Index
A
AAA 1
See also AAA clients
See also AAA servers
pools for IP address assignment 7
AAA clients 1
adding and configuring 11
configuring 8
deleting 14
editing 12
IP pools 7
multiple IP addresses for 8
number of 23
searching for 6
table 1
timeout values 6
AAA client times out 19
AAA protocols
TACACS+ and RADIUS 3
AAA-related logs 1
AAA servers 3
adding 16
configuring 14
deleting 18
editing 17
enabling in interface (table) 15
functions and concepts 3
in distributed systems 2
master 2
overview 14
primary 2
replicating 2
searching for 6
secondary 2
troubleshooting 1
accessing Cisco Secure ACS
how to 3
URL 21
with SSL enabled 21
accountActions File 22
accountActions table 20, 21
account disablement
Account Disabled check box 3
manual 37
resetting 39
setting options for 13
accounting
See also logging
administrative 16
overview 16
RADIUS 16
TACACS+ 16
VoIP 16
accounting logs, update packets in 28
Account Never Expires option 3
ACLs
See downloadable IP ACLs
default 12
ACS
additional features 5
features, functions and concepts 3
internal database 3
introduction to 1
managing and administrating 16
specifications 22
Windows Services 23
ACS Backup 9
ACS internal database
See also databases
overview 1
password encryption 2
See replication
ACS internal database replication
See replication
ACS Restore 9
ACS State Collector utility 3
action codes
for creating and modifying user accounts 5
for initializing and modifying access filters 9
for modifying network configuration 17
for modifying TACACS+ and RADIUS settings 12
for setting and deleting values 4
in accountActions 3
Active Directory
configuration 30
Active Service Management
See Cisco Secure ACS Active Service Management
adding
external audit servers 23
external servers 21
ADF
importing for vendors 13
Administration Audit logs 5
administrative accounting 16
administrative sessions
and HTTP proxy 2
network environment limitations of 1
through firewalls 2
through NAT (network address translation) 2
Administrator Entitlements reports 12
administrator locked out 24
administrators
See also Administration Audit log
See also Administration Control
See also administrative access policies
deleting 7
locked out 3
locking out 18
unlocking 3
AES 128 algorithm 2
age-by-date rules for groups 18
Agentless Host for L2 (802.1x Fallback) 17
Agentless Request Processing 22
Aironet
AAA client configuration 10
RADIUS parameters for group 30
RADIUS parameters for user 27
appliance
configuration 20
Appliance Administration Audit logs 5
Appliance Status report 11
viewing 26
ARAP 10
attribute definition file
See also ADF 13
attributes 5
adding 40
adding external audit device types 39
definition file 37
definition file sample 44
deleting 41
dumping 43
enabling in interface 5
exporting 43
extended entity 42
extended property 43
group-specific (table) 24
logging 3
management 37
NAC (posture validation) 37
per-group 5
per-user 5
posture validation (NAC) 37
user-specific (table) 24
attribute-value pairs
See AV (attribute value) pairs
audit device types
external, adding attributes 39
audit logs 5
audit server
functionality 27
setting up 23
audit servers
setting up 23
Authenticate MAC With 41
authentication 7
configuration 19
configuring policies 24
considerations 7
denying unknown users 9
functionality 43
options 19
overview 7
protocol-database compatibility 8
request handling 3
user databases 7
via external user databases 4
Windows 7
Authentication Bypass template 17
authorization 13
configuring policies 30
ordering rules 33
rules 30
sets
See command authorization sets
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
RADIUS
Cisco IOS 3
IETF 11
TACACS+
accounting 3
general 1
Available Credentials 42
AV pairs 11
B
backup
internal database 9
Backup and Restore logs 5
backups
components backed up 8
directory management 8
disabling scheduled 12
filename 7
filenames 13
locations 8
manual 9
options 9
overview 7
reports 8
scheduled vs. manual 7
scheduling 11
vs. replication 6
with CSUtil.exe 3
browser access 16
browsers
See also web interface 20
C
cab file 24
cached users
See discovered users
CA configuration 26
callback options
in Group Setup 5
in User Setup 6
cascading replication 4, 9
cautions
significance of 35
certificate database for LDAP servers 47
DB path 29
trusted root CA 29
certificate trust list
See CTL
