User Guide for Cisco Secure Access Control Server 4.2
Index


Numerics

3COMUSR

settings 2-14

A

AAA

See also AAA clients

See also AAA servers

pools for IP address assignment 6-7

AAA clients 1-1

adding and configuring 3-12

configuration management 8-18

configuring 3-8

deleting 3-14

editing 3-13

IP pools 6-7

multiple IP addresses for 3-8

number of 1-22

searching for 3-6

table 3-1

timeout values 15-6

AAA protocols

TACACS+ and RADIUS 1-3

AAA-related logs 10-1

AAA servers 1-3

adding 3-17

configuring 3-15

deleting 3-18

editing 3-17

enabling in interface (table) 2-15

functions and concepts 1-3

in distributed systems 3-2

master 8-2

overview 3-15

primary 8-2

replicating 8-2

searching for 3-6

secondary 8-2

accessing Cisco Secure ACS

how to 2-3

URL 1-21

with SSL enabled 1-21

Account Actions

RDBMS Setup 8-33

accountActions codes

ADD_USER E-5

CREATE_DACL E-28

CREATE_USER_DACL E-28

deleting 8-26

READ_DACL 8-25

READ_NAS 8-23

UPDATE_DACL 8-26

UPDATE_NAS 8-23

accountActions File 8-29

accountActions table 8-27, 8-28

account disablement

Account Disabled check box 6-3

manual 6-38

resetting 6-40

setting options for 6-13

accounting

See also logging

administrative 1-15

overview 1-15

RADIUS 1-15

TACACS+ 1-15

VoIP 1-15

accounting logs

updating packets 10-37

Account Never Expires option 11-3

ACLs

See downloadable IP ACLs

default 14-12

ACS

additional features 1-5

features, functions and concepts 1-3

internal database 1-3

introduction to 1-1

managing and administrating 1-16

specifications 1-22

Windows Services 1-23

ACS internal database

See also databases

overview 12-1

password encryption 12-2

replication 2-15

action codes

for creating and modifying user accounts E-5

for initializing and modifying access filters E-10

for modifying network configuration E-18

for modifying TACACS+ and RADIUS settings E-13

for setting and deleting values E-4

in accountActions E-3

Active Service Management

See Cisco Secure ACS Active Service Management

ADD_USER E-5

adding

external audit servers 13-25

external servers 13-22, 13-23

ADF

importing for vendors 13-13

Administration Audit logs 10-5

administrative accounting 1-15

administrative sessions

and HTTP proxy 2-2

network environment limitations of 2-1

through firewalls 2-2

through NAT (network address translation) 2-2

Administrator Entitlements reports 10-12

administrators

See also Administration Audit log

See also Administration Control

See also administrative access policies

deleting 11-7

locked out 11-3

locking out 11-18

unlocking 11-3

Agentless Host for L2 and L3 template 14-20

AES 128 algorithm 12-2

age-by-date rules for groups 5-18

Agentless Host for L2 (802.1x Fallback) 14-17

Agentless Host for L2 Template 14-17

Agentless Request Processing 14-24

Aironet

AAA client configuration 3-10

RADIUS parameters for group 5-30

RADIUS parameters for user 6-27

anonymous TLS renegotiation 9-16

appliance

configuration 7-22

Appliance Administration Audit logs 10-5

Appliance Status report 10-11

viewing 10-35

ARAP 1-9

in User Setup 6-4

attribute definition file

See also ADF 13-13

attributes 13-5

adding 8-47

adding external audit device types C-40

definition file 8-44

definition file sample 8-51

deleting 8-48

dumping 8-50

enabling in interface 2-5

exporting 8-50

extended entity 8-49

extended property 8-50

group-specific (table) E-26

logging 10-3

management 8-44

NAC (posture validation) 8-44

per-group 2-5

per-user 2-5

posture validation (NAC) 8-44

user-specific (table) E-25

attribute-value pairs

See AV (attribute value) pairs

audit device types

external, adding attributes C-40

audit logs 10-5

audit server

functionality 14-30

setting up 13-25

audit servers

setting up 13-25

Authenticate MAC With 14-47

authentication 1-7

configuration 9-21

configuring policies 14-27

considerations 1-7

denying unknown users 15-9

options 9-21

overview 1-7

protocol-database compatibility 1-8

request handling 15-3

user databases 1-7

via external user databases 12-4

Windows 12-7

authorization 1-12

configuring policies 14-34

ordering rules 14-37

rules 14-34

sets

See command authorization sets

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

RADIUS

Cisco IOS B-3

IETF B-11

TACACS+

accounting A-3

general A-1

Available Credentials 14-48

AV pairs 14-11

B

Backup and Restore logs 10-5

backups

