User Guide for Cisco Secure ACS for Windows 4.0
Administrators and Administrative Policy

Table Of Contents

Administrators and Administrative Policy

Administrator Accounts

About Administrator Accounts

Administrator Privileges

Adding an Administrator Account

Editing an Administrator Account

Unlocking a Locked Out Administrator Account

Deleting an Administrator Account

Access Policy

Access Policy Options

Setting Up Access Policy

Session Policy

Session Policy Options

Setting Up Session Policy

Audit Policy


Administrators and Administrative Policy


This chapter addresses the features found in the Administration Control section of Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS.

This chapter contains the following topics:

Administrator Accounts

Access Policy

Session Policy

Audit Policy

Administrator Accounts

This section provides details about ACS administrators.

This section contains the following topics:

About Administrator Accounts

Administrator Privileges

Adding an Administrator Account

Editing an Administrator Account

Unlocking a Locked Out Administrator Account

Deleting an Administrator Account

About Administrator Accounts

Administrators are the only users of the ACS web interface. To access the ACS web interface from a browser run elsewhere than on the ACS Windows server itself, you must log in to ACS by using an administrator account. If your ACS is so configured, you may need to log in to ACS even in a browser run on the ACS Windows server. For more information about automatic local logins, see Session Policy.


Note ACS administrator accounts are unique to ACS. They are not related to other administrator accounts, such as Windows users with administrator privileges.


In the web interface, an administrator can configure any of the features provided in ACS; however, the ability to access various parts of the web interface can be limited by revoking privileges to those parts of the web interface that a given administrator is not allowed to access.

By default no privileges are granted to a new administrator, unless Grant All is selected.

For example, you may want to limit access to the Network Configuration section of the web interface to administrators whose responsibilities include network management. To do so, you would select only the Network Configuration privilege for applicable administrator accounts. For more information about administrator privileges, see Administrator Privileges.

ACS administrator accounts have no correlation with ACS user accounts or username and password authentication. ACS stores accounts created for authentication of network service requests and those created for ACS administrative access in separate internal databases.


Note When ACS is running on Windows 2003, the ACS administrator account that runs the ACS services must have a Domain Administrator account to authenticate against Windows 2003.


Administrator Privileges

You can grant appropriate privileges to each ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options from the Administrator Privileges table on the Add Administrator or Edit Administrator pages. These options are:

User and Group Setup—Contains the following privilege options for the User Setup and Group Setup sections of the web interface:

Add/Edit users in these groups—Enables the administrator to add or edit users and to assign users to the groups in the Editable groups list.

Setup of these groups—Enables the administrator to edit the settings for the groups in the Editable groups list.

Available Groups—Lists the user groups for which the administrator does not have edit privileges and to which the administrator cannot add users.

Editable Groups—Lists the user groups for which the administrator does have edit privileges and to which the administrator can add users.

Shared Profile Components—Contains the following privilege options for the Shared Profile Components section of the web interface:

Network Access Restriction Sets—Allows the administrator full access to the Network Access Restriction Sets feature.

Network Access Filtering Sets—Allows the administrator full access to the Network Access Filtering Sets feature.

Downloadable ACLs—Allows the administrator full access to the Downloadable PIX ACLs feature.

RADIUS Authorization Components—Allows the administrator full access to RAC.

Create New Device Command Set Type—Allows the administrator account to be used as valid credentials by another Cisco application for adding new device command set types. New device command set types that are added to ACS using this privilege appear in the Shared Profile Components section of the web interface.

Shell Command Authorization Sets—Allows the administrator full access to the Shell Command Authorization Sets feature.

PIX/ASA Command Authorization Sets—Allows the administrator full access to the PIX/ASA Command Authorization Sets feature.


Note Additional command authorization set privilege options may appear, if other Cisco network management applications, such as CiscoWorks, have updated the configuration of ACS.


Network Configuration—Allows the administrator full access to the features in the Network Configuration section of the web interface.

System Configuration—Contains the privilege options for the features found in the System Configuration section of the web interface. For each of the following features, enabling the option allows the administrator full access to the feature.

Service Control—For more information about this feature, see Service Control.

