User Guide for Cisco Secure ACS for Windows Server 3.2
User Group Management

Table Of Contents

User Group Management

About User Group Setup Features and Functions

Default Group

Group TACACS+ Settings

Basic User Group Settings

Enabling VoIP Support for a User Group

Setting Default Time-of-Day Access for a User Group

Setting Callback Options for a User Group

Setting Network Access Restrictions for a User Group

Setting Max Sessions for a User Group

Setting Usage Quotas for a User Group

Configuration-specific User Group Settings

Setting Token Card Settings for a User Group

Setting Enable Privilege Options for a User Group

Enabling Password Aging for the CiscoSecure User Database

Enabling Password Aging for Users in Windows Databases

Setting IP Address Assignment Method for a User Group

Assigning a Downloadable IP ACL to a Group

Configuring TACACS+ Settings for a User Group

Configuring a Shell Command Authorization Set for a User Group

Configuring a PIX Command Authorization Set for a User Group

Configuring Device-Management Command Authorization for a User Group

Configuring IETF RADIUS Settings for a User Group

Configuring Cisco IOS/PIX RADIUS Settings for a User Group

Configuring Cisco Aironet RADIUS Settings for a User Group

Configuring Ascend RADIUS Settings for a User Group

Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group

Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group

Configuring Microsoft RADIUS Settings for a User Group

Configuring Nortel RADIUS Settings for a User Group

Configuring Juniper RADIUS Settings for a User Group

Configuring BBSM RADIUS Settings for a User Group

Configuring Custom RADIUS VSA Settings for a User Group

Group Setting Management

Listing Users in a User Group

Resetting Usage Quota Counters for a User Group

Renaming a User Group

Saving Changes to User Group Settings

User Group Management


This chapter provides information about setting up and managing user groups in CiscoSecure ACS for WindowsServer to control authorization. CiscoSecure ACS enables you to group network users for more efficient administration. Each user can belong to only one group in CiscoSecure ACS. You can establish up to 500 groups to effect different levels of authorization.

CiscoSecure ACS also supports external database group mapping; that is, if your external user database distinguishes user groups, these groups can be mapped into CiscoSecure ACS. And if the external database does not support groups, you can map all users from that database to a CiscoSecure ACS user group. For information about external database mapping, see "User Group Mapping and Specification"

Before you configure Group Setup, you should understand how this section functions. CiscoSecure ACS dynamically builds the Group Setup section interface depending on the configuration of your network devices and the security protocols being used. That is, what you see under Group Setup is affected by settings in the Network Configuration and Interface Configuration sections.

This chapter contains the following topics:

About User Group Setup Features and Functions

Basic User Group Settings

Configuration-specific User Group Settings

Group Setting Management

About User Group Setup Features and Functions

The Group Setup section of the CiscoSecure ACS HTML interface is the centralized location for operations regarding user group configuration and administration. For information about network device groups (NDGs), see Network Device Group Configuration.

This section contains the following topics:

Default Group

Group TACACS+ Settings

Default Group

If you have not configured group mapping for an external user database, CiscoSecure ACS assigns users who are authenticated by the Unknown User Policy to the Default Group the first time they log in. The privileges and restrictions for the default group are applied to first-time users. If you have upgraded from a previous version of CiscoSecure ACS and kept your database information, CiscoSecure ACS retains the group mappings you configured before upgrading.

Group TACACS+ Settings

CiscoSecure ACS enables a full range of settings for TACACS+ at the group level. If a AAA client has been configured to use TACACS+ as the security control protocol, you can configure standard service protocols, including PPP IP, PPP LCP, ARAP, SLIP, and shell (exec), to be applied for the authorization of each user who belongs to a particular group.


Note You can also configure TACACS+ settings at the user level. User-level settings always override group level settings.


CiscoSecure ACS also enables you to enter and configure new TACACS+ services. For information about how to configure a new TACACS+ service to appear on the group setup page, see Protocol Configuration Options for TACACS+.

If you have configured CiscoSecure ACS to interact with a Cisco device-management application, new TACACS+ services may appear automatically, as needed, to support the device-management application. For more information about CiscoSecure ACS interaction with device-management applications, see Support for Cisco Device-Management Applications.

You can use the Shell Command Authorization Set feature to configure TACACS+ group settings. This feature enables you to apply shell commands to a particular user group in the following ways:

Assign a shell command authorization set, which you have already configured, for any network device.

Assign a shell command authorization set, which you have already configured, to particular NDGs.

Permit or deny specific shell commands, which you define, on a per-group basis.

For more information about shell command authorization sets, see "Shared Profile Components"

Basic User Group Settings

This section presents the basic activities you perform when configuring a new user group.

This section contains the following topics:

Enabling VoIP Support for a User Group

Setting Default Time-of-Day Access for a User Group

Setting Callback Options for a User Group

Setting Network Access Restrictions for a User Group

Setting Max Sessions for a User Group

Setting Usage Quotas for a User Group

Enabling VoIP Support for a User Group


Note If this feature does not appear, click Interface Configuration , click Advanced Options , and then select the Voice-over-IP (VoIP) Group Settings check box.


Perform this procedure to enable support for the null password function of VoIP. This enables users to authenticate (session or telephone call) on only the user ID (telephone number).

When you enable VoIP at the group level, all users in this group become VoIP users, and the user IDs are treated similarly to a telephone number. VoIP users do not need to enter passwords to authenticate.


Caution Enabling VoIP disables password authentication and most advanced settings, including password aging and protocol attributes.


To enable VoIP support for a group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select the group you want to configure for VoIP support, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 In the Voice-over-IP Support table, select the check box labeled This is a Voice-over-IP (VoIP) group - and all users of this group are VoIP users .

Step4 To save the group settings you have just made, click Submit .
For more information, see Saving Changes to User Group Settings.

Step5 To continue, and specify other group settings, perform other procedures in this chapter, as applicable.


Setting Default Time-of-Day Access for a User Group


Note If this feature does not appear, click Interface Configuration , click Advanced Options , and then select the Default Time-of-Day / Day-of-Week Specification check box.


To define the times during which users in a particular group are permitted or denied access, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 In the Default Time-of-Day Access Settings table, select the Set as default Access Times check box.


Note You must select the Set as default Access Times check box to limit access based on time or day.


Times at which the system permits access are highlighted in green on the day and hour matrix.


Note The default sets accessibility during all hours.


Step4 In the day and hour matrix, click the times at which you do not want to permit access to members of this group.


