Main
User Guide for Cisco Secure ACS for Windows Server
Version 3.3 May 2004
Page
CONTENTS
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Preface
Audience
Organization
Page
Conventions
Product Documentation
Related Documentation
Page
Obtaining Documentation
Cisco.com
Ordering Documentation
Documentation Feedback
Obtaining Technical Assistance
Cisco Technical Support Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Page
Overview
The Cisco Secure ACS Paradigm
Cisco Secure ACS Specifications
System Performance Specifications
Cisco Secure ACS Windows Services
AAA Server Functions and Concepts
Cisco Secure ACS and the AAA Client
AAA ProtocolsTACACS+ and RADIUS
TACACS+
RADIUS
Authentication
Authentication Considerations
Authentication and User Databases
Authentication Protocol-Database Compatibility
Passwords
Comparing PAP, CHAP, and ARAP
MS-CHAP
EAP Support
Basic Password Configurations
Advanced Password Configurations
Password Aging
User-Changeable Passwords
Other Authentication-Related Features
Authorization
Max Sessions
Dynamic Usage Quotas
Shared Profile Components
Support for Cisco Device-Management Applications
Page
Other Authorization-Related Features
Accounting
Other Accounting-Related Features
Administration
HTTP Port Allocation for Administrative Sessions
Network Device Groups
Other Administration-Related Features
Posture Validation
Cisco Secure ACS HTML Interface
About the Cisco Secure ACS HTML Interface
HTML Interface Security
HTML Interface Layout
Page
Uniform Resource Locator for the HTML Interface
Network Environments and Administrative Sessions
Administrative Sessions and HTTP Proxy
Administrative Sessions through Firewalls
Administrative Sessions through a NAT Gateway
Accessing the HTML Interface
Logging Off the HTML Interface
Online Help and Online Documentation
Using Online Help
Using the Online Documentation
Page
Page
Deployment Considerations
Basic Deployment Requirements for Cisco Secure ACS
System Requirements
Hardware Requirements
Operating System Requirements
Third-Party Software Requirements
Network and Port Requirements
Page
Basic Deployment Factors for Cisco Secure ACS
Network Topology
Dial-Up Topology
Page
Page
Wireless Network
Page
Page
Remote Access using VPN
I
Page
Remote Access Policy
Security Policy
Administrative Access Policy
Page
Separation of Administrative and General Users
Database
Number of Users
Type of Database
Network Latency and Reliability
Suggested Deployment Sequence
Page
Page
Page
Interface Configuration
Interface Design Concepts
User-to-Group Relationship
Per-User or Per-Group Features
User Data Configuration Options
Defining New User Data Fields
Advanced Options
Page
Setting Advanced Options for the Cisco Secure ACS User Interface
Protocol Configuration Options for TACACS+
Page
Setting Options for TACACS+
Page
Protocol Configuration Options for RADIUS
Page
Page
Page
Page
Setting Protocol Configuration Options for IETF RADIUS Attributes
Setting Protocol Configuration Options for Non-IETF RADIUS Attributes
Page
Network Configuration
About Network Configuration
About Distributed Systems
AAA Servers in Distributed Systems
Default Distributed System Settings
Proxy in Distributed Systems
Fallback on Failed Connection
Character String
Stripping
Proxy in an Enterprise
Remote Use of Accounting Packets
Other Features Enabled by System Distribution
Network Device Searches
Network Device Search Criteria
Searching for Network Devices
Page
AAA Client Configuration
AAA Client Configuration Options
Page
Page
Page
Page
Adding a AAA Client
Page
Page
Editing a AAA Client
Page
Deleting a AAA Client
AAA Server Configuration
AAA Server Configuration Options
Page
Adding a AAA Server
Page
Editing a AAA Server
Page
Deleting a AAA Server
Network Device Group Configuration
Adding a Network Device Group
Assigning an Unassigned AAA Client or AAA Server to an NDG
Reassigning a AAA Client or AAA Server to an NDG
Renaming a Network Device Group
Deleting a Network Device Group
