Table of Contents

Overview of Cisco Secure ACS

Overview of Cisco Secure ACS

This chapter provides an overview of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). It contains the following sections:

• The Cisco Secure ACS Paradigm
  
  
• Cisco Secure ACS Specifications
  
  
• AAA Server Functions and Concepts
  
  
• Cisco Secure ACS HTML Interface
  
  

The Cisco Secure ACS Paradigm

Cisco Secure ACS provides authentication, authorization, and accounting (AAA—pronounced "triple A") services to network devices that function as AAA clients, such as a network access server, PIX Firewall, or router. The AAA client in Figure 1-1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.

Cisco Secure ACS helps centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in Figure 1-1 is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories.

Cisco Secure ACS supports Cisco AAA clients such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, Cisco Aironet Access Point wireless networking devices, Cisco VPN 3000 Concentrators, and Cisco VPN 5000 Concentrators. It also supports third-party devices that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS treats all such devices as AAA clients. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment. For more information about support for TACACS+ and RADIUS in Cisco Secure ACS, see the "AAA ProtocolsTACACS+ and RADIUS" section.

Cisco Secure ACS Specifications

This section provides information about Cisco Secure ACS performance specifications and the Windows services that compose Cisco Secure ACS.

System Performance Specifications

The performance capabilities of Cisco Secure ACS are largely dependent upon the Windows server it is installed upon, your network topology and network management, the selection of user databases, and other factors. For example, Cisco Secure ACS can perform many more authentications per second if it is running on a 1.4-GHz Pentium IV server with Windows 2000 Server on a 1 GB ethernet backbone than it can if it is running on a 200-MHz Pentium II server with Windows NT 4.0 on a 10 MB LAN.

For more information about the expected performance of Cisco Secure ACS in your network setting, contact your Cisco sales representative. The following items are general answers to common system performance questions. The performance of Cisco Secure ACS in your network depends on your specific environment and AAA requirements.

• Maximum users supported by the CiscoSecure user database—There is no theoretical limit to the number of users the CiscoSecure user database can support. We have successfully tested Cisco Secure ACS with databases in excess of 100,000 users. The practical limit for a single Cisco Secure ACS server authenticating against all its databases, internal and external, is approximately 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated Cisco Secure ACS servers.
  
  
• Transactions per second per number of users—Assuming 10,000 users in the CiscoSecure user database, a single processor 300-MHz Pentium II server provides 80 RADIUS full login cycles (authentication, accounting start, and accounting stop) per second and approximately 40 TACACS+ logins per second. As the database grows, this performance declines roughly proportionately.
  
  
• Maximum number of AAA clients supported—Cisco Secure ACS can support AAA services for approximately 2000 network devices running a AAA client.
  
  

Cisco Secure ACS Windows Services

Cisco Secure ACS operates as a set of Windows NT or Windows 2000 services and controls the authentication, authorization, and accounting of users accessing networks.

When you install Cisco Secure ACS on your server, the installation adds several Windows services. The services provide the core of Cisco Secure ACS functionality. For a full discussion of each service, see the "Cisco Secure ACS Internal Architecture" section. The Cisco Secure ACS services on your Cisco Secure ACS server include the following:

• CSAdmin—Provides the HTML interface for administration of Cisco Secure ACS.
  
  
• CSAuth—Provides authentication services.
  
  
• CSDBSync—Provides synchronization of the CiscoSecure user database with an external RDBMS application.
  
  
• CSLog—Provides logging services, both for accounting and system activity.
  
  
• CSMon—Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
  
  
• CSTacacs—Provides communication between TACACS+ AAA clients and the CSAuth service.
  
  
• CSRadius—Provides communication between RADIUS AAA clients and the CSAuth service.
  
  

Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS HTML interface. For information about stopping and starting Cisco Secure ACS services, see the "Service Control" section.

