CiscoSecure ACS 2.3 for Windows NT Server User Guide - Sample Configurations [Cisco Secure Access Control Server for Windows]

Before you configure CiscoSecure ACS for the first time, make sure you have the required settings for the configuration you want. This chapter outlines the necessary settings for the following sample configurations:

1. Dialup Using the Windows NT User Database with TACACS+

2. Dialup Using the CiscoSecure ACS User Database with TACACS+

3. Dialup Using SDI Token-Card Server with TACACS+

4. Dialup Using NDS with TACACS+

5. ../../../../../../../../../home/home.htm

6. Dialup Using the CiscoSecure ACS User Database with Cisco RADIUS

7. Dialup for an ARAP Client Using the CiscoSecure ACS User Database with TACACS+

8. NAS Management Using the CiscoSecure ACS User Database with TACACS+

9. Password Aging and User-Changeable Passwords Using CiscoSecure ACS with the CiscoSecure Authentication Agent

10. Single Authentication Using CiscoSecure ACS and the CAA

11. Double Authentication Using CiscoSecure ACS and the CAA

12. Authentication Using CiscoSecure ACS and an MCIS LDAP Database

13. PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+

14. VPDN Using the CiscoSecure ACS User Database with TACACS+

15. Virtual Profiles Using the CiscoSecure ACS User Database with TACACS+

Select the configuration that most closely meets your needs.

Note If you are viewing this window as a link from the CiscoSecure ACS main window, click Online Documentation: Sample Configurations to return to this section.

You must configure four components to successfully initiate connectivity and start the CiscoSecure ACS for Windows NT services:

1. Windows NT server—Computer hosting the CiscoSecure ACS software and the Windows NT user database

2. Cisco Secure ACS 2.3 for Windows NT Server—Software that provides centralized network security services

3. NAS—Network access servers, routers, or other devices, such as firewalls, that provide your users with access to specific networks

Note Unless specifically stated otherwise, the term NAS includes access servers, routers, and PIX firewalls.

4. Client—Async or ISDN dialup user applications

Dialup Using the Windows NT User Database with TACACS+

This section presents a typical configuration that can be used in a Windows NT network using only the Windows NT user database to maintain access. This configuration would typically be used in businesses with significant or strategic investment in Windows NT. This configuration makes it possible to:

Control dialup connectivity for the NAS from the Windows NT user manager
Support single login
Authenticate the username against the Windows NT database (PAP or MS-CHAP)

Windows NT Server Configuration

This option requires significant configuration in the Windows NT server environment because it depends heavily on Windows NT management functions. Configure these items in the User Manager on your Windows NT server that is running CiscoSecure ACS. Make sure that:

The dialup user exists in the Windows NT user database
The dialup user's profile does not have change password at next login or disable account enabled
The callback number is not configured
(Optional) To be able to enable or disable user login privileges fromWindows NT, enable Grant dialin permission to user on the dialup menu

CiscoSecure ACS Configuration

Follow these steps in CiscoSecure ACS.

Network Configuration

Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Databases Configuration

If CiscoSecure ACS was originally installed to authenticate usernames against the CiscoSecure ACS database only; you must add a new configuration to allow it to also authenticate against the Windows NT database.

Step 1 Click External User Databases: Database Configuration.

Step 2 Click Windows NT.

Step 3 Click Create a new configuration.

Step 4 Click Submit to accept the default name.

Step 5 Click Configure to allow the additional capability to Grant dialin permission to user. CiscoSecure ACS verifies that dialup permission is granted for the user in the Windows NT user database. Authentication for a user without dialup permission on the Windows NT server fails, even if the user supplies the correct password. If you do not want to use this feature, clear the check box and click Submit.

Step 6 The Unknown User Policy window controls how CiscoSecure ACS handles usernames that are not found in the CiscoSecure ACS user database. Configure this option to ensure that all authentications without usernames in the CiscoSecure ACS user database are checked against the Windows NT database.

If this authentication succeeds, a record is automatically generated in the CiscoSecure ACS Database indicating that the Windows NT database should also be used for password authentication. User records added to the database in this way automatically become members of the selected group.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any Point-to-Point Protocol (PPP), you must also enable PPP LCP.

Step 2 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the applicable number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per-user count in the Group Setup window.

Step 4 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 5 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 6 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 7 To allow Telnet sessions to be run by the client or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

User setup is not necessary; users who successfully authenticate against the Windows NT user database are added to the CiscoSecure ACS user database as members of the default group, Default Group. You can reassign them to another group later.

NAS Configuration

Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. PAP or MS-CHAP can be used when authenticating against Windows NT.

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter the following command under each interface used for dial-in access:

 ppp authentication pap

 ppp authentication MS-CHAP

Client Configuration

The client can be an async or integrated services digital network (ISDN) client. For an ISDN client, be sure it is configured to use PAP or MS-CHAP.

Windows 95 Client Configuration

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the NAS dial number.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click Server Type.

Step 4 For the Type of Dial-Up Server, click PPP.

Step 5 Under Advanced Options, check Log on to Network to log on to the Windows NT domain.

Step 6 Clear the require encrypted password check box.

Step 7 In Server Types: Allowed Network Protocols, click IP and/or IPX.

Step 8 If you are using an IP pool on the NAS (not assigning the IP address at the client), set TCP/IP settings to server assigned IP Address and server assigned name.

Note The NAS must support IP Pools.

Step 9 To set up single login, install the Client for Microsoft Networks under the Network Configuration, and set the Primary Network Logon to Windows Logon.

Step 10 For single login, in the properties for Client for Microsoft Networks, leave Log on to Windows NT Domain disabled, but enter the desired domain in the Windows NT Domain field.

Step 11 When making a connection, enter the same username and password being used for the user account in the Windows NT user database.

Step 12 For single login, in the Connect To dialog box, click save password. Make sure you have the Windows 95 service pack installed so the password is saved. Check with your system administrator to find out if the service pack has been installed.

Tips

Consider the following:

You can leverage all of the benefits of the Windows NT operating system, such as Primary Domain Controller/ Backup Domain Controller database replication and distribution.
Because CHAP passwords cannot be stored in the Windows NT user database, you must use MS-CHAP or PAP as the authentication protocol with this configuration.
To be able to enable or disable user login privileges from within Windows NT, enable Grant dialin permission to user from the dialup menu.

Dialup Using the CiscoSecure ACS User Database with TACACS+

This sample configuration lets you set a higher level of authentication security, such as CHAP, or increase authentication/authorization processing speed. Service providers can use this configuration when transaction speed is critical. Corporations in which the administrator would rather allow a single login to a Windows NT domain than have the added level of security of one-time passwords (OTPs) with CHAP can also use this configuration.

Windows NT Server Configuration

No Windows NT Server configuration is required; users do not need to exist in the Windows NT user database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration

Note If the first NAS into which clients dial was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select the TACACS+ protocol.

Step 7 To allow the Service/Protocol to be configurable for a group, in the Protocol Configuration Options window, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Step 8 Use the User Setup window to add a user.

External User Database Configuration (Optional)

Follow these steps in the External User Databases window:

Step 1 Click Unknown User Policy.

Step 2 Check Fail the attempt.

This sets CiscoSecure ACS to deny authentication unless the user has an active account in the CiscoSecure ACS database.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group, and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 5 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 7 To allow the client to run Telnet sessions or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CiscoSecure Database as the method for password authentication.

Step 3 Enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Note All groups can be renamed, but CiscoSecure ACS tracks all groups by their original number.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter that address in the Static IP Address field.

Step 7 To set expiration conditions for the user, configure them here.

NAS Configuration

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

To allow dial-in access, enter the following command for each interface:

 ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the dial number for the NAS.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click Server Type and select PPP for Type Of Dial-up Server.

Step 4 Under Advanced Options, check Log on to Network to log on to the Windows NT domain.

