User Guide for Cisco Secure Access Control Server 4.1
Index


A

AAA 1

See also AAA clients

See also AAA servers

pools for IP address assignment 7

AAA clients 1

adding and configuring 11

configuring 8

deleting 14

editing 12

IP pools 7

multiple IP addresses for 8

number of 23

searching for 6

table 1

timeout values 6

AAA client times out 19

AAA protocols

TACACS+ and RADIUS 3

AAA-related logs 1

AAA servers 3

adding 16

configuring 14

deleting 18

editing 17

enabling in interface (table) 15

functions and concepts 3

in distributed systems 2

master 2

overview 14

primary 2

replicating 2

searching for 6

secondary 2

troubleshooting 1

accessing Cisco Secure ACS

how to 3

URL 21

with SSL enabled 21

accountActions File 22

accountActions table 20, 21

account disablement

Account Disabled check box 3

manual 37

resetting 39

setting options for 13

accounting

See also logging

administrative 16

overview 16

RADIUS 16

TACACS+ 16

VoIP 16

accounting logs, update packets in 28

Account Never Expires option 3

ACLs

See downloadable IP ACLs

default 12

ACS

additional features 5

features, functions and concepts 3

internal database 3

introduction to 1

managing and administrating 16

specifications 22

Windows Services 23

ACS Backup 9

ACS internal database

See also databases

overview 1

password encryption 2

replication

See replication

ACS internal database replication

See replication

ACS Restore 9

ACS State Collector utility 3

action codes

for creating and modifying user accounts 5

for initializing and modifying access filters 9

for modifying network configuration 17

for modifying TACACS+ and RADIUS settings 12

for setting and deleting values 4

in accountActions 3

Active Directory

configuration 30

Active Service Management

See Cisco Secure ACS Active Service Management

adding

external audit servers 23

external servers 21

ADF

importing for vendors 13

Administration Audit logs 5

administrative accounting 16

administrative sessions

and HTTP proxy 2

network environment limitations of 1

through firewalls 2

through NAT (network address translation) 2

Administrator Entitlements reports 12

administrator locked out 24

administrators

See also Administration Audit log

See also Administration Control

See also administrative access policies

deleting 7

locked out 3

locking out 18

unlocking 3

AES 128 algorithm 2

age-by-date rules for groups 18

Agentless Host for L2 (802.1x Fallback) 17

Agentless Request Processing 22

Aironet

AAA client configuration 10

RADIUS parameters for group 30

RADIUS parameters for user 27

appliance

configuration 20

Appliance Administration Audit logs 5

Appliance Status report 11

viewing 26

ARAP 10

attribute definition file

See also ADF 13

attributes 5

adding 40

adding external audit device types 39

definition file 37

definition file sample 44

deleting 41

dumping 43

enabling in interface 5

exporting 43

extended entity 42

extended property 43

group-specific (table) 24

logging 3

management 37

NAC (posture validation) 37

per-group 5

per-user 5

posture validation (NAC) 37

user-specific (table) 24

attribute-value pairs

See AV (attribute value) pairs

audit device types

external, adding attributes 39

audit logs 5

audit server

functionality 27

setting up 23

audit servers

setting up 23

Authenticate MAC With 41

authentication 7

configuration 19

configuring policies 24

considerations 7

denying unknown users 9

functionality 43

options 19

overview 7

protocol-database compatibility 8

request handling 3

user databases 7

via external user databases 4

Windows 7

Authentication Bypass template 17

authorization 13

configuring policies 30

ordering rules 33

rules 30

sets

See command authorization sets

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

RADIUS

Cisco IOS 3

IETF 11

TACACS+

accounting 3

general 1

Available Credentials 42

AV pairs 11

B

