Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Setting Up and Managing Network Configuration

Table of Contents

Setting Up and Managing Network Configuration
About Distributed Systems
Proxy in Distributed Systems
Other Features Enabled by System Distribution
AAA Client Configuration
AAA Server Configuration
Network Device Group Configuration
Proxy Distribution Table Configuration

Setting Up and Managing Network Configuration


This chapter details concepts and procedures for configuring the Cisco Secure ACS network and establishing a distributed system.

The appearance of the opening page you see when you click Network Configuration differs according to the network configuration selections you've made in the Interface Configuration section. The four tables that may appear in this section are as follows:

  • AAA Clients—This table lists each AAA client that is configured on the network, together with its IP address and associated protocol.

If you are using network device groups (NDGs), this table does not appear on the initial page, but is accessed through the Network Device Group table. For more information about this interface configuration, see the "Advanced Options" section.

  • AAA Servers—This table lists each AAA server that is configured on the network together with its IP Address and associated type.

This table does not appear unless you have enabled the Distributed System Settings feature in Interface Configuration.

If you are using NDGs, this table does not appear on the initial page, but is accessed through the Network Device Groups table. For more information about this interface configuration, see the "Advanced Options" section.

  • Network Device Groups—This table lists the name of each NDG that has been configured, and the number of AAA clients and AAA servers assigned to each NDG. If you are using NDGs, the AAA Clients table and AAA Servers table do not appear on the opening page. To configure a AAA client or AAA server, you must click the name of the NDG to which the device is assigned. If the newly configured device is not assigned to an NDG, it automatically belongs to the (Not Assigned) group.

This table appears only when you have configured the interface to use NDGs. For more information about this interface configuration, see the "Advanced Options" section.

  • Proxy Distribution Table—This table lists the character strings that determine whether an authentication request is handled locally or forwarded, and the AAA server with which each string is associated. Initially it contains only the (Default) entry.

This table appears only when you have configured the interface to enable Distributed System Settings. For more information about this interface configuration, see the "Advanced Options" section.

This chapter includes sections that provide the concepts and procedures related to each of these tables: "About Distributed Systems", "Proxy in Distributed Systems", "Other Features Enabled by System Distribution", "AAA Client Configuration", "AAA Server Configuration", "Network Device Group Configuration", and "Proxy Distribution Table Configuration".

About Distributed Systems

Cisco Secure ACS can be used in a distributed system; that is, multiple Cisco Secure ACS servers and authentication, authorization, and accounting (AAA) servers can be configured to communicate with one another as primary, backup, client, or peer systems. This enables you to use powerful features such as the following:

  • Proxy
  • Fallback on failed connection
  • CiscoSecure database replication
  • Remote and centralized logging

AAA Servers in Distributed Systems

"AAA server" is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user. Authentication information validates user identity, and authorization information determines what network services a user is permitted to use. A single AAA server can provide concurrent AAA services to many dial-up access servers, routers, and firewalls. Each network device can be configured to communicate with a AAA server. This makes it possible to centrally control dial-up access, as well as to secure network devices from unauthorized access.

These types of access control have unique authentication and authorization requirements. With Cisco Secure ACS, system administrators can use a variety of authentication methods that are used with different degrees of authorization privileges.

Completing the AAA functionality, Cisco Secure ACS serves as a central repository for accounting information. Each user session granted by Cisco Secure ACS can be fully accounted for, and its accounting information can be stored in the server. This accounting information can be used for billing, capacity planning, and security audits.


Note   If the fields mentioned in this section do not appear in your Cisco Secure ACS HTML interface, enable them by clicking Interface Configuration, clicking Advanced Options, and then selecting the Distributed System Settings check box.

Default Distributed System Settings

You use both the AAA Servers table and the Proxy Distribution Table to establish distributed system settings. The parameters configured within these tables create the foundation that enables multiple Cisco Secure ACS servers to work with one another. Each table contains a Cisco Secure ACS entry for itself. In the AAA Servers table, the only AAA server initially listed is the local Cisco Secure ACS; the Proxy Distribution Table lists an initial entry of (Default), which specifies that the local Cisco Secure ACS handles any authentication request that matches no other entry.

You can configure additional AAA servers in the AAA Servers table. This enables these devices to become available in the HTML interface so that they can be configured for other distributed features such as proxy, CiscoSecure user database replication, remote logging, and RDBMS synchronization. For information about configuring additional AAA servers, see the "Adding and Configuring a AAA Server" section.

Proxy in Distributed Systems

Proxy is a powerful feature that enables you to use Cisco Secure ACS for authentication in a network that uses more than one AAA server. Using proxy, Cisco Secure ACS automatically forwards an authentication request from a AAA client to another AAA server. After the request has been successfully authenticated, the authorization privileges that have been configured for the user on the remote AAA server are passed back to the original Cisco Secure ACS, where the AAA client applies the user's profile information for that session.

Proxy is useful in the provision of service to users, such as business travelers, who dial in to a network device other than the one they normally use and would otherwise be authenticated by a "foreign" AAA server. To use proxy, you must first click Interface Configuration, click Advanced Options, and then select the Distributed System Settings check box.

Whether, and where, an authentication request is to be forwarded is defined in the Proxy Distribution Table on the Network Configuration page. You can use multiple Cisco Secure ACS servers throughout your network. For information about configuring the Proxy Distribution Table, see the "Proxy Distribution Table Configuration" section.

Cisco Secure ACS employs character strings defined by the administrator to determine whether an authentication request should be processed locally or forwarded, and to where. When an end user dials in to the network device and Cisco Secure ACS finds a match for the character string defined in the Proxy Distribution Table, Cisco Secure ACS forwards the authentication request to the associated remote AAA server.


Note   When a Cisco Secure ACS receives a TACACS+ authentication request forwarded by proxy, any Network Access Restrictions for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.


Note   In a network that uses more than one type of RADIUS protocol, Cisco Secure ACS accepts only IETF attributes. All other attributes, such as proprietary attributes, are not interpreted. If the AAA protocol for RADIUS is configured uniformly with the same attributes, all attributes are recognized.

For example, a Cisco Secure ACS receives an authentication request for mary.smith@corporate.com, where "@corporate.com" is a character string defined in the server's distribution table as being associated with another specific AAA server. The Cisco Secure ACS server receiving the authentication request for mary.smith@corporate.com then forwards the request to the AAA server with which the character string is associated. The entry in the Proxy Distribution Table defines the association.

Administrators with geographically dispersed networks can configure and manage the user profiles of employees within their immediate location or building. This enables the administrator to manage the policies of just their users and allows all authentication requests from other users within the company to be forwarded to their respective AAA server for authentication. Not every user profile needs to reside on every AAA server. This saves administration time and server space, and facilitates end users receiving the same privileges regardless of which access device they connect through.

Fallback on Failed Connection

You can configure the order in which Cisco Secure ACS checks remote AAA servers upon the failure of the network connection to the primary AAA server. If an authentication request cannot be sent to the first listed server, because of a network failure for example, the next listed server is checked. This continues, in order, down the list until a AAA server handles the authentication request. If Cisco Secure ACS cannot connect to any server in the list, authentication fails. Failed connections are detected by failure of the nominated server to respond within a specified time period. That is, the request is timed out.

Character String

Cisco Secure ACS forwards authentication requests using a configurable set of characters with a delimiter, such as dots (.), slashes (/), backslashes (\), and hyphens (-). When configuring the Cisco Secure ACS character string to match, you must specify whether the character string is the prefix or suffix. For example, you can use "domain.us" as a suffix character string in username*domain.us, where * represents any delimiter. An example of a prefix character string is domain*username, where the * would be used to detect the "\" character.

Stripping

Stripping allows Cisco Secure ACS to remove, or strip, the matched character string from the username before the request is forwarded. When you enable stripping, Cisco Secure ACS examines each authentication request for a matching character string; when it finds a match in the Proxy Distribution Table, as described above, it removes the matched string if the entry is configured to do so. For example, if the user must enter the user ID mary@corporate.com to be forwarded to the correct AAA server, Cisco Secure ACS can match on the "@corporate.com" character string, strip it, and forward a username of just "mary", which may be the username format the destination AAA server requires to identify the correct entry in its database. If the destination server stores the full name instead, leave stripping disabled for that entry.

Proxy in an Enterprise

This section presents a scenario of proxy used in an enterprise system. Mary is an employee with an office in the corporate headquarters in Los Angeles. Her username is mary@la.corporate.com. When Mary needs access to the network, she accesses the network locally and authenticates with her username and password. Because Mary works in the Los Angeles office, her user profile, which defines her authentication and authorization privileges, resides on the local Los Angeles AAA server. However, Mary occasionally travels to a division within the corporation in New York, where she still needs to access the corporate network to get her e-mail and other files. When Mary is in New York, she dials in to the New York office and logs in as mary@la.corporate.com. Her username is not recognized by the New York Cisco Secure ACS, but its Proxy Distribution Table contains an entry matching the "@la.corporate.com" suffix that forwards the authentication request to the Los Angeles Cisco Secure ACS. Because Mary's username and password information reside on that AAA server, when she authenticates correctly, the authorization parameters assigned to her are applied by the AAA client in the New York office.
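The matching, stripping, and fallback rules from the "Character String", "Stripping", "Fallback on Failed Connection" and "Proxy in an Enterprise" sections, worked through as an added Python example. This is illustrative code written for this page, not Cisco Secure ACS code: the table layout, the entry fields, the server names and the send() callback are assumptions, the delimiter set is the one the "Character String" section names plus the "@" used in the guide's own examples, and the Traffic Type rule applied to the target list (a request proxied to an Outbound-only server is not sent) is the one stated under "AAA Server Configuration".

```python
"""Proxy Distribution Table lookup, username stripping and ordered fallback.

Illustrative code added to this page; not Cisco Secure ACS code. The table
layout, entry fields, server names and the send() callback are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Delimiters named in the "Character String" section, plus "@" from the examples.
DELIMITERS = set("@./\\-")


@dataclass
class AAAServer:
    name: str
    traffic_type: str  # "Inbound", "Outbound" or "Inbound/Outbound"


@dataclass
class ProxyEntry:
    string: str               # string to match, e.g. "@la.corporate.com" or "ny"
    position: str             # "prefix" or "suffix"
    strip: bool               # remove matched string (and delimiter) before forwarding
    servers: List[AAAServer]  # fallback order: first server that answers wins


@dataclass
class Decision:
    local: bool               # True: handled locally, i.e. the (Default) entry
    username: str             # name actually sent onward
    servers: List[AAAServer] = field(default_factory=list)


def split_suffix(username: str, s: str) -> Optional[str]:
    """username = <rest><delim><s>; returns <rest> or None. A string that
    already starts with a delimiter ("@corporate.com") carries its own."""
    if not s or not username.endswith(s):
        return None
    rest = username[:-len(s)]
    if s[0] in DELIMITERS:
        return rest or None
    if len(rest) >= 2 and rest[-1] in DELIMITERS:
        return rest[:-1]
    return None


def split_prefix(username: str, s: str) -> Optional[str]:
    """username = <s><delim><rest>, e.g. domain\\user; returns <rest> or None."""
    if not s or not username.startswith(s):
        return None
    rest = username[len(s):]
    if s[-1] in DELIMITERS:
        return rest or None
    if len(rest) >= 2 and rest[0] in DELIMITERS:
        return rest[1:]
    return None


def route(username: str, table: List[ProxyEntry]) -> Decision:
    """First matching entry wins; no match falls through to (Default): local."""
    for entry in table:
        split = split_suffix if entry.position == "suffix" else split_prefix
        rest = split(username, entry.string)
        if rest is None:
            continue
        forwarded = rest if entry.strip else username
        # Traffic Type: an Outbound-only server never receives proxied requests.
        targets = [srv for srv in entry.servers if srv.traffic_type != "Outbound"]
        return Decision(local=False, username=forwarded, servers=targets)
    return Decision(local=True, username=username)


def forward_with_fallback(decision: Decision,
                          send: Callable[[AAAServer, str], str]) -> Tuple[Optional[str], str]:
    """Walk the entry's servers in order. send() raises TimeoutError when a server
    does not answer in time, which is how a failed connection is detected; when
    every server times out, authentication fails."""
    for server in decision.servers:
        try:
            return server.name, send(server, decision.username)
        except TimeoutError:
            continue
    return None, "REJECT"


# Constructed table: two Los Angeles servers for "@la.corporate.com", and a
# prefix entry whose only target is (mis)configured as Outbound.
LA = AAAServer("acs-la", "Inbound/Outbound")
LA_BACKUP = AAAServer("acs-la-2", "Inbound")
BRANCH = AAAServer("acs-branch", "Outbound")
TABLE = [
    ProxyEntry("@la.corporate.com", "suffix", strip=True, servers=[LA, LA_BACKUP]),
    ProxyEntry("ny", "prefix", strip=True, servers=[BRANCH]),
]


def demo_mary() -> Tuple[Optional[str], str]:
    """Mary dials in to New York as mary@la.corporate.com; the primary LA server
    times out and the backup answers for the stripped username."""
    decision = route("mary@la.corporate.com", TABLE)

    def send(server: AAAServer, user: str) -> str:  # constructed responder
        if server is LA:
            raise TimeoutError
        return f"ACCEPT {user}"

    return forward_with_fallback(decision, send)


if __name__ == "__main__":
    print(demo_mary())  # ('acs-la-2', 'ACCEPT mary')
```

Note what the prefix entry shows: the username is matched and stripped, but because its only target is Outbound the forwarded request has nowhere to go and the result is a rejection, not a fallback to local authentication. Check the Traffic Type of every server named in a Proxy Distribution Table entry when proxied users are rejected without any entry in the remote server's logs.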

Remote Use of Accounting Packets

When proxy is employed, Cisco Secure ACS can dispatch AAA accounting packets in one of three ways:

  • Log them locally
  • Forward them to the destination AAA server
  • Log them locally and forward copies to the destination AAA server

Sending accounting packets to the remote Cisco Secure ACS offers several benefits. When Cisco Secure ACS is configured to send accounting packets to the remote AAA server, the remote AAA server logs an entry in the accounting report for that session on the destination server. Cisco Secure ACS also caches the user's connection information and adds an entry in the List Logged on Users report. You can then view the information for users that are currently connected. Because the accounting information is being sent to the remote AAA server, even if the connection fails, you can view the Failed Attempts report to troubleshoot the failed connection.

Sending the accounting information to the remote AAA server also enables you to use the Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is a Cisco Secure ACS and the Max Sessions feature is implemented, you can track the number of sessions allowed for each user or group.

You can also choose to have Voice over IP (VoIP) accounting information logged remotely, either appended to the RADIUS Accounting log, in a separate VoIP Accounting log, or both.

Other Features Enabled by System Distribution

Beyond basic proxy and fallback features, configuring a Cisco Secure ACS to interact with distributed systems enables several other features that are beyond the scope of this chapter. These features include CiscoSecure user database replication, remote and centralized logging, and RDBMS synchronization.

AAA Client Configuration

In this guide we use the term AAA client comprehensively to signify the device through which or to which service access is being attempted. This is the RADIUS or TACACS+ client device, and may comprise network access servers (NASes), PIX Firewalls, routers, or any other RADIUS or TACACS+ hardware/software client.

Details on working with AAA clients are given in the following three procedures: "Adding and Configuring a AAA Client", "Editing an Existing AAA Client", and "Deleting a AAA Client".

Adding and Configuring a AAA Client

You can use this procedure to add and configure a AAA client.

To add a AAA client, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   Do one of the following:

a. If you are using NDGs, click the name of the NDG to which the AAA client is to be assigned. Then, click Add Entry below the AAA Clients table.

b. To add a AAA client when you have not enabled NDGs, click Add Entry below the AAA Clients table.

Result: The Add AAA Client page appears.

Step 3   In the AAA Client Hostname box, type the name assigned to this AAA client.


Note    This field does not appear if you are configuring an existing AAA client.

Step 4   In the AAA Client IP Address box, type the AAA client's IP address or addresses.


Tip If you want to designate more than one AAA client with a single AAA client entry in Cisco Secure ACS, you can specify the IP address for each AAA client to be represented by this AAA client entry. To separate each IP address, press Enter. You can also use the wildcard asterisk (*) for an octet in the IP address. For example, if you want every AAA client in your 192.168.13.0 Class C network to be represented by a single AAA client entry, enter 192.168.13.* in the AAA Client IP Address box. Because every device matching the entry shares the entry's key, keep wildcard entries as narrow as the network allows.

Step 5   In the Key box, type the shared secret that the AAA client and Cisco Secure ACS use to protect the traffic between them. For TACACS+ the key encrypts the packet body; for RADIUS it obfuscates the User-Password attribute and authenticates the packets.


Note    For correct operation, the identical key must be configured on the AAA client and Cisco Secure ACS. Keys are case sensitive. Because the shared secrets are not synchronized in any way, it is easy to make mistakes when entering them upon both devices. Such mistakes will cause the AAA server to discard all packets from the client because it must treat the client as a potential intruder and a threat to the network's security.

Step 6   If you are using NDGs, from the Network Device Group list, select the name of the NDG to which this AAA client should belong, or select Not Assigned to set this AAA client to be independent of NDGs.


Note    To enable NDGs, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.

Step 7   From the Authenticate Using list, select the network security protocol used by the AAA client. Select either one of the following options, or any other custom RADIUS VSA that you have configured:

  • TACACS+ (Cisco IOS)—Select this option to use TACACS+, which is the standard choice when using Cisco Systems access servers, routers, and firewalls.
  • RADIUS (Cisco Aironet)—Select this option if the network device is a Cisco Aironet device that supports authentication via Cisco Secure ACS, such as an Access Point 340 or 350. When configured to use the RADIUS (Cisco Aironet) authentication protocol, Cisco Secure ACS first attempts to authenticate a user by using LEAP; if this fails, Cisco Secure ACS fails over to EAP-TLS.

Note    Aironet authentication is limited to users whose records reside in either the CiscoSecure user database, a Windows NT/2000 user database, or an ODBC user database.

  • RADIUS (Cisco BBMS)—Select this option if the network device is a Cisco BBMS network device supporting authentication via RADIUS.
  • RADIUS (IETF)—Select this option if you are using devices using RADIUS from more than one manufacturer and want to use standard IETF RADIUS attributes. This is also the protocol to select if you want EAP-TLS to be used with Cisco Aironet AAA clients.
  • RADIUS (Cisco IOS/PIX)—This option enables you to pack commands sent to a Cisco IOS AAA client. The commands are defined in the Group Setup section. Select this option for RADIUS environments in which key TACACS+ functions are required to support Cisco IOS equipment.
  • RADIUS (Cisco VPN 3000)—Select this option if the network device is a Cisco VPN 3000 series Concentrator.
  • RADIUS (Cisco VPN 5000)—Select this option if the network device is a Cisco VPN 5000 series Concentrator.
  • RADIUS (Ascend)—Select this option if the network device is an Ascend network device supporting authentication via RADIUS.
  • RADIUS (Juniper)—Select this option if the network device is a Juniper network device supporting authentication via RADIUS.
  • RADIUS (Nortel)—Select this option if the network device is a Nortel network device supporting authentication via RADIUS.

Note    The preceding list of protocol options represents those that Cisco Secure ACS ships with. For information about creating user-defined RADIUS VSAs, see the "User-Defined RADIUS Vendors and VSA Sets" section.

Step 8   To enable single connection from a AAA client, rather than a new one for every TACACS+ request, select the Single Connect TACACS+ AAA Client (Record stop in accounting on failure) check box. In single connection, multiple requests from a single client are multiplexed over a single session.


Note    If your connection is unreliable, do not use this feature.

Step 9   To enable Watchdog packets, select the Log Update/Watchdog Packets from this AAA Client check box. Watchdog packets are interim packets sent periodically during a session. They serve to enable an approximation of session length if the AAA client fails and, thereby, no stop packet is received to mark the end of the session.

Step 10   To allow RADIUS tunneling accounting packets (tunnel reject/start/stop and tunnel link reject/start/stop) to be logged in the RADIUS Accounting reports of Reports and Activity, select the Log RADIUS tunneling Packets from this AAA Client check box.

Step 11   To save your changes and apply them immediately, click Submit + Restart.


Note    Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter.


Tip To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.
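The two checks the procedure above configures, which AAA client entry a packet's source address maps to (several addresses per entry, per-octet wildcard) and whether the packet was built with that entry's key, as an added Python example. This is illustrative code written for this page, not Cisco Secure ACS code: the client table, addresses, hostnames, keys and the packet are constructed, and the verification rule used is the RADIUS Accounting-Request authenticator from RFC 2866, chosen because it lets the server check the shared secret on every packet it receives.

```python
"""AAA Clients table lookup with per-octet wildcards, and the shared-secret
check that turns a mismatched key into a silent discard.

Illustrative code added to this page; not Cisco Secure ACS code. The client
table, keys and packet are constructed; the authenticator rule is RFC 2866.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional


def ip_matches(pattern: str, addr: str) -> bool:
    """Per-octet match; '*' in a pattern octet matches any value (192.168.13.*)."""
    p, a = pattern.split("."), addr.split(".")
    if len(p) != 4 or len(a) != 4:
        return False
    return all(x == "*" or x == y for x, y in zip(p, a))


def find_client(table: List[Dict], addr: str) -> Optional[Dict]:
    """Return the first AAA client entry whose address list covers `addr`.
    An entry lists one address per line (what pressing Enter in the GUI does)."""
    for entry in table:
        if any(ip_matches(pat, addr) for pat in entry["addresses"].splitlines()):
            return entry
    return None


def attr(t: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including these two octets), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Client side. Accounting-Request (code 4); per RFC 2866 the Request
    Authenticator is MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    head = struct.pack("!BBH", 4, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the authenticator under our copy of the key."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed AAA Clients table: one entry with two explicit addresses, one
# wildcard entry covering a whole Class C network.
CLIENTS = [
    {"hostname": "nas-dialin", "addresses": "10.1.1.5\n10.1.1.6", "key": b"k3yA"},
    {"hostname": "branch-routers", "addresses": "192.168.13.*", "key": b"Branch-Secret"},
]


def handle(packet: bytes, src_addr: str, table: List[Dict] = CLIENTS) -> str:
    """ACS-side decision: an unknown source or a bad authenticator is discarded,
    because the sender cannot be distinguished from an intruder."""
    client = find_client(table, src_addr)
    if client is None:
        return "discard: unknown AAA client"
    if not verify_accounting_request(packet, client["key"]):
        return "discard: shared secret mismatch"
    return f"accept: {client['hostname']}"


def demo():
    """Same packet with the right key, a key differing only in case, and
    from an address no entry covers."""
    attrs = attr(1, b"mary") + attr(40, struct.pack("!I", 1))  # User-Name, Acct-Status-Type=Start
    good = accounting_request(7, attrs, b"Branch-Secret")
    bad = accounting_request(7, attrs, b"branch-secret")        # keys are case sensitive
    return (handle(good, "192.168.13.42"),
            handle(bad, "192.168.13.42"),
            handle(good, "192.168.14.1"))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

For an Access-Request the Request Authenticator is random rather than derived from the key, so a mismatched secret there does not fail this check; it shows up as an undecodable User-Password attribute (the secret is what hides the password) and a rejected login. For TACACS+ the key encrypts the packet body, and a mismatched key yields a body the server cannot parse. In all three cases the first thing to compare is the Key box of the matching AAA client entry against the key configured on the device.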





Editing an Existing AAA Client

You can use this procedure to edit the settings for a AAA client.


Note   You cannot directly edit the name of a AAA client; rather, you must delete the AAA client entry and then re-create the entry with the corrected name.

To edit a AAA client, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   Do one of the following:

a. If you are using NDGs, click the name of the NDG to which the AAA client is assigned. Then, click the name of the AAA client.

b. To edit a AAA client when you have not enabled NDGs, click the name of the AAA client from the AAA Client Hostname column of the AAA Clients table.

Result: The AAA Client Setup For Name page appears.

Step 3   In the AAA Client IP Address box, type the corrected IP address assigned to the AAA client, as applicable.

Step 4   In the Key box, type the corrected shared secret, as applicable.


Note    For correct operation, the identical key must be configured on the AAA client and Cisco Secure ACS. Keys are case sensitive.

Step 5   If you are using NDGs, from the Network Device Group list, correct the selection of the name of the NDG to which this AAA client should belong, as applicable. To set this AAA client to be independent of NDGs, select Not Assigned.

Step 6   From the Authenticate Using list, correct the selection of the network security protocol, as applicable.


Note    The previous procedure includes detailed information about these security protocols.

Step 7   Change the status of any of the following three options, as applicable:

  • Single Connect TACACS+ AAA Client (Record stop in accounting on failure)
  • Log Update/Watchdog Packets from this AAA Client
  • Log RADIUS tunneling Packets from this AAA Client

Step 8   To save your changes and apply them immediately, click Submit + Restart.


Tip To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.


Note    Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter.





Deleting a AAA Client

To delete a AAA client, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   Do one of the following:

a. If you are using NDGs, click the name of the NDG to which the AAA client is assigned. Then, click the AAA client hostname in the AAA Clients table.

b. To delete a AAA client when you have not enabled NDGs, click the AAA client hostname in the AAA Clients table.

Result: The AAA Client Setup for Name page appears.

Step 3   To delete the AAA client and have the deletion take effect immediately, click Delete + Restart.


Note    Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. As an alternative to restarting when you delete a AAA client, you can click Delete. However, when you do this, the change does not take effect until you restart the system, which you can do by clicking System Configuration, clicking Service Control, and then clicking Restart.

Result: A confirmation dialog box appears.

Step 4   Click OK.

Result: Cisco Secure ACS performs a restart and the AAA client is deleted.





AAA Server Configuration

This section presents procedures for configuring AAA servers in Cisco Secure ACS. For additional information about AAA servers, see the "AAA Servers in Distributed Systems" section.

To configure distributed system features for a given Cisco Secure ACS server, you must first define the other AAA server(s).


Tip If the AAA Servers table does not appear, click Interface Configuration, click Advanced Options, and then select the Distributed System Settings check box.

Details on working with AAA servers are given in the following procedures: "Adding and Configuring a AAA Server", "Editing a AAA Server Configuration", and "Deleting a AAA Server".

Adding and Configuring a AAA Server

To add and configure a AAA server, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   Do one of the following:

a. If you are using NDGs, click the name of the NDG to which the AAA server is to be assigned. Then, click Add Entry below the [name] AAA Servers table.

b. To add a AAA server when you have not enabled NDGs, below the AAA Servers table, click Add Entry.

Result: The Add AAA Server page appears.

Step 3   If this is a new AAA Server, in the AAA Server Name box, type a name for the remote AAA server.

Step 4   In the AAA Server IP Address box, type the IP address assigned to the remote AAA server.

Step 5   In the Key box, type the shared secret that the remote AAA server and the Cisco Secure ACS use to encrypt the data.


Note    The key is case sensitive. If the keys between the two AAA servers are not identical when authentication is forwarded, the request is incorrectly encrypted and authentication fails.

Step 6   From the Network Device Group list, select the NDG to which this AAA Server belongs.


Note    To enable NDGs, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.

Step 7   To enable Watchdog packets, select the Log Update/Watchdog Packets from this remote AAA Server check box. Watchdog packets are interim packets sent periodically during a session. They serve to enable an approximation of session length in the event that no stop packet is received to mark the end of the session.

Step 8   In the AAA Server Type list, select the protocol the remote AAA server is configured to use:

  • RADIUS—Select this option if the remote AAA server is configured using any type of RADIUS protocol.
  • TACACS+—Select this option if the remote AAA server is configured using the TACACS+ protocol.
  • Cisco Secure ACS for Windows 2000/NT—Select this option if the remote AAA server is another Cisco Secure ACS. This enables you to configure features that are only available with other Cisco Secure ACS servers, such as CiscoSecure user database replication and remote logging.

Note    The remote Cisco Secure ACS must be using Version 2.1 or later.

Step 9   The Traffic Type list defines the direction in which traffic to and from the remote AAA server is allowed to flow from this local Cisco Secure ACS. From the Traffic Type list, select one of the following options:

  • Inbound—The selected AAA server accepts requests that have been forwarded to it and does not forward the request to another AAA server. Select this option if you do not want to allow any authentication requests to be forwarded from the remote AAA server.
  • Outbound—The selected AAA server sends out authentication requests but does not receive them. If a Proxy Distribution Table entry is configured to proxy authentication requests to a AAA server that is configured for Outbound, the authentication request is not sent.
  • Inbound/Outbound—The specified AAA server forwards and accepts authentication requests. This allows the selected server to handle authentication requests in any manner defined in the distribution tables.

Step 10   To save your changes and apply them immediately, click Submit + Restart.


Tip To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.


Note    Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero.





Editing a AAA Server Configuration

Use this procedure to edit the settings for a AAA server that you have previously configured.


Note   You cannot edit the name of an existing AAA server. To rename a AAA server, you must delete the existing AAA server and then add a new server entry with the new name.


Tip For detailed information on the AAA server settings, see the "Adding and Configuring a AAA Server" section.

To edit a AAA server configuration, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   Do one of the following:

a. If you are using NDGs, click the name of the NDG to which the AAA server is assigned. Then, in the AAA Servers table, click the name of the AAA server to be edited.

b. If you have not enabled NDGs, in the AAA Servers table, click the name of the AAA server to be edited.

Result: The AAA Server Setup for X page appears.

Step 3   Enter or select new settings for one or more of the following fields:

  • AAA Server IP Address
  • Key
  • Log Update/Watchdog Packets from this remote AAA Server
  • AAA Server Type
  • Traffic Type

Step 4   To save your changes and apply them immediately, click Submit + Restart.


Tip To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, click Service Control, and then click Restart.


Note    Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. This affects the Max Sessions counter and resets it to zero.





Deleting a AAA Server

To delete a AAA server, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   Do one of the following:

a. If you are using NDGs, click the name of the NDG to which the AAA Server is assigned. Then, click the AAA Server Name in the AAA Servers table.

b. If you have not enabled NDGs, click the AAA Server Name in the AAA Servers table.

Result: The AAA Server Setup for X page appears.

Step 3   To delete the AAA server and have the deletion take effect immediately, click Delete + Restart.


Note    Restarting the service clears the Logged-in User report and temporarily interrupts all Cisco Secure ACS services. As an alternative to restarting when you delete a AAA server, in the preceding step you can click Delete. However, when you do this, the change does not take effect until you restart the system, which you can do by clicking System Configuration, clicking Service Control, and then clicking Restart.

Result: A confirmation dialog box appears.

Step 4   Click OK.

Result: Cisco Secure ACS performs a restart and the AAA server is deleted.





Network Device Group Configuration

Network Device Grouping is an advanced feature that enables you to view and administer a collection of network devices as a single logical group. To simplify administration, you can assign each group a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS—single discrete devices such as an individual router or network access server, and an NDG; that is, a collection of routers or AAA servers.

This section contains the following procedures for working with NDGs:

Adding a Network Device Group

You can assign users or groups of users to NDGs. For more information, see one of the following:

To add an NDG, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   Beneath the Network Device Groups table, click Add Entry.


Tip If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select Network Device Groups.

Step 3   In the Network Device Group Name box, type the name of the new NDG.


Tip The maximum name length is 19 characters. Quotation marks (") and commas (,) are not allowed. Spaces are allowed.

Step 4   Click Submit.

Result: The Network Device Groups table displays the new NDG.

Step 5   To populate the newly established NDG with AAA clients or AAA servers, perform one or more of the following procedures, as applicable:





Assigning an Unassigned AAA Client or AAA Server to an NDG

You use this procedure to assign an unassigned AAA client or AAA server to an NDG. A prerequisite to performing this procedure is that you have already configured the client or server and it appears in the Not Assigned AAA Clients or Not Assigned AAA Servers table.

To assign a network device to an NDG, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   In the Network Device Groups table, click Not Assigned.


Tip If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.

Step 3   Click the name of the network device you want to assign to an NDG.

Step 4   From the Network Device Groups list, select the NDG to which you want to assign the AAA client or AAA server.

Step 5   Click Submit.

Result: The client or server is assigned to an NDG.





Reassigning a AAA Client or AAA Server to an NDG

To reassign a AAA client or AAA server to a new NDG, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   In the Network Device Groups table, click the name of the network device's current group.

Step 3   In either the AAA Clients table or AAA Servers table, as applicable, click the name of the client or server you want to assign to a new NDG.

Step 4   From the Network Device Group list, select the NDG to which you want to reassign the network device.

Step 5   Click Submit.

Result: The network device is assigned to a different NDG.





Renaming a Network Device Group

To rename an NDG, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   In the Network Device Groups table, click the NDG to be renamed.


Tip If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.

Step 3   At the bottom of the page, click Rename.

Result: The Rename Network Device Group page appears.

Step 4   In the Network Device Group Name box, type the new name.

Step 5   Click Submit.

Result: The name of the NDG is changed.





Deleting a Network Device Group

To delete an NDG, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration section opens.

Step 2   In the Network Device Groups table, click the NDG to be deleted.


Tip If the Network Device Groups table does not appear, click Interface Configuration, click Advanced Options, and then select the Network Device Groups check box.

Step 3   At the bottom of the page, click Delete Group.

Result: A confirmation dialog box appears.

Step 4   Click OK.

Result: The NDG is deleted.





Proxy Distribution Table Configuration

This section begins with a description of the Proxy Distribution Table and then details the following Proxy Distribution Table configuration procedures:

About the Proxy Distribution Table

If you have Distributed Systems Settings enabled, when you click Network Configuration, you will see the Proxy Distribution Table.


Tip To enable Distributed Systems Settings in the Cisco Secure ACS, click Interface Configuration, click Advanced Options, and then select the Distributed System Settings check box.

The Proxy Distribution Table comprises entries that show the character strings on which to proxy, the AAA Servers to proxy to, whether to strip the character string, and where to send the accounting information (Local/Remote, Remote, or Local). For more information about the proxy feature, see the "Proxy in Distributed Systems" section.

The entries you define and place in the Proxy Distribution Table can be considered turnstiles for each authentication request that Cisco Secure ACS receives from the AAA client. How the authentication request is defined in the Proxy Distribution Table depends on where it is to be forwarded. If a match to an entry in the Proxy Distribution Table that contains proxy information is found, Cisco Secure ACS forwards the request to the appropriate AAA server.

The Character String column in the Proxy Distribution Table always contains an entry of "(Default)". The "(Default)" entry matches authentication requests received by the local Cisco Secure ACS server that do not match any other defined character strings. While you cannot change the character string definition for the "(Default)" entry, you can change the distribution of authentication requests matching the "(Default)" entry. At installation, the AAA server associated with the "(Default)" entry is the local Cisco Secure ACS server. It can sometimes be easier to define strings that match authentication requests to be processed locally rather than defining strings that match authentication requests to be processed remotely. In such a case, associating the "(Default)" entry with a remote AAA server permits you to configure your Proxy Distribution Table with the more easily written entries.

Adding a New Proxy Distribution Table Entry

To create a Proxy Distribution Table entry, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration page opens.

Step 2   Below the Proxy Distribution Table, click Add Entry.


Note    If the Proxy Distribution Table does not appear, you must enable it by clicking Interface Configuration, clicking Advanced Options, and then selecting the Distributed System Settings check box.

Step 3   In the Character String box, type the string of characters, including the delimiter, on which to forward authentication requests when users dial in. For example, .uk.


Note    Angle brackets (< and >) cannot be used.

Step 4   From the Position list, select Prefix if the character string you typed appears at the beginning of the username or Suffix if the character string appears at the end of the username.

Step 5   From the Strip list, select Yes if the character string you entered is to be stripped off the username, or select No if it is to be left intact.

Step 6   In the AAA Servers column, select the AAA server you want to use for proxy. Click —> (right arrow button) to move it to the Forward To column.


Tip You can also select additional AAA servers to use for backup proxy in the event the prior servers fail. To set the order of AAA servers, in the Forward To column, click the name of the applicable server and click Up or Down to move it into the position you want.


Tip  If the AAA server you want to use is not listed, click Network Configuration, click AAA Servers, click Add Entry and complete the applicable information.

Step 7   From the Send Accounting Information list, select one of the following areas to which to report accounting information:

  • Local—Keep accounting packets on the local Cisco Secure ACS.
  • Remote—Send accounting packets to the remote Cisco Secure ACS.
  • Local/Remote—Keep accounting packets on the local Cisco Secure ACS and send them to the remote Cisco Secure ACS.

Tip This information is especially important if you are using the Max Sessions feature to control the number of connections a user is allowed. Max Sessions depends on accounting start and stop records, and where the accounting information is sent determines where the Max Sessions counter is tracked. The Failed Attempts log and the Logged in Users report are also affected by where the accounting records are sent.

Step 8   When you have finished, click Submit or Submit + Restart.





Sorting the Character String Match Order of Distribution Entries

You can use this procedure to set the priority by which Cisco Secure ACS searches character string entries in the Proxy Distribution Table when users dial in.

To determine the priority order by which Cisco Secure ACS searches entries in the Proxy Distribution Table, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration page opens.

Step 2   Below the Proxy Distribution Table, click Sort Entries.


Tip To be able to sort the entries, you must have already configured at least two unique Proxy Distribution Table entries in addition to the default table entry.

Step 3   Select the character string entry to reorder, and then click Up or Down to move its position to reflect the search order you want.

Step 4   When you have finished sorting, click Submit or Submit + Restart.
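The following model of the Proxy Distribution Table lookup is an added example, not part of the Cisco Secure ACS documentation or product. It illustrates the behaviour described in the "About the Proxy Distribution Table" and "Adding a New Proxy Distribution Table Entry" sections (prefix or suffix match, optional stripping, an ordered Forward To list, and the "(Default)" fall-through) and why the sort order set in this procedure matters: a general suffix such as .uk listed above a more specific .co.uk captures the .co.uk users first. Server names such as acs-london and the usernames are constructed sample values, and the first-match-wins rule is an assumption about how the table is searched.

```python
# Added illustration of Proxy Distribution Table matching. Not Cisco code;
# server names and usernames below are constructed sample values, and the
# first-match-wins search order is an assumption of this model.
from dataclasses import dataclass
from typing import List

DEFAULT = "(Default)"


@dataclass
class ProxyEntry:
    char_string: str       # string to match, e.g. ".uk"; DEFAULT is the catch-all
    position: str          # "Prefix" or "Suffix" (where the string sits in the username)
    strip: bool            # remove the matched string before forwarding?
    forward_to: List[str]  # ordered AAA servers: first is primary, the rest are backups
    accounting: str        # "Local", "Remote" or "Local/Remote"


@dataclass
class Decision:
    matched: str             # which Character String entry matched
    servers: List[str]       # primary first, then backups in configured order
    forwarded_username: str  # username as sent to the proxy target
    accounting: str


def validate_char_string(s: str) -> None:
    """Reject strings the guide says cannot be used (angle brackets)."""
    if "<" in s or ">" in s:
        raise ValueError("angle brackets are not allowed in a character string")
    if not s:
        raise ValueError("character string must not be empty")


def entry_matches(entry: ProxyEntry, username: str) -> bool:
    if entry.position == "Prefix":
        return username.startswith(entry.char_string)
    if entry.position == "Suffix":
        return username.endswith(entry.char_string)
    raise ValueError(f"unknown position {entry.position!r}")


def strip_match(entry: ProxyEntry, username: str) -> str:
    """Apply the Strip setting: drop the matched string from the chosen end."""
    if not entry.strip:
        return username
    n = len(entry.char_string)
    return username[n:] if entry.position == "Prefix" else username[:-n]


def distribute(table: List[ProxyEntry], username: str) -> Decision:
    """Walk the table in its sorted order; first match wins, (Default) is the fall-through."""
    default = None
    for entry in table:
        if entry.char_string == DEFAULT:
            default = entry
            continue
        if entry_matches(entry, username):
            return Decision(entry.char_string, list(entry.forward_to),
                            strip_match(entry, username), entry.accounting)
    if default is None:
        raise ValueError("table has no (Default) entry")
    return Decision(DEFAULT, list(default.forward_to), username, default.accounting)


def sample_table() -> List[ProxyEntry]:
    """Constructed sample table: the more specific suffix is sorted above the general one."""
    entries = [
        ProxyEntry(".co.uk", "Suffix", True, ["acs-london-corp", "acs-london"], "Local/Remote"),
        ProxyEntry(".uk", "Suffix", True, ["acs-london"], "Remote"),
        ProxyEntry("fr/", "Prefix", True, ["acs-paris"], "Remote"),
        ProxyEntry(DEFAULT, "Suffix", False, ["acs-local"], "Local"),
    ]
    for e in entries:
        if e.char_string != DEFAULT:
            validate_char_string(e.char_string)
    return entries


if __name__ == "__main__":
    table = sample_table()
    for user in ("alice.co.uk", "bob.uk", "fr/claire", "dave"):
        d = distribute(table, user)
        print(f"{user:12} -> {d.matched:10} {d.servers[0]:16} "
              f"as {d.forwarded_username!r}, accounting={d.accounting}")
    # Swap the two suffix entries to see why Sort Entries matters.
    swapped = [table[1], table[0]] + table[2:]
    d = distribute(swapped, "alice.co.uk")
    print("misordered:", d.matched, d.servers[0], repr(d.forwarded_username))
```

Running the block shows alice.co.uk forwarded to acs-london-corp as "alice" when .co.uk is sorted first, but to acs-london as "alice.co" once .uk is moved above it, which is the situation the Sort Entries procedure lets you correct. Where the accounting records go (Local, Remote or Local/Remote) is carried in the decision because, as the tip in Step 7 notes, it determines where Max Sessions counters and the Logged-in Users report are maintained.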





Editing a Proxy Distribution Table Entry

To edit a Proxy Distribution Table entry, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration page opens.

Step 2   In the Character String column of the Proxy Distribution Table, click the distribution entry you want to edit.

Result: The Edit Proxy Distribution Entry page appears.

Step 3   Edit the entry as necessary.


Tip For information about the parameters that make up a distribution entry, see the "Adding a New Proxy Distribution Table Entry" section.

Step 4   When you have finished editing the entry, click Submit or Submit + Restart.





Deleting a Proxy Distribution Table Entry

To delete a Proxy Distribution Table entry, follow these steps:


Step 1   In the navigation bar, click Network Configuration.

Result: The Network Configuration page opens.

Step 2   In the Character String column of the Proxy Distribution Table, click the distribution entry you want to delete.

Result: The Edit Proxy Distribution Entry page appears.

Step 3   Click Delete.

Result: A confirmation dialog box appears.

Step 4   Click OK.

Result: Cisco Secure ACS deletes the distribution entry from the Proxy Distribution Table.