Date/Time Format Control—For more information about this feature, see Date Format Control.

Logging Control—For more information about this feature, see Logging.

Password Validation—For more information about this feature, see Local Password Management.

DB Replication—For more information about this feature, see ACS Internal Database Replication.

RDBMS Synchronization—For more information about this feature, see RDBMS Synchronization.

IP Pool Address Recovery—For more information about this feature, see IP Pools Address Recovery.

IP Pool Server Configuration—For more information about this feature, see IP Pools Server.

ACS Backup—For more information about this feature, see ACS Backup.

ACS Restore—For more information about this feature, see ACS System Restore.

ACS Service Management—For more information about this feature, see ACS Active Service Management.

VoIP Accounting Configuration—For more information about this feature, see VoIP Accounting Configuration.

ACS Certificate Setup—For more information about this feature, see ACS Certificate Setup.

Global Authentication Setup—For more information about this feature, see Global Authentication Setup.

Interface Configuration—Allows the administrator full access to the features in the Interface Configuration section of the web interface.

Administration Control—Allows the administrator full access to the features in the Administration Control section of the web interface.

External User Databases—Allows the administrator full access to the features in the External User Databases section of the web interface.

Posture Validation—Allows the administrator access to Network Admission Control (NAC) configuration.

Network Access Profiles—Allows the administrator access to service-based policy configuration.

Reports & Activity—Contains the privilege options for the reports and features found in the Reports and Activity section of the web interface. For each of the following features, enabling the option allows the administrator full access to the feature.

TACACS+ Accounting—For more information about this report, see Accounting Logs.

TACACS+ Administration—For more information about this report, see Accounting Logs.

RADIUS Accounting—For more information about this report, see Accounting Logs.

VoIP Accounting—For more information about this report, see Accounting Logs.

Passed Authentications—For more information about this report, see Accounting Logs.

Failed Attempts—For more information about this report, see Accounting Logs.

Logged-in Users—For more information about this report, see Dynamic Administration Reports.

Purge of Logged-in Users—For more information about this feature, see Deleting Logged-in Users.

Disabled Accounts—For more information about this report, see Dynamic Administration Reports.

ACS Backup and Restore—For more information about this report, see ACS System Logs.

DB Replication—For more information about this report, see ACS System Logs.

RDBMS Synchronization—For more information about this report, see ACS System Logs.

Administration Audit—For more information about this report, see ACS System Logs.

ACS Service Monitor—For more information about this report, see ACS System Logs.

User Change Password—For more information about this report, see ACS System Logs.

Adding an Administrator Account

Before You Begin

For descriptions of the options available while adding an administrator account, see Administrator Privileges.

To add a ACS administrator account:


Step 1 In the navigation bar, click Administration Control.

Step 2 Click Add Administrator.

The Add Administrator page appears.

Step 3 Complete the boxes in the Administrator Details table:

a. In the Administrator Name box, type the login name (up to 32 characters) for the new ACS administrator account.

b. In the Password box, type the password (from 4 to 32 characters) for the new ACS administrator account.

c. In the Confirm Password box, type the password a second time.

Step 4 To select all privileges, including user group editing privileges for all user groups, click Grant All.

All privilege options are selected. All user groups move to the Editable groups list.


Tip To clear all privileges, including user group editing privileges for all user groups, click Revoke All.


Step 5 To grant user and user group editing privileges:

a. Check the desired check boxes under User & Group Setup.

b. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).

The selected group moves to the Editable groups list.

c. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (left arrow button).

The selected group moves to the Available groups list.

d. To move all user groups to the Editable groups list, click >>.

The user groups in the Available groups list move to the Editable groups list.

e. To remove all user groups from the Editable groups list, click <<.

The user groups in the Editable groups list move to the Available groups list.

Step 6 To grant any of the remaining privilege options, in the Administrator Privileges table, check the applicable check boxes.

Step 7 Click Submit.

ACS saves the new administrator account. The new account appears in the list of administrator accounts on the Administration Control page.


Editing an Administrator Account

You can edit a ACS administrator account to change the privileges granted to the administrator. You can effectively disable an administrator account by revoking all privileges.


