|
|
After you have configured Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) to communicate with an external user database, you can decide how to implement other Cisco Secure ACS features related to external user databases. To address these features, this chapter contains the following sections:
For information about the databases supported by Cisco Secure ACS and how to configure Cisco Secure ACS to communicate with an external user database, see "Working with User Databases."
Unknown users are users who are not listed in the Cisco Secure ACS database. The Unknown User feature is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. In this additional step of the authentication process, if the username does not exist in the Cisco Secure ACS database, Cisco Secure ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate.
The Unknown User feature enables Cisco Secure ACS to use a variety of external databases in addition to its own internal database to authenticate incoming user requests. With this feature, Cisco Secure ACS provides the foundation for a basic single sign-on capability by integrating network and host-level access control. Because the incoming usernames and passwords of users dialing in can be authenticated with external user databases, there is no need for the network administrator to maintain a duplicate list within Cisco Secure ACS. This provides two advantages to the Cisco Secure ACS administrator:
The Unknown User feature implements three categories of users in Cisco Secure ACS. Each category is treated differently:
These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or through by the CSUtil.exe utility. For more information about CSUtil.exe, see "Cisco Secure ACS Command-Line Database Utility." In the CiscoSecure user database, each user must have an assigned password and must be explicitly associated with a particular authentication database.
Such users never have previously authenticated with Cisco Secure ACS. If the Unknown User Policy is configured in Cisco Secure ACS, Cisco Secure ACS attempts to authenticate these users with external user databases.
All cached users were once unknown users. The authentication process for cached users is identical to the authentication process for known users.
If you have configured the Unknown User Policy in Cisco Secure ACS, Cisco Secure ACS attempts to authenticate users as follows:
1. Cisco Secure ACS checks its internal user database. If the user exists in the CiscoSecure user database (that is, is a known or cached user), Cisco Secure ACS tries to authenticate the user with the specified password type against the specified database. Authentication for that user either passes or fails, depending on other procedures in the normal authentication process.
2. If the user does not exist in the CiscoSecure user database (that is, is an unknown user), Cisco Secure ACS tries each configured external database in the order specified in the Selected Databases list. If the user passes authentication against one of the external databases, Cisco Secure ACS automatically adds the user to the CiscoSecure user database, with a pointer to use the password type and database that succeeded on this authentication attempt. Users added by unknown user processing are flagged as such within the CiscoSecure user database and are called cached users.
The next time the cached user tries to authenticate, Cisco Secure ACS authenticates the user against the database that was successful the first time. Cached users are treated the same as known users.
3. If the unknown user fails authentication with all configured external databases, the user is not added to the CiscoSecure user database, and the authentication request is rejected.
Because usernames in the CiscoSecure user database must be unique, Cisco Secure ACS supports a single instance of any given username across all the databases it is configured to use. For example, assume every external user database contains a user account with the username John. Each account is for a different user, but they each, coincidentally, have the same exact username. After the first John attempts to access the network and has authenticated through the unknown user process, Cisco Secure ACS retains a cached user account for that John and only that John. Now, Cisco Secure ACS tries to authenticate subsequent attempts by any user named John using the same external user database that originally authenticated John. Assuming their passwords are different than the password for the John who authenticated first, the other Johns are unable to access the network.
 |
Note The scenario given above is handled differently if the user accounts with identical usernames exist in separate Windows domains. For more information, see the "Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database" section. |
Because it is a native Windows NT/2000 application, Cisco Secure ACS treats authentication with a Windows NT/2000 user database as a special case. Windows can provide added functionality to the remote access authentication process. Perhaps the most important aspect of this added functionality is support for multiple occurrences of the same username across the trusted domains against which Cisco Secure ACS authenticates access requests.
