Cisco Servers User Manual (654 pages), for Windows 2000/NT Servers
Brand: Cisco | Category: Software | Size: 5.3 MB
Table of Contents

Version ... 2
Table of Contents ... 4
Who Should Read this Guide ... 27
How this Guide Is Organized ... 28
System Messages ... 29
Conventions Used in this Guide ... 30
Related Documentation ... 31
Obtaining Documentation ... 32
World Wide Web ... 32
Documentation Feedback ... 33
Obtaining Technical Assistance ... 33
AAA Server Functions and Concepts ... 40
Cisco Secure ACS and the AAA Client ... 41
AAA Protocols - TACACS+ and RADIUS ... 41
RADIUS ... 42
TACACS+ ... 42
Authentication ... 43
Authentication and User Databases ... 44
Authentication Considerations ... 44
Passwords ... 46
Other Authentication-Related Features ... 50
Authorization ... 51
Dynamic Usage Quotas ... 52
Max Sessions ... 52
Other Authorization-Related Features ... 53
Accounting ... 53
Other Accounting-Related Features ... 54
Administration ... 54
HTTP Port Allocation for Remote Administrative Sessions ... 55
Network Device Groups ... 56
Other Administration-Related Features ... 56
Cisco Secure ACS HTML Interface ... 57
About the Cisco Secure ACS HTML Interface ... 57
HTML Interface Layout ... 58
Uniform Resource Locator for the HTML Interface ... 60
Network Environments and Remote Administrative Sessions ... 60
Remote Administrative Sessions and HTTP Proxy ... 60
Remote Administrative Sessions through a NAT Gateway ... 61
Remote Administrative Sessions through Firewalls ... 61
Accessing the HTML Interface ... 62
Logging off the HTML Interface ... 62
Online Help and Online Documentation ... 63
Using Online Help ... 63
Using the Online Documentation ... 64
Chapter 2 Deploying Cisco Secure ACS ... 67
Basic Deployment Requirements for Cisco Secure ACS ... 68
System Requirements ... 68
Hardware Requirements ... 68
Operating System Requirements ... 68
Third-Party Software Requirements ... 69
Network Requirements ... 70
Basic Deployment Factors for Cisco Secure ACS ... 70
Network Topology ... 71
Dial-Up Topology ... 71
Wireless Network ... 74
Remote Access Using VPN ... 77
Remote Access Policy ... 79
Security Policy ... 80
Administrative Access Policy ... 80
Separation of Administrative and General Users ... 82
Database ... 83
Number of Users ... 83
Type of Database ... 83
Network Speed and Reliability ... 84
Suggested Deployment Sequence ... 84
Chapter 3 Setting up the Cisco Secure ACS HTML Interface ... 89
Interface Design Concepts ... 90
User-to-Group Relationship ... 90
Per-User or Per-Group Features ... 90
User Data Configuration Options ... 91
Defining New User Data Fields ... 91
Advanced Options ... 92
Setting Advanced Options for the Cisco Secure ACS User Interface ... 94
Protocol Configuration Options for TACACS+ ... 95
Setting Options for TACACS+ ... 97
Protocol Configuration Options for RADIUS ... 98
Setting Protocol Configuration Options for (IETF) RADIUS ... 100
Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX) ... 102
Setting Protocol Configuration Options for RADIUS (Ascend) ... 102
Setting Protocol Configuration Options for RADIUS (Cisco VPN 3000) ... 103
Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000) ... 104
Setting Protocol Configuration Options for RADIUS (Microsoft) ... 105
Setting Protocol Configuration Options for RADIUS (Nortel) ... 106
Setting Protocol Configuration Options for RADIUS (Juniper) ... 107
Setting Protocol Configuration Options for RADIUS (Cisco BBSM) ... 108
Chapter 4 Setting up and Managing Network Configuration ... 109
About Distributed Systems ... 110
AAA Servers in Distributed Systems ... 111
Default Distributed System Settings ... 111
Proxy in Distributed Systems ... 112
Fallback on Failed Connection ... 113
Character String Stripping ... 114
Proxy in an Enterprise ... 114
Remote Use of Accounting Packets ... 115
Other Features Enabled by System Distribution ... 116
AAA Client Configuration ... 116
Adding and Configuring a AAA Client ... 117