Step 5 Clear the require encrypted password check box.

Step 6 Under Server Types: allowed network protocols, check IP and/or IPX.

Step 7 If the NAS is using an IP pool rather than assigning the IP address at the client, set the TCP/IP settings to server assigned IP Address and server assigned name.

Step 8 When making a connection, enter the CiscoSecure ACS user database username and password.

Tips

Consider the following:

Because PAP, CHAP, ARAP, and MS-CHAP passwords can be stored in the CiscoSecure ACS user database, this configuration can support PAP, CHAP, ARAP, or MS-CHAP as the authentication protocol. To use PAP authentication, substitute the word PAP in place of CHAP in the NAS configuration example earlier in this section.
Because single login is not available with CHAP, logging in to a Windows NT network requires two steps.

Dialup Using SDI Token-Card Server with TACACS+

Using an SDI ACE server for authentication allows you to increase the level of security while still allowing CiscoSecure ACS to authorize the applicable services after a successful authentication.

Windows NT Server Configuration

Configure these items on the Windows NT Server:

The client software for the SDI ACE Security server must be installed on the same Windows NT server on which CiscoSecure ACS is installed. The ACE Security server can be connected either to the LAN or remotely. To configure the client portion of the SDI software correctly, the SDI ACE Security server configuration file sdiconf.rec must reside in the \Winnt\systems32 directory. Refer to your SDI ACE Security server documentation for installation information.
Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration

Note If the first NAS to which clients dial in was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Database Configuration

To add a new configuration for the external user database, follow these steps:

Step 1 Click External User Databases.

Step 2 Click Database Configuration.

Step 3 Click SDI SecurID Token Card.

Step 4 Click Create New Configuration. Click Submit to accept the default name.

Step 5 Click Configure to configure and enable CiscoSecure ACS to use the external user database to authenticate users.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Group Setup

Follow these steps in Group Setup for the default group:

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4 CiscoSecure ACS can store ISDN passwords to authenticate the second B channel when it is brought into service. Select one of these token-caching methods:

If the second B-channel service goes up and down dynamically, select Session.
If both B channels stay in service, select Duration. Enter the number of minutes for CiscoSecure ACS to cache the password.
Verify that accounting is enabled on the NAS. The configuration file should include the command aaa accounting network start-stop tacacs+.

Step 5 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 6 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 7 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Note To allow the client to run Telnet sessions or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select SDI SecurID Token Card as the method for password authentication.

Step 3 Enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Note All groups can be renamed, but CiscoSecure ACS tracks all groups by their original number.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 7 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. CHAP can be used because the CiscoSecure ACS user database is being used.

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter the one of the following commands under each interface used for dial-in access:

 ppp authentication chap

 ppp authentication pap

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When you make a connection, enter the username and the token one-time password (OTP) using the correct convention to authenticate successfully.

For PAP, enter the following information:
- Enter the username
- Enter the Token card PIN and OTP password
For CHAP, enter the following information:
- username*<token card PIN><OTP> as the username.
  For example, jsmith*1234123456
- Enter the CHAP password
For MS-CHAP, enter the following information:
- username*<token card PIN><OTP> as the username.
  For example, jsmith*1234123456
- Enter the MS-CHAP password.

Tips

Consider the following:

Because PAP, CHAP, and MS-CHAP passwords can be stored in the CiscoSecure ACS user database, this configuration can support PAP, CHAP, or MS-CHAP as the authentication protocol. To use PAP or MS-CHAP authentication, substitute the word PAP or MS-CHAP, respectively, in place of CHAP in the NAS configuration example earlier in this section.
Because single login is not available with token-card authentication, logging in to a Windows NT network requires two steps.

Dialup Using NDS with TACACS+

This configuration presents examples of the information you need to use CiscoSecure ACS with Novell Directory Services (NDS). You can increase the level of security by using NDS for authentication while still allowing CiscoSecure ACS to authorize services after a successful authentication. This section includes examples for a TACACS+ NAS; however, the protocol is transparent to NDS.

Windows NT Server Configuration

Configure these items on the Windows NT Server:

The Novell NetWare requestor software for NDS must be installed on the same Windows NT server on which CiscoSecure ACS is installed. Refer to the NDS documentation for information on proper installation.
Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration

Note If the first NAS to which clients dial in was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Database Configuration

To add a new configuration for the external user database:

Step 1 Click External User Databases.

Step 2 Click Database Configuration.

Step 3 Click NDS Database.

Step 4 Click Create New Configuration. Click Submit to accept the default name.

Step 5 Click Configure to configure and enable CiscoSecure ACS to use the external user database to authenticate users.

Step 6 (Optional) If this is a first-time configuration, click Initial NDS Configuration and enter the following information:

Configuration Name—Any name you want to assign this configuration
Treename—The name of the NDS tree against which to authenticate users
Context List—Comma-separated list of contexts within the tree used to search for user objects

See your Novell documentation for more information on trees and contexts.

Step 7 Click OK.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 2 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group, and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 5 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Note To allow Telnet sessions to be run by the client or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select NDS Database as the method for password authentication.

Step 3 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Note All groups can be renamed, but CiscoSecure ACS tracks all groups by their original number.

Step 4 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 5 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 6 To set expiration conditions for the user, configure them here.

NAS Configuration

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter the following command under each interface used for dial-in access:

 ppp authentication pap

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name server address.

Tips

Consider the following:

With CiscoSecure ACS and NDS, you must use the PAP authentication protocol. To use PAP authentication on the NAS, substitute the word PAP in place of CHAP in the NAS configuration example earlier in this section.
Because single login is not available with NDS authentication, logging in to a Windows NT network requires two steps.

Dialup Using a CRYPTOCard Token-Card Server with TACACS+

This configuration shows how to implement CiscoSecure ACS with the CRYPTOCard token-card server. To increase the level of security by using a token card, you can use the CRYPTOCard server for authentication while still letting CiscoSecure ACS authorize the services after a successful authentication.

Windows NT Server Configuration

Configure these items on the Windows NT Server:

The CRYPTOCard server is embedded within the CiscoSecure ACS software. To configure CRYPTOCard, configure the data files in the CRYPTOAdmin software, which is included on the CiscoSecure ACS CD-ROM. After the data files are configured, place them on the same Windows NT server on which CiscoSecure ACS is installed. Refer to the CRYPTOCard server documentation for information on proper installation.
Users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration

Note If the first NAS to which clients dial in was set up during the installation of CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Database Configuration

To add a new configuration for the external user database:

Step 1 Click External User Databases.

Step 2 Click Database Configuration.

Step 3 Click CRYPTOCard Token Card Configuration to allow CiscoSecure ACS to support the CRYPTOCard token card. Enter CRYPTOCard in the field.

Step 4 In the CRYPTOCard Directory field, enter the full directory path in which the CRYPTOCard files are located. The directory must contain the CRYPTOCard and CCSecret files; otherwise, a configuration error occurs. Click Submit. A window opens that allows you to test your CRYPTOCard token server configuration.

Step 5 (Optional) To verify the configuration of your CRYPTOCard token server, click Test.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Step 2 To add more control for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 1 To use Time-of-Day Access, click Use as Default and click the times and days to grant access. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4 CiscoSecure ACS can store ISDN passwords to authenticate the second B channel when it is brought into service. Select one of these token-caching methods:

If the second B-channel service goes up and down dynamically, select Session.
If both B channels stay in service, select Duration. Enter the number of minutes for CiscoSecure ACS to cache the password.
Verify that accounting is enabled on the NAS. The configuration file should include the command aaa accounting network start-stop tacacs+.

Step 6 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CRYPTOCard Token Card as the method for password authentication.

Step 3 If you are using CHAP authentication, enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Note All groups can be renamed, but CiscoSecure ACS tracks all groups by their original number.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 7 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter the following command under each interface used for dial-in access:

 ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click Server Type and select PPP for the Type of Dial-Up Server.