components backed up 7-9

directory management 7-9

disabling scheduled 7-14

filename 7-9

filenames 7-15

locations 7-9

manual 7-11

options 7-10

overview 7-8

reports 7-10

scheduled vs. manual 7-8

scheduling 7-12

vs. replication 8-6

with CSUtil.exe C-3

browsers

See also web interface 1-19

C

cab file 7-25

cached users

See discovered users

CA configuration 9-28

callback options

in Group Setup 5-5

in User Setup 6-6

cascading replication 8-4, 8-9

cautions

significance of I-XXIX

certificate database for LDAP servers 12-47

DB path 12-30

trusted root CA 12-30

certificate trust list

See CTL

certification

See also EAP-TLS

See also PEAP

adding certificate authority certificates 9-26

background 9-1

backups 7-9

Certificate Revocation Lists 9-29

certificate signing request generation 9-32

deleting the certificate from the Certificate Trust List 9-29

editing the certificate trust list 9-28

replacing certificate 9-36

self-signed certificates

configuring 9-35

NAC 13-13

overview 9-33

server certificate installation 9-22

updating certificate 9-36

Change Password page 11-4

CHAP 1-9

in User Setup 6-4

Cisco

Identity-Based Networking Services (IBNS) 1-2

Cisco Discovery Protocol 2-12

Cisco IOS

RADIUS

AV (attribute value) pairs B-2

group attributes 5-28

user attributes 6-26

TACACS+ AV (attribute value) pairs A-1

Cisco Secure ACS Active Service Management

event logging configuration 7-20

overview 7-18

system monitoring

configuring 7-19

custom actions 7-19

Cisco Secure ACS administration overview 1-16

Cisco Secure ACS backups

See backups

Cisco Secure ACS system restore

See restore

CiscoSecure Authentication Agent 5-16

Cisco Secure DBSync 8-20

Cisco Security Agent 1-17

See also CSAgent

integration 1-17

logging 1-17

policies 1-18

restrictions 1-18

viewing logs 7-27

CLID-based filters 4-20

cloning

Network Access Profiles 14-6

policies or rules 13-20

codes

See action codes

collect log files

diagnostic log information 7-25

collect previous days logs

archive system logs 7-25

collect user database

ACS internal database collection in support file 7-25

command authorization sets

See also shell command authorization sets

adding 4-29

configuring 4-25, 4-29

deleting 4-31

editing 4-30

overview 4-25

pattern matching 4-28

PIX command authorization sets 4-25

command-line database utility

See CSUtil.exe

condition sets, defining 13-17

configuration provider

remote agent logs on 10-28

configuring

internal policies 13-17

configuring advanced filtering

Network Access Profiles 14-2

conventions I-XXVIII

copying

policies or rules 13-20

CREATE_DACL E-28

CREATE_USER_DACL E-28

creating

external servers 13-22, 13-23

credentials 13-5

Credential Validation Databases 14-27, 14-47

critical loggers 10-23

Critical Loggers Configuration Page 10-38

CRLs 9-29

CSAdmin

Windows Services 1-23

CSAdmin service 7-2

CSAgent F-8

behavior 1-18

disabling 7-22

enabling 7-22

logging 1-17

overview 1-17

policies 1-18

CSAgent service 1-17, 7-2

CSAuth

Windows Services 1-23

CSDBSync 8-27

Windows Services 1-23

CSLog

Windows Services 1-23

CSMon

See also Cisco Secure ACS Active Service Management

configuration F-10

log F-11

Windows Services 1-23

CSNTacctInfo 12-41, 12-42, 12-43

CSNTAuthUserPap 12-39

CSNTerrorString 12-41, 12-42, 12-43

CSNTExtractUserClearTextPw 12-40

CSNTFindUser 12-40

CSNTgroups 12-41, 12-42, 12-43

CSNTpasswords 12-41, 12-42

CSNTresults 12-41, 12-42, 12-43

CSNTusernames 12-41, 12-42, 12-43

CSRadius F-12

Windows Services 1-23

CSTacacs F-12

Windows Services 1-23

CSUtil.exe

add and delete posture validation attributes C-29

adding external audit device type attributes C-40

backing up with C-3

cleaning up database with C-8

decoding error numbers with C-17

dumping database file with C-6

exporting data with C-15

exporting group information with C-16

import text file (example) C-15

initializing database with C-5

loading database file with C-7

overview C-1

restoring with C-4

updating database with C-9

CSV (comma-separated values) logs

configuring 10-24

downloading 10-33

enabling and disabling 10-24

filename formats 10-31

locations 10-6

logging to 10-6

size and retention 10-7

viewing 10-31

CSV file

local 8-18

RDBMS Synchronization 8-18

CSV log File Configuration Page 10-40

CTL

external policy servers

CTL editing 9-28

custom attributes

