User Guide for Cisco Secure ACS for Windows 4.0
Index

A

AAA     1-1

See also AAA clients

See also AAA servers

pools for IP address assignment     7-7

AAA clients     1-1

adding and configuring     4-11

configuring     4-7

deleting     4-14

editing     4-13

IP pools     7-7

multiple IP addresses for     4-8

number of     1-20

searching for     4-6

table     4-1

timeout values     16-6

AAA protocols

TACACS+ and RADIUS     1-3

AAA servers     1-3

adding     4-16

configuring     4-15

deleting     4-19

editing     4-18

enabling in interface (table)     3-6

functions and concepts     1-2

in distributed systems     4-2

master     9-2

overview     4-15

primary     9-2

replicating     9-2

searching for     4-6

secondary     9-2

troubleshooting     A-1

accessing Cisco Secure ACS

how to     3-3

URL     1-18

with SSL enabled     1-18

access policies

See administrative access policies

accountActions table     9-19, 9-20

account disablement

Account Disabled check box     7-3

manual     7-38

resetting     7-39

setting options for     7-13

accounting

See also logging

administrative     1-15

overview     1-14

RADIUS     1-15

TACACS+     1-15

ACLs

See downloadable IP ACLs

ACS

additional features     1-4

extended replication components     1-5

features, functions and concepts     1-2

internal database     1-3

introduction to     1-1

managing and administrating     1-15

scalability improvements     1-5

specifications     1-19

Windows Services     1-20

ACS internal database

See also databases

overview     13-1

password encryption     13-2

ACS internal database replication

See replication

action codes

for creating and modifying user accounts     F-4

for initializing and modifying access filters     F-9

for modifying network configuration     F-17

for modifying TACACS+ and RADIUS settings     F-12

for setting and deleting values     F-4

in accountActions     F-3

Active Service Management

See Cisco Secure ACS Active Service Management

adding

external servers     14-24

ADF

importing for vendors     14-5

Administration Audit log

configuring     11-9

CSV file directory     11-11

viewing     11-12

Administration Control

See also administrators

audit policy setup     12-12

administrative access policies

See also administrators

configuring     12-9

limits     12-8

options     12-8

overview     2-8

administrative accounting     1-15

administrative sessions

and HTTP proxy     3-2

network environment limitations of     3-1

session policies     12-11

through firewalls     3-2

through NAT (network address translation)     3-2

administrators

See also Administration Audit log

See also Administration Control

See also administrative access policies

adding     12-4

deleting     12-7

editing     12-5

locked out     12-7

locking out     12-11

overview     12-1

privileges     12-2

separation from general users     2-9

troubleshooting     A-2

unlocking     12-7

advanced options in interface     3-7

AES 128 algorithm     13-2

age-by-date rules for groups     6-18

Aironet

AAA client configuration     4-9

RADIUS parameters for group     6-30

RADIUS parameters for user     7-28

ARAP     1-9

in User Setup     7-4

attribute definition file

See also ADF     14-5

attributes

enabling in interface     3-4

group-specific (table)     F-24

logging of user data     11-2

per-group     3-4

per-user     3-4

user-specific (table)     F-24

attribute-value pairs

See AV (attribute value) pairs

audit policies

See also Administration Audit log

overview     12-12

audit server

functionality     15-40

audit servers

setting up     14-25

authentication     1-6

configuration     10-19

configuring policies     15-27

considerations     1-6

denying unknown users     16-9

functionality     A-12

options     10-19

overview     1-6

protocol-database compatibility     1-7

request handling     16-3

user databases     1-7

via external user databases     13-4

Windows     13-8

authorization     1-12

configuring policies     15-43

ordering rules     15-46

rules     15-43

sets

See command authorization sets

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

RADIUS

Cisco IOS     C-3

IETF     C-11

TACACS+

accounting     B-3

general     B-1

Available Credentials     15-38

B

Backup and Restore log directory

See Cisco Secure ACS Backup and Restore log

backups

components backed up     8-8

directory management     8-8

disabling scheduled     8-10

filenames     8-11

locations     8-8

manual     8-9

options     8-9

overview     8-7

reports     8-8

scheduled vs. manual     8-7

scheduling     8-9

vs. replication     9-6

with CSUtil.exe     D-3

browsers

troubleshooting     A-3

C

cached users

See discovered users

CA configuration     10-27

callback options

in Group Setup     6-5

in User Setup     7-6

cascading replication     9-4, 9-9

cautions

significance of     xxvii

certificate authority, trusted root     14-13

certificate trust list

See CTL

certification

See also EAP-TLS

See also PEAP

adding certificate authority certificates     10-27

background     10-1

backups     8-8

Certificate Revocation Lists     10-28

certificate signing request generation     10-31

editing the certificate trust list     10-27

replacing certificate     10-35

self-signed certificates

configuring     10-34

NAC     14-5

overview     10-33

server certificate installation     10-25

updating certificate     10-35

Certification Revocation List (CRL)     1-5

CHAP     1-9

in User Setup     7-4

Cisco

Identity-Based Networking Services (IBNS)     1-2

Cisco IOS

RADIUS

AV (attribute value) pairs     C-2

group attributes     6-28

user attributes     7-26

TACACS+ AV (attribute value) pairs     B-1

troubleshooting     A-3

Cisco NAC support     1-4

Cisco Secure ACS Active Service Management

event logging configuration     8-15

overview     8-13

system monitoring

configuring     8-14

custom actions     8-14

Cisco Secure ACS Active Service Monitoring logs

file location     11-11

viewing     11-12

Cisco Secure ACS administration overview     1-15

Cisco Secure ACS Backup and Restore log

CSV (comma-separated values) file directory     11-11

viewing     11-12

Cisco Secure ACS backups

See backups

Cisco Secure ACS system restore

See restore

CiscoSecure Authentication Agent     6-16

CLID-based filters     5-19

cloning