Step 4 Under Advanced Options, check Log on to Network to log on to the Windows NT domain.

Step 5 Clear the require encrypted password check box.

Step 6 Under Server Types: allowed network protocols, check IP and/or IPX.

Step 7 If the NAS is using an IP pool rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name server address.

Step 8 When making a connection, enter the username and the token OTP using the correct convention to authenticate successfully:

For PAP, enter the following information:
- Username as the username.
For CHAP, enter the following information:
- username*OTP as the username.
  For example, jsmith*1234123456
- CHAP as the password.

Tips

Consider the following:

Because CHAP passwords can be stored in CiscoSecure ACS for token-card support, this configuration can support PAP or CHAP as the authentication protocol. To use PAP authentication on the NAS, substitute the word PAP in place of CHAP in the NAS Configuration example earlier in this section.
Because single login is not available with token-card authentication, login to a Windows NT network requires two steps.

Dialup Using the CiscoSecure ACS User Database with Cisco RADIUS

This dialup configuration can be used by administrators who want to use RADIUS authentication/authorization processing. Administrators who need to support non-Cisco equipment might use RADIUS. CiscoSecure ACS supports Cisco, Internet Engineering Task Force (IETF), Ascend, and RedCreek RADIUS attributes.

Windows NT Server Configuration

No Windows NT server Configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these parameters in CiscoSecure ACS.

Network Configuration

Note If the first NAS into which clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Click RADIUS (Cisco) under the Protocol Configuration Options and make sure the vendor-specific attribute (26) is selected.

Step 7 Click RADIUS (IETF) under the Protocol Configuration Options to select the Protocol to be configurable for a group.

Note The single TCP connection check box does not apply to RADIUS.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the attributes for RADIUS to be configurable for a group, click RADIUS (Cisco).

Group Setup

Configure the following parameters in the Group Setup window for the desired group:

Clients running IP over a PPP connection—Enable attribute 006 and select Framed. Enable attribute 007 and select PPP (async or ISDN).
Clients running Shell (exec) connections (async or ISDN)—Enable attribute 006 and select Login.

If these parameters are not displayed, configure them in the NAS Configuration window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select the CiscoSecure ACS user database as the method for password authentication.

Step 3 Enter and confirm a password in the first set CiscoSecure ACS User Database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 5 To set expiration conditions for the user, configure them here.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using RADIUS. CHAP can be used because the CiscoSecure ACS user database is being used:

 aaa new-model

 aaa authentication login default radius

 aaa authentication ppp default radius

 aaa authorization exec radius

 aaa authorization network radius

 aaa accounting network start-stop radius

 aaa accounting exec start-stop radius

 radius-server host <ip_address>

 radius-server key <key>

 enable secret <password>

 aaa authentication login no_radius enable

 line con 0

 login authentication no_radius

Enter one of the following commands under each interface used for dial-in access:

 ppp authentication chap

 ppp authentication pap

Client Configuration

The client can be an async or ISDN client.

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name server address.

Tips

Consider the following:

RADIUS users can use Cisco RADIUS to enable vendor-specific attributes (VSAs). Use the dialog box to configure Cisco AV pairs and add flexibility to the network.
Because PAP, CHAP and MS-CHAP passwords can be stored in the CiscoSecure ACS user database, you can use either PAP, CHAP, or MS-CHAP as the authentication protocol with this configuration. To use PAP or MS-CHAP authentication, substitute the word PAP or MS-CHAP, respectively, in place of CHAP in the NAS configuration example earlier in this section.
Because single login is not available with CHAP authentication, logging in to a Windows NT network requires two steps.

Dialup for an ARAP Client Using the CiscoSecure ACS User Database with TACACS+

This section provides instructions for configuring a client using ARAP with TACACS+. The necessary (non-AAA) ARAP configuration parameters must already be configured on the NAS.

Note When you use ARAP, the NAS must be running Cisco IOS Release 11.1.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration

Note If the first NAS to which clients dial in was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Step 7 Under the Protocol Configuration Options, click TACACS+ (Cisco) and select the ARAP Protocol.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the applicable number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4 To allow the NAS to support dialup clients, enable ARAP.

Step 5 To allow Telnet sessions to be run by the client or to allow the CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the CiscoSecure ACS from User Setup:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select the CiscoSecure ACS user database as the method for Password authentication, and enter/reconfirm a password in the first set CiscoSecure ACS User Database password fields.

Step 3 Assign the user to a group. You can use Default Group, but it is better to use a different group, such as Group 1.

Step 4 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

 aaa new-model

 aaa authentication arap default tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter the following commands under each line used for dial-in access with ARAP:

 autoselect arap

 arap enable

Client Configuration

The client configured in this example is an Apple Macintosh Power PC running MAC/OS 7.5.5 and using AppleTalk Remote Access V.2.1 software.

Step 1 In the Remote Access Client software, create a new profile.

Step 2 Configure these items in the Connect As section:

Username
Password
Dial number

Step 3 Click Connect to initiate a call.

NAS Management Using the CiscoSecure ACS User Database with TACACS+

This section describes how to enhance security when accessing NAS configuration. Using command authorizations and administrative privilege levels can enhance secure access to the NAS's configuration. IS managers can use this method to control and monitor the administration activity of their NASes.

Windows NT Server Configuration

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in CiscoSecure ACS.

Network Configuration

Note If the first NAS to which clients dial in was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Step 7 If CiscoSecure ACS is configured on the NAS, select single TCP connection to configure it to use this feature.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Group Setup

Follow these steps in Group Setup for the Default Group:

Step 3 To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, enter the appropriate number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 5 Assign the authorization privilege level for the group in the Shell (exec) section.

Step 6 To permit or deny Cisco IOS commands in the CiscoSecure ACS Group Setup, make sure the proper command authorization has been configured on the NAS. (See the section "NAS Configuration.")

Step 7 To permit or deny authorization of any command not specified for the group, click the Permit/Deny button on the Unmatched Cisco IOS Commands section.

Step 8 Select the Command check box and enter the command to authorize in the dialog box. Add the argument(s) of the command to be permitted or denied. For example, for the command show, enter:

 permit running-configuration

 show ip route

 deny interface ethernet 0

Step 9 Click the button to permit or deny all unlisted arguments for the command being configured.

Step 10 To enter another command, click Submit, then click Edit Group Settings. Scroll down and configure another command for authorization until you have entered all your commands. To activate the changes immediately, click Submit and Restart.

User Setup

Follow these steps in the CiscoSecure ACS User Setup window:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CiscoSecure ACS User Database as the method for password authentication.

Step 3 Enter and confirm a password in the first set CiscoSecure ACS User Database password fields.

Step 4 Assign the user to a group. You can use Default Group, but it is better to use a different group, such as Group 1.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. User definition overrides group definition.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 7 To set expiration conditions for the user, configure them here.

Step 8 To authenticate the user by privilege level, in the Advanced TACACS+ Settings window, enable the TACACS+ Enable Control. Enter and confirm the password to be used when accessing enable mode on the NAS.

Note To enable the Advanced TACACS+ Settings, in the Interface Configuration: Advanced Options window, click TACACS+ (Cisco).

Token-Server Configuration

No token-server configuration is required; token card servers are not used in this configuration.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ that can authorize NAS commands and grant privilege-level authentication, if commands are other than 1 and 15 are enabled. CHAP can be used because the CiscoSecure ACS user database is being used:

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authentication enable default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa authorization commands <0-15> tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 aaa accounting commands start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter one of the following commands under each interface used for dial-in access:

 ppp authentication chap

 ppp authentication pap

Client Configuration

The client can be an async or ISDN client or reside on the network.

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When the connection comes up, enter the username and password entered in the CiscoSecure ACS user database.