AAA Server Functions and Concepts

Cisco Secure ACS is a AAA server, providing authentication, authorization, and accounting services to network devices that can act as AAA clients.

As a AAA server, Cisco Secure ACS incorporates many technologies to render AAA services to AAA clients. Understanding Cisco Secure ACS requires knowledge of many of these technologies. To address the most significant aspects, this section contains the following topics:

• Cisco Secure ACS and the AAA Client
  
  
• AAA ProtocolsTACACS+ and RADIUS
  
  
• Authentication
  
  
• Authorization
  
  
• Accounting
  
  
• Administration
  
  

Cisco Secure ACS and the AAA Client

A AAA client is software running on a network device that enables the network device to defer authentication, authorization, and logging (accounting) of user sessions to a AAA server. AAA clients must be configured to direct all end-user client access requests to Cisco Secure ACS for authentication of users and authorization of service requests. Using the TACACS+ or RADIUS protocol, the AAA client sends authentication requests to Cisco Secure ACS. Cisco Secure ACS verifies the username and password using the user databases it is configured to query. Cisco Secure ACS returns a success or failure response to the AAA client, which permits or denies user access, based on the response it receives. When the user authenticates successfully, Cisco Secure ACS sends a set of authorization attributes to the AAA client. The AAA client then begins forwarding accounting information to Cisco Secure ACS.

When the user has successfully authenticated, a set of session attributes can be sent to the AAA client to provide additional security and control of privileges, otherwise known as authorization. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet). More recently, networking vendors are expanding the use of the attribute sets returned to cover an increasingly wider aspect of user session provisioning.

AAA Protocols—TACACS+ and RADIUS

Cisco Secure ACS can use both the TACACS+ and RADIUS AAA protocols. Table 1-1 provides a comparison of the two protocols.

TACACS+

Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. For more information, refer to the Cisco IOS software documentation or Cisco.com (http://www.cisco.com).

RADIUS

Cisco Secure ACS conforms to the RADIUS protocol as defined in draft April 1997 and in the following Requests for Comments (RFCs):

• RFC 2138, Remote Authentication Dial In User Service
  
  
• RFC 2139, RADIUS Accounting
  
  
• RFC 2865
  
  
• RFC 2866
  
  
• RFC 2867
  
  
• RFC 2868
  
  

The ports used for authentication and accounting have changed in RADIUS RFC documents. To support both the older and newer RFCs, Cisco Secure ACS accepts authentication requests on port 1645 and port 1812. For accounting, Cisco Secure ACS accepts accounting packets on port 1646 and 1813.

In addition to support for standard IETF RADIUS attributes, Cisco Secure ACS includes support for RADIUS vendor-specific attributes (VSAs). We have predefined the following RADIUS VSAs in Cisco Secure ACS:

• Cisco IOS/PIX
  
  
• Cisco VPN 3000
  
  
• Cisco VPN 5000
  
  
• Ascend
  
  
• Juniper
  
  
• Microsoft
  
  
• Nortel
  
  

Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define. After you define a new RADIUS VSA, you can use it as you would one of the RADIUS VSAs that come predefined in Cisco Secure ACS. In the Network Configuration section of the Cisco Secure ACS HTML interface, you can configure a AAA client to use a user-defined RADIUS VSA as its AAA protocol. In Interface Configuration, you can enable user-level and group-level attributes for user-defined RADIUS VSAs. In User Setup and Group Setup, you can configure the values for enabled attributes of a user-defined RADIUS VSA.

For more information about creating user-defined RADIUS VSAs, see the "User-Defined RADIUS Vendors and VSA Sets" section.

Authentication

Authentication determines user identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use technologies such as CHAP and one-time passwords (OTPs). Cisco Secure ACS supports a wide variety of these authentication methods.

There is a fundamental implicit relationship between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. Cisco Secure ACS supports this fundamental relationship by providing various methods of authentication.