backup

internal database 9

Backup and Restore logs 5

backups

components backed up 8

directory management 8

disabling scheduled 12

filename 7

filenames 13

locations 8

manual 9

options 9

overview 7

reports 8

scheduled vs. manual 7

scheduling 11

vs. replication 6

with CSUtil.exe 3

browser access 16

browsers

See also web interface 20

C

cab file 24

cached users

See discovered users

CA configuration 26

callback options

in Group Setup 5

in User Setup 6

cascading replication 4, 9

cautions

significance of 35

certificate database for LDAP servers 47

DB path 29

trusted root CA 29

certificate trust list

See CTL

certification

See also EAP-TLS

See also PEAP

adding certificate authority certificates 24

background 1

backups 8

Certificate Revocation Lists 27

certificate signing request generation 29

editing the certificate trust list 26

replacing certificate 34

self-signed certificates

configuring 33

NAC 13

overview 31

server certificate installation 21

updating certificate 34

Change Password page 4

CHAP 10

Cisco

Identity-Based Networking Services (IBNS) 2

Cisco IOS

RADIUS

AV (attribute value) pairs 2

group attributes 28

user attributes 25

TACACS+ AV (attribute value) pairs 1

Cisco NAC support 6

Cisco Secure ACS Active Service Management

event logging configuration 19

overview 17

system monitoring

configuring 18

custom actions 18

Cisco Secure ACS administration overview 16

Cisco Secure ACS backups

See backups

Cisco Secure ACS system restore

See restore

CiscoSecure Authentication Agent 16

Cisco Security Agent 17

See also CSAgent

integration 17

logging 18

policies 18

restrictions 18

viewing logs 25

CLI commands

for troubleshooting 11

CLID-based filters 20

cloning

Network Access Profiles 5

policies or rules 19

codes

See action codes

command authorization sets

See also shell command authorization sets

adding 29

configuring 25, 29

deleting 31

editing 30

overview 25

pattern matching 28

PIX command authorization sets 25

command-line database utility

See CSUtil.exe

compacting the database 10

compliance support 5

condition sets, defining 16

configuration provider

remote agent logs on 19

configuring

internal policies 16

configuring advanced filtering

Network Access Profiles 2

conventions 34

copying

policies or rules 19

creating

external servers 21

credentials 5

Credential Validation Databases 25, 41

critical loggers 13

Critical Loggers Configuration Page 29

CRLs 27

CSAdmin

Windows Services 23

CSAdmin service 2

CSAgent

behavior 18

disabling 23

enabling 23

logging 18

overview 18

policies 18

CSAgent service 18, 2

CSAuth

Windows Services 23

CSDBSync 20

Windows Services 23

CSLog 13

Windows Services 23

CSMon 13

See also Cisco Secure ACS Active Service Management

configuration 4

log 5

Windows Services 24

CSNTacctInfo 40, 41, 43

CSNTAuthUserPap 39

CSNTerrorString 40, 42, 43

CSNTExtractUserClearTextPw 39

CSNTFindUser 40

CSNTgroups 40, 41, 43

CSNTpasswords 40, 42

CSNTresults 40, 41, 43

CSNTusernames 40, 41, 42

CSRadius 6

Windows Services 24

CSTacacs 6

Windows Services 24

CSUtil.exe

add and delete posture validation attributes 28

adding external audit device type attributes 39

backing up with 3

cleaning up database with 8

decoding error numbers with 17

dumping database file with 6

exporting data with 15

exporting group information with 16

for troubleshooting 8

import text file (example) 15

initializing database with 5

loading database file with 7

overview 1

restoring with 4

updating database with 9

CSV (comma-separated values) logs

configuring 14

downloading 24

enabling and disabling 14

filename formats 22

locations 6

logging to 6

size and retention 7

viewing 22

CSV log File Configuration Page 31

CTL

external policy servers

editing 26

custom attributes

in group-level TACACS+ settings 22

in user-level TACACS+ settings 15

customer support