Tips

Consider the following:

The Admin Accounting Report under the Reports & Activity button in the CiscoSecure ACS HTML interface captures the command activity and logs the information in a comma-separated value (.CSV) file.
By default, privilege levels 1 and 15 are present in the Cisco IOS software. You can define other privilege levels on the NAS to further control authorization.
Because single login is not available with CHAP authentication, login to a Windows NT network requires two steps.

Password Aging and User-Changeable Passwords Using CiscoSecure ACS with the CiscoSecure Authentication Agent

You can use the CiscoSecure Authentication Agent (CAA) with CiscoSecure ACS to notify users to change their passwords before they expire and to allow users to change their own passwords. This feature uses the CAA Messaging Service and the new CiscoSecure Control Message Protocol (CCMP).

Note To use these features over a dialup connection you must be using Release 2.2 or later of CiscoSecure ACS and a Cisco 25XX, 36XX, AS52XX or AS53XX access server running the Cisco IOS image for Release 11.5T or later.

Web Server Configuration

In order to use CAA, you must install and configure a web server. SSL is not required. CAA must be installed on a PC running Windows 95 or Windows NT. See the Web Server Installation for CiscoSecure ACS for Windows NT User-changeable Passwords quick reference card for instructions.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Create or edit a user.

Step 2 Assign a CHAP or PAP password to the user.

Step 3 Map the user to the group that is configured to use password aging.

Note The Account Disable section of User Setup is not the same as password aging. If the password has aged, the account is expired, not disabled; expired accounts are reflected in the Account Disable section.

Group Setup

Follow these steps in the Group Setup window of CiscoSecure ACS:

Step 1 In the Apply age-by-date rules section, enter the number of days for the Active period, Warning period, and Grace period. For an explanation of these options, see the Online Help and "Step-by-Step Configuration for CiscoSecure ACS."

Step 2 In the Apply age-by-uses rules section, select the number of logins after which to issue warning or require changes.

Note If you do not want users to ever be notified, enter -1 in these boxes.

Step 3 To force the user to change the password on the first login after an administrator has changed the password, check the Apply password change rule check box.

Step 4 To issue a greeting or message at each successful login, check the Generate greetings for successful logins check box. This message is displayed in the CAA.

Network Configuration

Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

System Configuration

Follow these steps in the System Configuration window:

Step 1 Click Password Validation. The Password Validation Options window opens.

Step 2 Enter the minimum and maximum length you want to require for the password. The default password length is from 4 through 32 characters.

Step 3 Check one or more of the following check boxes:

Password may not contain the username—Require that the password not contain the entire username within it
Password is different from the previous value—Require that the new password be different from the previous password
Password must be alphanumeric—Require the password to contain both characters and numbers.

Interface Configuration

In the Interface Configuration window click Advanced Options and check the Group-Level Password Aging check box.

Administration Control

If you want the administrator to be able to control the Password Aging options, click Administration Control. In the Administrator Privileges: System Configuration section, check the Password Validation check box.

Reports & Activity

If the password has aged, the account is expired, not disabled; expired accounts are reflected in the Disabled Accounts report. If the user attempts to log in to an expired account, this action is logged in the Failed Attempts report.

Note The Disabled Accounts report in the Reports & Activity window lists both disabled and expired accounts.

NAS Configuration

The following sample configuration can be used for an analog dial-up networking user with a NAS-assigned dynamic IP address. This sample is for a Cisco AS5200 access server using TACACS+. Adjust the sample to match your individual requirements.

Note Statements required or recommended for AAA are in bold type. Statements in italics should be added during the initial NAS configuration. Use the Cisco IOS image for Release 11.5T or later.

The term list-name used below in the command description refers to any character string (a name) used to represent a particular list of authentication method(s) for that login type.

!

 version 11.2

 service timestamps debug datetime msec localtime

 no service password-encryption

 service udp-small-servers

 service tcp-small-servers

!

 hostname 5200

!

 aaa new-model

 aaa authentication login noaaa local

 aaa authentication login logintac tacacs+

 aaa authentication ppp ppptac tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting connection start-stop tacacs+

 aaa accounting update newinfo

 enable password cisco

!

 username juan password 0 cisco

 modem startup-test

 no ip domain-lookup

 isdn switch-type primary-5ess

!

 controller T1 0

 framing esf

 clock source line primary

 linecode b8zs

 pri-group timeslots 1-24

!

 controller T1 1

 shutdown

  framing esf

 clock source line secondary

 linecode b8zs

 pri-group timeslots 1-24

!

 interface Loopback0

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

!

 interface Ethernet0

 ip address 10.4.1.30 255.255.255.0

 no ip route-cache

 no ip mroute-cache

 no mop enabled

!

 interface Serial0

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

 no fair-queue

!

 interface Serial1

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

!

 interface Serial0:23

 ip unnumbered Ethernet0

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 no keepalive

 isdn incoming-voice modem

 peer default ip address pool setup_pool

 dialer idle-timeout 400

 dialer-group 1

 no fair-queue

 ppp multilink

!

 interface Serial1:23

  no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

!

 interface Group-Async1

 ip unnumbered Ethernet0

 ip tcpheader-compression passive

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 async default routing

 async dynamic address

 async mode interactive

 peer default ipaddress pool setup_pool

 ppp authentication pap ppptac

 group-range148

!

!

 interface Dialer0

 no ip address

 no ip route-cache

 no ip mroute-cache

 dialer-group 1

!

 router igrp 1

 redistribute connected

 network 10.0.0.0

!

 no ip classless

 ip route 10.0.0.0 255.0.0.0 Ethernet0

!

 tacacs-server host 10.11.1.16

 tacacs-server timeout 20

 tacacs-server key cisco

!

 line con 0

 exec-timeout 0 0

 password cisco

 logging synchronous

 login authentication noaaa

 line 1 48

 exec-timeout 0 0

 autoselect during-login

 autoselect ppp

 modem Dialin

 transport preferred telnet

 transport input all

 line aux 0

 line vty 0

 exec-timeout 0 0

 password cisco

 login authentication logintac

 length 62

 width 137

 line vty 1 4

 exec-timeout 0 0

 password cisco

 login authentication logintac

!

 scheduler interval 1000

end

 5200 #

Client Configuration

Install the CAA client software using the self-extracting file provided with the CAA software. See the Quick Start Guide for the CiscoSecure Authentication Agent for instructions.

Follow the instructions in the readme file provided with the CAA client software to configure the CAA software.

Configure Dial-Up Networking on the Windows 95 or Windows NT workstation or server from which you will dial in. See your Microsoft documentation for instructions.

Tips

Consider the following:

Test the user using Dial-Up Networking to log in to the NAS. If the configuration is correct, you should see the appropriate aging message.
Make sure the modems, cables, and carrier lines are connected and functioning correctly.
Make sure the CAA is actively running in the background. You should see the CAA icon in the Active Icon tray.
Make sure you are using the correct Cisco IOS software image, 11.5(T). You can also use a later release, as long as it uses watchdog packets and supports the aaa accounting update new info statement.

Single Authentication Using CiscoSecure ACS and the CAA

Single Authentication uses the special Cisco EIOS image release 4.2(13) or later to provide a simple CHAP or PAP authentication. Single Authentication uses Cisco 76x or Cisco 77x routers that are equipped with the special UDP SOHO client packet. Only one PC at a time can communicate through the Cisco 76x/77x device, and only one PC at a time can have a Telnet session or an Active Monitor status into the Cisco 76x/77x device.

Note Users should not be able to define a destination IP address for the NAS automatic login. Do not use Virtual Templates and VPDNs on the same ISDN interface to which the Cisco 76x or Cisco 77x will call. To avoid problems with the token authentication server (TAS) mode, disable the Virtual Templates/VPDN statements.