Authentication Considerations

Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Simple unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate only between the AAA client and the access control server. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords, such as the communication between an end-user client dialing up over a phone line or an ISDN line terminating at a network access server, or over a Telnet session between an end-user client and the hosting device.

Network administrators who offer increased levels of security services, and corporations that want to lessen the chance of intruder access resulting from password capturing, can use an OTP. Cisco Secure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node login. Token cards are considered one of the strongest OTP authentication mechanisms.

Authentication and User Databases

Cisco Secure ACS supports a variety of user databases. In addition to the CiscoSecure user database, Cisco Secure ACS supports several external user databases, including the following:

• Windows NT/2000 User Database
  
  
• Generic LDAP
  
  
• Novell NetWare Directory Services (NDS)
  
  
• Open Database Connectivity (ODBC)-compliant relational databases
  
  
• CRYPTOCard token server
  
  
• SafeWord token server
  
  
• AXENT token server
  
  
• RSA SecureID token server
  
  
• ActivCard token server
  
  
• Vasco token server
  
  

The various password protocols supported by Cisco Secure ACS for authentication are supported unevenly by the various databases supported by Cisco Secure ACS. Table 1-2 provides a reference of the password protocols supported by the various databases. For more information about the password protocols supported by Cisco Secure ACS, see the "Passwords" section.

Passwords

Cisco Secure ACS supports many common password protocols:

• ASCII/PAP
  
• CHAP
  
  
• MS-CHAP
  
  
• LEAP
  
  
• EAP-CHAP
  
  
• EAP-TLS
  
  
• ARAP
  
  

Passwords can be processed using these password authentication protocols based on the version and type of security control protocol used (for example, RADIUS or TACACS+) and the configuration of the AAA client and end-user client. The following sections outline the different conditions and functions of password handling.

In the case of token servers, Cisco Secure ACS acts as a client to the token server, either using its proprietary API or its RADIUS interface, depending on the token server. For more information, see the "About Token Servers and Cisco Secure ACS" section.

Different levels of security can be concurrently used with Cisco Secure ACS for different requirements. The basic user-to-network security level is PAP. Although it represents the unencrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once. CHAP allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client. You can use CHAP with the CiscoSecure user database. ARAP support is included to support Apple clients.

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.

• PAP—Uses clear-text passwords (that is, unencrypted passwords) and is the least sophisticated authentication protocol. If you are using the Windows NT/2000 user database to authenticate users, you must use PAP password encryption or MS-CHAP.
  
  
• CHAP—Uses a challenge-response mechanism with one-way encryption on the response. CHAP enables Cisco Secure ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the CiscoSecure user database for authentication, you can use either PAP or CHAP. CHAP does not work with the Windows NT/2000 user database.
  
  
• ARAP—Uses a two-way challenge-response mechanism. The AAA client challenges the end-user client to authenticate itself, and the end-user client challenges the AAA client to authenticate itself.
  
  

MS-CHAP

Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP and standard CHAP are the following:

• The MS-CHAP Response packet is in a format compatible with Microsoft Windows NT/2000, Windows 95/98/ME, and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
  
• MS-CHAP provides an authentication-retry mechanism controlled by the authenticator.
  
  
• MS-CHAP provides additional failure codes in the Failure packet Message field.
  
  

For more information on MS-CHAP, refer to RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.

Basic Password Configurations

There are several basic password configurations:

Note   These configurations are all classed as inbound authentication.

• Single password for ASCII/PAP/CHAP/MS-CHAP/ARAP—This is the most convenient method for both the administrator when setting up accounts and the user when obtaining authentication. However, because the CHAP password is the same as the PAP password, and the PAP password is transmitted in clear text during an ASCII/PAP login, there is the chance that the CHAP password can be compromised.
  
• Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAP—For a higher level of security, users can be given two separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password can remain secure.
  
• External user database authentication—For authentication by an external user database, the user does not need a password stored in the CiscoSecure user database. Instead, Cisco Secure ACS records which external user database it should query to authenticate the user.
  