collecting data for 20

providing package.cab file 20

D

database

compacting 10

database files 8

database group mappings

configuring

for token servers 2

for Windows domains 6

no access groups 4

order 8

deleting

group set mappings 7

Windows domain configurations 7

Database Replication logs 5

databases

See also external user databases

ACS internal database 1

authentication search process 3

cleaning up 8

deleting 55

external

See also external user databases

See also Unknown User Policy

initializing 5

remote agent selection 17

replication

See replication

search order 7

search process 7

selecting user databases 1

synchronization

See RDBMS synchronization

token cards

See token servers

types

See generic LDAP user databases

See LEAP proxy RADIUS user databases

See Novell NDS user databases

See ODBC features

See RADIUS user databases

See RSA user databases

unknown users 1

user databases 2

user import methods 2

Windows user databases 5

data source names

for ODBC logging 9

for RDBMS synchronization 26

using with ODBC databases 35, 44, 45

data types, NAC attribute 6

date and time setting 21

date format control 3

debug logs, detail levels 20

default ACLs 12

default group

in Group Setup 2

mapping for Windows 4

default time-of-day/day-of-week specification 14

default time-of-day access settings for groups 5

deleting 6

external audit servers 25

external servers 22

logged-in users 25

Network Access Profiles 6

policies or rules 20

device command sets

See command authorization sets

device management applications support 14

DHCP with IP pools 33

diagnostic logs 25, 12

dial-in permission to users in Windows 17

dial-up networking clients 6, 7

digital certificates

See certification

Disabled Accounts report 11

viewing 26

discovered users 2

Distinguished Name Caching 26

distributed systems

See also proxy

AAA servers in 2

overview 2

settings

configuring 28

default entry 3

enabling in interface 15

distribution table

See Proxy Distribution Table

DNIS-based filters 20

documentation

conventions 34

objectives 33

online 22

related 36, 24

Domain List

configuring 21

inadvertent user lockouts 9, 21

overview 9

unknown user authentication 5

domain name and hostname configuration 22

domain names

Windows operating systems 8, 9

downloadable ACLs 9

downloadable IP ACLs

adding 15

assigning to groups 21

assigning to users 14

deleting 17

editing 16

enabling in interface

group-level 15

user-level 14

overview 13

draft-ietf-radius-tunnel-auth 4

dump files

loading a database from 7

loading a database to 6

dump text file 10

dynamic administration logs 10

viewing 25

dynamic usage quotas 14

dynamic users

removing 39

E

EAP (Extensible Authentication Protocol)

configuration 23

overview 10

supported protocols 10

with Windows authentication 10

EAP authentication

protocol 8

EAP-FAST 10

enabling 17

identity protection 10

logging 9

master keys

definition 10

states 10

master server 17

overview 9

PAC

automatic provisioning 14

definition 11

manual provisioning 14

refresh 15

states 13

password aging 20

phases 9

replication 16

EAP logging 8

EAPoUDP failure 22

EAPoUDP support 22

EAP-TLS 10

See also certification

authentication configuration 19

comparison methods 3

enabling 4

limitations 4

options 36

overview 2

with RADIUS Key Wrap 23

editing

external audit servers 24

external posture validation servers 22

internal policies 18

Network Access Profiles 5

enable password options for TACACS+ 23

enable privilege options for groups 13

entitlement reports 11

entity field 6

error codes 46

error number decoding with CSUtil.exe 17

Event log

configuring 19

exception events 5

event logging 19

exception events 5

exemption list

external audit 10

Expanded agentless support 6

exports

of user lists 15

Extensible Authentication Protocol

See EAP (Extensible Authentication Protocol)