Windows NT Server Configuration

No special configuration is required for the Windows NT server.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration

Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Group Setup

Create an ISDN small office/home office (SOHO) group.

User Setup

Create a standard ISDN user who will authenticate using a token card database, and/or map the user to the ISDN SOHO group.

Router Configuration

Add the following statements to the SET USER LAN section of the Cisco 76x/77x device's configuration file:

 SET IP ROUTING ON

 SET IP ADDRESS 200.200.200.1

 SET IP NETMASK 255.255.255.0

 SET IP RIP UPDATE PER

Add the following statements to the configuration file to create a host NAS profile:

 SET USER 5200

 SET PROFILE POWERUP ACTIVATE

 SET 1 NUMBER 95552000

 SET 2 NUMBER 95552000

 SET PPP TAS DISTRIBUTED

 SET PPP TAS CLIENT 0.0.0.0

 SET PPP TAS CHAPSECRET LOCAL ON

 SET PPP CLIENTNAME 765

 SET PPP PASSWORD CLIENT ENCRYPTED 121a0c041104

 SET PPP SECRET CLIENT ENCRYPTED 05080f1c2243

 SET PPP PASSWORD HOST ENCRYPTED 101b5a4955

 SET PPP SECRET HOST ENCRYPTED 115c4a5547

 SET IP ROUTING ON

 SET IP ADDRESS 0.0.0.0

 SET IP NETMASK 0.0.0.0

 SET IP ROUTE DEST 0.0.0.0/0 GATEWAY 0.0.0.0 PROPAGATE OFF COST 1

Client Configuration

Configure the CAA for Single Authentication mode. See your CAA documentation for instructions.

Tips

Consider the following:

Ping the NAS from the Cisco 76x/77x device to make sure it is reachable.
Make sure the Cisco 76x/77x device is using Cisco EIOS image 4.2(6) or later.
Make sure that the user is correctly defined within the CiscoSecure database.
Make sure the ISDN connection from the SOHO to the LAN is operating correctly by doing a test call on the Cisco 76x/77x device or a ping test on the Cisco 1xxx device. Use one of the following commands on the Cisco 1xxx device: sh conn (show connection), sh con (show configuration) or sh bri int.
Make sure the CAA is actively running in the background. You should see the CAA icon in the Active Icon tray at the lower right of the screen.
Make sure the NAS is configured correctly and the ISDN connection, carrier ISDN lines, network interface cards (NICs), and cables are connected and operating correctly.

Double Authentication Using CiscoSecure ACS and the CAA

Some token cards require you to use double authentication with an ISDN connection. See your token card documentation to see if your particular card requires this feature.

Double authentication consists of a two-part challenge.

In the first challenge, either CHAP or PAP authenticates the SOHO NAS and allows the NAS to establish the connection to the NAS. PPP then negotiates with the AAA server to authorize the SOHO NAS to access the NAS's network. This challenge also triggers CiscoSecure ACS to download the first access control list (ACL) and apply it against the ISDN port of the NAS. The ACL assigns the network access privileges, and the SOHO and its users are only allowed to Telnet to the NAS.

In the second challenge, SOHO users must Telnet to the NAS to be user-authenticated. When SOHO users log in, they are authenticated with AAA login authentication. CAA users can simply right-click to access the Connect option and establish the required Telnet session. Users are automatically prompted to enter the username and password. The Telnet service negotiates with CiscoSecure ACS to authorize users to access the NAS network. When authorization is complete, users have been double-authenticated and can access the network according to their per-user network privileges. The second challenge also triggers the second ACS to download the ACS and apply it against the ISDN port on the NAS to which the SOHO connection has already been established.

Windows NT Server Configuration

No special Windows NT server configuration is required.

CiscoSecure ACS Configuration

Define the access control lists (ACLs) and network access privileges of the SOHO and its users on CiscoSecure ACS.

Network Configuration

Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Databases Configuration

Configure the database for the token card you are using. See the "External User Databases" section in "Step-by-Step Configuration for CiscoSecure ACS," for instructions.

User Setup

Add or edit a user.

Group Setup

Add an ISDN SOHO group. The following TACACS+ statements must be included in the double-authentication user's or group's profile. Users on the same SOHO 802.3 segment inherit the capabilities and limitations of the first session established.

Step 1 Add a first authentication group for the Cisco 77x or Cisco 1xxx device.

Step 2 In the Custom Attributes section, assign PPP/IP to the group by adding the following statement:

 inacl#3=permit tcp any any eq telnet

Make sure PPP LCP and ppp multilink are checked.

Step 3 Add the SOHO device to the first authentication group and assign it a standard CHAP password.

Step 4 Add a second authentication group which will include the actual users.

Step 5 In the Custom Attributes section, assign PPP/IP to the group by adding the following statements:

 inacl#4=permit icmp any any

 inacl#5=permit tcp any any eq ftp

 inacl#6=permit tcp any any eq ftp-data

Make sure PPP LCP, Shell (exec), and AutoCommand are checked. AutoCommand is defined for the access profile only at the per-user level.

Step 6 Map the CHAP password user or token card user to the second authentication group.

NAS Configuration

Add the following configuration to the NAS.

 5200 #s ru

 Building configuration...

 Current configuration:

!

 version 11.2

 service timestamps debug datetime msec localtime

 no service password-encryption

 service udp-small-servers

 service tcp-small-servers

!

 hostname 5200

!

 aaa new-model

 aaa authentication login noaaa local

 aaa authentication login logintac tacacs+

 aaa authentication ppp ppptac tacacs+

 aaa authorization exec tacacs+

 aaa authorization network default tacacs+

 aaa accounting exec default start-stop tacacs+

 aaa accounting network def start-stop tacacs+

 aaa accounting connection start-stop tacacs+

 enable password cisco

!

 username jsmith password 0 cisco

 modem startup-test

 no ip domain-lookup

 isdn switch-type primary-5ess

!

 controller T1 0

 framing esf

 clock source line primary

 linecode b8zs

 pri-group timeslots 1-24

!

 controller T1 1

 shutdown

 framing esf

 clock source line secondary

 linecode b8zs

 pri-group timeslots 1-24

!

 interface Loopback0

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

!

 interface Ethernet0

 ip address 10.4.1.30 255.255.255.0

 no ip route-cache

 no ip mroute-cache

 no mop enabled

!

 interface Virtual-Template1

 ip unnumbered Ethernet0

 no ip mroute-cache

 peer default ip address pool pool1

 ppp authentication chap ppptac

!

 interface Serial0

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

 no fair-queue

!

 interface Serial1

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

!

 interface Serial0:23

 ip unnumbered Ethernet0

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 no keepalive

 isdn incoming-voice modem

 peer default ip address pool setup_pool

 dialer idle-timeout 400

 dialer map ip 10.15.2.50 6661400

 dialer-group 1

 no fair-queue

 ppp authentication pap ppptac

 ppp multilink

!

 interface Serial1:23

 no ip address

 no ip route-cache

 no ip mroute-cache

 shutdown

!

 interface Group-Async1

 ip unnumbered Ethernet0

 ip tcp header-compression passive

 encapsulation ppp

 no ip route-cache

 no ip mroute-cache

 async default routing

 async dynamic address

 async mode interactive

 peer default ip address pool setup_pool

 ppp authentication pap ppptac

 group-range 1 48

!