Advanced Password Configurations

In addition to the basic password configurations listed above, Cisco Secure ACS supports the following:

• Inbound passwords—Passwords used by most Cisco Secure ACS users. These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure user database and are not usually given up to an external source if an outbound password has been configured.
  
• Outbound passwords—The TACACS+ protocol supports outbound passwords that can be used, for example, when a AAA client has to be authenticated by another AAA client and end-user client. Passwords from the CiscoSecure user database are then sent back to the second AAA client and end-user client.
  
• Token caching—When token caching is enabled, ISDN users can connect (for a limited time) a second B Channel using the same OTP entered during original authentication. For greater security, the B-Channel authentication request from the AAA client should include the OTP in the username value (for example Fredpassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user's configuration.
  

The TACACS+ SENDAUTH feature enables a AAA client to authenticate itself to another AAA client or an end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, we recommend that the separate SENDAUTH password be configured for the user so that Cisco Secure ACS inbound passwords are never compromised.

If you want to use outbound passwords and maintain the highest level of security, we recommend that you configure users in the CiscoSecure user database with an outbound password that is different from the inbound password.

Password Aging

With Cisco Secure ACS you can choose whether and how you want to employ password aging. Control for password aging may reside either in the CiscoSecure user database, or in the Windows NT/2000 directory. Each password aging mechanism differs as to requirements and setting configurations.

The password aging feature controlled by the CiscoSecure user database enables you force users to change their passwords under any of the following conditions:

• After a specified number of days
  
  
• After a specified number of logins
  
  
• The first time a new user logs in
  
  

For information on the requirements and configuration of the password aging feature controlled by the CiscoSecure user database, see the "Enabling Password Aging for the CiscoSecure User Database" section.

The Windows NT/2000-based password aging feature enables you to control the following password aging parameters:

• Maximum password age in days
  
  
• Minimum password age in days
  
  

The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000 and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). For information on the requirements and configuration of the Windows-based password aging feature, see the "Enabling Password Aging for Users in Windows Databases" section.

User-Changeable Passwords

With Cisco Secure ACS, you can install a separate program that enables users to change their passwords by using a web-based utility. For more information about installing user-changeable passwords, refer to the Web Server Installation for Cisco Secure ACS for Windows NT/2000 User-Changeable Passwords quick reference card.

Other Authentication-Related Features

In addition to the authentication-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Authentication of unknown users with external user databases (see the "Unknown User Processing" section)
  
  
• Microsoft Windows Callback feature (see the "Setting User Callback Option" section)
  
  
• Ability to import a UNIX password file to the CiscoSecure user database (see the "Importing User and AAA Client Information" section)
  
  
• Ability for external users to authenticate via an enable password (see the "Setting TACACS+ Enable Password Options for a User" section)
  
  
• Proxy of authentication requests to other AAA servers (see the "Proxy in Distributed Systems" section)
  
  
• Configurable character string stripping from proxied authentication requests (see the "Stripping" section)
  
  

Authorization

Authorization determines what a user is allowed to do. Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

The Cisco Secure ACS access restrictions feature enables you to permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 A.M. to 5 P.M.

You can restrict users to a service or combination of services such as PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.

Max Sessions

Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:

• User Max Sessions—For example, an Internet service provider can limit each account holder to a single session.
  
  
• Group Max Sessions—For example, an enterprise administrator can allow the remote access infrastructure to be shared equally among several departments and limit the maximum number of concurrent sessions for all users in any one department.
  
  

In addition to simple User and Group Max Sessions control, Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group "Sales" and also limit each member of the "Sales" group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.

Dynamic Usage Quotas

Cisco Secure ACS enables you to define usage quotas for users. You can limit the network access of each user in a group or of individual users. You define quotas by duration of sessions or the total number of sessions. Quotas can be either absolute or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed.

To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off and the accounting stop packet is received from the AAA client. If the AAA client through which the user is accessing your network fails, the session information is not updated. In the case of multiple sessions, such as with ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the user's quota.