Page
Proxy Distribution Table Configuration
About the Proxy Distribution Table
Adding a New Proxy Distribution Table Entry
Sorting the Character String Match Order of Distribution Entries
Editing a Proxy Distribution Table Entry
Deleting a Proxy Distribution Table Entry
Shared Profile Components
About Shared Profile Components
Network Access Filters
About Network Access Filters
Adding a Network Access Filter
Page
Editing a Network Access Filter
Page
Deleting a Network Access Filter
Downloadable IP ACLs
About Downloadable IP ACLs
Page
Adding a Downloadable IP ACL
Page
Page
Editing a Downloadable IP ACL
Deleting a Downloadable IP ACL
Network Access Restrictions
About Network Access Restrictions
Page
About IP-based NAR Filters
About Non-IP-based NAR Filters
Adding a Shared Network Access Restriction
Page
Page
Page
Editing a Shared Network Access Restriction
Deleting a Shared Network Access Restriction
Command Authorization Sets
About Command Authorization Sets
Command Authorization Sets Description
Page
Command Authorization Sets Assignment
Case Sensitivity and Command Authorization
Arguments and Command Authorization
About Pattern Matching
Adding a Command Authorization Set
Page
Editing a Command Authorization Set
Page
Deleting a Command Authorization Set
Page
User Group Management
About User Group Setup Features and Functions
Default Group
Group TACACS+ Settings
Basic User Group Settings
Group Disablement
Enabling VoIP Support for a User Group
Setting Default Time-of-Day Access for a User Group
Page
Setting Callback Options for a User Group
Setting Network Access Restrictions for a User Group
Page
Page
Page
Setting Max Sessions for a User Group
Page
Setting Usage Quotas for a User Group
Page
Configuration-specific User Group Settings
Page
Setting Token Card Settings for a User Group
Setting Enable Privilege Options for a User Group
Page
Enabling Password Aging for the CiscoSecure User Database
Page
Page
Page
Page
Enabling Password Aging for Users in Windows Databases
Page
Setting IP Address Assignment Method for a User Group
Page
Assigning a Downloadable IP ACL to a Group
Configuring TACACS+ Settings for a User Group
Page
Configuring a Shell Command Authorization Set for a User Group
Page
Configuring a PIX Command Authorization Set for a User Group
Page
Configuring Device-Management Command Authorization for a
Configuring IETF RADIUS Settings for a User Group
Page
Configuring Cisco IOS/PIX RADIUS Settings for a User Group
Configuring Cisco Aironet RADIUS Settings for a User Group
Page
Configuring Ascend RADIUS Settings for a User Group
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a
Page
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a
Configuring Microsoft RADIUS Settings for a User Group
Page
Configuring Nortel RADIUS Settings for a User Group
Configuring Juniper RADIUS Settings for a User Group
Configuring BBSM RADIUS Settings for a User Group
Page
Configuring Custom RADIUS VSA Settings for a User Group
Group Setting Management
Listing Users in a User Group
Resetting Usage Quota Counters for a User Group
Renaming a User Group
Saving Changes to User Group Settings
User Management
About User Setup Features and Functions
About User Databases
Basic User Setup Options
Adding a Basic User Account
Page
Setting Supplementary User Information
Setting a Separate CHAP/MS-CHAP/ARAP Password
Assigning a User to a Group
Setting User Callback Option
Assigning a User to a Client IP Address
Setting Network Access Restrictions for a User
Page
Page
Page
Page
Setting Max Sessions Options for a User
Page
Setting User Usage Quotas Options
Page
Setting Options for User Account Disablement
Assigning a Downloadable IP ACL to a User
Advanced User Authentication Settings
TACACS+ Settings (User)
Configuring TACACS+ Settings for a User
Page
Configuring a Shell Command Authorization Set for a User
Page
Page
Configuring a PIX Command Authorization Set for a User
Configuring Device-Management Command Authorization for a User
