Table of Contents
Installation Guide for Cisco Secure ACS for Windows ServerPreparation for Installing or Upgrading Cisco Secure ACS
System Requirements
Hardware Requirements
Operating System Requirements
Third-Party Software Requirements
Back Up Data
Gathering Answers for the Installation Questions
Creating a Cisco Secure ACS Installation
Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration
Reinstalling or Upgrading Cisco Secure ACS without Preserving Existing Configuration
Windows Authentication from a Member Server
Additional Installation Information
ODBC Message During Installation
Abnormal Installation Termination
Obtaining Documentation
Obtaining Technical Assistance
Installation Guide for Cisco Secure ACS for Windows Server
This document provides information about installing, reinstalling, and upgrading to Cisco Secure Access Control Server for Windows Servers Version 3.1 (Cisco Secure ACS). It contains the following sections:
- Preparation for Installing or Upgrading Cisco Secure ACS
- What You Can Do
- Creating a Cisco Secure ACS Installation
- Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration
- Reinstalling or Upgrading Cisco Secure ACS without Preserving Existing Configuration
- Windows Authentication from a Member Server
- Additional Installation Information
- Related Documentation
- Obtaining Documentation
- Obtaining Technical Assistance
Preparation for Installing or Upgrading Cisco Secure ACS
Before performing an installation or upgrade procedure, read this section and perform the recommended actions. This section includes the following topics:
Cisco Secure ACS System Description
Cisco Secure ACS network security software helps you authenticate users by controlling access to a AAA client—any one of many network devices that can be configured to defer authentication and authorization of network users to a AAA server. Cisco Secure ACS operates as a set of Windows services that control the authentication, authorization, and accounting of users accessing networks.
Cisco Secure ACS operates on Windows 2000 Server. Cisco Secure ACS can run on a domain controller or a member server.
 |
Note If you install Cisco Secure ACS on a member server and want to authenticate users with a Windows Security Account Manager user database or an Active Directory user database, there is additional Windows configuration required after you have installed Cisco Secure ACS. For more information, see Windows Authentication from a Member Server. |
For additional information about Cisco Secure ACS, refer to the User Guide for Cisco Secure ACS for Windows Server, version 3.1.
System Requirements
Your Cisco Secure ACS server must meet the minimum hardware, operating system, and third-party software requirements detailed in the following sections. Additionally, if you are upgrading from a previous version of Cisco Secure ACS, refer to Cisco Secure ACS Upgrade Requirements.
Cisco Secure ACS Upgrade Requirements
We designed the setup program to support upgrades from previous versions of Cisco Secure ACS. For information about the versions of Cisco Secure ACS that we used to test the upgrade process, see the Release Notes. The latest version of the Release Notes are posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.
Hardware Requirements
The computer running Cisco Secure ACS must meet the following minimum hardware requirements:
Operating System Requirements
The server running Cisco Secure ACS should use an English-language version of Windows 2000 Server with Service Pack 3 installed.
|
Note Both the operating system and the applicable service pack must be English-language versions. |
Windows service packs can be applied either before or after installing Cisco Secure ACS. If you do not install a required service pack before installing Cisco Secure ACS, the Cisco Secure ACS installation program warns you that the required service pack is not present on your server. If you receive a service pack message, continue the installation, and then install the required service pack before starting user authentication with Cisco Secure ACS.
|
Note Beginning with Cisco Secure ACS version 3.1, we no longer support running Cisco Secure ACS on a Windows NT 4.0 server. For information about upgrading the operating system of a server running Cisco Secure ACS, see Upgrading from Windows NT 4.0 to Windows 2000 Server. |
For the most recent information about tested operating systems and service packs, see the Release Notes. The current version of the Release Notes are posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.
Third-Party Software Requirements
|
Note The Release Notes provide information about third-party software products that we tested with Cisco Secure ACS and that we support. Other than the software products described in the Release Notes, we have not tested the interoperability of Cisco Secure ACS and other software products on the same computer. We only support interoperability issues of software products that are mentioned in the Release Notes. The most recent version of the Release Notes are posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/ index.htm. |
Your Cisco Secure ACS server must have a compatible browser installed. Cisco Secure ACS has been tested with English-language versions of the following browsers on Microsoft Windows operating systems:
- Microsoft Internet Explorer Version 5.5 or 6.0
- Netscape Communicator Version 6.2
|
Note To use a web browser to access the Cisco Secure ACS HTML interface, you must enable both Java and JavaScript in the browser. Also, the web browser must not be configured to use a proxy server. For more information about other network environment factors that affect access to the HTML interface, see User Guide for Cisco Secure ACS for Windows Server, version 3.1. |
For the latest information about tested browsers and other third-party applications, such as Novell NDS clients and token-card clients, see the Release Notes. The most recent version of the Release Notes are posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.
Network Requirements
Your network should meet the following requirements before you begin installing Cisco Secure ACS.
- To have Cisco Secure ACS use the Grant Dial-in Permission to User feature in Windows when authorizing network users, make sure this option is selected in the Windows 2000 Active Directory Users and Computers for the applicable user accounts.
- For full TACACS+ and RADIUS support on Cisco IOS devices, make sure that your AAA clients are running Cisco IOS Release 11.2 or later.
- Make sure that any non-Cisco IOS AAA clients can be configured with TACACS+ or RADIUS, or both.
- Make sure that dial-in, VPN, or wireless clients can successfully connect to the applicable AAA clients.
- Make sure that the computer running Cisco Secure ACS can ping the AAA clients.
- Make sure a compatible web browser is installed on the computer running Cisco Secure ACS. For more information, see Third-Party Software Requirements.
- Make sure all network cards in the Cisco Secure ACS server are enabled. If there is a disabled network card on the Cisco Secure ACS server, installing Cisco Secure ACS may proceed slowly due to delays caused by Microsoft CryptoAPI.
Back Up Data
Before you install or upgrade Cisco Secure ACS, we strongly recommend that you back up the computer that you will install Cisco Secure ACS on, using a Windows backup utility of your choice. Include the Windows Registry in the backup.