Network Access Profiles     15-9

policies or rules     14-21

codes

See action codes

command authorization sets

See also shell command authorization sets

adding     5-28

configuring     5-24, 5-28

deleting     5-30

editing     5-29

overview     5-24

pattern matching     5-27

PIX command authorization sets     5-24

command-line database utility

See CSUtil.exe

condition sets, defining     14-19

configuring

internal policies     14-18

configuring advanced filtering

Network Access Profiles     15-7

conventions     xxvi

copying

policies or rules     14-21

creating

external servers     14-24

Credential Validation Databases     15-30

CRLs     10-28

CSAdmin

Windows Services     1-20

CSAuth

Windows Services     1-20

CSDBSync     9-19

Windows Services     1-20

CSLog

Windows Services     1-20

CSMon

See also Cisco Secure ACS Active Service Management

Cisco Secure ACS Service Monitoring logs     11-23

configuration     G-4

log     G-5

Windows Services     1-20

CSNTacctInfo     13-40, 13-41, 13-42

CSNTAuthUserPap     13-38

CSNTerrorString     13-40, 13-41, 13-42

CSNTExtractUserClearTextPw     13-39

CSNTFindUser     13-39

CSNTgroups     13-40, 13-41, 13-42

CSNTpasswords     13-40, 13-41

CSNTresults     13-40, 13-41, 13-42

CSNTusernames     13-40, 13-41, 13-42

CSRadius     G-6

Windows Services     1-20

CSTacacs     G-6

Windows Services     1-20

CSUtil.exe

decoding error numbers with     D-17

import text file (example)     D-15

overview     D-1

CSV (comma-separated values) files

downloading     11-12

filename formats     11-10

logging format     11-1

viewing     11-12

CTL

external policy servers

CTL editing     10-27

custom attributes

in group-level TACACS+ settings     6-22

in user-level TACACS+ settings     7-16

customer support

collecting data for     11-25

D

database group mappings

configuring

for token servers     17-2

for Windows domains     17-6

no access groups     17-4

order     17-8

deleting

group set mappings     17-7

Windows domain configurations     17-7

Database Replication log

CSV (comma-separated values) file directory     11-11

viewing     11-12

databases

See also external user databases

ACS internal database     13-1

authentication search process     16-3

compacting     D-8

deleting     13-54

deployment considerations     2-10

external

See also external user databases

See also Unknown User Policy

replication

See replication

search order     16-7

search process     16-7

selecting user databases     13-1

synchronization

See RDBMS synchronization

token cards

See token servers

troubleshooting     A-6, A-14

types

See generic LDAP user databases

See LEAP proxy RADIUS user databases

See Novell NDS user databases

See ODBC features

See RADIUS user databases

See RSA user databases

unknown users     16-1

user databases     7-2

user import methods     13-2

Windows user databases     13-5

data source names

configuring for ODBC logging     11-17

for RDBMS synchronization     9-24

using with ODBC databases     13-34, 13-43, 13-44

data types, NAC attribute     14-8

date format control     8-3

DbSync log directory     11-11

debug logs

detail levels     11-24

frequency     11-24

default group

in Group Setup     6-2

mapping for Windows     17-4

default time-of-day/day-of-week specification     3-6

default time-of-day access settings for groups     6-5

deleting     15-10

external audit servers     14-27

external servers     14-25

logged-in users     11-7

Network Access Profiles     15-10

policies or rules     14-23

deployment

overview     2-1

sequence     2-11

device command sets

See command authorization sets

device management applications support     1-13

DHCP with IP pools     9-29

dial-in permission to users in Windows     13-18

dial-in troubleshooting     A-8

dial-up networking clients     13-7

dial-up topologies     2-2

digital certificates

See certification

Disabled Accounts report

viewing     11-8

Disabled Accounts reports

description     11-6

discovered users     16-2

Distinguished Name Caching     13-26

distributed systems

See also proxy

AAA servers in     4-2

overview     4-2

settings

configuring     4-23

default entry     4-3

enabling in interface     3-6

distribution table

See Proxy Distribution Table

DNIS-based filters     5-19

documentation

conventions     xxvi

objectives     xxv

online     1-18

related     xxviii

Domain List

configuring     13-21

inadvertent user lockouts     13-9, 13-21

overview     13-9

unknown user authentication     16-5

domain names

Windows operating systems     13-9

downloadable IP ACLs     1-5

adding     5-15

assigning to groups     6-22

assigning to users     7-14

deleting     5-17

editing     5-16

enabling in interface

group-level     3-6

user-level     3-5

overview     5-13

draft-ietf-radius-tunnel-auth     1-3

dump files

loading a database from a dump file     D-7

dynamic usage quotas     1-13

dynamic users

removing     7-40

E

EAP (Extensible Authentication Protocol)

Configuration     15-29

overview     1-9

supported protocols     1-9

with Windows authentication     13-10

EAP authentication

protocol     1-8

EAP-FAST     1-9

enabling     10-17

identity protection     10-10

logging     10-9

master keys

definition     10-10

states     10-10

master server     10-16

overview     10-8

PAC

automatic provisioning     10-13

definition     10-11

manual provisioning     10-14

refresh     10-15

states     10-13

password aging     6-20

phases     10-9

replication     10-15

EAP-Flexible Authentication via Secure Tunneling (FAST)     1-5

EAP-TLS     1-9

See also certification

authentication configuration     10-19

comparison methods     10-3

domain stripping     13-10

enabling     10-4

limitations     10-4

options     10-21, 10-24

overview     10-2

editing

external audit servers     14-26

external posture validation servers     14-25

internal policies     14-20

Network Access Profiles     15-9

enable password options for TACACS+     7-23

enable privilege options for groups     6-13

entity field     14-8

error number decoding with CSUtil.exe     D-17

Event log

configuring     8-15

exception events     G-5

exception events     G-5

exemption list

external audit     14-15

exports

of user lists     D-15

Extensible Authentication Protocol

See EAP (Extensible Authentication Protocol)

