CiscoSecure 2.0 for Windows User Guide
Step-by-Step Configuration

Table of Contents

Step-by-Step Configuration
User Setup
Group Setup
NAS Configuration
Service Configuration
Token Card Configuration
Administration Control
Reports and Activity
Online Documentation

Step-by-Step Configuration


This chapter describes the basic operation of each of the configuration areas of CiscoSecure ACS 2.0 for Windows NT. It also provides additional information about each function or attribute.


Note      Your browser must be running either Microsoft Internet Explorer 3.02 or Netscape Navigator 3.0. Java functions, both Enable Java and Java Script, must be enabled.


Before completing any of the tasks in this chapter you must have:

  • CiscoSecure ACS 2.0 for Windows NT installed and running
  • Working knowledge of your network browser
  • One or more network access servers (NASes) configured and running

Each of the eight buttons on the navigational bar represents a particular area or function that you can configure. Depending on your configuration, you may not need to configure all eight areas. This chapter has a section for each area of configuration or operation, with step-by-step details of the general operation. Click one of these buttons to begin configuring:

  • User Setup
  • Group Setup
  • NAS Configuration
  • Service Configuration
  • Token Server Configuration
  • Administration Control
  • Reports and Activity
  • Online Documentation

The previous bulleted list follows the order of the buttons in the navigational bar. The order to follow for configuration depends on your preferences and needs. One typical order of configuration is listed below.

1. Administration Control—Configure access for remote administrators.

2. NAS Configuration—Configure and verify connectivity to a NAS.

3. Group Setup—Configure available options and parameters for specific groups. All users must belong to a group.

4. User Setup—Add users to a group that is configured.

5. All other necessary areas.

User Setup

Select User Setup on the navigational bar to perform the following tasks:

  • Add a user to a group
  • Edit a user's account information
  • Delete a user
  • View any users listed in the CiscoSecure Database

Add/Edit User Accounts

To add a user:


Step 1   Click User Setup.

The Select and Help windows appear.


Note The only CiscoSecure account limit is that usernames must be 1 to 32 characters in length.


Step 2   Enter a name in the User field. User account names can be up to 32 characters in length. They must not contain any of the following special characters:

#~^*?,:;|\"

Step 3   Click Add/Edit.

The Edit form appears in the left window. The username being added or edited appears at the top of the window.



Note You can select Account Disabled to deny access for this user. You must click Submit to have this action take effect.


Step 4   Select the Password Authentication type and supply password as required.

  • Windows NT User Database—Authenticates a user from an existing entry in the Windows NT User Database located on the same machine as the CiscoSecure server. There is also an entry in the CiscoSecure Database used for other CiscoSecure services.
  • Token Card Server—Authenticates a user from a specific Token Card server. CiscoSecure acts as a client to the Token Card server.
  • CiscoSecure Database—Authenticates a user from the database maintained by CiscoSecure.
  • Separate (CHAP/ARAP)—Authenticates using a CHAP or ARAP password instead of the password in the CiscoSecure User Database. This adds an additional level of security on top of the CiscoSecure authentication.

Note The Password and Password Confirm fields are required for all authentication methods except the Windows NT User Database.


Step 5   Select a User Group from the group list box—Represents a set of attributes and operations that are applied to all users assigned to the group. The default group is Windows NT Users. Its group number is zero (0).

Step 6   Enter a Static IP Address—An IP address assigned to this specific user. Leave this field blank if the user's IP address is dynamically assigned from an address pool.

Step 7   Enter a CLID address for Authenticate by CLI—An ISDN number, IP address, or X.121 address can be used to identify a user calling into a NAS. This allows a user to be identified by this number instead of a username. Entering an address in this field overrides other caller identification settings when a username is not configured.

Step 8   Enter the address for Remote Address Filter—An address or partial address that is matched against an individual user. This can be any of several types of address, such as an IP address or a telephone number. You can also enter a comma-separated list with wildcards. An asterisk (*) matches any string of characters and a question mark (?) matches any single character. For example:

123*,*456*,789?8,?123*

Step 9   Enter a Callback String—A string, either a number or command string, sent back to a modem to call back a specific user.


Note The dial-up user must be configured with a service that supports callback.


Expiration

Step 10   Enter the expiration information for this user account.

  • Never—Account will never be disabled by CiscoSecure.
  • Disable account if:

Date exceeds—A specific date set to some time in the future.

Failed attempts exceed—Number of unsuccessful attempts to log in to this user's account.

Reset current failed attempts count on submit—Resets the number of failed login attempts to zero for this user. You must reset the failed attempts counter anytime you want it to start tracking failed logins from zero.

Advanced TACACS+ Settings

Step 11   Select TACACS+ Enable Control to use TACACS+ features. This option must be enabled when CiscoSecure is used to manage routers.


Note This setting is TACACS+ specific. It may not be visible to users that are not running TACACS+.


Step 12   Select Max Privilege—A level of access given that authorizes a user to access specific services. Zero (0) is the default privilege and allows view only privilege.


Note This setting is TACACS+ specific. It may not be visible to users that are not running TACACS+.


Step 13   TACACS+ Outbound Password—Enter a password to be used by devices such as routers that request services from the CiscoSecure ACS. This is an advanced feature and should be used only if you are knowledgeable about how TACACS+ uses this function.

Step 14   Click Submit. You are returned to the Select window.

Step 15   Verify that the user was added by entering the username in the User field and clicking Find. The User List should appear with the entry you just submitted.


Note To change a username in the CiscoSecure ACS, you must first delete the user and then add the renamed user.


Deleting User Accounts

To delete a user account from the CiscoSecure Database:


Step 1   Click User Setup.

The Select and Help windows appear.

Step 2   Enter the full name to be deleted in the User field.

Step 3   Click Add/Edit.

Step 4   At the bottom of the Edit window, Click Delete.


Note If you are authenticating against the Windows NT User Database, you must also delete the user account from the Windows NT User Database. This prevents the username from being automatically re-added to the CiscoSecure User Database the next time the user tries to log in.


Group Setup

Select Group Setup on the navigational bar to perform the following tasks:

  • List all Users in Group—Displays all the users listed in the group you selected from the Group list box.
  • Edit Settings—Displays all the settings that you can change for the selected group.
  • Rename Group—Allows you to rename a selected group.

List Users in Group

To list all users in a specified group:


Step 1   Click Group Setup on the navigational bar. The Select and Help windows appear.

Step 2   Select a group from the Group pulldown list.

Step 3   Click Users in Group.

The User List appears in the window to the right. After you select a user, the Edit window appears in the left window with the user's account information. You can view, modify, or delete a user by clicking the user's name in the list.

Edit Group Settings

To assign or edit a group's authorization and authentication settings, follow these steps:


Note      A user is assigned to the default group, Windows NT Users, until the user has been reassigned to another group under User Setup.



Step 1   Click Group Setup. The Select window appears.

Step 2   Select a group from the pulldown list.

Step 3   Click Edit Settings. The Edit window appears.

Step 4   Complete the Group Setup section.

Before you configure Group Setup it is important to understand how this window functions. Group Setup is dynamically built depending on the configuration of your NAS and the security protocols being used. There are six basic sections to Group Setup:

  • General information that applies to both TACACS+ and all instances of RADIUS
  • Token Card Information
  • TACACS+
  • RADIUS (IETF)
  • RADIUS (Cisco Vendor Specific Attribute)
  • RADIUS (Ascend)

The General Information and Token Card Information sections are always displayed. The TACACS+ and RADIUS sections are displayed depending on the configuration of your access device. If one NAS has been configured within CiscoSecure and it is running TACACS+, the only sub-sections displayed are:

  • General information that applies to both TACACS+ and all instances of RADIUS
  • Token Card Information
  • TACACS+

If a second NAS was added that used RADIUS (IETF), these sub-sections are displayed:

  • General information that applies to both TACACS+ and all instances of RADIUS
  • Token Card Information
  • TACACS+
  • RADIUS (IETF)

Note      When RADIUS (Cisco) or RADIUS (Ascend) is selected for a NAS, the RADIUS (IETF) attributes are also available, because they are the base set of attributes used to configure the first 74 attributes of all RADIUS vendors.


The content of each of these sub-sections is dynamic. Only those attributes that are selected from the NAS Configuration under the Protocol Configuration Options section are displayed. This allows you to select and display only those attributes that you want. You can change what is displayed in each of the subsections by selecting a security protocol from the Protocol Configuration Options in the NAS Configuration window.

General Information

This information is applied to all members of a group:

(a). Select Default Time of Day Access Settings—Defines the default times of day during which you want to allow user access for this group. Select Setup Default to activate the time grid (if not enabled, 24-hour, 7-day-a-week access is permitted). Click Clear All to clear all the times, or click Set All to enable all the times. Using the pointer and left mouse button, highlight in green the times of day during which access should be permitted. These settings apply to both TACACS+ and RADIUS.

(b). Select Force Remote Address Filtering—Switches on or off the enforcement of an administrator security policy that requires a filter string to be entered for every user in the group. This prevents users from accidentally being entered without a filter, which helps prevent breaches of security policy. The filter may be defined at the Group or User level. A popular application of the remote address filter is with ISDN: using it requires a user to call from a specific CLID or group of CLIDs. This means the user must pass normal username and password authentication and must also be calling from a predetermined location. This eliminates the need to define the CLIDs on the NAS itself.


Note Select Force Remote Address Filtering and leave the Group Remote Address Filter field blank to force the use of a CLI filter for each user in the group. You would set this CLI filter from User Setup.


(c). Default Remote Address Filter—Defines the strings used as filters. If a match is found, the user's authorizations will be processed. Filters defined here apply to the entire group. A user-level filter can be defined under User Setup and overrides the group setting. The wildcard asterisk (*) is supported at any point in the string (1234*, *1234, 12*34). Furthermore, multiple strings may be entered, separated by commas, making it possible to define an entire group of CLIDs to be used and eliminating the requirement to enter them for each user.
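As an added example (not code from this guide or from CiscoSecure itself), the following Python implements the Remote Address Filter matching described for User Setup (Step 8) and Group Setup (c): comma-separated patterns, `*` for any string, `?` for one character, and a user-level filter overriding the group filter. The behaviour when Force Remote Address Filtering is on but no filter exists at either level is an assumption and is marked as such in the code.

```python
import re


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate one Remote Address Filter string into an anchored regex.

    '*' matches any string of characters (including none) and '?' matches
    any single character, as the guide describes. Every other character is
    literal, so the '.' in an IP address pattern stays a dot.
    """
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$")


def parse_filter(filter_string: str) -> list:
    """Split a comma separated filter into individual patterns, dropping blanks."""
    return [p.strip() for p in filter_string.split(",") if p.strip()]


def address_matches(filter_string: str, remote_address: str) -> bool:
    """True if the calling address matches at least one pattern in the filter."""
    return any(pattern_to_regex(p).match(remote_address) is not None
               for p in parse_filter(filter_string))


def caller_allowed(group_filter: str, user_filter: str,
                   force_filtering: bool, remote_address: str) -> bool:
    """Decide whether a caller's address passes the remote address check.

    Precedence follows the guide: a user-level filter overrides the group
    filter. Assumption (not stated by the guide): with Force Remote Address
    Filtering enabled and no filter at either level the call is refused
    rather than let through unfiltered; with forcing off and no filter,
    no address restriction applies.
    """
    active = user_filter.strip() or group_filter.strip()
    if not active:
        return not force_filtering
    return address_matches(active, remote_address)


# Constructed sample data: the filter string shown in the guide plus callers.
SAMPLE_FILTER = "123*,*456*,789?8,?123*"
SAMPLE_CALLERS = {
    "12399": True,      # matches 123*
    "00456999": True,   # matches *456*
    "78918": True,      # matches 789?8 (exactly one character in the gap)
    "789188": False,    # too long for 789?8, nothing else fits
    "51230": True,      # matches ?123*
    "5550": False,      # no pattern matches
}

if __name__ == "__main__":
    for caller, expected in SAMPLE_CALLERS.items():
        verdict = address_matches(SAMPLE_FILTER, caller)
        print(f"{caller:>10} -> {'permit' if verdict else 'deny'}")
        assert verdict == expected
```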

Token Card Information

(d). Token Card Caching—When using a Security Dynamics Token Card Server and terminal adapters, it is possible to cache the token to support the use of a second B channel without a second token OTP. Caching can be configured on a per-session basis or with a specified duration for which the token is cached.


Note Be sure to understand security ramifications before implementing token caching. This is discussed in some detail in the Overview chapter.


TACACS+

These parameters will only be displayed if a NAS has been configured to use TACACS+. The default service-protocol settings displayed for TACACS+ are:

  • PPP-IP
  • PPP-IPX
  • Shell (Exec)

To display or hide additional services or protocols, see NAS Configuration - Protocol Configuration Options.

(e). Select which services-protocols should be authorized for the group by checking the box next to the protocol-service. Below each service-protocol, select the attributes that further define the authorization for that protocol-service. For access control lists (ACLs) and IP address pools, enter the name of the ACL or pool as defined on the NAS. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.) Leave the field blank if the default (as defined on the NAS) should be used. Information about attributes can be found in the Appendix of these documents or within the NAS documentation.


Note      It is possible to define and download an ACL. Go to the NAS Configuration - Protocol Configuration Options and enable Custom Commands. A field entry box will appear under each service-protocol and an Access Control List can be defined.


When configuring Shell (Exec), it is possible to define which Cisco IOS commands and arguments should be permitted or denied. Click the box to enable the command, enter the name of the command, define its arguments using standard permit or deny syntax, and define whether Unlisted Arguments should be permitted or denied. CiscoSecure supports any number of commands. To add additional entry fields, submit the changes for the first commands and re-enter Group Setup. The submitted commands will appear and additional field entry boxes will become available.
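As an added example (not code from this guide or from CiscoSecure), the following Python models the Shell (Exec) command authorization decision just described: enabled commands, ordered permit/deny argument rules, and the Unlisted Arguments setting. Two points are assumptions rather than statements of the guide: argument rules are regular expressions matched in the order entered, and a command that is not in the list at all is denied.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One enabled command with its argument rules (assumed regex syntax)."""
    command: str
    # ("permit" | "deny", regular expression), in the order the admin entered.
    argument_rules: List[Tuple[str, str]] = field(default_factory=list)
    unlisted_arguments: str = "deny"   # the Unlisted Arguments setting


class ShellCommandSet:
    """Models the per-group Shell (Exec) command list from Group Setup."""

    def __init__(self, rules: List[CommandRule]):
        self.rules: Dict[str, CommandRule] = {r.command: r for r in rules}

    def authorize(self, command_line: str) -> str:
        """Return "permit" or "deny" for one command line the NAS asks about."""
        tokens = command_line.strip().split()
        if not tokens:
            return "deny"
        rule = self.rules.get(tokens[0])
        if rule is None:
            # Assumption: a command not enabled in the list is denied.
            return "deny"
        arguments = " ".join(tokens[1:])
        # Assumption: the first argument rule that matches decides.
        for action, pattern in rule.argument_rules:
            if re.search(pattern, arguments):
                return action
        # Nothing explicit matched, so the Unlisted Arguments setting applies.
        return rule.unlisted_arguments


# Constructed policy for a read-mostly operator group: "show" everything
# except the running configuration, only "configure terminal", any "ping".
OPERATOR_COMMANDS = ShellCommandSet([
    CommandRule("show",
                argument_rules=[("deny", r"^running-config"),
                                ("permit", r".*")],
                unlisted_arguments="deny"),
    CommandRule("configure",
                argument_rules=[("permit", r"^terminal$")],
                unlisted_arguments="deny"),
    CommandRule("ping", unlisted_arguments="permit"),
])


def decide_all(command_set: ShellCommandSet, lines: List[str]) -> Dict[str, str]:
    """Authorize a batch of command lines and return line -> verdict."""
    return {line: command_set.authorize(line) for line in lines}


if __name__ == "__main__":
    sample = ["show interface serial 0", "show running-config",
              "configure terminal", "configure memory",
              "ping 10.0.0.1", "reload"]
    for line, verdict in decide_all(OPERATOR_COMMANDS, sample).items():
        print(f"{verdict:6} {line}")
```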

RADIUS (IETF)

These parameters are displayed only when a NAS has been configured to use RADIUS (IETF). The default attribute settings displayed for RADIUS are:

  • Service-Type
  • Framed-Protocol
  • Framed-IP-Address
  • Framed-IP-Network
  • Framed-Routing
  • Filter-Id
  • Framed-MTU
  • Framed-Compression
  • Login-IP-Host
  • Login-Service
  • Login-TCP-Port
  • Reply-Message
  • Callback-Number
  • Callback-Id
  • Framed-Route
  • Framed-IPX-Network
  • State
  • Class
  • Session-Timeout
  • Idle-Timeout
  • Proxy-State
  • Login-LAT-Service
  • Login-LAT-Node
  • Login-LAT-Group
  • Framed-AppleTalk-Link
  • Framed-AppleTalk-Network
  • Framed-AppleTalk-Zone
  • Port-Limit
  • Login-LAT-Port

 


Note      RADIUS attributes are sent as a profile for each user from the CiscoSecure ACS to the requesting NAS.



Note      To display or hide any of the RADIUS (IETF) attributes, see NAS Configuration.


(f). Select which attributes should be authorized for the group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the entry field next to it. Information about attributes can be found in the appendices of this document or within the NAS documentation.

RADIUS (Cisco)

The RADIUS (IETF) and RADIUS (Cisco) parameters will only be displayed if a NAS has been configured to use RADIUS (Cisco). RADIUS (Cisco) represents the Cisco Vendor Specific Attribute (VSA) IETF #26. Therefore, when configuring RADIUS (Cisco), both IETF and Cisco VSA apply.

The default attribute settings displayed for RADIUS (Cisco) are:

  • Cisco VSAs—These are packed as RADIUS VSAs (Attribute number 26 using Cisco's Vendor ID of 9).

Note To display additional IETF attributes, or hide any of these, see NAS Configuration.


(g). For the IETF attributes, select which attributes should be authorized for the group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the entry field next to it. Information about attributes can be found in the Appendix of these documents or within the NAS documentation.

(h). For the Cisco VSA, enter the commands (such as TACACS+ commands) that should be packed as a RADIUS VSA.
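As an added example (not code from this guide or from CiscoSecure), the following Python shows how a value entered in the Cisco VSA field ends up on the wire: packed as IETF attribute 26 with Vendor ID 9, as the bullet above states. The vendor type 1 (cisco-avpair) and the sample value are assumptions about what a typical entry looks like; the decoder checks every length field so a malformed attribute is rejected rather than misread.

```python
import struct

RADIUS_ATTR_VENDOR_SPECIFIC = 26   # IETF attribute number named in the guide
CISCO_VENDOR_ID = 9                # Cisco's Vendor ID named in the guide
CISCO_AVPAIR = 1                   # Cisco vendor type for cisco-avpair strings
MAX_ATTRIBUTE_LENGTH = 255         # RFC 2865 one-octet Length field limit


def encode_cisco_avpair(value: str) -> bytes:
    """Pack one cisco-avpair string as a RADIUS Vendor-Specific attribute.

    Layout (RFC 2865 section 5.26):
      Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value
    Vendor-Length covers Vendor-Type, Vendor-Length and the value itself.
    """
    data = value.encode("ascii")
    vendor_length = 2 + len(data)
    length = 2 + 4 + vendor_length
    if length > MAX_ATTRIBUTE_LENGTH:
        raise ValueError("cisco-avpair value too long for one attribute")
    header = struct.pack("!BBIBB", RADIUS_ATTR_VENDOR_SPECIFIC, length,
                         CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_length)
    return header + data


def decode_vsa(attribute: bytes):
    """Unpack one Vendor-Specific attribute into (vendor_id, vendor_type, value).

    Every length field is checked against the bytes actually present, so a
    truncated or inconsistent attribute raises ValueError.
    """
    if len(attribute) < 8:
        raise ValueError("attribute too short to be a VSA")
    attr_type, length, vendor_id, vendor_type, vendor_length = struct.unpack(
        "!BBIBB", attribute[:8])
    if attr_type != RADIUS_ATTR_VENDOR_SPECIFIC:
        raise ValueError(f"not a Vendor-Specific attribute (type {attr_type})")
    if length != len(attribute):
        raise ValueError("attribute Length does not match data present")
    if vendor_length != length - 6:
        raise ValueError("Vendor-Length inconsistent with attribute Length")
    return vendor_id, vendor_type, attribute[8:]


def is_valid_vsa(attribute: bytes) -> bool:
    """Convenience wrapper: True if decode_vsa accepts the bytes."""
    try:
        decode_vsa(attribute)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a privilege-level avpair of the kind an administrator
    # would type into the Cisco VSA field of Group Setup.
    packed = encode_cisco_avpair("shell:priv-lvl=15")
    print(packed.hex())
    print(decode_vsa(packed))
```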


Note The RADIUS (IETF) attributes are shared among the different RADIUS vendors. You must configure the first 74 RADIUS attributes using the RADIUS (IETF) dictionary.


RADIUS (Ascend)

The RADIUS (IETF) and RADIUS (Ascend) parameters will only be displayed if a NAS has been configured to use RADIUS (Ascend). RADIUS (Ascend) represents the Ascend proprietary attributes. Therefore, when configuring RADIUS (Ascend), both IETF and Ascend apply (proprietary attributes override IETF when conflicting).

The default attribute setting displayed for RADIUS (Ascend) is:

  • Ascend-Remote-Addr

To display additional RADIUS (IETF) attributes, or hide any of these, see NAS Configuration.

(i). For the IETF attributes, select which attributes should be authorized for the group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the entry field next to it. Information about attributes can be found in the Appendix of these documents or within the NAS documentation.

(j). For the Ascend attributes, select which attributes should be authorized for the group by checking the box next to the attribute. Be sure to further define the authorization for that attribute in the entry field next to it. Information about attributes can be found in the Appendix of these documents or within the NAS documentation.


Note      The RADIUS (IETF) attributes are shared among the different RADIUS vendors. You must configure the first 74 RADIUS attributes using the RADIUS (IETF) dictionary.


Step 5   Click Submit + Restart. The group attributes are applied and services are restarted. The Edit window appears. (Click Submit if you want to save your changes and apply them later by restarting the services.)


Note Restarting the service clears the Logged-in User Report and temporarily interrupts all of the CiscoSecure ACS services.


Step 6   Verify that your changes were applied by selecting the group and clicking Edit Settings. View the settings.

Renaming a Group

To rename a group, follow these steps:


Step 1   Click Group Setup. The Select window appears.

Step 2   Select a group from the pulldown list.

Step 3   Click Rename Group.

Step 4   Enter the new name in the Group field.

Step 5   Click Rename Group. The Select window appears with the new group name selected.


Note      The group remains in the same position in the list box. The number value of the group is still associated with this group name. Some utilities such as the database import utility use the numeric value associated with the group.


NAS Configuration

The NAS you use with the CiscoSecure ACS must be configured and active on the network.


Step 1   Click NAS Configuration.

Step 2   Click the Add New Access Server button. The following window appears.

Step 3   Provide the following information:

(a). Enter the Access Server Hostname.

(b). Enter the Access Server IP address.

(c). Enter the Key value (this is the secret value shared between the NAS and the CiscoSecure ACS).

(d). Select a security protocol from the Authenticate Using list box.

(e). Click Submit + Restart.

You can also configure specific security protocol attributes to be used by CiscoSecure. Click the button for the specific protocol you want to configure. A list of attributes appears.

Attributes marked with an asterisk are configured on the NAS and cannot be changed from the CiscoSecure user interface. Attributes with a checkbox to the left can be activated by checking the box or deactivated by unchecking the box.


Note      You must select attributes from these lists before they are available for use in User Setup or Group Setup. The RADIUS (IETF) attributes are shared among all the RADIUS vendors. You must configure the first 74 RADIUS attributes from RADIUS (IETF).


Edit NAS Configuration

You can edit the configuration of a NAS that is listed in the Select window after clicking NAS Configuration.


Step 1   Click NAS Configuration. The Select window appears.

Existing NASes are listed under Access Server Setup.

Step 2   Click on the name of the NAS you want to edit. The Edit window appears.

Step 3   You can change any of the following information:

Access Server IP Address—IP address of the NAS configured to work with the CiscoSecure ACS.

Key—A shared secret between the NAS and the CiscoSecure ACS for either TACACS+ or RADIUS. The shared secret is case sensitive.

Authenticate Using—Defines the type of security control protocol that is used for communication between the CiscoSecure ACS and NAS.

Step 4   Click Submit + Restart to immediately apply the changes, or click Submit if you want to restart the services and apply the changes later.

Service Configuration

To edit your current CiscoSecure service configuration, click Service Configuration.


Note      When you installed CiscoSecure, you were asked the following questions: if the service should be started, which database to use for authentication, and your network access server configuration. Administration Control should be the only parameter left to set up.


You can:

  • Restart Services—stops and restarts all CiscoSecure services except for CSAdmin. CSAdmin controls the browser and must continue to run.
  • Stop Services—stops all CiscoSecure services except for CSAdmin. CSAdmin controls the browser and must continue to run.
  • Windows NT User Database Setup—sets the option of using the Windows NT Database for user authentication:
    • Check Windows NT User Database for usernames not found in CiscoSecure—select this option to direct a first-time user login to authenticate against the Windows NT User Database when there is no entry in the CiscoSecure Database. Select this option to gradually populate the CiscoSecure User Database as Windows NT users successfully log in.
    • Check Windows NT User Manager (User Properties/Dial-in Information) for the "Grant dial-in permission to user" setting—select this option to allow the Windows NT User Manager to control dial-in access.

Token Card Configuration

Token Card Configuration allows you to specify the type of token card server to be used. You must also specify in User Setup that a Token Card Server is to be used.


Step 1   Click Token Server Configuration. The Token Card Configuration window appears.


Step 2   Click on the button for one of the installed token card servers.

A confirmation window appears.


Note If token card support is disabled, you will need to restart the CSAdmin service to reload the token card DLL.


Token Card Server Setup

Before you start:

  • Make sure you log in to the Windows NT server with administrative privileges.
  • Make sure you have the ACE Client for Windows NT software.

Follow these steps:


Step 1   Run the Setup program of the ACE Client software following the setup instructions. Do not restart your Windows NT server when installation is complete.

Step 2   Open an FTP session with the machine that has the ACE server installed.

Step 3   Locate the ACE Server data directory, for example /sdi/ace/data.

Step 4   Get the file named sdconf.rec and place it in your Windows NT directory %SystemRoot%\system32, for example \winnt\system32.

Step 5   Make sure the ACE server host machine name is in the Windows NT local hosts file, \winnt\system32\drivers\etc\hosts.

Step 6   Restart your Windows NT server.

Step 7   Verify connectivity by running the Test Authentication function of your ACE client application. You can run this from the Control Panel.

You should get a challenge when you run the Test Authentication function. You should now be able to use the ACS for Windows NT with SDI.

Administration Control

You can administer CiscoSecure from any workstation in the network as long as the workstation is running either Microsoft Internet Explorer 3.02 or Netscape Navigator 3.0. The address to enter in the remote administrator's browser is: http://<<Windows NT Server ip-address>>:2002. The port number, 2002, is changed after the initial login of a remote administrator.

Remote administrators can use a firewall-protected dial-in connection, but this is not recommended or supported. Leaving a port open for remote administration could compromise network security.


Note      Browser Configuration—You must enable Java function on your browser. You should have No Proxies enabled.


Adding a Remote Administrator

To enable remote administration from a workstation or remote client:


Step 1   Click Administration Control in the navigational bar.

Step 2   Click Add new administrator.

Step 3   Fill in the following fields:

  • Administrator Name-user identification for the administrator to log into CiscoSecure
  • Password-a password used by the administrator to log in
  • Confirm Password-confirmation of the administrator password

Note This password is for a remote administrator to access the CiscoSecure interface. It has no connection with the user passwords for authentication, authorization, and accounting (AAA) services.


Step 4   Click Submit to save these changes and stop and start the appropriate services.

Administrator Session Control

An administrative login can be terminated by setting the idle timeout. This parameter applies to the browser session only. It does not apply to the dial-in session. The browser connection with CiscoSecure is terminated if there is no activity for the specified period of time.


Step 1   Enter the Session idle timeout (minutes)—Time in minutes that the browser must remain idle before the connection to CiscoSecure is terminated. This terminates the browser connection only.

Step 2   Click Submit Timeout Value—Updates the idle timeout value set in the Session idle timeout field.

Edit Administrator Configuration

You can change an administrator's password or delete an existing administrator.

To change a password:


Step 1   Click Administration Control. The Select window appears.

Step 2   Click an existing administrator name in the list. The Edit window appears.

Step 3   Enter a new password for the selected administrator. You must enter the password twice for confirmation.

Step 4   Click Submit to update the password now.

To delete an administrator:


Step 1   Click Administration Control. The Select window appears.

Step 2   Click an existing administrator name in the list. The Edit window appears.

Step 3   Click Delete. A delete confirmation window appears.

Step 4   Click OK to delete the selected administrator.

Reports and Activity

Click Reports & Activity in the navigational bar to view the following information:

  • TACACS+ Accounting Reports—Lists when sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session.
  • RADIUS Accounting Reports—Lists when sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session.
  • Failed Attempts Report—Lists authentication and authorization failures with an indication of the cause.
  • List Logged in Users—Lists all users currently receiving services for a single NAS or all NASes with access to the CiscoSecure ACS.
  • List Disabled Accounts—Lists all user accounts that are currently disabled.
  • Admin Accounting Reports—Lists configuration commands entered on a TACACS+ (Cisco) NAS.

You can import these files into most database and spreadsheet applications.

Online Documentation

The online documentation provides more detailed information about the configuration, operation, and concepts of CiscoSecure. To view it:


Step 1   Click Online Documentation.

The Table of Contents appears in the left window.

Step 2   Click the topic that you want to appear.

The online documentation appears in the right window.

Step 3   To print the online documentation, click in the right window, then click Print in your browser's navigational bar.


Note      Click More Detailed Information in any `Quick Help...' window to view the online user guide.