User Guide for Cisco Secure ACS for Windows Server 3.2
Administrators and Administrative Policy

Table Of Contents

Administrators and Administrative Policy

Administrator Accounts

About Administrator Accounts

Administrator Privileges

Adding an Administrator Account

Editing an Administrator Account

Unlocking a Locked Out Administrator Account

Deleting an Administrator Account

Access Policy

Access Policy Options

Setting Up Access Policy

Session Policy

Session Policy Options

Setting Up Session Policy

Audit Policy

Administrators and Administrative Policy


This chapter addresses the CiscoSecure ACS Appliance features found in the Administration Control section of the HTML interface.

This chapter contains the following topics:

Administrator Accounts

Access Policy

Session Policy

Audit Policy

Administrator Accounts

This section provides details about CiscoSecure ACS administrators.

This section contains the following topics:

About Administrator Accounts

Administrator Privileges

Adding an Administrator Account

Editing an Administrator Account

Unlocking a Locked Out Administrator Account

Deleting an Administrator Account

About Administrator Accounts

Administrators are the only users of the CiscoSecure ACS HTML interface. To access the CiscoSecure ACS HTML interface from a browser run elsewhere than on the CiscoSecure ACS Windows server itself, you must log in to CiscoSecure ACS using an administrator account. If your CiscoSecure ACS is so configured, you may need to log in to CiscoSecure ACS even in a browser run on the CiscoSecure ACS Windows server. For more information about automatic local logins, see Session Policy.


Note CiscoSecure ACS administrator accounts are unique to CiscoSecure ACS. They are not related to other administrator accounts, such as Windows users with administrator privileges.


In the HTML interface, an administrator can configure any of the features provided in CiscoSecure ACS; however, the ability to access various parts of the HTML interface can be limited by revoking privileges to those parts of the HTML interface that a given administrator is not allowed to access.

For example, you may want to limit access to the Network Configuration section of the HTML interface to administrators whose responsibilities include network management. To do so, you would select only the Network Configuration privilege for applicable administrator accounts. For more information about administrator privileges, see Administrator Privileges.

CiscoSecure ACS administrator accounts have no correlation with CiscoSecure ACS user accounts or username and password authentication. CiscoSecure ACS stores accounts created for authentication of network service requests and those created for CiscoSecure ACS administrative access in separate internal databases.

Administrator Privileges

You can grant appropriate privileges to each CiscoSecure ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options from the Administrator Privileges table on the Add Administrator or Edit Administrator pages. These options are listed below:

User and Group Setup —Contains the following privilege options for the User Setup and Group Setup sections of the HTML interface:

Add/Edit users in these groups —Enables the administrator to add or edit users and to assign users to the groups in the Editable groups list.

Setup of these groups —Enables the administrator to edit the settings for the groups in the Editable groups list.

Available Groups —Lists the user groups for which the administrator does not have edit privileges and to which the administrator cannot add users.

Editable Groups —Lists the user groups for which the administrator does have edit privileges and to which the administrator can add users.

Shared Profile Components —Contains the following privilege options for the Shared Profile Components section of the HTML interface:

Network Access Restriction Sets —Allows the administrator full access to the Network Access Restriction Sets feature.

Downloadable ACLs —Allows the administrator full access to the Downloadable PIX ACLs feature.

Create New Device Command Set Type —Allows the administrator account to be used as valid credentials by another Cisco application for adding new device command set types. New device command set types that are added to CiscoSecure ACS using this privilege appear in the Shared Profile Components section of the HTML interface.

Shell Command Authorization Sets —Allows the administrator full access to the Shell Command Authorization Sets feature.

PIX Command Authorization Sets —Allows the administrator full access to the PIX Command Authorization Sets feature.


Note Additional command authorization set privilege options may appear, if other Cisco network management applications, such as CiscoWorks2000, have updated the configuration of CiscoSecure ACS.


Network Configuration —Allows the administrator full access to the features in the Network Configuration section of the HTML interface.

System Configuration... —Contains the privilege options for the features found in the System Configuration section of the HTML interface. For each of the following features, enabling the option allows the administrator full access to the feature.

Service Control —For more information about this feature, see Service Control.

Date/Time Format Control —For more information about this feature, see Date Format Control.

Logging Control —For more information about this feature, see Logging.

Local Password Management —For more information about this feature, see Local Password Management.

DB Replication —For more information about this feature, see CiscoSecure Database Replication.

RDBMS Synchronization —For more information about this feature, see RDBMS Synchronization.

IP Pool Address Recovery —For more information about this feature, see IP Pools Address Recovery.

IP Pool Server Configuration —For more information about this feature, see IP Pools Server.

ACS Backup —For more information about this feature, see CiscoSecure ACS Backup.

ACS Restore —For more information about this feature, see CiscoSecure ACS System Restore.

ACS Service Management —For more information about this feature, see CiscoSecure ACS Active Service Management.

VoIP Accounting Configuration —For more information about this feature, see VoIP Accounting Configuration.

ACS Certificate Setup —For more information about this feature, see CiscoSecure ACS Certificate Setup.

Global Authentication Setup —For more information about this feature, see Global Authentication Setup.

Interface Configuration —Allows the administrator full access to the features in the Interface Configuration section of the HTML interface.

Administration Control —Allows the administrator full access to the features in the Administration Control section of the HTML interface.

External User Databases —Allows the administrator full access to the features in the External User Databases section of the HTML interface.

Reports & Activity —Contains the privilege options for the reports and features found in the Reports and Activity section of the HTML interface. For each of the following features, enabling the option allows the administrator full access to the feature.

TACACS+ Accounting —For more information about this report, see Accounting Logs.

TACACS+ Administration —For more information about this report, see Accounting Logs.

RADIUS Accounting —For more information about this report, see Accounting Logs.

VoIP Accounting —For more information about this report, see Accounting Logs.

Passed Authentications —For more information about this report, see Accounting Logs.

Failed Attempts —For more information about this report, see Accounting Logs.

Logged-in Users —For more information about this report, see Dynamic Administration Reports.

Purge of Logged-in Users —For more information about this feature, see Deleting Logged-in Users.

Disabled Accounts —For more information about this report, see Dynamic Administration Reports.

ACS Backup and Restore —For more information about this report, see CiscoSecure ACS System Logs.

DB Replication —For more information about this report, see CiscoSecure ACS System Logs.

RDBMS Synchronization —For more information about this report, see CiscoSecure ACS System Logs.

Administration Audit —For more information about this report, see CiscoSecure ACS System Logs.

ACS Service Monitor —For more information about this report, see CiscoSecure ACS System Logs.

User Change Password —For more information about this report, see CiscoSecure ACS System Logs.

Adding an Administrator Account

Before You Begin

For descriptions of the options available while adding an administrator account, see Administrator Privileges.

To add a CiscoSecure ACS administrator account, follow these steps:


Step 1 In the navigation bar, click Administration Control.

Step 2 Click Add Administrator.

The Add Administrator page appears.

Step 3 Complete the boxes in the Administrator Details table:

a. In the Administrator Name box, type the login name (up to 32 characters) for the new Cisco Secure ACS administrator account.

b. In the Password box, type the password (up to 32 characters) for the new Cisco Secure ACS administrator account.

c. In the Confirm Password box, type the password a second time.

Step 4 To select all privileges, including user group editing privileges for all user groups, click Grant All.

All privilege options are selected. All user groups move to the Editable groups list.


Tip To clear all privileges, including user group editing privileges for all user groups, click Revoke All.


Step 5 To grant user and user group editing privileges, follow these steps:

a. Select the desired check boxes under User & Group Setup.

b. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).

The selected group moves to the Editable groups list.

c. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (left arrow button).

The selected group moves to the Available groups list.

d. To move all user groups to the Editable groups list, click >>.

The user groups in the Available groups list move to the Editable groups list.

e. To remove all user groups from the Editable groups list, click <<.

The user groups in the Editable groups list move to the Available groups list.

Step 6 To grant any of the remaining privilege options, in the Administrator Privileges table, select the applicable check boxes.

Step 7 Click Submit.

CiscoSecure ACS saves the new administrator account. The new account appears in the list of administrator accounts on the Administration Control page.


Editing an Administrator Account

You can edit a CiscoSecure ACS administrator account to change the privileges granted to the administrator. You can effectively disable an administrator account by revoking all privileges.


Note You cannot change the name of an administrator account; however, you can delete an administrator account and then create an account with the new name. For information about deleting an administrator account, see Deleting an Administrator Account. For information about creating an administrator account, see Adding an Administrator Account.


For information about administrator privilege options, see Administrator Privileges.

Before You Begin

For descriptions of the options available while editing an administrator account, see Administrator Privileges.

To edit CiscoSecure ACS administrator account privileges, follow these steps:


Step 1 In the navigation bar, click Administration Control.

CiscoSecure ACS displays the Administration Control page.

Step 2 Click the name of the administrator account whose privileges you want to edit.

The Edit Administrator name page appears, where name is the name of the administrator account you just selected.

Step 3 To change the administrator password, follow these steps:

a. In the Password box, double-click the asterisks, and then type the new password (up to 32 characters) for the administrator.

The new password replaces the existing, masked password.

b. In the Confirm Password box, double-click the asterisks, and then type the new administrator password a second time.

The new password is effective immediately after you click Submit in Step 10.

Step 4 If the Reset current failed attempts count check box appears below the Confirm Password box and you want to allow the administrator whose account you are editing to access the CiscoSecure ACS HTML interface, select the Reset current failed attempts count check box.


Note If the Reset current failed attempts count check box appears below the Confirm Password box, the administrator cannot access CiscoSecure ACS unless you complete Step 4. For more information about re-enabling an administrator account, see Unlocking a Locked Out Administrator Account.


Step 5 To select all privileges, including user group editing privileges for all user groups, click Grant All.

All privilege options are selected. All user groups move to the Editable groups list.

Step 6 To clear all privileges, including user group editing privileges for all user groups, click Revoke All.

All privilege options are cleared. All user groups move to the Available groups list.

Step 7 To grant user and user group editing privileges, follow these steps:

a. Under User & Group Setup, select the applicable check boxes.

b. To move all user groups to the Editable groups list, click >>.

The user groups in the Available groups list move to the Editable groups list.

c. To move a user group to the Editable groups list, select the group in the Available groups list, and then click --> (right arrow button).

The selected group moves to the Editable groups list.

d. To remove all user groups from the Editable groups list, click <<.

The user groups in the Editable groups list move to the Available groups list.

e. To remove a user group from the Editable groups list, select the group in the Editable groups list, and then click <-- (left arrow button).

The selected group moves to the Available groups list.

Step 8 To grant any remaining privilege options, select the applicable check boxes in the Administrator Privileges table.

Step 9 To revoke any remaining privilege options, clear the applicable check boxes in the Administrator Privileges table.

Step 10 Click Submit.

CiscoSecure ACS saves the changes to the administrator account.


Unlocking a Locked Out Administrator Account

CiscoSecure ACS disables the accounts of administrators who have attempted to access the CiscoSecure ACS HTML interface and have provided an incorrect password in more successive attempts than is specified on the Session Policy Setup page. Until the failed attempts counter for a disabled administrator account is reset, the administrator cannot access the HTML interface.

For more information about configuring how many successive failed login attempts can occur before CiscoSecure ACS disables an administrator account, see Session Policy.

To reset the failed attempts count for an administrator, follow these steps:


Step 1 In the navigation bar, click Administration Control.

CiscoSecure ACS displays the Administration Control page.

Step 2 Click the name of the administrator account that you want to re-enable.

The Edit Administrator name page appears, where name is the name of the administrator account you just selected.

If the Reset current failed attempts count check box appears below the Confirm Password box, the administrator account cannot access the HTML interface.

Step 3 Select the Reset current failed attempts count check box.

Step 4 Click Submit.

CiscoSecure ACS saves the changes to the administrator account.


Deleting an Administrator Account

You can delete a CiscoSecure ACS administrator account when you no longer need it. We recommend deleting any unused administrator accounts.

To delete a CiscoSecure ACS administrator account, follow these steps:


Step 1 In the navigation bar, click Administration Control.

CiscoSecure ACS displays the Administration Control page.

Step 2 In the Administrators table, click the name of the administrator account that you want to delete.

The Edit Administrator name page appears, where name is the name of the administrator account you just selected.

Step 3 Click Delete.

CiscoSecure ACS displays a confirmation dialog box.

Step 4 Click OK.

CiscoSecure ACS deletes the administrator account. The Administrators table on the Administration Control page no longer lists the administrator account that you deleted.


Access Policy

The Access Policy feature affects access to the CiscoSecure ACS HTML interface. You can limit access by IP address and by the TCP port range used for administrative sessions. You can also enable secure socket layer (SSL) for access to the HTML interface.

This section contains the following topics:

Access Policy Options

Setting Up Access Policy

Access Policy Options

You can configure the following options on the Access Policy Setup page:

IP Address Filtering —Contains the following IP address filtering options:

Allow all IP addresses to connect —Allow access to the HTML interface from any IP address.

Allow only listed IP addresses to connect —Allow access to the HTML interface only from IP addresses inside the address range(s) specified in the IP Address Ranges table.

Reject connections from listed IP addresses —Allow access to the HTML interface only from IP addresses outside the address range(s) specified in the IP Address Ranges table.

IP Address Ranges —The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, the range includes the start and end IP addresses. The IP addresses entered to define a range must differ only in the last octet (Class C format).

The IP Address Ranges table contains one column of each of the following boxes:

Start IP Address —Defines the lowest IP address of the range specified in the current row.

End IP Address —Defines the highest IP address of the range specified in the current row.

HTTP Port Allocation —Contains the following options for configuring TCP ports used for remote access to the HTML interface.

Allow any TCP ports to be used for Administration HTTP Access —Allow the ports used by administrative HTTP sessions to include the full range of TCP ports.

Restrict Administration Sessions to the following port range From Port X to Port Y—Restrict the ports used by administrative HTTP sessions to the range specified in the X and Y boxes, inclusive. The size of the range specified determines the maximum number of concurrent administrative sessions.

Cisco Secure ACS uses port 2002 to start all administrative sessions. You do not need to include port 2002 in the port range. Also, Cisco Secure ACS does not allow you to define an HTTP port range that consists only of port 2002. Your port range must consist of at least one port other than port 2002.

A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a web browser must address to initiate an administrative session.


Note We do not recommend allowing administration of CiscoSecure ACS from outside a firewall. If you do choose to allow access to the HTML interface from outside a firewall, keep the HTTP port range as narrow as possible. This can help prevent accidental discovery of an active administrative port by unauthorized users. An unauthorized user would have to impersonate, or "spoof," the IP address of a legitimate host to make use of the active administrative session HTTP port.


Secure Socket Layer Setup —The Use HTTPS Transport for Administration Access check box defines whether CiscoSecure ACS uses secure socket layer protocol to encrypt HTTP traffic between the CSAdmin service and a web browser used to access the HTML interface. When this option is enabled, all HTTP traffic between the browser and CiscoSecure ACS is encrypted, as reflected by the URLs, which begin with HTTPS. Additionally, most browsers include an indicator for when a connection is SSL-encrypted.

To enable SSL, you must have completed the steps in Installing a Cisco Secure ACS Server Certificate and Adding a Certificate Authority Certificate.
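The IP Address Filtering and HTTP Port Allocation rules above are easy to misread (inclusive ranges, the "last octet only" constraint, port 2002 as the session-initiation port that must be permitted alongside the configured range). The following is an added example, not Cisco's code and not part of this guide, that models those documented rules in Python so the behaviour of the three filtering modes and the port-range constraints can be checked against sample addresses. The class and function names (`AccessPolicy`, `validate_range`, `firewall_port_intervals`) are illustrative, and the sample addresses are constructed.

```python
"""Model of the CiscoSecure ACS Access Policy rules described in the guide.

Added example: written from the documented behaviour, not taken from the
product. Names and sample values are illustrative.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

# The page states that a browser always addresses port 2002 to start a session.
ADMIN_START_PORT = 2002
# The IP Address Ranges table has ten rows (from the page).
MAX_RANGE_ROWS = 10


class IpFilterMode(Enum):
    ALLOW_ALL = "Allow all IP addresses to connect"
    ALLOW_LISTED = "Allow only listed IP addresses to connect"
    REJECT_LISTED = "Reject connections from listed IP addresses"


def validate_range(start: str, end: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Apply the documented constraints on one row of the IP Address Ranges table:
    dotted decimal, start <= end, and the two addresses differ only in the last octet."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s.packed[:3] != e.packed[:3]:
        raise ValueError(f"{start}-{end}: addresses must differ only in the last octet")
    if s > e:
        raise ValueError(f"{start}-{end}: start must not exceed end")
    return s, e


@dataclass
class AccessPolicy:
    mode: IpFilterMode = IpFilterMode.ALLOW_ALL
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)
    port_range: Optional[Tuple[int, int]] = None  # None models "allow any TCP ports"

    def add_range(self, start: str, end: str) -> None:
        if len(self.ranges) >= MAX_RANGE_ROWS:
            raise ValueError("IP Address Ranges table has only ten rows")
        self.ranges.append(validate_range(start, end))

    def is_listed(self, ip: str) -> bool:
        """Ranges are inclusive: the start and end addresses are both inside."""
        addr = ipaddress.IPv4Address(ip)
        return any(s <= addr <= e for s, e in self.ranges)

    def permits(self, ip: str) -> bool:
        """Decide whether a remote browser at `ip` may reach the HTML interface."""
        if self.mode is IpFilterMode.ALLOW_ALL:
            return True
        listed = self.is_listed(ip)
        return listed if self.mode is IpFilterMode.ALLOW_LISTED else not listed

    def set_port_range(self, low: int, high: int) -> None:
        """Restrict administrative sessions to ports low..high inclusive.
        The page forbids a range consisting only of port 2002."""
        if not (1 <= low <= high <= 65535):
            raise ValueError("port range must satisfy 1 <= X <= Y <= 65535")
        if low == high == ADMIN_START_PORT:
            raise ValueError("port range must include at least one port other than 2002")
        self.port_range = (low, high)

    def max_concurrent_sessions(self) -> Optional[int]:
        """Per the page, the size of the configured range bounds concurrent sessions."""
        if self.port_range is None:
            return None
        low, high = self.port_range
        return high - low + 1

    def firewall_port_intervals(self) -> Optional[List[Tuple[int, int]]]:
        """Inclusive TCP port intervals a firewall must permit: the configured range
        plus port 2002, which every session is initiated on."""
        if self.port_range is None:
            return None
        low, high = self.port_range
        if low <= ADMIN_START_PORT <= high:
            return [(low, high)]
        return sorted([(ADMIN_START_PORT, ADMIN_START_PORT), (low, high)])


if __name__ == "__main__":
    # Constructed sample policy: admin workstations 10.1.1.10-10.1.1.20, five session ports.
    policy = AccessPolicy(mode=IpFilterMode.ALLOW_LISTED)
    policy.add_range("10.1.1.10", "10.1.1.20")
    policy.set_port_range(3000, 3004)
    for client in ("10.1.1.10", "10.1.1.20", "10.1.1.21", "10.1.2.15"):
        print(client, "permitted" if policy.permits(client) else "rejected")
    print("max concurrent sessions:", policy.max_concurrent_sessions())
    print("firewall must permit:", policy.firewall_port_intervals())
```

A practical use of this model is reviewing a proposed policy before it is entered: the "reject listed" mode silently admits every address outside the listed ranges, so a range typo widens access rather than narrowing it, and the firewall interval list shows that restricting the range to, say, 3000-3004 still requires port 2002 to be open.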

Setting Up Access Policy

For information about access policy options, see Access Policy Options.

Before You Begin

If you want to enable SSL for administrative access, before completing this procedure, you must have completed the steps in Installing a CiscoSecure ACS Server Certificate, and Adding a Certificate Authority Certificate.

To set up CiscoSecure ACS Access Policy, follow these steps:


Step 1 In the navigation bar, click Administration Control.

CiscoSecure ACS displays the Administration Control page.

Step 2 Click Access Policy.

The Access Policy Setup page appears.

Step 3 To allow remote access to the HTML interface from any IP address, in the IP Address Filtering table, select the Allow all IP addresses to connect option.

Step 4 To allow remote access to the HTML interface only from IP addresses within a range or ranges of IP addresses, follow these steps:

a. In the IP Address Filtering table, select the Allow only listed IP addresses to connect option.

b. For each IP address range from within which you want to allow remote access to the HTML interface, complete one row of the IP Address Ranges table. In the Start IP Address box, type the lowest IP address (up to 16 characters) in the range. In the End IP Address box, type the highest IP address (up to 16 characters) in the range. Use dotted decimal format.


Note The IP addresses entered to define a range must differ only in the last octet.


Step 5 To allow remote access to the HTML interface only from IP addresses outside a range or ranges of IP addresses, follow these steps:

a. In the IP Address Filtering table, select the Reject connections from listed IP addresses option.

b. For each IP address range from outside which you want to allow remote access to the HTML interface, complete one row of the IP Address Ranges table. Type the lowest IP address (up to 16 characters) in the range in the Start IP Address box. Type the highest IP address (up to 16 characters) in the range in the End IP Address box.


Note The IP addresses entered to define a range must differ only in the last octet.


Step 6 If you want to allow CiscoSecure ACS to use any valid TCP port for administrative sessions, under HTTP Port Allocation, select the Allow any TCP ports to be used for Administration HTTP Access option.

Step 7 If you want to allow CiscoSecure ACS to use only a specified range of TCP ports for administrative sessions, follow these steps:

a. Under HTTP Port Allocation, select the Restrict Administration Sessions to the following port range From Port X to Port Y option.

b. In the X box, type the lowest TCP port (up to 5 characters) in the range.

c. In the Y box, type the highest TCP port (up to 5 characters) in the range.

Step 8 If you want to enable SSL encryption of administrator access to the HTML interface, under Secure Socket Layer Setup, select the Use HTTPS Transport for Administration Access check box.


Note To enable SSL, you must have completed the steps in Installing a CiscoSecure ACS Server Certificate, and Adding a Certificate Authority Certificate.


Step 9 Click Submit.

CiscoSecure ACS saves and begins enforcing the access policy settings.

If you have enabled SSL, at the next administrator login, CiscoSecure ACS begins using HTTPS. Any current administrator sessions are unaffected.


Session Policy

The Session Policy feature controls various aspects of CiscoSecure ACS administrative sessions.

This section contains the following topics:

Session Policy Options

Setting Up Session Policy

Session Policy Options

You can configure the following options on the Session Policy Setup page:

Session idle timeout (minutes) —Defines the time in minutes that an administrative session, local or remote, must remain idle before CiscoSecure ACS terminates the connection. This parameter applies to the CiscoSecure ACS administrative session in the browser only. It does not apply to an administrative dial-up session.

An administrator whose administrative session is terminated receives a dialog box asking whether or not the administrator wants to continue. If the administrator chooses to continue, CiscoSecure ACS starts a new administrative session.

Allow Automatic Local Login —Enables administrators to start an administrative session without logging in if they are using a browser on the computer running CiscoSecure ACS. Such administrative sessions are conducted using a default administrator account named "local_login". The local_login administrator account has all privileges. Local administrative sessions with automatic local login are recorded in the Administrative Audit report under the local_login administrator name.


Note If there are no administrator accounts defined, no administrator name and password are required to access CiscoSecure ACS locally. This prevents you from accidentally locking yourself out of CiscoSecure ACS.


Respond to Invalid IP Address Connections —Enables an error message in response to attempts to start a remote administrative session using an IP address that is invalid according to the IP address ranges configured in Access Policy. Disabling this option can help prevent unauthorized users from discovering CiscoSecure ACS.

Lock out Administrator after X successive failed attempts —Enables CiscoSecure ACS to lock out an administrator after a number of successive failed attempts to log in to the HTML interface. The number of successive attempts is specified in the X box. If this check box is selected, the X box cannot be set to zero. If this check box is not selected, CiscoSecure ACS allows unlimited successive failed login attempts by an administrator.
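The lockout, idle-timeout and automatic-local-login options interact with the "Reset current failed attempts count" check box described under Unlocking a Locked Out Administrator Account. The following is an added example, not Cisco's code and not part of this guide, that models those documented rules in Python: successive failed logins are counted per account, the account is locked once the count reaches X while lockout is enabled, X cannot be zero when lockout is enabled, an unchecked lockout box means unlimited attempts, and the administrator's reset clears the counter. Two details the page does not spell out are labelled as assumptions in the code: that a successful login ends the streak of successive failures, and that the failure counter keeps counting after the lock. The class names (`SessionPolicy`, `AdminAccount`, `AdminLoginService`) and the sample accounts are constructed.

```python
"""Model of the CiscoSecure ACS Session Policy lockout and idle-timeout rules.

Added example written from the documented behaviour; not product code.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

LOCAL_LOGIN_NAME = "local_login"  # default account for automatic local login (from the page)


@dataclass
class SessionPolicy:
    idle_timeout_minutes: int = 60          # constructed default; the box accepts up to 4 characters
    lockout_enabled: bool = False           # "Lock out Administrator after X successive failed attempts"
    max_failed_attempts: int = 0            # the X box
    allow_automatic_local_login: bool = False
    respond_to_invalid_ip: bool = True

    def __post_init__(self) -> None:
        # The page: if the lockout check box is selected, X cannot be set to zero.
        if self.lockout_enabled and self.max_failed_attempts <= 0:
            raise ValueError("X must be greater than zero when lockout is enabled")


@dataclass
class AdminAccount:
    name: str
    password: str               # constructed sample; a real store would hold a password hash
    failed_attempts: int = 0    # the "current failed attempts count"


@dataclass
class AdminLoginService:
    policy: SessionPolicy
    accounts: Dict[str, AdminAccount] = field(default_factory=dict)

    def is_locked(self, account: AdminAccount) -> bool:
        if not self.policy.lockout_enabled:
            return False  # check box cleared: unlimited successive failures allowed
        return account.failed_attempts >= self.policy.max_failed_attempts

    def login(self, name: Optional[str], password: Optional[str], local: bool = False) -> str:
        """Return one of: 'ok', 'ok:local_login', 'locked', 'bad_credentials'."""
        # Automatic local login: a browser on the ACS host needs no credentials and
        # runs as local_login, which has all privileges. The page also says that with
        # no administrator accounts defined, local access requires no credentials.
        if local and (self.policy.allow_automatic_local_login or not self.accounts):
            return "ok:" + LOCAL_LOGIN_NAME
        account = self.accounts.get(name or "")
        if account is None:
            return "bad_credentials"
        if self.is_locked(account):
            return "locked"
        if not hmac.compare_digest((password or "").encode(), account.password.encode()):
            account.failed_attempts += 1  # assumption: counter keeps counting after the lock
            return "locked" if self.is_locked(account) else "bad_credentials"
        account.failed_attempts = 0  # assumption: a successful login ends the successive-failure streak
        return "ok"

    def reset_failed_attempts(self, name: str) -> None:
        """Models an administrator selecting 'Reset current failed attempts count'."""
        self.accounts[name].failed_attempts = 0

    def session_expired(self, last_activity_minute: float, now_minute: float) -> bool:
        """Idle timeout: the session ends once it has been idle for the configured minutes."""
        return now_minute - last_activity_minute >= self.policy.idle_timeout_minutes


if __name__ == "__main__":
    svc = AdminLoginService(
        SessionPolicy(lockout_enabled=True, max_failed_attempts=3, idle_timeout_minutes=15),
        {"netadmin": AdminAccount("netadmin", "constructed-sample-password")},
    )
    for attempt in range(3):
        print("bad password ->", svc.login("netadmin", "wrong"))
    print("correct password while locked ->", svc.login("netadmin", "constructed-sample-password"))
    svc.reset_failed_attempts("netadmin")
    print("after reset ->", svc.login("netadmin", "constructed-sample-password"))
    print("idle 20 min with 15 min timeout expired?", svc.session_expired(0, 20))
```

Note that with the lockout check box cleared the model never refuses a login on the basis of the counter, which matches the page's "unlimited successive failed login attempts" and is the setting the Administration Audit report is the only defence for.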

Setting Up Session Policy

For information about session policy options, see Session Policy Options.

To set up CiscoSecure ACS Session Policy, follow these steps:


Step 1 In the navigation bar, click Administration Control.

CiscoSecure ACS displays the Administration Control page.

Step 2 Click Session Policy.

The Session Policy Setup page appears.

Step 3 To define the number of minutes of inactivity after which CiscoSecure ACS ends an administrative session, in the Session idle timeout (minutes) box, type the number of minutes (up to 4 characters).

Step 4 Set the automatic local login policy:

a. To allow administrators to log in to Cisco Secure ACS locally without using their administrator names and passwords, select the Allow Automatic Local Login check box.

b. To require administrators to log in to Cisco Secure ACS locally using their administrator names and passwords, clear the Allow Automatic Local Login check box.

Step 5 Set the invalid IP address response policy:

a. To configure Cisco Secure ACS to respond with a message when an administrative session is requested from an invalid IP address, select the Respond to invalid IP address connections check box.

b. To configure Cisco Secure ACS to send no message when an administrative session is requested from an invalid IP address, clear the Respond to invalid IP address connections check box.

Step 6 Set the failed administrative login attempts policy:

a. To enable Cisco Secure ACS to lock out an administrator after a specified number of successive failed administrative login attempts, select the Lock out Administrator after X successive failed attempts check box.

b. In the X box, type the number of successive failed login attempts after which Cisco Secure ACS locks out an administrator. The X box accepts up to 4 characters.

Step 7 Click Submit.

CiscoSecure ACS saves and begins enforcing the session policy settings you made.


Audit Policy

The Audit Policy feature controls the generation of the Administrative Audit log.

For more information about enabling, viewing, or configuring the Administrative Audit log, see CiscoSecure ACS System Logs.