User Guide for Cisco Secure ACS for Windows Server Version 3.3
Index

A

AAA

See also AAA clients

See also AAA servers

definition   1-2

pools for IP address assignment   7-11

AAA clients

adding and configuring   4-16

configuration   4-11

definition   1-6

deleting   4-21

editing   4-19

interaction with AAA servers   1-6

IP pools   7-11

multiple IP addresses for   4-12

number of   1-4

searching for   4-8

supported Cisco AAA clients   1-2

table   4-1

timeout values   16-9

AAA servers

adding   4-24

configuring   4-21

deleting   4-28

editing   4-26

enabling in interface (table)   3-5

functions and concepts   1-5

in distributed systems   4-3

master   9-3

overview   4-21

primary   9-3

replicating   9-3

searching for   4-8

secondary   9-3

troubleshooting   A-1

access devices   1-6

accessing Cisco Secure ACS

how to   1-32

URL   1-29

with SSL enabled   1-29

access policies

See administrative access policies

accountActions table   9-29, 9-31

account disablement

Account Disabled check box   7-5

manual   7-56

resetting   7-59

setting options for   7-20

accounting

See also logging

overview   1-22

ACLs

See downloadable IP ACLs

action codes

for creating and modifying user accounts   F-7

for initializing and modifying access filters   F-14

for modifying network configuration   F-25

for modifying TACACS+ and RADIUS settings   F-19

for setting and deleting values   F-5

in accountActions   F-4

Active Service Management

See Cisco Secure ACS Active Service Management

Administration Audit log

configuring   11-14

CSV file directory   11-16

viewing   11-18

Administration Control

See also administrators

audit policy setup   12-18

administrative access policies

See also administrators

configuring   12-14

limits   12-11

options   12-12

overview   2-15

administrative sessions

and HTTP proxy   1-30

network environment limitations of   1-30

session policies   12-16

through firewalls   1-31

through NAT (network address translation)   1-31

administrators

See also Administration Audit log

See also Administration Control

See also administrative access policies

adding   12-6

deleting   12-11

editing   12-7

locked out   12-10

locking out   12-17

overview   12-2

privileges   12-3

separation from general users   2-17

troubleshooting   A-2

unlocking   12-10

advanced options in interface   3-6

age-by-date rules for groups   6-25

Aironet

AAA client configuration   4-13

RADIUS parameters for group   6-41

RADIUS parameters for user   7-41

ARAP

compatible databases   1-10

in User Setup   7-5

protocol supported   1-11

architecture   G-1

ASCII/PAP

compatible databases   1-10

protocol supported   1-11

attributes

enabling in interface   3-2

group-specific (table)   F-35

logging of user data   11-2

per-group   3-2

per-user   3-2

user-specific (table)   F-34

attribute-value pairs

See AV (attribute value) pairs

audit policies

See also Administration Audit log

overview   12-18

authentication

compatibility of protocols   1-10

configuration   10-26

denying unknown users   16-17

options   10-33

overview   1-8

request handling   16-5

via external user databases   13-5

Windows   13-11

authorization   1-17

authorization sets

See command authorization sets

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

RADIUS

Cisco IOS   C-3

IETF   C-14

TACACS+

accounting   B-4

general   B-1

B

Backup and Restore log directory

See Cisco Secure ACS Backup and Restore log

backups

components backed up   8-10

directory management   8-10

disabling scheduled   8-13

filenames   8-15

locations   8-10

manual   8-12

options   8-11

overview   8-9

reports   8-11

scheduled vs. manual   8-9

scheduling   8-12

vs. replication   9-10

with CSUtil.exe   D-6

browsers

See also HTML interface

troubleshooting   A-4

C

cached users

See discovered users

CA configuration   10-38

callback options

in Group Setup   6-7

in User Setup   7-9

cascading replication   9-6, 9-13

cautions

significance of   xlviii

certification

See also EAP-TLS

See also PEAP

adding certificate authority certificates   10-37

background   10-1

backups   8-10

Certificate Revocation Lists   10-40

certificate signing request generation   10-45

editing the certificate trust list   10-38

replacing certificate   10-50

self-signed certificates

configuring   10-49

NAC   14-6

overview   10-47

server certificate installation   10-35

updating certificate   10-50

CHAP

compatible databases   1-10

in User Setup   7-5

protocol supported   1-11

Cisco IOS

RADIUS

AV (attribute value) pairs   C-2

group attributes   6-40

user attributes   7-39

TACACS+ AV (attribute value) pairs   B-1

troubleshooting   A-5

Cisco Secure ACS Active Service Management

event logging configuration   8-20

overview   8-17

system monitoring

configuring   8-19

custom actions   8-18

Cisco Secure ACS Active Service Monitoring logs

file location   11-17

viewing   11-18

Cisco Secure ACS administration overview   1-23

Cisco Secure ACS Backup and Restore log

CSV (comma-separated values) file directory   11-16

viewing   11-18

Cisco Secure ACS backups

See backups

Cisco Secure ACS system restore

See restore

CiscoSecure Authentication Agent   1-16, 6-21

CiscoSecure database replication

See replication

CiscoSecure user database

See also databases

overview   13-2

password encryption   13-2

Cisco Trust Agent

definition   14-2

unavailable   14-5