certification
See also EAP-TLS
See also PEAP
adding certificate authority certificates 24
background 1
backups 8
Certificate Revocation Lists 27
certificate signing request generation 29
editing the certificate trust list 26
replacing certificate 34
self-signed certificates
configuring 33
NAC 13
overview 31
server certificate installation 21
updating certificate 34
Change Password page 4
CHAP 10
Cisco
Identity-Based Networking Services (IBNS) 2
Cisco IOS
RADIUS
AV (attribute value) pairs 2
group attributes 28
user attributes 25
TACACS+ AV (attribute value) pairs 1
Cisco NAC support 6
Cisco Secure ACS Active Service Management
event logging configuration 19
overview 17
system monitoring
configuring 18
custom actions 18
Cisco Secure ACS administration overview 16
Cisco Secure ACS backups
See backups
Cisco Secure ACS system restore
See restore
CiscoSecure Authentication Agent 16
Cisco Security Agent 17
See also CSAgent
integration 17
logging 18
policies 18
restrictions 18
viewing logs 25
CLI commands
for troubleshooting 11
CLID-based filters 20
cloning
Network Access Profiles 5
policies or rules 19
codes
See action codes
command authorization sets
See also shell command authorization sets
adding 29
configuring 25, 29
deleting 31
editing 30
overview 25
pattern matching 28
PIX command authorization sets 25
command-line database utility
See CSUtil.exe
compacting the database 10
compliance support 5
condition sets, defining 16
configuration provider
remote agent logs on 19
configuring
internal policies 16
configuring advanced filtering
Network Access Profiles 2
conventions 34
copying
policies or rules 19
creating
external servers 21
credentials 5
Credential Validation Databases 25, 41
critical loggers 13
Critical Loggers Configuration Page 29
CRLs 27
CSAdmin
Windows Services 23
CSAdmin service 2
CSAgent
behavior 18
disabling 23
enabling 23
logging 18
overview 18
policies 18
CSAgent service 18, 2
CSAuth
Windows Services 23
CSDBSync 20
Windows Services 23
CSLog 13
Windows Services 23
CSMon 13
See also Cisco Secure ACS Active Service Management
configuration 4
log 5
Windows Services 24
CSNTacctInfo 40, 41, 43
CSNTAuthUserPap 39
CSNTerrorString 40, 42, 43
CSNTExtractUserClearTextPw 39
CSNTFindUser 40
CSNTgroups 40, 41, 43
CSNTpasswords 40, 42
CSNTresults 40, 41, 43
CSNTusernames 40, 41, 42
CSRadius 6
Windows Services 24
CSTacacs 6
Windows Services 24
CSUtil.exe
add and delete posture validation attributes 28
adding external audit device type attributes 39
backing up with 3
cleaning up database with 8
decoding error numbers with 17
dumping database file with 6
exporting data with 15
exporting group information with 16
for troubleshooting 8
import text file (example) 15
initializing database with 5
loading database file with 7
overview 1
restoring with 4
updating database with 9
CSV (comma-separated values) logs
configuring 14
downloading 24
enabling and disabling 14
filename formats 22
locations 6
logging to 6
size and retention 7
viewing 22
CSV log File Configuration Page 31
CTL
external policy servers
CTL editing 26
custom attributes
in group-level TACACS+ settings 22
in user-level TACACS+ settings 15
customer support
collecting data for 20
providing package.cab file 20
D
database
compacting 10
database files 8
database group mappings
configuring
for token servers 2
for Windows domains 6
no access groups 4
order 8
deleting
group set mappings 7
Windows domain configurations 7
Database Replication logs 5
databases
See also external user databases
ACS internal database 1
authentication search process 3
cleaning up 8
deleting 55
external
See also external user databases
See also Unknown User Policy
initializing 5
remote agent selection 17
replication
See replication
search order 7
search process 7
selecting user databases 1
synchronization
See RDBMS synchronization
token cards
See token servers
types
See generic LDAP user databases
See LEAP proxy RADIUS user databases
See Novell NDS user databases
See ODBC features
See RADIUS user databases
See RSA user databases
unknown users 1
user databases 2
user import methods 2
Windows user databases 5
data source names
for ODBC logging 9
for RDBMS synchronization 26
using with ODBC databases 35, 44, 45
data types, NAC attribute 6
date and time setting 21
date format control 3
debug logs, detail levels 20
