User Guide for Cisco Secure ACS Solution Engine 4.0
Index

A

AAA 1

See also AAA clients

See also AAA servers

pools for IP address assignment 7

AAA clients 1

adding and configuring 11

configuring 8

deleting 14

editing 13

IP pools 7

multiple IP addresses for 8

number of 22

searching for 6

table 1

timeout values 6

AAA protocols

TACACS+ and RADIUS 3

AAA servers 3

adding 16

configuring 15

deleting 19

editing 18

enabling in interface (table) 6

functions and concepts 2

in distributed systems 2

master 2

overview 15

primary 2

replicating 2

searching for 6

secondary 2

troubleshooting 1

accessing Cisco Secure ACS

how to 3

URL 20

with SSL enabled 20

access policies

See administrative access policies

accountActions table 19, 20

account disablement

Account Disabled check box 3

manual 37

resetting 39

setting options for 13

accounting

See also logging

administrative 15

overview 14

RADIUS 15

TACACS+ 15

ACLs

See downloadable IP ACLs

ACS

additional features 4

extended replication components 5

features, functions and concepts 2

internal database 3

introduction to 1

managing and administrating 15

scalability improvements 5

specifications 21

Windows Services 22

ACS internal database

See also databases

overview 1

password encryption 2

See replication

action codes

for creating and modifying user accounts 4

for initializing and modifying access filters 9

for modifying network configuration 17

for modifying TACACS+ and RADIUS settings 12

for setting and deleting values 4

in accountActions 3

Active Service Management

See Cisco Secure ACS Active Service Management

adding

external servers 23

ADF

importing for vendors 5

Administration Audit log

viewing 10

Administration Control

See also administrators

audit policy setup 12

administrative access policies

See also administrators

configuring 9

limits 8

options 8

overview 8

administrative accounting 15

administrative sessions

and HTTP proxy 2

network environment limitations of 1

session policies 11

through firewalls 2

through NAT (network address translation) 2

administrators

See also Administration Audit log

See also Administration Control

See also administrative access policies

adding 5

deleting 8

editing 6

locked out 7

locking out 11

overview 1

privileges 2

separation from general users 9

troubleshooting 1

unlocking 7

advanced options in interface 7

AES 128 algorithm 2

age-by-date rules for groups 18

Aironet

AAA client configuration 9

RADIUS parameters for group 30

RADIUS parameters for user 27

appliance

configuration 16

ARAP 9

in User Setup 4

attribute definition file

see also ADF 5

attributes

adding 36

definition file 34

definition file sample 41

deleting 38

dumping 40

enabling in interface 4

exporting 40

extended entity 39

extended property 39

group-specific (table) 24

logging of user data 2

management 33

NAC (posture validation) 33

per-group 4

per-user 4

posture validation (NAC) 33

user-specific (table) 24

attribute-value pairs

See AV (attribute value) pairs

audit policies

See also Administration Audit log

overview 12

audit server

functionality 40

setting up 25

authentication 6

configuration 19

configuring policies 27

considerations 7

denying unknown users 8

functionality 11

options 19

overview 6

protocol-database compatibility 7

request handling 3

user databases 7

via external user databases 3

Windows 7

authorization 12

configuring policies 43

ordering rules 46

rules 43

sets

See command authorization sets

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

RADIUS

Cisco IOS 3

IETF 11

TACACS+

accounting 3

general 1

Available Credentials 38

B

backups

components backed up 7

disabling scheduled 10

filename 7

filenames 11

manual 8

options 8

overview 7

reports 7

scheduled vs. manual 7

scheduling 9

vs. replication 6

browsers

See also web interface 18

troubleshooting 3

C

cab file 19

cached users

See discovered users

CA configuration 29

callback options

in Group Setup 5

in User Setup 6

cascading replication 4, 9

cautions

significance of xxv

certificate authority, trusted root 13

certificate database for LDAP servers 34

DB path 29

trusted root CA 29

certificate trust list

see CTL

certification

See also EAP-TLS

See also PEAP

adding certificate authority certificates 28

background 1

backups 7

Certificate Revocation Lists 30

certificate signing request generation 32

editing the certificate trust list 29

replacing certificate 36

self-signed certificates

configuring 35

NAC 5

overview 34

server certificate installation 25

updating certificate 36

Certification Revocation List (CRL) 6

CHAP 9

in User Setup 4

Cisco

Identity-Based Networking Services (IBNS) 2

Cisco IOS

RADIUS

AV (attribute value) pairs 2

group attributes 28

user attributes 25

TACACS+ AV (attribute value) pairs 1

troubleshooting 4

Cisco NAC support 5

Cisco Secure ACS Active Service Management

event logging configuration 15

overview 13

system monitoring

configuring 14

Cisco Secure ACS Active Service Monitoring logs

viewing 10