Tip Clicking times of day on the graph deselects those times; clicking again reselects them.
At any time, you can click Clear All to clear all hours, or you can click Set All to select all hours.


Step5 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Setting Callback Options for a User Group

Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges. There are three options, as follows:

No callback allowed —Disables callback for users in this group. This is the default setting.

Dialup client specifies callback number —Allows the dialup client to specify the callback number. The dialup client must support RFC 1570, PPP LCP Extensions.

Use Windows Database callback settings (where possible) —Uses the Microsoft Windows callback settings. If a Windows account for a user resides in a remote domain, the domain in which CiscoSecure ACS resides must have a two-way trust with that domain for the Microsoft Windows callback settings to operate for that user.

To set callback options for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 Select a group from the Group list, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 In the Callback table, select one of the following three options:

No callback allowed

Dialup client specifies callback number

Use Windows Database callback settings (where possible)

Step4 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step5 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Setting Network Access Restrictions for a User Group

The Network Access Restrictions table in Group Setup enables you to apply network access restrictions (NARs) in three distinct ways:

Apply existing shared NARs by name.

Define IP-based group access restrictions to permit or deny access to a specified AAA client or to specified ports on a AAA client when an IP connection has been established.

Define CLI/DNIS-based group NARs to permit or deny access to either, or both, the calling line ID (CLI) number or the Dialed Number Identification Service (DNIS) number used.


Note You can also use the CLI/DNIS-based access restrictions area to specify other values. For more information, see About Network Access Restrictions.


Typically, you define (shared) NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction. You must have enabled the Group-Level Shared Network Access Restriction check box on the Advanced Options page of the Interface Configuration section for these options to appear in the CiscoSecure ACS HTML interface.

However, CiscoSecure ACS also enables you to define and apply a NAR for a single group from within the Group Setup section. You must have enabled the Group-Level Network Access Restriction setting under the Advanced Options page of the Interface Configuration section for single group IP-based filter options and single group CLI/DNIS-based filter options to appear in the CiscoSecure ACS HTML interface.


Note When an authentication request is forwarded by proxy to a CiscoSecure ACS server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.


To set NARs for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 To apply a previously configured shared NAR to this group, follow these steps:


Note To apply a shared NAR, you must have configured it under Network Access Restrictions in the Shared Profile Components section. For more information, see Adding a Shared Network Access Restriction.


a. Select the Only Allow network access when check box.

b. To specify whether one or all shared NARs must apply for a member of the group to be permitted access, select one of the following options:

All selected shared NARS result in permit

Any one selected shared NAR results in permit

c. Select a shared NAR name in the Shared NAR list, and then click --> (right arrow button) to move the name into the Selected Shared NARs list.


Tip To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR , as applicable.


Step4 To define and apply a NAR, for this particular user group, that permits or denies access to this group based on IP address, or IP address and port, follow these steps:


Tip You should define most NARs from within the Shared Components section so that the restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction.


a. In the Per Group Defined Network Access Restrictions section of the Network Access Restrictions table, select the Define IP-based access restrictions check box.

b. To specify whether the subsequent listing specifies permitted or denied IP addresses, from the Table Defines list, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations .

c. Select or enter the information in the following boxes:

AAA Client —Select either All AAA Clients or the name of the NDG or the name of the individual AAA client to which to permit or deny access.

Port —Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.

Address —Type the IP address or addresses to filter on when performing access restrictions. You can use the wildcard asterisk (*).


Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.


d. Click Enter .

The specified the AAA client, port, and address information appears in the NAR Access Control list.

Step5 To permit or deny access to this user group based on calling location or values other than an established IP address, follow these steps:

a. Select the Define CLI/DNIS-based access restrictions check box.

b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following:

Permitted Calling/Point of Access Locations

Denied Calling/Point of Access Locations

c. From the AAA Client list, select either All AAA Clients or the name of the NDG or the name of the particular AAA client to which to permit or deny access.

d. Complete the following boxes:


Note You must type an entry in each box. You can use the wildcard asterisk (*) for all or part of a value. The format you use must match the format of the string you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.


PORT —Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports.

CLI —Type the CLI number to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access based on part of the number or all numbers.


Tip This is also the selection to use if you want to restrict access based on other values, such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions.


DNIS —Type the DNIS number to restrict access based on the number into which the user will be dialing. You can use the wildcard asterisk (*) to permit or deny access based on part of the number or all numbers.


Tip This is also the selection to use if you want to restrict access based on other values, such as a Cisco Aironet AP MAC address. For more information, see About Network Access Restrictions.



Note The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.


e. Click Enter .

The information, specifying the AAA client, port, CLI, and DNIS appears in the list.

Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Setting Max Sessions for a User Group


Note If this feature does not appear, click Interface Configuration , click Advanced Options , and then select the Max Sessions check box.


Perform this procedure to define the maximum number of sessions available to a group, or to each user in a group, or both. The settings are as follows:

Sessions available to group —Sets the maximum number of simultaneous connections for the entire group.

Sessions available to users of this group —Sets the maximum number of total simultaneous connections for each user in this group.


Tip As an example, Sessions available to group is set to 10 and Sessions available to users of this group is set to 2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in.



Note A session is any type of connection supported by RADIUS or TACACS+, such as PPP, NAS prompt, Telnet, ARAP, IPX/SLIP.



Note The default setting for group Max Sessions is Unlimited for both the group and the user within the group.


To configure max sessions settings for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 In the Max Sessions table, under Sessions available to group, select one of the following options:

Unlimited —Select to allow this group an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)

n—Type the maximum number of simultaneous sessions to allow this group.

Step4 In the lower portion of the Max Sessions table, under Sessions available to users of this group, select one of the following two options:

Unlimited —Select to allow each individual in this group an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)

n—Type the maximum number of simultaneous sessions to allow each user in this group.


Note Settings made in User Setup override group settings. For more information, see Setting Max Sessions Options for a User.


Step5 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Setting Usage Quotas for a User Group


Note If this feature does not appear, click Interface Configuration , click Advanced Options , and then select the Usage Quotas check box.


Perform this procedure to define usage quotas for members of a group. Session quotas affect each user of a group individually, not the group collectively. You can set quotas for a given period in two ways:

By total duration of session

By the total number of sessions

If you make no selections in the Usage Quotas section for a group, no usage quotas are enforced on users assigned to that group, unless you configure usage quotas for the individual users.


Note The Usage Quotas section on the Group Settings page does not show usage statistics.
Usage statistics are available only on the settings page for an individual user. For more information, see Setting User Usage Quotas Options.