default ACLs 12
default group
in Group Setup 2
mapping for Windows 4
default time-of-day/day-of-week specification 14
default time-of-day access settings for groups 5
deleting 6
external audit servers 25
external servers 22
logged-in users 25
Network Access Profiles 6
policies or rules 20
device command sets
See command authorization sets
device management applications support 14
DHCP with IP pools 33
diagnostic logs 25, 12
dial-in permission to users in Windows 17
dial-up networking clients 6, 7
digital certificates
See certification
Disabled Accounts report 11
viewing 26
discovered users 2
Distinguished Name Caching 26
distributed systems
See also proxy
AAA servers in 2
overview 2
settings
configuring 28
default entry 3
enabling in interface 15
distribution table
See Proxy Distribution Table
DNIS-based filters 20
documentation
conventions 34
objectives 33
online 22
related 36, 24
Domain List
configuring 21
inadvertent user lockouts 9, 21
overview 9
unknown user authentication 5
domain name and hostname configuration 22
domain names
Windows operating systems 8, 9
downloadable ACLs 9
downloadable IP ACLs
adding 15
assigning to groups 21
assigning to users 14
deleting 17
editing 16
enabling in interface
group-level 15
user-level 14
overview 13
draft-ietf-radius-tunnel-auth 4
dump files
loading a database from 7
loading a database to 6
dump text file 10
dynamic administration logs 10
viewing 25
dynamic usage quotas 14
dynamic users
removing 39
E
EAP (Extensible Authentication Protocol)
Configuration 23
overview 10
supported protocols 10
with Windows authentication 10
EAP authentication
protocol 8
EAP-FAST 10
enabling 17
identity protection 10
logging 9
master keys
definition 10
states 10
master server 17
overview 9
PAC
automatic provisioning 14
definition 11
manual provisioning 14
refresh 15
states 13
password aging 20
phases 9
replication 16
EAP logging 8
EAPoUDP failure 22
EAPoUDP support 22
EAP-TLS 10
See also certification
authentication configuration 19
comparison methods 3
enabling 4
limitations 4
options 36
overview 2
with RADIUS Key Wrap 23
editing
external audit servers 24
external posture validation servers 22
internal policies 18
Network Access Profiles 5
enable password options for TACACS+ 23
enable privilege options for groups 13
entitlement reports 11
entity field 6
error codes 46
error number decoding with CSUtil.exe 17
Event log
configuring 19
exception events 5
event logging 19
exception events 5
exemption list
external audit 10
Expanded agentless support 6
exports
of user lists 15
Extensible Authentication Protocol
See EAP (Extensible Authentication Protocol)
Extensible Authentication Protocol (EAP) 2
external audit policy
what triggers an 10
external audit server
setting up 23
external audit servers
about 9
adding 23
deleting 25
editing 24
external policies 8
exemption list support 10
external servers
creating 21
deleting 22
editing 22
external token servers
See token servers
external user databases
See also databases
authentication via 4
configuring 3
deleting configuration 55
latency factors 6
search order 6, 8
supported 7
Unknown User Policy 1
F
Failed Attempts logs 2
failed log-on attempts 5
failure events
customer-defined actions 6
predefined actions 6
fallbacks on failed connection 4
finding users 36
FTP server 7
FTP setup options 26
G
GAME/HCAP messages 5
GAME Group Feedback 6
gateways 2
Generic LDAP 7
generic LDAP user databases
authentication 22
certificate database downloading 47
configuring
database 30
options 26
directed authentications 24
domain filtering 24
failover 25
mapping database groups to AAA groups 3
multiple instances 23
organizational units and groups 23
Global Authentication Setup 19
global authentication setup
enabling posture validation 13
grant dial-in permission to users 6, 17
greeting after login 17
group-level interface enabling
downloadable IP ACLs 15
network access restrictions 15
network access restriction sets 15
password aging 15
group-level network access restrictions
See network access restrictions
group mapping problem 29
groups
See also network device groups
assigning users to 5
configuring RADIUS settings for
See RADIUS
Default Group 2, 4
enabling VoIP (Voice-over-IP) support for 4
exporting group information 16
listing all users in 39
mapping order 8
mappings 1
no access groups 4
