Installation Guide
Web Server Installation for Cisco Secure ACS for Windows 2000/NT User-Changeable Passwords
Table of Contents
1 Preparing for User-Changeable Cisco Secure ACS Passwords
2 Installing the User-Changeable Password Software
3 Using the Web Server to Change Your Password
4 Protecting Your Web Server (Optional)
5 Enabling SSL on the Web Server (Optional)
This card is effective for Cisco Secure ACS versions 2.5, 2.6, and 3.0, and contains instructions for installing and using an application that enables users to change their passwords with a web-based utility. To install the user-changeable passwords application, you must have a web server that runs Microsoft IIS 4.0 or 5.0.
1 Preparing for User-Changeable Cisco Secure ACS Passwords
Step 1 Make sure the web server uses Microsoft IIS 4.0 or 5.0.
Note: If Cisco Secure ACS and your Microsoft IIS software run on the same server, you do not need to perform steps 2 through 4. Proceed to "Installing the User-Changeable Password Software".
Step 2 In Cisco Secure ACS, click Interface Configuration, then Advanced Options, and select the Distributed Systems Settings check box.
Step 3 Click Network Configuration, and then, under the AAA Servers table, click Add Entry.
Step 4 Type the hostname and the IP address of the web server in the corresponding boxes. The other items are irrelevant. Click Submit + Restart.
2 Installing the User-Changeable Password Software
Step 1 On the web server, use Windows Explorer to find the user-changeable password SETUP.EXE file on the Cisco Secure ACS CD. Double-click the SETUP.EXE file. The Before You Begin dialog box appears.
Step 2 Select the check boxes for all the items. Click Next. The Choose Destination Location dialog box displays a default directory for the HTML files.
Step 3 For the HTML files, accept the default directory or choose a new destination directory. Click Next. A second Choose Destination Location dialog box displays a default directory for the CGI script.
Step 4 For the CGI script files, accept the default directory or choose a destination directory. Click Next. The Enter Information dialog box displays the default URL for the HTML virtual directory, using the web server's IP address.
Step 5 For the HTML files, accept the default URL or type a new URL. The URL should include the name of the virtual directory you want to associate with the HTML directory specified in step 3. We recommend that you use secure, which is the default name. Click Next. A second Enter Information dialog box displays the default URL for the CGI virtual directory, using the web server's IP address.
Step 6 For the CGI scripts, accept the default URL or type a new URL. The URL should include the name of the virtual directory you want to associate with the CGI directory specified in step 4. We recommend that you use securecgi-bin, which is the default name. Click Next. The Connecting to Cisco Secure Server dialog box appears.
Step 7 Type the IP address of the Cisco Secure ACS server. Click Next. Setup tests the connection to the Cisco Secure ACS server, and then the Setup Complete dialog box appears.
Step 8 To complete the installation, click Finish. The remaining steps involve configuring the Microsoft IIS web server.
Step 9 Following Microsoft IIS documentation, add a virtual directory for the HTML files. The virtual directory's name must match the virtual directory specified in step 5. For its content, associate the directory with the directory specified in step 3. Give this virtual directory read permissions.
Step 10 Add a virtual directory for the CGI scripts. The virtual directory's name must match the virtual directory specified in step 6. For its content, associate the directory with the directory you specified in step 4. Give this virtual directory read and execute permissions.
3 Using the Web Server to Change Your Password
Note: Check with your system administrator to be sure you have the appropriate permissions to change your password.
Step 1 Using a web browser, open the user-changeable password page using the URL that your administrator provided.
Step 2 Type your username and password, and click Submit. The Change Password page opens.
Step 3 The username you entered on the previous page appears in the Username box. Specify the following information:
- Current Password. Type your current password.
- New Password. Type the new password. Your password might need to fulfill certain special requirements, such as minimum length. Check with your system administrator for details.
- Confirm New Password. Re-type the new password.
Click Submit. Your password is changed. To exit, click Logout.
4 Protecting Your Web Server (Optional)
Note: If your users will not be accessing the user-changeable password page from outside a secure perimeter, SSL may not be necessary.
Because users change their Cisco Secure ACS database passwords over a connection between their web browsers and the web server, user and password data is vulnerable. The SSL protocol encrypts data transfers, including passwords, between web browsers and the web server. Using the SSL protocol to encrypt HTTP connections between browser and server provides greater security.
The Cisco Secure ACS user-changeable password HTML interface communicates with the web server (for example, Microsoft IIS), and the web server, in turn, communicates with the Cisco Secure ACS database.
SSL works by having the web browser authenticate the server, accepting only a server that has a signed key. You must obtain a certificate from a certificate authority. If you use a public certificate authority, the certificate authority assigns your keys for a fee, provided you comply with certain requirements.
If your browser supports only basic authentication, we recommend that you also use SSL. You might also want to use SSL even if you use Windows NT Challenge Response, because SSL encrypts all data in the session.
5 Enabling SSL on the Web Server (Optional)
Step 1 Following your Microsoft IIS documentation, generate a certificate request.
Step 2 Submit the certificate request to a certificate authority.
Step 3 After you have received your certificate from the certificate authority, install the certificate on your web server. For more information, refer to Microsoft IIS documentation.
Step 4 Following your Microsoft IIS documentation, activate SSL security on the web server.
- You can enable SSL security on the root of your web site or on one or more virtual directories.
- After SSL is enabled and properly configured, only SSL-enabled clients can communicate with the SSL-enabled WWW directories.
- URLs that point to documents on an SSL-enabled WWW folder must use https instead of http in the URL. Links that use http in the URL do not work on a secure directory.
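The following check is an added example, not part of the Cisco software or this guide. It scans an HTML page for links and form actions that still use http to reach the SSL-enabled virtual directories, which would stop working once SSL is required. It assumes the default directory names secure and securecgi-bin from the installation steps; the sample page, its file names, and the 192.0.2.10 address are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Default virtual directory names from the installation steps; change these
# if other names were chosen during setup.
SSL_VDIRS = ("secure", "securecgi-bin")
URL_ATTRS = {"href", "src", "action"}


class _LinkCollector(HTMLParser):
    """Collects (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value.strip()))


def find_plain_http_links(html, ssl_vdirs=SSL_VDIRS):
    """Return links that use http:// to reach an SSL-enabled virtual directory.

    Relative links are not reported: they inherit the scheme of the page that
    contains them, so they stay on https once that page is served over SSL.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.links:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        # IIS paths are case-insensitive, so compare in lower case.
        first_segment = parts.path.lstrip("/").split("/", 1)[0].lower()
        if first_segment in ssl_vdirs:
            findings.append((tag, attr, url))
    return findings


# Constructed sample page (hypothetical file names, documentation IP address).
SAMPLE_PAGE = """
<form method="post" action="http://192.0.2.10/securecgi-bin/change.exe">
<a href="http://192.0.2.10/secure/help.htm">Help</a>
<a href="https://192.0.2.10/secure/login.htm">Login</a>
<a href="logout.htm">Logout</a>
<a href="http://192.0.2.10/public/index.htm">Home</a></form>
"""
```

Run `find_plain_http_links` over each file in the HTML directory chosen during installation and change any reported URL to https or to a relative link.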