Other Authorization-Related Features

In addition to the authorization-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Group administration of users, with support for up to 500 groups (see the "Setting Up and Managing User Groups" section)
  
  
• Ability to map a user from an external user database to a specific Cisco Secure ACS group (see the "Database Group Mappings" section)
  
  
• Ability to disable an account after a number of failed attempts, specified by the administrator (see the "Setting Options for User Account Disablement" section)
  
  
• Ability to disable an account on a specific date (see the "Setting Options for User Account Disablement" section)
  
  
• Ability to restrict time-of-day and day-of-week access (see the "Setting Default Time of Day Access for a User Group" section)
  
  
• Ability to restrict network access based on remote address caller line identification (CLID) and dialed number identification service (DNIS) (see the "Setting Network Access Restrictions for a User Group" section)
  
  
• IP Pools for IP address assignment of end-user client hosts (see the "Setting IP Address Assignment Method for a User Group" section)
  
  
• Per-user and per-group TACACS+ or RADIUS attributes (see the "Advanced Options" section)
  
  
• Support for Voice over IP (VoIP), including configurable logging of accounting data (see the "Enabling VoIP Support for a User Group" section)
  
  

Accounting

AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending upon your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are the following:

• TACACS+ Accounting—Lists when sessions start and stop; records AAA client messages with username; provides caller line identification information; records the duration of each session.
  
  
• RADIUS Accounting—Lists when sessions stop and start; records AAA client messages with username; provides caller line identification information; records the duration of each session.
  
  
• Administrative Accounting—Lists commands entered on a network device with TACACS+ command authorization enabled.
  
  

For more information about Cisco Secure ACS logging capabilities, see "Working with Logging and Reports".

Other Accounting-Related Features

In addition to the accounting-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Centralized logging, allowing several Cisco Secure ACS servers to forward their accounting data to a remote Cisco Secure ACS server (see the "Remote Logging" section)
  
  
• Configurable supplementary user ID fields for capturing additional information in logs (see the "User Data Configuration Options" section)
  
  
• Configurable logs, allowing you to capture as much information as needed (see the "Accounting Logs" section)
  
  

Administration

To configure, maintain, and protect its AAA functionality, Cisco Secure ACS provides a flexible administration scheme. You can perform nearly all administration of Cisco Secure ACS through its HTML interface.

You can access the HTML interface from computers other than the Cisco Secure ACS server. This enables remote administration of Cisco Secure ACS. For more information about the HTML interface, including steps for accessing the HTML interface, see the "Cisco Secure ACS HTML Interface" section.

HTTP Port Allocation for Remote Administrative Sessions

The HTTP port allocation feature allows you to configure the range of TCP ports used by Cisco Secure ACS for remote administrative HTTP sessions (that is, administrative sessions conducted by a browser running on a computer other than the Cisco Secure ACS server). Narrowing this range with the HTTP port allocation feature reduces the risk of unauthorized access to your network by a port open for administrative sessions.

We do not recommend that you administer Cisco Secure ACS through a firewall. Doing so requires that you configure the firewall to permit HTTP traffic over the range of HTTP administrative session ports that Cisco Secure ACS uses. While narrowing this range reduces the risk of unauthorized access, a greater risk of attack remains if you allow administration of Cisco Secure ACS from outside a firewall. A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a remote web browser must access to initiate an administrative session.

Note   A broad HTTP port range could create a security risk. To prevent accidental discovery of an active administrative port by unauthorized users, keep the HTTP port range as narrow as possible. Cisco Secure ACS tracks the IP address associated with each remote administrative session. An unauthorized user would have to impersonate, or "spoof", the IP address of the legitimate remote host to make use of the active administrative session HTTP port.

For information about configuring the HTTP port allocation feature, see the "Access Policy" section.