Page
Configuring the Unknown Service Setting for a User
Advanced TACACS+ Settings (User)
Setting Enable Privilege Options for a User
Page
Setting TACACS+ Enable Password Options for a User
Page
Setting TACACS+ Outbound Password for a User
RADIUS Attributes
Setting IETF RADIUS Parameters for a User
Setting Cisco IOS/PIX RADIUS Parameters for a User
Page
Setting Cisco Aironet RADIUS Parameters for a User
Page
Setting Ascend RADIUS Parameters for a User
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User
Page
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User
Setting Microsoft RADIUS Parameters for a User
Page
Setting Nortel RADIUS Parameters for a User
Page
Setting Juniper RADIUS Parameters for a User
Setting BBSM RADIUS Parameters for a User
Setting Custom RADIUS Attributes for a User
User Management
Listing All Users
Finding a User
Disabling a User Account
Deleting a User Account
Resetting User Session Quota Counters
Resetting a User Account after Login Failure
Saving User Settings
System Configuration: Basic
Service Control
Determining the Status of Cisco Secure ACS Services
Stopping, Starting, or Restarting Services
Logging
Date Format Control
Setting the Date Format
Page
Local Password Management
Page
Configuring Local Password Management
Page
Cisco Secure ACS Backup
About Cisco Secure ACS Backup
Backup File Locations
Directory Management
Components Backed Up
Reports of Cisco Secure ACS Backups
Backup Options
Performing a Manual Cisco Secure ACS Backup
Scheduling Cisco Secure ACS Backups
Disabling Scheduled Cisco Secure ACS Backups
Cisco Secure ACS System Restore
About Cisco Secure ACS System Restore
Backup Filenames and Locations
Components Restored
Reports of Cisco Secure ACS Restorations
Restoring Cisco Secure ACS from a Backup File
Cisco Secure ACS Active Service Management
System Monitoring
System Monitoring Options
Setting Up System Monitoring
Event Logging
Setting Up Event Logging
VoIP Accounting Configuration
Configuring VoIP Accounting
Page
System Configuration: Advanced
CiscoSecure Database Replication
About CiscoSecure Database Replication
Page
Replication Process
Page
Page
Replication Frequency
Important Implementation Considerations
Page
Page
Database Replication Versus Database Backup
Database Replication Logging
Replication Options
Replication Components Options
Outbound Replication Options
Page
Page
Inbound Replication Options
Implementing Primary and Secondary Replication Setups on Cisco Secure ACSes
Page
Configuring a Secondary Cisco Secure ACS
Page
Replicating Immediately
Page
Scheduling Replication
Page
Page
Disabling CiscoSecure Database Replication
Database Replication Event Errors
RDBMS Synchronization
About RDBMS Synchronization
Users
User Groups
Network Configuration
Custom RADIUS Vendors and VSAs
RDBMS Synchronization Components
About CSDBSync
Page
About the accountActions Table
Cisco Secure ACS Database Recovery Using the accountActions Table
Reports and Event (Error) Handling
Preparing to Use RDBMS Synchronization
Page
Considerations for Using CSV-Based Synchronization
Preparing for CSV-Based Synchronization
Configuring a System Data Source Name for RDBMS Synchronization
RDBMS Synchronization Options
RDBMS Setup Options
Synchronization Scheduling Options
Synchronization Partners Options
Performing RDBMS Synchronization Immediately
Scheduling RDBMS Synchronization
Page
Disabling Scheduled RDBMS Synchronizations
IP Pools Server
About IP Pools Server
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges
Page
Refreshing the AAA Server IP Pools Table
Adding a New IP Pool
Editing an IP Pool Definition
Resetting an IP Pool
Deleting an IP Pool
IP Pools Address Recovery
Enabling IP Pool Address Recovery
Page
System Configuration: Authentication and Certificates
About Certification and EAP Protocols
Digital Certificates
EAP-TLS Authentication
About the EAP-TLS Protocol
EAP-TLS and Cisco Secure ACS
Page
EAP-TLS Limitations