Extensible Authentication Protocol (EAP) 2

external audit policy

what triggers an 10

external audit server

setting up 23

external audit servers

about 9

adding 23

deleting 25

editing 24

external policies 8

exemption list support 10

external servers

creating 21

deleting 22

editing 22

external token servers

See token servers

external user databases

See also databases

authentication via 4

configuring 3

deleting configuration 55

latency factors 6

search order 6, 8

supported 7

Unknown User Policy 1

F

Failed Attempts logs 2

failed log-on attempts 5

failure events

customer-defined actions 6

predefined actions 6

fallbacks on failed connection 4

finding users 36

FTP server 7

FTP setup options 26

G

GAME/HCAP messages 5

GAME Group Feedback 6

gateways 2

Generic LDAP 7

generic LDAP user databases

authentication 22

certificate database downloading 47

configuring

database 30

options 26

directed authentications 24

domain filtering 24

failover 25

mapping database groups to AAA groups 3

multiple instances 23

organizational units and groups 23

Global Authentication Setup 19

global authentication setup

enabling posture validation 13

grant dial-in permission to users 6, 17

greeting after login 17

group-level interface enabling

downloadable IP ACLs 15

network access restrictions 15

network access restriction sets 15

password aging 15

group-level network access restrictions

See network access restrictions

group mapping problem 29

groups

See also network device groups

assigning users to 5

configuring RADIUS settings for

See RADIUS

Default Group 2, 4

enabling VoIP (Voice-over-IP) support for 4

exporting group information 16

listing all users in 39

mapping order 8

mappings 1

no access groups 4

overriding settings 4

relationship to users 4

renaming 40

resetting usage quota counters for 40

settings for

callback options 5

configuration-specific 12

configuring common 3

device management command authorization sets 26

enable privilege 13

IP address assignment method 20

management tasks 39

max sessions 9

network access restrictions 6

password aging rules 15

PIX command authorization sets 25

shell command authorization sets 23

TACACS+ 2, 3, 22

time-of-day access 5

token cards 14

usage quotas 10

setting up and managing 1

specifications by ODBC authentications 40, 41, 43

H

handle counts 5

hard disk space 4

HCAP errors 4

host and domain names configuration 22

host system state 4

HTML interface

logging off 4

HTTP port allocation

for administrative sessions 19

I

IEEE 802.1x 2, 10

IETF RADIUS attributes 4

importing passwords 9

imports with CSUtil.exe 9

inbound

authentication 11

password configuration 11

installation

related documentation 36, 24

Interface Configuration

See also HTML interface

advanced options 5

configuring 1

customized user data fields 5

interface security settings 5

Internal ACS Database 41

internal architecture 1

internal policies

editing 18

steps to set up 16

IP ACLs

See downloadable IP ACLs

IP addresses

in User Setup 7

multiple, for AAA client 8

requirement for CSTacacs and CSRadius 6

setting assignment method for user groups 20

IP pools

address recovery 37

deleting 36

DHCP 33

editing IP pool definitions 35

enabling in interface 15

overlapping 33, 34

refreshing 34

resetting 35

servers

adding IP pools 34

overview 32

replicating IP pools 32

user IP addresses 7

J

Japanese Microsoft Windows support 7

K

Key Wrap 6

configuring for AAA client 9

configuring for NDG 24

key wrap

enabling 24

Key Wrap, RADIUS 23

L

LAN Manager 10

LDAP

Admin Logon Connection Management 26

Distinguished Name 26

group attributes 22

LDAP Server 41

LEAP 10

LEAP authentication failure 20

LEAP proxy RADIUS user databases

configuring external databases 48

group mappings 1

overview 48

RADIUS-based group specifications 8

list all users

in Group Setup 39

in User Setup 36

local policies

See internal policies

log files

Remote Agent 6

storage directory 3

Windows services 5

Logged-In Users report 11

deleting logged-in users 25

viewing 25

logging 1

attributes 3

configuring logs 1

configuring CSV (comma-separated values) 14

configuring ODBC 15

configuring remote logging server 17

configuring service logs 20

configuring syslog 15

critical loggers 13

CSAgent 18

CSV (comma-separated values) 6

custom RADIUS dictionaries 2

debug logs, detail levels 20

diagnostic logs 25

enabling and disabling ODBC 16

enabling CSV (comma-separated values) 14

enabling syslog 15

formats and targets 5

ODBC 8

RDBMS synchronization 2

remote, configuring ACS to send data to 17

remote, configuring and enabling 16

remote, for ACS for Windows 9

remote, hosts for 9

remote agents, configuring logs on configuration provider 19

remote agents, configuring to 18

remote agents, sending data to 18

remote agents for ACS SE 10

See also logs

See also reports

service logs 12, 44

service logs for customer support 20

syslog 7

watchdog packets 28

Logging Configuration Page 28

logging service 13

Login Process Fail page 3

login process test frequency 17

logins

greeting upon 17

password aging dependency 17

logs 1

AAA-related 1

Administration Audit 5

Appliance Administration Audit 5

audit 5

Backup and Restore 5

Database Replication 5

dynamic administration 10

Failed Attempts 2

logged-in users 11

Passed Authentications 2

RADIUS accounting 2

RDBMS Synchronization 5

See also logging

See also reports

service 12

Service Monitoring 5

TACACS+ accounting 2

TACACS+ administration 2

User Password Changes 5

viewing and downloading 21

VOIP accounting 2

M

MAC address

standard formats 22

MAC Authentication Bypass 5

audit support 6

MAC Exceptions

audit verifications 6

machine authentication

enabling 15

overview 10

with Microsoft Windows 13

management application support 14

mappings

database groups to AAA groups 3

databases to AAA groups 1

master AAA servers 2

master key

definition 10

states 10

max sessions 13

enabling in interface 15

group 14

in Group Setup 9

in User Setup 11

overview 13

user 13

member server 6, 8

memory utilization 4

monitoring

configuring 18

CSMon 4

overview 17

service 13

services 25

MS-CHAP 10

configuring 19

overview 10

protocol supported 9

multiple IP addresses for AAA clients 8

N

NAC 2

agentless hosts 9

attributes

about 5

data types 6

deleting 28

exporting 28

configuring ACS for support for 12

credentials

about 5

implementing 4

logging 13

overview

policies

about 16

external 8

internal 7

results 16

remediation server

url-redirect attribute 6

rules

about 8

default 29

self-signed certificates 13

tokens

definition 3

descriptions of 3

returned by internal policies 7

NAC Agentless Host 18

NAC L2 IP 11

NAC L3 IP 8

NAFs

See network access filters

NAR

See network access restrictions

NAS

See AAA clients

NAT environment 7

Network Access Filter (NAF)