Cisco Secure ACS administration overview 15

Cisco Secure ACS Backup and Restore log

viewing 10

Cisco Secure ACS backups

See backups

Cisco Secure ACS system restore

See restore

CiscoSecure Authentication Agent 16

Cisco Security Agent 16

See also CSAgent

integration 5, 16

logging 17

policies 17

restrictions 17

viewing logs 21

CLID-based filters 19

cloning

Network Access Profiles 9

policies or rules 21

codes

See action codes

command authorization sets

See also shell command authorization sets

adding 28

configuring 24, 28

deleting 30

editing 29

overview 24

pattern matching 27

PIX command authorization sets 24

condition sets, defining 19

configuring

internal policies 18

configuring advanced filtering

Network Access Profiles 7

conventions xxiv

copying

policies or rules 21

creating

external servers 23

Credential Validation Databases 30

CRLs 30

CSAdmin

Windows Services 22

CSAdmin service 2

CSAgent

behavior 17

disabling 18

enabling 18

logging 17

overview 16

policies 17

CSAgent service 16, 2

CSAuth

Windows Services 22

CSDBSync 19

Windows Services 22

CSLog

Windows Services 22

CSMon

See also Cisco Secure ACS Active Service Management

configuration 3

log 5

Windows Services 22

CSRadius 6

Windows Services 22

CSTacacs 6

Windows Services 22

CSV (comma-separated values) files

downloading 10

filename formats 9

logging format 1

viewing 10

CTL

external policy servers

CTL editing 29

custom attributes

in group-level TACACS+ settings 22

in user-level TACACS+ settings 15

customer support

collecting data for 20

D

database group mappings

configuring

for token servers 2

for Windows domains 6

no access groups 4

order 7

deleting

group set mappings 6

Windows domain configurations 7

Database Replication log

viewing 10

databases

See also external user databases

ACS internal database 1

authentication search process 3

deleting 42

deployment considerations 10

external

See also external user databases

See also Unknown User Policy

remote agent selection 17

replication

See replication

search order 7

search process 7

selecting user databases 1

synchronization

See RDBMS synchronization

token cards

See token servers

troubleshooting 6, 12

types

See generic LDAP user databases

See LEAP proxy RADIUS user databases

See Novell NDS user databases

See RADIUS user databases

unknown users 1

user databases 2

user import methods 2

Windows user databases 4

data source names

for RDBMS synchronization 24

data types, NAC attribute 8

date and time setting 17

date format control 3

debug logs

detail levels 19

frequency 19

default group

in Group Setup 2

mapping for Windows 4

default time-of-day/day-of-week specification 6

default time-of-day access settings for groups 5

deleting 10

external audit servers 26

external servers 25

logged-in users 7

Network Access Profiles 10

policies or rules 22

deployment

overview 1

sequence 11

device command sets

See command authorization sets

device management applications support 13

DHCP with IP pools 29

diagnostic logs 21

dial-in permission to users in Windows 17

dial-in troubleshooting 7

dial-up networking clients 6, 7

dial-up topologies 2

digital certificates

See certification

Disabled Accounts report

viewing 8

Disabled Accounts reports

description 6

discovered users 2

Distinguished Name Caching 26

distributed systems

See also proxy

AAA servers in 2

overview 2

settings

configuring 28

default entry 3

enabling in interface 6

distribution table

See Proxy Distribution Table

DNIS-based filters 19

documentation

conventions xxiv

objectives xxiii

online 20

related xxvi

Domain List

configuring 21

inadvertent user lockouts 9, 21

overview 9

unknown user authentication 5

domain name and hostname configuration 18

domain names

Windows operating systems 8, 9

downloadable IP ACLs 6

adding 15

assigning to groups 22

assigning to users 14

deleting 17

editing 16

enabling in interface

group-level 6

user-level 6

overview 13

draft-ietf-radius-tunnel-auth 3

dynamic usage quotas 13

dynamic users

removing 40

E

EAP (Extensible Authentication Protocol)

Configuration 29

overview 11

supported protocols 11

with Windows authentication 10

EAP authentication

protocol 8

EAP-FAST 11

enabling 17

identity protection 10

logging 9

master keys

definition 10

states 10

master server 16

overview 8

PAC

automatic provisioning 13

definition 11

manual provisioning 14

refresh 14

states 13

password aging 20

phases 9

replication 15

secured tunnel support 5

EAP-TLS 11

See also certification

authentication configuration 19

comparison methods 3

domain stripping 10

enabling 4

limitations 4

options 21, 24

overview 2

editing

external audit servers 26

external posture validation servers 24

internal policies 20

Network Access Profiles 9

enable password options for TACACS+ 23

enable privilege options for groups 13

entity field 8

Event log

configuring 15

exception events 5

exception events 5

exemption list

external audit 15

Extensible Authentication Protocol

See EAP (Extensible Authentication Protocol)

