-
User Guide for Cisco Secure ACS Windows Server 3.1
-
Preface
-
Overview of Cisco Secure ACS
-
Deploying Cisco Secure ACS
-
Setting Up the Cisco Secure ACS HTML Interface
-
Setting Up and Managing Network Configuration
-
Setting Up and Managing Shared Profile Components
-
Setting Up and Managing User Groups
-
Setting Up and Managing User Accounts
-
Establishing Cisco Secure ACS System Configuration
-
Working with Logging and Reports
-
Setting Up and Managing Administrators and Policy
-
Working with User Databases
-
Administering External User Databases
-
Troubleshooting Information for Cisco Secure ACS
-
TACACS+ Attribute-Value Pairs
-
RADIUS Attributes
-
Cisco Secure ACS Command-Line Database Utility
-
Cisco Secure ACS and Virtual Private Dial-up Networks
-
RDBMS Synchronization Import Definitions
-
Cisco Secure ACS Internal Architecture
-
Table of Contents
Setting Up and Managing User AccountsUser Setup Features and Functions
About User Databases
Basic User Setup Options
Setting Supplementary User Information
Setting a Separate CHAP/MS-CHAP/ARAP Password
Assigning a User to a Group
Setting User Callback Option
Assigning a User to a Client IP Address
Setting Network Access Restrictions for a User
Setting Max Sessions Options for a User
Setting User Usage Quotas Options
Setting Options for User Account Disablement
Assigning a PIX ACL to a User
Configuring TACACS+ Settings for a User
Configuring a Shell Command Authorization Set for a User
Configuring a PIX Command Authorization Set for a User
Configuring Device Management Command Authorization for a User
Configuring the Unknown Service Setting for a User
Advanced TACACS+ Settings (User)
Setting TACACS+ Enable Password Options for a User
Setting TACACS+ Outbound Password for a User
Setting Cisco IOS/PIX RADIUS Parameters for a User
Setting Cisco Aironet RADIUS Parameters for a User
Setting Ascend RADIUS Parameters for a User
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User
Setting Microsoft RADIUS Parameters for a User
Setting Nortel RADIUS Parameters for a User
Setting Juniper RADIUS Parameters for a User
Setting BBSM RADIUS Parameters for a User
Setting Custom RADIUS Attributes for a User
Finding a User
Disabling a User Account
Deleting a User Account
Resetting User Session Quota Counters
Resetting a User Account after Login Failure
Saving User Settings
Setting Up and Managing User Accounts
This chapter provides information about setting up and managing user accounts in Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1.
 |
Note Settings at the user level override settings configured at the group level. |
Before you configure User Setup, you should understand how this section functions. Cisco Secure ACS dynamically builds the User Setup section interface depending on the configuration of your AAA client and the security protocols being used. That is, what you see under User Setup is affected by both your system configuration and your settings in the Interface Configuration section.
This chapter contains the following sections:
- User Setup Features and Functions—An overview of the User Setup section functionality.
- About User Databases—Information about user databases.
- Basic User Setup Options—Information and step-by-step procedures regarding the many basic settings and options that are available when configuring a user account in the Cisco Secure ACS.
- Advanced User Authentication Settings—Details on the steps necessary to configure a user account for authentication outside the system using the TACACS+ or RADIUS protocol options.
- User Management—Information about viewing, disabling, and resetting user accounts.
User Setup Features and Functions
The User Setup section of the Cisco Secure ACS HTML interface is the centralized location for all operations regarding user account configuration and administration.
From within the User Setup section, you can perform the following tasks:
- View a list of all users in the CiscoSecure user database
- Find a user
- Add a user
- Assign the user to a group, including Voice over IP (VoIP) Groups
- Edit user account information
- Establish or change user authentication type
- Configure callback information for the user
- Set network access restrictions (NARs) for the user
- Configure Advanced Settings
- Set the maximum number of concurrent sessions (Max Sessions) for the user
- Disable or re-enable the user account
- Delete the user
About User Databases
Cisco Secure ACS authenticates users against one of several possible databases, including its CiscoSecure user database. Regardless of which database you configure Cisco Secure ACS to use when authenticating a user, all users have accounts within the CiscoSecure user database, and authorization of users is always performed against the user records in the CiscoSecure user database. The following list details the basic user databases used and provides links to greater details on each:
- CiscoSecure user database—Authenticates a user from the local CiscoSecure user database. For more information, see CiscoSecure User Database.
 |
Tip The following authentication types appear in the HTML interface only when the corresponding external user database has been configured in the Database Configuration area of the External User Databases section. |
- Windows NT/2000—Authenticates a user with an existing account in the Windows NT/2000 user database located in the local domain or in domains configured in the Windows NT/2000 user database. For more information, see Windows NT/2000 User Database.
- Generic LDAP—Authenticates a user from a Generic LDAP external user database. For more information, see Generic LDAP.
- Novell NDS—Authenticates a user using Novell NetWare Directory Services (NDS). For more information, see Novell NDS Database.
- ODBC Database—Authenticates a user from an Open Database Connectivity-compliant database server. For more information, see ODBC Database.
- LEAP Proxy RADIUS Server Database—Authenticates a user from an LEAP Proxy RADIUS server. For more information, see "LEAP Proxy RADIUS Server Database" section.
- Token Server—Authenticates a user from a token server database. Cisco Secure ACS supports the use of a variety of token servers for the increased security provided by one-time passwords. For more information, see Token Server User Databases
Basic User Setup Options
This section presents the basic activities you perform when configuring a new user. At its most basic level, configuring a new user requires only three steps, as follows:
For detailed procedural information, see Adding a Basic User Account.
