Cisco Secure Access Control Server for Windows

Web Server Installation for CiscoSecure ACS 2.3 for Win NT

Quick Reference Card
Web Server Installation for CiscoSecure ACS for Windows NT User-changeable Passwords

This card contains instructions for installing and configuring a separate program to allow users to change their passwords using a web-based utility. It also contains information on how to change a password using the utility.


Note Make sure you have already followed the instructions in the Read Me First: CiscoSecure ACS 2.3 for Windows NT Server Getting Started and the Quick Installation Card: CiscoSecure ACS 2.3 for Windows NT Server documents. To install this product correctly, you must be very familiar with Microsoft Internet Information Server (IIS) and Secure Sockets Layer (SSL).




Protecting Your Web Server

The Secure Sockets Layer (SSL) protocol secures the data transferred between the web server and the browser during remote access.


Note If you are installing the user-changeable password software on an intranet, SSL might not be necessary.

The SSL protocol protects data transfers, which can include passwords, between the CiscoSecure ACS user-changeable password HTML-based interface and your web browser. Use the SSL protocol for encrypted connections to your web server; this provides a high degree of security. Because users connect to the web utility program from their own web browsers to change their CiscoSecure ACS database passwords, all of the data traffic is vulnerable and should be encrypted.

The CiscoSecure ACS user-changeable password HTML interface communicates with the web server (for example, Microsoft IIS), and the web server, in turn, communicates with the CiscoSecure ACS database.

With SSL, the web browser authenticates only a server that has a signed key. You must obtain a certificate from a certificate authority such as VeriSign. VeriSign will assign your keys for a fee, provided you comply with certain requirements, or you can check with the manufacturer of your web server software.

If your browser supports only basic authentication, Cisco recommends that you also use SSL. You might also want to use SSL even if you use Windows NT Challenge Response, because SSL encrypts all data in the session.




Enabling SSL on the Web Server

To enable SSL security on a web server, follow these steps:


Step 1   Generate a key pair file and a request file. In the Microsoft Internet Server, click Key Manager.

Step 2   From the Key menu, click Create New Key.

Step 3   In the Create New Key and Certificate Request dialog box, fill in the requested information. After you fill out the form, click OK.

Step 4   When you are prompted, retype the password you typed in the form, and click OK. When the key has been created, a screen opens containing information about the new keys and how to obtain a certificate. Click OK.

Step 5   From the Key menu in Key Manager, click Export Key and then Backup File. Click OK in the warning dialog box.

Step 6   Type the key name in the File Name box, and click Save. To save the new key, select Commit Changes Now from the Servers menu. When asked if you want to commit all changes now, click OK.

Step 7   Request a certificate from a certification authority and install the certificate on your server.

Step 8   Activate SSL security on a WWW service folder. Use a web browser to connect to the server. Click Maintenance: Web Admin Preferences: Ensure use of SSL secure channel. Click OK. This sets the Registry entry SSLRequired to 1. The Registry entry SSLRequired is in the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Inetsrv_NTAdmin

Keep in mind the following points when enabling SSL security:

  • You can enable SSL security on the root of your web site (\InetPub\Wwwroot by default) or on one or more virtual folders.

  • After SSL is enabled and properly configured, only SSL-enabled clients will be able to communicate with the SSL-enabled WWW folders.

  • URLs that point to documents on an SSL-enabled WWW folder must use https instead of http in the URL. Links that use http in the URL will not work on a secure folder.

For security purposes, do not leave your workstation while logged on to an administrative account or during an administrative session. See your Microsoft documentation for more detailed information.
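The third point above can be checked before users reach the pages. The following added example (not part of the Cisco software or this card) scans an HTML page for absolute http:// references and for password forms that would post over plain HTTP. The sample page, the host acs-web.example.com and the script name change.exe are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that carries a URL worth checking.
URL_ATTRS = {"a": "href", "link": "href", "img": "src", "script": "src",
             "frame": "src", "form": "action"}

class InsecureRefFinder(HTMLParser):
    """Collects http:// references and password forms not submitted over https."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (line, tag, issue, url)
        self._form = None    # (line, action) of the form currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        attr = URL_ATTRS.get(tag)
        url = (attrs.get(attr) or "").strip() if attr else ""
        if url and urlsplit(url).scheme.lower() == "http":
            self.findings.append((line, tag, "http-url", url))
        if tag == "form":
            self._form = (line, url)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password" and self._form:
            form_line, action = self._form
            # Relative actions inherit the page's scheme, so only explicit http is flagged.
            if urlsplit(action).scheme.lower() == "http":
                self.findings.append((form_line, "form", "password-over-http", action))
                self._form = None   # report each form once

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_html(text):
    """Return the list of findings for one HTML document."""
    finder = InsecureRefFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical, not the product's login.htm).
SAMPLE_LOGIN_HTM = """<html><body>
<a href="http://acs-web.example.com/secure/help.htm">Help</a>
<a href="https://acs-web.example.com/secure/faq.htm">FAQ</a>
<form method="post" action="http://acs-web.example.com/securecgi-bin/change.exe">
<input type="text" name="user">
<input type="password" name="old">
<input type="password" name="new">
</form>
<form method="post" action="/securecgi-bin/change.exe">
<input type="password" name="pw">
</form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_LOGIN_HTM):
        print(finding)
```
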




Setting up a Virtual Directory on the Web Server

To set up a virtual directory on the web server, follow these steps:


Step 1   In CiscoSecure ACS, click Interface Configuration: Distributed Systems Settings.

Step 2   Click Network Configuration: Add AAA Server.

Step 3   Click AAA Server: Add Entry and enter the IP address and other applicable information for the remote web server. Restart the server.

Step 4   Make sure Microsoft IIS 2.0 or later is installed on the server. Follow the instructions in your Microsoft documentation to add the following directories:

  • Home directory with read enabled:

  c:\InetPub\wwwroot\secure

  • Virtual directory with execute privileges:

  c:\InetPub\wwwroot\securecgi-bin

Step 5   Set the default document for the home page to login.htm.


Note Do not skip this step; it is very important.




Installing the User-Changeable Password Software on the Web Server

To install the software on the web server, follow these steps:


Step 1   Use the Windows Explorer to locate the User-Changeable Password SETUP.EXE file. Double-click the SETUP.EXE file to run it.

Step 2   In the Before You Begin window, click the check boxes for items 1, 2, 3, 4, and 5. Click Next.

Step 3   In the Choose Destination Location window, select or enter the destination directory for the HTML files. Click Next.

Step 4   In the second Choose Destination Location window, select or enter the destination directory for the CGI script files. Click Next.

Step 5   In the Enter Information window, enter the IP address with the virtual directory of the Change Password logon web page that users will access. Excluding the virtual directory allows users to directly access the page. Click Next.

Step 6   In the second Enter Information window, enter the IP address of the virtual directory to which the physical CGI script directory maps. Click Next.

Step 7   In the Connecting to CiscoSecure Server window, enter the IP address of the server where CiscoSecure ACS resides. Click Next.

Step 8   In the Setup Complete window, click Finish. The installation is now complete.




Changing Your Password Using the Web Server


Note Check with your system administrator to be sure you have the appropriate permissions to change your password.

To change your password, follow these steps:


Step 1   Log in to the web page your administrator has provided:

http://  name of your web server:
 

Step 2   Enter your username and password and click Submit. The Change Password window opens.

Step 3   The username you entered on the previous screen is displayed in the username field. Enter the following information:

  • Current Password—Enter your current password.

  • New Password—Enter the new password. Your password might need to fulfill certain special requirements. Check with your system administrator.

  • Confirm New Password—Enter the new password again.

Click Submit. Your password is changed. To exit, click the Back button of your browser.