Installation Guide for Cisco Secure ACS for Windows Servers 3.1

Table of Contents

Installation Guide for Cisco Secure ACS for Windows Server
Preparation for Installing or Upgrading Cisco Secure ACS
What You Can Do
Creating a Cisco Secure ACS Installation
Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration
Reinstalling or Upgrading Cisco Secure ACS without Preserving Existing Configuration
Windows Authentication from a Member Server
Additional Installation Information
Related Documentation
Obtaining Documentation
Obtaining Technical Assistance

Installation Guide for Cisco Secure ACS for Windows Server


This document provides information about installing, reinstalling, and upgrading to Cisco Secure Access Control Server for Windows Servers Version 3.1 (Cisco Secure ACS). It contains the following sections:

Preparation for Installing or Upgrading Cisco Secure ACS

Before performing an installation or upgrade procedure, read this section and perform the recommended actions. This section includes the following topics:

Cisco Secure ACS System Description

Cisco Secure ACS network security software helps you authenticate users by controlling access to a AAA client—any one of many network devices that can be configured to defer authentication and authorization of network users to a AAA server. Cisco Secure ACS operates as a set of Windows services that control the authentication, authorization, and accounting of users accessing networks.

Cisco Secure ACS operates on Windows 2000 Server. Cisco Secure ACS can run on a domain controller or a member server.


Note   If you install Cisco Secure ACS on a member server and want to authenticate users with a Windows Security Account Manager user database or an Active Directory user database, there is additional Windows configuration required after you have installed Cisco Secure ACS. For more information, see Windows Authentication from a Member Server.

For additional information about Cisco Secure ACS, refer to the User Guide for Cisco Secure ACS for Windows Server, version 3.1.

System Requirements

Your Cisco Secure ACS server must meet the minimum hardware, operating system, and third-party software requirements detailed in the following sections. Additionally, if you are upgrading from a previous version of Cisco Secure ACS, refer to Cisco Secure ACS Upgrade Requirements.

Cisco Secure ACS Upgrade Requirements

We designed the setup program to support upgrades from previous versions of Cisco Secure ACS. For information about the versions of Cisco Secure ACS that we used to test the upgrade process, see the Release Notes. The latest version of the Release Notes is posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.

Hardware Requirements

The computer running Cisco Secure ACS must meet the following minimum hardware requirements:

  • Pentium III processor, 550 MHz or faster
  • 256 MB of RAM
  • At least 250 MB of free disk space. If you are running your database on the same machine, more disk space is required.
  • Minimum graphics resolution of 256 colors at 800 x 600 lines

Operating System Requirements

The server running Cisco Secure ACS should use an English-language version of Windows 2000 Server with Service Pack 3 installed.


Note   Both the operating system and the applicable service pack must be English-language versions.

Windows service packs can be applied either before or after installing Cisco Secure ACS. If you do not install a required service pack before installing Cisco Secure ACS, the Cisco Secure ACS installation program warns you that the required service pack is not present on your server. If you receive a service pack message, continue the installation, and then install the required service pack before starting user authentication with Cisco Secure ACS.


Note   Beginning with Cisco Secure ACS version 3.1, we no longer support running Cisco Secure ACS on a Windows NT 4.0 server. For information about upgrading the operating system of a server running Cisco Secure ACS, see Upgrading from Windows NT 4.0 to Windows 2000 Server.

For the most recent information about tested operating systems and service packs, see the Release Notes. The current version of the Release Notes is posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.

Third-Party Software Requirements


Note   The Release Notes provide information about third-party software products that we tested with Cisco Secure ACS and that we support. Other than the software products described in the Release Notes, we have not tested the interoperability of Cisco Secure ACS and other software products on the same computer. We only support interoperability issues of software products that are mentioned in the Release Notes. The most recent version of the Release Notes is posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.

Your Cisco Secure ACS server must have a compatible browser installed. Cisco Secure ACS has been tested with English-language versions of the following browsers on Microsoft Windows operating systems:

  • Microsoft Internet Explorer Version 5.5 or 6.0
  • Netscape Communicator Version 6.2

Note   To use a web browser to access the Cisco Secure ACS HTML interface, you must enable both Java and JavaScript in the browser. Also, the web browser must not be configured to use a proxy server. For more information about other network environment factors that affect access to the HTML interface, see User Guide for Cisco Secure ACS for Windows Server, version 3.1.

For the latest information about tested browsers and other third-party applications, such as Novell NDS clients and token-card clients, see the Release Notes. The most recent version of the Release Notes is posted on Cisco.com, accessible from the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/index.htm.

Network Requirements

Your network should meet the following requirements before you begin installing Cisco Secure ACS.

  • To have Cisco Secure ACS use the Grant Dial-in Permission to User feature in Windows when authorizing network users, make sure this option is selected in the Windows 2000 Active Directory Users and Computers for the applicable user accounts.
  • For full TACACS+ and RADIUS support on Cisco IOS devices, make sure that your AAA clients are running Cisco IOS Release 11.2 or later.
  • Make sure that any non-Cisco IOS AAA clients can be configured with TACACS+ or RADIUS, or both.
  • Make sure that dial-in, VPN, or wireless clients can successfully connect to the applicable AAA clients.
  • Make sure that the computer running Cisco Secure ACS can ping the AAA clients.
  • Make sure a compatible web browser is installed on the computer running Cisco Secure ACS. For more information, see Third-Party Software Requirements.
  • Make sure all network cards in the Cisco Secure ACS server are enabled. If there is a disabled network card on the Cisco Secure ACS server, installing Cisco Secure ACS may proceed slowly due to delays caused by Microsoft CryptoAPI.

Note    We only tested Cisco Secure ACS on servers that have one network interface card.

Back Up Data

Before you install or upgrade Cisco Secure ACS, we strongly recommend that you back up the computer that you will install Cisco Secure ACS on, using a Windows backup utility of your choice. Include the Windows Registry in the backup.

If you are upgrading or reinstalling Cisco Secure ACS, use the Cisco Secure ACS System Backup feature to back up the Cisco Secure ACS configuration and database, and then copy the backup file to a drive other than one local to the Cisco Secure ACS server.


Note   Using the ACS Backup feature temporarily stops Cisco Secure ACS services while the backup is performed.


Caution   If you are upgrading Cisco Secure ACS rather than performing a reinstallation, the backups you create cannot be used after the upgrade is successful. The backups provide for recovery should you need to restore your previous installation of Cisco Secure ACS.

For information about backing up Cisco Secure ACS, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.

Gathering Answers for the Installation Questions

During new installations, or upgrades and reinstallations that do not preserve the existing configuration, the installation process requires specific information about the computer you want to install Cisco Secure ACS on and a AAA client on your network. To facilitate the installation process, collect the applicable information before beginning the installation procedure.


Note   If you are upgrading or reinstalling Cisco Secure ACS and intend to keep the existing configuration and database, you need not perform the following procedure. The information it requires is already recorded in your Cisco Secure ACS installation.

To collect information that is required during the installation of Cisco Secure ACS, follow these steps:


Step 1   Determine whether the computer that you will install Cisco Secure ACS on is a domain controller or a member server. If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you install Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.

Step 2   For the first AAA client that you want to configure to use Cisco Secure ACS AAA services, determine which AAA protocol and vendor-specific attribute you want to implement:

  • TACACS+ (Cisco IOS)
  • RADIUS (Cisco Aironet)
  • RADIUS (Cisco BBSM)
  • RADIUS (Cisco IOS/PIX)
  • RADIUS (Cisco VPN 3000)
  • RADIUS (Cisco VPN 5000)
  • RADIUS (IETF)
  • RADIUS (Ascend)
  • RADIUS (Juniper)
  • RADIUS (Nortel)
  • RADIUS (iPass)

Step 3   Record the name of the AAA client.

Step 4   Record the IP address of the AAA client.

Step 5   Record the IP address of the computer that you want to install Cisco Secure ACS on.

Step 6   Record the TACACS+ or RADIUS key (shared secret).





What You Can Do

This document provides detailed procedures for installing, reinstalling and upgrading Cisco Secure ACS. You must select the right procedure for your situation. Table 1 lists the five possible installation and upgrade scenarios. See Table 1 to determine which procedure applies to your situation.


Note   Before performing any installation or upgrade procedure, we strongly recommend that you read Preparation for Installing or Upgrading Cisco Secure ACS, and perform the applicable tasks detailed in that section.

Table 1   Installation and Upgrade Scenarios

| If your installation scenario is a... | Refer to... |
|---|---|
| New installation | "Creating a Cisco Secure ACS Installation" section |
| Reinstallation, preserving the CiscoSecure user database and Cisco Secure ACS configuration | "Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration" section |
| Reinstallation, overwriting the CiscoSecure user database and Cisco Secure ACS configuration | "Reinstalling or Upgrading Cisco Secure ACS without Preserving Existing Configuration" section |
| Upgrade, preserving the CiscoSecure user database and Cisco Secure ACS configuration | "Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration" section |
| Upgrade, overwriting the CiscoSecure user database and Cisco Secure ACS configuration | "Reinstalling or Upgrading Cisco Secure ACS without Preserving Existing Configuration" section |


Creating a Cisco Secure ACS Installation

Use this procedure to install Cisco Secure ACS for the first time.


Note   For information about upgrading or reinstalling an existing Cisco Secure ACS installation, see Table 1.

Before You Begin

For information about what must be completed before installing Cisco Secure ACS, see Preparation for Installing or Upgrading Cisco Secure ACS.

If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you install Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.

To install Cisco Secure ACS, follow these steps:


Step 1   Using the local administrator account, log in to the computer you want to install Cisco Secure ACS on.

Step 2   Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.

Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears.


Note    If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.

Step 3   Do one of the following:

a. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears, click Install.

b. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box does not appear, run setup.exe, located in the root directory of the Cisco Secure ACS CD.


Note    If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.

Result: The CiscoSecure ACS Setup dialog box displays the software license agreement.

Step 4   Read the software license agreement. If you accept the software license agreement, click ACCEPT.

Result: The Welcome dialog box displays basic information about the setup program.

Step 5   After you have read the information in the Welcome dialog box, click Next >.

Result: The Before You Begin dialog box lists items that you must complete before continuing with the installation. These are the same items discussed in Gathering Answers for the Installation Questions.

Step 6   If you have completed all items listed in the Before You Begin dialog box, select the corresponding check box for each item, and then click Next >.


Note    If you have not completed all items listed in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items listed in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS.

Result: The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path at which the setup program installs Cisco Secure ACS.

Step 7   To change the installation location, follow these steps:

a. Click Browse.

Result: The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can either type the new location in the Path box or you can use the Drives and Directories lists to select a new drive and directory.


Note    The installation location must be on a drive local to the computer.

c. Click OK.


Note    If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.

Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 8   Click Next >.

Result: The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the CiscoSecure user database only, or with a Windows NT/2000 user database also.


Note    After you have installed Cisco Secure ACS, you can configure authentication support for all external user database types in addition to Windows NT/2000 user databases.

Step 9   If you want to authenticate users with the CiscoSecure user database only, select the Check the CiscoSecure ACS database only option.

Step 10   If you want to authenticate users with a Windows NT/2000 Security Access Manager (SAM) user database or Windows 2000 Active Directory user database in addition to the CiscoSecure user database, follow these steps:

a. Select the Also check the Windows NT/2000 User Database option.

Result: The Yes, refer to "Grant dialin permission to user" setting check box becomes available.


Note    The Yes, refer to "Grant dialin permission to user" setting check box applies to all forms of access controlled by Cisco Secure ACS, not just dial-in access. For example, a user accessing your network through a VPN tunnel is not dialing into a network access server; however, if the Yes, refer to "Grant dialin permission to user" setting check box is selected, Cisco Secure ACS applies the user's Windows dial-in permissions to determine whether to grant the user access to your network.

b. If you want to allow access by users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, select the Yes, refer to "Grant dialin permission to user" setting check box.

Step 11   Click Next >.

Result: The CiscoSecure ACS Network Access Server Details dialog box appears. The information you provide in this dialog box has two uses:

  • The setup program creates the AAA client definition in the Network Configuration section of Cisco Secure ACS.
  • If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) in the Authenticate Users Using list, the setup program uses this information in Step 19, in which you can configure a Cisco IOS network device to use this Cisco Secure ACS for AAA services.

Note    You are not limited to defining a network access server in this dialog box. You can define any network device that can act as a AAA client.

Step 12   Complete the following items in the CiscoSecure ACS Network Access Server Details dialog box:

  • Authenticate Users Using—Select the AAA protocol used by the AAA client you are defining. If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), in Step 19 you can configure the network device specified in this dialog box.
  • Access Server Name—Type the name of the AAA client that will use Cisco Secure ACS for AAA services.
  • Access Server IP Address—Type the IP address of the AAA client that will use Cisco Secure ACS for AAA services.
  • Windows Server IP Address—Type the IP address of the computer that you are installing Cisco Secure ACS on.
  • TACACS+ or RADIUS Key—Type the shared secret of the AAA client and Cisco Secure ACS. To ensure proper function and communication between the AAA client and Cisco Secure ACS, the key must be identical to the AAA client key. Shared secrets are case sensitive.

Step 13   Click Next >.

Result: The setup program installs Cisco Secure ACS and updates the Windows Registry.

The Advanced Options dialog box lists several features of Cisco Secure ACS that are not enabled by default. For more information about these features, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.


Note    The listed features appear in the Cisco Secure ACS HTML interface only if you enable them. After installation, you can enable or disable them on the Advanced Options page in the Interface Configuration section.

Step 14   For each feature you want to enable, select the corresponding check box.

Step 15   Click Next >.

Result: The Active Service Monitoring dialog box appears.


Note    After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section.

Step 16   If you want Cisco Secure ACS to monitor user authentication services, select the Enable Log-in Monitoring check box. From the Script to execute list, select the option you want applied in the event of authentication service failure:

  • No Remedial Action—Cisco Secure ACS does not run a script.

Note    This option is useful if you enable event mail notifications.

  • Reboot—Cisco Secure ACS runs a script that reboots the computer that runs Cisco Secure ACS.
  • Restart All—Cisco Secure ACS restarts all Cisco Secure ACS services.
  • Restart RADIUS/TACACS+—Cisco Secure ACS restarts only the RADIUS and TACACS+ services.

Step 17   If you want Cisco Secure ACS to send an e-mail message when service monitoring detects an event, select the Mail Notification check box.

Step 18   Click Next >.

Result: If, in Step 12, you specified TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) as the AAA protocol for your first AAA client, the Network Access Server Configuration dialog box appears.

If, in Step 12, you specified a AAA protocol other than TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), the CiscoSecure ACS Service Initiation dialog box appears.

Step 19   If the Network Access Server Configuration dialog box appears and you want to configure AAA functionality on a Cisco IOS network device, follow these steps:

a. Select the Yes, I want to configure Cisco IOS software now check box and click Next >.

Result: The Enable Secret Password dialog box appears.

b. In the Enable Secret Password box, type an enable secret password for the Cisco IOS network device.


Note    You must type the shared secret exactly the same as it is configured on the Cisco IOS device, including whether the characters are uppercase or lowercase.

c. Click Next >.

Result: The Access Server Configuration dialog box displays information about configuring a Cisco IOS network device.

d. After reading the text in the Access Server Configuration dialog box, click Next >.

Result: The NAS Configuration dialog box displays the minimum Cisco IOS configuration needed for the network device you specified in Step 12. The minimum configuration includes information you have provided during installation, including the IP address of the computer you are installing Cisco Secure ACS on, the TACACS+ or RADIUS key, and the enable secret password.


Note    When using the Cisco IOS aaa new-model command, always provide for a local login method. This guards against the slight risk of being locked out of a Cisco IOS device should the administrative Telnet session fail while you are in the process of enabling a new AAA paradigm. For more information about the Cisco IOS aaa command, refer to Cisco IOS documentation.

e. To print the minimum Cisco IOS configuration, click Print.


Note    Especially if you intend to implement the minimum configuration provided by the setup program, we recommend that you print the configuration now.

Result: The setup program prints the configuration using the server's default printer.

f. To telnet to the network device you specified in Step 12, click Telnet Now.

Result: The setup program opens a Telnet window. You can log in to the Cisco IOS device and update the device configuration, as applicable. The setup program copies the minimum configuration it provides to the Windows clipboard. If you want to use the minimum configuration, you can paste it in the Telnet window after you have entered the applicable configuration mode.

g. After you finish with the options in the NAS Configuration dialog box, click Next >.

Result: The CiscoSecure ACS Service Initiation dialog box appears.

h. Proceed to Step 21.

Step 20   If the Network Access Server Configuration dialog box appears and you want to skip configuring a Cisco IOS network device, clear the Yes, I want to configure Cisco IOS software now check box, and then click Next >.

Result: The CiscoSecure ACS Service Initiation dialog box appears.

Step 21   For each option you want, select the corresponding check box. The actions associated with the options occur after the setup program finishes.

  • Yes, I want to start the CiscoSecure ACS Service now—Starts the Windows services that compose Cisco Secure ACS. If you do not select this option, the Cisco Secure ACS HTML interface is not available unless you reboot the server or start the CSAdmin service.
  • Yes, I want Setup to launch the CiscoSecure ACS Administrator from my browser following installation—Opens the Cisco Secure ACS HTML interface in the default web browser for the current Windows user account.
  • Yes, I want to view the Readme file—Opens the README.TXT file in Windows Notepad.

Step 22   Click Next >.

Result: If you so chose, the Cisco Secure ACS services start. The Setup Complete dialog box displays information about the Cisco Secure ACS HTML interface.

Step 23   Click Finish.

Result: The setup program exits. If, in Step 21, you chose the options to view the HTML interface or README.TXT file, those options occur now.

On the computer running Cisco Secure ACS, you can access the Cisco Secure ACS HTML interface using the ACS Admin desktop icon or you can use the following URL in a supported web browser:


Note    The Cisco Secure ACS HTML interface is available only if you chose to start Cisco Secure ACS services in Step 21. If you did not, to make the HTML interface available, you can either reboot the server or type net start csadmin at a DOS prompt.

Step 24   If you have installed Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.
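
The Note in Step 19 advises always providing a local login method when using the Cisco IOS aaa new-model command. The following Python check is an added example, not part of this guide or of the configuration the setup program generates; it reads a candidate IOS configuration and reports login method lists that have no usable local method. The function names, issue labels, sample configurations, addresses, and keys are constructed for illustration.

```python
"""Added example: check an IOS config for the AAA lockout risk (not Cisco code)."""
import re

# Login methods the device can evaluate itself, without reaching a AAA server.
LOCAL_METHODS = {"local", "local-case", "enable", "line"}

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")
USERNAME = re.compile(r"^username \S+ (?:.*\s)?(?:password|secret)\s+\S")
ENABLE = re.compile(r"^enable (?:secret|password)\s+\S")

# Constructed sample: TACACS+ only, so an unreachable server locks everyone out.
RISKY_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
"""

# Constructed sample: TACACS+ first, local user database as fallback.
SAFE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
username localadmin privilege 15 secret EXAMPLE-ONLY
enable secret EXAMPLE-ONLY
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
"""

# Constructed sample: fallbacks are named, but nothing backs them.
HALF_CONFIG = """
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login CONSOLE group radius enable
"""


def parse_methods(tail):
    """Split the method part of a login list; 'group X' counts as one method."""
    tokens, methods = tail.split(), []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa_login(config_text):
    """Return (list_name, issue) pairs for login lists that risk a lockout."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    if "aaa new-model" not in lines:
        return []  # aaa new-model is absent, so there is nothing to audit
    has_user = any(USERNAME.match(ln) for ln in lines)
    has_enable = any(ENABLE.match(ln) for ln in lines)

    findings = []
    for ln in lines:
        m = LOGIN_LIST.match(ln)
        if not m:
            continue
        name, methods = m.group(1), parse_methods(m.group(2))
        local = [x for x in methods if x in LOCAL_METHODS]
        if not local:
            # Only server-based methods (or none): no local login method.
            findings.append((name, "no-local-fallback"))
            continue
        if any(x in ("local", "local-case") for x in local) and not has_user:
            findings.append((name, "local-without-username"))
        if "enable" in local and not has_enable:
            findings.append((name, "enable-without-secret"))
        # "line" relies on per-line passwords, which this check does not inspect.
    return findings


if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG),
                       ("half", HALF_CONFIG)):
        print(label, audit_aaa_login(cfg))
```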





Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration

Use this procedure to reinstall or upgrade Cisco Secure ACS if you want to preserve all existing configuration and database information.


Note   For information about installing Cisco Secure ACS the first time, see Table 1.

Before You Begin

For information about what must be completed before reinstalling or upgrading Cisco Secure ACS, see Preparation for Installing or Upgrading Cisco Secure ACS.

If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you have installed Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.

To reinstall or upgrade Cisco Secure ACS and preserve the existing configuration and CiscoSecure user database, follow these steps:


Step 1   Using the local administrator account, log in to the computer you want to install Cisco Secure ACS on.

Step 2   Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.

Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears.


Note    If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.

Step 3   Do one of the following:

a. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears, click Install.

b. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box does not appear, run setup.exe, located in the root directory of the Cisco Secure ACS CD.


Note    If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.

Result: The CiscoSecure ACS Setup dialog box displays the software license agreement.

Step 4   Read the software license agreement. If you accept the software license agreement, click ACCEPT.

Result: The Welcome dialog box displays basic information about the setup program.

Step 5   After you have read the information in the Welcome dialog box, click Next >.

Result: The Before You Begin dialog box lists items that you must complete before continuing with the installation. These are the same items discussed in Gathering Answers for the Installation Questions.

Step 6   If you have completed all items listed in the Before You Begin dialog box, select the corresponding check box for each item, and then click Next >.


Note    If you have not completed all items listed in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items listed in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS.

Result: The Existing Installation of CiscoSecure ACS vx.x dialog box appears.

Step 7   Select the Yes, import the existing configuration check box.


Warning Be sure that the Yes, import the existing configuration check box is selected, not cleared. If you proceed without selecting the Yes, import the existing configuration check box, the setup program deletes all existing AAA client, user, and group information.

Step 8   Click Next >.

Result: If the previous installation of Cisco Secure ACS has a PassGo (formerly Axent), CRYPTOCard, or Safeword external user database configuration that uses a proprietary client for communication with the applicable token server, the RADIUS Token Server Details dialog box appears. In Cisco Secure ACS 3.1, support for CRYPTOCard, PassGo, and Safeword token servers uses the RADIUS protocol rather than a proprietary client interface. For more information about changes to token server support, refer to the Release Notes for Cisco Secure ACS for Windows Server Version 3.1.

Step 9   If the RADIUS Token Server Details dialog box appears, follow these steps:

a. Complete the following items in the RADIUS Token Server Details dialog box:

  • IP Address—Type the IP address of the RADIUS token server.
  • Port—Type the UDP port number that the RADIUS token server listens to for RADIUS requests.

Note    If the RADIUS token server and Cisco Secure ACS run on the same computer, be sure that the RADIUS token server is configured to listen for RADIUS requests on UDP ports different from the ports that Cisco Secure ACS uses. For more information about changing the UDP ports used by the RADIUS token server, refer to the Release Notes for Cisco Secure ACS for Windows Server Version 3.1.

  • RADIUS Key—Type the shared secret of the RADIUS token server. To ensure proper function and communication between the RADIUS token server and Cisco Secure ACS, the key must be identical to the RADIUS token server key. Shared secrets are case sensitive.

b. Click Next >.

Result: The setup program creates a backup of the existing Cisco Secure ACS configuration and database, and then removes the previous installation.

The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path at which the setup program installs Cisco Secure ACS.

Step 10   To change the installation location, follow these steps:

a. Click Browse.

Result: The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can either type the new location in the Path box or you can use the Drives and Directories lists to select a new drive and directory.


Note    The installation location must be on a drive local to the computer.

c. Click OK.


Note    If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.

Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 11   Click Next >.

Result: The setup program installs Cisco Secure ACS and updates the Windows Registry.

The CiscoSecure ACS Service Initiation dialog box appears.

Step 12   For each option you want, select the corresponding check box. The actions associated with each option occur after the setup program finishes.

  • Yes, I want to start the CiscoSecure ACS Service now—Starts the Windows services that compose Cisco Secure ACS. If you do not select this option, the Cisco Secure ACS HTML interface is not available unless you reboot the server or start the CSAdmin service.
  • Yes, I want Setup to launch the CiscoSecure ACS Administrator from my browser following installation—Opens the Cisco Secure ACS HTML interface in the default web browser for the current Windows user account.
  • Yes, I want to view the Readme file—Opens the README.TXT file in Windows Notepad.

Step 13   Click Next >.

Result: If you so chose, the Cisco Secure ACS services start. The Setup Complete dialog box displays information about the Cisco Secure ACS HTML interface.

Step 14   Click Finish.

Result: The setup program exits. If, in Step 11, you chose the options to view the HTML interface or README.TXT file, those options occur now.

On the computer running Cisco Secure ACS, you can access the Cisco Secure ACS HTML interface using the ACS Admin desktop icon or you can use the following URL in a supported web browser:


Note    The Cisco Secure ACS HTML interface is available only if you chose to start Cisco Secure ACS services in Step 11. If you did not and you want to make the HTML interface available, you can either reboot the server or type net start csadmin at a DOS prompt.

Step 15   If you have installed Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.


Note    If you previously configured Cisco Secure ACS services to run using a specific username, that configuration was lost during the reinstallation. For more information, see Windows Authentication from a Member Server.





Reinstalling or Upgrading Cisco Secure ACS without Preserving Existing Configuration

Use this procedure to reinstall or upgrade Cisco Secure ACS if you do not intend to preserve the existing configuration and database information.


Warning Performing this procedure deletes the existing configuration of Cisco Secure ACS, including all AAA client, user and group information. Unless you have backed up your Cisco Secure ACS data and the Windows Registry, there is no recovery of the previous configuration and database.

Before You Begin

For information about what must be completed before reinstalling or upgrading Cisco Secure ACS, see Preparation for Installing or Upgrading Cisco Secure ACS.

If you are installing Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, be aware that after you have installed Cisco Secure ACS you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.

To reinstall or upgrade Cisco Secure ACS without preserving the existing configuration or CiscoSecure user database, follow these steps:


Step 1   Using the local administrator account, log in to the computer you want to install Cisco Secure ACS on.

Step 2   Insert the Cisco Secure ACS CD into a CD-ROM drive on the computer.

Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears.


Note    If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.

Step 3   Do one of the following:

a. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box appears, click Install.

b. If the Cisco Secure ACS v3.1 for Windows 2000 dialog box does not appear, run setup.exe, located in the root directory of the Cisco Secure ACS CD.


Note    If the computer does not have a required service pack installed, a dialog box appears. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.

Result: The CiscoSecure ACS Setup dialog box displays the software license agreement.

Step 4   Read the software license agreement. If you accept the software license agreement, click ACCEPT.

Result: The Welcome dialog box displays basic information about the setup program.

Step 5   After you have read the information in the Welcome dialog box, click Next >.

Result: The Before You Begin dialog box lists items that you must complete before continuing with the installation. These are the same items discussed in Gathering Answers for the Installation Questions.

Step 6   If you have completed all items listed in the Before You Begin dialog box, select the corresponding check box for each item, and then click Next >.


Note    If you have not completed all items listed in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items listed in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS.

Result: The Existing Installation of CiscoSecure ACS vx.x dialog box appears.

Step 7   Clear the Yes, import the existing configuration check box.


Note    Be sure that the Yes, import the existing configuration check box is cleared, not checked; otherwise, the existing configuration and CiscoSecure user database are preserved.

Step 8   Click Next >.

Result: The setup program removes the previous installation of Cisco Secure ACS.

If Cisco Secure ACS services are running, the CiscoSecure ACS Uninstall dialog box appears.

Step 9   If the CiscoSecure ACS Uninstall dialog box appears, click Continue.

Result: The setup program finishes removing the previous installation of Cisco Secure ACS.

The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path at which the setup program installs Cisco Secure ACS.

Step 10   To change the installation location, follow these steps:

a. Click Browse.

Result: The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can either type the new location in the Path box or you can use the Drives and Directories lists to select a new drive and directory.


Note    The installation location must be on a drive local to the computer.

c. Click OK.


Note    If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.

Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 11   Click Next >.

Result: The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the CiscoSecure user database only, or with a Windows NT/2000 user database also.


Note    After you have installed Cisco Secure ACS, you can configure authentication support for all external user database types in addition to Windows NT/2000 user databases.

Step 12   If you want to authenticate users with the CiscoSecure user database only, select the Check the CiscoSecure ACS database only option.

Step 13   If you want to authenticate users with a Windows NT/2000 Security Access Manager (SAM) user database or Windows 2000 Active Directory user database in addition to the CiscoSecure user database, follow these steps:

a. Select the Also check the Windows NT/2000 User Database option.

Result: The Yes, refer to "Grant dialin permission to user" setting check box becomes available.


Note    The Yes, refer to "Grant dialin permission to user" setting check box applies to all forms of access controlled by Cisco Secure ACS, not just dial-in access. For example, a user accessing your network through a VPN tunnel is not dialing into a network access server; however, if the Yes, refer to "Grant dialin permission to user" setting check box is selected, Cisco Secure ACS applies the user's Windows dial-in permissions to determine whether to grant the user access to your network.

b. If you want to allow access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, select the Yes, refer to "Grant dialin permission to user" setting check box.

Step 14   Click Next >.

Result: The CiscoSecure ACS Network Access Server Details dialog box appears. The information you provide in this dialog box has two uses:

  • The setup program creates the AAA client definition in the Network Configuration section of Cisco Secure ACS.
  • If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) in the Authenticate Users Using list, the setup program uses this information in Step 22, in which you can configure a Cisco IOS network device to use this Cisco Secure ACS for AAA services.

Note    You are not limited to defining a network access server in this dialog box. You can define any network device that can act as a AAA client.

Step 15   Complete the following items in the CiscoSecure ACS Network Access Server Details dialog box:

  • Authenticate Users Using—Select the AAA protocol used by the AAA client you are defining. If you specify TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), in Step 22 you can configure the network device specified in this dialog box.
  • Access Server Name—Type the name of the AAA client that will use Cisco Secure ACS for AAA services.
  • Access Server IP Address—Type the IP address of the AAA client that will use Cisco Secure ACS for AAA services.
  • Windows Server IP Address—Type the IP address of the computer you are installing Cisco Secure ACS on.
  • TACACS+ or RADIUS Key—Type the shared secret of the AAA client and Cisco Secure ACS. These passwords must be identical to ensure proper function and communication between the AAA client and Cisco Secure ACS. Shared secrets are case sensitive.

Step 16   Click Next >.

Result: The setup program installs Cisco Secure ACS and updates the Windows Registry.

The Advanced Options dialog box lists several features of Cisco Secure ACS that are not enabled by default. For more information about these features, refer to the User Guide for Cisco Secure ACS for Windows Server, version 3.1.


Note    The listed features appear in the Cisco Secure ACS HTML interface only if you enable them. After installation, you can enable or disable them on the Advanced Options page in the Interface Configuration section.

Step 17   For each feature you want to enable, select the corresponding check box.

Step 18   Click Next >.

Result: The Active Service Monitoring dialog box appears.


Note    After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section.

Step 19   If you want Cisco Secure ACS to monitor user authentication services, select the Enable Log-in Monitoring check box. From the Script to execute list, select the option you want applied in the event of authentication service failure:

  • No Remedial Action—Cisco Secure ACS does not run a script.

Note    This option is useful if you enable event mail notifications.

  • Reboot—Cisco Secure ACS runs a script that reboots the computer that runs Cisco Secure ACS.
  • Restart All—Cisco Secure ACS restarts all Cisco Secure ACS services.
  • Restart RADIUS/TACACS+—Cisco Secure ACS restarts only the RADIUS and TACACS+ services.

Step 20   If you want Cisco Secure ACS to send an e-mail message when service monitoring detects an event, select the Mail Notification check box.

Step 21   Click Next >.

Result: If, in Step 15, you specified TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX) as the AAA protocol for your first AAA client, the Network Access Server Configuration dialog box appears.

If, in Step 15, you specified a AAA protocol other than TACACS+ (Cisco IOS) or RADIUS (Cisco IOS/PIX), the CiscoSecure ACS Service Initiation dialog box appears.

Step 22   If the Network Access Server Configuration dialog box appears and you want to configure AAA functionality on a Cisco IOS network device, follow these steps:

a. Select the Yes, I want to configure Cisco IOS software now check box and click Next >.

Result: The Enable Secret Password dialog box appears.

b. In the Enable Secret Password box, type an enable secret password for the Cisco IOS network device.


Note    You must type the shared secret exactly the same as it is configured on the Cisco IOS device, including whether the characters are uppercase or lowercase.

c. Click Next >.

Result: The Access Server Configuration dialog box displays information about configuring a Cisco IOS network device.

d. After reading the text in the Access Server Configuration dialog box, click Next >.

Result: The NAS Configuration dialog box displays the minimum Cisco IOS configuration needed for the network device you specified in Step 15. The minimum configuration includes information you provided during the installation, including the IP address of the computer running Cisco Secure ACS, the TACACS+ or RADIUS key, and the enable secret password.


Note    When using the Cisco IOS aaa new-model command, always provide for a local login method. This guards against the slight risk of being locked out of a Cisco IOS device should the administrative Telnet session fail while you are in the process of enabling a new AAA paradigm. For more information about the Cisco IOS aaa command, refer to Cisco IOS documentation.

e. To print the minimum Cisco IOS configuration, click Print.


Note    Especially if you intend to implement the minimum configuration provided by the setup program, we recommend that you print the configuration now.

Result: The setup program uses the server's default printer to print the configuration.

f. To telnet to the network device you specified in Step 15, click Telnet Now.

Result: The setup program opens a Telnet window. You can log in to the Cisco IOS device and update the device configuration, as applicable. The setup program copies the minimum configuration it provides to the Windows clipboard. If you want to use the minimum configuration, you can paste it in the Telnet window after you have entered the applicable configuration mode.

g. After you finish with the options in the NAS Configuration dialog box, click Next >.

Result: The CiscoSecure ACS Service Initiation dialog box appears.

h. Proceed to Step 24.

Step 23   If the Network Access Server Configuration dialog box appears and you want to skip configuring a Cisco IOS network device, clear the Yes, I want to configure Cisco IOS software now check box, and then click Next >.

Result: The CiscoSecure ACS Service Initiation dialog box appears.

Step 24   For each option you want, select the corresponding check box. The actions associated with each option occur after the setup program finishes.

  • Yes, I want to start the CiscoSecure ACS Service now—Starts the Windows services that compose Cisco Secure ACS. If you do not select this option, the Cisco Secure ACS HTML interface is not available unless you reboot the server or start the CSAdmin service.
  • Yes, I want Setup to launch the CiscoSecure ACS Administrator from my browser following installation—Opens the Cisco Secure ACS HTML interface in the default web browser for the current Windows user account.
  • Yes, I want to view the Readme file—Opens the README.TXT file in Windows Notepad.

Step 25   Click Next >.

Result: If you so chose, the Cisco Secure ACS services start. The Setup Complete dialog box displays information about the Cisco Secure ACS HTML interface.

Step 26   Click Finish.

Result: The setup program exits. If, in Step 24, you chose the options to view the HTML interface or README.TXT file, those options occur now.

On the computer running Cisco Secure ACS, you can access the Cisco Secure ACS HTML interface using the ACS Admin desktop icon or you can use the following URL in a supported web browser:


Note    The Cisco Secure ACS HTML interface is available only if you chose to start Cisco Secure ACS services in Step 24. If you did not, to make the HTML interface available, you can either reboot the server or type net start csadmin at a DOS prompt.

Step 27   If you have installed Cisco Secure ACS on a member server and want Cisco Secure ACS to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.


Note    If you previously configured Cisco Secure ACS services to run using a specific username, that configuration was lost during the reinstallation. For more information, see Windows Authentication from a Member Server.
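The RADIUS Key and TACACS+ or RADIUS Key fields in the two procedures above require the secret to match on both sides, including case. The following added example (not Cisco code; the secrets, password and packet values are constructed) follows RFC 2865 to show what a case-only mismatch does in RADIUS: the server recovers the wrong password and the client rejects the reply. It covers RADIUS only, not TACACS+.

```python
"""RADIUS (RFC 2865) use of the shared secret; added illustration, not Cisco code."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding, RFC 2865 section 5.2 (done by the AAA client)."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16 bytes
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = _md5(secret, prev)
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # each block is chained on the previous hidden block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (done by the RADIUS server)."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _md5(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + _md5(header, request_auth, attrs, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply; a failed check means the reply is discarded."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = _md5(packet[:4], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    """Run one exchange with matching secrets and one with a case-only mismatch."""
    server_secret = b"Rad1usKey"          # constructed value configured on the server
    client_typo = b"rad1uskey"            # same key typed with different case
    password = b"correct horse battery"   # constructed, 21 bytes -> two blocks
    request_auth = os.urandom(16)         # Request Authenticator chosen by the client
    results = {}
    for label, client_secret in (("match", server_secret),
                                 ("case_mismatch", client_typo)):
        hidden = hide_password(password, client_secret, request_auth)
        recovered = reveal_password(hidden, server_secret, request_auth)
        reply = build_response(ACCESS_ACCEPT, 7, b"", request_auth, server_secret)
        results[label] = {
            "password_ok": recovered == password,
            "reply_ok": verify_response(reply, request_auth, client_secret),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Neither side can tell a mistyped secret from a forged packet, so a mismatch usually shows up only as failed authentications or timeouts on the AAA client.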





Windows Authentication from a Member Server

Cisco Secure ACS can authenticate users against both types of Windows domain user databases: Security Accounts Manager (SAM) user databases and Active Directory user databases. For either type of Windows domain user database, Cisco Secure ACS submits authentication requests to the Windows operating system of the server on which Cisco Secure ACS is installed. If you have installed Cisco Secure ACS on a member server and you plan to use a Windows domain user database to authenticate users, you must perform additional Windows configuration to ensure that Windows permits authentication to occur from the member server. To do so, complete the steps in the following procedures:

Verifying Domain Membership

One common configuration error that prevents Windows authentication is the erroneous assignment of the member server to a workgroup with the same name as the Windows domain that you want to use to authenticate users. While this may seem obvious, we recommend that you verify that the computer running Cisco Secure ACS is a member server of the correct domain.

To verify domain membership for your Cisco Secure ACS computer, follow these steps:


Step 1   From the Windows desktop of the server running Cisco Secure ACS, right-click My Computer and from the shortcut menu select Properties.

Result: The System Properties panel appears.

Step 2   Select the Network Identification tab.

Step 3   Verify that the Domain box displays the name of the domain that the computer running Cisco Secure ACS should be a member of.


Note    If the Workgroup box appears instead of the Domain box, the member server is not a member of a domain.

Step 4   If the computer running Cisco Secure ACS is not a member of the correct domain, change the server identification, as applicable.





Configuring Cisco Secure ACS Services

If you have installed Cisco Secure ACS on a member server, the member server must pass Windows authentication requests to a domain controller. For these requests to succeed, the member server must submit them using a user account that has certain security privileges enabled on the member server.


Note   If you use Active Directory to authenticate users, determine whether Active Directory is configured to use Pre-Windows 2000 Compatible Mode. If all Active Directory trees containing users that will be authenticated by Cisco Secure ACS are configured to use this mode, the steps in this procedure are not required.

Before You Begin

If you have upgraded or reinstalled Cisco Secure ACS and you completed this procedure previously, Step 1 through Step 6 apply to you only if you want to use a different user account to run Cisco Secure ACS services.

To configure Cisco Secure ACS services, follow these steps:


Step 1   In the domain that the computer running Cisco Secure ACS is a member of, create a domain user account. This is the user account that you will use to run Cisco Secure ACS services. To determine which domain the computer running Cisco Secure ACS belongs to, see Verifying Domain Membership.


Tip Give the user account an easily recognizable name, like "CSACS". If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems related to failed Cisco Secure ACS authentication attempts.

Step 2   Using the local administrator account, log in to the computer running Cisco Secure ACS.

Step 3   Add the user account you created in Step 1 to the local Administrators group. To do so, follow these steps:

a. Choose Start > Settings > Control Panel > Administrative Tools > Computer Management.


Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Computer Management.

Result: The Computer Management window appears.

b. Under the Tree tab, double-click Local Users and Groups, and then click Groups.


Tip If Local Users and Groups does not appear under the Tree tab, double-click System Tools.

Result: The Name column lists the local groups available on the computer running Cisco Secure ACS.

c. Double-click Administrators.

Result: The Administrators Properties dialog box appears.

d. Click Add...

Result: The Select Users or Groups dialog box appears.

e. In the box below the Add button, type the username for the user account you created in Step 1.


Note    The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS".

f. Click Check Names.

Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running Cisco Secure ACS should not have permission to access user account information on the domain controller.

g. In the Connect as box, type a domain-qualified username.


Note    The username provided must exist in the domain specified in Step e. For example, if the domain specified is "CORPORATE" and "echamberlain" is a valid user in that domain, type "CORPORATE\echamberlain".

h. In the Password box, type the password for the user account specified in Step e.

i. Click OK.

Result: Windows verifies the existence of the username provided in Step e. The Enter Network Password dialog box closes.

j. In the Select Users or Groups dialog box, click OK.

Result: The Select Users or Groups dialog box closes.

Windows adds the username to the Members list on the Administrators Properties dialog box.

k. Click OK.

Result: The Administrators Properties dialog box closes.

l. Close the Computer Management window.

Result: The user account you created in Step 1 is assigned to the local Administrators group.

Step 4   Choose Start > Settings > Control Panel > Administrative Tools > Local Security Policy.


Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

Result: The Local Security Settings window appears.

Step 5   In the Name column, double-click Local Policies, and then double-click User Rights Assignment.

Result: The Local Security Settings window displays a list of policies with their associated settings. The two policies that you must configure are:

  • Act as part of the operating system
  • Log on as a service

Step 6   For the Act as part of the operating system policy and again for the Log on as a service policy, follow these steps:

a. Double-click the policy name.

Result: The Local Policy Setting dialog box appears.

b. Click Add...

Result: The Select Users or Groups dialog box appears.

c. In the box below the Add button, type the username for the user account you created in Step 1.


Note    The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS".

d. Click Check Names.

Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running Cisco Secure ACS should not have permission to access user account information on the domain controller.

e. In the Connect as box, type a domain-qualified username.


Note    The username provided must exist in the domain specified in Step c. For example, if the domain specified is "CORPORATE" and "echamberlain" is a valid user in that domain, type "CORPORATE\echamberlain".

f. In the Password box, type the password for the user account specified in Step e.

g. Click OK.

Result: Windows verifies the existence of the username provided in Step c. The Enter Network Password dialog box closes.

h. In the Select Users or Groups dialog box, click OK.

Result: The Select Users or Groups dialog box closes.

Windows adds the username to the Assign To list in the Local Policy Setting dialog box.

i. Click OK.

Result: The Local Policy Setting dialog box closes. The domain-qualified username specified in Step c appears in the settings associated with the policy you have configured.

j. Verify that the username specified in Step c appears in the Local Setting column for the policy you modified. If it does not, repeat these steps.


Tip To see the username you added, you may have to widen the Local Setting column.


Note    The Effective Setting column does not dynamically update. This procedure includes later verification steps for ensuring that the Effective Setting column contains the required information.

Result: After you have configured both the Act as part of the operating system policy and the Log on as a service policy, the user account created in Step 1 appears in the Local Setting column for the policy you configured.

Step 7   Verify that the security policy settings you changed are in effect on the computer running Cisco Secure ACS. To do so, follow these steps:

a. Close the Local Security Settings window.

Result: The window closes. This is the only way to refresh the information in the Effective Setting column.

b. Open the Local Security Settings window again. To do so, choose Start > Programs > Administrative Tools > Local Security Policy.

c. In the Name column, double-click Local Policies, and then double-click User Rights Assignment.

Result: The Local Security Settings window displays an updated list of policies with their associated settings.

d. For the Act as part of the operating system policy and again for the Log on as a service policy, verify that the username you added to the policy in Step 6 appears in the Effective Setting column.


Note    If the username you configured the policies to include in Step 6 does not appear in the Effective Setting column for both policies, there may be security policy settings on the domain controller that conflict with the local setting. Resolve the conflict by configuring security policies on the domain controller to allow the local settings to be the effective settings for these two policies. For more information about configuring security policies on the domain controller, see your Microsoft documentation.

Result: The user account created in Step 1 has the required privileges to run Cisco Secure ACS services and support Windows authentication.

Step 8   Close the Local Security Settings window.

Step 9   Continuing as the local administrator on the computer running Cisco Secure ACS, choose Start > Settings > Control Panel > Administrative Tools > Services.


Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Services.

Result: The Services window displays a list of service groups and a list of all registered services for the current group. The list of service groups is labeled Tree. The registered services for the current group appear in the list to the right of the Tree list.

Step 10   In the Tree list, click Services (local).

Step 11   The Windows services installed by Cisco Secure ACS are the following:

  • CSAdmin
  • CSAuth
  • CSDbSync
  • CSLog
  • CSMon
  • CSRadius
  • CSTacacs

For each Cisco Secure ACS service, follow these steps:

a. In the list of services, right-click a Cisco Secure ACS service, and from the shortcut menu, choose Properties.

Result: The Computer Browser Properties (Local Computer) dialog box appears.

b. Select the Log On tab.

c. Select the This account option.

d. In the box next to the This account option, type the username for the account created in Step 1.


Note    The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS".

e. In the Password box and in the Confirm Password box, type the password for the user account created in Step 1.

f. Click OK.

Result: All Cisco Secure ACS services are configured to run using the privileges of the user account created in Step 1.

Step 12   Restart all Cisco Secure ACS services. To do so, follow these steps:

a. Log in to the Cisco Secure ACS HTML interface.

b. Click System Configuration, click Service Control, and then, at the bottom of the browser window, click Restart.

Result: With the exception of CSAdmin, Cisco Secure ACS services restart.

c. Wait until Cisco Secure ACS finishes restarting services. This usually takes a minute or two.

d. Continuing as the local administrator on the computer running Cisco Secure ACS, choose Start > Programs > Administrative Tools > Services.

e. In the Name column, double-click CSAdmin.

Result: The CSAdmin Properties dialog box appears.

f. Click Stop and wait for the Service Control dialog box to close.

g. Click Start and wait for the Service Control dialog box to close.

h. In the CSAdmin Properties dialog box, click OK.

Result: The CSAdmin Properties dialog box closes.

i. Close the Services window.

Result: The Cisco Secure ACS services run using the privileges of the user account created in Step 1.
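The procedure above ends with two things to confirm: the service account holds both user rights, and all seven Cisco Secure ACS services log on with it. The following added example (not Cisco code) checks both offline. It assumes the user rights were exported to a security-template INF file with a [Privilege Rights] section and that the service logon accounts were captured in the SERVICE_NAME / SERVICE_START_NAME layout printed by sc qc; both sample inputs, including the SID, are constructed.

```python
"""Offline audit of the member-server settings; added illustration, not Cisco code."""

ACS_SERVICES = ("CSAdmin", "CSAuth", "CSDbSync", "CSLog",
                "CSMon", "CSRadius", "CSTacacs")
REQUIRED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeServiceLogonRight": "Log on as a service",
}

# Constructed sample: policy export in which one right lists only a SID.
SAMPLE_POLICY_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = CORPORATE\CSACS
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: service listing in which CSMon was missed in Step 11.
SAMPLE_SERVICE_LISTING = r"""
SERVICE_NAME: CSAdmin
        SERVICE_START_NAME : CORPORATE\CSACS
SERVICE_NAME: CSAuth
        SERVICE_START_NAME : CORPORATE\CSACS
SERVICE_NAME: CSDbSync
        SERVICE_START_NAME : CORPORATE\CSACS
SERVICE_NAME: CSLog
        SERVICE_START_NAME : CORPORATE\CSACS
SERVICE_NAME: CSMon
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: CSRadius
        SERVICE_START_NAME : CORPORATE\CSACS
SERVICE_NAME: CSTacacs
        SERVICE_START_NAME : CORPORATE\CSACS
"""


def parse_privilege_rights(inf_text: str) -> dict:
    """Return {right constant: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights


def parse_service_accounts(listing: str) -> dict:
    """Return {service name: logon account} from the service listing."""
    accounts, current = {}, None
    for raw in listing.splitlines():
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = value
        elif key == "SERVICE_START_NAME" and current:
            accounts[current] = value
    return accounts


def audit(inf_text: str, listing: str, account: str) -> list:
    """List every deviation from the procedure; an empty list means none found."""
    findings, want = [], account.lower()  # Windows account names ignore case
    rights = parse_privilege_rights(inf_text)
    for const, label in REQUIRED_RIGHTS.items():
        holders = rights.get(const, [])
        if want in (h.lower() for h in holders):
            continue
        sids = [h for h in holders if h.startswith("*S-")]
        hint = f"; resolve SID(s) {', '.join(sids)} before concluding" if sids else ""
        findings.append(f"{label} ({const}): {account} not listed by name{hint}")
    accounts = parse_service_accounts(listing)
    for service in ACS_SERVICES:
        actual = accounts.get(service)
        if actual is None:
            findings.append(f"{service}: not found in service listing")
        elif actual.lower() != want:
            findings.append(f"{service}: runs as {actual}, expected {account}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY_INF, SAMPLE_SERVICE_LISTING, r"CORPORATE\CSACS"):
        print("FINDING:", finding)
```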





Additional Installation Information

This section contains information about additional configuration that your installation may require or about unusual installation situations that can occur. It contains the following topics:

Upgrading from Windows NT 4.0 to Windows 2000 Server

Cisco Secure ACS version 3.1 runs only on Windows 2000 Server (for operating system requirements, see Third-Party Software Requirements). If you are upgrading from a previous version of Cisco Secure ACS that is running on Windows NT 4.0, you cannot upgrade the operating system to Windows 2000 Server. This is because the setup program for previous versions of Cisco Secure ACS detected which Windows operating system ran on the server and customized Cisco Secure ACS for that operating system. As a result, upgrading the operating system to Windows 2000 Server without taking the necessary steps causes Cisco Secure ACS to fail.

Thus, upgrading the operating system that you use to run Cisco Secure ACS requires a second computer that runs Windows 2000 Server. The following procedure provides steps for upgrading to Windows 2000 Server using a second computer.

Before You Begin

In addition to the original computer that runs Cisco Secure ACS using Windows NT 4.0, you must have a computer that runs Windows 2000 Server. The new server should have Windows 2000 Server installed before you begin the following procedure.

After you complete the procedure, you can use the computer that runs Windows 2000 Server as your production Cisco Secure ACS or you can perform additional steps to retain the original Cisco Secure ACS computer as your production Cisco Secure ACS. If you want to use the new Cisco Secure ACS as your production Cisco Secure ACS server, the new computer running Cisco Secure ACS must meet all Cisco Secure ACS system requirements. For more information, see System Requirements.

To upgrade the Cisco Secure ACS operating system to Windows 2000 Server, follow these steps:


Step 1   On the computer running Cisco Secure ACS with Windows NT 4.0, if you are using a version of Cisco Secure ACS before version 3.0, upgrade Cisco Secure ACS to version 3.0. If you do not have an additional license for version 3.0, you can use the trial version, available at http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win. For information about installing Cisco Secure ACS version 3.0, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

Step 2   On a Windows 2000 server that meets all Cisco Secure ACS system requirements, install Cisco Secure ACS version 3.0. If you do not have an additional license for version 3.0, you can use the trial version, available at http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win. For information about installing Cisco Secure ACS version 3.0, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers.

Step 3   Perform database replication from Cisco Secure ACS version 3.0 running on Windows NT 4.0 to Cisco Secure ACS version 3.0 running on Windows 2000 Server. This makes Cisco Secure ACS running with Windows 2000 Server a mirror system of Cisco Secure ACS running with Windows NT 4.0. For more information about database replication, see the Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide.


Note    Some configuration items are not replicated. These include server certificates and IP pools. For more information, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.

Step 4   Prepare to upgrade Cisco Secure ACS running with Windows 2000 Server. For more information, see Preparation for Installing or Upgrading Cisco Secure ACS.

Step 5   On the computer running Cisco Secure ACS version 3.0 with Windows 2000 Server, upgrade Cisco Secure ACS to version 3.1. For more information, see Reinstalling or Upgrading Cisco Secure ACS and Preserving Existing Configuration.

Step 6   If you want to retain the original computer rather than use the new computer that uses Windows 2000 Server, see Retaining the Same Computer after Upgrading to Windows 2000 Server.

Step 7   If you want to use the new computer in place of the original computer, you must change the IP address on the computer running Cisco Secure ACS with Windows 2000 Server to that of the computer running Cisco Secure ACS with Windows NT 4.0.


Note    If you do not change the IP address of the computer running Cisco Secure ACS with Windows 2000 Server to the address of the computer running Cisco Secure ACS with Windows NT 4.0, you must reconfigure all AAA clients to use the IP address of the computer running Cisco Secure ACS with Windows 2000 Server.

To change the IP address of the computer running Cisco Secure ACS with Windows 2000 Server, follow these steps:

a. Record the IP address of the computer running Cisco Secure ACS with Windows NT 4.0.

b. Change the IP address of the computer running Cisco Secure ACS with Windows NT 4.0 to a different IP address.

c. Change the IP address of the computer running Cisco Secure ACS with Windows 2000 Server to the IP address previously used by the computer running Cisco Secure ACS with Windows NT 4.0. This is the IP address you recorded in Step a.

d. In the Cisco Secure ACS HTML interface of the computer running Cisco Secure ACS with Windows 2000 Server, change the IP address of Cisco Secure ACS to the IP address previously used by the computer running Cisco Secure ACS with Windows NT 4.0. You can change the IP address of Cisco Secure ACS by editing its entry in the AAA Servers table in Network Configuration. For more information about editing a AAA server, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.


Note    Performing Step c does not affect the IP address recorded in the AAA Servers table entry.

e. Reboot the computer running Cisco Secure ACS with Windows 2000 Server.





Retaining the Same Computer after Upgrading to Windows 2000 Server

You can continue to use the original computer as a production Cisco Secure ACS after performing the procedure in Upgrading from Windows NT 4.0 to Windows 2000 Server.

To run Cisco Secure ACS on the same computer that you used for earlier releases of Cisco Secure ACS, follow these steps:


Step 1   Complete the procedure in Upgrading from Windows NT 4.0 to Windows 2000 Server.

Result: A computer running Cisco Secure ACS with Windows 2000 Server has all the user, group, and AAA client information from Cisco Secure ACS running on the original computer.

Step 2   On the original computer (the server running Cisco Secure ACS with Windows NT 4.0), uninstall Cisco Secure ACS. If you are prompted to retain the existing database, click Delete Database.

Step 3   Upgrade the operating system of the original computer to a supported Windows 2000 Server operating system. For more information, see System Requirements.

Step 4   Install Cisco Secure ACS version 3.1 on the original computer. For more information, see Creating a Cisco Secure ACS Installation.

Step 5   Perform database replication from Cisco Secure ACS running on the new computer to Cisco Secure ACS running on the original computer. This makes Cisco Secure ACS on the original computer a mirror system of Cisco Secure ACS on the new computer. For more information about database replication, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.


Note    Some configuration items are not replicated. These include server certificates and IP pools. For more information, see the User Guide for Cisco Secure ACS for Windows Server, version 3.1.





ODBC Message During Installation

The Cisco Secure ACS setup program tests for the presence and proper functionality of the ODBC components needed by Cisco Secure ACS. If it does not find them, or if they are not functioning properly, a dialog box displays the following message:

Setup could not find a suitable ODBC Jet driver.
 
Cisco Secure requires an Microsoft Access (Jet) ODBC driver to be
installed on the system in order to work properly. You can install
one by running the Microsoft Data Access Components 2.5 install
located on the CD or download the latest version from Microsoft
at the following location:
 
   http://www.microsoft.com/data/
 
Please rerun Setup after a Jet driver has been installed.

Note   If you choose to download the driver from the Microsoft web site, be sure you get and install the Jet driver rather than Microsoft Data Access Components (MDAC) 2.6. MDAC version 2.5, included on the Cisco Secure ACS CD, contains the Jet driver; version 2.6, available from the Microsoft web site, does not. The Jet driver must be downloaded separately from MDAC 2.6.

To resolve the ODBC error message, follow these steps:


Step 1   Click Install MDAC 2.5 From CD.


Note    If you exit the setup program at this point, you can install the appropriate ODBC driver by running mdac_typ.exe from the Cisco Secure ACS installation CD-ROM. It is located in the support\odbc folder. Otherwise, restart the installation and select Install ODBC rather than exiting the setup program.

Step 2   Complete ODBC installation.

ODBC is packaged by Microsoft as a subset of Microsoft Data Access Components (MDAC). The installation file may thus be called MDAC rather than ODBC.

Step 3   After you finish installing ODBC, restart the Cisco Secure ACS setup program by running setup.exe in the root directory of the Cisco Secure ACS CD.





Abnormal Installation Termination

If the installation of Cisco Secure ACS fails to complete successfully, you receive an error message. Cisco Secure ACS is then partially installed. Before restarting the installation, you must uninstall the unsuccessful Cisco Secure ACS installation.

To recover from an unsuccessful installation, follow these steps:


Step 1   From the Windows desktop, choose Start > Settings > Control Panel, and then click Add/Remove Programs.

Step 2   Select CiscoSecure ACS vx.x, where x.x is the version of Cisco Secure ACS currently installed.

Step 3   Click Uninstall.

Step 4   If Uninstall completes successfully, click setup.exe in the root directory of the CD to restart installation of Cisco Secure ACS.

Step 5   If Uninstall fails to complete successfully or if installation still fails, follow these steps:

a. Go to the support\clean directory on the Cisco Secure ACS CD and run clean.exe. This uninstalls Cisco Secure ACS completely and cleans up certain statements from the Windows 2000 Registry that prevent installation of Cisco Secure ACS.

b. When you have finished running clean.exe, reboot the system and run setup.exe from the root directory of the CD to restart installation of Cisco Secure ACS.





Related Documentation

The User Guide for Cisco Secure ACS for Windows Server provides explanations for the features included in Cisco Secure ACS and procedures for configuring Cisco Secure ACS. This document is also available in PDF format on the Cisco Secure ACS product CD.

Installation and User Guide for Cisco Secure ACS User-Changeable Passwords contains information on installing and configuring the web server for use with the optional user-changeable password feature.

Included in the Cisco Secure ACS HTML interface are two sources of information:

  • Online Help contains information for each associated page in the Cisco Secure ACS HTML interface.
  • Online Documentation is a complete copy of the User Guide for Cisco Secure ACS for Windows Server, version 3.1.

You should also read the README.TXT file and any release notes for additional important information.

You should refer to the documentation that came with your AAA clients for more information about those products. You might also want to consult Cisco Systems' Internetworking Terms and Acronyms publication.

Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

  • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/public/ordsum.html

  • Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

  • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

  • Streamline business processes and improve productivity
  • Resolve technical issues with online support
  • Download and test software packages
  • Order Cisco learning materials and merchandise
  • Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

  • Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
  • Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
  • Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
  • Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.