuration page. 78-13751-01, Version. 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Advanced Options 5-7.
  • Page 94: Setting Advanced Options for the Cisco Secure ACS User Interface

    (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers). This feature is useful if you have many devices to administer.
  • Page 95: Protocol Configuration Options for TACACS+

    • to your network configuration. Advanced Configuration Options—In this area you can add more detailed • information for even more tailored configurations. 78-13751-01, Version 3.0 Protocol Configuration Options for TACACS+ Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide...
  • Page 96 This text field enables you to make specialized configurations to be downloaded for a particular service for users in a particular group. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Chapter 3 Setting Up the Cisco Secure ACS HTML Interface...
  • Page 97: Setting Options for TACACS+

    User Setup and Group Setup pages that enables you to permit unknown TACACS+ services, such as CDP. This option should be used by advanced system administrators only. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Protocol Configuration Options for TACACS+...
  • Page 98: Protocol Configuration Options for RADIUS

    RADIUS. If you want to use IETF attribute number 26, the vendor-specific attribute (VSA), select Interface Configuration and then RADIUS for the vendors whose network devices you Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-10 Chapter 3 Setting Up the Cisco Secure ACS HTML Interface 78-13751-01, Version 3.0...
  • Page 99 “Setting Protocol Configuration Options for RADIUS 3-14. “Setting Protocol Configuration Options for RADIUS 3-14. “Setting Protocol Configuration Options for “Setting Protocol Configuration Options for “Setting Protocol Configuration Options for RADIUS 3-17. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-12. 3-15. 3-16. 3-11...
  • Page 100: Setting Protocol Configuration Options for (IETF) RADIUS

    If the Per-user TACACS+/RADIUS Attributes check box in Interface Configuration: Advanced Options is selected, a User check box appears alongside the Group check box for each attribute. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-12 Chapter 3 “Setting Protocol Configuration Options for RADIUS (Nortel)”...
  • Page 101 Result: Each IETF RADIUS attribute that you selected appears as a configurable option on the User Setup or Group Setup page, as applicable. 78-13751-01, Version. 3.0 Protocol Configuration Options for RADIUS Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-13...
  • Page 102: Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX)

    Setting Protocol Configuration Options for RADIUS (Ascend) This procedure enables you to hide or display RADIUS (Ascend) attributes for configuration from other portions of the Cisco Secure ACS HTML interface. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-14 Chapter 3 Setting Up the Cisco Secure ACS HTML Interface 78-13751-01, Version 3.0...
  • Page 103: Setting Protocol Configuration Options For Radius (Cisco Vpn 3000)

    Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute. 78-13751-01, Version. 3.0 Each attribute selected must be supported by your RADIUS network devices. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Protocol Configuration Options for RADIUS 3-15...
  • Page 104: Setting Protocol Configuration Options For Radius (Cisco Vpn 5000)

    If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-16 Chapter 3 Each attribute selected must be supported by the Cisco VPN 3000 Concentrator RADIUS network devices.
  • Page 105: Setting Protocol Configuration Options For Radius (Microsoft)

    Result: The RADIUS (Microsoft) edit page appears. 78-13751-01, Version. 3.0 Each attribute selected must be supported by the Cisco VPN 5000 Concentrator RADIUS network devices. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Protocol Configuration Options for RADIUS 3-17...
  • Page 106: Setting Protocol Configuration Options For Radius (Nortel)

    Step 1 Click Interface Configuration. Click RADIUS (Nortel). Step 2 Result: The RADIUS (Nortel) edit page appears. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-18 Chapter 3 Each attribute selected must be supported by the Microsoft RADIUS VSA.
  • Page 107: Setting Protocol Configuration Options For Radius (Juniper)

    Click RADIUS (Juniper). Step 2 Result: The RADIUS (Juniper) edit page appears. 78-13751-01, Version. 3.0 Each attribute selected must be supported by the Nortel RADIUS VSA. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Protocol Configuration Options for RADIUS 3-19...
  • Page 108: Setting Protocol Configuration Options For Radius (Cisco Bbsm)

    User Setup or Group Setup page. Click Submit at the bottom of the page. Step 4 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 3-20 Chapter 3 Each attribute selected must be supported by the Juniper RADIUS VSA.
  • Page 109: Setting Up And Managing Network Configuration

    Network Device Group table. For more information about this interface configuration, see the Options” section on page AAA Servers—This table lists each AAA server that is configured on the • network together with its IP Address and associated type.
  • Page 110: C H A P T E R 4 Setting Up And Managing Network Configuration

    NDG. If you are using NDGs, the AAA Clients table and AAA Servers table do not appear on the opening page. To configure a AAA client or AAA server, you must click the name of the NDG to which the device is assigned.
  • Page 111: Aaa Servers In Distributed Systems

    Default Distributed System Settings You use both the AAA Servers table and the Proxy Distribution Table to establish distributed system settings. The parameters configured within these tables create the foundation to enable multiple Cisco Secure ACS servers to be configured to 78-13751-01, Version 3.0...
  • Page 112: Proxy In Distributed Systems

    Each table contains a Cisco Secure ACS entry for itself. In the AAA Servers table, the only AAA server initially listed is itself; the Proxy Distribution Table lists an initial entry of (Default), which displays how the local Cisco Secure ACS is configured to handle each authentication request locally.
  • Page 113: Fallback On Failed Connection

    Fallback on Failed Connection You can configure the order in which Cisco Secure ACS checks remote AAA servers upon the failure of the network connection to the primary AAA server. If an authentication request cannot be sent to the first listed server, because of a network failure for example, the next listed server is checked.
  • Page 114: Character String

    Because Mary works in the Los Angeles office, her user profile, which defines her authentication and authorization privileges, resides on the local Los Angeles Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Chapter 4 Setting Up and Managing Network Configuration...
  • Page 115: Remote Use Of Accounting Packets

    You can also choose to have Voice over IP (VoIP) accounting information logged remotely, either appended to the RADIUS Accounting log, in a separate VoIP Accounting log, or both. 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Proxy in Distributed Systems...
  • Page 116: Other Features Enabled By System Distribution

    In this guide we use the term AAA client comprehensively to signify the device through which or to which service access is being attempted. This is the RADIUS or TACACS+ client device, and may comprise network access servers (NASes), PIX Firewalls, routers, or any other RADIUS or TACACS+ hardware/software client.
  • Page 117: Adding And Configuring A Aaa Client

    In the Key box, type the shared secret that the AAA client and Cisco Secure ACS Step 5 use to encrypt the data. 78-13751-01, Version 3.0 This field does not appear if you are configuring an existing AAA client. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Client Configuration...
  • Page 118 RADIUS VSA that you have configured: • TACACS+ (Cisco IOS)—Select this option to use TACACS+, which is the standard choice when using Cisco Systems access servers, routers, and firewalls. RADIUS (Cisco Aironet)—Select this option if the network device is a •...
  • Page 119 If your connection is unreliable, do not use this feature. Note 78-13751-01, Version 3.0 “User-Defined RADIUS Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Client Configuration E-27. 4-11...
  • Page 120: Editing An Existing Aaa Client

    To edit a AAA client, follow these steps: In the navigation bar, click Network Configuration. Step 1 Result: The Network Configuration section opens. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 4-12 Chapter 4 Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services.
  • Page 121 Step 7 Single Connect TACACS+ NAS • • Log Update/Watchdog Packets from this Access Server Log RADIUS tunneling Packets from this Access Server • 78-13751-01, Version 3.0 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide AAA Client Configuration 4-13...
  • Page 122: Deleting A Aaa Client

    To delete the AAA client and have the deletion take effect immediately, click Step 3 Delete + Restart. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 4-14 Chapter 4 Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services.
  • Page 123: Aaa Server Configuration

    To configure distributed system features for a given Cisco Secure ACS server, you must first define the other AAA server(s). If the AAA Servers table does not appear, click Interface Configuration, click Advanced Options, and then select the Distributed System Settings check box.
  • Page 124: Adding And Configuring A Aaa Server

    Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 4-16 Chapter 4 The key is case sensitive. If the keys between the two AAA servers are not identical when authentication is forwarded, the request is incorrectly encrypted and authentication fails.
  • Page 125 Cisco Secure ACS for Windows 2000/NT—Select this option if the remote • AAA server is another Cisco Secure ACS. This enables you to configure features that are only available with other Cisco Secure ACS servers, such as CiscoSecure user database replication and remote logging. Note...
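    The key-mismatch failure described on pages 117 and 124 can be seen concretely in how RADIUS uses the shared secret. The following Python is an added example, not code from Cisco Secure ACS or from this guide: it implements the RFC 2865 User-Password hiding and the Response Authenticator, runs one Access-Request/Access-Accept round trip with a constructed 16-byte request authenticator, the constructed user name "mary" and constructed secrets, and shows that a secret differing only in case makes the server recover garbage instead of the password and makes the client reject the server's reply.

```python
"""RADIUS shared-secret mechanics (RFC 2865), added example, not Cisco Secure ACS code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Trailing NUL padding is stripped, so this example
    does not support passwords that themselves end in NUL bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(ident: int, request_auth: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of the Response Authenticator; a wrong key, including a
    key that differs only in case, fails here."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(client_secret: bytes, server_secret: bytes, password: bytes, request_auth: bytes) -> dict:
    """Simulate one Access-Request/Access-Accept round trip between a AAA client and a
    server that may have been configured with a different key."""
    req = build_request(7, request_auth, [
        (ATTR_USER_NAME, b"mary"),
        (ATTR_USER_PASSWORD, hide_password(password, client_secret, request_auth)),
    ])
    # Server side: walk the TLVs, find User-Password and unhide it with the server's key.
    pos, hidden = 20, b""
    while pos < len(req):
        attr_type, attr_len = req[pos], req[pos + 1]
        if attr_type == ATTR_USER_PASSWORD:
            hidden = req[pos + 2:pos + attr_len]
        pos += attr_len
    server_sees = reveal_password(hidden, server_secret, request_auth)
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, [], server_secret)
    return {"server_sees": server_sees,
            "client_accepts": verify_response(reply, request_auth, client_secret)}


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; a real client uses 16 fresh random bytes per request
    print(exchange(b"s3cret", b"s3cret", b"Pa55word", auth))
    print(exchange(b"s3cret", b"S3CRET", b"Pa55word", auth))
```

    With matching keys the server recovers the password and the client accepts the reply; with keys that differ only in case both checks fail, which is the "incorrectly encrypted" condition on page 124. The same mechanism is why a RADIUS shared secret should be long and random: the hiding is only as strong as MD5 over the secret plus a value visible on the wire.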
  • Page 126: Editing A AAA Server Configuration

    For detailed information on the AAA server settings, see the “Adding and Configuring a AAA Server” section. Note: Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services.
  • Page 127 Then, in the AAA Servers table, click the name of the AAA server to be edited. If you have not enabled NDGs, in the AAA Servers table, click the name of the AAA server to be edited. Result: The AAA Server Setup for X page appears.
  • Page 128: Deleting A AAA Server

    If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, click the AAA server name in the AAA Servers table. If you have not enabled NDGs, click the AAA server name in the AAA Servers table.
  • Page 129: Adding A Network Device Group

    In the Network Device Group Name box, type the name of the new NDG. The maximum name length is 19 characters. Quotation marks (") and commas (,) are not allowed. Spaces are allowed.
  • Page 130: Assigning An Unassigned AAA Client Or AAA Server To An NDG

    Step 4 Click Submit. Result: The Network Device Groups table displays the new NDG. Step 5 To populate the newly established NDG with AAA clients or AAA servers, perform one or more of the following procedures, as applicable: • Adding and Configuring a AAA Client, page 4-9 …
  • Page 131: Reassigning A AAA Client Or AAA Server To An NDG

    In the Network Device Groups table, click the name of the network device’s current group. Step 3 In either the AAA Clients table or AAA Servers table, as applicable, click the name of the client or server you want to assign to a new NDG.
  • Page 132: Deleting A Network Device Group

    Result: A confirmation dialog box appears. Step 4 Click OK. Result: The name of the NDG is changed.
  • Page 133: Proxy Distribution Table Configuration

    …Distributed System Settings check box. The Proxy Distribution Table comprises entries that show the character strings on which to proxy, the AAA servers to proxy to, whether to strip the character string, and where to send the accounting information (Local/Remote, Remote, or Local).
  • Page 134 Step 5 …select Yes to strip the character string off the username, or select No if it is to be left intact. Step 6 In the AAA Servers column, select the AAA server you want to use for proxy. Click —> (right arrow button) to move it to the Forward To column.
  • Page 135 You can also select additional AAA servers to use for backup proxy in the event the prior servers fail. To set the order of AAA servers, in the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want.
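    Pages 113 (Fallback on Failed Connection), 114 (Character String) and 133 to 135 describe the pieces of a proxy decision: which entry a username matches, whether the character string is stripped before forwarding, which server in the Forward To list takes the request, and where the accounting goes. The following Python is an added example, not code from Cisco Secure ACS, that puts those pieces into one routing function. The table contents (the "@la" suffix and "ny." prefix entries, the server names LA-ACS, LA-ACS-backup and NY-ACS, and the Local/Remote values) are constructed for illustration; the rule for choosing between two matching entries (longest character string wins) and the result for a Forward To list whose servers are all unreachable (no server) are this example's assumptions, since the guide does not state them on these pages.

```python
"""Proxy Distribution Table routing, added example, not Cisco Secure ACS code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

LOCAL = "LocalACS"  # stands for "handle the request on this Cisco Secure ACS"


@dataclass(frozen=True)
class ProxyEntry:
    char_string: str       # "(Default)" or the string to match, e.g. "@la"
    position: str          # "prefix" or "suffix"
    strip: bool            # Yes: remove the character string before forwarding
    forward_to: List[str]  # ordered Forward To column; earlier servers are tried first
    accounting: str        # "Local", "Remote", or "Local/Remote"


# Constructed table. (Default) is the entry ACS creates for itself (page 112).
TABLE = [
    ProxyEntry("(Default)", "prefix", False, [LOCAL], "Local"),
    ProxyEntry("@la", "suffix", True, ["LA-ACS", "LA-ACS-backup"], "Remote"),
    ProxyEntry("ny.", "prefix", False, ["NY-ACS"], "Local/Remote"),
]


def matches(entry: ProxyEntry, username: str) -> bool:
    if entry.char_string == "(Default)":
        return False  # the default entry is the fallback, never an explicit match
    if entry.position == "prefix":
        return username.startswith(entry.char_string)
    return username.endswith(entry.char_string)


def forwarded_username(entry: ProxyEntry, username: str) -> str:
    """Apply the Strip setting: the remote ACS then sees the bare name (mary, not mary@la)."""
    if not entry.strip or entry.char_string == "(Default)":
        return username
    n = len(entry.char_string)
    return username[n:] if entry.position == "prefix" else username[:-n]


def route(table: List[ProxyEntry], username: str,
          unreachable: FrozenSet[str] = frozenset()) -> dict:
    """Pick the entry, strip if configured, then walk Forward To in order, skipping
    servers whose connection has failed (fallback on failed connection, page 113)."""
    candidates = [e for e in table if matches(e, username)]
    if candidates:
        entry = max(candidates, key=lambda e: len(e.char_string))  # assumption: most specific wins
    else:
        entry = next(e for e in table if e.char_string == "(Default)")
    server: Optional[str] = next((s for s in entry.forward_to if s not in unreachable), None)
    return {
        "server": server,  # None when every listed server is down
        "username": forwarded_username(entry, username),
        "accounting": entry.accounting,
        "matched": entry.char_string,
    }


if __name__ == "__main__":
    print(route(TABLE, "mary@la"))
    print(route(TABLE, "mary@la", frozenset({"LA-ACS"})))
    print(route(TABLE, "alice"))
```

    Note what stripping implies for the remote server: LA-ACS authenticates "mary", not "mary@la", so its user database must hold the bare name, and its own Proxy Distribution Table must not match the stripped name again or the request will loop.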
  • Page 136 Step 2 In the Character String column of the Proxy Distribution Table, click the distribution entry you want to edit. Result: The Edit Proxy Distribution Entry page appears.
  • Page 137 Result: A confirmation dialog box appears. Step 4 Click OK. Result: Cisco Secure ACS deletes the distribution entry from the Proxy Distribution Table.
  • Page 139: Chapter 5 Setting Up And Managing Shared Profile Components

    …PIX ACLs. The Shared Profile Components section of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) addresses the scalability of selective authorization. Shared profile components can be configured once and then applied to many users or groups. Without this ability,…
  • Page 140: Downloadable PIX ACLs

    …11.0.0.253 See the “Command Reference” section of your PIX Firewall configuration guide for detailed ACL definition information.
  • Page 141: Downloadable PIX ACL Configuration

    Step 3 Click Add. Result: The Downloadable PIX ACLs page appears. Step 4 In the Name box, type the name of the new PIX ACL.
  • Page 142: Editing A Downloadable PIX ACL

    Step 2 Click Downloadable PIX ACLs. Result: The Downloadable PIX ACLs table appears. The name of a PIX ACL may contain up to 32 characters. The name may contain spaces;…
  • Page 143: Deleting A Downloadable PIX ACL

    Result: A dialog box warns you that you are about to delete a PIX ACL. Step 5 To confirm that you intend to delete the PIX ACL, click OK. Result: The selected PIX ACL is deleted.
  • Page 144: Network Access Restrictions

    …NAR definitions. All the values/conditions in a NAR specification must be met for the NAR to restrict access; that is, the values are “ANDed”.
  • Page 145: Shared Network Access Restrictions Configuration

    Shared access restrictions are kept in the CiscoSecure user database and can be backed up/restored by the Cisco Secure ACS backup and restore features and replicated to secondary Cisco Secure ACS servers along with other configurations. Shared Network Access Restrictions Configuration. You can configure multiple shared NARs to restrict access to particular AAA clients, all AAA clients, or to named NDGs.
  • Page 146 To specify whether you are listing addresses that are permitted or denied, from the Table Defines list, select the applicable value. The name can contain up to 32 characters.
  • Page 147 • The name of the particular AAA client • All AAA clients. Note: Only NDGs that you have previously configured appear in the list.
  • Page 148 Step 3 In the Name column, click the shared NAR you want to edit. Result: The Network Access Restriction page appears with information displayed for the selected filter. Port—Type the number of the port to filter on.
  • Page 149 Step 8 …steps: Select the line item. Below the table, click Remove. Result: The line item is removed from the CLI/DNIS access restrictions table.
  • Page 150: Command Authorization Sets

    This section includes a description of command authorization sets and pattern matching followed by detailed instructions regarding their configuration and management.
  • Page 151: About Command Authorization Sets

    …CiscoSecure user database and can be backed up/restored by the Cisco Secure ACS backup and restore features and replicated to secondary Cisco Secure ACS servers along with other configuration.
  • Page 152: About Pattern Matching

    • Editing a Command Authorization Set, page 5-17 • Deleting a Command Authorization Set, page 5-17 • Configuring a Shell Command Authorization Set for a User Group, …
  • Page 153 The set name can contain up to 32 characters. Names cannot contain the following special characters: # ? " * > < Leading and trailing spaces are not allowed.
  • Page 154 …Submit. Result: Cisco Secure ACS displays the name and description of the new command authorization set in the applicable Command Authorization Sets table. Enter only the command portion of the command/argument string here.
  • Page 155 Result: The Shared Profile Components page lists the command authorization set types available. Step 2 Click a command authorization set, as applicable. Result: The selected Command Authorization Sets table appears.
  • Page 156 Step 5 Result: Cisco Secure ACS displays the applicable Command Authorization Sets table. The command authorization set is no longer listed.
  • Page 157: Chapter 6 Setting Up And Managing User Groups

    Setting Up and Managing User Groups. This chapter provides information about setting up and managing user groups in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) to control authorization. Cisco Secure ACS enables you to group together network users for more efficient administration.
  • Page 158: User Group Setup Features And Functions

    You can also configure TACACS+ settings at the individual user level. Note: User-level settings always override group-level settings.
  • Page 159: Common User Group Settings

    • Setting Max Sessions for a User Group, page 6-11 • Setting Usage Quotas for a User Group, page 6-13
  • Page 160: Enabling VoIP Support For A User Group

    Step 5 To continue, and specify other group settings, perform other procedures in this chapter, as applicable. See also the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 161: Setting Default Time Of Day Access For A User Group

    …All to select all hours. Note: You must select the Set as default Access Times check box to limit access based on time or day.
  • Page 162: Setting Callback Options For A User Group

    Setting Callback Options for a User Group. Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
  • Page 163: Setting Network Access Restrictions For A User Group

    For more information, see the “About Network Access Restrictions” section on page 5-6 and the “Shared Network Access Restrictions Configuration” section on page 5-7. You must have enabled the Group-Level Shared Network Access…
  • Page 164 To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR, as applicable.
  • Page 165 From the AAA Client list, select either All AAA Clients, the name of the NDG, or the name of the particular AAA client to which to permit or deny access. See also the “Shared Network Access Restrictions Configuration” section on page 5-7.
  • Page 166 Click Enter. Result: The information, specifying the AAA client, Port, CLI, and DNIS, appears in the list. Note: You must make an entry in each box. You can use the wildcard asterisk (*) for all or part of a value.
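    Pages 144 to 149 (shared NARs: the Table Defines choice, the AAA client selector of a specific client, all clients or an NDG, and the ANDed columns) and pages 165 to 166 (the same line items at group level, with "*" allowed for all or part of a value) together specify how a CLI/DNIS restriction is evaluated. The following Python is an added example, not Cisco Secure ACS code, that evaluates a dial-in request against a list of such NARs. The NAR contents, NDG name "Campus" and request values are constructed; the rule that every shared NAR applied to a group must allow the request is this example's assumption, since these pages do not say how several NARs combine.

```python
"""Network Access Restriction (NAR) evaluation, added example, not Cisco Secure ACS code."""
import re
from dataclasses import dataclass
from typing import List

ALL_CLIENTS = "All AAA Clients"


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters, anywhere in the value; everything else is literal
    (so '?' and '[' in a DNIS pattern are ordinary characters, unlike shell globbing)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass(frozen=True)
class Request:
    aaa_client: str  # name of the NAS that sent the request
    ndg: str         # NDG the NAS is assigned to ("" if none)
    port: str
    cli: str         # calling line ID
    dnis: str        # dialled number


@dataclass(frozen=True)
class LineItem:
    aaa_client: str  # ALL_CLIENTS, an NDG name, or a specific AAA client name (page 147)
    port: str
    cli: str
    dnis: str

    def matches(self, req: Request) -> bool:
        """Every column must match: the values are ANDed (page 144)."""
        client_ok = self.aaa_client in (ALL_CLIENTS, req.ndg, req.aaa_client)
        return (client_ok
                and wildcard_match(self.port, req.port)
                and wildcard_match(self.cli, req.cli)
                and wildcard_match(self.dnis, req.dnis))


@dataclass(frozen=True)
class SharedNAR:
    name: str
    table_defines: str  # "Permitted" or "Denied" (the Table Defines list, page 146)
    items: List[LineItem]

    def allows(self, req: Request) -> bool:
        matched = any(item.matches(req) for item in self.items)
        # Permitted table: only listed calls get in. Denied table: listed calls are blocked.
        return matched if self.table_defines == "Permitted" else not matched


def access_allowed(nars: List[SharedNAR], req: Request) -> bool:
    """Several shared NARs applied to one group: all must allow (assumption of this example)."""
    return all(nar.allows(req) for nar in nars)


# Constructed NARs for a dial-in group: only calls into the campus number, and never from
# premium-rate callers, on any NAS.
CAMPUS_ONLY = SharedNAR("Campus-DNIS-only", "Permitted",
                        [LineItem("Campus", "*", "*", "5551000")])
NO_PREMIUM = SharedNAR("Block-1900-callers", "Denied",
                       [LineItem(ALL_CLIENTS, "*", "1900*", "*")])
GROUP_NARS = [CAMPUS_ONLY, NO_PREMIUM]


if __name__ == "__main__":
    print(access_allowed(GROUP_NARS, Request("nas-1", "Campus", "tty3", "4085550123", "5551000")))
    print(access_allowed(GROUP_NARS, Request("nas-1", "Campus", "tty3", "19005550000", "5551000")))
    print(access_allowed(GROUP_NARS, Request("nas-9", "Branch", "tty3", "4085550123", "5551000")))
```

    The third request fails although its DNIS is right, because the permitted line item names the Campus NDG and nas-9 is in Branch; with ANDed columns, one mismatching field is enough for the item not to apply. That is also why a "Permitted" table with a typo in one column silently locks everyone out rather than letting anyone extra in.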
  • Page 167: Setting Max Sessions For A User Group

    Note: The default setting for group Max Sessions is Unlimited for both the group and the user within the group. See also the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 168 Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable. See also the “Setting Max Sessions Options for a User” section and the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 169: Setting Usage Quotas For A User Group

    See also the “Setting User Usage Quotas Options” section on page 7-19 and the “Resetting Usage Quota Counters for a User Group” section on page 6-49.
  • Page 170 Type the number of sessions to which you want to limit users in the to x sessions box.
  • Page 171: Configuration-Specific User Group Settings

    • Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month • Total—An ongoing count of sessions, without an end
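    Pages 169 to 171 define a session quota as "limit users to x sessions" within a period. The following Python is an added example, not Cisco Secure ACS code, that computes the period window for a timestamp and checks such a quota against a constructed accounting history of session start times. Only the Month and Total definitions survive on these pages, so the Day window (midnight to midnight) is this example's assumption; it also treats the Month window as starting at midnight on the first rather than 12:01 a.m., and treats a quota of x sessions as blocking the session that would be number x+1.

```python
"""Usage-quota period windows, added example, not Cisco Secure ACS code."""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple, Union

Window = Tuple[Optional[datetime], Optional[datetime]]  # [start, end); None = unbounded


def _as_dt(at: Union[str, datetime]) -> datetime:
    """Accept ISO 8601 strings as well as datetimes for convenience."""
    return datetime.fromisoformat(at) if isinstance(at, str) else at


def period_window(period: str, at: Union[str, datetime]) -> Window:
    """Return the half-open window of the quota period that contains `at`."""
    at = _as_dt(at)
    midnight = at.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "Day":  # assumption: the guide's Day definition is not on these pages
        return midnight, midnight + timedelta(days=1)
    if period == "Month":  # first of the month until the end of its last day (page 171)
        start = midnight.replace(day=1)
        end = (start.replace(year=start.year + 1, month=1) if start.month == 12
               else start.replace(month=start.month + 1))
        return start, end
    if period == "Total":  # an ongoing count, without an end (page 171)
        return None, None
    raise ValueError(f"unknown quota period {period!r}")


def sessions_in_period(session_starts: List[datetime], period: str,
                       at: Union[str, datetime]) -> int:
    """Count the sessions whose Start record falls inside the period containing `at`."""
    start, end = period_window(period, at)
    return sum(1 for s in session_starts
               if (start is None or s >= start) and (end is None or s < end))


def quota_exceeded(session_starts: List[datetime], period: str,
                   at: Union[str, datetime], limit: int) -> bool:
    """True when a new session at `at` would exceed 'limit users to x sessions' per period."""
    return sessions_in_period(session_starts, period, at) >= limit


# Constructed accounting history for one user (Start records only).
HISTORY = [
    datetime(2001, 11, 1, 8, 30),
    datetime(2001, 11, 15, 9, 0),
    datetime(2001, 11, 30, 23, 59),
    datetime(2001, 12, 1, 0, 0),  # already in the next month's window
]

if __name__ == "__main__":
    now = "2001-11-30T12:00"
    for period in ("Day", "Month", "Total"):
        print(period, sessions_in_period(HISTORY, period, now),
              quota_exceeded(HISTORY, period, now, 3))
```

    The half-open window matters at the boundary: a session that starts at exactly 00:00 on 1 December is counted against December, not November, and a Total quota never resets on its own, which is what the "Resetting Usage Quota Counters for a User Group" procedure on page 6-49 is for.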
  • Page 172 For more information, see the “Protocol Configuration Options for TACACS+” section on page 3-7 and the “Protocol Configuration Options for RADIUS” section.
  • Page 173: Setting Token Card Settings For A User Group

    Result: The Group Settings page displays the name of the group at its top. Step 3 From the Jump To list at the top of the page, choose Token Cards.
  • Page 174: Setting Enable Privilege Options For A User Group

    …NDG. To use this option, you create a list of device groups and corresponding maximum privilege levels. See your AAA client documentation for information about privilege levels. See also the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 175 Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable. See also the “Saving Changes to User Group Settings” section.
  • Page 176: Enabling Password Aging For The CiscoSecure User Database

    (…They enable an approximation of session length in the event that the AAA client fails and, thereby, no stop packet is received to mark the end of the session.)
  • Page 177: Password Aging Feature Settings

    Then, a dialog box warns the user that the account will be…
  • Page 178 If users do not change their passwords now, their accounts expire and they cannot log in. This number must be greater than the Issue warning after x logins number.
  • Page 179 Step 2 From the Group list, select a group, and then click Edit Settings. Result: The Group Settings page displays the name of the group at its top.
  • Page 180 Step 9 To continue specifying other group settings, perform other procedures in this chapter, as applicable. See also the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 181: Enabling Password Aging For Users In Windows Databases

    …Cisco Secure ACS is running) can only use the Windows-based password aging if they supply their domain name. See also the “Enabling Password Aging for the CiscoSecure User Database” section on page 6-20.
  • Page 182: Setting IP Address Assignment Method For A User Group

    Select Assigned from AAA pool. Then, select the AAA server IP pool name in the Available Pools list and click —> (right arrow button) to move the name into the Selected Pools list.
  • Page 183: Assigning A Downloadable PIX ACL To A Group

    If there is more than one pool in the Selected Pools list, the users in this group are assigned to the first available pool in the order listed. See also the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 184: Configuring TACACS+ Settings For A User Group

    Note: To display or hide additional services or protocols, click Interface Configuration, click TACACS+ (Cisco IOS), and then select or clear items in the group column, as applicable. See also the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 185 Display a window for each service selected in which you can enter customized TACACS+ attributes. A box opens under each service/protocol in which you can define an ACL. See also Appendix C, “TACACS+ …”.
  • Page 186: Configuring A Shell Command Authorization Set For A User Group

    This feature requires that you have previously configured a shell command authorization set. For detailed steps, see the “…Configuration” section. See also the “Saving Changes to User Group Settings” section on page 6-50.
  • Page 187 Select the Per Group Command Authorization option. Under Unmatched Cisco IOS commands, select either Permit or Deny.
  • Page 188: Configuring A Pix Command Authorization Set For A User Group

    Assign a PIX Command Authorization Set on a per Network Device • Group Basis—Particular PIX command authorization sets are to be effective on particular NDGs Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-32 Chapter 6 Setting Up and Managing User Groups 5-14.
  • Page 189 From the list directly below that option, select the PIX command authorization set you want applied to this user group. 78-13751-01, Version 3.0 Configuration-specific User Group Settings 5-14. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide “Command Authorization Sets 6-33...
  • Page 190: Configuring Ietf Radius Settings For A User Group

    RADIUS attributes, see For more information about how your AAA client uses RADIUS, refer to your AAA client vendor documentation. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-34 Chapter 6 Setting Up and Managing User Groups 3-10.
  • Page 191 To continue specifying other group settings, perform other procedures in this Step 7 chapter, as applicable. 78-13751-01, Version 3.0 Configuration-specific User Group Settings “Saving Changes to User Group Settings” section Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-35...
  • Page 192: Configuring Cisco Ios/Pix Radius Settings For A User Group

    Step 4 To continue specifying other group settings, perform other procedures in this chapter, as applicable. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-36 “Configuring IETF RADIUS Settings for a User 6-34. “Saving Changes to User Group Settings” section 6-50.
  • Page 193: Configuring Ascend Radius Settings For A User Group

    For more information about attributes, see AAA client documentation. 78-13751-01, Version 3.0 Configuration-specific User Group Settings Appendix D, “RADIUS Attributes,” Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Ascend-Remote-Addr “Setting Protocol 3-14. “Configuring IETF 6-34.
  • Page 194: Configuring Cisco Vpn 3000 Concentrator Radius Settings For A User Group

    “Configuring IETF RADIUS Settings for a User Group” section on page Step 2 In the navigation bar, click Group Setup. Result: The Group Setup Select page opens. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-38 “Saving Changes to User Group Settings” section 6-50.
  • Page 195: Configuring Cisco Vpn 5000 Concentrator Radius Settings For A User Group

    “Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000)” section on page 78-13751-01, Version 3.0 “Saving Changes to User Group Settings” section 6-50. 3-16. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Configuration-specific User Group Settings Appendix D, “RADIUS Attributes,” 6-39...
  • Page 196 6-50. Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-40 Chapter 6 Setting Up and Managing User Groups Appendix D, “RADIUS Attributes,”...
  • Page 197: Configuring Microsoft Radius Settings For A User Group

    Result: The Group Settings page displays the name of the group at its top. From the Jump To list at the top of the page, choose RADIUS (Microsoft). Step 4 78-13751-01, Version 3.0 Configuration-specific User Group Settings Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide “Setting Protocol 3-17. 6-34. 6-41...
  • Page 198: Configuring Nortel Radius Settings For A User Group

    Note To hide or display Nortel RADIUS attributes, see the Configuration Options for RADIUS (Nortel)” section on page Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-42 Appendix D, “RADIUS Attributes,” The MS-CHAP-MPPE-Keys attribute value is generated by Cisco Secure ACS;...
  • Page 199 To continue specifying other group settings, perform other procedures in this Step 7 chapter, as applicable. 78-13751-01, Version 3.0 Configuration-specific User Group Settings 6-34. Appendix D, “RADIUS Attributes,” “Saving Changes to User Group Settings” section Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Configuring or the 6-43...
  • Page 200: Configuring Juniper Radius Settings For A User Group

    For more information about attributes, see documentation for network devices using RADIUS. Note Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 6-44 Appendix D, “RADIUS Attributes,” The MS-CHAP-MPPE-Keys attribute value is generated by Cisco Secure ACS;...
  • Page 201: Configuring Cisco Bbsm Radius Settings For A User Group

    Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco BBSM). “Saving Changes to User Group Settings” section on page 6-50...
  • Page 202: Configuring Custom Radius Vsa Settings For A User Group

    Group-level custom RADIUS attributes have been enabled on the RADIUS (Name) page of the Interface Configuration section. You must configure both the IETF RADIUS and the custom RADIUS attributes. The MS-CHAP-MPPE-Keys attribute value is generated by Cisco Secure ACS;...
  • Page 203 Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable. Appendix D, “RADIUS Attributes.” “Saving Changes to User Group Settings” section...
  • Page 204: Group Setting Management

    Step 4 To open a user account (to view, modify, or delete a user), click the name of the user in the User List...
  • Page 205: Resetting Usage Quota Counters For A User Group

    Result: The Renaming Group: Group Name page appears. Step 4 Type the new name in the Group field. Group names cannot contain angle brackets (< or >)...
  • Page 206: Saving Changes To User Group Settings

    To verify that your changes were applied, select the group and click Edit Settings. View the settings. The group remains in the same position in the list. The number value of the group is still associated with this group name.
  • Page 207: Chapter 7 Setting Up And Managing User Accounts

    Setting Up and Managing User Accounts This chapter provides information about setting up and managing user accounts in Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). Note Settings at the user level override settings configured at the group level.
  • Page 208: User Setup Features And Functions

    • Set the maximum number of concurrent sessions (Max Sessions) for the user • Disable or re-enable the user account • Delete the user. 7-23—Details on the steps ... 7-51—Information about viewing, disabling, and...
  • Page 209: About User Databases

    • Token Server—Authenticates a user from a token server database. Cisco Secure ACS supports the use of a variety of token servers for the increased security provided by one-time passwords. For more information, see the...
  • Page 210: Basic User Setup Options

    TACACS+ and RADIUS; these procedures are located under the “Advanced User Authentication Settings” section on page 7-23. “Adding a Basic User Account,” page 7-5...
  • Page 211: Adding A Basic User Account

    The username can contain up to 32 characters. Names cannot contain the following special characters: # ? " * > < Leading and trailing spaces are not allowed...
  • Page 212 For example, the following line in the AAA client configuration file causes the AAA client to enable CHAP after PAP: ppp authentication pap chap...
  • Page 213: Setting Supplementary User Information

    To continue to specify the user account options, perform other procedures in this chapter, as applicable...
  • Page 214: Setting A Separate Chap/Ms-Chap/Arap Password

    To continue to specify the user account options, perform other procedures in this chapter, as applicable. These Password and Confirm Password boxes are only required for authentication by the Cisco Secure ACS database.
  • Page 215: Assigning A User To A Group

    To continue to specify the user account options, perform other procedures in this chapter, as applicable...
  • Page 216: Setting User Callback Option

    Setting User Callback Option Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
  • Page 217: Assigning A User To A Client Ip Address

    If the IP address is being assigned from a pool of IP addresses or by the dialup client, leave the Assign IP address box blank...
  • Page 218: Setting Network Access Restrictions For A User

    • Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS used. Note You can also use the CLI/DNIS-based access restrictions area to specify other values.
  • Page 219 Select the Only Allow network access when check box...
  • Page 220 Table Defines list, select one of the following: • Permitted Calling/Point of Access Locations • Denied Calling/Point of Access Locations...
  • Page 221 Table Defines list, select one of the following: • Permitted Calling/Point of Access Locations • Denied Calling/Point of Access Locations...
  • Page 222 Click Enter. Result: The information, specifying the AAA client, port, CLI, and DNIS, appears in the table above the AAA Client list. You must make an entry in each box. You can use the wildcard asterisk (*) for all or part of a value.
  • Page 223: Setting Max Sessions Options For A User

    Note mechanism for Cisco Secure ACS to share Max Sessions counts across multiple servers. Therefore, if two Cisco Secure ACS servers are set up as a mirror pair with the workload distributed between them, they will have completely independent views of the Max Sessions totals.
  • Page 224 If you are finished configuring the user account options, click Submit to record the options. To continue to specify the user account options, perform other procedures in this chapter, as applicable...
  • Page 225: Setting User Usage Quotas Options

    AAA clients. If update packets are not enabled, the quota is updated only when the user logs off. If the AAA client through which the user is accessing your...
  • Page 226 Select the Limit user to x sessions check box. Type the number of sessions to which you want to limit the user in the Limit user to x sessions box...
  • Page 227: Setting Options For User Account Disablement

    Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month. Absolute—A continuous, open-ended count of hours...
  • Page 228: Assigning A Pix Acl To A User

    (ACL) at the user level. You must have established one or more PIX ACLs before attempting to assign one. For instructions on how to configure a downloadable ... This is the default setting.
  • Page 229: Advanced User Authentication Settings

    • Advanced TACACS+ Settings (User), page 7-31 • RADIUS Attributes, page 7-36...
  • Page 230: Tacacs+ Settings (User)

    TACACS+ services in the Cisco Secure ACS HTML interface, see the “Protocol Configuration Options for TACACS+” section on page 3-7...
  • Page 231 AAA client documentation. For information on ... “Assigning a PIX ACL to a User” section on page 7-22 ... or your AAA client...
  • Page 232: Configuring A Shell Command Authorization Set For A User

    • In the Advanced Options section of Interface Configuration, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected...
  • Page 233 Result: The associated NDG and shell command authorization set appear in the table...
  • Page 234 If you are finished configuring the user account options, click Submit to record the options. To continue to specify the user account options, perform other procedures in this chapter, as applicable.
  • Page 235: Configuring A Pix Command Authorization Set For A User

    To prevent the application of any PIX command authorization set, select (or accept the default of) the None option...
  • Page 236 If you are finished configuring the user account options, click Submit to record the options. To continue to specify the user account options, perform other procedures in this chapter, as applicable...
  • Page 237: Configuring The Unknown Service Setting For A User

    If the Advanced TACACS+ Settings (User) table does not appear, click Interface Configuration, click TACACS+ (Cisco IOS), and then click Advanced TACACS+ Features...
  • Page 238: Setting Enable Privilege Options For A User

    NDGs. Note You must configure NDGs from within Interface Configuration before you can assign user privilege levels to them. This is the default setting.
  • Page 239 (No Enable Privilege is the default setting; when setting up a new user account, it should already be selected.) You must have previously configured a device group for it to be listed.
  • Page 240: Setting Tacacs+ Enable Password Options For A User

    Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page...
  • Page 241: Setting Tacacs+ Outbound Password For A User

    The list of databases displays only the databases that you have configured. For more information, see the “About External User Databases” section on page 11-4...
  • Page 242: Radius Attributes

    • Setting Ascend RADIUS Parameters for a User, page 7-39 • Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User, page 7-41...
  • Page 243 IETF RADIUS attribute 27, Session-Timeout. ... or the documentation for your particular network device using ... Appendix D, “RADIUS Attributes”...
  • Page 244 RADIUS (Cisco IOS/PIX) in the Interface Configuration section. Cisco IOS RADIUS represents only the Cisco IOS VSAs. You must configure both the IETF RADIUS and Cisco IOS RADIUS attributes...
  • Page 245: Setting Ascend Radius Parameters For A User

    RADIUS (Ascend) in the Interface Configuration section. “Setting IETF RADIUS Parameters for a User” section on page 7-37...
  • Page 246 If you are finished configuring the user account options, click Submit to record the options. To continue to specify the user account options, perform other procedures in this chapter, as applicable...
  • Page 247: Setting Cisco Vpn 3000 Concentrator Radius Parameters For A User

    For more information about setting IETF RADIUS attributes, see the “Setting IETF RADIUS Parameters for a User” section on page 7-37...
  • Page 248: Setting Cisco Vpn 5000 Concentrator Radius Parameters For A User

    Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see the “Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000)” section on page ... or your AAA client documentation.
  • Page 249 ... or your AAA client documentation. Appendix D, “RADIUS Attributes”...
  • Page 250: Setting Microsoft Radius Parameters For A User

    Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page...
  • Page 251: Setting Nortel Radius Parameters For A User

    AAA client documentation. The MS-CHAP-MPPE-Keys attribute value is generated by Cisco Secure ACS; there is no value to set in the HTML interface. Appendix D, “RADIUS Attributes”...
  • Page 252 If you are finished configuring the user account options, click Submit to record the options. To continue to specify the user account options, perform other procedures in this chapter, as applicable...
  • Page 253: Setting Juniper Radius Parameters For A User

    “Setting IETF RADIUS Parameters for a User” section on page 7-37, or your AAA client documentation. Appendix D, “RADIUS Attributes”...
  • Page 254: Setting Bbsm Radius Parameters For A User

    Step 2 ... attributes are configured properly. For more information about setting IETF RADIUS attributes, see the “Setting IETF RADIUS Parameters for a User” section on page...
  • Page 255: Setting Custom Radius Attributes For A User

    You must configure both the IETF RADIUS and the custom RADIUS attributes. Proprietary attributes override IETF attributes. ... or your AAA client documentation. Appendix D, “RADIUS Attributes”...
  • Page 256 If you are finished configuring the user account options, click Submit to record the options. To continue to specify the user account options, perform other procedures in this chapter, as applicable...
  • Page 257: User Management

    Result: The User Setup Select page opens. Step 2 Click List All Users. Result: In the display area on the right, the User List appears...
  • Page 258: Finding A User

    Step 3 To view or edit the information for the user, click the username in the display area on the right. Result: The user’s account information appears.
  • Page 259: Disabling A User Account

    Step 5 Click Submit at the bottom of the page. Result: The specified user account is disabled...
  • Page 260: Deleting A User Account

    Step 5 Click OK. Result: The user account is removed from the CiscoSecure user database. Alternatively, you can click List All Users and then select the user from the list that appears.
  • Page 261: Resetting User Session Quota Counters

    Step 2 In the User box, type the complete username of the account to be reset. Alternatively, you can click List All Users and then select the user from the list that appears.
  • Page 262: Saving User Settings

    Step 2 To verify that your changes were applied, type the username in the User box and click Add/Edit, and then review the settings. Alternatively, you can click List All Users and then select the user from the list that appears.
  • Page 263: System Configuration

    Establishing Cisco Secure ACS System Configuration This chapter addresses the features found in the System Configuration section of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). It contains the following topics: • Service Control, page 8-2...
  • Page 264: C H A P T E R 8 Establishing Cisco Secure Acs System Configuration

    Windows NT/2000 Control panel. This stops, starts, or restarts the Cisco Secure ACS services except for CSAdmin, which is responsible for the HTML interface...
  • Page 265: Logging

    Cisco Secure ACS allows for one of two possible date formats in its logs, reports, and administrative interface. You can choose either a month/day/year format or a day/month/year format. Chapter 9, “Working with Logging and Reports.”...
  • Page 266: Setting The Date Format

    CiscoSecure user database and when a user attempts to change passwords using the CiscoSecure Authentication Agent applet...
  • Page 267: Setting Password Validation Options

    Step 6 To require that a user’s password must be different from the user’s previous password, select the Password is different from the previous value check box...
  • Page 268: Ciscosecure Database Replication

    Database replication helps create mirror systems of Cisco Secure ACS servers by duplicating parts of the primary Cisco Secure ACS server setup to one or more secondary Cisco Secure ACS servers. You can configure your AAA clients to use...
  • Page 269 these secondary Cisco Secure ACS servers if the primary Cisco Secure ACS server fails or is unreachable. With a secondary Cisco Secure ACS server whose CiscoSecure database is a replica of the primary Cisco Secure ACS server’s...
  • Page 270: Replication Process

    Note All Cisco Secure ACS servers involved in replication must run the same release of the Cisco Secure ACS software, including patch level. For example, if the primary Cisco Secure ACS server is running Cisco Secure ACS version 3.0.1, all secondary Cisco Secure ACS servers should be running...
  • Page 271 Figure 8-1 primary Cisco Secure ACS server, replicating to servers 2 and 3, which act as secondary Cisco Secure ACS servers. After replication from server 1 to server 2 has completed, server 2 acts as a primary Cisco Secure ACS server while replicating to servers 4 and 5.
  • Page 272: Replication Frequency

    • Cisco Secure ACS servers. To add a secondary Cisco Secure ACS server, configure the Cisco Secure ACS server in the AAA Servers table in the Network Configuration section. When a Cisco Secure ACS server is added to the AAA Servers table, it appears for selection as a secondary Cisco Secure ACS server in the AAA Servers list under Replication Partners on the CiscoSecure Database Replication page.
  • Page 273: Database Replication Versus Database Backup

    You can store several generations of database backup files. CiscoSecure Database Replication offers the convenience of copying various components of the CiscoSecure database to other Cisco Secure ACS servers. This can help you plan a failover AAA architecture and can help reduce the complexity of your configuration and maintenance tasks.
  • Page 274: Database Replication Logging

    Database Utility.” Database replication provides fairly comprehensive replication of Cisco Secure ACS servers, but it does not replicate all the Cisco Secure ACS setup. Because Cisco Secure ACS relies on several communication dynamic link libraries (DLLs), database replication does not include external authentication sources.
  • Page 275: Replication Options

    • User and group database—Replicate the information for groups and users. • AAA Servers and AAA Clients tables—Replicate the AAA Servers tables and the AAA Clients tables in the Network Configuration section. • Distribution table—Replicate the Proxy Distribution Table in the Network...
  • Page 276: Replication Scheduling Options

    Figure 8-1 on page ... • Every X minutes—Cisco Secure ACS performs, on a set frequency, database replication to the configured list of secondary Cisco Secure ACS servers. The unit of measurement is minutes, with a default update frequency of 60 minutes.
  • Page 277: Replication Partners Options

    Replication Partners Options You can specify the Cisco Secure ACS servers for which a Cisco Secure ACS performs as a primary Cisco Secure ACS server or as a secondary Cisco Secure ACS server. The options that control the Cisco Secure ACS servers...
  • Page 278: Implementing Primary And Secondary Replication Setups On Cisco Secure Acs Servers

    In the Network Configuration section, add the primary Cisco Secure ACS server to the AAA Servers table. For more information about adding entries to the AAA Servers table, see the “AAA Server Configuration” section on page Configure the secondary Cisco Secure ACS server to receive replicated components.
  • Page 279: Configuring A Secondary Cisco Secure Acs Server

    Distributed System Settings check box. The CiscoSecure Database Replication feature requires that you configure Cisco Secure ACS servers that are to receive replication components, that is, that you configure Cisco Secure ACS servers to act as secondary Cisco Secure ACS servers.
  • Page 280: Replicating Immediately

    Any Known CiscoSecure ACS for Windows 2000/NT Server. The Any Known CiscoSecure ACS for Windows 2000/NT Server option is limited to the Cisco Secure ACS servers listed in the AAA Servers table in Network Configuration. Step 7 Click Submit.
  • Page 281 Step 5 ... Cisco Secure ACS server to replicate its select components to, select the secondary Cisco Secure ACS server from the AAA Servers list, and then click —> (right arrow button). Step 6 To remove secondary Cisco Secure ACS servers from the Replication list, select the secondary Cisco Secure ACS server in the Replication list, and then click <—...
  • Page 282: Scheduling Replication

    Step 4 To specify which CiscoSecure database components the primary Cisco Secure ACS server is to send to its secondary Cisco Secure ACS servers, under Replication Components, select the corresponding Send check box for each database component to be sent.
  • Page 283 Note replication, a short replication interval may cause frequent failover of your AAA clients to other Cisco Secure ACS servers. If AAA clients are not properly configured to failover to other Cisco Secure ACS servers, the brief interruption in authentication service may prevent users from authenticating.
  • Page 284 Note Partners Options” section on page In the Replication Partners table, from the AAA Servers list, select the name of a secondary Cisco Secure ACS server to which you want the primary Cisco Secure ACS server to send its selected replication components.
  • Page 285: Disabling Ciscosecure Database Replication

    To acknowledge and close the message, click OK...
  • Page 286: Rdbms Synchronization

    Cisco Secure ACS HTML interface, you can alternatively maintain through this feature. RDBMS Synchronization supports addition, modification, and deletion for all data items it can access...
  • Page 287: Rdbms Synchronization Components

    Synchronization performed by a single Cisco Secure ACS server can update the internal databases of other Cisco Secure ACS servers, so that you need only configure RDBMS Synchronization on one Cisco Secure ACS server. Communication between Cisco Secure ACS servers for the purposes of RDBMS Synchronization occurs using an encrypted, Cisco-proprietary protocol.
  • Page 288: About The Accountactions Table

    CiscoSecure user database. For full details of the accountActions table format and available actions, see Appendix G, “ODBC Import Definitions.”...
  • Page 289 CiscoSecure Transactions.mdb contains a preconfigured accountActions ... CiscoSecure Transactions.mdb database are set to null. To increase ... database and in Cisco Secure ACS. Any other CiscoSecure Transactions.mdb...
  • Page 290: Cisco Secure Acs Database Recovery Using The Accountactions Table

    As long as the entire transaction log is replayed, the CiscoSecure user database is consistent with the external RDBMS application’s database. “Cisco Secure ACS Backup”...
  • Page 291: Reports And Event (Error) Handling

    For more information about the CSDBSync service log, see the “RDBMS Synchronization Log” section on page 9-34. “Considerations for Using CSV-Based Synchronization” section on page 8-30. “About the accountActions Table” section on page 8-26. For details on the format and ... Appendix G, “ODBC Import Definitions”...
  • Page 292: Considerations For Using Csv-Based Synchronization

    HTML interface never release the CSV file, so the updates to the accountActions table from your third-party system fail...
  • Page 293: Preparing For Csv-Based Synchronization

    Access the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv ... \CSDBSync ... \CSDBSync\Databases\CSV AccountActions ... Edit the OdbcUpdateTable value from accountactions.csv ... Save your changes to the registry. “Preparing for CSV-Based Synchronization” section on...
  • Page 294: Configuring A System Data Source Name For Rdbms Synchronization

    Result: A dialog box displays fields requiring information specific to the ODBC driver you selected. Step 5 In the Data Source Name box, type a descriptive name for the DSN...
  • Page 295: Rdbms Synchronization Options

    page 8-34—Defines how Cisco Secure ACS ... • Synchronization Scheduling Options, page 8-34—Defines when synchronization occurs • Synchronization Partners Options, page 8-35—Defines which Cisco Secure ACS servers are synchronized with data from the accountActions table...
  • Page 296: Rdbms Setup Options

    • time specified in the day and hour graph. The minimum resolution is one hour, and the synchronization takes place on the hour selected. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide 8-34 Chapter 8 Establishing Cisco Secure ACS System Configuration The database user account specified by the username must have sufficient privileges to read and write to the accountActions table.
  • Page 297: Synchronization Partners Options

    • ...AAA Servers table in Network Configuration for which the Cisco Secure ACS server does perform RDBMS synchronization. For more information about the AAA Servers table in Network Configuration, see the “AAA Server Configuration” section. Performing RDBMS Synchronization Immediately: You can manually start an RDBMS synchronization event.
  • Page 298 Step 5: ...Cisco Secure ACS server in the Synchronize list, and then click <— (left arrow button). Result: The selected Cisco Secure ACS server appears in the AAA Servers list.
  • Page 299: Scheduling RDBMS Synchronization

    ...click Advanced Options, and then select the RDBMS Synchronization check box. For more information about RDBMS setup, see the “RDBMS Setup Options” section on page 8-34 and the “Configuring a System Data Source Name for RDBMS Synchronization” section on page 8-32.
  • Page 300 Note: See the “Replication Partners Options” section. In the Synchronization Partners table, from the AAA Servers list, select the name of a Cisco Secure ACS server that you want this Cisco Secure ACS server to update with data from the accountActions table.
  • Page 301: Disabling Scheduled RDBMS Synchronizations

    Result: The RDBMS Synchronization Setup page appears. Step 3: Under Synchronization Scheduling, select the Manually option. Step 4: Click Submit. Result: Cisco Secure ACS does not perform scheduled RDBMS synchronizations.
  • Page 302: Cisco Secure ACS Backup

    For information about using a backup file to restore Cisco Secure ACS, see the “Cisco Secure ACS System Restore” section on page 8-45.
  • Page 303: Backup File Locations

    ...Windows Registry, such as NDG information, AAA client configuration, and administrator accounts. Backup files are stored in the ...\CSAuth\System Backups directory; see the “Backup File Names and Locations” section.
  • Page 304: Reports Of Cisco Secure ACS Backups

    Step 4: Click Backup Now. Result: Cisco Secure ACS immediately begins a backup. For the report of each backup, see Chapter 9, “Working with Logging and Reports.”
  • Page 305: Scheduling Cisco Secure ACS Backups

    Because Cisco Secure ACS is momentarily shut down during backup, if the backup interval is set too low, users might be unable to authenticate.
  • Page 306: Disabling Scheduled Cisco Secure ACS Backups

    Step 4: Click Submit. Result: Cisco Secure ACS does not continue any scheduled backups. You can still perform manual backups as needed.
  • Page 307: Cisco Secure ACS System Restore

  • Page 308 Backup files are .dmp files in the ...\CSAuth\System Backups directory, named by date and time, for example 13-Oct-1999 11-41-35.dmp. If you are not sure of the location of the latest backup file, check your scheduled backup configuration on the ACS Backup page.
  • Page 309: Components Restored

    Beneath the Directory box, Cisco Secure ACS displays the backup files in the current backup directory. If no backup files exist, <No Matching Files> appears in place of file names.
  • Page 310: Cisco Secure ACS Active Service Management

    ...ACS. The ACS Active Service Management comprises two features:
    • System Monitoring, page 8-49
    • Event Logging, page 8-51
  • Page 311: System Monitoring

    • Restart All—Restart all Cisco Secure ACS services.
    • Restart RADIUS/TACACS+—Restart only the RADIUS and TACACS+ services.
    • Reboot—Reboot the Cisco Secure ACS server.
    See the “Setting Up Event Logging” section on page 8-51.
  • Page 312: Setting Up System Monitoring

    To have Cisco Secure ACS generate a Windows event when a user attempts to log in to your network using a disabled account, select the Generate event when an attempt is made to log in to a disabled account check box. Custom actions—You can define other actions for Cisco Secure ACS to...
  • Page 313: Event Logging

    Step 3: To have Cisco Secure ACS send all events to the Windows event log, select Log all events to the NT Event log. See the “Setting Up Event Logging” section on page 8-51.
  • Page 314: IP Pools Server

    If you are using IP pooling and proxy, all accounting packets are proxied so that the Cisco Secure ACS that is assigning the IP addresses can confirm whether an IP address is already in use.
  • Page 315: Allowing Overlapping IP Pools Or Forcing Unique Pool Address Ranges

    Clicking the button prevents IP address ranges from overlapping between pools. IP pooling also requires the AAA client to have accounting (aaa accounting) enabled. See the “Setting IP...” section on page 7-11.
  • Page 316 If the Force Unique Pool Address Range button appears, click that button. Result: Cisco Secure ACS does not permit overlapping IP pool address ranges.
  • Page 317: Refreshing The AAA Server IP Pools Table

    You can refresh the AAA Server IP Pools table. This allows you to get the latest usage statistics for your IP pools. To refresh the AAA Server IP Pools table, follow these steps: Step 1: In the navigation bar, click System Configuration.
  • Page 318: Editing An IP Pool Definition

    Step 4: To change the name of the pool, in the Name box, type the new name for the IP pool. All addresses in an IP pool must be on the same Class C network, so the first three octets of the start and end addresses must be the same.
  • Page 319: Resetting An IP Pool

    For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.254.
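    The following Python is an added example for this guide, not code that ships with Cisco Secure ACS. It checks pool definitions against the two rules the guide states on pages 315 through 319: every address in a pool must lie on the same Class C network (first three octets of start and end equal, end above start and no higher than .254), and when unique pool address ranges are forced, no two pools may share an address. The pool names and address ranges are constructed sample data.

```python
"""Validate Cisco Secure ACS style IP pool definitions offline.

Added example for this guide, not code shipped with Cisco Secure ACS.
Pool names and addresses below are constructed sample data.
"""
import ipaddress


def validate_pool(name, start, end):
    """Return a list of problems with one pool definition; empty means valid."""
    s = ipaddress.IPv4Address(start)
    e = ipaddress.IPv4Address(end)
    problems = []
    # Same Class C network: the first three octets must agree.
    if s.packed[:3] != e.packed[:3]:
        problems.append(f"{name}: {s} and {e} are not on the same Class C network")
        return problems
    # Host part: start at least .1 and end at most .254, so the network (.0)
    # and broadcast (.255) addresses are never handed out.
    if s.packed[3] < 1:
        problems.append(f"{name}: start address {s} is the network address")
    if e.packed[3] > 254:
        problems.append(f"{name}: end address {e} is the broadcast address")
    if e <= s:
        problems.append(f"{name}: end address {e} must be greater than start {s}")
    return problems


def overlapping_pools(pools):
    """Return (name_a, name_b) pairs whose ranges share at least one address."""
    ranges = sorted(
        (int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end)), name)
        for name, start, end in pools
    )
    overlaps = []
    for i, (lo_a, hi_a, name_a) in enumerate(ranges):
        for lo_b, hi_b, name_b in ranges[i + 1:]:
            if lo_b > hi_a:
                break  # sorted by start address: no later pool can overlap this one
            overlaps.append((name_a, name_b))
    return overlaps


def check_pools(pools):
    """Validate every pool, then look for overlaps among the valid ones."""
    problems = []
    valid = []
    for name, start, end in pools:
        found = validate_pool(name, start, end)
        problems.extend(found)
        if not found:
            valid.append((name, start, end))
    for a, b in overlapping_pools(valid):
        problems.append(f"{a} and {b} overlap; Force Unique Pool Address Range would reject this")
    return problems


# Constructed sample pool table.
SAMPLE_POOLS = [
    ("dialup-a", "192.168.1.1", "192.168.1.100"),
    ("dialup-b", "192.168.1.50", "192.168.1.200"),   # overlaps dialup-a
    ("dialup-c", "192.168.2.10", "192.168.3.20"),    # crosses a Class C boundary
    ("vpn", "10.0.0.1", "10.0.0.254"),
]

if __name__ == "__main__":
    for line in check_pools(SAMPLE_POOLS):
        print(line)
```

    Run against the sample table, check_pools() reports the Class C violation in dialup-c and the dialup-a/dialup-b overlap; the overlap scan sorts pools by start address so each pool is compared only with the pools that can still overlap it.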
  • Page 320: Deleting An IP Pool

    Step 2 Result: The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use.
  • Page 321: IP Pools Address Recovery

    ...IP pool. To continue with deleting the IP pool, click OK. Step 5 Result: The IP pool is deleted. The AAA Server IP Pools table does not list the deleted IP pool. IP Pools Address Recovery: The IP Pools Address Recovery feature enables you to recover assigned IP addresses that have not been used for a specified period of time.
  • Page 322: VoIP Accounting Configuration

    • ...appends VoIP accounting data to the RADIUS accounting data. To view the data, you can use RADIUS Accounting under Reports and Activity.
  • Page 323: Configuring VoIP Accounting

    If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Accounting Configuration check box. See Chapter 9, “Working with Logging and Reports.”
  • Page 324: Background On Certification

    ...(such as the Catalyst 6000 product line), and Cisco Aironet Wireless solutions. In addition, Cisco Secure ACS needs to generate or enroll into an existing PKI and be granted an X.509 v3 digital certificate.
  • Page 325: EAP-TLS Setup Overview

    • You must only employ certificates that meet the X.509 v3 digital certificate standard.
    • The certificate’s intended purpose must include server authentication.
    See the “Certification Authority Setup” section on page 8-70.
  • Page 326: Generating A Request For A Certificate

    Result: If you are accessing this page for the first time, Cisco Secure ACS displays the Install new certificate table on the ACS Certificate Setup page. (If you have already installed a server certificate, information on it is displayed.)
  • Page 327 Now your certificate signing request is ready. You can copy and paste it into any certification authority enrollment tool. The example private key file path on this page is c:\privateKeyFile.pem; protect that file, because anyone who obtains the private key can impersonate the Cisco Secure ACS server.
  • Page 328: Installing Cisco Secure ACS Certification With Manual Enrollment

    Result: Cisco Secure ACS displays the Install new certificate table on the ACS Certificate Setup page. Step 3: Select the Manual certificate enrollment option. See the “Generating a Request for a Certificate” section.
  • Page 329 The installed certificate information shows:
    • Issued to: certificate subject
    • Issued by: CA common name
    • Valid from
    • Valid to
    • Validity
  • Page 330: Installing Cisco Secure ACS Certification With Automatic Enrollment

    ...Installed Certificate Information table. Step 3: Select the Automatic certificate enrollment option in the lower portion of the page.
  • Page 331: Performing Cisco Secure ACS Certification Update Or Replacement

    To install a new ACS certificate, follow these steps: Step 1: In the navigation bar, click System Configuration. Step 2: Click ACS Certificate Setup.
  • Page 332: Certification Authority Setup

    ...CA that issued the Cisco Secure ACS Server Certificate, but there is no need to add it to the CTL.
  • Page 333: Trust Requirements And Models

    We recommend that you fully understand the implications of your trust model before editing the CTL in Cisco Secure ACS. Every CA on the CTL is trusted to issue the user certificates accepted for EAP-TLS, so add only CAs you control or explicitly rely on.
  • Page 334: Editing The Certificate Trust List

    Use this procedure to add a new certificate to local certificate storage. You must perform this procedure for the CA that issued your server certificate to distinguish it from CAs trusted to issue user certificates. See the “Trust Requirements and Models” section.
  • Page 335: Global Authentication Setup

    In particular, you use this procedure to allow either EAP-MD5 or EAP-TLS, and to allow either MS-CHAP Version 1 or MS-CHAP Version 2, or both. Enable only the protocols your clients actually need; EAP-MD5 and MS-CHAP Version 1 are the weaker choice in each pair.
  • Page 336 Step 5: Click Submit + Restart. Result: Cisco Secure ACS restarts its services and implements the authentication configuration options you selected.
  • Page 337 Working with Logging and Reports: Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) produces a wide variety of logs and provides a way to view most of these logs in the Cisco Secure ACS HTML interface as HTML reports.
  • Page 338: Working With Logging And Reports

    In the case of a Windows NT/2000 user database, this attribute contains the name of the domain that authenticated the user. See the “User Data Configuration Options” section on page 3-3.
  • Page 339: Update Packets In Accounting Logs

    ...AAA client to send update packets, refer to the documentation for your AAA clients. For more information, see the “Configuring an ODBC Log” section on page 9-27.
  • Page 340: About Cisco Secure ACS Logs And Reports

    The accounting logs include:
    • TACACS+ Accounting Log, page 9-5
    • TACACS+ Administration Log, page 9-6
    See also the “Service Logs” section.
  • Page 341 ODBC—For instructions on how to enable the ODBC TACACS+ Accounting log, see the “Configuring an ODBC Log” section on page 9-27. For viewing, see the “Viewing a CSV Report” section on page 9-20.
  • Page 342 For instructions on viewing the TACACS+ Administration report in the HTML interface, see the “Viewing a CSV Report” section on page 9-20. CSV—The default location for CSV TACACS+ Accounting files is Program Files\CiscoSecure ACS v... For instructions on configuring the CSV TACACS+ Accounting log, see the “Configuring a CSV Log” section.
  • Page 343 ODBC—For instructions on how to enable the ODBC RADIUS Accounting log, see the “Configuring an ODBC Log” section on page 9-27. See also the “Logging Formats” section. The default location for CSV TACACS+ Administration files is ...\Logs\TACACS+Administration.
  • Page 344 Viewing a VoIP Accounting Report—For instructions on viewing the VoIP Accounting report in the HTML interface, see the corresponding section. CSV—The default location for CSV RADIUS Accounting files is Program Files\CiscoSecure ACS v... For instructions on configuring the CSV RADIUS Accounting log, see the “Configuring a CSV Log” section.
  • Page 345 ODBC—For instructions on configuring the ODBC Failed Attempts log, see the “Configuring an ODBC Log” section. See also the “Logging Formats” section. The default location for CSV VoIP Accounting files is ...\Logs\VoIP Accounting.
  • Page 346: Passed Authentications Log

    The Dynamic Cisco Secure ACS Administration reports include:
    • Logged-In Users Report, page 9-11
    • Disabled Accounts Report, page 9-14
    See also the “Enabling or Disabling a CSV Log” section on page 9-19.
  • Page 347: Logged-In Users Report

    The All AAA Clients entry shows the total number of users logged in.
  • Page 348 ...Without the AAA client sending an accounting stop packet to the Cisco Secure ACS server, the Logged-in Users Report continues to show the user. Deleting logged-in users from a AAA client ends the accounting for those user sessions.
  • Page 349 Result: Cisco Secure ACS displays a message indicating the number of users purged from the report and the IP address of the AAA client.
  • Page 350: Disabled Accounts Report

    Result: Cisco Secure ACS opens the user account for editing. For more information about editing a user account, see the “...Options” section.
  • Page 351: Cisco Secure ACS System Logs

    The default location for ACS Backup and Restore files is Program Files\CiscoSecure ACS v...\Logs\Backup and Restore. See the “Viewing a CSV Report” section on page 9-20.
  • Page 352: RDBMS Synchronization Log

    ...CSV file, viewable in the HTML interface. There are no configuration options for the Database Replication log. The default location for RDBMS Synchronization files is Program Files\CiscoSecure ACS v...
  • Page 353: Administration Audit Log

    Every month—Cisco Secure ACS generates a new Administrative Audit CSV file at the start of each month. The default location for Administration Audit files is ...\Logs\AdminAudit. See the “Viewing a CSV Report” section on page 9-20.
  • Page 354: ACS Service Monitoring Log

    ...ACS Service Monitoring log, see the “Cisco Secure ACS Active Service Management” section. The default location for ACS Service Monitoring files is Program Files\CiscoSecure ACS v...
  • Page 355: Working With CSV Logs

    ...CSV log, see the “Configuring a CSV Log” section on page 9-22. CSV log files are named with the log name followed by the date, for example Database Replication 1999-10-13.csv.
  • Page 356: TACACS+ Accounting Log

    Viewing a CSV Report: The reports to which this procedure applies are:
    • TACACS+ Accounting
    • TACACS+ Administration
    • RADIUS Accounting
  • Page 357 ...CSV report files. For example, a file whose name ends in 1999-10-05.csv was created on October 5, 1999. For instructions, see the “Date Format Control” section.
  • Page 358: Configuring A CSV Log

    The logs to which this procedure applies are:
    • TACACS+ Accounting
    • TACACS+ Administration
    ...
  • Page 359 Result: The attribute moves to the Logged Attributes list. Use the vertical scroll bar to find attributes not visible in the list box.
  • Page 360 ...Cisco Secure ACS should retain a CSV file before deleting it. Step 10: Click Submit. Result: Cisco Secure ACS implements the CSV log configuration that you specified.
  • Page 361: Working With ODBC Logs

    Result: You can now configure individual ODBC logs. For instructions, see the “Configuring an ODBC Log” section on page 9-27 and the “Configuring a System Data Source Name for ODBC Logging” section on page 9-26.
  • Page 362: Configuring A System Data Source Name For ODBC Logging

    ...Cisco Secure ACS server. The name you assigned to the DSN appears in the Data Source list on each ODBC log configuration page.
  • Page 363: Configuring An ODBC Log

    Result: The attribute moves to the Logged Attributes list. Use the vertical scroll bar to find attributes not visible in the list box. See the “Preparing to Use ODBC Logging” section.
  • Page 364 ...Microsoft SQL Server. The table name is the name specified in the Table Name box. The column names are the attributes specified in the Logged Attributes list. The user must have sufficient privileges in the relational database to write the ODBC logging data to the appropriate table.
  • Page 365: Remote Logging

    • In order for ODBC logging to work, the table name and the column names must match exactly the names in the generated SQL.
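    The following Python is an added example for this guide, not code that ships with Cisco Secure ACS. Pages 364 and 365 say ACS generates a CREATE TABLE statement for Microsoft SQL Server from the Table Name box and the Logged Attributes list, and that ODBC logging only works when the live table's name and column names match that statement exactly. build_create_table() produces an approximation of such a statement (the bracket quoting and the varchar(255) column type are this example's assumptions, not ACS's real output); schema_mismatches() performs the case-sensitive comparison a practitioner wants to run against the real table before enabling the log. The table and attribute names are constructed sample data.

```python
"""Check an ODBC logging table against the names Cisco Secure ACS generates.

Added example for this guide, not code shipped with Cisco Secure ACS.
The generated-SQL shape (bracket quoting, varchar(255)) is an assumption;
table and attribute names below are constructed sample data.
"""
import re


def build_create_table(table, attributes):
    """Approximate the generated statement: one varchar column per logged attribute."""
    columns = ",\n".join(f"    [{name}] varchar(255)" for name in attributes)
    return f"CREATE TABLE [{table}] (\n{columns}\n)"


def parse_create_table(sql):
    """Return (table_name, [column_names]) from a bracket-quoted CREATE TABLE."""
    match = re.match(r"\s*CREATE TABLE \[(?P<table>[^\]]+)\]\s*\((?P<body>.*)\)\s*$", sql, re.S)
    if not match:
        raise ValueError("not a CREATE TABLE statement in the expected form")
    # One column definition per line; take the bracketed name at the start of each.
    columns = re.findall(r"^\s*\[([^\]]+)\]", match.group("body"), re.M)
    return match.group("table"), columns


def schema_mismatches(generated_sql, actual_table, actual_columns):
    """Compare case-sensitively, as the guide's 'match exactly' requires.

    Returns a list of human-readable differences; an empty list means the
    live table will accept the INSERT statements built from the same names.
    """
    expected_table, expected_columns = parse_create_table(generated_sql)
    problems = []
    if actual_table != expected_table:
        problems.append(f"table name {actual_table!r} does not match {expected_table!r}")
    actual_by_lower = {c.lower(): c for c in actual_columns}
    expected_lower = {c.lower() for c in expected_columns}
    for column in expected_columns:
        if column in actual_columns:
            continue
        if column.lower() in actual_by_lower:
            problems.append(
                f"column {column!r} exists only as {actual_by_lower[column.lower()]!r} (case differs)")
        else:
            problems.append(f"column {column!r} is missing")
    for column in actual_columns:
        # Case variants were already reported above; flag only truly foreign columns.
        if column not in expected_columns and column.lower() not in expected_lower:
            problems.append(f"column {column!r} is not in the generated SQL")
    return problems


# Constructed sample: attribute names chosen for a Failed Attempts log.
SAMPLE_TABLE = "ACSFailedAttempts"
SAMPLE_ATTRIBUTES = ["Date", "Time", "User-Name", "Group-Name",
                     "Caller-Id", "NAS-IP-Address", "Authen-Failure-Code"]

if __name__ == "__main__":
    generated = build_create_table(SAMPLE_TABLE, SAMPLE_ATTRIBUTES)
    print(generated)
    live_columns = ["Date", "Time", "user-name", "Group-Name", "Caller-Id", "NAS-IP-Address"]
    for problem in schema_mismatches(generated, "acsfailedattempts", live_columns):
        print("mismatch:", problem)
```

    The comparison is deliberately case-sensitive: a table created by hand as acsfailedattempts with a user-name column looks right in a case-insensitive database but is exactly the kind of mismatch the guide warns will make ODBC logging fail.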
  • Page 366: About Remote Logging

    The Remote Logging feature enables you to centralize accounting logs generated by multiple Cisco Secure ACS servers. You can configure each Cisco Secure ACS to point to a single Cisco Secure ACS that is to be used as the logging server. The logging Cisco Secure ACS server can still perform its AAA duties, but it also is the repository for accounting logs it receives.
  • Page 367: Remote Logging Options

    Cisco Secure ACS servers configured to do remote logging. Configuring a central logging server consists entirely of making sure that all Cisco Secure ACS servers that are to send their accounting data are defined in the central logging server’s AAA Servers table.
  • Page 368: Enabling And Configuring Remote Logging

    To send this Cisco Secure ACS server’s accounting information to a single Cisco Secure ACS server, select the Log to Subsequent Selected Hosts on Failure option. See the “Configuring a Central Logging Server” section.
  • Page 369: Disabling Remote Logging

    Click —> (right arrow button) to move the selected Cisco Secure ACS server to the Log To list. Step 7: To assign an order to the servers in the Log To list, click Up and Down to move selected Cisco Secure ACS servers until you have created the order you need. Step 8: Click Submit.
  • Page 370: Service Logs

    Cisco Secure ACS generates logs for the following services:
    • CSAdmin
    • CSAuth
    • CSDBSync
    • CSLog
    • CSMon
    • CSRadius
    • CSTacacs
    See also Appendix H.
  • Page 371: Configuring Service Logs

    • Every Day—Cisco Secure ACS generates a new log file at 12:01 A.M. local time every day.
    • Every Week—Cisco Secure ACS generates a new log file at 12:01 A.M. local time every Sunday.
  • Page 372 ...Generate New File. Note: Settings under Generate New File have no effect if you selected None under Level of detail.
  • Page 373 ...Cisco Secure ACS should retain a service log file before deleting it. Step 6: Click Restart. Result: Cisco Secure ACS restarts its services and implements the service log settings you specified.
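    The following Python is an added example for this guide, not code that ships with Cisco Secure ACS. It works with the log file conventions described on pages 355 through 373: CSV logs are named "<log name> YYYY-MM-DD.csv" (for example "Database Replication 1999-10-13.csv"), a new service log file is generated at 12:01 A.M. local time every day or every Sunday, and you can set how many files ACS retains before deleting old ones. The directory listing is constructed sample data, and applying the retention count separately per log name is this example's assumption about how the setting behaves.

```python
"""Reason about Cisco Secure ACS log file names and rotation settings.

Added example for this guide, not code shipped with Cisco Secure ACS.
The directory listing is constructed; per-log retention is an assumption.
"""
import re
from datetime import datetime, timedelta

FILENAME_RE = re.compile(r"^(?P<log>.+) (?P<date>\d{4}-\d{2}-\d{2})\.csv$")


def parse_log_filename(name):
    """Return (log_name, 'YYYY-MM-DD') for an ACS-style CSV file name, else None."""
    match = FILENAME_RE.match(name)
    if not match:
        return None
    try:
        datetime.strptime(match.group("date"), "%Y-%m-%d")  # reject impossible dates
    except ValueError:
        return None
    return match.group("log"), match.group("date")


def files_to_delete(names, keep):
    """For each log, list the files beyond the `keep` most recent, oldest first."""
    by_log = {}
    for name in names:
        parsed = parse_log_filename(name)
        if parsed:
            log, day = parsed
            by_log.setdefault(log, []).append((day, name))
    doomed = []
    for entries in by_log.values():
        entries.sort()  # ISO dates sort chronologically as plain strings
        doomed.extend(name for _, name in entries[: max(0, len(entries) - keep)])
    return doomed


def next_rotation(now, schedule):
    """Next 12:01 A.M. local boundary for schedule 'day' or 'week' (weeks roll on Sunday)."""
    boundary = now.replace(hour=0, minute=1, second=0, microsecond=0)
    if schedule == "day":
        if boundary <= now:
            boundary += timedelta(days=1)
        return boundary
    if schedule == "week":
        boundary += timedelta(days=(6 - now.weekday()) % 7)  # Monday=0 ... Sunday=6
        if boundary <= now:
            boundary += timedelta(days=7)
        return boundary
    raise ValueError(f"unknown schedule {schedule!r}")


def next_rotation_iso(now_iso, schedule):
    """String-in, string-out wrapper around next_rotation()."""
    return next_rotation(datetime.fromisoformat(now_iso), schedule).isoformat()


# Constructed directory listing.
SAMPLE_LISTING = [
    "Database Replication 1999-10-13.csv",
    "Database Replication 1999-10-12.csv",
    "Database Replication 1999-10-11.csv",
    "Database Replication 1999-10-10.csv",
    "TACACS+ Accounting 1999-10-13.csv",
    "TACACS+ Accounting 1999-10-05.csv",
    "readme.txt",
]

if __name__ == "__main__":
    print(files_to_delete(SAMPLE_LISTING, keep=2))
    print(next_rotation_iso("1999-10-13T09:00:00", "week"))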
  • Page 374
  • Page 375: Setting Up And Managing Administrators And Policy

    This chapter addresses the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) features found in the Administration Control section of the HTML interface. It contains the following sections:
    • Administrator Accounts, page 10-1
    ...
  • Page 376: Chapter 10 Setting Up And Managing Administrators And Policy

    ...User Setup and Group Setup sections of the HTML interface:
    – Add/Edit users in these groups—Enables the administrator to add or edit users and to assign users to the groups in the Editable groups list.
  • Page 377 – DB Replication—For more information about this feature, see the “CiscoSecure Database Replication” section on page 8-2. See also the “Date Format Control” section on page 8-3.
  • Page 378 • External User Databases—Allows the administrator full access to the features in the External User Databases section of the HTML interface. See also the “RDBMS Synchronization” section.
  • Page 379 Related sections: “Passed Authentications Log,” “Deleting Logged-in Users,” “ACS Backup and Restore Log,” and “RDBMS Synchronization Log.”
  • Page 380: Adding An Administrator Account

    Result: All privileges options are selected. All user groups move to the Editable groups list. To clear all privileges, including user group editing privileges for all user groups, click Revoke All. The Administrator Name can contain special characters, including spaces.
  • Page 381: Editing An Administrator Account

    You can edit a Cisco Secure ACS administrator account to change the privileges granted to the administrator. You can effectively disable an administrator account by revoking all privileges.
  • Page 382 To clear all privileges, including user group editing privileges for all user groups, click Revoke All. Result: All privileges options are cleared. All user groups move to the Available groups list.
  • Page 383: Deleting An Administrator Account

    To delete a Cisco Secure ACS administrator account, follow these steps: Step 1: In the navigation bar, click Administration Control. Result: Cisco Secure ACS displays the Administration Control page.
  • Page 384: Access Policy

    • IP Address Filtering—Contains the following IP address filtering options:
      – Allow all IP addresses to connect—Allow remote access to the HTML interface from any IP address.
      – ...
  • Page 385 An unauthorized user would have to impersonate, or “spoof,” the IP address of a legitimate remote host to make use of the active administrative session HTTP port. IP address filtering narrows who can reach that port, but it is not a substitute for administrator credentials, so keep the HTML interface reachable only from management networks.
  • Page 386: Setting Up Access Policy

    To allow Cisco Secure ACS to use any valid TCP port for administrative sessions, either local or remote, select the Allow any TCP ports to be used for Administration HTTP Access option. Restricting the range to the ports your firewall actually permits is the more conservative choice.
  • Page 387: Session Policy

    If the administrator chooses to continue, Cisco Secure ACS starts a new administrative session.
  • Page 388: Setting Up Session Policy

    To define the number of minutes of inactivity after which Cisco Secure ACS ends an administrative session, in the Session idle timeout (minutes) box, type the number of minutes.
  • Page 389 If the Lock out Administrator after x successive failed attempts check box is selected, the x box cannot be set to zero.
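    The following Python is an added example for this guide, not code that ships with Cisco Secure ACS. It models the Administration Control settings from pages 384 through 389 so a policy can be exercised offline before it is applied. Access Policy: IP address filtering (the guide quotes only "Allow all IP addresses to connect"; the "allow_listed" and "reject_listed" modes over start/end address ranges are this example's reading of the remaining options) and the choice between any TCP port and a fixed port range for administrative HTTP sessions. Session Policy: an idle timeout in minutes and lockout after x successive failed attempts, where x cannot be zero when lockout is enabled. The addresses, administrator names and event sequence are constructed; port 2002 is used because it is the port on which the ACS HTML interface accepts the initial connection.

```python
"""Model Cisco Secure ACS Administration Control settings to test a policy offline.

Added example for this guide, not code shipped with Cisco Secure ACS.
The allow_listed / reject_listed modes are an assumption about the
options the guide does not quote; all sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessPolicy:
    mode: str = "allow_all"                       # "allow_all" | "allow_listed" | "reject_listed"
    ranges: list = field(default_factory=list)    # [(start_ip, end_ip), ...]
    any_tcp_port: bool = True
    port_range: tuple = (None, None)              # used only when any_tcp_port is False

    def _listed(self, addr):
        a = ipaddress.IPv4Address(addr)
        return any(ipaddress.IPv4Address(lo) <= a <= ipaddress.IPv4Address(hi)
                   for lo, hi in self.ranges)

    def permits(self, addr, port):
        """True if a connection from addr to port may reach the login page at all."""
        if self.mode == "allow_listed" and not self._listed(addr):
            return False
        if self.mode == "reject_listed" and self._listed(addr):
            return False
        if not self.any_tcp_port:
            lo, hi = self.port_range
            if not (lo <= port <= hi):
                return False
        return True


@dataclass
class SessionPolicy:
    idle_timeout_minutes: int = 60
    lockout_after: Optional[int] = None   # None: the lockout check box is cleared

    def __post_init__(self):
        # Mirrors the guide: with lockout selected, x cannot be set to zero.
        if self.lockout_after is not None and self.lockout_after < 1:
            raise ValueError("lockout threshold cannot be zero when lockout is enabled")


class AdminControl:
    """Tracks per-administrator failure counts, lockouts and idle sessions."""

    def __init__(self, access, session):
        self.access = access
        self.session = session
        self.failures = {}    # admin -> successive failed logins
        self.locked = set()
        self.last_seen = {}   # admin -> minute of last activity (open session)

    def login(self, admin, addr, port, password_ok, now):
        """Return 'denied', 'locked', 'failed' or 'ok'."""
        if not self.access.permits(addr, port):
            return "denied"            # filtered before credentials are examined
        if admin in self.locked:
            return "locked"
        if not password_ok:
            self.failures[admin] = self.failures.get(admin, 0) + 1
            threshold = self.session.lockout_after
            if threshold is not None and self.failures[admin] >= threshold:
                self.locked.add(admin)
                return "locked"
            return "failed"
        self.failures[admin] = 0       # a success resets the successive count
        self.last_seen[admin] = now
        return "ok"

    def activity(self, admin, now):
        """True if the session is still open; False (and ended) if it idled out."""
        last = self.last_seen.get(admin)
        if last is None:
            return False
        if now - last > self.session.idle_timeout_minutes:
            del self.last_seen[admin]
            return False
        self.last_seen[admin] = now
        return True


def lockout_zero_rejected():
    """True if SessionPolicy refuses a zero lockout threshold, as the guide requires."""
    try:
        SessionPolicy(idle_timeout_minutes=15, lockout_after=0)
    except ValueError:
        return True
    return False


def demo():
    """Replay a constructed sequence of events and return the outcomes."""
    control = AdminControl(
        AccessPolicy("allow_listed", [("10.1.0.1", "10.1.0.254")],
                     any_tcp_port=False, port_range=(2002, 2002)),
        SessionPolicy(idle_timeout_minutes=15, lockout_after=3),
    )
    return [
        control.login("admin", "192.0.2.9", 2002, True, 0),    # outside the listed range
        control.login("admin", "10.1.0.20", 8080, True, 0),    # wrong port
        control.login("admin", "10.1.0.20", 2002, False, 1),
        control.login("admin", "10.1.0.20", 2002, False, 2),
        control.login("admin", "10.1.0.20", 2002, False, 3),   # third failure locks
        control.login("admin", "10.1.0.20", 2002, True, 4),    # correct password, still locked
        control.login("ops", "10.1.0.21", 2002, True, 5),
        control.activity("ops", 15),                           # 10 minutes idle: open
        control.activity("ops", 40),                           # 25 minutes idle: ended
    ]
```

    The order of checks matches the guide's layering: IP and port filtering stop a connection before any credential is examined, the lockout counter only advances for connections that got through, and the idle timeout is enforced against the time of the last request rather than the login time.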
  • Page 390: Audit Policy

    The Audit Policy feature controls the generation of the Administrative Audit log. For more information about enabling, viewing, or configuring the Administrative Audit log, see the “Administration Audit Log” section on page 9-17.
  • Page 391 Working with User Databases Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) authenticates users against one of several possible databases, including its internal database. You can configure Cisco Secure ACS to authenticate users with more than one type of database. This flexibility enables...
  • Page 392: Chapter 11 Working With User Databases

    For more information about specifying an external user database for authentication of a user, see the “Adding a Basic User Account” section on page 7-5.
  • Page 393 ...CiscoSecure user database. As always, user settings override group settings. See also the “Adding a Basic User Account,” “CiscoSecure Database Replication,” “RDBMS Synchronization,” and “Administering External...” sections, and the CSUtil.exe appendix.
  • Page 394: About External User Databases

    • RADIUS-based token servers, including:
      – ActivCard token servers
      – CRYPTOCard token servers
      – Vasco token servers
      – Generic RADIUS token servers
    See also Chapter 12.
  • Page 395: Authenticating With External User Databases

    ...Cisco Secure ACS components. You must also specify in User Setup that a token card server is to be used. For RADIUS-based token servers, such as ActivCard, CRYPTOCard, and Vasco, the standard RADIUS interface serves as the third-party API. Authenticating with External User Databases: Authenticating users with an external user database requires more than configuring Cisco Secure ACS to communicate with an external user database.
  • Page 396: Windows Nt/2000 User Database

    Windows NT/2000 user database already exists, Cisco Secure ACS can leverage the work already invested in building the database without any additional input. This eliminates the need for separate databases.
  • Page 397: Databases

    Windows NT/2000 database, it is Cisco Secure ACS that grants authorization privileges. See Figure 11-2 on page 11-8.
  • Page 398: Trust Relationships

    Trust Relationships Cisco Secure ACS can take advantage of trust relationships that have been established between Windows NT/2000 servers. If the domain that contains the Cisco Secure ACS server trusts another domain, Cisco Secure ACS can authenticate users whose accounts reside in the other domain. Cisco Secure ACS can also reference the Grant dialin permission to user setting across trusted domains.
  • Page 399: Windows Dial-Up Networking Clients

    For more information about the implications of completing or leaving the domain field blank, see the “Windows NT/2000 Authentication” section on page 11-10.
  • Page 400: About The Windows 95/98/Millennium Edition Dial-Up Networking Client

    In this case, the privileges assigned upon authentication will be those associated with the account in the first domain with a
    You also have the option of prefixing your username with the name of the domain you want to log in to.
  • Page 401 Cisco Secure ACS tries each domain in the Domain List explicitly, resulting in failed attempts for identical usernames that reside in different domains.
  • Page 402: User-Changeable Passwords With Windows Nt/2000 User Databases

    Computers, clear the following User Properties check boxes:
    • User must change password at next logon
    • Account disabled
  • Page 403: Configuring A Windows Nt/2000 External User Database

    Result: Cisco Secure ACS lists the new configuration in the External User Database Configuration table.
    Step 5 Click Configure.
    Result: The Windows NT/2000 User Database Configuration page appears.
  • Page 404: Generic Ldap

    LDAP database does not affect the configuration of the LDAP database. To manage your LDAP database, see your LDAP database documentation.
    Windows dialin permission is enabled in the Dialin section of user properties in Windows NT and on the Dial-in tab of the user properties in Windows 2000.
  • Page 405: Cisco Secure Acs Authentication Process With A Generic Ldap User Database

    While the group to which a user is assigned can be determined by information from the LDAP server, it is Cisco Secure ACS that grants authorization privileges. See Figure 11-3 on page 11-16.
  • Page 406: Multiple Ldap Instances

    LDAP instances for each user directory subtree and group directory subtree combination for which Cisco Secure ACS should submit authentication requests.
  • Page 407: Ldap Organizational Units And Groups

    LDAP server, such as when the server is down or is otherwise unreachable by the Cisco Secure ACS server. To use this feature, you must define the primary and secondary LDAP servers on the LDAP Database Configuration page. Also, you must select the On Timeout Use Secondary check box.
  • Page 408: Successful Previous Authentication With The Primary Ldap Server

    Cisco Secure ACS attempts to connect to the primary LDAP server first. If Cisco Secure ACS cannot connect to the primary LDAP server, it then attempts to connect to the secondary LDAP server.
  • Page 409: Configuring A Generic Ldap External User Database

    Configuration Creation table appears. Otherwise, in addition to the Database Configuration Creation table, the External User Database Configuration table appears.
    The user authenticates against only one LDAP database.
  • Page 410 Strip Markup check box. To pass the username to the LDAP database without removing the characters defined in Domain Markup, clear the Strip Markup check box.
  • Page 411 User Directory Subtree box. This is configured when you set up your LDAP database. For more information, refer to your LDAP database documentation.
  • Page 412 Step 19 In the Failback Retry Delay box, type the number of minutes after the primary LDAP server fails to authenticate a user that Cisco Secure ACS resumes sending authentication requests to the primary LDAP server first.
  • Page 413 LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree.
  • Page 414: Novell Nds Database

    Novell NDS Database Cisco Secure ACS supports PAP authentication with Novell NetWare Directory Services (NDS) servers. To use NDS authentication, you must have a Novell NDS database. Configuring Cisco Secure ACS to authenticate against an NDS database does not affect the configuration of the NDS database. To manage your NDS database, refer to your NDS database documentation.
  • Page 415: User Contexts

    NDS database.
  • Page 416 Table 11-1 lists the users given in the example tree and the username with context.
    Table 11-1 Example Usernames with Contexts
    User         Valid Username With Context
    Agamemnon    Agamemnon
    Odysseus     Odysseus.marketing
    Penelope     Penelope.marketing-research.marketing
    Telemachus   ...
  • Page 417: Novell Nds External User Database Options

    Users can provide a portion of their context when they log in. For more information, see the “User Contexts” section on page 11-25.
  • Page 418: Configuring A Novell Nds External User Database

    Type a name for the new configuration for Novell NDS Authentication in the box provided. Click Submit. Result: Cisco Secure ACS lists the new configuration in the External User Database Configuration table.
  • Page 419 Chapter 7, “Setting Up and Managing User Accounts.” “Unknown User Processing” section on page 12-1. For more...
  • Page 420: Odbc Database

    • PAP Procedure Output, page 11-37
    • CHAP/MS-CHAP/ARAP Authentication Procedure Input, page 11-38
    • CHAP/MS-CHAP/ARAP Procedure Output, page 11-38
    • Result Codes, page 11-39
  • Page 421: Cisco Secure Acs Authentication Process With An Odbc External User Database

    Figure 11-4. Upon receiving the response from the ODBC database, Cisco Secure ACS instructs the requesting AAA client to grant or deny the user access, depending upon the response from the ODBC database.
  • Page 422: Preparing To Authenticate Users With An Odbc-Compliant Relational Database

    Authenticating users with an ODBC-compliant relational database requires that you complete several significant steps external to Cisco Secure ACS before configuring Cisco Secure ACS with an ODBC external user database.
  • Page 423: Implementation Of Stored Procedures For Odbc Authentication

  • Page 424: Type Definitions

    Telnet login, the password might not be case sensitive, depending on how the case-sensitivity option is set on the SQL Server. For example, an Oracle database
  • Page 425: Sample Routine For Generating A Pap Authentication Sql Procedure

    GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
  • Page 426: Sample Routine For Generating An Sql Chap Authentication Procedure

    GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
    PAP Authentication Procedure Input
    Table 11-2 procedure supporting PAP authentication. The stored procedure should accept the named input values as variables.
  • Page 427: Pap Procedure Output

    0-16 characters. A third-party defined string is added to subsequent account log file entries.
    0-255 characters. A third-party defined string is written to the CSAuth service log file if an error occurs.
  • Page 428: Chap/Ms-Chap/Arap Authentication Procedure Input

    The input name is for guidance only. A procedure variable created from it can have a different name.
    CHAP/MS-CHAP/ARAP Procedure Output
    The stored procedure must return a single row containing the non-null fields. Table 11-5 stored procedure.
  • Page 429: Result Codes

    CSAuth service log file if an error occurs. 0-255 characters. The password is authenticated by Cisco Secure ACS for CHAP authentication.
    Table 11-6 Result Codes
    Meaning
    Authentication successful
    Unknown username
    Invalid password
  • Page 430: Configuring A System Data Source Name For An Odbc External User Database

    Select the driver you need to use with your new DSN, and then click Finish. Result: A dialog box displays fields requiring information specific to the ODBC driver you selected.
  • Page 431: Configuring An Odbc External User Database

    Step 2 Click Database Configuration.
    Result: Cisco Secure ACS displays a list of all possible external user database types.
    Step 3 Click External ODBC Database.
  • Page 432 Step 10 To change the ODBC worker thread count, in the ODBC Worker Threads box, type the number of ODBC worker threads. The maximum thread count is 10. The default is 1.
  • Page 433 PAP SQL Procedure box. If it does not, be sure to create it in the ODBC database before attempting to authenticate users against the ODBC database.
  • Page 434: Leap Proxy Radius Server Database

    MS-CHAP authentication. You can use the LEAP Proxy RADIUS Server database to authenticate users with any third-party RADIUS server that supports MS-CHAP authentication.
    If you enabled CHAP/MS-CHAP/ARAP authentication, the...
  • Page 435: Configuring A Leap Proxy Radius Server External User Database

    Configuration Creation table appears. Otherwise, in addition to the Database Configuration Creation table, the External User Database Configuration table appears.
  • Page 436 • Timeout (seconds):—The number of seconds Cisco Secure ACS waits before sending notification to the user that the authentication attempt has timed out.
  • Page 437: Token Server User Databases

    Accounts.” Token Server User Databases Cisco Secure ACS supports the use of token servers for the increased security provided by one-time passwords (OTPs). This section includes the following topics:
    • About Token Servers and Cisco Secure ACS, page 11-48
  • Page 438: About Token Servers And Cisco Secure Acs

    Cisco Secure ACS then maintains the accounting information. Cisco Secure ACS acts as a client to the token server. For the token servers supported, Cisco Secure ACS accomplishes this in one of two ways. The first method uses the token server’s RADIUS interface.
  • Page 439: Radius-Enabled Token Servers

    RADIUS-Enabled Token Servers This section describes Cisco Secure ACS support for token servers that provide a standard RADIUS interface. About RADIUS-Enabled Token Servers Cisco Secure ACS can support token servers using the RADIUS server built into the token server.
  • Page 440: Token Server Radius Authentication Request And Response Contents

    Cisco Secure ACS to authenticate users with it. For information about installing the RADIUS token server, refer to the documentation included with your token server.
  • Page 441 Step 1 In the navigation bar, click External User Databases.
    Step 2 Click Database Configuration.
    Result: Cisco Secure ACS displays a list of all possible external user database types. The external user databases that represent RADIUS-enabled token servers are as follows:
    • ActivCard
    • CRYPTOCard
  • Page 442 When this duration has ended, Cisco Secure ACS reverts to sending authentication requests to the primary server.
  • Page 443: Token Servers With Vendor-Proprietary Interfaces

    Accounts.” Token Servers with Vendor-Proprietary Interfaces Cisco Secure ACS supports several token servers by communicating via the token server vendor’s proprietary API. About Token Servers with Proprietary Interfaces For token servers supported by using the token server vendor’s proprietary API, Cisco Secure ACS acts as a token-card client to the token server.
  • Page 444 • Server Name—Mnemonic for the user, preferably the name of the remote server.
    • Server Address—The IP address of the SafeWord token server.
  • Page 445: Configuring An Axent Token Server External User Database Axent

    Configuration page appears. For more information about configuring user accounts to Chapter 7, “Setting Up and Managing User Accounts.”
  • Page 446: Configuring An Rsa Securid Token Server External User Database

    Cisco Secure ACS supports the RSA SecurID token server custom interface for authentication of users. You can create only one RSA SecurID configuration within Cisco Secure ACS.
  • Page 447 Result: Cisco Secure ACS displays a list of all possible external user database types.
    and place it in your Windows NT directory: sdconf.rec \system32\drivers\etc\hosts /sdi/ace/data
  • Page 448: Deleting An External User Database Configuration

    Step 2 Click Database Configuration.
    Result: Cisco Secure ACS displays a list of all possible external user database types.
  • Page 449 Step 6 Click OK to confirm that you want to delete the external user database configuration.
    Result: The external user database configuration you selected is deleted from Cisco Secure ACS.
  • Page 451: Administering External User Databases

    After you have configured Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) to communicate with an external user database, you can decide how to implement other Cisco Secure ACS features related to external user databases. To address these features, this chapter contains the following sections: •...
  • Page 452: C H A P T E R 12 Administering External User Databases

    Unknown User Policy. All cached users were once unknown users. The authentication process for cached users is identical to the authentication process for known users.
  • Page 453: General Authentication Request Handling And Rejection Mode

    John. Assuming their passwords are different than the password for the John who authenticated first, the other Johns are unable to access the network.
  • Page 454: Authentication Request Handling And Rejection Mode With The Windows Nt/2000 User Database

    Specifying the domain name allows Cisco Secure ACS to differentiate a user from multiple instances of the same username in different domains. For unknown users who provide a domain name and who are authenticated by a Windows
  • Page 455: Windows Authentication With Domain Omitted

    If Cisco Secure ACS has tried each domain listed in the Domain List, or if no trusted domains have been configured in the Domain List, Cisco Secure ACS fails the authentication request for that user.
  • Page 456: Performance Of Unknown User Authentication

    If the AAA client timeout value is not set high enough to account for the delay required by unknown user authentication, the AAA client times out the request and every unknown user authentication fails.
  • Page 457: Network Access Authorization

    Check the following external user databases—Enables unknown user processing. Cisco Secure ACS uses databases in the Selected Databases list to authenticate users that are not found in the CiscoSecure user database.
  • Page 458: Database Search Order

    Cisco Secure ACS database, follow these steps:
    Step 1 In the navigation bar, click External User Databases.
    Step 2 Click Unknown User Policy.
    If Cisco Secure ACS does not find the user in...
  • Page 459: Turning Off External User Database Authentication

    To turn off external user database authentication, follow these steps:
    Step 1 In the navigation bar, click External User Databases.
    Step 2 Click Unknown User Policy.
  • Page 460: Database Group Mappings

    For example, you could configure Cisco Secure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters. You could then
  • Page 461 For more information about specifying group membership for users authenticated with one of these database types, see the “RADIUS-Based Group Specification” section on page 12-21.
  • Page 462: Creating A Cisco Secure Acs Group Mapping For A Token Server, Odbc Database, Or Leap Proxy Radius Server Database

    Step 4. For users authenticated by an ODBC, ActivCard, or LEAP Proxy RADIUS Server database, the mapping is only applied as a default if those databases did not specify a Cisco Secure ACS group for the user.
  • Page 463: Group Mapping By Group Set Membership

    When a user authenticated by an external user database is to be assigned to a Cisco Secure ACS group, Cisco Secure ACS
  • Page 464: No Access Group For Group Set Mappings

    When editing the default group mapping for Windows NT/2000, instead of selecting a valid domain name on the Domain Configurations page, select \DEFAULT.
  • Page 465: Creating A Cisco Secure Acs Group Mapping For Windows Nt/2000, Novell Nds, Or Generic Ldap Groups

    Windows NT/2000 domain in the Domain box. Click Submit. Result: The new Windows NT/2000 domain appears in the list of domains in the Domain Configurations page.
  • Page 466 Note You can also select <No Access>. For more information about the <No Access> group, see the “No Access Group for Group Set Mappings” section.
  • Page 467: Mapping

    Step 4 If you are editing a Windows NT/2000 group set mapping, click the domain name for which you want to edit a group set mapping.
    Result: The Group Mappings for Domain: domainname table appears.
  • Page 468 Configurations table appears. If you are deleting an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.
    You can also select <No Access>. For more information about the <No Access>...
  • Page 469: Deleting A Windows Nt/2000 Domain Group Mapping Configuration

    Result: Cisco Secure ACS displays a confirmation dialog box.
    Step 6 Click OK in the confirmation dialog box.
    Result: Cisco Secure ACS deletes the selected external user database group mapping configuration.
  • Page 470: Changing Group Set Mapping Order

    Step 7 Select the name of a group set mapping you want to move, and then click Up or Down until it is in the position you want.
    The Order mappings button appears only if more than one group set mapping exists for the current database.
  • Page 471: Radius-Based Group Specification

    LEAP Proxy RADIUS Server database. This is provided in addition to the default group mapping described in the “Group Mapping by External User Database” section on page 12-10.
  • Page 472 Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:
    ACS:CiscoSecure-Group-Id = 37
    Cisco Secure ACS assigns the user to group 37 and applies authorization associated with group 37.
  • Page 473: Appendix

    Scan the column on the left to identify the condition that you are trying to resolve, and then carefully go through each corresponding recovery action offered in the column on the right.
  • Page 474: Administration Issues

    Administrator configured for event notification is not receiving e-mail.
    Recovery Action: Ping the machine running Cisco Secure ACS to confirm connectivity.
  • Page 475: A P P E N D I X A Troubleshooting Information For Cisco Secure Acs

    Clear the cache before attempting to reauthenticate or close the browser and open a new session.
  • Page 476: Cisco Ios Issues

    Cisco IOS 12.0.5.T AAA client times out when authenticating against Windows NT/2000.
    Recovery Action: Examine the Cisco IOS configuration at the AAA client. If not...
  • Page 477: Database Issues

    Cisco Secure ACS. If the receiving server has dual network cards, on the sending server add a AAA server to the AAA Servers table in Network Configuration for every IP address of the receiving server. If the...
  • Page 478: Dial-In Connection Issues

    Reports & Activity section, click TACACS+ Accounting or RADIUS Accounting or Failed Attempts).
    Recovery Action: Examine the Cisco Secure ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error.
  • Page 479 The user’s expiration information in the Windows NT/2000 database has not caused failed authentication. For troubleshooting purposes, disable password expiry for the user in the Windows NT/2000 database.
  • Page 480 Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).
    Recovery Action: Click External User Databases, and click List All Databases Configured, and then make sure that the database configuration for Windows NT/2000 is listed.
  • Page 481 Telnet to the access server from a workstation connected to the LAN. A successful authentication for Telnet confirms that Cisco Secure ACS is working with the AAA client.
  • Page 482 A dial-in user is unable to make a connection to the AAA client, and a Telnet connection cannot be authenticated across the LAN.
    Recovery Action: Determine if the Cisco Secure ACS is receiving the request.
  • Page 483: Debug Issues

    If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this might indicate it has not been enabled in Interface Configuration: TACACS+ (Cisco IOS) or RADIUS.
  • Page 484: Proxy Issues

    Proxy Distribution Table, and the position is set correctly to either Prefix or Suffix. One or more servers is down, or no fallback server is configured. Go to Network Configuration and configure a fallback server. Fallback servers are used only under the following circumstances: The remote Cisco Secure ACS is down.
  • Page 485: Installation And Upgrade Issues

    Services were restarted, possibly because the connection between the Cisco Secure ACS and the AAA client is unstable. Clear the Single Connect TACACS+ AAA Client check box.
  • Page 486: Report Issues

    After you have changed the date format, the Logged-In User list and CSAdmin log still display old format dates.
  • Page 487: Third-Party Server Issues

    Database: Database Configuration in the Cisco Secure ACS. Run Test Authentication from the Windows NT/2000 Server control panel for the ACE/Client application. From Cisco Secure ACS, install the token server.
  • Page 488: Pix Firewall Issues

    Windows NT/2000 user database. Callback is not working. User authentication fails when using PAP.
    Recovery Action: If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work.
  • Page 489 The retry interval is too short. (The default is 5 seconds.) Increase the retry interval (tacacs-server timeout 20) on the AAA client to 20 or greater. Check the Failed Attempts report.
  • Page 490: TACACS+ and RADIUS Attribute Issues

    Group Setup page. Novell NDS or Generic LDAP Group Mapping not working correctly.
  • Page 491: Appendix

    The Microsoft Crypto API failed to initialize. Make sure you are running the U.S. version of ... The Registry might be corrupt, or the files under the CSAuth ... Reinstall Cisco Secure ACS.
  • Page 492: System Monitored Events

    One or more registry entries were missing/corrupt: The CSAuth Registry either is corrupt or has missing values. Reinstall Cisco Secure ACS. Auth server down: Could not change Password: CSMon could not change the password of the test account.
  • Page 493 A CiscoSecure service was shut down because a service it ... No action required. Problem Authenticating from name. Got as far as phase ... CSMon could not authenticate a test account via a CiscoSecure ... No action required.
  • Page 494 – Finishing Processing Protocol Module – Problem Logging on to name. Got as far as phase ... CSMon could not log on to the named account via a CiscoSecure ... No action required.
  • Page 495 The named CiscoSecure service was shut down via the ... No action required. Service name in transition state for too long... giving up: CSMon waits only so long before giving up on a transitory ... No action required.
  • Page 496: Replication Messages

    Cisco Secure ACS and the replicating ACS. Verify that the IP address of the AAA server is correct under AAA entry. Service name in transition/unknown state... will try again: Windows NT/2000 Service Manager does not know what state a ... No action required.
  • Page 497 Verify that the remote ACS is accepting replication in ... Host ‘name’ not replied to replication request - possibly dead: Remote Cisco Secure ACS did not respond to replication commit ... Check the systems’ connectivity.
  • Page 498 Host ‘name’ not configured to receive any matching information: The remote Cisco Secure ACS is not configured to accept the ... Verify that the remote ACS has at least some replication ... Inbound database replication from host ‘name’...
  • Page 499: Failed Attempts Messages

    The ACS pool has run out of available IP addresses. Key Mismatch: The AAA client secret key did not match the Cisco Secure ACS ... Check the shared key between the Cisco Secure ACS and ...
  • Page 501: Appendix

    TACACS+ Attribute-Value Pairs Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) provides support for Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value.
  • Page 502: TACACS+ AV Pairs

    callback-dialstring, callback-line, callback-rotary, cmd-arg=, cmd=, dns-servers=, gw-password, idletime=, inacl#n, inacl=, interface-config=...
  • Page 503 protocol=, route, route#n, routing=, rte-ftr-in#n, rte-ftr-out#n, sap#n, sap-fltr-in#n, sap-fltr-out#n, service=, source-ip= (Cisco IOS Attribute-Value Pair Dictionary)...
  • Page 504: TACACS+ Accounting AV Pairs

    mlp-links-max, mlp-sess-id, nas-rx-speed, nas-tx-speed, paks_in, paks_out, port, pre-bytes-in, pre-bytes-out, pre-paks-in, pre-paks-out...
  • Page 505: Appendix

    TACACS+ Attribute-Value Pairs: pre-session-time, priv_level, protocol, reason, service, start_time, stop_time, task_id, timezone, xmit-rate (Cisco IOS Attribute-Value Pair Dictionary)...
  • Page 507 RADIUS Attributes Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) provides support for many RADIUS attributes. This appendix lists the standard attributes, vendor-proprietary attributes, vendor-specific attributes supported by Cisco Secure ACS for the following vendors’...
  • Page 508 8, Framed-IP-Address; 19, Callback-Number; 218, Ascend-Assign-IP-Pool. Neither can these attributes be set via RDBMS Synchronization. See the “System Requirements” section on page 2-2.
  • Page 510 Table D-7 on page ... Note: For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP documentation. Cisco IOS Software RADIUS AV Pairs (continued)...
  • Page 511 Cisco IOS/PIX Dictionary of RADIUS VSAs...
  • Page 512: Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs

    Cisco VPN 3000 Concentrator RADIUS VSAs: CVPN3000-Simultaneous-Logins, CVPN3000-Primary-DNS, CVPN3000-Secondary-DNS, CVPN3000-Primary-WINS, CVPN3000-Secondary-WINS, CVPN3000-SEP-Card-Assignment, CVPN3000-Tunneling-Protocols, CVPN3000-IPSec-Sec-Association...
  • Page 513 Cisco VPN 3000 Concentrator RADIUS VSAs (continued): CVPN3000-Required-Client-Firewall-Description, CVPN3000-Require-HW-Client-Auth, CVPN3000-Require-Individual-User-Auth, CVPN3000-Authenticated-User-Idle-Timeout...
  • Page 514 Cisco VPN 3000 Concentrator RADIUS VSAs (continued): CVPN3000-User-Auth-Server-Name, CVPN3000-User-Auth-Server-Port, CVPN3000-User-Auth-Server-Secret, CVPN3000-IPSec-Split-Tunneling-Policy, CVPN3000-IPSec-Required-Client-Firewall-Capability 56, CVPN3000-IPSec-Client-Firewall-Filter-Name, CVPN3000-IPSec-Client-Firewall-Filter-Optional, CVPN3000-IPSec-Backup-Servers, CVPN3000-IPSec-Backup-Server-List, CVPN3000-Strip-Realm...
  • Page 515: Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

    Table D-4 lists the supported ... Table D-5 lists the supported Cisco BBSM RADIUS VSA.
  • Page 516: Vendor-Proprietary IETF RADIUS AV Pairs

    Vendor-Proprietary RADIUS Attributes: Disconnect-Cause, Data-Rate, PreSession-Time, PW-Lifetime, IP-Direct, PPP-VJ-Slot-Comp, Assign-IP-pool, Route-IP, Link-Compression, Target-Utils, Maximum-Channels, Data-Filter. ... lists the supported vendor-proprietary RADIUS (IETF) attributes...
  • Page 517 Table D-6 Vendor-Proprietary RADIUS Attributes (continued): Call-Filter, Idle-Limit...
  • Page 518: IETF Dictionary of RADIUS AV Pairs

    Attribute: User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port. ... lists the supported RADIUS (IETF) attributes. If the attribute has a ... Table D-8 on page D-16. Description: Name of the user being authenticated.
  • Page 519 Compression protocol used for the link. This attribute results in "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.
  • Page 520 Login-Service, Login-TCP-Port, Reply-Message, Framed-Route, State. Description: Host to which the user will connect when the Login-Service attribute is included. Service that should be used to connect the user to the login host.
  • Page 521 This attribute is not valid for PPP sessions. System with which the user is to be connected by LAT. This attribute is only available in the EXEC mode.
  • Page 522: RADIUS (IETF) Accounting AV Pairs

    RADIUS (IETF) Accounting Attributes: Class, Called-Station-Id. Description: Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value as...
  • Page 523 Number of packets received from the port while this service is being provided to a framed user. Number of packets sent to the port while this service is being delivered to a framed user.
  • Page 524: Microsoft MPPE Dictionary of RADIUS VSAs

    Cisco Secure ACS supports the Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE). The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by ... Description: Reports details on why the connection was terminated.
  • Page 525 MPPE. It is a four octet integer that is interpreted as a string of bits.
  • Page 526 Microsoft MPPE RADIUS VSAs (continued): MS-CHAP-Domain, MS-CHAP-Challenge, MS-CHAP-MPPE-Keys, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, MS-RAS-Version, MS-CHAP-NT-Enc-PW, MS-CHAP2-Response, MS-CHAP2-CPW. The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE.
  • Page 527: Ascend Dictionary of RADIUS AV Pairs

    If you make changes to a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.
  • Page 528 Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific, Client-Port-DNIS, Caller-Id, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic...
  • Page 529 Ascend-AppleTalk-Route, Ascend-AppleTalk-Peer-Mode, Ascend-Route-AppleTalk, Ascend-FCP-Parameter, Ascend-Modem-PortNo, Ascend-Modem-SlotNo, Ascend-Modem-ShelfNo...
  • Page 530 Ascend-User-Acct-Base, Ascend-User-Acct-Time. Support IP Address Allocation from Global Pools: Ascend-Assign-IP-Client, Ascend-Assign-IP-Server, Ascend-Assign-IP-Global-Pool. DHCP Server Functions: Ascend-DHCP-Reply, Ascend-DHCP-Pool-Number...
  • Page 531 Ascend-FR-DCE-N392, Ascend-FR-DTE-N392, Ascend-FR-DCE-N393, Ascend-FR-DTE-N393, Ascend-FR-T391, Ascend-FR-T392, Ascend-Bridge-Address...
  • Page 532 Ascend-IPX-Node-Addr, Ascend-Home-Agent-IP-Addr, Ascend-Home-Agent-Password, Ascend-Home-Network-Name, Ascend-Home-Agent-UDP-Port, Ascend-Multilink-ID, Ascend-Num-In-Multilink, Ascend-First-Dest, Ascend-Pre-Input-Octets, Ascend-Pre-Output-Octets, Ascend-Pre-Input-Packets, Ascend-Pre-Output-Packets, Ascend-Maximum-Time...
  • Page 533 Ascend-Send-Secret, Ascend-Receive-Secret, Ascend-IPX-Peer-Mode, Ascend-IP-Pool-Definition, Ascend-Assign-IP-Pool, Ascend-FR-Direct, Ascend-FR-Direct-Profile...
  • Page 534 Ascend-Max-Channels, Ascend-Inc-Channel-Count, Ascend-Dec-Channel-Count, Ascend-Seconds-Of-History, Ascend-History-Weigh-Type, Ascend-Add-Seconds, Ascend-Remove-Seconds. Connection Profile/Session Options: Ascend-Data-Filter, Ascend-Call-Filter, Ascend-Idle-Limit, Ascend-Preempt-Limit...
  • Page 535: Nortel Dictionary of RADIUS VSAs

    Bay-Secondary-DNS-Server, Bay-Primary-NBNS-Server, Bay-Secondary-NBNS-Server. ... lists the Nortel RADIUS VSAs supported by Cisco Secure ACS.
  • Page 536: Juniper Dictionary of RADIUS VSAs

    Juniper vendor ID number is 2636. Table D-12 Juniper RADIUS VSAs: Juniper-Local-User-Name, Juniper-Allow-Commands, Juniper-Deny-Commands. ... lists the Juniper RADIUS VSAs supported by Cisco Secure ACS.
  • Page 537: Appendix

    Loading the Cisco Secure ACS Database from a Dump File, page E-10; Compacting the CiscoSecure User Database, page E-11. Chapter 8, “Establishing...
  • Page 538: Appendix E Cisco Secure ACS Command-Line Database Utility

    CSAuth service is stopped, Cisco Secure ACS does not authenticate users. To determine if an option requires that you stop CSAuth, see the “... Options” section on page ... (CSUtil.exe)...
  • Page 539: CSUtil.exe Options

    “Backing Up Cisco Secure ACS with CSUtil.exe” section on page E-5. “Recalculating CRC Values” section on page E-25. “Exporting Group Information to a Text File” section on page E-24. ... E-26. dump.txt ... “Creating a Cisco Secure ACS ... E-9.
  • Page 540 -listUDV—List all user-defined RADIUS VSAs currently defined in Cisco Secure ACS. For more information about this option, see the “... Custom RADIUS Vendors” section on page ... “Restoring Cisco Secure ACS with CSUtil.exe”...
  • Page 541: Backing Up Cisco Secure ACS with CSUtil.exe

    8-40. “Location of CSUtil.exe and Related Files” section on page E-2. filename ... “Cisco Secure ACS Backup” ... when it attempts to ... Backup Failed...
  • Page 542: Restoring Cisco Secure ACS with CSUtil.exe

    To restore only user and group data, type: CSUtil.exe -r users filename, where filename is the name of the backup file. Press Enter. “Location of CSUtil.exe and Related Files” section on page E-2.
  • Page 543: Creating a CiscoSecure User Database

    Unless you have a current backup or dump of your CiscoSecure user database, all user accounts are lost when you use this option.
  • Page 544 Step 6 To resume user authentication, type: net start csauth and press Enter. “Location of CSUtil.exe and Related Files” section on page E-5.
  • Page 545: Creating a Cisco Secure ACS Database Dump File

    Type: CSUtil.exe -d Press Enter. Result: CSUtil.exe displays a confirmation prompt. “Location of CSUtil.exe and Related Files” section on page E-2.
  • Page 546: Loading the Cisco Secure ACS Database from a Dump File

    On the Cisco Secure ACS server, open an MS DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see the ... on page ... , type Y and press Enter.
  • Page 547: Compacting the CiscoSecure User Database

    To reduce the CiscoSecure user database size, you can compact it periodically.
  • Page 548 Press Enter. If you include the -q option in the command, CSUtil.exe does not prompt you for confirmation of initializing or loading the database. “Location of CSUtil.exe and Related Files”...
  • Page 549: User and AAA Client Import Option

    “Loading the Cisco Secure ACS Database from a Dump File” section on page E-10. This process may take a few minutes. dump.txt ... “Creating a CiscoSecure ... dump.txt ... E-5.
  • Page 550 Result: The CSRadius service stops. To start CSRadius, type: net start csradius and press Enter. “User and AAA Client Import File Format” section on ... “Location of CSUtil.exe and...
  • Page 551: About User and AAA Client Import File Format

    CSUtil.exe expects the value of the token to be in the colon-delimited field immediately following the token.
  • Page 552: Online or Offline Statement

    Cisco Secure ACS has two LDAP external user databases configured, CSUtil.exe creates the user record and assigns the user to the LDAP database that was added to Cisco Secure ACS first.
  • Page 553 Authenticate the username with an ODBC external user database. Authenticate the username with a generic LDAP external user database. Authenticate the username with a SafeWord external user database.
  • Page 554: Update Statements

    CHAP: CHAP password. SENDAUTH: sendauth password. Description: Authenticate the username with a LEAP proxy RADIUS server external user database.
  • Page 555 Authenticate the username with an ActivCard external user database. Authenticate the username with a Vasco external user database. Authenticate the username with a RADIUS token server external user database.
  • Page 556: Delete Statements

    ADD_NAS: AAA client name (the name of the AAA client that is to be added), IP address, shared secret. UPDATE Statement Tokens...
  • Page 557 Update/Watchdog Packets from this Access Server option is enabled. For more information, see the “Adding and Configuring a AAA Client” section on page 4-9.
  • Page 558: DEL_NAS Statements

    ADD:mary:EXT_NT:CHAP:achappassword
    ADD:joe:EXT_SDI
    ADD:vanessa:CSDB:vanessaspassword
    ADD:juan:CSDB_UNIX:unixpassword
    UPDATE:foobar:PROFILE:10
    DELETE:paul
    ADD_NAS:SVR2-T+:IP:209.165.202.136:KEY:A87il032bzg:VENDOR:"TACACS+ (Cisco IOS)":NDG:"East Coast"
    DEL_NAS:SVR16-RAD
    DEL_NAS Statement Tokens: AAA client name (Required)...
  • Page 559: Exporting User List to a Text File

    users.txt “Location of CSUtil.exe and Related Files” section on page E-2. ... The file organizes the users ... users.txt lists them in that order...
  • Page 560: Exporting Group Information to a Text File

    Step 4 To resume user authentication, type: net start csauth and press Enter. The groups.txt file is useful primarily for debugging purposes...
  • Page 561: Exporting Registry Information to a Text File

    The setup.txt file is primarily useful for debugging purposes while ... “Location of CSUtil.exe and Related Files” section on page E-2.
  • Page 562: Recalculating CRC Values

    Cisco Secure ACS directories and the values recorded in the Windows Registry. Note: Do not use the -c option unless a Cisco representative requests that you do.
  • Page 563: User-Defined RADIUS Vendors and VSA Sets

    RADIUS vendor and VSA definitions to be replicated must be identical on the primary and secondary Cisco Secure ACS servers, including the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information about database replication, see the “CiscoSecure Database Replication”...
  • Page 564: Adding a Custom RADIUS Vendor and VSA Set

    For example, to add the RADIUS vendor defined in ..., the command would be: CSUtil.exe -addUDV 5 d:\acs\myvsa.ini Result: CSUtil.exe displays a confirmation prompt. “Location of CSUtil.exe and Related Files” section on page E-2.
  • Page 565: Deleting a Custom RADIUS Vendor and VSA Set

    RADIUS vendor you want to delete. For more information about configuring your RADIUS accounting log, see the “RADIUS Accounting Log” section on page 9-7. “AAA Client Configuration” section on ...
  • Page 566: Listing Custom RADIUS Vendors

    Cisco Secure ACS. This option also enables you to determine which of the ten possible custom RADIUS vendor slots are in use and which RADIUS vendor occupies each used slot. “Location of CSUtil.exe and Related Files”...
  • Page 567: RADIUS Vendor/VSA Import File

    Example RADIUS Vendor/VSA Import File, page E-37. “Location of CSUtil.exe and Related Files” section on page E-2. ... Utils directory, where CSUtil.exe is located, is replaced, including ...
  • Page 568: About the RADIUS Vendor/VSA Import File

    ... 1 to 255: Defines a single attribute of the VSA set. For more information, ... Enumeration definition, No, 0 to 255: Defines enumerations for attributes with integer data types. For ... Defines the RADIUS vendor and VSA set.
  • Page 569: Vendor and VSA Set Definition

    "widget-encryption" for an encryption-related attribute for the vendor Widget. This also makes accounting logs easier to understand. Table E-8 lists ...
  • Page 570: Attribute Definition

    See Description. The data type of the attribute. It must be one of the ... Profile, Yes, See Description: The attribute profile defines if the attribute is used for ...
  • Page 571: Enumeration Definition

    The name of the enumeration section. Several attributes can reference the same enumeration section. For more information, see the “Enumeration Definition” section on page E-35. ... lists the valid keys for an enumeration definition.
  • Page 572 Encryption-Types enumeration, which associates the string value 56-bit with the integer 0 and the string value 128-bit with the integer 1:
    [Encryption-Types]
    0=56-bit
    1=128-bit
  • Page 573: Example RADIUS Vendor/VSA Import File

    VSA 4=widget-admin-encryption
    VSA 5=widget-remote-address
    [widget-encryption]
    Type=INTEGER
    Profile=OUT
    Enums=Encryption-Types
    [widget-admin-interface]
    Type=IPADDR
    Profile=OUT
    [widget-group]
    Type=STRING
    Profile=MULTI OUT
    [widget-admin-encryption]
    Type=INTEGER
    Profile=OUT
    Enums=Encryption-Types
    [widget-remote-address]
    Type=STRING
    Profile=IN
    [Encryption-Types]
    0=56-bit
    1=128-bit
    2=256-bit
  • Page 575: Appendix

    Cisco Secure ACS and Virtual Private Dial-up Networks Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) supports authentication forwarding of virtual private dial-up network (VPDN) requests. There are two basic types of “roaming” users: Internet and intranet;...
  • Page 576: Appendix F Cisco Secure ACS and Virtual Private Dial-up Networks

    The NAS then authenticates (not authorizes) the user as if the user is a standard non-VPDN dial user. See ... Figure labels: Call setup / PPP setup; Username = mary@corporation.us...
  • Page 577 Figure labels (VPDN Process): ... failed; User = mary@corporation.us; Authorization reply; Tunnel ID = nas_tun; IP address = 10.1.1.1; VPDN user. See Figure F-5 on page F-4.
  • Page 578 The NAS now uses its ACS to authenticate the tunnel from the HG. See Figure F-7 on page ... Figure labels: Corporation; Username = nas_tun; Password = CHAP_stuff; User = mary@corporation.us...
  • Page 579 HG uses its ACS to authenticate the user. See Figure F-8 and Figure F-9 on page F-6. Figure labels (VPDN Process): Username = home_gate; Password = CHAP_stuff; User = mary@corporation.us; VPDN user.
  • Page 580 Figure F-10 Another User Dials In While Tunnel is Up. Figure labels: Username = sue@corporation.us; Password = secret2; VPDN customer; Corporation; User = mary@corporation.us; User = sue@corporation.us...
  • Page 581 ODBC import definitions are a listing of the action codes allowable in an accountActions table. The RDBMS Synchronization feature of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) uses a table named “accountActions” as input for automated or manual updates of the CiscoSecure user database.
  • Page 582: ODBC Import Definitions

    accountActions table fields: SequenceId, Priority, UserName, GroupName, Action, ValueName, Value1, Value2. ... lists the fields that compose an accountActions table in the order in ... “An Example accountActions Table” on page G-36.
  • Page 583: Appendix G ODBC Import Definition

    String: RESERVED by CSDBSync. String: The type of configuration parameter to change. Number: TRI-STATE: 0=not processed, 1=done, 2=failed. This should normally be set to 0. accountActions Table Specification...
  • Page 584: accountActions Table Processing Order

    When changing transaction priorities, be careful that they are processed in the correct order; for example, a user account must be created before the user password is assigned.
  • Page 585: Action Codes

    Cisco Secure ACS. Unless asked to ... Table G-1 on page G-3, “accountActions Table ...” ... Table G-2 on page G-6, instruct RDBMS Synchronization to ... For more ... Table G-2 on page G-6.
  • Page 586 Action Code Name Required SET_VALUE UN|GN, AI, VN, V1, V2 Sets a value (V1) named (VN) of type (V2) for app Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Appendix G G-31). Description (AI). App IDs (AI) can be one of the following: APP_CSAUTH •...
  • Page 587: Action Codes For Setting And Deleting Values

    CHAP/ARAP will also default to this. UN, V1 Set the CHAP/ARAP password for a user (64 characters maximum). UN, V1 Sets the CHAP/ARAP password for a user (32 characters maximum). Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes...
  • Page 588 User Creation and Modification Action Codes (continued) Action Code Name SET_T+_ENABLE_ PASS SET_GROUP Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Required Description UN, V1, V2 Sets the TACACS+ enable password (V1) (32 characters maximum) and Max Privilege level (V2) (0-15).
  • Page 589 PASS_TYPE_ODBC—External ODBC database • password PASS_TYPE_LEAP—External LEAP proxy • RADIUS server database password PASS_TYPE_ACTIVCARD—External • ActivCard database password PASS_TYPE_VASCO—External Vasco • database password • PASS_TYPE_RADIUS_TOKEN—External RADIUS token server database password Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes...
  • Page 590 Name REMOVE_PASS_ STATUS ADD_PASS_STATUS UN, V1 SET_PASS_EXPIRY _WRONG Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-10 Required Description UN,V1 Remove a password status flag. This results in the status states being linked in a logical XOR condition by the CSAuth server.
  • Page 591 MAX_SESSIONS_UNLIMITED • • MAX_SESSIONS_AS_GROUP • 1-65534 GN,V1 Set the max sessions for a user of the group to one of the following values: MAX_SESSIONS_UNLIMITED • • 1-65534 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-11...
  • Page 592 Table G-3 User Creation and Modification Action Codes (continued) Action Code Name SET_QUOTA Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-12 Required Description GN,VN,V1, Used to set a quota for a user or group. VN defines the quota type. Valid values are: online time—The quota limits the user or group...
  • Page 593 V1 makes this specification. Valid values for V1 are: ASSIGNMENT_FROM_USER • ASSIGNMENT_FROM_GROUP • Resets usage quota counters for a user or group. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-13...
  • Page 594 Table G-3 User Creation and Modification Action Codes (continued) Action Code Name SET_DCS_TYPE Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-14 Required Description UN|GN,VN, Set the type of device command set (DCS) authorization for a group or user.
  • Page 595: Action Codes For Initializing And Modifying Access Filters

    AAA Chapter 7, “Setting Up and Managing User For more information about the Group Setup section, see Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes PIX Shell (pixshell)
  • Page 596 Action Code Name INIT_NAS_ACCESS_ CONTROL INIT_DIAL_ACCESS_ CONTROL ADD_NAS_ACCESS_FILTER Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-16 Appendix G Required Description UN|GN,V1 Clear the AAA client access filter list and initialize permit/deny for any forthcoming filters. V1 should be one of the following...
  • Page 597 Enable/disable token caching for an entire session; V1 is 0=disable, 1=enable. GN, V1 Set the duration that tokens are cached. V1 is the token cache duration in seconds. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-17...
  • Page 598 Action Codes Table G-4 Action Codes for Initializing and Modifying Access Filters (continued) Action Code Name SET_TODDOW_ACCESS Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-18 Appendix G Required Description UN|GN, V1 Set periods during which access is permitted.
  • Page 599 AAA server) will be assigned to the user. ALLOC_METHOD_CLIENT—The • dial-in client will assign its own IP address. ALLOC_METHOD_AS_GROUP— • The IP address assignment configured for the group will be used. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-19...
  • Page 600: Action Codes For Modifying Tacacs+ And Radius Group And User Settings

    Setup and Group Setup sections of the HTML interface. For more information about the User Setup section, see the section on page “Setting Up and Managing User Groups” section on page Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-20 Required Description...
  • Page 601 V2 = IETF vendor ID V3 = VSA attribute ID • For example, to specify the Cisco IOS/PIX vendor ID and the Cisco AV Pair: VN=“Vendor-Specific” V2=“9” V3=“1” Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-21...
  • Page 602 Action Codes for Modifying TACACS+ and RADIUS Group and User Settings (continued) Action Code Name ADD_RADIUS_ ATTR Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-22 Required Description UN|GN, VN, Add the numbered attribute (VN) to value (V) for the V1, Optionally user/group (UN|GN).
  • Page 603 Denies the service for that user or group of users. For example: Optionally V2 GN=“Group 1”, V1=“ppp” V2=“ip” UN=“fred” V1=“ppp” V2=“ip” UN=“fred” V1=“exec” This also resets the valid attributes for the service. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-23...
  • Page 604 Code Name ADD_TACACS_ ATTR REMOVE_ TACACS_ ATTR Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-24 Required Description UN|GN, VN, Sets a service specific attribute. The service must V1, V3 already have been permitted either via the HTML...
  • Page 605 GN=“Group 1" VN=“telnet” UN=“fred” VN=“configure” Users of Group 1 can no longer use the Cisco IOS telnet command. User fred can no longer use the configure command. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-25...
  • Page 606 Action Code Name ADD_IOS_ COMMAND_ REMOVE_IOS_ COMMAND_ Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-26 Required Description UN|GN, VN, Specifies a set of command-line arguments that are V1, V2 either permitted or denied for the Cisco IOS command contained in VN.
  • Page 607: Action Codes For Modifying Network Configuration

    RESET_GROUP SET_VOIP Action Codes for Modifying Network Configuration Table G-6 on page G-28 servers, and network device groups, in addition to proxy table entries. Transactions using these codes affect the configuration displayed in the Network 78-13751-01, Version 3.0 Required Description...
  • Page 608 Code Name Required ADD_NAS VN, V1, V2, V3 Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-28 Appendix G Chapter 4, “Setting Up and Managing Description Add a new AAA client (named in VN) with an IP address (V1), shared secret key (V2), and vendor (V3).
  • Page 609 For the named AAA server (VN), set the appropriate traffic type (V1): TRAFFIC_TYPE_INBOUND • • TRAFFIC_TYPE_OUTBOUND TRAFFIC_TYPE_BOTH • The default is TRAFFIC_TYPE_BOTH. Delete the named AAA server (VN). Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Action Codes G-29...
  • Page 610 ADD_HOST_TO VN, V1 _NDG RESTART_ — PROTO_MODU Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-30 Appendix G Description Add a new proxy markup (VN) with markup type (V1) strip markup flag (V2) and accounting flag (V3). The markup type (V1) must be one of the following: MARKUP_TYPE_PREFIX •...
  • Page 611: Action Code For Deleting The Ciscosecure User Database

    Delete all users and groups from the CiscoSecure user database. This code is particularly useful if you intend to rebuild the CiscoSecure user database using RDBMS synchronization. lists the attributes that define a Cisco Secure ACS user, Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-31...
  • Page 612 TACACS+ Enable Password String Password Integer privilege level Group Password Supplier Password Type Password Expiry Status Expiry Data Expiry date Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-32 G-5. Logical Type Limits String 1-64 characters String 4-32 characters...
  • Page 613 String 0-31 KB Description String 0-31 KB String 0-31 KB String 0-31 KB Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Cisco Secure ACS Attributes and Action Codes Default Actions MAX_SESSI ONS_AS_GR 111111111111 140 NULL 120, 122 NULL...
  • Page 614: User-Defined Attributes

    For more information about action codes, see the page G-5. Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-34 3-3. lists the data fields that define UDAs. For more information about “Action Codes”...
  • Page 615 Table G-4 on page G-16.) 0-31 KB NULL Formatted 0-31 KB NULL String Formatted 0-31 KB NULL String Bool NULL disabled Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide Actions 120, 122 121, 123 160, 162 170, 173 G-35...
  • Page 616: An Example Accountactions Table

    — — fred — — fred — — Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-36 presents an example of an accountActions table that contains some of Action Codes, page Value1 (V1) fred freds_password freds_chap_ password...
  • Page 617 STRING [a string of — 168 ones (1)] DISABLE — — Welcome to — Your Internet Service Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide An Example accountActions Table Value3 AppId (V3) (AI) — — — — —...
  • Page 618 Appendix G ODBC Import Definitions An Example accountActions Table Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide G-38 78-13751-01, Version 3.0...
  • Page 619: Appendix H

    Cisco Secure ACS Internal Architecture. Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) is designed to be modular and flexible to fit the needs of both simple and large networks. This chapter describes the Cisco Secure ACS architectural components.
  • Page 620: Windows NT/2000 Environment Overview

    Because the Cisco Secure ACS web server uses port 2002, you can use another web server on the same machine to provide other web services.
  • Page 621: CSAdmin

    When a request for authentication arrives, Cisco Secure ACS checks the database that is configured for that user. If the user is unknown, Cisco Secure ACS checks the database(s) configured for unknown users.
  • Page 622 RSA SecurID, SafeWord AXENT, and any hexadecimal X.909 token card such as CRYPTOCard. For some token servers, Cisco Secure ACS acts as a client to the token server. For others, it uses the token server’s RADIUS interface for authentication requests. As...
  • Page 623 Lightweight Directory Access Protocol (LDAP). Cisco Secure ACS interacts with the most popular directory servers, including Novell and Netscape. Both PAP and CHAP passwords can be used when authenticating against the LDAP database.
  • Page 624: CSDBSync

    TACACS+ Accounting—Contains the log files of successful authentication and authorization activity for TACACS+ users. (See the “RDBMS Synchronization” section on page ....) Logs are kept under \Logs\. There are 10 subdirectories...
  • Page 625: CSMon

    CSMon monitors a small number of additional key system thresholds: Available space on the system hard disk (the drive with the Windows NT/2000 directory).
  • Page 626 This feature is more oriented to security and user support than system viability. If configured, it provides...
  • Page 627: Recording

    Warning events—Service is maintained but some monitored threshold is breached. Failure events—One or more Cisco Secure ACS components stop providing service.
  • Page 628: Sample Scripts

    You can disable test authentications or set the frequency higher; however, the overhead generated by this feature is small and there is no real benefit from setting it higher. Predefined actions—These actions are hard-coded into the program and... (Sample scripts are in Program Files\CiscoSecure ACS v2.6\CSMon\Scripts.)
  • Page 629: CSTacacs and CSRadius

    When only one security protocol is used, only the applicable service needs to be running; however, the other service will not interfere with normal operation and...
  • Page 630 See Appendix C, “TACACS+ Attribute-Value Pairs” for more information on TACACS+ AV pairs, or Appendix D, “RADIUS Attributes” for more information on RADIUS AV pairs.