editing 5

Network Access Filters (NAF) 2

adding 3

deleting 6

overview 2

Network Access Profiles 1, 6, 22

cloning 5

configuring advanced filtering 2

editing 5

network access quotas 14

network access restrictions

deleting 24

editing 23

enabling in interface

group-level 15

user-level 14

in Group Setup 6

interface configuration 15

in User Setup 6, 8

non-IP-based filters 20

overview 18

network access servers

See AAA clients

Network Admission Control

See NAC

network configuration 1

network device groups

adding 24

assigning AAA clients to 25

assigning AAA servers to 25

configuring 23

deleting 27

editing 26

enabling in interface 15

reassigning AAA clients to 25

reassigning AAA servers to 25

network devices

searches for 6

network time protocol

See NTP server

noncompliant devices 2

non-EAP authentication

protocol 8

Novell NDS user databases

mapping database groups to AAA groups 3

NTP server 21

O

ODBC features

authentication

CHAP 37

EAP-TLS 38

overview 35

PAP 37

preparation process 37

process with external user database 36

result codes 43

case-sensitive passwords 38

CHAP authentication sample procedure 39

configuring 44

data source names 35

DSN (data source name) configuration 44

EAP-TLS authentication sample procedure 40

features supported 36

group mappings 1

group specifications

CHAP 41

EAP-TLS 43

PAP 40

vs. group mappings 2

PAP authentication sample procedures 39

password case sensitivity 38

stored procedures

CHAP authentication 41

EAP-TLS authentication 42

implementing 37

PAP authentication 40

type definitions 38

user databases 35

ODBC log Configuration Page 33

ODBC logging 8

configuring 15

data source names 9

enabling and disabling 16

preparing for 9

One-time Passwords (OTPs) 7

online documentation 22

online help 22

location in HTML interface 21

using 22

online user guide 22

ordering rules, in policies 8

outbound password configuration 11

overview of Cisco Secure ACS 1

P

PAC

automatic provisioning 14

definition 11

manual provisioning 14

refresh 15

package.cab 3

package.cab file, for customer support 20

PAP 9

vs. ARAP 9

vs. CHAP 9

Passed Authentications logs 2

password

automatic change password configuration 16

periodical change 5

structure policy 5

password aging 12

age-by-uses rules 17

Cisco IOS release requirement for 16

EAP-FAST 16

interface configuration 15

in Windows databases 19

MS-CHAP 16

overview 12

PEAP 16

rules 15

password configurations

basic 11

passwords

See also password aging

case sensitive 38

CHAP/MS-CHAP/ARAP 5

configurations

caching 11

inbound passwords 11

outbound passwords 11

separate passwords 11

single password 11

token caching 11

token cards 11

encryption 2

expiration 17

import utility 9

local management 4

password change log management 5

post-login greeting 17

protocols supported 9

remote change 4

user-changeable 12

validation options in System Configuration 4

patch

overview 26

process 28

pattern matching in command authorization 28

PEAP 10

See also certification

configuring 19

enabling 8

identity protection 6

overview 6

password aging 19

phases 6

with Unknown User Policy 7

PEAP/EAP-TLS Support 6

performance monitoring 4

performance specifications 23

per-group attributes

See also groups

enabling in interface 5

per-user attributes

enabling in interface 5

TACACS+/RADIUS in Interface Configuration 14

ping command 18

PIX ACLs

See downloadable IP ACLs

PIX command authorization sets

See command authorization sets

PKI (public key infrastructure)