What other procedures you perform when setting up new user accounts is a function both of the complexity of your network and of the granularity of control you desire. The other basic procedures detailed in this section include the following:
- Setting Supplementary User Information
- Setting a Separate CHAP/MS-CHAP/ARAP Password
- Assigning a User to a Group
- Setting User Callback Option
- Assigning a User to a Client IP Address
- Setting Network Access Restrictions for a User
- Setting Max Sessions Options for a User
- Setting User Usage Quotas Options
- Setting Options for User Account Disablement
- Assigning a PIX ACL to a User
Beyond these basic user setup options, there are also procedures for configuring a user account for authentication via TACACS+ and RADIUS; these procedures are located in Advanced User Authentication Settings.
|
Note The steps for editing user account settings are essentially identical to those used when adding a user account but, to edit, you navigate directly to the field or fields to be changed. You cannot edit the name associated with a user account; to change a username you must delete the user account and establish another. |
Bear in mind two things when setting up new user accounts:
Adding a Basic User Account
This procedure details the minimum steps necessary to add a new user account to the CiscoSecure user database.
To add a user account, follow these steps:
Step 1 In the navigation bar, click User Setup.
Result: The User Setup Select page opens.
Step 2 Type a name in the User box.
|
Note The username can contain up to 32 characters. Names cannot contain the following special characters: # ? " * > < Leading and trailing spaces are not allowed. |
Step 3 Click Add/Edit.
Result: The User Setup Edit page opens. The username being added is at the top of the page.
Step 4 Ensure that the Account Disabled check box is cleared.
|
Note Alternatively, you can select the Account Disabled check box to create a user account that is disabled, and enable the account at another time. |
Step 5 Under Password Authentication in the User Setup table, select the applicable authentication type from the list.
|
Tip The authentication types that appear reflect the databases that you have configured in the Database Configuration area of the External User Databases section. |
Step 6 Specify a single CiscoSecure PAP password by typing it in the first set of Password and Confirm Password boxes.
|
Tip The CiscoSecure PAP password is also used for CHAP/MS-CHAP/ARAP if the Separate CHAP/MS-CHAP/ARAP check box is not selected. |
|
Tip You can configure the AAA client to ask for a PAP password first and then a CHAP or MS-CHAP password so that when users dial in using a PAP password, they will authenticate. For example, the following line in the AAA client configuration file causes the AAA client to enable CHAP after PAP: ppp authentication pap chap |
Step 7 Do one of the following:
|
Tip For lengthy account configurations, you can click Submit before continuing. This will prevent loss of information you have already entered if an unforeseen problem occurs. |
Setting Supplementary User Information
Supplementary User Information can contain up to five fields that you configure. The default configuration includes two fields: Real Name and Description.
For information about how to display and configure these optional fields, see User Data Configuration Options.
To enter optional information into the Supplementary User Information table, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Complete each box that appears in the Supplementary User Info table.
Step 3 Do one of the following:
Setting a Separate CHAP/MS-CHAP/ARAP Password
Setting a separate CHAP/MS-CHAP/ARAP password adds more security to Cisco Secure ACS authentication. However, you must have a AAA client configured to support the separate password.
To allow the user to authenticate using a CHAP, MS-CHAP, or ARAP password, instead of the PAP password in the CiscoSecure user database, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Select the Separate CHAP/MS-CHAP/ARAP check box in the User Setup table.
Step 3 Specify the CHAP/MS-CHAP/ARAP password to be used by typing it in each of the second set of Password/Confirm boxes under the Separate (CHAP/MS-CHAP/ARAP) check box.
|
Note These Password and Confirm Password boxes are only required for authentication by the Cisco Secure ACS database. Additionally, if a user is assigned to a VoIP (null password) group, and the optional password is also included in the user profile, the password is not used until the user is re-mapped to a non-VoIP group. |
Step 4 Do one of the following:
Assigning a User to a Group
A user can only belong to one group in Cisco Secure ACS. The user inherits the attributes and operations assigned to his or her group. However, in the case of conflicting settings, the settings at the user level override the settings configured at the group level.
By default, users are assigned to the Default Group. Users who authenticate via the Unknown User method and who are not mapped to an existing Cisco Secure ACS group are also assigned to the Default Group.
Alternatively, you can choose not to map a user to a particular group, but rather, to have the group mapped by an external authenticator. For external user databases from which Cisco Secure ACS can derive group information, you can associate the group memberships—defined for the users in the external user database—to specific Cisco Secure ACS groups. For more information, see Database Group Mappings.
To assign a user to a group, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
Step 2 From the Group to which user is assigned list in the User Setup table, select the group to which you want to assign the user.
|
Tip Alternatively, you can scroll up in the list to select the Mapped By External Authenticator option. |
Step 3 Do one of the following:
Setting User Callback Option
Callback is a command string that is passed to the access server. You can use a callback string to initiate a modem to call the user back on a specific number for added security or reversal of line charges.
To set the user callback option, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited appears at the top of the page.
Step 2 Under Callback in the User Setup table, select the applicable option. Choices include the following:
- Dialup client specifies callback number—Select to enable the Windows 95/98/ME or Windows NT/2000 dialup client to specify the callback number.
- Use Microsoft NT/2000 callback settings—Select to use the settings specified for Windows NT/2000 callback. If a Windows account for a user resides in a remote domain, the domain in which Cisco Secure ACS resides must have a two-way trust with that domain for the Microsoft NT/2000 callback settings to operate for that user.
Step 3 Do one of the following:
Assigning a User to a Client IP Address
To assign a user to a client IP address, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Under Client IP Address Assignment in the User Setup table, select the applicable option. Choices include the following:
- Use group settings—Select this option to use the IP address group assignment.
- No IP address assignment—Select this option to override the group setting if you do not want an IP address returned by the client.
- Assigned by dialup client—Select this option to use the IP address dialup client assignment.