Cisco Secure ACS communicates with the Windows NT/2000 operating system of the Cisco Secure ACS server to perform authentications. Windows NT/2000 uses its built-in facilities to forward the authentication requests to the appropriate domain controller. There are two possible scenarios to consider:
When a domain name is supplied as part of a authentication request, Cisco Secure ACS detects that a domain name was supplied and tries the authentication credentials against the specified domain. The dial-up networking client provided with Window NT/2000 and Windows 95/98 differ in the method by which users can specify their domains. For more information, see the "Windows Dial-up Networking Clients" section.
If the domain controller rejects the authentication request, Cisco Secure ACS logs the request as a failed attempt.
Specifying the domain name allows Cisco Secure ACS to differentiate a user from multiple instances of the same username in different domains. For unknown users who provide a domain name and who are authenticated by a Windows NT/2000 database, Cisco Secure ACS caches the username in the CiscoSecure user database in the form domain\user. The combination of username and domain makes this cached user unique in the Cisco Secure ACS database.
|
Note Cisco Secure ACS does not support the user@domain form of qualified usernames. |
|
Note We recommend removing a username from a database when the privileges associated with that username are no longer required. |
If the appropriate domain identifier is not supplied as part of the authentication process, as with the Windows 95/98 dial-up networking client or with Windows NT/2000 in a workgroup environment, the Windows NT/2000 operating system of the Cisco Secure ACS server follows a more complex authentication process. It first attempts to authenticate the user against its local domain controller. If the user does not exist in the local domain controller's user database, it progresses down the list of all its trusted domains, trying the username against each one. If Windows NT/2000 does not find the username, it tries the credentials against its local accounts database. If it does not find the username in the local accounts database, it rejects the authentication request. If authentication succeeds against the local domain, any of the trusted domains, or the local Windows NT/2000 accounts database, the user is granted access and Cisco Secure ACS ceases further attempts to find the user in other domains.
If the username exists in the local domain or any of the trusted domains but the password does not match the one supplied as part of the authentication credentials, Windows NT/2000 returns a rejection message to Cisco Secure ACS. You can circumvent this difficulty by using the Domain List in the Cisco Secure ACS configuration for the Windows NT/2000 database. If you have configured the Domain List with a list of trusted domains, Cisco Secure ACS submits the username and password to each domain in the list, using a domain-qualified format, until Cisco Secure ACS successfully authenticates the user. If Cisco Secure ACS has tried each domain listed in the Domain List, or if no trusted domains have been configured in the Domain List, Cisco Secure ACS fails the authentication request for that user.
|
Note If your network has multiple occurrences of a username across domains (for example, every domain has a user called Administrator) or if users dialing in do not provide their domains as part of their authentication credentials, be sure to configure the Domain List for the Windows NT/2000 database in the External User Databases section. If not, only the user whose account Windows NT/2000 happens to check first authenticates successfully. The Domain List is the only way that Cisco Secure ACS controls the order in which Windows NT/2000 checks domains. The most reliable method of supporting multiple instances of a username across domains is to require users to supply their domain memberships as part of the authentication request. |
Authentication requests that use the Unknown User authentication feature require slightly more time. This small delay may require additional configuration on the AAA clients through which unknown users may attempt to access your network.
Adding external databases against which to process unknown users can significantly increase the time needed for each individual authentication. At best, the time needed for each authentication is the time taken by the external database to authenticate, plus some latency for Cisco Secure ACS processing. In some circumstances (for example, when using a Windows NT/2000 user database), the extra latency introduced by an external database can be as much as tens of seconds. If you have configured multiple databases, this number is multiplied by the time taken for each one to complete.
Be sure to increase the AAA client timeout to accommodate the longer authentication time required for Cisco Secure ACS to pass the authentication request to the external databases. If the AAA client timeout value is not set high enough to account for the delay required by unknown user authentication, the AAA client times out the request and every unknown user authentication fails.
The default AAA client timeout value is 5 seconds. If you have Cisco Secure ACS configured to search through several databases or if your databases are large, you might need to increase this value in your AAA client configuration file. For more information, refer to your Cisco IOS documentation.