CLID-based filters   5-18

codes

See action codes

command authorization sets

See also shell command authorization sets

adding   5-31

configuring   5-25, 5-31

deleting   5-35

editing   5-33

overview   5-26

pattern matching   5-30

PIX command authorization sets   5-26

command-line database utility

See CSUtil.exe

conventions   xlvii

CRLs   10-40

CSAdmin   G-2

CSAuth   G-3

CSDBSync   9-29, G-4

CSLog   G-4

CSMon

See also Cisco Secure ACS Active Service Management

Cisco Secure ACS Service Monitoring logs   11-32

configuration   G-4

failure events

customer-defined actions   G-7

predefined actions   G-7

functions   G-4

log   G-6

overview   G-4

CSNTacctInfo   13-65, 13-67, 13-68

CSNTAuthUserPap   13-62

CSNTerrorString   13-65, 13-67, 13-68

CSNTExtractUserClearTextPw   13-63

CSNTFindUser   13-64

CSNTgroups   13-65, 13-67, 13-68

CSNTpasswords   13-65, 13-67

CSNTresults   13-65, 13-67, 13-68

CSNTusernames   13-65, 13-66, 13-68

CSRadius   G-8

CSTacacs   G-8

CSUtil.exe

decoding error numbers with   D-27

displaying syntax   D-5

import text file (example)   D-24

overview   D-1

CSV (comma-separated values) files

downloading   11-18

filename formats   11-15

logging format   11-2

viewing   11-18

CTL editing   10-38

custom attributes

in group-level TACACS+ settings   6-31

in user-level TACACS+ settings   7-23

D

database group mappings

configuring

for token servers   17-3

for Windows domains   17-9

no access groups   17-7

order   17-12

deleting

group set mappings   17-10

Windows domain configurations   17-11

in external user databases   17-1

overview   17-1

Database Replication log

CSV (comma-separated values) file directory   11-16

viewing   11-18

databases

See also external user databases

authentication search process   16-5

CiscoSecure user database   13-2

compacting   D-12

deleting   13-86

deployment considerations   2-18

dump files   D-10

external

See also external user databases

See also Unknown User Policy

NAC   14-10

posture validation search process   16-11

protocol compatibility   1-10

replication

See replication

search order   16-14

search process   16-14

selecting user databases   13-1

synchronization

See RDBMS synchronization

token cards

See token servers

troubleshooting   A-7, A-19

types

See generic LDAP user databases

See LEAP proxy RADIUS user databases

See Novell NDS user databases

See ODBC features

See RADIUS user databases

See RSA user databases

unknown users   16-1

user databases   7-2

user import methods   13-3

Windows user databases   13-7

data source names

configuring for ODBC logging   11-22

for RDBMS synchronization   9-38

using with ODBC databases   13-56, 13-70, 13-72

date format control   8-3

DbSync log directory   11-16

debug logs

detail levels   11-33

frequency   11-33

troubleshooting   A-14

default group in Group Setup   6-2

default group mapping for Windows   17-6

default time-of-day/day-of-week specification   3-5

default time-of-day access settings for groups   6-5

deleting logged-in users   11-11

deployment

overview   2-1

sequence   2-19

device command sets

See command authorization sets

device groups

See network device groups

device management applications support   1-19

DHCP with IP pools   9-45

dial-in permission to users in Windows   13-26

dial-in troubleshooting   A-10

dial-up networking clients   13-10

dial-up topologies   2-6

digital certificates

See certification

Disabled Accounts report

description   11-9

viewing   11-12

discovered users   16-3

distributed systems

See also proxy

AAA servers in   4-3

overview   4-2

settings

configuring   4-34

default entry   4-3

enabling in interface   3-5

distribution table

See Proxy Distribution Table

DNIS-based filters   5-18

documentation

conventions   xlvii

objectives   xlv

online   1-33

related   xlix

Domain List

configuring   13-30

inadvertent user lockouts   13-14, 13-27

overview   13-13

unknown user authentication   16-7

domain names

Windows operating systems   13-13, 13-14

downloadable IP ACLs

adding   5-10

assigning to groups   6-30

assigning to users   7-21

deleting   5-14

editing   5-13

enabling in interface

group-level   3-5

user-level   3-5

overview   5-7

draft-ietf-radius-tunnel-auth   1-7

dump files

creating database dump files   D-10

loading a database from a dump file   D-11

E

EAP (Extensible Authentication Protocol)

overview   1-13

with Windows authentication   13-15

EAP-FAST

compatible databases   1-10

enabling   10-25

identity protection   10-14

logging   10-14

master keys

definition   10-15

states   10-15

master server   10-23

options   10-28

overview   10-13

PAC

automatic provisioning   10-18

definition   10-17

manual provisioning   10-20

refresh   10-21

states   10-18

password aging   6-27

phases   10-13

replication   10-22

EAP-TLS

See also certification

authentication configuration   10-26

comparison methods   10-4

compatible databases   1-10

domain stripping   13-16

enabling   10-7

limitations   10-6

options   10-31

overview   10-3

session resume   10-5

enable password options for TACACS+   7-35

enable privilege options for groups   6-19

error number decoding with CSUtil.exe   D-27

Event log

configuring   8-20

exception events   G-6

exception events   G-7

exports

of user lists   D-24

Extensible Authentication Protocol

See EAP (Extensible Authentication Protocol)