- Assign static IP address—Select this option and type the IP address in the box (up to 15 characters), if a specific IP address should be used for this user.
|
Note If the IP address is being assigned from a pool of IP addresses or by the dialup client, leave the Assign IP address box blank. |
- Assigned by AAA client pool—Select this option and type the AAA client IP pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA client.
- Assigned from AAA pool—Select this option and type the applicable pool name in the box, if this user is to have the IP address assigned by an IP address pool configured on the AAA server. Select the AAA server IP pool name from the Available Pools list, and then click --> (right arrow button) to move the name into the Selected Pools list. If there is more than one pool in the Selected Pools list, the users in this group are assigned to the first available pool in the order listed. To move the position of a pool in the list, select the pool name and click Up or Down until the pool is in the position you want.
Step 3 Do one of the following:
Setting Network Access Restrictions for a User
The Network Access Restrictions table in the Advanced Settings area of User Setup enables you to set NARs in three distinct ways:
- Apply existing shared NARs by name.
- Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on a AAA client when an IP connection has been established.
- Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS used.
|
Note You can also use the CLI/DNIS-based access restrictions area to specify other values. For more information, see About Network Access Restrictions. |
Typically, you define (shared) NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user. For more information, see Shared Network Access Restrictions Configuration. You must have selected the User-Level Shared Network Access Restriction check box on the Advanced Options page of the Interface Configuration section for this set of options to appear in the Cisco Secure ACS HTML interface.
However, Cisco Secure ACS also enables you to define and apply a NAR for a single user from within the User Setup section. You must have enabled the User-Level Network Access Restriction setting under the Advanced Options page of the Interface Configuration section for single user IP-based filter options and single user CLI/DNIS-based filter options to appear in the Cisco Secure ACS HTML interface.
|
Note When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client. |
To set NARs for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 To apply a previously configured shared NAR to this user, follow these steps:
|
Note To apply a shared NAR, you must have configured it under Network Access Restrictions in the Shared Profile Components section. For more information, see Shared Network Access Restrictions Configuration. |
a. Select the Only Allow network access when check box.
b. To specify whether one or all shared NARs must apply for the user to be permitted access, select one of the following two options, as applicable:
c. Select a shared NAR name in the NARs list, and then click —> (right arrow button) to move the name into the Selected NARs list.
|
Tip To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR, as applicable. |
Step 3 To define and apply a NAR, for this particular user, that permits or denies this user access based on IP address, or IP address and port, follow these steps:
|
Tip You should define most NARs from within the Shared Components section so that they can be applied to more than one group or user. For more information, see Shared Network Access Restrictions Configuration. |
a. In the Network Access Restrictions table, under Per User Defined Network Access Restrictions, select the Define IP-based access restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied IP addresses, from the Table Defines list, select one of the following:
c. Select or enter the information in the following boxes:
- AAA Client—Select All AAA Clients, or the name of a network device group (NDG), or the name of the individual AAA client, to which to permit or deny access.
- Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.
- Address—Type the IP address or addresses to use when performing access restrictions. You can type multiple entries separated by a comma or use the wildcard asterisk (*).
Result: The specified AAA client, port, and address information appears in the table above the AAA Client list.
Step 4 To permit or deny this user access based on calling location or values other than an established IP address, follow these steps:
a. Select the Define CLI/DNIS based access restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following:
|
Note You must make an entry in each box. You can use the wildcard asterisk (*) for all or part of a value. The format you use must match the format of the string you receive from your AAA client. You can determine this format from your RADIUS Accounting Log. |
- AAA Client—Select All AAA Clients, or the name of the NDG, or the name of the individual AAA client, to which to permit or deny access.
- PORT—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports.
- CLI—Type the CLI number to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access based on part of the number.
|
Tip This is also the selection to use if you want to restrict access based on other values such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions. |
|
Tip This is also the selection to use if you want to restrict access based on other values such as a Cisco Aironet AP MAC address. For more information, see About Network Access Restrictions. |
Result: The information, specifying the AAA client, port, CLI, and DNIS appears in the table above the AAA Client list.
Step 5 Do one of the following:
Setting Max Sessions Options for a User
The Max Sessions feature enables you to set the maximum number of simultaneous connections permitted for this user. For Cisco Secure ACS purposes, a session is considered any type of user connection supported by RADIUS or TACACS+, for example PPP, or Telnet, or ARAP. Note, however, that accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session. All session counts are based on user and group names only. Cisco Secure ACS does not support any differentiation by type of session—all sessions are counted as the same. To illustrate, a user with a Max Session count of 1 who is dialed in to a AAA client with a PPP session will be refused a connection if that user then tries to Telnet to a location whose access is controlled by the same Cisco Secure ACS.
|
Note Each Cisco Secure ACS server holds its own Max Sessions counts. There is no mechanism for Cisco Secure ACS to share Max Sessions counts across multiple servers. Therefore, if two Cisco Secure ACS servers are set up as a mirror pair with the workload distributed between them, they will have completely independent views of the Max Sessions totals. |
|
Tip If the Max Sessions table does not appear, click Interface Configuration, click Advanced Options, and then select the Max Sessions check box. |
To set max sessions options for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 In the Max Sessions table, under Sessions available to user, select one of the following three options:
|
Note User Max Sessions settings override the group Max Sessions settings. For example, if the group Sales has a Max Sessions value of only 10, but a user in the group Sales, John, has a User Max Sessions value of Unlimited, John is still allowed an unlimited number of sessions. |
Step 3 Do one of the following:
Setting User Usage Quotas Options
You can define usage quotas for individual users. You can limit users in one or both of two ways:
For Cisco Secure ACS purposes, a session is considered any type of user connection supported by RADIUS or TACACS+, for example PPP, or Telnet, or ARAP. Note, however, that accounting must be enabled on the AAA client for Cisco Secure ACS to be aware of a session. If you make no selections in the Session Quotas section for an individual user, Cisco Secure ACS applies the session quotas of the group to which the user is assigned.
|
Note If the User Usage Quotas feature does not appear, click Interface Configuration, click Advanced Options, and then select the Usage Quotas check box. |
|
Tip The Current Usage table under the User Usage Quotas table on the User Setup Edit page displays usage statistics for the current user. The Current Usage table lists both online time and sessions used by the user, with columns for daily, weekly, monthly, and total usage. The Current Usage table appears only on user accounts that you have established; that is, it does not appear during initial user setup. |
For a user who has exceeded his quota, Cisco Secure ACS denies him access upon his next attempt to start a session. If a quota is exceeded during a session, Cisco Secure ACS allows the session to continue. If a user account has been disabled because the user has exceeded usage quotas, the User Setup Edit page displays a message stating that the account has been disabled for this reason.