If you are upgrading or reinstalling Cisco Secure ACS, use the Cisco Secure ACS System Backup feature to back up the Cisco Secure ACS configuration and database, and then copy the backup file to a drive other than one local to the Cisco Secure ACS server.
|
Note Using the ACS Backup feature temporarily stops Cisco Secure ACS services while the backup is performed. |
 |
Caution If you are upgrading Cisco Secure ACS rather than performing a reinstallation, the backups you create cannot be used after the upgrade is successful. The backups provide for recovery should you need to restore your previous installation of Cisco Secure ACS. |
For information about backing up Cisco Secure ACS, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.
Gathering Answers for the Installation Questions
During new installations, or upgrades and reinstallations that do not preserve the existing configuration, the installation process requires specific information about the computer you want to install Cisco Secure ACS on and a AAA client on your network. To facilitate the installation process, collect the applicable information before beginning the installation procedure.
|
Note If you are upgrading or reinstalling Cisco Secure ACS and intend to keep the existing configuration and database, you need not perform the following procedure. The information it requires is already recorded in your Cisco Secure ACS installation. |
To collect information that is required during the installation of Cisco Secure ACS, follow these steps:
Step 1 Determine whether the computer that you will install Cisco Secure ACS on is a domain controller or a member server. If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you install Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
Step 2 For the first AAA client that you want to configure to use Cisco Secure ACS AAA services, determine which AAA protocol and vendor-specific attribute you want to implement:
Step 3 Record the name of the AAA client.
Step 4 Record the IP address of the AAA client.
Step 5 Record the IP address of the computer that you want to install Cisco Secure ACS on.
Step 6 Record the TACACS+ or RADIUS key (shared secret).
What You Can Do
This document provides detailed procedures for installing, reinstalling and upgrading Cisco Secure ACS. You must select the right procedure for your situation. Table 1 lists the five possible installation and upgrade scenarios. See Table 1 to determine which procedure applies to your situation.
|
Note Before performing any installation or upgrade procedure, we strongly recommend that you read Preparation for Installing or Upgrading Cisco Secure ACS, and perform the applicable tasks detailed in that section. Table 1 Installation and Upgrade Scenarios
|
Creating a Cisco Secure ACS Installation
Use this procedure to install Cisco Secure ACS for the first time.
|
Note For information about upgrading or reinstalling an existing Cisco Secure ACS installation, see Table 1. |
For information about what must be completed before installing Cisco Secure ACS, see Preparation for Installing or Upgrading Cisco Secure ACS.
If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you install Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
To install Cisco Secure ACS, follow these steps:
Step 1 Using the local administrator account, log in to the computer you want to install Cisco Secure ACS on.
Step 2 Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.
Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears.
|
Note If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably. |
Step 3 Do one of the following:
a. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears, click Install.
b. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box does not appear, run setup.exe, located in the root directory of the Cisco Secure ACS CD.
|
Note If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably. |
Result: The CiscoSecure ACS Setup dialog box displays the software license agreement.
Step 4 Read the software license agreement. If you accept the software license agreement, click ACCEPT.
Result: The Welcome dialog box displays basic information about the setup program.
Step 5 After you have read the information in the Welcome dialog box, click Next >.
Result: The Before You Begin dialog box lists items that you must complete before continuing with the installation. These are the same items discussed in Gathering Answers for the Installation Questions.
Step 6 If you have completed all items listed in the Before You Begin dialog box, select the corresponding check box for each item, and then click Next >.
|
Note If you have not completed all items listed in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items listed in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS. |
Result: The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path at which the setup program installs Cisco Secure ACS.
Step 7 To change the installation location, follow these steps:
Result: The Choose Folder dialog box appears. The Path box contains the installation location.
b. Change the installation location. You can either type the new location in the Path box or you can use the Drives and Directories lists to select a new drive and directory.
|
Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes. |
Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.
Step 8 Click Next >.
Result: The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the CiscoSecure user database only, or with a Windows NT/2000 user database also.
|
Note After you have installed Cisco Secure ACS, you can configure authentication support for all external user database types in addition to Windows NT/2000 user databases. |
Step 9 If you want to authenticate users with the CiscoSecure user database only, select the Check the CiscoSecure ACS database only option.
Step 10 If you want to authenticate users with a Windows NT/2000 Security Access Manager (SAM) user database or Windows 2000 Active Directory user database in addition to the CiscoSecure user database, follow these steps:
Result: The Yes, refer to "Grant dialin permission to user" setting check box becomes available.
|
Note The Yes, refer to "Grant dialin permission to user" setting check box applies to all forms of access controlled by Cisco Secure ACS, not just dial-in access. For example, a user accessing your network through a VPN tunnel is not dialing into a network access server; however, if the Yes, refer to "Grant dialin permission to user" setting check box is selected, Cisco Secure ACS applies the user's Windows dial-in permissions to determine whether to grant the user access to your network. |
b. If you want to allow access by users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, select the Yes, refer to "Grant dialin permission to user" setting check box.
Step 11 Click Next >.
Result: The CiscoSecure ACS Network Access Server Details dialog box appears. The information you provide in this dialog box has two uses:
- The setup program creates the AAA client definition in the Network Configuration section of Cisco Secure ACS.
- If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) in the Authenticate Users Using list, the setup program uses this information in Step 19, in which you can configure a Cisco IOS network device to use this Cisco Secure ACS for AAA services.
|
Note You are not limited to defining a network access server in this dialog box. You can define any network device that can act as a AAA client. |
Step 12 Complete the following items in the CiscoSecure ACS Network Access Server Details dialog box:
- Authenticate Users Using—Select the AAA protocol used by the AAA client you are defining. If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), in Step 19 you can configure the network device specified in this dialog box.
- Access Server Name—Type the name of the AAA client that will use Cisco Secure ACS for AAA services.
- Access Server IP Address—Type the IP address of the AAA client that will use Cisco Secure ACS for AAA services.
- Windows Server IP Address—Type the IP address of the computer that you are installing Cisco Secure ACS on.