Enabling EAP-TLS Authentication
PEAP Authentication
About the PEAP Protocol
PEAP and Cisco Secure ACS
Page
PEAP and the Unknown User Policy
Enabling PEAP Authentication
EAP-FAST Authentication
About EAP-FAST
Page
About Master Keys
Page
About PACs
Automatic PAC Provisioning
Page
Manual PAC Provisioning
Master Key and PAC TTLs
Replication and EAP-FAST
Page
Page
Enabling EAP-FAST
Global Authentication Setup
Authentication Configuration Options
Page
Page
Page
Page
Page
Configuring Authentication Options
Cisco Secure ACS Certificate Setup
Installing a Cisco Secure ACS Server Certificate
Page
Adding a Certificate Authority Certificate
Editing the Certificate Trust List
Page
Managing Certificate Revocation Lists
About Certificate Revocation Lists
Certificate Revocation List Configuration Options
Adding a Certificate Revocation List Issuer
Page
Editing a Certificate Revocation List Issuer
Deleting a Certificate Revocation List Issuer
Generating a Certificate Signing Request
Page
Using Self-Signed Certificates
About Self-Signed Certificates
Self-Signed Certificate Configuration Options
Generating a Self-Signed Certificate
Updating or Replacing a Cisco Secure ACS Certificate
Page
Page
Logs and Reports
Logging Formats
Special Logging Attributes
Page
NAC Attributes in Logs
Update Packets in Accounting Logs
About Cisco Secure ACS Logs and Reports
Accounting Logs
Page
Page
Dynamic Administration Reports
Viewing the Logged-in Users Report
Deleting Logged-in Users
Viewing the Disabled Accounts Report
Cisco Secure ACS System Logs
Configuring the Administration Audit Log
Working with CSV Logs
CSV Log File Names
CSV Log File Locations
Enabling or Disabling a CSV Log
Viewing a CSV Report
Configuring a CSV Log
Page
Working with ODBC Logs
Preparing for ODBC Logging
Configuring a System Data Source Name for ODBC Logging
Configuring an ODBC Log
Page
Page
Remote Logging
About Remote Logging
Implementing Centralized Remote Logging
Remote Logging Options
Enabling and Configuring Remote Logging
Page
Disabling Remote Logging
Service Logs
Services Logged
Configuring Service Logs
Page
Administrators and Administrative Policy
Administrator Accounts
About Administrator Accounts
Administrator Privileges
Page
Page
Adding an Administrator Account
Editing an Administrator Account
Page
Page
Unlocking a Locked Out Administrator Account
Deleting an Administrator Account
Access Policy
Access Policy Options
Page
Setting Up Access Policy
Page
Session Policy
Session Policy Options
Setting Up Session Policy
Audit Policy
User Databases
CiscoSecure User Database
About the CiscoSecure User Database
User Import and Creation
About External User Databases
Authenticating with External User Databases
External User Database Authentication Process
Windows User Database
Whats Supported with Windows User Databases
Authentication with Windows User Databases
Trust Relationships
Windows Dial-up Networking Clients
Windows Dial-up Networking Clients with a Domain Field
Windows Dial-up Networking Clients without a Domain Field
Usernames and Windows Authentication
Username Formats and Windows Authentication
Page
Non-domain-qualified Usernames
Domain-Qualified Usernames
UPN Usernames
EAP and Windows Authentication
EAP-TLS Domain Stripping
Machine Authentication
Page
Page
Machine Access Restrictions
Microsoft Windows and Machine Authentication
Page
Enabling Machine Authentication
Page
Page
User-Changeable Passwords with Windows User Databases
Preparing Users for Authenticating with Windows
Windows User Database Configuration Options
Page
Page
Page
Configuring a Windows External User Database
Page
Generic LDAP
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Multiple LDAP Instances
LDAP Organizational Units and Groups
Domain Filtering
Page
LDAP Failover
Successful Previous Authentication with the Primary LDAP Server
Unsuccessful Previous Authentication with the Primary LDAP Server
LDAP Configuration Options
Page
Page
Page
Page
Page