in group-level TACACS+ settings 5-22

in user-level TACACS+ settings 6-15

customer support

collecting data for 10-29

providing package.cab file 10-29

D

database group mappings

configuring

for token servers 16-2

for Windows domains 16-6

no access groups 16-4

order 16-8

deleting

group set mappings 16-7

Windows domain configurations 16-7

Database Replication logs 10-5

databases

See also external user databases

ACS internal database 12-1

authentication search process 15-3

cleaning up C-8

deleting 12-58

external

See also external user databases

See also Unknown User Policy

initializing C-5

remote agent selection 12-17

replication

See replication

search order 15-7

search process 15-7

selecting user databases 12-1

synchronization

See RDBMS synchronization

token cards

See token servers

types

See generic LDAP user databases

See LEAP proxy RADIUS user databases

See ODBC features

See RADIUS user databases

unknown users 15-1

user databases 6-2

user import methods 12-2

Windows user databases 12-5

data source names

for ODBC logging 10-9

for RDBMS synchronization 8-33

using with ODBC databases 12-35, 12-44, 12-45

data types, NAC attribute 13-6

date and time setting 7-23

date format control 7-3

debug logs, detail levels 10-29

default ACLs 14-12

default group

in Group Setup 5-2

mapping for Windows 16-4

default time-of-day/day-of-week specification 2-14

default time-of-day access settings for groups 5-5

DELETE_DACL 8-26

deleting 14-6

external audit servers 13-27

external servers 13-23, 13-25

logged-in users 10-34

Network Access Profiles 14-6

policies or rules 13-21

device command sets

See command authorization sets

device management applications support 1-14

DHCP with IP pools 8-40

diagnostic logs 7-27, 10-12

dial-in permission to users in Windows 12-17

dial-up networking clients 12-6, 12-7

digital certificates

See certification

Disabled Accounts report 10-11

viewing 10-35

Disabling NETBIOS F-12

discovered users 15-2

Distinguished Name Caching 12-26

distributed systems

See also proxy

AAA servers in 3-2

overview 3-2

settings

configuring 3-28

default entry 3-3

enabling in interface 2-15

distribution table

See Proxy Distribution Table

DNIS-based filters 4-20

documentation

conventions I-XXVIII

objectives I-XXVII

online 1-21

related I-XXXI, 1-24

Domain List

configuring 12-22

inadvertent user lockouts 12-9, 12-21

overview 12-9

unknown user authentication 15-5

domain name and hostname configuration 7-24

domain names

Windows operating systems 12-8, 12-9

downloadable ACLs 14-9

downloadable IP ACLs

adding 4-15

assigning to groups 5-22

assigning to users 6-14

deleting 4-17

editing 4-16

enabling in interface

group-level 2-15

user-level 2-14

overview 4-13

draft-ietf-radius-tunnel-auth 1-4

dump files

loading a database from C-7

loading a database to C-6

dynamic administration logs 10-11

viewing 10-34

dynamic usage quotas 1-13

dynamic users

removing 6-41

E

EAP (Extensible Authentication Protocol)

Configuration 14-25

overview 1-10

supported protocols 1-10

with Windows authentication 12-10

EAP authentication

protocol 1-8

EAP FAST

for anonymous TLS renegotiation 9-16

EAP-FAST 1-10

enabling 9-19

identity protection 9-11

logging 9-10

master keys

definition 9-11

states 9-11

master server 9-18

overview 9-9

PAC

automatic provisioning 9-14

definition 9-12

manual provisioning 9-15

refresh 9-17

states 9-14

PAC Files Generation 9-37

password aging 5-20

phases 9-10

replication 9-17

EAP-FAST PKI Authorization Bypass 9-16

EAPoUDP failure 14-24

EAPoUDP support 14-24

EAP-TLS 1-10

See also certification

authentication configuration 9-21

comparison methods 9-3

enabling 9-4

limitations 9-4

options 9-42

overview 9-2

with RADIUS Key Wrap 14-25

EAP-TLS authentication

outer identity 9-44

editing

external audit servers 13-27

external posture validation servers 13-23, 13-24

internal policies 13-19

Network Access Profiles 14-5

enable password options for TACACS+ 6-23

enable privilege options for groups 5-13

entitlement reports 10-11

entity field 13-6

error number decoding with CSUtil.exe C-17

Event log

configuring 7-20

exception events F-11

event logging 7-20

exception events F-11

exemption list

external audit 13-10

exports

of user lists C-15

Extensible Authentication Protocol

See EAP (Extensible Authentication Protocol)

