-
User Guide for Cisco Secure ACS Windows Server 3.1
-
Preface
-
Overview of Cisco Secure ACS
-
Deploying Cisco Secure ACS
-
Setting Up the Cisco Secure ACS HTML Interface
-
Setting Up and Managing Network Configuration
-
Setting Up and Managing Shared Profile Components
-
Setting Up and Managing User Groups
-
Setting Up and Managing User Accounts
-
Establishing Cisco Secure ACS System Configuration
-
Working with Logging and Reports
-
Setting Up and Managing Administrators and Policy
-
Working with User Databases
-
Administering External User Databases
-
Troubleshooting Information for Cisco Secure ACS
-
TACACS+ Attribute-Value Pairs
-
RADIUS Attributes
-
Cisco Secure ACS Command-Line Database Utility
-
Cisco Secure ACS and Virtual Private Dial-up Networks
-
RDBMS Synchronization Import Definitions
-
Cisco Secure ACS Internal Architecture
-
Table of Contents
Setting Up and Managing Administrators and PolicyAdministrator Accounts
Administrator Privileges
Adding an Administrator Account
Editing an Administrator Account
Unlocking a Locked Out Administrator Account
Deleting an Administrator Account
Session Policy
Audit Policy
Setting Up and Managing Administrators and Policy
This chapter addresses the Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 features found in the Administration Control section of the HTML interface. It contains the following sections:
Administrator Accounts
This section provides details about Cisco Secure ACS administrators. It contains the following topics:
About Administrator Accounts
Administrators are the only users of the Cisco Secure ACS HTML interface. To access the Cisco Secure ACS HTML interface from a browser run elsewhere than on the Cisco Secure ACS Windows server itself, you must log in to Cisco Secure ACS using an administrative account. If your Cisco Secure ACS is so configured, you may need to log in to Cisco Secure ACS even in a browser run on the Cisco Secure ACS Windows server. For more information about automatic local logins, see Session Policy.
 |
Note Cisco Secure ACS administrator accounts are unique to Cisco Secure ACS. They are not related to other administrator accounts, such as Windows users with administrator privileges. |
In the HTML interface, an administrator can configure any of the features provided in Cisco Secure ACS; however, the ability to access various parts of the HTML interface can be limited by revoking privileges to those parts of the HTML interface that a given administrator is not allowed to access.
For example, you may want to limit access to the Network Configuration section of the HTML interface to administrators whose responsibilities include network management. To do so, you would only select the Network Configuration privilege for applicable administrator accounts. For more information about administrator privileges, see Administrator Privileges.
Cisco Secure ACS administrator accounts have no correlation with Cisco Secure ACS user accounts or username and password authentication. Cisco Secure ACS stores accounts created for authentication of network service requests and those created for Cisco Secure ACS administrative access in separate internal databases.
Administrator Privileges
You can grant appropriate privileges to each Cisco Secure ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options from the Administrator Privileges table on the Add Administrator or Edit Administrator pages. These options are listed below:
- User and Group Setup—Contains the following privilege options for the User Setup and Group Setup sections of the HTML interface:
-
- Add/Edit users in these groups—Enables the administrator to add or edit users and to assign users to the groups in the Editable groups list.
- Setup of these groups—Enables the administrator to edit the settings for the groups in the Editable groups list.
- Available Groups—Lists the user groups for which the administrator does not have edit privileges and to which the administrator cannot add users.
- Editable Groups—Lists the user groups for which the administrator does have edit privileges and to which the administrator can add users.
- Shared Profile Components—Contains the following privilege options for the Shared Profile Components section of the HTML interface:
-
- Network Access Restriction Sets—Allows the administrator full access to the Network Access Restriction Sets feature.
- Downloadable ACLs—Allows the administrator full access to the Downloadable PIX ACLs feature.
- Create New Device Command Set Type—Allows the administrator account to be used as valid credentials by another Cisco application for adding new device command set types. New device command set types that are added to Cisco Secure ACS using this privilege appear in the Shared Profile Components section of the HTML interface.
- Shell Command Authorization Sets—Allows the administrator full access to the Shell Command Authorization Sets feature.
- PIX Command Authorization Sets—Allows the administrator full access to the PIX Command Authorization Sets feature.
|
Note Additional command authorization set privilege options may appear, if other Cisco network management applications, such as CiscoWorks2000, have updated the configuration of Cisco Secure ACS. |
- Network Configuration—Allows the administrator full access to the features in the Network Configuration section of the HTML interface.