See certification

Point-to-Point Protocol (PPP) 24

policies

agentless hosts 9

cloning 19

configuring 14

copying 19

deleting 20

external 8

internal 7

local

See internal policies

overview 5

renaming 20

rule order 8

setting up an external audit server 23

setting up external servers 21

Populate from Global 12, 22, 41

Network Access Profiles 22

port 2002

in HTTP port ranges 19

in URLs 21

ports

See also HTTP port allocation

See also port 2002

RADIUS 3, 4

TACACS+ 3

Posture Validation

for Agentless Hosts 29

posture validation

attributes 5

adding 28

configuring ACS for 12

credentials 5

CTL 13

enabling 13

failed attempts log 13

implementing 4

options 15

passed authentications log 13

policy overview 5

and profile-based policies 3

profiles, adding user groups 13

rule

assigning posture tokens 14

rules, about 8

server certificate requirement 12

Posture Validation Policies

configuring 26

PPP password aging 16

processor utilization 4

profile 1

Profile-based Policies 3

profile components

See shared profile components

profiles 34

profile templates 7

prerequisites 7

protocols supported 9

protocol support

EAP authentication 8

non-EAP authentication 8

protocol types

Network Access Profiles 2

proxy

See also Proxy Distribution Table

character strings

defining 5

stripping 5

configuring 27

in enterprise settings 4

overview 3

sending accounting packets 5

Proxy Distribution Table

See also proxy

adding entries 28

configuring 28

default entry 3, 28

deleting entries 30

editing entries 30

match order sorting 29

overview 28

Q

quotas

See network access quotas

See usage quotas

R

RAC and Groups 7

RADIUS 4

See also RADIUS VSAs (vendor specific attributes)

accounting 16

attributes

See also RADIUS VSAs (vendor specific attributes)

in User Setup 24

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

Cisco IOS 3

IETF 11

overview 1

Cisco Aironet 10

IETF

in Group Setup 27

interface configuration 8

in User Setup 24

interface configuration overview 7

Key Wrap 23

Key Wrap, configuring for AAA client 9

Key Wrap, configuring for NDG 24

key wrap, enabling 24

password aging 19

ports 3, 4

specifications 4

token servers 51

vs. TACACS+ 3

RADIUS user databases

configuring 52

group mappings 1

RADIUS-based group specifications 8

RADIUS VSAs (vendor specific attributes)

Ascend

in Group Setup 31

in User Setup 28

supported attributes 21

Cisco Aironet

in Group Setup 30

in User Setup 27

Cisco BBSM (Building Broadband Service Manager)