Extensible Authentication Protocol (EAP) 1-2

external audit policy

what triggers an 13-10

external audit server

setting up 13-25

external audit servers

about 13-9

adding 13-25

deleting 13-27

editing 13-27

external policies 13-8

exemption list support 13-10

external servers

creating 13-22, 13-23

deleting 13-23, 13-25

editing 13-23, 13-24

external token servers

See token servers

external user databases

See also databases

authentication via 12-4

configuring 12-3

deleting configuration 12-58

latency factors 15-6

search order 15-6, 15-8

supported 1-7

Unknown User Policy 15-1

F

Failed Attempts logs 10-2

failed log-on attempts F-11

failure events

customer-defined actions F-11

predefined actions F-11

fallbacks on failed connection 3-4

finding users 6-37

FTP server 7-8

G

gateways D-2

generating 9-39

Generic LDAP 1-7

generic LDAP user databases

authentication 12-23

certificate database downloading 12-47

configuring

database 12-31

options 12-27

directed authentications 12-24

domain filtering 12-24

failover 12-25

multiple instances 12-24

organizational units and groups 12-24

Global Authentication Setup 9-21

global authentication setup

enabling posture validation 13-14

grant dial-in permission to users 12-6, 12-17

greeting after login 5-18

group-level interface enabling

downloadable IP ACLs 2-15

network access restrictions 2-15

network access restriction sets 2-15

password aging 2-15

group-level network access restrictions

See network access restrictions

groups

See also network device groups

assigning users to 6-5

configuring RADIUS settings for

See RADIUS

Default Group 5-2, 16-4

enabling VoIP (Voice-over-IP) support for 5-4

exporting group information C-16

listing all users in 5-40

mapping order 16-8

mappings 16-1

no access groups 16-4

overriding settings 2-4

relationship to users 2-4

renaming 5-41

resetting usage quota counters for 5-40

settings for

callback options 5-5

configuration-specific 5-12

configuring common 5-3

device management command authorization sets 5-26

enable privilege 5-13

IP address assignment method 5-21

management tasks 5-40

max sessions 5-9

network access restrictions 5-6

password aging rules 5-15

PIX command authorization sets 5-25

shell command authorization sets 5-23

TACACS+ 5-2, 5-3, 5-22

time-of-day access 5-5

token cards 5-14

usage quotas 5-10

setting up and managing 5-1

specifications by ODBC authentications 12-41, 12-42, 12-43

H

handle counts F-10

hard disk space F-10

HCAP errors 10-4

host and domain names configuration 7-24

Host Credentials Authorization Protocol (HCAP) 9-6

host system state F-10

HTML interface

logging off 2-4

HTTP port allocation

for administrative sessions 1-19

I

IEEE 802.1x 1-2

IETF 802.1x 1-10

IETF RADIUS attributes 1-4

importing passwords C-9

imports with CSUtil.exe C-9

inbound

authentication 1-10

password configuration 1-11

installation

related documentation I-XXXI, 1-24

Interface Configuration

See also HTML interface

advanced options 2-6

configuring 2-1

customized user data fields 2-5

Internal ACS Database 14-47

internal architecture F-1

internal policies

editing 13-19

steps to set up 13-17

invalid PAC 9-45

IP ACLs

See downloadable IP ACLs

IP addresses

in User Setup 6-7

multiple, for AAA client 3-8

requirement for CSTacacs and CSRadius F-12

setting assignment method for user groups 5-21

IP pools

address recovery 8-44

deleting 8-43

DHCP 8-40

editing IP pool definitions 8-42

enabling in interface 2-15

overlapping 8-40, 8-41

refreshing 8-41

resetting 8-42

servers

adding IP pools 8-41

overview 8-39

replicating IP pools 8-39

user IP addresses 6-7

K

Key Wrap

configuring for AAA client 3-9

configuring for NDG 3-24

key wrap

enabling 14-26

Key Wrap, RADIUS 14-25

L

LAN manager 1-10

LDAP

Admin Logon Connection Management 12-26

Distinguished Name 12-26

group attributes 14-24

LDAP Server 14-47

LEAP 1-10

LEAP proxy RADIUS user databases

configuring external databases 12-49

group mappings 16-1

overview 12-48

RADIUS-based group specifications 16-8

list all users

in Group Setup 5-40

in User Setup 6-37

local policies

See internal policies

log files

storage directory 7-3

Logged-In Users report 10-11

deleting logged-in users 10-34

viewing 10-34

logging 10-1

attributes 10-3

configuring

logs 1

configuring CSV (comma-separated values) 10-24

configuring ODBC 10-25

configuring remote logging server 10-26

configuring service logs 10-29

configuring syslog 10-24

critical loggers 10-23

CSAgent 1-17

CSV (comma-separated values) 10-6

custom RADIUS dictionaries 8-2

debug logs, detail levels 10-29

diagnostic logs 7-27

enabling and disabling ODBC 10-25

enabling CSV (comma-separated values) 10-24

enabling syslog 10-24

formats and targets 10-5

ODBC 10-9

RDBMS synchronization 8-2

remote, configuring ACS to send data to 10-27

remote, configuring and enabling 10-26

remote, for ACS for Windows 10-10

remote, hosts for 10-10

remote agents, configuring logs on configuration provider 10-28

remote agents, configuring to 10-27

remote agents, sending data to 10-28

remote agents, for ACS SE 10-10

See also logs

See also reports

service logs 10-12

service logs for customer support 10-29

syslog 10-7

watchdog packets 10-37

Logging Configuration Page 10-37

Login Process Fail page 11-3

login process test frequency 7-18

logins

greeting upon 5-18

password aging dependency 5-17

logs 10-1

AAA-related 10-1

Administration Audit 10-5

Appliance Administration Audit 10-5

audit 10-5

Backup and Restore 10-5

Database Replication 10-5

