Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Setting Up the Cisco Secure ACS HTML Interface
Download this chapter
Setting Up the Cisco Secure ACS HTML InterfaceSetting Up the Cisco Secure ACS HTML Interface
give_us_feedback

Table of Contents

Setting Up the Cisco Secure ACS HTML Interface
Interface Design Concepts
 User Data Configuration Options
 Advanced Options
 Protocol Configuration Options for TACACS+
 Protocol Configuration Options for RADIUS

Setting Up the Cisco Secure ACS HTML Interface

Ease of use is the overriding design principle of the HTML interface in the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS). Cisco Secure ACS presents intricate concepts of network security from the perspective of an administrator. The Interface Configuration section of Cisco Secure ACS enables you to configure the Cisco Secure ACS HTML interface—you can tailor the interface to simplify the screens you will use by hiding the features that you do not use and by adding fields for your specific configuration.

This chapter presents the details of configuring the Cisco Secure ACS interface through four topics:

While it is logical to begin your Cisco Secure ACS configuration efforts here—configuring the interface—we also recommend that you return to this section to review and confirm your initial settings. Sometimes a section of the HTML interface that you initially believed should be hidden from view may later require configuration from within this section.

Tip If a section of the Cisco Secure ACS HTML interface appears to be "missing" or "broken" return to the Interface Configuration section and confirm that the particular section has been activated.

Interface Design Concepts

Before you begin to configure the Cisco Secure ACS HTML interface for your particular configuration, it is helpful to understand a few basic precepts of the system's operation. The information in the following sections is necessary for effective interface configuration.

User-to-Group Relationship

A user can belong to only one group at a time. As long as there are no conflicting attributes, users inherit group settings.

Note   If a user profile has an attribute configured differently from the same attribute in the group profile, the user setting always overrides the group setting.

If a user has a unique configuration requirement, you can make that user a part of a group and set unique requirements on the User Setup page, or you can assign that user to his or her own group.

Per-User or Per-Group Features

You can configure most features at both group and user levels, with the following exceptions:

  • User level only—Static IP address, password, and expiration
  • Group level only—Password aging and time-of-day/day-of-week restrictions

User Data Configuration Options

The Configure User Defined Fields page enables you to add (or edit) up to five fields for recording information on each user. The fields you define in this section subsequently appear in the Supplementary User Information section at the top of the User Setup page. For example, you could add the user's company name, telephone number, department, billing code, and so on. You can also include these fields in the accounting logs. For more information about the accounting logs, see the "About Cisco Secure ACS Logs and Reports" section. For information on the data fields that comprise these options, see the "User-Defined Attributes" section.

Defining New User Data Fields

To configure new user data fields, follow these steps:

Step 1   Click Interface Configuration and then click User Data Configuration.

Result: The Configure User Defined Fields page appears. Check boxes in the Display column indicate which fields are configured to appear in the Supplementary User Information section at the top of the User Setup page.

Step 2   Select a check box in the Display column.

Step 3   In the corresponding Field Title box, type a title for the new field.

Step 4   To configure another field, repeat step 2 and step 3.

Step 5   When you have finished configuring new user data fields, click Submit.

Tip You can change the title of a field by editing the text in the Field Title box and then clicking Submit.



Advanced Options

This feature enables you to determine which advanced features Cisco Secure ACS displays. You can simplify the pages displayed in other areas of the Cisco Secure ACS HTML interface by hiding advanced features that you do not use. Many of these options do not appear if they are not enabled.

Caution   Disabling an advanced option in the Interface Configuration section does not affect anything except the display of that function in the CSACS HTML interface. Settings made while an advanced option was active (selected) remain in effect when that advanced option is no longer displayed in the interface (de-selected). Further, the interface displays any advanced option that is enabled or has non-default values, even if you have configured that advanced option to be hidden. If you later disable the option or delete its value, Cisco Secure ACS hides the advanced option.