in Group Setup 37

in User Setup 34

supported attributes 10

Cisco IOS/PIX

in Group Setup 28

interface configuration 9

in User Setup 25

supported attributes 4

Cisco VPN 3000

in Group Setup 32

in User Setup 29

supported attributes 6

Cisco VPN 5000

in Group Setup 33

in User Setup 30

supported attributes 10

custom

about 19

in Group Setup 38

in User Setup 35

Juniper

in Group Setup 37

in User Setup 33

supported attributes 28

Microsoft

in Group Setup 34

in User Setup 31

supported attributes 19

Nortel

in Group Setup 36

in User Setup 32

supported attributes 28

overview 1

user-defined

about 19, 17

action codes for 12

adding 18

deleting 19

import files 21

listing 20

replicating 19, 18

Radtest 3

RDBMS synchronization 1

accountActions file

overview 22

configuring 28

data source name configuration 25, 26

disabling 30

enabling in interface 15

FTP configuration 26

FTP setup options 26

group-related configuration 19

import definitions 1

manual initialization 27

network configuration 19

overview 17

partners 27

preparing to use 23

report and error handling 23

scheduling options 26

user-related configuration 18

RDBMS Synchronization logs 5

Registry 2

regular expressions syntax 23

rejection mode

general 3

Windows user databases 4

related documentation 36, 24

remote agent

log files 6

selecting for authentication 17

remote agents

adding 20

configuration options 19

configuring 18

configuring logging to 18

configuring logs on configuration provider 19

deleting 22

editing 21

overview 18

Remote Agents table 2

selecting for authentication 17

sending data to 18

Remote Agents Reports Configuration Page 30

remote logging

configuring ACS to send data to 17

configuring and enabling 16

for ACS for Windows 9

hosts 9

remote agents, for ACS SE 10

See also logging

server, configuring 17

using remote agents 18

Remote Logging Setup Page 30

Remove Dynamic Users 39

removing

external audit servers 25

external servers 22

policies or rules 20

removing dynamic users 39

renaming

policies 20

replication

ACS Service Management page 2

auto change password settings 16

backups recommended (Caution) 7

cascading 4, 9

certificates 2

client configuration 11

components

overwriting (Caution) 11

overwriting (Note) 7

selecting 7

configuring 14

corrupted backups (Caution) 7

custom RADIUS dictionaries 2

disabling 16

EAP-FAST 16

encryption 4

external user databases 2

frequency 5

group mappings 2

immediate 13

implementing primary and secondary setups 10

important considerations 5

in System Configuration 14

interface configuration 15

IP pools 2, 32

logging 7

manual initiation 13

master AAA servers 2

notifications 17

options 7

overview 2

partners

configuring 15

options 9

process 3

scheduling 14

scheduling options 9

selecting data 7

unsupported 2

user-defined RADIUS vendors 6

vs. backup 6

reports 1

downloading CSV 24

entitlement 11

entitlement, viewing and downloading 27

See also logging

viewing and downloading 21

viewing appliance status 26

viewing CSV 22

viewing disabled accounts 26

viewing dynamic administration 25

viewing logged-in users 25

Reports and Activity

in interface 21

Reports Page Reference 35

request handling

general 3

Windows user databases 4

Required Credential Types 42

resource consumption 5

restarting services 2

restart services 16

restore

components restored

configuring 15

overview 15

filenames 13

in System Configuration 13

internal database 9

on a different server 13

overview 13

performing 15

reports 15

with CSUtil.exe 4

restores

finding files 13

RFC2138 4

RFC2139 4

RSA user databases

configuring 54

group mappings 1

rule 8

rules

about 8

S

Sarbanes-Oxley (SOX) compliance 5

search order of external user databases 8

security protocols

CSRadius 6

CSTacacs 6

RADIUS 3, 1

TACACS+

custom commands 12

overview 3

time-of-day access 12

Selected Credentials 42

server certificate installation 21

service control in System Configuration 20

Service Control Page Reference 34

service logs 12

configuring 20

for customer support 20

Service Monitoring logs 5

services

determining status of 2

logs generated 12

management 17

monitoring 25

running from the command line 14

starting 2

stopping 2

shared profile components

See also command authorization sets

See also downloadable IP ACLs

See also network access filters

See also network access restrictions

overview 1

Shared Profile Components (SPC) 14

Shared RAC 31

shared secret 6

shell command authorization sets

See also command authorization sets

in Group Setup 23

in User Setup 17

Simple Network Management Protocol (SNMP) 13

single password configurations 11

SMTP (simple mail-transfer protocol) 5

SNMP, support on appliance 21

specifications

RADIUS

RFC2138 4

RFC2139 4

system performance 23

TACACS+ 4

SSL (secure sockets layer) 29

starting services 2

static IP addresses 7

stopping services 2

stored procedures

CHAP authentication

configuring 46

input values 41

output values 41

result codes 43

EAP-TLS authentication

configuring 46

input values 42

output values 42

implementing 37

PAP authentication

configuring 46

input values 40

output values 40

result codes 43

sample procedures 39

type definitions

integer 38

string 38

supplementary user information

in User Setup 4

setting 4

support

Cisco Device-Management Applications 14

support command 4

supported password protocols 9

support page 23

synchronization

See RDBMS synchronization

Syslog log Configuration Page 32

syslog logging

configuring 15

enabling and disabling 15

message format 7

message length limitations 8

syslog logs

logging to 7

system

configuration

advanced 1

authentication 1

basic 1

certificates 1

health 4

messages in interface 21

monitoring

See monitoring

performance specifications 23

services

See services

system monitoring

technical support file 24

system performance

specifications 23

T

TACACS+ 3, 4

accounting 16

accounting logs 2

administration logs 2

advanced TACACS+ settings

in Group Setup 2, 3

in User Setup 21

AV (attribute value) pairs

accounting 3

general 1

custom commands 12

enable password options for users 23

enable privilege options 21

interface configuration 6

outbound passwords for users 23

ports 3

SENDAUTH 11

settings

in Group Setup 2, 3, 22

in User Setup 14, 15

specifications 4

time-of-day access 12

vs. RADIUS 3

Tactest 3

Telnet

See also command authorization sets

password aging 16

test login frequency internally 17

thread used 5

time and date setting 21

time-of-day/day-of-week specification

See also date format control

enabling in interface 14

timeout values on AAA clients 6

TLS (transport layer security)