external token servers

See token servers

external user databases

See also databases

authentication via   13-5

configuring   13-4

deleting configuration   13-86

latency factors   16-9

search order   16-9, 16-15

supported   1-10

Unknown User Policy   16-1

F

Failed Attempts log

configuring

CSV (comma-separated values)   11-19

ODBC   11-23

CSV (comma-separated values) file directory   11-16

enabling

log   11-17

ODBC   11-23

viewing   11-18

failed log-on attempts   G-6

failure events

customer-defined actions   G-7

predefined actions   G-7

fallbacks on failed connection   4-5

finding users   7-55

firewalls

administering AAA servers through   1-23

G

gateways   E-3

generic LDAP user databases

authentication   13-32

configuring

database   13-43

options   13-37

directed authentications   13-34

domain filtering   13-34

failover   13-36

mapping database groups to AAA groups   17-4

multiple instances   13-33

organizational units and groups   13-34

supported protocols   1-10

Global Authentication Setup   10-33

grant dial-in permission to users   13-9, 13-26

greeting after login   6-24

group-level interface enabling

downloadable IP ACLs   3-5

network access restrictions   3-5

network access restriction sets   3-5

password aging   3-5

group-level network access restrictions

See network access restrictions

groups

See also network device groups

assigning users to   7-8

configuring RADIUS settings for

See RADIUS

Default Group   6-2, 17-6

enabling VoIP (Voice-over-IP) support for   6-4

exporting group information   D-25

listing all users in   6-54

mapping order   17-12

mappings   17-1, 17-2

multiple mappings   17-5

no access groups   17-5

overriding settings   3-2

relationship to users   3-2

renaming   6-55

resetting usage quota counters for   6-55

settings for

callback options   6-7

configuration-specific   6-16

configuring common   6-3

device management command authorization sets   6-37

enable privilege   6-19

IP address assignment method   6-28

management tasks   6-54

max sessions   6-12

network access restrictions   6-8

password aging rules   6-21

PIX command authorization sets   6-35

shell command authorization sets   6-33

TACACS+   6-2, 6-31

time-of-day access   6-5

token cards   6-18

usage quotas   6-14

setting up and managing   6-1

sort order within group mappings   17-5

specifications by ODBC authentications   13-65, 13-67, 13-68

GUI

See HTML interface

H

handle counts   G-6

hard disk space   G-5

hardware requirements   2-2

Help   1-29

host system state   G-5

HTML interface

See also Interface Configuration

encrypting   12-13

logging off   1-33

overview   1-25

security   1-26

SSL   1-26

web servers   G-2

HTTP port allocation

configuring   12-14

overview   1-23

HTTPS   12-13

I

IEEE 802.1X   1-13

importing passwords   D-14

imports with CSUtil.exe   D-14

inbound authentication   1-14

inbound password configuration   1-14

installation

related documentation   xlix

system requirements   2-2

troubleshooting   A-16

Interface Configuration

See also HTML interface

advanced options   3-4

configuring   3-1

customized user data fields   3-3

security protocol options   3-9

IP ACLs

See downloadable IP ACLs

IP addresses

in User Setup   7-10

multiple IP addresses for AAA client   4-12

requirement for CSTacacs and CSRadius   G-8

setting assignment method for user groups   6-28

IP pools

address recovery   9-51

deleting   9-50

DHCP   9-45

editing IP pool definitions   9-48

enabling in interface   3-6

overlapping   9-45, 9-47

refreshing   9-47

resetting   9-49

servers

adding IP pools   9-47

overview   9-44

replicating IP pools   9-45

user IP addresses   7-11

L

LAN Manager   1-13

latency in networks   2-19

LDAP

See generic LDAP user databases

LEAP proxy RADIUS user databases

configuring external databases   13-76

group mappings   17-2

overview   13-75

RADIUS-based group specifications   17-14

list all users

in Group Setup   6-54

in User Setup   7-55

Logged-In Users report

deleting logged-in users   11-11

description   11-10

viewing   11-10

logging

See also Reports and Activity

accounting logs   11-6

Administration Audit log   11-14

administration reports   11-9

configuring   11-20

CSV (comma-separated values) files   11-2

custom RADIUS dictionaries   9-2

debug logs

detail levels   11-33

frequency   11-33

Disabled Accounts reports   11-9

domain names   11-3

external user databases   11-3

Failed Attempts logs   11-6

formats   11-2

Logged-In Users reports   11-9

ODBC logs

enabling in interface   3-6

overview   11-2

working with   11-21

overview   11-6

Passed Authentication logs   11-6

RADIUS logs   11-6

RDBMS synchronization   9-2

remote logging

centralized   11-27

configuring   11-29

disabling   11-31

enabling in interface   3-5

logging hosts   11-26

options   11-28

overview   11-26

services

configuring service logs   11-33

list of logs generated   11-32

system logs   11-13

TACACS+ logs   11-6

troubleshooting   A-17

user data attributes   11-2

VoIP logs   11-6

watchdog packets   11-5

login process test frequency   8-18

logins

greeting upon   6-24

password aging dependency   6-23

logs

See logging

See Reports and Activity

M

machine authentication

enabling   13-22

overview   13-16

with Microsoft Windows   13-20

management application support   1-19

mappings

database groups to AAA groups   17-4

databases to AAA groups   17-2

master AAA servers   9-3

master key

definition   10-15

