Sample Configurations

Table of Contents

Sample Configurations

Dialup Using the Windows NT/2000 User Database with TACACS+
Dialup Using the Cisco Secure ACS User Database with TACACS+
Dialup Using SDI Token-Card Server with TACACS+
Dialup Using Novell NDS with TACACS+
Dialup Using a CRYPTOCard Token-Card Server with TACACS+
Dialup Using the Cisco Secure ACS User Database with Cisco IOS RADIUS
Cisco VPN 3000 Concentrator Authentication Using the CiscoSecure ACS User Database
Dialup for an ARAP Client Using the Cisco Secure ACS User Database with TACACS+
NAS Management Using the Cisco Secure ACS User Database with TACACS+
Password Aging and User-Changeable Passwords Using Cisco Secure ACS with CAA
Single Authentication Using Cisco Secure ACS and the CAA
Double Authentication Using Cisco Secure ACS and the CAA
Authentication Using Cisco Aironet RADIUS
Authentication Using Cisco Secure ACS and an MCIS Database
Authentication Using Cisco Secure ACS and a Generic LDAP Database
Authentication Using Cisco Secure ACS and an ODBC Database
PIX Firewall Authentication/Authorization Using the Windows NT/2000 User Database with TACACS+
VPDN Using the Cisco Secure ACS User Database with TACACS+
Virtual Profiles Using the Cisco Secure ACS User Database with TACACS+
VPDN Using the Cisco Secure ACS User Database with RADIUS Tunneling Attributes

Sample Configurations

Before you configure Cisco Secure ACS for the first time, make sure you have the required settings for the configuration you want. This chapter outlines the necessary settings for the following sample configurations:

Select the configuration that most closely meets your needs.


Note   If you are viewing this window as a link from the Cisco Secure ACS main window, click Online Documentation: Sample Configurations to return to this section.

You must configure four components to successfully initiate connectivity and start Cisco Secure Access Control Server for Windows NT/2000 Servers services:

  • Windows NT/2000 server—Computer hosting Cisco Secure ACS software and the Windows NT/2000 user database

  • Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6—Software that provides centralized network security services

  • NAS—Network access servers, routers, or other devices, such as firewalls, that provide your users with access to specific networks


Note   Unless specifically stated otherwise, the term NAS includes access servers, routers, and PIX Firewalls.

  • Client—Async or ISDN dialup user applications

Dialup Using the Windows NT/2000 User Database with TACACS+

This section presents a typical configuration that can be used in a Windows NT/2000 network using only the Windows NT/2000 user database to maintain access. This configuration would typically be used in businesses with significant or strategic investment in Windows NT/2000. This configuration makes it possible to do the following:

  • Control dialup connectivity for the NAS from Windows NT User Manager or Windows 2000 Active Directory Users and Computers

  • Support single login

  • Authenticate the username against the Windows NT/2000 database (PAP or MS-CHAP)

Windows NT/2000 Server Configuration

This option requires significant configuration in the Windows NT/2000 server environment because it depends heavily on Windows NT/2000 management functions. Configure these items in User Manager on the Windows NT/2000 server that is running Cisco Secure ACS. Confirm that the following items are configured appropriately in Windows NT/2000:

Cisco Secure ACS Configuration

Follow these steps in Cisco Secure ACS.

Network Configuration


Note   If the first NAS into which clients dial was set up during Cisco Secure ACS installation, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.


External User Databases Configuration

If Cisco Secure ACS was originally installed to authenticate usernames against the Cisco Secure ACS database only, you must add a new configuration to allow it also to authenticate against the Windows NT/2000 database.

To allow Cisco Secure ACS also to authenticate against the Windows NT/2000 database, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click Windows NT/2000.

Step 3   Click Create a new configuration.

Step 4   Click Submit to accept the default name.

Step 5   Click Configure to enable the additional capability to Grant dialin permission to user. Cisco Secure ACS verifies that dialin permission is granted for the user in the Windows NT/2000 user database. Authentication for a user without dialup permission on the Windows NT/2000 server fails, even if the user supplies the correct password. If you do not want to use this feature, click to clear the check box and click Submit.

Step 6   The Unknown User Policy window controls how Cisco Secure ACS handles usernames that are not found in the Cisco Secure ACS user database. Configure this option to ensure that all authentications without usernames in the Cisco Secure ACS user database are checked against the Windows NT/2000 database.


If this authentication succeeds, a record is automatically generated in the Cisco Secure ACS database indicating that the Windows NT/2000 database should also be used for password authentication. User records added to the database in this way automatically become members of the selected group.

Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any Point-to-Point Protocol (PPP), you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed appear highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To control the maximum number of simultaneous sessions allowed to a group as a whole and to each user in the group, type the applicable numbers in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per-user count in the Group Setup window.

Step 4   To allow the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 5   To make Cisco Secure ACS a "DHCP-like" server, enable IP Pool and type the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 6   To allow the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 7   To allow Telnet sessions to be run by the client or to allow Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

User setup is not necessary; users who successfully authenticate against the Windows NT/2000 user database are added to the Cisco Secure ACS user database as members of the default group, designated as "Default Group." You can reassign them to another group later.

NAS Configuration

Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. You can use PAP or MS-CHAP when authenticating against Windows NT/2000.

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    tacacs-server host ip_address single
    tacacs-server key key
    enable secret password
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

Enter the following command under each interface used for dialup access:

    ppp authentication pap

or

    ppp authentication MS-CHAP

Client Configuration

The client can be an async or Integrated Services Digital Network (ISDN) client. For an async client, be sure it is configured to use PAP or MS-CHAP.

Windows 95/98 Client Configuration

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the NAS dial number.

Step 2   Right-click the Connection icon and select Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list box, select PPP.

Step 5   In the Advanced Options area, check Log on to network. This will cause the client to attempt to log on to the Windows NT/2000 domain when dialing in.

Step 6   Click to clear the Require encrypted password check box.

Step 7   In the Allowed Network Protocols area, click IP and/or IPX.

Step 8   If you are using an IP pool on the NAS (not assigning the IP address at the client), set TCP/IP settings to server assigned IP Address and server assigned name.


Note   The NAS must support IP Pools.

Step 9   To set up single login, install the Client for Microsoft Networks under the Network Configuration, and set the Primary Network Logon to Windows Logon.

Step 10   For single login, in the properties for Client for Microsoft Networks, leave Log on to Windows NT/2000 Domain disabled, but type the desired domain in the Windows NT/2000 Domain field.

Step 11   When making a connection, enter the same username and password being used for the user account in the Windows NT/2000 user database.

Step 12   For single login, in the Connect To dialog box, click Save password. Make sure you have the Windows 95 service pack installed so the password is saved. Check with your system administrator to find out if the service pack has been installed.


Tips

Consider the following:

Dialup Using the Cisco Secure ACS User Database with TACACS+

This sample configuration lets you set a higher level of authentication security, such as CHAP, or increase authentication/authorization processing speed. Service providers can use this configuration when transaction speed is critical. Corporations in which the administrator would rather allow a single login to a Windows NT/2000 domain than have the added level of security of one-time passwords (OTPs) with CHAP can also use this configuration.

Windows NT/2000 Server Configuration

No Windows NT/2000 Server configuration is required; users do not need to exist in the Windows NT/2000 user database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

In Cisco Secure ACS, configure the items in the following sections.

Network Configuration


Note   If the first NAS into which clients dial was set up during the installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select the TACACS+ protocol.

Step 7   To allow the Service/Protocol to be configurable for a group, in the Protocol Configuration Options window, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 8   Use the User Setup window to add a user.


External User Database Configuration (Optional)

In the External User Databases window, follow these steps:


Step 1   Click Unknown User Policy.

Step 2   Check Fail the attempt.


This sets Cisco Secure ACS to deny authentication unless the user has an active account in the Cisco Secure ACS database.
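The two Unknown User Policy settings on this page behave differently for a username that is not in the Cisco Secure ACS user database: the Windows NT/2000 configuration earlier in this chapter checks the Windows database, enforces the Grant dialin permission to user check, and on success creates an ACS record mapped to Windows in the default group; the setting here, Fail the attempt, simply denies. The following model is an added example written for this page; it is not Cisco code and does not reproduce the ACS internals, only the decision order the two procedures describe (password storage is simplified to in-memory strings, and the group and message names are constructed).

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FAIL_ATTEMPT = "fail"       # Unknown User Policy: Fail the attempt
CHECK_WINDOWS = "windows"   # Unknown User Policy: check the Windows NT/2000 user database


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (stand-in for whatever the real databases do)."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class WindowsAccount:
    password: str           # kept in clear only to keep the model small
    dialin_permitted: bool  # "Grant dialin permission to user" in User Manager / AD


@dataclass
class AcsUser:
    group: str
    password: Optional[str] = None  # None: ACS defers to the Windows NT/2000 database


class AcsModel:
    """Toy model of the ACS authentication decision; names and messages are constructed."""

    def __init__(self, windows_db: Dict[str, WindowsAccount], unknown_user_policy: str,
                 check_dialin_permission: bool = True, default_group: str = "Default Group"):
        self.windows_db = windows_db
        self.policy = unknown_user_policy
        self.check_dialin_permission = check_dialin_permission
        self.default_group = default_group
        self.users: Dict[str, AcsUser] = {}   # the Cisco Secure ACS user database

    def add_user(self, name: str, password: str, group: str = "Group 1") -> None:
        """User Setup: a user whose password lives in the ACS database."""
        self.users[name] = AcsUser(group=group, password=password)

    def _windows_auth(self, name: str, password: str) -> Tuple[bool, str]:
        acct = self.windows_db.get(name)
        if acct is None or not _same(acct.password, password):
            return False, "windows: bad username or password"
        if self.check_dialin_permission and not acct.dialin_permitted:
            # A correct password is not enough when dialin permission is not granted.
            return False, "windows: dialin permission not granted"
        return True, "windows: ok"

    def authenticate(self, name: str, password: str) -> Tuple[bool, str]:
        user = self.users.get(name)
        if user is not None:
            if user.password is None:
                return self._windows_auth(name, password)
            if _same(user.password, password):
                return True, "acs database: ok"
            return False, "acs database: bad password"
        # Username not in the ACS database: apply the Unknown User Policy.
        if self.policy == FAIL_ATTEMPT:
            return False, "unknown user: attempt failed by policy"
        ok, why = self._windows_auth(name, password)
        if ok:
            # Success creates a record mapped to Windows, in the default group.
            self.users[name] = AcsUser(group=self.default_group)
        return ok, why


if __name__ == "__main__":
    # Constructed sample accounts.
    win = {"jsmith": WindowsAccount("pw1", True), "nodial": WindowsAccount("pw2", False)}
    acs = AcsModel(win, CHECK_WINDOWS)
    print(acs.authenticate("jsmith", "pw1"), acs.users["jsmith"])
    print(acs.authenticate("nodial", "pw2"))
    strict = AcsModel(win, FAIL_ATTEMPT)
    print(strict.authenticate("jsmith", "pw1"))
```

The second successful login for jsmith goes back to Windows rather than to a copied password, because the auto-created record only marks the user as Windows-authenticated; the nodial account never gets a record, since a denied attempt creates nothing.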

Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, type the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To control the number of simultaneous sessions allowed to a group, and to specify the number of sessions allowed to users in the groups, type the appropriate number in the MaxSessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4   To enable the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 5   To make Cisco Secure ACS a "DHCP-like" server, enable IP Pool and type the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 6   To enable the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 7   To permit the client to run Telnet sessions or to enable Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select CiscoSecure Database as the method for password authentication.

Step 3   Type and confirm the password in the first set of Cisco Secure ACS user database password fields.

Step 4   Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.


Note   All groups can be renamed, but Cisco Secure ACS tracks each group by its original number.

Step 5   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6   If you are using dial-in, to assign a particular IP address to the user, type that address in the Static IP Address field.

Step 7   To set expiration conditions for the user, configure them here.


NAS Configuration

Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+.

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    tacacs-server host ip_address single
    tacacs-server key key
    enable secret password
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

To permit dial-in access, enter the following command for each interface:

    ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number for the NAS.

Step 2   Right-click the Connection icon and select Properties.

Step 3   Click the Server Type tab and select PPP from the Type Of Dial-up Server list box.

Step 4   In the Advanced Options area, select the Log on to network check box. This will cause the client to attempt to log on to the Windows NT/2000 domain when dialing in.

Step 5   Click to clear the Require encrypted password check box.

Step 6   In the Allowed network protocols area, select the IP and/or IPX check boxes.

Step 7   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.

Step 8   When making a connection, enter the Cisco Secure ACS user database username and password.


Tips

Consider the following:

  • Because PAP, CHAP, ARAP, and MS-CHAP passwords can be stored in the Cisco Secure ACS user database, this configuration can support PAP, CHAP, ARAP, or MS-CHAP as the authentication protocol. To use PAP authentication, substitute the word PAP in place of CHAP in the NAS configuration example earlier in this section.

  • Because single login is not available with CHAP, logging in to a Windows NT/2000 network requires two steps.

Dialup Using SDI Token-Card Server with TACACS+

Using an SDI ACE server for authentication enables you to increase the level of security while still allowing Cisco Secure ACS to authorize applicable services after a successful authentication.

Windows NT/2000 Server Configuration

On the Windows NT/2000 Server, configure the following items:

  • The client software for the SDI ACE Security server must be installed on the same Windows NT/2000 server on which Cisco Secure ACS is installed. The ACE Security server can be connected either to the LAN or remotely. To configure the client portion of the SDI software correctly, the SDI ACE Security server configuration file sdiconf.rec must reside in the \Winnt\system32 directory. Refer to your SDI ACE Security server documentation for installation information.

  • Users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

In Cisco Secure ACS, configure the items in the following sections.

Network Configuration


Note   If the first NAS to which clients dial in was set up during the installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.


External User Database Configuration

To add a new configuration for the external user database, follow these steps:


Step 1   Click External User Databases.

Step 2   Click Database Configuration.

Step 3   Click SDI SecurID Token Server.

Step 4   Click Create New Configuration. Click Submit to accept the default name.

Step 5   Click Configure to configure and enable Cisco Secure ACS to use the external user database to authenticate users.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, type the appropriate number in the MaxSessions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4   Cisco Secure ACS can store ISDN passwords to authenticate the second B channel when it is brought into service. Select one of these token-caching methods:

  • If the second B-channel service goes up and down dynamically, select Session.

  • If both B channels stay in service, select Duration. Type the number of minutes for Cisco Secure ACS to cache the password.

  • Verify that accounting is enabled on the NAS. The configuration file should include the command aaa accounting network start-stop tacacs+.

Step 5   To enable the NAS to support dial-up clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 6   To make Cisco Secure ACS a "DHCP-like" server, enable IP Pool and type the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 7   To enable the NAS to support dial-up clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


Note   To enable the client to run Telnet sessions or to enable Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select SDI SecurID Token Server as the method for password authentication.

Step 3   Type and confirm the password in the first set of Cisco Secure ACS user database password fields.

Step 4   Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.


Note   All groups can be renamed, but Cisco Secure ACS tracks each group by its original number.

Step 5   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6   If you are using dial-in, to assign a particular IP address to the user, type it in the Static IP Address field.

Step 7   To set expiration or aging conditions for the user, configure them here.


NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. CHAP can be used because the Cisco Secure ACS user database is being used.

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    tacacs-server host ip_address single
    tacacs-server key key
    enable secret password
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

Enter one of the following commands under each interface used for dial-up access:

    ppp authentication chap

or

    ppp authentication pap
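The same Cisco 2509 minimum configuration appears in each NAS Configuration section of this chapter, and the token-caching step above additionally requires that aaa accounting network start-stop tacacs+ be present. A practitioner rolling this out to several access servers would want to audit saved configurations against that minimum rather than eyeball them. The script below is an added example written for this page, not a Cisco tool: it parses an IOS configuration into global commands and indented sections, checks for the required global commands, confirms that line con 0 is bound to a login list that falls back to enable (so the console is not locked out when the TACACS+ server is unreachable), and checks that every dialup interface carries a ppp authentication command using one of the methods the chapter names. Treating any interface with encapsulation ppp as a dialup interface, the sample configuration, the addresses and the key values are all constructed assumptions.

```python
import re

# Minimum global AAA commands the sample NAS configurations on this page require.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication login default tacacs+",
    "aaa authentication ppp default tacacs+",
    "aaa authorization exec tacacs+",
    "aaa authorization network tacacs+",
    "aaa accounting network start-stop tacacs+",
    "aaa accounting exec start-stop tacacs+",
)
ALLOWED_PPP_METHODS = ("pap", "chap", "ms-chap")


def parse_ios(config):
    """Split an IOS configuration into global commands and indented sections.

    A section begins with an unindented 'interface ...' or 'line ...' command and
    owns the indented lines that follow it. Commands are whitespace-normalised and
    lower-cased so 'ppp authentication MS-CHAP' equals 'ppp authentication ms-chap'.
    """
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments
        cmd = re.sub(r"\s+", " ", raw.strip()).lower()
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(cmd)
            continue
        if cmd.startswith(("interface ", "line ")):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_nas_aaa(config):
    """Return a list of findings; an empty list means the config meets the page's minimum."""
    global_cmds, sections = parse_ios(config)
    present = set(global_cmds)
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in present]
    if not any(c.startswith("tacacs-server host ") for c in present):
        findings.append("no tacacs-server host configured")
    if not any(c.startswith("tacacs-server key ") for c in present):
        findings.append("no tacacs-server key configured")

    # Console lockout check: the page binds 'line con 0' to a login list that uses the
    # enable secret, so the console stays usable when TACACS+ is unreachable.
    fallback_lists = set()
    for c in present:
        m = re.match(r"aaa authentication login (\S+) (.+)$", c)
        if m and {"enable", "local"} & set(m.group(2).split()):
            fallback_lists.add(m.group(1))
    console = sections.get("line con 0") or []
    applied = next((c.split()[2] for c in console if c.startswith("login authentication ")), "default")
    if applied not in fallback_lists:
        findings.append(f"line con 0 uses login list '{applied}' with no enable/local fallback")

    # Every dialup interface (assumed here: any interface with 'encapsulation ppp')
    # must carry a 'ppp authentication' command using one of the page's methods.
    for name, cmds in sections.items():
        if not name.startswith("interface ") or "encapsulation ppp" not in cmds:
            continue
        auth = [c.split() for c in cmds if c.startswith("ppp authentication ")]
        if not auth:
            findings.append(f"{name}: no ppp authentication command")
        elif auth[0][2] not in ALLOWED_PPP_METHODS:
            findings.append(f"{name}: unexpected ppp authentication method '{auth[0][2]}'")
    return findings


# Constructed sample: the page's minimum plus two async dialup interfaces (Async2 is incomplete).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host 192.0.2.10 single
tacacs-server key EXAMPLE_KEY
enable secret EXAMPLE_SECRET
aaa authentication login no_tacacs enable
!
interface Async1
 encapsulation ppp
 ppp authentication MS-CHAP
!
interface Async2
 encapsulation ppp
!
line con 0
 login authentication no_tacacs
"""

# Constructed variant with network accounting dropped and the console fallback unbound.
LOCKOUT_CONFIG = SAMPLE_CONFIG.replace(
    "aaa accounting network start-stop tacacs+\n", "").replace(
    " login authentication no_tacacs\n", "")

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(label, audit_nas_aaa(cfg) or ["ok"])
```

Run against an exported running-config, the audit flags the Async2 interface in the sample and, in the variant, both the missing accounting command (which the token-caching step depends on) and the console bound to the default list with no enable fallback.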

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number to the NAS.

Step 2   Right-click the Connection icon and click Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list box, select PPP.

Step 5   In the Advanced options area, select the Log on to network check box. This will cause the client to attempt to log on to the Windows NT/2000 domain when dialing in.

Step 6   Click to clear the Require encrypted password check box.

Step 7   In the Allowed network protocols area, select the IP and/or IPX check box.

Step 8   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.

Step 9   When you make a connection, enter the username and the token one-time password (OTP) using the correct convention to authenticate successfully.

  • For PAP, enter the following information:

    • The username

    • The Token card PIN and OTP password

  • For CHAP, enter the following information:

    • username*tokencardPINOTP as the username.
      For example, jsmith*1234123456

    • The CHAP password

  • For MS-CHAP, enter the following information:

    • username*tokencardPINOTP as the username.
      For example, jsmith*1234123456

    • The MS-CHAP password.
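The entry convention above differs by protocol: with PAP the username field is plain and the PIN plus token code goes in the password field, while with CHAP and MS-CHAP the username field carries username*PINOTP and the password field carries the CHAP password. The following helper is an added example for this page, not Cisco or SDI code; it parses the client-side entry into the pieces each server ends up evaluating and masks the passcode for logging. The separator, field names and sample values follow the page's jsmith*1234123456 example; the redaction helper and error messages are constructed.

```python
TOKEN_SEPARATOR = "*"   # separates the username from the PIN+OTP in CHAP/MS-CHAP logins
SECRET_FIELDS = ("passcode", "chap_password")


def split_token_login(protocol, username_field, password_field):
    """Map a dial-up login entry to the pieces the token server and the NAS will see.

    Returns a dict with the plain username, the SDI passcode (PIN followed by the
    one-time password) and, for CHAP/MS-CHAP, the separate CHAP password. Raises
    ValueError when the entry does not follow the convention for the protocol.
    """
    proto = protocol.upper()
    if proto == "PAP":
        # PAP: plain username; PIN and OTP are typed into the password field.
        if TOKEN_SEPARATOR in username_field:
            raise ValueError("PAP uses the plain username; type PIN+OTP in the password field")
        return {"protocol": proto, "username": username_field, "passcode": password_field}
    if proto in ("CHAP", "MS-CHAP"):
        # CHAP/MS-CHAP: 'username*PINOTP' in the username field, CHAP password separately.
        username, sep, passcode = username_field.partition(TOKEN_SEPARATOR)
        if not sep or not username or not passcode:
            raise ValueError(f"{proto} expects username{TOKEN_SEPARATOR}PINOTP in the username field")
        return {"protocol": proto, "username": username,
                "passcode": passcode, "chap_password": password_field}
    raise ValueError(f"unsupported protocol {protocol!r}")


def redact(entry):
    """Copy of a parsed entry safe to write to a log: secrets replaced, username kept."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in entry.items()}


if __name__ == "__main__":
    # Constructed entries following the page's convention.
    print(redact(split_token_login("CHAP", "jsmith*1234123456", "chap-secret")))
    print(redact(split_token_login("PAP", "jsmith", "1234123456")))
```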


Tips

Consider the following:

  • Because PAP, CHAP, and MS-CHAP passwords can be stored in the Cisco Secure ACS user database, this configuration can support PAP, CHAP, or MS-CHAP as the authentication protocol. To use PAP or MS-CHAP authentication, substitute the word PAP or MS-CHAP, respectively, in place of CHAP in the NAS configuration example earlier in this section.

  • Because single login is not available with token-card authentication, logging in to a Windows NT/2000 network requires two steps.

Dialup Using Novell NDS with TACACS+

This configuration presents examples of the information you need to use Cisco Secure ACS with Novell NetWare Directory Services (NDS). You can increase the level of security by using Novell NDS for authentication while still permitting Cisco Secure ACS to authorize services after a successful authentication. This section includes examples for a TACACS+ NAS; however, the protocol is transparent to Novell NDS.

Windows NT/2000 Server Configuration

On the Windows NT/2000 Server, configure the following items:

  • The Novell NetWare requestor software for Novell NDS must be installed on the same Windows NT/2000 server on which Cisco Secure ACS is installed. Refer to the Novell NDS documentation for information on proper installation.

  • Users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

In Cisco Secure ACS, configure the items in the following sections.

Network Configuration


Note   If the first NAS to which clients dial in was set up during the installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   From the Authenticate Using list box, click TACACS+ (Cisco IOS) as the security control protocol.


External User Database Configuration

To add a new configuration for the external user database:


Step 1   Click External User Databases.

Step 2   Click Database Configuration.

Step 3   Click NDS Database.

Result: If no Novell NDS database has yet been configured, the Database Configuration Creation page appears. Otherwise, the External User Database Configuration page appears.

Step 4   If you are creating a new configuration, follow these steps:

   a. Click Create New Configuration.

   b. Type a name for the new configuration for Novell NDS Authentication in the box provided.

Step 5   Click Configure.

Step 6   Complete the fields in the blank form at the bottom of the NDS Authentication Support page.


Note   You must select the Add Tree check box to confirm that you want to create a new tree configuration.

  • Add New Tree—Selecting this check box confirms that you want to add a new tree.

  • Test Login—Selecting this check box causes Cisco Secure ACS to test the tree's administrative login to the Novell server when you click Submit.

  • Tree Name—The name of the Novell NDS tree against which Cisco Secure ACS should authenticate users.

  • Administrator Username—The username for the administrator of the Novell server.

  • Administrator Password—The password for the administrator of the Novell server.

  • Context List—The full context list with each context specified in canonical, typeless form; that is, remove the o= and ou= and separate each part of the context using a period (.). You can define more than one context list. If you do, separate them with a comma. For example, if your Organization is Corporation, your Organization Name is Chicago, and you want to define two Context names, Marketing and Engineering, you would type:

    Engineering.Chicago.Corporation, Marketing.Chicago.Corporation

You do not need to add users in the Context List box.

See your Novell documentation for more information on trees and contexts.

Step 7   Click OK.
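The Context List rule in Step 6 (strip the o= and ou= type labels, join the components with periods, separate several contexts with commas, and never list user objects) is easy to get wrong when the contexts are copied from typed NDS or LDAP names. The converter below is an added example for this page, not Novell or Cisco code: it accepts typed names in either notation or an already typeless name, produces the canonical typeless form, and rejects entries that name a user (cn=) or use a container type the page does not mention. Treating only o and ou as valid container types is an assumption; the example contexts are the page's own.

```python
import re

TYPED = re.compile(r"^(\w+)=(.+)$")
CONTAINER_TYPES = {"o", "ou"}   # the page names only o= and ou=; others are rejected (assumption)


def typeless_context(context: str) -> str:
    """Return one NDS context in canonical typeless form, e.g. Engineering.Chicago.Corporation.

    Accepts typed names in NDS notation ('ou=Engineering.ou=Chicago.o=Corporation') or
    LDAP notation ('ou=Engineering,ou=Chicago,o=Corporation'), or an already typeless
    name with or without a leading period.
    """
    parts = [p.strip() for p in re.split(r"[.,]", context.strip()) if p.strip()]
    if not parts:
        raise ValueError("empty context")
    names = []
    for part in parts:
        m = TYPED.match(part)
        if m is None:
            names.append(part)          # already typeless
            continue
        kind, value = m.group(1).lower(), m.group(2).strip()
        if kind == "cn":
            raise ValueError(f"{context!r} names a user object; the Context List takes containers only")
        if kind not in CONTAINER_TYPES:
            raise ValueError(f"{context!r}: unsupported component type {kind!r}")
        names.append(value)
    return ".".join(names)


def build_context_list(contexts) -> str:
    """Join several contexts the way the Context List box expects them."""
    return ", ".join(typeless_context(c) for c in contexts)


if __name__ == "__main__":
    print(build_context_list([
        "ou=Engineering.ou=Chicago.o=Corporation",   # NDS typed form
        "ou=Marketing,ou=Chicago,o=Corporation",     # LDAP typed form
    ]))
```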


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To enable the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, type the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To control the number of simultaneous sessions allowed to a group, and to specify the number of sessions allowed to users in the groups, type the appropriate number in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4   To enable the NAS to support dial-in clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 5   To make Cisco Secure ACS a "DHCP-like" server, enable IP Pool and type the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 6   To permit the NAS to support dial-in clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


Note   To enable Telnet sessions to be run by the client or to enable Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select NDS Database as the method for password authentication.

Step 3   Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.


Note   All groups can be renamed, but Cisco Secure ACS tracks each group by its original number.

Step 4   To permit or deny users to call only from a particular location, type the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 5   If you are using dial in, to assign a particular IP address to the user, type it in the Static IP Address field.

Step 6   To set expiration conditions for the user, configure them here.


NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. Novell NDS requires PAP authentication, because CHAP verification needs the cleartext password and NDS does not hand that to Cisco Secure ACS.

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    tacacs-server host ip_address single
    tacacs-server key key
    enable secret password
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

Type the following command under each interface used for dial-in access:

    ppp authentication pap
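The minimum configuration above is easy to mistype, and two of its properties deserve a check before the NAS goes into service: every dial-in interface must use the PPP method the external database supports (PAP for NDS), and the console must be bound to a method list that does not depend on the TACACS+ server. The linter below is an added example, not part of the Cisco documentation; it parses an IOS-style configuration text and reports those points, plus one caveat the page does not state: a login method list whose only method is the remote server leaves vty access unusable while that server is unreachable. The same checks apply to the TACACS+ and RADIUS NAS configurations later in this chapter. The sample configuration, its address and its key are constructed for the example.

```python
"""Lint the minimum AAA configuration shown for the NAS.

Added example, not part of the Cisco documentation. Checks: aaa new-model
present; a default login method list exists and has a fallback after the
remote server; the server host and shared key are configured for the
protocol the method lists use; the console is bound to a list that does not
depend on the remote server; and every 'ppp authentication' line uses the
method the external database requires. SAMPLE_CONFIG is constructed here.
"""
import re
from typing import List

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host 192.0.2.10 single
tacacs-server key s3cr3t
enable secret password
aaa authentication login no_tacacs enable
line con 0
 login authentication no_tacacs
interface Async1
 ppp authentication chap
"""

# Methods that need a reachable server; 'group' covers 'group tacacs+' / 'group radius'.
REMOTE_METHODS = {"tacacs+", "radius", "group"}


def lint_aaa_config(config: str, required_ppp_auth: str = "pap") -> List[str]:
    """Return a list of findings (prefixed ERROR/WARN); an empty list means the config passes."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []

    if "aaa new-model" not in lines:
        findings.append("ERROR: 'aaa new-model' missing; AAA method lists are ignored without it")

    # Collect login method lists: aaa authentication login <name> <method> [<method> ...]
    login_lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    if "default" not in login_lists:
        findings.append("ERROR: no 'aaa authentication login default' method list")
    else:
        methods = login_lists["default"]
        if methods[0] in REMOTE_METHODS and len(methods) == 1:
            findings.append("WARN: default login list has no fallback after "
                            f"{methods[0]}; vty login fails while the server is unreachable")

    # Server definition and shared key for whichever protocol the method lists use.
    proto = "tacacs" if any("tacacs+" in l for l in lines) else "radius"
    if not any(l.startswith(f"{proto}-server host ") for l in lines):
        findings.append(f"ERROR: no '{proto}-server host' configured")
    if not any(l.startswith(f"{proto}-server key ") for l in lines):
        findings.append(f"ERROR: no '{proto}-server key' configured; the server will reject the NAS")

    # The console must be bound to a list that does not depend on the remote server.
    con_list, in_con = None, False
    for l in lines:
        if l.startswith("line con"):
            in_con = True
        elif in_con and not l.startswith(" "):
            in_con = False
        elif in_con:
            m = re.match(r"\s*login authentication (\S+)", l)
            if m:
                con_list = m.group(1)
    if con_list is None or any(m in REMOTE_METHODS for m in login_lists.get(con_list, ["tacacs+"])):
        findings.append("WARN: console line is not bound to a local-only login list (e.g. 'enable')")

    # Every dial-in interface must use the PPP method the external database supports.
    for l in lines:
        m = re.match(r"\s*ppp authentication (\S+)", l)
        if m and m.group(1).lower() != required_ppp_auth:
            findings.append(f"ERROR: 'ppp authentication {m.group(1)}' found; "
                            f"this external database requires {required_ppp_auth}")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa_config(SAMPLE_CONFIG, required_ppp_auth="pap"):
        print(finding)
```

Run it with required_ppp_auth="pap" for the NDS configuration and "chap" for the CRYPTOCard and Cisco Secure ACS user database configurations; the sample deliberately contains a CHAP interface so that the PAP check fires.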

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number to the NAS.

Step 2   Right-click the Connection icon, and click Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list box, select PPP.

Step 5   To log on to the Windows NT/2000 domain, select the Log on to network check box in the Advanced options area.

Step 6   Click to clear the Require encrypted password check box. This is required here because the NAS authenticates with PAP, which the client refuses while the check box is selected.

Step 7   In the Allowed network protocols area, select the IP and/or IPX check boxes.

Step 8   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.


Tips

Consider the following:

  • With Cisco Secure ACS and Novell NDS, you must use the PAP authentication protocol. The NAS configuration example earlier in this section therefore already uses ppp authentication pap; do not substitute CHAP, because NDS cannot supply Cisco Secure ACS with the cleartext password that CHAP verification requires.

  • Because single login is not available with Novell NDS authentication, logging in to a Windows NT/2000 network requires two steps.

Dialup Using a CRYPTOCard Token-Card Server with TACACS+

This configuration shows how to implement Cisco Secure ACS with the CRYPTOCard token-card server. To increase the level of security by using a token card, you can use the CRYPTOCard server for authentication while still letting Cisco Secure ACS authorize the services after a successful authentication.

Windows NT/2000 Server Configuration

On the Windows NT/2000 Server, configure the following items:

  • The CRYPTOCard server is embedded within the Cisco Secure ACS software. To configure CRYPTOCard, configure the data files in the CRYPTOAdmin software, which is included on the Cisco Secure ACS CD-ROM. After the data files are configured, place them on the same Windows NT/2000 server on which Cisco Secure ACS is installed. Refer to the CRYPTOCard server documentation for information on proper installation.

  • Users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

In Cisco Secure ACS, configure the items in the following sections.

Network Configuration


Note   If the first NAS to which clients dial in was set up during the installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   From the Authenticate Using list box, click TACACS+ (Cisco IOS) as the security control protocol.


External User Database Configuration

To add a new configuration for the external user database, follow these steps:


Step 1   Click External User Databases.

Step 2   Click Database Configuration.

Step 3   Click CRYPTOCard Token Server to enable Cisco Secure ACS to support the CRYPTOCard token card. Type CRYPTOCard in the field.

Step 4   In the CRYPTOCard Directory field, type the full directory path in which the CRYPTOCard files are located. The directory must contain the CRYPTOCard and CCSecret files; otherwise, a configuration error occurs. Click Submit. A window opens that enables you to test your CRYPTOCard token server configuration.

Step 5   (Optional) To verify the configuration of your CRYPTOCard token server, click Test.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more control for dial-in access, select the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, type the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To control the maximum number of simultaneous sessions allowed to a group and to each user in the group, type the appropriate numbers in the Max Sessions fields.

If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4   Cisco Secure ACS can cache the token password so that the second ISDN B channel can be authenticated when it is brought into service without a fresh OTP. Select one of these token-caching methods:

  • If the second B-channel service goes up and down dynamically, select Session.

  • If both B channels stay in service, select Duration. Type the number of minutes for Cisco Secure ACS to cache the password. Keep this window short: while it is open, the cached OTP is accepted again, which weakens the one-time property of the token.

Token caching relies on accounting records from the NAS. Verify that accounting is enabled on the NAS; the configuration file should include the command aaa accounting network start-stop tacacs+.

Step 5   To allow the NAS to support dial-in clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 6   To make Cisco Secure ACS a "DHCP-like" server, enable IP Pool and type the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 7   To enable the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


Note   To enable Telnet sessions to be run by the client or to enable Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select CRYPTOCard Token Server as the method for password authentication.

Step 3   If you are using CHAP authentication, type and confirm the password in the first set of the Cisco Secure ACS user database password fields.

Step 4   Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.


Note   All groups can be renamed, but Cisco Secure ACS tracks each group by its original number.

Step 5   To permit or deny users to call only from a particular location, type the applicable information in the Network Access Restrictions field. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6   If you are using dial in, to assign a particular IP address to the user, type it in the Static IP Address field.

Step 7   To set expiration or aging conditions for the user, configure them here.


NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+. CHAP can be used because the CHAP password is stored in the Cisco Secure ACS user database (see User Setup, Step 3):

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    tacacs-server host ip_address single
    tacacs-server key key
    enable secret password
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

Type the following command under each interface used for dial-in access:

    ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number to the NAS.

Step 2   Right-click the Connection icon and click Properties.

Step 3   Click the Server Type tab and click PPP from the Type of Dial-Up Server list box.

Step 4   In the Advanced options area, select the Log on to network check box. This will cause the client to attempt to log on to the Windows NT/2000 domain when dialing in.

Step 5   Clear the Require encrypted password check box. This is necessary only if the NAS is configured for PAP; with the CHAP configuration shown in the NAS Configuration section, the client can keep it selected.

Step 6   In the Allowed network protocols area, select the IP and/or IPX check boxes.

Step 7   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.

Step 8   When making a connection, type the username and the token OTP using the convention that matches the PPP authentication method configured on the NAS:

  • For PAP, type the following information:

    • The username as the username.

    • The OTP displayed by the token as the password.

  • For CHAP, type the following information:

    • username*OTP as the username.
      For example, jsmith*1234123456

    • The CHAP password stored for the user in the Cisco Secure ACS user database (User Setup, Step 3) as the password.


Tips

Consider the following:

  • Because CHAP passwords can be stored in Cisco Secure ACS for token-card support, this configuration can support PAP or CHAP as the authentication protocol. To use PAP authentication on the NAS, substitute the word PAP in place of CHAP in the NAS Configuration example earlier in this section.

  • Because single login is not available with token-card authentication, logging in to a Windows NT/2000 network requires two steps.
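The PAP and CHAP conventions in Step 8 and the two tips above follow from what each protocol sends. PAP delivers the password itself, so any database that can answer "is this password correct?" (Novell NDS, a token server) can verify it. CHAP delivers only MD5(identifier || secret || challenge), so the verifier must hold the cleartext secret; that is why a CHAP password is stored in the Cisco Secure ACS user database for token-card users, why the OTP has to travel in the username field, and why the NDS configuration earlier in this chapter is restricted to PAP. The following code, added here as an example and not part of the Cisco documentation, models both sides: the NAS computing the CHAP response, a server verifying it against a stored cleartext password, a PAP check delegated to an external verifier, and the username*OTP split. The names, passwords and OTP values are constructed for the example, and the token verifier is a stand-in for the CRYPTOCard server.

```python
"""PPP PAP and CHAP as seen by the NAS and by the authentication server.

Added example, not from the Cisco documentation. Models RFC 1994 CHAP on both
sides, a PAP check delegated to an external verifier, and the CRYPTOCard CHAP
convention from the page (username*OTP as the username, the static CHAP
password stored in Cisco Secure ACS as the password). All credentials below
are constructed; token_check stands in for the CRYPTOCard server.
"""
import hashlib
import os
from typing import Callable, Optional, Tuple


# --- NAS / dial-in peer side ---------------------------------------------------

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s2.4: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def nas_chap_exchange(peer_secret: bytes, ident: int = 7) -> Tuple[int, bytes, bytes]:
    """NAS issues a fresh random challenge; the peer answers with the hashed secret."""
    challenge = os.urandom(16)
    return ident, challenge, chap_response(ident, peer_secret, challenge)


# --- Authentication server side -----------------------------------------------

def verify_chap(stored_cleartext: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """Needs the cleartext password: a bind-only or hash-only store cannot do this."""
    return hashlib.md5(bytes([ident]) + stored_cleartext + challenge).digest() == response


def verify_pap(check_password: Callable[[bytes, bytes], bool], username: bytes, password: bytes) -> bool:
    """PAP forwards the password itself, so an external verifier (NDS, a token server) suffices."""
    return check_password(username, password)


def split_token_username(username: str) -> Tuple[str, Optional[str]]:
    """CRYPTOCard CHAP convention: 'jsmith*1234123456' -> ('jsmith', '1234123456')."""
    name, sep, otp = username.partition("*")
    return (name, otp) if sep and otp else (name, None)


def acs_token_chap_login(username: str, ident: int, challenge: bytes, response: bytes,
                         chap_store: dict, token_check: Callable[[str, str], bool]) -> bool:
    """Two checks: CHAP over the stored static password, then the OTP carried in the username."""
    name, otp = split_token_username(username)
    if otp is None or name not in chap_store:
        return False
    if not verify_chap(chap_store[name], ident, challenge, response):
        return False
    return token_check(name, otp)


if __name__ == "__main__":
    # Constructed data: one user with a static CHAP password and one valid OTP.
    chap_store = {"jsmith": b"chap-static-pw"}
    valid_otps = {("jsmith", "1234123456")}
    ident, challenge, response = nas_chap_exchange(chap_store["jsmith"])
    print(acs_token_chap_login("jsmith*1234123456", ident, challenge, response,
                               chap_store, lambda n, o: (n, o) in valid_otps))
```

Note that verify_chap has no way to succeed without the cleartext, which is exactly the property that forces PAP for NDS and forces the static CHAP password into the Cisco Secure ACS user database for token-card users.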

Dialup Using the Cisco Secure ACS User Database with Cisco IOS RADIUS

This dialup configuration can be used by administrators who want to use RADIUS authentication/authorization processing. Administrators who need to support non-Cisco equipment might use RADIUS. Cisco Secure ACS supports Cisco, Internet Engineering Task Force (IETF), and Ascend RADIUS attributes.

Windows NT/2000 Server Configuration

No Windows NT/2000 server Configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

Configure these parameters in Cisco Secure ACS.

Network Configuration


Note   If the first NAS into which clients dial was set up during the installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and the Cisco Secure ACS.

Step 6   From the Authenticate Using list, click RADIUS (Cisco IOS).


Note   The single TCP connection check box does not apply to RADIUS, which runs over UDP rather than TCP.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the attributes for RADIUS to be configurable for a group, click RADIUS (Cisco IOS).

Step 2   To add more controls for dial-in access, check the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

Configure the following parameters in the Group Setup window for the desired group:

  • Clients running IP over a PPP connection—Enable attribute 006 (Service-Type) and select Framed. Enable attribute 007 (Framed-Protocol) and select PPP (async or ISDN).

  • Clients running Shell (exec) connections (async or ISDN)—Enable attribute 006 (Service-Type) and select Login.

If these attributes are not displayed, enable them in the Interface Configuration window.
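The attributes above are returned to the NAS in the RADIUS Access-Accept, and the shared secret entered in Network Configuration (and, for the concentrator later in this chapter, in its Server Secret field) is what ties the two ends of that exchange together. The following code, added here as an example and not part of the Cisco documentation, builds the exchange per RFC 2865: the NAS hides the PAP password with an MD5 stream keyed by the secret and a random Request Authenticator, and the server proves it holds the same secret through the Response Authenticator on an Accept carrying Service-Type = Framed and Framed-Protocol = PPP. Addresses, the secret and the credentials are constructed for the example, and the server side is a stand-in for Cisco Secure ACS.

```python
"""RADIUS Access-Request / Access-Accept between a NAS and the server (RFC 2865).

Added example, not from the Cisco documentation. Shows User-Password hiding
(s5.2), the Response Authenticator (s3) and the two IETF attributes the Group
Setup section enables: Service-Type (6) = Framed (2), Framed-Protocol (7) =
PPP (1). The secret, addresses and user database are constructed here.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1


def attr(type_: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, including this header) Value."""
    return struct.pack("!BB", type_, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """XOR 16-byte blocks of the NUL-padded password with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert hide_password and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username: bytes, password: bytes, nas_ip: str,
                         secret: bytes, ident: int = 1) -> bytes:
    """NAS side. The Request Authenticator must be unpredictable: it keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = (attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: a reply forged without the shared secret fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected and response[1] == request[1]


def server_check(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> Optional[bytes]:
    """Server side: recover the PAP password, check it, and answer with an Accept or nothing."""
    a = parse_attrs(request[20:])
    if users.get(a.get(USER_NAME)) != reveal_password(a[USER_PASSWORD], secret, request[4:20]):
        return None
    return build_access_accept(request, secret)


if __name__ == "__main__":
    secret, users = b"sharedsecret", {b"jsmith": b"Pa55word-longer-than-16-bytes"}  # constructed
    req = build_access_request(b"jsmith", users[b"jsmith"], "192.0.2.1", secret)
    rsp = server_check(req, secret, users)
    print(rsp is not None and verify_response(req, rsp, secret))
```

Two things the code makes visible: a mismatched secret on either side produces a silent failure (the server recovers garbage and sends nothing, or the NAS discards the reply), and the password hiding is a keyed XOR stream rather than encryption, which is why the RADIUS shared secret and the path between NAS and server both need protecting.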

User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select the Cisco Secure ACS user database as the method for password authentication.

Step 3   Type and confirm a password in the first set of the Cisco Secure ACS user database password fields.

Step 4   Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.

Step 5   To set expiration conditions for the user, configure them here.

Step 6   If you are using dial in, to assign a particular IP address to the user, type it in the Static IP Address field.


NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using RADIUS. CHAP can be used because the Cisco Secure ACS user database is being used:

    aaa new-model
    aaa authentication login default radius
    aaa authentication ppp default radius
    aaa authorization exec radius
    aaa authorization network radius
    aaa accounting network start-stop radius
    aaa accounting exec start-stop radius
    radius-server host ip_address
    radius-server key key
    enable secret password
    aaa authentication login no_radius enable
    line con 0
    login authentication no_radius

Enter one of the following commands under each interface used for dial-in access:

    ppp authentication chap

or

    ppp authentication pap

Client Configuration

The client can be an async or ISDN client.

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number to the NAS.

Step 2   Right-click the Connection icon, and click Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list box, click PPP.

Step 5   In the Advanced options area, select the Log on to network check box. This will cause the client to attempt to log on to the Windows NT/2000 domain when dialing in.

Step 6   Click to clear the Require encrypted password check box. This is necessary only if the NAS is configured for PAP; with CHAP or MS-CHAP on the NAS, the client can keep it selected.

Step 7   In the Allowed network protocols area, select the IP check box.

Step 8   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.


Tips

Consider the following:

  • Administrators using Cisco IOS RADIUS can enable vendor-specific attributes (VSAs). Use the dialog box to configure Cisco AV pairs and add flexibility to the network.

  • Because PAP, CHAP, and MS-CHAP passwords can be stored in the Cisco Secure ACS user database, you can use either PAP, CHAP, or MS-CHAP as the authentication protocol with this configuration. To use PAP or MS-CHAP authentication, substitute the word PAP or MS-CHAP as applicable in place of CHAP in the NAS configuration example earlier in this section.

  • Because single login is not available with CHAP authentication, logging in to a Windows NT/2000 network requires two steps.

Cisco VPN 3000 Concentrator Authentication Using the CiscoSecure ACS User Database

This dialup configuration can be used by administrators who want to use Cisco VPN 3000 Concentrators with RADIUS authentication/authorization processing. Users connecting to the network are expected not to dial directly into the network, but to dial into an Internet service provider and gain remote access to your network via a Virtual Private Network (VPN) tunnel. Users must have the Cisco VPN 3000 Client installed on their Windows computer. The tunnel endpoints would be at the client and at the Cisco VPN 3000 Concentrator, inside your network perimeter.

NAS Configuration

The NAS in this configuration is the Cisco VPN 3000 Concentrator. Configuring the Cisco VPN 3000 Concentrator to authenticate users via Cisco Secure ACS involves two procedures:

  • Adding the Cisco Secure ACS server

  • Configuring a tunnel group


Note   The configuration presented in this section represents the minimum configuration needed to permit remote access to your network via VPN connections. It is written with the assumption that the default settings in the concentrator's Base Group have not changed.

For more information about configuring the Cisco VPN 3000 Concentrator, see the documentation included with your Cisco VPN 3000 Concentrator.

Adding the Cisco Secure ACS Server

To add the Cisco Secure ACS server to the Cisco VPN 3000 Concentrator configuration, follow these steps:


Step 1   Log in to the Cisco VPN 3000 Concentrator. Similar to Cisco Secure ACS, the concentrator provides a web-based interface.

Step 2   Select Configuration: System: Servers: Authentication.

Step 3   Click Add.

Step 4   Select RADIUS from the list of server types.

Step 5   Add the following parameters to identify the Cisco Secure ACS as the RADIUS server:

  • Authentication Server—Type the IP address of the Cisco Secure ACS server.

  • Server Port—Type 1645. This is the default port on which Cisco Secure ACS listens for authentication and authorization requests. (1645 is the legacy RADIUS authentication port; the IANA-assigned port is 1812. Whichever port you use, the concentrator and Cisco Secure ACS must agree.)

  • Server Secret—Type the RADIUS shared secret (key). This must be the same as the shared secret typed when you create the NAS in Cisco Secure ACS.

  • Verify—Re-type the RADIUS shared secret.

Step 6   Make sure the RADIUS server you added appears at the top of the authentication server list. To move the RADIUS server higher in the list, select it, then click Move Up until it appears at the top of the list.


Note   If the RADIUS server configured to allow authentication by Cisco Secure ACS does not appear at the top of the authentication list, the concentrator will not forward the authentication request to Cisco Secure ACS.

Step 7   Click Apply.

Step 8   Click Save Needed in the upper-right corner of the page.


Configuring a Tunnel Group

To configure a tunnel group, follow these steps:


Step 1   Continuing in the Cisco VPN 3000 Concentrator interface, select Configuration: User Management: Groups.

Step 2   Click the Identity tab.

Step 3   Change or add the following parameters:

  • Group Name—Type a name for the group, such as "IPSecUsers." This is the same group name that all Cisco VPN 3000 Clients should be configured to use.

  • Password—Type a password for the group. This is the same password that all Cisco VPN 3000 Clients should be configured to use. Because every client carries it, treat it as a group credential that identifies the tunnel group, not any one user; individual identity comes from the second, per-user authentication.

  • Verify—Re-type the password.

  • Type—Select External from the list box.

Step 4   Click Apply.

Step 5   Click Save Needed in the upper-right corner of the page.


Windows NT/2000 Server Configuration

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

Configure these parameters in Cisco Secure ACS.

Network Configuration

In this scenario, the NAS is the Cisco VPN 3000 Concentrator.

To configure a NAS using RADIUS (Cisco VPN 3000), follow these steps:


Step 1   Click Network Configuration.

Step 2   If you are using NDGs, click the name of the applicable NDG.

Step 3   Add or edit a NAS.

Step 4   Type the name of the NAS.

Step 5   Type the IP address of the NAS.

Step 6   Type the shared secret (key) of the NAS and the Cisco Secure ACS. This must be the same as the Server Secret entered when you configured the VPN 3000 Concentrator to use Cisco Secure ACS as its RADIUS server.

Step 7   From the Authenticate Using list, click RADIUS (Cisco VPN 3000).

Step 8   Click Submit+Restart.


Interface Configuration

To allow the attributes for RADIUS (Cisco VPN 3000) to be configurable for a group or user, follow these steps:


Step 1   In Interface Configuration, click RADIUS (Cisco VPN 3000).

Step 2   Enable the group-level Cisco VPN 3000 Concentrator RADIUS attribute. If needed, enable the user-level attribute also.


Note   The user-level check box is available only if Per-user TACACS+/RADIUS Attributes is enabled in Interface Configuration: Advanced Options.


Group Setup

You may need to configure the RADIUS attributes for groups containing users who will connect to your network via the Cisco VPN 3000 Concentrator.

To configure group-level RADIUS (Cisco VPN 3000) attributes, follow these steps:


Step 1   In Group Setup, access the group you need to configure.


Note   If the IETF RADIUS Attributes or Cisco VPN 3000 Concentrator RADIUS Attributes sections do not appear, configure Cisco Secure ACS to display them from Interface Configuration.

Step 2   In the IETF RADIUS Attributes section, follow these steps:

   a. Select attribute 006 and select Framed in the list box.

   b. Select attribute 007 and select PPP.

   c. Select and configure other attributes as needed.

Step 3   In the Cisco VPN 3000 Concentrator RADIUS Attributes section, follow these steps:

   a. Select attribute 031 and select On in the list.

   b. Enable other attributes as needed.


User Setup

For Cisco Secure ACS to authenticate VPN 3000 Concentrator users, the VPN 3000 group that users will use to access the network must exist in Cisco Secure ACS as a user. When a user requests access to the network, the VPN 3000 Concentrator will first authenticate the user's group; therefore, Cisco Secure ACS must have a user configured that corresponds to the user's VPN 3000 Concentrator group.

To create a Cisco Secure ACS user account that corresponds to the VPN 3000 Concentrator tunnel group, follow these steps:


Step 1   Select User Setup.

Step 2   Type the name of the tunnel group exactly as created in the VPN 3000 Concentrator (for example, "IPSecUsers"), and then click Add/Edit.

Step 3   Type a descriptive name in the Real Name and Description fields.

Step 4   Make sure CiscoSecure Database is selected in the Password Authentication list.


Note   If you want to authenticate the tunnel group user in a different database, you will also have to create a user for the tunnel group in that database.

Step 5   In the Password field, type the password assigned to the tunnel group exactly as it was created in the VPN 3000 Concentrator. Re-type the password in the Confirm Password field.

Step 6   Assign the user to an appropriate group.

Step 7   Click Submit.


Users accessing the network via the VPN 3000 Concentrator will need an account either in Cisco Secure ACS user database or in one of the external user databases you've configured.

You may need to configure the RADIUS attributes for each user who will connect to your network via the Cisco VPN 3000 Concentrator.

To configure user-level RADIUS (Cisco VPN 3000) attributes, follow these steps:


Step 1   In User Setup, access the user you need to configure.


Note   If the IETF RADIUS Attributes or Cisco VPN 3000 Concentrator RADIUS Attributes sections do not appear, configure Cisco Secure ACS to display them from Interface Configuration.

Step 2   In the IETF RADIUS Attributes section, enable the attributes that you need.

Step 3   In the Cisco VPN 3000 Concentrator RADIUS Attributes section, enable the Cisco VPN 3000-specific attributes that you need.

Step 4   If you are using dial-in, to assign a particular IP address to the user, type it in the Static IP Address field.

Step 5   Click Submit.


Client Configuration

Users must connect to your network via the Cisco VPN 3000 Client. When users initiate connection, the tunnel is created using the group name and password of the tunnel group rather than the user. A second authentication occurs when users enter their username and password.

To support the tunnel creation, the Cisco VPN 3000 Client must be configured to use the tunnel group's groupname and password.

To configure the VPN 3000 Client, follow these steps:


Step 1   Access the Authentication tab in the configuration settings for the VPN 3000 Client connection to your network.

Step 2   In the username field, enter the name assigned to the tunnel group in the Cisco VPN 3000 Concentrator.

Step 3   In the password field, enter the password assigned to both the tunnel group in the Cisco VPN 3000 Concentrator and to the user in Cisco Secure ACS that corresponds to the tunnel group.

Step 4   Save the settings and initiate a connection as usual.


For more information about configuring the Cisco VPN 3000 Client, see the documentation included with Cisco VPN 3000 Client.

Dialup for an ARAP Client Using the Cisco Secure ACS User Database with TACACS+

This section provides instructions for configuring a client using ARAP with TACACS+. The necessary (non-AAA) ARAP configuration parameters must already be configured on the NAS.


Note   When you use ARAP, the NAS must be running Cisco IOS Release 11.1.

Cisco Secure ACS Configuration

Configure the following items in the Cisco Secure ACS.

Network Configuration


Note   If the first NAS to which clients dial in was set up during installation of the Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit the NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.

Step 7   Click Submit + Restart.


Interface Configuration

In Interface Configuration: TACACS+ (Cisco IOS), follow these steps:


Step 1   Select the Group check box for the ARAP service.

Step 2   To add more controls for dial-in access, select the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the groups, type the applicable numbers in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4   To enable the NAS to support dial-in clients, enable ARAP.

Step 5   To permit Telnet sessions to be run by the client or to enable the Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

In the Cisco Secure ACS User Setup window, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select the Cisco Secure ACS user database as the method for Password authentication, and type and confirm a password in the first set of the Cisco Secure ACS user database password fields.

Step 3   Assign the user to a group. You can use Default Group, but it is better to use a different group, such as Group 1.

Step 4   To set expiration or aging conditions for the user, configure them here.


NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ and ARAP:

    aaa new-model
    ! ARAP users are authenticated against Cisco Secure ACS over TACACS+
    aaa authentication arap default tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    ! ip_address and key are placeholders for the ACS host and the shared secret
    ! entered in Network Configuration; single-connection keeps one TCP session open
    tacacs-server host ip_address single-connection
    tacacs-server key key
    enable secret password
    ! console fallback so an unreachable ACS does not lock you out of the NAS
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

Type the following commands under each line used for dial-in access with ARAP:

    autoselect arap
    arap enable

Client Configuration

The client configured in this example is an Apple Macintosh (PowerPC) running Mac OS 7.5.5 with the AppleTalk Remote Access 2.1 client software.


Step 1   In the Remote Access Client software, create a new profile.

Step 2   Configure these items in the Connect As section:

  • Username

  • Password

  • Dial number

Step 3   Click Connect to initiate a call.


NAS Management Using the Cisco Secure ACS User Database with TACACS+

This section describes how to tighten access to the NAS configuration. Command authorization and administrative privilege levels let you control what administrators can do on the NAS, and the TACACS+ accounting reports let you monitor what they did. IS managers can use this method to control and audit administration activity on their NASes.

Windows NT/2000 Server Configuration

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

In Cisco Secure ACS, configure the following items.

Network Configuration


Note   If the first NAS to which clients dial in was set up during installation of the Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.

Step 7   If the NAS is configured for single-connection TACACS+ (tacacs-server host ip_address single-connection), select the single TCP connection option for this NAS so that Cisco Secure ACS multiplexes requests over one connection instead of opening one per request.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, select the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or to enhance the detail of your access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To control the number of simultaneous sessions allowed to a group and to specify the number of sessions allowed to users in the group, type the appropriate numbers in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4   To enable the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


Note   To permit Telnet sessions to be run by the client or to allow Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 5   Assign the authorization privilege level for the group in the Shell (exec) section.

Step 6   To permit or deny Cisco IOS commands in Cisco Secure ACS Group Setup, make sure the proper command authorization has been configured on the NAS. (See NAS Configuration.)

Step 7   To permit or deny authorization of any command not specified for the group, click Permit/Deny in the Unmatched Cisco IOS Commands section.

Step 8   Select the Command check box and type the command to authorize in the text box. In the arguments box, list the argument(s) of that command to permit or deny, one per line, each line beginning with permit or deny. For example, for the command show, type the following to allow show running-config and show ip route but refuse show interface ethernet 0:

    permit running-config
    permit ip route
    deny interface ethernet 0

Step 9   Under Unlisted arguments, select Permit to permit all unlisted arguments for the command being configured. Select Deny to deny all unlisted arguments for the command being configured.

Step 10   To type another command, click Submit, and then click Edit Group Settings. Scroll down and configure another command for authorization until you have entered all your commands. To activate the changes immediately, click Submit + Restart.
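The following Python model is an added example and not Cisco Secure ACS code. It applies the Group Setup command-authorization rules described in Steps 7 through 10 (per-command permit/deny argument lines, the Unlisted arguments switch and the Unmatched Cisco IOS Commands switch) to commands as a NAS would send them, so you can test a rule set before it gates access to a router. It assumes first-match evaluation of the argument lines and start-anchored regular-expression matching of the argument text; confirm both against your ACS release before relying on them.

```python
# Added example, not Cisco Secure ACS code: a model of how the Group Setup
# command-authorization rules are applied to an IOS command. First-match
# evaluation and start-anchored regex matching of arguments are assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One 'Command' box: its argument lines and the Unlisted arguments switch."""
    args: List[Tuple[str, str]] = field(default_factory=list)  # ("permit"|"deny", pattern)
    unlisted_args: str = "deny"                                 # "permit" or "deny"


@dataclass
class CommandSet:
    """The whole Shell (exec) command-authorization section for a group."""
    rules: Dict[str, CommandRule] = field(default_factory=dict)
    unmatched_commands: str = "deny"                            # Unmatched Cisco IOS Commands


def parse_rule(lines: str, unlisted_args: str = "deny") -> CommandRule:
    """Parse the arguments box text, one 'permit <args>' or 'deny <args>' per line."""
    rule = CommandRule(unlisted_args=unlisted_args)
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        action, _, pattern = raw.partition(" ")
        if action not in ("permit", "deny"):
            raise ValueError(f"argument line must start with permit or deny: {raw!r}")
        rule.args.append((action, pattern.strip()))
    return rule


def authorize(cmdset: CommandSet, line: str) -> bool:
    """Decide one TACACS+ command-authorization request.

    `line` is the command as the NAS sends it: expanded keywords separated by
    single spaces, for example 'show ip route 10.0.0.0'.
    """
    parts = line.split()
    if not parts:
        return False
    command, argv = parts[0], " ".join(parts[1:])
    rule = cmdset.rules.get(command)
    if rule is None:
        return cmdset.unmatched_commands == "permit"
    for action, pattern in rule.args:
        if re.match(pattern, argv):          # anchored at the start of the argument text
            return action == "permit"
    return rule.unlisted_args == "permit"


def page_example() -> CommandSet:
    """The 'show' rule from Step 8, with unlisted arguments and unmatched commands denied."""
    show = parse_rule("permit running-config\npermit ip route\ndeny interface ethernet 0")
    return CommandSet(rules={"show": show}, unmatched_commands="deny")
```

Because the first matching line decides, a deny placed after a broader permit never fires; put the specific deny lines first. The NAS sends commands with keywords expanded, so write patterns against full keywords (running-config, not run) even if administrators type abbreviations.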


User Setup

In the Cisco Secure ACS User Setup window, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select CiscoSecure Database as the method for password authentication.

Step 3   Type and confirm a password in the first set of the Cisco Secure ACS user database password fields.

Step 4   Assign the user to a group. You can use Default Group, but it is better to use a different group, such as Group 1.

Step 5   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. User definition overrides group definition.

Step 6   If you are using dial in, to assign a particular IP address to the user, type it in the Static IP Address field.

Step 7   To set expiration conditions for the user, configure them here.

Step 8   To authenticate the user by privilege level, in the Advanced TACACS+ Settings window, enable TACACS+ Enable Control. Type and confirm the password to be used when accessing enable mode on the NAS.


Note   To enable the Advanced TACACS+ Settings, in the Interface Configuration: Advanced Options window, click TACACS+ (Cisco IOS).


Token-Server Configuration

No token-server configuration is required; token card servers are not used in this configuration.

NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ that authorizes NAS commands and authenticates users to a privilege level; if you define privilege levels other than 1 and 15 on the NAS, add the matching command authorization and accounting lines for them. CHAP can be used because the Cisco Secure ACS user database, unlike the Windows NT/2000 user database, can supply the user's password to the CHAP exchange.

    aaa new-model
    ! logins, PPP sessions and enable-mode requests are all authenticated by Cisco Secure ACS
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authentication enable default tacacs+
    ! EXEC and network authorization, plus per-command authorization for each
    ! privilege level in use (add a commands line for any other level you define)
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa authorization commands 1 tacacs+
    aaa authorization commands 15 tacacs+
    ! accounting feeds the TACACS+ Accounting and TACACS+ Administration reports
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    aaa accounting commands 1 start-stop tacacs+
    aaa accounting commands 15 start-stop tacacs+
    ! ip_address and key are placeholders for the ACS host and the shared secret
    tacacs-server host ip_address single-connection
    tacacs-server key key
    enable secret password
    ! console fallback so an unreachable ACS does not lock you out of the NAS
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

Type one of the following commands under each interface used for dial-in access:

    ppp authentication chap

or

    ppp authentication pap

Client Configuration

The client can be an async or ISDN client or reside on the network.

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number to the NAS.

Step 2   Right-click the Connection icon and click Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list, select PPP.

Step 5   In the Advanced options area, select the Log on to network check box. This will cause the client to attempt to log in to the Windows NT/2000 domain when dialing in.

Step 6   Click to clear the Require encrypted password check box.

Step 7   In the Allowed network protocols area, check the IP and/or IPX check boxes.

Step 8   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.

Step 9   When the connection comes up, type the username and password specified in the Cisco Secure ACS user database.


Tips

Consider the following:

  • In Reports and Activity: TACACS+ Administration and Reports and Activity: TACACS+ Accounting, Cisco Secure ACS captures the command activity and logs the information in comma-separated value (.csv) files.

  • By default, privilege levels 1 and 15 are present in the Cisco IOS software. You can define other privilege levels on the NAS to further control authorization.

  • Because single login is not available with CHAP authentication, login to a Windows NT/2000 network requires two steps.

Password Aging and User-Changeable Passwords Using Cisco Secure ACS with CAA

You can use the CiscoSecure Authentication Agent (CAA) with Cisco Secure ACS to notify users to change their passwords before they expire and to enable users to change their own passwords. This feature uses the CAA Messaging Service and the new CiscoSecure Control Message Protocol (CCMP).


Note   To use these features over a dial-in connection you must be using Release 2.2 or later of Cisco Secure ACS and a Cisco 25XX, 36XX, AS52XX or AS53XX access server running the Cisco IOS image for Release 11.5T or later.

Web Server Configuration

To use CAA, you must install and configure a web server. SSL is not required. CAA must be installed on a PC running Windows 95/98 or Windows NT/2000. See the Web Server Installation for Cisco Secure Access Control Server for Windows NT/2000 Servers User-Changeable Passwords quick reference card for instructions.

Cisco Secure ACS Configuration

Configure the following items in Cisco Secure ACS.

User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Create or edit a user.

Step 2   Assign a CHAP or PAP password to the user.

Step 3   Map the user to the group that is configured to use password aging.


Note   The Account Disable section of User Setup is not the same as password aging. If the password has aged, the account is expired, not disabled; expired accounts are reflected in the Account Disable section.


Group Setup

In the Group Setup window of Cisco Secure ACS, follow these steps:


Step 1   Under Password Aging Rules, select Apply age-by-date rules and complete the Active period, Warning period, and Grace period fields. For an explanation of these options, see "Step-by-Step Configuration for Cisco Secure ACS."

Step 2   Select Apply age-by-uses rules and type the number of logins after which to issue warning messages or to require password changes in the appropriate fields.


Note   If you do not want users to ever be notified, type -1 in these fields.

Step 3   To force the user to change the password on the first login after an administrator has changed the password, select the Apply password change rule check box.

Step 4   To issue a greeting or message at each successful login, select the Generate greetings for successful logins check box. This message is displayed in the CAA and is not displayed to users accessing your network by any other means, such as Telnet.


Network Configuration


Note   If the first NAS into which clients dial was set up during Cisco Secure ACS installation, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.


System Configuration

In the System Configuration window, follow these steps:


Step 1   Click Password Validation.

Result: The Password Validation Options window opens.

Step 2   Type the minimum and maximum length you want to require for the password. The default password length is from 4 through 32 characters.

Step 3   Select one or more of the following check boxes:

  • Password may not contain the username—Require that the password not contain the entire username within it

  • Password is different from the previous value—Require that the new password be different from the previous password

  • Password must be alphanumeric—Require the password to contain both characters and numbers
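To check how the Group Setup password aging rules (age-by-date, age-by-uses, and -1 meaning never) and the System Configuration password-validation options interact before rolling them out, the following Python model is an added example, not Cisco Secure ACS code. It treats the three age-by-date periods as consecutive windows counted from the last password change, treats the age-by-uses counters as login counts since that change, and compares the username case-insensitively; these are assumptions about the exact ACS semantics, and the dates and passwords used are constructed.

```python
# Added example, not Cisco Secure ACS code: a model of the Group Setup password
# aging rules and the System Configuration password-validation options.
# Consecutive aging windows, login-count semantics and case-insensitive
# username matching are assumptions; dates and passwords are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List

NEVER = -1  # the value the Group Setup note says disables a rule


@dataclass
class AgingRules:
    active_days: int = 30     # password usable without any warning
    warning_days: int = 5     # CAA shows "change soon" messages
    grace_days: int = 5       # still accepted, but a change is required
    warn_after_uses: int = NEVER
    change_after_uses: int = NEVER


def age_by_date_state(rules: AgingRules, last_changed: str, today: str) -> str:
    """Return active / warning / grace / expired for a password changed on last_changed (ISO dates)."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age < rules.active_days:
        return "active"
    if age < rules.active_days + rules.warning_days:
        return "warning"
    if age < rules.active_days + rules.warning_days + rules.grace_days:
        return "grace"
    return "expired"   # listed in the Disabled Accounts report as expired, not disabled


def age_by_uses_state(rules: AgingRules, logins_since_change: int) -> str:
    """Return active / warning / change_required from the login count; NEVER disables a rule."""
    if rules.change_after_uses != NEVER and logins_since_change >= rules.change_after_uses:
        return "change_required"
    if rules.warn_after_uses != NEVER and logins_since_change >= rules.warn_after_uses:
        return "warning"
    return "active"


@dataclass
class ValidationRules:
    min_length: int = 4       # the default 4 through 32 range from Step 2
    max_length: int = 32
    not_contain_username: bool = True
    different_from_previous: bool = True
    alphanumeric: bool = True


def validate_new_password(rules: ValidationRules, username: str, new: str, previous: str) -> List[str]:
    """Return the violated rules; an empty list means the change is accepted."""
    problems = []
    if not rules.min_length <= len(new) <= rules.max_length:
        problems.append(f"length must be {rules.min_length}-{rules.max_length}")
    if rules.not_contain_username and username.lower() in new.lower():
        problems.append("password contains the username")
    if rules.different_from_previous and new == previous:
        problems.append("password is the same as the previous one")
    has_alpha = any(c.isalpha() for c in new)
    has_digit = any(c.isdigit() for c in new)
    if rules.alphanumeric and not (has_alpha and has_digit):
        problems.append("password must contain both letters and digits")
    return problems
```

Run the aging function against a handful of dates around the boundaries you configure: an active period that ends on a weekend combined with a short grace period is how users end up in the Disabled Accounts report on Monday morning. Note that "different from the previous value" only compares against the last password, so it does not stop users alternating between two.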


Interface Configuration

In the Interface Configuration window, click Advanced Options and select the Group-Level Password Aging check box.

Administration Control

If you want the administrator to be able to control the Password Aging options, click Administration Control. In the Administrator Privileges: System Configuration section, select the Password Validation check box.

Reports & Activity

If the password has aged, the account is expired, not disabled; expired accounts are reflected in the Disabled Accounts report. If the user attempts to log in to an expired account, this action is logged in the Failed Attempts report.


Note   The Disabled Accounts report in the Reports & Activity window lists disabled and expired accounts.

NAS Configuration

The following sample configuration can be used for an analog dial-in networking user with a NAS-assigned dynamic IP address. This sample is for a Cisco AS5200 access server using TACACS+. Adjust the sample to match your individual requirements.


Note   The AAA statements (aaa new-model, the aaa authentication, aaa accounting and tacacs-server lines) are the ones required or recommended for this configuration; the remaining statements are the ones normally entered during the initial NAS configuration. Use the Cisco IOS image for Release 11.5T or later.

The term list-name used below in the command description refers to any character string (a name) used to represent a particular list of authentication method(s) for that login type.

    !
    version 11.2
    service timestamps debug datetime msec localtime
    no service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname 5200
    !
    aaa new-model
    aaa authentication login noaaa local
    aaa authentication login logintac tacacs+
    aaa authentication ppp ppptac tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting connection start-stop tacacs+
    aaa accounting update newinfo
    enable password cisco
    !
    username juan password 0 cisco
    modem startup-test
    no ip domain-lookup
    isdn switch-type primary-5ess
    !
    controller T1 0
    framing esf
    clock source line primary
    linecode b8zs
    pri-group timeslots 1-24
    !
    controller T1 1
    shutdown
    framing esf
    clock source line secondary
    linecode b8zs
    pri-group timeslots 1-24

    !
    interface Loopback0
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    !
    interface Ethernet0
    ip address 10.4.1.30 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    no mop enabled
    !
    interface Serial0
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    no fair-queue
    !
    interface Serial1
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    !
    interface Serial0:23
    ip unnumbered Ethernet0
    encapsulation ppp
    no ip route-cache
    no ip mroute-cache
    no keepalive
    isdn incoming-voice modem
    peer default ip address pool setup_pool
    dialer idle-timeout 400
    dialer-group 1
    no fair-queue
    ppp multilink
    !
    interface Serial1:23
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    !
    interface Group-Async1
    ip unnumbered Ethernet0
    ip tcp header-compression passive
    encapsulation ppp
    no ip route-cache
    no ip mroute-cache
    async default routing
    async dynamic address
    async mode interactive
    peer default ip address pool setup_pool
    ppp authentication pap ppptac
    group-range 1 48
    !
    !
    interface Dialer0
    no ip address
    no ip route-cache
    no ip mroute-cache
    dialer-group 1
    !
    router igrp 1
    redistribute connected
    network 10.0.0.0
    !
    ! pool referenced by peer default ip address pool on Serial0:23 and Group-Async1
    ip local pool setup_pool 10.4.1.90 10.4.1.99
    no ip classless
    ip route 10.0.0.0 255.0.0.0 Ethernet0
    !
    tacacs-server host 10.11.1.16
    tacacs-server timeout 20
    tacacs-server key cisco
    !
    line con 0
    exec-timeout 0 0
    password cisco
    logging synchronous
    login authentication noaaa
    line 1 48
    exec-timeout 0 0
    autoselect during-login
    autoselect ppp
    modem Dialin
    transport preferred telnet
    transport input all
    line aux 0
    line vty 0
    exec-timeout 0 0
    password cisco
    login authentication logintac
    length 62
    width 137
    line vty 1 4
    exec-timeout 0 0
    password cisco
    login authentication logintac
    !
    scheduler interval 1000
    end

Several settings in this sample exist only to keep the example short and should not be carried into production: no service password-encryption together with enable password cisco, line passwords of cisco and username juan password 0 cisco; tacacs-server key cisco; service udp-small-servers and service tcp-small-servers; and exec-timeout 0 0 with transport input all on the access lines. Use enable secret, service password-encryption with real passwords, a long random TACACS+ key, no small servers, and a finite exec-timeout before deploying.

Client Configuration

Use the self-extracting file provided with the CAA software to install the CAA client software. See the Quick Start Guide for the CiscoSecure Authentication Agent for instructions.

Follow the instructions in the readme file provided with the CAA client software to configure the CAA software.

Configure Dial-Up Networking on the Windows 95/98 or Windows NT/2000 workstation or server from which you will dial in. See your Microsoft documentation for instructions.

Tips

Consider the following:

  • Test the user using Dial-Up Networking to log in to the NAS. If the configuration is correct, you should see the appropriate aging message.

  • Make sure the modems, cables, and carrier lines are connected and functioning correctly.

  • Make sure the CAA is actively running in the background. You should see the CAA icon in the Active Icon tray.

  • Make sure you are using the correct Cisco IOS software image, 11.5(T). You can also use a later release, as long as it uses watchdog packets and supports the aaa accounting update newinfo statement.

Single Authentication Using Cisco Secure ACS and the CAA

Single Authentication uses the special Cisco EIOS image release 4.2(13) or later to provide a simple CHAP or PAP authentication. Single Authentication uses Cisco 76x or Cisco 77x routers that are equipped with the special UDP small office/home office (SOHO) client packet. Only one PC at a time can communicate through the Cisco 76x/77x device, and only one PC at a time can have a Telnet session or an Active Monitor status into the Cisco 76x/77x device.


Note   Users should not be able to define a destination IP address for the NAS automatic login. Do not use Virtual Templates and VPDNs on the same ISDN interface to which the Cisco 76x or Cisco 77x will call. To avoid problems with the token authentication server (TAS) mode, disable the Virtual Templates/VPDN statements.

Windows NT/2000 Server Configuration

No special configuration is required for the Windows NT/2000 server.

Cisco Secure ACS Configuration

Configure these items in Cisco Secure ACS.

Network Configuration


Note   If the first NAS into which clients dial was set up during Cisco Secure ACS installation, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.


Group Setup

Create an ISDN SOHO group.

User Setup

Create a standard ISDN user who will authenticate using a token card database, and/or map the user to the ISDN SOHO group.

Router Configuration

Add the following statements to the SET USER LAN section of the Cisco 76x/77x device's configuration file:

    SET IP ROUTING ON
    SET IP ADDRESS 200.200.200.1
    SET IP NETMASK 255.255.255.0
    SET IP RIP UPDATE PER

Add the following statements to the configuration file to create a host NAS profile:

    SET USER 5200
    SET PROFILE POWERUP ACTIVATE
    SET 1 NUMBER 95552000
    SET 2 NUMBER 95552000
    SET PPP TAS DISTRIBUTED
    SET PPP TAS CLIENT 0.0.0.0
    SET PPP TAS CHAPSECRET LOCAL ON
    SET PPP CLIENTNAME 765
    SET PPP PASSWORD CLIENT ENCRYPTED 121a0c041104
    SET PPP SECRET CLIENT ENCRYPTED 05080f1c2243
    SET PPP PASSWORD HOST ENCRYPTED 101b5a4955
    SET PPP SECRET HOST ENCRYPTED 115c4a5547
    SET IP ROUTING ON
    SET IP ADDRESS 0.0.0.0
    SET IP NETMASK 0.0.0.0
    SET IP ROUTE DEST 0.0.0.0/0 GATEWAY 0.0.0.0 PROPAGATE OFF COST 1

Client Configuration

Configure the CAA for Single Authentication mode. See your CAA documentation for instructions.

Tips

Consider the following:

  • Ping the NAS from the Cisco 76x/77x device to make sure it is reachable.

  • Make sure the Cisco 76x/77x device is using Cisco EIOS image 4.2(6) or later.

  • Make sure that the user is correctly defined within the CiscoSecure database.

  • Make sure the ISDN connection from the SOHO to the LAN is operating correctly by doing a test call on the Cisco 76x/77x device or a ping test on the Cisco 1xxx device. Use one of the following commands on the Cisco 1xxx device: sh conn (show connection), sh con (show configuration) or sh bri int.

  • Make sure the CAA is actively running in the background. You should see the CAA icon in the Active Icon tray at the lower right of the screen.

  • Make sure the NAS is configured correctly and the ISDN connection, carrier ISDN lines, network interface cards (NICs), and cables are connected and operating correctly.

Double Authentication Using Cisco Secure ACS and the CAA

Some token cards require you to use double authentication with an ISDN connection. See your token card documentation to see if your particular card requires this feature.

Double authentication consists of a two-part challenge.

In the first challenge, either CHAP or PAP authenticates the SOHO NAS and permits the NAS to establish the connection to the network NAS. PPP then negotiates with the AAA server to authorize the SOHO NAS to access the network. This challenge also triggers Cisco Secure ACS to download the first access control list (ACL) and apply it against the ISDN port of the network NAS. The ACL assigns the network access privileges, and the SOHO and its users are only allowed to Telnet to the NAS.

In the second challenge, SOHO users must Telnet to the network NAS to be user-authenticated. When SOHO users log in, they are authenticated with AAA login authentication. CAA users can right-click to access the Connect option and establish the required Telnet session. Users are automatically prompted to type the username and password. The Telnet service negotiates with Cisco Secure ACS to authorize users to access the network. When authorization is complete, users have been double-authenticated and can access the network according to their per-user network privileges. The second challenge also triggers Cisco Secure ACS to download the second ACL and apply it against the ISDN port on the NAS to which the SOHO connection has already been established.

Windows NT/2000 Server Configuration

No special Windows NT/2000 server configuration is required.

Cisco Secure ACS Configuration

Define the ACLs and network access privileges of the SOHO and its users on Cisco Secure ACS.

Network Configuration


Note   If the first NAS into which clients dial was set up during Cisco Secure ACS installation, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.


External User Databases Configuration

Configure the database for the token card you are using. See External User Databases, for instructions.

User Setup

Add or edit a user.

Group Setup

Add an ISDN SOHO group. The following TACACS+ statements must be included in the double-authentication user's or group's profile. Users on the same SOHO 802.3 segment inherit the capabilities and limitations of the first session established.


Step 1   Add a first authentication group for the Cisco 77x or Cisco 1xxx device.

Step 2   In the Custom Attributes section, assign PPP/IP to the group by adding the following statement:

    inacl#3=permit tcp any any eq telnet

Step 3   Add the SOHO device to the first authentication group and assign it a standard CHAP password.

Step 4   Add a second authentication group which will include the actual users.

Step 5   In the Custom Attributes section, assign PPP/IP to the group by adding the following statements:

    inacl#4=permit icmp any any
    inacl#5=permit tcp any any eq ftp
    inacl#6=permit tcp any any eq ftp-data

Make sure PPP LCP, Shell (exec), and AutoCommand are selected. AutoCommand is defined for the access profile only at the per-user level.

Step 6   Map the CHAP password user or token card user to the second authentication group.
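To see what each phase of double authentication actually lets through, the following Python block is an added example and not Cisco code. It assembles the inacl#N custom attributes from Steps 2 and 5 into the inbound ACL the NAS applies to the ISDN port (ordered numerically by N, first match wins, implicit deny at the end) and evaluates constructed packets against each phase; it also illustrates the Tips warning below that an FTP-only profile passes neither HTTP nor anything else you forgot to list. Only the any and host address forms and the eq port match are modelled, which is all the page's attributes use.

```python
# Added example, not Cisco code: assemble the inacl#N attributes into the
# inbound ACL applied to the ISDN port and evaluate constructed packets against it.
from typing import Dict, List, Optional, Tuple

# IOS names for the well-known ports used in the attributes above
SERVICE_PORTS = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80, "http": 80}

Ace = Tuple[str, str, Optional[str], Optional[str], Optional[int]]  # action, proto, src, dst, dport


def _parse_addr(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    """Parse 'any' or 'host A.B.C.D'; None means every address matches."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)}")


def parse_ace(text: str) -> Ace:
    """Parse one entry such as 'permit tcp any any eq telnet'."""
    parts = text.split()
    action, proto, rest = parts[0], parts[1], parts[2:]
    if action not in ("permit", "deny"):
        raise ValueError(text)
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = SERVICE_PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, dport


def build_acl(attrs: Dict[str, str]) -> List[Ace]:
    """Order the inacl#N attributes by N (numerically, so #10 follows #9) and parse each."""
    numbered = sorted(attrs.items(), key=lambda kv: int(kv[0].split("#", 1)[1]))
    return [parse_ace(value) for _, value in numbered]


def permits(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """First matching entry wins; no match means deny, as at the end of every IOS ACL."""
    for action, p, s, d, port in acl:
        if p not in (proto, "ip"):
            continue
        if s is not None and s != src:
            continue
        if d is not None and d != dst:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


# the two profiles from the Group Setup steps above
FIRST_PHASE = build_acl({"inacl#3": "permit tcp any any eq telnet"})
SECOND_PHASE = build_acl({
    "inacl#4": "permit icmp any any",
    "inacl#5": "permit tcp any any eq ftp",
    "inacl#6": "permit tcp any any eq ftp-data",
})
```

Because the first-phase ACL permits only Telnet, a SOHO whose user never completes the second challenge can reach nothing but the NAS login prompt; that is the intended lock-out, so resist adding a convenience permit ip any any to the device profile. When you extend the second-phase list, add each service explicitly (www for browsing, for example) and keep the numbers contiguous so the ordering you intend is the ordering the NAS installs.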


NAS Configuration

Add the following configuration to the NAS:

    !
    version 11.2
    service timestamps debug datetime msec localtime
    no service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname 5200
    !
    aaa new-model
    aaa authentication login noaaa local
    aaa authentication login logintac tacacs+
    aaa authentication ppp ppptac tacacs+
    aaa authorization exec tacacs+
    aaa authorization network default tacacs+
    aaa accounting exec default start-stop tacacs+
    aaa accounting network default start-stop tacacs+
    aaa accounting connection start-stop tacacs+
    enable password cisco
    !
    username jsmith password 0 cisco
    modem startup-test
    no ip domain-lookup
    isdn switch-type primary-5ess
    !
    controller T1 0
    framing esf
    clock source line primary
    linecode b8zs
    pri-group timeslots 1-24
    !
    controller T1 1
    shutdown
    framing esf
    clock source line secondary
    linecode b8zs
    pri-group timeslots 1-24
    !
    interface Loopback0
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    !
    interface Ethernet0
    ip address 10.4.1.30 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    no mop enabled
    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    no ip mroute-cache
    peer default ip address pool pool1
    ppp authentication chap ppptac
    !
    interface Serial0
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    no fair-queue
    !
    interface Serial1
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    !
    interface Serial0:23
    ip unnumbered Ethernet0
    encapsulation ppp
    no ip route-cache
    no ip mroute-cache
    no keepalive
    isdn incoming-voice modem
    peer default ip address pool setup_pool
    dialer idle-timeout 400
    dialer map ip 10.15.2.50 6661400
    dialer-group 1
    no fair-queue
    ppp authentication pap ppptac
    ppp multilink
    !
    interface Serial1:23
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    !
    interface Group-Async1
    ip unnumbered Ethernet0
    ip tcp header-compression passive
    encapsulation ppp
    no ip route-cache
    no ip mroute-cache
    async default routing
    async dynamic address
    async mode interactive
    peer default ip address pool setup_pool
    ppp authentication pap ppptac
    group-range 1 48
    !
    !
    interface Dialer0
    no ip address
    no ip route-cache
    no ip mroute-cache
    dialer-group 1
    !
    router igrp 1
    redistribute connected
    network 10.0.0.0
    !
    ip local pool pool1 10.4.1.101 10.4.1.110
    ip local pool setup_pool 10.4.1.90 10.4.1.99
    no ip classless
    ip route 10.0.0.0 255.0.0.0 Ethernet0
    ip route 10.5.7.0 255.255.255.0 10.15.2.71
    ip route 10.6.3.0 255.255.255.0 10.15.2.70
    virtual-profile virtual-template 1
    dialer-list 1 protocol ip permit
    !
    tacacs-server host 10.11.1.16
    tacacs-server timeout 20
    tacacs-server key cisco
    !
    line con 0
    exec-timeout 0 0
    password cisco
    logging synchronous
    login authentication noaaa
    line 1 48
    exec-timeout 0 0
    autoselect during-login
    autoselect ppp
    modem Dialin
    transport preferred telnet
    transport input all
    line aux 0
    line vty 0
    exec-timeout 0 0
    password cisco
    login authentication logintac
    length 62
    width 137
    line vty 1 4
    exec-timeout 0 0
    password cisco
    login authentication logintac
    !
    scheduler interval 1000
    end


SOHO Router Configuration

Enter the following commands in the configuration file on the SOHO router. Note that the password 7 strings in this sample are reversibly encoded, not hashed, so treat them as cleartext whenever this configuration is stored or shared; the enable secret 5 line is the only hashed credential in it.

    version 11.3
    no service pad
    no service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname 1000
    !
    enable secret 5 $1$pAlv$j3we9UFIcvdXBJ497PzFa/
    enable password enable
    !
    username 5200 password 7 104D000A0618
    username jsmith password 7 124C303A0617
    isdn switch-type basic-ni1
    !
    interface Ethernet0
    ip address 10.4.1.1 255.255.255.0
    !
    interface BRI0
    ip address 10.15.2.40 255.255.255.0
    encapsulation ppp
    dialer map ip 10.15.2.80 name 5200 broadcast 96662000
    dialer load-threshold 1 either
    dialer-group 1
    isdn spid1 714666140100
    isdn spid2 714666140200
    ppp authentication chap
    !
    no ip classless
    ip route 10.0.0.0 255.0.0.0 10.15.2.80
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 0 0
    line vty 0 4
    password enable
    login
    !
    end

Tips

Consider the following:

  • We recommend that before you use double authentication, you read the applicable documentation located on Cisco Connection Online at http://www.cisco.com.

  • Double-check the access-list service types you are permitting or denying for the double authentication group or users. For example, if you permit ftp, also permit ftp-data, and add an entry for HTTP if users need web browsing; anything not listed is dropped by the implicit deny at the end of the ACL.

  • Several debug tools are available for Cisco IOS AAA Double Authentication, including debug aaa authen, debug aaa author, debug aaa per-user, debug ppp authen, and debug vtem.

  • Ping the NAS from the Cisco 76x/77x device to make sure it is reachable.

  • Make sure the NAS is using Cisco IOS image 11.3.3Q or later.

  • Make sure that the user is correctly defined within the Cisco Secure ACS database.

  • Make sure the ISDN connection from the SOHO to the LAN is operating correctly by doing a test call on the Cisco 76x/77x device or a ping test on the Cisco 1xxx device. Use one of the following commands on the Cisco 1xxx device: sh conn, sh con, or sh bri int.

  • Make sure the CAA is actively running in the background. You should see the CAA icon in the Active Icon tray at the lower right of the screen.

  • Make sure the NAS is configured correctly and the ISDN connection, carrier ISDN lines, NICs, and cables are connected and operating correctly.

  • Check the PPP negotiation on the Cisco 76x/77x device by typing diag PPP On; to turn the diagnostics off, type diag PPP Off.

Authentication Using Cisco Aironet RADIUS

The following configuration can be used to enforce RADIUS authentication of users accessing your network via an Aironet Access Point device. The NAS in this configuration is an Aironet Access Point 350.

Windows NT/2000 Server Configuration

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

Configure Cisco Secure ACS as described in the following sections.

Network Configuration


Note   If the Aironet NAS through which users will access your network was set up during installation of Cisco Secure ACS, network configuration should already be complete.

To add and configure an Aironet NAS in Cisco Secure ACS, follow these steps:


Step 1   Click Network Configuration.

Step 2   If you are using Network Device Groups (NDGs), click the name of the applicable NDG.

Step 3   Click Add Entry.

Step 4   In the Network Access Server Hostname box, type the name of the Aironet NAS.

Step 5   In the Network Access Server IP Address box, type the IP address of the Aironet NAS.

Step 6   In the Key box, type the shared secret of the Aironet NAS.

Step 7   In the Authenticate Using list, click RADIUS (Cisco Aironet).

Step 8   Click Submit + Restart.


Interface Configuration

Aironet RADIUS vendor-specific attributes are system generated; therefore, there is no configuration to be performed in Interface Configuration.

External User Database Configuration

Aironet authentication uses MSCHAP as its password protocol. MSCHAP is supported only by certain databases; therefore, Aironet authentication is limited to users whose records reside in one of the following external user databases:

  • Windows NT/2000

  • ODBC

  • MCIS


Note   The CiscoSecure user database also supports MSCHAP, and thus, Aironet authentication.

No special configuration of external databases is required to support authentication of users accessing your network through an Aironet device.

Group Setup

No special group configuration is required.

User Setup

No special user configuration is required.

NAS Configuration

To configure your Aironet Access Point to request authentication service from your Cisco Secure ACS server, follow these steps:


Step 1   In the web-based management system for your Aironet Access Point, access the Summary Setup page.

Step 2   Click Setup.

Result: The Setup page appears.

Step 3   Click Security.

Result: The Security Setup page appears.

Step 4   Click Authentication Server.

Result: The Authentication Server Setup page appears.

Step 5   In the Server Name/IP box, type the name or IP address of the RADIUS server.

Step 6   In the Server Type list, click RADIUS.

Step 7   In the Port box, type 1645, the port used by Cisco Secure ACS for RADIUS authentication.

Step 8   In the Shared Secret box, type the shared secret, or key, that you specified when you created the Aironet NAS in Cisco Secure ACS. The shared key specified here must exactly match the shared key specified in Cisco Secure ACS.

Step 9   In the Timeout box, type the number of seconds the Access Point should wait before authentication fails.

Step 10   Click Apply.

Step 11   Click the browser's Back button.

Result: The Security Setup page appears.

Step 12   Click Radio Data Encryption (WEP).

Result: The AP Radio Data Encryption page appears.

Step 13   Under Authentication Type, click Network-EAP.

Step 14   Click Apply.
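
Step 8 above is the point at which most Aironet-to-ACS setups fail: the Access Point accepts a RADIUS reply only if it can recompute the reply's authenticator with its own copy of the shared secret. The following Python model, added here and not part of the Cisco documentation, builds an Access-Request and a server reply per RFC 2865 and shows that a secret differing by a single trailing space, or a reply whose code was altered in transit, is rejected; the usernames, addresses and secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865). Cisco Secure ACS listens on UDP 1645 for these.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (length covers the two header octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_access_request(identifier, request_authenticator, attributes):
    """Packet the Access Point sends; the Request Authenticator is a 16-byte random value."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attributes))
    return header + request_authenticator + attributes


def build_reply(code, request, attributes, secret):
    """Packet the server sends back, tied to the request by its identifier and authenticator."""
    identifier = request[1]
    request_authenticator = request[4:HEADER_LEN]
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_reply(reply, request, secret):
    """What the Access Point does with a reply: recompute the authenticator with its own secret.
    A mismatch (wrong secret, or a forged/altered reply) is silently discarded, so the AP keeps
    waiting until the Timeout value from Step 9 expires and the authentication fails."""
    if len(reply) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, reply[HEADER_LEN:],
                                      request[4:HEADER_LEN], secret)
    return hmac.compare_digest(reply[4:HEADER_LEN], expected)


def demo(server_secret, ap_secret):
    """Constructed exchange: ACS signs an Access-Accept with server_secret, the AP checks it
    with ap_secret. Returns True only when the two secrets are byte-for-byte identical."""
    request_authenticator = bytes(range(16))  # constructed; a real AP uses 16 random bytes
    attrs = attribute(1, b"jsmith") + attribute(4, bytes([10, 4, 1, 1]))  # User-Name, NAS-IP-Address
    request = build_access_request(42, request_authenticator, attrs)
    reply = build_reply(ACCESS_ACCEPT, request, b"", server_secret)
    return verify_reply(reply, request, ap_secret)


if __name__ == "__main__":
    print(demo(b"aironet-key", b"aironet-key"))   # secrets match: reply accepted
    print(demo(b"aironet-key", b"aironet-key "))  # trailing space: reply discarded
```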


Client Configuration

Network clients using the Cisco Aironet Access Point should be configured as required by the Aironet device. For more information, see the documentation for the specific Aironet devices you are using.

Authentication Using Cisco Secure ACS and an MCIS Database

This sample configuration supports authentication via the Microsoft Commercial Internet System (MCIS) Lightweight Directory Access Protocol (LDAP) authenticator.

Windows NT/2000 Server Configuration

To use MCIS authentication, you must have Microsoft Site Server 3.0 or MCIS 2.0 installed on the server. See your Microsoft documentation for more information.


Note   Cisco Secure ACS does not currently support password aging when using MCIS.

On the membership server, follow these steps:


Step 1   Select Membership Authentication.

Step 2   Enable clear text/basic authentication for the LDAP directory instance.

Step 3   The password is in clear text and is not encrypted. To increase security, select the Use Secure Authentication check box, the Use Encryption check box, or both.

Step 4   Make sure user objects are located in the Members container (ou=members) and are of the type "Member."

Step 5   Make sure the common name (cn=MarySmith) property exactly matches the username specified during dialin.

Step 6   Make sure the user-object's Account-Status property is set to Active (1).


Cisco Secure ACS Configuration

Configure these items in the Cisco Secure ACS.

Network Configuration


Note   If the first NAS into which clients dial was set up during Cisco Secure ACS installation, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a NAS.

Step 3   Type the name of the NAS.

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.


Administration Control

To enable the administrator to configure MCIS options, in the Administrator Privileges section, select the User & Group Setup check box, the External User Databases check box, and any other applicable check boxes.

External User Databases Configuration

Configure these items in the External User Databases window:

  • In the Database Configuration window, add and configure the MCIS database.

  • (Optional) In the Database Group Mappings window, map the applicable group(s) to the MCIS database.

  • (Optional) In the Unknown Users window, add the MCIS database to the Selected databases list.

For more information, see MCIS Configuration.

User Setup

Add or edit the user profile and either assign the user to an MCIS group, or overwrite the group profile.

Group Setup

Configure an MCIS group.

NAS Configuration

No special NAS configuration is required.

Client Configuration

No special client configuration is required.

Tips

Consider the following:

  • To use MCIS authentication, you must have Microsoft Site Server installed on the server. Cisco Secure ACS has been tested with Microsoft Site Server 3.0. See the Release Notes for information on any issues with particular versions of this software. See your Microsoft documentation for more information.

  • Cisco Secure ACS does not currently support password aging when using MCIS.

Authentication Using Cisco Secure ACS and a Generic LDAP Database

This configuration presents examples of the information you need to use Cisco Secure ACS with a Generic LDAP external user database. Generic LDAP is a standard implementation of an LDAP database.


Note   This sample configuration supports Netscape Directory Server (DS), Netscape's implementation of LDAP.

Windows NT/2000 Server Configuration

To use LDAP authentication as described in this sample configuration, you must have the Netscape Directory Services software installed on the server. See your Netscape documentation for more information.


Note   Cisco Secure ACS does not currently support password aging when using an LDAP user database.

Cisco Secure ACS does not require special LDAP database configuration. The following procedure is included for convenience; it does not contain non-standard Netscape DS configuration.

On the Netscape DS console, follow these steps:


Step 1   Click the Users and Groups tab.

Step 2   In the list at the bottom of the window, select New User.

Step 3   Click Create.

Step 4   Select Organizational Unit. The configuration dialog box opens.

Step 5   Select Base DN and click OK.

Step 6   Type the information requested. Fields with an * are required. The username is the name to be used to authenticate. Click OK. The system will return to the Users and Groups tab. The user you just created should appear in the Search Results list.

Step 7   If you do not want these users to be in the Default Group, add them to the applicable group.


Cisco Secure ACS Configuration

Configure these items in the Cisco Secure ACS.

Network Configuration

No special NAS configuration is required. For more information about configuring your NASes, see Network Configuration.

Administration Control

To enable the administrator to configure DS options, in the Administrator Privileges section, select the User & Group Setup check box, the External User Databases check box, and any other applicable check boxes.

External User Databases Configuration

Configure these items in the External User Databases window:

  • In the Database Configuration window, add and configure the DS database. For more information, see Generic LDAP Database Configuration.

  • (Optional) In the Database Group Mappings window, map the applicable group(s) to the DS database.

  • (Optional) In the Unknown Users window, add the DS database to the Selected databases list.

For more information, see External User Database Configuration.

User Setup

Add or edit the user profile and either assign the user to a DS group, or overwrite the group profile.

Group Setup

Configure a DS group.

NAS Configuration

No special NAS configuration is required.

Client Configuration

No special client configuration is required.

Tips

Consider the following:

  • To use generic LDAP authentication as described in this sample configuration, you must have the Netscape Directory Services software installed on the server. See your Netscape documentation for more information.

  • Cisco Secure ACS does not currently support password aging when using DS.

Authentication Using Cisco Secure ACS and an ODBC Database

This configuration presents an example of the information you need to use Cisco Secure ACS with an ODBC database.


Note   User passwords transferred between an ODBC-compliant database and Cisco Secure ACS will be unencrypted, because an ODBC connection passes data in clear text between source and destination. The most secure implementation of authentication against an ODBC database is to install the database on the same server as Cisco Secure ACS.

Windows NT/2000 Server Configuration

To use ODBC authentication, you must have the ODBC-compliant database software installed on a server on your network. See your ODBC database documentation for more information about installing your ODBC-compliant database.

Data Source Name Configuration

On the Cisco Secure ACS server, you must create a Data Source Name (DSN) for Cisco Secure ACS to communicate with your ODBC database.

To create a DSN, follow these steps:


Step 1   In Windows Control Panel, double-click the ODBC icon.

Step 2   In the ODBC window, click the System DSN tab.

Step 3   Click Add.

Step 4   Select the driver you need to use with your new DSN, and then click Finish.

Result: A dialog box displays fields requiring information specific to the ODBC driver you selected.

Step 5   Type a descriptive name for the DSN in the Data Source Name box.

Step 6   Complete the other fields required by the ODBC driver you selected. These fields may include information such as the IP address of the server on which the ODBC-compliant database runs.

Step 7   Click OK.

Result: The name you assigned to the DSN appears in the System Data Sources list.

Step 8   Close the ODBC window and Windows Control Panel.


Cisco Secure ACS Configuration

Configure these items in the Cisco Secure ACS.

Network Configuration

No special configuration is required in Network Configuration. For more information about the Network Configuration section in Cisco Secure ACS, see Network Configuration.

Administration Control

In the administrative account of each administrator who needs to configure ODBC options, in the Administrator Privileges section, select the User & Group Setup check box, the External User Databases check box, and any other applicable check boxes.

External User Databases Configuration

Configure these items in the External User Databases window:

  • In the Database Configuration window, add and configure the ODBC database. For more information, see ODBC Configuration.

  • (Optional) In the Database Group Mappings window, map the applicable group(s) to the ODBC database.

  • (Optional) In the Unknown Users window, add the ODBC database to the Selected databases list.

For more information, see External User Database Configuration.

User Setup

Add or edit the user profile and either assign the user to an ODBC group, or overwrite the group profile.

Group Setup

Configure an ODBC group.

NAS Configuration

No special NAS configuration is required. For more information about configuring a NAS, see Network Configuration.

Client Configuration

No special client configuration is required.

PIX Firewall Authentication/Authorization Using the Windows NT/2000 User Database with TACACS+

This is a typical configuration that you can use in a Windows NT/2000 network that resides behind a PIX Firewall and that uses only the Windows NT/2000 user database to maintain authentication information. You can use this configuration to control connectivity through a PIX Firewall while using Windows NT/2000 for authentication and Cisco Secure ACS for authorization.

Windows NT/2000 Server Configuration

Because it depends greatly on management functions of Windows NT/2000, this configuration requires significant configuration of the Windows NT/2000 server.

Configure these items in the User Manager of your Windows NT/2000 server running Cisco Secure ACS:

Cisco Secure ACS Configuration

Configure these items in the Cisco Secure ACS.


Note   Administration through a firewall is not supported. The Cisco Secure ACS can only be managed from the same side of the firewall.

Network Configuration


Note   If the first PIX Firewall that clients use was set up during installation of the Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit a PIX (NAS).

Step 3   Type the name of the PIX (NAS).

Step 4   Type the IP address of the PIX (NAS).

Step 5   Type the shared secret (key) between the PIX (NAS) and the Cisco Secure ACS.

Step 6   Select TACACS+ (Cisco IOS) as the security control protocol.


External User Databases Configuration

If Cisco Secure ACS was initially installed so that it did not authenticate usernames against the Windows NT/2000 database, you must add a new configuration to enable this function. Continuing in the Network Configuration window, follow these steps:


Step 1   Click External User Databases: Database Configuration.

Step 2   Click Create a new configuration.

Step 3   Click Submit to accept the default name.

Step 4   Click Configure to enable Grant dialin permission to user. Cisco Secure ACS verifies that dial-in permission is granted for this user in the Windows NT/2000 user database. If users without dial-in permission on the Windows NT/2000 server try to log in, authentication fails, even if they use the correct password. If you do not want to use this feature, click to clear the check box, and then click Submit.

Step 5   In External User Databases: Unknown User Policy, configure the Unknown User Policy feature to ensure that all authentications without matching usernames in the Cisco Secure ACS user database are checked against the Windows NT/2000 database. If this authentication succeeds, a record is automatically generated in the Cisco Secure ACS database indicating the database to use for password authentication. User records added to the database this way automatically become members of the selected group.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, select the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

In Group Setup for the Windows NT/2000 Users group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   Enable Shell (Exec) to permit the client to run Telnet sessions for FTP and HTTP, with the following commands configured on the PIX Firewall:

    aaa authen any inbound 0.0.0.0 0.0.0.0 tacacs+
    aaa author any inbound 0.0.0.0 0.0.0.0

In addition to authentication requests, command authorization requests come to Cisco Secure ACS when a user tries to do FTP, Telnet, or HTTP inbound. If you want users to be able to do "http 1.1.1.1," all Telnets, and "ftp 2.2.2.2," add command authorization to Cisco Secure ACS as follows:

    command=http
    permit 1.1.1.1
    deny unmatched arguments
    command=telnet
    permit unmatched arguments
    command=ftp
    permit 2.2.2.2
    deny unmatched arguments
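
To make the effect of the rules above concrete, the following Python evaluator, added here and not part of the Cisco documentation, parses that listing and decides sample command authorization requests the PIX would send. It treats each permit/deny argument as an exact string match and assumes that a command with no rule at all is denied; the requests are constructed.

```python
from dataclasses import dataclass, field

# The command authorization rules from this section, exactly as the text lists them.
PIX_POLICY_TEXT = """
command=http
permit 1.1.1.1
deny unmatched arguments
command=telnet
permit unmatched arguments
command=ftp
permit 2.2.2.2
deny unmatched arguments
"""


@dataclass
class CommandRule:
    """Per-command rule set: explicit argument decisions plus the unmatched-arguments default."""
    arguments: dict = field(default_factory=dict)   # argument string -> "permit" | "deny"
    unmatched: str = "deny"


def parse_policy(text):
    """Parse the command=/permit/deny listing into {command: CommandRule}."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())            # normalise whitespace, skip blank lines
        if not line:
            continue
        if line.startswith("command="):
            current = line[len("command="):]
            policy.setdefault(current, CommandRule())
            continue
        if current is None:
            raise ValueError(f"rule before any command= line: {line!r}")
        action, _, arguments = line.partition(" ")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        if arguments == "unmatched arguments":
            policy[current].unmatched = action
        else:
            policy[current].arguments[arguments] = action
    return policy


def authorize(policy, command, arguments=""):
    """Decide one TACACS+ command authorization request (command plus its argument string).
    Assumption: a command with no rule is denied, the safe default for anything the PIX
    sends outside the listed http/telnet/ftp services."""
    rule = policy.get(command)
    if rule is None:
        return "deny"
    return rule.arguments.get(arguments, rule.unmatched)


def authorize_batch(policy, requests):
    """Evaluate a list of (command, arguments) requests and return the decisions alongside them."""
    return [(cmd, args, authorize(policy, cmd, args)) for cmd, args in requests]


if __name__ == "__main__":
    policy = parse_policy(PIX_POLICY_TEXT)
    # Constructed requests; only the hosts named in the text are permitted.
    for row in authorize_batch(policy, [("http", "1.1.1.1"), ("http", "3.3.3.3"),
                                        ("telnet", "10.5.55.1"), ("ftp", "2.2.2.2"),
                                        ("ftp", "1.1.1.1"), ("ssh", "1.1.1.1")]):
        print("%-7s %-10s -> %s" % row)
```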

User Setup

User setup is not required; users who successfully authenticate against the Windows NT/2000 user database are automatically added to the Cisco Secure ACS user database; you can reassign them later to groups with different authorization levels.

PIX Firewall Configuration

This sample configuration for a Cisco PIX Firewall permits any inbound traffic (HTTP, FTP, or Telnet) as long as the user is authenticated and authorized. Notations have been added to this configuration to allow variations to be configured to deny authentication and/or authorization:

    PIX Firewall Version 4.0.3
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    failover
    names
    syslog output 20.3
    no syslog console
    interface ethernet outside auto
    interface ethernet inside auto
    ip address inside 10.5.55.46 255.0.0.0
    ip address outside 200.200.201.100 255.255.255.0
    arp timeout 14400
    global 1 200.200.201.150-200.200.201.180
    static 200.200.201.0 10.0.0.0
    static 200.200.201.150 10.5.55.88
    conduit 200.200.201.150 0 tcp 0.0.0.0 0.0.0.0
    age 10
    no rip outside passive
    no rip outside default
    no rip inside passive
    no rip inside default
    route outside 0.0.0.0 0.0.0.0 10.5.55.46 1
    route inside 10.0.0.0 255.0.0.0 200.200.201.100 1
    timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
    tacacs-server host 10.5.55.88 cisco
    aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+
    aaa authorization any inbound 0.0.0.0 0.0.0.0
    no snmp-server location
    no snmp-server contact
    telnet 10.5.55.88 255.0.0.0
    mtu outside 1500
    mtu inside 1500

Client Configuration

No other client configuration is necessary for this application; however, you might need to enable authentication forwarding support on your browser.

Tips

With this configuration you can leverage all benefits of the Windows NT/2000 operating system such as Primary Domain Controller/Backup Domain Controller (PDC/BDC) database replication and distribution.

VPDN Using the Cisco Secure ACS User Database with TACACS+

Use this configuration to create secure connections over a public infrastructure. You can use the Cisco Secure ACS to provide authentication, authorization, and accounting for Virtual Private Dialup Networks (VPDNs) using the L2F tunneling protocol. Service providers can use this method to offer the service, which corporate customers then purchase. This configuration requires an ACS at both the ISP NAS and the home gateway (HG) locations.

The Cisco Secure ACS is used at the originating end of the VPDN tunnel (the site into which the VPDN user dials, often called the ISP NAS) and at the terminating end of the tunnel (the private network that terminates the VPDN tunnel, called the HG). See Figure 10-1.


Figure 10-1: VPDN and the Cisco Secure ACS


Note   VPDN terminology commonly uses domain to represent the corporate HG; this is not associated with the Windows NT/2000 domain. In the following example, the VPDN domain is referred to as VPDN domain to prevent confusion.

The creation of a tunnel can be described in two major processes that take place after the client dials in:

1. Creating a VPDN Tunnel

2. Authenticating and Authorizing the Client

Creating a VPDN Tunnel

1. The ISP NAS uses the VPDN domain to get information from the ACS (ISP) about where the tunnel should be built for that user (Tunnel ID and HG address).

2. The ISP NAS then uses the information (Tunnel ID) to request authentication for the tunnel from the NAS (HG).

3. The NAS forwards the information (Tunnel ID) to the ACS (HG) to authenticate the request.

4. When the information (Tunnel ID) is validated, the tunnel has been created.

Authenticating and Authorizing the Client

1. The ISP NAS requests authentication for the user by the ACS (HG).

2. The ACS (HG) returns authentication and authorization responses to the ISP NAS.

3. After validation, the client has a secure connection through the tunnel with permissions assigned by the ACS at the corporate site (HG).

Windows NT/2000 Server Configuration (ISP)

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration (ISP)

Configure these items on the Cisco Secure ACS at the ISP end of the VPDN connection.

Network Configuration


Note   If the first ISP NAS into which the clients dial was set up during installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit the NAS.

Step 3   Type the name of the NAS (this is only for identification by the administrator).

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   Click PPP-VPDN and click Submit. This displays the PPP-VPDN option under Group Setup when it is time to configure that section.


Group Setup

To configure Group 1, follow these steps:


Step 1   In Group Setup, select Group 1 from the Group list box and click Edit Settings.

Step 2   Under TACACS+ Settings, select the PPP-VPDN check box.

Step 3   Select the Tunnel id option and type CISCO_TUNNEL in the text box. This is the Tunnel ID, which is the username.

Step 4   Select the IP address list option and type the IP address of the HG NAS in the text box.


User Setup

In User Setup, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database for authentication. This username is actually the name of the VPDN domain. For this example, use cisco. A password is needed to submit the user but is not actually used for authentication, so type a fictitious password. Do not configure any other parameters.

Step 2   Assign the user to Group 1.

Step 3   Add a second user to the Cisco Secure ACS user database for authentication. This username is the name of the Tunnel ID. For this example use cisco_tunnel. A legitimate password is needed for this entry. Type cisco for this example. Do not configure any other parameters.

Step 4   Assign the second user to Group 1.


NAS Configuration (ISP)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+

    enable vpdn

    tacacs-server host ip_address single
    tacacs-server key key
    enable secret password
    aaa authentication login no_tacacs enable
    line con 0
    login authentication no_tacacs

Enter the following command under each interface used for dial-in access:

    ppp authentication chap

Windows NT/2000 Server Configuration (HG)

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration (HG)

Configure these items on the Cisco Secure ACS at the HG of the VPDN connection.

Network Configuration


Note   If the first HG NAS into which clients dial was set up during installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit the NAS.

Step 3   Type the name of the NAS (this is only for identification by the administrator).

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ as the security control protocol.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, select the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Select the features in this section to reduce the level of complexity or enhance the detail of your access security.


Group Setup

Do not configure any parameters in Group Setup for the CISCO_TUNNEL user's group (for example, Group 1). CISCO_TUNNEL is only used for authentication of the tunnel.

In Group Setup for the Group where the user username@CISCO has been placed (for example, Group 2), follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To enable the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 4   To make Cisco Secure ACS a "DHCP-like" server, enable IP Pool and type the IP pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 5   To enable the NAS to support dial-in clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 6   To permit the client to run Telnet sessions or to enable Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database for authentication. This username is used by the client. It must contain the VPDN domain as the suffix following the "@" sign. This name must be the same as the VPDN domain name specified at the ISP's ACS (for example, username@cisco). Type a client password.

Step 2   Assign the username@cisco to a group, for example, the Windows NT/2000 Users group.

Step 3   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4   If you are using dialin, to assign a particular IP address to the user, type it in the Static IP Address field.

Step 5   To set expiration or aging conditions for the user, configure them here.

Step 6   Add a second user to the Cisco Secure ACS user database for authentication. This username must match the name used at the ISP for the Tunnel ID. For this example, use cisco_tunnel. The same legitimate password is needed for this entry. For this example, type cisco. Do not configure any other parameters.

Step 7   Assign the second user to Group 1.


Administration Control

To enable users to configure Cisco Secure ACS from another workstation, either on the LAN or from a dial-in client, the user must be registered as an administrator. In the Administration Control window, specify the administrator's username and password, and assign the applicable administrator privileges. This username and password have no association with the dialup authentication username and password.

NAS Configuration (HG)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    ! On IOS 12.x the authorization and accounting lines take a method list,
    ! for example: aaa authorization network default group tacacs+

    vpdn enable
    ! Accept L2F tunnels from the ISP NAS into virtual template 1
    ! (isp_hostname and home-gw_hostname are placeholders).
    vpdn incoming isp_hostname home-gw_hostname virtual-template 1

    tacacs-server host ip_address single-connection
    tacacs-server key key
    enable secret password
    ! Console logins fall back to the enable secret so the NAS stays
    ! reachable if Cisco Secure ACS is unavailable.
    aaa authentication login no_tacacs enable
    line con 0
     login authentication no_tacacs

    interface virtual-template 1
     ip unnumbered e0
     encapsulation ppp
     ppp authentication chap

Enter the following command under each interface used for dial-in access:

    ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

The client must dial in to the ISP NAS with the name defined at the HG ACS (for this example, username@cisco).

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number to the NAS.

Step 2   Right-click the Connection icon and click Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list, select PPP.

Step 5   In the Advanced options area, select the Log on to network check box. This will cause the client to attempt to log in to the Windows NT/2000 domain when dialing in.

Step 6   Click to clear the Require encrypted password check box.

Step 7   In the Allowed network protocols area, select IP and/or IPX.

Step 8   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.

Step 9   When you make a connection, type the username (for example, username@cisco) and password that you defined in the Cisco Secure ACS user database at the HG.


Tips

Consider the following:

  • Because PAP and CHAP passwords can be stored in the Cisco Secure ACS user database, you can use either PAP or CHAP as the authentication protocol with this configuration (with PAP added to the Cisco IOS configuration on the NAS). PAP sends the password across the link in cleartext, so prefer CHAP wherever the client supports it.

  • Because single login is not available with CHAP authentication, logging in to a Windows NT/2000 network requires two steps.

Virtual Profiles Using the Cisco Secure ACS User Database with TACACS+

This section outlines how you can achieve greater flexibility in supporting access security with virtual profiles. Virtual profiles are per-user access profiles, defined in Cisco Secure ACS, that the NAS applies to the virtual-access interface it creates for the user's connection.

Virtual profiles enable you to do the following:

  • Use simpler NAS configurations.

  • Centralize network access management.

  • Apply security based on user profiles rather than configuring the physical interface of the access device.

  • Apply specific Cisco IOS WAN interface commands that are configured in Cisco Secure ACS onto a virtual interface that is created on the NAS when a user dials in to the network.

In this example, an access list is applied to a user's dial-in connections. When the user dials in and authenticates, the NAS creates a virtual-access interface for the connection from the virtual profile and applies the access list to it.

Windows NT/2000 Server Configuration

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration

Configure these items in the Cisco Secure ACS.

Network Configuration


Note   If the first HG NAS into which clients dial was set up during installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit the NAS.

Step 3   Type the name of the NAS (this is only for identification by the administrator).

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ as the security control protocol.


External User Database Configuration

In the External User Databases window, follow these steps:


Step 1   Click Unknown User Policy.

Step 2   Click Fail the attempt.

Step 3   Click Database Configuration.

Step 4   Click Windows NT.

Step 5   Click to clear the Grant dialin permission to user check box.

Result: Cisco Secure ACS is set to deny authentication unless the user has an active account in the Cisco Secure ACS database.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   In the TACACS+ (Cisco IOS) window, click Display a window for each service selected in which you can enter customized TACACS+ attributes.

Step 3   To add more controls for dial-in access, select the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Enabling only the features you need keeps the interface simple; enabling more of them gives finer control over access security.


Group Setup

In Group Setup for the Default Group, follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To limit the number of simultaneous sessions allowed for the group as a whole, and the number allowed for each user in the group, type the appropriate numbers in the Max Sessions fields. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.


Note   The Max Sessions count defined in the User Setup window overrides the Max Sessions per user count in the Group Setup window.

Step 4   Cisco Secure ACS can cache the password (for example, a one-time token-card password) used to authenticate the first ISDN B channel so that the second B channel can be authenticated when it is brought into service. Select one of these token caching methods:

  • If the second B-channel service goes up and down dynamically, select Session.

  • If both B channels stay in service, select Duration. Type the number of minutes for the Cisco Secure ACS to cache the password.

Step 5   Enable IP and select the Custom Attributes check box. In the text window enter the following:

    inacl#3=permit ip any any

Step 6   To enable the NAS to support dial-in clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 7   Enable LCP and select Custom Attributes. In the text window, enter the following:

    interface-config=ip unnumbered e0\nno ip route-cache
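
The two custom attributes above travel to the NAS as AV pairs inside a TACACS+ authorization REPLY, and the body of that packet is protected only by an MD5 keystream derived from the shared key. The following Python is an added example, not code from the Cisco Secure ACS documentation: it builds the REPLY body carrying the page's inacl#3 and interface-config pairs, obfuscates it as TACACS+ does, decodes it on the NAS side, and expands the pairs into the IOS lines the NAS would apply to the user's virtual-access interface. The session id, shared key and sequence number are constructed for the example, and splitting the interface-config value on the literal \n shown on the page is an assumption of this example.

```python
"""Added example (not from the Cisco Secure ACS documentation): a TACACS+
authorization REPLY carrying the virtual-profile AV pairs from Group Setup,
obfuscated with the shared key as TACACS+ does (RFC 8907 section 4.5), then
decoded and expanded into the IOS lines the NAS would apply. Session id,
key and attribute values are constructed for the example."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def tacacs_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id|key|version|seq_no), each further block
    chained on the previous digest. The only secret in it is the key."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """REPLY body: status, arg_cnt, server_msg_len, data_len, one length octet
    per argument, then server_msg, data and the AV pairs."""
    raw = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(raw), len(server_msg), len(data))
    return body + bytes(len(a) for a in raw) + server_msg + data + b"".join(raw)


def decode_author_reply(body):
    """Inverse of encode_author_reply. Returns None when the lengths do not
    add up, which is what a wrong shared key looks like on the wire."""
    if len(body) < 6:
        return None
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + arg_cnt
    if pos > len(body):
        return None
    arg_lens = list(body[6:pos])
    if pos + msg_len + data_len + sum(arg_lens) != len(body):
        return None
    pos += msg_len + data_len
    args = []
    for n in arg_lens:
        try:
            args.append(body[pos:pos + n].decode("ascii"))
        except UnicodeDecodeError:
            return None
        pos += n
    return status, args


def build_packet(session_id, seq_no, key, body):
    """Header in the clear; body XORed with the keystream (flags 0 = obfuscated)."""
    pad = tacacs_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def parse_packet(packet, key):
    """NAS side: strip the keystream and decode. Returns (status, args) or None."""
    if len(packet) < HEADER.size:
        return None
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHOR or len(body) != length:
        return None
    if not flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG clear
        pad = tacacs_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    return decode_author_reply(body)


def expand_virtual_profile(args):
    """What the NAS applies: inacl#N entries in order of N, and interface-config
    commands. Splitting one value on a literal \\n is an assumption here."""
    acl, iface = {}, []
    for av in args:
        seps = [i for i in (av.find("="), av.find("*")) if i >= 0]  # '=' mandatory, '*' optional
        if not seps:
            continue
        name, value = av[:min(seps)], av[min(seps) + 1:]
        if name.startswith("inacl#"):
            acl[int(name[6:])] = value
        elif name == "interface-config":
            iface.extend(c.strip() for c in value.split("\\n") if c.strip())
    return {"inacl": [acl[n] for n in sorted(acl)], "interface": iface}


# Constructed values for the example
SESSION_ID = 0x1A2B3C4D
SHARED_KEY = b"example-tacacs-key"
GROUP_ARGS = ["inacl#3=permit ip any any",
              "interface-config=ip unnumbered e0\\nno ip route-cache"]

if __name__ == "__main__":
    pkt = build_packet(SESSION_ID, 2, SHARED_KEY,
                       encode_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, GROUP_ARGS))
    print(parse_packet(pkt, SHARED_KEY))
    print(expand_virtual_profile(GROUP_ARGS))
```

Anyone who can read the TACACS+ session and knows (or guesses) the shared key recovers the whole profile, which is why the key on the NAS and in Network Configuration should be long and random and why the ACS-to-NAS path belongs on a management network.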

User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database.

Step 2   Select CiscoSecure Database as the method for password authentication.

Step 3   Type and confirm the password in the first set of the Cisco Secure ACS user database password fields.

Step 4   Assign the user to a group. You can use the Default Group, but it is better to use a different group, such as Group 1.


Note   All groups can be renamed, but the Cisco Secure ACS tracks all groups by their original number.

Step 5   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 6   If you are using dial in, to assign a particular IP address to the user, type the address in the Static IP Address field.

Step 7   To set expiration or aging conditions for the user, configure them here.


NAS Configuration

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ with virtual profiles; it also authorizes NAS commands and authenticates enable (privilege-level) access through Cisco Secure ACS. CHAP can be used because the Cisco Secure ACS user database stores the password in a form usable for CHAP:

    ! Build each virtual-access interface from virtual template 1 and from the
    ! per-user attributes that Cisco Secure ACS returns (virtual-profile aaa
    ! requires aaa authorization network).
    virtual-profile virtual-template 1
    virtual-profile aaa

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authentication enable default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    tacacs-server host ip_address single-connection
    tacacs-server key key
    enable secret password
    ! Console logins fall back to the enable secret so the NAS stays
    ! reachable if Cisco Secure ACS is unavailable.
    aaa authentication login no_tacacs enable
    line con 0
     login authentication no_tacacs

    ! Template body assumed; the interface-config attributes from Group Setup
    ! (ip unnumbered e0, no ip route-cache) are applied on top of it.
    interface virtual-template 1
     encapsulation ppp

Enter one of the following commands under each interface used for dial-in access:

    ppp authentication chap

or

    ppp authentication pap

Client Configuration

The client can be an async or ISDN client or reside on the network.

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number for the NAS.

Step 2   Right-click the Connection icon and select Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list, select PPP.

Step 5   In the Advanced options area, select the Log on to network check box. This will cause the client to attempt to log on to the Windows NT/2000 domain when dialing in.

Step 6   Click to clear the Require encrypted password check box.

Step 7   In the Allowed network protocols area, select IP and/or IPX.

Step 8   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.

Step 9   When you make a connection, type the Cisco Secure ACS user database username and password.


Tips

Because the Cisco Secure ACS user database can store PAP and CHAP passwords, you can use PAP or CHAP as the authentication protocol. To use PAP authentication, substitute the word PAP in place of CHAP in the NAS configuration example earlier in this section. PAP sends the password across the link in cleartext, so prefer CHAP wherever the client supports it.

VPDN Using the Cisco Secure ACS User Database with RADIUS Tunneling Attributes

Use this configuration to create connections over a public infrastructure. You can use Cisco Secure ACS to provide authentication, authorization, and accounting for Virtual Private Dialup Networks (VPDNs) using the L2F tunneling protocol. Service providers can use this method to offer a VPDN service to which corporate customers subscribe. This configuration requires a Cisco Secure ACS at both the ISP NAS location and the HG location. Note that L2F authenticates the tunnel endpoints and the user but does not encrypt the tunneled traffic.

The Cisco Secure ACS is used at the originating end of the VPDN tunnel (the site into which the VPDN user dials, often called the ISP NAS) and at the terminating end (the private network that terminates the VPDN tunnel, called the HG). See Figure 10-2.


Figure 10-2: VPDN and the Cisco Secure ACS


Note   VPDN terminology commonly uses domain to represent the corporate home gateway; this is not associated with the Windows NT/2000 domain. In the following example, the VPDN domain is referred to as VPDN domain to prevent confusion.

The creation of a tunnel can be described in two major processes that take place after the client dials in:

1. Creating a VPDN Tunnel

2. Authenticating and Authorizing the Client

Creating a VPDN Tunnel

1. The ISP NAS uses the VPDN domain to get information from the ACS (ISP) about where the tunnel should be built for that user (Tunnel ID and HG address).

2. The ISP NAS then uses the information (Tunnel ID) to request authentication for the tunnel from the NAS (HG).

3. The NAS forwards the information (Tunnel ID) to the ACS (HG) to authenticate the request.

4. When the Tunnel ID is validated, the tunnel is established.

Authenticating and Authorizing the Client

1. The ISP NAS requests authentication for the user by the ACS (HG).

2. The ACS (HG) returns authentication and authorization responses to the ISP NAS.

3. After validation, the client has a secure connection through the tunnel with permissions assigned by the ACS at the corporate site (HG).

Windows NT/2000 Server Configuration (ISP)

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration (ISP)

Configure these items on the Cisco Secure ACS at the ISP end of the VPDN connection.

Network Configuration


Note   If the first ISP NAS into which the clients dial was set up during the installation of the Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit the NAS.

Step 3   Type the name of the NAS (this is only for identification by the administrator).

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, select TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   Click PPP-VPDN and click Submit. This displays the PPP-VPDN option under Group Setup when it is time to configure that section.


Group Setup

In Group Setup for Group 1, follow these steps:


Step 1   Enable PPP-VPDN.

Step 2   Type CISCO_TUNNEL. This is the Tunnel ID, which is the username.

Step 3   Type the IP address of the HG NAS.


User Setup

In User Setup, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database for authentication. This username is actually the name of the VPDN domain. For this example, use cisco. A password is needed to submit the user but is not used for authentication; because the entry is still an account in the database, type a long random value rather than a guessable placeholder. Do not configure any other parameters.

Step 2   Assign the user to Group 1.

Step 3   Add a second user to the Cisco Secure ACS user database for authentication. This username is the name of the Tunnel ID. For this example use cisco_tunnel. A legitimate password is needed for this entry. Type cisco for this example. Do not configure any other parameters.

Step 4   Assign the second user to Group 1.
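
The sample NAS configurations in this section use TACACS+; the RADIUS tunneling attributes named in the section title are defined in RFC 2868. The following Python is an added example, not code from the Cisco Secure ACS documentation: it builds the tagged attribute set that a RADIUS Access-Accept for the VPDN domain user would carry (the Tunnel ID CISCO_TUNNEL and HG address from Group Setup, and the tunnel password cisco from User Setup), including the salt-encrypted Tunnel-Password, and decodes it as the ISP NAS would. The shared secret, the Request Authenticator, the salt and the HG address 192.0.2.10 are constructed for the example.

```python
"""Added example (not from the Cisco Secure ACS documentation): RFC 2868
tunnel attributes for one VPDN domain, with the Tunnel-Password encrypted
and decrypted as RFC 2868 section 3.5 specifies. Secret, Request
Authenticator, salt and HG address are constructed for the example."""
import hashlib
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_SERVER_ENDPOINT, TUNNEL_PASSWORD = 67, 69
TUNNEL_CLIENT_AUTH_ID = 90
TUNNEL_TYPE_L2F = 2      # RFC 2868: 1 = PPTP, 2 = L2F, 3 = L2TP
TUNNEL_MEDIUM_IPV4 = 1


def _tlv(attr_type, value):
    """RADIUS attribute: Type, Length (counting these two octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type, tag, value):
    """Tag octet followed by a 3-octet integer (Tunnel-Type, Tunnel-Medium-Type)."""
    return _tlv(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_str(attr_type, tag, text):
    """Tag octet followed by a string (endpoint addresses, auth ids)."""
    return _tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def encrypt_tunnel_password(password, secret, request_authenticator, salt):
    """P = length octet || password, zero-padded to 16-octet blocks.
    b(1) = MD5(S + R + Salt), b(i) = MD5(S + c(i-1)), c(i) = p(i) XOR b(i)."""
    if not salt[0] & 0x80:
        raise ValueError("salt MSB must be set")
    plain = bytes([len(password)]) + password.encode("ascii")
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_tunnel_password(cipher, secret, request_authenticator, salt):
    """Inverse of encrypt_tunnel_password. A wrong secret or authenticator
    yields garbage, which the length octet usually exposes."""
    if len(cipher) % 16:
        raise ValueError("ciphertext is not a whole number of blocks")
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    n = out[0]
    if n > len(out) - 1:
        raise ValueError("length octet out of range: wrong secret or authenticator?")
    try:
        return out[1:1 + n].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("password is not ASCII: wrong secret or authenticator?") from exc


def tunnel_attributes(tag, hg_address, tunnel_id, password, secret, request_authenticator, salt):
    """The attribute set for one tunnel; the shared tag groups them together."""
    return b"".join([
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_L2F),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4),
        tagged_str(TUNNEL_SERVER_ENDPOINT, tag, hg_address),
        tagged_str(TUNNEL_CLIENT_AUTH_ID, tag, tunnel_id),
        _tlv(TUNNEL_PASSWORD, bytes([tag]) + salt +
             encrypt_tunnel_password(password, secret, request_authenticator, salt)),
    ])


def parse_tunnel_attributes(data, secret, request_authenticator):
    """NAS side: walk the attribute list and return {tag: {name: value}}."""
    names = {64: "type", 65: "medium", 67: "server_endpoint", 90: "client_auth_id"}
    tunnels, pos = {}, 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type not in names and attr_type != TUNNEL_PASSWORD:
            continue
        entry = tunnels.setdefault(value[0], {})
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            entry[names[attr_type]] = int.from_bytes(value[1:4], "big")
        elif attr_type == TUNNEL_PASSWORD:
            entry["password"] = decrypt_tunnel_password(value[3:], secret, request_authenticator, value[1:3])
        else:
            entry[names[attr_type]] = value[1:].decode("ascii")
    return tunnels


# Constructed values for the example
SECRET = b"example-radius-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # normally random, taken from the Access-Request
SALT = b"\x80\x01"                         # MSB set, as RFC 2868 requires
HG_ADDRESS = "192.0.2.10"


def make_accept_attributes():
    """Attribute set the ISP ACS would return for the VPDN domain cisco."""
    return tunnel_attributes(1, HG_ADDRESS, "CISCO_TUNNEL", "cisco", SECRET, REQUEST_AUTHENTICATOR, SALT)


if __name__ == "__main__":
    print(parse_tunnel_attributes(make_accept_attributes(), SECRET, REQUEST_AUTHENTICATOR))
```

The Tunnel-Password is hidden only by an MD5 keystream keyed on the RADIUS shared secret and the Request Authenticator, so the secret between the ISP NAS and its ACS protects the tunnel password as well as the user passwords; Tunnel-Type and the endpoint address travel in the clear.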


NAS Configuration (ISP)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    ! On IOS 12.x the authorization and accounting lines take a method list,
    ! for example: aaa authorization network default group tacacs+

    ! The tunnel destination (Tunnel ID and HG address) comes from Cisco
    ! Secure ACS through network authorization, so no static vpdn mapping
    ! is needed here.
    vpdn enable

    tacacs-server host ip_address single-connection
    tacacs-server key key
    enable secret password
    ! Console logins fall back to the enable secret so the NAS stays
    ! reachable if Cisco Secure ACS is unavailable.
    aaa authentication login no_tacacs enable
    line con 0
     login authentication no_tacacs

Enter the following command under each interface used for dial-in access:

    ppp authentication chap

Windows NT/2000 Server Configuration (HG)

No Windows NT/2000 server configuration is required; users do not need to exist in the Windows NT/2000 database unless they need to log in to the Windows NT/2000 network.

Cisco Secure ACS Configuration (HG)

Configure these items on the Cisco Secure ACS at the HG of the VPDN connection.

Network Configuration


Note   If the first HG NAS into which clients dial was set up during installation of Cisco Secure ACS, this configuration should already be complete.

In the Network Configuration window, follow these steps:


Step 1   If you are using NDGs, click the name of the applicable NDG.

Step 2   Add or edit the NAS.

Step 3   Type the name of the NAS (this is only for identification by the administrator).

Step 4   Type the IP address of the NAS.

Step 5   Type the shared secret (key) of the NAS and Cisco Secure ACS.

Step 6   Select TACACS+ as the security control protocol.


Interface Configuration

In the Interface Configuration window, follow these steps:


Step 1   To allow the protocol to be configurable for a group, click TACACS+ (Cisco IOS).


Note   When you select any PPP protocol, you must also enable PPP LCP.

Step 2   To add more controls for dial-in access, select the applicable features in the Interface Configuration: Advanced Options window to display the options in the user interface. Enabling only the features you need keeps the interface simple; enabling more of them gives finer control over access security.


Group Setup

Do not configure any parameters in Group Setup for the CISCO_TUNNEL user's group (for example, Group 1). CISCO_TUNNEL is only used for authentication of the tunnel.

In Group Setup for the Group where the user username@CISCO has been placed (for example, Group 2), follow these steps:


Step 1   To use Time-of-Day Access, click the times and days to grant access and click Use as Default. The times and days during which access is allowed are highlighted in green. Leaving this feature disabled grants access 24 hours a day, 7 days a week. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 2   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 3   To enable the NAS to support dialup clients running IP over a PPP (async or ISDN) connection, enable PPP-IP. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 4   To make Cisco Secure ACS a "DHCP-like" server, enable IP Pool and type the IP Pool name defined on the NAS. To use a NAS-name pool, leave the field blank.

Step 5   To enable the NAS to support dialup clients running IPX over a PPP (async or ISDN) connection, enable PPP-IPX. If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.

Step 6   To permit the client to run Telnet sessions or to allow Cisco Secure ACS to also be used for NAS management, enable Shell (Exec). If this parameter is not displayed, configure it in the Interface Configuration: TACACS+ (Cisco IOS) window.


User Setup

In the User Setup window of Cisco Secure ACS, follow these steps:


Step 1   Add a user to the Cisco Secure ACS user database for authentication. This username is used by the client. It must contain the VPDN domain as the suffix following the "@" sign. This name must be the same as the VPDN domain name entered at the ISP's ACS (for example, username@cisco). Type a client password.

Step 2   Assign the username@cisco to a group, for example, the Windows NT/2000 Users group.

Step 3   To permit or deny users to call only from a particular location, complete the applicable fields under Network Access Restrictions. If this parameter is not displayed, enable it in the Interface Configuration: Advanced Options window.

Step 4   If you are using dial-in, to assign a particular IP address to the user, type it in the Static IP Address field.

Step 5   To set expiration or aging conditions for the user, configure them here.

Step 6   Add a second user to the Cisco Secure ACS user database for authentication. This username must match the name used at the ISP for the Tunnel ID. For this example, use cisco_tunnel. The same legitimate password is needed for this entry. For this example, type cisco. Do not configure any other parameters.

Step 7   Assign the second user to Group 1.


Administration Control

To configure Cisco Secure ACS from another workstation, either on the LAN or over a dial-in connection, a user must be registered as an administrator. In the Administration Control window, specify the administrator's username and password, and assign the applicable administrator privileges. This username and password have no association with the dial-in authentication username and password.

NAS Configuration (HG)

The Cisco IOS configuration for the NAS depends on the network protocol, routing, IP address definition, access control list definition, and so on. The following sample configuration shows the minimum requirements for a Cisco 2509 access server using TACACS+ on a VPDN:

    aaa new-model
    aaa authentication login default tacacs+
    aaa authentication ppp default tacacs+
    aaa authorization exec tacacs+
    aaa authorization network tacacs+
    aaa accounting network start-stop tacacs+
    aaa accounting exec start-stop tacacs+
    ! On IOS 12.x the authorization and accounting lines take a method list,
    ! for example: aaa authorization network default group tacacs+

    vpdn enable
    ! Accept L2F tunnels from the ISP NAS into virtual template 1
    ! (isp_hostname and home-gw_hostname are placeholders).
    vpdn incoming isp_hostname home-gw_hostname virtual-template 1

    tacacs-server host ip_address single-connection
    tacacs-server key key
    enable secret password
    ! Console logins fall back to the enable secret so the NAS stays
    ! reachable if Cisco Secure ACS is unavailable.
    aaa authentication login no_tacacs enable
    line con 0
     login authentication no_tacacs

    interface virtual-template 1
     ip unnumbered e0
     encapsulation ppp
     ppp authentication chap

Enter the following command under each interface used for dial-in access:

    ppp authentication chap

Client Configuration

The client can be an async or ISDN client.

The client must dial in to the ISP NAS with the name defined at the HG ACS (for this example, username@cisco).

Windows 95/98 Client

In the Dial-Up Networking section of Windows 95/98, follow these steps:


Step 1   Create and configure a connection with the dial number to the NAS.

Step 2   Right-click the Connection icon and click Properties.

Step 3   Click the Server Type tab.

Step 4   From the Type of Dial-Up Server list box, select PPP.

Step 5   In the Advanced options area, select the Log on to network check box. This will cause the client to attempt to log on to the Windows NT/2000 domain when dialing in.

Step 6   Click to clear the Require encrypted password check box.

Step 7   In the Allowed network protocols area, select IP and/or IPX.

Step 8   If the NAS is using an IP pool, do not assign an IP address to the client. Instead, in the TCP/IP settings, select server assigned IP Address and server assigned name server address.

Step 9   When you make a connection, type the username (for example, username@cisco) and password that you defined in the Cisco Secure ACS user database at the HG.


Tips

Consider the following:

  • Because PAP and CHAP passwords can be stored in the Cisco Secure ACS user database, you can use either PAP or CHAP as the authentication protocol with this configuration (with PAP added to the Cisco IOS configuration on the NAS). PAP sends the password across the link in cleartext, so prefer CHAP wherever the client supports it.

  • Because single login is not available with CHAP authentication, logging in to a Windows NT/2000 network requires two steps.