Table Of Contents
A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - V - W -
Index
A
AAA
See also AAA clients
See also AAA servers
definition 1-2
pools for IP address assignment 7-11
AAA clients
adding and configuring 4-16
configuration 4-11
definition 1-6
deleting 4-21
editing 4-19
interaction with AAA servers 1-6
IP pools 7-11
multiple IP addresses for 4-12
number of 1-4
searching for 4-8
supported Cisco AAA clients 1-2
table 4-1
timeout values 16-9
AAA servers
adding 4-24
configuring 4-21
deleting 4-28
editing 4-26
enabling in interface (table) 3-5
functions and concepts 1-5
in distributed systems 4-3
master 9-3
overview 4-21
primary 9-3
replicating 9-3
searching for 4-8
secondary 9-3
troubleshooting A-1
access devices 1-6
accessing Cisco Secure ACS
how to 1-32
URL 1-29
with SSL enabled 1-29
access policies
See administrative access policies
accountActions table 9-29, 9-31
account disablement
Account Disabled check box 7-5
manual 7-56
resetting 7-59
setting options for 7-20
accounting
See also logging
overview 1-22
ACLs
See downloadable IP ACLs
action codes
for creating and modifying user accounts F-7
for initializing and modifying access filters F-14
for modifying network configuration F-25
for modifying TACACS+ and RADIUS settings F-19
for setting and deleting values F-5
in accountActions F-4
Active Service Management
See Cisco Secure ACS Active Service Management
Administration Audit log
configuring 11-14
CSV file directory 11-16
viewing 11-18
Administration Control
See also administrators
audit policy setup 12-18
administrative access policies
See also administrators
configuring 12-14
limits 12-11
options 12-12
overview 2-15
administrative sessions
and HTTP proxy 1-30
network environment limitations of 1-30
session policies 12-16
through firewalls 1-31
through NAT (network address translation) 1-31
administrators
See also Administration Audit log
See also Administration Control
See also administrative access policies
adding 12-6
deleting 12-11
editing 12-7
locked out 12-10
locking out 12-17
overview 12-2
privileges 12-3
separation from general users 2-17
troubleshooting A-2
unlocking 12-10
advanced options in interface 3-6
age-by-date rules for groups 6-25
Aironet
AAA client configuration 4-13
RADIUS parameters for group 6-41
RADIUS parameters for user 7-41
ARAP
compatible databases 1-10
in User Setup 7-5
protocol supported 1-11
Architecture G-1
ASCII/PAP
compatible databases 1-10
protocol supported 1-11
attributes
enabling in interface 3-2
group-specific (table) F-35
logging of user data 11-2
per-group 3-2
per-user 3-2
user-specific (table) F-34
attribute-value pairs
See AV (attribute value) pairs
audit policies
See also Administration Audit log
overview 12-18
authentication
compatibility of protocols 1-10
configuration 10-26
denying unknown users 16-17
options 10-33
overview 1-8
request handling 16-5
via external user databases 13-5
Windows 13-11
authorization 1-17
authorization sets
See command authorization sets
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
RADIUS
Cisco IOS C-3
IETF C-14
TACACS+
accounting B-4
general B-1
B
Backup and Restore log directory
See Cisco Secure ACS Backup and Restore log
backups
components backed up 8-10
directory management 8-10
disabling scheduled 8-13
filenames 8-15
locations 8-10
manual 8-12
options 8-11
overview 8-9
reports 8-11
scheduled vs. manual 8-9
scheduling 8-12
vs. replication 9-10
with CSUtil.exe D-6
browsers
See also HTML interface
troubleshooting A-4
C
cached users
See discovered users
CA configuration 10-38
callback options
in Group Setup 6-7
in User Setup 7-9
cascading replication 9-6, 9-13
cautions
significance of xlviii
certification
See also EAP-TLS
See also PEAP
adding certificate authority certificates 10-37
background 10-1
backups 8-10
Certificate Revocation Lists 10-40
certificate signing request generation 10-45
editing the certificate trust list 10-38
replacing certificate 10-50
self-signed certificates
configuring 10-49
NAC 14-6
overview 10-47