states   10-15

max sessions

enabling in interface   3-5

in Group Setup   6-12

in User Setup   7-16

overview   1-18

troubleshooting   A-16

memory utilization   G-5

monitoring

configuring   8-19

CSMon   G-5

overview   8-18

MS-CHAP

compatible databases   1-10

configuring   10-26

overview   1-13

protocol supported   1-11

multiple group mappings   17-5

multiple IP addresses for AAA clients   4-12

N

NAC

attributes

about   14-11

adding   D-44

data types   14-19

deleting   D-44

exporting   D-44

attribute-value pairs   14-9

Certificate Trust List   14-6

credentials

about   14-11

definition   14-2

databases

configuring   14-14

default database   14-10

definition of   14-10

group mapping   17-13

implementing   14-5

introduction   1-25

logging   14-6

NAC client

Cisco Trust Agent   14-2

definition   14-2

policies

about   14-16

external   14-28

local   14-17

results   14-16

remediation server

definition   14-2

url-redirect attribute   C-8

rules

about   14-19

default   14-23

operators   14-20

self-signed certificates   14-6

tokens

assigning to rules   14-23

definition   14-4

group mapping   17-13

returned by local policies   14-18

Unknown User Policy   16-10

NAFs

See network access filters

NAR

See network access restrictions

NAS

See AAA clients

NDG

See network device groups

NDS

See Novell NDS user databases

network access filters

adding   5-3

deleting   5-7

editing   5-5

overview   5-2

network access quotas   1-18

network access restrictions

adding   5-19

configuring   5-19

deleting   5-24

editing   5-23

enabling in interface

group-level   3-5

user-level   3-5

in Group Setup   6-8

interface configuration   3-5

in User Setup   6-8, 7-11

non-IP-based filters   5-18

overview   5-15

network access servers

See AAA clients

Network Admission Control

See NAC

network configuration   4-1

network device groups

adding   4-29

assigning AAA clients to   4-30

assigning AAA servers to   4-30

configuring   4-28

deleting   4-32

enabling in interface   3-6

overview   1-24

reassigning AAA clients to   4-31

reassigning AAA servers to   4-31

renaming   4-32

network devices

See AAA clients

searches for   4-8

network requirements   2-4

networks

latency   2-19

reliability   2-19

network topologies

deployment   2-6

wireless   2-9

notifications   G-7

Novell NDS user databases

authentication   13-50

configuring   13-53

mapping database groups to AAA groups   17-4

Novell Requestor   13-50

options   13-52

supported protocols   1-10

supported versions   13-50

user contexts   13-51

O

ODBC features

accountActions table   9-32

authentication

CHAP   13-60

EAP-TLS   13-60

overview   13-55

PAP   13-60

preparation process   13-59

process with external user database   13-58

result codes   13-69

case-sensitive passwords   13-61

CHAP authentication sample procedure   13-63

configuring   13-71

data source names   11-22, 13-56

DSN (data source name) configuration   13-70

EAP-TLS authentication sample procedure   13-64

features supported   13-57

group mappings   17-2

group specifications

CHAP   13-67

EAP-TLS   13-68

PAP   13-65

vs. group mappings   17-3

PAP authentication sample procedures   13-62

password case sensitivity   13-61

stored procedures

CHAP authentication   13-66

EAP-TLS authentication   13-67

implementing   13-60

PAP authentication   13-64

type definitions   13-61

user databases   13-55

ODBC logs

See logging

Online Documentation   1-34

online Help

location in HTML interface   1-29

using   1-34

operating system requirements   2-2

outbound password configuration   1-15

overview of Cisco Secure ACS   1-1

P

PAC

automatic provisioning   10-18

definition   10-17

manual provisioning   10-20

refresh   10-21

PAP

compatible databases   1-10

in User Setup   7-5

vs. ARAP   1-12

vs. CHAP   1-12

Passed Authentications log

configuring CSV (comma-separated values)   11-19

CSV (comma-separated values) file directory   11-16

enabling CSV (comma-separated values) logging   11-17

viewing   11-18

password aging

age-by-uses rules   6-23

Cisco IOS release requirement for   6-21

EAP-FAST   13-25

interface configuration   3-5

in Windows databases   6-26

MS-CHAP   13-25

overview   1-15

PEAP   13-25

rules   6-21

passwords

See also password aging

case sensitive   13-61

CHAP/MS-CHAP/ARAP   7-7

configurations

caching   1-15

inbound passwords   1-14

outbound passwords   1-15

separate passwords   1-14

single password   1-14

token caching   1-15

token cards   1-14

encryption   13-2

expiration   6-23

import utility   D-14

local management   8-5

password change log management   8-6

post-login greeting   6-24

protocols and user database compatibility   1-10

protocols supported   1-11

remote change   8-5

user-changeable   1-16

validation options in System Configuration   8-5

pattern matching in command authorization   5-30

PEAP

See also certification

compatible databases   1-10

configuring   10-26

enabling   10-12

identity protection   10-9

options   10-27

overview   10-8

password aging   6-27

phases   10-9

with Unknown User Policy   10-11

performance monitoring   G-5

performance specifications   1-3

per-group attributes

See also groups

enabling in interface   3-2

per-user attributes

enabling in interface   3-2

TACACS+/RADIUS in Interface Configuration   3-4

PIX ACLs

See downloadable IP ACLs

PIX command authorization sets

See command authorization sets

PKI (public key infrastructure)

