Preface
Document Objectives
Who Should Read This Guide
How This Guide is Organized
Conventions Used in This Guide
Related Documentation
Obtaining Documentation
World Wide Web
Documentation CD-ROM
Ordering Documentation
Documentation Feedback
Obtaining Technical Assistance
Cisco.com
Technical Assistance Center
Cisco TAC Web Site
Cisco TAC Escalation Center
Overview of Cisco Secure ACS
The Cisco Secure ACS Paradigm
Cisco Secure ACS Specifications
System Performance Specifications
Cisco Secure ACS Windows Services
AAA Server Functions and Concepts
Cisco Secure ACS and the AAA Client
AAA Protocols: TACACS+ and RADIUS
TACACS+
RADIUS
Authentication
Authentication Considerations
Authentication and User Databases
Passwords
Comparing PAP, CHAP, and ARAP
MS-CHAP
Basic Password Configurations
Advanced Password Configurations
Password Aging
User-Changeable Passwords
Other Authentication-Related Features
Authorization
Max Sessions
Dynamic Usage Quotas
Other Authorization-Related Features
Accounting
Other Accounting-Related Features
Administration
HTTP Port Allocation for Remote Administrative Sessions
Network Device Groups
Other Administration-Related Features
Cisco Secure ACS HTML Interface
About the Cisco Secure ACS HTML Interface
HTML Interface Layout
Uniform Resource Locator for the HTML Interface
Network Environments and Remote Administrative Sessions
Remote Administrative Sessions and HTTP Proxy
Remote Administrative Sessions through Firewalls
Remote Administrative Sessions through a NAT Gateway
Accessing the HTML Interface
Logging Off the HTML Interface
Online Help and Online Documentation
Using Online Help
Using the Online Documentation
Deploying Cisco Secure ACS
Basic Deployment Requirements for Cisco Secure ACS
System Requirements
Hardware Requirements
Operating System Requirements
Third-Party Software Requirements
Network Requirements
Basic Deployment Factors for Cisco Secure ACS
Network Topology
Dial-Up Topology
Wireless Network
Remote Access using VPN
Remote Access Policy
Security Policy
Administrative Access Policy
Separation of Administrative and General Users
Database
Number of Users
Type of Database
Network Speed and Reliability
Suggested Deployment Sequence
Setting Up the Cisco Secure ACS HTML Interface
Interface Design Concepts
User-to-Group Relationship
Per-User or Per-Group Features
User Data Configuration Options
Defining New User Data Fields
Advanced Options
Setting Advanced Options for the Cisco Secure ACS User Interface
Protocol Configuration Options for TACACS+
Setting Options for TACACS+
Protocol Configuration Options for RADIUS
Setting Protocol Configuration Options for (IETF) RADIUS
Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX)
Setting Protocol Configuration Options for RADIUS (Ascend)
Setting Protocol Configuration Options for RADIUS (Cisco VPN 3000)
Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000)
Setting Protocol Configuration Options for RADIUS (Microsoft)
Setting Protocol Configuration Options for RADIUS (Nortel)
Setting Protocol Configuration Options for RADIUS (Juniper)
Setting Protocol Configuration Options for RADIUS (Cisco BBSM)
Setting Up and Managing Network Configuration
About Distributed Systems
AAA Servers in Distributed Systems
Default Distributed System Settings
Proxy in Distributed Systems
Fallback on Failed Connection
Character String Stripping
Proxy in an Enterprise
Remote Use of Accounting Packets
Other Features Enabled by System Distribution
AAA Client Configuration
Adding and Configuring a AAA Client
Editing an Existing AAA Client
Deleting a AAA Client
AAA Server Configuration
Adding and Configuring a AAA Server
Editing a AAA Server Configuration
Deleting a AAA Server
Network Device Group Configuration
Adding a Network Device Group
Assigning an Unassigned AAA Client or AAA Server to an NDG
Reassigning a AAA Client or AAA Server to an NDG
Renaming a Network Device Group
Deleting a Network Device Group
