Index
A
AAA
See also AAA clients
See also AAA servers
definition 1-1
pools for IP address assignment 7-11
AAA clients
adding and configuring 4-17
configuration 4-11
definition 1-5
deleting 4-21
editing 4-20
interaction with AAA servers 1-5
IP pools 7-11
multiple IP addresses for 4-12
number of 1-3
searching for 4-8
supported Cisco AAA clients 1-2
table 4-2
timeout values 14-8
AAA servers
adding 4-25
configuring 4-22
deleting 4-28
editing 4-26
enabling in interface (table) 3-5
functions and concepts 1-5
in distributed systems 4-3
master 9-3
overview 4-22
primary 9-3
replicating 9-3
searching for 4-8
secondary 9-3
troubleshooting A-1
access devices 1-5
accessing Cisco Secure ACS
how to 1-30
URL 1-27
with SSL enabled 1-27
access policies
See administrative access policies
accountActions table 9-29, 9-30
account disablement
Account Disabled check box 7-5
manual 7-56
resetting 7-58
setting options for 7-20
accounting
See also logging
overview 1-20
ACLs
See downloadable IP ACLs
action codes
for creating and modifying user accounts F-7
for initializing and modifying access filters F-15
for modifying network configuration F-27
for modifying TACACS+ and RADIUS settings F-19
for setting and deleting values F-5
in accountActions F-4
ActivCard user databases
configuring 13-78
group mappings 15-2
RADIUS-based group specifications 15-13
Administration Audit log
configuring 11-12
CSV file directory 11-15
viewing 11-16
Administration Control
See also administrators
audit policy setup 12-18
administrative access policies
See also administrators
configuring 12-13
limits 12-11
options 12-12
overview 2-15
administrative sessions
and HTTP proxy 1-28
network environment limitations of 1-28
session policies 12-16
through firewalls 1-29
through NAT (network address translation) 1-29
administrators
See also Administration Audit log
See also Administration Control
See also administrative access policies
adding 12-6
deleting 12-10
editing 12-7
locked out 12-10
locking out 12-17
overview 12-2
privileges 12-3
separation from general users 2-17
troubleshooting A-2
unlocking 12-10
advanced options in interface 3-6
age-by-date rules for groups 6-24
Aironet
AAA client configuration 4-14
RADIUS parameters for group 6-40
RADIUS parameters for user 7-41
ARAP
compatible databases 1-9
in User Setup 7-5
protocol supported 1-11
architecture G-1
ASCII/PAP
compatible databases 1-9
protocol supported 1-11
attributes
enabling in interface 3-2
group-specific (table) F-37
logging of user data 11-2
per-group 3-2
per-user 3-2
user-specific (table) F-36
audit policies
See also Administration Audit log
overview 12-18
authentication
compatibility of protocols 1-9
configuration 10-25
denying external user databases 14-12
options 10-32
overview 1-8
request handling 14-4
via external user databases 13-5
Windows 13-11
authorization 1-16
authorization sets
See command authorization sets
AV (attribute value) pairs
See also RADIUS VSAs (vendor-specific attributes)
RADIUS
Cisco IOS C-2
IETF C-11
TACACS+
accounting B-4
general B-1
Axent user databases
See PassGo user databases
B
Backup and Restore log directory
See Cisco Secure ACS Backup and Restore log
backups
components backed up 8-11
directory management 8-10
disabling scheduled 8-14
filenames 8-15
locations 8-10
manual 8-12
options 8-11
overview 8-10
reports 8-11
scheduled vs. manual 8-10
scheduling 8-12
vs. replication 9-10
with CSUtil.exe D-5
browsers
See also HTML interface
troubleshooting A-4
C
callback options
in Group Setup 6-6
in User Setup 7-9
cascading replication 9-6, 9-13
certification
See also EAP-TLS
See also PEAP
adding certificate authority certificates 10-36
background 10-1
backups 8-11
certificate signing request generation 10-38
editing the certificate trust list 10-37
