Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Setting Up and Managing Administrators and Policy

Table of Contents

Setting Up and Managing Administrators and Policy
Administrator Accounts
Access Policy
Session Policy
Audit Policy

Setting Up and Managing Administrators and Policy


This chapter addresses the Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) features found in the Administration Control section of the HTML interface. It contains the following sections:

Administrator Accounts

To access the Cisco Secure ACS HTML interface from a browser run elsewhere than on the Cisco Secure ACS server itself, you must log in to Cisco Secure ACS using an administrative account. If your Cisco Secure ACS is so configured, you may need to log in to Cisco Secure ACS even on the Cisco Secure ACS server. For more information about automatic local logins, see the "Session Policy" section.


Note   Cisco Secure ACS administrator accounts have no correlation with Cisco Secure ACS user accounts or username/password authentication. Cisco Secure ACS stores accounts created for authentication of network service requests and those created for Cisco Secure ACS administrative access in separate internal databases.

This section contains the following topics:

Administrator Privileges

You can grant appropriate privileges to each Cisco Secure ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options in the Administrator Privileges table on the Add Administrator or Edit Administrator pages. These options are listed below:

  • User and Group Setup—Contains the following privilege options for the User Setup and Group Setup sections of the HTML interface:
    • Add/Edit users in these groups—Enables the administrator to add or edit users and to assign users to the groups in the Editable groups list.
    • Setup of these groups—Enables the administrator to edit the settings for the groups in the Editable groups list.
    • Available Groups—Lists the user groups for which the administrator does not have edit privileges and to which the administrator cannot add users.
    • Editable Groups—Lists the user groups for which the administrator does have edit privileges and to which the administrator account can add users.
  • Shared Profile Components—Contains the following privilege options for the Shared Profile Components section of the HTML interface:
    • Network Access Restriction Sets—Allows the administrator full access to the Network Access Restriction Sets feature.
    • Downloadable ACLs—Allows the administrator full access to the Downloadable PIX ACLs feature.
    • Create New Device Command Set Type—Allows the administrator's account to be used as valid credentials by another Cisco application for adding new device command set types.
    • Shell Command Authorization Sets—Allows the administrator full access to the Shell Command Authorization Sets feature.
    • PIX Command Authorization Sets—Allows the administrator full access to the PIX Command Authorization Sets feature.

Note    Additional command authorization set privilege options may appear, if other Cisco network management applications, such as CiscoWorks2000, have updated the configuration of Cisco Secure ACS.

Adding an Administrator Account

You can add Cisco Secure ACS administrator accounts to allow remote access to the HTML interface. If, on the Session Policy page, the Allow automatic local login check box is not selected, Cisco Secure ACS requires that you log in using an administrative account for administrative sessions local to the Cisco Secure ACS server, too.

For information about the administrative privilege options, see the "Administrator Privileges" section.

To add a Cisco Secure ACS administrator account, follow these steps:


Step 1   In the navigation bar, click Administration Control.

Step 2   Click Add Administrator.

Result: The Add Administrator page appears.

Step 3   Complete the boxes in the Administrator Details table:

a. In the Administrator Name box, type the login name for the new Cisco Secure ACS administrator account.


Note    The Administrator Name can contain special characters, including spaces.

b. In the Password box, type the password for the new Cisco Secure ACS administrator account.

c. In the Confirm Password box, type the password a second time.

Step 4   To select all privileges, including user group editing privileges for all user groups, click Grant All.

Result: All privileges options are selected. All user groups move to the Editable groups list.


Tip To clear all privileges, including user group editing privileges for all user groups, click Revoke All.

Step 5   To grant user and user group editing privileges, follow these steps:

a. Select the desired check boxes under User & Group Setup.

b. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).

Result: The selected group moves to the Editable groups list.

c. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (left arrow button).

Result: The selected group moves to the Available groups list.

d. To move all user groups to the Editable groups list, click >>.

Result: The user groups in the Available groups list move to the Editable groups list.

e. To remove all user groups from the Editable groups list, click <<.

Result: The user groups in the Editable groups list move to the Available groups list.

Step 6   To grant any of the remaining privilege options, in the Administrator Privileges table, select the applicable check boxes.

Step 7   Click Submit.

Result: Cisco Secure ACS saves the new administrator account. The new account appears in the list of administrator accounts on the Administration Control page.


Editing an Administrator Account

You can edit a Cisco Secure ACS administrator account to change the privileges granted to the administrator. You can effectively disable an administrator account by revoking all privileges.


Note   You cannot change the name of an administrator account; however, you can delete an administrator account and then create an account with the new name. For information about deleting an administrator account, see the "Deleting an Administrator Account" section. For information about creating an administrator account, see the "Adding an Administrator Account" section.

For information about the administrative privilege options, see the "Administrator Privileges" section.

To edit Cisco Secure ACS administrator account privileges, follow these steps:


Step 1   In the navigation bar, click Administration Control.

Result: Cisco Secure ACS displays the Administration Control page.

Step 2   Click the name of the administrator account whose privileges you want to edit.

Result: The Edit Administrator name page appears, where name is the name of the administrator account you selected in Step 2.

Step 3   To change the administrator password, follow these steps:

a. In the Password box, double-click the asterisks, and then type the new password for the administrator.

Result: The new password replaces the existing, masked password.

b. In the Confirm Password box, double-click the asterisks, and then type the new administrator password a second time.

Step 4   To select all privileges, including user group editing privileges for all user groups, click Grant All.

Result: All privileges options are selected. All user groups move to the Editable groups list.

Step 5   To clear all privileges, including user group editing privileges for all user groups, click Revoke All.

Result: All privileges options are cleared. All user groups move to the Available groups list.

Step 6   To grant user and user group editing privileges, follow these steps:

a. Under User & Group Setup, select the applicable check boxes.

b. To move all user groups to the Editable groups list, click >>.

Result: The user groups in the Available groups list move to the Editable groups list.

c. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).

Result: The selected group moves to the Editable groups list.

d. To remove all user groups from the Editable groups list, click <<.

Result: The user groups in the Editable groups list move to the Available groups list.

e. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (left arrow button).

Result: The selected group moves to the Available groups list.

Step 7   To grant any remaining privilege options, select the applicable check boxes in the Administrator Privileges table.

Step 8   To revoke any remaining privilege options, clear the applicable check boxes in the Administrator Privileges table.

Step 9   Click Submit.

Result: Cisco Secure ACS saves the changes to the administrator account.


Deleting an Administrator Account

You can delete a Cisco Secure ACS administrator account when you no longer need it. We recommend deleting any unused administrator accounts.

To delete a Cisco Secure ACS administrator account, follow these steps:


Step 1   In the navigation bar, click Administration Control.

Result: Cisco Secure ACS displays the Administration Control page.

Step 2   In the Administrators table, click the name of the administrator account that you want to delete.

Result: The Edit Administrator name page appears, where name is the name of the administrator account you selected in Step 2.

Step 3   Click Delete.

Result: Cisco Secure ACS displays a confirmation dialog box.

Step 4   Click OK.

Result: Cisco Secure ACS deletes the administrator account. The Administrators table on the Administration Control page no longer lists the administrator account that you deleted.


Access Policy

The Access Policy feature affects access to remote Cisco Secure ACS administration sessions. You can limit remote administrator access by IP address and by the TCP port range used for administrative sessions. This section contains the following topics:

Access Policy Options

You can configure the following options on the Access Policy Setup page:

  • IP Address Filtering—Contains the following IP address filtering options:
    • Allow all IP addresses to connect—Allow remote access to the HTML interface from any IP address.
    • Allow only listed IP addresses to connect—Allow remote access to the HTML interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table.
    • Reject connections from listed IP addresses—Allow remote access to the HTML interface only from IP addresses outside the address range(s) specified in the IP Address Ranges table.
  • IP Address Ranges—The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, the range includes the start and end IP addresses. The IP addresses entered to define a range must differ only in the last octet (Class C format).

The IP Address Ranges table contains one column for each of the following boxes:

    • Start IP Address—Defines the lowest IP address of the range specified in the current row.
    • End IP Address—Defines the highest IP address of the range specified in the current row.
  • HTTP Port Allocation—Contains the following options for configuring TCP ports used for remote access to the HTML interface.
    • Allow any TCP ports to be used for Administration HTTP Access—Allow the ports used by administrative HTTP sessions to include the full range of TCP ports.
    • Restrict Administration Sessions to the following port range From Port x to Port y—Restrict the ports used by administrative HTTP sessions to the range specified in the x and y boxes, inclusive. The size of the range specified determines the maximum number of concurrent administrative sessions.

A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a remote web browser must access to initiate an administrative session.


Note    We do not recommend allowing administration of Cisco Secure ACS from outside a firewall. If you do choose to allow remote access to the HTML interface from outside a firewall, keep the HTTP port range as narrow as possible. This can help prevent accidental discovery of an active administrative port by unauthorized users. An unauthorized user would have to impersonate, or "spoof," the IP address of a legitimate remote host to make use of the active administrative session HTTP port.
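The following is an added example, not code from Cisco Secure ACS, that models the Access Policy rules above so a planned policy can be checked offline before it is applied: inclusive IP ranges whose endpoints differ only in the last octet (at most ten rows), the three IP filtering modes, and the port-range size that caps concurrent sessions plus the port 2002 a firewall must also permit. The mode names and the sample range are constructed for the example.

```python
"""Model of the Cisco Secure ACS Access Policy rules (added example,
not Cisco code): validate IP Address Ranges rows, evaluate a remote
address under each IP filtering mode, and derive firewall port needs."""
import ipaddress
from dataclasses import dataclass

# Mode names are constructed for this example; they mirror the three radio options.
ALLOW_ALL, ALLOW_LISTED, REJECT_LISTED = "allow_all", "allow_listed", "reject_listed"
MAX_RANGES = 10          # the IP Address Ranges table has ten rows
INITIAL_PORT = 2002      # port a remote browser uses to start an admin session


@dataclass(frozen=True)
class IPRange:
    start: str
    end: str

    def error(self) -> str:
        """Return "" if the row is valid, else why it is not (per the guide)."""
        s, e = ipaddress.IPv4Address(self.start), ipaddress.IPv4Address(self.end)
        if s.packed[:3] != e.packed[:3]:
            return f"{self.start}-{self.end}: must differ only in the last octet"
        if s > e:
            return f"{self.start}-{self.end}: start exceeds end"
        return ""

    def contains(self, ip: str) -> bool:
        a = ipaddress.IPv4Address(ip)            # ranges are inclusive
        return ipaddress.IPv4Address(self.start) <= a <= ipaddress.IPv4Address(self.end)


def range_errors(ranges) -> list:
    errors = [r.error() for r in ranges if r.error()]
    if len(ranges) > MAX_RANGES:
        errors.append(f"{len(ranges)} rows, but the table holds {MAX_RANGES}")
    return errors


def remote_admin_allowed(mode: str, ranges, remote_ip: str) -> bool:
    """True if a browser at remote_ip may open an administrative session."""
    if range_errors(ranges):
        raise ValueError("; ".join(range_errors(ranges)))
    if mode == ALLOW_ALL:
        return True
    listed = any(r.contains(remote_ip) for r in ranges)
    if mode == ALLOW_LISTED:
        return listed
    if mode == REJECT_LISTED:
        return not listed
    raise ValueError(f"unknown filtering mode {mode!r}")


def max_concurrent_sessions(low: int, high: int) -> int:
    """The size of the restricted port range caps concurrent admin sessions."""
    if not 1 <= low <= high <= 65535:
        raise ValueError("invalid port range")
    return high - low + 1


def firewall_ports(low: int, high: int) -> list:
    """TCP ports a firewall must permit: port 2002 plus the restricted range."""
    return sorted({INITIAL_PORT, *range(low, high + 1)})
```

A constructed policy of one row, 10.1.1.10 to 10.1.1.20, admits 10.1.1.15 under "allow only listed" and rejects it under "reject listed"; a row spanning 10.1.1.10 to 10.1.2.20 is reported as invalid.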

Setting Up Access Policy

For information about access policy options, see the "Access Policy Options" section.

To set up Cisco Secure ACS Access Policy, follow these steps:


Step 1   In the navigation bar, click Administration Control.

Result: Cisco Secure ACS displays the Administration Control page.

Step 2   Click Access Policy.

Result: The Access Policy Setup page appears.

Step 3   To allow remote access to the HTML interface from any IP address, in the IP Address Filtering table, select the Allow all IP addresses to connect option.

Step 4   To allow remote access to the HTML interface only from IP addresses within a range or ranges of IP addresses, follow these steps:

a. In the IP Address Filtering table, select the Allow only listed IP addresses to connect option.

b. For each IP address range from within which you want to allow remote access to the HTML interface, complete one row of the IP Address Ranges table. In the Start IP Address box, type the lowest IP address in the range. In the End IP Address box, type the highest IP address in the range.

Step 5   To allow remote access to the HTML interface only from IP addresses outside a range or ranges of IP addresses, follow these steps:

a. In the IP Address Filtering table, select the Reject connections from listed IP addresses option.

b. For each IP address range from outside of which you want to allow remote access to the HTML interface, complete one row of the IP Address Ranges table. Type the lowest IP address in the range in the Start IP Address box. Type the highest IP address in the range in the End IP Address box.

Step 6   To allow Cisco Secure ACS to use any valid TCP port for administrative sessions, either local or remote, select the Allow any TCP ports to be used for Administration HTTP Access option.

Step 7   To allow Cisco Secure ACS to use only a specified range of TCP ports for administrative sessions, follow these steps:

a. Select the Restrict Administration Sessions to the following port range From Port x to Port y option.

b. In the y box type the highest TCP port in the range.

c. In the x box type the lowest TCP port in the range.

Step 8   Click Submit.

Result: Cisco Secure ACS saves and begins enforcing the access policy settings.


Session Policy

The Session Policy feature controls various aspects of Cisco Secure ACS administrative sessions. This section contains the following topics:

Session Policy Options

You can configure the following options on the Session Policy Setup page:

  • Session idle timeout (minutes)—Defines the time in minutes that an administrative session, local or remote, must remain idle before Cisco Secure ACS terminates the connection. This parameter applies to the Cisco Secure ACS administrative session in the browser only. It does not apply to an administrator's dial-up session.

An administrator whose administrative session is terminated receives a dialog box asking whether or not the administrator wants to continue. If the administrator chooses to continue, Cisco Secure ACS starts a new administrative session.

  • Allow Automatic Local Login—Enables administrators to start an administrative session without logging in if they are using a browser on the Cisco Secure ACS server. Local administrative sessions with automatic local login are recorded in the Administrative Audit report with the administrator name "local_login".

Note    If there are no administrator accounts defined, no administrator name or password is required to access Cisco Secure ACS locally. This prevents you from accidentally locking yourself out of Cisco Secure ACS.

  • Respond to Invalid IP Address Connections—Enables an error message in response to attempts to start a remote administrative session using an IP address that is invalid according to the IP address ranges configured in Access Policy. Disabling this option can help prevent unauthorized users from discovering your Cisco Secure ACS server.
  • Lock out Administrator after x successive failed attempts—Enables Cisco Secure ACS to lock out an administrator after the number of successive failed login attempts specified in the x box. A value of 0 (zero) in the x box allows unlimited successive administrative login failures. If this check box is selected, the x box cannot be set to zero.

Setting Up Session Policy

For information about session policy options, see the "Session Policy Options" section.

To set up Cisco Secure ACS Session Policy, follow these steps:


Step 1   In the navigation bar, click Administration Control.

Result: Cisco Secure ACS displays the Administration Control page.

Step 2   Click Session Policy.

Result: The Session Policy Setup page appears.

Step 3   To define the number of minutes of inactivity after which Cisco Secure ACS ends an administrative session, in the Session idle timeout (minutes) box, type the number of minutes.

Step 4   Set the automatic local login policy:

a. To allow administrators to log in to Cisco Secure ACS locally without using their administrator names and passwords, select the Allow Automatic Local Login check box.

b. To require administrators to log in to Cisco Secure ACS locally using their administrator names and passwords, clear the Allow Automatic Local Login check box.

Step 5   Set the invalid IP address response policy:

a. To configure Cisco Secure ACS to respond with a message when an administrative session is requested from an invalid IP address, select the Respond to invalid IP address connections check box.

b. To configure Cisco Secure ACS to send no message when an administrative session is requested from an invalid IP address, clear the Respond to invalid IP address connections check box.

Step 6   Set the failed administrative login attempts policy:

a. To enable Cisco Secure ACS to lock out an administrator after a number of successive failed administrative login attempts, select the Lock out Administrator after x successive failed attempts check box.

b. In the x box, type the number of successive failed login attempts after which Cisco Secure ACS locks out an administrator. To allow unlimited failed administrative login attempts, type 0 (zero).


Note    If the Lock out Administrator after x successive failed attempts check box is selected, the x box cannot be set to zero.

Step 7   Click Submit.

Result: Cisco Secure ACS saves and begins enforcing the session policy settings you made.


Audit Policy

The Audit Policy feature controls the generation of the Administrative Audit log.

For more information about enabling, viewing, or configuring the Administrative Audit log, see the "Administration Audit Log" section.