See certification

port 2002

CSAdmin   G-2

in HTTP port ranges   12-13

in URLs   1-29

port allocation

See HTTP port allocation

ports

See also HTTP port allocation

See also port 2002

RADIUS   1-6, 1-7

TACACS+   1-6

posture validation

See also NAC

request handling   16-11

PPP password aging   6-21

privileges

See administrators

processor utilization   G-5

profile components

See shared profile components

proxy

See also Proxy Distribution Table

character strings

defining   4-6

stripping   4-6

configuring   4-34

in enterprise settings   4-6

overview   4-4

sending accounting packets   4-7

troubleshooting   A-15

Proxy Distribution Table

See also proxy

adding entries   4-35

configuring   4-34

default entry   4-3, 4-34

deleting entries   4-38

editing entries   4-37

match order sorting   4-36

overview   4-34

Q

quotas

See network access quotas

See usage quotas

R

RADIUS

See also RADIUS VSAs (vendor specific attributes)

attributes

See also RADIUS VSAs (vendor specific attributes)

in User Setup   7-37

AV (attribute value) pairs

See also RADIUS VSAs (vendor specific attributes)

Cisco IOS   C-3

IETF   C-14

overview   C-1

Cisco Aironet   4-13

IETF

in Group Setup   6-38

interface configuration   3-16

in User Setup   7-38

interface configuration overview   3-11

password aging   6-26

ports   1-6, 1-7

specifications   1-7

token servers   13-79

troubleshooting   A-22

tunneling packets   4-18

vs. TACACS+   1-6

RADIUS Accounting log

configuring

CSV (comma-separated values)   11-19

ODBC   11-23

configuring CSV (comma-separated values)   11-18

CSV (comma-separated values) file directory   11-16

enabling

ODBC   11-23

enabling CSV (comma-separated values)   11-17

RADIUS user databases

configuring   13-81

group mappings   17-2

RADIUS-based group specifications   17-14

RADIUS VSAs (vendor specific attributes)

Ascend

in Group Setup   6-43

in User Setup   7-43

supported attributes   C-31

Cisco Aironet

in Group Setup   6-41

in User Setup   7-41

Cisco BBSM (Building Broadband Service Manager)

