Installation and Configuration Guide for Cisco Secure ACS Remote Agents
Installation of Cisco Secure ACS Remote Agent for Windows

Table Of Contents

Installation of Cisco Secure ACS Remote Agent for Windows

System Requirements

Cisco Secure ACS Requirements

Hardware Requirements

Operating System Requirements

Network Requirements

Installing a Remote Agent for Windows

Uninstalling Cisco Secure ACS Remote Agent for Windows

Upgrading Cisco Secure ACS Remote Agent for Windows

Windows Authentication from a Member Server

Verifying Domain Membership

Configuring Security for the Remote Agent Service

Configuring Active Directory for EAP-TLS

Installation of Cisco Secure ACS Remote Agent for Windows


This chapter provides information about installing Cisco Secure ACS Remote Agent for Windows. It contains the following sections:

System Requirements

Network Requirements

Installing a Remote Agent for Windows

Uninstalling Cisco Secure ACS Remote Agent for Windows

Upgrading Cisco Secure ACS Remote Agent for Windows

Windows Authentication from a Member Server

System Requirements

The computer running Cisco Secure ACS Remote Agent for Windows must meet the minimum requirements detailed in the sections that follow.

Cisco Secure ACS Requirements

You must use Cisco Secure ACS Remote Agent for Windows, version 3.2, with Cisco Secure ACS Appliance, version 3.2. Other versions of Cisco Secure ACS Appliance are not supported.

Hardware Requirements

The computer running Cisco Secure ACS Remote Agent for Windows must meet the following minimum hardware requirements:

Pentium III processor, 550 MHz or faster.

256 MB of RAM.

At least 250 MB of free disk space.

Operating System Requirements

The computer running Cisco Secure ACS Remote Agent for Windows must use an English-language version of Windows 2000 Server with Service Pack 3 installed. Both the operating system and the applicable service pack must be English-language versions.

Windows service packs can be applied either before or after installing Cisco Secure ACS Remote Agent for Windows. If you do not install a required service pack before installing Cisco Secure ACS Remote Agent for Windows, the Cisco Secure ACS Remote Agent for Windows installation program warns you that the required service pack is not present on your server. If you receive a service pack message, continue the installation, and then install the required service pack before starting user authentication with Cisco Secure ACS.

For the most recent information about tested operating systems and service packs, see the Release Notes for Cisco Secure ACS Appliance. The current version of the Release Notes is posted on Cisco.com (http://www.cisco.com).

Network Requirements

Your network must meet the following requirements before you begin installing Cisco Secure ACS.

The computer running Cisco Secure ACS Remote Agent for Windows must be able to ping the Cisco Secure ACS Appliances that it supports.

Gateway devices must permit traffic between the computer running Cisco Secure ACS Remote Agent for Windows and the Cisco Secure ACS Appliance. Specifically, the remote agent must receive TCP communication on TCP ports you configure in CSAgent.ini. The default TCP ports, if all services are used, are 2004, 2005, 2006, and 2007. The appliance must receive TCP communication on TCP port 2003.


Note Using the CSAgent.ini file, you can configure the ports used by the remote agent to communicate with Cisco Secure ACS. If you change the ports used, configure intervening gateway devices to permit TCP traffic on the ports that you configure the remote agent to use. For more information about changing the ports that a remote agent uses, see Configuring a Remote Agent.
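An added check script for the requirements above; it is not part of the Cisco guide. It runs on the host where the remote agent is installed and assumes the NetTCPIP cmdlets Test-NetConnection and Get-NetTCPConnection (Windows 8 / Server 2012 or later), which the Windows 2000 Server this guide targets does not have. The appliance name is a placeholder; the port defaults are the guide's values and should be changed to whatever is configured in CSAgent.ini.

```powershell
# Added example, not from the Cisco guide: check the reachability described
# under "Network Requirements", run on the host where the remote agent is
# installed. Assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later),
# which Windows 2000 Server does not have. Defaults are the guide's port values;
# the appliance name is a placeholder.
param(
    [string]$Appliance     = 'acs-appliance.example.invalid',  # placeholder hostname or IP
    [int]$AppliancePort    = 2003,                             # appliance listens here (guide default)
    [int[]]$AgentPorts     = @(2004, 2005, 2006, 2007)         # remote agent ports, as set in CSAgent.ini
)

# 1. ICMP: the guide requires that the agent host can ping the appliance.
$pingOk = Test-Connection -ComputerName $Appliance -Count 2 -Quiet
'Ping {0}: {1}' -f $Appliance, $(if ($pingOk) { 'OK' } else { 'FAILED' })

# 2. Outbound TCP from the agent host to the appliance port.
$tcp = Test-NetConnection -ComputerName $Appliance -Port $AppliancePort -WarningAction SilentlyContinue
$tcpState = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAILED (check intervening gateway devices)' }
'TCP {0}:{1} from this host: {2}' -f $Appliance, $AppliancePort, $tcpState

# 3. Local listeners: the agent must be able to receive on every configured port.
#    A listener here proves the service is up, not that gateways pass the
#    traffic; inbound reachability must also be tested from the appliance side.
$listening = Get-NetTCPConnection -State Listen | ForEach-Object { $_.LocalPort }
foreach ($port in $AgentPorts) {
    $state = if ($listening -contains $port) { 'listening' } else { 'NOT listening (service stopped, or port changed in CSAgent.ini?)' }
    'Agent port {0}: {1}' -f $port, $state
}
```

Run it as `.\Check-AgentPorts.ps1 -Appliance 10.0.0.5` (or whatever name you save it under). Only the appliance-bound direction can be proven from the agent host; a passing listener check with a failing inbound test from the appliance side points at a gateway device that still blocks the agent ports.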


Installing a Remote Agent for Windows

Use this procedure to install Cisco Secure ACS Remote Agent for Windows.

Before You Begin

Determine the IP address of the Cisco Secure ACS Appliance that is to be the configuration provider for this remote agent. For more information about configuration providers, see Configuration Provider.

If you are installing Cisco Secure ACS Remote Agent for Windows on a member server and want to authenticate users with a Windows domain user database, be aware that after you have installed the remote agent you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.

To install Cisco Secure ACS Remote Agent for Windows, follow these steps:


Step 1 Using the local administrator account, log in to the Microsoft Windows server on which you want to install Cisco Secure ACS.

Step 2 Insert the Cisco Secure ACS CD into a CD-ROM drive on the Microsoft Windows server.

Result: If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS Appliance dialog box appears.


Note If the computer does not have a required service pack installed, a dialog box may appear. Windows service packs can be applied either before or after installing Cisco Secure ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably.


Step 3 If the Cisco Secure ACS Appliance dialog box appears, click Cancel.

Step 4 On the Cisco Secure ACS Appliance CD, locate the Windows remote agent subdirectory.

Step 5 From the Windows remote agent subdirectory, run Setup.exe.

Result: The Welcome dialog box displays basic information about the setup program.

Step 6 After you have read the information in the Welcome dialog box, click Next >.

Result: The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path to which the setup program installs Cisco Secure ACS Remote Agent for Windows.

Step 7 If you want to change the installation location, follow these steps:

a. Click Browse.

Result: The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can either type the new location in the Path box or use the Drives and Directories lists to select a new drive and directory.


Note The installation location must be on a drive local to the Windows server.


c. Click OK.


Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.


Result: In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 8 Click Next >.

Result: The Agent Services dialog box lists options supported by Cisco Secure ACS Remote Agent for Windows:

Logging Service

Windows Authentication Service

Step 9 Select the agent services you want to use, and then click Next >.

Result: The Configuration Provider dialog box appears.

Step 10 In the Hostname box, type the hostname or IP address of the Cisco Secure ACS Appliance that should control the configuration of this remote agent.


Note If you type a hostname, be sure either that DNS is operating correctly or that the appliance hostname is in the local hosts file.


Step 11 Click Next >.

Result: The setup program installs Cisco Secure ACS Remote Agent for Windows.

The Setup Complete dialog box lists options for restarting the computer.

Step 12 Select the reboot option you want.


Note Rebooting is required to complete installation successfully. If you chose not to reboot now, do so before attempting to use remote agent services.


Step 13 Click Finish.

Result: The setup program exits. If you chose to reboot the computer automatically, Windows restarts.

Step 14 If you have installed Cisco Secure ACS Remote Agent for Windows on a member server and want to authenticate users with a Windows domain user database, you must perform the additional Windows configuration discussed in Windows Authentication from a Member Server.


Note If you are reinstalling the remote agent after uninstalling it, previous configuration of the remote agent service was lost during the uninstallation. For more information, see Windows Authentication from a Member Server.



Uninstalling Cisco Secure ACS Remote Agent for Windows

Use Windows Control Panel to uninstall Cisco Secure ACS Remote Agent for Windows. No special steps are required.


Note If you do not intend to reinstall Cisco Secure ACS Remote Agent for Windows on this computer, remove the applicable remote agent configurations from all Cisco Secure ACS Appliances.


Upgrading Cisco Secure ACS Remote Agent for Windows

The upgrade process consists of uninstalling the old version of the remote agent and installing the new version.

To upgrade Cisco Secure ACS Remote Agent for Windows software, follow these steps:


Step 1 Remove the old version of the remote agent by performing the steps in Uninstalling Cisco Secure ACS Remote Agent for Windows.

Step 2 Using the version of Cisco Secure ACS Remote Agent for Windows that you want to upgrade to, perform the steps in Installing a Remote Agent for Windows.


Windows Authentication from a Member Server

Using Cisco Secure ACS Remote Agent for Windows, a Cisco Secure ACS Appliance can authenticate users against both types of Windows domain user databases: Security Accounts Manager (SAM) user databases and Active Directory user databases. For either type of Windows domain user database, Cisco Secure ACS forwards authentication requests to the remote agent. The remote agent submits authentication requests to the Windows operating system of the server on which the remote agent is installed. If you have installed Cisco Secure ACS Remote Agent for Windows on a member server and you plan to use a Windows domain user database to authenticate users, you must perform additional Windows configuration to ensure that Windows permits authentication to occur from the member server. To do so, complete the steps in the following procedures:

Verifying Domain Membership

Configuring Security for the Remote Agent Service

Configuring Active Directory for EAP-TLS

Verifying Domain Membership

One common configuration error that prevents Windows authentication is the erroneous assignment of the member server to a workgroup with the same name as the Windows domain that you want to use to authenticate users. While this may seem obvious, we recommend that you verify that the computer running the remote agent is a member server of the correct domain.

To verify domain membership of the computer running the remote agent, follow these steps:


Step 1 From the Windows desktop of the server running the remote agent, right-click My Computer and from the shortcut menu select Properties.

Result: The System Properties panel appears.

Step 2 Select the Network Identification tab.

Step 3 Verify that the Domain box displays the name of the domain that the computer running Cisco Secure ACS should be a member of.


Note If the Workgroup box appears instead of the Domain box, the member server is not a member of a domain.


Step 4 If the computer running the remote agent is not a member of the correct domain, change the server identification, as applicable.


Configuring Security for the Remote Agent Service

If you have installed Cisco Secure ACS Remote Agent for Windows on a member server, the member server must pass Windows authentication requests to a domain controller. For these requests to succeed, the remote agent must submit them using a user account that has certain security privileges enabled on the member server.


Note If you use Active Directory to authenticate users, determine whether Active Directory is configured to use Pre-Windows 2000 Compatible Mode. If all Active Directory trees containing users that will be authenticated by Cisco Secure ACS are configured to use this mode, the steps in this procedure are not required.


Before You Begin

If you have upgraded or reinstalled the remote agent and you completed this procedure previously, Step 1 through Step 6 apply to you only if you want to use a different user account to run the remote agent service.

To configure the remote agent service, follow these steps:


Step 1 In the domain that the computer running Cisco Secure ACS Remote Agent for Windows is a member of, create a domain user account. This is the user account that you will use to run the remote agent service. To determine which domain the computer running the remote agent belongs to, see Verifying Domain Membership.


Tip Give the user account an easily recognizable name, like "CSACS". If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems related to failed remote agent authentication attempts.


Step 2 Using the local administrator account, log in to the computer running Cisco Secure ACS Remote Agent for Windows.

Step 3 Add the user account you created in Step 1 to the local Administrators group. To do so, follow these steps:

a. Choose Start > Settings > Control Panel > Administrative Tools > Computer Management.


Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Computer Management.


Result: The Computer Management window appears.

b. Under the Tree tab, double-click Local Users and Groups, and then click Groups.


Tip If Local Groups and Users does not appear under the Tree tab, double-click System Tools.


Result: The Name column lists the local groups available on the computer running the remote agent.

c. Double-click Administrators.

Result: The Administrators Properties dialog box appears.

d. Click Add....

Result: The Select Users or Groups dialog box appears.

e. In the box below the Add button, type the username for the user account you created in Step 1.


Note The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS".


f. Click Check Names.

Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running the remote agent should not have permission to access user account information on the domain controller.

g. In the Connect as box, type a domain-qualified username.


Note The username provided must exist in the domain specified in Step e. For example, if the domain specified is "CORPORATE" and "echamberlain" is a valid user in that domain, type "CORPORATE\echamberlain".


h. In the Password box, type the password for the user account specified in Step e.

i. Click OK.

Result: Windows verifies the existence of the username provided in Step e. The Enter Network Password dialog box closes.

j. In the Select Users or Groups dialog box, click OK.

Result: The Select Users or Groups dialog box closes.

Windows adds the username to the Members list on the Administrators Properties dialog box.

k. Click OK.

Result: The Administrators Properties dialog box closes.

l. Close the Computer Management window.

Result: The user account you created in Step 1 is assigned to the local Administrators group.

Step 4 Choose Start > Settings > Control Panel > Administrative Tools > Local Security Policy.


Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.


Result: The Local Security Settings window appears.

Step 5 In the Name column, double-click Local Policies, and then double-click User Rights Assignment.

Result: The Local Security Settings window displays a list of policies with their associated settings. The two policies that you must configure are:

Act as part of the operating system

Log on as a service

Step 6 For the Act as part of the operating system policy and again for the Log on as a service policy, follow these steps:

a. Double-click the policy name.

Result: The Local Policy Setting dialog box appears.

b. Click Add....

Result: The Select Users or Groups dialog box appears.

c. In the box below the Add button, type the username for the user account you created in Step 1.


Note The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS".


d. Click Check Names.

Result: The Enter Network Password dialog box appears. This is because the local administrator account of the member server running the remote agent should not have permission to access user account information on the domain controller.

e. In the Connect as box, type a domain-qualified username.


Note The username provided must exist in the domain specified in Step c. For example, if the domain specified is "CORPORATE" and "echamberlain" is a valid user in that domain, type "CORPORATE\echamberlain".


f. In the Password box, type the password for the user account specified in Step e.

g. Click OK.

Result: Windows verifies the existence of the username provided in Step c. The Enter Network Password dialog box closes.

h. In the Select Users or Groups dialog box, click OK.

Result: The Select Users or Groups dialog box closes.

Windows adds the username to the Assign To list in the Local Policy Setting dialog box.

i. Click OK.

Result: The Local Policy Setting dialog box closes. The domain-qualified username specified in Step c appears in the settings associated with the policy you have configured.

j. Verify that the username specified in Step c appears in the Local Setting column for the policy you modified. If it does not, repeat these steps.


Tip To see the username you added, you may have to widen the Local Setting column.



Note The Effective Setting column does not dynamically update. This procedure includes later verification steps for ensuring that the Effective Setting column contains the required information.


Result: After you have configured both the Act as part of the operating system policy and the Log on as a service policy, the user account created in Step 1 appears in the Local Setting column for each policy you configured.

Step 7 Verify that the security policy settings you changed are in effect on the computer running the remote agent. To do so, follow these steps:

a. Close the Local Security Settings window.

Result: The window closes. This is the only way to refresh the information in the Effective Setting column.

b. Open the Local Security Settings window again. To do so, choose Start > Programs > Administrative Tools > Local Security Policy.

c. In the Name column, double-click Local Policies, and then double-click User Rights Assignment.

Result: The Local Security Settings window displays an updated list of policies with their associated settings.

d. For the Act as part of the operating system policy and again for the Log on as a service policy, verify that the username you added to the policy in Step 6 appears in the Effective Setting column.


Note If the username you configured the policies to include in Step 6 does not appear in the Effective Setting column for both policies, there may be security policy settings on the domain controller that conflict with the local setting. Resolve the conflict by configuring security policies on the domain controller to allow the local settings to be the effective settings for these two policies. For more information about configuring security policies on the domain controller, see your Microsoft documentation.


Result: The user account created in Step 1 has the required privileges to run Cisco Secure ACS services and support Windows authentication.

Step 8 Close the Local Security Settings window.

Step 9 Continuing as the local administrator on the computer running Cisco Secure ACS, choose Start > Settings > Control Panel > Administrative Tools > Services.


Tip If Control Panel is not expanded on the Start menu, choose Start > Settings > Control Panel, double-click Administrative Tools, and then double-click Services.


Result: The Services window displays a list of service groups and a list of all registered services for the current group. The list of service groups is labeled Tree. The registered services for the current group appear in the list to the right of the Tree list.

Step 10 In the Tree list, click Services (local).

Result: The Windows service installed to support the remote agent appears in the list of services as CiscoSecure ACS Agent. The service name is CSAgent.

Step 11 Configure the CiscoSecure ACS Agent service. To do so, follow these steps:

a. In the list of services, right-click the CiscoSecure ACS Agent service, and from the shortcut menu, choose Properties.

Result: The Computer Browser Properties (Local Computer) dialog box appears.

b. Select the Log On tab.

c. Select the This account option.

d. In the box next to the This account option, type the username for the account created in Step 1.


Note The username must be in domain-qualified format. For example, if you created a user named "CSACS" in the "CORPORATE" domain, type "CORPORATE\CSACS".


e. In the Password box and in the Confirm Password box, type the password for the user account created in Step 1.

f. Click Apply.


Note If a confirmation dialog box appears, click OK.


Result: The CiscoSecure ACS Agent service is configured to run using the privileges of the user account created in Step 1.

Step 12 Restart the CiscoSecure ACS Agent service. To do so, follow these steps:

a. On the Computer Browser Properties (Local Computer) dialog box, select the General tab.

b. Click Stop.

Result: The Service Control dialog box appears while the service is stopping.

c. Click Start.

Result: The Service Control dialog box appears while the service is starting.

Result: The remote agent service runs using the privileges of the user account created in Step 1.
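An added audit script, not part of the Cisco guide, that reads back what the procedure above (domain membership, local Administrators membership, the two user rights, and the service logon account) should have produced. It assumes a current Windows host with the CIM cmdlets, Get-LocalGroupMember and secedit.exe, rather than the Windows 2000 Server the guide targets, and must be run elevated on the remote agent host. 'CORPORATE\CSACS' is the guide's own example account name; the service name CSAgent is the one the guide gives in Step 10.

```powershell
# Added example, not from the Cisco guide: audit what the "Windows Authentication
# from a Member Server" procedure should have produced. Assumes a current Windows
# host (CIM cmdlets, Get-LocalGroupMember, secedit.exe) rather than the Windows
# 2000 Server the guide targets; run it elevated on the remote agent host.
# 'CORPORATE\CSACS' is the guide's own example account name.
param([string]$ServiceAccount = 'CORPORATE\CSACS')

# 1. "Verifying Domain Membership": is this a member server, and of which domain?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { 'Domain member of: {0}' -f $cs.Domain }
else { 'NOT domain-joined; workgroup: {0}' -f $cs.Workgroup }

# 2. Step 3: membership of the local Administrators group.
$member = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -eq $ServiceAccount }
'Local Administrators member: {0}' -f $(if ($member) { 'yes' } else { 'NO' })

# 3. Steps 5-7: the two user rights, read from a secedit export. Constant names:
#    "Act as part of the operating system" = SeTcbPrivilege
#    "Log on as a service"                 = SeServiceLogonRight
#    secedit lists holders as *<SID>, so resolve the account to its SID first
#    (the domain must be reachable for the translation to succeed).
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg     = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
$policy  = Get-Content -Path $cfg
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
foreach ($right in 'SeTcbPrivilege', 'SeServiceLogonRight') {
    $entry = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $held  = [bool]($entry -and ($entry -match [regex]::Escape("*$sid")))
    '{0,-20} held by {1}: {2}' -f $right, $ServiceAccount, $(if ($held) { 'yes' } else { 'NO' })
}

# 4. Step 11: the CSAgent service must log on with that account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CSAgent'"
if ($svc) { 'CSAgent runs as {0} (state: {1})' -f $svc.StartName, $svc.State }
else { 'CSAgent service not found on this host' }
```

The secedit export reflects the effective local policy, so it covers the same check as Step 7 (a domain policy that overrides the local setting shows up as the account missing from the right). Note what this procedure hands out: Act as part of the operating system (SeTcbPrivilege) lets a process act as the system itself, so the account that holds it and sits in local Administrators should run nothing but the CSAgent service, carry a long unique password, and, as the guide's Tip on a recognizable name suggests, be easy to pick out in Event Viewer when reviewing logon and privilege-use events.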


Configuring Active Directory for EAP-TLS

If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory; otherwise, EAP-TLS authentication fails. To the username you created in Verifying Domain Membership, you must grant "Read all properties" permission for all Active Directory folders containing users that will authenticate with EAP-TLS. This must be the same username that you configured Cisco Secure ACS services to run as. Granting permissions for Active Directory folders is done by accessing Active Directory using the Microsoft Management Console and configuring the security properties for the folders containing users who are to be authenticated by EAP-TLS.


Tip You can access the security properties of an Active Directory folder containing users by right-clicking the folder, selecting Properties, and clicking the Security tab. Click Add to include the username that is used to run Cisco Secure ACS services.


For more information about configuring Active Directory permissions, see Microsoft Active Directory documentation for Windows 2000 Server.
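An added check for the "Read all properties" grant described above; it is not part of the Cisco guide. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) on a current Windows host. The account name is the guide's example, and the container distinguished names are placeholders for the OUs or containers that hold your EAP-TLS users.

```powershell
# Added example, not from the Cisco guide: check the "Read all properties"
# grant described under "Configuring Active Directory for EAP-TLS". Assumes
# the RSAT ActiveDirectory module (AD: drive) on a current Windows host.
# The account is the guide's example; the container DNs are placeholders.
param(
    [string]$ServiceAccount = 'CORPORATE\CSACS',
    [string[]]$Containers   = @('OU=EAP-TLS Users,DC=corporate,DC=example')   # placeholder DNs
)
Import-Module ActiveDirectory

# "Read all properties" in the Security tab is the ReadProperty right applied
# with an empty ObjectType GUID (all properties). The "Read" checkbox
# (GenericRead) sets the same bit, so both are accepted here.
$readProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

foreach ($dn in $Containers) {
    $acl = Get-Acl -Path ("AD:\" + $dn)
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $readProperty) -ne 0) -and
        $_.ObjectType -eq [guid]::Empty
    }
    if ($ace) {
        '{0}: read-all-properties Allow ACE present for {1}' -f $dn, $ServiceAccount
    }
    else {
        # Access inherited through a group (for example Pre-Windows 2000
        # Compatible Access) is not matched by name here; use the Effective
        # Access view in the security properties for those cases.
        '{0}: NO direct read-all-properties ACE for {1}' -f $dn, $ServiceAccount
    }
}
```

The check is deliberately narrow: it reports only an explicit Allow entry for the service account itself, which is what the procedure above creates, and does not try to compute group-derived or inherited permissions. A missing entry with working EAP-TLS usually means the access comes from a broader group grant, which is worth knowing when you later tighten that group.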