User Guide for Cisco Secure ACS for Windows Server 3.2 - Index [Cisco Secure Access Control Server for Windows]

Table Of Contents

A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - V - W -

Index

A

AAA

See also AAA clients

See also AAA servers

definition 1-1

pools for IP address assignment 7-11

AAA clients

adding and configuring 4-17

configuration 4-11

definition 1-5

deleting 4-21

editing 4-20

interaction with AAA servers 1-5

IP pools 7-11

multiple IP addresses for 4-12

number of 1-3

searching for 4-8

supported Cisco AAA clients 1-2

table 4-2

timeout values 14-8

AAA servers

adding 4-25

configuring 4-22

deleting 4-28

editing 4-26

enabling in interface (table) 3-5

functions and concepts 1-5

in distributed systems 4-3

master 9-3

overview 4-22

primary 9-3

replicating 9-3

searching for 4-8

secondary 9-3

troubleshooting A-1

access devices 1-5

accessing Cisco Secure ACS

how to 1-30

URL 1-27

with SSL enabled 1-27

access policies

See administrative access policies

accountActions table 9-29, 9-30

account disablement

Account Disabled check box 7-5

manual 7-56

resetting 7-58

setting options for 7-20

accounting

See also logging

overview 1-20

ACLs

See downloadable IP ACLs

action codes

for creating and modifying user accounts F-7

for initializing and modifying access filters F-15

for modifying network configuration F-27

for modifying TACACS+ and RADIUS settings F-19

for setting and deleting values F-5

in accountActions F-4

ActivCard user databases

configuring 13-78

group mappings 15-2

RADIUS-based group specifications 15-13

Administration Audit log

configuring 11-12

CSV file directory 11-15

viewing 11-16

Administration Control

See also administrators

audit policy setup 12-18

administrative access policies

See also administrators

configuring 12-13

limits 12-11

options 12-12

overview 2-15

administrative sessions

and HTTP proxy 1-28

network environment limitations of 1-28

session policies 12-16

through firewalls 1-29

through NAT (network address translation) 1-29

administrators

See also Administration Audit log

See also Administration Control

See also administrative access policies

adding 12-6

deleting 12-10

editing 12-7

locked out 12-10

locking out 12-17

overview 12-2

privileges 12-3

separation from general users 2-17

troubleshooting A-2

unlocking 12-10

advanced options in interface 3-6

age-by-date rules for groups 6-24

Aironet

AAA client configuration 4-14

RADIUS parameters for group 6-40

RADIUS parameters for user 7-41

ARAP

compatible databases 1-9

in User Setup 7-5

protocol supported 1-11

Architecture G-1

ASCII/PAP

compatible databases 1-9

protocol supported 1-11

attributes

enabling in interface 3-2

group-specific (table) F-37

logging of user data 11-2

per-group 3-2

per-user 3-2

user-specific (table) F-36

audit policies

See also Administration Audit log

overview 12-18

authentication

compatibility of protocols 1-9

configuration 10-25

denying external user databases 14-12

options 10-32

overview 1-8

request handling 14-4

via external user databases 13-5

Windows 13-11

authorization 1-16

authorization sets

See command authorization sets

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

RADIUS

Cisco IOS C-2

IETF C-11

TACACS+

accounting B-4

general B-1

Axent user databases

See PassGo user databases

B

Backup and Restore log directory

See Cisco Secure ACS Backup and Restore log

backups

components backed up 8-11

directory management 8-10

disabling scheduled 8-14

filenames 8-15

locations 8-10

manual 8-12

options 8-11

overview 8-10

reports 8-11

scheduled vs. manual 8-10

scheduling 8-12

vs. replication 9-10

with CSUtil.exe D-5

browsers

See also HTML interface

troubleshooting A-4

C

callback options

in Group Setup 6-6

in User Setup 7-9

cascading replication 9-6, 9-13

certification

See also EAP-TLS

See also PEAP

adding certificate authority certificates 10-36

background 10-1

backups 8-11

certificate signing request generation 10-38

editing the certificate trust list 10-37

replacing certificate 10-40

server certificate installation 10-34

updating certificate 10-40

CHAP

compatible databases 1-9

in User Setup 7-5

protocol supported 1-11

Cisco IOS

RADIUS

AV (attribute value) pairs C-2

group attributes 6-39

user attributes 7-39

TACACS+ AV (attribute value) pairs B-1

troubleshooting A-5

Cisco Secure ACS Active Service Management

event logging configuration 8-21

overview 8-18

system monitoring

configuring 8-20

custom actions 8-19

Cisco Secure ACS Active Service Monitoring file location 11-15

Cisco Secure ACS Active Service Monitoring log

viewing 11-16

Cisco Secure ACS administration overview 1-21

Cisco Secure ACS Backup and Restore log

CSV (comma-separated values) file directory 11-15

viewing 11-16

Cisco Secure ACS backups

See backups

Cisco Secure ACS Service Monitoring log

CSV (comma-separated values) file directory 11-30

Cisco Secure ACS system restore

See restore

CiscoSecure Authentication Agent 1-15, 6-20

CiscoSecure database replication

See replication

CiscoSecure user database

See also databases

overview 13-2

codes

See action codes

command authorization sets

See also shell command authorization sets

adding 5-19

configuring 5-15, 5-19

deleting 5-23

editing 5-22

overview 5-15

pattern matching 5-19

PIX command authorization sets 5-15

command-line database utility

See CSUtil.exe

conventions xxviii

CRYPTOCard user databases

configuring 13-78

group mappings 15-2

RADIUS-based group specifications 15-13

CSAdmin G-2

CSAuth G-3

CSDBSync 9-29, G-4

CSLog G-4

CSMon

See also Cisco Secure ACS Active Service Management

configuration G-4

failure events

customer-defined actions G-7

predefined actions G-7

functions G-4

log G-6

overview G-4

CSNTacctInfo 13-63, 13-65, 13-66

CSNTAuthUserPap 13-60

CSNTerrorString 13-63, 13-65, 13-66

CSNTExtractUserClearTextPw 13-61

CSNTFindUser 13-62

CSNTgroups 13-63, 13-65, 13-66

CSNTpasswords 13-63, 13-65

CSNTresults 13-63, 13-65, 13-66

CSNTusernames 13-63, 13-64, 13-66

CSRadius G-8

CSTacacs G-8

CSUtil.exe

decoding error numbers with D-27

displaying syntax D-5

import text file (example) D-24

overview D-1

CSV (comma-separated values) files

downloading 11-16

filename formats 11-14

logging format 11-1

viewing 11-16

custom attributes

in group-level TACACS+ settings 6-30

in user-level TACACS+ settings 7-24

D

database group mappings

configuring

for token servers 15-3

for Windows domains 15-9

no access groups 15-6

order 15-11

deleting

group set mappings 15-10

Windows domain configurations 15-11

in external user databases 15-1

overview 15-1

Database Replication log

CSV (comma-separated values) file directory 11-15

viewing 11-16

databases

See also external user databases

CiscoSecure user database 13-2

compacting D-12

deleting 13-84

deployment considerations 2-18

dump files D-9

external

See also external user databases

See also unknown user policies

performance 14-8

protocol compatibility 1-9

replication

See replication

search order 14-10

search process 14-9, 14-10

selecting user databases 13-1

synchronization

See RDBMS synchronization

token cards

See token servers

troubleshooting A-6, A-17

types

See ActivCard user databases

See CRYPTOCard user databases

See generic LDAP user databases

See LEAP proxy RADIUS user databases

See Novell NDS user databases

See ODBC features

See PassGo user databases

See RADIUS user databases

See RSA user databases

See SafeWord user databases

unknown users 14-2

user

import methods 13-3

user databases 7-2

Windows user databases 13-7

data source names

configuring for ODBC logging 11-21

for RDMBS synchronization 9-37

using with ODBC databases 13-54, 13-67, 13-69

date format control 8-3

DbSync log directory 11-15

debug logs

detail levels 11-31

frequency 11-31

troubleshooting A-12

default group in Group Setup 6-2

default group mapping for Windows 15-6

default time-of-day/day-of-week specification 3-5

default time-of-day access settings for groups 6-5

deleting logged-in users 11-10

deployment

overview 2-1

sequence 2-19

device command sets

See command authorization sets

device groups

See network device groups

device management applications support 1-18

DHCP with IP pools 9-44

dial-in permission to users in Windows 13-24

dial-in troubleshooting A-8

dial-up networking clients 13-11

dial-up topologies 2-6

digital certificates

See certification

Disabled Accounts report

viewing 11-11

Disabled Accounts reports

description 11-8

discovered users 14-2

distributed systems

See also proxy

AAA servers in 4-3

overview 4-3

settings

configuring 4-34

default entry 4-4

enabling in interface 3-5

distribution table

See Proxy Distribution Table

documentation

conventions xxviii

objectives xxv

online 1-31

organization xxvi

related xxix

domain lists

configuring 13-28

inadvertent user lockouts 13-13, 13-25

overview 13-12

domain names

Windows operating systems 13-11

downloadable IP ACLs

adding 5-4

assigning to groups 6-29

assigning to users 7-22

deleting 5-6

editing 5-5

enabling in interface

group-level 3-5

user-level 3-5

overview 5-2

draft-ietf-radius-tunnel-auth 1-7

dump files

creating database dump files D-9

loading a database from a dump file D-10

E

EAP (Extensible Authentication Protocol)