Extensible Authentication Protocol (EAP) 2

external audit policy

what triggers an 15

external audit server

setting up 25

external audit servers

about 14

deleting 26

editing 26

external policies 11

exemption list support 15

external servers

creating 23

deleting 25

editing 24

external token servers

See token servers

external user databases

See also databases

authentication via 3

configuring 3

deleting configuration 42

latency factors 5

search order 6, 7

supported 7

Unknown User Policy 1

F

Failed attempts accounting log 15

Failed Attempts log

configuring

CSV (comma-separated values) 12

enabling

log 10

viewing 10

failed log-on attempts 4

failure events

customer-defined actions 5

predefined actions 5

fallbacks on failed connection 4

finding users 37

FTP server 7

G

gateways 2

Generic LDAP 7

generic LDAP user databases

authentication 22

certificate database downloading 34

configuring

database 30

options 26

directed authentications 24

domain filtering 24

failover 25

mapping database groups to AAA groups 3

multiple instances 23

organizational units and groups 23

Global Authentication Setup 19

global authentication setup

enabling posture validation 5

grant dial-in permission to users 6, 17

greeting after login 18

group-level interface enabling

downloadable IP ACLs 6

network access restrictions 6

network access restriction sets 6

password aging 6

group-level network access restrictions

See network access restrictions

groups

See also network device groups

assigning users to 5

configuring RADIUS settings for

See RADIUS

Default Group 2, 4

enabling VoIP (Voice-over-IP) support for 4

listing all users in 40

mapping order 7

mappings 1

no access groups 4

overriding settings 4

relationship to users 4

renaming 40

resetting usage quota counters for 40

settings for

callback options 5

configuration-specific 12

configuring common 3

device management command authorization sets 26

enable privilege 13

IP address assignment method 21

management tasks 39

max sessions 9

network access restrictions 6

password aging rules 15

PIX command authorization sets 25

shell command authorization sets 24

TACACS+ 2, 3, 22

time-of-day access 5

token cards 14

usage quotas 10

setting up and managing 1

H

handle counts 4

hard disk space 4

host and domain names configuration 18

host system state 4

HTML interface

encrypting 9

logging off 3

HTTP port allocation

configuring 9

for administrative sessions 18

HTTPS 9

I

IEEE 802.1x 2

IETF 802.1x 11

IETF RADIUS attributes 4

inbound

authentication 9

password configuration 10

installation

related documentation xxvi

system requirements 11

troubleshooting 10

Interface Configuration

See also HTML interface

advanced options 5

configuring 1

customized user data fields 4

security protocol options 9

internal architecture 1

internal policies

configuration options 10

editing 20

rules 10

steps to set up 18

IP ACLs

See downloadable IP ACLs

IP addresses

in User Setup 7