!

 interface Dialer0

 no ip address

 no ip route-cache

 no ip mroute-cache

 dialer-group 1

!

 router igrp 1

 redistribute connected

 network 10.0.0.0

!

 ip local pool pool1 10.4.1.101 10.4.1.110

 ip local pool setup_pool 10.4.1.90 10.4.1.99

 no ip classless

 ip route 10.0.0.0 255.0.0.0 Ethernet0

 ip route 10.5.7.0 255.255.255.0 10.15.2.71

 ip route 10.6.3.0 255.255.255.0 10.15.2.70

 virtual-profile virtual-template 1

 dialer-list 1 protocol ip permit

!

 tacacs-server host 10.11.1.16

 tacacs-server timeout 20

 tacacs-server key cisco

!

 line con 0

 exec-timeout 0 0

 password cisco

 logging synchronous

 login authentication noaaa

 line 1 48

 exec-timeout 0 0

 autoselect during-login

 autoselect ppp

 modem Dialin

 transport preferred telnet

 transport input all

 line aux 0

 line vty 0

 exec-timeout 0 0

 password cisco

 login authentication logintac

 length 62

 width 137

 line vty 1 4

 exec-timeout 0 0

 password cisco

 login authentication logintac

!

 scheduler interval 1000

end

 5200 #

SOHO Router Configuration

Enter the following commands in the configuration file on the SOHO router:

 version 11.3

 no service pad

 no service password-encryption

 service udp-small-servers

 service tcp-small-servers

!

 hostname 1000

!

 enable secret 5 $1$pAlv$j3we9UFIcvdXBJ497PzFa/

 enable password enable

!

 username 5200 password 7 104D000A0618

 username jsmith password 7 124C303A0617

 isdn switch-type basic-ni1

!

 interface Ethernet0

 ip address 10.4.1.1 255.255.255.0

!

 interface BRI0

 ip address 10.15.2.40 255.255.255.0

 encapsulation ppp

 dialer map ip 10.15.2.80 name 5200 broadcast 96662000

 dialer load-threshold 1 either

 dialer-group 1

 isdn spid1 714666140100

 isdn spid2 714666140200

 ppp authentication chap

!

 no ip classless

 ip route 10.0.0.0 255.0.0.0 10.15.2.80

 dialer-list 1 protocol ip permit

!

 line con 0

 exec-timeout 0 0

 line vty 0 4

 password enable

 login

!

end

Tips

Consider the following:

Cisco recommends that before you use double authentication, you read the applicable documentation located on Cisco Connection Online at http://www.cisco.com.
Be sure to double-check the access-list service types you are permitting or denying for the double authentication group or users; for example, if you define ftp service, make sure you also define ftp-data or the http service for web browsing.
Several debug tools are available for Cisco IOS AAA Double Authentication, including debug aaa authen, debug aaa author, debug aaa per-user, debug ppp authen, and debug vtem.
Ping the NAS from the Cisco/ 76x/77x device to make sure it is reachable.
Make sure the NAS is using Cisco IOS image 11.3.3Q or later.
Make sure that the user is correctly defined within the CiscoSecure ACS database.
Make sure the ISDN connection from the SOHO to the LAN is operating correctly by doing a test call on the Cisco/ 76x/77x device or a ping test on the Cisco 1xxx device. Use one of the following commands on the Cisco 1xxx device: sh conn, sh con, or sh bri int.
Make sure the CAA is actively running in the background. You should see the CAA icon in the Active Icon tray at the lower right of the screen.
Make sure the NAS is configured correctly and the ISDN connection, carrier ISDN lines, NICs, and cables are connected and operating correctly.
Check the PPP negotiation on the Cisco/ 76x/77x device by entering diag PPP On; to turn the diagnostics off, enter diag PPP Off.

Authentication Using CiscoSecure ACS and an MCIS LDAP Database

This sample configuration supports authentication via the Microsoft Commercial Internet System (MCIS) Lightweight Directory Access Protocol (LDAP) authenticator.

Windows NT Server Configuration

To use MCIS LDAP authentication, you must have Microsoft Site Server 3.0 or MCIS 2.0 installed on the server. See your Microsoft documentation for more information.

Note CiscoSecure ACS does not currently support password aging when using MCIS.

Follow these steps on the membership server:

Step 1 Select Membership Authentication.

Step 2 Enable clear text/basic authentication for the LDAP directory instance.

Step 3 The password is in clear text and is not encrypted. To increase security, click the Use Secure Authentication check box, the Use Encryption check box, or both.

Step 4 Make sure user objects are located in the Members container (ou=members) and are of the type "Member."

Step 5 Make sure the common name (cn=MarySmith) property exactly matches the username entered during dial-in.

Step 6 Make sure the user-object's Account-Status property is set to Active (1).

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration

Note If the first NAS into which clients dial was set up during CiscoSecure ACS installation, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a NAS.

Step 3 Enter the name of the NAS.

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

Administration Control

To allow the administrator to configure MCIS LDAP options, in the Administrator Privileges section, check User & Group Setup, External User Databases, and any other applicable check boxes.

External User Databases Configuration

Configure these items in the External User Databases window:

In the Database Configuration window, add and configure the MCIS LDAP database.
(Optional) In the Database Group Mappings window, map the applicable group(s) to the MCIS LDAP database.
(Optional) In the Unknown Users window, add the MCIS LDAP database to the Selected databases list.

For more information, see the "MCIS LDAP Configuration" section in "Step-by-Step Configuration for CiscoSecure ACS."

User Setup

Add or edit the user profile and either assign the user to an MCIS LDAP group, or overwrite the group profile.

Group Setup

Configure an MCIS LDAP group.

NAS Configuration

No special NAS configuration is required.

Client Configuration

No special client configuration is required.

Tips

Consider the following:

To use MCIS LDAP authentication, you must have Microsoft Site Server 3.0 or MCIS 2.0 installed on the server. See your Microsoft documentation for more information.
CiscoSecure ACS does not currently support password aging when using MCIS.

PIX Firewall Authentication/Authorization Using the Windows NT User Database with TACACS+

This is a typical configuration that you can use in a Windows NT network that resides behind a PIX firewall and uses only the Windows NT user database to maintain authentication information. Businesses with a significant investment or strategic direction based on Windows NT can use this configuration to control connectivity through a PIX firewall using Windows NT for authentication and the CiscoSecure ACS for authorization.

Windows NT Server Configuration

Because it depends greatly on Windows NT management functions, this configuration requires significant configuration of the Windows NT server.

Configure these items in the User Manager of your Windows NT server running CiscoSecure ACS:

The user must exist in the Windows NT user database on the same Windows NT server as the CiscoSecure ACS.
The user profile must not include change password at next login or disable account.
Do not configure a callback number.
(Optional) To be able to enable or disable user access privileges from Windows NT, enable Grant dialin permission to user from the Dial-up menu.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Note Administration through a firewall is not supported. The CiscoSecure ACS can only be managed from the same side of the firewall.

Network Configuration

Note If the first PIX that clients use was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit a PIX (NAS).

Step 3 Enter the name of the PIX (NAS).

Step 4 Enter the IP address of the PIX (NAS).

Step 5 Enter the shared secret (key) between the PIX (NAS) and the CiscoSecure ACS.

Step 6 Select TACACS+ (Cisco) as the security control protocol.

External User Databases Configuration

If CiscoSecure ACS was initially installed so that it did not authenticate usernames against the Windows NT database, you must add a new configuration to allow this function.

Step 1 Click External User Databases: Database Configuration.

Step 2 Click Create a new configuration.

Step 3 Click Submit to accept the default name.

Step 4 Click Configure to allow Grant dialin permission to user. CiscoSecure ACS verifies that dialup permission is granted for this user in the Windows NT user database. If users without dialup permission on the Windows NT server try to log in, authentication fails, even if they use the correct password. If you do not want to use this feature, clear the check box and click Submit.