- TACACS+ or RADIUS Key—Type the shared secret of the AAA client and Cisco Secure ACS. To ensure proper function and communication between the AAA client and Cisco Secure ACS, the key must be identical to AAA client key. Shared secrets are case sensitive.
Step 13 Click Next >.
Result: The setup program installs Cisco Secure ACS and updates the Windows Registry.
The Advanced Options dialog box lists several features of Cisco Secure ACS that are not enabled by default. For more information about these features, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.
|
Note The listed features appear in the Cisco Secure ACS HTML interface only if you enable them. After installation, you can enable or disable them on the Advanced Options page in the Interface Configuration section. |
Step 14 For each feature you want to enable, select the corresponding check box.
Step 15 Click Next >.
Result: The Active Service Monitoring dialog box appears.
|
Note After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section. |
Step 16 If you want Cisco Secure ACS to monitor user authentication services, select the Enable Log-in Monitoring check box. From the Script to execute list, select the option you want applied in the event of authentication service failure:
Step 17 If you want Cisco Secure ACS to send an e-mail message when service monitoring detects an event, select the Mail Notification check box.
Step 18 Click Next >.
Result: If, in Step 12, you specified TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) as the AAA protocol for your first AAA client, the Network Access Server Configuration dialog box appears.
If, in Step 12, you specified a AAA protocol other than TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), the CiscoSecure ACS Service Initiation dialog box appears.
Step 19 If the Network Access Server Configuration dialog box appears and you want to configure AAA functionality on a Cisco IOS network device, follow these steps:
Result: The Enable Secret Password dialog box appears.
b. In the Enable Secret Password box, type an enable secret password for the Cisco IOS network device.
|
Note You must type the shared secret exactly the same as it is configured on the Cisco IOS device, including whether the characters are uppercase or lowercase. |
Result: The Access Server Configuration dialog box displays information about configuring a Cisco IOS network device.
Result: The NAS Configuration dialog box displays the minimum Cisco IOS configuration needed for the network device you specified in Step 12. The minimum configuration includes information you have provided during installation, including the IP address of the computer you are installing Cisco Secure ACS on, the TACACS+ or RADIUS key, and the enable secret password.
|
Note When using the Cisco IOS aaa new-model command, always provide for a local login method. This guards against the slight risk of being locked out of a Cisco IOS device should the administrative Telnet session fail while you are in the process of enabling a new AAA paradigm. For more information about the Cisco IOS aaa command, refer to Cisco IOS documentation. |
|
Note Especially if you intend to implement the minimum configuration provided by the setup program, we recommend that you print the configuration now. |
Result: The setup program prints the configuration using the server's default printer.
Result: The setup program opens a Telnet window. You can login to the Cisco IOS device and update the device configuration, as applicable. The setup program copies the minimum configuration it provides to the Windows clipboard. If you want to use the minimum configuration, you can paste it in the Telnet window after you have entered the applicable configuration mode.
Result: The CiscoSecure ACS Service Initiation dialog box appears.
Step 20 If the Network Access Server Configuration dialog box appears and you want to skip configuring a Cisco IOS network device, clear the Yes, I want to configure Cisco IOS software now check box, and then click Next >.
Result: The CiscoSecure ACS Service Initiation dialog box appears.
Step 21 For each option you want, select the corresponding check box. The actions associated with the options occur after the setup program finishes.
- Yes, I want to start the CiscoSecure ACS Service now—Starts the Windows services that compose Cisco Secure ACS. If you do not select this option, the Cisco Secure ACS HTML interface is not available unless you reboot the server or start the CSAdmin service.
- Yes, I want Setup to launch the CiscoSecure ACS Administrator from my browser following installation—Opens the Cisco Secure ACS HTML interface in the default web browser for the current Windows user account.
- Yes, I want to view the Readme file—Opens the
README.TXTfile in Windows Notepad.
Step 22 Click Next >.
Result: If you so chose, the Cisco Secure ACS services start. The Setup Complete dialog box displays information about the Cisco Secure ACS HTML interface.
Step 23 Click Finish.
Result: The setup program exits. If, in Step 21, you chose the options to view the HTML interface or README.TXT file, those options occur now.
On the computer running Cisco Secure ACS, you can access the Cisco Secure ACS HTML interface using the ACS Admin desktop icon or you can use the following URL in a supported web browser:
|
Note The Cisco Secure ACS HTML interface is available only if you chose to start Cisco Secure ACS services in Step 21. If you did not, to make the HTML interface available, you can either reboot the server or type net start csadmin at a DOS prompt. |
Step 24 If you have installed Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration
Use this procedure to reinstall or upgrade Cisco Secure ACS if you want to preserve all existing configuration and database information.
|
Note For information about installing Cisco Secure ACS the first time, see Table 1. |
For information about what must be completed before reinstalling or upgrading Cisco Secure ACS, see Preparation for Installing or Upgrading Cisco Secure ACS.
If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you have installed Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
To reinstall or upgrade Cisco Secure ACS and preserve the existing configuration and CiscoSecure user database, follow these steps:
Step 1 Using the local administrator account, log in to the computer you want to install Cisco Secure ACS on.
Step 2 Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.
Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears.
|
Note If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably. |
Step 3 Do one of the following:
a. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears, click Install.
b. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box does not appear, run setup.exe, located in the root directory of the Cisco Secure ACS CD.
|
Note If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably. |
Result: The CiscoSecure ACS Setup dialog box displays the software license agreement.
Step 4 Read the software license agreement. If you accept the software license agreement, click ACCEPT.
Result: The Welcome dialog box displays basic information about the setup program.
Step 5 After you have read the information in the Welcome dialog box, click Next >.
Result: The Before You Begin dialog box lists items that you must complete before continuing with the installation. These are the same items discussed in Gathering Answers for the Installation Questions.
Step 6 If you have completed all items listed in the Before You Begin dialog box, select the corresponding check box for each item, and then click Next >.
|
Note If you have not completed all items listed in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items listed in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS. |
Result: The Existing Installation of CiscoSecure ACS vx.x dialog box appears.