multiple IP addresses for AAA client 8

requirement for CSTacacs and CSRadius 6

setting assignment method for user groups 21

IP pools

address recovery 33

deleting 32

DHCP 29

editing IP pool definitions 31

enabling in interface 6

overlapping 29, 30

refreshing 30

resetting 32

servers

adding IP pools 30

overview 28

replicating IP pools 29

user IP addresses 7

L

LAN manager 9

latency in networks 10

LDAP

Admin Logon Connection Management 26

Distinguished Name 26

LEAP 11

LEAP proxy RADIUS user databases

configuring external databases 36

group mappings 1

overview 35

RADIUS-based group specifications 8

list all users

in Group Setup 40

in User Setup 36

local policies

see internal policies

log files

storage directory 3

Logged-In Users report

deleting logged-in users 7

description 6

viewing 7

logging

See also Reports and Activity

accounting logs 4

administration reports 6

configuring 12

configuring remote agent logs 18

CSAgent 17

CSV (comma-separated values) files 1

custom RADIUS dictionaries 2

debug logs

detail levels 19

frequency 19

diagnostic logs 21

Disabled Accounts reports 6

domain names 2

external user databases 2

Failed Attempts logs 4

formats 1

Logged-In Users reports 6

overview 4

Passed Authentication logs 4

RADIUS logs 4

RDBMS synchronization 2

remote agent logging

configuration 17

options 17

remote logging

centralized 14

configuring 15

disabling 16

enabling 15

enabling in interface 6

local configuration 14

options 15

overview 13

service logs 11

services

configuring service logs 19

list of logs generated 19

system logs 8

TACACS+ logs 4

troubleshooting 11

user data attributes 2

VoIP logs 4

watchdog packets 3

login process test frequency 14

logins

greeting upon 18

password aging dependency 17

M

MAC-Authentication Bypass 29

Machine Access Restrictions (MAR) 6

machine authentication

enabling 15

overview 10

with Microsoft Windows 13

management application support 13

mappings

database groups to AAA groups 3

databases to AAA groups 1

master AAA servers 2

master key

definition 10

states 10

max sessions 12

enabling in interface 6

group 12

in Group Setup 9

in User Setup 11

overview 12

troubleshooting 11

user 12

member server 6, 8

memory utilization 4

monitoring

configuring 14

CSMon 4

overview 13

services 20

MS-CHAP 9

configuring 19

overview 9

protocol supported 8

multiple IP addresses for AAA clients 8

N

NAC 2

agentless host see also NAH 14

attributes

about 7

data types 8

configuring ACS for support for 4

credentials

about 7

implementing 4

logging 5

overview

policies

about 18

external 11

internal 9

results 18

remediation server

url-redirect attribute 6

rules

about 10, 6

default 11

operators 6

self-signed certificates 5

tokens

definition 3

descriptions of 3

returned by internal policies 9

NAC Agentless Host 25

NAC L2 IP 17

NAC L3 IP 15

NAFs

See network access filters

NAH

policies 14

NAR

See network access restrictions

NAS

See AAA clients

Network Access Filter (NAF)