Extensible Authentication Protocol (EAP)     1-2

external audit policy

what triggers an     14-15

external audit server

setting up     14-25

external audit servers

about     14-14

deleting     14-27

editing     14-26

external policies     14-11

exemption list support     14-15

external servers

creating     14-24

deleting     14-25

editing     14-25

external token servers

See token servers

external user databases

See also databases

authentication via     13-4

configuring     13-3

deleting configuration     13-54

latency factors     16-6

search order     16-6, 16-8

supported     1-7

Unknown User Policy     16-1

F

Failed Attempts log

configuring

CSV (comma-separated values)     11-14

ODBC     11-17

CSV (comma-separated values) file directory     11-11

enabling

log     11-11

ODBC     11-17

viewing     11-12

failed log-on attempts     G-5

failure events

customer-defined actions     G-5

predefined actions     G-5

fallbacks on failed connection     4-4

finding users     7-37

G

gateways     E-2

Generic LDAP     1-7

generic LDAP user databases

authentication     13-22

configuring

database     13-30

options     13-26

directed authentications     13-24

domain filtering     13-24

failover     13-25

mapping database groups to AAA groups     17-3

multiple instances     13-23

organizational units and groups     13-23

Global Authentication Setup     10-19

global authentication setup

enabling posture validation     14-5

grant dial-in permission to users     13-6, 13-18

greeting after login     6-18

group-level interface enabling

downloadable IP ACLs     3-6

network access restrictions     3-6

network access restriction sets     3-6

password aging     3-6

group-level network access restrictions

See network access restrictions

groups

See also network device groups

assigning users to     7-5

configuring RADIUS settings for

See RADIUS

Default Group     6-2, 17-4

enabling VoIP (Voice-over-IP) support for     6-4

exporting group information     D-16

listing all users in     6-40

mapping order     17-8

mappings     17-1

no access groups     17-4

overriding settings     3-4

relationship to users     3-4

renaming     6-40

resetting usage quota counters for     6-40

settings for

callback options     6-5

configuration-specific     6-12

configuring common     6-3

device management command authorization sets     6-26

enable privilege     6-13

IP address assignment method     6-21

management tasks     6-39

max sessions     6-9

network access restrictions     6-6

password aging rules     6-15

PIX command authorization sets     6-25

shell command authorization sets     6-24

TACACS+     6-2, 6-3, 6-22

time-of-day access     6-5

token cards     6-14

usage quotas     6-10

setting up and managing     6-1

specifications by ODBC authentications     13-40, 13-41, 13-42

H

handle counts     G-5

hard disk space     G-4

host system state     G-4

HTML interface

encrypting     12-9

logging off     3-3

HTTP port allocation

configuring     12-9

for administrative sessions     1-16

HTTPS     12-9

I

IEEE 802.1x     1-2

IETF 802.1x     1-9

IETF RADIUS attributes     1-4

importing passwords     D-9

imports with CSUtil.exe     D-9

inbound

authentication     1-10

password configuration     1-10

installation

related documentation     xxviii

troubleshooting     A-11

Interface Configuration

See also HTML interface

advanced options     3-5

configuring     3-1

customized user data fields     3-4

security protocol options     3-9

internal architecture     G-1

internal policies

configuration options     14-10

editing     14-20

rules     14-10

steps to set up     14-18

IP ACLs

See downloadable IP ACLs

IP addresses

in User Setup     7-7

multiple IP addresses for AAA client     4-8