overriding settings 4
relationship to users 4
renaming 40
resetting usage quota counters for 40
settings for
callback options 5
configuration-specific 12
configuring common 3
device management command authorization sets 26
enable privilege 13
IP address assignment method 20
management tasks 39
max sessions 9
network access restrictions 6
password aging rules 15
PIX command authorization sets 25
shell command authorization sets 23
TACACS+ 2, 3, 22
time-of-day access 5
token cards 14
usage quotas 10
setting up and managing 1
specifications by ODBC authentications 40, 41, 43
H
handle counts 5
hard disk space 4
HCAP errors 4
host and domain names configuration 22
host system state 4
HTML interface
logging off 4
HTTP port allocation
for administrative sessions 19
I
IEEE 802.1x 2
IETF 802.1x 10
IETF RADIUS attributes 4
importing passwords 9
imports with CSUtil.exe 9
inbound
authentication 11
password configuration 11
installation
related documentation 36, 24
Interface Configuration
See also HTML interface
advanced options 5
configuring 1
customized user data fields 5
interface security settings 5
Internal ACS Database 41
internal architecture 1
internal policies
editing 18
steps to set up 16
IP ACLs
See downloadable IP ACLs
IP addresses
in User Setup 7
multiple, for AAA client 8
requirement for CSTacacs and CSRadius 6
setting assignment method for user groups 20
IP pools
address recovery 37
deleting 36
DHCP 33
editing IP pool definitions 35
enabling in interface 15
overlapping 33, 34
refreshing 34
resetting 35
servers
adding IP pools 34
overview 32
replicating IP pools 32
user IP addresses 7
J
Japanese Microsoft Windows Support 7
K
Key Wrap 6
configuring for AAA client 9
configuring for NDG 24
key wrap
enabling 24
Key Wrap, RADIUS 23
L
LAN manager 10
LDAP
Admin Logon Connection Management 26
Distinguished Name 26
group attributes 22
LDAP Server 41
LEAP 10
LEAP authentication failure 20
LEAP proxy RADIUS user databases
configuring external databases 48
group mappings 1
overview 48
RADIUS-based group specifications 8
list all users
in Group Setup 39
in User Setup 36
local policies
See internal policies
log files
Remote Agent 6
storage directory 3
Windows services 5
Logged-In Users report 11
deleting logged-in users 25
viewing 25
logging 1
attributes 3
configuring
logs 1
configuring CSV (comma-separated values) 14
configuring ODBC 15
configuring remote logging server 17
configuring service logs 20
configuring syslog 15
critical loggers 13
CSAgent 18
CSV (comma-separated values) 6
custom RADIUS dictionaries 2
debug logs, detail levels 20
diagnostic logs 25
enabling and disabling ODBC 16
enabling CSV (comma-separated values) 14
enabling syslog 15
formats and targets 5
ODBC 8
RDBMS synchronization 2
remote, configuring ACS to send data to 17
remote, configuring and enabling 16
remote, for ACS for Windows 9
remote, hosts for 9
remote agents, configuring logs on configuration provider 19
remote agents, configuring to 18
remote agents, sending data to 18
remote agents for ACS SE 10
See also logs
See also reports
service logs 12, 44
service logs for customer support 20
syslog 7
watchdog packets 28
Logging Configuration Page 28
logging service 13
Login Process Fail page 3
login process test frequency 17
logins
greeting upon 17
password aging dependency 17
logs 1
AAA-related 1
Administration Audit 5
Appliance Administration Audit 5
audit 5
Backup and Restore 5
Database Replication 5
dynamic administration 10
Failed Attempts 2
logged-in users 11
Passed Authentications 2
RADIUS accounting 2
RDBMS Synchronization 5
See also logging
See also reports
service 12
Service Monitoring 5
TACACS+ accounting 2
TACACS+ administration 2
User Password Changes 5
viewing and downloading 21
VOIP accounting 2
M
MAC address
standard formats 22
MAC Authentication Bypass 5
audit support 6
MAC Exceptions
audit verifications 6
machine authentication
enabling 15
overview 10
with Microsoft Windows 13
management application support 14
mappings
database groups to AAA groups 3
databases to AAA groups 1
master AAA servers 2
master key
definition 10
states 10
max sessions 13
enabling in interface 15
group 14
in Group Setup 9
in User Setup 11
overview 13
user 13
member server 6, 8
memory utilization 4
monitoring
configuring 18
CSMon 4
overview 17
service 13
services 25