When a user exceeds his or her assigned quota, CiscoSecure ACS denies that user access upon attempting to start a session. If a quota is exceeded during a session, CiscoSecure ACS allows the session to continue.

You can reset the usage quota counters for all users of a group from the Group Settings page. For more information about resetting usage quota counters for a whole group, see Resetting Usage Quota Counters for a User Group.


Tip To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated when the user logs off. If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate. This means that a second channel will be accepted even if the first channel has exhausted the quota for the user.


To set user usage quotas for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 To define usage quotas based on duration of sessions, follow these steps:

a. In the Usage Quotas table, select the Limit each user of this group to x hours of online time per time unit check box.

b. Type the number of hours to which you want to limit group members in the to x hours box.
Use decimal values to indicate minutes. For example, a value of 10.5 would equal ten hours and 30 minutes.


Note Up to 5 characters are allowed in the to x hours box.


c. Select the period for which the quota is effective from the following:

per Day —From 12:01 a.m. until midnight.

per Week —From 12:01 a.m. Sunday until midnight Saturday.

per Month —From 12:01 a.m. on the first of the month until midnight on the last day of the month.

Total —An ongoing count of hours, with no end.

Step4 To define user session quotas based on number of sessions, follow these steps:

a. In the Usage Quotas table, select the Limit each user of this group to x sessions check box.

b. Type the number of sessions to which you want to limit users in the to x sessions box.


Note Up to 5 characters are allowed in the to x sessions box.


c. Select the period for which the session quota is effective from the following:

per Day —From 12:01 a.m. until midnight.

per Week —From 12:01 a.m. Sunday until midnight Saturday.

per Month —From 12:01 a.m. on the first of the month until midnight on the last day of the month.

Total —An ongoing count of session, with no end.

Step5 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuration-specific User Group Settings

This section details procedures that you perform only as applicable to your particular network security configuration. For instance, if you have no token server configured, you do not have to set token card settings for each group.


Note When a vendor-specific variety of RADIUS is configured for use by network devices, the RADIUS (IETF) attributes are available because they are the base set of attributes, used by all RADIUS vendors per the RADIUS IETF specifications.


The HTML interface content corresponding to these procedures is dynamic, its appearance based upon the following two factors:

For a particular protocol (RADIUS or TACACS+) to be listed, at least one AAA client entry in the Network Configuration section of the HTML interface must use that protocol. For more information, see AAA Client Configuration.

To cause specific protocol attributes to appear on a group profile page, you must enable the display of those attributes in the Interface Configuration section of the HTML interface. For more information, see Protocol Configuration Options for TACACS+, or Protocol Configuration Options for RADIUS.

This section contains the following topics:

Setting Token Card Settings for a User Group

Setting Enable Privilege Options for a User Group

Enabling Password Aging for the CiscoSecure User Database

Enabling Password Aging for Users in Windows Databases

Setting IP Address Assignment Method for a User Group

Assigning a Downloadable IP ACL to a Group

Configuring TACACS+ Settings for a User Group

Configuring a Shell Command Authorization Set for a User Group

Configuring a PIX Command Authorization Set for a User Group

Configuring Device-Management Command Authorization for a User Group

Configuring IETF RADIUS Settings for a User Group

Configuring Cisco IOS/PIX RADIUS Settings for a User Group

Configuring Cisco Aironet RADIUS Settings for a User Group

Configuring Ascend RADIUS Settings for a User Group

Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group

Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group

Configuring Microsoft RADIUS Settings for a User Group

Configuring Nortel RADIUS Settings for a User Group

Configuring Juniper RADIUS Settings for a User Group

Configuring BBSM RADIUS Settings for a User Group

Configuring Custom RADIUS VSA Settings for a User Group

Setting Token Card Settings for a User Group


Note If this section does not appear, configure a token server. Then, click External User Databases , click Database Configuration , and then add the applicable token card server.


Perform this procedure to allow a token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).


Caution This option is for use with token caching only for ISDN terminal adapters. You should fully understand token caching and ISDN concepts and principles before implementing this option. Token caching allows you to connect to multiple B channels without having to provide a token for each channel connection. Token card settings are applied to all users in the selected group.


Options for token caching include the following:

Session —You can select Session to cache the token for the entire session. This allows the second B channel to dynamically go in and out of service.

Duration —You can select Duration and specify a period of time to have the token cached (from the time of first authentication). If this time period expires, the user cannot start a second B channel.

Session and Duration —You can select both Session and Duration so that, if the session runs longer than the duration value, a new token is required to open a second B channel. Type a value high enough to allow the token to be cached for the entire session. If the session runs longer than the duration value, a new token is required to open a second B channel.

To set token card settings for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose Token Cards .

Step4 In the Token Card Settings table, to cache the token for the entire session, select Session .

Step5 Also in the Token Card Settings table, to cache the token for a specified time period (measured from the time of first authentication), follow these steps:

a. Select Duration .

b. Type the duration length in the box.

c. Select the unit of measure, either Seconds, Minutes or Hours.

Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Setting Enable Privilege Options for a User Group


Note If this section does not appear, click Interface Configuration and then click TACACS+ (Cisco) . At the bottom of the page in the Advanced Configuration Options table, select the Advanced TACACS+ features check box.


Perform this procedure to configure group-level TACACS+ enable parameters. The three possible TACACS+ enable options are as follows:

No Enable Privilege —(default) Select this option to disallow enable privileges for this user group.

Max Privilege for Any AAA Client —Select this option to select the maximum privilege level for this user group for any AAA client on which this group is authorized.

Define max Privilege on a per-network device group basis —Select this option to define maximum privilege levels for an NDG. To use this option, you create a list of device groups and corresponding maximum privilege levels. See your AAA client documentation for information about privilege levels.


Note To define levels in this manner, you must have configured the option in Interface Configuration; if you have not done so already, click Interface Configuration , click Advanced Settings , and then select the Network Device Groups check box.


If you are using NDGs, this option lets you configure the NDG for enable-level mapping rather than having to do it for each user in the group.

To set enable privilege options for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose Enable Options .

Step4 Do one of the following:

To disallow enable privileges for this user group, select the No Enable Privilege option.

To set the maximum privilege level for this user group, for any ACS on which this group is authorized, select the Max Privilege for Any Access Server option. Then, select the maximum privilege level from the list.

To define the maximum NDG privilege level for this user group, select the Define max Privilege on a per-network device group basis option. Then, from the lists, select the NDG and a corresponding privilege level. Finally, click Add Association .