Step 5 The Unknown User Policy window controls how CiscoSecure ACS behaves when a username is not found in the CiscoSecure ACS user database. Configure this option to ensure that all authentications without matching usernames in the CiscoSecure ACS user database are checked against the Windows NT database. If this authentication succeeds, a record is automatically generated in the CiscoSecure ACS database indicating the database to use for password authentication. User records added to the database this way automatically become members of the selected group.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Group Setup

Follow these steps in Group Setup for the Windows NT Users group:

Step 2 Enable Shell (Exec) to allow the client to run Telnet sessions for FTP and HTTP. With the commands:

 aaa authen any inbound 0.0.0.0 0.0.0.0 tacacs+

 aaa author any inbound 0.0.0.0 0.0.0.0

in addition to authentication, when a user tries to do FTP, Telnet, or HTTP inbound, command authorization requests come in to CiscoSecure ACS. If you want users to be able to do "http 1.1.1.1," all Telnets, and "ftp 2.2.2.2," add command authorization to CiscoSecure ACS as follows:

 command=http

 permit 1.1.1.1

 deny unmatched arguments

 command=telnet

 permit unmatched arguments

 command=ftp

 permit 2.2.2.2

 deny unmatched arguments

User Setup

User setup is not required; users who successfully authenticate against the Windows NT user database are automatically added to the CiscoSecure ACS user database; you can reassign them later to groups with different authorization levels.

PIX Configuration

This sample configuration for a Cisco PIX firewall allows any inbound traffic (HTTP, FTP, or Telnet) as long as the user is authenticated and authorized. Notations have been added to this configuration to allow variations to be configured to deny authentication and/or authorization:

 PIX Version 4.0.3

 enable password 8Ry2YjIyt7RRXU24 encrypted

 passwd 2KFQnbNIdI.2KYOU encrypted

 hostname pixfirewall

 failover

 names

 syslog output 20.3

 no syslog console

 interface ethernet outside auto

 interface ethernet inside auto

 ip address inside 10.5.55.46 255.0.0.0

 ip address outside 200.200.201.100 255.255.255.0

 arp timeout 14400

 global 1 200.200.201.150-200.200.201.180

 static 200.200.201.0 10.0.0.0

 static 200.200.201.150 10.5.55.88

 conduit 200.200.201.150 0 tcp 0.0.0.0 0.0.0.0

 age 10

 no rip outside passive

 no rip outside default

 no rip inside passive

 no rip inside default

 route outside 0.0.0.0 0.0.0.0 10.5.55.46 1

 route inside 10.0.0.0 255.0.0.0 200.200.201.100 1

 timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00

 timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00

 tacacs-server host 10.5.55.88 cisco

 aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+

 aaa authorization any inbound 0.0.0.0 0.0.0.0

 no snmp-server location

 no snmp-server contact

 telnet 10.5.55.88 255.0.0.0

 mtu outside 1500

 mtu inside 1500

Client Configuration

No other client configuration is necessary for this application; however, you might need to enable authentication forwarding support on your browser.

Tips

With this configuration you can leverage all of the benefits of the Windows NT operating system such as Primary Domain Controller/Backup domain Controller (PDC/BDC) database replication and distribution.

VPDN Using the CiscoSecure ACS User Database with TACACS+

Use this configuration to create secure connections over a public infrastructure. You can use the CiscoSecure ACS to provide authentication, authorization, and accounting for Virtual Private Dialup Networks (VPDNs) using the L2F tunneling protocol. Service providers can use this method to create the service and procure it by the corporate customers. This configuration requires both types of users to have an ACS at both the NAS and home gateway (HG) locations.

The CiscoSecure ACS is used at the originating end of the VPDN tunnel (the site into which the VPDN user dials, often called the ISP NAS) and at the end of the tunnel (the private network that terminates the VPDN tunnel, called the home gateway or HG).

Figure 10-1 VPDN and the CiscoSecure ACS

Note VPDN terminology commonly uses domain to represent the corporate home gateway; this is not associated with the Windows NT domain. In the following example, the VPDN domain is referred to as VPDN domain to prevent confusion.

The creation of a tunnel can be described in two major processes that take place after the client dials in:

1. Creating a VPDN Tunnel

2. Client Authentication and Authorization

Creating a VPDN Tunnel

1. The ISP NAS uses the VPDN domain to get information from the ACS (ISP) about where the tunnel should be built for that user (Tunnel ID and HG address).

2. The ISP NAS then uses the information (Tunnel ID) to request authentication for the tunnel from the NAS (HG).

3. The NAS forwards the information (Tunnel ID) to the ACS (HG) to authenticate the request.

4. When the information (Tunnel ID) is validated, the tunnel has been created.

Client Authentication and Authorization

1. The ISP NAS requests authentication for the user by the ACS (HG).

2. The ACS (HG) returns authentication and authorization responses to the ISP NAS.

3. After validation, the client has a secure connection through the tunnel with permissions assigned by the ACS at the corporate site (HG).

Windows NT Server Configuration (ISP)

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (ISP)

Configure these items on the CiscoSecure ACS at the ISP end of the VPDN connection.

Network Configuration

Note If the first ISP NAS into which the clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Step 2 Click PPP-VPDN and click Submit. This displays the PPP-VPDN option under Group Setup when it is time to configure that section.

Group Setup

Follow these steps in Group Setup for Group 1:

Step 1 Enable PPP-VPDN.

Step 2 Enter CISCO_TUNNEL. This is the Tunnel ID, which is the username.

Step 3 Enter the IP address of the HG NAS.

User Setup

Follow these steps in User Setup:

Step 1 Add a user to the CiscoSecure ACS user database for authentication. This username is actually the name of the VPDN domain. For this example, use cisco. A password is needed to submit the user but is not actually used for authentication, so enter a fictitious password. Do not configure any other parameters.

Step 2 Assign the user to Group 1.

Step 3 Add a second user to the CiscoSecure ACS user database for authentication. This username is the name of the Tunnel ID. For this example use cisco_tunnel. A legitimate password is needed for this entry. Enter cisco for this example. Do not configure any other parameters.

Step 4 Assign the second user to Group 1.

NAS Configuration (ISP)

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 enable vpdn

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter the following command under each interface used for dial-in access:

 ppp authentication chap

Windows NT Server Configuration (HG)

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration (HG)

Configure these items on the CiscoSecure ACS at the HG of the VPDN connection.

Network Configuration

Note If the first HG NAS into which clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ as the security control protocol.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+ (Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Group Setup

Do not configure any parameters in Group Setup for the CISCO_TUNNEL user's group (for example, Group 1). CISCO_TUNNEL is only used for authentication of the tunnel.

Follow these steps in Group Setup for the Group where the user username@CISCO has been placed (for example, Group 2):

Step 3 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 4 To make CiscoSecure ACS a "DHCP-like" server, enable IP Pool and enter the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 5 To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 6 To allow the client to run Telnet sessions or to allow CiscoSecure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database for authentication. This username is used by the client. It must contain the VPDN domain as the suffix following the "@" sign. This name must be the same as the VPDN domain name entered at the ISP's ACS (for example, username@cisco). Enter a client password.

Step 2 Assign the username@cisco to a group, for example, the Windows NT Users group.

Step 3 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4 If you are using dial-in, to assign a particular IP address to the user, enter it in the Static IP Address field.

Step 5 To set expiration or aging conditions for the user, configure them here.

Step 6 Add a second user to the CiscoSecure ACS user database for authentication. This username is actually the same name used at the ISP as the Tunnel ID. For this example, use cisco_tunnel. The same legitimate password is needed for this entry. For this example, enter cisco. Do not configure any other parameters.

Step 7 Assign the second user to Group 1.

Administration Control

To allow users to configure CiscoSecure ACS from another workstation, either on the LAN or from a dial-in client, the user must be registered as an administrator. In the Administration Control window, enter the administrator's username and password, and assign the applicable administrator privileges. This username and password have no association with the dialup authentication username and password.

NAS Configuration (HG)

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 enable vpdn

 vpdn incoming <isp hostname> <home-gw hostname> virtual-template 1

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

 int virtual-template 1

 ip unnumber e0

 encap ppp

 ppp authentication chap

Enter the following command under each interface used for dial-in access:

 ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

The client must dial in to the ISP NAS with the name defined at the HG ACS (for example, username@corporation).