The advanced option features include the following:

  • Per-User TACACS+/RADIUS Attributes—When selected, this feature enables TACACS+/RADIUS attributes to be set at a per-user level, in addition to being set at the group level.
  • User-Level Network Access Restriction SetsWhen selected, this feature enables the Shared Profile Component network access restrictions (NARs) options on the User Setup page. These options allow you to apply previously configured, named, IP-based and CLID/DNIS-based NARs at the user level. For information on defining a NAR, or NAR set, within Shared Profile Components, see the "Shared Network Access Restrictions Configuration" section.
  • User-Level Network Access RestrictionsWhen selected, this feature enables the two sets of options for defining user-level, IP-based and CLI/DNIS-based NARs on the User Setup page.
  • User-Level Downloadable ACLsWhen selected, this feature enables the Downloadable ACLs section on the User Setup page.
  • Default Time-of-Day/Day-of-Week SpecificationWhen selected, this feature enables the default time-of-day/day-of-week access settings grid on the Group Setup page.
  • Group-Level Network Access Restriction SetsWhen selected, this feature enables the Shared Profile Component NAR options on the Group Setup page. These options allow you to apply previously configured, named, IP-based and CLID/DNIS-based NARs at the group level. For information on defining a NAR, or NAR set, within Shared Profile Components, see the "Shared Network Access Restrictions Configuration" section.
  • Group-Level Network Access RestrictionsWhen selected, this feature enables the two sets of options for defining group-level, IP-based and CLI/DNIS-based NARs on the on the Group Setup page.
  • Group-Level Downloadable ACLsWhen selected, this feature enables the Downloadable ACLs section on the Group Setup page.
  • Group-Level Password AgingWhen selected, this feature enables the Password Aging section on the Group Setup page. The Password Aging feature enables you to force users to change their passwords.
  • Max SessionsWhen selected, this feature enables the Max Sessions section on the User Setup and Group Setup pages. The Max Sessions option sets the maximum number of simultaneous connections for a group or a user.
  • Usage Quotas—When selected, this feature enables the Usage Quotas sections on the User Setup and Group Setup pages. The Usage Quotas option sets one or more quotas for usage by a group or a user.
  • Distributed System SettingsWhen selected, this feature displays the AAA server and proxy table on the Network Interface page. If the tables are not empty and have information other than the defaults in them, they always appear.
  • Remote LoggingWhen selected, this feature enables the Remote Logging feature in the Logging page of the System Configuration section.
  • Cisco Secure ACS Database ReplicationWhen selected, this feature enables the Cisco Secure ACS database replication information on the System Configuration page.
  • RDBMS SynchronizationWhen selected, this feature enables the RDBMS (Relational Database Management System) Synchronization option on the System Configuration page. If RDBMS Synchronization is configured, this option always appears.
  • IP Pools—When selected, this feature enables the IP Pools Address Recovery and IP Pools Server options on the System Configuration page.
  • Network Device GroupsWhen selected, this option enables network device groups (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers). This feature is useful if you have many devices to administer.
  • Voice over IP (VoIP) Group SettingsWhen selected, this feature enables the VoIP option on the Group Setup page.
  • Voice-over-IP (VoIP) Accounting Configuration—When selected, this feature enables the VoIP Accounting Configuration option on the System Configuration page. This option is used to determine the logging format of RADIUS VoIP accounting packets.
  • ODBC LoggingWhen selected, this feature enables the ODBC logging sections on the Logging page of the System Configuration section.

Setting Advanced Options for the Cisco Secure ACS User Interface

To set advanced options for the Cisco Secure ACS HTML interface, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click Advanced Options.

Result: The Advanced Options table appears.

Step 3   Select each option that you want displayed (enabled) in the Cisco Secure ACS HTML interface.

Caution   Disabling an advanced option in the Interface Configuration section does not affect anything except the display of that function in the Cisco Secure ACS interface. Settings made while an advanced option was active (selected) remain in effect when that advanced option is no longer displayed in the interface (de-selected).

Step 4   When you have finished making selections, click Submit.

Result: Cisco Secure ACS alters the contents of various sections of the HTML interface according to the selections made.




Protocol Configuration Options for TACACS+

The TACACS+ (Cisco) section details the configuration of the Cisco Secure ACS HTML interface for TACACS+ settings. The interface settings enable you to display or hide TACACS+ administrative and accounting options. You can simplify the HTML interface by hiding the features that you do not use.