The association of NDG and maximum privilege level appears in the table.

Step5 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Enabling Password Aging for the CiscoSecure User Database

The password aging feature of CiscoSecure ACS enables you to force users to change their passwords under one or more of the following conditions:

After a specified number of days (age-by-date rules).

After a specified number of logins (age-by-uses rules).

The first time a new user logs in (password change rule).

Varieties of Password Aging Supported by CiscoSecure ACS

CiscoSecure ACS supports four distinct password aging mechanisms:

PEAP and EAP-FAST Windows Password Aging —Users must be in the Windows user database and be using a Microsoft client that supports EAP, such as Windows XP. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.

RADIUS-based Windows Password Aging —Users must be in the Windows user database and be using the Windows Dial-up Networking (DUN) client. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.

Password Aging for Device-hosted Sessions —Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session. You can also control whether CiscoSecure ACS propagates passwords changed by this feature. For more information, see Local Password Management.

Password Aging for Transit Sessions —Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed.


Tip The CAA software is available at http://www.cisco.com.


Also, to run password aging for transit sessions, the AAA client can be running either RADIUS or TACACS+; and the AAA client must be using CiscoIOS Release 11.2.7 or later and be configured to send a watchdog accounting packet (aaa accounting new-info update) with the IP address of the calling station. (Watchdog packets are interim packets sent periodically during a session. They provide an approximate session length in the event that no stop packet is received to mark the end of the session.)

You can control whether CiscoSecure ACS propagates passwords changed by this feature. For more information, see Local Password Management.

CiscoSecure ACS supports password aging using the RADIUS protocol under MSCHAP versions 1 and 2. CiscoSecure ACS does not support password aging over Telnet connections using the RADIUS protocol.


Caution If a user with a RADIUS connection tries to make a Telnet connection to the AAA client during or after the password aging warning or grace period, the change password option does not appear, and the user account is expired.


Password Aging Feature Settings

This section details only the Password Aging for Device-hosted Sessions and Password Aging for Transit Sessions mechanisms. For information on the Windows Password Aging mechanism, see Enabling Password Aging for Users in Windows Databases. For information on configuring local password validation options, see Local Password Management.

The password aging feature in CiscoSecure ACS has the following options:

Apply age-by-date rules —Selecting this check box configures CiscoSecure ACS to determine password aging by date. The age-by-date rules contain the following settings:

Active period —The number of days users will be allowed to log in before being prompted to change their passwords. For example, if you enter 20, users can use their passwords for 20 days without being prompted to change them. The default Active period is 20 days.

Warning period —The number of days users will be notified to change their passwords. The existing password can be used, but the CiscoSecure ACS presents a warning indicating that the password must be changed and displays the number of days left before the password expires. For example, if you enter 5 in this box and 20 in the Active period box, users will be notified to change their passwords on the 21st through 25th days.

Grace period —The number of days to provide as the user grace period. The grace period allows a user to log in once to change the password. The existing password can be used one last time after the number of days specified in the active and warning period fields has been exceeded. Then, a dialog box warns the user that the account will be disabled if the password is not changed, and enables the user to change it. Continuing with the examples above, if you allow a 5-day grace period, a user who did not log in during the active and warning periods would be permitted to change passwords up to and including the 30th day. However, even though the grace period is set for 5 days, a user is allowed only one attempt to change the password when the password is in the grace period. CiscoSecure ACS displays the "last chance" warning only once. If the user does not change the password, this login is still permitted, but the password expires, and the next authentication is denied. An entry is logged in the Failed-Attempts log, and the user must contact an administrator to have the account reinstated.


Note All passwords expire at midnight, not the time at which they were set.


Apply age-by-uses rules —Selecting this check box configures CiscoSecure ACS to determine password aging by the number of logins. The age-by-uses rules contain the following settings:

Issue warning after x logins —The number of the login upon which CiscoSecure ACS begins prompting users to change their passwords. For example, if you enter 10, users are allowed to log in 10 times without a change-password prompt. On the 11th login, they are prompted to change their passwords.


Tip To allow users to log in an unlimited number of times without changing their passwords, type -1 .


Require change after x logins —The number of the login after which to notify users that they must to change their passwords. Continuing with the previous example, if this number is set to 12, users receive prompts requesting them to change their passwords on their 11th and 12th login attempts. On the 13th login attempt, they receive a prompt telling them that they must change their passwords. If users do not change their passwords now, their accounts expire and they cannot log in. This number must be greater than the Issue warning after x login number.


Tip To allow users to log in an unlimited number of times without changing their passwords, type -1 .


Apply password change rule —Selecting this check box forces new users to change their passwords the first time they log in.

Generate greetings for successful logins —Selecting this check box enables a Greetings message to display whenever users log in successfully via the CAA client. The message contains up-to-date password information specific to this user account.

The password aging rules are not mutually exclusive; a rule is applied for each check box that is selected. For example, users can be forced to change their passwords every 20 days, and every 10 logins, and to receive warnings and grace periods accordingly.

If no options are selected, passwords never expire.

Unlike most other parameters, which have corresponding settings at the user level, password aging parameters are configured only on a group basis.

Users who fail authentication because they have not changed their passwords and have exceeded their grace periods are logged in the Failed Attempts log. The accounts expire and appear in the Accounts Disabled list.

Before You Begin

Verify that your AAA client is running the TACACS+ or RADIUS protocol. (TACACS+ only supports password aging for device-hosted sessions.)

Set up your AAA client to perform authentication and accounting using the same protocol, either TACACS+ or RADIUS.

Verify that you have configured your password validation options. For more information, see Local Password Management.

Set up your AAA client to use CiscoIOS Release 11.2.7 or later and to send a watchdog accounting packet (aaa accounting new-info update) with the IP address of the calling station.

To set password aging rules for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose Password Aging .

The Password Aging Rules table appears.

Step4 To set password aging by date, select the Apply age-by-date rules check box and type the number of days for the following options, as applicable:

Active period

Warning period

Grace period


Note Up to 5 characters are allowed in each field.


Step5 To set password aging by use, select the Apply age-by-uses rules check box and type the number of logins for each of the following options, as applicable:

Issue warning after x logins

Require change after x logins


Note Up to 5 characters are allowed in each field.


Step6 To force the user to change the password on the first login after an administrator has changed it, select the Apply password change rule check box.

Step7 To enable a Greetings message display, select the Generate greetings for successful logins check box.

