Installation Guide for Cisco Secure ACS for Windows 4.0
Installing Cisco Secure ACS


This chapter provides information about installing, reinstalling, and upgrading to Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS.

This chapter contains:

Preparation for Installing or Upgrading ACS

What You Can Do

Creating an ACS Installation

Reinstalling or Upgrading ACS

Preparation for Installing or Upgrading ACS

Before performing an installation or upgrade procedure, read this section and perform the recommended actions.

This section contains:

Understanding your ACS System

System Requirements

Network and Port Requirements

Back Up Data

Gathering Answers for the Installation Questions


Note ACS will not install properly if Sybase server is installed on the same machine.


Understanding your ACS System

You can use ACS network security software to help you authenticate users by controlling access to a AAA client—any one of many network devices that can be configured to defer authentication and authorization of network users to a AAA server. ACS operates as a set of Windows services that control the authentication, authorization, and accounting of user access to networks.

ACS operates on Windows 2000 Server and Windows Server 2003. ACS can run on a domain controller or a member server. For information about supported operating systems, see Server, Web Client, and Agent Requirements or the latest version of the Release Notes, which are accessible from:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html


Note If you want to authenticate users with a Windows Security Account Manager user database or an Active Directory user database, additional Windows configuration is required after you have installed ACS. For more information, see Windows Authentication Configuration, page 2-1.


For additional information about ACS, refer to the User Guide for Cisco Secure ACS for Windows 4.0.

System Requirements

Your ACS server must meet certain minimum hardware, operating system, and third-party software requirements. Additionally, if you are upgrading from a previous version of ACS, refer to ACS Upgrade Requirements.

This section contains:

ACS Upgrade Requirements

Server, Web Client, and Agent Requirements

ACS Upgrade Requirements

The setup program supports upgrades from previous versions of ACS. For information about the versions of ACS that we used to test the upgrade process, see the Release Notes. The latest version of the Release Notes is on Cisco.com, accessible from:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

Server, Web Client, and Agent Requirements

This section contains details on server, web client, and agent requirements:

ACS for Windows Server Requirements, Table 1-1

ACS for Windows Web Client Requirements, Table 1-2

ACS for Windows Server UCP Requirements, Table 1-3


Note ACS for Windows is not designed to use the multiprocessor feature of any supported operating system; however, we did test ACS by using dual-processor computers.


The Windows 2000 Datacenter Server is not a supported operating system.

Windows service packs can be applied before or after installing ACS. If you do not install a required service pack before installing ACS, the ACS installation program may warn you that the required service pack is not present. If you receive a service pack error message, continue the installation, and then install the required service pack before starting user authentication with ACS.

Table 1-1 ACS for Windows Server Requirements

| Component | Minimum Requirement |
|---|---|
| Hardware | IBM PC-compatible with Pentium IV processor, 1.8 GHz or faster; color monitor with minimum graphics resolution of 256 colors at 800 x 600 resolution; CD-ROM drive; 100BaseT or faster connection |
| Operating System | Windows 2000 Server; Windows 2000 Advanced Server (Service Pack 4) without features specific to Windows 2000 Advanced Server enabled or without Microsoft clustering service installed; Windows Server 2003, Enterprise Edition or Standard Edition (Service Pack 1) |
| File System | NTFS |
| Memory | 1 Gigabyte, minimum |
| Virtual Memory | 1 Gigabyte, minimum |
| Hard Drive Space | At least 1 GB of free hard drive space, minimum |


Note The actual amount of hard drive space required depends on several factors, including log file growth, and replication or backup purposes.



Table 1-2 ACS for Windows Web Client Requirements

| Component | Minimum Requirement |
|---|---|
| Hardware/Software | IBM PC-compatible computer with Pentium IV processor running: Microsoft Windows 2000 Server, or Advanced Server (Service Pack 4); Microsoft Windows 2000 (Service Pack 4); Microsoft Windows XP (Service Pack 2); Microsoft Windows 2003 (Service Pack 1) (Enterprise or Standard Edition) |
| Hard Drive Space | 400 MB virtual memory |
| Memory | 256 MB minimum |
| Browser | You must also install one of the following HTML browsers: Microsoft Internet Explorer 6 Service Pack 1 and 5.5 for Windows (English and Japanese version); Netscape Web Browser 7.0, 7.1, and 7.2 for Windows (English and Japanese version) [1] |
| Java Run-time Environment (JRE) | Sun JRE 1.4.2_04 or Microsoft Java Virtual Machine (JVM) |


Note Microsoft does not include its JVM in Windows Server 2003. Instead, use the Sun Java Plug-in, which is listed above. For more information about Microsoft plans regarding its JVM, see http://www.microsoft.com/mscorp/java/.


1 Several known problems are related to using Netscape Communicator with ACS. For more information, see the Release Notes for Cisco Secure ACS for Windows on Cisco.com.


Table 1-3 ACS for Windows Server UCP Requirements

| Component | Minimum Requirement |
|---|---|
| User Changeable Password (UCP) Web Server | Microsoft IIS 6.0; Apache 1.3 web server |


Third-Party Software Requirements

The Release Notes provide information about third-party software products that we tested with ACS and support, including applications such as:

Web browsers and Java virtual machines

Novell Directory Server (NDS) clients

Token-card clients

Other than the software products described in the Release Notes, we have not tested the interoperability of ACS and other software products on the same computer. We support interoperability issues only for software products that are mentioned in the Release Notes.

The most recent version of the Release Notes is posted on Cisco.com, accessible from:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

Network and Port Requirements

Your network should meet the following requirements before you begin deploying ACS:

For full TACACS+ and RADIUS support on Cisco IOS devices, AAA clients must run Cisco IOS Release 11.1 or later.

Non-Cisco IOS AAA clients must be configured with TACACS+, RADIUS, or both.

Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA clients.

The computer that is running ACS must be able to ping all AAA clients.

Gateway devices between ACS and other network devices must permit communication over the ports needed to support the applicable feature or protocol. For information about the ports on which ACS listens, see Table 1-4.

A supported web browser must be installed on the computer that is running ACS. For the most recent information about tested browsers, see the Release Notes, available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

All network cards in the computer that is running ACS must be enabled. If a disabled network card is present on the computer that is running ACS, installing ACS may proceed slowly, due to delays caused by Microsoft CryptoAPI.


Note We tested ACS on computers that have only one network interface card.


If you want ACS to use the Grant Dial-in Permission to User feature in Windows when authorizing network users, you must select this option in the Windows User Manager or Active Directory Users and Computers for the applicable user accounts.

Table 1-4 lists the ports on which ACS listens for communications with AAA clients, other ACS machines and applications, and web browsers. ACS uses other ports to communicate with external user databases; however, it initiates those communications rather than listening on specific ports. For example, if ACS initiates communications with LDAP or RADIUS token server databases, you can configure these destination ports in ACS. For more information about the ports on which a particular external user database listens, see the documentation for that database.

Table 1-4 Ports that ACS Listens To

| Feature/Protocol | UDP or TCP | Ports |
|---|---|---|
| RADIUS authentication and authorization | UDP | 1645, 1812 |
| RADIUS accounting | UDP | 1646, 1813 |
| TACACS+ | TCP | 49 |
| Cisco Secure Database Replication | TCP | 2000 |
| RDBMS Synchronization with synchronization partners | TCP | 2000 |
| User-Changeable Password web application | TCP | 2000 |
| Logging | TCP | 2001 |
| Administrative HTTP port for new sessions | TCP | 2002 |
| Administrative HTTP port range | TCP | Configurable; default 1024 through 65535 |
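
To check a running ACS host against Table 1-4, the following added example (not part of the Cisco guide) parses captured `netstat -an` output and reports which listed ports are listening, which are missing, and which other listeners are open. The sample output, the narrowed range 2003 through 2050, and all function names are constructed for illustration.

```python
"""Audit `netstat -an` (or `-ano`) output from an ACS host against Table 1-4."""
import re

# Fixed ports from Table 1-4: (protocol, port) -> feature.
ACS_LISTENERS = {
    ("UDP", 1645): "RADIUS authentication and authorization",
    ("UDP", 1812): "RADIUS authentication and authorization",
    ("UDP", 1646): "RADIUS accounting",
    ("UDP", 1813): "RADIUS accounting",
    ("TCP", 49): "TACACS+",
    ("TCP", 2000): "Database Replication / RDBMS Synchronization / UCP",
    ("TCP", 2001): "Logging",
    ("TCP", 2002): "Administrative HTTP port for new sessions",
}

# Table 1-4: administrative HTTP port range, configurable, default below.
DEFAULT_ADMIN_RANGE = (1024, 65535)

# Constructed sample of Windows netstat output (not captured from a real host).
# TCP 3389 is Terminal Services, which the guide recommends disabling
# during installation; TCP 2001 (Logging) is deliberately absent.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:49             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:2002          10.0.0.77:51514        ESTABLISHED
  UDP    0.0.0.0:1645           *:*
  UDP    0.0.0.0:1646           *:*
  UDP    0.0.0.0:1812           *:*
  UDP    0.0.0.0:1813           *:*
"""

# Proto, local address:port, foreign address, optional state, optional PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+([A-Z][A-Z_0-9]*))?(?:\s+\d+)?\s*$"
)


def parse_listeners(netstat_text):
    """Return {(proto, port): set of local addresses} for listening sockets."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # TCP rows count only in the LISTENING state; UDP rows carry no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.setdefault((proto, port), set()).add(addr)
    return found


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def audit(netstat_text, admin_range=DEFAULT_ADMIN_RANGE):
    """Compare listening sockets with Table 1-4 and classify the rest."""
    listeners = parse_listeners(netstat_text)
    lo, hi = admin_range
    in_admin_range, unexpected = [], []
    for proto, port in sorted(set(listeners) - set(ACS_LISTENERS)):
        # With the default range, any TCP listener >= 1024 is indistinguishable
        # from an administrative session port; a narrowed range exposes it.
        if proto == "TCP" and lo <= port <= hi:
            in_admin_range.append((proto, port))
        else:
            unexpected.append((proto, port))
    admin_addrs = listeners.get(("TCP", 2002), set())
    return {
        "present": sorted(k for k in ACS_LISTENERS if k in listeners),
        "missing": sorted(k for k in ACS_LISTENERS if k not in listeners),
        "in_admin_range": in_admin_range,
        "unexpected": unexpected,
        # True when the administrative HTTP port is bound beyond loopback,
        # so gateway filtering decides which hosts can reach it.
        "admin_network_bound": any(not is_loopback(a) for a in admin_addrs),
    }


if __name__ == "__main__":
    for label, rng in (("default range", DEFAULT_ADMIN_RANGE),
                       ("narrowed range", (2003, 2050))):
        print(label)
        for key, value in audit(SAMPLE_NETSTAT, admin_range=rng).items():
            print(f"  {key}: {value}")
```

With the default administrative range, the Terminal Services listener is classified as a possible administrative session port; narrowing the range in the audit to match the range configured in ACS makes it show up as unexpected.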


Back Up Data

Before you install or upgrade ACS, we strongly recommend that you back up the computer on which you install ACS by using a Windows backup utility of your choice. Include the Windows Registry in the backup.

If you are upgrading or reinstalling ACS, use the ACS Backup feature to back up the ACS configuration and database, and then copy the backup file to a drive that is not local to the computer running ACS.


Caution If you are upgrading ACS rather than reinstalling, the backups that you create cannot be used after the upgrade is successful. The backups provide for recovery if you need to restore your previous installation of ACS.

For information about backing up ACS, see the User Guide for Cisco Secure ACS for Windows.

Gathering Answers for the Installation Questions

During new installations, or upgrades and reinstallations that do not preserve the existing configuration, the installation requires specific information about the computer on which you want to install ACS. To facilitate the installation, collect the applicable information before you begin the installation.


Note If you are upgrading or reinstalling ACS and intend to keep the existing configuration and database, you do not need to perform the following procedure, which requires information that is already recorded in your ACS installation.


To collect information that is required during the installation of ACS:


Step 1 Determine whether the computer on which you will install ACS is a domain controller or a member server. If you want ACS to authenticate users with a Windows domain user database, after you install ACS, you must perform the additional Windows configuration, which is discussed in Windows Authentication Configuration, page 2-1.

Step 2 Confirm that these items are completed:

End user clients can successfully connect to AAA clients.

This Windows Server can ping the AAA clients.

Any Cisco IOS clients are running Cisco IOS release 11.1 or later.

Microsoft Internet Explorer 6.0 Service Pack 1 or Netscape 7.02 is installed.

Step 3 Create a password for your database access. You will need this password to manage your database information. Keep this password in a safe, accessible place so that technical support can gain access to the database.

What You Can Do

This document provides detailed procedures for installing, reinstalling, and upgrading ACS. You must select the right procedure for your situation.

Table 1-5 lists the five possible installation and upgrade scenarios. See Table 1-5 to determine which procedure applies to your situation.


Note Before you perform any installation or upgrade procedure, we strongly recommend that you read Preparation for Installing or Upgrading ACS, and perform the applicable tasks in that section.


Table 1-5 Installation and Upgrade Scenarios

| If your installation scenario is a: | Refer to... |
|---|---|
| First-time installation | Creating an ACS Installation |
| Reinstallation, preserving the ACS internal database and ACS configuration | Reinstalling or Upgrading an Existing Configuration |
| Reinstallation, overwriting the ACS internal database and ACS configuration | Reinstalling or Upgrading ACS without Data Preservation |
| Upgrade, preserving the ACS internal database and ACS configuration | Reinstalling or Upgrading an Existing Configuration |
| Upgrade, overwriting the ACS internal database and ACS configuration | Reinstalling or Upgrading ACS without Data Preservation |


Creating an ACS Installation

This section contains information on how to install ACS for the first time.


Note For information about upgrading or reinstalling an existing ACS installation, see Table 1-5.


Before You Begin

For information about what must be completed before installing ACS, see Preparation for Installing or Upgrading ACS.

If you want ACS to authenticate users with a Windows domain user database, after you install ACS you must perform additional Windows configuration, which is discussed in Windows Authentication Configuration, page 2-1.

To install ACS:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.


Note Remote installations performed by using Windows Terminal Services are not tested and are not supported. We recommend that you disable Terminal Services while performing any installation or upgrade. Virtual Network Computing (VNC) has been tested successfully.


Step 2 Insert the ACS CD into a CD-ROM drive on the computer.

If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears.


Note If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.


Step 3 If:

a. The Cisco Secure ACS for Windows dialog box appears, click Install.

b. The Cisco Secure ACS for Windows dialog box does not appear, run setup.exe, located in the root directory of the ACS CD.


Note If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but the required service pack must be installed after the installation is complete; otherwise, ACS may not function reliably.


The Cisco Secure ACS Setup dialog box displays the software license agreement.

Step 4 Read the software license agreement. If you accept the software license agreement, click ACCEPT.

The Welcome dialog box displays basic information about the setup program.

Step 5 After you have read the information in the Welcome dialog box, click Next.

The Before You Begin dialog box lists items that you must complete before continuing with the installation. The same items are discussed in Gathering Answers for the Installation Questions.

Step 6 If you have completed all items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next.


Note If you have not completed all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading ACS.


The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. This is the drive and path where the setup program installs ACS.

Step 7 If you want to change the installation location:

a. Click Browse.

The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can type the new location in the Path box, or use the Drives and Directories lists to select a new drive and directory. The installation location must be on a drive local to the computer.


Note Do not specify a path that contains a percent symbol (%). If you do so, installation may appear to continue properly but will fail before it ends.


c. Click OK.


Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.


In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 8 Click Next.

The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the ACS internal database only, or with a Windows user database.


Note After you have installed ACS, you can configure authentication support for all external user database types in addition to Windows user databases.


Step 9 If you want to authenticate users with the ACS internal database only, click Check the Cisco Secure ACS database only.

Step 10 If you want to authenticate users with a Windows Security Access Manager (SAM) user database or Active Directory user database in addition to the ACS internal database:

a. Click Also check the Windows User Database.

The Yes, refer to "Grant dial-in permission to user" setting check box becomes available.


Note The Yes, refer to "Grant dial-in permission to user" setting check box applies to all forms of access that ACS controls, not just dial-in access. For example, a user accessing your network through a VPN tunnel is not dialing in to a network access server; however, if the Yes, refer to "Grant dial-in permission to user" setting check box is selected, ACS applies the Windows user dial-in permissions to determine whether to grant the user access to your network.


b. If you want to allow access by users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, click Yes, refer to "Grant dial-in permission to user" setting.

Step 11 Click Next.

The setup program installs ACS and updates its configuration.

The Advanced Options dialog box displays several features of ACS that are not enabled by default. For more information about these features, see the User Guide for Cisco Secure ACS for Windows 4.0.


Note The features appear in the ACS HTML interface only if you enable them. After installation, you can enable or disable them on Interface Configuration > Advanced Options.


Step 12 For each feature that you want to enable, check the corresponding check box.

Step 13 Click Next.

The Active Service Monitoring dialog box appears.


Note After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section.


Step 14 If you want ACS to monitor user authentication services, click Enable Log-in Monitoring. From the Script to execute list, select the option that you want applied in the event of authentication service failure:

No Remedial Action—ACS does not run a script.


Note This option is useful if you enable event e-mail notifications.


Reboot—ACS runs a script that reboots the computer that runs ACS.

Restart All—ACS restarts all ACS services.

Restart RADIUS/TACACS+—ACS restarts only the RADIUS and TACACS+ services.

Step 15 If you want ACS to send an e-mail message when service monitoring detects an event, click Mail Notification.

Step 16 Click Next.

The Database Encryption Password dialog box appears.


Note The Database Encryption Password is encrypted and stored in the ACS registry. You might have to reuse this password when critical problems arise and the database needs to be accessed manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.


Step 17 Enter a password for database encryption. The password should be at least 8 characters long and should contain characters and digits. There are no invalid characters. Click Next.

The setup program ends and the Cisco Secure ACS Service Initiation dialog box appears.

Step 18 For each option that you require, check the corresponding check box. The actions that are associated with the options occur after the setup program ends:

Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not select this option, the ACS HTML interface is not available unless you reboot the computer or start the CSAdmin service.

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS HTML interface in the default web browser for the current Windows user account.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 19 Click Next.

If you so chose, the ACS services start. The Setup Complete dialog box displays information about the ACS HTML interface.

Step 20 Click Finish.

The setup program exits. If, in Step 18, you chose the options to view the HTML interface or README.TXT file, those options occur now.

On the computer that is running ACS, you can access the ACS HTML interface by using the ACS Admin desktop icon, or you can use this URL in a supported web browser:

http://127.0.0.1:2002 


Note The ACS HTML interface is available only if you chose to start ACS services in Step 18. If you did not, to make the HTML interface available, you can reboot the computer or type net start csadmin at a DOS prompt.


Step 21 If you want ACS to authenticate users with a Windows domain user database, you must perform additional Windows configuration. For procedures, see Windows Authentication Configuration, page 2-1.


Reinstalling or Upgrading ACS

The two choices for upgrading or reinstalling ACS software are:

Reinstalling or Upgrading an Existing Configuration

Reinstalling or Upgrading ACS without Data Preservation

If you are installing ACS for the first time, see Creating an ACS Installation.

Reinstalling or Upgrading an Existing Configuration

Use this procedure to reinstall or upgrade ACS if you want to preserve all existing configuration and database information.


Note For information about installing ACS the first time, see Table 1-5.


Before You Begin

For information about what you must complete before reinstalling or upgrading ACS, see Preparation for Installing or Upgrading ACS.

Close all applications or command windows that are accessing any directory in the ACS directory. The installation cannot succeed if another process is using the ACS directory or any of its subdirectories. For example, if Windows Explorer is displaying the contents of an ACS directory, installation fails.

If you want ACS to authenticate users with a Windows domain user database, you must perform additional Windows configuration. For the appropriate procedures, see Windows Authentication Configuration, page 2-1.

To reinstall or upgrade ACS, and preserve the existing configuration and ACS internal database:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.


Note Remote installations that you perform by using Windows Terminal Services are not tested and are not supported. We recommend that you disable Terminal Services while performing any installation or upgrade. Virtual Network Computing (VNC) has been tested successfully.


Step 2 Insert the ACS CD into a CD-ROM drive on the computer.

If the CD-ROM drive supports the Windows autorun feature, the Cisco Secure ACS for Windows dialog box appears.


Note If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.


Step 3 If:

a. The Cisco Secure ACS for Windows Server dialog box appears, click Install.

b. The Cisco Secure ACS for Windows Server dialog box does not appear, run setup.exe, located in the root directory of the ACS CD.


Note If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, ACS may not function reliably.


An information dialog box displays some details about Windows authentication. Click OK.

The Cisco Secure ACS Setup dialog box displays the software license agreement.

Step 4 Read the software license agreement. If you accept the software license agreement, click ACCEPT.

The Welcome dialog box displays basic information about the setup program.

Step 5 After you have read the information in the Welcome dialog box, click Next.

If your machine cannot run ACS without action on your part, a dialog box displays warnings. Respond to each warning by performing any corrective action that is required. You can continue the installation without exiting the setup program, but after the setup program has run you will see a reminder to fix any minimum system requirements that are not met. Click Next.

If no warnings appear, the Before You Begin dialog box lists items that you must complete before continuing with the installation. The same items are discussed in Gathering Answers for the Installation Questions.

Step 6 If you have completed all items in the Before You Begin dialog box, check the corresponding check box for each item; then click Next.


Note If you have not completed all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading ACS.


The Previous Installation dialog box appears.

Step 7 Click Yes, keep the existing configuration.


Caution Ensure that you check the Yes, import the existing configuration check box; it should not be unchecked. If you proceed without checking the Yes, keep the existing configuration check box, the setup program deletes all existing AAA client, user, and group information.

If you are uncertain about keeping the configuration, click Explain to see details on keeping the existing configuration.

Step 8 Click Next.

The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. The setup program installs ACS on this drive and path.

Step 9 If you want to change the installation location:

a. Click Browse.

The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can type the new location in the Path box, or select a new drive and directory from the Drives and Directories lists.


Note The installation location must be on a drive that is local to the computer.


c. Click OK.


Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.


In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 10 Click Next.

The setup program installs ACS and updates its configuration.

The Cisco Secure ACS Service Initiation dialog box appears.

Enter a password for database encryption, and then click Next.


Note The Database Encryption Password is encrypted and stored in the ACS configuration. You might have to reuse this password when critical problems arise and the database needs to be accessed manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.


Step 11 The installation is finished. For each option that you require, check the corresponding check box. The actions that are associated with each option occur after the setup program ends:

Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not select this option, the HTML interface is not available unless you reboot the computer or start the CSAdmin service.

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS HTML interface in the default web browser for the current Windows user account.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 12 Click Next.

If you so chose, the ACS services start. The Setup Complete dialog box displays information about the ACS HTML interface.

Step 13 Click Finish.

The setup program exits. If, in Step 11, you chose the options to view the HTML interface or README.TXT file, those options occur now.

Step 14 If minimum system requirements were not met, a message might appear warning you to remedy the problem. Click OK to continue and resolve the problem where possible.

On the computer that is running ACS, you can access the ACS HTML interface by using the ACS Admin desktop icon, or you can use this URL in a supported web browser:

http://127.0.0.1:2002 


Note The ACS HTML interface is available only if you chose to start ACS services in Step 11. If you did not and you want to make the HTML interface available, you can reboot the computer or type net start csadmin at a DOS prompt.


Step 15 If you want ACS to authenticate users with a Windows domain user database, you must perform additional Windows configuration. For the appropriate procedures, see Windows Authentication Configuration, page 2-1.


Note If you previously configured ACS services to run by using a specific username, that configuration was lost during the reinstallation.



Reinstalling or Upgrading ACS without Data Preservation

Use this procedure to reinstall or upgrade ACS if you do not intend to preserve the existing configuration and database information.


Caution Performing this procedure deletes the existing configuration of ACS, including all AAA client, user, and group information. Unless you have backed up your ACS data and the Windows Registry, you cannot recover the previous configuration and database.

Before You Begin

For information about what must be completed before reinstalling or upgrading ACS, see Preparation for Installing or Upgrading ACS.

Close all applications or command windows that are accessing any directory in the ACS directory. The installation cannot succeed if another process is using the ACS directory or any of its subdirectories. For example, if Windows Explorer is displaying the contents of an ACS directory, installation fails.

If you want ACS to authenticate users with a Windows domain user database, after you install ACS you must perform additional Windows configuration, discussed in Windows Authentication Configuration, page 2-1.

To reinstall or upgrade ACS without preserving the existing configuration or ACS internal database:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.


Note Remote installations that are performed by using Windows Terminal Services are not tested and are not supported. We recommend that you disable Terminal Services while performing any installation or upgrade. Virtual Network Computing (VNC) has been tested successfully.


Step 2 Insert the ACS CD into a CD-ROM drive on the computer.

If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears.


Note If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but the minimum requirements must be applied after the installation is complete; otherwise, ACS may not function reliably.


Step 3 If:

a. The Cisco Secure ACS for Windows dialog box appears, click Install.

b. The Cisco Secure ACS for Windows dialog box does not appear, run setup.exe, located in the root directory of the ACS CD.


Note If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, ACS may not function reliably.


The Cisco Secure ACS Setup dialog box displays the software license agreement.

Step 4 Read the software license agreement. If you accept the software license agreement, click ACCEPT.

The Welcome dialog box displays basic information about the setup program.

Step 5 After you have read the information in the Welcome dialog box, click Next.

The Before You Begin dialog box lists items that you must complete before continuing with the installation. The same items are discussed in Gathering Answers for the Installation Questions.

Step 6 If you have completed all items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next.


Note If you have not completed all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparation for Installing or Upgrading ACS.


The Existing Installation of Cisco Secure ACS vx.x dialog box appears.

Step 7 Click Next.

The setup program removes the previous installation of ACS.

If ACS services are running, the Cisco Secure ACS Uninstall dialog box appears.

Step 8 If the Cisco Secure ACS Uninstall dialog box appears, click Continue.

The setup program ends, removing the previous installation of ACS.

The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. The setup program installs ACS on this drive and path.

Step 9 If you want to change the installation location:

a. Click Browse.

The Choose Folder dialog box appears. The Path box contains the installation location.

b. Change the installation location. You can type the new location in the Path box; or you can use the Drives and Directories lists to select a new drive and directory. The installation location must be on a drive that is local to the computer.


Note Do not specify a path that contains a percent symbol (%). If you do, installation may appear to continue properly, but will fail before it ends.


c. Click OK.


Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder. To continue, click Yes.


In the Choose Destination Location dialog box, the new installation location appears under Destination Folder.

Step 10 During the installation, ACS checks for previous instances of the application. If it detects a previous uninstallation, a dialog box appears with the message: Setup has detected an existing ACS internal database. You may keep the existing ACS internal database if you wish. Click Yes to install the existing dump file that was saved from your previous uninstall. If you click No, the database dump file will remain, but will not be installed.

If you clicked Yes, the previous database is installed. If you clicked No, the following installation continues without installing the database file.

The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the ACS internal database only, or also with a Windows user database.


Note After you install ACS, you can configure authentication support for all external user database types in addition to Windows user databases.


Step 11 If you want to authenticate users with the ACS internal database only, click Check the Cisco Secure ACS database only.

Step 12 If you want to authenticate users with a Windows Security Access Manager (SAM) user database or Active Directory user database in addition to the ACS internal database:

a. Click Also check the Windows User Database.

The Yes, refer to "Grant dial-in permission to user" setting check box becomes available.


Note The Yes, refer to "Grant dial-in permission to user" setting check box applies to all forms of access that ACS controls, not just dial-in access. For example, a user accessing your network through a VPN tunnel is not dialing in to a network access server; however, if the Yes, refer to "Grant dial-in permission to user" setting check box is checked, ACS applies the Windows user dial-in permissions to determine whether to grant the user access to your network.


b. If you want to allow access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, click Yes, refer to "Grant dial-in permission to user" setting.

Step 13 Click Next.

The setup program installs ACS and updates its configuration.

The Advanced Options dialog box lists several ACS features that are not enabled by default. For more information about these features, refer to the User Guide for Cisco Secure ACS for Windows 4.0.


Note The features appear in the ACS HTML interface only if you enable them. After installation, you can enable or disable them by choosing Interface Configuration > Advanced Options.


Step 14 For each feature that you want to enable, check the corresponding check box. Click Next.

The Active Service Monitoring dialog box appears.


Note After installation, you can configure active service-monitoring features on the Active Service Management page in the System Configuration section.


Step 15 If you want ACS to monitor user authentication services, click Enable Log-in Monitoring. From the Script to execute list, select the option that you want applied in the event of authentication service failure:

No Remedial Action—ACS does not run a script.


Note This option is useful if you enable event e-mail notifications.


Reboot—ACS runs a script that reboots the computer that runs ACS.

Restart All—ACS restarts all ACS services.

Restart RADIUS/TACACS+—ACS restarts only the RADIUS and TACACS+ services.

Step 16 If you want ACS to send an e-mail message when service monitoring detects an event, click Mail Notification.

If you chose to save the previous instance of the database, the Cisco Secure ACS Service Initiation dialog box appears.

Step 17 Enter the password that you created during the uninstall procedure to save the database. Click Next.

Step 18 For each option that you require, check the corresponding check box. The actions that are associated with each option occur after the setup program ends:

Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not select this option, the ACS HTML interface is not available unless you reboot the computer or start the CSAdmin service.

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS HTML interface in the default web browser for the current Windows user account.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 19 Click Next.

If you so chose, the ACS services start. The Setup Complete dialog box displays information about the ACS HTML interface.

Step 20 Click Finish.

The setup program exits. If, in Step 18, you chose the options to view the HTML interface or README.TXT file, those actions occur now.

On the computer that is running ACS, you can access the ACS HTML interface by using the ACS Admin desktop icon or you can use this URL in a supported web browser:

http://127.0.0.1:2002 


Note The ACS HTML interface is available only if you chose to start ACS services in Step 18. If you did not, to make the HTML interface available, you can reboot the computer or type net start csadmin at a DOS prompt.


Step 21 If you want ACS to authenticate users with a Windows domain user database, you must perform additional Windows configuration. For the appropriate procedures, see Windows Authentication Configuration, page 2-1.


Note If you previously configured ACS services to run by using a specific username, that configuration was lost during the reinstallation.
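The following PowerShell checks are an added example, not part of the Cisco guide or the ACS product. The first function applies the destination-path rules from Step 9 before you run setup; the second confirms after Step 20 that the CSAdmin service is running, shows the account it runs as (a custom service account is lost on reinstallation), and tests the HTML interface port. It assumes PowerShell 2.0 or later is installed on the server; the function names and the sample path are hypothetical.

```powershell
# Added example; function names and the sample path are illustrative.

function Test-AcsDestination {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Step 9 note: a percent symbol lets setup start but fail before it ends.
    if ($Path.Contains('%')) { "Path contains a percent symbol (%)." }
    # Step 9b: the location must be on a drive that is local to the computer.
    if ($Path -notmatch '^[A-Za-z]:\\') {
        "Path is not a drive-letter path, so it cannot be confirmed as local."
    } else {
        $root  = [System.IO.Path]::GetPathRoot($Path)
        $drive = New-Object System.IO.DriveInfo $root
        if ($drive.DriveType -ne [System.IO.DriveType]::Fixed) {
            "Drive $root is of type $($drive.DriveType), not a local fixed drive."
        }
    }
}

function Test-AcsPostInstall {
    # CSAdmin is the service the guide starts with "net start csadmin".
    $svc = Get-WmiObject Win32_Service -Filter "Name='CSAdmin'"
    if (-not $svc) { "CSAdmin service is not installed."; return }
    if ($svc.State -ne 'Running') {
        "CSAdmin is $($svc.State); the HTML interface is unavailable."
    }
    # Reinstallation discards a custom service account; report the current one.
    "CSAdmin runs as: $($svc.StartName)"
    # The HTML interface is reached at http://127.0.0.1:2002 on the ACS server.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect('127.0.0.1', 2002)
        "TCP port 2002 on loopback accepts connections."
    } catch {
        "TCP port 2002 on loopback did not accept a connection."
    } finally {
        $client.Close()
    }
}

# Before Step 9: validate the intended destination (sample path, constructed).
$dest   = 'D:\ACS40'
$issues = @(Test-AcsDestination -Path $dest)
if ($issues.Count) { $issues } else { "Destination $dest passes the path checks." }

# After Step 20: verify the service and the HTML interface.
Test-AcsPostInstall
```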