Index
A
AAA 1
See also AAA clients
See also AAA servers
pools for IP address assignment 7
AAA clients 1
adding and configuring 11
configuring 7
deleting 14
editing 13
IP pools 7
multiple IP addresses for 8
number of 20
searching for 6
table 1
timeout values 6
AAA protocols
TACACS+ and RADIUS 3
AAA servers 3
adding 16
configuring 15
deleting 19
editing 18
enabling in interface (table) 6
functions and concepts 2
in distributed systems 2
master 2
overview 15
primary 2
replicating 2
searching for 6
secondary 2
troubleshooting 1
accessing Cisco Secure ACS
how to 3
URL 18
with SSL enabled 18
access policies
See administrative access policies
accountActions table 19, 20
account disablement
Account Disabled check box 3
manual 38
resetting 39
setting options for 13
accounting
See also logging
administrative 15
overview 14
RADIUS 15
TACACS+ 15
ACLs
See downloadable IP ACLs
ACS
additional features 4
extended replication components 5
features, functions and concepts 2
internal database 3
introduction to 1
managing and administrating 15
scalability improvements 5
specifications 19
Windows Services 20
ACS internal database
See also databases
overview 1
password encryption 2
ACS internal database replication
See replication
action codes
for creating and modifying user accounts 4
for initializing and modifying access filters 9
for modifying network configuration 17
for modifying TACACS+ and RADIUS settings 12
for setting and deleting values 4
in accountActions 3
Active Service Management
See Cisco Secure ACS Active Service Management
adding
external servers 24
ADF
importing for vendors 5
Administration Audit log
configuring 9
CSV file directory 11
viewing 12
Administration Control
See also administrators
audit policy setup 12
administrative access policies
See also administrators
configuring 9
limits 8
options 8
overview 8
administrative accounting 15
administrative sessions
and HTTP proxy 2
network environment limitations of 1
session policies 11
through firewalls 2
through NAT (network address translation) 2
administrators
See also Administration Audit log
See also Administration Control
See also administrative access policies
adding 4
deleting 7
editing 5
locked out 7
locking out 11
overview 1
privileges 2
separation from general users 9
troubleshooting 2
unlocking 7
advanced options in interface 7
AES 128 algorithm 2
age-by-date rules for groups 18
Aironet
AAA client configuration 9
RADIUS parameters for group 30
RADIUS parameters for user 28
ARAP 9
in User Setup 4
attribute definition file
see also ADF 5
attributes
enabling in interface 4
group-specific (table) 24
logging of user data 2
per-group 4
per-user 4
user-specific (table) 24
attribute-value pairs
See AV (attribute value) pairs
audit policies
See also Administration Audit log
overview 12
audit server
functionality 40
audit servers
setting up 25
authentication 6
configuration 19
configuring policies 27
considerations 6
denying unknown users 9
functionality 12
options 19
overview 6
protocol-database compatibility 7
request handling 3
user databases 7
via external user databases 4
Windows 8
authorization 12
configuring policies 43
ordering rules 46
rules 43
sets
See command authorization sets
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
RADIUS
Cisco IOS 3
IETF 11
TACACS+
accounting 3
general 1
Available Credentials 38
B
Backup and Restore log directory
See Cisco Secure ACS Backup and Restore log
backups
components backed up 8
directory management 8
disabling scheduled 10
filenames 11
locations 8
manual 9
options 9
overview 7
reports 8
scheduled vs. manual 7
scheduling 9
vs. replication 6
with CSUtil.exe 3
browsers
troubleshooting 3
C
cached users
See discovered users
CA configuration 28
callback options
in Group Setup 5
in User Setup 6
cascading replication 4, 9
cautions
significance of 27
certificate authority, trusted root 13
certificate trust list
see CTL
certification
See also EAP-TLS
See also PEAP
adding certificate authority certificates 28
background 1
backups 8
Certificate Revocation Lists 29