overview 1-12

with Windows authentication 13-13

EAP-FAST

compatible databases 1-9

enabling 10-24

identity protection 10-13

logging 10-13

master keys

definition 10-14

states 10-14

master server 10-22

options 10-27

overview 10-12

PAC

automatic provisioning 10-17

definition 10-16

manual provisioning 10-19

refresh 10-20

states 10-17

password aging 6-26

phases 10-12

replication 10-21

EAP-TLS

See also certification

authentication configuration 10-25

comparison methods 10-4

compatible databases 1-9

domain stripping 13-14

enabling 10-6

limitations 10-5

options 10-30

overview 10-2

session resume 10-4

enable password options for TACACS+ 7-36

enable privilege options for groups 6-18

error number decoding with CSUtil.exe D-27

Event log

configuring 8-21

exception events G-6

exception events G-7

exports

of user lists D-24

Extensible Authentication Protocol

See EAP (Extensible Authentication Protocol)

external token servers

See token servers

external user databases

See also databases

authentication via 13-5

configuring 13-4

deleting configuration 13-84

latency factors 14-8

search order 14-8, 14-10

supported 1-9

turning off authentication from 14-12

unknown user policy 14-1

F

Failed Attempts log

configuring

CSV (comma-separated values) 11-17

ODBC 11-21

CSV (comma-separated values) file directory 11-15

enabling

log 11-15

ODBC 11-21

viewing 11-16

failed log-on attempts G-6

failure events

customer-defined actions G-7

predefined actions G-7

fallbacks on failed connection 4-6

finding users 7-55

firewalls

administering AAA servers through 1-22

G

gateways E-3

generic LDAP user databases

authentication 13-30

configuring

database 13-42

options 13-35

directed authentications 13-32

domain filtering 13-32

failover 13-34

mapping database groups to AAA groups 15-4

multiple instances 13-31

organizational units and groups 13-32

supported protocols 1-9

Global Authentication Setup 10-32

grant dial-in permission to users 13-9, 13-24

greeting after login 6-23

group-level interface enabling

downloadable IP ACLs 3-5

network access restrictions 3-5

network access restriction sets 3-5

password aging 3-5

group-level network access restrictions

See network access restrictions

groups

See also network device groups

assigning users to 7-8

configuring RADIUS settings for

See RADIUS

Default Group 6-2, 15-6

enabling VoIP (Voice-over-IP) support for 6-4

exporting group information D-25

listing all users in 6-53

mapping order 15-11

mappings 15-1, 15-2

multiple mappings 15-5

no access groups 15-6

overriding settings 3-2

relationship to users 3-2

renaming 6-54

resetting usage quota counters for 6-54

settings for

callback options 6-6

configuration-specific 6-15

configuring common 6-3

device management command authorization sets 6-36

enable privilege 6-18

IP address assignment method 6-27

management tasks 6-53

max sessions 6-11

network access restrictions 6-7

password aging rules 6-20

PIX command authorization sets 6-34

shell command authorization sets 6-32

TACACS+ 6-2, 6-30

time-of-day access 6-5

token cards 6-17

usage quotas 6-13

setting up and managing 6-1

sort order within group mappings 15-5

specifications by ODBC authentications 13-63, 13-65, 13-66

GUI

See HTML interface

H

handle counts G-6

hard disk space G-5

hardware requirements 2-2

Help 1-26

host system state G-5

HTML interface

See also Interface Configuration

encrypting 12-13

logging off 1-31

overview 1-24

security 1-24

SSL 1-24

web servers G-2

HTTP port allocation

configuring 12-13

overview 1-22

HTTPS 12-13

I

IETF 802.1x 1-12

importing passwords D-14

imports with CSUtil.exe D-14

inbound authentication 1-13

inbound password configuration 1-14

installation

related documentation xxix

system requirements 2-2

troubleshooting A-14

Interface Configuration

See also HTML interface

advanced options 3-4

configuring 3-1

customized user data fields 3-3

security protocol options 3-9

IP addresses

in User Setup 7-10

multiple IP addresses for AAA client 4-12

requirement for CSTacacs and CSRadius G-8

setting assignment method for user groups 6-27

IP pools

address recovery 9-50

deleting 9-49

DHCP 9-44

editing IP pool definitions 9-47

enabling in interface 3-6

overlapping 9-44, 9-46

refreshing 9-46

resetting 9-48

servers

adding IP pools 9-46

overview 9-43

replicating IP pools 9-44

user IP addresses 7-11

L

LAN manager 1-12

latency in networks 2-19

LDAP

See generic LDAP user databases

LDAP databases

See generic LDAP user databases

LEAP proxy RADIUS user databases

configuring external databases 13-73

group mappings 15-2

overview 13-72

RADIUS-based group specifications 15-13

list all users

in Group Setup 6-53

in User Setup 7-55

Logged-In Users report

deleting logged-in users 11-10

description 11-8

viewing 11-9

logging

See also Reports and Activity

accounting logs 11-5

Administration Audit log 11-12

administration reports 11-8

configuring 11-18

CSV (comma-separated values) files 11-1

custom RADIUS dictionaries 9-3

debug logs

detail levels 11-31

frequency 11-31

Disabled Accounts reports 11-8

domain names 11-2

external user databases 11-2

Failed Attempts logs 11-5

formats 11-1

Logged-In Users reports 11-8

ODBC logs

enabling in interface 3-6

overview 11-1

working with 11-20

overview 11-5

Passed Authentication logs 11-5

RADIUS logs 11-5

RDBMS synchronization 9-3

remote logging

centralized 11-25

configuring 11-27

disabling 11-29

enabling in interface 3-5

logging hosts 11-24

options 11-26

overview 11-24

services

configuring service logs 11-31

list of logs generated 11-30

system logs 11-11

TACACS+ logs 11-5

troubleshooting A-15

user data attributes 11-2

VoIP logs 11-5

watchdog packets 11-4

login process test frequency 8-19

logins

greeting upon 6-23

password aging dependency 6-22

logs

See logging

See Reports and Activity

M

machine authentication

enabling 13-20

overview 13-14

with Microsoft Windows 13-18

management application support 1-18

mappings

database groups to AAA groups 15-4

databases to AAA groups 15-2

master AAA servers 9-3

master key

definition 10-14

states 10-14

max sessions

enabling in interface 3-5

