Installation Guide for the Cisco 1120 Secure Access Control Server 4.2
Installing and Configuring the Cisco 1120 Secure Access Control Server 4.2

Table Of Contents

Installing and Configuring the Cisco 1120 Secure Access Control Server 4.2

Rack-Mounting Configuration Guidelines

Mounting the CSACS 1120 Series Appliance in a 4-Post Rack

4-Post Rack-Mount Hardware Kit

Installing the Slide Rails into a Rack with Square Holes

Setting the Multi-Pin Adapters for the Rack Type

Installing and Securing the Slide Rails in a Rack

Installing the Slide Rails into a Rack with Round Holes

Installing the Appliance into the Slide Rails

Connecting Cables

Connecting to the AC Power Source

Connecting the Network Interface

Connecting the Console

Connecting the Keyboard and Video Monitor

Cable Management

Powering Up the CSACS 1120 Series Appliance

Checklist for Power Up

Power-Up Procedure

Checking the LEDs

Removing or Replacing the CSACS 1120 Series Appliance

Removing a CSACS 1120 Series Appliance

Replacing a CSACS 1120 Series Appliance

Initial Configuration

Establishing a Serial Console Connection

Configuring CSACS 1120

Verifying the Initial Configuration

Setting Up a GUI Administrator Account

Next Steps


Installing and Configuring the Cisco 1120 Secure Access Control Server 4.2


This chapter describes how to install your CSACS 1120 Series appliance and connect it to the network.

This chapter contains:

Rack-Mounting Configuration Guidelines

Mounting the CSACS 1120 Series Appliance in a 4-Post Rack

Connecting Cables

Connecting to the AC Power Source

Powering Up the CSACS 1120 Series Appliance

Removing or Replacing the CSACS 1120 Series Appliance

Initial Configuration

Next Steps

Before you begin the installation, read the Regulatory Compliance and Safety Information for the Cisco 1120 Secure Access Control Server 4.2 and the Site Preparation and Safety Guide that is shipped with your appliance.


Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030



Warning This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security.
Statement 1017


Rack-Mounting Configuration Guidelines

Each CSACS 1120 Series appliance has a set of rack handles (installed at the factory). You will use these handles later when you install the appliance in a 4-post rack. You can front (flush) mount or mid-mount the appliance in a 19-inch (48.3-cm) equipment rack that conforms to the 4-post rack specification (the inside width of the rack should be 17.5 inches [44.45 cm]). Mount the appliance in the brackets. When the appliance is installed in the rack, it requires one EIA 1.75-inch (4.4-cm) vertical mounting space or 1 rack unit (RU) for mounting.


Caution You must leave clearance in the front and rear of the CSACS 1120 Series appliance, to allow cooling air to be drawn in through the front and circulated through the appliance and out the rear of the appliance.

The Rack Installation Safety Guidelines, page 2-6 and the following information will help you plan the equipment rack configuration:

When mounting an appliance in an equipment rack, ensure that the rack is bolted to the floor.

Because you may install more than one appliance in the rack, ensure that the weight of all the appliances installed does not make the rack unstable.


Caution Some equipment racks are also secured to ceiling brackets due to the weight of the equipment in the rack. If you use this type of installation, make sure that the rack you are using to install the appliances is secured to the building structure.

As mentioned in Airflow Guidelines, page 2-8, maintain a 6-inch (15.2-cm) clearance at the front and rear of the appliance to ensure adequate air intake and exhaust.

Avoid installing appliances in an overly congested rack. Air flowing to or from other appliances in the rack might interfere with the normal flow of cooling air through the appliances, increasing the potential for overtemperature conditions within the appliances. For more information about overtemperature conditions, see Overtemperature Protection (OTP), page 1-10.

Allow at least 24 inches (61 cm) of clearance at the front and rear of the rack for appliance maintenance.


Caution To prevent appliance overheating, never install an appliance in an enclosed rack or a room that is not properly ventilated or air conditioned.

Follow your local practices for cable management. Ensure that cables to and from appliances do not impede access for performing equipment maintenance or upgrades.


Note The rack-mount hardware kit does not include a 2-post equipment rack.


Mounting the CSACS 1120 Series Appliance in a 4-Post Rack


Warning When the appliance is installed in a rack and is fully extended on its slide rail, it is possible for the rack to become unstable and tip over, which could cause serious injury. To eliminate the risk of rack instability from extending the rail or in the event of an earthquake, you should affix the rack to the floor.


This section contains:

4-Post Rack-Mount Hardware Kit

Installing the Slide Rails into a Rack with Square Holes

Installing the Slide Rails into a Rack with Round Holes

Installing the Appliance into the Slide Rails

4-Post Rack-Mount Hardware Kit

Figure 3-1 shows the rails and release levers that you need to install the CSACS 1120 Series appliance in a 4-post rack.

Figure 3-1 Release Levers on the Slide Rail Hardware

The following table describes the callouts in Figure 3-1.

1   Slide release lever
2   Component release lever


Table 3-1 lists the contents of the rack-mount hardware kit (Cisco part number CSACS-1U-RAILS).

Table 3-1 Rack-Mount Hardware Kit

Item                  Quantity
Slide rails           2
Multi-pin adapters    4
Fastener screws       4


Depending on the type of holes that your rack has, you will use different hardware to attach the appliance to the rack:

For racks with square holes, you use the multi-pin adapters to attach the appliance to the rack. The installation kit includes four fastener screws that secure the multi-pin adapters after you install them in the rack. Table 3-1 lists the contents of the installation kit.

For racks with round holes, you use rack screws, rather than the multi-pin adapters. Rack screws are not included in the installation kit.


Note Each rail consists of three pieces that slide to extend the rail to its full length. To access the features of the innermost piece, such as the release levers, you must grasp the end of the innermost piece and pull it firmly out of the piece that contains it. Figure 3-2 shows you the release levers.


Proceed to the next section, Installing the Slide Rails into a Rack with Square Holes, to continue the installation process.

Installing the Slide Rails into a Rack with Square Holes

This section contains:

Setting the Multi-Pin Adapters for the Rack Type

Installing and Securing the Slide Rails in a Rack

Setting the Multi-Pin Adapters for the Rack Type

The multi-pin adapters allow the slide rails to be used in racks that have square mounting holes or round mounting holes.

To set the adapters for the rack type:


Step 1 On each slide rail, reverse the multi-pin adapter position to match the rack-mounting hole type, if necessary. Remove the multi-pin adapter by rotating the swivel lock upward, pressing the mounting pins together, and then pulling the adapter from the multi-pin bracket.

Step 2 Install the multi-pin adapter by pressing the pins together while inserting the adapter into the bracket. The multi-pin adapter must be fully locked in the bracket. Ensure that both mounting pins on the multi-pin adapter are fully engaged in the multi-pin bracket, then lock the multi-pin adapter in place using the swivel lock.

Step 3 Repeat Steps 1 and 2 for both ends of each slide rail.

Step 4 To lock the adapters in place:

a. Rotate the swivel lock to the up position, as shown in the illustration at the left in Figure 3-2. Press the pins together and insert the rack-mounting end of the multi-pin adapter through the corresponding holes in the bracket.


Note Insert the adapter into the bracket with the slotted pin in the up position, as shown in Figure 3-2.


Figure 3-2 Locking the Adapter into Place

b. When the multi-pin adapter is fully seated in the bracket, close the swivel lock, as shown in the illustration to the right in Figure 3-2.

If the adapter is seated properly, you should be able to easily rotate the swivel lock to the fully locked (closed) position.

Proceed to the next section, Installing and Securing the Slide Rails in a Rack, to continue the installation.


Installing and Securing the Slide Rails in a Rack


Caution If you mount the slide rail in holes that are not vertically aligned from front to back, you could damage the slide rail, and your mounting may not be secure.

To install the slide rails into the rack:


Step 1 At all four rack uprights, determine the vertical position in the rack where the slide rails are to be installed. The top-most mounting hole for a particular RU mounting position is typically identified by a mark or hole, as shown in Figure 3-3.

Figure 3-3 Mounting Position Marks on a Rack

Step 2 Noting the holes that you located in Step 1, align the left slide rail with its mounting holes.

Step 3 Hold the slide rail in the desired rack-mounting position. At the rear of the slide rail, press the multi-pin adapter mounting pins together (see location 1 in Figure 3-4) and insert the slide rail into the rack post (see location 2 in Figure 3-4).

Figure 3-4 Inserting the Adapter Pins into the Mounting Holes

The following table describes the callouts in Figure 3-4.

1   Appliance mounting kit lock
2   Rack holes


Figure 3-5 Correct and Incorrect Adapter Pin Insertion

The following table describes some of the correct and incorrect ways to insert the adapter pins into the rack as shown in Figure 3-5.

1   Correct     The multi-pin adapter pins are fully engaged in the rack holes. Also, the rack hole into which the top pin was inserted aligns with one of the round RU holes.
2   Incorrect   Note that the multi-pin adapter pins are not fully engaged in the rack holes.
3   Incorrect   The rack hole into which the top pin was inserted does not align with one of the RU holes.


Step 4 After ensuring that the proper mounting holes on the rack upright are selected, repeat Step 2 at the slide rail front-mounting position. Ensure that the slide rail is level.

Step 5 Extend the slide rail to its fully extended (locked) position. Press the slide extension release levers to release the lock. Move the slide rail in and out throughout its entire range of motion and make certain it does not bind. If you notice some binding, recheck the mounting positions.

Step 6 Repeat Steps 2 through 5 for the right slide rail, ensuring that it is parallel and level with the left slide rail.

Proceed to Installing the Slide Rails into a Rack with Round Holes to continue the installation process.


Installing the Slide Rails into a Rack with Round Holes

Installing the slide rails into a rack with round holes requires rack screws (not included in the rack-mount installation kit). Before you begin the installation, obtain the appropriate rack screws.


Caution If you mount the slide rail in holes that are not vertically aligned from front to back, you could damage the slide rail, and your mounting may not be secure.


Note When you install the rail hardware into a rack with round holes, you must position the rails so that they are inside the rack with the brackets facing outward. This placement decreases the amount of space between the posts into which you will slide the appliance. Ensure that you have adequate space for the appliance to slide into the rack. The required clearance is approximately 17.4 inches (44.2 cm).


Installing the slide rails on a round-hole rack does not require the multi-pin adapters. If the multi-pin adapters are already installed in the slide rails, remove them by rotating the swivel lock upward, pressing the mounting pins together, and then pulling the adapter from the multi-pin bracket, as shown in Figure 3-2.

To install the slide rails into the rack:


Step 1 At all four rack uprights, determine the vertical position in the rack where the slide rails are to be installed. The top-most mounting hole for a particular RU mounting position is typically identified by a mark or hole.

Step 2 After noting the holes that you located in Step 1, align the left slide rail with its mounting holes.

Step 3 Hold the slide rail in the desired rack-mounting position, with the rail on the inside of the rack and the brackets facing outward. At the rear of the slide rail, press the rear bracket against the rear post of the rack and secure the bracket to the rack with rack screws.

Step 4 After ensuring that you selected the proper mounting holes on the front rail post (by verifying that the rail is level), place the front bracket against the front post and secure the bracket to the rack with rack screws.

Step 5 Extend the slide rail to its fully extended (locked) position. Press the slide extension release levers to release the lock. Move the slide rail in and out throughout its entire range of motion and ensure that it does not bind. If you notice any binding, recheck the mounting positions.

Step 6 Repeat Steps 2 through 5 for the right slide rail, ensuring that it is parallel and level with the left slide rail.

Proceed to the next section, Installing the Appliance into the Slide Rails, to continue the installation.

Installing the Appliance into the Slide Rails

To install the CSACS 1120 Series appliance into the slide rails:


Step 1 Extend both slide rails to their fully extended (locked) position.

Step 2 Align the mounting studs with the mounting channels on the slide rails, as shown in Figure 3-6.

Figure 3-6 Aligning the Slide Rail with the Mounting Studs

Step 3 Carefully place the component's mounting studs in the mounting channels on the slide rails. Allow the component mounting studs to fully seat in the mounting channels.

The component release levers (one on each slide rail) pivot to lock when the studs are fully engaged in the mounting channels, and then to release the studs when you press the release. Ensure that the component release levers are in the locked position.

Step 4 Press and hold the left and right slide extension release levers, and slowly slide the component and the slide rails into the fully retracted position.

Connecting Cables

This section describes how to connect your CSACS 1120 Series appliance to the network and the appliance console. This section includes:

Connecting the Network Interface

Connecting the Console

Connecting the Keyboard and Video Monitor

Cable Management

Figure 3-7 CSACS 1120 Series Appliance Rear View

The following table describes the callouts in Figure 3-7.

1    AC power receptacle
2    PS/2 connector (video monitor)
3    PS/2 connector (keyboard)
4    Serial (EIA/TIA-232) console port
5    Video Graphics Array (VGA) port
6    NIC 2 (10/100/1000 Mb/s) port or Ethernet 1
7    NIC 2 port LED (activity)
8    NIC 2 port LED (link)
9    Two USB 2.0 ports
10   NIC 1 port (10/100/1000 Mb/s) or Ethernet 0
11   PCI adapter card slot (expansion)


Note ACS must use only the NIC 1 port on the appliance. If NIC 2 is used, it may lead to software configuration problems.


Connecting to the AC Power Source


Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024


Connect the AC power receptacle to the AC power source with the provided power cable.

Connecting the Network Interface


Warning Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001


This section describes how to connect the CSACS 1120 Series appliance NIC port.

The RJ-45 port supports standard straight-through and crossover Category 5 unshielded twisted-pair (UTP) cables. Cisco does not supply Category 5 UTP cables; these cables are available commercially.

To connect the cable to the appliance NIC port:


Step 1 Verify that the appliance is turned off.

Step 2 Connect one end of the cable to the NIC 1 port on the appliance. For cable pinouts, see Ethernet Port Connector, page 1-8.


Note ACS must use only the NIC 1 port on the appliance. If NIC 2 is used, it may lead to software configuration problems.


Step 3 Connect the other end to a hub or switch in your network.


Connecting the Console


Warning Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001


Your CSACS 1120 Series appliance has a DCE-mode console port for connecting a console terminal to your appliance. The appliance uses a DB-9 serial connector for the console port. For more information, see Serial (Console) Port, page 1-8.

To connect a terminal or a PC running terminal-emulation software to the console port on the CSACS 1120 Series appliance:


Step 1 Connect the terminal using a null-modem cable to the console port. For cable pinouts, see the Serial (Console) Port Connector, page 1-8.

Step 2 Configure your terminal or terminal-emulation software for 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.


Connecting the Keyboard and Video Monitor


Warning Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001


This section describes how to connect a keyboard and video monitor to the CSACS 1120 Series appliance.

The CSACS 1120 supports two PS/2 connector ports which can be used to connect a keyboard and video monitor directly to the appliance.

To connect a keyboard and video monitor to the appliance:


Step 1 Verify that the appliance is turned off.

Step 2 Connect the end of the keyboard cable to the PS/2 (keyboard) port which is located on the back panel of the appliance. For cable pinouts, see CSACS 1120 Appliance Back-Panel View, page 1-5.

Step 3 Connect the end of the video monitor cable to the PS/2 (video monitor) port which is located on the back panel of the appliance. For cable pinouts, see CSACS 1120 Appliance Back-Panel View, page 1-5.

Step 4 Power on the appliance.


Cable Management

Cable management is the most visual aspect of your appliance setup. However, cable management is often overlooked because it can be time consuming.

Equipment racks and enclosures house more equipment today than ever before. This growth has increased the need for organized cable management both inside and outside the rack. Poor cable management not only leads to damaged cables or increased time for adding or changing cables, but also blocks critical airflow or access. These problems can lead to inefficiencies in the performance of your equipment or even downtime.

There are many solutions to address cable management. They can range from simple cable management rings, to vertical or horizontal organizers, to troughs and ladders.

All CSACS 1120 Series appliance cables should be properly dressed so as not to interfere with each other or other pieces of equipment. Use local practices to ensure that the cables attached to your appliance are properly dressed.

Proceed to the next section, Powering Up the CSACS 1120 Series Appliance, to continue the installation process.

Powering Up the CSACS 1120 Series Appliance


Warning Do not touch the power supply when the power cord is connected. For systems with a power switch, line voltages are present within the power supply even when the power switch is off and the power cord is connected. For systems without a power switch, line voltages are present within the power supply when the power cord is connected. Statement 4



Warning This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal use. Statement 39


This section contains:

Checklist for Power Up

Power-Up Procedure

Checking the LEDs

Checklist for Power Up

You are ready to power up the CSACS 1120 Series appliance if:

The appliance is securely mounted.

Power, network, and interface cables are properly connected.

Power-Up Procedure

To power up the CSACS 1120 Series appliance and verify its initialization and self-test, follow this procedure. When the procedure is completed, the appliance is ready to be configured.


Step 1 Review the information in Safety Guidelines, page 2-1.

Step 2 Plug the AC power cord into the power cord receptacle at the rear of the appliance. (See location 1 in Figure 3-7.)

Step 3 Connect the other end of the power cord to a power source at your installation site.

Step 4 Press the power button on the front of the appliance. (See location 2 in Figure 3-8.)

The appliance should begin booting. Once the operating system boots, you are ready to initialize the basic software configuration.

Figure 3-8 CSACS 1120 Series Appliance Front View

The following table describes the callouts in Figure 3-8.

1   USB port
2   Power button
3   Appliance power LED
4   Hard disk drive activity LED
5   NIC 1 LED
6   NIC 2 LED



Checking the LEDs

When the CSACS 1120 Series appliance is up and running, observe the front-panel LEDs. The following LEDs provide power, activity, and status information:

CSACS 1120 Appliance Front-Panel LEDs

Appliance power, green:

On when power is on.

Off when power is off or an error condition has been detected in the operating voltages.

Hard disk activity, green:

On when appliance software has booted up and the appliance is operational.

Off when appliance has not yet booted or an error condition has been detected in the boot process.

NIC 1 or NIC 2, green:

On when packets are being transferred.

Off when no packets are being transferred.

For more detailed information about the LEDs, see Appendix D, "Troubleshooting."

Removing or Replacing the CSACS 1120 Series Appliance


Warning Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord. Statement 1



Warning Ultimate disposal of this product should be handled according to all national laws and regulations. Statement 1040


This section contains:

Removing a CSACS 1120 Series Appliance

Replacing a CSACS 1120 Series Appliance

Removing a CSACS 1120 Series Appliance

To remove a CSACS 1120 Series appliance from your network:


Step 1 Power down the appliance.

Step 2 Disconnect the power cords and network cables.

Step 3 Physically remove the appliance from the rack.

The appliance is in constant communication on your network; thus, when the network notices that the appliance is no longer responding to it, the network stops sending requests to the appliance. This change is visible to users.


Note If other appliances are attached to the network, the network continues sending requests to the other appliances.



Replacing a CSACS 1120 Series Appliance

To replace an appliance:


Step 1 Remove the appliance from the network.

Step 2 Install a new appliance using the same installation procedures that you used for the previous appliance.

Configure the new appliance using the same configuration parameters that you used for the removed appliance.


Initial Configuration

The first three of the four steps that are required to configure the ACS are documented in this manual:

Establishing a Serial Console Connection

Configuring CSACS 1120

Verifying the Initial Configuration

Setting Up a GUI Administrator Account


Note You perform the fourth and final part of the configuration, which includes providing AAA services by establishing administrative and user accounts, and configuring network connections, from the web interface. For more information, see User Guide for Cisco Secure ACS 4.2.


Establishing a Serial Console Connection

Before you can perform the initial configuration of ACS SE, you must establish a serial console connection to it. This procedure requires a PC, two DB-9 to RJ-45 adapters (provided), an RJ-45 cable (provided), and terminal emulation communication software (HyperTerminal or equivalent).

To establish a serial console connection:

If you performed the procedure in Connecting Cables, you can skip to Step 2.


Step 1 Connect a console to the serial console port on the back panel:

a. Attach a DB-9 to RJ-45 adapter (provided) to the serial port of the console.

b. Attach a DB-9 to RJ-45 adapter (provided) to the serial port of the CSACS 1120. For the location of the serial port, see Figure 1-5.

c. Use an RJ-45 cable (provided) to connect the console to the CSACS 1120.


Tip You may also use a serial concentrator connection, if desired.


Step 2 Power on CSACS 1120 and the console, and open your terminal emulation communication software on the console.


Tip See Figure 1-4 for the location of the power switch on CSACS 1120.


Step 3 Set your terminal emulation communication software to operate with the following settings:


Note CSACS 1120 works with only a baud rate of 9600. CSACS 1120 does not support a baud rate of 115200 which other appliances use.


Baud = 9600

Databits = 8

Stops = 1

Flow control = None

Terminal emulation type = ANSI

Result: The login: prompt appears.


Configuring CSACS 1120

You must configure the CSACS 1120 when you boot the system for the first time and whenever you re-image the system. For more information on re-imaging the system, see Upgrade Scenarios.

Table 3-2 lists the essential configuration tasks that are unique to SE.

Table 3-2 SE Configuration Tasks

Task
    Available Resources

Remote Agent configuration
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp386216

System Configuration
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html

ACS Back up
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp222373

ACS Restore
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp330795

Certificate setup
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp373226

EAP-FAST PAC files configuration
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp419531

Date/Time configuration
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp288064

SNMP setup
    On Cisco.com: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp288047


Before you begin to configure the CSACS 1120, you should have the following information:

Network hostname of the CSACS 1120.

DNS domain name.

Administrator name and password.

Database password.

GUI administrator name and password.

Whether you will enable DHCP (enabling DHCP is not recommended).

IP, netmask, and gateway addresses you will assign to the CSACS 1120.

Whether you will be using NTP synchronization and, if yes, the address of the NTP server.

To configure CSACS 1120:


Step 1 Establish a serial console connection to the CSACS 1120.


Note If CSACS 1120 is not configured (that is, it is new or has been re-imaged), the system displays the system information, including the software version.


Step 2 Confirm that the following information appears above the login prompt:

Cisco Secure ACS: [version number]
Appliance Management Software: [version number]
Appliance Base Image: [version number]
CSA build [version number]: (Patch: [version number])
Status: Appliance is functioning properly
The ACS Appliance has not been configured. 
Logon as "Administrator" with password "setup" to configure appliance.

Note If this information does not appear and only the Cisco Secure ACS: [version number] prompt appears, you must reboot the appliance and then log in.


Step 3 At the login: prompt, enter Administrator, and press Enter.


Note When you boot the system for the first time, it is not configured. You must log in as the command line interface (CLI) administrator to configure the system.


Step 4 At the password: prompt, enter setup, and press Enter.


Note The password is case sensitive.


Result: The console displays:

Initialize Appliance.
Machine will be rebooted after initialization.
Entering Ctrl-C before setting appliance name will shutdown the appliance

Step 5 At the ACS Appliance name [deliverance1]: prompt, enter the name that you intend to use for your CSACS 1120, and press Enter.


Tip The name can contain up to 15 letters and numbers, but no spaces.


Result: The console displays:

ACS Appliance name is set to xxx.

Step 6 At the DNS domain [ ]: prompt, enter the domain name, and press Enter.

Result: The console displays:

DNS name is set to xxx.com.
You need to set the administrator account name and password.

Step 7 At the Enter new account name: prompt, enter the ACS administrator account name, and press Enter.


Tip Only one ACS CLI administrator account can exist at a time. This account allows access only through a serial cable and CLI commands. You can change the account's credentials. For more information, see Resetting the CSACS 1120 Administrator Password.


Step 8 At the Enter new password: prompt, enter the new ACS password, and press Enter.


Note The new password must be unique and should not be identical to the last ten passwords that have been used. It must contain a minimum of 6 characters and include a mix of at least three character types: uppercase letters, lowercase letters, digits, and special characters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word. The password cannot contain the account name.


Step 9 At the Enter new password again: prompt, enter the new ACS password again, and press Enter.

Result: The console displays:

Password is set successfully.
Administrator name is set to xxx.

Step 10 The following prompt appears for the new database password:

Please enter the Encryption Password for the Configuration Store.
Please note this is different from the administrator account,
it is used to encrypt the Database.

Note It must contain a minimum of 6 characters, and it must include a mix of at least three character types: uppercase letters, lowercase letters, digits, and special characters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Step 11 At the Enter new password: prompt, enter the new database password, and press Enter.

Step 12 At the Enter new password again: prompt, enter the new database password again, and press Enter.

Result: The console displays:

Password is set successfully.

Step 13 At the Would you like to add GUI Administrator now?: prompt, type y for yes or n for no, and press Enter.


Note If you press Enter without entering y or n, the default value (yes) is used.


Step 14 If you entered y, complete these steps:

a. At the CSA build [version number]: (Patch: [version number]) prompt, enter the new GUI administrator name.

The following prompt appears:

Enter new password:

b. Enter the new password.


Note The password can only contain a maximum of 32 characters and a minimum of 4 characters.


The following prompt appears:

Enter new password again:

c. Enter the new password again.

Result: The console displays:

GUI Administrator added successfully.

For more information on adding a GUI administrator account, see Setting Up a GUI Administrator Account.

Step 15 At the Status: Appliance is functioning properly prompt, enter Y for yes or N for no, and press Enter.


Note To set or change the IP address of your CSACS 1120, it must be connected to a working Ethernet connection.



Note A static IP address must be assigned to your CSACS 1120. You can set the IP address directly by answering Y to this step and performing the substeps detailed in Step 16. Alternatively, you may use a DHCP address if it assigns a single IP address that does not change.


Step 16 The following prompts appear only if you set a static IP address manually. Otherwise the following message appears:

No change to the configuration.
Accept network setting [Yes]

a. To specify the CSACS 1120 IP address, at the The ACS Appliance has not been configured. Logon as "Administrator" with password "setup" to configure appliance. prompt, enter the IP address, and press Enter.

b. At the login prompt, enter the subnet mask value, and press Enter.

c. At the login: prompt, enter the default gateway value, and press Enter.

d. At the Initialize Appliance prompt, enter the address of any DNS server that you intend to use (separate each by a single space), and press Enter.


Note If you do not intend to use a DNS server, enter the IP address of the CSACS 1120 at the Machine will be rebooted after initialization [xx.xx.xx.xx] prompt. If you do not configure the CSACS 1120 to use a DNS server, you must respond to all prompts for hostname or IP address only with an IP address.


Result: The console displays:

IP Address is reconfigured.

e. At the Entering Ctrl-C before setting appliance name will shutdown the appliance prompt, enter Y, and press Enter.

Result: The console displays:

New ip address is set.
Default gateway is set to xx.xx.xx.xx
DNS servers are set to: xx.xx.xx.xx xx.xx.xx.xx.

f. At the ACS Appliance name is set to prompt, enter Y, and press Enter.

Result: The IP address for the appliance will be set.

g. At the prompt, enter Y, and press Enter.


Tip This step executes a ping command to ensure the connectivity of the .


h. At the DNS name is set to prompt, enter the IP address or hostname of a device connected to the , and press Enter.

Result: If successful, the system displays the ping statistics and displays the Test network connectivity prompt.

i. If network connectivity is validated in the previous two steps, at the You need to set the administrator account name and password. prompt, enter N, and press Enter.


Tip The system continues to provide you with the opportunity to test network connectivity until you answer no. This means that you can correct network connections or retype the IP address.


Step 17 If the settings appear correctly, at the Password is set successfully. prompt, enter Y, and press Enter.

Result: The console displays:

Current Date Time Setting:
Time Zone: (GMT -xx:xx) XXX Time
Date and Time: mm/dd/yyyy
NTP Server(s): NTP Synchronization Disabled.

Step 18 To set the time and date of the CSACS 1120, at the Administrator name is set to prompt, enter Y, and press Enter.

Result: The console displays a numbered list of time zones.

Step 19 At the Please enter the Encryption Password for the Configuration Store. prompt, enter the index number of the appropriate time zone for your geography, and press Enter.

Result: The console displays the new time zone.

Step 20 At the Please note this is different from the administrator account, prompt, do one of the following:

To set the time manually, enter N, and press Enter.

To use an NTP server for setting time, enter Y, and when prompted, enter the IP address of the NTP server that you want.


Tip You can subsequently use the ntpsync command only if you choose to use an NTP server.


Result: The console displays a confirmation message reflecting your choice.

Step 21 At the it is used to encrypt the Database. prompt, enter the date in the given format, and press Enter.

Step 22 At the Password is set successfully. prompt, enter the current time in the given format, and press Enter.

Result: The console displays:

Initial configuration is successful. Appliance will now reboot.

The system reboots.


Verifying the Initial Configuration

To verify that you have correctly completed the CSACS 1120 initial configuration:

Before You Begin

Establish a serial console connection to the CSACS 1120. For details, see Configuring CSACS 1120.


Step 1 Reboot the CSACS 1120. For more information, see Rebooting the CSACS 1120 from a Serial Console.

Result: When the system boots, an Enter new GUI administrator name: prompt appears on the console.

Step 2 At the Enter new password: prompt, enter the new administrator name, and press Enter.

Step 3 At the Enter new password again: prompt, enter the password you created during initial configuration, and press Enter.

Step 4 At the GUI Administrator added successfully. prompt, enter show and press Enter.

Result: The console displays the status information.

Step 5 Verify that the information on the screen is correct.


Setting Up a GUI Administrator Account

After initial installation or re-imaging, unless you specified a GUI administrator account during the initial configuration using the setup script, only one administrator account exists: the CLI administrator account. This account allows access only through a serial console login and CLI commands.

If you specified a GUI administrator account when prompted for one by the setup script, a GUI administrator account exists. However, before the designated GUI administrator user can use this account, you must unlock it by entering the unlock guiadmin command.

You can also set up an additional GUI administrator account that can access the CSACS 1120.

To set up an initial web GUI account:


Step 1 Log in as the CLI administrator.

Step 2 If a GUI administrator account was specified during initial configuration using the setup script, enter the unlock guiadmin command to unlock the GUI administrator account:

unlock guiadmin <Admin> <Password>

where Admin is the name of the GUI administrator account and Password is the password for the account.

Step 3 If no GUI administrator account has been set up or you want to add additional GUI administrator accounts, at the command prompt, enter:

add guiadmin

Result: The console displays:

Adding new GUI Administrator
Note! All ACS services will be restarted.
GUI Administrator password policy is:
Password must be at least 4 character(s) long.

Step 4 At the Use Static IP Address [Yes]: prompt, enter the new GUI administrator name, and press Enter.

Step 5 At the No change to the configuration. prompt, enter the new password, and press Enter.


Note The password can only contain a maximum of 32 characters and a minimum of 4 characters.


Step 6 At the Enter new password again: prompt, enter the new password again, and press Enter.

Result: The console displays:

GUI Administrator added successfully. The new GUI administrator account is not usable until 
you unlock it by entering the unlock guiadmin command.

You can now use the GUI administrator account to remotely access the ACS GUI running on the CSACS 1120.
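The password notes in Configuring CSACS 1120 and in this section define three different rule sets: one for the CLI administrator password, one for the database encryption password, and one for GUI administrator passwords. The following added example (not part of the original guide or of the appliance software) pre-checks a candidate password against each rule set before you type it at the console. The account name acsadmin is constructed, and treating every non-alphanumeric character as "special" and matching the account name case-insensitively are assumptions.

```python
import string


def char_classes(password):
    """Return the character types (per the guide's note) present in password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            # Assumption: anything else counts as a special character.
            classes.add("special")
    return classes


def check_database(password):
    """Database encryption password: >= 6 chars, >= 3 character types."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if len(char_classes(password)) < 3:
        problems.append("fewer than three character types")
    return problems


def check_cli_admin(password, account, history=()):
    """CLI administrator password: database rules plus name and history rules."""
    problems = check_database(password)
    # Assumption: case-insensitive match, which is at least as strict as the note.
    if account and account.lower() in password.lower():
        problems.append("contains the account name")
    # history is ordered oldest to newest; only the last ten entries count.
    if password in list(history)[-10:]:
        problems.append("matches one of the last ten passwords")
    return problems


def check_gui_admin(password):
    """GUI administrator password: 4 to 32 characters, no other stated rule."""
    return [] if 4 <= len(password) <= 32 else ["length outside 4-32 characters"]


if __name__ == "__main__":
    # Constructed sample input; the first three are the guide's own examples.
    for pw in ["1PaSsWoRd", "*password44", "Pass*word", "password", "AcsAdmin*1"]:
        print(pw, check_cli_admin(pw, "acsadmin") or "ok")
```

Passing a GUI administrator password through check_database as well applies the stricter console rule to an account whose own policy accepts four characters.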


Next Steps

After you have successfully performed the procedures in this guide, CSACS 1120 is installed and initially configured. The next step is to log in using the GUI administrator account and use a browser and the web interface to fully configure the CSACS 1120 to provide the AAA services that you want from this installation. The URL is in the following format: http://<ip address>:2002, where ip address is the address that you assign during configuration.

For information on setting up user, group, network, and other parameters, see the User Guide for Cisco Secure ACS 4.2.


Note The CSACS 1120 automatically creates an entry called Self in the AAA Servers Table. This entry identifies the CSACS 1120 machine. However, in the Proxy Distribution Table and the AAA Server Table for RDBMS synchronization, the CSACS 1120 creates an entry for the hostname of the device that is running the CSACS 1120.