certificate signing request generation 32
editing the certificate trust list 28
replacing certificate 36
self-signed certificates
configuring 35
NAC 5
overview 34
server certificate installation 26
updating certificate 36
Certification Revocation List (CRL) 5
CHAP 9
in User Setup 4
Cisco
Identity-Based Networking Services (IBNS) 2
Cisco IOS
RADIUS
AV (attribute value) pairs 2
group attributes 28
user attributes 26
TACACS+ AV (attribute value) pairs 1
troubleshooting 3
Cisco NAC support 4
Cisco Secure ACS Active Service Management
event logging configuration 15
overview 13
system monitoring
configuring 14
custom actions 14
Cisco Secure ACS Active Service Monitoring logs
file location 11
viewing 12
Cisco Secure ACS administration overview 15
Cisco Secure ACS Backup and Restore log
CSV (comma-separated values) file directory 11
viewing 12
Cisco Secure ACS backups
See backups
Cisco Secure ACS system restore
See restore
CiscoSecure Authentication Agent 16
CLID-based filters 19
cloning
Network Access Profiles 9
policies or rules 21
codes
See action codes
command authorization sets
See also shell command authorization sets
adding 28
configuring 24, 28
deleting 30
editing 29
overview 24
pattern matching 27
PIX command authorization sets 24
command-line database utility
See CSUtil.exe
condition sets, defining 19
configuring
internal policies 18
configuring advanced filtering
Network Access Profiles 7
conventions 26
copying
policies or rules 21
creating
external servers 24
Credential Validation Databases 30
CRLs 29
CSAdmin
Windows Services 20
CSAuth
Windows Services 20
CSDBSync 19
Windows Services 20
CSLog
Windows Services 20
CSMon
See also Cisco Secure ACS Active Service Management
Cisco Secure ACS Service Monitoring logs 23
configuration 4
log 5
Windows Services 20
CSNTacctInfo 40, 41, 42
CSNTAuthUserPap 38
CSNTerrorString 40, 41, 42
CSNTExtractUserClearTextPw 39
CSNTFindUser 39
CSNTgroups 40, 41, 42
CSNTpasswords 40, 41
CSNTresults 40, 41, 42
CSNTusernames 40, 41, 42
CSRadius 6
Windows Services 20
CSTacacs 6
Windows Services 20
CSUtil.exe
decoding error numbers with 17
import text file (example) 15
overview 1
CSV (comma-separated values) files
downloading 12
filename formats 10
logging format 1
viewing 12
CTL
external policy servers
CTL editing 28
custom attributes
in group-level TACACS+ settings 22
in user-level TACACS+ settings 16
customer support
collecting data for 25
D
database group mappings
configuring
for token servers 2
for Windows domains 6
no access groups 4
order 8
deleting
group set mappings 7
Windows domain configurations 7
Database Replication log
CSV (comma-separated values) file directory 11
viewing 12
databases
See also external user databases
ACS internal database 1
authentication search process 3
compacting 8
deleting 54
deployment considerations 10
external
See also external user databases
See also Unknown User Policy
replication
See replication
search order 7
search process 7
selecting user databases 1
synchronization
See RDBMS synchronization
token cards
See token servers
troubleshooting 6, 14
types
See generic LDAP user databases
See LEAP proxy RADIUS user databases
See Novell NDS user databases
See ODBC features
See RADIUS user databases
See RSA user databases
unknown users 1
user databases 2
user import methods 2
Windows user databases 5
data source names
configuring for ODBC logging 17
for RDBMS synchronization 24
using with ODBC databases 34, 43, 44
data types, NAC attribute 8
date format control 3
DbSync log directory 11
debug logs
detail levels 24
frequency 24
default group
in Group Setup 2
mapping for Windows 4
default time-of-day/day-of-week specification 6
default time-of-day access settings for groups 5
deleting 10
external audit servers 27
external servers 25
logged-in users 7
Network Access Profiles 10
policies or rules 23
deployment
overview 1
sequence 11
device command sets
See command authorization sets
device management applications support 13
DHCP with IP pools 29
dial-in permission to users in Windows 18
dial-in troubleshooting 8
dial-up networking clients 7