The TACACS+ (Cisco) section comprises three distinct areas, as follows:

Tip The default interface setting presents a single column of check boxes, at the group level only, for selecting TACACS+ Services Settings and New Service Settings. To view two columns of check boxes that enable you to configure settings at the Group level or the User level, you must have enabled the Per-user TACACS+/RADIUS Attributes option on the Advanced Options page of Interface Configuration section.
  • TACACS+ Services Settings—In this area is a list of the most commonly used services and protocols for TACACS+. You select each TACACS+ service that you want to appear as a configurable option on either the User Setup page or Group Setup page.
  • New Services—In this area you can enter any services or protocols particular to your network configuration.
  • Advanced Configuration Options—In this area you can add more detailed information for even more tailored configurations.

The four items you can choose to hide or display are as follows:

  • Advanced TACACS+ Features—This option displays or hides the Advanced TACACS+ Options section on the User Setup page. These options include Privilege Level Authentication and Outbound Password Configuration for SENDPASS and SENDAUTH clients, such as routers.
  • Display a Time-of-Day access grid for every TACACS+ service where you can override the default Time-of-Day settings—If this option is selected, a grid appears on the User Setup page that enables you to override the TACACS+ scheduling attributes on the Group Setup page.

You can control the use of each TACACS+ service by the time of day and day of week. For example, you can restrict Exec (Telnet) access to business hours but permit PPP-IP access at any time.

The default setting is to control time-of-day access for all services as part of authentication. However, you can override the default and display a time-of-day access grid for every service. This keeps user and group setup easy to manage, while making this feature available for the most sophisticated environments. This feature applies only to TACACS+ because TACACS+ can separate the authentication and authorization processes. RADIUS time-of-day access applies to all services. If both TACACS+ and RADIUS are used simultaneously, the default time-of-day access applies to both. This provides a common method to control access regardless of the access control protocol.

  • Display a window for each service selected in which you can enter customized TACACS+ attributes—If this option is selected, an area appears on the User Setup and Group Setup pages that enables you to enter custom TACACS+ attributes.

Cisco Secure ACS can also display a custom command field for each service. This text field enables you to make specialized configurations to be downloaded for a particular service for users in a particular group.

You can use this feature to send many TACACS+ commands to the access device for the service, provided that the device supports the command, and that the command syntax is correct. This feature is disabled by default, but you can enable it the same way you enable attributes and time-of-day access.

  • Display enable Default (Undefined) Service Configuration—If this check box is selected, an area appears on the User Setup and Group Setup pages that enables you to permit unknown TACACS+ services, such as CDP.
Note    This option should be used by advanced system administrators only.
Note   Customized settings at the user level take precedence over settings at the group level.

Setting Options for TACACS+

This procedure enables you to display or hide TACACS+ administrative and accounting options. It is unlikely that you will use every service and protocol available for TACACS+. Displaying each would make setting up a user or group cumbersome. To simplify setup, you can use the TACACS+ (Cisco IOS) Edit page to customize the services and protocols that appear.

To configure the user interface for TACACS+ options, follow these steps:

Note   The Cisco Secure ACS HTML interface displays any protocol option that is enabled or has non-default values, even if you have configured that protocol option to be hidden. This behavior prevents Cisco Secure ACS from hiding active settings. If you later disable the option or delete its value, Cisco Secure ACS hides the protocol option.
Step 1   Click Interface Configuration.

Step 2   Click TACACS+ (Cisco IOS).

Result: The TACACS+ (Cisco) page of the Interface Configuration section appears.

Step 3   In the TACACS+ Services table, select the check box for each TACACS+ service you want displayed on the applicable setup page.

Step 4   To add new services and protocols, follow these steps:

a. In the New Services section of the TACACS+ Services table, type in any Service and Protocol to be added.

b. Select the appropriate check box to select those that should be displayed for configuration either under User Setup, or Group Setup, or both.

Step 5   In the Advanced Configurations Options section, select the check boxes of the display options you want to enable.

Step 6   When you have finished setting TACACS+ interface display options, click Submit.

Result: The selections made in this procedure determine what TACACS+ options Cisco Secure ACS displays in other sections of the HTML interface.




Protocol Configuration Options for RADIUS

This section details the configuration of the Cisco Secure ACS HTML interface for RADIUS settings. The interface settings enable you to display or hide various RADIUS administrative and accounting options. You can simplify the HTML interface by hiding the features that you do not use.

Provided that you have the corresponding AAA clients configured, the User Interface section displays the following RADIUS protocol configuration selections:

  • (IETF) RADIUS Settings—This page lists all attributes available for (IETF) RADIUS.