replacing certificate 10-40
server certificate installation 10-34
updating certificate 10-40
CHAP
compatible databases 1-9
in User Setup 7-5
protocol supported 1-11
Cisco IOS
RADIUS
AV (attribute value) pairs C-2
group attributes 6-39
user attributes 7-39
TACACS+ AV (attribute value) pairs B-1
troubleshooting A-5
Cisco Secure ACS Active Service Management
event logging configuration 8-21
overview 8-18
system monitoring
configuring 8-20
custom actions 8-19
Cisco Secure ACS Active Service Monitoring
file location 11-15
Cisco Secure ACS Active Service Monitoring log
viewing 11-16
Cisco Secure ACS administration
overview 1-21
Cisco Secure ACS Backup and Restore log
CSV (comma-separated values) file directory 11-15
viewing 11-16
Cisco Secure ACS backups
See backups
Cisco Secure ACS Service Monitoring log
CSV (comma-separated values) file directory 11-30
Cisco Secure ACS system restore
See restore
CiscoSecure Authentication Agent 1-15, 6-20
CiscoSecure database replication
See replication
CiscoSecure user database
See also databases
overview 13-2
codes
See action codes
command authorization sets
See also shell command authorization sets
adding 5-19
configuring 5-15, 5-19
deleting 5-23
editing 5-22
overview 5-15
pattern matching 5-19
PIX command authorization sets 5-15
command-line database utility
See CSUtil.exe
conventions xxviii
CRYPTOCard user databases
configuring 13-78
group mappings 15-2
RADIUS-based group specifications 15-13
CSAdmin G-2
CSAuth G-3
CSDBSync 9-29, G-4
CSLog G-4
CSMon
See also Cisco Secure ACS Active Service Management
configuration G-4
failure events
customer-defined actions G-7
predefined actions G-7
functions G-4
log G-6
overview G-4
CSNTacctInfo 13-63, 13-65, 13-66
CSNTAuthUserPap 13-60
CSNTerrorString 13-63, 13-65, 13-66
CSNTExtractUserClearTextPw 13-61
CSNTFindUser 13-62
CSNTgroups 13-63, 13-65, 13-66
CSNTpasswords 13-63, 13-65
CSNTresults 13-63, 13-65, 13-66
CSNTusernames 13-63, 13-64, 13-66
CSRadius G-8
CSTacacs G-8
CSUtil.exe
decoding error numbers with D-27
displaying syntax D-5
import text file (example) D-24
overview D-1
CSV (comma-separated values) files
downloading 11-16
filename formats 11-14
logging format 11-1
viewing 11-16
custom attributes
in group-level TACACS+ settings 6-30
in user-level TACACS+ settings 7-24
D
database group mappings
configuring
for token servers 15-3
for Windows domains 15-9
no access groups 15-6
order 15-11
deleting
group set mappings 15-10
Windows domain configurations 15-11
in external user databases 15-1
overview 15-1
Database Replication log
CSV (comma-separated values) file directory 11-15
viewing 11-16
databases
See also external user databases
CiscoSecure user database 13-2
compacting D-12
deleting 13-84
deployment considerations 2-18
dump files D-9
external
See also external user databases
See also unknown user policies
performance 14-8
protocol compatibility 1-9
replication
See replication
search order 14-10
search process 14-9, 14-10
selecting user databases 13-1
synchronization
See RDBMS synchronization
token cards
See token servers
troubleshooting A-6, A-17
types
See ActivCard user databases
See CRYPTOCard user databases
See generic LDAP user databases
See LEAP proxy RADIUS user databases
See Novell NDS user databases
See ODBC features
See PassGo user databases
See RADIUS user databases
See RSA user databases
See SafeWord user databases
unknown users 14-2
user
import methods 13-3
user databases 7-2
Windows user databases 13-7
data source names
configuring for ODBC logging 11-21
for RDBMS synchronization 9-37
using with ODBC databases 13-54, 13-67, 13-69
date format control 8-3
DbSync log directory 11-15
debug logs
detail levels 11-31
frequency 11-31
troubleshooting A-12
default group in Group Setup 6-2
default group mapping for Windows 15-6