You can reset the session quota counters on the User Setup page for a user. For more information about resetting usage quota counters, see Resetting User Session Quota Counters.
To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated only when the user logs off. If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the quota allocated to the user.
To set usage quota options for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 In the Usage Quotas table, select Use these settings.
Step 3 To define a usage quota based on duration of sessions for a user, follow these steps:
a. Select the Limit user to x hours of online time check box.
b. Type the number of hours (up to 10 characters) to which you want to limit the user in the Limit user to x hours of online time box. Use decimal values to indicate minutes. For example, a value of 10.5 would equal 10 hours and 30 minutes.
c. Select the period for which you want to enforce the time usage quota:
Step 4 To define usage quotas based on the number of sessions for a user, follow these steps:
a. Select the Limit user to x sessions check box.
b. Type the number of sessions (up to 10 characters) to which you want to limit the user in the Limit user to x sessions box.
c. Select the period for which you want to enforce the session usage quota:
Setting Options for User Account Disablement
The Account Disable feature defines the circumstances upon which a user account is disabled.
|
Note Do not confuse this feature with account expiration due to password aging. Password aging is defined for groups only, not for individual users. Also note that this feature is distinct from the Account Disabled check box. For instructions on how to disable a user account, see Disabling a User Account 7-55. |
|
Note If the user is authenticated with a Windows NT/2000 external user database, this expiration information is in addition to the information in the Windows NT/2000 user account. Changes here do not alter settings configured in Windows NT/2000. |
To set options for user account disablement, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Do one of the following:
b. Select the Disable account if option to disable the account under specific circumstances. Then, specify one or both of the circumstances under the following boxes:
Step 3 Do one of the following:
Assigning a PIX ACL to a User
The Downloadable ACLs feature enables you to assign a PIX Access Control List (ACL) at the user level. You must have established one or more PIX ACLs before attempting to assign one. For instructions on how to configure a downloadable PIX ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface, see Adding a Downloadable PIX ACL.
|
Note The Downloadable ACLs table does not appear if it has not been enabled. To enable the Downloadable ACLs table, click Interface Configuration, click Advanced Options, and then select the User-Level Downloadable ACLs check box. |
To assign a downloadable PIX ACL to a user account, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added and edited is at the top of the page.
Step 2 Under the Downloadable ACLs section, click the Assign PIX ACL: check box.
Step 3 Select a PIX ACL from the list.
Step 4 Do one of the following:
Advanced User Authentication Settings
This section presents the activities you perform to configure user-level TACACS+ and RADIUS enable parameters.
This section contains the following subsections:
TACACS+ Settings (User)
The TACACS+ Settings section permits you to enable and configure the service/protocol parameters to be applied for the authorization of a user. This section contains the following procedures:
Configuring TACACS+ Settings for a User
You can use this procedure to configure TACACS+ settings at the user level for the following service/protocols:
You can also enable any new TACACS+ services that you may have configured. Because having all service/protocol settings display within the User Setup section would be cumbersome, you choose what settings to hide or display at the user level when you configure the interface. For more information about setting up new or existing TACACS+ services in the Cisco Secure ACS HTML interface, see Protocol Configuration Options for TACACS+.
If you have configured Cisco Secure ACS to interact with a Cisco device-management application, new TACACS+ services may appear automatically, as needed to support the device-management application. For more information about Cisco Secure ACS interaction with device-management applications, see Support for Cisco Device-Management Applications.
For more information about attributes, see "TACACS+ Attribute-Value Pairs," or your AAA client documentation. For information on assigning a PIX ACL, see Assigning a PIX ACL to a User.
To configure TACACS+ settings for a user, follow these steps:
Step 1 Click Interface Configuration and then click TACACS+ (Cisco IOS). In the TACACS+ Services table, under the heading User, ensure that the check box is selected for each service/protocol you want to configure.
Step 2 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 3 Scroll down to the TACACS+ Settings table and select the bold service name check box to enable that protocol; for example (PPP IP).
Step 4 To enable specific parameters within the selected service, select the check box next to a specific parameter and then do one of the following, as applicable:
To specify ACLs and IP address pools, enter the name of the ACL or pool as defined on the AAA client. Leave the box blank if the default (as defined on the AAA client) should be used. For more information about attributes, see "TACACS+ Attribute-Value Pairs," or your AAA client documentation. For information on assigning a PIX ACL, see Assigning a PIX ACL to a User.
|
Tip An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network. |
Step 5 To employ custom attributes for a particular service, select the Custom attributes check box under that service, and then specify the attribute/value in the box below the check box.
Step 6 Do one of the following:
Configuring a Shell Command Authorization Set for a User
Use this procedure to specify the shell command authorization set parameters for a user. You can choose one of five options:
- None—There is no authorization for shell commands.
- Group—For this user, the group-level shell command authorization set applies.
- Assign a Shell Command Authorization Set for any network device—One shell command authorization set is assigned, and it applies all network devices.
- Assign a Shell Command Authorization Set on a per Network Device Group Basis—Particular shell command authorization sets are to be effective on particular NDGs. When you select this option, you create the table that lists what NDG associates with what shell command authorization set.