server certificate installation 10-35
updating certificate 10-50
CHAP
compatible databases 1-10
in User Setup 7-5
protocol supported 1-11
Cisco IOS
RADIUS
AV (attribute value) pairs C-2
group attributes 6-40
user attributes 7-39
TACACS+ AV (attribute value) pairs B-1
troubleshooting A-5
Cisco Secure ACS Active Service Management
event logging configuration 8-20
overview 8-17
system monitoring
configuring 8-19
custom actions 8-18
Cisco Secure ACS Active Service Monitoring logs
file location 11-17
viewing 11-18
Cisco Secure ACS administration overview 1-23
Cisco Secure ACS Backup and Restore log
CSV (comma-separated values) file directory 11-16
viewing 11-18
Cisco Secure ACS backups
See backups
Cisco Secure ACS system restore
See restore
CiscoSecure Authentication Agent 1-16, 6-21
CiscoSecure database replication
See replication
CiscoSecure user database
See also databases
overview 13-2
password encryption 13-2
Cisco Trust Agent
definition 14-2
unavailable 14-5
CLID-based filters 5-18
codes
See action codes
command authorization sets
See also shell command authorization sets
adding 5-31
configuring 5-25, 5-31
deleting 5-35
editing 5-33
overview 5-26
pattern matching 5-30
PIX command authorization sets 5-26
command-line database utility
See CSUtil.exe
conventions xlvii
CRLs 10-40
CSAdmin G-2
CSAuth G-3
CSDBSync 9-29, G-4
CSLog G-4
CSMon
See also Cisco Secure ACS Active Service Management
Cisco Secure ACS Service Monitoring logs 11-32
configuration G-4
failure events
customer-defined actions G-7
predefined actions G-7
functions G-4
log G-6
overview G-4
CSNTacctInfo 13-65, 13-67, 13-68
CSNTAuthUserPap 13-62
CSNTerrorString 13-65, 13-67, 13-68
CSNTExtractUserClearTextPw 13-63
CSNTFindUser 13-64
CSNTgroups 13-65, 13-67, 13-68
CSNTpasswords 13-65, 13-67
CSNTresults 13-65, 13-67, 13-68
CSNTusernames 13-65, 13-66, 13-68
CSRadius G-8
CSTacacs G-8
CSUtil.exe
decoding error numbers with D-27
displaying syntax D-5
import text file (example) D-24
overview D-1
CSV (comma-separated values) files
downloading 11-18
filename formats 11-15
logging format 11-2
viewing 11-18
CTL editing 10-38
custom attributes
in group-level TACACS+ settings 6-31
in user-level TACACS+ settings 7-23
D
database group mappings
configuring
for token servers 17-3
for Windows domains 17-9
no access groups 17-7
order 17-12
deleting
group set mappings 17-10
Windows domain configurations 17-11
in external user databases 17-1
overview 17-1
Database Replication log
CSV (comma-separated values) file directory 11-16
viewing 11-18
databases
See also external user databases
authentication search process 16-5
CiscoSecure user database 13-2
compacting D-12
deleting 13-86
deployment considerations 2-18
dump files D-10
external
See also external user databases
See also Unknown User Policy
NAC 14-10
posture validation search process 16-11
protocol compatibility 1-10
replication
See replication
search order 16-14
search process 16-14
selecting user databases 13-1
synchronization
See RDBMS synchronization
token cards
See token servers
troubleshooting A-7, A-19
types
See generic LDAP user databases
See LEAP proxy RADIUS user databases
See Novell NDS user databases
See ODBC features
See RADIUS user databases
See RSA user databases
unknown users 16-1
user databases 7-2
user import methods 13-3
Windows user databases 13-7
data source names
configuring for ODBC logging 11-22
for RDMBS synchronization 9-38
using with ODBC databases 13-56, 13-70, 13-72
date format control 8-3
DbSync log directory 11-16
debug logs
detail levels 11-33
frequency 11-33
troubleshooting A-14
default group in Group Setup 6-2
default group mapping for Windows 17-6
default time-of-day/day-of-week specification 3-5
default time-of-day access settings for groups 6-5
deleting logged-in users 11-11
deployment
overview 2-1
sequence 2-19
device command sets
See command authorization sets
device groups
See network device groups
device management applications support 1-19
DHCP with IP pools 9-45
dial-in permission to users in Windows 13-26