dynamic administration 10-11

Failed Attempts 10-2

logged-in users 10-11

Passed Authentications 10-2

RADIUS accounting 10-2

RDBMS Synchronization 10-5

See also logging

See also reports

service 10-12

Service Monitoring 10-5

TACACS+ accounting 10-2

TACACS+ administration 10-2

User Password Changes 10-5

viewing and downloading 10-30

VOIP accounting 10-2

M

MAC address

standard formats 14-24

machine authentication

enabling 12-15

overview 12-10

with Microsoft Windows 12-13

management application support 1-14

mappings

databases to AAA groups 16-1

master AAA servers 8-2

master key

definition 9-11

states 9-11

max sessions 1-13

enabling in interface 2-15

group 1-13

in Group Setup 5-9

in User Setup 6-11

overview 1-13

user 1-13

member server 12-6, 12-8

memory utilization F-10

Microsoft Health Registration Authority 9-5

Microsoft Network Policy Server (NPS) 9-6

Microsoft Text Driver 8-20

monitoring

configuring 7-19

CSMon F-10

overview 7-18

services 7-26

MS-CHAP 1-9

configuring 9-21

overview 1-9

protocol supported 1-8

multiple IP addresses for AAA clients 3-8

N

NAC 1-2

agentless hosts 13-9

attributes

about 13-5

data types 13-6

deleting C-29

exporting C-29

configuring ACS for support for 13-13

credentials

about 13-5

implementing 13-4

logging 13-14

overview

policies

about 13-16

external 13-8

internal 13-7

results 13-16

remediation server

url-redirect attribute B-6

rules

about 13-8

default 13-32

self-signed certificates 13-13

tokens

definition 13-3

descriptions of 13-3

returned by internal policies 13-7

NAC Agentless Host 14-18

NAC L2 IP 14-11

NAC L3 IP 14-9

NAFs

See network access filters

NAR

See network access restrictions

NAS

See AAA clients

Network Access Filter (NAF)

editing 4-5

Network Access Filters (NAF) 14-2

adding 4-3

deleting 4-6

overview 4-2

Network Access Profiles 14-1, 14-6, 14-23

cloning 14-6

configuring advanced filtering 14-2

editing 14-5

network access quotas 1-13

network access restrictions

deleting 4-24

editing 4-23

enabling in interface

group-level 2-15

user-level 2-14

in Group Setup 5-6

interface configuration 2-15

in User Setup 5-6, 6-8

non-IP-based filters 4-20

overview 4-18

network access servers

See AAA clients

Network Admission Control

See NAC

network configuration 3-1

network device groups

adding 3-24

assigning AAA clients to 3-25

assigning AAA servers to 3-25

configuring 3-23

deleting 3-27

editing 3-26

enabling in interface 2-15

reassigning AAA clients to 3-26

reassigning AAA servers to 3-26

network devices

searches for 3-6

network time protocol

See NTP server

noncompliant devices 1-2

non-EAP authentication

protocol 1-8

NTP server 7-23

O

ODBC features

authentication

CHAP 12-38

EAP-TLS 12-38

overview 12-35

PAP 12-38

preparation process 12-37

process with external user database 12-36

result codes 12-43

case-sensitive passwords 12-39

CHAP authentication sample procedure 12-40

configuring 12-45

data source names 12-35

DSN (data source name) configuration 12-44

EAP-TLS authentication sample procedure 12-40

features supported 12-36

group mappings 16-1

group specifications

CHAP 12-42

EAP-TLS 12-43

PAP 12-41

vs. group mappings 16-2

PAP authentication sample procedures 12-39

password case sensitivity 12-39

stored procedures

CHAP authentication 12-41

EAP-TLS authentication 12-42

implementing 12-38

PAP authentication 12-40

type definitions 12-39

user databases 12-35

ODBC log Configuration Page 10-42

ODBC logging 10-9

configuring 10-25

data source names 10-9

enabling and disabling 10-25

preparing for 10-9

One-time Passwords (OTPs) 1-7

online documentation 1-21

online help 1-21

location in HTML interface 1-20

using 1-21

online user guide 1-22

ordering rules, in policies 13-8

outbound password configuration 1-11

outer identity

EAP-TLS authentication 9-44

overview of Cisco Secure ACS 1-1

P

PAC

automatic provisioning 9-14

definition 9-12

manual provisioning 9-15

refresh 9-17

PAC File Generation

options 9-37

PAC files 9-39

generating 9-39

PAC Free EAP-FAST 9-16

package.cab file, for customer support 10-29

PAP 1-9

in User Setup 6-4

vs. ARAP 1-9

vs. CHAP 1-9

Passed Authentications logs 10-2

password

automatic change password configuration 8-16

password aging 1-11

age-by-uses rules 5-17

Cisco IOS release requirement for 5-16

EAP-FAST 12-16

interface configuration 2-15

in Windows databases 5-19

MS-CHAP 12-16

overview 1-11

PEAP 12-16

rules 5-15

password configurations

basic 1-10

passwords

See also password aging

case sensitive 12-39

CHAP/MS-CHAP/ARAP 6-5

configurations

caching 1-11

inbound passwords 1-11

outbound passwords 1-11

separate passwords 1-10

single password 1-10

token caching 1-11

token cards 1-11

encryption 12-2

expiration 5-17

import utility C-9

local management 7-4

post-login greeting 5-18

protocols supported 1-8

remote change 7-4

user-changeable 1-12

validation options in System Configuration 7-4

patch

overview 7-28

process 7-29

pattern matching in command authorization 4-28

PEAP 1-10

See also certification

configuring 9-21

enabling 9-8

identity protection 9-7

overview 9-6

password aging 5-19

phases 9-6

with Unknown User Policy 9-8

performance monitoring F-10

performance specifications 1-22

per-group attributes

See also groups

enabling in interface 2-5

per-user attributes

enabling in interface 2-5

TACACS+/RADIUS in Interface Configuration 2-14

ping command 1-18

PIX ACLs

See downloadable IP ACLs

PIX command authorization sets

See command authorization sets

PKI (public key infrastructure)