default time-of-day/day-of-week specification 3-5
default time-of-day access settings for groups 6-5
deleting logged-in users 11-10
deployment
overview 2-1
sequence 2-19
device command sets
See command authorization sets
device groups
See network device groups
device management applications support 1-18
DHCP with IP pools 9-44
dial-in permission to users in Windows 13-24
dial-in troubleshooting A-8
dial-up networking clients 13-11
dial-up topologies 2-6
digital certificates
See certification
Disabled Accounts reports
description 11-8
viewing 11-11
discovered users 14-2
distributed systems
See also proxy
AAA servers in 4-3
overview 4-3
settings
configuring 4-34
default entry 4-4
enabling in interface 3-5
distribution table
See Proxy Distribution Table
documentation
conventions xxviii
objectives xxv
online 1-31
organization xxvi
related xxix
domain lists
configuring 13-28
inadvertent user lockouts 13-13, 13-25
overview 13-12
domain names
Windows operating systems 13-11
downloadable IP ACLs
adding 5-4
assigning to groups 6-29
assigning to users 7-22
deleting 5-6
editing 5-5
enabling in interface
group-level 3-5
user-level 3-5
overview 5-2
draft-ietf-radius-tunnel-auth 1-7
dump files
creating database dump files D-9
loading a database from a dump file D-10
E
EAP (Extensible Authentication Protocol)
overview 1-12
with Windows authentication 13-13
EAP-FAST
compatible databases 1-9
enabling 10-24
identity protection 10-13
logging 10-13
master keys
definition 10-14
states 10-14
master server 10-22
options 10-27
overview 10-12
PAC
automatic provisioning 10-17
definition 10-16
manual provisioning 10-19
refresh 10-20
states 10-17
password aging 6-26
phases 10-12
replication 10-21
EAP-TLS
See also certification
authentication configuration 10-25
comparison methods 10-4
compatible databases 1-9
domain stripping 13-14
enabling 10-6
limitations 10-5
options 10-30
overview 10-2
session resume 10-4
enable password options for TACACS+ 7-36
enable privilege options for groups 6-18
error number decoding with CSUtil.exe D-27
Event log
configuring 8-21
exception events G-6
exception events G-7
exports
of user lists D-24
Extensible Authentication Protocol
See EAP (Extensible Authentication Protocol)
external token servers
See token servers
external user databases
See also databases
authentication via 13-5
configuring 13-4
deleting configuration 13-84
latency factors 14-8
search order 14-8, 14-10
supported 1-9
turning off authentication from 14-12
unknown user policy 14-1
F
Failed Attempts log
configuring
CSV (comma-separated values) 11-17
ODBC 11-21
CSV (comma-separated values) file directory 11-15
enabling
log 11-15
ODBC 11-21
viewing 11-16
failed log-on attempts G-6
failure events
customer-defined actions G-7
predefined actions G-7
fallbacks on failed connection 4-6
finding users 7-55
firewalls
administering AAA servers through 1-22
G
gateways E-3
generic LDAP user databases
authentication 13-30
configuring
database 13-42
options 13-35
directed authentications 13-32
domain filtering 13-32
failover 13-34
mapping database groups to AAA groups 15-4
multiple instances 13-31
organizational units and groups 13-32
supported protocols 1-9
Global Authentication Setup 10-32
grant dial-in permission to users 13-9, 13-24
greeting after login 6-23
group-level interface enabling
downloadable IP ACLs 3-5
network access restrictions 3-5
network access restriction sets 3-5
password aging 3-5
group-level network access restrictions
See network access restrictions
groups
See also network device groups
assigning users to 7-8
configuring RADIUS settings for
See RADIUS
Default Group 6-2, 15-6
enabling VoIP (Voice-over-IP) support for 6-4
exporting group information D-25
listing all users in 6-53
mapping order 15-11
mappings 15-1, 15-2