requirement for CSTacacs and CSRadius     G-6

setting assignment method for user groups     6-21

IP pools

address recovery     9-33

deleting     9-32

DHCP     9-29

editing IP pool definitions     9-31

enabling in interface     3-6

overlapping     9-29, 9-30

refreshing     9-30

resetting     9-32

servers

adding IP pools     9-30

overview     9-28

replicating IP pools     9-29

user IP addresses     7-7

L

LAN manager     1-9

latency in networks     2-10

LDAP

Admin Logon Connection Management     13-26

Distinguished Name     13-26

LEAP     1-9

LEAP proxy RADIUS user databases

configuring external databases     13-47

group mappings     17-1

overview     13-46

RADIUS-based group specifications     17-8

list all users

in Group Setup     6-40

in User Setup     7-37

local policies

See internal policies

log files

storage directory     8-3

Logged-In Users report

deleting logged-in users     11-7

description     11-6

viewing     11-7

logging

See also Reports and Activity

accounting logs     11-4

Administration Audit log     11-9

administration reports     11-6

configuring     11-15

CSV (comma-separated values) files     11-1

custom RADIUS dictionaries     9-2

debug logs

detail levels     11-24

frequency     11-24

Disabled Accounts reports     11-6

domain names     11-2

external user databases     11-2

Failed Attempts logs     11-4

formats     11-1

Logged-In Users reports     11-6

ODBC logs

enabling in interface     3-7

overview     11-1

working with     11-16

overview     11-4

Passed Authentication logs     11-4

RADIUS logs     11-4

RDBMS synchronization     9-2

remote logging

centralized     11-20

configuring     11-21

disabling     11-22

enabling in interface     3-6

logging hosts     11-19

options     11-21

overview     11-19

service logs     A-12

services

configuring service logs     11-24

list of logs generated     11-23

system logs     11-8

TACACS+ logs     11-4

troubleshooting     A-12

user data attributes     11-2

VoIP logs     11-4

watchdog packets     11-3

login process test frequency     8-13

logins

greeting upon     6-18

password aging dependency     6-17

logs

See logging

See Reports and Activity

M

MAC-Authentication Bypass     15-29

Machine Access Restrictions (MAR)     1-6

machine authentication

enabling     13-16

overview     13-11

with Microsoft Windows     13-14

management application support     1-13

mappings

database groups to AAA groups     17-3

databases to AAA groups     17-1

master AAA servers     9-2

master key

definition     10-10

states     10-10

max sessions     1-12

enabling in interface     3-6

group     1-12

in Group Setup     6-9

in User Setup     7-11

overview     1-12

troubleshooting     A-11

user     1-12

memory utilization     G-4

monitoring

configuring     8-14

CSMon     G-4

overview     8-13

MS-CHAP     1-9

configuring     10-19

overview     1-9

protocol supported     1-8

multiple IP addresses for AAA clients     4-8

N

NAC     1-2

agentless host (See also NAH)     14-14

attributes

about     14-7

adding     D-28

data types     14-8

deleting     D-28

exporting     D-28

configuring ACS for support for     14-4

credentials

about     14-7

implementing     14-4

logging     14-5

overview

policies

about     14-18

external     14-11

internal     14-9

results     14-18

remediation server

url-redirect attribute     C-6

rules

about     14-10, 15-6

default     14-11

operators     15-6

self-signed certificates     14-5

tokens

definition     14-3

descriptions of     14-3

returned by internal policies     14-9

NAC Agentless Host     15-25

NAC L2 IP     15-17

NAC L3 IP     15-15

NAFs

See network access filters

NAH

policies     14-14

NAR

See network access restrictions

NAS

See AAA clients

Network Access Filter (NAF)