See certification

Point-to-Point Protocol (PPP) 1-23

policies

agentless hosts 13-9

cloning 13-20

configuring 13-15

copying 13-20

deleting 13-21

external 13-8

internal 13-7

local

See internal policies

overview 13-5

renaming 13-20

rule order 13-8

setting up an external audit server 13-25

setting up external servers 13-22, 13-23

Populate from Global 14-13, 14-23, 14-47

Network Access Profiles 14-23

port 2002

in HTTP port ranges 11-19

in URLs 1-21

ports

See also HTTP port allocation

See also port 2002

RADIUS 1-3, 1-4

TACACS+ 1-3

Posture Validation

for Agentless Hosts 14-33

posture validation

attributes 13-5

adding C-29

configuring ACS for 13-13

credentials 13-5

CTL 13-13

enabling 13-14

failed attempts log 13-14

implementing 13-4

options 13-16

passed authentications log 13-14

policy overview 13-5

and profile-based policies 13-3

profiles, adding user groups 13-14

rule

assigning posture tokens 13-14

rules, about 13-8

server certificate requirement 13-13

Posture Validation Policies

configuring 14-29

PPP password aging 5-16

processor utilization F-10

profile 14-1

Profile-based Policies 14-3

profile components

See shared profile components

profiles 14-38

profile templates 14-7

prerequisites 14-7

protocols supported 1-8

protocol support

EAP authentication 1-8

non-EAP authentication 1-8

protocol types

Network Access Profiles 14-2

proxy

See also Proxy Distribution Table

character strings

defining 3-5

stripping 3-5

configuring 3-28

in enterprise settings 3-4

overview 3-3

sending accounting packets 3-5

Proxy Distribution Table

See also proxy

adding entries 3-28

configuring 3-28

default entry 3-3, 3-28

deleting entries 3-30

editing entries 3-30

match order sorting 3-29

overview 3-28

Q

quotas

See network access quotas

See usage quotas

R

RAC and Groups 4-7

RADIUS 1-4

See also RADIUS VSAs (vendor specific attributes)

accounting 1-15

attributes

See also RADIUS VSAs (vendor specific attributes)

in User Setup 6-24

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

Cisco IOS B-3

IETF B-11

overview B-1

Cisco Aironet 3-10

IETF

in Group Setup 5-27

interface configuration 2-9

in User Setup 6-25

interface configuration overview 2-7

Key Wrap 14-25

Key Wrap, configuring for AAA client 3-9

Key Wrap, configuring for NDG 3-24

key wrap, enabling 14-26

password aging 5-19

ports 1-3, 1-4

specifications 1-4

token servers 12-51

vs. TACACS+ 1-3

RADIUS user databases

configuring 12-52

group mappings 16-1

RADIUS-based group specifications 16-8

RADIUS VSAs (vendor specific attributes)

3COM/USR

in Group Setup 5-37

in User Setup 6-34

supported attributes B-28

Ascend

in Group Setup 5-31

in User Setup 6-29

supported attributes B-21

Cisco Aironet

in Group Setup 5-30

in User Setup 6-27

Cisco BBSM (Building Broadband Service Manager)