Network Device Groups

With a network device group (NDG), you can view and administer a collection of AAA clients and AAA servers as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS—discrete devices such as an individual router, access server, AAA server, or PIX Firewall, and NDGs, which are named collection of AAA clients and AAA servers.

A network device can belong to only one NDG at a time.

Using NDGs enables an organization with a large number of AAA clients spread across a large geographical area to logically organize its environment within Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if each region's AAA clients were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.

You can assign a group of users to an NDG. For more information on NDGs, see the "Network Device Group Configuration" section.

Other Administration-Related Features

In addition to the administration-related features discussed in this section, the following features are provided by Cisco Secure ACS:

• Ability to define different privileges per administrator (see the "Administrator Accounts" section)
  
  
• Ability to log administrator activities (see the "Administration Audit Log" section)
  
  
• Ability to view a list of logged-in users (see the "Logged-In Users Report" section)
  
  
• CSMonitor service, providing monitoring, notification, logging, and limited automated failure response (see the "Cisco Secure ACS Active Service Management" section)
  
  
• Ability to import of large numbers of users with the CSUtil.exe command-line utility (see the "Cisco Secure ACS Command-Line Database Utility" section)
  
  
• Synchronization of the CiscoSecure user database with a relational database management system (RDBMS) (see the "RDBMS Synchronization" section)
  
  
• Replication of CiscoSecure user database components to other Cisco Secure ACS servers (see the "CiscoSecure Database Replication" section)
  
  
• Scheduled and on-demand Cisco Secure ACS system backups (see the "Cisco Secure ACS Backup" section)
  
  
• Ability to restore Cisco Secure ACS configuration, user accounts, and group profiles from a backup file (see the "Cisco Secure ACS System Restore" section)
  
  

Cisco Secure ACS HTML Interface

This section discusses the Cisco Secure ACS HTML interface and provides procedures for using it. This section contains the following topics:

• About the Cisco Secure ACS HTML Interface
  
  
• HTML Interface Layout
  
  
• Uniform Resource Locator for the HTML Interface
  
  
• Network Environments and Remote Administrative Sessions
  
  
• Accessing the HTML Interface
  
  
• Logging Off the HTML Interface
  
  
• Online Help and Online Documentation
  
  

About the Cisco Secure ACS HTML Interface

After installing Cisco Secure ACS, you configure and administer it through the HTML interface. The HTML interface enables you to easily modify Cisco Secure ACS configuration from any connection on your LAN or WAN.

The Cisco Secure ACS HTML interface is designed to be viewed using a web browser. The design primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java. For a list of supported browsers, see the Release Notes. The latest revision to the Release Notes is posted on Cisco.com (http://www.cisco.com).

The HTML interface not only makes viewing and editing user and group information possible, it also enables you to restart services, add remote administrators, change AAA client information, back up the system, view reports from anywhere on the network, and more. The reports track connection activity, show which users are logged in, list the failed authentication and authorization attempts, and show administrators' recent tasks.

HTML Interface Layout

The HTML interface has three vertical partitions, known as frames:

• Navigation Bar—The gray frame on the left of the browser window, the navigation bar contains the task buttons. Each button changes the configuration area (see below) to a unique section of the Cisco Secure ACS application, such as the User Setup section or the Interface Configuration section. This frame does not change; it always contains the following buttons:
  
  
  • User Setup—Add and edit user profiles
    
    
  • Group Setup—Configure network services and protocols for groups of users
    
    
  • Shared Profile Components—Add and edit network access restriction and command authorization sets, to be applied to users and groups
    
    
  • Network Configuration—Add and edit network access devices and configure distributed systems
    
    
  • System Configuration—Configure database information and accounting
    
    
  • Interface Configuration—Display or hide product features and options to be configured
    
    
  • Administration Control—Define and configure access policies
    
    
  • External User Databases—Configure external databases for authentication
    
    
  • Reports and Activity—Display accounting and logging information
    
    
  • Online Documentation—View the Cisco Secure ACS User Guide
    
    
• Configuration Area—The frame in the middle of the browser window, the configuration area displays web pages that belong to one of the sections represented by the buttons in the navigation bar. The configuration area is where you add, edit, or delete information. For example, you configure user information in this frame on the User Setup Edit page.
  