dial-up topologies 2
digital certificates
See certification
Disabled Accounts report
viewing 8
Disabled Accounts reports
description 6
discovered users 2
Distinguished Name Caching 26
distributed systems
See also proxy
AAA servers in 2
overview 2
settings
configuring 23
default entry 3
enabling in interface 6
distribution table
See Proxy Distribution Table
DNIS-based filters 19
documentation
conventions 26
objectives 25
online 18
related 28
Domain List
configuring 21
inadvertent user lockouts 9, 21
overview 9
unknown user authentication 5
domain names
Windows operating systems 9
downloadable IP ACLs 5
adding 15
assigning to groups 22
assigning to users 14
deleting 17
editing 16
enabling in interface
group-level 6
user-level 5
overview 13
draft-ietf-radius-tunnel-auth 3
dump files
loading a database from a dump file 7
dynamic usage quotas 13
dynamic users
removing 40
E
EAP (Extensible Authentication Protocol)
Configuration 29
overview 9
supported protocols 9
with Windows authentication 10
EAP authentication
protocol 8
EAP-FAST 9
enabling 17
identity protection 10
logging 9
master keys
definition 10
states 10
master server 16
overview 9
PAC
automatic provisioning 13
definition 11
manual provisioning 14
refresh 15
states 13
password aging 20
phases 9
replication 15
EAP-Flexible Authentication via Secure Tunneling (FAST) 5
EAP-TLS 9
See also certification
authentication configuration 19
comparison methods 3
domain stripping 10
enabling 4
limitations 4
options 22, 25
overview 2
editing
external audit servers 26
external posture validation servers 25
internal policies 20
Network Access Profiles 9
enable password options for TACACS+ 23
enable privilege options for groups 13
entity field 8
error number decoding with CSUtil.exe 17
Event log
configuring 15
exception events 5
exception events 5
exemption list
external audit 15
exports
of user lists 15
Extensible Authentication Protocol
See EAP (Extensible Authentication Protocol)
Extensible Authentication Protocol (EAP) 2
external audit policy
what triggers an 15
external audit server
setting up 25
external audit servers
about 14
deleting 27
editing 26
external policies 11
exemption list support 15
external servers
creating 24
deleting 25
editing 25
external token servers
See token servers
external user databases
See also databases
authentication via 4
configuring 3
deleting configuration 54
latency factors 6
search order 6, 8
supported 7
Unknown User Policy 1
F
Failed Attempts log
configuring
CSV (comma-separated values) 14
ODBC 17
CSV (comma-separated values) file directory 11
enabling
log 11
ODBC 17
viewing 12
failed log-on attempts 5
failure events
customer-defined actions 5
predefined actions 5
fallbacks on failed connection 4
finding users 37
G
gateways 2
Generic LDAP 7
generic LDAP user databases
authentication 22
configuring
database 30
options 26
directed authentications 24
domain filtering 24
failover 25
mapping database groups to AAA groups 3
multiple instances 23
organizational units and groups 23
Global Authentication Setup 19
global authentication setup
enabling posture validation 5
grant dial-in permission to users 6, 18
greeting after login 18
group-level interface enabling
downloadable IP ACLs 6
network access restrictions 6
network access restriction sets 6
password aging 6
group-level network access restrictions
See network access restrictions
groups
See also network device groups
assigning users to 5
configuring RADIUS settings for
See RADIUS
Default Group 2, 4
enabling VoIP (Voice-over-IP) support for 4
exporting group information 16
listing all users in 40
mapping order 8
mappings 1
no access groups 4
overriding settings 4
relationship to users 4
renaming 40
resetting usage quota counters for 40
settings for
callback options 5
configuration-specific 12
configuring common 3
device management command authorization sets 26
enable privilege 13
IP address assignment method 21
management tasks 39
max sessions 9
network access restrictions 6
password aging rules 15
PIX command authorization sets 25