Step 7 Select the Yes, import the existing configuration check box.
 |
Warning Be sure that the Yes, import the existing configuration check box is selected, not cleared. If you proceed without selecting the Yes, import the existing configuration check box, the setup program deletes all existing AAA client, user, and group information. |
Step 8 Click Next >.
Result: If the previous installation of Cisco Secure ACS has an PassGo (formerly Axent), CRYPTOCard, or Safeword external user database configuration that uses a proprietary client for communication with the applicable token server, the RADIUS Token Server Details dialog box appears. In Cisco Secure ACS 3.1, support for CRYPTOCard, PassGo, and Safeword token servers uses the RADIUS protocol rather than a proprietary client interface. For more information about changes to token server support, refer to the Release Notes for Cisco Secure ACS for Windows Server Version 3.1.
Step 9 If the RADIUS Token Server Details dialog box appears, follow these steps:
|
Note If the RADIUS token server and Cisco Secure ACS run on the same computer, be sure that the RADIUS token server is configured to listen for RADIUS requests on UDP ports different from the ports that Cisco Secure ACS uses. For more information about changing the UDP ports used by the RADIUS token server, refer to the Release Notes for Cisco Secure ACS for Windows Server Version 3.1. |
Result: The setup program creates a backup of the existing Cisco Secure ACS configuration and database, and then removes the previous installation.
The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path at which the setup program installs Cisco Secure ACS.
Step 10 To change the installation location, follow these steps:
Result: The Choose Folder dialog box appears. The Path box contains the installation location.
b. Change the installation location. You can either type the new location in the Path box or you can use the Drives and Directories lists to select a new drive and directory.
|
Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes. |
Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.
Step 11 Click Next >.
Result: The setup program installs Cisco Secure ACS and updates the Windows Registry.
The CiscoSecure ACS Service Initiation dialog box appears.
Step 12 For each option you want, select the corresponding check box. The actions associated with each option occur after the setup program finishes.
- Yes, I want to start the CiscoSecure ACS Service now—Starts the Windows services that compose Cisco Secure ACS. If you do not select this option, the Cisco Secure ACS HTML interface is not available unless you reboot the server or start the CSAdmin service.
- Yes, I want Setup to launch the CiscoSecure ACS Administrator from my browser following installation—Opens the Cisco Secure ACS HTML interface in the default web browser for the current Windows user account.
- Yes, I want to view the Readme file—Opens the
README.TXTfile in Windows Notepad.
Step 13 Click Next >.
Result: If you so chose, the Cisco Secure ACS services start. The Setup Complete dialog box displays information about the Cisco Secure ACS HTML interface.
Step 14 Click Finish.
Result: The setup program exits. If, in Step 11, you chose the options to view the HTML interface or README.TXT file, those options occur now.
On the computer running Cisco Secure ACS, you can access the Cisco Secure ACS HTML interface using the ACS Admin desktop icon or you can use the following URL in a supported web browser:
|
Note The Cisco Secure ACS HTML interface is available only if you chose to start Cisco Secure ACS services in Step 11. If you did not and you want to make the HTML interface available, you can either reboot the server or type net start csadmin at a DOS prompt. |
Step 15 If you have installed Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
|
Note If you previously configured Cisco Secure ACS services to run using a specific username, that configuration was lost during the reinstallation. For more information, see Windows Authentication from a Member Server. |
Reinstalling or Upgrading Cisco Secure ACS without Preserving Existing Configuration
Use this procedure to reinstall or upgrade Cisco Secure ACS if you do not intend to preserve the existing configuration and database information.
|
Warning Performing this procedure deletes the existing configuration of Cisco Secure ACS, including all AAA client, user and group information. Unless you have backed up your Cisco Secure ACS data and the Windows Registry, there is no recovery of the previous configuration and database. |
For information about what must be completed before reinstalling or upgrading Cisco Secure ACS, see Preparation for Installing or Upgrading Cisco Secure ACS.
If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you have installed Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
To reinstall or upgrade Cisco Secure ACS without preserving the existing configuration or CiscoSecure user database, follow these steps:
Step 1 Using the local administrator account, log in to the computer you want to install Cisco Secure ACS on.
Step 2 Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.
Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears.
|
Note If computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably. |
Step 3 Do one of the following:
a. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears, click Install.
b. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box does not appear, run setup.exe, located in the root directory of the Cisco Secure ACS CD.
|
Note If computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably. |
Result: The CiscoSecure ACS Setup dialog box displays the software license agreement.
Step 4 Read the software license agreement. If you accept the software license agreement, click ACCEPT.
Result: The Welcome dialog box displays basic information about the setup program.
Step 5 After you have read the information in the Welcome dialog box, click Next >.
Result: The Before You Begin dialog box lists items that you must complete before continuing with the installation. These are the same items discussed in Gathering Answers for the Installation Questions.
Step 6 If you have completed all items listed in the Before You Begin dialog box, select the corresponding check box for each item, and then click Next >.
|
Note If you have not completed all items listed in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items listed in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS. |
Result: The Existing Installation of CiscoSecure ACS vx.x dialog box appears.
Step 7 Clear the Yes, import the existing configuration check box.
|
Note Be sure that the Yes, import the existing configuration check box is cleared, not checked; otherwise, the existing configuration and CiscoSecure user database are preserved. |
Step 8 Click Next >.
Result: The setup program removes the previous installation of Cisco Secure ACS.
If Cisco Secure ACS services are running, the CiscoSecure ACS Uninstall dialog box appears.
Step 9 If the CiscoSecure ACS Uninstall dialog box appears, click Continue.
Result: The setup program finishes removing the previous installation of Cisco Secure ACS.
The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path at which the setup program installs Cisco Secure ACS.
Step 10 To change the installation location, follow these steps:
Result: The Choose Folder dialog box appears. The Path box contains the installation location.
b. Change the installation location. You can either type the new location in the Path box or you can use the Drives and Directories lists to select a new drive and directory.
|
Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes. |
Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.
Step 11 Click Next >.
Result: The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the CiscoSecure user database only, or with a Windows NT/2000 user database also.
|
Note After you have installed Cisco Secure ACS, you can configure authentication support for all external user database types in addition to Windows NT/2000 user databases. |
Step 12 If you want to authenticate users with the CiscoSecure user database only, select the Check the CiscoSecure ACS database only option.
