Installation Guide for Cisco Secure ACS Solution Engine 4.2
Cisco Secure ACS Solution Engine Overview

Table Of Contents

Cisco Secure ACS Solution Engine Overview

System Description

ACS SE Hardware Description

Solution Engine Specifications for the Cisco 1113

Front Panel Features for the Cisco 1113

Back Panel Features for the Cisco 1113

Serial Port

Ethernet Connectors

Network Cable Requirements


Cisco Secure ACS Solution Engine Overview


System Description

Cisco Secure ACS Solution Engine (ACS SE) is a highly scalable, rack-mounted, dedicated platform that serves as a high-performance access control server supporting centralized Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+). ACS SE controls the authentication, authorization, and accounting (AAA) of users accessing corporate resources through the network.

You use ACS SE to control who can access the network, to authorize what types of network services are available for particular users or groups of users, and to keep an accounting record of all user actions in the network. The appliance supports access control and accounting for dial-up access servers, firewalls and VPNs, Voice-over-IP solutions, content networking, and switched and wireless local area networks (LANs and WLANs). In addition, you can use the same AAA framework, via TACACS+, to manage administrative roles and groups and to control how network administrators change, access, and configure the network internally.

ACS SE provides almost the same set of features and functions as Cisco Secure ACS for Windows Server (the software product), packaged as a dedicated, security-hardened, application-specific appliance. ACS SE also includes additional features specific to operating and managing the appliance. See Release Notes for Cisco Secure ACS 4.2 for the new features in this release.

To ensure a highly secure posture, ACS SE:

Runs only the necessary services of the underlying hardened Windows operating system. (See "Windows Service Advisement" for details on the hardening.)

Does not support a keyboard or monitor.

Does not provide access to its file system.

Does not allow you to run arbitrary applications on it.

Allows TCP/IP connections only via the ports necessary for its own operations.

Figure 1-1 shows the ACS SE operating context.

Figure 1-1 ACS SE Context Diagram

The administrative console in the context diagram represents any data terminal equipment (DTE) capable of supporting an administrative connection through the appliance's serial port; it is generally referred to as the console in this guide.

For more detailed information on ACS SE features and capabilities, see the User Guide for Cisco Secure ACS Release 4.2 and the Release Notes for Cisco Secure ACS Solution Engine 4.2.

ACS SE Hardware Description

ACS SE is a rack-mountable 1U box. The sections below describe the Cisco 1113 device, which runs on a Quanta S27 system.

Solution Engine Specifications for the Cisco 1113

The ACS SE on the Cisco 1113 platform has the following specifications:

Intel Pentium IV 3.4 GHz CPU (800 MHz FSB, 2 MB cache)

Broadcom 5721J Ethernet network interface card

80-GB or more ATA hard drive

QSI DVD-ROM drive

Serial port

1 GB DDRII 667 unbuffered memory

DVD-Combo drive

345 W power supply

Technical specifications are detailed in "Technical Specifications for the Cisco 1113."

This section contains:

Front Panel Features for the Cisco 1113

Back Panel Features for the Cisco 1113

Serial Port

Ethernet Connectors

Network Cable Requirements

Front Panel Features for the Cisco 1113

The Cisco 1113 front panel contains switches, indicators, and the DVD-ROM drive. Figure 1-2 shows the front panel switches and LED indicators. The functions of the switches and LED indicators are described in the table below the illustration.

Figure 1-2 Front Panel Switches and Indicators for the Cisco 1113

The following table describes the callouts in Figure 1-2.

No.  Switch or LED Indicator         Description

1    DVD-ROM drive activity LED
     On = Activity
     Off = No Activity

2    Power On or Off button and LED
     Pushing the power button turns the unit on or off. The LED in the center of the power button has three states:
     Blinking Green = Power is connected but not on
     Green = Power On
     Off = Power Off

3    Unused button
     This button is not operational.

4    HDD LED
     Indicates that there is activity on the hard drive.

5    Unit Identification button
     To enable the Unit Identification LED, push the Unit Identification button.
     After the Unit Identification button has been pushed, the Unit Identification LEDs on the front and back panels flash blue. This enables you to go behind the unit and locate it by the flashing blue light on the back.
     You can switch the Unit Identification LED from flashing to solid blue by pushing the Unit Identification button again.