in Group Setup   6-51

in User Setup   7-52

supported attributes   C-14

Cisco IOS/PIX

in Group Setup   6-40

interface configuration   3-17

in User Setup   7-39

supported attributes   C-5

Cisco VPN 3000

in Group Setup   6-44

in User Setup   7-44

supported attributes   C-9

Cisco VPN 5000

in Group Setup   6-46

in User Setup   7-46

supported attributes   C-13

custom

about   9-28

in Group Setup   6-53

in User Setup   7-53

Juniper

in Group Setup   6-50

in User Setup   7-51

supported attributes   C-44

Microsoft

in Group Setup   6-47

in User Setup   7-47

supported attributes   C-28

Nortel

in Group Setup   6-49

in User Setup   7-49

supported attributes   C-43

overview   C-1

user-defined

about   9-28, D-28

action codes for   F-19

adding   D-29

deleting   D-31

import files   D-34

listing   D-32

replicating   9-29, D-29

RDBMS synchronization

accountActions table as transaction queue   9-32

configuring   9-41

CSV-based   9-35

data source name configuration   9-37, 9-38

disabling   9-43

enabling in interface   3-6

group-related configuration   9-27

import definitions   F-1

log

CSV (comma-separated values) file directory   11-16

viewing   11-18

manual initialization   9-40

network configuration   9-28

overview   9-26

partners   9-39

preparing to use   9-33

report and error handling   9-33

scheduling options   9-39

user-related configuration   9-27

Registry   G-2

rejection mode

general   16-5

posture validation   16-11

Windows user databases   16-6

related documentation   xlix

reliability of network   2-19

remote access policies   2-14

remote logging

See logging

replication

ACS Service Management page   9-2

backups recommended (Caution)   9-10

cascading   9-6, 9-13

certificates   9-2

client configuration   9-17

components

overwriting (Caution)   9-17

overwriting (Note)   9-11

selecting   9-11

configuring   9-21

corrupted backups (Caution)   9-10

custom RADIUS dictionaries   9-2

disabling   9-24

EAP-FAST   10-22

encryption   9-5

external user databases   9-2

frequency   9-7

group mappings   9-2

immediate   9-19

implementing primary and secondary setups   9-15

important considerations   9-7

in System Configuration   9-21

interface configuration   3-5

IP pools   9-2, 9-45

logging   9-10

manual initiation   9-19

master AAA servers   9-3

notifications   9-25

options   9-11

overview   9-2

partners

configuring   9-23

options   9-12

process   9-4

scheduling   9-21

scheduling options   9-12

selecting data   9-11

unsupported   9-2

user-defined RADIUS vendors   9-9

vs. backup   9-10

Reports and Activity

See also logging

configuration privileges   12-5

configuring   11-20

CSV (comma-separated values) logs   11-13

in interface   1-29

overview   11-6

request handling

general   16-5

posture validation   16-11

Windows user databases   16-6

requirements

hardware   2-2

network   2-4

operating system   2-2

system   2-2

resource consumption   G-6

restarting services   8-2

restore

components restored

configuring   8-16

overview   8-16

filenames   8-15

in System Configuration   8-14

overview   8-14

performing   8-16

reports   8-16

with CSUtil.exe   D-7

RFC2138   1-7

RFC2139   1-7

RSA user databases

configuring   13-85

group mappings   17-2

S

search order of external user databases   16-15