in Group Setup 6-11

in User Setup 7-16

overview 1-17

troubleshooting A-14

memory utilization G-5

monitoring

configuring 8-20

CSMon G-5

overview 8-18

MS-CHAP

compatible databases 1-9

configuring 10-25

overview 1-12

protocol supported 1-11

multiple group mappings 15-5

multiple IP addresses for AAA clients 4-12

N

NAR

See network access restrictions

NAS

See AAA clients

NDG

See network device groups

NDS

See Novell NDS user databases

network access filters

See network access restrictions

network access quotas 1-18

network access restrictions

adding 5-9

configuring 5-9

deleting 5-14

editing 5-12

enabling in interface

group-level 3-5

user-level 3-5

in Group Setup 6-7

interface configuration 3-5

in User Setup 6-7, 7-11

overview 5-7

network access servers

See AAA clients

network configuration 4-1

network device groups

adding 4-30

assigning AAA clients to 4-31

assigning AAA servers to 4-31

configuring 4-29

deleting 4-33

enabling in interface 3-6

overview 1-22

reassigning AAA clients to 4-31

reassigning AAA servers to 4-31

renaming 4-32

network devices

See AAA clients

searches for 4-8

network requirements 2-4

networks

latency 2-19

reliability 2-19

network topologies

deployment 2-6

wireless 2-9

notifications G-7

Novell NDS user databases

authentication 13-48

configuring 13-51

mapping database groups to AAA groups 15-4

Novell Requestor 13-48

options 13-50

supported protocols 1-9

supported versions 13-48

user contexts 13-49

O

ODBC features

accountActions table 9-31

authentication

CHAP 13-58

EAP-TLS 13-58

overview 13-53

PAP 13-58

preparation process 13-57

process with external user database 13-56

result codes 13-67

case-sensitive passwords 13-59

CHAP authentication sample procedure 13-61

configuring 13-68

data source names 11-21, 13-54

DSN (data source name) configuration 13-67

EAP-TLS authentication sample procedure 13-62

features supported 13-55

group mappings 15-2

group specifications

CHAP 13-65

EAP-TLS 13-66

PAP 13-63

vs. group mappings 15-3

PAP authentication sample procedures 13-60

password case sensitivity 13-59

stored procedures

CHAP authentication 13-64

EAP-TLS authentication 13-65

implementing 13-58

PAP authentication 13-62

type definitions 13-59

user databases 13-53

ODBC logs

See logging

Online Documentation 1-32

online Help

location in HTML interface 1-26

using 1-31

operating system requirements 2-2

outbound password configuration 1-14

overview of Cisco Secure ACS 1-1

P

PAC

automatic provisioning 10-17

definition 10-16

manual provisioning 10-19

refresh 10-20

PAP

compatible databases 1-9

in User Setup 7-5

vs. ARAP 1-11

vs. CHAP 1-11

Passed Authentications log

configuring CSV (comma-separated values) 11-17

CSV (comma-separated values) file directory 11-15

enabling CSV (comma-separated values) logging 11-15

viewing 11-16

PassGo user databases

configuring external databases 13-78

group mappings 15-2

RADIUS-based group specifications 15-13

password aging

age-by-uses rules 6-22

Cisco IOS release requirement for 6-20

EAP-FAST 13-23

interface configuration 3-5

in Windows databases 6-25

MS-CHAP 13-23

overview 1-15

PEAP 13-23

rules 6-20

passwords

See also password aging

case sensitive 13-59

CHAP/MS-CHAP/ARAP 7-7

configurations

caching 1-14

inbound passwords 1-14

outbound passwords 1-14

separate passwords 1-13

single password 1-13

token caching 1-14

token cards 1-14

expiration 6-22

import utility D-14

local management 8-5

password change log management 8-6

post-login greeting 6-23

protocols and user database compatibility 1-9

protocols supported 1-11

remote change 8-5

user-changeable 1-15

validation options in System Configuration 8-5

pattern matching in command authorization 5-19

PEAP

See also certification

compatible databases 1-9

configuring 10-25

enabling 10-11

identity protection 10-8

options 10-26

overview 10-8

password aging 6-26

phases 10-8

with Unknown User Policy 10-10

performance monitoring G-5

performance specifications 1-3

per-group attributes

See also groups

enabling in interface 3-2

per-user attributes

enabling in interface 3-2

TACACS+/RADIUS in Interface Configuration 3-4

PIX ACLs

See downloadable IP ACLs

PIX command authorization sets

See command authorization sets

PKI (public key infrastructure)

See certification

port 2002

CSAdmin G-2

in HTTP port ranges 12-13

in URLs 1-27

port allocation

See HTTP port allocation

ports

See also HTTP port allocation

See also port 2002

RADIUS 1-6, 1-7

TACACS+ 1-6

PPP password aging 6-20

privileges

See administrators

processor utilization G-5

profile components

See shared profile components

proxy

See also Proxy Distribution Table

character strings

defining 4-6

stripping 4-6

configuring 4-34

in enterprise settings 4-7

overview 4-4

sending accounting packets 4-7

troubleshooting A-13

Proxy Distribution Table

See also proxy

adding entries 4-35

configuring 4-34

default entry 4-4, 4-35

deleting entries 4-38

editing entries 4-38

match order sorting 4-37

overview 4-34

Q

quotas

See network access quotas

See usage quotas

R

RADIUS

See also RADIUS VSAs (vendor specific attributes)

attributes

See also RADIUS VSAs (vendor specific attributes)

in User Setup 7-38

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

Cisco IOS C-2

IETF C-11

overview C-1

Cisco Aironet 4-14

IETF

in Group Setup 6-37

interface configuration 3-15

in User Setup 7-38

interface configuration overview 3-11

password aging 6-25

ports 1-6, 1-7

specifications 1-7

token servers 13-77

troubleshooting A-19

tunneling packets 4-19

vs. TACACS+ 1-6

RADIUS Accounting log

configuring

CSV (comma-separated values) 11-17

ODBC 11-21

configuring CSV (comma-separated values) 11-16

CSV (comma-separated values) file directory 11-15

enabling

ODBC 11-21

enabling CSV (comma-separated values) 11-15

RADIUS user databases

configuring 13-78

group mappings 15-2

RADIUS-based group specifications 15-13

RADIUS VSAs (vendor specific attributes)

Ascend

in Group Setup 6-42

in User Setup 7-42

supported attributes C-28

Cisco Aironet

in Group Setup 6-40

in User Setup 7-41

Cisco BBSM (Building Broadband Service Manager)