- Per User Command Authorization—Enables you to permit or deny specific Cisco IOS commands and arguments at the user level.
- Ensure that a AAA client has been configured to use TACACS+ as the security control protocol.
- In the Advanced Options section of Interface Configuration, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.
- In the TACACS+ (Cisco) section of Interface Configuration, ensure that the Shell (exec) option is selected in the User column.
- Ensure that you have already configured one or more shell command authorization sets. For detailed steps, see Command Authorization Sets Configuration.
To specify shell command authorization set parameters for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Scroll down to the TACACS+ Settings table and to the Shell Command Authorization Set feature area within it.
Step 3 To prevent the application of any shell command authorization set, select (or accept the default of) the None option.
Step 4 To assign the shell command authorization set at the group level, select the As Group option.
Step 5 To assign a particular shell command authorization set to be effective on any configured network device, follow these steps:
a. Select the Assign a Shell Command Authorization Set for any network device option.
b. Then, from the list directly below that option, select the shell command authorization set you want applied to this user.
Step 6 To create associations that assign a particular shell command authorization set to be effective on a particular NDG, for each association, follow these steps:
a. Select the Assign a Shell Command Authorization Set on a per Network Device Group Basis option.
|
Tip You can also select which command set applies to network device groups that are not listed simply by associating that command set with the NDG <default> listing. |
Result: The NDG or NDGs and associated shell command authorization set or sets appear paired in the table.
Step 7 To define the specific Cisco IOS commands and arguments to be permitted or denied for this user, follow these steps:
a. Select the Per User Command Authorization option.
b. Under Unmatched Cisco IOS commands, select either Permit or Deny.
If you select Permit, the user can issue all commands not specifically listed. If you select Deny, the user can issue only those commands listed.
c. To list particular commands to be permitted or denied, select the Command check box and then type the name of the command, define its arguments using standard permit or deny syntax, and select whether unlisted arguments are to be permitted or denied.
 |
Warning This is a powerful, advanced feature and should be used by an administrator skilled with Cisco IOS commands. Correct syntax is the responsibility of the administrator. For information on how Cisco Secure ACS uses pattern matching in command arguments, see About Pattern Matching. |
|
Tip To enter several commands, you must click Submit after specifying a command. A new command entry box appears below the box you just completed. |
Step 8 Do one of the following:
Configuring a PIX Command Authorization Set for a User
Use this procedure to specify the PIX command authorization set parameters for a user. There are four options:
- None—No authorization for PIX commands.
- Group—For this user, the group-level PIX command authorization set applies.
- Assign a PIX Command Authorization Set for any network device—One PIX command authorization set is assigned, and it applies to all network devices.
- Assign a PIX Command Authorization Set on a per Network Device Group Basis—Particular PIX command authorization sets are to be effective on particular NDGs.
- Ensure that a AAA client has been configured to use TACACS+ as the security control protocol.
- In the Advanced Options section of Interface Configuration, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.
- In the TACACS+ (Cisco) section of Interface Configuration, ensure that the PIX Shell (pixShell) option is selected in the User column.
- Ensure that you have already configured one or more PIX command authorization sets. For detailed steps, see Command Authorization Sets Configuration.
To specify PIX command authorization set parameters for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Scroll down to the TACACS+ Settings table and to the PIX Command Authorization Set feature area within it.
Step 3 To prevent the application of any PIX command authorization set, select (or accept the default of) the None option.
Step 4 To assign the PIX command authorization set at the group level, select the As Group option.
Step 5 To assign a particular PIX command authorization set to be effective on any configured network device, follow these steps:
a. Select the Assign a PIX Command Authorization Set for any network device option.
b. From the list directly below that option, select the PIX command authorization set you want applied to this user.
Step 6 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG, for each association, follow these steps:
a. Select the Assign a PIX Command Authorization Set on a per Network Device Group Basis option.
Result: The associated NDG and PIX command authorization set appear in the table.
Step 7 Do one of the following:
Configuring Device Management Command Authorization for a User
Use this procedure to specify the device management command authorization set parameters for a user. Device management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use Cisco Secure ACS for authorization. You can choose one of four options:
- None—No authorization is performed for commands issued in the applicable Cisco device-management application.
- Group—For this user, the group-level command authorization set applies for the applicable device-management application.
- Assign a device-management application for any network device—For the applicable device-management application, one command authorization set is assigned, and it applies to management tasks on all network devices.
- Assign a device-management application on a per Network Device Group Basis—For the applicable device-management application, this option enables you to apply command authorization sets to specific NDGs, so that it affects all management tasks on the network devices belonging to the NDG.
- Ensure that a AAA client has been configured to use TACACS+ as the security control protocol.
- In the Advanced Options section of Interface Configuration, ensure that the Per-user TACACS+/RADIUS Attributes check box is selected.
- In the TACACS+ (Cisco) section of Interface Configuration, ensure that, under New Services, the new TACACS+ service corresponding to the applicable device-management application is selected in the User column.
- If you want to apply command authorization sets, ensure that you have already configured one or more device management command authorization sets. For detailed steps, see Command Authorization Sets Configuration.
To specify device-management application command authorization for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Scroll down to the TACACS+ Settings table and to the applicable device-management command authorization feature area within it.
Step 3 To prevent the application of any command authorization for actions performed in the applicable device-management application, select (or accept the default of) the None option.
Step 4 To assign command authorization for the applicable device-management application at the group level, select the As Group option.
Step 5 To assign a particular command authorization set that affects device-management application actions on any network device, follow these steps:
a. Select the Assign a device-management application for any network device option.
b. Then, from the list directly below that option, select the command authorization set you want applied to this user.
Step 6 To create associations that assign a particular command authorization set that affects device-management application actions on a particular NDG, for each association, follow these steps:
a. Select the Assign a device-management application on a per Network Device Group Basis option.
b. Select a Device Group and an associated device-management application.