MS-CHAP 10
configuring 19
overview 10
protocol supported 9
multiple IP addresses for AAA clients 8
N
NAC 2
agentless hosts 9
attributes
about 5
data types 6
deleting 28
exporting 28
configuring ACS for support for 12
credentials
about 5
implementing 4
logging 13
overview
policies
about 16
external 8
internal 7
results 16
remediation server
url-redirect attribute 6
rules
about 8
default 29
self-signed certificates 13
tokens
definition 3
descriptions of 3
returned by internal policies 7
NAC Agentless Host 18
NAC L2 IP 11
NAC L3 IP 8
NAFs
See network access filters
NAR
See network access restrictions
NAS
See AAA clients
NAT environment 7
Network Access Filter (NAF)
editing 5
Network Access Filters (NAF) 2
adding 3
deleting 6
overview 2
Network Access Profiles 1, 6, 22
cloning 5
configuring advanced filtering 2
editing 5
network access quotas 14
network access restrictions
deleting 24
editing 23
enabling in interface
group-level 15
user-level 14
in Group Setup 6
interface configuration 15
in User Setup 6, 8
non-IP-based filters 20
overview 18
network access servers
See AAA clients
Network Admission Control
See NAC
network configuration 1
network device groups
adding 24
assigning AAA clients to 25
assigning AAA servers to 25
configuring 23
deleting 27
editing 26
enabling in interface 15
reassigning AAA clients to 25
reassigning AAA servers to 25
network devices
searches for 6
network time protocol
See NTP server
noncompliant devices 2
non-EAP authentication
protocol 8
Novell NDS user databases
mapping database groups to AAA groups 3
NTP server 21
O
ODBC features
authentication
CHAP 37
EAP-TLS 38
overview 35
PAP 37
preparation process 37
process with external user database 36
result codes 43
case-sensitive passwords 38
CHAP authentication sample procedure 39
configuring 44
data source names 35
DSN (data source name) configuration 44
EAP-TLS authentication sample procedure 40
features supported 36
group mappings 1
group specifications
CHAP 41
EAP-TLS 43
PAP 40
vs. group mappings 2
PAP authentication sample procedures 39
password case sensitivity 38
stored procedures
CHAP authentication 41
EAP-TLS authentication 42
implementing 37
PAP authentication 40
type definitions 38
user databases 35
ODBC log Configuration Page 33
ODBC logging 8
configuring 15
data source names 9
enabling and disabling 16
preparing for 9
One-time Passwords (OTPs) 7
online documentation 22
online help 22
location in HTML interface 21
using 22
online user guide 22
ordering rules, in policies 8
outbound password configuration 11
overview of Cisco Secure ACS 1
P
PAC
automatic provisioning 14
definition 11
manual provisioning 14
refresh 15
package.cab 3
package.cab file, for customer support 20
PAP 9
vs. ARAP 9
vs. CHAP 9
Passed Authentications logs 2
password
automatic change password configuration 16
periodical change 5
structure policy 5
password aging 12
age-by-uses rules 17
Cisco IOS release requirement for 16
EAP-FAST 16
interface configuration 15
in Windows databases 19
MS-CHAP 16
overview 12
PEAP 16
rules 15
password configurations
basic 11
passwords
See also password aging
case sensitive 38
CHAP/MS-CHAP/ARAP 5
configurations
caching 11
inbound passwords 11
outbound passwords 11
separate passwords 11
single password 11
token caching 11
token cards 11
encryption 2
expiration 17
import utility 9
local management 4
password change log management 5
post-login greeting 17
protocols supported 9
remote change 4
user-changeable 12
validation options in System Configuration 4
patch
overview 26
process 28
pattern matching in command authorization 28
PEAP 10
See also certification
configuring 19
enabling 8
identity protection 6
overview 6
password aging 19
phases 6
with Unknown User Policy 7
PEAP/EAP-TLS Support 6
performance monitoring 4
performance specifications 23
per-group attributes
See also groups
enabling in interface 5
per-user attributes
enabling in interface 5
TACACS+/RADIUS in Interface Configuration 14
ping command 18
PIX ACLs
See downloadable IP ACLs
PIX command authorization sets
See command authorization sets
PKI (public key infrastructure)
See certification
Point-to-Point Protocol (PPP) 24
policies
agentless hosts 9
cloning 19
configuring 14
copying 19
deleting 20
external 8
internal 7
local
See internal policies
overview 5
renaming 20
rule order 8