shell command authorization sets 24
TACACS+ 2, 3, 22
time-of-day access 5
token cards 14
usage quotas 10
setting up and managing 1
specifications by ODBC authentications 40, 41, 42
H
handle counts 5
hard disk space 4
host system state 4
HTML interface
encrypting 9
logging off 3
HTTP port allocation
configuring 9
for administrative sessions 16
HTTPS 9
I
IEEE 802.1x 2
IETF 802.1x 9
IETF RADIUS attributes 4
importing passwords 9
imports with CSUtil.exe 9
inbound
authentication 10
password configuration 10
installation
related documentation 28
troubleshooting 11
Interface Configuration
See also HTML interface
advanced options 5
configuring 1
customized user data fields 4
security protocol options 9
internal architecture 1
internal policies
configuration options 10
editing 20
rules 10
steps to set up 18
IP ACLs
See downloadable IP ACLs
IP addresses
in User Setup 7
multiple IP addresses for AAA client 8
requirement for CSTacacs and CSRadius 6
setting assignment method for user groups 21
IP pools
address recovery 33
deleting 32
DHCP 29
editing IP pool definitions 31
enabling in interface 6
overlapping 29, 30
refreshing 30
resetting 32
servers
adding IP pools 30
overview 28
replicating IP pools 29
user IP addresses 7
L
LAN manager 9
latency in networks 10
LDAP
Admin Logon Connection Management 26
Distinguished Name 26
LEAP 9
LEAP proxy RADIUS user databases
configuring external databases 47
group mappings 1
overview 46
RADIUS-based group specifications 8
list all users
in Group Setup 40
in User Setup 37
local policies
see internal policies
log files
storage directory 3
Logged-In Users report
deleting logged-in users 7
description 6
viewing 7
logging
See also Reports and Activity
accounting logs 4
Administration Audit log 9
administration reports 6
configuring 15
CSV (comma-separated values) files 1
custom RADIUS dictionaries 2
debug logs
detail levels 24
frequency 24
Disabled Accounts reports 6
domain names 2
external user databases 2
Failed Attempts logs 4
formats 1
Logged-In Users reports 6
ODBC logs
enabling in interface 7
overview 1
working with 16
overview 4
Passed Authentication logs 4
RADIUS logs 4
RDBMS synchronization 2
remote logging
centralized 20
configuring 21
disabling 22
enabling in interface 6
logging hosts 19
options 21
overview 19
service logs 12
services
configuring service logs 24
list of logs generated 23
system logs 8
TACACS+ logs 4
troubleshooting 12
user data attributes 2
VoIP logs 4
watchdog packets 3
login process test frequency 13
logins
greeting upon 18
password aging dependency 17
logs
See logging
See Reports and Activity
M
MAC-Authentication Bypass 29
Machine Access Restrictions (MAR) 6
machine authentication
enabling 16
overview 11
with Microsoft Windows 14
management application support 13
mappings
database groups to AAA groups 3
databases to AAA groups 1
master AAA servers 2
master key
definition 10
states 10
max sessions 12
enabling in interface 6
group 12
in Group Setup 9
in User Setup 11
overview 12
troubleshooting 11
user 12
memory utilization 4
monitoring
configuring 14
CSMon 4
overview 13
MS-CHAP 9
configuring 19
overview 9
protocol supported 8
multiple IP addresses for AAA clients 8
N
NAC 2
agentless host see also NAH 14
attributes
about 7
adding 28
data types 8
deleting 28
exporting 28
configuring ACS for support for 4
credentials
about 7
implementing 4
logging 5
overview
policies
about 18
external 11
internal 9
results 18
remediation server
url-redirect attribute 6
rules
about 10, 6
default 11
operators 6
self-signed certificates 5
tokens
definition 3
descriptions of 3
returned by internal policies 9
NAC Agentless Host 25
NAC L2 IP 17
NAC L3 IP 15
NAFs
See network access filters
NAH
policies 14
NAR
See network access restrictions
NAS
See AAA clients
Network Access Filter (NAF)
editing 5
Network Access Filters (NAF) 6, 4
adding 3
deleting 6
overview 2
Network Access Profiles 5, 1, 10, 28
cloning 9
configuring advanced filtering 7
editing 9
setting up 3
network access quotas 13
network access restrictions
deleting 23
editing 22