in Group Setup 6-50

in User Setup 7-52

supported attributes C-11

Cisco IOS/PIX

in Group Setup 6-39

interface configuration 3-16

in User Setup 7-39

supported attributes C-4

Cisco VPN 3000

in Group Setup 6-43

in User Setup 7-44

supported attributes C-6

Cisco VPN 5000

in Group Setup 6-45

in User Setup 7-46

supported attributes C-10

custom

about 9-28

in Group Setup 6-52

in User Setup 7-53

Juniper

in Group Setup 6-49

in User Setup 7-51

supported attributes C-41

Microsoft

in Group Setup 6-46

in User Setup 7-47

supported attributes C-25

Nortel

in Group Setup 6-48

in User Setup 7-49

supported attributes C-40

overview C-1

user-defined

about 9-28, D-28

action codes for F-19

adding D-29

deleting D-31

import files D-34

listing D-32

replicating 9-28, D-29

RDBMS synchronization

accountActions table as transaction queue 9-31

configuring 9-40

CSV-based 9-34

data source name configuration 9-36, 9-37

disabling 9-42

enabling in interface 3-6

group-related configuration 9-27

import definitions F-1

log

CSV (comma-separated values) file directory 11-15

viewing 11-16

manual initialization 9-38

network configuration 9-27

overview 9-25

partners 9-38

preparing to use 9-32

report and error handling 9-32

scheduling options 9-38

user-related configuration 9-26

Registry G-2

rejection mode

general 14-4

Windows user databases 14-5

related documentation xxix

reliability of network 2-19

remote access policies 2-14

remote logging

See logging

replication

ACS Service Management page 9-3

backups recommended (Caution) 9-10

cascading 9-6, 9-13

certificates 9-3

client configuration 9-16

components

overwriting (Caution) 9-17

overwriting (Note) 9-11

selecting 9-11

configuring 9-20

corrupted backups (Caution) 9-10

custom RADIUS dictionaries 9-3

disabling 9-24

EAP-FAST 10-21

external user databases 9-3

frequency 9-7

group mappings 9-3

immediate 9-19

implementing primary and secondary setups 9-15

important considerations 9-8

in System Configuration 9-20

interface configuration 3-5

IP pools 9-3, 9-44

logging 9-10

manual initiation 9-19

master AAA servers 9-3

notifications 9-24

options 9-11

overview 9-2

partners

configuring 9-23

options 9-12

process 9-4

scheduling 9-20

scheduling options 9-12

selecting data 9-11

unsupported 9-3

user-defined RADIUS vendors 9-9

vs. backup 9-10

Reports and Activity

See also logging

configuration privileges 12-5

configuring 11-18

CSV (comma-separated values) logs 11-11

in interface 1-26

overview 11-5

request handling

general 14-4

Windows user databases 14-5

requirements

hardware 2-2

network 2-4

operating system 2-2

system 2-2

resource consumption G-6

restarting services 8-2

restore

components restored

configuring 8-17

overview 8-16

filenames 8-15

in System Configuration 8-14

overview 8-15

performing 8-17

reports 8-16

with CSUtil.exe D-6

RFC2138 1-7

RFC2139 1-7

RSA user databases

configuring 13-83

group mappings 15-2

S

SafeWord user databases

configuring 13-78

group mappings 15-2

RADIUS-based group specifications 15-13

search order of external user databases 14-10

security policies 2-15

security protocols

Cisco AAA client devices 1-2

CSRadius G-8

CSTacacs G-8

interface options 3-9

RADIUS 1-6, C-1

TACACS+

custom commands 3-9

overview 1-6

time-of-day access 3-8

service control in System Configuration 11-31

Service Monitoring log

See Cisco Secure ACS Service Monitoring log

services

determining status of 8-2

logs

configuring 11-31

list of logs generated 11-30

management 8-18

overview 1-4, G-1

starting 8-2

stopping 8-2

session policies

configuring 12-17

options 12-16

overview 12-16

shared profile components

See also command authorization sets

See also network access restrictions

downloadable IP ACLs 5-2

overview 5-1

shared secret G-8

shell command authorization sets

See also command authorization sets

in Group Setup 6-32

in User Setup 7-26

single password configurations 1-13

SMTP (simple mail-transfer protocol) G-7

specifications

RADIUS

RFC2138 1-7

RFC2139 1-7

system performance 1-3

TACACS+ 1-6

SSL (secure socket layer) 12-13

starting services 8-2

static IP addresses 7-11

stopping services 8-2

stored procedures

CHAP authentication

configuring 13-71

input values 13-64

output values 13-64

result codes 13-67

EAP-TLS authentication

configuring 13-71

input values 13-65

output values 13-66

implementing 13-58

PAP authentication

configuring 13-70

input values 13-62

output values 13-63

result codes 13-67

sample procedures 13-60

type definitions

integer 13-59

string 13-59

supplementary user information

in User Setup 7-6

setting 7-6

synchronization

See RDBMS synchronization

system

configuration

advanced 9-1

authentication 10-1

basic 8-1

certificates 10-1

privileges 12-4

health G-5

messages in interface 1-26

monitoring

See monitoring

performance specifications 1-3

requirements 2-2

services

See services

T

TACACS+

advanced TACACS+ settings

in Group Setup 6-2

in User Setup 7-33

AV (attribute value) pairs

accounting B-4

general B-1

custom commands 3-9

enable password options for users 7-36

enable privilege options 7-34

interface configuration 3-7

interface options 3-9

outbound passwords for users 7-37

ports 1-6

SENDAUTH 1-14

settings

in Group Setup 6-2, 6-30

in User Setup 7-22, 7-24

specifications 1-6

time-of-day access 3-8

troubleshooting A-19

vs. RADIUS 1-6

TACACS+ Accounting log

configuring

CSV (comma-separated values) 11-17

ODBC 11-21

CSV (comma-separated values) file directory 11-14

enabling CSV (comma-separated values) 11-15

enabling for ODBC 11-21

viewing 11-16

TACACS+ Administration log

configuring

CSV(comma-separated values) 11-17

ODBC 11-21

CSV (comma-separated values) file directory 11-14

enabling

ODBC 11-21

enabling CSV (comma-separated values) 11-15

viewing 11-16

Telnet

See also command authorization sets

password aging 6-20

test login frequency internally 8-19

thread used G-6

time-of-day/day-of-week specification

See also date format control

enabling in interface 3-5

timeout values on AAA clients 14-8

TLS (transport level security)

See certification

token caching 1-14, 13-76

token cards

password configuration 1-14

settings in Group Setup 6-17

token servers

ActivCard 13-77

CRYPTOCard 13-77

ISDN terminal adapters 13-76

overview 13-76

PassGo 13-77

RADIUS-enabled 13-77

RADIUS token servers 13-77

RSA 13-82

SafeWord 13-77

supported servers 1-9

token caching 13-76

Vasco 13-77

topologies

See network topologies

troubleshooting

AAA servers A-1

administration issues A-2

browser issues A-4

Cisco IOS issues A-5

database issues A-6

debug logs 11-29, A-12

dial-in issues A-8

installation issues A-14

max sessions issues A-14

proxy issues A-13

RADIUS issues A-19

report issues A-15

TACACS+ issues A-19

third-party server issues A-17

upgrade issues A-14

user issues A-18

trust lists

See certification

trust relationships 13-10

U

UNIX passwords D-18

unknown service user setting 7-32

unknown user policies

See also unknown users

configuring 14-11

in external user databases 13-3, 14-10

overview 14-9

unknown users

See also unknown user policies

authentication processing 14-8

handling methods 14-2

network access authorization 14-9

update packets

See watchdog packets

upgrade troubleshooting A-14

usage quotas

in Group Setup 6-13

in Interface Configuration 3-5

in User Setup 7-18

overview 1-18

resetting

for groups 6-54

for single users 7-58

user-changeable passwords

overview 1-15

with Windows user databases 13-23

user databases

See databases

User Data Configuration 3-3

user groups

See groups

user-level

downloadable ACLs interface 3-5

network access restrictions

See also network access restrictions

enabling in interface 3-4

User Password Changes log location 11-15

users

See also User Setup

adding

basic steps 7-4

methods 13-3

assigning client IP addresses to 7-10

assigning to a group 7-8

callback options 7-9

configuring 7-2

configuring device management command authorization sets for 7-31

configuring PIX command authorization sets for 7-29

configuring shell command authorization sets for 7-26

customized data fields 3-3

data configuration

See User Data Configuration

deleting 11-10

deleting accounts 7-57

disabling accounts 7-5

finding 7-55

import methods 13-3

in multiple databases 14-6

in multiple domains 14-6

listing all users 7-55

number allowed 2-18

number of 1-3

RDBMS synchronization 9-26

relationship to groups 3-2

resetting accounts 7-58

saving settings 7-60

supplementary information 7-6

troubleshooting A-18

types

discovered 14-3

known 14-2

unknown 14-3

VPDN dialup E-2

User Setup

account management tasks 7-54

basic options 7-3

configuring 7-2

deleting user accounts 7-57

saving settings 7-60

Users in Group button 6-53

V

validation of passwords 8-5

Vasco user databases

group mappings 15-2

RADIUS-based group specifications 15-13

vendor-specific attributes

See RADIUS VSAs (vendor specific attributes)

viewing logs and reports

See logging

Voice-over-IP

See VoIP (Voice-over-IP)

VoIP (Voice-over-IP)

accounting configuration 3-6, 8-22

Accounting log

enabling csv log 11-15

viewing 11-16

enabling in interface 3-6

group settings in Interface Configuration 3-6

in Group Setup 6-4

VoIP (Voice-over-IP) Accounting log

configuring

CSV (comma-separated values) 11-17

ODBC 11-21

CSV (comma-separated values) file directory 11-15

enabling

ODBC 11-21

VPDN

advantages 2-12

authentication process E-1

domain authorization E-2

home gateways E-3

IP addresses E-3

tunnel IDs E-3

users E-2

VSAs

See RADIUS VSAs (vendor specific attributes)