Proxy Distribution Table Configuration
About the Proxy Distribution Table
Adding a New Proxy Distribution Table Entry
Sorting the Character String Match Order of Distribution Entries
Editing a Proxy Distribution Table Entry
Deleting a Proxy Distribution Table Entry
Setting Up and Managing Shared Profile Components
Downloadable PIX ACLs
About Downloadable PIX ACLs
Downloadable PIX ACL Configuration
Adding a Downloadable PIX ACL
Editing a Downloadable PIX ACL
Deleting a Downloadable PIX ACL
Network Access Restrictions
About Network Access Restrictions
Shared Network Access Restrictions Configuration
Adding a Shared Network Access Restriction
Editing a Shared Network Access Restriction
Deleting a Shared Network Access Restriction
Command Authorization Sets
About Command Authorization Sets
About Pattern Matching
Command Authorization Sets Configuration
Adding a Command Authorization Set
Editing a Command Authorization Set
Deleting a Command Authorization Set
Setting Up and Managing User Groups
User Group Setup Features and Functions
Default Group
Group TACACS+ Settings
Common User Group Settings
Enabling VoIP Support for a User Group
Setting Default Time of Day Access for a User Group
Setting Callback Options for a User Group
Setting Network Access Restrictions for a User Group
Setting Max Sessions for a User Group
Setting Usage Quotas for a User Group
Configuration-specific User Group Settings
Setting Token Card Settings for a User Group
Setting Enable Privilege Options for a User Group
Enabling Password Aging for the CiscoSecure User Database
Varieties of Password Aging Supported by Cisco Secure ACS
Password Aging Feature Settings
Enabling Password Aging for Users in Windows Databases
Setting IP Address Assignment Method for a User Group
Assigning a Downloadable PIX ACL to a Group
Configuring TACACS+ Settings for a User Group
Configuring a Shell Command Authorization Set for a User Group
Configuring a PIX Command Authorization Set for a User Group
Configuring IETF RADIUS Settings for a User Group
Configuring Cisco IOS/PIX RADIUS Settings for a User Group
Configuring Ascend RADIUS Settings for a User Group
Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group
Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group
Configuring Microsoft RADIUS Settings for a User Group
Configuring Nortel RADIUS Settings for a User Group
Configuring Juniper RADIUS Settings for a User Group
Configuring Cisco BBSM RADIUS Settings for a User Group
Configuring Custom RADIUS VSA Settings for a User Group
Group Setting Management
Listing Users in a User Group
Resetting Usage Quota Counters for a User Group
Renaming a User Group
Saving Changes to User Group Settings
Setting Up and Managing User Accounts
User Setup Features and Functions
About User Databases
Basic User Setup Options
Adding a Basic User Account
Setting Supplementary User Information
Setting a Separate CHAP/MS-CHAP/ARAP Password
Assigning a User to a Group
Setting User Callback Option
Assigning a User to a Client IP Address
Setting Network Access Restrictions for a User
Setting Max Sessions Options for a User
Setting User Usage Quotas Options
Setting Options for User Account Disablement
Assigning a PIX ACL to a User
Advanced User Authentication Settings
TACACS+ Settings (User)
Configuring TACACS+ Settings for a User
Configuring a Shell Command Authorization Set for a User
Configuring a PIX Command Authorization Set for a User
Configuring the Unknown Service Setting for a User
Advanced TACACS+ Settings (User)
Setting Enable Privilege Options for a User
Setting TACACS+ Enable Password Options for a User
Setting TACACS+ Outbound Password for a User
RADIUS Attributes
Setting IETF RADIUS Parameters for a User
Setting Cisco IOS/PIX RADIUS Parameters for a User
Setting Ascend RADIUS Parameters for a User
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User
Setting Microsoft RADIUS Parameters for a User