- System Configuration...—Contains the privilege options for the features found in the System Configuration section of the HTML interface. For each of the following features, enabling the option allows the administrator full access to the feature.
-
- Service Control—For more information about this feature, see Service Control.
- Date/Time Format Control—For more information about this feature, see Date Format Control.
- Logging Control—For more information about this feature, see Logging.
- Local Password Management—For more information about this feature, see Local Password Management.
- DB Replication—For more information about this feature, see CiscoSecure Database Replication.
- RDBMS Synchronization—For more information about this feature, see RDBMS Synchronization.
- IP Pool Address Recovery—For more information about this feature, see IP Pools Address Recovery.
- IP Pool Server Configuration—For more information about this feature, see IP Pools Server.
- ACS Backup—For more information about this feature, see Cisco Secure ACS Backup.
- ACS Restore—For more information about this feature, see Cisco Secure ACS System Restore.
- ACS Service Management—For more information about this feature, see Cisco Secure ACS Active Service Management.
- VoIP Accounting Configuration—For more information about this feature, see VoIP Accounting Configuration.
- ACS Certificate Setup—For more information about this feature, see Cisco Secure ACS Certificate Setup.
- Global Authentication Setup—For more information about this feature, see Global Authentication Setup.
- Interface Configuration—Allows the administrator full access to the features in the Interface Configuration section of the HTML interface.
- Administration Control—Allows the administrator full access to the features in the Administration Control section of the HTML interface.
- External User Databases—Allows the administrator full access to the features in the External User Databases section of the HTML interface.
- Reports & Activity—Contains the privilege options for the reports and features found in the Reports and Activity section of the HTML interface. For each of the following features, enabling the option allows the administrator full access to the feature.
-
- TACACS+ Accounting—For more information about this report, see Accounting Logs.
- TACACS+ Administration—For more information about this report, see Accounting Logs.
- RADIUS Accounting—For more information about this report, see Accounting Logs.
- VoIP Accounting—For more information about this report, see Accounting Logs.
- Passed Authentications—For more information about this report, see Accounting Logs.
- Failed Attempts—For more information about this report, see Accounting Logs.
- Logged-in Users—For more information about this report, see Dynamic Administration Reports.
- Purge of Logged-in Users—For more information about this feature, see Deleting Logged-in Users.
- Disabled Accounts—For more information about this report, see Dynamic Administration Reports.
- ACS Backup and Restore—For more information about this report, see Dynamic Administration Reports.
- DB Replication—For more information about this report, see Dynamic Administration Reports.
- RDBMS Synchronization—For more information about this report, see Dynamic Administration Reports.
- Administration Audit—For more information about this report, see Dynamic Administration Reports.
- ACS Service Monitor—For more information about this report, see Dynamic Administration Reports.
- User Change Password—For more information about this report, see Dynamic Administration Reports.
Adding an Administrator Account
For descriptions of the options available while adding an administrator account, see Administrator Privileges.
To add a Cisco Secure ACS administrator account, follow these steps:
Step 1 In the navigation bar, click Administration Control.
Step 2 Click Add Administrator.
Result: The Add Administrator page appears.
Step 3 Complete the boxes in the Administrator Details table:
a. In the Administrator Name box, type the login name (up to 32 characters) for the new Cisco Secure ACS administrator account.
b. In the Password box, type the password (up to 32 characters) for the new Cisco Secure ACS administrator account.
c. In the Confirm Password box, type the password a second time.
Step 4 To select all privileges, including user group editing privileges for all user groups, click Grant All.
Result: All privileges options are selected. All user groups move to the Editable groups list.
 |
Tip To clear all privileges, including user group editing privileges for all user groups, click Revoke All. |
Step 5 To grant user and user group editing privileges, follow these steps:
a. Select the desired check boxes under User & Group Setup.
b. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).
Result: The selected group moves to the Editable groups list.
c. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (left arrow button).
Result: The selected group moves to the Available groups list.
Result: The user groups in the Available groups list move to the Editable groups list.
Result: The user groups in the Editable groups list move to the Available groups list.
Step 6 To grant any of the remaining privilege options, in the Administrator Privileges table, select the applicable check boxes.
Step 7 Click Submit.
Result: Cisco Secure ACS saves the new administrator account. The new account appears in the list of administrator accounts on the Administration Control page.