editing 5

Network Access Filters (NAF) 6, 4

adding 3

deleting 6

overview 2

Network Access Profiles 5, 1, 10, 28

cloning 9

configuring advanced filtering 7

editing 9

setting up 3

network access quotas 13

network access restrictions

deleting 23

editing 22

enabling in interface

group-level 6

user-level 6

in Group Setup 6

interface configuration 6

in User Setup 6, 8

non-IP-based filters 19

overview 18

network access servers

See AAA clients

Network Admission Control

see NAC

network configuration 1

network device groups

adding 24

assigning AAA clients to 25

assigning AAA servers to 25

configuring 24

deleting 27

enabling in interface 6

reassigning AAA clients to 26

reassigning AAA servers to 26

renaming 26

network devices

searches for 6

networks

latency 10

reliability 10

network time protocol

See NTP server

network topologies

deployment 2

wireless 4

noncompliant devices 2

non-EAP authentication

protocol 7

Novell NDS user databases

mapping database groups to AAA groups 3

NTP server 17

O

ODBC features

accountActions table 21

group mappings 1

One-time Passwords (OTPs) 6

online documentation 20

online help 20

location in HTML interface 19

using 20

online user guide 21

ordering rules, in policies 10

outbound password configuration 10

overview of Cisco Secure ACS 1

P

PAC

automatic provisioning 13

definition 11

manual provisioning 14

refresh 14

PAP 9

in User Setup 4

vs. ARAP 9

vs. CHAP 9

Passed authentications accounting log 15

Passed Authentications log

configuring CSV (comma-separated values) 12

enabling CSV (comma-separated values) logging 10

viewing 10

password

automatic change password configuration 16

password aging 10

age-by-uses rules 17

Cisco IOS release requirement for 16

EAP-FAST 16

interface configuration 6

in Windows databases 19

MS-CHAP 16

overview 10

PEAP 16

rules 15

password configurations

basic 9

passwords

See also password aging

CHAP/MS-CHAP/ARAP 5

configurations

caching 10

inbound passwords 10

outbound passwords 10

separate passwords 9

single password 9

token caching 10

token cards 9

encryption 2

expiration 17

local management 4

post-login greeting 18

protocols supported 8

remote change 5

user-changeable 11

validation options in System Configuration 4

patch

overview 21

process 23

pattern matching in command authorization 27

PEAP 11

See also certification

configuring 19

enabling 7

identity protection 6

options 20

overview 5

password aging 19

phases 6

with Unknown User Policy 7

performance monitoring 4

performance specifications 22

per-group attributes

See also groups

enabling in interface 4

per-user attributes

enabling in interface 4

TACACS+/RADIUS in Interface Configuration 5

ping command 17

PIX ACLs

See downloadable IP ACLs

PIX command authorization sets

See command authorization sets

PKI (public key infrastructure)

