User Group Management
This chapter provides information about setting up and managing user groups in CiscoSecure ACS Appliance to control authorization. CiscoSecure ACS enables you to group network users for more efficient administration. Each user can belong to only one group in CiscoSecure ACS. You can establish up to 500 groups to effect different levels of authorization.
CiscoSecure ACS also supports external database group mapping; that is, if your external user database distinguishes user groups, these groups can be mapped into CiscoSecure ACS. And if the external database does not support groups, you can map all users from that database to a CiscoSecure ACS user group. For information about external database mapping, see "User Group Mapping and Specification".
Before you configure Group Setup, you should understand how this section functions. CiscoSecure ACS dynamically builds the Group Setup section interface depending on the configuration of your network devices and the security protocols being used. That is, what you see under Group Setup is affected by settings in the Network Configuration and Interface Configuration sections.
This chapter contains the following topics:
• About User Group Setup Features and Functions
• Basic User Group Settings
• Configuration-specific User Group Settings
• Group Setting Management
About User Group Setup Features and Functions
The Group Setup section of the CiscoSecure ACS HTML interface is the centralized location for operations regarding user group configuration and administration. For information about network device groups (NDGs), see Network Device Group Configuration.
This section contains the following topics:
• Default Group
• Group TACACS+ Settings
Default Group
If you have not configured group mapping for an external user database, CiscoSecure ACS assigns users who are authenticated by the Unknown User Policy to the Default Group the first time they log in. The privileges and restrictions for the default group are applied to first-time users. If you have upgraded from a previous version of CiscoSecure ACS and kept your database information, CiscoSecure ACS retains the group mappings you configured before upgrading.
Group TACACS+ Settings
CiscoSecure ACS enables a full range of settings for TACACS+ at the group level. If a AAA client has been configured to use TACACS+ as the security control protocol, you can configure standard service protocols, including PPP IP, PPP LCP, ARAP, SLIP, and shell (exec), to be applied for the authorization of each user who belongs to a particular group.
Note
You can also configure TACACS+ settings at the user level. User-level settings always override group level settings.
CiscoSecure ACS also enables you to enter and configure new TACACS+ services. For information about how to configure a new TACACS+ service to appear on the group setup page, see Protocol Configuration Options for TACACS+.
If you have configured CiscoSecure ACS to interact with a Cisco device-management application, new TACACS+ services may appear automatically, as needed, to support the device-management application. For more information about CiscoSecure ACS interaction with device-management applications, see Support for Cisco Device-Management Applications.
You can use the Shell Command Authorization Set feature to configure TACACS+ group settings. This feature enables you to apply shell commands to a particular user group in the following ways:
• Assign a shell command authorization set, which you have already configured, for any network device.
• Assign a shell command authorization set, which you have already configured, to particular NDGs.
• Permit or deny specific shell commands, which you define, on a per-group basis.
For more information about shell command authorization sets, see "Shared Profile Components".
Basic User Group Settings
This section presents the basic activities you perform when configuring a new user group.
This section contains the following topics:
• Enabling VoIP Support for a User Group
• Setting Default Time-of-Day Access for a User Group
• Setting Callback Options for a User Group
• Setting Network Access Restrictions for a User Group
• Setting Max Sessions for a User Group
• Setting Usage Quotas for a User Group
Enabling VoIP Support for a User Group
Note
If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Group Settings check box.
Perform this procedure to enable support for the null password function of VoIP. This enables users to authenticate (session or telephone call) on only the user ID (telephone number).
When you enable VoIP at the group level, all users in this group become VoIP users, and the user IDs are treated similarly to a telephone number. VoIP users do not need to enter passwords to authenticate.
Caution
Enabling VoIP disables password authentication and most advanced settings, including password aging and protocol attributes.
To enable VoIP support for a group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select the group you want to configure for VoIP support, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Voice-over-IP Support table, select the check box labeled This is a Voice-over-IP (VoIP) group - and all users of this group are VoIP users.
Step 4 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 5 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Setting Default Time-of-Day Access for a User Group
Note
If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Default Time-of-Day / Day-of-Week Specification check box.
To define the times during which users in a particular group are permitted or denied access, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Default Time-of-Day Access Settings table, select the Set as default Access Times check box.
Note
You must select the Set as default Access Times check box to limit access based on time or day.
Times at which the system permits access are highlighted in green on the day and hour matrix.
Note
The default sets accessibility during all hours.
Step 4 In the day and hour matrix, click the times at which you do not want to permit access to members of this group.
Tip
Clicking times of day on the graph deselects those times; clicking again reselects them.
At any time, you can click Clear All to clear all hours, or you can click Set All to select all hours.
Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Setting Callback Options for a User Group
Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges. There are three options, as follows:
• No callback allowed —Disables callback for users in this group. This is the default setting.
• Dialup client specifies callback number —Allows the dialup client to specify the callback number. The dialup client must support RFC 1570, PPP LCP Extensions.
• Use Windows Database callback settings (where possible) —Uses the Microsoft Windows callback settings. If a Windows account for a user resides in a remote domain, the domain in which CiscoSecure ACS resides must have a two-way trust with that domain for the Microsoft Windows callback settings to operate for that user.
To set callback options for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 Select a group from the Group list, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Callback table, select one of the following three options:
• No callback allowed
• Dialup client specifies callback number
• Use Windows Database callback settings (where possible)
Step 4 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 5 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Setting Network Access Restrictions for a User Group
The Network Access Restrictions table in Group Setup enables you to apply network access restrictions (NARs) in three distinct ways:
• Apply existing shared NARs by name.
• Define IP-based group access restrictions to permit or deny access to a specified AAA client or to specified ports on a AAA client when an IP connection has been established.
• Define CLI/DNIS-based group NARs to permit or deny access to either, or both, the calling line ID (CLI) number or the Dialed Number Identification Service (DNIS) number used.
Note
You can also use the CLI/DNIS-based access restrictions area to specify other values. For more information, see About Network Access Restrictions.
Typically, you define (shared) NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction. You must have enabled the Group-Level Shared Network Access Restriction check box on the Advanced Options page of the Interface Configuration section for these options to appear in the CiscoSecure ACS HTML interface.
However, CiscoSecure ACS also enables you to define and apply a NAR for a single group from within the Group Setup section. You must have enabled the Group-Level Network Access Restriction setting under the Advanced Options page of the Interface Configuration section for single group IP-based filter options and single group CLI/DNIS-based filter options to appear in the CiscoSecure ACS HTML interface.
Note
When an authentication request is forwarded by proxy to a CiscoSecure ACS server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
To set NARs for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 To apply a previously configured shared NAR to this group, follow these steps:
Note
To apply a shared NAR, you must have configured it under Network Access Restrictions in the Shared Profile Components section. For more information, see Adding a Shared Network Access Restriction.
a. Select the Only Allow network access when check box.
b. To specify whether one or all shared NARs must apply for a member of the group to be permitted access, select one of the following options:
• All selected shared NARS result in permit
• Any one selected shared NAR results in permit
c. Select a shared NAR name in the Shared NAR list, and then click --> (right arrow button) to move the name into the Selected Shared NARs list.
Tip
To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR, as applicable.
Step 4 To define and apply a NAR, for this particular user group, that permits or denies access to this group based on IP address, or IP address and port, follow these steps:
Tip
You should define most NARs from within the Shared Components section so that the restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction.
a. In the Per Group Defined Network Access Restrictions section of the Network Access Restrictions table, select the Define IP-based access restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied IP addresses, from the Table Defines list, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.
c. Select or enter the information in the following boxes:
• AAA Client —Select either All AAA Clients or the name of the NDG or the name of the individual AAA client to which to permit or deny access.
• Port —Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.
• Address —Type the IP address or addresses to filter on when performing access restrictions. You can use the wildcard asterisk (*).
Note
The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.
d. Click Enter.
The specified AAA client, port, and address information appears in the NAR Access Control list.
Step 5 To permit or deny access to this user group based on calling location or values other than an established IP address, follow these steps:
a. Select the Define CLI/DNIS-based access restrictions check box.
b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following:
• Permitted Calling/Point of Access Locations
• Denied Calling/Point of Access Locations
c. From the AAA Client list, select either All AAA Clients or the name of the NDG or the name of the particular AAA client to which to permit or deny access.
d. Complete the following boxes:
Note
You must type an entry in each box. You can use the wildcard asterisk (*) for all or part of a value. The format you use must match the format of the string you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.
• PORT —Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports.
• CLI —Type the CLI number to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access based on part of the number or all numbers.
Tip
This is also the selection to use if you want to restrict access based on other values, such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions.
• DNIS —Type the DNIS number to restrict access based on the number into which the user will be dialing. You can use the wildcard asterisk (*) to permit or deny access based on part of the number or all numbers.
Tip
This is also the selection to use if you want to restrict access based on other values, such as a Cisco Aironet AP MAC address. For more information, see About Network Access Restrictions.
Note
The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.
e. Click Enter.
The information specifying the AAA client, port, CLI, and DNIS appears in the list.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
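The following Python program is an added illustration, not CiscoSecure ACS code: it models how a NAR table that defines either permitted or denied locations can be evaluated against a request using the AAA client / NDG, port, address, CLI and DNIS values and the asterisk wildcard described above, how the 1024-character limit can be checked before a NAR is saved, and how several shared NARs combine under the All selected / Any one selected options. The field names, the matching rules, the way the character limit is summed, and the sample requests are assumptions made for the example.

```python
from fnmatch import fnmatchcase

MAX_NAR_CHARS = 1024             # limit stated in the Group Setup documentation
ALL_CLIENTS = "All AAA Clients"  # literal shown in the AAA Client list


class Nar:
    """One NAR table: entries that the table defines as either permitted or
    denied calling/point-of-access locations (assumed model, not ACS internals)."""

    def __init__(self, name, permitted, entries):
        self.name = name
        self.permitted = permitted   # True = "Permitted ... Locations" table
        self.entries = entries       # dicts with aaa_client, port, address | cli, dnis
        # Assumption: the 1024-character limit is applied to the whole table.
        total = sum(len(v) for e in entries for v in e.values())
        if total > MAX_NAR_CHARS:
            raise ValueError(f"NAR {name!r}: {total} characters exceed {MAX_NAR_CHARS}")

    @staticmethod
    def _entry_matches(entry, request):
        for field, pattern in entry.items():
            if field == "aaa_client":
                # All AAA Clients, the client's own name, or the NDG it belongs to
                if pattern != ALL_CLIENTS and pattern not in (
                    request.get("aaa_client"), request.get("ndg")
                ):
                    return False
            elif not fnmatchcase(request.get(field, ""), pattern):
                # '*' may stand for all or part of a value
                return False
        return True

    def permits(self, request):
        matched = any(self._entry_matches(e, request) for e in self.entries)
        # A permitted table grants on a match; a denied table grants on no match.
        return matched if self.permitted else not matched


def access_allowed(nars, request, mode="all"):
    """Combine the selected shared NARs: 'all' = All selected shared NARs result
    in permit; 'any' = Any one selected shared NAR results in permit."""
    verdicts = [n.permits(request) for n in nars]
    if not verdicts:
        return True
    return all(verdicts) if mode == "all" else any(verdicts)


# Constructed sample data (not from the documentation): one IP-based permit
# table scoped to an NDG and one CLI/DNIS-based deny table for a CLI prefix.
BRANCH_IP_NAR = Nar("branch-ip", permitted=True, entries=[
    {"aaa_client": "Branch-NDG", "port": "*", "address": "10.1.*"},
])
BLOCK_PREFIX_NAR = Nar("block-555", permitted=False, entries=[
    {"aaa_client": ALL_CLIENTS, "port": "*", "cli": "555*", "dnis": "*"},
])


def check(request, mode="all"):
    """Evaluate a request against both sample NARs under the given mode."""
    return access_allowed([BRANCH_IP_NAR, BLOCK_PREFIX_NAR], request, mode)


if __name__ == "__main__":
    req = {"aaa_client": "rtr-b1", "ndg": "Branch-NDG", "port": "tty5",
           "address": "10.1.2.3", "cli": "2125551234", "dnis": "8005550100"}
    print("branch user, all-mode:", check(req))                          # True
    print("blocked CLI prefix:", check({**req, "cli": "5551234"}))       # False
    print("other NDG, any-mode:", check({**req, "ndg": "HQ-NDG"}, "any"))  # True
```

Because a denied table only withholds access when an entry matches, a request that carries no value for a field (an empty string here) still matches an asterisk entry; when you build real NARs, confirm the exact string format your AAA client sends, as the Note above advises, so that wildcard prefixes line up with it.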
Setting Max Sessions for a User Group
Note
If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Max Sessions check box.
Perform this procedure to define the maximum number of sessions available to a group, or to each user in a group, or both. The settings are as follows:
• Sessions available to group —Sets the maximum number of simultaneous connections for the entire group.
• Sessions available to users of this group —Sets the maximum number of total simultaneous connections for each user in this group.
Tip
As an example, Sessions available to group is set to 10 and Sessions available to users of this group is set to 2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in.
Note
A session is any type of connection supported by RADIUS or TACACS+, such as PPP, NAS prompt, Telnet, ARAP, IPX/SLIP.
Note
The default setting for group Max Sessions is Unlimited for both the group and the user within the group.
To configure max sessions settings for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 In the Max Sessions table, under Sessions available to group, select one of the following options:
• Unlimited —Select to allow this group an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)
• n —Type the maximum number of simultaneous sessions to allow this group.
Step 4 In the lower portion of the Max Sessions table, under Sessions available to users of this group, select one of the following two options:
• Unlimited —Select to allow each individual in this group an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)
• n —Type the maximum number of simultaneous sessions to allow each user in this group.
Note
Settings made in User Setup override group settings. For more information, see Setting Max Sessions Options for a User.
Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
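The following Python program is an added illustration, not CiscoSecure ACS code: it models the two Max Sessions ceilings (Sessions available to group and Sessions available to users of this group), with Unlimited as the default, and with a per-user value from User Setup overriding the group value. It reproduces the Tip above (group 10, users 2, so at most 5 users can each hold both sessions). The class and function names, and the way a session is admitted or refused, are assumptions made for the example.

```python
UNLIMITED = None   # the Unlimited option, the default for both settings


class MaxSessions:
    """Assumed model of the Max Sessions group settings: a group-wide ceiling
    and a per-user ceiling, with User Setup values overriding the group value."""

    def __init__(self, group_limit=UNLIMITED, user_limit=UNLIMITED, user_overrides=None):
        self.group_limit = group_limit                   # Sessions available to group
        self.user_limit = user_limit                     # Sessions available to users of this group
        self.user_overrides = dict(user_overrides or {})  # per-user values set in User Setup
        self.active = {}                                 # user -> current session count

    def limit_for(self, user):
        # Settings made in User Setup override group settings
        return self.user_overrides.get(user, self.user_limit)

    def group_total(self):
        return sum(self.active.values())

    def try_start(self, user):
        """Return True and record the session if both ceilings allow it."""
        per_user = self.limit_for(user)
        if per_user is not UNLIMITED and self.active.get(user, 0) >= per_user:
            return False                                 # user already at its ceiling
        if self.group_limit is not UNLIMITED and self.group_total() >= self.group_limit:
            return False                                 # group already at its ceiling
        self.active[user] = self.active.get(user, 0) + 1
        return True

    def end(self, user):
        """Release one session for the user (e.g. on an accounting stop)."""
        if self.active.get(user, 0) > 0:
            self.active[user] -= 1
            if self.active[user] == 0:
                del self.active[user]


def users_at_full_allowance(group_limit, user_limit):
    """How many users fit when each one holds its full per-user allowance
    (the documented example: 10 and 2 give 5)."""
    if group_limit is UNLIMITED:
        return UNLIMITED
    if user_limit is UNLIMITED:
        return 1   # a single user could occupy every group session
    return group_limit // user_limit


def walkthrough():
    """Reproduce the documented example with six users trying two sessions each.
    Returns (distinct users admitted, whether u1 may open a third session)."""
    m = MaxSessions(group_limit=10, user_limit=2)
    admitted = set()
    for user in ("u1", "u2", "u3", "u4", "u5", "u6"):
        for _ in range(2):
            if m.try_start(user):
                admitted.add(user)
    return len(admitted), m.try_start("u1")


if __name__ == "__main__":
    print("users admitted, u1 third session:", walkthrough())          # (5, False)
    print("users at full allowance for 10/2:", users_at_full_allowance(10, 2))  # 5
```

The per-user check runs before the group check in this model, so a user who is already at the per-user ceiling is refused even when the group still has capacity; a session counts toward the group ceiling regardless of its type (PPP, NAS prompt, Telnet, and so on), as the Note above states.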
Setting Usage Quotas for a User Group
Note
If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Usage Quotas check box.
Perform this procedure to define usage quotas for members of a group. Session quotas affect each user of a group individually, not the group collectively. You can set quotas for a given period in two ways:
• By total duration of session
• By the total number of sessions
If you make no selections in the Usage Quotas section for a group, no usage quotas are enforced on users assigned to that group, unless you configure usage quotas for the individual users.
Note
The Usage Quotas section on the Group Settings page does not show usage statistics.
Usage statistics are available only on the settings page for an individual user. For more information, see Setting User Usage Quotas Options.
When a user exceeds his or her assigned quota, CiscoSecure ACS denies that user access upon attempting to start a session. If a quota is exceeded during a session, CiscoSecure ACS allows the session to continue.
You can reset the usage quota counters for all users of a group from the Group Settings page. For more information about resetting usage quota counters for a whole group, see Resetting Usage Quota Counters for a User Group.
Tip
To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated when the user logs off. If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate. This means that a second channel will be accepted even if the first channel has exhausted the quota for the user.
To set user usage quotas for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 To define usage quotas based on duration of sessions, follow these steps:
a. In the Usage Quotas table, select the Limit each user of this group to x hours of online time per time unit check box.
b. Type the number of hours to which you want to limit group members in the to x hours box.
Use decimal values to indicate minutes. For example, a value of 10.5 would equal ten hours and 30 minutes.
Note
Up to 5 characters are allowed in the to x hours box.
c. Select the period for which the quota is effective from the following:
• per Day —From 12:01 a.m. until midnight.
• per Week —From 12:01 a.m. Sunday until midnight Saturday.
• per Month —From 12:01 a.m. on the first of the month until midnight on the last day of the month.
• Total —An ongoing count of hours, with no end.
Step 4 To define user session quotas based on number of sessions, follow these steps:
a. In the Usage Quotas table, select the Limit each user of this group to x sessions check box.
b. Type the number of sessions to which you want to limit users in the to x sessions box.
Note
Up to 5 characters are allowed in the to x sessions box.
c. Select the period for which the session quota is effective from the following:
• per Day —From 12:01 a.m. until midnight.
• per Week —From 12:01 a.m. Sunday until midnight Saturday.
• per Month —From 12:01 a.m. on the first of the month until midnight on the last day of the month.
• Total —An ongoing count of sessions, with no end.
Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
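The following Python program is an added illustration, not CiscoSecure ACS code: it models the two kinds of usage quota (hours of online time and number of sessions) over the per Day, per Week (Sunday to Saturday), per Month and Total periods, checks the quota only when a session starts (a session already running is allowed to continue, as the text above states), and validates the 5-character "to x hours" value with decimals meaning fractions of an hour. The record layout, the rule that a session counts toward the period in which it started, and the sample accounting records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

PERIODS = ("per Day", "per Week", "per Month", "Total")

# (user, session start as ISO timestamp, hours reported by accounting stop/update)
Record = Tuple[str, str, float]


def parse_hours(text: str) -> float:
    """Value typed in the 'to x hours' box: at most 5 characters; decimals are
    fractions of an hour (10.5 = ten hours and 30 minutes)."""
    if len(text) > 5:
        raise ValueError("up to 5 characters are allowed in the to x hours box")
    hours = float(text)
    if hours < 0:
        raise ValueError("quota must not be negative")
    return hours


def hours_to_minutes(hours: float) -> int:
    return int(round(hours * 60))


def period_start(period: str, now: datetime) -> datetime:
    """Start of the quota period that contains 'now' (assumed calendar rules)."""
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "per Day":
        return day
    if period == "per Week":                       # week runs Sunday to Saturday
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if period == "per Month":
        return day.replace(day=1)
    if period == "Total":
        return datetime.min                        # ongoing count, no start
    raise ValueError(f"unknown period {period!r}")


def usage_in_period(records: List[Record], user: str, period: str, now_iso: str):
    """Return (hours used, sessions started) for the user in the current period.
    Assumption: a session is attributed to the period in which it started."""
    now = datetime.fromisoformat(now_iso)
    start = period_start(period, now)
    mine = [(s, h) for (u, s, h) in records
            if u == user and start <= datetime.fromisoformat(s) <= now]
    return sum(h for _, h in mine), len(mine)


@dataclass
class UsageQuota:
    max_hours: Optional[float] = None     # Limit each user of this group to x hours ...
    hours_period: str = "Total"
    max_sessions: Optional[int] = None    # Limit each user of this group to x sessions
    sessions_period: str = "Total"


def may_start_session(quota: UsageQuota, records: List[Record], user: str, now_iso: str) -> bool:
    """Quota is enforced when a session starts; exceeding it mid-session does
    not end the running session, so only the start decision is modelled."""
    if quota.max_hours is not None:
        hours, _ = usage_in_period(records, user, quota.hours_period, now_iso)
        if hours >= quota.max_hours:
            return False
    if quota.max_sessions is not None:
        _, count = usage_in_period(records, user, quota.sessions_period, now_iso)
        if count >= quota.max_sessions:
            return False
    return True


# Constructed sample accounting records (not from the documentation).
# 2024-06-09 is a Sunday, so 06-08 belongs to the previous week.
SAMPLE_RECORDS: List[Record] = [
    ("alice", "2024-06-08T20:00", 3.0),
    ("alice", "2024-06-09T08:00", 4.0),
    ("alice", "2024-06-10T09:00", 5.0),
    ("alice", "2024-06-11T09:00", 2.0),
    ("bob",   "2024-06-11T09:00", 1.0),
]

if __name__ == "__main__":
    weekly = UsageQuota(max_hours=parse_hours("10.5"), hours_period="per Week")
    now = "2024-06-12T09:00"
    print("alice week usage:", usage_in_period(SAMPLE_RECORDS, "alice", "per Week", now))  # (11.0, 3)
    print("alice may start:", may_start_session(weekly, SAMPLE_RECORDS, "alice", now))     # False
    print("bob may start:", may_start_session(weekly, SAMPLE_RECORDS, "bob", now))         # True
```

The model counts only hours that accounting has already reported, which is exactly why the Tip above recommends interim accounting updates: without them a long session contributes nothing to the count until its stop record arrives, and a second ISDN channel can be admitted against a quota the first channel has already used up.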
Configuration-specific User Group Settings
This section details procedures that you perform only as applicable to your particular network security configuration. For instance, if you have no token server configured, you do not have to set token card settings for each group.
Note
When a vendor-specific variety of RADIUS is configured for use by network devices, the RADIUS (IETF) attributes are available because they are the base set of attributes, used by all RADIUS vendors per the RADIUS IETF specifications.
The HTML interface content corresponding to these procedures is dynamic, its appearance based upon the following two factors:
• For a particular protocol (RADIUS or TACACS+) to be listed, at least one AAA client entry in the Network Configuration section of the HTML interface must use that protocol. For more information, see AAA Client Configuration.
• To cause specific protocol attributes to appear on a group profile page, you must enable the display of those attributes in the Interface Configuration section of the HTML interface. For more information, see Protocol Configuration Options for TACACS+ or Protocol Configuration Options for RADIUS.
This section contains the following topics:
• Setting Token Card Settings for a User Group
• Setting Enable Privilege Options for a User Group
• Enabling Password Aging for the CiscoSecure User Database
• Enabling Password Aging for Users in Windows Databases
• Setting IP Address Assignment Method for a User Group
• Assigning a Downloadable IP ACL to a Group
• Configuring TACACS+ Settings for a User Group
• Configuring a Shell Command Authorization Set for a User Group
• Configuring a PIX Command Authorization Set for a User Group
• Configuring Device-Management Command Authorization for a User Group
• Configuring IETF RADIUS Settings for a User Group
• Configuring Cisco IOS/PIX RADIUS Settings for a User Group
• Configuring Cisco Aironet RADIUS Settings for a User Group
• Configuring Ascend RADIUS Settings for a User Group
• Configuring Cisco VPN 3000 Concentrator RADIUS Settings for a User Group
• Configuring Cisco VPN 5000 Concentrator RADIUS Settings for a User Group
• Configuring Microsoft RADIUS Settings for a User Group
• Configuring Nortel RADIUS Settings for a User Group
• Configuring Juniper RADIUS Settings for a User Group
• Configuring BBSM RADIUS Settings for a User Group
• Configuring Custom RADIUS VSA Settings for a User Group
Setting Token Card Settings for a User Group
Note
If this section does not appear, configure a token server. Then, click External User Databases, click Database Configuration, and then add the applicable token card server.
Perform this procedure to allow a token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).
Caution
This option is for use with token caching only for ISDN terminal adapters. You should fully understand token caching and ISDN concepts and principles before implementing this option. Token caching allows you to connect to multiple B channels without having to provide a token for each channel connection. Token card settings are applied to all users in the selected group.
Options for token caching include the following:
• Session —You can select Session to cache the token for the entire session. This allows the second B channel to dynamically go in and out of service.
• Duration —You can select Duration and specify a period of time to have the token cached (from the time of first authentication). If this time period expires, the user cannot start a second B channel.
• Session and Duration —You can select both Session and Duration so that, if the session runs longer than the duration value, a new token is required to open a second B channel. Type a value high enough to allow the token to be cached for the entire session.
To set token card settings for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Token Cards.
Step 4 In the Token Card Settings table, to cache the token for the entire session, select Session.
Step 5 Also in the Token Card Settings table, to cache the token for a specified time period (measured from the time of first authentication), follow these steps:
a. Select Duration.
b. Type the duration length in the box.
c. Select the unit of measure, either Seconds, Minutes or Hours.
Step 6 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Setting Enable Privilege Options for a User Group
Note
If this section does not appear, click Interface Configuration and then click TACACS+ (Cisco). At the bottom of the page in the Advanced Configuration Options table, select the Advanced TACACS+ features check box.
Perform this procedure to configure group-level TACACS+ enable parameters. The three possible TACACS+ enable options are as follows:
• No Enable Privilege —(default) Select this option to disallow enable privileges for this user group.
• Max Privilege for Any AAA Client —Select this option to select the maximum privilege level for this user group for any AAA client on which this group is authorized.
• Define max Privilege on a per-network device group basis —Select this option to define maximum privilege levels for an NDG. To use this option, you create a list of device groups and corresponding maximum privilege levels. See your AAA client documentation for information about privilege levels.
Note
To define levels in this manner, you must have configured the option in Interface Configuration; if you have not done so already, click Interface Configuration, click Advanced Settings, and then select the Network Device Groups check box.
If you are using NDGs, this option lets you configure the NDG for enable-level mapping rather than having to do it for each user in the group.
To set enable privilege options for a user group, follow these steps:
Step 1 In the navigation bar, click Group Setup.
The Group Setup Select page opens.
Step 2 From the Group list, select a group, and then click Edit Settings.
The Group Settings page displays the name of the group at its top.
Step 3 From the Jump To list at the top of the page, choose Enable Options.
Step 4 Do one of the following:
• To disallow enable privileges for this user group, select the No Enable Privilege option.
• To set the maximum privilege level for this user group, for any ACS on which this group is authorized, select the Max Privilege for Any Access Server option. Then, select the maximum privilege level from the list.
• To define the maximum NDG privilege level for this user group, select the Define max Privilege on a per-network device group basis option. Then, from the lists, select the NDG and a corresponding privilege level. Finally, click Add Association.
Result: The association of NDG and maximum privilege level appears in the table.
Step 5 To save the group settings you have just made, click Submit.
For more information, see Saving Changes to User Group Settings.
Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Enabling Password Aging for the CiscoSecure User Database
The password aging feature of CiscoSecure ACS enables you to force users to change their passwords under one or more of the following conditions:
• After a specified number of days (age-by-date rules).
• After a specified number of logins (age-by-uses rules).
• The first time a new user logs in (password change rule).
Varieties of Password Aging Supported by CiscoSecure ACS
CiscoSecure ACS supports four distinct password aging mechanisms:
• PEAP and EAP-FAST Windows Password Aging —Users must be in the Windows user database and be using a Microsoft client that supports EAP, such as Windows XP. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.
• RADIUS-based Windows Password Aging —Users must be in the Windows user database and be using the Windows Dial-up Networking (DUN) client. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.
• Password Aging for Device-hosted Sessions —Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session. You can also control whether CiscoSecure ACS propagates passwords changed by this feature. For more information, see Local Password Management.
• Password Aging for Transit Sessions —Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed.
Tip
The CAA software is available at http://www.cisco.com.
Also, to run password aging for transit sessions, the AAA client can be running either RADIUS or TACACS+; the AAA client must be using Cisco IOS Release 11.2.7 or later and must be configured to send watchdog accounting packets (aaa accounting update newinfo) that carry the IP address of the calling station. (Watchdog packets are interim accounting packets sent periodically during a session. They provide an approximate session length if no stop packet is received to mark the end of the session.)
You can control whether CiscoSecure ACS propagates passwords changed by this feature. For more information, see Local Password Management.
CiscoSecure ACS supports password aging using the RADIUS protocol under MSCHAP versions 1 and 2. CiscoSecure ACS does not support password aging over Telnet connections using the RADIUS protocol.
Caution
If a user with a RADIUS connection tries to make a Telnet connection to the AAA client during or after the password aging warning or grace period, the change password option does not appear, and the user account is expired.
Password Aging Feature Settings
This section details only the Password Aging for Device-hosted Sessions and Password Aging for Transit Sessions mechanisms. For information on the Windows Password Aging mechanism, see Enabling Password Aging for Users in Windows Databases. For information on configuring local password validation options, see Local Password Management.
The password aging feature in CiscoSecure ACS has the following options:
•
Apply age-by-date rules —Selecting this check box configures CiscoSecure ACS to determine password aging by date. The age-by-date rules contain the following settings:
–
Active period —The number of days users will be allowed to log in before being prompted to change their passwords. For example, if you enter 20, users can use their passwords for 20 days without being prompted to change them. The default Active period is 20 days.
–
Warning period —The number of days users will be notified to change their passwords. The existing password can be used, but the CiscoSecure ACS presents a warning indicating that the password must be changed and displays the number of days left before the password expires. For example, if you enter 5 in this box and 20 in the Active period box, users will be notified to change their passwords on the 21st through 25th days.
–
Grace period —The number of days to provide as the user grace period. The grace period allows a user to log in once to change the password. The existing password can be used one last time after the number of days specified in the active and warning period fields has been exceeded. Then, a dialog box warns the user that the account will be disabled if the password is not changed, and enables the user to change it. Continuing with the examples above, if you allow a 5-day grace period, a user who did not log in during the active and warning periods would be permitted to change passwords up to and including the 30th day. However, even though the grace period is set for 5 days, a user is allowed only one attempt to change the password when the password is in the grace period. CiscoSecure ACS displays the "last chance" warning only once. If the user does not change the password, this login is still permitted, but the password expires, and the next authentication is denied. An entry is logged in the Failed-Attempts log, and the user must contact an administrator to have the account reinstated.

Note
All passwords expire at midnight, not the time at which they were set.
•
Apply age-by-uses rules —Selecting this check box configures CiscoSecure ACS to determine password aging by the number of logins. The age-by-uses rules contain the following settings:
–
Issue warning after x logins —The number of the login upon which CiscoSecure ACS begins prompting users to change their passwords. For example, if you enter 10, users are allowed to log in 10 times without a change-password prompt. On the 11th login, they are prompted to change their passwords.
Tip
To allow users to log in an unlimited number of times without changing their passwords, type -1 .
–
Require change after x logins —The number of the login after which users are told that they must change their passwords. Continuing with the previous example, if this number is set to 12, users receive prompts requesting them to change their passwords on their 11th and 12th login attempts. On the 13th login attempt, they receive a prompt telling them that they must change their passwords. If users do not change their passwords at that point, their accounts expire and they cannot log in. This number must be greater than the Issue warning after x logins number.
Tip
To allow users to log in an unlimited number of times without changing their passwords, type -1 .
•
Apply password change rule —Selecting this check box forces new users to change their passwords the first time they log in.
•
Generate greetings for successful logins —Selecting this check box enables a Greetings message to display whenever users log in successfully via the CAA client. The message contains up-to-date password information specific to this user account.
The password aging rules are not mutually exclusive; a rule is applied for each check box that is selected. For example, users can be forced to change their passwords every 20 days, and every 10 logins, and to receive warnings and grace periods accordingly.
If no options are selected, passwords never expire.
Unlike most other parameters, which have corresponding settings at the user level, password aging parameters are configured only on a group basis.
Users who fail authentication because they have not changed their passwords and have exceeded their grace periods are logged in the Failed Attempts log. The accounts expire and appear in the Accounts Disabled list.
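The age-by-date and age-by-uses rules above interact in ways that are easy to get wrong when you audit them (day counting, the single grace login, the -1 "unlimited" value, and the most-severe-rule-wins combination). The following is an added example, not CiscoSecure ACS code: it evaluates one login attempt against a group's password aging settings and returns the verdict ACS would present. The rule that the day the password is set counts as day 1 is an assumption made so that a 20-day active period covers 20 calendar days, matching the 21st-day warning in the text; comparing dates rather than times reproduces the "expire at midnight" note. The sample dates are constructed.

```python
"""Evaluate the Group Setup password aging rules for one login attempt.

Added example, not CiscoSecure ACS code. Verdicts, least to most severe:
  ok              - nothing to do
  warn            - password still valid, user is told how long is left
  grace           - the one-time "last chance" login (age-by-date grace period)
  change_required - login permitted only if the password is changed during it
  expired         - authentication denied; an administrator must reinstate
"""
from dataclasses import dataclass, replace
from datetime import date

UNLIMITED = -1  # the -1 "unlimited" value accepted by the age-by-uses fields
SEVERITY = {"ok": 0, "warn": 1, "grace": 2, "change_required": 3, "expired": 4}


@dataclass
class AgingRules:
    age_by_date: bool = False              # "Apply age-by-date rules" check box
    active_days: int = 20                  # Active period (20 is the ACS default)
    warning_days: int = 5                  # Warning period
    grace_days: int = 5                    # Grace period
    age_by_uses: bool = False              # "Apply age-by-uses rules" check box
    warn_after_logins: int = UNLIMITED     # Issue warning after x logins
    require_after_logins: int = UNLIMITED  # Require change after x logins
    change_on_first_login: bool = False    # "Apply password change rule" check box

    def __post_init__(self):
        # The doc requires "Require change" to exceed "Issue warning" (-1 = unlimited).
        if (self.age_by_uses and self.require_after_logins != UNLIMITED
                and self.require_after_logins <= self.warn_after_logins):
            raise ValueError("Require change after x logins must exceed Issue warning after x logins")


@dataclass
class PasswordState:
    set_on: date                 # calendar day the current password was set
    logins_since_set: int = 0    # successful logins already made with it
    set_by_admin: bool = False   # set by an administrator, not yet changed by the user
    grace_used: bool = False     # the single grace login has been consumed


def _date_verdict(rules, state, today):
    # Assumption: the day the password is set counts as day 1, so a 20-day active
    # period covers 20 calendar days and the warning starts on the 21st. Comparing
    # dates rather than times reproduces "passwords expire at midnight".
    day = (today - state.set_on).days + 1
    warn_end = rules.active_days + rules.warning_days
    grace_end = warn_end + rules.grace_days
    if day <= rules.active_days:
        return "ok", None
    if day <= warn_end:
        return "warn", f"{warn_end - day + 1} day(s) left to change the password"
    if day <= grace_end and not state.grace_used:
        return "grace", "last chance: change the password now or the account will be disabled"
    return "expired", "password expired; contact an administrator"


def _uses_verdict(rules, state):
    login = state.logins_since_set + 1  # the login being attempted now
    warn, req = rules.warn_after_logins, rules.require_after_logins
    if req != UNLIMITED and login > req:
        return "change_required", f"login {login}: the password must be changed now"
    if warn != UNLIMITED and login > warn:
        left = "" if req == UNLIMITED else f" ({req - login + 1} login(s) left)"
        return "warn", f"login {login}: please change the password{left}"
    return "ok", None


def evaluate(rules, state, today):
    """Apply every selected rule (they are not mutually exclusive) and return the
    (verdict, message) of the most severe one. No rules selected: never expires."""
    verdicts = [("ok", None)]
    if rules.age_by_date:
        verdicts.append(_date_verdict(rules, state, today))
    if rules.age_by_uses:
        verdicts.append(_uses_verdict(rules, state))
    if rules.change_on_first_login and state.set_by_admin and state.logins_since_set == 0:
        verdicts.append(("change_required", "first login: choose a new password"))
    return max(verdicts, key=lambda v: SEVERITY[v[0]])


def record_login(state, verdict, changed_password, today):
    """State after a permitted login: a change resets the counters; otherwise the
    login is counted and a grace login is consumed whether or not it was used."""
    if changed_password:
        return PasswordState(set_on=today)
    return replace(state, logins_since_set=state.logins_since_set + 1,
                   grace_used=state.grace_used or verdict == "grace")


if __name__ == "__main__":
    # Walk the doc's worked example: active 20, warning 5, grace 5 days.
    rules = AgingRules(age_by_date=True, active_days=20, warning_days=5, grace_days=5)
    state = PasswordState(set_on=date(2024, 1, 1))  # constructed sample state
    for day in (20, 21, 25, 26, 30, 31):
        print(f"day {day}:", evaluate(rules, state, date(2024, 1, day)))
```

Running the module walks the text's 20/5/5 example: days 1 to 20 are ok, 21 to 25 warn, 26 to 30 give the single grace login, and day 31 (or a second login after the grace login) is expired. Because evaluate takes the most severe verdict across all selected rules, a group with both date and use rules behaves exactly as the "not mutually exclusive" sentence describes.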
Before You Begin
•
Verify that your AAA client is running the TACACS+ or RADIUS protocol. (TACACS+ only supports password aging for device-hosted sessions.)
•
Set up your AAA client to perform authentication and accounting using the same protocol, either TACACS+ or RADIUS.
•
Verify that you have configured your password validation options. For more information, see Local Password Management.
•
Set up your AAA client to use Cisco IOS Release 11.2.7 or later and to send watchdog accounting packets (aaa accounting update newinfo) that carry the IP address of the calling station.
To set password aging rules for a user group, follow these steps:
Step1
In the navigation bar, click Group Setup .
The Group Setup Select page opens.
Step2
From the Group list, select a group, and then click Edit Settings .
The Group Settings page displays the name of the group at its top.
Step3
From the Jump To list at the top of the page, choose Password Aging .
The Password Aging Rules table appears.
Step4
To set password aging by date, select the Apply age-by-date rules check box and type the number of days for the following options, as applicable:
•
Active period
•
Warning period
•
Grace period
Note
Up to 5 characters are allowed in each field.
Step5
To set password aging by use, select the Apply age-by-uses rules check box and type the number of logins for each of the following options, as applicable:
•
Issue warning after x logins
•
Require change after x logins
Note
Up to 5 characters are allowed in each field.
Step6
To force the user to change the password on the first login after an administrator has changed it, select the Apply password change rule check box.
Step7
To enable a Greetings message display, select the Generate greetings for successful logins check box.
Step8
To save the group settings you have just made, click Submit .
For more information, see Saving Changes to User Group Settings.
Step9
To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Enabling Password Aging for Users in Windows Databases
CiscoSecure ACS supports two types of password aging for users in Windows databases. Both types of Windows password aging mechanisms are separate and distinct from the other CiscoSecure ACS password aging mechanisms. For information on the requirements and settings for the password aging mechanisms that control users in the CiscoSecure user database, see Enabling Password Aging for the CiscoSecure User Database.
Note
You can run both Windows Password Aging and CiscoSecure ACS Password Aging for Transit Sessions mechanisms concurrently, provided that the users authenticate from the two different databases.
The two types of password aging in Windows databases are as follows:
•
RADIUS-based password aging —RADIUS-based password aging depends upon the RADIUS AAA protocol to send and receive the password change messages. Requirements for implementing the RADIUS-based Windows password aging mechanism include the following:
–
Communication between CiscoSecure ACS and the AAA client must use RADIUS.
–
The AAA client must support MS CHAP password aging in addition to MS CHAP authentication.
–
Users must be in a Windows user database.
–
Users must be using the Windows DUN client.
–
You must enable MS CHAP version 1 or MS CHAP version 2, or both, in the Windows configuration within the External User Databases section.
Tip
For information on enabling MS CHAP for password changes, see Configuring Windows Authentication. For information on enabling MS CHAP in System Configuration, see Global Authentication Setup.
•
PEAP password aging —PEAP password aging depends upon the PEAP(EAP-GTC) or PEAP(EAP-MSCHAPv2) authentication protocol to send and receive the password change messages. Requirements for implementing the PEAP Windows password aging mechanism include the following:
–
The AAA client must support EAP.
–
Users must be in a Windows user database.
–
Users must be using a Microsoft PEAP client, such as Windows XP.
–
You must enable PEAP on the Global Authentication Configuration page within the System Configuration section.
Tip
For information about enabling PEAP in System Configuration, see Global Authentication Setup.
–
You must enable PEAP password changes on the Windows Authentication Configuration page within the External User Databases section.
Tip
For information about enabling PEAP password changes, see Configuring Windows Authentication.
Users whose Windows accounts reside in "remote" domains (that is, not the domain within which CiscoSecure ACS is running) can only use the Windows-based password aging if they supply their domain names.
The methods and functionality of Windows password aging differ according to which Microsoft Windows operating system you are using, and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). Setting password aging for users in the Windows user database is only one part of the larger task of setting security policies in Windows. For comprehensive information on Windows procedures, refer to your Windows system documentation.
Setting IP Address Assignment Method for a User Group
Perform this procedure to configure the way CiscoSecure ACS assigns IP addresses to users in the group. The four possible methods are as follows:
•
No IP address assignment —No IP address is assigned to this group.
•
Assigned by dialup client —Use the IP address that is configured on the dialup client network settings for TCP/IP.
•
Assigned from AAA Client pool —The IP address is assigned by an IP address pool assigned on the AAA client.
•
Assigned from AAA server pool —The IP address is assigned by an IP address pool assigned on the AAA server.
To set an IP address assignment method for a user group, follow these steps:
Step1
In the navigation bar, click Group Setup .
The Group Setup Select page opens.
Step2
From the Group list, select a group, and then click Edit Settings .
The Group Settings page displays the name of the group at its top.
Step3
From the Jump To list at the top of the page, choose IP Address Assignment .
Step4
In the IP Assignment table, do one of the following:
•
Select No IP address assignment .
•
Select Assigned by dialup client .
•
Select Assigned from AAA Client pool . Then, type the AAA client IP pool name.
•
Select Assigned from AAA server pool . Then, select the AAA server IP pool name in the Available Pools list and click --> (right arrow button) to move the name into the Selected Pools list.
Note
If there is more than one pool in the Selected Pools list, the users in this group are assigned to the first available pool in the order listed.
Tip
To change the position of a pool in the list, select the pool name and click Up or Down until the pool is in the position you want.
Step5
To save the group settings you have just made, click Submit .
For more information, see Saving Changes to User Group Settings.
Step6
To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Assigning a Downloadable IP ACL to a Group
The Downloadable ACLs feature enables you to assign an IP ACL at the group level.
Note
You must have established one or more IP ACLs before attempting to assign one. For instructions on how to add a downloadable IP ACL using the Shared Profile Components section of the CiscoSecure ACS HTML interface, see Adding a Downloadable IP ACL.
Tip
The Downloadable ACLs table does not appear if it has not been enabled. To enable the Downloadable ACLs table, click Interface Configuration , click Advanced Options , and then select the Group-Level Downloadable ACLs check box.
To assign a downloadable IP ACL to a group, follow these steps:
Step1
In the navigation bar, click Group Setup .
The Group Setup Select page opens.
Step2
From the Group list, select a group, and then click Edit Settings .
The Group Settings page displays the name of the group at its top.
Step3
From the Jump To list at the top of the page, choose Downloadable ACLs .
Step4
Under the Downloadable ACLs section, select the Assign IP ACL check box.
Step5
Select an IP ACL from the list.
Step6
To save the group settings you have just made, click Submit .
For more information, see Saving Changes to User Group Settings.
Step7
To continue specifying other group settings, perform other procedures in this chapter, as applicable.
Configuring TACACS+ Settings for a User Group
Perform this procedure to configure and enable the service/protocol parameters to be applied for the authorization of each user who belongs to the group. For information on how to configure settings for the Shell Command Authorization Set, see Configuring a Shell Command Authorization Set for a User Group.
Note
To display or hide additional services or protocols, click Interface Configuration , click TACACS+ (Cisco IOS) , and then select or clear items in the group column, as applicable.
To configure TACACS+ settings for a user group, follow these steps:
Step1
In the navigation bar, click Group Setup .
The Group Setup Select page opens.
Step2
From the Group list, select a group, and then click Edit Settings .
The Group Settings page displays the name of the group at its top.
Step3
From the Jump To list at the top of the page, choose TACACS+ .
The system displays the TACACS+ Settings table section.
Step4
To configure services and protocols in the TACACS+ Settings table to be authorized for the group, follow these steps:
a.
Select one or more service/protocol check boxes (for example, PPP IP or ARAP).
b.
Under each service/protocol that you selected in Step a, select attributes and then type in the corresponding values, as applicable, to further define authorization for that service/protocol.
To employ custom attributes for a particular service, you must select the Custom attributes check box under that service, and then specify the attribute/value in the box below the check box.
For more information about attributes, see "TACACS+ Attribute-Value Pairs," or your AAA client documentation.
Tip
For ACLs and IP address pools, enter the name of the ACL or pool as defined on the AAA client. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.)
Note
Leave the attribute value box blank if the default (as defined on the AAA client) should be used.
Note
You can define and download an ACL. Click Interface Configuration , click TACACS+ (Cisco IOS) , and then select Display a window for each service selected in which you can enter customized TACACS+ attributes . A box opens under each service/protocol in which you can define an ACL.
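The settings in this table become TACACS+ authorization replies: the AAA client names a service and protocol in its REQUEST, and ACS answers with the attribute-value pairs configured for the group. The following is an added example, not CiscoSecure ACS or Cisco IOS code, that models that exchange end to end: the server side decides from the selected service/protocol check boxes (and from the Default (Undefined) Services option) whether to pass, and which pairs to send, while the client side applies the "attr=value" mandatory versus "attr*value" optional argument rule from RFC 8907. Attribute names in the sample data (acl, addr-pool, priv-lvl, idletime) stand in for whatever your AAA client documentation defines, and the group data is constructed.

```python
"""Model of one TACACS+ authorization exchange driven by the Group Setup
TACACS+ Settings table: which service/protocol check boxes are selected, which
attribute values the server sends back, and how the AAA client merges them.

Added example, not CiscoSecure ACS or Cisco IOS code. Attribute names in the
sample data (acl, addr-pool, priv-lvl, idletime) stand for whatever the AAA
client documentation defines; the group data itself is constructed.
"""
import re
from dataclasses import dataclass, field

# TACACS+ argument syntax (RFC 8907): "attr=value" is a mandatory argument,
# "attr*value" an optional one. Neither separator may appear in the name.
_AVPAIR = re.compile(r"^([^=*]+)([=*])(.*)$", re.DOTALL)


def parse_avpair(text):
    """Return (attribute, value, mandatory) or raise ValueError if malformed."""
    m = _AVPAIR.match(text)
    if not m:
        raise ValueError(f"malformed attribute-value pair: {text!r}")
    attr, sep, value = m.groups()
    return attr, value, sep == "="


@dataclass
class ServiceEntry:
    # attribute -> value typed next to it; "" means the box was left blank so
    # the AAA client's own default applies (the Note under Step 4)
    attributes: dict = field(default_factory=dict)
    # contents of the Custom attributes box, one attribute-value pair per line
    custom: str = ""


@dataclass
class GroupTacacsSettings:
    services: dict = field(default_factory=dict)  # {(service, protocol): ServiceEntry}
    permit_unknown_services: bool = False         # Default (Undefined) Services check box


def reply_args(entry):
    """Arguments the server returns for a permitted service/protocol."""
    args = [f"{attr}={value}" for attr, value in entry.attributes.items() if value != ""]
    for line in entry.custom.splitlines():
        line = line.strip()
        if line:
            parse_avpair(line)  # reject malformed custom pairs before they are sent
            args.append(line)
    return args


def authorize(settings, request_args):
    """Server side. The client names the service (and protocol, if any) in its
    REQUEST; the reply is ("PASS_ADD", args) or ("FAIL", [])."""
    request = {attr: value for attr, value, _ in map(parse_avpair, request_args)}
    key = (request.get("service"), request.get("protocol"))
    entry = settings.services.get(key)
    if entry is None:
        # Unlisted service: permitted (with no extra arguments) only when the
        # "PERMIT all UNKNOWN Services" option is selected for the group.
        return ("PASS_ADD", []) if settings.permit_unknown_services else ("FAIL", [])
    return "PASS_ADD", reply_args(entry)


def apply_reply(status, request_args, reply, understood):
    """AAA-client side. For PASS_ADD the reply arguments are applied on top of the
    request's. A mandatory argument the client does not understand fails the
    authorization (RFC 8907); an optional one is ignored. Returns the effective
    argument set, or None when authorization fails."""
    if status != "PASS_ADD":
        return None
    effective = {attr: value for attr, value, _ in map(parse_avpair, request_args)}
    for attr, value, mandatory in map(parse_avpair, reply):
        if attr in understood:
            effective[attr] = value
        elif mandatory:
            return None
    return effective


if __name__ == "__main__":
    # Constructed group: "PPP IP" selected with acl=101 and addr-pool left blank,
    # "Shell (exec)" selected with priv-lvl 15 plus one optional custom pair.
    group = GroupTacacsSettings(services={
        ("ppp", "ip"): ServiceEntry({"acl": "101", "addr-pool": ""}),
        ("shell", None): ServiceEntry({"priv-lvl": "15"}, custom="idletime*10\n"),
    })
    client_knows = {"service", "protocol", "acl", "priv-lvl"}
    for req in (["service=ppp", "protocol=ip"], ["service=shell"], ["service=arap"]):
        status, args = authorize(group, req)
        print(req, "->", status, args, "->", apply_reply(status, req, args, client_knows))
```

Two points the model makes visible: a blank attribute box sends nothing, so the client default silently applies, and a custom pair typed with "=" is mandatory, so a client that does not implement that attribute fails the whole authorization rather than ignoring it. Type "*" instead when the attribute is a hint the client may drop.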
Step5
To permit all services that are not explicitly listed (and therefore not individually disabled), select the Default (Undefined) Services check box in the Checking this option will PERMIT all UNKNOWN Services table.
Caution 