Setting Nortel RADIUS Parameters for a User
Setting Juniper RADIUS Parameters for a User
Setting BBSM RADIUS Parameters for a User
Setting Custom RADIUS Attributes for a User
User Management
Listing All Users
Finding a User
Disabling a User Account
Deleting a User Account
Resetting User Session Quota Counters
Resetting a User Account after Login Failure
Saving User Settings
Establishing Cisco Secure ACS System Configuration
Service Control
Determining the Status of Cisco Secure ACS Services
Stopping, Starting, or Restarting Services
Logging
Date Format Control
Setting the Date Format
Password Validation
Setting Password Validation Options
CiscoSecure Database Replication
About CiscoSecure Database Replication
Replication Process
Replication Frequency
Important Implementation Considerations
Database Replication Versus Database Backup
Database Replication Logging
Replication Options
Replication Components Options
Replication Scheduling Options
Replication Partners Options
Implementing Primary and Secondary Replication Setups on Cisco Secure ACS Servers
Configuring a Secondary Cisco Secure ACS Server
Replicating Immediately
Scheduling Replication
Disabling CiscoSecure Database Replication
Database Replication Event Error Alert Notification
RDBMS Synchronization
About RDBMS Synchronization
RDBMS Synchronization Components
About CSDBSync
About the accountActions Table
Cisco Secure ACS Database Recovery Using the accountActions Table
Reports and Event (Error) Handling
Preparing to Use RDBMS Synchronization
Considerations for Using CSV-Based Synchronization
Preparing for CSV-Based Synchronization
Configuring a System Data Source Name for RDBMS Synchronization
RDBMS Synchronization Options
RDBMS Setup Options
Synchronization Scheduling Options
Synchronization Partners Options
Performing RDBMS Synchronization Immediately
Scheduling RDBMS Synchronization
Disabling Scheduled RDBMS Synchronizations
Cisco Secure ACS Backup
About Cisco Secure ACS Backup
Backup File Locations
Directory Management
Components Backed Up
Reports of Cisco Secure ACS Backups
Performing a Manual Cisco Secure ACS Backup
Scheduling Cisco Secure ACS Backups
Disabling Scheduled Cisco Secure ACS Backups
Cisco Secure ACS System Restore
About Cisco Secure ACS System Restore
Backup File Names and Locations
Components Restored
Reports of Cisco Secure ACS Restorations
Restoring Cisco Secure ACS from a Backup File
Cisco Secure ACS Active Service Management
System Monitoring
System Monitoring Options
Setting Up System Monitoring
Event Logging
Setting Up Event Logging
IP Pools Server
Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges
Refreshing the AAA Server IP Pools Table
Adding a New IP Pool
Editing an IP Pool Definition
Resetting an IP Pool
Deleting an IP Pool
IP Pools Address Recovery
Enabling IP Pool Address Recovery
VoIP Accounting Configuration
Configuring VoIP Accounting
Cisco Secure ACS Certificate Setup
Background on Certification
EAP-TLS Setup Overview
Requirements for Certificate Enrollment
Generating a Request for a Certificate
Installing Cisco Secure ACS Certification with Manual Enrollment
Installing Cisco Secure ACS Certification with Automatic Enrollment
Performing Cisco Secure ACS Certification Update or Replacement
Certification Authority Setup
Trust Requirements and Models
Editing the Certificate Trust List
Adding a New CA Certificate to Local Certificate Storage
Global Authentication Setup
Working with Logging and Reports
Logging Formats
Special Logging Attributes
Update Packets In Accounting Logs
About Cisco Secure ACS Logs and Reports
Accounting Logs
TACACS+ Accounting Log
TACACS+ Administration Log
RADIUS Accounting Log
VoIP Accounting Log
Failed Attempts Log
Passed Authentications Log
Dynamic Cisco Secure ACS Administration Reports
Logged-In Users Report
Viewing the Logged-in Users Report
Deleting Logged-in Users
Disabled Accounts Report