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95:

Step 1 Create and configure a connection with the dial number to the NAS.

Step 2 Right-click the Connection icon and click Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When you make a connection, enter the same username and password for the user account in the Windows NT user database.

Tips

Consider the following:

Because PAP and CHAP passwords can be stored in the CiscoSecure ACS user database, you can use either PAP or CHAP as the authentication protocol with this configuration (with PAP added to the Cisco IOS configuration on the NAS).
Because single login is not available with CHAP authentication, logging in to a Windows NT network requires two steps.

Virtual Profiles Using the CiscoSecure ACS User Database with TACACS+

This section outlines how you can achieve greater flexibility in supporting access security with virtual profiles. Virtual profiles are specific access profiles you define in CiscoSecure ACS.

Virtual profiles allow you to:

Use simpler NAS configurations
Centralize network access management
Apply security based on user profiles rather than configuring the physical interface of the access device
Apply specific Cisco IOS WAN interface commands that are configured in CiscoSecure ACS onto a virtual interface that is created on the NAS when a user dials in to the network.

In this example, an access list is applied to a user's dial-in connections. When the user dials in and authenticates, a virtual profile is created and the access list is applied.

Windows NT Server Configuration

No Windows NT server configuration is required; users do not need to exist in the Windows NT database unless they need to log in to the Windows NT network.

CiscoSecure ACS Configuration

Configure these items in the CiscoSecure ACS.

Network Configuration

Note If the first HG NAS into which clients dial was set up during the installation of the CiscoSecure ACS, this configuration should already be complete.

Follow these steps in the Network Configuration window:

Step 1 If you are using network device groups (NDGs), click the name of the applicable NDG.

Step 2 Add or edit the NAS.

Step 3 Enter the name of the NAS (this is only for identification by the administrator).

Step 4 Enter the IP address of the NAS.

Step 5 Enter the shared secret (key) of the NAS and the CiscoSecure ACS.

Step 6 Select TACACS+ as the security control protocol.

External User Database Configuration

Follow these steps in the External User Databases window:

Step 1 Click Unknown User Policy.

Step 1 Click Fail the attempt.

Step 2 Click Database Configuration.

Step 3 Click Windows NT.

Step 4 Clear the Grant dialin permission to user check box.

This sets CiscoSecure ACS to deny authentication unless the user has an active account in the CiscoSecure ACS database.

Interface Configuration

Follow these steps in the Interface Configuration window:

Step 1 To allow the protocol to be configurable for a group, click TACACS+(Cisco).

Note When you select any PPP protocol, you must also enable PPP LCP.

Step 2 Click Display a window for each service selected in which you can enter customized TACACS+ attributes in the TACACS+(Cisco) window.

Step 3 To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.

Group Setup

Follow these steps in Group Setup for the Default Group:

Note The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4 CiscoSecure ACS can store ISDN passwords to authenticate the second B channel when it is brought into service. Select one of these token caching methods:

If the second B-channel service goes up and down dynamically, select Session.
If both B channels stay in service, select Duration. Enter the number of minutes for the CiscoSecure ACS to cache the password.

Step 5 Enable IP and click the Custom Attributes check box. In the text window enter:

 inacl#3=permit ip any any

Step 6 To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco) window.

Step 7 Enable LCP and check Custom Attributes. In the text window, enter:

 interface-config=ip unnumbered e0\nno ip route-cache

User Setup

Follow these steps in the User Setup window of CiscoSecure ACS:

Step 1 Add a user to the CiscoSecure ACS user database.

Step 2 Select CiscoSecure Database as the method for password authentication.

Step 3 Enter and confirm the password in the first set of the CiscoSecure ACS user database password fields.

Step 4 Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Note All groups can be renamed, but the CiscoSecure ACS tracks all groups by their original number.

Step 5 To permit or deny users to call only from a particular location, enter the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6 If you are using dial-in, to assign a particular IP address to the user, enter the address in the Static IP Address field.

Step 7 To set expiration or aging conditions for the user, configure them here.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ that can authorize NAS commands and grant privilege-level authentication. CHAP can be used because the CiscoSecure ACS user database is being used:

virtual-profile virtual-template1

 virtual-profile aaa

 aaa new-model

 aaa authentication login default tacacs+

 aaa authentication ppp default tacacs+

 aaa authentication enable default tacacs+

 aaa authorization exec tacacs+

 aaa authorization network tacacs+

 aaa accounting network start-stop tacacs+

 aaa accounting exec start-stop tacacs+

 tacacs-server host <ip_address> single

 tacacs-server key <key>

 enable secret <password>

 aaa authentication login no_tacacs enable

 line con 0

 login authentication no_tacacs

Enter one of the following commands under each interface used for dial-in access:

 ppp authentication chap

 ppp authentication pap

Client Configuration

The client can be an async or ISDN client or reside on the network.

Windows 95 Client

Follow these steps in the Dial-Up Networking section of Windows 95.

Step 1 Create and configure a connection with the dial number for the NAS.

Step 2 Right-click the Connection icon and select Properties.

Step 3 Click the Server Type tab.

Step 4 For the Type of Dial-Up Server, select PPP.

Step 5 Under Advanced options, check the Log on to Network check box to log on to the Windows NT domain.

Step 6 Clear the Require encrypted password check box.

Step 7 Under Allowed network protocols, check IP and/or IPX.

Step 8 If the NAS is using an IP pool, rather than assigning the IP address at the client, set TCP/IP settings to server assigned IP Address and server assigned name.

Step 9 When you make a connection, enter the CiscoSecure ACS user database username and password.

Tips

Because the CiscoSecure ACS user database can store PAP and CHAP passwords, you can use PAP or CHAP as the authentication protocol. To use PAP authentication, substitute the word PAP in place of CHAP in the NAS configuration example earlier in this section.

Table of Contents

Sample Configurations

Dialup Using the Windows NT User Database with TACACS+

Windows NT Server Configuration

CiscoSecure ACS Configuration

Network Configuration

External User Databases Configuration

Interface Configuration

Group Setup

User Setup

NAS Configuration

Client Configuration

Windows 95 Client Configuration

Tips

Dialup Using the CiscoSecure ACS User Database with TACACS+

Windows NT Server Configuration

CiscoSecure ACS Configuration

Network Configuration

External User Database Configuration (Optional)

Interface Configuration

Group Setup

User Setup

NAS Configuration

Client Configuration

Windows 95 Client

Tips

Dialup Using SDI Token-Card Server with TACACS+

Windows NT Server Configuration

CiscoSecure ACS Configuration

Network Configuration

External User Database Configuration

Interface Configuration

Group Setup

User Setup

NAS Configuration

Client Configuration

Windows 95 Client

Tips

Dialup Using NDS with TACACS+

Windows NT Server Configuration

CiscoSecure ACS Configuration

Network Configuration

External User Database Configuration

Interface Configuration

Group Setup

User Setup

NAS Configuration

Client Configuration

Windows 95 Client

Tips

Dialup Using a CRYPTOCard Token-Card Server with TACACS+

Windows NT Server Configuration

CiscoSecure ACS Configuration

Network Configuration

External User Database Configuration

Interface Configuration

Group Setup

User Setup

NAS Configuration

Client Configuration

Windows 95 Client

Tips

Dialup Using the CiscoSecure ACS User Database with Cisco RADIUS

Windows NT Server Configuration

CiscoSecure ACS Configuration

Network Configuration

Interface Configuration

Group Setup

User Setup

NAS Configuration

Client Configuration

Windows 95 Client

Tips

Dialup for an ARAP Client Using the CiscoSecure ACS User Database with TACACS+

CiscoSecure ACS Configuration

Network Configuration

Interface Configuration

Group Setup

User Setup

NAS Configuration