Step8 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step9 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Enabling Password Aging for Users in Windows Databases

CiscoSecure ACS supports two types of password aging for users in Windows databases. Both types of Windows password aging mechanisms are separate and distinct from the other CiscoSecure ACS password aging mechanisms. For information on the requirements and settings for the password aging mechanisms that control users in the CiscoSecure user database, see Enabling Password Aging for the CiscoSecure User Database.


Note You can run both Windows Password Aging and CiscoSecure ACS Password Aging for Transit Sessions mechanisms concurrently, provided that the users authenticate from the two different databases.


The types of password aging in Windows databases are as follows:

RADIUS-based password aging —RADIUS-based password aging depends upon the RADIUS AAA protocol to send and receive the password change messages. Requirements for implementing the RADIUS-based Windows password aging mechanism include the following:

Communication between CiscoSecure ACS and the AAA client must be using RADIUS.

The AAA client must support MS CHAP password aging in addition to MS CHAP authentication.

Users must be in a Windows user database.

Users must be using the Windows DUN client.

You must enable MS CHAP version 1 or MS CHAP version 2, or both, in the Windows configuration within the External User Databases section.


Tip For information on enabling MS CHAP for password changes, see Configuring a Windows External User Database. For information on enabling MS CHAP in System Configuration, see Global Authentication Setup.


PEAP password aging —PEAP password aging depends upon the PEAP(EAP-GTC) or PEAP(EAP-MSCHAPv2) authentication protocol to send and receive the password change messages. Requirements for implementing the PEAP Windows password aging mechanism include the following:

The AAA client must support EAP.

Users must be in a Windows user database.

Users must be using a Microsoft PEAP client, such as Windows XP.

You must enable PEAP on the Global Authentication Configuration page within the System Configuration section.


Tip For information about enabling PEAP in System Configuration, see Global Authentication Setup.


You must enable PEAP password changes on the Windows Authentication Configuration page within the External User Databases section.


Tip For information about enabling PEAP password changes, see Windows User Database.


EAP-FAST password aging —If password aging occurs during phase zero of EAP-FAST, it depends upon EAP-MSCHAPv2 to send and receive the password change messages. If password aging occurs during phase two of EAP-FAST, it depends upon EAP-GTC to send and receive the password change messages. Requirements for implementing the EAP-FAST Windows password aging mechanism include the following:

The AAA client must support EAP.

Users must be in a Windows user database.

Users must be using a client that supports EAP-FAST.

You must enable EAP-FAST on the Global Authentication Configuration page within the System Configuration section.


Tip For information about enabling EAP-FAST in System Configuration, see Global Authentication Setup.


You must enable EAP-FAST password changes on the Windows Authentication Configuration page within the External User Databases section.


Tip For information about enabling EAP-FAST password changes, see Windows User Database.


Users whose Windows accounts reside in "remote" domains (that is, not the domain within which CiscoSecure ACS is running) can only use the Windows-based password aging if they supply their domain names.

The methods and functionality of Windows password aging differ according to which Microsoft Windows operating system you are using, and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). Setting password aging for users in the Windows user database is only one part of the larger task of setting security policies in Windows. For comprehensive information on Windows procedures, refer to your Windows system documentation.

Setting IP Address Assignment Method for a User Group

Perform this procedure to configure the way CiscoSecure ACS assigns IP addresses to users in the group. The four possible methods are as follows:

No IP address assignment —No IP address is assigned to this group.

Assigned by dialup client —Use the IP address that is configured on the dialup client network settings for TCP/IP.

Assigned from AAA Client pool —The IP address is assigned by an IP address pool assigned on the AAA client.

Assigned from AAA server pool —The IP address is assigned by an IP address pool assigned on the AAA server.

To set an IP address assignment method for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose IP Address Assignment .

Step4 In the IP Assignment table, do one of the following:

Select No IP address assignment .

Select Assigned by dialup client .

Select Assigned from AAA Client pool . Then, type the AAA client IP pool name.

Select Assigned from AAA pool . Then, select the AAA server IP pool name in the Available Pools list and click --> (right arrow button) to move the name into the Selected Pools list.


Note If there is more than one pool in the Selected Pools list, the users in this group are assigned to the first available pool in the order listed.



Tip To change the position of a pool in the list, select the pool name and click Up or Down until the pool is in the position you want.


Step5 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Assigning a Downloadable IP ACL to a Group

The Downloadable ACLs feature enables you to assign an IP ACL at the group level.


Note You must have established one or more IP ACLs before attempting to assign one. For instructions on how to add a downloadable IP ACL using the Shared Profile Components section of the CiscoSecure ACS HTML interface, see Adding a Downloadable IP ACL.



Tip The Downloadable ACLs table does not appear if it has not been enabled. To enable the Downloadable ACLs table, click Interface Configuration , click Advanced Options , and then select the Group-Level Downloadable ACLs check box.


To assign a downloadable IP ACL to a group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose Downloadable ACLs .

Step4 Under the Downloadable ACLs section, click the Assign IP ACL check box.

Step5 Select an IP ACL from the list.

Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring TACACS+ Settings for a User Group

Perform this procedure to configure and enable the service/protocol parameters to be applied for the authorization of each user who belongs to the group. For information on how to configure settings for the Shell Command Authorization Set, see Configuring a Shell Command Authorization Set for a User Group.


Note To display or hide additional services or protocols, click Interface Configuration , click TACACS+ (Cisco IOS) , and then select or clear items in the group column, as applicable.


To configure TACACS+ settings for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose TACACS+ .

The system displays the TACACS+ Settings table section.

Step4 To configure services and protocols in the TACACS+ Settings table to be authorized for the group, follow these steps:

a. Select one or more service/protocol check boxes (for example, PPP IP or ARAP).

b. Under each service/protocol that you selected in Step a, select attributes and then type in the corresponding values, as applicable, to further define authorization for that service/protocol.

To employ custom attributes for a particular service, you must select the Custom attributes check box under that service, and then specify the attribute/value in the box below the check box.

For more information about attributes, see "TACACS+ Attribute-Value Pairs", or your AAA client documentation.


Tip For ACLs and IP address pools, the name of the ACL or pool as defined on the AAA client should be entered. (An ACL is a list of CiscoIOS commands used to restrict access to or from other devices and users on the network.)



Note Leave the attribute value box blank if the default (as defined on the AAA client) should be used.



Note You can define and download an ACL. Click Interface Configuration , click TACACS+ (Cisco IOS) , and then select Display a window for each service selected in which you can enter customized TACACS+ attributes . A box opens under each service/protocol in which you can define an ACL.