Editing an Administrator Account
You can edit a Cisco Secure ACS administrator account to change the privileges granted to the administrator. You can effectively disable an administrator account by revoking all privileges.
|
Note You cannot change the name of an administrator account; however, you can delete an administrator account and then create an account with the new name. For information about deleting an administrator account, see Deleting an Administrator Account. For information about creating an administrator account, see Adding an Administrator Account. |
For information about the administrative privilege options, see Administrator Privileges.
For descriptions of the options available while editing an administrator account, see Administrator Privileges.
To edit Cisco Secure ACS administrator account privileges, follow these steps:
Step 1 In the navigation bar, click Administration Control.
Result: Cisco Secure ACS displays the Administration Control page.
Step 2 Click the name of the administrator account whose privileges you want to edit.
Result: The Edit Administrator name page appears, where name is the name of the administrator account you just selected.
Step 3 To change the administrator password, follow these steps:
a. In the Password box, double-click the asterisks, and then type the new password (up to 32 characters) for the administrator.
Result: The new password replaces the existing, masked password.
b. In the Confirm Password box, double-click the asterisks, and then type the new administrator password a second time.
Result: The new password is effective immediately after you click Submit in Step 9.
Step 4 If the Reset current failed attempts count check box appears below the Confirm Password box and you want to allow the administrator whose account you are editing to access the Cisco Secure ACS HTML interface, select the Reset current failed attempts count check box.
|
Note If the Reset current failed attempts count check box appears below the Confirm Password box, the administrator cannot access Cisco Secure ACS unless you complete Step 4. For more information about re-enabling an administrator account, see Unlocking a Locked Out Administrator Account. |
Step 5 To select all privileges, including user group editing privileges for all user groups, click Grant All.
Result: All privileges options are selected. All user groups move to the Editable groups list.
Step 6 To clear all privileges, including user group editing privileges for all user groups, click Revoke All.
Result: All privileges options are cleared. All user groups move to the Available groups list.
Step 7 To grant user and user group editing privileges, follow these steps:
a. Under User & Group Setup, select the applicable check boxes.
b. To move all user groups to the Editable groups list, click >>.
Result: The user groups in the Available groups list move to the Editable groups list.
c. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).
Result: The selected group moves to the Editable groups list.
Result: The user groups in the Editable groups list move to the Available groups list.
e. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <— (left arrow button).
Result: The selected group moves to the Available groups list.
Step 8 To grant any remaining privilege options, select the applicable check boxes in the Administrator Privileges table.
Step 9 To revoke any remaining privilege options, clear the applicable check boxes in the Administrator Privileges table.
Step 10 Click Submit.
Result: Cisco Secure ACS saves the changes to the administrator account.
Unlocking a Locked Out Administrator Account
Cisco Secure ACS disables the accounts of administrators who have attempted to access the Cisco Secure ACS HTML interface and have provided an incorrect password in more successive attempts than is specified in on the Session Policy Setup page. Until the failed attempts counter for a disabled administrator account is reset, the administrator cannot access the HTML interface.
For more information about configuring how many successive failed login attempts can occur before Cisco Secure ACS disables an administrator account, see Session Policy.
To reset the failed attempts count for an administrator, follow these steps:
Step 1 In the navigation bar, click Administration Control.
Result: Cisco Secure ACS displays the Administration Control page.
Step 2 Click the name of the administrator account whose account you want to re-enable.
Result: The Edit Administrator name page appears, where name is the name of the administrator account you just selected.
If the Reset current failed attempts count check box appears below the Confirm Password box, the administrator account cannot access the HTML interface.
Step 3 Select the Reset current failed attempts count check box.
Step 4 Click Submit.
Result: Cisco Secure ACS saves the changes to the administrator account.
Deleting an Administrator Account
You can delete a Cisco Secure ACS administrator account when you no longer need it. We recommend deleting any unused administrator accounts.
To delete a Cisco Secure ACS administrator account, follow these steps:
Step 1 In the navigation bar, click Administration Control.
Result: Cisco Secure ACS displays the Administration Control page.
Step 2 In the Administrators table, click the name of the administrator account that you want to delete.
Result: The Edit Administrator name page appears, where name is the name of the administrator account you just selected.
Step 3 Click Delete.
Result: Cisco Secure ACS displays a confirmation dialog box.
Step 4 Click OK.
Result: Cisco Secure ACS deletes the administrator account. The Administrators table on the Administration Control page no longer lists administrator account that you deleted.
Access Policy
The Access Policy feature affects access to the Cisco Secure ACS HTML interface. You can limit access by IP address and by the TCP port range used for administrative sessions. You can also enable secure socket layer (SSL) for access to the HTML interface.