Editing an Existing AAA Client ... 120
Deleting a AAA Client ... 122
AAA Server Configuration ... 123
Adding and Configuring a AAA Server ... 124
Editing a AAA Server Configuration ... 126
Deleting a AAA Server ... 128
Network Device Group Configuration ... 128
Adding a Network Device Group ... 129
Assigning an Unassigned AAA Client or AAA Server to an NDG ... 130
Reassigning a AAA Client or AAA Server to an NDG ... 131
Renaming a Network Device Group ... 131
Deleting a Network Device Group ... 132
Proxy Distribution Table Configuration ... 133
About the Proxy Distribution Table ... 133
Adding a New Proxy Distribution Table Entry ... 133
Deleting a Proxy Distribution Table Entry ... 133
Editing a Proxy Distribution Table Entry ... 133
Sorting the Character String Match Order of Distribution Entries ... 133
Chapter 5 Setting up and Managing Shared Profile Components ... 139
Downloadable PIX ACLs ... 140
About Downloadable PIX ACLs ... 140
Downloadable PIX ACL Configuration ... 141
Adding a Downloadable PIX ACL ... 141
Editing a Downloadable PIX ACL ... 142
Deleting a Downloadable PIX ACL ... 143
Network Access Restrictions ... 144
About Network Access Restrictions ... 144
Shared Network Access Restrictions Configuration ... 145
Adding a Shared Network Access Restriction ... 145
Deleting a Shared Network Access Restriction ... 145
Editing a Shared Network Access Restriction ... 145
Command Authorization Sets ... 150
About Command Authorization Sets ... 151
About Pattern Matching ... 152
Command Authorization Sets Configuration ... 152
Adding a Command Authorization Set ... 152
Deleting a Command Authorization Set ... 152
Editing a Command Authorization Set ... 152
Chapter 6 Setting up and Managing User Groups ... 157
User Group Setup Features and Functions ... 158
Default Group ... 158
Group TACACS+ Settings ... 158
Common User Group Settings ... 159
Enabling VoIP Support for a User Group ... 160
Setting Default Time of Day Access for a User Group ... 161
Setting Callback Options for a User Group ... 162
Setting Network Access Restrictions for a User Group ... 163
Setting Max Sessions for a User Group ... 167
Setting Usage Quotas for a User Group ... 169
Configuration-Specific User Group Settings ... 171
Setting Token Card Settings for a User Group ... 173
Setting Enable Privilege Options for a User Group ... 174
Enabling Password Aging for the CiscoSecure User Database ... 176
Varieties of Password Aging Supported by Cisco Secure ACS ... 176
Password Aging Feature Settings ... 177
Enabling Password Aging for Users in Windows Databases ... 181
Setting IP Address Assignment Method for a User Group ... 182
Assigning a Downloadable PIX ACL to a Group ... 183
Configuring TACACS+ Settings for a User Group ... 184
Configuring a Shell Command Authorization Set for a User Group ... 186
Configuring a PIX Command Authorization Set for a User Group ... 188
Configuring IETF RADIUS Settings for a User Group ... 190
Configuring Cisco IOS/PIX RADIUS Settings for a User Group ... 192
Configuring Ascend RADIUS Settings for a User Group ... 193
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group ... 194
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group ... 195
Configuring Microsoft RADIUS Settings for a User Group ... 197
Configuring Nortel RADIUS Settings for a User Group ... 198
Configuring Juniper RADIUS Settings for a User Group ... 200
Configuring Cisco BBSM RADIUS Settings for a User Group ... 201
Configuring Custom RADIUS VSA Settings for a User Group ... 202
Group Setting Management ... 204
Listing Users in a User Group ... 204
Resetting Usage Quota Counters for a User Group ... 205
Renaming a User Group ... 205
Saving Changes to User Group Settings ... 206
Chapter 7 Setting up and Managing User Accounts ... 207
User Setup Features and Functions ... 208
About User Databases ... 209
Basic User Setup Options ... 210
Adding a Basic User Account ... 211