dial-in troubleshooting A-10
dial-up networking clients 13-10
dial-up topologies 2-6
digital certificates
See certification
Disabled Accounts report
viewing 11-12
Disabled Accounts reports
description 11-9
discovered users 16-3
distributed systems
See also proxy
AAA servers in 4-3
overview 4-2
settings
configuring 4-34
default entry 4-3
enabling in interface 3-5
distribution table
See Proxy Distribution Table
DNIS-based filters 5-18
documentation
conventions xlvii
objectives xlv
online 1-33
related xlix
Domain List
configuring 13-30
inadvertent user lockouts 13-14, 13-27
overview 13-13
unknown user authentication 16-7
domain names
Windows operating systems 13-13, 13-14
downloadable IP ACLs
adding 5-10
assigning to groups 6-30
assigning to users 7-21
deleting 5-14
editing 5-13
enabling in interface
group-level 3-5
user-level 3-5
overview 5-7
draft-ietf-radius-tunnel-auth 1-7
dump files
creating database dump files D-10
loading a database from a dump file D-11
E
EAP (Extensible Authentication Protocol)
overview 1-13
with Windows authentication 13-15
EAP-FAST
compatible databases 1-10
enabling 10-25
identity protection 10-14
logging 10-14
master keys
definition 10-15
states 10-15
master server 10-23
options 10-28
overview 10-13
PAC
automatic provisioning 10-18
definition 10-17
manual provisioning 10-20
refresh 10-21
states 10-18
password aging 6-27
phases 10-13
replication 10-22
EAP-TLS
See also certification
authentication configuration 10-26
comparison methods 10-4
compatible databases 1-10
domain stripping 13-16
enabling 10-7
limitations 10-6
options 10-31
overview 10-3
session resume 10-5
enable password options for TACACS+ 7-35
enable privilege options for groups 6-19
error number decoding with CSUtil.exe D-27
Event log
configuring 8-20
exception events G-6
exception events G-7
exports
of user lists D-24
Extensible Authentication Protocol
See EAP (Extensible Authentication Protocol)
external token servers
See token servers
external user databases
See also databases
authentication via 13-5
configuring 13-4
deleting configuration 13-86
latency factors 16-9
search order 16-9, 16-15
supported 1-10
Unknown User Policy 16-1
F
Failed Attempts log
configuring
CSV (comma-separated values) 11-19
ODBC 11-23
CSV (comma-separated values) file directory 11-16
enabling
log 11-17
ODBC 11-23
viewing 11-18
failed log-on attempts G-6
failure events
customer-defined actions G-7
predefined actions G-7
fallbacks on failed connection 4-5
finding users 7-55
firewalls
administering AAA servers through 1-23
G
gateways E-3
generic LDAP user databases
authentication 13-32
configuring
database 13-43
options 13-37
directed authentications 13-34
domain filtering 13-34
failover 13-36
mapping database groups to AAA groups 17-4
mutiple instances 13-33
organizational units and groups 13-34
supported protocols 1-10
Global Authentication Setup 10-33
grant dial-in permission to users 13-9, 13-26
greeting after login 6-24
group-level interface enabling
downloadable IP ACLs 3-5
network access restrictions 3-5
network access restriction sets 3-5
password aging 3-5
group-level network access restrictions
See network access restrictions
groups
See also network device groups
assigning users to 7-8
configuring RADIUS settings for
See RADIUS
Default Group 6-2, 17-6
enabling VoIP (Voice-over-IP) support for 6-4
exporting group information D-25
listing all users in 6-54
mapping order 17-12
mappings 17-1, 17-2
multiple mappings 17-5
no access groups 17-5
overriding settings 3-2
relationship to users 3-2
renaming 6-55
resetting usage quota counters for 6-55
settings for
callback options 6-7
configuration-specific 6-16
configuring common 6-3
device management command authorization sets 6-37
enable privilege 6-19
IP address assignment method 6-28
management tasks 6-54
max sessions 6-12
network access restrictions 6-8
password aging rules 6-21
PIX command authorization sets 6-35
shell command authorization sets 6-33
TACACS+ 6-2, 6-31
time-of-day access 6-5