editing     5-5

Network Access Filters (NAF)     1-6, 15-4

adding     5-3

deleting     5-6

overview     5-2

Network Access Profiles     1-5, 15-1, 15-10, 15-28

cloning     15-9

configuring advanced filtering     15-7

editing     15-9

setting up     15-3

network access quotas     1-13

network access restrictions

deleting     5-23

editing     5-22

enabling in interface

group-level     3-6

user-level     3-5

in Group Setup     6-6

interface configuration     3-6

in User Setup     6-6, 7-8

non-IP-based filters     5-19

overview     5-18

network access servers

See AAA clients

Network Admission Control

See NAC

network configuration     4-1

network device groups

adding     4-20

assigning AAA clients to     4-21

assigning AAA servers to     4-21

configuring     4-19

deleting     4-22

enabling in interface     3-6

reassigning AAA clients to     4-21

reassigning AAA servers to     4-21

renaming     4-22

network devices

searches for     4-6

networks

latency     2-10

reliability     2-10

network topologies

deployment     2-2

wireless     2-4

noncompliant devices     1-2

non-EAP authentication

protocol     1-7

Novell NDS user databases

mapping database groups to AAA groups     17-3

O

ODBC features

accountActions table     9-21

authentication

CHAP     13-37

EAP-TLS     13-37

overview     13-34

PAP     13-37

preparation process     13-36

process with external user database     13-35

result codes     13-43

case-sensitive passwords     13-38

CHAP authentication sample procedure     13-39

configuring     13-44

data source names     11-17, 13-34

DSN (data source name) configuration     13-43

EAP-TLS authentication sample procedure     13-39

features supported     13-35

group mappings     17-1

group specifications

CHAP     13-41

EAP-TLS     13-42

PAP     13-40

vs. group mappings     17-2

PAP authentication sample procedures     13-38

password case sensitivity     13-38

stored procedures

CHAP authentication     13-41

EAP-TLS authentication     13-42

implementing     13-37

PAP authentication     13-40

type definitions     13-38

user databases     13-34

ODBC logs

See logging

One-time Passwords (OTPs)     1-6

online documentation     1-18

online help     1-18

location in HTML interface     1-17

using     1-18

online user guide     1-19

Open Database Connectivity (ODBC)     1-7

ordering rules, in policies     14-10

outbound password configuration     1-10

overview of Cisco Secure ACS     1-1

P

PAC

automatic provisioning     10-13

definition     10-11

manual provisioning     10-14

refresh     10-15

package.cab file     11-25

PAP     1-9

in User Setup     7-4

vs. ARAP     1-9

vs. CHAP     1-9

Passed Authentications log

configuring CSV (comma-separated values)     11-14

CSV (comma-separated values) file directory     11-11

enabling CSV (comma-separated values) logging     11-11

viewing     11-12

password

automatic change password configuration     9-16

password aging     1-11

age-by-uses rules     6-17

Cisco IOS release requirement for     6-16

EAP-FAST     13-17

interface configuration     3-6

in Windows databases     6-19

MS-CHAP     13-17

overview     1-11

PEAP     13-17

rules     6-15

password configurations

basic     1-10

passwords

See also password aging

case sensitive     13-38

CHAP/MS-CHAP/ARAP     7-5

configurations

caching     1-10

inbound passwords     1-10

outbound passwords     1-10

separate passwords     1-10

single password     1-10

token caching     1-10

token cards     1-10

encryption     13-2

expiration     6-17

import utility     D-9

local management     8-4

password change log management     8-5

post-login greeting     6-18

protocols supported     1-8

remote change     8-5

user-changeable     1-11

validation options in System Configuration     8-4

pattern matching in command authorization     5-27

PEAP     1-9

See also certification

configuring     10-19

enabling     10-7

identity protection     10-6

options     10-20

overview     10-5

password aging     6-19

phases     10-6

with Unknown User Policy     10-7

performance monitoring     G-4

performance specifications     1-19

per-group attributes

See also groups

enabling in interface     3-4

per-user attributes

enabling in interface     3-4

TACACS+/RADIUS in Interface Configuration     3-5

PIX ACLs

See downloadable IP ACLs

PIX command authorization sets

See command authorization sets

PKI (public key infrastructure)