Viewing the Disabled Accounts Report
Cisco Secure ACS System Logs
ACS Backup and Restore Log
RDBMS Synchronization Log
Database Replication Log
Administration Audit Log
Configuring the Administration Audit Log
ACS Service Monitoring Log
Working with CSV Logs
CSV Log File Names
Enabling or Disabling a CSV Log
Viewing a CSV Report
Configuring a CSV Log
Working with ODBC Logs
Preparing to Use ODBC Logging
Configuring a System Data Source Name for ODBC Logging
Configuring an ODBC Log
Remote Logging
About Remote Logging
Remote Logging Options
Configuring a Central Logging Server
Enabling and Configuring Remote Logging
Disabling Remote Logging
Service Logs
Services Logged
Configuring Service Logs
Setting Up and Managing Administrators and Policy
Administrator Accounts
Administrator Privileges
Adding an Administrator Account
Editing an Administrator Account
Deleting an Administrator Account
Access Policy
Access Policy Options
Setting Up Access Policy
Session Policy
Session Policy Options
Setting Up Session Policy
Working with User Databases
CiscoSecure User Database
About External User Databases
Authenticating with External User Databases
Windows NT/2000 User Database
The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases
Trust Relationships
Windows Dial-up Networking Clients
About the Windows NT/2000 Dial-up Networking Client
About the Windows 95/98/Millennium Edition Dial-up Networking Client
Windows NT/2000 Authentication
User-Changeable Passwords with Windows NT/2000 User Databases
Preparing Users for Authenticating with Windows NT/2000
Configuring a Windows NT/2000 External User Database
Generic LDAP
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Multiple LDAP Instances
LDAP Organizational Units and Groups
Directed Authentications
LDAP Failover
Successful Previous Authentication with the Primary LDAP Server
Unsuccessful Previous Authentication with the Primary LDAP Server
Configuring a Generic LDAP External User Database
Novell NDS Database
User Contexts
Novell NDS External User Database Options
Configuring a Novell NDS External User Database
ODBC Database
Cisco Secure ACS Authentication Process with an ODBC External User Database
Preparing to Authenticate Users with an ODBC-Compliant Relational Database
Implementation of Stored Procedures for ODBC Authentication
Type Definitions
Microsoft SQL Server and Case-Sensitive Passwords
Sample Routine for Generating a PAP Authentication SQL Procedure
Sample Routine for Generating an SQL CHAP Authentication Procedure
PAP Authentication Procedure Input
PAP Procedure Output
CHAP/MS-CHAP/ARAP Authentication Procedure Input
CHAP/MS-CHAP/ARAP Procedure Output
Result Codes
Configuring a System Data Source Name for an ODBC External User Database
Configuring an ODBC External User Database
LEAP Proxy RADIUS Server Database
Configuring a LEAP Proxy RADIUS Server External User Database
Token Server User Databases
About Token Servers and Cisco Secure ACS
Token Servers and ISDN
RADIUS-Enabled Token Servers
About RADIUS-Enabled Token Servers
Token Server RADIUS Authentication Request and Response Contents
Configuring a RADIUS Token Server External User Database
Token Servers with Vendor-Proprietary Interfaces
About Token Servers with Proprietary Interfaces
Configuring a SafeWord Token Server External User Database
Configuring an AXENT Token Server External User Database
Configuring an RSA SecurID Token Server External User Database
Deleting an External User Database Configuration
Administering External User Databases
Unknown User Processing
Known, Unknown, and Cached Users
General Authentication Request Handling and Rejection Mode
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database
Windows Authentication with a Domain Specified
Windows Authentication with Domain Omitted
Performance of Unknown User Authentication
Added Latency
Authentication Timeout Value on AAA clients
Network Access Authorization
