Table Of Contents
Administrators and Administrative Policy
Administrator Accounts
About Administrator Accounts
Privileges
Administration Control Privilege
The Influence of Policy
Group Access Privileges
Password Expirations and Account Lockouts
Support for Regulatory Compliance
Logging In
Adding, Editing, and Deleting Accounts
Adding or Editing Accounts
Deleting an Account
Configuring Policy Options
Configuring Access Policy
Configuring Session Policy
Configuring Password Policy
Administration Control Pages Reference
Administration Control Page
Add Administrator and Edit Administrator Pages
Administrator Password Policy Page
Access Policy Setup Page
Session Policy Setup Page
Administrators and Administrative Policy
This chapter addresses the features in the Administration Control section of the Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS.
This chapter contains the following topics:
•Administrator Accounts
•Logging In
•Adding, Editing, and Deleting Accounts
•Configuring Policy Options
•Administration Control Pages Reference
Administrator Accounts
Administrator accounts provide the only access to the ACS web interface.
This section contains the following topics:
•About Administrator Accounts
•Privileges
•Group Access Privileges
•Password Expirations and Account Lockouts
•Support for Regulatory Compliance
About Administrator Accounts
From the Administration Control page, you can link to pages that establish the names, passwords, and privileges for individual administrators or groups of administrators.
ACS administrator accounts are:
•Unique to ACS and not related to other accounts, such as Windows administrator accounts, ACS TACACS+ accounts, or any other ACS user accounts.
•Unrelated to external ACS users because ACS stores ACS administrator accounts in a separate internal database.
Privileges
The privileges that you grant to each administrator determine access to areas of the web interface. By default, new administrators do not have any privileges.
Administration Control Privilege
Administrators who have the Administration Control privilege can access the complete Administration Control page. For these administrators, this page provides management of administrators and access to pages that control administrative access policy. Restricted administrators can update their passwords. Figure 11-1 shows the access granted by the administration control privilege.
Figure 11-1 The Administration Control Privilege
Examples of privileges that you can grant to administrators or groups of administrators include:
•Shared profile components
•Network, system, and interface configuration
•Administration control
•External user databases, posture validation, and network access profiles (NAPs)
•Reports and activities
For example, suppose you are an administrator with the Administration Control privilege who wants to grant access to the Network Configuration section of the web interface to administrators whose responsibilities include network management. In that case, you check only the Network Configuration privilege for the applicable administrator accounts.
However, you might want to configure all privileges for an administrator or an administrative group. In this case, you click the Grant All (privileges) option.
The web interface also includes a filter that can control the type of access granted to administrators. For example, you can configure an administrator for read-only access to groups of users, or you can grant them add and edit access to the same groups.
Note See Chapter 10, "Logs and Reports," for information on generating reports of privileges granted to administrators.
The Influence of Policy
The Administration Control page also includes links to access, session, and password policy configuration pages. These policies influence all account logins and include the following configuration options:
•Access Policy—IP address limitations, HTTP port restrictions, and secure socket layer (SSL) setup.
•Session Policy—Timeouts, automatic local logins, and response to invalid IP address connections.
•Password Policy—Password validation, lifetime, inactivity, and incorrect attempts.
Group Access Privileges
ACS includes options that determine the type of administrator access to groups or users in groups. When enabled, these options grant an administrator the following privileges with respect to any available group:
•Add or edit user pages
•Edit group pages
•Read access to user pages
•Read access to the group pages
Table 11-1 describes the interaction of the options:
Table 11-1 Group Access Options

Add and Edit Access | Read Access | Result
No | No | Administrators cannot view the users in the Editable groups.
No | Yes | Administrators can view the users in the Editable groups, but Submit is not available.
Yes | No | Full access granted in either case. When enabled, Add/Edit Users in these groups overrides Read Access.
Yes | Yes | Full access granted in either case. When enabled, Add/Edit Users in these groups overrides Read Access.
Password Expirations and Account Lockouts
Successful logins take administrators to the main ACS web interface page. However, all logins are subject to the restrictions that have been configured in Administration Control, including expiration, account lockout, and password configuration options.
Limits set for password lifetime and password inactivity can force password change or account lockout. In addition, the limit set for failed attempts can force password change, and privileged administrators can manually lock accounts. In the case of an account lockout, a privileged administrator must unlock the account.
ACS includes the Account Never Expires option that can globally override automatic account lockouts and password configuration options. If the Account Never Expires option is enabled for a specific administrator, all administrator lockout options are ignored.
In the case of an account lockout, ACS displays the Login Process Fail page. Depending on the options, ACS displays the following pages for changing passwords:
•A password update page appears when you attempt to log in.
•The Change Password page appears when you click the Administration Control button in the navigation bar, if you do not have the Administration Control privilege. The Change Password page includes a list of the password criteria.
Figure 11-2 shows the process flow at login time.
Figure 11-2 Login Process Flow
1 When the administrator reaches the Incorrect Password Attempts limit, ACS locks the account. From that point, even attempts with the correct password fail. However, if Account Never Expires is set, the account cannot be locked out.
2 The administrator has successfully logged in. Therefore, if only the password has been incorrectly used, ACS allows retries even though the administrator has exceeded the Incorrect Password Attempt limit.
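The login-time checks of Figure 11-2 and the preceding section, modelled as an added example (this is not ACS code; the field names, policy limits and dates are assumptions, and lifetime and inactivity expiry are modelled as forcing a password change while the incorrect-attempts limit is modelled as locking the account):

```python
"""Model of the ACS administrator login checks described in this chapter.

Constructed example, not ACS code: field names, policy limits and dates are
assumptions. Lifetime and inactivity limits are modelled as forcing a password
change; the incorrect-attempts limit is modelled as locking the account.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LOCKED = "locked"                    # Login Process Fail page; a privileged admin must unlock
BAD_PASSWORD = "bad_password"        # wrong password, account still usable
CHANGE_PASSWORD = "change_password"  # password update page is shown at login
OK = "ok"                            # main ACS web interface page


@dataclass
class PasswordPolicy:
    """Administrator Password Policy limits (values are assumed, not ACS defaults)."""
    incorrect_attempts_limit: int = 3
    password_lifetime_days: int = 90
    inactivity_days: int = 30


@dataclass
class AdminAccount:
    """Fields of the Add/Edit Administrator page that the login flow consults."""
    name: str
    password: str
    last_password_change: date
    last_activity: date
    account_never_expires: bool = False
    account_locked: bool = False
    incorrect_attempts: int = 0


def attempt_login(acct: AdminAccount, supplied: str,
                  policy: PasswordPolicy, today: date) -> str:
    """Apply the Administration Control policy to one login attempt."""
    # A manual lock (Account Locked) is honoured even when Account Never Expires is set.
    if acct.account_locked:
        return LOCKED
    if supplied != acct.password:
        acct.incorrect_attempts += 1
        # Reaching the Incorrect Password Attempts limit locks the account,
        # unless Account Never Expires makes ACS ignore the lockout options.
        if (acct.incorrect_attempts >= policy.incorrect_attempts_limit
                and not acct.account_never_expires):
            acct.account_locked = True
            return LOCKED
        return BAD_PASSWORD
    # Correct password: the attempt counter resets (assumption), then the
    # lifetime and inactivity limits decide whether a change is forced.
    acct.incorrect_attempts = 0
    expired = today - acct.last_password_change > timedelta(days=policy.password_lifetime_days)
    idle = today - acct.last_activity > timedelta(days=policy.inactivity_days)
    acct.last_activity = today
    return CHANGE_PASSWORD if (expired or idle) else OK


def unlock(acct: AdminAccount, today: date) -> None:
    """A privileged administrator unchecks Account Locked. Per the page, ACS then
    resets Last Password Change and Last Activity to the unlock date."""
    acct.account_locked = False
    acct.incorrect_attempts = 0  # assumption: the counter starts over after an unlock
    acct.last_password_change = today
    acct.last_activity = today


def run_scenarios() -> dict:
    """Walk three constructed accounts through the flow; returns the outcomes."""
    today = date(2024, 3, 1)  # constructed "current" date
    policy = PasswordPolicy()
    # 1. Ordinary account: the third wrong password locks it, and the correct
    #    password is refused until a privileged administrator unlocks it.
    ops = AdminAccount("netops", "Ac5-adm1n", date(2024, 2, 1), date(2024, 2, 20))
    lockout = [attempt_login(ops, "guess", policy, today) for _ in range(3)]
    lockout.append(attempt_login(ops, "Ac5-adm1n", policy, today))
    unlock(ops, today)
    lockout.append(attempt_login(ops, "Ac5-adm1n", policy, today))
    # 2. Account Never Expires: wrong passwords are counted but never lock it.
    aud = AdminAccount("auditor", "R3ad-only", date(2024, 2, 1), date(2024, 2, 20),
                       account_never_expires=True)
    never = [attempt_login(aud, "guess", policy, today) for _ in range(5)]
    never.append(attempt_login(aud, "R3ad-only", policy, today))
    # 3. Password older than the lifetime limit: accepted, but a change is forced.
    old = AdminAccount("legacy", "0ld-pass", date(2023, 10, 1), date(2024, 2, 25))
    expired = attempt_login(old, "0ld-pass", policy, today)
    return {"lockout": lockout, "never_expires": never, "expired": expired}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```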
Support for Regulatory Compliance
ACS includes options that can support regulatory compliance. For example, an administrator with the Administration Control privilege can decide whether to grant the Administration Control privilege to other administrators. Administrators who do not have this privilege cannot access the administrator configuration details.
All administrator logins are subject to the policy that you configure for passwords and accounts, unless you check the Account Never Expires option. For example, ACS provides configurable limits on password lifetime, activity, and incorrect password attempts. These options can force password change and can result in automatic account lockout. Privileged administrators can also lock out an account. In addition, you can monitor the last password change and last account activity for each administrator.
In addition, you can restrict access to reports. For example, you can enable or disable an administrator's ability to change the Administration Audit report configuration.
You can also configure administrator access to user groups. You can selectively allow administrators to set up groups and to add or edit users. ACS also provides configuration of administrator read access to users and groups.
Logging In
The ACS login page is the access point for the web interface. If your valid password expires, or if a change in policy affects a password, ACS forces you to change your password when you log in. If you are locked out, contact an administrator who has the Administration Control privilege.
Note Administrators must have a Windows domain administrator account in order to log in and manage ACS services. However, Windows domain administrators cannot log in to ACS. Only administrators with valid ACS accounts can log in to ACS. For information, see the Installation Guide for Cisco Secure ACS for Windows Release 4.1 or the Installation Guide for Cisco Secure ACS Solution Engine Release 4.1.
ACS for Windows
To log in from a client, you must have an administrator account. However, the Session Policy includes an Allow automatic local login option. If this option is enabled, you can bypass the login page on the server that is running ACS. This option is available for unintentional lockouts. For more information about automatic local logins, see Configuring Session Policy.
ACS Solution Engine
To access the ACS web interface from a browser, log in to ACS by using an administrator account.
The first administrator to log in must create the administrator name and password for the first account by using the Add ACS Admin command in the Command Line Interface (CLI). For complete information on the CLI, see the "Administering Cisco Secure ACS Solution Engine" chapter of the Installation Guide for Cisco Secure ACS Solution Engine Release 4.1.
In cases where ACS has locked out all administrators, use the Unlock <administrator name> command from the CLI. Only an administrator with the Administration Control privilege can use this command. For complete information on the CLI, see the "Administering Cisco Secure ACS Solution Engine" chapter of the Installation Guide for Cisco Secure ACS Solution Engine Release 4.1.
To log in:
Step 1 To start ACS, click the ACS Admin button in the Cisco Secure ACS program group.
The Cisco Secure ACS login page appears.
Step 2 Type your Username and Password.
Step 3 Click the Login button.
The Cisco Secure ACS main page appears.
Adding, Editing, and Deleting Accounts
Administrators with the Administration Control privilege can add, edit, and delete administrator accounts.
This section contains the following topics:
•Adding or Editing Accounts
•Deleting an Account
Adding or Editing Accounts
To add or edit an administrator account:
Step 1 In the navigation bar, click Administration Control.
The Administration Control page appears if the current account has the Administration Control privilege. Otherwise, a Change Password page appears.
Step 2 Click Add Administrator, and the Add Administrator page appears; or, click the name of the administrator account that you want to edit and the Edit Administrator administrator_name page appears.
Step 3 Type the Administrator Name, Password, and Password Confirmation for new accounts. If necessary, change the Password and Password Confirmation fields for an existing account. For information about these fields, see Add Administrator and Edit Administrator Pages.
Step 4 Check Account Never Expires to prevent the account for this administrator from expiring. For information, see Add Administrator and Edit Administrator Pages.
Step 5 Check the Account Locked check box to lock this account. If the Account Locked check box is checked, uncheck the box to unlock the account.
Step 6 Click Grant All or Revoke All to globally add or remove all privileges. For information on these commands, see Add Administrator and Edit Administrator Pages. Removing privileges from an existing account disables the account.
Step 7 Move the group names between the Available groups and Editable groups list boxes. Groups in the Editable groups list, and associated users, will be available to the current administrator according to the access options that you check.
Step 8 Check the appropriate options to grant access privileges to the Editable groups and associated users. For information on these options, see Add Administrator and Edit Administrator Pages.
Step 9 Check the appropriate options in the Shared Profile Components area to grant access to specific areas of the Shared Profile Components section of the web interface. For information on these options, see Add Administrator and Edit Administrator Pages. For information on shared profile components, see Chapter 4, "Shared Profile Components."
Step 10 Check Network Configuration to grant access to the Network Configuration section of the web interface. For information on network configuration, see Chapter 3, "Network Configuration."
Step 11 Check options in the System Configuration area to grant access to pages in the System Configuration section of the web interface. For information on these options, see Add Administrator and Edit Administrator Pages. For information on system configuration, see Chapter 7, "System Configuration: Basic," Chapter 8, "System Configuration: Advanced," and Chapter 10, "Logs and Reports."
Step 12 Check the Interface Configuration option to grant access to the Interface Configuration section of the web interface. For information on interface configuration, see Chapter 2, "Using the Web Interface."
Step 13 Check the Administration Control option to grant access to the Administration Control section of the web interface.
Step 14 Check the External User Databases option to grant access to the External User Databases section of the web interface. For information on external user databases, see Chapter 12, "User Databases."
Step 15 Check the Posture Validation option to grant access to the Posture Validation section of the web interface. For information on posture validation, see Chapter 13, "Posture Validation."
Step 16 Check the Network Access Profiles option to grant access to the Network Access Profiles section of the web interface. For information on network access profiles, see Chapter 14, "Network Access Profiles."
Step 17 Check options in the Reports and Activities area to grant access to pages in the Reports and Activities section of the web interface. For information on these options, see Add Administrator and Edit Administrator Pages. For information on reports, see Chapter 10, "Logs and Reports."
Step 18 Click Submit.
ACS saves the new administrator account. The new account appears in the list of administrator accounts on the Administration Control page.
Deleting an Account
You use this feature to delete administrator accounts. You can disable an account by clicking the Revoke All button. However, we recommend that you delete any unused administrator accounts.
To delete an account:
Step 1 In the navigation bar, click Administration Control.
ACS displays the Administration Control page.
Step 2 Click the name of the administrator account that you want to delete.
The Edit Administrator administrator_name page appears, where administrator_name is the name of the administrator account that you have selected.
Step 3 Click the Delete button.
ACS displays a confirmation dialog box.
Step 4 Click OK.
ACS deletes the administrator account. The Administrators list on the Administration Control page no longer contains the administrator account.
Configuring Policy Options
The options on these pages control access, session, and password policies.
This section contains the following options:
•Configuring Access Policy
•Configuring Session Policy
•Configuring Password Policy
Configuring Access Policy
If you have the Administration Control privilege, you can use the Access Policy feature to limit access by IP address and by the TCP port range used for administrative sessions. You can also enable the secure socket layer (SSL) for access to the web interface.
Before You Begin
If you want to enable the SSL for administrator access, you must have completed the steps in Installing an ACS Server Certificate, page 9-21, and Adding a Certificate Authority Certificate, page 9-24. After you have enabled SSL, ACS begins using the SSL at the next administrator login. This change does not affect current administrator sessions. In the absence of a certificate, ACS displays an error message when you attempt to configure SSL.
To set up an ACS Access Policy:
Step 1 In the navigation bar, click Administration Control.
ACS displays the Administration Control page.
Step 2 Click Access Policy.
The Access Policy Setup page appears.
Step 3 Click the appropriate IP Address Filtering option. For information on these options, see Access Policy Setup Page.
Step 4 Type the appropriate IP address ranges in accordance with the IP Address Filtering option.
Step 5 Click the appropriate HTTP Port Allocation option to allow all ports or restrict access to certain ports. If you restrict access, type the range of the restricted ports. For information on these options, see Access Policy Setup Page.
Step 6 Check the SSL option if you want ACS to use SSL for administrative sessions. For information on this option, see Access Policy Setup Page.
Step 7 Click Submit.
ACS saves and begins enforcing the access policy settings.
Configuring Session Policy
If you have the Administration Control privilege, you can use the Session Policy controls to enable or disable:
•Local logins
•Responses to invalid IP address connections
To set up ACS session policy:
Step 1 In the navigation bar, click Administration Control.
ACS displays the Administration Control page.
Step 2 Click Session Policy.
The Session Policy Setup page appears.
Step 3 Click the appropriate policies and type the appropriate information to set up the policy. For information on these options and fields, see Session Policy Setup Page.
Step 4 Click Submit.
ACS saves and begins enforcing the session policy settings.
Configuring Password Policy
You can access the Administrator Password Policy page from the Password Policy button on the Add Administrator page. If you do not configure the password policy, any administrator can log in, create administrators, and assign privileges.
The Administrator Password Policy provides controls that:
•Constrain complexity
•Restrict lifetime
•Restrict inactive accounts
•Limit incorrect login attempts
To set up a password policy:
Step 1 In the navigation bar, click Administration Control.
ACS displays the Administration Control page.
Step 2 Click Password Policy.
The Administrator Password Policy page appears.
Step 3 Click the appropriate options and type the appropriate values. For information on these options and fields, see Administrator Password Policy Page.
Step 4 Click Submit.
ACS saves and begins enforcing the password policy settings at the next login.
Administration Control Pages Reference
The following topics describe the pages accessed from the Administration Control button on the navigation bar:
•Administration Control Page
•Add Administrator and Edit Administrator Pages
•Administrator Password Policy Page
•Access Policy Setup Page
•Session Policy Setup Page
Administration Control Page
The Administration Control page is the starting point for configuring administrator accounts and policies. Only administrators with the Administration Control privilege can access this page.
To open this page, click the Administration Control button in the navigation bar.
Table 11-2 Administration Control (Privileged Administrator)

Option | Description
Administrators | Lists all configured administrators.
<administrator_name> | Opens the Edit Administrator administrator_name page for the selected account.
Add Administrator | Opens the Add Administrator page. For information, see Add Administrator and Edit Administrator Pages.
Access Policy | Opens the Access Policy Setup page, which controls network access for browsers. For information, see Access Policy Setup Page.
Session Policy | Opens the Session Policy Setup page, which provides configuration details for HTTP sessions. For information, see Session Policy Setup Page.
Password Policy | Opens the Administrator Password Policy page. For information, see Administrator Password Policy Page.
Related Topics
•Adding or Editing Accounts
•Deleting an Account
•Configuring Access Policy
•Configuring Session Policy
•Configuring Password Policy
Add Administrator and Edit Administrator Pages
Use the areas on the Add Administrator and Edit Administrator pages to:
•Add an administrator (Add Administrator page only)
•Add, edit, and monitor passwords
•Monitor and reenable locked out accounts
•Enable or disable privileges
To open these pages, click Administration Control, and then click Add Administrator or click <administrator_name> to edit an administrator.
Table 11-3 describes the following options:
•Administrator Details
•Administrator Privileges
•User & Group Setup
•Shared Profile Components
•Network Configuration
•System Configuration
•Interface Configuration
•Administration Control
•External User Databases
•Posture Validation
•Network Access Profiles
•Reports & Activity
Table 11-3 Add Administrator and Edit Administrator Pages

Option | Description

Administrator Details
Administrator Name (appears only on the Add Administrator page) | The login name for the ACS administrator account. Administrator names can contain 1 to 32 characters, excluding the left angle bracket (<), the right angle bracket (>), and the backslash (\). An ACS administrator name does not have to match a network user name.
    The administrator name does not appear on the Edit Administrator page because ACS does not allow name changes for previously configured administrators. To change names, delete the account and configure an account with a new name. To disable an account, revoke all privileges.
Password | The password can match the password that the administrator uses for dial-in authentication, or it can be a different password. ACS enforces the options in the Password Validation Options section on the Administrator Password Policy page.
    Passwords must be at least four characters long and contain at least one numeric character. The password cannot include the username or the reverse username, must not match any of the previous four passwords, and must consist of ASCII characters. If a password fails these criteria, ACS displays the password criteria.
    If the password policy changes and the password does not change, the administrator remains logged in. ACS enforces the new password policy at the next login.
Confirm Password | Verifies the password in the Password field. If the two entries differ, ACS displays an error message.
Last Password Change (Edit Administrator page only) | Displays the date on which the password was last changed, whether through administrative action on this page or through expiration of a password during login. (Read-only) Always displays the change date, not the expiration date. Does not appear until a new account has been submitted.
Last Activity (Edit Administrator page only) | Displays the date of the last successful login. (Read-only) Does not appear until a new account has been submitted.
Account Never Expires | Prevents account lockout by overriding the lockout options on the Administrator Password Policy page, with the exception of manual lockout. Therefore, the account never expires, but the password change policy remains in effect. The default value is unchecked (disabled).
Account Locked | Prevents an administrator who was locked out due to the lockout options on the Password Policy page from logging in. When unchecked (disabled), this option unlocks an administrator who was locked out.
    Administrators who have the Administration Control privilege can use this option to manually lock out an account or reset locked accounts. The system displays a message that explains the reason for a lockout.
    When an administrator unlocks an account, ACS resets the Last Password Change and the Last Activity fields to the day on which the administrator unlocks the account.
    The reset of a locked account does not affect the configuration of the lockout and unlock mechanisms for failed attempts.
Administrator Privileges | Contains the privilege options for the User Setup and Group Setup sections of the web interface.
    By default, a remote administrator does not have privileges.
Grant All | Enables all privileges. ACS moves all user groups to the Editable Groups list. A privileged administrator can also grant privileges to each ACS administrator by assigning privileges on an individual basis. In either case, the administrator can individually override options enabled by Grant All.
    By default, ACS restricts all privileges for new administrator accounts.
Revoke All | Clears (restricts) all privileges. ACS removes all user groups from the Editable Groups list. Revoking all privileges for an existing account effectively disables the account. The administrator can individually override options disabled by Revoke All.
User & Group Setup
Add/Edit users in these groups | Enables an administrator to add or edit users, and to assign users to the groups in the Editable groups list.
    When enabled, this setting overrides the settings in the Read access to users in these groups option.
Setup of these groups | Enables an administrator to edit the settings for the groups in the Editable groups list.
    When enabled, this setting overrides the settings in the Read access of these groups option.
Read access to users in these groups | Enables read-only access to users in the Editable groups.
    If the Add/Edit users in these groups option is checked (enabled), it does not matter whether this setting is enabled or disabled: the Add/Edit users in these groups setting overrides this setting, and the administrator can edit all users in the Editable groups.
    If the Add/Edit users in these groups option is unchecked (disabled):
    •Check this check box to grant the administrator read access to the users in the Editable groups. In this case, the administrator cannot submit changes.
    •When unchecked, administrators cannot view users.
Read access of these groups | Enables read-only access to the groups in the Editable groups list.
    If the Setup of these groups option is checked (enabled), it does not matter whether this setting is enabled or disabled: the Setup of these groups setting overrides this setting, and the administrator can edit the Editable groups.
    If the Setup of these groups option is unchecked (disabled):
    •Check this check box to grant the administrator read access to the Editable groups list. In this case, the administrator cannot submit changes.
    •When unchecked, administrators cannot view groups.
Available groups | Lists all user groups. Administrators do not have access to the groups in this list.
Editable groups | Lists the user groups to which administrators have access. Other options in the User & Group Setup area determine the limits on administrator access to these groups and associated users in this list.
    Click >> to add all groups, or click << to remove all groups. Click > to add a single group, or click < to remove a single group.
    Note The access settings in this section do not apply to group mappings for external authenticators.
Shared Profile Components
Network Access Restriction Sets | Enables full access to the Network Access Restriction Sets feature.
Network Access Filtering Sets | Enables full access to the Network Access Filtering Sets feature.
Downloadable ACLs | Enables full access to the Downloadable PIX ACLs feature.
RADIUS Authorization Components | Enables full access to RADIUS Authorization Components (RACs).
Create new Device Command Set Type | Allows the administrator account to be used as valid credentials by another Cisco application for adding new device command set types. New device command set types that are added to ACS by using this privilege appear in the Shared Profile Components section of the web interface.
Shell Command Authorization Sets | Enables full access to the Shell Command Authorization Sets feature.
PIX/ASA Command Authorization Sets | Enables full access to the PIX/ASA Command Authorization Sets feature.
    Note Additional command authorization set privilege options can appear if other Cisco network management applications, such as CiscoWorks, have updated the configuration of ACS.
Network Configuration | Enables full access to the features in the Network Configuration section of the web interface.
System Configuration | Contains the privilege options for the features in the System Configuration section of the web interface. For each of the features, enabling the option grants full access to the feature.
Service Control | Enables access to configuration of the service log files, and to stopping and restarting ACS services.
Date/Time Format Control | Enables access to control of date formats.
Logging Control | Enables access to report options associated with the Logging Configuration page. To access the Logging Configuration page, click System Configuration, then click Logging.
Administration Audit Configuration | Enables this administrator to change the Administration Audit report configuration.
Password Change Configuration | Enables this administrator to change the Password Change report configuration.
Password Validation | Enables access to validation parameters for user passwords.
DB Replication | Enables access to ACS internal database replication.
RDBMS Synchronization | Enables access to RDBMS synchronization.
IP Pool Address Recovery | Enables access to IP pool address recovery.
IP Pool Server Configuration | Enables access to the configuration of IP pools.
ACS Backup | Enables access to ACS backup.
ACS Restore | Enables access to ACS restore.
ACS Service Management | Enables access to system monitoring and event logging.
VoIP Accounting Configuration | Enables access to the VoIP accounting configuration.
ACS Certificate Setup | Enables access to ACS certificate setup.
Global Authentication Setup | Grants privilege for global authentication setup. Any administrator who requires access to the EAP-FAST Files Generation configuration page must have the Global Authentication Setup privilege enabled.
NAC Attributes management (ACS Solution Engine) | Enables access to NAC attribute management.
Appliance Configuration (ACS Solution Engine) | Enables access to appliance configuration.
Support Operations (ACS Solution Engine) | Enables access to support operations.
View Diagnostic Logs (ACS Solution Engine) | Enables access to diagnostic logs.
Appliance Upgrade Status (ACS Solution Engine) | Enables access to appliance upgrade status reports.
Interface Configuration | Enables full access to the features in the Interface Configuration section of the web interface.
Administration Control | Enables full access to the features in the Administration Control section of the web interface.
External User Databases | Enables full access to the features in the External User Databases section of the web interface.
Posture Validation | Enables access to Network Admission Control (NAC) configuration.
Network Access Profiles | Enables access to service-based policy configuration by using NAPs.
Reports & Activity | Click the Reports and Activities button in the navigation bar to access these logs.
TACACS+ Accounting | Enables access to the TACACS+ Accounting log, which includes TACACS+ session information.
TACACS+ Administration | Enables access to the TACACS+ Administration log, which lists configuration commands.
RADIUS Accounting | Enables access to the RADIUS Accounting log, which includes RADIUS session information.
VoIP Accounting | Enables access to the VoIP Accounting log, which includes VoIP session information.
Passed Authentications | Enables access to the Passed Authentications log, which lists successful authentication requests.
Failed Attempts | Enables access to the Failed Attempts log, which lists authentication and authorization failures.
Logged-in Users | Enables access to the Logged-in Users log, which lists all users that receive services from AAA clients.
Purge of Logged-in Users | If users are listed as logged in but the connection to the AAA client has been lost and the users are no longer actually logged in, click Purge to terminate that session's activity. Purging the user from this list does not log the user off the AAA client, but terminates the session record in accounting. To print this list, right-click anywhere in the right window and print the window from the browser.
Disabled Accounts | Enables access to the Disabled Accounts log, which lists all disabled user accounts.
ACS Backup and Restore | Enables access to the ACS Backup and Restore log, which lists backup and restore activity.
DB Replication | Enables access to the Database Replication log, which lists database replication activity.
RDBMS Synchronization | Enables access to the RDBMS Synchronization log, which lists RDBMS synchronization activity.
Administration Audit | Enables access to the Administration Audit log, which lists system administrator actions.
ACS Service Monitor | Enables access to the ACS Service Monitoring log, which lists ACS service starts and stops.
User Change Password | Enables access to the User Password Changes log, which lists user-initiated password changes.
Entitlement Reports | Enables access to reports of user and administrator entitlements.
Appliance Status (ACS Solution Engine) | Enables access to the Appliance Status log, which logs resource utilization.
Appliance Administration Audit (ACS Solution Engine) | Enables access to the Appliance Administration Audit log, which lists activity on the serial console.
Related Topics
•Service Control, page 7-1
•Date Format Control, page 7-3
•Local Password Management, page 7-4
•ACS Backup, page 7-7
•ACS System Restore, page 7-13
•ACS Active Service Management, page 7-17
•VoIP Accounting Configuration, page 7-20
•Appliance Configuration (ACS Solution Engine Only), page 7-20
•Support Page (ACS Solution Engine Only), page 7-23
•Viewing or Downloading Diagnostic Logs (ACS Solution Engine Only), page 7-25
•Appliance Upgrade Status (ACS Solution Engine Only), page 7-26
•ACS Internal Database Replication, page 8-1
•RDBMS Synchronization, page 8-17
•IP Pools Server, page 8-32
•IP Pools Address Recovery, page 8-37
•Global Authentication Setup, page 9-19
•ACS Certificate Setup, page 9-20
•NAC Attribute Management (ACS Solution Engine Only), page 8-37
•About ACS Logs and Reports, page 10-1
•Password Expirations and Account Lockouts
•Adding, Editing, and Deleting Accounts
Administrator Password Policy Page
Use the Administrator Password Policy page to set password validation, lifetime, inactivity, and incorrect attempt options. If you do not configure the password policy, any administrator can log in, create administrators, and assign privileges.
To open this page, click Administration Control and then click Password Policy.
ACS returns an error when:
•The specification is out of range.
•Users do not meet the criteria on this page.
Table 11-4 describes the following options:
•Password Validation Options
•Password Lifetime Options
•Password Inactivity Options
•Incorrect Password Attempt Options
Table 11-4 Administrator Password Policy
Option | Description
Password Validation Options
Password may not contain the username | If enabled, the password cannot contain the username or the reversed username.
Minimum length n characters | n specifies the minimum length of the password (the default is 4, the range is 4 to 20).
Password must contain: | Use these options to determine password complexity constraints.
upper case alphabetic characters | If enabled, the password must contain uppercase alphabetic characters.
lower case alphabetic characters | If enabled, the password must contain lowercase alphabetic characters.
numeric characters | If enabled, the password must contain numeric characters.
non alphanumeric characters | If enabled, the password must contain nonalphanumeric characters (for example, @).
Password must be different from the previous n versions | If enabled, the password must be different from the previous n versions (the default is 1, the range is 1 to 99).
Password Lifetime Options
Following a change of password: | Use these options to set restrictions on the lifetime of administrator passwords. The value n represents the number of days that have passed since the last time the password was changed.
The password will require change after n days | Following a change of password, if enabled, n specifies the number of days before ACS requires a change of password due to password age (the default is 30, the range is 1 to 365). When The Administrator will be locked out after n days option is also checked (enabled), ACS compares the two Password Lifetime Options and applies the greater value.
The Administrator will be locked out after n days | Following a change of password, if enabled, n specifies the number of days before ACS locks out the associated administrator account due to password age (the default is 30, the range is 1 to 365).
Password Inactivity Options
Following last account activity: | Use these options to place restrictions on the use of inactive administrator accounts. The value n represents the number of days that have passed since the last activity (administrator login).
The password will require change after n days | Following the last account activity, if enabled, n specifies the number of days before ACS requires a change of password due to password inactivity (the default is 30, the range is 1 to 365). When The Administrator will be locked out after n days option is also checked (enabled), ACS compares the two Password Inactivity Options and applies the greater value.
Note For additional security, ACS does not warn users who are approaching the limit for password inactivity.
The Administrator will be locked out after n days | Following the last account activity, if enabled, n specifies the number of days before ACS locks out the associated administrator account due to password inactivity (the default is 30, the range is 1 to 365).
Note For additional security, ACS does not warn users who are approaching the limit for account inactivity.
Incorrect Password Attempt Options
Lock out Administrator after n successive failed attempts | If enabled, n specifies the allowable number of incorrect password attempts. When checked, n cannot be set to zero. If disabled (not checked), ACS allows unlimited successive failed login attempts (the default is 3, the range is 1 to 98).
Note For additional security, ACS does not warn users who are approaching the limit for failed attempts. If the Account Never Expires option is enabled for a specific administrator, this option is ignored.
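The following validator, added here as an example and not Cisco's code, applies the Password Validation Options of Table 11-4 to a candidate administrator password and reports every rule it violates. The PasswordPolicy class, the function names, the case-insensitive username comparison and the plaintext password history are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Assumed model of the Password Validation Options (names are not from ACS)."""
    forbid_username: bool = True   # "Password may not contain the username"
    min_length: int = 4            # "Minimum length n characters", range 4 to 20
    require_upper: bool = True     # "Password must contain:" complexity classes
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    history_depth: int = 1         # "different from the previous n versions", 1 to 99


def validate_admin_password(password, username, previous, policy):
    """Return the list of violated rules; an empty list means the password is accepted.

    previous: earlier passwords, oldest first (constructed plaintext for illustration;
    a real implementation compares salted hashes instead).
    """
    # Mirror the page: an out-of-range specification is itself an error.
    if not 4 <= policy.min_length <= 20:
        raise ValueError("minimum length must be 4 to 20")
    if not 1 <= policy.history_depth <= 99:
        raise ValueError("history depth must be 1 to 99")
    errors = []
    u, p = username.lower(), password.lower()   # assumption: case-insensitive check
    if policy.forbid_username and u and (u in p or u[::-1] in p):
        errors.append("contains username or reversed username")
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    classes = [
        (policy.require_upper, str.isupper, "missing uppercase alphabetic characters"),
        (policy.require_lower, str.islower, "missing lowercase alphabetic characters"),
        (policy.require_digit, str.isdigit, "missing numeric characters"),
        (policy.require_symbol, lambda c: not c.isalnum(), "missing nonalphanumeric characters"),
    ]
    for required, test, message in classes:
        if required and not any(test(c) for c in password):
            errors.append(message)
    # Only the most recent history_depth passwords count.
    if password in previous[-policy.history_depth:]:
        errors.append(f"matches one of the previous {policy.history_depth} passwords")
    return errors


if __name__ == "__main__":
    # Constructed input: the candidate is the username "acsadmin" reversed plus a digit.
    print(validate_admin_password("nimdasca1", "acsadmin", [], PasswordPolicy()))
```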
Access Policy Setup Page
Use the Access Policy Setup page to configure access for IP addresses and ranges, to configure HTTP access, and to set up the Secure Sockets Layer (SSL).
To open the Access Policy Setup page, click Administration Control, and then click Access Policy.
Table 11-5 describes the following options:
•IP Address Filtering
•IP Address Ranges
•HTTP Configuration
•Secure Socket Layer Setup
Table 11-5 Access Policy Options
Option | Description
IP Address Filtering
Allow all IP addresses to connect | Enables remote access to the web interface from any IP address.
Allow only listed IP addresses to connect | Restricts remote access to the web interface to IP addresses within the specified IP Address Ranges.
Reject connections from listed IP addresses | Restricts remote access to the web interface to IP addresses outside of the specified IP Address Ranges.
IP filtering operates on the IP address received in an HTTP request from a remote administrator's web browser. If the browser is configured to use an HTTP proxy server, or the browser runs on a workstation behind a network device performing network address translation, IP filtering applies only to the IP address of the HTTP proxy server or the NAT device.
IP Address Ranges | The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, the range includes the Start and End IP addresses.
Use dotted-decimal format. The IP addresses that define a range must differ only in the last octet (Class C format).
Start IP Address | Defines the lowest included IP address in the specified range (up to 16 characters).
End IP Address | Defines the highest included IP address in the specified range (up to 16 characters).
HTTP Configuration
HTTP Port Allocation
Allow any TCP ports to be used for Administration HTTP Access | Enables ACS to use any valid TCP port for remote access to the web interface.
Restrict Administration Sessions to the following port range From Port n to Port n | Restricts the ports that ACS can use for remote access to the web interface. Use the boxes to specify the port range (up to five digits per box). The range is always inclusive; that is, the range includes the start and end port numbers. The size of the specified range determines the maximum number of concurrent administrative sessions.
ACS uses port 2002 to start all administrative sessions. Port 2002 does not need to be in the port range. Also, ACS does not allow definition of an HTTP port range that consists only of port 2002. The port range must consist of at least one port other than port 2002.
A firewall configured to permit HTTP traffic over the ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port that a web browser must address to initiate an administrative session.
We do not recommend allowing administration of ACS from outside a firewall. If access to the web interface from outside a firewall is necessary, keep the HTTP port range as narrow as possible. A narrow range can help to prevent accidental discovery of an active administrative port by unauthorized users. An unauthorized user would have to impersonate, or "spoof," the IP address of a legitimate host to make use of the active administrative session HTTP port.
Secure Socket Layer Setup
Use HTTPS Transport for Administration Access | Enables ACS to use the secure socket layer (SSL) protocol to encrypt HTTP traffic between the CSAdmin service and the web browser that accesses the web interface. This option enables encryption of all HTTP traffic between the browser and ACS, as reflected by URLs that begin with HTTPS. Most browsers include an indicator for SSL-encrypted connections.
To enable SSL, first install a server certificate and a certification authority certificate. Choose System Configuration > ACS Certificate Setup to access the installation process. With SSL enabled, ACS begins using HTTPS at the next administrator login. Current administrator sessions are unaffected. In the absence of a certificate, ACS displays an error.
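As an added example (not Cisco's code), the functions below model the Access Policy rules of Table 11-5: validation of an IP Address Ranges row, the three IP Address Filtering modes applied to the address seen in the HTTP request, and the HTTP Port Allocation rules around port 2002. Function and parameter names, the mode strings and the sample addresses are assumptions; the sample addresses come from the RFC 5737 documentation networks.

```python
import ipaddress


def parse_ip_range(start, end):
    """Validate one IP Address Ranges row: dotted-decimal, inclusive, and the two
    addresses may differ only in the last octet (Class C format)."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo.packed[:3] != hi.packed[:3]:
        raise ValueError("start and end addresses must differ only in the last octet")
    if hi < lo:
        raise ValueError("end address precedes start address")
    return lo, hi


def admin_access_allowed(client_ip, mode, ranges):
    """Apply the IP Address Filtering mode to the source address of the HTTP request.

    mode: 'any', 'allow_listed' or 'reject_listed' (assumed names for the three options).
    ranges: up to ten (lo, hi) pairs from parse_ip_range. Behind an HTTP proxy or a NAT
    device, client_ip is the proxy/NAT address, so filtering cannot see the workstation.
    """
    ip = ipaddress.IPv4Address(client_ip)
    listed = any(lo <= ip <= hi for lo, hi in ranges)
    if mode == "any":
        return True
    if mode == "allow_listed":
        return listed
    if mode == "reject_listed":
        return not listed
    raise ValueError(f"unknown filtering mode: {mode}")


def plan_http_port_range(first, last):
    """Check an HTTP Port Allocation range and derive what a firewall must permit:
    the inclusive range itself plus port 2002, on which every session starts."""
    if not 1 <= first <= last <= 65535:
        raise ValueError("port range out of order or out of range")
    if first == last == 2002:
        raise ValueError("the range must contain at least one port other than 2002")
    size = last - first + 1  # range size == maximum concurrent administrative sessions
    if first <= 2002 <= last:
        firewall_ports = [(first, last)]
    else:
        firewall_ports = [(2002, 2002), (first, last)]
    return {"max_sessions": size, "firewall_ports": firewall_ports}


if __name__ == "__main__":
    ranges = [parse_ip_range("192.0.2.10", "192.0.2.20")]  # constructed sample row
    print(admin_access_allowed("192.0.2.15", "allow_listed", ranges))
    print(plan_http_port_range(2010, 2014))
```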
Related Topics
•Installing an ACS Server Certificate, page 9-21
•Adding a Certificate Authority Certificate, page 9-24
Session Policy Setup Page
Use the Session Policy Setup page to configure session attributes that include timeout, automatic local logins (ACS for Windows only), and response to invalid IP address connections.
To open this page, click Administration Control, and then click Session Policy.
Table 11-6 describes the session configuration options.
Table 11-6 Session Policy
Option | Description
Session Configuration
Session idle timeout (minutes) | Specifies the time, in minutes, that an administrative session must remain idle before ACS terminates the connection (four-digit maximum, 5 to 1439).
When an administrative session terminates, ACS displays a dialog box asking whether the administrator wants to continue. If the administrator chooses to continue, ACS starts a new administrative session.
This parameter applies only to the ACS administrative session in the browser. It does not apply to an administrative dial-up session.
Allow Automatic Local Login (ACS for Windows) | Enables administrators to start an administrative session without logging in, if they are using a browser on the computer that runs ACS. ACS uses a default administrator account named local_login to conduct these sessions.
When unchecked (disabled), administrators must log in using administrator names and passwords.
Note To prevent accidental lockout when there are no defined administrator accounts, ACS does not require an administrator name and password for local access to ACS.
The local_login administrator account requires the Administration Control privilege. ACS records administrative sessions that use the local_login account in the Administrative Audit report under the local_login administrator name.
Respond to invalid IP address connections | Enables ACS to send an error message in response to attempts to start a remote administrative session by using an IP address that is invalid according to the IP Address Range settings in the Access Policy. If this check box is clear, ACS does not display an error message when an invalid remote connection attempt is made (the default is enabled).
Disabling this option can help to prevent unauthorized users from discovering ACS.