enabling in interface
group-level 6
user-level 5
in Group Setup 6
interface configuration 6
in User Setup 6, 8
non-IP-based filters 19
overview 18
network access servers
See AAA clients
Network Admission Control
see NAC
network configuration 1
network device groups
adding 20
assigning AAA clients to 21
assigning AAA servers to 21
configuring 19
deleting 22
enabling in interface 6
reassigning AAA clients to 21
reassigning AAA servers to 21
renaming 22
network devices
searches for 6
networks
latency 10
reliability 10
network topologies
deployment 2
wireless 4
noncompliant devices 2
non-EAP authentication
protocol 7
Novell NDS user databases
mapping database groups to AAA groups 3
O
ODBC features
accountActions table 21
authentication
CHAP 37
EAP-TLS 37
overview 34
PAP 37
preparation process 36
process with external user database 35
result codes 43
case-sensitive passwords 38
CHAP authentication sample procedure 39
configuring 44
data source names 17, 34
DSN (data source name) configuration 43
EAP-TLS authentication sample procedure 39
features supported 35
group mappings 1
group specifications
CHAP 41
EAP-TLS 42
PAP 40
vs. group mappings 2
PAP authentication sample procedures 38
password case sensitivity 38
stored procedures
CHAP authentication 41
EAP-TLS authentication 42
implementing 37
PAP authentication 40
type definitions 38
user databases 34
ODBC logs
See logging
One-time Passwords (OTPs) 6
online documentation 18
online help 18
location in HTML interface 17
using 18
online user guide 19
Open Database Connectivity (ODBC) 7
ordering rules, in policies 10
outbound password configuration 10
overview of Cisco Secure ACS 1
P
PAC
automatic provisioning 13
definition 11
manual provisioning 14
refresh 15
package.cab file 25
PAP 9
in User Setup 4
vs. ARAP 9
vs. CHAP 9
Passed Authentications log
configuring CSV (comma-separated values) 14
CSV (comma-separated values) file directory 11
enabling CSV (comma-separated values) logging 11
viewing 12
password
automatic change password configuration 16
password aging 11
age-by-uses rules 17
Cisco IOS release requirement for 16
EAP-FAST 17
interface configuration 6
in Windows databases 19
MS-CHAP 17
overview 11
PEAP 17
rules 15
password configurations
basic 10
passwords
See also password aging
case sensitive 38
CHAP/MS-CHAP/ARAP 5
configurations
caching 10
inbound passwords 10
outbound passwords 10
separate passwords 10
single password 10
token caching 10
token cards 10
encryption 2
expiration 17
import utility 9
local management 4
password change log management 5
post-login greeting 18
protocols supported 8
remote change 5
user-changeable 11
validation options in System Configuration 4
pattern matching in command authorization 27
PEAP 9
See also certification
configuring 19
enabling 8
identity protection 6
options 21
overview 6
password aging 19
phases 6
with Unknown User Policy 7
performance monitoring 4
performance specifications 19
per-group attributes
See also groups
enabling in interface 4
per-user attributes
enabling in interface 4
TACACS+/RADIUS in Interface Configuration 5
PIX ACLs
See downloadable IP ACLs
PIX command authorization sets
See command authorization sets
PKI (public key infrastructure)
See certification
Point-to-Point Protocol (PPP) 20
policies
cloning 21
configuring 17
copying 21
deleting 23
external 11
configuration options 12
internal 9
local
see internal policies
NAH 14
overview 7
renaming 22
rule order 10
setting up an external audit server 25
setting up external servers 24
Populate from Global 28
Network Access Profiles 28
port 2002
in HTTP port ranges 9
in URLs 18
port allocation
See HTTP port allocation
ports
See also HTTP port allocation
See also port 2002
RADIUS 3
TACACS+ 3
Posture Validation
for Agentless Hosts 41
posture validation
attributes 7
configuring ACS for 4
credentials 7
CTL 5
enabling 5
failed attempts log 5
implementing 4
internal policy configuration options 10
options 17
passed authentications log 5
policy overview 7
process flow 6
and profile-based policies 27
profiles, adding user groups 5
rule