setting up an external audit server 23
setting up external servers 21
Populate from Global 12, 22, 41
Network Access Profiles 22
port 2002
in HTTP port ranges 19
in URLs 21
ports
See also HTTP port allocation
See also port 2002
RADIUS 3, 4
TACACS+ 3
Posture Validation
for Agentless Hosts 29
posture validation
attributes 5
adding 28
configuring ACS for 12
credentials 5
CTL 13
enabling 13
failed attempts log 13
implementing 4
options 15
passed authentications log 13
policy overview 5
and profile-based policies 3
profiles, adding user groups 13
rule
assigning posture tokens 14
rules, about 8
server certificate requirement 12
Posture Validation Policies
configuring 26
PPP password aging 16
processor utilization 4
profile 1
Profile-based Policies 3
profile components
See shared profile components
profiles 34
profile templates 7
prerequisites 7
protocols supported 9
protocol support
EAP authentication 8
non-EAP authentication 8
protocol types
Network Access Profiles 2
proxy
See also Proxy Distribution Table
character strings
defining 5
stripping 5
configuring 27
in enterprise settings 4
overview 3
sending accounting packets 5
Proxy Distribution Table
See also proxy
adding entries 28
configuring 28
default entry 3, 28
deleting entries 30
editing entries 30
match order sorting 29
overview 28
Q
quotas
See network access quotas
See usage quotas
R
RAC and Groups 7
RADIUS 4
See also RADIUS VSAs (vendor specific attributes)
accounting 16
attributes
See also RADIUS VSAs (vendor specific attributes)
in User Setup 24
AV (attribute value) pairs
See also RADIUS VSAs (vendor specific attributes)
Cisco IOS 3
IETF 11
overview 1
Cisco Aironet 10
IETF
in Group Setup 27
interface configuration 8
in User Setup 24
interface configuration overview 7
Key Wrap 23
Key Wrap, configuring for AAA client 9
Key Wrap, configuring for NDG 24
key wrap, enabling 24
password aging 19
ports 3, 4
specifications 4
token servers 51
vs. TACACS+ 3
RADIUS user databases
configuring 52
group mappings 1
RADIUS-based group specifications 8
RADIUS VSAs (vendor specific attributes)
Ascend
in Group Setup 31
in User Setup 28
supported attributes 21
Cisco Aironet
in Group Setup 30
in User Setup 27
Cisco BBSM (Building Broadband Service Manager)
in Group Setup 37
in User Setup 34
supported attributes 10
Cisco IOS/PIX
in Group Setup 28
interface configuration 9
in User Setup 25
supported attributes 4
Cisco VPN 3000
in Group Setup 32
in User Setup 29
supported attributes 6
Cisco VPN 5000
in Group Setup 33
in User Setup 30
supported attributes 10
custom
about 19
in Group Setup 38
in User Setup 35
Juniper
in Group Setup 37
in User Setup 33
supported attributes 28
Microsoft
in Group Setup 34
in User Setup 31
supported attributes 19
Nortel
in Group Setup 36
in User Setup 32
supported attributes 28
overview 1
user-defined
about 19, 17
action codes for 12
adding 18
deleting 19
import files 21
listing 20
replicating 19, 18
Radtest 3
RDBMS synchronization 1
accountActions file
overview 22
configuring 28
data source name configuration 25, 26
disabling 30
enabling in interface 15
FTP configuration 26
FTP setup options 26
group-related configuration 19
import definitions 1
manual initialization 27
network configuration 19
overview 17
partners 27
preparing to use 23
report and error handling 23
scheduling options 26
user-related configuration 18
RDBMS Synchronization logs 5
Registry 2
regular expressions syntax 23
rejection mode
general 3
Windows user databases 4
related documentation 36, 24
remote agent
log files 6
selecting for authentication 17
remote agents
adding 20
configuration options 19
configuring 18
configuring logging to 18
configuring logs on configuration provider 19
deleting 22
editing 21
overview 18
Remote Agents table 2
selecting for authentication 17
sending data to 18
Remote Agents Reports Configuration Page 30
remote logging
configuring ACS to send data to 17
configuring and enabling 16
for ACS for Windows 9
hosts 9
remote agents, for ACS SE 10
See also logging
server, configuring 17
using remote agents 18
Remote Logging Setup Page 30
Remove Dynamic Users 39
removing
external audit servers 25
external servers 22
policies or rules 20
removing dynamic users 39
renaming
policies 20
replication
ACS Service Management page 2
auto change password settings 16
backups recommended (Caution) 7
cascading 4, 9
