User Guide for Cisco Secure ACS for Windows Server Version 3.3
User Management

Table Of Contents

User Management

About User Setup Features and Functions

About User Databases

Basic User Setup Options

Adding a Basic User Account

Setting Supplementary User Information

Setting a Separate CHAP/MS-CHAP/ARAP Password

Assigning a User to a Group

Setting User Callback Option

Assigning a User to a Client IP Address

Setting Network Access Restrictions for a User

Setting Max Sessions Options for a User

Setting User Usage Quotas Options

Setting Options for User Account Disablement

Assigning a Downloadable IP ACL to a User

Advanced User Authentication Settings

TACACS+ Settings (User)

Configuring TACACS+ Settings for a User

Configuring a Shell Command Authorization Set for a User

Configuring a PIX Command Authorization Set for a User

Configuring Device-Management Command Authorization for a User

Configuring the Unknown Service Setting for a User

Advanced TACACS+ Settings (User)

Setting Enable Privilege Options for a User

Setting TACACS+ Enable Password Options for a User

Setting TACACS+ Outbound Password for a User

RADIUS Attributes

Setting IETF RADIUS Parameters for a User

Setting Cisco IOS/PIX RADIUS Parameters for a User

Setting Cisco Aironet RADIUS Parameters for a User

Setting Ascend RADIUS Parameters for a User

Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User

Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User

Setting Microsoft RADIUS Parameters for a User

Setting Nortel RADIUS Parameters for a User

Setting Juniper RADIUS Parameters for a User

Setting BBSM RADIUS Parameters for a User

Setting Custom RADIUS Attributes for a User

User Management

Listing All Users

Finding a User

Disabling a User Account

Deleting a User Account

Resetting User Session Quota Counters

Resetting a User Account after Login Failure

Saving User Settings


User Management


This chapter provides information about setting up and managing user accounts in Cisco Secure ACS for Windows Server.


Note Settings at the user level override settings configured at the group level.


Before you configure User Setup, you should understand how this section functions. Cisco Secure ACS dynamically builds the User Setup section interface depending on the configuration of your AAA client and the security protocols being used. That is, what you see under User Setup is affected by settings in both the Network Configuration and Interface Configuration sections.

This chapter contains the following topics:

About User Setup Features and Functions

About User Databases

Basic User Setup Options

Advanced User Authentication Settings

User Management

About User Setup Features and Functions

The User Setup section of the Cisco Secure ACS HTML interface is the centralized location for all operations regarding user account configuration and administration.

From within the User Setup section, you can perform the following tasks:

View a list of all users in the CiscoSecure user database.

Find a user.

Add a user.

Assign the user to a group, including Voice-over-IP (VoIP) Groups.

Edit user account information.

Establish or change user authentication type.

Configure callback information for the user.

Set network access restrictions (NARs) for the user.

Configure Advanced Settings.

Set the maximum number of concurrent sessions (Max Sessions) for the user.

Disable or re-enable the user account.

Delete the user.

About User Databases

Cisco Secure ACS authenticates users against one of several possible databases, including its CiscoSecure user database. Regardless of which database you configure Cisco Secure ACS to use when authenticating a user, all users have accounts within the CiscoSecure user database, and authorization of users is always performed against the user records in the CiscoSecure user database. The following list details the basic user databases used and provides links to greater details on each:

CiscoSecure user database—Authenticates a user from the local CiscoSecure user database. For more information, see CiscoSecure User Database.


Tip The following authentication types appear in the HTML interface only when the corresponding external user database has been configured in the Database Configuration area of the External User Databases section.


Windows Database—Authenticates a user with an existing account in the Windows user database located in the local domain or in domains configured in the Windows user database. For more information, see Windows User Database.

Generic LDAP—Authenticates a user from a Generic LDAP external user database. For more information, see Generic LDAP.

Novell NDS—Authenticates a user using Novell NetWare Directory Services (NDS). For more information, see Novell NDS Database.

ODBC Database—Authenticates a user from an Open Database Connectivity-compliant database server. For more information, see ODBC Database.

LEAP Proxy RADIUS Server Database—Authenticates a user from an LEAP Proxy RADIUS server. For more information, see LEAP Proxy RADIUS Server Database.

Token Server—Authenticates a user from a token server database. Cisco Secure ACS supports the use of a variety of token servers for the increased security provided by one-time passwords. For more information, see Token Server User Databases.

Basic User Setup Options

This section presents the basic activities you perform when configuring a new user. At its most basic level, configuring a new user requires only three steps, as follows:

Specify a name.

Specify either an external user database or a password.

Submit the information.

The steps for editing user account settings are essentially identical to those used when adding a user account but, to edit, you navigate directly to the field or fields to be changed. You cannot edit the name associated with a user account; to change a username you must delete the user account and establish another.

What other procedures you perform when setting up new user accounts is a function both of the complexity of your network and of the granularity of control you desire.

This section contains the following topics:

Adding a Basic User Account

Setting Supplementary User Information

Setting a Separate CHAP/MS-CHAP/ARAP Password

Assigning a User to a Group

Setting User Callback Option

Assigning a User to a Client IP Address

Setting Network Access Restrictions for a User

Setting Max Sessions Options for a User

Setting User Usage Quotas Options

Setting Options for User Account Disablement

Assigning a Downloadable IP ACL to a User

Adding a Basic User Account

This procedure details the minimum steps necessary to add a new user account to the CiscoSecure user database.

To add a user account, follow these steps:


Step 1 In the navigation bar, click User Setup.

The User Setup Select page opens.

Step 2 Type a name in the User box.


Note The username can contain up to 64 characters. Names cannot contain the following special characters:
# ? " * > <
Leading and trailing spaces are not allowed.


Step 3 Click Add/Edit.

The User Setup Edit page opens. The username being added is at the top of the page.

Step 4 Make sure that the Account Disabled check box is cleared.


Note Alternatively, you can select the Account Disabled check box to create a user account that is disabled, and enable the account at another time.


Step 5 Under Password Authentication in the User Setup table, select the applicable authentication type from the list.


Tip The authentication types that appear reflect the databases that you have configured in the Database Configuration area of the External User Databases section.


Step 6 Specify a single CiscoSecure PAP password by typing it in the first set of Password and Confirm Password boxes.


Note Up to 32 characters are allowed each for the Password box and the Confirm Password box.



Tip The CiscoSecure PAP password is also used for CHAP/MS-CHAP/ARAP if the Separate CHAP/MS-CHAP/ARAP check box is not selected.



Tip You can configure the AAA client to ask for a PAP password first and then a CHAP or MS-CHAP password so that when users dial in using a PAP password, they will authenticate. For example, the following line in the AAA client configuration file causes the AAA client to enable CHAP after PAP:
ppp authentication pap chap


Step 7 Do one of the following:

To finish configuring the user account options and establish the user account, click Submit.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Tip For lengthy account configurations, you can click Submit before continuing. This will prevent loss of information you have already entered if an unforeseen problem occurs.



Setting Supplementary User Information

Supplementary User Information can contain up to five fields that you configure. The default configuration includes two fields: Real Name and Description.

For information about how to display and configure these optional fields, see User Data Configuration Options.

To enter optional information into the Supplementary User Information table, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Complete each box that appears in the Supplementary User Info table.


Note Up to 128 characters are allowed each for the Real Name and the Description boxes.


Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting a Separate CHAP/MS-CHAP/ARAP Password

Setting a separate CHAP/MS-CHAP/ARAP password adds more security to Cisco Secure ACS authentication. However, you must have a AAA client configured to support the separate password.

To allow the user to authenticate using a CHAP, MS-CHAP, or ARAP password, instead of the PAP password in the CiscoSecure user database, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Select the Separate CHAP/MS-CHAP/ARAP check box in the User Setup table.

Step 3 Specify the CHAP/MS-CHAP/ARAP password to be used by typing it in each of the second set of Password/Confirm boxes under the Separate (CHAP/MS-CHAP/ARAP) check box.


Note Up to 32 characters are allowed each for the Password box and the Confirm Password box.



Note These Password and Confirm Password boxes are only required for authentication by the Cisco Secure ACS database. Additionally, if a user is assigned to a VoIP (null password) group, and the optional password is also included in the user profile, the password is not used until the user is re-mapped to a non-VoIP group.


Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Assigning a User to a Group

A user can only belong to one group in Cisco Secure ACS. The user inherits the attributes and operations assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings configured at the group level.

By default, users are assigned to the Default Group. Users who authenticate via the Unknown User method and who are not mapped to an existing Cisco Secure ACS group are also assigned to the Default Group.

Alternatively, you can choose not to map a user to a particular group, but rather, to have the group mapped by an external authenticator. For external user databases from which Cisco Secure ACS can derive group information, you can associate the group memberships—defined for the users in the external user database—to specific Cisco Secure ACS groups. For more information, see "User Group Mapping and Specification".

To assign a user to a group, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited appears at the top of the page.

Step 2 From the Group to which user is assigned list in the User Setup table, select the group to which you want to assign the user.


Tip Alternatively, you can scroll up in the list to select the Mapped By External Authenticator option.


Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting User Callback Option

Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges.

To set the user callback option, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited appears at the top of the page.

Step 2 Under Callback in the User Setup table, select the applicable option. Choices include the following:

Use group setting—Select if you want this user to use the setting for the group.

No callback allowed—Select to disable callback for this user.

Callback using this number—Select and type the complete number, including area code if necessary, on which to always call back this user.


Note The maximum character length for the callback number is 199 characters.


Dialup client specifies callback number—Select to enable the Windows dialup client to specify the callback number.

Use Windows Database callback settings—Select to use the settings specified for Windows callback. If a Windows account for a user resides in a remote domain, the domain in which Cisco Secure ACS resides must have a two-way trust with that domain for the Microsoft Windows callback settings to operate for that user.


Note The dial-in user must have configured software that supports callback.


Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Assigning a User to a Client IP Address

To assign a user to a client IP address, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Under Client IP Address Assignment in the User Setup table, select the applicable option. Choices include the following:


Note The IP address assignment in User Setup overrides the IP address assignment in Group Setup.


Use group settings—Select this option to use the IP address group assignment.

No IP address assignment—Select this option to override the group setting if you do not want an IP address returned by the client.

Assigned by dialup client—Select this option to use the IP address dialup client assignment.

Assign static IP address—Select this option and type the IP address in the box (up to 15 characters), if a specific IP address should be used for this user.


Note If the IP address is being assigned from a pool of IP addresses or by the dialup client, leave the Assign IP address box blank.


Assigned by AAA client pool—Select this option and type the AAA client IP pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA client.

Assigned from AAA pool—Select this option and type the applicable pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA server. Select the AAA server IP pool name from the Available Pools list, and then click --> (right arrow button) to move the name into the Selected Pools list. If there is more than one pool in the Selected Pools list, the user is assigned an address from the first available pool in the order listed. To move the position of a pool in the list, select the pool name and click Up or Down until the pool is in the position you want.

Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Network Access Restrictions for a User

The Network Access Restrictions table in the Advanced Settings area of User Setup enables you to set NARs in three distinct ways:

Apply existing shared NARs by name.

Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on a AAA client when an IP connection has been established.

Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS used.


Note You can also use the CLI/DNIS-based access restrictions area to specify other values. For more information, see About Network Access Restrictions.


Typically, you define (shared) NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction. You must have selected the User-Level Shared Network Access Restriction check box on the Advanced Options page of the Interface Configuration section for this set of options to appear in the HTML interface.

However, Cisco Secure ACS also enables you to define and apply a NAR for a single user from within the User Setup section. You must have enabled the User-Level Network Access Restriction setting on the Advanced Options page of the Interface Configuration section for single user IP-based filter options and single user CLI/DNIS-based filter options to appear in the HTML interface.


Note When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.


When you create access restrictions on a per-user basis, Cisco Secure ACS does not enforce a limit on the number of access restrictions or on the length of each access restriction; however, the following strict limits do apply.

The combination of fields for each line item cannot exceed 1024 characters in length.

The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a CLI/DNIS-based NAR where the AAA client names are 10 characters, the port numbers are 5 characters, the CLI entries are 15 characters, and the DNIS entries are 20 characters, you can add 450 line items before reaching the 16 KB limit.

To set NARs for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 To apply a previously configured shared NAR to this user, follow these steps:


Note To apply a shared NAR, you must have configured it under Network Access Restrictions in the Shared Profile Components section. For more information, see Adding a Shared Network Access Restriction.


a. Select the Only Allow network access when check box.

b. To specify whether one or all shared NARs must apply for the user to be permitted access, select one of the following two options, as applicable:

All selected NARS result in permit

Any one selected NAR results in permit

c. Select a shared NAR name in the NARs list, and then click --> (right arrow button) to move the name into the Selected NARs list.


Tip To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR, as applicable.


Step 3 To define and apply a NAR, for this particular user, that permits or denies this user access based on IP address, or IP address and port, follow these steps:


Tip You should define most NARs from within the Shared Components section so that they can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction.


a. In the Network Access Restrictions table, under Per User Defined Network Access Restrictions, select the Define IP-based access restrictions check box.

b. To specify whether the subsequent listing specifies permitted or denied IP addresses, from the Table Defines list, select one of the following:

Permitted Calling/Point of Access Locations

Denied Calling/Point of Access Locations

c. Select or enter the information in the following boxes:

AAA Client—Select All AAA Clients, or the name of a network device group (NDG), or the name of the individual AAA client, to which to permit or deny access.

Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.

Address—Type the IP address or addresses to use when performing access restrictions. You can use the wildcard asterisk (*).


Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.


d. Click enter.

The specified AAA client, port, and address information appears in the table above the AAA Client list.

Step 4 To permit or deny this user access based on calling location or values other than an established IP address, follow these steps:

a. Select the Define CLI/DNIS based access restrictions check box.

b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following:

Permitted Calling/Point of Access Locations

Denied Calling/Point of Access Locations

c. Complete the following boxes:


Note You must make an entry in each box. You can use the wildcard asterisk (*) for all or part of a value. The format you use must match the format of the string you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.


AAA Client—Select All AAA Clients, or the name of the NDG, or the name of the individual AAA client, to which to permit or deny access.

PORT—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports.

CLI—Type the CLI number to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access based on part of the number.


Tip This is also the selection to use if you want to restrict access based on other values such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions.


DNIS—Type the DNIS number to which to permit or deny access. Use this to restrict access based on the number into which the user will be dialing. You can use the wildcard asterisk (*) to permit or deny access based on part of the number.


Tip This is also the selection to use if you want to restrict access based on other values such as a Cisco Aironet AP MAC address. For more information, see About Network Access Restrictions.



Note The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.


d. Click enter.

The information, specifying the AAA client, port, CLI, and DNIS, appears in the table above the AAA Client list.

Step 5 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Max Sessions Options for a User

The Max Sessions feature enables you to set the maximum number of simultaneous connections permitted for this user. For Cisco Secure ACS purposes, a session is considered any type of user connection supported by RADIUS or TACACS+, for example, PPP, Telnet, or ARAP. Note, however, that accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session. All session counts are based on user and group names only. Cisco Secure ACS does not support any differentiation by type of session—all sessions are counted as the same. To illustrate, a user with a Max Session count of 1 who is dialed in to a AAA client with a PPP session will be refused a connection if that user then tries to Telnet to a location whose access is controlled by the same Cisco Secure ACS.


Note Each Cisco Secure ACS holds its own Max Sessions counts. There is no mechanism for Cisco Secure ACS to share Max Sessions counts across multiple Cisco Secure ACSes. Therefore, if two Cisco Secure ACSes are set up as a mirror pair with the workload distributed between them, they will have completely independent views of the Max Sessions totals.



Tip If the Max Sessions table does not appear, click Interface Configuration, click Advanced Options, and then select the Max Sessions check box.


To set max sessions options for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 In the Max Sessions table, under Sessions available to user, select one of the following three options:

Unlimited—Select to allow this user an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)

n—Select and then type the maximum number of simultaneous sessions to allow this user.

Use group setting—Select to use the Max Sessions value for the group.


Note The default setting is Use group setting.



Note User Max Sessions settings override the group Max Sessions settings. For example, if the group Sales has a Max Sessions value of only 10, but a user in the group Sales, John, has a User Max Sessions value of Unlimited, John is still allowed an unlimited number of sessions.


Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting User Usage Quotas Options

You can define usage quotas for individual users. You can limit users in one or both of two ways:

By total duration of sessions for the period selected.

By the total number of sessions for the period selected.

For Cisco Secure ACS purposes, a session is considered any type of user connection supported by RADIUS or TACACS+, for example, PPP, Telnet, or ARAP. Note, however, that accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session. If you make no selections in the Session Quotas section for an individual user, Cisco Secure ACS applies the session quotas of the group to which the user is assigned.


Note If the User Usage Quotas feature does not appear, click Interface Configuration, click Advanced Options, and then select the Usage Quotas check box.



Tip The Current Usage table under the User Usage Quotas table on the User Setup Edit page displays usage statistics for the current user. The Current Usage table lists both online time and sessions used by the user, with columns for daily, weekly, monthly, and total usage. The Current Usage table appears only on user accounts that you have established; that is, it does not appear during initial user setup.


For a user who has exceeded his quota, Cisco Secure ACS denies him access upon his next attempt to start a session. If a quota is exceeded during a session, Cisco Secure ACS allows the session to continue. If a user account has been disabled because the user has exceeded usage quotas, the User Setup Edit page displays a message stating that the account has been disabled for this reason.

You can reset the session quota counters on the User Setup page for a user. For more information about resetting usage quota counters, see Resetting User Session Quota Counters.

To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off. If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the quota allocated to the user.

To set usage quota options for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 In the Usage Quotas table, select Use these settings.

Step 3 To define a usage quota based on duration of sessions for a user, follow these steps:

a. Select the Limit user to x hours of online time check box.

b. Type the number of hours to which you want to limit the user in the Limit user to x hours of online time box. Use decimal values to indicate minutes. For example, a value of 10.5 would equal 10 hours and 30 minutes.


Note Up to 10 characters are allowed for this field.


c. Select the period for which you want to enforce the time usage quota:

per Day—From 12:01 a.m. until midnight.

per Week—From 12:01 a.m. Sunday until midnight Saturday.

per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.

Absolute—A continuous, open-ended count of hours.

Step 4 To define usage quotas based on the number of sessions for a user, follow these steps:

a. Select the Limit user to x sessions check box.

b. Type the number of sessions to which you want to limit the user in the Limit user to x sessions box.


Note Up to 10 characters are allowed for this field.


c. Select the period for which you want to enforce the session usage quota:

per Day—From 12:01 a.m. until midnight.

per Week—From 12:01 a.m. Sunday until midnight Saturday.

per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.

Absolute—A continuous, open-ended count of hours.
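The quota behaviour described in this section, as an added model that is not code from Cisco Secure ACS or from this guide: hour and session-count quotas per day, week (Sunday to Saturday), month or absolute period; a session that exhausts the quota is allowed to continue while the next session start is denied; and online time is credited only from accounting update packets when they are enabled, otherwise only at logoff, so without updates a long-running session is invisible to the quota until it ends. Timestamps, quota values and the decision to attribute credited time to the period in which it is reported are constructed assumptions.

```python
"""Usage-quota accounting as described for Cisco Secure ACS (added model, not ACS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Quota:
    hours: Optional[float] = None    # e.g. 10.5 means 10 h 30 min; None = no time quota
    sessions: Optional[int] = None   # None = no session-count quota
    period: str = "day"              # "day", "week", "month" or "absolute"


def period_start(when: datetime, period: str) -> datetime:
    """First instant of the quota period that contains `when`."""
    day = when.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "day":
        return day
    if period == "week":                       # weeks run Sunday .. Saturday
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if period == "month":
        return day.replace(day=1)
    if period == "absolute":                   # open-ended: count everything ever recorded
        return datetime.min
    raise ValueError(f"unknown period {period!r}")


@dataclass
class Session:
    started: datetime
    credited_until: datetime   # online time up to this instant is already counted


@dataclass
class QuotaTracker:
    quota: Quota
    interim_updates: bool      # accounting update packets enabled on the AAA client?
    active: Dict[str, Session] = field(default_factory=dict)
    usage: List[Tuple[datetime, float, int]] = field(default_factory=list)  # (when, seconds, sessions)

    def _used(self, now: datetime) -> Tuple[float, int]:
        start = period_start(now, self.quota.period)
        secs = sum(s for t, s, _ in self.usage if t >= start)
        sess = sum(n for t, _, n in self.usage if t >= start)
        return secs / 3600.0, sess

    def _credit(self, session_id: str, now: datetime) -> None:
        s = self.active[session_id]
        self.usage.append((now, (now - s.credited_until).total_seconds(), 0))
        s.credited_until = now

    def start(self, session_id: str, now: datetime) -> bool:
        """Accounting start: deny if the quota is already used up, otherwise count the session."""
        hours, sessions = self._used(now)
        if self.quota.hours is not None and hours >= self.quota.hours:
            return False
        if self.quota.sessions is not None and sessions >= self.quota.sessions:
            return False
        self.active[session_id] = Session(now, now)
        self.usage.append((now, 0.0, 1))
        return True

    def update(self, session_id: str, now: datetime) -> None:
        """Interim accounting update: credits elapsed time only when updates are enabled."""
        if self.interim_updates and session_id in self.active:
            self._credit(session_id, now)

    def stop(self, session_id: str, now: datetime) -> None:
        """Accounting stop: credit the remaining online time. A running session is never cut off."""
        if session_id in self.active:
            self._credit(session_id, now)
            del self.active[session_id]

    def hours_used(self, now: datetime) -> float:
        return self._used(now)[0]


def demo() -> Dict[str, bool]:
    """Same 1-hour daily quota, with and without accounting update packets (constructed times)."""
    q = Quota(hours=1.0, period="day")
    t0 = datetime(2004, 6, 7, 9, 0)          # constructed: Monday 09:00
    r: Dict[str, bool] = {}
    no_upd = QuotaTracker(q, interim_updates=False)
    no_upd.start("a", t0)
    no_upd.update("a", t0 + timedelta(minutes=75))            # ignored: no update packets
    r["second_start_without_updates"] = no_upd.start("b", t0 + timedelta(minutes=90))
    no_upd.stop("a", t0 + timedelta(minutes=90))              # 1.5 h credited only now
    r["third_start_without_updates"] = no_upd.start("c", t0 + timedelta(hours=2))
    upd = QuotaTracker(q, interim_updates=True)
    upd.start("a", t0)
    upd.update("a", t0 + timedelta(minutes=75))               # 1.25 h credited at the update
    r["second_start_with_updates"] = upd.start("b", t0 + timedelta(minutes=90))
    upd.stop("a", t0 + timedelta(hours=2))                    # session a itself ran to completion
    r["next_day_start"] = upd.start("d", t0 + timedelta(days=1))
    return r
```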


Setting Options for User Account Disablement

The Account Disable feature defines the circumstances upon which a user account is disabled.


Note Do not confuse this feature with account expiration due to password aging. Password aging is defined for groups only, not for individual users. Also note that this feature is distinct from the Account Disabled check box. For instructions on how to disable a user account, see Disabling a User Account.



Note If the user is authenticated with a Windows user database, this expiration information is in addition to the information in the Windows user account. Changes here do not alter settings configured in Windows.


To set options for user account disablement, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Do one of the following:

a. Select the Never option to keep the user account always enabled.


Note This is the default setting.


b. Select the Disable account if option to disable the account under specific circumstances. Then, specify one or both of the circumstances under the following boxes:

Date exceeds—Select the Date exceeds: check box. Then select the month and type the date (two characters) and year (four characters) on which to disable the account.


Note The default is 30 days after the user is added.


Failed attempts exceed—Select the Failed attempts exceed check box and then type the number of consecutive unsuccessful login attempts to allow before disabling the account.


Note The default is 5.


Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Assigning a Downloadable IP ACL to a User

The Downloadable ACLs feature enables you to assign an IP Access Control List (ACL) at the user level. You must configure one or more IP ACLs before you assign one. For instructions on how to configure a downloadable IP ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface, see Adding a Downloadable IP ACL.


Note The Downloadable ACLs table does not appear if it has not been enabled. To enable the Downloadable ACLs table, click Interface Configuration, click Advanced Options, and then select the User-Level Downloadable ACLs check box.


To assign a downloadable IP ACL to a user account, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Under the Downloadable ACLs section, click the Assign IP ACL: check box.

Step 3 Select an IP ACL from the list.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Advanced User Authentication Settings

This section presents the activities you perform to configure user-level TACACS+ and RADIUS enable parameters.

This section contains the following topics:

TACACS+ Settings (User)

Configuring TACACS+ Settings for a User

Configuring a Shell Command Authorization Set for a User

Configuring a PIX Command Authorization Set for a User

Configuring Device-Management Command Authorization for a User

Configuring the Unknown Service Setting for a User

Advanced TACACS+ Settings (User)

Setting Enable Privilege Options for a User

Setting TACACS+ Enable Password Options for a User

Setting TACACS+ Outbound Password for a User

RADIUS Attributes

Setting IETF RADIUS Parameters for a User

Setting Cisco IOS/PIX RADIUS Parameters for a User

Setting Cisco Aironet RADIUS Parameters for a User

Setting Ascend RADIUS Parameters for a User

Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User

Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User

Setting Microsoft RADIUS Parameters for a User

Setting Nortel RADIUS Parameters for a User

Setting Juniper RADIUS Parameters for a User

Setting BBSM RADIUS Parameters for a User

Setting Custom RADIUS Attributes for a User

TACACS+ Settings (User)

The TACACS+ Settings section permits you to enable and configure the service/protocol parameters to be applied for the authorization of a user.

This section contains the following topics:

Configuring TACACS+ Settings for a User

Configuring a Shell Command Authorization Set for a User

Configuring a PIX Command Authorization Set for a User

Configuring Device-Management Command Authorization for a User

Configuring the Unknown Service Setting for a User

Configuring TACACS+ Settings for a User

You can use this procedure to configure TACACS+ settings at the user level for the following service/protocols:

PPP IP

PPP IPX

PPP Multilink

PPP Apple Talk

PPP VPDN

PPP LCP

ARAP

Shell (exec)

PIX Shell (pixShell)

SLIP

You can also enable any new TACACS+ services that you may have configured. Because having all service/protocol settings display within the User Setup section would be cumbersome, you choose what settings to hide or display at the user level when you configure the interface. For more information about setting up new or existing TACACS+ services in the Cisco Secure ACS HTML interface, see Protocol Configuration Options for TACACS+.

If you have configured Cisco Secure ACS to interact with a Cisco device-management application, new TACACS+ services may appear automatically, as needed to support the device-management application. For more information about Cisco Secure ACS interaction with device-management applications, see Support for Cisco Device-Management Applications.

For more information about attributes, see "TACACS+ Attribute-Value Pairs", or your AAA client documentation. For information on assigning an IP ACL, see Assigning a Downloadable IP ACL to a User.

Before You Begin

For the TACACS+ service/protocol configuration to be displayed, a AAA client must be configured to use TACACS+ as the security control protocol.

In the Advanced Options section of Interface Configuration, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.

To configure TACACS+ settings for a user, follow these steps:


Step 1 Click Interface Configuration and then click TACACS+ (Cisco IOS). In the TACACS+ Services table, under the heading User, ensure that the check box is selected for each service/protocol you want to configure.

Step 2 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 3 Scroll down to the TACACS+ Settings table and select the check box next to the bold service name (for example, PPP IP) to enable that service/protocol.

Step 4 To enable specific parameters within the selected service, select the check box next to a specific parameter and then do one of the following, as applicable:

Select the Enabled check box.

Specify a value in the corresponding attribute box.

To specify ACLs and IP address pools, enter the name of the ACL or pool as defined on the AAA client. Leave the box blank if the default (as defined on the AAA client) should be used. For more information about attributes, see "TACACS+ Attribute-Value Pairs", or your AAA client documentation. For information on assigning an IP ACL, see Assigning a Downloadable IP ACL to a User.


Tip An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.


Step 5 To employ custom attributes for a particular service, select the Custom attributes check box under that service, and then specify the attribute/value in the box below the check box.

Step 6 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Configuring a Shell Command Authorization Set for a User

Use this procedure to specify the shell command authorization set parameters for a user. You can choose one of five options:

None—There is no authorization for shell commands.

Group—For this user, the group-level shell command authorization set applies.

Assign a Shell Command Authorization Set for any network device—One shell command authorization set is assigned, and it applies to all network devices.

Assign a Shell Command Authorization Set on a per Network Device Group Basis—Particular shell command authorization sets are to be effective on particular NDGs. When you select this option, you create the table that lists what NDG associates with what shell command authorization set.

Per User Command Authorization—Enables you to permit or deny specific Cisco IOS commands and arguments at the user level.

Before You Begin

Make sure that a AAA client has been configured to use TACACS+ as the security control protocol.

In the Advanced Options section of Interface Configuration, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.

In the TACACS+ (Cisco) section of Interface Configuration, ensure that the Shell (exec) option is selected in the User column.

Ensure that you have already configured one or more shell command authorization sets. For detailed steps, see Adding a Command Authorization Set.

To specify shell command authorization set parameters for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Scroll down to the TACACS+ Settings table and to the Shell Command Authorization Set feature area within it.

Step 3 To prevent the application of any shell command authorization set, select (or accept the default of) the None option.

Step 4 To assign the shell command authorization set at the group level, select the As Group option.

Step 5 To assign a particular shell command authorization set to be effective on any configured network device, follow these steps:

a. Select the Assign a Shell Command Authorization Set for any network device option.

b. Then, from the list directly below that option, select the shell command authorization set you want applied to this user.

Step 6 To create associations that assign a particular shell command authorization set to be effective on a particular NDG, for each association, follow these steps:

a. Select the Assign a Shell Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and an associated Command Set.

c. Click Add Association.


Tip You can also select which command set applies to network device groups that are not listed simply by associating that command set with the NDG <default> listing.


The NDG or NDGs and associated shell command authorization set or sets are paired in the table.

Step 7 To define the specific Cisco IOS commands and arguments to be permitted or denied for this user, follow these steps:

a. Select the Per User Command Authorization option.

b. Under Unmatched Cisco IOS commands, select either Permit or Deny.

If you select Permit, the user can issue all commands not specifically listed. If you select Deny, the user can issue only those commands listed.

c. To list particular commands to be permitted or denied, select the Command check box and then type the name of the command, define its arguments using standard permit or deny syntax, and select whether unlisted arguments are to be permitted or denied.


Caution This is a powerful, advanced feature and should be used by an administrator skilled with Cisco IOS commands. Correct syntax is the responsibility of the administrator. For information on how Cisco Secure ACS uses pattern matching in command arguments, see About Pattern Matching.


Tip To enter several commands, you must click Submit after specifying a command. A new command entry box appears below the box you just completed.


Step 8 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.
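The Per User Command Authorization option in Step 7 combines three decisions: a default for commands that are not listed, per-command argument rules, and a default for arguments that match no rule. The following model is an added illustration of those semantics, not Cisco Secure ACS code; the argument rules are assumed to be Python regular expressions matched against the whole argument string, which stands in for the product's own pattern-matching syntax (see About Pattern Matching), and the two policies are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

PERMIT = "permit"
DENY = "deny"


@dataclass
class CommandRule:
    """One listed command: ordered (action, pattern) argument rules plus the
    action for arguments that match none of them ("unlisted arguments")."""
    name: str
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)
    unlisted_args: str = DENY


@dataclass
class PerUserCommandAuthorization:
    """The 'Per User Command Authorization' option: a default for commands that
    are not listed, and the list of commands with their argument rules."""
    unmatched_commands: str = DENY
    commands: List[CommandRule] = field(default_factory=list)

    def decide(self, command_line: str) -> Tuple[str, str]:
        """Return (action, reason) for one command line; reason is for audit logs."""
        parts = command_line.strip().split(None, 1)
        if not parts:
            return DENY, "empty command"
        cmd = parts[0]
        args = parts[1].strip() if len(parts) > 1 else ""
        for rule in self.commands:
            if rule.name != cmd:
                continue
            for action, pattern in rule.arg_rules:
                # Assumption: argument rules are regexes matched against the whole
                # argument string; the product's own syntax is not reproduced here.
                if re.fullmatch(pattern, args):
                    return action, f"{cmd}: argument rule '{pattern}'"
            return rule.unlisted_args, f"{cmd}: unlisted arguments"
        return self.unmatched_commands, "unmatched command"

    def authorize(self, command_line: str) -> str:
        return self.decide(command_line)[0]


# Constructed sample: a read-only operator. Unlisted commands are denied; "show"
# is permitted except for the running configuration (rule order matters: the
# deny rule must come before the catch-all permit); "ping" only to one subnet.
OPERATOR = PerUserCommandAuthorization(
    unmatched_commands=DENY,
    commands=[
        CommandRule("show", [(DENY, r"running-config.*"), (PERMIT, r".*")]),
        CommandRule("ping", [(PERMIT, r"10\.0\.0\.\d{1,3}")], unlisted_args=DENY),
    ],
)

# Constructed sample: the inverse stance. Unlisted commands are permitted and
# only "configure" is blocked, whatever its arguments.
ADMIN_NO_CONFIG = PerUserCommandAuthorization(
    unmatched_commands=PERMIT,
    commands=[CommandRule("configure", [], unlisted_args=DENY)],
)


def audit(policy: PerUserCommandAuthorization, command_lines: List[str]):
    """Evaluate several command lines and return [(line, action, reason)]."""
    return [(line, *policy.decide(line)) for line in command_lines]


if __name__ == "__main__":
    for line, action, reason in audit(OPERATOR, [
        "show interface GigabitEthernet0/1",
        "show running-config | include password",
        "ping 10.0.0.5",
        "ping 192.0.2.1",
        "configure terminal",
    ]):
        print(f"{action:6} {line!r:45} ({reason})")
```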


Configuring a PIX Command Authorization Set for a User

Use this procedure to specify the PIX command authorization set parameters for a user. There are four options:

None—No authorization for PIX commands.

Group—For this user, the group-level PIX command authorization set applies.

Assign a PIX Command Authorization Set for any network device—One PIX command authorization set is assigned, and it applies to all network devices.

Assign a PIX Command Authorization Set on a per Network Device Group Basis—Particular PIX command authorization sets are to be effective on particular NDGs.

Before You Begin

Make sure that a AAA client is configured to use TACACS+ as the security control protocol.

In the Advanced Options section of Interface Configuration, make sure that the Per-user TACACS+/RADIUS Attributes check box is selected.

In the TACACS+ (Cisco) section of Interface Configuration, make sure that the PIX Shell (pixShell) option is selected in the User column.

Make sure that you have configured one or more PIX command authorization sets. For detailed steps, see Adding a Command Authorization Set.

To specify PIX command authorization set parameters for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Scroll down to the TACACS+ Settings table and to the PIX Command Authorization Set feature area within it.

Step 3 To prevent the application of any PIX command authorization set, select (or accept the default of) the None option.

Step 4 To assign the PIX command authorization set at the group level, select the As Group option.

Step 5 To assign a particular PIX command authorization set to be effective on any configured network device, follow these steps:

a. Select the Assign a PIX Command Authorization Set for any network device option.

b. From the list directly below that option, select the PIX command authorization set you want applied to this user.

Step 6 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG, for each association, follow these steps:

a. Select the Assign a PIX Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and an associated Command Set.

c. Click Add Association.

The associated NDG and PIX command authorization set appear in the table.

Step 7 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Configuring Device-Management Command Authorization for a User

Use this procedure to specify the device-management command authorization set parameters for a user. Device-management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use Cisco Secure ACS for authorization. You can choose one of four options:

None—No authorization is performed for commands issued in the applicable Cisco device-management application.

Group—For this user, the group-level command authorization set applies for the applicable device-management application.

Assign a device-management application for any network device—For the applicable device-management application, one command authorization set is assigned, and it applies to management tasks on all network devices.

Assign a device-management application on a per Network Device Group Basis—For the applicable device-management application, this option enables you to apply command authorization sets to specific NDGs, so that it affects all management tasks on the network devices belonging to the NDG.

Before You Begin

Make sure that a AAA client is configured to use TACACS+ as the security control protocol.

In the Advanced Options section of Interface Configuration, make sure that the Per-user TACACS+/RADIUS Attributes check box is selected.

In the TACACS+ (Cisco) section of Interface Configuration, make sure that, under New Services, the new TACACS+ service corresponding to the applicable device-management application is selected in the User column.

If you want to apply command authorization sets, make sure that you have configured one or more device management command authorization sets. For detailed steps, see Adding a Command Authorization Set.

To specify device-management application command authorization for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Scroll down to the TACACS+ Settings table and to the applicable device-management command authorization feature area within it.

Step 3 To prevent the application of any command authorization for actions performed in the applicable device-management application, select (or accept the default of) the None option.

Step 4 To assign command authorization for the applicable device-management application at the group level, select the As Group option.

Step 5 To assign a particular command authorization set that affects device-management application actions on any network device, follow these steps:

a. Select the Assign a device-management application for any network device option.

b. Then, from the list directly below that option, select the command authorization set you want applied to this user.

Step 6 To create associations that assign a particular command authorization set that affects device-management application actions on a particular NDG, for each association, follow these steps:

a. Select the Assign a device-management application on a per Network Device Group Basis option.

b. Select a Device Group and an associated device-management application.

c. Click Add Association.

The associated NDG and command authorization set appear in the table.

Step 7 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Configuring the Unknown Service Setting for a User

If you want TACACS+ AAA clients to permit unknown services, you can select the Default (Undefined) Services check box under Checking this option will PERMIT all UNKNOWN Services.

To configure the Unknown Service setting for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Scroll down to the table under the heading Checking this option will PERMIT all UNKNOWN Services.

Step 3 To allow TACACS+ AAA clients to permit unknown services for this user, select the Default (Undefined) Services check box.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Advanced TACACS+ Settings (User)

The information presented in this section applies when you have a AAA client with TACACS+ configured.


Tip If the Advanced TACACS+ Settings (User) table does not appear, click Interface Configuration, click TACACS+ (Cisco IOS), and then click Advanced TACACS+ Features.


This section contains the following topics:

Setting Enable Privilege Options for a User

Setting TACACS+ Enable Password Options for a User

Setting TACACS+ Outbound Password for a User

Setting Enable Privilege Options for a User

You use TACACS+ Enable Control with Exec session to control administrator access. Typically, you use it for router management control. From the following four options, you can select and specify the privilege level you want a user to have.

Use Group Level Setting—Sets the privileges for this user as those configured at the group level.

No Enable Privilege—Disallows enable privileges for this user.


Note This is the default setting.


Max Privilege for any AAA Client—Enables you to select from a list the maximum privilege level that will apply to this user on any AAA client on which this user is authorized.

Define Max Privilege on a per-Network Device Group Basis—Enables you to associate maximum privilege levels with this user in one or more NDGs.


Note For information about privilege levels, refer to your AAA client documentation.



Tip You must configure NDGs from within Interface Configuration before you can assign user privilege levels to them.


To select and specify the privilege level for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Under TACACS+ Enable Control in the Advanced TACACS+ Settings table, select one of the four privilege options, as follows:

Use Group Level Setting

No Enable Privilege


Note (No Enable Privilege is the default setting; when setting up a new user account, it should already be selected.)


Max Privilege for Any Access Server

Define Max Privilege on a per-Network Device Group Basis

Step 3 If you selected Max Privilege for Any Access Server in Step 2, select the appropriate privilege level from the corresponding list.

Step 4 If you selected Define Max Privilege on a per-Network Device Group Basis in Step 2, perform the following steps to define the privilege levels on each NDG, as applicable:

a. From the Device Group list, select a device group.


Note You must have already configured a device group for it to be listed.


b. From the Privilege list, select a privilege level to associate with the selected device group.

c. Click Add Association.

An entry appears in the table, associating the device group with a particular privilege level.

d. Repeat Step a through Step c for each device group you want to associate to this user.


Tip To delete an entry, select the entry and then click Remove Associate.


Step 5 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting TACACS+ Enable Password Options for a User

When setting the TACACS+ Enable Password Options for a user, you have three options to choose from:

Use CiscoSecure PAP password.

Use external database password.

Use separate password.

To set the options for the TACACS+ Enable password, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Do one of the following:

To use the information configured in the Password Authentication section, select Use CiscoSecure PAP password.


Note For information about basic password setup, see Adding a Basic User Account.


To use an external database password, select Use external database password, and then choose from the list the database that authenticates the enable password for this user.


Note The list of databases displays only the databases that you have configured. For more information, see About External User Databases.


To use a separate password, click Use separate password, and then type and retype to confirm a control password for this user. This password is used in addition to the regular authentication.

Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting TACACS+ Outbound Password for a User

The TACACS+ outbound password enables a AAA client to authenticate itself to another AAA client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP, and results in the Cisco Secure ACS password being given out. By default, the user ASCII/PAP or CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound passwords, you can configure a separate SENDAUTH password.


Caution Use an outbound password only if you are familiar with the use of a TACACS+ SendAuth/OutBound password.

To set a TACACS+ outbound password for a user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Type and retype to confirm a TACACS+ outbound password for this user.

Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


RADIUS Attributes

You can configure user attributes for RADIUS authentication either generally, at the IETF level, or for vendor-specific attributes (VSAs) on a vendor-by-vendor basis. For general attributes, see Setting IETF RADIUS Parameters for a User. Cisco Secure ACS ships with many popular VSAs already loaded and available to configure and apply. For information about creating additional, custom RADIUS VSAs, see Custom RADIUS Vendors and VSAs.

This section contains the following topics:

Setting IETF RADIUS Parameters for a User

Setting Cisco IOS/PIX RADIUS Parameters for a User

Setting Cisco Aironet RADIUS Parameters for a User

Setting Ascend RADIUS Parameters for a User

Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User

Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User

Setting Microsoft RADIUS Parameters for a User

Setting Nortel RADIUS Parameters for a User

Setting Juniper RADIUS Parameters for a User

Setting BBSM RADIUS Parameters for a User

Setting Custom RADIUS Attributes for a User

Setting IETF RADIUS Parameters for a User

RADIUS attributes are sent as a profile for the user from Cisco Secure ACS to the requesting AAA client.

These parameters display only if all the following are true:

A AAA client is configured to use one of the RADIUS protocols in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level IETF RADIUS attributes are enabled under RADIUS (IETF) in the Interface Configuration section.


Note To display or hide any of these attributes in the HTML interface, see Protocol Configuration Options for RADIUS.



Note For a list and explanation of RADIUS attributes, see "RADIUS Attributes", or the documentation for your particular network device using RADIUS.


To configure IETF RADIUS attribute settings to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 In the IETF RADIUS table, for each attribute that you need to authorize for the current user, select the check box next to the attribute and then further define the authorization for the attribute in the box or boxes next to it, as applicable.

Step 3 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Cisco IOS/PIX RADIUS Parameters for a User

The Cisco IOS RADIUS parameters appear only if all the following are true:

A AAA client is configured to use RADIUS (Cisco IOS/PIX) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (Cisco IOS/PIX) attributes are enabled under RADIUS (Cisco IOS/PIX) in the Interface Configuration section.


Note To hide or display the Cisco IOS RADIUS VSA, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


Cisco IOS RADIUS represents only the Cisco IOS VSAs. You must configure both the IETF RADIUS and Cisco IOS RADIUS attributes.

To configure and enable Cisco IOS RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Cisco IOS RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 If you want to use the [009\001] cisco-av-pair attribute to specify authorizations, select the check box next to the attribute and then type the attribute-value pairs in the text box. Separate each attribute-value pair by pressing Enter.

For example, if the current user profile corresponds to a Network Admission Control (NAC) client to which Cisco Secure ACS always assigns a status-query-timeout attribute value that needs to be different than a value that any applicable group profile contains, you could specify that value as follows:

status-query-timeout=1200 

Step 4 If you want to use other Cisco IOS/PIX RADIUS attributes, select the corresponding check box and specify the required values in the adjacent text box.

Step 5 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Cisco Aironet RADIUS Parameters for a User

The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a virtual VSA. It acts as a specialized implementation (that is, a remapping) of the IETF RADIUS Session-Timeout attribute (27) to respond to a request from a Cisco Aironet Access Point. You use it to provide a different timeout value when a user must be able to connect via both wireless and wired devices. This capability to provide a second timeout value specifically for WLAN connections avoids the difficulties that would arise if you had to use a standard timeout value (typically measured in hours) for a WLAN connection (typically measured in minutes). You do not need to use Cisco-Aironet-Session-Timeout if the particular user will always connect only with a Cisco Aironet Access Point. Rather, use this setting when a user may connect via wired or wireless clients.

For example, imagine a user's Cisco-Aironet-Session-Timeout set to 600 seconds (10 minutes) and that same user's IETF RADIUS Session-Timeout set to 3 hours. When the user connects via a VPN, Cisco Secure ACS uses 3 hours as the timeout value. However, if that same user connects via a Cisco Aironet Access Point, Cisco Secure ACS responds to an authentication request from the Aironet AP by sending 600 seconds in the IETF RADIUS Session-Timeout attribute. Thus, with the Cisco-Aironet-Session-Timeout attribute configured, different session timeout values can be sent depending on whether the end-user client is a wired device or a Cisco Aironet Access Point.
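The following added example (not Cisco Secure ACS code) works through the remapping just described and the [009\001] cisco-av-pair from Setting Cisco IOS/PIX RADIUS Parameters for a User: it picks the Session-Timeout (27) value from the profile according to the RADIUS protocol the requesting AAA client is configured for, encodes it and the av-pair as RFC 2865 attributes, and parses the result back. The UserProfile structure and the client-protocol strings are assumptions standing in for the product's internal configuration; the sample profile is constructed to match the text's 3-hour and 600-second example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26        # IETF RADIUS Vendor-Specific attribute (RFC 2865)
SESSION_TIMEOUT = 27        # IETF RADIUS Session-Timeout attribute
CISCO_VENDOR_ID = 9         # [009\001] cisco-av-pair: vendor 9, vendor type 1
AIRONET_VENDOR_ID = 5842    # [5842\001] Cisco-Aironet-Session-Timeout


@dataclass
class UserProfile:
    """Constructed stand-in for the user-level RADIUS settings discussed above."""
    ietf_session_timeout: Optional[int] = None     # seconds, IETF attribute 27
    aironet_session_timeout: Optional[int] = None  # seconds, the virtual VSA
    cisco_av_pairs: List[str] = field(default_factory=list)


def resolve_session_timeout(profile: UserProfile, client_protocol: str) -> Optional[int]:
    """Value to send in Session-Timeout (27). The Aironet value is a remapping
    that applies only when the requesting AAA client is configured as
    RADIUS (Cisco Aironet); every other client type gets the IETF value."""
    if client_protocol == "RADIUS (Cisco Aironet)" and profile.aironet_session_timeout is not None:
        return profile.aironet_session_timeout
    return profile.ietf_session_timeout


def encode_integer_attr(attr_type: int, value: int) -> bytes:
    # Type(1) Length(1) Value(4); Length counts the whole attribute, so 6.
    return struct.pack("!BBI", attr_type, 6, value)


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    # Type 26, Length, Vendor-Id(4), then Vendor-Type(1), Vendor-Length(1), data.
    if len(value) > 247:          # 255 - 6 (outer header) - 2 (inner header)
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def build_accept_attributes(profile: UserProfile, client_protocol: str) -> bytes:
    """Attribute section of an Access-Accept for this user and client type."""
    out = b""
    timeout = resolve_session_timeout(profile, client_protocol)
    if timeout is not None:
        out += encode_integer_attr(SESSION_TIMEOUT, timeout)
    for av_pair in profile.cisco_av_pairs:
        out += encode_vsa(CISCO_VENDOR_ID, 1, av_pair.encode("ascii"))
    return out


def decode_attributes(blob: bytes) -> List[Tuple]:
    """Parse back into (type, vendor_id, vendor_type, value) tuples; vendor
    fields are None for plain IETF attributes, and attribute 27 is decoded
    as an integer. Malformed lengths raise rather than being skipped."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            out.append((attr_type, vendor_id, vendor_type, value[6:4 + vendor_len]))
        elif attr_type == SESSION_TIMEOUT:
            out.append((attr_type, None, None, struct.unpack("!I", value)[0]))
        else:
            out.append((attr_type, None, None, value))
        i += length
    return out


# Constructed profile matching the text's example: 3 hours for wired/VPN
# access, 600 seconds via a Cisco Aironet Access Point, plus one cisco-av-pair.
SAMPLE_PROFILE = UserProfile(
    ietf_session_timeout=3 * 3600,
    aironet_session_timeout=600,
    cisco_av_pairs=["status-query-timeout=1200"],
)

if __name__ == "__main__":
    for proto in ("RADIUS (IETF)", "RADIUS (Cisco Aironet)"):
        attrs = build_accept_attributes(SAMPLE_PROFILE, proto)
        print(proto, decode_attributes(attrs))
```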

The Cisco Aironet RADIUS parameters appear on the User Setup page only if all the following are true:

A AAA client is configured to use RADIUS (Cisco Aironet) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (Cisco Aironet) attribute is enabled under RADIUS (Cisco Aironet) in the Interface Configuration section.


Note To hide or display the Cisco Aironet RADIUS VSA, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable the Cisco Aironet RADIUS attribute to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Cisco Aironet RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the Cisco Aironet RADIUS Attributes table, select the [5842\001] Cisco-Aironet-Session-Timeout check box.

Step 4 In the [5842\001] Cisco-Aironet-Session-Timeout box, type the session timeout value (in seconds) that Cisco Secure ACS is to send in the IETF RADIUS Session-Timeout (27) attribute when the AAA client is configured in Network Configuration to use the RADIUS (Cisco Aironet) authentication option. The recommended value is 600 seconds.

For more information about the IETF RADIUS Session-Timeout attribute, see "RADIUS Attributes", or your AAA client documentation.

Step 5 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Ascend RADIUS Parameters for a User

The Ascend RADIUS parameters appear only if all the following are true:

A AAA client is configured to use RADIUS (Ascend) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (Ascend) attributes you want to apply are enabled under RADIUS (Ascend) in the Interface Configuration section.

Ascend RADIUS represents only the Ascend proprietary attributes. You must configure both the IETF RADIUS and Ascend RADIUS attributes. Proprietary attributes override IETF attributes.

The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.


Note To hide or display Ascend RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable Ascend RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Ascend RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the Ascend RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured.

The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only if all the following are true:

A AAA client is configured to use RADIUS (Cisco VPN 3000) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (Cisco VPN 3000) attributes you want to apply are enabled under RADIUS (Cisco VPN 3000) in the Interface Configuration section.

Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 3000 Concentrator RADIUS attributes.


Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable Cisco VPN 3000 Concentrator RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Cisco VPN 3000 Concentrator RADIUS attributes, be sure your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the Cisco VPN 3000 Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User

The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only if all the following are true:

A AAA client is configured to use RADIUS (Cisco VPN 5000) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (Cisco VPN 5000) attributes you want to apply are enabled under RADIUS (Cisco VPN 5000) in the Interface Configuration section.

Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 5000 Concentrator RADIUS attributes.


Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Cisco VPN 5000 Concentrator RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the Cisco VPN 5000 Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Microsoft RADIUS Parameters for a User

Microsoft RADIUS provides VSAs supporting Microsoft Point-to-Point Encryption (MPPE), which is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-in line, or over a Virtual Private Network (VPN) tunnel.

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured.
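The override rule stated in this paragraph (and in the Cisco VPN 3000 section above) is easy to get wrong when reasoning about what a VPN user will actually receive, so here it is modelled as an added example. This is illustrative Python written for this section, not Cisco Secure ACS code. The page states only that VSA 20/21 override the Microsoft MPPE settings and that ACS then sends the derived Microsoft attributes regardless of the Microsoft attribute configuration; the bit meanings of the CVPN3000 encryption VSAs, the MS-MPPE attribute numbers and values (RFC 2548), the choice of VSA by tunnel protocol, the vendor name strings and the user record layout are this example's own assumptions.

```python
# Cisco VPN 3000 VSAs named on the page.
CVPN3000_PPTP_ENCRYPTION = 20
CVPN3000_L2TP_ENCRYPTION = 21

# ASSUMED bit layout of the CVPN3000 encryption VSAs (from Cisco's VPN 3000
# attribute reference, not from this page): 1 = encryption required,
# 2 = 40-bit, 4 = 128-bit, 8 = stateless required.
CVPN_REQUIRED, CVPN_40BIT, CVPN_128BIT, CVPN_STATELESS = 1, 2, 4, 8

# Microsoft MPPE attributes as defined in RFC 2548 (assumed here, not on the page):
# MS-MPPE-Encryption-Policy 1 = allowed, 2 = required;
# MS-MPPE-Encryption-Types bitmask 2 = RC4 40-bit, 4 = RC4 128-bit.
MS_MPPE_ENCRYPTION_POLICY = 7
MS_MPPE_ENCRYPTION_TYPES = 8
MS_POLICY_ALLOWED, MS_POLICY_REQUIRED = 1, 2
MS_TYPES_40BIT, MS_TYPES_128BIT = 2, 4

# Constructed sample user: VSA 20 asks for required 128-bit encryption, while the
# user's own Microsoft attributes merely allow 40-bit. The conflict is deliberate.
SAMPLE_USER = {
    "cvpn3000": {CVPN3000_PPTP_ENCRYPTION: CVPN_REQUIRED | CVPN_128BIT},
    "microsoft": {MS_MPPE_ENCRYPTION_POLICY: MS_POLICY_ALLOWED,
                  MS_MPPE_ENCRYPTION_TYPES: MS_TYPES_40BIT},
}


def mppe_from_cvpn3000(bits):
    """Derive the Microsoft MPPE attributes from a CVPN3000 encryption bitmask
    (assumed mapping; ACS computes these values itself, the page does not show how)."""
    policy = MS_POLICY_REQUIRED if bits & CVPN_REQUIRED else MS_POLICY_ALLOWED
    types = 0
    if bits & CVPN_40BIT:
        types |= MS_TYPES_40BIT
    if bits & CVPN_128BIT:
        types |= MS_TYPES_128BIT
    return {MS_MPPE_ENCRYPTION_POLICY: policy, MS_MPPE_ENCRYPTION_TYPES: types}


def resolve_outbound_encryption(user, client_vendor, microsoft_attrs_enabled, tunnel="pptp"):
    """Return {"cvpn3000": {...}, "microsoft": {...}} as sent in the Access-Accept.

    Rule from the page: if VSA 20 or 21 is enabled for a Cisco VPN 3000 client,
    ACS derives the Microsoft MPPE attributes from it and sends both, whatever the
    Microsoft attribute settings say. Otherwise the Microsoft attributes are sent
    only if they are enabled. Assumed: PPTP tunnels use VSA 20, L2TP tunnels VSA 21.
    """
    vsa = CVPN3000_PPTP_ENCRYPTION if tunnel == "pptp" else CVPN3000_L2TP_ENCRYPTION
    cvpn_value = user.get("cvpn3000", {}).get(vsa)
    if client_vendor == "Cisco VPN 3000" and cvpn_value is not None:
        return {"cvpn3000": {vsa: cvpn_value},
                "microsoft": mppe_from_cvpn3000(cvpn_value)}
    microsoft = dict(user.get("microsoft", {})) if microsoft_attrs_enabled else {}
    return {"cvpn3000": {}, "microsoft": microsoft}


if __name__ == "__main__":
    for vendor, enabled in (("Cisco VPN 3000", False), ("Cisco IOS", True), ("Cisco IOS", False)):
        print(vendor, enabled, resolve_outbound_encryption(SAMPLE_USER, vendor, enabled))
```

The first case is the one to notice: with Microsoft attributes disabled, the VPN 3000 client still receives MS-MPPE-Encryption-Policy = required and 128-bit types, because the VSA wins. The MS-CHAP-MPPE-Keys attribute is left out of the model on purpose; as the note later in this section says, ACS generates its value per session and there is nothing to configure.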

The Microsoft RADIUS attribute configurations display only if all the following are true:

A AAA client is configured in Network Configuration that uses a RADIUS protocol that supports the Microsoft RADIUS VSA.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

The user-level RADIUS (Microsoft) attributes you want to apply are enabled under RADIUS (Microsoft) in the Interface Configuration section.

The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSA:

Cisco IOS

Cisco VPN 3000

Cisco VPN 5000

Ascend

Microsoft RADIUS represents only the Microsoft VSA. You must configure both the IETF RADIUS and Microsoft RADIUS attributes.


Note To hide or display Microsoft RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable Microsoft RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Microsoft RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the Microsoft RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.


Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.


Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Nortel RADIUS Parameters for a User

The Nortel RADIUS parameters appear only if all the following are true:

A AAA client is configured to use RADIUS (Nortel) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (Nortel) attributes you want to apply are enabled under RADIUS (Nortel) in the Interface Configuration section.

Nortel RADIUS represents only the Nortel proprietary attributes. You must configure both the IETF RADIUS and Nortel RADIUS attributes. Proprietary attributes override IETF attributes.


Note To hide or display Nortel RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable Nortel RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Nortel RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the Nortel RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Juniper RADIUS Parameters for a User

The Juniper RADIUS parameters appear only if all the following are true:

A AAA client is configured to use RADIUS (Juniper) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (Juniper) attributes you want to apply are enabled under RADIUS (Juniper) in the Interface Configuration section.

Juniper RADIUS represents only the Juniper proprietary attributes. You must configure both the IETF RADIUS and Juniper RADIUS attributes. Proprietary attributes override IETF attributes.


Note To hide or display Juniper RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable Juniper RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring Juniper RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the Juniper RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting BBSM RADIUS Parameters for a User

The BBSM RADIUS parameters appear only if all the following are true:

A AAA client is configured to use RADIUS (BBSM) in Network Configuration.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (BBSM) attributes you want to apply are enabled under RADIUS (BBSM) in the Interface Configuration section.

BBSM RADIUS represents only the BBSM proprietary attributes. You must configure both the IETF RADIUS and BBSM RADIUS attributes. Proprietary attributes override IETF attributes.


Note To hide or display BBSM RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface.


To configure and enable BBSM RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring BBSM RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the BBSM RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


Setting Custom RADIUS Attributes for a User

Custom RADIUS parameters appear only if all the following are true:

You have defined and configured the custom RADIUS VSAs. (For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs.)

A AAA client is configured in Network Configuration that uses a RADIUS protocol that supports the custom VSA.

The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.

User-level RADIUS (custom name) attributes you want to apply are enabled under RADIUS (custom name) in the Interface Configuration section.

You must configure both the IETF RADIUS and the custom RADIUS attributes. Proprietary attributes override IETF attributes.

To configure and enable custom RADIUS attributes to be applied as an authorization for the current user, follow these steps:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username being added or edited is at the top of the page.

Step 2 Before configuring custom RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.

Step 3 In the RADIUS custom name Attributes table, to specify the attributes that should be authorized for the user, follow these steps:

a. Select the check box next to the particular attribute.

b. Further define the authorization for that attribute in the box next to it, as required.

c. Continue to select and define attributes, as applicable.

For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

Step 4 Do one of the following:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform other procedures in this chapter, as applicable.


User Management

This section describes how to use the User Setup section to perform a variety of user account management tasks.

This section contains the following topics:

Listing All Users

Finding a User

Disabling a User Account

Deleting a User Account

Resetting User Session Quota Counters

Resetting a User Account after Login Failure

Saving User Settings

Listing All Users

The User List displays all user accounts (enabled and disabled). The list includes, for each user, the username, status, and the group to which the user belongs.

Usernames are displayed in the order in which they were entered into the database. This list cannot be sorted.

To view a list of all user accounts, follow these steps:


Step 1 In the navigation bar, click User Setup.

The User Setup Select page opens.

Step 2 Click List All Users.

In the display area on the right, the User List appears.

Step 3 To view or edit the information for an individual user, click the username in the right window.

The user account information appears.


Finding a User

To find a user, follow these steps:


Step 1 In the navigation bar, click User Setup.

The User Setup Select page opens.

Step 2 Type the name in the User box, and then click Find.


Tip You can use wildcard characters (*) in this box.



Tip To display a list of usernames that begin with a particular letter or number, click the letter or number in the alphanumeric list. A list of users whose names begin with that letter or number opens in the display area on the right.


The username, status (enabled or disabled), and group to which the user belongs appear in the display area on the right.

Step 3 To view or edit the information for the user, click the username in the display area on the right.

The user account information appears.


Disabling a User Account

This procedure details how to manually disable a user account in the CiscoSecure user database.


Note To configure the conditions by which a user account will automatically be disabled, see Setting Options for User Account Disablement.



Note This is not to be confused with account expiration due to password aging. Password aging is defined for groups only, not for individual users.


To disable a user account, follow these steps:


Step 1 In the navigation bar, click User Setup.

The User Setup Select page opens.

Step 2 In the User box, type the name of the user whose account is to be disabled.

Step 3 Click Add/Edit.

The User Setup Edit page opens. The username being edited is at the top of the page.

Step 4 Select the Account Disabled check box.

Step 5 Click Submit at the bottom of the page.

The specified user account is disabled.


Deleting a User Account

You can delete user accounts one at a time using the HTML interface.


Note If you are authenticating using the Unknown User policy and you want to deny a user access by deleting the user account, you must also delete the user account from the external user database. This prevents the username from being automatically re-added to the CiscoSecure user database the next time the user attempts to log in.



Tip For deleting batches of user accounts, use the RDBMS Synchronization feature with action code 101 (see RDBMS Synchronization for more information).


To delete a user account, follow these steps:


Step 1 Click User Setup.

The User Setup Select page of the HTML interface opens.

Step 2 In the User box, type the complete username to be deleted.


Note Alternatively, you can click List All Users and then select the user from the list that appears.


Step 3 Click Add/Edit.

Step 4 At the bottom of the User Setup page, click Delete.


Note The Delete button appears only when you are editing user information, not when you are adding a username.


A popup window appears that asks you to confirm the user deletion.

Step 5 Click OK.

The user account is removed from the CiscoSecure user database.


Resetting User Session Quota Counters

You can reset the session quota counters for a user either before or after the user exceeds a quota.

To reset user usage quota counters, follow these steps:


Step 1 Click User Setup.

The User Setup Select page of the HTML interface opens.

Step 2 In the User box, type the complete username of the user whose session quota counters you are going to reset.


Note Alternatively, you can click List All Users and then select the user from the list that appears.


Step 3 Click Add/Edit.

Step 4 In the Session Quotas section, select the Reset All Counters on submit check box.

Step 5 Click Submit at the bottom of the browser page.

The session quota counters are reset for this user. The User Setup Select page appears.


Resetting a User Account after Login Failure

Perform this procedure when an account has been disabled because the user exceeded the permitted number of failed login attempts.

To reset a user account after login failure, follow these steps:


Step 1 Click User Setup.

The User Setup Select page of the HTML interface opens.

Step 2 In the User box, type the complete username of the account to be reset.


Note Alternatively, you can click List All Users and then select the user from the list that appears.


Step 3 Click Add/Edit.

Step 4 In the Account Disable table, select the Reset current failed attempts count on submit check box, and then click Submit.

The Failed attempts since last successful login: counter resets to 0 (zero) and the system re-enables the account.


Note This counter shows the number of unsuccessful login attempts since the last time this user logged in successfully.



Note If the user authenticates with a Windows user database, this expiration information is in addition to the information in the Windows user account. Changes here do not alter settings configured in Windows.



Saving User Settings

After you have completed configuration for a user, be sure to save your work.

To save the configuration for the current user, follow these steps:


Step 1 To save the user account configuration, click Submit.

Step 2 To verify that your changes were applied, type the username in the User box and click Add/Edit, and then review the settings.