in Group Setup 5-38

in User Setup 6-35

supported attributes B-10

Cisco IOS/PIX

in Group Setup 5-28

interface configuration 2-9

in User Setup 6-26

supported attributes B-4

Cisco VPN 3000

in Group Setup 5-32

in User Setup 6-30

supported attributes B-6

Cisco VPN 5000

in Group Setup 5-33

in User Setup 6-30

supported attributes B-10

custom

about 8-27

in Group Setup 5-39

in User Setup 6-36

Juniper

in Group Setup 5-37

in User Setup 6-33

supported attributes B-28

Microsoft

in Group Setup 5-34

in User Setup 6-31

supported attributes B-19

Nortel

in Group Setup 5-36

in User Setup 6-33

supported attributes B-28

overview B-1

user-defined

about 8-27, C-17

action codes for E-13

adding C-18

deleting C-20

import files C-22

listing C-21

replicating 8-27, C-18

RDBMS Synchronization 8-17

RDBMS synchronization E-1

accountActions file

overview 8-29

configuring 8-36

data source name configuration 8-32, 8-33

disabling 8-37

enabling in interface 2-15

FTP configuration 8-34

group-related configuration 8-21

import definitions E-1

manual initialization 8-35

network configuration 8-22

overview 8-18

partners 8-34

preparing to use 8-30

report and error handling 8-30

scheduling options 8-34

user-related configuration 8-20

RDBMS Synchronization logs 10-5

READ_DACL 8-25

READ_NAS 8-23

Registry F-2

regular expressions syntax 10-32

rejection mode

general 15-3

Windows user databases 15-4

related documentation I-XXXI, 1-24

remote agent

selecting for authentication 12-17

remote agents

adding 3-21

configuration options 3-19

configuring 3-19

configuring logging to 10-27

configuring logs on configuration provider 10-28

deleting 3-23

editing 3-22

overview 3-19

Remote Agents table 3-2

selecting for authentication 12-17

sending data to 10-28

Remote Agents Reports Configuration Page 10-39

remote logging

configuring ACS to send data to 10-27

configuring and enabling 10-26

for ACS for Windows 10-10

hosts 10-10

remote agents, for ACS SE 10-10

See also logging

server, configuring 10-26

using remote agents 10-27

Remote Logging Setup Page 10-39

Remove Dynamic Users 6-41

removing

external audit servers 13-27

external servers 13-23, 13-25

policies or rules 13-21

removing dynamic users 6-41

renaming

policies 13-20

replication

ACS Service Management page 8-2

auto change password settings 8-16

backups recommended (Caution) 8-7

cascading 8-4, 8-9

certificates 8-2

client configuration 8-11

components

overwriting (Caution) 8-12

overwriting (Note) 8-7

selecting 8-7

configuring 8-14

corrupted backups (Caution) 8-7

custom RADIUS dictionaries 8-2

disabling 8-16

EAP-FAST 9-17

encryption 8-4

external user databases 8-2

frequency 8-5

group mappings 8-2

immediate 8-13

implementing primary and secondary setups 8-11

important considerations 8-5

in System Configuration 8-14

interface configuration 2-15

IP pools 8-2, 8-39

logging 8-7

manual initiation 8-13

master AAA servers 8-2

notifications 8-17

options 8-7

overview 8-2

partners

configuring 8-15

options 8-9

process 8-3

scheduling 8-14

scheduling options 8-9

selecting data 8-7

unsupported 8-2

user-defined RADIUS vendors 8-6

vs. backup 8-6

reports 10-1

downloading CSV 10-33

entitlement 10-11

entitlement, viewing and downloading 10-36

See also logging reports

See also logs

viewing and downloading 10-30

viewing appliance status 10-35

viewing CSV 10-31

viewing disabled accounts 10-35

viewing dynamic administration 10-34

viewing logged-in users 10-34

Reports and Activity

in interface 1-20

Reports Page Reference 10-44

request handling

general 15-3

Windows user databases 15-4

Required Credential Types 14-48

resource consumption F-10

restarting services 7-2

restore

components restored

configuring 7-16

overview 7-16

filenames 7-15

in System Configuration 7-14

on a different server 7-14

overview 7-14

performing 7-16

reports 7-16

with CSUtil.exe C-4

restores

finding files 7-15

RFC2138 1-4

RFC2139 1-4

RSA user databases

configuring 12-55

group mappings 16-1

rule 13-8

rules

about 13-8

S

search order of external user databases 15-8

security protocols

CSRadius F-12

CSTacacs F-12

RADIUS 1-3, B-1

TACACS+

custom commands 2-12

overview 1-3

time-of-day access 2-12

Selected Credentials 14-48

server certificate installation 9-22

service control in System Configuration 10-29

Service Control Page Reference 10-43

service logs 10-12

configuring 10-29

for customer support 10-29

Service Monitoring logs 10-5

services

determining status of 7-2

logs generated 10-12

management 7-18

monitoring 7-26

starting 7-2

stopping 7-2

shared profile components

See also command authorization sets

See also downloadable IP ACLs

See also network access filters

See also network access restrictions

overview 4-1

Shared Profile Components (SPC) 1-14

Shared RAC 14-35

shared secret F-12

shell command authorization sets

See also command authorization sets

in Group Setup 5-23

in User Setup 6-17

Simple Network Management Protocol (SNMP) 1-13

single password configurations 1-10

SMTP (simple mail-transfer protocol) F-11

SNMP, support on appliance 7-23

specifications

RADIUS

RFC2138 1-4

RFC2139 1-4

system performance 1-22

TACACS+ 1-4

SSL (secure sockets layer) 12-30

starting services 7-2

Statements of Health (SoHs) 9-5

static IP addresses 6-7

stopping services 7-2

stored procedures

CHAP authentication

configuring 12-46

input values 12-41

output values 12-42

result codes 12-43

EAP-TLS authentication

configuring 12-46

input values 12-42

output values 12-43

implementing 12-38

PAP authentication

configuring 12-46

input values 12-40

output values 12-41

result codes 12-43

sample procedures 12-39

type definitions

integer 12-39

string 12-39

supplementary user information

in User Setup 6-4

setting 6-4

support

Cisco Device-Management Applications 1-14

supported password protocols 1-8

Support Page 7-25

synchronization

See RDBMS synchronization

Syslog log Configuration Page 10-41

syslog logging

configuring 10-24

enabling and disabling 10-24

message format 10-7

message length limitations 10-8

syslog logs

logging to 10-7

system

configuration

advanced 8-1

authentication 9-1

basic 7-1

certificates 9-1

health F-10

messages in interface 1-20

monitoring

See monitoring

performance specifications 1-22

services

See services

system monitoring

technical support file 7-25

system performance

specifications 1-22

T

TACACS+ 1-3, 1-4

accounting 1-15

accounting logs 10-2

administration logs 10-2

advanced TACACS+ settings

in Group Setup 5-2, 5-3

in User Setup 6-21

AV (attribute value) pairs

accounting A-3

general A-1

custom commands 2-12

enable password options for users 6-23

enable privilege options 6-22

interface configuration 2-6

outbound passwords for users 6-24

ports 1-3

SENDAUTH 1-11

settings

in Group Setup 5-2, 5-3, 5-22

in User Setup 6-15

specifications 1-4

time-of-day access 2-12

vs. RADIUS 1-3

Telnet

See also command authorization sets

password aging 5-16

test login frequency internally 7-18

thread used F-11

time and date setting 7-23

time format control 7-3

time-of-day/day-of-week specification

See also date format control

enabling in interface 2-14

timeout values on AAA clients 15-6

TLS (transport level security)