certificates 2
client configuration 11
components
overwriting (Caution) 11
overwriting (Note) 7
selecting 7
configuring 14
corrupted backups (Caution) 7
custom RADIUS dictionaries 2
disabling 16
EAP-FAST 16
encryption 4
external user databases 2
frequency 5
group mappings 2
immediate 13
implementing primary and secondary setups 10
important considerations 5
in System Configuration 14
interface configuration 15
IP pools 2, 32
logging 7
manual initiation 13
master AAA servers 2
notifications 17
options 7
overview 2
partners
configuring 15
options 9
process 3
scheduling 14
scheduling options 9
selecting data 7
unsupported 2
user-defined RADIUS vendors 6
vs. backup 6
reports 1
downloading CSV 24
entitlement 11
entitlement, viewing and downloading 27
See also logging
viewing and downloading 21
viewing appliance status 26
viewing CSV 22
viewing disabled accounts 26
viewing dynamic administration 25
viewing logged-in users 25
Reports and Activity
in interface 21
Reports Page Reference 35
request handling
general 3
Windows user databases 4
Required Credential Types 42
resource consumption 5
restarting services 2
restart services 16
restore
components restored
configuring 15
overview 15
filenames 13
in System Configuration 13
internal database 9
on a different server 13
overview 13
performing 15
reports 15
with CSUtil.exe 4
restores
finding files 13
RFC2138 4
RFC2139 4
RSA user databases
configuring 54
group mappings 1
rule 8
rules
about 8
S
Sarbanes Oxley (SOX), compliance 5
search order of external user databases 8
security protocols
CSRadius 6
CSTacacs 6
RADIUS 3, 1
TACACS+
custom commands 12
overview 3
time-of-day access 12
Selected Credentials 42
server certificate installation 21
service control in System Configuration 20
Service Control Page Reference 34
service logs 12
configuring 20
for customer support 20
Service Monitoring logs 5
services
determining status of 2
logs generated 12
management 17
monitoring 25
running from the command line 14
starting 2
stopping 2
shared profile components
See also command authorization sets
See also downloadable IP ACLs
See also network access filters
See also network access restrictions
overview 1
Shared Profile Components (SPC) 14
Shared RAC 31
shared secret 6
shell command authorization sets
See also command authorization sets
in Group Setup 23
in User Setup 17
Simple Network Management Protocol (SNMP) 13
single password configurations 11
SMTP (simple mail-transfer protocol) 5
SNMP, support on appliance 21
specifications
RADIUS
RFC2138 4
RFC2139 4
system performance 23
TACACS+ 4
SSL (secure sockets layer) 29
starting services 2
static IP addresses 7
stopping services 2
stored procedures
CHAP authentication
configuring 46
input values 41
output values 41
result codes 43
EAP-TLS authentication
configuring 46
input values 42
output values 42
implementing 37
PAP authentication
configuring 46
input values 40
output values 40
result codes 43
sample procedures 39
type definitions
integer 38
string 38
supplementary user information
in User Setup 4
setting 4
support
Cisco Device-Management Applications 14
support command 4
supported password protocols 9
support page 23
synchronization
See RDBMS synchronization
Syslog log Configuration Page 32
syslog logging
configuring 15
enabling and disabling 15
message format 7
message length limitations 8
syslog logs
logging to 7
system
configuration
advanced 1
authentication 1
basic 1
certificates 1
health 4
messages in interface 21
monitoring
See monitoring
performance specifications 23
services
See services
system monitoring
technical support file 24
system performance
specifications 23
T
TACACS+ 3, 4
accounting 16
accounting logs 2
administration logs 2
advanced TACACS+ settings
in Group Setup 2, 3
in User Setup 21
AV (attribute value) pairs
accounting 3
general 1
custom commands 12
enable password options for users 23
enable privilege options 21
interface configuration 6
outbound passwords for users 23
ports 3
SENDAUTH 11
settings
in Group Setup 2, 3, 22
in User Setup 14, 15
specifications 4
time-of-day access 12
vs. RADIUS 3
Tactest 3
Telnet
See also command authorization sets
password aging 16
test login frequency internally 17
thread used 5
time and date setting 21
time-of-day/day-of-week specification
See also date format control
enabling in interface 14