Configuring a Generic LDAP External User Database
Page
Page
Page
Page
Page
Novell NDS Database
About Novell NDS User Databases
User Contexts
Novell NDS External User Database Options
Configuring a Novell NDS External User Database
Page
ODBC Database
Page
What is Supported with ODBC User Databases
Cisco Secure ACS Authentication Process with an ODBC External User Database
Preparing to Authenticate Users with an ODBC-Compliant Relational Database
Implementation of Stored Procedures for ODBC Authentication
Type Definitions
Microsoft SQL Server and Case-Sensitive Passwords
Sample Routine for Generating a PAP Authentication SQL
Sample Routine for Generating an SQL CHAP Authentication
Sample Routine for Generating an EAP-TLS Authentication
PAP Authentication Procedure Input
PAP Procedure Output
CHAP/MS-CHAP/ARAP Authentication Procedure Input
CHAP/MS-CHAP/ARAP Procedure Output
EAP-TLS Authentication Procedure Input
EAP-TLS Procedure Output
Result Codes
Configuring a System Data Source Name for an ODBC External User Database
Configuring an ODBC External User Database
Page
Page
Page
LEAP Proxy RADIUS Server Database
Configuring a LEAP Proxy RADIUS Server External User Database
Page
Token Server User Databases
About Token Servers and Cisco Secure ACS
Token Servers and ISDN
RADIUS-Enabled Token Servers
About RADIUS-Enabled Token Servers
Token Server RADIUS Authentication Request and Response Contents
Configuring a RADIUS Token Server External User Database
Page
Page
RSA SecurID Token Servers
Configuring an RSA SecurID Token Server External User Database
Deleting an External User Database Configuration
Page
Page
Network Admission Control
About Network Admission Control
NAC AAA Components
Posture Validation
Posture Tokens
Non-Responsive NAC-Client Computers
Implementing Network Admission Control
Page
Page
Page
Page
NAC Databases
About NAC Databases
About NAC Credentials and Attributes
NAC Database Configuration Options
Policy Selection Options
Configuring a NAC Database
Page
NAC Policies
Local Policies
About Local Policies
About Rules, Rule Elements, and Attributes
NAC Attribute Data Types
Rule Operators
Page
Local Policy Configuration Options
Page
Rule Configuration Options
Creating a Local Policy
Page
Page
External Policies
About External Policies
External Policy Configuration Options
Page
Page
Creating an External Policy
Page
Editing a Policy
Page
Deleting a Policy
Page
Page
Unknown User Policy
Known, Unknown, and Discovered Users
Page
Authentication and Unknown Users
About Unknown User Authentication
General Authentication of Unknown Users
Windows Authentication of Unknown Users
Domain-Qualified Unknown Windows Users
Windows Authentication with Domain Qualification
Multiple User Account Creation
Performance of Unknown User Authentication
Added Authentication Latency
Authentication Timeout Value on AAA clients
Posture Validation and the Unknown User Policy
NAC and the Unknown User Policy
Posture Validation Use of the Unknown User Policy
Required Use for Posture Validation
Authorization of Unknown Users
Unknown User Policy Options
Database Search Order
Page
Configuring the Unknown User Policy
Disabling Unknown User Authentication
Page
User Group Mapping and Specification
About User Group Mapping and Specification
Group Mapping by External User Database
Page
Group Mapping by Group Set Membership
Group Mapping Order
No Access Group for Group Set Mappings
Default Group Mapping for Windows
Windows Group Mapping Limitations
Creating a Cisco Secure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups
Page
Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping
Deleting a Windows, Novell NDS, or Generic LDAP Group Set Mapping
Deleting a Windows Domain Group Mapping Configuration
Changing Group Set Mapping Order
NAC Group Mapping
Configuring NAC Group Mapping
RADIUS-Based Group Specification
Page
Page
A
Troubleshooting
Administration Issues
Page
Browser Issues
Cisco IOS Issues
Page
Database Issues
Page
Page
Dial-in Connection Issues