W

warning events G-5, G-7

watchdog packets

configuring on AAA clients 4-19

configuring on AAA servers 4-26

logging 11-4

web servers G-2

Windows operating systems

authentication order 14-7

Cisco Secure ACS-related services

services 8-2

dial-up networking 13-11

dial-up networking clients

domain field 13-11

password field 13-11

username field 13-11

Domain List effect 14-7

domains

domain names 13-11, 14-5

trusted 13-11

Event logs G-6

Registry G-2

Windows user databases

See also databases

Active Directory 13-24

configuring 13-28

Domain list

inadvertent user lockouts 13-25

domain mapping 15-9

domains

trusted 13-10

grant dial-in permission to users 13-9, 13-24

group mappings

editing 15-9

no access groups 15-6

remapping 15-9

mapping database groups to AAA groups 15-4

overview 13-7

password aging 6-25

passwords 1-11

rejection mode 14-5

request handling 14-5

trust relationships 13-10

user-changeable passwords 13-23

user manager 13-24

wireless network topologies 2-9

	User Guide for Cisco Secure ACS for Windows Server 3.2
	Index
User Guide for Cisco Secure ACS for Windows Server 3.2 Preface Overview Deployment Considerations Interface Configuration Network Configuration Shared Profile Components User Group Management User Management System Configuration: Basic System Configuration: Advanced System Configuration: Authentication and Certificates Logs and Reports Administrators and Administrative Policy User Databases Unknown User Policy User Group Mapping and Specification Troubleshooting TACACS+ Attribute-Value Pairs RADIUS Attributes CSUtil Database Utility VPDN Processing RDBMS Synchronization Import Definitions Internal Architecture Index	Download this chapter Index Download the complete book User Guide for Cisco Secure ACS for Windows Server (whole-book pdf) (PDF - 7 MB) Table Of Contents A - B - C - D - E - F - G - H - I - L - M - N - O - P - Q - R - S - T - U - V - W - Index A AAA See also AAA clients See also AAA servers definition 1-1 pools for IP address assignment 7-11 AAA clients adding and configuring 4-17 configuration 4-11 definition 1-5 deleting 4-21 editing 4-20 interaction with AAA servers 1-5 IP pools 7-11 multiple IP addresses for 4-12 number of 1-3 searching for 4-8 supported Cisco AAA clients 1-2 table 4-2 timeout values 14-8 AAA servers adding 4-25 configuring 4-22 deleting 4-28 editing 4-26 enabling in interface (table) 3-5 functions and concepts 1-5 in distributed systems 4-3 master 9-3 overview 4-22 primary 9-3 replicating 9-3 searching for 4-8 secondary 9-3 troubleshooting A-1 access devices 1-5 accessing Cisco Secure ACS how to 1-30 URL 1-27 with SSL enabled 1-27 access policies See administrative access policies accountActions table 9-29, 9-30 account disablement Account Disabled check box 7-5 manual 7-56 resetting 7-58 setting options for 7-20 accounting See also logging overview 1-20 ACLs See downloadable IP ACLs action codes for creating and modifying user accounts F-7 for initializing and modifying access filters F-15 for modifying network configuration F-27 for modifying TACACS+ and RADIUS settings F-19 for setting and deleting values F-5 in accountActions F-4 ActivCard user databases configuring 13-78 group mappings 15-2 RADIUS-based group specifications 15-13 Administration Audit log configuring 11-12 CSV file directory 11-15 viewing 11-16 Administration Control See also administrators audit policy setup 12-18 administrative access policies See also administrators configuring 12-13 limits 12-11 options 12-12 overview 2-15 administrative sessions and HTTP proxy 1-28 network environment limitations of 1-28 session policies 12-16 through firewalls 1-29 through NAT (network address translation) 1-29 administrators See also Administration Audit log See also Administration Control See also administrative access policies adding 12-6 deleting 12-10 editing 12-7 locked out 12-10 locking out 12-17 overview 12-2 privileges 12-3 separation from general users 2-17 troubleshooting A-2 unlocking 12-10 advanced options in interface 3-6 age-by-date rules for groups 6-24 Aironet AAA client configuration 4-14 RADIUS parameters for group 6-40 RADIUS parameters for user 7-41 ARAP compatible databases 1-9 in User Setup 7-5 protocol supported 1-11 Architecture G-1 ASCII/PAP compatible databases 1-9 protocol supported 1-11 attributes enabling in interface 3-2 group-specific (table) F-37 logging of user data 11-2 per-group 3-2 per-user 3-2 user-specific (table) F-36 audit policies See also Administration Audit log overview 12-18 authentication compatibility of protocols 1-9 configuration 10-25 denying external user databases 14-12 options 10-32 overview 1-8 request handling 14-4 via external user databases 13-5 Windows 13-11 authorization 1-16 authorization sets See command authorization sets AV (attribute value) pairs See also RADIUS VSAs (vendor specific attributes) RADIUS Cisco IOS C-2 IETF C-11 TACACS+ accounting B-4 general B-1 Axent user databases See PassGo user databases B Backup and Restore log directory See Cisco Secure ACS Backup and Restore log backups components backed up 8-11 directory management 8-10 disabling scheduled 8-14 filenames 8-15 locations 8-10 manual 8-12 options 8-11 overview 8-10 reports 8-11 scheduled vs. manual 8-10 scheduling 8-12 vs. replication 9-10 with CSUtil.exe D-5 browsers See also HTML interface troubleshooting A-4 C callback options in Group Setup 6-6 in User Setup 7-9 cascading replication 9-6, 9-13 certification See also EAP-TLS See also PEAP adding certificate authority certificates 10-36 background 10-1 backups 8-11 certificate signing request generation 10-38 editing the certificate trust list 10-37 replacing certificate 10-40 server certificate installation 10-34 updating certificate 10-40 CHAP compatible databases 1-9 in User Setup 7-5 protocol supported 1-11 Cisco IOS RADIUS AV (attribute value) pairs C-2 group attributes 6-39 user attributes 7-39 TACACS+ AV (attribute value) pairs B-1 troubleshooting A-5 Cisco Secure ACS Active Service Management event logging configuration 8-21 overview 8-18 system monitoring configuring 8-20 custom actions 8-19 Cisco Secure ACS Active Service Monitoring file location 11-15 Cisco Secure ACS Active Service Monitoring log viewing 11-16 Cisco Secure ACS administration overview 1-21 Cisco Secure ACS Backup and Restore log CSV (comma-separated values) file directory 11-15 viewing 11-16 Cisco Secure ACS backups See backups Cisco Secure ACS Service Monitoring log CSV (comma-separated values) file directory 11-30 Cisco Secure ACS system restore See restore CiscoSecure Authentication Agent 1-15, 6-20 CiscoSecure database replication See replication CiscoSecure user database See also databases overview 13-2 codes See action codes command authorization sets See also shell command authorization sets adding 5-19 configuring 5-15, 5-19 deleting 5-23 editing 5-22 overview 5-15 pattern matching 5-19 PIX command authorization sets 5-15 command-line database utility See CSUtil.exe conventions xxviii CRYPTOCard user databases configuring 13-78 group mappings 15-2 RADIUS-based group specifications 15-13 CSAdmin G-2 CSAuth G-3 CSDBSync 9-29, G-4 CSLog G-4 CSMon See also Cisco Secure ACS Active Service Management configuration G-4 failure events customer-defined actions G-7 predefined actions G-7 functions G-4 log G-6 overview G-4 CSNTacctInfo 13-63, 13-65, 13-66 CSNTAuthUserPap 13-60 CSNTerrorString 13-63, 13-65, 13-66 CSNTExtractUserClearTextPw 13-61 CSNTFindUser 13-62 CSNTgroups 13-63, 13-65, 13-66 CSNTpasswords 13-63, 13-65 CSNTresults 13-63, 13-65, 13-66 CSNTusernames 13-63, 13-64, 13-66 CSRadius G-8 CSTacacs G-8 CSUtil.exe decoding error numbers with D-27 displaying syntax D-5 import text file (example) D-24 overview D-1 CSV (comma-separated values) files downloading 11-16 filename formats 11-14 logging format 11-1 viewing 11-16 custom attributes in group-level TACACS+ settings 6-30 in user-level TACACS+ settings 7-24 D database group mappings configuring for token servers 15-3 for Windows domains 15-9 no access groups 15-6 order 15-11 deleting group set mappings 15-10 Windows domain configurations 15-11 in external user databases 15-1 overview 15-1 Database Replication log CSV (comma-separated values) file directory 11-15 