See certification

Point-to-Point Protocol (PPP) 23

policies

cloning 21

configuring 17

copying 21

deleting 22

external 11

configuration options 12

internal 9

local

see internal policies

NAH 14

overview 7

renaming 22

rule order 10

setting up an external audit server 25

setting up external servers 23

Populate from Global 28

Network Access Profiles 28

port 2002

in HTTP port ranges 9

in URLs 20

port allocation

See HTTP port allocation

ports

See also HTTP port allocation

See also port 2002

RADIUS 3

TACACS+ 3

Posture Validation

for Agentless Hosts 41

posture validation

attributes 7

configuring ACS for 4

credentials 7

CTL 5

enabling 5

failed attempts log 5

implementing 4

internal policy configuration options 10

options 17

passed authentications log 5

policy overview 7

process flow 6

and profile-based policies 27

profiles, adding user groups 5

rule

assigning posture tokens 6

rules, about 10

server certificate requirement 5

Posture Validation Policies

configuring 35

PPP password aging 16

privileges

See administrators

processor utilization 4

profile 1

Profile-based Policies 2

profile components

See shared profile components

profiles 47

profile templates 13

protocols supported 8

protocol support

EAP authentication 8

non-EAP authentication 7

protocol types

Network Access Profiles 5

proxy

See also Proxy Distribution Table

character strings

defining 4

stripping 4

configuring 27

in enterprise settings 5

overview 3

sending accounting packets 5

troubleshooting 10

Proxy Distribution Table

See also proxy

adding entries 28

configuring 28

default entry 3, 28

deleting entries 30

editing entries 30

match order sorting 29

overview 28

Q

quotas

See network access quotas

See usage quotas

R

RAC and Groups 47

RADIUS 3

See also RADIUS VSAs (vendor specific attributes)

accounting 15

attributes

See also RADIUS VSAs (vendor specific attributes)

in User Setup 24

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

Cisco IOS 3

IETF 11

overview 1

Cisco Aironet 9

compliant token servers 7

IETF

in Group Setup 27

interface configuration 12

in User Setup 25

interface configuration overview 9

password aging 19

ports 3

specifications 3

token servers 38

troubleshooting 14

tunneling packets 12

vs. TACACS+ 3

RADIUS Accounting log

configuring

CSV (comma-separated values) 12

configuring CSV (comma-separated values) 10

enabling CSV (comma-separated values) 10

RADIUS user databases

configuring 39

group mappings 1

RADIUS-based group specifications 8

RADIUS VSAs (vendor specific attributes)

Ascend

in Group Setup 32

in User Setup 28

supported attributes 21

Cisco Aironet

in Group Setup 30

in User Setup 27

Cisco BBSM (Building Broadband Service Manager)