6    Unit Identification LED
     The Unit Identification LED has the following states:
     Off = System power is off, the system ID button has not been pushed, and there is no fault assertion condition (the system cover is on the device and there is no fault condition).
     Flashing Blue = The system ID button has been pushed; the LED flashes blue whether the system is in standby mode or system power is on.
     Solid Blue = System power is on, the system cover is on the device, and there is no fault assertion condition. The system ID button has not been pushed.
     Flashing Amber = The system is on standby power, there is a fault assertion condition (for example, the cover has been removed from the device), and the system ID button has not been pushed.

7    USB port (not supported)
     Universal Serial Bus port. Do not use.


Back Panel Features for the Cisco 1113

The back panel for the Cisco 1113 contains the AC power receptacle, Ethernet connectors, indicator LEDs, and a serial port. Figure 1-3 shows the back-panel features.

Figure 1-3 Back Panel Features for the Cisco 1113

The following table describes the callouts in Figure 1-3.

No.  Description

1    AC power receptacle
2    Mouse connector (not supported). Do not use.
3    USB connectors (not supported). Do not use.
4    Serial connector (see Figure 1-4 for the pin assignments)
5    Video connector (not supported). Do not use.
6    RJ-45 Fast Ethernet connector with 10/100/1000-Mbit/s operation for NIC 2
7    RJ-45 Fast Ethernet connector with 10/100/1000-Mbit/s operation for NIC 1
8    Unit Identification button and LED. When the Unit Identification button on the front panel is pressed, the Unit Identification LED on the back panel flashes blue. You can switch the Unit Identification LED from flashing to solid blue by pushing the Unit Identification button.
9    Keyboard connector (not supported). Do not use.


Serial Port

The integrated serial port on the back panel of the appliance uses a 9-pin, D-subminiature connector.

Serial Port Connector

If you reconfigure your hardware, you may need information regarding the pin number and signal for the serial port connector. Figure 1-4 illustrates the pin numbers for the serial port connector, and defines the pin assignments and interface signals for the serial port connector. (Pin numbering proceeds bottom to top and right to left, as illustrated.)

Figure 1-4 Pin Numbers for the Serial Port Connector

Pin     Signal   I/O   Definition

1       DCD      I     Data carrier detect
2       SIN      I     Serial input
3       SOUT     O     Serial output
4       DTR      O     Data terminal ready
5       GND      N/A   Signal ground
6       DSR      I     Data set ready
7       RTS      O     Request to send
8       CTS      I     Clear to send
9       RI       I     Ring indicator
Shell   N/A      N/A   Chassis ground


Ethernet Connectors

Your Cisco 1113 system has two integrated 10/100/1000-megabit-per-second (Mbps) Ethernet connectors. ACS SE supports operation on either Ethernet connector, but not on both connectors at the same time. Each Ethernet connector provides all the functions of a network expansion card and supports the 10BASE-T, 100BASE-TX, and 1000BASE-TX Ethernet standards.

Each NIC is configured to automatically detect the speed and duplex mode of the network.

Network Cable Requirements


Warning: To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting cables.

The Ethernet connectors are designed for attaching an unshielded twisted pair (UTP) Ethernet cable equipped with standard RJ-45 compatible plugs. Press one end of the UTP cable into the Ethernet connector until the plug snaps securely into place. Connect the other end of the cable to an RJ-45 port on a hub or other device, depending on your network configuration. Observe the following cabling restrictions for 10BASE-T, 100BASE-TX, and 1000BASE-TX networks:

For 10BASE-T networks, use Category 3 or greater wiring and connectors.

For 100BASE-TX and 1000BASE-TX networks, use Category 5 or greater wiring and connectors.

The maximum cable run length is 328 feet (ft) or 100 meters (m).