Step 13 If you want to authenticate users with a Windows NT/2000 Security Access Manager (SAM) user database or Windows 2000 Active Directory user database in addition to the CiscoSecure user database, follow these steps:
Result: The Yes, refer to "Grant dialin permission to user" setting check box becomes available.
|
Note The Yes, refer to "Grant dialin permission to user" setting check box applies to all forms of access controlled by Cisco Secure ACS, not just dial-in access. For example, a user accessing your network through a VPN tunnel is not dialing into a network access server; however, if the Yes, refer to "Grant dialin permission to user" setting check box is selected, Cisco Secure ACS applies the user's Windows dial-in permissions to determine whether to grant the user access to your network. |
b. If you want to allow access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, select the Yes, refer to "Grant dialin permission to user" setting check box.
Step 14 Click Next >.
Result: The CiscoSecure ACS Network Access Server Details dialog box appears. The information you provide in this dialog box has two uses:
- The setup program creates the AAA client definition in the Network Configuration section of Cisco Secure ACS.
- If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) in the Authenticate Users Using list, the setup program uses this information in Step 22, in which you can configure a Cisco IOS network device to use this Cisco Secure ACS for AAA services.
|
Note You are not limited to defining a network access server in this dialog box. You can define any network device that can act as a AAA client. |
Step 15 Complete the following items in the CiscoSecure ACS Network Access Server Details dialog box:
- Authenticate Users Using—Select the AAA protocol used by the AAA client you are defining. If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), in Step 22 you can configure the network device specified in this dialog box.
- Access Server Name—Type the name of the AAA client that will use Cisco Secure ACS for AAA services.
- Access Server IP Address—Type the IP address of the AAA client that will use Cisco Secure ACS for AAA services.
- Windows Server IP Address—Type the IP address of the computer you are installing Cisco Secure ACS on.
- TACACS+ or RADIUS Key—Type the shared secret of the AAA client and Cisco Secure ACS. These passwords must be identical to ensure proper function and communication between the AAA client and Cisco Secure ACS. Shared secrets are case sensitive.
Step 16 Click Next >.
Result: The setup program installs Cisco Secure ACS and updates the Windows Registry.
The Advanced Options dialog box lists several features of Cisco Secure ACS that are not enabled by default. For more information about these features, refer to the User Guide for Cisco Secure ACS for Windows Server, version 3.1.
|
Note The listed features appear in the Cisco Secure ACS HTML interface only if you enable them. After installation, you can enable or disable them on the Advanced Options page in the Interface Configuration section. |
Step 17 For each feature you want to enable, select the corresponding check box.
Step 18 Click Next >.
Result: The Active Service Monitoring dialog box appears.
|
Note After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section. |
Step 19 If you want Cisco Secure ACS to monitor user authentication services, select the Enable Log-in Monitoring check box. From the Script to execute list, select the option you want applied in the event of authentication service failure:
Step 20 If you want Cisco Secure ACS to send an e-mail message when service monitoring detects an event, select the Mail Notification check box.
Step 21 Click Next >.
Result: If, in Step 15, you specified TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) as the AAA protocol for your first AAA client, the Network Access Server Configuration dialog box appears.
If, in Step 15, you specified a AAA protocol other than TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), the CiscoSecure ACS Service Initiation dialog box appears.
Step 22 If the Network Access Server Configuration dialog box appears and you want to configure AAA functionality on a Cisco IOS network device, follow these steps:
Result: The Enable Secret Password dialog box appears.
b. In the Enable Secret Password box, type an enable secret password for the Cisco IOS network device.
|
Note You must type the shared secret exactly the same as it is configured on the Cisco IOS device, including whether the characters are uppercase or lowercase. |
Result: The Access Server Configuration dialog box displays information about configuring a Cisco IOS network device.
Result: The NAS Configuration dialog box displays the minimum Cisco IOS configuration needed for the network device you specified in Step 15. The minimum configuration includes information you provided during the installation, including the IP address of the computer running Cisco Secure ACS, the TACACS+ or RADIUS key, and the enable secret password.
|
Note When using the Cisco IOS aaa new-model command, always provide for a local login method. This guards against the slight risk of being locked out of a Cisco IOS device should the administrative Telnet session fail while you are in the process of enabling a new AAA paradigm. For more information about the Cisco IOS aaa command, refer to Cisco IOS documentation. |
|
Note Especially if you intend to implement the minimum configuration provided by the setup program, we recommend that you print the configuration now. |
Result: The setup program uses the server's default printer to print the configuration.
Result: The setup program opens a Telnet window. You can log in to the Cisco IOS device and update the device configuration, as applicable. The setup program copies the minimum configuration it provides to the Windows clipboard. If you want to use the minimum configuration, you can paste it in the Telnet window after you have entered the applicable configuration mode.
Result: The CiscoSecure ACS Service Initiation dialog box appears.
Step 23 If the Network Access Server Configuration dialog box appears and you want to skip configuring a Cisco IOS network device, clear the Yes, I want to configure Cisco IOS software now check box, and then click Next >.
Result: The CiscoSecure ACS Service Initiation dialog box appears.
Step 24 For each option you want, select the corresponding check box. The actions associated with each option occur after the setup program finishes.
- Yes, I want to start the CiscoSecure ACS Service now—Starts the Windows services that compose Cisco Secure ACS. If you do not select this option, the Cisco Secure ACS HTML interface is not available unless you reboot the server or start the CSAdmin service.
- Yes, I want Setup to launch the CiscoSecure ACS Administrator from my browser following installation—Opens the Cisco Secure ACS HTML interface in the default web browser for the current Windows user account.
- Yes, I want to view the Readme file—Opens the
README.TXTfile in Windows Notepad.
Step 25 Click Next >.
Result: If you so chose, the Cisco Secure ACS services start. The Setup Complete dialog box displays information about the Cisco Secure ACS HTML interface.
Step 26 Click Finish.
Result: The setup program exits. If, in Step 24, you chose the options to view the HTML interface or README.TXT file, those options occur now.