See certification

token caching 1-11, 12-51

token cards 1-23

password configuration 1-11

settings in Group Setup 5-14

token servers

ISDN terminal adapters 12-51

overview 12-50

RADIUS-enabled 12-51

RADIUS token servers 12-51

supported servers 1-7

token caching 12-51

troubleshooting 14-38

debug logs 10-12

trust lists

See certification

trust relationships 12-6

U

UNIX passwords C-12

unknown service user setting 6-21

Unknown User Policy 12-18

See also unknown users

configuring 15-8

in external user databases 12-2, 15-7

turning off 15-9

unknown users

See also Unknown User Policy

authentication 15-3

authentication performance 15-6

authentication processing 15-6

network access authorization 15-6

unmatched user requests 14-3

UPDATE_DACL 8-26

UPDATE_NAS 8-23

updating packets in accounting logs 10-37

upgrade

applying 7-33

CSAgent 1-18

distribution server requirements 7-29

overview 7-28

process 7-29

restrictions 1-18

transferring 7-30

usage quotas

in Group Setup 5-10

in Interface Configuration 2-15

in User Setup 6-12

overview 1-13

resetting

for groups 5-40

for single users 6-39

user-changeable passwords

overview 1-12

with Windows user databases 12-16

user databases

See databases

User Data Configuration 2-5

User Entitlements report 10-12

user groups

See groups

user guide

online 1-22

user-level

downloadable ACLs interface 2-14

network access restrictions

See also network access restrictions

enabling in interface 2-14

User Password Changes logs 10-5

users

See also User Setup

adding

basic steps 6-3

assigning client IP addresses to 6-7

assigning to a group 6-5

callback options 6-6

configuring 6-1

configuring device management command authorization sets for 6-20

configuring PIX command authorization sets for 6-19

configuring shell command authorization sets for 6-17

customized data fields 2-5

deleting 10-34

deleting accounts 6-39

disabling accounts 6-3

finding 6-37

import methods 12-2

in multiple databases 15-4

listing all users 6-37

number of 1-22

RDBMS synchronization 8-20

relationship to groups 2-4

removing dynamic 6-41

resetting accounts 6-40

saving settings 6-41

supplementary information 6-4

types

discovered 15-2

known 15-2

unknown 15-2

VPDN dialup D-1

User Setup

account management tasks 6-37

basic options 6-2

configuring 6-1

deleting user accounts 6-39

saving settings 6-41

Users in Group button 5-40

V

validation of passwords 7-4

vendors

adding audit 13-25

vendor-specific attributes

See RADIUS VSAs (vendor specific attributes)

in RDBMS synchronization 4-8, 8-27

vendor-specific attributes (VSAs) 1-4

Viewing Dynamic Administration Reports 10-34

Virtual Private Dial-Up Networks (VPDNs) 1-13

Voice-over-IP

See VoIP (Voice-over-IP)

VoIP

accounting 1-15

VoIP (Voice-over-IP)

accounting configuration 2-16, 7-21

enabling in interface 2-15

group settings in Interface Configuration 2-15

in Group Setup 5-4

VPDN

authentication process D-1

domain authorization D-2

home gateways D-2

IP addresses D-2

tunnel IDs D-2

users D-1

VSAs

See RADIUS VSAs (vendor specific attributes)

W

warning events F-10, F-11

warnings

significance of I-XXIX

watchdog packets

logging 10-37

web interface

See also Interface Configuration

layout 1-19

security 1-16

uniform resource locator 1-21

Windows Authentication Configuration 12-21

Windows Callback 12-18

Windows Database Callback 12-18

Windows operating systems

authentication order 15-5

Cisco Secure ACS-related services

services 7-2

dial-up networking 12-6

dial-up networking clients

domain field 12-7

password field 12-7

username field 12-7

Domain List effect 15-5

domains

domain names 12-8, 12-9, 15-4

Event logs F-11

Registry F-2

Windows Services 1-23

CSAdmin 1-23

CSAuth 1-23

CSDBSync 1-23

CSLog 1-23

CSMon 1-23

CSRadius 1-23

CSTacacs 1-23

overview 1-23

Windows user database 1-7

passwords 1-8

Windows user databases

See also databases

Active Directory 12-17

configuring 12-22

Domain list

inadvertent user lockouts 12-21

domain mapping 16-6

domains

trusted 12-6

grant dial-in permission to users 12-6, 12-17

group mappings

editing 16-6

no access groups 16-4

remapping 16-6

overview 12-5

password aging 5-19

rejection mode 15-4

request handling 15-4

trust relationships 12-6

user-changeable passwords 12-16

user manager 12-17