  

  ---

  Note   Most pages have a Submit button at the bottom. Click Submit to confirm your changes. If you do not click Submit, changes are not saved.

  ---

• Display Area—The frame on the right of the browser window, the display area shows one of the following options:
  
  
  • Online Help—Displays basic help about the page currently shown in the configuration area. This help is not intended to offer in-depth information, but rather give some basic information about what can be accomplished in the middle frame. For more detailed information, click Section Information at the bottom of the page to go to the applicable part of Online Documentation.
    
  • Reports or Lists—Displays lists or reports, including accounting reports. For example, in User Setup you can show all usernames that start with a specific letter. The list of usernames beginning with a specified letter is displayed in this section. The usernames are hyperlinks to the specific user configuration, so clicking the name enables you to edit that user.
    
  • System Messages—Displays messages after you click Submit if you have typed in incorrect or incomplete data. For example, if the information you entered in the Password box does not match the information in the Confirm Password box in the User Setup section, Cisco Secure ACS displays an error message here. The incorrect information remains in the configuration area so that you can retype and resubmit the information correctly.
    

Uniform Resource Locator for the HTML Interface

The HTML interface is available by web browser at one of the following uniform resource locators (URLs):

• http://Windows server IP address:2002
  
  
• http://Windows server host name:2002
  
  

From the server on which Cisco Secure ACS is installed, you can also use the following URLs:

• http://localhost:2002
  
• http://127.0.0.1:2002
  

Network Environments and Remote Administrative Sessions

We recommend that remote administrative sessions take place without the use of an HTTP proxy server, without a firewall between the remote browser and the Cisco Secure ACS server, and without a NAT gateway between the remote browser and the Cisco Secure ACS server. Because these limitations are not always practical, we included the following topics regarding these remote administration scenarios.

Remote Administrative Sessions and HTTP Proxy

Cisco Secure ACS does not support HTTP proxy for remote administrative sessions. If the browser used for a remote administrative session is configured to use a proxy server, Cisco Secure ACS sees the administrative session originating from the IP address of the proxy server rather than the actual address of the remote workstation. Remote administrative session tracking assumes each browser resides on a workstation with a unique IP.

Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the workstation. This conflicts with administrative session communication that does use the actual IP address of the workstation. For more information about IP filtering of remote administrative sessions, see the "Access Policy" section.

For these reasons, we do not recommend performing administrative sessions using a web browser that is configured to use a proxy server. Administrative sessions using a proxy-enabled web browser is not tested. If your web browser is configured to use a proxy server, disable HTTP proxying when attempting remote Cisco Secure ACS administrative sessions.

Remote Administrative Sessions through Firewalls

In the case of firewalls that do no perform network address translation (NAT), remote administrative sessions conducted across the firewall can require additional configuration of Cisco Secure ACS and the firewall. This is because Cisco Secure ACS assigns a random HTTP port at the beginning of a remote administrative session.

To allow remote administrative sessions from browsers outside a firewall that protects a Cisco Secure ACS server, the firewall must allow HTTP traffic across the range of ports that Cisco Secure ACS is configured to use. You can control the HTTP port range using the HTTP port allocation feature. For more information about the HTTP port allocation feature, see the "HTTP Port Allocation for Remote Administrative Sessions" section.

While administering Cisco Secure ACS through a firewall that is not performing NAT is possible, we do not recommend that you administer Cisco Secure ACS through a firewall. For more information, see the "HTTP Port Allocation for Remote Administrative Sessions" section.