token cards 6-18
usage quotas 6-14
setting up and managing 6-1
sort order within group mappings 17-5
specifications by ODBC authentications 13-65, 13-67, 13-68
GUI
See HTML interface
H
handle counts G-6
hard disk space G-5
hardware requirements 2-2
Help 1-29
host system state G-5
HTML interface
See also Interface Configuration
encrypting 12-13
logging off 1-33
overview 1-25
security 1-26
SSL 1-26
web servers G-2
HTTP port allocation
configuring 12-14
overview 1-23
HTTPS 12-13
I
IETF 802.1x 1-13
importing passwords D-14
imports with CSUtil.exe D-14
inbound authentication 1-14
inbound password configuration 1-14
installation
related documentation xlix
system requirements 2-2
troubleshooting A-16
Interface Configuration
See also HTML interface
advanced options 3-4
configuring 3-1
customized user data fields 3-3
security protocol options 3-9
IP ACLs
See downloadable IP ACLs
IP addresses
in User Setup 7-10
multiple IP addresses for AAA client 4-12
requirement for CSTacacs and CSRadius G-8
setting assignment method for user groups 6-28
IP pools
address recovery 9-51
deleting 9-50
DHCP 9-45
editing IP pool definitions 9-48
enabling in interface 3-6
overlapping 9-45, 9-47
refreshing 9-47
resetting 9-49
servers
adding IP pools 9-47
overview 9-44
replicating IP pools 9-45
user IP addresses 7-11
L
LAN manager 1-13
latency in networks 2-19
LDAP
See generic LDAP user databases
LEAP proxy RADIUS user databases
configuring external databases 13-76
group mappings 17-2
overview 13-75
RADIUS-based group specifications 17-14
list all users
in Group Setup 6-54
in User Setup 7-55
Logged-In Users report
deleting logged-in users 11-11
description 11-10
viewing 11-10
logging
See also Reports and Activity
accounting logs 11-6
Administration Audit log 11-14
administration reports 11-9
configuring 11-20
CSV (comma-separated values) files 11-2
custom RADIUS dictionaries 9-2
debug logs
detail levels 11-33
frequency 11-33
Disabled Accounts reports 11-9
domain names 11-3
external user databases 11-3
Failed Attempts logs 11-6
formats 11-2
Logged-In Users reports 11-9
ODBC logs
enabling in interface 3-6
overview 11-2
working with 11-21
overview 11-6
Passed Authentication logs 11-6
RADIUS logs 11-6
RDBMS synchronization 9-2
remote logging
centralized 11-27
configuring 11-29
disabling 11-31
enabling in interface 3-5
logging hosts 11-26
options 11-28
overview 11-26
services
configuring service logs 11-33
list of logs generated 11-32
system logs 11-13
TACACS+ logs 11-6
troubleshooting A-17
user data attributes 11-2
VoIP logs 11-6
watchdog packets 11-5
login process test frequency 8-18
logins
greeting upon 6-24
password aging dependency 6-23
logs
See logging
See Reports and Activity
M
machine authentication
enabling 13-22
overview 13-16
with Microsoft Windows 13-20
management application support 1-19
mappings
database groups to AAA groups 17-4
databases to AAA groups 17-2
master AAA servers 9-3
master key
definition 10-15
states 10-15
max sessions
enabling in interface 3-5
in Group Setup 6-12
in User Setup 7-16
overview 1-18
troubleshooting A-16
memory utilization G-5
monitoring
configuring 8-19
CSMon G-5
overview 8-18
MS-CHAP
compatible databases 1-10
configuring 10-26
overview 1-13
protocol supported 1-11
multiple group mappings 17-5
multiple IP addresses for AAA clients 4-12
N
NAC
attributes
about 14-11
adding D-44
data types 14-19
deleting D-44
exporting D-44
attribute-value pairs 14-9
Certificate Trust List 14-6
credentials
about 14-11
definition 14-2
databases
configuring 14-14
default database 14-10
definition of 14-10
group mapping 17-13
implementing 14-5
introduction 1-25
logging 14-6
NAC client
Cisco Trust Agent 14-2
definition 14-2
policies
about 14-16
external 14-28
local 14-17
results 14-16
remediation server
definition 14-2
url-redirect attribute C-8
rules
about 14-19
default 14-23
operators 14-20
self-signed certificates 14-6
tokens
assigning to rules 14-23
definition 14-4
group mapping 17-13
returned by local policies 14-18
Unknown User Policy 16-10