multiple mappings 15-5
no access groups 15-6
overriding settings 3-2
relationship to users 3-2
renaming 6-54
resetting usage quota counters for 6-54
settings for
callback options 6-6
configuration-specific 6-15
configuring common 6-3
device management command authorization sets 6-36
enable privilege 6-18
IP address assignment method 6-27
management tasks 6-53
max sessions 6-11
network access restrictions 6-7
password aging rules 6-20
PIX command authorization sets 6-34
shell command authorization sets 6-32
TACACS+ 6-2, 6-30
time-of-day access 6-5
token cards 6-17
usage quotas 6-13
setting up and managing 6-1
sort order within group mappings 15-5
specifications by ODBC authentications 13-63, 13-65, 13-66
GUI
See HTML interface
H
handle counts G-6
hard disk space G-5
hardware requirements 2-2
Help 1-26
host system state G-5
HTML interface
See also Interface Configuration
encrypting 12-13
logging off 1-31
overview 1-24
security 1-24
SSL 1-24
web servers G-2
HTTP port allocation
configuring 12-13
overview 1-22
HTTPS 12-13
I
IEEE 802.1X 1-12
importing passwords D-14
imports with CSUtil.exe D-14
inbound authentication 1-13
inbound password configuration 1-14
installation
related documentation xxix
system requirements 2-2
troubleshooting A-14
Interface Configuration
See also HTML interface
advanced options 3-4
configuring 3-1
customized user data fields 3-3
security protocol options 3-9
IP addresses
in User Setup 7-10
multiple IP addresses for AAA client 4-12
requirement for CSTacacs and CSRadius G-8
setting assignment method for user groups 6-27
IP pools
address recovery 9-50
deleting 9-49
DHCP 9-44
editing IP pool definitions 9-47
enabling in interface 3-6
overlapping 9-44, 9-46
refreshing 9-46
resetting 9-48
servers
adding IP pools 9-46
overview 9-43
replicating IP pools 9-44
user IP addresses 7-11
L
LAN Manager 1-12
latency in networks 2-19
LDAP
See generic LDAP user databases
LDAP databases
See generic LDAP user databases
LEAP proxy RADIUS user databases
configuring external databases 13-73
group mappings 15-2
overview 13-72
RADIUS-based group specifications 15-13
list all users
in Group Setup 6-53
in User Setup 7-55
Logged-In Users report
deleting logged-in users 11-10
description 11-8
viewing 11-9
logging
See also Reports and Activity
accounting logs 11-5
Administration Audit log 11-12
administration reports 11-8
configuring 11-18
CSV (comma-separated values) files 11-1
custom RADIUS dictionaries 9-3
debug logs
detail levels 11-31
frequency 11-31
Disabled Accounts reports 11-8
domain names 11-2
external user databases 11-2
Failed Attempts logs 11-5
formats 11-1
Logged-In Users reports 11-8
ODBC logs
enabling in interface 3-6
overview 11-1
working with 11-20
overview 11-5
Passed Authentication logs 11-5
RADIUS logs 11-5
RDBMS synchronization 9-3
remote logging
centralized 11-25
configuring 11-27
disabling 11-29
enabling in interface 3-5
logging hosts 11-24
options 11-26
overview 11-24
services
configuring service logs 11-31
list of logs generated 11-30
system logs 11-11
TACACS+ logs 11-5
troubleshooting A-15
user data attributes 11-2
VoIP logs 11-5
watchdog packets 11-4
login process test frequency 8-19
logins
greeting upon 6-23
password aging dependency 6-22
logs
See logging
See Reports and Activity
M
machine authentication
enabling 13-20
overview 13-14
with Microsoft Windows 13-18
management application support 1-18
mappings
database groups to AAA groups 15-4
databases to AAA groups 15-2
master AAA servers 9-3
master key
definition 10-14
states 10-14
max sessions
enabling in interface 3-5
in Group Setup 6-11
in User Setup 7-16
overview 1-17
troubleshooting A-14
memory utilization G-5
monitoring
configuring 8-20
CSMon G-5
overview 8-18
MS-CHAP
compatible databases 1-9
configuring 10-25
overview