Setting Supplementary User Information ... 213
Setting a Separate CHAP/MS-CHAP/ARAP Password ... 214
Assigning a User to a Group ... 215
Setting User Callback Option ... 216
Assigning a User to a Client IP Address ... 217
Setting Network Access Restrictions for a User ... 218
Setting Max Sessions Options for a User ... 223
Setting User Usage Quotas Options ... 225
Setting Options for User Account Disablement ... 227
Assigning a PIX ACL to a User ... 228
Advanced User Authentication Settings ... 229
TACACS+ Settings (User) ... 230
Configuring TACACS+ Settings for a User ... 230
Configuring a Shell Command Authorization Set for a User ... 232
Configuring a PIX Command Authorization Set for a User ... 235
Configuring the Unknown Service Setting for a User ... 237
Advanced TACACS+ Settings (User) ... 237
Setting Enable Privilege Options for a User ... 238
Setting TACACS+ Enable Password Options for a User ... 240
Setting TACACS+ Outbound Password for a User ... 241
RADIUS Attributes ... 242
Setting Cisco IOS/PIX RADIUS Parameters for a User ... 242
Setting IETF RADIUS Parameters for a User ... 242
Setting Ascend RADIUS Parameters for a User ... 245
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User ... 247
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User ... 248
Setting Microsoft RADIUS Parameters for a User ... 250
Setting Nortel RADIUS Parameters for a User ... 251
Setting Juniper RADIUS Parameters for a User ... 253
Setting BBSM RADIUS Parameters for a User ... 254
Setting Custom RADIUS Attributes for a User ... 255
User Management ... 257
Listing All Users ... 257
Finding a User ... 258
Disabling a User Account ... 259
Deleting a User Account ... 260
Resetting User Session Quota Counters ... 261
Resetting a User Account after Login Failure ... 261
Saving User Settings ... 262
System Configuration ... 263
Chapter 8 Establishing Cisco Secure ACS System Configuration ... 264
Service Control ... 264
Determining the Status of Cisco Secure ACS Services ... 264
Stopping, Starting, or Restarting Services ... 264
Logging ... 265
Date Format Control ... 265
Setting the Date Format ... 266
Password Validation ... 266
Setting Password Validation Options ... 267
CiscoSecure Database Replication ... 268
About CiscoSecure Database Replication ... 268
Replication Process ... 270
Replication Frequency ... 272
Important Implementation Considerations ... 272
Database Replication Versus Database Backup ... 273
Database Replication Logging ... 274
Replication Options ... 275
Replication Components Options ... 275
Replication Scheduling Options ... 276
Replication Partners Options ... 277
Implementing Primary and Secondary Replication Setups on Cisco Secure ACS Servers ... 278
Configuring a Secondary Cisco Secure ACS Server ... 279
Replicating Immediately ... 280
Scheduling Replication ... 282
Disabling CiscoSecure Database Replication ... 285
Database Replication Event Error Alert Notification ... 285
RDBMS Synchronization ... 286
About RDBMS Synchronization ... 286
RDBMS Synchronization Components ... 287
About CSDBSync ... 287
About the AccountActions Table ... 288
Cisco Secure ACS Database Recovery Using the AccountActions Table ... 290
Reports and Event (Error) Handling ... 291
Preparing to Use RDBMS Synchronization ... 291
Considerations for Using CSV-Based Synchronization ... 292
Preparing for CSV-Based Synchronization ... 293
Configuring a System Data Source Name for RDBMS Synchronization ... 294
RDBMS Synchronization Options ... 295
RDBMS Setup Options ... 296
Synchronization Scheduling Options ... 296
Synchronization Partners Options ... 297
Performing RDBMS Synchronization Immediately ... 297
Scheduling RDBMS Synchronization ... 299
Disabling Scheduled RDBMS Synchronizations ... 301
Cisco Secure ACS Backup ... 302
About Cisco Secure ACS Backup ... 302
Backup File Locations ... 303
Directory Management ... 303
Components Backed Up ... 303
Reports of Cisco Secure ACS Backups ... 304