While the Unknown User Policy allows authentication requests to be forwarded to external user databases, all responsibility for the authorization parameters provided to the AAA client remains with Cisco Secure ACS. External user databases provide authentication services, and Cisco Secure ACS then provides the additional authorization information that is sent to the AAA client in the RADIUS or TACACS+ response packet. For more information about assignment of user authorization, see the "Database Group Mappings" section.
You can configure how Cisco Secure ACS processes unknown users on the Configure Unknown User Policy page, in the External User Databases section of the HTML interface. The Configure Unknown User Policy page contains the following fields:
For more information about configuring your Unknown User Policy, see the "Configuring the Unknown User Policy" section
You can configure the order in which Cisco Secure ACS checks the selected external databases when Cisco Secure ACS attempts to authenticate unknown users. If the first database in the Selected Databases list fails the authentication request for the unknown user, Cisco Secure ACS checks the next database listed, and so on down the Selected Databases list, in the order listed, until the user authenticates or until Cisco Secure ACS has tried all the databases listed. Authentication with a Windows NT/2000 database is more complex. (For more information about Windows NT/2000 authentication, see the "The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases" section.) If Cisco Secure ACS does not find the user in any of the listed databases, authentication fails.
The order in which the databases appear in the Selected Databases list is important. For best performance, authentications should be processed first against the external database where the greatest number of authentications are likely to succeed (that is, get the highest level of successful cache hits).
 |
Tip Always list the database that will allow most authentications to succeed as near to the top of the list as possible. |
In Cisco Secure ACS, an unknown user is defined as one for whom no account has been created within the Cisco Secure ACS database.
To specify how Cisco Secure ACS should handle users who are not in the Cisco Secure ACS database, follow these steps:
Step 2 Click Unknown User Policy.
Step 3 To deny authentication requests for any unknown user, select the Fail the attempt option.
Step 4 To allow authentication requests for unknown users, follow these steps:
a. Select the Check the following external user databases option.
b. For each database you need Cisco Secure ACS to use when attempting to authenticate unknown users, select the database in the External Databases list and click —> (right arrow button) to move it to the Selected Databases list. To remove a database from the Selected Databases list, select the database, and then click <— (left arrow button) to move it back to the External Databases list.
c. To assign the order in which Cisco Secure ACS should use the selected external databases when attempting to authenticate an unknown user, click a database name in the Selected Databases list and click Up or Down to move it into the position you want.
d. Repeat Steps a through c until the selected databases are in the order needed.
Step 5 Click Submit.
Result: Cisco Secure ACS saves and implements the Unknown User Policy configuration you created. Cisco Secure ACS attempts to authenticate unknown users using the databases in the order listed in the Selected Databases list.
You can configure Cisco Secure ACS so that users who are not in the Cisco Secure ACS database are not permitted to authenticate.
To turn off external user database authentication, follow these steps:
Step 2 Click Unknown User Policy.
Step 3 Select the Fail the attempt option.
Step 4 Click Submit.
Result: Unknown user processing is halted. Cisco Secure ACS does not allow unknown users to authenticate with external user databases.
The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a Cisco Secure ACS group for the purposes of assigning authorization profiles. For external user databases from which Cisco Secure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific Cisco Secure ACS groups. For Windows NT/2000 user databases, group mapping is further specified by domain, because each domain maintains its own user database. For Novell NDS user databases, group mapping is further specified by tree, because Cisco Secure ACS supports multiple trees in a single Novell NDS user database.
In addition to the Database Group Mapping feature, for some database types, Cisco Secure ACS supports RADIUS-based group specification.
This section contains the following topics:
You can map an external database to a Cisco Secure ACS group. Unknown users who authenticate using the specified database automatically belong to, and inherit the authorizations of, the group. For example, you could configure Cisco Secure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters. You could then assign a group setup that is appropriate for users who are working away from home, such as MaxSessions=1. Or you could configure restricted hours for other groups, but give unrestricted access to Telecommuters group members.
