User Guide for Cisco Secure Access Control Server 4.1
User Management

Table Of Contents

User Management

About User Setup Features and Functions

About User Databases

Basic User Setup Options

Adding a Basic User Account

Setting Supplementary User Information

Setting a Separate CHAP/MS-CHAP/ARAP Password

Assigning a User to a Group

Setting the User Callback Option

Assigning a User to a Client IP Address

Setting Network Access Restrictions for a User

Setting Max Sessions Options for a User

Options for Setting User Usage Quotas

Setting Options for User Account Disablement

Assigning a Downloadable IP ACL to a User

Advanced User Authentication Settings

TACACS+ Settings (User)

Configuring TACACS+ Settings for a User

Configuring a Shell Command Authorization Set for a User

Configuring a PIX Command Authorization Set for a User

Configuring Device-Management Command Authorization for a User

Configuring the Unknown Service Setting for a User

Advanced TACACS+ Settings for a User

Setting Enable Privilege Options for a User

Setting TACACS+ Enable Password Options for a User

Setting TACACS+ Outbound Password for a User

RADIUS Attributes

Setting IETF RADIUS Parameters for a User

Setting Cisco IOS/PIX 6.0 RADIUS Parameters for a User

Setting Cisco Airespace RADIUS Parameters for a User

Setting Cisco Aironet RADIUS Parameters for a User

Setting Ascend RADIUS Parameters for a User

Setting Cisco VPN 3000/ASA/PIX 7.x+ RADIUS Parameters for a User

Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User

Setting Microsoft RADIUS Parameters for a User

Setting Nortel RADIUS Parameters for a User

Setting Juniper RADIUS Parameters for a User

Setting BBSM RADIUS Parameters for a User

Setting Custom RADIUS Attributes for a User

User Management

Listing All Users

Finding a User

Disabling a User Account

Deleting a User Account

Resetting User Session Quota Counters

Resetting a User Account after Login Failure

Removing Dynamic Users

Saving User Settings


User Management


This chapter contains information about setting up and managing user accounts in the Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS.

This chapter contains the following topics:

About User Setup Features and Functions

About User Databases

Basic User Setup Options

Advanced User Authentication Settings

User Management


Caution Settings at the user level override settings that you configured at the group level.

Before you configure User Setup, you should understand how this section functions. ACS dynamically builds the User Setup section interface depending on the configuration of your Authentication, Authorization, and Accounting (AAA) client and the security protocols that you use. That is, what you see under User Setup is affected by settings in the Network Configuration and Interface Configuration sections.

About User Setup Features and Functions

The User Setup section of the ACS web interface is the centralized location for all operations regarding user account configuration and administration.

From within the User Setup section, you can:

View a list of all users in the ACS internal database.

Find a user.

Add a user.

Assign the user to a group, including Voice-over-IP (VoIP) groups.

Edit user account information.

Establish or change user authentication type.

Configure callback information for the user.

Set network-access restrictions (NARs) for the user.

Configure Advanced Settings.

Set the maximum number of concurrent sessions (Max Sessions) for the user.

Disable or reenable the user account.

Delete the user.

About User Databases

ACS authenticates users against one of several possible databases, including its ACS internal database. Regardless of which database you configure ACS to use when authenticating a user, every user has an account in the ACS internal database, and authorization is always performed against the user records in the ACS internal database. The following list describes the basic user databases that are used and points to more detail on each:

ACS internal database—Authenticates a user from the local ACS internal database. For more information, see ACS Internal Database, page 12-1.


Tip The following authentication types appear in the web interface only when the corresponding external user database has been configured in the Database Configuration area of the External User Databases section.


Windows Database—Authenticates a user with an existing account in the Windows user database in the local domain or in domains that you configure in the Windows user database. For more information, see Windows User Database, page 12-5.

Generic LDAP—Authenticates a user from a Generic Lightweight Directory Access Protocol (LDAP) external user database (including Network Directory Services (NDS) users). For more information, see Generic LDAP, page 12-22.

ODBC Database (ACS for Windows only)—Authenticates a user from an Open Database Connectivity-compliant database server. For more information, see ODBC Database (ACS for Windows Only), page 12-35.

LEAP Proxy RADIUS Server Database—Authenticates a user from a Lightweight and Efficient Application Protocol (LEAP) Proxy Remote Access Dial-In User Service (RADIUS) server. For more information, see LEAP Proxy RADIUS Server Database (Both Platforms), page 12-48.

Token Server—Authenticates a user from a token server database. ACS supports the use of a variety of token servers for the increased security that one-time passwords provide. For more information, see Token Server User Databases, page 12-50.

Basic User Setup Options

This section presents the basic tasks that you perform when configuring a new user. At its most basic level, configuring a new user requires only three steps:


Step 1 Specify a name.

Step 2 Specify an external user database or a password.

Step 3 Submit the information.

The steps for editing user account settings are nearly identical to those for adding a user account; the difference is that, to edit, you navigate directly to the field or fields that you want to change. You cannot edit the name that is associated with a user account. To change a username, you must delete the user account and create another.

Which other procedures you perform when setting up new user accounts depends on the complexity of your network and on the granularity of control that you want.

This section contains the following topics:

Adding a Basic User Account

Setting Supplementary User Information

Setting a Separate CHAP/MS-CHAP/ARAP Password

Assigning a User to a Group

Setting the User Callback Option

Assigning a User to a Client IP Address

Setting Network Access Restrictions for a User

Setting Max Sessions Options for a User

Options for Setting User Usage Quotas

Setting Options for User Account Disablement

Assigning a Downloadable IP ACL to a User

Adding a Basic User Account

This procedure details the minimum steps necessary to add a new user account to the ACS internal database.

To add a user account:


Step 1 In the navigation bar, click User Setup.

The User Setup Select page opens.

Step 2 Type a name in the User box.


Note The username can contain up to 64 characters. Names cannot contain the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), or the left angle bracket (<). Leading and trailing spaces are not allowed.


Step 3 Click Add/Edit.

The User Setup Edit page opens. The username that you are adding appears at the top of the page.

Step 4 Ensure that you uncheck the Account Disabled check box.


Note Alternatively, you can check the Account Disabled check box to create a user account that is disabled, and enable the account at another time.


Step 5 Under Password Authentication in the User Setup table, select the applicable authentication type from the list.


Tip The authentication types that appear reflect the databases that you have configured in the Database Configuration area of the External User Databases section.


Step 6 Enter a single ACS Password Authentication Protocol (PAP) password by typing it in the first set of Password and Confirm Password boxes.


Note Up to 32 characters are allowed each for the Password box and the Confirm Password box.



Tip The ACS PAP password is also used for CHAP/MS-CHAP/ARAP if you do not check the Separate CHAP/MS-CHAP/ARAP check box.



Tip You can configure the AAA client to ask for a PAP password first and then a Challenge Authentication Handshake Protocol (CHAP) or Microsoft-Challenge Authentication Handshake Protocol (MS-CHAP) password, so that users who dial in by using a PAP password still authenticate. For example, the following line in the AAA client configuration file causes the AAA client to enable CHAP after PAP:

ppp authentication pap chap


Step 7 Do one:

To finish configuring the user account options and establish the user account, click Submit.

To continue specifying the user account options, perform the other procedures in this chapter, as applicable.


Tip For lengthy account configurations, you can click Submit before continuing. This action will prevent loss of information that you already entered if an unforeseen problem occurs.
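As an added example (not part of this guide or of ACS), the following Python functions pre-check a username and its PAP Password/Confirm Password pair against the limits stated in Step 2 and Step 6 above, which is useful when preparing accounts in bulk before entering them in User Setup; the function names are assumptions, as is treating an empty username as invalid.

```python
# Added example (not ACS code): input checks matching the User Setup limits
# quoted in this procedure. Rules: username up to 64 characters, none of
# # ? " * > <, no leading or trailing spaces; password up to 32 characters.
USERNAME_MAX_LEN = 64
PASSWORD_MAX_LEN = 32
FORBIDDEN_USERNAME_CHARS = set('#?"*><')


def username_problems(name: str) -> list:
    """Return the list of rule violations for a username (empty list = OK)."""
    problems = []
    if not name:  # assumption: ACS would not accept an empty name either
        problems.append("username is empty")
    if len(name) > USERNAME_MAX_LEN:
        problems.append(f"username exceeds {USERNAME_MAX_LEN} characters")
    bad = sorted(set(name) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        problems.append("username contains forbidden character(s): " + " ".join(bad))
    if name != name.strip(" "):
        problems.append("username has leading or trailing spaces")
    return problems


def password_problems(password: str, confirm: str) -> list:
    """Check the Password / Confirm Password pair for the ACS PAP password."""
    problems = []
    if password != confirm:
        problems.append("Password and Confirm Password do not match")
    if len(password) > PASSWORD_MAX_LEN:
        problems.append(f"password exceeds {PASSWORD_MAX_LEN} characters")
    return problems


def validate_entry(name: str, password: str, confirm: str) -> list:
    """All problems for one account entry; an empty list means it can be submitted."""
    return username_problems(name) + password_problems(password, confirm)
```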



Setting Supplementary User Information

Supplementary User Information can contain up to five fields that you configure. The default configuration includes two fields: Real Name and Description. For information about how to display and configure these optional fields, see Customizing User Data, page 2-5.

To enter optional information into the Supplementary User Information table:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Complete each box that appears in the Supplementary User Info table.


Note Up to 128 characters are allowed each for the Real Name and the Description boxes.


Step 3 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 4 If you are finished configuring the user account options, click Submit to record the options.


Setting a Separate CHAP/MS-CHAP/ARAP Password

Setting a separate CHAP/MS-CHAP/ARAP password adds more security to ACS authentication. However, you must have an AAA client configured to support the separate password.

To allow the user to authenticate by using a CHAP, MS-CHAP, or AppleTalk Remote Access Protocol (ARAP) password, instead of the PAP password in the ACS internal database:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Select the Separate CHAP/MS-CHAP/ARAP check box in the User Setup table.

Step 3 Enter the CHAP/MS-CHAP/ARAP password by typing it in each of the second set of Password and Confirm Password boxes, under the Separate (CHAP/MS-CHAP/ARAP) check box.


Note Up to 32 characters are allowed each for the Password box and the Confirm Password box.



Note These Password and Confirm Password boxes are only required for authentication by the ACS database. Additionally, if you assign a user to a VoIP (null password) group, and the optional password is also included in the user profile, the password is not used until the user is remapped to a non-VoIP group.


Step 4 Do one:

If you are finished configuring the user account options, click Submit to record the options.

To continue to specify the user account options, perform procedures in this chapter, as applicable.


Assigning a User to a Group

A user can only belong to one group in ACS. The user inherits the attributes and operations that are assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings that you configure at the group level.

By default, users are assigned to the Default Group. Users who authenticate via the Unknown User method and who are not mapped to an existing ACS group are also assigned to the Default Group.

Alternatively, you can choose not to map a user to a particular group but instead have the group mapped by an external authenticator. For external user databases from which ACS can derive group information, you can associate the group memberships that are defined for the users in the external user database with specific ACS groups. For more information, see Chapter 16, "User Group Mapping and Specification."

To assign a user to a group:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 From the Group to which user is assigned list in the User Setup table, select the group to which to assign the user.


Tip Alternatively, you can scroll up in the list to select the Mapped By External Authenticator option.


Step 3 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 4 If you are finished configuring the user account options, click Submit to record the options.


Setting the User Callback Option

Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges.

To set the user callback option:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Under Callback in the User Setup table, select the applicable option. Choices include:

Use group setting—Click if you want this user to use the setting for the group.

No callback allowed—Click to disable callback for this user.

Callback using this number—Click and type the complete number, including area code if necessary, on which to always call back this user.


Note The maximum length for the callback number is 199 characters.


Dialup client specifies callback number—Click to enable the Windows dialup client to specify the callback number.

Use Windows Database callback settings—Click to use the settings specified for Windows callback. If a Windows account for a user resides in a remote domain, the domain in which ACS resides must have a two-way trust with that domain for the Microsoft Windows callback settings to operate for that user.


Note The dial-in user must have configured Windows software that supports callback.



Note If you enable the Windows Database callback settings, the Windows Callback feature must also be enabled in the Windows Database Configuration Settings. See Windows User Database Configuration Options, page 12-18.


Step 3 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 4 If you are finished configuring the user account options, click Submit to record the options.


Assigning a User to a Client IP Address

To assign a user to a client IP address:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Under Client IP Address Assignment in the User Setup table, select the applicable option. Choices include:


Note The IP address assignment in User Setup overrides the IP address assignment in Group Setup.


Use group settings—Click this option to use the IP address group assignment.

No IP address assignment—Click this option to override the group setting if you do not want an IP address returned by the client.

Assigned by dialup client—Click this option to use the IP address dialup client assignment.

Assign static IP address—Click this option and type the IP address in the box (up to 15 characters), if a specific IP address should be used for this user.


Note If the IP address is being assigned from a pool of IP addresses or by the dialup client, leave the Assign static IP address box blank.


Assigned by AAA client pool—Click this option and type the AAA client IP pool name in the box, if this user is to have the IP address assigned by an IP address pool that is configured on the AAA client.

Assigned from AAA pool—Click this option and type the applicable pool name in the box, if this user is to have the IP address that is assigned by an IP address pool configured on the AAA server. Select the AAA server IP pool name from the Available Pools list, and then click --> (right arrow button) to move the name into the Selected Pools list. If the Selected Pools list contains more than one pool, the users in this group are assigned to the first available pool in the order listed. To move the position of a pool in the list, select the pool name, and click Up or Down until the pool is in the position that you want.

Step 3 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 4 If you are finished configuring the user account options, click Submit to record the options.


Setting Network Access Restrictions for a User

You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:

Apply existing shared NARs by name.

Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.

Define calling line ID/Dialed Number Identification Service (CLI/DNIS)-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.


Note You can also use the CLI/DNIS-based access restrictions area to specify other values. For more information, see Network Access Restrictions, page 4-18.


Typically, you define (shared) NARs from within the Shared Components section so that you can apply these restrictions to more than one group or user. For more information, see Adding a Shared NAR, page 4-21. You must have selected the User-Level Network Access Restrictions check box on the Advanced Options page of the Interface Configuration section for this set of options to appear in the web interface.

However, you can also use ACS to define and apply a NAR for a single user from within the User Setup section. You must have enabled the User-Level Network Access Restrictions setting on the Advanced Options page of the Interface Configuration section for single user IP-based filter options and single user CLI/DNIS-based filter options to appear in the web interface.


Note When an authentication request is forwarded by proxy to an ACS, any NARs for Terminal Access Controller Access Control System (TACACS+) requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.


When you create access restrictions on a per-user basis, ACS does not limit the number of access restrictions or the length of each access restriction; however, the following limits do apply:

The combination of fields for each line item cannot exceed 1024 characters in length.

The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a CLI/DNIS-based NAR where the AAA client names are 10 characters, the port numbers are 5 characters, the CLI entries are 15 characters, and the DNIS entries are 20 characters, you can add 450 line items before reaching the 16 KB limit.

To set NARs for a user:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 To apply a previously configured shared NAR to this user:


Note To apply a shared NAR, you must configure it under Network Access Restrictions in the Shared Profile Components section. For more information, see Adding a Shared NAR, page 4-21.


a. Check the Only Allow network access when check box.

b. To specify whether one or all shared NARs must apply for the user to be permitted access, select one, as applicable:

All selected NARS result in permit.

Any one selected NAR results in permit.

c. Select a shared NAR name in the NARs list, and then click --> (right arrow button) to move the name into the Selected NARs list.


Tip To view the server details of the shared NARs you have selected to apply, you can click View IP NAR or View CLID/DNIS NAR, as applicable.


Step 3 To define and apply a NAR, for this particular user, that permits or denies this user access based on IP address, or IP address and port:


Tip You should define most NARs from within the Shared Components section so that you can apply them to more than one group or user. For more information, see Adding a Shared NAR, page 4-21.


a. In the Network Access Restrictions table, under Per User Defined Network Access Restrictions, check the Define IP-based access restrictions check box.

b. To specify whether the subsequent listing specifies permitted or denied IP addresses, from the Table Defines list, select one:

Permitted Calling/Point of Access Locations

Denied Calling/Point of Access Locations

c. Select or enter the information in the following boxes:

AAA Client—Select All AAA Clients, or the name of a network device group (NDG), or the name of the individual AAA client, to which to permit or deny access.

Port—Type the number of the port to which to permit or deny access. You can use the asterisk (*) as a wildcard to permit or deny access to all ports on the selected AAA client.

Address—Type the IP address or addresses to use when performing access restrictions. You can use the asterisk (*) as a wildcard.


Note The total number of characters in the AAA Client list, and the Port and Src IP Address boxes must not exceed 1024. Although ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and ACS cannot accurately apply it to users.


d. Click Enter.

The specified AAA client, port, and address information appears in the table above the AAA Client list.

Step 4 To permit or deny this user access based on calling location or values other than an established IP address:

a. Check the Define CLI/DNIS based access restrictions check box.

b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one:

Permitted Calling/Point of Access Locations

Denied Calling/Point of Access Locations

c. Complete the following boxes:


Note You must make an entry in each box. You can use the asterisk (*) as a wildcard for all or part of a value. The format that you use must match the format of the string that you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.


AAA Client—Select All AAA Clients, or the name of the NDG, or the name of the individual AAA client, to which to permit or deny access.

PORT—Type the number of the port to which to permit or deny access. You can use the asterisk (*) as a wildcard to permit or deny access to all ports.

CLI—Type the CLI number to which to permit or deny access. You can use the asterisk (*) as a wildcard to permit or deny access based on part of the number.


Tip Use the CLI entry if you want to restrict access based on other values such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions, page 4-18.


DNIS—Type the DNIS number to which to permit or deny access. Use this entry to restrict access based on the number into which the user will be dialing. You can use the asterisk (*) as a wildcard to permit or deny access based on part of the number.


Tip Use the DNIS selection if you want to restrict access based on other values such as a Cisco Aironet AP MAC address. For more information, see About Network Access Restrictions, page 4-18.



Note The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and ACS cannot accurately apply it to users.


d. Click Enter.

The information, specifying the AAA client, port, CLI, and DNIS, appears in the table above the AAA Client list.

Step 5 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 6 If you are finished configuring the user account options, click Submit to record the options.
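The following Python model is an added example, not ACS code or a description of its internals: it evaluates the per-user NAR tables from Step 3 (AAA client, port, address) and Step 4 (AAA client, port, CLI, DNIS) against an access request, combines several applied NARs with the "All selected NARs result in permit" and "Any one selected NAR results in permit" options from Step 2, and flags line items over the 1024-character limit. It assumes that the asterisk matches all or part of a field value, that an AAA client entry can name All AAA Clients, an NDG or a single client, and that an unrestricted user (no NAR applied) is permitted; the exact matching rules inside ACS may differ.

```python
# Added example (not ACS code): simplified evaluation of per-user and shared
# NARs as described in this section. Field values are compared as strings,
# with '*' standing for any run of characters.
import re
from dataclasses import dataclass, field
from typing import Dict, List

ALL_AAA_CLIENTS = "All AAA Clients"
MAX_LINE_ITEM_CHARS = 1024   # per line-item limit quoted in this section


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches all or part of a value; everything else matches literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass
class NarLine:
    aaa_client: str          # ALL_AAA_CLIENTS, an NDG name, or an AAA client name
    fields: Dict[str, str]   # IP table: {"port", "address"}; CLI/DNIS table:
                             # {"port", "cli", "dnis"}; values may contain '*'

    def length(self) -> int:
        """Character count that the 1024-character line-item limit applies to."""
        return len(self.aaa_client) + sum(len(v) for v in self.fields.values())


@dataclass
class AccessRequest:
    aaa_client: str          # AAA client that sent the request
    ndg: str                 # network device group that client belongs to
    fields: Dict[str, str]   # e.g. {"port": "Async3", "address": "10.1.5.7"}


def line_matches(line: NarLine, req: AccessRequest) -> bool:
    """A line matches when its client entry covers the request and every
    field pattern matches the corresponding request value."""
    client_ok = line.aaa_client in (ALL_AAA_CLIENTS, req.ndg, req.aaa_client)
    return client_ok and all(
        wildcard_match(pat, req.fields.get(name, "")) for name, pat in line.fields.items()
    )


@dataclass
class Nar:
    permitted: bool          # True: "Permitted ..." table, False: "Denied ..." table
    lines: List[NarLine] = field(default_factory=list)

    def permits(self, req: AccessRequest) -> bool:
        hit = any(line_matches(line, req) for line in self.lines)
        return hit if self.permitted else not hit


def access_permitted(nars: List[Nar], req: AccessRequest, require_all: bool) -> bool:
    """Combine the NARs applied to a user. require_all=True models
    'All selected NARs result in permit'; False models 'Any one ... results in permit'."""
    verdicts = [nar.permits(req) for nar in nars]
    if not verdicts:
        return True          # assumption: no NAR applied means no restriction
    return all(verdicts) if require_all else any(verdicts)


def oversized_lines(nar: Nar) -> List[NarLine]:
    """Line items ACS would accept but could not edit or apply reliably."""
    return [line for line in nar.lines if line.length() > MAX_LINE_ITEM_CHARS]
```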


Setting Max Sessions Options for a User

You use the Max Sessions feature to set the maximum number of simultaneous connections permitted for this user. For ACS purposes, a session is any type of user connection that RADIUS or TACACS+ supports, for example, Point-to-Point Protocol (PPP), Telnet, or ARAP. Note, however, that accounting must be enabled on the AAA client for ACS to be aware of a session. All session counts are based on user and group names only. ACS does not differentiate by type of session; all sessions are counted the same. To illustrate, a user with a Max Sessions count of 1 who is dialed in to an AAA client with a PPP session will be refused a connection if that user then tries to Telnet to a location whose access is controlled by the same ACS.


Note Each ACS holds its own Max Sessions counts. There is no mechanism for ACS to share Max Sessions counts across multiple ACSs. Therefore, if two ACSs are set up as a mirror pair with the workload distributed between them, they will have completely independent views of the Max Sessions totals.



Tip If the Max Sessions table does not appear, choose Interface Configuration > Advanced Options. Then, check the Max Sessions check box.


To set max sessions options for a user:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 In the Max Sessions table, under Sessions available to user, select one:

Unlimited—Select to allow this user an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)

n—Select and then type the maximum number of simultaneous sessions to allow this user.

Use group setting—Select to use the Max Sessions value for the group.


Note The default setting is Use group setting.



Note User Max Sessions settings override the group Max Sessions settings. For example, if the group Sales has a Max Sessions value of only 10, but a user in the group Sales, John, has a User Max Sessions value of Unlimited, John is still allowed an unlimited number of sessions.


Step 3 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 4 If you are finished configuring the user account options, click Submit to record the options.


Options for Setting User Usage Quotas

You can define usage quotas for individual users. You can limit users by the:

Duration of sessions for the period selected.

Number of sessions for the period selected.

For ACS purposes, a session is any type of user connection that RADIUS or TACACS+ supports, for example, PPP, Telnet, or ARAP. Note, however, that accounting must be enabled on the AAA client for ACS to be aware of a session. If you make no selections in the Session Quotas section for an individual user, ACS applies the session quotas of the group to which the user is assigned.


Note If the User Usage Quotas feature does not appear, choose Interface Configuration > Advanced Options. Then check the Usage Quotas check box.



Tip The Current Usage table under the User Usage Quotas table on the User Setup Edit page displays usage statistics for the current user. The Current Usage table lists online time and sessions used by the user, with columns for daily, weekly, monthly, and total usage. The Current Usage table appears only on user accounts that you have established; that is, it does not appear during initial user setup.


For a user who has exceeded his quota, ACS denies him access on his next attempt to start a session. If a quota is exceeded during a session, ACS allows the session to continue. If a user account has been disabled because the user has exceeded usage quotas, the User Setup Edit page displays a message stating that the account has been disabled for this reason.

You can reset the session quota counters on the User Setup page for a user. For more information about resetting usage quota counters, see Resetting User Session Quota Counters.

To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off. If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate, which means that a second channel is accepted even if the first channel has exhausted the quota that is allocated to the user.

To set usage quota options for a user:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 In the Usage Quotas table, select Use these settings.

Step 3 To define a usage quota based on duration of sessions for a user:

a. Check the Limit user to x hours of online time check box.

b. Type the number of hours to which you want to limit the user in the Limit user to x hours of online time box. Use decimal values to indicate minutes. For example, a value of 10.5 would equal 10 hours and 30 minutes. This field can contain up to 10 characters.

c. Select the period for which you want to enforce the time usage quota:

per Day—From 12:01 a.m. until midnight.

per Week—From 12:01 a.m. Sunday until midnight Saturday.

per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.

Absolute—A continuous, open-ended count of hours.

Step 4 To define usage quotas based on the number of sessions for a user:

a. Check the Limit user to x sessions check box.

b. Type the number of sessions to which you want to limit the user in the Limit user to x sessions box. Up to 10 characters are allowed for this field.

c. Select the period for which you want to enforce the session usage quota:

per Day—From 12:01 a.m. until midnight.

per Week—From 12:01 a.m. Sunday until midnight Saturday.

per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.

Absolute—A continuous, open-ended count of hours.

Step 5 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 6 If you are finished configuring the user account options, click Submit to record the options.
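As an added example (not ACS code), the following Python model works through the quota behaviour described in this section: the per Day, per Week, per Month and Absolute periods from Steps 3 and 4, decimal hours (1.5 = 1 hour 30 minutes), online time that is only as current as the last accounting update or stop record, the quota check applied at session start only, and the running-session case in which a second session is accepted because the first has not yet reported its usage. Assumptions: a session is charged to the period in which it started, period windows use calendar boundaries, and the record layout and sample accounting log are constructed for the example.

```python
# Added example (not ACS code): per-user usage quota evaluation modelled on the
# description in this section. Online seconds come only from interim "update"
# or "stop" accounting records, so a session with no update yet counts as 0.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def ts(text: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


@dataclass
class AcctRecord:
    user: str
    session_id: str
    event: str             # "start", "update" (interim accounting) or "stop"
    at: datetime
    session_time: int = 0  # seconds online reported by update/stop records


@dataclass
class UsageQuota:
    max_hours: Optional[float] = None    # "Limit user to x hours"; 10.5 = 10 h 30 min
    hours_period: str = "day"            # day, week, month or absolute
    max_sessions: Optional[int] = None   # "Limit user to x sessions"
    sessions_period: str = "day"


def period_window(period: str, now: datetime) -> Tuple[datetime, datetime]:
    """Half-open [start, end) window of the quota period that contains `now`."""
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "day":
        return day, day + timedelta(days=1)
    if period == "week":  # Sunday through Saturday
        start = day - timedelta(days=(day.weekday() + 1) % 7)
        return start, start + timedelta(days=7)
    if period == "month":
        start = day.replace(day=1)
        nxt = start.replace(year=start.year + (start.month == 12), month=start.month % 12 + 1)
        return start, nxt
    if period == "absolute":  # open-ended count
        return datetime.min, datetime.max
    raise ValueError(f"unknown period {period!r}")


def sessions_for(records: List[AcctRecord], user: str) -> Dict[str, list]:
    """session_id -> [start time, most recent reported online seconds]."""
    sessions: Dict[str, list] = {}
    for r in records:
        if r.user != user:
            continue
        entry = sessions.setdefault(r.session_id, [None, 0])
        if r.event == "start":
            entry[0] = r.at
        else:
            entry[1] = max(entry[1], r.session_time)
    return sessions


def usage_in_period(records: List[AcctRecord], user: str, period: str,
                    now: datetime) -> Tuple[int, int]:
    """(online seconds, session count) charged to the period containing `now`."""
    start, end = period_window(period, now)
    seconds = count = 0
    for began, reported in sessions_for(records, user).values():
        if began is not None and start <= began < end:
            count += 1
            seconds += reported
    return seconds, count


def may_start_session(quota: UsageQuota, records: List[AcctRecord],
                      user: str, now: datetime) -> bool:
    """Quota decision when a new session is requested; running sessions are never cut off."""
    if quota.max_hours is not None:
        used, _ = usage_in_period(records, user, quota.hours_period, now)
        if used >= quota.max_hours * 3600:
            return False
    if quota.max_sessions is not None:
        _, count = usage_in_period(records, user, quota.sessions_period, now)
        if count >= quota.max_sessions:
            return False
    return True


def sample_records() -> List[AcctRecord]:
    """Constructed accounting log: one finished session and one still running."""
    return [
        AcctRecord("alice", "s1", "start", ts("2024-03-06 08:00")),
        AcctRecord("alice", "s1", "update", ts("2024-03-06 09:00"), 3600),
        AcctRecord("alice", "s1", "stop", ts("2024-03-06 09:10"), 4200),
        AcctRecord("alice", "s2", "start", ts("2024-03-06 09:30")),
    ]
```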


Setting Options for User Account Disablement

The Account Disable feature defines the circumstances under which a user account is disabled.


Note Do not confuse this feature with account expiration due to password aging. Password aging is defined for groups only, not for individual users. This feature is distinct from the Account Disabled check box. For instructions on how to disable a user account, see Disabling a User Account.



Note If the user is authenticated with a Windows user database, this expiration information is in addition to the information in the Windows user account. Changes here do not alter settings configured in Windows.


To set options for user account disablement:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Do one of the following:

a. Select the Never option to keep the user account always enabled. This is the default.

b. Select the Disable account if option to disable the account under specific circumstances. Then, specify one or both of the circumstances under the following boxes:

Date exceeds—Check the Date exceeds check box. Then select the month and type the day of the month (two digits) and the year (four digits) on which to disable the account. The default is 30 days after the user is added.

Failed attempts exceed—Check the Failed attempts exceed check box and then type the number of consecutive unsuccessful login attempts to allow before disabling the account. The default is 5.

Step 3 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 4 If you are finished configuring the user account options, click Submit to record the options.
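The two disablement conditions above interact with how failures are counted: the threshold is on consecutive failures, so a successful login in between starts the count again. The following Python is an added example, not code from the user guide or from ACS; it models the Never / Date exceeds / Failed attempts exceed decision with the page's defaults (30 days, 5 attempts). The login event list is constructed, and two readings are assumptions: that "attempts to allow before disabling" means the account is disabled on the attempt after the allowed number, and that a successful login resets the consecutive-failure count.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class DisablePolicy:
    """User-level Account Disable settings as shown on the User Setup page."""
    never: bool = True                       # "Never" is the default
    disable_after: Optional[date] = None     # "Date exceeds"
    max_failed: Optional[int] = None         # "Failed attempts exceed"


def default_disable_policy(added_on: date) -> DisablePolicy:
    """'Disable account if' with the page's defaults: 30 days and 5 attempts."""
    return DisablePolicy(never=False,
                         disable_after=added_on + timedelta(days=30),
                         max_failed=5)


def consecutive_failures(events: List[Tuple[date, str]]) -> int:
    """Length of the trailing run of failed logins; events are chronological.
    Assumption: a successful login ('pass') resets the run."""
    run = 0
    for _, outcome in events:
        if outcome == "fail":
            run += 1
        elif outcome == "pass":
            run = 0
        else:
            raise ValueError(f"unknown outcome: {outcome}")
    return run


def account_disabled(policy: DisablePolicy, today: date,
                     events: List[Tuple[date, str]]) -> Tuple[bool, str]:
    """Return (disabled, reason) for the user under `policy` as of `today`."""
    if policy.never:
        return False, "Never: account always enabled"
    if policy.disable_after is not None and today > policy.disable_after:
        return True, f"Date exceeds: {today} is after {policy.disable_after}"
    if policy.max_failed is not None:
        run = consecutive_failures(events)
        if run > policy.max_failed:   # assumption: N allowed, disabled on the N+1th
            return True, (f"Failed attempts exceed: {run} consecutive failures, "
                          f"{policy.max_failed} allowed")
    return False, "enabled"


# Constructed sample data.
ADDED_ON = date(2024, 3, 1)
POLICY = default_disable_policy(ADDED_ON)          # disables after 2024-03-31
TODAY = date(2024, 3, 10)
AFTER_EXPIRY = date(2024, 4, 1)
FIVE_FAILS = [(date(2024, 3, 5), "fail")] * 5
SIX_FAILS = FIVE_FAILS + [(date(2024, 3, 5), "fail")]
RESET_BY_SUCCESS = FIVE_FAILS + [(date(2024, 3, 6), "pass")] + FIVE_FAILS  # 10 fails, never 6 in a row

if __name__ == "__main__":
    for label, events, today in (("five failures", FIVE_FAILS, TODAY),
                                 ("six failures", SIX_FAILS, TODAY),
                                 ("reset by a success", RESET_BY_SUCCESS, TODAY),
                                 ("past the date", [], AFTER_EXPIRY)):
        print(f"{label:20s} -> {account_disabled(POLICY, today, events)}")
```

The "reset by a success" case is the one to keep in mind when reviewing lockout behaviour: ten failures spread around one successful login never reach the threshold, so an attacker who knows one valid password can keep probing other accounts' passwords without tripping the counter, while the date condition fires regardless of login history.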


Assigning a Downloadable IP ACL to a User

You can use the Downloadable ACLs feature to assign an IP Access Control List (ACL) at the user level. You must configure one or more IP ACLs before you assign one. For instructions on how to configure a downloadable IP ACL by using the Shared Profile Components section of the ACS web interface, see Adding a Downloadable IP ACL, page 4-15.


Note The Downloadable ACLs table does not appear if it has not been enabled. To enable the Downloadable ACLs table, click Interface Configuration > Advanced Options, and then check the User-Level Downloadable ACLs check box.


To assign a downloadable IP ACL to a user account:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Under the Downloadable ACLs section, click the Assign IP ACL: check box.

Step 3 Select an IP ACL from the list.

Step 4 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 5 If you are finished configuring the user account options, click Submit to record the options.


Advanced User Authentication Settings

This section presents the activities that you perform to configure user-level TACACS+ and RADIUS enable parameters.

This section contains the following topics:

TACACS+ Settings (User)

Configuring TACACS+ Settings for a User

Configuring a Shell Command Authorization Set for a User

Configuring a PIX Command Authorization Set for a User

Configuring Device-Management Command Authorization for a User

Configuring the Unknown Service Setting for a User

Advanced TACACS+ Settings for a User

Setting Enable Privilege Options for a User

Setting TACACS+ Enable Password Options for a User

Setting TACACS+ Outbound Password for a User

RADIUS Attributes

Setting IETF RADIUS Parameters for a User

Setting Cisco IOS/PIX 6.0 RADIUS Parameters for a User

Setting Cisco Airespace RADIUS Parameters for a User

Setting Cisco Aironet RADIUS Parameters for a User

Setting Ascend RADIUS Parameters for a User

Setting Cisco VPN 3000/ASA/PIX 7.x+ RADIUS Parameters for a User

Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User

Setting Microsoft RADIUS Parameters for a User

Setting Nortel RADIUS Parameters for a User

Setting Juniper RADIUS Parameters for a User

Setting BBSM RADIUS Parameters for a User

Setting Custom RADIUS Attributes for a User

TACACS+ Settings (User)

You can use the TACACS+ Settings section to enable and configure the service and protocol parameters that apply to the authorization of a user.

This section contains the following topics:

Configuring TACACS+ Settings for a User

Configuring a Shell Command Authorization Set for a User

Configuring a PIX Command Authorization Set for a User

Configuring Device-Management Command Authorization for a User

Configuring the Unknown Service Setting for a User

Configuring TACACS+ Settings for a User

You can use this procedure to configure TACACS+ settings at the user level for the following services and protocols:

PPP IP

PPP IPX

PPP Multilink

PPP Apple Talk

PPP VPDN

PPP LCP

ARAP

Shell (exec)

PIX Shell (pixShell), for the Cisco PIX Firewall

Serial Line Internet Protocol (SLIP)

You can also enable any new TACACS+ services that you configure. Because having all service/protocol settings appear within the User Setup section would be cumbersome, you choose what settings to hide or display at the user level when you configure the interface. For more information about setting up new or existing TACACS+ services in the ACS web interface, see Displaying TACACS+ Configuration Options, page 2-6.

If you have configured ACS to interact with a Cisco device-management application, new TACACS+ services may appear automatically, as needed, to support the device-management application. For more information about ACS interaction with device-management applications, see Support for Cisco Device-Management Applications, page 1-14.

For more information about attributes, see Appendix B, "TACACS+ Attribute-Value Pairs," or your AAA client documentation. For information on assigning an IP ACL, see Assigning a Downloadable IP ACL to a User.

Before You Begin

For the TACACS+ service/protocol configuration to appear, you must configure an AAA client to use TACACS+ as the security control protocol.

In Interface Configuration > Advanced Options, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.

To configure TACACS+ settings for a user:


Step 1 Click Interface Configuration > TACACS+ (Cisco IOS). In the TACACS+ Services table, under the heading User, ensure that the check box is selected for each service/protocol that you want to configure.

Step 2 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 3 Scroll down to the TACACS+ Settings table and select the bold service name check box to enable that protocol; for example PPP IP.

Step 4 To enable specific parameters within the selected service, check the check box next to a specific parameter and then do one of the following, as applicable:

Check the Enabled check box.

Enter a value in the corresponding attribute box.

To specify ACLs and IP address pools, enter the name of the ACL or pool as defined on the AAA client. Leave the box blank if the default (as defined on the AAA client) should be used. For more information about attributes, see Appendix B, "TACACS+ Attribute-Value Pairs," or your AAA client documentation. For information on assigning an IP ACL, see Assigning a Downloadable IP ACL to a User.


Tip An ACL is an ordered list of permit and deny statements, configured on the AAA client with Cisco IOS commands, that restricts traffic to or from other devices and users on the network. The name that you enter here must match the ACL that already exists on the AAA client; ACS does not create it.


Step 5 To employ custom attributes for a particular service, check the Custom attributes check box under that service, and then enter the attribute and value in the box below the check box.

Step 6 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 7 If you are finished configuring the user account options, click Submit to record the options.


Configuring a Shell Command Authorization Set for a User

Use this procedure to specify the shell command-authorization set parameters for a user. You can choose:

None—No authorization for shell commands.

Group—The group-level shell command-authorization set applies for this user.

Assign a Shell Command Authorization Set for any network device—One shell command-authorization set is assigned, and it applies to all network devices.

Assign a Shell Command Authorization Set on a per Network Device Group Basis—Particular shell command-authorization sets will be effective on particular NDGs. When you select this option, you create the table that lists what NDG associates with what shell command-authorization set.

Per User Command Authorization—Permits or denies specific Cisco IOS commands and arguments at the user level.

Before You Begin

Ensure that you configure an AAA client to use TACACS+ as the security control protocol.

In Interface Configuration > Advanced Options, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.

In Interface Configuration > TACACS+ (Cisco IOS), ensure that the Shell (exec) option is selected in the User column.

Ensure that you have already configured one or more shell command-authorization sets. For detailed steps, see Adding a Command Authorization Set, page 4-29.

To specify shell command-authorization set parameters for a user:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Scroll down to the TACACS+ Settings table and to the Shell Command Authorization Set feature area within it.

Step 3 To prevent the application of any shell command-authorization set, click (or accept the default of) the None option.

Step 4 To assign the shell command-authorization set at the group level, select the As Group option.

Step 5 To assign a particular shell command-authorization set to be effective on any configured network device:

a. Select the Assign a Shell Command Authorization Set for any network device option.

b. Then, from the list directly below that option, select the shell command-authorization set that you want to apply to this user.

Step 6 To create associations that assign a particular shell command-authorization set to be effective on a particular NDG, for each association:

a. Select the Assign a Shell Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and an associated Command Set.

c. Click Add Association.


Tip You can also select which command set applies to network device groups that are not listed by associating that command set with the NDG <default> listing.


The NDG or NDGs and associated shell command-authorization set or sets are paired in the table.

Step 7 To define the specific Cisco IOS commands and arguments to permit or deny for this user:


Caution This step configures a powerful, advanced feature. Only an administrator who is skilled with Cisco IOS commands should use this feature. Correct syntax is the responsibility of the administrator. For information on how ACS uses pattern matching in command arguments, see About Pattern Matching, page 4-28.

a. Select the Per User Command Authorization option.

b. Under Unmatched Cisco IOS commands, select Permit or Deny.

If you select Permit, the user can issue all commands that are not specifically listed. If you select Deny, the user can issue only those commands that are listed.

c. To list particular commands to permit or deny, check the Command check box and then type the name of the command, define its arguments using standard permit or deny syntax, and select whether unlisted arguments are to be permitted or denied.


Tip To enter several commands, you must click Submit after entering a command. A new command entry box appears below the box that you just completed.


Step 8 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 9 If you are finished configuring the user account options, click Submit to record the options.


Configuring a PIX Command Authorization Set for a User

Use this procedure to specify the PIX command-authorization set parameters for a user. The options are:

None—No authorization for PIX commands.

Group—The group-level PIX command-authorization set applies for this user.

Assign a PIX Command Authorization Set for any network device—One PIX command-authorization set is assigned, and it applies to all network devices.

Assign a PIX Command Authorization Set on a per Network Device Group Basis—Particular PIX command-authorization sets will be effective on particular NDGs.

Before You Begin

Ensure that you configure an AAA client to use TACACS+ as the security control protocol.

In Interface Configuration > Advanced Options, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.

In Interface Configuration > TACACS+ (Cisco IOS), ensure that the PIX Shell (pixShell) option is selected in the User column.

Ensure that you have configured one or more PIX command-authorization sets. For detailed steps, see Adding a Command Authorization Set, page 4-29.

To specify PIX command-authorization set parameters for a user:


Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.

The User Setup Edit page opens. The username that you add or edit appears at the top of the page.

Step 2 Scroll down to the TACACS+ Settings table and to the PIX Command Authorization Set feature area within it.

Step 3 To prevent the application of any PIX command-authorization set, select (or accept the default of) the None option.

Step 4 To assign the PIX command-authorization set at the group level, select the As Group option.

Step 5 To assign a particular PIX command-authorization set to be effective on any configured network device:

a. Select the Assign a PIX Command Authorization Set for any network device option.

b. From the list directly below that option, select the PIX command-authorization set that you want to apply to this user.

Step 6 To create associations that assign a particular PIX command-authorization set to be effective on a particular NDG, for each association:

a. Select the Assign a PIX Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and an associated Command Set.

c. Click Add Association.

The associated NDG and PIX command-authorization sets appear in the table.

Step 7 To continue to specify other user account options, perform the required steps. See the other procedures in this section, as applicable.

Step 8 If you are finished configuring the user account options, click Submit to record the options.
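The shell and PIX procedures above describe the same decision structure: a command set is chosen for the AAA client's NDG (with the <default> row covering unlisted groups), and then each command is checked against the listed commands, their permit/deny argument lines, the per-command "unlisted arguments" choice, and the set-wide "Unmatched Cisco IOS commands" choice. The following Python is an added example, not code from the user guide or from ACS; it models that evaluation for both shell and PIX sets. The command sets and NDG table are constructed, and two points are assumptions: argument patterns are matched here as regular expressions against the whole argument string (ACS's actual argument matching is described in "About Pattern Matching", which is not on this page), and a device for which no set applies is failed closed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandRule:
    """One listed command: ordered (action, pattern) lines plus the
    'unlisted arguments' choice. Assumption: pattern is a regular expression
    matched against the entire argument string."""
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)
    unmatched_args: str = "deny"


@dataclass
class CommandSet:
    """A shell or PIX command-authorization set."""
    name: str
    unmatched_commands: str = "deny"     # 'Unmatched Cisco IOS commands'
    commands: Dict[str, CommandRule] = field(default_factory=dict)


def authorize(cmd_set: CommandSet, command: str, args: str) -> Tuple[bool, str]:
    """Permit or deny one command line under `cmd_set`, with the reason."""
    rule = cmd_set.commands.get(command)
    if rule is None:
        verdict = cmd_set.unmatched_commands == "permit"
        return verdict, f"'{command}' not listed; unmatched commands {cmd_set.unmatched_commands}"
    for action, pattern in rule.arg_rules:          # first matching line wins
        if re.fullmatch(pattern, args.strip()):
            return action == "permit", f"'{command} {args}' matched {action} {pattern!r}"
    verdict = rule.unmatched_args == "permit"
    return verdict, f"'{command}' listed; arguments unlisted, {rule.unmatched_args}"


def select_set(assignments: Dict[str, CommandSet], ndg: str) -> Optional[CommandSet]:
    """Per-NDG association table; the <default> row covers unlisted NDGs."""
    return assignments.get(ndg, assignments.get("<default>"))


def authorize_on_device(assignments: Dict[str, CommandSet], ndg: str,
                        command: str, args: str) -> Tuple[bool, str]:
    cmd_set = select_set(assignments, ndg)
    if cmd_set is None:
        return False, f"no command set applies to NDG {ndg!r} (assumed fail closed)"
    ok, why = authorize(cmd_set, command, args)
    return ok, f"[{cmd_set.name}] {why}"


# Constructed sample sets: read-only operators on core routers, full access elsewhere.
READ_ONLY = CommandSet("netops-readonly", unmatched_commands="deny", commands={
    "show": CommandRule(arg_rules=[("deny", r"running-config.*"),
                                   ("deny", r"startup-config.*"),
                                   ("permit", r"interfaces?.*"),
                                   ("permit", r"ip route.*")],
                        unmatched_args="deny"),
    "ping": CommandRule(arg_rules=[("permit", r"10\.\d+\.\d+\.\d+")], unmatched_args="deny"),
    "exit": CommandRule(unmatched_args="permit"),
})
FULL = CommandSet("netops-full", unmatched_commands="permit")
ASSIGNMENTS = {"core-routers": READ_ONLY, "<default>": FULL}

if __name__ == "__main__":
    for ndg, cmd, args in (("core-routers", "show", "interfaces status"),
                           ("core-routers", "show", "running-config"),
                           ("core-routers", "show", "version"),
                           ("core-routers", "configure", "terminal"),
                           ("core-routers", "ping", "8.8.8.8"),
                           ("lab-switch", "configure", "terminal")):
        ok, why = authorize_on_device(ASSIGNMENTS, ndg, cmd, args)
        print(f"{'PERMIT' if ok else 'DENY  '} {ndg:13s} {cmd} {args:20s} {why}")
```

Two details are worth checking against your own sets: the deny lines for `running-config` and `startup-config` are placed before the permit lines because the first matching line decides, and `show version` is denied not by any line but by the per-command "unlisted arguments: deny" choice, which is the setting that keeps a read-only set read-only when new `show` subcommands appear on the device.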


Configuring Device-Management Command Authorization for a User

Use this procedure to specify the device-management command-authorization set para