Step5 To allow all services to be permitted unless specifically listed and disabled, you can select the Default (Undefined) Services check box under the Checking this option will PERMIT all UNKNOWN Services table.


Caution This is an advanced feature and should only be used by administrators who understand the security implications.


Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring a Shell Command Authorization Set for a User Group

Use this procedure to specify the shell command authorization set parameters for a group. There are four options:

None —No authorization for shell commands.

Assign a Shell Command Authorization Set for any network device —One shell command authorization set is assigned, and it applies to all network devices.

Assign a Shell Command Authorization Set on a per Network Device Group Basis —Enables you to associate particular shell command authorization sets to be effective on particular NDGs.

Per Group Command Authorization —Enables you to permit or deny specific CiscoIOS commands and arguments at the group level.


Note This feature requires that you have previously configured a shell command authorization set. For detailed steps, see Adding a Command Authorization Set.


To specify shell command authorization set parameters for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose TACACS+ .

The system displays the TACACS+ Settings table section.

Step4 Use the vertical scrollbar to scroll to the Shell Command Authorization Set feature area.

Step5 To prevent the application of any shell command authorization set, select (or accept the default of) the None option.

Step6 To assign a particular shell command authorization set to be effective on any configured network device, follow these steps:

a. Select the Assign a Shell Command Authorization Set for any network device option.

b. Then, from the list directly below that option, select the shell command authorization set you want applied to this group.

Step7 To create associations that assign a particular shell command authorization set to be effective on a particular NDG, for each association, follow these steps:

a. Select the Assign a Shell Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and a corresponding Command Set .


Tip You can select a Command Set that will be effective for all Device Groups , that are not otherwise assigned, by assigning that set to the <default> Device Group.


c. Click Add Association .

The associated NDG and shell command authorization set appear in the table.

Step8 To define the specific CiscoIOS commands and arguments to be permitted or denied at the group level, follow these steps:

a. Select the Per Group Command Authorization option.

b. Under Unmatched Cisco IOS commands, select either Permit or Deny .

If you select Permit, users can issue all commands not specifically listed. If you select Deny, users can issue only those commands listed.

c. To list particular commands to be permitted or denied, select the Command check box and then type the name of the command, define its arguments using standard permit or deny syntax, and select whether unlisted arguments should be permitted or denied.


Caution This is a powerful, advanced feature and should be used by an administrator skilled with Cisco IOS commands. Correct syntax is the responsibility of the administrator. For information on how CiscoSecure ACS uses pattern matching in command arguments, see About Pattern Matching.



Tip To enter several commands, you must click Submit after specifying a command. A new command entry box appears below the box you just completed.



Configuring a PIX Command Authorization Set for a User Group

Use this procedure to specify the PIX command authorization set parameters for a user group. There are three options:

None —No authorization for PIX commands.

Assign a PIX Command Authorization Set for any network device —One PIX command authorization set is assigned, and it applies all network devices.

Assign a PIX Command Authorization Set on a per Network Device Group Basis —Particular PIX command authorization sets are to be effective on particular NDGs.

Before You Begin

Ensure that a AAA client has been configured to use TACACS+ as the security control protocol.

On the TACACS+ (Cisco) page of Interface Configuration section, ensure that the PIX Shell (pixShell) option is selected in the Group column.

Make sure that you have already configured one or more PIX command authorization sets. For detailed steps, see Adding a Command Authorization Set.

To specify PIX command authorization set parameters for a user group,


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose TACACS+ .

The system displays the TACACS+ Settings table section.

Step4 Scroll down to the PIX Command Authorization Set feature area within the TACACS+ Settings table.

Step5 To prevent the application of any PIX command authorization set, select (or accept the default of) the None option.

Step6 To assign a particular PIX command authorization set to be effective on any configured network device, follow these steps:

a. Select the Assign a PIX Command Authorization Set for any network device option.

b. From the list directly below that option, select the PIX command authorization set you want applied to this user group.

Step7 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG, for each association, follow these steps:

a. Select the Assign a PIX Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and an associated Command Set .

c. Click Add Association .

The associated NDG and PIX command authorization set appear in the table.


Note To remove or edit an existing PIX command authorization set association, you can select the association from the list, and then click Remove Association .



Configuring Device-Management Command Authorization for a User Group

Use this procedure to specify the device-management command authorization set parameters for a group. Device-management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use CiscoSecure ACS for authorization. There are three options:

None —No authorization is performed for commands issued in the applicable Cisco device-management application.

Assign a device-management application for any network device—For the applicable device-management application, one command authorization set is assigned, and it applies to management tasks on all network devices.

Assign a device-management application on a per Network Device Group Basis—For the applicable device-management application, this option enables you to apply command authorization sets to specific NDGs, so that it affects all management tasks on the network devices belonging to the NDG.


Note This feature requires that you have configured a command authorization set for the applicable Cisco device-management application. For detailed steps, see Adding a Command Authorization Set.


To specify device-management application command authorization for a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose TACACS+ .

The system displays the TACACS+ Settings table section.

Step4 Use the vertical scrollbar to scroll to the device-management application feature area, where device-management application is the name of the applicable Cisco device-management application.

Step5 To prevent the application of any command authorization set for the applicable device-management application, select the None option.

Step6 To assign a particular command authorization set that affects device-management application actions on any network device, follow these steps:

a. Select the Assign a device-management application for any network device option.

b. Then, from the list directly below that option, select the command authorization set you want applied to this group.

Step7 To create associations that assign a particular command authorization set that affects device-management application actions on a particular NDG, for each association, follow these steps:

a. Select the Assign a device-management application on a per Network Device Group Basis option.

b. Select a Device Group and a corresponding device-management application .

c. Click Add Association .

The associated NDG and command authorization set appear in the table.


Configuring IETF RADIUS Settings for a User Group

These parameters appear only when both the following are true:

A AAA client has been configured to use one of the RADIUS protocols in Network Configuration.

Group-level RADIUS attributes have been enabled on the RADIUS (IETF) page in the Interface Configuration section of the HTML interface.

RADIUS attributes are sent as a profile for each user from CiscoSecure ACS to the requesting AAA client. To display or hide any of these attributes, see Protocol Configuration Options for RADIUS. For a list and explanation of RADIUS attributes, see "RADIUS Attributes." For more information about how your AAA client uses RADIUS, refer to your AAA client vendor documentation.