These standard (IETF) RADIUS attributes are available for any network device configuration when using RADIUS. If you want to use IETF attribute number 26, the vendor-specific attribute (VSA), select Interface Configuration and then RADIUS for the vendors whose network devices you use. Attributes for (IETF) RADIUS and the VSA for each RADIUS network device vendor supported by Cisco Secure ACS appear in User Setup or Group Setup.

Note    The RADIUS (IETF) attributes are shared with RADIUS VSAs. You must configure the first RADIUS attributes from RADIUS (IETF) for the RADIUS vendor.

The Tags to Display Per Attribute option (located under Advanced Configuration Options) enables you to specify how many values to display for tagged attributes on the User Setup and Group Setup pages. Examples of tagged attributes include [064]Tunnel-Type and [069]Tunnel-Password.

For detailed procedural information, see the "Setting Protocol Configuration Options for (IETF) RADIUS" section.

While Cisco Secure ACS ships with these listed VSAs prepackaged, it also enables you to define and configure custom attributes for any VSA set not already contained in Cisco Secure ACS. If you have configured a custom VSA and a corresponding AAA client, from the Interface Configuration section you can select the custom VSA and then set the options for how particular attributes appear as configurable options on the User Setup or Group Setup page. For information about creating user-defined RADIUS VSAs, see the "User-Defined RADIUS Vendors and VSA Sets" section.

Radius (Cisco Aironet) is not listed in Internet Configuration because there is no configuration required.

Setting Protocol Configuration Options for (IETF) RADIUS

This procedure enables you to hide or display any of the standard (IETF) RADIUS attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

Note   If the Per-user TACACS+/RADIUS Attributes check box in Interface Configuration: Advanced Options is selected, a User check box appears alongside the Group check box for each attribute.
Note   Each selected IETF RADIUS attribute must be supported by all network devices using RADIUS.

To set protocol configuration options for (IETF) RADIUS attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (IETF).

Result: The RADIUS (IETF) page appears.

Step 3   For each IETF RADIUS attribute that you want to appear as a configurable option on the User Setup or Group Setup page, select the corresponding check box.

Note    Each attribute selected must be supported by your RADIUS network devices.
Note    Attributes marked "*" are sent from the AAA client to the RADIUS server and hence cannot be configured in the RADIUS setup screens.

Step 4   To specify how many values to display for tagged attributes on the User Setup and Group Setup pages, select the Tags to Display Per Attribute option, and then select a value from the corresponding list. Examples of tagged attributes are [064] Tunnel-Type and [069] Tunnel-Password.

Step 5   When you have finished selecting the attributes, click Submit at the bottom of the page.

Result: Each IETF RADIUS attribute that you selected appears as a configurable option on the User Setup or Group Setup page, as applicable.




Setting Protocol Configuration Options for RADIUS (Cisco IOS/PIX)

This procedure allows you to enable the Cisco IOS/PIX RADIUS VSA. Selecting this attribute displays an entry field under User Setup and/or Group Setup in which any TACACS+ commands can be entered to fully leverage TACACS+ in a RADIUS environment.

Note   If the Per-user TACACS+/RADIUS Attributes check box in Interface Configuration: Advanced Options is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for the Cisco RADIUS attribute follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Cisco IOS/PIX).

Result: The RADIUS (Cisco IOS/PIX) page appears.

Step 3   Select the check box for either User or Group, or both, next to attribute number 26, the VSA for Cisco.

Step 4   Click Submit at the bottom of the page.

Result: According to your selections, the attribute for the Cisco RADIUS VSA appears on the User Setup or Group Setup pages, or both, as a configurable option with a field in which you can enter TACACS+ commands.




Setting Protocol Configuration Options for RADIUS (Ascend)

This procedure enables you to hide or display RADIUS (Ascend) attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

Note   If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for RADIUS (Ascend) attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Ascend).

Result: The Edit RADIUS (Ascend) page appears, listing extended attributes.

Step 3   For each RADIUS (Ascend) attribute that you want to appear as a configurable option on the User Setup or Group Setup page, select the corresponding check box.

Note    Each attribute selected must be supported by your RADIUS network devices.

Step 4   Click Submit at the bottom of the page.




Setting Protocol Configuration Options for RADIUS (Cisco VPN 3000)

This procedure enables you to hide or display RADIUS (Cisco VPN 3000 Concentrator) attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

The RADIUS (Cisco VPN 3000 Concentrator) page lists all the attributes available for Cisco VPN 3000 Concentrator RADIUS.