NAFs
See network access filters
NAR
See network access restrictions
NAS
See AAA clients
NDG
See network device groups
NDS
See Novell NDS user databases
network access filters
adding 5-3
deleting 5-7
editing 5-5
overview 5-2
network access quotas 1-18
network access restrictions
adding 5-19
configuring 5-19
deleting 5-24
editing 5-23
enabling in interface
group-level 3-5
user-level 3-5
in Group Setup 6-8
interface configuration 3-5
in User Setup 6-8, 7-11
non-IP-based filters 5-18
overview 5-15
network access servers
See AAA clients
Network Admission Control
See NAC
network configuration 4-1
network device groups
adding 4-29
assigning AAA clients to 4-30
assigning AAA servers to 4-30
configuring 4-28
deleting 4-32
enabling in interface 3-6
overview 1-24
reassigning AAA clients to 4-31
reassigning AAA servers to 4-31
renaming 4-32
network devices
See AAA clients
searches for 4-8
network requirements 2-4
networks
latency 2-19
reliability 2-19
network topologies
deployment 2-6
wireless 2-9
notifications G-7
Novell NDS user databases
authentication 13-50
configuring 13-53
mapping database groups to AAA groups 17-4
Novell Requestor 13-50
options 13-52
supported protocols 1-10
supported versions 13-50
user contexts 13-51
O
ODBC features
accountActions table 9-32
authentication
CHAP 13-60
EAP-TLS 13-60
overview 13-55
PAP 13-60
preparation process 13-59
process with external user database 13-58
result codes 13-69
case-sensitive passwords 13-61
CHAP authentication sample procedure 13-63
configuring 13-71
data source names 11-22, 13-56
DSN (data source name) configuration 13-70
EAP-TLS authentication sample procedure 13-64
features supported 13-57
group mappings 17-2
group specifications
CHAP 13-67
EAP-TLS 13-68
PAP 13-65
vs. group mappings 17-3
PAP authentication sample procedures 13-62
password case sensitivity 13-61
stored procedures
CHAP authentication 13-66
EAP-TLS authentication 13-67
implementing 13-60
PAP authentication 13-64
type definitions 13-61
user databases 13-55
ODBC logs
See logging
Online Documentation 1-34
online Help
location in HTML interface 1-29
using 1-34
operating system requirements 2-2
outbound password configuration 1-15
overview of Cisco Secure ACS 1-1
P
PAC
automatic provisioning 10-18
definition 10-17
manual provisioning 10-20
refresh 10-21
PAP
compatible databases 1-10
in User Setup 7-5
vs. ARAP 1-12
vs. CHAP 1-12
Passed Authentications log
configuring CSV (comma-separated values) 11-19
CSV (comma-separated values) file directory 11-16
enabling CSV (comma-separated values) logging 11-17
viewing 11-18
password aging
age-by-uses rules 6-23
Cisco IOS release requirement for 6-21
EAP-FAST 13-25
interface configuration 3-5
in Windows databases 6-26
MS-CHAP 13-25
overview 1-15
PEAP 13-25
rules 6-21
passwords
See also password aging
case sensitive 13-61
CHAP/MS-CHAP/ARAP 7-7
configurations
caching 1-15
inbound passwords 1-14
outbound passwords 1-15
separate passwords 1-14
single password 1-14
token caching 1-15
token cards 1-14
encryption 13-2
expiration 6-23
import utility D-14
local management 8-5
password change log management 8-6
post-login greeting 6-24
protocols and user database compatibility 1-10
protocols supported 1-11
remote change 8-5
user-changeable 1-16
validation options in System Configuration 8-5
pattern matching in command authorization 5-30
PEAP
See also certification
compatible databases 1-10
configuring 10-26
enabling 10-12
identity protection 10-9
options 10-27
overview 10-8
password aging 6-27
phases 10-9
with Unknown User Policy 10-11
performance monitoring G-5
performance specifications 1-3
per-group attributes
See also groups
enabling in interface 3-2
per-user attributes
enabling in interface 3-2
TACACS+/RADIUS in Interface Configuration 3-4
PIX ACLs
See downloadable IP ACLs
PIX command authorization sets
See command authorization sets
PKI (public key infastructure)
See certification
port 2002
CSAdmin G-2
in HTTP port ranges 12-13
in URLs 1-29
port allocation
See HTTP port allocation
ports