viewing 11-16 databases See also external user databases CiscoSecure user database 13-2 compacting D-12 deleting 13-84 deployment considerations 2-18 dump files D-9 external See also external user databases See also unknown user policies performance 14-8 protocol compatibility 1-9 replication See replication search order 14-10 search process 14-9, 14-10 selecting user databases 13-1 synchronization See RDBMS synchronization token cards See token servers troubleshooting A-6, A-17 types See ActivCard user databases See CRYPTOCard user databases See generic LDAP user databases See LEAP proxy RADIUS user databases See Novell NDS user databases See ODBC features See PassGo user databases See RADIUS user databases See RSA user databases See SafeWord user databases unknown users 14-2 user import methods 13-3 user databases 7-2 Windows user databases 13-7 data source names configuring for ODBC logging 11-21 for RDMBS synchronization 9-37 using with ODBC databases 13-54, 13-67, 13-69 date format control 8-3 DbSync log directory 11-15 debug logs detail levels 11-31 frequency 11-31 troubleshooting A-12 default group in Group Setup 6-2 default group mapping for Windows 15-6 default time-of-day/day-of-week specification 3-5 default time-of-day access settings for groups 6-5 deleting logged-in users 11-10 deployment overview 2-1 sequence 2-19 device command sets See command authorization sets device groups See network device groups device management applications support 1-18 DHCP with IP pools 9-44 dial-in permission to users in Windows 13-24 dial-in troubleshooting A-8 dial-up networking clients 13-11 dial-up topologies 2-6 digital certificates See certification Disabled Accounts report viewing 11-11 Disabled Accounts reports description 11-8 discovered users 14-2 distributed systems See also proxy AAA servers in 4-3 overview 4-3 settings configuring 4-34 default entry 4-4 enabling in interface 3-5 distribution table See Proxy Distribution Table documentation conventions xxviii objectives xxv online 1-31 organization xxvi related xxix domain lists configuring 13-28 inadvertent user lockouts 13-13, 13-25 overview 13-12 domain names Windows operating systems 13-11 downloadable IP ACLs adding 5-4 assigning to groups 6-29 assigning to users 7-22 deleting 5-6 editing 5-5 enabling in interface group-level 3-5 user-level 3-5 overview 5-2 draft-ietf-radius-tunnel-auth 1-7 dump files creating database dump files D-9 loading a database from a dump file D-10 E EAP (Extensible Authentication Protocol) overview 1-12 with Windows authentication 13-13 EAP-FAST compatible databases 1-9 enabling 10-24 identity protection 10-13 logging 10-13 master keys definition 10-14 states 10-14 master server 10-22 options 10-27 overview 10-12 PAC automatic provisioning 10-17 definition 10-16 manual provisioning 10-19 refresh 10-20 states 10-17 password aging 6-26 phases 10-12 replication 10-21 EAP-TLS See also certification authentication configuration 10-25 comparison methods 10-4 compatible databases 1-9 domain stripping 13-14 enabling 10-6 limitations 10-5 options 10-30 overview 10-2 session resume 10-4 enable password options for TACACS+ 7-36 enable privilege options for groups 6-18 error number decoding with CSUtil.exe D-27 Event log configuring 8-21 exception events G-6 exception events G-7 exports of user lists D-24 Extensible Authentication Protocol See EAP (Extensible Authentication Protocol) external token servers See token servers external user databases See also databases authentication via 13-5 configuring 13-4 deleting configuration 13-84 latency factors 14-8 search order 14-8, 14-10 supported 1-9 turning off authentication from 14-12 unknown user policy 14-1 F Failed Attempts log configuring CSV (comma-separated values) 11-17 ODBC 11-21 CSV (comma-separated values) file directory 11-15 enabling log 11-15 ODBC 11-21 viewing 11-16 failed log-on attempts G-6 failure events customer-defined actions G-7 predefined actions G-7 fallbacks on failed connection 4-6 finding users 7-55 firewalls administering AAA servers through 1-22 G gateways E-3 generic LDAP user databases authentication 13-30 configuring database 13-42 options 13-35 directed authentications 13-32 domain filtering 13-32 failover 13-34 mapping database groups to AAA groups 15-4 multiple instances 13-31 organizational units and groups 13-32 supported protocols 1-9 Global Authentication Setup 10-32 grant dial-in permission to users 13-9, 13-24 greeting after login 6-23 group-level interface enabling downloadable IP ACLs 3-5 network access restrictions 3-5 network access restriction sets 3-5 password aging 3-5 group-level network access restrictions See network access restrictions groups See also network device groups assigning users to 7-8 configuring RADIUS settings for See RADIUS Default Group 6-2, 15-6 enabling VoIP (Voice-over-IP) support for 6-4 exporting group information D-25 listing all users in 6-53 mapping order 15-11 mappings 15-1, 15-2 multiple mappings 15-5 no access groups 15-6 overriding settings 3-2 relationship to users 3-2 renaming 6-54 resetting usage quota counters for 6-54 settings for callback options 6-6 configuration-specific 6-15 configuring common 6-3 device management command authorization sets 6-36 enable privilege 6-18 IP address assignment method 6-27 management tasks 6-53 max sessions 6-11 network access restrictions 6-7 password aging rules 6-20 PIX command authorization sets 6-34 shell command authorization sets 6-32 TACACS+ 6-2, 6-30 time-of-day access 6-5 token cards 6-17 usage quotas 6-13 setting up and managing 6-1 sort order within group mappings 15-5 specifications by ODBC authentications 13-63, 13-65, 13-66 GUI See HTML interface H handle counts G-6 hard disk space G-5 hardware requirements 2-2 Help 1-26 host system state G-5 HTML interface See also Interface Configuration encrypting 12-13 logging off 1-31 overview 1-24 security 1-24 SSL 1-24 web servers G-2 HTTP port allocation configuring 12-13 overview 1-22 HTTPS 12-13 I IETF 802.1x 1-12 importing passwords D-14 imports with CSUtil.exe D-14 inbound authentication 1-13 inbound password configuration 1-14 installation related documentation xxix system requirements 2-2 troubleshooting A-14 Interface Configuration See also HTML interface advanced options 3-4 configuring 3-1 customized user data fields 3-3 security protocol options 3-9 IP addresses in User Setup 7-10 multiple IP addresses for AAA client 4-12 requirement for CSTacacs and CSRadius G-8 setting assignment method for user groups 6-27 IP pools address recovery 9-50 deleting 9-49 DHCP 9-44 editing IP pool definitions 9-47 enabling in interface 3-6 overlapping 9-44, 9-46 refreshing 9-46 resetting 9-48 servers adding IP pools 9-46 overview 9-43 replicating IP pools 9-44 user IP addresses 7-11 L LAN manager 1-12 latency in networks 2-19 LDAP See generic LDAP user databases LDAP databases See generic LDAP user databases LEAP proxy RADIUS user databases configuring external databases 13-73 group mappings 15-2 overview 13-72 RADIUS-based group specifications 15-13 list all users in Group Setup 6-53 in User Setup 7-55 Logged-In Users report deleting logged-in users 11-10 description 11-8 viewing 11-9 logging See also Reports and Activity accounting logs 11-5 Administration Audit log 11-12 administration reports 11-8 configuring 11-18 CSV (comma-separated values) files 11-1 custom RADIUS dictionaries 9-3 debug logs detail levels 11-31 frequency 11-31 Disabled Accounts reports 11-8 domain names 11-2 external user databases 11-2 Failed Attempts logs 11-5 formats 11-1 Logged-In Users reports 11-8 ODBC logs enabling in interface 3-6 overview 11-1 working with 11-20 overview 11-5 Passed Authentication logs 11-5 RADIUS logs 11-5 RDBMS synchronization 9-3 remote logging centralized 11-25 configuring 11-27 disabling 11-29 enabling in interface 3-5 logging hosts 11-24 options 11-26 overview 11-24 services configuring service logs 11-31 list of logs generated 11-30 system logs 11-11 TACACS+ logs 11-5 troubleshooting A-15 user data attributes 11-2 VoIP logs 11-5 watchdog packets 11-4 login process test frequency 8-19 logins greeting upon 6-23 password aging dependency 6-22 logs See logging See Reports and Activity M machine authentication enabling 13-20 overview 13-14 with Microsoft