While you can configure Cisco Secure ACS to map all unknown users found in any external user database type to a single Cisco Secure ACS group, the following external user database types are the external user database types whose users you can only map to a single Cisco Secure ACS group:
For a subset of the external user database types listed above, group mapping by external database type is overridden on a user-by-user basis when the external user database specifies a Cisco Secure ACS group with its authentication response. Cisco Secure ACS supports specification of group membership for the following external user database types:
For more information about specifying group membership for users authenticated with one of these database types, see the "RADIUS-Based Group Specification" section.
Additionally, users authenticated by an ODBC external user database can also be assigned to a specified Cisco Secure ACS group. Group specification by ODBC database authentication overrides group mapping. For more information about specifying group membership for users authenticated with an ODBC database, see the "ODBC Database" section.
To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping, follow these steps:
Step 2 Click Database Group Mappings.
Step 3 Click the name of the token server, LEAP Proxy RADIUS Server, or ODBC database configuration for which you want to configure a group mapping.
Result: The Define Group Mapping table appears.
Step 4 From the Select a default group for database list, click the group to which users authenticated with this database should be assigned.
|
Tip The Select a default group for database list displays the number of users assigned to each group. |
Step 5 Click Submit.
Result: Cisco Secure ACS assigns unknown and cached users authenticated by the external database type you selected in Step 3 to the Cisco Secure ACS group selected in Step 4. For users authenticated by an ODBC, ActivCard, or LEAP Proxy RADIUS Server database, the mapping is only applied as a default if those databases did not specify a Cisco Secure ACS group for the user.
You can create group mappings for some external user databases based on the combination of external user database groups to which users belong. The following are the external user database types for which you can create group mappings based on group set membership:
When you configure a Cisco Secure ACS group mapping based on group set membership, you can add one or many external user database groups to the set. For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group, the user must match all the external user database groups in the set.
As an example, you could configure a group mapping for users who belong to both the Engineering and Tokyo groups and a separate one for users who belong to both Engineering and London. You could then configure separate group mappings for the combinations of Engineering-Tokyo and Engineering-London and configure different access times for the Cisco Secure ACS groups to which they map. You could also configure a group mapping that only included the Engineering group that would map other members of the Engineering group who were not members of Tokyo or London.
Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a user can belong to more than one group set mapping. For example, a user, John, could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If there are Cisco Secure ACS group set mappings for both these combinations, Cisco Secure ACS has to determine to which group John should be assigned.
Cisco Secure ACS prevents conflicting group set mappings by assigning the group set mappings a mapping order. When a user authenticated by an external user database is to be assigned to a Cisco Secure ACS group, Cisco Secure ACS starts at the top of the list of group mappings for that database. Cisco Secure ACS checks the user's group memberships in the external user database against each group mapping in the list sequentially. Upon finding the first group set mapping that matches the user's external user database group memberships, Cisco Secure ACS assigns the user to that group mapping's Cisco Secure ACS group and terminates the mapping process.
Clearly, the order of group mappings is important because it affects the network access and services allowed users. When defining mappings for users who belong to multiple groups, make sure they are in the correct order so that users are granted the correct group settings.
For example, a user, Mary, is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer. Mapping A assigns users who belong to all three of Mary's groups to Cisco Secure ACS Group 2. Mapping B assigns users who belong to the Engineering and Marketing groups to Cisco Secure ACS Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a user of Group 1, and she is be assigned to Group 1, rather than Group 2 like managers should be.
To prevent remote access for users assigned a group by a particular group set mapping, assign the group to the Cisco Secure ACS No Access group. For example, you could assign all members of an external user database group "Contractors" to the No Access group so they could not dial in to the network remotely.
For Windows NT/2000 user databases, Cisco Secure ACS includes the ability to define a default group mapping. If no other group mapping matches an unknown user authenticated by a Windows NT/2000 user database, Cisco Secure ACS assigns the user to a group based on the default group mapping.