assigning posture tokens 6
rules, about 10
server certificate requirement 4
Posture Validation Policies
configuring 35
PPP password aging 16
privileges
See administrators
processor utilization 4
profile 1
Profile-based Policies 2
profile components
See shared profile components
profiles 47
profile templates 13
protocols supported 8
protocol support
EAP authentication 8
non-EAP authentication 7
protocol types
Network Access Profiles 5
proxy
See also Proxy Distribution Table
character strings
defining 4
stripping 4
configuring 23
in enterprise settings 5
overview 3
sending accounting packets 5
troubleshooting 11
Proxy Distribution Table
See also proxy
adding entries 24
configuring 23
default entry 3, 24
deleting entries 26
editing entries 25
match order sorting 25
overview 23
Q
quotas
See network access quotas
See usage quotas
R
RAC and Groups 47
RADIUS 3
See also RADIUS VSAs (vendor specific attributes)
accounting 15
attributes
See also RADIUS VSAs (vendor specific attributes)
in User Setup 24
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
Cisco IOS 3
IETF 11
overview 1
Cisco Aironet 9
compliant token servers 7
IETF
in Group Setup 27
interface configuration 12
in User Setup 25
interface configuration overview 9
password aging 19
ports 3
specifications 3
token servers 49
troubleshooting 15
tunneling packets 12
vs. TACACS+ 3
RADIUS Accounting log
configuring
CSV (comma-separated values) 14
ODBC 17
configuring CSV (comma-separated values) 12
CSV (comma-separated values) file directory 11
enabling
ODBC 17
enabling CSV (comma-separated values) 11
RADIUS user databases
configuring 50
group mappings 1
RADIUS-based group specifications 8
RADIUS VSAs (vendor specific attributes)
Ascend
in Group Setup 32
in User Setup 29
supported attributes 21
Cisco Aironet
in Group Setup 30
in User Setup 28
Cisco BBSM (Building Broadband Service Manager)
in Group Setup 38
in User Setup 35
supported attributes 10
Cisco IOS/PIX
in Group Setup 28
interface configuration 13
in User Setup 26
supported attributes 4
Cisco VPN 3000
in Group Setup 33
in User Setup 30
supported attributes 6
Cisco VPN 5000
in Group Setup 34
in User Setup 31
supported attributes 10
custom
about 19
in Group Setup 39
in User Setup 35
Juniper
in Group Setup 37
in User Setup 34
supported attributes 28
Microsoft
in Group Setup 35
in User Setup 32
supported attributes 19
Nortel
in Group Setup 36
in User Setup 33
supported attributes 28
overview 1
user-defined
about 19, 18
action codes for 12
adding 18
deleting 19
import files 21
listing 20
replicating 19, 18
RDBMS synchronization
accountActions table as transaction queue 21
configuring 26
data source name configuration 23, 24
disabling 28
enabling in interface 6
group-related configuration 18
import definitions 1
log
CSV (comma-separated values) file directory 11
viewing 12
manual initialization 25
network configuration 19
overview 17
partners 25
preparing to use 22
report and error handling 22
scheduling options 25
user-related configuration 18
Registry 2
Regular Expressions Syntax 14
rejection mode
general 3
Windows user databases 4
related documentation 28
reliability of network 10
remote access policies 7
remote logging
See logging
Remove Dynamic Users 40
removing
external audit servers 27
external servers 25
policies or rules 23
removing dynamic users 40
renaming
policies 22
replication
ACS Service Management page 2
auto change password settings 16
backups recommended (Caution) 7
cascading 4, 9
certificates 2
client configuration 11
components
overwriting (Caution) 11
overwriting (Note) 7
selecting 8
configuring 14
corrupted backups (Caution) 7
custom RADIUS dictionaries 2
disabling 15, 16
EAP-FAST 15
encryption 4
external user databases 2
frequency 5
group mappings 2
immediate 12
implementing primary and secondary setups 10
important considerations 5
in System Configuration 14
interface configuration 6
IP pools 2, 29
logging 7
manual initiation 12
master AAA servers 2
notifications 16
options 7
overview 2
partners
configuring 15
options 9
process 3
scheduling 14