Remote Administrative Sessions through a NAT Gateway

We do not recommend conducting remote administrative sessions across a network device performing NAT. If the administrator runs a browser on a workstation behind a NAT gateway, Cisco Secure ACS receives the HTTP requests from the NAT device's public IP address, which conflicts with the workstation's private IP address, included in the content of the HTTP requests. Cisco Secure ACS does not permit this.

If the Cisco Secure ACS server is behind a NAT gateway, you could configure the gateway to forward all connections to port 2002 to the Cisco Secure ACS server, using the same port. Additionally, all the ports allowed using the HTTP port allocation feature would have to be similarly mapped. We have not tested such a configuration and do not recommend implementing it.

Accessing the HTML Interface

Remote administrative sessions always require that you login using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, Cisco Secure ACS requires a valid administrator name and password for administrative sessions accessed from a browser on the Cisco Secure ACS server.

To access the HTML interface, follow these steps:

Step 2   In the Address or Location bar in the web browser, type the applicable URL. For a list of possible URLs, see the "Uniform Resource Locator for the HTML Interface" section.

Step 3   If the Cisco Secure ACS for Windows 2000/NT Login page appears, follow these steps:

Result: The Cisco Secure ACS for Windows 2000/NT initial page appears.

Logging Off the HTML Interface

When you are finished using the HTML interface, we recommend that you log off. While Cisco Secure ACS can timeout unused administrative sessions, logging off prevents unauthorized access by someone using the browser after you or by unauthorized persons using the HTTP port left open to support the administrative session.

To log off the Cisco Secure ACS HTML interface, click the Logoff button.

Note   The Logoff button appears in the upper right corner of the browser window, except on the initial page, where it appears in the upper left of the configuration area.

Online Help and Online Documentation

We provide two sources of information in the HTML interface:

• Online Help—Contains basic information about the page shown in the configuration area.
  
  
• Online Documentation—Contains the entire user guide.
  
  

Using Online Help

Online help is the default content in the display area. For every page that appears in the configuration area, there is a corresponding online help page. At the top of each online help page is a list of topics covered by that page.

To jump from the top of the online help page to a particular topic, click the topic name in the list at the top of the page.

There are three icons that appear on many pages in Cisco Secure ACS:

• Question Mark—Many subsections of the pages in the configuration area contain an icon with a question mark. To jump to the applicable topic in an online help page, click the question mark icon.
  
  
• Section Information—Many online help pages contain a Section Information icon at the bottom of the page. To view an applicable section of the online documentation, click the Section Information icon.
  
  
• Back to Help—Wherever you find a online help page with a Section Information icon, the corresponding page in the configuration area contains a Back to Help icon. If you have accessed the online documentation by clicking a Section Information icon and want to view the online help page again, click the Back to Help icon.
  
  

Using the Online Documentation

The Cisco Secure ACS online documentation is the user guide for Cisco Secure ACS. The user guide provides information about the configuration, operation, and concepts of Cisco Secure ACS. The information presented in the online documentation is as current as the release date of the Cisco Secure ACS version you are using. For the most up-to-date documentation about Cisco Secure ACS, please go to http://www.cisco.com

Tips Click Section Information on any online help page to view online documentation relevant to the section of the HTML interface you are using.

To access online documentation, follow these steps:

Tips To open the online documentation in a new browser window, right-click Online Documentation, and then click Open Link in New Window (for Microsoft Internet Explorer) or Open in New Window (for Netscape Navigator).

Result: The table of contents opens in the configuration area.

Step 2   To select a topic from the table of contents, scroll through the table of contents and click the applicable topic.

Result: The online documentation for the topic selected appears in the display area.

Step 3   To select a topic from the index, follow these steps:

Result: The index appears in the display area.

Tips Use the lettered shortcut links to jump to a particular section of the index.

Result: Entries appear with numbered links after them. The numbered links lead to separate instances of the entry topic.

Result: The online documentation for the topic selected appears in the display area.

Step 4   To print the online documentation, click in the display area, and then click Print in your browser's navigation bar.