in Group Setup 38

in User Setup 34

supported attributes 10

Cisco IOS/PIX

in Group Setup 28

interface configuration 13

in User Setup 25

supported attributes 4

Cisco VPN 3000

in Group Setup 33

in User Setup 29

supported attributes 6

Cisco VPN 5000

in Group Setup 34

in User Setup 30

supported attributes 10

custom

about 19

in Group Setup 39

in User Setup 35

Juniper

in Group Setup 37

in User Setup 33

supported attributes 28

Microsoft

in Group Setup 35

in User Setup 31

supported attributes 19

Nortel

in Group Setup 36

in User Setup 33

supported attributes 28

overview 1

user-defined

about 19

action codes for 12

replicating 19

RDBMS synchronization

accountActions table as transaction queue 21

configuring 26

data source name configuration 23, 24

disabling 28

enabling in interface 6

group-related configuration 18

import definitions 1

log

viewing 10

manual initialization 25

network configuration 18

overview 17

partners 25

preparing to use 22

report and error handling 22

scheduling options 25

user-related configuration 18

rejection mode

general 3

Windows user databases 4

related documentation xxvi

reliability of network 10

remote access policies 7

remote agent

configuration 19

selecting for authentication 17

remote agent logging

configuration 17

options 17

remote agents

adding 21

configuring 19

deleting 23

editing 22

options 20

overview 19

Remote Agents table 2

selecting for authentication 17

remote logging

centralized 14

configuring remote agent logs 17

disabling 16

local configuration 14

options 15

overview 13

Remove Dynamic Users 40

removing

external audit servers 26

external servers 25

policies or rules 22

removing dynamic users 40

renaming

policies 22

replication

ACS Service Management page 2

auto change password settings 16

backups recommended (Caution) 7

cascading 4, 9

certificates 2

client configuration 11

components

overwriting (Caution) 11

overwriting (Note) 7

selecting 7

configuring 13

corrupted backups (Caution) 7

custom RADIUS dictionaries 2

disabling 15, 16

EAP-FAST 15

encryption 4

external user databases 2

frequency 5

group mappings 2

immediate 12

implementing primary and secondary setups 10

important considerations 5

in System Configuration 13

interface configuration 6

IP pools 2, 29

logging 7

manual initiation 12

master AAA servers 2

notifications 16

options 7

overview 2

partners

configuring 15

options 8

process 3

scheduling 13

scheduling options 8

selecting data 7

unsupported 2

user-defined RADIUS vendors 6

vs. backup 6

Reports and Activity

See also logging

configuration privileges 4

configuring 12

CSV (comma-separated values) logs 8

in interface 20

overview 4

request handling

general 3

Windows user databases 4

Required Credential Types 38

requirements

system installation 11

resource consumption 4

restarting services 2

restore

components restored

configuring 12

overview 12

filenames 11

in System Configuration 10

on a different server 11

overview 11

performing 12

reports 12

RFC2138 3

RFC2139 3

RSA user databases

group mappings 1

rules

about 10

internal policy 10

S

search order of external user databases 7

security policies 8

security protocols

CSRadius 6

CSTacacs 6

interface options 9

RADIUS 3, 1

TACACS+

custom commands 8

overview 3

time-of-day access 8

Selected Credentials 38

server certificate installation 25

service control in System Configuration 19

services

determining status of 2

logs

configuring 19

list of logs generated 19

management 13

monitoring 20

starting 2

stopping 2

session policies

configuring 11

options 11

overview 11

setting up

Network Access Profiles 3

shared profile components

See also command authorization sets

See also downloadable IP ACLs

See also network access filters

See also network access restrictions

overview 1

Shared Profile Components (SPC) 13

Shared RAC 46

shared secret 6

shell command authorization sets

See also command authorization sets

in Group Setup 24

in User Setup 17

Simple Network Management Protocol (SNMP) 12

single password configurations 9

SMTP (simple mail-transfer protocol) 5

SNMP

support 4

specifications

RADIUS

RFC2138 3

RFC2139 3

system performance 22

TACACS+ 3

SSL (secure socket layer) 9, 29

starting services 2

static IP addresses 7

stopping services 2

supplementary user information

in User Setup 4

setting 4

support

Cisco Device-Management Applications 13

supported password protocols 8

support page 19

synchronization

See RDBMS synchronization

system

configuration

advanced 1

authentication 1

basic 1

certificates 1

privileges 3

health 4

messages in interface 20

monitoring

See monitoring

performance specifications 22

services

See services

system installation requirements 11

system monitoring

technical support file 19

system performance

specifications 22

T

TACACS+ 3

accounting 15

advanced TACACS+ settings

in Group Setup 2, 3

in User Setup 21

AV (attribute value) pairs

accounting 3

general 1

custom commands 8

enable password options for users 23

enable privilege options 22

interface configuration 7

interface options 9

outbound passwords for users 24

ports 3

SENDAUTH 10

settings

in Group Setup 2, 3, 22

in User Setup 15

specifications 3

time-of-day access 8

troubleshooting 14

vs. RADIUS 3

TACACS+ Accounting log

configuring

CSV (comma-separated values) 12

enabling CSV (comma-separated values) 10

viewing 10

TACACS+ Administration log

configuring

CSV (comma-separated values) 12

enabling CSV (comma-separated values) 10

viewing 10

Telnet

See also command authorization sets

password aging 16

test login frequency internally 14

thread used 4

time and date setting 17

time-of-day/day-of-week specification

See also date format control

enabling in interface 6

timeout values on AAA clients 6

TLS (transport level security)