timeout values on AAA clients 6
TLS (transport level security)
See certification
token caching 11, 50
token cards 24
password configuration 11
settings in Group Setup 14
token servers
ISDN terminal adapters 50
overview 50
RADIUS-enabled 51
RADIUS token servers 51
RSA 54
supported servers 7
token caching 50
troubleshooting 34
AAA servers 1
administration problems 15
authentication 18
authorization 18
browser 21
database 26
debug logs 12
dial-in connections 31
EAP protocols 34
GAME protocol 35
installations 37
interoperability problems 40
logging 41
MAC authentication bypass problems 41
MaxSessions 44
Network Admission Control 23
Remote Agent 42
reports 42
upgrades 37
user group management 44
trust lists
See certification
trust relationships 6
U
unauthorized users 15
UNIX passwords 12
unknown service user setting 21
Unknown User Policy 18
See also unknown users
configuring 8
in external user databases 2, 7
turning off 9
unknown users
See also Unknown User Policy
authentication 3
authentication performance 6
authentication processing 6
network access authorization 6
unmatched user requests 3
update packets in accounting logs 28
upgrade
applying 31
CSAgent 18
distribution server requirements 27
overview 26
process 28
restrictions 18
transferring 29
usage quotas
in Group Setup 10
in Interface Configuration 15
in User Setup 12
overview 14
resetting
for groups 40
for single users 38
user-changeable passwords
overview 12
with Windows user databases 16
user databases
See databases
User Data Configuration 5
User Entitlements report 12
user groups
See groups
user guide
online 22
user-level
downloadable ACLs interface 14
network access restrictions
See also network access restrictions
enabling in interface 14
user or group information
exporting 11
User Password Changes logs 5
users
See also User Setup
adding
basic steps 3
assigning client IP addresses to 7
assigning to a group 5
callback options 6
configuring 1
configuring device management command authorization sets for 19
configuring PIX command authorization sets for 18
configuring shell command authorization sets for 17
customized data fields 5
deleting 25
deleting accounts 37
disabling accounts 3
finding 36
import methods 2
in multiple databases 4
listing all users 36
number of 23
RDBMS synchronization 18
relationship to groups 4
removing dynamic 39
resetting accounts 39
saving settings 40
supplementary information 4
types
discovered 2
known 2
unknown 2
VPDN dialup 1
User Setup
account management tasks 36
basic options 2
configuring 1
deleting user accounts 37
saving settings 40
Users in Group button 39
V
validation of passwords 4
vendors
adding audit 23
vendor-specific attributes
See RADIUS VSAs (vendor specific attributes)
in RDBMS synchronization 8, 19
vendor-specific attributes (VSAs) 4
Viewing Dynamic Administration Reports 25
Virtual Private Dial-Up Networks (VPDNs) 13
Voice-over-IP
See VoIP (Voice-over-IP)
VoIP
accounting 16
VoIP (Voice-over-IP)
accounting configuration 16, 20
enabling in interface 15
group settings in Interface Configuration 15
in Group Setup 4
VPDN
authentication process 1
domain authorization 2
home gateways 2
IP addresses 2
tunnel IDs 2
users 1
VSAs
See RADIUS VSAs (vendor specific attributes)
W
warning events 4, 6
warnings
significance of 35
watchdog packets
logging 28
web interface
See also Interface Configuration
layout 20
security 17
uniform resource locator 21
using with Solution Engine 12
Windows Callback 18
Windows Database Callback 18
Windows operating systems
authentication order 5
Cisco Secure ACS-related services
services 2
dial-up networking 6
dial-up networking clients
domain field 7
password field 7
username field 7
Domain List effect 5
domains
domain names 8, 9, 4
Event logs 5
Registry 2
Windows Services 23
CSAdmin 23
CSAuth 23
CSDBSync 23
CSLog 23
CSMon 24
CSRadius 24
CSTacacs 24
overview 23
Windows user database 7
passwords 9
Windows user databases
See also databases
Active Directory 17
configuring 21
Domain list
inadvertent user lockouts 21
domain mapping 6
domains
trusted 6
grant dial-in permission to users 6, 17
group mappings
editing 6
no access groups 4
remapping 6
mapping database groups to AAA groups 3
overview 5
password aging 19
rejection mode 4
request handling 4
trust relationships 6
user-changeable passwords 16
user manager 17