Performing a Manual Cisco Secure ACS Backup ... 304
Scheduling Cisco Secure ACS Backups ... 305
Disabling Scheduled Cisco Secure ACS Backups ... 306
Cisco Secure ACS System Restore ... 307
About Cisco Secure ACS System Restore ... 307
Backup File Names and Locations ... 307
Components Restored ... 309
Reports of Cisco Secure ACS Restorations ... 309
Restoring Cisco Secure ACS from a Backup File ... 309
Cisco Secure ACS Active Service Management ... 310
System Monitoring ... 311
System Monitoring Options ... 311
Setting up System Monitoring ... 312
Event Logging ... 313
Setting up Event Logging ... 313
IP Pools Server ... 314
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges ... 315
Refreshing the AAA Server IP Pools Table ... 317
Adding a New IP Pool ... 317
Editing an IP Pool Definition ... 318
Resetting an IP Pool ... 319
Deleting an IP Pool ... 320
IP Pools Address Recovery ... 321
Enabling IP Pool Address Recovery ... 321
VoIP Accounting Configuration ... 322
Configuring VoIP Accounting ... 323
Cisco Secure ACS Certificate Setup ... 323
Background on Certification ... 324
EAP-TLS Setup Overview ... 325
Requirements for Certificate Enrollment ... 325
Generating a Request for a Certificate ... 326
Installing Cisco Secure ACS Certification with Manual Enrollment ... 328
Installing Cisco Secure ACS Certification with Automatic Enrollment ... 330
Performing Cisco Secure ACS Certification Update or Replacement ... 331
Certification Authority Setup ... 332
Trust Requirements and Models ... 333
Adding a New CA Certificate to Local Certificate Storage ... 334
Editing the Certificate Trust List ... 334
Global Authentication Setup ... 335
Chapter 9 Working with Logging and Reports ... 338
Special Logging Attributes ... 338
Update Packets in Accounting Logs ... 339
About Cisco Secure ACS Logs and Reports ... 340
Accounting Logs ... 340
Passed Authentications Log ... 346
Dynamic Cisco Secure ACS Administration Reports ... 346
Logged-In Users Report ... 347
Disabled Accounts Report ... 350
Cisco Secure ACS System Logs ... 351
ACS Backup and Restore Log ... 351
RDBMS Synchronization Log ... 352
Database Replication Log ... 352
Administration Audit Log ... 353
ACS Service Monitoring Log ... 354
Working with CSV Logs ... 355
CSV Log File Names ... 355
Enabling or Disabling a CSV Log ... 355
Failed Attempts Log ... 356
RADIUS Accounting Log ... 356
TACACS+ Accounting Log ... 356
TACACS+ Administration Log ... 356
VoIP Accounting Log ... 356
Viewing a CSV Report ... 356
Configuring a CSV Log ... 358
Working with ODBC Logs ... 361
Preparing to Use ODBC Logging ... 361
Configuring a System Data Source Name for ODBC Logging ... 362
Configuring an ODBC Log ... 363
Remote Logging ... 365
About Remote Logging ... 366
Remote Logging Options ... 367
Configuring a Central Logging Server ... 367
Enabling and Configuring Remote Logging ... 368
Disabling Remote Logging ... 369
Service Logs ... 370
Services Logged ... 370
Configuring Service Logs ... 371
Chapter 10 Setting up and Managing Administrators and Policy ... 375
Administrator Accounts ... 375
Administrator Privileges ... 376
Adding an Administrator Account ... 380
Editing an Administrator Account ... 381
Deleting an Administrator Account ... 383
Access Policy ... 384
Access Policy Options ... 384
Setting up Access Policy ... 386
Session Policy ... 387
Session Policy Options ... 387
Setting up Session Policy ... 388
Audit Policy ... 390
Chapter 11 Working with User Databases ... 392
CiscoSecure User Database ... 392
About External User Databases ... 394
Authenticating with External User Databases ... 395
Windows NT/2000 User Database ... 396
Databases ... 397
The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases ... 397
Trust Relationships ... 398
Windows Dial-Up Networking Clients ... 399
About the Windows NT/2000 Dial-Up Networking Client ... 399
About the Windows 95/98/Millennium Edition Dial-Up Networking Client ... 400
Windows NT/2000 Authentication ... 400