See also HTTP port allocation
See also port 2002
RADIUS 1-6, 1-7
TACACS+ 1-6
posture validation
See also NAC
request handling 16-11
PPP password aging 6-21
privileges
See administrators
processor utilization G-5
profile components
See shared profile components
proxy
See also Proxy Distribution Table
character strings
defining 4-6
stripping 4-6
configuring 4-34
in enterprise settings 4-6
overview 4-4
sending accounting packets 4-7
troubleshooting A-15
Proxy Distribution Table
See also proxy
adding entries 4-35
configuring 4-34
default entry 4-3, 4-34
deleting entries 4-38
editing entries 4-37
match order sorting 4-36
overview 4-34
Q
quotas
See network access quotas
See usage quotas
R
RADIUS
See also RADIUS VSAs (vendor specific attributes)
attributes
See also RADIUS VSAs (vendor specific attributes)
in User Setup 7-37
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
Cisco IOS C-3
IETF C-14
overview C-1
Cisco Aironet 4-13
IETF
in Group Setup 6-38
interface configuration 3-16
in User Setup 7-38
interface configuration overview 3-11
password aging 6-26
ports 1-6, 1-7
specifications 1-7
token servers 13-79
troubleshooting A-22
tunneling packets 4-18
vs. TACACS+ 1-6
RADIUS Accounting log
configuring
CSV (comma-separated values) 11-19
ODBC 11-23
configuring CSV (comma-separated values) 11-18
CSV (comma-separated values) file directory 11-16
enabling
ODBC 11-23
enabling CSV (comma-separated values) 11-17
RADIUS user databases
configuring 13-81
group mappings 17-2
RADIUS-based group specifications 17-14
RADIUS VSAs (vendor specific attributes)
Ascend
in Group Setup 6-43
in User Setup 7-43
supported attributes C-31
Cisco Aironet
in Group Setup 6-41
in User Setup 7-41
Cisco BBSM (Building Broadband Service Manager)
in Group Setup 6-51
in User Setup 7-52
supported attributes C-14
Cisco IOS/PIX
in Group Setup 6-40
interface configuration 3-17
in User Setup 7-39
supported attributes C-5
Cisco VPN 3000
in Group Setup 6-44
in User Setup 7-44
supported attributes C-9
Cisco VPN 5000
in Group Setup 6-46
in User Setup 7-46
supported attributes C-13
custom
about 9-28
in Group Setup 6-53
in User Setup 7-53
Juniper
in Group Setup 6-50
in User Setup 7-51
supported attributes C-44
Microsoft
in Group Setup 6-47
in User Setup 7-47
supported attributes C-28
Nortel
in Group Setup 6-49
in User Setup 7-49
supported attributes C-43
overview C-1
user-defined
about 9-28, D-28
action codes for F-19
adding D-29
deleting D-31
import files D-34
listing D-32
replicating 9-29, D-29
RDBMS synchronization
accountActions table as transaction queue 9-32
configuring 9-41
CSV-based 9-35
data source name configuration 9-37, 9-38
disabling 9-43
enabling in interface 3-6
group-related configuration 9-27
import definitions F-1
log
CSV (comma-separated values) file directory 11-16
viewing 11-18
manual initialization 9-40
network configuration 9-28
overview 9-26
partners 9-39
preparing to use 9-33
report and error handling 9-33
scheduling options 9-39
user-related configuration 9-27
Registry G-2
rejection mode
general 16-5
posture validation 16-11
Windows user databases 16-6
related documentation xlix
reliability of network 2-19
remote access policies 2-14
remote logging
See logging
replication
ACS Service Management page 9-2
backups recommended (Caution) 9-10
cascading 9-6, 9-13
certificates 9-2
client configuration 9-17
components
overwriting (Caution) 9-17
overwriting (Note) 9-11
selecting 9-11
configuring 9-21
corrupted backups (Caution) 9-10
custom RADIUS dictionaries 9-2
disabling 9-24
EAP-FAST 10-22
encryption 9-5
external user databases 9-2
frequency 9-7
group mappings 9-2
immediate 9-19
implementing primary and secondary setups 9-15
important considerations 9-7
in System Configuration 9-21
interface configuration 3-5
IP pools 9-2, 9-45
logging 9-10
manual initiation 9-19
master AAA servers 9-3
notifications 9-25
options 9-11
overview 9-2
partners
configuring 9-23
options 9-12
process 9-4
scheduling 9-21
scheduling options 9-12
selecting data 9-11
unsupported 9-2