Result: The associated NDG and command authorization set appear in the table.
Step 7 Do one of the following:
Configuring the Unknown Service Setting for a User
If you want TACACS+ AAA clients to permit unknown services, you can select the Default (Undefined) Services check box under Checking this option will PERMIT all UNKNOWN Services.
To configure the Unknown Service setting for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Scroll down to the table under the heading Checking this option will PERMIT all UNKNOWN Services.
Step 3 To allow TACACS+ AAA clients to permit unknown services for this user, select the Default (Undefined) Services check box.
Step 4 Do one of the following:
Advanced TACACS+ Settings (User)
The information presented in this section applies when you have a AAA client with TACACS+ configured.
|
Tip If the Advanced TACACS+ Settings (User) table does not appear, click Interface Configuration, click TACACS+ (Cisco IOS), and then click Advanced TACACS+ Features. |
Details on configuring user options with the Advanced TACACS+ Settings are presented in the following three procedures:
Setting Enable Privilege Options for a User
You use TACACS+ Enable Control with Exec session to control administrator access. Typically, you use it for router management control. From the following four options, you can select and specify the privilege level you want a user to have.
- Max Privilege for any AAA Client—Enables you to select from a list the maximum privilege level that will apply to this user on any AAA client on which this user is authorized.
- Define Max Privilege on a per-Network Device Group Basis—Enables you to associate maximum privilege levels to this user in one or more NDGs.
|
Note For information about privilege levels, refer to your AAA client documentation. |
|
Tip You must configure NDGs from within Interface Configuration before you can assign user privilege levels to them. |
To select and specify the privilege level for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Under TACACS+ Enable Control in the Advanced TACACS+ Settings table, select one of the four privilege options, as follows:
|
Note (No Enable Privilege is the default setting; when setting up an new user account, it should already be selected.) |
Step 3 If you selected Max Privilege for Any Access Server in Step 2, select the appropriate privilege level from the corresponding list.
Step 4 If you selected Define Max Privilege on a per-Network Device Group Basis in Step 2, perform the following steps to define the privilege levels on each NDG, as applicable:
Result: An entry appears in the table, associating the device group with a particular privilege level.
|
Tip To delete an entry, select the entry and then click Remove Associate. |
Step 5 Do one of the following:
Setting TACACS+ Enable Password Options for a User
When setting the TACACS+ Enable Password Options for a user, you have three options to chose from:
To set the options for the TACACS+ Enable password, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Do one of the following:
|
Note The list of databases displays only the databases that you have configured. For more information, see About External User Databases. |
Step 3 Do one of the following:
Setting TACACS+ Outbound Password for a User
The TACACS+ outbound password enables a AAA client to authenticate itself to another AAA client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP, and results in the Cisco Secure ACS password being given out. By default, the user ASCII/PAP or CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound passwords, you can configure a separate SENDAUTH password.
 |
Caution Use an outbound password only if you are familiar with the use of a TACACS+ SendAuth/OutBound password. |
To set a TACACS+ outbound password for a user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Type and retype to confirm a TACACS+ outbound password for this user.
Step 3 Do one of the following:
RADIUS Attributes
You can configure user attributes for RADIUS authentication either generally, at the IETF level, or for vendor-specific attributes (VSAs) on a vendor-by-vendor basis. For general attributes, see Setting IETF RADIUS Parameters for a User. Cisco Secure ACS ships with many popular VSAs already loaded and available to configure and apply. For information about creating additional, custom RADIUS VSAs, see Custom RADIUS Vendors and VSAs.
To configure the VSA for one of the RADIUS network device vendors supported by Cisco Secure ACS, refer to the appropriate procedure as follows:
- Setting Cisco IOS/PIX RADIUS Parameters for a User
- Setting Cisco Aironet RADIUS Parameters for a User
- Setting Ascend RADIUS Parameters for a User
- Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User
- Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User
- Setting Microsoft RADIUS Parameters for a User
- Setting Nortel RADIUS Parameters for a User
- Setting Juniper RADIUS Parameters for a User
- Setting BBSM RADIUS Parameters for a User
To configure custom VSAs, see Setting Custom RADIUS Attributes for a User.
Setting IETF RADIUS Parameters for a User
RADIUS attributes are sent as a profile for the user from Cisco Secure ACS to the requesting AAA client.
These parameters display only if all the following are true:
- A AAA client has been configured to use one of the RADIUS protocols in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level IETF RADIUS attributes have been enabled under RADIUS (IETF) in the Interface Configuration section.
|
Note To display or hide any of these attributes in the HTML interface, see Protocol Configuration Options for RADIUS. |
|
Note For a list and explanation of RADIUS attributes, see "RADIUS Attributes," or the documentation for your particular network device using RADIUS. |
To configure IETF RADIUS attribute settings to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 In the IETF RADIUS table, for each attribute that you need to authorize for the current user, select the check box next to the attribute and then further define the authorization for the attribute in the box or boxes next to it, as applicable.
Step 3 Do one of the following:
Setting Cisco IOS/PIX RADIUS Parameters for a User
The Cisco IOS RADIUS parameters appear only if all the following are true:
- A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (Cisco IOS/PIX) attributes have been enabled under RADIUS (Cisco IOS/PIX) in the Interface Configuration section.
|
Note To hide or display the Cisco IOS RADIUS VSA, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
Cisco IOS RADIUS represents only the Cisco IOS VSAs. You must configure both the IETF RADIUS and Cisco IOS RADIUS attributes.
To configure and enable Cisco IOS RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Cisco IOS RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Cisco IOS/PIX RADIUS Attributes table, to specify the attributes to be authorized for the user, follow these steps:
a. Select the [009\001] cisco-av-pair attribute check box.
b. Type the commands (such as TACACS+ commands) to be packed as a RADIUS VSA.