User-Changeable Passwords with Windows NT/2000 User Databases ... 402
Preparing Users for Authenticating with Windows NT/2000 ... 402
Configuring a Windows NT/2000 External User Database ... 403
Generic LDAP ... 404
Cisco Secure ACS Authentication Process with a Generic LDAP User Database ... 405
Multiple LDAP Instances ... 406
LDAP Organizational Units and Groups ... 407
Directed Authentications ... 407
LDAP Failover ... 407
Successful Previous Authentication with the Primary LDAP Server ... 408
Unsuccessful Previous Authentication with the Primary LDAP Server ... 408
Configuring a Generic LDAP External User Database ... 409
Novell NDS Database ... 414
User Contexts ... 415
Novell NDS External User Database Options ... 417
Configuring a Novell NDS External User Database ... 418
ODBC Database ... 420
Cisco Secure ACS Authentication Process with an ODBC External User Database ... 421
Preparing to Authenticate Users with an ODBC-Compliant Relational Database ... 422
Implementation of Stored Procedures for ODBC Authentication ... 423
Type Definitions ... 424
Microsoft SQL Server and Case-Sensitive Passwords ... 424
Sample Routine for Generating a PAP Authentication SQL Procedure ... 425
Sample Routine for Generating an SQL CHAP Authentication Procedure ... 426
PAP Authentication Procedure Input ... 426
PAP Procedure Output ... 427
CHAP/MS-CHAP/ARAP Authentication Procedure Input ... 428
CHAP/MS-CHAP/ARAP Procedure Output ... 428
Result Codes ... 429
Configuring a System Data Source Name for an ODBC External User Database ... 430
Configuring an ODBC External User Database ... 431
LEAP Proxy RADIUS Server Database ... 434
Configuring a LEAP Proxy RADIUS Server External User Database ... 435
Token Server User Databases ... 437
About Token Servers and Cisco Secure ACS ... 438
Token Servers and ISDN ... 438
RADIUS-Enabled Token Servers ... 439
About RADIUS-Enabled Token Servers ... 439
Configuring a RADIUS Token Server External User Database ... 440
Token Server RADIUS Authentication Request and Response Contents ... 440
Token Servers with Vendor-Proprietary Interfaces ... 443
About Token Servers with Proprietary Interfaces ... 443
Configuring a SafeWord Token Server External User Database ... 443
Configuring an AXENT Token Server External User Database ... 445
Configuring an RSA SecurID Token Server External User Database ... 446
Deleting an External User Database Configuration ... 448
Chapter 12 Administering External User Databases ... 451
Unknown User Processing ... 451
Known, Unknown, and Cached Users ... 452
General Authentication Request Handling and Rejection Mode ... 453
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database ... 454
Windows Authentication with a Domain Specified ... 454
Windows Authentication with Domain Omitted ... 455
Performance of Unknown User Authentication ... 456
Added Latency ... 456
Authentication Timeout Value on AAA Clients ... 456
Network Access Authorization ... 457
Unknown User Policy ... 457
Configuring the Unknown User Policy ... 458
Database Search Order ... 458
Turning off External User Database Authentication ... 459
Database Group Mappings ... 460
Group Mapping by External User Database ... 460
Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database ... 462
Group Mapping by Group Set Membership ... 463
Group Mapping Order ... 463
Default Group Mapping for Windows NT/2000 ... 464
No Access Group for Group Set Mappings ... 464
Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups ... 465
Mapping ... 465
Mapping ... 467
Deleting a Windows NT/2000 Domain Group Mapping Configuration ... 469
Changing Group Set Mapping Order ... 470
RADIUS-Based Group Specification ... 471
Appendix A Troubleshooting Information for Cisco Secure ACS ... 473
Administration Issues ... 474
Browser Issues ... 475
Cisco IOS Issues ... 476
Database Issues ... 477
Dial-In Connection Issues ... 478
Debug Issues ... 483
Proxy Issues ... 484