This section contains the following topics:
Access Policy Options
You can configure the following options on the Access Policy Setup page:
- IP Address Filtering—Contains the following IP address filtering options:
-
- Allow all IP addresses to connect—Allow access to the HTML interface from any IP address.
- Allow only listed IP addresses to connect—Allow access to the HTML interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table.
- Reject connections from listed IP addresses—Allow access to the HTML interface only from IP addresses outside the address range(s) specified in the IP Address Ranges table.
- IP Address Ranges—The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, the range includes the start and end IP addresses. The IP addresses entered to define a range must differ only in the last octet (Class C format).
The IP Address Ranges table contains one column of each of the following boxes:
- HTTP Port Allocation—Contains the following options for configuring TCP ports used for remote access to the HTML interface.
-
- Allow any TCP ports to be used for Administration HTTP Access—Allow the ports used by administrative HTTP sessions to include the full range of TCP ports.
- Restrict Administration Sessions to the following port range From Port X to Port Y—Restrict the ports used by administrative HTTP sessions to the range specified in the X and Y boxes, inclusive. The size of the range specified determines the maximum number of concurrent administrative sessions.
Cisco Secure ACS uses port 2002 to start all administrative sessions. You do not need to include port 2002 in the port range. Also, Cisco Secure ACS does not allow you to define an HTTP port range that consists only of port 2002. Your port range must consist of at least one port other than port 2002.
A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a web browser must access to initiate an administrative session.
|
Note We do not recommend allowing administration of Cisco Secure ACS from outside a firewall. If you do choose to allow access to the HTML interface from outside a firewall, keep the HTTP port range as narrow as possible. This can help prevent accidental discovery of an active administrative port by unauthorized users. An unauthorized user would have to impersonate, or "spoof," the IP address of a legitimate host to make use of the active administrative session HTTP port. |
- Secure Socket Layer Setup—The Use HTTPS Transport for Administration Access check box defines whether Cisco Secure ACS uses secure socket layer protocol to encrypt HTTP traffic between the CSAdmin service and a web browser used to access the HTML interface. When this option is enabled, HTTP traffic sending the Cisco Secure ACS logon page is not encrypted. After the administrator logs in, all subsequent communication is encrypted with SSL, as reflected by the URLs, which begin with HTTPS. Additionally, most browsers include an indicator for when a connection is SSL-encrypted.
|
Note Administrator credentials are always encrypted at login. Cisco Secure ACS never sends administrator login credentials in clear text. |
To enable SSL, you must have completed the steps in Installing a Cisco Secure ACS Server Certificate, and Adding a Certificate Authority Certificate.
Setting Up Access Policy
For information about access policy options, see Access Policy Options.
To set up Cisco Secure ACS Access Policy, follow these steps:
Step 1 In the navigation bar, click Administration Control.
Result: Cisco Secure ACS displays the Administration Control page.
Step 2 Click Access Policy.
Result: The Access Policy Setup page appears.
Step 3 To allow remote access to the HTML interface from any IP address, in the IP Address Filtering table, select the Allow all IP addresses to connect option.
Step 4 To allow remote access to the HTML interface only from IP addresses within a range or ranges of IP addresses, follow these steps:
a. In the IP Address Filtering table, select the Allow only listed IP addresses to connect option.
b. For each IP address range from within which you want to allow remote access to the HTML interface, complete one row of the IP Address Ranges table. In the Start IP Address box, type the lowest IP address (up to 16 characters) in the range. In the End IP Address box, type the highest IP address (up to 16 characters) in the range. Use dotted decimal format.
Step 5 To allow remote access to the HTML interface only from IP addresses outside a range or ranges of IP addresses, follow these steps:
a. In the IP Address Filtering table, select the Reject connections from listed IP addresses option.
b. For each IP address range from outside which you want to allow remote access to the HTML interface, complete one row of the IP Address Ranges table. Type the lowest IP address (up to 16 characters) in the range in the Start IP Address box. Type the highest IP address (up to 16 characters) in the range in the End IP Address box.
Step 6 If you want to allow Cisco Secure ACS to use any valid TCP port for administrative sessions, either local or remote, under HTTP Port Allocation, select the Allow any TCP ports to be used for Administration HTTP Access option.