Note You cannot change the name of an administrator account; however, you can delete an administrator account and then create an account with the new name. For information about deleting an administrator account, see Deleting an Administrator Account. For information about creating an administrator account, see Adding an Administrator Account.


For information about administrator privilege options, see Administrator Privileges.

Before You Begin

For descriptions of the options available while editing an administrator account, see Administrator Privileges.

To edit ACS administrator account privileges:


Step 1 In the navigation bar, click Administration Control.

ACS displays the Administration Control page.

Step 2 Click the name of the administrator account whose privileges you want to edit.

The Edit Administrator name page appears, where name is the name of the administrator account that you just selected.

Step 3 To change the administrator password:

a. In the Password box, double-click the asterisks (*), and then type the new password (from 4 to 32 characters) for the administrator.

The new password replaces the existing, masked password.

b. In the Confirm Password box, double-click the asterisks, and then type the new administrator password a second time.

The new password is effective immediately after you click Submit in Step 9.

Step 4 If the Reset current failed attempts count check box appears below the Confirm Password box and you want to allow the administrator whose account you are editing to access the ACS web interface, check the Reset current failed attempts count check box.


Note If the Reset current failed attempts count check box appears below the Confirm Password box, the administrator cannot access ACS unless you complete Step 4. For more information about re-enabling an administrator account, see Unlocking a Locked Out Administrator Account.


Step 5 To select all privileges, including user group editing privileges for all user groups, click Grant All.

All privilege options are selected. All user groups move to the Editable groups list.

Step 6 To clear all privileges, including user group editing privileges for all user groups, click Revoke All.

All privileges options are cleared. All user groups move to the Available groups list.

Step 7 To grant user and user group editing privileges, follow these steps:

a. Under User & Group Setup, check the applicable check boxes.

b. To move all user groups to the Editable groups list, click >>.

The user groups in the Available groups list move to the Editable groups list.

c. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).

The selected group moves to the Editable groups list.

d. To remove all user groups from the Editable groups list, click <<.

The user groups in the Editable groups list move to the Available groups list.

e. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (left arrow button).

The selected group moves to the Available groups list.

Step 8 To grant any remaining privilege options, check the applicable check boxes in the Administrator Privileges table.

Step 9 To revoke any remaining privilege options, clear the applicable check boxes in the Administrator Privileges table.

Step 10 Click Submit.

ACS saves the changes to the administrator account.


Unlocking a Locked Out Administrator Account

ACS disables the accounts of administrators who have attempted to access the ACS web interface and have provided an incorrect password in more successive attempts than is specified on the Session Policy Setup page. Until the failed attempts counter for a disabled administrator account is reset, the administrator cannot access the web interface.

For more information about configuring how many successive failed login attempts can occur before ACS disables an administrator account, see Session Policy.

To reset the failed attempts count for an administrator:


Step 1 In the navigation bar, click Administration Control.

ACS displays the Administration Control page.

Step 2 Click the name of the administrator account whose account you want to re-enable.

The Edit Administrator name page appears, where name is the name of the administrator account you just selected.

If the Reset current failed attempts count check box appears below the Confirm Password box, the administrator account cannot access the web interface.

Step 3 Check the Reset current failed attempts count check box.

Step 4 Click Submit.

ACS saves the changes to the administrator account.


Deleting an Administrator Account

You can delete a ACS administrator account when you no longer need it. We recommend deleting any unused administrator accounts.

To delete a ACS administrator account:


Step 1 In the navigation bar, click Administration Control.

ACS displays the Administration Control page.

Step 2 In the Administrators table, click the name of the administrator account that you want to delete.

The Edit Administrator name page appears, where name is the name of the administrator account you just selected.

Step 3 Click Delete.

ACS displays a confirmation dialog box.

Step 4 Click OK.

ACS deletes the administrator account. The Administrators table on the Administration Control page no longer lists the administrator account that you deleted.


Access Policy

The Access Policy feature affects access to the ACS web interface. You can limit access by IP address and by the TCP port range used for administrative sessions. You can also enable secure socket layer (SSL) for access to the web interface.