Windows 13-18 management application support 1-18 mappings database groups to AAA groups 15-4 databases to AAA groups 15-2 master AAA servers 9-3 master key definition 10-14 states 10-14 max sessions enabling in interface 3-5 in Group Setup 6-11 in User Setup 7-16 overview 1-17 troubleshooting A-14 memory utilization G-5 monitoring configuring 8-20 CSMon G-5 overview 8-18 MS-CHAP compatible databases 1-9 configuring 10-25 overview 1-12 protocol supported 1-11 multiple group mappings 15-5 multiple IP addresses for AAA clients 4-12 N NAR See network access restrictions NAS See AAA clients NDG See network device groups NDS See Novell NDS user databases network access filters See network access restrictions network access quotas 1-18 network access restrictions adding 5-9 configuring 5-9 deleting 5-14 editing 5-12 enabling in interface group-level 3-5 user-level 3-5 in Group Setup 6-7 interface configuration 3-5 in User Setup 6-7, 7-11 overview 5-7 network access servers See AAA clients network configuration 4-1 network device groups adding 4-30 assigning AAA clients to 4-31 assigning AAA servers to 4-31 configuring 4-29 deleting 4-33 enabling in interface 3-6 overview 1-22 reassigning AAA clients to 4-31 reassigning AAA servers to 4-31 renaming 4-32 network devices See AAA clients searches for 4-8 network requirements 2-4 networks latency 2-19 reliability 2-19 network topologies deployment 2-6 wireless 2-9 notifications G-7 Novell NDS user databases authentication 13-48 configuring 13-51 mapping database groups to AAA groups 15-4 Novell Requestor 13-48 options 13-50 supported protocols 1-9 supported versions 13-48 user contexts 13-49 O ODBC features accountActions table 9-31 authentication CHAP 13-58 EAP-TLS 13-58 overview 13-53 PAP 13-58 preparation process 13-57 process with external user database 13-56 result codes 13-67 case-sensitive passwords 13-59 CHAP authentication sample procedure 13-61 configuring 13-68 data source names 11-21, 13-54 DSN (data source name) configuration 13-67 EAP-TLS authentication sample procedure 13-62 features supported 13-55 group mappings 15-2 group specifications CHAP 13-65 EAP-TLS 13-66 PAP 13-63 vs. group mappings 15-3 PAP authentication sample procedures 13-60 password case sensitivity 13-59 stored procedures CHAP authentication 13-64 EAP-TLS authentication 13-65 implementing 13-58 PAP authentication 13-62 type definitions 13-59 user databases 13-53 ODBC logs See logging Online Documentation 1-32 online Help location in HTML interface 1-26 using 1-31 operating system requirements 2-2 outbound password configuration 1-14 overview of Cisco Secure ACS 1-1 P PAC automatic provisioning 10-17 definition 10-16 manual provisioning 10-19 refresh 10-20 PAP compatible databases 1-9 in User Setup 7-5 vs. ARAP 1-11 vs. CHAP 1-11 Passed Authentications log configuring CSV (comma-separated values) 11-17 CSV (comma-separated values) file directory 11-15 enabling CSV (comma-separated values) logging 11-15 viewing 11-16 PassGo user databases configuring external databases 13-78 group mappings 15-2 RADIUS-based group specifications 15-13 password aging age-by-uses rules 6-22 Cisco IOS release requirement for 6-20 EAP-FAST 13-23 interface configuration 3-5 in Windows databases 6-25 MS-CHAP 13-23 overview 1-15 PEAP 13-23 rules 6-20 passwords See also password aging case sensitive 13-59 CHAP/MS-CHAP/ARAP 7-7 configurations caching 1-14 inbound passwords 1-14 outbound passwords 1-14 separate passwords 1-13 single password 1-13 token caching 1-14 token cards 1-14 expiration 6-22 import utility D-14 local management 8-5 password change log management 8-6 post-login greeting 6-23 protocols and user database compatibility 1-9 protocols supported 1-11 remote change 8-5 user-changeable 1-15 validation options in System Configuration 8-5 pattern matching in command authorization 5-19 PEAP See also certification compatible databases 1-9 configuring 10-25 enabling 10-11 identity protection 10-8 options 10-26 overview 10-8 password aging 6-26 phases 10-8 with Unknown User Policy 10-10 performance monitoring G-5 performance specifications 1-3 per-group attributes See also groups enabling in interface 3-2 per-user attributes enabling in interface 3-2 TACACS+/RADIUS in Interface Configuration 3-4 PIX ACLs See downloadable IP ACLs PIX command authorization sets See command authorization sets PKI (public key infrastructure) See certification port 2002 CSAdmin G-2 in HTTP port ranges 12-13 in URLs 1-27 port allocation See HTTP port allocation ports See also HTTP port allocation See also port 2002 RADIUS 1-6, 1-7 TACACS+ 1-6 PPP password aging 6-20 privileges See administrators processor utilization G-5 profile components See shared profile components proxy See also Proxy Distribution Table character strings defining 4-6 stripping 4-6 configuring 4-34 in enterprise settings 4-7 overview 4-4 sending accounting packets 4-7 troubleshooting A-13 Proxy Distribution Table See also proxy adding entries 4-35 configuring 4-34 default entry 4-4, 4-35 deleting entries 4-38 editing entries 4-38 match order sorting 4-37 overview 4-34 Q quotas See network access quotas See usage quotas R RADIUS See also RADIUS VSAs (vendor specific attributes) attributes See also RADIUS VSAs (vendor specific attributes) in User Setup 7-38 AV (attribute value) pairs See also RADIUS VSAs (vendor specific attributes) Cisco IOS C-2 IETF C-11 overview C-1 Cisco Aironet 4-14 IETF in Group Setup 6-37 interface configuration 3-15 in User Setup 7-38 interface configuration overview 3-11 password aging 6-25 ports 1-6, 1-7 specifications 1-7 token servers 13-77 troubleshooting A-19 tunneling packets 4-19 vs. TACACS+ 1-6 RADIUS Accounting log configuring CSV (comma-separated values) 11-17 ODBC 11-21 configuring CSV (comma-separated values) 11-16 CSV (comma-separated values) file directory 11-15 enabling ODBC 11-21 enabling CSV (comma-separated values) 11-15 RADIUS user databases configuring 13-78 group mappings 15-2 RADIUS-based group specifications 15-13 RADIUS VSAs (vendor specific attributes) Ascend in Group Setup 6-42 in User Setup 7-42 supported attributes C-28 Cisco Aironet in Group Setup 6-40 in User Setup 7-41 Cisco BBSM (Building Broadband Service Manager) in Group Setup 6-50 in User Setup 7-52 supported attributes C-11 Cisco IOS/PIX in Group Setup 6-39 interface configuration 3-16 in User Setup 7-39 supported attributes C-4 Cisco VPN 3000 in Group Setup 6-43 in User Setup 7-44 supported attributes C-6 Cisco VPN 5000 in Group Setup 6-45 in User Setup 7-46 supported attributes C-10 custom about 9-28 in Group Setup 6-52 in User Setup 7-53 Juniper in Group Setup 6-49 in User Setup 7-51 supported attributes C-41 Microsoft in Group Setup 6-46 in User Setup 7-47 supported attributes C-25 Nortel in Group Setup 6-48 in User Setup 7-49 supported attributes C-40 overview C-1 user-defined about 9-28, D-28 action codes for F-19 adding D-29 deleting D-31 import files D-34 listing D-32 replicating 9-28, D-29 RDBMS synchronization accountActions table as transaction queue 9-31 configuring 9-40 CSV-based 9-34 data source name configuration 9-36, 9-37 disabling 9-42 enabling in interface 3-6 group-related configuration 9-27 import definitions F-1 log CSV (comma-separated values) file directory 11-15 viewing 11-16 manual initialization 9-38 network configuration 9-27 overview 9-25 partners 9-38 preparing to use 9-32 report and error handling 9-32 scheduling options 9-38 user-related configuration 9-26 Registry G-2 rejection mode general 14-4 Windows user databases 14-5 related documentation xxix reliability of network 2-19 remote access policies 2-14 remote logging See logging replication ACS Service Management page 9-3 backups recommended (Caution) 9-10 cascading 9-6, 9-13 certificates 9-3 client configuration 9-16 components overwriting (Caution) 9-17 overwriting (Note) 9-11 selecting 9-11 configuring 9-20 corrupted backups (Caution) 9-10 custom RADIUS dictionaries 9-3 disabling 9-24 EAP-FAST 10-21 external user databases 9-3 frequency 9-7 group mappings 9-3 immediate 9-19 implementing primary and secondary setups 9-15 important considerations 9-8 in System Configuration 9-20 interface configuration 3-5 IP pools 9-3, 9-44 logging 9-10 manual initiation 9-19 master AAA servers 9-3 notifications 