Step 7 If you want to allow Cisco Secure ACS to use only a specified range of TCP ports for administrative sessions, follow these steps:
a. Under HTTP Port Allocation, select the Restrict Administration Sessions to the following port range From Port X to Port Y option.
b. In the X box type the lowest TCP port (up to 5 characters) in the range.
c. In the Y box type the highest TCP port (up to 5 characters) in the range.
Step 8 If you want to enable SSL encryption of administrator access to the HTML interface, under Secure Socket Layer Setup, select the Use HTTPS Transport for Administration Access check box.
|
Note To enable SSL, you must have completed the steps in Installing a Cisco Secure ACS Server Certificate, and Adding a Certificate Authority Certificate. |
Step 9 Click Submit.
Result: Cisco Secure ACS saves and begins enforcing the access policy settings.
If you have enabled SSL, at the next administrator login, Cisco Secure ACS begins using HTTPS. Any current administrator sessions are unaffected.
Session Policy
The Session Policy feature controls various aspects of Cisco Secure ACS administrative sessions. This section contains the following topics:
Session Policy Options
You can configure the following options on the Session Policy Setup page:
- Session idle timeout (minutes)—Defines the time in minutes that an administrative session, local or remote, must remain idle before Cisco Secure ACS terminates the connection. This parameter applies to the Cisco Secure ACS administrative session in the browser only. It does not apply to an administrative dial-up session.
An administrator whose administrative session is terminated receives a dialog box asking whether or not the administrator wants to continue. If the administrator chooses to continue, Cisco Secure ACS starts a new administrative session.
- Allow Automatic Local Login—Enables administrators to start an administrative session without logging in if they are using a browser on the computer running Cisco Secure ACS. Such administrative sessions are conducted using a default administrator account named "local_login". The local_login administrator account has all privileges. Local administrative sessions with automatic local login are recorded in the Administrative Audit report under the local_login administrator name.
- Respond to Invalid IP Address Connections—Enables an error message in response to attempts to start a remote administrative session using an IP address that is invalid according to the IP address ranges configured in Access Policy. Disabling this option can help prevent unauthorized users from discovering your Cisco Secure ACS server.
- Lock out Administrator after X successive failed attempts—Enables Cisco Secure ACS to lock out an administrator after a number of successive failed attempts to log in to the HTML interface. The number of successive attempts is specified in the X box. If this check box is selected, the X box cannot be set to zero. If this check box is not selected, Cisco Secure ACS allows unlimited successive failed login attempts by an administrator.
|
Note If there are no administrator accounts defined, no administrator name and password is required to access Cisco Secure ACS locally. This prevents you from accidentally locking yourself out of Cisco Secure ACS. |
Setting Up Session Policy
For information about session policy options, see Session Policy Options.
To setup Cisco Secure ACS Session Policy, follow these steps:
Step 1 In the navigation bar, click Administration Control.
Result: Cisco Secure ACS displays the Administration Control page.
Step 2 Click Session Policy.
Result: The Session Policy Setup page appears.
Step 3 To define the number of minutes of inactivity after which Cisco Secure ACS ends an administrative session, in the Session idle timeout (minutes) box, type the number of minutes (up to 4 characters).
Step 4 Set the automatic local login policy:
a. To allow administrators to log in to Cisco Secure ACS locally without using their administrator names and passwords, select the Allow Automatic Local Login check box.
b. To require administrators to log in to Cisco Secure ACS locally using their administrator names and passwords, clear the Allow Automatic Local Login check box.
Step 5 Set the invalid IP address response policy:
a. To configure Cisco Secure ACS to respond with a message when an administrative session is requested from an invalid IP address, select the Respond to invalid IP address connections check box.
b. To configure Cisco Secure ACS to send no message when an administrative session is requested from an invalid IP address, clear the Respond to invalid IP address connections check box.
Step 6 Set the failed administrative login attempts policy:
a. To enable Cisco Secure ACS to lock out an administrator after a specified number of successive failed administrative login attempts, select the Lock out Administrator after X successive failed attempts check box.
b. In the X box, type how many successive failed login attempts can occur before Cisco Secure ACS locks out an administrator.
|
Note If the Lock out Administrator after X successive failed attempts check box is selected, the X box cannot be set to zero and cannot exceed 4 characters. |
Step 7 Click Submit.
Result: Cisco Secure ACS saves and begins enforcing the session policy settings you made.
Audit Policy
The Audit Policy feature controls the generation of the Administrative Audit log.
For more information about enabling, viewing, or configuring the Administrative Audit log, see Cisco Secure ACS System Logs.