On the computer running Cisco Secure ACS, you can access the Cisco Secure ACS HTML interface using the ACS Admin desktop icon or you can use the following URL in a supported web browser:
|
Note The Cisco Secure ACS HTML interface is available only if you chose to start Cisco Secure ACS services in Step 24. If you did not, to make the HTML interface available, you can either reboot the server or type net start csadmin at a DOS prompt. |
Step 27 If you have installed Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
|
Note If you previously configured Cisco Secure ACS services to run using a specific username, that configuration was lost during the reinstallation. For more information, see Windows Authentication from a Member Server. |
Windows Authentication from a Member Server
Cisco Secure ACS can authenticate users against both types of Windows domain user databases: Security Accounts Manager (SAM) user databases and Active Directory user databases. For either type of Windows domain user database, Cisco Secure ACS submits authentication requests to the Windows operating system of the server on which Cisco Secure ACS is installed. If you have installed Cisco Secure ACS on a member server and you plan to use a Windows domain user database to authenticate users, you must perform additional Windows configuration to ensure that Windows permits authentication to occur from the member server. To do so, complete the steps in the following procedures:
Verifying Domain Membership
One common configuration error that prevents Windows authentication is the erroneous assignment of the member server to a workgroup with the same name as the Windows domain that you want to use to authenticate users. While this may seem obvious, we recommend that you verify that the computer running Cisco Secure ACS is a member server of the correct domain.
To verify domain membership for your Cisco Secure ACS computer, follow these steps:
Step 1 From the Windows desktop of the server running Cisco Secure ACS, right-click My Computer and from the shortcut menu select Properties.
Result: The System Properties panel appears.
Step 2 Select the Network Identification tab.
Step 3 Verify that the Domain box displays the name of the domain that the computer running Cisco Secure ACS should be a member of.
|
Note If the Workgroup box appears instead of the Domain box, the member server is not a member of a domain. |
Step 4 If the computer running Cisco Secure ACS is not a member of the correct domain, change the server identification, as applicable.
Configuring Cisco Secure ACS Services
If you have installed Cisco Secure ACS on a member server, the member server must pass Windows authentication requests to a domain controller. For these requests to succeed, the member server must submit them using a user account that has certain security privileges enabled on the member server.
|
Note If you use Active Directory to authenticate users, determine whether Active Directory is configured to use Pre-Windows 2000 Compatible Mode. If all Active Directory trees containing users that will be authenticated by Cisco Secure ACS are configured to use this mode, the steps in this procedure are not required. |
If you have upgraded or reinstalled Cisco Secure ACS and you completed this procedure previously, Step 1 through Step 6 apply to you only if you want to use a different user account to run Cisco Secure ACS services.
To configure Cisco Secure ACS services, follow these steps:
Step 1 In the domain that the computer running Cisco Secure ACS is a member of, create a domain user account. This is the user account that you will use to run Cisco Secure ACS services. To determine which domain the computer running Cisco Secure ACS belongs to, see Verifying Domain Membership.
 |
Tip Give the user account an easily recognizable name, like "CSACS". If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems related to failed Cisco Secure ACS authentication attempts. |
Step 2 Using the local administrator account, log in to the computer running Cisco Secure ACS.
Step 3 Add the user account you created in Step 1 to the local Administrators group. To do so, follow these steps:
|
Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Computer Management. |
Result: The Computer Management window appears.
|
Tip If Local Groups and Users does not appear under the Tree tab, double-click System Tools. |
Result: The Name column lists the local groups available on the computer running Cisco Secure ACS.
Result: The Administrators Properties dialog box appears.
Result: The Select Users or Groups dialog box appears.
|
Note The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS". |
Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running Cisco Secure ACS should not have permission to access user account information on the domain controller.
|
Note The username provided must exist in the domain specified in Step e. For example, if the domain specified is "CORPORATE" and "echamberlain" is a valid user in that domain, type "CORPORATE\echamberlain". |
Result: Windows verifies the existence of the username provided in Step e. The Enter Network Password dialog box closes.
Result: The Select Users or Groups dialog box closes.
Windows adds the username to the Members list on the Administrators Properties dialog box.
Result: The Administrators Properties dialog box closes.
Result: The user account you created in step 1 is assigned to the local Administrators group.
Step 4 Choose Start > Settings > Control Panel > Administrative Tools > Local Security Policy
|
Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Local Security Policy. |
Result: The Local Security Settings window appears.
Step 5 In the Name column, double-click Local Policies, and then double-click User Rights Assignment.
Result: The Local Security Settings window displays a list of policies with their associated settings. The two policies that you must configure are:
Step 6 For the Act as part of the operating system policy and again for the Log on as a service policy, follow these steps:
Result: The Local Policy Setting dialog box appears.
Result: The Select Users or Groups dialog box appears.
|
Note The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS". |
Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running Cisco Secure ACS should not have permission to access user account information on the domain controller.
|
Note The username provided must exist in the domain specified in Step c. For example, if the domain specified is "CORPORATE" and "echamberlain" is a valid user in that domain, type "CORPORATE\echamberlain". |
Result: Windows verifies the existence of the username provided in Step c. The Enter Network Password dialog box closes.
Result: The Select Users or Groups dialog box closes.
Windows adds the username to the Assign To list in the Local Policy Setting dialog box.
Result: The Local Policy Setting dialog box closes. The domain-qualified username specified in Step c appears in the settings associated with the policy you have configured.
j. Verify that the username specified in Step c appears in the Local Setting column for the policy you modified. If it does not, repeat these steps.
|
Tip To see the username you added, you may have to widen the Local Setting column. |
|
Note The Effective Setting column does not dynamically update. This procedure includes later verification steps for ensuring that the Effective Setting column contains the required information. |
Result: After you have configured both the Act as part of the operating system policy and the Log on as a service policy, the user account created in Step 1 appears in the Local Setting column for the policy you configured.