See certification

Point-to-Point Protocol (PPP)     1-20

policies

cloning     14-21

configuring     14-17

copying     14-21

deleting     14-23

external     14-11

configuration options     14-12

internal     14-9

local

See internal policies

NAH     14-14

overview     14-7

renaming     14-22

rule order     14-10

setting up an external audit server     14-25

setting up external servers     14-24

Populate from Global     15-28

Network Access Profiles     15-28

port 2002

in HTTP port ranges     12-9

in URLs     1-18

port allocation

See HTTP port allocation

ports

See also HTTP port allocation

See also port 2002

RADIUS     1-3

TACACS+     1-3

Posture Validation

for Agentless Hosts     15-41

posture validation

attributes     14-7

configuring ACS for     14-4

credentials     14-7

CTL     14-5

enabling     14-5

failed attempts log     14-5

implementing     14-4

internal policy configuration options     14-10

options     14-17

passed authentications log     14-5

policy overview     14-7

process flow     14-6

and profile-based policies     14-27

profiles, adding user groups     14-5

rule

assigning posture tokens     14-6

rules, about     14-10

server certificate requirement     14-4

Posture Validation Policies

configuring     15-35

PPP password aging     6-16

privileges

See administrators

processor utilization     G-4

profile     15-1

Profile-based Policies     15-2

profile components

See shared profile components

profiles     15-47

profile templates     15-13

protocols supported     1-8

protocol support

EAP authentication     1-8

non-EAP authentication     1-7

protocol types

Network Access Profiles     15-5

proxy

See also Proxy Distribution Table

character strings

defining     4-4

stripping     4-4

configuring     4-23

in enterprise settings     4-5

overview     4-3

sending accounting packets     4-5

troubleshooting     A-11

Proxy Distribution Table

See also proxy

adding entries     4-24

configuring     4-23

default entry     4-3, 4-24

deleting entries     4-26

editing entries     4-25

match order sorting     4-25

overview     4-23

Q

quotas

See network access quotas

See usage quotas

R

RAC and Groups     15-47

RADIUS     1-3

See also RADIUS VSAs (vendor specific attributes)

accounting     1-15

attributes

See also RADIUS VSAs (vendor specific attributes)

in User Setup     7-24

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

Cisco IOS     C-3

IETF     C-11

overview     C-1

Cisco Aironet     4-9

compliant token servers     1-7

IETF

in Group Setup     6-27

interface configuration     3-12

in User Setup     7-25

interface configuration overview     3-9

password aging     6-19

ports     1-3

specifications     1-3

token servers     13-49

troubleshooting     A-15

tunneling packets     4-12

vs. TACACS+     1-3

RADIUS Accounting log

configuring

CSV (comma-separated values)     11-14

ODBC     11-17

configuring CSV (comma-separated values)     11-12

CSV (comma-separated values) file directory     11-11

enabling

ODBC     11-17

enabling CSV (comma-separated values)     11-11

RADIUS user databases

configuring     13-50

group mappings     17-1

RADIUS-based group specifications     17-8

RADIUS VSAs (vendor specific attributes)

Ascend

in Group Setup     6-32

in User Setup     7-29

supported attributes     C-21

Cisco Aironet

in Group Setup     6-30

in User Setup     7-28

Cisco BBSM (Building Broadband Service Manager)

