User Guide for Cisco IPS Manager 3.0
Employing Cisco Secure ACS with IPS MC

Table Of Contents

Employing Cisco Secure ACS with IPS MC

Overview

Initial Cisco Secure ACS Setup

Checklist for Initial Cisco Secure ACS Setup

Configuring the CiscoWorks Server as a AAA Client in Cisco Secure ACS.

Creating an Administrative Account in Cisco Secure ACS

Setting the CiscoWorks Login Module to TACACS+

Registering and Synchronizing Cisco Secure ACS as the AAA Server

Populating Cisco Secure ACS

Cisco Secure ACS Roles and Privileges

Creating Roles

Editing a Role

Deleting a Role

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Network Device Grouping

Setting Up User Groups for IPS MC

Adding Users


Employing Cisco Secure ACS with IPS MC


This chapter contains the following topics:

Overview

Initial Cisco Secure ACS Setup

Populating Cisco Secure ACS

Overview

This appendix details the steps you take to use your Cisco Secure Access Control Server (ACS) with Management Center for IPS Sensors (IPS MC).

Cisco Secure ACS supports Cisco device-management applications, such as IPS MC, by providing command authorization for users who are using the management application to configure managed network devices. Support for command authorization is accomplished by using unique command authorization set types (known as roles in IPS MC) for each management application configured to use Cisco Secure ACS for authorization.

Cisco Secure ACS uses TACACS+ to communicate with management applications. For IPS MC to communicate with Cisco Secure ACS, the CiscoWorks server must be configured in Cisco Secure ACS as a AAA client that uses TACACS+. Also, you must provide the CiscoWorks server with a valid administrator name and password. These requirements ensure the validity of communications between IPS MC and Cisco Secure ACS.

When IPS MC initially communicates with Cisco Secure ACS, it dictates to Cisco Secure ACS the creation of a command authorization set type, which appears in the Shared Profile Components section of the Cisco Secure ACS HTML interface. It also dictates a custom service to be authorized by TACACS+. The custom service appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section of the HTML interface.

After IPS MC has dictated the custom TACACS+ service and device command authorization set type to Cisco Secure ACS, you can configure command authorization sets for each role supported by IPS MC and apply those sets to user groups that contain network administrators or to individual users who are network administrators.

To use Cisco Secure ACS, make sure:

You have a command authorization set that includes those commands that are required to perform necessary functions in IPS MC.

You have a user role with a corresponding command authorization set applied for IPS MC.

If a Network Access Restriction (NAR) is applied to the profile, it must permit access to the device group (or the device) that you want to administer.

If the devices managed by IPS MC use Cisco Secure ACS for command authorization, make sure that you have a shell command authorization set configured.

If you are using network device groups, the CiscoWorks server must not be in the Not Assigned network device group.

For example, to import a device, ensure that the shared profile includes the show config command in the authorized command set, the device definition under NARs, and the user role that includes administrative privileges.

If, for example, you have the privilege for importing devices, you must have device-level permission to administer each device you want to import.

For an understanding of TACACS+ security advantages, see the user guide for Cisco Secure ACS.


Note Even when Cisco Secure ACS authentication is used, CiscoWorks Common Services software uses local authorization for CiscoWorks Common Services-specific utilities, such as Compact Database and Database Checkpoint. To employ these utilities, you must be defined locally and be given the appropriate privilege level.



Note Network devices must be defined within Cisco Secure ACS before they will appear in IPS MC.


Initial Cisco Secure ACS Setup

This section outlines the tasks you must perform to successfully set up a Cisco Secure ACS to interoperate with IPS MC.

This section contains the following topics:

Checklist for Initial Cisco Secure ACS Setup

Configuring the CiscoWorks Server as a AAA Client in Cisco Secure ACS.

Creating an Administrative Account in Cisco Secure ACS

Setting the CiscoWorks Login Module to TACACS+

Registering and Synchronizing Cisco Secure ACS as the AAA Server

Checklist for Initial Cisco Secure ACS Setup

The following checklist describes the steps required to integrate IPS MC with Cisco Secure ACS. Each step might contain several substeps; steps and substeps should be performed in order. The checklist contains references to specific procedures used to perform some steps.


Step 1 Define administrative authentication and authorization model.

Although the administrative model is configured and defined independent of IPS MC, you should define it before using IPS MC. You should also define the administrative roles and accounts that you plan to use.

Result: The administrative model, roles, and accounts for administering IPS MC are defined.

For more information, see User Guide for Cisco Secure Access Control Server.

Step 2 Verify Cisco Secure ACS applicability.

Verify that your Cisco Secure ACS is running version 3.1 or later. CiscoWorks Common Services (CWCS) software is not compatible with earlier versions of Cisco Secure ACS. If your Cisco Secure ACS is running a software version earlier than 3.1, upgrade your Cisco Secure ACS before continuing.

You should also determine whether you will use only the IPS MC default roles or whether you want to establish customized roles in Cisco Secure ACS.

Result: Your Cisco Secure ACS is running version 3.1 or later.

For more information, see the following references:

Cisco Secure ACS Roles and Privileges

User Guide for Cisco Secure Access Control Server.

Step 3 Configure the CiscoWorks server as a AAA client in Cisco Secure ACS.

You must configure the CiscoWorks server as a AAA client of Cisco Secure ACS for authentication and authorization to occur. This establishes both the IP address and the key (shared secret) for Cisco Secure ACS to use when communicating with the CiscoWorks server.

Result: In the Network Configuration section of Cisco Secure ACS, the CiscoWorks server is listed as a AAA client.

For more information, see the following references:

Configuring the CiscoWorks Server as a AAA Client in Cisco Secure ACS.

User Guide for Cisco Secure Access Control Server.

Step 4 Create an administrative account in Cisco Secure ACS.

Create an administrative account on the Cisco Secure ACS server particularly for CiscoWorks. This is the administrative account that CiscoWorks uses to configure and update Cisco Secure ACS settings for each client application, for example, IPS MC.


Tip Subsequently, you can view the audit data for this administrative account on Cisco Secure ACS to determine what actions CiscoWorks has performed on Cisco Secure ACS.


Result: The CiscoWorks administrative account is established in Cisco Secure ACS.

For more information, see the following references:

Creating an Administrative Account in Cisco Secure ACS

User Guide for Cisco Secure Access Control Server.

Step 5 Set the CiscoWorks Login Module to TACACS+.

You set the Login Module to TACACS+ in the Server Configuration area of CiscoWorks. This establishes in CiscoWorks:

The login module to use

The IP address of the Cisco Secure ACS

The ACS shared secret (key)

Result: The Login Module is set to TACACS+.

For more information, see the following references:

Setting the CiscoWorks Login Module to TACACS+

User Guide for Cisco Secure Access Control Server.

Step 6 Register and synchronize Cisco Secure ACS as the AAA server.

From the VPN/Security Management Solution section of CiscoWorks you establish that the AAA services are to be performed by Cisco Secure ACS. This registers settings for the IP address, the port, and the administrator credentials to use with Cisco Secure ACS. Next, you select applications (for example, IPS MC) to register with Cisco Secure ACS.


Note CiscoWorks does not support selection of multiple AAA servers. Therefore, when choosing the applications to register with Cisco Secure ACS, you should register all applications that are listed.


Result: Cisco Secure ACS is registered as the AAA server, and application details are made available in the Shared Profile Components section of Cisco Secure ACS.

For more information, see the following references:

Registering and Synchronizing Cisco Secure ACS as the AAA Server

User Guide for Cisco Secure Access Control Server.

Step 7 Populate Cisco Secure ACS.

Populate Cisco Secure ACS, as necessary, with:

Edited roles

Network devices

Network device groups

User groups

Users

Result: The authentication and authorization functions of Cisco Secure ACS are structured according to your network requirements.

For more information, see the following references:

Populating Cisco Secure ACS

User Guide for Cisco Secure Access Control Server.


Configuring the CiscoWorks Server as a AAA Client in Cisco Secure ACS.

This procedure is performed from within Cisco Secure ACS to configure the CiscoWorks server as a AAA client of Cisco Secure ACS.

To configure the CiscoWorks server as a AAA client of Cisco Secure ACS, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Select Network Configuration.

Step 3 Click Add Entry below the AAA Clients table.


Note This procedure assumes that you are not using Network Device Groups (NDGs) in your Cisco Secure ACS. If you are using NDGs, click the name of the NDG to which the CiscoWorks server is to be assigned, and then click Add Entry below the AAA Clients table. The CiscoWorks server must not be in the Not Assigned network device group.


Cisco Secure ACS displays the Add AAA Client page.

Step 4 Enter the hostname of the CiscoWorks server in the AAA Client Hostname field. The spelling and capitalization of the hostname must match exactly what is used on the CiscoWorks server.

Step 5 Enter the IP address of your CiscoWorks server in the AAA Client IP Address field.

Step 6 Enter the shared secret in the Key field.

Step 7 Select TACACS+ (Cisco IOS) from the Authenticate Using list.

Step 8 To save your changes and restart Cisco Secure ACS, click Submit + Restart.

Cisco Secure ACS restarts and your CiscoWorks server appears in the AAA Clients table.


Creating an Administrative Account in Cisco Secure ACS

This procedure is performed from within Cisco Secure ACS to set up an administrative account. The credentials established in this procedure are later used during CiscoWorks synchronization.

To create an administrative account, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Administration Control.

Step 3 Click Add Administrator.

The system displays the Add Administrator page.

Step 4 Enter the administrator name.

Step 5 Enter the password.

Step 6 Re-enter the password in the Confirm Password field.

Step 7 In the Administrator Privileges box, click Grant All.

Step 8 To save your changes, click Submit.

The system establishes a new administrative account.


Setting the CiscoWorks Login Module to TACACS+

This procedure sets the CiscoWorks login module to TACACS+ and identifies your Cisco Secure ACS as the TACACS+ server. Also, you use this procedure to register the ACS IP address, port, and shared secret key.

To set the CiscoWorks login module to TACACS+, follow these steps:


Step 1 Log in to CiscoWorks.

Step 2 Select Server Configuration > Setup > Security > Select Login Module.

The system displays the Select Login Module page. The default AAA server setting, CiscoWorks Local, is selected.

Step 3 Select TACACS+ from the Available Login Modules list, and then click Next.

The system displays the Login Module Options page.

Step 4 Enter the Cisco Secure ACS IP address in the Server field.

Step 5 Enter 49 (the TACACS+ service port) in the Port field.

Step 6 Enter the shared secret (that you previously established in Cisco Secure ACS) in the Key field.

Step 7 Click the False radio button next to Debug.

Step 8 Select a login fallback option from the three options given.

Step 9 To save your changes, click Finish.

The Select Login Module page appears again; now the module is specified as TACACS+.


Registering and Synchronizing Cisco Secure ACS as the AAA Server

To register and synchronize Cisco Secure ACS with the CiscoWorks server, follow these steps:


Step 1 On the CiscoWorks server, select VPN/Security Management Solution > Administration > Configuration > AAA Server.

The system displays the AAA Server Information window. The default AAA server setting, CiscoWorks 2000 Local, is selected.

Step 2 Confirm that the Synchronize button is active, indicating that the Login Module has been changed.


Note If the Login Module has not been changed, the actions on this page cannot be performed.


Step 3 Click Synchronize.

The ACS Server and ACS Port Number fields appear and are populated with the values you entered, and the three fields in the Login box become available.

Step 4 Enter the administrator name.

Step 5 Enter the administration password.

Step 6 Enter the Cisco Secure ACS shared secret.

Step 7 Click Register.

The application Registration Selection window appears.

Step 8 Move each client application name in the Available Applications field to the Selected Applications field by selecting it and then clicking Add >.

Step 9 Click OK.

The selected applications register their roles and privileges with the Cisco Secure ACS server. When registration is complete, a status message appears.

Step 10 Click OK to close the status message.

Step 11 Click Finish.

The Cisco Secure ACS administrator name, password, and shared secret are saved. A status message appears.

Step 12 Click OK to close the status message.


Populating Cisco Secure ACS

After performing the initial setup of Cisco Secure ACS to interoperate with CiscoWorks, you can perform additional procedures within Cisco Secure ACS that affect the way it operates with CiscoWorks. Through these procedures you can populate Cisco Secure ACS with edited roles, network device groups (NDGs), user groups, and users. The manner in which you perform these procedures is dictated by the overall administration model you established and the way you want to employ Cisco Secure ACS.


Note Cisco Secure ACS supports complex authentication and authorization capabilities that you can tailor to suit your network requirements. The procedures presented here provide only basic guidance on how you populate and deploy Cisco Secure ACS. See your Cisco Secure ACS user guide for detailed information.


This section contains the following topics:

Cisco Secure ACS Roles and Privileges

Creating Roles

Editing a Role

Deleting a Role

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Network Device Grouping

Setting Up User Groups for IPS MC

Adding Users

Cisco Secure ACS Roles and Privileges

When you register IPS MC with Cisco Secure ACS, default roles are created that can be used for administering security privileges in IPS MC. A user account must have appropriate privileges to perform specific tasks such as to generate, approve, or deploy configuration files; that is, one's use of IPS MC is controlled by the permissions of one's user account in Cisco Secure ACS. Five types of accounts, or authorization roles, are available as a default in IPS MC. These default roles are listed and described in Table C-1.

However, you do not need to use the default roles that CiscoWorks registers with Cisco Secure ACS. You can delete roles, customize the default roles, or create additional roles to suit your requirements. You accomplish this in the Shared Profile Components section of Cisco Secure ACS.

Table C-1 Cisco Secure ACS Default Role Matrix for IPS MC

Tasks                     Roles
                          Help Desk   Approver   Network Operator   Network Administrator   System Administrator

Device          View      Yes         Yes        Yes                Yes                     Yes
                Admin     No          No         No                 Yes                     Yes

Configuration   View      Yes         Yes        Yes                Yes                     Yes
                Edit      No          No         No                 Yes                     Yes

Deployment      View      Yes         Yes        Yes                Yes                     Yes
                Generate  No          No         No                 Yes                     Yes
                Approve   No          Yes        No                 No                      Yes
                Deploy    No          No         Yes                Yes                     Yes

Admin           View      Yes         Yes        Yes                Yes                     Yes
                Modify    No          No         No                 No                      Yes

Reports         View      Yes         Yes        Yes                Yes                     Yes
                Generate  No          No         No                 No                      Yes
                Delete    No          No         No                 No                      Yes

Rules           View      Yes         Yes        Yes                Yes                     Yes
                Edit      No          No         No                 No                      Yes
                Delete    No          No         No                 No                      Yes


Creating Roles

To establish a new role in Cisco Secure ACS, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Shared Profile Components.

The system displays the Shared Profile Components page.


Note The Shared Profile Components page has headings for each registered set of shared profile components.


Step 3 Select the Management Center for IDS Sensors shared profile component set from the list.

The system displays a table showing the registered roles for IPS MC.

Step 4 Select the name of a role you want to use as a baseline for the new role.

The system displays the hierarchy of the privileges assigned to the role you selected.

Step 5 Click Copy to Clipboard.

The system returns to the IPS MC roles page.

Step 6 Click Add.

The system displays an unnamed role with the privileges from the baseline role that you copied to the clipboard.


Note If you have not copied a baseline role, the system displays the IPS MC privilege hierarchy with no items selected.


Step 7 Enter the name of the role you are creating.

Step 8 Enter a description of the role you are creating.

Step 9 Edit the privileges assigned to the new role by selecting or deselecting the check box next to each item you want to change. A check mark in the check box indicates that permission is allowed. (A plus sign means that part of the branch is hidden; click the plus sign to reveal further detail.)

Step 10 When you have finished setting the privileges to be assigned to the new role, click Submit.

The new role is shown in the list on the IPS MC roles page.


Editing a Role

To customize a role that you registered in Cisco Secure ACS, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Shared Profile Components.

The system displays the Shared Profile Components page.


Note The Shared Profile Components page has headings for each registered set of shared profile components.


Step 3 Select the Management Center for IDS Sensors shared profile component set from the list.

The system displays a table showing the registered roles for IPS MC.

Step 4 Select the name of a role you want to edit.

The system displays the hierarchy of the privileges assigned to the role you selected.

Step 5 Do one or more of the following steps as necessary:

a. Edit the name of the role.

b. Edit the description of the role.

c. Edit the privileges assigned to the role by selecting or deselecting the check box next to each item you want to change. A check mark in the check box indicates that permission is allowed.


Note Short descriptions of the default privileges are given on the Cisco Secure ACS Help page. See the online help for IPS MC for specific information about the items for which you are assigning permission.


Step 6 When you have finished editing the name, description, and privileges to be assigned to the role, click Submit.


Deleting a Role

To delete a role that you registered in Cisco Secure ACS, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Shared Profile Components.

The system displays the Shared Profile Components page.


Note The Shared Profile Components page has headings for each registered set of shared profile components.


Step 3 Select the Management Center for IDS Sensors shared profile component set from the list.

The system displays a table showing the registered roles for IPS MC.

Step 4 Select the name of a role you want to delete.

A verification message appears.

Step 5 Click OK to acknowledge and close the verification message.


Adding Managed Devices as AAA Clients in Cisco Secure ACS

To configure user profiles, or user group profiles, on a network-device basis, you must make sure that each device managed by IPS MC is fully configured in your Cisco Secure ACS.

The following procedure provides basic details for adding a AAA client to Cisco Secure ACS. For full information on network configuration within Cisco Secure ACS, see your Cisco Secure ACS user guide.

To add managed devices as AAA clients in Cisco Secure ACS, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Network Configuration.

Step 3 Click Add Entry below the AAA Clients table.


Note This procedure assumes that you are not using NDGs in your Cisco Secure ACS. If you are using NDGs, click the name of the NDG to which the network device is to be assigned, and then click Add Entry below the AAA Clients table.


Cisco Secure ACS displays the Add AAA Client page.

Step 4 Enter the AAA Client Hostname (up to 32 characters). Spelling and capitalization of hostnames must be identical in Cisco Secure ACS and in IPS MC.

Step 5 Enter the IP address of the network device in the AAA Client IP Address field.

Step 6 Enter the shared secret in the Key field.


Note Cisco Secure ACS requires that this field be filled in, even if it is not used.


Step 7 From the Authenticate Using list, select the security control protocol to be used.


Step 8 Click Submit + Restart.


Note The configuration of the new device is not established until Cisco Secure ACS is restarted. As an alternative to restarting after setting up each device, you can set up multiple devices, click Submit for each, and then click Submit + Restart after setting up the last device to configure them all at once.



Network Device Grouping

Network Device Grouping is an advanced feature in Cisco Secure ACS that enables you to view and administer a collection of network devices as a single group. To simplify administration, you can assign each NDG a name that can be used to refer to all devices within that group.


Note To see the Network Device Groups table in the Cisco Secure ACS HTML interface, you must have the Network Device Groups option selected on the Advanced Options page of the Interface Configuration section.


You can assign users or groups of users to NDGs. If you are using NDGs, the CiscoWorks server must not be in the Not Assigned NDG.

To create an NDG, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Network Configuration.

Step 3 Under the Network Device Groups table, click Add Entry.

Step 4 Enter the name of the group in the Network Device Group Name field.

Step 5 Click Submit.

The Network Device Groups table displays the new NDG.


Setting Up User Groups for IPS MC

Setting up user groups within Cisco Secure ACS enables you to associate users and roles more easily than if you were to create a customized role for each user added. One or more Cisco Secure ACS user groups are associated with each IPS MC role, and each user is assigned to a single group. See Cisco Secure ACS Roles and Privileges.

This procedure does not detail everything you can do when setting up groups within Cisco Secure ACS. That level of detail is beyond the scope of this document. See your user guide for Cisco Secure ACS for more detailed information on customizing user groups.

Use this procedure to establish the basic user groups in Cisco Secure ACS that are:

Configured to employ the TACACS+ protocol for all or just for specific devices.

Assigned to specific IPS MC roles.

The user groups that you establish, and their relationships to the roles you have established, are dictated by your security strategy and administration model.


Note The concept of a role, as used by IPS MC, is referred to in the Cisco Secure ACS documentation as a command authorization set.


A simple model might involve nothing more than a one-to-one assignment of groups to roles. However, if you also intend to employ network device grouping in Cisco Secure ACS, you may want to assign a particular group different roles for different devices. For example, if your company has two major groupings of network devices called East Coast Network and West Coast Network, you could create a group called East Coast Network Admin that would have the full Network Administrator permission for all devices in the East Coast Network, while having only the Help Desk permission for devices in the West Coast Network.
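The following Python model, added here as an illustration and not part of this guide or of Cisco Secure ACS, shows how the default role matrix in Table C-1 combines with a per-NDG group-to-role association to yield an authorization decision for one user on one device. The hostnames, the "Management" NDG name, and the user and group names are constructed sample values; the East Coast / West Coast assignment follows the example above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, List

# Column order of Table C-1.
ROLES = ("Help Desk", "Approver", "Network Operator",
         "Network Administrator", "System Administrator")
NET_ADMIN_UP = ("Network Administrator", "System Administrator")
SYS_ADMIN = ("System Administrator",)

# Table C-1, the default role matrix IPS MC registers with Cisco Secure ACS:
# (task category, task) -> roles permitted to perform it.
DEFAULT_MATRIX: Dict[Tuple[str, str], Tuple[str, ...]] = {
    ("Device", "View"): ROLES,          ("Device", "Admin"): NET_ADMIN_UP,
    ("Configuration", "View"): ROLES,   ("Configuration", "Edit"): NET_ADMIN_UP,
    ("Deployment", "View"): ROLES,      ("Deployment", "Generate"): NET_ADMIN_UP,
    ("Deployment", "Approve"): ("Approver", "System Administrator"),
    ("Deployment", "Deploy"): ("Network Operator",) + NET_ADMIN_UP,
    ("Admin", "View"): ROLES,           ("Admin", "Modify"): SYS_ADMIN,
    ("Reports", "View"): ROLES,         ("Reports", "Generate"): SYS_ADMIN,
    ("Reports", "Delete"): SYS_ADMIN,
    ("Rules", "View"): ROLES,           ("Rules", "Edit"): SYS_ADMIN,
    ("Rules", "Delete"): SYS_ADMIN,
}

NOT_ASSIGNED = "Not Assigned"   # the default NDG in Cisco Secure ACS


@dataclass
class UserGroup:
    """A Cisco Secure ACS user group and its IPS MC role assignment: either one
    role for any network device, or one role per network device group."""
    any_device_role: Optional[str] = None
    per_ndg_roles: Dict[str, str] = field(default_factory=dict)


@dataclass
class AcsModel:
    aaa_clients: Dict[str, str]       # AAA client hostname -> NDG name
    groups: Dict[str, UserGroup]      # group name -> role assignment
    users: Dict[str, str]             # username -> group name
    ciscoworks_host: str              # hostname of the CiscoWorks server
    matrix: Dict[Tuple[str, str], Tuple[str, ...]] = field(
        default_factory=lambda: dict(DEFAULT_MATRIX))


def validate(acs: AcsModel) -> List[str]:
    """Static checks for the setup requirements stated in this appendix."""
    problems = []
    if acs.ciscoworks_host not in acs.aaa_clients:
        problems.append("CiscoWorks server is not defined as a AAA client")
    elif acs.aaa_clients[acs.ciscoworks_host] == NOT_ASSIGNED:
        problems.append("CiscoWorks server must not be in the Not Assigned NDG")
    for name, grp in acs.groups.items():
        for role in [grp.any_device_role, *grp.per_ndg_roles.values()]:
            if role is not None and role not in ROLES:
                problems.append(f"group {name!r} references unknown role {role!r}")
    return problems


def effective_role(acs: AcsModel, user: str, device: str) -> Optional[str]:
    """Resolve the IPS MC role that applies to `user` on `device`, or None.
    A device that is not defined as a AAA client yields no role at all."""
    if device not in acs.aaa_clients:
        return None
    group = acs.groups.get(acs.users.get(user, ""))
    if group is None:
        return None
    if group.any_device_role is not None:     # "for any network device"
        return group.any_device_role
    return group.per_ndg_roles.get(acs.aaa_clients[device])   # per-NDG basis


def is_authorized(acs: AcsModel, user: str, device: str,
                  category: str, task: str) -> bool:
    role = effective_role(acs, user, device)
    return role is not None and role in acs.matrix.get((category, task), ())


# Constructed sample reflecting the East Coast / West Coast example above.
SAMPLE = AcsModel(
    aaa_clients={"cw-server": "Management",
                 "sensor-nyc": "East Coast Network",
                 "sensor-sfo": "West Coast Network"},
    groups={"East Coast Network Admin": UserGroup(per_ndg_roles={
                "East Coast Network": "Network Administrator",
                "West Coast Network": "Help Desk"}),
            "Approvers": UserGroup(any_device_role="Approver")},
    users={"alice": "East Coast Network Admin", "bob": "Approvers"},
    ciscoworks_host="cw-server",
)
```

Running `validate(SAMPLE)` returns an empty list, while `is_authorized(SAMPLE, "alice", "sensor-sfo", "Configuration", "Edit")` is False because alice holds only Help Desk on the West Coast NDG.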


Note The Cisco Secure ACS Interface Configuration section limits the settings you see according to the features you enable. This procedure includes steps to display the required interface settings only for TACACS+ and IPS MC.


To set up user groups for IPS MC in Cisco Secure ACS, follow these steps:


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Interface Configuration.


Note The Interface Configuration section enables you to determine what settings are displayed in the Cisco Secure ACS HTML interface. Features that are not selected may be hidden in the Cisco Secure ACS HTML interface.


Step 3 Click TACACS+ (Cisco IOS).

The system displays the TACACS+ (Cisco) edit page.

Step 4 In the New Services section of the TACACS+ Services box, in the Group column of check boxes, ensure that the idscfg service is selected.

Step 5 From the navigation bar on the left, click Group Setup.

The system displays the Group Setup page.

Step 6 From the Group list, select a group to configure.


Note Typically you want to leave Group 0, the default group, with a minimal set of permissions. This is the group to which unknown users are assigned when authenticated by an external database for which no group mapping has been established.


Step 7 Click Rename Group.

Step 8 Enter a name for the group, and then click Submit.

In the Group list, the system displays the newly assigned group name.


Note Group numbers remain unchanged. You can configure up to 500 distinct groups in Cisco Secure ACS.


Step 9 With the renamed group still selected in the Group window, click Edit Settings.

The system displays the Group Settings page for the selected group.

Step 10 From the Jump To list at the top of the page, select TACACS+.

The system scrolls down to the TACACS+ Settings box.

Step 11 Scroll down through the TACACS+ Settings box sections until you locate the Management Center for IDS Sensors section.

Step 12 If you are not using NDGs for this user group, click the Assign a IPS MC for any network device radio button, and then select the group's assigned role from the list. Skip to Step 14.

Step 13 If you are using NDGs for this user group:

a. Click the Assign a IPS MC on a per Network Device Group Basis radio button.

b. Select a device group from the Device Group list.

c. Select a role from the IPS MC list.

d. Click Add Association.

The association is listed in the display box.

e. Continue to create associations between device groups and IPS MC roles until you have established the entire permission set for this group.

Step 14 Click Submit + Restart.


Note The association of groups to roles is not established until Cisco Secure ACS is restarted. As an alternative to restarting after setting up each group, you can set up multiple groups, click Submit for each, and then click Submit + Restart after setting up the last group to establish them all at once.



Adding Users

Users are authenticated by your Cisco Secure ACS in one of two basic ways:

By using the Cisco Secure ACS user database for authentication.

By using one of several possible external user databases for authentication.

Authentication types appear in the Cisco Secure ACS HTML interface only when the corresponding external user database has been configured in the Database Configuration area of the External User Databases section. Among the possible authentication types you might configure are the following:

Windows Database

Generic LDAP

Novell NDS

ODBC

LEAP Proxy RADIUS Server

Token Server

For detailed information on using external databases in user authentication, see your Cisco Secure ACS user guide.

Regardless of what database you configure your Cisco Secure ACS to use when authenticating a particular user, all users have accounts established within the CiscoSecure user database, and authorization of users is always performed against the user records in the CiscoSecure user database.

You can establish user accounts in your CiscoSecure user database in five ways:

Cisco Secure ACS HTML interface.

Unknown User Policy.

RDBMS Synchronization.

CSUtil.exe.

Database Replication.

Adding a user account can be as simple as specifying a name, an authentication method, and a password. Alternatively, there are many possible user management options, settings, and assignments that you may want to use that are beyond the scope of this document. For details on adding users to your Cisco Secure ACS, see your Cisco Secure ACS user guide.