CiscoSecure ACS 2.3 for Windows NT Server User Guide
Overview

Table of Contents

Overview
New Features in this Release
Other CiscoSecure ACS Features
Upgrading from Previous Versions of CiscoSecure ACS
Specifications
System Requirements
CiscoSecure ACS Concepts and Functions
Authentication
Authorization
Accounting
Max Sessions
Network Device Groups

Overview


CiscoSecure Access Control Server (CiscoSecure ACS) network security software helps you authenticate users by controlling dial-in access to a network access server (NAS) device—an access server, Cisco PIX firewall, or router.


Note      Unless specifically stated otherwise, all references in this user guide to NAS apply to any access device.


CiscoSecure ACS operates as a Windows NT service and controls the authentication, authorization, and accounting (AAA, pronounced "triple A") of users accessing networks. CiscoSecure ACS operates with Windows NT server version 4.0.

CiscoSecure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With CiscoSecure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of CiscoSecure ACS with the Windows NT operating system enables companies to leverage the working knowledge and the investment already made into building a Windows NT network.

CiscoSecure ACS supports Cisco NASes such as the Cisco 2509, 2511, 3620, 3640, AS5200, and AS5300, the Cisco PIX firewall, and any third-party device that can be configured with the Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) protocol. CiscoSecure ACS uses TACACS+, RADIUS, or both to provide AAA services.

CiscoSecure ACS can authenticate users against any of the following user databases:

  • Windows NT
  • CiscoSecure ACS
  • Token-card servers, including:
    • AXENT
    • CRYPTOCard
    • SafeWord
    • Security Dynamics, Inc. (SDI)
  • Novell Directory Services (NDS)
  • Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP)
  • Microsoft Open DataBase Connectivity (ODBC)

The NAS directs all dial-in user access requests to CiscoSecure ACS for authentication and authorization of privileges. Using either the RADIUS or TACACS+ protocol, the NAS sends authentication requests to CiscoSecure ACS, which verifies the username and password. CiscoSecure ACS then returns a success or failure response to the NAS, which permits or denies user access. When the user has been authenticated, CiscoSecure ACS sends a set of authorization attributes to the NAS, and the accounting functions take effect.

New Features in this Release

CiscoSecure ACS adds the following new features and capabilities:

  • Password Aging—Lets you set an expiration date or event after which group members must change their password to be able to continue to authenticate.
  • IP Pools—Lets you specify a range of IP addresses for certain groups or users.
  • User-Changeable Password—Lets users change their own passwords. You must also be using the CiscoSecure Authentication Agent (CAA).
  • Support for MCIS LDAP—Lets you use the Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP) as a user database.
  • Support for ODBC—Lets you use a database that conforms to the Microsoft Open Database Connectivity (ODBC) specifications as a user database.
  • Support for MS CHAP—Lets you use Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAP).
  • Multi-level administration—Lets you set different privilege levels for different system administrators.
  • Per-User TACACS+ or RADIUS attributes—Lets you specify different TACACS+ or RADIUS attributes for each user.
  • Define different privileges for remote administrators, including logging records—Lets you set different privilege levels for remote administrators than those assigned to local administrators.
  • CSMonitor service—Lets CiscoSecure ACS monitor itself and correct system problems.
  • More detailed logging information—Lets you add more detailed information to the accounting logs, including the Microsoft domain name.
  • Scheduled ACS system backup—Lets you schedule regular backups for your ACS system through the hypertext markup language (HTML) interface.
  • Ability to restore the ACS system from a backup file—Lets you restore your ACS system from a backup file created during an ACS system backup.
  • Ability to import UNIX password files—Lets you import password files from a UNIX-based device.
  • Network Device Groups—Lets you group network devices to allow different privilege levels per IP address.
  • Enhancements to logged-on user list—Provides more detailed information for logged-on users.
  • Ability to upgrade from all previous versions of CiscoSecure ACS for Windows NT, including CiscoSecure EasyACS—Lets you upgrade from any earlier version of CiscoSecure ACS for Windows NT and maintain your database and system configuration.
  • Support for Voice over IP (VoIP)—Provides group-level support for the null password requirement of VoIP.

Other CiscoSecure ACS Features

Features included in this and previous versions of CiscoSecure ACS include:

  • Sophisticated unknown user handling
  • Remote administration
  • Centralized logging
  • Group mapping
  • Supplementary user ID fields
  • Simultaneous TACACS+ and RADIUS support, for a flexible solution
  • HTML/Java HTML user interface (HTML interface) that simplifies and distributes configuration for user profiles, group profiles, and ACS configuration
  • Help and online documentation included for quick problem solving
  • Group administration of users for maximum flexibility and to facilitate enforcement and changes of security policies
  • Virtual private dial-up network (VPDN) support available at the origination and termination of virtual private network (VPN) L2F tunnels
  • Import mechanism to rapidly import a large number of users
  • Hash-indexed flatfile database support for high-speed transaction processing
  • Windows NT database support to leverage and consolidate Windows NT username and password management
  • Windows NT single login
  • Runs on Windows NT stand-alone, primary domain controller (PDC), and backup domain controller (BDC) servers
  • Password support that includes Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and AppleTalk Remote Access Password (ARAP)
  • Support for token card security servers
  • Token caching of one-time-password (OTP) tokens for Integrated Services Digital Network (ISDN) terminal adapters
  • Time-of-day and day-of-week access restrictions
  • Network access restrictions based on remote address caller line identification (CLID)
  • Ability to disable an account on a specific date
  • Ability to disable an account after a number of failed attempts specified by the administrator
  • Ability to view a list of logged-in users
  • Windows NT Performance Monitor support for real-time statistic viewing
  • Configurable accounting and auditing information stored in comma-separated values (CSV) format for convenient import into billing applications
  • User and group MaxSessions
  • Configurable character string stripping
  • Authentication forwarding
  • Configurable HTML user interface
  • Relational database management system (RDBMS) synchronization
  • Database replication
  • System/database backup
  • Dialed number identification service (DNIS) Support
  • Database maintenance
  • Year-2000 compliance

Upgrading from Previous Versions of CiscoSecure ACS

CiscoSecure ACS can be installed as a new installation or as an upgrade from any previous version of CiscoSecure ACS, including CiscoSecure EasyACS.


If you are upgrading, be sure to back up your CiscoSecure ACS system files and database and your Windows Registry. For information on backing up, see "Database Information Management."

For more detailed information on installation, see the quick reference cards.

ODBC Message During Upgrade Installation

If a message stating that "The ODBC resource DLL (filename) is a different version than the ODBC (file type and name)" displays during installation, follow these steps:


Step 1   Exit the installation program.

Step 2   Run ODBCDMIN.EXE, which is located in the SUPPORT\ODBC directory on the CiscoSecure ACS CD-ROM. Running ODBCDMIN.EXE installs the ODBC 3.0 components.

Step 3   When you have finished installing these ODBC components, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS.

Installation Terminates Abnormally

If you get an error message during installation indicating that installation has failed, follow these steps:


Step 1   Click Start/Settings/Control Panel/Add/Remove Programs.

Step 2   Select CiscoSecure ACS 2.3 for Windows NT.

Step 3   Click Uninstall.

Step 4   When you have finished uninstalling, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS.

If Uninstall terminates abnormally or if installation still fails, go to the SUPPORT\CLEAN directory and run CLEAN.EXE. This will uninstall CiscoSecure ACS completely and clean up certain statements from the Windows NT Registry that prevent installation of CiscoSecure ACS. When you have finished running CLEAN.EXE, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS.

Specifications

CiscoSecure ACS conforms to the following specifications:

  • TACACS+

CiscoSecure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. See your Cisco IOS software documentation or Cisco Connection Online (http://www.cisco.com) for more information.

  • RADIUS

CiscoSecure ACS software conforms to the RADIUS protocol as defined in the April 1997 RADIUS Internet-Draft and in the following Requests for Comments (RFCs):

    • RFC 2138, Remote Authentication Dial In User Service
    • RFC 2139, RADIUS Accounting
  • Year 2000—CiscoSecure ACS meets the requirements of year-2000 compliance.

System Requirements

Your Windows NT server must meet the following minimum requirements.

Hardware Requirements

Your Windows NT server must meet the following minimum hardware requirements:

  • Pentium processor, 200 MHz or faster
  • Windows NT Server 4.0 operating system, English language version
  • 64 MB of RAM required, 128 MB recommended
  • At least 150 MB of free disk space
  • Display of at least 256 colors at 800 x 600 resolution

Software Requirements

Your Windows NT server must meet the following minimum software requirements:

  • To have CiscoSecure ACS refer to the Grant Dial-in Permission to User feature, make sure this option is checked in the Windows NT User Manager for the applicable user accounts.
  • Make sure your NAS is running Cisco IOS Release 11.1 or higher (Release 11.2 or higher for RADIUS) or you are using a third-party device that can be configured with TACACS+ and/or RADIUS.

Note PAP authentication is supported for the ODBC and MCIS user databases with Cisco IOS Release 11.1 and later. CHAP, MS-CHAP, and ARAP are not supported with Cisco IOS Releases prior to 11.2.


  • Make sure dial-up clients can successfully dial in to your NAS.
  • Make sure the Windows NT server can ping the NAS.
  • One of the following browsers must be installed on the Windows NT server:
    • Microsoft Internet Explorer 3.02 or higher
    • Netscape Navigator 3.x or Communicator 4.x or higher
  • Java and JavaScript support must be enabled.
  • Windows NT Service Pack 3 is recommended.
  • If you are using the Security Dynamics, Inc. (SDI) token server authentication, Cisco recommends using ACE/Client version 4.2 and ACE/Server version 3.3.

CiscoSecure ACS Concepts and Functions

This section describes some of the different components that work together with CiscoSecure ACS to provide network security.

CiscoSecure ACS and the Access Device

The NAS is configured to direct all user access requests to CiscoSecure ACS for authentication and authorization of privileges. Using the TACACS+ or RADIUS protocol, the NAS sends authentication requests to CiscoSecure ACS, which verifies the username and password against the selected user database. CiscoSecure ACS then returns a success or failure response to the NAS, which permits or denies user access.

When the user has successfully authenticated, a set of session attributes can be sent to the NAS to provide additional security and control of privileges. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet).

TACACS+ and RADIUS

CiscoSecure ACS can use both the TACACS+ and RADIUS security protocols. Table 1-1 summarizes the differences that matter when choosing between them.

Table 1-1   TACACS+ and RADIUS Protocol

  TACACS+                                                   RADIUS
  --------------------------------------------------------  --------------------------------------------------------
  TCP—connection-oriented transport layer protocol,         UDP—connectionless transport layer protocol, datagram
  reliable full-duplex data transmission                    exchange without acknowledgments or guaranteed delivery

  Full packet encryption (the entire packet body is         Encrypts only the User-Password attribute (RFC 2138,
  encrypted; only the 12-byte header is sent in clear)      1 to 128 bytes); usernames and all other attributes
                                                            are sent in clear

  Independent AAA architecture (authentication,             Authentication and authorization combined in a single
  authorization, and accounting are separate exchanges)     exchange

  Useful for router management (per-command                 Not useful for router management (no per-command
  authorization)                                            authorization)
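The following Python program is an added example, not code from CiscoSecure ACS or from the TACACS+ and RADIUS specifications themselves, that shows the practical difference behind the two encryption rows of Table 1-1. It implements the TACACS+ draft 1.77 body encryption (an MD5 pseudo-pad XORed over the whole packet body) and the RFC 2138 User-Password hiding, builds one packet of each kind from constructed credentials, and shows that the RADIUS packet still carries the username and every other attribute in clear, whereas the TACACS+ packet exposes only its 12-byte header. The shared secret, session ID, usernames, and passwords are assumptions made for the example.

```python
"""Added example (not CiscoSecure ACS code): what each protocol hides on the
NAS-to-ACS leg. TACACS+ body obfuscation follows draft 1.77 (MD5 pseudo-pad
XORed over the whole body); RADIUS User-Password hiding follows RFC 2138
section 5.2. The shared secret, session ID and sample credentials below are
constructed for the example."""
import hashlib
import os
import struct

SECRET = b"s3cr3t-shared-key"      # constructed shared secret
SESSION_ID = 0x12345678            # constructed TACACS+ session ID


# ---------- TACACS+: MD5 keystream over the whole packet body ----------
def tacacs_pad(session_id, key, version, seq_no, length):
    """pseudo_pad = MD5_1 || MD5_2 || ...
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)"""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def tacacs_crypt(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call encrypts and decrypts."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_packet(body, session_id, key, seq_no=1, version=0xC0, ptype=1):
    """12-byte header in clear (version, type, seq_no, flags, session_id,
    length) followed by the encrypted body. ptype 1 = authentication."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + tacacs_crypt(body, session_id, key, version, seq_no)


# ---------- RADIUS: only the User-Password attribute is hidden ----------
def radius_hide_password(password, secret, request_authenticator):
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}), 16-byte blocks.
    The password is null-padded to a multiple of 16 (so it may not itself
    contain null bytes)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2138 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def radius_unhide_password(hidden, secret, request_authenticator):
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request(username, password, secret, identifier=1, request_authenticator=None):
    """Code 1 Access-Request carrying User-Name (type 1, clear) and
    User-Password (type 2, hidden). Header: code, id, length, 16-byte RA."""
    ra = request_authenticator or os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, ra)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs


if __name__ == "__main__":
    ra = bytes(range(16))
    pkt = radius_access_request(b"alice", b"pa55word", SECRET, 7, ra)
    print("RADIUS: username visible:", b"alice" in pkt, "| password visible:", b"pa55word" in pkt)
    # Constructed authentication START body: LOGIN, priv 0, PAP, PPP,
    # user "alice", password "pa55word".
    body = b"\x01\x00\x02\x03\x05\x00\x00\x08" + b"alice" + b"pa55word"
    pkt = tacacs_packet(body, SESSION_ID, SECRET)
    print("TACACS+: username visible:", b"alice" in pkt, "| password visible:", b"pa55word" in pkt)
```

Both schemes derive their keystream from an MD5 of the shared secret, so their strength rests entirely on that secret: use a long random secret per NAS, and treat the NAS-to-ACS leg as something to keep on a protected management network rather than as encryption of the dial-in link itself.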

Authentication

Authentication determines a user's identity and then verifies that information. Traditional authentication uses a name and a fixed password. More modern and secure methods use one-time passwords (OTPs), typically generated by token cards, which can be carried to the NAS in a PAP login. CiscoSecure ACS supports both approaches.

There is a fundamental relationship between authentication and authorization. The more authorization privileges a user receives, the stronger the authentication should be. CiscoSecure ACS offers this capability by providing various methods of authentication.

Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

To reduce the risk of password capture on the network, use encryption. The access control protocols TACACS+ and RADIUS encrypt passwords so that they cannot be read off the network between the NAS and CiscoSecure ACS. That protection covers only the NAS-to-ACS leg, however: a PAP password sent by a client host dialing in over a phone line or an ISDN line still crosses the link to the NAS in clear text.

Service providers who offer increased levels of security services, and corporate customers who want to lessen the chance of intruder access resulting from password capture, can use an OTP. CiscoSecure ACS supports several types of OTP solutions, including OTPs entered as the PAP password during Point-to-Point Protocol (PPP) remote-node logon. Token cards are considered one of the strongest OTP authentication mechanisms available today.

The CRYPTOCard token-card server software is included with CiscoSecure ACS. All you need is the CRYPTOCard token card. CiscoSecure ACS also supports the following token-card servers for authentication:

  • AXENT
  • SafeWord
  • Security Dynamics, Inc. (SDI)

To use SDI's ACE server, you must install the ACE clients and configure them in CiscoSecure ACS to call the server when a user attempts to authenticate with an ACE token card.


Note      If you are using the Security Dynamics, Inc. (SDI) token server authentication, Cisco recommends using ACE/Client version 4.2 and ACE/Server version 3.3.


To use the AXENT token-card server, configure CiscoSecure ACS with the AXENT server's address and shared secret.

Passwords

CiscoSecure ACS supports the following password protocols and password sources:

  • ASCII/PAP
  • CHAP
  • MS-CHAP
  • ARAP
  • External token-card server
  • Windows NT user database
  • Microsoft MCIS LDAP
  • Novell NDS
  • ODBC

Passwords can be processed using these protocols based on the version and type of security control protocol used and the configuration of the NAS and client. The following sections outline the different conditions and functions of password handling.

CiscoSecure ACS acts as a client to the token-card server. The communication link between CiscoSecure ACS and the token-card server must be secure. This is done by either configuring a shared secret password between the two servers and defining the IP address or by installing a file created by the token-card server containing the same information into CiscoSecure ACS.

MCIS LDAP

CiscoSecure ACS supports the Microsoft Commercial Internet System Lightweight Directory Access Protocol ( MCIS LDAP). MCIS is Microsoft's product suite of commercial-grade server components designed for Internet service providers (ISPs) and commercial web sites. MCIS is a member of the Microsoft BackOffice family of servers and runs on Microsoft Windows NT Server and Microsoft Internet Information Server (IIS). For more information on MCIS, see your Microsoft documentation.

ODBC

CiscoSecure ACS supports authentication via an Open DataBase Connectivity (ODBC)-compliant SQL database. ODBC is a standardized API that was first developed by Microsoft and is now used by most major database vendors. ODBC now follows the specifications of the SQL Access Group. The benefit of ODBC in a web-based environment is easy access to data storage programs such as Microsoft Access and SQL Server. For more information on ODBC, see your ODBC and database vendor documentation.

Basic Password Configurations

There are seven basic password configurations:


Note      These configurations are all classed as Inbound authentication.


  • Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the most convenient method for both the SYSOP when setting up accounts and for the user when obtaining authentication. However, because the password is transmitted in clear text during an ASCII/PAP login, there is the chance that the CHAP password can become known.
  • Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a higher level of security, users can be given 2 separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password remains secure.
  • ASCII login with token card—For basic ASCII authentication via a token-card server, the user does not need a password to be held in the CiscoSecure ACS user database.
  • Novell NDS—For authentication when using a Novell NDS server.
  • MCIS LDAP—For authentication when using the Microsoft Commercial Internet System Lightweight Directory Access Protocol.
  • ODBC—For authentication when using the Open DataBase Connectivity system.
  • Windows NT user database—Again, the user does not configure a password in the CiscoSecure ACS user database; however, only ASCII/PAP authentication is supported.

Advanced Password Configurations

In addition to the basic password configurations listed above, CiscoSecure ACS also provides for:

  • Inbound passwords—Passwords used by most CiscoSecure ACS users. These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure ACS user database and are not usually given up to an external source if an outbound password has been configured.
  • Outbound passwords—The TACACS+ protocol supports outbound passwords that can be used, for example, when a NAS has to be authenticated by another NAS and client. Passwords from the CiscoSecure ACS user database are then sent back to the NAS and client.
  • Token caching—When token caching is enabled, ISDN users can connect (for a limited time period) a second B Channel using the same OTP entered during the original authentication. For a higher level of security, the B-Channel authentication request from the NAS should include the OTP in the username value (for example Fred*apassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user's configuration.

The TACACS+ SENDAUTH feature enables a NAS to authenticate itself to another NAS/client via an outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the CiscoSecure ACS password is given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, Cisco recommends that the separate SENDAUTH password be configured for the user so that CiscoSecure ACS inbound passwords are never compromised.

If you want to use outbound passwords and maintain the highest level of security, Cisco recommends that you configure CiscoSecure ACS with a separate outbound password that is different from the inbound password.

Password Aging

The password aging feature of CiscoSecure ACS lets you force users to change their passwords under any of the following conditions:

  • After a specified number of days
  • After a specified number of logins
  • The first time a new user logs in

Note      CiscoSecure ACS password aging is independent of Windows NT password aging.


Password aging requires the following conditions:

  • The CiscoSecure Authentication Agent (CAA) software must be installed in Windows 95 or Windows NT on the PC from which the user will dial. The CAA software is available at http://www.cisco.com.
  • The users must be using the Windows 95, Windows NT 3.51, or Windows NT 4.0 dial-up networking client or another PPP dial-up client.
  • The connections must be using PPP.
  • The NAS must be using the TACACS+ protocol.
  • The NAS must be using Cisco IOS Release 11.2.7 or later and be configured to send a "watchdog" accounting update packet (aaa accounting update newinfo) that carries the IP address of the calling station.

Password aging parameters are configured in the Group Setup window. For more information on the password aging feature, see the "Password Aging" section in "Step-by-Step Configuration for CiscoSecure ACS."

User-Changeable Passwords

With CiscoSecure ACS, you can install a separate program that lets users change their passwords using a web-based utility. For more information, see the Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords quick reference card.

CiscoSecure Authentication Agent

To use the user-changeable password feature of CiscoSecure ACS, make sure you have installed the latest version of the CAA software.

Cisco IOS Release 11.1 CHAP and ARAP Considerations

When using CHAP and ARAP authentication with a NAS configured to use TACACS+ with Cisco IOS Release 11.1, the challenge-response check is performed by the NAS and not by the CiscoSecure ACS TACACS+ server. CiscoSecure ACS therefore has to return the user's clear-text password to the NAS so that the NAS can compute and compare the response.

A NAS running Cisco IOS Release 11.1 generates TACACS+ SENDPASS requests in order to service a CHAP or ARAP authentication. The TACACS+ server replies with either the single ASCII PAP, CHAP, ARAP, or separate CHAP and ARAP password, depending on the user's configuration.

PAP, CHAP, and ARAP Support

Different levels of security can be used with CiscoSecure ACS for different requirements. The basic user-to-network security level is PAP. Although PAP sends the password across the dial-in link in clear text, it offers convenience and simplicity for the client. PAP allows authentication against the Windows NT database, so users need to log in only once. CHAP provides a higher level of security: the password itself never crosses the link from the client to the NAS, only a one-way hash of the password combined with a challenge. You can use CHAP with the CiscoSecure ACS user database. ARAP support is included to support Apple clients.

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are authentication protocols that differ in how the password crosses the dial-in link, and therefore in the level of security each provides.

  • PAP—Sends the password in clear text and is the least sophisticated authentication protocol. Because the verifier receives the password itself, it can check it against a store that holds only a one-way hash, which is why authentication against the Windows NT user database requires PAP.
  • CHAP—Uses a challenge-response mechanism: the client returns a one-way hash of a challenge from the NAS combined with the password, so the password itself is never transmitted. The NAS can be configured to negotiate downward from CHAP to PAP for clients that do not support CHAP. CHAP passwords are static and reusable (they are not OTPs), and the verifier must hold the clear-text password to compute the expected response. If you are using the CiscoSecure ACS user database for authentication, you can use either PAP or CHAP.
  • ARAP—Uses a two-way challenge-response mechanism. The NAS challenges the dial-in client to authenticate itself, and the dial-in client challenges the NAS to authenticate itself.

MS-CHAP

CiscoSecure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. The differences between MS-CHAP and standard CHAP are:

  • The MS-CHAP Response packet is in a format compatible with Microsoft Windows NT, Windows 95, and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
  • MS-CHAP provides an authenticator-controlled authentication retry mechanism.
  • MS-CHAP provides additional failure codes in the Failure packet Message field.

For more information on MS-CHAP, see the Internet-Draft draft-ietf-pppext-mschap-00.txt (Microsoft PPP CHAP Extensions) and the companion draft RADIUS Attributes for MS-CHAP Support.

Authorization

Authorization determines what a user is allowed to do. CiscoSecure ACS can send user profile policies to a NAS to determine the network services the user can access or the level of service to which the user is subscribed. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

The CiscoSecure ACS access restrictions feature lets you permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 a.m. to 5 p.m.

You can also restrict use by way of the Max Sessions feature, allowing a maximum number of concurrent sessions per user or group.

You can restrict users to a service or combination of services such as Point-to-Point Protocol (PPP), AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-up Networks (VPDNs). CiscoSecure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the Home Gateway for that user) or for the Home Gateway router to validate the user at the customer premises. In either case, CiscoSecure ACS can be used for each end of the VPDN.

Accounting

Accounting is the action of recording what a user is doing or has done. CiscoSecure ACS writes accounting records to a CSV log file daily. You can import this log file into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are:

  • TACACS+ Accounting—Lists when sessions start and stop; records NAS messages with username; provides caller line identification information; records the duration of each session.
  • RADIUS Accounting—Lists when sessions start and stop; records NAS messages with username; provides caller line identification information; records the duration of each session.
  • Administrative Accounting—Lists configuration commands entered on the NAS.

Max Sessions

Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:

  • User Max Sessions—For example, an ISP can limit each account holder to a single session.
  • Group Max Sessions—For example, an enterprise administrator can allow the remote access infrastructure to be shared equally among a number of departments and limit the maximum number of concurrent sessions for all the users of any one department.

In addition to simple User and Group Max Sessions control, CiscoSecure ACS lets the administrator specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group "Sales" and also limit each member of the "Sales" group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.
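The following Python program is an added example, not code from CiscoSecure ACS, that audits a CSV accounting log of the kind described under Accounting against User and Group Max Sessions limits. The log lines, the column names, the date format, and the limits are all constructed for the example; the product's actual CSV header may differ, so adjust the column names to match your log. Replaying Start and Stop records in time order gives the duration of each closed session, the sessions still open at the end of the log, any Stop without a matching Start, and any point at which a Start pushed a user or group over its limit. In a correctly configured deployment the last finding should never occur, so it points at a NAS that is not sending accounting records or a limit that is not being applied.

```python
"""Added example (not CiscoSecure ACS code): replaying a CSV accounting log
to measure session durations, list open sessions, and check User and
Group Max Sessions limits after the fact. The log lines, the column names
and the limits below are constructed for the example; the product's real
CSV header may differ."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log (column names are assumptions, not the product's header).
SAMPLE_LOG = """\
Date,Time,User-Name,Group-Name,Acct-Status-Type,Acct-Session-Id,Calling-Station-Id
03/02/1999,08:00:00,alice,Sales,Start,0001,5551001
03/02/1999,08:05:00,bob,Sales,Start,0002,5551002
03/02/1999,08:06:00,alice,Sales,Start,0003,5551003
03/02/1999,08:10:00,alice,Sales,Stop,0001,5551001
03/02/1999,08:20:00,carol,Eng,Start,0004,5551004
03/02/1999,08:30:00,bob,Sales,Stop,0002,5551002
"""

# Assumed policy: group-based User Max Sessions, and Group Max Sessions.
LIMITS = {"user": {"Sales": 1, "Eng": 2}, "group": {"Sales": 2, "Eng": 10}}


def parse_log(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["Date"] + " " + r["Time"], "%m/%d/%Y %H:%M:%S")
        rows.append(r)
    return sorted(rows, key=lambda row: row["ts"])


def audit(text, limits=LIMITS):
    """Replay Start/Stop records in time order. Returns
    (open sessions per user, seconds per closed session ID,
     list of (timestamp, kind, name, count) findings)."""
    open_by_id = {}
    per_user = defaultdict(int)
    per_group = defaultdict(int)
    durations = {}
    findings = []
    for r in parse_log(text):
        user, group, sid = r["User-Name"], r["Group-Name"], r["Acct-Session-Id"]
        if r["Acct-Status-Type"] == "Start":
            open_by_id[sid] = r
            per_user[user] += 1
            per_group[group] += 1
            # A Start that pushes a count over its limit means the limit was
            # not enforced (for example a NAS not sending accounting records).
            if per_user[user] > limits["user"].get(group, float("inf")):
                findings.append((r["ts"], "user", user, per_user[user]))
            if per_group[group] > limits["group"].get(group, float("inf")):
                findings.append((r["ts"], "group", group, per_group[group]))
        elif r["Acct-Status-Type"] == "Stop":
            start = open_by_id.pop(sid, None)
            if start is None:          # Stop without a matching Start
                findings.append((r["ts"], "orphan-stop", sid, 0))
                continue
            durations[sid] = int((r["ts"] - start["ts"]).total_seconds())
            per_user[user] -= 1
            per_group[group] -= 1
    open_sessions = {u: n for u, n in per_user.items() if n > 0}
    return open_sessions, durations, findings


if __name__ == "__main__":
    open_sessions, durations, findings = audit(SAMPLE_LOG)
    print("open sessions:", open_sessions)
    print("durations (s):", durations)
    for ts, kind, name, count in findings:
        print(ts, kind, name, count)
```

Run against a real daily log, the same replay is the quickest way to confirm that every NAS is actually sending Start and Stop records: a user who appears to hold more sessions than the limit allows, or sessions that never close, usually means accounting from one device is missing rather than that Max Sessions failed.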

Network Device Groups

Network Device Grouping (NDG) is an advanced feature that allows you to view and administer a collection of network devices as a single logical group. To simplify administration, each group can be assigned a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within CiscoSecure ACS—single discrete devices such as an individual router, NAS, or PIX firewall, and an NDG; that is, a collection of routers or AAA servers.

A device can belong to only one NDG at a time.

Using NDGs allows an organization with a large number of routers spread across a large geographical area to logically organize their environment within CiscoSecure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if each region's NASes were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on. For more information on NDGs, see the "Network Device Groups" section in "Step-by-Step Configuration for CiscoSecure ACS."