To configure IETF RADIUS attribute settings to be applied as an authorization for each user in the current group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step3 From the Jump To list at the top of the page, choose RADIUS (IETF) .

Step4 For each IETF RADIUS attribute you need to authorize for the current group, select the check box next to the attribute and then define the authorization for the attribute in the field or fields next to it.

Step5 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step6 To configure the vendor-specific attributes (VSAs) for any RADIUS network device vendor supported by CiscoSecure ACS, see the appropriate section:

Configuring Cisco IOS/PIX RADIUS Settings for a User Group

Configuring Cisco Aironet RADIUS Settings for a User Group

Configuring Ascend RADIUS Settings for a User Group

Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group

Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group

Configuring Microsoft RADIUS Settings for a User Group

Configuring Nortel RADIUS Settings for a User Group

Configuring Juniper RADIUS Settings for a User Group

Configuring BBSM RADIUS Settings for a User Group

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Cisco IOS/PIX RADIUS Settings for a User Group

The Cisco IOS/PIX RADIUS parameters appear only when both the following are true:

A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in Network Configuration.

Group-level RADIUS (Cisco IOS/PIX) attributes have been enabled in Interface Configuration: RADIUS (Cisco IOS/PIX).

Cisco IOS/PIX RADIUS represents only the Cisco VSAs. You must configure both the IETF RADIUS and Cisco IOS/PIX RADIUS attributes.


Note To hide or display Cisco IOS/PIX RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable Cisco IOS/PIX RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Before you configure Cisco IOS/PIX RADIUS attributes, be sure your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 For the Cisco attributes, determine the attributes to be authorized for the group by selecting the check box next to the attribute, and then type the commands (such as TACACS+ commands) to be packed as a RADIUS VSA.

Step3 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step4 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Cisco Aironet RADIUS Settings for a User Group

The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a virtual VSA. It is a specialized implementation of the IETF RADIUS Session-Timeout attribute (27) that CiscoSecure ACS uses only when it responds to a RADIUS request from a AAA client using RADIUS (Cisco Aironet). This enables you to provide different timeout values for users accessing your network through wireless and wired access devices. By specifying a timeout value specifically for WLAN connections, you avoid the difficulties that would arise if you had to use a standard timeout value (typically measured in hours) for a WLAN connection (that is typically measured in minutes).


Tip Only enable and configure the Cisco-Aironet-Session-Timeout when some or all members of a group may connect through wired or wireless access devices. If members of a group always connect with a Cisco Aironet Access Point (AP) or always connect only with a wired access device, you do not need to use Cisco-Aironet-Session-Timeout but should instead configure RADIUS (IETF) attribute 27, Session-Timeout.


Imagine a user group Cisco-Aironet-Session-Timeout set to 600 seconds (10 minutes) and that same user group IETF RADIUS Session-Timeout set to 3 hours. When a member of this group connects through a VPN concentrator, CiscoSecure ACS uses 3 hours as the timeout value. However, if that same user connects via a Cisco Aironet AP, CiscoSecure ACS responds to an authentication request from the Aironet AP by sending 600 seconds in the IETF RADIUS Session-Timeout attribute. Thus, with the Cisco-Aironet-Session-Timeout attribute configured, different session timeout values can be sent depending on whether the end-user client is a wired access device or a Cisco Aironet AP.

The Cisco-Aironet-Session-Timeout VSA appears on the Group Setup page only when both the following are true:

A AAA client has been configured to use RADIUS (Cisco Aironet) in Network Configuration.

The group-level RADIUS (Cisco Aironet) attribute has been enabled in Interface Configuration: RADIUS (Cisco Aironet).


Note To hide or display the Cisco Aironet RADIUS VSA, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients configured to use RADIUS (Cisco Aironet), the VSA settings do not appear in the group configuration interface.


To configure and enable the Cisco Aironet RADIUS attribute to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (Cisco Aironet) .

Step5 In the Cisco Aironet RADIUS Attributes table, select the [5842\001] Cisco-Aironet-Session-Timeout check box.

Step6 In the [5842\001] Cisco-Aironet-Session-Timeout box, type the session timeout value (in seconds) that CiscoSecure ACS is to send in the IETF RADIUS Session-Timeout (27) attribute when the AAA client is configured in Network Configuration to use the RADIUS (Cisco Aironet) authentication option. The recommended value is 600 seconds.

For more information about the IETF RADIUS Session-Timeout attribute, see "RADIUS Attributes," or your AAA client documentation.

Step7 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step8 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Ascend RADIUS Settings for a User Group

The Ascend RADIUS parameters appear only when both the following are true:

A AAA client has been configured to use RADIUS (Ascend) or RADIUS (Cisco IOS/PIX) in Network Configuration.

Group-level RADIUS (Ascend) attributes have been enabled in Interface Configuration: RADIUS (Ascend).

Ascend RADIUS represents only the Ascend proprietary attributes. You must configure both the IETF RADIUS and Ascend RADIUS attributes. Proprietary attributes override IETF attributes.

The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.


Note To hide or display Ascend RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable Ascend RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly. For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (Ascend) .

Step5 In the Ascend RADIUS Attributes table, determine the attributes to be authorized for the group by selecting the check box next to the attribute. Be sure to define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes," or your AAA client documentation.

Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, CiscoSecure ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the CiscoSecure ACS HTML interface or how those attributes might be configured.

The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only if both the following are true:

A AAA client has been configured to use RADIUS (Cisco VPN 3000) in Network Configuration.

Group-level RADIUS (Cisco VPN 3000) attributes have been enabled on the RADIUS (Cisco VPN 3000) page of the Interface Configuration section.

Cisco VPN 3000 Concentrator RADIUS represents only the Cisco VPN 3000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 3000 Concentrator RADIUS attributes.


Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable Cisco VPN 3000 Concentrator RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 3000) .

Step5 In the Cisco VPN 3000 Concentrator RADIUS Attributes table, determine the attributes to be authorized for the group by selecting the check box next to the attribute. Further define the authorization for that attribute in the field next to it.

For more information about attributes, see "RADIUS Attributes," or the documentation for network devices using RADIUS.

Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group

The Cisco VPN 5000 Concentrator RADIUS attribute configurations display only when both the following are true:

A network device has been configured to use RADIUS (Cisco VPN 5000) in Network Configuration.

Group-level RADIUS (Cisco VPN 5000) attributes have been enabled on the RADIUS (Cisco VPN 5000) page of the Interface Configuration section.