Configuring the default group mapping for Windows NT/2000 user databases is the same as editing an existing group mapping, with one exception. When editing the default group mapping for Windows NT/2000, instead of selecting a valid domain name on the Domain Configurations page, select \DEFAULT.
For more information about editing an existing group mapping, see the "Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping" section.
To map a Windows NT/2000, Novell NDS, or generic LDAP group to a Cisco Secure ACS group, follow these steps:
Step 2 Click Database Group Mappings.
Step 3 Click the external user database name for which you want to configure a group mapping.
Result: If you are mapping a Windows NT/2000 group set, the Domain Configurations table appears. If you are mapping an NDS group set, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are mapping a Windows NT/2000 group set for a new domain, follow these steps:
Result: The Define New Domain Configuration page appears.
b. If the Windows domain for which you want to create a group set mapping configuration appears in the Detected domains list, select the name of the domain.
|
Tip To clear your domain selection, click Clear Selection. |
c. If the Windows domain for which you want to create a group set mapping does not appear in the Detected domains list, type the name of a trusted Windows NT/2000 domain in the Domain box.
Result: The new Windows NT/2000 domain appears in the list of domains in the Domain Configurations page.
Step 5 If you are mapping a Windows NT/2000 group set, click the domain name for which you want to configure a group set mapping.
Result: The Group Mappings for Domain: domainname table appears.
Step 6 If you are mapping a Novell NDS group set, click the name of the Novell NDS tree for which you want to configure group set mappings.
Result: The Group Mappings for NDS Users table appears.
Step 7 Click Add Mapping.
Result: The Create new group mapping for database page opens. The group list displays group names derived from the external user database.
Step 8 For each group to be added to the group set mapping, select the name of the applicable external user database group in the group list, and then click Add to selected.
|
Note A user must match all the groups in the Selected list in order for Cisco Secure ACS to use this group set mapping to map the user to a Cisco Secure ACS group; however, a user can also belong to other groups (in addition to the groups listed) and still be mapped to a Cisco Secure ACS group. |
|
Tip To remove a group from the mapping, select the name of the group in the Selected list, and then click Remove from selected. |
Result: The Selected list shows all the groups that a user must belong to in order to be mapped to a Cisco Secure ACS group.
Step 9 In the CiscoSecure group list, select the name of the Cisco Secure ACS group to which you want to map users who belong to all the external user database groups in the Selected list.
|
Note You can also select <No Access>. For more information about the <No Access> group, see the "No Access Group for Group Set Mappings" section. |
Step 10 Click Submit.
Result: The group set you mapped to the Cisco Secure ACS list appears at the bottom of the database groups column.
|
Note The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set. |
You can change the Cisco Secure ACS group to which a group set mapping is mapped.
|
Note The external user database groups of an existing group set mapping cannot be edited. If you want to add or remove external user database groups from the group set mapping, delete the group set mapping and create one with the revised set of groups. |
To edit a Windows NT/2000, Novell NDS, or generic LDAP group mapping, follow these steps:
Step 2 Click Database Group Mappings.
Step 3 Click the external user database name for which you want to edit a group set mapping.
Result: If you are editing a Windows NT/2000 group set mapping, the Domain Configurations table appears. If you are editing an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are editing a Windows NT/2000 group set mapping, click the domain name for which you want to edit a group set mapping.
Result: The Group Mappings for Domain: domainname table appears.
Step 5 If you are editing a Novell NDS group set mapping, click the name of the Novell NDS tree for which you want to edit a group set mapping.
Result: The Group Mappings for NDS Users table appears.
Step 6 Click the group set mapping to be edited.
Result: The Edit mapping for database page opens. The external user database group or groups included in the group set mapping appear above the CiscoSecure group list.
Step 7 From the CiscoSecure group list, select the name of the group to which the set of external database groups should be mapped, and then click Submit.
|
Note You can also select <No Access>. For more information about the <No Access> group, see the "No Access Group for Group Set Mappings" section. |
Step 8 Click Submit.