This section contains the following topics:

Access Policy Options

Setting Up Access Policy

Access Policy Options

You can configure the following options on the Access Policy Setup page:

IP Address Filtering—Contains the following IP address filtering options:

Allow all IP addresses to connect—Allow access to the web interface from any IP address.

Allow only listed IP addresses to connect—Allow access to the web interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table.

Reject connections from listed IP addresses—Allow access to the web interface only from IP addresses outside the address range(s) specified in the IP Address Ranges table.

IP Address Ranges—The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, the range includes the start and end IP addresses. The IP addresses entered to define a range must differ only in the last octet (Class C format).

The IP Address Ranges table contains one column of each of the following boxes:

Start IP Address—Defines the lowest IP address of the range specified in the current row.

End IP Address—Defines the highest IP address of the range specified in the current row.

HTTP Port Allocation—Contains the following options for configuring TCP ports used for remote access to the web interface.

Allow any TCP ports to be used for Administration HTTP Access—Allow the ports used by administrative HTTP sessions to include the full range of TCP ports.

Restrict Administration Sessions to the following port range From Port X to Port Y—Restrict the ports used by administrative HTTP sessions to the range specified in the X and Y boxes, inclusive. The size of the range specified determines the maximum number of concurrent administrative sessions.

ACS uses port 2002 to start all administrative sessions. You do not need to include port 2002 in the port range. Also, ACS does not allow you to define an HTTP port range that consists only of port 2002. Your port range must consist of at least one port other than port 2002.

A firewall configured to permit HTTP traffic over the ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port that a web browser must address to initiate an administrative session.


Note We do not recommend allowing administration of ACS from outside a firewall. If you do choose to allow access to the web interface from outside a firewall, keep the HTTP port range as narrow as possible. This can help prevent accidental discovery of an active administrative port by unauthorized users. An unauthorized user would have to impersonate, or "spoof," the IP address of a legitimate host to make use of the active administrative session HTTP port.


Secure Socket Layer Setup—The Use HTTPS Transport for Administration Access check box defines whether ACS uses secure socket layer protocol to encrypt HTTP traffic between the CSAdmin service and a web browser used to access the web interface. When this option is enabled, all HTTP traffic between the browser and ACS is encrypted, as reflected by the URLs, which begin with HTTPS. Additionally, most browsers include an indicator for when a connection is SSL-encrypted.

To enable SSL, you must have completed the steps in Installing an ACS Server Certificate, and Adding a Certificate Authority Certificate.

Setting Up Access Policy

For information about access policy options, see Access Policy Options.

Before You Begin

If you want to enable SSL for administrative access, before completing this procedure, you must have completed the steps in Installing an ACS Server Certificate, and Adding a Certificate Authority Certificate.

To set up ACS Access Policy:


Step 1 In the navigation bar, click Administration Control.

ACS displays the Administration Control page.

Step 2 Click Access Policy.

The Access Policy Setup page appears.

Step 3 To allow remote access to the web interface from any IP address, in the IP Address Filtering table, select the Allow all IP addresses to connect option.

Step 4 To allow remote access to the web interface only from IP addresses within a range or ranges of IP addresses, follow these steps:

a. In the IP Address Filtering table, select the Allow only listed IP addresses to connect option.

b. For each IP address range from within which you want to allow remote access to the web interface, complete one row of the IP Address Ranges table. In the Start IP Address box, type the lowest IP address (up to 16 characters) in the range. In the End IP Address box, type the highest IP address (up to 16 characters) in the range. Use dotted decimal format.


Note The IP addresses entered to define a range must differ only in the last octet.


Step 5 To allow remote access to the web interface only from IP addresses outside a range or ranges of IP addresses, follow these steps:

a. In the IP Address Filtering table, select the Reject connections from listed IP addresses option.

b. For each IP address range from outside which you want to allow remote access to the web interface, complete one row of the IP Address Ranges table. Type the lowest IP address (up to 16 characters) in the range in the Start IP Address box. Type the highest IP address (up to 16 characters) in the range in the End IP Address box.


Note The IP addresses entered to define a range must differ only in the last octet.