user-defined RADIUS vendors 9-9
vs. backup 9-10
Reports and Activity
See also logging
configuration privileges 12-5
configuring 11-20
CSV (comma-separated values) logs 11-13
in interface 1-29
overview 11-6
request handling
general 16-5
posture validation 16-11
Windows user databases 16-6
requirements
hardware 2-2
network 2-4
operating system 2-2
system 2-2
resource consumption G-6
restarting services 8-2
restore
components restored
configuring 8-16
overview 8-16
filenames 8-15
in System Configuration 8-14
overview 8-14
performing 8-16
reports 8-16
with CSUtil.exe D-7
RFC2138 1-7
RFC2139 1-7
RSA user databases
configuring 13-85
group mappings 17-2
S
search order of external user databases 16-15
security policies 2-15
security protocols
Cisco AAA client devices 1-2
CSRadius G-8
CSTacacs G-8
interface options 3-9
RADIUS 1-6, C-1
TACACS+
custom commands 3-9
overview 1-6
time-of-day access 3-8
server certificate installation 10-35
service control in System Configuration 11-33
Service Monitoring logs
See Cisco Secure ACS Service Monitoring logs
services
determining status of 8-2
logs
configuring 11-33
list of logs generated 11-32
management 8-17
overview 1-4, G-1
starting 8-2
stopping 8-2
session policies
configuring 12-17
options 12-16
overview 12-16
shared profile components
See also command authorization sets
See also downloadable IP ACLs
See also network access filters
See also network access restrictions
overview 5-1
shared secret G-8
shell command authorization sets
See also command authorization sets
in Group Setup 6-33
in User Setup 7-26
single password configurations 1-14
SMTP (simple mail-transfer protocol) G-7
specifications
RADIUS
RFC2138 1-7
RFC2139 1-7
system performance 1-3
TACACS+ 1-7
SSL (secure socket layer) 12-13
starting services 8-2
static IP addresses 7-10
stopping services 8-2
stored procedures
CHAP authentication
configuring 13-73
input values 13-66
output values 13-66
result codes 13-69
EAP-TLS authentication
configuring 13-74
input values 13-67
output values 13-68
implementing 13-60
PAP authentication
configuring 13-73
input values 13-64
output values 13-65
result codes 13-69
sample procedures 13-62
type definitions
integer 13-61
string 13-61
supplementary user information
in User Setup 7-6
setting 7-6
synchronization
See RDBMS synchronization
system
configuration
advanced 9-1
authentication 10-1
basic 8-1
certificates 10-1
privileges 12-4
health G-5
messages in interface 1-29
monitoring
See monitoring
performance specifications 1-3
requirements 2-2
services
See services
T
TACACS+
advanced TACACS+ settings
in Group Setup 6-2
in User Setup 7-33
AV (attribute value) pairs
accounting B-4
general B-1
custom commands 3-9
enable password options for users 7-35
enable privilege options 7-33
interface configuration 3-7
interface options 3-9
outbound passwords for users 7-37
ports 1-6
SENDAUTH 1-15
settings
in Group Setup 6-2, 6-31
in User Setup 7-22, 7-23
specifications 1-7
time-of-day access 3-8
troubleshooting A-22
vs. RADIUS 1-6
TACACS+ Accounting log
configuring
CSV (comma-separated values) 11-19
ODBC 11-23
CSV (comma-separated values) file directory 11-16
enabling CSV (comma-separated values) 11-17
enabling for ODBC 11-23
viewing 11-18
TACACS+ Administration log
configuring
CSV(comma-separated values) 11-19
ODBC 11-23
CSV (comma-separated values) file directory 11-16
enabling
ODBC 11-23
enabling CSV (comma-separated values) 11-17
viewing 11-18
Telnet
See also command authorization sets
password aging 6-21
test login frequency internally 8-18
thread used G-6
time-of-day/day-of-week specification
See also date format control
enabling in interface 3-5
timeout values on AAA clients 16-9
TLS (transport level security)
See certification
token caching 1-15, 13-79
token cards
password configuration 1-14
settings in Group Setup 6-18
token servers
ISDN terminal adapters 13-79
overview 13-78
RADIUS-enabled 13-79
RADIUS token servers 13-80
RSA 13-84
supported servers 1-10
token caching 13-79
topologies
See network topologies