Installation and Upgrade Issues ... 485
MaxSessions Issues ... 485
Report Issues ... 486
Third-Party Server Issues ... 487
PIX Firewall Issues ... 488
User Authentication Issues ... 488
TACACS+ and RADIUS Attribute Issues ... 490
Appendix ... 491
System Messages ... 491
Windows NT/2000 Event Log Service Startup Errors ... 491
System Monitored Events ... 492
Replication Messages ... 496
Failed Attempts Messages ... 499
Appendix ... 501
TACACS+ Attribute-Value Pairs ... 501
Cisco IOS Attribute-Value Pair Dictionary ... 501
TACACS+ AV Pairs ... 502
TACACS+ Accounting AV Pairs ... 504
Appendix ... 505
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs ... 512
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs ... 515
Cisco Building Broadband Service Manager Dictionary of RADIUS VSAs ... 515
Vendor-Proprietary IETF RADIUS AV Pairs ... 516
IETF Dictionary of RADIUS AV Pairs ... 518
RADIUS (IETF) Accounting AV Pairs ... 522
Microsoft MPPE Dictionary of RADIUS VSAs ... 524
Ascend Dictionary of RADIUS AV Pairs ... 527
Nortel Dictionary of RADIUS VSAs ... 535
Juniper Dictionary of RADIUS VSAs ... 536
Appendix E Cisco Secure ACS Command-Line Database Utility ... 537
CSUtil.exe Syntax ... 538
Location of CSUtil.exe and Related Files ... 538
CSUtil.exe Options ... 539
Backing up Cisco Secure ACS with CSUtil.exe ... 541
Restoring Cisco Secure ACS with CSUtil.exe ... 542
Creating a CiscoSecure User Database ... 543
Creating a Cisco Secure ACS Database Dump File ... 545
Loading the Cisco Secure ACS Database from a Dump File ... 546
Compacting the CiscoSecure User Database ... 547
User and AAA Client Import Option ... 549
Importing User and AAA Client Information ... 549
User and AAA Client Import File Format ... 549
About User and AAA Client Import File Format ... 551
ADD Statements ... 552
ONLINE or OFFLINE Statement ... 552
UPDATE Statements ... 554
ADD_NAS Statements ... 556
DELETE Statements ... 556
DEL_NAS Statements ... 558
Import File Examples ... 558
Exporting User List to a Text File ... 559
Exporting Group Information to a Text File ... 560
Decoding Error Numbers ... 561
Exporting Registry Information to a Text File ... 561
Recalculating CRC Values ... 562
User-Defined RADIUS Vendors and VSA Sets ... 563
About User-Defined RADIUS Vendors and VSA Sets ... 563
Adding a Custom RADIUS Vendor and VSA Set ... 564
Deleting a Custom RADIUS Vendor and VSA Set ... 565
Listing Custom RADIUS Vendors ... 566
RADIUS Vendor/VSA Import File ... 567
About the RADIUS Vendor/VSA Import File ... 568
Vendor and VSA Set Definition ... 569
Attribute Definition ... 570
Enumeration Definition ... 571
Example RADIUS Vendor/VSA Import File ... 573
Appendix F Cisco Secure ACS and Virtual Private Dial-Up Networks ... 575
VPDN Process ... 575
Appendix G ODBC Import Definitions ... 582
AccountActions Table Specification ... 582
AccountActions Table Format ... 582
AccountActions Table Mandatory Fields ... 583
AccountActions Table Processing Order ... 584
Action Codes ... 585
Action Codes for Creating and Modifying User Accounts ... 587
Action Codes for Setting and Deleting Values ... 587
Action Codes for Initializing and Modifying Access Filters ... 595
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings ... 600
Action Codes for Modifying Network Configuration ... 607
Action Code for Deleting the CiscoSecure User Database ... 611
Cisco Secure ACS Attributes and Action Codes ... 611
User-Specific Attributes ... 611
User-Defined Attributes ... 614
Group-Specific Attributes ... 614
An Example AccountActions Table ... 616
Appendix ... 619
Cisco Secure ACS Internal Architecture ... 619
Windows NT/2000 Environment Overview ... 620
Windows NT/2000 Services ... 620
Windows NT/2000 Registry ... 620
Cisco Secure ACS Web Server ... 620
CSAdmin ... 621
CSAuth ... 621
CSDBSync ... 624
CSLog ... 624
CSMon ... 625
Monitoring ... 625
Recording ... 627
Sample Scripts ... 628
Configuration ... 628
CSTacacs and CSRadius ... 629