scheduling options 9
selecting data 8
unsupported 2
user-defined RADIUS vendors 6
vs. backup 6
Reports and Activity
See also logging
configuration privileges 4
configuring 15
CSV (comma-separated values) logs 8
in interface 17
overview 4
request handling
general 3
Windows user databases 4
Required Credential Types 38
resource consumption 5
restarting services 2
restore
components restored
configuring 12
overview 12
filenames 11
in System Configuration 11
on a different server 11
overview 11
performing 12
reports 12
with CSUtil.exe 4
RFC2138 3
RFC2139 3
RSA SecurID Token Server 7
RSA user databases
configuring 53
group mappings 1
rules
about 10
internal policy 10
S
search order of external user databases 8
security policies 8
security protocols
CSRadius 6
CSTacacs 6
interface options 9
RADIUS 3, 1
TACACS+
custom commands 8
overview 3
time-of-day access 8
Selected Credentials 38
server certificate installation 26
service control in System Configuration 24
Service Monitoring logs
See Cisco Secure ACS Service Monitoring logs
services
determining status of 2
logs
configuring 24
list of logs generated 23
management 13
starting 2
stopping 2
session policies
configuring 11
options 11
overview 11
setting up
Network Access Profiles 3
shared profile components
See also command authorization sets
See also downloadable IP ACLs
See also network access filters
See also network access restrictions
overview 1
Shared Profile Components (SPC) 13
Shared RAC 46
shared secret 6
shell command authorization sets
See also command authorization sets
in Group Setup 24
in User Setup 17
Simple Network Management Protocol (SNMP) 12
single password configurations 10
SMTP (simple mail-transfer protocol) 5
specifications
RADIUS
RFC2138 3
RFC2139 3
system performance 19
TACACS+ 3
SSL (secure socket layer) 9
starting services 2
static IP addresses 7
stopping services 2
stored procedures
CHAP authentication
configuring 45
input values 41
output values 41
result codes 43
EAP-TLS authentication
configuring 46
input values 42
output values 42
implementing 37
PAP authentication
configuring 45
input values 40
output values 40
result codes 43
sample procedures 38
type definitions
integer 38
string 38
supplementary user information
in User Setup 4
setting 4
support
Cisco Device-Management Applications 13
supported password protocols 8
synchronization
See RDBMS synchronization
system
configuration
advanced 1
authentication 1
basic 1
certificates 1
privileges 3
health 4
messages in interface 17
monitoring
See monitoring
performance specifications 19
services
See services
system performance
specifications 19
T
TACACS+ 3
accounting 15
advanced TACACS+ settings
in Group Setup 2, 3
in User Setup 22
AV (attribute value) pairs
accounting 3
general 1
custom commands 8
enable password options for users 23
enable privilege options 22
interface configuration 7
interface options 9
outbound passwords for users 24
ports 3
SENDAUTH 10
settings
in Group Setup 2, 3, 22
in User Setup 15, 16
specifications 3
time-of-day access 8
troubleshooting 15
vs. RADIUS 3
TACACS+ Accounting log
configuring
CSV (comma-separated values) 14
ODBC 17
CSV (comma-separated values) file directory 11
enabling CSV (comma-separated values) 11
enabling for ODBC 17
viewing 12
TACACS+ Administration log
configuring
CSV (comma-separated values) 14
ODBC 17
CSV (comma-separated values) file directory 11
enabling
ODBC 17
enabling CSV (comma-separated values) 11
viewing 12
Telnet
See also command authorization sets
password aging 16
test login frequency internally 13
thread used 5
time-of-day/day-of-week specification
See also date format control
enabling in interface 6
timeout values on AAA clients 6
TLS (transport level security)
See certification
token caching 10, 49
token cards 20
password configuration 10
settings in Group Setup 14
token servers
ISDN terminal adapters 49
overview 49
RADIUS-enabled 49
RADIUS token servers 50
RSA 53
supported servers 7
token caching 49
topologies
See network topologies
troubleshooting 47
AAA servers 1
administration issues 2