troubleshooting
AAA servers A-1
administration issues A-2
browser issues A-4
Cisco IOS issues A-5
database issues A-7
debug logs 11-31, A-14
dial-in issues A-10
installation issues A-16
max sessions issues A-16
proxy issues A-15
RADIUS issues A-22
report issues A-17
TACACS+ issues A-22
third-party server issues A-19
upgrade issues A-16
user issues A-20
trust lists
See certification
trust relationships 13-9
U
UNIX passwords D-18
unknown service user setting 7-32
Unknown User Policy
See also unknown users
configuring 16-16
in external user databases 13-3, 16-14
turning off 16-17
unknown users
See also Unknown User Policy
authentication 16-4
authentication performance 16-8
authentication processing 16-8
network access authorization 16-13
posture validation 16-10
update packets
See watchdog packets
upgrade troubleshooting A-16
usage quotas
in Group Setup 6-14
in Interface Configuration 3-5
in User Setup 7-18
overview 1-18
resetting
for groups 6-55
for single users 7-58
user-changeable passwords
overview 1-16
with Windows user databases 13-25
user databases
See databases
User Data Configuration 3-3
user groups
See groups
user-level
downloadable ACLs interface 3-5
network access restrictions
See also network access restrictions
enabling in interface 3-4
User Password Changes log location 11-17
users
See also User Setup
adding
basic steps 7-4
methods 13-3
assigning client IP addresses to 7-10
assigning to a group 7-8
callback options 7-9
configuring 7-2
configuring device management command authorization sets for 7-30
configuring PIX command authorization sets for 7-29
configuring shell command authorization sets for 7-26
customized data fields 3-3
data configuration
See User Data Configuration
deleting 11-11
deleting accounts 7-57
disabling accounts 7-5
finding 7-55
import methods 13-3
in multiple databases 16-7
listing all users 7-55
number allowed 2-18
number of 1-4
RDBMS synchronization 9-27
relationship to groups 3-2
resetting accounts 7-59
saving settings 7-60
supplementary information 7-6
troubleshooting A-20
types
discovered 16-3
known 16-2
unknown 16-3
VPDN dialup E-2
User Setup
account management tasks 7-54
basic options 7-3
configuring 7-2
deleting user accounts 7-57
saving settings 7-60
Users in Group button 6-54
V
validation of passwords 8-5
vendor-specific attributes
See RADIUS VSAs (vendor specific attributes)
viewing logs and reports
See logging
Voice-over-IP
See VoIP (Voice-over-IP)
VoIP (Voice-over-IP)
accounting configuration 3-6, 8-21
Accounting log
enabling csv log 11-17
viewing 11-18
enabling in interface 3-6
group settings in Interface Configuration 3-6
in Group Setup 6-4
VoIP (Voice-over-IP) Accounting log
configuring
CSV (comma-separated values) 11-19
ODBC 11-23
CSV (comma-separated values) file directory 11-16
enabling
ODBC 11-23
VPDN
advantages 2-12
authentication process E-1
domain authorization E-2
home gateways E-3
IP addresses E-3
tunnel IDs E-3
users E-2
VSAs
See RADIUS VSAs (vendor specific attributes)
W
warning events G-5, G-7
warnings
significance of xlviii
watchdog packets
configuring on AAA clients 4-18
configuring on AAA servers 4-25
logging 11-5
web servers G-2
Windows operating systems
authentication order 16-7
Cisco Secure ACS-related services
services 8-2
dial-up networking 13-10
dial-up networking clients
domain field 13-10
password field 13-10
username field 13-10
Domain List effect 16-7
domains
domain names 13-13, 13-14, 16-6
Event logs G-6
Registry G-2
Windows user databases
See also databases
Active Directory 13-26
configuring 13-30
Domain list
inadvertent user lockouts 13-27
domain mapping 17-9
domains
trusted 13-9
grant dial-in permission to users 13-9, 13-26
group mappings
editing 17-9
limitations 17-4
no access groups 17-7
remapping 17-9
mapping database groups to AAA groups 17-4
overview 13-7
password aging 6-26
passwords 1-11
rejection mode 16-6
request handling 16-6
trust relationships 13-9
user-changeable passwords 13-25
user manager 13-26
wireless network topologies 2-9