Step 7 Verify that the security policy settings you changed are in effect on the computer running Cisco Secure ACS. To do so, follow these steps:
Result: The window closes. This is the only way to refresh the information in the Effective Setting column.
b. Open the Local Security Settings window again. To do so, choose Start > Programs > Administrative Tools > Local Security Policy.
c. In the Name column, double-click Local Policies, and then double-click User Rights Assignment.
Result: The Local Security Settings window displays an updated list of policies with their associated settings.
d. For the Act as part of the operating system policy and again for the Log on as a service policy, verify that the username you added to the policy in Step 6 appears in the Effective Setting column.
|
Note If the username you configured the policies to include in Step 6 do not appear in the Effective Setting column for both policies, there may be security policy settings on the domain controller that conflict with the local setting. Resolve the conflict by configuring security policies on the domain controller to allow the local settings to be the effective settings for these two policies. For more information about configuring security policies on the domain controller, see your Microsoft documentation. |
Result: The user account created in Step 1 has the required privileges to run Cisco Secure ACS services and support Windows authentication.
Step 8 Close the Local Security Settings window.
Step 9 Continuing as the local administrator on the computer running Cisco Secure ACS, choose Start > Settings > Control Panel > Administrative Tools > Services.
|
Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Services. |
Result: The Services window displays list of service groups and a list of all registered services for the current group. The list of service groups is labeled Tree. The registered services for the current group appear in the list to the right of the Tree list.
Step 10 In the Tree list, click Services (local).
Step 11 The Windows services installed by Cisco Secure ACS are the following:
For each Cisco Secure ACS service, follow these steps:
a. In the list of services, right-click a Cisco Secure ACS service, and from the shortcut menu, choose Properties.
Result: The Computer Browser Properties (Local Computer) dialog box appears.
c. Select the This account option.
d. In the box next to the This account option, type the username for the account created in Step 1.
|
Note The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS". |
e. In the Password box and in the Confirm Password box, type the password for the user account created in Step 1.
Result: All Cisco Secure ACS services are configured to run using the privileges of the user account created in Step 1.
Step 12 Restart all Cisco Secure ACS services. To do so, follow these steps:
a. Log in to the Cisco Secure ACS HTML interface.
b. Click System Configuration, click Service Control, and then, at the bottom of the browser window, click Restart.
Result: With the exception of CSAdmin, Cisco Secure ACS services restart.
c. Wait until Cisco Secure ACS finishes restarting services. This usually takes a minute or two.
d. Continuing as the local administrator on the computer running Cisco Secure ACS, choose Start > Programs Administrative Tools > Services.
Result: The CSAdmin Properties dialog box appears.
f. Click Stop and wait for the Service Control dialog box to close.
g. Click Start and wait for the Service Control dialog box to close.
Result: The CSAdmin Properties dialog box closes.
Result: The Cisco Secure ACS services run using the privileges of the user account created in Step 1.
Additional Installation Information
This section contains information about additional configuration that your installation may require or about unusual installation situations that can occur. It contains the following topics:
Upgrading from Windows NT 4.0 to Windows 2000 Server
Cisco Secure ACS version 3.1 runs only on Windows 2000 Server (for operating system requirements, see Third-Party Software Requirements). If you are upgrading from a previous version of Cisco Secure ACS that is running on Windows NT 4.0, you cannot upgrade the operating system to Windows 2000 Server. This is because the setup program for previous versions of Cisco Secure ACS detected which Windows operating system ran on the server and customized Cisco Secure ACS for that operating system. As a result, upgrading the operating system to Windows 2000 Server without taking the necessary steps causes Cisco Secure ACS to fail.
Thus, upgrading the operating system that you use to run Cisco Secure ACS requires a second computer that runs Windows 2000 Server. The following procedure provides steps for upgrading to Windows 2000 Server using a second computer.
In addition to the original computer that runs Cisco Secure ACS using Windows NT 4.0, you must have a computer than runs Windows 2000 Server. The new server should have Windows 2000 Server installed before you begin the following procedure.
After you complete the procedure, you can use the computer that runs Windows 2000 Server as your production Cisco Secure ACS or you can perform additional steps to retain the original Cisco Secure ACS computer as your production Cisco Secure ACS. If you want to use the new Cisco Secure ACS as your production Cisco Secure ACS server, the new computer running Cisco Secure ACS must meet all Cisco Secure ACS system requirements. For more information, see System Requirements.
To upgrade the Cisco Secure ACS operating system to Windows 2000 Server, follow these steps:
Step 1 On the computer running Cisco Secure ACS with Windows NT 4.0, if you are using a version of Cisco Secure ACS before version 3.0, upgrade Cisco Secure ACS to version 3.0. If you do not have an additional license for version 3.0, you can use the trial version, available at http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win. For information about installing Cisco Secure ACS version 3.0, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.
Step 2 On a Windows 2000 server that meets all Cisco Secure ACS system requirements, install Cisco Secure ACS version 3.0. If you do not have an additional license for version 3.0, you can use the trial version, available at http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win. For information about installing Cisco Secure ACS version 3.0, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.
Step 3 Perform database replication from Cisco Secure ACS version 3.0 running on Windows NT 4.0 to Cisco Secure ACS version 3.0 running on Windows 2000 Server. This makes Cisco Secure ACS running with Windows 2000 Server a mirror system of Cisco Secure ACS running with Windows NT 4.0. For more information about database replication, see the Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide.
|
Note Some configuration items are not replicated. These include server certificates and IP pools. For more information, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1. |
Step 4 Prepare to upgrade Cisco Secure ACS running with Windows 2000 Server. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS.
Step 5 On the computer running Cisco Secure ACS version 3.0 with Windows 2000 Server, upgrade to Cisco Secure ACS to version 3.1. For more information, see Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration.
Step 6 If you want to retain the original computer rather than use the new computer that uses Windows 2000 Server, see Retaining the Same Computer after Upgrading to Windows 2000 Server.