See certification

token caching 10, 38

token cards 23

password configuration 9

settings in Group Setup 14

token servers

ISDN terminal adapters 38

overview 38

RADIUS-enabled 38

RADIUS token servers 39

supported servers 7

token caching 38

topologies

See network topologies

troubleshooting 47

AAA servers 1

administration issues 1

browser issues 3

Cisco IOS issues 4

database issues 6

debug logs 19

dial-in issues 7

installation issues 10

max sessions issues 11

proxy issues 10

RADIUS issues 14

report issues 11

TACACS+ issues 14

third-party server issues 12

upgrade issues 10

user issues 13

trusted root certificate authority 13

trust lists

See certification

trust relationships 6

U

unknown service user setting 21

Unknown User Policy 18

See also unknown users

configuring 8

in external user databases 2, 7

turning off 8

unknown users

See also Unknown User Policy

authentication 3

authentication performance 5

authentication processing 5

network access authorization 6

unmatched user requests 10

update packets

See watchdog packets

upgrade

applying 27

CSAgent 17

distribution server requirements 22

overview 21

process 23

restrictions 17

transferring 24

upgrade troubleshooting 10

usage quotas

in Group Setup 10

in Interface Configuration 6

in User Setup 12

overview 13

resetting

for groups 40

for single users 38

user-changeable passwords

overview 11

with Windows user databases 16

user databases

See databases

User Data Configuration 4

user groups

See groups

user guide

online 21

user-level

downloadable ACLs interface 6

network access restrictions

See also network access restrictions

enabling in interface 5

users

See also User Setup

adding

basic steps 3

methods 2

assigning client IP addresses to 7

assigning to a group 5

callback options 6

configuring 1

configuring device management command authorization sets for 20

configuring PIX command authorization sets for 19

configuring shell command authorization sets for 17

customized data fields 4

data configuration

See User Data Configuration

deleting 7

deleting accounts 38

disabling accounts 3

finding 37

import methods 2

in multiple databases 4

listing all users 36

number allowed 10

number of 22

RDBMS synchronization 18

relationship to groups 4

removing dynamic 40

resetting accounts 39

saving settings 40

supplementary information 4

troubleshooting 13

types

discovered 2

known 2

unknown 2

VPDN dialup 1

User Setup

account management tasks 36

basic options 2

configuring 1

deleting user accounts 38

saving settings 40

Users in Group button 40

V

validation of passwords 4

vendor-specific attributes

See RADIUS VSAs (vendor specific attributes)

in RDBMS synchronization 8, 19

vendor-specific attributes (VSAs) 4

viewing logs and reports

See logging

Virtual Private Dial-Up Networks (VPDNs) 12

Voice-over-IP

See VoIP (Voice-over-IP)

VoIP (Voice-over-IP)

accounting configuration 7, 15

Accounting log

enabling csv log 10

viewing 10

enabling in interface 7

group settings in Interface Configuration 7

in Group Setup 4

VoIP (Voice-over-IP) Accounting log

configuring

CSV (comma-separated values) 12

VoIP accounting log 15

VPDN

advantages 6

authentication process 1

domain authorization 2

home gateways 2

IP addresses 2

tunnel IDs 2

users 1

VSAs

See RADIUS VSAs (vendor specific attributes)

W

warning events 4, 5

warnings

significance of xxv

watchdog packets

configuring on AAA clients 12

configuring on AAA servers 17

logging 3

web interface

See also Interface Configuration

layout 18

security 16

uniform resource locator 20

Windows Callback 18

Windows Database Callback 18

Windows operating systems

authentication order 4

Cisco Secure ACS-related services

services 2

dial-up networking 6

dial-up networking clients

domain field 7

password field 7

username field 7

Domain List effect 5

domains

domain names 8, 9, 4

Event logs 5

Windows Services 22

CSAdmin 22

CSAuth 22

CSDBSync 22

CSLog 22

CSMon 22

CSRadius 22

CSTacacs 22

overview 22

Windows user database 7

passwords 8

Windows user databases

See also databases

Active Directory 17

configuring 21

Domain list

inadvertent user lockouts 21

domain mapping 6

domains

trusted 6

grant dial-in permission to users 6, 17

group mappings

editing 6

limitations 3

no access groups 4

remapping 6

mapping database groups to AAA groups 3

overview 4

password aging 19

rejection mode 4

request handling 4

trust relationships 6

user-changeable passwords 16

user manager 17

wireless network topologies 4