Cisco VPN 5000 Concentrator RADIUS represents only the Cisco VPN 5000 Concentrator VSA. You must configure both the IETF RADIUS and Cisco VPN 5000 Concentrator RADIUS attributes.


Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 5000) .

Step5 In the Cisco VPN 5000 Concentrator RADIUS Attributes table, select the attributes that should be authorized for the group by selecting the check box next to the attribute. Further define the authorization for each attribute in the field next to it.

For more information about attributes, see "RADIUS Attributes," or the documentation for network devices using RADIUS.

Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Microsoft RADIUS Settings for a User Group

Microsoft RADIUS provides VSAs supporting MPPE, which is an encryption technology developed by Microsoft to encrypt PPP links. These PPP connections can be via a dial-in line, or over a VPN tunnel.

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, CiscoSecure ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the CiscoSecure ACS HTML interface or how those attributes might be configured.

The Microsoft RADIUS attribute configurations appear only when both the following are true:

A network device has been configured in Network Configuration that uses a RADIUS protocol that supports the Microsoft RADIUS VSA.

Group-level Microsoft RADIUS attributes have been enabled on the RADIUS (Microsoft) page of the Interface Configuration section.

The following CiscoSecure ACS RADIUS protocols support the Microsoft RADIUS VSA:

Cisco IOS/PIX

Cisco VPN 3000

Ascend

Microsoft RADIUS represents only the Microsoft VSA. You must configure both the IETF RADIUS and Microsoft RADIUS attributes.


Note To hide or display Microsoft RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable Microsoft RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (Microsoft) .

Step5 In the Microsoft RADIUS Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes," or the documentation for network devices using RADIUS.


Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by CiscoSecure ACS; there is no value to set in the HTML interface.


Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Nortel RADIUS Settings for a User Group

The Nortel RADIUS attribute configurations appear only when both the following are true:

A network device has been configured in Network Configuration that uses a RADIUS protocol that supports the Nortel RADIUS VSA.

Group-level Nortel RADIUS attributes have been enabled on the RADIUS (Nortel) page of the Interface Configuration section.

Nortel RADIUS represents only the Nortel VSA. You must configure both the IETF RADIUS and Nortel RADIUS attributes.


Note To hide or display Nortel RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable Nortel RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (Nortel) .

Step5 In the Nortel RADIUS Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes," or the documentation for network devices using RADIUS.


Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by CiscoSecure ACS; there is no value to set in the HTML interface.


Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Juniper RADIUS Settings for a User Group

Juniper RADIUS represents only the Juniper VSA. You must configure both the IETF RADIUS and Juniper RADIUS attributes.


Note To hide or display Juniper RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable Juniper RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (Juniper) .

Step5 In the Juniper RADIUS Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes," or the documentation for network devices using RADIUS.


Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by CiscoSecure ACS; there is no value to set in the HTML interface.


Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring BBSM RADIUS Settings for a User Group

BBSM RADIUS represents only the BBSM RADIUS VSA. You must configure both the IETF RADIUS and BBSM RADIUS attributes.


Note To hide or display BBSM RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.


To configure and enable BBSM RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS (BBSM) .

Step5 In the BBSM RADIUS Attributes table, specify the attribute to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes," or the documentation for network devices using RADIUS.


Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by CiscoSecure ACS; there is no value to set in the HTML interface.


Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Configuring Custom RADIUS VSA Settings for a User Group

User-defined, custom Radius VSA configurations appear only when all the following are true:

You have defined and configured the custom RADIUS VSAs. (For information about creating user-defined RADIUS VSAs, see Custom RADIUS Vendors and VSAs.)

A network device has been configured in Network Configuration that uses a RADIUS protocol that supports the custom VSA.

Group-level custom RADIUS attributes have been enabled on the RADIUS (Name) page of the Interface Configuration section.

You must configure both the IETF RADIUS and the custom RADIUS attributes.

To configure and enable custom RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:


Step1 Confirm that your IETF RADIUS attributes are configured properly.

For more information about setting IETF RADIUS attributes, see Configuring IETF RADIUS Settings for a User Group.

Step2 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step3 From the Group list, select a group, and then click Edit Settings .

The Group Settings page displays the name of the group at its top.

Step4 From the Jump To list at the top of the page, choose RADIUS ( custom name) .

Step5 In the RADIUS (custom name) Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes," or the documentation for network devices using RADIUS.


Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by CiscoSecure ACS; there is no value to set in the HTML interface.


Step6 To save the group settings you have just made, click Submit .

For more information, see Saving Changes to User Group Settings.

Step7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.


Group Setting Management

This section describes how to use the Group Setup section to perform a variety of managerial tasks.

This section contains the following topics:

Listing Users in a User Group

Resetting Usage Quota Counters for a User Group

Renaming a User Group

Saving Changes to User Group Settings

Listing Users in a User Group

To list all users in a specified group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select the group.

Step3 Click Users in Group .

The User List page for the particular group selected opens in the display area.

Step4 To open a user account (to view, modify, or delete a user), click the name of the user in the User List.

The User Setup page for the particular user account selected appears.


Resetting Usage Quota Counters for a User Group

You can reset the usage quota counters for all members of a group, either before or after a quota has been exceeded.

To reset usage quota counters for all members of a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select the group.

Step3 In the Usage Quotas section, select the On submit reset all usage counters for all users of this group check box.

Step4 Click Submit at the bottom of the browser page.

The usage quota counters for all users in the group are reset. The Group Setup Select page appears.


Renaming a User Group

To rename a user group, follow these steps:


Step1 In the navigation bar, click Group Setup .

The Group Setup Select page opens.

Step2 From the Group list, select the group.

Step3 Click Rename Group .

The Renaming Group: Group Name page appears.

Step4 Type the new name in the Group field. Group names cannot contain angle brackets (< or >).

Step5 Click Submit .


Note The group remains in the same position in the list. The number value of the group is still associated with this group name. Some utilities, such as the database import utility, use the numeric value associated with the group.


The Select page opens with the new group name selected.


Saving Changes to User Group Settings

After you have completed configuration for a group, be sure to save your work.

To save the configuration for the current group, follow these steps:


Step1 To save your changes and apply them later, click Submit . When you are ready to implement the changes, click System Configuration , and then click Service Control , and click Restart .


Tip To save your changes and apply them immediately, click Submit+Restart .


The group attributes are applied and services are restarted. The Edit page opens.


Note Restarting the service clears the Logged-in User Report and temporarily interrupts all CiscoSecure ACS services. This affects the Max Sessions counter.


Step2 To verify that your changes were applied, select the group and click Edit Settings . View the settings.