security policies   2-15

security protocols

Cisco AAA client devices   1-2

CSRadius   G-8

CSTacacs   G-8

interface options   3-9

RADIUS   1-6, C-1

TACACS+

custom commands   3-9

overview   1-6

time-of-day access   3-8

server certificate installation   10-35

service control in System Configuration   11-33

Service Monitoring logs

See Cisco Secure ACS Service Monitoring logs

services

determining status of   8-2

logs

configuring   11-33

list of logs generated   11-32

management   8-17

overview   1-4, G-1

starting   8-2

stopping   8-2

session policies

configuring   12-17

options   12-16

overview   12-16

shared profile components

See also command authorization sets

See also downloadable IP ACLs

See also network access filters

See also network access restrictions

overview   5-1

shared secret   G-8

shell command authorization sets

See also command authorization sets

in Group Setup   6-33

in User Setup   7-26

single password configurations   1-14

SMTP (Simple Mail Transfer Protocol)   G-7

specifications

RADIUS

RFC2138   1-7

RFC2139   1-7

system performance   1-3

TACACS+   1-7

SSL (Secure Sockets Layer)   12-13

starting services   8-2

static IP addresses   7-10

stopping services   8-2

stored procedures

CHAP authentication

configuring   13-73

input values   13-66

output values   13-66

result codes   13-69

EAP-TLS authentication

configuring   13-74

input values   13-67

output values   13-68

implementing   13-60

PAP authentication

configuring   13-73

input values   13-64

output values   13-65

result codes   13-69

sample procedures   13-62

type definitions

integer   13-61

string   13-61

supplementary user information

in User Setup   7-6

setting   7-6

synchronization

See RDBMS synchronization

system

configuration

advanced   9-1

authentication   10-1

basic   8-1

certificates   10-1

privileges   12-4

health   G-5

messages in interface   1-29

monitoring

See monitoring

performance specifications   1-3

requirements   2-2

services

See services

T

TACACS+

advanced TACACS+ settings

in Group Setup   6-2

in User Setup   7-33

AV (attribute value) pairs

accounting   B-4

general   B-1

custom commands   3-9

enable password options for users   7-35

enable privilege options   7-33

interface configuration   3-7

interface options   3-9

outbound passwords for users   7-37

ports   1-6

SENDAUTH   1-15

settings

in Group Setup   6-2, 6-31

in User Setup   7-22, 7-23

specifications   1-7

time-of-day access   3-8

troubleshooting   A-22

vs. RADIUS   1-6

TACACS+ Accounting log

configuring

CSV (comma-separated values)   11-19

ODBC   11-23

CSV (comma-separated values) file directory   11-16

enabling CSV (comma-separated values)   11-17

enabling for ODBC   11-23

viewing   11-18

TACACS+ Administration log

configuring

CSV (comma-separated values)   11-19

ODBC   11-23

CSV (comma-separated values) file directory   11-16

enabling

ODBC   11-23

enabling CSV (comma-separated values)   11-17

viewing   11-18

Telnet

See also command authorization sets

password aging   6-21

test login frequency, internal   8-18

threads used   G-6

time-of-day/day-of-week specification

See also date format control

enabling in interface   3-5

timeout values on AAA clients   16-9

TLS (Transport Layer Security)