Unknown User Policy
Database Search Order
Configuring the Unknown User Policy
Turning off External User Database Authentication
Database Group Mappings
Group Mapping by External User Database
Group Mapping by Group Set Membership
Group Mapping Order
No Access Group for Group Set Mappings
Default Group Mapping for Windows NT/2000
Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups
Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping
Deleting a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping
Deleting a Windows NT/2000 Domain Group Mapping Configuration
Changing Group Set Mapping Order
RADIUS-Based Group Specification
A
Administration Issues
Browser Issues
Cisco IOS Issues
Database Issues
Dial-in Connection Issues
Debug Issues
Proxy Issues
Installation and Upgrade Issues
MaxSessions Issues
Report Issues
Third-Party Server Issues
PIX Firewall Issues
User Authentication Issues
TACACS+ and RADIUS Attribute Issues
B
System Messages
Windows NT/2000 Event Log Service Startup Errors
System Monitored Events
Replication Messages
Failed Attempts Messages
C
TACACS+ Attribute-Value Pairs
Cisco IOS Attribute-Value Pair Dictionary
TACACS+ AV Pairs
TACACS+ Accounting AV Pairs
D
RADIUS Attributes
Cisco IOS Dictionary of RADIUS AV Pairs
Cisco IOS/PIX Dictionary of RADIUS VSAs
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
Cisco Building Broadband Service Manager Dictionary of RADIUS VSAs
Vendor-Proprietary IETF RADIUS AV Pairs
IETF Dictionary of RADIUS AV Pairs
RADIUS (IETF) Accounting AV Pairs
Microsoft MPPE Dictionary of RADIUS VSAs
Ascend Dictionary of RADIUS AV Pairs
Nortel Dictionary of RADIUS VSAs
Juniper Dictionary of RADIUS VSAs
E
Cisco Secure ACS Command-Line Database Utility
Location of CSUtil.exe and Related Files
CSUtil.exe Syntax
CSUtil.exe Options
Backing Up Cisco Secure ACS with CSUtil.exe
Restoring Cisco Secure ACS with CSUtil.exe
Creating a CiscoSecure User Database
Creating a Cisco Secure ACS Database Dump File
Loading the Cisco Secure ACS Database from a Dump File
Compacting the CiscoSecure User Database
User and AAA Client Import Option
Importing User and AAA Client Information
User and AAA Client Import File Format
About User and AAA Client Import File Format
ONLINE or OFFLINE Statement
ADD Statements
UPDATE Statements
DELETE Statements
ADD_NAS Statements
DEL_NAS Statements
Import File Examples
Exporting User List to a Text File
Exporting Group Information to a Text File
Exporting Registry Information to a Text File
Decoding Error Numbers
Recalculating CRC Values
User-Defined RADIUS Vendors and VSA Sets
About User-Defined RADIUS Vendors and VSA Sets
Adding a Custom RADIUS Vendor and VSA Set
Deleting a Custom RADIUS Vendor and VSA Set
Listing Custom RADIUS Vendors
RADIUS Vendor/VSA Import File
About the RADIUS Vendor/VSA Import File
Vendor and VSA Set Definition
Attribute Definition
Enumeration Definition
Example RADIUS Vendor/VSA Import File
F
Cisco Secure ACS and Virtual Private Dial-up Networks
VPDN Process
G
ODBC Import Definitions
accountActions Table Specification
accountActions Table Format
accountActions Table Mandatory Fields
accountActions Table Processing Order
Action Codes
Action Codes for Setting and Deleting Values
Action Codes for Creating and Modifying User Accounts
Action Codes for Initializing and Modifying Access Filters
Action Codes for Modifying TACACS+ and RADIUS Group and User Settings
Action Codes for Modifying Network Configuration
Action Code for Deleting the CiscoSecure User Database
Cisco Secure ACS Attributes and Action Codes
User-Specific Attributes
User-Defined Attributes
Group-Specific Attributes
An Example accountActions Table
H
Cisco Secure ACS Internal Architecture
Windows NT/2000 Environment Overview
Windows NT/2000 Services
Windows NT/2000 Registry
Cisco Secure ACS Web Server
CSAdmin
CSAuth
CSDBSync
CSLog
CSMon
Monitoring
Recording
Sample Scripts
Configuration
CSTacacs and CSRadius
INDEX