Step 4 Do one of the following:
Setting Cisco Aironet RADIUS Parameters for a User
The Cisco Aironet RADIUS parameters appear only if all the following are true:
- A AAA client has been configured to use RADIUS (Cisco Aironet) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (Cisco Aironet) attribute has been enabled under RADIUS (Cisco Aironet) in the Interface Configuration section.
The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a specialized implementation of the IETF RADIUS Session-Timeout attribute (27). When Cisco Secure ACS responds to an authentication request from a Cisco Aironet Access Point and the Cisco-Aironet-Session-Timeout attribute is configured, Cisco Secure ACS sends to the wireless device this value in the IETF Session-Timeout attribute. This enables you to provide different session timeout values for wireless and wired end-user clients.
|
Note To hide or display the Cisco Aironet RADIUS VSA, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable the Cisco Aironet RADIUS attribute to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Cisco Aironet RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Cisco Aironet RADIUS Attributes table, select the [5842\001] Cisco-Aironet-Session-Timeout check box.
Step 4 In the [5842\001] Cisco-Aironet-Session-Timeout box, type the session timeout value (in seconds) that Cisco Secure ACS is to send in the IETF RADIUS Session-Timeout (27) attribute when the AAA client is configured in Network Configuration to use the RADIUS (Cisco Aironet) authentication option. The recommended value is 600 seconds.
For more information about the IETF RADIUS Session-Timeout attribute, see "RADIUS Attributes," or your AAA client documentation.
Step 5 Do one of the following:
Setting Ascend RADIUS Parameters for a User
The Ascend RADIUS parameters appear only if all the following are true:
- A AAA client has been configured to use RADIUS (Ascend) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (Ascend) attributes you want to apply have been enabled under RADIUS (Ascend) in the Interface Configuration section.
Ascend RADIUS represents only the Ascend proprietary attributes. You must configure both the IETF RADIUS and Ascend RADIUS attributes. Proprietary attributes override IETF attributes.
The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.
|
Note To hide or display Ascend RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable Ascend RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Ascend RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Ascend RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
Step 4 Do one of the following:
Setting Cisco VPN 3000 Concentrator RADIUS Parameters for a User
The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only if all the following are true:
- A AAA client has been configured to use RADIUS (Cisco VPN 3000) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (Cisco VPN 3000) attributes you want to apply have been enabled under RADIUS (Cisco VPN 3000) in the Interface Configuration section.
Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 3000 Concentrator RADIUS attributes.
|
Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable Cisco VPN 3000 Concentrator RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Cisco VPN 3000 Concentrator RADIUS attributes, be sure your IETF RADIUS attributes are configured properly.
For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Cisco VPN 3000 Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
Step 4 Do one of the following:
Setting Cisco VPN 5000 Concentrator RADIUS Parameters for a User
The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only if all the following are true:
- A AAA client has been configured to use RADIUS (Cisco VPN 5000) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (Cisco VPN 5000) attributes you want to apply have been enabled under RADIUS (Cisco VPN 5000) in the Interface Configuration section.
Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 5000 Concentrator RADIUS attributes.
|
Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Cisco VPN 5000 Concentrator RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Cisco VPN 5000 Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
Step 4 Do one of the following:
Setting Microsoft RADIUS Parameters for a User
Microsoft RADIUS provides VSAs supporting Microsoft Point-to-Point Encryption (MPPE), which is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-in line, or over a Virtual Private Network (VPN) tunnel. The Microsoft RADIUS attribute configurations display only if both the following are true:
- A AAA client has been configured in Network Configuration that uses a RADIUS protocol that supports the Microsoft RADIUS VSA.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- The user-level RADIUS (Microsoft) attributes you want to apply have been enabled under RADIUS (Microsoft) in the Interface Configuration section.
The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSA:
Microsoft RADIUS represents only the Microsoft VSA. You must configure both the IETF RADIUS and Microsoft RADIUS attributes.
|
Note To hide or display Microsoft RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable Microsoft RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Cisco IOS RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Microsoft RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
|
Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. |
Step 4 Do one of the following:
Setting Nortel RADIUS Parameters for a User
The Nortel RADIUS parameters appear only if all the following are true:
- A AAA client has been configured to use RADIUS (Nortel) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (Nortel) attributes you want to apply have been enabled under RADIUS (Nortel) in the Interface Configuration section.
Nortel RADIUS represents only the Nortel proprietary attributes. You must configure both the IETF RADIUS and Nortel RADIUS attributes. Proprietary attributes override IETF attributes.
|
Note To hide or display Nortel RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable Nortel RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Nortel RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Nortel RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
Step 4 Do one of the following:
Setting Juniper RADIUS Parameters for a User
The Juniper RADIUS parameters appear only if all the following are true:
- A AAA client has been configured to use RADIUS (Juniper) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (Juniper) attributes you want to apply have been enabled under RADIUS (Juniper) in the Interface Configuration section.
Juniper RADIUS represents only the Juniper proprietary attributes. You must configure both the IETF RADIUS and Juniper RADIUS attributes. Proprietary attributes override IETF attributes.
|
Note To hide or display Juniper RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable Juniper RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring Juniper RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the Juniper RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
Step 4 Do one of the following:
Setting BBSM RADIUS Parameters for a User
The BBSM RADIUS parameters appear only if all the following are true:
- A AAA client has been configured to use RADIUS (BBSM) in Network Configuration.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (BBSM) attributes you want to apply have been enabled under RADIUS (BBSM) in the Interface Configuration section.
BBSM RADIUS represents only the BBSM proprietary attributes. You must configure both the IETF RADIUS and BBSM RADIUS attributes. Proprietary attributes override IETF attributes.
|
Note To hide or display BBSM RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the user configuration interface. |
To configure and enable BBSM RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring BBSM RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the BBSM RADIUS Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
Step 4 Do one of the following:
Setting Custom RADIUS Attributes for a User
Custom RADIUS parameters appear only if all the following are true:
- You have defined and configured the custom RADIUS VSAs. (For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs.)