Step 6 If you want to allow ACS to use any valid TCP port for administrative sessions, under HTTP Port Allocation, select the Allow any TCP ports to be used for Administration HTTP Access option.

Step 7 If you want to allow ACS to use only a specified range of TCP ports for administrative sessions, follow these steps:

a. Under HTTP Port Allocation, select the Restrict Administration Sessions to the following port range From Port X to Port Y option.

b. In the X box type the lowest TCP port (up to 5 characters) in the range.

c. In the Y box type the highest TCP port (up to 5 characters) in the range.

Step 8 If you want to enable SSL encryption of administrator access to the web interface, under Secure Socket Layer Setup, check the Use HTTPS Transport for Administration Access check box.


Note To enable SSL, you must have completed the steps in Installing an ACS Server Certificate, and Adding a Certificate Authority Certificate.


Step 9 Click Submit.

ACS saves and begins enforcing the access policy settings.

If you have enabled SSL, at the next administrator login, ACS begins using HTTPS. Any current administrator sessions are unaffected.


Session Policy

The Session Policy feature controls various aspects of ACS administrative sessions.

This section contains the following topics:

Session Policy Options

Setting Up Session Policy

Session Policy Options

You can configure the following options on the Session Policy Setup page:

Session idle timeout (minutes)—Defines the time in minutes that an administrative session, local or remote, must remain idle before ACS terminates the connection. This parameter applies to the ACS administrative session in the browser only. It does not apply to an administrative dial-up session.

An administrator whose administrative session is terminated receives a dialog box asking whether the administrator wants to continue. If the administrator chooses to continue, ACS starts a new administrative session.

Allow Automatic Local Login—Enables administrators to start an administrative session without logging in if they are using a browser on the computer running ACS. Such administrative sessions are conducted using a default administrator account named local_login. The local_login administrator account has all privileges. Local administrative sessions with automatic local login are recorded in the Administrative Audit report under the local_login administrator name.


Note If there are no administrator accounts defined, no administrator name and password are required to access ACS locally. This prevents you from accidentally locking yourself out of ACS.


Respond to Invalid IP Address Connections—Enables an error message in response to attempts to start a remote administrative session using an IP address that is invalid according to the IP address ranges configured in Access Policy. Disabling this option can help prevent unauthorized users from discovering ACS.

Lock out Administrator after X successive failed attempts—Enables ACS to lock out an administrator after a number of successive failed attempts to log in to the web interface. The number of successive attempts is specified in the X box. If this check box is checked, the X box cannot be set to zero. If this check box is not checked, ACS allows unlimited successive failed login attempts by an administrator.

Setting Up Session Policy

For information about session policy options, see Session Policy Options.

To set up ACS Session Policy:


Step 1 In the navigation bar, click Administration Control.

ACS displays the Administration Control page.

Step 2 Click Session Policy.

The Session Policy Setup page appears.

Step 3 To define the number of minutes of inactivity after which ACS ends an administrative session, in the Session idle timeout (minutes) box, type the number of minutes (up to 4 characters).

Step 4 Set the automatic local login policy:

a. To allow administrators to log in to ACS locally without using their administrator names and passwords, check the Allow Automatic Local Login check box.

b. To require administrators to log in to ACS locally using their administrator names and passwords, clear the Allow Automatic Local Login check box.

Step 5 Set the invalid IP address response policy:

a. To configure ACS to respond with a message when an administrative session is requested from an invalid IP address, check the Respond to invalid IP address connections check box.

b. To configure ACS to send no message when an administrative session is requested from an invalid IP address, clear the Respond to invalid IP address connections check box.

Step 6 Set the failed administrative login attempts policy:

a. To enable ACS to lock out an administrator after a specified number of successive failed administrative login attempts, check the Lock out Administrator after X successive failed attempts check box.

b. In the X box, type the number of successive failed login attempts after which ACS locks out an administrator. The X box accepts up to 4 characters.

Step 7 Click Submit.

ACS saves and begins enforcing the session policy settings you made.


Audit Policy

The Audit Policy feature controls the generation of the Administrative Audit log.

For more information about enabling, viewing, or configuring the Administrative Audit log, see ACS System Logs.