browser issues 3
Cisco IOS issues 3
database issues 6
debug logs 23
dial-in issues 8
installation issues 11
max sessions issues 11
proxy issues 11
RADIUS issues 15
report issues 12
TACACS+ issues 15
third-party server issues 14
upgrade issues 11
user issues 14
trusted root certificate authority 13
trust lists
See certification
trust relationships 7
U
UNIX passwords 12
unknown service user setting 21
Unknown User Policy 18
See also unknown users
configuring 8
in external user databases 2, 7
turning off 9
unknown users
See also Unknown User Policy
authentication 3
authentication performance 6
authentication processing 6
network access authorization 6
unmatched user requests 10
update packets
See watchdog packets
upgrade troubleshooting 11
usage quotas
in Group Setup 10
in Interface Configuration 6
in User Setup 12
overview 13
resetting
for groups 40
for single users 39
user-changeable passwords
overview 11
with Windows user databases 17
user databases
See databases
User Data Configuration 4
user groups
See groups
user guide
online 19
user-level
downloadable ACLs interface 5
network access restrictions
See also network access restrictions
enabling in interface 5
User Password Changes log location 11
users
See also User Setup
adding
basic steps 3
methods 2
assigning client IP addresses to 7
assigning to a group 5
callback options 6
configuring 1
configuring device management command authorization sets for 20
configuring PIX command authorization sets for 19
configuring shell command authorization sets for 17
customized data fields 4
data configuration
See User Data Configuration
deleting 7
deleting accounts 38
disabling accounts 3
finding 37
import methods 2
in multiple databases 4
listing all users 37
number allowed 10
number of 20
RDBMS synchronization 18
relationship to groups 4
removing dynamic 40
resetting accounts 39
saving settings 41
supplementary information 4
troubleshooting 14
types
discovered 2
known 2
unknown 2
VPDN dialup 1
User Setup
account management tasks 36
basic options 2
configuring 1
deleting user accounts 38
saving settings 41
Users in Group button 40
V
validation of passwords 4
vendors
adding audit 25
vendor-specific attributes
See RADIUS VSAs (vendor specific attributes)
vendor-specific attributes (VSAs) 4
viewing logs and reports
See logging
Virtual Private Dial-Up Networks (VPDNs) 12
Voice-over-IP
See VoIP (Voice-over-IP)
VoIP (Voice-over-IP)
accounting configuration 7, 15
Accounting log
enabling CSV log 11
viewing 12
enabling in interface 6
group settings in Interface Configuration 6
in Group Setup 4
VoIP (Voice-over-IP) Accounting log
configuring
CSV (comma-separated values) 14
ODBC 17
CSV (comma-separated values) file directory 11
enabling
ODBC 17
VPDN
advantages 6
authentication process 1
domain authorization 2
home gateways 2
IP addresses 2
tunnel IDs 2
users 1
VSAs
See RADIUS VSAs (vendor specific attributes)
W
warning events 4, 5
warnings
significance of 27
watchdog packets
configuring on AAA clients 12
configuring on AAA servers 17
logging 3
web interface
See also Interface Configuration
layout 16
security 15
uniform resource locator 18
Windows Callback 18
Windows Database Callback 18
Windows operating systems
authentication order 5
Cisco Secure ACS-related services
services 2
dial-up networking 7
dial-up networking clients
domain field 7
password field 7
username field 7
Domain List effect 5
domains
domain names 9, 4
Event logs 5
Registry 2
Windows Services 20
CSAdmin 20
CSAuth 20
CSDBSync 20
CSLog 20
CSMon 20
CSRadius 20
CSTacacs 20
overview 20
Windows user database 7
passwords 8
Windows user databases
See also databases
Active Directory 18
configuring 21
Domain list
inadvertent user lockouts 21
domain mapping 6
domains
trusted 7
grant dial-in permission to users 6, 18
group mappings
editing 6
limitations 3
no access groups 4
remapping 6
mapping database groups to AAA groups 3
overview 5
password aging 19
rejection mode 4
request handling 4
trust relationships 7
user-changeable passwords 17
user manager 18
wireless network topologies 4