See certification

token caching 11, 50

token cards 24

password configuration 11

settings in Group Setup 14

token servers

ISDN terminal adapters 50

overview 50

RADIUS-enabled 51

RADIUS token servers 51

RSA 54

supported servers 7

token caching 50

troubleshooting 34

AAA servers 1

administration problems 15

authentication 18

authorization 18

browser 21

database 26

debug logs 12

dial-in connections 31

EAP protocols 34

GAME protocol 35

installations 37

interoperability problems 40

logging 41

MAC authentication bypass problems 41

MaxSessions 44

Network Admission Control 23

Remote Agent 42

reports 42

upgrades 37

user group management 44

trust lists

See certification

trust relationships 6

U

unauthorized users 15

UNIX passwords 12

unknown service user setting 21

Unknown User Policy 18

See also unknown users

configuring 8

in external user databases 2, 7

turning off 9

unknown users

See also Unknown User Policy

authentication 3

authentication performance 6

authentication processing 6

network access authorization 6

unmatched user requests 3

update packets in accounting logs 28

upgrade

applying 31

CSAgent 18

distribution server requirements 27

overview 26

process 28

restrictions 18

transferring 29

usage quotas

in Group Setup 10

in Interface Configuration 15

in User Setup 12

overview 14

resetting

for groups 40

for single users 38

user-changeable passwords

overview 12

with Windows user databases 16

user databases

See databases

User Data Configuration 5

User Entitlements report 12

user groups

See groups

user guide

online 22

user-level

downloadable ACLs interface 14

network access restrictions

See also network access restrictions

enabling in interface 14

user or group information

exporting 11

User Password Changes logs 5

users

See also User Setup

adding

basic steps 3

assigning client IP addresses to 7

assigning to a group 5

callback options 6

configuring 1

configuring device management command authorization sets for 19

configuring PIX command authorization sets for 18

configuring shell command authorization sets for 17

customized data fields 5

deleting 25

deleting accounts 37

disabling accounts 3

finding 36

import methods 2

in multiple databases 4

listing all users 36

number of 23

RDBMS synchronization 18

relationship to groups 4

removing dynamic 39

resetting accounts 39

saving settings 40

supplementary information 4

types

discovered 2

known 2

unknown 2

VPDN dialup 1

User Setup

account management tasks 36

basic options 2

configuring 1

deleting user accounts 37

saving settings 40

Users in Group button 39

V

validation of passwords 4

vendors

adding audit 23

vendor-specific attributes

See RADIUS VSAs (vendor specific attributes)

in RDBMS synchronization 8, 19

vendor-specific attributes (VSAs) 4

Viewing Dynamic Administration Reports 25

Virtual Private Dial-Up Networks (VPDNs) 13

Voice-over-IP

See VoIP (Voice-over-IP)

VoIP

accounting 16

VoIP (Voice-over-IP)

accounting configuration 16, 20

enabling in interface 15

group settings in Interface Configuration 15

in Group Setup 4

VPDN

authentication process 1

domain authorization 2

home gateways 2

IP addresses 2

tunnel IDs 2

users 1

VSAs

See RADIUS VSAs (vendor specific attributes)

W

warning events 4, 6

warnings

significance of 35

watchdog packets

logging 28

web interface

See also Interface Configuration

layout 20

security 17

uniform resource locator 21

using with Solution Engine 12

Windows Callback 18

Windows Database Callback 18

Windows operating systems

authentication order 5

Cisco Secure ACS-related services

services 2

dial-up networking 6

dial-up networking clients

domain field 7

password field 7

username field 7

Domain List effect 5

domains

domain names 4, 8, 9

Event logs 5

Registry 2

Windows Services 23

CSAdmin 23

CSAuth 23

CSDBSync 23

CSLog 23

CSMon 24

CSRadius 24

CSTacacs 24

overview 23

Windows user database 7

passwords 9

Windows user databases

See also databases

Active Directory 17

configuring 21

Domain list

inadvertent user lockouts 21

domain mapping 6

domains

trusted 6

grant dial-in permission to users 6, 17

group mappings

editing 6

no access groups 4

remapping 6

mapping database groups to AAA groups 3

overview 5

password aging 19

rejection mode 4

request handling 4

trust relationships 6

user-changeable passwords 16

user manager 17