See certification

token caching   1-15, 13-79

token cards

password configuration   1-14

settings in Group Setup   6-18

token servers

ISDN terminal adapters   13-79

overview   13-78

RADIUS-enabled   13-79

RADIUS token servers   13-80

RSA   13-84

supported servers   1-10

token caching   13-79

topologies

See network topologies

troubleshooting

AAA servers   A-1

administration issues   A-2

browser issues   A-4

Cisco IOS issues   A-5

database issues   A-7

debug logs   11-31, A-14

dial-in issues   A-10

installation issues   A-16

max sessions issues   A-16

proxy issues   A-15

RADIUS issues   A-22

report issues   A-17

TACACS+ issues   A-22

third-party server issues   A-19

upgrade issues   A-16

user issues   A-20

trust lists

See certification

trust relationships   13-9

U

UNIX passwords   D-18

unknown service user setting   7-32

Unknown User Policy

See also unknown users

configuring   16-16

in external user databases   13-3, 16-14

turning off   16-17

unknown users

See also Unknown User Policy

authentication   16-4

authentication performance   16-8

authentication processing   16-8

network access authorization   16-13

posture validation   16-10

update packets

See watchdog packets

upgrade troubleshooting   A-16

usage quotas

in Group Setup   6-14

in Interface Configuration   3-5

in User Setup   7-18

overview   1-18

resetting

for groups   6-55

for single users   7-58

user-changeable passwords

overview   1-16

with Windows user databases   13-25

user databases

See databases

User Data Configuration   3-3

user groups

See groups

user-level

downloadable ACLs interface   3-5

network access restrictions

See also network access restrictions

enabling in interface   3-4

User Password Changes log location   11-17

users

See also User Setup

adding

basic steps   7-4

methods   13-3

assigning client IP addresses to   7-10

assigning to a group   7-8

callback options   7-9

configuring   7-2

configuring device management command authorization sets for   7-30

configuring PIX command authorization sets for   7-29

configuring shell command authorization sets for   7-26

customized data fields   3-3

data configuration

See User Data Configuration

deleting   11-11

deleting accounts   7-57

disabling accounts   7-5

finding   7-55

import methods   13-3

in multiple databases   16-7

listing all users   7-55

number allowed   2-18

number of   1-4

RDBMS synchronization   9-27

relationship to groups   3-2

resetting accounts   7-59

saving settings   7-60

supplementary information   7-6

troubleshooting   A-20

types

discovered   16-3

known   16-2

unknown   16-3

VPDN dialup   E-2

User Setup

account management tasks   7-54

basic options   7-3

configuring   7-2

deleting user accounts   7-57

saving settings   7-60

Users in Group button   6-54

V

validation of passwords   8-5

vendor-specific attributes

See RADIUS VSAs (vendor specific attributes)

viewing logs and reports

See logging

Voice-over-IP

See VoIP (Voice-over-IP)

VoIP (Voice-over-IP)

accounting configuration   3-6, 8-21

Accounting log

enabling CSV (comma-separated values) log   11-17

viewing   11-18

enabling in interface   3-6

group settings in Interface Configuration   3-6

in Group Setup   6-4

VoIP (Voice-over-IP) Accounting log

configuring

CSV (comma-separated values)   11-19

ODBC   11-23

CSV (comma-separated values) file directory   11-16

enabling

ODBC   11-23

VPDN

advantages   2-12

authentication process   E-1

domain authorization   E-2

home gateways   E-3

IP addresses   E-3

tunnel IDs   E-3

users   E-2

VSAs

See RADIUS VSAs (vendor specific attributes)

W

warning events   G-5, G-7

warnings

significance of   xlviii

watchdog packets

configuring on AAA clients   4-18

configuring on AAA servers   4-25

logging   11-5

web servers   G-2

Windows operating systems

authentication order   16-7

Cisco Secure ACS-related services   8-2

dial-up networking   13-10

dial-up networking clients

domain field   13-10

password field   13-10

username field   13-10

Domain List effect   16-7

domains

domain names   13-13, 13-14, 16-6

Event logs   G-6

Registry   G-2

Windows user databases

See also databases

Active Directory   13-26

configuring   13-30

Domain List

inadvertent user lockouts   13-27

domain mapping   17-9

domains

trusted   13-9

grant dial-in permission to users   13-9, 13-26

group mappings

editing   17-9

limitations   17-4

no access groups   17-7

remapping   17-9

mapping database groups to AAA groups   17-4

overview   13-7

password aging   6-26

passwords   1-11

rejection mode   16-6

request handling   16-6

trust relationships   13-9

user-changeable passwords   13-25

user manager   13-26

wireless network topologies   2-9