Result: The Group Mappings for database page opens again with the changed group set mapping listed.
You can delete individual group set mappings.
To delete a Windows NT/2000, Novell NDS, or generic LDAP group mapping, follow these steps:
Step 2 Click Database Group Mappings.
Step 3 Click the external user database configuration whose group set mapping you need to delete.
Result: If you are deleting a Windows NT/2000 group set mapping, the Domain Configurations table appears. If you are deleting an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are deleting a Windows NT/2000 group set mapping, click the domain name whose group set mapping you want to delete.
Result: The Group Mappings for Domain: domainname table appears.
Step 5 If you are deleting a Novell NDS group set mapping, click the name of the Novell NDS tree whose group set mapping you want to delete.
Result: The Group Mappings for NDS Users table appears.
Step 6 Click the group set mapping you want to delete.
Step 7 Click Delete.
Result: Cisco Secure ACS displays a confirmation dialog box.
Step 8 Click OK in the confirmation dialog box.
Result: Cisco Secure ACS deletes the selected external user database group set mapping.
You can delete an entire group mapping configuration for a Windows NT/2000 domain. When you delete a Windows domain group mapping configuration, all the group set mappings in the configuration are deleted.
To delete a Windows NT/2000 group mapping, follow these steps:
Step 2 Click Database Group Mappings.
Step 3 Click the name of the Windows NT/2000 external user database.
Step 4 Click the domain name whose group set mapping you want to delete.
Step 5 Click Delete Configuration.
Result: Cisco Secure ACS displays a confirmation dialog box.
Step 6 Click OK in the confirmation dialog box.
Result: Cisco Secure ACS deletes the selected external user database group mapping configuration.
You can change the order in which Cisco Secure ACS checks group set mappings for users authenticated by Windows NT/2000, Novell NDS, and generic LDAP databases. To order group mappings, you must have already mapped them. For more information about creating group mappings, see the "Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups" section.
To change the order of the group mappings for a Windows NT/2000, Novell NDS, or generic LDAP group mapping, follow these steps:
Step 2 Click Database Group Mappings.
Step 3 Click the external user database name for which you want to configure group set mapping order.
Result: If you are ordering Windows NT/2000 group set mappings, the Domain Configurations table appears. If you are ordering NDS group set mappings, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.
Step 4 If you are configuring Windows NT/2000 group mapping order, click the domain name for which you want to configure group set mapping order.
Result: The Group Mappings for Domain: domainname table appears.
Step 5 If you are configuring Novell NDS group set mapping order, click the name of the Novell NDS tree for which you want to configure group set mapping order.
Result: The Group Mappings for NDS Users table appears.
Step 6 Click Order mappings.
|
Note The Order mappings button appears only if more than one group set mapping exists for the current database. |
Result: The Order mappings for database page appears. The group mappings for the current database appear in the Order list.
Step 7 Select the name of a group set mapping you want to move, and then click Up or Down until it is in the position you want.
Step 8 Repeat Step 7 until the group mappings are in the order you need.
Step 9 Click Submit.
Result: The Group Mappings for database page displays the group set mappings in the order you defined.
For some types of external user databases, Cisco Secure ACS supports the assignment of users to specific Cisco Secure ACS groups based upon the RADIUS authentication response from the external user database. This is provided in addition to the unknown user group mapping described in the "Group Mapping by External User Database" section. RADIUS-based group specification overrides group mapping. The database types that support RADIUS-based group specification are as follows:
Cisco Secure ACS supports per-user group mapping for users authenticated with a LEAP Proxy RADIUS Server database. This is provided in addition to the default group mapping described in the "Group Mapping by External User Database" section.
To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:
where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user. For example, if the LEAP Proxy RADIUS Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:
Cisco Secure ACS assigns the user to group 37 and applies authorization associated with group 37.
Posted: Mon Jan 20 21:46:51 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.