in Group Setup     6-38

in User Setup     7-35

supported attributes     C-10

Cisco IOS/PIX

in Group Setup     6-28

interface configuration     3-13

in User Setup     7-26

supported attributes     C-4

Cisco VPN 3000

in Group Setup     6-33

in User Setup     7-30

supported attributes     C-6

Cisco VPN 5000

in Group Setup     6-34

in User Setup     7-31

supported attributes     C-10

custom

about     9-19

in Group Setup     6-39

in User Setup     7-35

Juniper

in Group Setup     6-37

in User Setup     7-34

supported attributes     C-28

Microsoft

in Group Setup     6-35

in User Setup     7-32

supported attributes     C-19

Nortel

in Group Setup     6-36

in User Setup     7-33

supported attributes     C-28

overview     C-1

user-defined

about     9-19, D-18

action codes for     F-12

adding     D-18

deleting     D-19

import files     D-21

listing     D-20

replicating     9-19, D-18

RDBMS synchronization

accountActions table as transaction queue     9-21

configuring     9-26

data source name configuration     9-23, 9-24

disabling     9-28

enabling in interface     3-6

group-related configuration     9-18

import definitions     F-1

log

CSV (comma-separated values) file directory     11-11

viewing     11-12

manual initialization     9-25

network configuration     9-19

overview     9-17

partners     9-25

preparing to use     9-22

report and error handling     9-22

scheduling options     9-25

user-related configuration     9-18

Registry     G-2

Regular Expressions Syntax     11-14

rejection mode

general     16-3

Windows user databases     16-4

related documentation     xxviii

reliability of network     2-10

remote access policies     2-7

remote logging

See logging

Remove Dynamic Users     7-40

removing

external audit servers     14-27

external servers     14-25

policies or rules     14-23

removing dynamic users     7-40

renaming

policies     14-22

replication

ACS Service Management page     9-2

auto change password settings     9-16

backups recommended (Caution)     9-7

cascading     9-4, 9-9

certificates     9-2

client configuration     9-11

components

overwriting (Caution)     9-11

overwriting (Note)     9-7

selecting     9-8

configuring     9-14

corrupted backups (Caution)     9-7

custom RADIUS dictionaries     9-2

disabling     9-15, 9-16

EAP-FAST     10-15

encryption     9-4

external user databases     9-2

frequency     9-5

group mappings     9-2

immediate     9-12

implementing primary and secondary setups     9-10

important considerations     9-5

in System Configuration     9-14

interface configuration     3-6

IP pools     9-2, 9-29

logging     9-7

manual initiation     9-12

master AAA servers     9-2

notifications     9-16

options     9-7

overview     9-2

partners

configuring     9-15

options     9-9

process     9-3

scheduling     9-14

scheduling options     9-9

selecting data     9-8

unsupported     9-2

user-defined RADIUS vendors     9-6

vs. backup     9-6

Reports and Activity

See also logging

configuration privileges     12-4

configuring     11-15

CSV (comma-separated values) logs     11-8

in interface     1-17

overview     11-4

request handling

general     16-3

Windows user databases     16-4

Required Credential Types     15-38

resource consumption     G-5

restarting services     8-2

restore

components restored

configuring     8-12

overview     8-12

filenames     8-11

in System Configuration     8-11

on a different server     8-11

overview     8-11

performing     8-12

reports     8-12

with CSUtil.exe     D-4

RFC2138     1-3

RFC2139     1-3

RSA SecurID Token Server     1-7

RSA user databases

configuring     13-53

group mappings     17-1

rules

about     14-10

internal policy     14-10

S

search order of external user databases     16-8

security policies     2-8

security protocols

CSRadius     G-6

CSTacacs     G-6

interface options     3-9

RADIUS     1-3, C-1

TACACS+

custom commands     3-8

overview     1-3

time-of-day access     3-8

Selected Credentials     15-38

server certificate installation     10-25

service control in System Configuration     11-24

Service Monitoring logs

See Cisco Secure ACS Service Monitoring logs

services

determining status of     8-2

logs

configuring     11-24

list of logs generated     11-23

management     8-13

starting     8-2

stopping     8-2

session policies

configuring     12-11

options     12-11

overview     12-11

setting up

Network Access Profiles     15-3

shared profile components

See also command authorization sets

See also downloadable IP ACLs

See also network access filters

See also network access restrictions

overview     5-1

Shared Profile Components (SPC)     1-13

Shared RAC     15-46

shared secret     G-6

shell command authorization sets

See also command authorization sets

in Group Setup     6-24

in User Setup     7-17

Simple Network Management Protocol (SNMP)     1-12

single password configurations     1-10

SMTP (simple mail-transfer protocol)     G-5

specifications

RADIUS

RFC2138     1-3

RFC2139     1-3

system performance     1-19

TACACS+     1-3

SSL (secure socket layer)     12-9

starting services     8-2

static IP addresses     7-7

stopping services     8-2

stored procedures

CHAP authentication

configuring     13-45

input values     13-41

output values     13-41

result codes     13-43

EAP-TLS authentication

configuring     13-46

input values     13-42

output values     13-42

implementing     13-37

PAP authentication

configuring     13-45

input values     13-40

output values     13-40

result codes     13-43

sample procedures     13-38

type definitions

integer     13-38

string     13-38

supplementary user information

in User Setup     7-4

setting     7-4

support

Cisco Device-Management Applications     1-13

supported password protocols     1-8

synchronization

See RDBMS synchronization

system

configuration

advanced     9-1

authentication     10-1

basic     8-1

certificates     10-1

privileges     12-3

health     G-4

messages in interface     1-17

monitoring

See monitoring

performance specifications     1-19

services

See services

system performance

specifications     1-19

T

TACACS+     1-3

accounting     1-15

advanced TACACS+ settings

in Group Setup     6-2, 6-3

in User Setup     7-22

AV (attribute value) pairs

accounting     B-3

general     B-1

custom commands     3-8

enable password options for users     7-23

enable privilege options     7-22

interface configuration     3-7

interface options     3-9

outbound passwords for users     7-24

ports     1-3

SENDAUTH     1-10

settings

in Group Setup     6-2, 6-3, 6-22

in User Setup     7-15, 7-16

specifications     1-3

time-of-day access     3-8

troubleshooting     A-15

vs. RADIUS     1-3

TACACS+ Accounting log

configuring

CSV (comma-separated values)     11-14

ODBC     11-17

CSV (comma-separated values) file directory     11-11

enabling CSV (comma-separated values)     11-11

enabling for ODBC     11-17

viewing     11-12

TACACS+ Administration log

configuring

CSV (comma-separated values)     11-14

ODBC     11-17

CSV (comma-separated values) file directory     11-11

enabling

ODBC     11-17

enabling CSV (comma-separated values)     11-11

viewing     11-12

Telnet

See also command authorization sets

password aging     6-16

test login frequency internally     8-13

thread used     G-5

time-of-day/day-of-week specification

See also date format control

enabling in interface     3-6

timeout values on AAA clients     16-6

TLS (transport level security)