Page
Page
Page
Debug Issues
Proxy Issues
Installation and Upgrade Issues
MaxSessions Issues
Report Issues
Page
Third-Party Server Issues
User Authentication Issues
Page
TACACS+ and RADIUS Attribute Issues
B
TACACS+ Attribute-Value Pairs
Cisco IOS AV Pair Dictionary
TACACS+ AV Pairs
Page
TACACS+ Accounting AV Pairs
Page
Page
C
RADIUS Attributes
Cisco IOS Dictionary of RADIUS AV Pairs
Page
Page
Cisco IOS/PIX Dictionary of RADIUS VSAs
Page
About the cisco-av-pair RADUIS Attribute
Page
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs
Page
Page
Page
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
IETF Dictionary of RADIUS AV Pairs
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Microsoft MPPE Dictionary of RADIUS VSAs
Page
Page
Ascend Dictionary of RADIUS AV Pairs
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Nortel Dictionary of RADIUS VSAs
Juniper Dictionary of RADIUS VSAs
D
CSUtil Database Utility
Location of CSUtil.exe and Related Files
CSUtil.exe Syntax
CSUtil.exe Options
Page
Displaying Command-Line Syntax
Backing Up Cisco Secure ACS with CSUtil.exe
Restoring Cisco Secure ACS with CSUtil.exe
Creating a CiscoSecure User Database
Page
Creating a Cisco Secure ACS Database Dump File
Loading the Cisco Secure ACS Database from a Dump File
Compacting the CiscoSecure User Database
Page
User and AAA Client Import Option
Importing User and AAA Client Information
User and AAA Client Import File Format
About User and AAA Client Import File Format
ONLINE or OFFLINE Statement
ADD Statements
UPDATE Statements
Page
DELETE Statements
ADD_NAS Statements
Page
DEL_NAS Statements
Import File Example
Exporting User List to a Text File
Exporting Group Information to a Text File
Exporting Registry Information to a Text File
Decoding Error Numbers
Recalculating CRC Values
User-Defined RADIUS Vendors and VSA Sets
About User-Defined RADIUS Vendors and VSA Sets
Adding a Custom RADIUS Vendor and VSA Set
Page
Deleting a Custom RADIUS Vendor and VSA Set
Listing Custom RADIUS Vendors
Exporting Custom RADIUS Vendor and VSA Sets
RADIUS Vendor/VSA Import File
About the RADIUS Vendor/VSA Import File
Vendor and VSA Set Definition
Attribute Definition
Page
Enumeration Definition
Example RADIUS Vendor/VSA Import File
D-40
PAC File Generation
PAC File Options and Examples, page D-41 Generating PAC Files, page D-43
PAC File Options and Examples
Page
Generating PAC Files
Posture Validation Attributes
Posture Validation Attribute Definition File
Page
Page
Page
Exporting Posture Validation Attribute Definitions
Importing Posture Validation Attribute Definitions
Page
Deleting a Posture Validation Attribute Definition
Default Posture Validation Attribute Definition File
D-53
D-54
D-55
D-56
D-57
D-58
D-59
D-60
D-61
D-62
D-63
Page
E
VPDN Processing
VPDN Process
Page
Page
Page
Page
E-6
Figure E-9 HG Uses ACS to Authenticate User
Figure E-10 Another User Dials In While Tunnel is Up
9. If another user (sue@corporation.us) dials in to the NAS while the tunnel is
F
RDBMS Synchronization Import Definitions
accountActions Specification
accountActions Format
accountActions Mandatory Fields
accountActions Processing Order
Action Codes
Action Codes for Setting and Deleting Values
Page
Action Codes for Creating and Modifying User Accounts
Page
Page
Page
Page
Page
Page
Action Codes for Initializing and Modifying Access Filters
Page
Page
Page
Page
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings
Page
Page
Page
Page
Page
Action Codes for Modifying Network Configuration
Page
Page
Page
Page
Page
Page
Cisco Secure ACS Attributes and Action Codes
User-Specific Attributes
Page
User-Defined Attributes
Group-Specific Attributes
An Example of accountActions
Page
Page
G
Internal Architecture
Windows Services
Windows Registry
CSAdmin
CSAuth
CSDBSync
CSLog
CSMon
Monitoring
Recording
Notification
Response
CSTacacs and CSRadius
INDEX
A
Page
B
C
Page
D
Page
E
F
G
H
I
L
Page
M
N
Page
O
P
Page
Q
R
Page
Page
Page
S
T
Page
U
V
W