Step 7 If you want to use the new computer in place of the original computer, you must change the IP address on the computer running Cisco Secure ACS with Windows 2000 Server to that of the computer running Cisco Secure ACS with Windows NT 4.0.
|
Note If you do not change the IP address of the computer running Cisco Secure ACS with Windows 2000 Server to the address of the computer running Cisco Secure ACS with Windows NT 4.0, you must reconfigure all AAA clients to use the IP address of the computer running Cisco Secure ACS with Windows 2000 Server. |
To change the IP address of the computer running Cisco Secure ACS with Windows 2000 Server, follow these steps:
a. Record the IP address of the computer running Cisco Secure ACS with Windows NT 4.0.
b. Change the IP address of the computer running Cisco Secure ACS with Windows NT 4.0 to a different IP address.
c. Change the IP address of the computer running Cisco Secure ACS with Windows 2000 Server to the IP address previously used by the computer running Cisco Secure ACS with Windows NT 4.0. This is the IP address you recorded in Step a.
d. In the Cisco Secure ACS HTML interface of the computer running Cisco Secure ACS with Windows 2000 Server, change the IP address of Cisco Secure ACS to the IP address previously used by the computer running Cisco Secure ACS with Windows NT 4.0. You can change the IP address of Cisco Secure ACS by editing its entry in the AAA Servers table in Network Configuration. For more information about editing a AAA server, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.
Retaining the Same Computer after Upgrading to Windows 2000 Server
You can continue to use the original computer as a production Cisco Secure ACS after performing the procedure in Upgrading from Windows NT 4.0 to Windows 2000 Server.
To run Cisco Secure ACS on the same computer that you used for earlier releases of Cisco Secure ACS, follow these steps:
Step 1 Complete the procedure in Upgrading from Windows NT 4.0 to Windows 2000 Server.
Result: A computer running Cisco Secure ACS with Windows 2000 Server has all the user, group, and AAA client information from Cisco Secure ACS running on the original computer.
Step 2 On the original computer (the server running Cisco Secure ACS with Windows NT 4.0), uninstall Cisco Secure ACS. If you are prompted to retain the existing database, click Delete Database.
Step 3 Upgrade the operating system of the original computer to a supported Windows 2000 Server operating system. For more information, see System Requirements.
Step 4 Install Cisco Secure ACS version 3.1 on the original computer. For more information, see Creating a Cisco Secure ACS Installation.
Step 5 Perform database replication from Cisco Secure ACS running on the new computer to Cisco Secure ACS running on the original computer. This makes Cisco Secure ACS on the original computer a mirror system of Cisco Secure ACS on the new computer. For more information about database replication, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.
|
Note Some configuration items are not replicated. These include server certificates and IP pools. For more information, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1. |
ODBC Message During Installation
The Cisco Secure ACS setup program tests for the presence and proper functionality of the ODBC components needed by Cisco Secure ACS. If it does not find them, or if they are not functioning properly, a dialog box displays the following message:
Cisco Secure requires an Microsoft Access (Jet) ODBC driver to be
installed on the system in order to work properly. You can install
one by running the Microsoft Data Access Components 2.5 install
located on the CD or download the latest version from Microsoft
at the following location:
http://www.microsoft.com/data/
Please rerun Setup after a Jet driver has been installed.
|
Note If you choose to download the driver from the Microsoft web site, be sure you get and install the Jet driver rather than Microsoft Data Access Components (MDAC) 2.6. While MDAC version 2.5, included on the Cisco Secure ACS CD, does contain the Jet driver; version 2.6, available from the Microsoft web site, does not. The Jet driver must be downloaded separately from MDAC 2.6. |
To resolve the ODBC error message, follow these steps:
Step 1 Click Install MDAC 2.5 From CD.
|
Note If you exit the setup program at this point, you can install the appropriate ODBC driver by running mdac_typ.exe from the Cisco Secure ACS installation CD-ROM. It is located in the support\odbc folder. Otherwise, restart the installation and select Install ODBC rather than exiting the setup program. |
Step 2 Complete ODBC installation.
ODBC is packaged by Microsoft as a subset of Microsoft Data Components. The installation file may thus be called MDAC rather than ODBC.
Step 3 After you finish installing ODBC, restart the Cisco Secure ACS setup program by running setup.exe in the root directory of the Cisco Secure ACS CD.
Abnormal Installation Termination
If the installation of Cisco Secure ACS fails to complete successfully, you receive an error message. Cisco Secure ACS is then partially installed. Before restarting the installation, you must uninstall the unsuccessful Cisco Secure ACS installation.
To recover from an unsuccessful installation, follow these steps:
Step 1 From the Windows desktop, choose Start > Settings > Control Panel, and then click Add/Remove Program.
Step 2 Select CiscoSecure ACS vx.x, where x.x is the version of Cisco Secure ACS currently installed.
Step 3 Click Uninstall.
Step 4 If Uninstall completes successfully, click setup.exe in the root directory of the CD to restart installation of Cisco Secure ACS.
Step 5 If Uninstall fails to complete successfully or if installation still fails, follow these steps:
a. Go to the support\clean directory on the Cisco Secure ACS CD and run clean.exe. This uninstalls Cisco Secure ACS completely and cleans up certain statements from the Windows 2000 Registry that prevent installation of Cisco Secure ACS.
b. When you have finished running clean.exe, reboot the system and run setup.exe from the root directory of the CD to restart installation of Cisco Secure ACS.
Related Documentation
The User Guide for Cisco Secure ACS for Windows Server provides explanations for the features included in Cisco Secure ACS and procedures for configuring Cisco Secure ACS. This document is also available in PDF format on the Cisco Secure ACS product CD.
Installation and User Guide for Cisco Secure ACS User-Changeable Passwords contains information on installing and configuring the web server for use with the optional user-changeable password feature.
Included in the Cisco Secure ACS HTML interface are two sources of information:
You should also read the README.TXT file and any release notes for additional important information.
You should refer to the documentation that came with your AAA clients for more information about those products. You might also want to consult Cisco Systems' Internetworking Terms and Acronyms publication.
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at this URL:
Translated documentation is available at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways:
http://www.cisco.com/public/ordsum.html
http://www.cisco.com/go/subscription
Documentation Feedback
You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:
If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:
Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Cisco TAC inquiries are categorized according to the urgency of the issue:
- Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
- Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
- Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
- Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://www.cisco.com/register/
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.