See certification

token caching     1-10, 13-49

token cards     1-20

password configuration     1-10

settings in Group Setup     6-14

token servers

ISDN terminal adapters     13-49

overview     13-49

RADIUS-enabled     13-49

RADIUS token servers     13-50

RSA     13-53

supported servers     1-7

token caching     13-49

topologies

See network topologies

troubleshooting     15-47

AAA servers     A-1

administration issues     A-2

browser issues     A-3

Cisco IOS issues     A-3

database issues     A-6

debug logs     11-23

dial-in issues     A-8

installation issues     A-11

max sessions issues     A-11

proxy issues     A-11

RADIUS issues     A-15

report issues     A-12

TACACS+ issues     A-15

third-party server issues     A-14

upgrade issues     A-11

user issues     A-14

trusted root certificate authority     14-13

trust lists

See certification

trust relationships     13-7

U

UNIX passwords     D-12

unknown service user setting     7-21

Unknown User Policy     13-18

See also unknown users

configuring     16-8

in external user databases     13-2, 16-7

turning off     16-9

unknown users

See also Unknown User Policy

authentication     16-3

authentication performance     16-6

authentication processing     16-6

network access authorization     16-6

unmatched user requests     15-10

update packets

See watchdog packets

upgrade troubleshooting     A-11

usage quotas

in Group Setup     6-10

in Interface Configuration     3-6

in User Setup     7-12

overview     1-13

resetting

for groups     6-40

for single users     7-39

user-changeable passwords

overview     1-11

with Windows user databases     13-17

user databases

See databases

User Data Configuration     3-4

user groups

See groups

user guide

online     1-19

user-level

downloadable ACLs interface     3-5

network access restrictions

See also network access restrictions

enabling in interface     3-5

User Password Changes log location     11-11

users

See also User Setup

adding

basic steps     7-3

methods     13-2

assigning client IP addresses to     7-7

assigning to a group     7-5

callback options     7-6

configuring     7-1

configuring device management command authorization sets for     7-20

configuring PIX command authorization sets for     7-19

configuring shell command authorization sets for     7-17

customized data fields     3-4

data configuration

See User Data Configuration

deleting     11-7

deleting accounts     7-38

disabling accounts     7-3

finding     7-37

import methods     13-2

in multiple databases     16-4

listing all users     7-37

number allowed     2-10

number of     1-20

RDBMS synchronization     9-18

relationship to groups     3-4

removing dynamic     7-40

resetting accounts     7-39

saving settings     7-41

supplementary information     7-4

troubleshooting     A-14

types

discovered     16-2

known     16-2

unknown     16-2

VPDN dialup     E-1

User Setup

account management tasks     7-36

basic options     7-2

configuring     7-1

deleting user accounts     7-38

saving settings     7-41

Users in Group button     6-40

V

validation of passwords     8-4

vendors

adding audit     14-25

vendor-specific attributes

See RADIUS VSAs (vendor specific attributes)

vendor-specific attributes (VSAs)     1-4

viewing logs and reports

See logging

Virtual Private Dial-Up Networks (VPDNs)     1-12

Voice-over-IP

See VoIP (Voice-over-IP)

VoIP (Voice-over-IP)

accounting configuration     3-7, 8-15

Accounting log

enabling CSV (comma-separated values) log     11-11

viewing     11-12

enabling in interface     3-6

group settings in Interface Configuration     3-6

in Group Setup     6-4

VoIP (Voice-over-IP) Accounting log

configuring

CSV (comma-separated values)     11-14

ODBC     11-17

CSV (comma-separated values) file directory     11-11

enabling

ODBC     11-17

VPDN

advantages     2-6

authentication process     E-1

domain authorization     E-2

home gateways     E-2

IP addresses     E-2

tunnel IDs     E-2

users     E-1

VSAs

See RADIUS VSAs (vendor specific attributes)

W

warning events     G-4, G-5

warnings

significance of     xxvii

watchdog packets

configuring on AAA clients     4-12

configuring on AAA servers     4-17

logging     11-3

web interface

See also Interface Configuration

layout     1-16

security     1-15

uniform resource locator     1-18

Windows Callback     13-18

Windows Database Callback     13-18

Windows operating systems

authentication order     16-5

Cisco Secure ACS-related services

services     8-2

dial-up networking     13-7

dial-up networking clients

domain field     13-7

password field     13-7

username field     13-7

Domain List effect     16-5

domains

domain names     13-9, 16-4

Event logs     G-5

Registry     G-2

Windows Services     1-20

CSAdmin     1-20

CSAuth     1-20

CSDBSync     1-20

CSLog     1-20

CSMon     1-20

CSRadius     1-20

CSTacacs     1-20

overview     1-20

Windows user database     1-7

passwords     1-8

Windows user databases

See also databases

Active Directory     13-18

configuring     13-21

Domain list

inadvertent user lockouts     13-21

domain mapping     17-6

domains

trusted     13-7

grant dial-in permission to users     13-6, 13-18

group mappings

editing     17-6

limitations     17-3

no access groups     17-4

remapping     17-6

mapping database groups to AAA groups     17-3

overview     13-5

password aging     6-19

rejection mode     16-4

request handling     16-4

trust relationships     13-7

user-changeable passwords     13-17

user manager     13-18

wireless network topologies     2-4