Note   If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for RADIUS (Cisco VPN 3000) attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Cisco VPN 3000).

Result: The RADIUS (Cisco VPN 3000 Concentrator) edit page appears.

Step 3   Select the check box for either User or Group, or both, for each RADIUS (Cisco VPN 3000) service you want to appear as a configurable option on the User Setup or Group Setup page.

Note    Each attribute selected must be supported by the Cisco VPN 3000 Concentrator RADIUS network devices.

Step 4   When you have finished selecting the attributes, click Submit at the bottom of the page.




Setting Protocol Configuration Options for RADIUS (Cisco VPN 5000)

This procedure enables you to hide or display RADIUS (Cisco VPN 5000 Concentrator) attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

The RADIUS (Cisco VPN 5000 Concentrator) page lists all the attributes available for Cisco VPN 5000 Concentrator RADIUS.

Note   If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for RADIUS (Cisco VPN 5000) attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Cisco VPN 5000).

Result: The RADIUS (Cisco VPN 3000 Concentrator) edit page appears.

Step 3   Select the check box for either User or Group, or both, for each RADIUS (Cisco VPN 5000) service you want to appear as a configurable option on the User Setup or Group Setup page.

Note    Each attribute selected must be supported by the Cisco VPN 5000 Concentrator RADIUS network devices.

Step 4   Click Submit at the bottom of the page.




Setting Protocol Configuration Options for RADIUS (Microsoft)

This procedure enables you to hide or display RADIUS (Microsoft) attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

The RADIUS (Microsoft) page lists all the attributes available for Microsoft RADIUS.

Note   If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for RADIUS (Microsoft) attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Microsoft).

Result: The RADIUS (Microsoft) edit page appears.

Step 3   Select the check box for either User or Group, or both, for each RADIUS (Microsoft) service you want to appear as a configurable option on the User Setup or Group Setup page.

Note    Each attribute selected must be supported by the Microsoft RADIUS VSA.

Step 4   Click Submit at the bottom of the page.




Setting Protocol Configuration Options for RADIUS (Nortel)

This procedure enables you to hide or display RADIUS (Nortel) attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

The RADIUS (Nortel) page lists all the attributes available for Nortel RADIUS.

Note   If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for RADIUS (Nortel) attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Nortel).

Result: The RADIUS (Nortel) edit page appears.

Step 3   Select the check box for either User or Group, or both, for each RADIUS (Nortel) service you want to appear as a configurable option on the User Setup or Group Setup page.

Note    Each attribute selected must be supported by the Nortel RADIUS VSA.

Step 4   Click Submit at the bottom of the page.




Setting Protocol Configuration Options for RADIUS (Juniper)

This procedure enables you to hide or display RADIUS (Juniper) attributes for configuration from other portions of the Cisco Secure ACS HTML interface.

The RADIUS (Juniper) page lists all the attributes available for Juniper RADIUS.

Note   If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for RADIUS (Juniper) attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Juniper).

Result: The RADIUS (Juniper) edit page appears.

Step 3   Select the check box for either User or Group, or both, for each RADIUS (Juniper) service you want to appear as a configurable option on the User Setup or Group Setup page.

Note    Each attribute selected must be supported by the Juniper RADIUS VSA.

Step 4   Click Submit at the bottom of the page.




Setting Protocol Configuration Options for RADIUS (Cisco BBSM)

This procedure enables you to hide or display the RADIUS (Cisco BBSM) attribute for configuration from other portions of the Cisco Secure ACS HTML interface.

The RADIUS (Cisco BBSM) page lists the attribute available for Building Broadband Service Manger (BBSM) RADIUS.

Note   If the Per-user TACACS+/RADIUS Attributes check box on the Advanced Options page of Interface Configuration is selected, a User check box appears alongside the Group check box for each attribute.

To set protocol configuration options for RADIUS (Cisco BBSM) attributes, follow these steps:

Step 1   Click Interface Configuration.

Step 2   Click RADIUS (Cisco BBSM).

Result: The RADIUS (Cisco BBSM) edit page appears.

Step 3   Select the check box for either User or Group, or both, for the service you want to appear as a configurable option on the User Setup or Group Setup page.

Step 4   Click Submit at the bottom of the page.