9-24 options 9-11 overview 9-2 partners configuring 9-23 options 9-12 process 9-4 scheduling 9-20 scheduling options 9-12 selecting data 9-11 unsupported 9-3 user-defined RADIUS vendors 9-9 vs. backup 9-10 Reports and Activity See also logging configuration privileges 12-5 configuring 11-18 CSV (comma-separated values) logs 11-11 in interface 1-26 overview 11-5 request handling general 14-4 Windows user databases 14-5 requirements hardware 2-2 network 2-4 operating system 2-2 system 2-2 resource consumption G-6 restarting services 8-2 restore components restored configuring 8-17 overview 8-16 filenames 8-15 in System Configuration 8-14 overview 8-15 performing 8-17 reports 8-16 with CSUtil.exe D-6 RFC2138 1-7 RFC2139 1-7 RSA user databases configuring 13-83 group mappings 15-2 S SafeWord user databases configuring 13-78 group mappings 15-2 RADIUS-based group specifications 15-13 search order of external user databases 14-10 security policies 2-15 security protocols Cisco AAA client devices 1-2 CSRadius G-8 CSTacacs G-8 interface options 3-9 RADIUS 1-6, C-1 TACACS+ custom commands 3-9 overview 1-6 time-of-day access 3-8 service control in System Configuration 11-31 Service Monitoring log See Cisco Secure ACS Service Monitoring log services determining status of 8-2 logs configuring 11-31 list of logs generated 11-30 management 8-18 overview 1-4, G-1 starting 8-2 stopping 8-2 session policies configuring 12-17 options 12-16 overview 12-16 shared profile components See also command authorization sets See also network access restrictions downloadable IP ACLs 5-2 overview 5-1 shared secret G-8 shell command authorization sets See also command authorization sets in Group Setup 6-32 in User Setup 7-26 single password configurations 1-13 SMTP (simple mail-transfer protocol) G-7 specifications RADIUS RFC2138 1-7 RFC2139 1-7 system performance 1-3 TACACS+ 1-6 SSL (secure socket layer) 12-13 starting services 8-2 static IP addresses 7-11 stopping services 8-2 stored procedures CHAP authentication configuring 13-71 input values 13-64 output values 13-64 result codes 13-67 EAP-TLS authentication configuring 13-71 input values 13-65 output values 13-66 implementing 13-58 PAP authentication configuring 13-70 input values 13-62 output values 13-63 result codes 13-67 sample procedures 13-60 type definitions integer 13-59 string 13-59 supplementary user information in User Setup 7-6 setting 7-6 synchronization See RDBMS synchronization system configuration advanced 9-1 authentication 10-1 basic 8-1 certificates 10-1 privileges 12-4 health G-5 messages in interface 1-26 monitoring See monitoring performance specifications 1-3 requirements 2-2 services See services T TACACS+ advanced TACACS+ settings in Group Setup 6-2 in User Setup 7-33 AV (attribute value) pairs accounting B-4 general B-1 custom commands 3-9 enable password options for users 7-36 enable privilege options 7-34 interface configuration 3-7 interface options 3-9 outbound passwords for users 7-37 ports 1-6 SENDAUTH 1-14 settings in Group Setup 6-2, 6-30 in User Setup 7-22, 7-24 specifications 1-6 time-of-day access 3-8 troubleshooting A-19 vs. RADIUS 1-6 TACACS+ Accounting log configuring CSV (comma-separated values) 11-17 ODBC 11-21 CSV (comma-separated values) file directory 11-14 enabling CSV (comma-separated values) 11-15 enabling for ODBC 11-21 viewing 11-16 TACACS+ Administration log configuring CSV(comma-separated values) 11-17 ODBC 11-21 CSV (comma-separated values) file directory 11-14 enabling ODBC 11-21 enabling CSV (comma-separated values) 11-15 viewing 11-16 Telnet See also command authorization sets password aging 6-20 test login frequency internally 8-19 thread used G-6 time-of-day/day-of-week specification See also date format control enabling in interface 3-5 timeout values on AAA clients 14-8 TLS (transport level security) See certification token caching 1-14, 13-76 token cards password configuration 1-14 settings in Group Setup 6-17 token servers ActivCard 13-77 CRYPTOCard 13-77 ISDN terminal adapters 13-76 overview 13-76 PassGo 13-77 RADIUS-enabled 13-77 RADIUS token servers 13-77 RSA 13-82 SafeWord 13-77 supported servers 1-9 token caching 13-76 Vasco 13-77 topologies See network topologies troubleshooting AAA servers A-1 administration issues A-2 browser issues A-4 Cisco IOS issues A-5 database issues A-6 debug logs 11-29, A-12 dial-in issues A-8 installation issues A-14 max sessions issues A-14 proxy issues A-13 RADIUS issues A-19 report issues A-15 TACACS+ issues A-19 third-party server issues A-17 upgrade issues A-14 user issues A-18 trust lists See certification trust relationships 13-10 U UNIX passwords D-18 unknown service user setting 7-32 unknown user policies See also unknown users configuring 14-11 in external user databases 13-3, 14-10 overview 14-9 unknown users See also unknown user policies authentication processing 14-8 handling methods 14-2 network access authorization 14-9 update packets See watchdog packets upgrade troubleshooting A-14 usage quotas in Group Setup 6-13 in Interface Configuration 3-5 in User Setup 7-18 overview 1-18 resetting for groups 6-54 for single users 7-58 user-changeable passwords overview 1-15 with Windows user databases 13-23 user databases See databases User Data Configuration 3-3 user groups See groups user-level downloadable ACLs interface 3-5 network access restrictions See also network access restrictions enabling in interface 3-4 User Password Changes log location 11-15 users See also User Setup adding basic steps 7-4 methods 13-3 assigning client IP addresses to 7-10 assigning to a group 7-8 callback options 7-9 configuring 7-2 configuring device management command authorization sets for 7-31 configuring PIX command authorization sets for 7-29 configuring shell command authorization sets for 7-26 customized data fields 3-3 data configuration See User Data Configuration deleting 11-10 deleting accounts 7-57 disabling accounts 7-5 finding 7-55 import methods 13-3 in multiple databases 14-6 in multiple domains 14-6 listing all users 7-55 number allowed 2-18 number of 1-3 RDBMS synchronization 9-26 relationship to groups 3-2 resetting accounts 7-58 saving settings 7-60 supplementary information 7-6 troubleshooting A-18 types discovered 14-3 known 14-2 unknown 14-3 VPDN dialup E-2 User Setup account management tasks 7-54 basic options 7-3 configuring 7-2 deleting user accounts 7-57 saving settings 7-60 Users in Group button 6-53 V validation of passwords 8-5 Vasco user databases group mappings 15-2 RADIUS-based group specifications 15-13 vendor-specific attributes See RADIUS VSAs (vendor specific attributes) viewing logs and reports See logging Voice-over-IP See VoIP (Voice-over-IP) VoIP (Voice-over-IP) accounting configuration 3-6, 8-22 Accounting log enabling csv log 11-15 viewing 11-16 enabling in interface 3-6 group settings in Interface Configuration 3-6 in Group Setup 6-4 VoIP (Voice-over-IP) Accounting log configuring CSV (comma-separated values) 11-17 ODBC 11-21 CSV (comma-separated values) file directory 11-15 enabling ODBC 11-21 VPDN advantages 2-12 authentication process E-1 domain authorization E-2 home gateways E-3 IP addresses E-3 tunnel IDs E-3 users E-2 VSAs See RADIUS VSAs (vendor specific attributes) W warning events G-5, G-7 watchdog packets configuring on AAA clients 4-19 configuring on AAA servers 4-26 logging 11-4 web servers G-2 Windows operating systems authentication order 14-7 Cisco Secure ACS-related services services 8-2 dial-up networking 13-11 dial-up networking clients domain field 13-11 password field 13-11 username field 13-11 Domain List effect 14-7 domains domain names 13-11, 14-5 trusted 13-11 Event logs G-6 Registry G-2 Windows user databases See also databases Active Directory 13-24 configuring 13-28 Domain list inadvertent user lockouts 13-25 domain mapping 15-9 domains trusted 13-10 grant dial-in permission to users 13-9, 13-24 group mappings editing 15-9 no access groups 15-6 remapping 15-9 mapping database groups to AAA groups 15-4 overview 13-7 password aging 6-25 passwords 1-11 rejection mode 14-5 request handling 14-5 trust relationships 13-10 user-changeable passwords 13-23 user manager 13-24 wireless network topologies 2-9
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.