- A AAA client has been configured in Network Configuration that uses a RADIUS protocol that supports the custom VSA.
- The Per-user TACACS+/RADIUS Attributes check box is selected under Advanced Options in the Interface Configuration section.
- User-level RADIUS (custom name) attributes you want to apply have been enabled under RADIUS (custom name) in the Interface Configuration section.
You must configure both the IETF RADIUS and the custom RADIUS attributes. Proprietary attributes override IETF attributes.
To configure and enable custom RADIUS attributes to be applied as an authorization for the current user, follow these steps:
Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account.
Result: The User Setup Edit page opens. The username being added or edited is at the top of the page.
Step 2 Before configuring custom RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Setting IETF RADIUS Parameters for a User.
Step 3 In the RADIUS custom name Attributes table, to specify the attributes that should be authorized for the user, follow these steps:
a. Select the check box next to the particular attribute.
b. Further define the authorization for that attribute in the box next to it, as required.
For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.
Step 4 Do one of the following:
User Management
This section describes how to use the Cisco Secure ACS User Setup section to perform a variety of user account managerial tasks.
This section contains the following procedures:
Listing All Users
The Cisco Secure ACS User List displays all user accounts (enabled and disabled). The list includes, for each user, the username, status, and the group to which the user belongs.
Usernames are displayed in the order in which they were entered into the database. This list cannot be sorted.
To view a list of all user accounts, follow these steps:
Step 1 In the navigation bar, click User Setup.
Result: The User Setup Select page opens.
Step 2 Click List All Users.
Result: In the display area on the right, the User List appears.
Step 3 To view or edit the information for an individual user, click the username in the right window.
Result: The user account information appears.
Finding a User
To find a user, follow these steps:
Step 1 In the navigation bar, click User Setup.
Result: The User Setup Select page opens.
Step 2 Type the name in the User box, and then click Find.
|
Tip You can use wildcard characters (*) in this box. |
|
Tip To display a list of usernames that begin with a particular letter or number, click the letter or number in the alphanumeric list. A list of users whose names begin with that letter or number opens in the display area on the right. |
Result: The username, status (enabled or disabled), and group to which the user belongs appear in the display area on the right.
Step 3 To view or edit the information for the user, click the username in the display area on the right.
Result: The user account information appears.
Disabling a User Account
This procedure details how to manually disable a user account in the CiscoSecure user database.
|
Note To configure the conditions by which a user account will automatically be disabled, see Setting Options for User Account Disablement. |
|
Note This is not to be confused with account expiration due to password aging. Password aging is defined for groups only, not for individual users. |
To disable a user account, follow these steps:
Step 1 In the navigation bar, click User Setup.
Result: The User Setup Select page opens.
Step 2 In the User box, type the name of the user whose account is to be disabled.
Step 3 Click Add/Edit.
Result: The User Setup Edit page opens. The username being edited is at the top of the page.
Step 4 Select the Account Disabled check box.
Step 5 Click Submit at the bottom of the page.
Result: The specified user account is disabled.
Deleting a User Account
|
Caution If you are authenticating using the Unknown User policy, you must also delete the user account from the external user database. This prevents the username from being automatically re-added to the CiscoSecure user database the next time the user attempts to log in. |
To delete a user account, follow these steps:
Step 1 Click User Setup.
Result: The User Setup Select page of the HTML interface opens.
Step 2 In the User box, type the complete username to be deleted.
|
Note Alternatively, you can click List All Users and then select the user from the list that appears. |
Step 3 Click Add/Edit.
Step 4 At the bottom of the User Setup page, click Delete.
|
Note The Delete button appears only when you are editing user information, not when you are adding a username. |
Result: A popup window appears that asks you to confirm the user deletion.
Step 5 Click OK.
Result: The user account is removed from the CiscoSecure user database.
Resetting User Session Quota Counters
You can reset the session quota counters for a user either before or after the user exceeds a quota.
To reset user usage quota counters, follow these steps:
Step 1 Click User Setup.
Result: The Select page of the HTML interface opens.
Step 2 In the User box, type the complete username of the user whose session quota counters you are going to reset.
|
Note Alternatively, you can click List All Users and then select the user from the list that appears. |
Step 3 Click Add/Edit.
Step 4 In the Session Quotas section, select the Reset All Counters on submit check box.
Step 5 Click Submit at the bottom of the browser page.
Result: The session quota counters are reset for this user. The User Setup Select page appears.
Resetting a User Account after Login Failure
Perform this procedure when an account is disabled because the failed attempts count has been exceeded during an unsuccessful user attempt to log in.
To reset a user account after login failure, follow these steps:
Step 1 Click User Setup.
Result: The User Setup Select page of the HTML interface opens.
Step 2 In the User box, type the complete username of the account to be reset.
|
Note Alternatively, you can click List All Users and then select the user from the list that appears. |
Step 3 Click Add/Edit.
Step 4 In the Account Disable table, select the Reset current failed attempts count on submit check box, and then click Submit.
Result: The Failed attempts since last successful login: counter resets to 0 (zero) and the system re-enables the account.
|
Note This counter shows the number of unsuccessful login attempts since the last time this user logged in successfully. |
|
Note If the user authenticates with a Windows NT/2000 external user database, this expiration information is in addition to the information in the Windows NT/2000 user account. Changes here do not alter settings configured in Windows NT/2000. |
Saving User Settings
After you have completed configuration for a user, be sure to save your work.
To save the configuration for the current user, follow these steps:
Step 1 To save the user account configuration, click Submit.
Step 2 To verify that your changes were applied, type the username in the User box and click Add/Edit, and then review the settings.